Update README regarding SELinux

without the key, and key cannot be set otherwise awx refuses connection

README.md

@@ -71,12 +71,14 @@ Inventory variables are defined for individual hosts or VMs in the inventory fil
 | Variable                | Description                                                                       | Example Value                                      |
 |-------------------------|-----------------------------------------------------------------------------------|----------------------------------------------------|
 | `cis` (optional)        | Adjusts the installation to be CIS level 3 conformant.                            | `true`, `false`                                    |
+| `selinux` (optional)    | Toggle SELinux, `false` means it should be disabled.`                             | `true`, `false`                                    |
 | `filesystem`            | Filesystem type for the VM's primary storage.                                     | `btrfs`, `ext4`, `xfs`                             |
 | `hostname`              | The hostname assigned to the virtual machine or system.                           | `vm01`                                             |
 | `os`                    | Operating system to be installed on the VM.                                       | `archlinux`, `almalinux`, `debian11`, `debian12`, `fedora`, `rhel8`, `rhel9`, `rocky`, `ubuntu`, `ubuntu-lts` |
 | `root_password`         | Root password for the VM or system, used for initial setup or secure access.      | `SecurePass123`                                    |
 | `user_name`             | Username for a user account within the VM, often used with cloud-init.            | `adminuser`                                        |
 | `user_password`         | Password for the user account within the VM.                                      | `UserPass123`                                      |
+| `user_public_key`       | SSH Key for the user account within the VM.                                       | `ssh-ed25519 AAAAC`                                |
 | `vm_ballo` (optional)   | Ballooning memory size for the VM, used to adjust memory allocation dynamically.  | `2048`                                             |
 | `vm_cpus`               | Number of CPU cores assigned to the virtual machine.                              | `4`                                                |
 | `vm_dns`                | DNS server IP address(es) for the virtual machine's network configuration.        | `1.0.0.1`, `1.1.1.1`                               |
@@ -84,7 +86,7 @@ Inventory variables are defined for individual hosts or VMs in the inventory fil
 | `vm_id`                 | Unique identifier for the virtual machine.                                        | `101`                                              |
 | `vm_ip`                 | IP address assigned to the virtual machine.                                       | `192.168.0.10`                                     |
 | `vm_nm` (optional)      | IP address netmask assigned to the virtual machine.                               | `255.255.255.0`                                    |
-| `vm_nms` (optional)     | IP address netmask assigned to the virtual machine.                               | `24`                                    |
+| `vm_nms` (optional)     | IP address netmask assigned to the virtual machine.                               | `24`                                               |
 | `vm_memory`             | Amount of memory (in MB) allocated to the virtual machine.                        | `2048`                                             |
 | `vm_nif`                | Network interface type or identifier for the VM's network connection.             | `vmbr0`                                            |
 | `vm_path (optional)`    | Path or folder where the VM configuration or related files will be stored.        | `/var/lib/libvirt/images/`                         |

inventory_example.ini

@@ -1,29 +0,0 @@
-[promox-kvm]
-192.168.122.10
-192.168.122.11
-
-[promox-kvm:vars]
-vm_gw=192.168.122.1
-vm_dns=1.1.1.1
-
-[192.168.122.10]
-hostname=proxy
-vm_id=300
-os=archlinux
-filesystem=btrfs
-vm_memory=2048
-vm_ballo=1024
-vm_cpus=2
-vm_size=5
-vm_nif=vmbr1
-
-[192.168.122.11]
-hostname=database
-vm_id=101
-os=archlinux
-filesystem=btrfs
-vm_memory=6144
-vm_ballo=3072
-vm_cpus=4
-vm_size=40
-vm_nif=vmbr1

inventory_example.yml

@@ -3,6 +3,7 @@ all:
     hypervisor: 'proxmox'
     install_drive: '/dev/sda'
     cis: true
+    boot_iso: "local-btrfs:iso/archlinux-x86_64.iso"
   children:
       promox-kvm:
         hosts:

main.yml

@@ -10,6 +10,11 @@
         What is your username?
       private: false
     
+    - name: user_public_key
+      prompt: |
+        What is your ssh key?
+      private: false
+
     - name: user_password
       prompt: |
         What is your password?
@@ -81,7 +86,7 @@
 
   tasks:
     - name: Set final SSH Credentials
-      when: hypervisor == 'vmware' and vmware_ssh | bool
+      when: hypervisor != 'vmware' or (hypervisor == 'vmware' and vmware_ssh | bool)
       ansible.builtin.set_fact:
         ansible_user: "{{ user_name }}"
         ansible_password: "{{ user_password }}"
@@ -89,5 +94,7 @@
         ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
 
