sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sandwich:f967ea1c3b1c07a00ff305d8d31c0b1d14031414
Branches Tags
sandwich:master sandwich:rhel
..
compare: sandwich:master
Branches Tags
sandwich:master sandwich:rhel

67 Commits
f967ea1c3b ... master

Author SHA1 Message Date
Sandwich
378d9a88c2 Add Debian 13 (Trixie) support 2025-08-11 21:37:25 +02:00
Sandwich
905043baf3 Update doc to Fedora 42 2025-07-07 15:24:17 +02:00
Sandwich
9164815185 Fix rhel10 variable assertion 2025-07-06 04:36:55 +02:00
Sandwich
81f15fffb7 use proper datacenter variable 2025-07-06 04:34:16 +02:00
Sandwich
d454c3cd82 Update Fedora to 42 2025-07-06 04:28:59 +02:00
Sandwich
9ffb2aa69f Use the proper property name 2025-06-24 16:57:18 +02:00
Sandwich
6d843ff409 Fix VM state after cleanup 2025-06-24 16:54:57 +02:00
Sandwich
775dbefa67 use proper filename for role variables 2025-06-17 06:34:39 +02:00
Sandwich
06823044dd Update ubuntu to plucky release 2025-06-17 03:57:58 +02:00
Sandwich
919c44bb29 Add rhel10 support 2025-06-17 03:13:30 +02:00
Sandwich
0d01f2afdc Add ncurses-term package to ubuntu for more legacy terminal descriptors 2025-05-30 09:48:55 +02:00
Sandwich
e532dcac16 Add ncurses-term package for legacy ssh client (terminal descriptors) 2025-05-30 09:14:21 +02:00
Sandwich
6cbecf2db0 Add vm_dns_search to hostname if set 2025-05-26 14:37:28 +02:00
Sandwich
d612f9dabb Improve SSH CIS hardening 2025-05-04 01:41:00 +02:00
Sandwich
00c3cd5180 Fix Typo 2025-04-29 20:30:02 +02:00
Sandwich
fef1f44a07 Improve Arch packages + Disable swap before unmounting 2025-04-29 20:28:55 +02:00
Sandwich
e1464562f7 Document vmware_ssh variable 2025-03-25 13:13:06 +01:00
Sandwich
60c552be45 Fix vm creation when no rhel_iso for vmware 2025-02-20 16:00:39 +01:00
Sandwich
c96fcf5e96 Increase max home size to 20GB 2025-02-18 21:39:58 +01:00
Sandwich
4e70ee2e3e Add guest_id since its necessary 2025-02-17 21:38:56 +01:00
Sandwich
81bbd2b22a Implement VMware annotation 2025-02-17 21:17:18 +01:00
Sandwich
e65fbfd570 Improve Partition calculation algorithm 2025-02-17 20:43:45 +01:00
Sandwich
122bd5cdf4 Add DNS Search option 2025-02-10 15:16:15 +01:00
Sandwich
c8d3de3d8d Update README regarding SELinux 2025-02-07 20:50:20 +01:00
Sandwich
4ed15e5ea8 dont fail if selinux is undefined 2025-02-07 20:47:30 +01:00
Sandwich
518babe328 Remove motd files for rhel 2025-02-05 17:14:17 +01:00
Sandwich
918e14051d Enable option to disable selinux for all osses 2025-02-05 01:41:10 +01:00
Sandwich
3d18962160 Include Standard package group for RHEL systems 2025-02-05 00:02:37 +01:00
Sandwich
457d558133 Make sure Volumes are safely unmounted before reboot 2025-01-22 12:34:00 +01:00
Sandwich
e06a95fdbc Fix CIS applienc for RHEL8 2025-01-21 22:34:01 +01:00
Sandwich
7bae512560 Update package name to match correctly 2025-01-21 22:02:43 +01:00
Sandwich
3e91057689 Make sure the VM truly starts 2025-01-21 21:35:47 +01:00
Sandwich
e9647571fc Do not check if VM is back on vmware with cis activated, it will fail 
without the key, and key cannot be set otherwise awx refuses connection
 2025-01-21 21:30:56 +01:00
Sandwich
c32769d831 Add banner 2025-01-21 20:16:05 +01:00
Sandwich
7cfa4aee8d Add ssh key survey 2025-01-21 20:00:18 +01:00
Sandwich
a7e7f49d84 Add missing variable 2025-01-21 19:58:07 +01:00
Sandwich
cfcccbf512 CIS Adjustments 2025-01-21 19:55:36 +01:00
Sandwich
75c4ba6b4c Fix variable distribution 2025-01-21 17:43:18 +01:00
Sandwich
b62066d675 Make Network Assignment more reliable 2025-01-21 16:59:56 +01:00
Sandwich
53a2c27984 Add nms default 2025-01-17 00:50:26 +01:00
Sandwich
bb82ff120b Remove nms from ip since already addition already done internaly 2025-01-17 00:45:42 +01:00
Sandwich
221d77b94d Do not reboot localhost! 2025-01-17 00:38:35 +01:00
Sandwich
d71ea511f9 Don't fail proxmox install if rhel_iso is not defined 2025-01-17 00:07:58 +01:00
Sandwich
b3299781dc use 24 netmask as default if not set 2025-01-17 00:03:38 +01:00
Sandwich
5e7a06b7db Add extra utils 2025-01-14 21:14:40 +01:00
Sandwich
d77f65ce05 Set correct IP NetworkMask if defined 2025-01-14 16:08:10 +01:00
Sandwich
39fc15d7d8 Fix typo 2025-01-14 15:03:06 +01:00
Sandwich
b076968404 Dont fail if vmware_ssh is not defined 2025-01-14 14:58:58 +01:00
Sandwich
4f03ccbfcf Add dig via bind-utils for rhel 2024-12-03 16:42:47 +01:00
Sandwich
5746be4561 RHEL add python package 2024-12-03 13:31:31 +01:00
Sandwich
39cc49a05b Do not hardcode macaddress which makes vm cloning harder 2024-12-02 18:08:48 +01:00
Sandwich
2d63ca9c5a Use RHEL nameing for yum repo file 2024-11-12 14:14:09 +01:00
Sandwich
9f56328890 Fix DNS issue 2024-11-11 17:44:52 +01:00
Sandwich
dc763bdc42 Adjust never libvirt loaders 2024-11-11 17:26:37 +01:00
Sandwich
25deaab87d Add some extra packages and vi mode for bash 2024-11-05 03:36:15 +01:00
Sandwich
89f054e8fd Add final check if the VM is up and running after reboot 2024-11-01 23:58:52 +01:00
Sandwich
cbe238f4d5 Improve the root lv size calculations, still not perfect on bigger disk 
and ram sizes
 2024-10-31 20:07:40 +01:00
Sandwich
c6f1686db8 Preper Shutdown so VMware does not corrupt the installation 2024-10-31 18:27:31 +01:00
Sandwich
c9a15dfccf improve logical volume size calculation 2024-10-31 17:32:27 +01:00
Sandwich
f83a9ebd67 remove zram from debian11 since no support 2024-10-31 16:00:44 +01:00
Sandwich
e16868a78d remove zram for rhel8 since no support 2024-10-31 15:56:42 +01:00
Sandwich
406db38296 dont use sudo for umount 2024-10-31 15:35:22 +01:00
Sandwich
cb3f36a040 Add umount for non RHEL systems 2024-10-31 14:23:55 +01:00
Sandwich
d97f0cfff8 Fix ubuntu install issue 2024-10-31 05:56:20 +01:00
Sandwich
e8f609dd03 Add SWAP support 2024-10-31 05:46:33 +01:00
Sandwich
a599e26a63 Add zram-generator config 2024-10-31 02:18:55 +01:00
Sandwich
3085ebc336 add zram-generator package 2024-10-31 02:10:21 +01:00
23 changed files with 620 additions and 276 deletions
Expand all files Collapse all files

