First commit. Some tasks from basic-system-setup have been moved here.

Andrea Dell'Amico 2026-02-23 10:47:58 +01:00
parent 503bbea120
commit 76eab10a4f
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
47 changed files with 2233 additions and 79 deletions

.ansible-lint Normal file

@ -0,0 +1,9 @@
---
enable_list:
- name[prefix]
skip_list:
- key-order
warn_list:
- experimental
- no-changed-when
- no-free-form
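Review bot: moving `no-changed-when` and `no-free-form` to `warn_list` means ansible-lint will no longer fail the run on `shell`/`command` tasks that lack a `changed_when`, which is exactly the class of task where idempotency bugs hide; the role's `semodule` shell tasks rely on `creates:` instead, so this is defensible, but add a one-line comment next to the list saying why, and keep `key-order` in `skip_list` only if the task files are genuinely meant to keep `when:` before `block:` as they do now.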

README.md

@ -1,38 +1,409 @@
Role Name
=========
# os-bootstrap
A brief description of the role goes here.
An Ansible role that performs early-stage OS bootstrapping for Linux servers. It runs before any role dependencies (rsyslog, firewall, NTP, etc.) and establishes the baseline system state: locale, timezone, hostname, package prerequisites, network configuration, disk management, sysctl tuning, and PKI infrastructure.
Requirements
------------
This role is designed to be the **first dependency** of higher-level roles such as [basic-system-setup](https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-basic-system-setup).
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
## Requirements
Role Variables
--------------
- Ansible >= 2.9
- Python 3 on target hosts (this role installs additional Python packages needed by subsequent Ansible tasks)
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
### Ansible Collections Required
Dependencies
------------
```bash
ansible-galaxy collection install ansible.posix
ansible-galaxy collection install community.general
```
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
## Supported Platforms
Example Playbook
----------------
- Ubuntu 20.04 (Focal), 22.04 (Jammy), 24.04 (Noble)
- Debian 11 (Bullseye), 12 (Bookworm)
- RHEL / CentOS Stream / Rocky Linux / AlmaLinux 8, 9, 10
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
## Task Descriptions
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
Tasks run in the following order:
License
-------
| Task File | Description | Condition |
| --------- | ----------- | --------- |
| `http_client_proxy.yml` | Configures system-wide HTTP/HTTPS proxy environment variables | `enable_env_proxy` |
| `ansible-python3-pkgs.yml` | Installs Python 3 packages required by Ansible modules | always |
| `hostname.yml` | Sets the system hostname from inventory | `explicitly_set_hostname` |
| `locale.yml` | Generates and configures system locales | always |
| `timezone.yml` | Sets the system timezone | always |
| `etchosts-customizations.yml` | Adds custom entries to `/etc/hosts` | always |
| `network-interfaces.yml` | Configures additional network interfaces via Netplan (Ubuntu) | `ubuntu_configure_additional_interfaces` |
| `additional_disks.yml` | Partitions, formats, and mounts additional disks | `additional_disks` |
| `swap_device.yml` | Configures a swap device | `swap_device` |
| `external_repos_el.yml` | Installs EPEL and optional elrepo repositories | RedHat family only |
| `basic_setup_el.yml` | EL/RedHat package install, SELinux configuration, service management | RedHat family only |
| `deb_general.yml` | Debian/Ubuntu package install, apt proxy, unattended upgrades, service cleanup | Debian family only |
| `sysctl.yml` | Writes custom kernel parameters to `/etc/sysctl.d/` | always |
| `grub_cmdline_parameters.yml` | Appends parameters to `GRUB_CMDLINE_LINUX` | `configure_grub_cmdline_parameters` |
| `pki_dir.yml` | Creates the PKI directory hierarchy | always |
| `self_signed_certificate.yml` | Generates a self-signed certificate with mkcert | `letsencrypt_acme_install` is defined and true |
| `trusted_ca.yml` | Installs Let's Encrypt and custom CA certificates into the system trust store | always |
| `certificate_from_private_ca.yml` | Requests a certificate from a private CA (mkcert) | `mkcert_create_certificate` and no Let's Encrypt |
### Sub-tasks for `deb_general.yml`
| Task File | Description | Condition |
| --------- | ----------- | --------- |
| `apt_proxy.yml` | Configures APT proxy in `/etc/apt/apt.conf.d/02proxy` | `use_apt_proxy` |
| `dist_upgrade.yml` | Performs a full distribution upgrade | `dist_upgrade` |
| `packages_deb.yml` | Installs common and additional packages | always |
| `remove_unneeded_pkgs.yml` | Removes unwanted packages (exim, snapd, lxd, etc.) | always |
| `pubkeys.yml` | Manages root SSH authorized keys | `manage_root_ssh_keys` |
| `unattended_upgrades.yml` | Configures `unattended-upgrades` for automatic security updates | always |
| `disable_services.yml` | Disables unwanted services | `disable_some_not_needed_services` |
## Role Variables
### Timezone and Locale
```yaml
timezone: Europe/Rome
default_locale_lang: en_US.UTF-8
default_deb_locale_messages: C.UTF-8
default_el_locale_messages: en_US.UTF-8
locales_list:
- { name: "{{ default_locale_lang }}" }
- { name: en_US.UTF-8 }
- { name: en_US }
- { name: it_IT.UTF-8 }
- { name: it_IT }
```
### Hostname and /etc/hosts
```yaml
explicitly_set_hostname: true
domain_name: "{{ ansible_domain }}"
# Inline block of hosts entries, e.g.:
# "192.168.1.10 host1.example.com host1"
custom_etc_hosts_entries: ""
custom_etc_hosts_entries_adjunct: ""
```
### Network Interfaces (Ubuntu / Netplan)
```yaml
ubuntu_configure_additional_interfaces: false
ubuntu_configure_additional_int_dhcp_overrides: true
ubuntu_configure_additional_ints_list: []
# Example:
# ubuntu_configure_additional_ints_list:
# - name: eth1
# dhcp4: true
disable_ipv6: false
ipv6_sysctl_value: 1
ipv6_sysctl_file: /etc/sysctl.d/10-ipv6-disable.conf
```
### Sysctl
```yaml
sysctl_custom_file: /etc/sysctl.d/90-custom-values.conf
sysctl_opts_reload: true
sysctl_custom_file_state: present
# Only name and value are mandatory
sysctl_custom_options: []
# - name: 'net.nf_conntrack_max'
# value: '32768'
# sysctlfile: '{{ sysctl_custom_file }}'
# sysctl_reload: '{{ sysctl_opts_reload }}'
# sysctlfile_state: '{{ sysctl_custom_file_state }}'
```
### GRUB
```yaml
configure_grub_cmdline_parameters: false
grub_cmdline_additional_parameters: ""
# Example: "intel_iommu=on quiet"
```
### Additional Disks
```yaml
additional_disks: false
disks_and_mountpoints_list: []
# - mountpoint: '/data'
# device: 'xvda3'
# fstype: 'xfs'
# opts: 'noatime'
# state: 'mounted'
# create_filesystem: true
```
### Swap Device
```yaml
swap_device: false
swap_device_name: /dev/vdxxxxx
```
### HTTP Client Proxy
```yaml
enable_env_proxy: false
env_proxy_http_host: localhost
env_proxy_http_port: "3128"
env_proxy_http_protocol: http
env_proxy_https_protocol: "{{ env_proxy_http_protocol }}"
env_proxy_http_url: "{{ env_proxy_http_protocol }}://{{ env_proxy_http_host }}:{{ env_proxy_http_port }}"
env_proxy_https_url: "{{ env_proxy_http_url }}"
env_proxy_use_authentication: false
env_proxy_username: ""
env_proxy_password: ""
no_proxy_targets:
- ::1
- 127.0.0.1
- localhost
```
### Python 3 Packages for Ansible
```yaml
ansible_python3_debs:
- python3-lxml
ansible_python3_el:
- python3-lxml
```
### PKI Directory and Certificates
```yaml
pki_dir: /etc/pki
pki_subdirs:
- certs
- keys
pki_install_a_custom_ca: false
# Self-signed certificate paths (used when letsencrypt is not available)
self_signed_cert: "{{ pki_dir }}/selfsigned/cert"
self_signed_fullchain: "{{ pki_dir }}/selfsigned/fullchain"
self_signed_key: "{{ pki_dir }}/selfsigned/privkey"
self_signed_subject: /CN={{ ansible_fqdn }} self signed
# Certificate from private CA (mkcert)
mkcert_create_certificate: false
mkcert_cert_name: "{{ ansible_fqdn }}.pem"
mkcert_cert_dest_path: "{{ pki_dir }}/certs"
mkcert_key_name: "{{ ansible_fqdn }}-key.pem"
mkcert_key_dest_path: "{{ pki_dir }}/keys"
mkcert_dsn_and_ip_list: "{{ ansible_fqdn }} {% for ip in ansible_all_ipv4_addresses %}{{ ip }} {% endfor %}"
mkcert_ca_host: localhost
```
### Trusted CA Certificates
```yaml
trusted_ca_el_anchors_path: /etc/pki/ca-trust/source/anchors
trusted_ca_deb_path: /usr/local/share/ca-certificates
# Let's Encrypt intermediate CAs (normally already trusted by the OS)
trusted_ca_letsencrypt_install: false
trusted_ca_letsencrypt_ca_certificates_url: https://letsencrypt.org/certs
# Additional custom CAs to install
trusted_ca_additional_ca_files: []
# - { ca_url: 'https://example.com/foo-ca.pem', ca: 'foo-ca.pem', name: 'foo-ca' }
```
### EL/RedHat — External Repositories
```yaml
centos_install_epel: true
centos_epel_repo_url: epel-release
centos_install_release_scl: false
rh_install_elrepo: false
```
### EL/RedHat — Basic Setup
```yaml
centos_pkg_state: latest
centos_packages_cleanup: true
# SELinux
selinux_policy_type: targeted
selinux_policy_state: enforcing
centos_selinux_daemons_dump_core: false
# Services
centos_disable_avahi: true
centos_remove_avahi: false
centos_disable_networkmanager: false
centos_remove_networkmanager: false
centos_services_to_be_disabled:
- acpid
# DNS (optional, for static resolver configuration)
centos_set_dns_servers: false
dns1: 208.67.220.220
dns2: 208.67.222.222
# Root SSH keys
manage_root_ssh_keys: true
```
### Debian/Ubuntu — Package Management
```yaml
use_apt_proxy: false
apt_proxy_url: http://localhost:3128
dist_upgrade: false
pkg_state: present
common_packages:
- acl
- curl
- wget
- htop
- vim-tiny
- psmisc
- tcpdump
- lsof
- strace
- rsync
- unzip
- tree
- bash-completion
- sudo
- less
# ... see defaults/main.yml for the full list
# Additional packages (define in your playbook or group_vars)
# additional_packages:
# - pkg1
# - pkg2
```
### Debian/Ubuntu — Package Cleanup
```yaml
cleanup_base_packages: true
base_packages_to_remove:
- ppp
- at
- snapd
cleanup_exim_email_server: true
disable_apport_service: true
ubuntu_remove_lxd: true
```
### Debian/Ubuntu — Unattended Upgrades
```yaml
unatt_allowed_origins:
- ${distro_id}:${distro_codename}-security
unatt_autofix: "true"
unatt_minimalsteps: "false"
unatt_install_on_shutdown: "false"
unatt_email_on_error: "false"
unatt_autoremove: "true"
unatt_autoreboot: "false"
unatt_autoreboot_time: now
```
### Debian/Ubuntu — Service Management
```yaml
disable_some_not_needed_services: false
services_to_be_disabled:
- rpcbind
- atd
- acpid
```
## Dependencies
None. This role is intentionally dependency-free so it can run before any other role.
## Example Playbook
Normally you do not invoke `os-bootstrap` directly — it is pulled in automatically as a dependency. If you need to run it standalone:
```yaml
---
- hosts: servers
become: true
roles:
- role: adellam.os_bootstrap
vars:
timezone: Europe/Rome
explicitly_set_hostname: true
disable_ipv6: false
sysctl_custom_options:
- name: net.nf_conntrack_max
value: "65536"
```
### With proxy and extra disk
```yaml
---
- hosts: servers
become: true
roles:
- role: adellam.os_bootstrap
vars:
enable_env_proxy: true
env_proxy_http_host: proxy.example.com
env_proxy_http_port: "3128"
additional_disks: true
disks_and_mountpoints_list:
- mountpoint: /data
device: sdb1
fstype: xfs
opts: noatime
state: mounted
create_filesystem: true
```
### EL with custom SELinux and EPEL
```yaml
---
- hosts: el_servers
become: true
roles:
- role: adellam.os_bootstrap
vars:
centos_install_epel: true
selinux_policy_state: enforcing
selinux_policy_type: targeted
centos_pkg_state: latest
```
## Testing
```bash
source ~/ansible/ansible6/bin/activate
ansible-lint
```
Basic test playbook is in `tests/test.yml`.
## License
EUPL-1.2
Author Information
------------------
## Author Information
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
Andrea Dell'Amico <andrea.dellamico@isti.cnr.it>
ISTI-CNR, Pisa, Italy
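Review bot: the task table says `self_signed_certificate.yml` runs when `letsencrypt_acme_install` is defined and true, but the PKI variable block comments the self-signed paths as "used when letsencrypt is not available"; one of the two is inverted, and since this decides whether a host ends up with a self-signed key pair, state the real condition in both places. Two smaller points in the same section: `mkcert_dsn_and_ip_list` reads like a typo for "dns" (it is a public variable name, so if it stays, say so explicitly), and `env_proxy_password: ""` is documented as an ordinary role variable although `http_client_proxy.yml` writes the proxy URL into system-wide environment configuration; tell users to supply it through ansible-vault rather than group_vars. The Testing section's `source ~/ansible/ansible6/bin/activate` is a path on the author's workstation and will not work for anyone else; replace it with a generic instruction to activate a virtualenv that has ansible-lint installed.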


@ -1,2 +1,306 @@
---
# defaults file for ansible-role-template
# timezone
timezone: Europe/Rome
default_locale_lang: en_US.UTF-8
default_deb_locale_messages: C.UTF-8
default_el_locale_messages: en_US.UTF-8
locales_list:
- { name: "{{ default_locale_lang }}" }
- { name: en_US.UTF-8 }
- { name: en_US }
- { name: it_IT.UTF-8 }
- { name: it_IT }
domain_name: "{{ ansible_domain }}"
configure_grub_cmdline_parameters: false
grub_cmdline_additional_parameters: ""
sysctl_custom_file: /etc/sysctl.d/90-custom-values.conf
sysctl_opts_reload: true
sysctl_custom_file_state: present
explicitly_set_hostname: true
custom_etc_hosts_entries: ""
custom_etc_hosts_entries_adjunct: ""
# Only name and value are mandatory. The others have defaults
sysctl_custom_options: []
# - name: 'net.nf_conntrack_max'
# value: '32768'
# sysctlfile: '{{ sysctl_custom_file }}'
# sysctl_reload: '{{ sysctl_opts_reload }}'
# sysctlfile_state: '{{ sysctl_custom_file_state }}'
ubuntu_configure_additional_interfaces: false
ubuntu_configure_additional_int_dhcp_overrides: true
ubuntu_configure_additional_ints_list: []
disable_ipv6: false
ipv6_sysctl_value: 1
ipv6_sysctl_file: /etc/sysctl.d/10-ipv6-disable.conf
#
# Define the following variables to manage additional disks and mount points, even static nfs ones
additional_disks: false
disks_and_mountpoints_list: []
# - { mountpoint: '/data', device: 'xvda3', fstype: 'xfs', opts: 'noatime', state: 'mounted', create_filesystem: True }
swap_device: false
swap_device_name: /dev/vdxxxxx
ansible_python3_debs:
- python3-lxml
ansible_python3_el:
- python3-lxml
#
enable_env_proxy: false
env_proxy_http_host: localhost
env_proxy_http_port: "3128"
env_proxy_http_protocol: http
env_proxy_https_protocol: "{{ env_proxy_http_protocol }}"
env_proxy_http_url: "{{ env_proxy_http_protocol }}://{{ env_proxy_http_host }}:{{ env_proxy_http_port }}"
env_proxy_https_url: "{{ env_proxy_http_url }}"
env_proxy_protocols:
- http_proxy
- https_proxy
- ftp_proxy
- HTTP_PROXY
- HTTPS_PROXY
- FTP_PROXY
env_proxy_use_authentication: false
env_proxy_username: ""
env_proxy_password: ""
no_proxy_targets:
- ::1
- 127.0.0.1
- localhost
# A generic PKI directory where the local certificates will be stored
pki_dir: /etc/pki
pki_subdirs:
- certs
- keys
pki_install_a_custom_ca: false
self_signed_cert: "{{ pki_dir }}/selfsigned/cert"
self_signed_fullchain: "{{ pki_dir }}/selfsigned/fullchain"
self_signed_key: "{{ pki_dir }}/selfsigned/privkey"
self_signed_subject: /CN={{ ansible_fqdn }} self signed
mkcert_create_certificate: false
mkcert_cert_name: "{{ ansible_fqdn }}.pem"
mkcert_cert_dest_path: "{{ pki_dir }}/certs"
mkcert_cert_file_path: "{{ mkcert_cert_dest_path }}/{{ mkcert_cert_name }}"
mkcert_key_name: "{{ ansible_fqdn }}-key.pem"
mkcert_key_dest_path: "{{ pki_dir }}/keys"
mkcert_key_file_path: "{{ mkcert_key_dest_path }}/{{ mkcert_key_name }}"
mkcert_dsn_and_ip_list: "{{ ansible_fqdn }} {% for ip in ansible_all_ipv4_addresses %}{{ ip }} {% endfor %}"
mkcert_ca_host: localhost
trusted_ca_el_anchors_path: /etc/pki/ca-trust/source/anchors
trusted_ca_deb_path: /usr/local/share/ca-certificates
# it shoudn't be needed
trusted_ca_letsencrypt_install: false
trusted_ca_letsencrypt_ca_certificates_url: https://letsencrypt.org/certs
trusted_ca_letsencrypt_ca_files:
- { ca_src: isrgrootx1.pem, ca: isrgrootx1.crt, name: isrg-root-x1 }
- { ca_src: isrg-root-x2.pem, ca: isrg-root-x2.crt, name: isrg-root-x2-not-cross }
- { ca_src: 2024/e5.pem, ca: lets-encrypt-e5.crt, name: lets-encrypt-e5 }
- { ca_src: 2024/e6.pem, ca: lets-encrypt-e6.crt, name: lets-encrypt-e6 }
- { ca_src: 2024/r10.pem, ca: lets-encrypt-r10.crt, name: lets-encrypt-r10-not-cross }
- { ca_src: 2024/r11.pem, ca: lets-encrypt-r11.crt, name: lets-encrypt-r11-not-cross }
- { ca_src: 2024/e7.pem, ca: lets-encrypt-e7.crt, name: lets-encrypt-e7 }
- { ca_src: 2024/e7-cross.pem, ca: lets-encrypt-e7-cross.crt, name: lets-encrypt-e7-cross }
- { ca_src: 2024/e8.pem, ca: lets-encrypt-e8.crt, name: lets-encrypt-e8 }
- { ca_src: 2024/e8-cross.pem, ca: lets-encrypt-e8-cross.crt, name: lets-encrypt-e8-cross }
- { ca_src: 2024/r12.pem, ca: lets-encrypt-r12.crt, name: lets-encrypt-r12-not-cross }
- { ca_src: 2024/r13.pem, ca: lets-encrypt-r13.crt, name: lets-encrypt-r13-not-cross }
expired_ca_letsencrypt_ca_files:
- isrg-root-x2-cross-signed.pem
- lets-encrypt-r3-cross-signed.pem
- lets-encrypt-x3-cross-signed.pem
- letsencryptauthorityx3.pem
trusted_ca_additional_ca_files: []
# - { ca_url: 'https://example.com/foo-ca.pem', ca: 'foo-ca.pem', name: 'foo-ca' }
#
# External Repos (EL/RedHat)
#
centos_install_epel: true
centos_epel_repo_url: epel-release
centos_install_release_scl: false
rh_install_elrepo: false
rh_elrepo_repo_url: http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
#
# CentOS/EL Basic Setup
#
centos_pkg_state: latest
centos_set_dns_servers: false
dns1: 208.67.220.220
dns2: 208.67.222.222
configure_domain_name_in_interface: false
centos_packages_to_install:
- dstat
- lsof
- strace
- traceroute
- bind-utils
- yum-cron
- whois
- iotop
- policycoreutils-python-utils
- firewalld
- ipset
- psmisc
- tcpdump
- tuned
- bash-completion
- rsync
- bzip2
- wget
- curl
- unzip
centos_packages_from_epel:
- htop
- lbzip2
centos_packages_cleanup: true
centos_remove_avahi: false
centos_remove_networkmanager: false
centos_disable_avahi: true
centos_disable_networkmanager: false
centos_packages_to_remove:
- ppp
- wpa_supplicant
centos_nm_packages:
- NetworkManager-tui
- ModemManager-glib
- NetworkManager-glib
- NetworkManager
centos_avahi_packages:
- avahi
- avahi-libs
- avahi-autoipd
centos_services_to_be_disabled:
- acpid
centos_enable_locate: false
centos_locate_package:
- mlocate
centos_hw_packages:
- smartmontools
- system-storage-manager
centos_selinux_daemons_dump_core: false
selinux_policy_type: targeted
selinux_policy_state: enforcing
# selinux_booleans:
# - { name: '', state: '', persistent: 'yes' }
manage_root_ssh_keys: true
#
# Ubuntu/Debian General Setup
#
use_apt_proxy: false
apt_proxy_url: http://localhost:3128
dist_upgrade: false
pkg_state: present
common_packages:
- acl
- zile
- dstat
- iotop
- curl
- wget
- vim-tiny
- psmisc
- tcpdump
- lsof
- strace
- rsync
- multitail
- unzip
- htop
- tree
- bind9-host
- bash-completion
- sudo
- apt-transport-https
- nano
- xmlstarlet
- bsdutils
- less
# Set this variable in your playbook
# additional_packages:
# - pkg1
# - pkg2
# Unattended upgrades
unatt_allowed_origins:
- ${distro_id}:${distro_codename}-security
# unatt_blacklisted:
# - libc6
unatt_autofix: "true"
# When true, the procedure is really slow
unatt_minimalsteps: "false"
unatt_install_on_shutdown: "false"
# unatt_email: sysadmin@example.org
unatt_email_on_error: "false"
unatt_autoremove: "true"
unatt_autoreboot: "false"
unatt_autoreboot_time: now
#
# Package cleanup (Debian/Ubuntu)
#
cleanup_base_packages: true
base_packages_to_remove:
- ppp
- at
- snapd
cleanup_x_base_packages: false
x_base_packages_to_remove:
- firefox-locale-en
- x11-common
cleanup_nfs_packages: false
nfs_packages:
- nfs-common
- portmap
cleanup_rpcbind_packages: false
rpcbind_packages:
- rpcbind
cleanup_exim_email_server: true
exim_email_server_pkgs:
- exim4
- exim4-base
- exim4-config
- exim4-daemon-light
disable_apport_service: true
ubuntu_remove_lxd: true
ubuntu_lxd_pkgs:
- lxd
- lxcfs
disable_some_not_needed_services: false
services_to_be_disabled:
- rpcbind
- atd
- acpid
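Review bot: `rh_elrepo_repo_url` still points at `elrepo-release-7.0-2.el7.elrepo.noarch.rpm` over plain `http://`, while the README and meta declare EL 8, 9 and 10 as the supported platforms; the el7 package is useless there and an unauthenticated URL means the RPM's GPG signature is the only integrity check, so switch to the https URL of the release package matching each supported major version, or drop the variable until `rh_install_elrepo` is actually implemented. `centos_epel_repo_url: epel-release` holds a package name, not a URL; rename it or comment that it is passed straight to the package manager. `mkcert_dsn_and_ip_list` is probably meant to read "dns", and the comment `# it shoudn't be needed` above `trusted_ca_letsencrypt_install` has a typo and does not say what "it" refers to; a sentence such as "the OS trust store already contains the ISRG roots" would make the default self-explanatory.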


@ -0,0 +1,14 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,31 @@
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----


@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,30 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,30 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,17 @@
module qemu_ag_provisioning-sepol 1.0;
require {
type etc_t;
type systemd_timedated_t;
type virt_qemu_ga_t;
type proc_net_t;
class lnk_file unlink;
class file read;
}
#============= systemd_timedated_t ==============
allow systemd_timedated_t etc_t:lnk_file unlink;
#============= virt_qemu_ga_t ==============
allow virt_qemu_ga_t proc_net_t:file read;
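Review bot: `allow systemd_timedated_t etc_t:lnk_file unlink;` lets timedated remove any symlink labelled `etc_t`, not only the one it needs for `timedatectl`; if the original denial was on `/etc/localtime`, check first whether that link is mislabelled (`restorecon -v /etc/localtime`) because the stock policy already handles a correctly labelled one, and only keep the rule if the denial persists. Record the `audit2allow`/`ausearch` output that motivated both rules in a comment at the top of the module, so the next maintainer can tell when they have become unnecessary.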

files/systemd-enable.te Normal file

@ -0,0 +1,12 @@
module systemd-enable-sepol 1.0;
require {
type unconfined_t;
type init_t;
class service enable;
}
#============= unconfined_t ==============
allow unconfined_t init_t:service enable;
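Review bot: the module has no comment saying which platform and which denial `allow unconfined_t init_t:service enable;` works around; since `unconfined_t` is the domain of every interactive root session, note the originating `avc: denied` line and the EL release here, so the rule can be retired once the distribution policy fixes the glitch instead of being carried forever.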


@ -1,2 +1,5 @@
---
# handlers file for ansible-role-template
- name: Netplan Apply
ansible.builtin.command:
cmd: netplan apply
changed_when: false
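Review bot: `netplan apply` reconfigures the host's network and can cut the controller's SSH session if the rendered configuration is wrong, and `changed_when: false` then also hides in the play output that the network was touched; a handler only runs after a notifying task reported a change, so drop `changed_when: false` (or set it to `true`) and have the notifying task validate with `netplan generate`, which fails on an invalid configuration without touching the running network.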


@ -1,61 +1,35 @@
---
galaxy_info:
author: your name
description: your description
author: Andrea Dell'Amico
description: OS bootstrap role - early-stage system setup that must run before role dependencies
company: ISTI-CNR
namespace: adellam
role_name: os_bootstrap
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: EUPL-1.2
license: EUPL 1.2+
min_ansible_version: 2.8
min_ansible_version: "2.9"
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
platforms:
- name: Ubuntu
versions:
- focal
- jammy
- noble
- name: Debian
versions:
- bullseye
- bookworm
- name: EL
versions:
- "8"
- "9"
- "10"
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
galaxy_tags:
- os-setup
- bootstrap
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
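Review bot: the `galaxy_tags` entry `os-setup` contains a hyphen, and the retained comment right above it says a tag must be a single word of alphanumeric characters; Galaxy will reject the import, so use `ossetup` or `bootstrap` only. The hunk also shows both `license: EUPL-1.2` and `license: EUPL 1.2+`, and both `min_ansible_version: 2.8` and `min_ansible_version: "2.9"`; make sure only one of each survives and that the license string matches the README, which says EUPL-1.2.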


@ -0,0 +1,45 @@
---
- name: additional_disks | Manage the NFS mount points
when: ansible_distribution_file_variety == "Debian"
tags: [data_disk, mountpoint]
block:
- name: additional_disks | Install the NFS client utilities when we are going to mount a NFS file system
ansible.builtin.apt:
pkg: nfs-common
state: present
update_cache: true
cache_valid_time: 1800
loop: "{{ disks_and_mountpoints_list }}"
when: item.fstype == 'nfs'
- name: additional_disks | Install the NFS 4 acl tools if we are going to mount a NFS file system
ansible.builtin.apt:
pkg: nfs4-acl-tools
state: present
update_cache: true
cache_valid_time: 1800
loop: "{{ disks_and_mountpoints_list }}"
when: item.fstype == 'nfs'
- name: additional_disks | Create the file system
tags: [data_disk, mountpoint]
block:
- name: additional_disks | Create a file system on the new disks
community.general.filesystem:
dev: "{{ item.root_device | default('/dev/') }}{{ item.device }}"
fstype: "{{ item.fstype }}"
force: false
loop: "{{ disks_and_mountpoints_list }}"
when:
- additional_disks
- item.create_filesystem
- item.fstype != 'nfs'
- name: additional_disks | Manage the additional file systems
ansible.posix.mount:
name: "{{ item.mountpoint }}"
src: "{% if item.uuid is not defined %}{{ item.root_device | default('/dev/') }}{{ item.device }}{% else %}UUID={{ item.uuid }}{% endif %}"
fstype: "{{ item.fstype }}"
opts: "{{ item.opts }}"
state: "{{ item.state }}"
loop: "{{ disks_and_mountpoints_list }}"
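Review bot: the NFS client packages are installed only inside the block gated on `ansible_distribution_file_variety == "Debian"`, so an EL host with an `nfs` entry in `disks_and_mountpoints_list` reaches the `ansible.posix.mount` task without `nfs-utils` and fails at mount time; either add the EL branch or document that NFS entries are Debian-only. In the same file, `item.create_filesystem`, `item.opts` and `item.state` are dereferenced without `default()`, so an entry that omits any of them aborts the play with an undefined-variable error; `item.create_filesystem | default(false)` is the safe default for the filesystem task. The two apt tasks loop over the whole list and run once per entry; a single task with `when: disks_and_mountpoints_list | selectattr('fstype', 'equalto', 'nfs') | list | length > 0` does the same work once.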


@ -0,0 +1,20 @@
---
- name: ansible-python3-pkgs | Install some python3 packages on deb distributsions
when: ansible_distribution_file_variety == "Debian"
tags: [python, python3]
block:
- name: ansible-python3-pkgs | Install some python3 packages on Ubuntu/Debian
ansible.builtin.apt:
pkg: "{{ ansible_python3_debs }}"
state: present
cache_valid_time: 1800
- name: ansible-python3-pkgs | Install some python3 packages on EL
when: ansible_distribution_file_variety == "RedHat"
tags: [python, python3]
block:
- name: ansible-python3-pkgs | Install some python3 packages on EL
ansible.builtin.yum:
pkg: "{{ ansible_python3_el }}"
state: present
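Review bot: the EL task uses `ansible.builtin.yum` while the rest of the role (see `basic_setup_el.yml`) uses `ansible.builtin.dnf`; `yum` is the legacy module tied to the Python 2 yum bindings and is deprecated in current ansible-core, so use `dnf` here as well for the EL 8/9/10 targets the role declares. The first block's task name also has a typo, "distributsions".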

tasks/apt_proxy.yml Normal file

@ -0,0 +1,13 @@
---
- name: apt_proxy | Setup apt cache proxy
ansible.builtin.template:
src: "02proxy.j2"
dest: /etc/apt/apt.conf.d/02proxy
owner: root
group: root
mode: "0644"
when:
- ansible_distribution_file_variety == "Debian"
- use_apt_proxy
tags:
- aptproxy

tasks/basic_setup_el.yml Normal file

@ -0,0 +1,251 @@
---
- name: basic_setup_el | Install the basic packages
ansible.builtin.dnf:
name: "{{ centos_packages_to_install }}"
state: "{{ centos_pkg_state }}"
tags:
- centos
- bootstrap
- packages
- name: basic_setup_el | Install the basic packages from the EPEL repository
ansible.builtin.dnf:
name: "{{ centos_packages_from_epel }}"
state: "{{ centos_pkg_state }}"
when: centos_install_epel
tags:
- centos
- bootstrap
- packages
- name: basic_setup_el | Install the packages we want on a non virtualized host
ansible.builtin.dnf:
name: "{{ centos_hw_packages | default([]) }}"
state: "{{ centos_pkg_state }}"
when: ansible_virtualization_role is defined and ansible_virtualization_role == 'host'
tags:
- centos
- bootstrap
- packages
- name: basic_setup_el | Install the selinux policy file to fix a timedatectl problem and various qemu-ga ones
ansible.builtin.copy:
src: qemu_ag_provisioning-sepol.te
dest: /usr/local/etc/qemu_ag_provisioning-sepol.te
owner: root
group: root
mode: "0644"
register: qemu_ga_selinux_policy
tags:
- centos
- rhel
- selinux
- name: basic_setup_el | Activate the selinux policy for qemu
ansible.builtin.shell: >
checkmodule -M -m -o /usr/local/etc/qemu_ag_provisioning-sepol.mod /usr/local/etc/qemu_ag_provisioning-sepol.te &&
semodule_package -o /usr/local/etc/qemu_ag_provisioning-sepol.pp -m /usr/local/etc/qemu_ag_provisioning-sepol.mod &&
semodule -i /usr/local/etc/qemu_ag_provisioning-sepol.pp
args:
creates: /usr/local/etc/qemu_ag_provisioning-sepol.pp
when: qemu_ga_selinux_policy is changed # noqa: no-handler
tags:
- centos
- rhel
- selinux
- name: basic_setup_el | Install the selinux policy file to fix a systemd policy glitch
ansible.builtin.copy:
src: systemd-enable.te
dest: /usr/local/etc/systemd-enable-sepol.te
owner: root
group: root
mode: "0644"
register: systemd_selinux_policy
tags:
- centos
- rhel
- selinux
- name: basic_setup_el | Activate the selinux policy for systemd
ansible.builtin.shell: >
checkmodule -M -m -o /usr/local/etc/systemd-enable-sepol.mod /usr/local/etc/systemd-enable-sepol.te &&
semodule_package -o /usr/local/etc/systemd-enable-sepol.pp -m /usr/local/etc/systemd-enable-sepol.mod &&
semodule -i /usr/local/etc/systemd-enable-sepol.pp
args:
creates: /usr/local/etc/systemd-enable-sepol.pp
when: systemd_selinux_policy is changed # noqa: no-handler
tags:
- centos
- rhel
- selinux
- name: basic_setup_el | Activate smartmontools on a non virtualized host
ansible.builtin.service:
name: smartd
state: started
enabled: true
when: ansible_virtualization_role is defined and ansible_virtualization_role == 'host'
tags:
- centos
- bootstrap
- packages
- name: basic_setup_el | Install the locate utility if needed
ansible.builtin.dnf:
name: "{{ centos_locate_package }}"
state: "{{ centos_pkg_state }}"
when: centos_enable_locate
tags:
- centos
- bootstrap
- packages
- name: basic_setup_el | Configure the main interface to set the correct resolvers - dns1
ansible.builtin.lineinfile:
name: /etc/sysconfig/network-scripts/ifcfg-eth0
regexp: ^DNS1=
line: DNS1={{ dns1 }}
when: centos_set_dns_servers
tags:
- centos
- bootstrap
- name: basic_setup_el | Configure the main interface to set the correct resolvers - dns2
ansible.builtin.lineinfile:
name: /etc/sysconfig/network-scripts/ifcfg-eth0
regexp: ^DNS2=
line: DNS2={{ dns2 }}
when: centos_set_dns_servers
tags:
- centos
- bootstrap
- name: basic_setup_el | Configure the main interface to set the correct search domain
ansible.builtin.lineinfile:
name: /etc/sysconfig/network-scripts/ifcfg-eth0
regexp: ^DOMAIN=
line: DOMAIN={{ domain_name }}
when: configure_domain_name_in_interface
tags:
- centos
- bootstrap
- name: basic_setup_el | Stop avahi before removing it when it is not needed
ansible.builtin.service:
name: avahi-daemon
state: stopped
enabled: false
when: centos_remove_avahi or centos_disable_avahi
failed_when: false
tags:
- centos
- bootstrap
- avahi
- name: basic_setup_el | Stop and disable NetworkManager when we do not need it
ansible.builtin.service:
name: NetworkManager
state: stopped
enabled: false
when: centos_remove_networkmanager or centos_disable_networkmanager
failed_when: false
tags:
- centos
- bootstrap
- networkmanager
- name: basic_setup_el | Remove some unneeded packages
ansible.builtin.dnf:
name: "{{ centos_packages_to_remove | default([]) }}"
state: absent
when: centos_packages_cleanup
tags:
- centos
- bootstrap
- packages
- name: basic_setup_el | Remove the Avahi packages
ansible.builtin.dnf:
name: "{{ centos_avahi_packages | default([]) }}"
state: absent
when: centos_remove_avahi
tags:
- centos
- bootstrap
- packages
- name: basic_setup_el | Remove the NetworkManager packages
ansible.builtin.dnf:
name: "{{ centos_nm_packages | default([]) }}"
state: absent
when: centos_remove_networkmanager
tags:
- centos
- bootstrap
- packages
- name: basic_setup_el | Disable some unneeded services
ansible.builtin.service:
name: "{{ item }}"
state: stopped
enabled: false
loop: "{{ centos_services_to_be_disabled }}"
when: centos_services_to_be_disabled is defined
failed_when: false
tags:
- centos
- bootstrap
- daemons
- name: basic_setup_el | Configure selinux to permit core dumps by daemons
ansible.posix.seboolean:
name: daemons_dump_core
state: true
persistent: true
when: centos_selinux_daemons_dump_core | bool
tags:
- centos
- bootstrap
- selinux
- name: basic_setup_el | Set other SELinux booleans - Optional
ansible.posix.seboolean:
name: "{{ item.name }}"
state: "{{ item.state }}"
persistent: "{{ item.persistent | default('yes') }}"
loop: "{{ selinux_booleans }}"
when: selinux_booleans is defined
tags:
- centos
- bootstrap
- selinux
- name: basic_setup_el | Set the SELinux global policy - Defaults to Enforcing
ansible.posix.selinux:
policy: "{{ selinux_policy_type }}"
state: "{{ selinux_policy_state }}"
tags:
- centos
- bootstrap
- selinux
- name: basic_setup_el | Add public ssh keys for root
ansible.posix.authorized_key:
user: root
key: "{{ item }}"
state: present
loop: "{{ root_ssh_keys | default([]) }}"
when: manage_root_ssh_keys
tags:
- root_pubkeys
- name: basic_setup_el | Remove obsolete keys from the authorized ones
ansible.posix.authorized_key:
user: root
key: "{{ item }}"
state: absent
loop: "{{ obsolete_root_ssh_keys | default([]) }}"
when: obsolete_root_ssh_keys is defined
tags:
- root_pubkeys
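Review bot: the three `lineinfile` tasks for DNS1/DNS2/DOMAIN hard-code `/etc/sysconfig/network-scripts/ifcfg-eth0`; `lineinfile` fails when the file is missing (no `create:`), the interface is not always `eth0`, and on EL9 the legacy network-scripts are gone altogether, so derive the path from the default interface (e.g. `name: /etc/sysconfig/network-scripts/ifcfg-{{ ansible_default_ipv4.interface }}`) and guard it with a `stat`, or configure resolvers through NetworkManager on hosts that use it. Stopping and disabling NetworkManager with `failed_when: false` also succeeds silently on hosts where it is the only network stack, which can take the machine offline; restrict that task to hosts where network-scripts exist. Finally, the two root SSH key tasks at the end duplicate `tasks/pubkeys.yml` verbatim, and `Remove obsolete keys` is not gated by `manage_root_ssh_keys` while the add task is; import `pubkeys.yml` once from `main.yml` for both families instead.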


@ -0,0 +1,76 @@
---
- name: certificate_from_private_ca | Create the certificate using the private CA
tags: [pki, tls, tls_certificate]
block:
- name: certificate_from_private_ca | Set the common group between mkcert-ca and ansible
ansible.builtin.set_fact:
ansible_common_remote_group: ansible
- name: certificate_from_private_ca | Remove the already existing certificates from the CA archive (delegate to the CA server)
ansible.builtin.file:
path: /srv/mkcert-ca/{{ item }}
state: absent
loop:
- "{{ mkcert_cert_name }}"
- "{{ mkcert_key_name }}"
- client-{{ mkcert_cert_name }}
- client-{{ mkcert_key_name }}
delegate_to: "{{ mkcert_ca_host }}"
- name: certificate_from_private_ca | Create the certificate (delegate to the CA server)
ansible.builtin.command:
cmd: mkcert -cert-file /srv/mkcert-ca/{{ mkcert_cert_name }} -key-file /srv/mkcert-ca/{{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list }}
args:
chdir: /srv/mkcert-ca
creates: /srv/mkcert-ca/{{ mkcert_cert_name }}
environment:
CAROOT: /srv/mkcert-ca/.local/share/mkcert
delegate_to: "{{ mkcert_ca_host }}"
- name: certificate_from_private_ca | Create a certificate able to do client authentication (delegate to the CA server)
ansible.builtin.command:
cmd: mkcert -client -cert-file /srv/mkcert-ca/client-{{ mkcert_cert_name }} -key-file /srv/mkcert-ca/client-{{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list
}} # yamllint disable-line rule:line-length
args:
chdir: /srv/mkcert-ca
creates: /srv/mkcert-ca/client-{{ mkcert_cert_name }}
environment:
CAROOT: /srv/mkcert-ca/.local/share/mkcert
delegate_to: "{{ mkcert_ca_host }}"
- name: certificate_from_private_ca | Manage the certificate installation
tags: [pki, tls, tls_certificate]
block:
- name: certificate_from_private_ca | Get the certificate and its key from the CA server
ansible.builtin.fetch:
src: /srv/mkcert-ca/{{ item }}
dest: files/
flat: true
loop:
- "{{ mkcert_cert_name }}"
- "{{ mkcert_key_name }}"
- client-{{ mkcert_cert_name }}
- client-{{ mkcert_key_name }}
delegate_to: "{{ mkcert_ca_host }}"
- name: certificate_from_private_ca | Copy the certificate to the destination server
ansible.builtin.copy:
src: files/{{ item }}
dest: "{{ mkcert_cert_dest_path }}"
owner: root
group: root
mode: "0444"
loop:
- "{{ mkcert_cert_name }}"
- client-{{ mkcert_cert_name }}
- name: certificate_from_private_ca | Copy the certificate to the destination server
ansible.builtin.copy:
src: files/{{ item }}
dest: "{{ mkcert_key_dest_path }}"
owner: root
group: root
mode: "0440"
loop:
- "{{ mkcert_key_name }}"
- client-{{ mkcert_key_name }}
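Review bot: the private keys are fetched to the controller's `files/` directory with `flat: true` and left there, so they sit unencrypted in the playbook working tree, are easy to commit, and because the file names come from `mkcert_cert_name`/`mkcert_key_name` rather than the target host, two hosts using the same names overwrite each other's keys. Fetch into a host-scoped temporary directory (e.g. `dest: /tmp/{{ inventory_hostname }}/`), remove it at the end of the block, and add `no_log: true` to the key tasks. Second, the first task unconditionally deletes the existing cert/key on the CA host, so the `creates:` guards on the two `mkcert` commands never fire and a new key pair is issued on every run; either drop the removal or gate it on a `mkcert_force_renew` variable. Minor: the list variable is spelled `mkcert_dsn_and_ip_list` (dns), and both `copy` tasks are named `Copy the certificate to the destination server` although the second installs the keys.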

23
tasks/deb_general.yml Normal file

@ -0,0 +1,23 @@
---
- name: deb_general | Configure APT proxy
ansible.builtin.import_tasks: apt_proxy.yml
- name: deb_general | Perform distribution upgrade
ansible.builtin.import_tasks: dist_upgrade.yml
when: dist_upgrade
- name: deb_general | Install common packages
ansible.builtin.import_tasks: packages_deb.yml
- name: deb_general | Remove unneeded packages
ansible.builtin.import_tasks: remove_unneeded_pkgs.yml
- name: deb_general | Manage SSH public keys
ansible.builtin.import_tasks: pubkeys.yml
when: manage_root_ssh_keys
- name: deb_general | Configure unattended upgrades
ansible.builtin.import_tasks: unattended_upgrades.yml
- name: deb_general | Disable unneeded services
ansible.builtin.import_tasks: disable_services.yml


@ -0,0 +1,27 @@
---
- name: disable_services | Disable some unneeded services
ansible.builtin.service:
name: "{{ item }}"
state: stopped
enabled: false
loop: "{{ services_to_be_disabled }}"
when: disable_some_not_needed_services
failed_when: false
tags:
- bootstrap
- disable_services
- name: disable_services | Disable apport service
ansible.builtin.service:
name: apport
state: stopped
enabled: false
when:
- disable_apport_service
- ansible_distribution == "Ubuntu"
- ansible_distribution_version is version_compare('18.04', '>=')
failed_when: false
tags:
- bootstrap
- disable_services
- apport
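Review bot: `failed_when: false` on both service tasks hides every failure, including the case where a unit exists but refuses to stop, so a service you meant to turn off can stay running without the play noticing. Gather `ansible.builtin.service_facts` first and loop only over units that exist (`when: item ~ '.service' in ansible_facts.services`), then drop `failed_when: false` so real stop failures surface.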

13
tasks/dist_upgrade.yml Normal file

@ -0,0 +1,13 @@
---
- name: dist_upgrade | Dist upgrade, if requested
ansible.builtin.apt:
upgrade: dist
update_cache: true
cache_valid_time: 1800
autoclean: true
autoremove: true
when: dist_upgrade | bool
tags:
- packages
- upgrade
- dist_upgrade
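Review bot: a `dist` upgrade during bootstrap can install a new kernel or libc, and nothing here handles the reboot, so the host keeps running the old kernel until someone restarts it. Check for `/var/run/reboot-required` after the upgrade and either reboot (`ansible.builtin.reboot`) or at least fail/warn so the state is visible. The `when: dist_upgrade | bool` here duplicates the `when: dist_upgrade` already placed on the import in `deb_general.yml`; one of the two is enough.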


@ -0,0 +1,56 @@
---
- name: etchosts-customizations | Add entries to /etc/hosts
when: custom_etc_hosts_entries | length > 0
tags:
- etchosts
block:
- name: etchosts-customizations | Add custom entries to /etc/hosts
ansible.builtin.blockinfile:
path: /etc/hosts
marker_begin: ansible_etchosts_customizations_start
marker_end: ansible_etchosts_customizations_end
marker: "# {mark} hosts entries managed by ansible"
block: "{{ custom_etc_hosts_entries }}"
state: present
- name: etchosts-customizations | Remove entries from /etc/hosts
when: custom_etc_hosts_entries | length == 0
tags:
- etchosts
block:
- name: etchosts-customizations | Remove custom entries from /etc/hosts
ansible.builtin.blockinfile:
path: /etc/hosts
marker_begin: ansible_etchosts_customizations_start
marker_end: ansible_etchosts_customizations_end
marker: "# {mark} hosts entries managed by ansible"
block: "{{ custom_etc_hosts_entries }}"
state: absent
- name: etchosts-customizations | Additional custom entries to /etc/hosts
when: custom_etc_hosts_entries_adjunct | length > 0
tags:
- etchosts
block:
- name: etchosts-customizations | Additional custom entries to /etc/hosts
ansible.builtin.blockinfile:
path: /etc/hosts
marker_begin: ansible_etchosts_adjunct_start
marker_end: ansible_etchosts_adjunct_end
marker: "# {mark} additional hosts entries managed by ansible"
block: "{{ custom_etc_hosts_entries_adjunct }}"
state: present
- name: etchosts-customizations | Remove entries from /etc/hosts
when: custom_etc_hosts_entries_adjunct | length == 0
tags:
- etchosts
block:
- name: etchosts-customizations | Remove the additional custom entries from /etc/hosts
ansible.builtin.blockinfile:
path: /etc/hosts
marker_begin: ansible_etchosts_adjunct_start
marker_end: ansible_etchosts_adjunct_end
marker: "# {mark} additional hosts entries managed by ansible"
block: "{{ custom_etc_hosts_entries_adjunct }}"
state: absent


@ -0,0 +1,30 @@
---
- name: external_repos_el | Install the EPEL repository
ansible.builtin.dnf:
name: "{{ centos_epel_repo_url }}"
state: "{{ centos_pkg_state }}"
when: centos_install_epel
tags:
- centos
- rhel
- repo
- name: external_repos_el | Install the SCL release to access the latest versions of some software
ansible.builtin.dnf:
name: centos-release-scl
state: present
when: centos_install_release_scl
tags:
- centos
- scl
- repo
- name: external_repos_el | Install the elrepo repository
ansible.builtin.dnf:
name: "{{ rh_elrepo_repo_url }}"
state: present
when: rh_install_elrepo
tags:
- centos
- rhel
- repo
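Review bot: the EPEL and elrepo release RPMs are installed straight from a URL (`centos_epel_repo_url`, `rh_elrepo_repo_url`); for a package given as a URL or local file, dnf only verifies the signature when `localpkg_gpgcheck` is enabled, which it is not by default, so these tasks trust whatever the URL serves. Import the publisher's key first with `ansible.builtin.rpm_key` (e.g. `key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}`), make sure the URLs are https, and let the `-release` package configure its repos with `gpgcheck=1`. Also, `centos-release-scl` only exists for CentOS 7, whose repositories (SCL included) reached end of life in 2024, and the `dnf` module needs python3-dnf, which CentOS 7 does not ship by default; either drop that task or guard it on `ansible_distribution_major_version == '7'` with a yum-based module.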


@ -0,0 +1,19 @@
---
- name: grub_cmdline_parameters | Manage additional grub command line options
tags:
- grub
- kernel
block:
- name: grub_cmdline_parameters | Install the grub command line configuration
ansible.builtin.template:
src: grub_cmdline.cfg.j2
dest: /etc/default/grub.d/99-grub-ansible-cmdline.cfg
owner: root
group: root
mode: "0644"
when: configure_grub_cmdline_parameters
- name: grub_cmdline_parameters | Remove the custom grub command line configuration
ansible.builtin.file:
dest: /etc/default/grub.d/99-grub-ansible-cmdline.cfg
state: absent
when: not configure_grub_cmdline_parameters
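Review bot: the template is written to `/etc/default/grub.d/99-grub-ansible-cmdline.cfg` but nothing regenerates `grub.cfg`, so the parameters only take effect after some later package update happens to run `update-grub`; add a handler (`update-grub` on Debian/Ubuntu, `grub2-mkconfig -o` on EL) notified by both the template task and the removal task. Note also that `main.yml` imports this file for every distribution while the `grub.d` drop-in directory is a Debian/Ubuntu convention; on EL8+ with BLS boot entries the supported way to change kernel arguments is `grubby --update-kernel=ALL --args=...`, so either restrict this file to the Debian family or branch on `ansible_distribution_file_variety`.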

23
tasks/hostname.yml Normal file

@ -0,0 +1,23 @@
---
- name: hostname | Add entries to /etc/hosts
when: explicitly_set_hostname
tags: [systemsetup, hostname]
block:
- name: hostname | Set the hostname when different from the inventory one.
ansible.builtin.hostname:
name: "{{ hostname }}"
when: hostname is defined
- name: hostname | Set the hostname as defined in the inventory
ansible.builtin.hostname:
name: "{{ inventory_hostname }}"
when: hostname is not defined
- name: hostname | Add the hostname into the /etc/hosts file
ansible.builtin.blockinfile:
path: /etc/hosts
marker_begin: ansible_hostname_start
marker_end: ansible_hostname_end
marker: "# {mark} hostname entry managed by ansible"
block: "{{ ansible_default_ipv4.address }} {{ hostname }} {{ ansible_hostname }}"
state: present
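Review bot: the `blockinfile` task renders `{{ hostname }}` unconditionally, but the task right above it handles the case where `hostname` is not defined, so on such hosts the block fails with an undefined variable; use `{{ hostname | default(inventory_hostname) }}`. Two more points: `ansible_hostname` is the fact gathered before the hostname change, so the short-name alias written on the first run is the old one (re-gather facts or derive the alias from the new name with `split('.') | first`); and the block name `Add entries to /etc/hosts` describes only the last task, the block sets the hostname.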


@ -0,0 +1,25 @@
---
- name: http_client_proxy | Proxy in the global shell environment
block:
- name: http_client_proxy | Install the proxy environment files
ansible.builtin.template:
src: "{{ item }}.j2"
dest: /etc/profile.d/{{ item }}
owner: root
group: root
mode: "0444"
loop:
- 10-caching-proxy.sh
- 10-java-caching-proxy.sh
when: enable_env_proxy
- name: http_client_proxy | Remove the proxy environment file if not required
ansible.builtin.file:
dest: /etc/profile.d/{{ item }}
state: absent
loop:
- 10-caching-proxy.sh
- 10-java-caching-proxy.sh
when: not enable_env_proxy
tags: [systemsetup, proxyenv]

42
tasks/locale.yml Normal file

@ -0,0 +1,42 @@
---
- name: locale | Generate locales and set the default locale on Debian and Ubuntu distributions
block:
- name: locale | Add/remove a list of locales
community.general.locale_gen:
name: "{{ item.name }}"
state: "{{ item.state | default('present') }}"
loop: "{{ locales_list }}"
- name: locale | Set the default locale on Trusty
ansible.builtin.shell: update-locale LANG={{ default_locale_lang }}
when: ansible_distribution_release == "trusty"
changed_when: false
when: ansible_distribution_file_variety == "Debian"
tags: [systemsetup, locale]
- name: locale | Set the locale on distributions that run systemd
block:
- name: locale | Check if localectl exists
ansible.builtin.stat:
path: /usr/bin/localectl
register: localectl_executable
- name: locale | Set the default locale
ansible.builtin.command: localectl set-locale 'LANG={{ default_locale_lang }}' 'LC_MESSAGES={{ default_deb_locale_messages }}'
when:
- localectl_executable.stat.exists | bool
- ansible_distribution_file_variety == "Debian"
changed_when: false
- name: locale | Set the default locale
ansible.builtin.command: localectl set-locale "{{ item }}"
loop:
- LANG={{ default_locale_lang }}
- LC_MESSAGES={{ default_el_locale_messages }}
when:
- localectl_executable.stat.exists | bool
- ansible_distribution_file_variety == "RedHat"
changed_when: false
tags: [systemsetup, locale]
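Review bot: the two `localectl set-locale` tasks and the `update-locale` task run on every play with `changed_when: false`, so locale drift is never reported and check mode tells you nothing. Read the current value first (`localectl status`, or `/etc/default/locale` on Debian and `/etc/locale.conf` on EL) and run the set command only when it differs, or manage the locale file with `ansible.builtin.lineinfile` and report changes normally. `update-locale LANG=...` has no pipes or redirections, so it belongs in `ansible.builtin.command` rather than `shell`.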


@ -1,2 +1,69 @@
---
# tasks file for ansible-role-template
- name: HTTP client proxy
ansible.builtin.import_tasks: http_client_proxy.yml
- name: Python3 requirements for ansible
ansible.builtin.import_tasks: ansible-python3-pkgs.yml
- name: Set the hostname
ansible.builtin.import_tasks: hostname.yml
- name: Set the locale
ansible.builtin.import_tasks: locale.yml
- name: Set the timezone
ansible.builtin.import_tasks: timezone.yml
- name: Manage customizations to the /etc/hosts file
ansible.builtin.import_tasks: etchosts-customizations.yml
- name: Additional network interfaces
ansible.builtin.import_tasks: network-interfaces.yml
- name: Manage additional disk volumes
ansible.builtin.import_tasks: additional_disks.yml
when: additional_disks
- name: Manage a swap device
ansible.builtin.import_tasks: swap_device.yml
when: swap_device
#
# Distribution-specific setup
#
- name: External repositories for EL/RedHat
ansible.builtin.import_tasks: external_repos_el.yml
when: ansible_distribution_file_variety == "RedHat"
- name: Basic setup for EL/RedHat
ansible.builtin.import_tasks: basic_setup_el.yml
when: ansible_distribution_file_variety == "RedHat"
- name: General setup for Debian/Ubuntu
ansible.builtin.import_tasks: deb_general.yml
when: ansible_distribution_file_variety == "Debian"
#
# Common configuration
#
- name: Sysctl kernel parameters
ansible.builtin.import_tasks: sysctl.yml
- name: Grub command line parameters
ansible.builtin.import_tasks: grub_cmdline_parameters.yml
- name: Create a directory that will contain the local generated certificates
ansible.builtin.import_tasks: pki_dir.yml
- name: Self signed certificates waiting for the letsencrypt ones
ansible.builtin.import_tasks: self_signed_certificate.yml
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
- name: Manage the trusted CAs
ansible.builtin.import_tasks: trusted_ca.yml
- name: Certificate from private CA (mkcert)
ansible.builtin.import_tasks: certificate_from_private_ca.yml
when:
- (letsencrypt_acme_install is not defined) or (not letsencrypt_acme_install)
- mkcert_create_certificate


@ -0,0 +1,57 @@
---
- name: network-interfaces | Manage additional network interfaces, Ubuntu style
tags:
- network_interface
- networking
when:
- ansible_distribution == 'Ubuntu'
- ubuntu_configure_additional_interfaces
block:
- name: network-interfaces | Check if netplan is in use
ansible.builtin.stat:
path: /etc/netplan
register: netplan_in_use
- name: network-interfaces | Check if additional interfaces have been defined
ansible.builtin.set_fact:
# yamllint disable-line rule:line-length
net_ints: '{% for i in ansible_interfaces %}{% if i != ansible_lo.device and i != ansible_default_ipv4.interface %}"{{ i }}"{% if not loop.last %},{% endif
%}{% endif %}{% endfor %}'
when: netplan_in_use.stat.isdir
- name: network-interfaces | Create a dictionary of additional interfaces
ansible.builtin.set_fact:
# yamllint disable-line rule:line-length
new_ints: '[{% for i in ansible_interfaces %}{% if i != ansible_lo.device and i != ansible_default_ipv4.interface %}"{{ i }}"{% if not loop.last %},{% endif
%}{% endif %}{% endfor %}]'
when: net_ints is defined and net_ints | length != 0
- name: network-interfaces | Print the loopback interface name
ansible.builtin.debug:
msg: "Loopback interface: {{ ansible_lo.device }}"
- name: network-interfaces | Print the name of the default interface
ansible.builtin.debug:
msg: "Loopback interface: {{ ansible_default_ipv4.interface }}"
- name: network-interfaces | List of interfaces other than the default one
ansible.builtin.debug:
msg: "Interfaces list: {{ new_ints }}"
- name: network-interfaces | Override the interfaces list
ansible.builtin.set_fact:
new_ints: "{{ ubuntu_configure_additional_ints_list }}"
when: ubuntu_configure_additional_ints_list | length != 0
- name: network-interfaces | List of interfaces that we are going to configure
ansible.builtin.debug:
msg: "Interfaces list: {{ new_ints }}"
when: ubuntu_configure_additional_ints_list | length != 0
- name: network-interfaces | Install the network interface file
ansible.builtin.template:
src: netplan-70-ansible.yaml.j2
dest: /etc/netplan/70-ansible.yaml
owner: root
group: root
mode: "0644"
when: new_ints | length != 0
notify: Netplan Apply
- name: network-interfaces | Force the Netplan Apply command execution
ansible.builtin.meta: flush_handlers
tags:
- network_interface
- networking
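Review bot: `when: netplan_in_use.stat.isdir` on the `net_ints` task raises an undefined-attribute error when `/etc/netplan` does not exist, because `stat` only returns `isdir` for existing paths; use `when: netplan_in_use.stat.exists and netplan_in_use.stat.isdir`. The second `debug` task prints the default interface under the label `Loopback interface:`. More importantly, the auto-discovered list is every interface except loopback and the default one, so a host with an unused or out-of-band NIC gets DHCP enabled on it by this role with no operator input; since `ubuntu_configure_additional_ints_list` already exists to override the list, consider making the explicit list the only input, or at least require an opt-in variable before acting on the discovered list.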

40
tasks/packages_deb.yml Normal file

@ -0,0 +1,40 @@
---
- name: packages_deb | Install aptitude
ansible.builtin.apt:
pkg: aptitude
state: present
cache_valid_time: 1800
tags:
- packages
- name: packages_deb | Install software-properties-common if needed
ansible.builtin.apt:
pkg: software-properties-common
state: present
update_cache: true
cache_valid_time: 1800
when: ansible_distribution == "Ubuntu"
tags:
- packages
- name: packages_deb | Install common packages
ansible.builtin.apt:
pkg: "{{ common_packages }}"
state: "{{ pkg_state }}"
update_cache: true
cache_valid_time: 1800
tags:
- packages
- common_pkgs
- name: packages_deb | Install additional packages, if any
ansible.builtin.apt:
pkg: "{{ additional_packages | default([]) }}"
state: "{{ pkg_state }}"
update_cache: true
cache_valid_time: 1800
when: additional_packages is defined
tags:
- packages
- common_pkgs
- additional_packages

20
tasks/pki_dir.yml Normal file

@ -0,0 +1,20 @@
---
- name: pki_dir | Manage the PKI directory
tags: [pki, ssl, ca, letsencrypt, tls, tls_certificate]
block:
- name: pki_dir | Ensure that the PKI directory exists
ansible.builtin.file:
path: "{{ pki_dir }}"
state: directory
owner: root
group: root
mode: "0755"
- name: pki_dir | Ensure that the PKI subdirectories exist
ansible.builtin.file:
path: "{{ pki_dir }}/{{ item }}"
state: directory
owner: root
group: root
mode: "0755"
loop: "{{ pki_subdirs }}"
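Review bot: every PKI subdirectory is created world-readable (`mode: "0755"`); if `pki_subdirs` includes the directory that will hold private keys (the `selfsigned` path used by `self_signed_certificate.yml` lives under `pki_dir`), that directory should be 0750 or 0700 so key material stays protected even when a later task forgets to set a restrictive file mode. Make `pki_subdirs` a list of `{name, mode}` items, or special-case the private-key directory.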

20
tasks/pubkeys.yml Normal file

@ -0,0 +1,20 @@
---
- name: pubkeys | Add public ssh keys for root
ansible.posix.authorized_key:
user: root
key: "{{ item }}"
state: present
loop: "{{ root_ssh_keys | default([]) }}"
when: manage_root_ssh_keys
tags:
- root_pubkeys
- name: pubkeys | Remove obsolete keys from the authorized ones
ansible.posix.authorized_key:
user: root
key: "{{ item }}"
state: absent
loop: "{{ obsolete_root_ssh_keys | default([]) }}"
when: obsolete_root_ssh_keys is defined
tags:
- root_pubkeys
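Review bot: the `Remove obsolete keys` task is gated on `obsolete_root_ssh_keys is defined` but not on `manage_root_ssh_keys`, while the add task is (and that `when` is redundant with the import condition in `deb_general.yml`); gate both tasks on the same flag. Consider `exclusive: true` on the add task so `authorized_keys` contains exactly the managed keys, which makes the obsolete-keys list unnecessary; with `exclusive` the keys must be passed newline-joined in a single `key:` value rather than through a loop, because the option is applied per task invocation.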


@ -0,0 +1,56 @@
---
- name: remove_unneeded_pkgs | Remove unneeded base packages
ansible.builtin.apt:
pkg: "{{ base_packages_to_remove }}"
state: absent
when: cleanup_base_packages
tags:
- packages
- pkg_cleanup
- name: remove_unneeded_pkgs | Remove unneeded X packages
ansible.builtin.apt:
pkg: "{{ x_base_packages_to_remove }}"
state: absent
when: cleanup_x_base_packages
tags:
- packages
- pkg_cleanup
- name: remove_unneeded_pkgs | Remove the nfs packages
ansible.builtin.apt:
pkg: "{{ nfs_packages }}"
state: absent
when: cleanup_nfs_packages
tags:
- packages
- pkg_cleanup
- name: remove_unneeded_pkgs | Remove rpcbind packages
ansible.builtin.apt:
pkg: "{{ rpcbind_packages }}"
state: absent
when: cleanup_rpcbind_packages
tags:
- packages
- pkg_cleanup
- name: remove_unneeded_pkgs | Remove the exim packages
ansible.builtin.apt:
name: "{{ exim_email_server_pkgs }}"
state: absent
when: cleanup_exim_email_server
tags:
- packages
- pkg_cleanup
- exim
- name: remove_unneeded_pkgs | Remove LXD
ansible.builtin.apt:
name: "{{ ubuntu_lxd_pkgs }}"
state: absent
when: ubuntu_remove_lxd
tags:
- packages
- pkg_cleanup
- lxd


@ -0,0 +1,47 @@
---
- name: self_signed_certificate | Letsencrypt is going to manage the certificates. Check if a certificate already exists
tags: [pki, ssl, letsencrypt]
block:
- name: self_signed_certificate | Check if a certificate already exists. If so, skip all the related tasks
ansible.builtin.stat:
path: "{{ letsencrypt_acme_sh_certificates_install_path }}"
register: true_cert
- name: self_signed_certificate | Manage self signed certificates, if letsencrypt is going to be installed
when:
- true_cert is defined
- true_cert.stat is defined
- true_cert.stat.islnk is not defined
tags: [pki, ssl, letsencrypt]
block:
- name: self_signed_certificate | Create the path to the self signed certificates
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: root
group: root
mode: "0755"
loop:
- "{{ letsencrypt_acme_sh_certificates_install_base_path }}"
- "{{ pki_dir }}/selfsigned"
- name: self_signed_certificate | Generate the self signed certificate and private key
ansible.builtin.command: openssl req -x509 -newkey rsa:2048 -keyout {{ self_signed_key }} -out {{ self_signed_cert }} -days 365 -nodes -subj '{{ self_signed_subject
}}'
args:
creates: "{{ self_signed_cert }}"
- name: self_signed_certificate | Copy the cert file into fullchain
ansible.builtin.copy:
src: "{{ self_signed_cert }}"
dest: "{{ self_signed_fullchain }}"
remote_src: true
owner: root
group: root
mode: "0644"
- name: self_signed_certificate | Create the symbolic link for the certificates into the letsencrypt live directory
ansible.builtin.file:
src: "{{ pki_dir }}/selfsigned"
dest: "{{ letsencrypt_acme_sh_certificates_install_path }}"
state: link
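Review bot: the `openssl req` command writes the private key to `{{ self_signed_key }}` with whatever mode openssl and the umask produce, and no task sets ownership or permissions afterwards, while the directories it lives in are created `0755`; add an `ansible.builtin.file` task with `mode: "0600"` on `self_signed_key` (and consider 0750 on `{{ pki_dir }}/selfsigned`). The `creates:` guard only checks the certificate, so a missing or unreadable key next to an existing certificate is never repaired. Also, the skip condition `true_cert.stat.islnk is not defined` works only because `stat` omits `islnk` for non-existent paths; `not true_cert.stat.exists` states the intent directly.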

22
tasks/swap_device.yml Normal file

@ -0,0 +1,22 @@
---
- name: swap_device | Configure and enable a swap device
when: swap_device
tags:
- swap
- swap_device
block:
- name: swap_device | Initialize the swap device
ansible.builtin.shell: mkswap {{ swap_device_name }} && touch /root/.mkswap_executed
args:
creates: /root/.mkswap_executed
register: mkswap_command_execution
- name: swap_device | Enable the swap device
ansible.builtin.shell: swapon {{ swap_device_name }} && touch /root/.swapon_executed
args:
creates: /root/.swapon_executed
- name: swap_device | Add the swap device to the fstab file
ansible.builtin.lineinfile:
path: /etc/fstab
regexp: ^{{ swap_device_name }}
line: "{{ swap_device_name }} swap swap defaults 0 0"
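Review bot: `mkswap {{ swap_device_name }}` is a destructive command whose only guard is the marker file `/root/.mkswap_executed`: if `swap_device_name` is changed, or the device name moves between boots as it does on many cloud images, the marker does not protect whatever now sits on that device, and on a rebuilt host the marker is gone while the swap signature may already be present. Check the device before formatting (`blkid -o value -s TYPE {{ swap_device_name }}` and run `mkswap` only when the output is empty), or use a filesystem module that checks the existing signature, and reference the device in fstab by UUID. `register: mkswap_command_execution` is unused, and the `swapon` marker is redundant once the fstab entry exists (`swapon -a` after the `lineinfile` task activates it idempotently).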

54
tasks/sysctl.yml Normal file

@ -0,0 +1,54 @@
---
- name: sysctl | Ensure that /etc/sysctl.d exists
tags: [sysctl, kernel, sysctl_ipv6, ipv6]
block:
- name: sysctl | Ensure that the /etc/sysctl.d directory exists
ansible.builtin.file:
path: /etc/sysctl.d
state: directory
owner: root
group: root
mode: "0755"
- name: sysctl | Manage sysctl values
tags: [sysctl, kernel]
block:
- name: sysctl | Set the custom sysctl values
ansible.posix.sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
sysctl_file: "{{ item.sysctlfile | default ('/etc/sysctl.d/90-custom-values.conf') }}"
reload: "{{ item.sysctl_reload | default(true) }}"
state: "{{ item.sysctlfile_state | default('present') }}"
loop: "{{ sysctl_custom_options }}"
- name: sysctl | Manage IPv6
tags: [sysctl, kernel, sysctl_ipv6, ipv6]
block:
- name: sysctl | Disable the in kernel ipv6 support
ansible.posix.sysctl:
name: "{{ item }}"
value: 1
sysctl_file: "{{ ipv6_sysctl_file }}"
reload: true
state: present
loop:
- net.ipv6.conf.all.disable_ipv6
- net.ipv6.conf.default.disable_ipv6
- net.ipv6.conf.lo.disable_ipv6
- net.ipv6.conf.{{ ansible_default_ipv4.interface }}.disable_ipv6
when: disable_ipv6
- name: sysctl | Enable the in kernel ipv6 support
ansible.posix.sysctl:
name: "{{ item }}"
value: 0
sysctl_file: "{{ ipv6_sysctl_file }}"
reload: true
state: present
loop:
- net.ipv6.conf.all.disable_ipv6
- net.ipv6.conf.default.disable_ipv6
- net.ipv6.conf.lo.disable_ipv6
- net.ipv6.conf.{{ ansible_default_ipv4.interface }}.disable_ipv6
when: not disable_ipv6
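Review bot: both IPv6 loops include `net.ipv6.conf.{{ ansible_default_ipv4.interface }}.disable_ipv6`, which fails with an undefined variable on a host without an IPv4 default route and only covers one interface anyway; `all` and `default` already cover every present and future interface, so the per-interface key can be dropped. Disabling IPv6 on `lo` as well breaks anything that listens on or resolves to `::1`, so consider leaving `lo` out of the disable list. In the custom-values task, `state` is fed from `item.sysctlfile_state`, but `state` on `ansible.posix.sysctl` means whether the key is present in the file, not a file-level setting; `item.state` would be less confusing.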

28
tasks/timezone.yml Normal file

@ -0,0 +1,28 @@
---
- name: timezone | Manage the timezone in Ubuntu Trusty and older
block:
- name: timezone | Write the timezone file
ansible.builtin.template:
src: etc-timezone.j2
dest: /etc/timezone
owner: root
group: root
mode: "0644"
register: set_timezone
- name: timezone | Reconfigure the system tzdata
ansible.builtin.command: dpkg-reconfigure --frontend noninteractive tzdata
when: set_timezone is changed # noqa: no-handler
changed_when: false
when: ansible_distribution_release == "trusty"
tags: [systemsetup, timezone]
- name: timezone | Manage the timezone in Ubuntu Bionic or CentOS
block:
- name: timezone | Set the timezone
ansible.builtin.command: timedatectl set-timezone {{ timezone }}
changed_when: false
when: ansible_facts['distribution_version'] is version_compare('16.04', '>=') or ansible_distribution_file_variety == "RedHat"
tags: [systemsetup, timezone]
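Review bot: the second block's condition `ansible_facts['distribution_version'] is version_compare('16.04', '>=') or ansible_distribution_file_variety == "RedHat"` is an Ubuntu version test applied to every Debian-family host: Debian reports versions such as `12`, which compares lower than `16.04`, so the timezone is never set on Debian. Replace both blocks with `community.general.timezone` (`name: "{{ timezone }}"`), which is idempotent, reports changes and handles systemd and non-systemd hosts; if the `timedatectl` command stays, drop `changed_when: false` and compare against the current value (`timedatectl show -p Timezone --value` on recent systemd) so drift is visible. The block name `Ubuntu Bionic or CentOS` also no longer matches the `16.04` threshold.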

136
tasks/trusted_ca.yml Normal file

@ -0,0 +1,136 @@
---
- name: trusted_ca | Manage optional CA files on EL
tags: [pki, trusted_ca, letsencrypt_ca]
block:
- name: trusted_ca | Get the CA files that we want to trust on EL
ansible.builtin.get_url:
url: "{{ item.ca_url }}"
dest: /etc/pki/ca-trust/source/anchors/{{ item.ca }}
owner: root
group: root
mode: "0444"
loop: "{{ trusted_ca_additional_ca_files }}"
register: ca_files_installation
- name: trusted_ca | Trust the CA files on EL
ansible.builtin.command: /bin/update-ca-trust extract
when: ca_files_installation is changed # noqa: no-handler
changed_when: false
when: ansible_distribution_file_variety == "RedHat"
- name: trusted_ca | Manage the Letsencrypt CA files on EL
when:
- trusted_ca_letsencrypt_install
- ansible_distribution_file_variety == "RedHat"
tags: [pki, trusted_ca, letsencrypt_ca]
block:
- name: trusted_ca | Download the letsencrypt CA files on EL
ansible.builtin.get_url:
url: "{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}"
dest: /etc/pki/ca-trust/source/anchors/{{ item.ca }}
owner: root
group: root
mode: "0444"
loop: "{{ trusted_ca_letsencrypt_ca_files }}"
register: letsencrypt_ca_files_installation
- name: trusted_ca | Rebuild the trust CA files on EL
ansible.builtin.command: /bin/update-ca-trust extract
when: letsencrypt_ca_files_installation is changed # noqa: no-handler
changed_when: false
- name: trusted_ca | Ensure that the expired CA files are not present
ansible.builtin.file:
dest: /etc/pki/ca-trust/source/anchors/{{ item }}
state: absent
loop: "{{ expired_ca_letsencrypt_ca_files }}"
register: letsencrypt_ca_files_removal
- name: trusted_ca | Rebuild the trust CA files on EL
ansible.builtin.command: /bin/update-ca-trust extract
when: letsencrypt_ca_files_removal is changed # noqa: no-handler
changed_when: false
- name: trusted_ca | Manage optional CA files on deb
when: ansible_distribution_file_variety == "Debian"
tags: [pki, trusted_ca, letsencrypt_ca]
block:
- name: trusted_ca | Ensure that ca-certificates is installed and up to date
ansible.builtin.apt:
pkg: ca-certificates
state: present
cache_valid_time: 1800
- name: trusted_ca | Get the CA files that we want to trust on deb
ansible.builtin.get_url:
url: "{{ item.ca_url }}"
dest: "{{ trusted_ca_deb_path }}/{{ item.ca }}"
owner: root
group: root
mode: "0444"
loop: "{{ trusted_ca_additional_ca_files }}"
register: ca_files_installation
- name: trusted_ca | Trust the CA files on deb
ansible.builtin.command: /usr/sbin/update-ca-certificates
when: ca_files_installation is changed # noqa: no-handler
changed_when: false
- name: trusted_ca | Distrust the DST Root CA X3 in Ubuntu Trusty
when:
- ansible_distribution_file_variety == "Debian"
- ansible_distribution_version is version_compare('14.04', '==')
tags: [pki, obsolete_ca]
block:
- name: trusted_ca | Comment the mozilla/DST_Root_CA_X3.crt entry
ansible.builtin.lineinfile:
path: /etc/ca-certificates.conf
regexp: ^mozilla/DST_Root_CA_X3.crt
line: "!mozilla/DST_Root_CA_X3.crt"
register: dst_x3_distrust
- name: trusted_ca | Trust the CA files on deb
ansible.builtin.command: /usr/sbin/update-ca-certificates
when: dst_x3_distrust is changed # noqa: no-handler
changed_when: false
- name: trusted_ca | Manage the Letsencrypt CA files on deb
when:
- trusted_ca_letsencrypt_install
- ansible_distribution_file_variety == "Debian"
tags: [pki, trusted_ca, letsencrypt_ca]
block:
- name: trusted_ca | Download the letsencrypt CA files on deb
ansible.builtin.get_url:
url: "{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}"
dest: "{{ trusted_ca_deb_path }}/{{ item.ca }}"
owner: root
group: root
mode: "0444"
loop: "{{ trusted_ca_letsencrypt_ca_files }}"
register: letsencrypt_ca_files_installation
- name: trusted_ca | Trust the CA files on deb
ansible.builtin.command: /usr/sbin/update-ca-certificates
when: letsencrypt_ca_files_installation is changed # noqa: no-handler
changed_when: false
- name: trusted_ca | Ensure that the expired CA files are not present
ansible.builtin.file:
dest: /etc/ssl/certs/{{ item }}
state: absent
loop: "{{ expired_ca_letsencrypt_ca_files }}"
register: letsencrypt_ca_files_removal
- name: trusted_ca | Ensure that the expired CA files are not present
ansible.builtin.file:
dest: "{{ trusted_ca_deb_path }}/{{ item }}"
state: absent
loop: "{{ expired_ca_letsencrypt_ca_files }}"
register: letsencrypt_ca_files_removal
- name: trusted_ca | Trust the CA files on deb
ansible.builtin.command: /usr/sbin/update-ca-certificates
when: letsencrypt_ca_files_removal is changed # noqa: no-handler
changed_when: false
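Review bot: every CA certificate added to the system trust store is downloaded with `get_url` and no `checksum:`; a file dropped into `/etc/pki/ca-trust/source/anchors` or `trusted_ca_deb_path` becomes a trust anchor for the whole host, so pin each download with `checksum: sha256:<digest>` (store the digest next to `ca_url`/`ca_src` in `trusted_ca_additional_ca_files` and `trusted_ca_letsencrypt_ca_files`) and reject non-https URLs. Second, in the deb Letsencrypt block the two `Ensure that the expired CA files are not present` tasks both `register: letsencrypt_ca_files_removal`, so the second overwrites the first and `update-ca-certificates` is skipped when only the `/etc/ssl/certs` entry changed; removing the source file from `trusted_ca_deb_path` and rerunning `update-ca-certificates` is enough, since that command maintains the `/etc/ssl/certs` links itself. Finally, the loops over `trusted_ca_additional_ca_files` have no `default([])`, so a host without extra CAs fails on an undefined variable.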


@ -0,0 +1,21 @@
---
- name: unattended_upgrades | Install the unattended-upgrades package
ansible.builtin.apt:
pkg: unattended-upgrades
state: present
tags:
- packages
- upgrades
- unattended
- name: unattended_upgrades | Install the unattended-upgrades configuration
ansible.builtin.template:
src: 50unattended-upgrades.j2
dest: /etc/apt/apt.conf.d/50unattended-upgrades
owner: root
group: root
mode: "0444"
tags:
- packages
- upgrades
- unattended
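Review bot: the package is installed and `50unattended-upgrades` is templated, but nothing ensures the periodic trigger is on (`APT::Periodic::Update-Package-Lists "1";` and `APT::Periodic::Unattended-Upgrade "1";` in `/etc/apt/apt.conf.d/20auto-upgrades`), so on an image where that file was disabled the security updates silently never run; manage `20auto-upgrades` here as well, or at least verify it with a task.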

4
templates/02proxy.j2 Normal file

@ -0,0 +1,4 @@
# {{ ansible_managed }}
{% if use_apt_proxy %}
Acquire::http { Proxy "{{ apt_proxy_url }}"; };
{% endif %}
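Review bot: only `Acquire::http::Proxy` is set, so repositories served over https (common for third-party repos) bypass the cache; add `Acquire::https::Proxy "{{ apt_proxy_url }}";` if the proxy handles https, or an explicit `Acquire::https::Proxy "DIRECT";` so the behaviour is documented rather than implicit.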


@ -0,0 +1,5 @@
{% for proto in env_proxy_protocols %}
export {{ proto }}="{{ env_proxy_http_url }}"
{% endfor %}
export no_proxy="{% for target in no_proxy_targets %}{{ target }}{% if not loop.last %},{% endif %}{% endfor %}"
export NO_PROXY="{% for target in no_proxy_targets %}{{ target }}{% if not loop.last %},{% endif %}{% endfor %}"
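Review bot: this file is installed `0444` under `/etc/profile.d`, so if `env_proxy_http_url` ever carries credentials (`http://user:pass@proxy:3128`) they are readable by every local account; keep credentials out of this URL or authenticate the proxy by source address. Make sure `no_proxy_targets` includes `localhost`, `127.0.0.1`, the host's own names and any internal or cloud-metadata addresses, otherwise local services and metadata lookups are routed through the proxy. The loop exports only the names listed in `env_proxy_protocols`; if those are lowercase only, add the uppercase variants for tools that read `HTTP_PROXY`/`HTTPS_PROXY`.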


@ -0,0 +1 @@
export JAVA_OPTS="-DproxySet=true -Dhttp.proxyHost={{ env_proxy_http_host }} -Dhttp.proxyPort={{ env_proxy_http_port }} -Dhttps.proxyHost={{ env_proxy_http_host }} -Dhttps.proxyPort={{ env_proxy_http_port }}"
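Review bot: `-DproxySet=true` is not one of the documented `java.net` proxy properties and can be dropped; what is missing is `http.nonProxyHosts`, so JVMs get no equivalent of the shell `no_proxy` and send local traffic through the proxy too. Add `-Dhttp.nonProxyHosts="{% for t in no_proxy_targets %}{{ t }}{% if not loop.last %}|{% endif %}{% endfor %}"` (pipe-separated, `*` wildcards allowed; it applies to https as well). Note also that `JAVA_OPTS` is only honoured by launchers that read it (Tomcat and similar wrappers), not by the `java` binary itself; `JAVA_TOOL_OPTIONS` is picked up by every JVM.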


@ -0,0 +1,61 @@
// {{ ansible_managed }}
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
{%for allowed in unatt_allowed_origins %}
"{{ allowed }}";
{%endfor %}
};
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
{% if unatt_blacklisted is defined %}
{%for pkg in unatt_blacklisted %}
"{{ pkg }}";
{%endfor %}
{% endif %}
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
Unattended-Upgrade::AutoFixInterruptedDpkg "{{ unatt_autofix }}";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
Unattended-Upgrade::MinimalSteps "{{ unatt_minimalsteps }}";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
Unattended-Upgrade::InstallOnShutdown "{{ unatt_install_on_shutdown }}";
{% if unatt_email is defined %}
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "{{ unatt_email }}";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
Unattended-Upgrade::MailOnlyOnError "{{ unatt_email_on_error }}";
{% endif %}
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "{{ unatt_autoremove }}";
// Automatically reboot *WITHOUT CONFIRMATION*
// if the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "{{ unatt_autoreboot }}";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "{{ unatt_autoreboot_time }}";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";


@ -0,0 +1 @@
{{ timezone }}


@ -0,0 +1 @@
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ grub_cmdline_additional_parameters }}"
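Review bot: appending to `GRUB_CMDLINE_LINUX_DEFAULT` only affects the normal boot entries, not the recovery ones; if the parameters are hardening flags that must always be in force (for example `init_on_alloc=1` or `lockdown=`), use `GRUB_CMDLINE_LINUX`, which is applied to every entry. The value is also interpolated unquoted into a double-quoted string, so a parameter containing `"` or `$` breaks the file; document that restriction or escape the value.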


@ -0,0 +1,14 @@
network:
version: 2
ethernets:
{% for int in new_ints %}
{{ int }}:
dhcp4: true
{% if ubuntu_configure_additional_int_dhcp_overrides | default(true) %}
dhcp4-overrides:
use-dns: false
use-routes: false
use-mtu: true
{% endif %}
{% endfor %}
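Review bot: each extra interface is configured with `dhcp4: true` but without `optional: true`, so `systemd-networkd-wait-online` holds the boot until every one of them obtains a lease, and an unplugged or DHCP-less NIC delays boot by the wait-online timeout; add `optional: true` for interfaces not required at boot. The `use-dns: false` / `use-routes: false` overrides are the right choice for secondary interfaces; if IPv6 is disabled via sysctl elsewhere in the role, also set `accept-ra: false` here so the interface does not pick up router advertisements before the sysctl applies.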


@ -1,5 +1,12 @@
---
- hosts: localhost
- name: Test os-bootstrap role
hosts: localhost
remote_user: root
become: true
vars:
cleanup_base_packages: false
cleanup_exim_email_server: false
ubuntu_remove_lxd: false
disable_some_not_needed_services: false
roles:
- ansible-role-template
- adellam.os_bootstrap