sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sandwich:d0b26a57effab0f9cd65a7cba304ed2c5db3cbd2
Branches Tags
sandwich:master
...
compare: sandwich:master
Branches Tags
sandwich:master

196 Commits
d0b26a57ef ... master

Author SHA1 Message Date
Sandwich
8056890460 fix(partitioning): add LVM extent headroom 2026-02-06 00:43:02 +01:00
Sandwich
085e16abe9 fix(network): Removes hardcoded MAC-Address from NetworkManager config 
This fixes an issue that in some virtual environments the NICs
MAC-Address gets changes and the config no longer applies.
 2026-01-05 18:22:18 +01:00
Sandwich
23f08b350b refactor(services): remove unnecessary firewalld services disablement. 
It is not needed if the firewalld package is not installed in the first
place
 2026-01-05 18:19:14 +01:00
Sandwich
315fdef69f feat(services): implement SSH server toggeling 2026-01-05 18:18:18 +01:00
Sandwich
2d4127a688 Force local stat for third-party prep tasks 2026-01-02 19:15:34 +01:00
Sandwich
1cc1966b97 Force local connection for third-party prep check 2026-01-02 19:14:11 +01:00
Sandwich
4d72a8999f Run third-party prep check locally 2026-01-02 19:02:00 +01:00
Sandwich
e264d1cabc Fix localhost delegate for third-party prep check 2026-01-02 18:58:40 +01:00
Sandwich
aa6e356444 Add third-party preparation task hook 2026-01-02 18:55:45 +01:00
Sandwich
fe0b72c9d8 Make chroot command configurable 2026-01-02 18:53:55 +01:00
Sandwich
ce972e55dd Add swap_enabled toggle for swap setup 2026-01-02 18:51:27 +01:00
Sandwich
2891de8fef Add zstd toggle for btrfs and zram 2026-01-02 18:47:32 +01:00
Sandwich
696df925c6 Update LVM swap sizing policy 2026-01-02 16:29:24 +01:00
Sandwich
65ef8cb1ca Enforce 20GiB minimum vm_size 2026-01-02 16:18:14 +01:00
Sandwich
396d802dc3 Enable full-disk LVM root sizing 2026-01-02 16:11:06 +01:00
Sandwich
90cc9add01 Use systemd module and link timezone 2026-01-02 16:10:50 +01:00
Sandwich
eeaf3b0f0a Document partitioning overrides and inventory host vars 2026-01-02 16:10:50 +01:00
Sandwich
0a76e07b39 Fix post-reboot extra packages task 2026-01-02 15:55:27 +01:00
Sandwich
82a1548b2e Align ESP sizing to full 512 MiB 2026-01-02 15:10:35 +01:00
Sandwich
95b793885a Mount Debian ESP on /boot/efi without LUKS 2026-01-02 15:10:35 +01:00
Sandwich
f7c020de52 Drop vars.yml usage 2026-01-02 15:10:35 +01:00
Sandwich
7e4c2d87e2 Make inventory examples more generic 2026-01-02 15:10:34 +01:00
Sandwich
bc6bd2823f Inline extra package normalization 2026-01-02 15:10:34 +01:00
Sandwich
01e0ea8b4b Move pre-tasks into global defaults 2026-01-02 15:10:34 +01:00
Sandwich
75395cc8d2 Drop custom_iso_enabled and log defaults 2026-01-02 15:10:34 +01:00
Sandwich
be80c4096c Restore global defaults lint exclusion 2026-01-02 15:10:34 +01:00
Sandwich
f8e3ce62d4 Map global defaults in playbook 2026-01-02 15:10:34 +01:00
Sandwich
78316a8946 Fix lint formatting and exceptions 2026-01-02 15:10:34 +01:00
Sandwich
5226206cab Increase EFI system partition size 2026-01-02 15:10:34 +01:00
Sandwich
d9e42c0c84 Add Molecule scaffolding 2026-01-02 11:26:21 +01:00
Sandwich
b9484dadab Add libvirt inventory matrix example 2026-01-02 11:26:06 +01:00
Sandwich
230b14e2ab Move derived vars into role defaults 2026-01-02 11:25:51 +01:00
Sandwich
f9a8791b4d Add firewalld_enabled toggle 2026-01-02 11:25:40 +01:00
Sandwich
f46dea0748 Define optional defaults and require vm_cpus 2026-01-02 11:25:06 +01:00
Sandwich
b1eedd30dc Move partitioning LUKS defaults into role 2026-01-02 11:23:31 +01:00
Sandwich
98d0a4954d Remove defaults for required vars 2025-12-28 17:10:00 +01:00
Sandwich
fd37b4ee96 Move global defaults into role defaults 2025-12-28 16:47:53 +01:00
Sandwich
7fe2a0dcc1 Normalize user-facing defaults 2025-12-28 16:41:11 +01:00
Sandwich
cc77f646d7 Normalize LUKS boot layout and partitioning defaults 2025-12-28 16:00:49 +01:00
Sandwich
2be6117aac Update Fedora to 43 2025-12-28 04:04:27 +01:00
Sandwich
232ab244ca Restore Debian ESP mount layout 2025-12-28 02:24:33 +01:00
Sandwich
ef945d925a Fix Debian initramfs regeneration 2025-12-28 01:54:14 +01:00
Sandwich
366299ea6d Ensure initramfs-tools for Debian/Ubuntu 2025-12-28 01:29:26 +01:00
Sandwich
3da6894ff1 Enable GRUB cryptodisk defaults 2025-12-28 00:46:09 +01:00
Sandwich
e1db2ce434 Fix bootstrap package list rendering 2025-12-28 00:12:37 +01:00
Sandwich
ae4fb6f43c Condition LUKS and guest tools in bootstrap vars 2025-12-27 23:52:06 +01:00
Sandwich
2c23ce6cbb Fix Debian EFI mount layout 2025-12-27 23:49:21 +01:00
Sandwich
0211efbae7 Docs, examples, and tooling 2025-12-27 23:07:47 +01:00
Sandwich
dda1287f23 CIS role split and permission safety 2025-12-27 22:27:26 +01:00
Sandwich
f62dba3ed6 Cleanup refactor and libvirt removal tooling 2025-12-27 21:44:33 +01:00
Sandwich
f08855456a Virtualization TPM2 and cloud-init fixes 2025-12-27 20:19:11 +01:00
Sandwich
4bce08e77b Partitioning idempotency and filesystem tasks 2025-12-26 23:31:54 +01:00
Sandwich
72ec492a33 LUKS enrollment and RHEL cmdline/BLS 2025-12-26 22:09:08 +01:00
Sandwich
efad1b9a67 Configuration role refactor and network template 2025-12-26 20:38:42 +01:00
Sandwich
732784fa2d Split bootstrap by OS 2025-12-25 22:12:19 +01:00
Sandwich
a71d27c29d Playbook flow and environment prep 2025-12-25 20:47:37 +01:00
Sandwich
7953c2c285 Add Debian 13 (Trixie) support 2025-08-11 21:37:25 +02:00
Sandwich
7a1a44220b Update doc to Fedora 42 2025-07-07 15:24:17 +02:00
Sandwich
970af5ff73 Fix rhel10 variable assertion 2025-07-06 04:36:55 +02:00
Sandwich
035189d326 use proper datacenter variable 2025-07-06 04:34:16 +02:00
Sandwich
ede6829a89 Update Fedora to 42 2025-07-06 04:28:59 +02:00
Sandwich
b9156a0cac Use the proper property name 2025-06-24 16:57:18 +02:00
Sandwich
1c5f93e76f Fix VM state after cleanup 2025-06-24 16:54:57 +02:00
Sandwich
fe635b0783 use proper filename for role variables 2025-06-17 06:34:39 +02:00
Sandwich
0b4d2320c0 Update ubuntu to plucky release 2025-06-17 03:57:58 +02:00
Sandwich
11f7af1d9f Add rhel10 support 2025-06-17 03:13:30 +02:00
Sandwich
e3a52b889b Add ncurses-term package to ubuntu for more legacy terminal descriptors 2025-05-30 09:48:55 +02:00
Sandwich
ff2e5fb6b8 Add ncurses-term package for legacy ssh client (terminal descriptors) 2025-05-30 09:14:21 +02:00
Sandwich
db62d360b7 Add vm_dns_search to hostname if set 2025-05-26 14:37:28 +02:00
Sandwich
3d3f1caa14 Improve SSH CIS hardening 2025-05-04 01:41:00 +02:00
Sandwich
200e73e3ef Fix Typo 2025-04-29 20:30:02 +02:00
Sandwich
f5fda74cad Improve Arch packages + Disable swap before unmounting 2025-04-29 20:28:55 +02:00
Sandwich
9e4ae3ae33 Document vmware_ssh variable 2025-03-25 13:13:06 +01:00
Sandwich
052c89aa3e Fix vm creation when no rhel_iso for vmware 2025-02-20 16:00:39 +01:00
Sandwich
21e6edcf63 Increase max home size to 20GB 2025-02-18 21:39:58 +01:00
Sandwich
4961cc4b03 Add guest_id since its necessary 2025-02-17 21:38:56 +01:00
Sandwich
a7497dbb0e Implement VMware annotation 2025-02-17 21:17:18 +01:00
Sandwich
c764c209cb Improve Partition calculation algorithm 2025-02-17 20:43:45 +01:00
Sandwich
9096a8fc18 Add DNS Search option 2025-02-10 15:16:15 +01:00
Sandwich
236df77406 Update README regarding SELinux 2025-02-07 20:50:20 +01:00
Sandwich
ba6938b225 dont fail if selinux is undefined 2025-02-07 20:47:30 +01:00
Sandwich
919c2085d2 Remove motd files for rhel 2025-02-05 17:14:17 +01:00
Sandwich
55e7b5e98c Enable option to disable selinux for all osses 2025-02-05 01:41:10 +01:00
Sandwich
ef81e6b121 Include Standard package group for RHEL systems 2025-02-05 00:02:37 +01:00
Sandwich
2cf2f71b9c Make sure Volumes are safely unmounted before reboot 2025-01-22 12:34:00 +01:00
Sandwich
7b972053ef Fix CIS applienc for RHEL8 2025-01-21 22:34:01 +01:00
Sandwich
1afe5155ce Update package name to match correctly 2025-01-21 22:02:43 +01:00
Sandwich
67065520a2 Make sure the VM truly starts 2025-01-21 21:35:47 +01:00
Sandwich
b3b6376d81 Do not check if VM is back on vmware with cis activated, it will fail 
without the key, and key cannot be set otherwise awx refuses connection
 2025-01-21 21:30:56 +01:00
Sandwich
9f14556ef6 Add banner 2025-01-21 20:16:05 +01:00
Sandwich
293b608c84 Add ssh key survey 2025-01-21 20:00:18 +01:00
Sandwich
50a7011de7 Add missing variable 2025-01-21 19:58:07 +01:00
Sandwich
8d0c948dff CIS Adjustments 2025-01-21 19:55:36 +01:00
Sandwich
183ec709f6 Fix variable distribution 2025-01-21 17:43:18 +01:00
Sandwich
6dd32b5a63 Make Network Assignment more reliable 2025-01-21 16:59:56 +01:00
Sandwich
9fdf83aad3 Add nms default 2025-01-17 00:50:26 +01:00
Sandwich
15fc6e0dd1 Remove nms from ip since already addition already done internaly 2025-01-17 00:45:42 +01:00
Sandwich
f866502d47 Do not reboot localhost! 2025-01-17 00:38:35 +01:00
Sandwich
4291aa8c4a Don't fail proxmox install if rhel_iso is not defined 2025-01-17 00:07:58 +01:00
Sandwich
6e8ac0283a use 24 netmask as default if not set 2025-01-17 00:03:38 +01:00
Sandwich
c650c2b50c Add extra utils 2025-01-14 21:14:40 +01:00
Sandwich
2cc06e3f7d Set correct IP NetworkMask if defined 2025-01-14 16:08:10 +01:00
Sandwich
8ba12fe4bf Fix typo 2025-01-14 15:03:06 +01:00
Sandwich
c72ccd06aa Dont fail if vmware_ssh is not defined 2025-01-14 14:58:58 +01:00
Sandwich
bfadc82e82 Add dig via bind-utils for rhel 2024-12-03 16:42:47 +01:00
Sandwich
c1b5793cab RHEL add python package 2024-12-03 13:31:31 +01:00
Sandwich
72dabe3107 Do not hardcode macaddress which makes vm cloning harder 2024-12-02 18:08:48 +01:00
Sandwich
0ff03d9d6f Use RHEL nameing for yum repo file 2024-11-12 14:14:09 +01:00
Sandwich
247e3e6c3b Fix DNS issue 2024-11-11 17:44:52 +01:00
Sandwich
d864a492ee Adjust never libvirt loaders 2024-11-11 17:26:37 +01:00
Sandwich
2e7e4d6423 Add some extra packages and vi mode for bash 2024-11-05 03:36:15 +01:00
Sandwich
2d96b12367 Add final check if the VM is up and running after reboot 2024-11-01 23:58:52 +01:00
Sandwich
9f3d638381 Improve the root lv size calculations, still not perfect on bigger disk 
and ram sizes
 2024-10-31 20:07:40 +01:00
Sandwich
88aebd5276 Preper Shutdown so VMware does not corrupt the installation 2024-10-31 18:27:31 +01:00
Sandwich
29a493bf13 improve logical volume size calculation 2024-10-31 17:32:27 +01:00
Sandwich
99e0fb9e5c remove zram from debian11 since no support 2024-10-31 16:00:44 +01:00
Sandwich
8618f8cf03 remove zram for rhel8 since no support 2024-10-31 15:56:42 +01:00
Sandwich
ccc53081f4 dont use sudo for umount 2024-10-31 15:35:22 +01:00
Sandwich
46b7f56425 Add umount for non RHEL systems 2024-10-31 14:23:55 +01:00
Sandwich
3994d4192d Fix ubuntu install issue 2024-10-31 05:56:20 +01:00
Sandwich
e22cf5cc60 Add SWAP support 2024-10-31 05:46:33 +01:00
Sandwich
08a35b2b6b Add zram-generator config 2024-10-31 02:18:55 +01:00
Sandwich
e357c7881a add zram-generator package 2024-10-31 02:10:21 +01:00
Sandwich
10d6095aad Add swap optimalisations 2024-10-31 02:05:11 +01:00
Sandwich
fcc2ace185 Make root LV size dynamic based on VM disk size 2024-10-31 01:29:48 +01:00
Sandwich
e3d61d5fdc improve VMware cleanup 2024-10-31 01:12:51 +01:00
Sandwich
1af1ea8ffb Fix riski shell pipe 2024-10-31 00:43:49 +01:00
Sandwich
9ebfc500a2 Remove Cloud-init package which can cause issues with NetworkManager on 
bootup
 2024-10-31 00:41:38 +01:00
Sandwich
8a655993bd Include MAC-Address into the NetworkManager keyfile 2024-10-31 00:13:23 +01:00
Sandwich
ff4f9cdb07 umount disks before reboot 2024-10-30 23:48:36 +01:00
Sandwich
d8d4371195 Remove VMWare static since not applicable 2024-10-30 23:18:27 +01:00
Sandwich
fea97ba140 Fix DISK removal at cleanup 2024-10-30 23:10:53 +01:00
Sandwich
72305d48a3 Fix variable hierarchy 2024-10-30 22:19:00 +01:00
Sandwich
03cc238237 Fix ISO mounting for VMware Hypervisor 2024-10-30 20:25:41 +01:00
Sandwich
5328d7cce3 Different aproche for ISO mounting 2024-10-30 19:30:12 +01:00
Sandwich
785667c0d6 Adjust controllerID for RHEL ISO for correct mounting 2024-10-30 19:23:01 +01:00
Sandwich
4cfde890f3 Allow passwordless ssh for VMware Setup 2024-10-30 19:12:36 +01:00
Sandwich
5bc981ffc7 Speed up setup on VMware if ssh is available 2024-10-30 18:59:32 +01:00
Sandwich
510bf0af89 Enable root ssh login 2024-10-30 18:54:15 +01:00
Sandwich
fa175eeb78 set cis default value 2024-10-30 18:14:29 +01:00
Sandwich
42b38f0d02 Improve Ip set on VMware hypervisors 2024-10-30 18:04:46 +01:00
Sandwich
98bdb9b824 Fix VM Connection if hypervisor is VMware 2024-10-30 17:57:22 +01:00
Sandwich
d499e222bb Fix recursion 2024-10-30 17:09:22 +01:00
Sandwich
1201fe8f4b fix jinja syntax 2024-10-30 17:05:50 +01:00
Sandwich
5742a9fd78 Move hypervisor and disk variable from main playbook 2024-10-30 16:58:22 +01:00
Sandwich
0c82d4da87 lower connection timeout 2024-10-30 16:48:23 +01:00
Sandwich
5930ef0759 Change VMware boot order to boot correctly from ArchISO 2024-10-30 15:59:16 +01:00
Sandwich
6e60a6e4b4 Fix VMware Network if no VLAN specified 2024-10-30 15:48:22 +01:00
Sandwich
0a3363f725 use the correct NetworkMask variable name 2024-10-30 14:38:25 +01:00
Sandwich
367a77945e Add network mask variables for Hypervisor static IP assigments 2024-10-30 14:33:38 +01:00
Sandwich
b6ab48d062 move vm_ip back since it is not a permanent/static variable 2024-10-30 14:10:37 +01:00
Sandwich
8cc54806c1 Move some persstent Vars to main playbook 2024-10-30 14:01:07 +01:00
Sandwich
bcbddf0955 Recommend Ansible Vault for variables storing secrets 2024-10-30 13:45:19 +01:00
Sandwich
111cb79f2f Add missing RHEL variable examples 2024-10-30 00:49:37 +01:00
Sandwich
c437e4c43d Assertion for minimum filesystem size 2024-10-30 00:44:19 +01:00
Sandwich
d164b6a573 remove deperacted parameter causing sshd startup fails 2024-10-30 00:32:08 +01:00
Sandwich
1e625fd138 Add RHEL8 and RHEL9 support 2024-10-30 00:29:46 +01:00
Sandwich
051b7a376f Update Ubuntu to Oracular Oriole and Ubuntu-LTS to Noble Numbat 2024-10-29 15:08:43 +01:00
Sandwich
77b5920ddb Remove SSH Config multiline since OpenSSH does not support it 2024-10-29 14:25:53 +01:00
Sandwich
61fdf1461a Update Fedora to Version 41 2024-10-29 14:17:01 +01:00
Sandwich
6c311159d8 Disable Cloud-init updates on boot to prevent loopdevice out of storage 2024-10-29 12:59:50 +01:00
Sandwich
7e6d8e73b4 Use command module instead of shell if possible 2024-10-28 21:15:10 +01:00
Sandwich
7374b0a4e2 Fix command module formating 2024-10-28 21:07:33 +01:00
Sandwich
ab694ef49c Fix connection DNS resolving inside chroot 2024-10-28 20:26:15 +01:00
Sandwich
48cedc8efc ensure variable is not empty 2024-10-28 19:25:49 +01:00
Sandwich
ca5caba602 Specify changed_when for shell commands 2024-10-28 19:20:05 +01:00
Sandwich
9ad4e96806 Replace ignore_errors with failed_when 2024-10-28 18:56:00 +01:00
Sandwich
6e2f081794 fix risky-shell-pipe 2024-10-28 18:47:31 +01:00
Sandwich
8ac881ada1 Fix risky-file-permissions because of unpecified mode 2024-10-28 18:37:44 +01:00
Sandwich
446736da3b Fix line-length 2024-10-28 18:26:54 +01:00
Sandwich
15706c5d84 Adjust literal-compare to use correct bool comparison 2024-10-28 17:17:24 +01:00
Sandwich
2cba40508b dont use ignore-errors 2024-07-11 22:31:13 +02:00
Sandwich
d8f39e855c add missing task name 2024-07-11 22:22:43 +02:00
Sandwich
86656f6dbb ansible-lint fixes 2024-07-11 22:20:45 +02:00
Sandwich
3af9ccddf2 use correct boolean values 2024-07-11 22:09:58 +02:00
Sandwich
b2fa0ab91d fix jinja formating 2024-07-11 22:03:15 +02:00
Sandwich
8fef1b695b remove btrfs quota limits 2024-05-21 14:20:28 +02:00
Sandwich
1130c1688a correct README 2024-04-17 14:38:47 +02:00
Sandwich
3d56456ad4 Add supported distro to the README 2024-04-17 14:37:47 +02:00
Sandwich
2b97049dec fix cis support for all distros 2024-04-17 14:09:32 +02:00
Sandwich
82118be5f9 add ubuntu-lts support 2024-04-17 12:17:19 +02:00
Sandwich
92a0f18240 add ubuntu support 2024-04-17 10:53:09 +02:00
Sandwich
bd8ae76703 fix fedora boot issue 2024-04-17 06:02:32 +02:00
Sandwich
a3d2452cd6 add essential almalinux packages 2024-04-17 05:06:45 +02:00
Sandwich
8cdf32e85e install dnf if {{ os }} is fedora 2024-04-17 04:47:33 +02:00
Sandwich
58e9ded653 add rocky to README example 2024-04-17 04:39:29 +02:00
Sandwich
187c5feac2 Add essential rockylinux packages 2024-04-17 04:32:11 +02:00
Sandwich
d21351aed9 Add en and de langauge support for rockylinux 2024-04-17 04:19:32 +02:00
Sandwich
559fa6eab7 Add cloud-init support 2024-04-16 01:17:48 +02:00
Sandwich
7ac696393a Add RockyLinux support 2024-04-16 01:14:12 +02:00
Sandwich
bf1ee09d48 Add RockyLinux support 2024-04-16 01:14:05 +02:00
Sandwich
f65d8cff98 Add RockyLinux Repo file 2024-04-15 21:30:04 +02:00
Sandwich
f698e04779 move assertion list to main playbook 2024-04-15 21:23:32 +02:00
Sandwich
1272a30e2e Enable systemd-resolved and systemd-timesyncd services for ArchLinux 2024-03-28 03:50:04 +01:00
Sandwich
3a512213d0 Update gitignore 2024-03-22 12:48:49 +01:00
Sandwich
689be63a16 Add inventory example in yaml 2024-03-22 12:43:13 +01:00
80 changed files with 4314 additions and 1027 deletions
Expand all files Collapse all files

4
.ansible-lint Normal file
View File

@@ -0,0 +1,4 @@
skip_list:
- run-once
exclude_paths:
- roles/global_defaults/

3
.gitignore vendored
View File

@@ -1,5 +1,8 @@
inventory.yml inventory.yml
inventory.yaml inventory.yaml
inventory_libvirt.yml
vars.yml vars.yml
vars.yaml vars.yaml
vars_kvm.yml
vars_libvirt.yml

