easylinux/proxmox-packer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: reworked most of the ansible playbooks and roles

Browse Source
This commit is contained in:
AJ Schroeder
2024-06-29 10:26:52 -05:00
parent 0eadf8fba9
commit b885f907db
22 changed files with 524 additions and 365 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
ansible/main.yml → ansible/linux-playbook.yml
View File

6
ansible/linux-requirements.yml Normal file
View File

@@ -0,0 +1,6 @@
---
collections:
- name: ansible.posix
version: 1.5.4
- name: community.general
version: 8.5.0

2
ansible/roles/base/defaults/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
enable_cloudinit: false

8
ansible/roles/base/tasks/debian.yml
View File

@@ -1,4 +1,5 @@
---
- block:
- name: "Updating the guest operating system."
ansible.builtin.apt:
@@ -11,3 +12,10 @@
ansible.builtin.apt:
name: "{{ additional_packages[ansible_os_family] }}"
state: latest # noqa package-latest
- name: "Installing cloud-init."
become: true
ansible.builtin.apt:
name: cloud-init
state: latest
when: enable_cloudinit == 'true' and ansible_distribution_version | int >= 11

8
ansible/roles/base/tasks/main.yml
View File

@@ -1,5 +1,9 @@
---
- name: "Getting guest operating system information."
ansible.builtin.debug:
msg: "OS: {{ ansible_distribution }} Version: {{ ansible_distribution_version }} Family: {{ ansible_os_family }}"
- name: Prepare the {{ ansible_facts['distribution'] }} guest operating system
include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml"
when: "ansible_facts['distribution'] == 'Debian'"
@@ -13,7 +17,7 @@
when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux', 'OracleLinux']"
- name: Prepare the {{ ansible_facts['distribution'] }} guest operating system
include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml"
when: "ansible_facts['distribution'] == 'Suse'"
include_tasks: suse.yml
when: "ansible_facts['distribution'] in ['openSUSE Leap', 'Suse']"
...

9
ansible/roles/base/tasks/redhat.yml
View File

@@ -15,5 +15,12 @@
ansible.builtin.dnf:
name: "{{ additional_packages[ansible_os_family] }}"
state: latest # noqa package-latest
when: ansible_distribution_major_version | int > 8
- name: "Installing cloud-init."
become: true
ansible.builtin.dnf:
name: cloud-init
state: latest
when: enable_cloudinit == 'true' and ansible_distribution_version | int >= 8
when: ansible_os_family == 'RedHat' and ansible_distribution_major_version | int >= 8

24
ansible/roles/base/tasks/suse.yml
View File

@@ -1,9 +1,29 @@
---
- name: Updating the operating system
- block:
- name: Updating the operating system
ansible.builtin.zypper:
name: "*"
state: latest
update_cache: true
...
- name: Installing additional packages
ansible.builtin.zypper:
name: "{{ additional_packages[ansible_os_family] }}"
state: latest
- name: "Configure cloud-init."
block:
- name: "Add the SUSE OSS repo."
become: true
community.general.zypper_repository:
name: repo-oss
repo: "http://download.opensuse.org/distribution/leap/15.5/repo/oss/"
auto_import_keys: true
- name: "Installing cloud-init."
become: true
ansible.builtin.zypper:
name: cloud-init
state: latest
when: enable_cloudinit == 'true'

6
ansible/roles/base/vars/main.yml
View File

@@ -12,6 +12,12 @@ additional_packages:
- curl
- unzip
- wget
Suse:
- bash-completion
- ca-certificates
- curl
- unzip
- wget
Ubuntu:
- bash-completion
- ca-certificates

