sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sandwich:c8d3de3d8db407439bdbf5241a75d79cee79445b
Branches Tags
sandwich:master sandwich:rhel
..
compare: sandwich:master
Branches Tags
sandwich:master sandwich:rhel

23 Commits
c8d3de3d8d ... master

Author SHA1 Message Date
Sandwich
378d9a88c2 Add Debian 13 (Trixie) support 2025-08-11 21:37:25 +02:00
Sandwich
905043baf3 Update doc to Fedora 42 2025-07-07 15:24:17 +02:00
Sandwich
9164815185 Fix rhel10 variable assertion 2025-07-06 04:36:55 +02:00
Sandwich
81f15fffb7 use proper datacenter variable 2025-07-06 04:34:16 +02:00
Sandwich
d454c3cd82 Update Fedora to 42 2025-07-06 04:28:59 +02:00
Sandwich
9ffb2aa69f Use the proper property name 2025-06-24 16:57:18 +02:00
Sandwich
6d843ff409 Fix VM state after cleanup 2025-06-24 16:54:57 +02:00
Sandwich
775dbefa67 use proper filename for role variables 2025-06-17 06:34:39 +02:00
Sandwich
06823044dd Update ubuntu to plucky release 2025-06-17 03:57:58 +02:00
Sandwich
919c44bb29 Add rhel10 support 2025-06-17 03:13:30 +02:00
Sandwich
0d01f2afdc Add ncurses-term package to ubuntu for more legacy terminal descriptors 2025-05-30 09:48:55 +02:00
Sandwich
e532dcac16 Add ncurses-term package for legacy ssh client (terminal descriptors) 2025-05-30 09:14:21 +02:00
Sandwich
6cbecf2db0 Add vm_dns_search to hostname if set 2025-05-26 14:37:28 +02:00
Sandwich
d612f9dabb Improve SSH CIS hardening 2025-05-04 01:41:00 +02:00
Sandwich
00c3cd5180 Fix Typo 2025-04-29 20:30:02 +02:00
Sandwich
fef1f44a07 Improve Arch packages + Disable swap before unmounting 2025-04-29 20:28:55 +02:00
Sandwich
e1464562f7 Document vmware_ssh variable 2025-03-25 13:13:06 +01:00
Sandwich
60c552be45 Fix vm creation when no rhel_iso for vmware 2025-02-20 16:00:39 +01:00
Sandwich
c96fcf5e96 Increase max home size to 20GB 2025-02-18 21:39:58 +01:00
Sandwich
4e70ee2e3e Add guest_id since its necessary 2025-02-17 21:38:56 +01:00
Sandwich
81bbd2b22a Implement VMware annotation 2025-02-17 21:17:18 +01:00
Sandwich
e65fbfd570 Improve Partition calculation algorithm 2025-02-17 20:43:45 +01:00
Sandwich
122bd5cdf4 Add DNS Search option 2025-02-10 15:16:15 +01:00
15 changed files with 332 additions and 206 deletions
Expand all files Collapse all files