203
README.md
View File

@@ -1,13 +1,37 @@
# Ansible-Bootstrap # Ansible-Bootstrap
An Ansible playbook for automating system bootstrap processes in an Infrastructure-as-Code manner, utilizing ArchISO as the foundational tool. An Ansible playbook for automating system bootstrap processes in an Infrastructure-as-Code manner.
# Info # Info
Most of the roles are adaptable for use with systems beyond ArchLinux, requiring only that the target system can install a necessary package manager, such as `dnf` for RHEL-based systems. Additionally, a replacement for the `arch-chroot` command may be required for these systems. Most of the roles are adaptable for use with systems beyond ArchLinux, requiring only that the target system can install a necessary package manager, such as `dnf` for RHEL-based systems. Additionally, a replacement for the `arch-chroot` command may be required for these systems.
**NOTE**: **NOTE**:
- RHEL Systems are not currently supported due to restricted access to their repositories.
A workaround could involve using an ISO as a local repository or setting up a proxy repository to facilitate access. - For RHEL 8, RHEL 9, and RHEL 10, repository access requires the `rhel_iso` variable. This variable specifies a local ISO or proxy repository.
- RHEL systems do not support `btrfs`. Use `ext4` or `xfs` as alternatives.
- For RHEL 8, `xfs` may cause installation issues; `ext4` is recommended.
- `custom_iso: true` skips ArchISO validation and pacman setup, your installer ISO must provide the tools required by the selected roles.
# Supported Distributions
This playbook supports multiple Linux distributions with specific versions tailored to each.
Below is a list of supported distributions:
| `os` | Distribution |
| ---------- | ---------------------------------- |
| archlinux | ArchLinux (Latest rolling release) |
| almalinux | AlmaLinux 9.x |
| debian11 | Debian 11 (Bullseye) |
| debian12 | Debian 12 (Bookworm) |
| debian13 | Debian 13 (Trixie) |
| fedora | Fedora 43 |
| rhel8 | Red Hat Enterprise Linux 8 |
| rhel9 | Red Hat Enterprise Linux 9 |
| rhel10 | Red Hat Enterprise Linux 10 |
| rocky | Rocky Linux 9.x |
| ubuntu | Ubuntu 25.04 (Plucky Puffin) |
| ubuntu-lts | Ubuntu 24.04 LTS (Noble Numbat) |
# Documentation # Documentation
@@ -27,45 +51,139 @@ The playbook uses the ArchLinux ISO as a foundational tool to provides an effici
## 2. Global Variables ## 2. Global Variables
Global variables apply across your Ansible project and are loaded from `vars.yml` by default. These variables define common settings such as hypervisor connection details and the boot ISO path. They can be overridden by inventory variables for specific hosts or VMs if needed. Global variables apply across your Ansible project and can be supplied via inventory or `-e @vars_example.yml`. These variables define common settings such as hypervisor connection details and the boot ISO path. They can be overridden by inventory variables for specific hosts or VMs if needed.
### 2.1 Core Provisioning
| Variable | Description | Example Value | | Variable | Description | Example Value |
|-----------------------|--------------------------------------------------------------------|-----------------------------------------| | ----------------------- | ---------------------------------------------------------- | ----------------------------------------- |
| `install_type` | Type of installation. | `virtual`, `physical` |
| `hypervisor` | Type of hypervisor (required for virtual installs). | `libvirt`, `proxmox`, `vmware`, `none` |
| `install_drive` | Drive where the system will be installed. | `/dev/sda` |
| `boot_iso` | Path to the boot ISO image. | `local-btrfs:iso/archlinux-x86_64.iso` | | `boot_iso` | Path to the boot ISO image. | `local-btrfs:iso/archlinux-x86_64.iso` |
| `hypervisor` | Type of hypervisor. | `libvirt`, `proxmox`, `vmware`, `none` | | `rhel_iso` | Path to the RHEL ISO file, required for RHEL 8/9/10. | `local-btrfs:iso/rhel-9.4-x86_64-dvd.iso` |
| `hypervisor_cluster` | Name of the hypervisor cluster. | `default-cluster` | | `custom_iso` (optional) | Skip ArchISO checks and pacman setup on installer media. | `true`, `false (default)` |
| `hypervisor_node` | Hypervisor node name. | `node01` | | `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false (default)` |
| `hypervisor_password` | Password for hypervisor authentication. | `123456` | | `selinux` (optional) | Toggle SELinux where supported. | `true (default)`, `false` |
| `hypervisor_storage` | Storage identifier for VM disks. | `local-btrfs` | | `firewalld_enabled` (optional) | Toggle firewalld package/service enablement. | `true (default)`, `false` |
| `ssh_enabled` (optional) | Toggle SSH server package/service enablement. | `true (default)`, `false` |
### 2.2 Hypervisor Access (virtual installs)
| Variable | Description | Example Value |
| ----------------------- | ---------------------------------------------------------- | -------------------- |
| `hypervisor_url` | URL/IP address for the hypervisor interface. | `192.168.0.2` | | `hypervisor_url` | URL/IP address for the hypervisor interface. | `192.168.0.2` |
| `hypervisor_username` | Username for hypervisor authentication. | `root@pam` | | `hypervisor_username` | Username for hypervisor authentication. | `root@pam` |
| `install_drive` | Drive where the system will be installed. | `/dev/sda` | | `hypervisor_password` | Password for hypervisor authentication. | `123456` |
| `install_type` | Type of installation. | `virtual`, `physical` | | `hypervisor_datacenter` | Name of the hypervisor datacenter. | `default-datacenter` |
| `hypervisor_cluster` | Name of the hypervisor cluster. | `default-cluster` |
| `hypervisor_node` | Hypervisor node name. | `node01` |
| `hypervisor_storage` | Storage identifier for VM disks. | `local-btrfs` |
| `vm_path` (optional) | Libvirt image dir or VMware folder path. | `/var/lib/libvirt/images` |
| `vmware_ssh` | If Ansible should use SSH after base VMware setup. | `true`, `false (default)` |
| `vlan_name` (optional) | VLAN for the VM's network interface. | `vlan100` | | `vlan_name` (optional) | VLAN for the VM's network interface. | `vlan100` |
| `note` (optional) | VMware VM annotation. | `Provisioned by Ansible` |
### 2.3 VMware Tools connection (VMware installs)
These are required when `hypervisor: vmware` uses the `vmware_tools` connection.
| Variable | Description | Example Value |
| ------------------------------- | ------------------------------------------ | -------------------------------------- |
| `ansible_vmware_tools_user` | Guest OS user for guest operations. | `root` |
| `ansible_vmware_tools_password` | Guest OS password for guest operations. | `""` |
| `ansible_vmware_guest_path` | VM inventory path (datacenter + folder). | `/dc01/vm/Folder/vm01.example.com` |
| `ansible_vmware_host` | vCenter/ESXi hostname. | `vcenter01.example.com` |
| `ansible_vmware_user` | vCenter/ESXi username. | `administrator@vsphere.local` |
| `ansible_vmware_password` | vCenter/ESXi password. | `********` |
| `ansible_vmware_validate_certs` | Validate vCenter/ESXi TLS certs. | `false` |
### 2.4 Disk Encryption (optional)
| Variable | Description | Example Value |
| -------------------------- | ----------------------------------------------- | ------------------ |
| `luks_enabled` | Enable LUKS encryption for the root volume. | `true`, `false` |
| `luks_passphrase` | Passphrase used for initial LUKS format/unlock. | `1234` |
| `luks_mapper_name` | Decrypted mapper name. | `SYSTEM_DECRYPTED` |
| `luks_auto_decrypt` | Enable automatic unlock on boot. | `true`, `false` |
| `luks_auto_decrypt_method` | Auto-unlock method. | `tpm2`, `keyfile`, `manual` |
| `luks_tpm2_device` | TPM2 device for enrollment. | `auto` |
| `luks_tpm2_pcrs` | TPM2 PCR list (systemd-cryptenroll). | `7` |
| `luks_keyfile_size` | Keyfile size in bytes for initramfs. | `64` |
| `luks_options` | LUKS options passed to crypttab/kernel. | `discard,tries=3` |
| `luks_type` | LUKS format type. | `luks2` |
| `luks_cipher` | LUKS cipher. | `aes-xts-plain64` |
| `luks_hash` | LUKS hash. | `sha512` |
| `luks_iter_time` | LUKS iter time in milliseconds. | `4000` |
| `luks_key_size` | LUKS key size in bits. | `512` |
| `luks_pbkdf` | LUKS PBKDF algorithm. | `argon2id` |
| `luks_use_urandom` | Reserved; module uses cryptsetup defaults. | `true` |
| `luks_verify_passphrase` | Reserved; module uses cryptsetup defaults. | `true` |
### 2.5 Partitioning Overrides (advanced)
Use these only when you need to override the default layout logic.
| Variable | Description | Example Value |
| ---------------------------- | -------------------------------------------------------- | ------------- |
| `partitioning_efi_size_mib` | ESP size in MiB. | `512` |
| `partitioning_boot_size_mib` | `/boot` size in MiB when a separate boot is used. | `1024` |
| `partitioning_separate_boot` | Force a separate `/boot` partition. | `true` |
| `partitioning_boot_fs_fstype` | Filesystem for `/boot` when separate. | `ext4` |
| `partitioning_use_full_disk` | Use remaining LVM space for the root volume. | `true` |
To protect sensitive information, such as passwords, API keys, and other confidential variables (e.g., `hypervisor_password`), **it is recommended to use Ansible Vault**.
## 3. Inventory Variables ## 3. Inventory Variables
Inventory variables are defined for individual hosts or VMs in the inventory file, allowing customization of settings such as the operating system, filesystem, and compliance with CIS benchmarks. These variables can be set globally and overridden for specific hosts or VMs. Inventory variables are defined for individual hosts or VMs in the inventory file, allowing customization of settings such as the operating system, filesystem, and compliance with CIS benchmarks. These variables can be set globally and overridden for specific hosts or VMs.
### 3.1 System Identity and OS
| Variable | Description | Example Value | | Variable | Description | Example Value |
|-------------------------|-----------------------------------------------------------------------------------|----------------------------------------------------| | ------------ | -------------------------------------- | ---------------------- |
| `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false` | | `ansible_host` | Ansible connection address for the host. | `192.168.0.10` |
| `filesystem` | Filesystem type for the VM's primary storage. | `btrfs`, `ext4`, `xfs` | | `os` | Operating system to be installed. | `ubuntu-lts` |
| `hostname` | The hostname assigned to the virtual machine or system. | `vm01` | | `filesystem` | Filesystem type for the root volume. | `btrfs`, `ext4`, `xfs` |
| `os` | Operating system to be installed on the VM. | `archlinux`, `almalinux`, `debian11`, `debian12`, `fedora` | | `hostname` | The hostname assigned to the system. | `vm01` |
| `root_password` | Root password for the VM or system, used for initial setup or secure access. | `SecurePass123` |
| `user_name` | Username for a user account within the VM, often used with cloud-init. | `adminuser` | ### 3.2 Credentials and Access
| `user_password` | Password for the user account within the VM. | `UserPass123` |
| `vm_ballo` (optional) | Ballooning memory size for the VM, used to adjust memory allocation dynamically. | `2048` | These are prompted by default via `vars_prompt` in `main.yml`, but can be supplied via inventory/vars/`-e` for non-interactive runs.
| `vm_cpus` | Number of CPU cores assigned to the virtual machine. | `4` |
| `vm_dns` | DNS server IP address(es) for the virtual machine's network configuration. | `1.0.0.1`, `1.1.1.1` | | Variable | Description | Example Value |
| `vm_gw` | Default gateway IP address for the virtual machine's network configuration. | `192.168.0.1` | | ----------------- | ---------------------------------- | ----------------- |
| `vm_id` | Unique identifier for the virtual machine. | `101` | | `root_password` | Root password (vault recommended). | `SecurePass123` |
| `vm_ip` | IP address assigned to the virtual machine. | `192.168.0.10` | | `user_name` | Username for a user account. | `adminuser` |
| `vm_memory` | Amount of memory (in MB) allocated to the virtual machine. | `2048` | | `user_password` | Password for the user account. | `UserPass123` |
| `vm_nif` | Network interface type or identifier for the VM's network connection. | `vmbr0` | | `user_public_key` | SSH Key for the user account. | `ssh-ed25519 AAAA` |
| `vm_path (optional)` | Path or folder where the VM configuration or related files will be stored. | `/var/lib/libvirt/images/` |
| `vm_size` | Disk size allocated for the VM's primary storage (in GB). | `20` | ### 3.3 Networking
| Variable | Description | Example Value |
| --------------- | -------------------------------------------------------------- | ----------------- |
| `vm_ip` | IP address assigned to the system (omit to use DHCP). | `192.168.0.10` |
| `vm_nms` | Netmask bits for static addressing. | `24` |
| `vm_gw` | Default gateway IP address (static only). | `192.168.0.1` |
| `vm_dns` | DNS server IP address(es). | `1.0.0.1,1.1.1.1` |
| `vm_dns_search` | DNS search zone(s) for the network configuration. | `example.com` |
| `vm_nif` | Network interface/bridge for the VM's network connection. | `vmbr0` |
### 3.4 VM Sizing (virtual installs)
| Variable | Description | Example Value |
| ----------- | --------------------------------- | ------------- |
| `vm_id` | Unique identifier for the VM. | `101` |
| `vm_size` | Disk size allocated in GB (min 20). | `20` |
| `vm_memory` | Amount of memory in MB. | `2048` |
| `vm_cpus` | Number of CPU cores (virtual installs). | `4` |
| `vm_ballo` | Ballooning memory size (optional).| `2048` |
### 3.5 Post-install Packages
| Variable | Description | Example Value |
| ------------------------ | --------------------------------------------------------------------- | ------------------ |
| `extra_packages` (optional) | Additional packages installed after the first boot into the installed OS. | `["git", "jq"]` |
## 4. How to Use the Playbook ## 4. How to Use the Playbook
@@ -75,14 +193,31 @@ Before running the playbook, ensure you have Ansible installed and configured co
### 4.2 Running the Playbook ### 4.2 Running the Playbook
Execute the playbook using the `ansible-playbook` command, ensuring that all necessary variables are defined, typically by specifying a `vars.yml` file containing the required configurations. Execute the playbook using the `ansible-playbook` command, ensuring that all necessary variables are defined, typically by specifying a vars file (such as `vars_example.yml`) containing the required configurations.
### 4.3 Example Usage ### 4.3 Example Usage
An effective way to use the playbook involves defining all necessary configurations within a `vars.yml` file. This file should include all relevant global variables tailored to your specific deployment requirements. Additionally, you should prepare an inventory file (`inventory.yml`) that lists all the hosts along with any specific inventory variables they might need. Then, you can run the playbook as follows: An effective way to use the playbook involves defining all necessary configurations within a vars file (for example, `vars_example.yml`). This file should include all relevant global variables tailored to your specific deployment requirements. Additionally, you should prepare an inventory file (`inventory.yml`) that lists all the hosts along with any specific inventory variables they might need. Then, you can run the playbook as follows:
```bash ```bash
ansible-playbook -i inventory.yml -e @vars.yml main.yml ansible-playbook -i inventory.yml -e @vars_example.yml main.yml
``` ```
This command prompts Ansible to execute the `main.yml` playbook, applying configurations defined in both `vars.yml` and the inventory file. This command prompts Ansible to execute the `main.yml` playbook, applying configurations defined in both the vars file and the inventory file.
Use `inventory_example.yml`, `inventory_libvirt_example.yml`, `vars_example.yml`, and the bare-metal examples as starting points for new inventories.
## Notes
- `vm_size`/`vm_memory`/`vm_cpus` are required for virtual installs only, physical installs use the full disk.
- `vm_dns` and `vm_dns_search` accept comma-separated strings or YAML lists.
- `hypervisor` determines which backend-specific roles run.
- Guest tools are installed based on `hypervisor`: `qemu-guest-agent` for `libvirt`/`proxmox`, `open-vm-tools` for `vmware`, otherwise none.
- Molecule is scaffolded with a delegated driver and a no-op converge for lint-only validation.
- With LUKS enabled on Debian/Ubuntu and RHEL-based systems, provisioning uses an ESP (512 MiB), a separate `/boot`
(1 GiB, same as `filesystem` unless `btrfs` uses ext4 on Debian/Ubuntu or xfs on RHEL-based), and the encrypted root;
adjust sizes via
`partitioning_efi_size_mib` and `partitioning_boot_size_mib` if needed.
- With `luks_auto_decrypt_method: tpm2` on virtual installs, the virtualization role enables a TPM2 device (libvirt/proxmox/vmware).
- For VMware, `vmware_ssh: true` enables SSH on the guest and switches the connection to SSH for the remaining tasks.
- For physical installs, set `ansible_user`/`ansible_password` for the installer environment when it differs from the prompted user credentials.

9
collections/requirements.yml Normal file
View File

@@ -0,0 +1,9 @@
---
collections:
- name: ansible.posix
- name: community.general
- name: community.libvirt
- name: community.crypto
- name: community.proxmox
- name: community.vmware
- name: vmware.vmware

9
inventory_baremetal_example.yml Normal file
View File

@@ -0,0 +1,9 @@
---
all:
hosts:
baremetal01.example.com:
ansible_host: 10.0.0.162
ansible_user: root
ansible_password: "1234"
ansible_become_password: "1234"
hostname: "baremetal01.example.com"

50
inventory_example.yml Normal file
View File

@@ -0,0 +1,50 @@
---
all:
vars:
install_type: "virtual"
hypervisor: "proxmox"
install_drive: "/dev/sda"
boot_iso: "local:iso/archlinux-x86_64.iso"
vm_nif: "vmbr0"
children:
proxmox:
hosts:
app01.example.com:
ansible_host: 10.0.0.10
hostname: "app01.example.com"
os: "archlinux"
filesystem: "btrfs"
vm_id: 100
vm_cpus: 2
vm_memory: 4096
vm_size: 40
vm_ip: 10.0.0.10
vm_nms: 24
vm_gw: 10.0.0.1
vm_dns:
- 1.1.1.1
- 1.0.0.1
extra_packages:
- jq
- tmux
db01.example.com:
ansible_host: 10.0.0.11
hostname: "db01.example.com"
os: "rhel9"
filesystem: "xfs"
vm_id: 101
vm_cpus: 4
vm_memory: 8192
vm_size: 80
vm_ip: 10.0.0.11
vm_nms: 24
vm_gw: 10.0.0.1
vm_dns: "1.1.1.1,1.0.0.1"
rhel_iso: "local:iso/rhel-9.4-x86_64-dvd.iso"
luks_enabled: true
luks_passphrase: "CHANGE_ME"
luks_auto_decrypt_method: "keyfile"
luks_keyfile_size: 128
cis: true
selinux: false
firewalld_enabled: false

56
inventory_libvirt_example.yml Normal file
View File

@@ -0,0 +1,56 @@
---
all:
vars:
install_type: "virtual"
hypervisor: "libvirt"
install_drive: "/dev/vda"
boot_iso: "/var/lib/libvirt/images/archlinux-x86_64.iso"
children:
libvirt:
hosts:
web01.example.com:
ansible_host: 192.168.122.10
hostname: "web01.example.com"
os: "debian12"
filesystem: "ext4"
vm_cpus: 2
vm_memory: 2048
vm_size: 30
vm_ip: 192.168.122.10
vm_nms: 24
vm_gw: 192.168.122.1
vm_dns: 1.1.1.1
extra_packages:
- nginx
- fail2ban
vault01.example.com:
ansible_host: 192.168.122.11
hostname: "vault01.example.com"
os: "ubuntu-lts"
filesystem: "btrfs"
vm_cpus: 2
vm_memory: 4096
vm_size: 40
vm_ip: 192.168.122.11
vm_nms: 24
vm_gw: 192.168.122.1
vm_dns_search: "example.com"
luks_enabled: true
luks_passphrase: "CHANGE_ME"
luks_auto_decrypt_method: "keyfile"
firewalld_enabled: false
rhel9.example.com:
ansible_host: 192.168.122.12
hostname: "rhel9.example.com"
os: "rhel9"
filesystem: "xfs"
vm_cpus: 4
vm_memory: 8192
vm_size: 80
vm_ip: 192.168.122.12
vm_nms: 24
vm_gw: 192.168.122.1
vm_dns: "1.1.1.1,1.0.0.1"
vm_path: "/srv/libvirt/images"
rhel_iso: "/var/lib/libvirt/images/rhel-9.4-x86_64-dvd.iso"
vlan_name: "100"

29
inventory_sample.ini
View File

@@ -1,29 +0,0 @@
[promox-kvm]
192.168.122.10
192.168.122.11
[promox-kvm:vars]
vm_gw=192.168.122.1
vm_dns=1.1.1.1
[192.168.122.10]
hostname=proxy
vm_id=300
os=archlinux
filesystem=btrfs
vm_memory=2048
vm_ballo=1024
vm_cpus=2
vm_size=5
vm_nif=vmbr1
[192.168.122.11]
hostname=database
vm_id=101
os=archlinux
filesystem=btrfs
vm_memory=6144
vm_ballo=3072
vm_cpus=4
vm_size=40
vm_nif=vmbr1

105
main.yml
View File

@@ -1,7 +1,7 @@
--- ---
- name: Create and configure VMs - name: Create and configure VMs
hosts: all hosts: all
strategy: free strategy: free # noqa: run-once[play]
gather_facts: false gather_facts: false
become: true become: true
vars_prompt: vars_prompt:
@@ -10,6 +10,11 @@
What is your username? What is your username?
private: false private: false
- name: user_public_key
prompt: |
What is your ssh key?
private: false
- name: user_password - name: user_password
prompt: | prompt: |
What is your password? What is your password?
@@ -19,44 +24,12 @@
prompt: | prompt: |
What is your root password? What is your root password?
confirm: true confirm: true
- name: hypervisor
prompt: |
Select an Hypervisor:
- libvirt
- proxmox
- vmware
private: false
default: "proxmox"
- name: install_drive
prompt: |
"Enter the drive to install the system (default: /dev/sda)"
confirm: true
private: false
default: "/dev/sda"
vars_files: vars.yml
pre_tasks: pre_tasks:
- name: Set ansible_python_interpreter - name: Load global defaults
when: os | lower in ["almalinux", "rhel9", "rhel8"] ansible.builtin.import_role:
set_fact: name: global_defaults
ansible_python_interpreter: /usr/bin/python3
- name: Validate variables
assert:
that:
- hypervisor in hypervisor_list
- filesystem in filesystem_list
- os in os_list
fail_msg: "Invalid input specified, please try again"
- name: Set connection
when: hypervisor == "vmware"
set_fact:
ansible_connection: vmware_tools
roles: roles:
- role: virtualization - role: virtualization
when: install_type == "virtual" when: install_type == "virtual"
become: false become: false
@@ -69,23 +42,61 @@
- role: partitioning - role: partitioning
vars: vars:
boot_partition_suffix: 1 partitioning_boot_partition_suffix: 1
main_partition_suffix: 2 partitioning_main_partition_suffix: 2
- role: bootstrap - role: bootstrap
- role: configuration - role: configuration
- role: cis - role: cis
when: cis == true when: cis_enabled
- role: cleanup - role: cleanup
when: install_type == "virtual" when: install_type in ["virtual", "physical"]
vars: become: false
ansible_connection: local
tasks: post_tasks:
- name: Reboot system - name: Set post-reboot connection flags
when: hypervisor != "libvirt" ansible.builtin.set_fact:
command: reboot post_reboot_can_connect: >-
ignore_errors: true {{
(ansible_connection | default('ssh')) != 'ssh'
or (vm_ip is defined and (vm_ip | string | length) > 0)
or (
install_type == 'physical'
and (ansible_host | default('') | string | length) > 0
)
}}
changed_when: false
- name: Set final SSH credentials for post-reboot tasks
when:
- post_reboot_can_connect | bool
ansible.builtin.set_fact:
ansible_user: "{{ user_name }}"
ansible_password: "{{ user_password }}"
ansible_become_password: "{{ user_password }}"
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
- name: Install post-reboot extra packages
vars:
post_install_extra_packages: >-
{{
(
extra_packages
if (extra_packages is iterable and extra_packages is not string)
else (extra_packages | string).split(',')
)
| map('trim')
| reject('equalto', '')
| list
}}
when:
- post_reboot_can_connect | bool
- extra_packages is defined
- extra_packages | length > 0
- post_install_extra_packages | length > 0
ansible.builtin.package:
name: "{{ post_install_extra_packages }}"
state: present

8
molecule/default/converge.yml Normal file
View File

@@ -0,0 +1,8 @@
---
- name: Molecule converge placeholder
hosts: all
gather_facts: false
tasks:
- name: Skip destructive provisioning in Molecule
ansible.builtin.debug:
msg: "Molecule scenario is lint-only; run main.yml against disposable hosts."

