Compare commits
29 Commits
rhel
...
518babe328
| Author | SHA1 | Date | |
|---|---|---|---|
| 518babe328 | |||
| 918e14051d | |||
| 3d18962160 | |||
| 457d558133 | |||
| e06a95fdbc | |||
| 7bae512560 | |||
| 3e91057689 | |||
| e9647571fc | |||
| c32769d831 | |||
| 7cfa4aee8d | |||
| a7e7f49d84 | |||
| cfcccbf512 | |||
| 75c4ba6b4c | |||
| b62066d675 | |||
| 53a2c27984 | |||
| bb82ff120b | |||
| 221d77b94d | |||
| d71ea511f9 | |||
| b3299781dc | |||
| 5e7a06b7db | |||
| d77f65ce05 | |||
| 39fc15d7d8 | |||
| b076968404 | |||
| 4f03ccbfcf | |||
| 5746be4561 | |||
| 39cc49a05b | |||
| 2d63ca9c5a | |||
| 9f56328890 | |||
| dc763bdc42 |
@@ -77,6 +77,7 @@ Inventory variables are defined for individual hosts or VMs in the inventory fil
|
||||
| `root_password` | Root password for the VM or system, used for initial setup or secure access. | `SecurePass123` |
|
||||
| `user_name` | Username for a user account within the VM, often used with cloud-init. | `adminuser` |
|
||||
| `user_password` | Password for the user account within the VM. | `UserPass123` |
|
||||
| `user_public_key` | SSH Key for the user account within the VM. | `ssh-ed25519 AAAAC` |
|
||||
| `vm_ballo` (optional) | Ballooning memory size for the VM, used to adjust memory allocation dynamically. | `2048` |
|
||||
| `vm_cpus` | Number of CPU cores assigned to the virtual machine. | `4` |
|
||||
| `vm_dns` | DNS server IP address(es) for the virtual machine's network configuration. | `1.0.0.1`, `1.1.1.1` |
|
||||
@@ -84,7 +85,7 @@ Inventory variables are defined for individual hosts or VMs in the inventory fil
|
||||
| `vm_id` | Unique identifier for the virtual machine. | `101` |
|
||||
| `vm_ip` | IP address assigned to the virtual machine. | `192.168.0.10` |
|
||||
| `vm_nm` (optional) | IP address netmask assigned to the virtual machine. | `255.255.255.0` |
|
||||
| `vm_nms` (optional) | IP address netmask assigned to the virtual machine. | `24` |
|
||||
| `vm_nms` (optional) | IP address netmask assigned to the virtual machine. | `24` |
|
||||
| `vm_memory` | Amount of memory (in MB) allocated to the virtual machine. | `2048` |
|
||||
| `vm_nif` | Network interface type or identifier for the VM's network connection. | `vmbr0` |
|
||||
| `vm_path (optional)` | Path or folder where the VM configuration or related files will be stored. | `/var/lib/libvirt/images/` |
|
||||
|
||||
@@ -1,29 +0,0 @@
|
||||
[promox-kvm]
|
||||
192.168.122.10
|
||||
192.168.122.11
|
||||
|
||||
[promox-kvm:vars]
|
||||
vm_gw=192.168.122.1
|
||||
vm_dns=1.1.1.1
|
||||
|
||||
[192.168.122.10]
|
||||
hostname=proxy
|
||||
vm_id=300
|
||||
os=archlinux
|
||||
filesystem=btrfs
|
||||
vm_memory=2048
|
||||
vm_ballo=1024
|
||||
vm_cpus=2
|
||||
vm_size=5
|
||||
vm_nif=vmbr1
|
||||
|
||||
[192.168.122.11]
|
||||
hostname=database
|
||||
vm_id=101
|
||||
os=archlinux
|
||||
filesystem=btrfs
|
||||
vm_memory=6144
|
||||
vm_ballo=3072
|
||||
vm_cpus=4
|
||||
vm_size=40
|
||||
vm_nif=vmbr1
|
||||
@@ -3,6 +3,7 @@ all:
|
||||
hypervisor: 'proxmox'
|
||||
install_drive: '/dev/sda'
|
||||
cis: true
|
||||
boot_iso: "local-btrfs:iso/archlinux-x86_64.iso"
|
||||
children:
|
||||
promox-kvm:
|
||||
hosts:
|
||||
|
||||
9
main.yml
9
main.yml
@@ -9,6 +9,11 @@
|
||||
prompt: |
|
||||
What is your username?
