diff --git a/roles/bootstrap/defaults/main.yml b/roles/bootstrap/defaults/main.yml index 7dc77f3..0d5c7e1 100644 --- a/roles/bootstrap/defaults/main.yml +++ b/roles/bootstrap/defaults/main.yml @@ -2,10 +2,7 @@ DEFAULT_PKGS: - sudo - vim - - vim-default-editor UNWANTED_PKGS: - earlyoom - power-profiles-daemon - nano - - nano-default-editor - - systemd-oomd-defaults diff --git a/roles/bootstrap/tasks/dnf.yml b/roles/bootstrap/tasks/dnf.yml index 3c9744c..6db3cde 100644 --- a/roles/bootstrap/tasks/dnf.yml +++ b/roles/bootstrap/tasks/dnf.yml 
@@ -1,38 +1,29 @@ --- -- name: Raise max_parallel_downloads to 20 - become: true - ansible.builtin.lineinfile: +- name: raise max_parallel_downloads to 20 + lineinfile: path: /etc/dnf/dnf.conf regexp: "^max_parallel_downloads.=" line: "max_parallel_downloads=20" -- name: Prepare automatic upgrade w/ dnf-automatic - block: - - name: Install dnf-automatic - become: true - ansible.builtin.package: - name: dnf-automatic - state: present +- name: install dnf-automatic + package: + name: dnf-automatic + state: present - - name: Configure dnf-automatic - become: true - ansible.builtin.lineinfile: - path: /etc/dnf/automatic.conf - state: present - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - {regexp: '^upgrade_type.=', line: 'upgrade_type = default'} - - {regexp: '^emit_via.=', line: 'emit_via = stdio,motd'} - - {regexp: '^apply_updates.=', line: 'apply_updates = no'} - - {regexp: '^download_updates.=', line: 'download_updates = yes'} +- name: configure dnf-automatic + become: true + lineinfile: + path: /etc/dnf/automatic.conf + state: present + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^upgrade_type.=', line: 'upgrade_type = security' } + - { regexp: '^emit_via.=', line: 'emit_via = stdio,motd' } + - { regexp: '^apply_updates.=', line: 'apply_updates = yes' } - - name: Enable dnf-automatic timer - become: true - ansible.builtin.systemd: - name: dnf-automatic.timer - state: started - enabled: true - when: - - auto_update is defined - - auto_update | bool +- name: enable dnf-automatic timer + systemd: + name: dnf-automatic.timer + state: started + enabled: yes diff --git a/roles/bootstrap/tasks/main.yml b/roles/bootstrap/tasks/main.yml index e6c967c..4475c37 100644 --- a/roles/bootstrap/tasks/main.yml +++ b/roles/bootstrap/tasks/main.yml 
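Review bot: The `enable dnf-automatic timer` task now starts the timer on every host while `configure dnf-automatic` sets `apply_updates = yes`, so unattended upgrades become the default with no opt-in; the `when: auto_update is defined and auto_update | bool` guard that the removed block carried should stay on the timer task. The `raise max_parallel_downloads` and `install dnf-automatic` tasks in this hunk also lost `become: true` while `configure dnf-automatic` kept it, so the edit to /etc/dnf/dnf.conf and the install only succeed if the calling play escalates; the same `become` removal recurs in most hunks of this commit and is worth one decision for the whole role set. `enabled: yes` is a YAML 1.1 truthy and should be `enabled: true`, matching the `become: true` lines that remain.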
@@ -1,141 +1,104 @@ --- - block: - - name: Gather package facts - ansible.builtin.package_facts: + - name: gather package facts + package_facts: manager: auto - - name: Check if atomic - ansible.builtin.stat: + - name: check if atomic + stat: path: /run/ostree-booted register: ostree - - name: Check for cloud.cfg - ansible.builtin.stat: + - name: check for cloud.cfg + stat: path: /etc/cloud/cloud.cfg register: cloudcfg - - name: Set fact (atomic state) - ansible.builtin.set_fact: + - name: set fact (atomic state) + set_fact: is_atomic: "{{ ostree.stat.exists }}" - - name: Set fact (cloud.cfg state) - ansible.builtin.set_fact: + - name: set fact (cloud.cfg state) + set_fact: is_cloudy: "{{ cloudcfg.stat.exists }}" - - name: Include dnf tasks + - name: include dnf tasks include_tasks: dnf.yml when: (ansible_distribution in ["Fedora"] and not is_atomic) or (ansible_distribution in ["RedHat", "Red Hat Enterprise Linux", "CentOS"] and ansible_distribution_major_version is version('8', '>=')) - - name: Remove unwanted packages - become: true - ansible.builtin.package: - name: "{{ item }}" - state: absent - when: "(item in ansible_facts.packages)" - with_items: "{{ UNWANTED_PKGS }}" # see roles/bootstrap/defaults/main.yml - - - name: Install prereqs - become: true - ansible.builtin.package: + - name: install prereqs + package: name: "{{ DEFAULT_PKGS | difference(ansible_facts.packages) }}" state: installed when: (ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat", "Fedora"] and not is_atomic) - - name: Disable fastestmirror (fedora - non-atomic) - become: true - ansible.builtin.lineinfile: + - name: disable fastestmirror (fedora - non-atomic) + lineinfile: path: /etc/dnf/dnf.conf regexp: "^fastestmirror=" line: "fastestmirror=False" when: ansible_distribution in ["Fedora"] and not is_atomic - - name: Remove update_etc_hosts from cloud.cfg - become: true - ansible.builtin.lineinfile: + - name: remove update_etc_hosts from cloud.cfg + lineinfile: line: 
' - update_etc_hosts' path: /etc/cloud/cloud.cfg state: absent when: is_cloudy|bool - - - name: Add all hosts to /etc/hosts - become: true - ansible.builtin.lineinfile: + + - name: add all hosts to /etc/hosts + lineinfile: path: /etc/hosts state: present line: "{{ hostvars[item].ip | default('127.0.0.1') }} {{ hostvars[item].ansible_hostname }}" regexp: "^{{ hostvars[item].ip | default('127.0.0.1') }}.*{{ hostvars[item].ansible_hostname }}$" with_items: "{{ groups.all }}" - - name: Set hostname to match inventory - ansible.builtin.hostname: + - name: set hostname to match inventory + hostname: name: "{{ inventory_hostname }}" register: hostname_change - - name: Remove requiretty - become: true - ansible.builtin.lineinfile: + - name: remove requiretty + lineinfile: regexp: '^\w+\s+requiretty' path: /etc/sudoers state: absent - - name: Import EPEL GPG key - become: true - ansible.builtin.rpm_key: + - name: import epel GPG key + rpm_key: state: present key: https://getfedora.org/static/fedora.gpg when: ansible_distribution in ['Red Hat Enterprise Linux', 'RedHat'] and not is_atomic - - name: Install EPEL (dist pkg) - become: true - ansible.builtin.package: + - name: install epel (dist pkg) + package: name: epel-release - state: present + state: latest when: ansible_distribution in ['CentOS'] and not is_atomic - - name: Install EPEL (upstream pkg) - become: true - ansible.builtin.package: - name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm" + - name: install epel (upstream pkg) + package: + name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ansible_distribution_major_version}}.noarch.rpm" state: present when: ansible_distribution in ['Red Hat Enterprise Linux', 'RedHat'] and not is_atomic - - name: Disable NetworkManager phoning home on Fedora - become: true - ansible.builtin.file: + - name: remove unwanted packages + package: + name: "{{ item }}" + state: absent + when: "(item in 
ansible_facts.packages)" + with_items: "{{ UNWANTED_PKGS }}" # see roles/bootstrap/defaults/main.yml + + - name: disable NetworkManager phoning home on Fedora + file: path: /etc/NetworkManager/conf.d/20-connectivity-fedora.conf access_time: preserve # make this properly idempotent, register no change when file exists modification_time: preserve # ^ state: touch - mode: '0644' + mode: 0644 when: (ansible_distribution in ['Fedora'] and not is_atomic) and ('NetworkManager' in ansible_facts.packages) - - name: Ensure systemd-oomd service and socket are disabled and stopped - become: true - ansible.builtin.systemd: - name: "{{ item }}" - state: stopped - enabled: false - with_items: - - systemd-oomd.service - - systemd-oomd.socket - when: (ansible_distribution in ['Fedora'] and not is_atomic) - - - name: Ensure systemd-oomd service and socket are masked - become: true - ansible.builtin.systemd: - name: "{{ item }}" - masked: true - with_items: - - systemd-oomd.service - - systemd-oomd.socket - when: (ansible_distribution in ['Fedora'] and not is_atomic) - - - name: Ensure systemd-oomd-defaults package is removed - become: true - ansible.builtin.package: - name: systemd-oomd-defaults - state: absent - tags: - bootstrap diff --git a/roles/create-user/defaults/main.yml b/roles/create-user/defaults/main.yml index eead9bb..584bf31 100644 --- a/roles/create-user/defaults/main.yml +++ b/roles/create-user/defaults/main.yml @@ -1,13 +1,3 @@ --- create_username: "{{ lookup('env','USER') }}" create_pwgen: "{{ lookup('password', '/dev/null chars=ascii_letters,digits,hexdigits,punctuation length=32') }}" -sudo_group_by_fam: - Debian: sudo - RedHat: wheel -created_users_groups: # sorted by os_family - Debian: - - "{{ sudo_group_by_fam[ansible_os_family] }}" - RedHat: - - "{{ sudo_group_by_fam[ansible_os_family] }}" - - adm - - disk diff --git a/roles/create-user/handlers/main.yml b/roles/create-user/handlers/main.yml deleted file mode 100644 index 105f910..000000000 
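Review bot: `mode: 0644` on the NetworkManager drop-in is an unquoted octal literal; PyYAML reads it as 420 under YAML 1.1, but other loaders and ansible-lint (risky-octal) treat it differently, so keep `mode: '0644'`. `state: latest` on `install epel (dist pkg)` turns a bootstrap prerequisite into an unpinned upgrade on every run and reports changed whenever the repo moves; `state: present` expresses the intent and keeps the run idempotent. Note that `import epel GPG key` is what authenticates the upstream EPEL rpm fetched by URL, and both tasks are gated to RHEL, so the CentOS path relies on distro repo signing alone; a comment making that dependency explicit would help the next reader. Every task in this hunk also dropped `become: true`, which only works under play-level escalation.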
--- a/roles/create-user/handlers/main.yml +++ /dev/null @@ -1,3 +0,0 @@ -- name: print generated password - debug: - var: create_pwgen diff --git a/roles/create-user/tasks/deb.yml b/roles/create-user/tasks/deb.yml new file mode 100644 index 000000000..ae9fe0d --- /dev/null +++ b/roles/create-user/tasks/deb.yml @@ -0,0 +1,23 @@ +--- + +- name: creating user {{ create_username }} in sudo group (Debian/Ubuntu) + user: + name: "{{ create_username }}" + password: "{{ create_pwgen | password_hash('sha512') }}" + state: present + shell: /bin/bash + groups: sudo + append: yes + generate_ssh_key: yes + ssh_key_bits: 2048 + ssh_key_file: .ssh/id_rsa + update_password: on_create + register: user_created + +- name: enable nopasswd sudo (Debian/Ubuntu) + lineinfile: + dest: /etc/sudoers + regexp: '^%sudo' + line: "%sudo ALL=(ALL:ALL) NOPASSWD:ALL" + state: present + validate: 'visudo -cf %s' diff --git a/roles/create-user/tasks/el.yml b/roles/create-user/tasks/el.yml new file mode 100644 index 000000000..86834e8 --- /dev/null +++ b/roles/create-user/tasks/el.yml @@ -0,0 +1,23 @@ +--- + +- name: creating user {{ create_username }} in wheel group (RHEL/CentOS/Fedora) + user: + name: "{{ create_username }}" + password: "{{ create_pwgen | password_hash('sha512') }}" + state: present + shell: /bin/bash + groups: wheel + append: yes + generate_ssh_key: yes + ssh_key_bits: 2048 + ssh_key_file: .ssh/id_rsa + update_password: on_create + register: user_created + +- name: enable nopasswd sudo (RHEL/CentOS/Fedora) + lineinfile: + dest: /etc/sudoers + regexp: '^%wheel' + line: "%wheel ALL=(ALL) NOPASSWD: ALL" + state: present + validate: 'visudo -cf %s' diff --git a/roles/create-user/tasks/main.yml b/roles/create-user/tasks/main.yml index 2d36790..323a3ac 100644 --- a/roles/create-user/tasks/main.yml +++ b/roles/create-user/tasks/main.yml 
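Review bot: `line: "%sudo ALL=(ALL:ALL) NOPASSWD:ALL"` rewrites the distribution's `%sudo` rule, so every member of the sudo group, not only `{{ create_username }}`, gets passwordless root; the previous per-user rule was narrower, and a user-scoped line such as `{{ create_username }} ALL=(ALL:ALL) NOPASSWD:ALL` (ideally as its own file under /etc/sudoers.d/) keeps the grant to the account this role creates. el.yml in this commit does the same with `^%wheel`, and writes its rule as `(ALL) NOPASSWD: ALL` while deb.yml uses `(ALL:ALL) NOPASSWD:ALL`; the two files should agree. `generate_ssh_key: yes` with `ssh_key_bits: 2048` leaves an RSA private key in the new home directory on every target; if a key is really needed there, `ssh_key_type: ed25519` is the better default, and otherwise `generate_ssh_key: false` avoids an unused key.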
@@ -1,39 +1,21 @@ --- -- name: Create user {{ create_username }} - become: true - user: - name: "{{ create_username }}" - password: "{{ create_pwgen | password_hash('sha512') }}" - state: present - shell: /bin/bash - groups: "{{ created_users_groups[ansible_os_family] }}" - append: true - generate_ssh_key: false - ssh_key_bits: 2048 - ssh_key_file: .ssh/id_rsa - update_password: on_create - register: user_created - notify: print generated password +- include_tasks: deb.yml + when: ansible_distribution in ["Debian", "Ubuntu"] -- name: enable nopasswd sudo - become: true - lineinfile: - dest: /etc/sudoers - regexp: '^{{ create_username }}' - line: "{{ create_username }} ALL=(ALL:ALL) NOPASSWD:ALL" - insertafter: '^%{{ sudo_group_by_fam[ansible_os_family] }}.*$' - state: present - validate: 'visudo -cf %s' +- include_tasks: el.yml + when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat", "Fedora"] + +- name: print generated password for {{ create_username }} on each host + debug: var=create_pwgen + when: user_created is changed - name: copy current pubkeys to ~{{ create_username }}/.ssh/authorized_keys authorized_key: user: "{{ create_username }}" state: present key: "{{ item }}" -# key: "{{ URL_PUBKEYS }}" - ignore_errors: true # doesn't support sk-ecdsa-sha2-nistp256 keys with_items: + - "{{ lookup('file','~/.ssh/id_ed25519.pub') }}" + - "{{ lookup('file','~/.ssh/id_rsa.pub') }}" - "{{ lookup('file','~/.ssh/id_ecdsa.pub') }}" -# - "{{ lookup('file','~/.ssh/id_ecdsa_sk.pub') }}" -# - "{{ lookup('file','~/.ssh/id_ed25519.pub') }}" diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml deleted file mode 100644 index 85f041a..000000000 --- a/roles/docker/defaults/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -docker_pkgs: - Ubuntu: docker.io - Fedora: moby-engine diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index cf8559a..0e6da6b 100644 --- a/roles/docker/tasks/main.yml 
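Review bot: `debug: var=create_pwgen` prints the generated password in clear text to the play output, which lands in CI logs and any configured log_path; the removed handler did the same, but now that it is a plain task consider `no_log: true` on the tasks that touch the password and a documented delivery path other than stdout. `when: user_created is changed` relies on a variable registered inside deb.yml or el.yml, and on a host matching neither include it is undefined; the `changed` test on an undefined value most likely errors rather than skips, so `when: user_created is defined and user_created is changed` is safer. The authorized_key task keeps `ignore_errors: true` while templating three `lookup('file', ...)` entries: one missing key file on the controller fails the whole list, the failure is swallowed, and the new account ends up with no keys while the hardening role disables password login.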
+++ b/roles/docker/tasks/main.yml @@ -1,13 +1,32 @@ --- -# depends on create-user role / create_username var -- name: "Install Docker" - ansible.builtin.package: - name: "{{ docker_pkgs[ansible_distribution] }}" - state: present +- name: install docker + package: + name: docker + state: latest + when: ansible_distribution in ["CentOS", "Fedora", "Red Hat Enterprise Linux", "RedHat"] and not is_atomic + register: docker_installed -- name: Enable/start docker - ansible.builtin.service: +- name: add {{ username }} to 'dockerroot' group + user: + name: "{{ username }}" + groups: dockerroot + append: yes + when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat"] and not is_atomic + + +- name: copy daemon.json + copy: + src: roles/docker/files/daemon.json + dest: /etc/docker/daemon.json + owner: root + group: root + mode: 0644 + when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat"] and not is_atomic + +- name: enable/start docker + service: name: docker state: started - enabled: true + enabled: yes + when: ansible_distribution in ["CentOS", "Fedora", "Red Hat Enterprise Linux", "RedHat"] and not is_atomic diff --git a/roles/fedora-upgrade/defaults/main.yml b/roles/fedora-upgrade/defaults/main.yml index 7c4e83a..e57fbbd 100644 --- a/roles/fedora-upgrade/defaults/main.yml +++ b/roles/fedora-upgrade/defaults/main.yml @@ -1,4 +1,4 @@ --- -fedora_latest: 38 -fedora_minimum: 36 -fedora_target: "{{ fedora_latest | int }}" +fedora_latest: 35 +fedora_minimum: 33 +fedora_target: "{{ fedora_latest|int }}" diff --git a/roles/hardening/handlers/main.yml b/roles/hardening/handlers/main.yml index 49016c1..5b8df80 100644 --- a/roles/hardening/handlers/main.yml +++ b/roles/hardening/handlers/main.yml @@ -1,4 +1,3 @@ --- - name: restart sshd systemd: name=sshd state=restarted - become: true diff --git a/roles/hardening/tasks/centos-selinux.yml b/roles/hardening/tasks/centos-selinux.yml index 5d5fa37..2b3a4e2 100644 
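Review bot: `name: "{{ username }}"` in `add {{ username }} to 'dockerroot' group` uses a variable nothing in this commit defines, while the removed comment recorded the role's dependency on `create_username` from create-user; on the EL path this looks like an undefined-variable failure. If `dockerroot` is the group that owns the Docker socket, membership is root-equivalent and the task deserves a comment saying so. `src: roles/docker/files/daemon.json` is a path relative to the playbook rather than the role; `src: daemon.json` resolves against the role's files/ directory and keeps the role relocatable, and `mode: 0644` should be quoted as `mode: '0644'`. `state: latest` on `install docker` upgrades the engine on every run, which is rarely wanted from a provisioning role.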
--- a/roles/hardening/tasks/centos-selinux.yml +++ b/roles/hardening/tasks/centos-selinux.yml @@ -1,15 +1,13 @@ --- - name: Install required dependency libsemanage-python - become: true yum: name: libsemanage-python - state: present + state: latest when: (ansible_distribution_major_version is version('7', '=')) - name: Install required dependency python3-policycoreutils - become: true dnf: name: python3-policycoreutils - state: present + state: latest when: (ansible_distribution_major_version is version('8', '>=')) diff --git a/roles/hardening/tasks/fedora-selinux.yml b/roles/hardening/tasks/fedora-selinux.yml index 428ab79..6a91c6e 100644 --- a/roles/hardening/tasks/fedora-selinux.yml +++ b/roles/hardening/tasks/fedora-selinux.yml @@ -1,15 +1,13 @@ --- - name: Install required dependency python3-libsemanage - become: true dnf: name: python3-libsemanage - state: present + state: latest when: (ansible_distribution_major_version is version('31', '>=')) - name: Install required dependency libsemanage-python - become: true dnf: name: libsemanage-python - state: present + state: latest when: (ansible_distribution_major_version is version('30', '<=')) diff --git a/roles/hardening/tasks/main.yml b/roles/hardening/tasks/main.yml index 60ccc96..ef53844 100644 --- a/roles/hardening/tasks/main.yml +++ b/roles/hardening/tasks/main.yml 
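Review bot: `state: latest` on both dependency tasks here (and on the two in fedora-selinux.yml in this commit) turns an "ensure installed" prerequisite into an unconditional upgrade on every run, reporting changed whenever the repository moves and pulling updates outside the update-packages role; `state: present` matches what the task names say. Both files also drop `become: true` from the package tasks, so they depend on play-level escalation.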
@@ -2,82 +2,48 @@ - name: include SELinux package tasks for EL (CentOS/RHEL) include_tasks: centos-selinux.yml - tags: selinux when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat"]) - name: include SELinux package tasks for Fedora (non-atomic) include_tasks: fedora-selinux.yml - tags: selinux when: (ansible_distribution in ["Fedora"] and not is_atomic) # likely to break on non-RHEL/derivatives, could use improvement. -- name: ensure firewalld is installed - become: true - package: - name: firewalld - state: present - - name: enable firewalld - become: true service: name: firewalld state: started - enabled: true + enabled: yes -- name: harden sshd - tags: harden_sshd - become: true - block: - - name: "SSH: disable password auth" - lineinfile: - path: /etc/ssh/sshd_config - regexp: "^PasswordAuthentication" - line: "PasswordAuthentication no" - validate: '/usr/sbin/sshd -t -f %s' - notify: restart sshd - - name: "SSH: config custom port" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^Port ' - line: "Port {{ hardened_ssh_port }}" - insertbefore: "(^|#)AddressFamily.*" - validate: '/usr/sbin/sshd -t -f %s' - when: (hardened_ssh_port is defined) - notify: restart sshd - - name: "only allow root logins with keys" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^PermitRootLogin ' - line: 'PermitRootLogin prohibit-password' - validate: '/usr/sbin/sshd -t -f %s' - notify: restart sshd - - name: "disallow keyboard interactive auth to address some PAM edge cases" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^KbdInteractiveAuthentication ' - line: 'KbdInteractiveAuthentication no' - validate: '/usr/sbin/sshd -t -f %s' - notify: restart sshd +- name: SSH - disable password auth + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "^PasswordAuthentication" + line: "PasswordAuthentication no" + state: present + notify: restart sshd -- name: "permit custom SSH port ({{ hardened_ssh_port }})" - become: true +- name: SSH - config 
port 1181 + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^Port ' + line: 'Port 1181' + insertbefore: "(^|#)AddressFamily.*" + validate: '/usr/sbin/sshd -t -f %s' + notify: restart sshd + +- name: allow custom SSH port in selinux seport: - ports: "{{ hardened_ssh_port }}" + ports: 1181 proto: tcp setype: ssh_port_t state: present - when: - - hardened_ssh_port is defined - - ansible_selinux is defined - - ansible_selinux.status == 'enabled' - tags: selinux + when: (ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled') # also likely to break on non-RHEL/derivatives, could use improvement too. -- name: "firewalld: grant access to custom SSH port" - become: true +- name: allow custom SSH port in firewalld firewalld: - port: "{{ hardened_ssh_port }}/tcp" - permanent: true - immediate: true + port: 1181/tcp + permanent: yes + immediate: yes state: enabled - when: (hardened_ssh_port is defined) diff --git a/roles/install-packages/defaults/main.yml b/roles/install-packages/defaults/main.yml index b1b5ca0..3369ece 100644 --- a/roles/install-packages/defaults/main.yml +++ b/roles/install-packages/defaults/main.yml @@ -22,7 +22,5 @@ EL_PKGS: - wget - cockpit - ioping - - kitty-terminfo - - dnf-plugin-system-upgrade DEB_PKGS: - dnsutils diff --git a/roles/install-packages/tasks/deb.yml b/roles/install-packages/tasks/deb.yml index fbe758e..83608f6 100644 --- a/roles/install-packages/tasks/deb.yml +++ b/roles/install-packages/tasks/deb.yml @@ -1,7 +1,6 @@ --- - name: install packages (Debian/Ubuntu) - become: true package: name: "{{ (COMMON_PKGS + DEB_PKGS) | difference(ansible_facts.packages) }}" state: present diff --git a/roles/install-packages/tasks/el.yml b/roles/install-packages/tasks/el.yml index 34d6211..82128b4 100644 --- a/roles/install-packages/tasks/el.yml +++ b/roles/install-packages/tasks/el.yml 
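Review bot: `SSH - disable password auth` no longer validates the edited file (`validate: '/usr/sbin/sshd -t -f %s'` survives only on the port task), so a malformed sshd_config from this task is discovered when the `restart sshd` handler fails and leaves the daemon down on a remote host; add the validate line back. The custom port is now the literal `1181` in three places with the `when: (hardened_ssh_port is defined)` guards gone, so the seport and firewalld tasks always open 1181 even where the port edit is not wanted; a single `hardened_ssh_port` variable keeps the three in step. With `PermitRootLogin` and `KbdInteractiveAuthentication` no longer managed, `PasswordAuthentication no` on its own can still leave PAM keyboard-interactive password prompts reachable on some builds, which deserves a comment if the omission is deliberate. `enable firewalld` now runs without the install task that preceded it, so it fails on images that ship without firewalld.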
@@ -1,7 +1,6 @@ --- - name: install packages (EPEL/Fedora) - become: true package: name: "{{ (COMMON_PKGS + EL_PKGS) | difference(ansible_facts.packages) }}" state: present diff --git a/roles/install-packages/tasks/main.yml b/roles/install-packages/tasks/main.yml index cef579f..72c4982 100644 --- a/roles/install-packages/tasks/main.yml +++ b/roles/install-packages/tasks/main.yml @@ -2,6 +2,19 @@ - include_tasks: deb.yml when: ansible_distribution in ["Debian", "Ubuntu"] - + - include_tasks: el.yml when: ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora"] and not is_atomic + +# Need an idempotent way to install packages on atomic +# command module isn't idempotent and the package module insists on installing containers. + +#- name: install packages (fedora - atomic) +# command: rpm-ostree install '{{ item }}' +# with_items: +# - htop +# - vim +# - iperf3 +# - strace +# - nmap +# when: ansible_distribution == 'Fedora' and is_atomic diff --git a/roles/sysctl/tasks/main.yml b/roles/sysctl/tasks/main.yml new file mode 100644 index 000000000..4f24388 --- /dev/null +++ b/roles/sysctl/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- name: raise somaxconn + sysctl: + name: net.core.somaxconn + value: "1024" diff --git a/roles/tmp-mount-fix/tasks/fix-enable.conf b/roles/tmp-mount-fix/tasks/fix-enable.conf new file mode 100644 index 000000000..85e40a4 --- /dev/null +++ b/roles/tmp-mount-fix/tasks/fix-enable.conf @@ -0,0 +1,3 @@ +# Make 'systemctl enable tmp.mount' work: +[Install] +WantedBy=local-fs.target diff --git a/roles/tmp-mount-fix/tasks/main.yml b/roles/tmp-mount-fix/tasks/main.yml new file mode 100644 index 000000000..c4d5179 --- /dev/null +++ b/roles/tmp-mount-fix/tasks/main.yml 
@@ -0,0 +1,20 @@ +--- +- block: + - name: create tmp.mount.d dir + file: + path: /etc/systemd/system/tmp.mount.d/ + state: directory + mode: '0755' + register: tmpmnt_directory_state + - name: add drop-in fix + copy: + dest: "/etc/systemd/system/tmp.mount.d/fix-enable.conf" + src: "fix-enable.conf" + register: fix_enable_conf + - name: enable tmp.mount + systemd: + daemon_reload: yes + masked: no + name: tmp.mount + enabled: yes + when: (ansible_distribution in ["CentOS"] and ansible_distribution_major_version in ["8"]) or (ansible_distribution in ["Fedora"] and ansible_distribution_major_version in ["31", "32"]) diff --git a/roles/tuned/handlers/main.yml b/roles/tuned/handlers/main.yml index 9a9188c..fb4ce78 100644 --- a/roles/tuned/handlers/main.yml +++ b/roles/tuned/handlers/main.yml @@ -3,6 +3,3 @@ service: name: tuned state: restarted - -- name: enable tuned profile - command: "/usr/sbin/tuned-adm profile {{ tuned_custom_profile.name }}" diff --git a/roles/tuned/tasks/configure-custom-profile.yml b/roles/tuned/tasks/configure-custom-profile.yml index 6f1286a..73c114d 100644 --- a/roles/tuned/tasks/configure-custom-profile.yml +++ b/roles/tuned/tasks/configure-custom-profile.yml @@ -1,6 +1,5 @@ --- - name: create custom tuned profile directory - become: true file: path: "/etc/tuned/{{ tuned_custom_profile.name }}" state: directory @@ -9,14 +8,16 @@ mode: 0755 - name: copy custom profile configuration file - become: true template: src: custom_profile.conf.j2 dest: "/etc/tuned/{{ tuned_custom_profile.name }}/tuned.conf" owner: root group: root mode: 0644 - notify: - - restart tuned - - enable tuned profile + notify: restart tuned register: tuned_custom_profile_template + +- name: set custom tuned profile + command: "/usr/sbin/tuned-adm profile {{ tuned_custom_profile.name }}" + when: + - tuned_custom_profile_template is changed diff --git a/roles/tuned/tasks/main.yml b/roles/tuned/tasks/main.yml index c75baee..62b1542 100644 --- a/roles/tuned/tasks/main.yml 
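Review bot: `src: "fix-enable.conf"` in `add drop-in fix` is resolved against the role's files/ directory, but this commit adds the drop-in at roles/tmp-mount-fix/tasks/fix-enable.conf, so the copy will most likely fail with a missing source; move the file to files/ or point `src` at its actual location. The copy also sets no `owner`, `group` or `mode`, so the systemd drop-in inherits the remote umask; `mode: '0644'` makes it explicit, as the directory task already does. `daemon_reload: yes`, `masked: no` and `enabled: yes` are YAML 1.1 truthies and should be `true`/`false`.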
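Review bot: `set custom tuned profile` runs only `when: tuned_custom_profile_template is changed`, so a host whose template is already in place but whose active profile was switched back never gets the profile re-applied, even though main.yml registers `tuned_active` for exactly this check; something like `when: tuned_custom_profile_template is changed or (tuned_active.stdout is defined and tuned_custom_profile.name not in tuned_active.stdout)` would cover it, assuming `tuned_active` is available in this include. A short comment on the command task explaining why it runs outside the handler (so the profile is set in the same play rather than at flush time) would also save the next reader a trip through the diff.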
+++ b/roles/tuned/tasks/main.yml @@ -1,35 +1,31 @@ --- - name: update apt caches - become: true apt: - update_cache: true + update_cache: yes when: (ansible_os_family in ["Debian"] ) - name: install packages - become: true package: name: "{{ item }}" - state: present + state: latest with_items: - - tuned - - tuned-utils -# - tuned-profiles-realtime # only on Fedora? not on centos 8 stream + - tuned + - tuned-utils +# - tuned-profiles-realtime # only on Fedora? not on centos 8 stream - name: start service - become: true service: name: tuned - enabled: true + enabled: yes state: started - name: get active tuned profile - become: true command: /usr/sbin/tuned-adm active register: tuned_active changed_when: false ignore_errors: true -- name: deploy custom tuned profiles - include_tasks: configure-custom-profile.yml +- name: deploy {{ tuned_custom_profile }} based on {{ tuned_base_profile }} + include: configure-custom-profile.yml when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ] and not is_atomic) diff --git a/roles/update-packages/tasks/main.yml b/roles/update-packages/tasks/main.yml index bc85cf2..67cb672 100644 --- a/roles/update-packages/tasks/main.yml +++ b/roles/update-packages/tasks/main.yml @@ -32,6 +32,6 @@ timeout: 300 delay: 20 when: host_reset is changed - become: true + tags: - update diff --git a/roles/zfs/defaults/main.yml b/roles/zfs/defaults/main.yml new file mode 100644 index 000000000..3c0c98c --- /dev/null +++ b/roles/zfs/defaults/main.yml @@ -0,0 +1,16 @@ +--- +zfs_disk: /dev/vdb +zfs_arc_size_mb: "{{ (ansible_memtotal_mb * 0.20)|int|abs }}" +zfs_arc_size_bytes: "{{ zfs_arc_size_mb }}000000" +EL_ZFS_PKGS: + - kernel-devel + - "@Development tools" + - dkms + - libuuid-devel + - libblkid-devel + - libtirpc-devel + - openssl-devel + - zfs +UBUNTU_ZFS_PKGS: + - zfsutils-linux + - zfs-initramfs diff --git a/roles/zfs/tasks/el.yml b/roles/zfs/tasks/el.yml new file mode 100644 index 000000000..f19204e 
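Review bot: `include: configure-custom-profile.yml` replaces `include_tasks`; the bare `include` action was deprecated in Ansible 2.4 and removed in ansible-core 2.16, so this hunk fails on a current controller — keep `include_tasks: configure-custom-profile.yml`. The task name `deploy {{ tuned_custom_profile }} based on {{ tuned_base_profile }}` renders the whole profile mapping into the name and references `tuned_base_profile`, which nothing in this diff defines. `state: latest` combined with a per-item `with_items` loop upgrades tuned on every run and invokes the package manager once per package; `state: present` with the list passed directly to `name:` is idempotent and faster.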
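Review bot: `zfs_arc_size_bytes: "{{ zfs_arc_size_mb }}000000"` builds the byte count by string concatenation, so it is decimal megabytes times 10^6 rather than MiB times 2^20 (roughly 5% below the intended 20%), and the `|abs` on a product of positive values does nothing; `zfs_arc_size_bytes: "{{ (ansible_memtotal_mb * 0.20) | int * 1024 * 1024 }}"` states the computation directly. `"@Development tools"` in EL_ZFS_PKGS is a package group and never appears in `ansible_facts.packages`, so the `difference()` filter in el.yml re-submits it on every run; install the group in its own task or accept the non-idempotent report with a comment.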
--- /dev/null +++ b/roles/zfs/tasks/el.yml @@ -0,0 +1,8 @@ +--- + +- name: install zfs packages + package: + name: "{{ item }}" + state: present + with_items: "{{ EL_ZFS_PKGS | difference(ansible_facts.packages) }}" + register: zfs_installed diff --git a/roles/zfs/tasks/main.yml b/roles/zfs/tasks/main.yml new file mode 100644 index 000000000..0fb926c --- /dev/null +++ b/roles/zfs/tasks/main.yml @@ -0,0 +1,39 @@ +--- + +- name: include zfs-release tasks (CentOS/RHEL/Fedora) + include_tasks: zfs-release.yml + when: ('zfs-release' not in ansible_facts.packages) and (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ]) + +- name: include zfs installation tasks (Ubuntu) + include_tasks: ubuntu.yml + when: ansible_distribution in ["Ubuntu"] + +- name: include zfs installation tasks (CentOS/RHEL/Fedora) + include_tasks: el.yml + when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ] and not is_atomic) + +- name: load zfs module + modprobe: + name: zfs + state: present + +- name: add zfs to modules-load.d + copy: + dest: "/etc/modules-load.d/zfs.conf" + content: | + zfs + register: zfsload + +# does not adjust to 20% of each host, depends on consistency between hosts - inconsistency leads to disproportionate allocations +- name: set zfs_arc_max to 20% of system memory + lineinfile: + path: "/etc/modprobe.d/zfs.conf" + regexp: '^options zfs zfs_arc_max=' + line: 'options zfs zfs_arc_max="{{ zfs_arc_size_bytes }}"' + create: yes + +# really bad idempotence in here... +#- name: create zpool +# command: "zpool create -f -O compression=lz4 data {{ zfs_disk }} -o ashift=13 -O secondarycache=all" +# args: +# creates: /etc/zvol/data/* diff --git a/roles/zfs/tasks/ubuntu.yml b/roles/zfs/tasks/ubuntu.yml new file mode 100644 index 000000000..14d44ad --- /dev/null +++ b/roles/zfs/tasks/ubuntu.yml 
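Review bot: `load zfs module` and the `lineinfile` on /etc/modprobe.d/zfs.conf run unconditionally, while every package include above them is gated on distribution and `not is_atomic`, so on an atomic Fedora host or any distribution outside the lists the modprobe runs before anything has installed the module and fails the play; gate both on the same condition as the includes or on `zfs_installed is defined`. `line: 'options zfs zfs_arc_max="{{ zfs_arc_size_bytes }}"'` writes the double quotes into the modprobe option itself; unless the module parameter parser is known to strip them, `options zfs zfs_arc_max={{ zfs_arc_size_bytes }}` is the safer literal. `create: yes` should be `create: true`, and the "really bad idempotence" comment above the disabled zpool task is a good place to also record that the pool is expected to be created by hand.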
@@ -0,0 +1,7 @@ +--- + +- name: install ZFS packages + package: + name: "{{ item }}" + state: present + with_items: "{{ UBUNTU_ZFS_PKGS | difference(ansible_facts.packages) }}" diff --git a/roles/zfs/tasks/zfs-release.yml b/roles/zfs/tasks/zfs-release.yml new file mode 100644 index 000000000..7a9273f --- /dev/null +++ b/roles/zfs/tasks/zfs-release.yml @@ -0,0 +1,19 @@ +--- + +- name: install zfs-release package (EPEL 7) + yum: + name: "http://download.zfsonlinux.org/epel/zfs-release.el7_7.noarch.rpm" + state: present + when: (ansible_distribution_major_version == "7") + +- name: install zfs-release package (EPEL 8) + yum: + name: "http://download.zfsonlinux.org/epel/zfs-release.el8_1.noarch.rpm" + state: present + when: (ansible_distribution_major_version == "8") + +- name: install/upgrade zfs-release package (Fedora) + dnf: + name: "http://download.zfsonlinux.org/fedora/zfs-release.fc{{ansible_distribution_major_version}}.noarch.rpm" + state: present + when: (ansible_distribution in ["Fedora"] and not is_atomic)
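Review bot: All three `name:` URLs fetch the zfs-release RPMs over plain `http://`, so the package that installs the ZFS repository definition and its signing key travels unauthenticated; switch them to `https://`, and since the package modules only verify signatures against keys already imported, either import the upstream signing key with `rpm_key` first or document that this first install is trusted on transport alone. The EPEL 7/8 tasks also hardcode point releases (`el7_7`, `el8_1`) in the filename, which will stop resolving as upstream moves on; a comment naming where those come from and how to refresh them would help, and the Fedora task's `{{ansible_distribution_major_version}}` should carry the usual spaces inside the braces for consistency with the rest of the role set.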