diff --git a/roles/bootstrap/defaults/main.yml b/roles/bootstrap/defaults/main.yml
index 0d5c7e1..7dc77f3 100644
--- a/roles/bootstrap/defaults/main.yml
+++ b/roles/bootstrap/defaults/main.yml
@@ -2,7 +2,10 @@
 DEFAULT_PKGS:
 - sudo
 - vim
+- vim-default-editor
 UNWANTED_PKGS:
 - earlyoom
 - power-profiles-daemon
 - nano
+- nano-default-editor
+- systemd-oomd-defaults
diff --git a/roles/bootstrap/tasks/dnf.yml b/roles/bootstrap/tasks/dnf.yml
index 6db3cde..3c9744c 100644
--- a/roles/bootstrap/tasks/dnf.yml
+++ b/roles/bootstrap/tasks/dnf.yml
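Review bot: `vim-default-editor` and `nano-default-editor` are, as far as I know, Fedora-specific packages, yet DEFAULT_PKGS is consumed by the "Install prereqs" task in roles/bootstrap/tasks/main.yml, which also runs on CentOS and RHEL hosts, so the install may fail on those distributions because the package name is unknown there. Either verify the names exist in the EPEL/BaseOS repositories this role enables, or keep Fedora-only entries in a separate list that is only merged in when `ansible_distribution in ["Fedora"]`. A short comment above the list would help the next maintainer, e.g. `# vim-default-editor / nano-default-editor: Fedora editor-alternatives packages; verify before adding RHEL hosts`.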
@@ -1,29 +1,38 @@
 ---
-- name: raise max_parallel_downloads to 20
-  lineinfile:
+- name: Raise max_parallel_downloads to 20
+  become: true
+  ansible.builtin.lineinfile:
     path: /etc/dnf/dnf.conf
     regexp: "^max_parallel_downloads.="
     line: "max_parallel_downloads=20"
 
-- name: install dnf-automatic
-  package:
-    name: dnf-automatic
-    state: present
+- name: Prepare automatic upgrade w/ dnf-automatic
+  block:
+    - name: Install dnf-automatic
+      become: true
+      ansible.builtin.package:
+        name: dnf-automatic
+        state: present
 
-- name: configure dnf-automatic
-  become: true
-  lineinfile:
-    path: /etc/dnf/automatic.conf
-    state: present
-    regexp: "{{ item.regexp }}"
-    line: "{{ item.line }}"
-  with_items:
-    - { regexp: '^upgrade_type.=', line: 'upgrade_type = security' }
-    - { regexp: '^emit_via.=', line: 'emit_via = stdio,motd' }
-    - { regexp: '^apply_updates.=', line: 'apply_updates = yes' }
+    - name: Configure dnf-automatic
+      become: true
+      ansible.builtin.lineinfile:
+        path: /etc/dnf/automatic.conf
+        state: present
+        regexp: "{{ item.regexp }}"
+        line: "{{ item.line }}"
+      with_items:
+        - {regexp: '^upgrade_type.=', line: 'upgrade_type = default'}
+        - {regexp: '^emit_via.=', line: 'emit_via = stdio,motd'}
+        - {regexp: '^apply_updates.=', line: 'apply_updates = no'}
+        - {regexp: '^download_updates.=', line: 'download_updates = yes'}
 
-- name: enable dnf-automatic timer
-  systemd:
-    name: dnf-automatic.timer
-    state: started
-    enabled: yes
+    - name: Enable dnf-automatic timer
+      become: true
+      ansible.builtin.systemd:
+        name: dnf-automatic.timer
+        state: started
+        enabled: true
+  when:
+    - auto_update is defined
+    - auto_update | bool
diff --git a/roles/bootstrap/tasks/main.yml b/roles/bootstrap/tasks/main.yml
index 4475c37..e6c967c 100644
--- a/roles/bootstrap/tasks/main.yml
+++ b/roles/bootstrap/tasks/main.yml
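Review bot: The new automatic.conf values turn dnf-automatic from a self-applying security-update profile (`upgrade_type = security`, `apply_updates = yes`) into a download-only one (`apply_updates = no`, `download_updates = yes`), so hosts that previously applied security fixes on their own now only stage them and depend on someone running the upgrade; neither the task name "Prepare automatic upgrade w/ dnf-automatic" nor the diff says that this is intended. If download-only is the goal, record it next to the with_items list, e.g. `# download-only: updates are staged, never applied; apply manually or enable dnf-automatic-install.timer instead`, and consider keeping `upgrade_type = security` so at least the staged set stays small and relevant. The `when:` added after the timer task has lost its indentation in this rendering; if it sits at block level it also skips installing and configuring dnf-automatic unless `auto_update` is set, which is reasonable but deserves a one-line comment, and `auto_update | default(false) | bool` would replace the two-condition list. Separately, lineinfile appends a key it cannot match at end of file, i.e. into whatever INI section is last in automatic.conf, so the `[commands]` and `[emitters]` keys would be safer written with `community.general.ini_file` and an explicit `section:`.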
@@ -1,104 +1,141 @@ --- - block: - - name: gather package facts - package_facts: + - name: Gather package facts + ansible.builtin.package_facts: manager: auto - - name: check if atomic - stat: + - name: Check if atomic + ansible.builtin.stat: path: /run/ostree-booted register: ostree - - name: check for cloud.cfg - stat: + - name: Check for cloud.cfg + ansible.builtin.stat: path: /etc/cloud/cloud.cfg register: cloudcfg - - name: set fact (atomic state) - set_fact: + - name: Set fact (atomic state) + ansible.builtin.set_fact: is_atomic: "{{ ostree.stat.exists }}" - - name: set fact (cloud.cfg state) - set_fact: + - name: Set fact (cloud.cfg state) + ansible.builtin.set_fact: is_cloudy: "{{ cloudcfg.stat.exists }}" - - name: include dnf tasks + - name: Include dnf tasks include_tasks: dnf.yml when: (ansible_distribution in ["Fedora"] and not is_atomic) or (ansible_distribution in ["RedHat", "Red Hat Enterprise Linux", "CentOS"] and ansible_distribution_major_version is version('8', '>=')) - - name: install prereqs - package: + - name: Remove unwanted packages + become: true + ansible.builtin.package: + name: "{{ item }}" + state: absent + when: "(item in ansible_facts.packages)" + with_items: "{{ UNWANTED_PKGS }}" # see roles/bootstrap/defaults/main.yml + + - name: Install prereqs + become: true + ansible.builtin.package: name: "{{ DEFAULT_PKGS | difference(ansible_facts.packages) }}" state: installed when: (ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat", "Fedora"] and not is_atomic) - - name: disable fastestmirror (fedora - non-atomic) - lineinfile: + - name: Disable fastestmirror (fedora - non-atomic) + become: true + ansible.builtin.lineinfile: path: /etc/dnf/dnf.conf regexp: "^fastestmirror=" line: "fastestmirror=False" when: ansible_distribution in ["Fedora"] and not is_atomic - - name: remove update_etc_hosts from cloud.cfg - lineinfile: + - name: Remove update_etc_hosts from cloud.cfg + become: true + ansible.builtin.lineinfile: line: 
' - update_etc_hosts' path: /etc/cloud/cloud.cfg state: absent when: is_cloudy|bool - - - name: add all hosts to /etc/hosts - lineinfile: + + - name: Add all hosts to /etc/hosts + become: true + ansible.builtin.lineinfile: path: /etc/hosts state: present line: "{{ hostvars[item].ip | default('127.0.0.1') }} {{ hostvars[item].ansible_hostname }}" regexp: "^{{ hostvars[item].ip | default('127.0.0.1') }}.*{{ hostvars[item].ansible_hostname }}$" with_items: "{{ groups.all }}" - - name: set hostname to match inventory - hostname: + - name: Set hostname to match inventory + ansible.builtin.hostname: name: "{{ inventory_hostname }}" register: hostname_change - - name: remove requiretty - lineinfile: + - name: Remove requiretty + become: true + ansible.builtin.lineinfile: regexp: '^\w+\s+requiretty' path: /etc/sudoers state: absent - - name: import epel GPG key - rpm_key: + - name: Import EPEL GPG key + become: true + ansible.builtin.rpm_key: state: present key: https://getfedora.org/static/fedora.gpg when: ansible_distribution in ['Red Hat Enterprise Linux', 'RedHat'] and not is_atomic - - name: install epel (dist pkg) - package: + - name: Install EPEL (dist pkg) + become: true + ansible.builtin.package: name: epel-release - state: latest + state: present when: ansible_distribution in ['CentOS'] and not is_atomic - - name: install epel (upstream pkg) - package: - name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ansible_distribution_major_version}}.noarch.rpm" + - name: Install EPEL (upstream pkg) + become: true + ansible.builtin.package: + name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm" state: present when: ansible_distribution in ['Red Hat Enterprise Linux', 'RedHat'] and not is_atomic - - name: remove unwanted packages - package: - name: "{{ item }}" - state: absent - when: "(item in ansible_facts.packages)" - with_items: "{{ UNWANTED_PKGS }}" # see roles/bootstrap/defaults/main.yml 
- - - name: disable NetworkManager phoning home on Fedora - file: + - name: Disable NetworkManager phoning home on Fedora + become: true + ansible.builtin.file: path: /etc/NetworkManager/conf.d/20-connectivity-fedora.conf access_time: preserve # make this properly idempotent, register no change when file exists modification_time: preserve # ^ state: touch - mode: 0644 + mode: '0644' when: (ansible_distribution in ['Fedora'] and not is_atomic) and ('NetworkManager' in ansible_facts.packages) + - name: Ensure systemd-oomd service and socket are disabled and stopped + become: true + ansible.builtin.systemd: + name: "{{ item }}" + state: stopped + enabled: false + with_items: + - systemd-oomd.service + - systemd-oomd.socket + when: (ansible_distribution in ['Fedora'] and not is_atomic) + + - name: Ensure systemd-oomd service and socket are masked + become: true + ansible.builtin.systemd: + name: "{{ item }}" + masked: true + with_items: + - systemd-oomd.service + - systemd-oomd.socket + when: (ansible_distribution in ['Fedora'] and not is_atomic) + + - name: Ensure systemd-oomd-defaults package is removed + become: true + ansible.builtin.package: + name: systemd-oomd-defaults + state: absent + tags: - bootstrap
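Review bot: The new "Ensure systemd-oomd-defaults package is removed" task at the end of the hunk has no `when:` guard, unlike the two systemd-oomd unit tasks directly above it that are limited to `ansible_distribution in ['Fedora'] and not is_atomic`, so it runs a package removal on CentOS/RHEL and on rpm-ostree hosts where every other package task in this file is skipped. Because this commit also adds `systemd-oomd-defaults` to UNWANTED_PKGS, the relocated "Remove unwanted packages" task already removes it when `item in ansible_facts.packages`; the simplest fix is to drop the new task, otherwise give it the same `when: (ansible_distribution in ['Fedora'] and not is_atomic)`. The rewritten "Remove requiretty" task still edits /etc/sudoers with no syntax check, and a malformed sudoers locks every user out of sudo, so add `validate: '/usr/sbin/visudo -cf %s'` under that lineinfile. For consistency with the `latest` to `present` change made to the EPEL task, "Install prereqs" could also use `state: present` instead of the older alias `installed`.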