85
README.md
View File

@@ -3,9 +3,11 @@
An Ansible playbook for automating system bootstrap processes in an Infrastructure-as-Code manner, utilizing ArchISO as the foundational tool.
# Info
Most of the roles are adaptable for use with systems beyond ArchLinux, requiring only that the target system can install a necessary package manager, such as `dnf` for RHEL-based systems. Additionally, a replacement for the `arch-chroot` command may be required for these systems.
**NOTE**:
- For RHEL 8 and RHEL 9, repository access requires the `rhel_iso` variable. This variable specifies a local ISO or proxy repository.
- RHEL systems do not support `btrfs`. Use `ext4` or `xfs` as alternatives.
- For RHEL 8, `xfs` may cause installation issues; `ext4` is recommended.
@@ -15,16 +17,18 @@ Most of the roles are adaptable for use with systems beyond ArchLinux, requiring
This playbook supports multiple Linux distributions with specific versions tailored to each. Below is a list of supported distributions:
| `os` | Distribution |
|------------|------------------------------------|
| ---------- | ---------------------------------- |
| archlinux | ArchLinux (Latest rolling release) |
| almalinux | AlmaLinux 9.x |
| debian11 | Debian 11 (Bullseye) |
| debian12 | Debian 12 (Bookworm) |
| fedora | Fedora 41 |
| debian13 | Debian 13 (Trixie) |
| fedora | Fedora 42 |
| rhel8 | Red Hat Enterprise Linux 8 |
| rhel9 | Red Hat Enterprise Linux 9 |
| rhel10 | Red Hat Enterprise Linux 10 |
| rocky | Rocky Linux 9.x |
| ubuntu | Ubuntu 24.10 (Oracular Oriole) |
| ubuntu | Ubuntu 25.04 (Plucky Puffin) |
| ubuntu-lts | Ubuntu 24.04 LTS (Noble Numbat) |
# Documentation
@@ -47,20 +51,22 @@ The playbook uses the ArchLinux ISO as a foundational tool to provides an effici
Global variables apply across your Ansible project and are loaded from `vars.yml` by default. These variables define common settings such as hypervisor connection details and the boot ISO path. They can be overridden by inventory variables for specific hosts or VMs if needed.
| Variable | Description | Example Value |
|-----------------------|--------------------------------------------------------------------|-----------------------------------------|
| `boot_iso` | Path to the boot ISO image. | `local-btrfs:iso/archlinux-x86_64.iso` |
| `rhel_iso` | Path to the RHEL ISO file, required for RHEL 8 and RHEL 9. |`local-btrfs:iso/rhel-9.4-x86_64-dvd.iso`|
| `hypervisor` | Type of hypervisor. | `libvirt`, `proxmox`, `vmware`, `none` |
| `hypervisor_cluster` | Name of the hypervisor cluster. | `default-cluster` |
| `hypervisor_node` | Hypervisor node name. | `node01` |
| `hypervisor_password` | Password for hypervisor authentication. | `123456` |
| `hypervisor_storage` | Storage identifier for VM disks. | `local-btrfs` |
| `hypervisor_url` | URL/IP address for the hypervisor interface. | `192.168.0.2` |
| `hypervisor_username` | Username for hypervisor authentication. | `root@pam` |
| `install_drive` | Drive where the system will be installed. | `/dev/sda` |
| `install_type` | Type of installation. | `virtual`, `physical` |
| `vlan_name` (optional)| VLAN for the VM's network interface. | `vlan100` |
| Variable | Description | Example Value |
| ----------------------- | ---------------------------------------------------------- | ----------------------------------------- |
| `boot_iso` | Path to the boot ISO image. | `local-btrfs:iso/archlinux-x86_64.iso` |
| `rhel_iso` | Path to the RHEL ISO file, required for RHEL 8 and RHEL 9. | `local-btrfs:iso/rhel-9.4-x86_64-dvd.iso` |
| `hypervisor` | Type of hypervisor. | `libvirt`, `proxmox`, `vmware`, `none` |
| `vmware_ssh` | If Ansible should use SSH after base VM setup on VMware. | `true`, `false (default)` |
| `hypervisor_datacenter` | Name of the hypervisor datacenter. | `default-datacenter` |
| `hypervisor_cluster` | Name of the hypervisor cluster. | `default-cluster` |
| `hypervisor_node` | Hypervisor node name. | `node01` |
| `hypervisor_password` | Password for hypervisor authentication. | `123456` |
| `hypervisor_storage` | Storage identifier for VM disks. | `local-btrfs` |
| `hypervisor_url` | URL/IP address for the hypervisor interface. | `192.168.0.2` |
| `hypervisor_username` | Username for hypervisor authentication. | `root@pam` |
| `install_drive` | Drive where the system will be installed. | `/dev/sda` |
| `install_type` | Type of installation. | `virtual`, `physical` |
| `vlan_name` (optional) | VLAN for the VM's network interface. | `vlan100` |
To protect sensitive information, such as passwords, API keys, and other confidential variables (e.g., `hypervisor_password`), **it is recommended to use Ansible Vault**.
@@ -68,27 +74,30 @@ To protect sensitive information, such as passwords, API keys, and other confide
Inventory variables are defined for individual hosts or VMs in the inventory file, allowing customization of settings such as the operating system, filesystem, and compliance with CIS benchmarks. These variables can be set globally and overridden for specific hosts or VMs.
| Variable | Description | Example Value |
|-------------------------|-----------------------------------------------------------------------------------|----------------------------------------------------|
| `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false` |
| `filesystem` | Filesystem type for the VM's primary storage. | `btrfs`, `ext4`, `xfs` |
| `hostname` | The hostname assigned to the virtual machine or system. | `vm01` |
| `os` | Operating system to be installed on the VM. | `archlinux`, `almalinux`, `debian11`, `debian12`, `fedora`, `rhel8`, `rhel9`, `rocky`, `ubuntu`, `ubuntu-lts` |
| `root_password` | Root password for the VM or system, used for initial setup or secure access. | `SecurePass123` |
| `user_name` | Username for a user account within the VM, often used with cloud-init. | `adminuser` |
| `user_password` | Password for the user account within the VM. | `UserPass123` |
| `vm_ballo` (optional) | Ballooning memory size for the VM, used to adjust memory allocation dynamically. | `2048` |
| `vm_cpus` | Number of CPU cores assigned to the virtual machine. | `4` |
| `vm_dns` | DNS server IP address(es) for the virtual machine's network configuration. | `1.0.0.1`, `1.1.1.1` |
| `vm_gw` | Default gateway IP address for the virtual machine's network configuration. | `192.168.0.1` |
| `vm_id` | Unique identifier for the virtual machine. | `101` |
| `vm_ip` | IP address assigned to the virtual machine. | `192.168.0.10` |
| `vm_nm` (optional) | IP address netmask assigned to the virtual machine. | `255.255.255.0` |
| `vm_nms` (optional) | IP address netmask assigned to the virtual machine. | `24` |
| `vm_memory` | Amount of memory (in MB) allocated to the virtual machine. | `2048` |
| `vm_nif` | Network interface type or identifier for the VM's network connection. | `vmbr0` |
| `vm_path (optional)` | Path or folder where the VM configuration or related files will be stored. | `/var/lib/libvirt/images/` |
| `vm_size` | Disk size allocated for the VM's primary storage (in GB). | `20` |
| Variable | Description | Example Value |
| --------------------- | -------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false` |
| `selinux` (optional) | Toggle SELinux, `false` means it should be disabled.` | `true`, `false` |
| `filesystem` | Filesystem type for the VM's primary storage. | `btrfs`, `ext4`, `xfs` |
| `hostname` | The hostname assigned to the virtual machine or system. | `vm01` |
| `os` | Operating system to be installed on the VM. | `archlinux`, `almalinux`, `debian11`, `debian12`, `fedora`, `rhel8`, `rhel9`, `rhel10`, `rocky`, `ubuntu`, `ubuntu-lts` |
| `root_password` | Root password for the VM or system, used for initial setup or secure access. | `SecurePass123` |
| `user_name` | Username for a user account within the VM, often used with cloud-init. | `adminuser` |
| `user_password` | Password for the user account within the VM. | `UserPass123` |
| `user_public_key` | SSH Key for the user account within the VM. | `ssh-ed25519 AAAAC` |
| `vm_ballo` (optional) | Ballooning memory size for the VM, used to adjust memory allocation dynamically. | `2048` |
| `vm_cpus` | Number of CPU cores assigned to the virtual machine. | `4` |
| `vm_dns` | DNS server IP address(es) for the virtual machine's network configuration. | `1.0.0.1`, `1.1.1.1` |
| `vm_dns_search` | DNS search zone for the virtual machine's network configuration. | `example.com` |
| `vm_gw` | Default gateway IP address for the virtual machine's network configuration. | `192.168.0.1` |
| `vm_id` | Unique identifier for the virtual machine. | `101` |
| `vm_ip` | IP address assigned to the virtual machine. | `192.168.0.10` |
| `vm_nm` (optional) | IP address netmask assigned to the virtual machine. | `255.255.255.0` |
| `vm_nms` (optional) | IP address netmask assigned to the virtual machine. | `24` |
| `vm_memory` | Amount of memory (in MB) allocated to the virtual machine. | `2048` |
| `vm_nif` | Network interface type or identifier for the VM's network connection. | `vmbr0` |
| `vm_path (optional)` | Path or folder where the VM configuration or related files will be stored. | `/var/lib/libvirt/images/` |
| `vm_size` | Disk size allocated for the VM's primary storage (in GB). | `20` |
## 4. How to Use the Playbook