140
ansible/roles/clean/tasks/debian.yml
View File

@@ -1,81 +1,93 @@
---
# Tasks for setting custom facts.
- name: "Setting custom facts."
set_fact:
enable_cloudinit: "{{ enable_cloudinit | default('false') }}"
- name: Remove audit log files
ansible.builtin.file:
# # Tasks for removing the cloud-init package.
# - name: "Removing the cloud-init package."
# apt:
# name: cloud-init
# state: absent
# when: ansible_distribution == 'Ubuntu' and enable_cloudinit == 'false'
# Tasks to clean the audit logs.
- name: "Cleaning the audit logs."
file:
path: "{{ item }}"
state: absent
loop:
- "/var/log/audit/audit.log"
- "/var/log/wtmp"
- "/var/log/lastlog"
- /var/log/audit/audit.log
- /var/log/auth.log
- /var/log/btmp
- /var/log/dpkg.log
- /var/log/faillog
- /var/log/kern.log
- /var/log/lastlog
- /var/log/syslog
- /var/log/wtmp
- name: Check to see if the /var/log/audit directory exists
ansible.builtin.stat:
path: "/var/log/audit"
register: audit_directory
- name: Ensure /var/log/audit directory exists
ansible.builtin.file:
path: /var/log/audit
state: directory
mode: "0750"
owner: root
group: adm
when: audit_directory.stat.exists
- name: Ensure /var/log/audit/audit.log exists
ansible.builtin.file:
path: /var/log/audit/audit.log
state: touch
mode: "0640"
owner: root
group: adm
when: audit_directory.stat.exists
- name: Ensure wtmp and lastlog exist with the correct permissions
ansible.builtin.copy:
dest: "{{ item }}"
content: ""
mode: "0664"
owner: root
group: utmp
loop:
- "/var/log/wtmp"
- "/var/log/lastlog"
- name: Cleaning persistent udev rules
ansible.builtin.file:
# Tasks to clean the persistent udev rules.
- name: "Cleaning persistent udev rules."
file:
path: /etc/udev/rules.d/70-persistent-net.rules
state: absent
- name: "Cleaning the /tmp directories"
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- "/tmp/*"
- "/var/tmp/*"
# Tasks to find the /tmp directories.
- name: "Finding the /tmp directories."
find:
paths:
- /tmp
- /var/tmp
file_type: any
register: find_tmp_directories
- name: "Cleaning the SSH host keys."
shell: |
rm -f /etc/ssh/ssh_host_*
- name: remove /etc/machine-id
# Tasks to clean the /tmp directories.
- name: "Cleaning the /tmp directories."
file:
path: /etc/machine-id
path: "{{ item.path }}"
state: absent
loop: "{{ find_tmp_directories.files }}"
loop_control:
label: "{{ item.path }}"
- name: remove /var/lib/dbus/machine-id
# Tasks to find the SSH host keys.
- name: "Finding the SSH host keys."
find:
paths: /etc/ssh
patterns: 'ssh_host_*'
register: find_ssh_host_keys
# Tasks to clean the SSH host keys.
- name: "Cleaning the SSH host keys."
file:
path: "{{ item.path }}"
state: absent
loop: "{{ find_ssh_host_keys.files }}"
loop_control:
label: "{{ item.path }}"
# Tasks to clean the machine-id.
- name: "Cleaning the machine-id."
block:
- name: "Emptying the /etc/machine-id."
community.general.filesize:
path: /etc/machine-id
size: 0
- name: "Removing /var/lib/dbus/machine-id."
file:
path: /var/lib/dbus/machine-id
state: absent
- name: "Creating a symbolic link to /etc/machine-id."
file:
src: /etc/machine-id
dest: /var/lib/dbus/machine-id
state: link
- name: generate new machine-id
command: systemd-machine-id-setup
- name: Cleaning the shell history
shell: |
unset HISTFILE
history -cw
echo > ~/.bash_history
rm -fr /root/.bash_history
# Tasks to clean the shell history.
- name: "Cleaning the shell history."
block:
- name: "Cleaning the shell history."
file:
path: "{{ ansible_env.HOME }}/.bash_history"
state: absent

6
ansible/roles/clean/tasks/main.yml
View File

@@ -12,8 +12,8 @@
include_tasks: redhat.yml
when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux', 'OracleLinux']"
- name: Prepare the {{ ansible_facts['distribution'] }} guest operating system
include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml"
when: "ansible_facts['distribution'] == 'Suse'"
- name: Cleaning tasks for the {{ ansible_facts['distribution'] }} guest operating system
include_tasks: suse.yml
when: "ansible_facts['distribution'] in ['openSUSE Leap', 'Suse']"
...

