sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sandwich:6df7d5ccfc653ab94302cda8556e6dc94fcf5ea9
Branches Tags
sandwich:master sandwich:rhel
..
compare: sandwich:master
Branches Tags
sandwich:master sandwich:rhel

54 Commits
6df7d5ccfc ... master

Author SHA1 Message Date
Sandwich
378d9a88c2 Add Debian 13 (Trixie) support 2025-08-11 21:37:25 +02:00
Sandwich
905043baf3 Update doc to Fedora 42 2025-07-07 15:24:17 +02:00
Sandwich
9164815185 Fix rhel10 variable assertion 2025-07-06 04:36:55 +02:00
Sandwich
81f15fffb7 use proper datacenter variable 2025-07-06 04:34:16 +02:00
Sandwich
d454c3cd82 Update Fedora to 42 2025-07-06 04:28:59 +02:00
Sandwich
9ffb2aa69f Use the proper property name 2025-06-24 16:57:18 +02:00
Sandwich
6d843ff409 Fix VM state after cleanup 2025-06-24 16:54:57 +02:00
Sandwich
775dbefa67 use proper filename for role variables 2025-06-17 06:34:39 +02:00
Sandwich
06823044dd Update ubuntu to plucky release 2025-06-17 03:57:58 +02:00
Sandwich
919c44bb29 Add rhel10 support 2025-06-17 03:13:30 +02:00
Sandwich
0d01f2afdc Add ncurses-term package to ubuntu for more legacy terminal descriptors 2025-05-30 09:48:55 +02:00
Sandwich
e532dcac16 Add ncurses-term package for legacy ssh client (terminal descriptors) 2025-05-30 09:14:21 +02:00
Sandwich
6cbecf2db0 Add vm_dns_search to hostname if set 2025-05-26 14:37:28 +02:00
Sandwich
d612f9dabb Improve SSH CIS hardening 2025-05-04 01:41:00 +02:00
Sandwich
00c3cd5180 Fix Typo 2025-04-29 20:30:02 +02:00
Sandwich
fef1f44a07 Improve Arch packages + Disable swap before unmounting 2025-04-29 20:28:55 +02:00
Sandwich
e1464562f7 Document vmware_ssh variable 2025-03-25 13:13:06 +01:00
Sandwich
60c552be45 Fix vm creation when no rhel_iso for vmware 2025-02-20 16:00:39 +01:00
Sandwich
c96fcf5e96 Increase max home size to 20GB 2025-02-18 21:39:58 +01:00
Sandwich
4e70ee2e3e Add guest_id since its necessary 2025-02-17 21:38:56 +01:00
Sandwich
81bbd2b22a Implement VMware annotation 2025-02-17 21:17:18 +01:00
Sandwich
e65fbfd570 Improve Partition calculation algorithm 2025-02-17 20:43:45 +01:00
Sandwich
122bd5cdf4 Add DNS Search option 2025-02-10 15:16:15 +01:00
Sandwich
c8d3de3d8d Update README regarding SELinux 2025-02-07 20:50:20 +01:00
Sandwich
4ed15e5ea8 dont fail if selinux is undefined 2025-02-07 20:47:30 +01:00
Sandwich
518babe328 Remove motd files for rhel 2025-02-05 17:14:17 +01:00
Sandwich
918e14051d Enable option to disable selinux for all osses 2025-02-05 01:41:10 +01:00
Sandwich
3d18962160 Include Standard package group for RHEL systems 2025-02-05 00:02:37 +01:00
Sandwich
457d558133 Make sure Volumes are safely unmounted before reboot 2025-01-22 12:34:00 +01:00
Sandwich
e06a95fdbc Fix CIS applienc for RHEL8 2025-01-21 22:34:01 +01:00
Sandwich
7bae512560 Update package name to match correctly 2025-01-21 22:02:43 +01:00
Sandwich
3e91057689 Make sure the VM truly starts 2025-01-21 21:35:47 +01:00
Sandwich
e9647571fc Do not check if VM is back on vmware with cis activated, it will fail 
without the key, and key cannot be set otherwise awx refuses connection
 2025-01-21 21:30:56 +01:00
Sandwich
c32769d831 Add banner 2025-01-21 20:16:05 +01:00
Sandwich
7cfa4aee8d Add ssh key survey 2025-01-21 20:00:18 +01:00
Sandwich
a7e7f49d84 Add missing variable 2025-01-21 19:58:07 +01:00
Sandwich
cfcccbf512 CIS Adjustments 2025-01-21 19:55:36 +01:00
Sandwich
75c4ba6b4c Fix variable distribution 2025-01-21 17:43:18 +01:00
Sandwich
b62066d675 Make Network Assignment more reliable 2025-01-21 16:59:56 +01:00
Sandwich
53a2c27984 Add nms default 2025-01-17 00:50:26 +01:00
Sandwich
bb82ff120b Remove nms from ip since already addition already done internaly 2025-01-17 00:45:42 +01:00
Sandwich
221d77b94d Do not reboot localhost! 2025-01-17 00:38:35 +01:00
Sandwich
d71ea511f9 Don't fail proxmox install if rhel_iso is not defined 2025-01-17 00:07:58 +01:00
Sandwich
b3299781dc use 24 netmask as default if not set 2025-01-17 00:03:38 +01:00
Sandwich
5e7a06b7db Add extra utils 2025-01-14 21:14:40 +01:00
Sandwich
d77f65ce05 Set correct IP NetworkMask if defined 2025-01-14 16:08:10 +01:00
Sandwich
39fc15d7d8 Fix typo 2025-01-14 15:03:06 +01:00
Sandwich
b076968404 Dont fail if vmware_ssh is not defined 2025-01-14 14:58:58 +01:00
Sandwich
4f03ccbfcf Add dig via bind-utils for rhel 2024-12-03 16:42:47 +01:00
Sandwich
5746be4561 RHEL add python package 2024-12-03 13:31:31 +01:00
Sandwich
39cc49a05b Do not hardcode macaddress which makes vm cloning harder 2024-12-02 18:08:48 +01:00
Sandwich
2d63ca9c5a Use RHEL nameing for yum repo file 2024-11-12 14:14:09 +01:00
Sandwich
9f56328890 Fix DNS issue 2024-11-11 17:44:52 +01:00
Sandwich
dc763bdc42 Adjust never libvirt loaders 2024-11-11 17:26:37 +01:00
26 changed files with 1381 additions and 250 deletions
Expand all files Collapse all files