     - name: Check if VM is back and running
+      when: not (hypervisor == 'vmware' and cis | bool)
       ansible.builtin.wait_for_connection:
         timeout: 300
+        

roles/bootstrap/tasks/main.yml

@@ -31,7 +31,7 @@
       with_items:
         - debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'oracular' if os == 'ubuntu' else 'noble' }}
           /mnt http://archive.ubuntu.com/ubuntu/
-        - ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
+        - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
         - arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
         - arch-chroot /mnt apt update -y
         - arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
@@ -43,7 +43,7 @@
       register: result
       with_items:
         - dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
-        - ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
+        - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
         - arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.almalinux | join(' ') }}
 
     - name: Bootstrap Fedora 41
@@ -54,7 +54,7 @@
       with_items:
         - dnf --releasever=41 --best --repo=fedora --repo=fedora-updates
           --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
-        - ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
+        - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
         - arch-chroot /mnt dnf --releasever=41 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }}
         - arch-chroot /mnt dnf reinstall -y kernel-core
 
@@ -67,7 +67,7 @@
         - dnf --releasever=9 --best --repo=rocky-baseos --installroot=/mnt
           --setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
           groupinstall -y base core
-        - ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
+        - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
         - arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.rocky | join(' ') }}
 
     - name: Bootstrap RHEL System
@@ -78,13 +78,13 @@
             dnf --releasever={{ '8' if os == 'rhel8' else '9' }} --repo={{ os | lower }}-baseos
             --installroot=/mnt
             --setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
-            groupinstall -y base core
+            groupinstall -y core base standard
           changed_when: result.rc == 0
           register: result
 
         - name: Prepare chroot environment
           ansible.builtin.shell: |
-            ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
+            ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
             mkdir -p /mnt/usr/local/install/redhat/dvd
             mount --bind /usr/local/install/redhat/dvd /mnt/usr/local/install/redhat/dvd
             arch-chroot /mnt rpm --rebuilddb
@@ -94,7 +94,7 @@
         - name: Copy RHEL repo file into chroot environment
           ansible.builtin.copy:
             src: /etc/yum.repos.d/{{ os | lower }}.repo
-            dest: /mnt/etc/yum.repos.d/{{ os | lower }}.repo
+            dest: /mnt/etc/yum.repos.d/redhat.repo
             mode: '0644'
             remote_src: true
 

roles/bootstrap/vars/packages.yml

@@ -16,7 +16,6 @@ almalinux:
   - open-vm-tools
   - ppp
   - shim
-  - telnet
   - tmux
   - vim
   - wget
@@ -188,7 +187,6 @@ fedora:
   - ppp
   - ripgrep
   - shim
-  - telnet
   - tmux
   - vim-default-editor
   - wget
@@ -197,8 +195,11 @@ fedora:
   - zstd
 
 rhel8:
+  - bind-utils
   - dhcp-client
   - efibootmgr
+  - glibc-langpack-de
+  - glibc-langpack-en
   - grub2
   - grub2-efi-x64
   - lrzsz
@@ -206,15 +207,18 @@ rhel8:
   - mtr
   - nfs-utils
   - open-vm-tools
+  - python39
   - shim
-  - telnet
   - tmux
   - vim
   - zstd
 
 rhel9:
+  - bind-utils
   - dhcp-client
   - efibootmgr
+  - glibc-langpack-de
+  - glibc-langpack-en
   - grub2
   - grub2-efi
   - lrzsz
@@ -222,8 +226,8 @@ rhel9:
   - mtr
   - nfs-utils
   - open-vm-tools
+  - python
   - shim
-  - telnet
   - tmux
   - vim
   - zram-generator
@@ -307,6 +311,7 @@ ubuntu:
     - tldr
     - tmux
     - traceroute
+    - util-linux-extra
     - vim
     - wget
     - yq
@@ -365,6 +370,7 @@ ubuntu-lts:
     - tldr
     - tmux
     - traceroute
+    - util-linux-extra
     - vim
     - wget
     - yq