19
molecule/default/molecule.yml Normal file
View File

@@ -0,0 +1,19 @@
---
dependency:
name: galaxy
driver:
name: delegated
platforms:
- name: localhost
provisioner:
name: ansible
playbooks:
converge: converge.yml
inventory:
host_vars:
localhost:
ansible_connection: local
lint:
name: ansible-lint
verifier:
name: ansible

9
molecule/default/verify.yml Normal file
View File

@@ -0,0 +1,9 @@
---
- name: Molecule verify placeholder
hosts: all
gather_facts: false
tasks:
- name: Verify placeholder
ansible.builtin.assert:
that:
- true

20
roles/bootstrap/tasks/almalinux.yml Normal file
View File

@@ -0,0 +1,20 @@
---
- name: Bootstrap AlmaLinux 9
vars:
bootstrap_alma_extra: >-
{{
lookup('vars', bootstrap_var_key)
| reject('equalto', '')
| join(' ')
}}
ansible.builtin.command: "{{ item }}"
loop:
- >-
dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt
--setopt=install_weak_deps=False groupinstall -y base core
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- >-
{{ chroot_command }} /mnt dnf --releasever=9 --setopt=install_weak_deps=False
install -y {{ bootstrap_alma_extra }}
register: bootstrap_result
changed_when: bootstrap_result.rc == 0

11
roles/bootstrap/tasks/archlinux.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: Bootstrap ArchLinux
vars:
bootstrap_archlinux_packages: >-
{{
lookup('vars', bootstrap_var_key)
}}
ansible.builtin.command: >-
pacstrap /mnt {{ bootstrap_archlinux_packages | reject('equalto', '') | join(' ') }} --asexplicit
register: bootstrap_result
changed_when: bootstrap_result.rc == 0

29
roles/bootstrap/tasks/debian.yml Normal file
View File

@@ -0,0 +1,29 @@
---
- name: Bootstrap Debian System
vars:
bootstrap_debian_release: >-
{{
'bullseye' if bootstrap_os_key == 'debian11'
else 'bookworm' if bootstrap_os_key == 'debian12'
else 'trixie'
}}
bootstrap_debian_base_list: "{{ lookup('vars', bootstrap_var_key).base | default([]) }}"
bootstrap_debian_extra_list: "{{ lookup('vars', bootstrap_var_key).extra | default([]) }}"
bootstrap_debian_base: "{{ bootstrap_debian_base_list | reject('equalto', '') | join(',') }}"
bootstrap_debian_extra: >-
{{
(
bootstrap_debian_extra_list
)
| reject('equalto', '')
| join(' ')
}}
ansible.builtin.command: "{{ item }}"
loop:
- >-
debootstrap --include={{ bootstrap_debian_base }}
{{ bootstrap_debian_release }} /mnt http://deb.debian.org/debian/
- "{{ chroot_command }} /mnt apt install -y {{ bootstrap_debian_extra }}"
- "{{ chroot_command }} /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data"
register: bootstrap_result
changed_when: bootstrap_result.rc == 0

22
roles/bootstrap/tasks/fedora.yml Normal file
View File

@@ -0,0 +1,22 @@
---
- name: Bootstrap Fedora 43
vars:
bootstrap_fedora_extra: >-
{{
lookup('vars', bootstrap_var_key)
| reject('equalto', '')
| join(' ')
}}
ansible.builtin.command: "{{ item }}"
loop:
- >-
dnf --releasever=43 --best --repo=fedora --repo=fedora-updates
--installroot=/mnt --setopt=install_weak_deps=False
groupinstall -y critical-path-base core
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- >-
{{ chroot_command }} /mnt dnf --releasever=43 --setopt=install_weak_deps=False
install -y {{ bootstrap_fedora_extra }}
- "{{ chroot_command }} /mnt dnf reinstall -y kernel-core"
register: bootstrap_result
changed_when: bootstrap_result.rc == 0

62
roles/bootstrap/tasks/main.yml
View File

@@ -1,43 +1,33 @@
--- ---
- name: Include Packages
include_vars:
file: packages.yml
name: role_packages
- name: Run OS-specific bootstrap process - name: Run OS-specific bootstrap process
vars:
bootstrap_os_key: "{{ os | lower }}"
bootstrap_var_key: "{{ 'bootstrap_' + (os | lower | replace('-', '_')) }}"
block: block:
- name: Bootstrap ArchLinux - name: Include AlmaLinux bootstrap tasks
when: os | lower == 'archlinux' when: bootstrap_os_key == 'almalinux'
command: pacstrap /mnt {{ role_packages.archlinux | join(' ') }} --asexplicit ansible.builtin.include_tasks: almalinux.yml
- name: Bootstrap Debian System - name: Include ArchLinux bootstrap tasks
when: os | lower in ['debian11', 'debian12'] when: bootstrap_os_key == 'archlinux'
shell: "{{ item }}" ansible.builtin.include_tasks: archlinux.yml
with_items:
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }} /mnt http://deb.debian.org/debian/
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
- arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data
- name: Bootstrap AlmaLinux 9 - name: Include Debian bootstrap tasks
when: os | lower == 'almalinux' when: bootstrap_os_key in ['debian11', 'debian12', 'debian13']
shell: "{{ item }}" ansible.builtin.include_tasks: debian.yml
with_items:
- dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
- echo "nameserver 1.0.0.1" > /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.almalinux | join(' ') }}
- name: Bootstrap Fedora 39 - name: Include Fedora bootstrap tasks
when: os | lower == 'fedora' when: bootstrap_os_key == 'fedora'
shell: "{{ item }}" ansible.builtin.include_tasks: fedora.yml
with_items:
- dnf --releasever=39 --best --repo=fedora --repo=fedora-updates --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
- arch-chroot /mnt dnf --releasever=39 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }}
- arch-chroot /mnt dnf reinstall -y grub2-efi-x64 kernel
- name: Bootstrap RHEL System - name: Include Rocky bootstrap tasks
when: os | lower in ['rhel8', 'rhel9'] when: bootstrap_os_key == 'rocky'
shell: "{{ item }}" ansible.builtin.include_tasks: rocky.yml
with_items:
- "dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core" - name: Include RHEL bootstrap tasks
- "echo 'nameserver 1.0.0.1' > /mnt/etc/resolv.conf" when: bootstrap_os_key in ['rhel8', 'rhel9', 'rhel10']
- "arch-chroot /mnt dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --setopt=install_weak_deps=False install -y {{ role_packages[os] | join(' ') }}" ansible.builtin.include_tasks: rhel.yml
- name: Include Ubuntu bootstrap tasks
when: bootstrap_os_key in ['ubuntu', 'ubuntu-lts']
ansible.builtin.include_tasks: ubuntu.yml

61
roles/bootstrap/tasks/rhel.yml Normal file
View File

@@ -0,0 +1,61 @@
---
- name: Bootstrap RHEL System
block:
- name: Install base packages in chroot environment
vars:
bootstrap_rhel_release: "{{ bootstrap_os_key | replace('rhel', '') }}"
ansible.builtin.command: >-
dnf --releasever={{ bootstrap_rhel_release }} --repo={{ bootstrap_os_key }}-baseos
--installroot=/mnt
--setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
groupinstall -y core base standard
register: bootstrap_result
changed_when: bootstrap_result.rc == 0
- name: Ensure chroot has resolv.conf
ansible.builtin.file:
src: /run/NetworkManager/resolv.conf
dest: /mnt/etc/resolv.conf
state: link
force: true
- name: Ensure chroot RHEL DVD directory exists
ansible.builtin.file:
path: /mnt/usr/local/install/redhat/dvd
state: directory
mode: "0755"
- name: Bind mount RHEL DVD into chroot
ansible.posix.mount:
src: /usr/local/install/redhat/dvd
path: /mnt/usr/local/install/redhat/dvd
fstype: none
opts: bind
state: mounted
- name: Rebuild RPM database inside chroot
ansible.builtin.command: "{{ chroot_command }} /mnt rpm --rebuilddb"
register: bootstrap_rpm_rebuild_result
changed_when: bootstrap_rpm_rebuild_result.rc == 0
- name: Copy RHEL repo file into chroot environment
ansible.builtin.copy:
src: /etc/yum.repos.d/{{ bootstrap_os_key }}.repo
dest: /mnt/etc/yum.repos.d/redhat.repo
mode: "0644"
remote_src: true
- name: Install additional packages in chroot
vars:
bootstrap_rhel_release: "{{ bootstrap_os_key | replace('rhel', '') }}"
bootstrap_rhel_extra: >-
{{
lookup('vars', bootstrap_var_key)
| reject('equalto', '')
| join(' ')
}}
ansible.builtin.command: >-
{{ chroot_command }} /mnt dnf --releasever={{ bootstrap_rhel_release }}
--setopt=install_weak_deps=False install -y {{ bootstrap_rhel_extra }}
register: bootstrap_result
changed_when: bootstrap_result.rc == 0

21
roles/bootstrap/tasks/rocky.yml Normal file
View File

@@ -0,0 +1,21 @@
---
- name: Bootstrap RockyLinux 9
vars:
bootstrap_rocky_extra: >-
{{
lookup('vars', bootstrap_var_key)
| reject('equalto', '')
| join(' ')
}}
ansible.builtin.command: "{{ item }}"
loop:
- >-
dnf --releasever=9 --best --repo=rocky-baseos --installroot=/mnt
--setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
groupinstall -y base core
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- >-
{{ chroot_command }} /mnt dnf --releasever=9 --setopt=install_weak_deps=False
install -y {{ bootstrap_rocky_extra }}
register: bootstrap_result
changed_when: bootstrap_result.rc == 0

27
roles/bootstrap/tasks/ubuntu.yml Normal file
View File

@@ -0,0 +1,27 @@
---
- name: Bootstrap Ubuntu System
vars:
bootstrap_ubuntu_release: >-
{{ 'plucky' if bootstrap_os_key == 'ubuntu' else 'noble' }}
bootstrap_ubuntu_base_list: "{{ lookup('vars', bootstrap_var_key).base | default([]) }}"
bootstrap_ubuntu_extra_list: "{{ lookup('vars', bootstrap_var_key).extra | default([]) }}"
bootstrap_ubuntu_base: "{{ bootstrap_ubuntu_base_list | reject('equalto', '') | join(',') }}"
bootstrap_ubuntu_extra: >-
{{
(
bootstrap_ubuntu_extra_list
)
| reject('equalto', '')
| join(' ')
}}
ansible.builtin.command: "{{ item }}"
loop:
- >-
debootstrap --include={{ bootstrap_ubuntu_base }}
{{ bootstrap_ubuntu_release }} /mnt http://archive.ubuntu.com/ubuntu/
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- "{{ chroot_command }} /mnt sed -i '1s|$| universe|' /etc/apt/sources.list"
- "{{ chroot_command }} /mnt apt update"
- "{{ chroot_command }} /mnt apt install -y {{ bootstrap_ubuntu_extra }}"
register: bootstrap_result
changed_when: bootstrap_result.rc == 0

500
roles/bootstrap/vars/main.yml Normal file
View File

@@ -0,0 +1,500 @@
---
bootstrap_almalinux:
- bind-utils
- dbus-daemon
- dhcp-client
- efibootmgr
- "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- lrzsz
- lvm2
- nc
- nfs-utils
- nfsv4-client-utils
- mtr
- ppp
- shim
- tmux
- "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- vim
- wget
- zram-generator
- zstd
bootstrap_archlinux:
- base
- btrfs-progs
- cronie
- dhcpcd
- efibootmgr
- fastfetch
- "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
- fish
- fzf
- grub
- htop
- libpwquality
- linux
- logrotate
- lrzsz
- lsof
- lvm2
- ncdu
- networkmanager
- nfs-utils
- "{{ 'openssh' if ssh_enabled | bool else '' }}"
- ppp
- prometheus-node-exporter
- python-psycopg2
- reflector
- rsync
- sudo
- tldr
- tmux
- "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- vim
- wireguard-tools
- zram-generator
bootstrap_debian11:
base:
- apparmor-utils
- btrfs-progs
- chrony
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
- linux-image-amd64
- locales
- logrotate
- lvm2
- net-tools
- "{{ 'openssh-server' if ssh_enabled | bool else '' }}"
- python3
- sudo
- xfsprogs
extra:
- bat
- curl
- entr
- "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
- fish
- fzf
- htop
- jq
- libpam-pwquality
- lrzsz
- mtr
- ncdu
- neofetch
- network-manager
- python-is-python3
- ripgrep
- rsync
- screen
- software-properties-common
- syslog-ng
- tcpd
- tldr
- "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- vim
- wget
- zstd
bootstrap_debian12:
base:
- btrfs-progs
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
- linux-image-amd64
- locales
- logrotate
- lvm2
- xfsprogs
extra:
- apparmor-utils
- bat
- chrony
- curl
- duf
- entr
- "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
- fish
- fzf
- htop
- jq
- libpam-pwquality
- logrotate
- lrzsz
- mtr
- ncdu
- neofetch
- net-tools
- network-manager
- "{{ 'openssh-server' if ssh_enabled | bool else '' }}"
- python-is-python3
- python3
- ripgrep
- rsync
- screen
- software-properties-common
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- tldr
- "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- vim
- wget
- zstd
bootstrap_debian13:
base:
- btrfs-progs
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
- linux-image-amd64
- locales
- logrotate
- lvm2
- xfsprogs
extra:
- apparmor-utils
- bat
- chrony
- curl
- duf
- entr
- fastfetch
- "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
- fish
- fzf
- htop
- jq
- libpam-pwquality
- logrotate
- lrzsz
- mtr
- ncdu
- net-tools
- network-manager
- "{{ 'openssh-server' if ssh_enabled | bool else '' }}"
- python-is-python3
- python3
- ripgrep
- rsync
- screen
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- vim
- wget
- zstd
bootstrap_fedora:
- bat
- bind-utils
- btrfs-progs
- cronie
- dhcp-client
- duf
- efibootmgr
- entr
- "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
- fish
- fzf
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- htop
- iperf3
- logrotate
- lrzsz
- lvm2
- nc
- nfs-utils
- nfsv4-client-utils
- polkit
- ppp
- ripgrep
- shim
- tmux
- "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- vim-default-editor
- wget
- zoxide
- zram-generator
- zstd
bootstrap_rhel8:
- bind-utils
- dhcp-client
- efibootmgr
- "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi-x64
- grub2-tools-extra
- lrzsz
- lvm2
- mtr
- ncurses-term
- nfs-utils
- policycoreutils-python-utils
- python39
- shim
- tmux
- "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- vim
- zstd
bootstrap_rhel9:
- bind-utils
- dhcp-client
- efibootmgr
- "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- grub2-tools-extra
- lrzsz
- lvm2
- mtr
- ncurses-term
- nfs-utils
- policycoreutils-python-utils
- python
- shim
- tmux
- "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- vim
- zram-generator
- zstd
bootstrap_rhel10:
- bind-utils
- efibootmgr
- "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- kernel
- lrzsz
- lvm2
- mtr
- ncurses-term
- nfs-utils
- policycoreutils-python-utils
- python
- shim
- tmux
- "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- vim
- zram-generator
- zstd
bootstrap_rocky:
- bind-utils
- dbus-daemon
- dhcp-client
- efibootmgr
- "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- lrzsz
- lvm2
- mtr
- nc
- nfs-utils
- nfsv4-client-utils
- ppp
- shim
- telnet
- tmux
- "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- util-linux-core
- vim
- wget
- zram-generator
- zstd
bootstrap_ubuntu:
base:
- btrfs-progs
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
- linux-image-generic
- locales
- lvm2
- xfsprogs
extra:
- apparmor-utils
- bash-completion
- bat
- chrony
- curl
- dnsutils
- duf
- entr
- eza
- fdupes
- fio
- "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
- fish
- htop
- jq
- libpam-pwquality
- logrotate
- lrzsz
- mtr
- ncdu
- ncurses-term
- net-tools
- network-manager
- "{{ 'openssh-server' if ssh_enabled | bool else '' }}"
- python-is-python3
- python3
- ripgrep
- rsync
- screen
- software-properties-common
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- tldr
- tmux
- "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- traceroute
- util-linux-extra
- vim
- wget
- yq
- zoxide
- zstd
bootstrap_ubuntu_lts:
base:
- btrfs-progs
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- "{{ 'cryptsetup' if luks_enabled else '' }}"
- "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
- linux-image-generic
- locales
- lvm2
- xfsprogs
extra:
- apparmor-utils
- bash-completion
- bat
- chrony
- curl
- dnsutils
- duf
- entr
- eza
- fdupes
- fio
- "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
- fish
- htop
- jq
- libpam-pwquality
- logrotate
- lrzsz
- mtr
- ncdu
- ncurses-term
- net-tools
- network-manager
- "{{ 'openssh-server' if ssh_enabled | bool else '' }}"
- python-is-python3
- python3
- ripgrep
- rsync
- screen
- software-properties-common
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- tldr
- tmux
- "{{ 'tpm2-tools' if luks_enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- traceroute
- util-linux-extra
- vim
- wget
- yq
- zoxide
- zstd

160
roles/bootstrap/vars/packages.yml
View File

@@ -1,160 +0,0 @@
---
archlinux:
- base
- btrfs-progs
- cronie
- dhcpcd
- efibootmgr
- firewalld
- fish
- grub
- htop
- linux
- logrotate
- lrzsz
- lsof
- lvm2
- ncdu
- neofetch
- networkmanager
- nfs-utils
- openssh
- open-vm-tools
- prometheus-node-exporter
- python-psycopg2
- qemu-guest-agent
- reflector
- rsync
- screen
- sudo
- vim
- wireguard-tools
debian11:
base:
- apparmor-utils
- btrfs-progs
- xfsprogs
- chrony
- cron
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- gnupg
- linux-image-amd64
- locales
- logrotate
- lvm2
- net-tools
- openssh-server
- python3
- sudo
extra:
- curl
- firewalld
- htop
- network-manager
- screen
- open-vm-tools
- python-is-python3
- ncdu
- neofetch
- lrzsz
- libpam-pwquality
- rsync
- software-properties-common
- syslog-ng
- tcpd
- fish
- vim
- wget
debian12:
base:
- btrfs-progs
- xfsprogs
- cron
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- gnupg
- linux-image-amd64
- locales
- lvm2
extra:
- apparmor-utils
- chrony
- curl
- firewalld
- fish
- htop
- network-manager
- screen
- open-vm-tools
- python-is-python3
- ncdu
- neofetch
- logrotate
- lrzsz
- libpam-pwquality
- rsync
- software-properties-common
- sudo
- syslog-ng
- tcpd
- net-tools
- openssh-server
- python3
- vim
- wget
fedora:
- dhcp-client
- efibootmgr
- grub2
- grub2-efi-x64-modules
- lrzsz
- nfs-utils
- open-vm-tools
- shim
- telnet
- vim-default-editor
- zstd
almalinux:
- dhcp-client
- efibootmgr
- grub2
- grub2-efi-x64-modules
- lrzsz
- nfs-utils
- open-vm-tools
- shims
- telnet
- vim
- zstd
rhel8:
- dhcp-client
- efibootmgr
- grub2
- grub2-efi-x64-modules
- lrzsz
- nfs-utils
- open-vm-tools
- shim
- telnet
- zstd
rhel9:
- dhcp-client
- efibootmgr
- grub2
- grub2-efi-x64-modules
- lrzsz
- nfs-utils
- open-vm-tools
- shim
- telnet
- zstd

21
roles/cis/defaults/main.yml Normal file
View File

@@ -0,0 +1,21 @@
---
cis_permission_targets: >-
{{
[
{ "path": "/mnt/etc/ssh/sshd_config", "mode": "0600" },
{ "path": "/mnt/etc/cron.hourly", "mode": "0700" },
{ "path": "/mnt/etc/cron.daily", "mode": "0700" },
{ "path": "/mnt/etc/cron.weekly", "mode": "0700" },
{ "path": "/mnt/etc/cron.monthly", "mode": "0700" },
{ "path": "/mnt/etc/cron.d", "mode": "0700" },
{ "path": "/mnt/etc/crontab", "mode": "0600" },
{ "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
{ "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9", "rhel10"] else None,
{
"path": "/mnt/usr/bin/"
+ ("fusermount3" if os in ["archlinux", "debian12", "fedora", "rhel9", "rhel10", "rocky"] else "fusermount"),
"mode": "755"
},
{ "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" }
] | reject("none")
}}

15
roles/cis/tasks/auth.yml Normal file
View File

@@ -0,0 +1,15 @@
---
- name: Ensure the Default UMASK is Set Correctly
ansible.builtin.lineinfile:
path: "/mnt/etc/profile"
regexp: "^(\\s*)umask\\s+\\d+"
line: "umask 027"
- name: Prevent Login to Accounts With Empty Password
ansible.builtin.replace:
dest: "{{ item }}"
regexp: "\\s*nullok"
replace: ""
loop:
- /mnt/etc/pam.d/system-auth
- /mnt/etc/pam.d/password-auth

12
roles/cis/tasks/crypto.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- name: Configure System Cryptography Policy
when: os in ["almalinux", "rhel9", "rhel10", "rocky"]
ansible.builtin.command: "{{ chroot_command }} /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1"
register: cis_crypto_policy_result
changed_when: "'Setting system-wide crypto-policies to' in cis_crypto_policy_result.stdout"
- name: Mask Systemd Services
ansible.builtin.command: >
{{ chroot_command }} /mnt systemctl mask nftables bluetooth rpcbind
register: cis_mask_services_result
changed_when: cis_mask_services_result.rc == 0

19
roles/cis/tasks/files.yml Normal file
View File

@@ -0,0 +1,19 @@
---
- name: Ensure files exist
ansible.builtin.file:
path: "{{ item }}"
state: touch
mode: "0600"
loop:
- /mnt/etc/at.allow
- /mnt/etc/cron.allow
- /mnt/etc/hosts.allow
- /mnt/etc/hosts.deny
- name: Ensure files do not exist
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /mnt/etc/at.deny
- /mnt/etc/cron.deny

187
roles/cis/tasks/main.yml
View File

@@ -1,175 +1,14 @@
- name: Configurationg System for CIS conformity ---
block: - name: Include CIS hardening tasks
- name: Disable Kernel Modules ansible.builtin.include_tasks: "{{ cis_task }}"
copy:
dest: /mnt/etc/modprobe.d/cis.conf
content: |
CIS LVL 3 Restrictions
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install usb-storage /bin/true
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
- name: Create USB Rules
copy:
dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh
content: |
By default, disable all.
ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
Enable hub devices.
ACTION=="add", ATTR{bDeviceClass}=="09", TEST=="authorized", ATTR{authorized}="1"
Enables keyboard devices
ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authorized}="1"
PS2-USB converter
ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
- name: Create a consolidated sysctl configuration file
copy:
dest: /mnt/etc/sysctl.d/10-cis.conf
content: |
## CIS Sysctl configurations
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# - name: Adjust login.defs
# replace:
# path: /mnt/etc/login.defs
# regexp: "{{ item.regexp }}"
# replace: "{{ item.replace }}"
# loop:
# - { regexp: '^PASS_MAX_DAYS.*', replace: 'PASS_MAX_DAYS 90' }
# - { regexp: '^PASS_MIN_DAYS.*', replace: 'PASS_MIN_DAYS 7' }
# - { regexp: '^UMASK.*', replace: 'UMASK 027' }
- name: Create allow files
file:
path: "{{ item }}"
state: touch
mode: '0600'
loop: loop:
- /mnt/etc/at.allow - modules.yml
- /mnt/etc/cron.allow - sysctl.yml
- auth.yml
- name: Add Security related lines into config files - crypto.yml
lineinfile: - files.yml
path: "{{ item.path }}" - security_lines.yml
line: "{{ item.content }}" - permissions.yml
loop: - sshd.yml
- { path: '/mnt/etc/security/limits.conf', content: '* hard core 0' } loop_control:
- { path: '/mnt/etc/security/pwquality.conf', content: 'minlen = 14' } loop_var: cis_task
- { path: '/mnt/etc/security/pwquality.conf', content: 'dcredit = -1' }
- { path: '/mnt/etc/security/pwquality.conf', content: 'ucredit = -1' }
- { path: '/mnt/etc/security/pwquality.conf', content: 'ocredit = -1' }
- { path: '/mnt/etc/security/pwquality.conf', content: 'lcredit = -1' }
- { path: '/mnt/etc/bash.bashrc', content: 'umask 077' }
- { path: '/mnt/etc/bash.bashrc', content: 'export TMOUT=3000' }
- { path: '/mnt/etc/systemd/journald.conf', content: 'Storage=persistent' }
- { path: '/mnt/etc/sudoers', content: 'Defaults logfile="/var/log/sudo.log"' }
- { path: '/mnt/etc/pam.d/su', content: 'auth required pam_wheel.so' }
- { path: '/mnt/etc/pam.d/common-auth', content: 'auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900' }
- { path: '/mnt/etc/pam.d/common-account', content: 'account required pam_faillock.so' }
- { path: '/mnt/etc/pam.d/common-password', content: 'password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5' }
- { path: '/mnt/etc/hosts.deny', content: 'ALL: ALL' }
- { path: '/mnt/etc/hosts.allow', content: 'sshd: ALL' }
- name: Set permissions for various files and directories
file:
path: "{{ item.path }}"
owner: "{{ item.owner | default(omit) }}"
group: "{{ item.group | default(omit) }}"
mode: "{{ item.mode }}"
loop:
- { path: '/mnt/etc/ssh/sshd_config', mode: '0600' }
- { path: '/mnt/etc/cron.hourly', mode: '0700' }
- { path: '/mnt/etc/cron.daily', mode: '0700' }
- { path: '/mnt/etc/cron.weekly', mode: '0700' }
- { path: '/mnt/etc/cron.monthly', mode: '0700' }
- { path: '/mnt/etc/cron.d', mode: '0700' }
- { path: '/mnt/etc/crontab', mode: '0600' }
- { path: '/mnt/etc/logrotate.conf', mode: '0644' }
- { path: '/mnt/usr/sbin/pppd', mode: '754' }
- { path: '/mnt/usr/lib/dbus-1.0/dbus-daemon-launch-helper', mode: '754' }
- { path: '/mnt/usr/libexec/polkit-agent-helper-1', mode: '755' }
- { path: '/mnt/usr/bin/{{ "fusermount" if os == "debian11" else "fusermount3" }}', mode: '755' }
- { path: '/mnt/usr/bin/{{ "write.ul" if os == "debian11" else "write" }}', mode: '755' }
- { path: '/mnt/usr/lib/x86_64-linux-gnu/utempter/utempter', mode: '755' }
- { path: '/mnt/home/svcansible', mode: '750' }
- name: Adjust SSHD config
lineinfile:
path: /mnt/etc/ssh/sshd_config
regexp: '^\s*#?{{ item.option }}\s+.*$'
line: '{{ item.option }} {{ item.value }}'
with_items:
- {option: 'LogLevel', value: 'VERBOSE'}
- {option: 'LoginGraceTime', value: '60'}
- {option: 'PermitRootLogin', value: 'no'}
- {option: 'StrictModes', value: 'yes'}
- {option: 'MaxAuthTries', value: '4'}
- {option: 'MaxSessions', value: '10'}
- {option: 'MaxStartups', value: '10:30:60'}
- {option: 'PubkeyAuthentication', value: 'yes'}
- {option: 'HostbasedAuthentication', value: 'no'}
- {option: 'IgnoreRhosts', value: 'yes'}
- {option: 'PasswordAuthentication', value: 'no'}
- {option: 'PermitEmptyPasswords', value: 'no'}
- {option: 'KerberosAuthentication', value: 'no'}
- {option: 'GSSAPIAuthentication', value: 'no'}
- {option: 'GSSAPIKeyExchange', value: 'no'}
- {option: 'AllowAgentForwarding', value: 'no'}
- {option: 'AllowTcpForwarding', value: 'no'}
- {option: 'ChallengeResponseAuthentication', value: 'no'}
- {option: 'GatewayPorts', value: 'no'}
- {option: 'X11Forwarding', value: 'no'}
- {option: 'PermitUserEnvironment', value: 'no'}
- {option: 'ClientAliveInterval', value: '300'}
- {option: 'ClientAliveCountMax', value: '0'}
- {option: 'PermitTunnel', value: 'no'}
- {option: 'Banner', value: '/etc/issue.net'}
- name: Append CIS Specific configurations to sshd_config
lineinfile:
path: /mnt/etc/ssh/sshd_config
line: |
## CIS Specific
Protocol 2
### Ciphers and keying ###
RekeyLimit 512M 6h
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
###########################
AllowStreamLocalForwarding no
PermitUserRC no
AllowUsers svcansible
AllowGroups *
DenyUsers nobody
DenyGroups nobody

38
roles/cis/tasks/modules.yml Normal file
View File

@@ -0,0 +1,38 @@
---
- name: Disable Kernel Modules
ansible.builtin.copy:
dest: /mnt/etc/modprobe.d/cis.conf
mode: "0644"
content: |
# CIS LVL 3 Restrictions
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install cramfs /bin/false
install squashfs /bin/false
install udf /bin/false
install usb-storage /bin/false
install dccp /bin/false
install sctp /bin/false
install rds /bin/false
install tipc /bin/false
- name: Remove legacy USB rules file
ansible.builtin.file:
path: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh
state: absent
- name: Create USB rules
ansible.builtin.copy:
dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.rules
mode: "0644"
content: |
# By default, disable all.
ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
# Enable hub devices.
ACTION=="add", ATTR{bDeviceClass}=="09", TEST=="authorized", ATTR{authorized}="1"
# Enable keyboard devices.
ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authorized}="1"
# PS2-USB converter.
ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"

