sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sandwich:6be464a0e2966a317490f30b864906317592a5bc
Branches Tags
sandwich:master sandwich:rhel
..
compare: sandwich:rhel
Branches Tags
sandwich:master sandwich:rhel

86 Commits
6be464a0e2 ... rhel

Author SHA1 Message Date
Sandwich
cdf2b9fdd7 Adjust examples 2024-11-07 15:02:49 +01:00
Sandwich
6df7d5ccfc Remove non RHEL configuration 2024-11-07 14:57:39 +01:00
Sandwich
75b0e41be6 Remove RHEL ISO variable 2024-11-07 14:26:02 +01:00
Sandwich
38defef1a0 Adjust README for RHEL systems 2024-11-07 14:19:52 +01:00
Sandwich
25deaab87d Add some extra packages and vi mode for bash 2024-11-05 03:36:15 +01:00
Sandwich
89f054e8fd Add final check if the VM is up and running after reboot 2024-11-01 23:58:52 +01:00
Sandwich
cbe238f4d5 Improve the root lv size calculations, still not perfect on bigger disk 
and ram sizes
 2024-10-31 20:07:40 +01:00
Sandwich
c6f1686db8 Preper Shutdown so VMware does not corrupt the installation 2024-10-31 18:27:31 +01:00
Sandwich
c9a15dfccf improve logical volume size calculation 2024-10-31 17:32:27 +01:00
Sandwich
f83a9ebd67 remove zram from debian11 since no support 2024-10-31 16:00:44 +01:00
Sandwich
e16868a78d remove zram for rhel8 since no support 2024-10-31 15:56:42 +01:00
Sandwich
406db38296 dont use sudo for umount 2024-10-31 15:35:22 +01:00
Sandwich
cb3f36a040 Add umount for non RHEL systems 2024-10-31 14:23:55 +01:00
Sandwich
d97f0cfff8 Fix ubuntu install issue 2024-10-31 05:56:20 +01:00
Sandwich
e8f609dd03 Add SWAP support 2024-10-31 05:46:33 +01:00
Sandwich
a599e26a63 Add zram-generator config 2024-10-31 02:18:55 +01:00
Sandwich
3085ebc336 add zram-generator package 2024-10-31 02:10:21 +01:00
Sandwich
f967ea1c3b Add swap optimalisations 2024-10-31 02:05:11 +01:00
Sandwich
2c4995ede8 Make root LV size dynamic based on VM disk size 2024-10-31 01:29:48 +01:00
Sandwich
ccf3193c92 improve VMware cleanup 2024-10-31 01:12:51 +01:00
Sandwich
d92944c345 Fix riski shell pipe 2024-10-31 00:43:49 +01:00
Sandwich
3c94a33ae7 Remove Cloud-init package which can cause issues with NetworkManager on 
bootup
 2024-10-31 00:41:38 +01:00
Sandwich
af82baf1d8 Include MAC-Address into the NetworkManager keyfile 2024-10-31 00:13:23 +01:00
Sandwich
ec55701f00 umount disks before reboot 2024-10-30 23:48:36 +01:00
Sandwich
2a1a47ecc1 Remove VMWare static since not applicable 2024-10-30 23:18:27 +01:00
Sandwich
4808ce4401 Fix DISK removal at cleanup 2024-10-30 23:10:53 +01:00
Sandwich
db1fd13623 Fix variable hierarchy 2024-10-30 22:19:00 +01:00
Sandwich
e5660b0ba7 Fix ISO mounting for VMware Hypervisor 2024-10-30 20:25:41 +01:00
Sandwich
173ecd299b Different aproche for ISO mounting 2024-10-30 19:30:12 +01:00
Sandwich
4d242ad987 Adjust controllerID for RHEL ISO for correct mounting 2024-10-30 19:23:01 +01:00
Sandwich
f8ac22cfab Allow passwordless ssh for VMware Setup 2024-10-30 19:12:36 +01:00
Sandwich
12a7549aaa Speed up setup on VMware if ssh is available 2024-10-30 18:59:32 +01:00
Sandwich
6705411b2d Enable root ssh login 2024-10-30 18:54:15 +01:00
Sandwich
fe2b216fc7 set cis default value 2024-10-30 18:14:29 +01:00
Sandwich
26824ca6bb Improve Ip set on VMware hypervisors 2024-10-30 18:04:46 +01:00
Sandwich
c60fcca86d Fix VM Connection if hypervisor is VMware 2024-10-30 17:57:22 +01:00
Sandwich
cdd8062937 Fix recursion 2024-10-30 17:09:22 +01:00
Sandwich
ebedff1c4e fix jinja syntax 2024-10-30 17:05:50 +01:00
Sandwich
04d05a4e8b Move hypervisor and disk variable from main playbook 2024-10-30 16:58:22 +01:00
Sandwich
ee6e06a3fe lower connection timeout 2024-10-30 16:48:23 +01:00
Sandwich
527bc11d1d Change VMware boot order to boot correctly from ArchISO 2024-10-30 15:59:16 +01:00
Sandwich
d331e07536 Fix VMware Network if no VLAN specified 2024-10-30 15:48:22 +01:00
Sandwich
287036bcb4 use the correct NetworkMask variable name 2024-10-30 14:38:25 +01:00
Sandwich
ca5a3c8807 Add network mask variables for Hypervisor static IP assigments 2024-10-30 14:33:38 +01:00
Sandwich
c8dd89681b move vm_ip back since it is not a permanent/static variable 2024-10-30 14:10:37 +01:00
Sandwich
9d4af56976 Move some persstent Vars to main playbook 2024-10-30 14:01:07 +01:00
Sandwich
3c55eaf4a1 Recommend Ansible Vault for variables storing secrets 2024-10-30 13:45:19 +01:00
Sandwich
d905dce89e Add missing RHEL variable examples 2024-10-30 00:49:37 +01:00
Sandwich
76f1382e3e Assertion for minimum filesystem size 2024-10-30 00:44:19 +01:00
Sandwich
04c27cd7d0 remove deperacted parameter causing sshd startup fails 2024-10-30 00:32:08 +01:00
Sandwich
147430b36e Add RHEL8 and RHEL9 support 2024-10-30 00:29:46 +01:00
Sandwich
f8ba5c41db Update Ubuntu to Oracular Oriole and Ubuntu-LTS to Noble Numbat 2024-10-29 15:08:43 +01:00
Sandwich
7a4fc24f32 Remove SSH Config multiline since OpenSSH does not support it 2024-10-29 14:25:53 +01:00
Sandwich
7bf7c29291 Update Fedora to Version 41 2024-10-29 14:17:01 +01:00
Sandwich
ccfce65673 Disable Cloud-init updates on boot to prevent loopdevice out of storage 2024-10-29 12:59:50 +01:00
Sandwich
528f2fc775 Use command module instead of shell if possible 2024-10-28 21:15:10 +01:00
Sandwich
505110f580 Fix command module formating 2024-10-28 21:07:33 +01:00
Sandwich
1d1b2fff42 Fix connection DNS resolving inside chroot 2024-10-28 20:26:15 +01:00
Sandwich
4cf4816be0 ensure variable is not empty 2024-10-28 19:25:49 +01:00
Sandwich
e37b5a535b Specify changed_when for shell commands 2024-10-28 19:20:05 +01:00
Sandwich
5312ec8cc6 Replace ignore_errors with failed_when 2024-10-28 18:56:00 +01:00
Sandwich
a3b772c543 fix risky-shell-pipe 2024-10-28 18:47:31 +01:00
Sandwich
adde811f47 Fix risky-file-permissions because of unpecified mode 2024-10-28 18:37:44 +01:00
Sandwich
f788767839 Fix line-length 2024-10-28 18:26:54 +01:00
Sandwich
8b773d2304 Adjust literal-compare to use correct bool comparison 2024-10-28 17:17:24 +01:00
Sandwich
c988ab8f9a dont use ignore-errors 2024-07-11 22:31:13 +02:00
Sandwich
8864db253b add missing task name 2024-07-11 22:22:43 +02:00
Sandwich
06ca8d8787 ansible-lint fixes 2024-07-11 22:20:45 +02:00
Sandwich
374b5fc7ef use correct boolean values 2024-07-11 22:09:58 +02:00
Sandwich
6bfd530c90 fix jinja formating 2024-07-11 22:03:15 +02:00
Sandwich
b077e549db remove btrfs quota limits 2024-05-21 14:20:28 +02:00
Sandwich
43ce280d11 correct README 2024-04-17 14:38:47 +02:00
Sandwich
a6b51b4cb4 Add supported distro to the README 2024-04-17 14:37:47 +02:00
Sandwich
6dd31cc95f fix cis support for all distros 2024-04-17 14:09:32 +02:00
Sandwich
4b98ec1434 add ubuntu-lts support 2024-04-17 12:17:19 +02:00
Sandwich
2444c5d7af add ubuntu support 2024-04-17 10:53:09 +02:00
Sandwich
ec6ca49265 fix fedora boot issue 2024-04-17 06:02:32 +02:00
Sandwich
fe43bf6733 add essential almalinux packages 2024-04-17 05:06:45 +02:00
Sandwich
31c155ce92 install dnf if {{ os }} is fedora 2024-04-17 04:47:33 +02:00
Sandwich
0c75114b94 add rocky to README example 2024-04-17 04:39:29 +02:00
Sandwich
cd9ed65c91 Add essential rockylinux packages 2024-04-17 04:32:11 +02:00
Sandwich
9986d19ed6 Add en and de langauge support for rockylinux 2024-04-17 04:19:32 +02:00
Sandwich
d73e78c5f2 Add cloud-init support 2024-04-16 01:17:48 +02:00
Sandwich
b6f620fb70 Add RockyLinux support 2024-04-16 01:14:12 +02:00
Sandwich
cc40bae858 Add RockyLinux support 2024-04-16 01:14:05 +02:00
Sandwich
344753fa5b Add RockyLinux Repo file 2024-04-15 21:30:04 +02:00
28 changed files with 668 additions and 892 deletions
Expand all files Collapse all files

32
README.md
View File

@@ -1,13 +1,18 @@
# Ansible-Bootstrap # Ansible-Bootstrap
An Ansible playbook for automating system bootstrap processes in an Infrastructure-as-Code manner, utilizing ArchISO as the foundational tool. An Ansible playbook for automating system bootstrap processes in an Infrastructure-as-Code manner.
# Info # Info
Most of the roles are adaptable for use with systems beyond ArchLinux, requiring only that the target system can install a necessary package manager, such as `dnf` for RHEL-based systems. Additionally, a replacement for the `arch-chroot` command may be required for these systems. - For RHEL 8 and RHEL 9, repository access requires the `rhel_iso` variable. This variable specifies a local ISO or proxy repository.
