docker: simplify, use dist-based vars

tuned: make more robust, add become
update-packages: become
2023-08-30 20:43:46 -05:00 · 2023-08-30 20:30:26 -05:00 · 2023-08-30 20:29:53 -05:00 · 2023-08-30 20:29:31 -05:00 · 2023-08-30 20:29:05 -05:00 · 2023-08-30 20:28:20 -05:00
31 changed files with 262 additions and 324 deletions
--- a/roles/bootstrap/defaults/main.yml
+++ b/roles/bootstrap/defaults/main.yml
@ -2,7 +2,10 @@
 DEFAULT_PKGS:
  - sudo
  - vim
  - vim-default-editor
 UNWANTED_PKGS:
  - earlyoom
  - power-profiles-daemon
  - nano
  - nano-default-editor
  - systemd-oomd-defaults
--- a/roles/bootstrap/tasks/dnf.yml
+++ b/roles/bootstrap/tasks/dnf.yml
@ -1,29 +1,38 @@
 ---
- name: raise max_parallel_downloads to 20
+- name: Raise max_parallel_downloads to 20
-  lineinfile:
+  become: true
  ansible.builtin.lineinfile:
    path: /etc/dnf/dnf.conf
    regexp: "^max_parallel_downloads.="
    line: "max_parallel_downloads=20"
- name: install dnf-automatic
+- name: Prepare automatic upgrade w/ dnf-automatic
-  package:
+  block:
-    name: dnf-automatic
+    - name: Install dnf-automatic
-    state: present
+      become: true
      ansible.builtin.package:
        name: dnf-automatic
        state: present
- name: configure dnf-automatic
+    - name: Configure dnf-automatic
-  become: true
+      become: true
-  lineinfile:
+      ansible.builtin.lineinfile:
-    path: /etc/dnf/automatic.conf
+        path: /etc/dnf/automatic.conf
-    state: present
+        state: present
-    regexp: "{{ item.regexp }}"
+        regexp: "{{ item.regexp }}"
-    line: "{{ item.line }}"
+        line: "{{ item.line }}"
-  with_items:
+      with_items:
-    - { regexp: '^upgrade_type.=', line: 'upgrade_type = security' }
+        - {regexp: '^upgrade_type.=', line: 'upgrade_type = default'}
-    - { regexp: '^emit_via.=', line: 'emit_via = stdio,motd' }
+        - {regexp: '^emit_via.=', line: 'emit_via = stdio,motd'}
-    - { regexp: '^apply_updates.=', line: 'apply_updates = yes' }
+        - {regexp: '^apply_updates.=', line: 'apply_updates = no'}
        - {regexp: '^download_updates.=', line: 'download_updates = yes'}
- name: enable dnf-automatic timer
+    - name: Enable dnf-automatic timer
-  systemd:
+      become: true
-    name: dnf-automatic.timer
+      ansible.builtin.systemd:
-    state: started
+        name: dnf-automatic.timer
-    enabled: yes
+        state: started
        enabled: true
  when:
    - auto_update is defined
    - auto_update | bool
--- a/roles/bootstrap/tasks/main.yml
+++ b/roles/bootstrap/tasks/main.yml
@ -1,104 +1,141 @@
 ---
 - block:
-    - name: gather package facts
+    - name: Gather package facts
-      package_facts:
+      ansible.builtin.package_facts:
        manager: auto
-    - name: check if atomic
+    - name: Check if atomic
-      stat:
+      ansible.builtin.stat:
        path: /run/ostree-booted
      register: ostree
-    - name: check for cloud.cfg
+    - name: Check for cloud.cfg
-      stat:
+      ansible.builtin.stat:
        path: /etc/cloud/cloud.cfg
      register: cloudcfg
-    - name: set fact (atomic state)
+    - name: Set fact (atomic state)
-      set_fact:
+      ansible.builtin.set_fact:
        is_atomic: "{{ ostree.stat.exists }}"
-    - name: set fact (cloud.cfg state)
+    - name: Set fact (cloud.cfg state)
-      set_fact:
+      ansible.builtin.set_fact:
        is_cloudy: "{{ cloudcfg.stat.exists }}"
-    - name: include dnf tasks
+    - name: Include dnf tasks
      include_tasks: dnf.yml
      when: (ansible_distribution in ["Fedora"] and not is_atomic) or (ansible_distribution in ["RedHat", "Red Hat Enterprise Linux", "CentOS"] and ansible_distribution_major_version is version('8', '>='))
-    - name: install prereqs
+    - name: Remove unwanted packages
-      package:
+      become: true
      ansible.builtin.package:
        name: "{{ item }}"
        state: absent