98
README.md
View File

@@ -1,18 +1,35 @@
# Ansible-Bootstrap
An Ansible playbook for automating system bootstrap processes in an Infrastructure-as-Code manner.
An Ansible playbook for automating system bootstrap processes in an Infrastructure-as-Code manner, utilizing ArchISO as the foundational tool.
# Info
Most of the roles are adaptable for use with systems beyond ArchLinux, requiring only that the target system can install a necessary package manager, such as `dnf` for RHEL-based systems. Additionally, a replacement for the `arch-chroot` command may be required for these systems.
**NOTE**:
- For RHEL 8 and RHEL 9, repository access requires the `rhel_iso` variable. This variable specifies a local ISO or proxy repository.
- RHEL systems do not support `btrfs`. Use `ext4` or `xfs` as alternatives.
- For RHEL 8, `xfs` may cause installation issues; `ext4` is recommended.
# Supported Distributions
This playbook supports multiple Linux distributions with specific versions tailored to each. Below is a list of supported distributions:
| `os` | Distribution |
|------------|------------------------------------|
| ---------- | ---------------------------------- |
| archlinux | ArchLinux (Latest rolling release) |
| almalinux | AlmaLinux 9.x |
| debian11 | Debian 11 (Bullseye) |
| debian12 | Debian 12 (Bookworm) |
| debian13 | Debian 13 (Trixie) |
| fedora | Fedora 42 |
| rhel8 | Red Hat Enterprise Linux 8 |
| rhel9 | Red Hat Enterprise Linux 9 |
| rhel10 | Red Hat Enterprise Linux 10 |
| rocky | Rocky Linux 9.x |
| ubuntu | Ubuntu 25.04 (Plucky Puffin) |
| ubuntu-lts | Ubuntu 24.04 LTS (Noble Numbat) |
# Documentation
@@ -28,26 +45,28 @@ An Ansible playbook for automating system bootstrap processes in an Infrastructu
## 1. Overview
The playbook uses the RHEL ISO to configure and bootstrap an RHEL system from the ground up.
The playbook uses the ArchLinux ISO as a foundational tool to provides an efficient and systematic method for the automatic deployment of a variety of Linux distributions on designated target systems. It ensures a standardized setup across different platforms, equipping each system with the essential configurations and software necessary for its designated role.
## 2. Global Variables
Global variables apply across your Ansible project and are loaded from `vars.yml` by default. These variables define common settings such as hypervisor connection details and the boot ISO path. They can be overridden by inventory variables for specific hosts or VMs if needed.
| Variable | Description | Example Value |
|-----------------------|--------------------------------------------------------------------|-----------------------------------------|
| `boot_iso` | Path to the boot ISO image. | `local-btrfs:iso/archlinux-x86_64.iso` |
| `rhel_iso` | Path to the RHEL ISO file, required for RHEL 8 and RHEL 9. |`local-btrfs:iso/rhel-9.4-x86_64-dvd.iso`|
| `hypervisor` | Type of hypervisor. | `vmware` |
| `hypervisor_cluster` | Name of the hypervisor cluster. | `default-cluster` |
| `hypervisor_node` | Hypervisor node name. | `node01` |
| `hypervisor_password` | Password for hypervisor authentication. | `123456` |
| `hypervisor_storage` | Storage identifier for VM disks. | `local-btrfs` |
| `hypervisor_url` | URL/IP address for the hypervisor interface. | `192.168.0.2` |
| `hypervisor_username` | Username for hypervisor authentication. | `root@pam` |
| `install_drive` | Drive where the system will be installed. | `/dev/sda` |
| `install_type` | Type of installation. | `virtual` |
| `vlan_name` (optional)| VLAN for the VM's network interface. | `vlan100` |
| Variable | Description | Example Value |
| ----------------------- | ---------------------------------------------------------- | ----------------------------------------- |
| `boot_iso` | Path to the boot ISO image. | `local-btrfs:iso/archlinux-x86_64.iso` |
| `rhel_iso` | Path to the RHEL ISO file, required for RHEL 8 and RHEL 9. | `local-btrfs:iso/rhel-9.4-x86_64-dvd.iso` |
| `hypervisor` | Type of hypervisor. | `libvirt`, `proxmox`, `vmware`, `none` |
| `vmware_ssh` | If Ansible should use SSH after base VM setup on VMware. | `true`, `false (default)` |
| `hypervisor_datacenter` | Name of the hypervisor datacenter. | `default-datacenter` |
| `hypervisor_cluster` | Name of the hypervisor cluster. | `default-cluster` |
| `hypervisor_node` | Hypervisor node name. | `node01` |
| `hypervisor_password` | Password for hypervisor authentication. | `123456` |
| `hypervisor_storage` | Storage identifier for VM disks. | `local-btrfs` |
| `hypervisor_url` | URL/IP address for the hypervisor interface. | `192.168.0.2` |
| `hypervisor_username` | Username for hypervisor authentication. | `root@pam` |
| `install_drive` | Drive where the system will be installed. | `/dev/sda` |
| `install_type` | Type of installation. | `virtual`, `physical` |
| `vlan_name` (optional) | VLAN for the VM's network interface. | `vlan100` |
To protect sensitive information, such as passwords, API keys, and other confidential variables (e.g., `hypervisor_password`), **it is recommended to use Ansible Vault**.
@@ -55,27 +74,30 @@ To protect sensitive information, such as passwords, API keys, and other confide
Inventory variables are defined for individual hosts or VMs in the inventory file, allowing customization of settings such as the operating system, filesystem, and compliance with CIS benchmarks. These variables can be set globally and overridden for specific hosts or VMs.
| Variable | Description | Example Value |
|-------------------------|-----------------------------------------------------------------------------------|----------------------------------------------------|
| `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false` |
| `filesystem` | Filesystem type for the VM's primary storage. | `ext4`, `xfs` |
| `hostname` | The hostname assigned to the virtual machine or system. | `vm01` |
| `os` | Operating system to be installed on the VM. | `rhel8`, `rhel9` |
| `root_password` | Root password for the VM or system, used for initial setup or secure access. | `SecurePass123` |
| `user_name` | Username for a user account within the VM, often used with cloud-init. | `adminuser` |
| `user_password` | Password for the user account within the VM. | `UserPass123` |
| `vm_ballo` (optional) | Ballooning memory size for the VM, used to adjust memory allocation dynamically. | `2048` |
| `vm_cpus` | Number of CPU cores assigned to the virtual machine. | `4` |
| `vm_dns` | DNS server IP address(es) for the virtual machine's network configuration. | `1.0.0.1`, `1.1.1.1` |
| `vm_gw` | Default gateway IP address for the virtual machine's network configuration. | `192.168.0.1` |
| `vm_id` | Unique identifier for the virtual machine. | `101` |
| `vm_ip` | IP address assigned to the virtual machine. | `192.168.0.10` |
| `vm_nm` (optional) | IP address netmask assigned to the virtual machine. | `255.255.255.0` |
| `vm_nms` (optional) | IP address netmask assigned to the virtual machine. | `24` |
| `vm_memory` | Amount of memory (in MB) allocated to the virtual machine. | `2048` |
| `vm_nif` | Network interface type or identifier for the VM's network connection. | `vmbr0` |
| `vm_path (optional)` | Path or folder where the VM configuration or related files will be stored. | `/var/lib/libvirt/images/` |
| `vm_size` | Disk size allocated for the VM's primary storage (in GB). | `20` |
| Variable | Description | Example Value |
| --------------------- | -------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false` |
| `selinux` (optional) | Toggle SELinux, `false` means it should be disabled.` | `true`, `false` |
| `filesystem` | Filesystem type for the VM's primary storage. | `btrfs`, `ext4`, `xfs` |
| `hostname` | The hostname assigned to the virtual machine or system. | `vm01` |
| `os` | Operating system to be installed on the VM. | `archlinux`, `almalinux`, `debian11`, `debian12`, `fedora`, `rhel8`, `rhel9`, `rhel10`, `rocky`, `ubuntu`, `ubuntu-lts` |
| `root_password` | Root password for the VM or system, used for initial setup or secure access. | `SecurePass123` |
| `user_name` | Username for a user account within the VM, often used with cloud-init. | `adminuser` |
| `user_password` | Password for the user account within the VM. | `UserPass123` |
| `user_public_key` | SSH Key for the user account within the VM. | `ssh-ed25519 AAAAC` |
| `vm_ballo` (optional) | Ballooning memory size for the VM, used to adjust memory allocation dynamically. | `2048` |
| `vm_cpus` | Number of CPU cores assigned to the virtual machine. | `4` |
| `vm_dns` | DNS server IP address(es) for the virtual machine's network configuration. | `1.0.0.1`, `1.1.1.1` |
| `vm_dns_search` | DNS search zone for the virtual machine's network configuration. | `example.com` |
| `vm_gw` | Default gateway IP address for the virtual machine's network configuration. | `192.168.0.1` |
| `vm_id` | Unique identifier for the virtual machine. | `101` |
| `vm_ip` | IP address assigned to the virtual machine. | `192.168.0.10` |
| `vm_nm` (optional) | IP address netmask assigned to the virtual machine. | `255.255.255.0` |
| `vm_nms` (optional) | IP address netmask assigned to the virtual machine. | `24` |
| `vm_memory` | Amount of memory (in MB) allocated to the virtual machine. | `2048` |
| `vm_nif` | Network interface type or identifier for the VM's network connection. | `vmbr0` |
| `vm_path (optional)` | Path or folder where the VM configuration or related files will be stored. | `/var/lib/libvirt/images/` |
| `vm_size` | Disk size allocated for the VM's primary storage (in GB). | `20` |
## 4. How to Use the Playbook

29
inventory_example.ini
View File

@@ -1,29 +0,0 @@
[promox-kvm]
192.168.122.10
192.168.122.11
[promox-kvm:vars]
vm_gw=192.168.122.1
vm_dns=1.1.1.1
[192.168.122.10]
hostname=proxy
vm_id=300
os=archlinux
filesystem=btrfs
vm_memory=2048
vm_ballo=1024
vm_cpus=2
vm_size=5
vm_nif=vmbr1
[192.168.122.11]
hostname=database
vm_id=101
os=archlinux
filesystem=btrfs
vm_memory=6144
vm_ballo=3072
vm_cpus=4
vm_size=40
vm_nif=vmbr1

2
inventory_example.yml
View File

@@ -3,6 +3,7 @@ all:
hypervisor: 'proxmox'
install_drive: '/dev/sda'
cis: true
boot_iso: "local-btrfs:iso/archlinux-x86_64.iso"
children:
promox-kvm:
hosts:
@@ -18,6 +19,7 @@ all:
vm_nif: vmbr1
vm_gw: 192.168.122.1
vm_dns: 1.1.1.1
vm_dns_search: "example.com"
192.168.122.11:
hostname: database
vm_id: 101