87
README.md
View File

@@ -3,9 +3,11 @@
An Ansible playbook for automating system bootstrap processes in an Infrastructure-as-Code manner, utilizing ArchISO as the foundational tool. An Ansible playbook for automating system bootstrap processes in an Infrastructure-as-Code manner, utilizing ArchISO as the foundational tool.
# Info # Info
Most of the roles are adaptable for use with systems beyond ArchLinux, requiring only that the target system can install a necessary package manager, such as `dnf` for RHEL-based systems. Additionally, a replacement for the `arch-chroot` command may be required for these systems. Most of the roles are adaptable for use with systems beyond ArchLinux, requiring only that the target system can install a necessary package manager, such as `dnf` for RHEL-based systems. Additionally, a replacement for the `arch-chroot` command may be required for these systems.
**NOTE**: **NOTE**:
- For RHEL 8 and RHEL 9, repository access requires the `rhel_iso` variable. This variable specifies a local ISO or proxy repository. - For RHEL 8 and RHEL 9, repository access requires the `rhel_iso` variable. This variable specifies a local ISO or proxy repository.
- RHEL systems do not support `btrfs`. Use `ext4` or `xfs` as alternatives. - RHEL systems do not support `btrfs`. Use `ext4` or `xfs` as alternatives.
- For RHEL 8, `xfs` may cause installation issues; `ext4` is recommended. - For RHEL 8, `xfs` may cause installation issues; `ext4` is recommended.
@@ -15,16 +17,18 @@ Most of the roles are adaptable for use with systems beyond ArchLinux, requiring
This playbook supports multiple Linux distributions with specific versions tailored to each. Below is a list of supported distributions: This playbook supports multiple Linux distributions with specific versions tailored to each. Below is a list of supported distributions:
| `os` | Distribution | | `os` | Distribution |
|------------|------------------------------------| | ---------- | ---------------------------------- |
| archlinux | ArchLinux (Latest rolling release) | | archlinux | ArchLinux (Latest rolling release) |
| almalinux | AlmaLinux 9.x | | almalinux | AlmaLinux 9.x |
| debian11 | Debian 11 (Bullseye) | | debian11 | Debian 11 (Bullseye) |
| debian12 | Debian 12 (Bookworm) | | debian12 | Debian 12 (Bookworm) |
| fedora | Fedora 41 | | debian13 | Debian 13 (Trixie) |
| fedora | Fedora 42 |
| rhel8 | Red Hat Enterprise Linux 8 | | rhel8 | Red Hat Enterprise Linux 8 |
| rhel9 | Red Hat Enterprise Linux 9 | | rhel9 | Red Hat Enterprise Linux 9 |
| rhel10 | Red Hat Enterprise Linux 10 |
| rocky | Rocky Linux 9.x | | rocky | Rocky Linux 9.x |
| ubuntu | Ubuntu 24.10 (Oracular Oriole) | | ubuntu | Ubuntu 25.04 (Plucky Puffin) |
| ubuntu-lts | Ubuntu 24.04 LTS (Noble Numbat) | | ubuntu-lts | Ubuntu 24.04 LTS (Noble Numbat) |
# Documentation # Documentation
@@ -47,20 +51,22 @@ The playbook uses the ArchLinux ISO as a foundational tool to provides an effici
Global variables apply across your Ansible project and are loaded from `vars.yml` by default. These variables define common settings such as hypervisor connection details and the boot ISO path. They can be overridden by inventory variables for specific hosts or VMs if needed. Global variables apply across your Ansible project and are loaded from `vars.yml` by default. These variables define common settings such as hypervisor connection details and the boot ISO path. They can be overridden by inventory variables for specific hosts or VMs if needed.
| Variable | Description | Example Value | | Variable | Description | Example Value |
|-----------------------|--------------------------------------------------------------------|-----------------------------------------| | ----------------------- | ---------------------------------------------------------- | ----------------------------------------- |
| `boot_iso` | Path to the boot ISO image. | `local-btrfs:iso/archlinux-x86_64.iso` | | `boot_iso` | Path to the boot ISO image. | `local-btrfs:iso/archlinux-x86_64.iso` |
| `rhel_iso` | Path to the RHEL ISO file, required for RHEL 8 and RHEL 9. |`local-btrfs:iso/rhel-9.4-x86_64-dvd.iso`| | `rhel_iso` | Path to the RHEL ISO file, required for RHEL 8 and RHEL 9. | `local-btrfs:iso/rhel-9.4-x86_64-dvd.iso` |
| `hypervisor` | Type of hypervisor. | `libvirt`, `proxmox`, `vmware`, `none` | | `hypervisor` | Type of hypervisor. | `libvirt`, `proxmox`, `vmware`, `none` |
| `hypervisor_cluster` | Name of the hypervisor cluster. | `default-cluster` | | `vmware_ssh` | If Ansible should use SSH after base VM setup on VMware. | `true`, `false (default)` |
| `hypervisor_node` | Hypervisor node name. | `node01` | | `hypervisor_datacenter` | Name of the hypervisor datacenter. | `default-datacenter` |
| `hypervisor_password` | Password for hypervisor authentication. | `123456` | | `hypervisor_cluster` | Name of the hypervisor cluster. | `default-cluster` |
| `hypervisor_storage` | Storage identifier for VM disks. | `local-btrfs` | | `hypervisor_node` | Hypervisor node name. | `node01` |
| `hypervisor_url` | URL/IP address for the hypervisor interface. | `192.168.0.2` | | `hypervisor_password` | Password for hypervisor authentication. | `123456` |
| `hypervisor_username` | Username for hypervisor authentication. | `root@pam` | | `hypervisor_storage` | Storage identifier for VM disks. | `local-btrfs` |
| `install_drive` | Drive where the system will be installed. | `/dev/sda` | | `hypervisor_url` | URL/IP address for the hypervisor interface. | `192.168.0.2` |
| `install_type` | Type of installation. | `virtual`, `physical` | | `hypervisor_username` | Username for hypervisor authentication. | `root@pam` |
| `vlan_name` (optional)| VLAN for the VM's network interface. | `vlan100` | | `install_drive` | Drive where the system will be installed. | `/dev/sda` |
| `install_type` | Type of installation. | `virtual`, `physical` |
| `vlan_name` (optional) | VLAN for the VM's network interface. | `vlan100` |
To protect sensitive information, such as passwords, API keys, and other confidential variables (e.g., `hypervisor_password`), **it is recommended to use Ansible Vault**. To protect sensitive information, such as passwords, API keys, and other confidential variables (e.g., `hypervisor_password`), **it is recommended to use Ansible Vault**.
@@ -68,29 +74,30 @@ To protect sensitive information, such as passwords, API keys, and other confide
Inventory variables are defined for individual hosts or VMs in the inventory file, allowing customization of settings such as the operating system, filesystem, and compliance with CIS benchmarks. These variables can be set globally and overridden for specific hosts or VMs. Inventory variables are defined for individual hosts or VMs in the inventory file, allowing customization of settings such as the operating system, filesystem, and compliance with CIS benchmarks. These variables can be set globally and overridden for specific hosts or VMs.
| Variable | Description | Example Value | | Variable | Description | Example Value |
|-------------------------|-----------------------------------------------------------------------------------|----------------------------------------------------| | --------------------- | -------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false` | | `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false` |
| `selinux` (optional) | Toggle SELinux, `false` means it should be disabled.` | `true`, `false` | | `selinux` (optional) | Toggle SELinux, `false` means it should be disabled.` | `true`, `false` |
| `filesystem` | Filesystem type for the VM's primary storage. | `btrfs`, `ext4`, `xfs` | | `filesystem` | Filesystem type for the VM's primary storage. | `btrfs`, `ext4`, `xfs` |
| `hostname` | The hostname assigned to the virtual machine or system. | `vm01` | | `hostname` | The hostname assigned to the virtual machine or system. | `vm01` |
| `os` | Operating system to be installed on the VM. | `archlinux`, `almalinux`, `debian11`, `debian12`, `fedora`, `rhel8`, `rhel9`, `rocky`, `ubuntu`, `ubuntu-lts` | | `os` | Operating system to be installed on the VM. | `archlinux`, `almalinux`, `debian11`, `debian12`, `fedora`, `rhel8`, `rhel9`, `rhel10`, `rocky`, `ubuntu`, `ubuntu-lts` |
| `root_password` | Root password for the VM or system, used for initial setup or secure access. | `SecurePass123` | | `root_password` | Root password for the VM or system, used for initial setup or secure access. | `SecurePass123` |
| `user_name` | Username for a user account within the VM, often used with cloud-init. | `adminuser` | | `user_name` | Username for a user account within the VM, often used with cloud-init. | `adminuser` |
| `user_password` | Password for the user account within the VM. | `UserPass123` | | `user_password` | Password for the user account within the VM. | `UserPass123` |
| `user_public_key` | SSH Key for the user account within the VM. | `ssh-ed25519 AAAAC` | | `user_public_key` | SSH Key for the user account within the VM. | `ssh-ed25519 AAAAC` |
| `vm_ballo` (optional) | Ballooning memory size for the VM, used to adjust memory allocation dynamically. | `2048` | | `vm_ballo` (optional) | Ballooning memory size for the VM, used to adjust memory allocation dynamically. | `2048` |
| `vm_cpus` | Number of CPU cores assigned to the virtual machine. | `4` | | `vm_cpus` | Number of CPU cores assigned to the virtual machine. | `4` |
| `vm_dns` | DNS server IP address(es) for the virtual machine's network configuration. | `1.0.0.1`, `1.1.1.1` | | `vm_dns` | DNS server IP address(es) for the virtual machine's network configuration. | `1.0.0.1`, `1.1.1.1` |
| `vm_gw` | Default gateway IP address for the virtual machine's network configuration. | `192.168.0.1` | | `vm_dns_search` | DNS search zone for the virtual machine's network configuration. | `example.com` |
| `vm_id` | Unique identifier for the virtual machine. | `101` | | `vm_gw` | Default gateway IP address for the virtual machine's network configuration. | `192.168.0.1` |
| `vm_ip` | IP address assigned to the virtual machine. | `192.168.0.10` | | `vm_id` | Unique identifier for the virtual machine. | `101` |
| `vm_nm` (optional) | IP address netmask assigned to the virtual machine. | `255.255.255.0` | | `vm_ip` | IP address assigned to the virtual machine. | `192.168.0.10` |
| `vm_nms` (optional) | IP address netmask assigned to the virtual machine. | `24` | | `vm_nm` (optional) | IP address netmask assigned to the virtual machine. | `255.255.255.0` |
| `vm_memory` | Amount of memory (in MB) allocated to the virtual machine. | `2048` | | `vm_nms` (optional) | IP address netmask assigned to the virtual machine. | `24` |
| `vm_nif` | Network interface type or identifier for the VM's network connection. | `vmbr0` | | `vm_memory` | Amount of memory (in MB) allocated to the virtual machine. | `2048` |
| `vm_path (optional)` | Path or folder where the VM configuration or related files will be stored. | `/var/lib/libvirt/images/` | | `vm_nif` | Network interface type or identifier for the VM's network connection. | `vmbr0` |
| `vm_size` | Disk size allocated for the VM's primary storage (in GB). | `20` | | `vm_path (optional)` | Path or folder where the VM configuration or related files will be stored. | `/var/lib/libvirt/images/` |
| `vm_size` | Disk size allocated for the VM's primary storage (in GB). | `20` |
## 4. How to Use the Playbook ## 4. How to Use the Playbook

