From 46c14b88b7fa4101d3292e85d7b5936c998c10bf Mon Sep 17 00:00:00 2001
From: Josh Lay
Date: Wed, 30 Aug 2023 20:26:20 -0500
Subject: [PATCH] make some stuff distro-agnostic
---
roles/create-user/defaults/main.yml | 10 ++++++
roles/create-user/handlers/main.yml | 3 ++
roles/create-user/tasks/deb.yml | 23 -------------
roles/create-user/tasks/el.yml | 23 -------------
roles/create-user/tasks/main.yml | 38 ++++++++++++++++------
roles/sysctl/tasks/main.yml | 5 ---
roles/tmp-mount-fix/tasks/fix-enable.conf | 3 --
roles/tmp-mount-fix/tasks/main.yml | 20 ------------
roles/zfs/defaults/main.yml | 16 ----------
roles/zfs/tasks/el.yml | 8 -----
roles/zfs/tasks/main.yml | 39 -----------------------
roles/zfs/tasks/ubuntu.yml | 7 ----
roles/zfs/tasks/zfs-release.yml | 19 -----------
13 files changed, 41 insertions(+), 173 deletions(-)
create mode 100644 roles/create-user/handlers/main.yml
delete mode 100644 roles/create-user/tasks/deb.yml
delete mode 100644 roles/create-user/tasks/el.yml
delete mode 100644 roles/sysctl/tasks/main.yml
delete mode 100644 roles/tmp-mount-fix/tasks/fix-enable.conf
delete mode 100644 roles/tmp-mount-fix/tasks/main.yml
delete mode 100644 roles/zfs/defaults/main.yml
delete mode 100644 roles/zfs/tasks/el.yml
delete mode 100644 roles/zfs/tasks/main.yml
delete mode 100644 roles/zfs/tasks/ubuntu.yml
delete mode 100644 roles/zfs/tasks/zfs-release.yml
diff --git a/roles/create-user/defaults/main.yml b/roles/create-user/defaults/main.yml
index 584bf31..eead9bb 100644
--- a/roles/create-user/defaults/main.yml
+++ b/roles/create-user/defaults/main.yml
@@ -1,3 +1,13 @@
 ---
 create_username: "{{ lookup('env','USER') }}"
 create_pwgen: "{{ lookup('password', '/dev/null chars=ascii_letters,digits,hexdigits,punctuation length=32') }}"
+sudo_group_by_fam:
+ Debian: sudo
+ RedHat: wheel
+created_users_groups: # sorted by os_family
+ Debian:
+ - "{{ sudo_group_by_fam[ansible_os_family] }}"
+ RedHat:
+ - "{{ sudo_group_by_fam[ansible_os_family] }}"
+ - adm
+ - disk
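Review bot: The RedHat entry of `created_users_groups` adds the new account to `disk`, which grants read/write access to raw block devices and is effectively root-equivalent on its own; since tasks/main.yml already gives the user NOPASSWD sudo, the membership adds exposure without a stated need and should either go or carry a comment explaining why it is required. Both os_family entries only index `sudo_group_by_fam` with the same `ansible_os_family` key they sit under, so the indirection is redundant and `sudo`/`wheel` could be written directly. For any other os_family (Suse, Archlinux, …) neither mapping has an entry, so `created_users_groups[ansible_os_family]` fails templating despite the commit's distro-agnostic aim; a `| default([...])` at the use site, or an `assert` on `ansible_os_family in sudo_group_by_fam` at the top of the role, would make that failure explicit.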
diff --git a/roles/create-user/handlers/main.yml b/roles/create-user/handlers/main.yml
new file mode 100644
index 000000000..105f910
--- /dev/null
+++ b/roles/create-user/handlers/main.yml
@@ -0,0 +1,3 @@
+- name: print generated password
+ debug:
+ var: create_pwgen
diff --git a/roles/create-user/tasks/deb.yml b/roles/create-user/tasks/deb.yml
deleted file mode 100644
index ae9fe0d..000000000
--- a/roles/create-user/tasks/deb.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-
-- name: creating user {{ create_username }} in sudo group (Debian/Ubuntu)
- user:
- name: "{{ create_username }}"
- password: "{{ create_pwgen | password_hash('sha512') }}"
- state: present
- shell: /bin/bash
- groups: sudo
- append: yes
- generate_ssh_key: yes
- ssh_key_bits: 2048
- ssh_key_file: .ssh/id_rsa
- update_password: on_create
- register: user_created
-
-- name: enable nopasswd sudo (Debian/Ubuntu)
- lineinfile:
- dest: /etc/sudoers
- regexp: '^%sudo'
- line: "%sudo ALL=(ALL:ALL) NOPASSWD:ALL"
- state: present
- validate: 'visudo -cf %s'
diff --git a/roles/create-user/tasks/el.yml b/roles/create-user/tasks/el.yml
deleted file mode 100644
index 86834e8..000000000
--- a/roles/create-user/tasks/el.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-
-- name: creating user {{ create_username }} in wheel group (RHEL/CentOS/Fedora)
- user:
- name: "{{ create_username }}"
- password: "{{ create_pwgen | password_hash('sha512') }}"
- state: present
- shell: /bin/bash
- groups: wheel
- append: yes
- generate_ssh_key: yes
- ssh_key_bits: 2048
- ssh_key_file: .ssh/id_rsa
- update_password: on_create
- register: user_created
-
-- name: enable nopasswd sudo (RHEL/CentOS/Fedora)
- lineinfile:
- dest: /etc/sudoers
- regexp: '^%wheel'
- line: "%wheel ALL=(ALL) NOPASSWD: ALL"
- state: present
- validate: 'visudo -cf %s'
diff --git a/roles/create-user/tasks/main.yml b/roles/create-user/tasks/main.yml
index 323a3ac..2d36790 100644
--- a/roles/create-user/tasks/main.yml
+++ b/roles/create-user/tasks/main.yml
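Review bot: The handler prints `create_pwgen` in clear text, so the initial password lands in the play output and in any `log_path` or controller job log; a comment such as `# emits the new account's initial password in clear text -- meant for interactive runs only` would make that deliberate. The value shown may also not be the one that was hashed: `create_pwgen` is defined in defaults as a `lookup('password', '/dev/null ...')`, which as far as I can tell yields a fresh random string every time the variable is templated, so the `user` task and this handler would each see a different password unless the value is pinned once (for example with `set_fact` at the start of the role). That is worth verifying on a host before anyone relies on the printed value. The new file also lacks the `---` document start that the role's other YAML files use.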
@@ -1,21 +1,39 @@
 ---
 
-- include_tasks: deb.yml
- when: ansible_distribution in ["Debian", "Ubuntu"]
+- name: Create user {{ create_username }}
+ become: true
+ user:
+ name: "{{ create_username }}"
+ password: "{{ create_pwgen | password_hash('sha512') }}"
+ state: present
+ shell: /bin/bash
+ groups: "{{ created_users_groups[ansible_os_family] }}"
+ append: true
+ generate_ssh_key: false
+ ssh_key_bits: 2048
+ ssh_key_file: .ssh/id_rsa
+ update_password: on_create
+ register: user_created
+ notify: print generated password
 
-- include_tasks: el.yml
- when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat", "Fedora"]
-
-- name: print generated password for {{ create_username }} on each host
- debug: var=create_pwgen
- when: user_created is changed
+- name: enable nopasswd sudo
+ become: true
+ lineinfile:
+ dest: /etc/sudoers
+ regexp: '^{{ create_username }}'
+ line: "{{ create_username }} ALL=(ALL:ALL) NOPASSWD:ALL"
+ insertafter: '^%{{ sudo_group_by_fam[ansible_os_family] }}.*$'
+ state: present
+ validate: 'visudo -cf %s'
 
 - name: copy current pubkeys to ~{{ create_username }}/.ssh/authorized_keys
 authorized_key:
 user: "{{ create_username }}"
 state: present
 key: "{{ item }}"
+# key: "{{ URL_PUBKEYS }}"
+ ignore_errors: true # doesn't support sk-ecdsa-sha2-nistp256 keys
 with_items:
- - "{{ lookup('file','~/.ssh/id_ed25519.pub') }}"
- - "{{ lookup('file','~/.ssh/id_rsa.pub') }}"
 - "{{ lookup('file','~/.ssh/id_ecdsa.pub') }}"
+# - "{{ lookup('file','~/.ssh/id_ecdsa_sk.pub') }}"
+# - "{{ lookup('file','~/.ssh/id_ed25519.pub') }}"
diff --git a/roles/sysctl/tasks/main.yml b/roles/sysctl/tasks/main.yml
deleted file mode 100644
index 4f24388..000000000
--- a/roles/sysctl/tasks/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: raise somaxconn
- sysctl:
- name: net.core.somaxconn
- value: "1024"
diff --git a/roles/tmp-mount-fix/tasks/fix-enable.conf b/roles/tmp-mount-fix/tasks/fix-enable.conf
deleted file mode 100644
index 85e40a4..000000000
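Review bot: The sudoers `regexp: '^{{ create_username }}'` is not anchored after the name, so for a user `bob` it also matches an existing `bobby ALL=...` line and `lineinfile` would overwrite that other user's entry instead of adding one; `regexp: '^{{ create_username | regex_escape }}\s'` keeps the match exact and also covers usernames containing regex metacharacters. Writing a per-user `NOPASSWD:ALL` line straight into `/etc/sudoers` also diverges from the usual drop-in approach — a `copy`/`template` to `/etc/sudoers.d/{{ create_username }}` with `mode: '0440'` and the same `validate` leaves the main file untouched and is easier to revoke. In the `authorized_key` task, `ignore_errors: true` now hides every failure of that task, while the only active item is `id_ecdsa.pub`, for which the sk-ecdsa reason in the inline comment no longer applies; drop it, or narrow it with `failed_when` to the specific error. That same task, which writes into another user's `~/.ssh`, is the only one of the three without `become: true`; if the play does not set it globally, this inconsistency will fail on the first host.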
--- a/roles/tmp-mount-fix/tasks/fix-enable.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# Make 'systemctl enable tmp.mount' work:
-[Install]
-WantedBy=local-fs.target
diff --git a/roles/tmp-mount-fix/tasks/main.yml b/roles/tmp-mount-fix/tasks/main.yml
deleted file mode 100644
index c4d5179..000000000
--- a/roles/tmp-mount-fix/tasks/main.yml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-- block:
- - name: create tmp.mount.d dir
- file:
- path: /etc/systemd/system/tmp.mount.d/
- state: directory
- mode: '0755'
- register: tmpmnt_directory_state
- - name: add drop-in fix
- copy:
- dest: "/etc/systemd/system/tmp.mount.d/fix-enable.conf"
- src: "fix-enable.conf"
- register: fix_enable_conf
- - name: enable tmp.mount
- systemd:
- daemon_reload: yes
- masked: no
- name: tmp.mount
- enabled: yes
- when: (ansible_distribution in ["CentOS"] and ansible_distribution_major_version in ["8"]) or (ansible_distribution in ["Fedora"] and ansible_distribution_major_version in ["31", "32"])
diff --git a/roles/zfs/defaults/main.yml b/roles/zfs/defaults/main.yml
deleted file mode 100644
index 3c0c98c..000000000
--- a/roles/zfs/defaults/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-zfs_disk: /dev/vdb
-zfs_arc_size_mb: "{{ (ansible_memtotal_mb * 0.20)|int|abs }}"
-zfs_arc_size_bytes: "{{ zfs_arc_size_mb }}000000"
-EL_ZFS_PKGS:
- - kernel-devel
- - "@Development tools"
- - dkms
- - libuuid-devel
- - libblkid-devel
- - libtirpc-devel
- - openssl-devel
- - zfs
-UBUNTU_ZFS_PKGS:
- - zfsutils-linux
- - zfs-initramfs
diff --git a/roles/zfs/tasks/el.yml b/roles/zfs/tasks/el.yml
deleted file mode 100644
index f19204e..000000000
--- a/roles/zfs/tasks/el.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-
-- name: install zfs packages
- package:
- name: "{{ item }}"
- state: present
- with_items: "{{ EL_ZFS_PKGS | difference(ansible_facts.packages) }}"
- register: zfs_installed
diff --git a/roles/zfs/tasks/main.yml b/roles/zfs/tasks/main.yml
deleted file mode 100644
index 0fb926c..000000000
--- a/roles/zfs/tasks/main.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-
-- name: include zfs-release tasks (CentOS/RHEL/Fedora)
- include_tasks: zfs-release.yml
- when: ('zfs-release' not in ansible_facts.packages) and (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ])
-
-- name: include zfs installation tasks (Ubuntu)
- include_tasks: ubuntu.yml
- when: ansible_distribution in ["Ubuntu"]
-
-- name: include zfs installation tasks (CentOS/RHEL/Fedora)
- include_tasks: el.yml
- when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ] and not is_atomic)
-
-- name: load zfs module
- modprobe:
- name: zfs
- state: present
-
-- name: add zfs to modules-load.d
- copy:
- dest: "/etc/modules-load.d/zfs.conf"
- content: |
- zfs
- register: zfsload
-
-# does not adjust to 20% of each host, depends on consistency between hosts - inconsistency leads to disproportionate allocations
-- name: set zfs_arc_max to 20% of system memory
- lineinfile:
- path: "/etc/modprobe.d/zfs.conf"
- regexp: '^options zfs zfs_arc_max='
- line: 'options zfs zfs_arc_max="{{ zfs_arc_size_bytes }}"'
- create: yes
-
-# really bad idempotence in here...
-#- name: create zpool
-# command: "zpool create -f -O compression=lz4 data {{ zfs_disk }} -o ashift=13 -O secondarycache=all"
-# args:
-# creates: /etc/zvol/data/*
diff --git a/roles/zfs/tasks/ubuntu.yml b/roles/zfs/tasks/ubuntu.yml
deleted file mode 100644
index 14d44ad..000000000
--- a/roles/zfs/tasks/ubuntu.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-
-- name: install ZFS packages
- package:
- name: "{{ item }}"
- state: present
- with_items: "{{ UBUNTU_ZFS_PKGS | difference(ansible_facts.packages) }}"
diff --git a/roles/zfs/tasks/zfs-release.yml b/roles/zfs/tasks/zfs-release.yml
deleted file mode 100644
index 7a9273f..000000000
--- a/roles/zfs/tasks/zfs-release.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-
-- name: install zfs-release package (EPEL 7)
- yum:
- name: "http://download.zfsonlinux.org/epel/zfs-release.el7_7.noarch.rpm"
- state: present
- when: (ansible_distribution_major_version == "7")
-
-- name: install zfs-release package (EPEL 8)
- yum:
- name: "http://download.zfsonlinux.org/epel/zfs-release.el8_1.noarch.rpm"
- state: present
- when: (ansible_distribution_major_version == "8")
-
-- name: install/upgrade zfs-release package (Fedora)
- dnf:
- name: "http://download.zfsonlinux.org/fedora/zfs-release.fc{{ansible_distribution_major_version}}.noarch.rpm"
- state: present
- when: (ansible_distribution in ["Fedora"] and not is_atomic)