35
main.yml
View File

@@ -10,6 +10,11 @@
What is your username?
private: false
- name: user_public_key
prompt: |
What is your ssh key?
private: false
- name: user_password
prompt: |
What is your password?
@@ -22,33 +27,49 @@
vars_files: vars.yml
pre_tasks:
- name: Set ansible_python_interpreter
when: os | lower in ["rhel9", "rhel8"]
when: os | lower in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"]
ansible.builtin.set_fact:
ansible_python_interpreter: /usr/bin/python3
- name: Set default variables
ansible.builtin.set_fact:
cis: false
- name: Set SSH Access
when: hypervisor != "vmware"
ansible.builtin.set_fact:
ansible_user: "{{ user_name }}"
ansible_password: "{{ user_password }}"
ansible_become_password: "{{ user_password }}"
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
- name: Validate variables
ansible.builtin.assert:
that:
- filesystem in ["ext4", "xfs"]
- hypervisor in ["libvirt", "proxmox", "vmware", "none"]
- filesystem in ["btrfs", "ext4", "xfs"]
- install_drive is defined
- os in ["rhel8", "rhel9"]
- (vm_size | int) >= 20)
- os in ["archlinux", "almalinux", "debian11", "debian12", "debian13", "fedora", "rhel8", "rhel9", "rhel10", "rocky", "ubuntu", "ubuntu-lts"]
- os not in ["rhel8", "rhel9", "rhel10"] or rhel_iso is defined
- (filesystem == "btrfs" and (vm_size | int) >= 10) or (filesystem != "btrfs" and (vm_size | int) >= 20)
- (vm_size | float) >= ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory | float / 2048), [vm_memory | float / 1024, 4.0] | max) + 16)
fail_msg: Invalid input specified, please try again.
- name: Set connection
when: hypervisor == "vmware"
ansible.builtin.set_fact:
ansible_connection: vmware_tools
roles:
- role: virtualization
when: install_type == "virtual"
become: false
vars:
ansible_connection: local
- role: environment
vars:
ansible_connection: vmware
ansible_connection: "{{ 'vmware_tools' if hypervisor == 'vmware' else 'ssh' }}"
- role: partitioning
vars:
@@ -63,12 +84,13 @@
when: cis | bool
- role: cleanup
when: install_type == "virtual"
vars:
ansible_connection: local
tasks:
- name: Set final SSH Credentials
when: vmware_ssh | bool
when: hypervisor != 'vmware' or (hypervisor == 'vmware' and vmware_ssh | bool)
ansible.builtin.set_fact:
ansible_user: "{{ user_name }}"
ansible_password: "{{ user_password }}"
@@ -76,5 +98,6 @@
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
- name: Check if VM is back and running
when: not (hypervisor == 'vmware' and cis | bool)
ansible.builtin.wait_for_connection:
timeout: 300

84
roles/bootstrap/tasks/main.yml
View File

@@ -1,25 +1,85 @@
---
- name: Include Packages
ansible.builtin.include_vars:
file: packages.yml
name: role_packages
- name: Run OS-specific bootstrap process
block:
- name: Bootstrap ArchLinux
when: os | lower == 'archlinux'
ansible.builtin.command: pacstrap /mnt {{ archlinux | join(' ') }} --asexplicit
changed_when: result.rc == 0
register: result
- name: Bootstrap Debian System
when: os | lower in ['debian11', 'debian12', 'debian13']
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- debootstrap --include={{ vars[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' if os == 'debian12' else 'trixie' }}
/mnt http://deb.debian.org/debian/
- arch-chroot /mnt apt install -y {{ vars[os].extra | join(' ') }}
- arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data
- name: Bootstrap Ubuntu System
when: os | lower in ['ubuntu', 'ubuntu-lts']
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- debootstrap --include={{ vars[os].base | join(',') }} {{ 'plucky' if os == 'ubuntu' else 'noble' }}
/mnt http://archive.ubuntu.com/ubuntu/
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
- arch-chroot /mnt apt update -y
- arch-chroot /mnt apt install -y {{ vars[os].extra | join(' ') }}
- name: Bootstrap AlmaLinux 9
when: os | lower == 'almalinux'
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ almalinux | join(' ') }}
- name: Bootstrap Fedora 42
when: os | lower == 'fedora'
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- dnf --releasever=42 --best --repo=fedora --repo=fedora-updates
--installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=42 --setopt=install_weak_deps=False install -y {{ fedora | join(' ') }}
- arch-chroot /mnt dnf reinstall -y kernel-core
- name: Bootstrap RockyLinux 9
when: os | lower == 'rocky'
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- dnf --releasever=9 --best --repo=rocky-baseos --installroot=/mnt
--setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
groupinstall -y base core
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ rocky | join(' ') }}
- name: Bootstrap RHEL System
when: os | lower in ['rhel8', 'rhel9', 'rhel10']
block:
- name: Install base packages in chroot environment
ansible.builtin.command: >-
dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --repo={{ os | lower }}-baseos
dnf --releasever={{ os | lower | replace('rhel', '') }} --repo={{ os | lower }}-baseos
--installroot=/mnt
--setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
groupinstall -y base core
groupinstall -y core base standard
changed_when: result.rc == 0
register: result
- name: Prepare chroot environment
ansible.builtin.shell: |
ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
mkdir -p /mnt/usr/local/install/redhat/dvd
mount --bind /usr/local/install/redhat/dvd /mnt/usr/local/install/redhat/dvd
arch-chroot /mnt rpm --rebuilddb
@@ -29,13 +89,13 @@
- name: Copy RHEL repo file into chroot environment
ansible.builtin.copy:
src: /etc/yum.repos.d/{{ os | lower }}.repo
dest: /mnt/etc/yum.repos.d/{{ os | lower }}.repo
mode: '0644'
dest: /mnt/etc/yum.repos.d/redhat.repo
mode: "0644"
remote_src: true
- name: Install additional packages in chroot
ansible.builtin.command: >-
arch-chroot /mnt dnf --releasever={{ '8' if os == 'rhel8' else '9' }}
--setopt=install_weak_deps=False install -y {{ role_packages[os] | join(' ') }}
arch-chroot /mnt dnf --releasever={{ os | lower | replace('rhel', '') }}
--setopt=install_weak_deps=False install -y {{ vars[os] | join(' ') }}
changed_when: result.rc == 0
register: result

