sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sandwich:rhel
Branches Tags
sandwich:master
sandwich:rhel
..
compare: sandwich:master
Branches Tags
sandwich:master
sandwich:rhel

6 Commits
rhel ... master

Author SHA1 Message Date
Sandwich
4f03ccbfcf Add dig via bind-utils for rhel 2024-12-03 16:42:47 +01:00
Sandwich
5746be4561 RHEL add python package 2024-12-03 13:31:31 +01:00
Sandwich
39cc49a05b Do not hardcode macaddress which makes vm cloning harder 2024-12-02 18:08:48 +01:00
Sandwich
2d63ca9c5a Use RHEL nameing for yum repo file 2024-11-12 14:14:09 +01:00
Sandwich
9f56328890 Fix DNS issue 2024-11-11 17:44:52 +01:00
Sandwich
dc763bdc42 Adjust never libvirt loaders 2024-11-11 17:26:37 +01:00
24 changed files with 1008 additions and 91 deletions
Show Stats Expand all files Collapse all files

25
README.md
View File

@ -1,18 +1,31 @@
# Ansible-Bootstrap # Ansible-Bootstrap
An Ansible playbook for automating system bootstrap processes in an Infrastructure-as-Code manner. An Ansible playbook for automating system bootstrap processes in an Infrastructure-as-Code manner, utilizing ArchISO as the foundational tool.
# Info # Info
Most of the roles are adaptable for use with systems beyond ArchLinux, requiring only that the target system can install a necessary package manager, such as `dnf` for RHEL-based systems. Additionally, a replacement for the `arch-chroot` command may be required for these systems.
**NOTE**:
- For RHEL 8 and RHEL 9, repository access requires the `rhel_iso` variable. This variable specifies a local ISO or proxy repository. - For RHEL 8 and RHEL 9, repository access requires the `rhel_iso` variable. This variable specifies a local ISO or proxy repository.
- RHEL systems do not support `btrfs`. Use `ext4` or `xfs` as alternatives. - RHEL systems do not support `btrfs`. Use `ext4` or `xfs` as alternatives.
- For RHEL 8, `xfs` may cause installation issues; `ext4` is recommended. - For RHEL 8, `xfs` may cause installation issues; `ext4` is recommended.
# Supported Distributions # Supported Distributions
This playbook supports multiple Linux distributions with specific versions tailored to each. Below is a list of supported distributions:
| `os` | Distribution | | `os` | Distribution |
|------------|------------------------------------| |------------|------------------------------------|
| archlinux | ArchLinux (Latest rolling release) |
| almalinux | AlmaLinux 9.x |
| debian11 | Debian 11 (Bullseye) |
| debian12 | Debian 12 (Bookworm) |
| fedora | Fedora 41 |
| rhel8 | Red Hat Enterprise Linux 8 | | rhel8 | Red Hat Enterprise Linux 8 |
| rhel9 | Red Hat Enterprise Linux 9 | | rhel9 | Red Hat Enterprise Linux 9 |
| rocky | Rocky Linux 9.x |
| ubuntu | Ubuntu 24.10 (Oracular Oriole) |
| ubuntu-lts | Ubuntu 24.04 LTS (Noble Numbat) |
# Documentation # Documentation
@ -28,7 +41,7 @@ An Ansible playbook for automating system bootstrap processes in an Infrastructu
## 1. Overview ## 1. Overview
The playbook uses the RHEL ISO to configure and bootstrap an RHEL system from the ground up. The playbook uses the ArchLinux ISO as a foundational tool to provides an efficient and systematic method for the automatic deployment of a variety of Linux distributions on designated target systems. It ensures a standardized setup across different platforms, equipping each system with the essential configurations and software necessary for its designated role.
## 2. Global Variables ## 2. Global Variables
@ -38,7 +51,7 @@ Global variables apply across your Ansible project and are loaded from `vars.yml
|-----------------------|--------------------------------------------------------------------|-----------------------------------------| |-----------------------|--------------------------------------------------------------------|-----------------------------------------|
| `boot_iso` | Path to the boot ISO image. | `local-btrfs:iso/archlinux-x86_64.iso` | | `boot_iso` | Path to the boot ISO image. | `local-btrfs:iso/archlinux-x86_64.iso` |
| `rhel_iso` | Path to the RHEL ISO file, required for RHEL 8 and RHEL 9. |`local-btrfs:iso/rhel-9.4-x86_64-dvd.iso`| | `rhel_iso` | Path to the RHEL ISO file, required for RHEL 8 and RHEL 9. |`local-btrfs:iso/rhel-9.4-x86_64-dvd.iso`|
| `hypervisor` | Type of hypervisor. | `vmware` | | `hypervisor` | Type of hypervisor. | `libvirt`, `proxmox`, `vmware`, `none` |
| `hypervisor_cluster` | Name of the hypervisor cluster. | `default-cluster` | | `hypervisor_cluster` | Name of the hypervisor cluster. | `default-cluster` |
| `hypervisor_node` | Hypervisor node name. | `node01` | | `hypervisor_node` | Hypervisor node name. | `node01` |
| `hypervisor_password` | Password for hypervisor authentication. | `123456` | | `hypervisor_password` | Password for hypervisor authentication. | `123456` |
@ -46,7 +59,7 @@ Global variables apply across your Ansible project and are loaded from `vars.yml
| `hypervisor_url` | URL/IP address for the hypervisor interface. | `192.168.0.2` | | `hypervisor_url` | URL/IP address for the hypervisor interface. | `192.168.0.2` |
| `hypervisor_username` | Username for hypervisor authentication. | `root@pam` | | `hypervisor_username` | Username for hypervisor authentication. | `root@pam` |
| `install_drive` | Drive where the system will be installed. | `/dev/sda` | | `install_drive` | Drive where the system will be installed. | `/dev/sda` |
| `install_type` | Type of installation. | `virtual` | | `install_type` | Type of installation. | `virtual`, `physical` |
| `vlan_name` (optional)| VLAN for the VM's network interface. | `vlan100` | | `vlan_name` (optional)| VLAN for the VM's network interface. | `vlan100` |
To protect sensitive information, such as passwords, API keys, and other confidential variables (e.g., `hypervisor_password`), **it is recommended to use Ansible Vault**. To protect sensitive information, such as passwords, API keys, and other confidential variables (e.g., `hypervisor_password`), **it is recommended to use Ansible Vault**.
@ -58,9 +71,9 @@ Inventory variables are defined for individual hosts or VMs in the inventory fil
| Variable | Description | Example Value | | Variable | Description | Example Value |
|-------------------------|-----------------------------------------------------------------------------------|----------------------------------------------------| |-------------------------|-----------------------------------------------------------------------------------|----------------------------------------------------|
| `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false` | | `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false` |
| `filesystem` | Filesystem type for the VM's primary storage. | `ext4`, `xfs` | | `filesystem` | Filesystem type for the VM's primary storage. | `btrfs`, `ext4`, `xfs` |
| `hostname` | The hostname assigned to the virtual machine or system. | `vm01` | | `hostname` | The hostname assigned to the virtual machine or system. | `vm01` |
| `os` | Operating system to be installed on the VM. | `rhel8`, `rhel9` | | `os` | Operating system to be installed on the VM. | `archlinux`, `almalinux`, `debian11`, `debian12`, `fedora`, `rhel8`, `rhel9`, `rocky`, `ubuntu`, `ubuntu-lts` |
| `root_password` | Root password for the VM or system, used for initial setup or secure access. | `SecurePass123` | | `root_password` | Root password for the VM or system, used for initial setup or secure access. | `SecurePass123` |
| `user_name` | Username for a user account within the VM, often used with cloud-init. | `adminuser` | | `user_name` | Username for a user account within the VM, often used with cloud-init. | `adminuser` |
| `user_password` | Password for the user account within the VM. | `UserPass123` | | `user_password` | Password for the user account within the VM. | `UserPass123` |

