Add Debian 13 (Trixie) support

without the key, and key cannot be set otherwise awx refuses connection

README.md

@@ -3,27 +3,33 @@
 An Ansible playbook for automating system bootstrap processes in an Infrastructure-as-Code manner, utilizing ArchISO as the foundational tool.
 
 # Info
+
 Most of the roles are adaptable for use with systems beyond ArchLinux, requiring only that the target system can install a necessary package manager, such as `dnf` for RHEL-based systems. Additionally, a replacement for the `arch-chroot` command may be required for these systems.
 
 **NOTE**:
-- RHEL Systems are not currently supported due to restricted access to their repositories.
+
-  A workaround could involve using an ISO as a local repository or setting up a proxy repository to facilitate access.
+- For RHEL 8 and RHEL 9, repository access requires the `rhel_iso` variable. This variable specifies a local ISO or proxy repository.
+- RHEL systems do not support `btrfs`. Use `ext4` or `xfs` as alternatives.
+- For RHEL 8, `xfs` may cause installation issues; `ext4` is recommended.
 
 # Supported Distributions
 
 This playbook supports multiple Linux distributions with specific versions tailored to each. Below is a list of supported distributions:
 
 | `os`       | Distribution                       |
-|------------|------------------------------------|
+| ---------- | ---------------------------------- |
 | archlinux  | ArchLinux (Latest rolling release) |
 | almalinux  | AlmaLinux 9.x                      |
 | debian11   | Debian 11 (Bullseye)               |
 | debian12   | Debian 12 (Bookworm)               |
-| fedora     | Fedora 40                          |
+| debian13   | Debian 13 (Trixie)                 |
+| fedora     | Fedora 42                          |
+| rhel8      | Red Hat Enterprise Linux 8         |
+| rhel9      | Red Hat Enterprise Linux 9         |
+| rhel10     | Red Hat Enterprise Linux 10        |
 | rocky      | Rocky Linux 9.x                    |
-| ubuntu     | Ubuntu 23.10 (Mantic Minotaur)     |
+| ubuntu     | Ubuntu 25.04 (Plucky Puffin)       |
-| ubuntu-lts | Ubuntu 22.04 LTS (Jammy Jellyfish) |
+| ubuntu-lts | Ubuntu 24.04 LTS (Noble Numbat)    |
-
 
 # Documentation
 
@@ -46,9 +52,12 @@ The playbook uses the ArchLinux ISO as a foundational tool to provides an effici
 Global variables apply across your Ansible project and are loaded from `vars.yml` by default. These variables define common settings such as hypervisor connection details and the boot ISO path. They can be overridden by inventory variables for specific hosts or VMs if needed.
 
 | Variable                | Description                                                | Example Value                             |
-|-----------------------|--------------------------------------------------------------------|-----------------------------------------|
+| ----------------------- | ---------------------------------------------------------- | ----------------------------------------- |
 | `boot_iso`              | Path to the boot ISO image.                                | `local-btrfs:iso/archlinux-x86_64.iso`    |
+| `rhel_iso`              | Path to the RHEL ISO file, required for RHEL 8 and RHEL 9. | `local-btrfs:iso/rhel-9.4-x86_64-dvd.iso` |
 | `hypervisor`            | Type of hypervisor.                                        | `libvirt`, `proxmox`, `vmware`, `none`    |
+| `vmware_ssh`            | If Ansible should use SSH after base VM setup on VMware.   | `true`, `false (default)`                 |
+| `hypervisor_datacenter` | Name of the hypervisor datacenter.                         | `default-datacenter`                      |
 | `hypervisor_cluster`    | Name of the hypervisor cluster.                            | `default-cluster`                         |
 | `hypervisor_node`       | Hypervisor node name.                                      | `node01`                                  |
 | `hypervisor_password`   | Password for hypervisor authentication.                    | `123456`                                  |
@@ -59,25 +68,32 @@ Global variables apply across your Ansible project and are loaded from `vars.yml
 | `install_type`          | Type of installation.                                      | `virtual`, `physical`                     |
 | `vlan_name` (optional)  | VLAN for the VM's network interface.                       | `vlan100`                                 |
 
+To protect sensitive information, such as passwords, API keys, and other confidential variables (e.g., `hypervisor_password`), **it is recommended to use Ansible Vault**.
+
 ## 3. Inventory Variables
 
 Inventory variables are defined for individual hosts or VMs in the inventory file, allowing customization of settings such as the operating system, filesystem, and compliance with CIS benchmarks. These variables can be set globally and overridden for specific hosts or VMs.
 
 | Variable              | Description                                                                      | Example Value                                                                                                           |
-|-------------------------|-----------------------------------------------------------------------------------|----------------------------------------------------|
+| --------------------- | -------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
 | `cis` (optional)      | Adjusts the installation to be CIS level 3 conformant.                           | `true`, `false`                                                                                                         |
+| `selinux` (optional)  | Toggle SELinux, `false` means it should be disabled.`                            | `true`, `false`                                                                                                         |
 | `filesystem`          | Filesystem type for the VM's primary storage.                                    | `btrfs`, `ext4`, `xfs`                                                                                                  |
 | `hostname`            | The hostname assigned to the virtual machine or system.                          | `vm01`                                                                                                                  |
-| `os`                    | Operating system to be installed on the VM.                                       | `archlinux`, `almalinux`, `debian11`, `debian12`, `fedora`, `rocky`, `ubuntu`, `ubuntu-lts` |
+| `os`                  | Operating system to be installed on the VM.                                      | `archlinux`, `almalinux`, `debian11`, `debian12`, `fedora`, `rhel8`, `rhel9`, `rhel10`, `rocky`, `ubuntu`, `ubuntu-lts` |
 | `root_password`       | Root password for the VM or system, used for initial setup or secure access.     | `SecurePass123`                                                                                                         |
 | `user_name`           | Username for a user account within the VM, often used with cloud-init.           | `adminuser`                                                                                                             |
 | `user_password`       | Password for the user account within the VM.                                     | `UserPass123`                                                                                                           |
+| `user_public_key`     | SSH Key for the user account within the VM.                                      | `ssh-ed25519 AAAAC`                                                                                                     |
 | `vm_ballo` (optional) | Ballooning memory size for the VM, used to adjust memory allocation dynamically. | `2048`                                                                                                                  |
 | `vm_cpus`             | Number of CPU cores assigned to the virtual machine.                             | `4`                                                                                                                     |
 | `vm_dns`              | DNS server IP address(es) for the virtual machine's network configuration.       | `1.0.0.1`, `1.1.1.1`                                                                                                    |
+| `vm_dns_search`       | DNS search zone for the virtual machine's network configuration.                 | `example.com`                                                                                                           |
 | `vm_gw`               | Default gateway IP address for the virtual machine's network configuration.      | `192.168.0.1`                                                                                                           |
 | `vm_id`               | Unique identifier for the virtual machine.                                       | `101`                                                                                                                   |
 | `vm_ip`               | IP address assigned to the virtual machine.                                      | `192.168.0.10`                                                                                                          |
+| `vm_nm` (optional)    | IP address netmask assigned to the virtual machine.                              | `255.255.255.0`                                                                                                         |
+| `vm_nms` (optional)   | IP address netmask assigned to the virtual machine.                              | `24`                                                                                                                    |
 | `vm_memory`           | Amount of memory (in MB) allocated to the virtual machine.                       | `2048`                                                                                                                  |
 | `vm_nif`              | Network interface type or identifier for the VM's network connection.            | `vmbr0`                                                                                                                 |
 | `vm_path (optional)`  | Path or folder where the VM configuration or related files will be stored.       | `/var/lib/libvirt/images/`                                                                                              |

inventory_example.ini

@@ -1,29 +0,0 @@
-[promox-kvm]
-192.168.122.10
-192.168.122.11
-
-[promox-kvm:vars]
-vm_gw=192.168.122.1
-vm_dns=1.1.1.1
-
-[192.168.122.10]
-hostname=proxy
-vm_id=300
-os=archlinux
-filesystem=btrfs
-vm_memory=2048
-vm_ballo=1024
-vm_cpus=2
-vm_size=5
-vm_nif=vmbr1
-
-[192.168.122.11]
-hostname=database
-vm_id=101
-os=archlinux
-filesystem=btrfs
-vm_memory=6144
-vm_ballo=3072
-vm_cpus=4
-vm_size=40
-vm_nif=vmbr1

inventory_example.yml

@@ -1,4 +1,9 @@
 all:
+  vars:
+    hypervisor: 'proxmox'
+    install_drive: '/dev/sda'
+    cis: true
+    boot_iso: "local-btrfs:iso/archlinux-x86_64.iso"
   children:
       promox-kvm:
         hosts:
@@ -14,11 +19,12 @@ all:
             vm_nif: vmbr1
             vm_gw: 192.168.122.1
             vm_dns: 1.1.1.1
+            vm_dns_search: "example.com"
           192.168.122.11:
             hostname: database
             vm_id: 101
-            os: archlinux
+            os: rhel9
-            filesystem: btrfs
+            filesystem: xfs
             vm_memory: "6144"
             vm_ballo: "3072"
             vm_cpus: "4"
@@ -26,3 +32,4 @@ all:
             vm_nif: vmbr1
             vm_gw: 192.168.122.1
             vm_dns: 1.1.1.1
+            rhel_iso: "local-btrfs:iso/rhel-9.4-x86_64-dvd.iso"

main.yml

@@ -10,6 +10,11 @@
         What is your username?
       private: false
 
+    - name: user_public_key
+      prompt: |
+        What is your ssh key?
+      private: false
+
     - name: user_password
       prompt: |
         What is your password?
@@ -19,36 +24,36 @@
       prompt: |
         What is your root password?
       confirm: true
-
-    - name: hypervisor
-      prompt: |
-        Select an Hypervisor:
-        - libvirt
-        - proxmox
-        - vmware
-      private: false
-      default: proxmox
-
-    - name: install_drive
-      prompt: |
-        "Enter the drive to install the system (default: /dev/sda)"
-      confirm: true
-      private: false
-      default: /dev/sda
   vars_files: vars.yml
   pre_tasks:
     - name: Set ansible_python_interpreter
-      when: os | lower in ["almalinux", "rhel9", "rhel8", "rocky"]
+      when: os | lower in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"]
       ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
 
