Compare commits
8 Commits
696df925c6
...
2d4127a688
| Author | SHA1 | Date | |
|---|---|---|---|
| 2d4127a688 | |||
| 1cc1966b97 | |||
| 4d72a8999f | |||
| e264d1cabc | |||
| aa6e356444 | |||
| fe0b72c9d8 | |||
| ce972e55dd | |||
| 2891de8fef |
@@ -14,7 +14,7 @@
|
||||
--setopt=install_weak_deps=False groupinstall -y base core
|
||||
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
|
||||
- >-
|
||||
arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False
|
||||
{{ chroot_command }} /mnt dnf --releasever=9 --setopt=install_weak_deps=False
|
||||
install -y {{ bootstrap_alma_extra }}
|
||||
register: bootstrap_result
|
||||
changed_when: bootstrap_result.rc == 0
|
||||
|
||||
@@ -23,7 +23,7 @@
|
||||
- >-
|
||||
debootstrap --include={{ bootstrap_debian_base }}
|
||||
{{ bootstrap_debian_release }} /mnt http://deb.debian.org/debian/
|
||||
- "arch-chroot /mnt apt install -y {{ bootstrap_debian_extra }}"
|
||||
- arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data
|
||||
- "{{ chroot_command }} /mnt apt install -y {{ bootstrap_debian_extra }}"
|
||||
- "{{ chroot_command }} /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data"
|
||||
register: bootstrap_result
|
||||
changed_when: bootstrap_result.rc == 0
|
||||
|
||||
@@ -15,8 +15,8 @@
|
||||
groupinstall -y critical-path-base core
|
||||
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
|
||||
- >-
|
||||
arch-chroot /mnt dnf --releasever=43 --setopt=install_weak_deps=False
|
||||
{{ chroot_command }} /mnt dnf --releasever=43 --setopt=install_weak_deps=False
|
||||
install -y {{ bootstrap_fedora_extra }}
|
||||
- arch-chroot /mnt dnf reinstall -y kernel-core
|
||||
- "{{ chroot_command }} /mnt dnf reinstall -y kernel-core"
|
||||
register: bootstrap_result
|
||||
changed_when: bootstrap_result.rc == 0
|
||||
|
||||
@@ -34,12 +34,7 @@
|
||||
state: mounted
|
||||
|
||||
- name: Rebuild RPM database inside chroot
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- arch-chroot
|
||||
- /mnt
|
||||
- rpm
|
||||
- --rebuilddb
|
||||
ansible.builtin.command: "{{ chroot_command }} /mnt rpm --rebuilddb"
|
||||
register: bootstrap_rpm_rebuild_result
|
||||
changed_when: bootstrap_rpm_rebuild_result.rc == 0
|
||||
|
||||
@@ -60,7 +55,7 @@
|
||||
| join(' ')
|
||||
}}
|
||||
ansible.builtin.command: >-
|
||||
arch-chroot /mnt dnf --releasever={{ bootstrap_rhel_release }}
|
||||
{{ chroot_command }} /mnt dnf --releasever={{ bootstrap_rhel_release }}
|
||||
--setopt=install_weak_deps=False install -y {{ bootstrap_rhel_extra }}
|
||||
register: bootstrap_result
|
||||
changed_when: bootstrap_result.rc == 0
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
groupinstall -y base core
|
||||
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
|
||||
- >-
|
||||
arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False
|
||||
{{ chroot_command }} /mnt dnf --releasever=9 --setopt=install_weak_deps=False
|
||||
install -y {{ bootstrap_rocky_extra }}
|
||||
register: bootstrap_result