12
inventory_example.ini
View File

@ -8,18 +8,22 @@ vm_dns=1.1.1.1
[192.168.122.10] [192.168.122.10]
hostname=proxy hostname=proxy
os=rhel8 vm_id=300
filesystem=ext4 os=archlinux
filesystem=btrfs
vm_memory=2048 vm_memory=2048
vm_ballo=1024 vm_ballo=1024
vm_cpus=2 vm_cpus=2
vm_size=5 vm_size=5
vm_nif=vmbr1
[192.168.122.11] [192.168.122.11]
hostname=database hostname=database
os=rhel9 vm_id=101
filesystem=xfs os=archlinux
filesystem=btrfs
vm_memory=6144 vm_memory=6144
vm_ballo=3072 vm_ballo=3072
vm_cpus=4 vm_cpus=4
vm_size=40 vm_size=40
vm_nif=vmbr1

47
inventory_example.yml
View File

@ -1,56 +1,33 @@
all: all:
vars:
hypervisor: 'proxmox'
install_drive: '/dev/sda'
cis: true
children: children:
first: promox-kvm:
hosts: hosts:
192.168.122.10: 192.168.122.10:
hostname: proxy hostname: proxy
os: rhel8 vm_id: 100
filesystem: ext4 os: archlinux
filesystem: btrfs
vm_memory: "2048" vm_memory: "2048"
vm_ballo: "1024" vm_ballo: "1024"
vm_cpus: "2" vm_cpus: "2"
vm_size: "5" vm_size: "5"
vm_nif: vmbr1
vm_gw: 192.168.122.1 vm_gw: 192.168.122.1
vm_dns: 1.1.1.1 vm_dns: 1.1.1.1
192.168.122.11: 192.168.122.11:
hostname: database hostname: database
vm_id: 101
os: rhel9 os: rhel9
filesystem: xfs filesystem: xfs
vm_memory: "6144" vm_memory: "6144"
vm_ballo: "3072" vm_ballo: "3072"
vm_cpus: "4" vm_cpus: "4"
vm_size: "40" vm_size: "40"
vm_nif: vmbr1
vm_gw: 192.168.122.1 vm_gw: 192.168.122.1
vm_dns: 1.1.1.1 vm_dns: 1.1.1.1
192.168.122.12: rhel_iso: "local-btrfs:iso/rhel-9.4-x86_64-dvd.iso"
hostname: storage
os: rhel9
filesystem: xfs
vm_memory: "2048"
vm_ballo: "1024"
vm_cpus: "2"
vm_size: "40"
vm_gw: 192.168.122.1
vm_dns: 1.1.1.1
second:
hosts:
192.168.122.13:
hostname: proxy02
os: rhel8
filesystem: ext4
vm_memory: "2048"
vm_ballo: "1024"
vm_cpus: "2"
vm_size: "5"
vm_gw: 192.168.122.1
vm_dns: 1.1.1.1
192.168.122.14:
hostname: database02
os: rhel9
filesystem: xfs
vm_memory: "6144"
vm_ballo: "3072"
vm_cpus: "4"
vm_size: "40"
vm_gw: 192.168.122.1
vm_dns: 1.1.1.1

25
main.yml
View File

@ -22,33 +22,45 @@
vars_files: vars.yml vars_files: vars.yml
pre_tasks: pre_tasks:
- name: Set ansible_python_interpreter - name: Set ansible_python_interpreter
when: os | lower in ["rhel9", "rhel8"] when: os | lower in ["almalinux", "rhel9", "rhel8", "rocky"]
ansible.builtin.set_fact: ansible.builtin.set_fact:
ansible_python_interpreter: /usr/bin/python3 ansible_python_interpreter: /usr/bin/python3
- name: Set SSH Access
when: hypervisor != "vmware"
ansible.builtin.set_fact:
ansible_user: "{{ user_name }}"
ansible_password: "{{ user_password }}"
ansible_become_password: "{{ user_password }}"
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
- name: Validate variables - name: Validate variables
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- filesystem in ["ext4", "xfs"] - hypervisor in ["libvirt", "proxmox", "vmware", "none"]
- filesystem in ["btrfs", "ext4", "xfs"]
- install_drive is defined - install_drive is defined
- os in ["rhel8", "rhel9"] - os in ["archlinux", "almalinux", "debian11", "debian12", "fedora", "rhel8", "rhel9", "rocky", "ubuntu", "ubuntu-lts"]
- (vm_size | int) >= 20) - os not in ["rhel8", "rhel9"] or rhel_iso is defined
- (filesystem == "btrfs" and (vm_size | int) >= 10) or (filesystem != "btrfs" and (vm_size | int) >= 20)
- (vm_size | float) >= ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory | float / 2048), [vm_memory | float / 1024, 4.0] | max) + 16) - (vm_size | float) >= ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory | float / 2048), [vm_memory | float / 1024, 4.0] | max) + 16)
fail_msg: Invalid input specified, please try again. fail_msg: Invalid input specified, please try again.
- name: Set connection - name: Set connection
when: hypervisor == "vmware"
ansible.builtin.set_fact: ansible.builtin.set_fact:
ansible_connection: vmware_tools ansible_connection: vmware_tools
roles: roles:
- role: virtualization - role: virtualization
when: install_type == "virtual"
become: false become: false
vars: vars:
ansible_connection: local ansible_connection: local
- role: environment - role: environment
vars: vars:
ansible_connection: vmware ansible_connection: "{{ 'vmware_tools' if hypervisor == 'vmware' else 'ssh' }}"
- role: partitioning - role: partitioning
vars: vars:
@ -63,12 +75,13 @@
when: cis | bool when: cis | bool
- role: cleanup - role: cleanup
when: install_type == "virtual"
vars: vars:
ansible_connection: local ansible_connection: local
tasks: tasks:
- name: Set final SSH Credentials - name: Set final SSH Credentials
when: vmware_ssh | bool when: hypervisor == 'vmware' and vmware_ssh | bool
ansible.builtin.set_fact: ansible.builtin.set_fact:
ansible_user: "{{ user_name }}" ansible_user: "{{ user_name }}"
ansible_password: "{{ user_password }}" ansible_password: "{{ user_password }}"

