Added sysprep and pve roles

ansible.cfg

@@ -1,4 +1,5 @@
 [defaults]
+remote_user = ansible
 inventory = hosts.yml
 roles_path = ./roles
 vault_password_file = ~/.ansible-vault-key

group_vars/all.yml

@@ -18,7 +18,7 @@ assets: "{{ project_root }}/assets"
 # Remote paths
 remote_stacks: "/home/javi/docker"
 remote_app_mounts: "/home/docker"
-# Sudo password for your servers
+
 # Sudo password for your servers
 ansible_become_pass: !vault |
           $ANSIBLE_VAULT;1.1;AES256
@@ -33,15 +33,15 @@ iscsi_target_ip: nas.lan.xbazzi.com  # TrueNAS IP
 iscsi_target_iqn: iqn.2005-10.org.freenas.ctl:pve-iscsi
 
 # Alma new VM provisioning
-hostname: "prod3"
+# hostname: "prod3"
 timezone: "America/Denver"
+staging_ip: "10.133.7.240"
+# network_config:
+#   interface: "ens18"
+#   address: "{{ staging_host }}"
+#   netmask: "255.255.252.0"
+#   gateway: "10.133.7.1"
+#   dns:  ["10.133.7.1"]
 
-network_config:
-  interface: "ens18"
-  address: ""
-  netmask: "255.255.252.0"
-  gateway: "10.133.7.103"
-  dns:  ["10.133.7.1"]
-
-nfs_mounts:
-  - { src: "nas:/mnt/media", path: "/mnt/media", opts: "defaults,nfsvers=4" }
+# nfs_mounts:
+#   - { src: "nas:/mnt/media", path: "/mnt/media", opts: "defaults,nfsvers=4" }

inventory/hosts.yml

@@ -17,12 +17,5 @@ all:
           ansible_host: prod2
         school:
           ansible_host: school
-        new-vm:
+        staging-vm:
           ansible_host: 10.133.7.240
-    # alma-provision:
-    #   hosts:
-    #     new-alma-vm:
-    #       ansible_host: <ip>
-    #     vars:
-    #       ansible_user: root
-

playbooks/sysprep-alma.yml

@@ -0,0 +1,5 @@
+- name: Sysprep Alma Linux machine
+  hosts: staging-vm
+  become: yes
+  roles:
+    - role: provision/alma/sysprep

roles/provision/alma/common/tasks/main.yml

@@ -1,26 +1,55 @@
 ---
 - name: Set system timezone
-  ansible.builtin.command: timedatectl set-timezone "America/Denver"
+  ansible.builtin.command: timedatectl set-timezone "{{ timezone }}"
   register: output
   changed_when: output.rc != 0
 
-- name: Set hostname
-  ansible.builtin.hostname:
-    name: "{{ hostname }}"
+# - name: Set hostname
+#   ansible.builtin.hostname:
+#     name: "{{ hostname }}"
 
-- name: Set repo
+- name: Upgrade all packages
   ansible.builtin.dnf:
+    name: "*"
+    update_only: true
+
+- name: Add CodeReady Builder repo
+  ansible.builtin.command: dnf config-manager --set-enabled crb
+  register: output
+  changed_when: output.rc != 0
+
+- name: Install QEMU Guest Agent 
+  ansible.builtin.dnf:
+    name:
+      - 'qemu-guest-agent'
+
+- name: Enable and start QEMU Guest Agent
+  ansible.builtin.service:
+    name: qemu-guest-agent
+    enabled: yes
+    state: started
+
+- name: Install EPEL 
+  ansible.builtin.dnf:
+    name:
+      - 'epel-release'
+    update_cache: true
+
+- name: Install Dev Tools
+  ansible.builtin.dnf:
+    name:
+      - '@Development tools'
+    update_cache: true
 
 - name: Install baseline packages
   ansible.builtin.dnf:
     name:
-      - '@Development tools'
       - vim
       - curl
       - git
       - bash-completion
       - firewalld
-      # - fastfetch
-      # - btop
-    state: present
+      - fastfetch
+      - btop
+    state: latest
     update_cache: true

roles/provision/alma/network/tasks/main.yml

@@ -2,11 +2,14 @@
   ansible.builtin.template:
     src: ifcfg-template.j2
     dest: "/etc/sysconfig/network-scripts/ifcfg-{{ network_config.interface }}"
-  notify: Restart network
+  # notify: Restart network
 