+    - name: Set default variables
+      ansible.builtin.set_fact:
+        cis: false
+
+    - name: Set SSH Access
+      when: hypervisor != "vmware"
+      ansible.builtin.set_fact:
+        ansible_user: "{{ user_name }}"
+        ansible_password: "{{ user_password }}"
+        ansible_become_password: "{{ user_password }}"
+        ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
     - name: Validate variables
       ansible.builtin.assert:
         that:
           - hypervisor in ["libvirt", "proxmox", "vmware", "none"]
           - filesystem in ["btrfs", "ext4", "xfs"]
-          - os in ["archlinux", "almalinux", "debian11", "debian12", "fedora", "rocky", "ubuntu", "ubuntu-lts"]
+          - install_drive is defined
-        fail_msg: Invalid input specified, please try again
+          - os in ["archlinux", "almalinux", "debian11", "debian12", "debian13", "fedora", "rhel8", "rhel9", "rhel10", "rocky", "ubuntu", "ubuntu-lts"]
+          - os not in ["rhel8", "rhel9", "rhel10"] or rhel_iso is defined
+          - (filesystem == "btrfs" and (vm_size | int) >= 10) or (filesystem != "btrfs" and (vm_size | int) >= 20)
+          - (vm_size | float) >= ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory | float / 2048), [vm_memory | float / 1024, 4.0] | max) + 16)
+        fail_msg: Invalid input specified, please try again.
 
     - name: Set connection
       when: hypervisor == "vmware"
@@ -76,7 +81,7 @@
     - role: configuration
 
     - role: cis
-      when: cis == true
+      when: cis | bool
 
     - role: cleanup
       when: install_type == "virtual"
@@ -84,7 +89,15 @@
         ansible_connection: local
 
   tasks:
-    - name: Reboot system
+    - name: Set final SSH Credentials
-      when: hypervisor != "libvirt"
+      when: hypervisor != 'vmware' or (hypervisor == 'vmware' and vmware_ssh | bool)
-      ansible.builtin.command: reboot
+      ansible.builtin.set_fact:
-      ignore_errors: true
+        ansible_user: "{{ user_name }}"
+        ansible_password: "{{ user_password }}"
+        ansible_become_password: "{{ user_password }}"
+        ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+    - name: Check if VM is back and running
+      when: not (hypervisor == 'vmware' and cis | bool)
+      ansible.builtin.wait_for_connection:
+        timeout: 300

roles/bootstrap/tasks/main.yml

@@ -1,65 +1,101 @@
 ---
-- name: Include Packages
-  ansible.builtin.include_vars:
-    file: packages.yml
-    name: role_packages
-
 - name: Run OS-specific bootstrap process
   block:
     - name: Bootstrap ArchLinux
       when: os | lower == 'archlinux'
-      ansible.builtin.command: pacstrap /mnt {{ role_packages.archlinux | join(' ') }} --asexplicit
+      ansible.builtin.command: pacstrap /mnt {{ archlinux | join(' ') }} --asexplicit
+      changed_when: result.rc == 0
+      register: result
+
     - name: Bootstrap Debian System
-      when: os | lower in ['debian11', 'debian12']
+      when: os | lower in ['debian11', 'debian12', 'debian13']
       ansible.builtin.command: "{{ item }}"
+      changed_when: result.rc == 0
+      register: result
       with_items:
-        - |
+        - debootstrap --include={{ vars[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' if os == 'debian12' else 'trixie' }}
-          debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }} \
           /mnt http://deb.debian.org/debian/
-        - arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
+        - arch-chroot /mnt apt install -y {{ vars[os].extra | join(' ') }}
         - arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data
 
     - name: Bootstrap Ubuntu System
       when: os | lower in ['ubuntu', 'ubuntu-lts']
       ansible.builtin.command: "{{ item }}"
+      changed_when: result.rc == 0
+      register: result
       with_items:
-        - |
+        - debootstrap --include={{ vars[os].base | join(',') }} {{ 'plucky' if os == 'ubuntu' else 'noble' }}
-          debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'mantic' if os == 'ubuntu' else 'jammy' }} \
           /mnt http://archive.ubuntu.com/ubuntu/
+        - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
         - arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
         - arch-chroot /mnt apt update -y
-        - arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
+        - arch-chroot /mnt apt install -y {{ vars[os].extra | join(' ') }}
 
     - name: Bootstrap AlmaLinux 9
       when: os | lower == 'almalinux'
       ansible.builtin.command: "{{ item }}"
+      changed_when: result.rc == 0
+      register: result
       with_items:
         - dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
-        - echo "nameserver 1.0.0.1" > /mnt/etc/resolv.conf
+        - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
-        - arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.almalinux | join(' ') }}
+        - arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ almalinux | join(' ') }}
 
-    - name: Bootstrap Fedora 40
+    - name: Bootstrap Fedora 42
       when: os | lower == 'fedora'
       ansible.builtin.command: "{{ item }}"
+      changed_when: result.rc == 0
+      register: result
       with_items:
-        - |
+        - dnf --releasever=42 --best --repo=fedora --repo=fedora-updates
-          dnf --releasever=40 --best --repo=fedora --repo=fedora-updates \
           --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
-        - arch-chroot /mnt dnf --releasever=40 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }}
+        - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
+        - arch-chroot /mnt dnf --releasever=42 --setopt=install_weak_deps=False install -y {{ fedora | join(' ') }}
         - arch-chroot /mnt dnf reinstall -y kernel-core
 
     - name: Bootstrap RockyLinux 9
       when: os | lower == 'rocky'
       ansible.builtin.command: "{{ item }}"
+      changed_when: result.rc == 0
+      register: result
       with_items:
-        - dnf --releasever=9 --best --repo=rocky-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
+        - dnf --releasever=9 --best --repo=rocky-baseos --installroot=/mnt
-        - echo "nameserver 1.0.0.1" > /mnt/etc/resolv.conf
+          --setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
-        - arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.rocky | join(' ') }}
+          groupinstall -y base core
+        - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
+        - arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ rocky | join(' ') }}
 
     - name: Bootstrap RHEL System
-      when: os | lower in ['rhel8', 'rhel9']
+      when: os | lower in ['rhel8', 'rhel9', 'rhel10']
-      ansible.builtin.command: "{{ item }}"
+      block:
-      with_items:
+        - name: Install base packages in chroot environment
-        - dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
+          ansible.builtin.command: >-
-        - echo 'nameserver 1.0.0.1' > /mnt/etc/resolv.conf
+            dnf --releasever={{ os | lower | replace('rhel', '') }} --repo={{ os | lower }}-baseos
-        - arch-chroot /mnt dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --setopt=install_weak_deps=False install -y {{ role_packages[os] | join(' ') }}
+            --installroot=/mnt
+            --setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
+            groupinstall -y core base standard
+          changed_when: result.rc == 0
+          register: result
+
+        - name: Prepare chroot environment
+          ansible.builtin.shell: |
+            ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
+            mkdir -p /mnt/usr/local/install/redhat/dvd
+            mount --bind /usr/local/install/redhat/dvd /mnt/usr/local/install/redhat/dvd
+            arch-chroot /mnt rpm --rebuilddb
+          changed_when: result.rc == 0
+          register: result
+
+        - name: Copy RHEL repo file into chroot environment
+          ansible.builtin.copy:
+            src: /etc/yum.repos.d/{{ os | lower }}.repo
+            dest: /mnt/etc/yum.repos.d/redhat.repo
+            mode: "0644"
+            remote_src: true
+
+        - name: Install additional packages in chroot
+          ansible.builtin.command: >-
+            arch-chroot /mnt dnf --releasever={{ os | lower | replace('rhel', '') }}
+            --setopt=install_weak_deps=False install -y {{ vars[os] | join(' ') }}
+          changed_when: result.rc == 0
+          register: result

roles/bootstrap/vars/main.yml

@@ -1,7 +1,5 @@
----
 almalinux:
   - bind-utils
-  - cloud-init
   - dbus-daemon
   - dhcp-client
   - efibootmgr
@@ -14,23 +12,26 @@ almalinux:
   - nc
   - nfs-utils
   - nfsv4-client-utils
+  - mtr
   - open-vm-tools
   - ppp
   - shim
-  - telnet
+  - tmux
   - vim
   - wget
+  - zram-generator
   - zstd
 
 archlinux:
   - base
   - btrfs-progs
-  - cloud-init
   - cronie
   - dhcpcd
   - efibootmgr
+  - fastfetch
   - firewalld
   - fish
+  - fzf
   - grub
   - htop
   - libpwquality
@@ -40,21 +41,22 @@ archlinux:
   - lsof
   - lvm2
   - ncdu
-  - neofetch
   - networkmanager
   - nfs-utils
-  - openssh
   - open-vm-tools
+  - openssh
   - ppp
   - prometheus-node-exporter
   - python-psycopg2
   - qemu-guest-agent
   - reflector
   - rsync
-  - screen
   - sudo
+  - tldr
+  - tmux
   - vim
   - wireguard-tools
+  - zram-generator
 