29
inventory_example.ini
View File

@@ -1,29 +0,0 @@
[promox-kvm]
192.168.122.10
192.168.122.11
[promox-kvm:vars]
vm_gw=192.168.122.1
vm_dns=1.1.1.1
[192.168.122.10]
hostname=proxy
vm_id=300
os=archlinux
filesystem=btrfs
vm_memory=2048
vm_ballo=1024
vm_cpus=2
vm_size=5
vm_nif=vmbr1
[192.168.122.11]
hostname=database
vm_id=101
os=archlinux
filesystem=btrfs
vm_memory=6144
vm_ballo=3072
vm_cpus=4
vm_size=40
vm_nif=vmbr1

2
inventory_example.yml
View File

@@ -3,6 +3,7 @@ all:
hypervisor: 'proxmox'
install_drive: '/dev/sda'
cis: true
boot_iso: "local-btrfs:iso/archlinux-x86_64.iso"
children:
promox-kvm:
hosts:
@@ -18,6 +19,7 @@ all:
vm_nif: vmbr1
vm_gw: 192.168.122.1
vm_dns: 1.1.1.1
vm_dns_search: "example.com"
192.168.122.11:
hostname: database
vm_id: 101

36
main.yml
View File

@@ -10,6 +10,11 @@
What is your username?
private: false
- name: user_public_key
prompt: |
What is your ssh key?
private: false
- name: user_password
prompt: |
What is your password?
@@ -22,17 +27,21 @@
vars_files: vars.yml
pre_tasks:
- name: Set ansible_python_interpreter
when: os | lower in ["almalinux", "rhel9", "rhel8", "rocky"]
when: os | lower in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"]
ansible.builtin.set_fact:
ansible_python_interpreter: /usr/bin/python3
- name: Set default variables
ansible.builtin.set_fact:
cis: false
- name: Set SSH Access
when: hypervisor != "vmware"
ansible.builtin.set_fact:
ansible_user: "{{ user_name }}"
ansible_password: "{{ user_password }}"
ansible_become_password: "{{ user_password }}"
ansible_ssh_extra_args: '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
- name: Validate variables
ansible.builtin.assert:
@@ -40,9 +49,10 @@
- hypervisor in ["libvirt", "proxmox", "vmware", "none"]
- filesystem in ["btrfs", "ext4", "xfs"]
- install_drive is defined
- os in ["archlinux", "almalinux", "debian11", "debian12", "fedora", "rhel8", "rhel9", "rocky", "ubuntu", "ubuntu-lts"]
- os not in ["rhel8", "rhel9"] or rhel_iso is defined
- os in ["archlinux", "almalinux", "debian11", "debian12", "debian13", "fedora", "rhel8", "rhel9", "rhel10", "rocky", "ubuntu", "ubuntu-lts"]
- os not in ["rhel8", "rhel9", "rhel10"] or rhel_iso is defined
- (filesystem == "btrfs" and (vm_size | int) >= 10) or (filesystem != "btrfs" and (vm_size | int) >= 20)
- (vm_size | float) >= ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory | float / 2048), [vm_memory | float / 1024, 4.0] | max) + 16)
fail_msg: Invalid input specified, please try again.
- name: Set connection
@@ -79,9 +89,15 @@
ansible_connection: local
tasks:
- name: Reboot system
when: hypervisor == "proxmox"
ansible.builtin.command: reboot
failed_when: false
changed_when: result.rc == 0
register: result
- name: Set final SSH Credentials
when: hypervisor != 'vmware' or (hypervisor == 'vmware' and vmware_ssh | bool)
ansible.builtin.set_fact:
ansible_user: "{{ user_name }}"
ansible_password: "{{ user_password }}"
ansible_become_password: "{{ user_password }}"
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
- name: Check if VM is back and running
when: not (hypervisor == 'vmware' and cis | bool)
ansible.builtin.wait_for_connection:
timeout: 300

51
roles/bootstrap/tasks/main.yml
View File

@@ -1,26 +1,21 @@
---
- name: Include Packages
ansible.builtin.include_vars:
file: packages.yml
name: role_packages
- name: Run OS-specific bootstrap process
block:
- name: Bootstrap ArchLinux
when: os | lower == 'archlinux'
ansible.builtin.command: pacstrap /mnt {{ role_packages.archlinux | join(' ') }} --asexplicit
ansible.builtin.command: pacstrap /mnt {{ archlinux | join(' ') }} --asexplicit
changed_when: result.rc == 0
register: result
- name: Bootstrap Debian System
when: os | lower in ['debian11', 'debian12']
when: os | lower in ['debian11', 'debian12', 'debian13']
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }}
- debootstrap --include={{ vars[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' if os == 'debian12' else 'trixie' }}
/mnt http://deb.debian.org/debian/
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
- arch-chroot /mnt apt install -y {{ vars[os].extra | join(' ') }}
- arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data
- name: Bootstrap Ubuntu System
@@ -29,12 +24,12 @@
changed_when: result.rc == 0
register: result
with_items:
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'oracular' if os == 'ubuntu' else 'noble' }}
- debootstrap --include={{ vars[os].base | join(',') }} {{ 'plucky' if os == 'ubuntu' else 'noble' }}
/mnt http://archive.ubuntu.com/ubuntu/
- ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
- arch-chroot /mnt apt update -y
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
- arch-chroot /mnt apt install -y {{ vars[os].extra | join(' ') }}
- name: Bootstrap AlmaLinux 9
when: os | lower == 'almalinux'
@@ -43,19 +38,19 @@
register: result
with_items:
- dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
- ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.almalinux | join(' ') }}
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ almalinux | join(' ') }}
- name: Bootstrap Fedora 41
- name: Bootstrap Fedora 42
when: os | lower == 'fedora'
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- dnf --releasever=41 --best --repo=fedora --repo=fedora-updates
- dnf --releasever=42 --best --repo=fedora --repo=fedora-updates
--installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
- ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=41 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }}
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=42 --setopt=install_weak_deps=False install -y {{ fedora | join(' ') }}
- arch-chroot /mnt dnf reinstall -y kernel-core
- name: Bootstrap RockyLinux 9
@@ -67,24 +62,24 @@
- dnf --releasever=9 --best --repo=rocky-baseos --installroot=/mnt
--setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
groupinstall -y base core
- ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.rocky | join(' ') }}
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ rocky | join(' ') }}
- name: Bootstrap RHEL System
when: os | lower in ['rhel8', 'rhel9']
when: os | lower in ['rhel8', 'rhel9', 'rhel10']
block:
- name: Install base packages in chroot environment
ansible.builtin.command: >-
dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --repo={{ os | lower }}-baseos
dnf --releasever={{ os | lower | replace('rhel', '') }} --repo={{ os | lower }}-baseos
--installroot=/mnt
--setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
groupinstall -y base core
groupinstall -y core base standard
changed_when: result.rc == 0
register: result
- name: Prepare chroot environment
ansible.builtin.shell: |
ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
mkdir -p /mnt/usr/local/install/redhat/dvd
mount --bind /usr/local/install/redhat/dvd /mnt/usr/local/install/redhat/dvd
arch-chroot /mnt rpm --rebuilddb
@@ -94,13 +89,13 @@
- name: Copy RHEL repo file into chroot environment
ansible.builtin.copy:
src: /etc/yum.repos.d/{{ os | lower }}.repo
dest: /mnt/etc/yum.repos.d/{{ os | lower }}.repo
mode: '0644'
dest: /mnt/etc/yum.repos.d/redhat.repo
mode: "0644"
remote_src: true
- name: Install additional packages in chroot
ansible.builtin.command: >-
arch-chroot /mnt dnf --releasever={{ '8' if os == 'rhel8' else '9' }}
--setopt=install_weak_deps=False install -y {{ role_packages[os] | join(' ') }}
arch-chroot /mnt dnf --releasever={{ os | lower | replace('rhel', '') }}
--setopt=install_weak_deps=False install -y {{ vars[os] | join(' ') }}
changed_when: result.rc == 0
register: result

