sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sandwich:e1464562f78bdb3fafebd74bdcf54d89ab5ec261
Branches Tags
sandwich:master sandwich:rhel
...
compare: sandwich:master
Branches Tags
sandwich:master sandwich:rhel

16 Commits
e1464562f7 ... master

Author SHA1 Message Date
Sandwich
378d9a88c2 Add Debian 13 (Trixie) support 2025-08-11 21:37:25 +02:00
Sandwich
905043baf3 Update doc to Fedora 42 2025-07-07 15:24:17 +02:00
Sandwich
9164815185 Fix rhel10 variable assertion 2025-07-06 04:36:55 +02:00
Sandwich
81f15fffb7 use proper datacenter variable 2025-07-06 04:34:16 +02:00
Sandwich
d454c3cd82 Update Fedora to 42 2025-07-06 04:28:59 +02:00
Sandwich
9ffb2aa69f Use the proper property name 2025-06-24 16:57:18 +02:00
Sandwich
6d843ff409 Fix VM state after cleanup 2025-06-24 16:54:57 +02:00
Sandwich
775dbefa67 use proper filename for role variables 2025-06-17 06:34:39 +02:00
Sandwich
06823044dd Update ubuntu to plucky release 2025-06-17 03:57:58 +02:00
Sandwich
919c44bb29 Add rhel10 support 2025-06-17 03:13:30 +02:00
Sandwich
0d01f2afdc Add ncurses-term package to ubuntu for more legacy terminal descriptors 2025-05-30 09:48:55 +02:00
Sandwich
e532dcac16 Add ncurses-term package for legacy ssh client (terminal descriptors) 2025-05-30 09:14:21 +02:00
Sandwich
6cbecf2db0 Add vm_dns_search to hostname if set 2025-05-26 14:37:28 +02:00
Sandwich
d612f9dabb Improve SSH CIS hardening 2025-05-04 01:41:00 +02:00
Sandwich
00c3cd5180 Fix Typo 2025-04-29 20:30:02 +02:00
Sandwich
fef1f44a07 Improve Arch packages + Disable swap before unmounting 2025-04-29 20:28:55 +02:00
13 changed files with 290 additions and 162 deletions
Expand all files Collapse all files