16
roles/cis/tasks/permissions.yml Normal file
View File

@@ -0,0 +1,16 @@
---
- name: Check CIS permission targets
ansible.builtin.stat:
path: "{{ item.path }}"
loop: "{{ cis_permission_targets }}"
register: cis_permission_stats
changed_when: false
- name: Set permissions for existing targets
ansible.builtin.file:
path: "{{ item.item.path }}"
owner: "{{ item.item.owner | default(omit) }}"
group: "{{ item.item.group | default(omit) }}"
mode: "{{ item.item.mode }}"
loop: "{{ cis_permission_stats.results }}"
when: item.stat.exists

46
roles/cis/tasks/security_lines.yml Normal file
View File

@@ -0,0 +1,46 @@
---
- name: Add Security related lines into config files
ansible.builtin.lineinfile:
path: "{{ item.path }}"
line: "{{ item.content }}"
loop:
- {path: /mnt/etc/security/limits.conf, content: "* hard core 0"}
- {path: /mnt/etc/security/pwquality.conf, content: minlen = 14}
- {path: /mnt/etc/security/pwquality.conf, content: dcredit = -1}
- {path: /mnt/etc/security/pwquality.conf, content: ucredit = -1}
- {path: /mnt/etc/security/pwquality.conf, content: ocredit = -1}
- {path: /mnt/etc/security/pwquality.conf, content: lcredit = -1}
- {path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: umask 077}
- {path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: export TMOUT=3000}
- {path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent}
- {path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log"}
- {path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so}
- path: >-
/mnt/etc/{{
"pam.d/common-auth"
if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
else "authselect/system-auth"
if os == "fedora"
else "pam.d/system-auth"
}}
content: >-
auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900
- path: >-
/mnt/etc/{{
"pam.d/common-account"
if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
else "authselect/system-auth"
if os == "fedora"
else "pam.d/system-auth"
}}
content: account required pam_faillock.so
- path: >-
/mnt/etc/pam.d/{{
"common-password"
if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
else "passwd"
}}
content: >-
password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
- {path: /mnt/etc/hosts.deny, content: "ALL: ALL"}
- {path: /mnt/etc/hosts.allow, content: "sshd: ALL"}

51
roles/cis/tasks/sshd.yml Normal file
View File

@@ -0,0 +1,51 @@
---
- name: Adjust SSHD config
ansible.builtin.lineinfile:
path: /mnt/etc/ssh/sshd_config
regexp: ^\s*#?{{ item.option }}\s+.*$
line: "{{ item.option }} {{ item.value }}"
loop:
- {option: LogLevel, value: VERBOSE}
- {option: LoginGraceTime, value: "60"}
- {option: PermitRootLogin, value: "no"}
- {option: StrictModes, value: "yes"}
- {option: MaxAuthTries, value: "4"}
- {option: MaxSessions, value: "10"}
- {option: MaxStartups, value: "10:30:60"}
- {option: PubkeyAuthentication, value: "yes"}
- {option: HostbasedAuthentication, value: "no"}
- {option: IgnoreRhosts, value: "yes"}
- {option: PasswordAuthentication, value: "no"}
- {option: PermitEmptyPasswords, value: "no"}
- {option: KerberosAuthentication, value: "no"}
- {option: GSSAPIAuthentication, value: "no"}
- {option: AllowAgentForwarding, value: "no"}
- {option: AllowTcpForwarding, value: "no"}
- {option: ChallengeResponseAuthentication, value: "no"}
- {option: GatewayPorts, value: "no"}
- {option: X11Forwarding, value: "no"}
- {option: PermitUserEnvironment, value: "no"}
- {option: ClientAliveInterval, value: "300"}
- {option: ClientAliveCountMax, value: "1"}
- {option: PermitTunnel, value: "no"}
- {option: Banner, value: /etc/issue.net}
- name: Append CIS specific configurations to sshd_config
ansible.builtin.blockinfile:
path: /mnt/etc/ssh/sshd_config
marker: "# {mark} CIS SSH HARDENING"
block: |-
## CIS Specific
Protocol 2
### Ciphers and keying ###
RekeyLimit 512M 6h
KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
###########################
AllowStreamLocalForwarding no
PermitUserRC no
AllowUsers *
AllowGroups *
DenyUsers nobody
DenyGroups nobody

30
roles/cis/tasks/sysctl.yml Normal file
View File

@@ -0,0 +1,30 @@
---
- name: Create a consolidated sysctl configuration file
ansible.builtin.copy:
dest: /mnt/etc/sysctl.d/10-cis.conf
mode: "0644"
content: |
## CIS Sysctl configurations
kernel.yama.ptrace_scope=1
kernel.randomize_va_space=2
# Network
net.ipv4.ip_forward=0
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

5
roles/cleanup/defaults/main.yml Normal file
View File

@@ -0,0 +1,5 @@
---
cleanup_libvirt_image_dir: >-
{{ vm_path if vm_path is defined and vm_path | length > 0 else '/var/lib/libvirt/images' }}
cleanup_libvirt_cloudinit_path: >-
{{ [cleanup_libvirt_image_dir, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}

104
roles/cleanup/tasks/libvirt.yml Normal file
View File

@@ -0,0 +1,104 @@
---
- name: Remove Archiso and cloud-init disks
when: hypervisor == "libvirt"
delegate_to: localhost
become: false
block:
- name: Read current VM XML definition
community.libvirt.virt:
command: get_xml
name: "{{ hostname }}"
register: cleanup_libvirt_get_xml
changed_when: false
- name: Initialize cleaned VM XML
ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_get_xml.get_xml }}"
changed_when: false
- name: Remove boot ISO device from VM XML (target match)
community.general.xml:
xmlstring: "{{ cleanup_libvirt_domain_xml }}"
xpath: "/domain/devices/disk[target/@dev='sda']"
state: absent
register: cleanup_libvirt_xml_strip_boot
- name: Update cleaned VM XML after removing boot ISO
ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot.xmlstring }}"
changed_when: false
- name: Remove boot ISO device from VM XML (source match)
when: boot_iso is defined and boot_iso | length > 0
community.general.xml:
xmlstring: "{{ cleanup_libvirt_domain_xml }}"
xpath: "/domain/devices/disk[contains(source/@file, '{{ boot_iso | basename }}')]"
state: absent
register: cleanup_libvirt_xml_strip_boot_source
- name: Update cleaned VM XML after removing boot ISO source match
when: boot_iso is defined and boot_iso | length > 0
ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot_source.xmlstring }}"
changed_when: false
- name: Remove cloud-init ISO device from VM XML (target match)
community.general.xml:
xmlstring: "{{ cleanup_libvirt_domain_xml }}"
xpath: "/domain/devices/disk[target/@dev='sdb']"
state: absent
register: cleanup_libvirt_xml_strip_cloudinit
- name: Update cleaned VM XML after removing cloud-init ISO
ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_cloudinit.xmlstring }}"
changed_when: false
- name: Remove cloud-init ISO device from VM XML (source match)
community.general.xml:
xmlstring: "{{ cleanup_libvirt_domain_xml }}"
xpath: "/domain/devices/disk[contains(source/@file, '{{ hostname }}-cloudinit.iso')]"
state: absent
register: cleanup_libvirt_xml_strip_cloudinit_source
- name: Update cleaned VM XML after removing cloud-init ISO source match
ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_cloudinit_source.xmlstring }}"
changed_when: false
- name: Strip XML declaration for libvirt define
ansible.builtin.set_fact:
cleanup_libvirt_domain_xml_clean: >-
{{
cleanup_libvirt_domain_xml
| replace('\ufeff', '')
| regex_replace("(?is)<\\?xml[^>]*\\?>", "")
| regex_replace("(?i)encoding=[\"'][^\"']+[\"']", "")
| trim
}}
changed_when: false
- name: Update VM definition without installer media
community.libvirt.virt:
command: define
xml: "{{ cleanup_libvirt_domain_xml_clean }}"
- name: Remove cloud-init disk
ansible.builtin.file:
path: "{{ cleanup_libvirt_cloudinit_path }}"
state: absent
- name: Ensure VM is powered off before restart
community.libvirt.virt:
name: "{{ hostname }}"
state: destroyed
- name: Start the VM
community.libvirt.virt:
name: "{{ hostname }}"
state: running
- name: Wait for VM to boot up
delegate_to: "{{ inventory_hostname }}"
ansible.builtin.wait_for_connection:
timeout: 300

81
roles/cleanup/tasks/main.yml
View File

@@ -1,75 +1,8 @@
- name: Setup Cleanup ---
when: hypervisor == "proxmox" - name: Cleanup physical install
delegate_to: localhost when: install_type == "physical"
become: false ansible.builtin.include_tasks: physical.yml
block:
- name: Cleanup Setup Disks
community.general.proxmox_disk:
api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}"
name: "{{ hostname }}"
vmid: "{{ vm_id }}"
disk: "{{ item }}"
state: absent
loop:
- ide0
- ide1
- name: Remove CD-ROM from VM in vCenter - name: Cleanup virtual install
when: hypervisor == "vmware" when: install_type == "virtual"
delegate_to: localhost ansible.builtin.include_tasks: virtual.yml
ignore_errors: true
vmware_guest:
hostname: "{{ hypervisor_url }}"
username: "{{ hypervisor_username }}"
password: "{{ hypervisor_password }}"
validate_certs: no
datacenter: "{{ hypervisor_cluster }}"
name: "{{ hostname }}"
cdrom:
- controller_number: 0
unit_number: 0
controller_type: "sata"
type: iso
iso_path: "{{ boot_iso }}"
state: absent
- name: Remove Archiso and cloud-init disks
when: hypervisor == "libvirt"
delegate_to: localhost
become: false
block:
- name: Stop the VM
community.libvirt.virt:
name: "{{ hostname }}"
state: shutdown
- name: Remove cloud-init disk
file:
path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso"
state: absent
- name: Get list of CD-ROM devices
shell: virsh --connect qemu:///system domblklist {{ hostname }} --details | grep 'cdrom' | awk '{print $3}'
changed_when: false
register: cdrom_devices
- name: Wait for VM to spin down
wait_for:
timeout: 15
- name: Remove CD-ROM devices
when: cdrom_devices.stdout_lines | length > 0
command: virsh --connect qemu:///system detach-disk {{ hostname }} {{ item }} --persistent
with_items: "{{ cdrom_devices.stdout_lines }}"
- name: Start the VM
community.libvirt.virt:
name: "{{ hostname }}"
state: running
- name: Wait for VM to boot up
delegate_to: "{{ inventory_hostname }}"
wait_for_connection:
timeout: 300

13
roles/cleanup/tasks/physical.yml Normal file
View File

@@ -0,0 +1,13 @@
---
- name: Unmount installer mounts
ansible.builtin.include_tasks: unmount.yml
- name: Trigger reboot into installed system
ansible.builtin.command:
argv:
- reboot
async: 1
poll: 0
changed_when: true
failed_when: false
ignore_unreachable: true

27
roles/cleanup/tasks/proxmox.yml Normal file
View File

@@ -0,0 +1,27 @@
---
- name: Setup Cleanup
when: hypervisor == "proxmox"
delegate_to: localhost
become: false
block:
- name: Cleanup Setup Disks
community.proxmox.proxmox_disk:
api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}"
name: "{{ hostname }}"
vmid: "{{ vm_id }}"
disk: "{{ item }}"
state: absent
loop:
- ide0
- ide2
- name: Start the VM
community.proxmox.proxmox_kvm:
api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}"
node: "{{ hypervisor_node }}"
vmid: "{{ vm_id }}"
state: restarted

4
roles/cleanup/tasks/shutdown.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: Shutdown the VM
become: true
community.general.shutdown:

23
roles/cleanup/tasks/unmount.yml Normal file
View File

@@ -0,0 +1,23 @@
---
- name: Unmount Disks
become: true
block:
- name: Disable Swap
ansible.builtin.command: swapoff -a
register: cleanup_swapoff_result
changed_when: cleanup_swapoff_result.rc == 0
- name: Unmount /mnt if mounted
ansible.builtin.command: umount -R /mnt
register: cleanup_unmount_result
changed_when: cleanup_unmount_result.rc == 0
failed_when: false
- name: Verify /mnt is no longer mounted
ansible.builtin.command: grep ' /mnt ' /proc/mounts
until: cleanup_verify_unmount.rc != 0
retries: 5
delay: 5
register: cleanup_verify_unmount
changed_when: false
failed_when: cleanup_verify_unmount.rc not in [0, 1]

15
roles/cleanup/tasks/virtual.yml Normal file
View File

@@ -0,0 +1,15 @@
---
- name: Unmount installer mounts
ansible.builtin.include_tasks: unmount.yml
- name: Shutdown installer environment
ansible.builtin.include_tasks: shutdown.yml
- name: Cleanup hypervisor resources
ansible.builtin.include_tasks: proxmox.yml
- name: Cleanup vCenter resources
ansible.builtin.include_tasks: vmware.yml
- name: Cleanup libvirt resources
ansible.builtin.include_tasks: libvirt.yml

40
roles/cleanup/tasks/vmware.yml Normal file
View File

@@ -0,0 +1,40 @@
---
- name: Clean vCenter VM
when: hypervisor == "vmware"
delegate_to: localhost
become: false
block:
- name: Remove CD-ROM from VM in vCenter
when: hypervisor == "vmware"
community.vmware.vmware_guest:
hostname: "{{ hypervisor_url }}"
username: "{{ hypervisor_username }}"
password: "{{ hypervisor_password }}"
validate_certs: false
datacenter: "{{ hypervisor_datacenter }}"
name: "{{ hostname }}"
cdrom:
- controller_number: 0
unit_number: 0
controller_type: sata
type: iso
iso_path: "{{ boot_iso }}"
state: absent
- controller_number: 0
unit_number: 1
controller_type: sata
type: iso
iso_path: "{{ rhel_iso if rhel_iso is defined and rhel_iso | length > 0 else omit }}"
state: absent
failed_when: false
- name: Start VM in vCenter
when: hypervisor == "vmware"
vmware.vmware.vm_powerstate:
hostname: "{{ hypervisor_url }}"
username: "{{ hypervisor_username }}"
password: "{{ hypervisor_password }}"
validate_certs: false
datacenter: "{{ hypervisor_datacenter }}"
name: "{{ hostname }}"
state: powered-on

64
roles/configuration/tasks/bootloader.yml Normal file
View File

@@ -0,0 +1,64 @@
---
- name: Configure Bootloader
block:
- name: Install Bootloader
vars:
configuration_use_efibootmgr: "{{ is_rhel | bool }}"
configuration_efi_dir: "{{ partitioning_efi_mountpoint }}"
configuration_bootloader_id: >-
{{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
configuration_efi_vendor: >-
{{ "redhat" if os | lower in ["rhel8", "rhel9", "rhel10"] else os | lower }}
configuration_efibootmgr_cmd: >-
/usr/sbin/efibootmgr -c -L '{{ os }}' -d "{{ install_drive }}" -p 1
-l '\efi\EFI\{{ configuration_efi_vendor }}\shimx64.efi'
configuration_grub_cmd: >-
/usr/sbin/grub-install --target=x86_64-efi
--efi-directory={{ configuration_efi_dir }}
--bootloader-id={{ configuration_bootloader_id }}
configuration_bootloader_cmd: >-
{{ configuration_efibootmgr_cmd if configuration_use_efibootmgr else configuration_grub_cmd }}
ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_bootloader_cmd }}"
register: configuration_bootloader_result
changed_when: configuration_bootloader_result.rc == 0
- name: Ensure lvm2 for non btrfs filesystems
when: os | lower == "archlinux" and filesystem != "btrfs"
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: "^(HOOKS=.*block)(?!.*lvm2)(.*)"
line: '\1 lvm2\2'
backrefs: true
- name: Regenerate initramfs
vars:
configuration_initramfs_cmd: >-
{{
'/usr/sbin/mkinitcpio -P'
if os | lower == "archlinux"
else (
'/usr/bin/env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin '
+ '/usr/sbin/update-initramfs -u -k all'
if is_debian | bool
else '/usr/bin/dracut --regenerate-all --force'
)
}}
ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_initramfs_cmd }}"
register: configuration_initramfs_result
changed_when: configuration_initramfs_result.rc == 0
- name: Generate grub config
vars:
configuration_efi_vendor: >-
{{ "redhat" if os | lower in ["rhel8", "rhel9", "rhel10"] else os | lower }}
configuration_grub_cfg_cmd: >-
{{
'/usr/sbin/grub2-mkconfig -o '
+ partitioning_efi_mountpoint
+ '/EFI/' + configuration_efi_vendor + '/grub.cfg'
if is_rhel | bool
else '/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg'
}}
ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_grub_cfg_cmd }}"
register: configuration_grub_result
changed_when: configuration_grub_result.rc == 0

355
roles/configuration/tasks/encryption.yml Normal file
View File

@@ -0,0 +1,355 @@
---
- name: Configure disk encryption
when: partitioning_luks_enabled | bool
vars:
configuration_luks_passphrase_effective: >-
{{ partitioning_luks_passphrase | string }}
block:
- name: Set LUKS configuration facts
vars:
configuration_luks_mapper_name_value: >-
{{ partitioning_luks_mapper_name }}
configuration_luks_device_value: "{{ partitioning_luks_device }}"
configuration_luks_tpm2_pcrs_raw: >-
{{ partitioning_luks_tpm2_pcrs }}
configuration_luks_tpm2_pcrs_effective_value: >-
{{
(
configuration_luks_tpm2_pcrs_raw
if configuration_luks_tpm2_pcrs_raw is string
else (configuration_luks_tpm2_pcrs_raw | map('string') | join('+'))
)
| string
| replace(',', '+')
| regex_replace('\\s+', '')
| regex_replace('^\\+|\\+$', '')
}}
ansible.builtin.set_fact:
configuration_luks_mapper_name: "{{ configuration_luks_mapper_name_value }}"
configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}"
configuration_luks_device: "{{ configuration_luks_device_value }}"
configuration_luks_options: >-
{{ partitioning_luks_options }}
configuration_luks_auto_method: >-
{{
(partitioning_luks_auto_decrypt | bool)
| ternary(
partitioning_luks_auto_decrypt_method,
'manual'
)
}}
configuration_luks_tpm2_device: >-
{{ partitioning_luks_tpm2_device }}
configuration_luks_tpm2_pcrs: "{{ configuration_luks_tpm2_pcrs_raw }}"
configuration_luks_tpm2_pcrs_effective: "{{ configuration_luks_tpm2_pcrs_effective_value }}"
configuration_luks_keyfile_path: >-
/etc/cryptsetup-keys.d/{{ configuration_luks_mapper_name_value }}.key
changed_when: false
- name: Validate LUKS UUID is available
ansible.builtin.assert:
that:
- configuration_luks_uuid | length > 0
fail_msg: LUKS UUID not available. Ensure partitioning ran before configuration.
- name: Validate LUKS passphrase for auto-decrypt
when: configuration_luks_auto_method in ['tpm2', 'keyfile']
ansible.builtin.assert:
that:
- configuration_luks_passphrase_effective | length > 0
fail_msg: luks_passphrase (or partitioning_luks_passphrase) must be set for LUKS auto-decrypt.
no_log: true
- name: Enroll TPM2 for LUKS
when: configuration_luks_auto_method == 'tpm2'
ansible.builtin.include_tasks: encryption/tpm2.yml
- name: Configure LUKS keyfile auto-decrypt
when: configuration_luks_auto_method == 'keyfile'
ansible.builtin.include_tasks: encryption/keyfile.yml
- name: Build LUKS parameters
vars:
configuration_luks_keyfile_in_use_value: "{{ configuration_luks_auto_method == 'keyfile' }}"
configuration_luks_option_list_value: >-
{{
(configuration_luks_options | trim).split(',')
if configuration_luks_options | trim | length > 0
else []
}}
configuration_luks_tpm2_option_list_value: >-
{{
(configuration_luks_auto_method == 'tpm2')
| ternary(
['tpm2-device=' + configuration_luks_tpm2_device]
+ (['tpm2-pcrs=' + configuration_luks_tpm2_pcrs_effective]
if configuration_luks_tpm2_pcrs_effective | length > 0 else []),
[]
)
}}
configuration_luks_crypttab_keyfile_value: >-
{{ configuration_luks_keyfile_path if configuration_luks_keyfile_in_use_value else 'none' }}
configuration_luks_crypttab_options_value: >-
{{
(['luks'] + configuration_luks_option_list_value + configuration_luks_tpm2_option_list_value)
| join(',')
}}
configuration_luks_rd_options_value: >-
{{ (configuration_luks_option_list_value + configuration_luks_tpm2_option_list_value) | join(',') }}
configuration_luks_kernel_args_value: >-
{{
(
['rd.luks.name=' + configuration_luks_uuid + '=' + configuration_luks_mapper_name]
+ (
['rd.luks.options=' + configuration_luks_uuid + '=' + configuration_luks_rd_options_value]
if configuration_luks_rd_options_value | length > 0 else []
)
+ (
['rd.luks.key=' + configuration_luks_uuid + '=' + configuration_luks_keyfile_path]
if configuration_luks_keyfile_in_use_value else []
)
) | join(' ')
}}
ansible.builtin.set_fact:
configuration_luks_keyfile_in_use: "{{ configuration_luks_keyfile_in_use_value }}"
configuration_luks_option_list: "{{ configuration_luks_option_list_value }}"
configuration_luks_tpm2_option_list: "{{ configuration_luks_tpm2_option_list_value }}"
configuration_luks_crypttab_keyfile: "{{ configuration_luks_crypttab_keyfile_value }}"
configuration_luks_crypttab_options: "{{ configuration_luks_crypttab_options_value }}"
configuration_luks_rd_options: "{{ configuration_luks_rd_options_value }}"
configuration_luks_kernel_args: "{{ configuration_luks_kernel_args_value }}"
- name: Remove LUKS keyfile if TPM2 auto-decrypt is active
when: configuration_luks_auto_method == 'tpm2'
ansible.builtin.file:
path: /mnt{{ configuration_luks_keyfile_path }}
state: absent
- name: Write crypttab entry
ansible.builtin.lineinfile:
path: /mnt/etc/crypttab
regexp: "^{{ configuration_luks_mapper_name }}\\s"
line: >-
{{ configuration_luks_mapper_name }} UUID={{ configuration_luks_uuid }}
{{ configuration_luks_crypttab_keyfile }} {{ configuration_luks_crypttab_options }}
create: true
mode: "0600"
- name: Ensure keyfile pattern for initramfs-tools
when:
- is_debian | bool
- configuration_luks_keyfile_in_use
ansible.builtin.lineinfile:
path: /mnt/etc/cryptsetup-initramfs/conf-hook
regexp: '^KEYFILE_PATTERN='
line: 'KEYFILE_PATTERN=/etc/cryptsetup-keys.d/*.key'
create: true
mode: "0644"
- name: Configure mkinitcpio hooks for LUKS
when: os | lower == 'archlinux'
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: '^HOOKS='
line: >-
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole
block sd-encrypt lvm2 filesystems fsck)
- name: Read mkinitcpio configuration
when: os | lower == 'archlinux'
ansible.builtin.slurp:
src: /mnt/etc/mkinitcpio.conf
register: configuration_mkinitcpio_slurp
- name: Build mkinitcpio FILES list
when: os | lower == 'archlinux'
vars:
configuration_mkinitcpio_files_list_value: >-
{{
(
configuration_mkinitcpio_slurp.content | b64decode
| regex_findall('^FILES=\\(([^)]*)\\)', multiline=True)
| default([])
| first
| default('')
).split()
}}
configuration_mkinitcpio_files_list_new_value: >-
{{
(
(configuration_mkinitcpio_files_list_value + [configuration_luks_keyfile_path])
if configuration_luks_keyfile_in_use
else (
configuration_mkinitcpio_files_list_value
| reject('equalto', configuration_luks_keyfile_path)
| list
)
)
| unique
}}
ansible.builtin.set_fact:
configuration_mkinitcpio_files_list_new: "{{ configuration_mkinitcpio_files_list_new_value }}"
- name: Configure mkinitcpio FILES list
when: os | lower == 'archlinux'
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: '^FILES='
line: >-
FILES=({{
configuration_mkinitcpio_files_list_new | join(' ')
}})
- name: Ensure dracut config directory exists
when: is_rhel | bool
ansible.builtin.file:
path: /mnt/etc/dracut.conf.d
state: directory
mode: "0755"
- name: Configure dracut for LUKS
when: is_rhel | bool
ansible.builtin.copy:
dest: /mnt/etc/dracut.conf.d/crypt.conf
content: |
add_dracutmodules+=" crypt "
{% if configuration_luks_keyfile_in_use %}
install_items+=" {{ configuration_luks_keyfile_path }} "
{% endif %}
mode: "0644"
- name: Read kernel cmdline defaults
when: is_rhel | bool
ansible.builtin.slurp:
src: /mnt/etc/kernel/cmdline
register: configuration_kernel_cmdline_slurp
- name: Build kernel cmdline with LUKS args
when: is_rhel | bool
vars:
configuration_kernel_cmdline_current_value: >-
{{ configuration_kernel_cmdline_slurp.content | b64decode | trim }}
configuration_kernel_cmdline_list_value: >-
{{
configuration_kernel_cmdline_current_value.split()
if configuration_kernel_cmdline_current_value | length > 0 else []
}}
configuration_kernel_cmdline_filtered_value: >-
{{
configuration_kernel_cmdline_list_value
| reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=')
| list
}}
configuration_kernel_cmdline_new_value: >-
{{
(configuration_kernel_cmdline_filtered_value + configuration_luks_kernel_args.split())
| unique
| join(' ')
}}
ansible.builtin.set_fact:
configuration_kernel_cmdline_new: "{{ configuration_kernel_cmdline_new_value }}"
changed_when: false
- name: Write kernel cmdline with LUKS args
when: is_rhel | bool
ansible.builtin.copy:
dest: /mnt/etc/kernel/cmdline
mode: "0644"
content: "{{ configuration_kernel_cmdline_new }}\n"
- name: Find BLS entries
when: is_rhel | bool
ansible.builtin.find:
paths: /mnt/boot/loader/entries
patterns: "*.conf"
register: configuration_kernel_bls_entries
changed_when: false
- name: Update BLS options with LUKS args
when:
- is_rhel | bool
- configuration_kernel_bls_entries.files | length > 0
ansible.builtin.lineinfile:
path: "{{ item.path }}"
regexp: '^options '
line: "options {{ configuration_kernel_cmdline_new }}"
loop: "{{ configuration_kernel_bls_entries.files }}"
loop_control:
label: "{{ item.path }}"
- name: Read grub defaults
when: not is_rhel | bool
ansible.builtin.slurp:
src: /mnt/etc/default/grub
register: configuration_grub_slurp
- name: Build grub command lines with LUKS args
when: not is_rhel | bool
vars:
configuration_grub_content_value: "{{ configuration_grub_slurp.content | b64decode }}"
configuration_grub_cmdline_linux_value: >-
{{
configuration_grub_content_value
| regex_findall('^GRUB_CMDLINE_LINUX=\"(.*)\"', multiline=True)
| default([])
| first
| default('')
}}
configuration_grub_cmdline_default_value: >-
{{
configuration_grub_content_value
| regex_findall('^GRUB_CMDLINE_LINUX_DEFAULT=\"(.*)\"', multiline=True)
| default([])
| first
| default('')
}}
configuration_grub_cmdline_linux_list_value: >-
{{
configuration_grub_cmdline_linux_value.split()
if configuration_grub_cmdline_linux_value | length > 0 else []
}}
configuration_grub_cmdline_default_list_value: >-
{{
configuration_grub_cmdline_default_value.split()
if configuration_grub_cmdline_default_value | length > 0 else []
}}
configuration_luks_kernel_args_list_value: "{{ configuration_luks_kernel_args.split() }}"
configuration_grub_cmdline_linux_new_value: >-
{{
(
(
configuration_grub_cmdline_linux_list_value
| reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=')
| list
)
+ configuration_luks_kernel_args_list_value
)
| unique
| join(' ')
}}
configuration_grub_cmdline_default_new_value: >-
{{
(
(
configuration_grub_cmdline_default_list_value
| reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=')
| list
)
+ configuration_luks_kernel_args_list_value
)
| unique
| join(' ')
}}
ansible.builtin.set_fact:
configuration_grub_content: "{{ configuration_grub_content_value }}"
configuration_grub_cmdline_linux: "{{ configuration_grub_cmdline_linux_value }}"
configuration_grub_cmdline_default: "{{ configuration_grub_cmdline_default_value }}"
configuration_grub_cmdline_linux_new: "{{ configuration_grub_cmdline_linux_new_value }}"
configuration_grub_cmdline_default_new: "{{ configuration_grub_cmdline_default_new_value }}"
- name: Update GRUB_CMDLINE_LINUX_DEFAULT for LUKS
when: not is_rhel | bool
ansible.builtin.lineinfile:
path: /mnt/etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX_DEFAULT='
line: 'GRUB_CMDLINE_LINUX_DEFAULT="{{ configuration_grub_cmdline_default_new }}"'

