From 76eab10a4f30ec77d7a3e4fdf0dbef7d4cfa4fe3 Mon Sep 17 00:00:00 2001 
From: Andrea Dell'Amico Date: Mon, 23 Feb 2026 10:47:58 +0100 Subject: [PATCH] First commit. Some tasks from basic-system-setup have been moved here. --- .ansible-lint | 9 + README.md | 417 +++++++++++++++++- defaults/main.yml | 306 ++++++++++++- files/letsencrypt_ca_files/isrg-root-x2.pem | 14 + files/letsencrypt_ca_files/isrgrootx1.pem | 31 ++ .../letsencrypt_ca_files/lets-encrypt-e1.pem | 17 + .../letsencrypt_ca_files/lets-encrypt-e2.pem | 17 + .../letsencrypt_ca_files/lets-encrypt-r3.pem | 30 ++ .../letsencrypt_ca_files/lets-encrypt-r4.pem | 30 ++ files/qemu_ag_provisioning-sepol.te | 17 + files/systemd-enable.te | 12 + handlers/main.yml | 5 +- meta/main.yml | 76 ++-- tasks/additional_disks.yml | 45 ++ tasks/ansible-python3-pkgs.yml | 20 + tasks/apt_proxy.yml | 13 + tasks/basic_setup_el.yml | 251 +++++++++++ tasks/certificate_from_private_ca.yml | 76 ++++ tasks/deb_general.yml | 23 + tasks/disable_services.yml | 27 ++ tasks/dist_upgrade.yml | 13 + tasks/etchosts-customizations.yml | 56 +++ tasks/external_repos_el.yml | 30 ++ tasks/grub_cmdline_parameters.yml | 19 + tasks/hostname.yml | 23 + tasks/http_client_proxy.yml | 25 ++ tasks/locale.yml | 42 ++ tasks/main.yml | 69 ++- tasks/network-interfaces.yml | 57 +++ tasks/packages_deb.yml | 40 ++ tasks/pki_dir.yml | 20 + tasks/pubkeys.yml | 20 + tasks/remove_unneeded_pkgs.yml | 56 +++ tasks/self_signed_certificate.yml | 47 ++ tasks/swap_device.yml | 22 + tasks/sysctl.yml | 54 +++ tasks/timezone.yml | 28 ++ tasks/trusted_ca.yml | 136 ++++++ tasks/unattended_upgrades.yml | 21 + templates/02proxy.j2 | 4 + templates/10-caching-proxy.sh.j2 | 5 + templates/10-java-caching-proxy.sh.j2 | 1 + templates/50unattended-upgrades.j2 | 61 +++ templates/etc-timezone.j2 | 1 + templates/grub_cmdline.cfg.j2 | 1 + templates/netplan-70-ansible.yaml.j2 | 14 + tests/test.yml | 11 +- 47 files changed, 2233 insertions(+), 79 deletions(-) create mode 100644 .ansible-lint create mode 100644 files/letsencrypt_ca_files/isrg-root-x2.pem create 
mode 100644 files/letsencrypt_ca_files/isrgrootx1.pem create mode 100644 files/letsencrypt_ca_files/lets-encrypt-e1.pem create mode 100644 files/letsencrypt_ca_files/lets-encrypt-e2.pem create mode 100644 files/letsencrypt_ca_files/lets-encrypt-r3.pem create mode 100644 files/letsencrypt_ca_files/lets-encrypt-r4.pem create mode 100644 files/qemu_ag_provisioning-sepol.te create mode 100644 files/systemd-enable.te create mode 100644 tasks/additional_disks.yml create mode 100644 tasks/ansible-python3-pkgs.yml create mode 100644 tasks/apt_proxy.yml create mode 100644 tasks/basic_setup_el.yml create mode 100644 tasks/certificate_from_private_ca.yml create mode 100644 tasks/deb_general.yml create mode 100644 tasks/disable_services.yml create mode 100644 tasks/dist_upgrade.yml create mode 100644 tasks/etchosts-customizations.yml create mode 100644 tasks/external_repos_el.yml create mode 100644 tasks/grub_cmdline_parameters.yml create mode 100644 tasks/hostname.yml create mode 100644 tasks/http_client_proxy.yml create mode 100644 tasks/locale.yml create mode 100644 tasks/network-interfaces.yml create mode 100644 tasks/packages_deb.yml create mode 100644 tasks/pki_dir.yml create mode 100644 tasks/pubkeys.yml create mode 100644 tasks/remove_unneeded_pkgs.yml create mode 100644 tasks/self_signed_certificate.yml create mode 100644 tasks/swap_device.yml create mode 100644 tasks/sysctl.yml create mode 100644 tasks/timezone.yml create mode 100644 tasks/trusted_ca.yml create mode 100644 tasks/unattended_upgrades.yml create mode 100644 templates/02proxy.j2 create mode 100644 templates/10-caching-proxy.sh.j2 create mode 100644 templates/10-java-caching-proxy.sh.j2 create mode 100644 templates/50unattended-upgrades.j2 create mode 100644 templates/etc-timezone.j2 create mode 100644 templates/grub_cmdline.cfg.j2 create mode 100644 templates/netplan-70-ansible.yaml.j2 diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000..2da727a --- /dev/null +++ b/.ansible-lint 
@@ -0,0 +1,9 @@
+---
+enable_list:
+ - name[prefix]
+skip_list:
+ - key-order
+warn_list:
+ - experimental
+ - no-changed-when
+ - no-free-form
diff --git a/README.md b/README.md
index 3637db8..b75d553 100644
--- a/README.md
+++ b/README.md
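Review bot: `no-changed-when` sits in `warn_list`, so `command`/`shell` tasks that lack a `changed_when` will only warn and the role's change reporting is no longer enforced by lint; since this role is meant to run as the first dependency of every other role, it is worth keeping that rule enforced and adding explicit `changed_when` to the handful of shell tasks instead. `no-free-form` in `warn_list` is the same trade-off. This is a question of how strict the project wants lint to be rather than a defect in the file.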
@@ -1,38 +1,409 @@ -Role Name -========= +# os-bootstrap -A brief description of the role goes here. +An Ansible role that performs early-stage OS bootstrapping for Linux servers. It runs before any role dependencies (rsyslog, firewall, NTP, etc.) and establishes the baseline system state: locale, timezone, hostname, package prerequisites, network configuration, disk management, sysctl tuning, and PKI infrastructure. -Requirements ------------- +This role is designed to be the **first dependency** of higher-level roles such as [basic-system-setup](https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-basic-system-setup). -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +## Requirements -Role Variables --------------- +- Ansible >= 2.9 +- Python 3 on target hosts (this role installs additional Python packages needed by subsequent Ansible tasks) -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +### Ansible Collections Required -Dependencies ------------- +```bash +ansible-galaxy collection install ansible.posix +ansible-galaxy collection install community.general +``` -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 
+## Supported Platforms -Example Playbook ----------------- +- Ubuntu 20.04 (Focal), 22.04 (Jammy), 24.04 (Noble) +- Debian 11 (Bullseye), 12 (Bookworm) +- RHEL / CentOS Stream / Rocky Linux / AlmaLinux 8, 9, 10 -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: +## Task Descriptions - - hosts: servers - roles: - - { role: username.rolename, x: 42 } +Tasks run in the following order: -License -------- +| Task File | Description | Condition | +| --------- | ----------- | --------- | +| `http_client_proxy.yml` | Configures system-wide HTTP/HTTPS proxy environment variables | `enable_env_proxy` | +| `ansible-python3-pkgs.yml` | Installs Python 3 packages required by Ansible modules | always | +| `hostname.yml` | Sets the system hostname from inventory | `explicitly_set_hostname` | +| `locale.yml` | Generates and configures system locales | always | +| `timezone.yml` | Sets the system timezone | always | +| `etchosts-customizations.yml` | Adds custom entries to `/etc/hosts` | always | +| `network-interfaces.yml` | Configures additional network interfaces via Netplan (Ubuntu) | `ubuntu_configure_additional_interfaces` | +| `additional_disks.yml` | Partitions, formats, and mounts additional disks | `additional_disks` | +| `swap_device.yml` | Configures a swap device | `swap_device` | +| `external_repos_el.yml` | Installs EPEL and optional elrepo repositories | RedHat family only | +| `basic_setup_el.yml` | EL/RedHat package install, SELinux configuration, service management | RedHat family only | +| `deb_general.yml` | Debian/Ubuntu package install, apt proxy, unattended upgrades, service cleanup | Debian family only | +| `sysctl.yml` | Writes custom kernel parameters to `/etc/sysctl.d/` | always | +| `grub_cmdline_parameters.yml` | Appends parameters to `GRUB_CMDLINE_LINUX` | `configure_grub_cmdline_parameters` | +| `pki_dir.yml` | Creates the PKI directory hierarchy | always | +| 
`self_signed_certificate.yml` | Generates a self-signed certificate with mkcert | `letsencrypt_acme_install` is defined and true | +| `trusted_ca.yml` | Installs Let's Encrypt and custom CA certificates into the system trust store | always | +| `certificate_from_private_ca.yml` | Requests a certificate from a private CA (mkcert) | `mkcert_create_certificate` and no Let's Encrypt | + +### Sub-tasks for `deb_general.yml` + +| Task File | Description | Condition | +| --------- | ----------- | --------- | +| `apt_proxy.yml` | Configures APT proxy in `/etc/apt/apt.conf.d/02proxy` | `use_apt_proxy` | +| `dist_upgrade.yml` | Performs a full distribution upgrade | `dist_upgrade` | +| `packages_deb.yml` | Installs common and additional packages | always | +| `remove_unneeded_pkgs.yml` | Removes unwanted packages (exim, snapd, lxd, etc.) | always | +| `pubkeys.yml` | Manages root SSH authorized keys | `manage_root_ssh_keys` | +| `unattended_upgrades.yml` | Configures `unattended-upgrades` for automatic security updates | always | +| `disable_services.yml` | Disables unwanted services | `disable_some_not_needed_services` | + +## Role Variables + +### Timezone and Locale + +```yaml +timezone: Europe/Rome + +default_locale_lang: en_US.UTF-8 +default_deb_locale_messages: C.UTF-8 +default_el_locale_messages: en_US.UTF-8 + +locales_list: + - { name: "{{ default_locale_lang }}" } + - { name: en_US.UTF-8 } + - { name: en_US } + - { name: it_IT.UTF-8 } + - { name: it_IT } +``` + +### Hostname and /etc/hosts + +```yaml +explicitly_set_hostname: true +domain_name: "{{ ansible_domain }}" + +# Inline block of hosts entries, e.g.: +# "192.168.1.10 host1.example.com host1" +custom_etc_hosts_entries: "" +custom_etc_hosts_entries_adjunct: "" +``` + +### Network Interfaces (Ubuntu / Netplan) + +```yaml +ubuntu_configure_additional_interfaces: false +ubuntu_configure_additional_int_dhcp_overrides: true +ubuntu_configure_additional_ints_list: [] +# Example: +# 
ubuntu_configure_additional_ints_list: +# - name: eth1 +# dhcp4: true + +disable_ipv6: false +ipv6_sysctl_value: 1 +ipv6_sysctl_file: /etc/sysctl.d/10-ipv6-disable.conf +``` + +### Sysctl + +```yaml +sysctl_custom_file: /etc/sysctl.d/90-custom-values.conf +sysctl_opts_reload: true +sysctl_custom_file_state: present + +# Only name and value are mandatory +sysctl_custom_options: [] +# - name: 'net.nf_conntrack_max' +# value: '32768' +# sysctlfile: '{{ sysctl_custom_file }}' +# sysctl_reload: '{{ sysctl_opts_reload }}' +# sysctlfile_state: '{{ sysctl_custom_file_state }}' +``` + +### GRUB + +```yaml +configure_grub_cmdline_parameters: false +grub_cmdline_additional_parameters: "" +# Example: "intel_iommu=on quiet" +``` + +### Additional Disks + +```yaml +additional_disks: false +disks_and_mountpoints_list: [] +# - mountpoint: '/data' +# device: 'xvda3' +# fstype: 'xfs' +# opts: 'noatime' +# state: 'mounted' +# create_filesystem: true +``` + +### Swap Device + +```yaml +swap_device: false +swap_device_name: /dev/vdxxxxx +``` + +### HTTP Client Proxy + +```yaml +enable_env_proxy: false +env_proxy_http_host: localhost +env_proxy_http_port: "3128" +env_proxy_http_protocol: http +env_proxy_https_protocol: "{{ env_proxy_http_protocol }}" +env_proxy_http_url: "{{ env_proxy_http_protocol }}://{{ env_proxy_http_host }}:{{ env_proxy_http_port }}" +env_proxy_https_url: "{{ env_proxy_http_url }}" +env_proxy_use_authentication: false +env_proxy_username: "" +env_proxy_password: "" +no_proxy_targets: + - ::1 + - 127.0.0.1 + - localhost +``` + +### Python 3 Packages for Ansible + +```yaml +ansible_python3_debs: + - python3-lxml + +ansible_python3_el: + - python3-lxml +``` + +### PKI Directory and Certificates + +```yaml +pki_dir: /etc/pki +pki_subdirs: + - certs + - keys + +pki_install_a_custom_ca: false + +# Self-signed certificate paths (used when letsencrypt is not available) +self_signed_cert: "{{ pki_dir }}/selfsigned/cert" +self_signed_fullchain: "{{ pki_dir 
}}/selfsigned/fullchain" +self_signed_key: "{{ pki_dir }}/selfsigned/privkey" +self_signed_subject: /CN={{ ansible_fqdn }} self signed + +# Certificate from private CA (mkcert) +mkcert_create_certificate: false +mkcert_cert_name: "{{ ansible_fqdn }}.pem" +mkcert_cert_dest_path: "{{ pki_dir }}/certs" +mkcert_key_name: "{{ ansible_fqdn }}-key.pem" +mkcert_key_dest_path: "{{ pki_dir }}/keys" +mkcert_dsn_and_ip_list: "{{ ansible_fqdn }} {% for ip in ansible_all_ipv4_addresses %}{{ ip }} {% endfor %}" +mkcert_ca_host: localhost +``` + +### Trusted CA Certificates + +```yaml +trusted_ca_el_anchors_path: /etc/pki/ca-trust/source/anchors +trusted_ca_deb_path: /usr/local/share/ca-certificates + +# Let's Encrypt intermediate CAs (normally already trusted by the OS) +trusted_ca_letsencrypt_install: false +trusted_ca_letsencrypt_ca_certificates_url: https://letsencrypt.org/certs + +# Additional custom CAs to install +trusted_ca_additional_ca_files: [] +# - { ca_url: 'https://example.com/foo-ca.pem', ca: 'foo-ca.pem', name: 'foo-ca' } +``` + +### EL/RedHat — External Repositories + +```yaml +centos_install_epel: true +centos_epel_repo_url: epel-release +centos_install_release_scl: false + +rh_install_elrepo: false +``` + +### EL/RedHat — Basic Setup + +```yaml +centos_pkg_state: latest +centos_packages_cleanup: true + +# SELinux +selinux_policy_type: targeted +selinux_policy_state: enforcing +centos_selinux_daemons_dump_core: false + +# Services +centos_disable_avahi: true +centos_remove_avahi: false +centos_disable_networkmanager: false +centos_remove_networkmanager: false +centos_services_to_be_disabled: + - acpid + +# DNS (optional, for static resolver configuration) +centos_set_dns_servers: false +dns1: 208.67.220.220 +dns2: 208.67.222.222 + +# Root SSH keys +manage_root_ssh_keys: true +``` + +### Debian/Ubuntu — Package Management + +```yaml +use_apt_proxy: false +apt_proxy_url: http://localhost:3128 + +dist_upgrade: false + +pkg_state: present +common_packages: + - acl + 
- curl + - wget + - htop + - vim-tiny + - psmisc + - tcpdump + - lsof + - strace + - rsync + - unzip + - tree + - bash-completion + - sudo + - less + # ... see defaults/main.yml for the full list + +# Additional packages (define in your playbook or group_vars) +# additional_packages: +# - pkg1 +# - pkg2 +``` + +### Debian/Ubuntu — Package Cleanup + +```yaml +cleanup_base_packages: true +base_packages_to_remove: + - ppp + - at + - snapd + +cleanup_exim_email_server: true +disable_apport_service: true +ubuntu_remove_lxd: true +``` + +### Debian/Ubuntu — Unattended Upgrades + +```yaml +unatt_allowed_origins: + - ${distro_id}:${distro_codename}-security +unatt_autofix: "true" +unatt_minimalsteps: "false" +unatt_install_on_shutdown: "false" +unatt_email_on_error: "false" +unatt_autoremove: "true" +unatt_autoreboot: "false" +unatt_autoreboot_time: now +``` + +### Debian/Ubuntu — Service Management + +```yaml +disable_some_not_needed_services: false +services_to_be_disabled: + - rpcbind + - atd + - acpid +``` + +## Dependencies + +None. This role is intentionally dependency-free so it can run before any other role. + +## Example Playbook + +Normally you do not invoke `os-bootstrap` directly — it is pulled in automatically as a dependency. 
If you need to run it standalone: + +```yaml +--- +- hosts: servers + become: true + roles: + - role: adellam.os_bootstrap + vars: + timezone: Europe/Rome + explicitly_set_hostname: true + disable_ipv6: false + sysctl_custom_options: + - name: net.nf_conntrack_max + value: "65536" +``` + +### With proxy and extra disk + +```yaml +--- +- hosts: servers + become: true + roles: + - role: adellam.os_bootstrap + vars: + enable_env_proxy: true + env_proxy_http_host: proxy.example.com + env_proxy_http_port: "3128" + additional_disks: true + disks_and_mountpoints_list: + - mountpoint: /data + device: sdb1 + fstype: xfs + opts: noatime + state: mounted + create_filesystem: true +``` + +### EL with custom SELinux and EPEL + +```yaml +--- +- hosts: el_servers + become: true + roles: + - role: adellam.os_bootstrap + vars: + centos_install_epel: true + selinux_policy_state: enforcing + selinux_policy_type: targeted + centos_pkg_state: latest +``` + +## Testing + +```bash +source ~/ansible/ansible6/bin/activate +ansible-lint +``` + +Basic test playbook is in `tests/test.yml`. + +## License EUPL-1.2 -Author Information ------------------- +## Author Information -An optional section for the role authors to include contact information, or a website (HTML is not allowed). +Andrea Dell'Amico + +ISTI-CNR, Pisa, Italy diff --git a/defaults/main.yml b/defaults/main.yml index 95d3c70..c88f8a9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,2 +1,306 @@
 ---
-# defaults file for ansible-role-template
\ No newline at end of file
+# timezone
+timezone: Europe/Rome
+default_locale_lang: en_US.UTF-8
+default_deb_locale_messages: C.UTF-8
+default_el_locale_messages: en_US.UTF-8
+locales_list:
+ - { name: "{{ default_locale_lang }}" }
+ - { name: en_US.UTF-8 }
+ - { name: en_US }
+ - { name: it_IT.UTF-8 }
+ - { name: it_IT }
+
+domain_name: "{{ ansible_domain }}"
+
+configure_grub_cmdline_parameters: false
+grub_cmdline_additional_parameters: ""
+sysctl_custom_file: /etc/sysctl.d/90-custom-values.conf
+sysctl_opts_reload: true
+sysctl_custom_file_state: present
+explicitly_set_hostname: true
+custom_etc_hosts_entries: ""
+custom_etc_hosts_entries_adjunct: ""
+
+# Only name and value are mandatory. The others have defaults
+sysctl_custom_options: []
+# - name: 'net.nf_conntrack_max'
+# value: '32768'
+# sysctlfile: '{{ sysctl_custom_file }}'
+# sysctl_reload: '{{ sysctl_opts_reload }}'
+# sysctlfile_state: '{{ sysctl_custom_file_state }}'
+
+ubuntu_configure_additional_interfaces: false
+ubuntu_configure_additional_int_dhcp_overrides: true
+ubuntu_configure_additional_ints_list: []
+disable_ipv6: false
+ipv6_sysctl_value: 1
+ipv6_sysctl_file: /etc/sysctl.d/10-ipv6-disable.conf
+
+#
+# Define the following variables to manage additional disks and mount points, even static nfs ones
+additional_disks: false
+disks_and_mountpoints_list: []
+# - { mountpoint: '/data', device: 'xvda3', fstype: 'xfs', opts: 'noatime', state: 'mounted', create_filesystem: True }
+
+swap_device: false
+swap_device_name: /dev/vdxxxxx
+
+ansible_python3_debs:
+ - python3-lxml
+
+ansible_python3_el:
+ - python3-lxml
+
+#
+enable_env_proxy: false
+env_proxy_http_host: localhost
+env_proxy_http_port: "3128"
+env_proxy_http_protocol: http
+env_proxy_https_protocol: "{{ env_proxy_http_protocol }}"
+env_proxy_http_url: "{{ env_proxy_http_protocol }}://{{ env_proxy_http_host }}:{{ env_proxy_http_port }}"
+env_proxy_https_url: "{{ 
env_proxy_http_url }}"
+env_proxy_protocols:
+ - http_proxy
+ - https_proxy
+ - ftp_proxy
+ - HTTP_PROXY
+ - HTTPS_PROXY
+ - FTP_PROXY
+env_proxy_use_authentication: false
+env_proxy_username: ""
+env_proxy_password: ""
+no_proxy_targets:
+ - ::1
+ - 127.0.0.1
+ - localhost
+
+# A generic PKI directory where the local certificates will be stored
+pki_dir: /etc/pki
+pki_subdirs:
+ - certs
+ - keys
+pki_install_a_custom_ca: false
+self_signed_cert: "{{ pki_dir }}/selfsigned/cert"
+self_signed_fullchain: "{{ pki_dir }}/selfsigned/fullchain"
+self_signed_key: "{{ pki_dir }}/selfsigned/privkey"
+self_signed_subject: /CN={{ ansible_fqdn }} self signed
+
+mkcert_create_certificate: false
+mkcert_cert_name: "{{ ansible_fqdn }}.pem"
+mkcert_cert_dest_path: "{{ pki_dir }}/certs"
+mkcert_cert_file_path: "{{ mkcert_cert_dest_path }}/{{ mkcert_cert_name }}"
+mkcert_key_name: "{{ ansible_fqdn }}-key.pem"
+mkcert_key_dest_path: "{{ pki_dir }}/keys"
+mkcert_key_file_path: "{{ mkcert_key_dest_path }}/{{ mkcert_key_name }}"
+mkcert_dsn_and_ip_list: "{{ ansible_fqdn }} {% for ip in ansible_all_ipv4_addresses %}{{ ip }} {% endfor %}"
+mkcert_ca_host: localhost
+
+trusted_ca_el_anchors_path: /etc/pki/ca-trust/source/anchors
+trusted_ca_deb_path: /usr/local/share/ca-certificates
+# it shoudn't be needed
+trusted_ca_letsencrypt_install: false
+trusted_ca_letsencrypt_ca_certificates_url: https://letsencrypt.org/certs
+trusted_ca_letsencrypt_ca_files:
+ - { ca_src: isrgrootx1.pem, ca: isrgrootx1.crt, name: isrg-root-x1 }
+ - { ca_src: isrg-root-x2.pem, ca: isrg-root-x2.crt, name: isrg-root-x2-not-cross }
+ - { ca_src: 2024/e5.pem, ca: lets-encrypt-e5.crt, name: lets-encrypt-e5 }
+ - { ca_src: 2024/e6.pem, ca: lets-encrypt-e6.crt, name: lets-encrypt-e6 }
+ - { ca_src: 2024/r10.pem, ca: lets-encrypt-r10.crt, name: lets-encrypt-r10-not-cross }
+ - { ca_src: 2024/r11.pem, ca: lets-encrypt-r11.crt, name: lets-encrypt-r11-not-cross }
+ - { ca_src: 2024/e7.pem, ca: lets-encrypt-e7.crt, name: 
lets-encrypt-e7 }
+ - { ca_src: 2024/e7-cross.pem, ca: lets-encrypt-e7-cross.crt, name: lets-encrypt-e7-cross }
+ - { ca_src: 2024/e8.pem, ca: lets-encrypt-e8.crt, name: lets-encrypt-e8 }
+ - { ca_src: 2024/e8-cross.pem, ca: lets-encrypt-e8-cross.crt, name: lets-encrypt-e8-cross }
+ - { ca_src: 2024/r12.pem, ca: lets-encrypt-r12.crt, name: lets-encrypt-r12-not-cross }
+ - { ca_src: 2024/r13.pem, ca: lets-encrypt-r13.crt, name: lets-encrypt-r13-not-cross }
+
+expired_ca_letsencrypt_ca_files:
+ - isrg-root-x2-cross-signed.pem
+ - lets-encrypt-r3-cross-signed.pem
+ - lets-encrypt-x3-cross-signed.pem
+ - letsencryptauthorityx3.pem
+
+trusted_ca_additional_ca_files: []
+# - { ca_url: 'https://example.com/foo-ca.pem', ca: 'foo-ca.pem', name: 'foo-ca' }
+
+#
+# External Repos (EL/RedHat)
+#
+centos_install_epel: true
+centos_epel_repo_url: epel-release
+centos_install_release_scl: false
+
+rh_install_elrepo: false
+rh_elrepo_repo_url: http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
+
+#
+# CentOS/EL Basic Setup
+#
+centos_pkg_state: latest
+centos_set_dns_servers: false
+dns1: 208.67.220.220
+dns2: 208.67.222.222
+configure_domain_name_in_interface: false
+
+centos_packages_to_install:
+ - dstat
+ - lsof
+ - strace
+ - traceroute
+ - bind-utils
+ - yum-cron
+ - whois
+ - iotop
+ - policycoreutils-python-utils
+ - firewalld
+ - ipset
+ - psmisc
+ - tcpdump
+ - tuned
+ - bash-completion
+ - rsync
+ - bzip2
+ - wget
+ - curl
+ - unzip
+
+centos_packages_from_epel:
+ - htop
+ - lbzip2
+
+centos_packages_cleanup: true
+centos_remove_avahi: false
+centos_remove_networkmanager: false
+centos_disable_avahi: true
+centos_disable_networkmanager: false
+
+centos_packages_to_remove:
+ - ppp
+ - wpa_supplicant
+
+centos_nm_packages:
+ - NetworkManager-tui
+ - ModemManager-glib
+ - NetworkManager-glib
+ - NetworkManager
+
+centos_avahi_packages:
+ - avahi
+ - avahi-libs
+ - avahi-autoipd
+
+centos_services_to_be_disabled:
+ - acpid
+
+centos_enable_locate: false
+centos_locate_package:
+ - mlocate
+
+centos_hw_packages:
+ - smartmontools
+ - system-storage-manager
+
+centos_selinux_daemons_dump_core: false
+selinux_policy_type: targeted
+selinux_policy_state: enforcing
+# selinux_booleans:
+# - { name: '', state: '', persistent: 'yes' }
+
+manage_root_ssh_keys: true
+
+#
+# Ubuntu/Debian General Setup
+#
+use_apt_proxy: false
+apt_proxy_url: http://localhost:3128
+dist_upgrade: false
+
+pkg_state: present
+common_packages:
+ - acl
+ - zile
+ - dstat
+ - iotop
+ - curl
+ - wget
+ - vim-tiny
+ - psmisc
+ - tcpdump
+ - lsof
+ - strace
+ - rsync
+ - multitail
+ - unzip
+ - htop
+ - tree
+ - bind9-host
+ - bash-completion
+ - sudo
+ - apt-transport-https
+ - nano
+ - xmlstarlet
+ - bsdutils
+ - less
+
+# Set this variable in your playbook
+# additional_packages:
+# - pkg1
+# - pkg2
+
+# Unattended upgrades
+unatt_allowed_origins:
+ - ${distro_id}:${distro_codename}-security
+# unatt_blacklisted:
+# - libc6
+unatt_autofix: "true"
+# When true, the procedure is really slow
+unatt_minimalsteps: "false"
+unatt_install_on_shutdown: "false"
+# unatt_email: sysadmin@example.org
+unatt_email_on_error: "false"
+unatt_autoremove: "true"
+unatt_autoreboot: "false"
+unatt_autoreboot_time: now
+
+#
+# Package cleanup (Debian/Ubuntu)
+#
+cleanup_base_packages: true
+base_packages_to_remove:
+ - ppp
+ - at
+ - snapd
+
+cleanup_x_base_packages: false
+x_base_packages_to_remove:
+ - firefox-locale-en
+ - x11-common
+
+cleanup_nfs_packages: false
+nfs_packages:
+ - nfs-common
+ - portmap
+
+cleanup_rpcbind_packages: false
+rpcbind_packages:
+ - rpcbind
+
+cleanup_exim_email_server: true
+exim_email_server_pkgs:
+ - exim4
+ - exim4-base
+ - exim4-config
+ - exim4-daemon-light
+
+disable_apport_service: true
+ubuntu_remove_lxd: true
+ubuntu_lxd_pkgs:
+ - lxd
+ - lxcfs
+
+disable_some_not_needed_services: false
+services_to_be_disabled:
+ - rpcbind
+ - atd
+ - acpid
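Review bot: `rh_elrepo_repo_url` defaults to a cleartext `http://` URL for an `el7` release RPM, while the README added in this same commit lists only EL 8, 9 and 10 as supported platforms; a repository-release package fetched over plain HTTP is only as trustworthy as the signature check performed by whatever consumes it, and tasks/external_repos_el.yml is not in this hunk so I cannot confirm one is done. Since the feature is opt-in (`rh_install_elrepo: false`), switching the default to `https://www.elrepo.org/...` where the mirror serves it and to the release matching the supported EL versions is low-risk, or add a comment stating that users must override it. Separately, `trusted_ca_letsencrypt_ca_files` references `2024/e5.pem` through `2024/r13.pem`, yet the files this commit adds under `files/letsencrypt_ca_files/` are isrgrootx1, isrg-root-x2 and the e1/e2/r3/r4 intermediates; whether `ca_src` is resolved against those local files or fetched from `trusted_ca_letsencrypt_ca_certificates_url` depends on tasks/trusted_ca.yml, which is outside this hunk, but either way the two lists do not line up and a comment above `trusted_ca_letsencrypt_ca_files` saying which source is authoritative would help.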
diff --git a/files/letsencrypt_ca_files/isrg-root-x2.pem b/files/letsencrypt_ca_files/isrg-root-x2.pem new file mode 100644 index 0000000..7d903ed --- /dev/null +++ b/files/letsencrypt_ca_files/isrg-root-x2.pem @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw +CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg +R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00 +MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT +ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw +EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW ++1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9 +ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T +AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI +zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW +tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1 +/q4AaOeMSQ+2b1tbFfLn +-----END CERTIFICATE----- diff --git a/files/letsencrypt_ca_files/isrgrootx1.pem b/files/letsencrypt_ca_files/isrgrootx1.pem new file mode 100644 index 0000000..b85c803 --- /dev/null +++ b/files/letsencrypt_ca_files/isrgrootx1.pem 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 +WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu +ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY +MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc +h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ +0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U +A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW +T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH +B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC +B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv +KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn +OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn +jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw +qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI +rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq +hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL +ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ +3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK +NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 +ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur +TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC +jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc +oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq +4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA +mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d +emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= +-----END CERTIFICATE----- 
diff --git a/files/letsencrypt_ca_files/lets-encrypt-e1.pem b/files/letsencrypt_ca_files/lets-encrypt-e1.pem new file mode 100644 index 0000000..2a19d41 --- /dev/null +++ b/files/letsencrypt_ca_files/lets-encrypt-e1.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxjCCAk2gAwIBAgIRALO93/inhFu86QOgQTWzSkUwCgYIKoZIzj0EAwMwTzEL +MAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNo +IEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDIwHhcNMjAwOTA0MDAwMDAwWhcN +MjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5j +cnlwdDELMAkGA1UEAxMCRTEwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQkXC2iKv0c +S6Zdl3MnMayyoGli72XoprDwrEuf/xwLcA/TmC9N/A8AmzfwdAVXMpcuBe8qQyWj ++240JxP2T35p0wKZXuskR5LBJJvmsSGPwSSB/GjMH2m6WPUZIvd0xhajggEIMIIB +BDAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB +MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFFrz7Sv8NsI3eblSMOpUb89V +yy6sMB8GA1UdIwQYMBaAFHxClq7eS0g7+pL4nozPbYupcjeVMDIGCCsGAQUFBwEB +BCYwJDAiBggrBgEFBQcwAoYWaHR0cDovL3gyLmkubGVuY3Iub3JnLzAnBgNVHR8E +IDAeMBygGqAYhhZodHRwOi8veDIuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYG +Z4EMAQIBMA0GCysGAQQBgt8TAQEBMAoGCCqGSM49BAMDA2cAMGQCMHt01VITjWH+ +Dbo/AwCd89eYhNlXLr3pD5xcSAQh8suzYHKOl9YST8pE9kLJ03uGqQIwWrGxtO3q +YJkgsTgDyj2gJrjubi1K9sZmHzOa25JK1fUpE8ZwYii6I4zPPS/Lgul/ +-----END CERTIFICATE----- diff --git a/files/letsencrypt_ca_files/lets-encrypt-e2.pem b/files/letsencrypt_ca_files/lets-encrypt-e2.pem new file mode 100644 index 0000000..0fd9f40 --- /dev/null +++ b/files/letsencrypt_ca_files/lets-encrypt-e2.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxjCCAkygAwIBAgIQTtI99q9+x/mwxHJv+VEqdzAKBggqhkjOPQQDAzBPMQsw +CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg +R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw0y +NTA5MTUxNjAwMDBaMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNy +eXB0MQswCQYDVQQDEwJFMjB2MBAGByqGSM49AgEGBSuBBAAiA2IABCOaLO3lixmN +YVWex+ZVYOiTLgi0SgNWtU4hufk50VU4Zp/LbBVDxCsnsI7vuf4xp4Cu+ETNggGE +yBqJ3j8iUwe5Yt/qfSrRf1/D5R58duaJ+IvLRXeASRqEL+VkDXrW3qOCAQgwggEE +MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEw +EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUbZkq9U0C6+MRwWC6km+NPS7x +6kQwHwYDVR0jBBgwFoAUfEKWrt5LSDv6kviejM9ti6lyN5UwMgYIKwYBBQUHAQEE +JjAkMCIGCCsGAQUFBzAChhZodHRwOi8veDIuaS5sZW5jci5vcmcvMCcGA1UdHwQg +MB4wHKAaoBiGFmh0dHA6Ly94Mi5jLmxlbmNyLm9yZy8wIgYDVR0gBBswGTAIBgZn +gQwBAgEwDQYLKwYBBAGC3xMBAQEwCgYIKoZIzj0EAwMDaAAwZQIxAPJCN9qpyDmZ +tX8K3m8UYQvK51BrXclM6WfrdeZlUBKyhTXUmFAtJw4X6A0x9mQFPAIwJa/No+KQ +UAM1u34E36neL/Zba7ombkIOchSgx1iVxzqtFWGddgoG+tppRPWhuhhn +-----END CERTIFICATE----- diff --git a/files/letsencrypt_ca_files/lets-encrypt-r3.pem b/files/letsencrypt_ca_files/lets-encrypt-r3.pem new file mode 100644 index 0000000..43b222a --- /dev/null +++ b/files/letsencrypt_ca_files/lets-encrypt-r3.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw +WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg +RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP +R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx +sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm +NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg +Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG +/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB +Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA +FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw +AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw +Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB +gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W +PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl +ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz +CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm +lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 +avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 +yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O +yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids +hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ +HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv +MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX +nLRbwHOoq7hHwg== +-----END CERTIFICATE----- 
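Review bot: The validity period encoded in this intermediate appears to have already elapsed — the `WhcNMjUwOTE1MTYwMDAwWj` run in the fourth and fifth base64 lines decodes to a notAfter of 2025-09-15T16:00:00Z, and the same encoding appears in the E1, E2 and R4 files added alongside it, so installing these into a system trust store adds anchors that can no longer validate anything. Let's Encrypt intermediates are sent by the server in the TLS chain and only the roots (the isrgrootx1/isrg-root-x2 files this commit also adds) need to be trusted locally, so I would drop the four intermediate files from `files/letsencrypt_ca_files/` or, if they are kept for a legacy client, check them with `openssl x509 -noout -enddate -in lets-encrypt-r3.pem` and replace them with the current R10–R14/E5–E8 issuers. Either way a short README line stating why intermediates are shipped at all, and who is responsible for refreshing them, would help the next maintainer.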
diff --git a/files/letsencrypt_ca_files/lets-encrypt-r4.pem b/files/letsencrypt_ca_files/lets-encrypt-r4.pem new file mode 100644 index 0000000..578b3bd --- /dev/null +++ b/files/letsencrypt_ca_files/lets-encrypt-r4.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFFjCCAv6gAwIBAgIRAIp5IlCr5SxSbO7Pf8lC3WIwDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw +WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg +RW5jcnlwdDELMAkGA1UEAxMCUjQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCzKNx3KdPnkb7ztwoAx/vyVQslImNTNq/pCCDfDa8oPs3Gq1e2naQlGaXS +Mm1Jpgi5xy+hm5PFIEBrhDEgoo4wYCVg79kaiT8faXGy2uo/c0HEkG9m/X2eWNh3 +z81ZdUTJoQp7nz8bDjpmb7Z1z4vLr53AcMX/0oIKr13N4uichZSk5gA16H5OOYHH +IYlgd+odlvKLg3tHxG0ywFJ+Ix5FtXHuo+8XwgOpk4nd9Z/buvHa4H6Xh3GBHhqC +VuQ+fBiiCOUWX6j6qOBIUU0YFKAMo+W2yrO1VRJrcsdafzuM+efZ0Y4STTMzAyrx +E+FCPMIuWWAubeAHRzNl39Jnyk2FAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB +Af8CAQAwHQYDVR0OBBYEFDadPuCxQPYnLHy/jZ0xivZUpkYmMB8GA1UdIwQYMBaA +FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw +AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw +Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB +gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCJbu5CalWO+H+Az0lmIG14DXmlYHQE +k26umjuCyioWs2icOlZznPTcZvbfq02YPHGTCu3ctggVDULJ+fwOxKekzIqeyLNk +p8dyFwSAr23DYBIVeXDpxHhShvv0MLJzqqDFBTHYe1X5X2Y7oogy+UDJxV2N24/g +Z8lxG4Vr2/VEfUOrw4Tosl5Z+1uzOdvTyBcxD/E5rGgTLczmulctHy3IMTmdTFr0 +FnU0/HMQoquWQuODhFqzMqNcsdbjANUBwOEQrKI8Sy6+b84kHP7PtO+S4Ik8R2k7 +ZeMlE1JmxBi/PZU860YlwT8/qOYToCHVyDjhv8qutbf2QnUl3SV86th2I1QQE14s +0y7CdAHcHkw3sAEeYGkwCA74MO+VFtnYbf9B2JBOhyyWb5087rGzitu5MTAW41X9 +DwTeXEg+a24tAeht+Y1MionHUwa4j7FB/trN3Fnb/r90+4P66ZETVIEcjseUSMHO +w6yqv10/H/dw/8r2EDUincBBX3o9DL3SadqragkKy96HtMiLcqMMGAPm0gti1b6f +bnvOdr0mrIVIKX5nzOeGZORaYLoSD4C8qvFT7U+Um6DMo36cVDNsPmkF575/s3C2 +CxGiCPQqVxPgfNSh+2CPd2Xv04lNeuw6gG89DlOhHuoFKRlmPnom+gwqhz3ZXMfz +TfmvjrBokzCICA== +-----END CERTIFICATE----- 
diff --git a/files/qemu_ag_provisioning-sepol.te b/files/qemu_ag_provisioning-sepol.te
new file mode 100644
index 0000000..b619ffc
--- /dev/null
+++ b/files/qemu_ag_provisioning-sepol.te
@@ -0,0 +1,17 @@
+
+module qemu_ag_provisioning-sepol 1.0;
+
+require {
+ type etc_t;
+ type systemd_timedated_t;
+ type virt_qemu_ga_t;
+ type proc_net_t;
+ class lnk_file unlink;
+ class file read;
+}
+
+#============= systemd_timedated_t ==============
+allow systemd_timedated_t etc_t:lnk_file unlink;
+
+#============= virt_qemu_ga_t ==============
+allow virt_qemu_ga_t proc_net_t:file read;
diff --git a/files/systemd-enable.te b/files/systemd-enable.te
new file mode 100644
index 0000000..9067cf2
--- /dev/null
+++ b/files/systemd-enable.te
@@ -0,0 +1,12 @@
+
+module systemd-enable-sepol 1.0;
+
+require {
+ type unconfined_t;
+ type init_t;
+ class service enable;
+}
+
+#============= unconfined_t ==============
+allow unconfined_t init_t:service enable;
+
diff --git a/handlers/main.yml b/handlers/main.yml
index 27474e0..05effdb 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,2 +1,5 @@
 ---
-# handlers file for ansible-role-template
\ No newline at end of file
+- name: Netplan Apply
+ ansible.builtin.command:
+ cmd: netplan apply
+ changed_when: false
diff --git a/meta/main.yml b/meta/main.yml
index 1126a5e..52119c9 100644
--- a/meta/main.yml
+++ b/meta/main.yml
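Review bot: `allow systemd_timedated_t etc_t:lnk_file unlink;` grants timedated the right to remove every symlink labelled etc_t, which is considerably broader than the single `/etc/localtime` link that `timedatectl set-timezone` replaces (presumably the denial this module was written for, going by the task name that installs it). Before shipping it I would re-check with `ausearch -m AVC -c systemd-timedate` whether current targeted policy still denies this, and if the rule is still needed, record the trigger in the file itself so nobody widens it further: `# timedatectl set-timezone replaces the /etc/localtime symlink; stock policy denied the unlink on EL8/9`. The same kind of one-line rationale comment on the `virt_qemu_ga_t proc_net_t:file read` rule (which /proc/net file the guest agent reads, and which guest-agent command needs it) would make both modules auditable later.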
@@ -1,61 +1,35 @@ +--- galaxy_info: - author: your name - description: your description + author: Andrea Dell'Amico + description: OS bootstrap role - early-stage system setup that must run before role dependencies company: ISTI-CNR + namespace: adellam + role_name: os_bootstrap - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning - # Some suggested licenses: - # - BSD (default) - # - MIT - # - GPLv2 - # - GPLv3 - # - Apache - # - CC-BY - license: EUPL-1.2 + license: EUPL 1.2+ - min_ansible_version: 2.8 + min_ansible_version: "2.9" - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: + platforms: + - name: Ubuntu + versions: + - focal + - jammy + - noble + - name: Debian + versions: + - bullseye + - bookworm + - name: EL + versions: + - "8" + - "9" + - "10" - # Optionally specify the branch Galaxy will use when accessing the GitHub - # repo for this role. During role install, if no tags are available, - # Galaxy will use this branch. During import Galaxy will access files on - # this branch. If Travis integration is configured, only notifications for this - # branch will be accepted. Otherwise, in all cases, the repo's default branch - # (usually master) will be used. - #github_branch: - - # - # Provide a list of supported platforms, and for each platform a list of versions. - # If you don't wish to enumerate all versions for a particular platform, use 'all'. - # To view available platforms and versions (or releases), visit: - # https://galaxy.ansible.com/api/v1/platforms/ - # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 - - galaxy_tags: [] - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. 
Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of alphanumeric characters. - # Maximum 20 tags per role. + galaxy_tags: + - os-setup + - bootstrap dependencies: [] - # List your role dependencies here, one per line. Be sure to remove the '[]' above, - # if you add dependencies to this list. - diff --git a/tasks/additional_disks.yml b/tasks/additional_disks.yml new file mode 100644 index 0000000..63e240a --- /dev/null +++ b/tasks/additional_disks.yml 
@@ -0,0 +1,45 @@ +--- +- name: additional_disks | Manage the NFS mount points + when: ansible_distribution_file_variety == "Debian" + tags: [data_disk, mountpoint] + block: + - name: additional_disks | Install the NFS client utilities when we are going to mount a NFS file system + ansible.builtin.apt: + pkg: nfs-common + state: present + update_cache: true + cache_valid_time: 1800 + loop: "{{ disks_and_mountpoints_list }}" + when: item.fstype == 'nfs' + + - name: additional_disks | Install the NFS 4 acl tools if we are going to mount a NFS file system + ansible.builtin.apt: + pkg: nfs4-acl-tools + state: present + update_cache: true + cache_valid_time: 1800 + loop: "{{ disks_and_mountpoints_list }}" + when: item.fstype == 'nfs' + +- name: additional_disks | Create the file system + tags: [data_disk, mountpoint] + block: + - name: additional_disks | Create a file system on the new disks + community.general.filesystem: + dev: "{{ item.root_device | default('/dev/') }}{{ item.device }}" + fstype: "{{ item.fstype }}" + force: false + loop: "{{ disks_and_mountpoints_list }}" + when: + - additional_disks + - item.create_filesystem + - item.fstype != 'nfs' + + - name: additional_disks | Manage the additional file systems + ansible.posix.mount: + name: "{{ item.mountpoint }}" + src: "{% if item.uuid is not defined %}{{ item.root_device | default('/dev/') }}{{ item.device }}{% else %}UUID={{ item.uuid }}{% endif %}" + fstype: "{{ item.fstype }}" + opts: "{{ item.opts }}" + state: "{{ item.state }}" + loop: "{{ disks_and_mountpoints_list }}" diff --git a/tasks/ansible-python3-pkgs.yml b/tasks/ansible-python3-pkgs.yml new file mode 100644 index 0000000..83eaad0 --- /dev/null +++ b/tasks/ansible-python3-pkgs.yml 
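Review bot: The mount task uses `opts: "{{ item.opts }}"` with no default, so an inventory entry without `opts` fails the task, and an entry carrying plain `defaults` mounts a data volume or NFS export with setuid binaries and device nodes honoured. Data disks rarely need either, so a safer default is `opts: "{{ item.opts | default('defaults,nodev,nosuid') }}"`, leaving the inventory free to override it. The filesystem-creation task has the same gap with `item.create_filesystem` — an entry that omits the key raises an undefined-variable error instead of skipping — so `item.create_filesystem | default(false)` keeps the conservative behaviour (never format a disk unless explicitly asked).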
@@ -0,0 +1,20 @@ +--- +- name: ansible-python3-pkgs | Install some python3 packages on deb distributsions + when: ansible_distribution_file_variety == "Debian" + tags: [python, python3] + + block: + - name: ansible-python3-pkgs | Install some python3 packages on Ubuntu/Debian + ansible.builtin.apt: + pkg: "{{ ansible_python3_debs }}" + state: present + cache_valid_time: 1800 + +- name: ansible-python3-pkgs | Install some python3 packages on EL + when: ansible_distribution_file_variety == "RedHat" + tags: [python, python3] + block: + - name: ansible-python3-pkgs | Install some python3 packages on EL + ansible.builtin.yum: + pkg: "{{ ansible_python3_el }}" + state: present diff --git a/tasks/apt_proxy.yml b/tasks/apt_proxy.yml new file mode 100644 index 0000000..ee46e43 --- /dev/null +++ b/tasks/apt_proxy.yml @@ -0,0 +1,13 @@ +--- +- name: apt_proxy | Setup apt cache proxy + ansible.builtin.template: + src: "02proxy.j2" + dest: /etc/apt/apt.conf.d/02proxy + owner: root + group: root + mode: "0644" + when: + - ansible_distribution_file_variety == "Debian" + - use_apt_proxy + tags: + - aptproxy diff --git a/tasks/basic_setup_el.yml b/tasks/basic_setup_el.yml new file mode 100644 index 0000000..90ce079 --- /dev/null +++ b/tasks/basic_setup_el.yml 
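Review bot: The EL branch uses `ansible.builtin.yum` while basic_setup_el.yml in the same commit uses `ansible.builtin.dnf` for every other package task, and as far as I recall the yum module is deprecated in favour of dnf and is not usable on the EL10 targets listed in meta/main.yml. Switching this task to `ansible.builtin.dnf:` with `name: "{{ ansible_python3_el }}"` keeps the role consistent and avoids the deprecation path; `pkg` is only an alias for `name`, so the rename is cosmetic but matches the other tasks.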
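Review bot: There is no counterpart that removes `/etc/apt/apt.conf.d/02proxy` once `use_apt_proxy` is set back to false, so a host that was once pointed at a caching proxy keeps routing all APT traffic through it after the role says it should not (http_client_proxy.yml in this same commit does handle the disable case for its profile.d files). A removal task with the inverted condition closes that gap and keeps the two proxy task files symmetric.

```yaml
- name: apt_proxy | Remove the apt cache proxy configuration when not required
  ansible.builtin.file:
    path: /etc/apt/apt.conf.d/02proxy
    state: absent
  when:
    - ansible_distribution_file_variety == "Debian"
    - not use_apt_proxy
  tags:
    - aptproxy
```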
@@ -0,0 +1,251 @@ +--- +- name: basic_setup_el | Install the basic packages + ansible.builtin.dnf: + name: "{{ centos_packages_to_install }}" + state: "{{ centos_pkg_state }}" + tags: + - centos + - bootstrap + - packages + +- name: basic_setup_el | Install the basic packages from the EPEL repository + ansible.builtin.dnf: + name: "{{ centos_packages_from_epel }}" + state: "{{ centos_pkg_state }}" + when: centos_install_epel + tags: + - centos + - bootstrap + - packages + +- name: basic_setup_el | Install the packages we want on a non virtualized host + ansible.builtin.dnf: + name: "{{ centos_hw_packages | default([]) }}" + state: "{{ centos_pkg_state }}" + when: ansible_virtualization_role is defined and ansible_virtualization_role == 'host' + tags: + - centos + - bootstrap + - packages + +- name: basic_setup_el | Install the selinux policy file to fix a timedatectl problem and various qemu-ga ones + ansible.builtin.copy: + src: qemu_ag_provisioning-sepol.te + dest: /usr/local/etc/qemu_ag_provisioning-sepol.te + owner: root + group: root + mode: "0644" + register: qemu_ga_selinux_policy + tags: + - centos + - rhel + - selinux + +- name: basic_setup_el | Activate the selinux policy for qemu + ansible.builtin.shell: > + checkmodule -M -m -o /usr/local/etc/qemu_ag_provisioning-sepol.mod /usr/local/etc/qemu_ag_provisioning-sepol.te && + semodule_package -o /usr/local/etc/qemu_ag_provisioning-sepol.pp -m /usr/local/etc/qemu_ag_provisioning-sepol.mod && + semodule -i /usr/local/etc/qemu_ag_provisioning-sepol.pp + args: + creates: /usr/local/etc/qemu_ag_provisioning-sepol.pp + when: qemu_ga_selinux_policy is changed # noqa: no-handler + tags: + - centos + - rhel + - selinux + +- name: basic_setup_el | Install the selinux policy file to fix a systemd policy glitch + ansible.builtin.copy: + src: systemd-enable.te + dest: /usr/local/etc/systemd-enable-sepol.te + owner: root + group: root + mode: "0644" + register: systemd_selinux_policy + tags: + - centos + - rhel + - 
selinux + +- name: basic_setup_el | Activate the selinux policy for systemd + ansible.builtin.shell: > + checkmodule -M -m -o /usr/local/etc/systemd-enable-sepol.mod /usr/local/etc/systemd-enable-sepol.te && + semodule_package -o /usr/local/etc/systemd-enable-sepol.pp -m /usr/local/etc/systemd-enable-sepol.mod && + semodule -i /usr/local/etc/systemd-enable-sepol.pp + args: + creates: /usr/local/etc/systemd-enable-sepol.pp + when: systemd_selinux_policy is changed # noqa: no-handler + tags: + - centos + - rhel + - selinux + +- name: basic_setup_el | Activate smartmontools on a non virtualized host + ansible.builtin.service: + name: smartd + state: started + enabled: true + when: ansible_virtualization_role is defined and ansible_virtualization_role == 'host' + tags: + - centos + - bootstrap + - packages + +- name: basic_setup_el | Install the locate utility if needed + ansible.builtin.dnf: + name: "{{ centos_locate_package }}" + state: "{{ centos_pkg_state }}" + when: centos_enable_locate + tags: + - centos + - bootstrap + - packages + +- name: basic_setup_el | Configure the main interface to set the correct resolvers - dns1 + ansible.builtin.lineinfile: + name: /etc/sysconfig/network-scripts/ifcfg-eth0 + regexp: ^DNS1= + line: DNS1={{ dns1 }} + when: centos_set_dns_servers + tags: + - centos + - bootstrap + +- name: basic_setup_el | Configure the main interface to set the correct resolvers - dns2 + ansible.builtin.lineinfile: + name: /etc/sysconfig/network-scripts/ifcfg-eth0 + regexp: ^DNS2= + line: DNS2={{ dns2 }} + when: centos_set_dns_servers + tags: + - centos + - bootstrap + +- name: basic_setup_el | Configure the main interface to set the correct search domain + ansible.builtin.lineinfile: + name: /etc/sysconfig/network-scripts/ifcfg-eth0 + regexp: ^DOMAIN= + line: DOMAIN={{ domain_name }} + when: configure_domain_name_in_interface + tags: + - centos + - bootstrap + +- name: basic_setup_el | Stop avahi before removing it when it is not needed + 
ansible.builtin.service: + name: avahi-daemon + state: stopped + enabled: false + when: centos_remove_avahi or centos_disable_avahi + failed_when: false + tags: + - centos + - bootstrap + - avahi + +- name: basic_setup_el | Stop and disable NetworkManager when we do not need it + ansible.builtin.service: + name: NetworkManager + state: stopped + enabled: false + when: centos_remove_networkmanager or centos_disable_networkmanager + failed_when: false + tags: + - centos + - bootstrap + - networkmanager + +- name: basic_setup_el | Remove some unneeded packages + ansible.builtin.dnf: + name: "{{ centos_packages_to_remove | default([]) }}" + state: absent + when: centos_packages_cleanup + tags: + - centos + - bootstrap + - packages + +- name: basic_setup_el | Remove the Avahi packages + ansible.builtin.dnf: + name: "{{ centos_avahi_packages | default([]) }}" + state: absent + when: centos_remove_avahi + tags: + - centos + - bootstrap + - packages + +- name: basic_setup_el | Remove the NetworkManager packages + ansible.builtin.dnf: + name: "{{ centos_nm_packages | default([]) }}" + state: absent + when: centos_remove_networkmanager + tags: + - centos + - bootstrap + - packages + +- name: basic_setup_el | Disable some unneeded services + ansible.builtin.service: + name: "{{ item }}" + state: stopped + enabled: false + loop: "{{ centos_services_to_be_disabled }}" + when: centos_services_to_be_disabled is defined + failed_when: false + tags: + - centos + - bootstrap + - daemons + +- name: basic_setup_el | Configure selinux to permit core dumps by daemons + ansible.posix.seboolean: + name: daemons_dump_core + state: true + persistent: true + when: centos_selinux_daemons_dump_core | bool + tags: + - centos + - bootstrap + - selinux + +- name: basic_setup_el | Set other SELinux booleans - Optional + ansible.posix.seboolean: + name: "{{ item.name }}" + state: "{{ item.state }}" + persistent: "{{ item.persistent | default('yes') }}" + loop: "{{ selinux_booleans }}" + when: 
selinux_booleans is defined + tags: + - centos + - bootstrap + - selinux + +- name: basic_setup_el | Set the SELinux global policy - Defaults to Enforcing + ansible.posix.selinux: + policy: "{{ selinux_policy_type }}" + state: "{{ selinux_policy_state }}" + tags: + - centos + - bootstrap + - selinux + +- name: basic_setup_el | Add public ssh keys for root + ansible.posix.authorized_key: + user: root + key: "{{ item }}" + state: present + loop: "{{ root_ssh_keys | default([]) }}" + when: manage_root_ssh_keys + tags: + - root_pubkeys + +- name: basic_setup_el | Remove obsolete keys from the authorized ones + ansible.posix.authorized_key: + user: root + key: "{{ item }}" + state: absent + loop: "{{ obsolete_root_ssh_keys | default([]) }}" + when: obsolete_root_ssh_keys is defined + tags: + - root_pubkeys diff --git a/tasks/certificate_from_private_ca.yml b/tasks/certificate_from_private_ca.yml new file mode 100644 index 0000000..a62193f --- /dev/null +++ b/tasks/certificate_from_private_ca.yml 
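Review bot: The two "Activate the selinux policy" tasks combine `when: ... is changed` with `args: creates: /usr/local/etc/...-sepol.pp`, and the two guards contradict each other: once the `.pp` exists, a later edit to the `.te` file makes the copy report changed but `creates` still skips the shell task, so the module loaded in the kernel silently stays at the old version. Since the `when` on the registered copy result already limits the rebuild to runs where the source changed, I would drop the `args:` / `creates:` pair from both tasks (`semodule -i` is safe to re-run on an existing module). Separately, the DNS and DOMAIN tasks hard-code `/etc/sysconfig/network-scripts/ifcfg-eth0`; on EL9/10 that file typically does not exist under NetworkManager keyfile profiles, so `centos_set_dns_servers` is likely to create a stale, unused file there — worth a comment in defaults stating which EL releases the ifcfg path is meant for.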
@@ -0,0 +1,76 @@ +--- +- name: certificate_from_private_ca | Create the certificate using the private CA + tags: [pki, tls, tls_certificate] + block: + - name: certificate_from_private_ca | Set the common group between mkcert-ca and ansible + ansible.builtin.set_fact: + ansible_common_remote_group: ansible + + - name: certificate_from_private_ca | Remove the already existing certificates from the CA archive (delegate to the CA server) + ansible.builtin.file: + path: /srv/mkcert-ca/{{ item }} + state: absent + loop: + - "{{ mkcert_cert_name }}" + - "{{ mkcert_key_name }}" + - client-{{ mkcert_cert_name }} + - client-{{ mkcert_key_name }} + delegate_to: "{{ mkcert_ca_host }}" + + - name: certificate_from_private_ca | Create the certificate (delegate to the CA server) + ansible.builtin.command: + cmd: mkcert -cert-file /srv/mkcert-ca/{{ mkcert_cert_name }} -key-file /srv/mkcert-ca/{{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list }} + args: + chdir: /srv/mkcert-ca + creates: /srv/mkcert-ca/{{ mkcert_cert_name }} + environment: + CAROOT: /srv/mkcert-ca/.local/share/mkcert + delegate_to: "{{ mkcert_ca_host }}" + + - name: certificate_from_private_ca | Create a certificate able to do client authentication (delegate to the CA server) + ansible.builtin.command: + cmd: mkcert -client -cert-file /srv/mkcert-ca/client-{{ mkcert_cert_name }} -key-file /srv/mkcert-ca/client-{{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list + }} # yamllint disable-line rule:line-length + args: + chdir: /srv/mkcert-ca + creates: /srv/mkcert-ca/client-{{ mkcert_cert_name }} + environment: + CAROOT: /srv/mkcert-ca/.local/share/mkcert + delegate_to: "{{ mkcert_ca_host }}" + +- name: certificate_from_private_ca | Manage the certificate installation + tags: [pki, tls, tls_certificate] + block: + - name: certificate_from_private_ca | Get the certificate and its key from the CA server + ansible.builtin.fetch: + src: /srv/mkcert-ca/{{ item }} + dest: files/ + flat: true + loop: + - "{{ mkcert_cert_name }}" + 
- "{{ mkcert_key_name }}" + - client-{{ mkcert_cert_name }} + - client-{{ mkcert_key_name }} + delegate_to: "{{ mkcert_ca_host }}" + + - name: certificate_from_private_ca | Copy the certificate to the destination server + ansible.builtin.copy: + src: files/{{ item }} + dest: "{{ mkcert_cert_dest_path }}" + owner: root + group: root + mode: "0444" + loop: + - "{{ mkcert_cert_name }}" + - client-{{ mkcert_cert_name }} + + - name: certificate_from_private_ca | Copy the certificate to the destination server + ansible.builtin.copy: + src: files/{{ item }} + dest: "{{ mkcert_key_dest_path }}" + owner: root + group: root + mode: "0440" + loop: + - "{{ mkcert_key_name }}" + - client-{{ mkcert_key_name }} diff --git a/tasks/deb_general.yml b/tasks/deb_general.yml new file mode 100644 index 0000000..2c88b63 --- /dev/null +++ b/tasks/deb_general.yml @@ -0,0 +1,23 @@ +--- +- name: deb_general | Configure APT proxy + ansible.builtin.import_tasks: apt_proxy.yml + +- name: deb_general | Perform distribution upgrade + ansible.builtin.import_tasks: dist_upgrade.yml + when: dist_upgrade + +- name: deb_general | Install common packages + ansible.builtin.import_tasks: packages_deb.yml + +- name: deb_general | Remove unneeded packages + ansible.builtin.import_tasks: remove_unneeded_pkgs.yml + +- name: deb_general | Manage SSH public keys + ansible.builtin.import_tasks: pubkeys.yml + when: manage_root_ssh_keys + +- name: deb_general | Configure unattended upgrades + ansible.builtin.import_tasks: unattended_upgrades.yml + +- name: deb_general | Disable unneeded services + ansible.builtin.import_tasks: disable_services.yml diff --git a/tasks/disable_services.yml b/tasks/disable_services.yml new file mode 100644 index 0000000..39be670 --- /dev/null +++ b/tasks/disable_services.yml 
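Review bot: The fetch task pulls the server and client private keys into `files/` on the controller with `flat: true`, which is normally the playbook or role directory under version control, and nothing removes them afterwards, so a TLS key for every host ends up lying next to the playbook with the controller's default umask and one `git add .` away from the repository. I would fetch into a dedicated, non-tracked directory (for example a `mkcert_fetch_dir` variable defaulting outside the checkout), set `no_log: true` on the key fetch and key copy tasks, and append an `ansible.builtin.file: state: absent` cleanup of the fetched key files after the copy succeeds; `ansible.builtin.slurp` plus `copy: content:` would avoid touching the controller disk at all. Also note that the "Remove the already existing certificates" task runs before the `creates:`-guarded mkcert calls, so the `creates` never fires and every play re-issues a fresh key pair — fine if that is the intended rotation policy, but it should be stated in a comment, and the second copy task should be renamed (it copies the key, not the certificate).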
@@ -0,0 +1,27 @@ +--- +- name: disable_services | Disable some unneeded services + ansible.builtin.service: + name: "{{ item }}" + state: stopped + enabled: false + loop: "{{ services_to_be_disabled }}" + when: disable_some_not_needed_services + failed_when: false + tags: + - bootstrap + - disable_services + +- name: disable_services | Disable apport service + ansible.builtin.service: + name: apport + state: stopped + enabled: false + when: + - disable_apport_service + - ansible_distribution == "Ubuntu" + - ansible_distribution_version is version_compare('18.04', '>=') + failed_when: false + tags: + - bootstrap + - disable_services + - apport diff --git a/tasks/dist_upgrade.yml b/tasks/dist_upgrade.yml new file mode 100644 index 0000000..034f114 --- /dev/null +++ b/tasks/dist_upgrade.yml @@ -0,0 +1,13 @@ +--- +- name: dist_upgrade | Dist upgrade, if requested + ansible.builtin.apt: + upgrade: dist + update_cache: true + cache_valid_time: 1800 + autoclean: true + autoremove: true + when: dist_upgrade | bool + tags: + - packages + - upgrade + - dist_upgrade diff --git a/tasks/etchosts-customizations.yml b/tasks/etchosts-customizations.yml new file mode 100644 index 0000000..1fc7c1f --- /dev/null +++ b/tasks/etchosts-customizations.yml 
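Review bot: `failed_when: false` on both service tasks hides every failure, not only "unit does not exist", so a service that refuses to stop or cannot be disabled is reported as success and the host is left with something running that the inventory says should be off — exactly the kind of drift a hardening task is meant to prevent. Registering the result and narrowing the condition keeps the best-effort behaviour for missing units while surfacing real failures: `register: svc_result` and `failed_when: svc_result is failed and 'Could not find the requested service' not in (svc_result.msg | default(''))`. The apport task can use the same pattern, since on Ubuntu the unit is expected to exist.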
@@ -0,0 +1,56 @@ +--- +- name: etchosts-customizations | Add entries to /etc/hosts + when: custom_etc_hosts_entries | length > 0 + tags: + - etchosts + block: + - name: etchosts-customizations | Add custom entries to /etc/hosts + ansible.builtin.blockinfile: + path: /etc/hosts + marker_begin: ansible_etchosts_customizations_start + marker_end: ansible_etchosts_customizations_end + marker: "# {mark} hosts entries managed by ansible" + block: "{{ custom_etc_hosts_entries }}" + state: present + +- name: etchosts-customizations | Remove entries from /etc/hosts + when: custom_etc_hosts_entries | length == 0 + tags: + - etchosts + block: + - name: etchosts-customizations | Remove custom entries from /etc/hosts + ansible.builtin.blockinfile: + path: /etc/hosts + marker_begin: ansible_etchosts_customizations_start + marker_end: ansible_etchosts_customizations_end + marker: "# {mark} hosts entries managed by ansible" + block: "{{ custom_etc_hosts_entries }}" + state: absent + +- name: etchosts-customizations | Additional custom entries to /etc/hosts + when: custom_etc_hosts_entries_adjunct | length > 0 + tags: + - etchosts + block: + - name: etchosts-customizations | Additional custom entries to /etc/hosts + ansible.builtin.blockinfile: + path: /etc/hosts + marker_begin: ansible_etchosts_adjunct_start + marker_end: ansible_etchosts_adjunct_end + marker: "# {mark} additional hosts entries managed by ansible" + block: "{{ custom_etc_hosts_entries_adjunct }}" + state: present + +- name: etchosts-customizations | Remove entries from /etc/hosts + when: custom_etc_hosts_entries_adjunct | length == 0 + tags: + - etchosts + block: + - name: etchosts-customizations | Remove the additional custom entries from /etc/hosts + ansible.builtin.blockinfile: + path: /etc/hosts + marker_begin: ansible_etchosts_adjunct_start + marker_end: ansible_etchosts_adjunct_end + marker: "# {mark} additional hosts entries managed by ansible" + block: "{{ custom_etc_hosts_entries_adjunct }}" + state: 
absent diff --git a/tasks/external_repos_el.yml b/tasks/external_repos_el.yml new file mode 100644 index 0000000..5e4cb87 --- /dev/null +++ b/tasks/external_repos_el.yml @@ -0,0 +1,30 @@ +--- +- name: external_repos_el | Install the EPEL repository + ansible.builtin.dnf: + name: "{{ centos_epel_repo_url }}" + state: "{{ centos_pkg_state }}" + when: centos_install_epel + tags: + - centos + - rhel + - repo + +- name: external_repos_el | Install the SCL release to access the latest versions of some software + ansible.builtin.dnf: + name: centos-release-scl + state: present + when: centos_install_release_scl + tags: + - centos + - scl + - repo + +- name: external_repos_el | Install the elrepo repository + ansible.builtin.dnf: + name: "{{ rh_elrepo_repo_url }}" + state: present + when: rh_install_elrepo + tags: + - centos + - rhel + - repo diff --git a/tasks/grub_cmdline_parameters.yml b/tasks/grub_cmdline_parameters.yml new file mode 100644 index 0000000..df39f31 --- /dev/null +++ b/tasks/grub_cmdline_parameters.yml @@ -0,0 +1,19 @@ +--- +- name: grub_cmdline_parameters | Manage additional grub command line options + tags: + - grub + - kernel + block: + - name: grub_cmdline_parameters | Install the grub command line configuration + ansible.builtin.template: + src: grub_cmdline.cfg.j2 + dest: /etc/default/grub.d/99-grub-ansible-cmdline.cfg + owner: root + group: root + mode: "0644" + when: configure_grub_cmdline_parameters + - name: grub_cmdline_parameters | Remove the custom grub command line configuration + ansible.builtin.file: + dest: /etc/default/grub.d/99-grub-ansible-cmdline.cfg + state: absent + when: not configure_grub_cmdline_parameters diff --git a/tasks/hostname.yml b/tasks/hostname.yml new file mode 100644 index 0000000..bd791af --- /dev/null +++ b/tasks/hostname.yml 
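Review bot: The EPEL and elrepo tasks install a release rpm straight from `centos_epel_repo_url` / `rh_elrepo_repo_url` without first importing the vendor signing key, and for a package given as a URL dnf treats it as a local package whose signature check depends on `localpkg_gpgcheck`, so as far as I can tell the download is installed unverified on a stock configuration. Adding an `ansible.builtin.rpm_key` task before each install (`key: "{{ centos_epel_gpg_key_url }}"` / the elrepo key, `state: present`) and keeping `disable_gpg_check` at its default makes the bootstrap depend on the key rather than on the URL being unspoofed. Separately, `centos-release-scl` only exists for EL7 while meta/main.yml lists EL 8–10, so the SCL task will fail on every supported target when `centos_install_release_scl` is true; a comment in defaults, or dropping the task, would avoid that surprise.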
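Review bot: Installing or removing `/etc/default/grub.d/99-grub-ansible-cmdline.cfg` never regenerates the boot configuration, so the kernel command line change (or its removal) takes no effect until something else happens to run update-grub, which is a trap when the parameters are security-relevant (mitigations, audit=1, lockdown). Both tasks should carry `notify: Update grub`, with a matching handler in handlers/main.yml (currently only "Netplan Apply" is defined there) running `update-grub` on Debian/Ubuntu. Also, as far as I know the `/etc/default/grub.d/` drop-in directory is a Debian-family convention that EL's grub2-mkconfig does not source, so either condition these tasks on `ansible_distribution_file_variety == "Debian"` or document that `configure_grub_cmdline_parameters` is Debian/Ubuntu only.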
@@ -0,0 +1,23 @@ +--- +- name: hostname | Add entries to /etc/hosts + when: explicitly_set_hostname + tags: [systemsetup, hostname] + block: + - name: hostname | Set the hostname when different from the inventory one. + ansible.builtin.hostname: + name: "{{ hostname }}" + when: hostname is defined + + - name: hostname | Set the hostname as defined in the inventory + ansible.builtin.hostname: + name: "{{ inventory_hostname }}" + when: hostname is not defined + + - name: hostname | Add the hostname into the /etc/hosts file + ansible.builtin.blockinfile: + path: /etc/hosts + marker_begin: ansible_hostname_start + marker_end: ansible_hostname_end + marker: "# {mark} hostname entry managed by ansible" + block: "{{ ansible_default_ipv4.address }} {{ hostname }} {{ ansible_hostname }}" + state: present diff --git a/tasks/http_client_proxy.yml b/tasks/http_client_proxy.yml new file mode 100644 index 0000000..a40abe6 --- /dev/null +++ b/tasks/http_client_proxy.yml @@ -0,0 +1,25 @@ +--- +- name: http_client_proxy | Proxy in the global shell environment + block: + - name: http_client_proxy | Install the proxy environment files + ansible.builtin.template: + src: "{{ item }}.j2" + dest: /etc/profile.d/{{ item }} + owner: root + group: root + mode: "0444" + loop: + - 10-caching-proxy.sh + - 10-java-caching-proxy.sh + when: enable_env_proxy + + - name: http_client_proxy | Remove the proxy environment file if not required + ansible.builtin.file: + dest: /etc/profile.d/{{ item }} + state: absent + loop: + - 10-caching-proxy.sh + - 10-java-caching-proxy.sh + when: not enable_env_proxy + + tags: [systemsetup, proxyenv] diff --git a/tasks/locale.yml b/tasks/locale.yml new file mode 100644 index 0000000..8cc02c6 --- /dev/null +++ b/tasks/locale.yml 
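Review bot: The blockinfile task references `{{ hostname }}` unconditionally, but the two tasks above it explicitly handle the case where `hostname` is not defined (falling back to `inventory_hostname`), so in that case the /etc/hosts task aborts with an undefined-variable error after the hostname has already been changed. Using `block: "{{ ansible_default_ipv4.address }} {{ hostname | default(inventory_hostname) }} {{ ansible_hostname }}"` keeps the two paths consistent. Note also that `ansible_hostname` is the fact gathered before this block ran, so the short-name alias written here is the old hostname unless facts are re-gathered — add `ansible.builtin.setup` after the hostname tasks or drop the alias if that is not intended.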
@@ -0,0 +1,42 @@ +--- +- name: locale | Generate locales and set the default locale on Debian and Ubuntu distributions + block: + - name: locale | Add/remove a list of locales + community.general.locale_gen: + name: "{{ item.name }}" + state: "{{ item.state | default('present') }}" + loop: "{{ locales_list }}" + + - name: locale | Set the default locale on Trusty + ansible.builtin.shell: update-locale LANG={{ default_locale_lang }} + when: ansible_distribution_release == "trusty" + changed_when: false + + when: ansible_distribution_file_variety == "Debian" + tags: [systemsetup, locale] + +- name: locale | Set the locale on distributions that run systemd + block: + - name: locale | Check if localectl exists + ansible.builtin.stat: + path: /usr/bin/localectl + register: localectl_executable + + - name: locale | Set the default locale + ansible.builtin.command: localectl set-locale 'LANG={{ default_locale_lang }}' 'LC_MESSAGES={{ default_deb_locale_messages }}' + when: + - localectl_executable.stat.exists | bool + - ansible_distribution_file_variety == "Debian" + changed_when: false + + - name: locale | Set the default locale + ansible.builtin.command: localectl set-locale "{{ item }}" + loop: + - LANG={{ default_locale_lang }} + - LC_MESSAGES={{ default_el_locale_messages }} + when: + - localectl_executable.stat.exists | bool + - ansible_distribution_file_variety == "RedHat" + changed_when: false + + tags: [systemsetup, locale] diff --git a/tasks/main.yml b/tasks/main.yml index 53c6cae..3f1a8b7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
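Review bot: `ansible.builtin.shell: update-locale LANG={{ default_locale_lang }}` runs a templated inventory value through a shell although no shell feature is used; `ansible.builtin.command` with `argv: [update-locale, "LANG={{ default_locale_lang }}"]` gives the same result without word splitting or metacharacter interpretation, and ansible-lint flags the shell form for this reason. The three locale-setting commands also carry `changed_when: false` even though they do change system state, which hides real changes from the play summary; comparing the current value (`localectl status` / `/etc/default/locale`) first, or at least `changed_when: true`, would be more honest.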
@@ -1,2 +1,69 @@
 ---
-# tasks file for ansible-role-template
\ No newline at end of file
+- name: HTTP client proxy
+ ansible.builtin.import_tasks: http_client_proxy.yml
+
+- name: Python3 requirements for ansible
+ ansible.builtin.import_tasks: ansible-python3-pkgs.yml
+
+- name: Set the hostname
+ ansible.builtin.import_tasks: hostname.yml
+
+- name: Set the locale
+ ansible.builtin.import_tasks: locale.yml
+
+- name: Set the timezone
+ ansible.builtin.import_tasks: timezone.yml
+
+- name: Manage customizations to the /etc/hosts file
+ ansible.builtin.import_tasks: etchosts-customizations.yml
+
+- name: Additional network interfaces
+ ansible.builtin.import_tasks: network-interfaces.yml
+
+- name: Manage additional disk volumes
+ ansible.builtin.import_tasks: additional_disks.yml
+ when: additional_disks
+
+- name: Manage a swap device
+ ansible.builtin.import_tasks: swap_device.yml
+ when: swap_device
+
+#
+# Distribution-specific setup
+#
+- name: External repositories for EL/RedHat
+ ansible.builtin.import_tasks: external_repos_el.yml
+ when: ansible_distribution_file_variety == "RedHat"
+
+- name: Basic setup for EL/RedHat
+ ansible.builtin.import_tasks: basic_setup_el.yml
+ when: ansible_distribution_file_variety == "RedHat"
+
+- name: General setup for Debian/Ubuntu
+ ansible.builtin.import_tasks: deb_general.yml
+ when: ansible_distribution_file_variety == "Debian"
+
+#
+# Common configuration
+#
+- name: Sysctl kernel parameters
+ ansible.builtin.import_tasks: sysctl.yml
+
+- name: Grub command line parameters
+ ansible.builtin.import_tasks: grub_cmdline_parameters.yml
+
+- name: Create a directory that will contain the local generated certificates
+ ansible.builtin.import_tasks: pki_dir.yml
+
+- name: Self signed certificates waiting for the letsencrypt ones
+ ansible.builtin.import_tasks: self_signed_certificate.yml
+ when: letsencrypt_acme_install is defined and letsencrypt_acme_install
+
+- name: Manage the trusted CAs
+ ansible.builtin.import_tasks: 
trusted_ca.yml
+
+- name: Certificate from private CA (mkcert)
+ ansible.builtin.import_tasks: certificate_from_private_ca.yml
+ when:
+ - (letsencrypt_acme_install is not defined) or (not letsencrypt_acme_install)
+ - mkcert_create_certificate
diff --git a/tasks/network-interfaces.yml b/tasks/network-interfaces.yml
new file mode 100644
index 0000000..4b69847
--- /dev/null
+++ b/tasks/network-interfaces.yml
@@ -0,0 +1,57 @@
+---
+- name: network-interfaces | Manage additional network interfaces, Ubuntu style
+ tags:
+ - network_interface
+ - networking
+ when:
+ - ansible_distribution == 'Ubuntu'
+ - ubuntu_configure_additional_interfaces
+ block:
+ - name: network-interfaces | Check if netplan is in use
+ ansible.builtin.stat:
+ path: /etc/netplan
+ register: netplan_in_use
+ - name: network-interfaces | Check if additional interfaces have been defined
+ ansible.builtin.set_fact:
+ # yamllint disable-line rule:line-length
+ net_ints: '{% for i in ansible_interfaces %}{% if i != ansible_lo.device and i != ansible_default_ipv4.interface %}"{{ i }}"{% if not loop.last %},{% endif
+ %}{% endif %}{% endfor %}'
+ when: netplan_in_use.stat.isdir
+ - name: network-interfaces | Create a dictionary of additional interfaces
+ ansible.builtin.set_fact:
+ # yamllint disable-line rule:line-length
+ new_ints: '[{% for i in ansible_interfaces %}{% if i != ansible_lo.device and i != ansible_default_ipv4.interface %}"{{ i }}"{% if not loop.last %},{% endif
+ %}{% endif %}{% endfor %}]'
+ when: net_ints is defined and net_ints | length != 0
+ - name: network-interfaces | Print the loopback interface name
+ ansible.builtin.debug:
+ msg: "Loopback interface: {{ ansible_lo.device }}"
+ - name: network-interfaces | Print the name of the default interface
+ ansible.builtin.debug:
+ msg: "Loopback interface: {{ ansible_default_ipv4.interface }}"
+ - name: network-interfaces | List of interfaces other than the default one
+ ansible.builtin.debug:
+ msg: "Interfaces list: {{ new_ints }}"
+ - name: network-interfaces | Override the interfaces list
+ ansible.builtin.set_fact:
+ new_ints: "{{ ubuntu_configure_additional_ints_list }}"
+ when: ubuntu_configure_additional_ints_list | length != 0
+ - name: network-interfaces | List of interfaces that we are going to configure
+ ansible.builtin.debug:
+ msg: "Interfaces list: {{ new_ints }}"
+ when: ubuntu_configure_additional_ints_list | length != 0
+ - name: network-interfaces | Install the network interface file
+ ansible.builtin.template:
+ src: netplan-70-ansible.yaml.j2
+ dest: /etc/netplan/70-ansible.yaml
+ owner: root
+ group: root
+ mode: "0644"
+ when: new_ints | length != 0
+ notify: Netplan Apply
+
+- name: network-interfaces | Force the Netplan Apply command execution
+ ansible.builtin.meta: flush_handlers
+ tags:
+ - network_interface
+ - networking
diff --git a/tasks/packages_deb.yml b/tasks/packages_deb.yml
new file mode 100644
index 0000000..3438202
--- /dev/null
+++ b/tasks/packages_deb.yml
@@ -0,0 +1,40 @@
+---
+- name: packages_deb | Install aptitude
+ ansible.builtin.apt:
+ pkg: aptitude
+ state: present
+ cache_valid_time: 1800
+ tags:
+ - packages
+
+- name: packages_deb | Install software-properties-common if needed
+ ansible.builtin.apt:
+ pkg: software-properties-common
+ state: present
+ update_cache: true
+ cache_valid_time: 1800
+ when: ansible_distribution == "Ubuntu"
+ tags:
+ - packages
+
+- name: packages_deb | Install common packages
+ ansible.builtin.apt:
+ pkg: "{{ common_packages }}"
+ state: "{{ pkg_state }}"
+ update_cache: true
+ cache_valid_time: 1800
+ tags:
+ - packages
+ - common_pkgs
+
+- name: packages_deb | Install additional packages, if any
+ ansible.builtin.apt:
+ pkg: "{{ additional_packages | default([]) }}"
+ state: "{{ pkg_state }}"
+ update_cache: true
+ cache_valid_time: 1800
+ when: additional_packages is defined
+ tags:
+ - packages
+ - common_pkgs
+ - additional_packages
diff --git a/tasks/pki_dir.yml b/tasks/pki_dir.yml
new file mode 100644
index 0000000..785a193
--- /dev/null
+++ b/tasks/pki_dir.yml
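Review bot: The `net_ints` set_fact is gated on `when: netplan_in_use.stat.isdir`, but when `/etc/netplan` does not exist the stat result carries only `exists: false` and `isdir` is undefined, so the task errors instead of being skipped; use `when: netplan_in_use.stat.exists and netplan_in_use.stat.isdir`. The second debug task prints the default interface under the label `Loopback interface:`; change it to `msg: "Default interface: {{ ansible_default_ipv4.interface }}"`. The template task writes `/etc/netplan/70-ansible.yaml` with `mode: "0644"`; recent netplan releases warn when files under /etc/netplan are readable by other users, so `mode: "0600"` is the quieter default even though this particular file carries no secrets. The block is declared with `tags`/`when` before `block:` here while the other task files put `when` after the block; either is fine, but one order per role reads better.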
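Review bot: In the last task `when: additional_packages is defined` and `pkg: "{{ additional_packages | default([]) }}"` guard the same condition twice; keep one of them (the `when` alone is the clearer of the two, since the filter then never takes effect). The aptitude task is the only one without `update_cache: true`, so on a host with stale apt lists it can fail where the following tasks would refresh first; adding `update_cache: true` there keeps the four tasks uniform.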
@@ -0,0 +1,20 @@
+---
+- name: pki_dir | Manage the PKI directory
+ tags: [pki, ssl, ca, letsencrypt, tls, tls_certificate]
+ block:
+ - name: pki_dir | Ensure that the PKI directory exists
+ ansible.builtin.file:
+ path: "{{ pki_dir }}"
+ state: directory
+ owner: root
+ group: root
+ mode: "0755"
+
+ - name: pki_dir | Ensure that the PKI subdirectories exist
+ ansible.builtin.file:
+ path: "{{ pki_dir }}/{{ item }}"
+ state: directory
+ owner: root
+ group: root
+ mode: "0755"
+ loop: "{{ pki_subdirs }}"
diff --git a/tasks/pubkeys.yml b/tasks/pubkeys.yml
new file mode 100644
index 0000000..d00fd12
--- /dev/null
+++ b/tasks/pubkeys.yml
@@ -0,0 +1,20 @@
+---
+- name: pubkeys | Add public ssh keys for root
+ ansible.posix.authorized_key:
+ user: root
+ key: "{{ item }}"
+ state: present
+ loop: "{{ root_ssh_keys | default([]) }}"
+ when: manage_root_ssh_keys
+ tags:
+ - root_pubkeys
+
+- name: pubkeys | Remove obsolete keys from the authorized ones
+ ansible.posix.authorized_key:
+ user: root
+ key: "{{ item }}"
+ state: absent
+ loop: "{{ obsolete_root_ssh_keys | default([]) }}"
+ when: obsolete_root_ssh_keys is defined
+ tags:
+ - root_pubkeys
diff --git a/tasks/remove_unneeded_pkgs.yml b/tasks/remove_unneeded_pkgs.yml
new file mode 100644
index 0000000..91e5708
--- /dev/null
+++ b/tasks/remove_unneeded_pkgs.yml
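Review bot: With `state: present` the first task only ever adds keys, so a key already present in root's authorized_keys that is not in `root_ssh_keys` stays there; if the list is meant to be authoritative, `exclusive: true` on that task makes the module remove everything else (and the second task becomes unnecessary). That switch also drops keys other roles or people added by hand, so the choice should be explicit; if the additive behaviour is intended, say so above the task: `# present only adds; stale keys are removed via obsolete_root_ssh_keys below`. The second task runs on `obsolete_root_ssh_keys is defined` regardless of `manage_root_ssh_keys`, which may be intentional but is worth a one-line comment.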
@@ -0,0 +1,56 @@
+---
+- name: remove_unneeded_pkgs | Remove unneeded base packages
+ ansible.builtin.apt:
+ pkg: "{{ base_packages_to_remove }}"
+ state: absent
+ when: cleanup_base_packages
+ tags:
+ - packages
+ - pkg_cleanup
+
+- name: remove_unneeded_pkgs | Remove unneeded X packages
+ ansible.builtin.apt:
+ pkg: "{{ x_base_packages_to_remove }}"
+ state: absent
+ when: cleanup_x_base_packages
+ tags:
+ - packages
+ - pkg_cleanup
+
+- name: remove_unneeded_pkgs | Remove the nfs packages
+ ansible.builtin.apt:
+ pkg: "{{ nfs_packages }}"
+ state: absent
+ when: cleanup_nfs_packages
+ tags:
+ - packages
+ - pkg_cleanup
+
+- name: remove_unneeded_pkgs | Remove rpcbind packages
+ ansible.builtin.apt:
+ pkg: "{{ rpcbind_packages }}"
+ state: absent
+ when: cleanup_rpcbind_packages
+ tags:
+ - packages
+ - pkg_cleanup
+
+- name: remove_unneeded_pkgs | Remove the exim packages
+ ansible.builtin.apt:
+ name: "{{ exim_email_server_pkgs }}"
+ state: absent
+ when: cleanup_exim_email_server
+ tags:
+ - packages
+ - pkg_cleanup
+ - exim
+
+- name: remove_unneeded_pkgs | Remove LXD
+ ansible.builtin.apt:
+ name: "{{ ubuntu_lxd_pkgs }}"
+ state: absent
+ when: ubuntu_remove_lxd
+ tags:
+ - packages
+ - pkg_cleanup
+ - lxd
diff --git a/tasks/self_signed_certificate.yml b/tasks/self_signed_certificate.yml
new file mode 100644
index 0000000..8dd0827
--- /dev/null
+++ b/tasks/self_signed_certificate.yml
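Review bot: The first four tasks pass the package list as `pkg:` while the exim and LXD tasks use `name:`; both are aliases of the same apt parameter, but mixing them in one file reads as if they differed. Use `name:` throughout, since it is the canonical parameter. The `cleanup_nfs_packages` and `cleanup_rpcbind_packages` switches are not among the variables the test play overrides, so confirm they have defaults in the role; an undefined `when` variable fails the task rather than skipping it.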
@@ -0,0 +1,47 @@
+---
+- name: self_signed_certificate | Letsencrypt is going to manage the certificates. Check if a certificate already exists
+ tags: [pki, ssl, letsencrypt]
+ block:
+ - name: self_signed_certificate | Check if a certificate already exists. If so, skip all the related tasks
+ ansible.builtin.stat:
+ path: "{{ letsencrypt_acme_sh_certificates_install_path }}"
+ register: true_cert
+
+- name: self_signed_certificate | Manage self signed certificates, if letsencrypt is going to be installed
+ when:
+ - true_cert is defined
+ - true_cert.stat is defined
+ - true_cert.stat.islnk is not defined
+ tags: [pki, ssl, letsencrypt]
+ block:
+ - name: self_signed_certificate | Create the path to the self signed certificates
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: root
+ group: root
+ mode: "0755"
+ loop:
+ - "{{ letsencrypt_acme_sh_certificates_install_base_path }}"
+ - "{{ pki_dir }}/selfsigned"
+
+ - name: self_signed_certificate | Generate the self signed certificate and private key
+ ansible.builtin.command: openssl req -x509 -newkey rsa:2048 -keyout {{ self_signed_key }} -out {{ self_signed_cert }} -days 365 -nodes -subj '{{ self_signed_subject
+ }}'
+ args:
+ creates: "{{ self_signed_cert }}"
+
+ - name: self_signed_certificate | Copy the cert file into fullchain
+ ansible.builtin.copy:
+ src: "{{ self_signed_cert }}"
+ dest: "{{ self_signed_fullchain }}"
+ remote_src: true
+ owner: root
+ group: root
+ mode: "0644"
+
+ - name: self_signed_certificate | Create the symbolic link for the certificates into the letsencrypt live directory
+ ansible.builtin.file:
+ src: "{{ pki_dir }}/selfsigned"
+ dest: "{{ letsencrypt_acme_sh_certificates_install_path }}"
+ state: link
diff --git a/tasks/swap_device.yml b/tasks/swap_device.yml
new file mode 100644
index 0000000..72a594a
--- /dev/null
+++ b/tasks/swap_device.yml
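Review bot: The second block runs on `true_cert.stat.islnk is not defined`, which is an indirect way of testing "the path does not exist" (stat reports `islnk` for any existing path); `- not true_cert.stat.exists` states the intent directly and does not depend on which attributes the module happens to emit. The `openssl req` command hard-codes `rsa:2048` and `-days 365`; lifting them into role variables with those defaults (e.g. `self_signed_key_spec`, `self_signed_days`) keeps current behaviour while letting a caller choose a stronger key or a shorter validity. Nothing sets the mode of `{{ self_signed_key }}` explicitly, so it depends on the umask the command runs under; a follow-up `ansible.builtin.file` task with `mode: "0600"` on the key would pin it. The `creates: "{{ self_signed_cert }}"` guard means a key file that exists without its certificate is silently overwritten, which is probably fine for a placeholder certificate but deserves a comment.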
@@ -0,0 +1,22 @@
+---
+- name: swap_device | Configure and enable a swap device
+ when: swap_device
+ tags:
+ - swap
+ - swap_device
+ block:
+ - name: swap_device | Initialize the swap device
+ ansible.builtin.shell: mkswap {{ swap_device_name }} && touch /root/.mkswap_executed
+ args:
+ creates: /root/.mkswap_executed
+ register: mkswap_command_execution
+ - name: swap_device | Enable the swap device
+ ansible.builtin.shell: swapon {{ swap_device_name }} && touch /root/.swapon_executed
+ args:
+ creates: /root/.swapon_executed
+
+ - name: swap_device | Add the swap device to the fstab file
+ ansible.builtin.lineinfile:
+ path: /etc/fstab
+ regexp: ^{{ swap_device_name }}
+ line: "{{ swap_device_name }} swap swap defaults 0 0"
diff --git a/tasks/sysctl.yml b/tasks/sysctl.yml
new file mode 100644
index 0000000..1319250
--- /dev/null
+++ b/tasks/sysctl.yml
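Review bot: The fstab `regexp: ^{{ swap_device_name }}` is a prefix match, so with `/dev/sdb1` it also matches an existing `/dev/sdb10` line and lineinfile rewrites the wrong entry; anchor it as `regexp: "^{{ swap_device_name | regex_escape }}\\s"`. The mkswap and swapon tasks pass `swap_device_name` straight into a shell, and the only shell feature used is the `&& touch` marker; `ansible.builtin.command: mkswap {{ swap_device_name | quote }}` with a separate marker task (or a `blkid`-based check registered and used in `when`) gives the same idempotency without shell interpolation. The markers in /root do not record which device they were created for, so changing `swap_device_name` later skips the new device entirely, and nothing checks that the device is not already formatted or mounted before `mkswap` runs on it. `register: mkswap_command_execution` is never read and can go.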
@@ -0,0 +1,54 @@
+---
+- name: sysctl | Ensure that /etc/sysctl.d exists
+ tags: [sysctl, kernel, sysctl_ipv6, ipv6]
+ block:
+ - name: sysctl | Ensure that the /etc/sysctl.d directory exists
+ ansible.builtin.file:
+ path: /etc/sysctl.d
+ state: directory
+ owner: root
+ group: root
+ mode: "0755"
+
+- name: sysctl | Manage sysctl values
+ tags: [sysctl, kernel]
+ block:
+ - name: sysctl | Set the custom sysctl values
+ ansible.posix.sysctl:
+ name: "{{ item.name }}"
+ value: "{{ item.value }}"
+ sysctl_file: "{{ item.sysctlfile | default ('/etc/sysctl.d/90-custom-values.conf') }}"
+ reload: "{{ item.sysctl_reload | default(true) }}"
+ state: "{{ item.sysctlfile_state | default('present') }}"
+ loop: "{{ sysctl_custom_options }}"
+
+- name: sysctl | Manage IPv6
+ tags: [sysctl, kernel, sysctl_ipv6, ipv6]
+ block:
+ - name: sysctl | Disable the in kernel ipv6 support
+ ansible.posix.sysctl:
+ name: "{{ item }}"
+ value: 1
+ sysctl_file: "{{ ipv6_sysctl_file }}"
+ reload: true
+ state: present
+ loop:
+ - net.ipv6.conf.all.disable_ipv6
+ - net.ipv6.conf.default.disable_ipv6
+ - net.ipv6.conf.lo.disable_ipv6
+ - net.ipv6.conf.{{ ansible_default_ipv4.interface }}.disable_ipv6
+ when: disable_ipv6
+
+ - name: sysctl | Enable the in kernel ipv6 support
+ ansible.posix.sysctl:
+ name: "{{ item }}"
+ value: 0
+ sysctl_file: "{{ ipv6_sysctl_file }}"
+ reload: true
+ state: present
+ loop:
+ - net.ipv6.conf.all.disable_ipv6
+ - net.ipv6.conf.default.disable_ipv6
+ - net.ipv6.conf.lo.disable_ipv6
+ - net.ipv6.conf.{{ ansible_default_ipv4.interface }}.disable_ipv6
+ when: not disable_ipv6
diff --git a/tasks/timezone.yml b/tasks/timezone.yml
new file mode 100644
index 0000000..46089cd
--- /dev/null
+++ b/tasks/timezone.yml
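Review bot: The two IPv6 tasks are identical apart from `value` and an inverted `when`; a single task with `value: "{{ disable_ipv6 | ternary(1, 0) }}"` and no `when` does the same job and cannot drift when the sysctl list is edited in one copy only. In the custom-values task the file comes from `item.sysctlfile` but the entry state from `item.sysctlfile_state`, which reads as the state of the file rather than of the setting; `item.state` would match the module parameter it feeds (keep the old key as a fallback if callers already use it). There is a stray space in `default ('/etc/sysctl.d/90-custom-values.conf')`, and the first block wraps a single task, so the block is not needed.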
@@ -0,0 +1,28 @@
+---
+- name: timezone | Manage the timezone in Ubuntu Trusty and older
+ block:
+ - name: timezone | Write the timezone file
+ ansible.builtin.template:
+ src: etc-timezone.j2
+ dest: /etc/timezone
+ owner: root
+ group: root
+ mode: "0644"
+ register: set_timezone
+
+ - name: timezone | Reconfigure the system tzdata
+ ansible.builtin.command: dpkg-reconfigure --frontend noninteractive tzdata
+ when: set_timezone is changed # noqa: no-handler
+ changed_when: false
+
+ when: ansible_distribution_release == "trusty"
+ tags: [systemsetup, timezone]
+
+- name: timezone | Manage the timezone in Ubuntu Bionic or CentOS
+ block:
+ - name: timezone | Set the timezone
+ ansible.builtin.command: timedatectl set-timezone {{ timezone }}
+ changed_when: false
+
+ when: ansible_facts['distribution_version'] is version_compare('16.04', '>=') or ansible_distribution_file_variety == "RedHat"
+ tags: [systemsetup, timezone]
diff --git a/tasks/trusted_ca.yml b/tasks/trusted_ca.yml
new file mode 100644
index 0000000..7ab1ca9
--- /dev/null
+++ b/tasks/trusted_ca.yml
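Review bot: The `when` on the second block compares `ansible_facts['distribution_version']` against `16.04` for every non-RedHat host, so a Debian release (version `11`, `12`) evaluates as older than 16.04 and the timezone is never set there: Trusty is handled by the first block, RedHat by the `or`, and plain Debian by nothing. Prefix the comparison with `ansible_distribution == 'Ubuntu' and`, or use `ansible_distribution_release != 'trusty'` for the Debian family. The role already depends on `community.general` (see `locale_gen` in locale.yml), so the `timedatectl` command with `changed_when: false` can become the idempotent `community.general.timezone: name: "{{ timezone }}"`, which also reports real changes instead of hiding them.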
@@ -0,0 +1,136 @@
+---
+- name: trusted_ca | Manage optional CA files on EL
+ tags: [pki, trusted_ca, letsencrypt_ca]
+ block:
+ - name: trusted_ca | Get the CA files that we want to trust on EL
+ ansible.builtin.get_url:
+ url: "{{ item.ca_url }}"
+ dest: /etc/pki/ca-trust/source/anchors/{{ item.ca }}
+ owner: root
+ group: root
+ mode: "0444"
+ loop: "{{ trusted_ca_additional_ca_files }}"
+ register: ca_files_installation
+
+ - name: trusted_ca | Trust the CA files on EL
+ ansible.builtin.command: /bin/update-ca-trust extract
+ when: ca_files_installation is changed # noqa: no-handler
+ changed_when: false
+
+ when: ansible_distribution_file_variety == "RedHat"
+
+- name: trusted_ca | Manage the Letsencrypt CA files on EL
+ when:
+ - trusted_ca_letsencrypt_install
+ - ansible_distribution_file_variety == "RedHat"
+ tags: [pki, trusted_ca, letsencrypt_ca]
+ block:
+ - name: trusted_ca | Download the letsencrypt CA files on EL
+ ansible.builtin.get_url:
+ url: "{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}"
+ dest: /etc/pki/ca-trust/source/anchors/{{ item.ca }}
+ owner: root
+ group: root
+ mode: "0444"
+ loop: "{{ trusted_ca_letsencrypt_ca_files }}"
+ register: letsencrypt_ca_files_installation
+
+ - name: trusted_ca | Rebuild the trust CA files on EL
+ ansible.builtin.command: /bin/update-ca-trust extract
+ when: letsencrypt_ca_files_installation is changed # noqa: no-handler
+ changed_when: false
+
+ - name: trusted_ca | Ensure that the expired CA files are not present
+ ansible.builtin.file:
+ dest: /etc/pki/ca-trust/source/anchors/{{ item }}
+ state: absent
+ loop: "{{ expired_ca_letsencrypt_ca_files }}"
+ register: letsencrypt_ca_files_removal
+
+ - name: trusted_ca | Rebuild the trust CA files on EL
+ ansible.builtin.command: /bin/update-ca-trust extract
+ when: letsencrypt_ca_files_removal is changed # noqa: no-handler
+ changed_when: false
+
+- name: trusted_ca | Manage optional CA files on deb
+ when: ansible_distribution_file_variety 
== "Debian"
+ tags: [pki, trusted_ca, letsencrypt_ca]
+ block:
+ - name: trusted_ca | Ensure that ca-certificates is installed and up to date
+ ansible.builtin.apt:
+ pkg: ca-certificates
+ state: present
+ cache_valid_time: 1800
+
+ - name: trusted_ca | Get the CA files that we want to trust on deb
+ ansible.builtin.get_url:
+ url: "{{ item.ca_url }}"
+ dest: "{{ trusted_ca_deb_path }}/{{ item.ca }}"
+ owner: root
+ group: root
+ mode: "0444"
+ loop: "{{ trusted_ca_additional_ca_files }}"
+ register: ca_files_installation
+
+ - name: trusted_ca | Trust the CA files on deb
+ ansible.builtin.command: /usr/sbin/update-ca-certificates
+ when: ca_files_installation is changed # noqa: no-handler
+ changed_when: false
+
+- name: trusted_ca | Distrust the DST Root CA X3 in Ubuntu Trusty
+ when:
+ - ansible_distribution_file_variety == "Debian"
+ - ansible_distribution_version is version_compare('14.04', '==')
+ tags: [pki, obsolete_ca]
+ block:
+ - name: trusted_ca | Comment the mozilla/DST_Root_CA_X3.crt entry
+ ansible.builtin.lineinfile:
+ path: /etc/ca-certificates.conf
+ regexp: ^mozilla/DST_Root_CA_X3.crt
+ line: "!mozilla/DST_Root_CA_X3.crt"
+ register: dst_x3_distrust
+
+ - name: trusted_ca | Trust the CA files on deb
+ ansible.builtin.command: /usr/sbin/update-ca-certificates
+ when: dst_x3_distrust is changed # noqa: no-handler
+ changed_when: false
+
+- name: trusted_ca | Manage the Letsencrypt CA files on deb
+ when:
+ - trusted_ca_letsencrypt_install
+ - ansible_distribution_file_variety == "Debian"
+ tags: [pki, trusted_ca, letsencrypt_ca]
+ block:
+ - name: trusted_ca | Download the letsencrypt CA files on deb
+ ansible.builtin.get_url:
+ url: "{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}"
+ dest: "{{ trusted_ca_deb_path }}/{{ item.ca }}"
+ owner: root
+ group: root
+ mode: "0444"
+ loop: "{{ trusted_ca_letsencrypt_ca_files }}"
+ register: letsencrypt_ca_files_installation
+
+ - name: trusted_ca | Trust the CA files on deb
+ 
ansible.builtin.command: /usr/sbin/update-ca-certificates
+ when: letsencrypt_ca_files_installation is changed # noqa: no-handler
+ changed_when: false
+
+ - name: trusted_ca | Ensure that the expired CA files are not present
+ ansible.builtin.file:
+ dest: /etc/ssl/certs/{{ item }}
+ state: absent
+ loop: "{{ expired_ca_letsencrypt_ca_files }}"
+ register: letsencrypt_ca_files_removal
+
+ - name: trusted_ca | Ensure that the expired CA files are not present
+ ansible.builtin.file:
+ dest: "{{ trusted_ca_deb_path }}/{{ item }}"
+ state: absent
+ loop: "{{ expired_ca_letsencrypt_ca_files }}"
+ register: letsencrypt_ca_files_removal
+
+ - name: trusted_ca | Trust the CA files on deb
+ ansible.builtin.command: /usr/sbin/update-ca-certificates
+ when: letsencrypt_ca_files_removal is changed # noqa: no-handler
+ changed_when: false
diff --git a/tasks/unattended_upgrades.yml b/tasks/unattended_upgrades.yml
new file mode 100644
index 0000000..ea012e8
--- /dev/null
+++ b/tasks/unattended_upgrades.yml
@@ -0,0 +1,21 @@
+---
+- name: unattended_upgrades | Install the unattended-upgrades package
+ ansible.builtin.apt:
+ pkg: unattended-upgrades
+ state: present
+ tags:
+ - packages
+ - upgrades
+ - unattended
+
+- name: unattended_upgrades | Install the unattended-upgrades configuration
+ ansible.builtin.template:
+ src: 50unattended-upgrades.j2
+ dest: /etc/apt/apt.conf.d/50unattended-upgrades
+ owner: root
+ group: root
+ mode: "0444"
+ tags:
+ - packages
+ - upgrades
+ - unattended
diff --git a/templates/02proxy.j2 b/templates/02proxy.j2
new file mode 100644
index 0000000..e29b905
--- /dev/null
+++ b/templates/02proxy.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+{% if use_apt_proxy %}
+Acquire::http { Proxy "{{ apt_proxy_url }}"; };
+{% endif %}
diff --git a/templates/10-caching-proxy.sh.j2 b/templates/10-caching-proxy.sh.j2
new file mode 100644
index 0000000..6e60897
--- /dev/null
+++ b/templates/10-caching-proxy.sh.j2
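Review bot: None of the four `get_url` tasks that fetch trust anchors (the additional CA files and the Let's Encrypt files, on EL and on deb) verifies the downloaded file before it is placed in the system trust store, so a mis-served or tampered download becomes a trusted CA for the whole host. Add `checksum: "{{ item.checksum | default(omit) }}"` to each so callers can pin the expected digest, and make sure `trusted_ca_letsencrypt_ca_certificates_url` and the `ca_url` entries are HTTPS. In the deb Let's Encrypt block the two "expired CA files" tasks both `register: letsencrypt_ca_files_removal`, so the second result overwrites the first and the final `update-ca-certificates` is skipped whenever only the `/etc/ssl/certs` removal changed; give them distinct task and register names, or fold them into one loop over both paths. The repeated `update-ca-trust extract` / `update-ca-certificates` tasks marked `# noqa: no-handler` are a textbook handler; one `notify` per install or removal task would replace all the copies. The first block declares `when` after `block:` while the others put it before, which is worth aligning.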
@@ -0,0 +1,5 @@
+{% for proto in env_proxy_protocols %}
+export {{ proto }}="{{ env_proxy_http_url }}"
+{% endfor %}
+export no_proxy="{% for target in no_proxy_targets %}{{ target }}{% if not loop.last %},{% endif %}{% endfor %}"
+export NO_PROXY="{% for target in no_proxy_targets %}{{ target }}{% if not loop.last %},{% endif %}{% endfor %}"
diff --git a/templates/10-java-caching-proxy.sh.j2 b/templates/10-java-caching-proxy.sh.j2
new file mode 100644
index 0000000..733c7ff
--- /dev/null
+++ b/templates/10-java-caching-proxy.sh.j2
@@ -0,0 +1 @@
+export JAVA_OPTS="-DproxySet=true -Dhttp.proxyHost={{ env_proxy_http_host }} -Dhttp.proxyPort={{ env_proxy_http_port }} -Dhttps.proxyHost={{ env_proxy_http_host }} -Dhttps.proxyPort={{ env_proxy_http_port }}"
diff --git a/templates/50unattended-upgrades.j2 b/templates/50unattended-upgrades.j2
new file mode 100644
index 0000000..5e02421
--- /dev/null
+++ b/templates/50unattended-upgrades.j2
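Review bot: `export {{ proto }}="{{ env_proxy_http_url }}"` drops the URL into a double-quoted shell string, so a value containing `"`, `$` or a backtick either breaks the file or is expanded by every login shell that sources /etc/profile.d; render it as `export {{ proto }}={{ env_proxy_http_url | quote }}`, where the `quote` filter produces a safely single-quoted word. The same applies to the `no_proxy`/`NO_PROXY` lines here and to `env_proxy_http_host`/`env_proxy_http_port` inside `JAVA_OPTS` in `10-java-caching-proxy.sh.j2`. The two `no_proxy` loops duplicate each other; `{% set no_proxy_value = no_proxy_targets | join(',') %}` once, then `export no_proxy={{ no_proxy_value | quote }}` and the `NO_PROXY` twin, keeps them in step.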
@@ -0,0 +1,61 @@
+// {{ ansible_managed }}
+// Automatically upgrade packages from these (origin:archive) pairs
+Unattended-Upgrade::Allowed-Origins {
+{%for allowed in unatt_allowed_origins %}
+ "{{ allowed }}";
+{%endfor %}
+};
+
+// List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+{% if unatt_blacklisted is defined %}
+{%for pkg in unatt_blacklisted %}
+ "{{ pkg }}";
+{%endfor %}
+{% endif %}
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+// dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+Unattended-Upgrade::AutoFixInterruptedDpkg "{{ unatt_autofix }}";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+Unattended-Upgrade::MinimalSteps "{{ unatt_minimalsteps }}";
+
+// Install all unattended-upgrades when the machine is shuting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+Unattended-Upgrade::InstallOnShutdown "{{ unatt_install_on_shutdown }}";
+
+{% if unatt_email is defined %}
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+Unattended-Upgrade::Mail "{{ unatt_email }}";
+// Set this value to "true" to get emails only on errors. 
Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+Unattended-Upgrade::MailOnlyOnError "{{ unatt_email_on_error }}";
+{% endif %}
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "{{ unatt_autoremove }}";
+
+// Automatically reboot *WITHOUT CONFIRMATION*
+// if the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "{{ unatt_autoreboot }}";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+// Default: "now"
+Unattended-Upgrade::Automatic-Reboot-Time "{{ unatt_autoreboot_time }}";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";
diff --git a/templates/etc-timezone.j2 b/templates/etc-timezone.j2
new file mode 100644
index 0000000..0b6d009
--- /dev/null
+++ b/templates/etc-timezone.j2
@@ -0,0 +1 @@
+{{ timezone }}
diff --git a/templates/grub_cmdline.cfg.j2 b/templates/grub_cmdline.cfg.j2
new file mode 100644
index 0000000..b35ee6e
--- /dev/null
+++ b/templates/grub_cmdline.cfg.j2
@@ -0,0 +1 @@
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ grub_cmdline_additional_parameters }}"
diff --git a/templates/netplan-70-ansible.yaml.j2 b/templates/netplan-70-ansible.yaml.j2
new file mode 100644
index 0000000..6603860
--- /dev/null
+++ b/templates/netplan-70-ansible.yaml.j2
@@ -0,0 +1,14 @@
+network:
+ version: 2
+ ethernets:
+{% for int in new_ints %}
+ {{ int }}:
+ dhcp4: true
+{% if ubuntu_configure_additional_int_dhcp_overrides | default(true) %}
+ dhcp4-overrides:
+ use-dns: false
+ use-routes: false
+ use-mtu: true
+{% endif %}
+{% endfor %}
+
diff --git a/tests/test.yml b/tests/test.yml
index 4ba2a88..54ae365 100644
--- a/tests/test.yml
+++ b/tests/test.yml
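Review bot: The boolean options (`AutoFixInterruptedDpkg`, `MinimalSteps`, `InstallOnShutdown`, `MailOnlyOnError`, `Remove-Unused-Dependencies`, `Automatic-Reboot`) are rendered as `"{{ unatt_autofix }}"` and so on, so a YAML boolean in the defaults comes out as Python's `True`/`False` rather than the `true`/`false` apt documents; apt's parser appears to accept either case, but `"{{ unatt_autofix | lower }}"` (or `| ternary('true', 'false')`) yields the documented spelling whether the variable is a bool or a string. The `{%for` / `{%endfor %}` tags lack the space after `{%` that every other tag in the file has. The `unatt_email` block is guarded by `is defined`, but an empty string still renders a `Mail ""` line, which the comment above it says means no mail; `{% if unatt_email | default('') | length > 0 %}` matches that comment.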
@@ -1,5 +1,12 @@
 ---
-- hosts: localhost
+- name: Test os-bootstrap role
+ hosts: localhost
 remote_user: root
+ become: true
+ vars:
+ cleanup_base_packages: false
+ cleanup_exim_email_server: false
+ ubuntu_remove_lxd: false
+ disable_some_not_needed_services: false
 roles:
- - ansible-role-template
\ No newline at end of file
+ - adellam.os_bootstrap