135
ansible/roles/clean/tasks/redhat.yml
View File

@@ -1,59 +1,92 @@
---
- name: "Cleaning all audit logs."
shell: |
if [ -f /var/log/audit/audit.log ]; then
cat /dev/null > /var/log/audit/audit.log
fi
if [ -f /var/log/wtmp ]; then
cat /dev/null > /var/log/wtmp
fi
if [ -f /var/log/lastlog ]; then
cat /dev/null > /var/log/lastlog
fi
- name: "Cleaning persistent udev rules."
shell: |
if [ -f /etc/udev/rules.d/70-persistent-net.rules ]; then
rm /etc/udev/rules.d/70-persistent-net.rules
fi
- name: "Cleaning the /tmp directories"
shell: |
rm -rf /tmp/*
rm -rf /var/tmp/*
rm -rf /var/cache/dnf/*
# Tasks to clean the Red Hat Subscription Manager logs.
- name: "Cleaning the Red Hat Subscription Manager logs."
shell: |
rm -rf /var/log/rhsm/*
when: "ansible_facts['distribution'] == 'RedHat'"
ansible.builtin.file:
path: /var/log/rhsm
state: absent
when: ansible_distribution == 'RedHat'
# Tasks to clean the audit logs.
- name: "Cleaning the audit logs."
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /var/log/audit/audit.log
- /var/log/btmp
- /var/log/boot.log
- /var/log/cron
- /var/log/dnf.log
- /var/log/lastlog
- /var/log/maillog
- /var/log/messages
- /var/log/secure
- /var/log/wtmp
- /var/log/yum.log
# Tasks to clean the persistent udev rules.
- name: "Cleaning persistent udev rules."
ansible.builtin.file:
path: /etc/udev/rules.d/70-persistent-net.rules
state: absent
# Tasks to find the /tmp directories.
- name: "Finding the /tmp directories."
ansible.builtin.find:
paths:
- /tmp
- /var/tmp
file_type: any
register: find_tmp_directories
# Tasks to clean the /tmp directories.
- name: "Cleaning the /tmp directories."
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
loop: "{{ find_tmp_directories.files }}"
loop_control:
label: "{{ item.path }}"
# Tasks to find the SSH host keys.
- name: "Finding the SSH host keys."
ansible.builtin.find:
paths: /etc/ssh
patterns: 'ssh_host_*'
register: find_ssh_host_keys
# Tasks to clean the SSH host keys.
- name: "Cleaning the SSH host keys."
shell: |
rm -f /etc/ssh/ssh_host_*
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
loop: "{{ find_ssh_host_keys.files }}"
loop_control:
label: "{{ item.path }}"
# Tasks to clean the machine-id.
- name: "Emptying the /etc/machine-id."
community.general.filesize:
path: /etc/machine-id
size: 0
- name: "Cleaning the machine-id."
when: 'ansible_facts[''distribution_major_version''] <= "8"'
shell: |
truncate -s 0 /etc/machine-id
rm /var/lib/dbus/machine-id
ln -s /etc/machine-id /var/lib/dbus/machine-id
- name: "Cleaning the machine-id."
when: 'ansible_facts[''distribution_major_version''] >= "9"'
shell: |
truncate -s 0 /etc/machine-id
block:
- name: "Removing /var/lib/dbus/machine-id."
ansible.builtin.file:
path: /var/lib/dbus/machine-id
state: absent
- name: "Creating a symbolic link to /etc/machine-id."
ansible.builtin.file:
src: /etc/machine-id
dest: /var/lib/dbus/machine-id
state: link
when: ansible_distribution_major_version | int <= 8
# Tasks to clean the shell history.
- name: "Cleaning the shell history."
shell: |
unset HISTFILE
history -cw
echo > ~/.bash_history
rm -fr /root/.bash_history
- name: "Running a sync."
shell: |
sync && sync
...
block:
- name: "Cleaning the shell history."
ansible.builtin.file:
path: "{{ ansible_env.HOME }}/.bash_history"
state: absent