455
roles/bootstrap/vars/main.yml Normal file
View File

@@ -0,0 +1,455 @@
almalinux:
- bind-utils
- dbus-daemon
- dhcp-client
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- lrzsz
- lvm2
- nc
- nfs-utils
- nfsv4-client-utils
- mtr
- open-vm-tools
- ppp
- shim
- tmux
- vim
- wget
- zram-generator
- zstd
archlinux:
- base
- btrfs-progs
- cronie
- dhcpcd
- efibootmgr
- fastfetch
- firewalld
- fish
- fzf
- grub
- htop
- libpwquality
- linux
- logrotate
- lrzsz
- lsof
- lvm2
- ncdu
- networkmanager
- nfs-utils
- open-vm-tools
- openssh
- ppp
- prometheus-node-exporter
- python-psycopg2
- qemu-guest-agent
- reflector
- rsync
- sudo
- tldr
- tmux
- vim
- wireguard-tools
- zram-generator
debian11:
base:
- apparmor-utils
- btrfs-progs
- chrony
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- linux-image-amd64
- locales
- logrotate
- lvm2
- net-tools
- openssh-server
- python3
- sudo
- xfsprogs
extra:
- bat
- curl
- entr
- firewalld
- fish
- fzf
- htop
- jq
- libpam-pwquality
- lrzsz
- mtr
- ncdu
- neofetch
- network-manager
- open-vm-tools
- python-is-python3
- ripgrep
- rsync
- screen
- software-properties-common
- syslog-ng
- tcpd
- tldr
- vim
- wget
- zstd
debian12:
base:
- btrfs-progs
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- linux-image-amd64
- locales
- logrotate
- lvm2
- xfsprogs
extra:
- apparmor-utils
- bat
- chrony
- curl
- duf
- entr
- firewalld
- fish
- fzf
- htop
- jq
- libpam-pwquality
- logrotate
- lrzsz
- mtr
- ncdu
- neofetch
- net-tools
- network-manager
- open-vm-tools
- openssh-server
- python-is-python3
- python3
- ripgrep
- rsync
- screen
- software-properties-common
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- tldr
- vim
- wget
- zstd
debian13:
base:
- btrfs-progs
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- linux-image-amd64
- locales
- logrotate
- lvm2
- xfsprogs
extra:
- apparmor-utils
- bat
- chrony
- curl
- duf
- entr
- fastfetch
- firewalld
- fish
- fzf
- htop
- jq
- libpam-pwquality
- logrotate
- lrzsz
- mtr
- ncdu
- net-tools
- network-manager
- open-vm-tools
- openssh-server
- python-is-python3
- python3
- ripgrep
- rsync
- screen
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- vim
- wget
- zstd
fedora:
- bat
- bind-utils
- btrfs-progs
- cronie
- dhcp-client
- duf
- efibootmgr
- entr
- fish
- fzf
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- htop
- iperf3
- logrotate
- lrzsz
- lvm2
- nc
- nfs-utils
- nfsv4-client-utils
- open-vm-tools
- polkit
- ppp
- ripgrep
- shim
- tmux
- vim-default-editor
- wget
- zoxide
- zram-generator
- zstd
rhel8:
- bind-utils
- dhcp-client
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi-x64
- grub2-tools-extra
- lrzsz
- lvm2
- mtr
- ncurses-term
- nfs-utils
- open-vm-tools
- policycoreutils-python-utils
- python39
- shim
- tmux
- vim
- zstd
rhel9:
- bind-utils
- dhcp-client
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- grub2-tools-extra
- lrzsz
- lvm2
- mtr
- ncurses-term
- nfs-utils
- open-vm-tools
- policycoreutils-python-utils
- python
- shim
- tmux
- vim
- zram-generator
- zstd
rhel10:
- bind-utils
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- kernel
- lrzsz
- lvm2
- mtr
- ncurses-term
- nfs-utils
- open-vm-tools
- policycoreutils-python-utils
- python
- shim
- tmux
- vim
- zram-generator
- zstd
rocky:
- bind-utils
- dbus-daemon
- dhcp-client
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- lrzsz
- lvm2
- mtr
- nc
- nfs-utils
- nfsv4-client-utils
- open-vm-tools
- ppp
- shim
- telnet
- tmux
- util-linux-core
- vim
- wget
- zram-generator
- zstd
ubuntu:
base:
- btrfs-progs
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- initramfs-tools
- linux-image-generic
- locales
- lvm2
- xfsprogs
extra:
- apparmor-utils
- bash-completion
- bat
- chrony
- curl
- dnsutils
- duf
- entr
- eza
- fdupes
- fio
- firewalld
- fish
- htop
- jq
- libpam-pwquality
- logrotate
- lrzsz
- mtr
- ncdu
- ncurses-term
- net-tools
- network-manager
- open-vm-tools
- openssh-server
- python-is-python3
- python3
- ripgrep
- rsync
- screen
- software-properties-common
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- tldr
- tmux
- traceroute
- util-linux-extra
- vim
- wget
- yq
- zoxide
- zstd
ubuntu-lts:
base:
- btrfs-progs
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- initramfs-tools
- linux-image-generic
- locales
- lvm2
- xfsprogs
extra:
- apparmor-utils
- bash-completion
- bat
- chrony
- curl
- dnsutils
- duf
- entr
- eza
- fdupes
- fio
- firewalld
- fish
- htop
- jq
- libpam-pwquality
- logrotate
- lrzsz
- mtr
- ncdu
- ncurses-term
- net-tools
- network-manager
- open-vm-tools
- openssh-server
- python-is-python3
- python3
- ripgrep
- rsync
- screen
- software-properties-common
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- tldr
- tmux
- traceroute
- util-linux-extra
- vim
- wget
- yq
- zoxide
- zstd

32
roles/bootstrap/vars/packages.yml
View File

@@ -1,32 +0,0 @@
rhel8:
- dhcp-client
- efibootmgr
- grub2
- grub2-efi-x64
- lrzsz
- lvm2
- mtr
- nfs-utils
- open-vm-tools
- shim
- telnet
- tmux
- vim
- zstd
rhel9:
- dhcp-client
- efibootmgr
- grub2
- grub2-efi
- lrzsz
- lvm2
- mtr
- nfs-utils
- open-vm-tools
- shim
- telnet
- tmux
- vim
- zram-generator
- zstd

129
roles/cis/tasks/main.yml
View File

@@ -4,26 +4,27 @@
- name: Disable Kernel Modules
ansible.builtin.copy:
dest: /mnt/etc/modprobe.d/cis.conf
mode: '0644'
mode: "0644"
content: |
CIS LVL 3 Restrictions
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install usb-storage /bin/true
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install cramfs /bin/false
install squashfs /bin/false
install udf /bin/false
install usb-storage /bin/false
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install dccp /bin/false
install sctp /bin/false
install rds /bin/false
install tipc /bin/false
- name: Create USB Rules
ansible.builtin.copy:
dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh
mode: '0644'
mode: "0644"
content: |
By default, disable all.
ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
@@ -40,14 +41,23 @@
- name: Create a consolidated sysctl configuration file
ansible.builtin.copy:
dest: /mnt/etc/sysctl.d/10-cis.conf
mode: '0644'
mode: "0644"
content: |
## CIS Sysctl configurations
kernel.yama.ptrace_scope=1
kernel.randomize_va_space=2
# Network
net.ipv4.ip_forward=0
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.secure_redirects = 0
@@ -69,6 +79,32 @@
# - { regexp: '^PASS_MIN_DAYS.*', replace: 'PASS_MIN_DAYS 7' }
# - { regexp: '^UMASK.*', replace: 'UMASK 027' }
- name: Ensure the Default UMASK is Set Correctly
ansible.builtin.lineinfile:
path: "/mnt/etc/profile"
regexp: "^(\\s*)umask\\s+\\d+"
line: "umask 027"
- name: Prevent Login to Accounts With Empty Password
ansible.builtin.replace:
dest: "{{ item }}"
regexp: "nullok"
loop:
- /mnt/etc/pam.d/system-auth
- /mnt/etc/pam.d/password-auth
- name: Configure System Cryptography Policy
when: os in ["almalinux", "rhel9", "rhel10", "rocky"]
ansible.builtin.command: arch-chroot /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
register: crypto_policy_result
changed_when: "'Setting system-wide crypto-policies to' in crypto_policy_result.stdout"
- name: Mask Systemd Services
ansible.builtin.command: >
arch-chroot /mnt systemctl mask nftables bluetooth rpcbind
changed_when: result.rc == 0
register: result
- name: Ensure files exist
ansible.builtin.file:
path: "{{ item }}"
@@ -80,6 +116,15 @@
- /mnt/etc/hosts.allow
- /mnt/etc/hosts.deny
- name: Ensure files do not exist
ansible.builtin.file:
path: "{{ item }}"
state: touch
mode: "0600"
loop:
- /mnt/etc/at.deny
- /mnt/etc/cron.deny
- name: Add Security related lines into config files
ansible.builtin.lineinfile:
path: "{{ item.path }}"
@@ -91,16 +136,39 @@
- { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 }
- { path: '/mnt/etc/bashrc', content: umask 077 }
- { path: '/mnt/etc/bashrc', content: export TMOUT=3000 }
- { path: '/mnt/etc/systemd/journald.conf', content: Storage=persistent }
- { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" }
- {
path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rhel10", "rocky"] else "bash.bashrc" }}',
content: umask 077,
}
- {
path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rhel10", "rocky"] else "bash.bashrc" }}',
content: export TMOUT=3000,
}
- {
path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}',
content: Storage=persistent,
}
- {
path: /mnt/etc/sudoers,
content: Defaults logfile="/var/log/sudo.log",
}
- { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
- { path: '/mnt/etc/pam.d/system-auth',
content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900 }
- { path: '/mnt/etc/pam.d/system-auth', content: account required pam_faillock.so }
- { path: '/mnt/etc/pam.d/passwd',
content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" }
- {
path:
'/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}',
content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900,
}
- {
path:
'/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth"
if os == "fedora" else "pam.d/system-auth" }}',
content: account required pam_faillock.so,
}
- {
path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}',
content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5",
}
- { path: /mnt/etc/hosts.deny, content: "ALL: ALL" }
- { path: /mnt/etc/hosts.allow, content: "sshd: ALL" }
@@ -120,10 +188,10 @@
{ "path": "/mnt/etc/cron.d", "mode": "0700" },
{ "path": "/mnt/etc/crontab", "mode": "0600" },
{ "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
{ "path": "/mnt/usr/sbin/pppd", "mode": "0754" },
{ "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["rhel9"]
{ "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9", "rhel10"] else None,
{ "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["almalinux", "archlinux", "debian12", "fedora", "rhel9", "rhel10", "rocky"]
else "fusermount"), "mode": "755" },
{ "path": "/mnt/usr/bin/write", "mode": "755" }
{ "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" }
] | reject("none") }}
- name: Adjust SSHD config
@@ -153,7 +221,7 @@
- { option: X11Forwarding, value: "no" }
- { option: PermitUserEnvironment, value: "no" }
- { option: ClientAliveInterval, value: "300" }
- { option: ClientAliveCountMax, value: "0" }
- { option: ClientAliveCountMax, value: "1" }
- { option: PermitTunnel, value: "no" }
- { option: Banner, value: /etc/issue.net }
@@ -167,9 +235,10 @@
### Ciphers and keying ###
RekeyLimit 512M 6h
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
###########################
AllowStreamLocalForwarding no