 debian11:
   base:
@@ -77,23 +79,29 @@ debian11:
     - xfsprogs
 
   extra:
-    - cloud-init
+    - bat
     - curl
+    - entr
     - firewalld
     - fish
+    - fzf
     - htop
+    - jq
     - libpam-pwquality
     - lrzsz
+    - mtr
     - ncdu
     - neofetch
     - network-manager
     - open-vm-tools
     - python-is-python3
+    - ripgrep
     - rsync
     - screen
     - software-properties-common
     - syslog-ng
     - tcpd
+    - tldr
     - vim
     - wget
     - zstd
@@ -114,15 +122,20 @@ debian12:
 
   extra:
     - apparmor-utils
+    - bat
     - chrony
-    - cloud-init
     - curl
+    - duf
+    - entr
     - firewalld
     - fish
+    - fzf
     - htop
+    - jq
     - libpam-pwquality
     - logrotate
     - lrzsz
+    - mtr
     - ncdu
     - neofetch
     - net-tools
@@ -131,27 +144,85 @@ debian12:
     - openssh-server
     - python-is-python3
     - python3
+    - ripgrep
     - rsync
     - screen
     - software-properties-common
     - sudo
     - syslog-ng
+    - systemd-zram-generator
+    - tcpd
+    - tldr
+    - vim
+    - wget
+    - zstd
+
+debian13:
+  base:
+    - btrfs-progs
+    - cron
+    - gnupg
+    - grub-efi
+    - grub-efi-amd64-signed
+    - grub2-common
+    - linux-image-amd64
+    - locales
+    - logrotate
+    - lvm2
+    - xfsprogs
+
+  extra:
+    - apparmor-utils
+    - bat
+    - chrony
+    - curl
+    - duf
+    - entr
+    - fastfetch
+    - firewalld
+    - fish
+    - fzf
+    - htop
+    - jq
+    - libpam-pwquality
+    - logrotate
+    - lrzsz
+    - mtr
+    - ncdu
+    - net-tools
+    - network-manager
+    - open-vm-tools
+    - openssh-server
+    - python-is-python3
+    - python3
+    - ripgrep
+    - rsync
+    - screen
+    - sudo
+    - syslog-ng
+    - systemd-zram-generator
     - tcpd
     - vim
     - wget
     - zstd
 
 fedora:
+  - bat
   - bind-utils
   - btrfs-progs
-  - cloud-init
   - cronie
   - dhcp-client
+  - duf
   - efibootmgr
+  - entr
+  - fish
+  - fzf
   - glibc-langpack-de
   - glibc-langpack-en
   - grub2
   - grub2-efi
+  - htop
+  - iperf3
   - logrotate
   - lrzsz
   - lvm2
@@ -161,43 +232,84 @@ fedora:
   - open-vm-tools
   - polkit
   - ppp
+  - ripgrep
   - shim
-  - telnet
+  - tmux
   - vim-default-editor
   - wget
+  - zoxide
+  - zram-generator
   - zstd
 
 rhel8:
-  - cloud-init
+  - bind-utils
   - dhcp-client
   - efibootmgr
+  - glibc-langpack-de
+  - glibc-langpack-en
   - grub2
-  - grub2-efi
+  - grub2-efi-x64
+  - grub2-tools-extra
   - lrzsz
   - lvm2
+  - mtr
+  - ncurses-term
   - nfs-utils
   - open-vm-tools
+  - policycoreutils-python-utils
+  - python39
   - shim
-  - telnet
+  - tmux
+  - vim
   - zstd
 
 rhel9:
-  - cloud-init
+  - bind-utils
   - dhcp-client
   - efibootmgr
+  - glibc-langpack-de
+  - glibc-langpack-en
   - grub2
   - grub2-efi
+  - grub2-tools-extra
   - lrzsz
   - lvm2
+  - mtr
+  - ncurses-term
   - nfs-utils
   - open-vm-tools
+  - policycoreutils-python-utils
+  - python
   - shim
-  - telnet
+  - tmux
+  - vim
+  - zram-generator
+  - zstd
+
+rhel10:
+  - bind-utils
+  - efibootmgr
+  - glibc-langpack-de
+  - glibc-langpack-en
+  - grub2
+  - grub2-efi
+  - kernel
+  - lrzsz
+  - lvm2
+  - mtr
+  - ncurses-term
+  - nfs-utils
+  - open-vm-tools
+  - policycoreutils-python-utils
+  - python
+  - shim
+  - tmux
+  - vim
+  - zram-generator
   - zstd
 
 rocky:
   - bind-utils
-  - cloud-init
   - dbus-daemon
   - dhcp-client
   - efibootmgr
@@ -207,6 +319,7 @@ rocky:
   - grub2-efi
   - lrzsz
   - lvm2
+  - mtr
   - nc
   - nfs-utils
   - nfsv4-client-utils
@@ -214,9 +327,11 @@ rocky:
   - ppp
   - shim
   - telnet
+  - tmux
   - util-linux-core
   - vim
   - wget
+  - zram-generator
   - zstd
 
 ubuntu:
@@ -236,31 +351,47 @@ ubuntu:
   extra:
     - apparmor-utils
     - bash-completion
+    - bat
     - chrony
-    - cloud-init
     - curl
     - dnsutils
+    - duf
+    - entr
+    - eza
+    - fdupes
+    - fio
     - firewalld
     - fish
     - htop
+    - jq
     - libpam-pwquality
     - logrotate
     - lrzsz
+    - mtr
     - ncdu
+    - ncurses-term
     - net-tools
     - network-manager
     - open-vm-tools
     - openssh-server
     - python-is-python3
     - python3
+    - ripgrep
     - rsync
     - screen
     - software-properties-common
     - sudo
     - syslog-ng
+    - systemd-zram-generator
     - tcpd
+    - tldr
+    - tmux
+    - traceroute
+    - util-linux-extra
     - vim
     - wget
+    - yq
+    - zoxide
     - zstd
 
 ubuntu-lts:
@@ -280,29 +411,45 @@ ubuntu-lts:
   extra:
     - apparmor-utils
     - bash-completion
+    - bat
     - chrony
-    - cloud-init
     - curl
     - dnsutils
+    - duf
+    - entr
+    - eza
+    - fdupes
+    - fio
     - firewalld
     - fish
     - htop
+    - jq
     - libpam-pwquality
     - logrotate
     - lrzsz
+    - mtr
     - ncdu
+    - ncurses-term
     - net-tools
     - network-manager
     - open-vm-tools
     - openssh-server
     - python-is-python3
     - python3
+    - ripgrep
     - rsync
     - screen
     - software-properties-common
     - sudo
     - syslog-ng
+    - systemd-zram-generator
     - tcpd
+    - tldr
+    - tmux
+    - traceroute
+    - util-linux-extra
     - vim
     - wget
+    - yq
+    - zoxide
     - zstd

roles/cis/tasks/main.yml

@@ -4,26 +4,27 @@
     - name: Disable Kernel Modules
       ansible.builtin.copy:
         dest: /mnt/etc/modprobe.d/cis.conf
-        mode: '0644'
+        mode: "0644"
         content: |
           CIS LVL 3 Restrictions
-          install freevxfs        /bin/true
+          install freevxfs        /bin/false
-          install jffs2           /bin/true
+          install jffs2           /bin/false
-          install hfs             /bin/true
+          install hfs             /bin/false
-          install hfsplus         /bin/true
+          install hfsplus         /bin/false
-          install squashfs        /bin/true
+          install cramfs          /bin/false
-          install udf             /bin/true
+          install squashfs        /bin/false
-          install usb-storage     /bin/true
+          install udf             /bin/false
+          install usb-storage     /bin/false
 
-          install dccp            /bin/true
+          install dccp            /bin/false
-          install sctp            /bin/true
+          install sctp            /bin/false
-          install rds             /bin/true
+          install rds             /bin/false
-          install tipc            /bin/true
+          install tipc            /bin/false
 
     - name: Create USB Rules
       ansible.builtin.copy:
         dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh
-        mode: '0644'
+        mode: "0644"
         content: |
           By default, disable all.
           ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
@@ -40,14 +41,23 @@
     - name: Create a consolidated sysctl configuration file
       ansible.builtin.copy:
         dest: /mnt/etc/sysctl.d/10-cis.conf
-        mode: '0644'
+        mode: "0644"
         content: |
           ## CIS Sysctl configurations
+          kernel.yama.ptrace_scope=1
+          kernel.randomize_va_space=2
+
+          # Network
+          net.ipv4.ip_forward=0
+          net.ipv4.tcp_syncookies=1
+          net.ipv4.icmp_echo_ignore_broadcasts=1
+          net.ipv4.icmp_ignore_bogus_error_responses=1
           net.ipv4.conf.all.log_martians = 1
           net.ipv4.conf.all.rp_filter = 1
           net.ipv4.conf.all.secure_redirects = 0
           net.ipv4.conf.all.send_redirects = 0
           net.ipv4.conf.all.accept_redirects = 0
+          net.ipv4.conf.all.accept_source_route=0
           net.ipv4.conf.default.log_martians = 1
           net.ipv4.conf.default.rp_filter = 1
           net.ipv4.conf.default.secure_redirects = 0
@@ -69,6 +79,32 @@
     #     - { regexp: '^PASS_MIN_DAYS.*', replace: 'PASS_MIN_DAYS 7' }
     #     - { regexp: '^UMASK.*', replace: 'UMASK           027' }
 