17
ansible/roles/clean/tasks/suse.yml
View File

@@ -2,13 +2,14 @@
# Tasks to clean the SUSE Customer Center file.
- name: "Cleaning the SUSE Customer Center file."
file:
ansible.builtin.file:
path: /etc/SUSEConnect
state: absent
when: "ansible_facts['distribution'] != 'openSUSE Leap'"
# Tasks to clean the audit logs.
- name: "Cleaning the audit logs."
file:
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
@@ -24,13 +25,13 @@
# Tasks to clean the persistent udev rules.
- name: "Cleaning persistent udev rules."
file:
ansible.builtin.file:
path: /etc/udev/rules.d/70-persistent-net.rules
state: absent
# Tasks to find the /tmp directories.
- name: "Finding the /tmp directories."
find:
ansible.builtin.find:
paths:
- /tmp
- /var/tmp
@@ -40,7 +41,7 @@
# Tasks to clean the /tmp directories.
- name: "Cleaning the /tmp directories."
file:
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
loop: "{{ find_tmp_directories.files }}"
@@ -49,14 +50,14 @@
# Tasks to find the SSH host keys.
- name: "Finding the SSH host keys."
find:
ansible.builtin.find:
paths: /etc/ssh
patterns: 'ssh_host_*'
register: find_ssh_host_keys
# Tasks to clean the SSH host keys.
- name: "Cleaning the SSH host keys."
file:
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
loop: "{{ find_ssh_host_keys.files }}"
@@ -73,7 +74,7 @@
- name: "Cleaning the shell history."
block:
- name: "Cleaning the shell history."
file:
ansible.builtin.file:
path: "{{ ansible_env.HOME }}/.bash_history"
state: absent

148
ansible/roles/clean/tasks/ubuntu.yml
View File

@@ -1,93 +1,93 @@
---
# Tasks for setting custom facts.
- name: "Setting custom facts."
ansible.builtin.set_fact:
enable_cloudinit: "{{ enable_cloudinit | default('false') }}"
- name: Remove audit log files
# Tasks for removing the cloud-init package.
- name: "Removing the cloud-init package."
ansible.builtin.apt:
name: cloud-init
state: absent
when: enable_cloudinit == 'false'
# Tasks to clean the audit logs.
- name: "Cleaning the audit logs."
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- "/var/log/audit/audit.log"
- "/var/log/wtmp"
- "/var/log/lastlog"
- /var/log/audit/audit.log
- /var/log/auth.log
- /var/log/btmp
- /var/log/dpkg.log
- /var/log/faillog
- /var/log/kern.log
- /var/log/lastlog
- /var/log/syslog
- /var/log/wtmp
- name: Check to see if the /var/log/audit directory exists
ansible.builtin.stat:
path: "/var/log/audit"
register: audit_directory
- name: Ensure /var/log/audit directory exists
ansible.builtin.file:
path: /var/log/audit
state: directory
mode: "0750"
owner: root
group: adm
when: audit_directory.stat.exists
- name: Ensure /var/log/audit/audit.log exists
ansible.builtin.file:
path: /var/log/audit/audit.log
state: touch
mode: "0640"
owner: root
group: adm
when: audit_directory.stat.exists
- name: Ensure wtmp and lastlog exist with the correct permissions
ansible.builtin.copy:
dest: "{{ item }}"
content: ""
mode: "0664"
owner: root
group: utmp
loop:
- "/var/log/wtmp"
- "/var/log/lastlog"
- name: Cleaning persistent udev rules
# Tasks to clean the persistent udev rules.
- name: "Cleaning persistent udev rules."
ansible.builtin.file:
path: /etc/udev/rules.d/70-persistent-net.rules
state: absent
- name: "Cleaning the /tmp directories"
# Tasks to find the /tmp directories.
- name: "Finding the /tmp directories."
ansible.builtin.find:
paths:
- /tmp
- /var/tmp
file_type: any
register: find_tmp_directories
# Tasks to clean the /tmp directories.
- name: "Cleaning the /tmp directories."
ansible.builtin.file:
path: "{{ item }}"
path: "{{ item.path }}"
state: absent
loop:
- "/tmp/*"
- "/var/tmp/*"
loop: "{{ find_tmp_directories.files }}"
loop_control:
label: "{{ item.path }}"
- name: Cleaning the SSH host keys
shell: |
rm -f /etc/ssh/ssh_host_*
# Tasks to find the SSH host keys.
- name: "Finding the SSH host keys."
ansible.builtin.find:
paths: /etc/ssh
patterns: 'ssh_host_*'
register: find_ssh_host_keys
- name: remove /etc/machine-id
file:
# Tasks to clean the SSH host keys.
- name: "Cleaning the SSH host keys."
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
loop: "{{ find_ssh_host_keys.files }}"
loop_control:
label: "{{ item.path }}"
# Tasks to clean the machine-id.
- name: "Cleaning the machine-id."
block:
- name: "Emptying the /etc/machine-id."
community.general.filesize:
path: /etc/machine-id
state: absent
- name: remove /var/lib/dbus/machine-id
file:
size: 0
- name: "Removing /var/lib/dbus/machine-id."
ansible.builtin.file:
path: /var/lib/dbus/machine-id
state: absent
- name: "Creating a symbolic link to /etc/machine-id."
ansible.builtin.file:
src: /etc/machine-id
dest: /var/lib/dbus/machine-id
state: link
- name: generate new machine-id
command: systemd-machine-id-setup
- name: Clean apt
ansible.builtin.apt:
autoclean: yes
autoremove: yes
clean: yes
- name: Cleaning the shell history
shell: |
unset HISTFILE
history -cw
echo > ~/.bash_history
rm -fr /root/.bash_history
- name: Clean cloud-init
ansible.builtin.command: cloud-init clean
when: cloud_init | bool
...
# Tasks to clean the shell history.
- name: "Cleaning the shell history."
block:
- name: "Cleaning the shell history."
ansible.builtin.file:
path: "{{ ansible_env.HOME }}/.bash_history"
state: absent