|
||||
changed_when: bootstrap_result.rc == 0
|
||||
|
||||
@@ -20,8 +20,8 @@
|
||||
debootstrap --include={{ bootstrap_ubuntu_base }}
|
||||
{{ bootstrap_ubuntu_release }} /mnt http://archive.ubuntu.com/ubuntu/
|
||||
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
|
||||
- arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
|
||||
- arch-chroot /mnt apt update
|
||||
- "arch-chroot /mnt apt install -y {{ bootstrap_ubuntu_extra }}"
|
||||
- "{{ chroot_command }} /mnt sed -i '1s|$| universe|' /etc/apt/sources.list"
|
||||
- "{{ chroot_command }} /mnt apt update"
|
||||
- "{{ chroot_command }} /mnt apt install -y {{ bootstrap_ubuntu_extra }}"
|
||||
register: bootstrap_result
|
||||
changed_when: bootstrap_result.rc == 0
|
||||
|
||||
@@ -1,12 +1,12 @@
|
||||
---
|
||||
- name: Configure System Cryptography Policy
|
||||
when: os in ["almalinux", "rhel9", "rhel10", "rocky"]
|
||||
ansible.builtin.command: arch-chroot /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
|
||||
ansible.builtin.command: "{{ chroot_command }} /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1"
|
||||
register: cis_crypto_policy_result
|
||||
changed_when: "'Setting system-wide crypto-policies to' in cis_crypto_policy_result.stdout"
|
||||
|
||||
- name: Mask Systemd Services
|
||||
ansible.builtin.command: >
|
||||
arch-chroot /mnt systemctl mask nftables bluetooth rpcbind
|
||||
{{ chroot_command }} /mnt systemctl mask nftables bluetooth rpcbind
|
||||
register: cis_mask_services_result
|
||||
changed_when: cis_mask_services_result.rc == 0
|
||||
|
||||
@@ -18,7 +18,7 @@
|
||||
--bootloader-id={{ configuration_bootloader_id }}
|
||||
configuration_bootloader_cmd: >-
|
||||
{{ configuration_efibootmgr_cmd if configuration_use_efibootmgr else configuration_grub_cmd }}
|
||||
ansible.builtin.command: "arch-chroot /mnt {{ configuration_bootloader_cmd }}"
|
||||
ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_bootloader_cmd }}"
|
||||
register: configuration_bootloader_result
|
||||
changed_when: configuration_bootloader_result.rc == 0
|
||||
|
||||
@@ -43,7 +43,7 @@
|
||||
else '/usr/bin/dracut --regenerate-all --force'
|
||||
)
|
||||
}}
|
||||
ansible.builtin.command: "arch-chroot /mnt {{ configuration_initramfs_cmd }}"
|
||||
ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_initramfs_cmd }}"
|
||||
register: configuration_initramfs_result
|
||||
changed_when: configuration_initramfs_result.rc == 0
|
||||
|
||||
@@ -59,6 +59,6 @@
|
||||
if is_rhel | bool
|
||||
else '/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg'
|
||||
}}
|
||||
ansible.builtin.command: "arch-chroot /mnt {{ configuration_grub_cfg_cmd }}"
|
||||
ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_grub_cfg_cmd }}"
|
||||
register: configuration_grub_result
|
||||
changed_when: configuration_grub_result.rc == 0
|
||||
|
||||
@@ -35,9 +35,9 @@
|
||||
if configuration_luks_tpm2_pcrs_effective | length > 0 else [])
|
||||
+ [configuration_luks_device]
|
||||