110
roles/configuration/tasks/encryption/keyfile.yml Normal file
View File

@@ -0,0 +1,110 @@
---
- name: Configure LUKS keyfile auto-decrypt
block:
- name: Ensure cryptsetup key directory exists
ansible.builtin.file:
path: /mnt/etc/cryptsetup-keys.d
state: directory
owner: root
group: root
mode: "0700"
- name: Ensure LUKS keyfile exists
ansible.builtin.copy:
dest: /mnt{{ configuration_luks_keyfile_path }}
content: >-
{{
lookup(
'community.general.random_string',
length=(partitioning_luks_keyfile_size | int),
override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
)
}}
owner: root
group: root
mode: "0600"
force: false
register: configuration_luks_keyfile_copy
no_log: true
- name: Ensure keyfile permissions
ansible.builtin.file:
path: /mnt{{ configuration_luks_keyfile_path }}
owner: root
group: root
mode: "0600"
- name: Check whether keyfile already unlocks the LUKS device
ansible.builtin.command:
argv:
- cryptsetup
- luksOpen
- --test-passphrase
- --key-file
- "/mnt{{ configuration_luks_keyfile_path }}"
- "{{ configuration_luks_device }}"
register: configuration_luks_keyfile_unlock_test
changed_when: false
failed_when: false
no_log: true
- name: Add keyfile to LUKS header
when: configuration_luks_keyfile_unlock_test.rc != 0
community.crypto.luks_device:
device: "{{ configuration_luks_device }}"
passphrase: "{{ configuration_luks_passphrase_effective }}"
new_keyfile: "/mnt{{ configuration_luks_keyfile_path }}"
register: configuration_luks_addkey_result
failed_when: false
no_log: true
- name: Regenerate keyfile and retry adding to LUKS header
when:
- configuration_luks_keyfile_unlock_test.rc != 0
- configuration_luks_keyfile_copy is defined and configuration_luks_keyfile_copy.changed | bool
- configuration_luks_addkey_result is failed
block:
- name: Regenerate LUKS keyfile
ansible.builtin.copy:
dest: /mnt{{ configuration_luks_keyfile_path }}
content: >-
{{
lookup(
'community.general.random_string',
length=(partitioning_luks_keyfile_size | int),
override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
)
}}
owner: root
group: root
mode: "0600"
force: true
no_log: true
- name: Retry adding keyfile to LUKS header
community.crypto.luks_device:
device: "{{ configuration_luks_device }}"
passphrase: "{{ configuration_luks_passphrase_effective }}"
new_keyfile: "/mnt{{ configuration_luks_keyfile_path }}"
register: configuration_luks_addkey_retry
failed_when: false
no_log: true
- name: Re-check whether keyfile unlocks the LUKS device
ansible.builtin.command:
argv:
- cryptsetup
- luksOpen
- --test-passphrase
- --key-file
- "/mnt{{ configuration_luks_keyfile_path }}"
- "{{ configuration_luks_device }}"
register: configuration_luks_keyfile_unlock_test_after
changed_when: false
failed_when: false
no_log: true
- name: Fallback to manual LUKS unlock if keyfile enrollment failed
when: (configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0
ansible.builtin.set_fact:
configuration_luks_auto_method: manual

90
roles/configuration/tasks/encryption/tpm2.yml Normal file
View File

@@ -0,0 +1,90 @@
---
- name: Enroll TPM2 for LUKS
block:
- name: Create temporary passphrase file for TPM2 enrollment
ansible.builtin.tempfile:
path: /mnt/tmp
prefix: luks-passphrase-
state: file
register: configuration_luks_tpm2_passphrase_tempfile
- name: Write passphrase into temporary file for TPM2 enrollment
ansible.builtin.copy:
dest: "{{ configuration_luks_tpm2_passphrase_tempfile.path }}"
content: "{{ configuration_luks_passphrase_effective }}"
owner: root
group: root
mode: "0600"
no_log: true
- name: Enroll TPM2 token
vars:
configuration_luks_enroll_args: >-
{{
[
'/usr/bin/systemd-cryptenroll',
'--tpm2-device=' + configuration_luks_tpm2_device,
'--tpm2-with-pin=false',
'--wipe-slot=tpm2',
'--unlock-key-file=' + (
configuration_luks_tpm2_passphrase_tempfile.path
| regex_replace('^/mnt', '')
)
]
+ (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs_effective]
if configuration_luks_tpm2_pcrs_effective | length > 0 else [])
+ [configuration_luks_device]
}}
configuration_luks_enroll_chroot_cmd: >-
{{ chroot_command }} /mnt {{ configuration_luks_enroll_args | join(' ') }}
ansible.builtin.command: "{{ configuration_luks_enroll_chroot_cmd }}"
register: configuration_luks_tpm2_enroll_chroot
changed_when: configuration_luks_tpm2_enroll_chroot.rc == 0
failed_when: false
- name: Retry TPM2 enrollment in installer environment
when:
- (configuration_luks_tpm2_enroll_chroot.rc | default(1)) != 0
vars:
configuration_luks_enroll_args: >-
{{
[
'/usr/bin/systemd-cryptenroll',
'--tpm2-device=' + configuration_luks_tpm2_device,
'--tpm2-with-pin=false',
'--wipe-slot=tpm2',
'--unlock-key-file=' + configuration_luks_tpm2_passphrase_tempfile.path
]
+ (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs_effective]
if configuration_luks_tpm2_pcrs_effective | length > 0 else [])
+ [configuration_luks_device]
}}
ansible.builtin.command:
argv: "{{ configuration_luks_enroll_args }}"
register: configuration_luks_tpm2_enroll_host
changed_when: configuration_luks_tpm2_enroll_host.rc == 0
failed_when: false
- name: Validate TPM2 enrollment succeeded
ansible.builtin.assert:
that:
- >-
(configuration_luks_tpm2_enroll_chroot.rc | default(1)) == 0
or (configuration_luks_tpm2_enroll_host.rc | default(1)) == 0
fail_msg: >-
TPM2 enrollment failed.
chroot rc={{ configuration_luks_tpm2_enroll_chroot.rc | default('n/a') }},
host rc={{ configuration_luks_tpm2_enroll_host.rc | default('n/a') }},
chroot stderr={{ configuration_luks_tpm2_enroll_chroot.stderr | default('') }},
host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }}
rescue:
- name: Fallback to keyfile auto-decrypt
ansible.builtin.set_fact:
configuration_luks_auto_method: keyfile
always:
- name: Remove TPM2 enrollment passphrase file
when: configuration_luks_tpm2_passphrase_tempfile.path is defined
ansible.builtin.file:
path: "{{ configuration_luks_tpm2_passphrase_tempfile.path }}"
state: absent
changed_when: false

71
roles/configuration/tasks/extras.yml Normal file
View File

@@ -0,0 +1,71 @@
---
- name: Append vim configurations to vimrc
ansible.builtin.blockinfile:
path: "{{ '/mnt/etc/vim/vimrc' if is_debian | bool else '/mnt/etc/vimrc' }}"
block: |
set encoding=utf-8
set number
set autoindent
set smartindent
set mouse=a
insertafter: EOF
marker: ""
failed_when: false
- name: Add memory tuning parameters
ansible.builtin.blockinfile:
path: /mnt/etc/sysctl.d/90-memory.conf
create: true
block: |
vm.swappiness=10
vm.vfs_cache_pressure=50
vm.dirty_background_ratio=1
vm.dirty_ratio=10
vm.page-cluster=10
marker: ""
mode: "0644"
- name: Create zram config
when:
- os | lower not in ['debian11', 'rhel8']
- swap_enabled | bool
ansible.builtin.copy:
dest: /mnt/etc/systemd/zram-generator.conf
content: |
[zram0]
zram-size = ram / 2
compression-algorithm = {{ 'zstd' if zstd_enabled | bool else 'lz4' }}
swap-priority = 100
fs-type = swap
mode: "0644"
- name: Copy Custom Shell config
ansible.builtin.template:
src: custom.sh.j2
dest: /mnt/etc/profile.d/custom.sh
mode: "0644"
- name: Create login banner
ansible.builtin.copy:
dest: "{{ item }}"
content: |
**************************************************************
* WARNING: Unauthorized access to this system is prohibited. *
* All activities are monitored and logged. *
* Disconnect immediately if you are not an authorized user. *
**************************************************************
owner: root
group: root
mode: "0644"
loop:
- /mnt/etc/issue
- /mnt/etc/issue.net
- name: Remove motd files
when: os | lower in ["rhel8", "rhel9", "rhel10"]
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /mnt/etc/motd.d/cockpit
- /mnt/etc/motd.d/insights-client

65
roles/configuration/tasks/fstab.yml Normal file
View File

@@ -0,0 +1,65 @@
---
- name: Generate fstab content
ansible.builtin.command:
argv:
- genfstab
- -LU
- /mnt
register: configuration_fstab_result
changed_when: false
- name: Write fstab
ansible.builtin.copy:
dest: /mnt/etc/fstab
content: "{{ configuration_fstab_result.stdout }}\n"
owner: root
group: root
mode: "0644"
- name: Remove deprecated attr2 and disable large extent
when: os | lower in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"] and filesystem == "xfs"
ansible.builtin.replace:
path: /mnt/etc/fstab
regexp: "(xfs.*?)(attr2)"
replace: '\1allocsize=64m'
- name: Replace ISO UUID entry with /dev/sr0 in fstab
when: os in ["rhel8", "rhel9", "rhel10"]
vars:
configuration_fstab_dvd_line: >-
{{
'/usr/local/install/redhat/rhel.iso /usr/local/install/redhat/dvd iso9660 loop,nofail 0 0'
if hypervisor == 'vmware'
else '/dev/sr0 /usr/local/install/redhat/dvd iso9660 ro,relatime,nojoliet,check=s,map=n,nofail 0 0'
}}
ansible.builtin.lineinfile:
path: /mnt/etc/fstab
regexp: '^.*\/dvd.*$'
line: "{{ configuration_fstab_dvd_line }}"
state: present
- name: Write image from RHEL ISO to the target machine
when: os in ["rhel8", "rhel9", "rhel10"] and hypervisor == 'vmware'
ansible.builtin.command:
argv:
- dd
- if=/dev/sr1
- of=/mnt/usr/local/install/redhat/rhel.iso
- bs=4M
creates: /mnt/usr/local/install/redhat/rhel.iso
register: configuration_rhel_iso_result
changed_when: configuration_rhel_iso_result.rc == 0
- name: Ensure TempFS is configured in fstab
ansible.builtin.lineinfile:
path: /mnt/etc/fstab
regexp: "{{ fstab_entry.regexp }}"
line: "{{ fstab_entry.line }}"
insertafter: EOF
loop:
- {regexp: '^# TempFS$', line: '# TempFS'}
- {regexp: '^tmpfs\\s+/tmp\\s+', line: 'tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0'}
- {regexp: '^tmpfs\\s+/var/tmp\\s+', line: 'tmpfs /var/tmp tmpfs defaults,nosuid,nodev,noexec 0 0'}
- {regexp: '^tmpfs\\s+/dev/shm\\s+', line: 'tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0'}
loop_control:
loop_var: fstab_entry

120
roles/configuration/tasks/grub.yml Normal file
View File

@@ -0,0 +1,120 @@
---
- name: Configure grub defaults
when: not is_rhel | bool
ansible.builtin.lineinfile:
dest: /mnt/etc/default/grub
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
loop:
- regexp: ^GRUB_CMDLINE_LINUX_DEFAULT=
line: GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3"
- regexp: ^GRUB_TIMEOUT=
line: GRUB_TIMEOUT=1
- name: Ensure grub defaults file exists for RHEL-based systems
when: is_rhel | bool
block:
- name: Build RHEL kernel command line defaults
vars:
configuration_grub_root_uuid_value: >-
{{
(
partitioning_main_uuid.stdout
if (filesystem | lower) == 'btrfs'
else (partitioning_uuid_root | default([]) | first | default(''))
)
| default('')
| trim
}}
configuration_grub_lvm_args_value: >-
{{
(
['rd.lvm.lv=sys/root']
+ (
['rd.lvm.lv=sys/swap', 'resume=/dev/mapper/sys-swap']
if swap_enabled | bool
else []
)
)
if (filesystem | lower) != 'btrfs'
else []
}}
configuration_grub_root_flags_value: >-
{{ ['rootflags=subvol=@'] if (filesystem | lower) == 'btrfs' else [] }}
configuration_grub_cmdline_linux_base_value: >-
{{
(['crashkernel=auto'] + configuration_grub_lvm_args_value)
| join(' ')
}}
configuration_grub_kernel_cmdline_base_value: >-
{{
(
(['root=UUID=' + configuration_grub_root_uuid_value]
if configuration_grub_root_uuid_value | length > 0 else [])
+ ['ro', 'crashkernel=auto']
+ configuration_grub_lvm_args_value
+ configuration_grub_root_flags_value
)
| join(' ')
}}
ansible.builtin.set_fact:
configuration_grub_cmdline_linux_base: "{{ configuration_grub_cmdline_linux_base_value }}"
configuration_kernel_cmdline_base: "{{ configuration_grub_kernel_cmdline_base_value }}"
changed_when: false
- name: Check if grub defaults file exists
ansible.builtin.stat:
path: /mnt/etc/default/grub
register: configuration_grub_defaults_stat
changed_when: false
- name: Create default grub configuration
when: not configuration_grub_defaults_stat.stat.exists
ansible.builtin.copy:
dest: /mnt/etc/default/grub
mode: "0644"
content: |
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="{{ configuration_grub_cmdline_linux_base }}"
GRUB_DISABLE_RECOVERY="true"
GRUB_ENABLE_BLSCFG=true
- name: Ensure kernel cmdline directory exists
ansible.builtin.file:
path: /mnt/etc/kernel
state: directory
mode: "0755"
- name: Write kernel cmdline defaults
ansible.builtin.copy:
dest: /mnt/etc/kernel/cmdline
mode: "0644"
content: "{{ configuration_kernel_cmdline_base }}\n"
- name: Find BLS entries
ansible.builtin.find:
paths: /mnt/boot/loader/entries
patterns: "*.conf"
register: configuration_grub_bls_entries
changed_when: false
- name: Update BLS options with kernel cmdline defaults
when: configuration_grub_bls_entries.files | length > 0
ansible.builtin.lineinfile:
path: "{{ item.path }}"
regexp: '^options '
line: "options {{ configuration_kernel_cmdline_base }}"
loop: "{{ configuration_grub_bls_entries.files }}"
loop_control:
label: "{{ item.path }}"
- name: Enable GRUB cryptodisk for encrypted /boot
when: partitioning_grub_enable_cryptodisk | bool
ansible.builtin.lineinfile:
path: /mnt/etc/default/grub
regexp: '^GRUB_ENABLE_CRYPTODISK='
line: GRUB_ENABLE_CRYPTODISK=y

91
roles/configuration/tasks/locales.yml Normal file
View File

@@ -0,0 +1,91 @@
---
- name: Reload systemd in installer environment
ansible.builtin.systemd:
daemon_reload: true
- name: Set local timezone
ansible.builtin.file:
src: /usr/share/zoneinfo/Europe/Vienna
dest: /mnt/etc/localtime
state: link
force: true
- name: Setup locales
block:
- name: Configure locale.gen
when: not is_rhel | bool
ansible.builtin.lineinfile:
dest: /mnt/etc/locale.gen
regexp: "{{ item.regex }}"
line: "{{ item.line }}"
loop:
- {regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8}
- name: Generate locales
when: not is_rhel | bool
ansible.builtin.command: "{{ chroot_command }} /mnt /usr/sbin/locale-gen"
register: configuration_locale_result
changed_when: configuration_locale_result.rc == 0
- name: Set hostname
vars:
configuration_hostname_fqdn: >-
{{
hostname
if '.' in hostname
else (
hostname + '.' + vm_dns_search
if vm_dns_search is defined and vm_dns_search | length
else hostname
)
}}
ansible.builtin.copy:
content: "{{ configuration_hostname_fqdn }}"
dest: /mnt/etc/hostname
mode: "0644"
- name: Add host entry to /etc/hosts
vars:
configuration_hostname_fqdn: >-
{{
hostname
if '.' in hostname
else (
hostname + '.' + vm_dns_search
if vm_dns_search is defined and vm_dns_search | length
else hostname
)
}}
configuration_hostname_short: "{{ hostname.split('.')[0] }}"
configuration_hostname_entries: >-
{{ [configuration_hostname_fqdn, configuration_hostname_short] | unique | join(' ') }}
configuration_hosts_line: >-
{{ (vm_ip if vm_ip is defined and vm_ip | length > 0 else inventory_hostname) }} {{ configuration_hostname_entries }}
ansible.builtin.lineinfile:
path: /mnt/etc/hosts
line: "{{ configuration_hosts_line }}"
state: present
- name: Create vconsole.conf
ansible.builtin.copy:
content: KEYMAP=us
dest: /mnt/etc/vconsole.conf
mode: "0644"
- name: Create locale.conf
ansible.builtin.copy:
content: LANG=en_US.UTF-8
dest: /mnt/etc/locale.conf
mode: "0644"
- name: Ensure SSH password authentication is enabled
ansible.builtin.lineinfile:
path: /mnt/etc/ssh/sshd_config
regexp: "^#?PasswordAuthentication\\s+"
line: "PasswordAuthentication yes"
- name: SSH permit root login
ansible.builtin.replace:
path: /mnt/etc/ssh/sshd_config
regexp: "^#?PermitRootLogin.*"
replace: "PermitRootLogin yes"

180
roles/configuration/tasks/main.yml
View File

@@ -1,165 +1,17 @@
- name: Configuration ---
block: - name: Include configuration tasks
- name: Generate fstab ansible.builtin.include_tasks: "{{ configuration_task }}"
shell: genfstab -LU /mnt > /mnt/etc/fstab
- name: Append TempFS to fstab
lineinfile:
path: /mnt/etc/fstab
line: "{{ item }}"
insertafter: EOF
with_items:
- ""
- "# TempFS"
- "tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0"
- "tmpfs /var/tmp tmpfs defaults,nosuid,nodev,noexec 0 0"
- "tmpfs /dev/shm tmpfs defaults,noexec 0 0"
- name: Set local timezone
command: '{{ item }}'
with_items:
- systemctl daemon-reload
- arch-chroot /mnt ln -sf /usr/share/zoneinfo/Europe/Vienna /etc/localtime
- name: Generate adjtime file
command: arch-chroot /mnt /usr/sbin/hwclock --systohc
- name: Setup locales
block:
- name: Configure locale.gen
lineinfile:
dest: /mnt/etc/locale.gen
regexp: '{{ item.regex }}'
line: '{{ item.line }}'
loop: loop:
- {regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8} - fstab.yml
- locales.yml
- name: Generate locales - services.yml
command: arch-chroot /mnt /usr/sbin/locale-gen - grub.yml
- encryption.yml
- name: Set hostname - bootloader.yml
copy: - extras.yml
content: "{{ hostname }}" - network.yml
dest: /mnt/etc/hostname - users.yml
- sudo.yml
- name: Add host entry to /etc/hosts - selinux.yml
lineinfile: loop_control:
path: /mnt/etc/hosts loop_var: configuration_task
line: "{{ ansible_host }} {{ hostname }}"
state: present
- name: Create vconsole.conf
copy:
content: "KEYMAP=de-latin1-nodeadkeys"
dest: /mnt/etc/vconsole.conf
- name: Create locale.conf
copy:
content: "LANG=en_US.UTF-8"
dest: /mnt/etc/locale.conf
- name: SSH permit Password
replace:
path: /mnt/etc/ssh/sshd_config
regexp: '#PasswordAuthentication yes'
replace: 'PasswordAuthentication yes'
- name: Enable Systemd Services
block:
- name: Enable sshd
when: os | lower == "archlinux"
command: arch-chroot /mnt systemctl enable sshd NetworkManager logrotate
- name: Configure grub
when: os | lower != "fedora" and os | lower != "almalinux" and os | lower != "rhel8" and os | lower != "rhel9"
block:
- name: Add commandline information to grub config
lineinfile:
dest: /mnt/etc/default/grub
regexp: ^GRUB_CMDLINE_LINUX_DEFAULT=
line: 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3"'
- name: Change Grub time
lineinfile:
dest: /mnt/etc/default/grub
regexp: ^GRUB_TIMEOUT=
line: 'GRUB_TIMEOUT=0'
- name: Configure Bootloader
block:
- name: Install Bootloader
command: arch-chroot /mnt {% if os | lower != "archlinux" and os | lower != "debian11" and os | lower != "debian12" %}/usr/sbin/efibootmgr -c -L '{{ os }}' -d "{{ install_drive }}" -wwp 1 -l '\efi\EFI\{{ os }}\shimx64.efi'{% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id={{ os }}{% endif %}
- name: Generate grub config
command: arch-chroot /mnt {% if os | lower != "archlinux" and os | lower != "debian11" and os | lower != "debian12" %}/usr/sbin/grub2-mkconfig -o /boot/efi/EFI/{{ os }}/grub.cfg{% else %}/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg{% endif %}
- name: Extra Configuration
when: os | lower != "archlinux"
block:
- name: Append lines to vimrc
lineinfile:
path: "{{ '/mnt/etc/vim/vimrc' if os|lower == 'debian11' or os|lower == 'debian12' else '/mnt/etc/vimrc' }}"
line: "{{ item }}"
insertafter: EOF
with_items:
- "set encoding=utf-8"
- "set number"
- "set autoindent"
- "set smartindent"
- "set mouse=a"
- name: Copy FirstRun Script
template:
src: firstrun.sh.j2
dest: /mnt/root/firstrun.sh
mode: '0755'
- name: Copy Custom Shell config
template:
src: custom.sh.j2
dest: /mnt/etc/profile.d/custom.sh
- name: Setup Network
block:
- name: Generate UUID for Network Profile
command: "uuidgen"
register: net_uuid
- name: Retrieve Network Interface Name
shell: "ip r | awk 'NR==1 {print $5}'"
register: net_inf
- name: Copy NetworkManager keyfile
template:
src: network.j2
dest: /mnt/etc/NetworkManager/system-connections/LAN.nmconnection
mode: '0600'
- name: Setup user account
block:
- name: Create user account
command: '{{ item }}'
with_items:
- arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups {{ "sudo" if os|lower == "debian11" or os|lower == "debian12" else "wheel" }} {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
- arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
- name: Add SSH public key to authorized_keys
when: user_public_key is defined
lineinfile:
path: "/mnt/home/{{ user_name }}/.ssh/authorized_keys"
line: "{{ user_public_key }}"
owner: 1000
group: 1000
mode: "0600"
create: yes
- name: Give sudo access to wheel group
copy:
content: "{{ '%sudo ALL=(ALL) ALL' if os|lower == 'debian11' or os|lower == 'debian12' else '%wheel ALL=(ALL) ALL' }}"
dest: /mnt/etc/sudoers.d/01-wheel
mode: 0440
validate: /usr/sbin/visudo --check --file=%s
- name: Fix SELinux
when: (os | lower == "almalinux" or os | lower == "fedora" or os | lower == "rhel8" or os | lower == "rhel9")
command: touch /mnt/.autorelabel