88
roles/cleanup/tasks/main.yml
View File

@@ -1,10 +1,62 @@
---
- name: Unmount Disks
vars:
ansible_connection: ssh
block:
- name: Disable Swap
ansible.builtin.command: swapoff -a
register: swapoff_result
changed_when: swapoff_result.rc == 0
- name: Unmount /mnt if mounted
ansible.builtin.command: umount -R /mnt
register: unmount_result
changed_when: unmount_result.rc == 0
- name: Verify /mnt is no longer mounted
ansible.builtin.command: grep ' /mnt ' /proc/mounts
register: verify_unmount
retries: 5
delay: 5
until: verify_unmount.rc != 0
when: unmount_result.rc == 0
changed_when: false
failed_when: verify_unmount.rc not in [0, 1]
- name: Shutdown the VM
community.general.shutdown:
vars:
ansible_connection: ssh
- name: Setup Cleanup
when: hypervisor == "proxmox"
delegate_to: localhost
become: false
block:
- name: Cleanup Setup Disks
community.general.proxmox_disk:
api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}"
name: "{{ hostname }}"
vmid: "{{ vm_id }}"
disk: "{{ item }}"
state: absent
loop:
- ide0
- ide2
- name: Start the VM
community.general.proxmox_kvm:
api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}"
node: "{{ hypervisor_node }}"
vmid: "{{ vm_id }}"
state: restarted
- name: Clean vCenter VM
when: hypervisor == "vmware"
delegate_to: localhost
become: false
block:
@@ -42,3 +94,39 @@
datacenter: "{{ hypervisor_cluster }}"
name: "{{ hostname }}"
state: powered-on
- name: Remove Archiso and cloud-init disks
when: hypervisor == "libvirt"
delegate_to: localhost
become: false
block:
- name: Remove cloud-init disk
ansible.builtin.file:
path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso"
state: absent
- name: Get list of CD-ROM devices
ansible.builtin.shell: set -o pipefail && virsh --connect qemu:///system domblklist {{ hostname }} --details | grep 'cdrom' | awk '{print $3}'
changed_when: false
register: cdrom_devices
- name: Wait for VM to spin down
ansible.builtin.wait_for:
timeout: 15
- name: Remove CD-ROM devices
when: cdrom_devices.stdout_lines | length > 0
ansible.builtin.command: virsh --connect qemu:///system detach-disk {{ hostname }} {{ item }} --persistent
with_items: "{{ cdrom_devices.stdout_lines | select('ne', 'sdc') | list }}"
changed_when: result.rc == 0
register: result
- name: Start the VM
community.libvirt.virt:
name: "{{ hostname }}"
state: running
- name: Wait for VM to boot up
delegate_to: "{{ inventory_hostname }}"
ansible.builtin.wait_for_connection:
timeout: 300

183
roles/configuration/tasks/main.yml
View File

@@ -6,17 +6,26 @@
changed_when: result.rc == 0
register: result
- name: Remove depricated attr2 and disable large extent
when: os in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"] and filesystem == "xfs"
ansible.builtin.replace:
path: /mnt/etc/fstab
regexp: "(xfs.*?)(attr2)"
replace: '\1allocsize=64m'
- name: Replace ISO UUID entry with /dev/sr0 in fstab
when: os in ["rhel8", "rhel9"]
when: os in ["rhel8", "rhel9", "rhel10"]
ansible.builtin.lineinfile:
path: /mnt/etc/fstab
regexp: '^.*\/dvd.*$'
line: "{{ '/usr/local/install/redhat/rhel.iso /usr/local/install/redhat/dvd iso9660 loop,nofail 0 0' if hypervisor == 'vmware'
else '/dev/sr0 /usr/local/install/redhat/dvd iso9660 ro,relatime,nojoliet,check=s,map=n,nofail 0 0' }}"
line:
"{{ '/usr/local/install/redhat/rhel.iso /usr/local/install/redhat/dvd iso9660 loop,nofail 0 0' if hypervisor == 'vmware'
else '/dev/sr0 /usr/local/install/redhat/dvd iso9660 ro,relatime,nojoliet,check=s,map=n,nofail 0 0' }}"
state: present
backrefs: true
- name: Write image from RHEL ISO to the target machine
when: os in ["rhel8", "rhel9", "rhel10"] and hypervisor == 'vmware'
ansible.builtin.command: dd if=/dev/sr1 of=/mnt/usr/local/install/redhat/rhel.iso bs=4M
changed_when: result.rc == 0
register: result
@@ -31,7 +40,7 @@
- "# TempFS"
- tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0
- tmpfs /var/tmp tmpfs defaults,nosuid,nodev,noexec 0 0
- tmpfs /dev/shm tmpfs defaults,noexec 0 0
- tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0
- name: Set local timezone
ansible.builtin.command: "{{ item }}"
@@ -43,29 +52,44 @@
- name: Setup locales
block:
- name: Configure locale.gen
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
ansible.builtin.lineinfile:
dest: /mnt/etc/locale.gen
regexp: "{{ item.regex }}"
line: "{{ item.line }}"
loop:
- { regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8 }
- name: Generate locales
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen
changed_when: result.rc == 0
register: result
- name: Set hostname
ansible.builtin.copy:
content: "{{ hostname }}"
content: "{{ hostname }}{% if vm_dns_search is defined and vm_dns_search | length %}.{{ vm_dns_search }}{% endif %}"
dest: /mnt/etc/hostname
mode: '0644'
mode: "0644"
- name: Add host entry to /etc/hosts
ansible.builtin.lineinfile:
path: /mnt/etc/hosts
line: "{{ ansible_host }} {{ hostname }}"
line: "{{ ansible_host }} {{ hostname }}{% if vm_dns_search is defined and vm_dns_search | length %} {{ hostname }}.{{ vm_dns_search }}{% endif %}"
state: present
- name: Create vconsole.conf
ansible.builtin.copy:
content: KEYMAP=us
dest: /mnt/etc/vconsole.conf
mode: '0644'
mode: "0644"
- name: Create locale.conf
ansible.builtin.copy:
content: LANG=en_US.UTF-8
dest: /mnt/etc/locale.conf
mode: '0644'
mode: "0644"
- name: SSH permit Password
ansible.builtin.replace:
@@ -80,27 +104,71 @@
replace: "PermitRootLogin yes"
- name: Enable Systemd Services
ansible.builtin.command: arch-chroot /mnt systemctl enable NetworkManager sshd
ansible.builtin.command: >
arch-chroot /mnt systemctl enable NetworkManager
{{
' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else
(' sshd' if os | lower not in ['debian11', 'debian12', 'debian13'] else '')
}}
{{
'logrotate systemd-resolved systemd-timesyncd systemd-networkd'
if os | lower == 'archlinux' else ''
}}
changed_when: result.rc == 0
register: result
- name: Configure grub
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
block:
- name: Add commandline information to grub config
ansible.builtin.lineinfile:
dest: /mnt/etc/default/grub
regexp: ^GRUB_CMDLINE_LINUX_DEFAULT=
line: GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3"
- name: Change Grub time
ansible.builtin.lineinfile:
dest: /mnt/etc/default/grub
regexp: ^GRUB_TIMEOUT=
line: GRUB_TIMEOUT=1
- name: Configure Bootloader
block:
- name: Install Bootloader
ansible.builtin.command: arch-chroot /mnt /usr/sbin/efibootmgr -c -L '{{ os }}'
-d "{{ install_drive }}" -p 1
-l '\efi\EFI\redhat\shimx64.efi'
ansible.builtin.command: arch-chroot /mnt
{% if os | lower not in ["archlinux", "debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"] %} /usr/sbin/efibootmgr
-c -L '{{ os }}' -d "{{ install_drive }}" -p 1
-l '\efi\EFI\{% if os | lower in ["rhel8", "rhel9", "rhel10"] %}redhat{% else %}{{ os | lower }}{% endif %}\shimx64.efi'
{% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{ "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }}
--bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
{% endif %}
changed_when: result.rc == 0
register: result
- name: Ensure lvm2 for non btrfs filesystems
when: os | lower == "archlinux" and filesystem != "btrfs"
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: "^(HOOKS=.*block)(?!.*lvm2)(.*)"
line: '\1 lvm2\2'
backrefs: true
- name: Regenerate initramfs
when: os | lower not in ["debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"]
ansible.builtin.command: arch-chroot /mnt
{% if os | lower == "archlinux" %} /usr/sbin/mkinitcpio -P
{% else %} /usr/bin/dracut --regenerate-all --force
{% endif %}
changed_when: result.rc == 0
register: result
- name: Generate grub config
ansible.builtin.command: arch-chroot /mnt /usr/sbin/grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
changed_when: result.rc == 0
register: result
- name: Regenerate initramfs
when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
ansible.builtin.command: arch-chroot /mnt /usr/bin/dracut --regenerate-all --force
ansible.builtin.command: arch-chroot /mnt
{% if os | lower not in ["archlinux", "debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"] %}
/usr/sbin/grub2-mkconfig -o /boot/efi/EFI/{% if os | lower in ["rhel8", "rhel9", "rhel10"] %}redhat{% else %}{{ os | lower }}{% endif %}/grub.cfg
{% else %}
/usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }}
{% endif %}
changed_when: result.rc == 0
register: result
@@ -109,7 +177,9 @@
- name: Append vim configurations to vimrc
failed_when: false
ansible.builtin.blockinfile:
path: "/mnt/etc/vimrc"
path:
"{{ '/mnt/etc/vim/vimrc' if os | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts']
else '/mnt/etc/vimrc' }}"
block: |
set encoding=utf-8
set number
@@ -130,10 +200,10 @@
vm.dirty_ratio=10
vm.page-cluster=10
marker: ""
mode: '0644'
mode: "0644"
- name: Create zram config
when: os not in ['rhel8']
when: os not in ['debian11', 'rhel8']
ansible.builtin.copy:
dest: /mnt/etc/systemd/zram-generator.conf
content: |
@@ -142,19 +212,38 @@
compression-algorithm = zstd
swap-priority = 100
fs-type = swap
mode: '0644'
- name: Copy FirstRun Script
ansible.builtin.template:
src: firstrun.sh.j2
dest: /mnt/root/firstrun.sh
mode: "0755"
mode: "0644"
- name: Copy Custom Shell config
ansible.builtin.template:
src: custom.sh.j2
dest: /mnt/etc/profile.d/custom.sh
mode: '0644'
mode: "0644"
- name: Create login banner
ansible.builtin.copy:
dest: "{{ item }}"
content: |
**************************************************************
* WARNING: Unauthorized access to this system is prohibited. *
* All activities are monitored and logged. *
* Disconnect immediately if you are not an authorized user. *
**************************************************************
owner: root
group: root
mode: "0644"
loop:
- /mnt/etc/issue
- /etc/issue.net
- name: Remove motd files
when: os | lower in ["rhel8", "rhel9", "rhel10"]
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /etc/motd.d/cockpit
- /etc/motd.d/insights-client
- name: Setup Network
block:
@@ -179,12 +268,20 @@
dest: /mnt/etc/NetworkManager/system-connections/LAN.nmconnection
mode: "0600"
- name: Fix Ubuntu unmanaged devices
when: os | lower in ["ubuntu", "ubuntu-lts"]
ansible.builtin.file:
path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf
state: touch
mode: "0644"
- name: Setup user account
block:
- name: Create user account
ansible.builtin.command: "{{ item }}"
with_items:
- arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups wheel
- arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups
{{ "sudo" if os | lower in ["debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"] else "wheel" }}
{{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
- arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
changed_when: result.rc == 0
@@ -202,12 +299,26 @@
- name: Give sudo access to wheel group
ansible.builtin.copy:
content: "%wheel ALL=(ALL) ALL"
content: "{{ '%sudo ALL=(ALL) ALL' if os | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts'] else '%wheel ALL=(ALL) ALL' }}"
dest: /mnt/etc/sudoers.d/01-wheel
mode: "0440"
validate: /usr/sbin/visudo --check --file=%s
- name: Fix SELinux
ansible.builtin.command: "arch-chroot /mnt /sbin/fixfiles onboot"
changed_when: result.rc == 0
register: result
when: os | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
block:
- name: Fix SELinux by pre-labeling the filesystem before first boot
when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and (selinux | default(true) | bool)
ansible.builtin.command: >
arch-chroot /mnt /sbin/setfiles -v -F
-e /dev -e /proc -e /sys -e /run
/etc/selinux/targeted/contexts/files/file_contexts /
register: setfiles_result
changed_when: setfiles_result.rc == 0
- name: Disable SELinux
when: os | lower == "fedora" or not (selinux | default(true) | bool)
ansible.builtin.lineinfile:
path: /mnt/etc/selinux/config
regexp: ^SELINUX=
line: SELINUX=permissive