69
roles/bootstrap/tasks/main.yml
View File

@ -6,7 +6,72 @@
- name: Run OS-specific bootstrap process - name: Run OS-specific bootstrap process
block: block:
- name: Bootstrap ArchLinux
when: os | lower == 'archlinux'
ansible.builtin.command: pacstrap /mnt {{ role_packages.archlinux | join(' ') }} --asexplicit
changed_when: result.rc == 0
register: result
- name: Bootstrap Debian System
when: os | lower in ['debian11', 'debian12']
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }}
/mnt http://deb.debian.org/debian/
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
- arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data
- name: Bootstrap Ubuntu System
when: os | lower in ['ubuntu', 'ubuntu-lts']
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'oracular' if os == 'ubuntu' else 'noble' }}
/mnt http://archive.ubuntu.com/ubuntu/
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
- arch-chroot /mnt apt update -y
- arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
- name: Bootstrap AlmaLinux 9
when: os | lower == 'almalinux'
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- dnf --releasever=9 --best --repo=alma-baseos --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y base core
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.almalinux | join(' ') }}
- name: Bootstrap Fedora 41
when: os | lower == 'fedora'
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- dnf --releasever=41 --best --repo=fedora --repo=fedora-updates
--installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=41 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }}
- arch-chroot /mnt dnf reinstall -y kernel-core
- name: Bootstrap RockyLinux 9
when: os | lower == 'rocky'
ansible.builtin.command: "{{ item }}"
changed_when: result.rc == 0
register: result
with_items:
- dnf --releasever=9 --best --repo=rocky-baseos --installroot=/mnt
--setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
groupinstall -y base core
- ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
- arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False install -y {{ role_packages.rocky | join(' ') }}
- name: Bootstrap RHEL System - name: Bootstrap RHEL System
when: os | lower in ['rhel8', 'rhel9']
block: block:
- name: Install base packages in chroot environment - name: Install base packages in chroot environment
ansible.builtin.command: >- ansible.builtin.command: >-
@ -19,7 +84,7 @@
- name: Prepare chroot environment - name: Prepare chroot environment
ansible.builtin.shell: | ansible.builtin.shell: |
ln -sf /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
mkdir -p /mnt/usr/local/install/redhat/dvd mkdir -p /mnt/usr/local/install/redhat/dvd
mount --bind /usr/local/install/redhat/dvd /mnt/usr/local/install/redhat/dvd mount --bind /usr/local/install/redhat/dvd /mnt/usr/local/install/redhat/dvd
arch-chroot /mnt rpm --rebuilddb arch-chroot /mnt rpm --rebuilddb
@ -29,7 +94,7 @@
- name: Copy RHEL repo file into chroot environment - name: Copy RHEL repo file into chroot environment
ansible.builtin.copy: ansible.builtin.copy:
src: /etc/yum.repos.d/{{ os | lower }}.repo src: /etc/yum.repos.d/{{ os | lower }}.repo
dest: /mnt/etc/yum.repos.d/{{ os | lower }}.repo dest: /mnt/etc/yum.repos.d/redhat.repo
mode: '0644' mode: '0644'
remote_src: true remote_src: true

344
roles/bootstrap/vars/packages.yml
View File

@ -1,4 +1,203 @@
almalinux:
- bind-utils
- dbus-daemon
- dhcp-client
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- lrzsz
- lvm2
- nc
- nfs-utils
- nfsv4-client-utils
- mtr
- open-vm-tools
- ppp
- shim
- telnet
- tmux
- vim
- wget
- zram-generator
- zstd
archlinux:
- base
- btrfs-progs
- cronie
- dhcpcd
- efibootmgr
- firewalld
- fish
- fzf
- grub
- htop
- libpwquality
- linux
- logrotate
- lrzsz
- lsof
- lvm2
- ncdu
- neofetch
- networkmanager
- nfs-utils
- open-vm-tools
- openssh
- ppp
- prometheus-node-exporter
- python-psycopg2
- qemu-guest-agent
- reflector
- rsync
- screen
- sudo
- tldr
- vim
- wireguard-tools
- zram-generator
debian11:
base:
- apparmor-utils
- btrfs-progs
- chrony
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- linux-image-amd64
- locales
- logrotate
- lvm2
- net-tools
- openssh-server
- python3
- sudo
- xfsprogs
extra:
- bat
- curl
- entr
- firewalld
- fish
- fzf
- htop
- jq
- libpam-pwquality
- lrzsz
- mtr
- ncdu
- neofetch
- network-manager
- open-vm-tools
- python-is-python3
- ripgrep
- rsync
- screen
- software-properties-common
- syslog-ng
- tcpd
- tldr
- vim
- wget
- zstd
debian12:
base:
- btrfs-progs
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- linux-image-amd64
- locales
- logrotate
- lvm2
- xfsprogs
extra:
- apparmor-utils
- bat
- chrony
- curl
- duf
- entr
- firewalld
- fish
- fzf
- htop
- jq
- libpam-pwquality
- logrotate
- lrzsz
- mtr
- ncdu
- neofetch
- net-tools
- network-manager
- open-vm-tools
- openssh-server
- python-is-python3
- python3
- ripgrep
- rsync
- screen
- software-properties-common
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- tldr
- vim
- wget
- zstd
fedora:
- bat
- bind-utils
- btrfs-progs
- cronie
- dhcp-client
- duf
- dust
- efibootmgr
- entr
- eza
- fish
- fzf
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- htop
- iperf3
- logrotate
- lrzsz
- lvm2
- nc
- nfs-utils
- nfsv4-client-utils
- open-vm-tools
- polkit
- ppp
- ripgrep
- shim
- telnet
- tmux
- vim-default-editor
- wget
- zoxide
- zram-generator
- zstd
rhel8: rhel8:
- bind-utils
- dhcp-client - dhcp-client
- efibootmgr - efibootmgr
- grub2 - grub2
@ -8,6 +207,7 @@ rhel8:
- mtr - mtr
- nfs-utils - nfs-utils
- open-vm-tools - open-vm-tools
- python
- shim - shim
- telnet - telnet
- tmux - tmux
@ -15,6 +215,7 @@ rhel8:
- zstd - zstd
rhel9: rhel9:
- bind-utils
- dhcp-client - dhcp-client
- efibootmgr - efibootmgr
- grub2 - grub2
@ -24,9 +225,152 @@ rhel9:
- mtr - mtr
- nfs-utils - nfs-utils
- open-vm-tools - open-vm-tools
- python
- shim - shim
- telnet - telnet
- tmux - tmux
- vim - vim
- zram-generator - zram-generator
- zstd - zstd
rocky:
- bind-utils
- dbus-daemon
- dhcp-client
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- lrzsz
- lvm2
- mtr
- nc
- nfs-utils
- nfsv4-client-utils
- open-vm-tools
- ppp
- shim
- telnet
- tmux
- util-linux-core
- vim
- wget
- zram-generator
- zstd
ubuntu:
base:
- btrfs-progs
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- initramfs-tools
- linux-image-generic
- locales
- lvm2
- xfsprogs
extra:
- apparmor-utils
- bash-completion
- bat
- chrony
- curl
- dnsutils
- duf
- entr
- eza
- fdupes
- fio
- firewalld
- fish
- htop
- jq
- libpam-pwquality
- logrotate
- lrzsz
- mtr
- ncdu
- net-tools
- network-manager
- open-vm-tools
- openssh-server
- python-is-python3
- python3
- ripgrep
- rsync
- screen
- software-properties-common
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- tldr
- tmux
- traceroute
- vim
- wget
- yq
- zoxide
- zstd
ubuntu-lts:
base:
- btrfs-progs
- cron
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- initramfs-tools
- linux-image-generic
- locales
- lvm2
- xfsprogs
extra:
- apparmor-utils
- bash-completion
- bat
- chrony
- curl
- dnsutils
- duf
- entr
- eza
- fdupes
- fio
- firewalld
- fish
- htop
- jq
- libpam-pwquality
- logrotate
- lrzsz
- mtr
- ncdu
- net-tools
- network-manager
- open-vm-tools
- openssh-server
- python-is-python3
- python3
- ripgrep
- rsync
- screen
- software-properties-common
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- tldr
- tmux
- traceroute
- vim
- wget
- yq
- zoxide
- zstd