+    - name: Ensure the Default UMASK is Set Correctly
+      ansible.builtin.lineinfile:
+        path: "/mnt/etc/profile"
+        regexp: "^(\\s*)umask\\s+\\d+"
+        line: "umask 027"
+
+    - name: Prevent Login to Accounts With Empty Password
+      ansible.builtin.replace:
+        dest: "{{ item }}"
+        regexp: "nullok"
+      loop:
+        - /mnt/etc/pam.d/system-auth
+        - /mnt/etc/pam.d/password-auth
+
+    - name: Configure System Cryptography Policy
+      when: os in ["almalinux", "rhel9", "rhel10", "rocky"]
+      ansible.builtin.command: arch-chroot /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
+      register: crypto_policy_result
+      changed_when: "'Setting system-wide crypto-policies to' in crypto_policy_result.stdout"
+
+    - name: Mask Systemd Services
+      ansible.builtin.command: >
+        arch-chroot /mnt systemctl mask nftables bluetooth rpcbind
+      changed_when: result.rc == 0
+      register: result
+
     - name: Ensure files exist
       ansible.builtin.file:
         path: "{{ item }}"
@@ -80,6 +116,15 @@
         - /mnt/etc/hosts.allow
         - /mnt/etc/hosts.deny
 
+    - name: Ensure files do not exist
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: touch
+        mode: "0600"
+      loop:
+        - /mnt/etc/at.deny
+        - /mnt/etc/cron.deny
+
     - name: Add Security related lines into config files
       ansible.builtin.lineinfile:
         path: "{{ item.path }}"
@@ -91,18 +136,39 @@
         - { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 }
         - { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 }
         - { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 }
-        - { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: umask 077 }
+        - {
-        - { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: export TMOUT=3000 }
+            path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rhel10", "rocky"] else "bash.bashrc" }}',
-        - { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent }
+            content: umask 077,
-        - { path: /mnt/etc/sudoers, content: Defaults        logfile="/var/log/sudo.log" }
+          }
+        - {
+            path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rhel10", "rocky"] else "bash.bashrc" }}',
+            content: export TMOUT=3000,
+          }
+        - {
+            path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}',
+            content: Storage=persistent,
+          }
+        - {
+            path: /mnt/etc/sudoers,
+            content: Defaults        logfile="/var/log/sudo.log",
+          }
         - { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
-        - { path: '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
+        - {
+            path:
+              '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
               else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}',
-            content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900 }
+            content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900,
-        - { path: '/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth"
+          }
-            if os == "fedora" else "pam.d/system-auth" }}', content: account required pam_faillock.so }
+        - {
-        - { path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}',
+            path:
-            content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" }
+              '/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth"
+              if os == "fedora" else "pam.d/system-auth" }}',
+            content: account required pam_faillock.so,
+          }
+        - {
+            path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}',
+            content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5",
+          }
         - { path: /mnt/etc/hosts.deny, content: "ALL: ALL" }
         - { path: /mnt/etc/hosts.allow, content: "sshd: ALL" }
 
@@ -112,18 +178,21 @@
         owner: "{{ item.owner | default(omit) }}"
         group: "{{ item.group | default(omit) }}"
         mode: "{{ item.mode }}"
-      loop:
+      loop: >
-        - { path: /mnt/etc/ssh/sshd_config, mode: "0600" }
+        {{ [
-        - { path: /mnt/etc/cron.hourly, mode: "0700" }
+          { "path": "/mnt/etc/ssh/sshd_config", "mode": "0600" },
-        - { path: /mnt/etc/cron.daily, mode: "0700" }
+          { "path": "/mnt/etc/cron.hourly", "mode": "0700" },
-        - { path: /mnt/etc/cron.weekly, mode: "0700" }
+          { "path": "/mnt/etc/cron.daily", "mode": "0700" },
-        - { path: /mnt/etc/cron.monthly, mode: "0700" }
+          { "path": "/mnt/etc/cron.weekly", "mode": "0700" },
-        - { path: /mnt/etc/cron.d, mode: "0700" }
+          { "path": "/mnt/etc/cron.monthly", "mode": "0700" },
-        - { path: /mnt/etc/crontab, mode: "0600" }
+          { "path": "/mnt/etc/cron.d", "mode": "0700" },
-        - { path: /mnt/etc/logrotate.conf, mode: "0644" }
+          { "path": "/mnt/etc/crontab", "mode": "0600" },
-        - { path: /mnt/usr/sbin/pppd, mode: "754" }
+          { "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
-        - { path: '/mnt/usr/bin/{{ "fusermount3" if os in ["archlinux", "debian12", "fedora"] else "fusermount" }}', mode: "755" }
+          { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9", "rhel10"] else None,
-        - { path: '/mnt/usr/bin/{{ "write.ul" if os == "debian11" else "write" }}', mode: "755" }
+          { "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["almalinux", "archlinux", "debian12", "fedora", "rhel9", "rhel10", "rocky"]
+            else "fusermount"), "mode": "755" },
+          { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" }
+        ] | reject("none") }}
 
     - name: Adjust SSHD config
       ansible.builtin.lineinfile:
@@ -145,7 +214,6 @@
         - { option: PermitEmptyPasswords, value: "no" }
         - { option: KerberosAuthentication, value: "no" }
         - { option: GSSAPIAuthentication, value: "no" }
-        - { option: GSSAPIKeyExchange, value: "no" }
         - { option: AllowAgentForwarding, value: "no" }
         - { option: AllowTcpForwarding, value: "no" }
         - { option: ChallengeResponseAuthentication, value: "no" }
@@ -153,7 +221,7 @@
         - { option: X11Forwarding, value: "no" }
         - { option: PermitUserEnvironment, value: "no" }
         - { option: ClientAliveInterval, value: "300" }
-        - { option: ClientAliveCountMax, value: "0" }
+        - { option: ClientAliveCountMax, value: "1" }
         - { option: PermitTunnel, value: "no" }
         - { option: Banner, value: /etc/issue.net }
 
@@ -167,14 +235,10 @@
 
           ### Ciphers and keying ###
           RekeyLimit 512M 6h
-          KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,
+          KexAlgorithms  mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
-            diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,
+          Ciphers        aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-            diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,
+          MACs           hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
-            ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+
-          Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,
-            aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-          MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
-            hmac-sha2-512,hmac-sha2-256
           ###########################
 
           AllowStreamLocalForwarding no

roles/cleanup/tasks/main.yml

@@ -1,4 +1,33 @@
 ---
+- name: Unmount Disks
+  vars:
+    ansible_connection: ssh
+  block:
+    - name: Disable Swap
+      ansible.builtin.command: swapoff -a
+      register: swapoff_result
+      changed_when: swapoff_result.rc == 0
+
+    - name: Unmount /mnt if mounted
+      ansible.builtin.command: umount -R /mnt
+      register: unmount_result
+      changed_when: unmount_result.rc == 0
+
+    - name: Verify /mnt is no longer mounted
+      ansible.builtin.command: grep ' /mnt ' /proc/mounts
+      register: verify_unmount
+      retries: 5
+      delay: 5
+      until: verify_unmount.rc != 0
+      when: unmount_result.rc == 0
+      changed_when: false
+      failed_when: verify_unmount.rc not in [0, 1]
+
+- name: Shutdown the VM
+  community.general.shutdown:
+  vars:
+    ansible_connection: ssh
+
 - name: Setup Cleanup
   when: hypervisor == "proxmox"
   delegate_to: localhost
@@ -15,12 +44,25 @@
         state: absent
       loop:
         - ide0
-        - ide1
+        - ide2
 
-- name: Remove CD-ROM from VM in vCenter
+    - name: Start the VM
+      community.general.proxmox_kvm:
+        api_host: "{{ hypervisor_url }}"
+        api_user: "{{ hypervisor_username }}"
+        api_password: "{{ hypervisor_password }}"
+        node: "{{ hypervisor_node }}"
+        vmid: "{{ vm_id }}"
+        state: restarted
+
+- name: Clean vCenter VM
   when: hypervisor == "vmware"
   delegate_to: localhost
-  ignore_errors: true
+  become: false
+  block:
+    - name: Remove CD-ROM from VM in vCenter
+      when: hypervisor == "vmware"
+      failed_when: false
       community.vmware.vmware_guest:
         hostname: "{{ hypervisor_url }}"
         username: "{{ hypervisor_username }}"
@@ -35,17 +77,29 @@
             type: iso
             iso_path: "{{ boot_iso }}"
             state: absent
+          - controller_number: 0
+            unit_number: 1
+            controller_type: sata
+            type: iso
+            iso_path: "{{ rhel_iso | default(omit) }}"
+            state: absent
+
+    - name: Start VM in vCenter
+      when: hypervisor == "vmware"
+      community.vmware.vmware_guest_powerstate:
+        hostname: "{{ hypervisor_url }}"
+        username: "{{ hypervisor_username }}"
+        password: "{{ hypervisor_password }}"
+        validate_certs: false
+        datacenter: "{{ hypervisor_cluster }}"
+        name: "{{ hostname }}"
+        state: powered-on
 
 - name: Remove Archiso and cloud-init disks
   when: hypervisor == "libvirt"
   delegate_to: localhost
   become: false
   block:
-    - name: Stop the VM
-      community.libvirt.virt:
-        name: "{{ hostname }}"
-        state: shutdown
-
     - name: Remove cloud-init disk
       ansible.builtin.file:
         path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso"
@@ -63,7 +117,9 @@
     - name: Remove CD-ROM devices
       when: cdrom_devices.stdout_lines | length > 0
       ansible.builtin.command: virsh --connect qemu:///system detach-disk {{ hostname }} {{ item }} --persistent
-      with_items: "{{ cdrom_devices.stdout_lines }}"
+      with_items: "{{ cdrom_devices.stdout_lines | select('ne', 'sdc') | list }}"
+      changed_when: result.rc == 0
+      register: result
 
