ansible-role-os-bootstrap/tasks/basic_setup_el.yml


---
# Base package set for every EL host; both the list and the desired state
# (present/latest) come from role variables.
- name: basic_setup_el | Install the basic packages
  ansible.builtin.dnf:
    name: "{{ centos_packages_to_install }}"
    state: "{{ centos_pkg_state }}"
  tags: [centos, bootstrap, packages]
# Packages that only exist in EPEL; skipped entirely unless the role was
# told to enable that repository.
- name: basic_setup_el | Install the basic packages from the EPEL repository
  ansible.builtin.dnf:
    name: "{{ centos_packages_from_epel }}"
    state: "{{ centos_pkg_state }}"
  when: centos_install_epel
  tags: [centos, bootstrap, packages]
# Hardware tooling is only wanted where the gathered facts report this
# machine as a virtualization host, never inside a guest.  An empty list
# makes the task a no-op instead of failing on the undefined variable.
- name: basic_setup_el | Install the packages we want on a non virtualized host
  ansible.builtin.dnf:
    name: "{{ centos_hw_packages | default([]) }}"
    state: "{{ centos_pkg_state }}"
  when:
    - ansible_virtualization_role is defined
    - ansible_virtualization_role == 'host'
  tags: [centos, bootstrap, packages]
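# Ship the local SELinux policy source (.te) for the qemu guest agent.  The
# registered result drives the compile/load step below; the source file is
# role-shipped, not produced from remote input.
- name: basic_setup_el | Install the selinux policy file to fix a timedatectl problem and various qemu-ga ones
  ansible.builtin.copy:
    src: qemu_ag_provisioning-sepol.te
    dest: /usr/local/etc/qemu_ag_provisioning-sepol.te
    owner: root
    group: root
    mode: "0644"
  register: qemu_ga_selinux_policy
  tags: [centos, rhel, selinux]

# Compile and load the module whenever the .te source above changed.
# The former `creates:` guard on the .pp file is intentionally gone: once the
# package existed it short-circuited this task, so an updated .te was never
# recompiled and the stale module stayed loaded.  `semodule -i` is
# idempotent, so re-running on an unchanged module is harmless.
- name: basic_setup_el | Activate the selinux policy for qemu
  ansible.builtin.shell: >-
    checkmodule -M -m -o /usr/local/etc/qemu_ag_provisioning-sepol.mod /usr/local/etc/qemu_ag_provisioning-sepol.te &&
    semodule_package -o /usr/local/etc/qemu_ag_provisioning-sepol.pp -m /usr/local/etc/qemu_ag_provisioning-sepol.mod &&
    semodule -i /usr/local/etc/qemu_ag_provisioning-sepol.pp
  when: qemu_ga_selinux_policy is changed # noqa: no-handler
  tags: [centos, rhel, selinux]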
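# Ship the local SELinux policy source (.te) for the systemd glitch.  The
# registered result drives the compile/load step below; the source file is
# role-shipped, not produced from remote input.
- name: basic_setup_el | Install the selinux policy file to fix a systemd policy glitch
  ansible.builtin.copy:
    src: systemd-enable.te
    dest: /usr/local/etc/systemd-enable-sepol.te
    owner: root
    group: root
    mode: "0644"
  register: systemd_selinux_policy
  tags: [centos, rhel, selinux]

# Compile and load the module whenever the .te source above changed.
# The former `creates:` guard on the .pp file is intentionally gone: once the
# package existed it short-circuited this task, so an updated .te was never
# recompiled and the stale module stayed loaded.  `semodule -i` is
# idempotent, so re-running on an unchanged module is harmless.
- name: basic_setup_el | Activate the selinux policy for systemd
  ansible.builtin.shell: >-
    checkmodule -M -m -o /usr/local/etc/systemd-enable-sepol.mod /usr/local/etc/systemd-enable-sepol.te &&
    semodule_package -o /usr/local/etc/systemd-enable-sepol.pp -m /usr/local/etc/systemd-enable-sepol.mod &&
    semodule -i /usr/local/etc/systemd-enable-sepol.pp
  when: systemd_selinux_policy is changed # noqa: no-handler
  tags: [centos, rhel, selinux]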
# SMART monitoring only makes sense with real disks, so it is tied to the same
# virtualization-host fact as the hardware package task.
- name: basic_setup_el | Activate smartmontools on a non virtualized host
  ansible.builtin.service:
    name: smartd
    enabled: true
    state: started
  when:
    - ansible_virtualization_role is defined
    - ansible_virtualization_role == 'host'
  tags: [centos, bootstrap, packages]
# Optional locate/updatedb package; the package name is a role variable so
# the distro-specific choice lives in vars, not here.
- name: basic_setup_el | Install the locate utility if needed
  ansible.builtin.dnf:
    name: "{{ centos_locate_package }}"
    state: "{{ centos_pkg_state }}"
  when: centos_enable_locate
  tags: [centos, bootstrap, packages]
# Primary resolver for the legacy ifcfg file of the main interface.
# NOTE(review): the interface name is hard-coded to eth0, and lineinfile fails
# when the file does not exist (no `create`), so on hosts without an
# ifcfg-eth0 this task errors instead of skipping — confirm against callers.
- name: basic_setup_el | Configure the main interface to set the correct resolvers - dns1
  ansible.builtin.lineinfile:
    path: /etc/sysconfig/network-scripts/ifcfg-eth0
    regexp: '^DNS1='
    line: "DNS1={{ dns1 }}"
  when: centos_set_dns_servers
  tags: [centos, bootstrap]
# Secondary resolver for the legacy ifcfg file of the main interface.
# NOTE(review): same hard-coded eth0 and missing-file behaviour as the dns1
# task; `dns2` must be defined whenever centos_set_dns_servers is on.
- name: basic_setup_el | Configure the main interface to set the correct resolvers - dns2
  ansible.builtin.lineinfile:
    path: /etc/sysconfig/network-scripts/ifcfg-eth0
    regexp: '^DNS2='
    line: "DNS2={{ dns2 }}"
  when: centos_set_dns_servers
  tags: [centos, bootstrap]
# Search domain for the legacy ifcfg file of the main interface, guarded by
# its own switch rather than centos_set_dns_servers.
- name: basic_setup_el | Configure the main interface to set the correct search domain
  ansible.builtin.lineinfile:
    path: /etc/sysconfig/network-scripts/ifcfg-eth0
    regexp: '^DOMAIN='
    line: "DOMAIN={{ domain_name }}"
  when: configure_domain_name_in_interface
  tags: [centos, bootstrap]
# Stop and disable mDNS advertising before the package is (optionally)
# removed.  `failed_when: false` keeps the task green when the unit is
# absent, but it also hides any other error from this step.
- name: basic_setup_el | Stop avahi before removing it when it is not needed
  ansible.builtin.service:
    name: avahi-daemon
    enabled: false
    state: stopped
  when: centos_remove_avahi or centos_disable_avahi
  failed_when: false
  tags: [centos, bootstrap, avahi]
# Stop and disable NetworkManager on hosts that use static ifcfg networking.
# `failed_when: false` masks errors here; note that stopping NM on a host
# whose interface is NM-managed can drop the connection used by this play.
- name: basic_setup_el | Stop and disable NetworkManager when we do not need it
  ansible.builtin.service:
    name: NetworkManager
    enabled: false
    state: stopped
  when: centos_remove_networkmanager or centos_disable_networkmanager
  failed_when: false
  tags: [centos, bootstrap, networkmanager]
# Generic package cleanup; an undefined list degrades to a no-op.
- name: basic_setup_el | Remove some unneeded packages
  ansible.builtin.dnf:
    name: "{{ centos_packages_to_remove | default([]) }}"
    state: absent
  when: centos_packages_cleanup
  tags: [centos, bootstrap, packages]
# Package removal for Avahi; the service was already stopped above.
- name: basic_setup_el | Remove the Avahi packages
  ansible.builtin.dnf:
    name: "{{ centos_avahi_packages | default([]) }}"
    state: absent
  when: centos_remove_avahi
  tags: [centos, bootstrap, packages]
# Package removal for NetworkManager; the service was already stopped above.
- name: basic_setup_el | Remove the NetworkManager packages
  ansible.builtin.dnf:
    name: "{{ centos_nm_packages | default([]) }}"
    state: absent
  when: centos_remove_networkmanager
  tags: [centos, bootstrap, packages]
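# Stop and disable every service listed in centos_services_to_be_disabled.
# `loop` is expanded before `when` is evaluated, so an undefined variable
# used to fail the task before the `is defined` test could skip it; the
# `default([])` makes it a clean no-op instead.  `failed_when: false`
# tolerates units that are not installed, at the cost of hiding other errors.
- name: basic_setup_el | Disable some unneeded services
  ansible.builtin.service:
    name: "{{ item }}"
    enabled: false
    state: stopped
  loop: "{{ centos_services_to_be_disabled | default([]) }}"
  when: centos_services_to_be_disabled is defined
  failed_when: false
  tags: [centos, bootstrap, daemons]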
# Opt-in: let confined daemons write core files.  Core dumps can contain
# credentials or key material held in memory, so this is only enabled when
# the role variable is explicitly true.
- name: basic_setup_el | Configure selinux to permit core dumps by daemons
  ansible.posix.seboolean:
    name: daemons_dump_core
    persistent: true
    state: true
  when: centos_selinux_daemons_dump_core | bool
  tags: [centos, bootstrap, selinux]
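# Apply caller-supplied SELinux booleans (each item: name, state, optional
# persistent).  `loop` is expanded before `when`, so an undefined
# selinux_booleans used to fail the task; `default([])` turns that into a
# no-op.  The persistent default is now a real boolean rather than the
# string 'yes', which the module accepted but yamllint flags as truthy.
- name: basic_setup_el | Set other SELinux booleans - Optional
  ansible.posix.seboolean:
    name: "{{ item.name }}"
    state: "{{ item.state }}"
    persistent: "{{ item.persistent | default(true) }}"
  loop: "{{ selinux_booleans | default([]) }}"
  when: selinux_booleans is defined
  tags: [centos, bootstrap, selinux]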
# Global SELinux mode and policy type, both from role variables.  Anything
# other than enforcing weakens the host's mandatory access control, so keep
# the variable defaults at enforcing and override per host deliberately.
- name: basic_setup_el | Set the SELinux global policy - Defaults to Enforcing
  ansible.posix.selinux:
    state: "{{ selinux_policy_state }}"
    policy: "{{ selinux_policy_type }}"
  tags: [centos, bootstrap, selinux]
# Add each listed public key to root's authorized_keys.  This is additive
# (no `exclusive`), so keys already present on the host are kept; stale ones
# are only removed when listed in obsolete_root_ssh_keys.
- name: basic_setup_el | Add public ssh keys for root
  ansible.posix.authorized_key:
    user: root
    state: present
    key: "{{ item }}"
  loop: "{{ root_ssh_keys | default([]) }}"
  when: manage_root_ssh_keys
  tags: [root_pubkeys]
# Revoke access for keys that were rotated out.  The `default([])` already
# makes an undefined list a no-op; the `when` is kept as an explicit guard.
- name: basic_setup_el | Remove obsolete keys from the authorized ones
  ansible.posix.authorized_key:
    user: root
    state: absent
    key: "{{ item }}"
  loop: "{{ obsolete_root_ssh_keys | default([]) }}"
  when: obsolete_root_ssh_keys is defined
  tags: [root_pubkeys]