6
roles/configuration/templates/network.j2
View File

@@ -2,14 +2,16 @@
id=LAN
uuid={{ net_uuid.stdout }}
type=ethernet
interface-name={{ net_inf.stdout }}
[ethernet]
mac-address={{ net_mac.stdout }}
[ipv4]
address={{ vm_ip }},{{ vm_gw }}
address={{ vm_ip }}/{{ vm_nms | default (24) }},{{ vm_gw }}
dns={{ vm_dns }}
{% if vm_dns_search is defined %}
dns-search={{ vm_dns_search }}
{% endif %}
method=manual
[ipv6]

30
roles/environment/tasks/main.yml
View File

@@ -20,17 +20,20 @@
msg: This host is not booted from the Arch install media!
when: not archiso_stat.stat.exists
- name: Setect Interface
- name: Register Network Interface
when: hypervisor == "vmware"
ansible.builtin.shell: "set -o pipefail && ip l | awk -F': ' '!/lo/{print $2; exit}'"
changed_when: interface_name.rc == 0
register: interface_name
- name: Set IP-Address
when: hypervisor == "vmware"
ansible.builtin.command: "ip addr replace {{ ansible_host }}/{{ vm_nms | default(24) }} dev {{ interface_name.stdout }}"
changed_when: result.rc == 0
register: result
- name: Set Default Gateway
when: hypervisor == "vmware"
ansible.builtin.command: "ip route replace default via {{ vm_gw }}"
changed_when: result.rc == 0
register: result
@@ -41,7 +44,7 @@
register: result
- name: Configure SSH for root login
when: vmware_ssh | bool
when: hypervisor == "vmware" and (vmware_ssh is defined and vmware_ssh | bool)
block:
- name: Allow empty passwords temporarily
ansible.builtin.replace:
@@ -66,7 +69,7 @@
ansible_user: "root"
ansible_password: ""
ansible_become_password: ""
ansible_ssh_extra_args: '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
- name: Speed-up Bootstrap process
ansible.builtin.lineinfile:
@@ -82,41 +85,46 @@
community.general.pacman:
update_cache: true
force: true
name: "{{ item }}"
name: "{{ item.name }}"
state: latest
loop:
- glibc
- dnf
- { name: glibc }
- { name: dnf, os: [almalinux, fedora, rhel8, rhel9, rhel10, rocky] }
- { name: debootstrap, os: [debian11, debian12, debian13, ubuntu, ubuntu-lts] }
- { name: debian-archive-keyring, os: [debian11, debian12, debian13] }
- { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] }
when: "'os' not in item or os in item.os"
retries: 4
delay: 15
- name: Prepare /iso mount and repository for RHEL-based systems
when: os | lower in ["rhel8", "rhel9"]
when: os | lower in ["rhel8", "rhel9", "rhel10"]
block:
- name: Create /iso directory
ansible.builtin.file:
path: /usr/local/install/redhat/dvd
state: directory
mode: '0755'
mode: "0755"
- name: Mount RHEL ISO
ansible.posix.mount:
src: "/dev/sr1"
src: "{{ '/dev/sr1' if hypervisor == 'vmware' else '/dev/sr2' }}"
path: /usr/local/install/redhat/dvd
fstype: iso9660
opts: "ro,loop"
state: mounted
- name: Configure RHEL Repos for installation
when: os | lower in ["almalinux", "fedora", "rhel8", "rhel9", "rhel10", "rocky"]
block:
- name: Create directories for repository files and RPM GPG keys
ansible.builtin.file:
path: /etc/yum.repos.d
state: directory
mode: '0755'
mode: "0755"
- name: Create RHEL repository file
ansible.builtin.template:
src: "{{ os | lower }}.repo.j2"
dest: /etc/yum.repos.d/{{ os | lower }}.repo
mode: '0644'
mode: "0644"