     - name: Start the VM
       community.libvirt.virt:

roles/configuration/tasks/main.yml

@@ -3,6 +3,33 @@
   block:
     - name: Generate fstab
       ansible.builtin.shell: genfstab -LU /mnt > /mnt/etc/fstab
+      changed_when: result.rc == 0
+      register: result
+
+    - name: Remove depricated attr2 and disable large extent
+      when: os in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"] and filesystem == "xfs"
+      ansible.builtin.replace:
+        path: /mnt/etc/fstab
+        regexp: "(xfs.*?)(attr2)"
+        replace: '\1allocsize=64m'
+
+    - name: Replace ISO UUID entry with /dev/sr0 in fstab
+      when: os in ["rhel8", "rhel9", "rhel10"]
+      ansible.builtin.lineinfile:
+        path: /mnt/etc/fstab
+        regexp: '^.*\/dvd.*$'
+        line:
+          "{{ '/usr/local/install/redhat/rhel.iso /usr/local/install/redhat/dvd iso9660 loop,nofail 0 0' if hypervisor == 'vmware'
+          else '/dev/sr0 /usr/local/install/redhat/dvd iso9660 ro,relatime,nojoliet,check=s,map=n,nofail 0 0' }}"
+        state: present
+        backrefs: true
+
+    - name: Write image from RHEL ISO to the target machine
+      when: os in ["rhel8", "rhel9", "rhel10"] and hypervisor == 'vmware'
+      ansible.builtin.command: dd if=/dev/sr1 of=/mnt/usr/local/install/redhat/rhel.iso bs=4M
+      changed_when: result.rc == 0
+      register: result
+
     - name: Append TempFS to fstab
       ansible.builtin.lineinfile:
         path: /mnt/etc/fstab
@@ -13,10 +40,12 @@
         - "# TempFS"
         - tmpfs           /tmp            tmpfs           defaults,nosuid,nodev,noexec    0 0
         - tmpfs           /var/tmp        tmpfs           defaults,nosuid,nodev,noexec    0 0
-        - tmpfs           /dev/shm        tmpfs           defaults,noexec    0 0
+        - tmpfs           /dev/shm        tmpfs           defaults,nosuid,nodev,noexec    0 0
 
     - name: Set local timezone
       ansible.builtin.command: "{{ item }}"
+      changed_when: result.rc == 0
+      register: result
       with_items:
         - systemctl daemon-reload
         - arch-chroot /mnt ln -sf /usr/share/zoneinfo/Europe/Vienna /etc/localtime
@@ -24,7 +53,7 @@
     - name: Setup locales
       block:
         - name: Configure locale.gen
-          when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
+          when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
           ansible.builtin.lineinfile:
             dest: /mnt/etc/locale.gen
             regexp: "{{ item.regex }}"
@@ -32,32 +61,35 @@
           loop:
             - { regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8 }
 
-        - name: Generate locales\
+        - name: Generate locales
-          when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
+          when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
           ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen
+          changed_when: result.rc == 0
+          register: result
+
         - name: Set hostname
           ansible.builtin.copy:
-            content: "{{ hostname }}"
+            content: "{{ hostname }}{% if vm_dns_search is defined and vm_dns_search | length %}.{{ vm_dns_search }}{% endif %}"
             dest: /mnt/etc/hostname
-            mode: '0644'
+            mode: "0644"
 
         - name: Add host entry to /etc/hosts
           ansible.builtin.lineinfile:
             path: /mnt/etc/hosts
-            line: "{{ ansible_host }}    {{ hostname }}"
+            line: "{{ ansible_host }}    {{ hostname }}{% if vm_dns_search is defined and vm_dns_search | length %} {{ hostname }}.{{ vm_dns_search }}{% endif %}"
             state: present
 
         - name: Create vconsole.conf
           ansible.builtin.copy:
             content: KEYMAP=us
             dest: /mnt/etc/vconsole.conf
-            mode: '0644'
+            mode: "0644"
 
         - name: Create locale.conf
           ansible.builtin.copy:
             content: LANG=en_US.UTF-8
             dest: /mnt/etc/locale.conf
-            mode: '0644'
+            mode: "0644"
 
         - name: SSH permit Password
           ansible.builtin.replace:
@@ -65,13 +97,28 @@
             regexp: "#PasswordAuthentication yes"
             replace: PasswordAuthentication yes
 
+        - name: SSH permit root login
+          ansible.builtin.replace:
+            path: /mnt/etc/ssh/sshd_config
+            regexp: "^#?PermitRootLogin.*"
+            replace: "PermitRootLogin yes"
+
     - name: Enable Systemd Services
-      block:
+      ansible.builtin.command: >
-        - name: Enable sshd
+        arch-chroot /mnt systemctl enable NetworkManager
-          when: os | lower == "archlinux"
+        {{
-          ansible.builtin.command: arch-chroot /mnt systemctl enable sshd logrotate systemd-resolved systemd-timesyncd NetworkManager
+          ' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else
+          (' sshd' if os | lower not in ['debian11', 'debian12', 'debian13'] else '')
+        }}
+        {{
+          'logrotate systemd-resolved systemd-timesyncd systemd-networkd'
+          if os | lower == 'archlinux' else ''
+        }}
+      changed_when: result.rc == 0
+      register: result
+
     - name: Configure grub
-      when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
+      when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
       block:
         - name: Add commandline information to grub config
           ansible.builtin.lineinfile:
@@ -89,78 +136,156 @@
       block:
         - name: Install Bootloader
           ansible.builtin.command: arch-chroot /mnt
-            {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %} /usr/sbin/efibootmgr
+            {% if os | lower not in ["archlinux", "debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"] %} /usr/sbin/efibootmgr
-            -c -L '{{ os }}' -d "{{ install_drive }}" -p 1 -l '\efi\EFI\{{ os }}\shimx64.efi'
+            -c -L '{{ os }}' -d "{{ install_drive }}" -p 1
+            -l '\efi\EFI\{% if os | lower in ["rhel8", "rhel9", "rhel10"] %}redhat{% else %}{{ os | lower }}{% endif %}\shimx64.efi'
             {% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{ "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }}
             --bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
             {% endif %}
-        - name: Generate grub config
+          changed_when: result.rc == 0
-          ansible.builtin.command: arch-chroot /mnt
+          register: result
-            {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %} /usr/sbin/grub2-mkconfig
+
-            -o /boot/efi/EFI/{{ os }}/grub.cfg
+        - name: Ensure lvm2 for non btrfs filesystems
-            {% else %}/usr/sbin/grub-mkconfig -o
+          when: os | lower == "archlinux" and filesystem != "btrfs"
-            {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }}
+          ansible.builtin.lineinfile:
-            {% endif %}
+            path: /mnt/etc/mkinitcpio.conf
+            regexp: "^(HOOKS=.*block)(?!.*lvm2)(.*)"
+            line: '\1 lvm2\2'
+            backrefs: true
+
         - name: Regenerate initramfs
-          when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
+          when: os | lower not in ["debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"]
           ansible.builtin.command: arch-chroot /mnt
             {% if os | lower == "archlinux" %} /usr/sbin/mkinitcpio -P
-            {% elif os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts", "archlinux"] %} /usr/bin/dracut --regenerate-all --force
+            {% else %} /usr/bin/dracut --regenerate-all --force
-            {% else %} echo "Skipping initramfs regeneration"
             {% endif %}
+          changed_when: result.rc == 0
+          register: result
+
+        - name: Generate grub config
+          ansible.builtin.command: arch-chroot /mnt
+            {% if os | lower not in ["archlinux", "debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"] %}
+            /usr/sbin/grub2-mkconfig -o /boot/efi/EFI/{% if os | lower in ["rhel8", "rhel9", "rhel10"] %}redhat{% else %}{{ os | lower }}{% endif %}/grub.cfg
+            {% else %}
+            /usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }}
+            {% endif %}
+          changed_when: result.rc == 0
+          register: result
+
     - name: Extra Configuration
       block:
-        - name: Append lines to vimrc
+        - name: Append vim configurations to vimrc
-          ignore_errors: true
+          failed_when: false
-          ansible.builtin.lineinfile:
+          ansible.builtin.blockinfile:
-            path: "{{ '/mnt/etc/vim/vimrc' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] else '/mnt/etc/vimrc' }}"
+            path:
-            line: "{{ item }}"
+              "{{ '/mnt/etc/vim/vimrc' if os | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts']
+              else '/mnt/etc/vimrc' }}"
+            block: |
+              set encoding=utf-8
+              set number
+              set autoindent
+              set smartindent
+              set mouse=a
             insertafter: EOF
-          with_items:
+            marker: ""
-            - set encoding=utf-8
-            - set number
-            - set autoindent
-            - set smartindent
-            - set mouse=a
 
-        - name: Copy FirstRun Script
+        - name: Add memory tuning parameters
-          when: os | lower != "archlinux"
+          ansible.builtin.blockinfile:
-          ansible.builtin.template:
+            path: /mnt/etc/sysctl.d/90-memory.conf
-            src: firstrun.sh.j2
+            create: true
-            dest: /mnt/root/firstrun.sh
+            block: |
-            mode: "0755"
+              vm.swappiness=10
+              vm.vfs_cache_pressure=50
+              vm.dirty_background_ratio=1
+              vm.dirty_ratio=10
+              vm.page-cluster=10
+            marker: ""
+            mode: "0644"
+
+        - name: Create zram config
+          when: os not in ['debian11', 'rhel8']
+          ansible.builtin.copy:
+            dest: /mnt/etc/systemd/zram-generator.conf
+            content: |
+              [zram0]
+              zram-size  = ram / 2
+              compression-algorithm = zstd
+              swap-priority = 100
+              fs-type = swap
+            mode: "0644"
 
