History rewrite

ansible/roles/base/tasks/debian.yml

@@ -0,0 +1,17 @@
+---
+- name: "Updating the guest operating system."
+  apt:
+    force_apt_get: true
+    name: "*"
+    state: latest     # noqa package-latest
+    update_cache: "yes"
+
+- name: "Installing additional packages."
+  apt:
+    name:
+      - bash-completion
+      - curl
+      - wget
+      - unzip
+      - ca-certificates
+    state: latest     # noqa package-latest

ansible/roles/base/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- name: "Prepare the {{ ansible_facts['distribution'] }} guest operating system."
+  include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml"
+  when: "ansible_facts['distribution'] == 'Debian'"
+- name: "Prepare the {{ ansible_facts['distribution'] }} guest operating system."
+  include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml"
+  when: "ansible_facts['distribution'] == 'Ubuntu'"
+- name: "Prepare the {{ ansible_facts['distribution'] }} guest operating system."
+  include_tasks: redhat.yml
+  when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux', 'OracleLinux']"

ansible/roles/base/tasks/redhat.yml

@@ -0,0 +1,41 @@
+---
+
+- name: "Checking Red Hat Subscription Manager status."
+  ansible.builtin.shell: "subscription-manager refresh"
+  when: "ansible_facts['distribution'] == 'RedHat'"
+
+- name: "Updating the guest operating system."
+  ansible.builtin.dnf:
+    name: "*"
+    state: latest     # noqa package-latest
+    update_cache: "yes"
+  when: "ansible_facts['distribution_major_version'] >= \"8\""
+
+- name: "Installing additional packages."
+  ansible.builtin.dnf:
+    name:
+      - curl
+      - wget
+      - unzip
+      - ca-certificates
+    state: latest     # noqa package-latest
+  when: "ansible_facts['distribution_major_version'] >= \"8\""
+
+- name: "Updating the guest operating system."
+  when: "ansible_facts['distribution_major_version'] <= \"7\""
+  ansible.builtin.yum:
+    name: "*"
+    state: latest     # noqa package-latest
+    update_cache: "yes"
+
+- name: "Installing additional packages."
+  when: "ansible_facts['distribution_major_version'] <= \"7\""
+  ansible.builtin.yum:
+    name:
+      - curl
+      - wget
+      - unzip
+      - ca-certificates
+    state: latest     # noqa package-latest
+
+...

ansible/roles/base/tasks/ubuntu.yml

@@ -0,0 +1,17 @@
+---
+- name: "Updating the guest operating system."
+  apt:
+    force_apt_get: true
+    name: "*"
+    state: latest     # noqa package-latest
+    update_cache: "yes"
+
+- name: "Installing additional packages."
+  apt:
+    name:
+      - bash-completion
+      - curl
+      - wget
+      - unzip
+      - ca-certificates
+    state: latest     # noqa package-latest

ansible/roles/clean/tasks/debian.yml

@@ -0,0 +1,81 @@
+---
+
+- name: Remove audit log files
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "/var/log/audit/audit.log"
+    - "/var/log/wtmp"
+    - "/var/log/lastlog"
+
+- name: Check to see if the /var/log/audit directory exists
+  ansible.builtin.stat:
+    path: "/var/log/audit"
+  register: audit_directory
+
+- name: Ensure /var/log/audit directory exists
+  ansible.builtin.file:
+    path: /var/log/audit
+    state: directory
+    mode: "0750"
+    owner: root
+    group: adm
+  when: audit_directory.stat.exists
+
+- name: Ensure /var/log/audit/audit.log exists
+  ansible.builtin.file:
+    path: /var/log/audit/audit.log
+    state: touch
+    mode: "0640"
+    owner: root
+    group: adm
+  when: audit_directory.stat.exists
+
+- name: Ensure wtmp and lastlog exist with the correct permissions
+  ansible.builtin.copy:
+    dest: "{{ item }}"
+    content: ""
+    mode: "0664"
+    owner: root
+    group: utmp
+  loop:
+    - "/var/log/wtmp"
+    - "/var/log/lastlog"
+
+- name: Cleaning persistent udev rules
+  ansible.builtin.file:
+    path: /etc/udev/rules.d/70-persistent-net.rules
+    state: absent
+
+- name: "Cleaning the /tmp directories"
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "/tmp/*"
+    - "/var/tmp/*"
+
+- name: "Cleaning the SSH host keys."
+  shell: |
+    rm -f /etc/ssh/ssh_host_*
+
+- name: remove /etc/machine-id
+  file:
+    path: /etc/machine-id
+    state: absent
+
+- name: remove /var/lib/dbus/machine-id
+  file:
+    path: /var/lib/dbus/machine-id
+    state: absent
+
+- name: generate new machine-id
+  command: systemd-machine-id-setup
+
+- name: Cleaning the shell history
+  shell: |
+    unset HISTFILE
+    history -cw
+    echo > ~/.bash_history
+    rm -fr /root/.bash_history

