

No commits in common. "06ca8d87873fa7013f300478adc5bf1e781f0dba" and "43ce280d1155016866e4c25c8c256a4109a8c506" have entirely different histories.

15 changed files with 345 additions and 365 deletions

main.yml

@ -5,86 +5,87 @@
gather_facts: false gather_facts: false
become: true become: true
vars_prompt: vars_prompt:
- name: user_name - name: user_name
prompt: | prompt: |
What is your username? What is your username?
private: false private: false
- name: user_password - name: user_password
prompt: | prompt: |
What is your password? What is your password?
confirm: true confirm: true
- name: root_password - name: root_password
prompt: | prompt: |
What is your root password? What is your root password?
confirm: true confirm: true
- name: hypervisor - name: hypervisor
prompt: | prompt: |
Select an Hypervisor: Select an Hypervisor:
- libvirt - libvirt
- proxmox - proxmox
- vmware - vmware
private: false private: false
default: proxmox default: "proxmox"
- name: install_drive - name: install_drive
prompt: | prompt: |
"Enter the drive to install the system (default: /dev/sda)" "Enter the drive to install the system (default: /dev/sda)"
confirm: true confirm: true
private: false private: false
default: /dev/sda default: "/dev/sda"
vars_files: vars.yml vars_files: vars.yml
pre_tasks: pre_tasks:
- name: Set ansible_python_interpreter - name: Set ansible_python_interpreter
when: os | lower in ["almalinux", "rhel9", "rhel8", "rocky"] when: os | lower in ["almalinux", "rhel9", "rhel8", "rocky"]
ansible.builtin.set_fact: set_fact:
ansible_python_interpreter: /usr/bin/python3 ansible_python_interpreter: /usr/bin/python3
- name: Validate variables - name: Validate variables
ansible.builtin.assert: assert:
that: that:
- hypervisor in ["libvirt", "proxmox", "vmware", "none"] - hypervisor in ["libvirt", "proxmox", "vmware", "none"]
- filesystem in ["btrfs", "ext4", "xfs"] - filesystem in ["btrfs", "ext4", "xfs"]
- os in ["archlinux", "almalinux", "debian11", "debian12", "fedora", "rocky", "ubuntu", "ubuntu-lts"] - os in ["archlinux", "almalinux", "debian11", "debian12", "fedora", "rocky", "ubuntu", "ubuntu-lts"]
fail_msg: Invalid input specified, please try again fail_msg: "Invalid input specified, please try again"
- name: Set connection - name: Set connection
when: hypervisor == "vmware" when: hypervisor == "vmware"
ansible.builtin.set_fact: set_fact:
ansible_connection: vmware_tools ansible_connection: vmware_tools
roles: roles:
- role: virtualization
when: install_type == "virtual"
become: false
vars:
ansible_connection: local
- role: environment - role: virtualization
vars: when: install_type == "virtual"
ansible_connection: "{{ 'vmware_tools' if hypervisor == 'vmware' else 'ssh' }}" become: false
vars:
ansible_connection: local
- role: partitioning - role: environment
vars: vars:
boot_partition_suffix: 1 ansible_connection: "{{ 'vmware_tools' if hypervisor == 'vmware' else 'ssh' }}"
main_partition_suffix: 2
- role: bootstrap - role: partitioning
vars:
boot_partition_suffix: 1
main_partition_suffix: 2
- role: configuration - role: bootstrap
- role: cis - role: configuration
when: cis == true
- role: cleanup - role: cis
when: install_type == "virtual" when: cis == true
vars:
ansible_connection: local - role: cleanup
when: install_type == "virtual"
vars:
ansible_connection: local
tasks: tasks:
- name: Reboot system - name: Reboot system
when: hypervisor != "libvirt" when: hypervisor != "libvirt"
ansible.builtin.command: reboot command: reboot
ignore_errors: true ignore_errors: true
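Review bot: The `Validate variables` assert (L49-55) checks `hypervisor`, `filesystem` and `os` but not the prompted `install_drive`, which later reaches a shell command as `-d "{{ install_drive }}"` in the configuration role, nor `user_name`, which is interpolated into a `useradd` command and an `authorized_keys` path; a malformed answer to either prompt fails late, possibly after the disk has been written. I would add `- install_drive is match('^/dev/[A-Za-z0-9/_-]+$')` and `- user_name is match('^[a-z_][a-z0-9_-]*$')` to the `that:` list (patterns constructed here; adjust to the names you actually support). Assuming the right column is the head side, the hunk also replaces the fully-qualified `ansible.builtin.set_fact` / `ansible.builtin.assert` with short module names; they still resolve, but the FQCN form is what ansible-lint expects and what the base side already used. The play header starts above the hunk.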


@ -1,6 +1,6 @@
--- ---
- name: Include Packages - name: Include Packages
ansible.builtin.include_vars: include_vars:
file: packages.yml file: packages.yml
name: role_packages name: role_packages
@ -8,10 +8,11 @@
block: block:
- name: Bootstrap ArchLinux - name: Bootstrap ArchLinux
when: os | lower == 'archlinux' when: os | lower == 'archlinux'
ansible.builtin.command: pacstrap /mnt {{ role_packages.archlinux | join(' ') }} --asexplicit command: pacstrap /mnt {{ role_packages.archlinux | join(' ') }} --asexplicit
- name: Bootstrap Debian System - name: Bootstrap Debian System
when: os | lower in ['debian11', 'debian12'] when: os | lower in ['debian11', 'debian12']
ansible.builtin.command: "{{ item }}" shell: "{{ item }}"
with_items: with_items:
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }} /mnt http://deb.debian.org/debian/ - debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }} /mnt http://deb.debian.org/debian/
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }} - arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
@ -19,7 +20,7 @@
- name: Bootstrap Ubuntu System - name: Bootstrap Ubuntu System
when: os | lower in ['ubuntu', 'ubuntu-lts'] when: os | lower in ['ubuntu', 'ubuntu-lts']
ansible.builtin.command: "{{ item }}" shell: "{{ item }}"
with_items: with_items:
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'mantic' if os == 'ubuntu' else 'jammy' }} /mnt http://archive.ubuntu.com/ubuntu/ - debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'mantic' if os == 'ubuntu' else 'jammy' }} /mnt http://archive.ubuntu.com/ubuntu/
- arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list - arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
@ -28,7 +29,7 @@
- name: Bootstrap AlmaLinux 9 - name: Bootstrap AlmaLinux 9
when: os | lower == 'almalinux' when: os | lower == 'almalinux'
ansible.builtin.command: "{{ item }}" shell: "{{ item }}"
with_items: with_items:
- dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core - dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
- echo "nameserver 1.0.0.1" > /mnt/etc/resolv.conf - echo "nameserver 1.0.0.1" > /mnt/etc/resolv.conf
@ -36,7 +37,7 @@
- name: Bootstrap Fedora 40 - name: Bootstrap Fedora 40
when: os | lower == 'fedora' when: os | lower == 'fedora'
ansible.builtin.command: "{{ item }}" shell: "{{ item }}"
with_items: with_items:
- dnf --releasever=40 --best --repo=fedora --repo=fedora-updates --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core - dnf --releasever=40 --best --repo=fedora --repo=fedora-updates --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
- arch-chroot /mnt dnf --releasever=40 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }} - arch-chroot /mnt dnf --releasever=40 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }}
@ -44,7 +45,7 @@
- name: Bootstrap RockyLinux 9 - name: Bootstrap RockyLinux 9
when: os | lower == 'rocky' when: os | lower == 'rocky'
ansible.builtin.command: "{{ item }}" shell: "{{ item }}"
with_items: with_items:
- dnf --releasever=9 --best --repo=rocky-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core - dnf --releasever=9 --best --repo=rocky-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
- echo "nameserver 1.0.0.1" > /mnt/etc/resolv.conf - echo "nameserver 1.0.0.1" > /mnt/etc/resolv.conf
@ -52,8 +53,8 @@
- name: Bootstrap RHEL System - name: Bootstrap RHEL System
when: os | lower in ['rhel8', 'rhel9'] when: os | lower in ['rhel8', 'rhel9']
ansible.builtin.command: "{{ item }}" shell: "{{ item }}"
with_items: with_items:
- dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core - "dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core"
- echo 'nameserver 1.0.0.1' > /mnt/etc/resolv.conf - "echo 'nameserver 1.0.0.1' > /mnt/etc/resolv.conf"
- arch-chroot /mnt dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --setopt=install_weak_deps=False install -y {{ role_packages[os] | join(' ') }} - "arch-chroot /mnt dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --setopt=install_weak_deps=False install -y {{ role_packages[os] | join(' ') }}"
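Review bot: Assuming the right column is the head side, the tasks at L110, L117, L124, L131, L138 and L145 switch `ansible.builtin.command` to `shell` for their whole `with_items` list, apparently so that the `echo "nameserver 1.0.0.1" > /mnt/etc/resolv.conf` redirection works, yet only the AlmaLinux, RockyLinux and RHEL lists contain that redirection; the Debian, Ubuntu and Fedora lists gain a `/bin/sh` round-trip for their templated package strings for nothing. I would keep `command:` for the debootstrap/dnf/arch-chroot items and write resolv.conf with a separate `ansible.builtin.copy` task, `dest: /mnt/etc/resolv.conf` and `content: "nameserver 1.0.0.1\n"`, which needs no shell at all. None of these tasks sets `changed_when`, so every run reports a change. The enclosing block starts above the hunk at L104 and continues past L149.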


@ -1,4 +1,3 @@
---
almalinux: almalinux:
- bind-utils - bind-utils
- cloud-init - cloud-init


@ -1,8 +1,7 @@
---
- name: Configurationg System for CIS conformity - name: Configurationg System for CIS conformity
block: block:
- name: Disable Kernel Modules - name: Disable Kernel Modules
ansible.builtin.copy: copy:
dest: /mnt/etc/modprobe.d/cis.conf dest: /mnt/etc/modprobe.d/cis.conf
content: | content: |
CIS LVL 3 Restrictions CIS LVL 3 Restrictions
@ -20,7 +19,7 @@
install tipc /bin/true install tipc /bin/true
- name: Create USB Rules - name: Create USB Rules
ansible.builtin.copy: copy:
dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh
content: | content: |
By default, disable all. By default, disable all.
@ -36,7 +35,7 @@
ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1" ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
- name: Create a consolidated sysctl configuration file - name: Create a consolidated sysctl configuration file
ansible.builtin.copy: copy:
dest: /mnt/etc/sysctl.d/10-cis.conf dest: /mnt/etc/sysctl.d/10-cis.conf
content: | content: |
## CIS Sysctl configurations ## CIS Sysctl configurations
@ -67,10 +66,10 @@
# - { regexp: '^UMASK.*', replace: 'UMASK 027' } # - { regexp: '^UMASK.*', replace: 'UMASK 027' }
- name: Ensure files exist - name: Ensure files exist
ansible.builtin.file: file:
path: "{{ item }}" path: "{{ item }}"
state: touch state: touch
mode: "0600" mode: '0600'
loop: loop:
- /mnt/etc/at.allow - /mnt/etc/at.allow
- /mnt/etc/cron.allow - /mnt/etc/cron.allow
@ -78,87 +77,82 @@
- /mnt/etc/hosts.deny - /mnt/etc/hosts.deny
- name: Add Security related lines into config files - name: Add Security related lines into config files
ansible.builtin.lineinfile: lineinfile:
path: "{{ item.path }}" path: "{{ item.path }}"
line: "{{ item.content }}" line: "{{ item.content }}"
loop: loop:
- { path: /mnt/etc/security/limits.conf, content: "* hard core 0" } - { path: '/mnt/etc/security/limits.conf', content: '* hard core 0' }
- { path: /mnt/etc/security/pwquality.conf, content: minlen = 14 } - { path: '/mnt/etc/security/pwquality.conf', content: 'minlen = 14' }
- { path: /mnt/etc/security/pwquality.conf, content: dcredit = -1 } - { path: '/mnt/etc/security/pwquality.conf', content: 'dcredit = -1' }
- { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 } - { path: '/mnt/etc/security/pwquality.conf', content: 'ucredit = -1' }
- { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 } - { path: '/mnt/etc/security/pwquality.conf', content: 'ocredit = -1' }
- { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 } - { path: '/mnt/etc/security/pwquality.conf', content: 'lcredit = -1' }
- { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: umask 077 } - { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: 'umask 077' }
- { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: export TMOUT=3000 } - { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: 'export TMOUT=3000' }
- { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent } - { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: 'Storage=persistent' }
- { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" } - { path: '/mnt/etc/sudoers', content: 'Defaults logfile="/var/log/sudo.log"' }
- { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so } - { path: '/mnt/etc/pam.d/su', content: 'auth required pam_wheel.so' }
- path: /mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" - { path: '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}', content: 'auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900' }
}} - { path: '/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}', content: 'account required pam_faillock.so' }
content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900 - { path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}', content: 'password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5' }
- path: /mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else - { path: '/mnt/etc/hosts.deny', content: 'ALL: ALL' }
"pam.d/system-auth" }} - { path: '/mnt/etc/hosts.allow', content: 'sshd: ALL' }
content: account required pam_faillock.so
- path: /mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}
content: password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
- { path: /mnt/etc/hosts.deny, content: "ALL: ALL" }
- { path: /mnt/etc/hosts.allow, content: "sshd: ALL" }
- name: Set permissions for various files and directories - name: Set permissions for various files and directories
ansible.builtin.file: file:
path: "{{ item.path }}" path: "{{ item.path }}"
owner: "{{ item.owner | default(omit) }}" owner: "{{ item.owner | default(omit) }}"
group: "{{ item.group | default(omit) }}" group: "{{ item.group | default(omit) }}"
mode: "{{ item.mode }}" mode: "{{ item.mode }}"
loop: loop:
- { path: /mnt/etc/ssh/sshd_config, mode: "0600" } - { path: '/mnt/etc/ssh/sshd_config', mode: '0600' }
- { path: /mnt/etc/cron.hourly, mode: "0700" } - { path: '/mnt/etc/cron.hourly', mode: '0700' }
- { path: /mnt/etc/cron.daily, mode: "0700" } - { path: '/mnt/etc/cron.daily', mode: '0700' }
- { path: /mnt/etc/cron.weekly, mode: "0700" } - { path: '/mnt/etc/cron.weekly', mode: '0700' }
- { path: /mnt/etc/cron.monthly, mode: "0700" } - { path: '/mnt/etc/cron.monthly', mode: '0700' }
- { path: /mnt/etc/cron.d, mode: "0700" } - { path: '/mnt/etc/cron.d', mode: '0700' }
- { path: /mnt/etc/crontab, mode: "0600" } - { path: '/mnt/etc/crontab', mode: '0600' }
- { path: /mnt/etc/logrotate.conf, mode: "0644" } - { path: '/mnt/etc/logrotate.conf', mode: '0644' }
- { path: /mnt/usr/sbin/pppd, mode: "754" } - { path: '/mnt/usr/sbin/pppd', mode: '754' }
- { path: '/mnt/usr/bin/{{ "fusermount3" if os in ["archlinux", "debian12", "fedora"] else "fusermount" }}', mode: "755" } - { path: '/mnt/usr/bin/{{ "fusermount3" if os in ["archlinux", "debian12", "fedora"] else "fusermount" }}', mode: '755' }
- { path: '/mnt/usr/bin/{{ "write.ul" if os == "debian11" else "write" }}', mode: "755" } - { path: '/mnt/usr/bin/{{ "write.ul" if os == "debian11" else "write" }}', mode: '755' }
- name: Adjust SSHD config - name: Adjust SSHD config
ansible.builtin.lineinfile: lineinfile:
path: /mnt/etc/ssh/sshd_config path: /mnt/etc/ssh/sshd_config
regexp: ^\s*#?{{ item.option }}\s+.*$ regexp: '^\s*#?{{ item.option }}\s+.*$'
line: "{{ item.option }} {{ item.value }}" line: '{{ item.option }} {{ item.value }}'
with_items: with_items:
- { option: LogLevel, value: VERBOSE } - {option: 'LogLevel', value: 'VERBOSE'}
- { option: LoginGraceTime, value: "60" } - {option: 'LoginGraceTime', value: '60'}
- { option: PermitRootLogin, value: "no" } - {option: 'PermitRootLogin', value: 'no'}
- { option: StrictModes, value: "yes" } - {option: 'StrictModes', value: 'yes'}
- { option: MaxAuthTries, value: "4" } - {option: 'MaxAuthTries', value: '4'}
- { option: MaxSessions, value: "10" } - {option: 'MaxSessions', value: '10'}
- { option: MaxStartups, value: 10:30:60 } - {option: 'MaxStartups', value: '10:30:60'}
- { option: PubkeyAuthentication, value: "yes" } - {option: 'PubkeyAuthentication', value: 'yes'}
- { option: HostbasedAuthentication, value: "no" } - {option: 'HostbasedAuthentication', value: 'no'}
- { option: IgnoreRhosts, value: "yes" } - {option: 'IgnoreRhosts', value: 'yes'}
- { option: PasswordAuthentication, value: "no" } - {option: 'PasswordAuthentication', value: 'no'}
- { option: PermitEmptyPasswords, value: "no" } - {option: 'PermitEmptyPasswords', value: 'no'}
- { option: KerberosAuthentication, value: "no" } - {option: 'KerberosAuthentication', value: 'no'}
- { option: GSSAPIAuthentication, value: "no" } - {option: 'GSSAPIAuthentication', value: 'no'}
- { option: GSSAPIKeyExchange, value: "no" } - {option: 'GSSAPIKeyExchange', value: 'no'}
- { option: AllowAgentForwarding, value: "no" } - {option: 'AllowAgentForwarding', value: 'no'}
- { option: AllowTcpForwarding, value: "no" } - {option: 'AllowTcpForwarding', value: 'no'}
- { option: ChallengeResponseAuthentication, value: "no" } - {option: 'ChallengeResponseAuthentication', value: 'no'}
- { option: GatewayPorts, value: "no" } - {option: 'GatewayPorts', value: 'no'}
- { option: X11Forwarding, value: "no" } - {option: 'X11Forwarding', value: 'no'}
- { option: PermitUserEnvironment, value: "no" } - {option: 'PermitUserEnvironment', value: 'no'}
- { option: ClientAliveInterval, value: "300" } - {option: 'ClientAliveInterval', value: '300'}
- { option: ClientAliveCountMax, value: "0" } - {option: 'ClientAliveCountMax', value: '0'}
- { option: PermitTunnel, value: "no" } - {option: 'PermitTunnel', value: 'no'}
- { option: Banner, value: /etc/issue.net } - {option: 'Banner', value: '/etc/issue.net'}
- name: Append CIS Specific configurations to sshd_config - name: Append CIS Specific configurations to sshd_config
ansible.builtin.lineinfile: lineinfile:
path: /mnt/etc/ssh/sshd_config path: /mnt/etc/ssh/sshd_config
line: |2- line: |
## CIS Specific ## CIS Specific
Protocol 2 Protocol 2
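Review bot: The `lineinfile` entry for `/mnt/etc/sudoers` at L210 (`Defaults logfile="/var/log/sudo.log"`) runs without `validate:`, while the sudoers.d drop-in in the configuration role validates with `/usr/sbin/visudo --check --file=%s`; an unparsable sudoers locks every user out of sudo on first boot, so I would move that entry into its own `lineinfile` task carrying `validate: /usr/sbin/visudo --check --file=%s` (it cannot stay in the `loop`, since visudo cannot check limits.conf or pam.d files). Assuming the right column is the head side, L274 also changes the block scalar from `|2-` to `|`, so the appended `line` now ends with a newline and lineinfile adds its own, leaving a blank line after the CIS stanza; as far as I can tell a multi-line `line` never equals any single existing line either, so the task re-appends on every run. The CIS block starts above the hunk at L164 and the task at L271 continues past L276.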


@ -1,4 +1,3 @@
---
- name: Setup Cleanup - name: Setup Cleanup
when: hypervisor == "proxmox" when: hypervisor == "proxmox"
delegate_to: localhost delegate_to: localhost
@ -21,17 +20,17 @@
when: hypervisor == "vmware" when: hypervisor == "vmware"
delegate_to: localhost delegate_to: localhost
ignore_errors: true ignore_errors: true
community.vmware.vmware_guest: vmware_guest:
hostname: "{{ hypervisor_url }}" hostname: "{{ hypervisor_url }}"
username: "{{ hypervisor_username }}" username: "{{ hypervisor_username }}"
password: "{{ hypervisor_password }}" password: "{{ hypervisor_password }}"
validate_certs: false validate_certs: no
datacenter: "{{ hypervisor_cluster }}" datacenter: "{{ hypervisor_cluster }}"
name: "{{ hostname }}" name: "{{ hostname }}"
cdrom: cdrom:
- controller_number: 0 - controller_number: 0
unit_number: 0 unit_number: 0
controller_type: sata controller_type: "sata"
type: iso type: iso
iso_path: "{{ boot_iso }}" iso_path: "{{ boot_iso }}"
state: absent state: absent
@ -47,22 +46,22 @@
state: shutdown state: shutdown
- name: Remove cloud-init disk - name: Remove cloud-init disk
ansible.builtin.file: file:
path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso" path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso"
state: absent state: absent
- name: Get list of CD-ROM devices - name: Get list of CD-ROM devices
ansible.builtin.shell: virsh --connect qemu:///system domblklist {{ hostname }} --details | grep 'cdrom' | awk '{print $3}' shell: virsh --connect qemu:///system domblklist {{ hostname }} --details | grep 'cdrom' | awk '{print $3}'
changed_when: false changed_when: false
register: cdrom_devices register: cdrom_devices
- name: Wait for VM to spin down - name: Wait for VM to spin down
ansible.builtin.wait_for: wait_for:
timeout: 15 timeout: 15
- name: Remove CD-ROM devices - name: Remove CD-ROM devices
when: cdrom_devices.stdout_lines | length > 0 when: cdrom_devices.stdout_lines | length > 0
ansible.builtin.command: virsh --connect qemu:///system detach-disk {{ hostname }} {{ item }} --persistent command: virsh --connect qemu:///system detach-disk {{ hostname }} {{ item }} --persistent
with_items: "{{ cdrom_devices.stdout_lines }}" with_items: "{{ cdrom_devices.stdout_lines }}"
- name: Start the VM - name: Start the VM
@ -72,5 +71,5 @@
- name: Wait for VM to boot up - name: Wait for VM to boot up
delegate_to: "{{ inventory_hostname }}" delegate_to: "{{ inventory_hostname }}"
ansible.builtin.wait_for_connection: wait_for_connection:
timeout: 300 timeout: 300
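Review bot: `validate_certs: no` at L293 disables TLS certificate verification for the `vmware_guest` call, so `hypervisor_username` / `hypervisor_password` on the lines above are sent to whatever answers at `hypervisor_url` (the base side had the same setting spelled `false`). Unless the vCenter certificate genuinely cannot be trusted, I would set `validate_certs: true` and install the CA on the control node; if it must stay off, keep the canonical boolean `validate_certs: false` rather than the YAML 1.1 truthy `no` that ansible-lint flags. The same task also carries `ignore_errors: true` (L288), so a failed CD-ROM removal is silently skipped rather than surfaced. The task's `name:` line is above the hunk at L285.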


@ -1,22 +1,22 @@
---
- name: Configuration - name: Configuration
block: block:
- name: Generate fstab - name: Generate fstab
ansible.builtin.shell: genfstab -LU /mnt > /mnt/etc/fstab shell: genfstab -LU /mnt > /mnt/etc/fstab
- name: Append TempFS to fstab - name: Append TempFS to fstab
ansible.builtin.lineinfile: lineinfile:
path: /mnt/etc/fstab path: /mnt/etc/fstab
line: "{{ item }}" line: "{{ item }}"
insertafter: EOF insertafter: EOF
with_items: with_items:
- "" - ""
- "# TempFS" - "# TempFS"
- tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0 - "tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0"
- tmpfs /var/tmp tmpfs defaults,nosuid,nodev,noexec 0 0 - "tmpfs /var/tmp tmpfs defaults,nosuid,nodev,noexec 0 0"
- tmpfs /dev/shm tmpfs defaults,noexec 0 0 - "tmpfs /dev/shm tmpfs defaults,noexec 0 0"
- name: Set local timezone - name: Set local timezone
ansible.builtin.command: "{{ item }}" command: '{{ item }}'
with_items: with_items:
- systemctl daemon-reload - systemctl daemon-reload
- arch-chroot /mnt ln -sf /usr/share/zoneinfo/Europe/Vienna /etc/localtime - arch-chroot /mnt ln -sf /usr/share/zoneinfo/Europe/Vienna /etc/localtime
@ -25,155 +25,154 @@
block: block:
- name: Configure locale.gen - name: Configure locale.gen
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky'] when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
ansible.builtin.lineinfile: lineinfile:
dest: /mnt/etc/locale.gen dest: /mnt/etc/locale.gen
regexp: "{{ item.regex }}" regexp: '{{ item.regex }}'
line: "{{ item.line }}" line: '{{ item.line }}'
loop: loop:
- { regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8 } - {regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8}
- name: Generate locales\ - name: Generate locales\
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky'] when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen command: arch-chroot /mnt /usr/sbin/locale-gen
- name: Set hostname - name: Set hostname
ansible.builtin.copy: copy:
content: "{{ hostname }}" content: "{{ hostname }}"
dest: /mnt/etc/hostname dest: /mnt/etc/hostname
- name: Add host entry to /etc/hosts - name: Add host entry to /etc/hosts
ansible.builtin.lineinfile: lineinfile:
path: /mnt/etc/hosts path: /mnt/etc/hosts
line: "{{ ansible_host }} {{ hostname }}" line: "{{ ansible_host }} {{ hostname }}"
state: present state: present
- name: Create vconsole.conf - name: Create vconsole.conf
ansible.builtin.copy: copy:
content: KEYMAP=us-intl content: "KEYMAP=us-intl"
dest: /mnt/etc/vconsole.conf dest: /mnt/etc/vconsole.conf
- name: Create locale.conf - name: Create locale.conf
ansible.builtin.copy: copy:
content: LANG=en_US.UTF-8 content: "LANG=en_US.UTF-8"
dest: /mnt/etc/locale.conf dest: /mnt/etc/locale.conf
- name: SSH permit Password - name: SSH permit Password
ansible.builtin.replace: replace:
path: /mnt/etc/ssh/sshd_config path: /mnt/etc/ssh/sshd_config
regexp: "#PasswordAuthentication yes" regexp: '#PasswordAuthentication yes'
replace: PasswordAuthentication yes replace: 'PasswordAuthentication yes'
- name: Enable Systemd Services - name: Enable Systemd Services
block: block:
- name: Enable sshd - name: Enable sshd
when: os | lower == "archlinux" when: os | lower == "archlinux"
ansible.builtin.command: arch-chroot /mnt systemctl enable sshd logrotate systemd-resolved systemd-timesyncd NetworkManager command: arch-chroot /mnt systemctl enable sshd logrotate systemd-resolved systemd-timesyncd NetworkManager
- name: Configure grub - name: Configure grub
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky'] when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
block: block:
- name: Add commandline information to grub config - name: Add commandline information to grub config
ansible.builtin.lineinfile: lineinfile:
dest: /mnt/etc/default/grub dest: /mnt/etc/default/grub
regexp: ^GRUB_CMDLINE_LINUX_DEFAULT= regexp: ^GRUB_CMDLINE_LINUX_DEFAULT=
line: GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3" line: 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3"'
- name: Change Grub time - name: Change Grub time
ansible.builtin.lineinfile: lineinfile:
dest: /mnt/etc/default/grub dest: /mnt/etc/default/grub
regexp: ^GRUB_TIMEOUT= regexp: ^GRUB_TIMEOUT=
line: GRUB_TIMEOUT=1 line: 'GRUB_TIMEOUT=1'
- name: Configure Bootloader - name: Configure Bootloader
block: block:
- name: Install Bootloader - name: Install Bootloader
ansible.builtin.command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}/usr/sbin/efibootmgr -c command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}/usr/sbin/efibootmgr -c -L '{{ os }}' -d "{{ install_drive }}" -p 1 -l '\efi\EFI\{{ os }}\shimx64.efi'{% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{ "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }} --bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}{% endif %}
-L '{{ os }}' -d "{{ install_drive }}" -p 1 -l '\efi\EFI\{{ os }}\shimx64.efi'{% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{
"/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }} --bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}{%
endif %}
- name: Generate grub config - name: Generate grub config
ansible.builtin.command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}/usr/sbin/grub2-mkconfig command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}/usr/sbin/grub2-mkconfig -o /boot/efi/EFI/{{ os }}/grub.cfg{% else %}/usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }}{% endif %}
-o /boot/efi/EFI/{{ os }}/grub.cfg{% else %}/usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else
"/boot/grub/grub.cfg" }}{% endif %}
- name: Regenerate initramfs - name: Regenerate initramfs
when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
ansible.builtin.command: arch-chroot /mnt {% if os | lower == "archlinux" %}/usr/sbin/mkinitcpio -P{% elif os | lower not in ["debian11", "debian12", "ubuntu", command: arch-chroot /mnt {% if os | lower == "archlinux" %}/usr/sbin/mkinitcpio -P{% elif os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts", "archlinux"] %}/usr/bin/dracut --regenerate-all --force{% else %}echo "Skipping initramfs regeneration"{% endif %}
"ubuntu-lts", "archlinux"] %}/usr/bin/dracut --regenerate-all --force{% else %}echo "Skipping initramfs regeneration"{% endif %}
- name: Extra Configuration - name: Extra Configuration
block: block:
- name: Append lines to vimrc - name: Append lines to vimrc
ignore_errors: true ignore_errors: true
ansible.builtin.lineinfile: lineinfile:
path: "{{ '/mnt/etc/vim/vimrc' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] else '/mnt/etc/vimrc' }}" path: "{{ '/mnt/etc/vim/vimrc' if os|lower in ['debian11' ,'debian12', 'ubuntu', 'ubuntu-lts'] else '/mnt/etc/vimrc' }}"
line: "{{ item }}" line: "{{ item }}"
insertafter: EOF insertafter: EOF
with_items: with_items:
- set encoding=utf-8 - "set encoding=utf-8"
- set number - "set number"
- set autoindent - "set autoindent"
- set smartindent - "set smartindent"
- set mouse=a - "set mouse=a"
- name: Copy FirstRun Script - name: Copy FirstRun Script
when: os | lower != "archlinux" when: os | lower != "archlinux"
ansible.builtin.template: template:
src: firstrun.sh.j2 src: firstrun.sh.j2
dest: /mnt/root/firstrun.sh dest: /mnt/root/firstrun.sh
mode: "0755" mode: '0755'
- name: Copy Custom Shell config - name: Copy Custom Shell config
ansible.builtin.template: template:
src: custom.sh.j2 src: custom.sh.j2
dest: /mnt/etc/profile.d/custom.sh dest: /mnt/etc/profile.d/custom.sh
- name: Setup Network - name: Setup Network
block: block:
- name: Generate UUID for Network Profile - name: Generate UUID for Network Profile
ansible.builtin.command: uuidgen command: "uuidgen"
register: net_uuid register: net_uuid
- name: Retrieve Network Interface Name - name: Retrieve Network Interface Name
ansible.builtin.shell: ip r | awk 'NR==1 {print $5}' shell: "ip r | awk 'NR==1 {print $5}'"
register: net_inf register: net_inf
- name: Copy NetworkManager keyfile - name: Copy NetworkManager keyfile
ansible.builtin.template: template:
src: network.j2 src: network.j2
dest: /mnt/etc/NetworkManager/system-connections/LAN.nmconnection dest: /mnt/etc/NetworkManager/system-connections/LAN.nmconnection
mode: "0600" mode: '0600'
- name: Setup user account - name: Setup user account
block: block:
- name: Create user account - name: Create user account
ansible.builtin.command: "{{ item }}" command: '{{ item }}'
with_items: with_items:
- arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups {{ "sudo" if os | lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else - arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups {{ "sudo" if os|lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "wheel" }} {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
"wheel" }} {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash - arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
- arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
- name: Add SSH public key to authorized_keys - name: Add SSH public key to authorized_keys
when: user_public_key is defined when: user_public_key is defined
ansible.builtin.lineinfile: lineinfile:
path: /mnt/home/{{ user_name }}/.ssh/authorized_keys path: "/mnt/home/{{ user_name }}/.ssh/authorized_keys"
line: "{{ user_public_key }}" line: "{{ user_public_key }}"
owner: 1000 owner: 1000
group: 1000 group: 1000
mode: "0600" mode: "0600"
create: true create: yes
- name: Give sudo access to wheel group - name: Give sudo access to wheel group
ansible.builtin.copy: copy:
content: "{{ '%sudo ALL=(ALL) ALL' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] else '%wheel ALL=(ALL) ALL' }}" content: "{{ '%sudo ALL=(ALL) ALL' if os|lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] else '%wheel ALL=(ALL) ALL' }}"
dest: /mnt/etc/sudoers.d/01-wheel dest: /mnt/etc/sudoers.d/01-wheel
mode: "0440" mode: 0440
validate: /usr/sbin/visudo --check --file=%s validate: /usr/sbin/visudo --check --file=%s
- name: Fix SELinux - name: Fix SELinux
block: block:
- name: Relabel the filesystem - name: Relabel the filesystem
when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rocky'] when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rocky']
ansible.builtin.command: touch /mnt/.autorelabel command: touch /mnt/.autorelabel
- name: Disable SELinux
when: os | lower == "fedora" - name: Disable SELinux
ansible.builtin.lineinfile: when: os | lower == "fedora"
path: /mnt/etc/selinux/config lineinfile:
regexp: ^SELINUX= path: /mnt/etc/selinux/config
line: SELINUX=permissive regexp: '^SELINUX='
line: 'SELINUX=permissive'
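Review bot: The `Create user account` task at L459-462 templates `{{ user_password | password_hash('sha512') }}` and the root hash into a `command` string without `no_log: true`, so the hashes (and, in verbose or callback output, the full command line) end up in ansible logs and are briefly visible in the process list on the install host; I would add `no_log: true` to that task. Assuming the right column is the head side, L477 also changes `mode: "0440"` to the unquoted `mode: 0440`, which a YAML 1.1 parser reads as the integer 288 — it yields 0440 today, but a YAML 1.2 loader would read 440 decimal, i.e. 0670, on the sudoers drop-in; keep it quoted like `mode: '0755'` at L438 and `mode: '0600'` at L455 in this same hunk. `create: yes` at L472 is the same truthy style and should be `create: true`. The configuration block starts above the hunk at L352.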


@ -1,60 +1,62 @@
---
- name: Configre work environment - name: Configre work environment
become: true become: true
block: block:
- name: Wait for connection - name: Wait for connection
ansible.builtin.wait_for_connection: wait_for_connection:
timeout: 300 timeout: 300
delay: 5 delay: 5
- name: Gather facts - name: Gather facts
ansible.builtin.setup: setup:
- name: Check if host is booted from the Arch install media - name: Check if host is booted from the Arch install media
ansible.builtin.stat: stat:
path: /run/archiso path: /run/archiso
register: archiso_stat register: archiso_stat
- name: Abort if the host is not booted from the Arch install media - name: Abort if the host is not booted from the Arch install media
ansible.builtin.fail: fail:
msg: This host is not booted from the Arch install media! msg: "This host is not booted from the Arch install media!"
when: not archiso_stat.stat.exists when: not archiso_stat.stat.exists
- name: Setect Interface - name: Setect Interface
when: hypervisor == "vmware" when: hypervisor == "vmware"
ansible.builtin.shell: "ip l | awk -F': ' '!/lo/{print $2; exit}'" shell: "ip l | awk -F': ' '!/lo/{print $2; exit}'"
register: interface_name register: interface_name
- name: Set IP-Address - name: Set IP-Address
when: hypervisor == "vmware" when: hypervisor == "vmware"
ansible.builtin.command: ip addr replace {{ ansible_host }}/24 dev {{ interface_name.stdout }} command: ip addr replace {{ ansible_host }}/24 dev {{ interface_name.stdout }}
- name: Set Default Gateway - name: Set Default Gateway
when: hypervisor == "vmware" when: hypervisor == "vmware"
ansible.builtin.command: ip route replace default via {{ vm_gw }} command: ip route replace default via {{ vm_gw }}
- name: Synchronize clock via NTP - name: Synchronize clock via NTP
ansible.builtin.command: timedatectl set-ntp true command: timedatectl set-ntp true
- name: Speed-up Bootstrap process - name: Speed-up Bootstrap process
ansible.builtin.lineinfile: lineinfile:
path: /etc/pacman.conf path: /etc/pacman.conf
regexp: ^#ParallelDownloads = regexp: '^#ParallelDownloads ='
line: ParallelDownloads = 20 line: 'ParallelDownloads = 20'
- name: Wait for Pacman - name: Wait for Pacman
ansible.builtin.wait_for: wait_for:
timeout: 15 timeout: 15
- name: Setup Pacman - name: Setup Pacman
community.general.pacman: pacman:
update_cache: true update_cache: true
force: true force: true
name: "{{ item.name }}" name: "{{ item.name }}"
state: latest state: latest
loop: loop:
- { name: glibc } - { name: 'glibc' }
- { name: dnf, os: [almalinux, fedora, rhel9, rhel8, rocky] } - { name: 'dnf', os: ['almalinux', 'fedora', 'rhel9', 'rhel8', 'rocky'] }
- { name: debootstrap, os: [debian11, debian12, ubuntu, ubuntu-lts] } - { name: 'debootstrap', os: ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] }
- { name: debian-archive-keyring, os: [debian11, debian12] } - { name: 'debian-archive-keyring', os: ['debian11', 'debian12'] }
- { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] } - { name: 'ubuntu-keyring', os: ['ubuntu', 'ubuntu-lts'] }
when: "'os' not in item or os in item.os" when: "'os' not in item or os in item.os"
retries: 4 retries: 4
delay: 15 delay: 15
@ -62,12 +64,12 @@
- name: Configure RHEL Repos for installation - name: Configure RHEL Repos for installation
when: os | lower in ["almalinux", "fedora", "rocky"] when: os | lower in ["almalinux", "fedora", "rocky"]
block: block:
- name: Create directories for repository files and RPM GPG keys - name: Create directories for repository files and RPM GPG keys
ansible.builtin.file: file:
path: /etc/yum.repos.d path: /etc/yum.repos.d
state: directory state: directory
- name: Create RHEL repository file - name: Create RHEL repository file
ansible.builtin.template: template:
src: "{{ os | lower }}.repo.j2" src: '{{ os | lower }}.repo.j2'
dest: /etc/yum.repos.d/{{ os | lower }}.repo dest: '/etc/yum.repos.d/{{ os | lower }}.repo'
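Review bot: The "Setup Pacman" task sets `retries: 4` and `delay: 15` but has no `until`, and on ansible-core releases before 2.16 retries without `until` are forced to 1, so the transient mirror failures the delay is evidently meant to absorb are not retried at all; add `register: pacman_result` and `until: pacman_result is succeeded` to make the retry loop explicit on every version. The preceding "Wait for Pacman" task is a blind 15-second sleep tied to no condition; `wait_for: { path: /var/lib/pacman/db.lck, state: absent }` waits for the actual lock instead. As a point of style, the new column drops the `ansible.builtin.`/`community.general.` prefixes (`set_fact`, `lineinfile`, `pacman`), which makes module resolution depend on collection search order and is flagged by ansible-lint's fqcn rule. The "Configure RHEL Repos for installation" block appears to continue past the end of the second hunk.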


@ -2,25 +2,25 @@
- name: Setup BTRFS - name: Setup BTRFS
block: block:
- name: Create btrfs filesystem in main volume - name: Create btrfs filesystem in main volume
community.general.filesystem: filesystem:
dev: "{{ install_drive }}{{ main_partition_suffix }}" dev: '{{ install_drive }}{{ main_partition_suffix }}'
fstype: btrfs fstype: btrfs
force: true force: yes
- name: Prepare BTRFS Subvolume - name: Prepare BTRFS Subvolume
ansible.posix.mount: mount:
path: /mnt path: /mnt
src: "{{ install_drive }}{{ main_partition_suffix }}" src: '{{ install_drive }}{{ main_partition_suffix }}'
fstype: btrfs fstype: btrfs
opts: rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async opts: rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async
state: mounted state: mounted
- name: Enable quotas on Btrfs filesystem - name: Enable quotas on Btrfs filesystem
ansible.builtin.command: btrfs quota enable /mnt command: btrfs quota enable /mnt
- name: Make root subvolumes - name: Make root subvolumes
when: cis == true or item.subvol not in ['var_log', 'var_log_audit'] when: cis == true or item.subvol not in ['var_log', 'var_log_audit']
ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
loop: loop:
- { subvol: root } - { subvol: root }
- { subvol: home } - { subvol: home }
@ -30,13 +30,17 @@
- name: Set quotas for subvolumes - name: Set quotas for subvolumes
when: cis == true or item.subvol not in ['var_log', 'var_log_audit'] when: cis == true or item.subvol not in ['var_log', 'var_log_audit']
ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
loop: loop:
- { subvol: home, quota: 2G } - { subvol: root, quota: '12G' }
- { subvol: home, quota: '2G' }
- { subvol: var, quota: '2G' }
- { subvol: var_log, quota: '2G' }
- { subvol: var_log_audit, quota: '1536M' }
- name: Unmount Partition - name: Unmount Partition
ansible.posix.mount: mount:
path: /mnt path: /mnt
src: "{{ install_drive }}{{ main_partition_suffix }}" src: '{{ install_drive }}{{ main_partition_suffix }}'
fstype: btrfs fstype: btrfs
state: unmounted state: unmounted
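Review bot: `when: cis == true or item.subvol not in [...]` in "Make root subvolumes" and "Set quotas for subvolumes" compares with strict equality, so a `cis` value supplied as the string "true" (for example via `-e cis=true`) evaluates false and the `/var/log` and `/var/log/audit` subvolumes and their quotas are silently skipped, which is exactly the layout the flag is supposed to enforce; use `when: cis | bool or item.subvol not in ['var_log', 'var_log_audit']`. The same `cis == true` comparison appears in ext4.yml ("Create and format ext4 logical volumes", "Remove Unsupported features for older Systems"), xfs.yml ("Create and format XFS logical volumes") and the partition file ("Create LVM logical volumes", "Get UUIDs for LVM filesystems", "Mount filesystems and subvolumes"), and should be changed in all of them together. The "Set quotas for subvolumes" hunk starts mid-block; the "Setup BTRFS" block opens at the top of this section.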


@ -1,10 +1,10 @@
--- ---
- name: Create and format ext4 logical volumes - name: Create and format ext4 logical volumes
when: cis == true or item.lv not in ['var_log', 'var_log_audit'] when: cis == true or item.lv not in ['var_log', 'var_log_audit']
community.general.filesystem: filesystem:
dev: /dev/sys/{{ item.lv }} dev: '/dev/sys/{{ item.lv }}'
fstype: ext4 fstype: ext4
force: true force: yes
loop: loop:
- { lv: root } - { lv: root }
- { lv: home } - { lv: home }
@ -14,7 +14,7 @@
- name: Remove Unsupported features for older Systems - name: Remove Unsupported features for older Systems
when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky', 'ubuntu-lts']) and (cis == true or item.lv not in ['var_log', 'var_log_audit']) when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky', 'ubuntu-lts']) and (cis == true or item.lv not in ['var_log', 'var_log_audit'])
ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}" command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}"
loop: loop:
- { lv: root } - { lv: root }
- { lv: home } - { lv: home }


@ -3,16 +3,16 @@
block: block:
- name: Prepare partitions - name: Prepare partitions
ignore_errors: true ignore_errors: true
ansible.builtin.command: "{{ item.cmd }}" command: "{{ item.cmd }}"
loop: loop:
- { cmd: umount -l /mnt } - { cmd: "umount -l /mnt" }
- { cmd: vgremove -f sys } - { cmd: "vgremove -f sys" }
- { cmd: 'find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;' } - { cmd: "find /dev -wholename \"{{ install_drive }}*\" -exec wipefs --force --all {} \\;" }
loop_control: loop_control:
label: "{{ item.cmd }}" label: "{{ item.cmd }}"
- name: Define partitions - name: Define partitions
community.general.parted: parted:
device: "{{ install_drive }}" device: "{{ install_drive }}"
label: gpt label: gpt
number: "{{ item.number }}" number: "{{ item.number }}"
@ -22,56 +22,56 @@
flags: "{{ item.flags | default(omit) }}" flags: "{{ item.flags | default(omit) }}"
state: present state: present
loop: loop:
- { number: 1, part_end: 500MiB, name: boot, flags: [boot, esp] } - { number: 1, part_end: '500MiB', name: 'boot', flags: ['boot', 'esp'] }
- { number: 2, part_start: 500MiB, name: root } - { number: 2, part_start: '500MiB', name: 'root' }
- name: Create LVM logical volumes - name: Create LVM logical volumes
when: filesystem != 'btrfs' when: filesystem != 'btrfs'
block: block:
- name: Create LVM volume group - name: Create LVM volume group
community.general.lvg: lvg:
vg: sys vg: sys
pvs: "{{ install_drive }}{{ main_partition_suffix }}" pvs: '{{ install_drive }}{{ main_partition_suffix }}'
- name: Create LVM logical volumes - name: Create LVM logical volumes
when: cis or (not cis and item.lv != 'var_log' and item.lv != 'var_log_audit') when: cis or (not cis and item.lv != 'var_log' and item.lv != 'var_log_audit')
community.general.lvol: lvol:
vg: sys vg: sys
lv: "{{ item.lv }}" lv: "{{ item.lv }}"
size: "{{ item.size }}" size: "{{ item.size }}"
state: present state: present
loop: loop:
- { lv: root, size: 12G } - { lv: 'root', size: '12G' }
- { lv: home, size: 2G } - { lv: 'home', size: '2G' }
- { lv: var, size: 2G } - { lv: 'var', size: '2G' }
- { lv: var_log, size: 2G } - { lv: 'var_log', size: '2G' }
- { lv: var_log_audit, size: 1.5G } - { lv: 'var_log_audit', size: '1.5G' }
- name: Create filesystems - name: Create filesystems
block: block:
- name: Create FAT32 filesystem in boot partition - name: Create FAT32 filesystem in boot partition
community.general.filesystem: filesystem:
dev: "{{ install_drive }}{{ boot_partition_suffix }}" dev: '{{ install_drive }}{{ boot_partition_suffix }}'
fstype: vfat fstype: vfat
opts: -F32 opts: -F32
force: true force: yes
- name: Create filesystem - name: Create filesystem
ansible.builtin.include_tasks: "{{ filesystem }}.yml" include_tasks: "{{ filesystem }}.yml"
- name: Get UUID for boot filesystem - name: Get UUID for boot filesystem
ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ boot_partition_suffix }}' command: blkid -s UUID -o value '{{ install_drive }}{{ boot_partition_suffix }}'
changed_when: false changed_when: false
register: boot_uuid register: boot_uuid
- name: Get UUID for main filesystem - name: Get UUID for main filesystem
ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ main_partition_suffix }}' command: blkid -s UUID -o value '{{ install_drive }}{{ main_partition_suffix }}'
changed_when: false changed_when: false
register: main_uuid register: main_uuid
- name: Get UUIDs for LVM filesystems - name: Get UUIDs for LVM filesystems
when: filesystem != 'btrfs' and (cis == true or item not in ['var_log', 'var_log_audit']) when: filesystem != 'btrfs' and (cis == true or item not in ['var_log', 'var_log_audit'])
ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }} command: blkid -s UUID -o value /dev/sys/{{ item }}
changed_when: false changed_when: false
register: uuid_result register: uuid_result
loop: loop:
@ -81,7 +81,7 @@
- var_log - var_log
- var_log_audit - var_log_audit
- ansible.builtin.set_fact: - set_fact:
uuid_root: "{{ uuid_result.results[0].stdout_lines }}" uuid_root: "{{ uuid_result.results[0].stdout_lines }}"
uuid_home: "{{ uuid_result.results[1].stdout_lines }}" uuid_home: "{{ uuid_result.results[1].stdout_lines }}"
uuid_var: "{{ uuid_result.results[2].stdout_lines }}" uuid_var: "{{ uuid_result.results[2].stdout_lines }}"
@ -92,47 +92,33 @@
- name: Mount filesystems - name: Mount filesystems
block: block:
- name: Mount filesystems and subvolumes - name: Mount filesystems and subvolumes
when: cis or (not cis and item.path != '/var/log' and item.path != '/var/log/audit') when: "cis or (not cis and item.path != '/var/log' and item.path != '/var/log/audit')"
ansible.posix.mount: mount:
path: /mnt{{ item.path }} path: "/mnt{{ item.path }}"
src: "{{ 'UUID=' + (main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}" src: "{{ 'UUID=' + (main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}"
fstype: "{{ filesystem }}" fstype: "{{ filesystem }}"
opts: "{{ item.opts }}" opts: "{{ item.opts }}"
state: mounted state: mounted
loop: loop:
- path: "" - { path: '', uuid: "{{ uuid_root[0] | default(omit) }}", opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}" }
uuid: "{{ uuid_root[0] | default(omit) }}" - { path: '/home', uuid: "{{ uuid_home[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}" }
opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}" - { path: '/var', uuid: "{{ uuid_var[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}" }
- path: /home - { path: '/var/log', uuid: "{{ uuid_var_log[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}" }
uuid: "{{ uuid_home[0] | default(omit) }}" - { path: '/var/log/audit', uuid: "{{ uuid_var_log_audit[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}" }
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home'
}}"
- path: /var
uuid: "{{ uuid_var[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var'
}}"
- path: /var/log
uuid: "{{ uuid_var_log[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log'
}}"
- path: /var/log/audit
uuid: "{{ uuid_var_log_audit[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit'
}}"
- name: Mount tmp and var_tmp filesystems - name: Mount tmp and var_tmp filesystems
ansible.posix.mount: mount:
path: /mnt{{ item.path }} path: "/mnt{{ item.path }}"
src: tmpfs src: tmpfs
fstype: tmpfs fstype: tmpfs
opts: defaults,nosuid,nodev,noexec opts: defaults,nosuid,nodev,noexec
state: mounted state: mounted
loop: loop:
- { path: /tmp } - { path: '/tmp' }
- { path: /var/tmp } - { path: '/var/tmp' }
- name: Mount boot filesystem - name: Mount boot filesystem
ansible.posix.mount: mount:
path: "{{ '/mnt/boot/efi' if os | lower in ['ubuntu', 'ubuntu-lts'] else '/mnt/boot' }}" path: "{{ '/mnt/boot/efi' if os | lower in ['ubuntu', 'ubuntu-lts'] else '/mnt/boot' }}"
src: UUID={{ boot_uuid.stdout }} src: UUID={{ boot_uuid.stdout }}
fstype: vfat fstype: vfat
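Review bot: "Prepare partitions" runs `find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;` under `ignore_errors: true`, and nothing in this section checks `install_drive` before that point, so a truncated or mistyped value such as `/dev/sd` matches every SCSI disk on the host and each one is wiped without the play stopping. A guard task before the loop that refuses anything but a single whole-disk node would keep a typo from being destructive; a regex-based assert is sketched below (adjust the device patterns to the disks this play is expected to target). `-wholename` is also a deprecated GNU find spelling of `-path`. The enclosing block's `- name:` line is above the first hunk, and the "Mount boot filesystem" task appears to continue past the last one.
```yaml
- name: Refuse to wipe an unexpected device
  assert:
    that: "install_drive is match('^/dev/(sd[a-z]+|vd[a-z]+|nvme[0-9]+n[0-9]+)$')"
    fail_msg: "install_drive must name a single whole disk, got '{{ install_drive }}'"
# … unchanged: Prepare partitions loop, Define partitions …
```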


@ -1,10 +1,10 @@
--- ---
- name: Create and format XFS logical volumes - name: Create and format XFS logical volumes
when: cis == true or item.lv not in ['var_log', 'var_log_audit'] when: cis == true or item.lv not in ['var_log', 'var_log_audit']
community.general.filesystem: filesystem:
dev: /dev/sys/{{ item.lv }} dev: '/dev/sys/{{ item.lv }}'
fstype: xfs fstype: xfs
force: true force: yes
loop: loop:
- { lv: root } - { lv: root }
- { lv: home } - { lv: home }


@ -1,34 +1,32 @@
---
- name: Check if VM disk exists - name: Check if VM disk exists
delegate_to: localhost delegate_to: localhost
ansible.builtin.stat: stat:
path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2" path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2"
register: vm_disk_stat register: vm_disk_stat
- name: Create VM disk - name: Create VM disk
when: not vm_disk_stat.stat.exists when: not vm_disk_stat.stat.exists
delegate_to: localhost delegate_to: localhost
ansible.builtin.command: qemu-img create -f qcow2 {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2 {{ vm_size }}G command: "qemu-img create -f qcow2 {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2 {{ vm_size }}G"
- name: Generate Random MAC Address - name: Generate Random MAC Address
delegate_to: localhost delegate_to: localhost
ansible.builtin.shell: openssl rand -hex 5 | sed 's/\(..\)/\1:/g; s/.$//' | sed 's/^/02:/' shell: openssl rand -hex 5 | sed 's/\(..\)/\1:/g; s/.$//' | sed 's/^/02:/'
changed_when: false changed_when: false
register: mac_address_output register: mac_address_output
- name: Render cloud config templates - name: Render cloud config templates
delegate_to: localhost delegate_to: localhost
ansible.builtin.template: template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: /tmp/{{ item.dest_prefix }}-{{ hostname }}.yml dest: "/tmp/{{ item.dest_prefix }}-{{ hostname }}.yml"
loop: loop:
- { src: cloud-user-data.yml.j2, dest_prefix: cloud-user-data } - { src: "cloud-user-data.yml.j2", dest_prefix: "cloud-user-data" }
- { src: cloud-network-config.yml.j2, dest_prefix: cloud-network-config } - { src: "cloud-network-config.yml.j2", dest_prefix: "cloud-network-config" }
- name: Create cloud-init disk - name: Create cloud-init disk
delegate_to: localhost delegate_to: localhost
ansible.builtin.command: cloud-localds {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso /tmp/cloud-user-data-{{ hostname }}.yml -N command: "cloud-localds {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso /tmp/cloud-user-data-{{ hostname }}.yml -N /tmp/cloud-network-config-{{ hostname }}.yml"
/tmp/cloud-network-config-{{ hostname }}.yml
- name: Create VM using libvirt - name: Create VM using libvirt
delegate_to: localhost delegate_to: localhost
@ -36,7 +34,7 @@
command: define command: define
xml: "{{ lookup('template', 'vm.xml.j2') }}" xml: "{{ lookup('template', 'vm.xml.j2') }}"
- name: Start vm - name: start vm
delegate_to: localhost delegate_to: localhost
community.libvirt.virt: community.libvirt.virt:
name: "{{ hostname }}" name: "{{ hostname }}"
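Review bot: "Render cloud config templates" writes the rendered user-data and network-config to `/tmp/...-{{ hostname }}.yml` on the controller with no `mode`, and nothing removes them after "Create cloud-init disk" has consumed them; the templates are not shown here, but given the user password and public key this play collects, the user-data presumably carries account credentials, which then stay readable by any local user on the controller under the default umask. Add `mode: "0600"` to the template task and a final `file: { path: ..., state: absent }` cleanup, or render into a directory obtained from `tempfile` instead of a fixed `/tmp` name. The "Create VM using libvirt" task is split across the gap between the two hunks, so its full argument list is not visible.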


@ -1,3 +1,2 @@
---
- name: Create Virtual Machine - name: Create Virtual Machine
ansible.builtin.include_tasks: "{{ hypervisor }}.yml" include_tasks: "{{ hypervisor }}.yml"


@ -1,49 +1,48 @@
---
- name: Deploy VM on Proxmox - name: Deploy VM on Proxmox
delegate_to: localhost delegate_to: localhost
community.general.proxmox_kvm: proxmox_kvm:
api_host: "{{ hypervisor_url }}" api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}" api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}" api_password: "{{ hypervisor_password }}"
ciuser: "{{ user_name }}" ciuser: "{{ user_name }}"
cipassword: "{{ user_password }}" cipassword: "{{ user_password }}"
node: "{{ hypervisor_node }}" # Proxmox node name node: "{{ hypervisor_node }}" # Proxmox node name
vmid: "{{ vm_id }}" # Unique ID for the VM vmid: "{{ vm_id }}" # Unique ID for the VM
name: "{{ hostname }}" # Name of the VM name: "{{ hostname }}" # Name of the VM
cpu: host cpu: "host"
cores: "{{ vm_cpus }}" # Number of CPU cores cores: "{{ vm_cpus }}" # Number of CPU cores
memory: "{{ vm_memory }}" # Memory size in MB memory: "{{ vm_memory }}" # Memory size in MB
balloon: "{{ vm_ballo | default(omit) }}" # Minimum Memory size in MB balloon: "{{ vm_ballo | default(omit) }}" # Minimum Memory size in MB
numa_enabled: true numa_enabled: true
hotplug: network,disk hotplug: "network,disk"
bios: ovmf bios: ovmf
boot: ac boot: "ac"
scsihw: virtio-scsi-single scsihw: "virtio-scsi-single"
scsi: scsi:
scsi0: "{{ hypervisor_storage }}:{{ vm_size }}" # Disk configuration scsi0: "{{ hypervisor_storage }}:{{ vm_size }}" # Disk configuration
efidisk0: efidisk0:
efitype: 4m efitype: "4m"
format: raw format: "raw"
pre_enrolled_keys: false pre_enrolled_keys: false
storage: "{{ hypervisor_storage }}" storage: "{{ hypervisor_storage }}"
ide: ide:
ide0: "{{ boot_iso }},media=cdrom" ide0: "{{ boot_iso }},media=cdrom"
ide1: "{{ hypervisor_storage }}:cloudinit" ide1: "{{ hypervisor_storage }}:cloudinit"
net: net:
net0: virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %} net0: "virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %}"
ipconfig: ipconfig:
ipconfig0: ip={{ vm_ip }},gw={{ vm_gw }} ipconfig0: "ip={{ vm_ip }},gw={{ vm_gw }}"
nameservers: "{{ vm_dns }}" nameservers: "{{ vm_dns }}"
onboot: true # Start the VM on boot onboot: true # Start the VM on boot
state: present # Ensure the VM is present state: present # Ensure the VM is present
- name: Start VM on Proxmox - name: Start VM on Proxmox
delegate_to: localhost delegate_to: localhost
community.general.proxmox_kvm: proxmox_kvm:
api_host: "{{ hypervisor_url }}" api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}" api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}" api_password: "{{ hypervisor_password }}"
node: "{{ hypervisor_node }}" node: "{{ hypervisor_node }}"
name: "{{ hostname }}" name: "{{ hostname }}"
vmid: "{{ vm_id }}" vmid: "{{ vm_id }}"
state: started # Ensure the VM is present state: started # Ensure the VM is present
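Review bot: Both `proxmox_kvm` tasks send `api_password` (and the first one `cipassword`) to `hypervisor_url` without setting `validate_certs`, which this module defaults to false, so the API credentials and the cloud-init password travel over a TLS session whose certificate is never checked; add `validate_certs: true` to both tasks (and, if the Proxmox host uses a private CA, install that CA on the controller rather than disabling validation). Using `api_token_id`/`api_token_secret` instead of `api_password` would avoid shipping the account password at all. If the installed community.general version does not mark `cipassword` as no_log, also add `no_log: true` to "Deploy VM on Proxmox" so the password does not appear in verbose output.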


@ -1,16 +1,15 @@
---
- name: Create VM in vCenter - name: Create VM in vCenter
delegate_to: localhost delegate_to: localhost
community.vmware.vmware_guest: vmware_guest:
hostname: "{{ hypervisor_url }}" hostname: "{{ hypervisor_url }}"
username: "{{ hypervisor_username }}" username: "{{ hypervisor_username }}"
password: "{{ hypervisor_password }}" password: "{{ hypervisor_password }}"
validate_certs: false validate_certs: no
datacenter: "{{ hypervisor_cluster }}" datacenter: "{{ hypervisor_cluster }}"
cluster: "{{ hypervisor_node }}" cluster: "{{ hypervisor_node }}"
folder: "{{ vm_path }}" folder: "{{ vm_path }}"
name: "{{ hostname }}" name: "{{ hostname }}"
guest_id: otherGuest64 guest_id: "otherGuest64"
state: poweredon state: poweredon
disk: disk:
- size_gb: "{{ vm_size }}" - size_gb: "{{ vm_size }}"
@ -19,16 +18,16 @@
hardware: hardware:
memory_mb: "{{ vm_memory }}" memory_mb: "{{ vm_memory }}"
num_cpus: "{{ vm_cpus }}" num_cpus: "{{ vm_cpus }}"
boot_firmware: efi boot_firmware: "efi"
secure_boot: false secure_boot: false
cdrom: cdrom:
- controller_number: 0 - controller_number: 0
unit_number: 0 unit_number: 0
controller_type: sata controller_type: "sata"
state: present state: present
type: iso type: iso
iso_path: "{{ boot_iso }}" iso_path: "{{ boot_iso }}"
networks: networks:
- vlan: "{{ vlan_name }}" - vlan: "{{ vlan_name }}"
type: dhcp type: dhcp
ignore_errors: true ignore_errors: yes
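Review bot: `ignore_errors: yes` on the whole "Create VM in vCenter" task masks any failure of the VM creation (wrong credentials, missing `boot_iso`, an unknown folder or VLAN), after which the play would presumably go on to wait for a host that never came up; if one specific outcome is meant to be tolerated, narrow it with `failed_when`, or `register: vcenter_vm` and check `vcenter_vm.failed` before continuing. `validate_certs: no` likewise disables certificate checking for the `password` login to `hypervisor_url`; with a private CA, install it on the controller and set `validate_certs: true`. The task's `disk`/`hardware` keys span the gap between the two hunks, so the full task is not visible.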