         - name: Copy Custom Shell config
           ansible.builtin.template:
             src: custom.sh.j2
             dest: /mnt/etc/profile.d/custom.sh
-            mode: '0644'
+            mode: "0644"
+
+        - name: Create login banner
+          ansible.builtin.copy:
+            dest: "{{ item }}"
+            content: |
+              **************************************************************
+              * WARNING: Unauthorized access to this system is prohibited. *
+              * All activities are monitored and logged.                   *
+              * Disconnect immediately if you are not an authorized user.  *
+              **************************************************************
+            owner: root
+            group: root
+            mode: "0644"
+          loop:
+            - /mnt/etc/issue
+            - /etc/issue.net
+
+        - name: Remove motd files
+          when: os | lower in ["rhel8", "rhel9", "rhel10"]
+          ansible.builtin.file:
+            path: "{{ item }}"
+            state: absent
+          loop:
+            - /etc/motd.d/cockpit
+            - /etc/motd.d/insights-client
 
     - name: Setup Network
       block:
         - name: Generate UUID for Network Profile
           ansible.builtin.command: uuidgen
+          changed_when: net_uuid.rc == 0
           register: net_uuid
 
         - name: Retrieve Network Interface Name
           ansible.builtin.shell: set -o pipefail && ip r | awk 'NR==1 {print $5}'
+          changed_when: net_inf.rc == 0
           register: net_inf
 
+        - name: Register MAC Address of the Network Interface
+          ansible.builtin.shell: set -o pipefail && ip link show "{{ net_inf.stdout }}" | awk '/link\/ether/ {print $2}' | tr '[:lower:]' '[:upper:]'
+          register: net_mac
+          changed_when: net_mac.rc == 0
+
         - name: Copy NetworkManager keyfile
           ansible.builtin.template:
             src: network.j2
             dest: /mnt/etc/NetworkManager/system-connections/LAN.nmconnection
             mode: "0600"
 
+        - name: Fix Ubuntu unmanaged devices
+          when: os | lower in ["ubuntu", "ubuntu-lts"]
+          ansible.builtin.file:
+            path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf
+            state: touch
+            mode: "0644"
+
     - name: Setup user account
       block:
         - name: Create user account
           ansible.builtin.command: "{{ item }}"
           with_items:
             - arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups
-              {{ "sudo" if os | lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "wheel" }}
+              {{ "sudo" if os | lower in ["debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"] else "wheel" }}
               {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
             - arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
+          changed_when: result.rc == 0
+          register: result
 
         - name: Add SSH public key to authorized_keys
           when: user_public_key is defined
@@ -174,18 +299,25 @@
 
     - name: Give sudo access to wheel group
       ansible.builtin.copy:
-        content: "{{ '%sudo ALL=(ALL) ALL' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] else '%wheel ALL=(ALL) ALL' }}"
+        content: "{{ '%sudo ALL=(ALL) ALL' if os | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts'] else '%wheel ALL=(ALL) ALL' }}"
         dest: /mnt/etc/sudoers.d/01-wheel
         mode: "0440"
         validate: /usr/sbin/visudo --check --file=%s
 
     - name: Fix SELinux
+      when: os | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
       block:
-        - name: Relabel the filesystem
+        - name: Fix SELinux by pre-labeling the filesystem before first boot
-          when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rocky']
+          when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and (selinux | default(true) | bool)
-          ansible.builtin.command: touch /mnt/.autorelabel
+          ansible.builtin.command: >
+            arch-chroot /mnt /sbin/setfiles -v -F
+            -e /dev -e /proc -e /sys -e /run
+            /etc/selinux/targeted/contexts/files/file_contexts /
+          register: setfiles_result
+          changed_when: setfiles_result.rc == 0
+
         - name: Disable SELinux
-          when: os | lower == "fedora"
+          when: os | lower == "fedora" or not (selinux | default(true) | bool)
           ansible.builtin.lineinfile:
             path: /mnt/etc/selinux/config
             regexp: ^SELINUX=

roles/configuration/templates/custom.sh.j2

@@ -10,3 +10,6 @@ PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
 # History Size
 HISTFILESIZE=
 HISTSIZE=
+
+# Enable vi mode
+set -o vi

roles/configuration/templates/network.j2

@@ -2,17 +2,20 @@
 id=LAN
 uuid={{ net_uuid.stdout }}
 type=ethernet
-interface-name={{ net_inf.stdout }}
 
 [ethernet]
+mac-address={{ net_mac.stdout }}
 
 [ipv4]
-address={{ vm_ip }},{{ vm_gw }}
+address={{ vm_ip }}/{{ vm_nms | default (24) }},{{ vm_gw }}
 dns={{ vm_dns }}
+{% if vm_dns_search is defined %}
+dns-search={{ vm_dns_search }}
+{% endif %}
 method=manual
 
 [ipv6]
-addr-gen-mode=default
+addr-gen-mode=stable-privacy
 method=disabled
 
 [proxy]

roles/environment/tasks/main.yml

@@ -4,7 +4,7 @@
   block:
     - name: Wait for connection
       ansible.builtin.wait_for_connection:
-        timeout: 300
+        timeout: 60
         delay: 5
 
     - name: Gather facts
@@ -20,19 +20,57 @@
         msg: This host is not booted from the Arch install media!
       when: not archiso_stat.stat.exists
 
-    - name: Setect Interface
+    - name: Register Network Interface
       when: hypervisor == "vmware"
       ansible.builtin.shell: "set -o pipefail && ip l | awk -F': ' '!/lo/{print $2; exit}'"
+      changed_when: interface_name.rc == 0
       register: interface_name
 
     - name: Set IP-Address
       when: hypervisor == "vmware"
-      ansible.builtin.command: ip addr replace {{ ansible_host }}/24 dev {{ interface_name.stdout }}
+      ansible.builtin.command: "ip addr replace {{ ansible_host }}/{{ vm_nms | default(24) }} dev {{ interface_name.stdout }}"
+      changed_when: result.rc == 0
+      register: result
+
     - name: Set Default Gateway
       when: hypervisor == "vmware"
-      ansible.builtin.command: ip route replace default via {{ vm_gw }}
+      ansible.builtin.command: "ip route replace default via {{ vm_gw }}"
+      changed_when: result.rc == 0
+      register: result
+
     - name: Synchronize clock via NTP
       ansible.builtin.command: timedatectl set-ntp true
+      changed_when: result.rc == 0
+      register: result
+
+    - name: Configure SSH for root login
+      when: hypervisor == "vmware" and (vmware_ssh is defined and vmware_ssh | bool)
+      block:
+        - name: Allow empty passwords temporarily
+          ansible.builtin.replace:
+            path: /etc/ssh/sshd_config
+            regexp: "^#?PermitEmptyPasswords.*"
+            replace: "PermitEmptyPasswords yes"
+
+        - name: Allow root login
+          ansible.builtin.replace:
+            path: /etc/ssh/sshd_config
+            regexp: "^#?PermitRootLogin.*"
+            replace: "PermitRootLogin yes"
+
+        - name: Reload SSH service to apply changes
+          ansible.builtin.service:
+            name: sshd
+            state: reloaded
+
+        - name: Set connection back to SSH
+          ansible.builtin.set_fact:
+            ansible_connection: ssh
+            ansible_user: "root"
+            ansible_password: ""
+            ansible_become_password: ""
+            ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
     - name: Speed-up Bootstrap process
       ansible.builtin.lineinfile:
         path: /etc/pacman.conf
@@ -51,25 +89,42 @@
         state: latest
       loop:
         - { name: glibc }
-        - { name: dnf, os: [almalinux, fedora, rhel9, rhel8, rocky] }
+        - { name: dnf, os: [almalinux, fedora, rhel8, rhel9, rhel10, rocky] }
-        - { name: debootstrap, os: [debian11, debian12, ubuntu, ubuntu-lts] }
+        - { name: debootstrap, os: [debian11, debian12, debian13, ubuntu, ubuntu-lts] }
-        - { name: debian-archive-keyring, os: [debian11, debian12] }
+        - { name: debian-archive-keyring, os: [debian11, debian12, debian13] }
         - { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] }
       when: "'os' not in item or os in item.os"
       retries: 4
       delay: 15
 
+    - name: Prepare /iso mount and repository for RHEL-based systems
+      when: os | lower in ["rhel8", "rhel9", "rhel10"]
+      block:
+        - name: Create /iso directory
+          ansible.builtin.file:
+            path: /usr/local/install/redhat/dvd
+            state: directory
+            mode: "0755"
+
+        - name: Mount RHEL ISO
+          ansible.posix.mount:
+            src: "{{ '/dev/sr1' if hypervisor == 'vmware' else '/dev/sr2' }}"
+            path: /usr/local/install/redhat/dvd
+            fstype: iso9660
+            opts: "ro,loop"
+            state: mounted
+
     - name: Configure RHEL Repos for installation
-      when: os | lower in ["almalinux", "fedora", "rocky"]
+      when: os | lower in ["almalinux", "fedora", "rhel8", "rhel9", "rhel10", "rocky"]
       block:
         - name: Create directories for repository files and RPM GPG keys
           ansible.builtin.file:
             path: /etc/yum.repos.d
             state: directory
-            mode: '0755'
+            mode: "0755"
 