- RHEL systems do not support `btrfs`. Use `ext4` or `xfs` as alternatives.
- For RHEL 8, `xfs` may cause installation issues; `ext4` is recommended.
**NOTE**: # Supported Distributions
- RHEL Systems are not currently supported due to restricted access to their repositories.
A workaround could involve using an ISO as a local repository or setting up a proxy repository to facilitate access. | `os` | Distribution |
|------------|------------------------------------|
| rhel8 | Red Hat Enterprise Linux 8 |
| rhel9 | Red Hat Enterprise Linux 9 |
# Documentation # Documentation
@@ -23,7 +28,7 @@ Most of the roles are adaptable for use with systems beyond ArchLinux, requiring
## 1. Overview ## 1. Overview
The playbook uses the ArchLinux ISO as a foundational tool to provides an efficient and systematic method for the automatic deployment of a variety of Linux distributions on designated target systems. It ensures a standardized setup across different platforms, equipping each system with the essential configurations and software necessary for its designated role. The playbook uses the RHEL ISO to configure and bootstrap an RHEL system from the ground up.
## 2. Global Variables ## 2. Global Variables
@@ -32,7 +37,8 @@ Global variables apply across your Ansible project and are loaded from `vars.yml
| Variable | Description | Example Value | | Variable | Description | Example Value |
|-----------------------|--------------------------------------------------------------------|-----------------------------------------| |-----------------------|--------------------------------------------------------------------|-----------------------------------------|
| `boot_iso` | Path to the boot ISO image. | `local-btrfs:iso/archlinux-x86_64.iso` | | `boot_iso` | Path to the boot ISO image. | `local-btrfs:iso/archlinux-x86_64.iso` |
| `hypervisor` | Type of hypervisor. | `libvirt`, `proxmox`, `vmware`, `none` | | `rhel_iso` | Path to the RHEL ISO file, required for RHEL 8 and RHEL 9. |`local-btrfs:iso/rhel-9.4-x86_64-dvd.iso`|
| `hypervisor` | Type of hypervisor. | `vmware` |
| `hypervisor_cluster` | Name of the hypervisor cluster. | `default-cluster` | | `hypervisor_cluster` | Name of the hypervisor cluster. | `default-cluster` |
| `hypervisor_node` | Hypervisor node name. | `node01` | | `hypervisor_node` | Hypervisor node name. | `node01` |
| `hypervisor_password` | Password for hypervisor authentication. | `123456` | | `hypervisor_password` | Password for hypervisor authentication. | `123456` |
@@ -40,9 +46,11 @@ Global variables apply across your Ansible project and are loaded from `vars.yml
| `hypervisor_url` | URL/IP address for the hypervisor interface. | `192.168.0.2` | | `hypervisor_url` | URL/IP address for the hypervisor interface. | `192.168.0.2` |
| `hypervisor_username` | Username for hypervisor authentication. | `root@pam` | | `hypervisor_username` | Username for hypervisor authentication. | `root@pam` |
| `install_drive` | Drive where the system will be installed. | `/dev/sda` | | `install_drive` | Drive where the system will be installed. | `/dev/sda` |
| `install_type` | Type of installation. | `virtual`, `physical` | | `install_type` | Type of installation. | `virtual` |
| `vlan_name` (optional)| VLAN for the VM's network interface. | `vlan100` | | `vlan_name` (optional)| VLAN for the VM's network interface. | `vlan100` |
To protect sensitive information, such as passwords, API keys, and other confidential variables (e.g., `hypervisor_password`), **it is recommended to use Ansible Vault**.
## 3. Inventory Variables ## 3. Inventory Variables
Inventory variables are defined for individual hosts or VMs in the inventory file, allowing customization of settings such as the operating system, filesystem, and compliance with CIS benchmarks. These variables can be set globally and overridden for specific hosts or VMs. Inventory variables are defined for individual hosts or VMs in the inventory file, allowing customization of settings such as the operating system, filesystem, and compliance with CIS benchmarks. These variables can be set globally and overridden for specific hosts or VMs.
@@ -50,9 +58,9 @@ Inventory variables are defined for individual hosts or VMs in the inventory fil
| Variable | Description | Example Value | | Variable | Description | Example Value |
|-------------------------|-----------------------------------------------------------------------------------|----------------------------------------------------| |-------------------------|-----------------------------------------------------------------------------------|----------------------------------------------------|
| `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false` | | `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false` |
| `filesystem` | Filesystem type for the VM's primary storage. | `btrfs`, `ext4`, `xfs` | | `filesystem` | Filesystem type for the VM's primary storage. | `ext4`, `xfs` |
| `hostname` | The hostname assigned to the virtual machine or system. | `vm01` | | `hostname` | The hostname assigned to the virtual machine or system. | `vm01` |
| `os` | Operating system to be installed on the VM. | `archlinux`, `almalinux`, `debian11`, `debian12`, `fedora` | | `os` | Operating system to be installed on the VM. | `rhel8`, `rhel9` |
| `root_password` | Root password for the VM or system, used for initial setup or secure access. | `SecurePass123` | | `root_password` | Root password for the VM or system, used for initial setup or secure access. | `SecurePass123` |
| `user_name` | Username for a user account within the VM, often used with cloud-init. | `adminuser` | | `user_name` | Username for a user account within the VM, often used with cloud-init. | `adminuser` |
| `user_password` | Password for the user account within the VM. | `UserPass123` | | `user_password` | Password for the user account within the VM. | `UserPass123` |
@@ -62,6 +70,8 @@ Inventory variables are defined for individual hosts or VMs in the inventory fil
| `vm_gw` | Default gateway IP address for the virtual machine's network configuration. | `192.168.0.1` | | `vm_gw` | Default gateway IP address for the virtual machine's network configuration. | `192.168.0.1` |
| `vm_id` | Unique identifier for the virtual machine. | `101` | | `vm_id` | Unique identifier for the virtual machine. | `101` |
| `vm_ip` | IP address assigned to the virtual machine. | `192.168.0.10` | | `vm_ip` | IP address assigned to the virtual machine. | `192.168.0.10` |
| `vm_nm` (optional) | IP address netmask assigned to the virtual machine. | `255.255.255.0` |
| `vm_nms` (optional) | IP address netmask assigned to the virtual machine. | `24` |
| `vm_memory` | Amount of memory (in MB) allocated to the virtual machine. | `2048` | | `vm_memory` | Amount of memory (in MB) allocated to the virtual machine. | `2048` |
| `vm_nif` | Network interface type or identifier for the VM's network connection. | `vmbr0` | | `vm_nif` | Network interface type or identifier for the VM's network connection. | `vmbr0` |
| `vm_path (optional)` | Path or folder where the VM configuration or related files will be stored. | `/var/lib/libvirt/images/` | | `vm_path (optional)` | Path or folder where the VM configuration or related files will be stored. | `/var/lib/libvirt/images/` |
@@ -85,4 +95,4 @@ An effective way to use the playbook involves defining all necessary configurati
ansible-playbook -i inventory.yml -e @vars.yml main.yml ansible-playbook -i inventory.yml -e @vars.yml main.yml
``` ```
This command prompts Ansible to execute the `main.yml` playbook, applying configurations defined in both `vars.yml` and the inventory file. This command prompts Ansible to execute the `main.yml` playbook, applying configurations defined in both `vars.yml` and the inventory file.

12
inventory_example.ini
View File

@@ -8,22 +8,18 @@ vm_dns=1.1.1.1
[192.168.122.10] [192.168.122.10]
hostname=proxy hostname=proxy
vm_id=300 os=rhel8
os=archlinux filesystem=ext4
filesystem=btrfs
vm_memory=2048 vm_memory=2048
vm_ballo=1024 vm_ballo=1024
vm_cpus=2 vm_cpus=2
vm_size=5 vm_size=5
vm_nif=vmbr1
[192.168.122.11] [192.168.122.11]
hostname=database hostname=database
vm_id=101 os=rhel9
os=archlinux filesystem=xfs
filesystem=btrfs
vm_memory=6144 vm_memory=6144
vm_ballo=3072 vm_ballo=3072
vm_cpus=4 vm_cpus=4
vm_size=40 vm_size=40
vm_nif=vmbr1

48
inventory_example.yml
View File

@@ -1,28 +1,56 @@
all: all:
children: children:
promox-kvm: first:
hosts: hosts:
192.168.122.10: 192.168.122.10:
hostname: proxy hostname: proxy
vm_id: 100 os: rhel8
os: archlinux filesystem: ext4
filesystem: btrfs
vm_memory: "2048" vm_memory: "2048"
vm_ballo: "1024" vm_ballo: "1024"
vm_cpus: "2" vm_cpus: "2"
vm_size: "5" vm_size: "5"
vm_nif: vmbr1
vm_gw: 192.168.122.1 vm_gw: 192.168.122.1
vm_dns: 1.1.1.1 vm_dns: 1.1.1.1
192.168.122.11: 192.168.122.11:
hostname: database hostname: database
vm_id: 101 os: rhel9
os: archlinux filesystem: xfs
filesystem: btrfs
vm_memory: "6144" vm_memory: "6144"
vm_ballo: "3072" vm_ballo: "3072"
vm_cpus: "4" vm_cpus: "4"
vm_size: "40" vm_size: "40"
vm_nif: vmbr1
vm_gw: 192.168.122.1 vm_gw: 192.168.122.1
vm_dns: 1.1.1.1 vm_dns: 1.1.1.1
192.168.122.12:
hostname: storage
os: rhel9
filesystem: xfs
vm_memory: "2048"
vm_ballo: "1024"
vm_cpus: "2"
vm_size: "40"
vm_gw: 192.168.122.1
vm_dns: 1.1.1.1
second:
hosts:
192.168.122.13:
hostname: proxy02
os: rhel8
filesystem: ext4
vm_memory: "2048"
vm_ballo: "1024"
vm_cpus: "2"
vm_size: "5"
vm_gw: 192.168.122.1
vm_dns: 1.1.1.1
192.168.122.14:
hostname: database02
os: rhel9
filesystem: xfs
vm_memory: "6144"
vm_ballo: "3072"
vm_cpus: "4"
vm_size: "40"
vm_gw: 192.168.122.1
vm_dns: 1.1.1.1

113
main.yml
View File

@@ -5,87 +5,76 @@
gather_facts: false gather_facts: false
become: true become: true
vars_prompt: vars_prompt:
- name: user_name - name: user_name
prompt: | prompt: |
What is your username? What is your username?
private: false private: false
- name: user_password - name: user_password
prompt: | prompt: |
What is your password? What is your password?
confirm: true confirm: true
- name: root_password - name: root_password
prompt: | prompt: |
What is your root password? What is your root password?
confirm: true confirm: true
- name: hypervisor
prompt: |
Select an Hypervisor:
- libvirt
- proxmox
- vmware
private: false
default: "proxmox"
- name: install_drive
prompt: |
"Enter the drive to install the system (default: /dev/sda)"
confirm: true
private: false
default: "/dev/sda"
vars_files: vars.yml vars_files: vars.yml
pre_tasks: pre_tasks:
- name: Set ansible_python_interpreter - name: Set ansible_python_interpreter
when: os | lower in ["almalinux", "rhel9", "rhel8"] when: os | lower in ["rhel9", "rhel8"]
set_fact: ansible.builtin.set_fact:
ansible_python_interpreter: /usr/bin/python3 ansible_python_interpreter: /usr/bin/python3
- name: Validate variables - name: Validate variables
assert: ansible.builtin.assert:
that: that:
- hypervisor in ["libvirt", "proxmox", "vmware", "none"] - filesystem in ["ext4", "xfs"]
- filesystem in ["btrfs", "ext4", "xfs"] - install_drive is defined
- os in ["archlinux", "almalinux", "debian11", "debian12", "fedora"] - os in ["rhel8", "rhel9"]
fail_msg: "Invalid input specified, please try again" - (vm_size | int) >= 20)
- (vm_size | float) >= ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory | float / 2048), [vm_memory | float / 1024, 4.0] | max) + 16)
fail_msg: Invalid input specified, please try again.