      when: "(item in ansible_facts.packages)"
      with_items: "{{ UNWANTED_PKGS }}" # see roles/bootstrap/defaults/main.yml
    - name: Install prereqs
      become: true
      ansible.builtin.package:
        name: "{{ DEFAULT_PKGS | difference(ansible_facts.packages) }}"
        state: installed
      when: (ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat", "Fedora"] and not is_atomic)
-    - name: disable fastestmirror (fedora - non-atomic)
+    - name: Disable fastestmirror (fedora - non-atomic)
-      lineinfile:
+      become: true
      ansible.builtin.lineinfile:
        path: /etc/dnf/dnf.conf
        regexp: "^fastestmirror="
        line: "fastestmirror=False"
      when: ansible_distribution in ["Fedora"] and not is_atomic
-    - name: remove update_etc_hosts from cloud.cfg
+    - name: Remove update_etc_hosts from cloud.cfg
-      lineinfile:
+      become: true
      ansible.builtin.lineinfile:
        line: ' - update_etc_hosts'
        path: /etc/cloud/cloud.cfg
        state: absent
      when: is_cloudy|bool
- 
+
-    - name: add all hosts to /etc/hosts
+    - name: Add all hosts to /etc/hosts
-      lineinfile:
+      become: true
      ansible.builtin.lineinfile:
        path: /etc/hosts
        state: present
        line: "{{ hostvars[item].ip | default('127.0.0.1') }} {{ hostvars[item].ansible_hostname }}"
        regexp: "^{{ hostvars[item].ip | default('127.0.0.1') }}.*{{ hostvars[item].ansible_hostname }}$"
      with_items: "{{ groups.all }}"
-    - name: set hostname to match inventory
+    - name: Set hostname to match inventory
-      hostname:
+      ansible.builtin.hostname:
        name: "{{ inventory_hostname }}"
      register: hostname_change
-    - name: remove requiretty
+    - name: Remove requiretty
-      lineinfile:
+      become: true
      ansible.builtin.lineinfile:
        regexp: '^\w+\s+requiretty'
        path: /etc/sudoers
        state: absent
-    - name: import epel GPG key
+    - name: Import EPEL GPG key
-      rpm_key:
+      become: true
      ansible.builtin.rpm_key:
        state: present
        key: https://getfedora.org/static/fedora.gpg
      when: ansible_distribution in ['Red Hat Enterprise Linux', 'RedHat'] and not is_atomic
-    - name: install epel (dist pkg)
+    - name: Install EPEL (dist pkg)
-      package:
+      become: true
      ansible.builtin.package:
        name: epel-release
-        state: latest
+        state: present
      when: ansible_distribution in ['CentOS'] and not is_atomic
-    - name: install epel (upstream pkg)
+    - name: Install EPEL (upstream pkg)
-      package:
+      become: true
-        name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ansible_distribution_major_version}}.noarch.rpm"
+      ansible.builtin.package:
        name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
        state: present
      when: ansible_distribution in ['Red Hat Enterprise Linux', 'RedHat'] and not is_atomic
-    - name: remove unwanted packages
+    - name: Disable NetworkManager phoning home on Fedora
-      package:
+      become: true
-        name: "{{ item }}"
+      ansible.builtin.file:
        state: absent
      when: "(item in ansible_facts.packages)"
      with_items: "{{ UNWANTED_PKGS }}" # see roles/bootstrap/defaults/main.yml
    - name: disable NetworkManager phoning home on Fedora
      file:
        path: /etc/NetworkManager/conf.d/20-connectivity-fedora.conf
        access_time: preserve # make this properly idempotent, register no change when file exists
        modification_time: preserve # ^
        state: touch
-        mode: 0644
+        mode: '0644'
      when: (ansible_distribution in ['Fedora'] and not is_atomic) and ('NetworkManager' in ansible_facts.packages)
    - name: Ensure systemd-oomd service and socket are disabled and stopped
      become: true
      ansible.builtin.systemd:
        name: "{{ item }}"
        state: stopped
        enabled: false
      with_items:
        - systemd-oomd.service
        - systemd-oomd.socket
      when: (ansible_distribution in ['Fedora'] and not is_atomic)
    - name: Ensure systemd-oomd service and socket are masked
      become: true
      ansible.builtin.systemd:
        name: "{{ item }}"
        masked: true
      with_items:
        - systemd-oomd.service
        - systemd-oomd.socket
      when: (ansible_distribution in ['Fedora'] and not is_atomic)
    - name: Ensure systemd-oomd-defaults package is removed
      become: true
      ansible.builtin.package:
        name: systemd-oomd-defaults
        state: absent
  tags:
    - bootstrap
--- a/roles/create-user/defaults/main.yml
+++ b/roles/create-user/defaults/main.yml
@ -1,3 +1,13 @@
 ---
 create_username: "{{ lookup('env','USER') }}"
 create_pwgen: "{{ lookup('password', '/dev/null chars=ascii_letters,digits,hexdigits,punctuation length=32') }}"
 sudo_group_by_fam:
  Debian: sudo
  RedHat: wheel
 created_users_groups: # sorted by os_family
  Debian:
    - "{{ sudo_group_by_fam[ansible_os_family] }}"
  RedHat:
    - "{{ sudo_group_by_fam[ansible_os_family] }}"
    - adm
    - disk
--- a/roles/create-user/handlers/main.yml
+++ b/roles/create-user/handlers/main.yml
@ -0,0 +1,3 @@
 - name: print generated password
  debug:
    var: create_pwgen
--- a/roles/create-user/tasks/deb.yml
+++ b/roles/create-user/tasks/deb.yml
@ -1,23 +0,0 @@
 ---
 - name: creating user {{ create_username }} in sudo group (Debian/Ubuntu)
  user:
    name: "{{ create_username }}"
    password: "{{ create_pwgen | password_hash('sha512') }}"
    state: present
    shell: /bin/bash
    groups: sudo
    append: yes
    generate_ssh_key: yes
    ssh_key_bits: 2048
    ssh_key_file: .ssh/id_rsa
    update_password: on_create
  register: user_created
 - name: enable nopasswd sudo (Debian/Ubuntu)
  lineinfile:
    dest: /etc/sudoers
    regexp: '^%sudo'
    line: "%sudo   ALL=(ALL:ALL) NOPASSWD:ALL"
    state: present
    validate: 'visudo -cf %s'
--- a/roles/create-user/tasks/el.yml
+++ b/roles/create-user/tasks/el.yml
@ -1,23 +0,0 @@
 ---
 - name: creating user {{ create_username }} in wheel group (RHEL/CentOS/Fedora)
  user:
    name: "{{ create_username }}"
    password: "{{ create_pwgen | password_hash('sha512') }}"
    state: present
    shell: /bin/bash
    groups: wheel
    append: yes
    generate_ssh_key: yes
    ssh_key_bits: 2048
    ssh_key_file: .ssh/id_rsa
    update_password: on_create
  register: user_created
 - name: enable nopasswd sudo (RHEL/CentOS/Fedora)
  lineinfile:
    dest: /etc/sudoers
    regexp: '^%wheel'
    line: "%wheel       ALL=(ALL)       NOPASSWD: ALL"
    state: present
    validate: 'visudo -cf %s'
--- a/roles/create-user/tasks/main.yml
+++ b/roles/create-user/tasks/main.yml
@ -1,21 +1,39 @@
 ---
- include_tasks: deb.yml
+- name: Create user {{ create_username }}
-  when: ansible_distribution in ["Debian", "Ubuntu"]
+  become: true
  user:
    name: "{{ create_username }}"
    password: "{{ create_pwgen | password_hash('sha512') }}"
    state: present
    shell: /bin/bash
    groups: "{{ created_users_groups[ansible_os_family] }}"
    append: true
    generate_ssh_key: false
    ssh_key_bits: 2048
    ssh_key_file: .ssh/id_rsa
    update_password: on_create
  register: user_created
  notify: print generated password
- include_tasks: el.yml
+- name: enable nopasswd sudo
-  when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat", "Fedora"]
+  become: true
-
+  lineinfile:
- name: print generated password for {{ create_username }} on each host
+    dest: /etc/sudoers
-  debug: var=create_pwgen
+    regexp: '^{{ create_username }}'
-  when: user_created is changed 
+    line: "{{ create_username }}   ALL=(ALL:ALL) NOPASSWD:ALL"
    insertafter: '^%{{ sudo_group_by_fam[ansible_os_family] }}.*$'
