diff --git a/roles/bootstrap/defaults/main.yml b/roles/bootstrap/defaults/main.yml index 0d5c7e1..7dc77f3 100644 --- a/roles/bootstrap/defaults/main.yml +++ b/roles/bootstrap/defaults/main.yml @@ -2,7 +2,10 @@ DEFAULT_PKGS: - sudo - vim + - vim-default-editor UNWANTED_PKGS: - earlyoom - power-profiles-daemon - nano + - nano-default-editor + - systemd-oomd-defaults diff --git a/roles/bootstrap/tasks/dnf.yml b/roles/bootstrap/tasks/dnf.yml index 6db3cde..3c9744c 100644 --- a/roles/bootstrap/tasks/dnf.yml +++ b/roles/bootstrap/tasks/dnf.yml 
@@ -1,29 +1,38 @@ --- -- name: raise max_parallel_downloads to 20 - lineinfile: +- name: Raise max_parallel_downloads to 20 + become: true + ansible.builtin.lineinfile: path: /etc/dnf/dnf.conf regexp: "^max_parallel_downloads.=" line: "max_parallel_downloads=20" -- name: install dnf-automatic - package: - name: dnf-automatic - state: present +- name: Prepare automatic upgrade w/ dnf-automatic + block: + - name: Install dnf-automatic + become: true + ansible.builtin.package: + name: dnf-automatic + state: present -- name: configure dnf-automatic - become: true - lineinfile: - path: /etc/dnf/automatic.conf - state: present - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^upgrade_type.=', line: 'upgrade_type = security' } - - { regexp: '^emit_via.=', line: 'emit_via = stdio,motd' } - - { regexp: '^apply_updates.=', line: 'apply_updates = yes' } + - name: Configure dnf-automatic + become: true + ansible.builtin.lineinfile: + path: /etc/dnf/automatic.conf + state: present + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - {regexp: '^upgrade_type.=', line: 'upgrade_type = default'} + - {regexp: '^emit_via.=', line: 'emit_via = stdio,motd'} + - {regexp: '^apply_updates.=', line: 'apply_updates = no'} + - {regexp: '^download_updates.=', line: 'download_updates = yes'} -- name: enable dnf-automatic timer - systemd: - name: dnf-automatic.timer - state: started - enabled: yes + - name: Enable dnf-automatic timer + become: true + ansible.builtin.systemd: + name: dnf-automatic.timer + state: started + enabled: true + when: + - auto_update is defined + - auto_update | bool diff --git a/roles/bootstrap/tasks/main.yml b/roles/bootstrap/tasks/main.yml index 4475c37..e6c967c 100644 --- a/roles/bootstrap/tasks/main.yml +++ b/roles/bootstrap/tasks/main.yml 
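Review bot: The `Configure dnf-automatic` items flip `apply_updates` from `yes` to `no` and `upgrade_type` from `security` to `default`, so the timer this block enables now only stages downloads and no longer installs security fixes unattended; if that is intended, say so beside the items, e.g. `# download-only: updates are staged, never applied — see auto_update`. Each `lineinfile` item appends at end of file when its regexp finds no match, which in an INI file lands the key in whatever section comes last rather than `[commands]` (or `[emitters]` for `emit_via`); a per-item `insertafter` such as `'^\[commands\]'` would pin placement. `become: true` is repeated on all three tasks inside the block; moving it to the block level next to `when:` removes the repetition.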
@@ -1,104 +1,141 @@ --- - block: - - name: gather package facts - package_facts: + - name: Gather package facts + ansible.builtin.package_facts: manager: auto - - name: check if atomic - stat: + - name: Check if atomic + ansible.builtin.stat: path: /run/ostree-booted register: ostree - - name: check for cloud.cfg - stat: + - name: Check for cloud.cfg + ansible.builtin.stat: path: /etc/cloud/cloud.cfg register: cloudcfg - - name: set fact (atomic state) - set_fact: + - name: Set fact (atomic state) + ansible.builtin.set_fact: is_atomic: "{{ ostree.stat.exists }}" - - name: set fact (cloud.cfg state) - set_fact: + - name: Set fact (cloud.cfg state) + ansible.builtin.set_fact: is_cloudy: "{{ cloudcfg.stat.exists }}" - - name: include dnf tasks + - name: Include dnf tasks include_tasks: dnf.yml when: (ansible_distribution in ["Fedora"] and not is_atomic) or (ansible_distribution in ["RedHat", "Red Hat Enterprise Linux", "CentOS"] and ansible_distribution_major_version is version('8', '>=')) - - name: install prereqs - package: + - name: Remove unwanted packages + become: true + ansible.builtin.package: + name: "{{ item }}" + state: absent + when: "(item in ansible_facts.packages)" + with_items: "{{ UNWANTED_PKGS }}" # see roles/bootstrap/defaults/main.yml + + - name: Install prereqs + become: true + ansible.builtin.package: name: "{{ DEFAULT_PKGS | difference(ansible_facts.packages) }}" state: installed when: (ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat", "Fedora"] and not is_atomic) - - name: disable fastestmirror (fedora - non-atomic) - lineinfile: + - name: Disable fastestmirror (fedora - non-atomic) + become: true + ansible.builtin.lineinfile: path: /etc/dnf/dnf.conf regexp: "^fastestmirror=" line: "fastestmirror=False" when: ansible_distribution in ["Fedora"] and not is_atomic - - name: remove update_etc_hosts from cloud.cfg - lineinfile: + - name: Remove update_etc_hosts from cloud.cfg + become: true + ansible.builtin.lineinfile: line: 
' - update_etc_hosts' path: /etc/cloud/cloud.cfg state: absent when: is_cloudy|bool - - - name: add all hosts to /etc/hosts - lineinfile: + + - name: Add all hosts to /etc/hosts + become: true + ansible.builtin.lineinfile: path: /etc/hosts state: present line: "{{ hostvars[item].ip | default('127.0.0.1') }} {{ hostvars[item].ansible_hostname }}" regexp: "^{{ hostvars[item].ip | default('127.0.0.1') }}.*{{ hostvars[item].ansible_hostname }}$" with_items: "{{ groups.all }}" - - name: set hostname to match inventory - hostname: + - name: Set hostname to match inventory + ansible.builtin.hostname: name: "{{ inventory_hostname }}" register: hostname_change - - name: remove requiretty - lineinfile: + - name: Remove requiretty + become: true + ansible.builtin.lineinfile: regexp: '^\w+\s+requiretty' path: /etc/sudoers state: absent - - name: import epel GPG key - rpm_key: + - name: Import EPEL GPG key + become: true + ansible.builtin.rpm_key: state: present key: https://getfedora.org/static/fedora.gpg when: ansible_distribution in ['Red Hat Enterprise Linux', 'RedHat'] and not is_atomic - - name: install epel (dist pkg) - package: + - name: Install EPEL (dist pkg) + become: true + ansible.builtin.package: name: epel-release - state: latest + state: present when: ansible_distribution in ['CentOS'] and not is_atomic - - name: install epel (upstream pkg) - package: - name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ansible_distribution_major_version}}.noarch.rpm" + - name: Install EPEL (upstream pkg) + become: true + ansible.builtin.package: + name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm" state: present when: ansible_distribution in ['Red Hat Enterprise Linux', 'RedHat'] and not is_atomic - - name: remove unwanted packages - package: - name: "{{ item }}" - state: absent - when: "(item in ansible_facts.packages)" - with_items: "{{ UNWANTED_PKGS }}" # see roles/bootstrap/defaults/main.yml 
- - - name: disable NetworkManager phoning home on Fedora - file: + - name: Disable NetworkManager phoning home on Fedora + become: true + ansible.builtin.file: path: /etc/NetworkManager/conf.d/20-connectivity-fedora.conf access_time: preserve # make this properly idempotent, register no change when file exists modification_time: preserve # ^ state: touch - mode: 0644 + mode: '0644' when: (ansible_distribution in ['Fedora'] and not is_atomic) and ('NetworkManager' in ansible_facts.packages) + - name: Ensure systemd-oomd service and socket are disabled and stopped + become: true + ansible.builtin.systemd: + name: "{{ item }}" + state: stopped + enabled: false + with_items: + - systemd-oomd.service + - systemd-oomd.socket + when: (ansible_distribution in ['Fedora'] and not is_atomic) + + - name: Ensure systemd-oomd service and socket are masked + become: true + ansible.builtin.systemd: + name: "{{ item }}" + masked: true + with_items: + - systemd-oomd.service + - systemd-oomd.socket + when: (ansible_distribution in ['Fedora'] and not is_atomic) + + - name: Ensure systemd-oomd-defaults package is removed + become: true + ansible.builtin.package: + name: systemd-oomd-defaults + state: absent + tags: - bootstrap diff --git a/roles/create-user/defaults/main.yml b/roles/create-user/defaults/main.yml index 584bf31..eead9bb 100644 --- a/roles/create-user/defaults/main.yml +++ b/roles/create-user/defaults/main.yml @@ -1,3 +1,13 @@ --- create_username: "{{ lookup('env','USER') }}" create_pwgen: "{{ lookup('password', '/dev/null chars=ascii_letters,digits,hexdigits,punctuation length=32') }}" +sudo_group_by_fam: + Debian: sudo + RedHat: wheel +created_users_groups: # sorted by os_family + Debian: + - "{{ sudo_group_by_fam[ansible_os_family] }}" + RedHat: + - "{{ sudo_group_by_fam[ansible_os_family] }}" + - adm + - disk diff --git a/roles/create-user/handlers/main.yml b/roles/create-user/handlers/main.yml new file mode 100644 index 000000000..105f910 --- /dev/null 
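Review bot: `Remove requiretty` edits `/etc/sudoers` with `lineinfile` and no `validate:`, whereas the sudoers edit in roles/create-user validates with `visudo -cf %s`; add `validate: 'visudo -cf %s'` here too, so a bad edit cannot leave sudo unusable on hosts the rest of the role now reaches through `become: true`. The new `Ensure systemd-oomd-defaults package is removed` task duplicates the `systemd-oomd-defaults` entry added to `UNWANTED_PKGS` in roles/bootstrap/defaults/main.yml, which `Remove unwanted packages` already handles, and unlike the two unit tasks it carries no Fedora guard; keep one of the two removals. `Ensure systemd-oomd service and socket are disabled and stopped` and `… are masked` can be one `ansible.builtin.systemd` task with `state: stopped`, `enabled: false`, `masked: true` over the same two-item loop.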
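Review bot: `created_users_groups.RedHat` puts the new account in `disk`, which grants read/write access to raw block devices and is root-equivalent independent of sudo (and outside sudo's logging); unless raw device access is needed, drop it, and otherwise mark it: `# disk: raw block-device access, root-equivalent`. Both entries of `created_users_groups` resolve `sudo_group_by_fam[ansible_os_family]` inside a map that is itself keyed by `ansible_os_family`, so `Debian: [sudo]` and `RedHat: [wheel, adm, disk]` would read more directly; `sudo_group_by_fam` is still needed on its own by the `insertafter` regexp in roles/create-user/tasks/main.yml.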
+++ b/roles/create-user/handlers/main.yml @@ -0,0 +1,3 @@ +- name: print generated password + debug: + var: create_pwgen diff --git a/roles/create-user/tasks/deb.yml b/roles/create-user/tasks/deb.yml deleted file mode 100644 index ae9fe0d..000000000 --- a/roles/create-user/tasks/deb.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- - -- name: creating user {{ create_username }} in sudo group (Debian/Ubuntu) - user: - name: "{{ create_username }}" - password: "{{ create_pwgen | password_hash('sha512') }}" - state: present - shell: /bin/bash - groups: sudo - append: yes - generate_ssh_key: yes - ssh_key_bits: 2048 - ssh_key_file: .ssh/id_rsa - update_password: on_create - register: user_created - -- name: enable nopasswd sudo (Debian/Ubuntu) - lineinfile: - dest: /etc/sudoers - regexp: '^%sudo' - line: "%sudo ALL=(ALL:ALL) NOPASSWD:ALL" - state: present - validate: 'visudo -cf %s' diff --git a/roles/create-user/tasks/el.yml b/roles/create-user/tasks/el.yml deleted file mode 100644 index 86834e8..000000000 --- a/roles/create-user/tasks/el.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- - -- name: creating user {{ create_username }} in wheel group (RHEL/CentOS/Fedora) - user: - name: "{{ create_username }}" - password: "{{ create_pwgen | password_hash('sha512') }}" - state: present - shell: /bin/bash - groups: wheel - append: yes - generate_ssh_key: yes - ssh_key_bits: 2048 - ssh_key_file: .ssh/id_rsa - update_password: on_create - register: user_created - -- name: enable nopasswd sudo (RHEL/CentOS/Fedora) - lineinfile: - dest: /etc/sudoers - regexp: '^%wheel' - line: "%wheel ALL=(ALL) NOPASSWD: ALL" - state: present - validate: 'visudo -cf %s' diff --git a/roles/create-user/tasks/main.yml b/roles/create-user/tasks/main.yml index 323a3ac..2d36790 100644 --- a/roles/create-user/tasks/main.yml +++ b/roles/create-user/tasks/main.yml 
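Review bot: `print generated password` writes the clear-text initial password for `create_username` into the play output, where a configured `log_path` or a logging callback retains it; record that at the handler, e.g. `# emits the clear-text initial password — protect play logs or deliver it another way`. The new file also lacks the `---` document start the other role files use and calls plain `debug` while the rest of the commit moves to `ansible.builtin.*` names; `ansible.builtin.debug` keeps it consistent.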
@@ -1,21 +1,39 @@ --- -- include_tasks: deb.yml - when: ansible_distribution in ["Debian", "Ubuntu"] +- name: Create user {{ create_username }} + become: true + user: + name: "{{ create_username }}" + password: "{{ create_pwgen | password_hash('sha512') }}" + state: present + shell: /bin/bash + groups: "{{ created_users_groups[ansible_os_family] }}" + append: true + generate_ssh_key: false + ssh_key_bits: 2048 + ssh_key_file: .ssh/id_rsa + update_password: on_create + register: user_created + notify: print generated password -- include_tasks: el.yml - when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat", "Fedora"] - -- name: print generated password for {{ create_username }} on each host - debug: var=create_pwgen - when: user_created is changed +- name: enable nopasswd sudo + become: true + lineinfile: + dest: /etc/sudoers + regexp: '^{{ create_username }}' + line: "{{ create_username }} ALL=(ALL:ALL) NOPASSWD:ALL" + insertafter: '^%{{ sudo_group_by_fam[ansible_os_family] }}.*$' + state: present + validate: 'visudo -cf %s' - name: copy current pubkeys to ~{{ create_username }}/.ssh/authorized_keys authorized_key: user: "{{ create_username }}" state: present key: "{{ item }}" +# key: "{{ URL_PUBKEYS }}" + ignore_errors: true # doesn't support sk-ecdsa-sha2-nistp256 keys with_items: - - "{{ lookup('file','~/.ssh/id_ed25519.pub') }}" - - "{{ lookup('file','~/.ssh/id_rsa.pub') }}" - "{{ lookup('file','~/.ssh/id_ecdsa.pub') }}" +# - "{{ lookup('file','~/.ssh/id_ecdsa_sk.pub') }}" +# - "{{ lookup('file','~/.ssh/id_ed25519.pub') }}" diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml new file mode 100644 index 000000000..85f041a --- /dev/null +++ b/roles/docker/defaults/main.yml @@ -0,0 +1,4 @@ +--- +docker_pkgs: + Ubuntu: docker.io + Fedora: moby-engine diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 0e6da6b..cf8559a 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml 
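Review bot: In `enable nopasswd sudo` the regexp `'^{{ create_username }}'` is a bare prefix, so a username that is a prefix of another sudoers entry, or one containing regex metacharacters, can match or rewrite the wrong line; anchor and escape it: `regexp: '^{{ create_username | regex_escape }}\s'`. Writing a per-user rule into `/etc/sudoers` itself also makes this the second task in the repo editing that file; a drop-in `dest: /etc/sudoers.d/{{ create_username }}` with `create: true`, `mode: '0440'` and the same `validate` leaves the main file alone. In the `authorized_key` task, `ignore_errors: true` hides more than the sk-ecdsa case the comment names — a missing `~/.ssh/id_ecdsa.pub` on the controller would likely pass silently as well, leaving the account with only the generated password, which the hardening role's `PasswordAuthentication no` then makes useless for login; a `failed_when` limited to the unsupported-key error, or a `lookup('file', …, errors='ignore')` check beforehand, keeps the guard narrow. `generate_ssh_key: false` leaves `ssh_key_bits` and `ssh_key_file` as dead parameters, and the `authorized_key` task is the only one of the three without `become: true`.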
@@ -1,32 +1,13 @@ --- +# depends on create-user role / create_username var -- name: install docker - package: - name: docker - state: latest - when: ansible_distribution in ["CentOS", "Fedora", "Red Hat Enterprise Linux", "RedHat"] and not is_atomic - register: docker_installed +- name: "Install Docker" + ansible.builtin.package: + name: "{{ docker_pkgs[ansible_distribution] }}" + state: present -- name: add {{ username }} to 'dockerroot' group - user: - name: "{{ username }}" - groups: dockerroot - append: yes - when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat"] and not is_atomic - - -- name: copy daemon.json - copy: - src: roles/docker/files/daemon.json - dest: /etc/docker/daemon.json - owner: root - group: root - mode: 0644 - when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat"] and not is_atomic - -- name: enable/start docker - service: +- name: Enable/start docker + ansible.builtin.service: name: docker state: started - enabled: yes - when: ansible_distribution in ["CentOS", "Fedora", "Red Hat Enterprise Linux", "RedHat"] and not is_atomic + enabled: true diff --git a/roles/fedora-upgrade/defaults/main.yml b/roles/fedora-upgrade/defaults/main.yml index e57fbbd..7c4e83a 100644 --- a/roles/fedora-upgrade/defaults/main.yml +++ b/roles/fedora-upgrade/defaults/main.yml @@ -1,4 +1,4 @@ --- -fedora_latest: 35 -fedora_minimum: 33 -fedora_target: "{{ fedora_latest|int }}" +fedora_latest: 38 +fedora_minimum: 36 +fedora_target: "{{ fedora_latest | int }}" diff --git a/roles/hardening/handlers/main.yml b/roles/hardening/handlers/main.yml index 5b8df80..49016c1 100644 --- a/roles/hardening/handlers/main.yml +++ b/roles/hardening/handlers/main.yml @@ -1,3 +1,4 @@ --- - name: restart sshd systemd: name=sshd state=restarted + become: true diff --git a/roles/hardening/tasks/centos-selinux.yml b/roles/hardening/tasks/centos-selinux.yml index 2b3a4e2..5d5fa37 100644 --- a/roles/hardening/tasks/centos-selinux.yml 
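Review bot: `Install Docker` indexes `docker_pkgs[ansible_distribution]`, and roles/docker/defaults/main.yml only defines `Ubuntu` and `Fedora`, so on any other distribution the task now fails with an undefined-variable error where the old `when:` simply skipped; guard both tasks with `when: ansible_distribution in docker_pkgs`, or add the missing distributions to the map. The new header comment `# depends on create-user role / create_username var` is stale: the task that used the user variable was removed in this hunk and nothing left in the file references `create_username`. Neither remaining task has `become: true`, although the same commit adds it to the package and service tasks in hardening, tuned and install-packages.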
+++ b/roles/hardening/tasks/centos-selinux.yml @@ -1,13 +1,15 @@ --- - name: Install required dependency libsemanage-python + become: true yum: name: libsemanage-python - state: latest + state: present when: (ansible_distribution_major_version is version('7', '=')) - name: Install required dependency python3-policycoreutils + become: true dnf: name: python3-policycoreutils - state: latest + state: present when: (ansible_distribution_major_version is version('8', '>=')) diff --git a/roles/hardening/tasks/fedora-selinux.yml b/roles/hardening/tasks/fedora-selinux.yml index 6a91c6e..428ab79 100644 --- a/roles/hardening/tasks/fedora-selinux.yml +++ b/roles/hardening/tasks/fedora-selinux.yml @@ -1,13 +1,15 @@ --- - name: Install required dependency python3-libsemanage + become: true dnf: name: python3-libsemanage - state: latest + state: present when: (ansible_distribution_major_version is version('31', '>=')) - name: Install required dependency libsemanage-python + become: true dnf: name: libsemanage-python - state: latest + state: present when: (ansible_distribution_major_version is version('30', '<=')) diff --git a/roles/hardening/tasks/main.yml b/roles/hardening/tasks/main.yml index ef53844..60ccc96 100644 --- a/roles/hardening/tasks/main.yml +++ b/roles/hardening/tasks/main.yml 
@@ -2,48 +2,82 @@ - name: include SELinux package tasks for EL (CentOS/RHEL) include_tasks: centos-selinux.yml + tags: selinux when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat"]) - name: include SELinux package tasks for Fedora (non-atomic) include_tasks: fedora-selinux.yml + tags: selinux when: (ansible_distribution in ["Fedora"] and not is_atomic) # likely to break on non-RHEL/derivatives, could use improvement. +- name: ensure firewalld is installed + become: true + package: + name: firewalld + state: present + - name: enable firewalld + become: true service: name: firewalld state: started - enabled: yes + enabled: true -- name: SSH - disable password auth - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^PasswordAuthentication" - line: "PasswordAuthentication no" - state: present - notify: restart sshd +- name: harden sshd + tags: harden_sshd + become: true + block: + - name: "SSH: disable password auth" + lineinfile: + path: /etc/ssh/sshd_config + regexp: "^PasswordAuthentication" + line: "PasswordAuthentication no" + validate: '/usr/sbin/sshd -t -f %s' + notify: restart sshd + - name: "SSH: config custom port" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^Port ' + line: "Port {{ hardened_ssh_port }}" + insertbefore: "(^|#)AddressFamily.*" + validate: '/usr/sbin/sshd -t -f %s' + when: (hardened_ssh_port is defined) + notify: restart sshd + - name: "only allow root logins with keys" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^PermitRootLogin ' + line: 'PermitRootLogin prohibit-password' + validate: '/usr/sbin/sshd -t -f %s' + notify: restart sshd + - name: "disallow keyboard interactive auth to address some PAM edge cases" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^KbdInteractiveAuthentication ' + line: 'KbdInteractiveAuthentication no' + validate: '/usr/sbin/sshd -t -f %s' + notify: restart sshd -- name: SSH - config port 1181 - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^Port ' - 
line: 'Port 1181' - insertbefore: "(^|#)AddressFamily.*" - validate: '/usr/sbin/sshd -t -f %s' - notify: restart sshd - -- name: allow custom SSH port in selinux +- name: "permit custom SSH port ({{ hardened_ssh_port }})" + become: true seport: - ports: 1181 + ports: "{{ hardened_ssh_port }}" proto: tcp setype: ssh_port_t state: present - when: (ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled') + when: + - hardened_ssh_port is defined + - ansible_selinux is defined + - ansible_selinux.status == 'enabled' + tags: selinux # also likely to break on non-RHEL/derivatives, could use improvement too. -- name: allow custom SSH port in firewalld +- name: "firewalld: grant access to custom SSH port" + become: true firewalld: - port: 1181/tcp - permanent: yes - immediate: yes + port: "{{ hardened_ssh_port }}/tcp" + permanent: true + immediate: true state: enabled + when: (hardened_ssh_port is defined) diff --git a/roles/install-packages/defaults/main.yml b/roles/install-packages/defaults/main.yml index 3369ece..b1b5ca0 100644 --- a/roles/install-packages/defaults/main.yml +++ b/roles/install-packages/defaults/main.yml @@ -22,5 +22,7 @@ EL_PKGS: - wget - cockpit - ioping + - kitty-terminfo + - dnf-plugin-system-upgrade DEB_PKGS: - dnsutils diff --git a/roles/install-packages/tasks/deb.yml b/roles/install-packages/tasks/deb.yml index 83608f6..fbe758e 100644 --- a/roles/install-packages/tasks/deb.yml +++ b/roles/install-packages/tasks/deb.yml @@ -1,6 +1,7 @@ --- - name: install packages (Debian/Ubuntu) + become: true package: name: "{{ (COMMON_PKGS + DEB_PKGS) | difference(ansible_facts.packages) }}" state: present diff --git a/roles/install-packages/tasks/el.yml b/roles/install-packages/tasks/el.yml index 82128b4..34d6211 100644 --- a/roles/install-packages/tasks/el.yml +++ b/roles/install-packages/tasks/el.yml 
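Review bot: `tags: selinux` on the two `include_tasks` entries tags only the include itself; the tasks inside centos-selinux.yml and fedora-selinux.yml stay untagged, so a run with `--tags selinux` includes the file and then skips every task in it — move the tag under `apply` (`include_tasks: {file: centos-selinux.yml, apply: {tags: selinux}}`) or switch to `import_tasks`. The `harden sshd` block edits `/etc/ssh/sshd_config` in place; on distributions whose stock file starts with `Include /etc/ssh/sshd_config.d/*.conf`, drop-ins are read first and sshd keeps the first value it sees, so a vendor or cloud-init drop-in can override `PermitRootLogin` or `PasswordAuthentication` set here — writing the settings to a drop-in such as `/etc/ssh/sshd_config.d/00-hardening.conf`, or checking `sshd -T` afterwards, would be more robust; please confirm against the target images. The three tasks without `insertbefore` append at end of file when the keyword is only present commented out, and if the file ends in a `Match` block the appended line is scoped to that block; `insertbefore: '^Match '` with `firstmatch: true` guards that case. `firewalld: grant access to custom SSH port` opens `hardened_ssh_port/tcp` but leaves the zone's default `ssh` service entry, so port 22 stays open after sshd has moved; a follow-up `firewalld` task with `service: ssh`, `state: disabled`, `permanent: true`, `immediate: true` closes it.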
@@ -1,6 +1,7 @@ --- - name: install packages (EPEL/Fedora) + become: true package: name: "{{ (COMMON_PKGS + EL_PKGS) | difference(ansible_facts.packages) }}" state: present diff --git a/roles/install-packages/tasks/main.yml b/roles/install-packages/tasks/main.yml index 72c4982..cef579f 100644 --- a/roles/install-packages/tasks/main.yml +++ b/roles/install-packages/tasks/main.yml @@ -2,19 +2,6 @@ - include_tasks: deb.yml when: ansible_distribution in ["Debian", "Ubuntu"] - + - include_tasks: el.yml when: ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora"] and not is_atomic - -# Need an idempotent way to install packages on atomic -# command module isn't idempotent and the package module insists on installing containers. - -#- name: install packages (fedora - atomic) -# command: rpm-ostree install '{{ item }}' -# with_items: -# - htop -# - vim -# - iperf3 -# - strace -# - nmap -# when: ansible_distribution == 'Fedora' and is_atomic diff --git a/roles/sysctl/tasks/main.yml b/roles/sysctl/tasks/main.yml deleted file mode 100644 index 4f24388..000000000 --- a/roles/sysctl/tasks/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: raise somaxconn - sysctl: - name: net.core.somaxconn - value: "1024" diff --git a/roles/tmp-mount-fix/tasks/fix-enable.conf b/roles/tmp-mount-fix/tasks/fix-enable.conf deleted file mode 100644 index 85e40a4..000000000 --- a/roles/tmp-mount-fix/tasks/fix-enable.conf +++ /dev/null @@ -1,3 +0,0 @@ -# Make 'systemctl enable tmp.mount' work: -[Install] -WantedBy=local-fs.target diff --git a/roles/tmp-mount-fix/tasks/main.yml b/roles/tmp-mount-fix/tasks/main.yml deleted file mode 100644 index c4d5179..000000000 --- a/roles/tmp-mount-fix/tasks/main.yml +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -- block: - - name: create tmp.mount.d dir - file: - path: /etc/systemd/system/tmp.mount.d/ - state: directory - mode: '0755' - register: tmpmnt_directory_state - - name: add drop-in fix - copy: - dest: "/etc/systemd/system/tmp.mount.d/fix-enable.conf" - src: "fix-enable.conf" - register: fix_enable_conf - - name: enable tmp.mount - systemd: - daemon_reload: yes - masked: no - name: tmp.mount - enabled: yes - when: (ansible_distribution in ["CentOS"] and ansible_distribution_major_version in ["8"]) or (ansible_distribution in ["Fedora"] and ansible_distribution_major_version in ["31", "32"]) diff --git a/roles/tuned/handlers/main.yml b/roles/tuned/handlers/main.yml index fb4ce78..9a9188c 100644 --- a/roles/tuned/handlers/main.yml +++ b/roles/tuned/handlers/main.yml @@ -3,3 +3,6 @@ service: name: tuned state: restarted + +- name: enable tuned profile + command: "/usr/sbin/tuned-adm profile {{ tuned_custom_profile.name }}" diff --git a/roles/tuned/tasks/configure-custom-profile.yml b/roles/tuned/tasks/configure-custom-profile.yml index 73c114d..6f1286a 100644 --- a/roles/tuned/tasks/configure-custom-profile.yml +++ b/roles/tuned/tasks/configure-custom-profile.yml @@ -1,5 +1,6 @@ --- - name: create custom tuned profile directory + become: true file: path: "/etc/tuned/{{ tuned_custom_profile.name }}" state: directory @@ -8,16 +9,14 @@ mode: 0755 - name: copy custom profile configuration file + become: true template: src: custom_profile.conf.j2 dest: "/etc/tuned/{{ tuned_custom_profile.name }}/tuned.conf" owner: root group: root mode: 0644 - notify: restart tuned + notify: + - restart tuned + - enable tuned profile register: tuned_custom_profile_template - -- name: set custom tuned profile - command: "/usr/sbin/tuned-adm profile {{ tuned_custom_profile.name }}" - when: - - tuned_custom_profile_template is changed diff --git a/roles/tuned/tasks/main.yml b/roles/tuned/tasks/main.yml index 62b1542..c75baee 100644 --- a/roles/tuned/tasks/main.yml 
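Review bot: The new `enable tuned profile` handler runs `tuned-adm profile …` through `command` without `become: true`, while the tasks in roles/tuned/tasks/configure-custom-profile.yml that notify it gained `become: true` in this same commit and the `restart sshd` handler in roles/hardening was given it too; `tuned-adm profile` needs root, so add `become: true` here. `ansible.builtin.command` would also match the naming the rest of the commit adopts.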
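Review bot: `mode: 0755` and `mode: 0644` in this hunk remain unquoted octal literals, while the same commit rewrites the NetworkManager task in roles/bootstrap/tasks/main.yml to `mode: '0644'`; quoting both here (`mode: '0755'`, `mode: '0644'`) keeps the repo on one convention and avoids the YAML 1.1 integer parse. The `notify` list relies on `restart tuned` being defined before `enable tuned profile` in roles/tuned/handlers/main.yml, since handlers run in definition order rather than notify order; a comment such as `# handlers run in the order defined in handlers/main.yml: restart first, then select profile` would keep a later reorder of that file from silently switching the profile before the restart.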
+++ b/roles/tuned/tasks/main.yml @@ -1,31 +1,35 @@ --- - name: update apt caches + become: true apt: - update_cache: yes + update_cache: true when: (ansible_os_family in ["Debian"] ) - name: install packages + become: true package: name: "{{ item }}" - state: latest + state: present with_items: - - tuned - - tuned-utils -# - tuned-profiles-realtime # only on Fedora? not on centos 8 stream + - tuned + - tuned-utils +# - tuned-profiles-realtime # only on Fedora? not on centos 8 stream - name: start service + become: true service: name: tuned - enabled: yes + enabled: true state: started - name: get active tuned profile + become: true command: /usr/sbin/tuned-adm active register: tuned_active changed_when: false ignore_errors: true -- name: deploy {{ tuned_custom_profile }} based on {{ tuned_base_profile }} - include: configure-custom-profile.yml +- name: deploy custom tuned profiles + include_tasks: configure-custom-profile.yml when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ] and not is_atomic) diff --git a/roles/update-packages/tasks/main.yml b/roles/update-packages/tasks/main.yml index 67cb672..bc85cf2 100644 --- a/roles/update-packages/tasks/main.yml +++ b/roles/update-packages/tasks/main.yml @@ -32,6 +32,6 @@ timeout: 300 delay: 20 when: host_reset is changed - + become: true tags: - update diff --git a/roles/zfs/defaults/main.yml b/roles/zfs/defaults/main.yml deleted file mode 100644 index 3c0c98c..000000000 --- a/roles/zfs/defaults/main.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -zfs_disk: /dev/vdb -zfs_arc_size_mb: "{{ (ansible_memtotal_mb * 0.20)|int|abs }}" -zfs_arc_size_bytes: "{{ zfs_arc_size_mb }}000000" -EL_ZFS_PKGS: - - kernel-devel - - "@Development tools" - - dkms - - libuuid-devel - - libblkid-devel - - libtirpc-devel - - openssl-devel - - zfs -UBUNTU_ZFS_PKGS: - - zfsutils-linux - - zfs-initramfs diff --git a/roles/zfs/tasks/el.yml b/roles/zfs/tasks/el.yml deleted file mode 100644 index f19204e..000000000 
--- a/roles/zfs/tasks/el.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -- name: install zfs packages - package: - name: "{{ item }}" - state: present - with_items: "{{ EL_ZFS_PKGS | difference(ansible_facts.packages) }}" - register: zfs_installed diff --git a/roles/zfs/tasks/main.yml b/roles/zfs/tasks/main.yml deleted file mode 100644 index 0fb926c..000000000 --- a/roles/zfs/tasks/main.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- - -- name: include zfs-release tasks (CentOS/RHEL/Fedora) - include_tasks: zfs-release.yml - when: ('zfs-release' not in ansible_facts.packages) and (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ]) - -- name: include zfs installation tasks (Ubuntu) - include_tasks: ubuntu.yml - when: ansible_distribution in ["Ubuntu"] - -- name: include zfs installation tasks (CentOS/RHEL/Fedora) - include_tasks: el.yml - when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ] and not is_atomic) - -- name: load zfs module - modprobe: - name: zfs - state: present - -- name: add zfs to modules-load.d - copy: - dest: "/etc/modules-load.d/zfs.conf" - content: | - zfs - register: zfsload - -# does not adjust to 20% of each host, depends on consistency between hosts - inconsistency leads to disproportionate allocations -- name: set zfs_arc_max to 20% of system memory - lineinfile: - path: "/etc/modprobe.d/zfs.conf" - regexp: '^options zfs zfs_arc_max=' - line: 'options zfs zfs_arc_max="{{ zfs_arc_size_bytes }}"' - create: yes - -# really bad idempotence in here... -#- name: create zpool -# command: "zpool create -f -O compression=lz4 data {{ zfs_disk }} -o ashift=13 -O secondarycache=all" -# args: -# creates: /etc/zvol/data/* diff --git a/roles/zfs/tasks/ubuntu.yml b/roles/zfs/tasks/ubuntu.yml deleted file mode 100644 index 14d44ad..000000000 --- a/roles/zfs/tasks/ubuntu.yml +++ /dev/null 
@@ -1,7 +0,0 @@ ---- - -- name: install ZFS packages - package: - name: "{{ item }}" - state: present - with_items: "{{ UBUNTU_ZFS_PKGS | difference(ansible_facts.packages) }}" diff --git a/roles/zfs/tasks/zfs-release.yml b/roles/zfs/tasks/zfs-release.yml deleted file mode 100644 index 7a9273f..000000000 --- a/roles/zfs/tasks/zfs-release.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- - -- name: install zfs-release package (EPEL 7) - yum: - name: "http://download.zfsonlinux.org/epel/zfs-release.el7_7.noarch.rpm" - state: present - when: (ansible_distribution_major_version == "7") - -- name: install zfs-release package (EPEL 8) - yum: - name: "http://download.zfsonlinux.org/epel/zfs-release.el8_1.noarch.rpm" - state: present - when: (ansible_distribution_major_version == "8") - -- name: install/upgrade zfs-release package (Fedora) - dnf: - name: "http://download.zfsonlinux.org/fedora/zfs-release.fc{{ansible_distribution_major_version}}.noarch.rpm" - state: present - when: (ansible_distribution in ["Fedora"] and not is_atomic)