96
roles/configuration/tasks/network.yml Normal file
View File

@@ -0,0 +1,96 @@
---
- name: Generate UUID for Network Profile
ansible.builtin.set_fact:
configuration_net_uuid: "{{ ('LAN-' ~ hostname) | ansible.builtin.to_uuid }}"
changed_when: false
- name: Read network interfaces
ansible.builtin.command:
argv:
- ip
- -o
- link
- show
register: configuration_ip_link
changed_when: false
failed_when: false
- name: Resolve network interface and MAC address
vars:
configuration_net_inf_from_facts: "{{ (ansible_default_ipv4 | default({})).get('interface', '') }}"
configuration_net_inf_from_ip: >-
{{
(
configuration_ip_link.stdout
| default('')
| regex_findall('^[0-9]+: ([^:]+):', multiline=True)
| reject('equalto', 'lo')
| list
| first
)
| default('')
}}
configuration_net_inf_effective: >-
{{ configuration_net_inf_from_facts | default(configuration_net_inf_from_ip, true) }}
configuration_net_inf_regex: "{{ configuration_net_inf_effective | ansible.builtin.regex_escape }}"
configuration_net_mac_from_virtualization: "{{ virtualization_mac_address | default('') }}"
configuration_net_mac_from_facts: >-
{{
(
(ansible_facts | default({})).get(configuration_net_inf_effective, {}).get('macaddress', '')
)
| default(
(ansible_facts | default({})).get('ansible_' + configuration_net_inf_effective, {}).get('macaddress', ''),
true
)
}}
configuration_net_mac_from_ip: >-
{{
(
configuration_ip_link.stdout
| default('')
| regex_findall(
'^\\d+: ' ~ configuration_net_inf_regex ~ ':.*?link/ether\\s+([0-9A-Fa-f:]{17})',
multiline=True
)
| first
)
| default('')
}}
ansible.builtin.set_fact:
configuration_net_inf: "{{ configuration_net_inf_effective }}"
configuration_net_mac: >-
{{
(
configuration_net_mac_from_virtualization
| default(configuration_net_mac_from_facts, true)
| default(configuration_net_mac_from_ip, true)
)
| upper
}}
changed_when: false
- name: Validate Network Interface Name
ansible.builtin.assert:
that:
- configuration_net_inf | length > 0
fail_msg: Failed to detect an active network interface.
- name: Validate Network Interface MAC Address
ansible.builtin.assert:
that:
- configuration_net_mac | length > 0
fail_msg: Failed to detect the MAC address for network interface {{ configuration_net_inf }}.
- name: Copy NetworkManager keyfile
ansible.builtin.template:
src: network.j2
dest: /mnt/etc/NetworkManager/system-connections/LAN.nmconnection
mode: "0600"
- name: Fix Ubuntu unmanaged devices
when: os | lower in ["ubuntu", "ubuntu-lts"]
ansible.builtin.file:
path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf
state: touch
mode: "0644"

19
roles/configuration/tasks/selinux.yml Normal file
View File

@@ -0,0 +1,19 @@
---
- name: Fix SELinux
when: is_rhel | bool
block:
- name: Fix SELinux by pre-labeling the filesystem before first boot
when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and selinux | bool
ansible.builtin.command: >
{{ chroot_command }} /mnt /sbin/setfiles -v -F
-e /dev -e /proc -e /sys -e /run
/etc/selinux/targeted/contexts/files/file_contexts /
register: configuration_setfiles_result
changed_when: configuration_setfiles_result.rc == 0
- name: Disable SELinux
when: os | lower == "fedora" or not selinux | bool
ansible.builtin.lineinfile:
path: /mnt/etc/selinux/config
regexp: ^SELINUX=
line: SELINUX=permissive

16
roles/configuration/tasks/services.yml Normal file
View File

@@ -0,0 +1,16 @@
---
- name: Enable Systemd Services
ansible.builtin.command: >
{{ chroot_command }} /mnt systemctl enable NetworkManager
{{ ' firewalld' if firewalld_enabled | bool else '' }}
{{
(' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else
(' sshd' if os | lower not in ['debian11', 'debian12', 'debian13'] else ''))
if ssh_enabled | bool else ''
}}
{{
'logrotate systemd-resolved systemd-timesyncd systemd-networkd'
if os | lower == 'archlinux' else ''
}}
register: configuration_enable_services_result
changed_when: configuration_enable_services_result.rc == 0

7
roles/configuration/tasks/sudo.yml Normal file
View File

@@ -0,0 +1,7 @@
---
- name: Give sudo access to wheel group
ansible.builtin.copy:
content: "{{ '%sudo ALL=(ALL) ALL' if is_debian | bool else '%wheel ALL=(ALL) ALL' }}"
dest: /mnt/etc/sudoers.d/01-wheel
mode: "0440"
validate: /usr/sbin/visudo --check --file=%s

37
roles/configuration/tasks/users.yml Normal file
View File

@@ -0,0 +1,37 @@
---
- name: Create user account
vars:
configuration_user_group: >-
{{ "sudo" if is_debian | bool else "wheel" }}
configuration_useradd_cmd: >-
{{ chroot_command }} /mnt /usr/sbin/useradd --create-home --user-group
--groups {{ configuration_user_group }} {{ user_name }}
--password {{ user_password | password_hash('sha512') }} --shell /bin/bash
configuration_root_cmd: >-
{{ chroot_command }} /mnt /usr/sbin/usermod --password
'{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
ansible.builtin.command: "{{ item }}"
loop:
- "{{ configuration_useradd_cmd }}"
- "{{ configuration_root_cmd }}"
register: configuration_user_result
changed_when: configuration_user_result.rc == 0
- name: Ensure .ssh directory exists
when: user_public_key | length > 0
ansible.builtin.file:
path: /mnt/home/{{ user_name }}/.ssh
state: directory
owner: 1000
group: 1000
mode: "0700"
- name: Add SSH public key to authorized_keys
when: user_public_key | length > 0
ansible.builtin.lineinfile:
path: /mnt/home/{{ user_name }}/.ssh/authorized_keys
line: "{{ user_public_key }}"
owner: 1000
group: 1000
mode: "0600"
create: true

3
roles/configuration/templates/custom.sh.j2
View File

@@ -10,3 +10,6 @@ PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
# History Size # History Size
HISTFILESIZE= HISTFILESIZE=
HISTSIZE= HISTSIZE=
# Enable vi mode
set -o vi

29
roles/configuration/templates/network.j2
View File

@@ -1,18 +1,33 @@
[connection] [connection]
id=LAN id=LAN
uuid={{ net_uuid.stdout }} uuid={{ configuration_net_uuid }}
type=ethernet type=ethernet
interface-name={{ net_inf.stdout }}
[ethernet]
[ipv4] [ipv4]
address={{ vm_ip }},{{ vm_gw }} {% set dns_value = vm_dns if vm_dns is defined else '' %}
dns={{ vm_dns }} {% set dns_list_raw = dns_value if dns_value is iterable and dns_value is not string else dns_value.split(',') %}
{% set dns_list = dns_list_raw | map('trim') | reject('equalto', '') | list %}
{% set search_value = vm_dns_search if vm_dns_search is defined else '' %}
{% set search_list_raw = search_value if search_value is iterable and search_value is not string else search_value.split(',') %}
{% set search_list = search_list_raw | map('trim') | reject('equalto', '') | list %}
{% if vm_ip is defined and vm_ip | length %}
address1={{ vm_ip }}/{{ vm_nms }}{{ (',' ~ vm_gw) if (vm_gw is defined and vm_gw | length) else '' }}
method=manual method=manual
{% else %}
method=auto
{% endif %}
{% if dns_list %}
dns={{ dns_list | join(';') }}
{% endif %}
{% if dns_list or search_list %}
ignore-auto-dns=true
{% endif %}
{% if search_list %}
dns-search={{ search_list | join(';') }}
{% endif %}
[ipv6] [ipv6]
addr-gen-mode=default addr-gen-mode=stable-privacy
method=disabled method=disabled
[proxy] [proxy]

183
roles/environment/tasks/main.yml
View File

@@ -1,74 +1,187 @@
- name: Configre work environment ---
become: true - name: Configure work environment
become: "{{ hypervisor != 'vmware' }}"
block: block:
- name: Wait for connection - name: Wait for connection
wait_for_connection: ansible.builtin.wait_for_connection:
timeout: 300 timeout: 180
delay: 5 delay: 5
- name: Gather facts - name: Gather facts
setup: ansible.builtin.setup:
- name: Check if host is booted from the Arch install media - name: Check if host is booted from the Arch install media
stat: ansible.builtin.stat:
path: /run/archiso path: /run/archiso
register: archiso_stat register: environment_archiso_stat
- name: Abort if the host is not booted from the Arch install media - name: Abort if the host is not booted from the Arch install media
fail: when:
msg: "This host is not booted from the Arch install media!" - not (custom_iso | bool)
when: not archiso_stat.stat.exists - not environment_archiso_stat.stat.exists
ansible.builtin.fail:
msg: This host is not booted from the Arch install media!
- name: Setect Interface - name: Select primary Network Interface
when: hypervisor == "vmware" when: hypervisor == "vmware"
shell: "ip l | awk -F': ' '!/lo/{print $2; exit}'" ansible.builtin.set_fact:
register: interface_name environment_interface_name: >-
{{
(
(ansible_facts.interfaces | default(ansible_facts['ansible_interfaces'] | default([])))
| reject('equalto', 'lo')
| list
| first
)
| default('')
}}
changed_when: false
- name: Set IP-Address - name: Set IP-Address
when: hypervisor == "vmware" when:
command: ip addr replace {{ ansible_host }}/24 dev {{ interface_name.stdout }} - hypervisor == "vmware"
- vm_ip is defined and vm_ip | length > 0
ansible.builtin.command: >-
ip addr replace {{ vm_ip }}/{{ vm_nms }}
dev {{ environment_interface_name }}
register: environment_ip_result
changed_when: environment_ip_result.rc == 0
- name: Set Default Gateway - name: Set Default Gateway
when: hypervisor == "vmware" when:
command: ip route replace default via {{ vm_gw }} - hypervisor == "vmware"
- vm_gw is defined and vm_gw | length > 0
- vm_ip is defined and vm_ip | length > 0
ansible.builtin.command: "ip route replace default via {{ vm_gw }}"
register: environment_gateway_result
changed_when: environment_gateway_result.rc == 0
- name: Synchronize clock via NTP - name: Synchronize clock via NTP
command: timedatectl set-ntp true ansible.builtin.command: timedatectl set-ntp true
register: environment_ntp_result
changed_when: false
- name: Configure SSH for root login
when: hypervisor == "vmware" and vmware_ssh | bool
block:
- name: Allow login
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
replace: "{{ item.replace }}"
loop:
- regexp: "^#?PermitEmptyPasswords.*"
replace: "PermitEmptyPasswords yes"
- regexp: "^#?PermitRootLogin.*"
replace: "PermitRootLogin yes"
- name: Reload SSH service to apply changes
ansible.builtin.service:
name: sshd
state: reloaded
- name: Set SSH connection for VMware
ansible.builtin.set_fact:
ansible_connection: ssh
ansible_user: root
- name: Prepare installer environment
block:
- name: Speed-up Bootstrap process - name: Speed-up Bootstrap process
lineinfile: when: not (custom_iso | bool)
ansible.builtin.lineinfile:
path: /etc/pacman.conf path: /etc/pacman.conf
regexp: '^#ParallelDownloads =' regexp: ^#ParallelDownloads =
line: 'ParallelDownloads = 20' line: ParallelDownloads = 20
- name: Wait for Pacman - name: Wait for pacman lock to be released
wait_for: when: not (custom_iso | bool)
timeout: 15 ansible.builtin.wait_for:
path: /var/lib/pacman/db.lck
state: absent
timeout: 120
changed_when: false
- name: Setup Pacman - name: Setup Pacman
pacman: when:
- not (custom_iso | bool)
- "'os' not in item or os in item.os"
community.general.pacman:
update_cache: true update_cache: true
force: true force: true
name: "{{ item.name }}" name: "{{ item.name }}"
state: latest state: latest
loop: loop:
- { name: 'glibc' } - {name: glibc}
- { name: 'dnf', os: ['almalinux', 'rhel9', 'rhel8'] } - {name: dnf, os: [almalinux, fedora, rhel8, rhel9, rhel10, rocky]}
- { name: 'debootstrap', os: ['debian11', 'debian12'] } - {name: debootstrap, os: [debian11, debian12, debian13, ubuntu, ubuntu-lts]}
- { name: 'debian-archive-keyring', os: ['debian11', 'debian12'] } - {name: debian-archive-keyring, os: [debian11, debian12, debian13]}
when: "'os' not in item or os in item.os" - {name: ubuntu-keyring, os: [ubuntu, ubuntu-lts]}
retries: 4 retries: 4
delay: 15 delay: 15
- name: Prepare /iso mount and repository for RHEL-based systems
when: os | lower in ["rhel8", "rhel9", "rhel10"]
block:
- name: Create /iso directory
ansible.builtin.file:
path: /usr/local/install/redhat/dvd
state: directory
mode: "0755"
- name: Mount RHEL ISO
ansible.posix.mount:
src: "{{ '/dev/sr1' if hypervisor == 'vmware' else '/dev/sr2' }}"
path: /usr/local/install/redhat/dvd
fstype: iso9660
opts: "ro,loop"
state: mounted
- name: Configure RHEL Repos for installation - name: Configure RHEL Repos for installation
when: os | lower == "almalinux" or os | lower == "fedora" when: is_rhel | bool
block: block:
- name: Create directories for repository files and RPM GPG keys - name: Create directories for repository files and RPM GPG keys
file: ansible.builtin.file:
path: /etc/yum.repos.d path: /etc/yum.repos.d
state: directory state: directory
mode: "0755"
- name: Create RHEL repository file - name: Create RHEL repository file
template: ansible.builtin.template:
src: '{{ os | lower }}.repo.j2' src: "{{ os | lower }}.repo.j2"
dest: '/etc/yum.repos.d/{{ os | lower }}.repo' dest: /etc/yum.repos.d/{{ os | lower }}.repo
mode: "0644"
- name: Check for third-party preparation tasks
run_once: true
become: false
delegate_to: localhost
vars:
ansible_connection: local
block:
- name: Resolve third-party preparation task path
ansible.builtin.set_fact:
environment_thirdparty_tasks_path: >-
{{
thirdparty_preparation_tasks_path
if thirdparty_preparation_tasks_path | regex_search('^/')
else playbook_dir + '/' + thirdparty_preparation_tasks_path
}}
changed_when: false
- name: Stat third-party preparation tasks
ansible.builtin.stat:
path: "{{ environment_thirdparty_tasks_path }}"
register: environment_thirdparty_tasks_stat
changed_when: false
- name: Run third-party preparation tasks
when:
- thirdparty_preparation_tasks_path | length > 0
- environment_thirdparty_tasks_stat.stat.exists
ansible.builtin.include_tasks: >-
{{
thirdparty_preparation_tasks_path
if thirdparty_preparation_tasks_path | regex_search('^/')
else playbook_dir + '/' + thirdparty_preparation_tasks_path
}}

31
roles/global_defaults/defaults/main.yml Normal file
View File

@@ -0,0 +1,31 @@
---
hypervisor: "none"
custom_iso: false
cis: false
selinux: true
vmware_ssh: false
firewalld_enabled: true
ssh_enabled: true
zstd_enabled: true
swap_enabled: true
chroot_command: "arch-chroot"
thirdparty_preparation_tasks_path: "dropins/preparation.yml"
cis_enabled: "{{ cis | bool }}"
luks_enabled: false
luks_mapper_name: "SYSTEM_DECRYPTED"
luks_auto_decrypt: true
luks_auto_decrypt_method: "tpm2"
luks_tpm2_device: "auto"
luks_tpm2_pcrs: ""
luks_keyfile_size: 64
luks_options: "discard,tries=3"
luks_type: "luks2"
luks_cipher: "aes-xts-plain64"
luks_hash: "sha512"
luks_iter_time: 4000
luks_key_size: 512
luks_pbkdf: "argon2id"
luks_use_urandom: true
luks_verify_passphrase: true

114
roles/global_defaults/tasks/main.yml Normal file
View File

@@ -0,0 +1,114 @@
---
- name: Global defaults loaded
ansible.builtin.debug:
msg: Global defaults loaded.
changed_when: false
- name: Validate variables
ansible.builtin.assert:
that:
- install_type is defined and install_type in ["virtual", "physical"]
- hypervisor in ["libvirt", "proxmox", "vmware", "none"]
- >-
install_type is defined and (
install_type == "physical"
or hypervisor in ["libvirt", "proxmox", "vmware"]
)
- filesystem is defined and filesystem in ["btrfs", "ext4", "xfs"]
- install_drive is defined and install_drive | length > 0
- hostname is defined and hostname | length > 0
- >-
os is defined and os in [
"archlinux", "almalinux", "debian11", "debian12", "debian13", "fedora",
"rhel8", "rhel9", "rhel10", "rocky", "ubuntu", "ubuntu-lts"
]
- >-
os is defined and (
os not in ["rhel8", "rhel9", "rhel10"]
or (rhel_iso is defined and rhel_iso | length > 0)
)
- >-
install_type is defined and (
install_type == "physical"
or (boot_iso is defined and boot_iso | length > 0)
)
- >-
install_type is defined and (
install_type == "physical"
or (vm_cpus is defined and (vm_cpus | int) > 0)
)
- >-
install_type is defined and (
install_type == "physical"
or (vm_size is defined and (vm_size | float) > 0)
)
- >-
install_type is defined and (
install_type == "physical"
or (vm_memory is defined and (vm_memory | float) > 0)
)
- >-
install_type is defined and filesystem is defined and (
install_type == "physical"
or (
vm_size is defined
and (vm_size | int) >= 20
)
)
- >-
install_type is defined and (
install_type == "physical"
or (
vm_size is defined
and vm_memory is defined
and filesystem is defined
and (
filesystem != "btrfs"
or (
(vm_size | float)
>= (
(vm_memory | float / 1024 >= 16.0)
| ternary(
(vm_memory | float / 2048),
[vm_memory | float / 1024, 4.0] | max
)
+ 5.5
)
)
)
)
)
- >-
vm_ip is not defined
or vm_ip | length == 0
or (vm_nms is defined and (vm_nms | int) > 0)
fail_msg: Invalid input specified, please try again.
- name: Set OS family flags
ansible.builtin.set_fact:
is_rhel: "{{ os | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky'] }}"
is_debian: "{{ os | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts'] }}"
changed_when: false
- name: Set Python interpreter for RHEL-based installers
when:
- ansible_python_interpreter is not defined
- os | lower in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"]
ansible.builtin.set_fact:
ansible_python_interpreter: /usr/bin/python3
changed_when: false
- name: Set SSH access
when:
- install_type == "virtual"
- hypervisor != "vmware"
ansible.builtin.set_fact:
ansible_user: "{{ user_name }}"
ansible_password: "{{ user_password }}"
ansible_become_password: "{{ user_password }}"
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
- name: Set connection for VMware
when: hypervisor == "vmware"
ansible.builtin.set_fact:
ansible_connection: vmware_tools

142
roles/partitioning/defaults/main.yml Normal file
View File

@@ -0,0 +1,142 @@
---
partitioning_luks_enabled: "{{ luks_enabled | bool }}"
partitioning_luks_passphrase: "{{ luks_passphrase }}"
partitioning_luks_mapper_name: "{{ luks_mapper_name }}"
partitioning_luks_type: "{{ luks_type }}"
partitioning_luks_cipher: "{{ luks_cipher }}"
partitioning_luks_hash: "{{ luks_hash }}"
partitioning_luks_iter_time: "{{ luks_iter_time }}"
partitioning_luks_key_size: "{{ luks_key_size }}"
partitioning_luks_pbkdf: "{{ luks_pbkdf }}"
partitioning_luks_use_urandom: "{{ luks_use_urandom | bool }}"
partitioning_luks_verify_passphrase: "{{ luks_verify_passphrase | bool }}"
partitioning_luks_auto_decrypt: "{{ luks_auto_decrypt | bool }}"
partitioning_luks_auto_decrypt_method: "{{ luks_auto_decrypt_method }}"
partitioning_luks_tpm2_device: "{{ luks_tpm2_device }}"
partitioning_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
partitioning_luks_keyfile_size: "{{ luks_keyfile_size }}"
partitioning_luks_options: "{{ luks_options }}"
partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if zstd_enabled | bool else '' }}"
partitioning_boot_partition_suffix: 1
partitioning_main_partition_suffix: 2
partitioning_efi_size_mib: 512
partitioning_efi_start_mib: 1
partitioning_efi_end_mib: "{{ (partitioning_efi_start_mib | int) + (partitioning_efi_size_mib | int) }}"
partitioning_boot_size_mib: 1024
partitioning_use_full_disk: true
partitioning_separate_boot: >-
{{
(partitioning_luks_enabled | bool)
and (os | lower not in ['archlinux'])
}}
partitioning_boot_fs_fstype: >-
{{
(filesystem | lower)
if (filesystem | lower) != 'btrfs'
else ('xfs' if is_rhel else 'ext4')
}}
partitioning_boot_fs_partition_suffix: >-
{{
((partitioning_boot_partition_suffix | int) + 1)
if (partitioning_separate_boot | bool) else ''
}}
partitioning_root_partition_suffix: >-
{{
(partitioning_main_partition_suffix | int)
+ (1 if (partitioning_separate_boot | bool) else 0)
}}
partitioning_efi_mountpoint: >-
{{
'/boot/efi'
if (partitioning_separate_boot | bool)
else (
'/boot/efi'
if is_rhel or (os | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts'])
else '/boot'
)
}}
partitioning_boot_end_mib: "{{ (partitioning_efi_end_mib | int) + (partitioning_boot_size_mib | int) }}"
partitioning_reserved_gb: >-
{{
(
(partitioning_efi_size_mib | float)
+ ((partitioning_boot_size_mib | float) if (partitioning_separate_boot | bool) else 0)
) / 1024
}}
partitioning_layout: >-
{{
[
{
'number': 1,
'part_start': (partitioning_efi_start_mib | string) + 'MiB',
'part_end': (partitioning_efi_end_mib | string) + 'MiB',
'name': 'efi',
'flags': ['boot', 'esp']
},
{
'number': 2,
'part_start': (partitioning_efi_end_mib | string) + 'MiB',
'part_end': (partitioning_boot_end_mib | string) + 'MiB',
'name': 'boot'
},
{
'number': 3,
'part_start': (partitioning_boot_end_mib | string) + 'MiB',
'name': 'root'
}
]
if partitioning_separate_boot | bool else
[
{
'number': 1,
'part_start': (partitioning_efi_start_mib | string) + 'MiB',
'part_end': (partitioning_efi_end_mib | string) + 'MiB',
'name': 'boot',
'flags': ['boot', 'esp']
},
{
'number': 2,
'part_start': (partitioning_efi_end_mib | string) + 'MiB',
'name': 'root'
}
]
}}
partitioning_grub_enable_cryptodisk: >-
{{
(partitioning_luks_enabled | bool)
and not (partitioning_separate_boot | bool)
and (partitioning_efi_mountpoint == '/boot/efi')
}}
partitioning_luks_device: "{{ install_drive ~ (partitioning_root_partition_suffix | string) }}"
partitioning_root_device: >-
{{
'/dev/mapper/' + partitioning_luks_mapper_name
if (partitioning_luks_enabled | bool)
else install_drive ~ (partitioning_root_partition_suffix | string)
}}
partitioning_vm_size_effective: >-
{{
(
partitioning_vm_size
if (partitioning_vm_size is defined and (partitioning_vm_size | float) > 0)
else (vm_size if vm_size is defined else 0)
)
| float
}}
partitioning_vm_memory_effective: >-
{{
(
partitioning_vm_memory
if (partitioning_vm_memory is defined and (partitioning_vm_memory | float) > 0)
else (vm_memory if vm_memory is defined else 0)
)
| float
}}
partitioning_swap_size_gb: >-
{{
((partitioning_vm_memory_effective / 1024) >= 16.0)
| ternary(
(partitioning_vm_memory_effective / 2048) | int,
[partitioning_vm_memory_effective / 1024, 4.0] | max | int
)
}}