    state: present
    validate: 'visudo -cf %s'
 - name: copy current pubkeys to ~{{ create_username }}/.ssh/authorized_keys
  authorized_key:
    user: "{{ create_username }}"
    state: present
    key: "{{ item }}"
 #    key: "{{ URL_PUBKEYS }}"
  ignore_errors: true # doesn't support sk-ecdsa-sha2-nistp256 keys
  with_items:
    - "{{ lookup('file','~/.ssh/id_ed25519.pub') }}"
    - "{{ lookup('file','~/.ssh/id_rsa.pub') }}"
    - "{{ lookup('file','~/.ssh/id_ecdsa.pub') }}"
 #    - "{{ lookup('file','~/.ssh/id_ecdsa_sk.pub') }}"
 #    - "{{ lookup('file','~/.ssh/id_ed25519.pub') }}"
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@ -0,0 +1,4 @@
 ---
 docker_pkgs:
  Ubuntu: docker.io
  Fedora: moby-engine
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@ -1,32 +1,13 @@
 ---
 # depends on create-user role / create_username var
- name: install docker
+- name: "Install Docker"
-  package:
+  ansible.builtin.package:
-    name: docker
+    name: "{{ docker_pkgs[ansible_distribution] }}"
-    state: latest
+    state: present
  when: ansible_distribution in ["CentOS", "Fedora", "Red Hat Enterprise Linux", "RedHat"] and not is_atomic
  register: docker_installed
- name: add {{ username }} to 'dockerroot' group
+- name: Enable/start docker
-  user:
+  ansible.builtin.service:
    name: "{{ username }}"
    groups: dockerroot
    append: yes
  when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat"] and not is_atomic
 - name: copy daemon.json
  copy:
    src: roles/docker/files/daemon.json
    dest: /etc/docker/daemon.json
    owner: root
    group: root
    mode: 0644
  when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat"] and not is_atomic
 - name: enable/start docker
  service:
    name: docker
    state: started
-    enabled: yes
+    enabled: true
  when: ansible_distribution in ["CentOS", "Fedora", "Red Hat Enterprise Linux", "RedHat"] and not is_atomic
--- a/roles/fedora-upgrade/defaults/main.yml
+++ b/roles/fedora-upgrade/defaults/main.yml
@ -1,4 +1,4 @@
 ---
-fedora_latest: 35
+fedora_latest: 38
-fedora_minimum: 33
+fedora_minimum: 36
-fedora_target: "{{ fedora_latest|int }}"
+fedora_target: "{{ fedora_latest | int }}"
--- a/roles/hardening/handlers/main.yml
+++ b/roles/hardening/handlers/main.yml
@ -1,3 +1,4 @@
 ---
 - name: restart sshd
  systemd: name=sshd state=restarted
  become: true
--- a/roles/hardening/tasks/centos-selinux.yml
+++ b/roles/hardening/tasks/centos-selinux.yml
@ -1,13 +1,15 @@
 ---
 - name: Install required dependency libsemanage-python
  become: true
  yum:
    name: libsemanage-python
-    state: latest
+    state: present
  when: (ansible_distribution_major_version is version('7', '='))
 - name: Install required dependency python3-policycoreutils
  become: true
  dnf:
    name: python3-policycoreutils
-    state: latest
+    state: present
  when: (ansible_distribution_major_version is version('8', '>='))
--- a/roles/hardening/tasks/fedora-selinux.yml
+++ b/roles/hardening/tasks/fedora-selinux.yml
@ -1,13 +1,15 @@
 ---
 - name: Install required dependency python3-libsemanage
  become: true
  dnf:
    name: python3-libsemanage
-    state: latest
+    state: present
  when: (ansible_distribution_major_version is version('31', '>='))
 - name: Install required dependency libsemanage-python
  become: true
  dnf:
    name: libsemanage-python
-    state: latest
+    state: present
  when: (ansible_distribution_major_version is version('30', '<='))
--- a/roles/hardening/tasks/main.yml
+++ b/roles/hardening/tasks/main.yml
@ -2,48 +2,82 @@
 - name: include SELinux package tasks for EL (CentOS/RHEL)
  include_tasks: centos-selinux.yml
  tags: selinux
  when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat"])
 - name: include SELinux package tasks for Fedora (non-atomic)
  include_tasks: fedora-selinux.yml
  tags: selinux
  when: (ansible_distribution in ["Fedora"] and not is_atomic)