|
||||
private: false
|
||||
|
||||
- name: user_public_key
|
||||
prompt: |
|
||||
What is your ssh key?
|
||||
private: false
|
||||
|
||||
- name: user_password
|
||||
prompt: |
|
||||
@@ -81,7 +86,7 @@
|
||||
|
||||
tasks:
|
||||
- name: Set final SSH Credentials
|
||||
when: hypervisor == 'vmware' and vmware_ssh | bool
|
||||
when: hypervisor != 'vmware' or (hypervisor == 'vmware' and vmware_ssh | bool)
|
||||
ansible.builtin.set_fact:
|
||||
ansible_user: "{{ user_name }}"
|
||||
ansible_password: "{{ user_password }}"
|
||||
@@ -89,5 +94,7 @@
|
||||
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
|
||||
|
||||
- name: Check if VM is back and running
|
||||
when: not (hypervisor == 'vmware' and cis | bool)
|
||||
ansible.builtin.wait_for_connection:
|
||||
timeout: 300
|
||||
|
||||
|
||||
@@ -31,7 +31,7 @@
|
||||
with_items:
|
||||
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'oracular' if os == 'ubuntu' else 'noble' }}
|
||||
/mnt http://archive.ubuntu.com/ubuntu/
|
||||
- ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
|
||||
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
|
||||
- arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
|
||||
- arch-chroot /mnt apt update -y
|
||||
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
|
||||
@@ -43,7 +43,7 @@
|
||||
register: result
|
||||
with_items:
|
||||
- dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
|
||||
- ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
|
||||
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
|
||||
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.almalinux | join(' ') }}
|
||||
|
||||
- name: Bootstrap Fedora 41
|
||||
@@ -54,7 +54,7 @@
|
||||
with_items:
|
||||
- dnf --releasever=41 --best --repo=fedora --repo=fedora-updates
|
||||
--installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
|
||||
- ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
|
||||
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
|
||||
- arch-chroot /mnt dnf --releasever=41 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }}
|
||||
- arch-chroot /mnt dnf reinstall -y kernel-core
|
||||
|
||||
@@ -67,7 +67,7 @@
|
||||
- dnf --releasever=9 --best --repo=rocky-baseos --installroot=/mnt
|
||||
--setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
|
||||
groupinstall -y base core
|
||||
- ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
|
||||
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
|
||||
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.rocky | join(' ') }}
|
||||
|
||||
- name: Bootstrap RHEL System
|
||||
@@ -78,13 +78,13 @@
|
||||
dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --repo={{ os | lower }}-baseos
|
||||
--installroot=/mnt
|
||||
--setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
|
||||
groupinstall -y base core
|
||||
groupinstall -y core base standard
|
||||
changed_when: result.rc == 0
|
||||
register: result
|
||||
|
||||
- name: Prepare chroot environment
|
||||
ansible.builtin.shell: |
|
||||
ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
|
||||
ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
|
||||
mkdir -p /mnt/usr/local/install/redhat/dvd
|
||||
mount --bind /usr/local/install/redhat/dvd /mnt/usr/local/install/redhat/dvd
|
||||
arch-chroot /mnt rpm --rebuilddb
|
||||
@@ -94,7 +94,7 @@
|
||||
- name: Copy RHEL repo file into chroot environment