56
roles/partitioning/tasks/btrfs.yml Normal file
View File

@@ -0,0 +1,56 @@
---
- name: Setup BTRFS
block:
- name: Create btrfs filesystem in main volume
community.general.filesystem:
dev: "{{ install_drive }}{{ main_partition_suffix }}"
fstype: btrfs
force: true
- name: Prepare BTRFS Subvolume
ansible.posix.mount:
path: /mnt
src: "{{ install_drive }}{{ main_partition_suffix }}"
fstype: btrfs
opts: rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async
state: mounted
- name: Enable quotas on Btrfs filesystem
ansible.builtin.command: btrfs quota enable /mnt
changed_when: result.rc == 0
register: result
- name: Make root subvolumes
when: cis | bool or item.subvol not in ['var_log_audit']
ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
changed_when: result.rc == 0
register: result
loop:
- { subvol: root }
- { subvol: swap }
- { subvol: home }
- { subvol: var }
- { subvol: var_log }
- { subvol: var_log_audit }
- name: Set quotas for subvolumes
when: cis | bool or item.subvol not in ['var_log_audit']
ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
changed_when: result.rc == 0
register: result
loop:
- { subvol: home, quota: 2G }
- name: Create a Btrfs swap file
ansible.builtin.command: >-
btrfs filesystem mkswapfile --size {{ ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory
| float / 2048) | int, [vm_memory | float / 1024, 4.0] | max) | int) }}g --uuid clear /mnt/@swap/swapfile
changed_when: result.rc == 0
register: result
- name: Unmount Partition
ansible.posix.mount:
path: /mnt
src: "{{ install_drive }}{{ main_partition_suffix }}"
fstype: btrfs
state: unmounted

12
roles/partitioning/tasks/ext4.yml
View File

@@ -11,3 +11,15 @@
- { lv: var }
- { lv: var_log }
- { lv: var_log_audit }
- name: Remove Unsupported features for older Systems
when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky']) and (cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'])
ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}"
changed_when: result.rc == 0
register: result
loop:
- { lv: root }
- { lv: home }
- { lv: var }
- { lv: var_log }
- { lv: var_log_audit }

76
roles/partitioning/tasks/main.yml
View File

@@ -9,7 +9,9 @@
loop:
- { cmd: umount -l /mnt }
- { cmd: vgremove -f sys }
- { cmd: 'find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;' }
- {
cmd: 'find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;',
}
loop_control:
label: "{{ item.cmd }}"
@@ -28,6 +30,7 @@
- { number: 2, part_start: 500MiB, name: root }
- name: Create LVM logical volumes
when: filesystem != 'btrfs'
block:
- name: Create LVM volume group
community.general.lvg:
@@ -44,42 +47,25 @@
loop:
- lv: root
size: >-
{{ (
(vm_size | float -
((vm_memory | float / 1024 >= 16.0) | ternary(
(vm_memory | float / 2048) | int,
[vm_memory | float / 1024, 4.0] | max
)) - 0.5 -
(cis | bool | ternary(0, 7.5))
) > 12.0
) | ternary(
(vm_size | float * 0.4) | round(0, 'ceil'),
vm_size | float -
((vm_memory | float / 1024 >= 16.0) | ternary(
(vm_memory | float / 2048) | int,
[vm_memory | float / 1024, 4.0] | max
)) - 0.5 -
(cis | bool | ternary(7.5, 0))
) | string + 'G' }}
{{ [(((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0)) - (((vm_memory | float / 1024) > 16.0)
| ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) < 4)
| ternary(4,((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0)) -
(((vm_memory | float / 1024) > 16.0)| ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) > 12)
| ternary(((vm_size | float) * 0.4) | round(0, 'ceil'),((vm_size | float) - 0.5 - ((cis | bool)
| ternary(7.5, 0)) - (((vm_memory | float / 1024) > 16.0)
| ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024))))))))), 4 ] | max | string + 'G' }}
- lv: swap
size: >-
{{ ((vm_memory | float / 1024 >= 16.0) | ternary(
(vm_memory | float / 2048) | int,
[vm_memory | float / 1024, 4.0] | max
)) | string + 'G' }}
{{ ((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0))) - (((vm_memory | float / 1024) > 16.0)
| ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) < 4)
| ternary((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0))) - 4), (((vm_memory | float / 1024) > 16.0)
| ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) | string + 'G' }}
- lv: home
size: "2G"
size: "{{ ([([(((vm_size | float) - 20) * 0.1), 2] | max), 20] | min) | string + 'G' }}"
- lv: var
size: "2G"
- lv: var_log
size: "2G"
- lv: var_log_audit
size: "1.5G"
- { lv: var, size: "2G" }
- { lv: var_log, size: "2G" }
- { lv: var_log_audit, size: "1.5G" }
- name: Create filesystems
block:
@@ -91,6 +77,7 @@
force: true
- name: Create swap filesystem
when: filesystem != 'btrfs'
community.general.filesystem:
fstype: swap
dev: /dev/sys/swap
@@ -109,7 +96,7 @@
register: main_uuid
- name: Get UUIDs for LVM filesystems
when: cis | bool or item not in ['home', 'var', 'var_log', 'var_log_audit']
when: filesystem != 'btrfs' and (cis | bool or item not in ['home', 'var', 'var_log', 'var_log_audit'])
ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }}
changed_when: false
register: uuid_result
@@ -122,6 +109,7 @@
- var_log_audit
- name: Assign UUIDs to Variables
when: filesystem != 'btrfs'
ansible.builtin.set_fact:
uuid_root: "{{ uuid_result.results[0].stdout_lines }}"
uuid_swap: "{{ uuid_result.results[1].stdout_lines }}"
@@ -136,6 +124,7 @@
when:
- cis | bool or (not cis and (item.path == '/var/log' and filesystem == 'btrfs')
or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit']))
- not (item.path == '/swap' and filesystem != 'btrfs')
ansible.posix.mount:
path: /mnt{{ item.path }}
src: "{{ 'UUID=' + (main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}"
@@ -145,20 +134,25 @@
loop:
- path: ""
uuid: "{{ uuid_root[0] | default(omit) }}"
opts: "defaults"
opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}"
- path: /swap
opts: "rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@swap"
- path: /home
uuid: "{{ uuid_home[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}"
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}"
- path: /var
uuid: "{{ uuid_var[0] | default(omit) }}"
opts: "defaults,nosuid,nodev"
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}"
- path: /var/log
uuid: "{{ uuid_var_log[0] | default(omit) }}"
opts: "defaults,nosuid,nodev,noexec"
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}"
- path: /var/log/audit
uuid: "{{ uuid_var_log_audit[0] | default(omit) }}"
opts: "defaults,nosuid,nodev,noexec"
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}"
- name: Mount tmp and var_tmp filesystems
ansible.posix.mount:
@@ -173,12 +167,12 @@
- name: Mount boot filesystem
ansible.posix.mount:
path: "{{ '/mnt/boot/efi' if os | lower in ['rhel8'] else '/mnt/boot' }}"
path: "{{ '/mnt/boot/efi' if os | lower in ['rhel8', 'ubuntu', 'ubuntu-lts'] else '/mnt/boot' }}"
src: UUID={{ boot_uuid.stdout }}
fstype: vfat
state: mounted
- name: Activate swap
ansible.builtin.command: "{{ 'swapon -U ' + uuid_swap[0] }}"
ansible.builtin.command: "{{ 'swapon /mnt/swap/swapfile' if filesystem == 'btrfs' else 'swapon -U ' + uuid_swap[0] }}"
changed_when: result.rc == 0
register: result

50
roles/virtualization/tasks/libvirt.yml Normal file
View File

@@ -0,0 +1,50 @@
---
- name: Check if VM disk exists
delegate_to: localhost
ansible.builtin.stat:
path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2"
register: vm_disk_stat
- name: Create VM disk
when: not vm_disk_stat.stat.exists
delegate_to: localhost
ansible.builtin.command: qemu-img create -f qcow2 {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2 {{ vm_size }}G
changed_when: result.rc == 0
register: result
- name: Generate Random MAC Address
delegate_to: localhost
ansible.builtin.shell: set -o pipefail && openssl rand -hex 5 | sed 's/\(..\)/\1:/g; s/.$//' | sed 's/^/02:/'
changed_when: false
register: mac_address_output
- name: Render cloud config templates
delegate_to: localhost
ansible.builtin.template:
src: "{{ item.src }}"
dest: /tmp/{{ item.dest_prefix }}-{{ hostname }}.yml
mode: '0644'
loop:
- { src: cloud-user-data.yml.j2, dest_prefix: cloud-user-data }
- { src: cloud-network-config.yml.j2, dest_prefix: cloud-network-config }
- name: Create cloud-init disk
delegate_to: localhost
ansible.builtin.command: >
cloud-localds {{ vm_path | default('/var/lib/libvirt/images/') }}/{{ hostname }}-cloudinit.iso
/tmp/cloud-user-data-{{ hostname }}.yml
-N /tmp/cloud-network-config-{{ hostname }}.yml
changed_when: result.rc == 0
register: result
- name: Create VM using libvirt
delegate_to: localhost
community.libvirt.virt:
command: define
xml: "{{ lookup('template', 'vm.xml.j2') }}"
- name: Start vm
delegate_to: localhost
community.libvirt.virt:
name: "{{ hostname }}"
state: running

