sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
f8e3ce62d406820ef1f0f794d66da93a912cafe9
Ansible-Bootstrap/main.yml

326 lines
12 KiB
YAML
Raw Blame History

---
- name: Create and configure VMs
hosts: all
strategy: free # noqa: run-once[play]
gather_facts: false
become: true
vars_prompt:
- name: user_name
prompt: |
What is your username?
private: false
- name: user_public_key
prompt: |
What is your ssh key?
private: false
- name: user_password
prompt: |
What is your password?
confirm: true
- name: root_password
prompt: |
What is your root password?
confirm: true
vars_files: vars.yml
pre_tasks:
- name: Load global defaults
ansible.builtin.import_role:
name: global_defaults
- name: Apply global defaults
vars:
global_defaults_hypervisor_value: >-
{{ hypervisor if hypervisor is defined else global_defaults_hypervisor }}
global_defaults_custom_iso_value: >-
{{ custom_iso if custom_iso is defined else global_defaults_custom_iso }}
global_defaults_cis_value: >-
{{ cis if cis is defined else global_defaults_cis }}
global_defaults_selinux_value: >-
{{ selinux if selinux is defined else global_defaults_selinux }}
global_defaults_vmware_ssh_value: >-
{{ vmware_ssh if vmware_ssh is defined else global_defaults_vmware_ssh }}
global_defaults_firewalld_enabled_value: >-
{{
firewalld_enabled
if firewalld_enabled is defined
else global_defaults_firewalld_enabled
}}
global_defaults_luks_enabled_value: >-
{{ luks_enabled if luks_enabled is defined else global_defaults_luks_enabled }}
global_defaults_luks_mapper_name_value: >-
{{
luks_mapper_name
if luks_mapper_name is defined
else global_defaults_luks_mapper_name
}}
global_defaults_luks_auto_decrypt_value: >-
{{
luks_auto_decrypt
if luks_auto_decrypt is defined
else global_defaults_luks_auto_decrypt
}}
global_defaults_luks_auto_decrypt_method_value: >-
{{
luks_auto_decrypt_method
if luks_auto_decrypt_method is defined
else global_defaults_luks_auto_decrypt_method
}}
global_defaults_luks_tpm2_device_value: >-
{{
luks_tpm2_device
if luks_tpm2_device is defined
else global_defaults_luks_tpm2_device
}}
global_defaults_luks_tpm2_pcrs_value: >-
{{
luks_tpm2_pcrs
if luks_tpm2_pcrs is defined
else global_defaults_luks_tpm2_pcrs
}}
global_defaults_luks_keyfile_size_value: >-
{{
luks_keyfile_size
if luks_keyfile_size is defined
else global_defaults_luks_keyfile_size
}}
global_defaults_luks_options_value: >-
{{ luks_options if luks_options is defined else global_defaults_luks_options }}
global_defaults_luks_type_value: >-
{{ luks_type if luks_type is defined else global_defaults_luks_type }}
global_defaults_luks_cipher_value: >-
{{ luks_cipher if luks_cipher is defined else global_defaults_luks_cipher }}
global_defaults_luks_hash_value: >-
{{ luks_hash if luks_hash is defined else global_defaults_luks_hash }}
global_defaults_luks_iter_time_value: >-
{{ luks_iter_time if luks_iter_time is defined else global_defaults_luks_iter_time }}
global_defaults_luks_key_size_value: >-
{{ luks_key_size if luks_key_size is defined else global_defaults_luks_key_size }}
global_defaults_luks_pbkdf_value: >-
{{ luks_pbkdf if luks_pbkdf is defined else global_defaults_luks_pbkdf }}
global_defaults_luks_use_urandom_value: >-
{{
luks_use_urandom
if luks_use_urandom is defined
else global_defaults_luks_use_urandom
}}
global_defaults_luks_verify_passphrase_value: >-
{{
luks_verify_passphrase
if luks_verify_passphrase is defined
else global_defaults_luks_verify_passphrase
}}
ansible.builtin.set_fact:
hypervisor: "{{ global_defaults_hypervisor_value }}"
custom_iso: "{{ global_defaults_custom_iso_value }}"
cis: "{{ global_defaults_cis_value }}"
selinux: "{{ global_defaults_selinux_value }}"
vmware_ssh: "{{ global_defaults_vmware_ssh_value }}"
firewalld_enabled: "{{ global_defaults_firewalld_enabled_value }}"
cis_enabled: "{{ global_defaults_cis_value | bool }}"
custom_iso_enabled: "{{ global_defaults_custom_iso_value | bool }}"
luks_enabled: "{{ global_defaults_luks_enabled_value }}"
luks_mapper_name: "{{ global_defaults_luks_mapper_name_value }}"
luks_auto_decrypt: "{{ global_defaults_luks_auto_decrypt_value }}"
luks_auto_decrypt_method: "{{ global_defaults_luks_auto_decrypt_method_value }}"
luks_tpm2_device: "{{ global_defaults_luks_tpm2_device_value }}"
luks_tpm2_pcrs: "{{ global_defaults_luks_tpm2_pcrs_value }}"
luks_keyfile_size: "{{ global_defaults_luks_keyfile_size_value }}"
luks_options: "{{ global_defaults_luks_options_value }}"
luks_type: "{{ global_defaults_luks_type_value }}"
luks_cipher: "{{ global_defaults_luks_cipher_value }}"
luks_hash: "{{ global_defaults_luks_hash_value }}"
luks_iter_time: "{{ global_defaults_luks_iter_time_value }}"
luks_key_size: "{{ global_defaults_luks_key_size_value }}"