|
||||
ansible.builtin.copy:
|
||||
src: /etc/yum.repos.d/{{ os | lower }}.repo
|
||||
dest: /mnt/etc/yum.repos.d/{{ os | lower }}.repo
|
||||
dest: /mnt/etc/yum.repos.d/redhat.repo
|
||||
mode: '0644'
|
||||
remote_src: true
|
||||
|
||||
|
||||
@@ -16,7 +16,6 @@ almalinux:
|
||||
- open-vm-tools
|
||||
- ppp
|
||||
- shim
|
||||
- telnet
|
||||
- tmux
|
||||
- vim
|
||||
- wget
|
||||
@@ -188,7 +187,6 @@ fedora:
|
||||
- ppp
|
||||
- ripgrep
|
||||
- shim
|
||||
- telnet
|
||||
- tmux
|
||||
- vim-default-editor
|
||||
- wget
|
||||
@@ -197,8 +195,11 @@ fedora:
|
||||
- zstd
|
||||
|
||||
rhel8:
|
||||
- bind-utils
|
||||
- dhcp-client
|
||||
- efibootmgr
|
||||
- glibc-langpack-de
|
||||
- glibc-langpack-en
|
||||
- grub2
|
||||
- grub2-efi-x64
|
||||
- lrzsz
|
||||
@@ -206,15 +207,18 @@ rhel8:
|
||||
- mtr
|
||||
- nfs-utils
|
||||
- open-vm-tools
|
||||
- python39
|
||||
- shim
|
||||
- telnet
|
||||
- tmux
|
||||
- vim
|
||||
- zstd
|
||||
|
||||
rhel9:
|
||||
- bind-utils
|
||||
- dhcp-client
|
||||
- efibootmgr
|
||||
- glibc-langpack-de
|
||||
- glibc-langpack-en
|
||||
- grub2
|
||||
- grub2-efi
|
||||
- lrzsz
|
||||
@@ -222,8 +226,8 @@ rhel9:
|
||||
- mtr
|
||||
- nfs-utils
|
||||
- open-vm-tools
|
||||
- python
|
||||
- shim
|
||||
- telnet
|
||||
- tmux
|
||||
- vim
|
||||
- zram-generator
|
||||
@@ -307,6 +311,7 @@ ubuntu:
|
||||
- tldr
|
||||
- tmux
|
||||
- traceroute
|
||||
- util-linux-extra
|
||||
- vim
|
||||
- wget
|
||||
- yq
|
||||
@@ -365,6 +370,7 @@ ubuntu-lts:
|
||||
- tldr
|
||||
- tmux
|
||||
- traceroute
|
||||
- util-linux-extra
|
||||
- vim
|
||||
- wget
|
||||
- yq
|
||||
|
||||
@@ -7,18 +7,19 @@
|
||||
mode: '0644'
|
||||
content: |
|
||||
CIS LVL 3 Restrictions
|
||||
install freevxfs /bin/true
|
||||
install jffs2 /bin/true
|
||||
install hfs /bin/true
|
||||
install hfsplus /bin/true
|
||||
install squashfs /bin/true
|
||||
install udf /bin/true
|
||||
install usb-storage /bin/true
|
||||
install freevxfs /bin/false
|
||||
install jffs2 /bin/false
|
||||
install hfs /bin/false
|
||||
install hfsplus /bin/false
|
||||
install cramfs /bin/false
|
||||
install squashfs /bin/false
|
||||
install udf /bin/false
|
||||
install usb-storage /bin/false
|
||||
|
||||
install dccp /bin/true
|
||||
install sctp /bin/true
|
||||
install rds /bin/true
|
||||
install tipc /bin/true
|
||||
install dccp /bin/false
|
||||
install sctp /bin/false
|
||||
install rds /bin/false
|
||||
install tipc /bin/false
|
||||
|
||||
- name: Create USB Rules
|
||||
ansible.builtin.copy:
|
||||
@@ -43,11 +44,20 @@
|
||||
mode: '0644'
|
||||
content: |
|
||||
## CIS Sysctl configurations
|
||||
kernel.yama.ptrace_scope=1
|
||||
kernel.randomize_va_space=2
|
||||
|
||||
# Network
|
||||
net.ipv4.ip_forward=0
|
||||
net.ipv4.tcp_syncookies=1
|
||||
net.ipv4.icmp_echo_ignore_broadcasts=1
|
||||
net.ipv4.icmp_ignore_bogus_error_responses=1
|
||||
net.ipv4.conf.all.log_martians = 1
|
||||
net.ipv4.conf.all.rp_filter = 1
|
||||
net.ipv4.conf.all.secure_redirects = 0
|
||||
net.ipv4.conf.all.send_redirects = 0
|
||||
net.ipv4.conf.all.accept_redirects = 0
|
||||
net.ipv4.conf.all.accept_source_route=0
|
||||
net.ipv4.conf.default.log_martians = 1
|
||||
net.ipv4.conf.default.rp_filter = 1
|
||||
net.ipv4.conf.default.secure_redirects = 0
|
||||
@@ -59,6 +69,7 @@
|
||||
net.ipv6.conf.default.disable_ipv6 = 1
|
||||
