Compare commits
4 Commits
43ce280d11
...
06ca8d8787
Author | SHA1 | Date | |
---|---|---|---|
06ca8d8787 | |||
374b5fc7ef | |||
6bfd530c90 | |||
b077e549db |
105
main.yml
105
main.yml
@ -5,87 +5,86 @@
|
|||||||
gather_facts: false
|
gather_facts: false
|
||||||
become: true
|
become: true
|
||||||
vars_prompt:
|
vars_prompt:
|
||||||
- name: user_name
|
- name: user_name
|
||||||
prompt: |
|
prompt: |
|
||||||
What is your username?
|
What is your username?
|
||||||
private: false
|
private: false
|
||||||
|
|
||||||
- name: user_password
|
- name: user_password
|
||||||
prompt: |
|
prompt: |
|
||||||
What is your password?
|
What is your password?
|
||||||
confirm: true
|
confirm: true
|
||||||
|
|
||||||
- name: root_password
|
- name: root_password
|
||||||
prompt: |
|
prompt: |
|
||||||
What is your root password?
|
What is your root password?
|
||||||
confirm: true
|
confirm: true
|
||||||
|
|
||||||
- name: hypervisor
|
- name: hypervisor
|
||||||
prompt: |
|
prompt: |
|
||||||
Select an Hypervisor:
|
Select an Hypervisor:
|
||||||
- libvirt
|
- libvirt
|
||||||
- proxmox
|
- proxmox
|
||||||
- vmware
|
- vmware
|
||||||
private: false
|
private: false
|
||||||
default: "proxmox"
|
default: proxmox
|
||||||
|
|
||||||
- name: install_drive
|
- name: install_drive
|
||||||
prompt: |
|
prompt: |
|
||||||
"Enter the drive to install the system (default: /dev/sda)"
|
"Enter the drive to install the system (default: /dev/sda)"
|
||||||
confirm: true
|
confirm: true
|
||||||
private: false
|
private: false
|
||||||
default: "/dev/sda"
|
default: /dev/sda
|
||||||
vars_files: vars.yml
|
vars_files: vars.yml
|
||||||
pre_tasks:
|
pre_tasks:
|
||||||
- name: Set ansible_python_interpreter
|
- name: Set ansible_python_interpreter
|
||||||
when: os | lower in ["almalinux", "rhel9", "rhel8", "rocky"]
|
when: os | lower in ["almalinux", "rhel9", "rhel8", "rocky"]
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
ansible_python_interpreter: /usr/bin/python3
|
ansible_python_interpreter: /usr/bin/python3
|
||||||
|
|
||||||
- name: Validate variables
|
- name: Validate variables
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- hypervisor in ["libvirt", "proxmox", "vmware", "none"]
|
- hypervisor in ["libvirt", "proxmox", "vmware", "none"]
|
||||||
- filesystem in ["btrfs", "ext4", "xfs"]
|
- filesystem in ["btrfs", "ext4", "xfs"]
|
||||||
- os in ["archlinux", "almalinux", "debian11", "debian12", "fedora", "rocky", "ubuntu", "ubuntu-lts"]
|
- os in ["archlinux", "almalinux", "debian11", "debian12", "fedora", "rocky", "ubuntu", "ubuntu-lts"]
|
||||||
fail_msg: "Invalid input specified, please try again"
|
fail_msg: Invalid input specified, please try again
|
||||||
|
|
||||||
- name: Set connection
|
- name: Set connection
|
||||||
when: hypervisor == "vmware"
|
when: hypervisor == "vmware"
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
ansible_connection: vmware_tools
|
ansible_connection: vmware_tools
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
|
- role: virtualization
|
||||||
|
when: install_type == "virtual"
|
||||||
|
become: false
|
||||||
|
vars:
|
||||||
|
ansible_connection: local
|
||||||
|
|
||||||
- role: virtualization
|
- role: environment
|
||||||
when: install_type == "virtual"
|
vars:
|
||||||
become: false
|
ansible_connection: "{{ 'vmware_tools' if hypervisor == 'vmware' else 'ssh' }}"
|
||||||
vars:
|
|
||||||
ansible_connection: local
|
|
||||||
|
|
||||||
- role: environment
|
- role: partitioning
|
||||||
vars:
|
vars:
|
||||||
ansible_connection: "{{ 'vmware_tools' if hypervisor == 'vmware' else 'ssh' }}"
|
boot_partition_suffix: 1
|
||||||
|
main_partition_suffix: 2
|
||||||
|
|
||||||
- role: partitioning
|
- role: bootstrap
|
||||||
vars:
|
|
||||||
boot_partition_suffix: 1
|
|
||||||
main_partition_suffix: 2
|
|
||||||
|
|
||||||
- role: bootstrap
|
- role: configuration
|
||||||
|
|
||||||
- role: configuration
|
- role: cis
|
||||||
|
when: cis == true
|
||||||
|
|
||||||
- role: cis
|
- role: cleanup
|
||||||
when: cis == true
|
when: install_type == "virtual"
|
||||||
|
vars:
|
||||||
- role: cleanup
|
ansible_connection: local
|
||||||
when: install_type == "virtual"
|
|
||||||
vars:
|
|
||||||
ansible_connection: local
|
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Reboot system
|
- name: Reboot system
|
||||||
when: hypervisor != "libvirt"
|
when: hypervisor != "libvirt"
|
||||||
command: reboot
|
ansible.builtin.command: reboot
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
|
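Review bot: The new `install_drive` prompt (default `/dev/sda`) is the only prompted value the `Validate variables` assert does not check, yet it is passed straight into the bootloader command as `-d "{{ install_drive }}"` further down this page and, given the `boot_partition_suffix`/`main_partition_suffix` vars, presumably into the partitioning role, so an empty or mistyped value only fails deep into the run after the disk may already have been touched. Add `- install_drive is match('^/dev/[A-Za-z0-9/_.-]+$')` to the `that:` list so the existing `fail_msg` covers it too. The literal block under `prompt: |` for that entry keeps its surrounding double quotes, so the operator sees `"Enter the drive …"` quotes included; `prompt: "Enter the drive to install the system (default: /dev/sda)"` is cleaner. The play header (`name:`/`hosts:`) sits above this hunk.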
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
- name: Include Packages
|
- name: Include Packages
|
||||||
include_vars:
|
ansible.builtin.include_vars:
|
||||||
file: packages.yml
|
file: packages.yml
|
||||||
name: role_packages
|
name: role_packages
|
||||||
|
|
||||||
@ -8,11 +8,10 @@
|
|||||||
block:
|
block:
|
||||||
- name: Bootstrap ArchLinux
|
- name: Bootstrap ArchLinux
|
||||||
when: os | lower == 'archlinux'
|
when: os | lower == 'archlinux'
|
||||||
command: pacstrap /mnt {{ role_packages.archlinux | join(' ') }} --asexplicit
|
ansible.builtin.command: pacstrap /mnt {{ role_packages.archlinux | join(' ') }} --asexplicit
|
||||||
|
|
||||||
- name: Bootstrap Debian System
|
- name: Bootstrap Debian System
|
||||||
when: os | lower in ['debian11', 'debian12']
|
when: os | lower in ['debian11', 'debian12']
|
||||||
shell: "{{ item }}"
|
ansible.builtin.command: "{{ item }}"
|
||||||
with_items:
|
with_items:
|
||||||
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }} /mnt http://deb.debian.org/debian/
|
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }} /mnt http://deb.debian.org/debian/
|
||||||
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
|
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
|
||||||
@ -20,7 +19,7 @@
|
|||||||
|
|
||||||
- name: Bootstrap Ubuntu System
|
- name: Bootstrap Ubuntu System
|
||||||
when: os | lower in ['ubuntu', 'ubuntu-lts']
|
when: os | lower in ['ubuntu', 'ubuntu-lts']
|
||||||
shell: "{{ item }}"
|
ansible.builtin.command: "{{ item }}"
|
||||||
with_items:
|
with_items:
|
||||||
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'mantic' if os == 'ubuntu' else 'jammy' }} /mnt http://archive.ubuntu.com/ubuntu/
|
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'mantic' if os == 'ubuntu' else 'jammy' }} /mnt http://archive.ubuntu.com/ubuntu/
|
||||||
- arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
|
- arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
|
||||||
@ -29,7 +28,7 @@
|
|||||||
|
|
||||||
- name: Bootstrap AlmaLinux 9
|
- name: Bootstrap AlmaLinux 9
|
||||||
when: os | lower == 'almalinux'
|
when: os | lower == 'almalinux'
|
||||||
shell: "{{ item }}"
|
ansible.builtin.command: "{{ item }}"
|
||||||
with_items:
|
with_items:
|
||||||
- dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
|
- dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
|
||||||
- echo "nameserver 1.0.0.1" > /mnt/etc/resolv.conf
|
- echo "nameserver 1.0.0.1" > /mnt/etc/resolv.conf
|
||||||
@ -37,7 +36,7 @@
|
|||||||
|
|
||||||
- name: Bootstrap Fedora 40
|
- name: Bootstrap Fedora 40
|
||||||
when: os | lower == 'fedora'
|
when: os | lower == 'fedora'
|
||||||
shell: "{{ item }}"
|
ansible.builtin.command: "{{ item }}"
|
||||||
with_items:
|
with_items:
|
||||||
- dnf --releasever=40 --best --repo=fedora --repo=fedora-updates --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
|
- dnf --releasever=40 --best --repo=fedora --repo=fedora-updates --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
|
||||||
- arch-chroot /mnt dnf --releasever=40 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }}
|
- arch-chroot /mnt dnf --releasever=40 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }}
|
||||||
@ -45,7 +44,7 @@
|
|||||||
|
|
||||||
- name: Bootstrap RockyLinux 9
|
- name: Bootstrap RockyLinux 9
|
||||||
when: os | lower == 'rocky'
|
when: os | lower == 'rocky'
|
||||||
shell: "{{ item }}"
|
ansible.builtin.command: "{{ item }}"
|
||||||
with_items:
|
with_items:
|
||||||
- dnf --releasever=9 --best --repo=rocky-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
|
- dnf --releasever=9 --best --repo=rocky-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
|
||||||
- echo "nameserver 1.0.0.1" > /mnt/etc/resolv.conf
|
- echo "nameserver 1.0.0.1" > /mnt/etc/resolv.conf
|
||||||
@ -53,8 +52,8 @@
|
|||||||
|
|
||||||
- name: Bootstrap RHEL System
|
- name: Bootstrap RHEL System
|
||||||
when: os | lower in ['rhel8', 'rhel9']
|
when: os | lower in ['rhel8', 'rhel9']
|
||||||
shell: "{{ item }}"
|
ansible.builtin.command: "{{ item }}"
|
||||||
with_items:
|
with_items:
|
||||||
- "dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core"
|
- dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
|
||||||
- "echo 'nameserver 1.0.0.1' > /mnt/etc/resolv.conf"
|
- echo 'nameserver 1.0.0.1' > /mnt/etc/resolv.conf
|
||||||
- "arch-chroot /mnt dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --setopt=install_weak_deps=False install -y {{ role_packages[os] | join(' ') }}"
|
- arch-chroot /mnt dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --setopt=install_weak_deps=False install -y {{ role_packages[os] | join(' ') }}
|
||||||
|
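Review bot: Switching the `Bootstrap AlmaLinux 9`, `Bootstrap RockyLinux 9` and `Bootstrap RHEL System` tasks from `shell` to `ansible.builtin.command: "{{ item }}"` breaks their `echo "nameserver 1.0.0.1" > /mnt/etc/resolv.conf` item: the command module does not spawn a shell, so `>` and the path become literal arguments to `echo`, nothing is written, and the chroot is left without a resolver for the in-chroot `dnf … install` that follows (visible as the third RHEL item). The `dnf` and `arch-chroot` items are fine under `command`; only the redirect needs a shell. Either keep `ansible.builtin.shell: "{{ item }}"` for these three tasks, or replace that item with an `ansible.builtin.copy` task writing `content: "nameserver 1.0.0.1\n"` to `dest: /mnt/etc/resolv.conf`, which is idempotent and avoids the shell entirely. The enclosing `block:` of this role starts above the first hunk shown here.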
@ -1,3 +1,4 @@
|
|||||||
|
---
|
||||||
almalinux:
|
almalinux:
|
||||||
- bind-utils
|
- bind-utils
|
||||||
- cloud-init
|
- cloud-init
|
||||||
@ -304,4 +305,4 @@ ubuntu-lts:
|
|||||||
- tcpd
|
- tcpd
|
||||||
- vim
|
- vim
|
||||||
- wget
|
- wget
|
||||||
- zstd
|
- zstd
|
||||||
|
@ -1,7 +1,8 @@
|
|||||||
|
---
|
||||||
- name: Configurationg System for CIS conformity
|
- name: Configurationg System for CIS conformity
|
||||||
block:
|
block:
|
||||||
- name: Disable Kernel Modules
|
- name: Disable Kernel Modules
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
dest: /mnt/etc/modprobe.d/cis.conf
|
dest: /mnt/etc/modprobe.d/cis.conf
|
||||||
content: |
|
content: |
|
||||||
CIS LVL 3 Restrictions
|
CIS LVL 3 Restrictions
|
||||||
@ -19,7 +20,7 @@
|
|||||||
install tipc /bin/true
|
install tipc /bin/true
|
||||||
|
|
||||||
- name: Create USB Rules
|
- name: Create USB Rules
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh
|
dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh
|
||||||
content: |
|
content: |
|
||||||
By default, disable all.
|
By default, disable all.
|
||||||
@ -35,7 +36,7 @@
|
|||||||
ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
|
ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
|
||||||
|
|
||||||
- name: Create a consolidated sysctl configuration file
|
- name: Create a consolidated sysctl configuration file
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
dest: /mnt/etc/sysctl.d/10-cis.conf
|
dest: /mnt/etc/sysctl.d/10-cis.conf
|
||||||
content: |
|
content: |
|
||||||
## CIS Sysctl configurations
|
## CIS Sysctl configurations
|
||||||
@ -66,10 +67,10 @@
|
|||||||
# - { regexp: '^UMASK.*', replace: 'UMASK 027' }
|
# - { regexp: '^UMASK.*', replace: 'UMASK 027' }
|
||||||
|
|
||||||
- name: Ensure files exist
|
- name: Ensure files exist
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ item }}"
|
path: "{{ item }}"
|
||||||
state: touch
|
state: touch
|
||||||
mode: '0600'
|
mode: "0600"
|
||||||
loop:
|
loop:
|
||||||
- /mnt/etc/at.allow
|
- /mnt/etc/at.allow
|
||||||
- /mnt/etc/cron.allow
|
- /mnt/etc/cron.allow
|
||||||
@ -77,82 +78,87 @@
|
|||||||
- /mnt/etc/hosts.deny
|
- /mnt/etc/hosts.deny
|
||||||
|
|
||||||
- name: Add Security related lines into config files
|
- name: Add Security related lines into config files
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: "{{ item.path }}"
|
path: "{{ item.path }}"
|
||||||
line: "{{ item.content }}"
|
line: "{{ item.content }}"
|
||||||
loop:
|
loop:
|
||||||
- { path: '/mnt/etc/security/limits.conf', content: '* hard core 0' }
|
- { path: /mnt/etc/security/limits.conf, content: "* hard core 0" }
|
||||||
- { path: '/mnt/etc/security/pwquality.conf', content: 'minlen = 14' }
|
- { path: /mnt/etc/security/pwquality.conf, content: minlen = 14 }
|
||||||
- { path: '/mnt/etc/security/pwquality.conf', content: 'dcredit = -1' }
|
- { path: /mnt/etc/security/pwquality.conf, content: dcredit = -1 }
|
||||||
- { path: '/mnt/etc/security/pwquality.conf', content: 'ucredit = -1' }
|
- { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 }
|
||||||
- { path: '/mnt/etc/security/pwquality.conf', content: 'ocredit = -1' }
|
- { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 }
|
||||||
- { path: '/mnt/etc/security/pwquality.conf', content: 'lcredit = -1' }
|
- { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 }
|
||||||
- { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: 'umask 077' }
|
- { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: umask 077 }
|
||||||
- { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: 'export TMOUT=3000' }
|
- { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: export TMOUT=3000 }
|
||||||
- { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: 'Storage=persistent' }
|
- { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent }
|
||||||
- { path: '/mnt/etc/sudoers', content: 'Defaults logfile="/var/log/sudo.log"' }
|
- { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" }
|
||||||
- { path: '/mnt/etc/pam.d/su', content: 'auth required pam_wheel.so' }
|
- { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
|
||||||
- { path: '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}', content: 'auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900' }
|
- path: /mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth"
|
||||||
- { path: '/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}', content: 'account required pam_faillock.so' }
|
}}
|
||||||
- { path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}', content: 'password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5' }
|
content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900
|
||||||
- { path: '/mnt/etc/hosts.deny', content: 'ALL: ALL' }
|
- path: /mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else
|
||||||
- { path: '/mnt/etc/hosts.allow', content: 'sshd: ALL' }
|
"pam.d/system-auth" }}
|
||||||
|
content: account required pam_faillock.so
|
||||||
|
- path: /mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}
|
||||||
|
content: password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
|
||||||
|
- { path: /mnt/etc/hosts.deny, content: "ALL: ALL" }
|
||||||
|
- { path: /mnt/etc/hosts.allow, content: "sshd: ALL" }
|
||||||
|
|
||||||
- name: Set permissions for various files and directories
|
- name: Set permissions for various files and directories
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ item.path }}"
|
path: "{{ item.path }}"
|
||||||
owner: "{{ item.owner | default(omit) }}"
|
owner: "{{ item.owner | default(omit) }}"
|
||||||
group: "{{ item.group | default(omit) }}"
|
group: "{{ item.group | default(omit) }}"
|
||||||
mode: "{{ item.mode }}"
|
mode: "{{ item.mode }}"
|
||||||
loop:
|
loop:
|
||||||
- { path: '/mnt/etc/ssh/sshd_config', mode: '0600' }
|
- { path: /mnt/etc/ssh/sshd_config, mode: "0600" }
|
||||||
- { path: '/mnt/etc/cron.hourly', mode: '0700' }
|
- { path: /mnt/etc/cron.hourly, mode: "0700" }
|
||||||
- { path: '/mnt/etc/cron.daily', mode: '0700' }
|
- { path: /mnt/etc/cron.daily, mode: "0700" }
|
||||||
- { path: '/mnt/etc/cron.weekly', mode: '0700' }
|
- { path: /mnt/etc/cron.weekly, mode: "0700" }
|
||||||
- { path: '/mnt/etc/cron.monthly', mode: '0700' }
|
- { path: /mnt/etc/cron.monthly, mode: "0700" }
|
||||||
- { path: '/mnt/etc/cron.d', mode: '0700' }
|
- { path: /mnt/etc/cron.d, mode: "0700" }
|
||||||
- { path: '/mnt/etc/crontab', mode: '0600' }
|
- { path: /mnt/etc/crontab, mode: "0600" }
|
||||||
- { path: '/mnt/etc/logrotate.conf', mode: '0644' }
|
- { path: /mnt/etc/logrotate.conf, mode: "0644" }
|
||||||
- { path: '/mnt/usr/sbin/pppd', mode: '754' }
|
- { path: /mnt/usr/sbin/pppd, mode: "754" }
|
||||||
- { path: '/mnt/usr/bin/{{ "fusermount3" if os in ["archlinux", "debian12", "fedora"] else "fusermount" }}', mode: '755' }
|
- { path: '/mnt/usr/bin/{{ "fusermount3" if os in ["archlinux", "debian12", "fedora"] else "fusermount" }}', mode: "755" }
|
||||||
- { path: '/mnt/usr/bin/{{ "write.ul" if os == "debian11" else "write" }}', mode: '755' }
|
- { path: '/mnt/usr/bin/{{ "write.ul" if os == "debian11" else "write" }}', mode: "755" }
|
||||||
|
|
||||||
- name: Adjust SSHD config
|
- name: Adjust SSHD config
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /mnt/etc/ssh/sshd_config
|
path: /mnt/etc/ssh/sshd_config
|
||||||
regexp: '^\s*#?{{ item.option }}\s+.*$'
|
regexp: ^\s*#?{{ item.option }}\s+.*$
|
||||||
line: '{{ item.option }} {{ item.value }}'
|
line: "{{ item.option }} {{ item.value }}"
|
||||||
with_items:
|
with_items:
|
||||||
- {option: 'LogLevel', value: 'VERBOSE'}
|
- { option: LogLevel, value: VERBOSE }
|
||||||
- {option: 'LoginGraceTime', value: '60'}
|
- { option: LoginGraceTime, value: "60" }
|
||||||
- {option: 'PermitRootLogin', value: 'no'}
|
- { option: PermitRootLogin, value: "no" }
|
||||||
- {option: 'StrictModes', value: 'yes'}
|
- { option: StrictModes, value: "yes" }
|
||||||
- {option: 'MaxAuthTries', value: '4'}
|
- { option: MaxAuthTries, value: "4" }
|
||||||
- {option: 'MaxSessions', value: '10'}
|
- { option: MaxSessions, value: "10" }
|
||||||
- {option: 'MaxStartups', value: '10:30:60'}
|
- { option: MaxStartups, value: 10:30:60 }
|
||||||
- {option: 'PubkeyAuthentication', value: 'yes'}
|
- { option: PubkeyAuthentication, value: "yes" }
|
||||||
- {option: 'HostbasedAuthentication', value: 'no'}
|
- { option: HostbasedAuthentication, value: "no" }
|
||||||
- {option: 'IgnoreRhosts', value: 'yes'}
|
- { option: IgnoreRhosts, value: "yes" }
|
||||||
- {option: 'PasswordAuthentication', value: 'no'}
|
- { option: PasswordAuthentication, value: "no" }
|
||||||
- {option: 'PermitEmptyPasswords', value: 'no'}
|
- { option: PermitEmptyPasswords, value: "no" }
|
||||||
- {option: 'KerberosAuthentication', value: 'no'}
|
- { option: KerberosAuthentication, value: "no" }
|
||||||
- {option: 'GSSAPIAuthentication', value: 'no'}
|
- { option: GSSAPIAuthentication, value: "no" }
|
||||||
- {option: 'GSSAPIKeyExchange', value: 'no'}
|
- { option: GSSAPIKeyExchange, value: "no" }
|
||||||
- {option: 'AllowAgentForwarding', value: 'no'}
|
- { option: AllowAgentForwarding, value: "no" }
|
||||||
- {option: 'AllowTcpForwarding', value: 'no'}
|
- { option: AllowTcpForwarding, value: "no" }
|
||||||
- {option: 'ChallengeResponseAuthentication', value: 'no'}
|
- { option: ChallengeResponseAuthentication, value: "no" }
|
||||||
- {option: 'GatewayPorts', value: 'no'}
|
- { option: GatewayPorts, value: "no" }
|
||||||
- {option: 'X11Forwarding', value: 'no'}
|
- { option: X11Forwarding, value: "no" }
|
||||||
- {option: 'PermitUserEnvironment', value: 'no'}
|
- { option: PermitUserEnvironment, value: "no" }
|
||||||
- {option: 'ClientAliveInterval', value: '300'}
|
- { option: ClientAliveInterval, value: "300" }
|
||||||
- {option: 'ClientAliveCountMax', value: '0'}
|
- { option: ClientAliveCountMax, value: "0" }
|
||||||
- {option: 'PermitTunnel', value: 'no'}
|
- { option: PermitTunnel, value: "no" }
|
||||||
- {option: 'Banner', value: '/etc/issue.net'}
|
- { option: Banner, value: /etc/issue.net }
|
||||||
|
|
||||||
- name: Append CIS Specific configurations to sshd_config
|
- name: Append CIS Specific configurations to sshd_config
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /mnt/etc/ssh/sshd_config
|
path: /mnt/etc/ssh/sshd_config
|
||||||
line: |
|
line: |2-
|
||||||
|
|
||||||
## CIS Specific
|
## CIS Specific
|
||||||
Protocol 2
|
Protocol 2
|
||||||
@ -170,4 +176,4 @@
|
|||||||
AllowUsers svcansible
|
AllowUsers svcansible
|
||||||
AllowGroups *
|
AllowGroups *
|
||||||
DenyUsers nobody
|
DenyUsers nobody
|
||||||
DenyGroups nobody
|
DenyGroups nobody
|
||||||
|
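Review bot: The `Create USB Rules` task writes to `dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh`, but udev only loads files with the `.rules` extension from rules.d, so the USB allow-list written there is silently ignored on the installed system; rename it to `dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.rules`. In the `Adjust SSHD config` loop, `value: 10:30:60` (MaxStartups) is left as a plain scalar while the neighbouring numeric values were quoted in this same change; quote it as `value: "10:30:60"` so no YAML 1.1 loader or reformatter can retype a colon-separated value. The pam_faillock `path:` entries are now multi-line plain scalars whose continuation lines (`}}`, `"pam.d/system-auth" }}`) fold into the value only if their indentation is deeper than the key, and the stripped gutter hides that here, so it is worth confirming the rendered path is still a single string. The enclosing `Configurationg System for CIS conformity` block spans all hunks of this file.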
@ -1,3 +1,4 @@
|
|||||||
|
---
|
||||||
- name: Setup Cleanup
|
- name: Setup Cleanup
|
||||||
when: hypervisor == "proxmox"
|
when: hypervisor == "proxmox"
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
@ -20,17 +21,17 @@
|
|||||||
when: hypervisor == "vmware"
|
when: hypervisor == "vmware"
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
vmware_guest:
|
community.vmware.vmware_guest:
|
||||||
hostname: "{{ hypervisor_url }}"
|
hostname: "{{ hypervisor_url }}"
|
||||||
username: "{{ hypervisor_username }}"
|
username: "{{ hypervisor_username }}"
|
||||||
password: "{{ hypervisor_password }}"
|
password: "{{ hypervisor_password }}"
|
||||||
validate_certs: no
|
validate_certs: false
|
||||||
datacenter: "{{ hypervisor_cluster }}"
|
datacenter: "{{ hypervisor_cluster }}"
|
||||||
name: "{{ hostname }}"
|
name: "{{ hostname }}"
|
||||||
cdrom:
|
cdrom:
|
||||||
- controller_number: 0
|
- controller_number: 0
|
||||||
unit_number: 0
|
unit_number: 0
|
||||||
controller_type: "sata"
|
controller_type: sata
|
||||||
type: iso
|
type: iso
|
||||||
iso_path: "{{ boot_iso }}"
|
iso_path: "{{ boot_iso }}"
|
||||||
state: absent
|
state: absent
|
||||||
@ -46,22 +47,22 @@
|
|||||||
state: shutdown
|
state: shutdown
|
||||||
|
|
||||||
- name: Remove cloud-init disk
|
- name: Remove cloud-init disk
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso"
|
path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso"
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
- name: Get list of CD-ROM devices
|
- name: Get list of CD-ROM devices
|
||||||
shell: virsh --connect qemu:///system domblklist {{ hostname }} --details | grep 'cdrom' | awk '{print $3}'
|
ansible.builtin.shell: virsh --connect qemu:///system domblklist {{ hostname }} --details | grep 'cdrom' | awk '{print $3}'
|
||||||
changed_when: false
|
changed_when: false
|
||||||
register: cdrom_devices
|
register: cdrom_devices
|
||||||
|
|
||||||
- name: Wait for VM to spin down
|
- name: Wait for VM to spin down
|
||||||
wait_for:
|
ansible.builtin.wait_for:
|
||||||
timeout: 15
|
timeout: 15
|
||||||
|
|
||||||
- name: Remove CD-ROM devices
|
- name: Remove CD-ROM devices
|
||||||
when: cdrom_devices.stdout_lines | length > 0
|
when: cdrom_devices.stdout_lines | length > 0
|
||||||
command: virsh --connect qemu:///system detach-disk {{ hostname }} {{ item }} --persistent
|
ansible.builtin.command: virsh --connect qemu:///system detach-disk {{ hostname }} {{ item }} --persistent
|
||||||
with_items: "{{ cdrom_devices.stdout_lines }}"
|
with_items: "{{ cdrom_devices.stdout_lines }}"
|
||||||
|
|
||||||
- name: Start the VM
|
- name: Start the VM
|
||||||
@ -71,5 +72,5 @@
|
|||||||
|
|
||||||
- name: Wait for VM to boot up
|
- name: Wait for VM to boot up
|
||||||
delegate_to: "{{ inventory_hostname }}"
|
delegate_to: "{{ inventory_hostname }}"
|
||||||
wait_for_connection:
|
ansible.builtin.wait_for_connection:
|
||||||
timeout: 300
|
timeout: 300
|
||||||
|
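Review bot: `validate_certs: false` on the `community.vmware.vmware_guest` call is only restyled here (`no` → `false`) and still disables TLS verification while `password: "{{ hypervisor_password }}"` is sent to `hostname: "{{ hypervisor_url }}"`, so the hypervisor credentials are exposed to anyone able to interpose on that connection; prefer something like `validate_certs: "{{ hypervisor_validate_certs | default(true) }}"` with the vCenter CA trusted on the controller, making the insecure mode an explicit opt-in. The `Get list of CD-ROM devices` task still interpolates `{{ hostname }}` unquoted into an `ansible.builtin.shell` pipeline; `{{ hostname | quote }}` keeps an unusual hostname from being parsed as extra shell syntax. The `ignore_errors: true` on the vmware_guest task also hides a failed CD-ROM detach rather than the one expected error; a `failed_when` on the specific condition is tighter. The task list this belongs to starts above the `@ -20,17 +21,17 @@` hunk.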
@ -1,22 +1,22 @@
|
|||||||
|
---
|
||||||
- name: Configuration
|
- name: Configuration
|
||||||
block:
|
block:
|
||||||
- name: Generate fstab
|
- name: Generate fstab
|
||||||
shell: genfstab -LU /mnt > /mnt/etc/fstab
|
ansible.builtin.shell: genfstab -LU /mnt > /mnt/etc/fstab
|
||||||
|
|
||||||
- name: Append TempFS to fstab
|
- name: Append TempFS to fstab
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /mnt/etc/fstab
|
path: /mnt/etc/fstab
|
||||||
line: "{{ item }}"
|
line: "{{ item }}"
|
||||||
insertafter: EOF
|
insertafter: EOF
|
||||||
with_items:
|
with_items:
|
||||||
- ""
|
- ""
|
||||||
- "# TempFS"
|
- "# TempFS"
|
||||||
- "tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0"
|
- tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0
|
||||||
- "tmpfs /var/tmp tmpfs defaults,nosuid,nodev,noexec 0 0"
|
- tmpfs /var/tmp tmpfs defaults,nosuid,nodev,noexec 0 0
|
||||||
- "tmpfs /dev/shm tmpfs defaults,noexec 0 0"
|
- tmpfs /dev/shm tmpfs defaults,noexec 0 0
|
||||||
|
|
||||||
- name: Set local timezone
|
- name: Set local timezone
|
||||||
command: '{{ item }}'
|
ansible.builtin.command: "{{ item }}"
|
||||||
with_items:
|
with_items:
|
||||||
- systemctl daemon-reload
|
- systemctl daemon-reload
|
||||||
- arch-chroot /mnt ln -sf /usr/share/zoneinfo/Europe/Vienna /etc/localtime
|
- arch-chroot /mnt ln -sf /usr/share/zoneinfo/Europe/Vienna /etc/localtime
|
||||||
@ -25,154 +25,155 @@
|
|||||||
block:
|
block:
|
||||||
- name: Configure locale.gen
|
- name: Configure locale.gen
|
||||||
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
|
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /mnt/etc/locale.gen
|
dest: /mnt/etc/locale.gen
|
||||||
regexp: '{{ item.regex }}'
|
regexp: "{{ item.regex }}"
|
||||||
line: '{{ item.line }}'
|
line: "{{ item.line }}"
|
||||||
loop:
|
loop:
|
||||||
- {regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8}
|
- { regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8 }
|
||||||
|
|
||||||
- name: Generate locales\
|
- name: Generate locales\
|
||||||
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
|
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
|
||||||
command: arch-chroot /mnt /usr/sbin/locale-gen
|
ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen
|
||||||
|
|
||||||
- name: Set hostname
|
- name: Set hostname
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
content: "{{ hostname }}"
|
content: "{{ hostname }}"
|
||||||
dest: /mnt/etc/hostname
|
dest: /mnt/etc/hostname
|
||||||
|
|
||||||
- name: Add host entry to /etc/hosts
|
- name: Add host entry to /etc/hosts
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /mnt/etc/hosts
|
path: /mnt/etc/hosts
|
||||||
line: "{{ ansible_host }} {{ hostname }}"
|
line: "{{ ansible_host }} {{ hostname }}"
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Create vconsole.conf
|
- name: Create vconsole.conf
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
content: "KEYMAP=us-intl"
|
content: KEYMAP=us-intl
|
||||||
dest: /mnt/etc/vconsole.conf
|
dest: /mnt/etc/vconsole.conf
|
||||||
|
|
||||||
- name: Create locale.conf
|
- name: Create locale.conf
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
content: "LANG=en_US.UTF-8"
|
content: LANG=en_US.UTF-8
|
||||||
dest: /mnt/etc/locale.conf
|
dest: /mnt/etc/locale.conf
|
||||||
|
|
||||||
- name: SSH permit Password
|
- name: SSH permit Password
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
path: /mnt/etc/ssh/sshd_config
|
path: /mnt/etc/ssh/sshd_config
|
||||||
regexp: '#PasswordAuthentication yes'
|
regexp: "#PasswordAuthentication yes"
|
||||||
replace: 'PasswordAuthentication yes'
|
replace: PasswordAuthentication yes
|
||||||
|
|
||||||
- name: Enable Systemd Services
|
- name: Enable Systemd Services
|
||||||
block:
|
block:
|
||||||
- name: Enable sshd
|
- name: Enable sshd
|
||||||
when: os | lower == "archlinux"
|
when: os | lower == "archlinux"
|
||||||
command: arch-chroot /mnt systemctl enable sshd logrotate systemd-resolved systemd-timesyncd NetworkManager
|
ansible.builtin.command: arch-chroot /mnt systemctl enable sshd logrotate systemd-resolved systemd-timesyncd NetworkManager
|
||||||
|
|
||||||
- name: Configure grub
|
- name: Configure grub
|
||||||
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
|
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
|
||||||
block:
|
block:
|
||||||
- name: Add commandline information to grub config
|
- name: Add commandline information to grub config
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /mnt/etc/default/grub
|
dest: /mnt/etc/default/grub
|
||||||
regexp: ^GRUB_CMDLINE_LINUX_DEFAULT=
|
regexp: ^GRUB_CMDLINE_LINUX_DEFAULT=
|
||||||
line: 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3"'
|
line: GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3"
|
||||||
|
|
||||||
- name: Change Grub time
|
- name: Change Grub time
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /mnt/etc/default/grub
|
dest: /mnt/etc/default/grub
|
||||||
regexp: ^GRUB_TIMEOUT=
|
regexp: ^GRUB_TIMEOUT=
|
||||||
line: 'GRUB_TIMEOUT=1'
|
line: GRUB_TIMEOUT=1
|
||||||
|
|
||||||
- name: Configure Bootloader
|
- name: Configure Bootloader
|
||||||
block:
|
block:
|
||||||
- name: Install Bootloader
|
- name: Install Bootloader
|
||||||
command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}/usr/sbin/efibootmgr -c -L '{{ os }}' -d "{{ install_drive }}" -p 1 -l '\efi\EFI\{{ os }}\shimx64.efi'{% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{ "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }} --bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}{% endif %}
|
ansible.builtin.command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}/usr/sbin/efibootmgr -c
|
||||||
|
-L '{{ os }}' -d "{{ install_drive }}" -p 1 -l '\efi\EFI\{{ os }}\shimx64.efi'{% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{
|
||||||
|
"/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }} --bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}{%
|
||||||
|
endif %}
|
||||||
- name: Generate grub config
|
- name: Generate grub config
|
||||||
command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}/usr/sbin/grub2-mkconfig -o /boot/efi/EFI/{{ os }}/grub.cfg{% else %}/usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }}{% endif %}
|
ansible.builtin.command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}/usr/sbin/grub2-mkconfig
|
||||||
|
-o /boot/efi/EFI/{{ os }}/grub.cfg{% else %}/usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else
|
||||||
|
"/boot/grub/grub.cfg" }}{% endif %}
|
||||||
- name: Regenerate initramfs
|
- name: Regenerate initramfs
|
||||||
when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
|
when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
|
||||||
command: arch-chroot /mnt {% if os | lower == "archlinux" %}/usr/sbin/mkinitcpio -P{% elif os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts", "archlinux"] %}/usr/bin/dracut --regenerate-all --force{% else %}echo "Skipping initramfs regeneration"{% endif %}
|
ansible.builtin.command: arch-chroot /mnt {% if os | lower == "archlinux" %}/usr/sbin/mkinitcpio -P{% elif os | lower not in ["debian11", "debian12", "ubuntu",
|
||||||
|
"ubuntu-lts", "archlinux"] %}/usr/bin/dracut --regenerate-all --force{% else %}echo "Skipping initramfs regeneration"{% endif %}
|
||||||
- name: Extra Configuration
|
- name: Extra Configuration
|
||||||
block:
|
block:
|
||||||
- name: Append lines to vimrc
|
- name: Append lines to vimrc
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: "{{ '/mnt/etc/vim/vimrc' if os|lower in ['debian11' ,'debian12', 'ubuntu', 'ubuntu-lts'] else '/mnt/etc/vimrc' }}"
|
path: "{{ '/mnt/etc/vim/vimrc' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] else '/mnt/etc/vimrc' }}"
|
||||||
line: "{{ item }}"
|
line: "{{ item }}"
|
||||||
insertafter: EOF
|
insertafter: EOF
|
||||||
with_items:
|
with_items:
|
||||||
- "set encoding=utf-8"
|
- set encoding=utf-8
|
||||||
- "set number"
|
- set number
|
||||||
- "set autoindent"
|
- set autoindent
|
||||||
- "set smartindent"
|
- set smartindent
|
||||||
- "set mouse=a"
|
- set mouse=a
|
||||||
|
|
||||||
- name: Copy FirstRun Script
|
- name: Copy FirstRun Script
|
||||||
when: os | lower != "archlinux"
|
when: os | lower != "archlinux"
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: firstrun.sh.j2
|
src: firstrun.sh.j2
|
||||||
dest: /mnt/root/firstrun.sh
|
dest: /mnt/root/firstrun.sh
|
||||||
mode: '0755'
|
mode: "0755"
|
||||||
|
|
||||||
- name: Copy Custom Shell config
|
- name: Copy Custom Shell config
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: custom.sh.j2
|
src: custom.sh.j2
|
||||||
dest: /mnt/etc/profile.d/custom.sh
|
dest: /mnt/etc/profile.d/custom.sh
|
||||||
|
|
||||||
- name: Setup Network
|
- name: Setup Network
|
||||||
block:
|
block:
|
||||||
- name: Generate UUID for Network Profile
|
- name: Generate UUID for Network Profile
|
||||||
command: "uuidgen"
|
ansible.builtin.command: uuidgen
|
||||||
register: net_uuid
|
register: net_uuid
|
||||||
|
|
||||||
- name: Retrieve Network Interface Name
|
- name: Retrieve Network Interface Name
|
||||||
shell: "ip r | awk 'NR==1 {print $5}'"
|
ansible.builtin.shell: ip r | awk 'NR==1 {print $5}'
|
||||||
register: net_inf
|
register: net_inf
|
||||||
|
|
||||||
- name: Copy NetworkManager keyfile
|
- name: Copy NetworkManager keyfile
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: network.j2
|
src: network.j2
|
||||||
dest: /mnt/etc/NetworkManager/system-connections/LAN.nmconnection
|
dest: /mnt/etc/NetworkManager/system-connections/LAN.nmconnection
|
||||||
mode: '0600'
|
mode: "0600"
|
||||||
|
|
||||||
- name: Setup user account
|
- name: Setup user account
|
||||||
block:
|
block:
|
||||||
- name: Create user account
|
- name: Create user account
|
||||||
command: '{{ item }}'
|
ansible.builtin.command: "{{ item }}"
|
||||||
with_items:
|
with_items:
|
||||||
- arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups {{ "sudo" if os|lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "wheel" }} {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
|
- arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups {{ "sudo" if os | lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else
|
||||||
- arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
|
"wheel" }} {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
|
||||||
|
- arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
|
||||||
|
|
||||||
- name: Add SSH public key to authorized_keys
|
- name: Add SSH public key to authorized_keys
|
||||||
when: user_public_key is defined
|
when: user_public_key is defined
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: "/mnt/home/{{ user_name }}/.ssh/authorized_keys"
|
path: /mnt/home/{{ user_name }}/.ssh/authorized_keys
|
||||||
line: "{{ user_public_key }}"
|
line: "{{ user_public_key }}"
|
||||||
owner: 1000
|
owner: 1000
|
||||||
group: 1000
|
group: 1000
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
create: yes
|
create: true
|
||||||
|
|
||||||
- name: Give sudo access to wheel group
|
- name: Give sudo access to wheel group
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
content: "{{ '%sudo ALL=(ALL) ALL' if os|lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] else '%wheel ALL=(ALL) ALL' }}"
|
content: "{{ '%sudo ALL=(ALL) ALL' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] else '%wheel ALL=(ALL) ALL' }}"
|
||||||
dest: /mnt/etc/sudoers.d/01-wheel
|
dest: /mnt/etc/sudoers.d/01-wheel
|
||||||
mode: 0440
|
mode: "0440"
|
||||||
validate: /usr/sbin/visudo --check --file=%s
|
validate: /usr/sbin/visudo --check --file=%s
|
||||||
|
|
||||||
- name: Fix SELinux
|
- name: Fix SELinux
|
||||||
block:
|
block:
|
||||||
- name: Relabel the filesystem
|
- name: Relabel the filesystem
|
||||||
when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rocky']
|
when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rocky']
|
||||||
command: touch /mnt/.autorelabel
|
ansible.builtin.command: touch /mnt/.autorelabel
|
||||||
|
- name: Disable SELinux
|
||||||
- name: Disable SELinux
|
when: os | lower == "fedora"
|
||||||
when: os | lower == "fedora"
|
ansible.builtin.lineinfile:
|
||||||
lineinfile:
|
path: /mnt/etc/selinux/config
|
||||||
path: /mnt/etc/selinux/config
|
regexp: ^SELINUX=
|
||||||
regexp: '^SELINUX='
|
line: SELINUX=permissive
|
||||||
line: 'SELINUX=permissive'
|
|
||||||
|
@ -1,62 +1,60 @@
|
|||||||
|
---
|
||||||
- name: Configre work environment
|
- name: Configre work environment
|
||||||
become: true
|
become: true
|
||||||
block:
|
block:
|
||||||
- name: Wait for connection
|
- name: Wait for connection
|
||||||
wait_for_connection:
|
ansible.builtin.wait_for_connection:
|
||||||
timeout: 300
|
timeout: 300
|
||||||
delay: 5
|
delay: 5
|
||||||
|
|
||||||
- name: Gather facts
|
- name: Gather facts
|
||||||
setup:
|
ansible.builtin.setup:
|
||||||
|
|
||||||
- name: Check if host is booted from the Arch install media
|
- name: Check if host is booted from the Arch install media
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: /run/archiso
|
path: /run/archiso
|
||||||
register: archiso_stat
|
register: archiso_stat
|
||||||
|
|
||||||
- name: Abort if the host is not booted from the Arch install media
|
- name: Abort if the host is not booted from the Arch install media
|
||||||
fail:
|
ansible.builtin.fail:
|
||||||
msg: "This host is not booted from the Arch install media!"
|
msg: This host is not booted from the Arch install media!
|
||||||
when: not archiso_stat.stat.exists
|
when: not archiso_stat.stat.exists
|
||||||
|
|
||||||
- name: Setect Interface
|
- name: Setect Interface
|
||||||
when: hypervisor == "vmware"
|
when: hypervisor == "vmware"
|
||||||
shell: "ip l | awk -F': ' '!/lo/{print $2; exit}'"
|
ansible.builtin.shell: "ip l | awk -F': ' '!/lo/{print $2; exit}'"
|
||||||
register: interface_name
|
register: interface_name
|
||||||
|
|
||||||
- name: Set IP-Address
|
- name: Set IP-Address
|
||||||
when: hypervisor == "vmware"
|
when: hypervisor == "vmware"
|
||||||
command: ip addr replace {{ ansible_host }}/24 dev {{ interface_name.stdout }}
|
ansible.builtin.command: ip addr replace {{ ansible_host }}/24 dev {{ interface_name.stdout }}
|
||||||
|
|
||||||
- name: Set Default Gateway
|
- name: Set Default Gateway
|
||||||
when: hypervisor == "vmware"
|
when: hypervisor == "vmware"
|
||||||
command: ip route replace default via {{ vm_gw }}
|
ansible.builtin.command: ip route replace default via {{ vm_gw }}
|
||||||
|
|
||||||
- name: Synchronize clock via NTP
|
- name: Synchronize clock via NTP
|
||||||
command: timedatectl set-ntp true
|
ansible.builtin.command: timedatectl set-ntp true
|
||||||
|
|
||||||
- name: Speed-up Bootstrap process
|
- name: Speed-up Bootstrap process
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/pacman.conf
|
path: /etc/pacman.conf
|
||||||
regexp: '^#ParallelDownloads ='
|
regexp: ^#ParallelDownloads =
|
||||||
line: 'ParallelDownloads = 20'
|
line: ParallelDownloads = 20
|
||||||
|
|
||||||
- name: Wait for Pacman
|
- name: Wait for Pacman
|
||||||
wait_for:
|
ansible.builtin.wait_for:
|
||||||
timeout: 15
|
timeout: 15
|
||||||
|
|
||||||
- name: Setup Pacman
|
- name: Setup Pacman
|
||||||
pacman:
|
community.general.pacman:
|
||||||
update_cache: true
|
update_cache: true
|
||||||
force: true
|
force: true
|
||||||
name: "{{ item.name }}"
|
name: "{{ item.name }}"
|
||||||
state: latest
|
state: latest
|
||||||
loop:
|
loop:
|
||||||
- { name: 'glibc' }
|
- { name: glibc }
|
||||||
- { name: 'dnf', os: ['almalinux', 'fedora', 'rhel9', 'rhel8', 'rocky'] }
|
- { name: dnf, os: [almalinux, fedora, rhel9, rhel8, rocky] }
|
||||||
- { name: 'debootstrap', os: ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] }
|
- { name: debootstrap, os: [debian11, debian12, ubuntu, ubuntu-lts] }
|
||||||
- { name: 'debian-archive-keyring', os: ['debian11', 'debian12'] }
|
- { name: debian-archive-keyring, os: [debian11, debian12] }
|
||||||
- { name: 'ubuntu-keyring', os: ['ubuntu', 'ubuntu-lts'] }
|
- { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] }
|
||||||
when: "'os' not in item or os in item.os"
|
when: "'os' not in item or os in item.os"
|
||||||
retries: 4
|
retries: 4
|
||||||
delay: 15
|
delay: 15
|
||||||
@ -64,12 +62,12 @@
|
|||||||
- name: Configure RHEL Repos for installation
|
- name: Configure RHEL Repos for installation
|
||||||
when: os | lower in ["almalinux", "fedora", "rocky"]
|
when: os | lower in ["almalinux", "fedora", "rocky"]
|
||||||
block:
|
block:
|
||||||
- name: Create directories for repository files and RPM GPG keys
|
- name: Create directories for repository files and RPM GPG keys
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: /etc/yum.repos.d
|
path: /etc/yum.repos.d
|
||||||
state: directory
|
state: directory
|
||||||
|
|
||||||
- name: Create RHEL repository file
|
- name: Create RHEL repository file
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: '{{ os | lower }}.repo.j2'
|
src: "{{ os | lower }}.repo.j2"
|
||||||
dest: '/etc/yum.repos.d/{{ os | lower }}.repo'
|
dest: /etc/yum.repos.d/{{ os | lower }}.repo
|
||||||
|
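Review bot: The Set IP-Address task runs `ip addr replace {{ ansible_host }}/24 dev {{ interface_name.stdout }}` from two values nothing validates: `ansible_host` has to be an IPv4 literal on a /24 for this to do anything sensible, and `interface_name.stdout` is whatever the first non-`lo` line of `ip l` produced, which can be empty or a non-Ethernet device on the install media. When either assumption fails the command errors out or configures the wrong interface and the rest of the vmware path is unreachable with no hint why. I would make the prefix length a variable and assert both inputs before touching the network; the `Configre` and `Setect` task names could be corrected in the same pass. The `Configre work environment` block these tasks belong to runs past the end of the first hunk.
```yaml
- name: Validate address and interface before reconfiguring the network
  when: hypervisor == "vmware"
  ansible.builtin.assert:
    that:
      - ansible_host is match('^[0-9]{1,3}(\.[0-9]{1,3}){3}$')
      - interface_name.stdout | length > 0
    fail_msg: "ansible_host={{ ansible_host }} interface={{ interface_name.stdout }}"

- name: Set IP-Address
  when: hypervisor == "vmware"
  ansible.builtin.command: ip addr replace {{ ansible_host }}/{{ vm_prefix | default(24) }} dev {{ interface_name.stdout }}
# … unchanged: Set Default Gateway, NTP, pacman setup …
```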
@ -2,25 +2,25 @@
|
|||||||
- name: Setup BTRFS
|
- name: Setup BTRFS
|
||||||
block:
|
block:
|
||||||
- name: Create btrfs filesystem in main volume
|
- name: Create btrfs filesystem in main volume
|
||||||
filesystem:
|
community.general.filesystem:
|
||||||
dev: '{{ install_drive }}{{ main_partition_suffix }}'
|
dev: "{{ install_drive }}{{ main_partition_suffix }}"
|
||||||
fstype: btrfs
|
fstype: btrfs
|
||||||
force: yes
|
force: true
|
||||||
|
|
||||||
- name: Prepare BTRFS Subvolume
|
- name: Prepare BTRFS Subvolume
|
||||||
mount:
|
ansible.posix.mount:
|
||||||
path: /mnt
|
path: /mnt
|
||||||
src: '{{ install_drive }}{{ main_partition_suffix }}'
|
src: "{{ install_drive }}{{ main_partition_suffix }}"
|
||||||
fstype: btrfs
|
fstype: btrfs
|
||||||
opts: rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async
|
opts: rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async
|
||||||
state: mounted
|
state: mounted
|
||||||
|
|
||||||
- name: Enable quotas on Btrfs filesystem
|
- name: Enable quotas on Btrfs filesystem
|
||||||
command: btrfs quota enable /mnt
|
ansible.builtin.command: btrfs quota enable /mnt
|
||||||
|
|
||||||
- name: Make root subvolumes
|
- name: Make root subvolumes
|
||||||
when: cis == true or item.subvol not in ['var_log', 'var_log_audit']
|
when: cis == true or item.subvol not in ['var_log', 'var_log_audit']
|
||||||
command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
|
ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
|
||||||
loop:
|
loop:
|
||||||
- { subvol: root }
|
- { subvol: root }
|
||||||
- { subvol: home }
|
- { subvol: home }
|
||||||
@ -30,17 +30,13 @@
|
|||||||
|
|
||||||
- name: Set quotas for subvolumes
|
- name: Set quotas for subvolumes
|
||||||
when: cis == true or item.subvol not in ['var_log', 'var_log_audit']
|
when: cis == true or item.subvol not in ['var_log', 'var_log_audit']
|
||||||
command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
|
ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
|
||||||
loop:
|
loop:
|
||||||
- { subvol: root, quota: '12G' }
|
- { subvol: home, quota: 2G }
|
||||||
- { subvol: home, quota: '2G' }
|
|
||||||
- { subvol: var, quota: '2G' }
|
|
||||||
- { subvol: var_log, quota: '2G' }
|
|
||||||
- { subvol: var_log_audit, quota: '1536M' }
|
|
||||||
|
|
||||||
- name: Unmount Partition
|
- name: Unmount Partition
|
||||||
mount:
|
ansible.posix.mount:
|
||||||
path: /mnt
|
path: /mnt
|
||||||
src: '{{ install_drive }}{{ main_partition_suffix }}'
|
src: "{{ install_drive }}{{ main_partition_suffix }}"
|
||||||
fstype: btrfs
|
fstype: btrfs
|
||||||
state: unmounted
|
state: unmounted
|
||||||
|
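Review bot: The `Set quotas for subvolumes` loop on the new side appears to keep only `- { subvol: home, quota: 2G }`; the root, var, var_log and var_log_audit entries of the old side have no counterpart, which is consistent with the hunk shrinking from 17 to 13 lines. If that is intended, the `when: cis == true or item.subvol not in ['var_log', 'var_log_audit']` guard on that task is now dead, and the log subvolumes lose their size cap — on a single btrfs volume the qgroup limit was the only thing stopping a runaway writer in /var/log or /var/log/audit from filling the root filesystem, which is the reason the CIS guidance wants those paths separated at all. If dropping the other limits was deliberate, say so in a comment on the loop; otherwise restore them, e.g. `- { subvol: var_log, quota: 2G }` and `- { subvol: var_log_audit, quota: 1536M }` alongside root and var. Either way the quota values should be quoted strings so `1536M` and `2G` survive any later YAML reformatting unchanged.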
@ -1,10 +1,10 @@
|
|||||||
---
|
---
|
||||||
- name: Create and format ext4 logical volumes
|
- name: Create and format ext4 logical volumes
|
||||||
when: cis == true or item.lv not in ['var_log', 'var_log_audit']
|
when: cis == true or item.lv not in ['var_log', 'var_log_audit']
|
||||||
filesystem:
|
community.general.filesystem:
|
||||||
dev: '/dev/sys/{{ item.lv }}'
|
dev: /dev/sys/{{ item.lv }}
|
||||||
fstype: ext4
|
fstype: ext4
|
||||||
force: yes
|
force: true
|
||||||
loop:
|
loop:
|
||||||
- { lv: root }
|
- { lv: root }
|
||||||
- { lv: home }
|
- { lv: home }
|
||||||
@ -14,10 +14,10 @@
|
|||||||
|
|
||||||
- name: Remove Unsupported features for older Systems
|
- name: Remove Unsupported features for older Systems
|
||||||
when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky', 'ubuntu-lts']) and (cis == true or item.lv not in ['var_log', 'var_log_audit'])
|
when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky', 'ubuntu-lts']) and (cis == true or item.lv not in ['var_log', 'var_log_audit'])
|
||||||
command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}"
|
ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}"
|
||||||
loop:
|
loop:
|
||||||
- { lv: root }
|
- { lv: root }
|
||||||
- { lv: home }
|
- { lv: home }
|
||||||
- { lv: var }
|
- { lv: var }
|
||||||
- { lv: var_log }
|
- { lv: var_log }
|
||||||
- { lv: var_log_audit }
|
- { lv: var_log_audit }
|
||||||
|
@ -3,16 +3,16 @@
|
|||||||
block:
|
block:
|
||||||
- name: Prepare partitions
|
- name: Prepare partitions
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
command: "{{ item.cmd }}"
|
ansible.builtin.command: "{{ item.cmd }}"
|
||||||
loop:
|
loop:
|
||||||
- { cmd: "umount -l /mnt" }
|
- { cmd: umount -l /mnt }
|
||||||
- { cmd: "vgremove -f sys" }
|
- { cmd: vgremove -f sys }
|
||||||
- { cmd: "find /dev -wholename \"{{ install_drive }}*\" -exec wipefs --force --all {} \\;" }
|
- { cmd: 'find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;' }
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.cmd }}"
|
label: "{{ item.cmd }}"
|
||||||
|
|
||||||
- name: Define partitions
|
- name: Define partitions
|
||||||
parted:
|
community.general.parted:
|
||||||
device: "{{ install_drive }}"
|
device: "{{ install_drive }}"
|
||||||
label: gpt
|
label: gpt
|
||||||
number: "{{ item.number }}"
|
number: "{{ item.number }}"
|
||||||
@ -22,56 +22,56 @@
|
|||||||
flags: "{{ item.flags | default(omit) }}"
|
flags: "{{ item.flags | default(omit) }}"
|
||||||
state: present
|
state: present
|
||||||
loop:
|
loop:
|
||||||
- { number: 1, part_end: '500MiB', name: 'boot', flags: ['boot', 'esp'] }
|
- { number: 1, part_end: 500MiB, name: boot, flags: [boot, esp] }
|
||||||
- { number: 2, part_start: '500MiB', name: 'root' }
|
- { number: 2, part_start: 500MiB, name: root }
|
||||||
|
|
||||||
- name: Create LVM logical volumes
|
- name: Create LVM logical volumes
|
||||||
when: filesystem != 'btrfs'
|
when: filesystem != 'btrfs'
|
||||||
block:
|
block:
|
||||||
- name: Create LVM volume group
|
- name: Create LVM volume group
|
||||||
lvg:
|
community.general.lvg:
|
||||||
vg: sys
|
vg: sys
|
||||||
pvs: '{{ install_drive }}{{ main_partition_suffix }}'
|
pvs: "{{ install_drive }}{{ main_partition_suffix }}"
|
||||||
|
|
||||||
- name: Create LVM logical volumes
|
- name: Create LVM logical volumes
|
||||||
when: cis or (not cis and item.lv != 'var_log' and item.lv != 'var_log_audit')
|
when: cis or (not cis and item.lv != 'var_log' and item.lv != 'var_log_audit')
|
||||||
lvol:
|
community.general.lvol:
|
||||||
vg: sys
|
vg: sys
|
||||||
lv: "{{ item.lv }}"
|
lv: "{{ item.lv }}"
|
||||||
size: "{{ item.size }}"
|
size: "{{ item.size }}"
|
||||||
state: present
|
state: present
|
||||||
loop:
|
loop:
|
||||||
- { lv: 'root', size: '12G' }
|
- { lv: root, size: 12G }
|
||||||
- { lv: 'home', size: '2G' }
|
- { lv: home, size: 2G }
|
||||||
- { lv: 'var', size: '2G' }
|
- { lv: var, size: 2G }
|
||||||
- { lv: 'var_log', size: '2G' }
|
- { lv: var_log, size: 2G }
|
||||||
- { lv: 'var_log_audit', size: '1.5G' }
|
- { lv: var_log_audit, size: 1.5G }
|
||||||
|
|
||||||
- name: Create filesystems
|
- name: Create filesystems
|
||||||
block:
|
block:
|
||||||
- name: Create FAT32 filesystem in boot partition
|
- name: Create FAT32 filesystem in boot partition
|
||||||
filesystem:
|
community.general.filesystem:
|
||||||
dev: '{{ install_drive }}{{ boot_partition_suffix }}'
|
dev: "{{ install_drive }}{{ boot_partition_suffix }}"
|
||||||
fstype: vfat
|
fstype: vfat
|
||||||
opts: -F32
|
opts: -F32
|
||||||
force: yes
|
force: true
|
||||||
|
|
||||||
- name: Create filesystem
|
- name: Create filesystem
|
||||||
include_tasks: "{{ filesystem }}.yml"
|
ansible.builtin.include_tasks: "{{ filesystem }}.yml"
|
||||||
|
|
||||||
- name: Get UUID for boot filesystem
|
- name: Get UUID for boot filesystem
|
||||||
command: blkid -s UUID -o value '{{ install_drive }}{{ boot_partition_suffix }}'
|
ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ boot_partition_suffix }}'
|
||||||
changed_when: false
|
changed_when: false
|
||||||
register: boot_uuid
|
register: boot_uuid
|
||||||
|
|
||||||
- name: Get UUID for main filesystem
|
- name: Get UUID for main filesystem
|
||||||
command: blkid -s UUID -o value '{{ install_drive }}{{ main_partition_suffix }}'
|
ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ main_partition_suffix }}'
|
||||||
changed_when: false
|
changed_when: false
|
||||||
register: main_uuid
|
register: main_uuid
|
||||||
|
|
||||||
- name: Get UUIDs for LVM filesystems
|
- name: Get UUIDs for LVM filesystems
|
||||||
when: filesystem != 'btrfs' and (cis == true or item not in ['var_log', 'var_log_audit'])
|
when: filesystem != 'btrfs' and (cis == true or item not in ['var_log', 'var_log_audit'])
|
||||||
command: blkid -s UUID -o value /dev/sys/{{ item }}
|
ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }}
|
||||||
changed_when: false
|
changed_when: false
|
||||||
register: uuid_result
|
register: uuid_result
|
||||||
loop:
|
loop:
|
||||||
@ -81,7 +81,7 @@
|
|||||||
- var_log
|
- var_log
|
||||||
- var_log_audit
|
- var_log_audit
|
||||||
|
|
||||||
- set_fact:
|
- ansible.builtin.set_fact:
|
||||||
uuid_root: "{{ uuid_result.results[0].stdout_lines }}"
|
uuid_root: "{{ uuid_result.results[0].stdout_lines }}"
|
||||||
uuid_home: "{{ uuid_result.results[1].stdout_lines }}"
|
uuid_home: "{{ uuid_result.results[1].stdout_lines }}"
|
||||||
uuid_var: "{{ uuid_result.results[2].stdout_lines }}"
|
uuid_var: "{{ uuid_result.results[2].stdout_lines }}"
|
||||||
@ -92,34 +92,48 @@
|
|||||||
- name: Mount filesystems
|
- name: Mount filesystems
|
||||||
block:
|
block:
|
||||||
- name: Mount filesystems and subvolumes
|
- name: Mount filesystems and subvolumes
|
||||||
when: "cis or (not cis and item.path != '/var/log' and item.path != '/var/log/audit')"
|
when: cis or (not cis and item.path != '/var/log' and item.path != '/var/log/audit')
|
||||||
mount:
|
ansible.posix.mount:
|
||||||
path: "/mnt{{ item.path }}"
|
path: /mnt{{ item.path }}
|
||||||
src: "{{ 'UUID=' + (main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}"
|
src: "{{ 'UUID=' + (main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}"
|
||||||
fstype: "{{ filesystem }}"
|
fstype: "{{ filesystem }}"
|
||||||
opts: "{{ item.opts }}"
|
opts: "{{ item.opts }}"
|
||||||
state: mounted
|
state: mounted
|
||||||
loop:
|
loop:
|
||||||
- { path: '', uuid: "{{ uuid_root[0] | default(omit) }}", opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}" }
|
- path: ""
|
||||||
- { path: '/home', uuid: "{{ uuid_home[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}" }
|
uuid: "{{ uuid_root[0] | default(omit) }}"
|
||||||
- { path: '/var', uuid: "{{ uuid_var[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}" }
|
opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}"
|
||||||
- { path: '/var/log', uuid: "{{ uuid_var_log[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}" }
|
- path: /home
|
||||||
- { path: '/var/log/audit', uuid: "{{ uuid_var_log_audit[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}" }
|
uuid: "{{ uuid_home[0] | default(omit) }}"
|
||||||
|
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home'
|
||||||
|
}}"
|
||||||
|
- path: /var
|
||||||
|
uuid: "{{ uuid_var[0] | default(omit) }}"
|
||||||
|
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var'
|
||||||
|
}}"
|
||||||
|
- path: /var/log
|
||||||
|
uuid: "{{ uuid_var_log[0] | default(omit) }}"
|
||||||
|
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log'
|
||||||
|
}}"
|
||||||
|
- path: /var/log/audit
|
||||||
|
uuid: "{{ uuid_var_log_audit[0] | default(omit) }}"
|
||||||
|
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit'
|
||||||
|
}}"
|
||||||
|
|
||||||
- name: Mount tmp and var_tmp filesystems
|
- name: Mount tmp and var_tmp filesystems
|
||||||
mount:
|
ansible.posix.mount:
|
||||||
path: "/mnt{{ item.path }}"
|
path: /mnt{{ item.path }}
|
||||||
src: tmpfs
|
src: tmpfs
|
||||||
fstype: tmpfs
|
fstype: tmpfs
|
||||||
opts: defaults,nosuid,nodev,noexec
|
opts: defaults,nosuid,nodev,noexec
|
||||||
state: mounted
|
state: mounted
|
||||||
loop:
|
loop:
|
||||||
- { path: '/tmp' }
|
- { path: /tmp }
|
||||||
- { path: '/var/tmp' }
|
- { path: /var/tmp }
|
||||||
|
|
||||||
- name: Mount boot filesystem
|
- name: Mount boot filesystem
|
||||||
mount:
|
ansible.posix.mount:
|
||||||
path: "{{ '/mnt/boot/efi' if os | lower in ['ubuntu', 'ubuntu-lts'] else '/mnt/boot' }}"
|
path: "{{ '/mnt/boot/efi' if os | lower in ['ubuntu', 'ubuntu-lts'] else '/mnt/boot' }}"
|
||||||
src: UUID={{ boot_uuid.stdout }}
|
src: UUID={{ boot_uuid.stdout }}
|
||||||
fstype: vfat
|
fstype: vfat
|
||||||
state: mounted
|
state: mounted
|
||||||
|
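Review bot: The `Prepare partitions` loop runs `find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;` on a value that, as far as this diff shows, is never validated, and `ignore_errors: true` on the same task hides a failed unmount or wipe before `parted` relabels the disk. A short or mistyped answer such as `/dev/sd` or `/dev/nvme0` widens the glob to every disk visible on the install media, and nothing checks that the path exists or is a block device. I would gate the block on an assert of `install_drive`, then drop `ignore_errors` in favour of `failed_when` on just the `umount`/`vgremove` steps, which are the ones allowed to fail when nothing is mounted. The block these tasks belong to is opened above the first hunk.
```yaml
- name: Stat the target install drive
  ansible.builtin.stat:
    path: "{{ install_drive }}"
  register: install_drive_stat

- name: Refuse to wipe anything but an existing whole block device
  ansible.builtin.assert:
    that:
      - install_drive is match('^/dev/(sd[a-z]+|vd[a-z]+|nvme[0-9]+n[0-9]+)$')
      - install_drive_stat.stat.exists
      - install_drive_stat.stat.isblk
    fail_msg: "{{ install_drive }} is not an existing whole block device"
# … unchanged: Prepare partitions loop, Define partitions …
```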
@ -1,13 +1,13 @@
|
|||||||
---
|
---
|
||||||
- name: Create and format XFS logical volumes
|
- name: Create and format XFS logical volumes
|
||||||
when: cis == true or item.lv not in ['var_log', 'var_log_audit']
|
when: cis == true or item.lv not in ['var_log', 'var_log_audit']
|
||||||
filesystem:
|
community.general.filesystem:
|
||||||
dev: '/dev/sys/{{ item.lv }}'
|
dev: /dev/sys/{{ item.lv }}
|
||||||
fstype: xfs
|
fstype: xfs
|
||||||
force: yes
|
force: true
|
||||||
loop:
|
loop:
|
||||||
- { lv: root }
|
- { lv: root }
|
||||||
- { lv: home }
|
- { lv: home }
|
||||||
- { lv: var }
|
- { lv: var }
|
||||||
- { lv: var_log }
|
- { lv: var_log }
|
||||||
- { lv: var_log_audit }
|
- { lv: var_log_audit }
|
||||||
|
@ -1,32 +1,34 @@
|
|||||||
|
---
|
||||||
- name: Check if VM disk exists
|
- name: Check if VM disk exists
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2"
|
path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2"
|
||||||
register: vm_disk_stat
|
register: vm_disk_stat
|
||||||
|
|
||||||
- name: Create VM disk
|
- name: Create VM disk
|
||||||
when: not vm_disk_stat.stat.exists
|
when: not vm_disk_stat.stat.exists
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
command: "qemu-img create -f qcow2 {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2 {{ vm_size }}G"
|
ansible.builtin.command: qemu-img create -f qcow2 {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2 {{ vm_size }}G
|
||||||
|
|
||||||
- name: Generate Random MAC Address
|
- name: Generate Random MAC Address
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
shell: openssl rand -hex 5 | sed 's/\(..\)/\1:/g; s/.$//' | sed 's/^/02:/'
|
ansible.builtin.shell: openssl rand -hex 5 | sed 's/\(..\)/\1:/g; s/.$//' | sed 's/^/02:/'
|
||||||
changed_when: false
|
changed_when: false
|
||||||
register: mac_address_output
|
register: mac_address_output
|
||||||
|
|
||||||
- name: Render cloud config templates
|
- name: Render cloud config templates
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: "{{ item.src }}"
|
src: "{{ item.src }}"
|
||||||
dest: "/tmp/{{ item.dest_prefix }}-{{ hostname }}.yml"
|
dest: /tmp/{{ item.dest_prefix }}-{{ hostname }}.yml
|
||||||
loop:
|
loop:
|
||||||
- { src: "cloud-user-data.yml.j2", dest_prefix: "cloud-user-data" }
|
- { src: cloud-user-data.yml.j2, dest_prefix: cloud-user-data }
|
||||||
- { src: "cloud-network-config.yml.j2", dest_prefix: "cloud-network-config" }
|
- { src: cloud-network-config.yml.j2, dest_prefix: cloud-network-config }
|
||||||
|
|
||||||
- name: Create cloud-init disk
|
- name: Create cloud-init disk
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
command: "cloud-localds {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso /tmp/cloud-user-data-{{ hostname }}.yml -N /tmp/cloud-network-config-{{ hostname }}.yml"
|
ansible.builtin.command: cloud-localds {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso /tmp/cloud-user-data-{{ hostname }}.yml -N
|
||||||
|
/tmp/cloud-network-config-{{ hostname }}.yml
|
||||||
|
|
||||||
- name: Create VM using libvirt
|
- name: Create VM using libvirt
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
@ -34,8 +36,8 @@
|
|||||||
command: define
|
command: define
|
||||||
xml: "{{ lookup('template', 'vm.xml.j2') }}"
|
xml: "{{ lookup('template', 'vm.xml.j2') }}"
|
||||||
|
|
||||||
- name: start vm
|
- name: Start vm
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
community.libvirt.virt:
|
community.libvirt.virt:
|
||||||
name: "{{ hostname }}"
|
name: "{{ hostname }}"
|
||||||
state: running
|
state: running
|
||||||
|
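Review bot: `Render cloud config templates` writes `cloud-user-data-{{ hostname }}.yml` into `/tmp` on the controller with no `mode`, so the rendered file gets whatever the controller's umask allows, in a shared directory under a predictable name, and nothing removes it after `cloud-localds` has consumed it. Cloud-init user-data is where a login password and SSH key normally end up; the template itself is not in this diff, so confirm what it carries, but if it holds the prompted password the file is readable by every local user for as long as it exists. I would add `mode: "0600"` to the template task and remove both rendered files once the seed ISO is built, or render into a directory obtained from `ansible.builtin.tempfile`. The generated `{{ hostname }}-cloudinit.iso` in the images directory carries the same content and deserves the same attention after first boot.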
@ -1,2 +1,3 @@
|
|||||||
|
---
|
||||||
- name: Create Virtual Machine
|
- name: Create Virtual Machine
|
||||||
include_tasks: "{{ hypervisor }}.yml"
|
ansible.builtin.include_tasks: "{{ hypervisor }}.yml"
|
||||||
|
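Review bot: `ansible.builtin.include_tasks: "{{ hypervisor }}.yml"` turns a free-form string straight into a file name, so a typo surfaces as a file-not-found error rather than a clear message and any relative path the operator supplies is included as-is. Since only three task files exist for it, assert the value first, e.g. `- ansible.builtin.assert: { that: hypervisor in ['libvirt', 'proxmox', 'vmware'], fail_msg: "unsupported hypervisor {{ hypervisor }}" }` placed before the include.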
@ -1,48 +1,49 @@
|
|||||||
|
---
|
||||||
- name: Deploy VM on Proxmox
|
- name: Deploy VM on Proxmox
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
proxmox_kvm:
|
community.general.proxmox_kvm:
|
||||||
api_host: "{{ hypervisor_url }}"
|
api_host: "{{ hypervisor_url }}"
|
||||||
api_user: "{{ hypervisor_username }}"
|
api_user: "{{ hypervisor_username }}"
|
||||||
api_password: "{{ hypervisor_password }}"
|
api_password: "{{ hypervisor_password }}"
|
||||||
ciuser: "{{ user_name }}"
|
ciuser: "{{ user_name }}"
|
||||||
cipassword: "{{ user_password }}"
|
cipassword: "{{ user_password }}"
|
||||||
node: "{{ hypervisor_node }}" # Proxmox node name
|
node: "{{ hypervisor_node }}" # Proxmox node name
|
||||||
vmid: "{{ vm_id }}" # Unique ID for the VM
|
vmid: "{{ vm_id }}" # Unique ID for the VM
|
||||||
name: "{{ hostname }}" # Name of the VM
|
name: "{{ hostname }}" # Name of the VM
|
||||||
cpu: "host"
|
cpu: host
|
||||||
cores: "{{ vm_cpus }}" # Number of CPU cores
|
cores: "{{ vm_cpus }}" # Number of CPU cores
|
||||||
memory: "{{ vm_memory }}" # Memory size in MB
|
memory: "{{ vm_memory }}" # Memory size in MB
|
||||||
balloon: "{{ vm_ballo | default(omit) }}" # Minimum Memory size in MB
|
balloon: "{{ vm_ballo | default(omit) }}" # Minimum Memory size in MB
|
||||||
numa_enabled: true
|
numa_enabled: true
|
||||||
hotplug: "network,disk"
|
hotplug: network,disk
|
||||||
bios: ovmf
|
bios: ovmf
|
||||||
boot: "ac"
|
boot: ac
|
||||||
scsihw: "virtio-scsi-single"
|
scsihw: virtio-scsi-single
|
||||||
scsi:
|
scsi:
|
||||||
scsi0: "{{ hypervisor_storage }}:{{ vm_size }}" # Disk configuration
|
scsi0: "{{ hypervisor_storage }}:{{ vm_size }}" # Disk configuration
|
||||||
efidisk0:
|
efidisk0:
|
||||||
efitype: "4m"
|
efitype: 4m
|
||||||
format: "raw"
|
format: raw
|
||||||
pre_enrolled_keys: false
|
pre_enrolled_keys: false
|
||||||
storage: "{{ hypervisor_storage }}"
|
storage: "{{ hypervisor_storage }}"
|
||||||
ide:
|
ide:
|
||||||
ide0: "{{ boot_iso }},media=cdrom"
|
ide0: "{{ boot_iso }},media=cdrom"
|
||||||
ide1: "{{ hypervisor_storage }}:cloudinit"
|
ide1: "{{ hypervisor_storage }}:cloudinit"
|
||||||
net:
|
net:
|
||||||
net0: "virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %}"
|
net0: virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %}
|
||||||
ipconfig:
|
ipconfig:
|
||||||
ipconfig0: "ip={{ vm_ip }},gw={{ vm_gw }}"
|
ipconfig0: ip={{ vm_ip }},gw={{ vm_gw }}
|
||||||
nameservers: "{{ vm_dns }}"
|
nameservers: "{{ vm_dns }}"
|
||||||
onboot: true # Start the VM on boot
|
onboot: true # Start the VM on boot
|
||||||
state: present # Ensure the VM is present
|
state: present # Ensure the VM is present
|
||||||
|
|
||||||
- name: Start VM on Proxmox
|
- name: Start VM on Proxmox
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
proxmox_kvm:
|
community.general.proxmox_kvm:
|
||||||
api_host: "{{ hypervisor_url }}"
|
api_host: "{{ hypervisor_url }}"
|
||||||
api_user: "{{ hypervisor_username }}"
|
api_user: "{{ hypervisor_username }}"
|
||||||
api_password: "{{ hypervisor_password }}"
|
api_password: "{{ hypervisor_password }}"
|
||||||
node: "{{ hypervisor_node }}"
|
node: "{{ hypervisor_node }}"
|
||||||
name: "{{ hostname }}"
|
name: "{{ hostname }}"
|
||||||
vmid: "{{ vm_id }}"
|
vmid: "{{ vm_id }}"
|
||||||
state: started # Ensure the VM is present
|
state: started # Ensure the VM is present
|
||||||
|
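Review bot: Neither `community.general.proxmox_kvm` call sets `validate_certs`, and that module does not verify the API host's TLS certificate unless told to, so `api_password` and the `cipassword` derived from `user_password` are sent to `{{ hypervisor_url }}` over a connection anyone on the management network can terminate. Add `validate_certs: true` to both tasks and trust the node's CA on the controller, or at least drive it from a variable that defaults to true. I would also put `no_log: true` on the Deploy task so the cloud-init password cannot reach `-v` output or a logging callback if the module's own masking is incomplete. `pre_enrolled_keys: false` with `bios: ovmf` deliberately ships an empty Secure Boot key store; a one-line comment such as `# no Secure Boot keys: the installed OS is unsigned` would stop the next reader from "fixing" it.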
@ -1,15 +1,16 @@
|
|||||||
|
---
|
||||||
- name: Create VM in vCenter
|
- name: Create VM in vCenter
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
vmware_guest:
|
community.vmware.vmware_guest:
|
||||||
hostname: "{{ hypervisor_url }}"
|
hostname: "{{ hypervisor_url }}"
|
||||||
username: "{{ hypervisor_username }}"
|
username: "{{ hypervisor_username }}"
|
||||||
password: "{{ hypervisor_password }}"
|
password: "{{ hypervisor_password }}"
|
||||||
validate_certs: no
|
validate_certs: false
|
||||||
datacenter: "{{ hypervisor_cluster }}"
|
datacenter: "{{ hypervisor_cluster }}"
|
||||||
cluster: "{{ hypervisor_node }}"
|
cluster: "{{ hypervisor_node }}"
|
||||||
folder: "{{ vm_path }}"
|
folder: "{{ vm_path }}"
|
||||||
name: "{{ hostname }}"
|
name: "{{ hostname }}"
|
||||||
guest_id: "otherGuest64"
|
guest_id: otherGuest64
|
||||||
state: poweredon
|
state: poweredon
|
||||||
disk:
|
disk:
|
||||||
- size_gb: "{{ vm_size }}"
|
- size_gb: "{{ vm_size }}"
|
||||||
@ -18,16 +19,16 @@
|
|||||||
hardware:
|
hardware:
|
||||||
memory_mb: "{{ vm_memory }}"
|
memory_mb: "{{ vm_memory }}"
|
||||||
num_cpus: "{{ vm_cpus }}"
|
num_cpus: "{{ vm_cpus }}"
|
||||||
boot_firmware: "efi"
|
boot_firmware: efi
|
||||||
secure_boot: false
|
secure_boot: false
|
||||||
cdrom:
|
cdrom:
|
||||||
- controller_number: 0
|
- controller_number: 0
|
||||||
unit_number: 0
|
unit_number: 0
|
||||||
controller_type: "sata"
|
controller_type: sata
|
||||||
state: present
|
state: present
|
||||||
type: iso
|
type: iso
|
||||||
iso_path: "{{ boot_iso }}"
|
iso_path: "{{ boot_iso }}"
|
||||||
networks:
|
networks:
|
||||||
- vlan: "{{ vlan_name }}"
|
- vlan: "{{ vlan_name }}"
|
||||||
type: dhcp
|
type: dhcp
|
||||||
ignore_errors: yes
|
ignore_errors: true
|
||||||
|
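Review bot: `validate_certs: false` is carried over unchanged (only respelled from `no`), so the vCenter `password` is sent to `{{ hypervisor_url }}` without checking who answers; set `validate_certs: true`, or `validate_certs: "{{ hypervisor_validate_certs | default(true) }}"` if self-signed lab hosts must stay supported. `ignore_errors: true` on the whole task also means a failed VM creation (wrong folder, missing `vlan_name`) is silently skipped and the play goes on to wait for a host that never came up; drop it, or narrow it to the specific condition you expect with `failed_when`. The `secure_boot: false` setting is consistent with the proxmox side and is fine for an unsigned install, but deserves a comment saying so.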