}}
|
||||
configuration_luks_enroll_chroot_args: "{{ ['arch-chroot', '/mnt'] + configuration_luks_enroll_args }}"
|
||||
ansible.builtin.command:
|
||||
argv: "{{ configuration_luks_enroll_chroot_args }}"
|
||||
configuration_luks_enroll_chroot_cmd: >-
|
||||
{{ chroot_command }} /mnt {{ configuration_luks_enroll_args | join(' ') }}
|
||||
ansible.builtin.command: "{{ configuration_luks_enroll_chroot_cmd }}"
|
||||
register: configuration_luks_tpm2_enroll_chroot
|
||||
changed_when: configuration_luks_tpm2_enroll_chroot.rc == 0
|
||||
failed_when: false
|
||||
|
||||
@@ -26,13 +26,15 @@
|
||||
mode: "0644"
|
||||
|
||||
- name: Create zram config
|
||||
when: os | lower not in ['debian11', 'rhel8']
|
||||
when:
|
||||
- os | lower not in ['debian11', 'rhel8']
|
||||
- swap_enabled | bool
|
||||
ansible.builtin.copy:
|
||||
dest: /mnt/etc/systemd/zram-generator.conf
|
||||
content: |
|
||||
[zram0]
|
||||
zram-size = ram / 2
|
||||
compression-algorithm = zstd
|
||||
compression-algorithm = {{ 'zstd' if zstd_enabled | bool else 'lz4' }}
|
||||
swap-priority = 100
|
||||
fs-type = swap
|
||||
mode: "0644"
|
||||
|
||||
@@ -28,7 +28,14 @@
|
||||
}}
|
||||
configuration_grub_lvm_args_value: >-
|
||||
{{
|
||||
['resume=/dev/mapper/sys-swap', 'rd.lvm.lv=sys/root', 'rd.lvm.lv=sys/swap']
|
||||
(
|
||||
['rd.lvm.lv=sys/root']
|
||||
+ (
|
||||
['rd.lvm.lv=sys/swap', 'resume=/dev/mapper/sys-swap']
|
||||
if swap_enabled | bool
|
||||
else []
|
||||
)
|
||||
)
|
||||
if (filesystem | lower) != 'btrfs'
|
||||
else []
|
||||
}}
|
||||
|
||||
@@ -23,7 +23,7 @@
|
||||
|
||||
- name: Generate locales
|
||||
when: not is_rhel | bool
|
||||
ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen
|
||||
ansible.builtin.command: "{{ chroot_command }} /mnt /usr/sbin/locale-gen"
|
||||
register: configuration_locale_result
|
||||
changed_when: configuration_locale_result.rc == 0
|
||||
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
- name: Fix SELinux by pre-labeling the filesystem before first boot
|
||||
when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and selinux | bool
|
||||
ansible.builtin.command: >
|
||||
arch-chroot /mnt /sbin/setfiles -v -F
|
||||
{{ chroot_command }} /mnt /sbin/setfiles -v -F
|
||||
-e /dev -e /proc -e /sys -e /run
|
||||
/etc/selinux/targeted/contexts/files/file_contexts /
|
||||
register: configuration_setfiles_result
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: Enable Systemd Services
|
||||
ansible.builtin.command: >
|
||||
arch-chroot /mnt systemctl enable NetworkManager
|
||||
{{ chroot_command }} /mnt systemctl enable NetworkManager
|
||||
{{ ' firewalld' if firewalld_enabled | bool else '' }}
|
||||
{{
|
||||
' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else
|
||||
@@ -16,7 +16,7 @@
|
||||
|
||||
- name: Disable firewalld when disabled
|
||||
when: not firewalld_enabled | bool
|
||||
ansible.builtin.command: arch-chroot /mnt systemctl disable --now firewalld
|
||||