luks_pbkdf: "{{ global_defaults_luks_pbkdf_value }}"
luks_use_urandom: "{{ global_defaults_luks_use_urandom_value }}"
luks_verify_passphrase: "{{ global_defaults_luks_verify_passphrase_value }}"
changed_when: false
- name: Validate variables
ansible.builtin.assert:
that:
- install_type is defined and install_type in ["virtual", "physical"]
- hypervisor in ["libvirt", "proxmox", "vmware", "none"]
- >-
install_type is defined and (
install_type == "physical"
or hypervisor in ["libvirt", "proxmox", "vmware"]
)
- filesystem is defined and filesystem in ["btrfs", "ext4", "xfs"]
- install_drive is defined and install_drive | length > 0
- hostname is defined and hostname | length > 0
- >-
os is defined and os in [
"archlinux", "almalinux", "debian11", "debian12", "debian13", "fedora",
"rhel8", "rhel9", "rhel10", "rocky", "ubuntu", "ubuntu-lts"
]
- >-
os is defined and (
os not in ["rhel8", "rhel9", "rhel10"]
or (rhel_iso is defined and rhel_iso | length > 0)
)
- >-
install_type is defined and (
install_type == "physical"
or (boot_iso is defined and boot_iso | length > 0)
)
- >-
install_type is defined and (
install_type == "physical"
or (vm_cpus is defined and (vm_cpus | int) > 0)
)
- >-
install_type is defined and (
install_type == "physical"
or (vm_size is defined and (vm_size | float) > 0)
)
- >-
install_type is defined and (
install_type == "physical"
or (vm_memory is defined and (vm_memory | float) > 0)
)
- >-
install_type is defined and filesystem is defined and (
install_type == "physical"
or (
vm_size is defined
and (
(filesystem == "btrfs" and (vm_size | int) >= 10)
or (filesystem != "btrfs" and (vm_size | int) >= 20)
)
)
)
- >-
install_type is defined and (
install_type == "physical"
or (
vm_size is defined
and vm_memory is defined
and (
(vm_size | float)
>= (
(vm_memory | float / 1024 >= 16.0)
| ternary(
(vm_memory | float / 2048),
[vm_memory | float / 1024, 4.0] | max
)
+ 16
)
)
)
)
- >-
vm_ip is not defined
or vm_ip | length == 0
or (vm_nms is defined and (vm_nms | int) > 0)
fail_msg: Invalid input specified, please try again.
- name: Set OS family flags
ansible.builtin.set_fact:
is_rhel: "{{ os | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky'] }}"
is_debian: "{{ os | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts'] }}"
changed_when: false
- name: Set Python interpreter for RHEL-based installers
when:
- ansible_python_interpreter is not defined
- os | lower in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"]
ansible.builtin.set_fact:
ansible_python_interpreter: /usr/bin/python3
changed_when: false
- name: Set SSH access
when:
- install_type == "virtual"
- hypervisor != "vmware"
ansible.builtin.set_fact:
ansible_user: "{{ user_name }}"
ansible_password: "{{ user_password }}"
ansible_become_password: "{{ user_password }}"
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
- name: Set connection for VMware
when: hypervisor == "vmware"
ansible.builtin.set_fact:
ansible_connection: vmware_tools
roles:
- role: virtualization
when: install_type == "virtual"
become: false
vars:
ansible_connection: local
- role: environment
vars:
ansible_connection: "{{ 'vmware_tools' if hypervisor == 'vmware' else 'ssh' }}"
- role: partitioning
vars:
partitioning_boot_partition_suffix: 1
partitioning_main_partition_suffix: 2
- role: bootstrap
- role: configuration
- role: cis
when: cis_enabled
- role: cleanup
when: install_type in ["virtual", "physical"]
become: false
post_tasks:
- name: Set post-reboot connection flags
ansible.builtin.set_fact:
post_reboot_can_connect: >-
{{
(ansible_connection | default('ssh')) != 'ssh'
or (vm_ip is defined and (vm_ip | string | length) > 0)
or (
install_type == 'physical'
and (ansible_host | default('') | string | length) > 0
)
}}
changed_when: false
- name: Set final SSH credentials for post-reboot tasks
when:
- post_reboot_can_connect | bool
ansible.builtin.set_fact:
ansible_user: "{{ user_name }}"
ansible_password: "{{ user_password }}"
ansible_become_password: "{{ user_password }}"
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
- name: Install post-reboot extra packages
when:
- post_reboot_can_connect | bool
- extra_packages is defined
- extra_packages | length > 0
block:
- name: Normalize extra package list
ansible.builtin.set_fact:
post_install_extra_packages: >-
{{
(
extra_packages
if (extra_packages is iterable and extra_packages is not string)
else (extra_packages | string).split(',')
)
| map('trim')
| reject('equalto', '')
| list
}}
changed_when: false
- name: Install extra packages
when: post_install_extra_packages | length > 0
ansible.builtin.package:
name: "{{ post_install_extra_packages }}"
state: present
Reference in New Issue View Git Blame Copy Permalink