2
ansible/roles/clean/vars/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
task_name: "Clean the operating system."

85
ansible/roles/configure/tasks/debian.yml
View File

@@ -1,37 +1,54 @@
---
- name: "Configure SSH for Public Key Authentication."
shell: |
sudo sed -i 's/.*PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
# Tasks for setting custom facts.
- name: "Setting custom facts."
set_fact:
enable_cloudinit: "{{ enable_cloudinit | default('false') }}"
- name: Creating SSH key regeneration service file
ansible.builtin.copy:
dest: /etc/systemd/system/regenerate_ssh_host_keys.service
# Tasks for configuring SSH for public key authentication.
- name: "Configuring SSH for Public Key Authentication."
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PubkeyAuthentication'
line: 'PubkeyAuthentication yes'
# Tasks for setting the hostname.
- name: "Setting the hostname."
hostname:
name: "localhost"
# Tasks for restarting the SSH daemon.
- name: "Restarting the SSH daemon."
systemd:
name: ssh
state: restarted
daemon_reload: true
# Tasks for disabling systemd-tmpfiles.
- name: "Disabling systemd-tmpfiles."
replace:
path: /usr/lib/tmpfiles.d/tmp.conf
regexp: '^D'
replace: '#D'
# Tasks for configuring cloud-init.
- name: "Configuring cloud-init."
block:
- name: "Message: Configuring cloud-init"
ansible.builtin.debug:
msg: "Configuring cloud-init"
- ansible.builtin.copy:
content: 'datasource_list: [ ConfigDrive, NoCloud ]'
dest: /etc/cloud/cloud.cfg.d/90_dpkg.cfg
when: enable_cloudinit == 'true'
# Tasks for setting SSH keys to regenerate.
- name: "Setting SSH keys to regenerate."
copy:
dest: /etc/rc.local
content: |
[Unit]
Description=Regenerate SSH host keys
Before=ssh.service
ConditionFileIsExecutable=/usr/bin/ssh-keygen
[Service]
Type=oneshot
ExecStartPre=-/bin/dd if=/dev/hwrng of=/dev/urandom count=1 bs=4096
ExecStartPre=-/bin/sh -c "/bin/rm -f -v /etc/ssh/ssh_host_*_key*"
ExecStart=/usr/bin/ssh-keygen -A -v
ExecStartPost=/bin/systemctl disable regenerate_ssh_host_keys
[Install]
WantedBy=multi-user.target
when: not cloud_init | bool
- name: Reload systemd to re-read configurations
ansible.builtin.systemd:
daemon-reload: true
when: not cloud_init | bool
- name: Enable regenerate_ssh_host_keys service
ansible.builtin.systemd:
name: regenerate_ssh_host_keys
enabled: true
when: not cloud_init | bool
...
#!/bin/bash
if test -z "$(find /etc/ssh/ -iname 'ssh_host_*_key*')"; then
dpkg-reconfigure openssh-server
fi
exit 0
mode: 0755

