From b885f907db475234178a99ef91bc2f86b418f1e0 Mon Sep 17 00:00:00 2001 From: AJ Schroeder <6432150+ajschroeder@users.noreply.github.com> Date: Sat, 29 Jun 2024 10:26:52 -0500 Subject: [PATCH] feat: reworked most of the ansible playbooks and roles --- ansible/{main.yml => linux-playbook.yml} | 0 ansible/linux-requirements.yml | 6 + ansible/roles/base/defaults/main.yml | 2 + ansible/roles/base/tasks/debian.yml | 8 ++ ansible/roles/base/tasks/main.yml | 8 +- ansible/roles/base/tasks/redhat.yml | 9 +- ansible/roles/base/tasks/suse.yml | 32 ++++- ansible/roles/base/vars/main.yml | 6 + ansible/roles/clean/tasks/debian.yml | 144 ++++++++++++---------- ansible/roles/clean/tasks/main.yml | 6 +- ansible/roles/clean/tasks/redhat.yml | 135 ++++++++++++-------- ansible/roles/clean/tasks/suse.yml | 17 +-- ansible/roles/clean/tasks/ubuntu.yml | 150 +++++++++++------------ ansible/roles/clean/vars/main.yml | 2 + ansible/roles/configure/tasks/debian.yml | 85 ++++++++----- ansible/roles/configure/tasks/main.yml | 6 +- ansible/roles/configure/tasks/redhat.yml | 39 +++++- ansible/roles/configure/tasks/suse.yml | 27 +++- ansible/roles/configure/tasks/ubuntu.yml | 128 ++++++++----------- ansible/roles/configure/vars/main.yml | 2 + ansible/roles/users/tasks/linux.yml | 75 +++++++----- ansible/roles/users/vars/main.yml | 2 + 22 files changed, 524 insertions(+), 365 deletions(-) rename ansible/{main.yml => linux-playbook.yml} (100%) create mode 100644 ansible/linux-requirements.yml create mode 100644 ansible/roles/base/defaults/main.yml create mode 100644 ansible/roles/clean/vars/main.yml create mode 100644 ansible/roles/configure/vars/main.yml create mode 100644 ansible/roles/users/vars/main.yml diff --git a/ansible/main.yml b/ansible/linux-playbook.yml similarity index 100% rename from ansible/main.yml rename to ansible/linux-playbook.yml diff --git a/ansible/linux-requirements.yml b/ansible/linux-requirements.yml new file mode 100644 index 0000000..babfada --- /dev/null 
+++ b/ansible/linux-requirements.yml @@ -0,0 +1,6 @@ +--- +collections: + - name: ansible.posix + version: 1.5.4 + - name: community.general + version: 8.5.0 \ No newline at end of file diff --git a/ansible/roles/base/defaults/main.yml b/ansible/roles/base/defaults/main.yml new file mode 100644 index 0000000..ee29246 --- /dev/null +++ b/ansible/roles/base/defaults/main.yml @@ -0,0 +1,2 @@ +--- +enable_cloudinit: false \ No newline at end of file diff --git a/ansible/roles/base/tasks/debian.yml b/ansible/roles/base/tasks/debian.yml index 5314222..97fa550 100644 --- a/ansible/roles/base/tasks/debian.yml +++ b/ansible/roles/base/tasks/debian.yml @@ -1,4 +1,5 @@ --- + - block: - name: "Updating the guest operating system." ansible.builtin.apt: @@ -11,3 +12,10 @@ ansible.builtin.apt: name: "{{ additional_packages[ansible_os_family] }}" state: latest # noqa package-latest + + - name: "Installing cloud-init." + become: true + ansible.builtin.apt: + name: cloud-init + state: latest + when: enable_cloudinit == 'true' and ansible_distribution_version | int >= 11 diff --git a/ansible/roles/base/tasks/main.yml b/ansible/roles/base/tasks/main.yml index 2e51352..dc5169c 100644 --- a/ansible/roles/base/tasks/main.yml +++ b/ansible/roles/base/tasks/main.yml @@ -1,5 +1,9 @@ --- +- name: "Getting guest operating system information." + ansible.builtin.debug: + msg: "OS: {{ ansible_distribution }} Version: {{ ansible_distribution_version }} Family: {{ ansible_os_family }}" + - name: Prepare the {{ ansible_facts['distribution'] }} guest operating system include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml" when: "ansible_facts['distribution'] == 'Debian'" 
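Review bot: The new "Installing cloud-init." task in roles/base/tasks/debian.yml is gated on `enable_cloudinit == 'true'`, a string comparison, while roles/base/defaults/main.yml in this same commit declares `enable_cloudinit: false` as a YAML boolean, so a user who sets the boolean `true` never gets cloud-init installed (only the literal string 'true' matches). Use `when: enable_cloudinit | bool and ansible_distribution_major_version | int >= 11` so both spellings work, and prefer `ansible_distribution_major_version` over `ansible_distribution_version | int`, since the Jinja `int` filter silently turns an unparsable value into 0 and the check then passes or fails by accident. The same string comparison is repeated in the redhat.yml and suse.yml hunks of this role and in the configure role, so the fix should be applied consistently. The enclosing `block:` starts outside this hunk, so whether it already carries `become: true` cannot be confirmed here.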
@@ -13,7 +17,7 @@ when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux', 'OracleLinux']" - name: Prepare the {{ ansible_facts['distribution'] }} guest operating system - include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml" - when: "ansible_facts['distribution'] == 'Suse'" + include_tasks: suse.yml + when: "ansible_facts['distribution'] in ['openSUSE Leap', 'Suse']" ... \ No newline at end of file diff --git a/ansible/roles/base/tasks/redhat.yml b/ansible/roles/base/tasks/redhat.yml index c2b27f5..88a2889 100644 --- a/ansible/roles/base/tasks/redhat.yml +++ b/ansible/roles/base/tasks/redhat.yml @@ -15,5 +15,12 @@ ansible.builtin.dnf: name: "{{ additional_packages[ansible_os_family] }}" state: latest # noqa package-latest - when: ansible_distribution_major_version | int > 8 + + - name: "Installing cloud-init." + become: true + ansible.builtin.dnf: + name: cloud-init + state: latest + when: enable_cloudinit == 'true' and ansible_distribution_version | int >= 8 + when: ansible_os_family == 'RedHat' and ansible_distribution_major_version | int >= 8 diff --git a/ansible/roles/base/tasks/suse.yml b/ansible/roles/base/tasks/suse.yml index 82f24a2..ab9792f 100644 --- a/ansible/roles/base/tasks/suse.yml +++ b/ansible/roles/base/tasks/suse.yml 
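Review bot: The new condition `ansible_facts['distribution'] in ['openSUSE Leap', 'Suse']` will, as far as I recall, never match a SLES host: Ansible reports SLES with distribution `SLES` and uses `Suse` only for the os_family, and the `!= 'openSUSE Leap'` guards added to suse.yml elsewhere in this commit suggest SLES is meant to be covered. Keying the include on the family instead, `when: ansible_facts['os_family'] == 'Suse'`, matches both Leap and SLES with one expression. The clean and configure main.yml hunks in this commit use the same list and would need the same change.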
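Review bot: In roles/base/tasks/redhat.yml the cloud-init task's `when: enable_cloudinit == 'true' and ansible_distribution_version | int >= 8` is a string comparison that the boolean default from defaults/main.yml never satisfies, and its version test duplicates the block-level `ansible_distribution_major_version | int >= 8` that this hunk moves to the end of the block. `when: enable_cloudinit | bool` on the task is enough. Note also that the block-level `when` now covers the "Installing additional packages" task that previously had its own `> 8` guard, which changes it from `> 8` to `>= 8`; if that is intended it is worth a comment, e.g. `# Whole block applies to EL8 and newer.`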
@@ -1,9 +1,29 @@ --- -- name: Updating the operating system - ansible.builtin.zypper: - name: "*" - state: latest - update_cache: true +- block: + - name: Updating the operating system + ansible.builtin.zypper: + name: "*" + state: latest + update_cache: true -... \ No newline at end of file + - name: Installing additional packages + ansible.builtin.zypper: + name: "{{ additional_packages[ansible_os_family] }}" + state: latest + +- name: "Configure cloud-init." + block: + - name: "Add the SUSE OSS repo." + become: true + community.general.zypper_repository: + name: repo-oss + repo: "http://download.opensuse.org/distribution/leap/15.5/repo/oss/" + auto_import_keys: true + + - name: "Installing cloud-init." + become: true + ansible.builtin.zypper: + name: cloud-init + state: latest + when: enable_cloudinit == 'true' diff --git a/ansible/roles/base/vars/main.yml b/ansible/roles/base/vars/main.yml index 0d2cbc6..f5a8a78 100644 --- a/ansible/roles/base/vars/main.yml +++ b/ansible/roles/base/vars/main.yml @@ -12,6 +12,12 @@ additional_packages: - curl - unzip - wget + Suse: + - bash-completion + - ca-certificates + - curl + - unzip + - wget Ubuntu: - bash-completion - ca-certificates diff --git a/ansible/roles/clean/tasks/debian.yml b/ansible/roles/clean/tasks/debian.yml index d084e3c..e86081d 100644 --- a/ansible/roles/clean/tasks/debian.yml +++ b/ansible/roles/clean/tasks/debian.yml 
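Review bot: The new `zypper_repository` task adds `http://download.opensuse.org/distribution/leap/15.5/repo/oss/` over plain HTTP with `auto_import_keys: true`, so the repository signing key is fetched and trusted over an unauthenticated channel and an on-path attacker who can answer for that URL controls what `zypper` installs from then on. Use the `https://` URL, and consider leaving `auto_import_keys` off and importing the expected key explicitly so the trust root is not whatever the network returns. The path is also hard-coded to Leap 15.5 and is added for every host reaching suse.yml, including SLES where this repo is wrong; `repo: "https://download.opensuse.org/distribution/leap/{{ ansible_distribution_version }}/repo/oss/"` with `when: ansible_distribution == 'openSUSE Leap'` would be safer. The first block in this hunk also has no `become`, unlike the cloud-init tasks, so the `zypper name: "*"` update relies on the play already running as root.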
@@ -1,81 +1,93 @@ --- +# Tasks for setting custom facts. +- name: "Setting custom facts." + set_fact: + enable_cloudinit: "{{ enable_cloudinit | default('false') }}" -- name: Remove audit log files - ansible.builtin.file: +# # Tasks for removing the cloud-init package. +# - name: "Removing the cloud-init package." +# apt: +# name: cloud-init +# state: absent +# when: ansible_distribution == 'Ubuntu' and enable_cloudinit == 'false' + +# Tasks to clean the audit logs. +- name: "Cleaning the audit logs." + file: path: "{{ item }}" state: absent loop: - - "/var/log/audit/audit.log" - - "/var/log/wtmp" - - "/var/log/lastlog" + - /var/log/audit/audit.log + - /var/log/auth.log + - /var/log/btmp + - /var/log/dpkg.log + - /var/log/faillog + - /var/log/kern.log + - /var/log/lastlog + - /var/log/syslog + - /var/log/wtmp -- name: Check to see if the /var/log/audit directory exists - ansible.builtin.stat: - path: "/var/log/audit" - register: audit_directory - -- name: Ensure /var/log/audit directory exists - ansible.builtin.file: - path: /var/log/audit - state: directory - mode: "0750" - owner: root - group: adm - when: audit_directory.stat.exists - -- name: Ensure /var/log/audit/audit.log exists - ansible.builtin.file: - path: /var/log/audit/audit.log - state: touch - mode: "0640" - owner: root - group: adm - when: audit_directory.stat.exists - -- name: Ensure wtmp and lastlog exist with the correct permissions - ansible.builtin.copy: - dest: "{{ item }}" - content: "" - mode: "0664" - owner: root - group: utmp - loop: - - "/var/log/wtmp" - - "/var/log/lastlog" - -- name: Cleaning persistent udev rules - ansible.builtin.file: +# Tasks to clean the persistent udev rules. +- name: "Cleaning persistent udev rules." + file: path: /etc/udev/rules.d/70-persistent-net.rules state: absent -- name: "Cleaning the /tmp directories" - ansible.builtin.file: - path: "{{ item }}" - state: absent - loop: - - "/tmp/*" - - "/var/tmp/*" +# Tasks to find the /tmp directories. 
+- name: "Finding the /tmp directories." + find: + paths: + - /tmp + - /var/tmp + file_type: any + register: find_tmp_directories +# Tasks to clean the /tmp directories. +- name: "Cleaning the /tmp directories." + file: + path: "{{ item.path }}" + state: absent + loop: "{{ find_tmp_directories.files }}" + loop_control: + label: "{{ item.path }}" + +# Tasks to find the SSH host keys. +- name: "Finding the SSH host keys." + find: + paths: /etc/ssh + patterns: 'ssh_host_*' + register: find_ssh_host_keys + +# Tasks to clean the SSH host keys. - name: "Cleaning the SSH host keys." - shell: | - rm -f /etc/ssh/ssh_host_* - -- name: remove /etc/machine-id file: - path: /etc/machine-id + path: "{{ item.path }}" state: absent + loop: "{{ find_ssh_host_keys.files }}" + loop_control: + label: "{{ item.path }}" -- name: remove /var/lib/dbus/machine-id - file: - path: /var/lib/dbus/machine-id - state: absent +# Tasks to clean the machine-id. +- name: "Cleaning the machine-id." + block: + - name: "Emptying the /etc/machine-id." + community.general.filesize: + path: /etc/machine-id + size: 0 + - name: "Removing /var/lib/dbus/machine-id." + file: + path: /var/lib/dbus/machine-id + state: absent + - name: "Creating a symbolic link to /etc/machine-id." + file: + src: /etc/machine-id + dest: /var/lib/dbus/machine-id + state: link -- name: generate new machine-id - command: systemd-machine-id-setup - -- name: Cleaning the shell history - shell: | - unset HISTFILE - history -cw - echo > ~/.bash_history - rm -fr /root/.bash_history +# Tasks to clean the shell history. +- name: "Cleaning the shell history." + block: + - name: "Cleaning the shell history." + file: + path: "{{ ansible_env.HOME }}/.bash_history" + state: absent \ No newline at end of file diff --git a/ansible/roles/clean/tasks/main.yml b/ansible/roles/clean/tasks/main.yml index 2e51352..5c3566f 100644 --- a/ansible/roles/clean/tasks/main.yml +++ b/ansible/roles/clean/tasks/main.yml 
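Review bot: "Cleaning the audit logs." now deletes `/var/log/wtmp`, `/var/log/lastlog`, `/var/log/btmp` and the other logs with `state: absent`, and the tasks that re-created wtmp/lastlog as root:utmp 0664 and audit.log as root:adm 0640 were removed, so whatever recreates those files on first boot decides their ownership and mode. Truncating instead of deleting preserves the permissions; this same file already uses `community.general.filesize` with `size: 0` for /etc/machine-id, and the same module fits the log files. The history task only removes `{{ ansible_env.HOME }}/.bash_history`, i.e. the home of the connecting user, whereas the shell task it replaces also removed /root/.bash_history; with `become` in play root's history and the build user's history are left in the image. The one-task `block:` around it adds nothing and can be dropped.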
@@ -12,8 +12,8 @@ include_tasks: redhat.yml when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux', 'OracleLinux']" -- name: Prepare the {{ ansible_facts['distribution'] }} guest operating system - include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml" - when: "ansible_facts['distribution'] == 'Suse'" +- name: Cleaning tasks for the {{ ansible_facts['distribution'] }} guest operating system + include_tasks: suse.yml + when: "ansible_facts['distribution'] in ['openSUSE Leap', 'Suse']" ... \ No newline at end of file diff --git a/ansible/roles/clean/tasks/redhat.yml b/ansible/roles/clean/tasks/redhat.yml index 28e91cc..20c1503 100644 --- a/ansible/roles/clean/tasks/redhat.yml +++ b/ansible/roles/clean/tasks/redhat.yml 
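Review bot: `ansible_facts['distribution'] in ['openSUSE Leap', 'Suse']` has the same problem as in roles/base/tasks/main.yml: SLES reports distribution `SLES`, so, as far as I recall, SLES hosts never reach suse.yml even though that file carries SLES-only SUSEConnect handling. `when: ansible_facts['os_family'] == 'Suse'` covers both.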
@@ -1,59 +1,92 @@ --- - -- name: "Cleaning all audit logs." - shell: | - if [ -f /var/log/audit/audit.log ]; then - cat /dev/null > /var/log/audit/audit.log - fi - if [ -f /var/log/wtmp ]; then - cat /dev/null > /var/log/wtmp - fi - if [ -f /var/log/lastlog ]; then - cat /dev/null > /var/log/lastlog - fi - -- name: "Cleaning persistent udev rules." - shell: | - if [ -f /etc/udev/rules.d/70-persistent-net.rules ]; then - rm /etc/udev/rules.d/70-persistent-net.rules - fi - -- name: "Cleaning the /tmp directories" - shell: | - rm -rf /tmp/* - rm -rf /var/tmp/* - rm -rf /var/cache/dnf/* - +# Tasks to clean the Red Hat Subscription Manager logs. - name: "Cleaning the Red Hat Subscription Manager logs." - shell: | - rm -rf /var/log/rhsm/* - when: "ansible_facts['distribution'] == 'RedHat'" + ansible.builtin.file: + path: /var/log/rhsm + state: absent + when: ansible_distribution == 'RedHat' +# Tasks to clean the audit logs. +- name: "Cleaning the audit logs." + ansible.builtin.file: + path: "{{ item }}" + state: absent + loop: + - /var/log/audit/audit.log + - /var/log/btmp + - /var/log/boot.log + - /var/log/cron + - /var/log/dnf.log + - /var/log/lastlog + - /var/log/maillog + - /var/log/messages + - /var/log/secure + - /var/log/wtmp + - /var/log/yum.log + +# Tasks to clean the persistent udev rules. +- name: "Cleaning persistent udev rules." + ansible.builtin.file: + path: /etc/udev/rules.d/70-persistent-net.rules + state: absent + +# Tasks to find the /tmp directories. +- name: "Finding the /tmp directories." + ansible.builtin.find: + paths: + - /tmp + - /var/tmp + file_type: any + register: find_tmp_directories + +# Tasks to clean the /tmp directories. +- name: "Cleaning the /tmp directories." + ansible.builtin.file: + path: "{{ item.path }}" + state: absent + loop: "{{ find_tmp_directories.files }}" + loop_control: + label: "{{ item.path }}" + +# Tasks to find the SSH host keys. +- name: "Finding the SSH host keys." 
+ ansible.builtin.find: + paths: /etc/ssh + patterns: 'ssh_host_*' + register: find_ssh_host_keys + +# Tasks to clean the SSH host keys. - name: "Cleaning the SSH host keys." - shell: | - rm -f /etc/ssh/ssh_host_* + ansible.builtin.file: + path: "{{ item.path }}" + state: absent + loop: "{{ find_ssh_host_keys.files }}" + loop_control: + label: "{{ item.path }}" + +# Tasks to clean the machine-id. +- name: "Emptying the /etc/machine-id." + community.general.filesize: + path: /etc/machine-id + size: 0 - name: "Cleaning the machine-id." - when: 'ansible_facts[''distribution_major_version''] <= "8"' - shell: | - truncate -s 0 /etc/machine-id - rm /var/lib/dbus/machine-id - ln -s /etc/machine-id /var/lib/dbus/machine-id - -- name: "Cleaning the machine-id." - when: 'ansible_facts[''distribution_major_version''] >= "9"' - shell: | - truncate -s 0 /etc/machine-id + block: + - name: "Removing /var/lib/dbus/machine-id." + ansible.builtin.file: + path: /var/lib/dbus/machine-id + state: absent + - name: "Creating a symbolic link to /etc/machine-id." + ansible.builtin.file: + src: /etc/machine-id + dest: /var/lib/dbus/machine-id + state: link + when: ansible_distribution_major_version | int <= 8 +# Tasks to clean the shell history. - name: "Cleaning the shell history." - shell: | - unset HISTFILE - history -cw - echo > ~/.bash_history - rm -fr /root/.bash_history - -- name: "Running a sync." - shell: | - sync && sync - -... \ No newline at end of file + block: + - name: "Cleaning the shell history." + ansible.builtin.file: + path: "{{ ansible_env.HOME }}/.bash_history" + state: absent \ No newline at end of file diff --git a/ansible/roles/clean/tasks/suse.yml b/ansible/roles/clean/tasks/suse.yml index a4299ba..5323171 100644 --- a/ansible/roles/clean/tasks/suse.yml +++ b/ansible/roles/clean/tasks/suse.yml 
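Review bot: "Cleaning the Red Hat Subscription Manager logs." now removes the `/var/log/rhsm` directory itself with `state: absent`, whereas the replaced shell task only emptied it (`rm -rf /var/log/rhsm/*`), so subscription-manager on the clone must recreate the directory and its original ownership and mode are lost. The same applies to `/var/log/secure`, `/var/log/audit/audit.log` and the rest of the list, which are deleted rather than truncated; `community.general.filesize` with `size: 0`, already used for /etc/machine-id a few lines below, keeps the permissions intact. The old `rm -rf /var/cache/dnf/*` was dropped without replacement, so package cache metadata stays in the image; `ansible.builtin.command: dnf clean all` with `changed_when: true` restores that. The history task again only covers `{{ ansible_env.HOME }}`, leaving /root/.bash_history behind when connecting as a non-root user with become.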
@@ -2,13 +2,14 @@ # Tasks to clean the SUSE Customer Center file. - name: "Cleaning the SUSE Customer Center file." - file: + ansible.builtin.file: path: /etc/SUSEConnect state: absent + when: "ansible_facts['distribution'] != 'openSUSE Leap'" # Tasks to clean the audit logs. - name: "Cleaning the audit logs." - file: + ansible.builtin.file: path: "{{ item }}" state: absent loop: @@ -24,13 +25,13 @@ # Tasks to clean the persistent udev rules. - name: "Cleaning persistent udev rules." - file: + ansible.builtin.file: path: /etc/udev/rules.d/70-persistent-net.rules state: absent # Tasks to find the /tmp directories. - name: "Finding the /tmp directories." - find: + ansible.builtin.find: paths: - /tmp - /var/tmp @@ -40,7 +41,7 @@ # Tasks to clean the /tmp directories. - name: "Cleaning the /tmp directories." - file: + ansible.builtin.file: path: "{{ item.path }}" state: absent loop: "{{ find_tmp_directories.files }}" @@ -49,14 +50,14 @@ # Tasks to find the SSH host keys. - name: "Finding the SSH host keys." - find: + ansible.builtin.find: paths: /etc/ssh patterns: 'ssh_host_*' register: find_ssh_host_keys # Tasks to clean the SSH host keys. - name: "Cleaning the SSH host keys." - file: + ansible.builtin.file: path: "{{ item.path }}" state: absent loop: "{{ find_ssh_host_keys.files }}" @@ -73,7 +74,7 @@ - name: "Cleaning the shell history." block: - name: "Cleaning the shell history." - file: + ansible.builtin.file: path: "{{ ansible_env.HOME }}/.bash_history" state: absent diff --git a/ansible/roles/clean/tasks/ubuntu.yml b/ansible/roles/clean/tasks/ubuntu.yml index 0125776..3016532 100644 --- a/ansible/roles/clean/tasks/ubuntu.yml +++ b/ansible/roles/clean/tasks/ubuntu.yml 
@@ -1,93 +1,93 @@ --- +# Tasks for setting custom facts. +- name: "Setting custom facts." + ansible.builtin.set_fact: + enable_cloudinit: "{{ enable_cloudinit | default('false') }}" -- name: Remove audit log files +# Tasks for removing the cloud-init package. +- name: "Removing the cloud-init package." + ansible.builtin.apt: + name: cloud-init + state: absent + when: enable_cloudinit == 'false' + +# Tasks to clean the audit logs. +- name: "Cleaning the audit logs." ansible.builtin.file: path: "{{ item }}" state: absent loop: - - "/var/log/audit/audit.log" - - "/var/log/wtmp" - - "/var/log/lastlog" + - /var/log/audit/audit.log + - /var/log/auth.log + - /var/log/btmp + - /var/log/dpkg.log + - /var/log/faillog + - /var/log/kern.log + - /var/log/lastlog + - /var/log/syslog + - /var/log/wtmp -- name: Check to see if the /var/log/audit directory exists - ansible.builtin.stat: - path: "/var/log/audit" - register: audit_directory - -- name: Ensure /var/log/audit directory exists - ansible.builtin.file: - path: /var/log/audit - state: directory - mode: "0750" - owner: root - group: adm - when: audit_directory.stat.exists - -- name: Ensure /var/log/audit/audit.log exists - ansible.builtin.file: - path: /var/log/audit/audit.log - state: touch - mode: "0640" - owner: root - group: adm - when: audit_directory.stat.exists - -- name: Ensure wtmp and lastlog exist with the correct permissions - ansible.builtin.copy: - dest: "{{ item }}" - content: "" - mode: "0664" - owner: root - group: utmp - loop: - - "/var/log/wtmp" - - "/var/log/lastlog" - -- name: Cleaning persistent udev rules +# Tasks to clean the persistent udev rules. +- name: "Cleaning persistent udev rules." ansible.builtin.file: path: /etc/udev/rules.d/70-persistent-net.rules state: absent -- name: "Cleaning the /tmp directories" +# Tasks to find the /tmp directories. +- name: "Finding the /tmp directories." 
+ ansible.builtin.find: + paths: + - /tmp + - /var/tmp + file_type: any + register: find_tmp_directories + +# Tasks to clean the /tmp directories. +- name: "Cleaning the /tmp directories." ansible.builtin.file: - path: "{{ item }}" + path: "{{ item.path }}" state: absent - loop: - - "/tmp/*" - - "/var/tmp/*" + loop: "{{ find_tmp_directories.files }}" + loop_control: + label: "{{ item.path }}" -- name: Cleaning the SSH host keys - shell: | - rm -f /etc/ssh/ssh_host_* +# Tasks to find the SSH host keys. +- name: "Finding the SSH host keys." + ansible.builtin.find: + paths: /etc/ssh + patterns: 'ssh_host_*' + register: find_ssh_host_keys -- name: remove /etc/machine-id - file: - path: /etc/machine-id +# Tasks to clean the SSH host keys. +- name: "Cleaning the SSH host keys." + ansible.builtin.file: + path: "{{ item.path }}" state: absent + loop: "{{ find_ssh_host_keys.files }}" + loop_control: + label: "{{ item.path }}" -- name: remove /var/lib/dbus/machine-id - file: - path: /var/lib/dbus/machine-id - state: absent +# Tasks to clean the machine-id. +- name: "Cleaning the machine-id." + block: + - name: "Emptying the /etc/machine-id." + community.general.filesize: + path: /etc/machine-id + size: 0 + - name: "Removing /var/lib/dbus/machine-id." + ansible.builtin.file: + path: /var/lib/dbus/machine-id + state: absent + - name: "Creating a symbolic link to /etc/machine-id." + ansible.builtin.file: + src: /etc/machine-id + dest: /var/lib/dbus/machine-id + state: link -- name: generate new machine-id - command: systemd-machine-id-setup - -- name: Clean apt - ansible.builtin.apt: - autoclean: yes - autoremove: yes - clean: yes - -- name: Cleaning the shell history - shell: | - unset HISTFILE - history -cw - echo > ~/.bash_history - rm -fr /root/.bash_history - -- name: Clean cloud-init - ansible.builtin.command: cloud-init clean - when: cloud_init | bool - -... +# Tasks to clean the shell history. +- name: "Cleaning the shell history." 
+ block: + - name: "Cleaning the shell history." + ansible.builtin.file: + path: "{{ ansible_env.HOME }}/.bash_history" + state: absent \ No newline at end of file diff --git a/ansible/roles/clean/vars/main.yml b/ansible/roles/clean/vars/main.yml new file mode 100644 index 0000000..075e3e0 --- /dev/null +++ b/ansible/roles/clean/vars/main.yml @@ -0,0 +1,2 @@ +--- +task_name: "Clean the operating system." \ No newline at end of file diff --git a/ansible/roles/configure/tasks/debian.yml b/ansible/roles/configure/tasks/debian.yml index 35250c6..1fd82e2 100644 --- a/ansible/roles/configure/tasks/debian.yml +++ b/ansible/roles/configure/tasks/debian.yml 
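Review bot: The `Clean cloud-init` task (`cloud-init clean`) was removed and nothing replaces it for the `enable_cloudinit == 'true'` case, so `/var/lib/cloud` (instance-id, seed, semaphores) from the build stays in the image and cloud-init on a clone will consider itself already run; add `ansible.builtin.command: cloud-init clean --logs` guarded by `when: enable_cloudinit | bool`. The removal task's `when: enable_cloudinit == 'false'` compares against a string, so a boolean `false` from roles/base/defaults/main.yml keeps cloud-init installed; `when: not (enable_cloudinit | bool)` handles both forms. `state: absent` on `ansible.builtin.apt` does not purge, so /etc/cloud configuration is left behind; `purge: true` removes it. The `apt` autoclean/autoremove task was also dropped, leaving the package cache in the image.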
@@ -1,37 +1,54 @@ --- -- name: "Configure SSH for Public Key Authentication." - shell: | - sudo sed -i 's/.*PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config +# Tasks for setting custom facts. +- name: "Setting custom facts." + set_fact: + enable_cloudinit: "{{ enable_cloudinit | default('false') }}" -- name: Creating SSH key regeneration service file - ansible.builtin.copy: - dest: /etc/systemd/system/regenerate_ssh_host_keys.service +# Tasks for configuring SSH for public key authentication. +- name: "Configuring SSH for Public Key Authentication." + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^PubkeyAuthentication' + line: 'PubkeyAuthentication yes' + +# Tasks for setting the hostname. +- name: "Setting the hostname." + hostname: + name: "localhost" + +# Tasks for restarting the SSH daemon. +- name: "Restarting the SSH daemon." + systemd: + name: ssh + state: restarted + daemon_reload: true + +# Tasks for disabling systemd-tmpfiles. +- name: "Disabling systemd-tmpfiles." + replace: + path: /usr/lib/tmpfiles.d/tmp.conf + regexp: '^D' + replace: '#D' + +# Tasks for configuring cloud-init. +- name: "Configuring cloud-init." + block: + - name: "Message: Configuring cloud-init" + ansible.builtin.debug: + msg: "Configuring cloud-init" + - ansible.builtin.copy: + content: 'datasource_list: [ ConfigDrive, NoCloud ]' + dest: /etc/cloud/cloud.cfg.d/90_dpkg.cfg + when: enable_cloudinit == 'true' + +# Tasks for setting SSH keys to regenerate. +- name: "Setting SSH keys to regenerate." 
+ copy: + dest: /etc/rc.local content: | - [Unit] - Description=Regenerate SSH host keys - Before=ssh.service - ConditionFileIsExecutable=/usr/bin/ssh-keygen - - [Service] - Type=oneshot - ExecStartPre=-/bin/dd if=/dev/hwrng of=/dev/urandom count=1 bs=4096 - ExecStartPre=-/bin/sh -c "/bin/rm -f -v /etc/ssh/ssh_host_*_key*" - ExecStart=/usr/bin/ssh-keygen -A -v - ExecStartPost=/bin/systemctl disable regenerate_ssh_host_keys - - [Install] - WantedBy=multi-user.target - when: not cloud_init | bool - -- name: Reload systemd to re-read configurations - ansible.builtin.systemd: - daemon-reload: true - when: not cloud_init | bool - -- name: Enable regenerate_ssh_host_keys service - ansible.builtin.systemd: - name: regenerate_ssh_host_keys - enabled: true - when: not cloud_init | bool - -... + #!/bin/bash + if test -z "$(find /etc/ssh/ -iname 'ssh_host_*_key*')"; then + dpkg-reconfigure openssh-server + fi + exit 0 + mode: 0755 diff --git a/ansible/roles/configure/tasks/main.yml b/ansible/roles/configure/tasks/main.yml index 2e51352..b295b54 100644 --- a/ansible/roles/configure/tasks/main.yml +++ b/ansible/roles/configure/tasks/main.yml @@ -12,8 +12,8 @@ include_tasks: redhat.yml when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux', 'OracleLinux']" -- name: Prepare the {{ ansible_facts['distribution'] }} guest operating system - include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml" - when: "ansible_facts['distribution'] == 'Suse'" +- name: Configuration tasks for the {{ ansible_facts['distribution'] }} guest operating system + include_tasks: suse.yml + when: "ansible_facts['distribution'] in ['openSUSE Leap', 'Suse']" ... \ No newline at end of file diff --git a/ansible/roles/configure/tasks/redhat.yml b/ansible/roles/configure/tasks/redhat.yml index a36b764..d071913 100644 --- a/ansible/roles/configure/tasks/redhat.yml +++ b/ansible/roles/configure/tasks/redhat.yml 
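Review bot: `lineinfile` with `regexp: '^PubkeyAuthentication'` only matches an uncommented directive; on a stock Debian sshd_config the line is `#PubkeyAuthentication yes`, so the module appends `PubkeyAuthentication yes` at the end of the file, and anything appended after a `Match` block becomes a Match-scoped option rather than a global one. Either match the commented form with `regexp: '^#?PubkeyAuthentication'` and `insertbefore: BOF`, or write a drop-in under `/etc/ssh/sshd_config.d/`, and add `validate: '/usr/sbin/sshd -t -f %s'` so a bad edit never reaches the restart task. "Disabling systemd-tmpfiles." edits the package-owned `/usr/lib/tmpfiles.d/tmp.conf` in place, which the next systemd upgrade restores; the supported override is a same-named copy in `/etc/tmpfiles.d/tmp.conf`. The dropped regenerate_ssh_host_keys unit had `Before=ssh.service`; the new rc.local has no ordering relative to ssh.service, so whether sshd comes up with fresh keys on first boot depends on `dpkg-reconfigure openssh-server` restarting it, which is worth verifying on a clone.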
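Review bot: In roles/configure/tasks/main.yml the condition `ansible_facts['distribution'] in ['openSUSE Leap', 'Suse']` again cannot match SLES, which reports distribution `SLES` as far as I recall, even though suse.yml in this role now has SLES-specific SUSEConnect tasks. `when: ansible_facts['os_family'] == 'Suse'` covers both Leap and SLES and keeps the three main.yml files consistent.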
@@ -1,5 +1,36 @@ --- -- name: "Configure SSH for Public Key Authentication." - shell: | - sudo sed -i 's/.*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config - sudo sed -i 's/.*PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config +# Tasks for unregistering from Red Hat Subscription Manager. +- name: "Unregistering from Red Hat Subscription Manager." + community.general.redhat_subscription: + state: absent + when: ansible_distribution == 'RedHat' + +# Tasks for configuring SSH for public key authentication. +- name: "Configuring SSH for Public Key Authentication." + block: + - ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^PermitRootLogin' + line: 'PermitRootLogin no' + - ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^PubkeyAuthentication' + line: 'PubkeyAuthentication yes' + +# Tasks for setting the hostname. +- name: "Setting the hostname." + ansible.builtin.hostname: + name: "localhost" + +# Tasks for disabling SELinux. +- name: "Disabling SELinux." + ansible.builtin.selinux: + state: disabled + policy: targeted + +# Tasks for restarting the SSH daemon. +- name: "Restarting the SSH daemon." + ansible.builtin.systemd: + name: sshd + state: restarted + daemon_reload: true diff --git a/ansible/roles/configure/tasks/suse.yml b/ansible/roles/configure/tasks/suse.yml index 01517ef..96f092e 100644 --- a/ansible/roles/configure/tasks/suse.yml +++ b/ansible/roles/configure/tasks/suse.yml 
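Review bot: `ansible.builtin.selinux` is not an ansible-core module — `selinux` lives in `ansible.posix`, which linux-requirements.yml already pins — so this task fails to resolve; and the intent itself, `state: disabled` for every RHEL-family image, is a hardening regression that neither the previous version of this file nor the commit message mentions. If an application genuinely needs it, `ansible.posix.selinux` with `state: permissive` keeps the policy and audit logging without enforcing, and it should be an opt-in variable rather than the default; otherwise drop the task. The `PermitRootLogin` lineinfile only matches an uncommented directive, and on RHEL 9 `/etc/ssh/sshd_config` includes `/etc/ssh/sshd_config.d/*.conf` first with first-value-wins semantics, so a line appended to the end of sshd_config can be overridden by a drop-in; writing a drop-in such as `/etc/ssh/sshd_config.d/10-hardening.conf` is more reliable. Adding `validate: '/usr/sbin/sshd -t -f %s'` guards the restart that follows.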
@@ -1,35 +1,52 @@ --- +# Tasks for setting custom facts. +- name: "Setting custom facts." + set_fact: + enable_cloudinit: "{{ enable_cloudinit | default('false') }}" + # Tasks for unregistering from SUSE Customer Center. - name: "Unregistering from SUSE Customer Center." - command: + ansible.builtin.command: cmd: "{{ item }}" loop: - SUSEConnect -d - SUSEConnect --cleanup + when: "ansible_facts['distribution'] != 'openSUSE Leap'" # Tasks for configuring SSH for public key authentication. - name: "Configuring SSH for Public Key Authentication." block: - - lineinfile: + - ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^PermitRootLogin' line: 'PermitRootLogin no' - - lineinfile: + - ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^PubkeyAuthentication' line: 'PubkeyAuthentication yes' # Tasks for setting the hostname. - name: "Setting the hostname." - hostname: + ansible.builtin.hostname: name: "localhost" # Tasks for restarting the SSH daemon. - name: "Restarting the SSH daemon." - systemd: + ansible.builtin.systemd: name: sshd state: restarted daemon_reload: true +# Tasks for configuring cloud-init. +- name: "Configuring cloud-init." + block: + - name: "Message: Configuring cloud-init" + ansible.builtin.debug: + msg: "Configuring cloud-init" + - ansible.builtin.copy: + content: 'datasource_list: [ ConfigDrive, NoCloud ]' + dest: /etc/cloud/cloud.cfg.d/90_dpkg.cfg + when: enable_cloudinit == 'true' + ... \ No newline at end of file diff --git a/ansible/roles/configure/tasks/ubuntu.yml b/ansible/roles/configure/tasks/ubuntu.yml index dad1976..56a5ee8 100644 --- a/ansible/roles/configure/tasks/ubuntu.yml +++ b/ansible/roles/configure/tasks/ubuntu.yml 
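Review bot: `when: enable_cloudinit == 'true'` on the new cloud-init block compares against a string, so the boolean default from roles/base/defaults/main.yml never enables it; `when: enable_cloudinit | bool` handles both forms. The datasource file is written to `/etc/cloud/cloud.cfg.d/90_dpkg.cfg`, a Debian-specific name, on SUSE; a neutral `90-datasource.cfg` plus a `name:` and `owner`/`mode` on the copy task would match the style of the surrounding tasks. The `SUSEConnect` command loop has no `changed_when`/`failed_when`, so it reports changed on every run and `SUSEConnect -d` on an already-unregistered host may abort the play; `failed_when: false` or a registration check makes that explicit.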
@@ -1,88 +1,62 @@ --- -- name: "Configure SSH for Public Key Authentication" - shell: | - sudo sed -i 's/.*PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config +# Tasks for setting custom facts. +- name: "Setting custom facts." + ansible.builtin.set_fact: + enable_cloudinit: "{{ enable_cloudinit | default('false') }}" -- name: Restarting the SSH daemon - ansible.builtin.service: +# Tasks for configuring SSH for public key authentication. +- name: "Configuring SSH for Public Key Authentication." + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^PubkeyAuthentication' + line: 'PubkeyAuthentication yes' + +# Tasks for setting the hostname. +- name: "Setting the hostname." + ansible.builtin.hostname: + name: "localhost" + +# Tasks for restarting the SSH daemon. +- name: "Restarting the SSH daemon." + ansible.builtin.systemd: name: ssh state: restarted + daemon_reload: true -- name: Remove cloud-init files - ansible.builtin.file: - path: "{{ item }}" - state: absent - loop: - - /etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg - - /etc/cloud/cloud.cfg.d/50-curtin-networking.cfg - - /etc/cloud/cloud.cfg.d/curtin-preserve-sources.cfg - - /etc/cloud/cloud.cfg.d/99-installer.cfg - - /etc/netplan/00-installer-config.yaml - when: - - cloud_init | bool - - ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04" or ansible_distribution_version == "24.04" +# Tasks for disabling systemd-tmpfiles. +- name: "Disabling systemd-tmpfiles." + ansible.builtin.replace: + path: /usr/lib/tmpfiles.d/tmp.conf + regexp: '^D' + replace: '#D' -- name: Disable cloud-init if configured to +# Tasks for configuring cloud-init. +- name: "Configuring cloud-init." 
block: - - name: Check if /etc/cloud/ exists - ansible.builtin.stat: - path: '/etc/cloud/' - register: etc_cloud_folder + - name: "Message: Configuring cloud-init" + ansible.builtin.debug: + msg: "Configuring cloud-init" + - ansible.builtin.file: + path: "{{ item }}" + state: absent + loop: + - /etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg + - /etc/cloud/cloud.cfg.d/99-installer.cfg + - /etc/netplan/00-installer-config.yaml + - ansible.builtin.copy: + content: 'datasource_list: [ VMware, OVF, None ]' + dest: /etc/cloud/cloud.cfg.d/90_dpkg.cfg + when: enable_cloudinit == 'true' - - name: 'Generate /etc/cloud/cloud-init.disabled' - ansible.builtin.copy: - dest: '/etc/cloud/cloud-init.disabled' - content: 'disabled by ansible\n' - owner: 'root' - group: 'root' - mode: '0644' - when: - - 'etc_cloud_folder.stat.exists' - when: - - not cloud_init | bool - - ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04" or ansible_distribution_version == "24.04" - -- name: Copy cloud-init PVE default file +# Tasks for setting SSH keys to regenerate. +- name: "Setting SSH keys to regenerate." ansible.builtin.copy: - dest: /etc/cloud/cloud.cfg.d/90_dpkg.cfg + dest: /etc/rc.local content: | - datasource_list: [ ConfigDrive, NoCloud ] - when: cloud_init | bool - -- name: "Modifying GRUB." 
- shell: | - sed -i -e "s/GRUB_CMDLINE_LINUX_DEFAULT=\"\(.*\)\"/GRUB_CMDLINE_LINUX_DEFAULT=\"\"/" /etc/default/grub - update-grub - when: ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04" or ansible_distribution_version == "24.04" - -- name: Creating SSH key regeneration service file - ansible.builtin.copy: - dest: /etc/systemd/system/regenerate_ssh_host_keys.service - content: | - [Unit] - Description=Regenerate SSH host keys - Before=ssh.service - ConditionFileIsExecutable=/usr/bin/ssh-keygen - - [Service] - Type=oneshot - ExecStartPre=-/bin/dd if=/dev/hwrng of=/dev/urandom count=1 bs=4096 - ExecStartPre=-/bin/sh -c "/bin/rm -f -v /etc/ssh/ssh_host_*_key*" - ExecStart=/usr/bin/ssh-keygen -A -v - ExecStartPost=/bin/systemctl disable regenerate_ssh_host_keys - - [Install] - WantedBy=multi-user.target - when: not cloud_init | bool - -- name: Reload systemd to re-read configurations - ansible.builtin.systemd: - daemon-reload: true - when: not cloud_init | bool - -- name: Enable regenerate_ssh_host_keys service - ansible.builtin.systemd: - name: regenerate_ssh_host_keys - enabled: true - when: not cloud_init | bool + #!/bin/bash + if test -z "$(find /etc/ssh/ -iname 'ssh_host_*_key*')"; then + dpkg-reconfigure openssh-server + fi + exit 0 + mode: 0755 diff --git a/ansible/roles/configure/vars/main.yml b/ansible/roles/configure/vars/main.yml new file mode 100644 index 0000000..c4b5142 --- /dev/null +++ b/ansible/roles/configure/vars/main.yml @@ -0,0 +1,2 @@ +--- +task_name: "Configure the operating system." \ No newline at end of file diff --git a/ansible/roles/users/tasks/linux.yml b/ansible/roles/users/tasks/linux.yml index f0f6a68..6737ba7 100644 --- a/ansible/roles/users/tasks/linux.yml +++ b/ansible/roles/users/tasks/linux.yml 
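Review bot: The datasource list written to `90_dpkg.cfg` changed from `[ ConfigDrive, NoCloud ]` (the removed task was labelled "cloud-init PVE default file") to `[ VMware, OVF, None ]`, which also differs from what the Debian and SUSE hunks of this commit write; on a Proxmox-style NoCloud/ConfigDrive seed cloud-init with this list falls through to `None` and never applies user-data, so whichever platform is the target, the three files should agree. `when: enable_cloudinit == 'true'` is a string comparison that a boolean `true` fails; `enable_cloudinit | bool` is the portable form. "Disabling systemd-tmpfiles." edits the package-owned `/usr/lib/tmpfiles.d/tmp.conf`, which the next systemd upgrade restores; the override belongs in `/etc/tmpfiles.d/tmp.conf`. The `PubkeyAuthentication` lineinfile appends at EOF when the directive is commented (the Ubuntu default) and Ubuntu's sshd_config includes `sshd_config.d/*.conf` first, so a drop-in plus `validate: '/usr/sbin/sshd -t -f %s'` is the safer form.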
@@ -1,31 +1,46 @@ --- -- name: "Adding authorized_keys for the default local user." - shell: | - sudo mkdir -p /home/{{BUILD_USERNAME}}/.ssh - sudo tee /home/{{BUILD_USERNAME}}/.ssh/authorized_keys << EOF - {{BUILD_SECRET}} - EOF - sudo chown -R {{BUILD_USERNAME}} /home/{{BUILD_USERNAME}}/.ssh - sudo chmod 700 /home/{{BUILD_USERNAME}}/.ssh - sudo chmod 644 /home/{{BUILD_USERNAME}}/.ssh/authorized_keys -- name: "Adding the default local user to passwordless sudoers." - shell: | - sudo bash -c "echo \"""{{BUILD_USERNAME}}"" ALL=(ALL) NOPASSWD:ALL\" >> /etc/sudoers" -- name: "Creating a local user for Ansible." - shell: | - sudo groupadd {{ANSIBLE_USERNAME}} - sudo useradd -g {{ANSIBLE_USERNAME}} -m -s /bin/bash {{ANSIBLE_USERNAME}} - sudo usermod -aG sudo {{ANSIBLE_USERNAME}} - echo {{ANSIBLE_USERNAME}}:"$(openssl rand -base64 14)" | sudo chpasswd -- name: "Adding authorized_keys to the local user for Ansible." - shell: | - sudo mkdir -p /home/{{ANSIBLE_USERNAME}}/.ssh - sudo tee /home/{{ANSIBLE_USERNAME}}/.ssh/authorized_keys << EOF - {{ANSIBLE_SECRET}} - EOF - sudo chown -R {{ANSIBLE_USERNAME}} /home/{{ANSIBLE_USERNAME}}/.ssh - sudo chmod 700 /home/{{ANSIBLE_USERNAME}}/.ssh - sudo chmod 644 /home/{{ANSIBLE_USERNAME}}/.ssh/authorized_keys -- name: "Adding the local user for Ansible to passwordless sudoers." - shell: | - sudo bash -c "echo \"""{{ANSIBLE_USERNAME}}"" ALL=(ALL) NOPASSWD:ALL\" >> /etc/sudoers" +# Tasks for setting custom facts. +- name: "Setting custom facts." + ansible.builtin.set_fact: + enable_cloudinit: "{{ enable_cloudinit | default('false') }}" + +# Tasks for creating the local group for Ansible. +- name: "Creating the local group for Ansible." + ansible.builtin.group: + name: "{{ ansible_username }}" + +# Tasks for creating the sudo group. +- name: "Creating the sudo group." + ansible.builtin.group: + name: sudo + +# Tasks for creating the local user for Ansible. +- name: "Creating the local user for Ansible." 
+ ansible.builtin.user: + name: "{{ ansible_username }}" + group: "{{ ansible_username }}" + groups: sudo + password: '!' + shell: /bin/bash + +# Tasks for managing the authorized keys for the local users. +- name: "Managing the authorized keys for the local users." + ansible.posix.authorized_key: + user: "{{ item.user }}" + key: "{{ item.key }}" + loop: + - user: "{{ ansible_username }}" + key: "{{ ansible_key }}" + - user: "{{ build_username }}" + key: "{{ build_key }}" + no_log: true + +# Tasks for managing sudoers.d for the local users. +- name: "Managing sudoers.d for the local users." + community.general.sudoers: + name: "{{ item }}" + user: "{{ item }}" + commands: ALL + loop: + - "{{ build_username }}" + - "{{ ansible_username }}" diff --git a/ansible/roles/users/vars/main.yml b/ansible/roles/users/vars/main.yml new file mode 100644 index 0000000..ef9eb71 --- /dev/null +++ b/ansible/roles/users/vars/main.yml @@ -0,0 +1,2 @@ +--- +task_name: "Configure the operating system users." \ No newline at end of file
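Review bot: The role now reads `ansible_username`, `ansible_key`, `build_username` and `build_key`, but the playbook that feeds it was only renamed in this commit (100% similarity), so if it still receives the old `BUILD_USERNAME`/`BUILD_SECRET`/`ANSIBLE_USERNAME`/`ANSIBLE_SECRET` extra-vars these names are undefined and the play fails at the first task that uses them; the rename needs a matching change in the playbook or in the Packer extra_arguments. Both users get `commands: ALL` with the `community.general.sudoers` default of `nopassword: true`, and the build user's key is baked into the final image as before, which deserves a comment in the role such as `# NOTE: build_username keeps passwordless sudo and its key in the image; remove it in the clean role if it is only needed during the build.` `password: '!'` locking the Ansible user's password is an improvement over the random `chpasswd` of the old shell task, and `ansible.posix.authorized_key` sets the 0700/0600 modes itself, so no separate chmod tasks are needed. Creating a `sudo` group on RHEL/SUSE hosts is harmless but grants nothing there (wheel is the admin group); the sudoers.d entries are what actually authorize the users.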