feat: reworked most of the ansible playbooks and roles

AJ Schroeder
2024-06-29 10:26:52 -05:00
parent 0eadf8fba9
commit b885f907db
22 changed files with 524 additions and 365 deletions


@@ -0,0 +1,6 @@
---
collections:
- name: ansible.posix
version: 1.5.4
- name: community.general
version: 8.5.0


@@ -0,0 +1,2 @@
---
enable_cloudinit: false
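Review bot: `enable_cloudinit: false` is a YAML boolean, but every consumer in this commit compares it to a string — `when: enable_cloudinit == 'true'` in the debian (L42), redhat (L73) and suse (L103) prepare hunks and the configure hunks (L593, L716, L788), and `== 'false'` in the ubuntu clean hunk (L432) — so with this default neither branch can ever fire, and the `set_fact ... | default('false')` tasks do not normalise it because the variable is already defined. Compare as a boolean everywhere, `when: enable_cloudinit | bool` / `when: not enable_cloudinit | bool`, or make this default the string `'false'` to match the comparisons. The `| bool` form also handles `-e enable_cloudinit=true` from the command line, which arrives as a string, so it is the more robust choice.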


@@ -1,4 +1,5 @@
--- ---
- block: - block:
- name: "Updating the guest operating system." - name: "Updating the guest operating system."
ansible.builtin.apt: ansible.builtin.apt:
@@ -11,3 +12,10 @@
ansible.builtin.apt: ansible.builtin.apt:
name: "{{ additional_packages[ansible_os_family] }}" name: "{{ additional_packages[ansible_os_family] }}"
state: latest # noqa package-latest state: latest # noqa package-latest
- name: "Installing cloud-init."
become: true
ansible.builtin.apt:
name: cloud-init
state: latest
when: enable_cloudinit == 'true' and ansible_distribution_version | int >= 11


@@ -1,5 +1,9 @@
--- ---
- name: "Getting guest operating system information."
ansible.builtin.debug:
msg: "OS: {{ ansible_distribution }} Version: {{ ansible_distribution_version }} Family: {{ ansible_os_family }}"
- name: Prepare the {{ ansible_facts['distribution'] }} guest operating system - name: Prepare the {{ ansible_facts['distribution'] }} guest operating system
include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml" include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml"
when: "ansible_facts['distribution'] == 'Debian'" when: "ansible_facts['distribution'] == 'Debian'"
@@ -13,7 +17,7 @@
when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux', 'OracleLinux']" when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux', 'OracleLinux']"
- name: Prepare the {{ ansible_facts['distribution'] }} guest operating system - name: Prepare the {{ ansible_facts['distribution'] }} guest operating system
include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml" include_tasks: suse.yml
when: "ansible_facts['distribution'] == 'Suse'" when: "ansible_facts['distribution'] in ['openSUSE Leap', 'Suse']"
... ...
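Review bot: The new SUSE branch at the bottom of the hunk matches `ansible_facts['distribution'] in ['openSUSE Leap', 'Suse']`, but as far as I know SLES hosts report the distribution fact as `SLES` (`Suse` is the value of `ansible_os_family`, not a distribution name), so SLES would fall through every branch silently; if SLES is in scope, `['openSUSE Leap', 'SLES']` or a check on `ansible_os_family == 'Suse'` is the safer condition. The same condition is repeated in the clean and configure `main.yml` hunks (L249, L631). Since none of the `include_tasks` branches has a fallthrough, a final `- ansible.builtin.fail:` task guarded by `when: ansible_os_family not in ['Debian', 'RedHat', 'Suse']` would turn an unsupported distribution into a visible error instead of a no-op run.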


@@ -15,5 +15,12 @@
ansible.builtin.dnf: ansible.builtin.dnf:
name: "{{ additional_packages[ansible_os_family] }}" name: "{{ additional_packages[ansible_os_family] }}"
state: latest # noqa package-latest state: latest # noqa package-latest
when: ansible_distribution_major_version | int > 8
- name: "Installing cloud-init."
become: true
ansible.builtin.dnf:
name: cloud-init
state: latest
when: enable_cloudinit == 'true' and ansible_distribution_version | int >= 8
when: ansible_os_family == 'RedHat' and ansible_distribution_major_version | int >= 8


@@ -1,9 +1,29 @@
--- ---
- name: Updating the operating system - block:
- name: Updating the operating system
ansible.builtin.zypper: ansible.builtin.zypper:
name: "*" name: "*"
state: latest state: latest
update_cache: true update_cache: true
... - name: Installing additional packages
ansible.builtin.zypper:
name: "{{ additional_packages[ansible_os_family] }}"
state: latest
- name: "Configure cloud-init."
block:
- name: "Add the SUSE OSS repo."
become: true
community.general.zypper_repository:
name: repo-oss
repo: "http://download.opensuse.org/distribution/leap/15.5/repo/oss/"
auto_import_keys: true
- name: "Installing cloud-init."
become: true
ansible.builtin.zypper:
name: cloud-init
state: latest
when: enable_cloudinit == 'true'
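Review bot: The `repo-oss` repository added under "Configure cloud-init." is fetched over plain `http://` with `auto_import_keys: true`, so the signing key that later verifies every package from that repository is itself obtained over an unauthenticated channel and trusted automatically; use `https://download.opensuse.org/distribution/leap/...` and, where the key fingerprint is known, import it deliberately instead of auto-importing. The Leap release is hard-coded as `15.5`, so a 15.6 host would be pointed at a foreign release's repository without any error — `{{ ansible_distribution_version }}` follows the actual release. SLES hosts are routed into this same file by `main.yml`, and the Leap OSS repository is not appropriate there, so the repository task should probably carry `when: ansible_distribution == 'openSUSE Leap'`.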


@@ -12,6 +12,12 @@ additional_packages:
- curl - curl
- unzip - unzip
- wget - wget
Suse:
- bash-completion
- ca-certificates
- curl
- unzip
- wget
Ubuntu: Ubuntu:
- bash-completion - bash-completion
- ca-certificates - ca-certificates


@@ -1,81 +1,93 @@
--- ---
# Tasks for setting custom facts.
- name: "Setting custom facts."
set_fact:
enable_cloudinit: "{{ enable_cloudinit | default('false') }}"
- name: Remove audit log files # # Tasks for removing the cloud-init package.
ansible.builtin.file: # - name: "Removing the cloud-init package."
# apt:
# name: cloud-init
# state: absent
# when: ansible_distribution == 'Ubuntu' and enable_cloudinit == 'false'
# Tasks to clean the audit logs.
- name: "Cleaning the audit logs."
file:
path: "{{ item }}" path: "{{ item }}"
state: absent state: absent
loop: loop:
- "/var/log/audit/audit.log" - /var/log/audit/audit.log
- "/var/log/wtmp" - /var/log/auth.log
- "/var/log/lastlog" - /var/log/btmp
- /var/log/dpkg.log
- /var/log/faillog
- /var/log/kern.log
- /var/log/lastlog
- /var/log/syslog
- /var/log/wtmp
- name: Check to see if the /var/log/audit directory exists # Tasks to clean the persistent udev rules.
ansible.builtin.stat: - name: "Cleaning persistent udev rules."
path: "/var/log/audit" file:
register: audit_directory
- name: Ensure /var/log/audit directory exists
ansible.builtin.file:
path: /var/log/audit
state: directory
mode: "0750"
owner: root
group: adm
when: audit_directory.stat.exists
- name: Ensure /var/log/audit/audit.log exists
ansible.builtin.file:
path: /var/log/audit/audit.log
state: touch
mode: "0640"
owner: root
group: adm
when: audit_directory.stat.exists
- name: Ensure wtmp and lastlog exist with the correct permissions
ansible.builtin.copy:
dest: "{{ item }}"
content: ""
mode: "0664"
owner: root
group: utmp
loop:
- "/var/log/wtmp"
- "/var/log/lastlog"
- name: Cleaning persistent udev rules
ansible.builtin.file:
path: /etc/udev/rules.d/70-persistent-net.rules path: /etc/udev/rules.d/70-persistent-net.rules
state: absent state: absent
- name: "Cleaning the /tmp directories" # Tasks to find the /tmp directories.
ansible.builtin.file: - name: "Finding the /tmp directories."
path: "{{ item }}" find:
state: absent paths:
loop: - /tmp
- "/tmp/*" - /var/tmp
- "/var/tmp/*" file_type: any
register: find_tmp_directories
- name: "Cleaning the SSH host keys." # Tasks to clean the /tmp directories.
shell: | - name: "Cleaning the /tmp directories."
rm -f /etc/ssh/ssh_host_*
- name: remove /etc/machine-id
file: file:
path: /etc/machine-id path: "{{ item.path }}"
state: absent state: absent
loop: "{{ find_tmp_directories.files }}"
loop_control:
label: "{{ item.path }}"
- name: remove /var/lib/dbus/machine-id # Tasks to find the SSH host keys.
- name: "Finding the SSH host keys."
find:
paths: /etc/ssh
patterns: 'ssh_host_*'
register: find_ssh_host_keys
# Tasks to clean the SSH host keys.
- name: "Cleaning the SSH host keys."
file:
path: "{{ item.path }}"
state: absent
loop: "{{ find_ssh_host_keys.files }}"
loop_control:
label: "{{ item.path }}"
# Tasks to clean the machine-id.
- name: "Cleaning the machine-id."
block:
- name: "Emptying the /etc/machine-id."
community.general.filesize:
path: /etc/machine-id
size: 0
- name: "Removing /var/lib/dbus/machine-id."
file: file:
path: /var/lib/dbus/machine-id path: /var/lib/dbus/machine-id
state: absent state: absent
- name: "Creating a symbolic link to /etc/machine-id."
file:
src: /etc/machine-id
dest: /var/lib/dbus/machine-id
state: link
- name: generate new machine-id # Tasks to clean the shell history.
command: systemd-machine-id-setup - name: "Cleaning the shell history."
block:
- name: Cleaning the shell history - name: "Cleaning the shell history."
shell: | file:
unset HISTFILE path: "{{ ansible_env.HOME }}/.bash_history"
history -cw state: absent
echo > ~/.bash_history
rm -fr /root/.bash_history
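Review bot: The "Cleaning the audit logs." loop now deletes `/var/log/wtmp`, `/var/log/btmp` and `/var/log/lastlog` outright, whereas the removed tasks beneath it deliberately recreated them as `root:utmp 0664`; nothing in the new file recreates them, and these are the login-accounting files that `last`/`lastb` and login-history checks read, so clones start with no login accounting until something else recreates the files (logrotate may, but only on its schedule). Truncating rather than deleting preserves ownership and mode — the `community.general.filesize` with `size: 0` pattern this hunk already uses for `/etc/machine-id` fits, e.g. `community.general.filesize: { path: "{{ item }}", size: 0 }` for those three paths. The same deletion list appears in the redhat (L298) and ubuntu (L447) clean hunks. Separately, the shell-history task at the end only removes `{{ ansible_env.HOME }}/.bash_history`, i.e. the connecting user's file; the removed version also cleared `/root/.bash_history`, which is still worth doing when tasks run with `become`.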


@@ -12,8 +12,8 @@
include_tasks: redhat.yml include_tasks: redhat.yml
when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux', 'OracleLinux']" when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux', 'OracleLinux']"
- name: Prepare the {{ ansible_facts['distribution'] }} guest operating system - name: Cleaning tasks for the {{ ansible_facts['distribution'] }} guest operating system
include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml" include_tasks: suse.yml
when: "ansible_facts['distribution'] == 'Suse'" when: "ansible_facts['distribution'] in ['openSUSE Leap', 'Suse']"
... ...


@@ -1,59 +1,92 @@
--- ---
# Tasks to clean the Red Hat Subscription Manager logs.
- name: "Cleaning all audit logs."
shell: |
if [ -f /var/log/audit/audit.log ]; then
cat /dev/null > /var/log/audit/audit.log
fi
if [ -f /var/log/wtmp ]; then
cat /dev/null > /var/log/wtmp
fi
if [ -f /var/log/lastlog ]; then
cat /dev/null > /var/log/lastlog
fi
- name: "Cleaning persistent udev rules."
shell: |
if [ -f /etc/udev/rules.d/70-persistent-net.rules ]; then
rm /etc/udev/rules.d/70-persistent-net.rules
fi
- name: "Cleaning the /tmp directories"
shell: |
rm -rf /tmp/*
rm -rf /var/tmp/*
rm -rf /var/cache/dnf/*
- name: "Cleaning the Red Hat Subscription Manager logs." - name: "Cleaning the Red Hat Subscription Manager logs."
shell: | ansible.builtin.file:
rm -rf /var/log/rhsm/* path: /var/log/rhsm
when: "ansible_facts['distribution'] == 'RedHat'" state: absent
when: ansible_distribution == 'RedHat'
# Tasks to clean the audit logs.
- name: "Cleaning the audit logs."
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /var/log/audit/audit.log
- /var/log/btmp
- /var/log/boot.log
- /var/log/cron
- /var/log/dnf.log
- /var/log/lastlog
- /var/log/maillog
- /var/log/messages
- /var/log/secure
- /var/log/wtmp
- /var/log/yum.log
# Tasks to clean the persistent udev rules.
- name: "Cleaning persistent udev rules."
ansible.builtin.file:
path: /etc/udev/rules.d/70-persistent-net.rules
state: absent
# Tasks to find the /tmp directories.
- name: "Finding the /tmp directories."
ansible.builtin.find:
paths:
- /tmp
- /var/tmp
file_type: any
register: find_tmp_directories
# Tasks to clean the /tmp directories.
- name: "Cleaning the /tmp directories."
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
loop: "{{ find_tmp_directories.files }}"
loop_control:
label: "{{ item.path }}"
# Tasks to find the SSH host keys.
- name: "Finding the SSH host keys."
ansible.builtin.find:
paths: /etc/ssh
patterns: 'ssh_host_*'
register: find_ssh_host_keys
# Tasks to clean the SSH host keys.
- name: "Cleaning the SSH host keys." - name: "Cleaning the SSH host keys."
shell: | ansible.builtin.file:
rm -f /etc/ssh/ssh_host_* path: "{{ item.path }}"
state: absent
loop: "{{ find_ssh_host_keys.files }}"
loop_control:
label: "{{ item.path }}"
# Tasks to clean the machine-id.
- name: "Emptying the /etc/machine-id."
community.general.filesize:
path: /etc/machine-id
size: 0
- name: "Cleaning the machine-id." - name: "Cleaning the machine-id."
when: 'ansible_facts[''distribution_major_version''] <= "8"' block:
shell: | - name: "Removing /var/lib/dbus/machine-id."
truncate -s 0 /etc/machine-id ansible.builtin.file:
rm /var/lib/dbus/machine-id path: /var/lib/dbus/machine-id
ln -s /etc/machine-id /var/lib/dbus/machine-id state: absent
- name: "Creating a symbolic link to /etc/machine-id."
- name: "Cleaning the machine-id." ansible.builtin.file:
when: 'ansible_facts[''distribution_major_version''] >= "9"' src: /etc/machine-id
shell: | dest: /var/lib/dbus/machine-id
truncate -s 0 /etc/machine-id state: link
when: ansible_distribution_major_version | int <= 8
# Tasks to clean the shell history.
- name: "Cleaning the shell history." - name: "Cleaning the shell history."
shell: | block:
unset HISTFILE - name: "Cleaning the shell history."
history -cw ansible.builtin.file:
echo > ~/.bash_history path: "{{ ansible_env.HOME }}/.bash_history"
rm -fr /root/.bash_history state: absent
- name: "Running a sync."
shell: |
sync && sync
...


@@ -2,13 +2,14 @@
# Tasks to clean the SUSE Customer Center file. # Tasks to clean the SUSE Customer Center file.
- name: "Cleaning the SUSE Customer Center file." - name: "Cleaning the SUSE Customer Center file."
file: ansible.builtin.file:
path: /etc/SUSEConnect path: /etc/SUSEConnect
state: absent state: absent
when: "ansible_facts['distribution'] != 'openSUSE Leap'"
# Tasks to clean the audit logs. # Tasks to clean the audit logs.
- name: "Cleaning the audit logs." - name: "Cleaning the audit logs."
file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
state: absent state: absent
loop: loop:
@@ -24,13 +25,13 @@
# Tasks to clean the persistent udev rules. # Tasks to clean the persistent udev rules.
- name: "Cleaning persistent udev rules." - name: "Cleaning persistent udev rules."
file: ansible.builtin.file:
path: /etc/udev/rules.d/70-persistent-net.rules path: /etc/udev/rules.d/70-persistent-net.rules
state: absent state: absent
# Tasks to find the /tmp directories. # Tasks to find the /tmp directories.
- name: "Finding the /tmp directories." - name: "Finding the /tmp directories."
find: ansible.builtin.find:
paths: paths:
- /tmp - /tmp
- /var/tmp - /var/tmp
@@ -40,7 +41,7 @@
# Tasks to clean the /tmp directories. # Tasks to clean the /tmp directories.
- name: "Cleaning the /tmp directories." - name: "Cleaning the /tmp directories."
file: ansible.builtin.file:
path: "{{ item.path }}" path: "{{ item.path }}"
state: absent state: absent
loop: "{{ find_tmp_directories.files }}" loop: "{{ find_tmp_directories.files }}"
@@ -49,14 +50,14 @@
# Tasks to find the SSH host keys. # Tasks to find the SSH host keys.
- name: "Finding the SSH host keys." - name: "Finding the SSH host keys."
find: ansible.builtin.find:
paths: /etc/ssh paths: /etc/ssh
patterns: 'ssh_host_*' patterns: 'ssh_host_*'
register: find_ssh_host_keys register: find_ssh_host_keys
# Tasks to clean the SSH host keys. # Tasks to clean the SSH host keys.
- name: "Cleaning the SSH host keys." - name: "Cleaning the SSH host keys."
file: ansible.builtin.file:
path: "{{ item.path }}" path: "{{ item.path }}"
state: absent state: absent
loop: "{{ find_ssh_host_keys.files }}" loop: "{{ find_ssh_host_keys.files }}"
@@ -73,7 +74,7 @@
- name: "Cleaning the shell history." - name: "Cleaning the shell history."
block: block:
- name: "Cleaning the shell history." - name: "Cleaning the shell history."
file: ansible.builtin.file:
path: "{{ ansible_env.HOME }}/.bash_history" path: "{{ ansible_env.HOME }}/.bash_history"
state: absent state: absent


@@ -1,93 +1,93 @@
--- ---
# Tasks for setting custom facts.
- name: "Setting custom facts."
ansible.builtin.set_fact:
enable_cloudinit: "{{ enable_cloudinit | default('false') }}"
- name: Remove audit log files # Tasks for removing the cloud-init package.
- name: "Removing the cloud-init package."
ansible.builtin.apt:
name: cloud-init
state: absent
when: enable_cloudinit == 'false'
# Tasks to clean the audit logs.
- name: "Cleaning the audit logs."
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
state: absent state: absent
loop: loop:
- "/var/log/audit/audit.log" - /var/log/audit/audit.log
- "/var/log/wtmp" - /var/log/auth.log
- "/var/log/lastlog" - /var/log/btmp
- /var/log/dpkg.log
- /var/log/faillog
- /var/log/kern.log
- /var/log/lastlog
- /var/log/syslog
- /var/log/wtmp
- name: Check to see if the /var/log/audit directory exists # Tasks to clean the persistent udev rules.
ansible.builtin.stat: - name: "Cleaning persistent udev rules."
path: "/var/log/audit"
register: audit_directory
- name: Ensure /var/log/audit directory exists
ansible.builtin.file:
path: /var/log/audit
state: directory
mode: "0750"
owner: root
group: adm
when: audit_directory.stat.exists
- name: Ensure /var/log/audit/audit.log exists
ansible.builtin.file:
path: /var/log/audit/audit.log
state: touch
mode: "0640"
owner: root
group: adm
when: audit_directory.stat.exists
- name: Ensure wtmp and lastlog exist with the correct permissions
ansible.builtin.copy:
dest: "{{ item }}"
content: ""
mode: "0664"
owner: root
group: utmp
loop:
- "/var/log/wtmp"
- "/var/log/lastlog"
- name: Cleaning persistent udev rules
ansible.builtin.file: ansible.builtin.file:
path: /etc/udev/rules.d/70-persistent-net.rules path: /etc/udev/rules.d/70-persistent-net.rules
state: absent state: absent
- name: "Cleaning the /tmp directories" # Tasks to find the /tmp directories.
- name: "Finding the /tmp directories."
ansible.builtin.find:
paths:
- /tmp
- /var/tmp
file_type: any
register: find_tmp_directories
# Tasks to clean the /tmp directories.
- name: "Cleaning the /tmp directories."
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item.path }}"
state: absent state: absent
loop: loop: "{{ find_tmp_directories.files }}"
- "/tmp/*" loop_control:
- "/var/tmp/*" label: "{{ item.path }}"
- name: Cleaning the SSH host keys # Tasks to find the SSH host keys.
shell: | - name: "Finding the SSH host keys."
rm -f /etc/ssh/ssh_host_* ansible.builtin.find:
paths: /etc/ssh
patterns: 'ssh_host_*'
register: find_ssh_host_keys
- name: remove /etc/machine-id # Tasks to clean the SSH host keys.
file: - name: "Cleaning the SSH host keys."
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
loop: "{{ find_ssh_host_keys.files }}"
loop_control:
label: "{{ item.path }}"
# Tasks to clean the machine-id.
- name: "Cleaning the machine-id."
block:
- name: "Emptying the /etc/machine-id."
community.general.filesize:
path: /etc/machine-id path: /etc/machine-id
state: absent size: 0
- name: "Removing /var/lib/dbus/machine-id."
- name: remove /var/lib/dbus/machine-id ansible.builtin.file:
file:
path: /var/lib/dbus/machine-id path: /var/lib/dbus/machine-id
state: absent state: absent
- name: "Creating a symbolic link to /etc/machine-id."
ansible.builtin.file:
src: /etc/machine-id
dest: /var/lib/dbus/machine-id
state: link
- name: generate new machine-id # Tasks to clean the shell history.
command: systemd-machine-id-setup - name: "Cleaning the shell history."
block:
- name: Clean apt - name: "Cleaning the shell history."
ansible.builtin.apt: ansible.builtin.file:
autoclean: yes path: "{{ ansible_env.HOME }}/.bash_history"
autoremove: yes state: absent
clean: yes
- name: Cleaning the shell history
shell: |
unset HISTFILE
history -cw
echo > ~/.bash_history
rm -fr /root/.bash_history
- name: Clean cloud-init
ansible.builtin.command: cloud-init clean
when: cloud_init | bool
...
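Review bot: The rewrite drops the `cloud-init clean` task that the removed lines ran when cloud-init is enabled, and nothing in the new file replaces it; when `enable_cloudinit` is true the template keeps the instance data under `/var/lib/cloud` from the build, so clones may be treated as an already-initialised instance and skip first-boot configuration (this depends on the datasource and instance-id behaviour, so confirm on a clone). Re-adding `- ansible.builtin.command: cloud-init clean --logs` under a `when: enable_cloudinit | bool` guard restores it, and the debian and suse clean files have the same gap. The `apt` autoclean/autoremove/clean task is also gone, which affects template size rather than correctness but is worth restoring for the same reason it was there.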


@@ -0,0 +1,2 @@
---
task_name: "Clean the operating system."


@@ -1,37 +1,54 @@
--- ---
- name: "Configure SSH for Public Key Authentication." # Tasks for setting custom facts.
shell: | - name: "Setting custom facts."
sudo sed -i 's/.*PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config set_fact:
enable_cloudinit: "{{ enable_cloudinit | default('false') }}"
- name: Creating SSH key regeneration service file # Tasks for configuring SSH for public key authentication.
ansible.builtin.copy: - name: "Configuring SSH for Public Key Authentication."
dest: /etc/systemd/system/regenerate_ssh_host_keys.service lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PubkeyAuthentication'
line: 'PubkeyAuthentication yes'
# Tasks for setting the hostname.
- name: "Setting the hostname."
hostname:
name: "localhost"
# Tasks for restarting the SSH daemon.
- name: "Restarting the SSH daemon."
systemd:
name: ssh
state: restarted
daemon_reload: true
# Tasks for disabling systemd-tmpfiles.
- name: "Disabling systemd-tmpfiles."
replace:
path: /usr/lib/tmpfiles.d/tmp.conf
regexp: '^D'
replace: '#D'
# Tasks for configuring cloud-init.
- name: "Configuring cloud-init."
block:
- name: "Message: Configuring cloud-init"
ansible.builtin.debug:
msg: "Configuring cloud-init"
- ansible.builtin.copy:
content: 'datasource_list: [ ConfigDrive, NoCloud ]'
dest: /etc/cloud/cloud.cfg.d/90_dpkg.cfg
when: enable_cloudinit == 'true'
# Tasks for setting SSH keys to regenerate.
- name: "Setting SSH keys to regenerate."
copy:
dest: /etc/rc.local
content: | content: |
[Unit] #!/bin/bash
Description=Regenerate SSH host keys if test -z "$(find /etc/ssh/ -iname 'ssh_host_*_key*')"; then
Before=ssh.service dpkg-reconfigure openssh-server
ConditionFileIsExecutable=/usr/bin/ssh-keygen fi
exit 0
[Service] mode: 0755
Type=oneshot
ExecStartPre=-/bin/dd if=/dev/hwrng of=/dev/urandom count=1 bs=4096
ExecStartPre=-/bin/sh -c "/bin/rm -f -v /etc/ssh/ssh_host_*_key*"
ExecStart=/usr/bin/ssh-keygen -A -v
ExecStartPost=/bin/systemctl disable regenerate_ssh_host_keys
[Install]
WantedBy=multi-user.target
when: not cloud_init | bool
- name: Reload systemd to re-read configurations
ansible.builtin.systemd:
daemon-reload: true
when: not cloud_init | bool
- name: Enable regenerate_ssh_host_keys service
ansible.builtin.systemd:
name: regenerate_ssh_host_keys
enabled: true
when: not cloud_init | bool
...
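Review bot: The SSH configuration in this file only sets `PubkeyAuthentication yes`, while the redhat and suse configure hunks in the same commit also enforce `PermitRootLogin no` (L648-649, L691-692); the Debian and Ubuntu (L732) templates therefore end up with a weaker sshd baseline than the other families for no stated reason, so either add a matching `lineinfile` with `regexp: '^PermitRootLogin'` / `line: 'PermitRootLogin no'` or document why it is omitted. `lineinfile` appends at the end of `sshd_config` when only the commented default is present, and on current Debian the file starts with `Include /etc/ssh/sshd_config.d/*.conf`, where the first match wins, so an appended line is overridden by any drop-in value — writing the settings to a file under `/etc/ssh/sshd_config.d/` is more reliable (confirm against the image's sshd_config). The "Disabling systemd-tmpfiles." task edits the package-owned `/usr/lib/tmpfiles.d/tmp.conf`, which the next systemd package upgrade overwrites; the supported override is an edited copy at `/etc/tmpfiles.d/tmp.conf`. `mode: 0755` on the `/etc/rc.local` copy is an unquoted octal literal — `mode: '0755'` avoids the YAML/ansible-lint `risky-octal` ambiguity (also in the ubuntu hunk, L805).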


@@ -12,8 +12,8 @@
include_tasks: redhat.yml include_tasks: redhat.yml
when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux', 'OracleLinux']" when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux', 'OracleLinux']"
- name: Prepare the {{ ansible_facts['distribution'] }} guest operating system - name: Configuration tasks for the {{ ansible_facts['distribution'] }} guest operating system
include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml" include_tasks: suse.yml
when: "ansible_facts['distribution'] == 'Suse'" when: "ansible_facts['distribution'] in ['openSUSE Leap', 'Suse']"
... ...


@@ -1,5 +1,36 @@
--- ---
- name: "Configure SSH for Public Key Authentication." # Tasks for unregistering from Red Hat Subscription Manager.
shell: | - name: "Unregistering from Red Hat Subscription Manager."
sudo sed -i 's/.*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config community.general.redhat_subscription:
sudo sed -i 's/.*PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config state: absent
when: ansible_distribution == 'RedHat'
# Tasks for configuring SSH for public key authentication.
- name: "Configuring SSH for Public Key Authentication."
block:
- ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PermitRootLogin'
line: 'PermitRootLogin no'
- ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PubkeyAuthentication'
line: 'PubkeyAuthentication yes'
# Tasks for setting the hostname.
- name: "Setting the hostname."
ansible.builtin.hostname:
name: "localhost"
# Tasks for disabling SELinux.
- name: "Disabling SELinux."
ansible.builtin.selinux:
state: disabled
policy: targeted
# Tasks for restarting the SSH daemon.
- name: "Restarting the SSH daemon."
ansible.builtin.systemd:
name: sshd
state: restarted
daemon_reload: true
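Review bot: `ansible.builtin.selinux` in the "Disabling SELinux." task is not a module in ansible-core — `selinux` lives in the `ansible.posix` collection, which the `requirements.yml` added in this commit already pins — so this should be `ansible.posix.selinux` or the play will fail to resolve the action. Setting `state: disabled` in the template baseline also switches off the mandatory-access-control layer on every clone built from it; `permissive` (or keeping it enforcing and fixing the specific denial) is the usual compromise, and at minimum the reason should be recorded in a comment above the task such as `# SELinux disabled because: <reason>`.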


@@ -1,35 +1,52 @@
--- ---
# Tasks for setting custom facts.
- name: "Setting custom facts."
set_fact:
enable_cloudinit: "{{ enable_cloudinit | default('false') }}"
# Tasks for unregistering from SUSE Customer Center. # Tasks for unregistering from SUSE Customer Center.
- name: "Unregistering from SUSE Customer Center." - name: "Unregistering from SUSE Customer Center."
command: ansible.builtin.command:
cmd: "{{ item }}" cmd: "{{ item }}"
loop: loop:
- SUSEConnect -d - SUSEConnect -d
- SUSEConnect --cleanup - SUSEConnect --cleanup
when: "ansible_facts['distribution'] != 'openSUSE Leap'"
# Tasks for configuring SSH for public key authentication. # Tasks for configuring SSH for public key authentication.
- name: "Configuring SSH for Public Key Authentication." - name: "Configuring SSH for Public Key Authentication."
block: block:
- lineinfile: - ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: '^PermitRootLogin' regexp: '^PermitRootLogin'
line: 'PermitRootLogin no' line: 'PermitRootLogin no'
- lineinfile: - ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: '^PubkeyAuthentication' regexp: '^PubkeyAuthentication'
line: 'PubkeyAuthentication yes' line: 'PubkeyAuthentication yes'
# Tasks for setting the hostname. # Tasks for setting the hostname.
- name: "Setting the hostname." - name: "Setting the hostname."
hostname: ansible.builtin.hostname:
name: "localhost" name: "localhost"
# Tasks for restarting the SSH daemon. # Tasks for restarting the SSH daemon.
- name: "Restarting the SSH daemon." - name: "Restarting the SSH daemon."
systemd: ansible.builtin.systemd:
name: sshd name: sshd
state: restarted state: restarted
daemon_reload: true daemon_reload: true
# Tasks for configuring cloud-init.
- name: "Configuring cloud-init."
block:
- name: "Message: Configuring cloud-init"
ansible.builtin.debug:
msg: "Configuring cloud-init"
- ansible.builtin.copy:
content: 'datasource_list: [ ConfigDrive, NoCloud ]'
dest: /etc/cloud/cloud.cfg.d/90_dpkg.cfg
when: enable_cloudinit == 'true'
... ...
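Review bot: The `ansible.builtin.copy` task under "Configuring cloud-init." has no `name:`, so a failure there is reported only by module name; the same unnamed copy tasks appear in the debian (L590) and ubuntu (L755, L764) configure hunks and the unnamed `lineinfile` tasks in the redhat hunk (L646, L650). A `- name: "Setting the cloud-init datasource list."` on each keeps the run log readable and satisfies ansible-lint's `name[missing]`. The file it writes, `/etc/cloud/cloud.cfg.d/90_dpkg.cfg`, is Debian's conventional name for this setting; on SUSE any drop-in sorted after the defaults works, so a neutral name such as `90-datasource.cfg` would read better (confirm nothing else references the dpkg name).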


@@ -1,88 +1,62 @@
--- ---
- name: "Configure SSH for Public Key Authentication" # Tasks for setting custom facts.
shell: | - name: "Setting custom facts."
sudo sed -i 's/.*PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config ansible.builtin.set_fact:
enable_cloudinit: "{{ enable_cloudinit | default('false') }}"
- name: Restarting the SSH daemon # Tasks for configuring SSH for public key authentication.
ansible.builtin.service: - name: "Configuring SSH for Public Key Authentication."
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PubkeyAuthentication'
line: 'PubkeyAuthentication yes'
# Tasks for setting the hostname.
- name: "Setting the hostname."
ansible.builtin.hostname:
name: "localhost"
# Tasks for restarting the SSH daemon.
- name: "Restarting the SSH daemon."
ansible.builtin.systemd:
name: ssh name: ssh
state: restarted state: restarted
daemon_reload: true
- name: Remove cloud-init files # Tasks for disabling systemd-tmpfiles.
ansible.builtin.file: - name: "Disabling systemd-tmpfiles."
ansible.builtin.replace:
path: /usr/lib/tmpfiles.d/tmp.conf
regexp: '^D'
replace: '#D'
# Tasks for configuring cloud-init.
- name: "Configuring cloud-init."
block:
- name: "Message: Configuring cloud-init"
ansible.builtin.debug:
msg: "Configuring cloud-init"
- ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
state: absent state: absent
loop: loop:
- /etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg - /etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg
- /etc/cloud/cloud.cfg.d/50-curtin-networking.cfg
- /etc/cloud/cloud.cfg.d/curtin-preserve-sources.cfg
- /etc/cloud/cloud.cfg.d/99-installer.cfg - /etc/cloud/cloud.cfg.d/99-installer.cfg
- /etc/netplan/00-installer-config.yaml - /etc/netplan/00-installer-config.yaml
when: - ansible.builtin.copy:
- cloud_init | bool content: 'datasource_list: [ VMware, OVF, None ]'
- ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04" or ansible_distribution_version == "24.04"
- name: Disable cloud-init if configured to
block:
- name: Check if /etc/cloud/ exists
ansible.builtin.stat:
path: '/etc/cloud/'
register: etc_cloud_folder
- name: 'Generate /etc/cloud/cloud-init.disabled'
ansible.builtin.copy:
dest: '/etc/cloud/cloud-init.disabled'
content: 'disabled by ansible\n'
owner: 'root'
group: 'root'
mode: '0644'
when:
- 'etc_cloud_folder.stat.exists'
when:
- not cloud_init | bool
- ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04" or ansible_distribution_version == "24.04"
- name: Copy cloud-init PVE default file
ansible.builtin.copy:
dest: /etc/cloud/cloud.cfg.d/90_dpkg.cfg dest: /etc/cloud/cloud.cfg.d/90_dpkg.cfg
content: | when: enable_cloudinit == 'true'
datasource_list: [ ConfigDrive, NoCloud ]
when: cloud_init | bool
- name: "Modifying GRUB." # Tasks for setting SSH keys to regenerate.
shell: | - name: "Setting SSH keys to regenerate."
sed -i -e "s/GRUB_CMDLINE_LINUX_DEFAULT=\"\(.*\)\"/GRUB_CMDLINE_LINUX_DEFAULT=\"\"/" /etc/default/grub
update-grub
when: ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04" or ansible_distribution_version == "24.04"
- name: Creating SSH key regeneration service file
ansible.builtin.copy: ansible.builtin.copy:
dest: /etc/systemd/system/regenerate_ssh_host_keys.service dest: /etc/rc.local
content: | content: |
[Unit] #!/bin/bash
Description=Regenerate SSH host keys if test -z "$(find /etc/ssh/ -iname 'ssh_host_*_key*')"; then
Before=ssh.service dpkg-reconfigure openssh-server
ConditionFileIsExecutable=/usr/bin/ssh-keygen fi
exit 0
[Service] mode: 0755
Type=oneshot
ExecStartPre=-/bin/dd if=/dev/hwrng of=/dev/urandom count=1 bs=4096
ExecStartPre=-/bin/sh -c "/bin/rm -f -v /etc/ssh/ssh_host_*_key*"
ExecStart=/usr/bin/ssh-keygen -A -v
ExecStartPost=/bin/systemctl disable regenerate_ssh_host_keys
[Install]
WantedBy=multi-user.target
when: not cloud_init | bool
- name: Reload systemd to re-read configurations
ansible.builtin.systemd:
daemon-reload: true
when: not cloud_init | bool
- name: Enable regenerate_ssh_host_keys service
ansible.builtin.systemd:
name: regenerate_ssh_host_keys
enabled: true
when: not cloud_init | bool
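Review bot: The datasource list written at the end of the cloud-init block is `datasource_list: [ VMware, OVF, None ]`, while the debian (L591) and suse (L714) hunks in the same commit write `[ ConfigDrive, NoCloud ]` to the same `90_dpkg.cfg` path; if the templates target the same hypervisor this is an inconsistency that makes Ubuntu clones ignore ConfigDrive/NoCloud seed data (or the others ignore VMware guestinfo), so either align the lists or add a comment above the copy stating why Ubuntu differs. The cloud-init file cleanup (`subiquity-disable-cloudinit-networking.cfg`, `99-installer.cfg`, `00-installer-config.yaml`) now runs only when `enable_cloudinit` is true; the removed version ran it under the same condition, so that is consistent, but the `curtin` entries dropped from the list are worth a one-line comment if they were removed on purpose.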


@@ -0,0 +1,2 @@
---
task_name: "Configure the operating system."


@@ -1,31 +1,46 @@
--- ---
- name: "Adding authorized_keys for the default local user." # Tasks for setting custom facts.
shell: | - name: "Setting custom facts."
sudo mkdir -p /home/{{BUILD_USERNAME}}/.ssh ansible.builtin.set_fact:
sudo tee /home/{{BUILD_USERNAME}}/.ssh/authorized_keys << EOF enable_cloudinit: "{{ enable_cloudinit | default('false') }}"
{{BUILD_SECRET}}
EOF # Tasks for creating the local group for Ansible.
sudo chown -R {{BUILD_USERNAME}} /home/{{BUILD_USERNAME}}/.ssh - name: "Creating the local group for Ansible."
sudo chmod 700 /home/{{BUILD_USERNAME}}/.ssh ansible.builtin.group:
sudo chmod 644 /home/{{BUILD_USERNAME}}/.ssh/authorized_keys name: "{{ ansible_username }}"
- name: "Adding the default local user to passwordless sudoers."
shell: | # Tasks for creating the sudo group.
sudo bash -c "echo \"""{{BUILD_USERNAME}}"" ALL=(ALL) NOPASSWD:ALL\" >> /etc/sudoers" - name: "Creating the sudo group."
- name: "Creating a local user for Ansible." ansible.builtin.group:
shell: | name: sudo
sudo groupadd {{ANSIBLE_USERNAME}}
sudo useradd -g {{ANSIBLE_USERNAME}} -m -s /bin/bash {{ANSIBLE_USERNAME}} # Tasks for creating the local user for Ansible.
sudo usermod -aG sudo {{ANSIBLE_USERNAME}} - name: "Creating the local user for Ansible."
echo {{ANSIBLE_USERNAME}}:"$(openssl rand -base64 14)" | sudo chpasswd ansible.builtin.user:
- name: "Adding authorized_keys to the local user for Ansible." name: "{{ ansible_username }}"
shell: | group: "{{ ansible_username }}"
sudo mkdir -p /home/{{ANSIBLE_USERNAME}}/.ssh groups: sudo
sudo tee /home/{{ANSIBLE_USERNAME}}/.ssh/authorized_keys << EOF password: '!'
{{ANSIBLE_SECRET}} shell: /bin/bash
EOF
sudo chown -R {{ANSIBLE_USERNAME}} /home/{{ANSIBLE_USERNAME}}/.ssh # Tasks for managing the authorized keys for the local users.
sudo chmod 700 /home/{{ANSIBLE_USERNAME}}/.ssh - name: "Managing the authorized keys for the local users."
sudo chmod 644 /home/{{ANSIBLE_USERNAME}}/.ssh/authorized_keys ansible.posix.authorized_key:
- name: "Adding the local user for Ansible to passwordless sudoers." user: "{{ item.user }}"
shell: | key: "{{ item.key }}"
sudo bash -c "echo \"""{{ANSIBLE_USERNAME}}"" ALL=(ALL) NOPASSWD:ALL\" >> /etc/sudoers" loop:
- user: "{{ ansible_username }}"
key: "{{ ansible_key }}"
- user: "{{ build_username }}"
key: "{{ build_key }}"
no_log: true
# Tasks for managing sudoers.d for the local users.
- name: "Managing sudoers.d for the local users."
community.general.sudoers:
name: "{{ item }}"
user: "{{ item }}"
commands: ALL
loop:
- "{{ build_username }}"
- "{{ ansible_username }}"


@@ -0,0 +1,2 @@
---
task_name: "Configure the operating system users."