6
ansible/roles/configure/tasks/main.yml
View File

@@ -12,8 +12,8 @@
include_tasks: redhat.yml
when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux', 'OracleLinux']"
- name: Prepare the {{ ansible_facts['distribution'] }} guest operating system
include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml"
when: "ansible_facts['distribution'] == 'Suse'"
- name: Configuration tasks for the {{ ansible_facts['distribution'] }} guest operating system
include_tasks: suse.yml
when: "ansible_facts['distribution'] in ['openSUSE Leap', 'Suse']"
...

39
ansible/roles/configure/tasks/redhat.yml
View File

@@ -1,5 +1,36 @@
---
- name: "Configure SSH for Public Key Authentication."
shell: |
sudo sed -i 's/.*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i 's/.*PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
# Tasks for unregistering from Red Hat Subscription Manager.
- name: "Unregistering from Red Hat Subscription Manager."
community.general.redhat_subscription:
state: absent
when: ansible_distribution == 'RedHat'
# Tasks for configuring SSH for public key authentication.
- name: "Configuring SSH for Public Key Authentication."
block:
- ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PermitRootLogin'
line: 'PermitRootLogin no'
- ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PubkeyAuthentication'
line: 'PubkeyAuthentication yes'
# Tasks for setting the hostname.
- name: "Setting the hostname."
ansible.builtin.hostname:
name: "localhost"
# Tasks for disabling SELinux.
- name: "Disabling SELinux."
ansible.builtin.selinux:
state: disabled
policy: targeted
# Tasks for restarting the SSH daemon.
- name: "Restarting the SSH daemon."
ansible.builtin.systemd:
name: sshd
state: restarted
daemon_reload: true

27
ansible/roles/configure/tasks/suse.yml
View File

@@ -1,35 +1,52 @@
---
# Tasks for setting custom facts.
- name: "Setting custom facts."
set_fact:
enable_cloudinit: "{{ enable_cloudinit | default('false') }}"
# Tasks for unregistering from SUSE Customer Center.
- name: "Unregistering from SUSE Customer Center."
command:
ansible.builtin.command:
cmd: "{{ item }}"
loop:
- SUSEConnect -d
- SUSEConnect --cleanup
when: "ansible_facts['distribution'] != 'openSUSE Leap'"
# Tasks for configuring SSH for public key authentication.
- name: "Configuring SSH for Public Key Authentication."
block:
- lineinfile:
- ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PermitRootLogin'
line: 'PermitRootLogin no'
- lineinfile:
- ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PubkeyAuthentication'
line: 'PubkeyAuthentication yes'
# Tasks for setting the hostname.
- name: "Setting the hostname."
hostname:
ansible.builtin.hostname:
name: "localhost"
# Tasks for restarting the SSH daemon.
- name: "Restarting the SSH daemon."
systemd:
ansible.builtin.systemd:
name: sshd
state: restarted
daemon_reload: true
# Tasks for configuring cloud-init.
- name: "Configuring cloud-init."
block:
- name: "Message: Configuring cloud-init"
ansible.builtin.debug:
msg: "Configuring cloud-init"
- ansible.builtin.copy:
content: 'datasource_list: [ ConfigDrive, NoCloud ]'
dest: /etc/cloud/cloud.cfg.d/90_dpkg.cfg
when: enable_cloudinit == 'true'
...