1
inventory_example.yml
View File

@@ -19,6 +19,7 @@ all:
vm_nif: vmbr1 vm_nif: vmbr1
vm_gw: 192.168.122.1 vm_gw: 192.168.122.1
vm_dns: 1.1.1.1 vm_dns: 1.1.1.1
vm_dns_search: "example.com"
192.168.122.11: 192.168.122.11:
hostname: database hostname: database
vm_id: 101 vm_id: 101

13
main.yml
View File

@@ -9,7 +9,7 @@
prompt: | prompt: |
What is your username? What is your username?
private: false private: false
- name: user_public_key - name: user_public_key
prompt: | prompt: |
What is your ssh key? What is your ssh key?
@@ -27,10 +27,14 @@
vars_files: vars.yml vars_files: vars.yml
pre_tasks: pre_tasks:
- name: Set ansible_python_interpreter - name: Set ansible_python_interpreter
when: os | lower in ["almalinux", "rhel9", "rhel8", "rocky"] when: os | lower in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"]
ansible.builtin.set_fact: ansible.builtin.set_fact:
ansible_python_interpreter: /usr/bin/python3 ansible_python_interpreter: /usr/bin/python3
- name: Set default variables
ansible.builtin.set_fact:
cis: false
- name: Set SSH Access - name: Set SSH Access
when: hypervisor != "vmware" when: hypervisor != "vmware"
ansible.builtin.set_fact: ansible.builtin.set_fact:
@@ -45,8 +49,8 @@
- hypervisor in ["libvirt", "proxmox", "vmware", "none"] - hypervisor in ["libvirt", "proxmox", "vmware", "none"]
- filesystem in ["btrfs", "ext4", "xfs"] - filesystem in ["btrfs", "ext4", "xfs"]
- install_drive is defined - install_drive is defined
- os in ["archlinux", "almalinux", "debian11", "debian12", "fedora", "rhel8", "rhel9", "rocky", "ubuntu", "ubuntu-lts"] - os in ["archlinux", "almalinux", "debian11", "debian12", "debian13", "fedora", "rhel8", "rhel9", "rhel10", "rocky", "ubuntu", "ubuntu-lts"]
- os not in ["rhel8", "rhel9"] or rhel_iso is defined - os not in ["rhel8", "rhel9", "rhel10"] or rhel_iso is defined
- (filesystem == "btrfs" and (vm_size | int) >= 10) or (filesystem != "btrfs" and (vm_size | int) >= 20) - (filesystem == "btrfs" and (vm_size | int) >= 10) or (filesystem != "btrfs" and (vm_size | int) >= 20)
- (vm_size | float) >= ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory | float / 2048), [vm_memory | float / 1024, 4.0] | max) + 16) - (vm_size | float) >= ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory | float / 2048), [vm_memory | float / 1024, 4.0] | max) + 16)
fail_msg: Invalid input specified, please try again. fail_msg: Invalid input specified, please try again.
@@ -97,4 +101,3 @@
when: not (hypervisor == 'vmware' and cis | bool) when: not (hypervisor == 'vmware' and cis | bool)
ansible.builtin.wait_for_connection: ansible.builtin.wait_for_connection:
timeout: 300 timeout: 300

37
roles/bootstrap/tasks/main.yml
View File

@@ -1,26 +1,21 @@
--- ---
- name: Include Packages
ansible.builtin.include_vars:
file: packages.yml
name: role_packages
- name: Run OS-specific bootstrap process - name: Run OS-specific bootstrap process
block: block:
- name: Bootstrap ArchLinux - name: Bootstrap ArchLinux
when: os | lower == 'archlinux' when: os | lower == 'archlinux'
ansible.builtin.command: pacstrap /mnt {{ role_packages.archlinux | join(' ') }} --asexplicit ansible.builtin.command: pacstrap /mnt {{ archlinux | join(' ') }} --asexplicit
changed_when: result.rc == 0 changed_when: result.rc == 0
register: result register: result
- name: Bootstrap Debian System - name: Bootstrap Debian System
when: os | lower in ['debian11', 'debian12'] when: os | lower in ['debian11', 'debian12', 'debian13']
ansible.builtin.command: "{{ item }}" ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0 changed_when: result.rc == 0
register: result register: result
with_items: with_items:
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }} - debootstrap --include={{ vars[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' if os == 'debian12' else 'trixie' }}
/mnt http://deb.debian.org/debian/ /mnt http://deb.debian.org/debian/
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }} - arch-chroot /mnt apt install -y {{ vars[os].extra | join(' ') }}
- arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data - arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data
- name: Bootstrap Ubuntu System - name: Bootstrap Ubuntu System
@@ -29,12 +24,12 @@
changed_when: result.rc == 0 changed_when: result.rc == 0
register: result register: result
with_items: with_items:
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'oracular' if os == 'ubuntu' else 'noble' }} - debootstrap --include={{ vars[os].base | join(',') }} {{ 'plucky' if os == 'ubuntu' else 'noble' }}
/mnt http://archive.ubuntu.com/ubuntu/ /mnt http://archive.ubuntu.com/ubuntu/
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list - arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
- arch-chroot /mnt apt update -y - arch-chroot /mnt apt update -y
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }} - arch-chroot /mnt apt install -y {{ vars[os].extra | join(' ') }}
- name: Bootstrap AlmaLinux 9 - name: Bootstrap AlmaLinux 9
when: os | lower == 'almalinux' when: os | lower == 'almalinux'
@@ -44,18 +39,18 @@
with_items: with_items:
- dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core - dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.almalinux | join(' ') }} - arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ almalinux | join(' ') }}
- name: Bootstrap Fedora 41 - name: Bootstrap Fedora 42
when: os | lower == 'fedora' when: os | lower == 'fedora'
ansible.builtin.command: "{{ item }}" ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0 changed_when: result.rc == 0
register: result register: result
with_items: with_items:
- dnf --releasever=41 --best --repo=fedora --repo=fedora-updates - dnf --releasever=42 --best --repo=fedora --repo=fedora-updates
--installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=41 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }} - arch-chroot /mnt dnf --releasever=42 --setopt=install_weak_deps=False install -y {{ fedora | join(' ') }}
- arch-chroot /mnt dnf reinstall -y kernel-core - arch-chroot /mnt dnf reinstall -y kernel-core
- name: Bootstrap RockyLinux 9 - name: Bootstrap RockyLinux 9
@@ -68,14 +63,14 @@
--setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists --setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
groupinstall -y base core groupinstall -y base core
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.rocky | join(' ') }} - arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ rocky | join(' ') }}
- name: Bootstrap RHEL System - name: Bootstrap RHEL System
when: os | lower in ['rhel8', 'rhel9'] when: os | lower in ['rhel8', 'rhel9', 'rhel10']
block: block:
- name: Install base packages in chroot environment - name: Install base packages in chroot environment
ansible.builtin.command: >- ansible.builtin.command: >-
dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --repo={{ os | lower }}-baseos dnf --releasever={{ os | lower | replace('rhel', '') }} --repo={{ os | lower }}-baseos
--installroot=/mnt --installroot=/mnt
--setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists --setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
groupinstall -y core base standard groupinstall -y core base standard
@@ -95,12 +90,12 @@
ansible.builtin.copy: ansible.builtin.copy:
src: /etc/yum.repos.d/{{ os | lower }}.repo src: /etc/yum.repos.d/{{ os | lower }}.repo
dest: /mnt/etc/yum.repos.d/redhat.repo dest: /mnt/etc/yum.repos.d/redhat.repo
mode: '0644' mode: "0644"
remote_src: true remote_src: true
- name: Install additional packages in chroot - name: Install additional packages in chroot
ansible.builtin.command: >- ansible.builtin.command: >-
arch-chroot /mnt dnf --releasever={{ '8' if os == 'rhel8' else '9' }} arch-chroot /mnt dnf --releasever={{ os | lower | replace('rhel', '') }}
--setopt=install_weak_deps=False install -y {{ role_packages[os] | join(' ') }} --setopt=install_weak_deps=False install -y {{ vars[os] | join(' ') }}
changed_when: result.rc == 0 changed_when: result.rc == 0
register: result register: result