ansible.builtin.command: "{{ chroot_command }} /mnt systemctl disable --now firewalld"
|
||||
register: configuration_disable_firewalld_result
|
||||
changed_when: configuration_disable_firewalld_result.rc == 0
|
||||
failed_when: false
|
||||
|
||||
@@ -4,11 +4,11 @@
|
||||
configuration_user_group: >-
|
||||
{{ "sudo" if is_debian | bool else "wheel" }}
|
||||
configuration_useradd_cmd: >-
|
||||
arch-chroot /mnt /usr/sbin/useradd --create-home --user-group
|
||||
{{ chroot_command }} /mnt /usr/sbin/useradd --create-home --user-group
|
||||
--groups {{ configuration_user_group }} {{ user_name }}
|
||||
--password {{ user_password | password_hash('sha512') }} --shell /bin/bash
|
||||
configuration_root_cmd: >-
|
||||
arch-chroot /mnt /usr/sbin/usermod --password
|
||||
{{ chroot_command }} /mnt /usr/sbin/usermod --password
|
||||
'{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
|
||||
ansible.builtin.command: "{{ item }}"
|
||||
loop:
|
||||
|
||||
@@ -151,3 +151,37 @@
|
||||
src: "{{ os | lower }}.repo.j2"
|
||||
dest: /etc/yum.repos.d/{{ os | lower }}.repo
|
||||
mode: "0644"
|
||||
|
||||
- name: Check for third-party preparation tasks
|
||||
run_once: true
|
||||
become: false
|
||||
delegate_to: localhost
|
||||
vars:
|
||||
ansible_connection: local
|
||||
block:
|
||||
- name: Resolve third-party preparation task path
|
||||
ansible.builtin.set_fact:
|
||||
environment_thirdparty_tasks_path: >-
|
||||
{{
|
||||
thirdparty_preparation_tasks_path
|
||||
if thirdparty_preparation_tasks_path | regex_search('^/')
|
||||
else playbook_dir + '/' + thirdparty_preparation_tasks_path
|
||||
}}
|
||||
changed_when: false
|
||||
|
||||
- name: Stat third-party preparation tasks
|
||||
ansible.builtin.stat:
|
||||
path: "{{ environment_thirdparty_tasks_path }}"
|
||||
register: environment_thirdparty_tasks_stat
|
||||
changed_when: false
|
||||
|
||||
- name: Run third-party preparation tasks
|
||||
when:
|
||||
- thirdparty_preparation_tasks_path | length > 0
|
||||
- environment_thirdparty_tasks_stat.stat.exists
|
||||
ansible.builtin.include_tasks: >-
|
||||
{{
|
||||
thirdparty_preparation_tasks_path
|
||||
if thirdparty_preparation_tasks_path | regex_search('^/')
|
||||
else playbook_dir + '/' + thirdparty_preparation_tasks_path
|
||||
}}
|
||||
|
||||
@@ -5,6 +5,10 @@ cis: false
|
||||
selinux: true
|
||||
vmware_ssh: false
|
||||
firewalld_enabled: true
|
||||
zstd_enabled: true
|
||||
swap_enabled: true
|
||||
chroot_command: "arch-chroot"
|
||||
thirdparty_preparation_tasks_path: "dropins/preparation.yml"
|
||||
|
||||
cis_enabled: "{{ cis | bool }}"
|
||||
|
||||
|
||||
@@ -16,6 +16,7 @@ partitioning_luks_tpm2_device: "{{ luks_tpm2_device }}"
|
||||
partitioning_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
|
||||
partitioning_luks_keyfile_size: "{{ luks_keyfile_size }}"
|
||||
partitioning_luks_options: "{{ luks_options }}"
|
||||
partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if zstd_enabled | bool else '' }}"
|
||||
partitioning_boot_partition_suffix: 1