20
roles/cis/tasks/main.yml
View File

@ -91,15 +91,17 @@
- { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 } - { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 } - { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 } - { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 }
- { path: '/mnt/etc/bashrc', content: umask 077 } - { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] else "bash.bashrc" }}', content: umask 077 }
- { path: '/mnt/etc/bashrc', content: export TMOUT=3000 } - { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] else "bash.bashrc" }}', content: export TMOUT=3000 }
- { path: '/mnt/etc/systemd/journald.conf', content: Storage=persistent } - { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent }
- { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" } - { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" }
- { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so } - { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
- { path: '/mnt/etc/pam.d/system-auth', - { path: '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}',
content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900 } content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900 }
- { path: '/mnt/etc/pam.d/system-auth', content: account required pam_faillock.so } - { path: '/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth"
- { path: '/mnt/etc/pam.d/passwd', if os == "fedora" else "pam.d/system-auth" }}', content: account required pam_faillock.so }
- { path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}',
content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" } content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" }
- { path: /mnt/etc/hosts.deny, content: "ALL: ALL" } - { path: /mnt/etc/hosts.deny, content: "ALL: ALL" }
- { path: /mnt/etc/hosts.allow, content: "sshd: ALL" } - { path: /mnt/etc/hosts.allow, content: "sshd: ALL" }
@ -120,10 +122,10 @@
{ "path": "/mnt/etc/cron.d", "mode": "0700" }, { "path": "/mnt/etc/cron.d", "mode": "0700" },
{ "path": "/mnt/etc/crontab", "mode": "0600" }, { "path": "/mnt/etc/crontab", "mode": "0600" },
{ "path": "/mnt/etc/logrotate.conf", "mode": "0644" }, { "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
{ "path": "/mnt/usr/sbin/pppd", "mode": "0754" }, { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9"] else None,
{ "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["rhel9"] { "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["almalinux", "archlinux", "debian12", "fedora", "rhel9", "rocky"]
else "fusermount"), "mode": "755" }, else "fusermount"), "mode": "755" },
{ "path": "/mnt/usr/bin/write", "mode": "755" } { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" }
] | reject("none") }} ] | reject("none") }}
- name: Adjust SSHD config - name: Adjust SSHD config

60
roles/cleanup/tasks/main.yml
View File

@ -4,7 +4,31 @@
vars: vars:
ansible_connection: ssh ansible_connection: ssh
- name: Setup Cleanup
when: hypervisor == "proxmox"
delegate_to: localhost
become: false
block:
- name: Cleanup Setup Disks
community.general.proxmox_disk:
api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}"
name: "{{ hostname }}"
vmid: "{{ vm_id }}"
disk: "{{ item }}"
state: absent
loop:
- ide0
- ide2
- name: Reboot system
ansible.builtin.command: reboot
failed_when: false
changed_when: false
- name: Clean vCenter VM - name: Clean vCenter VM
when: hypervisor == "vmware"
delegate_to: localhost delegate_to: localhost
become: false become: false
block: block:
@ -42,3 +66,39 @@
datacenter: "{{ hypervisor_cluster }}" datacenter: "{{ hypervisor_cluster }}"
name: "{{ hostname }}" name: "{{ hostname }}"
state: powered-on state: powered-on
- name: Remove Archiso and cloud-init disks
when: hypervisor == "libvirt"
delegate_to: localhost
become: false
block:
- name: Remove cloud-init disk
ansible.builtin.file:
path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso"
state: absent
- name: Get list of CD-ROM devices
ansible.builtin.shell: set -o pipefail && virsh --connect qemu:///system domblklist {{ hostname }} --details | grep 'cdrom' | awk '{print $3}'
changed_when: false
register: cdrom_devices
- name: Wait for VM to spin down
ansible.builtin.wait_for:
timeout: 15
- name: Remove CD-ROM devices
when: cdrom_devices.stdout_lines | length > 0
ansible.builtin.command: virsh --connect qemu:///system detach-disk {{ hostname }} {{ item }} --persistent
with_items: "{{ cdrom_devices.stdout_lines | select('ne', 'sdc') | list }}"
changed_when: result.rc == 0
register: result
- name: Start the VM
community.libvirt.virt:
name: "{{ hostname }}"
state: running
- name: Wait for VM to boot up
delegate_to: "{{ inventory_hostname }}"
ansible.builtin.wait_for_connection:
timeout: 300