85
roles/bootstrap/vars/packages.yml → roles/bootstrap/vars/main.yml
View File

@@ -28,6 +28,7 @@ archlinux:
- cronie - cronie
- dhcpcd - dhcpcd
- efibootmgr - efibootmgr
- fastfetch
- firewalld - firewalld
- fish - fish
- fzf - fzf
@@ -40,7 +41,6 @@ archlinux:
- lsof - lsof
- lvm2 - lvm2
- ncdu - ncdu
- neofetch
- networkmanager - networkmanager
- nfs-utils - nfs-utils
- open-vm-tools - open-vm-tools
@@ -51,9 +51,9 @@ archlinux:
- qemu-guest-agent - qemu-guest-agent
- reflector - reflector
- rsync - rsync
- screen
- sudo - sudo
- tldr - tldr
- tmux
- vim - vim
- wireguard-tools - wireguard-tools
- zram-generator - zram-generator
@@ -157,6 +157,55 @@ debian12:
- wget - wget
- zstd - zstd
debian13:
base:
- btrfs-progs
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- linux-image-amd64
- locales
- logrotate
- lvm2
- xfsprogs
extra:
- apparmor-utils
- bat
- chrony
- curl
- duf
- entr
- fastfetch
- firewalld
- fish
- fzf
- htop
- jq
- libpam-pwquality
- logrotate
- lrzsz
- mtr
- ncdu
- net-tools
- network-manager
- open-vm-tools
- openssh-server
- python-is-python3
- python3
- ripgrep
- rsync
- screen
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- vim
- wget
- zstd
fedora: fedora:
- bat - bat
- bind-utils - bind-utils
@@ -164,10 +213,8 @@ fedora:
- cronie - cronie
- dhcp-client - dhcp-client
- duf - duf
- dust
- efibootmgr - efibootmgr
- entr - entr
- eza
- fish - fish
- fzf - fzf
- glibc-langpack-de - glibc-langpack-de
@@ -202,11 +249,14 @@ rhel8:
- glibc-langpack-en - glibc-langpack-en
- grub2 - grub2
- grub2-efi-x64 - grub2-efi-x64
- grub2-tools-extra
- lrzsz - lrzsz
- lvm2 - lvm2
- mtr - mtr
- ncurses-term
- nfs-utils - nfs-utils
- open-vm-tools - open-vm-tools
- policycoreutils-python-utils
- python39 - python39
- shim - shim
- tmux - tmux
@@ -221,11 +271,36 @@ rhel9:
- glibc-langpack-en - glibc-langpack-en
- grub2 - grub2
- grub2-efi - grub2-efi
- grub2-tools-extra
- lrzsz - lrzsz
- lvm2 - lvm2
- mtr - mtr
- ncurses-term
- nfs-utils - nfs-utils
- open-vm-tools - open-vm-tools
- policycoreutils-python-utils
- python
- shim
- tmux
- vim
- zram-generator
- zstd
rhel10:
- bind-utils
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- kernel
- lrzsz
- lvm2
- mtr
- ncurses-term
- nfs-utils
- open-vm-tools
- policycoreutils-python-utils
- python - python
- shim - shim
- tmux - tmux
@@ -294,6 +369,7 @@ ubuntu:
- lrzsz - lrzsz
- mtr - mtr
- ncdu - ncdu
- ncurses-term
- net-tools - net-tools
- network-manager - network-manager
- open-vm-tools - open-vm-tools
@@ -353,6 +429,7 @@ ubuntu-lts:
- lrzsz - lrzsz
- mtr - mtr
- ncdu - ncdu
- ncurses-term
- net-tools - net-tools
- network-manager - network-manager
- open-vm-tools - open-vm-tools