|
||||
partitioning_main_partition_suffix: 2
|
||||
partitioning_efi_size_mib: 512
|
||||
|
||||
@@ -19,7 +19,19 @@
|
||||
path: /mnt
|
||||
src: "{{ partitioning_root_device }}"
|
||||
fstype: btrfs
|
||||
opts: rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async
|
||||
opts: >-
|
||||
{{
|
||||
[
|
||||
'rw',
|
||||
'relatime',
|
||||
partitioning_btrfs_compress_opt,
|
||||
'ssd',
|
||||
'space_cache=v2',
|
||||
'discard=async'
|
||||
]
|
||||
| reject('equalto', '')
|
||||
| join(',')
|
||||
}}
|
||||
state: mounted
|
||||
|
||||
- name: Enable quotas on Btrfs filesystem
|
||||
@@ -28,7 +40,9 @@
|
||||
changed_when: false
|
||||
|
||||
- name: Make root subvolumes
|
||||
when: cis_enabled or item.subvol not in ['var_log_audit']
|
||||
when:
|
||||
- cis_enabled or item.subvol not in ['var_log_audit']
|
||||
- swap_enabled | bool or item.subvol != 'swap'
|
||||
ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
|
||||
args:
|
||||
creates: /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
|
||||
@@ -51,6 +65,7 @@
|
||||
changed_when: false
|
||||
|
||||
- name: Create a Btrfs swap file
|
||||
when: swap_enabled | bool
|
||||
ansible.builtin.command: >-
|
||||
btrfs filesystem mkswapfile --size {{ partitioning_swap_size_gb }}g --uuid clear /mnt/@swap/swapfile
|
||||
args:
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
---
|
||||
- name: Detect system memory for swap sizing
|
||||
when:
|
||||
- swap_enabled | bool
|
||||
- partitioning_vm_memory is not defined or (partitioning_vm_memory | float) <= 0
|
||||
- vm_memory is not defined or (vm_memory | float) <= 0
|
||||
block:
|
||||
@@ -257,41 +258,59 @@
|
||||
pvs: "{{ partitioning_root_device }}"
|
||||
|
||||
- name: Create LVM logical volumes
|
||||
when: cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
|
||||
when:
|
||||
- cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
|
||||
- swap_enabled | bool or item.lv != 'swap'
|
||||
vars:
|
||||
partitioning_lvm_swap_target_gb: >-
|
||||
{{
|
||||
[
|
||||
(partitioning_vm_memory_effective | float / 1024),
|
||||
4
|
||||
] | max | float
|
||||
(
|
||||
[
|
||||
(partitioning_vm_memory_effective | float / 1024),
|
||||
4
|
||||
] | max | float
|
||||
)
|
||||
if swap_enabled | bool
|
||||
else 0
|
||||
}}
|
||||
partitioning_lvm_swap_cap_gb: >-
|
||||
{{
|
||||
4
|
||||
+ [
|
||||
(partitioning_vm_size_effective | float) - 20,
|
||||
0
|
||||
] | max
|
||||
(
|
||||
4
|
||||
+ [
|
||||
(partitioning_vm_size_effective | float) - 20,
|
||||
0
|
||||
] | max
|
||||
)
|
||||
if swap_enabled | bool
|
||||
else 0
|
||||
}}
|
||||
partitioning_lvm_swap_target_effective_gb: >-
|
||||
{{
|
||||
[
|
||||
partitioning_lvm_swap_target_gb,
|
||||
partitioning_lvm_swap_cap_gb
|
||||
] | min
|
||||
(
|
||||
[
|
||||
partitioning_lvm_swap_target_gb,
|
||||
partitioning_lvm_swap_cap_gb
|
||||
] | min
|
||||
)
|
||||
if swap_enabled | bool
|
||||
else 0
|
||||
}}
|
||||
partitioning_lvm_swap_max_gb: >-
|
||||
{{