         - name: Create RHEL repository file
           ansible.builtin.template:
             src: "{{ os | lower }}.repo.j2"
             dest: /etc/yum.repos.d/{{ os | lower }}.repo
-            mode: '0644'
+            mode: "0644"

roles/partitioning/tasks/btrfs.yml

@@ -17,23 +17,37 @@
 
     - name: Enable quotas on Btrfs filesystem
       ansible.builtin.command: btrfs quota enable /mnt
+      changed_when: result.rc == 0
+      register: result
 
     - name: Make root subvolumes
-      when: cis | bool or item.subvol not in ['var_log', 'var_log_audit']
+      when: cis | bool or item.subvol not in ['var_log_audit']
       ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
+      changed_when: result.rc == 0
+      register: result
       loop:
         - { subvol: root }
+        - { subvol: swap }
         - { subvol: home }
         - { subvol: var }
         - { subvol: var_log }
         - { subvol: var_log_audit }
 
     - name: Set quotas for subvolumes
-      when: cis | bool or item.subvol not in ['var_log', 'var_log_audit']
+      when: cis | bool or item.subvol not in ['var_log_audit']
       ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
+      changed_when: result.rc == 0
+      register: result
       loop:
         - { subvol: home, quota: 2G }
 
+    - name: Create a Btrfs swap file
+      ansible.builtin.command: >-
+        btrfs filesystem mkswapfile --size {{ ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory
+        | float / 2048) | int, [vm_memory | float / 1024, 4.0] | max) | int) }}g --uuid clear /mnt/@swap/swapfile
+      changed_when: result.rc == 0
+      register: result
+
     - name: Unmount Partition
       ansible.posix.mount:
         path: /mnt

roles/partitioning/tasks/ext4.yml

@@ -1,6 +1,6 @@
 ---
 - name: Create and format ext4 logical volumes
-  when: cis | bool or item.lv not in ['var_log', 'var_log_audit']
+  when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
   community.general.filesystem:
     dev: /dev/sys/{{ item.lv }}
     fstype: ext4
@@ -13,8 +13,10 @@
     - { lv: var_log_audit }
 
 - name: Remove Unsupported features for older Systems
-  when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky', 'ubuntu-lts']) and (cis | bool or item.lv not in ['var_log', 'var_log_audit'])
+  when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky']) and (cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'])
   ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}"
+  changed_when: result.rc == 0
+  register: result
   loop:
     - { lv: root }
     - { lv: home }

roles/partitioning/tasks/main.yml

@@ -2,12 +2,16 @@
 - name: Partition install drive
   block:
     - name: Prepare partitions
-      ignore_errors: true
+      failed_when: false
       ansible.builtin.command: "{{ item.cmd }}"
+      changed_when: result.rc == 0
+      register: result
       loop:
         - { cmd: umount -l /mnt }
         - { cmd: vgremove -f sys }
-        - { cmd: 'find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;' }
+        - {
+            cmd: 'find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;',
+          }
       loop_control:
         label: "{{ item.cmd }}"
 
@@ -34,18 +38,34 @@
         pvs: "{{ install_drive }}{{ main_partition_suffix }}"
 
     - name: Create LVM logical volumes
-      when: cis or (not cis and item.lv != 'var_log' and item.lv != 'var_log_audit')
+      when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
       community.general.lvol:
         vg: sys
         lv: "{{ item.lv }}"
         size: "{{ item.size }}"
         state: present
       loop:
-        - { lv: root, size: 12G }
+        - lv: root
-        - { lv: home, size: 2G }
+          size: >-
-        - { lv: var, size: 2G }
+            {{ [(((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0)) - (((vm_memory | float / 1024) > 16.0)
-        - { lv: var_log, size: 2G }
+                 | ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) < 4)
-        - { lv: var_log_audit, size: 1.5G }
+                 | ternary(4,((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0)) -
+                (((vm_memory | float / 1024) > 16.0)| ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) > 12)
+                  | ternary(((vm_size | float) * 0.4) | round(0, 'ceil'),((vm_size | float) - 0.5 - ((cis | bool)
+                  | ternary(7.5, 0)) - (((vm_memory | float / 1024) > 16.0)
+                  | ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024))))))))), 4 ] | max | string + 'G' }}
+        - lv: swap
+          size: >-
+            {{ ((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0))) - (((vm_memory | float / 1024) > 16.0)
+                | ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) < 4)
+                | ternary((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0))) - 4), (((vm_memory | float / 1024) > 16.0)
+                | ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) | string + 'G' }}
+        - lv: home
+          size: "{{ ([([(((vm_size | float) - 20) * 0.1), 2] | max), 20] | min) | string + 'G' }}"
+
+        - { lv: var, size: "2G" }
+        - { lv: var_log, size: "2G" }
+        - { lv: var_log_audit, size: "1.5G" }
 
 - name: Create filesystems
   block:
@@ -53,9 +73,15 @@
       community.general.filesystem:
         dev: "{{ install_drive }}{{ boot_partition_suffix }}"
         fstype: vfat
-        opts: -F32
+        opts: -F32 -n BOOT
         force: true
 
+    - name: Create swap filesystem
+      when: filesystem != 'btrfs'
+      community.general.filesystem:
+        fstype: swap
+        dev: /dev/sys/swap
+
     - name: Create filesystem
       ansible.builtin.include_tasks: "{{ filesystem }}.yml"
 
@@ -70,30 +96,35 @@
       register: main_uuid
 
     - name: Get UUIDs for LVM filesystems
-      when: filesystem != 'btrfs' and (cis | bool or item not in ['var_log', 'var_log_audit'])
+      when: filesystem != 'btrfs' and (cis | bool or item not in ['home', 'var', 'var_log', 'var_log_audit'])
       ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }}
       changed_when: false
       register: uuid_result
       loop:
         - root
+        - swap
         - home
         - var
         - var_log
         - var_log_audit
 
     - name: Assign UUIDs to Variables
+      when: filesystem != 'btrfs'
       ansible.builtin.set_fact:
         uuid_root: "{{ uuid_result.results[0].stdout_lines }}"
-        uuid_home: "{{ uuid_result.results[1].stdout_lines }}"
+        uuid_swap: "{{ uuid_result.results[1].stdout_lines }}"
-        uuid_var: "{{ uuid_result.results[2].stdout_lines }}"
+        uuid_home: "{{ uuid_result.results[2].stdout_lines if cis | bool else '' }}"
-        uuid_var_log: "{{ uuid_result.results[3].stdout_lines if cis == true else '' }}"
+        uuid_var: "{{ uuid_result.results[3].stdout_lines if cis | bool else '' }}"
-        uuid_var_log_audit: "{{ uuid_result.results[4].stdout_lines if cis == true else '' }}"
+        uuid_var_log: "{{ uuid_result.results[4].stdout_lines if cis | bool else '' }}"
-      when: filesystem != 'btrfs'
+        uuid_var_log_audit: "{{ uuid_result.results[5].stdout_lines if cis | bool else '' }}"
 
 - name: Mount filesystems
   block:
     - name: Mount filesystems and subvolumes
-      when: cis | bool or (not cis and item.path != '/var/log' and item.path != '/var/log/audit')
+      when:
+        - cis | bool or (not cis and (item.path == '/var/log' and filesystem == 'btrfs')
+          or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit']))
+        - not (item.path == '/swap' and filesystem != 'btrfs')
       ansible.posix.mount:
         path: /mnt{{ item.path }}
         src: "{{ 'UUID=' + (main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}"
@@ -104,6 +135,8 @@
         - path: ""
           uuid: "{{ uuid_root[0] | default(omit) }}"
           opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}"
+        - path: /swap
+          opts: "rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@swap"
         - path: /home
           uuid: "{{ uuid_home[0] | default(omit) }}"
           opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
@@ -134,7 +167,12 @@
 
     - name: Mount boot filesystem
       ansible.posix.mount:
-        path: "{{ '/mnt/boot/efi' if os | lower in ['ubuntu', 'ubuntu-lts'] else '/mnt/boot' }}"
+        path: "{{ '/mnt/boot/efi' if os | lower in ['rhel8', 'ubuntu', 'ubuntu-lts'] else '/mnt/boot' }}"
         src: UUID={{ boot_uuid.stdout }}
         fstype: vfat
         state: mounted
+
+    - name: Activate swap
+      ansible.builtin.command: "{{ 'swapon /mnt/swap/swapfile' if filesystem == 'btrfs' else 'swapon -U ' + uuid_swap[0] }}"
+      changed_when: result.rc == 0
+      register: result

roles/partitioning/tasks/xfs.yml

@@ -1,6 +1,6 @@
 ---
 - name: Create and format XFS logical volumes
-  when: cis | bool or item.lv not in ['var_log', 'var_log_audit']
+  when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
   community.general.filesystem:
     dev: /dev/sys/{{ item.lv }}
     fstype: xfs

roles/virtualization/tasks/libvirt.yml

@@ -9,6 +9,8 @@
   when: not vm_disk_stat.stat.exists
   delegate_to: localhost
   ansible.builtin.command: qemu-img create -f qcow2 {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2 {{ vm_size }}G
+  changed_when: result.rc == 0
+  register: result
 
 - name: Generate Random MAC Address
   delegate_to: localhost
@@ -28,10 +30,12 @@
 
 - name: Create cloud-init disk
   delegate_to: localhost
-  ansible.builtin.command: cloud-localds
+  ansible.builtin.command: >
-    {{ vm_path | default('/var/lib/libvirt/images/') }}
+    cloud-localds {{ vm_path | default('/var/lib/libvirt/images/') }}/{{ hostname }}-cloudinit.iso
-    {{ hostname }}-cloudinit.iso /tmp/cloud-user-data-{{ hostname }}.yml
+    /tmp/cloud-user-data-{{ hostname }}.yml
     -N /tmp/cloud-network-config-{{ hostname }}.yml
+  changed_when: result.rc == 0
+  register: result
 