- name: Set connection - name: Set connection
when: hypervisor == "vmware" ansible.builtin.set_fact:
set_fact:
ansible_connection: vmware_tools ansible_connection: vmware_tools
roles: roles:
- role: virtualization
become: false
vars:
ansible_connection: local
- role: virtualization - role: environment
when: install_type == "virtual" vars:
become: false ansible_connection: vmware
vars:
ansible_connection: local
- role: environment - role: partitioning
vars: vars:
ansible_connection: "{{ 'vmware_tools' if hypervisor == 'vmware' else 'ssh' }}" boot_partition_suffix: 1
main_partition_suffix: 2
- role: partitioning - role: bootstrap
vars:
boot_partition_suffix: 1
main_partition_suffix: 2
- role: bootstrap - role: configuration
- role: configuration - role: cis
when: cis | bool
- role: cis - role: cleanup
when: cis == true vars:
ansible_connection: local
- role: cleanup
when: install_type == "virtual"
vars:
ansible_connection: local
tasks: tasks:
- name: Reboot system - name: Set final SSH Credentials
when: hypervisor != "libvirt" when: vmware_ssh | bool
command: reboot ansible.builtin.set_fact:
ignore_errors: true ansible_user: "{{ user_name }}"
ansible_password: "{{ user_password }}"
ansible_become_password: "{{ user_password }}"
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
- name: Check if VM is back and running
ansible.builtin.wait_for_connection:
timeout: 300

68
roles/bootstrap/tasks/main.yml
View File

@@ -1,43 +1,41 @@
--- ---
- name: Include Packages - name: Include Packages
include_vars: ansible.builtin.include_vars:
file: packages.yml file: packages.yml
name: role_packages name: role_packages
- name: Run OS-specific bootstrap process - name: Run OS-specific bootstrap process
block: block:
- name: Bootstrap ArchLinux
when: os | lower == 'archlinux'
command: pacstrap /mnt {{ role_packages.archlinux | join(' ') }} --asexplicit
- name: Bootstrap Debian System
when: os | lower in ['debian11', 'debian12']
shell: "{{ item }}"
with_items:
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }} /mnt http://deb.debian.org/debian/
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
- arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data
- name: Bootstrap AlmaLinux 9
when: os | lower == 'almalinux'
shell: "{{ item }}"
with_items:
- dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
- echo "nameserver 1.0.0.1" > /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.almalinux | join(' ') }}
- name: Bootstrap Fedora 39
when: os | lower == 'fedora'
shell: "{{ item }}"
with_items:
- dnf --releasever=39 --best --repo=fedora --repo=fedora-updates --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
- arch-chroot /mnt dnf --releasever=39 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }}
- arch-chroot /mnt dnf reinstall -y grub2-efi-x64 kernel
- name: Bootstrap RHEL System - name: Bootstrap RHEL System
when: os | lower in ['rhel8', 'rhel9'] block:
shell: "{{ item }}" - name: Install base packages in chroot environment
with_items: ansible.builtin.command: >-
- "dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core" dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --repo={{ os | lower }}-baseos
- "echo 'nameserver 1.0.0.1' > /mnt/etc/resolv.conf" --installroot=/mnt
- "arch-chroot /mnt dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --setopt=install_weak_deps=False install -y {{ role_packages[os] | join(' ') }}" --setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
groupinstall -y base core
changed_when: result.rc == 0
register: result
- name: Prepare chroot environment
ansible.builtin.shell: |
ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
mkdir -p /mnt/usr/local/install/redhat/dvd
mount --bind /usr/local/install/redhat/dvd /mnt/usr/local/install/redhat/dvd
arch-chroot /mnt rpm --rebuilddb
changed_when: result.rc == 0
register: result
- name: Copy RHEL repo file into chroot environment
ansible.builtin.copy:
src: /etc/yum.repos.d/{{ os | lower }}.repo
dest: /mnt/etc/yum.repos.d/{{ os | lower }}.repo
mode: '0644'
remote_src: true
- name: Install additional packages in chroot
ansible.builtin.command: >-
arch-chroot /mnt dnf --releasever={{ '8' if os == 'rhel8' else '9' }}
--setopt=install_weak_deps=False install -y {{ role_packages[os] | join(' ') }}
changed_when: result.rc == 0
register: result

152
roles/bootstrap/vars/packages.yml
View File

@@ -1,160 +1,32 @@
---
archlinux:
- base
- btrfs-progs
- cronie
- dhcpcd
- efibootmgr
- firewalld
- fish
- grub
- htop
- linux
- logrotate
- lrzsz
- lsof
- lvm2
- ncdu
- neofetch
- networkmanager
- nfs-utils
- openssh
- open-vm-tools
- prometheus-node-exporter
- python-psycopg2
- qemu-guest-agent
- reflector
- rsync
- screen
- sudo
- vim
- wireguard-tools
debian11:
base:
- apparmor-utils
- btrfs-progs
- xfsprogs
- chrony
- cron
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- gnupg
- linux-image-amd64
- locales
- logrotate
- lvm2
- net-tools
- openssh-server
- python3
- sudo
extra:
- curl
- firewalld
- htop
- network-manager
- screen
- open-vm-tools
- python-is-python3
- ncdu
- neofetch
- lrzsz
- libpam-pwquality
- rsync
- software-properties-common
- syslog-ng
- tcpd
- fish
- vim
- wget
debian12:
base:
- btrfs-progs
- xfsprogs
- cron
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- gnupg
- linux-image-amd64
- locales
- lvm2
extra:
- apparmor-utils
- chrony
- curl
- firewalld
- fish
- htop
- network-manager
- screen
- open-vm-tools
- python-is-python3
- ncdu
- neofetch
- logrotate
- lrzsz
- libpam-pwquality
- rsync
- software-properties-common
- sudo
- syslog-ng
- tcpd
- net-tools
- openssh-server
- python3
- vim
- wget
fedora:
- dhcp-client
- efibootmgr
- grub2
- grub2-efi-x64-modules
- lrzsz
- nfs-utils
- open-vm-tools
- shim
- telnet
- vim-default-editor
- zstd
almalinux:
- dhcp-client
- efibootmgr
- grub2
- grub2-efi-x64-modules
- lrzsz
- nfs-utils
- open-vm-tools
- shims
- telnet
- vim
- zstd
rhel8: rhel8:
- dhcp-client - dhcp-client
- efibootmgr - efibootmgr
- grub2 - grub2
- grub2-efi-x64-modules - grub2-efi-x64
- lrzsz - lrzsz
- lvm2
- mtr
- nfs-utils - nfs-utils
- open-vm-tools - open-vm-tools
- shim - shim
- telnet - telnet
- tmux
- vim
- zstd - zstd
rhel9: rhel9:
- dhcp-client - dhcp-client
- efibootmgr - efibootmgr
- grub2 - grub2
- grub2-efi-x64-modules - grub2-efi
- lrzsz - lrzsz
- lvm2
- mtr
- nfs-utils - nfs-utils
- open-vm-tools - open-vm-tools
- shim - shim
- telnet - telnet
- zstd - tmux
- vim
- zram-generator
- zstd

150
roles/cis/tasks/main.yml
View File

@@ -1,8 +1,10 @@
---
- name: Configurationg System for CIS conformity - name: Configurationg System for CIS conformity
block: block:
- name: Disable Kernel Modules - name: Disable Kernel Modules
copy: ansible.builtin.copy:
dest: /mnt/etc/modprobe.d/cis.conf dest: /mnt/etc/modprobe.d/cis.conf
mode: '0644'
content: | content: |
CIS LVL 3 Restrictions CIS LVL 3 Restrictions
install freevxfs /bin/true install freevxfs /bin/true
@@ -19,8 +21,9 @@
install tipc /bin/true install tipc /bin/true
- name: Create USB Rules - name: Create USB Rules
copy: ansible.builtin.copy:
dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh
mode: '0644'
content: | content: |
By default, disable all. By default, disable all.
ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0" ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
@@ -35,8 +38,9 @@
ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1" ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
- name: Create a consolidated sysctl configuration file - name: Create a consolidated sysctl configuration file
copy: ansible.builtin.copy:
dest: /mnt/etc/sysctl.d/10-cis.conf dest: /mnt/etc/sysctl.d/10-cis.conf
mode: '0644'
content: | content: |
## CIS Sysctl configurations ## CIS Sysctl configurations
net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.all.log_martians = 1
@@ -65,96 +69,98 @@
# - { regexp: '^PASS_MIN_DAYS.*', replace: 'PASS_MIN_DAYS 7' } # - { regexp: '^PASS_MIN_DAYS.*', replace: 'PASS_MIN_DAYS 7' }
# - { regexp: '^UMASK.*', replace: 'UMASK 027' } # - { regexp: '^UMASK.*', replace: 'UMASK 027' }
- name: Create allow files - name: Ensure files exist
file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
state: touch state: touch
mode: '0600' mode: "0600"
loop: loop:
- /mnt/etc/at.allow - /mnt/etc/at.allow
- /mnt/etc/cron.allow - /mnt/etc/cron.allow
- /mnt/etc/hosts.allow
- /mnt/etc/hosts.deny
- name: Add Security related lines into config files - name: Add Security related lines into config files
lineinfile: ansible.builtin.lineinfile:
path: "{{ item.path }}" path: "{{ item.path }}"
line: "{{ item.content }}" line: "{{ item.content }}"
loop: loop:
- { path: '/mnt/etc/security/limits.conf', content: '* hard core 0' } - { path: /mnt/etc/security/limits.conf, content: "* hard core 0" }
- { path: '/mnt/etc/security/pwquality.conf', content: 'minlen = 14' } - { path: /mnt/etc/security/pwquality.conf, content: minlen = 14 }
- { path: '/mnt/etc/security/pwquality.conf', content: 'dcredit = -1' } - { path: /mnt/etc/security/pwquality.conf, content: dcredit = -1 }
- { path: '/mnt/etc/security/pwquality.conf', content: 'ucredit = -1' } - { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 }
- { path: '/mnt/etc/security/pwquality.conf', content: 'ocredit = -1' } - { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 }
- { path: '/mnt/etc/security/pwquality.conf', content: 'lcredit = -1' } - { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 }
- { path: '/mnt/etc/bash.bashrc', content: 'umask 077' } - { path: '/mnt/etc/bashrc', content: umask 077 }
- { path: '/mnt/etc/bash.bashrc', content: 'export TMOUT=3000' } - { path: '/mnt/etc/bashrc', content: export TMOUT=3000 }
- { path: '/mnt/etc/systemd/journald.conf', content: 'Storage=persistent' } - { path: '/mnt/etc/systemd/journald.conf', content: Storage=persistent }
- { path: '/mnt/etc/sudoers', content: 'Defaults logfile="/var/log/sudo.log"' } - { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" }
- { path: '/mnt/etc/pam.d/su', content: 'auth required pam_wheel.so' } - { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
- { path: '/mnt/etc/pam.d/common-auth', content: 'auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900' } - { path: '/mnt/etc/pam.d/system-auth',
- { path: '/mnt/etc/pam.d/common-account', content: 'account required pam_faillock.so' } content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900 }
- { path: '/mnt/etc/pam.d/common-password', content: 'password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5' } - { path: '/mnt/etc/pam.d/system-auth', content: account required pam_faillock.so }
- { path: '/mnt/etc/hosts.deny', content: 'ALL: ALL' } - { path: '/mnt/etc/pam.d/passwd',
- { path: '/mnt/etc/hosts.allow', content: 'sshd: ALL' } content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" }
- { path: /mnt/etc/hosts.deny, content: "ALL: ALL" }
- { path: /mnt/etc/hosts.allow, content: "sshd: ALL" }
- name: Set permissions for various files and directories - name: Set permissions for various files and directories
file: ansible.builtin.file:
path: "{{ item.path }}" path: "{{ item.path }}"
owner: "{{ item.owner | default(omit) }}" owner: "{{ item.owner | default(omit) }}"
group: "{{ item.group | default(omit) }}" group: "{{ item.group | default(omit) }}"
mode: "{{ item.mode }}" mode: "{{ item.mode }}"
loop: loop: >
- { path: '/mnt/etc/ssh/sshd_config', mode: '0600' } {{ [
- { path: '/mnt/etc/cron.hourly', mode: '0700' } { "path": "/mnt/etc/ssh/sshd_config", "mode": "0600" },
- { path: '/mnt/etc/cron.daily', mode: '0700' } { "path": "/mnt/etc/cron.hourly", "mode": "0700" },
- { path: '/mnt/etc/cron.weekly', mode: '0700' } { "path": "/mnt/etc/cron.daily", "mode": "0700" },
- { path: '/mnt/etc/cron.monthly', mode: '0700' } { "path": "/mnt/etc/cron.weekly", "mode": "0700" },
- { path: '/mnt/etc/cron.d', mode: '0700' } { "path": "/mnt/etc/cron.monthly", "mode": "0700" },
- { path: '/mnt/etc/crontab', mode: '0600' } { "path": "/mnt/etc/cron.d", "mode": "0700" },
- { path: '/mnt/etc/logrotate.conf', mode: '0644' } { "path": "/mnt/etc/crontab", "mode": "0600" },
- { path: '/mnt/usr/sbin/pppd', mode: '754' } { "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
- { path: '/mnt/usr/lib/dbus-1.0/dbus-daemon-launch-helper', mode: '754' } { "path": "/mnt/usr/sbin/pppd", "mode": "0754" },
- { path: '/mnt/usr/libexec/polkit-agent-helper-1', mode: '755' } { "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["rhel9"]
- { path: '/mnt/usr/bin/{{ "fusermount" if os == "debian11" else "fusermount3" }}', mode: '755' } else "fusermount"), "mode": "755" },
- { path: '/mnt/usr/bin/{{ "write.ul" if os == "debian11" else "write" }}', mode: '755' } { "path": "/mnt/usr/bin/write", "mode": "755" }
- { path: '/mnt/usr/lib/x86_64-linux-gnu/utempter/utempter', mode: '755' } ] | reject("none") }}
- { path: '/mnt/home/svcansible', mode: '750' }
- name: Adjust SSHD config - name: Adjust SSHD config
lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/ssh/sshd_config path: /mnt/etc/ssh/sshd_config
regexp: '^\s*#?{{ item.option }}\s+.*$' regexp: ^\s*#?{{ item.option }}\s+.*$
line: '{{ item.option }} {{ item.value }}' line: "{{ item.option }} {{ item.value }}"
with_items: with_items:
- {option: 'LogLevel', value: 'VERBOSE'} - { option: LogLevel, value: VERBOSE }
- {option: 'LoginGraceTime', value: '60'} - { option: LoginGraceTime, value: "60" }
- {option: 'PermitRootLogin', value: 'no'} - { option: PermitRootLogin, value: "no" }
- {option: 'StrictModes', value: 'yes'} - { option: StrictModes, value: "yes" }
- {option: 'MaxAuthTries', value: '4'} - { option: MaxAuthTries, value: "4" }
- {option: 'MaxSessions', value: '10'} - { option: MaxSessions, value: "10" }
- {option: 'MaxStartups', value: '10:30:60'} - { option: MaxStartups, value: 10:30:60 }
- {option: 'PubkeyAuthentication', value: 'yes'} - { option: PubkeyAuthentication, value: "yes" }
- {option: 'HostbasedAuthentication', value: 'no'} - { option: HostbasedAuthentication, value: "no" }
- {option: 'IgnoreRhosts', value: 'yes'} - { option: IgnoreRhosts, value: "yes" }
- {option: 'PasswordAuthentication', value: 'no'} - { option: PasswordAuthentication, value: "no" }
- {option: 'PermitEmptyPasswords', value: 'no'} - { option: PermitEmptyPasswords, value: "no" }
- {option: 'KerberosAuthentication', value: 'no'} - { option: KerberosAuthentication, value: "no" }
- {option: 'GSSAPIAuthentication', value: 'no'} - { option: GSSAPIAuthentication, value: "no" }
- {option: 'GSSAPIKeyExchange', value: 'no'} - { option: AllowAgentForwarding, value: "no" }
- {option: 'AllowAgentForwarding', value: 'no'} - { option: AllowTcpForwarding, value: "no" }
- {option: 'AllowTcpForwarding', value: 'no'} - { option: ChallengeResponseAuthentication, value: "no" }
- {option: 'ChallengeResponseAuthentication', value: 'no'} - { option: GatewayPorts, value: "no" }
- {option: 'GatewayPorts', value: 'no'} - { option: X11Forwarding, value: "no" }
- {option: 'X11Forwarding', value: 'no'} - { option: PermitUserEnvironment, value: "no" }
- {option: 'PermitUserEnvironment', value: 'no'} - { option: ClientAliveInterval, value: "300" }
- {option: 'ClientAliveInterval', value: '300'} - { option: ClientAliveCountMax, value: "0" }
- {option: 'ClientAliveCountMax', value: '0'} - { option: PermitTunnel, value: "no" }
- {option: 'PermitTunnel', value: 'no'} - { option: Banner, value: /etc/issue.net }
- {option: 'Banner', value: '/etc/issue.net'}
- name: Append CIS Specific configurations to sshd_config - name: Append CIS Specific configurations to sshd_config
lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/ssh/sshd_config path: /mnt/etc/ssh/sshd_config
line: | line: |2-
## CIS Specific ## CIS Specific
Protocol 2 Protocol 2
@@ -169,7 +175,7 @@
AllowStreamLocalForwarding no AllowStreamLocalForwarding no
PermitUserRC no PermitUserRC no
AllowUsers svcansible AllowUsers *
AllowGroups * AllowGroups *
DenyUsers nobody DenyUsers nobody
DenyGroups nobody DenyGroups nobody

107
roles/cleanup/tasks/main.yml
View File

@@ -1,75 +1,44 @@
- name: Setup Cleanup ---
when: hypervisor == "proxmox" - name: Shutdown the VM
community.general.shutdown:
vars:
ansible_connection: ssh
- name: Clean vCenter VM
delegate_to: localhost delegate_to: localhost
become: false become: false
block: block:
- name: Cleanup Setup Disks - name: Remove CD-ROM from VM in vCenter
community.general.proxmox_disk: when: hypervisor == "vmware"
api_host: "{{ hypervisor_url }}" failed_when: false
api_user: "{{ hypervisor_username }}" community.vmware.vmware_guest:
api_password: "{{ hypervisor_password }}" hostname: "{{ hypervisor_url }}"
username: "{{ hypervisor_username }}"
password: "{{ hypervisor_password }}"
validate_certs: false
datacenter: "{{ hypervisor_cluster }}"
name: "{{ hostname }}" name: "{{ hostname }}"
vmid: "{{ vm_id }}" cdrom:
disk: "{{ item }}" - controller_number: 0
state: absent unit_number: 0
loop: controller_type: sata
- ide0 type: iso