 # likely to break on non-RHEL/derivatives, could use improvement.
 - name: ensure firewalld is installed
  become: true
  package:
    name: firewalld
    state: present
 - name: enable firewalld
  become: true
  service:
    name: firewalld
    state: started
-    enabled: yes
+    enabled: true
- name: SSH - disable password auth
+- name: harden sshd
-  lineinfile:
+  tags: harden_sshd
-    dest: /etc/ssh/sshd_config 
+  become: true
-    regexp: "^PasswordAuthentication" 
+  block:
-    line: "PasswordAuthentication no"
+    - name: "SSH: disable password auth"
-    state: present
+      lineinfile:
-  notify: restart sshd
+        path: /etc/ssh/sshd_config
        regexp: "^PasswordAuthentication"
        line: "PasswordAuthentication no"
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
    - name: "SSH: config custom port"
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Port '
        line: "Port {{ hardened_ssh_port }}"
        insertbefore: "(^|#)AddressFamily.*"
        validate: '/usr/sbin/sshd -t -f %s'
      when: (hardened_ssh_port is defined)
      notify: restart sshd
    - name: "only allow root logins with keys"
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin '
        line: 'PermitRootLogin prohibit-password'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
    - name: "disallow keyboard interactive auth to address some PAM edge cases"
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^KbdInteractiveAuthentication '
        line: 'KbdInteractiveAuthentication no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
- name: SSH - config port 1181
+- name: "permit custom SSH port ({{ hardened_ssh_port }})"
-  lineinfile:
+  become: true
    path: /etc/ssh/sshd_config
    regexp: '^Port '
    line: 'Port 1181'
    insertbefore: "(^|#)AddressFamily.*"
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd
 - name: allow custom SSH port in selinux
  seport:
-    ports: 1181
+    ports: "{{ hardened_ssh_port }}"
    proto: tcp
    setype: ssh_port_t
    state: present
-  when: (ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled')
+  when:
    - hardened_ssh_port is defined
    - ansible_selinux is defined
    - ansible_selinux.status == 'enabled'
  tags: selinux
 # also likely to break on non-RHEL/derivatives, could use improvement too.
- name: allow custom SSH port in firewalld
+- name: "firewalld: grant access to custom SSH port"
  become: true
  firewalld:
-    port: 1181/tcp
+    port: "{{ hardened_ssh_port }}/tcp"
-    permanent: yes
+    permanent: true
-    immediate: yes
+    immediate: true
    state: enabled
  when: (hardened_ssh_port is defined)
--- a/roles/install-packages/defaults/main.yml
+++ b/roles/install-packages/defaults/main.yml
@ -22,5 +22,7 @@ EL_PKGS:
  - wget
  - cockpit
  - ioping
  - kitty-terminfo
  - dnf-plugin-system-upgrade
 DEB_PKGS:
  - dnsutils
--- a/roles/install-packages/tasks/deb.yml
+++ b/roles/install-packages/tasks/deb.yml
@ -1,6 +1,7 @@
 ---
 - name: install packages (Debian/Ubuntu)
  become: true
  package:
    name: "{{ (COMMON_PKGS + DEB_PKGS) | difference(ansible_facts.packages) }}"
    state: present
--- a/roles/install-packages/tasks/el.yml
+++ b/roles/install-packages/tasks/el.yml
@ -1,6 +1,7 @@
 ---
 - name: install packages (EPEL/Fedora)
  become: true
  package:
    name: "{{ (COMMON_PKGS + EL_PKGS) | difference(ansible_facts.packages) }}"
    state: present
--- a/roles/install-packages/tasks/main.yml
+++ b/roles/install-packages/tasks/main.yml
@ -2,19 +2,6 @@
 - include_tasks: deb.yml
  when: ansible_distribution in ["Debian", "Ubuntu"]
- 
+
 - include_tasks: el.yml
  when: ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora"] and not is_atomic