114
roles/configuration/tasks/main.yml
View File

@ -6,6 +6,13 @@
changed_when: result.rc == 0 changed_when: result.rc == 0
register: result register: result
- name: Remove depricated attr2 and disable large extent
when: os in ["almalinux", "rhel8", "rhel9", "rocky"] and filesystem == "xfs"
ansible.builtin.replace:
path: /mnt/etc/fstab
regexp: '(xfs.*?)(attr2)'
replace: '\1allocsize=64m'
- name: Replace ISO UUID entry with /dev/sr0 in fstab - name: Replace ISO UUID entry with /dev/sr0 in fstab
when: os in ["rhel8", "rhel9"] when: os in ["rhel8", "rhel9"]
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
@ -17,6 +24,7 @@
backrefs: true backrefs: true
- name: Write image from RHEL ISO to the target machine - name: Write image from RHEL ISO to the target machine
when: os in ["rhel8", "rhel9"] and hypervisor == 'vmware'
ansible.builtin.command: dd if=/dev/sr1 of=/mnt/usr/local/install/redhat/rhel.iso bs=4M ansible.builtin.command: dd if=/dev/sr1 of=/mnt/usr/local/install/redhat/rhel.iso bs=4M
changed_when: result.rc == 0 changed_when: result.rc == 0
register: result register: result
@ -43,6 +51,21 @@
- name: Setup locales - name: Setup locales
block: block:
- name: Configure locale.gen
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
ansible.builtin.lineinfile:
dest: /mnt/etc/locale.gen
regexp: "{{ item.regex }}"
line: "{{ item.line }}"
loop:
- { regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8 }
- name: Generate locales
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen
changed_when: result.rc == 0
register: result
- name: Set hostname - name: Set hostname
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ hostname }}" content: "{{ hostname }}"
@ -80,27 +103,72 @@
replace: "PermitRootLogin yes" replace: "PermitRootLogin yes"
- name: Enable Systemd Services - name: Enable Systemd Services
ansible.builtin.command: arch-chroot /mnt systemctl enable NetworkManager sshd ansible.builtin.command: >
arch-chroot /mnt systemctl enable NetworkManager
{{
' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else
(' sshd' if os | lower not in ['debian11', 'debian12'] else '')
}}
{{
'logrotate systemd-resolved systemd-timesyncd systemd-networkd'
if os | lower == 'archlinux' else ''
}}
changed_when: result.rc == 0 changed_when: result.rc == 0
register: result register: result
- name: Configure grub
when: os | lower not in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rocky']
block:
- name: Add commandline information to grub config
ansible.builtin.lineinfile:
dest: /mnt/etc/default/grub
regexp: ^GRUB_CMDLINE_LINUX_DEFAULT=
line: GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3"
- name: Change Grub time
ansible.builtin.lineinfile:
dest: /mnt/etc/default/grub
regexp: ^GRUB_TIMEOUT=
line: GRUB_TIMEOUT=1
- name: Configure Bootloader - name: Configure Bootloader
block: block:
- name: Install Bootloader - name: Install Bootloader
ansible.builtin.command: arch-chroot /mnt /usr/sbin/efibootmgr -c -L '{{ os }}' ansible.builtin.command: arch-chroot /mnt
-d "{{ install_drive }}" -p 1 {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %} /usr/sbin/efibootmgr
-l '\efi\EFI\redhat\shimx64.efi' -c -L '{{ os }}' -d "{{ install_drive }}" -p 1
-l '\efi\EFI\{% if os | lower in ["rhel8", "rhel9"] %}redhat{% else %}{{ os | lower }}{% endif %}\shimx64.efi'
{% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{ "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }}
--bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
{% endif %}
changed_when: result.rc == 0 changed_when: result.rc == 0
register: result register: result
- name: Generate grub config - name: Generate grub config
ansible.builtin.command: arch-chroot /mnt /usr/sbin/grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg ansible.builtin.command: arch-chroot /mnt
{% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}
/usr/sbin/grub2-mkconfig -o /boot/efi/EFI/{% if os | lower in ["rhel8", "rhel9"] %}redhat{% else %}{{ os | lower }}{% endif %}/grub.cfg
{% else %}
/usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }}
{% endif %}
changed_when: result.rc == 0 changed_when: result.rc == 0
register: result register: result
- name: Ensure lvm2 for non btrfs filesystems
when: os | lower == "archlinux" and filesystem != "btrfs"
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: '^(HOOKS=.*block)(?!.*lvm2)(.*)'
line: '\1 lvm2\2'
backrefs: true
- name: Regenerate initramfs - name: Regenerate initramfs
when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
ansible.builtin.command: arch-chroot /mnt /usr/bin/dracut --regenerate-all --force ansible.builtin.command: arch-chroot /mnt
{% if os | lower == "archlinux" %} /usr/sbin/mkinitcpio -P
{% elif os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts", "archlinux"] %} /usr/bin/dracut --regenerate-all --force
{% else %} echo "Skipping initramfs regeneration"
{% endif %}
changed_when: result.rc == 0 changed_when: result.rc == 0
register: result register: result
@ -109,7 +177,8 @@
- name: Append vim configurations to vimrc - name: Append vim configurations to vimrc
failed_when: false failed_when: false
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: "/mnt/etc/vimrc" path: "{{ '/mnt/etc/vim/vimrc' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts']
else '/mnt/etc/vimrc' }}"
block: | block: |
set encoding=utf-8 set encoding=utf-8
set number set number
@ -133,7 +202,7 @@
mode: '0644' mode: '0644'
- name: Create zram config - name: Create zram config
when: os not in ['rhel8'] when: os not in ['debian11', 'rhel8']
ansible.builtin.copy: ansible.builtin.copy:
dest: /mnt/etc/systemd/zram-generator.conf dest: /mnt/etc/systemd/zram-generator.conf
content: | content: |
@ -145,6 +214,7 @@
mode: '0644' mode: '0644'
- name: Copy FirstRun Script - name: Copy FirstRun Script
when: os | lower != "archlinux"
ansible.builtin.template: ansible.builtin.template:
src: firstrun.sh.j2 src: firstrun.sh.j2
dest: /mnt/root/firstrun.sh dest: /mnt/root/firstrun.sh
@ -179,12 +249,20 @@
dest: /mnt/etc/NetworkManager/system-connections/LAN.nmconnection dest: /mnt/etc/NetworkManager/system-connections/LAN.nmconnection
mode: "0600" mode: "0600"
- name: Fix Ubuntu unmanaged devices
when: os | lower in ["ubuntu", "ubuntu-lts"]
ansible.builtin.file:
path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf
state: touch
mode: '0644'
- name: Setup user account - name: Setup user account
block: block:
- name: Create user account - name: Create user account
ansible.builtin.command: "{{ item }}" ansible.builtin.command: "{{ item }}"
with_items: with_items:
- arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups wheel - arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups
{{ "sudo" if os | lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "wheel" }}
{{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
- arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash - arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
changed_when: result.rc == 0 changed_when: result.rc == 0
@ -202,12 +280,22 @@
- name: Give sudo access to wheel group - name: Give sudo access to wheel group
ansible.builtin.copy: ansible.builtin.copy:
content: "%wheel ALL=(ALL) ALL" content: "{{ '%sudo ALL=(ALL) ALL' if os | lower in ['debian11', 'debian12', 'ubuntu', 'ubuntu-lts'] else '%wheel ALL=(ALL) ALL' }}"
dest: /mnt/etc/sudoers.d/01-wheel dest: /mnt/etc/sudoers.d/01-wheel
mode: "0440" mode: "0440"
validate: /usr/sbin/visudo --check --file=%s validate: /usr/sbin/visudo --check --file=%s
- name: Fix SELinux - name: Fix SELinux
ansible.builtin.command: "arch-chroot /mnt /sbin/fixfiles onboot" block:
changed_when: result.rc == 0 - name: Relabel the filesystem
register: result when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rocky']
ansible.builtin.command: "arch-chroot /mnt /sbin/fixfiles onboot"
changed_when: result.rc == 0
register: result
- name: Disable SELinux
when: os | lower == "fedora"
ansible.builtin.lineinfile:
path: /mnt/etc/selinux/config
regexp: ^SELINUX=
line: SELINUX=permissive