68
roles/cis/tasks/main.yml
View File

@@ -4,7 +4,7 @@
- name: Disable Kernel Modules - name: Disable Kernel Modules
ansible.builtin.copy: ansible.builtin.copy:
dest: /mnt/etc/modprobe.d/cis.conf dest: /mnt/etc/modprobe.d/cis.conf
mode: '0644' mode: "0644"
content: | content: |
CIS LVL 3 Restrictions CIS LVL 3 Restrictions
install freevxfs /bin/false install freevxfs /bin/false
@@ -24,7 +24,7 @@
- name: Create USB Rules - name: Create USB Rules
ansible.builtin.copy: ansible.builtin.copy:
dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh
mode: '0644' mode: "0644"
content: | content: |
By default, disable all. By default, disable all.
ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0" ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
@@ -41,7 +41,7 @@
- name: Create a consolidated sysctl configuration file - name: Create a consolidated sysctl configuration file
ansible.builtin.copy: ansible.builtin.copy:
dest: /mnt/etc/sysctl.d/10-cis.conf dest: /mnt/etc/sysctl.d/10-cis.conf
mode: '0644' mode: "0644"
content: | content: |
## CIS Sysctl configurations ## CIS Sysctl configurations
kernel.yama.ptrace_scope=1 kernel.yama.ptrace_scope=1
@@ -69,7 +69,6 @@
net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1
# - name: Adjust login.defs # - name: Adjust login.defs
# replace: # replace:
# path: /mnt/etc/login.defs # path: /mnt/etc/login.defs
@@ -95,9 +94,10 @@
- /mnt/etc/pam.d/password-auth - /mnt/etc/pam.d/password-auth
- name: Configure System Cryptography Policy - name: Configure System Cryptography Policy
when: os in ["almalinux", "rhel9", "rocky"] when: os in ["almalinux", "rhel9", "rhel10", "rocky"]
ansible.builtin.command: ansible.builtin.command: arch-chroot /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
arch-chroot /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1 register: crypto_policy_result
changed_when: "'Setting system-wide crypto-policies to' in crypto_policy_result.stdout"
- name: Mask Systemd Services - name: Mask Systemd Services
ansible.builtin.command: > ansible.builtin.command: >
@@ -136,18 +136,39 @@
- { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 } - { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 } - { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 } - { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 }
- { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] else "bash.bashrc" }}', content: umask 077 } - {
- { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] else "bash.bashrc" }}', content: export TMOUT=3000 } path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rhel10", "rocky"] else "bash.bashrc" }}',
- { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent } content: umask 077,
- { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" } }
- {
path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rhel10", "rocky"] else "bash.bashrc" }}',
content: export TMOUT=3000,
}
- {
path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}',
content: Storage=persistent,
}
- {
path: /mnt/etc/sudoers,
content: Defaults logfile="/var/log/sudo.log",
}
- { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so } - { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
- { path: '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] - {
else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}', path:
content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900 } '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
- { path: '/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}',
if os == "fedora" else "pam.d/system-auth" }}', content: account required pam_faillock.so } content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900,
- { path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}', }
content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" } - {
path:
'/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth"
if os == "fedora" else "pam.d/system-auth" }}',
content: account required pam_faillock.so,
}
- {
path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}',
content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5",
}
- { path: /mnt/etc/hosts.deny, content: "ALL: ALL" } - { path: /mnt/etc/hosts.deny, content: "ALL: ALL" }
- { path: /mnt/etc/hosts.allow, content: "sshd: ALL" } - { path: /mnt/etc/hosts.allow, content: "sshd: ALL" }
@@ -167,8 +188,8 @@
{ "path": "/mnt/etc/cron.d", "mode": "0700" }, { "path": "/mnt/etc/cron.d", "mode": "0700" },
{ "path": "/mnt/etc/crontab", "mode": "0600" }, { "path": "/mnt/etc/crontab", "mode": "0600" },
{ "path": "/mnt/etc/logrotate.conf", "mode": "0644" }, { "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
{ "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9"] else None, { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9", "rhel10"] else None,
{ "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["almalinux", "archlinux", "debian12", "fedora", "rhel9", "rocky"] { "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["almalinux", "archlinux", "debian12", "fedora", "rhel9", "rhel10", "rocky"]
else "fusermount"), "mode": "755" }, else "fusermount"), "mode": "755" },
{ "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" } { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" }
] | reject("none") }} ] | reject("none") }}
@@ -214,9 +235,10 @@
### Ciphers and keying ### ### Ciphers and keying ###
RekeyLimit 512M 6h RekeyLimit 512M 6h
KexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
########################### ###########################
AllowStreamLocalForwarding no AllowStreamLocalForwarding no

7
roles/cleanup/tasks/main.yml
View File

@@ -3,6 +3,11 @@
vars: vars:
ansible_connection: ssh ansible_connection: ssh
block: block:
- name: Disable Swap
ansible.builtin.command: swapoff -a
register: swapoff_result
changed_when: swapoff_result.rc == 0
- name: Unmount /mnt if mounted - name: Unmount /mnt if mounted
ansible.builtin.command: umount -R /mnt ansible.builtin.command: umount -R /mnt
register: unmount_result register: unmount_result
@@ -88,7 +93,7 @@
validate_certs: false validate_certs: false
datacenter: "{{ hypervisor_cluster }}" datacenter: "{{ hypervisor_cluster }}"
name: "{{ hostname }}" name: "{{ hostname }}"
state: restarted state: powered-on
- name: Remove Archiso and cloud-init disks - name: Remove Archiso and cloud-init disks
when: hypervisor == "libvirt" when: hypervisor == "libvirt"