 # Need an idempotent way to install packages on atomic
 # command module isn't idempotent and the package module insists on installing containers.
 #- name: install packages (fedora - atomic)
 #  command: rpm-ostree install '{{ item }}'
 #  with_items:
 #  - htop
 #  - vim
 #  - iperf3
 #  - strace
 #  - nmap
 #  when: ansible_distribution == 'Fedora' and is_atomic
--- a/roles/sysctl/tasks/main.yml
+++ b/roles/sysctl/tasks/main.yml
@ -1,5 +0,0 @@
 ---
 - name: raise somaxconn
  sysctl:
    name: net.core.somaxconn
    value: "1024"
--- a/roles/tmp-mount-fix/tasks/fix-enable.conf
+++ b/roles/tmp-mount-fix/tasks/fix-enable.conf
@ -1,3 +0,0 @@
 # Make 'systemctl enable tmp.mount' work:
 [Install]
 WantedBy=local-fs.target
--- a/roles/tmp-mount-fix/tasks/main.yml
+++ b/roles/tmp-mount-fix/tasks/main.yml
@ -1,20 +0,0 @@
 ---
 - block:
    - name: create tmp.mount.d dir
      file:
        path: /etc/systemd/system/tmp.mount.d/
        state: directory
        mode: '0755'
      register: tmpmnt_directory_state
    - name: add drop-in fix
      copy:
        dest: "/etc/systemd/system/tmp.mount.d/fix-enable.conf"
        src: "fix-enable.conf"
      register: fix_enable_conf
    - name: enable tmp.mount
      systemd:
        daemon_reload: yes
        masked: no
        name: tmp.mount
        enabled: yes
  when: (ansible_distribution in ["CentOS"] and ansible_distribution_major_version in ["8"]) or (ansible_distribution in ["Fedora"] and ansible_distribution_major_version in ["31", "32"])
--- a/roles/tuned/handlers/main.yml
+++ b/roles/tuned/handlers/main.yml
@ -3,3 +3,6 @@
  service:
    name: tuned
    state: restarted
 - name: enable tuned profile
  command: "/usr/sbin/tuned-adm profile {{ tuned_custom_profile.name }}"
--- a/roles/tuned/tasks/configure-custom-profile.yml
+++ b/roles/tuned/tasks/configure-custom-profile.yml
@ -1,5 +1,6 @@
 ---
 - name: create custom tuned profile directory
  become: true
  file:
    path: "/etc/tuned/{{ tuned_custom_profile.name }}"
    state: directory
@ -8,16 +9,14 @@
    mode: 0755
 - name: copy custom profile configuration file
  become: true
  template:
    src: custom_profile.conf.j2
    dest: "/etc/tuned/{{ tuned_custom_profile.name }}/tuned.conf"
    owner: root
    group: root
    mode: 0644
-  notify: restart tuned
+  notify:
    - restart tuned
    - enable tuned profile
  register: tuned_custom_profile_template
 - name: set custom tuned profile
  command: "/usr/sbin/tuned-adm profile {{ tuned_custom_profile.name }}"
  when:
    - tuned_custom_profile_template is changed
--- a/roles/tuned/tasks/main.yml
+++ b/roles/tuned/tasks/main.yml
@ -1,31 +1,35 @@
 ---
 - name: update apt caches
  become: true
  apt:
-    update_cache: yes
+    update_cache: true
  when: (ansible_os_family in ["Debian"] )
 - name: install packages
  become: true
  package:
    name: "{{ item }}"
-    state: latest
+    state: present
  with_items:
-  - tuned
+    - tuned
-  - tuned-utils
+    - tuned-utils
-#  - tuned-profiles-realtime # only on Fedora?  not on centos 8 stream
+#    - tuned-profiles-realtime # only on Fedora?  not on centos 8 stream
 - name: start service
  become: true
  service:
    name: tuned
-    enabled: yes
+    enabled: true
    state: started
 - name: get active tuned profile
  become: true
  command: /usr/sbin/tuned-adm active
  register: tuned_active
  changed_when: false
  ignore_errors: true
- name: deploy {{ tuned_custom_profile }} based on {{ tuned_base_profile }}
+- name: deploy custom tuned profiles
-  include: configure-custom-profile.yml
+  include_tasks: configure-custom-profile.yml
  when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ] and not is_atomic)
--- a/roles/update-packages/tasks/main.yml
+++ b/roles/update-packages/tasks/main.yml
@ -32,6 +32,6 @@