-- name: Ensure NetworkManager is enabled
-  ansible.builtin.service:
-    name: NetworkManager
-    enabled: true
-    state: restarted
+# - name: Ensure NetworkManager is enabled
+#   ansible.builtin.service:
+#     name: NetworkManager
+#     enabled: true
+#     state: restarted
 
+  # handlers:
+  #   - name: Restart network
+  #     command: nmcli connection reload

roles/provision/alma/sysprep/tasks/main.yml

@@ -0,0 +1,137 @@
+---
+- name: Set up initial CORE interface with DHCP
+  community.general.nmcli:
+    conn_name: core
+    method4: "auto"
+    ifname: ens18
+    type: ethernet
+    state: present
+
+- name: Set hostname to generic localhost
+  ansible.builtin.hostname:
+    name: localhost.localdomain
+    # use: systemd
+
+- name: Ensure IPv4 localhost entry exists in /etc/hosts
+  ansible.builtin.lineinfile:
+    path: /etc/hosts
+    line: "127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4"
+    state: present
+    create: yes
+    regexp: '^127\.0\.0\.1\s+localhost'
+
+- name: Remove IPv6 localhost entry (::1) from /etc/hosts
+  ansible.builtin.lineinfile:
+    path: /etc/hosts
+    regexp: '^::1\s+localhost'
+    state: absent
+
+- name: Remove xbazzi user
+  ansible.builtin.user:
+    name: xbazzi
+    state: absent
+    remove: true
+
+- name: Truncate machine-id
+  ansible.builtin.command: truncate -s 0 /etc/machine-id
+
+- name: Remove DBus machine-id if exists
+  ansible.builtin.file:
+    path: /var/lib/dbus/machine-id
+    state: absent
+
+- name: Remove root SSH folder
+  ansible.builtin.file:
+    path: /root/.ssh
+    state: absent
+
+- name: Remove anaconda kickstart config
+  ansible.builtin.file:
+    path: /root/anaconda-ks.cfg
+    state: absent
+
+- name: Clear logs
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /var/log/boot.log
+    - /var/log/cron
+    - /var/log/dmesg
+    - /var/log/grubby
+    - /var/log/lastlog
+    - /var/log/maillog
+    - /var/log/messages
+    - /var/log/secure
+    - /var/log/spooler
+    - /var/log/tallylog
+    - /var/log/wtmp
+    - /var/log/yum.log
+    - /var/log/audit/audit.log
+    - /var/log/tuned/tuned.log
+    - /var/log/wpa_supplicant.log
+    - /var/log/ovirt-guest-agent/ovirt-guest-agent.log
+
+- name: Rotate and vacuum journal logs
+  ansible.builtin.shell: |
+    journalctl --rotate
+    journalctl --vacuum-time=1s
+  when: ansible_facts['distribution_major_version'] is version('8', '>=')
+
+- name: Clear shell history
+  ansible.builtin.copy:
+    content: ""
+    dest: /root/.bash_history
+    force: true
+
+- name: Find all SSH keys
+  ansible.builtin.find:
+    # path: "{{ item }}"
+    paths:
+      - /etc/ssh
+      - /home/
+    patterns: 
+      - "ssh_host*"
+      - "id_*"
+      - "authorized_keys"
+      - "known_hosts"
+      - "config"
+    use_regex: false
+    recurse: true
+    file_type: file
+  register: ssh_files
+
+- name: Debug found SSH keys
+  debug:
+    msg: "{{ item.path }}"
+  loop: "{{ ssh_files.files }}"
+
+- name: Remove SSH keys
+  ansible.builtin.file:
+    path: "{{  item.path }}"
+    state: absent
+  loop: "{{ ssh_files.files }}"
+  # loop: "{{ ssh_keys.results | map(attribute='files') | flatten }}"
+
+- name: Add ansible user SSH public key
+  ansible.builtin.copy:
+    dest: /home/ansible/.ssh/authorized_keys
+    content: "{{ lookup('file', '~/.ssh/lan_id_ed25519.pub') }}"
+    mode: '0600'
+    owner: "ansible"
+    group: "ansible"
+
+- name: Sync changes to disk
+  ansible.builtin.command: sync
+
+- name: Shutdown the machine for templating
+  community.general.shutdown:
+    delay: 5
+
+- name: Remove old local SSH known_hosts entry
+  become_user: xbazzi
+  local_action: 
+    module: command
+    args:
+      cmd: ssh-keygen -R "{{ hostvars['staging-vm'].ansible_host }}"
+