98
roles/configuration/tasks/main.yml
View File

@@ -7,24 +7,25 @@
register: result register: result
- name: Remove depricated attr2 and disable large extent - name: Remove depricated attr2 and disable large extent
when: os in ["almalinux", "rhel8", "rhel9", "rocky"] and filesystem == "xfs" when: os in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"] and filesystem == "xfs"
ansible.builtin.replace: ansible.builtin.replace:
path: /mnt/etc/fstab path: /mnt/etc/fstab
regexp: '(xfs.*?)(attr2)' regexp: "(xfs.*?)(attr2)"
replace: '\1allocsize=64m' replace: '\1allocsize=64m'
- name: Replace ISO UUID entry with /dev/sr0 in fstab - name: Replace ISO UUID entry with /dev/sr0 in fstab
when: os in ["rhel8", "rhel9"] when: os in ["rhel8", "rhel9", "rhel10"]
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/fstab path: /mnt/etc/fstab
regexp: '^.*\/dvd.*$' regexp: '^.*\/dvd.*$'
line: "{{ '/usr/local/install/redhat/rhel.iso /usr/local/install/redhat/dvd iso9660 loop,nofail 0 0' if hypervisor == 'vmware' line:
else '/dev/sr0 /usr/local/install/redhat/dvd iso9660 ro,relatime,nojoliet,check=s,map=n,nofail 0 0' }}" "{{ '/usr/local/install/redhat/rhel.iso /usr/local/install/redhat/dvd iso9660 loop,nofail 0 0' if hypervisor == 'vmware'
else '/dev/sr0 /usr/local/install/redhat/dvd iso9660 ro,relatime,nojoliet,check=s,map=n,nofail 0 0' }}"
state: present state: present
backrefs: true backrefs: true
- name: Write image from RHEL ISO to the target machine - name: Write image from RHEL ISO to the target machine
when: os in ["rhel8", "rhel9"] and hypervisor == 'vmware' when: os in ["rhel8", "rhel9", "rhel10"] and hypervisor == 'vmware'
ansible.builtin.command: dd if=/dev/sr1 of=/mnt/usr/local/install/redhat/rhel.iso bs=4M ansible.builtin.command: dd if=/dev/sr1 of=/mnt/usr/local/install/redhat/rhel.iso bs=4M
changed_when: result.rc == 0 changed_when: result.rc == 0
register: result register: result
@@ -52,7 +53,7 @@
- name: Setup locales - name: Setup locales
block: block:
- name: Configure locale.gen - name: Configure locale.gen
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky'] when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: /mnt/etc/locale.gen dest: /mnt/etc/locale.gen
regexp: "{{ item.regex }}" regexp: "{{ item.regex }}"
@@ -61,34 +62,34 @@
- { regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8 } - { regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8 }
- name: Generate locales - name: Generate locales
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky'] when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen
changed_when: result.rc == 0 changed_when: result.rc == 0
register: result register: result
- name: Set hostname - name: Set hostname
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ hostname }}" content: "{{ hostname }}{% if vm_dns_search is defined and vm_dns_search | length %}.{{ vm_dns_search }}{% endif %}"
dest: /mnt/etc/hostname dest: /mnt/etc/hostname
mode: '0644' mode: "0644"
- name: Add host entry to /etc/hosts - name: Add host entry to /etc/hosts
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/hosts path: /mnt/etc/hosts
line: "{{ ansible_host }} {{ hostname }}" line: "{{ ansible_host }} {{ hostname }}{% if vm_dns_search is defined and vm_dns_search | length %} {{ hostname }}.{{ vm_dns_search }}{% endif %}"
state: present state: present
- name: Create vconsole.conf - name: Create vconsole.conf
ansible.builtin.copy: ansible.builtin.copy:
content: KEYMAP=us content: KEYMAP=us
dest: /mnt/etc/vconsole.conf dest: /mnt/etc/vconsole.conf
mode: '0644' mode: "0644"
- name: Create locale.conf - name: Create locale.conf
ansible.builtin.copy: ansible.builtin.copy:
content: LANG=en_US.UTF-8 content: LANG=en_US.UTF-8
dest: /mnt/etc/locale.conf dest: /mnt/etc/locale.conf
mode: '0644' mode: "0644"
- name: SSH permit Password - name: SSH permit Password
ansible.builtin.replace: ansible.builtin.replace:
@@ -107,7 +108,7 @@
arch-chroot /mnt systemctl enable NetworkManager arch-chroot /mnt systemctl enable NetworkManager
{{ {{
' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else ' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else
(' sshd' if os | lower not in ['debian11', 'debian12'] else '') (' sshd' if os | lower not in ['debian11', 'debian12', 'debian13'] else '')
}} }}
{{ {{
'logrotate systemd-resolved systemd-timesyncd systemd-networkd' 'logrotate systemd-resolved systemd-timesyncd systemd-networkd'
@@ -117,7 +118,7 @@
register: result register: result
- name: Configure grub - name: Configure grub
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky'] when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
block: block:
- name: Add commandline information to grub config - name: Add commandline information to grub config
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
@@ -135,39 +136,38 @@
block: block:
- name: Install Bootloader - name: Install Bootloader
ansible.builtin.command: arch-chroot /mnt ansible.builtin.command: arch-chroot /mnt
{% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %} /usr/sbin/efibootmgr {% if os | lower not in ["archlinux", "debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"] %} /usr/sbin/efibootmgr
-c -L '{{ os }}' -d "{{ install_drive }}" -p 1 -c -L '{{ os }}' -d "{{ install_drive }}" -p 1
-l '\efi\EFI\{% if os | lower in ["rhel8", "rhel9"] %}redhat{% else %}{{ os | lower }}{% endif %}\shimx64.efi' -l '\efi\EFI\{% if os | lower in ["rhel8", "rhel9", "rhel10"] %}redhat{% else %}{{ os | lower }}{% endif %}\shimx64.efi'
{% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{ "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }} {% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{ "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }}
--bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }} --bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
{% endif %} {% endif %}
changed_when: result.rc == 0 changed_when: result.rc == 0
register: result register: result
- name: Generate grub config
ansible.builtin.command: arch-chroot /mnt
{% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}
/usr/sbin/grub2-mkconfig -o /boot/efi/EFI/{% if os | lower in ["rhel8", "rhel9"] %}redhat{% else %}{{ os | lower }}{% endif %}/grub.cfg
{% else %}
/usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }}
{% endif %}
changed_when: result.rc == 0
register: result
- name: Ensure lvm2 for non btrfs filesystems - name: Ensure lvm2 for non btrfs filesystems
when: os | lower == "archlinux" and filesystem != "btrfs" when: os | lower == "archlinux" and filesystem != "btrfs"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf path: /mnt/etc/mkinitcpio.conf
regexp: '^(HOOKS=.*block)(?!.*lvm2)(.*)' regexp: "^(HOOKS=.*block)(?!.*lvm2)(.*)"
line: '\1 lvm2\2' line: '\1 lvm2\2'
backrefs: true backrefs: true
- name: Regenerate initramfs - name: Regenerate initramfs
when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] when: os | lower not in ["debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"]
ansible.builtin.command: arch-chroot /mnt ansible.builtin.command: arch-chroot /mnt
{% if os | lower == "archlinux" %} /usr/sbin/mkinitcpio -P {% if os | lower == "archlinux" %} /usr/sbin/mkinitcpio -P
{% elif os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts", "archlinux"] %} /usr/bin/dracut --regenerate-all --force {% else %} /usr/bin/dracut --regenerate-all --force
{% else %} echo "Skipping initramfs regeneration" {% endif %}
changed_when: result.rc == 0
register: result
- name: Generate grub config
ansible.builtin.command: arch-chroot /mnt
{% if os | lower not in ["archlinux", "debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"] %}
/usr/sbin/grub2-mkconfig -o /boot/efi/EFI/{% if os | lower in ["rhel8", "rhel9", "rhel10"] %}redhat{% else %}{{ os | lower }}{% endif %}/grub.cfg
{% else %}
/usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }}
{% endif %} {% endif %}
changed_when: result.rc == 0 changed_when: result.rc == 0
register: result register: result
@@ -177,8 +177,9 @@
- name: Append vim configurations to vimrc - name: Append vim configurations to vimrc
failed_when: false failed_when: false
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: "{{ '/mnt/etc/vim/vimrc' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] path:
else '/mnt/etc/vimrc' }}" "{{ '/mnt/etc/vim/vimrc' if os | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts']
else '/mnt/etc/vimrc' }}"
block: | block: |
set encoding=utf-8 set encoding=utf-8
set number set number
@@ -199,7 +200,7 @@
vm.dirty_ratio=10 vm.dirty_ratio=10
vm.page-cluster=10 vm.page-cluster=10
marker: "" marker: ""
mode: '0644' mode: "0644"
- name: Create zram config - name: Create zram config
when: os not in ['debian11', 'rhel8'] when: os not in ['debian11', 'rhel8']
@@ -211,13 +212,13 @@
compression-algorithm = zstd compression-algorithm = zstd
swap-priority = 100 swap-priority = 100
fs-type = swap fs-type = swap
mode: '0644' mode: "0644"
- name: Copy Custom Shell config - name: Copy Custom Shell config
ansible.builtin.template: ansible.builtin.template:
src: custom.sh.j2 src: custom.sh.j2
dest: /mnt/etc/profile.d/custom.sh dest: /mnt/etc/profile.d/custom.sh
mode: '0644' mode: "0644"
- name: Create login banner - name: Create login banner
ansible.builtin.copy: ansible.builtin.copy:
@@ -230,13 +231,13 @@
************************************************************** **************************************************************
owner: root owner: root
group: root group: root
mode: '0644' mode: "0644"
loop: loop:
- /mnt/etc/issue - /mnt/etc/issue
- /etc/issue.net - /etc/issue.net
- name: Remove motd files - name: Remove motd files
when: os | lower in ["rhel8", "rhel9"] when: os | lower in ["rhel8", "rhel9", "rhel10"]
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
state: absent state: absent
@@ -272,7 +273,7 @@
ansible.builtin.file: ansible.builtin.file:
path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf
state: touch state: touch
mode: '0644' mode: "0644"
- name: Setup user account - name: Setup user account
block: block:
@@ -280,7 +281,7 @@
ansible.builtin.command: "{{ item }}" ansible.builtin.command: "{{ item }}"
with_items: with_items:
- arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups - arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups
{{ "sudo" if os | lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "wheel" }} {{ "sudo" if os | lower in ["debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"] else "wheel" }}
{{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
- arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash - arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
changed_when: result.rc == 0 changed_when: result.rc == 0
@@ -298,19 +299,22 @@
- name: Give sudo access to wheel group - name: Give sudo access to wheel group
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ '%sudo ALL=(ALL) ALL' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] else '%wheel ALL=(ALL) ALL' }}" content: "{{ '%sudo ALL=(ALL) ALL' if os | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts'] else '%wheel ALL=(ALL) ALL' }}"
dest: /mnt/etc/sudoers.d/01-wheel dest: /mnt/etc/sudoers.d/01-wheel
mode: "0440" mode: "0440"
validate: /usr/sbin/visudo --check --file=%s validate: /usr/sbin/visudo --check --file=%s
- name: Fix SELinux - name: Fix SELinux
when: os | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky'] when: os | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
block: block:
- name: Relabel the filesystem - name: Fix SELinux by pre-labeling the filesystem before first boot
when: os | lower != "fedora" when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and (selinux | default(true) | bool)
ansible.builtin.command: "arch-chroot /mnt /sbin/fixfiles onboot" ansible.builtin.command: >
changed_when: result.rc == 0 arch-chroot /mnt /sbin/setfiles -v -F
register: result -e /dev -e /proc -e /sys -e /run
/etc/selinux/targeted/contexts/files/file_contexts /
register: setfiles_result
changed_when: setfiles_result.rc == 0
- name: Disable SELinux - name: Disable SELinux
when: os | lower == "fedora" or not (selinux | default(true) | bool) when: os | lower == "fedora" or not (selinux | default(true) | bool)