70
roles/partitioning/tasks/btrfs.yml
View File

@@ -2,45 +2,79 @@
- name: Setup BTRFS - name: Setup BTRFS
block: block:
- name: Create btrfs filesystem in main volume - name: Create btrfs filesystem in main volume
filesystem: community.general.filesystem:
dev: '{{ install_drive }}{{ main_partition_suffix }}' dev: "{{ partitioning_root_device }}"
fstype: btrfs fstype: btrfs
force: yes force: true
opts: >-
{{
'-K'
if (partitioning_luks_enabled | bool)
and not ('discard' in (partitioning_luks_options | lower))
else omit
}}
- name: Prepare BTRFS Subvolume - name: Prepare BTRFS Subvolume
mount: ansible.posix.mount:
path: /mnt path: /mnt
src: '{{ install_drive }}{{ main_partition_suffix }}' src: "{{ partitioning_root_device }}"
fstype: btrfs fstype: btrfs
opts: rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async opts: >-
{{
[
'rw',
'relatime',
partitioning_btrfs_compress_opt,
'ssd',
'space_cache=v2',
'discard=async'
]
| reject('equalto', '')
| join(',')
}}
state: mounted state: mounted
- name: Enable quotas on Btrfs filesystem - name: Enable quotas on Btrfs filesystem
command: btrfs quota enable /mnt ansible.builtin.command: btrfs quota enable /mnt
register: partitioning_btrfs_quota_result
changed_when: false
- name: Make root subvolumes - name: Make root subvolumes
when: cis == true or item.subvol not in ['var_log', 'var_log_audit'] when:
command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} - cis_enabled or item.subvol not in ['var_log_audit']
- swap_enabled | bool or item.subvol != 'swap'
ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
args:
creates: /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
loop: loop:
- {subvol: root} - {subvol: root}
- {subvol: swap}
- {subvol: home} - {subvol: home}
- {subvol: var} - {subvol: var}
- {subvol: pkg}
- {subvol: var_log} - {subvol: var_log}
- {subvol: var_log_audit} - {subvol: var_log_audit}
register: partitioning_btrfs_subvol_result
- name: Set quotas for subvolumes - name: Set quotas for subvolumes
when: cis == true or item.subvol not in ['var_log', 'var_log_audit'] when: cis_enabled
command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
loop: loop:
- { subvol: root, quota: '12G' } - {subvol: home, quota: 2G}
- { subvol: home, quota: '2G' } register: partitioning_btrfs_qgroup_result
- { subvol: var, quota: '2G' } changed_when: false
- { subvol: var_log, quota: '2G' }
- { subvol: var_log_audit, quota: '1536M' } - name: Create a Btrfs swap file
when: swap_enabled | bool
ansible.builtin.command: >-
btrfs filesystem mkswapfile --size {{ partitioning_swap_size_gb }}g --uuid clear /mnt/@swap/swapfile
args:
creates: /mnt/@swap/swapfile
register: partitioning_btrfs_swap_result
- name: Unmount Partition - name: Unmount Partition
mount: ansible.posix.mount:
path: /mnt path: /mnt
src: '{{ install_drive }}{{ main_partition_suffix }}' src: "{{ partitioning_root_device }}"
fstype: btrfs fstype: btrfs
state: unmounted state: unmounted

14
roles/partitioning/tasks/ext4.yml
View File

@@ -1,10 +1,10 @@
--- ---
- name: Create and format ext4 logical volumes - name: Create and format ext4 logical volumes
when: cis == true or item.lv not in ['var_log', 'var_log_audit'] when: cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
filesystem: community.general.filesystem:
dev: '/dev/sys/{{ item.lv }}' dev: /dev/sys/{{ item.lv }}
fstype: ext4 fstype: ext4
force: yes force: true
loop: loop:
- {lv: root} - {lv: root}
- {lv: home} - {lv: home}
@@ -13,11 +13,13 @@
- {lv: var_log_audit} - {lv: var_log_audit}
- name: Remove Unsupported features for older Systems - name: Remove Unsupported features for older Systems
when: (os | lower == 'debian11') and (cis == true or item.lv not in ['var_log', 'var_log_audit']) when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky']) and (cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'])
command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}" ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}"
loop: loop:
- {lv: root} - {lv: root}
- {lv: home} - {lv: home}
- {lv: var} - {lv: var}
- {lv: var_log} - {lv: var_log}
- {lv: var_log_audit} - {lv: var_log_audit}
register: partitioning_ext4_tune_result
changed_when: partitioning_ext4_tune_result.rc == 0

674
roles/partitioning/tasks/main.yml
View File

@@ -1,18 +1,118 @@
--- ---
- name: Detect system memory for swap sizing
when:
- swap_enabled | bool
- partitioning_vm_memory is not defined or (partitioning_vm_memory | float) <= 0
- vm_memory is not defined or (vm_memory | float) <= 0
block:
- name: Read system memory
ansible.builtin.command: awk '/MemTotal/ {print int($2/1024)}' /proc/meminfo
register: partitioning_memtotal_mb
changed_when: false
failed_when: false
- name: Set partitioning vm memory default
ansible.builtin.set_fact:
partitioning_vm_memory: "{{ (partitioning_memtotal_mb.stdout | default('4096') | int) | float }}"
- name: Set partitioning vm_size for physical installs
when:
- install_type == "physical"
- partitioning_vm_size is not defined or (partitioning_vm_size | float) <= 0
- vm_size is not defined or (vm_size | float) <= 0
- install_drive | length > 0
block:
- name: Detect install drive size
ansible.builtin.command: "lsblk -b -dn -o SIZE {{ install_drive }}"
register: partitioning_disk_size_bytes
changed_when: false
- name: Set partitioning vm_size from install drive size
when:
- partitioning_disk_size_bytes.stdout is defined
- (partitioning_disk_size_bytes.stdout | trim | length) > 0
ansible.builtin.set_fact:
partitioning_vm_size: >-
{{
(partitioning_disk_size_bytes.stdout | trim | int / 1024 / 1024 / 1024)
| round(2, 'floor')
}}
- name: Partition install drive - name: Partition install drive
block: block:
- name: Prepare partitions - name: Prepare partitions
ignore_errors: true block:
command: "{{ item.cmd }}" - name: Disable swap
loop: ansible.builtin.command: swapoff -a
- { cmd: "umount -l /mnt" } changed_when: false
- { cmd: "vgremove -f sys" } failed_when: false
- { cmd: "find /dev -wholename \"{{ install_drive }}*\" -exec wipefs --force --all {} \\;" }
- name: Find mounts under /mnt
ansible.builtin.command: findmnt -R /mnt -n -o TARGET
register: partitioning_mounted_paths
changed_when: false
failed_when: false
- name: Unmount /mnt mounts
when: partitioning_mounted_paths.stdout_lines | length > 0
ansible.posix.mount:
path: "{{ item }}"
state: unmounted
loop: "{{ partitioning_mounted_paths.stdout_lines | reverse }}"
loop_control: loop_control:
label: "{{ item.cmd }}" label: "{{ item }}"
failed_when: false
- name: Remove LVM volume group
community.general.lvg:
vg: sys
state: absent
force: true
failed_when: false
- name: Close LUKS mapper
when: partitioning_luks_enabled | bool
community.crypto.luks_device:
name: "{{ partitioning_luks_mapper_name }}"
state: closed
failed_when: false
- name: Remove LUKS mapper device
when: partitioning_luks_enabled | bool
ansible.builtin.command: >-
dmsetup remove --force --retry {{ partitioning_luks_mapper_name }}
register: partitioning_dmsetup_remove
changed_when: partitioning_dmsetup_remove.rc == 0
failed_when: false
- name: Remove LUKS signatures
when: partitioning_luks_enabled | bool
community.crypto.luks_device:
device: "{{ partitioning_luks_device }}"
state: absent
failed_when: false
- name: Wipe filesystem signatures
ansible.builtin.command: >-
find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;
register: partitioning_wipefs_result
changed_when: false
failed_when: false
- name: Refresh kernel partition table
ansible.builtin.command: "{{ item }}"
loop:
- "partprobe {{ install_drive }}"
- "blockdev --rereadpt {{ install_drive }}"
- "udevadm settle"
register: partitioning_partprobe_result
changed_when: false
failed_when: false
- name: Define partitions - name: Define partitions
parted: block:
- name: Create partition layout
community.general.parted:
device: "{{ install_drive }}" device: "{{ install_drive }}"
label: gpt label: gpt
number: "{{ item.number }}" number: "{{ item.number }}"
@@ -21,105 +121,545 @@
name: "{{ item.name }}" name: "{{ item.name }}"
flags: "{{ item.flags | default(omit) }}" flags: "{{ item.flags | default(omit) }}"
state: present state: present
loop: "{{ partitioning_layout }}"
rescue:
- name: Refresh kernel partition table after failure
ansible.builtin.command: "{{ item }}"
loop: loop:
- { number: 1, part_end: '500MiB', name: 'boot', flags: ['boot', 'esp'] } - "partprobe {{ install_drive }}"
- { number: 2, part_start: '500MiB', name: 'root' } - "blockdev --rereadpt {{ install_drive }}"
- "udevadm settle"
register: partitioning_partprobe_retry
changed_when: false
failed_when: false
- name: Retry partition layout
community.general.parted:
device: "{{ install_drive }}"
label: gpt
number: "{{ item.number }}"
part_end: "{{ item.part_end | default(omit) }}"
part_start: "{{ item.part_start | default(omit) }}"
name: "{{ item.name }}"
flags: "{{ item.flags | default(omit) }}"
state: present
loop: "{{ partitioning_layout }}"
- name: Settle partition table
ansible.builtin.command: "{{ item }}"
loop:
- "partprobe {{ install_drive }}"
- "udevadm settle"
register: partitioning_partprobe_settle
changed_when: false
failed_when: false
- name: Configure LUKS encryption
when: partitioning_luks_enabled | bool
vars:
partitioning_luks_passphrase_effective: >-
{{ partitioning_luks_passphrase | string }}
block:
- name: Validate LUKS passphrase
ansible.builtin.assert:
that:
- partitioning_luks_passphrase_effective | length > 0
fail_msg: luks_passphrase (or partitioning_luks_passphrase) must be set when LUKS is enabled.
no_log: true
- name: Ensure LUKS container exists
community.crypto.luks_device:
device: "{{ partitioning_luks_device }}"
state: present
type: "{{ partitioning_luks_type }}"
cipher: "{{ partitioning_luks_cipher }}"
hash: "{{ partitioning_luks_hash }}"
keysize: "{{ partitioning_luks_key_size }}"
pbkdf:
algorithm: "{{ partitioning_luks_pbkdf }}"
iteration_time: "{{ (partitioning_luks_iter_time | float) / 1000 }}"
passphrase: "{{ partitioning_luks_passphrase_effective }}"
register: partitioning_luks_format_result
no_log: true
- name: Force-close LUKS mapper
community.crypto.luks_device:
name: "{{ partitioning_luks_mapper_name }}"
state: closed
failed_when: false
- name: Force-remove LUKS mapper device
ansible.builtin.command: >-
dmsetup remove --force --retry {{ partitioning_luks_mapper_name }}
register: partitioning_dmsetup_remove_after_format
changed_when: partitioning_dmsetup_remove_after_format.rc == 0
failed_when: false
- name: Settle udev after removing LUKS mapper
ansible.builtin.command: udevadm settle
changed_when: false
failed_when: false
- name: Ensure LUKS mapper is opened
block:
- name: Open LUKS device
community.crypto.luks_device:
device: "{{ partitioning_luks_device }}"
state: opened
name: "{{ partitioning_luks_mapper_name }}"
passphrase: "{{ partitioning_luks_passphrase_effective }}"
allow_discards: "{{ 'discard' in (partitioning_luks_options | lower) }}"
register: partitioning_luks_open_result
no_log: true
rescue:
- name: Force-close stale LUKS mapper
community.crypto.luks_device:
name: "{{ partitioning_luks_mapper_name }}"
state: closed
failed_when: false
- name: Force-remove stale LUKS mapper device
ansible.builtin.command: >-
dmsetup remove --force --retry {{ partitioning_luks_mapper_name }}
register: partitioning_dmsetup_remove_retry
changed_when: partitioning_dmsetup_remove_retry.rc == 0
failed_when: false
- name: Settle udev after removing stale LUKS mapper
ansible.builtin.command: udevadm settle
changed_when: false
failed_when: false
- name: Retry opening LUKS device
community.crypto.luks_device:
device: "{{ partitioning_luks_device }}"
state: opened
name: "{{ partitioning_luks_mapper_name }}"
passphrase: "{{ partitioning_luks_passphrase_effective }}"
allow_discards: "{{ 'discard' in (partitioning_luks_options | lower) }}"
register: partitioning_luks_open_retry
no_log: true
- name: Get LUKS UUID
ansible.builtin.command: "cryptsetup luksUUID {{ partitioning_luks_device }}"
register: partitioning_luks_uuid_result
changed_when: false
- name: Store LUKS UUID
ansible.builtin.set_fact:
partitioning_luks_uuid: "{{ partitioning_luks_uuid_result.stdout | trim }}"
- name: Create LVM logical volumes - name: Create LVM logical volumes
when: filesystem != 'btrfs' when: filesystem != 'btrfs'
block: block:
- name: Create LVM volume group - name: Create LVM volume group
lvg: community.general.lvg:
vg: sys vg: sys
pvs: '{{ install_drive }}{{ main_partition_suffix }}' pvs: "{{ partitioning_root_device }}"
- name: Create LVM logical volumes - name: Create LVM logical volumes
when: cis or (not cis and item.lv != 'var_log' and item.lv != 'var_log_audit') when:
lvol: - cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
- swap_enabled | bool or item.lv != 'swap'
vars:
partitioning_lvm_extent_reserve_count: 10
partitioning_lvm_extent_size_mib: 4
partitioning_lvm_extent_reserve_gb: >-
{{
(
(partitioning_lvm_extent_reserve_count | float)
* (partitioning_lvm_extent_size_mib | float)
/ 1024
) | round(2, 'ceil')
}}
partitioning_lvm_swap_target_gb: >-
{{
(
[
(partitioning_vm_memory_effective | float / 1024),
4
] | max | float
)
if swap_enabled | bool
else 0
}}
partitioning_lvm_swap_cap_gb: >-
{{
(
4
+ [
(partitioning_vm_size_effective | float) - 20,
0
] | max
)
if swap_enabled | bool
else 0
}}
partitioning_lvm_swap_target_effective_gb: >-
{{
(
[
partitioning_lvm_swap_target_gb,
partitioning_lvm_swap_cap_gb
] | min
)
if swap_enabled | bool
else 0
}}
partitioning_lvm_swap_max_gb: >-
{{
(
[
(
(partitioning_vm_size_effective | float)
- (partitioning_reserved_gb | float)
- (cis_enabled | ternary(7.5, 0))
- partitioning_lvm_extent_reserve_gb
- 4
),
0
] | max
)
if swap_enabled | bool
else 0
}}
partitioning_lvm_available_gb: >-
{{
(
(partitioning_vm_size_effective | float)
- (partitioning_reserved_gb | float)
- (cis_enabled | ternary(7.5, 0))
- partitioning_lvm_extent_reserve_gb
- partitioning_lvm_swap_target_effective_gb
) | float
}}
partitioning_lvm_home_gb: >-
{{
([([(((partitioning_vm_size_effective | float) - 20) * 0.1), 2] | max), 20] | min)
}}
partitioning_lvm_root_default_gb: >-
{{
[
(
((partitioning_lvm_available_gb | float) < 4)
| ternary(
4,
(
((partitioning_lvm_available_gb | float) > 12)
| ternary(
((partitioning_vm_size_effective | float) * 0.4)
| round(0, 'ceil'),
partitioning_lvm_available_gb
)
)
)
),
4
] | max
}}
partitioning_lvm_swap_gb: >-
{{
(
[
partitioning_lvm_swap_target_effective_gb,
partitioning_lvm_swap_max_gb
] | min | round(2, 'floor')
)
if swap_enabled | bool
else 0
}}
partitioning_lvm_root_full_gb: >-
{{
[
(
(partitioning_vm_size_effective | float)
- (partitioning_reserved_gb | float)
- (partitioning_lvm_swap_gb | float)
- partitioning_lvm_extent_reserve_gb
- (
(partitioning_lvm_home_gb | float) + 5.5
if cis_enabled
else 0
)
),
4
] | max | round(2, 'floor')
}}
partitioning_lvm_root_gb: >-
{{
partitioning_lvm_root_full_gb
if partitioning_use_full_disk | bool
else partitioning_lvm_root_default_gb
}}
community.general.lvol:
vg: sys vg: sys
lv: "{{ item.lv }}" lv: "{{ item.lv }}"
size: "{{ item.size }}" size: "{{ item.size }}"
state: present state: present
loop: loop:
- { lv: 'root', size: '12G' } - lv: root
- { lv: 'home', size: '2G' } size: "{{ partitioning_lvm_root_gb | string + 'G' }}"
- { lv: 'var', size: '2G' } - lv: swap
- { lv: 'var_log', size: '2G' } size: "{{ partitioning_lvm_swap_gb | string + 'G' }}"
- { lv: 'var_log_audit', size: '1.5G' } - lv: home
size: "{{ partitioning_lvm_home_gb | string + 'G' }}"
- {lv: var, size: "2G"}
- {lv: var_log, size: "2G"}
- {lv: var_log_audit, size: "1.5G"}
- name: Create filesystems - name: Create filesystems
block: block:
- name: Create FAT32 filesystem in boot partition - name: Create FAT32 filesystem in boot partition
filesystem: community.general.filesystem:
dev: '{{ install_drive }}{{ boot_partition_suffix }}' dev: "{{ install_drive }}{{ partitioning_boot_partition_suffix }}"
fstype: vfat fstype: vfat
opts: -F32 opts: -F32 -n BOOT
force: yes force: true
- name: Create filesystem for /boot partition
when: partitioning_separate_boot | bool
community.general.filesystem:
dev: "{{ install_drive }}{{ partitioning_boot_fs_partition_suffix }}"
fstype: "{{ partitioning_boot_fs_fstype }}"
force: true
- name: Remove unsupported ext4 features from /boot
when:
- partitioning_separate_boot | bool
- partitioning_boot_fs_fstype == 'ext4'
- os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky']
ansible.builtin.command: >-
tune2fs -O "^orphan_file,^metadata_csum_seed"
"{{ install_drive }}{{ partitioning_boot_fs_partition_suffix }}"
register: partitioning_boot_ext4_tune_result
changed_when: partitioning_boot_ext4_tune_result.rc == 0
- name: Create swap filesystem
when:
- filesystem != 'btrfs'
- swap_enabled | bool
community.general.filesystem:
fstype: swap
dev: /dev/sys/swap
- name: Create filesystem - name: Create filesystem
include_tasks: "{{ filesystem }}.yml" ansible.builtin.include_tasks: "{{ filesystem }}.yml"
- name: Get UUID for boot filesystem - name: Get UUID for boot filesystem
command: blkid -s UUID -o value '{{ install_drive }}{{ boot_partition_suffix }}' ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ partitioning_boot_partition_suffix }}'
register: partitioning_boot_uuid
changed_when: false
- name: Get UUID for /boot filesystem
when: partitioning_separate_boot | bool
ansible.builtin.command: >-
blkid -s UUID -o value '{{ install_drive }}{{ partitioning_boot_fs_partition_suffix }}'
register: partitioning_boot_fs_uuid
changed_when: false changed_when: false
register: boot_uuid
- name: Get UUID for main filesystem - name: Get UUID for main filesystem
command: blkid -s UUID -o value '{{ install_drive }}{{ main_partition_suffix }}' ansible.builtin.command: blkid -s UUID -o value '{{ partitioning_root_device }}'
register: partitioning_main_uuid
changed_when: false changed_when: false
register: main_uuid
- name: Get UUIDs for LVM filesystems - name: Get UUID for LVM root filesystem
when: filesystem != 'btrfs' and (cis == true or item not in ['var_log', 'var_log_audit'])
command: blkid -s UUID -o value /dev/sys/{{ item }}
changed_when: false
register: uuid_result
loop:
- root
- home
- var
- var_log
- var_log_audit
- set_fact:
uuid_root: "{{ uuid_result.results[0].stdout_lines }}"
uuid_home: "{{ uuid_result.results[1].stdout_lines }}"
uuid_var: "{{ uuid_result.results[2].stdout_lines }}"
uuid_var_log: "{{ uuid_result.results[3].stdout_lines if cis == true else '' }}"
uuid_var_log_audit: "{{ uuid_result.results[4].stdout_lines if cis == true else '' }}"
when: filesystem != 'btrfs' when: filesystem != 'btrfs'
ansible.builtin.command: blkid -s UUID -o value /dev/sys/root
register: partitioning_uuid_root_result
changed_when: false
- name: Get UUID for LVM swap filesystem
when:
- filesystem != 'btrfs'
- swap_enabled | bool
ansible.builtin.command: blkid -s UUID -o value /dev/sys/swap
register: partitioning_uuid_swap_result
changed_when: false
- name: Get UUID for LVM home filesystem
when:
- filesystem != 'btrfs'
- cis_enabled
ansible.builtin.command: blkid -s UUID -o value /dev/sys/home
register: partitioning_uuid_home_result
changed_when: false
- name: Get UUID for LVM var filesystem
when:
- filesystem != 'btrfs'
- cis_enabled
ansible.builtin.command: blkid -s UUID -o value /dev/sys/var
register: partitioning_uuid_var_result
changed_when: false
- name: Get UUID for LVM var_log filesystem
when:
- filesystem != 'btrfs'
- cis_enabled
ansible.builtin.command: blkid -s UUID -o value /dev/sys/var_log
register: partitioning_uuid_var_log_result
changed_when: false
- name: Get UUID for LVM var_log_audit filesystem
when:
- filesystem != 'btrfs'
- cis_enabled
ansible.builtin.command: blkid -s UUID -o value /dev/sys/var_log_audit
register: partitioning_uuid_var_log_audit_result
changed_when: false
- name: Assign UUIDs to Variables
when: filesystem != 'btrfs'
ansible.builtin.set_fact:
partitioning_uuid_root: "{{ partitioning_uuid_root_result.stdout_lines | default([]) }}"
partitioning_uuid_swap: >-
{{
partitioning_uuid_swap_result.stdout_lines | default([])
if swap_enabled | bool
else ''
}}
partitioning_uuid_home: >-
{{
partitioning_uuid_home_result.stdout_lines | default([])
if cis_enabled
else ''
}}
partitioning_uuid_var: >-
{{
partitioning_uuid_var_result.stdout_lines | default([])
if cis_enabled
else ''
}}
partitioning_uuid_var_log: >-
{{
partitioning_uuid_var_log_result.stdout_lines | default([])
if cis_enabled
else ''
}}
partitioning_uuid_var_log_audit: >-
{{
partitioning_uuid_var_log_audit_result.stdout_lines | default([])
if cis_enabled
else ''
}}
- name: Mount filesystems - name: Mount filesystems
block: block:
- name: Mount filesystems and subvolumes - name: Mount filesystems and subvolumes
when: "cis or (not cis and item.path != '/var/log' and item.path != '/var/log/audit')" when:
mount: - >-
path: "/mnt{{ item.path }}" cis_enabled or (
src: "{{ 'UUID=' + (main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}" not cis_enabled and (
(filesystem == 'btrfs' and item.path in ['/home', '/var/log', '/var/cache/pacman/pkg'])
or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit', '/var/cache/pacman/pkg'])
)
)
- >-
not (item.path in ['/swap', '/var/cache/pacman/pkg'] and filesystem != 'btrfs')
- swap_enabled | bool or item.path != '/swap'
ansible.posix.mount:
path: /mnt{{ item.path }}
src: "{{ 'UUID=' + (partitioning_main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}"
fstype: "{{ filesystem }}" fstype: "{{ filesystem }}"
opts: "{{ item.opts }}" opts: "{{ item.opts }}"
state: mounted state: mounted
loop: loop:
- { path: '', uuid: "{{ uuid_root[0] | default(omit) }}", opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}" } - path: ""
- { path: '/home', uuid: "{{ uuid_home[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}" } uuid: "{{ partitioning_uuid_root[0] | default(omit) }}"
- { path: '/var', uuid: "{{ uuid_var[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}" } opts: >-
- { path: '/var/log', uuid: "{{ uuid_var_log[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}" } {{
- { path: '/var/log/audit', uuid: "{{ uuid_var_log_audit[0] | default(omit) }}", opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}" } 'defaults'
if filesystem != 'btrfs'
else [
'rw', 'relatime', partitioning_btrfs_compress_opt, 'ssd', 'space_cache=v2',
'discard=async', 'subvol=@'
] | reject('equalto', '') | join(',')
}}
- path: /swap
opts: >-
{{
[
'rw', 'nosuid', 'nodev', 'relatime', partitioning_btrfs_compress_opt, 'ssd',
'space_cache=v2', 'discard=async', 'subvol=@swap'
] | reject('equalto', '') | join(',')
}}
- path: /home
uuid: "{{ partitioning_uuid_home[0] | default(omit) }}"
opts: >-
{{
'defaults,nosuid,nodev'
if filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'relatime', partitioning_btrfs_compress_opt, 'ssd',
'space_cache=v2', 'discard=async', 'subvol=@home'
] | reject('equalto', '') | join(',')
}}
- path: /var
uuid: "{{ partitioning_uuid_var[0] | default(omit) }}"
opts: >-
{{
'defaults,nosuid,nodev'
if filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'relatime', partitioning_btrfs_compress_opt, 'ssd',
'space_cache=v2', 'discard=async', 'subvol=@var'
] | reject('equalto', '') | join(',')
}}
- path: /var/log
uuid: "{{ partitioning_uuid_var_log[0] | default(omit) }}"
opts: >-
{{
'defaults,nosuid,nodev,noexec'
if filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'noexec', 'relatime', partitioning_btrfs_compress_opt,
'ssd', 'space_cache=v2', 'discard=async', 'subvol=@var_log'
] | reject('equalto', '') | join(',')
}}
- path: /var/cache/pacman/pkg
uuid: "{{ partitioning_uuid_root | default([]) | first | default(omit) }}"
opts: >-
{{
'defaults,nosuid,nodev,noexec'
if filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'noexec', 'relatime', partitioning_btrfs_compress_opt,
'ssd', 'space_cache=v2', 'discard=async', 'subvol=@pkg'
] | reject('equalto', '') | join(',')
}}
- path: /var/log/audit
uuid: "{{ partitioning_uuid_var_log_audit[0] | default(omit) }}"
opts: >-
{{
'defaults,nosuid,nodev,noexec'
if filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'noexec', 'relatime', partitioning_btrfs_compress_opt,
'ssd', 'space_cache=v2', 'discard=async', 'subvol=@var_log_audit'
] | reject('equalto', '') | join(',')
}}
- name: Mount tmp and var_tmp filesystems - name: Mount /boot filesystem
mount: when: partitioning_separate_boot | bool
path: "/mnt{{ item.path }}" ansible.posix.mount:
src: tmpfs path: /mnt/boot
fstype: tmpfs src: "UUID={{ partitioning_boot_fs_uuid.stdout }}"
opts: defaults,nosuid,nodev,noexec fstype: "{{ partitioning_boot_fs_fstype }}"
opts: defaults
state: mounted state: mounted
loop:
- { path: '/tmp' }
- { path: '/var/tmp' }
- name: Mount boot filesystem - name: Mount boot filesystem
mount: ansible.posix.mount:
path: /mnt/boot path: "/mnt{{ partitioning_efi_mountpoint }}"
src: UUID={{ boot_uuid.stdout }} src: UUID={{ partitioning_boot_uuid.stdout }}
fstype: vfat fstype: vfat
state: mounted state: mounted
- name: Activate swap
when: swap_enabled | bool
vars:
partitioning_swap_cmd: >-
{{ 'swapon /mnt/swap/swapfile' if filesystem == 'btrfs' else 'swapon -U ' + partitioning_uuid_swap[0] }}
ansible.builtin.command: "{{ partitioning_swap_cmd }}"
register: partitioning_swap_activate_result
changed_when: partitioning_swap_activate_result.rc == 0