|
||||
[
|
||||
(
|
||||
(partitioning_vm_size_effective | float)
|
||||
- (partitioning_reserved_gb | float)
|
||||
- (cis_enabled | ternary(7.5, 0))
|
||||
- 4
|
||||
),
|
||||
0
|
||||
] | max
|
||||
(
|
||||
[
|
||||
(
|
||||
(partitioning_vm_size_effective | float)
|
||||
- (partitioning_reserved_gb | float)
|
||||
- (cis_enabled | ternary(7.5, 0))
|
||||
- 4
|
||||
),
|
||||
0
|
||||
] | max
|
||||
)
|
||||
if swap_enabled | bool
|
||||
else 0
|
||||
}}
|
||||
partitioning_lvm_available_gb: >-
|
||||
{{
|
||||
@@ -328,10 +347,14 @@
|
||||
}}
|
||||
partitioning_lvm_swap_gb: >-
|
||||
{{
|
||||
[
|
||||
partitioning_lvm_swap_target_effective_gb,
|
||||
partitioning_lvm_swap_max_gb
|
||||
] | min | round(2, 'floor')
|
||||
(
|
||||
[
|
||||
partitioning_lvm_swap_target_effective_gb,
|
||||
partitioning_lvm_swap_max_gb
|
||||
] | min | round(2, 'floor')
|
||||
)
|
||||
if swap_enabled | bool
|
||||
else 0
|
||||
}}
|
||||
partitioning_lvm_root_full_gb: >-
|
||||
{{
|
||||
@@ -399,7 +422,9 @@
|
||||
changed_when: partitioning_boot_ext4_tune_result.rc == 0
|
||||
|
||||
- name: Create swap filesystem
|
||||
when: filesystem != 'btrfs'
|
||||
when:
|
||||
- filesystem != 'btrfs'
|
||||
- swap_enabled | bool
|
||||
community.general.filesystem:
|
||||
fstype: swap
|
||||
dev: /dev/sys/swap
|
||||
@@ -424,28 +449,86 @@
|
||||
register: partitioning_main_uuid
|
||||
changed_when: false
|
||||
|
||||
- name: Get UUIDs for LVM filesystems
|
||||
when: filesystem != 'btrfs' and (cis_enabled or item not in ['home', 'var', 'var_log', 'var_log_audit'])
|
||||
ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }}
|
||||
loop:
|
||||
- root
|
||||
- swap
|
||||
- home
|
||||
- var
|
||||
- var_log
|
||||
- var_log_audit
|
||||
register: partitioning_uuid_result
|
||||
- name: Get UUID for LVM root filesystem
|
||||
when: filesystem != 'btrfs'
|
||||
ansible.builtin.command: blkid -s UUID -o value /dev/sys/root
|
||||
register: partitioning_uuid_root_result
|
||||
changed_when: false
|
||||
|
||||
- name: Get UUID for LVM swap filesystem
|
||||
when:
|
||||
- filesystem != 'btrfs'
|
||||
- swap_enabled | bool
|
||||
ansible.builtin.command: blkid -s UUID -o value /dev/sys/swap
|
||||
register: partitioning_uuid_swap_result
|
||||
changed_when: false
|
||||
|
||||
- name: Get UUID for LVM home filesystem
|
||||
when:
|
||||
- filesystem != 'btrfs'
|
||||
- cis_enabled
|
||||
ansible.builtin.command: blkid -s UUID -o value /dev/sys/home
|
||||
register: partitioning_uuid_home_result
|
||||
changed_when: false
|
||||
|
||||
- name: Get UUID for LVM var filesystem
|
||||
when:
|
||||
- filesystem != 'btrfs'
|
||||
- cis_enabled
|
||||
ansible.builtin.command: blkid -s UUID -o value /dev/sys/var
|
||||
register: partitioning_uuid_var_result
|
||||
changed_when: false
|
||||
|
||||
- name: Get UUID for LVM var_log filesystem
|
||||
when:
|
||||
- filesystem != 'btrfs'
|
||||
- cis_enabled
|
||||
ansible.builtin.command: blkid -s UUID -o value /dev/sys/var_log