89
README.md
View File

@@ -3,9 +3,11 @@
An Ansible playbook for automating system bootstrap processes in an Infrastructure-as-Code manner, utilizing ArchISO as the foundational tool.
# Info
Most of the roles are adaptable for use with systems beyond ArchLinux, requiring only that the target system can install a necessary package manager, such as `dnf` for RHEL-based systems. Additionally, a replacement for the `arch-chroot` command may be required for these systems.
**NOTE**:
- For RHEL 8 and RHEL 9, repository access requires the `rhel_iso` variable. This variable specifies a local ISO or proxy repository.
- RHEL systems do not support `btrfs`. Use `ext4` or `xfs` as alternatives.
- For RHEL 8, `xfs` may cause installation issues; `ext4` is recommended.
@@ -15,16 +17,18 @@ Most of the roles are adaptable for use with systems beyond ArchLinux, requiring
This playbook supports multiple Linux distributions with specific versions tailored to each. Below is a list of supported distributions:
| `os` | Distribution |
|------------|------------------------------------|
| ---------- | ---------------------------------- |
| archlinux | ArchLinux (Latest rolling release) |
| almalinux | AlmaLinux 9.x |
| debian11 | Debian 11 (Bullseye) |
| debian12 | Debian 12 (Bookworm) |
| fedora | Fedora 41 |
| debian13 | Debian 13 (Trixie) |
| fedora | Fedora 42 |
| rhel8 | Red Hat Enterprise Linux 8 |
| rhel9 | Red Hat Enterprise Linux 9 |
| rhel10 | Red Hat Enterprise Linux 10 |
| rocky | Rocky Linux 9.x |
| ubuntu | Ubuntu 24.10 (Oracular Oriole) |
| ubuntu | Ubuntu 25.04 (Plucky Puffin) |
| ubuntu-lts | Ubuntu 24.04 LTS (Noble Numbat) |
# Documentation
@@ -47,21 +51,22 @@ The playbook uses the ArchLinux ISO as a foundational tool to provides an effici
Global variables apply across your Ansible project and are loaded from `vars.yml` by default. These variables define common settings such as hypervisor connection details and the boot ISO path. They can be overridden by inventory variables for specific hosts or VMs if needed.
| Variable | Description | Example Value |
|-----------------------|--------------------------------------------------------------------|-----------------------------------------|
| `boot_iso` | Path to the boot ISO image. | `local-btrfs:iso/archlinux-x86_64.iso` |
| `rhel_iso` | Path to the RHEL ISO file, required for RHEL 8 and RHEL 9. |`local-btrfs:iso/rhel-9.4-x86_64-dvd.iso`|
| `hypervisor` | Type of hypervisor. | `libvirt`, `proxmox`, `vmware`, `none` |
| `vmware_ssh` | If Ansible should use SSH after base VM setup on VMware. | `true`, `false (default)` |
| `hypervisor_cluster` | Name of the hypervisor cluster. | `default-cluster` |
| `hypervisor_node` | Hypervisor node name. | `node01` |
| `hypervisor_password` | Password for hypervisor authentication. | `123456` |
| `hypervisor_storage` | Storage identifier for VM disks. | `local-btrfs` |
| `hypervisor_url` | URL/IP address for the hypervisor interface. | `192.168.0.2` |
| `hypervisor_username` | Username for hypervisor authentication. | `root@pam` |
| `install_drive` | Drive where the system will be installed. | `/dev/sda` |
| `install_type` | Type of installation. | `virtual`, `physical` |
| `vlan_name` (optional)| VLAN for the VM's network interface. | `vlan100` |
| Variable | Description | Example Value |
| ----------------------- | ---------------------------------------------------------- | ----------------------------------------- |
| `boot_iso` | Path to the boot ISO image. | `local-btrfs:iso/archlinux-x86_64.iso` |
| `rhel_iso` | Path to the RHEL ISO file, required for RHEL 8 and RHEL 9. | `local-btrfs:iso/rhel-9.4-x86_64-dvd.iso` |
| `hypervisor` | Type of hypervisor. | `libvirt`, `proxmox`, `vmware`, `none` |
| `vmware_ssh` | If Ansible should use SSH after base VM setup on VMware. | `true`, `false (default)` |
| `hypervisor_datacenter` | Name of the hypervisor datacenter. | `default-datacenter` |
| `hypervisor_cluster` | Name of the hypervisor cluster. | `default-cluster` |
| `hypervisor_node` | Hypervisor node name. | `node01` |
| `hypervisor_password` | Password for hypervisor authentication. | `123456` |
| `hypervisor_storage` | Storage identifier for VM disks. | `local-btrfs` |
| `hypervisor_url` | URL/IP address for the hypervisor interface. | `192.168.0.2` |
| `hypervisor_username` | Username for hypervisor authentication. | `root@pam` |
| `install_drive` | Drive where the system will be installed. | `/dev/sda` |
| `install_type` | Type of installation. | `virtual`, `physical` |
| `vlan_name` (optional) | VLAN for the VM's network interface. | `vlan100` |
To protect sensitive information, such as passwords, API keys, and other confidential variables (e.g., `hypervisor_password`), **it is recommended to use Ansible Vault**.
@@ -69,30 +74,30 @@ To protect sensitive information, such as passwords, API keys, and other confide
