bootstrap: linting, handle oomd

Josh Lay 2023-08-30 20:26:56 -05:00
parent 46c14b88b7
commit 2c9f5aecc8
Signed by: jlay
GPG key ID: B265E45CACAD108A
3 changed files with 113 additions and 64 deletions


@ -2,7 +2,10 @@
DEFAULT_PKGS: DEFAULT_PKGS:
- sudo - sudo
- vim - vim
- vim-default-editor
UNWANTED_PKGS: UNWANTED_PKGS:
- earlyoom - earlyoom
- power-profiles-daemon - power-profiles-daemon
- nano - nano
- nano-default-editor
- systemd-oomd-defaults


@ -1,29 +1,38 @@
--- ---
- name: raise max_parallel_downloads to 20 - name: Raise max_parallel_downloads to 20
lineinfile: become: true
ansible.builtin.lineinfile:
path: /etc/dnf/dnf.conf path: /etc/dnf/dnf.conf
regexp: "^max_parallel_downloads.=" regexp: "^max_parallel_downloads.="
line: "max_parallel_downloads=20" line: "max_parallel_downloads=20"
- name: install dnf-automatic - name: Prepare automatic upgrade w/ dnf-automatic
package: block:
- name: Install dnf-automatic
become: true
ansible.builtin.package:
name: dnf-automatic name: dnf-automatic
state: present state: present
- name: configure dnf-automatic - name: Configure dnf-automatic
become: true become: true
lineinfile: ansible.builtin.lineinfile:
path: /etc/dnf/automatic.conf path: /etc/dnf/automatic.conf
state: present state: present
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
line: "{{ item.line }}" line: "{{ item.line }}"
with_items: with_items:
- { regexp: '^upgrade_type.=', line: 'upgrade_type = security' } - {regexp: '^upgrade_type.=', line: 'upgrade_type = default'}
- {regexp: '^emit_via.=', line: 'emit_via = stdio,motd'} - {regexp: '^emit_via.=', line: 'emit_via = stdio,motd'}
- { regexp: '^apply_updates.=', line: 'apply_updates = yes' } - {regexp: '^apply_updates.=', line: 'apply_updates = no'}
- {regexp: '^download_updates.=', line: 'download_updates = yes'}
- name: enable dnf-automatic timer - name: Enable dnf-automatic timer
systemd: become: true
ansible.builtin.systemd:
name: dnf-automatic.timer name: dnf-automatic.timer
state: started state: started
enabled: yes enabled: true
when:
- auto_update is defined
- auto_update | bool
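Review bot: Reading the right-hand column as the new side, the `with_items` list for /etc/dnf/automatic.conf now writes `upgrade_type = default` and `apply_updates = no` next to the added `download_updates = yes`. Hosts that used to install security updates unattended would then only download them, and nothing in this section applies or reports them afterwards. That is a patching-policy change in a commit titled as linting, so it deserves a line in the description and a comment above the list such as `# download only; updates must be applied by an operator or a separate job`. The indentation is lost on this page, so I cannot tell whether the trailing `when:` guards the whole block or only the timer task; if it is meant for the block, `when: auto_update | default(false) | bool` expresses both conditions in one line.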


@ -1,104 +1,141 @@
--- ---
- block: - block:
- name: gather package facts - name: Gather package facts
package_facts: ansible.builtin.package_facts:
manager: auto manager: auto
- name: check if atomic - name: Check if atomic
stat: ansible.builtin.stat:
path: /run/ostree-booted path: /run/ostree-booted
register: ostree register: ostree
- name: check for cloud.cfg - name: Check for cloud.cfg
stat: ansible.builtin.stat:
path: /etc/cloud/cloud.cfg path: /etc/cloud/cloud.cfg
register: cloudcfg register: cloudcfg
- name: set fact (atomic state) - name: Set fact (atomic state)
set_fact: ansible.builtin.set_fact:
is_atomic: "{{ ostree.stat.exists }}" is_atomic: "{{ ostree.stat.exists }}"
- name: set fact (cloud.cfg state) - name: Set fact (cloud.cfg state)
set_fact: ansible.builtin.set_fact:
is_cloudy: "{{ cloudcfg.stat.exists }}" is_cloudy: "{{ cloudcfg.stat.exists }}"
- name: include dnf tasks - name: Include dnf tasks
include_tasks: dnf.yml include_tasks: dnf.yml
when: (ansible_distribution in ["Fedora"] and not is_atomic) or (ansible_distribution in ["RedHat", "Red Hat Enterprise Linux", "CentOS"] and ansible_distribution_major_version is version('8', '>=')) when: (ansible_distribution in ["Fedora"] and not is_atomic) or (ansible_distribution in ["RedHat", "Red Hat Enterprise Linux", "CentOS"] and ansible_distribution_major_version is version('8', '>='))
- name: install prereqs - name: Remove unwanted packages
package: become: true
ansible.builtin.package:
name: "{{ item }}"
state: absent
when: "(item in ansible_facts.packages)"
with_items: "{{ UNWANTED_PKGS }}" # see roles/bootstrap/defaults/main.yml
- name: Install prereqs
become: true
ansible.builtin.package:
name: "{{ DEFAULT_PKGS | difference(ansible_facts.packages) }}" name: "{{ DEFAULT_PKGS | difference(ansible_facts.packages) }}"
state: installed state: installed
when: (ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat", "Fedora"] and not is_atomic) when: (ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat", "Fedora"] and not is_atomic)
- name: disable fastestmirror (fedora - non-atomic) - name: Disable fastestmirror (fedora - non-atomic)
lineinfile: become: true
ansible.builtin.lineinfile:
path: /etc/dnf/dnf.conf path: /etc/dnf/dnf.conf
regexp: "^fastestmirror=" regexp: "^fastestmirror="
line: "fastestmirror=False" line: "fastestmirror=False"
when: ansible_distribution in ["Fedora"] and not is_atomic when: ansible_distribution in ["Fedora"] and not is_atomic
- name: remove update_etc_hosts from cloud.cfg - name: Remove update_etc_hosts from cloud.cfg
lineinfile: become: true
ansible.builtin.lineinfile:
line: ' - update_etc_hosts' line: ' - update_etc_hosts'
path: /etc/cloud/cloud.cfg path: /etc/cloud/cloud.cfg
state: absent state: absent
when: is_cloudy|bool when: is_cloudy|bool
- name: add all hosts to /etc/hosts - name: Add all hosts to /etc/hosts
lineinfile: become: true
ansible.builtin.lineinfile:
path: /etc/hosts path: /etc/hosts
state: present state: present
line: "{{ hostvars[item].ip | default('127.0.0.1') }} {{ hostvars[item].ansible_hostname }}" line: "{{ hostvars[item].ip | default('127.0.0.1') }} {{ hostvars[item].ansible_hostname }}"
regexp: "^{{ hostvars[item].ip | default('127.0.0.1') }}.*{{ hostvars[item].ansible_hostname }}$" regexp: "^{{ hostvars[item].ip | default('127.0.0.1') }}.*{{ hostvars[item].ansible_hostname }}$"
with_items: "{{ groups.all }}" with_items: "{{ groups.all }}"
- name: set hostname to match inventory - name: Set hostname to match inventory
hostname: ansible.builtin.hostname:
name: "{{ inventory_hostname }}" name: "{{ inventory_hostname }}"
register: hostname_change register: hostname_change
- name: remove requiretty - name: Remove requiretty
lineinfile: become: true
ansible.builtin.lineinfile:
regexp: '^\w+\s+requiretty' regexp: '^\w+\s+requiretty'
path: /etc/sudoers path: /etc/sudoers
state: absent state: absent
- name: import epel GPG key - name: Import EPEL GPG key
rpm_key: become: true
ansible.builtin.rpm_key:
state: present state: present
key: https://getfedora.org/static/fedora.gpg key: https://getfedora.org/static/fedora.gpg
when: ansible_distribution in ['Red Hat Enterprise Linux', 'RedHat'] and not is_atomic when: ansible_distribution in ['Red Hat Enterprise Linux', 'RedHat'] and not is_atomic
- name: install epel (dist pkg) - name: Install EPEL (dist pkg)
package: become: true
ansible.builtin.package:
name: epel-release name: epel-release
state: latest state: present
when: ansible_distribution in ['CentOS'] and not is_atomic when: ansible_distribution in ['CentOS'] and not is_atomic
- name: install epel (upstream pkg) - name: Install EPEL (upstream pkg)
package: become: true
ansible.builtin.package:
name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm" name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
state: present state: present
when: ansible_distribution in ['Red Hat Enterprise Linux', 'RedHat'] and not is_atomic when: ansible_distribution in ['Red Hat Enterprise Linux', 'RedHat'] and not is_atomic
- name: remove unwanted packages - name: Disable NetworkManager phoning home on Fedora
package: become: true
name: "{{ item }}" ansible.builtin.file:
state: absent
when: "(item in ansible_facts.packages)"
with_items: "{{ UNWANTED_PKGS }}" # see roles/bootstrap/defaults/main.yml
- name: disable NetworkManager phoning home on Fedora
file:
path: /etc/NetworkManager/conf.d/20-connectivity-fedora.conf path: /etc/NetworkManager/conf.d/20-connectivity-fedora.conf
access_time: preserve # make this properly idempotent, register no change when file exists access_time: preserve # make this properly idempotent, register no change when file exists
modification_time: preserve # ^ modification_time: preserve # ^
state: touch state: touch
mode: 0644 mode: '0644'
when: (ansible_distribution in ['Fedora'] and not is_atomic) and ('NetworkManager' in ansible_facts.packages) when: (ansible_distribution in ['Fedora'] and not is_atomic) and ('NetworkManager' in ansible_facts.packages)
- name: Ensure systemd-oomd service and socket are disabled and stopped
become: true
ansible.builtin.systemd:
name: "{{ item }}"
state: stopped
enabled: false
with_items:
- systemd-oomd.service
- systemd-oomd.socket
when: (ansible_distribution in ['Fedora'] and not is_atomic)
- name: Ensure systemd-oomd service and socket are masked
become: true
ansible.builtin.systemd:
name: "{{ item }}"
masked: true
with_items:
- systemd-oomd.service
- systemd-oomd.socket
when: (ansible_distribution in ['Fedora'] and not is_atomic)
- name: Ensure systemd-oomd-defaults package is removed
become: true
ansible.builtin.package:
name: systemd-oomd-defaults
state: absent
tags: tags:
- bootstrap - bootstrap
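Review bot: The `Import EPEL GPG key` task trusts whatever `https://getfedora.org/static/fedora.gpg` serves as an RPM signing key, with nothing pinning the expected key. `ansible.builtin.rpm_key` has a `fingerprint` option, so adding `fingerprint: "<EXPECTED_KEY_FINGERPRINT>"` (placeholder; take the value from the published key) makes the task fail when the downloaded key is not the expected one. In the same section, `Remove requiretty` edits /etc/sudoers through `ansible.builtin.lineinfile` without `validate: /usr/sbin/visudo -cf %s`, so a malformed result would be written in place. `Set hostname to match inventory` is the one system-changing task here that did not gain `become: true`, which looks like an oversight unless the play escalates globally.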