|
||||
register: partitioning_uuid_var_log_result
|
||||
changed_when: false
|
||||
|
||||
- name: Get UUID for LVM var_log_audit filesystem
|
||||
when:
|
||||
- filesystem != 'btrfs'
|
||||
- cis_enabled
|
||||
ansible.builtin.command: blkid -s UUID -o value /dev/sys/var_log_audit
|
||||
register: partitioning_uuid_var_log_audit_result
|
||||
changed_when: false
|
||||
|
||||
- name: Assign UUIDs to Variables
|
||||
when: filesystem != 'btrfs'
|
||||
ansible.builtin.set_fact:
|
||||
partitioning_uuid_root: "{{ partitioning_uuid_result.results[0].stdout_lines }}"
|
||||
partitioning_uuid_swap: "{{ partitioning_uuid_result.results[1].stdout_lines }}"
|
||||
partitioning_uuid_home: "{{ partitioning_uuid_result.results[2].stdout_lines if cis_enabled else '' }}"
|
||||
partitioning_uuid_var: "{{ partitioning_uuid_result.results[3].stdout_lines if cis_enabled else '' }}"
|
||||
partitioning_uuid_var_log: "{{ partitioning_uuid_result.results[4].stdout_lines if cis_enabled else '' }}"
|
||||
partitioning_uuid_var_log_audit: "{{ partitioning_uuid_result.results[5].stdout_lines if cis_enabled else '' }}"
|
||||
partitioning_uuid_root: "{{ partitioning_uuid_root_result.stdout_lines | default([]) }}"
|
||||
partitioning_uuid_swap: >-
|
||||
{{
|
||||
partitioning_uuid_swap_result.stdout_lines | default([])
|
||||
if swap_enabled | bool
|
||||
else ''
|
||||
}}
|
||||
partitioning_uuid_home: >-
|
||||
{{
|
||||
partitioning_uuid_home_result.stdout_lines | default([])
|
||||
if cis_enabled
|
||||
else ''
|
||||
}}
|
||||
partitioning_uuid_var: >-
|
||||
{{
|
||||
partitioning_uuid_var_result.stdout_lines | default([])
|
||||
if cis_enabled
|
||||
else ''
|
||||
}}
|
||||
partitioning_uuid_var_log: >-
|
||||
{{
|
||||
partitioning_uuid_var_log_result.stdout_lines | default([])
|
||||
if cis_enabled
|
||||
else ''
|
||||
}}
|
||||
partitioning_uuid_var_log_audit: >-
|
||||
{{
|
||||
partitioning_uuid_var_log_audit_result.stdout_lines | default([])
|
||||
if cis_enabled
|
||||
else ''
|
||||
}}
|
||||
|
||||
- name: Mount filesystems
|
||||
block:
|
||||
@@ -460,6 +543,7 @@
|
||||
)
|
||||
- >-
|
||||
not (item.path in ['/swap', '/var/cache/pacman/pkg'] and filesystem != 'btrfs')
|
||||
- swap_enabled | bool or item.path != '/swap'
|
||||
ansible.posix.mount:
|
||||
path: /mnt{{ item.path }}
|
||||
src: "{{ 'UUID=' + (partitioning_main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}"
|
||||
@@ -474,17 +558,17 @@
|
||||
'defaults'
|
||||
if filesystem != 'btrfs'
|
||||
else [
|
||||
'rw', 'relatime', 'compress=zstd:15', 'ssd', 'space_cache=v2',
|
||||
'rw', 'relatime', partitioning_btrfs_compress_opt, 'ssd', 'space_cache=v2',
|
||||
'discard=async', 'subvol=@'
|
||||
] | join(',')
|
||||
] | reject('equalto', '') | join(',')
|
||||
}}
|
||||
- path: /swap
|
||||
opts: >-
|
||||
{{
|
||||
[
|
||||
'rw', 'nosuid', 'nodev', 'relatime', 'compress=zstd:15', 'ssd',
|
||||
'rw', 'nosuid', 'nodev', 'relatime', partitioning_btrfs_compress_opt, 'ssd',
|
||||