171
roles/bootstrap/vars/packages.yml → roles/bootstrap/vars/main.yml
View File

@@ -1,4 +1,3 @@
---
almalinux:
- bind-utils
- dbus-daemon
@@ -13,12 +12,14 @@ almalinux:
- nc
- nfs-utils
- nfsv4-client-utils
- mtr
- open-vm-tools
- ppp
- shim
- telnet
- tmux
- vim
- wget
- zram-generator
- zstd
archlinux:
@@ -27,8 +28,10 @@ archlinux:
- cronie
- dhcpcd
- efibootmgr
- fastfetch
- firewalld
- fish
- fzf
- grub
- htop
- libpwquality
@@ -38,21 +41,22 @@ archlinux:
- lsof
- lvm2
- ncdu
- neofetch
- networkmanager
- nfs-utils
- openssh
- open-vm-tools
- openssh
- ppp
- prometheus-node-exporter
- python-psycopg2
- qemu-guest-agent
- reflector
- rsync
- screen
- sudo
- tldr
- tmux
- vim
- wireguard-tools
- zram-generator
debian11:
base:
@@ -75,22 +79,29 @@ debian11:
- xfsprogs
extra:
- bat
- curl
- entr
- firewalld
- fish
- fzf
- htop
- jq
- libpam-pwquality
- lrzsz
- mtr
- ncdu
- neofetch
- network-manager
- open-vm-tools
- python-is-python3
- ripgrep
- rsync
- screen
- software-properties-common
- syslog-ng
- tcpd
- tldr
- vim
- wget
- zstd
@@ -111,14 +122,20 @@ debian12:
extra:
- apparmor-utils
- bat
- chrony
- curl
- duf
- entr
- firewalld
- fish
- fzf
- htop
- jq
- libpam-pwquality
- logrotate
- lrzsz
- mtr
- ncdu
- neofetch
- net-tools
@@ -127,26 +144,85 @@ debian12:
- openssh-server
- python-is-python3
- python3
- ripgrep
- rsync
- screen
- software-properties-common
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- tldr
- vim
- wget
- zstd
debian13:
base:
- btrfs-progs
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- linux-image-amd64
- locales
- logrotate
- lvm2
- xfsprogs
extra:
- apparmor-utils
- bat
- chrony
- curl
- duf
- entr
- fastfetch
- firewalld
- fish
- fzf
- htop
- jq
- libpam-pwquality
- logrotate
- lrzsz
- mtr
- ncdu
- net-tools
- network-manager
- open-vm-tools
- openssh-server
- python-is-python3
- python3
- ripgrep
- rsync
- screen
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- vim
- wget
- zstd
fedora:
- bat
- bind-utils
- btrfs-progs
- cronie
- dhcp-client
- duf
- efibootmgr
- entr
- fish
- fzf
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- htop
- iperf3
- logrotate
- lrzsz
- lvm2
@@ -156,38 +232,80 @@ fedora:
- open-vm-tools
- polkit
- ppp
- ripgrep
- shim
- telnet
- tmux
- vim-default-editor
- wget
- zoxide
- zram-generator
- zstd
rhel8:
- bind-utils
- dhcp-client
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi-x64
- grub2-tools-extra
- lrzsz
- lvm2
- mtr
- ncurses-term
- nfs-utils
- open-vm-tools
- policycoreutils-python-utils
- python39
- shim
- telnet
- tmux
- vim
- zstd
rhel9:
- bind-utils
- dhcp-client
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- grub2-tools-extra
- lrzsz
- lvm2
- mtr
- ncurses-term
- nfs-utils
- open-vm-tools
- policycoreutils-python-utils
- python
- shim
- telnet
- tmux
- vim
- zram-generator
- zstd
rhel10:
- bind-utils
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- kernel
- lrzsz
- lvm2
- mtr
- ncurses-term
- nfs-utils
- open-vm-tools
- policycoreutils-python-utils
- python
- shim
- tmux
- vim
- zram-generator
- zstd
rocky:
@@ -201,6 +319,7 @@ rocky:
- grub2-efi
- lrzsz
- lvm2
- mtr
- nc
- nfs-utils
- nfsv4-client-utils
@@ -208,9 +327,11 @@ rocky:
- ppp
- shim
- telnet
- tmux
- util-linux-core
- vim
- wget
- zram-generator
- zstd
ubuntu:
@@ -230,30 +351,47 @@ ubuntu:
extra:
- apparmor-utils
- bash-completion
- bat
- chrony
- curl
- dnsutils
- duf
- entr
- eza
- fdupes
- fio
- firewalld
- fish
- htop
- jq
- libpam-pwquality
- logrotate
- lrzsz
- mtr
- ncdu
- ncurses-term
- net-tools
- network-manager
- open-vm-tools
- openssh-server
- python-is-python3
- python3
- ripgrep
- rsync
- screen
- software-properties-common
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- tldr
- tmux
- traceroute
- util-linux-extra
- vim
- wget
- yq
- zoxide
- zstd
ubuntu-lts:
@@ -273,28 +411,45 @@ ubuntu-lts:
extra:
- apparmor-utils
- bash-completion
- bat
- chrony
- curl
- dnsutils
- duf
- entr
- eza
- fdupes
- fio
- firewalld
- fish
- htop
- jq
- libpam-pwquality
- logrotate
- lrzsz
- mtr
- ncdu
- ncurses-term
- net-tools
- network-manager
- open-vm-tools
- openssh-server
- python-is-python3
- python3
- ripgrep
- rsync
- screen
- software-properties-common
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- tldr
- tmux
- traceroute
- util-linux-extra
- vim
- wget
- yq
- zoxide
- zstd