Inventory variables are defined for individual hosts or VMs in the inventory file, allowing customization of settings such as the operating system, filesystem, and compliance with CIS benchmarks. These variables can be set globally and overridden for specific hosts or VMs.
| Variable | Description | Example Value |
|-------------------------|-----------------------------------------------------------------------------------|----------------------------------------------------|
| `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false` |
| `selinux` (optional) | Toggle SELinux, `false` means it should be disabled.` | `true`, `false` |
| `filesystem` | Filesystem type for the VM's primary storage. | `btrfs`, `ext4`, `xfs` |
| `hostname` | The hostname assigned to the virtual machine or system. | `vm01` |
| `os` | Operating system to be installed on the VM. | `archlinux`, `almalinux`, `debian11`, `debian12`, `fedora`, `rhel8`, `rhel9`, `rocky`, `ubuntu`, `ubuntu-lts` |
| `root_password` | Root password for the VM or system, used for initial setup or secure access. | `SecurePass123` |
| `user_name` | Username for a user account within the VM, often used with cloud-init. | `adminuser` |
| `user_password` | Password for the user account within the VM. | `UserPass123` |
| `user_public_key` | SSH Key for the user account within the VM. | `ssh-ed25519 AAAAC` |
| `vm_ballo` (optional) | Ballooning memory size for the VM, used to adjust memory allocation dynamically. | `2048` |
| `vm_cpus` | Number of CPU cores assigned to the virtual machine. | `4` |
| `vm_dns` | DNS server IP address(es) for the virtual machine's network configuration. | `1.0.0.1`, `1.1.1.1` |
| `vm_dns_search` | DNS search zone for the virtual machine's network configuration. | `example.com` |
| `vm_gw` | Default gateway IP address for the virtual machine's network configuration. | `192.168.0.1` |
| `vm_id` | Unique identifier for the virtual machine. | `101` |
| `vm_ip` | IP address assigned to the virtual machine. | `192.168.0.10` |
| `vm_nm` (optional) | IP address netmask assigned to the virtual machine. | `255.255.255.0` |
| `vm_nms` (optional) | IP address netmask assigned to the virtual machine. | `24` |
| `vm_memory` | Amount of memory (in MB) allocated to the virtual machine. | `2048` |
| `vm_nif` | Network interface type or identifier for the VM's network connection. | `vmbr0` |
| `vm_path (optional)` | Path or folder where the VM configuration or related files will be stored. | `/var/lib/libvirt/images/` |
| `vm_size` | Disk size allocated for the VM's primary storage (in GB). | `20` |
| Variable | Description | Example Value |
| --------------------- | -------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false` |
| `selinux` (optional) | Toggle SELinux, `false` means it should be disabled.` | `true`, `false` |
| `filesystem` | Filesystem type for the VM's primary storage. | `btrfs`, `ext4`, `xfs` |
| `hostname` | The hostname assigned to the virtual machine or system. | `vm01` |
| `os` | Operating system to be installed on the VM. | `archlinux`, `almalinux`, `debian11`, `debian12`, `fedora`, `rhel8`, `rhel9`, `rhel10`, `rocky`, `ubuntu`, `ubuntu-lts` |
| `root_password` | Root password for the VM or system, used for initial setup or secure access. | `SecurePass123` |
| `user_name` | Username for a user account within the VM, often used with cloud-init. | `adminuser` |
| `user_password` | Password for the user account within the VM. | `UserPass123` |
| `user_public_key` | SSH Key for the user account within the VM. | `ssh-ed25519 AAAAC` |
| `vm_ballo` (optional) | Ballooning memory size for the VM, used to adjust memory allocation dynamically. | `2048` |
| `vm_cpus` | Number of CPU cores assigned to the virtual machine. | `4` |
| `vm_dns` | DNS server IP address(es) for the virtual machine's network configuration. | `1.0.0.1`, `1.1.1.1` |
| `vm_dns_search` | DNS search zone for the virtual machine's network configuration. | `example.com` |
| `vm_gw` | Default gateway IP address for the virtual machine's network configuration. | `192.168.0.1` |
| `vm_id` | Unique identifier for the virtual machine. | `101` |
| `vm_ip` | IP address assigned to the virtual machine. | `192.168.0.10` |
| `vm_nm` (optional) | IP address netmask assigned to the virtual machine. | `255.255.255.0` |
| `vm_nms` (optional) | IP address netmask assigned to the virtual machine. | `24` |
| `vm_memory` | Amount of memory (in MB) allocated to the virtual machine. | `2048` |
| `vm_nif` | Network interface type or identifier for the VM's network connection. | `vmbr0` |
| `vm_path (optional)` | Path or folder where the VM configuration or related files will be stored. | `/var/lib/libvirt/images/` |
| `vm_size` | Disk size allocated for the VM's primary storage (in GB). | `20` |
## 4. How to Use the Playbook

