diff --git a/ansible.cfg b/ansible.cfg
index 6f499f1..5614c82 100755
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,4 +1,5 @@
 [defaults]
+remote_user = ansible
 inventory = hosts.yml
 roles_path = ./roles
 vault_password_file = ~/.ansible-vault-key
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 897e3d0..a6efca2 100755
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -18,7 +18,7 @@ assets: "{{ project_root }}/assets"
 # Remote paths
 remote_stacks: "/home/javi/docker"
 remote_app_mounts: "/home/docker"
-# Sudo password for your servers
+ # Sudo password for your servers
 ansible_become_pass: !vault |
 $ANSIBLE_VAULT;1.1;AES256
@@ -33,15 +33,15 @@ iscsi_target_ip: nas.lan.xbazzi.com # TrueNAS IP
 iscsi_target_iqn: iqn.2005-10.org.freenas.ctl:pve-iscsi
 # Alma new VM provisioning
-hostname: "prod3"
+# hostname: "prod3"
 timezone: "America/Denver"
+staging_ip: "10.133.7.240"
+# network_config:
+# interface: "ens18"
+# address: "{{ staging_host }}"
+# netmask: "255.255.252.0"
+# gateway: "10.133.7.1"
+# dns: ["10.133.7.1"]
-network_config:
- interface: "ens18"
- address: ""
- netmask: "255.255.252.0"
- gateway: "10.133.7.103"
- dns: ["10.133.7.1"]
-
-nfs_mounts:
- - { src: "nas:/mnt/media", path: "/mnt/media", opts: "defaults,nfsvers=4" }
+# nfs_mounts:
+# - { src: "nas:/mnt/media", path: "/mnt/media", opts: "defaults,nfsvers=4" }
diff --git a/hosts.yml b/inventory/hosts.yml
similarity index 70%
rename from hosts.yml
rename to inventory/hosts.yml
index abad0fd..1ec4e18 100755
--- a/hosts.yml
+++ b/inventory/hosts.yml
@@ -17,12 +17,5 @@ all:
 ansible_host: prod2
 school:
 ansible_host: school
- new-vm:
+ staging-vm:
 ansible_host: 10.133.7.240
- # alma-provision:
- # hosts:
- # new-alma-vm:
- # ansible_host:
- # vars:
- # ansible_user: root
-
diff --git a/playbooks/sysprep-alma.yml b/playbooks/sysprep-alma.yml
new file mode 100644
index 0000000..b03e358
--- /dev/null
+++ b/playbooks/sysprep-alma.yml
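Review bot: `inventory = hosts.yml` is left as an untouched context line while the hosts.yml hunk further down renames that file to inventory/hosts.yml, so after this commit ansible-playbook no longer finds the inventory unless it is pointed at it with `-i`. The fix belongs in the same commit as the rename: `inventory = inventory/hosts.yml`. The new `remote_user = ansible` line is consistent with the key the sysprep role writes for that user, so no concern there.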
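Review bot: The commented-out `network_config` block added here references `{{ staging_host }}`, but the variable defined two lines above it is `staging_ip`, so uncommenting the block as written fails on an undefined variable. `staging_ip` also duplicates the `ansible_host` already set for `staging-vm` in the inventory; the sysprep role reads that address through `hostvars['staging-vm'].ansible_host`, which keeps a single source of truth. Either change the reference to `address: "{{ staging_ip }}"` or drop the variable and use the inventory value.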
@@ -0,0 +1,5 @@
+- name: Sysprep Alma Linux machine
+ hosts: staging-vm
+ become: yes
+ roles:
+ - role: provision/alma/sysprep
\ No newline at end of file
diff --git a/roles/provision/alma/common/tasks/main.yml b/roles/provision/alma/common/tasks/main.yml
index b698c89..df1846d 100644
--- a/roles/provision/alma/common/tasks/main.yml
+++ b/roles/provision/alma/common/tasks/main.yml
@@ -1,26 +1,55 @@
 ---
 - name: Set system timezone
- ansible.builtin.command: timedatectl set-timezone "America/Denver"
+ ansible.builtin.command: timedatectl set-timezone "{{ timezone }}"
 register: output
 changed_when: output.rc != 0
-- name: Set hostname
- ansible.builtin.hostname:
- name: "{{ hostname }}"
+# - name: Set hostname
+# ansible.builtin.hostname:
+# name: "{{ hostname }}"
-- name: Set repo
+- name: Upgrade all packages
 ansible.builtin.dnf:
+ name: "*"
+ update_only: true
+
+- name: Add CodeReady Builder repo
+ ansible.builtin.command: dnf config-manager --set-enabled crb
+ register: output
+ changed_when: output.rc != 0
+
+- name: Install QEMU Guest Agent
+ ansible.builtin.dnf:
+ name:
+ - 'qemu-guest-agent'
+
+- name: Enable and start QEMU Guest Agent
+ ansible.builtin.service:
+ name: qemu-guest-agent
+ enabled: yes
+ state: started
+
+- name: Install EPEL
+ ansible.builtin.dnf:
+ name:
+ - 'epel-release'
+ update_cache: true
+
+- name: Install Dev Tools
+ ansible.builtin.dnf:
+ name:
+ - '@Development tools'
+ update_cache: true
 - name: Install baseline packages
 ansible.builtin.dnf:
 name:
- - '@Development tools'
 - vim
 - curl
 - git
 - bash-completion
 - firewalld
- # - fastfetch
- # - btop
- state: present
+ - fastfetch
+ - btop
+ state: latest
 update_cache: true
diff --git a/roles/provision/alma/network/tasks/main.yml b/roles/provision/alma/network/tasks/main.yml
index fa5538f..5722879 100644
--- a/roles/provision/alma/network/tasks/main.yml
+++ b/roles/provision/alma/network/tasks/main.yml
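Review bot: `become: yes` in the new playbook uses a YAML 1.1 truthy value that yamllint flags; the canonical form is `become: true`. The file is also written without a trailing newline (`\ No newline at end of file`) and without the `---` document start that the role task files in this tree begin with, so a `---` first line and a final newline would bring it in line with them.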
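Review bot: `changed_when: output.rc != 0` on the new `Add CodeReady Builder repo` task (the same pattern as the timezone task above it) can never report a change, because a non-zero rc already fails a command task; the task therefore shows `ok` whether or not it enabled the repo. If the intent is to suppress change reporting, `changed_when: false` states that honestly; a module that is idempotent for repo enablement (`community.general.dnf_config_manager`, if the installed collection version provides it) would be better still. `state: latest` on `Install baseline packages` is redundant with the `Upgrade all packages` task that runs first, and both make the template's contents depend on what the mirrors serve at run time; `state: present` keeps the baseline step reproducible and leaves upgrades to the dedicated task. `enabled: yes` in the guest-agent service task should be `enabled: true` for the same truthy reason as elsewhere.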
@@ -2,11 +2,14 @@
 ansible.builtin.template:
 src: ifcfg-template.j2
 dest: "/etc/sysconfig/network-scripts/ifcfg-{{ network_config.interface }}"
- notify: Restart network
+ # notify: Restart network
-- name: Ensure NetworkManager is enabled
- ansible.builtin.service:
- name: NetworkManager
- enabled: true
- state: restarted
+# - name: Ensure NetworkManager is enabled
+# ansible.builtin.service:
+# name: NetworkManager
+# enabled: true
+# state: restarted
+ # handlers:
+ # - name: Restart network
+ # command: nmcli connection reload
diff --git a/roles/provision/alma/sysprep/defaults/main.yml b/roles/provision/alma/sysprep/defaults/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/provision/alma/sysprep/handlers/main.yml b/roles/provision/alma/sysprep/handlers/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/provision/alma/sysprep/tasks/main.yml b/roles/provision/alma/sysprep/tasks/main.yml
new file mode 100644
index 0000000..3a87b6f
--- /dev/null
+++ b/roles/provision/alma/sysprep/tasks/main.yml
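Review bot: The surviving template task still dereferences `network_config.interface` in `dest`, while the group_vars/all.yml hunk in this same commit comments out `network_config`, so this role now fails with an undefined variable as soon as it runs. With `notify: Restart network` commented out too, a rendered ifcfg file is never applied until something else reloads NetworkManager, which leaves a host silently on its old configuration. The commented `# handlers:` fragment belongs in the role's handlers/main.yml, not in tasks/main.yml; if the role is being retired in favour of the nmcli task in the new sysprep role, a one-line comment at the top of the file saying so is clearer than the disabled fragments. The enclosing task starts outside the hunk.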
@@ -0,0 +1,137 @@
+---
+- name: Set up initial CORE interface with DHCP
+ community.general.nmcli:
+ conn_name: core
+ method4: "auto"
+ ifname: ens18
+ type: ethernet
+ state: present
+
+- name: Set hostname to generic localhost
+ ansible.builtin.hostname:
+ name: localhost.localdomain
+ # use: systemd
+
+- name: Ensure IPv4 localhost entry exists in /etc/hosts
+ ansible.builtin.lineinfile:
+ path: /etc/hosts
+ line: "127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4"
+ state: present
+ create: yes
+ regexp: '^127\.0\.0\.1\s+localhost'
+
+- name: Remove IPv6 localhost entry (::1) from /etc/hosts
+ ansible.builtin.lineinfile:
+ path: /etc/hosts
+ regexp: '^::1\s+localhost'
+ state: absent
+
+- name: Remove xbazzi user
+ ansible.builtin.user:
+ name: xbazzi
+ state: absent
+ remove: true
+
+- name: Truncate machine-id
+ ansible.builtin.command: truncate -s 0 /etc/machine-id
+
+- name: Remove DBus machine-id if exists
+ ansible.builtin.file:
+ path: /var/lib/dbus/machine-id
+ state: absent
+
+- name: Remove root SSH folder
+ ansible.builtin.file:
+ path: /root/.ssh
+ state: absent
+
+- name: Remove anaconda kickstart config
+ ansible.builtin.file:
+ path: /root/anaconda-ks.cfg
+ state: absent
+
+- name: Clear logs
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: absent
+ loop:
+ - /var/log/boot.log
+ - /var/log/cron
+ - /var/log/dmesg
+ - /var/log/grubby
+ - /var/log/lastlog
+ - /var/log/maillog
+ - /var/log/messages
+ - /var/log/secure
+ - /var/log/spooler
+ - /var/log/tallylog
+ - /var/log/wtmp
+ - /var/log/yum.log
+ - /var/log/audit/audit.log
+ - /var/log/tuned/tuned.log
+ - /var/log/wpa_supplicant.log
+ - /var/log/ovirt-guest-agent/ovirt-guest-agent.log
+
+- name: Rotate and vacuum journal logs
+ ansible.builtin.shell: |
+ journalctl --rotate
+ journalctl --vacuum-time=1s
+ when: ansible_facts['distribution_major_version'] is version('8', '>=')
+
+- name: Clear shell history
+ ansible.builtin.copy:
+ content: ""
+ dest: /root/.bash_history
+ force: true
+
+- name: Find all SSH keys
+ ansible.builtin.find:
+ # path: "{{ item }}"
+ paths:
+ - /etc/ssh
+ - /home/
+ patterns:
+ - "ssh_host*"
+ - "id_*"
+ - "authorized_keys"
+ - "known_hosts"
+ - "config"
+ use_regex: false
+ recurse: true
+ file_type: file
+ register: ssh_files
+
+- name: Debug found SSH keys
+ debug:
+ msg: "{{ item.path }}"
+ loop: "{{ ssh_files.files }}"
+
+- name: Remove SSH keys
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ state: absent
+ loop: "{{ ssh_files.files }}"
+ # loop: "{{ ssh_keys.results | map(attribute='files') | flatten }}"
+
+- name: Add ansible user SSH public key
+ ansible.builtin.copy:
+ dest: /home/ansible/.ssh/authorized_keys
+ content: "{{ lookup('file', '~/.ssh/lan_id_ed25519.pub') }}"
+ mode: '0600'
+ owner: "ansible"
+ group: "ansible"
+
+- name: Sync changes to disk
+ ansible.builtin.command: sync
+
+- name: Shutdown the machine for templating
+ community.general.shutdown:
+ delay: 5
+
+- name: Remove old local SSH known_hosts entry
+ become_user: xbazzi
+ local_action:
+ module: command
+ args:
+ cmd: ssh-keygen -R "{{ hostvars['staging-vm'].ansible_host }}"
+
diff --git a/roles/provision/alma/sysprep/templates/main.yml b/roles/provision/alma/sysprep/templates/main.yml
new file mode 100644
index 0000000..e69de29
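Review bot: `Remove SSH keys` deletes every path that `Find all SSH keys` matched, and under `/home/` that includes `/home/ansible/.ssh/authorized_keys` — the credential this play is connecting with — so any failure between that task and `Add ansible user SSH public key` (including the copy itself failing) leaves the template with no key-based login. The `id_*` and `config` patterns are basename globs applied recursively to all of `/home/`, so they also match unrelated files such as a `.git/config` or any `id_*` data file in a home directory; limiting `paths` to `/etc/ssh` and the users' `.ssh` directories, and restoring the ansible user's `authorized_keys` in the same task that removes it, narrows both problems. Deleting `/etc/ssh/ssh_host*` presumably relies on the distribution's sshd-keygen unit regenerating host keys on first boot of a clone — worth stating in a comment above `Find all SSH keys`, since a clone without host keys cannot accept SSH at all. The final `local_action` hard-codes both the controller account (`become_user: xbazzi`) and the inventory name (`hostvars['staging-vm']`); `cmd: ssh-keygen -R "{{ ansible_host }}"` gives the same result for whichever host the play runs against.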