129
roles/cis/tasks/main.yml
View File

@@ -4,26 +4,27 @@
- name: Disable Kernel Modules
ansible.builtin.copy:
dest: /mnt/etc/modprobe.d/cis.conf
mode: '0644'
mode: "0644"
content: |
CIS LVL 3 Restrictions
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install usb-storage /bin/true
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install cramfs /bin/false
install squashfs /bin/false
install udf /bin/false
install usb-storage /bin/false
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install dccp /bin/false
install sctp /bin/false
install rds /bin/false
install tipc /bin/false
- name: Create USB Rules
ansible.builtin.copy:
dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh
mode: '0644'
mode: "0644"
content: |
By default, disable all.
ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
@@ -40,14 +41,23 @@
- name: Create a consolidated sysctl configuration file
ansible.builtin.copy:
dest: /mnt/etc/sysctl.d/10-cis.conf
mode: '0644'
mode: "0644"
content: |
## CIS Sysctl configurations
kernel.yama.ptrace_scope=1
kernel.randomize_va_space=2
# Network
net.ipv4.ip_forward=0
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.secure_redirects = 0
@@ -69,6 +79,32 @@
# - { regexp: '^PASS_MIN_DAYS.*', replace: 'PASS_MIN_DAYS 7' }
# - { regexp: '^UMASK.*', replace: 'UMASK 027' }
- name: Ensure the Default UMASK is Set Correctly
ansible.builtin.lineinfile:
path: "/mnt/etc/profile"
regexp: "^(\\s*)umask\\s+\\d+"
line: "umask 027"
- name: Prevent Login to Accounts With Empty Password
ansible.builtin.replace:
dest: "{{ item }}"
regexp: "nullok"
loop:
- /mnt/etc/pam.d/system-auth
- /mnt/etc/pam.d/password-auth
- name: Configure System Cryptography Policy
when: os in ["almalinux", "rhel9", "rhel10", "rocky"]
ansible.builtin.command: arch-chroot /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
register: crypto_policy_result
changed_when: "'Setting system-wide crypto-policies to' in crypto_policy_result.stdout"
- name: Mask Systemd Services
ansible.builtin.command: >
arch-chroot /mnt systemctl mask nftables bluetooth rpcbind
changed_when: result.rc == 0
register: result
- name: Ensure files exist
ansible.builtin.file:
path: "{{ item }}"
@@ -80,6 +116,15 @@
- /mnt/etc/hosts.allow
- /mnt/etc/hosts.deny
- name: Ensure files do not exist
ansible.builtin.file:
path: "{{ item }}"
state: touch
mode: "0600"
loop:
- /mnt/etc/at.deny
- /mnt/etc/cron.deny
- name: Add Security related lines into config files
ansible.builtin.lineinfile:
path: "{{ item.path }}"
@@ -91,18 +136,39 @@
- { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 }
- { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] else "bash.bashrc" }}', content: umask 077 }
- { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] else "bash.bashrc" }}', content: export TMOUT=3000 }
- { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent }
- { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" }
- {
path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rhel10", "rocky"] else "bash.bashrc" }}',
content: umask 077,
}
- {
path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rhel10", "rocky"] else "bash.bashrc" }}',
content: export TMOUT=3000,
}
- {
path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}',
content: Storage=persistent,
}
- {
path: /mnt/etc/sudoers,
content: Defaults logfile="/var/log/sudo.log",
}
- { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
- { path: '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}',
content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900 }
- { path: '/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth"
if os == "fedora" else "pam.d/system-auth" }}', content: account required pam_faillock.so }
- { path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}',
content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" }
- {
path:
'/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}',
content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900,
}
- {
path:
'/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth"
if os == "fedora" else "pam.d/system-auth" }}',
content: account required pam_faillock.so,
}
- {
path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}',
content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5",
}
- { path: /mnt/etc/hosts.deny, content: "ALL: ALL" }
- { path: /mnt/etc/hosts.allow, content: "sshd: ALL" }
@@ -122,8 +188,8 @@
{ "path": "/mnt/etc/cron.d", "mode": "0700" },
{ "path": "/mnt/etc/crontab", "mode": "0600" },
{ "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
{ "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9"] else None,
{ "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["almalinux", "archlinux", "debian12", "fedora", "rhel9", "rocky"]
{ "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9", "rhel10"] else None,
{ "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["almalinux", "archlinux", "debian12", "fedora", "rhel9", "rhel10", "rocky"]
else "fusermount"), "mode": "755" },
{ "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" }
] | reject("none") }}
@@ -155,7 +221,7 @@
- { option: X11Forwarding, value: "no" }
- { option: PermitUserEnvironment, value: "no" }
- { option: ClientAliveInterval, value: "300" }
- { option: ClientAliveCountMax, value: "0" }
- { option: ClientAliveCountMax, value: "1" }
- { option: PermitTunnel, value: "no" }
- { option: Banner, value: /etc/issue.net }
@@ -169,9 +235,10 @@
### Ciphers and keying ###
RekeyLimit 512M 6h
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
###########################
AllowStreamLocalForwarding no

57
roles/cleanup/tasks/main.yml
View File

@@ -1,8 +1,32 @@
---
- name: Unmount /mnt recursively
ansible.builtin.command: umount -l /mnt
changed_when: result.rc == 0
register: result
- name: Unmount Disks
vars:
ansible_connection: ssh
block:
- name: Disable Swap
ansible.builtin.command: swapoff -a
register: swapoff_result
changed_when: swapoff_result.rc == 0
- name: Unmount /mnt if mounted
ansible.builtin.command: umount -R /mnt
register: unmount_result
changed_when: unmount_result.rc == 0
- name: Verify /mnt is no longer mounted
ansible.builtin.command: grep ' /mnt ' /proc/mounts
register: verify_unmount
retries: 5
delay: 5
until: verify_unmount.rc != 0
when: unmount_result.rc == 0
changed_when: false
failed_when: verify_unmount.rc not in [0, 1]
- name: Shutdown the VM
community.general.shutdown:
vars:
ansible_connection: ssh
- name: Setup Cleanup
when: hypervisor == "proxmox"
@@ -22,22 +46,20 @@
- ide0
- ide2
- name: Start the VM
community.general.proxmox_kvm:
api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}"
node: "{{ hypervisor_node }}"
vmid: "{{ vm_id }}"
state: restarted
- name: Clean vCenter VM
when: hypervisor == "vmware"
delegate_to: localhost
become: false
block:
- name: Shutdown VM in vCenter
when: hypervisor == "vmware"
community.vmware.vmware_guest_powerstate:
hostname: "{{ hypervisor_url }}"
username: "{{ hypervisor_username }}"
password: "{{ hypervisor_password }}"
validate_certs: false
datacenter: "{{ hypervisor_cluster }}"
name: "{{ hostname }}"
state: powered-off
- name: Remove CD-ROM from VM in vCenter
when: hypervisor == "vmware"
failed_when: false
@@ -78,11 +100,6 @@
delegate_to: localhost
become: false
block:
- name: Stop the VM
community.libvirt.virt:
name: "{{ hostname }}"
state: shutdown
- name: Remove cloud-init disk
ansible.builtin.file:
path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso"