roles/cis/tasks/main.yml

@@ -7,18 +7,19 @@
         mode: '0644'
         content: |
           CIS LVL 3 Restrictions
-          install freevxfs        /bin/true
+          install freevxfs        /bin/false
-          install jffs2           /bin/true
+          install jffs2           /bin/false
-          install hfs             /bin/true
+          install hfs             /bin/false
-          install hfsplus         /bin/true
+          install hfsplus         /bin/false
-          install squashfs        /bin/true
+          install cramfs          /bin/false
-          install udf             /bin/true
+          install squashfs        /bin/false
-          install usb-storage     /bin/true
+          install udf             /bin/false
+          install usb-storage     /bin/false
 
-          install dccp            /bin/true
+          install dccp            /bin/false
-          install sctp            /bin/true
+          install sctp            /bin/false
-          install rds             /bin/true
+          install rds             /bin/false
-          install tipc            /bin/true
+          install tipc            /bin/false
 
     - name: Create USB Rules
       ansible.builtin.copy:
@@ -43,11 +44,20 @@
         mode: '0644'
         content: |
           ## CIS Sysctl configurations
+          kernel.yama.ptrace_scope=1
+          kernel.randomize_va_space=2
+
+          # Network
+          net.ipv4.ip_forward=0
+          net.ipv4.tcp_syncookies=1
+          net.ipv4.icmp_echo_ignore_broadcasts=1
+          net.ipv4.icmp_ignore_bogus_error_responses=1
           net.ipv4.conf.all.log_martians = 1
           net.ipv4.conf.all.rp_filter = 1
           net.ipv4.conf.all.secure_redirects = 0
           net.ipv4.conf.all.send_redirects = 0
           net.ipv4.conf.all.accept_redirects = 0
+          net.ipv4.conf.all.accept_source_route=0
           net.ipv4.conf.default.log_martians = 1
           net.ipv4.conf.default.rp_filter = 1
           net.ipv4.conf.default.secure_redirects = 0
@@ -59,6 +69,7 @@
           net.ipv6.conf.default.disable_ipv6 = 1
           net.ipv6.conf.lo.disable_ipv6 = 1
 
+
     # - name: Adjust login.defs
     #   replace:
     #     path: /mnt/etc/login.defs
@@ -69,6 +80,31 @@
     #     - { regexp: '^PASS_MIN_DAYS.*', replace: 'PASS_MIN_DAYS 7' }
     #     - { regexp: '^UMASK.*', replace: 'UMASK           027' }
 
+    - name: Ensure the Default UMASK is Set Correctly
+      ansible.builtin.lineinfile:
+        path: "/mnt/etc/profile"
+        regexp: "^(\\s*)umask\\s+\\d+"
+        line: "umask 027"
+
+    - name: Prevent Login to Accounts With Empty Password
+      ansible.builtin.replace:
+        dest: "{{ item }}"
+        regexp: "nullok"
+      loop:
+        - /mnt/etc/pam.d/system-auth
+        - /mnt/etc/pam.d/password-auth
+
+    - name: Configure System Cryptography Policy
+      when: os in ["almalinux", "rhel9", "rocky"]
+      ansible.builtin.command:
+        arch-chroot /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
+
+    - name: Mask Systemd Services
+      ansible.builtin.command: >
+        arch-chroot /mnt systemctl mask nftables bluetooth rpcbind
+      changed_when: result.rc == 0
+      register: result
+
     - name: Ensure files exist
       ansible.builtin.file:
         path: "{{ item }}"
@@ -80,6 +116,15 @@
         - /mnt/etc/hosts.allow
         - /mnt/etc/hosts.deny
 