13
main.yml
View File

@@ -9,7 +9,7 @@
prompt: |
What is your username?
private: false
- name: user_public_key
prompt: |
What is your ssh key?
@@ -27,10 +27,14 @@
vars_files: vars.yml
pre_tasks:
- name: Set ansible_python_interpreter
when: os | lower in ["almalinux", "rhel9", "rhel8", "rocky"]
when: os | lower in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"]
ansible.builtin.set_fact:
ansible_python_interpreter: /usr/bin/python3
- name: Set default variables
ansible.builtin.set_fact:
cis: false
- name: Set SSH Access
when: hypervisor != "vmware"
ansible.builtin.set_fact:
@@ -45,8 +49,8 @@
- hypervisor in ["libvirt", "proxmox", "vmware", "none"]
- filesystem in ["btrfs", "ext4", "xfs"]
- install_drive is defined
- os in ["archlinux", "almalinux", "debian11", "debian12", "fedora", "rhel8", "rhel9", "rocky", "ubuntu", "ubuntu-lts"]
- os not in ["rhel8", "rhel9"] or rhel_iso is defined
- os in ["archlinux", "almalinux", "debian11", "debian12", "debian13", "fedora", "rhel8", "rhel9", "rhel10", "rocky", "ubuntu", "ubuntu-lts"]
- os not in ["rhel8", "rhel9", "rhel10"] or rhel_iso is defined
- (filesystem == "btrfs" and (vm_size | int) >= 10) or (filesystem != "btrfs" and (vm_size | int) >= 20)
- (vm_size | float) >= ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory | float / 2048), [vm_memory | float / 1024, 4.0] | max) + 16)
fail_msg: Invalid input specified, please try again.
@@ -97,4 +101,3 @@
when: not (hypervisor == 'vmware' and cis | bool)
ansible.builtin.wait_for_connection:
timeout: 300