118
ansible/roles/configure/tasks/ubuntu.yml
View File

@@ -1,88 +1,62 @@
---
- name: "Configure SSH for Public Key Authentication"
shell: |
sudo sed -i 's/.*PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
# Tasks for setting custom facts.
- name: "Setting custom facts."
ansible.builtin.set_fact:
enable_cloudinit: "{{ enable_cloudinit | default('false') }}"
- name: Restarting the SSH daemon
ansible.builtin.service:
# Tasks for configuring SSH for public key authentication.
- name: "Configuring SSH for Public Key Authentication."
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PubkeyAuthentication'
line: 'PubkeyAuthentication yes'
# Tasks for setting the hostname.
- name: "Setting the hostname."
ansible.builtin.hostname:
name: "localhost"
# Tasks for restarting the SSH daemon.
- name: "Restarting the SSH daemon."
ansible.builtin.systemd:
name: ssh
state: restarted
daemon_reload: true
- name: Remove cloud-init files
ansible.builtin.file:
# Tasks for disabling systemd-tmpfiles.
- name: "Disabling systemd-tmpfiles."
ansible.builtin.replace:
path: /usr/lib/tmpfiles.d/tmp.conf
regexp: '^D'
replace: '#D'
# Tasks for configuring cloud-init.
- name: "Configuring cloud-init."
block:
- name: "Message: Configuring cloud-init"
ansible.builtin.debug:
msg: "Configuring cloud-init"
- ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg
- /etc/cloud/cloud.cfg.d/50-curtin-networking.cfg
- /etc/cloud/cloud.cfg.d/curtin-preserve-sources.cfg
- /etc/cloud/cloud.cfg.d/99-installer.cfg
- /etc/netplan/00-installer-config.yaml
when:
- cloud_init | bool
- ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04" or ansible_distribution_version == "24.04"
- name: Disable cloud-init if configured to
block:
- name: Check if /etc/cloud/ exists
ansible.builtin.stat:
path: '/etc/cloud/'
register: etc_cloud_folder
- name: 'Generate /etc/cloud/cloud-init.disabled'
ansible.builtin.copy:
dest: '/etc/cloud/cloud-init.disabled'
content: 'disabled by ansible\n'
owner: 'root'
group: 'root'
mode: '0644'
when:
- 'etc_cloud_folder.stat.exists'
when:
- not cloud_init | bool
- ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04" or ansible_distribution_version == "24.04"
- name: Copy cloud-init PVE default file
ansible.builtin.copy:
- ansible.builtin.copy:
content: 'datasource_list: [ VMware, OVF, None ]'
dest: /etc/cloud/cloud.cfg.d/90_dpkg.cfg
content: |
datasource_list: [ ConfigDrive, NoCloud ]
when: cloud_init | bool
when: enable_cloudinit == 'true'
- name: "Modifying GRUB."
shell: |
sed -i -e "s/GRUB_CMDLINE_LINUX_DEFAULT=\"\(.*\)\"/GRUB_CMDLINE_LINUX_DEFAULT=\"\"/" /etc/default/grub
update-grub
when: ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04" or ansible_distribution_version == "24.04"
- name: Creating SSH key regeneration service file
# Tasks for setting SSH keys to regenerate.
- name: "Setting SSH keys to regenerate."
ansible.builtin.copy:
dest: /etc/systemd/system/regenerate_ssh_host_keys.service
dest: /etc/rc.local
content: |
[Unit]
Description=Regenerate SSH host keys
Before=ssh.service
ConditionFileIsExecutable=/usr/bin/ssh-keygen
[Service]
Type=oneshot
ExecStartPre=-/bin/dd if=/dev/hwrng of=/dev/urandom count=1 bs=4096
ExecStartPre=-/bin/sh -c "/bin/rm -f -v /etc/ssh/ssh_host_*_key*"
ExecStart=/usr/bin/ssh-keygen -A -v
ExecStartPost=/bin/systemctl disable regenerate_ssh_host_keys
[Install]
WantedBy=multi-user.target
when: not cloud_init | bool
- name: Reload systemd to re-read configurations
ansible.builtin.systemd:
daemon-reload: true
when: not cloud_init | bool
- name: Enable regenerate_ssh_host_keys service
ansible.builtin.systemd:
name: regenerate_ssh_host_keys
enabled: true
when: not cloud_init | bool
#!/bin/bash
if test -z "$(find /etc/ssh/ -iname 'ssh_host_*_key*')"; then
dpkg-reconfigure openssh-server
fi
exit 0
mode: 0755

2
ansible/roles/configure/vars/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
task_name: "Configure the operating system."