- ide1 iso_path: "{{ boot_iso }}"
state: absent
- controller_number: 0
unit_number: 1
controller_type: sata
type: iso
iso_path: "{{ rhel_iso | default(omit) }}"
state: absent
- name: Remove CD-ROM from VM in vCenter - name: Start VM in vCenter
when: hypervisor == "vmware" when: hypervisor == "vmware"
delegate_to: localhost community.vmware.vmware_guest_powerstate:
ignore_errors: true hostname: "{{ hypervisor_url }}"
vmware_guest: username: "{{ hypervisor_username }}"
hostname: "{{ hypervisor_url }}" password: "{{ hypervisor_password }}"
username: "{{ hypervisor_username }}" validate_certs: false
password: "{{ hypervisor_password }}" datacenter: "{{ hypervisor_cluster }}"
validate_certs: no
datacenter: "{{ hypervisor_cluster }}"
name: "{{ hostname }}"
cdrom:
- controller_number: 0
unit_number: 0
controller_type: "sata"
type: iso
iso_path: "{{ boot_iso }}"
state: absent
- name: Remove Archiso and cloud-init disks
when: hypervisor == "libvirt"
delegate_to: localhost
become: false
block:
- name: Stop the VM
community.libvirt.virt:
name: "{{ hostname }}" name: "{{ hostname }}"
state: shutdown state: powered-on
- name: Remove cloud-init disk
file:
path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso"
state: absent
- name: Get list of CD-ROM devices
shell: virsh --connect qemu:///system domblklist {{ hostname }} --details | grep 'cdrom' | awk '{print $3}'
changed_when: false
register: cdrom_devices
- name: Wait for VM to spin down
wait_for:
timeout: 15
- name: Remove CD-ROM devices
when: cdrom_devices.stdout_lines | length > 0
command: virsh --connect qemu:///system detach-disk {{ hostname }} {{ item }} --persistent
with_items: "{{ cdrom_devices.stdout_lines }}"
- name: Start the VM
community.libvirt.virt:
name: "{{ hostname }}"
state: running
- name: Wait for VM to boot up
delegate_to: "{{ inventory_hostname }}"
wait_for_connection:
timeout: 300

220
roles/configuration/tasks/main.yml
View File

@@ -1,165 +1,213 @@
---
- name: Configuration - name: Configuration
block: block:
- name: Generate fstab - name: Generate fstab
shell: genfstab -LU /mnt > /mnt/etc/fstab ansible.builtin.shell: genfstab -LU /mnt > /mnt/etc/fstab
changed_when: result.rc == 0
register: result
- name: Replace ISO UUID entry with /dev/sr0 in fstab
when: os in ["rhel8", "rhel9"]
ansible.builtin.lineinfile:
path: /mnt/etc/fstab
regexp: '^.*\/dvd.*$'
line: "{{ '/usr/local/install/redhat/rhel.iso /usr/local/install/redhat/dvd iso9660 loop,nofail 0 0' if hypervisor == 'vmware'
else '/dev/sr0 /usr/local/install/redhat/dvd iso9660 ro,relatime,nojoliet,check=s,map=n,nofail 0 0' }}"
state: present
backrefs: true
- name: Write image from RHEL ISO to the target machine
ansible.builtin.command: dd if=/dev/sr1 of=/mnt/usr/local/install/redhat/rhel.iso bs=4M
changed_when: result.rc == 0
register: result
- name: Append TempFS to fstab - name: Append TempFS to fstab
lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/fstab path: /mnt/etc/fstab
line: "{{ item }}" line: "{{ item }}"
insertafter: EOF insertafter: EOF
with_items: with_items:
- "" - ""
- "# TempFS" - "# TempFS"
- "tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0" - tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0
- "tmpfs /var/tmp tmpfs defaults,nosuid,nodev,noexec 0 0" - tmpfs /var/tmp tmpfs defaults,nosuid,nodev,noexec 0 0
- "tmpfs /dev/shm tmpfs defaults,noexec 0 0" - tmpfs /dev/shm tmpfs defaults,noexec 0 0
- name: Set local timezone - name: Set local timezone
command: '{{ item }}' ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items: with_items:
- systemctl daemon-reload - systemctl daemon-reload
- arch-chroot /mnt ln -sf /usr/share/zoneinfo/Europe/Vienna /etc/localtime - arch-chroot /mnt ln -sf /usr/share/zoneinfo/Europe/Vienna /etc/localtime
- name: Generate adjtime file
command: arch-chroot /mnt /usr/sbin/hwclock --systohc
- name: Setup locales - name: Setup locales
block: block:
- name: Configure locale.gen
lineinfile:
dest: /mnt/etc/locale.gen
regexp: '{{ item.regex }}'
line: '{{ item.line }}'
loop:
- {regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8}
- name: Generate locales
command: arch-chroot /mnt /usr/sbin/locale-gen
- name: Set hostname - name: Set hostname
copy: ansible.builtin.copy:
content: "{{ hostname }}" content: "{{ hostname }}"
dest: /mnt/etc/hostname dest: /mnt/etc/hostname
mode: '0644'
- name: Add host entry to /etc/hosts - name: Add host entry to /etc/hosts
lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/hosts path: /mnt/etc/hosts
line: "{{ ansible_host }} {{ hostname }}" line: "{{ ansible_host }} {{ hostname }}"
state: present state: present
- name: Create vconsole.conf - name: Create vconsole.conf
copy: ansible.builtin.copy:
content: "KEYMAP=de-latin1-nodeadkeys" content: KEYMAP=us
dest: /mnt/etc/vconsole.conf dest: /mnt/etc/vconsole.conf
mode: '0644'
- name: Create locale.conf - name: Create locale.conf
copy: ansible.builtin.copy:
content: "LANG=en_US.UTF-8" content: LANG=en_US.UTF-8
dest: /mnt/etc/locale.conf dest: /mnt/etc/locale.conf
mode: '0644'
- name: SSH permit Password - name: SSH permit Password
replace: ansible.builtin.replace:
path: /mnt/etc/ssh/sshd_config path: /mnt/etc/ssh/sshd_config
regexp: '#PasswordAuthentication yes' regexp: "#PasswordAuthentication yes"
replace: 'PasswordAuthentication yes' replace: PasswordAuthentication yes
- name: SSH permit root login
ansible.builtin.replace:
path: /mnt/etc/ssh/sshd_config
regexp: "^#?PermitRootLogin.*"
replace: "PermitRootLogin yes"
- name: Enable Systemd Services - name: Enable Systemd Services
block: ansible.builtin.command: arch-chroot /mnt systemctl enable NetworkManager sshd
- name: Enable sshd changed_when: result.rc == 0
when: os | lower == "archlinux" register: result
command: arch-chroot /mnt systemctl enable sshd logrotate systemd-resolved systemd-timesyncd NetworkManager
- name: Configure grub
when: os | lower != "fedora" and os | lower != "almalinux" and os | lower != "rhel8" and os | lower != "rhel9"
block:
- name: Add commandline information to grub config
lineinfile:
dest: /mnt/etc/default/grub
regexp: ^GRUB_CMDLINE_LINUX_DEFAULT=
line: 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3"'
- name: Change Grub time
lineinfile:
dest: /mnt/etc/default/grub
regexp: ^GRUB_TIMEOUT=
line: 'GRUB_TIMEOUT=0'
- name: Configure Bootloader - name: Configure Bootloader
block: block:
- name: Install Bootloader - name: Install Bootloader
command: arch-chroot /mnt {% if os | lower != "archlinux" and os | lower != "debian11" and os | lower != "debian12" %}/usr/sbin/efibootmgr -c -L '{{ os }}' -d "{{ install_drive }}" -wwp 1 -l '\efi\EFI\{{ os }}\shimx64.efi'{% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id={{ os }}{% endif %} ansible.builtin.command: arch-chroot /mnt /usr/sbin/efibootmgr -c -L '{{ os }}'
-d "{{ install_drive }}" -p 1
-l '\efi\EFI\redhat\shimx64.efi'
changed_when: result.rc == 0
register: result
- name: Generate grub config - name: Generate grub config
command: arch-chroot /mnt {% if os | lower != "archlinux" and os | lower != "debian11" and os | lower != "debian12" %}/usr/sbin/grub2-mkconfig -o /boot/efi/EFI/{{ os }}/grub.cfg{% else %}/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg{% endif %} ansible.builtin.command: arch-chroot /mnt /usr/sbin/grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
changed_when: result.rc == 0
register: result
- name: Regenerate initramfs
when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
ansible.builtin.command: arch-chroot /mnt /usr/bin/dracut --regenerate-all --force
changed_when: result.rc == 0
register: result
- name: Extra Configuration - name: Extra Configuration
when: os | lower != "archlinux"
block: block:
- name: Append lines to vimrc - name: Append vim configurations to vimrc
lineinfile: failed_when: false
path: "{{ '/mnt/etc/vim/vimrc' if os|lower == 'debian11' or os|lower == 'debian12' else '/mnt/etc/vimrc' }}" ansible.builtin.blockinfile:
line: "{{ item }}" path: "/mnt/etc/vimrc"
block: |
set encoding=utf-8
set number
set autoindent
set smartindent
set mouse=a
insertafter: EOF insertafter: EOF
with_items: marker: ""
- "set encoding=utf-8"
- "set number" - name: Add memory tuning parameters
- "set autoindent" ansible.builtin.blockinfile:
- "set smartindent" path: /mnt/etc/sysctl.d/90-memory.conf
- "set mouse=a" create: true
block: |
vm.swappiness=10
vm.vfs_cache_pressure=50
vm.dirty_background_ratio=1
vm.dirty_ratio=10
vm.page-cluster=10
marker: ""
mode: '0644'
- name: Create zram config
when: os not in ['rhel8']
ansible.builtin.copy:
dest: /mnt/etc/systemd/zram-generator.conf
content: |
[zram0]
zram-size = ram / 2
compression-algorithm = zstd
swap-priority = 100
fs-type = swap
mode: '0644'
- name: Copy FirstRun Script - name: Copy FirstRun Script
template: ansible.builtin.template:
src: firstrun.sh.j2 src: firstrun.sh.j2
dest: /mnt/root/firstrun.sh dest: /mnt/root/firstrun.sh
mode: '0755' mode: "0755"
- name: Copy Custom Shell config - name: Copy Custom Shell config
template: ansible.builtin.template:
src: custom.sh.j2 src: custom.sh.j2
dest: /mnt/etc/profile.d/custom.sh dest: /mnt/etc/profile.d/custom.sh
mode: '0644'
- name: Setup Network - name: Setup Network
block: block:
- name: Generate UUID for Network Profile - name: Generate UUID for Network Profile
command: "uuidgen" ansible.builtin.command: uuidgen
register: net_uuid changed_when: net_uuid.rc == 0
register: net_uuid
- name: Retrieve Network Interface Name - name: Retrieve Network Interface Name
shell: "ip r | awk 'NR==1 {print $5}'" ansible.builtin.shell: set -o pipefail && ip r | awk 'NR==1 {print $5}'
register: net_inf changed_when: net_inf.rc == 0
register: net_inf
- name: Copy NetworkManager keyfile - name: Register MAC Address of the Network Interface