37
roles/bootstrap/tasks/main.yml
View File

@@ -1,26 +1,21 @@
---
- name: Include Packages
ansible.builtin.include_vars:
file: packages.yml
name: role_packages
- name: Run OS-specific bootstrap process
block:
- name: Bootstrap ArchLinux
when: os | lower == 'archlinux'
ansible.builtin.command: pacstrap /mnt {{ role_packages.archlinux | join(' ') }} --asexplicit
ansible.builtin.command: pacstrap /mnt {{ archlinux | join(' ') }} --asexplicit
changed_when: result.rc == 0
register: result
- name: Bootstrap Debian System
when: os | lower in ['debian11', 'debian12']
when: os | lower in ['debian11', 'debian12', 'debian13']
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }}
- debootstrap --include={{ vars[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' if os == 'debian12' else 'trixie' }}
/mnt http://deb.debian.org/debian/
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
- arch-chroot /mnt apt install -y {{ vars[os].extra | join(' ') }}
- arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data
- name: Bootstrap Ubuntu System
@@ -29,12 +24,12 @@
changed_when: result.rc == 0
register: result
with_items:
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'oracular' if os == 'ubuntu' else 'noble' }}
- debootstrap --include={{ vars[os].base | join(',') }} {{ 'plucky' if os == 'ubuntu' else 'noble' }}
/mnt http://archive.ubuntu.com/ubuntu/
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
- arch-chroot /mnt apt update -y
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
- arch-chroot /mnt apt install -y {{ vars[os].extra | join(' ') }}
- name: Bootstrap AlmaLinux 9
when: os | lower == 'almalinux'
@@ -44,18 +39,18 @@
with_items:
- dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.almalinux | join(' ') }}
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ almalinux | join(' ') }}
- name: Bootstrap Fedora 41
- name: Bootstrap Fedora 42
when: os | lower == 'fedora'
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- dnf --releasever=41 --best --repo=fedora --repo=fedora-updates
- dnf --releasever=42 --best --repo=fedora --repo=fedora-updates
--installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=41 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }}
- arch-chroot /mnt dnf --releasever=42 --setopt=install_weak_deps=False install -y {{ fedora | join(' ') }}
- arch-chroot /mnt dnf reinstall -y kernel-core
- name: Bootstrap RockyLinux 9
@@ -68,14 +63,14 @@
--setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
groupinstall -y base core
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.rocky | join(' ') }}
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ rocky | join(' ') }}
- name: Bootstrap RHEL System
when: os | lower in ['rhel8', 'rhel9']
when: os | lower in ['rhel8', 'rhel9', 'rhel10']
block:
- name: Install base packages in chroot environment
ansible.builtin.command: >-
dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --repo={{ os | lower }}-baseos
dnf --releasever={{ os | lower | replace('rhel', '') }} --repo={{ os | lower }}-baseos
--installroot=/mnt
--setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
groupinstall -y core base standard
@@ -95,12 +90,12 @@
ansible.builtin.copy:
src: /etc/yum.repos.d/{{ os | lower }}.repo
dest: /mnt/etc/yum.repos.d/redhat.repo
mode: '0644'
mode: "0644"
remote_src: true
- name: Install additional packages in chroot
ansible.builtin.command: >-
arch-chroot /mnt dnf --releasever={{ '8' if os == 'rhel8' else '9' }}
--setopt=install_weak_deps=False install -y {{ role_packages[os] | join(' ') }}
arch-chroot /mnt dnf --releasever={{ os | lower | replace('rhel', '') }}
--setopt=install_weak_deps=False install -y {{ vars[os] | join(' ') }}
changed_when: result.rc == 0
register: result

85
roles/bootstrap/vars/packages.yml → roles/bootstrap/vars/main.yml
View File

@@ -28,6 +28,7 @@ archlinux:
- cronie
- dhcpcd
- efibootmgr
- fastfetch
- firewalld
- fish
- fzf
@@ -40,7 +41,6 @@ archlinux:
- lsof
- lvm2
- ncdu
- neofetch
- networkmanager
- nfs-utils
- open-vm-tools
@@ -51,9 +51,9 @@ archlinux:
- qemu-guest-agent
- reflector
- rsync
- screen
- sudo
- tldr
- tmux
- vim
- wireguard-tools
- zram-generator
@@ -157,6 +157,55 @@ debian12:
- wget
- zstd
debian13:
base:
- btrfs-progs
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- linux-image-amd64
- locales
- logrotate
- lvm2
- xfsprogs
extra:
- apparmor-utils
- bat
- chrony
- curl
- duf
- entr
- fastfetch
- firewalld
- fish
- fzf
- htop
- jq
- libpam-pwquality
- logrotate
- lrzsz
- mtr
- ncdu
- net-tools
- network-manager
- open-vm-tools
- openssh-server
- python-is-python3
- python3
- ripgrep
- rsync
- screen
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- vim
- wget
- zstd
fedora:
- bat
- bind-utils
@@ -164,10 +213,8 @@ fedora:
- cronie
- dhcp-client
- duf
- dust
- efibootmgr
- entr
- eza
- fish
- fzf
- glibc-langpack-de
@@ -202,11 +249,14 @@ rhel8:
- glibc-langpack-en
- grub2
- grub2-efi-x64
- grub2-tools-extra
- lrzsz
- lvm2
- mtr
- ncurses-term
- nfs-utils
- open-vm-tools
- policycoreutils-python-utils
- python39
- shim
- tmux
@@ -221,11 +271,36 @@ rhel9:
- glibc-langpack-en
- grub2
- grub2-efi
- grub2-tools-extra
- lrzsz
- lvm2
- mtr
- ncurses-term
- nfs-utils
- open-vm-tools
- policycoreutils-python-utils
- python
- shim
- tmux
- vim
- zram-generator
- zstd
rhel10:
- bind-utils
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- kernel
- lrzsz
- lvm2
- mtr
- ncurses-term
- nfs-utils
- open-vm-tools
- policycoreutils-python-utils
- python
- shim
- tmux
@@ -294,6 +369,7 @@ ubuntu:
- lrzsz
- mtr
- ncdu
- ncurses-term
- net-tools
- network-manager
- open-vm-tools
@@ -353,6 +429,7 @@ ubuntu-lts:
- lrzsz
- mtr
- ncdu
- ncurses-term
- net-tools
- network-manager
- open-vm-tools