ansible/roles/clean/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- name: "Clean the {{ ansible_facts['distribution'] }} guest operating system."
+  include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml"
+  when: "ansible_facts['distribution'] == 'Debian'"
+- name: "Clean the {{ ansible_facts['distribution'] }} guest operating system."
+  include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml"
+  when: "ansible_facts['distribution'] == 'Ubuntu'"
+- name: "Clean the {{ ansible_facts['distribution'] }} guest operating system."
+  include_tasks: redhat.yml
+  when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux', 'OracleLinux']"

ansible/roles/clean/tasks/redhat.yml

@@ -0,0 +1,59 @@
+---
+
+- name: "Cleaning all audit logs."
+  shell: |
+    if [ -f /var/log/audit/audit.log ]; then
+    cat /dev/null > /var/log/audit/audit.log
+    fi
+    if [ -f /var/log/wtmp ]; then
+    cat /dev/null > /var/log/wtmp
+    fi
+    if [ -f /var/log/lastlog ]; then
+    cat /dev/null > /var/log/lastlog
+    fi
+
+- name: "Cleaning persistent udev rules."
+  shell: |
+    if [ -f /etc/udev/rules.d/70-persistent-net.rules ]; then
+    rm /etc/udev/rules.d/70-persistent-net.rules
+    fi
+
+- name: "Cleaning the /tmp directories"
+  shell: |
+    rm -rf /tmp/*
+    rm -rf /var/tmp/*
+    rm -rf /var/cache/dnf/*
+
+- name: "Cleaning the Red Hat Subscription Manager logs."
+  shell: |
+    rm -rf /var/log/rhsm/*
+  when: "ansible_facts['distribution'] == 'RedHat'"
+
+- name: "Cleaning the SSH host keys."
+  shell: |
+    rm -f /etc/ssh/ssh_host_*
+
+- name: "Cleaning the machine-id."
+  when: 'ansible_facts[''distribution_major_version''] <= "8"'
+  shell: |
+    truncate -s 0 /etc/machine-id
+    rm /var/lib/dbus/machine-id
+    ln -s /etc/machine-id /var/lib/dbus/machine-id
+
+- name: "Cleaning the machine-id."
+  when: 'ansible_facts[''distribution_major_version''] >= "9"'
+  shell: |
+    truncate -s 0 /etc/machine-id
+
+- name: "Cleaning the shell history."
+  shell: |
+    unset HISTFILE
+    history -cw
+    echo > ~/.bash_history
+    rm -fr /root/.bash_history
+
+- name: "Running a sync."
+  shell: |
+    sync && sync
+
+...

ansible/roles/clean/tasks/ubuntu.yml

@@ -0,0 +1,93 @@
+---
+
+- name: Remove audit log files
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "/var/log/audit/audit.log"
+    - "/var/log/wtmp"
+    - "/var/log/lastlog"
+
+- name: Check to see if the /var/log/audit directory exists
+  ansible.builtin.stat:
+    path: "/var/log/audit"
+  register: audit_directory
+
+- name: Ensure /var/log/audit directory exists
+  ansible.builtin.file:
+    path: /var/log/audit
+    state: directory
+    mode: "0750"
+    owner: root
+    group: adm
+  when: audit_directory.stat.exists
+
+- name: Ensure /var/log/audit/audit.log exists
+  ansible.builtin.file:
+    path: /var/log/audit/audit.log
+    state: touch
+    mode: "0640"
+    owner: root
+    group: adm
+  when: audit_directory.stat.exists
+
+- name: Ensure wtmp and lastlog exist with the correct permissions
+  ansible.builtin.copy:
+    dest: "{{ item }}"
+    content: ""
+    mode: "0664"
+    owner: root
+    group: utmp
+  loop:
+    - "/var/log/wtmp"
+    - "/var/log/lastlog"
+
+- name: Cleaning persistent udev rules
+  ansible.builtin.file:
+    path: /etc/udev/rules.d/70-persistent-net.rules
+    state: absent
+
+- name: "Cleaning the /tmp directories"
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "/tmp/*"
+    - "/var/tmp/*"
+
+- name: Cleaning the SSH host keys
+  shell: |
+    rm -f /etc/ssh/ssh_host_*
+
+- name: remove /etc/machine-id
+  file:
+    path: /etc/machine-id
+    state: absent
+
+- name: remove /var/lib/dbus/machine-id
+  file:
+    path: /var/lib/dbus/machine-id
+    state: absent
+
+- name: generate new machine-id
+  command: systemd-machine-id-setup
+
+- name: Clean apt
+  ansible.builtin.apt:
+    autoclean: yes
+    autoremove: yes
+    clean: yes
+
+- name: Cleaning the shell history
+  shell: |
+    unset HISTFILE
+    history -cw
+    echo > ~/.bash_history
+    rm -fr /root/.bash_history
+
+- name: Clean cloud-init
+  ansible.builtin.command: cloud-init clean
+  when: cloud_init | bool
+
+...