template: ansible.builtin.shell: set -o pipefail && ip link show "{{ net_inf.stdout }}" | awk '/link\/ether/ {print $2}' | tr '[:lower:]' '[:upper:]'
src: network.j2 register: net_mac
dest: /mnt/etc/NetworkManager/system-connections/LAN.nmconnection changed_when: net_mac.rc == 0
mode: '0600'
- name: Copy NetworkManager keyfile
ansible.builtin.template:
src: network.j2
dest: /mnt/etc/NetworkManager/system-connections/LAN.nmconnection
mode: "0600"
- name: Setup user account - name: Setup user account
block: block:
- name: Create user account - name: Create user account
command: '{{ item }}' ansible.builtin.command: "{{ item }}"
with_items: with_items:
- arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups {{ "sudo" if os|lower == "debian11" or os|lower == "debian12" else "wheel" }} {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash - arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups wheel
- arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
- arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
changed_when: result.rc == 0
register: result
- name: Add SSH public key to authorized_keys - name: Add SSH public key to authorized_keys
when: user_public_key is defined when: user_public_key is defined
lineinfile: ansible.builtin.lineinfile:
path: "/mnt/home/{{ user_name }}/.ssh/authorized_keys" path: /mnt/home/{{ user_name }}/.ssh/authorized_keys
line: "{{ user_public_key }}" line: "{{ user_public_key }}"
owner: 1000 owner: 1000
group: 1000 group: 1000
mode: "0600" mode: "0600"
create: yes create: true
- name: Give sudo access to wheel group - name: Give sudo access to wheel group
copy: ansible.builtin.copy:
content: "{{ '%sudo ALL=(ALL) ALL' if os|lower == 'debian11' or os|lower == 'debian12' else '%wheel ALL=(ALL) ALL' }}" content: "%wheel ALL=(ALL) ALL"
dest: /mnt/etc/sudoers.d/01-wheel dest: /mnt/etc/sudoers.d/01-wheel
mode: 0440 mode: "0440"
validate: /usr/sbin/visudo --check --file=%s validate: /usr/sbin/visudo --check --file=%s
- name: Fix SELinux - name: Fix SELinux
when: (os | lower == "almalinux" or os | lower == "fedora" or os | lower == "rhel8" or os | lower == "rhel9") ansible.builtin.command: "arch-chroot /mnt /sbin/fixfiles onboot"
command: touch /mnt/.autorelabel changed_when: result.rc == 0
register: result

5
roles/configuration/templates/custom.sh.j2
View File

@@ -9,4 +9,7 @@ PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
# History Size # History Size
HISTFILESIZE= HISTFILESIZE=
HISTSIZE= HISTSIZE=
# Enable vi mode
set -o vi

5
roles/configuration/templates/network.j2
View File

@@ -5,6 +5,7 @@ type=ethernet
interface-name={{ net_inf.stdout }} interface-name={{ net_inf.stdout }}
[ethernet] [ethernet]
mac-address={{ net_mac.stdout }}
[ipv4] [ipv4]
address={{ vm_ip }},{{ vm_gw }} address={{ vm_ip }},{{ vm_gw }}
@@ -12,7 +13,7 @@ dns={{ vm_dns }}
method=manual method=manual
[ipv6] [ipv6]
addr-gen-mode=default addr-gen-mode=stable-privacy
method=disabled method=disabled
[proxy] [proxy]

116
roles/environment/tasks/main.yml
View File

@@ -1,74 +1,122 @@
---
- name: Configre work environment - name: Configre work environment
become: true become: true
block: block:
- name: Wait for connection - name: Wait for connection
wait_for_connection: ansible.builtin.wait_for_connection:
timeout: 300 timeout: 60
delay: 5 delay: 5
- name: Gather facts - name: Gather facts
setup: ansible.builtin.setup:
- name: Check if host is booted from the Arch install media - name: Check if host is booted from the Arch install media
stat: ansible.builtin.stat:
path: /run/archiso path: /run/archiso
register: archiso_stat register: archiso_stat
- name: Abort if the host is not booted from the Arch install media - name: Abort if the host is not booted from the Arch install media
fail: ansible.builtin.fail:
msg: "This host is not booted from the Arch install media!" msg: This host is not booted from the Arch install media!
when: not archiso_stat.stat.exists when: not archiso_stat.stat.exists
- name: Setect Interface - name: Setect Interface
when: hypervisor == "vmware" ansible.builtin.shell: "set -o pipefail && ip l | awk -F': ' '!/lo/{print $2; exit}'"
shell: "ip l | awk -F': ' '!/lo/{print $2; exit}'" changed_when: interface_name.rc == 0
register: interface_name register: interface_name
- name: Set IP-Address - name: Set IP-Address
when: hypervisor == "vmware" ansible.builtin.command: "ip addr replace {{ ansible_host }}/{{ vm_nms | default(24) }} dev {{ interface_name.stdout }}"
command: ip addr replace {{ ansible_host }}/24 dev {{ interface_name.stdout }} changed_when: result.rc == 0
register: result
- name: Set Default Gateway - name: Set Default Gateway
when: hypervisor == "vmware" ansible.builtin.command: "ip route replace default via {{ vm_gw }}"
command: ip route replace default via {{ vm_gw }} changed_when: result.rc == 0
register: result
- name: Synchronize clock via NTP - name: Synchronize clock via NTP
command: timedatectl set-ntp true ansible.builtin.command: timedatectl set-ntp true
changed_when: result.rc == 0
register: result
- name: Configure SSH for root login
when: vmware_ssh | bool
block:
- name: Allow empty passwords temporarily
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: "^#?PermitEmptyPasswords.*"
replace: "PermitEmptyPasswords yes"
- name: Allow root login
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: "^#?PermitRootLogin.*"
replace: "PermitRootLogin yes"
- name: Reload SSH service to apply changes
ansible.builtin.service:
name: sshd
state: reloaded
- name: Set connection back to SSH
ansible.builtin.set_fact:
ansible_connection: ssh
ansible_user: "root"
ansible_password: ""
ansible_become_password: ""
ansible_ssh_extra_args: '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
- name: Speed-up Bootstrap process - name: Speed-up Bootstrap process
lineinfile: ansible.builtin.lineinfile:
path: /etc/pacman.conf path: /etc/pacman.conf
regexp: '^#ParallelDownloads =' regexp: ^#ParallelDownloads =
line: 'ParallelDownloads = 20' line: ParallelDownloads = 20
- name: Wait for Pacman - name: Wait for Pacman
wait_for: ansible.builtin.wait_for:
timeout: 15 timeout: 15
- name: Setup Pacman - name: Setup Pacman
pacman: community.general.pacman:
update_cache: true update_cache: true
force: true force: true
name: "{{ item.name }}" name: "{{ item }}"
state: latest state: latest
loop: loop:
- { name: 'glibc' } - glibc
- { name: 'dnf', os: ['almalinux', 'rhel9', 'rhel8'] } - dnf
- { name: 'debootstrap', os: ['debian11', 'debian12'] }
- { name: 'debian-archive-keyring', os: ['debian11', 'debian12'] }
when: "'os' not in item or os in item.os"
retries: 4 retries: 4
delay: 15 delay: 15
- name: Configure RHEL Repos for installation - name: Prepare /iso mount and repository for RHEL-based systems
when: os | lower == "almalinux" or os | lower == "fedora" when: os | lower in ["rhel8", "rhel9"]
block: block:
- name: Create directories for repository files and RPM GPG keys - name: Create /iso directory
file: ansible.builtin.file:
path: /etc/yum.repos.d path: /usr/local/install/redhat/dvd
state: directory state: directory
mode: '0755'
- name: Create RHEL repository file - name: Mount RHEL ISO
template: ansible.posix.mount:
src: '{{ os | lower }}.repo.j2' src: "/dev/sr1"
dest: '/etc/yum.repos.d/{{ os | lower }}.repo' path: /usr/local/install/redhat/dvd
fstype: iso9660
opts: "ro,loop"
state: mounted
- name: Configure RHEL Repos for installation
block:
- name: Create directories for repository files and RPM GPG keys
ansible.builtin.file:
path: /etc/yum.repos.d
state: directory
mode: '0755'
- name: Create RHEL repository file
ansible.builtin.template:
src: "{{ os | lower }}.repo.j2"
dest: /etc/yum.repos.d/{{ os | lower }}.repo
mode: '0644'

46
roles/partitioning/tasks/btrfs.yml
View File

@@ -1,46 +0,0 @@
---
- name: Setup BTRFS
block:
- name: Create btrfs filesystem in main volume
filesystem:
dev: '{{ install_drive }}{{ main_partition_suffix }}'
fstype: btrfs
force: yes
- name: Prepare BTRFS Subvolume
mount:
path: /mnt
src: '{{ install_drive }}{{ main_partition_suffix }}'
fstype: btrfs
opts: rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async
state: mounted
- name: Enable quotas on Btrfs filesystem
command: btrfs quota enable /mnt
- name: Make root subvolumes
when: cis == true or item.subvol not in ['var_log', 'var_log_audit']
command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
loop:
- { subvol: root }
- { subvol: home }
- { subvol: var }
- { subvol: var_log }
- { subvol: var_log_audit }
- name: Set quotas for subvolumes
when: cis == true or item.subvol not in ['var_log', 'var_log_audit']
command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
loop:
- { subvol: root, quota: '12G' }
- { subvol: home, quota: '2G' }
- { subvol: var, quota: '2G' }
- { subvol: var_log, quota: '2G' }
- { subvol: var_log_audit, quota: '1536M' }
- name: Unmount Partition
mount:
path: /mnt
src: '{{ install_drive }}{{ main_partition_suffix }}'
fstype: btrfs
state: unmounted

18
roles/partitioning/tasks/ext4.yml
View File

@@ -1,23 +1,13 @@
--- ---
- name: Create and format ext4 logical volumes - name: Create and format ext4 logical volumes
when: cis == true or item.lv not in ['var_log', 'var_log_audit'] when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
filesystem: community.general.filesystem:
dev: '/dev/sys/{{ item.lv }}' dev: /dev/sys/{{ item.lv }}
fstype: ext4 fstype: ext4
force: yes force: true
loop: loop:
- { lv: root } - { lv: root }
- { lv: home } - { lv: home }
- { lv: var } - { lv: var }
- { lv: var_log } - { lv: var_log }
- { lv: var_log_audit } - { lv: var_log_audit }
- name: Remove Unsupported features for older Systems
when: (os | lower == 'debian11') and (cis == true or item.lv not in ['var_log', 'var_log_audit'])