'space_cache=v2', 'discard=async', 'subvol=@swap'
|
||||
] | join(',')
|
||||
] | reject('equalto', '') | join(',')
|
||||
}}
|
||||
- path: /home
|
||||
uuid: "{{ partitioning_uuid_home[0] | default(omit) }}"
|
||||
@@ -493,9 +577,9 @@
|
||||
'defaults,nosuid,nodev'
|
||||
if filesystem != 'btrfs'
|
||||
else [
|
||||
'rw', 'nosuid', 'nodev', 'relatime', 'compress=zstd:15', 'ssd',
|
||||
'rw', 'nosuid', 'nodev', 'relatime', partitioning_btrfs_compress_opt, 'ssd',
|
||||
'space_cache=v2', 'discard=async', 'subvol=@home'
|
||||
] | join(',')
|
||||
] | reject('equalto', '') | join(',')
|
||||
}}
|
||||
- path: /var
|
||||
uuid: "{{ partitioning_uuid_var[0] | default(omit) }}"
|
||||
@@ -504,9 +588,9 @@
|
||||
'defaults,nosuid,nodev'
|
||||
if filesystem != 'btrfs'
|
||||
else [
|
||||
'rw', 'nosuid', 'nodev', 'relatime', 'compress=zstd:15', 'ssd',
|
||||
'rw', 'nosuid', 'nodev', 'relatime', partitioning_btrfs_compress_opt, 'ssd',
|
||||
'space_cache=v2', 'discard=async', 'subvol=@var'
|
||||
] | join(',')
|
||||
] | reject('equalto', '') | join(',')
|
||||
}}
|
||||
- path: /var/log
|
||||
uuid: "{{ partitioning_uuid_var_log[0] | default(omit) }}"
|
||||
@@ -515,9 +599,9 @@
|
||||
'defaults,nosuid,nodev,noexec'
|
||||
if filesystem != 'btrfs'
|
||||
else [
|
||||
'rw', 'nosuid', 'nodev', 'noexec', 'relatime', 'compress=zstd:15',
|
||||
'rw', 'nosuid', 'nodev', 'noexec', 'relatime', partitioning_btrfs_compress_opt,
|
||||
'ssd', 'space_cache=v2', 'discard=async', 'subvol=@var_log'
|
||||
] | join(',')
|
||||
] | reject('equalto', '') | join(',')
|
||||
}}
|
||||
- path: /var/cache/pacman/pkg
|
||||
uuid: "{{ partitioning_uuid_root | default([]) | first | default(omit) }}"
|
||||
@@ -526,9 +610,9 @@
|
||||
'defaults,nosuid,nodev,noexec'
|
||||
if filesystem != 'btrfs'
|
||||
else [
|
||||
'rw', 'nosuid', 'nodev', 'noexec', 'relatime', 'compress=zstd:15',
|
||||
'rw', 'nosuid', 'nodev', 'noexec', 'relatime', partitioning_btrfs_compress_opt,
|
||||
'ssd', 'space_cache=v2', 'discard=async', 'subvol=@pkg'
|
||||
] | join(',')
|
||||
] | reject('equalto', '') | join(',')
|
||||
}}
|
||||
- path: /var/log/audit
|
||||
uuid: "{{ partitioning_uuid_var_log_audit[0] | default(omit) }}"
|
||||
@@ -537,9 +621,9 @@
|
||||
'defaults,nosuid,nodev,noexec'
|
||||
if filesystem != 'btrfs'
|
||||
else [
|
||||
'rw', 'nosuid', 'nodev', 'noexec', 'relatime', 'compress=zstd:15',
|
||||
'rw', 'nosuid', 'nodev', 'noexec', 'relatime', partitioning_btrfs_compress_opt,
|
||||
'ssd', 'space_cache=v2', 'discard=async', 'subvol=@var_log_audit'
|
||||
] | join(',')
|
||||
] | reject('equalto', '') | join(',')
|
||||
}}
|
||||
|
||||
- name: Mount /boot filesystem
|
||||
@@ -559,6 +643,7 @@
|
||||
state: mounted
|
||||
|
||||
- name: Activate swap
|
||||
when: swap_enabled | bool
|
||||
vars:
|
||||
partitioning_swap_cmd: >-
|
||||
{{ 'swapon /mnt/swap/swapfile' if filesystem == 'btrfs' else 'swapon -U ' + partitioning_uuid_swap[0] }}
|
||||
|
||||
Reference in New Issue
Block a user