8
roles/partitioning/tasks/xfs.yml
View File

@@ -1,10 +1,10 @@
--- ---
- name: Create and format XFS logical volumes - name: Create and format XFS logical volumes
when: cis == true or item.lv not in ['var_log', 'var_log_audit'] when: cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
filesystem: community.general.filesystem:
dev: '/dev/sys/{{ item.lv }}' dev: /dev/sys/{{ item.lv }}
fstype: xfs fstype: xfs
force: yes force: true
loop: loop:
- {lv: root} - {lv: root}
- {lv: home} - {lv: home}

19
roles/virtualization/defaults/main.yml Normal file
View File

@@ -0,0 +1,19 @@
---
virtualization_libvirt_image_dir: >-
{{ vm_path if vm_path is defined and vm_path | length > 0 else '/var/lib/libvirt/images' }}
virtualization_libvirt_disk_path: >-
{{ [virtualization_libvirt_image_dir, hostname ~ '.qcow2'] | ansible.builtin.path_join }}
virtualization_libvirt_cloudinit_path: >-
{{ [virtualization_libvirt_image_dir, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}
virtualization_mac_address: >-
{{ '52:54:00' | community.general.random_mac(seed=hostname) }}
virtualization_tpm2_enabled: >-
{{
(partitioning_luks_enabled | bool)
and (partitioning_luks_auto_decrypt | bool)
and (
(partitioning_luks_auto_decrypt_method | lower)
== 'tpm2'
)
}}

44
roles/virtualization/tasks/libvirt.yml
View File

@@ -1,32 +1,36 @@
- name: Check if VM disk exists ---
delegate_to: localhost
stat:
path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2"
register: vm_disk_stat
- name: Create VM disk - name: Create VM disk
when: not vm_disk_stat.stat.exists
delegate_to: localhost delegate_to: localhost
command: "qemu-img create -f qcow2 {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2 {{ vm_size }}G" ansible.builtin.command:
argv:
- name: Generate Random MAC Address - qemu-img
delegate_to: localhost - create
shell: openssl rand -hex 5 | sed 's/\(..\)/\1:/g; s/.$//' | sed 's/^/02:/' - -f
changed_when: false - qcow2
register: mac_address_output - "{{ virtualization_libvirt_disk_path }}"
- "{{ vm_size }}G"
creates: "{{ virtualization_libvirt_disk_path }}"
- name: Render cloud config templates - name: Render cloud config templates
delegate_to: localhost delegate_to: localhost
template: ansible.builtin.template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "/tmp/{{ item.dest_prefix }}-{{ hostname }}.yml" dest: /tmp/{{ item.dest_prefix }}-{{ hostname }}.yml
mode: '0644'
loop: loop:
- { src: "cloud-user-data.yml.j2", dest_prefix: "cloud-user-data" } - {src: cloud-user-data.yml.j2, dest_prefix: cloud-user-data}
- { src: "cloud-network-config.yml.j2", dest_prefix: "cloud-network-config" } - {src: cloud-network-config.yml.j2, dest_prefix: cloud-network-config}
- name: Create cloud-init disk - name: Create cloud-init disk
delegate_to: localhost delegate_to: localhost
command: "cloud-localds {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso /tmp/cloud-user-data-{{ hostname }}.yml -N /tmp/cloud-network-config-{{ hostname }}.yml" ansible.builtin.command:
argv:
- cloud-localds
- "{{ virtualization_libvirt_cloudinit_path }}"
- "/tmp/cloud-user-data-{{ hostname }}.yml"
- -N
- "/tmp/cloud-network-config-{{ hostname }}.yml"
creates: "{{ virtualization_libvirt_cloudinit_path }}"
- name: Create VM using libvirt - name: Create VM using libvirt
delegate_to: localhost delegate_to: localhost
@@ -34,7 +38,7 @@
command: define command: define
xml: "{{ lookup('template', 'vm.xml.j2') }}" xml: "{{ lookup('template', 'vm.xml.j2') }}"
- name: start vm - name: Start vm
delegate_to: localhost delegate_to: localhost
community.libvirt.virt: community.libvirt.virt:
name: "{{ hostname }}" name: "{{ hostname }}"

3
roles/virtualization/tasks/main.yml
View File

@@ -1,2 +1,3 @@
---
- name: Create Virtual Machine - name: Create Virtual Machine
include_tasks: "{{ hypervisor }}.yml" ansible.builtin.include_tasks: "{{ hypervisor }}.yml"

82
roles/virtualization/tasks/proxmox.yml
View File

@@ -1,48 +1,86 @@
---
- name: Deploy VM on Proxmox - name: Deploy VM on Proxmox
delegate_to: localhost delegate_to: localhost
proxmox_kvm: vars:
virtualization_dns_value: "{{ vm_dns if vm_dns is defined else '' }}"
virtualization_dns_list_raw: >-
{{
virtualization_dns_value
if virtualization_dns_value is iterable and virtualization_dns_value is not string
else virtualization_dns_value.split(',')
}}
virtualization_dns_list: >-
{{ virtualization_dns_list_raw | map('trim') | reject('equalto', '') | list }}
virtualization_search_value: "{{ vm_dns_search if vm_dns_search is defined else '' }}"
virtualization_search_list_raw: >-
{{
virtualization_search_value
if virtualization_search_value is iterable and virtualization_search_value is not string
else virtualization_search_value.split(',')
}}
virtualization_search_list: >-
{{ virtualization_search_list_raw | map('trim') | reject('equalto', '') | list }}
community.proxmox.proxmox_kvm:
api_host: "{{ hypervisor_url }}" api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}" api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}" api_password: "{{ hypervisor_password }}"
ciuser: "{{ user_name }}" ciuser: "{{ user_name }}"
cipassword: "{{ user_password }}" cipassword: "{{ user_password }}"
node: "{{ hypervisor_node }}" # Proxmox node name ciupgrade: false
vmid: "{{ vm_id }}" # Unique ID for the VM node: "{{ hypervisor_node }}"
name: "{{ hostname }}" # Name of the VM vmid: "{{ vm_id }}"
cpu: "host" name: "{{ hostname }}"
cores: "{{ vm_cpus }}" # Number of CPU cores cpu: host
memory: "{{ vm_memory }}" # Memory size in MB cores: "{{ vm_cpus }}"
balloon: "{{ vm_ballo | default(omit) }}" # Minimum Memory size in MB memory: "{{ vm_memory }}"
balloon: "{{ vm_ballo if vm_ballo is defined and vm_ballo | int > 0 else omit }}"
numa_enabled: true numa_enabled: true
hotplug: "network,disk" hotplug: network,disk
update: "{{ virtualization_tpm2_enabled | bool }}"
update_unsafe: "{{ virtualization_tpm2_enabled | bool }}"
bios: ovmf bios: ovmf
boot: "ac" machine: "{{ 'q35' if virtualization_tpm2_enabled | bool else omit }}"
scsihw: "virtio-scsi-single" boot: ac
scsihw: virtio-scsi-single
scsi: scsi:
scsi0: "{{ hypervisor_storage }}:{{ vm_size }}" # Disk configuration scsi0: "{{ hypervisor_storage }}:{{ vm_size }}"
efidisk0: efidisk0:
efitype: "4m" efitype: 4m
format: "raw" format: raw
pre_enrolled_keys: false pre_enrolled_keys: false
storage: "{{ hypervisor_storage }}" storage: "{{ hypervisor_storage }}"
tpmstate0: >-
{{
{'storage': hypervisor_storage, 'version': '2.0'}
if virtualization_tpm2_enabled | bool
else omit
}}
ide: ide:
ide0: "{{ boot_iso }},media=cdrom" ide0: "{{ boot_iso }},media=cdrom"
ide1: "{{ hypervisor_storage }}:cloudinit" ide1: "{{ rhel_iso + ',media=cdrom' if rhel_iso is defined and rhel_iso | length > 0 else omit }}"
ide2: "{{ hypervisor_storage }}:cloudinit"
net: net:
net0: "virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %}" net0: virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name | length > 0 %},tag={{ vlan_name }}{% endif %}
ipconfig: ipconfig:
ipconfig0: "ip={{ vm_ip }},gw={{ vm_gw }}" ipconfig0: >-
nameservers: "{{ vm_dns }}" {{
onboot: true # Start the VM on boot 'ip=' ~ vm_ip ~ '/' ~ vm_nms
state: present # Ensure the VM is present ~ (',gw=' ~ vm_gw if vm_gw is defined and vm_gw | length else '')
if vm_ip is defined and vm_ip | length
else 'ip=dhcp'
}}
nameservers: "{{ virtualization_dns_list if virtualization_dns_list | length else omit }}"
searchdomains: "{{ virtualization_search_list if virtualization_search_list | length else omit }}"
onboot: true
state: present
- name: Start VM on Proxmox - name: Start VM on Proxmox
delegate_to: localhost delegate_to: localhost
proxmox_kvm: community.proxmox.proxmox_kvm:
api_host: "{{ hypervisor_url }}" api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}" api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}" api_password: "{{ hypervisor_password }}"
node: "{{ hypervisor_node }}" node: "{{ hypervisor_node }}"
name: "{{ hostname }}" name: "{{ hostname }}"
vmid: "{{ vm_id }}" vmid: "{{ vm_id }}"
state: started # Ensure the VM is present state: started

75
roles/virtualization/tasks/vmware.yml
View File

@@ -1,16 +1,19 @@
---
- name: Create VM in vCenter - name: Create VM in vCenter
delegate_to: localhost delegate_to: localhost
vmware_guest: community.vmware.vmware_guest:
hostname: "{{ hypervisor_url }}" hostname: "{{ hypervisor_url }}"
username: "{{ hypervisor_username }}" username: "{{ hypervisor_username }}"
password: "{{ hypervisor_password }}" password: "{{ hypervisor_password }}"
validate_certs: no validate_certs: false
datacenter: "{{ hypervisor_cluster }}" datacenter: "{{ hypervisor_datacenter }}"
cluster: "{{ hypervisor_node }}" cluster: "{{ hypervisor_cluster }}"
folder: "{{ vm_path }}" folder: "{{ vm_path if vm_path is defined and vm_path | length > 0 else omit }}"
name: "{{ hostname }}" name: "{{ hostname }}"
guest_id: "otherGuest64" guest_id: otherLinux64Guest
state: poweredon annotation: |
{{ note if note is defined else '' }}
state: "{{ 'poweredoff' if virtualization_tpm2_enabled | bool else 'poweredon' }}"
disk: disk:
- size_gb: "{{ vm_size }}" - size_gb: "{{ vm_size }}"
type: thin type: thin
@@ -18,16 +21,54 @@
hardware: hardware:
memory_mb: "{{ vm_memory }}" memory_mb: "{{ vm_memory }}"
num_cpus: "{{ vm_cpus }}" num_cpus: "{{ vm_cpus }}"
boot_firmware: "efi" boot_firmware: efi
secure_boot: false secure_boot: false
cdrom: cdrom: >-
- controller_number: 0 {{
unit_number: 0 [ {
controller_type: "sata" "controller_number": 0,
state: present "unit_number": 0,
type: iso "controller_type": "sata",
iso_path: "{{ boot_iso }}" "state": "present",
"type": "iso",
"iso_path": boot_iso
} ]
+
( [ {
"controller_number": 0,
"unit_number": 1,
"controller_type": "sata",
"state": "present",
"type": "iso",
"iso_path": rhel_iso
} ] if rhel_iso is defined and rhel_iso | length > 0 else [] )
}}
networks: networks:
- vlan: "{{ vlan_name }}" - name: "{{ vm_nif }}"
type: dhcp type: dhcp
ignore_errors: yes vlan: "{{ vlan_name if vlan_name is defined and vlan_name | length > 0 else omit }}"
- name: Ensure vTPM2 is enabled when required
when: virtualization_tpm2_enabled | bool
delegate_to: localhost
community.vmware.vmware_guest_tpm:
hostname: "{{ hypervisor_url }}"
username: "{{ hypervisor_username }}"
password: "{{ hypervisor_password }}"
validate_certs: false
datacenter: "{{ hypervisor_datacenter }}"
folder: "{{ vm_path if vm_path is defined and vm_path | length > 0 else omit }}"
name: "{{ hostname }}"
state: present
- name: Start VM in vCenter
when: virtualization_tpm2_enabled | bool
delegate_to: localhost
vmware.vmware.vm_powerstate:
hostname: "{{ hypervisor_url }}"
username: "{{ hypervisor_username }}"
password: "{{ hypervisor_password }}"
validate_certs: false
datacenter: "{{ hypervisor_datacenter }}"
name: "{{ hostname }}"
state: powered-on

41
roles/virtualization/templates/cloud-network-config.yml.j2
View File

@@ -3,9 +3,44 @@ network:
ethernets: ethernets:
id0: id0:
match: match:
macaddress: "{{ mac_address_output.stdout }}" macaddress: "{{ virtualization_mac_address }}"
{% set has_static = vm_ip is defined and vm_ip | length %}
{% set dns_value = vm_dns if vm_dns is defined else '' %}
{% set dns_list_raw = dns_value if dns_value is iterable and dns_value is not string else dns_value.split(',') %}
{% set dns_list = dns_list_raw | map('trim') | reject('equalto', '') | list %}
{% set search_value = vm_dns_search if vm_dns_search is defined else '' %}
{% set search_list_raw = search_value if search_value is iterable and search_value is not string else search_value.split(',') %}
{% set search_list = search_list_raw | map('trim') | reject('equalto', '') | list %}
{% if has_static %}
addresses: addresses:
- "{{ vm_ip }}" - "{{ vm_ip }}/{{ vm_nms }}"
{% if vm_gw is defined and vm_gw | length %}
gateway4: "{{ vm_gw }}" gateway4: "{{ vm_gw }}"
{% endif %}
{% else %}
dhcp4: true
{% if (vm_dns is defined and vm_dns | length) or (vm_dns_search is defined and vm_dns_search | length) %}
dhcp4-overrides:
{% if vm_dns is defined and vm_dns | length %}
use-dns: false
{% endif %}
{% if vm_dns_search is defined and vm_dns_search | length %}
use-domains: false
{% endif %}
{% endif %}
{% endif %}
{% if dns_list or search_list %}
nameservers: nameservers:
addresses: ['1.1.1.1', '1.0.0.1'] {% if dns_list %}
addresses:
{% for dns in dns_list %}
- "{{ dns }}"
{% endfor %}
{% endif %}
{% if search_list %}
search:
{% for search in search_list %}
- "{{ search }}"
{% endfor %}
{% endif %}
{% endif %}

2
roles/virtualization/templates/cloud-user-data.yml.j2
View File

@@ -1,6 +1,8 @@
#cloud-config #cloud-config
hostname: "archiso" hostname: "archiso"
ssh_pwauth: true ssh_pwauth: true
package_update: false
package_upgrade: false
users: users:
- name: "{{ user_name }}" - name: "{{ user_name }}"
primary_group: "{{ user_name }}" primary_group: "{{ user_name }}"

24
roles/virtualization/templates/vm.xml.j2
View File

@@ -1,15 +1,15 @@
<domain type='kvm'> <domain type='kvm'>
<name>{{ hostname }}</name> <name>{{ hostname }}</name>
<memory>{{ vm_memory | int * 1024 }}</memory> <memory>{{ vm_memory | int * 1024 }}</memory>
{% if vm_ballo is defined %}<currentMemory>{{ vm_ballo | int * 1024 }}</currentMemory>{% endif %} {% if vm_ballo is defined and vm_ballo | int > 0 %}<currentMemory>{{ vm_ballo | int * 1024 }}</currentMemory>{% endif %}
<vcpu placement='static'>{{ vm_cpus }}</vcpu> <vcpu placement='static'>{{ vm_cpus }}</vcpu>
<os> <os>
<type arch='x86_64' machine="pc-q35-8.0">hvm</type> <type arch='x86_64' machine="pc-q35-8.0">hvm</type>
<bootmenu enable='no'/> <bootmenu enable='no'/>
<boot dev='hd'/> <boot dev='hd'/>
<boot dev='cdrom'/> <boot dev='cdrom'/>
<loader readonly="yes" type="pflash">/usr/share/edk2/x64/OVMF_CODE.secboot.fd</loader> <loader readonly="yes" type="pflash">/usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd</loader>
<nvram template="/usr/share/edk2/x64/OVMF_VARS.fd"/> <nvram template="/usr/share/edk2/x64/OVMF_VARS.4m.fd"/>
</os> </os>
<features> <features>
<acpi/> <acpi/>
@@ -24,7 +24,7 @@
<devices> <devices>
<disk type='file' device='disk'> <disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/> <driver name='qemu' type='qcow2'/>
<source file='{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2'/> <source file='{{ virtualization_libvirt_disk_path }}'/>
<target dev='vda' bus='virtio'/> <target dev='vda' bus='virtio'/>
</disk> </disk>
<disk type="file" device="cdrom"> <disk type="file" device="cdrom">
@@ -34,14 +34,26 @@
</disk> </disk>
<disk type="file" device="cdrom"> <disk type="file" device="cdrom">
<driver name="qemu" type="raw"/> <driver name="qemu" type="raw"/>
<source file="{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso"/> <source file="{{ virtualization_libvirt_cloudinit_path }}"/>
<target dev="sdb" bus="sata"/> <target dev="sdb" bus="sata"/>
</disk> </disk>
{% if rhel_iso is defined and rhel_iso | length > 0 %}
<disk type="file" device="cdrom">
<driver name="qemu" type="raw"/>
<source file="{{ rhel_iso }}"/>
<target dev="sdc" bus="sata"/>
</disk>
{% endif %}
<interface type='network'> <interface type='network'>
<mac address="{{ mac_address_output.stdout }}"/> <mac address="{{ virtualization_mac_address }}"/>
<source network='default'/> <source network='default'/>
<model type='virtio'/> <model type='virtio'/>
</interface> </interface>
{% if virtualization_tpm2_enabled %}
<tpm model='tpm-crb'>
<backend type='emulator' version='2.0'/>
</tpm>
{% endif %}
<input type="tablet" bus="usb"/> <input type="tablet" bus="usb"/>
<input type="mouse" bus="ps2"/> <input type="mouse" bus="ps2"/>
<input type="keyboard" bus="ps2"/> <input type="keyboard" bus="ps2"/>

4
templates/fedora.repo.j2
View File

@@ -8,7 +8,7 @@ metadata_expire=86400
repo_gpgcheck=0 repo_gpgcheck=0
type=rpm type=rpm
gpgcheck=1 gpgcheck=1
gpgkey=https://getfedora.org/static/fedora.gpg gpgkey=https://fedoraproject.org/fedora.gpg
skip_if_unavailable=False skip_if_unavailable=False
[fedora-updates] [fedora-updates]
@@ -21,5 +21,5 @@ repo_gpgcheck=0
type=rpm type=rpm
gpgcheck=1 gpgcheck=1
metadata_expire=86400 metadata_expire=86400
gpgkey=https://getfedora.org/static/fedora.gpg gpgkey=https://fedoraproject.org/fedora.gpg
skip_if_unavailable=False skip_if_unavailable=False

13
templates/rhel10.repo.j2 Normal file
View File

@@ -0,0 +1,13 @@
[rhel10-baseos]
name=RHEL 10 BaseOS
baseurl=file:///usr/local/install/redhat/dvd/BaseOS
enabled=1
gpgcheck=0
gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release
[rhel10-appstream]
name=RHEL 10 AppStream
baseurl=file:///usr/local/install/redhat/dvd/AppStream
enabled=1
gpgcheck=0
gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release

13
templates/rhel8.repo.j2 Normal file
View File

@@ -0,0 +1,13 @@
[rhel8-baseos]
name=RHEL 8 BaseOS
baseurl=file:///usr/local/install/redhat/dvd/BaseOS
enabled=1
gpgcheck=0
gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release
[rhel8-appstream]
name=RHEL 8 AppStream
baseurl=file:///usr/local/install/redhat/dvd/AppStream
enabled=1
gpgcheck=0
gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release

13
templates/rhel9.repo.j2 Normal file
View File

@@ -0,0 +1,13 @@
[rhel9-baseos]
name=RHEL 9 BaseOS
baseurl=file:///usr/local/install/redhat/dvd/BaseOS
enabled=1
gpgcheck=0
gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release
[rhel9-appstream]
name=RHEL 9 AppStream
baseurl=file:///usr/local/install/redhat/dvd/AppStream
enabled=1
gpgcheck=0
gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release

10
templates/rocky.repo.j2 Normal file
View File

@@ -0,0 +1,10 @@
[rocky-baseos]
name=Rocky Linux $releasever - BaseOS
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/os/
gpgcheck=1
enabled=1
countme=1
gpgkey=https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-$releasever
metadata_expire=86400
enabled_metadata=1

19
vars_baremetal_example.yml Normal file
View File

@@ -0,0 +1,19 @@
---
hypervisor: "none"
install_type: "physical"
install_drive: "/dev/sda"
os: "archlinux"
filesystem: "btrfs"
cis: false
selinux: true
firewalld_enabled: true
luks_enabled: true
luks_passphrase: "1234"
luks_mapper_name: "SYSTEM_DECRYPTED"
luks_auto_decrypt: true
luks_auto_decrypt_method: "tpm2"
luks_tpm2_device: "auto"
luks_tpm2_pcrs: "7"

52
vars_example.yml
View File

@@ -1,18 +1,42 @@
ansible_user: "{{ user_name }}" ---
ansible_password: "{{ user_password }}" # Set vm_ip for static addressing. Remove vm_ip to use DHCP.
ansible_become_password: "{{ user_password }}" vm_ip: "{{ inventory_hostname }}"
ansible_ssh_extra_args: '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
vm_ip: "{{ inventory_hostname }}/24"
hypervisor_list: ["libvirt", "proxmox", "vmware", "none"]
filesystem_list: ["btrfs", "ext4", "xfs"]
os_list: ["archlinux", "almalinux", "debian11", "debian12", "fedora"]
install_type: "virtual" install_type: "virtual"
cis: false install_drive: "/dev/sda" # Use /dev/vda for virtio/libvirt.
custom_iso: false # Set true to skip ArchISO-specific validation and pacman setup.
cis: false # Set true to enable CIS hardening.
selinux: true # Toggle SELinux where supported.
firewalld_enabled: true # Toggle firewalld package and service.
hypervisor_url: "192.168.0.2" hypervisor_url: "pve01.example.com"
hypervisor_username: "root@pam" hypervisor_username: "root@pam"
hypervisor_password: "SomePassword" hypervisor_password: "CHANGE_ME"
hypervisor_node: "NodeName" hypervisor_node: "pve01"
hypervisor_storage: "local-btrfs" hypervisor_storage: "local-lvm"
boot_iso: "local-btrfs:iso/archlinux-x86_64.iso" hypervisor_datacenter: "dc01"
hypervisor_cluster: "cluster01"
# VMware (only needed when hypervisor: vmware)
# vm_path: "/Folder" # Optional folder path segment in vCenter.
vmware_ssh: true
# LUKS disk encryption (optional)
# These map to partitioning_luks_* internally.
luks_enabled: false
luks_passphrase: "CHANGE_ME"
luks_mapper_name: "SYSTEM_DECRYPTED"
luks_auto_decrypt: true
luks_auto_decrypt_method: "tpm2"
luks_tpm2_device: "auto"
luks_tpm2_pcrs: "7"
luks_keyfile_size: 64
luks_options: "discard,tries=3"
luks_type: "luks2"
luks_cipher: "aes-xts-plain64"
luks_hash: "sha512"
luks_iter_time: 4000
luks_key_size: 512
luks_pbkdf: "argon2id"
luks_use_urandom: true
luks_verify_passphrase: true