3
roles/configuration/templates/network.j2
View File

@@ -9,6 +9,9 @@ mac-address={{ net_mac.stdout }}
[ipv4] [ipv4]
address={{ vm_ip }}/{{ vm_nms | default (24) }},{{ vm_gw }} address={{ vm_ip }}/{{ vm_nms | default (24) }},{{ vm_gw }}
dns={{ vm_dns }} dns={{ vm_dns }}
{% if vm_dns_search is defined %}
dns-search={{ vm_dns_search }}
{% endif %}
method=manual method=manual
[ipv6] [ipv6]

18
roles/environment/tasks/main.yml
View File

@@ -69,7 +69,7 @@
ansible_user: "root" ansible_user: "root"
ansible_password: "" ansible_password: ""
ansible_become_password: "" ansible_become_password: ""
ansible_ssh_extra_args: '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
- name: Speed-up Bootstrap process - name: Speed-up Bootstrap process
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
@@ -89,22 +89,22 @@
state: latest state: latest
loop: loop:
- { name: glibc } - { name: glibc }
- { name: dnf, os: [almalinux, fedora, rhel9, rhel8, rocky] } - { name: dnf, os: [almalinux, fedora, rhel8, rhel9, rhel10, rocky] }
- { name: debootstrap, os: [debian11, debian12, ubuntu, ubuntu-lts] } - { name: debootstrap, os: [debian11, debian12, debian13, ubuntu, ubuntu-lts] }
- { name: debian-archive-keyring, os: [debian11, debian12] } - { name: debian-archive-keyring, os: [debian11, debian12, debian13] }
- { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] } - { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] }
when: "'os' not in item or os in item.os" when: "'os' not in item or os in item.os"
retries: 4 retries: 4
delay: 15 delay: 15
- name: Prepare /iso mount and repository for RHEL-based systems - name: Prepare /iso mount and repository for RHEL-based systems
when: os | lower in ["rhel8", "rhel9"] when: os | lower in ["rhel8", "rhel9", "rhel10"]
block: block:
- name: Create /iso directory - name: Create /iso directory
ansible.builtin.file: ansible.builtin.file:
path: /usr/local/install/redhat/dvd path: /usr/local/install/redhat/dvd
state: directory state: directory
mode: '0755' mode: "0755"
- name: Mount RHEL ISO - name: Mount RHEL ISO
ansible.posix.mount: ansible.posix.mount:
@@ -115,16 +115,16 @@
state: mounted state: mounted
- name: Configure RHEL Repos for installation - name: Configure RHEL Repos for installation
when: os | lower in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] when: os | lower in ["almalinux", "fedora", "rhel8", "rhel9", "rhel10", "rocky"]
block: block:
- name: Create directories for repository files and RPM GPG keys - name: Create directories for repository files and RPM GPG keys
ansible.builtin.file: ansible.builtin.file:
path: /etc/yum.repos.d path: /etc/yum.repos.d
state: directory state: directory
mode: '0755' mode: "0755"
- name: Create RHEL repository file - name: Create RHEL repository file
ansible.builtin.template: ansible.builtin.template:
src: "{{ os | lower }}.repo.j2" src: "{{ os | lower }}.repo.j2"
dest: /etc/yum.repos.d/{{ os | lower }}.repo dest: /etc/yum.repos.d/{{ os | lower }}.repo
mode: '0644' mode: "0644"