3
roles/configuration/templates/network.j2
View File

@ -4,9 +4,6 @@ uuid={{ net_uuid.stdout }}
type=ethernet type=ethernet
interface-name={{ net_inf.stdout }} interface-name={{ net_inf.stdout }}
[ethernet]
mac-address={{ net_mac.stdout }}
[ipv4] [ipv4]
address={{ vm_ip }},{{ vm_gw }} address={{ vm_ip }},{{ vm_gw }}
dns={{ vm_dns }} dns={{ vm_dns }}

18
roles/environment/tasks/main.yml
View File

@ -21,16 +21,19 @@
when: not archiso_stat.stat.exists when: not archiso_stat.stat.exists
- name: Setect Interface - name: Setect Interface
when: hypervisor == "vmware"
ansible.builtin.shell: "set -o pipefail && ip l | awk -F': ' '!/lo/{print $2; exit}'" ansible.builtin.shell: "set -o pipefail && ip l | awk -F': ' '!/lo/{print $2; exit}'"
changed_when: interface_name.rc == 0 changed_when: interface_name.rc == 0
register: interface_name register: interface_name
- name: Set IP-Address - name: Set IP-Address
when: hypervisor == "vmware"
ansible.builtin.command: "ip addr replace {{ ansible_host }}/{{ vm_nms | default(24) }} dev {{ interface_name.stdout }}" ansible.builtin.command: "ip addr replace {{ ansible_host }}/{{ vm_nms | default(24) }} dev {{ interface_name.stdout }}"
changed_when: result.rc == 0 changed_when: result.rc == 0
register: result register: result
- name: Set Default Gateway - name: Set Default Gateway
when: hypervisor == "vmware"
ansible.builtin.command: "ip route replace default via {{ vm_gw }}" ansible.builtin.command: "ip route replace default via {{ vm_gw }}"
changed_when: result.rc == 0 changed_when: result.rc == 0
register: result register: result
@ -41,7 +44,7 @@
register: result register: result
- name: Configure SSH for root login - name: Configure SSH for root login
when: vmware_ssh | bool when: hypervisor == "vmware" and vmware_ssh | bool
block: block:
- name: Allow empty passwords temporarily - name: Allow empty passwords temporarily
ansible.builtin.replace: ansible.builtin.replace:
@ -82,11 +85,15 @@
community.general.pacman: community.general.pacman:
update_cache: true update_cache: true
force: true force: true
name: "{{ item }}" name: "{{ item.name }}"
state: latest state: latest
loop: loop:
- glibc - { name: glibc }
- dnf - { name: dnf, os: [almalinux, fedora, rhel9, rhel8, rocky] }
- { name: debootstrap, os: [debian11, debian12, ubuntu, ubuntu-lts] }
- { name: debian-archive-keyring, os: [debian11, debian12] }
- { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] }
when: "'os' not in item or os in item.os"
retries: 4 retries: 4
delay: 15 delay: 15
@ -101,13 +108,14 @@
- name: Mount RHEL ISO - name: Mount RHEL ISO
ansible.posix.mount: ansible.posix.mount:
src: "/dev/sr1" src: "{{ '/dev/sr1' if hypervisor == 'vmware' else '/dev/sr2' }}"
path: /usr/local/install/redhat/dvd path: /usr/local/install/redhat/dvd
fstype: iso9660 fstype: iso9660
opts: "ro,loop" opts: "ro,loop"
state: mounted state: mounted
- name: Configure RHEL Repos for installation - name: Configure RHEL Repos for installation
when: os | lower in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"]
block: block:
- name: Create directories for repository files and RPM GPG keys - name: Create directories for repository files and RPM GPG keys
ansible.builtin.file: ansible.builtin.file:

56
roles/partitioning/tasks/btrfs.yml Normal file
View File

@ -0,0 +1,56 @@
---
- name: Setup BTRFS
block:
- name: Create btrfs filesystem in main volume
community.general.filesystem:
dev: "{{ install_drive }}{{ main_partition_suffix }}"
fstype: btrfs
force: true
- name: Prepare BTRFS Subvolume
ansible.posix.mount:
path: /mnt
src: "{{ install_drive }}{{ main_partition_suffix }}"
fstype: btrfs
opts: rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async
state: mounted
- name: Enable quotas on Btrfs filesystem
ansible.builtin.command: btrfs quota enable /mnt
changed_when: result.rc == 0
register: result
- name: Make root subvolumes
when: cis | bool or item.subvol not in ['var_log_audit']
ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
changed_when: result.rc == 0
register: result
loop:
- { subvol: root }
- { subvol: swap }
- { subvol: home }
- { subvol: var }
- { subvol: var_log }
- { subvol: var_log_audit }
- name: Set quotas for subvolumes
when: cis | bool or item.subvol not in ['var_log_audit']
ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
changed_when: result.rc == 0
register: result
loop:
- { subvol: home, quota: 2G }
- name: Create a Btrfs swap file
ansible.builtin.command: >-
btrfs filesystem mkswapfile --size {{ ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory
| float / 2048) | int, [vm_memory | float / 1024, 4.0] | max) | int) }}g --uuid clear /mnt/@swap/swapfile
changed_when: result.rc == 0
register: result
- name: Unmount Partition
ansible.posix.mount:
path: /mnt
src: "{{ install_drive }}{{ main_partition_suffix }}"
fstype: btrfs
state: unmounted

12
roles/partitioning/tasks/ext4.yml
View File

@ -11,3 +11,15 @@
- { lv: var } - { lv: var }
- { lv: var_log } - { lv: var_log }
- { lv: var_log_audit } - { lv: var_log_audit }
- name: Remove Unsupported features for older Systems
when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky']) and (cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'])
ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}"
changed_when: result.rc == 0
register: result
loop:
- { lv: root }
- { lv: home }
- { lv: var }
- { lv: var_log }
- { lv: var_log_audit }

