

8 commits

31 changed files with 262 additions and 324 deletions


@ -2,7 +2,10 @@
DEFAULT_PKGS: DEFAULT_PKGS:
- sudo - sudo
- vim - vim
- vim-default-editor
UNWANTED_PKGS: UNWANTED_PKGS:
- earlyoom - earlyoom
- power-profiles-daemon - power-profiles-daemon
- nano - nano
- nano-default-editor
- systemd-oomd-defaults


@ -1,29 +1,38 @@
--- ---
- name: raise max_parallel_downloads to 20 - name: Raise max_parallel_downloads to 20
lineinfile: become: true
ansible.builtin.lineinfile:
path: /etc/dnf/dnf.conf path: /etc/dnf/dnf.conf
regexp: "^max_parallel_downloads.=" regexp: "^max_parallel_downloads.="
line: "max_parallel_downloads=20" line: "max_parallel_downloads=20"
- name: install dnf-automatic - name: Prepare automatic upgrade w/ dnf-automatic
package: block:
name: dnf-automatic - name: Install dnf-automatic
state: present become: true
ansible.builtin.package:
name: dnf-automatic
state: present
- name: configure dnf-automatic - name: Configure dnf-automatic
become: true become: true
lineinfile: ansible.builtin.lineinfile:
path: /etc/dnf/automatic.conf path: /etc/dnf/automatic.conf
state: present state: present
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
line: "{{ item.line }}" line: "{{ item.line }}"
with_items: with_items:
- { regexp: '^upgrade_type.=', line: 'upgrade_type = security' } - {regexp: '^upgrade_type.=', line: 'upgrade_type = default'}
- { regexp: '^emit_via.=', line: 'emit_via = stdio,motd' } - {regexp: '^emit_via.=', line: 'emit_via = stdio,motd'}
- { regexp: '^apply_updates.=', line: 'apply_updates = yes' } - {regexp: '^apply_updates.=', line: 'apply_updates = no'}
- {regexp: '^download_updates.=', line: 'download_updates = yes'}
- name: enable dnf-automatic timer - name: Enable dnf-automatic timer
systemd: become: true
name: dnf-automatic.timer ansible.builtin.systemd:
state: started name: dnf-automatic.timer
enabled: yes state: started
enabled: true
when:
- auto_update is defined
- auto_update | bool
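Review bot: With `apply_updates = no` (together with `upgrade_type = default`) dnf-automatic now only downloads updates, yet the block is still gated on the trailing `when: auto_update | bool` (which appears to apply to the whole block) and is still named "Prepare automatic upgrade", so hosts that opt in via `auto_update` no longer receive unattended security patches. If download-only is the intent, say so next to the setting, e.g. `# download only: updates are staged, not applied (apply_updates = no)`; otherwise keep `apply_updates = yes`. The `with_items` regexps such as `'^upgrade_type.='` use `.` as a wildcard for the space; `'^upgrade_type\s*='` states the intent and also matches a line written without a space.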


@ -1,104 +1,141 @@
--- ---
- block: - block:
- name: gather package facts - name: Gather package facts
package_facts: ansible.builtin.package_facts:
manager: auto manager: auto
- name: check if atomic - name: Check if atomic
stat: ansible.builtin.stat:
path: /run/ostree-booted path: /run/ostree-booted
register: ostree register: ostree
- name: check for cloud.cfg - name: Check for cloud.cfg
stat: ansible.builtin.stat:
path: /etc/cloud/cloud.cfg path: /etc/cloud/cloud.cfg
register: cloudcfg register: cloudcfg
- name: set fact (atomic state) - name: Set fact (atomic state)
set_fact: ansible.builtin.set_fact:
is_atomic: "{{ ostree.stat.exists }}" is_atomic: "{{ ostree.stat.exists }}"
- name: set fact (cloud.cfg state) - name: Set fact (cloud.cfg state)
set_fact: ansible.builtin.set_fact:
is_cloudy: "{{ cloudcfg.stat.exists }}" is_cloudy: "{{ cloudcfg.stat.exists }}"
- name: include dnf tasks - name: Include dnf tasks
include_tasks: dnf.yml include_tasks: dnf.yml
when: (ansible_distribution in ["Fedora"] and not is_atomic) or (ansible_distribution in ["RedHat", "Red Hat Enterprise Linux", "CentOS"] and ansible_distribution_major_version is version('8', '>=')) when: (ansible_distribution in ["Fedora"] and not is_atomic) or (ansible_distribution in ["RedHat", "Red Hat Enterprise Linux", "CentOS"] and ansible_distribution_major_version is version('8', '>='))
- name: install prereqs - name: Remove unwanted packages
package: become: true
ansible.builtin.package:
name: "{{ item }}"
state: absent
when: "(item in ansible_facts.packages)"
with_items: "{{ UNWANTED_PKGS }}" # see roles/bootstrap/defaults/main.yml
- name: Install prereqs
become: true
ansible.builtin.package:
name: "{{ DEFAULT_PKGS | difference(ansible_facts.packages) }}" name: "{{ DEFAULT_PKGS | difference(ansible_facts.packages) }}"
state: installed state: installed
when: (ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat", "Fedora"] and not is_atomic) when: (ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat", "Fedora"] and not is_atomic)
- name: disable fastestmirror (fedora - non-atomic) - name: Disable fastestmirror (fedora - non-atomic)
lineinfile: become: true
ansible.builtin.lineinfile:
path: /etc/dnf/dnf.conf path: /etc/dnf/dnf.conf
regexp: "^fastestmirror=" regexp: "^fastestmirror="
line: "fastestmirror=False" line: "fastestmirror=False"
when: ansible_distribution in ["Fedora"] and not is_atomic when: ansible_distribution in ["Fedora"] and not is_atomic
- name: remove update_etc_hosts from cloud.cfg - name: Remove update_etc_hosts from cloud.cfg
lineinfile: become: true
ansible.builtin.lineinfile:
line: ' - update_etc_hosts' line: ' - update_etc_hosts'
path: /etc/cloud/cloud.cfg path: /etc/cloud/cloud.cfg
state: absent state: absent
when: is_cloudy|bool when: is_cloudy|bool
- name: add all hosts to /etc/hosts - name: Add all hosts to /etc/hosts
lineinfile: become: true
ansible.builtin.lineinfile:
path: /etc/hosts path: /etc/hosts
state: present state: present
line: "{{ hostvars[item].ip | default('127.0.0.1') }} {{ hostvars[item].ansible_hostname }}" line: "{{ hostvars[item].ip | default('127.0.0.1') }} {{ hostvars[item].ansible_hostname }}"
regexp: "^{{ hostvars[item].ip | default('127.0.0.1') }}.*{{ hostvars[item].ansible_hostname }}$" regexp: "^{{ hostvars[item].ip | default('127.0.0.1') }}.*{{ hostvars[item].ansible_hostname }}$"
with_items: "{{ groups.all }}" with_items: "{{ groups.all }}"
- name: set hostname to match inventory - name: Set hostname to match inventory
hostname: ansible.builtin.hostname:
name: "{{ inventory_hostname }}" name: "{{ inventory_hostname }}"
register: hostname_change register: hostname_change
- name: remove requiretty - name: Remove requiretty
lineinfile: become: true
ansible.builtin.lineinfile:
regexp: '^\w+\s+requiretty' regexp: '^\w+\s+requiretty'
path: /etc/sudoers path: /etc/sudoers
state: absent state: absent
- name: import epel GPG key - name: Import EPEL GPG key
rpm_key: become: true
ansible.builtin.rpm_key:
state: present state: present
key: https://getfedora.org/static/fedora.gpg key: https://getfedora.org/static/fedora.gpg
when: ansible_distribution in ['Red Hat Enterprise Linux', 'RedHat'] and not is_atomic when: ansible_distribution in ['Red Hat Enterprise Linux', 'RedHat'] and not is_atomic
- name: install epel (dist pkg) - name: Install EPEL (dist pkg)
package: become: true
ansible.builtin.package:
name: epel-release name: epel-release
state: latest state: present
when: ansible_distribution in ['CentOS'] and not is_atomic when: ansible_distribution in ['CentOS'] and not is_atomic
- name: install epel (upstream pkg) - name: Install EPEL (upstream pkg)
package: become: true
name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ansible_distribution_major_version}}.noarch.rpm" ansible.builtin.package:
name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
state: present state: present
when: ansible_distribution in ['Red Hat Enterprise Linux', 'RedHat'] and not is_atomic when: ansible_distribution in ['Red Hat Enterprise Linux', 'RedHat'] and not is_atomic
- name: remove unwanted packages - name: Disable NetworkManager phoning home on Fedora
package: become: true
name: "{{ item }}" ansible.builtin.file:
state: absent
when: "(item in ansible_facts.packages)"
with_items: "{{ UNWANTED_PKGS }}" # see roles/bootstrap/defaults/main.yml
- name: disable NetworkManager phoning home on Fedora
file:
path: /etc/NetworkManager/conf.d/20-connectivity-fedora.conf path: /etc/NetworkManager/conf.d/20-connectivity-fedora.conf
access_time: preserve # make this properly idempotent, register no change when file exists access_time: preserve # make this properly idempotent, register no change when file exists
modification_time: preserve # ^ modification_time: preserve # ^
state: touch state: touch
mode: 0644 mode: '0644'
when: (ansible_distribution in ['Fedora'] and not is_atomic) and ('NetworkManager' in ansible_facts.packages) when: (ansible_distribution in ['Fedora'] and not is_atomic) and ('NetworkManager' in ansible_facts.packages)
- name: Ensure systemd-oomd service and socket are disabled and stopped
become: true
ansible.builtin.systemd:
name: "{{ item }}"
state: stopped
enabled: false
with_items:
- systemd-oomd.service
- systemd-oomd.socket
when: (ansible_distribution in ['Fedora'] and not is_atomic)
- name: Ensure systemd-oomd service and socket are masked
become: true
ansible.builtin.systemd:
name: "{{ item }}"
masked: true
with_items:
- systemd-oomd.service
- systemd-oomd.socket
when: (ansible_distribution in ['Fedora'] and not is_atomic)
- name: Ensure systemd-oomd-defaults package is removed
become: true
ansible.builtin.package:
name: systemd-oomd-defaults
state: absent
tags: tags:
- bootstrap - bootstrap
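Review bot: The `Remove requiretty` task edits `/etc/sudoers` with `ansible.builtin.lineinfile` but, unlike the sudoers edits in the create-user role, carries no `validate: 'visudo -cf %s'`; a malformed result locks sudo out on the host, and now that the task runs with `become: true` it is worth adding that line. `systemd-oomd-defaults` is removed twice in this change, once via `UNWANTED_PKGS` in the defaults file and again by the unconditional `Ensure systemd-oomd-defaults package is removed` task at the end of the block, the latter without the Fedora/non-atomic guard its two neighbours have. The `Install EPEL (upstream pkg)` task feeds an RPM URL straight to `ansible.builtin.package`; dnf's signature check for URL/local RPMs is controlled by `localpkg_gpgcheck`, which is off by default, so the key imported just above is not applied to that package unless that option is set — worth a comment on the task.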


@ -1,3 +1,13 @@
--- ---
create_username: "{{ lookup('env','USER') }}" create_username: "{{ lookup('env','USER') }}"
create_pwgen: "{{ lookup('password', '/dev/null chars=ascii_letters,digits,hexdigits,punctuation length=32') }}" create_pwgen: "{{ lookup('password', '/dev/null chars=ascii_letters,digits,hexdigits,punctuation length=32') }}"
sudo_group_by_fam:
Debian: sudo
RedHat: wheel
created_users_groups: # sorted by os_family
Debian:
- "{{ sudo_group_by_fam[ansible_os_family] }}"
RedHat:
- "{{ sudo_group_by_fam[ansible_os_family] }}"
- adm
- disk


@ -0,0 +1,3 @@
- name: print generated password
debug:
var: create_pwgen
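Review bot: The value this handler prints may not be the one hashed into the account: `create_pwgen` is defined in this role's defaults as `lookup('password', '/dev/null …')`, and as far as I recall the password lookup documents that a `/dev/null` path generates a fresh password on every evaluation, so the user task's `password: "{{ create_pwgen | password_hash('sha512') }}"` in tasks/main.yml and this `debug` each template it independently. Pinning it once before the user task with `ansible.builtin.set_fact: create_pwgen: "{{ create_pwgen }}"` would make the two agree; worth confirming against a real run before relying on the printed value. A comment on the handler noting that the plaintext lands in the play output/log would also help whoever runs this from CI.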


@ -1,23 +0,0 @@
---
- name: creating user {{ create_username }} in sudo group (Debian/Ubuntu)
user:
name: "{{ create_username }}"
password: "{{ create_pwgen | password_hash('sha512') }}"
state: present
shell: /bin/bash
groups: sudo
append: yes
generate_ssh_key: yes
ssh_key_bits: 2048
ssh_key_file: .ssh/id_rsa
update_password: on_create
register: user_created
- name: enable nopasswd sudo (Debian/Ubuntu)
lineinfile:
dest: /etc/sudoers
regexp: '^%sudo'
line: "%sudo ALL=(ALL:ALL) NOPASSWD:ALL"
state: present
validate: 'visudo -cf %s'


@ -1,23 +0,0 @@
---
- name: creating user {{ create_username }} in wheel group (RHEL/CentOS/Fedora)
user:
name: "{{ create_username }}"
password: "{{ create_pwgen | password_hash('sha512') }}"
state: present
shell: /bin/bash
groups: wheel
append: yes
generate_ssh_key: yes
ssh_key_bits: 2048
ssh_key_file: .ssh/id_rsa
update_password: on_create
register: user_created
- name: enable nopasswd sudo (RHEL/CentOS/Fedora)
lineinfile:
dest: /etc/sudoers
regexp: '^%wheel'
line: "%wheel ALL=(ALL) NOPASSWD: ALL"
state: present
validate: 'visudo -cf %s'


@ -1,21 +1,39 @@
--- ---
- include_tasks: deb.yml - name: Create user {{ create_username }}
when: ansible_distribution in ["Debian", "Ubuntu"] become: true
user:
name: "{{ create_username }}"
password: "{{ create_pwgen | password_hash('sha512') }}"
state: present
shell: /bin/bash
groups: "{{ created_users_groups[ansible_os_family] }}"
append: true
generate_ssh_key: false
ssh_key_bits: 2048
ssh_key_file: .ssh/id_rsa
update_password: on_create
register: user_created
notify: print generated password
- include_tasks: el.yml - name: enable nopasswd sudo
when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat", "Fedora"] become: true
lineinfile:
- name: print generated password for {{ create_username }} on each host dest: /etc/sudoers
debug: var=create_pwgen regexp: '^{{ create_username }}'
when: user_created is changed line: "{{ create_username }} ALL=(ALL:ALL) NOPASSWD:ALL"
insertafter: '^%{{ sudo_group_by_fam[ansible_os_family] }}.*$'
state: present
validate: 'visudo -cf %s'
- name: copy current pubkeys to ~{{ create_username }}/.ssh/authorized_keys - name: copy current pubkeys to ~{{ create_username }}/.ssh/authorized_keys
authorized_key: authorized_key:
user: "{{ create_username }}" user: "{{ create_username }}"
state: present state: present
key: "{{ item }}" key: "{{ item }}"
# key: "{{ URL_PUBKEYS }}"
ignore_errors: true # doesn't support sk-ecdsa-sha2-nistp256 keys
with_items: with_items:
- "{{ lookup('file','~/.ssh/id_ed25519.pub') }}"
- "{{ lookup('file','~/.ssh/id_rsa.pub') }}"
- "{{ lookup('file','~/.ssh/id_ecdsa.pub') }}" - "{{ lookup('file','~/.ssh/id_ecdsa.pub') }}"
# - "{{ lookup('file','~/.ssh/id_ecdsa_sk.pub') }}"
# - "{{ lookup('file','~/.ssh/id_ed25519.pub') }}"
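Review bot: The `enable nopasswd sudo` task's `regexp: '^{{ create_username }}'` is only anchored at the start, so a username that is a prefix of another sudoers entry (e.g. `bob` matching a `bobby …` line) would replace the wrong line; `regexp: '^{{ create_username }}\s'` bounds it, and the existing `validate: 'visudo -cf %s'` then covers the syntax. The `copy current pubkeys` task still has no `become: true`, unlike the two tasks above it that gained one here. Its `ignore_errors: true` also hides a missing local key file or a genuinely failed key install, not just the unsupported sk-key case the comment mentions; a `failed_when` on that specific error, or feeding only key files that exist, would keep real failures visible.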


@ -0,0 +1,4 @@
---
docker_pkgs:
Ubuntu: docker.io
Fedora: moby-engine


@ -1,32 +1,13 @@
--- ---
# depends on create-user role / create_username var
- name: install docker - name: "Install Docker"
package: ansible.builtin.package:
name: docker name: "{{ docker_pkgs[ansible_distribution] }}"
state: latest state: present
when: ansible_distribution in ["CentOS", "Fedora", "Red Hat Enterprise Linux", "RedHat"] and not is_atomic
register: docker_installed
- name: add {{ username }} to 'dockerroot' group - name: Enable/start docker
user: ansible.builtin.service:
name: "{{ username }}"
groups: dockerroot
append: yes
when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat"] and not is_atomic
- name: copy daemon.json
copy:
src: roles/docker/files/daemon.json
dest: /etc/docker/daemon.json
owner: root
group: root
mode: 0644
when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat"] and not is_atomic
- name: enable/start docker
service:
name: docker name: docker
state: started state: started
enabled: yes enabled: true
when: ansible_distribution in ["CentOS", "Fedora", "Red Hat Enterprise Linux", "RedHat"] and not is_atomic
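Review bot: `docker_pkgs[ansible_distribution]` in the `Install Docker` task has entries only for Ubuntu and Fedora (docker defaults added in this same change), and the old `when:` that limited the task to EL/Fedora was dropped, so on any other distribution the task now fails on an undefined key instead of being skipped; `when: ansible_distribution in docker_pkgs` on both tasks restores the skip. Both tasks also lack `become: true`, which this commit adds to package and service tasks in the other roles. The header comment `# depends on create-user role / create_username var` is stale now that the task using that variable is gone.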


@ -1,4 +1,4 @@
--- ---
fedora_latest: 35 fedora_latest: 38
fedora_minimum: 33 fedora_minimum: 36
fedora_target: "{{ fedora_latest|int }}" fedora_target: "{{ fedora_latest | int }}"


@ -1,3 +1,4 @@
--- ---
- name: restart sshd - name: restart sshd
systemd: name=sshd state=restarted systemd: name=sshd state=restarted
become: true


@ -1,13 +1,15 @@
--- ---
- name: Install required dependency libsemanage-python - name: Install required dependency libsemanage-python
become: true
yum: yum:
name: libsemanage-python name: libsemanage-python
state: latest state: present
when: (ansible_distribution_major_version is version('7', '=')) when: (ansible_distribution_major_version is version('7', '='))
- name: Install required dependency python3-policycoreutils - name: Install required dependency python3-policycoreutils
become: true
dnf: dnf:
name: python3-policycoreutils name: python3-policycoreutils
state: latest state: present
when: (ansible_distribution_major_version is version('8', '>=')) when: (ansible_distribution_major_version is version('8', '>='))


@ -1,13 +1,15 @@
--- ---
- name: Install required dependency python3-libsemanage - name: Install required dependency python3-libsemanage
become: true
dnf: dnf:
name: python3-libsemanage name: python3-libsemanage
state: latest state: present
when: (ansible_distribution_major_version is version('31', '>=')) when: (ansible_distribution_major_version is version('31', '>='))
- name: Install required dependency libsemanage-python - name: Install required dependency libsemanage-python
become: true
dnf: dnf:
name: libsemanage-python name: libsemanage-python
state: latest state: present
when: (ansible_distribution_major_version is version('30', '<=')) when: (ansible_distribution_major_version is version('30', '<='))


@ -2,48 +2,82 @@
- name: include SELinux package tasks for EL (CentOS/RHEL) - name: include SELinux package tasks for EL (CentOS/RHEL)
include_tasks: centos-selinux.yml include_tasks: centos-selinux.yml
tags: selinux
when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat"]) when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat"])
- name: include SELinux package tasks for Fedora (non-atomic) - name: include SELinux package tasks for Fedora (non-atomic)
include_tasks: fedora-selinux.yml include_tasks: fedora-selinux.yml
tags: selinux
when: (ansible_distribution in ["Fedora"] and not is_atomic) when: (ansible_distribution in ["Fedora"] and not is_atomic)
# likely to break on non-RHEL/derivatives, could use improvement. # likely to break on non-RHEL/derivatives, could use improvement.
- name: ensure firewalld is installed
become: true
package:
name: firewalld
state: present
- name: enable firewalld - name: enable firewalld
become: true
service: service:
name: firewalld name: firewalld
state: started state: started
enabled: yes enabled: true
- name: SSH - disable password auth - name: harden sshd
lineinfile: tags: harden_sshd
dest: /etc/ssh/sshd_config become: true
regexp: "^PasswordAuthentication" block:
line: "PasswordAuthentication no" - name: "SSH: disable password auth"
state: present lineinfile:
notify: restart sshd path: /etc/ssh/sshd_config
regexp: "^PasswordAuthentication"
line: "PasswordAuthentication no"
validate: '/usr/sbin/sshd -t -f %s'
notify: restart sshd
- name: "SSH: config custom port"
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^Port '
line: "Port {{ hardened_ssh_port }}"
insertbefore: "(^|#)AddressFamily.*"
validate: '/usr/sbin/sshd -t -f %s'
when: (hardened_ssh_port is defined)
notify: restart sshd
- name: "only allow root logins with keys"
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PermitRootLogin '
line: 'PermitRootLogin prohibit-password'
validate: '/usr/sbin/sshd -t -f %s'
notify: restart sshd
- name: "disallow keyboard interactive auth to address some PAM edge cases"
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^KbdInteractiveAuthentication '
line: 'KbdInteractiveAuthentication no'
validate: '/usr/sbin/sshd -t -f %s'
notify: restart sshd
- name: SSH - config port 1181 - name: "permit custom SSH port ({{ hardened_ssh_port }})"
lineinfile: become: true
path: /etc/ssh/sshd_config
regexp: '^Port '
line: 'Port 1181'
insertbefore: "(^|#)AddressFamily.*"
validate: '/usr/sbin/sshd -t -f %s'
notify: restart sshd
- name: allow custom SSH port in selinux
seport: seport:
ports: 1181 ports: "{{ hardened_ssh_port }}"
proto: tcp proto: tcp
setype: ssh_port_t setype: ssh_port_t
state: present state: present
when: (ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled') when:
- hardened_ssh_port is defined
- ansible_selinux is defined
- ansible_selinux.status == 'enabled'
tags: selinux
# also likely to break on non-RHEL/derivatives, could use improvement too. # also likely to break on non-RHEL/derivatives, could use improvement too.
- name: allow custom SSH port in firewalld - name: "firewalld: grant access to custom SSH port"
become: true
firewalld: firewalld:
port: 1181/tcp port: "{{ hardened_ssh_port }}/tcp"
permanent: yes permanent: true
immediate: yes immediate: true
state: enabled state: enabled
when: (hardened_ssh_port is defined)
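Review bot: Each task in the `harden sshd` block appends its directive to the end of `/etc/ssh/sshd_config` when no uncommented match exists, but sshd honours the first occurrence of a keyword, and Fedora 38 (this repo's `fedora_target`) and current RHEL/Ubuntu ship an `Include /etc/ssh/sshd_config.d/*.conf` near the top of that file, so a drop-in there (cloud-init may write one on cloud images) can silently win over `PasswordAuthentication no`, `PermitRootLogin prohibit-password` or the custom `Port`. Writing these settings to a drop-in of your own under `/etc/ssh/sshd_config.d/` (a constructed name such as `00-hardening.conf`, with the same `validate: '/usr/sbin/sshd -t -f %s'`) keeps them ahead of any other file; at minimum the block deserves a comment stating that assumption. The `seport` condition dropping the old `ansible_selinux != False` test looks fine on current Ansible, where that fact is always a mapping with a `status` key, but is worth confirming for the oldest Ansible the repo supports.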


@ -22,5 +22,7 @@ EL_PKGS:
- wget - wget
- cockpit - cockpit
- ioping - ioping
- kitty-terminfo
- dnf-plugin-system-upgrade
DEB_PKGS: DEB_PKGS:
- dnsutils - dnsutils


@ -1,6 +1,7 @@
--- ---
- name: install packages (Debian/Ubuntu) - name: install packages (Debian/Ubuntu)
become: true
package: package:
name: "{{ (COMMON_PKGS + DEB_PKGS) | difference(ansible_facts.packages) }}" name: "{{ (COMMON_PKGS + DEB_PKGS) | difference(ansible_facts.packages) }}"
state: present state: present


@ -1,6 +1,7 @@
--- ---
- name: install packages (EPEL/Fedora) - name: install packages (EPEL/Fedora)
become: true
package: package:
name: "{{ (COMMON_PKGS + EL_PKGS) | difference(ansible_facts.packages) }}" name: "{{ (COMMON_PKGS + EL_PKGS) | difference(ansible_facts.packages) }}"
state: present state: present


@ -5,16 +5,3 @@
- include_tasks: el.yml - include_tasks: el.yml
when: ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora"] and not is_atomic when: ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora"] and not is_atomic
# Need an idempotent way to install packages on atomic
# command module isn't idempotent and the package module insists on installing containers.
#- name: install packages (fedora - atomic)
# command: rpm-ostree install '{{ item }}'
# with_items:
# - htop
# - vim
# - iperf3
# - strace
# - nmap
# when: ansible_distribution == 'Fedora' and is_atomic


@ -1,5 +0,0 @@
---
- name: raise somaxconn
sysctl:
name: net.core.somaxconn
value: "1024"


@ -1,3 +0,0 @@
# Make 'systemctl enable tmp.mount' work:
[Install]
WantedBy=local-fs.target


@ -1,20 +0,0 @@
---
- block:
- name: create tmp.mount.d dir
file:
path: /etc/systemd/system/tmp.mount.d/
state: directory
mode: '0755'
register: tmpmnt_directory_state
- name: add drop-in fix
copy:
dest: "/etc/systemd/system/tmp.mount.d/fix-enable.conf"
src: "fix-enable.conf"
register: fix_enable_conf
- name: enable tmp.mount
systemd:
daemon_reload: yes
masked: no
name: tmp.mount
enabled: yes
when: (ansible_distribution in ["CentOS"] and ansible_distribution_major_version in ["8"]) or (ansible_distribution in ["Fedora"] and ansible_distribution_major_version in ["31", "32"])


@ -3,3 +3,6 @@
service: service:
name: tuned name: tuned
state: restarted state: restarted
- name: enable tuned profile
command: "/usr/sbin/tuned-adm profile {{ tuned_custom_profile.name }}"
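Review bot: The new `enable tuned profile` handler runs `/usr/sbin/tuned-adm profile …` without `become: true`, while the tasks in this role's tasks files gain `become: true` in the same commit; unless the play sets become globally (not visible here), the handler will fail for a non-root connection user, so add `become: true` to it. Handler order is the order listed, so `restart tuned` running before `enable tuned profile` is the right sequence; a one-line comment saying so would stop a future reorder from breaking it. The `restart tuned` handler's own header is outside the hunk, so whether it has become cannot be seen here.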


@ -1,5 +1,6 @@
--- ---
- name: create custom tuned profile directory - name: create custom tuned profile directory
become: true
file: file:
path: "/etc/tuned/{{ tuned_custom_profile.name }}" path: "/etc/tuned/{{ tuned_custom_profile.name }}"
state: directory state: directory
@ -8,16 +9,14 @@
mode: 0755 mode: 0755
- name: copy custom profile configuration file - name: copy custom profile configuration file
become: true
template: template:
src: custom_profile.conf.j2 src: custom_profile.conf.j2
dest: "/etc/tuned/{{ tuned_custom_profile.name }}/tuned.conf" dest: "/etc/tuned/{{ tuned_custom_profile.name }}/tuned.conf"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: restart tuned notify:
- restart tuned
- enable tuned profile
register: tuned_custom_profile_template register: tuned_custom_profile_template
- name: set custom tuned profile
command: "/usr/sbin/tuned-adm profile {{ tuned_custom_profile.name }}"
when:
- tuned_custom_profile_template is changed
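Review bot: `mode: 0755` and `mode: 0644` in this file are bare octal literals; YAML 1.1 loaders read them as integers, which Ansible's file modules do accept when there is a leading zero, but the same commit quotes the mode as `'0644'` in the bootstrap role and ansible-lint flags the bare form, so `mode: '0755'` / `mode: '0644'` keeps the roles consistent. Moving profile activation into the notified handler preserves the previous `when: … is changed` semantics, since notify only fires when the template task reports a change.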


@ -1,31 +1,35 @@
--- ---
- name: update apt caches - name: update apt caches
become: true
apt: apt:
update_cache: yes update_cache: true
when: (ansible_os_family in ["Debian"] ) when: (ansible_os_family in ["Debian"] )
- name: install packages - name: install packages
become: true
package: package:
name: "{{ item }}" name: "{{ item }}"
state: latest state: present
with_items: with_items:
- tuned - tuned
- tuned-utils - tuned-utils
# - tuned-profiles-realtime # only on Fedora? not on centos 8 stream # - tuned-profiles-realtime # only on Fedora? not on centos 8 stream
- name: start service - name: start service
become: true
service: service:
name: tuned name: tuned
enabled: yes enabled: true
state: started state: started
- name: get active tuned profile - name: get active tuned profile
become: true
command: /usr/sbin/tuned-adm active command: /usr/sbin/tuned-adm active
register: tuned_active register: tuned_active
changed_when: false changed_when: false
ignore_errors: true ignore_errors: true
- name: deploy {{ tuned_custom_profile }} based on {{ tuned_base_profile }} - name: deploy custom tuned profiles
include: configure-custom-profile.yml include_tasks: configure-custom-profile.yml
when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ] and not is_atomic) when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ] and not is_atomic)


@ -32,6 +32,6 @@
timeout: 300 timeout: 300
delay: 20 delay: 20
when: host_reset is changed when: host_reset is changed
become: true
tags: tags:
- update - update


@ -1,16 +0,0 @@
---
zfs_disk: /dev/vdb
zfs_arc_size_mb: "{{ (ansible_memtotal_mb * 0.20)|int|abs }}"
zfs_arc_size_bytes: "{{ zfs_arc_size_mb }}000000"
EL_ZFS_PKGS:
- kernel-devel
- "@Development tools"
- dkms
- libuuid-devel
- libblkid-devel
- libtirpc-devel
- openssl-devel
- zfs
UBUNTU_ZFS_PKGS:
- zfsutils-linux
- zfs-initramfs


@ -1,8 +0,0 @@
---
- name: install zfs packages
package:
name: "{{ item }}"
state: present
with_items: "{{ EL_ZFS_PKGS | difference(ansible_facts.packages) }}"
register: zfs_installed


@ -1,39 +0,0 @@
---
- name: include zfs-release tasks (CentOS/RHEL/Fedora)
include_tasks: zfs-release.yml
when: ('zfs-release' not in ansible_facts.packages) and (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ])
- name: include zfs installation tasks (Ubuntu)
include_tasks: ubuntu.yml
when: ansible_distribution in ["Ubuntu"]
- name: include zfs installation tasks (CentOS/RHEL/Fedora)
include_tasks: el.yml
when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ] and not is_atomic)
- name: load zfs module
modprobe:
name: zfs
state: present
- name: add zfs to modules-load.d
copy:
dest: "/etc/modules-load.d/zfs.conf"
content: |
zfs
register: zfsload
# does not adjust to 20% of each host, depends on consistency between hosts - inconsistency leads to disproportionate allocations
- name: set zfs_arc_max to 20% of system memory
lineinfile:
path: "/etc/modprobe.d/zfs.conf"
regexp: '^options zfs zfs_arc_max='
line: 'options zfs zfs_arc_max="{{ zfs_arc_size_bytes }}"'
create: yes
# really bad idempotence in here...
#- name: create zpool
# command: "zpool create -f -O compression=lz4 data {{ zfs_disk }} -o ashift=13 -O secondarycache=all"
# args:
# creates: /etc/zvol/data/*


@ -1,7 +0,0 @@
---
- name: install ZFS packages
package:
name: "{{ item }}"
state: present
with_items: "{{ UBUNTU_ZFS_PKGS | difference(ansible_facts.packages) }}"


@ -1,19 +0,0 @@
---
- name: install zfs-release package (EPEL 7)
yum:
name: "http://download.zfsonlinux.org/epel/zfs-release.el7_7.noarch.rpm"
state: present
when: (ansible_distribution_major_version == "7")
- name: install zfs-release package (EPEL 8)
yum:
name: "http://download.zfsonlinux.org/epel/zfs-release.el8_1.noarch.rpm"
state: present
when: (ansible_distribution_major_version == "8")
- name: install/upgrade zfs-release package (Fedora)
dnf:
name: "http://download.zfsonlinux.org/fedora/zfs-release.fc{{ansible_distribution_major_version}}.noarch.rpm"
state: present
when: (ansible_distribution in ["Fedora"] and not is_atomic)