137
roles/configuration/tasks/main.yml
View File

@@ -7,24 +7,25 @@
register: result
- name: Remove depricated attr2 and disable large extent
when: os in ["almalinux", "rhel8", "rhel9", "rocky"] and filesystem == "xfs"
when: os in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"] and filesystem == "xfs"
ansible.builtin.replace:
path: /mnt/etc/fstab
regexp: '(xfs.*?)(attr2)'
regexp: "(xfs.*?)(attr2)"
replace: '\1allocsize=64m'
- name: Replace ISO UUID entry with /dev/sr0 in fstab
when: os in ["rhel8", "rhel9"]
when: os in ["rhel8", "rhel9", "rhel10"]
ansible.builtin.lineinfile:
path: /mnt/etc/fstab
regexp: '^.*\/dvd.*$'
line: "{{ '/usr/local/install/redhat/rhel.iso /usr/local/install/redhat/dvd iso9660 loop,nofail 0 0' if hypervisor == 'vmware'
else '/dev/sr0 /usr/local/install/redhat/dvd iso9660 ro,relatime,nojoliet,check=s,map=n,nofail 0 0' }}"
line:
"{{ '/usr/local/install/redhat/rhel.iso /usr/local/install/redhat/dvd iso9660 loop,nofail 0 0' if hypervisor == 'vmware'
else '/dev/sr0 /usr/local/install/redhat/dvd iso9660 ro,relatime,nojoliet,check=s,map=n,nofail 0 0' }}"
state: present
backrefs: true
- name: Write image from RHEL ISO to the target machine
when: os in ["rhel8", "rhel9"] and hypervisor == 'vmware'
when: os in ["rhel8", "rhel9", "rhel10"] and hypervisor == 'vmware'
ansible.builtin.command: dd if=/dev/sr1 of=/mnt/usr/local/install/redhat/rhel.iso bs=4M
changed_when: result.rc == 0
register: result
@@ -39,7 +40,7 @@
- "# TempFS"
- tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0
- tmpfs /var/tmp tmpfs defaults,nosuid,nodev,noexec 0 0
- tmpfs /dev/shm tmpfs defaults,noexec 0 0
- tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0
- name: Set local timezone
ansible.builtin.command: "{{ item }}"
@@ -52,7 +53,7 @@
- name: Setup locales
block:
- name: Configure locale.gen
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
ansible.builtin.lineinfile:
dest: /mnt/etc/locale.gen
regexp: "{{ item.regex }}"
@@ -61,34 +62,34 @@
- { regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8 }
- name: Generate locales
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen
changed_when: result.rc == 0
register: result
- name: Set hostname
ansible.builtin.copy:
content: "{{ hostname }}"
content: "{{ hostname }}{% if vm_dns_search is defined and vm_dns_search | length %}.{{ vm_dns_search }}{% endif %}"
dest: /mnt/etc/hostname
mode: '0644'
mode: "0644"
- name: Add host entry to /etc/hosts
ansible.builtin.lineinfile:
path: /mnt/etc/hosts
line: "{{ ansible_host }} {{ hostname }}"
line: "{{ ansible_host }} {{ hostname }}{% if vm_dns_search is defined and vm_dns_search | length %} {{ hostname }}.{{ vm_dns_search }}{% endif %}"
state: present
- name: Create vconsole.conf
ansible.builtin.copy:
content: KEYMAP=us
dest: /mnt/etc/vconsole.conf
mode: '0644'
mode: "0644"
- name: Create locale.conf
ansible.builtin.copy:
content: LANG=en_US.UTF-8
dest: /mnt/etc/locale.conf
mode: '0644'
mode: "0644"
- name: SSH permit Password
ansible.builtin.replace:
@@ -107,7 +108,7 @@
arch-chroot /mnt systemctl enable NetworkManager
{{
' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else
(' sshd' if os | lower not in ['debian11', 'debian12'] else '')
(' sshd' if os | lower not in ['debian11', 'debian12', 'debian13'] else '')
}}
{{
'logrotate systemd-resolved systemd-timesyncd systemd-networkd'
@@ -117,7 +118,7 @@
register: result
- name: Configure grub
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
block:
- name: Add commandline information to grub config
ansible.builtin.lineinfile:
@@ -135,31 +136,38 @@
block:
- name: Install Bootloader
ansible.builtin.command: arch-chroot /mnt
{% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %} /usr/sbin/efibootmgr
{% if os | lower not in ["archlinux", "debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"] %} /usr/sbin/efibootmgr
-c -L '{{ os }}' -d "{{ install_drive }}" -p 1
-l '\efi\EFI\{% if os | lower in ["rhel8", "rhel9"] %}redhat{% else %}{{ os | lower }}{% endif %}\shimx64.efi'
-l '\efi\EFI\{% if os | lower in ["rhel8", "rhel9", "rhel10"] %}redhat{% else %}{{ os | lower }}{% endif %}\shimx64.efi'
{% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{ "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }}
--bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
{% endif %}
changed_when: result.rc == 0
register: result
- name: Generate grub config
- name: Ensure lvm2 for non btrfs filesystems
when: os | lower == "archlinux" and filesystem != "btrfs"
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: "^(HOOKS=.*block)(?!.*lvm2)(.*)"
line: '\1 lvm2\2'
backrefs: true
- name: Regenerate initramfs
when: os | lower not in ["debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"]
ansible.builtin.command: arch-chroot /mnt
{% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}
/usr/sbin/grub2-mkconfig -o /boot/efi/EFI/{% if os | lower in ["rhel8", "rhel9"] %}redhat{% else %}{{ os | lower }}{% endif %}/grub.cfg
{% else %}
/usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }}
{% if os | lower == "archlinux" %} /usr/sbin/mkinitcpio -P
{% else %} /usr/bin/dracut --regenerate-all --force
{% endif %}
changed_when: result.rc == 0
register: result
- name: Regenerate initramfs
when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
- name: Generate grub config
ansible.builtin.command: arch-chroot /mnt
{% if os | lower == "archlinux" %} /usr/sbin/mkinitcpio -P
{% elif os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts", "archlinux"] %} /usr/bin/dracut --regenerate-all --force
{% else %} echo "Skipping initramfs regeneration"
{% if os | lower not in ["archlinux", "debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"] %}
/usr/sbin/grub2-mkconfig -o /boot/efi/EFI/{% if os | lower in ["rhel8", "rhel9", "rhel10"] %}redhat{% else %}{{ os | lower }}{% endif %}/grub.cfg
{% else %}
/usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }}
{% endif %}
changed_when: result.rc == 0
register: result
@@ -169,8 +177,9 @@
- name: Append vim configurations to vimrc
failed_when: false
ansible.builtin.blockinfile:
path: "{{ '/mnt/etc/vim/vimrc' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts']
else '/mnt/etc/vimrc' }}"
path:
"{{ '/mnt/etc/vim/vimrc' if os | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts']
else '/mnt/etc/vimrc' }}"
block: |
set encoding=utf-8
set number
@@ -191,20 +200,50 @@
vm.dirty_ratio=10
vm.page-cluster=10
marker: ""
mode: '0644'
mode: "0644"
- name: Copy FirstRun Script
when: os | lower != "archlinux"
ansible.builtin.template:
src: firstrun.sh.j2
dest: /mnt/root/firstrun.sh
mode: "0755"
- name: Create zram config
when: os not in ['debian11', 'rhel8']
ansible.builtin.copy:
dest: /mnt/etc/systemd/zram-generator.conf
content: |
[zram0]
zram-size = ram / 2
compression-algorithm = zstd
swap-priority = 100
fs-type = swap
mode: "0644"
- name: Copy Custom Shell config
ansible.builtin.template:
src: custom.sh.j2
dest: /mnt/etc/profile.d/custom.sh
mode: '0644'
mode: "0644"
- name: Create login banner
ansible.builtin.copy:
dest: "{{ item }}"
content: |
**************************************************************
* WARNING: Unauthorized access to this system is prohibited. *
* All activities are monitored and logged. *
* Disconnect immediately if you are not an authorized user. *
**************************************************************
owner: root
group: root
mode: "0644"
loop:
- /mnt/etc/issue
- /etc/issue.net
- name: Remove motd files
when: os | lower in ["rhel8", "rhel9", "rhel10"]
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /etc/motd.d/cockpit
- /etc/motd.d/insights-client
- name: Setup Network
block:
@@ -234,7 +273,7 @@
ansible.builtin.file:
path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf
state: touch
mode: '0644'
mode: "0644"
- name: Setup user account
block:
@@ -242,7 +281,7 @@
ansible.builtin.command: "{{ item }}"
with_items:
- arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups
{{ "sudo" if os | lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "wheel" }}
{{ "sudo" if os | lower in ["debian11", "debian12", "debian13", "ubuntu", "ubuntu-lts"] else "wheel" }}
{{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
- arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
changed_when: result.rc == 0
@@ -260,21 +299,25 @@
- name: Give sudo access to wheel group
ansible.builtin.copy:
content: "{{ '%sudo ALL=(ALL) ALL' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] else '%wheel ALL=(ALL) ALL' }}"
content: "{{ '%sudo ALL=(ALL) ALL' if os | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts'] else '%wheel ALL=(ALL) ALL' }}"
dest: /mnt/etc/sudoers.d/01-wheel
mode: "0440"
validate: /usr/sbin/visudo --check --file=%s
- name: Fix SELinux
when: os | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky']
block:
- name: Relabel the filesystem
when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rocky']
ansible.builtin.command: "arch-chroot /mnt /sbin/fixfiles onboot"
changed_when: result.rc == 0
register: result
- name: Fix SELinux by pre-labeling the filesystem before first boot
when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and (selinux | default(true) | bool)
ansible.builtin.command: >
arch-chroot /mnt /sbin/setfiles -v -F
-e /dev -e /proc -e /sys -e /run
/etc/selinux/targeted/contexts/files/file_contexts /
register: setfiles_result
changed_when: setfiles_result.rc == 0
- name: Disable SELinux
when: os | lower == "fedora"
when: os | lower == "fedora" or not (selinux | default(true) | bool)
ansible.builtin.lineinfile:
path: /mnt/etc/selinux/config
regexp: ^SELINUX=