23
roles/partitioning/tasks/main.yml
View File

@ -28,6 +28,7 @@
- { number: 2, part_start: 500MiB, name: root } - { number: 2, part_start: 500MiB, name: root }
- name: Create LVM logical volumes - name: Create LVM logical volumes
when: filesystem != 'btrfs'
block: block:
- name: Create LVM volume group - name: Create LVM volume group
community.general.lvg: community.general.lvg:
@ -91,6 +92,7 @@
force: true force: true
- name: Create swap filesystem - name: Create swap filesystem
when: filesystem != 'btrfs'
community.general.filesystem: community.general.filesystem:
fstype: swap fstype: swap
dev: /dev/sys/swap dev: /dev/sys/swap
@ -109,7 +111,7 @@
register: main_uuid register: main_uuid
- name: Get UUIDs for LVM filesystems - name: Get UUIDs for LVM filesystems
when: cis | bool or item not in ['home', 'var', 'var_log', 'var_log_audit'] when: filesystem != 'btrfs' and (cis | bool or item not in ['home', 'var', 'var_log', 'var_log_audit'])
ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }} ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }}
changed_when: false changed_when: false
register: uuid_result register: uuid_result
@ -122,6 +124,7 @@
- var_log_audit - var_log_audit
- name: Assign UUIDs to Variables - name: Assign UUIDs to Variables
when: filesystem != 'btrfs'
ansible.builtin.set_fact: ansible.builtin.set_fact:
uuid_root: "{{ uuid_result.results[0].stdout_lines }}" uuid_root: "{{ uuid_result.results[0].stdout_lines }}"
uuid_swap: "{{ uuid_result.results[1].stdout_lines }}" uuid_swap: "{{ uuid_result.results[1].stdout_lines }}"
@ -136,6 +139,7 @@
when: when:
- cis | bool or (not cis and (item.path == '/var/log' and filesystem == 'btrfs') - cis | bool or (not cis and (item.path == '/var/log' and filesystem == 'btrfs')
or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit'])) or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit']))
- not (item.path == '/swap' and filesystem != 'btrfs')
ansible.posix.mount: ansible.posix.mount:
path: /mnt{{ item.path }} path: /mnt{{ item.path }}
src: "{{ 'UUID=' + (main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}" src: "{{ 'UUID=' + (main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}"
@ -145,20 +149,25 @@
loop: loop:
- path: "" - path: ""
uuid: "{{ uuid_root[0] | default(omit) }}" uuid: "{{ uuid_root[0] | default(omit) }}"
opts: "defaults" opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}"
- path: /swap
opts: "rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@swap"
- path: /home - path: /home
uuid: "{{ uuid_home[0] | default(omit) }}" uuid: "{{ uuid_home[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}" else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}"
- path: /var - path: /var
uuid: "{{ uuid_var[0] | default(omit) }}" uuid: "{{ uuid_var[0] | default(omit) }}"
opts: "defaults,nosuid,nodev" opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}"
- path: /var/log - path: /var/log
uuid: "{{ uuid_var_log[0] | default(omit) }}" uuid: "{{ uuid_var_log[0] | default(omit) }}"
opts: "defaults,nosuid,nodev,noexec" opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}"
- path: /var/log/audit - path: /var/log/audit
uuid: "{{ uuid_var_log_audit[0] | default(omit) }}" uuid: "{{ uuid_var_log_audit[0] | default(omit) }}"
opts: "defaults,nosuid,nodev,noexec" opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs'
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}"
- name: Mount tmp and var_tmp filesystems - name: Mount tmp and var_tmp filesystems
ansible.posix.mount: ansible.posix.mount:
@ -173,12 +182,12 @@
- name: Mount boot filesystem - name: Mount boot filesystem
ansible.posix.mount: ansible.posix.mount:
path: "{{ '/mnt/boot/efi' if os | lower in ['rhel8'] else '/mnt/boot' }}" path: "{{ '/mnt/boot/efi' if os | lower in ['rhel8', 'ubuntu', 'ubuntu-lts'] else '/mnt/boot' }}"
src: UUID={{ boot_uuid.stdout }} src: UUID={{ boot_uuid.stdout }}
fstype: vfat fstype: vfat
state: mounted state: mounted
- name: Activate swap - name: Activate swap
ansible.builtin.command: "{{ 'swapon -U ' + uuid_swap[0] }}" ansible.builtin.command: "{{ 'swapon /mnt/swap/swapfile' if filesystem == 'btrfs' else 'swapon -U ' + uuid_swap[0] }}"
changed_when: result.rc == 0 changed_when: result.rc == 0
register: result register: result

50
roles/virtualization/tasks/libvirt.yml Normal file
View File

@ -0,0 +1,50 @@
---
- name: Check if VM disk exists
delegate_to: localhost
ansible.builtin.stat:
path: "{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2"
register: vm_disk_stat
- name: Create VM disk
when: not vm_disk_stat.stat.exists
delegate_to: localhost
ansible.builtin.command: qemu-img create -f qcow2 {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2 {{ vm_size }}G
changed_when: result.rc == 0
register: result
- name: Generate Random MAC Address
delegate_to: localhost
ansible.builtin.shell: set -o pipefail && openssl rand -hex 5 | sed 's/\(..\)/\1:/g; s/.$//' | sed 's/^/02:/'
changed_when: false
register: mac_address_output
- name: Render cloud config templates
delegate_to: localhost
ansible.builtin.template:
src: "{{ item.src }}"
dest: /tmp/{{ item.dest_prefix }}-{{ hostname }}.yml
mode: '0644'
loop:
- { src: cloud-user-data.yml.j2, dest_prefix: cloud-user-data }
- { src: cloud-network-config.yml.j2, dest_prefix: cloud-network-config }
- name: Create cloud-init disk
delegate_to: localhost
ansible.builtin.command: >
cloud-localds {{ vm_path | default('/var/lib/libvirt/images/') }}/{{ hostname }}-cloudinit.iso
/tmp/cloud-user-data-{{ hostname }}.yml
-N /tmp/cloud-network-config-{{ hostname }}.yml
changed_when: result.rc == 0
register: result
- name: Create VM using libvirt
delegate_to: localhost
community.libvirt.virt:
command: define
xml: "{{ lookup('template', 'vm.xml.j2') }}"
- name: Start vm
delegate_to: localhost
community.libvirt.virt:
name: "{{ hostname }}"
state: running