ansible/roles/configure/tasks/debian.yml

@@ -0,0 +1,37 @@
+---
+- name: "Configure SSH for Public Key Authentication."
+  shell: |
+    sudo sed -i 's/.*PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
+
+- name: Creating SSH key regeneration service file
+  ansible.builtin.copy:
+    dest: /etc/systemd/system/regenerate_ssh_host_keys.service
+    content: |
+      [Unit]
+      Description=Regenerate SSH host keys
+      Before=ssh.service
+      ConditionFileIsExecutable=/usr/bin/ssh-keygen
+
+      [Service]
+      Type=oneshot
+      ExecStartPre=-/bin/dd if=/dev/hwrng of=/dev/urandom count=1 bs=4096
+      ExecStartPre=-/bin/sh -c "/bin/rm -f -v /etc/ssh/ssh_host_*_key*"
+      ExecStart=/usr/bin/ssh-keygen -A -v
+      ExecStartPost=/bin/systemctl disable regenerate_ssh_host_keys
+
+      [Install]
+      WantedBy=multi-user.target
+  when: not cloud_init | bool
+
+- name: Reload systemd to re-read configurations
+  ansible.builtin.systemd:
+    daemon-reload: true
+  when: not cloud_init | bool
+
+- name: Enable regenerate_ssh_host_keys service
+  ansible.builtin.systemd:
+    name: regenerate_ssh_host_keys
+    enabled: true
+  when: not cloud_init | bool
+
+...

ansible/roles/configure/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- name: "Configure the {{ ansible_facts['distribution'] }} guest operating system."
+  include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml"
+  when: "ansible_facts['distribution'] == 'Debian'"
+- name: "Configure the {{ ansible_facts['distribution'] }} guest operating system."
+  include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml"
+  when: "ansible_facts['distribution'] == 'Ubuntu'"
+- name: "Configure the {{ ansible_facts['distribution'] }} guest operating system."
+  include_tasks: redhat.yml
+  when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux', 'OracleLinux']"

ansible/roles/configure/tasks/redhat.yml

@@ -0,0 +1,5 @@
+---
+- name: "Configure SSH for Public Key Authentication."
+  shell: |
+    sudo sed -i 's/.*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+    sudo sed -i 's/.*PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config