        timeout: 300
        delay: 20
      when: host_reset is changed
-
+  become: true
  tags:
    - update
--- a/roles/zfs/defaults/main.yml
+++ b/roles/zfs/defaults/main.yml
@ -1,16 +0,0 @@
 ---
 zfs_disk: /dev/vdb
 zfs_arc_size_mb: "{{ (ansible_memtotal_mb * 0.20)|int|abs }}"
 zfs_arc_size_bytes: "{{ zfs_arc_size_mb }}000000"
 EL_ZFS_PKGS:
  - kernel-devel
  - "@Development tools"
  - dkms
  - libuuid-devel
  - libblkid-devel
  - libtirpc-devel
  - openssl-devel
  - zfs
 UBUNTU_ZFS_PKGS:
  - zfsutils-linux
  - zfs-initramfs
--- a/roles/zfs/tasks/el.yml
+++ b/roles/zfs/tasks/el.yml
@ -1,8 +0,0 @@
 ---
 - name: install zfs packages
  package:
    name: "{{ item }}"
    state: present
  with_items: "{{ EL_ZFS_PKGS | difference(ansible_facts.packages) }}"
  register: zfs_installed
--- a/roles/zfs/tasks/main.yml
+++ b/roles/zfs/tasks/main.yml
@ -1,39 +0,0 @@
 ---
 - name: include zfs-release tasks (CentOS/RHEL/Fedora)
  include_tasks: zfs-release.yml
  when: ('zfs-release' not in ansible_facts.packages) and (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ])
 - name: include zfs installation tasks (Ubuntu)
  include_tasks: ubuntu.yml
  when: ansible_distribution in ["Ubuntu"]
 - name: include zfs installation tasks (CentOS/RHEL/Fedora)
  include_tasks: el.yml
  when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ] and not is_atomic)
 - name: load zfs module
  modprobe:
    name: zfs
    state: present
 - name: add zfs to modules-load.d
  copy:
    dest: "/etc/modules-load.d/zfs.conf"
    content: |
      zfs
  register: zfsload
 # does not adjust to 20% of each host, depends on consistency between hosts - inconsistency leads to disproportionate allocations
 - name: set zfs_arc_max to 20% of system memory
  lineinfile:
    path: "/etc/modprobe.d/zfs.conf"
    regexp: '^options zfs zfs_arc_max='
    line: 'options zfs zfs_arc_max="{{ zfs_arc_size_bytes }}"'
    create: yes
 # really bad idempotence in here...
 #- name: create zpool
 #  command: "zpool create -f -O compression=lz4 data {{ zfs_disk }} -o ashift=13 -O secondarycache=all"
 #  args:
 #    creates: /etc/zvol/data/*
--- a/roles/zfs/tasks/ubuntu.yml
+++ b/roles/zfs/tasks/ubuntu.yml
@ -1,7 +0,0 @@
 ---
 - name: install ZFS packages
  package:
    name: "{{ item }}"
    state: present
  with_items: "{{ UBUNTU_ZFS_PKGS | difference(ansible_facts.packages) }}"
--- a/roles/zfs/tasks/zfs-release.yml
+++ b/roles/zfs/tasks/zfs-release.yml
@ -1,19 +0,0 @@
 ---
 - name: install zfs-release package (EPEL 7)
  yum:
    name: "http://download.zfsonlinux.org/epel/zfs-release.el7_7.noarch.rpm"
    state: present
  when: (ansible_distribution_major_version == "7")
 - name: install zfs-release package (EPEL 8)
  yum:
    name: "http://download.zfsonlinux.org/epel/zfs-release.el8_1.noarch.rpm"
    state: present
  when: (ansible_distribution_major_version == "8")
 - name: install/upgrade zfs-release package (Fedora)
  dnf:
    name: "http://download.zfsonlinux.org/fedora/zfs-release.fc{{ansible_distribution_major_version}}.noarch.rpm"
    state: present
  when: (ansible_distribution in ["Fedora"] and not is_atomic)
Author	SHA1	Message	Date
Josh Lay	060434541c	docker: simplify, use dist-based vars	2023-08-30 20:43:46 -05:00
Josh Lay	873d670016	tuned: make more robust, add become	2023-08-30 20:30:26 -05:00
Josh Lay	b42c53e50b	update-packages: become	2023-08-30 20:29:53 -05:00
Josh Lay	dc119381c5	fedora-upgrade: bump versions	2023-08-30 20:29:31 -05:00
Josh Lay	4ff53468e6	hardening: updates/new vars	2023-08-30 20:29:05 -05:00
Josh Lay	2db773f15a	install-packages: become, add more pkgs	2023-08-30 20:28:20 -05:00
Josh Lay	2c9f5aecc8	bootstrap: linting, handle oomd	2023-08-30 20:26:56 -05:00
Josh Lay	46c14b88b7	make some stuff distro-agnostic	2023-08-30 20:26:20 -05:00