 - name: Create VM using libvirt
   delegate_to: localhost

roles/virtualization/tasks/proxmox.yml

@@ -7,20 +7,21 @@
     api_password: "{{ hypervisor_password }}"
     ciuser: "{{ user_name }}"
     cipassword: "{{ user_password }}"
-    node: "{{ hypervisor_node }}" # Proxmox node name
+    ciupgrade: false
-    vmid: "{{ vm_id }}" # Unique ID for the VM
+    node: "{{ hypervisor_node }}"
-    name: "{{ hostname }}" # Name of the VM
+    vmid: "{{ vm_id }}"
+    name: "{{ hostname }}"
     cpu: host
-    cores: "{{ vm_cpus }}" # Number of CPU cores
+    cores: "{{ vm_cpus }}"
-    memory: "{{ vm_memory }}" # Memory size in MB
+    memory: "{{ vm_memory }}"
-    balloon: "{{ vm_ballo | default(omit) }}" # Minimum Memory size in MB
+    balloon: "{{ vm_ballo | default(omit) }}"
     numa_enabled: true
     hotplug: network,disk
     bios: ovmf
     boot: ac
     scsihw: virtio-scsi-single
     scsi:
-      scsi0: "{{ hypervisor_storage }}:{{ vm_size }}" # Disk configuration
+      scsi0: "{{ hypervisor_storage }}:{{ vm_size }}"
     efidisk0:
       efitype: 4m
       format: raw
@@ -28,14 +29,15 @@
       storage: "{{ hypervisor_storage }}"
     ide:
       ide0: "{{ boot_iso }},media=cdrom"
-      ide1: "{{ hypervisor_storage }}:cloudinit"
+      ide1: "{{ rhel_iso + ',media=cdrom' if rhel_iso is defined else omit }}"
+      ide2: "{{ hypervisor_storage }}:cloudinit"
     net:
       net0: virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %}
     ipconfig:
-      ipconfig0: ip={{ vm_ip }},gw={{ vm_gw }}
+      ipconfig0: ip={{ vm_ip }}/{{ vm_nms | default(24) }},gw={{ vm_gw }}
     nameservers: "{{ vm_dns }}"
-    onboot: true # Start the VM on boot
+    onboot: true
-    state: present # Ensure the VM is present
+    state: present
 
 - name: Start VM on Proxmox
   delegate_to: localhost
@@ -46,4 +48,4 @@
     node: "{{ hypervisor_node }}"
     name: "{{ hostname }}"
     vmid: "{{ vm_id }}"
-    state: started # Ensure the VM is present
+    state: started

roles/virtualization/tasks/vmware.yml

@@ -1,4 +1,3 @@
----
 - name: Create VM in vCenter
   delegate_to: localhost
   community.vmware.vmware_guest:
@@ -6,11 +5,13 @@
     username: "{{ hypervisor_username }}"
     password: "{{ hypervisor_password }}"
     validate_certs: false
-    datacenter: "{{ hypervisor_cluster }}"
+    datacenter: "{{ hypervisor_datacenter }}"
-    cluster: "{{ hypervisor_node }}"
+    cluster: "{{ hypervisor_cluster }}"
     folder: "{{ vm_path }}"
     name: "{{ hostname }}"
-    guest_id: otherGuest64
+    guest_id: otherLinux64Guest
+    annotation: |
+      {{ note | default('') }}
     state: poweredon
     disk:
       - size_gb: "{{ vm_size }}"
@@ -21,19 +22,33 @@
       num_cpus: "{{ vm_cpus }}"
       boot_firmware: efi
       secure_boot: false
-    cdrom:
+    cdrom: >-
-      - controller_number: 0
+      {{
-        unit_number: 0
+        [ {
-        controller_type: sata
+            "controller_number": 0,
-        state: present
+            "unit_number": 0,
-        type: iso
+            "controller_type": "sata",
-        iso_path: "{{ boot_iso }}"
+            "state": "present",
+            "type": "iso",
+            "iso_path": boot_iso
+          } ]
+        +
+        ( [ {
+            "controller_number": 0,
+            "unit_number": 1,
+            "controller_type": "sata",
+            "state": "present",
+            "type": "iso",
+            "iso_path": rhel_iso
+          } ] if rhel_iso is defined and rhel_iso|length > 0 else [] )
+      }}
     networks:
-      - vlan: "{{ vlan_name }}"
+      - name: "{{ vm_nif }}"
         type: dhcp
+        vlan: "{{ vlan_name | default(omit) }}"
   register: vmware_guest_result
   failed_when:
-    - vmware_guest_result.failed
+    - vmware_guest_result.failed is defined and vmware_guest_result.failed
     - "'error' in vmware_guest_result"
     - "'failed' in vmware_guest_result"
     - vmware_guest_result.rc is defined and vmware_guest_result.rc != 0

roles/virtualization/templates/cloud-user-data.yml.j2

@@ -1,6 +1,8 @@
 #cloud-config
 hostname: "archiso"
 ssh_pwauth: true
+package_update: false
+package_upgrade: false
 users:
   - name: "{{ user_name }}"
     primary_group: "{{ user_name }}"

roles/virtualization/templates/vm.xml.j2

@@ -8,8 +8,8 @@
     <bootmenu enable='no'/>
     <boot dev='hd'/>
     <boot dev='cdrom'/>
-    <loader readonly="yes" type="pflash">/usr/share/edk2/x64/OVMF_CODE.secboot.fd</loader>
+    <loader readonly="yes" type="pflash">/usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd</loader>
-    <nvram template="/usr/share/edk2/x64/OVMF_VARS.fd"/>
+    <nvram template="/usr/share/edk2/x64/OVMF_VARS.4m.fd"/>
   </os>
   <features>
     <acpi/>
@@ -37,6 +37,13 @@
       <source file="{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso"/>
       <target dev="sdb" bus="sata"/>
     </disk>
+    {% if rhel_iso is defined %}
+    <disk type="file" device="cdrom">
+      <driver name="qemu" type="raw"/>
+      <source file="{{ rhel_iso }}"/>
+      <target dev="sdc" bus="sata"/>
+    </disk>
+    {% endif %}
     <interface type='network'>
       <mac address="{{ mac_address_output.stdout }}"/>
       <source network='default'/>

templates/fedora.repo.j2

@@ -8,7 +8,7 @@ metadata_expire=86400
 repo_gpgcheck=0
 type=rpm
 gpgcheck=1
-gpgkey=https://getfedora.org/static/fedora.gpg
+gpgkey=https://fedoraproject.org/fedora.gpg
 skip_if_unavailable=False
 
 [fedora-updates]
@@ -21,5 +21,5 @@ repo_gpgcheck=0
 type=rpm
 gpgcheck=1
 metadata_expire=86400
-gpgkey=https://getfedora.org/static/fedora.gpg
+gpgkey=https://fedoraproject.org/fedora.gpg
 skip_if_unavailable=False

templates/rhel10.repo.j2

@@ -0,0 +1,13 @@
+[rhel10-baseos]
+name=RHEL 10 BaseOS
+baseurl=file:///usr/local/install/redhat/dvd/BaseOS
+enabled=1
+gpgcheck=0
+gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release
+
+[rhel10-appstream]
+name=RHEL 10 AppStream
+baseurl=file:///usr/local/install/redhat/dvd/AppStream
+enabled=1
+gpgcheck=0
+gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release

templates/rhel8.repo.j2

@@ -0,0 +1,13 @@
+[rhel8-baseos]
+name=RHEL 8 BaseOS
+baseurl=file:///usr/local/install/redhat/dvd/BaseOS
+enabled=1
+gpgcheck=0
+gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release
+
+[rhel8-appstream]
+name=RHEL 8 AppStream
+baseurl=file:///usr/local/install/redhat/dvd/AppStream
+enabled=1
+gpgcheck=0
+gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release

templates/rhel9.repo.j2

@@ -0,0 +1,13 @@
+[rhel9-baseos]
+name=RHEL 9 BaseOS
+baseurl=file:///usr/local/install/redhat/dvd/BaseOS
+enabled=1
+gpgcheck=0
+gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release
+
+[rhel9-appstream]
+name=RHEL 9 AppStream
+baseurl=file:///usr/local/install/redhat/dvd/AppStream
+enabled=1
+gpgcheck=0
+gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release

vars_example.yml

@@ -1,15 +1,18 @@
-ansible_user: "{{ user_name }}"
+vm_ip: "{{ inventory_hostname }}"
-ansible_password: "{{ user_password }}"
-ansible_become_password: "{{ user_password }}"
-ansible_ssh_extra_args: '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
-
-vm_ip: "{{ inventory_hostname }}/24"
 install_type: "virtual"
-cis: false
 
 hypervisor_url:      "192.168.0.2"
 hypervisor_username: "root@pam"
 hypervisor_password: "SomePassword"
 hypervisor_node:     "NodeName"
 hypervisor_storage:  "local-btrfs"
-boot_iso: "local-btrfs:iso/archlinux-x86_64.iso"
+
+# For VMware-Tools
+ansible_vmware_host: "{{ hypervisor_url }}"
+ansible_vmware_user: "{{ hypervisor_username }}"
+ansible_vmware_password: "{{ hypervisor_password }}"
+ansible_vmware_guest_path: "/{{ hypervisor_cluster }}/vm{{ vm_path }}/{{ hostname }}"
+ansible_vmware_validate_certs: no 
+ansible_vmware_tools_user: "root"
+ansible_vmware_tools_password: ""
+vmware_ssh: true