68
roles/cis/tasks/main.yml
View File

@@ -4,7 +4,7 @@
- name: Disable Kernel Modules
ansible.builtin.copy:
dest: /mnt/etc/modprobe.d/cis.conf
mode: '0644'
mode: "0644"
content: |
CIS LVL 3 Restrictions
install freevxfs /bin/false
@@ -24,7 +24,7 @@
- name: Create USB Rules
ansible.builtin.copy:
dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh
mode: '0644'
mode: "0644"
content: |
By default, disable all.
ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
@@ -41,7 +41,7 @@
- name: Create a consolidated sysctl configuration file
ansible.builtin.copy:
dest: /mnt/etc/sysctl.d/10-cis.conf
mode: '0644'
mode: "0644"
content: |
## CIS Sysctl configurations
kernel.yama.ptrace_scope=1
@@ -69,7 +69,6 @@
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# - name: Adjust login.defs
# replace:
# path: /mnt/etc/login.defs
@@ -95,9 +94,10 @@
- /mnt/etc/pam.d/password-auth
- name: Configure System Cryptography Policy
when: os in ["almalinux", "rhel9", "rocky"]
ansible.builtin.command:
arch-chroot /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
when: os in ["almalinux", "rhel9", "rhel10", "rocky"]
ansible.builtin.command: arch-chroot /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
register: crypto_policy_result
changed_when: "'Setting system-wide crypto-policies to' in crypto_policy_result.stdout"
- name: Mask Systemd Services
ansible.builtin.command: >
@@ -136,18 +136,39 @@
- { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 }
- { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] else "bash.bashrc" }}', content: umask 077 }
- { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] else "bash.bashrc" }}', content: export TMOUT=3000 }
- { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent }
- { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" }
- {
path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rhel10", "rocky"] else "bash.bashrc" }}',
content: umask 077,
}
- {
path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rhel10", "rocky"] else "bash.bashrc" }}',
content: export TMOUT=3000,
}
- {
path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}',
content: Storage=persistent,
}
- {
path: /mnt/etc/sudoers,
content: Defaults logfile="/var/log/sudo.log",
}
- { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
- { path: '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}',
content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900 }
- { path: '/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth"
if os == "fedora" else "pam.d/system-auth" }}', content: account required pam_faillock.so }
- { path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}',
content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" }
- {
path:
'/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}',
content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900,
}
- {
path:
'/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth"
if os == "fedora" else "pam.d/system-auth" }}',
content: account required pam_faillock.so,
}
- {
path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}',
content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5",
}
- { path: /mnt/etc/hosts.deny, content: "ALL: ALL" }
- { path: /mnt/etc/hosts.allow, content: "sshd: ALL" }
@@ -167,8 +188,8 @@
{ "path": "/mnt/etc/cron.d", "mode": "0700" },
{ "path": "/mnt/etc/crontab", "mode": "0600" },
{ "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
{ "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9"] else None,
{ "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["almalinux", "archlinux", "debian12", "fedora", "rhel9", "rocky"]
{ "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9", "rhel10"] else None,
{ "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["almalinux", "archlinux", "debian12", "fedora", "rhel9", "rhel10", "rocky"]
else "fusermount"), "mode": "755" },
{ "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" }
] | reject("none") }}
@@ -214,9 +235,10 @@
### Ciphers and keying ###
RekeyLimit 512M 6h
KexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com
KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
###########################
AllowStreamLocalForwarding no

7
roles/cleanup/tasks/main.yml
View File

@@ -3,6 +3,11 @@
vars:
ansible_connection: ssh
block:
- name: Disable Swap
ansible.builtin.command: swapoff -a
register: swapoff_result
changed_when: swapoff_result.rc == 0
- name: Unmount /mnt if mounted
ansible.builtin.command: umount -R /mnt
register: unmount_result
@@ -88,7 +93,7 @@
validate_certs: false
datacenter: "{{ hypervisor_cluster }}"
name: "{{ hostname }}"
state: restarted
state: powered-on
- name: Remove Archiso and cloud-init disks
when: hypervisor == "libvirt"

