Compare commits


48 Commits

Author SHA1 Message Date
cdf2b9fdd7 Adjust examples 2024-11-07 15:02:49 +01:00
6df7d5ccfc Remove non RHEL configuration 2024-11-07 14:57:39 +01:00
75b0e41be6 Remove RHEL ISO variable 2024-11-07 14:26:02 +01:00
38defef1a0 Adjust README for RHEL systems 2024-11-07 14:19:52 +01:00
25deaab87d Add some extra packages and vi mode for bash 2024-11-05 03:36:15 +01:00
89f054e8fd Add final check if the VM is up and running after reboot 2024-11-01 23:58:52 +01:00
cbe238f4d5 Improve the root lv size calculations, still not perfect on bigger disk and ram sizes 2024-10-31 20:07:40 +01:00
c6f1686db8 Proper Shutdown so VMware does not corrupt the installation 2024-10-31 18:27:31 +01:00
c9a15dfccf improve logical volume size calculation 2024-10-31 17:32:27 +01:00
f83a9ebd67 remove zram from debian11 since no support 2024-10-31 16:00:44 +01:00
e16868a78d remove zram for rhel8 since no support 2024-10-31 15:56:42 +01:00
406db38296 don't use sudo for umount 2024-10-31 15:35:22 +01:00
cb3f36a040 Add umount for non RHEL systems 2024-10-31 14:23:55 +01:00
d97f0cfff8 Fix ubuntu install issue 2024-10-31 05:56:20 +01:00
e8f609dd03 Add SWAP support 2024-10-31 05:46:33 +01:00
a599e26a63 Add zram-generator config 2024-10-31 02:18:55 +01:00
3085ebc336 add zram-generator package 2024-10-31 02:10:21 +01:00
f967ea1c3b Add swap optimisations 2024-10-31 02:05:11 +01:00
2c4995ede8 Make root LV size dynamic based on VM disk size 2024-10-31 01:29:48 +01:00
ccf3193c92 improve VMware cleanup 2024-10-31 01:12:51 +01:00
d92944c345 Fix risky shell pipe 2024-10-31 00:43:49 +01:00
3c94a33ae7 Remove Cloud-init package which can cause issues with NetworkManager on bootup 2024-10-31 00:41:38 +01:00
af82baf1d8 Include MAC-Address into the NetworkManager keyfile 2024-10-31 00:13:23 +01:00
ec55701f00 umount disks before reboot 2024-10-30 23:48:36 +01:00
2a1a47ecc1 Remove VMWare static since not applicable 2024-10-30 23:18:27 +01:00
4808ce4401 Fix DISK removal at cleanup 2024-10-30 23:10:53 +01:00
db1fd13623 Fix variable hierarchy 2024-10-30 22:19:00 +01:00
e5660b0ba7 Fix ISO mounting for VMware Hypervisor 2024-10-30 20:25:41 +01:00
173ecd299b Different approach for ISO mounting 2024-10-30 19:30:12 +01:00
4d242ad987 Adjust controllerID for RHEL ISO for correct mounting 2024-10-30 19:23:01 +01:00
f8ac22cfab Allow passwordless ssh for VMware Setup 2024-10-30 19:12:36 +01:00
12a7549aaa Speed up setup on VMware if ssh is available 2024-10-30 18:59:32 +01:00
6705411b2d Enable root ssh login 2024-10-30 18:54:15 +01:00
fe2b216fc7 set cis default value 2024-10-30 18:14:29 +01:00
26824ca6bb Improve Ip set on VMware hypervisors 2024-10-30 18:04:46 +01:00
c60fcca86d Fix VM Connection if hypervisor is VMware 2024-10-30 17:57:22 +01:00
cdd8062937 Fix recursion 2024-10-30 17:09:22 +01:00
ebedff1c4e fix jinja syntax 2024-10-30 17:05:50 +01:00
04d05a4e8b Move hypervisor and disk variable from main playbook 2024-10-30 16:58:22 +01:00
ee6e06a3fe lower connection timeout 2024-10-30 16:48:23 +01:00
527bc11d1d Change VMware boot order to boot correctly from ArchISO 2024-10-30 15:59:16 +01:00
d331e07536 Fix VMware Network if no VLAN specified 2024-10-30 15:48:22 +01:00
287036bcb4 use the correct NetworkMask variable name 2024-10-30 14:38:25 +01:00
ca5a3c8807 Add network mask variables for Hypervisor static IP assignments 2024-10-30 14:33:38 +01:00
c8dd89681b move vm_ip back since it is not a permanent/static variable 2024-10-30 14:10:37 +01:00
9d4af56976 Move some persistent Vars to main playbook 2024-10-30 14:01:07 +01:00
3c55eaf4a1 Recommend Ansible Vault for variables storing secrets 2024-10-30 13:45:19 +01:00
d905dce89e Add missing RHEL variable examples 2024-10-30 00:49:37 +01:00
26 changed files with 306 additions and 976 deletions

View File

@@ -1,31 +1,18 @@
# Ansible-Bootstrap
An Ansible playbook for automating system bootstrap processes in an Infrastructure-as-Code manner, utilizing ArchISO as the foundational tool.
An Ansible playbook for automating system bootstrap processes in an Infrastructure-as-Code manner.
# Info
Most of the roles are adaptable for use with systems beyond ArchLinux, requiring only that the target system can install a necessary package manager, such as `dnf` for RHEL-based systems. Additionally, a replacement for the `arch-chroot` command may be required for these systems.
**NOTE**:
- For RHEL 8 and RHEL 9, repository access requires the `rhel_iso` variable. This variable specifies a local ISO or proxy repository.
- RHEL systems do not support `btrfs`. Use `ext4` or `xfs` as alternatives.
- For RHEL 8, `xfs` may cause installation issues; `ext4` is recommended.
# Supported Distributions
This playbook supports multiple Linux distributions with specific versions tailored to each. Below is a list of supported distributions:
| `os` | Distribution |
|------------|------------------------------------|
| archlinux | ArchLinux (Latest rolling release) |
| almalinux | AlmaLinux 9.x |
| debian11 | Debian 11 (Bullseye) |
| debian12 | Debian 12 (Bookworm) |
| fedora | Fedora 41 |
| rhel8 | Red Hat Enterprise Linux 8 |
| rhel9 | Red Hat Enterprise Linux 9 |
| rocky | Rocky Linux 9.x |
| ubuntu | Ubuntu 24.10 (Oracular Oriole) |
| ubuntu-lts | Ubuntu 24.04 LTS (Noble Numbat) |
# Documentation
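Review bot: Dropping the NOTE block loses two caveats that still apply: the `rhel_iso` requirement (the variable is still referenced in the cleanup role as `{{ rhel_iso | default(omit) }}` and set in the YAML inventory example) and the RHEL 8 / `xfs` warning, while the `filesystem` row still offers `ext4`, `xfs` for every host. Either keep those two bullets or remove the remaining `rhel_iso` references. Removing the Supported Distributions table is fine now that `os` is limited to `rhel8`, `rhel9`.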
@@ -41,7 +28,7 @@ This playbook supports multiple Linux distributions with specific versions tailo
## 1. Overview
The playbook uses the ArchLinux ISO as a foundational tool to provides an efficient and systematic method for the automatic deployment of a variety of Linux distributions on designated target systems. It ensures a standardized setup across different platforms, equipping each system with the essential configurations and software necessary for its designated role.
The playbook uses the RHEL ISO to configure and bootstrap an RHEL system from the ground up.
## 2. Global Variables
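Review bot: Grammar in the new Overview sentence: "an RHEL system" should read "a RHEL system". It also reads as if the RHEL ISO were the boot medium, but `boot_iso` in the table below still points at `archlinux-x86_64.iso`; say that the system boots from the Arch ISO and uses the RHEL ISO as the package source so the Overview and the variable table agree.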
@@ -51,7 +38,7 @@ Global variables apply across your Ansible project and are loaded from `vars.yml
|-----------------------|--------------------------------------------------------------------|-----------------------------------------|
| `boot_iso` | Path to the boot ISO image. | `local-btrfs:iso/archlinux-x86_64.iso` |
| `rhel_iso` | Path to the RHEL ISO file, required for RHEL 8 and RHEL 9. |`local-btrfs:iso/rhel-9.4-x86_64-dvd.iso`|
| `hypervisor` | Type of hypervisor. | `libvirt`, `proxmox`, `vmware`, `none` |
| `hypervisor` | Type of hypervisor. | `vmware` |
| `hypervisor_cluster` | Name of the hypervisor cluster. | `default-cluster` |
| `hypervisor_node` | Hypervisor node name. | `node01` |
| `hypervisor_password` | Password for hypervisor authentication. | `123456` |
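Review bot: The `hypervisor_username` example `root@pam` is Proxmox realm syntax; now that `hypervisor` only accepts `vmware`, the example should be a vSphere account. `hypervisor_cluster` is described as a cluster name, but the vmware tasks in the cleanup role pass it as `datacenter:`, so rename the description (or the variable) to match. The `hypervisor_password` example `123456` reads like a real value; an obviously fake placeholder such as `CHANGEME` avoids copy-paste accidents.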
@@ -59,9 +46,11 @@ Global variables apply across your Ansible project and are loaded from `vars.yml
| `hypervisor_url` | URL/IP address for the hypervisor interface. | `192.168.0.2` |
| `hypervisor_username` | Username for hypervisor authentication. | `root@pam` |
| `install_drive` | Drive where the system will be installed. | `/dev/sda` |
| `install_type` | Type of installation. | `virtual`, `physical` |
| `install_type` | Type of installation. | `virtual` |
| `vlan_name` (optional)| VLAN for the VM's network interface. | `vlan100` |
To protect sensitive information, such as passwords, API keys, and other confidential variables (e.g., `hypervisor_password`), **it is recommended to use Ansible Vault**.
## 3. Inventory Variables
Inventory variables are defined for individual hosts or VMs in the inventory file, allowing customization of settings such as the operating system, filesystem, and compliance with CIS benchmarks. These variables can be set globally and overridden for specific hosts or VMs.
@@ -69,9 +58,9 @@ Inventory variables are defined for individual hosts or VMs in the inventory fil
| Variable | Description | Example Value |
|-------------------------|-----------------------------------------------------------------------------------|----------------------------------------------------|
| `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false` |
| `filesystem` | Filesystem type for the VM's primary storage. | `btrfs`, `ext4`, `xfs` |
| `filesystem` | Filesystem type for the VM's primary storage. | `ext4`, `xfs` |
| `hostname` | The hostname assigned to the virtual machine or system. | `vm01` |
| `os` | Operating system to be installed on the VM. | `archlinux`, `almalinux`, `debian11`, `debian12`, `fedora`, `rocky`, `ubuntu`, `ubuntu-lts` |
| `os` | Operating system to be installed on the VM. | `rhel8`, `rhel9` |
| `root_password` | Root password for the VM or system, used for initial setup or secure access. | `SecurePass123` |
| `user_name` | Username for a user account within the VM, often used with cloud-init. | `adminuser` |
| `user_password` | Password for the user account within the VM. | `UserPass123` |
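Review bot: `user_name` is still described as "often used with cloud-init", but commit 3c94a33ae7 in this range removes the cloud-init package, so the description is now misleading; say the account is created with `useradd` in the configuration role and granted sudo via `wheel`. The `root_password` / `user_password` examples are plaintext inventory values, so repeat the Ansible Vault pointer from section 2 here, since these rows live in the inventory rather than in `vars.yml`.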
@@ -81,6 +70,8 @@ Inventory variables are defined for individual hosts or VMs in the inventory fil
| `vm_gw` | Default gateway IP address for the virtual machine's network configuration. | `192.168.0.1` |
| `vm_id` | Unique identifier for the virtual machine. | `101` |
| `vm_ip` | IP address assigned to the virtual machine. | `192.168.0.10` |
| `vm_nm` (optional) | IP address netmask assigned to the virtual machine. | `255.255.255.0` |
| `vm_nms` (optional) | IP address netmask assigned to the virtual machine. | `24` |
| `vm_memory` | Amount of memory (in MB) allocated to the virtual machine. | `2048` |
| `vm_nif` | Network interface type or identifier for the VM's network connection. | `vmbr0` |
| `vm_path (optional)` | Path or folder where the VM configuration or related files will be stored. | `/var/lib/libvirt/images/` |
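Review bot: `vm_nms` with example `24` is a CIDR prefix length, not a netmask, so the description "IP address netmask" should say "network prefix length (CIDR bits)"; it is consumed only by the VMware-specific `ip addr replace {{ ansible_host }}/{{ vm_nms | default(24) }}` task, which is worth stating. The `vm_path` example `/var/lib/libvirt/images/` no longer makes sense with libvirt support removed.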

View File

@@ -8,22 +8,18 @@ vm_dns=1.1.1.1
[192.168.122.10]
hostname=proxy
vm_id=300
os=archlinux
filesystem=btrfs
os=rhel8
filesystem=ext4
vm_memory=2048
vm_ballo=1024
vm_cpus=2
vm_size=5
vm_nif=vmbr1
[192.168.122.11]
hostname=database
vm_id=101
os=archlinux
filesystem=btrfs
os=rhel9
filesystem=xfs
vm_memory=6144
vm_ballo=3072
vm_cpus=4
vm_size=40
vm_nif=vmbr1
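Review bot: The `proxy` example (`vm_size=5`, `vm_memory=2048`) fails the new validation in the main playbook, which requires `(vm_size | int) >= 20` and, from the memory formula, at least max(2, 4) + 16 = 20 GB for 2048 MB of RAM; raise the example to 20 or more so the shipped inventory passes its own assert.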

View File

@@ -1,29 +1,56 @@
all:
children:
promox-kvm:
first:
hosts:
192.168.122.10:
hostname: proxy
vm_id: 100
os: archlinux
filesystem: btrfs
os: rhel8
filesystem: ext4
vm_memory: "2048"
vm_ballo: "1024"
vm_cpus: "2"
vm_size: "5"
vm_nif: vmbr1
vm_gw: 192.168.122.1
vm_dns: 1.1.1.1
192.168.122.11:
hostname: database
vm_id: 101
os: rhel9
filesystem: xfs
vm_memory: "6144"
vm_ballo: "3072"
vm_cpus: "4"
vm_size: "40"
vm_nif: vmbr1
vm_gw: 192.168.122.1
vm_dns: 1.1.1.1
rhel_iso: "local-btrfs:iso/rhel-9.4-x86_64-dvd.iso"
192.168.122.12:
hostname: storage
os: rhel9
filesystem: xfs
vm_memory: "2048"
vm_ballo: "1024"
vm_cpus: "2"
vm_size: "40"
vm_gw: 192.168.122.1
vm_dns: 1.1.1.1
second:
hosts:
192.168.122.13:
hostname: proxy02
os: rhel8
filesystem: ext4
vm_memory: "2048"
vm_ballo: "1024"
vm_cpus: "2"
vm_size: "5"
vm_gw: 192.168.122.1
vm_dns: 1.1.1.1
192.168.122.14:
hostname: database02
os: rhel9
filesystem: xfs
vm_memory: "6144"
vm_ballo: "3072"
vm_cpus: "4"
vm_size: "40"
vm_gw: 192.168.122.1
vm_dns: 1.1.1.1
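Review bot: Same `vm_size: "5"` problem for `proxy` and `proxy02` as in the INI inventory; the `>= 20` assert rejects both. Also, the group is spelled `promox-kvm` (and names a hypervisor this branch no longer supports), `rhel_iso` is set only on 192.168.122.11 although every host is `rhel8`/`rhel9`, and hosts .12 to .14 have no `vm_id` while the README lists it as the VM's unique identifier; make the example consistent so it can be copied as-is.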

View File

@@ -19,54 +19,36 @@
prompt: |
What is your root password?
confirm: true
- name: hypervisor
prompt: |
Select an Hypervisor:
- libvirt
- proxmox
- vmware
private: false
default: proxmox
- name: install_drive
prompt: |
"Enter the drive to install the system (default: /dev/sda)"
confirm: true
private: false
default: /dev/sda
vars_files: vars.yml
pre_tasks:
- name: Set ansible_python_interpreter
when: os | lower in ["almalinux", "rhel9", "rhel8", "rocky"]
when: os | lower in ["rhel9", "rhel8"]
ansible.builtin.set_fact:
ansible_python_interpreter: /usr/bin/python3
- name: Validate variables
ansible.builtin.assert:
that:
- hypervisor in ["libvirt", "proxmox", "vmware", "none"]
- filesystem in ["btrfs", "ext4", "xfs"]
- os in ["archlinux", "almalinux", "debian11", "debian12", "fedora", "rhel8", "rhel9", "rocky", "ubuntu", "ubuntu-lts"]
- os not in ["rhel8", "rhel9"] or rhel_iso is defined
- (filesystem == "btrfs" and (vm_size | int) >= 10) or (filesystem != "btrfs" and (vm_size | int) >= 20)
- filesystem in ["ext4", "xfs"]
- install_drive is defined
- os in ["rhel8", "rhel9"]
- (vm_size | int) >= 20)
- (vm_size | float) >= ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory | float / 2048), [vm_memory | float / 1024, 4.0] | max) + 16)
fail_msg: Invalid input specified, please try again.
- name: Set connection
when: hypervisor == "vmware"
ansible.builtin.set_fact:
ansible_connection: vmware_tools
roles:
- role: virtualization
when: install_type == "virtual"
become: false
vars:
ansible_connection: local
- role: environment
vars:
ansible_connection: "{{ 'vmware_tools' if hypervisor == 'vmware' else 'ssh' }}"
ansible_connection: vmware
- role: partitioning
vars:
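Review bot: Syntax error in the assert list: `- (vm_size | int) >= 20)` has an unbalanced closing parenthesis and will make the whole `assert` fail to parse. If `ansible_connection: vmware` is the new value for the environment role, note that `vmware` is not a connection plugin name; the pre_task above sets `ansible_connection: vmware_tools` (the `community.vmware.vmware_tools` plugin), so use the same name here. The memory formula is hard to read; a one-line comment stating the intent (swap sized to RAM/2 above 16 GB, otherwise max(RAM, 4 GB), plus 16 GB for root) would help the next reader.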
@@ -78,17 +60,21 @@
- role: configuration
- role: cis
when: cis == true
when: cis | bool
- role: cleanup
when: install_type == "virtual"
vars:
ansible_connection: local
tasks:
- name: Reboot system
when: hypervisor != "libvirt"
ansible.builtin.command: reboot
failed_when: false
changed_when: result.rc == 0
register: result
- name: Set final SSH Credentials
when: vmware_ssh | bool
ansible.builtin.set_fact:
ansible_user: "{{ user_name }}"
ansible_password: "{{ user_password }}"
ansible_become_password: "{{ user_password }}"
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
- name: Check if VM is back and running
ansible.builtin.wait_for_connection:
timeout: 300
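Review bot: `ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"` disables host-key verification for the post-reboot connection, so `ansible_password` would be handed to whatever answers on that IP; the freshly installed host's key is unknown only once, so `StrictHostKeyChecking=accept-new` with a real known_hosts file keeps first contact working without turning checking off permanently. `when: vmware_ssh | bool` also errors when `vmware_ssh` is undefined; use `vmware_ssh | default(false) | bool`. The `reboot` task swallows every error via `failed_when: false`, so a reboot that never happens surfaces only as the 300 s `wait_for_connection` timeout.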

View File

@@ -6,72 +6,7 @@
- name: Run OS-specific bootstrap process
block:
- name: Bootstrap ArchLinux
when: os | lower == 'archlinux'
ansible.builtin.command: pacstrap /mnt {{ role_packages.archlinux | join(' ') }} --asexplicit
changed_when: result.rc == 0
register: result
- name: Bootstrap Debian System
when: os | lower in ['debian11', 'debian12']
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }}
/mnt http://deb.debian.org/debian/
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
- arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data
- name: Bootstrap Ubuntu System
when: os | lower in ['ubuntu', 'ubuntu-lts']
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'oracular' if os == 'ubuntu' else 'noble' }}
/mnt http://archive.ubuntu.com/ubuntu/
- ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
- arch-chroot /mnt apt update -y
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
- name: Bootstrap AlmaLinux 9
when: os | lower == 'almalinux'
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
- ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.almalinux | join(' ') }}
- name: Bootstrap Fedora 41
when: os | lower == 'fedora'
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- dnf --releasever=41 --best --repo=fedora --repo=fedora-updates
--installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
- ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=41 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }}
- arch-chroot /mnt dnf reinstall -y kernel-core
- name: Bootstrap RockyLinux 9
when: os | lower == 'rocky'
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- dnf --releasever=9 --best --repo=rocky-baseos --installroot=/mnt
--setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
groupinstall -y base core
- ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.rocky | join(' ') }}
- name: Bootstrap RHEL System
when: os | lower in ['rhel8', 'rhel9']
block:
- name: Install base packages in chroot environment
ansible.builtin.command: >-
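Review bot: With the other distributions gone, the outer `Run OS-specific bootstrap process` block wraps a single task, and its `when: os | lower in ['rhel8', 'rhel9']` duplicates the `os in ["rhel8", "rhel9"]` assert in the main playbook; either flatten the block or keep the `when` deliberately as a guard and say so in a comment. The chroot command body after `>-` is cut off in this view, so its arguments are not reviewed here.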

View File

@@ -1,308 +1,32 @@
---
almalinux:
- bind-utils
- cloud-init
- dbus-daemon
- dhcp-client
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- lrzsz
- lvm2
- nc
- nfs-utils
- nfsv4-client-utils
- open-vm-tools
- ppp
- shim
- telnet
- vim
- wget
- zstd
archlinux:
- base
- btrfs-progs
- cloud-init
- cronie
- dhcpcd
- efibootmgr
- firewalld
- fish
- grub
- htop
- libpwquality
- linux
- logrotate
- lrzsz
- lsof
- lvm2
- ncdu
- neofetch
- networkmanager
- nfs-utils
- openssh
- open-vm-tools
- ppp
- prometheus-node-exporter
- python-psycopg2
- qemu-guest-agent
- reflector
- rsync
- screen
- sudo
- vim
- wireguard-tools
debian11:
base:
- apparmor-utils
- btrfs-progs
- chrony
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- linux-image-amd64
- locales
- logrotate
- lvm2
- net-tools
- openssh-server
- python3
- sudo
- xfsprogs
extra:
- cloud-init
- curl
- firewalld
- fish
- htop
- libpam-pwquality
- lrzsz
- ncdu
- neofetch
- network-manager
- open-vm-tools
- python-is-python3
- rsync
- screen
- software-properties-common
- syslog-ng
- tcpd
- vim
- wget
- zstd
debian12:
base:
- btrfs-progs
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- linux-image-amd64
- locales
- logrotate
- lvm2
- xfsprogs
extra:
- apparmor-utils
- chrony
- cloud-init
- curl
- firewalld
- fish
- htop
- libpam-pwquality
- logrotate
- lrzsz
- ncdu
- neofetch
- net-tools
- network-manager
- open-vm-tools
- openssh-server
- python-is-python3
- python3
- rsync
- screen
- software-properties-common
- sudo
- syslog-ng
- tcpd
- vim
- wget
- zstd
fedora:
- bind-utils
- btrfs-progs
- cloud-init
- cronie
- dhcp-client
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- logrotate
- lrzsz
- lvm2
- nc
- nfs-utils
- nfsv4-client-utils
- open-vm-tools
- polkit
- ppp
- shim
- telnet
- vim-default-editor
- wget
- zstd
rhel8:
- cloud-init
- dhcp-client
- efibootmgr
- grub2
- grub2-efi-x64
- lrzsz
- lvm2
- mtr
- nfs-utils
- open-vm-tools
- shim
- telnet
- tmux
- vim
- zstd
rhel9:
- cloud-init
- dhcp-client
- efibootmgr
- grub2
- grub2-efi
- lrzsz
- lvm2
- mtr
- nfs-utils
- open-vm-tools
- shim
- telnet
- zstd
rocky:
- bind-utils
- cloud-init
- dbus-daemon
- dhcp-client
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- lrzsz
- lvm2
- nc
- nfs-utils
- nfsv4-client-utils
- open-vm-tools
- ppp
- shim
- telnet
- util-linux-core
- tmux
- vim
- wget
- zstd
ubuntu:
base:
- btrfs-progs
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- initramfs-tools
- linux-image-generic
- locales
- lvm2
- xfsprogs
extra:
- apparmor-utils
- bash-completion
- chrony
- cloud-init
- curl
- dnsutils
- firewalld
- fish
- htop
- libpam-pwquality
- logrotate
- lrzsz
- ncdu
- net-tools
- network-manager
- open-vm-tools
- openssh-server
- python-is-python3
- python3
- rsync
- screen
- software-properties-common
- sudo
- syslog-ng
- tcpd
- vim
- wget
- zstd
ubuntu-lts:
base:
- btrfs-progs
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- initramfs-tools
- linux-image-generic
- locales
- lvm2
- xfsprogs
extra:
- apparmor-utils
- bash-completion
- chrony
- cloud-init
- curl
- dnsutils
- firewalld
- fish
- htop
- libpam-pwquality
- logrotate
- lrzsz
- ncdu
- net-tools
- network-manager
- open-vm-tools
- openssh-server
- python-is-python3
- python3
- rsync
- screen
- software-properties-common
- sudo
- syslog-ng
- tcpd
- vim
- wget
- zram-generator
- zstd
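Review bot: The remaining `rhel8`/`rhel9` lists still contain `cloud-init` although commit 3c94a33ae7 in this range removes it for its NetworkManager conflict; `rhel9` has no `vim` even though the configuration role writes `/mnt/etc/vimrc`, and no `zram-generator` although `/mnt/etc/systemd/zram-generator.conf` is written for every `os` except `rhel8` (the package only appears under the removed `ubuntu-lts` list). Reconcile the lists with the tasks that depend on them.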

View File

@@ -91,17 +91,15 @@
- { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 }
- { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] else "bash.bashrc" }}', content: umask 077 }
- { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] else "bash.bashrc" }}', content: export TMOUT=3000 }
- { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent }
- { path: '/mnt/etc/bashrc', content: umask 077 }
- { path: '/mnt/etc/bashrc', content: export TMOUT=3000 }
- { path: '/mnt/etc/systemd/journald.conf', content: Storage=persistent }
- { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" }
- { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
- { path: '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}',
- { path: '/mnt/etc/pam.d/system-auth',
content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900 }
- { path: '/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth"
if os == "fedora" else "pam.d/system-auth" }}', content: account required pam_faillock.so }
- { path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}',
- { path: '/mnt/etc/pam.d/system-auth', content: account required pam_faillock.so }
- { path: '/mnt/etc/pam.d/passwd',
content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" }
- { path: /mnt/etc/hosts.deny, content: "ALL: ALL" }
- { path: /mnt/etc/hosts.allow, content: "sshd: ALL" }
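Review bot: Appending `pam_faillock.so` lines straight into `/etc/pam.d/system-auth` does not hold on RHEL 8/9, where `system-auth` is generated by authselect and overwritten on the next `authselect apply-changes`; enable the lockout through `authselect select sssd with-faillock` (or a custom authselect profile) instead. `/etc/hosts.deny` and `/etc/hosts.allow` are no-ops here as well, because tcp_wrappers was removed in RHEL 8, so the `ALL: ALL` / `sshd: ALL` pair gives no protection; express that intent with firewalld rules or sshd `AllowUsers` / `Match` directives.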
@@ -122,10 +120,10 @@
{ "path": "/mnt/etc/cron.d", "mode": "0700" },
{ "path": "/mnt/etc/crontab", "mode": "0600" },
{ "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
{ "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9"] else None,
{ "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["almalinux", "archlinux", "debian12", "fedora", "rhel9", "rocky"]
{ "path": "/mnt/usr/sbin/pppd", "mode": "0754" },
{ "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["rhel9"]
else "fusermount"), "mode": "755" },
{ "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" }
{ "path": "/mnt/usr/bin/write", "mode": "755" }
] | reject("none") }}
- name: Adjust SSHD config
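Review bot: `/mnt/usr/sbin/pppd` is now chmod'ed unconditionally, but `ppp` is not in the `rhel8`/`rhel9` package lists (it was only in the removed almalinux/fedora/rocky lists), so this entry fails on a file that does not exist; drop it or guard it with a `stat`. Mode strings are inconsistent (`"0700"` next to `"755"`); use the zero-prefixed octal form everywhere. `| reject("none")` can go now that no entry evaluates to `None`.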

View File

@@ -1,25 +1,15 @@
---
- name: Setup Cleanup
when: hypervisor == "proxmox"
- name: Shutdown the VM
community.general.shutdown:
vars:
ansible_connection: ssh
- name: Clean vCenter VM
delegate_to: localhost
become: false
block:
- name: Cleanup Setup Disks
community.general.proxmox_disk:
api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}"
name: "{{ hostname }}"
vmid: "{{ vm_id }}"
disk: "{{ item }}"
state: absent
loop:
- ide0
- ide2
- name: Remove CD-ROM from VM in vCenter
when: hypervisor == "vmware"
delegate_to: localhost
failed_when: false
community.vmware.vmware_guest:
hostname: "{{ hypervisor_url }}"
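Review bot: `failed_when: false` on the CD-ROM removal hides real vCenter API errors, and an ISO that stays attached changes what the VM boots after the power-on that follows; register the result and at least warn when it fails. The `Shutdown the VM` task switches to `ansible_connection: ssh`, but nothing in this hunk sets SSH credentials, and the `Set final SSH Credentials` task in the main play runs after the roles; state where the credentials for this step come from.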
@@ -30,49 +20,25 @@
name: "{{ hostname }}"
cdrom:
- controller_number: 0
unit_number: 1
unit_number: 0
controller_type: sata
type: iso
iso_path: "{{ boot_iso }}"
state: absent
- name: Remove Archiso and cloud-init disks
when: hypervisor == "libvirt"
delegate_to: localhost
become: false
block:
- name: Stop the VM
community.libvirt.virt:
name: "{{ hostname }}"
state: shutdown
- name: Remove cloud-init disk
ansible.builtin.file:
path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso"
- controller_number: 0
unit_number: 1
controller_type: sata
type: iso
iso_path: "{{ rhel_iso | default(omit) }}"
state: absent
- name: Get list of CD-ROM devices
ansible.builtin.shell: set -o pipefail && virsh --connect qemu:///system domblklist {{ hostname }} --details | grep 'cdrom' | awk '{print $3}'
changed_when: false
register: cdrom_devices
- name: Wait for VM to spin down
ansible.builtin.wait_for:
timeout: 15
- name: Remove CD-ROM devices
when: cdrom_devices.stdout_lines | length > 0
ansible.builtin.command: virsh --connect qemu:///system detach-disk {{ hostname }} {{ item }} --persistent
with_items: "{{ cdrom_devices.stdout_lines | select('ne', 'sdc') | list }}"
changed_when: result.rc == 0
register: result
- name: Start the VM
community.libvirt.virt:
- name: Start VM in vCenter
when: hypervisor == "vmware"
community.vmware.vmware_guest_powerstate:
hostname: "{{ hypervisor_url }}"
username: "{{ hypervisor_username }}"
password: "{{ hypervisor_password }}"
validate_certs: false
datacenter: "{{ hypervisor_cluster }}"
name: "{{ hostname }}"
state: running
- name: Wait for VM to boot up
delegate_to: "{{ inventory_hostname }}"
ansible.builtin.wait_for_connection:
timeout: 300
state: powered-on
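Review bot: `validate_certs: false` disables TLS verification toward vCenter while `hypervisor_password` is sent in the same call, so a forged endpoint at `hypervisor_url` could collect the credentials; trust the vCenter CA on the control node and make this a variable defaulting to `true`. `Wait for VM to spin down` is a fixed 15 s sleep (`wait_for` with only `timeout`); poll the power state with `community.vmware.vmware_guest_info` instead so a slow shutdown is not raced by the `powered-on` task below.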

View File

@@ -6,22 +6,21 @@
changed_when: result.rc == 0
register: result
- name: Remove depricated attr2 and disable large extent
when: os in ["almalinux", "rhel8", "rhel9", "rocky"] and filesystem == "xfs"
ansible.builtin.replace:
path: /mnt/etc/fstab
regexp: '(xfs.*?)(attr2)'
replace: '\1allocsize=64m'
- name: Replace ISO UUID entry with /dev/sr0 in fstab
when: os in ["rhel8", "rhel9"]
ansible.builtin.lineinfile:
path: /mnt/etc/fstab
regexp: '^.*\/dvd.*$'
line: "{{ '/dev/loop0' if hypervisor == 'vmware' else '/dev/sr0' }} /usr/local/install/redhat/dvd iso9660 ro,relatime,nojoliet,check=s,map=n 0 0"
line: "{{ '/usr/local/install/redhat/rhel.iso /usr/local/install/redhat/dvd iso9660 loop,nofail 0 0' if hypervisor == 'vmware'
else '/dev/sr0 /usr/local/install/redhat/dvd iso9660 ro,relatime,nojoliet,check=s,map=n,nofail 0 0' }}"
state: present
backrefs: true
- name: Write image from RHEL ISO to the target machine
ansible.builtin.command: dd if=/dev/sr1 of=/mnt/usr/local/install/redhat/rhel.iso bs=4M
changed_when: result.rc == 0
register: result
- name: Append TempFS to fstab
ansible.builtin.lineinfile:
path: /mnt/etc/fstab
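Review bot: `dd if=/dev/sr1 of=.../rhel.iso` hard-codes the second optical device; if the controllers enumerate differently, the Arch ISO on `/dev/sr0` is copied instead and the repo image is silently wrong. Resolve the device through `/dev/disk/by-label/` or check the volume label before copying. The `lineinfile` task also keeps `backrefs: true`, and with `backrefs` set Ansible leaves the file untouched when `regexp` does not match, so on an fstab without a `/dvd` line nothing is written; drop `backrefs` (the new `line` uses no backreferences) so the entry is appended when missing.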
@@ -44,21 +43,6 @@
- name: Setup locales
block:
- name: Configure locale.gen
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
ansible.builtin.lineinfile:
dest: /mnt/etc/locale.gen
regexp: "{{ item.regex }}"
line: "{{ item.line }}"
loop:
- { regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8 }
- name: Generate locales
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen
changed_when: result.rc == 0
register: result
- name: Set hostname
ansible.builtin.copy:
content: "{{ hostname }}"
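Review bot: Dropping the `locale.gen` / `locale-gen` steps is right for RHEL, which ships locales as `glibc-langpack-*` packages, but the `rhel8`/`rhel9` lists in this change do not include `glibc-langpack-en` (the removed almalinux/fedora/rocky lists did), so `en_US.UTF-8` may be missing on the installed system; add the langpack package or set `LANG` to `C.UTF-8`.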
@@ -89,85 +73,78 @@
regexp: "#PasswordAuthentication yes"
replace: PasswordAuthentication yes
- name: SSH permit root login
ansible.builtin.replace:
path: /mnt/etc/ssh/sshd_config
regexp: "^#?PermitRootLogin.*"
replace: "PermitRootLogin yes"
- name: Enable Systemd Services
ansible.builtin.command: >
arch-chroot /mnt systemctl enable NetworkManager
{{
' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else
(' sshd' if os | lower not in ['debian11', 'debian12'] else '')
}}
{{
'logrotate systemd-resolved systemd-timesyncd systemd-networkd'
if os | lower == 'archlinux' else ''
}}
ansible.builtin.command: arch-chroot /mnt systemctl enable NetworkManager sshd
changed_when: result.rc == 0
register: result
- name: Configure grub
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
block:
- name: Add commandline information to grub config
ansible.builtin.lineinfile:
dest: /mnt/etc/default/grub
regexp: ^GRUB_CMDLINE_LINUX_DEFAULT=
line: GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3"
- name: Change Grub time
ansible.builtin.lineinfile:
dest: /mnt/etc/default/grub
regexp: ^GRUB_TIMEOUT=
line: GRUB_TIMEOUT=1
- name: Configure Bootloader
block:
- name: Install Bootloader
ansible.builtin.command: arch-chroot /mnt
{% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %} /usr/sbin/efibootmgr
-c -L '{{ os }}' -d "{{ install_drive }}" -p 1
-l '\efi\EFI\{% if os | lower in ["rhel8", "rhel9"] %}redhat{% else %}{{ os | lower }}{% endif %}\shimx64.efi'
{% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{ "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }}
--bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
{% endif %}
ansible.builtin.command: arch-chroot /mnt /usr/sbin/efibootmgr -c -L '{{ os }}'
-d "{{ install_drive }}" -p 1
-l '\efi\EFI\redhat\shimx64.efi'
changed_when: result.rc == 0
register: result
- name: Generate grub config
ansible.builtin.command: arch-chroot /mnt
{% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}
/usr/sbin/grub2-mkconfig -o /boot/efi/EFI/{% if os | lower in ["rhel8", "rhel9"] %}redhat{% else %}{{ os | lower }}{% endif %}/grub.cfg
{% else %}
/usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }}
{% endif %}
ansible.builtin.command: arch-chroot /mnt /usr/sbin/grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
changed_when: result.rc == 0
register: result
- name: Regenerate initramfs
when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
ansible.builtin.command: arch-chroot /mnt
{% if os | lower == "archlinux" %} /usr/sbin/mkinitcpio -P
{% elif os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts", "archlinux"] %} /usr/bin/dracut --regenerate-all --force
{% else %} echo "Skipping initramfs regeneration"
{% endif %}
ansible.builtin.command: arch-chroot /mnt /usr/bin/dracut --regenerate-all --force
changed_when: result.rc == 0
register: result
- name: Extra Configuration
block:
- name: Append lines to vimrc
- name: Append vim configurations to vimrc
failed_when: false
ansible.builtin.lineinfile:
path: "{{ '/mnt/etc/vim/vimrc' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] else '/mnt/etc/vimrc' }}"
line: "{{ item }}"
ansible.builtin.blockinfile:
path: "/mnt/etc/vimrc"
block: |
set encoding=utf-8
set number
set autoindent
set smartindent
set mouse=a
insertafter: EOF
with_items:
- set encoding=utf-8
- set number
- set autoindent
- set smartindent
- set mouse=a
marker: ""
- name: Add memory tuning parameters
ansible.builtin.blockinfile:
path: /mnt/etc/sysctl.d/90-memory.conf
create: true
block: |
vm.swappiness=10
vm.vfs_cache_pressure=50
vm.dirty_background_ratio=1
vm.dirty_ratio=10
vm.page-cluster=10
marker: ""
mode: '0644'
- name: Create zram config
when: os not in ['rhel8']
ansible.builtin.copy:
dest: /mnt/etc/systemd/zram-generator.conf
content: |
[zram0]
zram-size = ram / 2
compression-algorithm = zstd
swap-priority = 100
fs-type = swap
mode: '0644'
- name: Copy FirstRun Script
when: os | lower != "archlinux"
ansible.builtin.template:
src: firstrun.sh.j2
dest: /mnt/root/firstrun.sh
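Review bot: `PermitRootLogin yes` together with `PasswordAuthentication yes` is written into the installed system's `sshd_config` and nothing in this hunk reverts it, so a bootstrap convenience becomes the permanent posture of every VM and works against the CIS role's intent; switch to `PermitRootLogin prohibit-password` once the `user_name` account exists, or revert it from `firstrun.sh`. Smaller points: `failed_when: false` on the vimrc `blockinfile` masks the case where `/mnt/etc/vimrc` does not exist because `vim` is absent from the rhel9 package list (use `create: true` instead), and the zram config is written for `rhel9` without `zram-generator` in its package list.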
@@ -191,26 +168,23 @@
changed_when: net_inf.rc == 0
register: net_inf
- name: Register MAC Address of the Network Interface
ansible.builtin.shell: set -o pipefail && ip link show "{{ net_inf.stdout }}" | awk '/link\/ether/ {print $2}' | tr '[:lower:]' '[:upper:]'
register: net_mac
changed_when: net_mac.rc == 0
- name: Copy NetworkManager keyfile
ansible.builtin.template:
src: network.j2
dest: /mnt/etc/NetworkManager/system-connections/LAN.nmconnection
mode: "0600"
- name: Fix Ubuntu unmanaged devices
when: os | lower in ["ubuntu", "ubuntu-lts"]
ansible.builtin.file:
path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf
state: touch
mode: '0644'
- name: Setup user account
block:
- name: Create user account
ansible.builtin.command: "{{ item }}"
with_items:
- arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups
{{ "sudo" if os | lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "wheel" }}
- arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups wheel
{{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
- arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
changed_when: result.rc == 0
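Review bot: the `useradd`/`usermod` commands in `Create user account` put the output of `password_hash('sha512')` on the command line without `no_log: true`, so the salted hashes for the user and for root end up in the play output, callback logs and any AWX/ARA job record; add `no_log: true` to the task or to the enclosing `Setup user account` block. Because `password_hash` draws a fresh salt on every run and the task is a `command` with `changed_when: result.rc == 0`, it also reports changed and rewrites both hashes every time, which is acceptable for a one-shot installer but deserves a comment.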
@@ -228,22 +202,12 @@
- name: Give sudo access to wheel group
ansible.builtin.copy:
content: "{{ '%sudo ALL=(ALL) ALL' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] else '%wheel ALL=(ALL) ALL' }}"
content: "%wheel ALL=(ALL) ALL"
dest: /mnt/etc/sudoers.d/01-wheel
mode: "0440"
validate: /usr/sbin/visudo --check --file=%s
- name: Fix SELinux
block:
- name: Relabel the filesystem
when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rocky']
ansible.builtin.command: "arch-chroot /mnt /sbin/fixfiles onboot"
changed_when: result.rc == 0
register: result
- name: Disable SELinux
when: os | lower == "fedora"
ansible.builtin.lineinfile:
path: /mnt/etc/selinux/config
regexp: ^SELINUX=
line: SELINUX=permissive
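Review bot: the `Disable SELinux` task leaves the Fedora build permanently in permissive mode, whereas the RHEL/Alma/Rocky branch keeps enforcing and only schedules a relabel via `fixfiles onboot`; if the Fedora branch is kept, give it the same `fixfiles onboot` treatment (an unlabelled filesystem is what normally breaks first boot after an arch-chroot install, not enforcement itself), or document why permissive is the intended end state. The sudoers task is fine as written: `validate: /usr/sbin/visudo --check --file=%s` with mode `0440` is the right way to drop a `sudoers.d` snippet.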


@@ -10,3 +10,6 @@ PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
# History Size
HISTFILESIZE=
HISTSIZE=
# Enable vi mode
set -o vi
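Review bot: `set -o vi` in this shared bashrc template switches every interactive shell on the box to vi editing mode, which surprises anyone expecting emacs-style keys (Ctrl-A, Ctrl-E, Ctrl-R); keep it out of the system-wide file and put it in the provisioning user's `~/.bashrc`, or gate it behind a variable. Not part of this change but in the context lines: empty `HISTFILESIZE=`/`HISTSIZE=` means unbounded history, which is good for auditing as long as `~/.bash_history` stays mode 0600.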


@@ -5,6 +5,7 @@ type=ethernet
interface-name={{ net_inf.stdout }}
[ethernet]
mac-address={{ net_mac.stdout }}
[ipv4]
address={{ vm_ip }},{{ vm_gw }}
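Review bot: `mac-address={{ net_mac.stdout }}` is emitted unconditionally, so if the `awk` in `Register MAC Address of the Network Interface` matches nothing (unexpected interface name, empty `net_inf`), the keyfile contains a bare `mac-address=` and NetworkManager rejects the whole connection, leaving the VM without network after reboot; wrap the line in `{% if net_mac.stdout | length %}...{% endif %}` or add `failed_when: net_mac.stdout | length == 0` to the registering task so the play stops before the disk is wiped. Pinning both `interface-name` and `mac-address` is otherwise a sensible choice for a VM with a fixed vNIC.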
@@ -12,7 +13,7 @@ dns={{ vm_dns }}
method=manual
[ipv6]
addr-gen-mode=default
addr-gen-mode=stable-privacy
method=disabled
[proxy]
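Review bot: changing `addr-gen-mode=default` to `addr-gen-mode=stable-privacy` under `[ipv6]` has no effect while `method=disabled` stays on the following line; either drop the key or, if the intent is to have a sane default ready for when IPv6 is enabled, say so in a template comment so the next reader does not assume IPv6 addresses are being generated.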


@@ -4,7 +4,7 @@
block:
- name: Wait for connection
ansible.builtin.wait_for_connection:
timeout: 300
timeout: 60
delay: 5
- name: Gather facts
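Review bot: cutting the `wait_for_connection` `timeout` from 300 to 60 seconds makes the play fail on hypervisors where the ISO boot plus sshd start takes longer than a minute (nested virtualisation, busy datastores); if the goal is to fail fast on wrong credentials, something like 120 seconds is a safer middle ground, since the slow path is otherwise a rerun of the entire play.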
@@ -21,20 +21,17 @@
when: not archiso_stat.stat.exists
- name: Setect Interface
when: hypervisor == "vmware"
ansible.builtin.shell: "set -o pipefail && ip l | awk -F': ' '!/lo/{print $2; exit}'"
changed_when: interface_name.rc == 0
register: interface_name
- name: Set IP-Address
when: hypervisor == "vmware"
ansible.builtin.command: ip addr replace {{ ansible_host }}/24 dev {{ interface_name.stdout }}
ansible.builtin.command: "ip addr replace {{ ansible_host }}/{{ vm_nms | default(24) }} dev {{ interface_name.stdout }}"
changed_when: result.rc == 0
register: result
- name: Set Default Gateway
when: hypervisor == "vmware"
ansible.builtin.command: ip route replace default via {{ vm_gw }}
ansible.builtin.command: "ip route replace default via {{ vm_gw }}"
changed_when: result.rc == 0
register: result
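Review bot: in `Setect Interface` (typo for `Select`) the awk filter `!/lo/` skips any line that contains the substring `lo` anywhere, so an interface whose name contains it (`wlo1`, `enlo*`) is silently passed over and the next interface, or nothing, is returned; match the field instead, e.g. `ip -o l | awk -F': ' '$2 != "lo" {print $2; exit}'`, and add `failed_when: interface_name.stdout | length == 0`. Replacing the hard-coded `/24` with `{{ vm_nms | default(24) }}` in `Set IP-Address` is good; use the same default where `vm_ip` is assembled in host_vars so both paths agree.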
@@ -43,6 +40,34 @@
changed_when: result.rc == 0
register: result
- name: Configure SSH for root login
when: vmware_ssh | bool
block:
- name: Allow empty passwords temporarily
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: "^#?PermitEmptyPasswords.*"
replace: "PermitEmptyPasswords yes"
- name: Allow root login
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: "^#?PermitRootLogin.*"
replace: "PermitRootLogin yes"
- name: Reload SSH service to apply changes
ansible.builtin.service:
name: sshd
state: reloaded
- name: Set connection back to SSH
ansible.builtin.set_fact:
ansible_connection: ssh
ansible_user: "root"
ansible_password: ""
ansible_become_password: ""
ansible_ssh_extra_args: '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
- name: Speed-up Bootstrap process
ansible.builtin.lineinfile:
path: /etc/pacman.conf
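Review bot: `Configure SSH for root login` sets `PermitEmptyPasswords yes` and `PermitRootLogin yes` and then connects as root with `ansible_password: ""`, so for the whole install the live environment accepts a passwordless root login from anyone who can reach the VM's address, and with `StrictHostKeyChecking=no` on the client a host substituted on that path would not be noticed either. Prefer generating a throwaway password for the install session (`lookup('community.general.random_string')` or `openssl rand -base64`) and setting it with `chpasswd` over the VMware Tools connection, leaving `PermitEmptyPasswords` at its default; at minimum restrict sshd with `ListenAddress` or `AllowUsers root@<controller-ip>` and undo the change in the `firstrun` step. Also verify the effective values with `sshd -T | grep -iE 'permitrootlogin|permitemptypasswords'`, because sshd takes the first value it sees and an `Include /etc/ssh/sshd_config.d/*.conf` near the top of the file would override these `replace` edits.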
@@ -57,15 +82,11 @@
community.general.pacman:
update_cache: true
force: true
name: "{{ item.name }}"
name: "{{ item }}"
state: latest
loop:
- { name: glibc }
- { name: dnf, os: [almalinux, fedora, rhel9, rhel8, rocky] }
- { name: debootstrap, os: [debian11, debian12, ubuntu, ubuntu-lts] }
- { name: debian-archive-keyring, os: [debian11, debian12] }
- { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] }
when: "'os' not in item or os in item.os"
- glibc
- dnf
retries: 4
delay: 15
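Review bot: the package loop now installs `glibc` and `dnf` one at a time with both `update_cache: true` and `force: true`, so each iteration repeats the forced database refresh and the `retries: 4`/`delay: 15` back-off applies per package; pass the list in a single call, `name: [glibc, dnf]`, which also keeps any failure output in one place. Dropping the `item.name`/`item.os` dict form is fine now that only Arch-side packages remain.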
@@ -80,14 +101,13 @@
- name: Mount RHEL ISO
ansible.posix.mount:
src: /dev/sr2
src: "/dev/sr1"
path: /usr/local/install/redhat/dvd
fstype: iso9660
opts: "ro,loop"
state: mounted
- name: Configure RHEL Repos for installation
when: os | lower in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"]
block:
- name: Create directories for repository files and RPM GPG keys
ansible.builtin.file:
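Review bot: `Mount RHEL ISO` still addresses the DVD by a fixed device node (`/dev/sr1`, previously `/dev/sr2`), which depends on the order in which the hypervisor enumerates the virtual CD drives and has already had to change in this commit; resolve it from the volume label instead, e.g. `src: /dev/disk/by-label/<rhel-dvd-label>` (placeholder, read the real label with `blkid -s LABEL`), or register the output of `lsblk -o NAME,LABEL` and pick the device from that. The `loop` in `opts: "ro,loop"` is unnecessary for a block device but harmless.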


@@ -1,48 +0,0 @@
---
- name: Setup BTRFS
block:
- name: Create btrfs filesystem in main volume
community.general.filesystem:
dev: "{{ install_drive }}{{ main_partition_suffix }}"
fstype: btrfs
force: true
- name: Prepare BTRFS Subvolume
ansible.posix.mount:
path: /mnt
src: "{{ install_drive }}{{ main_partition_suffix }}"
fstype: btrfs
opts: rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async
state: mounted
- name: Enable quotas on Btrfs filesystem
ansible.builtin.command: btrfs quota enable /mnt
changed_when: result.rc == 0
register: result
- name: Make root subvolumes
when: cis | bool or item.subvol not in ['var_log', 'var_log_audit']
ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
changed_when: result.rc == 0
register: result
loop:
- { subvol: root }
- { subvol: home }
- { subvol: var }
- { subvol: var_log }
- { subvol: var_log_audit }
- name: Set quotas for subvolumes
when: cis | bool or item.subvol not in ['var_log', 'var_log_audit']
ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
changed_when: result.rc == 0
register: result
loop:
- { subvol: home, quota: 2G }
- name: Unmount Partition
ansible.posix.mount:
path: /mnt
src: "{{ install_drive }}{{ main_partition_suffix }}"
fstype: btrfs
state: unmounted
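Review bot: deleting `btrfs.yml` leaves dangling btrfs branches elsewhere in this change: `Create filesystem` still does `include_tasks: "{{ filesystem }}.yml"`, so `filesystem: btrfs` now fails with a missing-file error instead of a clear message, and `Mount filesystems and subvolumes` still tests `filesystem == 'btrfs'` in both its `when` and its `src`. Either add an `ansible.builtin.assert` that `filesystem in ['ext4', 'xfs']` at the start of the play or strip the remaining btrfs conditionals so the two code paths cannot drift.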


@@ -1,6 +1,6 @@
---
- name: Create and format ext4 logical volumes
when: cis | bool or item.lv not in ['var_log', 'var_log_audit']
when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
community.general.filesystem:
dev: /dev/sys/{{ item.lv }}
fstype: ext4
@@ -11,15 +11,3 @@
- { lv: var }
- { lv: var_log }
- { lv: var_log_audit }
- name: Remove Unsupported features for older Systems
when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky']) and (cis | bool or item.lv not in ['var_log', 'var_log_audit'])
ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}"
changed_when: result.rc == 0
register: result
loop:
- { lv: root }
- { lv: home }
- { lv: var }
- { lv: var_log }
- { lv: var_log_audit }
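Review bot: removing `Remove Unsupported features for older Systems` drops the `tune2fs -O "^orphan_file,^metadata_csum_seed"` step that made ext4 volumes created on the Arch ISO mountable by the target's older kernel; its `when` covered rhel8, rhel9, almalinux, rocky and debian11, none of whose kernels understand `orphan_file`, and current e2fsprogs enables that feature by default in `mke2fs.conf`, so an ext4 install for those targets can now fail to mount root on first boot. Unless ext4 is no longer a supported `filesystem` value (ext4.yml is still being modified in this change), keep the step or pass `opts: "-O ^orphan_file,^metadata_csum_seed"` to `community.general.filesystem`.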


@@ -28,7 +28,6 @@
- { number: 2, part_start: 500MiB, name: root }
- name: Create LVM logical volumes
when: filesystem != 'btrfs'
block:
- name: Create LVM volume group
community.general.lvg:
@@ -36,18 +35,51 @@
pvs: "{{ install_drive }}{{ main_partition_suffix }}"
- name: Create LVM logical volumes
when: cis or (not cis and item.lv != 'var_log' and item.lv != 'var_log_audit')
when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
community.general.lvol:
vg: sys
lv: "{{ item.lv }}"
size: "{{ item.size }}"
state: present
loop:
- { lv: root, size: 12G }
- { lv: home, size: 2G }
- { lv: var, size: 2G }
- { lv: var_log, size: 2G }
- { lv: var_log_audit, size: 1.5G }
- lv: root
size: >-
{{ (
(vm_size | float -
((vm_memory | float / 1024 >= 16.0) | ternary(
(vm_memory | float / 2048) | int,
[vm_memory | float / 1024, 4.0] | max
)) - 0.5 -
(cis | bool | ternary(0, 7.5))
) > 12.0
) | ternary(
(vm_size | float * 0.4) | round(0, 'ceil'),
vm_size | float -
((vm_memory | float / 1024 >= 16.0) | ternary(
(vm_memory | float / 2048) | int,
[vm_memory | float / 1024, 4.0] | max
)) - 0.5 -
(cis | bool | ternary(7.5, 0))
) | string + 'G' }}
- lv: swap
size: >-
{{ ((vm_memory | float / 1024 >= 16.0) | ternary(
(vm_memory | float / 2048) | int,
[vm_memory | float / 1024, 4.0] | max
)) | string + 'G' }}
- lv: home
size: "2G"
- lv: var
size: "2G"
- lv: var_log
size: "2G"
- lv: var_log_audit
size: "1.5G"
- name: Create filesystems
block:
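Review bot: the two halves of the root-size expression disagree about CIS: the condition subtracts `cis | bool | ternary(0, 7.5)` (7.5 GiB when CIS is off) while the fallback branch subtracts `ternary(7.5, 0)` (7.5 GiB when CIS is on). The fallback is the correct one, 7.5 being the sum of the home/var/var_log/var_log_audit LVs that only exist under CIS, so change the first `ternary` to `(7.5, 0)`; as written, a CIS build on a small disk (vm_size 30, vm_memory 32768: swap 16, condition sees 13.5 free) takes the `0.4 * vm_size` branch and the volume group runs out of space when the last LV is created, and non-CIS builds land in the wrong branch for some sizes. Even with that fixed, the `0.4 * vm_size` branch is not bounded by the space actually left (vm_size 38, vm_memory 32768 under CIS: 14 GiB free but root becomes 16 GiB), so take `[(vm_size | float * 0.4) | round(0, 'ceil'), remaining] | min`. Computing the swap size once with `set_fact` instead of repeating it three times would make the whole thing readable and testable.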
@@ -58,6 +90,11 @@
opts: -F32 -n BOOT
force: true
- name: Create swap filesystem
community.general.filesystem:
fstype: swap
dev: /dev/sys/swap
- name: Create filesystem
ansible.builtin.include_tasks: "{{ filesystem }}.yml"
@@ -72,12 +109,13 @@
register: main_uuid
- name: Get UUIDs for LVM filesystems
when: filesystem != 'btrfs' and (cis | bool or item not in ['var_log', 'var_log_audit'])
when: cis | bool or item not in ['home', 'var', 'var_log', 'var_log_audit']
ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }}
changed_when: false
register: uuid_result
loop:
- root
- swap
- home
- var
- var_log
@@ -86,16 +124,18 @@
- name: Assign UUIDs to Variables
ansible.builtin.set_fact:
uuid_root: "{{ uuid_result.results[0].stdout_lines }}"
uuid_home: "{{ uuid_result.results[1].stdout_lines }}"
uuid_var: "{{ uuid_result.results[2].stdout_lines }}"
uuid_var_log: "{{ uuid_result.results[3].stdout_lines if cis == true else '' }}"
uuid_var_log_audit: "{{ uuid_result.results[4].stdout_lines if cis == true else '' }}"
when: filesystem != 'btrfs'
uuid_swap: "{{ uuid_result.results[1].stdout_lines }}"
uuid_home: "{{ uuid_result.results[2].stdout_lines if cis | bool else '' }}"
uuid_var: "{{ uuid_result.results[3].stdout_lines if cis | bool else '' }}"
uuid_var_log: "{{ uuid_result.results[4].stdout_lines if cis | bool else '' }}"
uuid_var_log_audit: "{{ uuid_result.results[5].stdout_lines if cis | bool else '' }}"
- name: Mount filesystems
block:
- name: Mount filesystems and subvolumes
when: cis | bool or (not cis and item.path != '/var/log' and item.path != '/var/log/audit')
when:
- cis | bool or (not cis and (item.path == '/var/log' and filesystem == 'btrfs')
or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit']))
ansible.posix.mount:
path: /mnt{{ item.path }}
src: "{{ 'UUID=' + (main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}"
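Review bot: `Assign UUIDs to Variables` maps results by position (`results[0]` through `results[5]`), so the mapping silently breaks whenever the `loop` in `Get UUIDs for LVM filesystems` is reordered or extended, as this very change shows by shifting every index to make room for `swap`; build a dict keyed on the loop item instead, e.g. `lv_uuid: "{{ uuid_result.results | selectattr('stdout', 'defined') | items2dict(key_name='item', value_name='stdout') }}"`, and look up `lv_uuid['home'] | default(omit)` in the mount loop. The `if cis | bool else ''` guards then become unnecessary because skipped items have no `stdout`.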
@@ -105,23 +145,20 @@
loop:
- path: ""
uuid: "{{ uuid_root[0] | default(omit) }}"
opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}"
opts: "defaults"
- path: /home
uuid: "{{ uuid_home[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}"
- path: /var
uuid: "{{ uuid_var[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}"
opts: "defaults,nosuid,nodev"
- path: /var/log
uuid: "{{ uuid_var_log[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}"
opts: "defaults,nosuid,nodev,noexec"
- path: /var/log/audit
uuid: "{{ uuid_var_log_audit[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}"
opts: "defaults,nosuid,nodev,noexec"
- name: Mount tmp and var_tmp filesystems
ansible.posix.mount:
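Review bot: the `when` on `Mount filesystems and subvolumes` still special-cases `filesystem == 'btrfs'` for `/var/log` although the btrfs task file and every btrfs mount option were removed in this change, and the `not cis and (...)` clause is redundant behind the leading `cis | bool or`; the condition reduces to `when: cis | bool or item.path not in ['/home', '/var', '/var/log', '/var/log/audit']`, which is what the LV creation and UUID tasks already use. The mount options themselves are right for a CIS layout: `nosuid,nodev` on `/home` and `/var`, `noexec` added on `/var/log` and `/var/log/audit`.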
@@ -136,7 +173,12 @@
- name: Mount boot filesystem
ansible.posix.mount:
path: "{{ '/mnt/boot/efi' if os | lower in ['rhel8', 'ubuntu', 'ubuntu-lts'] else '/mnt/boot' }}"
path: "{{ '/mnt/boot/efi' if os | lower in ['rhel8'] else '/mnt/boot' }}"
src: UUID={{ boot_uuid.stdout }}
fstype: vfat
state: mounted
- name: Activate swap
ansible.builtin.command: "{{ 'swapon -U ' + uuid_swap[0] }}"
changed_when: result.rc == 0
register: result


@@ -1,6 +1,6 @@
---
- name: Create and format XFS logical volumes
when: cis | bool or item.lv not in ['var_log', 'var_log_audit']
when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
community.general.filesystem:
dev: /dev/sys/{{ item.lv }}
fstype: xfs


@@ -1,50 +0,0 @@
---
- name: Check if VM disk exists
delegate_to: localhost
ansible.builtin.stat:
path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2"
register: vm_disk_stat
- name: Create VM disk
when: not vm_disk_stat.stat.exists
delegate_to: localhost
ansible.builtin.command: qemu-img create -f qcow2 {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2 {{ vm_size }}G
changed_when: result.rc == 0
register: result
- name: Generate Random MAC Address
delegate_to: localhost
ansible.builtin.shell: set -o pipefail && openssl rand -hex 5 | sed 's/\(..\)/\1:/g; s/.$//' | sed 's/^/02:/'
changed_when: false
register: mac_address_output
- name: Render cloud config templates
delegate_to: localhost
ansible.builtin.template:
src: "{{ item.src }}"
dest: /tmp/{{ item.dest_prefix }}-{{ hostname }}.yml
mode: '0644'
loop:
- { src: cloud-user-data.yml.j2, dest_prefix: cloud-user-data }
- { src: cloud-network-config.yml.j2, dest_prefix: cloud-network-config }
- name: Create cloud-init disk
delegate_to: localhost
ansible.builtin.command: >
cloud-localds {{ vm_path | default('/var/lib/libvirt/images/') }}/{{ hostname }}-cloudinit.iso
/tmp/cloud-user-data-{{ hostname }}.yml
-N /tmp/cloud-network-config-{{ hostname }}.yml
changed_when: result.rc == 0
register: result
- name: Create VM using libvirt
delegate_to: localhost
community.libvirt.virt:
command: define
xml: "{{ lookup('template', 'vm.xml.j2') }}"
- name: Start vm
delegate_to: localhost
community.libvirt.virt:
name: "{{ hostname }}"
state: running


@@ -1,51 +0,0 @@
---
- name: Deploy VM on Proxmox
delegate_to: localhost
community.general.proxmox_kvm:
api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}"
ciuser: "{{ user_name }}"
cipassword: "{{ user_password }}"
ciupgrade: false
node: "{{ hypervisor_node }}"
vmid: "{{ vm_id }}"
name: "{{ hostname }}"
cpu: host
cores: "{{ vm_cpus }}"
memory: "{{ vm_memory }}"
balloon: "{{ vm_ballo | default(omit) }}"
numa_enabled: true
hotplug: network,disk
bios: ovmf
boot: ac
scsihw: virtio-scsi-single
scsi:
scsi0: "{{ hypervisor_storage }}:{{ vm_size }}"
efidisk0:
efitype: 4m
format: raw
pre_enrolled_keys: false
storage: "{{ hypervisor_storage }}"
ide:
ide0: "{{ boot_iso }},media=cdrom"
ide1: "{{ rhel_iso | default(omit) }},media=cdrom"
ide2: "{{ hypervisor_storage }}:cloudinit"
net:
net0: virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %}
ipconfig:
ipconfig0: ip={{ vm_ip }},gw={{ vm_gw }}
nameservers: "{{ vm_dns }}"
onboot: true
state: present
- name: Start VM on Proxmox
delegate_to: localhost
community.general.proxmox_kvm:
api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}"
node: "{{ hypervisor_node }}"
name: "{{ hostname }}"
vmid: "{{ vm_id }}"
state: started
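Review bot: with the libvirt and Proxmox task files deleted, nothing validates the `hypervisor` variable any more, and the remaining bootstrap tasks are guarded by `when: hypervisor == "vmware"` (`Setect Interface`, `Set IP-Address`, `Set Default Gateway`), so a host_vars file that still says `proxmox` or `libvirt` skips the network setup and fails much later with an unhelpful connection timeout; add an `ansible.builtin.assert` with `that: hypervisor == 'vmware'` at the start of the play, and prune the Proxmox-only `hypervisor_node`/`hypervisor_storage` keys from the example host_vars. Removing the `ciuser`/`cipassword` and `sudo: ALL=(ALL) NOPASSWD:ALL` cloud-init path with these files is a welcome reduction of installer-time credentials.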


@@ -26,16 +26,11 @@
controller_type: sata
state: present
type: iso
iso_path: "{{ rhel_iso | default(omit) }}"
- controller_number: 0
unit_number: 1
controller_type: sata
state: present
type: iso
iso_path: "{{ boot_iso }}"
networks:
- vlan: "{{ vlan_name }}"
- name: "{{ vm_nif }}"
type: dhcp
vlan: "{{ vlan_name | default(omit) }}"
register: vmware_guest_result
failed_when:
- vmware_guest_result.failed is defined and vmware_guest_result.failed
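Review bot: the new `networks` entry says `type: dhcp`, but the VM is addressed statically (`vm_ip`/`vm_gw` in host_vars, `ip addr replace` in the bootstrap tasks); `type` under `networks` in `vmware_guest` is consumed by guest customization, which applies when cloning from a template rather than to a VM created from scratch and booted from an ISO, so the value is inert here but reads as if DHCP were in use. Either drop it or note that it is ignored. The `failed_when: vmware_guest_result.failed is defined and vmware_guest_result.failed` is equivalent to the module's default failure handling and can go as well.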


@@ -1,11 +0,0 @@
network:
version: 2
ethernets:
id0:
match:
macaddress: "{{ mac_address_output.stdout }}"
addresses:
- "{{ vm_ip }}"
gateway4: "{{ vm_gw }}"
nameservers:
addresses: ['1.1.1.1', '1.0.0.1']


@@ -1,10 +0,0 @@
#cloud-config
hostname: "archiso"
ssh_pwauth: true
users:
- name: "{{ user_name }}"
primary_group: "{{ user_name }}"
groups: users
sudo: ALL=(ALL) NOPASSWD:ALL
passwd: "{{ user_password | password_hash('sha512') }}"
lock_passwd: False


@@ -1,62 +0,0 @@
<domain type='kvm'>
<name>{{ hostname }}</name>
<memory>{{ vm_memory | int * 1024 }}</memory>
{% if vm_ballo is defined %}<currentMemory>{{ vm_ballo | int * 1024 }}</currentMemory>{% endif %}
<vcpu placement='static'>{{ vm_cpus }}</vcpu>
<os>
<type arch='x86_64' machine="pc-q35-8.0">hvm</type>
<bootmenu enable='no'/>
<boot dev='hd'/>
<boot dev='cdrom'/>
<loader readonly="yes" type="pflash">/usr/share/edk2/x64/OVMF_CODE.secboot.fd</loader>
<nvram template="/usr/share/edk2/x64/OVMF_VARS.fd"/>
</os>
<features>
<acpi/>
<apic/>
<pae/>
</features>
<cpu mode="host-passthrough" check="none" migratable="on"/>
<clock offset="utc"/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2'/>
<target dev='vda' bus='virtio'/>
</disk>
<disk type="file" device="cdrom">
<driver name="qemu" type="raw"/>
<source file="{{ boot_iso }}"/>
<target dev="sda" bus="sata"/>
</disk>
<disk type="file" device="cdrom">
<driver name="qemu" type="raw"/>
<source file="{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso"/>
<target dev="sdb" bus="sata"/>
</disk>
{% if rhel_iso is defined %}
<disk type="file" device="cdrom">
<driver name="qemu" type="raw"/>
<source file="{{ rhel_iso }}"/>
<target dev="sdc" bus="sata"/>
</disk>
{% endif %}
<interface type='network'>
<mac address="{{ mac_address_output.stdout }}"/>
<source network='default'/>
<model type='virtio'/>
</interface>
<input type="tablet" bus="usb"/>
<input type="mouse" bus="ps2"/>
<input type="keyboard" bus="ps2"/>
<graphics type='spice' autoport="yes">
<listen type="address"/>
</graphics>
<video>
<model type="virtio" heads="1" primary="yes"/>
</video>
</devices>
</domain>


@@ -1,43 +0,0 @@
[alma-appstream]
name=AlmaLinux $releasever - AppStream
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/appstream
# baseurl=https://repo.almalinux.org/almalinux/$releasever/AppStream/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=1
[alma-baseos]
name=AlmaLinux $releasever - BaseOS
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos
# baseurl=https://repo.almalinux.org/almalinux/$releasever/BaseOS/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=1
[alma-extras]
name=AlmaLinux $releasever - Extras
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/extras
# baseurl=https://repo.almalinux.org/almalinux/$releasever/extras/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=0
[alma-highavailability]
name=AlmaLinux $releasever - HighAvailability
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/highavailability
# baseurl=https://repo.almalinux.org/almalinux/$releasever/HighAvailability/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=0


@@ -1,25 +0,0 @@
[fedora]
name=Fedora $releasever - $basearch
#baseurl=http://download.example/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
countme=1
metadata_expire=86400
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=https://getfedora.org/static/fedora.gpg
skip_if_unavailable=False
[fedora-updates]
name=Fedora $releasever - $basearch - Updates
#baseurl=http://download.example/pub/fedora/linux/updates/$releasever/Everything/$basearch/
metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
enabled=1
countme=1
repo_gpgcheck=0
type=rpm
gpgcheck=1
metadata_expire=86400
gpgkey=https://getfedora.org/static/fedora.gpg
skip_if_unavailable=False


@@ -1,10 +0,0 @@
[rocky-baseos]
name=Rocky Linux $releasever - BaseOS
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/os/
gpgcheck=1
enabled=1
countme=1
gpgkey=https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-$releasever
metadata_expire=86400
enabled_metadata=1
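Review bot: with the AlmaLinux, Fedora and Rocky repo files deleted, the `Configure RHEL Repos for installation` task still lists `almalinux`, `fedora` and `rocky` in its `when`, so those `os` values pass the condition even though their repo definitions no longer exist; narrow the list to `rhel8`/`rhel9` (or assert on `os` up front) so an unsupported value is rejected with a clear message. The removed files all had `gpgcheck=1` with an https `gpgkey`; whatever RHEL repo files are written in their place should keep that property.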


@@ -1,9 +1,4 @@
ansible_user: "{{ user_name }}"
ansible_password: "{{ user_password }}"
ansible_become_password: "{{ user_password }}"
ansible_ssh_extra_args: '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
vm_ip: "{{ inventory_hostname }}/24"
vm_ip: "{{ inventory_hostname }}/{{ vm_nms }}"
install_type: "virtual"
cis: false
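Review bot: `vm_ip: "{{ inventory_hostname }}/{{ vm_nms }}"` now hard-requires `vm_nms`, while `Set IP-Address` in the bootstrap tasks uses `vm_nms | default(24)`; a host without `vm_nms` therefore gets a /24 on the live system but an undefined-variable error when `network.j2` renders `address={{ vm_ip }}`, which happens after the disk has been wiped. Use the same `default(24)` here, or drop the default there so the failure happens before any destructive step. Removing the example `ansible_user`/`ansible_password`/`ansible_become_password` lines from host_vars is a good move; whatever replaces them belongs in an `ansible-vault` encrypted file rather than a committed example.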
@@ -12,5 +7,14 @@ hypervisor_username: "root@pam"
hypervisor_password: "SomePassword"
hypervisor_node: "NodeName"
hypervisor_storage: "local-btrfs"
boot_iso: "local-btrfs:iso/archlinux-x86_64.iso"
rhel_iso: "local-btrfs:rhel-9.4-x86_64-dvd.iso"
boot_iso: "local-btrfs:rhel-9.4-x86_64-dvd.iso"
# For VMware-Tools
ansible_vmware_host: "{{ hypervisor_url }}"
ansible_vmware_user: "{{ hypervisor_username }}"
ansible_vmware_password: "{{ hypervisor_password }}"
ansible_vmware_guest_path: "/{{ hypervisor_cluster }}/vm{{ vm_path }}/{{ hostname }}"
ansible_vmware_validate_certs: no
ansible_vmware_tools_user: "root"
ansible_vmware_tools_password: ""
vmware_ssh: true
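Review bot: `ansible_vmware_validate_certs: no` turns off TLS verification for every VMware Tools connection to `hypervisor_url`, so `hypervisor_password` (shown here as a plain-text `"SomePassword"`) is exposed to anyone who can interpose on the path to vCenter/ESXi; set it to `true` and distribute the CA certificate, or at least make the `no` an explicit, commented per-host override, and keep the password in an `ansible-vault` encrypted vars file rather than in committed host_vars. `ansible_vmware_tools_password: ""` together with `vmware_ssh: true` also ties this file to the empty-root-password step in the bootstrap tasks; if that step is changed to a generated password, this is where it would be fed in.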