75
ansible/roles/users/tasks/linux.yml
View File

@@ -1,31 +1,46 @@
---
- name: "Adding authorized_keys for the default local user."
shell: |
sudo mkdir -p /home/{{BUILD_USERNAME}}/.ssh
sudo tee /home/{{BUILD_USERNAME}}/.ssh/authorized_keys << EOF
{{BUILD_SECRET}}
EOF
sudo chown -R {{BUILD_USERNAME}} /home/{{BUILD_USERNAME}}/.ssh
sudo chmod 700 /home/{{BUILD_USERNAME}}/.ssh
sudo chmod 644 /home/{{BUILD_USERNAME}}/.ssh/authorized_keys
- name: "Adding the default local user to passwordless sudoers."
shell: |
sudo bash -c "echo \"""{{BUILD_USERNAME}}"" ALL=(ALL) NOPASSWD:ALL\" >> /etc/sudoers"
- name: "Creating a local user for Ansible."
shell: |
sudo groupadd {{ANSIBLE_USERNAME}}
sudo useradd -g {{ANSIBLE_USERNAME}} -m -s /bin/bash {{ANSIBLE_USERNAME}}
sudo usermod -aG sudo {{ANSIBLE_USERNAME}}
echo {{ANSIBLE_USERNAME}}:"$(openssl rand -base64 14)" | sudo chpasswd
- name: "Adding authorized_keys to the local user for Ansible."
shell: |
sudo mkdir -p /home/{{ANSIBLE_USERNAME}}/.ssh
sudo tee /home/{{ANSIBLE_USERNAME}}/.ssh/authorized_keys << EOF
{{ANSIBLE_SECRET}}
EOF
sudo chown -R {{ANSIBLE_USERNAME}} /home/{{ANSIBLE_USERNAME}}/.ssh
sudo chmod 700 /home/{{ANSIBLE_USERNAME}}/.ssh
sudo chmod 644 /home/{{ANSIBLE_USERNAME}}/.ssh/authorized_keys
- name: "Adding the local user for Ansible to passwordless sudoers."
shell: |
sudo bash -c "echo \"""{{ANSIBLE_USERNAME}}"" ALL=(ALL) NOPASSWD:ALL\" >> /etc/sudoers"
# Tasks for setting custom facts.
- name: "Setting custom facts."
ansible.builtin.set_fact:
enable_cloudinit: "{{ enable_cloudinit | default('false') }}"
# Tasks for creating the local group for Ansible.
- name: "Creating the local group for Ansible."
ansible.builtin.group:
name: "{{ ansible_username }}"
# Tasks for creating the sudo group.
- name: "Creating the sudo group."
ansible.builtin.group:
name: sudo
# Tasks for creating the local user for Ansible.
- name: "Creating the local user for Ansible."
ansible.builtin.user:
name: "{{ ansible_username }}"
group: "{{ ansible_username }}"
groups: sudo
password: '!'
shell: /bin/bash
# Tasks for managing the authorized keys for the local users.
- name: "Managing the authorized keys for the local users."
ansible.posix.authorized_key:
user: "{{ item.user }}"
key: "{{ item.key }}"
loop:
- user: "{{ ansible_username }}"
key: "{{ ansible_key }}"
- user: "{{ build_username }}"
key: "{{ build_key }}"
no_log: true
# Tasks for managing sudoers.d for the local users.
- name: "Managing sudoers.d for the local users."
community.general.sudoers:
name: "{{ item }}"
user: "{{ item }}"
commands: ALL
loop:
- "{{ build_username }}"
- "{{ ansible_username }}"

2
ansible/roles/users/vars/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
task_name: "Configure the operating system users."