98
roles/configuration/tasks/main.yml
View File

@@ -7,24 +7,25 @@
register: result
- name: Remove depricated attr2 and disable large extent
when: os in ["almalinux", "rhel8", "rhel9", "rocky"] and filesystem == "xfs"
when: os in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"] and filesystem == "xfs"
ansible.builtin.replace:
path: /mnt/etc/fstab
regexp: '(xfs.*?)(attr2)'
regexp: "(xfs.*?)(attr2)"
replace: '\1allocsize=64m'
- name: Replace ISO UUID entry with /dev/sr0 in fstab
when: os in ["rhel8", "rhel9"]
when: os in ["rhel8", "rhel9", "rhel10"]
ansible.builtin.lineinfile:
path: /mnt/etc/fstab
regexp: '^.*\/dvd.*$'
line: "{{ '/usr/local/install/redhat/rhel.iso /usr/local/install/redhat/dvd iso9660 loop,nofail 0 0' if hypervisor == 'vmware'
else '/dev/sr0 /usr/local/install/redhat/dvd iso9660 ro,relatime,nojoliet,check=s,map=n,nofail 0 0' }}"
line:
"{{ '/usr/local/install/redhat/rhel.iso /usr/local/install/redhat/dvd iso9660 loop,nofail 0 0' if hypervisor == 'vmware'
else '/dev/sr0 /usr/local/install/redhat/dvd iso9660 ro,relatime,nojoliet,check=s,map=n,nofail 0 0' }}"
state: present
backrefs: true
- name: Write image from RHEL ISO to the target machine
when: os in ["rhel8", "rhel9"] and hypervisor == 'vmware'
when: os in ["rhel8", "rhel9", "rhel10"] and hypervisor == 'vmware'
ansible.builtin.command: dd if=/dev/sr1 of=/mnt/usr/local/install/redhat/rhel.iso bs=4M
changed_when: result.rc == 0
register: result
@@ -52,7 +53,7 @@
- name: Setup locales
block:
- name: Configure locale.gen
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
ansible.builtin.lineinfile:
dest: /mnt/etc/locale.gen
regexp: "{{ item.regex }}"
@@ -61,34 +62,34 @@
- { regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8 }
- name: Generate locales
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen
changed_when: result.rc == 0
register: result
- name: Set hostname
ansible.builtin.copy:
content: "{{ hostname }}"
content: "{{ hostname }}{% if vm_dns_search is defined and vm_dns_search | length %}.{{ vm_dns_search }}{% endif %}"
dest: /mnt/etc/hostname
mode: '0644'
mode: "0644"
- name: Add host entry to /etc/hosts
ansible.builtin.lineinfile:
path: /mnt/etc/hosts
line: "{{ ansible_host }} {{ hostname }}"
line: "{{ ansible_host }} {{ hostname }}{% if vm_dns_search is defined and vm_dns_search | length %} {{ hostname }}.{{ vm_dns_search }}{% endif %}"
state: present
- name: Create vconsole.conf
ansible.builtin.copy:
content: KEYMAP=us
dest: /mnt/etc/vconsole.conf
mode: '0644'
mode: "0644"
- name: Create locale.conf
ansible.builtin.copy:
content: LANG=en_US.UTF-8
dest: /mnt/etc/locale.conf
mode: '0644'
mode: "0644"
- name: SSH permit Password
ansible.builtin.replace:
@@ -107,7 +108,7 @@
arch-chroot /mnt systemctl enable NetworkManager
{{
' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else
(' sshd' if os | lower not in ['debian11', 'debian12'] else '')
(' sshd' if os | lower not in ['debian11', 'debian12', 'debian13'] else '')
}}
{{
'logrotate systemd-resolved systemd-timesyncd systemd-networkd'
@@ -117,7 +118,7 @@
register: result
- name: Configure grub
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
block:
- name: Add commandline information to grub config
ansible.builtin.lineinfile:
@@ -135,39 +136,38 @@
block:
- name: Install Bootloader
ansible.builtin.command: arch-chroot /mnt
{% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %} /usr/sbin/efibootmgr
{% if os | lower not in ["archlinux", "debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"] %} /usr/sbin/efibootmgr
-c -L '{{ os }}' -d "{{ install_drive }}" -p 1
-l '\efi\EFI\{% if os | lower in ["rhel8", "rhel9"] %}redhat{% else %}{{ os | lower }}{% endif %}\shimx64.efi'
-l '\efi\EFI\{% if os | lower in ["rhel8", "rhel9", "rhel10"] %}redhat{% else %}{{ os | lower }}{% endif %}\shimx64.efi'
{% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{ "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }}
--bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
{% endif %}
changed_when: result.rc == 0
register: result
- name: Generate grub config
ansible.builtin.command: arch-chroot /mnt
{% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}
/usr/sbin/grub2-mkconfig -o /boot/efi/EFI/{% if os | lower in ["rhel8", "rhel9"] %}redhat{% else %}{{ os | lower }}{% endif %}/grub.cfg
{% else %}
/usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }}
{% endif %}
changed_when: result.rc == 0
register: result
- name: Ensure lvm2 for non btrfs filesystems
when: os | lower == "archlinux" and filesystem != "btrfs"
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: '^(HOOKS=.*block)(?!.*lvm2)(.*)'
regexp: "^(HOOKS=.*block)(?!.*lvm2)(.*)"
line: '\1 lvm2\2'
backrefs: true
- name: Regenerate initramfs
when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
when: os | lower not in ["debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"]
ansible.builtin.command: arch-chroot /mnt
{% if os | lower == "archlinux" %} /usr/sbin/mkinitcpio -P
{% elif os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts", "archlinux"] %} /usr/bin/dracut --regenerate-all --force
{% else %} echo "Skipping initramfs regeneration"
{% else %} /usr/bin/dracut --regenerate-all --force
{% endif %}
changed_when: result.rc == 0
register: result
- name: Generate grub config
ansible.builtin.command: arch-chroot /mnt
{% if os | lower not in ["archlinux", "debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"] %}
/usr/sbin/grub2-mkconfig -o /boot/efi/EFI/{% if os | lower in ["rhel8", "rhel9", "rhel10"] %}redhat{% else %}{{ os | lower }}{% endif %}/grub.cfg
{% else %}
/usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }}
{% endif %}
changed_when: result.rc == 0
register: result
@@ -177,8 +177,9 @@
- name: Append vim configurations to vimrc
failed_when: false
ansible.builtin.blockinfile:
path: "{{ '/mnt/etc/vim/vimrc' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts']
else '/mnt/etc/vimrc' }}"
path:
"{{ '/mnt/etc/vim/vimrc' if os | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts']
else '/mnt/etc/vimrc' }}"
block: |
set encoding=utf-8
set number
@@ -199,7 +200,7 @@
vm.dirty_ratio=10
vm.page-cluster=10
marker: ""
mode: '0644'
mode: "0644"
- name: Create zram config
when: os not in ['debian11', 'rhel8']
@@ -211,13 +212,13 @@
compression-algorithm = zstd
swap-priority = 100
fs-type = swap
mode: '0644'
mode: "0644"
- name: Copy Custom Shell config
ansible.builtin.template:
src: custom.sh.j2
dest: /mnt/etc/profile.d/custom.sh
mode: '0644'
mode: "0644"
- name: Create login banner
ansible.builtin.copy:
@@ -230,13 +231,13 @@
**************************************************************
owner: root
group: root
mode: '0644'
mode: "0644"
loop:
- /mnt/etc/issue
- /etc/issue.net
- name: Remove motd files
when: os | lower in ["rhel8", "rhel9"]
when: os | lower in ["rhel8", "rhel9", "rhel10"]
ansible.builtin.file:
path: "{{ item }}"
state: absent
@@ -272,7 +273,7 @@
ansible.builtin.file:
path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf
state: touch
mode: '0644'
mode: "0644"
- name: Setup user account
block:
@@ -280,7 +281,7 @@
ansible.builtin.command: "{{ item }}"
with_items:
- arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups
{{ "sudo" if os | lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "wheel" }}
{{ "sudo" if os | lower in ["debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"] else "wheel" }}
{{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
- arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
changed_when: result.rc == 0
@@ -298,19 +299,22 @@
- name: Give sudo access to wheel group
ansible.builtin.copy:
content: "{{ '%sudo ALL=(ALL) ALL' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] else '%wheel ALL=(ALL) ALL' }}"
content: "{{ '%sudo ALL=(ALL) ALL' if os | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts'] else '%wheel ALL=(ALL) ALL' }}"
dest: /mnt/etc/sudoers.d/01-wheel
mode: "0440"
validate: /usr/sbin/visudo --check --file=%s
- name: Fix SELinux
when: os | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
when: os | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
block:
- name: Relabel the filesystem
when: os | lower != "fedora"
ansible.builtin.command: "arch-chroot /mnt /sbin/fixfiles onboot"
changed_when: result.rc == 0
register: result
- name: Fix SELinux by pre-labeling the filesystem before first boot
when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and (selinux | default(true) | bool)
ansible.builtin.command: >
arch-chroot /mnt /sbin/setfiles -v -F
-e /dev -e /proc -e /sys -e /run
/etc/selinux/targeted/contexts/files/file_contexts /
register: setfiles_result
changed_when: setfiles_result.rc == 0
- name: Disable SELinux
when: os | lower == "fedora" or not (selinux | default(true) | bool)