5
roles/configuration/templates/custom.sh.j2
View File

@@ -9,4 +9,7 @@ PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
# History Size
HISTFILESIZE=
HISTSIZE=
HISTSIZE=
# Enable vi mode
set -o vi

6
roles/configuration/templates/network.j2
View File

@@ -2,14 +2,16 @@
id=LAN
uuid={{ net_uuid.stdout }}
type=ethernet
interface-name={{ net_inf.stdout }}
[ethernet]
mac-address={{ net_mac.stdout }}
[ipv4]
address={{ vm_ip }},{{ vm_gw }}
address={{ vm_ip }}/{{ vm_nms | default (24) }},{{ vm_gw }}
dns={{ vm_dns }}
{% if vm_dns_search is defined %}
dns-search={{ vm_dns_search }}
{% endif %}
method=manual
[ipv6]

22
roles/environment/tasks/main.yml
View File

@@ -20,7 +20,7 @@
msg: This host is not booted from the Arch install media!
when: not archiso_stat.stat.exists
- name: Setect Interface
- name: Register Network Interface
when: hypervisor == "vmware"
ansible.builtin.shell: "set -o pipefail && ip l | awk -F': ' '!/lo/{print $2; exit}'"
changed_when: interface_name.rc == 0
@@ -44,7 +44,7 @@
register: result
- name: Configure SSH for root login
when: hypervisor == "vmware" and vmware_ssh | bool
when: hypervisor == "vmware" and (vmware_ssh is defined and vmware_ssh | bool)
block:
- name: Allow empty passwords temporarily
ansible.builtin.replace:
@@ -69,7 +69,7 @@
ansible_user: "root"
ansible_password: ""
ansible_become_password: ""
ansible_ssh_extra_args: '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
- name: Speed-up Bootstrap process
ansible.builtin.lineinfile:
@@ -89,22 +89,22 @@
state: latest
loop:
- { name: glibc }
- { name: dnf, os: [almalinux, fedora, rhel9, rhel8, rocky] }
- { name: debootstrap, os: [debian11, debian12, ubuntu, ubuntu-lts] }
- { name: debian-archive-keyring, os: [debian11, debian12] }
- { name: dnf, os: [almalinux, fedora, rhel8, rhel9, rhel10, rocky] }
- { name: debootstrap, os: [debian11, debian12, debian13, ubuntu, ubuntu-lts] }
- { name: debian-archive-keyring, os: [debian11, debian12, debian13] }
- { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] }
when: "'os' not in item or os in item.os"
retries: 4
delay: 15
- name: Prepare /iso mount and repository for RHEL-based systems
when: os | lower in ["rhel8", "rhel9"]
when: os | lower in ["rhel8", "rhel9", "rhel10"]
block:
- name: Create /iso directory
ansible.builtin.file:
path: /usr/local/install/redhat/dvd
state: directory
mode: '0755'
mode: "0755"
- name: Mount RHEL ISO
ansible.posix.mount:
@@ -115,16 +115,16 @@
state: mounted
- name: Configure RHEL Repos for installation
when: os | lower in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"]
when: os | lower in ["almalinux", "fedora", "rhel8", "rhel9", "rhel10", "rocky"]
block:
- name: Create directories for repository files and RPM GPG keys
ansible.builtin.file:
path: /etc/yum.repos.d
state: directory
mode: '0755'
mode: "0755"
- name: Create RHEL repository file
ansible.builtin.template:
src: "{{ os | lower }}.repo.j2"
dest: /etc/yum.repos.d/{{ os | lower }}.repo
mode: '0644'
mode: "0644"

12
roles/partitioning/tasks/btrfs.yml
View File

@@ -21,25 +21,33 @@
register: result
- name: Make root subvolumes
when: cis | bool or item.subvol not in ['var_log', 'var_log_audit']
when: cis | bool or item.subvol not in ['var_log_audit']
ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
changed_when: result.rc == 0
register: result
loop:
- { subvol: root }
- { subvol: swap }
- { subvol: home }
- { subvol: var }
- { subvol: var_log }
- { subvol: var_log_audit }
- name: Set quotas for subvolumes
when: cis | bool or item.subvol not in ['var_log', 'var_log_audit']
when: cis | bool or item.subvol not in ['var_log_audit']
ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
changed_when: result.rc == 0
register: result
loop:
- { subvol: home, quota: 2G }
- name: Create a Btrfs swap file
ansible.builtin.command: >-
btrfs filesystem mkswapfile --size {{ ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory
| float / 2048) | int, [vm_memory | float / 1024, 4.0] | max) | int) }}g --uuid clear /mnt/@swap/swapfile
changed_when: result.rc == 0
register: result
- name: Unmount Partition
ansible.posix.mount:
path: /mnt

4
roles/partitioning/tasks/ext4.yml
View File

@@ -1,6 +1,6 @@
---
- name: Create and format ext4 logical volumes
when: cis | bool or item.lv not in ['var_log', 'var_log_audit']
when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
community.general.filesystem:
dev: /dev/sys/{{ item.lv }}
fstype: ext4
@@ -13,7 +13,7 @@
- { lv: var_log_audit }
- name: Remove Unsupported features for older Systems
when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky']) and (cis | bool or item.lv not in ['var_log', 'var_log_audit'])
when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky']) and (cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'])
ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}"
changed_when: result.rc == 0
register: result

73
roles/partitioning/tasks/main.yml
View File

@@ -9,7 +9,9 @@
loop:
- { cmd: umount -l /mnt }
- { cmd: vgremove -f sys }
- { cmd: 'find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;' }
- {
cmd: 'find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;',
}
loop_control:
label: "{{ item.cmd }}"
@@ -36,19 +38,34 @@
pvs: "{{ install_drive }}{{ main_partition_suffix }}"
- name: Create LVM logical volumes
when: cis | bool or item.lv not in ['var_log', 'var_log_audit']
when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
community.general.lvol:
vg: sys
lv: "{{ item.lv }}"
size: "{{ item.size }}"
state: present
loop:
- { lv: root, size: "{{ '12G' if (vm_size | int * 0.4) < 12
else (vm_size | int * 0.4) | round(0, 'ceil') | int | string + 'G' }}" }
- { lv: home, size: 2G }
- { lv: var, size: 2G }
- { lv: var_log, size: 2G }
- { lv: var_log_audit, size: 1.5G }
- lv: root
size: >-
{{ [(((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0)) - (((vm_memory | float / 1024) > 16.0)
| ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) < 4)
| ternary(4,((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0)) -
(((vm_memory | float / 1024) > 16.0)| ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) > 12)
| ternary(((vm_size | float) * 0.4) | round(0, 'ceil'),((vm_size | float) - 0.5 - ((cis | bool)
| ternary(7.5, 0)) - (((vm_memory | float / 1024) > 16.0)
| ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024))))))))), 4 ] | max | string + 'G' }}
- lv: swap
size: >-
{{ ((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0))) - (((vm_memory | float / 1024) > 16.0)
| ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) < 4)
| ternary((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0))) - 4), (((vm_memory | float / 1024) > 16.0)
| ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) | string + 'G' }}
- lv: home
size: "{{ ([([(((vm_size | float) - 20) * 0.1), 2] | max), 20] | min) | string + 'G' }}"
- { lv: var, size: "2G" }
- { lv: var_log, size: "2G" }
- { lv: var_log_audit, size: "1.5G" }
- name: Create filesystems
block:
@@ -59,6 +76,12 @@
opts: -F32 -n BOOT
force: true
- name: Create swap filesystem
when: filesystem != 'btrfs'
community.general.filesystem:
fstype: swap
dev: /dev/sys/swap
- name: Create filesystem
ansible.builtin.include_tasks: "{{ filesystem }}.yml"
@@ -73,30 +96,35 @@
register: main_uuid
- name: Get UUIDs for LVM filesystems
when: filesystem != 'btrfs' and (cis | bool or item not in ['var_log', 'var_log_audit'])
when: filesystem != 'btrfs' and (cis | bool or item not in ['home', 'var', 'var_log', 'var_log_audit'])
ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }}
changed_when: false
register: uuid_result
loop:
- root
- swap
- home
- var
- var_log
- var_log_audit
- name: Assign UUIDs to Variables
when: filesystem != 'btrfs'
ansible.builtin.set_fact:
uuid_root: "{{ uuid_result.results[0].stdout_lines }}"
uuid_home: "{{ uuid_result.results[1].stdout_lines }}"
uuid_var: "{{ uuid_result.results[2].stdout_lines }}"
uuid_var_log: "{{ uuid_result.results[3].stdout_lines if cis == true else '' }}"
uuid_var_log_audit: "{{ uuid_result.results[4].stdout_lines if cis == true else '' }}"
when: filesystem != 'btrfs'
uuid_swap: "{{ uuid_result.results[1].stdout_lines }}"
uuid_home: "{{ uuid_result.results[2].stdout_lines if cis | bool else '' }}"
uuid_var: "{{ uuid_result.results[3].stdout_lines if cis | bool else '' }}"
uuid_var_log: "{{ uuid_result.results[4].stdout_lines if cis | bool else '' }}"
uuid_var_log_audit: "{{ uuid_result.results[5].stdout_lines if cis | bool else '' }}"
- name: Mount filesystems
block:
- name: Mount filesystems and subvolumes
when: cis | bool or (not cis and item.path != '/var/log' and item.path != '/var/log/audit')
when:
- cis | bool or (not cis and (item.path == '/var/log' and filesystem == 'btrfs')
or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit']))
- not (item.path == '/swap' and filesystem != 'btrfs')
ansible.posix.mount:
path: /mnt{{ item.path }}
src: "{{ 'UUID=' + (main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}"
@@ -107,22 +135,24 @@
- path: ""
uuid: "{{ uuid_root[0] | default(omit) }}"
opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}"
- path: /swap
opts: "rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@swap"
- path: /home
uuid: "{{ uuid_home[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}"
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}"
- path: /var
uuid: "{{ uuid_var[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}"
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}"
- path: /var/log
uuid: "{{ uuid_var_log[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}"
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}"
- path: /var/log/audit
uuid: "{{ uuid_var_log_audit[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}"
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}"
- name: Mount tmp and var_tmp filesystems
ansible.posix.mount:
@@ -141,3 +171,8 @@
src: UUID={{ boot_uuid.stdout }}
fstype: vfat
state: mounted
- name: Activate swap
ansible.builtin.command: "{{ 'swapon /mnt/swap/swapfile' if filesystem == 'btrfs' else 'swapon -U ' + uuid_swap[0] }}"
changed_when: result.rc == 0
register: result