51
roles/virtualization/tasks/proxmox.yml Normal file
View File

@@ -0,0 +1,51 @@
---
- name: Deploy VM on Proxmox
delegate_to: localhost
community.general.proxmox_kvm:
api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}"
ciuser: "{{ user_name }}"
cipassword: "{{ user_password }}"
ciupgrade: false
node: "{{ hypervisor_node }}"
vmid: "{{ vm_id }}"
name: "{{ hostname }}"
cpu: host
cores: "{{ vm_cpus }}"
memory: "{{ vm_memory }}"
balloon: "{{ vm_ballo | default(omit) }}"
numa_enabled: true
hotplug: network,disk
bios: ovmf
boot: ac
scsihw: virtio-scsi-single
scsi:
scsi0: "{{ hypervisor_storage }}:{{ vm_size }}"
efidisk0:
efitype: 4m
format: raw
pre_enrolled_keys: false
storage: "{{ hypervisor_storage }}"
ide:
ide0: "{{ boot_iso }},media=cdrom"
ide1: "{{ rhel_iso + ',media=cdrom' if rhel_iso is defined else omit }}"
ide2: "{{ hypervisor_storage }}:cloudinit"
net:
net0: virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %}
ipconfig:
ipconfig0: ip={{ vm_ip }}/{{ vm_nms | default(24) }},gw={{ vm_gw }}
nameservers: "{{ vm_dns }}"
onboot: true
state: present
- name: Start VM on Proxmox
delegate_to: localhost
community.general.proxmox_kvm:
api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}"
node: "{{ hypervisor_node }}"
name: "{{ hostname }}"
vmid: "{{ vm_id }}"
state: started

35
roles/virtualization/tasks/vmware.yml
View File

@@ -5,11 +5,13 @@
username: "{{ hypervisor_username }}"
password: "{{ hypervisor_password }}"
validate_certs: false
datacenter: "{{ hypervisor_cluster }}"
cluster: "{{ hypervisor_node }}"
datacenter: "{{ hypervisor_datacenter }}"
cluster: "{{ hypervisor_cluster }}"
folder: "{{ vm_path }}"
name: "{{ hostname }}"
guest_id: otherGuest64
guest_id: otherLinux64Guest
annotation: |
{{ note | default('') }}
state: poweredon
disk:
- size_gb: "{{ vm_size }}"
@@ -20,13 +22,26 @@
num_cpus: "{{ vm_cpus }}"
boot_firmware: efi
secure_boot: false
cdrom:
- controller_number: 0
unit_number: 0
controller_type: sata
state: present
type: iso
iso_path: "{{ boot_iso }}"
cdrom: >-
{{
[ {
"controller_number": 0,
"unit_number": 0,
"controller_type": "sata",
"state": "present",
"type": "iso",
"iso_path": boot_iso
} ]
+
( [ {
"controller_number": 0,
"unit_number": 1,
"controller_type": "sata",
"state": "present",
"type": "iso",
"iso_path": rhel_iso
} ] if rhel_iso is defined and rhel_iso|length > 0 else [] )
}}
networks:
- name: "{{ vm_nif }}"
type: dhcp

11
roles/virtualization/templates/cloud-network-config.yml.j2 Normal file
View File

@@ -0,0 +1,11 @@
network:
version: 2
ethernets:
id0:
match:
macaddress: "{{ mac_address_output.stdout }}"
addresses:
- "{{ vm_ip }}"
gateway4: "{{ vm_gw }}"
nameservers:
addresses: ['1.1.1.1', '1.0.0.1']

12
roles/virtualization/templates/cloud-user-data.yml.j2 Normal file
View File

@@ -0,0 +1,12 @@
#cloud-config
hostname: "archiso"
ssh_pwauth: true
package_update: false
package_upgrade: false
users:
- name: "{{ user_name }}"
primary_group: "{{ user_name }}"
groups: users
sudo: ALL=(ALL) NOPASSWD:ALL
passwd: "{{ user_password | password_hash('sha512') }}"
lock_passwd: False

62
roles/virtualization/templates/vm.xml.j2 Normal file
View File

@@ -0,0 +1,62 @@
<domain type='kvm'>
<name>{{ hostname }}</name>
<memory>{{ vm_memory | int * 1024 }}</memory>
{% if vm_ballo is defined %}<currentMemory>{{ vm_ballo | int * 1024 }}</currentMemory>{% endif %}
<vcpu placement='static'>{{ vm_cpus }}</vcpu>
<os>
<type arch='x86_64' machine="pc-q35-8.0">hvm</type>
<bootmenu enable='no'/>
<boot dev='hd'/>
<boot dev='cdrom'/>
<loader readonly="yes" type="pflash">/usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd</loader>
<nvram template="/usr/share/edk2/x64/OVMF_VARS.4m.fd"/>
</os>
<features>
<acpi/>
<apic/>
<pae/>
</features>
<cpu mode="host-passthrough" check="none" migratable="on"/>
<clock offset="utc"/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2'/>
<target dev='vda' bus='virtio'/>
</disk>
<disk type="file" device="cdrom">
<driver name="qemu" type="raw"/>
<source file="{{ boot_iso }}"/>
<target dev="sda" bus="sata"/>
</disk>
<disk type="file" device="cdrom">
<driver name="qemu" type="raw"/>
<source file="{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso"/>
<target dev="sdb" bus="sata"/>
</disk>
{% if rhel_iso is defined %}
<disk type="file" device="cdrom">
<driver name="qemu" type="raw"/>
<source file="{{ rhel_iso }}"/>
<target dev="sdc" bus="sata"/>
</disk>
{% endif %}
<interface type='network'>
<mac address="{{ mac_address_output.stdout }}"/>
<source network='default'/>
<model type='virtio'/>
</interface>
<input type="tablet" bus="usb"/>
<input type="mouse" bus="ps2"/>
<input type="keyboard" bus="ps2"/>
<graphics type='spice' autoport="yes">
<listen type="address"/>
</graphics>
<video>
<model type="virtio" heads="1" primary="yes"/>
</video>
</devices>
</domain>

43
templates/almalinux.repo.j2 Normal file
View File

@@ -0,0 +1,43 @@
[alma-appstream]
name=AlmaLinux $releasever - AppStream
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/appstream
# baseurl=https://repo.almalinux.org/almalinux/$releasever/AppStream/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=1
[alma-baseos]
name=AlmaLinux $releasever - BaseOS
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos
# baseurl=https://repo.almalinux.org/almalinux/$releasever/BaseOS/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=1
[alma-extras]
name=AlmaLinux $releasever - Extras
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/extras
# baseurl=https://repo.almalinux.org/almalinux/$releasever/extras/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=0
[alma-highavailability]
name=AlmaLinux $releasever - HighAvailability
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/highavailability
# baseurl=https://repo.almalinux.org/almalinux/$releasever/HighAvailability/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=0

25
templates/fedora.repo.j2 Normal file
View File

@@ -0,0 +1,25 @@
[fedora]
name=Fedora $releasever - $basearch
#baseurl=http://download.example/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
countme=1
metadata_expire=86400
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=https://fedoraproject.org/fedora.gpg
skip_if_unavailable=False
[fedora-updates]
name=Fedora $releasever - $basearch - Updates
#baseurl=http://download.example/pub/fedora/linux/updates/$releasever/Everything/$basearch/
metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
enabled=1
countme=1
repo_gpgcheck=0
type=rpm
gpgcheck=1
metadata_expire=86400
gpgkey=https://fedoraproject.org/fedora.gpg
skip_if_unavailable=False

13
templates/rhel10.repo.j2 Normal file
View File

@@ -0,0 +1,13 @@
[rhel10-baseos]
name=RHEL 10 BaseOS
baseurl=file:///usr/local/install/redhat/dvd/BaseOS
enabled=1
gpgcheck=0
gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release
[rhel10-appstream]
name=RHEL 10 AppStream
baseurl=file:///usr/local/install/redhat/dvd/AppStream
enabled=1
gpgcheck=0
gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release

10
templates/rocky.repo.j2 Normal file
View File

@@ -0,0 +1,10 @@
[rocky-baseos]
name=Rocky Linux $releasever - BaseOS
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/os/
gpgcheck=1
enabled=1
countme=1
gpgkey=https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-$releasever
metadata_expire=86400
enabled_metadata=1

4
vars_example.yml
View File

@@ -1,13 +1,11 @@
vm_ip: "{{ inventory_hostname }}/{{ vm_nms }}"
vm_ip: "{{ inventory_hostname }}"
install_type: "virtual"
cis: false
hypervisor_url: "192.168.0.2"
hypervisor_username: "root@pam"
hypervisor_password: "SomePassword"
hypervisor_node: "NodeName"
hypervisor_storage: "local-btrfs"
boot_iso: "local-btrfs:rhel-9.4-x86_64-dvd.iso"
# For VMware-Tools
ansible_vmware_host: "{{ hypervisor_url }}"