18
roles/environment/tasks/main.yml
View File

@@ -69,7 +69,7 @@
ansible_user: "root"
ansible_password: ""
ansible_become_password: ""
ansible_ssh_extra_args: '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
- name: Speed-up Bootstrap process
ansible.builtin.lineinfile:
@@ -89,22 +89,22 @@
state: latest
loop:
- { name: glibc }
- { name: dnf, os: [almalinux, fedora, rhel9, rhel8, rocky] }
- { name: debootstrap, os: [debian11, debian12, ubuntu, ubuntu-lts] }
- { name: debian-archive-keyring, os: [debian11, debian12] }
- { name: dnf, os: [almalinux, fedora, rhel8, rhel9, rhel10, rocky] }
- { name: debootstrap, os: [debian11, debian12, debian13, ubuntu, ubuntu-lts] }
- { name: debian-archive-keyring, os: [debian11, debian12, debian13] }
- { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] }
when: "'os' not in item or os in item.os"
retries: 4
delay: 15
- name: Prepare /iso mount and repository for RHEL-based systems
when: os | lower in ["rhel8", "rhel9"]
when: os | lower in ["rhel8", "rhel9", "rhel10"]
block:
- name: Create /iso directory
ansible.builtin.file:
path: /usr/local/install/redhat/dvd
state: directory
mode: '0755'
mode: "0755"
- name: Mount RHEL ISO
ansible.posix.mount:
@@ -115,16 +115,16 @@
state: mounted
- name: Configure RHEL Repos for installation
when: os | lower in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"]
when: os | lower in ["almalinux", "fedora", "rhel8", "rhel9", "rhel10", "rocky"]
block:
- name: Create directories for repository files and RPM GPG keys
ansible.builtin.file:
path: /etc/yum.repos.d
state: directory
mode: '0755'
mode: "0755"
- name: Create RHEL repository file
ansible.builtin.template:
src: "{{ os | lower }}.repo.j2"
dest: /etc/yum.repos.d/{{ os | lower }}.repo
mode: '0644'
mode: "0644"

12
roles/partitioning/tasks/main.yml
View File

@@ -9,7 +9,9 @@
loop:
- { cmd: umount -l /mnt }
- { cmd: vgremove -f sys }
- { cmd: 'find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;' }
- {
cmd: 'find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;',
}
loop_control:
label: "{{ item.cmd }}"
@@ -138,19 +140,19 @@
- path: /home
uuid: "{{ uuid_home[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}"
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}"
- path: /var
uuid: "{{ uuid_var[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}"
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}"
- path: /var/log
uuid: "{{ uuid_var_log[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}"
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}"
- path: /var/log/audit
uuid: "{{ uuid_var_log_audit[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}"
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}"
- name: Mount tmp and var_tmp filesystems
ansible.posix.mount:

4
roles/virtualization/tasks/vmware.yml
View File

@@ -5,8 +5,8 @@
username: "{{ hypervisor_username }}"
password: "{{ hypervisor_password }}"
validate_certs: false
datacenter: "{{ hypervisor_cluster }}"
cluster: "{{ hypervisor_node }}"
datacenter: "{{ hypervisor_datacenter }}"
cluster: "{{ hypervisor_cluster }}"
folder: "{{ vm_path }}"
name: "{{ hostname }}"
guest_id: otherLinux64Guest

4
roles/virtualization/templates/cloud-user-data.yml.j2
View File

@@ -1,10 +1,12 @@
#cloud-config
hostname: "archiso"
ssh_pwauth: true
package_update: false
package_upgrade: false
users:
- name: "{{ user_name }}"
primary_group: "{{ user_name }}"
groups: users
sudo: ALL=(ALL) NOPASSWD:ALL
passwd: "{{ user_password | password_hash('sha512') }}"
lock_passwd: False
lock_passwd: False

4
templates/fedora.repo.j2
View File

@@ -8,7 +8,7 @@ metadata_expire=86400
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=https://getfedora.org/static/fedora.gpg
gpgkey=https://fedoraproject.org/fedora.gpg
skip_if_unavailable=False
[fedora-updates]
@@ -21,5 +21,5 @@ repo_gpgcheck=0
type=rpm
gpgcheck=1
metadata_expire=86400
gpgkey=https://getfedora.org/static/fedora.gpg
gpgkey=https://fedoraproject.org/fedora.gpg
skip_if_unavailable=False

13
templates/rhel10.repo.j2 Normal file
View File

@@ -0,0 +1,13 @@
[rhel10-baseos]
name=RHEL 10 BaseOS
baseurl=file:///usr/local/install/redhat/dvd/BaseOS
enabled=1
gpgcheck=0
gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release
[rhel10-appstream]
name=RHEL 10 AppStream
baseurl=file:///usr/local/install/redhat/dvd/AppStream
enabled=1
gpgcheck=0
gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release