net.ipv6.conf.lo.disable_ipv6 = 1
|
||||
|
||||
|
||||
# - name: Adjust login.defs
|
||||
# replace:
|
||||
# path: /mnt/etc/login.defs
|
||||
@@ -69,6 +80,31 @@
|
||||
# - { regexp: '^PASS_MIN_DAYS.*', replace: 'PASS_MIN_DAYS 7' }
|
||||
# - { regexp: '^UMASK.*', replace: 'UMASK 027' }
|
||||
|
||||
- name: Ensure the Default UMASK is Set Correctly
|
||||
ansible.builtin.lineinfile:
|
||||
path: "/mnt/etc/profile"
|
||||
regexp: "^(\\s*)umask\\s+\\d+"
|
||||
line: "umask 027"
|
||||
|
||||
- name: Prevent Login to Accounts With Empty Password
|
||||
ansible.builtin.replace:
|
||||
dest: "{{ item }}"
|
||||
regexp: "nullok"
|
||||
loop:
|
||||
- /mnt/etc/pam.d/system-auth
|
||||
- /mnt/etc/pam.d/password-auth
|
||||
|
||||
- name: Configure System Cryptography Policy
|
||||
when: os in ["almalinux", "rhel9", "rocky"]
|
||||
ansible.builtin.command:
|
||||
arch-chroot /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
|
||||
|
||||
- name: Mask Systemd Services
|
||||
ansible.builtin.command: >
|
||||
arch-chroot /mnt systemctl mask nftables bluetooth rpcbind
|
||||
changed_when: result.rc == 0
|
||||
register: result
|
||||
|
||||
- name: Ensure files exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
@@ -80,6 +116,15 @@
|
||||
- /mnt/etc/hosts.allow
|
||||
- /mnt/etc/hosts.deny
|
||||
|
||||
- name: Ensure files do not exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: touch
|
||||
mode: "0600"
|
||||
loop:
|
||||
- /mnt/etc/at.deny
|
||||
- /mnt/etc/cron.deny
|
||||
|
||||
- name: Add Security related lines into config files
|
||||
ansible.builtin.lineinfile:
|
||||
path: "{{ item.path }}"
|
||||
@@ -155,7 +200,7 @@
|
||||
- { option: X11Forwarding, value: "no" }
|
||||
- { option: PermitUserEnvironment, value: "no" }
|
||||
- { option: ClientAliveInterval, value: "300" }
|
||||
- { option: ClientAliveCountMax, value: "0" }
|
||||
- { option: ClientAliveCountMax, value: "1" }
|
||||
- { option: PermitTunnel, value: "no" }
|
||||
- { option: Banner, value: /etc/issue.net }
|
||||
|
||||
@@ -169,9 +214,9 @@
|
||||
|
||||
### Ciphers and keying ###
|
||||
RekeyLimit 512M 6h
|
||||
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
||||
KexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
|
||||
MACs -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com
|
||||
###########################
|
||||
|
||||
AllowStreamLocalForwarding no
|
||||
|
||||
@@ -1,4 +1,23 @@
|
||||
---
|
||||
- name: Unmount Disks
|
||||
vars:
|
||||
ansible_connection: ssh
|
||||
block:
|
||||
- name: Unmount /mnt if mounted
|
||||
ansible.builtin.command: umount -R /mnt
|
||||
register: unmount_result
|
||||
changed_when: unmount_result.rc == 0
|
||||
|
||||
- name: Verify /mnt is no longer mounted
|
||||
ansible.builtin.command: grep ' /mnt ' /proc/mounts
|
||||
register: verify_unmount
|
||||
retries: 5
|
||||
delay: 5
|
||||
until: verify_unmount.rc != 0
|
||||
when: unmount_result.rc == 0
|
||||
changed_when: false
|
||||
failed_when: verify_unmount.rc not in [0, 1]
|
||||
|
||||
- name: Shutdown the VM
|
||||
community.general.shutdown:
|
||||
vars:
|
||||
@@ -22,10 +41,14 @@
|
||||
- ide0
|
||||
- ide2
|
||||
|
||||
- name: Reboot system
|
||||
ansible.builtin.command: reboot
|
||||
failed_when: false
|
||||
changed_when: false
|
||||
- name: Start the VM
|
||||
community.general.proxmox_kvm:
|
||||
api_host: "{{ hypervisor_url }}"
|
||||