+    - name: Ensure files do not exist
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: touch
+        mode: "0600"
+      loop:
+        - /mnt/etc/at.deny
+        - /mnt/etc/cron.deny
+
     - name: Add Security related lines into config files
       ansible.builtin.lineinfile:
         path: "{{ item.path }}"
@@ -155,7 +200,7 @@
         - { option: X11Forwarding, value: "no" }
         - { option: PermitUserEnvironment, value: "no" }
         - { option: ClientAliveInterval, value: "300" }
-        - { option: ClientAliveCountMax, value: "0" }
+        - { option: ClientAliveCountMax, value: "1" }
         - { option: PermitTunnel, value: "no" }
         - { option: Banner, value: /etc/issue.net }
 
@@ -169,9 +214,9 @@
 
           ### Ciphers and keying ###
           RekeyLimit 512M 6h
-          KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+          KexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
           Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-          MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+          MACs -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com
           ###########################
 
           AllowStreamLocalForwarding no

roles/cleanup/tasks/main.yml

@@ -1,4 +1,23 @@
 ---
+- name: Unmount Disks
+  vars:
+    ansible_connection: ssh
+  block:
+    - name: Unmount /mnt if mounted
+      ansible.builtin.command: umount -R /mnt
+      register: unmount_result
+      changed_when: unmount_result.rc == 0
+
+    - name: Verify /mnt is no longer mounted
+      ansible.builtin.command: grep ' /mnt ' /proc/mounts
+      register: verify_unmount
+      retries: 5
+      delay: 5
+      until: verify_unmount.rc != 0
+      when: unmount_result.rc == 0
+      changed_when: false
+      failed_when: verify_unmount.rc not in [0, 1]
+
 - name: Shutdown the VM
   community.general.shutdown:
   vars:
@@ -22,10 +41,14 @@
         - ide0
         - ide2
 
-    - name: Reboot system
+    - name: Start the VM
-      ansible.builtin.command: reboot
+      community.general.proxmox_kvm:
-      failed_when: false
+        api_host: "{{ hypervisor_url }}"
-      changed_when: false
+        api_user: "{{ hypervisor_username }}"
+        api_password: "{{ hypervisor_password }}"
+        node: "{{ hypervisor_node }}"
+        vmid: "{{ vm_id }}"
+        state: restarted
 
 - name: Clean vCenter VM
   when: hypervisor == "vmware"
@@ -65,7 +88,7 @@
         validate_certs: false
         datacenter: "{{ hypervisor_cluster }}"
         name: "{{ hostname }}"
-        state: powered-on
+        state: restarted
 
 - name: Remove Archiso and cloud-init disks
   when: hypervisor == "libvirt"

roles/configuration/tasks/main.yml

@@ -39,7 +39,7 @@
         - "# TempFS"
         - tmpfs           /tmp            tmpfs           defaults,nosuid,nodev,noexec    0 0
         - tmpfs           /var/tmp        tmpfs           defaults,nosuid,nodev,noexec    0 0
-        - tmpfs           /dev/shm        tmpfs           defaults,noexec    0 0
+        - tmpfs           /dev/shm        tmpfs           defaults,nosuid,nodev,noexec    0 0
 
     - name: Set local timezone
       ansible.builtin.command: "{{ item }}"
@@ -213,19 +213,37 @@
               fs-type = swap
             mode: '0644'
 
-        - name: Copy FirstRun Script
-          when: os | lower != "archlinux"
-          ansible.builtin.template:
-            src: firstrun.sh.j2
-            dest: /mnt/root/firstrun.sh
-            mode: "0755"
-
         - name: Copy Custom Shell config
           ansible.builtin.template:
             src: custom.sh.j2
             dest: /mnt/etc/profile.d/custom.sh
             mode: '0644'
 
+        - name: Create login banner
+          ansible.builtin.copy:
+            dest: "{{ item }}"
+            content: |
+              **************************************************************
+              * WARNING: Unauthorized access to this system is prohibited. *
+              * All activities are monitored and logged.                   *
+              * Disconnect immediately if you are not an authorized user.  *
+              **************************************************************
+            owner: root
+            group: root
+            mode: '0644'
+          loop:
+            - /mnt/etc/issue
+            - /etc/issue.net
+
+        - name: Remove motd files
+          when: os | lower in ["rhel8", "rhel9"]
+          ansible.builtin.file:
+            path: "{{ item }}"
+            state: absent
+          loop:
+            - /etc/motd.d/cockpit
+            - /etc/motd.d/insights-client
+
     - name: Setup Network
       block:
         - name: Generate UUID for Network Profile
@@ -286,15 +304,16 @@
         validate: /usr/sbin/visudo --check --file=%s
 
