Overhaul reuse structure from role to task orientation
The overall config this will end up with is going to be nowhere near complicated enough to require the segmented structure of roles. A single directory of reusable tasks and resources will be much better
@@ -1,62 +1,61 @@
|
||||
---
|
||||
- name: Disable kernel installation from base repository
|
||||
# This is a workaround for Cent8 removing drivers from the kernel that are required for
|
||||
# my RAID cards to work. Kernel-Plus includes the drivers, thus one of the first things
|
||||
# we need to do is to replace the kernel before doing an update.
|
||||
- name: Replace default kernel with kernel-plus on CentOS 8
|
||||
when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
|
||||
become: true
|
||||
lineinfile:
|
||||
path: /etc/yum.repos.d/CentOS-Base.repo
|
||||
line: exclude=kernel*
|
||||
block:
|
||||
- name: Disable kernel installation from base repository
|
||||
lineinfile:
|
||||
path: /etc/yum.repos.d/CentOS-Base.repo
|
||||
line: exclude=kernel*
|
||||
|
||||
- name: Enable Centos-plus repository
|
||||
become: true
|
||||
lineinfile:
|
||||
path: /etc/yum.repos.d/CentOS-centosplus.repo
|
||||
regexp: "#?enabled=(0|1)"
|
||||
line: enabled=1
|
||||
- name: Enable Centos-plus repository
|
||||
lineinfile:
|
||||
path: /etc/yum.repos.d/CentOS-centosplus.repo
|
||||
regexp: "#?enabled=(0|1)"
|
||||
line: enabled=1
|
||||
|
||||
- name: Enable kernel installation from plus repository
|
||||
become: true
|
||||
lineinfile:
|
||||
path: /etc/yum.repos.d/CentOS-centosplus.repo
|
||||
line: includepkgs=kernel*
|
||||
- name: Enable kernel installation from plus repository
|
||||
lineinfile:
|
||||
path: /etc/yum.repos.d/CentOS-centosplus.repo
|
||||
line: includepkgs=kernel*
|
||||
|
||||
# Note that the order of the next four tasks is very specific and intentional
|
||||
# See this wiki page: https://plone.lucidsolutions.co.nz/linux/centos/7/install-centos-plus-kernel-kernel-plus/view
|
||||
- name: Install kernel-plus
|
||||
become: true
|
||||
dnf:
|
||||
name:
|
||||
- kernel-plus
|
||||
- kernel-plus-devel
|
||||
state: latest
|
||||
register: _dnf_kernel_plus
|
||||
# Note that the order of the next four tasks is very specific and intentional
|
||||
# See this wiki page: https://plone.lucidsolutions.co.nz/linux/centos/7/install-centos-plus-kernel-kernel-plus/view
|
||||
- name: Install kernel-plus
|
||||
dnf:
|
||||
state: "{{ _runtime_update_state }}"
|
||||
name:
|
||||
- kernel-plus
|
||||
- kernel-plus-devel
|
||||
register: _dnf_kernel_plus
|
||||
|
||||
- name: Uninstall kernel-tools
|
||||
become: true
|
||||
dnf:
|
||||
name:
|
||||
- kernel-tools
|
||||
- kernel-tools-libs
|
||||
state: absent
|
||||
- name: Uninstall kernel-tools
|
||||
dnf:
|
||||
name:
|
||||
- kernel-tools
|
||||
- kernel-tools-libs
|
||||
state: absent
|
||||
|
||||
- name: Install kernel-plus-tools
|
||||
become: true
|
||||
dnf:
|
||||
name:
|
||||
- kernel-plus-tools
|
||||
- kernel-plus-tools-libs
|
||||
state: latest
|
||||
- name: Install kernel-plus-tools
|
||||
dnf:
|
||||
state: "{{ _runtime_update_state }}"
|
||||
name:
|
||||
- kernel-plus-tools
|
||||
- kernel-plus-tools-libs
|
||||
|
||||
- name: Reboot into new kernel
|
||||
become: true
|
||||
when: _dnf_kernel_plus.changed is true and "centos.plus" not in ansible_kernel
|
||||
reboot:
|
||||
reboot_timeout: 3600
|
||||
- name: Reboot into new kernel
|
||||
when: _dnf_kernel_plus.changed is true and "centos.plus" not in ansible_kernel
|
||||
reboot:
|
||||
reboot_timeout: 3600
|
||||
|
||||
- name: Uninstall kernel
|
||||
become: true
|
||||
dnf:
|
||||
name:
|
||||
- kernel
|
||||
- kernel-devel
|
||||
- kernel-core
|
||||
- kernel-modules
|
||||
state: absent
|
||||
- name: Uninstall kernel
|
||||
dnf:
|
||||
state: absent
|
||||
name:
|
||||
- kernel
|
||||
- kernel-devel
|
||||
- kernel-core
|
||||
- kernel-modules
|
||||
|
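Review bot: The final `Uninstall kernel` task runs unconditionally, while the preceding reboot only fires when `_dnf_kernel_plus.changed` is true and the running kernel is not already centos.plus; if kernel-plus was installed on an earlier run that never rebooted (or `_runtime_update_state` leaves it unchanged), this removes `kernel-core` and friends out from under the kernel currently running. The reboot module also does not refresh `ansible_kernel`, so the fact cannot simply be reused after the reboot. I would re-gather facts right after the reboot task with `- setup:` and gate the removal on the result, `when: '"centos.plus" in ansible_kernel'` on `Uninstall kernel`, so a stock kernel is never removed while it is the one booted. The side-by-side rendering makes it hard to be certain which of these lines sit on the new side, so this assumes the task order shown is the one that ships.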
@@ -1,29 +0,0 @@
|
||||
---
|
||||
- name: Create SSH directory
|
||||
become: true
|
||||
file:
|
||||
path: /home/{{ item.name }}/.ssh
|
||||
state: directory
|
||||
owner: "{{ item.name }}"
|
||||
group: "{{ item.name }}"
|
||||
mode: 0755
|
||||
loop: "{{ _users_local }}"
|
||||
|
||||
- name: Update authorized keys
|
||||
become: true
|
||||
authorized_key:
|
||||
user: "{{ item.name }}"
|
||||
key: "{{ item.sshkeys | join('\n') }}"
|
||||
state: present
|
||||
exclusive: true
|
||||
loop: "{{ _users_local }}"
|
||||
|
||||
- name: Enforce ownership of authorized keys
|
||||
become: true
|
||||
file:
|
||||
path: /home/{{ item.name }}/.ssh/authorized_keys
|
||||
state: touch
|
||||
owner: "{{ item.name }}"
|
||||
group: "{{ item.name }}"
|
||||
mode: 0444
|
||||
loop: "{{ _users_local }}"
|
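--- a/tasks/docker/install.yml
+++ b/tasks/docker/install.yml
@@ -0,0 +1,36 @@
+---
+# Just use the same repo for cent7 and cent8 because ¯\_(ツ)_/¯
+- name: Install Docker repository
+  become: true
+  when: ansible_distribution == "CentOS"
+  yum_repository:
+    name: docker-ce-stable
+    description: Docker CE Stable - $basearch
+    file: docker-ce-stable
+    baseurl: https://download.docker.com/linux/centos/7/$basearch/stable
+    gpgcheck: false
+
+- name: Install Docker on Cent7
+  become: true
+  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+  yum:
+    # Update the cache to update with the new docker repo
+    update_cache: true
+    state: "{{ _runtime_update_state }}"
+    name:
+      - device-mapper-persistent-data # Required for docker devicestorage driver
+      - lvm2 # same
+      - docker-ce
+      - containerd.io
+
+- name: Install Docker on Cent8
+  become: true
+  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
+  dnf:
+    # Update the cache to update with the new docker repo
+    update_cache: true
+    state: "{{ _runtime_update_state }}"
+    name:
+      - device-mapper-persistent-data # Required for docker devicestorage driver
+      - lvm2 # same
+      - docker-ce-3:18.09.1-3.el7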
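Review bot: `gpgcheck: false` on the Docker repository disables signature verification for every package pulled from download.docker.com, so a compromised mirror or tampered CDN response would be installed as-is; TLS on the baseurl protects the transport, not the package contents. Docker publishes a signing key for this repo, so the fix is two lines: `gpgcheck: true` and `gpgkey: https://download.docker.com/linux/centos/gpg`. Separately, the Cent8 task pins `docker-ce-3:18.09.1-3.el7` (and omits `containerd.io`), and `docker-ce` is excluded from the upgrade task elsewhere in this commit, so that host will not receive Docker security fixes without a manual bump; a comment stating the pin is intentional and when it should be revisited would help the next reader.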
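--- a/tasks/networkd/configure.yml
+++ b/tasks/networkd/configure.yml
@@ -0,0 +1,24 @@
+---
+- name: Configure networking via systemd
+  become: true
+  when: omni_networking is defined
+  block:
+    - name: Create the networkd config directory
+      file:
+        path: /etc/systemd/network
+        state: directory
+        mode: 0755
+
+    - name: Make network files
+      template:
+        src: networkd/network.j2
+        dest: "/etc/systemd/network/{{ item.key }}.network"
+        mode: 0644
+      loop: "{{ omni_networking | dict2items }}"
+
+    - name: Make netdev files
+      template:
+        src: networkd/netdev.j2
+        dest: "/etc/systemd/network/{{ item.0.key + '.' + item.1 }}.netdev"
+        mode: 0644
+      loop: "{{ omni_networking | dict2items | subelements('value.vlans', true) }}"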
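Review bot: Nothing in this file reloads systemd-networkd after the `.network` and `.netdev` files are written, so the rendered configuration only takes effect on the next service restart or reboot. Registering the two template tasks and adding a `systemd: name: systemd-networkd state: restarted` (or `command: networkctl reload`) task gated on their `changed` result would let a run converge in one pass; since a restart can briefly drop connectivity on the managed interface, the chosen approach deserves a one-line comment. The file modes are bare octal (`0755`, `0644`); Ansible handles the leading-zero form, but quoting them as `"0755"` sidesteps the YAML integer conversion that linters flag.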
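--- a/tasks/networkd/install.yml
+++ b/tasks/networkd/install.yml
@@ -0,0 +1,26 @@
+---
+- name: Install systemd-networkd on CentOS 7
+  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+  become: true
+  yum:
+    state: "{{ _runtime_update_state }}"
+    name:
+      - systemd-networkd
+      - systemd-resolved
+
+- name: Install systemd-networkd on CentOS 8
+  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
+  become: true
+  dnf:
+    state: "{{ _runtime_update_state }}"
+    name: systemd-networkd
+
+
+- name: Install systemd-networkd on Fedora
+  when: ansible_distribution == "Fedora" and ansible_distribution_major_version == "8"
+  become: true
+  dnf:
+    state: "{{ _runtime_update_state }}"
+    name:
+      - systemd-networkd
+      - systemd-resolved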
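Review bot: The Fedora task's condition `ansible_distribution == "Fedora" and ansible_distribution_major_version == "8"` can never be true on any current Fedora release (Fedora 8 dates from 2007), so `systemd-networkd` and `systemd-resolved` are silently never installed there; the version clause looks copied from the CentOS 8 task above it. Dropping it to `when: ansible_distribution == "Fedora"` matches the Fedora condition used in `tasks/packages/update.yml` in this same commit. The CentOS 8 task also installs only `systemd-networkd` while the other two add `systemd-resolved`; if that is deliberate (presumably resolved ships inside the base systemd package there), a one-line comment saying so will stop the next reader from "fixing" it.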
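--- a/tasks/networkd/services.yml
+++ b/tasks/networkd/services.yml
@@ -0,0 +1,36 @@
+---
+- name: Disable NetworkManager
+  become: true
+  systemd:
+    name: "{{ item }}"
+    enabled: false
+  loop:
+    - NetworkManager
+    - NetworkManager-wait-online
+
+- name: Enable systemd-networkd
+  become: true
+  systemd:
+    name: "{{ item }}"
+    enabled: true
+  loop:
+    - systemd-networkd
+    - systemd-resolved
+    - systemd-networkd-wait-online
+
+- name: Symlink so systemd-resolved uses /etc/resolv.conf
+  become: true
+  file:
+    dest: /etc/resolv.conf
+    src: /run/systemd/resolve/resolv.conf
+    state: link
+    force: true
+    setype: net_conf_t
+
+- name: Symlink so /etc/resolv.conf uses systemd
+  become: true
+  file:
+    dest: /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
+    src: /usr/lib/systemd/system/systemd-resolved.service
+    state: link
+    force: true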
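Review bot: `Disable NetworkManager` only sets `enabled: false` and never stops the unit, so on a host where NetworkManager is currently running it keeps managing interfaces alongside systemd-networkd until the next reboot; if the playbook is meant to converge immediately, add `state: stopped` there (and `state: started` on the networkd/resolved units) with a comment warning that this can cut the SSH session mid-run. The last task re-creates by hand the `multi-user.target.wants` symlink that `enabled: true` on `systemd-resolved` already manages, and its name ("Symlink so /etc/resolv.conf uses systemd") describes the previous task rather than this one; if a manual symlink is really required, the reason belongs in a comment, otherwise drop the task. Note also that linking `/etc/resolv.conf` to `/run/systemd/resolve/resolv.conf` rather than `stub-resolv.conf` bypasses resolved's stub listener, so per-link DNS routing and any DNSSEC or DNS-over-TLS settings in resolved.conf will not apply to libc lookups; fine if intentional, but worth a one-line comment.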
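--- a/tasks/packages/clean.yml
+++ b/tasks/packages/clean.yml
@@ -0,0 +1,17 @@
+---
+# I'm honestly not sure why these 304 warnings are being raised by the linter here...
+- name: Clean DNF cache # noqa: 304
+  when: ansible_distribution == "Fedora" or (ansible_distribution == "CentOS" and ansible_distribution_major_version == "8")
+  become: true
+  command:
+    cmd: /usr/bin/dnf clean all
+    warn: false
+  changed_when: true
+
+- name: Clean YUM cache # noqa: 304
+  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+  become: true
+  command:
+    cmd: /usr/bin/yum clean all
+    warn: false
+  changed_when: true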
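--- a/tasks/packages/install.yml
+++ b/tasks/packages/install.yml
@@ -0,0 +1,21 @@
+# NOTE: This is currently horrifically broken. See the ongoing drama around
+# systemd-networkd on cent8. Basically triggering an update- or an install- will give
+# a conflict error due to the spicy-jankaroni-with-extra-cheese edition of
+# systemd-networkd I'm running. We can exclude "systemd*", but we need to install
+# systemd-devel so then we get a package not found error. Its a truly stupid problem
+# that will hopefully all go away when this bug gets fixed and systemd-networkd becomes
+# available in EPEL:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1789146
+- name: Install packages on CentOS 8
+  become: true
+  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
+  dnf:
+    state: "{{ _runtime_update_state }}"
+    name: "{{ omni_packages_global + omni_packages_centos_8 }}"
+
+- name: Install packages on CentOS 7
+  become: true
+  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+  yum:
+    state: "{{ _runtime_update_state }}"
+    name: "{{ omni_packages_global + omni_packages_centos_7 }}"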
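Review bot: This file opens with the NOTE comment instead of the `---` document marker that every other task file in this commit uses; add `---` as the first line, above the NOTE, for consistency (yamllint `document-start`). Unlike `tasks/packages/update.yml` in the same commit there is no Fedora branch here, so Fedora hosts silently skip the global package list; if that is deliberate, a comment such as `# Fedora intentionally not handled here yet` avoids the question next time.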
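--- a/tasks/packages/repos.yml
+++ b/tasks/packages/repos.yml
@@ -0,0 +1,32 @@
+---
+- name: Install repositories on CentOS 8
+  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
+  become: true
+  block:
+    - name: Enable Extra Packages for Enterprise Linux on CentOS 8
+      dnf:
+        state: present
+        name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
+
+    # The testing repo had to be enabled for a previous version of systemd-networkd
+    # to be installed
+    - name: Disable EPEL-Testing repository on CentOS 8
+      lineinfile:
+        path: /etc/yum.repos.d/epel-testing.repo
+        regexp: "enabled=(0|1)"
+        line: "enabled=0"
+        insertbefore: "^$"
+        firstmatch: true
+
+    - name: Enable the power tools repository on CentOS 8
+      lineinfile:
+        path: /etc/yum.repos.d/CentOS-PowerTools.repo
+        regexp: "enabled=(0|1)"
+        line: "enabled=1"
+
+- name: Enable Extra Packages for Enterprise Linux on CentOS 7
+  become: true
+  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+  yum:
+    state: present
+    name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm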
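Review bot: Both EPEL tasks install `epel-release-latest-*.noarch.rpm` straight from a URL without first importing the EPEL signing key, so whether the release RPM's signature is actually verified depends on the dnf/yum module version and the host's `localpkg_gpgcheck` setting rather than on this playbook. Add an `rpm_key` task ahead of each install, e.g. `- rpm_key: { key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8, state: present }` (and the `-7` key on CentOS 7), so the release package and everything EPEL later provides are checked against a key you chose explicitly. Also note that `lineinfile` with a `regexp` only rewrites the last matching line; `epel-testing.repo` carries several `[epel-testing*]` sections each with its own `enabled=`, so `Disable EPEL-Testing repository` would not flip the first section back to 0 if it had been enabled earlier (`insertbefore`/`firstmatch` only govern insertion) — `ini_file` with `section: epel-testing`, `option: enabled`, `value: "0"` is the precise tool here.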
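--- a/tasks/packages/update.yml
+++ b/tasks/packages/update.yml
@@ -0,0 +1,32 @@
+---
+# Ansible Lint 403 ("Package installs should not use latest") is silenced here because
+# it would defeat the point otherwise
+- name: Upgrade Fedora and CentOS 8 packages # noqa: 403
+  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
+  become: true
+  dnf:
+    state: latest
+    name: "*"
+    exclude: "{{ ','.join(omni_pkg_exclude | default(['kernel*', 'docker-ce'])) }}"
+
+- name: Upgrade CentOS 7 packages # noqa: 403
+  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+  become: true
+  yum:
+    state: latest
+    name: "*"
+    exclude: "{{ ','.join(omni_pkg_exclude | default(['kernel*', 'docker-ce'])) }}"
+
+- name: Upgrade Fedora packages # noqa: 403
+  when: ansible_distribution == "Fedora"
+  become: true
+  dnf:
+    state: latest
+    name: "*"
+    exclude: "{{ ','.join(omni_pkg_exclude | default(['kernel*', 'docker-ce'])) }}"
+
+# Yeah I'll get here eventually
+# - name: Upgrade APT packages
+#   when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
+#   become: true
+#   apt: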
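Review bot: The first task is named `Upgrade Fedora and CentOS 8 packages` but its `when` matches only CentOS 8, and a separate `Upgrade Fedora packages` task follows, so the name is stale; rename it to `Upgrade CentOS 8 packages`. The default exclude list means `kernel*` and `docker-ce` never receive updates from this file: the kernel-plus tasks appear to cover the kernel on CentOS 8 only, nothing visible in this commit updates the kernel on CentOS 7 or Fedora, and `docker-ce` is pinned to 18.09.1 on CentOS 8, so kernel and Docker security fixes on those hosts depend on someone remembering to act by hand — a comment next to the default spelling this out would help. The `exclude` option of dnf/yum accepts a list directly, so `exclude: "{{ omni_pkg_exclude | default(['kernel*', 'docker-ce']) }}"` drops the `','.join(...)` and keeps the default readable.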
@@ -1,39 +0,0 @@
|
||||
---
|
||||
- name: Load users variables
|
||||
include_vars:
|
||||
file: users.yml
|
||||
|
||||
- name: Reconcile user targets with host targets to get host users
|
||||
set_fact:
|
||||
_users_local: >-
|
||||
{{
|
||||
_users_local | default([]) + ([item] if item.targets | intersect(omni_local_targets) else [])
|
||||
}}
|
||||
loop: "{{ omni_users }}"
|
||||
|
||||
- name: Determine local user names
|
||||
set_fact:
|
||||
_users_local_names: "{{ _users_local_names | default([]) + [item.name] }}"
|
||||
loop: "{{ _users_local }}"
|
||||
|
||||
- name: Determine administrative users
|
||||
set_fact:
|
||||
_users_local_admin: >-
|
||||
{{
|
||||
_users_local_admin | default([]) + ([item] if item.admin | default(False) else [])
|
||||
}}
|
||||
loop: "{{ _users_local }}"
|
||||
|
||||
- name: Determine existing users
|
||||
shell: 'grep omni /etc/group | cut -d: -f4 | tr "," "\n"'
|
||||
changed_when: false
|
||||
register: _users_local_existing
|
||||
|
||||
- name: Determine removed users
|
||||
set_fact:
|
||||
_users_local_removed: >-
|
||||
{{
|
||||
_users_local_removed | default([]) +
|
||||
([item] if item not in _users_local_names else [])
|
||||
}}
|
||||
loop: "{{ _users_local_existing.stdout_lines }}"
|
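--- a/tasks/sshd/banner.yml
+++ b/tasks/sshd/banner.yml
@@ -0,0 +1,7 @@
+---
+- name: Install SSH Banner
+  become: true
+  template:
+    src: motd.j2
+    dest: /etc/issue.net
+    mode: 0644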
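--- a/tasks/sshd/secure.yml
+++ b/tasks/sshd/secure.yml
@@ -0,0 +1,29 @@
+---
+- name: Set parameters in sshd config
+  become: true
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "{{ item.match }}"
+    line: "{{ item.set }}"
+    state: present
+  loop:
+    - match: "#?PermitRootLogin (yes|no)"
+      set: "PermitRootLogin no"
+    - match: "#?Banner (none|/etc/issue.net)"
+      set: "Banner /etc/issue.net"
+    - match: "#?PasswordAuthentication (yes|no)"
+      set: "PasswordAuthentication no"
+    - match: "#?GSSAPIAuthentication (yes|no)"
+      set: "GSSAPIAuthentication no"
+    - match: "#?ChallengeResponseAuthentication (yes|no)"
+      set: "ChallengeResponseAuthentication no"
+  loop_control:
+    label: "{{ item.set }}"
+  register: _sshd_config_result
+
+- name: Restart sshd service
+  when: _sshd_config_result.changed
+  become: true
+  systemd:
+    name: sshd
+    state: restarted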
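Review bot: `lineinfile` edits `/etc/ssh/sshd_config` without `validate`, so a bad match or a stray line appended at EOF is only discovered when `Restart sshd service` fails and the host is already unreachable; add `validate: /usr/sbin/sshd -t -f %s` to the lineinfile task so each edit is syntax-checked before it is written. The regexps are unanchored and `PermitRootLogin (yes|no)` does not match the `prohibit-password`/`without-password` values some distro defaults ship commented out, in which case the option is appended at the end of the file — after any `Match` block, where it applies only to that block or is rejected; `^#?PermitRootLogin\s` as the match avoids both. `PasswordAuthentication no` is only safe once keys are in place, and this commit deletes the authorized_keys tasks without a visible replacement, so make sure key deployment runs before this file (or is included from it) to avoid locking users out.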