api_user: "{{ hypervisor_username }}"
|
||||
api_password: "{{ hypervisor_password }}"
|
||||
node: "{{ hypervisor_node }}"
|
||||
vmid: "{{ vm_id }}"
|
||||
state: restarted
|
||||
|
||||
- name: Clean vCenter VM
|
||||
when: hypervisor == "vmware"
|
||||
@@ -65,7 +88,7 @@
|
||||
validate_certs: false
|
||||
datacenter: "{{ hypervisor_cluster }}"
|
||||
name: "{{ hostname }}"
|
||||
state: powered-on
|
||||
state: restarted
|
||||
|
||||
- name: Remove Archiso and cloud-init disks
|
||||
when: hypervisor == "libvirt"
|
||||
|
||||
@@ -39,7 +39,7 @@
|
||||
- "# TempFS"
|
||||
- tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0
|
||||
- tmpfs /var/tmp tmpfs defaults,nosuid,nodev,noexec 0 0
|
||||
- tmpfs /dev/shm tmpfs defaults,noexec 0 0
|
||||
- tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0
|
||||
|
||||
- name: Set local timezone
|
||||
ansible.builtin.command: "{{ item }}"
|
||||
@@ -213,19 +213,37 @@
|
||||
fs-type = swap
|
||||
mode: '0644'
|
||||
|
||||
- name: Copy FirstRun Script
|
||||
when: os | lower != "archlinux"
|
||||
ansible.builtin.template:
|
||||
src: firstrun.sh.j2
|
||||
dest: /mnt/root/firstrun.sh
|
||||
mode: "0755"
|
||||
|
||||
- name: Copy Custom Shell config
|
||||
ansible.builtin.template:
|
||||
src: custom.sh.j2
|
||||
dest: /mnt/etc/profile.d/custom.sh
|
||||
mode: '0644'
|
||||
|
||||
- name: Create login banner
|
||||
ansible.builtin.copy:
|
||||
dest: "{{ item }}"
|
||||
content: |
|
||||
**************************************************************
|
||||
* WARNING: Unauthorized access to this system is prohibited. *
|
||||
* All activities are monitored and logged. *
|
||||
* Disconnect immediately if you are not an authorized user. *
|
||||
**************************************************************
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
loop:
|
||||
- /mnt/etc/issue
|
||||
- /etc/issue.net
|
||||
|
||||
- name: Remove motd files
|
||||
when: os | lower in ["rhel8", "rhel9"]
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
loop:
|
||||
- /etc/motd.d/cockpit
|
||||
- /etc/motd.d/insights-client
|
||||
|
||||
- name: Setup Network
|
||||
block:
|
||||
- name: Generate UUID for Network Profile
|
||||
@@ -286,15 +304,16 @@
|
||||
validate: /usr/sbin/visudo --check --file=%s
|
||||
|
||||
- name: Fix SELinux
|
||||
when: os | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
|
||||
block:
|
||||
- name: Relabel the filesystem
|
||||
when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rocky']
|
||||
when: os | lower != "fedora"
|
||||
ansible.builtin.command: "arch-chroot /mnt /sbin/fixfiles onboot"
|
||||
changed_when: result.rc == 0
|
||||
register: result
|
||||
|
||||
- name: Disable SELinux
|
||||
when: os | lower == "fedora"
|
||||
when: os | lower == "fedora" or not selinux | bool
|
||||
ansible.builtin.lineinfile:
|
||||
path: /mnt/etc/selinux/config
|
||||
regexp: ^SELINUX=
|
||||
|
||||
@@ -2,13 +2,12 @@
|
||||
id=LAN
|
||||
uuid={{ net_uuid.stdout }}
|
||||
type=ethernet
|
||||
interface-name={{ net_inf.stdout }}
|
||||
|
||||
[ethernet]
|
||||
mac-address={{ net_mac.stdout }}
|
||||
|
||||
[ipv4]
|
||||
address={{ vm_ip }},{{ vm_gw }}
|
||||
address={{ vm_ip }}/{{ vm_nms | default (24) }},{{ vm_gw }}
|
||||
dns={{ vm_dns }}
|
||||
method=manual
|
||||
|
||||
|
||||
@@ -20,7 +20,7 @@
|
||||
msg: This host is not booted from the Arch install media!