     - name: Fix SELinux
+      when: os | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
       block:
         - name: Relabel the filesystem
-          when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rocky']
+          when: os | lower != "fedora" 
           ansible.builtin.command: "arch-chroot /mnt /sbin/fixfiles onboot"
           changed_when: result.rc == 0
           register: result
 
         - name: Disable SELinux
-          when: os | lower == "fedora"
+          when: os | lower == "fedora" or not (selinux | default(true) | bool)
           ansible.builtin.lineinfile:
             path: /mnt/etc/selinux/config
             regexp: ^SELINUX=

roles/configuration/templates/network.j2

@@ -2,13 +2,12 @@
 id=LAN
 uuid={{ net_uuid.stdout }}
 type=ethernet
-interface-name={{ net_inf.stdout }}
 
 [ethernet]
 mac-address={{ net_mac.stdout }}
 
 [ipv4]
-address={{ vm_ip }},{{ vm_gw }}
+address={{ vm_ip }}/{{ vm_nms | default (24) }},{{ vm_gw }}
 dns={{ vm_dns }}
 method=manual
 

roles/environment/tasks/main.yml

@@ -20,7 +20,7 @@
         msg: This host is not booted from the Arch install media!
       when: not archiso_stat.stat.exists
 
-    - name: Setect Interface
+    - name: Register Network Interface
       when: hypervisor == "vmware"
       ansible.builtin.shell: "set -o pipefail && ip l | awk -F': ' '!/lo/{print $2; exit}'"
       changed_when: interface_name.rc == 0
@@ -44,7 +44,7 @@
       register: result
 
     - name: Configure SSH for root login
-      when: hypervisor == "vmware" and vmware_ssh | bool
+      when: hypervisor == "vmware" and (vmware_ssh is defined and vmware_ssh | bool)
       block:
         - name: Allow empty passwords temporarily
           ansible.builtin.replace:

roles/virtualization/tasks/proxmox.yml

@@ -29,12 +29,12 @@
       storage: "{{ hypervisor_storage }}"
     ide:
       ide0: "{{ boot_iso }},media=cdrom"
-      ide1: "{{ rhel_iso | default(omit) }},media=cdrom"
+      ide1: "{{ rhel_iso + ',media=cdrom' if rhel_iso is defined else omit }}"
       ide2: "{{ hypervisor_storage }}:cloudinit"
     net:
       net0: virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %}
     ipconfig:
-      ipconfig0: ip={{ vm_ip }},gw={{ vm_gw }}
+      ipconfig0: ip={{ vm_ip }}/{{ vm_nms | default(24) }},gw={{ vm_gw }}
     nameservers: "{{ vm_dns }}"
     onboot: true
     state: present

roles/virtualization/templates/vm.xml.j2

@@ -8,8 +8,8 @@
     <bootmenu enable='no'/>
     <boot dev='hd'/>
     <boot dev='cdrom'/>
-    <loader readonly="yes" type="pflash">/usr/share/edk2/x64/OVMF_CODE.secboot.fd</loader>
+    <loader readonly="yes" type="pflash">/usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd</loader>
-    <nvram template="/usr/share/edk2/x64/OVMF_VARS.fd"/>
+    <nvram template="/usr/share/edk2/x64/OVMF_VARS.4m.fd"/>
   </os>
   <features>
     <acpi/>

vars_example.yml

@@ -1,14 +1,11 @@
-vm_ip: "{{ inventory_hostname }}/{{ vm_nms }}"
+vm_ip: "{{ inventory_hostname }}"
 install_type: "virtual"
-cis: false
 
 hypervisor_url:      "192.168.0.2"
 hypervisor_username: "root@pam"
 hypervisor_password: "SomePassword"
 hypervisor_node:     "NodeName"
 hypervisor_storage:  "local-btrfs"
-boot_iso: "local-btrfs:iso/archlinux-x86_64.iso"
-rhel_iso: "local-btrfs:rhel-9.4-x86_64-dvd.iso"
 
 # For VMware-Tools
 ansible_vmware_host: "{{ hypervisor_url }}"