2
roles/partitioning/tasks/xfs.yml
View File

@@ -1,6 +1,6 @@
---
- name: Create and format XFS logical volumes
when: cis | bool or item.lv not in ['var_log', 'var_log_audit']
when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
community.general.filesystem:
dev: /dev/sys/{{ item.lv }}
fstype: xfs

4
roles/virtualization/tasks/proxmox.yml
View File

@@ -29,12 +29,12 @@
storage: "{{ hypervisor_storage }}"
ide:
ide0: "{{ boot_iso }},media=cdrom"
ide1: "{{ rhel_iso | default(omit) }},media=cdrom"
ide1: "{{ rhel_iso + ',media=cdrom' if rhel_iso is defined else omit }}"
ide2: "{{ hypervisor_storage }}:cloudinit"
net:
net0: virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %}
ipconfig:
ipconfig0: ip={{ vm_ip }},gw={{ vm_gw }}
ipconfig0: ip={{ vm_ip }}/{{ vm_nms | default(24) }},gw={{ vm_gw }}
nameservers: "{{ vm_dns }}"
onboot: true
state: present

41
roles/virtualization/tasks/vmware.yml
View File

@@ -5,11 +5,13 @@
username: "{{ hypervisor_username }}"
password: "{{ hypervisor_password }}"
validate_certs: false
datacenter: "{{ hypervisor_cluster }}"
cluster: "{{ hypervisor_node }}"
datacenter: "{{ hypervisor_datacenter }}"
cluster: "{{ hypervisor_cluster }}"
folder: "{{ vm_path }}"
name: "{{ hostname }}"
guest_id: otherGuest64
guest_id: otherLinux64Guest
annotation: |
{{ note | default('') }}
state: poweredon
disk:
- size_gb: "{{ vm_size }}"
@@ -20,19 +22,26 @@
num_cpus: "{{ vm_cpus }}"
boot_firmware: efi
secure_boot: false
cdrom:
- controller_number: 0
unit_number: 0
controller_type: sata
state: present
type: iso
iso_path: "{{ boot_iso }}"
- controller_number: 0
unit_number: 1
controller_type: sata
state: present
type: iso
iso_path: "{{ rhel_iso | default(omit) }}"
cdrom: >-
{{
[ {
"controller_number": 0,
"unit_number": 0,
"controller_type": "sata",
"state": "present",
"type": "iso",
"iso_path": boot_iso
} ]
+
( [ {
"controller_number": 0,
"unit_number": 1,
"controller_type": "sata",
"state": "present",
"type": "iso",
"iso_path": rhel_iso
} ] if rhel_iso is defined and rhel_iso|length > 0 else [] )
}}
networks:
- name: "{{ vm_nif }}"
type: dhcp

4
roles/virtualization/templates/cloud-user-data.yml.j2
View File

@@ -1,10 +1,12 @@
#cloud-config
hostname: "archiso"
ssh_pwauth: true
package_update: false
package_upgrade: false
users:
- name: "{{ user_name }}"
primary_group: "{{ user_name }}"
groups: users
sudo: ALL=(ALL) NOPASSWD:ALL
passwd: "{{ user_password | password_hash('sha512') }}"
lock_passwd: False
lock_passwd: False

4
roles/virtualization/templates/vm.xml.j2
View File

@@ -8,8 +8,8 @@
<bootmenu enable='no'/>
<boot dev='hd'/>
<boot dev='cdrom'/>
<loader readonly="yes" type="pflash">/usr/share/edk2/x64/OVMF_CODE.secboot.fd</loader>
<nvram template="/usr/share/edk2/x64/OVMF_VARS.fd"/>
<loader readonly="yes" type="pflash">/usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd</loader>
<nvram template="/usr/share/edk2/x64/OVMF_VARS.4m.fd"/>
</os>
<features>
<acpi/>

4
templates/fedora.repo.j2
View File

@@ -8,7 +8,7 @@ metadata_expire=86400
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=https://getfedora.org/static/fedora.gpg
gpgkey=https://fedoraproject.org/fedora.gpg
skip_if_unavailable=False
[fedora-updates]
@@ -21,5 +21,5 @@ repo_gpgcheck=0
type=rpm
gpgcheck=1
metadata_expire=86400
gpgkey=https://getfedora.org/static/fedora.gpg
gpgkey=https://fedoraproject.org/fedora.gpg
skip_if_unavailable=False

13
templates/rhel10.repo.j2 Normal file
View File

@@ -0,0 +1,13 @@
[rhel10-baseos]
name=RHEL 10 BaseOS
baseurl=file:///usr/local/install/redhat/dvd/BaseOS
enabled=1
gpgcheck=0
gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release
[rhel10-appstream]
name=RHEL 10 AppStream
baseurl=file:///usr/local/install/redhat/dvd/AppStream
enabled=1
gpgcheck=0
gpgkey=file:///usr/local/install/redhat/dvd/RPM-GPG-KEY-redhat-release

5
vars_example.yml
View File

@@ -1,14 +1,11 @@
vm_ip: "{{ inventory_hostname }}/{{ vm_nms }}"
vm_ip: "{{ inventory_hostname }}"
install_type: "virtual"
cis: false
hypervisor_url: "192.168.0.2"
hypervisor_username: "root@pam"
hypervisor_password: "SomePassword"
hypervisor_node: "NodeName"
hypervisor_storage: "local-btrfs"
boot_iso: "local-btrfs:iso/archlinux-x86_64.iso"
rhel_iso: "local-btrfs:rhel-9.4-x86_64-dvd.iso"
# For VMware-Tools
ansible_vmware_host: "{{ hypervisor_url }}"