51
roles/virtualization/tasks/proxmox.yml Normal file
View File

@ -0,0 +1,51 @@
---
- name: Deploy VM on Proxmox
delegate_to: localhost
community.general.proxmox_kvm:
api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}"
ciuser: "{{ user_name }}"
cipassword: "{{ user_password }}"
ciupgrade: false
node: "{{ hypervisor_node }}"
vmid: "{{ vm_id }}"
name: "{{ hostname }}"
cpu: host
cores: "{{ vm_cpus }}"
memory: "{{ vm_memory }}"
balloon: "{{ vm_ballo | default(omit) }}"
numa_enabled: true
hotplug: network,disk
bios: ovmf
boot: ac
scsihw: virtio-scsi-single
scsi:
scsi0: "{{ hypervisor_storage }}:{{ vm_size }}"
efidisk0:
efitype: 4m
format: raw
pre_enrolled_keys: false
storage: "{{ hypervisor_storage }}"
ide:
ide0: "{{ boot_iso }},media=cdrom"
ide1: "{{ rhel_iso | default(omit) }},media=cdrom"
ide2: "{{ hypervisor_storage }}:cloudinit"
net:
net0: virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %}
ipconfig:
ipconfig0: ip={{ vm_ip }},gw={{ vm_gw }}
nameservers: "{{ vm_dns }}"
onboot: true
state: present
- name: Start VM on Proxmox
delegate_to: localhost
community.general.proxmox_kvm:
api_host: "{{ hypervisor_url }}"
api_user: "{{ hypervisor_username }}"
api_password: "{{ hypervisor_password }}"
node: "{{ hypervisor_node }}"
name: "{{ hostname }}"
vmid: "{{ vm_id }}"
state: started

6
roles/virtualization/tasks/vmware.yml
View File

@ -27,6 +27,12 @@
state: present state: present
type: iso type: iso
iso_path: "{{ boot_iso }}" iso_path: "{{ boot_iso }}"
- controller_number: 0
unit_number: 1
controller_type: sata
state: present
type: iso
iso_path: "{{ rhel_iso | default(omit) }}"
networks: networks:
- name: "{{ vm_nif }}" - name: "{{ vm_nif }}"
type: dhcp type: dhcp

11
roles/virtualization/templates/cloud-network-config.yml.j2 Normal file
View File

@ -0,0 +1,11 @@
network:
version: 2
ethernets:
id0:
match:
macaddress: "{{ mac_address_output.stdout }}"
addresses:
- "{{ vm_ip }}"
gateway4: "{{ vm_gw }}"
nameservers:
addresses: ['1.1.1.1', '1.0.0.1']

10
roles/virtualization/templates/cloud-user-data.yml.j2 Normal file
View File

@ -0,0 +1,10 @@
#cloud-config
hostname: "archiso"
ssh_pwauth: true
users:
- name: "{{ user_name }}"
primary_group: "{{ user_name }}"
groups: users
sudo: ALL=(ALL) NOPASSWD:ALL
passwd: "{{ user_password | password_hash('sha512') }}"
lock_passwd: False

62
roles/virtualization/templates/vm.xml.j2 Normal file
View File

@ -0,0 +1,62 @@
<domain type='kvm'>
<name>{{ hostname }}</name>
<memory>{{ vm_memory | int * 1024 }}</memory>
{% if vm_ballo is defined %}<currentMemory>{{ vm_ballo | int * 1024 }}</currentMemory>{% endif %}
<vcpu placement='static'>{{ vm_cpus }}</vcpu>
<os>
<type arch='x86_64' machine="pc-q35-8.0">hvm</type>
<bootmenu enable='no'/>
<boot dev='hd'/>
<boot dev='cdrom'/>
<loader readonly="yes" type="pflash">/usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd</loader>
<nvram template="/usr/share/edk2/x64/OVMF_VARS.4m.fd"/>
</os>
<features>
<acpi/>
<apic/>
<pae/>
</features>
<cpu mode="host-passthrough" check="none" migratable="on"/>
<clock offset="utc"/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}.qcow2'/>
<target dev='vda' bus='virtio'/>
</disk>
<disk type="file" device="cdrom">
<driver name="qemu" type="raw"/>
<source file="{{ boot_iso }}"/>
<target dev="sda" bus="sata"/>
</disk>
<disk type="file" device="cdrom">
<driver name="qemu" type="raw"/>
<source file="{{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso"/>
<target dev="sdb" bus="sata"/>
</disk>
{% if rhel_iso is defined %}
<disk type="file" device="cdrom">
<driver name="qemu" type="raw"/>
<source file="{{ rhel_iso }}"/>
<target dev="sdc" bus="sata"/>
</disk>
{% endif %}
<interface type='network'>
<mac address="{{ mac_address_output.stdout }}"/>
<source network='default'/>
<model type='virtio'/>
</interface>
<input type="tablet" bus="usb"/>
<input type="mouse" bus="ps2"/>
<input type="keyboard" bus="ps2"/>
<graphics type='spice' autoport="yes">
<listen type="address"/>
</graphics>
<video>
<model type="virtio" heads="1" primary="yes"/>
</video>
</devices>
</domain>

43
templates/almalinux.repo.j2 Normal file
View File

@ -0,0 +1,43 @@
[alma-appstream]
name=AlmaLinux $releasever - AppStream
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/appstream
# baseurl=https://repo.almalinux.org/almalinux/$releasever/AppStream/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=1
[alma-baseos]
name=AlmaLinux $releasever - BaseOS
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos
# baseurl=https://repo.almalinux.org/almalinux/$releasever/BaseOS/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=1
[alma-extras]
name=AlmaLinux $releasever - Extras
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/extras
# baseurl=https://repo.almalinux.org/almalinux/$releasever/extras/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=0
[alma-highavailability]
name=AlmaLinux $releasever - HighAvailability
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/highavailability
# baseurl=https://repo.almalinux.org/almalinux/$releasever/HighAvailability/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=0

25
templates/fedora.repo.j2 Normal file
View File

@ -0,0 +1,25 @@
[fedora]
name=Fedora $releasever - $basearch
#baseurl=http://download.example/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
countme=1
metadata_expire=86400
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=https://getfedora.org/static/fedora.gpg
skip_if_unavailable=False
[fedora-updates]
name=Fedora $releasever - $basearch - Updates
#baseurl=http://download.example/pub/fedora/linux/updates/$releasever/Everything/$basearch/
metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
enabled=1
countme=1
repo_gpgcheck=0
type=rpm
gpgcheck=1
metadata_expire=86400
gpgkey=https://getfedora.org/static/fedora.gpg
skip_if_unavailable=False

10
templates/rocky.repo.j2 Normal file
View File

@ -0,0 +1,10 @@
[rocky-baseos]
name=Rocky Linux $releasever - BaseOS
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/os/
gpgcheck=1
enabled=1
countme=1
gpgkey=https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-$releasever
metadata_expire=86400
enabled_metadata=1

3
vars_example.yml
View File

@ -7,7 +7,8 @@ hypervisor_username: "root@pam"
hypervisor_password: "SomePassword" hypervisor_password: "SomePassword"
hypervisor_node: "NodeName" hypervisor_node: "NodeName"
hypervisor_storage: "local-btrfs" hypervisor_storage: "local-btrfs"
boot_iso: "local-btrfs:rhel-9.4-x86_64-dvd.iso" boot_iso: "local-btrfs:iso/archlinux-x86_64.iso"
rhel_iso: "local-btrfs:rhel-9.4-x86_64-dvd.iso"
# For VMware-Tools # For VMware-Tools
ansible_vmware_host: "{{ hypervisor_url }}" ansible_vmware_host: "{{ hypervisor_url }}"