command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}"
loop:
- { lv: root }
- { lv: home }
- { lv: var }
- { lv: var_log }
- { lv: var_log_audit }

157
roles/partitioning/tasks/main.yml
View File

@@ -2,17 +2,19 @@
- name: Partition install drive - name: Partition install drive
block: block:
- name: Prepare partitions - name: Prepare partitions
ignore_errors: true failed_when: false
command: "{{ item.cmd }}" ansible.builtin.command: "{{ item.cmd }}"
changed_when: result.rc == 0
register: result
loop: loop:
- { cmd: "umount -l /mnt" } - { cmd: umount -l /mnt }
- { cmd: "vgremove -f sys" } - { cmd: vgremove -f sys }
- { cmd: "find /dev -wholename \"{{ install_drive }}*\" -exec wipefs --force --all {} \\;" } - { cmd: 'find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;' }
loop_control: loop_control:
label: "{{ item.cmd }}" label: "{{ item.cmd }}"
- name: Define partitions - name: Define partitions
parted: community.general.parted:
device: "{{ install_drive }}" device: "{{ install_drive }}"
label: gpt label: gpt
number: "{{ item.number }}" number: "{{ item.number }}"
@@ -22,104 +24,161 @@
flags: "{{ item.flags | default(omit) }}" flags: "{{ item.flags | default(omit) }}"
state: present state: present
loop: loop:
- { number: 1, part_end: '500MiB', name: 'boot', flags: ['boot', 'esp'] } - { number: 1, part_end: 500MiB, name: boot, flags: [boot, esp] }
- { number: 2, part_start: '500MiB', name: 'root' } - { number: 2, part_start: 500MiB, name: root }
- name: Create LVM logical volumes - name: Create LVM logical volumes
when: filesystem != 'btrfs'
block: block:
- name: Create LVM volume group - name: Create LVM volume group
lvg: community.general.lvg:
vg: sys vg: sys
pvs: '{{ install_drive }}{{ main_partition_suffix }}' pvs: "{{ install_drive }}{{ main_partition_suffix }}"
- name: Create LVM logical volumes - name: Create LVM logical volumes
when: cis or (not cis and item.lv != 'var_log' and item.lv != 'var_log_audit') when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
lvol: community.general.lvol:
vg: sys vg: sys
lv: "{{ item.lv }}" lv: "{{ item.lv }}"
size: "{{ item.size }}" size: "{{ item.size }}"
state: present state: present
loop: loop:
- { lv: 'root', size: '12G' } - lv: root
- { lv: 'home', size: '2G' } size: >-
- { lv: 'var', size: '2G' } {{ (
- { lv: 'var_log', size: '2G' } (vm_size | float -
- { lv: 'var_log_audit', size: '1.5G' } ((vm_memory | float / 1024 >= 16.0) | ternary(
(vm_memory | float / 2048) | int,
[vm_memory | float / 1024, 4.0] | max
)) - 0.5 -
(cis | bool | ternary(0, 7.5))
) > 12.0
) | ternary(
(vm_size | float * 0.4) | round(0, 'ceil'),
vm_size | float -
((vm_memory | float / 1024 >= 16.0) | ternary(
(vm_memory | float / 2048) | int,
[vm_memory | float / 1024, 4.0] | max
)) - 0.5 -
(cis | bool | ternary(7.5, 0))
) | string + 'G' }}
- lv: swap
size: >-
{{ ((vm_memory | float / 1024 >= 16.0) | ternary(
(vm_memory | float / 2048) | int,
[vm_memory | float / 1024, 4.0] | max
)) | string + 'G' }}
- lv: home
size: "2G"
- lv: var
size: "2G"
- lv: var_log
size: "2G"
- lv: var_log_audit
size: "1.5G"
- name: Create filesystems - name: Create filesystems
block: block:
- name: Create FAT32 filesystem in boot partition - name: Create FAT32 filesystem in boot partition
filesystem: community.general.filesystem:
dev: '{{ install_drive }}{{ boot_partition_suffix }}' dev: "{{ install_drive }}{{ boot_partition_suffix }}"
fstype: vfat fstype: vfat
opts: -F32 opts: -F32 -n BOOT
force: yes force: true
- name: Create swap filesystem
community.general.filesystem:
fstype: swap
dev: /dev/sys/swap
- name: Create filesystem - name: Create filesystem
include_tasks: "{{ filesystem }}.yml" ansible.builtin.include_tasks: "{{ filesystem }}.yml"
- name: Get UUID for boot filesystem - name: Get UUID for boot filesystem
command: blkid -s UUID -o value '{{ install_drive }}{{ boot_partition_suffix }}' ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ boot_partition_suffix }}'
changed_when: false changed_when: false
register: boot_uuid register: boot_uuid
- name: Get UUID for main filesystem - name: Get UUID for main filesystem
command: blkid -s UUID -o value '{{ install_drive }}{{ main_partition_suffix }}' ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ main_partition_suffix }}'
changed_when: false changed_when: false
register: main_uuid register: main_uuid
- name: Get UUIDs for LVM filesystems - name: Get UUIDs for LVM filesystems
when: filesystem != 'btrfs' and (cis == true or item not in ['var_log', 'var_log_audit']) when: cis | bool or item not in ['home', 'var', 'var_log', 'var_log_audit']
command: blkid -s UUID -o value /dev/sys/{{ item }} ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }}
changed_when: false changed_when: false
register: uuid_result register: uuid_result
loop: loop:
- root - root
- swap
- home - home
- var - var
- var_log - var_log
- var_log_audit - var_log_audit
- set_fact: - name: Assign UUIDs to Variables
ansible.builtin.set_fact:
uuid_root: "{{ uuid_result.results[0].stdout_lines }}" uuid_root: "{{ uuid_result.results[0].stdout_lines }}"
uuid_home: "{{ uuid_result.results[1].stdout_lines }}" uuid_swap: "{{ uuid_result.results[1].stdout_lines }}"
uuid_var: "{{ uuid_result.results[2].stdout_lines }}" uuid_home: "{{ uuid_result.results[2].stdout_lines if cis | bool else '' }}"
uuid_var_log: "{{ uuid_result.results[3].stdout_lines if cis == true else '' }}" uuid_var: "{{ uuid_result.results[3].stdout_lines if cis | bool else '' }}"
uuid_var_log_audit: "{{ uuid_result.results[4].stdout_lines if cis == true else '' }}" uuid_var_log: "{{ uuid_result.results[4].stdout_lines if cis | bool else '' }}"
when: filesystem != 'btrfs' uuid_var_log_audit: "{{ uuid_result.results[5].stdout_lines if cis | bool else '' }}"
- name: Mount filesystems - name: Mount filesystems
block: block:
- name: Mount filesystems and subvolumes - name: Mount filesystems and subvolumes
when: "cis or (not cis and item.path != '/var/log' and item.path != '/var/log/audit')" when:
mount: - cis | bool or (not cis and (item.path == '/var/log' and filesystem == 'btrfs')
path: "/mnt{{ item.path }}" or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit']))
ansible.posix.mount:
path: /mnt{{ item.path }}
src: "{{ 'UUID=' + (main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}" src: "{{ 'UUID=' + (main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}"
fstype: "{{ filesystem }}" fstype: "{{ filesystem }}"
opts: "{{ item.opts }}" opts: "{{ item.opts }}"
state: mounted state: mounted
loop: loop:
- { path: '', uuid: "{{ uuid_root[0] | default(omit) }}", opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}" } - path: ""
- { path: '/home', uuid: "{{ uuid_home[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}" } uuid: "{{ uuid_root[0] | default(omit) }}"
- { path: '/var', uuid: "{{ uuid_var[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}" } opts: "defaults"
- { path: '/var/log', uuid: "{{ uuid_var_log[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}" } - path: /home
- { path: '/var/log/audit', uuid: "{{ uuid_var_log_audit[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}" } uuid: "{{ uuid_home[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}"
- path: /var
uuid: "{{ uuid_var[0] | default(omit) }}"
opts: "defaults,nosuid,nodev"
- path: /var/log
uuid: "{{ uuid_var_log[0] | default(omit) }}"
opts: "defaults,nosuid,nodev,noexec"
- path: /var/log/audit
uuid: "{{ uuid_var_log_audit[0] | default(omit) }}"
opts: "defaults,nosuid,nodev,noexec"
- name: Mount tmp and var_tmp filesystems - name: Mount tmp and var_tmp filesystems
mount: ansible.posix.mount:
path: "/mnt{{ item.path }}" path: /mnt{{ item.path }}
src: tmpfs src: tmpfs
fstype: tmpfs fstype: tmpfs
opts: defaults,nosuid,nodev,noexec opts: defaults,nosuid,nodev,noexec
state: mounted state: mounted
loop: loop:
- { path: '/tmp' } - { path: /tmp }
- { path: '/var/tmp' } - { path: /var/tmp }
- name: Mount boot filesystem - name: Mount boot filesystem
mount: ansible.posix.mount:
path: /mnt/boot path: "{{ '/mnt/boot/efi' if os | lower in ['rhel8'] else '/mnt/boot' }}"
src: UUID={{ boot_uuid.stdout }} src: UUID={{ boot_uuid.stdout }}
fstype: vfat fstype: vfat
state: mounted state: mounted
- name: Activate swap
ansible.builtin.command: "{{ 'swapon -U ' + uuid_swap[0] }}"
changed_when: result.rc == 0
register: result

10
roles/partitioning/tasks/xfs.yml
View File

@@ -1,13 +1,13 @@
--- ---
- name: Create and format XFS logical volumes - name: Create and format XFS logical volumes
when: cis == true or item.lv not in ['var_log', 'var_log_audit'] when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
filesystem: community.general.filesystem:
dev: '/dev/sys/{{ item.lv }}' dev: /dev/sys/{{ item.lv }}
fstype: xfs fstype: xfs
force: yes force: true
loop: loop:
- { lv: root } - { lv: root }
- { lv: home } - { lv: home }
- { lv: var } - { lv: var }
- { lv: var_log } - { lv: var_log }
- { lv: var_log_audit } - { lv: var_log_audit }

41
roles/virtualization/tasks/libvirt.yml
View File

@@ -1,41 +0,0 @@
- name: Check if VM disk exists
delegate_to: localhost
stat:
path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2"
register: vm_disk_stat
- name: Create VM disk
when: not vm_disk_stat.stat.exists
delegate_to: localhost
command: "qemu-img create -f qcow2 {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2 {{ vm_size }}G"
- name: Generate Random MAC Address
delegate_to: localhost
shell: openssl rand -hex 5 | sed 's/\(..\)/\1:/g; s/.$//' | sed 's/^/02:/'
changed_when: false
register: mac_address_output
- name: Render cloud config templates
delegate_to: localhost
template:
src: "{{ item.src }}"
dest: "/tmp/{{ item.dest_prefix }}-{{ hostname }}.yml"
loop:
- { src: "cloud-user-data.yml.j2", dest_prefix: "cloud-user-data" }
- { src: "cloud-network-config.yml.j2", dest_prefix: "cloud-network-config" }
- name: Create cloud-init disk
delegate_to: localhost
command: "cloud-localds {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso /tmp/cloud-user-data-{{ hostname }}.yml -N /tmp/cloud-network-config-{{ hostname }}.yml"
- name: Create VM using libvirt
delegate_to: localhost
community.libvirt.virt:
command: define
xml: "{{ lookup('template', 'vm.xml.j2') }}"
- name: start vm
delegate_to: localhost
community.libvirt.virt:
name: "{{ hostname }}"
state: running

3
roles/virtualization/tasks/main.yml
View File

@@ -1,2 +1,3 @@
---
- name: Create Virtual Machine - name: Create Virtual Machine
include_tasks: "{{ hypervisor }}.yml" ansible.builtin.include_tasks: "{{ hypervisor }}.yml"

48
roles/virtualization/tasks/proxmox.yml
View File

@@ -1,48 +0,0 @@
- name: Deploy VM on Proxmox
delegate_to: localhost
proxmox_kvm:
api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}"
ciuser: "{{ user_name }}"
cipassword: "{{ user_password }}"
node: "{{ hypervisor_node }}" # Proxmox node name
vmid: "{{ vm_id }}" # Unique ID for the VM
name: "{{ hostname }}" # Name of the VM
cpu: "host"
cores: "{{ vm_cpus }}" # Number of CPU cores
memory: "{{ vm_memory }}" # Memory size in MB
balloon: "{{ vm_ballo | default(omit) }}" # Minimum Memory size in MB
numa_enabled: true
hotplug: "network,disk"
bios: ovmf
boot: "ac"
scsihw: "virtio-scsi-single"
scsi:
scsi0: "{{ hypervisor_storage }}:{{ vm_size }}" # Disk configuration
efidisk0:
efitype: "4m"
format: "raw"
pre_enrolled_keys: false
storage: "{{ hypervisor_storage }}"
ide:
ide0: "{{ boot_iso }},media=cdrom"
ide1: "{{ hypervisor_storage }}:cloudinit"
net:
net0: "virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %}"
ipconfig:
ipconfig0: "ip={{ vm_ip }},gw={{ vm_gw }}"
nameservers: "{{ vm_dns }}"
onboot: true # Start the VM on boot
state: present # Ensure the VM is present
- name: Start VM on Proxmox
delegate_to: localhost
proxmox_kvm:
api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}"
node: "{{ hypervisor_node }}"
name: "{{ hostname }}"
vmid: "{{ vm_id }}"
state: started # Ensure the VM is present

20
roles/virtualization/tasks/vmware.yml
View File

@@ -1,15 +1,15 @@
- name: Create VM in vCenter - name: Create VM in vCenter
delegate_to: localhost delegate_to: localhost
vmware_guest: community.vmware.vmware_guest:
hostname: "{{ hypervisor_url }}" hostname: "{{ hypervisor_url }}"
username: "{{ hypervisor_username }}" username: "{{ hypervisor_username }}"
password: "{{ hypervisor_password }}" password: "{{ hypervisor_password }}"
validate_certs: no validate_certs: false
datacenter: "{{ hypervisor_cluster }}" datacenter: "{{ hypervisor_cluster }}"
cluster: "{{ hypervisor_node }}" cluster: "{{ hypervisor_node }}"
folder: "{{ vm_path }}" folder: "{{ vm_path }}"
name: "{{ hostname }}" name: "{{ hostname }}"
guest_id: "otherGuest64" guest_id: otherGuest64
state: poweredon state: poweredon
disk: disk:
- size_gb: "{{ vm_size }}" - size_gb: "{{ vm_size }}"
@@ -18,16 +18,22 @@
hardware: hardware:
memory_mb: "{{ vm_memory }}" memory_mb: "{{ vm_memory }}"
num_cpus: "{{ vm_cpus }}" num_cpus: "{{ vm_cpus }}"
boot_firmware: "efi" boot_firmware: efi
secure_boot: false secure_boot: false
cdrom: cdrom:
- controller_number: 0 - controller_number: 0
unit_number: 0 unit_number: 0
controller_type: "sata" controller_type: sata
state: present state: present
type: iso type: iso
iso_path: "{{ boot_iso }}" iso_path: "{{ boot_iso }}"
networks: networks:
- vlan: "{{ vlan_name }}" - name: "{{ vm_nif }}"
type: dhcp type: dhcp
ignore_errors: yes vlan: "{{ vlan_name | default(omit) }}"
register: vmware_guest_result
failed_when:
- vmware_guest_result.failed is defined and vmware_guest_result.failed
- "'error' in vmware_guest_result"
- "'failed' in vmware_guest_result"
- vmware_guest_result.rc is defined and vmware_guest_result.rc != 0

11
roles/virtualization/templates/cloud-network-config.yml.j2
View File

@@ -1,11 +0,0 @@
network:
version: 2
ethernets:
id0:
match:
macaddress: "{{ mac_address_output.stdout }}"
addresses:
- "{{ vm_ip }}"
gateway4: "{{ vm_gw }}"
nameservers:
addresses: ['1.1.1.1', '1.0.0.1']

10
roles/virtualization/templates/cloud-user-data.yml.j2
View File

@@ -1,10 +0,0 @@
#cloud-config
hostname: "archiso"
ssh_pwauth: true
users:
- name: "{{ user_name }}"
primary_group: "{{ user_name }}"
groups: users
sudo: ALL=(ALL) NOPASSWD:ALL
passwd: "{{ user_password | password_hash('sha512') }}"
lock_passwd: False

55
roles/virtualization/templates/vm.xml.j2
View File

@@ -1,55 +0,0 @@
<domain type='kvm'>
<name>{{ hostname }}</name>
<memory>{{ vm_memory | int * 1024 }}</memory>
{% if vm_ballo is defined %}<currentMemory>{{ vm_ballo | int * 1024 }}</currentMemory>{% endif %}
<vcpu placement='static'>{{ vm_cpus }}</vcpu>
<os>
<type arch='x86_64' machine="pc-q35-8.0">hvm</type>
<bootmenu enable='no'/>
<boot dev='hd'/>
<boot dev='cdrom'/>
<loader readonly="yes" type="pflash">/usr/share/edk2/x64/OVMF_CODE.secboot.fd</loader>
<nvram template="/usr/share/edk2/x64/OVMF_VARS.fd"/>
</os>
<features>
<acpi/>
<apic/>
<pae/>
</features>
<cpu mode="host-passthrough" check="none" migratable="on"/>
<clock offset="utc"/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2'/>
<target dev='vda' bus='virtio'/>
</disk>
<disk type="file" device="cdrom">
<driver name="qemu" type="raw"/>
<source file="{{ boot_iso }}"/>
<target dev="sda" bus="sata"/>
</disk>
<disk type="file" device="cdrom">
<driver name="qemu" type="raw"/>
<source file="{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso"/>
<target dev="sdb" bus="sata"/>
</disk>
<interface type='network'>
<mac address="{{ mac_address_output.stdout }}"/>
<source network='default'/>
<model type='virtio'/>
</interface>
<input type="tablet" bus="usb"/>
<input type="mouse" bus="ps2"/>
<input type="keyboard" bus="ps2"/>
<graphics type='spice' autoport="yes">
<listen type="address"/>
</graphics>
<video>
<model type="virtio" heads="1" primary="yes"/>
</video>
</devices>
</domain>

43
templates/almalinux.repo.j2
View File

@@ -1,43 +0,0 @@
[alma-appstream]
name=AlmaLinux $releasever - AppStream
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/appstream
# baseurl=https://repo.almalinux.org/almalinux/$releasever/AppStream/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=1
[alma-baseos]
name=AlmaLinux $releasever - BaseOS
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos
# baseurl=https://repo.almalinux.org/almalinux/$releasever/BaseOS/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=1
[alma-extras]
name=AlmaLinux $releasever - Extras
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/extras
# baseurl=https://repo.almalinux.org/almalinux/$releasever/extras/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=0
[alma-highavailability]
name=AlmaLinux $releasever - HighAvailability
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/highavailability
# baseurl=https://repo.almalinux.org/almalinux/$releasever/HighAvailability/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=0

25
templates/fedora.repo.j2
View File

@@ -1,25 +0,0 @@
[fedora]
name=Fedora $releasever - $basearch
#baseurl=http://download.example/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
countme=1
metadata_expire=86400
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=https://getfedora.org/static/fedora.gpg
skip_if_unavailable=False
[fedora-updates]
name=Fedora $releasever - $basearch - Updates
#baseurl=http://download.example/pub/fedora/linux/updates/$releasever/Everything/$basearch/
metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
enabled=1
countme=1
repo_gpgcheck=0
type=rpm
gpgcheck=1
metadata_expire=86400
gpgkey=https://getfedora.org/static/fedora.gpg
skip_if_unavailable=False

13
templates/rhel8.repo.j2 Normal file
View File

@@ -0,0 +1,13 @@
[rhel8-baseos]
name=RHEL 8 BaseOS
baseurl=file:///usr/local/install/redhat/dvd/BaseOS
enabled=1
gpgcheck=0
gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release
[rhel8-appstream]
name=RHEL 8 AppStream
baseurl=file:///usr/local/install/redhat/dvd/AppStream
enabled=1
gpgcheck=0
gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release

13
templates/rhel9.repo.j2 Normal file
View File

@@ -0,0 +1,13 @@
[rhel9-baseos]
name=RHEL 9 BaseOS
baseurl=file:///usr/local/install/redhat/dvd/BaseOS
enabled=1
gpgcheck=0
gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release
[rhel9-appstream]
name=RHEL 9 AppStream
baseurl=file:///usr/local/install/redhat/dvd/AppStream
enabled=1
gpgcheck=0
gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release

19
vars_example.yml
View File

@@ -1,9 +1,4 @@
ansible_user: "{{ user_name }}" vm_ip: "{{ inventory_hostname }}/{{ vm_nms }}"
ansible_password: "{{ user_password }}"
ansible_become_password: "{{ user_password }}"
ansible_ssh_extra_args: '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
vm_ip: "{{ inventory_hostname }}/24"
install_type: "virtual" install_type: "virtual"
cis: false cis: false
@@ -12,4 +7,14 @@ hypervisor_username: "root@pam"
hypervisor_password: "SomePassword" hypervisor_password: "SomePassword"
hypervisor_node: "NodeName" hypervisor_node: "NodeName"
hypervisor_storage: "local-btrfs" hypervisor_storage: "local-btrfs"
boot_iso: "local-btrfs:iso/archlinux-x86_64.iso" boot_iso: "local-btrfs:rhel-9.4-x86_64-dvd.iso"
# For VMware-Tools
ansible_vmware_host: "{{ hypervisor_url }}"
ansible_vmware_user: "{{ hypervisor_username }}"
ansible_vmware_password: "{{ hypervisor_password }}"
ansible_vmware_guest_path: "/{{ hypervisor_cluster }}/vm{{ vm_path }}/{{ hostname }}"
ansible_vmware_validate_certs: no
ansible_vmware_tools_user: "root"
ansible_vmware_tools_password: ""
vmware_ssh: true