|
||||
when: not archiso_stat.stat.exists
|
||||
|
||||
- name: Setect Interface
|
||||
- name: Register Network Interface
|
||||
when: hypervisor == "vmware"
|
||||
ansible.builtin.shell: "set -o pipefail && ip l | awk -F': ' '!/lo/{print $2; exit}'"
|
||||
changed_when: interface_name.rc == 0
|
||||
@@ -44,7 +44,7 @@
|
||||
register: result
|
||||
|
||||
- name: Configure SSH for root login
|
||||
when: hypervisor == "vmware" and vmware_ssh | bool
|
||||
when: hypervisor == "vmware" and (vmware_ssh is defined and vmware_ssh | bool)
|
||||
block:
|
||||
- name: Allow empty passwords temporarily
|
||||
ansible.builtin.replace:
|
||||
|
||||
@@ -29,12 +29,12 @@
|
||||
storage: "{{ hypervisor_storage }}"
|
||||
ide:
|
||||
ide0: "{{ boot_iso }},media=cdrom"
|
||||
ide1: "{{ rhel_iso | default(omit) }},media=cdrom"
|
||||
ide1: "{{ rhel_iso + ',media=cdrom' if rhel_iso is defined else omit }}"
|
||||
ide2: "{{ hypervisor_storage }}:cloudinit"
|
||||
net:
|
||||
net0: virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %}
|
||||
ipconfig:
|
||||
ipconfig0: ip={{ vm_ip }},gw={{ vm_gw }}
|
||||
ipconfig0: ip={{ vm_ip }}/{{ vm_nms | default(24) }},gw={{ vm_gw }}
|
||||
nameservers: "{{ vm_dns }}"
|
||||
onboot: true
|
||||
state: present
|
||||
|
||||
@@ -8,8 +8,8 @@
|
||||
<bootmenu enable='no'/>
|
||||
<boot dev='hd'/>
|
||||
<boot dev='cdrom'/>
|
||||
<loader readonly="yes" type="pflash">/usr/share/edk2/x64/OVMF_CODE.secboot.fd</loader>
|
||||
<nvram template="/usr/share/edk2/x64/OVMF_VARS.fd"/>
|
||||
<loader readonly="yes" type="pflash">/usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd</loader>
|
||||
<nvram template="/usr/share/edk2/x64/OVMF_VARS.4m.fd"/>
|
||||
</os>
|
||||
<features>
|
||||
<acpi/>
|
||||
|
||||
@@ -1,14 +1,11 @@
|
||||
vm_ip: "{{ inventory_hostname }}/{{ vm_nms }}"
|
||||
vm_ip: "{{ inventory_hostname }}"
|
||||
install_type: "virtual"
|
||||
cis: false
|
||||
|
||||
hypervisor_url: "192.168.0.2"
|
||||
hypervisor_username: "root@pam"
|
||||
hypervisor_password: "SomePassword"
|
||||
hypervisor_node: "NodeName"
|
||||
hypervisor_storage: "local-btrfs"
|
||||
boot_iso: "local-btrfs:iso/archlinux-x86_64.iso"
|
||||
rhel_iso: "local-btrfs:rhel-9.4-x86_64-dvd.iso"
|
||||
|
||||
# For VMware-Tools
|
||||
ansible_vmware_host: "{{ hypervisor_url }}"
|
||||
|
||||
Reference in New Issue
Block a user