59
roles/partitioning/tasks/main.yml
View File

@@ -9,7 +9,9 @@
loop: loop:
- { cmd: umount -l /mnt } - { cmd: umount -l /mnt }
- { cmd: vgremove -f sys } - { cmd: vgremove -f sys }
- { cmd: 'find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;' } - {
cmd: 'find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;',
}
loop_control: loop_control:
label: "{{ item.cmd }}" label: "{{ item.cmd }}"
@@ -45,42 +47,25 @@
loop: loop:
- lv: root - lv: root
size: >- size: >-
{{ ( {{ [(((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0)) - (((vm_memory | float / 1024) > 16.0)
(vm_size | float - | ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) < 4)
((vm_memory | float / 1024 >= 16.0) | ternary( | ternary(4,((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0)) -
(vm_memory | float / 2048) | int, (((vm_memory | float / 1024) > 16.0)| ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) > 12)
[vm_memory | float / 1024, 4.0] | max | ternary(((vm_size | float) * 0.4) | round(0, 'ceil'),((vm_size | float) - 0.5 - ((cis | bool)
)) - 0.5 - | ternary(7.5, 0)) - (((vm_memory | float / 1024) > 16.0)
(cis | bool | ternary(0, 7.5)) | ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024))))))))), 4 ] | max | string + 'G' }}
) > 12.0
) | ternary(
(vm_size | float * 0.4) | round(0, 'ceil'),
vm_size | float -
((vm_memory | float / 1024 >= 16.0) | ternary(
(vm_memory | float / 2048) | int,
[vm_memory | float / 1024, 4.0] | max
)) - 0.5 -
(cis | bool | ternary(7.5, 0))
) | string + 'G' }}
- lv: swap - lv: swap
size: >- size: >-
{{ ((vm_memory | float / 1024 >= 16.0) | ternary( {{ ((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0))) - (((vm_memory | float / 1024) > 16.0)
(vm_memory | float / 2048) | int, | ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) < 4)
[vm_memory | float / 1024, 4.0] | max | ternary((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0))) - 4), (((vm_memory | float / 1024) > 16.0)
)) | string + 'G' }} | ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) | string + 'G' }}
- lv: home - lv: home
size: "2G" size: "{{ ([([(((vm_size | float) - 20) * 0.1), 2] | max), 20] | min) | string + 'G' }}"
- lv: var - { lv: var, size: "2G" }
size: "2G" - { lv: var_log, size: "2G" }
- { lv: var_log_audit, size: "1.5G" }
- lv: var_log
size: "2G"
- lv: var_log_audit
size: "1.5G"
- name: Create filesystems - name: Create filesystems
block: block:
@@ -155,19 +140,19 @@
- path: /home - path: /home
uuid: "{{ uuid_home[0] | default(omit) }}" uuid: "{{ uuid_home[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}" else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}"
- path: /var - path: /var
uuid: "{{ uuid_var[0] | default(omit) }}" uuid: "{{ uuid_var[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}" else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}"
- path: /var/log - path: /var/log
uuid: "{{ uuid_var_log[0] | default(omit) }}" uuid: "{{ uuid_var_log[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}" else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}"
- path: /var/log/audit - path: /var/log/audit
uuid: "{{ uuid_var_log_audit[0] | default(omit) }}" uuid: "{{ uuid_var_log_audit[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}" else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}"
- name: Mount tmp and var_tmp filesystems - name: Mount tmp and var_tmp filesystems
ansible.posix.mount: ansible.posix.mount:

41
roles/virtualization/tasks/vmware.yml
View File

@@ -5,11 +5,13 @@
username: "{{ hypervisor_username }}" username: "{{ hypervisor_username }}"
password: "{{ hypervisor_password }}" password: "{{ hypervisor_password }}"
validate_certs: false validate_certs: false
datacenter: "{{ hypervisor_cluster }}" datacenter: "{{ hypervisor_datacenter }}"
cluster: "{{ hypervisor_node }}" cluster: "{{ hypervisor_cluster }}"
folder: "{{ vm_path }}" folder: "{{ vm_path }}"
name: "{{ hostname }}" name: "{{ hostname }}"
guest_id: otherGuest64 guest_id: otherLinux64Guest
annotation: |
{{ note | default('') }}
state: poweredon state: poweredon
disk: disk:
- size_gb: "{{ vm_size }}" - size_gb: "{{ vm_size }}"
@@ -20,19 +22,26 @@
num_cpus: "{{ vm_cpus }}" num_cpus: "{{ vm_cpus }}"
boot_firmware: efi boot_firmware: efi
secure_boot: false secure_boot: false
cdrom: cdrom: >-
- controller_number: 0 {{
unit_number: 0 [ {
controller_type: sata "controller_number": 0,
state: present "unit_number": 0,
type: iso "controller_type": "sata",
iso_path: "{{ boot_iso }}" "state": "present",
- controller_number: 0 "type": "iso",
unit_number: 1 "iso_path": boot_iso
controller_type: sata } ]
state: present +
type: iso ( [ {
iso_path: "{{ rhel_iso | default(omit) }}" "controller_number": 0,
"unit_number": 1,
"controller_type": "sata",
"state": "present",
"type": "iso",
"iso_path": rhel_iso
} ] if rhel_iso is defined and rhel_iso|length > 0 else [] )
}}
networks: networks:
- name: "{{ vm_nif }}" - name: "{{ vm_nif }}"
type: dhcp type: dhcp

4
roles/virtualization/templates/cloud-user-data.yml.j2
View File

@@ -1,10 +1,12 @@
#cloud-config #cloud-config
hostname: "archiso" hostname: "archiso"
ssh_pwauth: true ssh_pwauth: true
package_update: false
package_upgrade: false
users: users:
- name: "{{ user_name }}" - name: "{{ user_name }}"
primary_group: "{{ user_name }}" primary_group: "{{ user_name }}"
groups: users groups: users
sudo: ALL=(ALL) NOPASSWD:ALL sudo: ALL=(ALL) NOPASSWD:ALL
passwd: "{{ user_password | password_hash('sha512') }}" passwd: "{{ user_password | password_hash('sha512') }}"
lock_passwd: False lock_passwd: False

4
templates/fedora.repo.j2
View File

@@ -8,7 +8,7 @@ metadata_expire=86400
repo_gpgcheck=0 repo_gpgcheck=0
type=rpm type=rpm
gpgcheck=1 gpgcheck=1
gpgkey=https://getfedora.org/static/fedora.gpg gpgkey=https://fedoraproject.org/fedora.gpg
skip_if_unavailable=False skip_if_unavailable=False
[fedora-updates] [fedora-updates]
@@ -21,5 +21,5 @@ repo_gpgcheck=0
type=rpm type=rpm
gpgcheck=1 gpgcheck=1
metadata_expire=86400 metadata_expire=86400
gpgkey=https://getfedora.org/static/fedora.gpg gpgkey=https://fedoraproject.org/fedora.gpg
skip_if_unavailable=False skip_if_unavailable=False

13
templates/rhel10.repo.j2 Normal file
View File

@@ -0,0 +1,13 @@
[rhel10-baseos]
name=RHEL 10 BaseOS
baseurl=file:///usr/local/install/redhat/dvd/BaseOS
enabled=1
gpgcheck=0
gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release
[rhel10-appstream]
name=RHEL 10 AppStream
baseurl=file:///usr/local/install/redhat/dvd/AppStream
enabled=1
gpgcheck=0
gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release