ansible/roles/configure/tasks/ubuntu.yml

@@ -0,0 +1,87 @@
+---
+- name: "Configure SSH for Public Key Authentication"
+  shell: |
+    sudo sed -i 's/.*PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
+- name: "Restarting the SSH daemon."
+  shell: |
+    sudo systemctl restart sshd
+
+- name: Remove cloud-init files
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg
+    - /etc/cloud/cloud.cfg.d/50-curtin-networking.cfg
+    - /etc/cloud/cloud.cfg.d/curtin-preserve-sources.cfg
+    - /etc/cloud/cloud.cfg.d/99-installer.cfg
+    - /etc/netplan/00-installer-config.yaml
+  when:
+    - cloud_init | bool
+    - ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04"
+
+- name: Disable cloud-init if configured to 
+  block:
+    - name: Check if /etc/cloud/ exists
+      ansible.builtin.stat:
+        path: '/etc/cloud/'
+      register: etc_cloud_folder
+
+    - name: 'Generate /etc/cloud/cloud-init.disabled'
+      ansible.builtin.copy:
+        dest: '/etc/cloud/cloud-init.disabled'
+        content: 'disabled by ansible\n'
+        owner: 'root'
+        group: 'root'
+        mode: '0644'
+      when:
+        - 'etc_cloud_folder.stat.exists'
+  when: 
+    - not cloud_init | bool
+    - ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04"
+
+- name: Copy cloud-init PVE default file
+  ansible.builtin.copy:
+    dest: /etc/cloud/cloud.cfg.d/90_dpkg.cfg
+    content: |
+      datasource_list: [ ConfigDrive, NoCloud ]
+  when: cloud_init | bool
+
+- name: "Modifying GRUB."
+  shell: |
+    sed -i -e "s/GRUB_CMDLINE_LINUX_DEFAULT=\"\(.*\)\"/GRUB_CMDLINE_LINUX_DEFAULT=\"\"/" /etc/default/grub
+    update-grub
+  when: ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04"
+
+- name: Creating SSH key regeneration service file
+  ansible.builtin.copy:
+    dest: /etc/systemd/system/regenerate_ssh_host_keys.service
+    content: |
+      [Unit]
+      Description=Regenerate SSH host keys
+      Before=ssh.service
+      ConditionFileIsExecutable=/usr/bin/ssh-keygen
+
+      [Service]
+      Type=oneshot
+      ExecStartPre=-/bin/dd if=/dev/hwrng of=/dev/urandom count=1 bs=4096
+      ExecStartPre=-/bin/sh -c "/bin/rm -f -v /etc/ssh/ssh_host_*_key*"
+      ExecStart=/usr/bin/ssh-keygen -A -v
+      ExecStartPost=/bin/systemctl disable regenerate_ssh_host_keys
+
+      [Install]
+      WantedBy=multi-user.target
+  when: not cloud_init | bool
+
+- name: Reload systemd to re-read configurations
+  ansible.builtin.systemd:
+    daemon-reload: true
+  when: not cloud_init | bool
+
+- name: Enable regenerate_ssh_host_keys service
+  ansible.builtin.systemd:
+    name: regenerate_ssh_host_keys
+    enabled: true
+  when: not cloud_init | bool
+
+...

ansible/roles/users/tasks/linux.yml

@@ -0,0 +1,31 @@
+---
+- name: "Adding authorized_keys for the default local user."
+  shell: |
+    sudo mkdir -p /home/{{BUILD_USERNAME}}/.ssh
+    sudo tee /home/{{BUILD_USERNAME}}/.ssh/authorized_keys << EOF
+    {{BUILD_SECRET}}
+    EOF
+    sudo chown -R {{BUILD_USERNAME}} /home/{{BUILD_USERNAME}}/.ssh
+    sudo chmod 700 /home/{{BUILD_USERNAME}}/.ssh
+    sudo chmod 644 /home/{{BUILD_USERNAME}}/.ssh/authorized_keys
+- name: "Adding the default local user to passwordless sudoers."
+  shell: |
+    sudo bash -c "echo \"""{{BUILD_USERNAME}}"" ALL=(ALL) NOPASSWD:ALL\" >> /etc/sudoers"
+- name: "Creating a local user for Ansible."
+  shell: |
+    sudo groupadd {{ANSIBLE_USERNAME}}
+    sudo useradd -g {{ANSIBLE_USERNAME}} -m -s /bin/bash {{ANSIBLE_USERNAME}}
+    sudo usermod -aG sudo {{ANSIBLE_USERNAME}}
+    echo {{ANSIBLE_USERNAME}}:"$(openssl rand -base64 14)" | sudo chpasswd
+- name: "Adding authorized_keys to the local user for Ansible."
+  shell: |
+    sudo mkdir -p /home/{{ANSIBLE_USERNAME}}/.ssh
+    sudo tee /home/{{ANSIBLE_USERNAME}}/.ssh/authorized_keys << EOF
+    {{ANSIBLE_SECRET}}
+    EOF
+    sudo chown -R {{ANSIBLE_USERNAME}} /home/{{ANSIBLE_USERNAME}}/.ssh
+    sudo chmod 700 /home/{{ANSIBLE_USERNAME}}/.ssh
+    sudo chmod 644 /home/{{ANSIBLE_USERNAME}}/.ssh/authorized_keys
+- name: "Adding the local user for Ansible to passwordless sudoers."
+  shell: |
+    sudo bash -c "echo \"""{{ANSIBLE_USERNAME}}"" ALL=(ALL) NOPASSWD:ALL\" >> /etc/sudoers"

ansible/roles/users/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- name: "Configure users on {{ ansible_facts['distribution'] }} guest operating system."
+  include_tasks: linux.yml
+  when: "ansible_facts['distribution'] == 'Debian'"
+- name: "Configure users on {{ ansible_facts['distribution'] }} guest operating system."
+  include_tasks: linux.yml
+  when: "ansible_facts['distribution'] == 'Ubuntu'"
+- name: "Configure users on {{ ansible_facts['distribution'] }} guest operating system."
+  include_tasks: linux.yml
+  when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux', 'OracleLinux']"