Add deploy_linux_vm role with LVM and SSH hardening

Features: - Multi-distribution support (Debian, Ubuntu, RHEL, AlmaLinux, Rocky, SUSE) - LVM configuration with meaningful volume groups and logical volumes - 8 LVs: lv_opt, lv_tmp, lv_home, lv_var, lv_var_log, lv_var_tmp, lv_var_audit, lv_swap - Security mount options on sensitive directories SSH Hardening: - GSSAPI authentication disabled - GSSAPI cleanup credentials disabled - Root login disabled via SSH - Password authentication disabled - Key-based authentication only - MaxAuthTries: 3, ClientAliveInterval: 300s Security Features: - SELinux enforcing (RHEL family) - AppArmor enabled (Debian family) - Firewall configuration (UFW/firewalld) - Automatic security updates - Audit daemon (auditd) enabled - Time synchronization (chrony) - Essential security packages (aide, auditd) Role Structure: - Modular task organization (validate, install, download, storage, deploy, lvm) - Tag-based execution for selective deployment - OS-family specific cloud-init templates - Comprehensive variable defaults (100+ configurable options) - Post-deployment validation tasks
2025-11-10 22:51:51 +01:00
parent 47df4035c3
commit eec15a1cc2
18 changed files with 1869 additions and 0 deletions
--- a/roles/deploy_linux_vm/defaults/main.yml
+++ b/roles/deploy_linux_vm/defaults/main.yml
@@ -0,0 +1,163 @@
+---
+# =============================================================================
+# Deploy Linux VM Role - Default Variables
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# VM Configuration
+# -----------------------------------------------------------------------------
+deploy_linux_vm_name: "linux-guest"
+deploy_linux_vm_hostname: "linux-vm"
+deploy_linux_vm_domain: "localdomain"
+deploy_linux_vm_vcpus: 2
+deploy_linux_vm_memory_mb: 2048
+deploy_linux_vm_disk_size_gb: 30
+
+# -----------------------------------------------------------------------------
+# Distribution Selection (REQUIRED)
+# -----------------------------------------------------------------------------
+# Format: "distro-version" or "distro-major.minor"
+# Examples: debian-12, ubuntu-22.04, rhel-9, centos-stream-9, almalinux-9
+deploy_linux_vm_os_distribution: "debian-12"
+
+# -----------------------------------------------------------------------------
+# Network Configuration
+# -----------------------------------------------------------------------------
+deploy_linux_vm_network: "default"
+deploy_linux_vm_bridge: "virbr0"
+
+# -----------------------------------------------------------------------------
+# Storage Configuration
+# -----------------------------------------------------------------------------
+deploy_linux_vm_disk_path: "/var/lib/libvirt/images/{{ deploy_linux_vm_name }}.qcow2"
+deploy_linux_vm_cloud_init_iso_path: "/var/lib/libvirt/images/{{ deploy_linux_vm_name }}-cloud-init.iso"
+deploy_linux_vm_images_dir: "/var/lib/libvirt/images"
+
+# -----------------------------------------------------------------------------
+# LVM Configuration (CLAUDE.md Compliance)
+# -----------------------------------------------------------------------------
+deploy_linux_vm_use_lvm: true
+deploy_linux_vm_lvm_vg_name: "vg_system"
+deploy_linux_vm_lvm_pv_device: "/dev/vdb"
+
+# LVM Logical Volumes - Per CLAUDE.md Requirements
+deploy_linux_vm_lvm_volumes:
+  - name: lv_opt
+    size: 3G
+    mount: /opt
+    fstype: ext4
+    mount_options: defaults
+  - name: lv_tmp
+    size: 1G
+    mount: /tmp
+    fstype: ext4
+    mount_options: noexec,nosuid,nodev
+  - name: lv_home
+    size: 2G
+    mount: /home
+    fstype: ext4
+    mount_options: defaults
+  - name: lv_var
+    size: 5G
+    mount: /var
+    fstype: ext4
+    mount_options: defaults
+  - name: lv_var_log
+    size: 2G
+    mount: /var/log
+    fstype: ext4
+    mount_options: defaults
+  - name: lv_var_tmp
+    size: 5G
+    mount: /var/tmp
+    fstype: ext4
+    mount_options: noexec,nosuid,nodev
+  - name: lv_var_audit
+    size: 1G
+    mount: /var/log/audit
+    fstype: ext4
+    mount_options: defaults
+  - name: lv_swap
+    size: 2G
+    mount: none
+    fstype: swap
+    mount_options: sw
+
+# -----------------------------------------------------------------------------
+# Ansible User Configuration
+# -----------------------------------------------------------------------------
+deploy_linux_vm_ansible_user: "ansible"
+deploy_linux_vm_ansible_user_ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILBrnivsqjhAxWYeuuvnYc3neeRRuHsr2SjeKv+Drtpu user@debian"
+deploy_linux_vm_ansible_user_shell: "/bin/bash"
+
+# Root password for emergency console access
+deploy_linux_vm_root_password: "ChangeMe123!"
+
+# -----------------------------------------------------------------------------
+# SSH Configuration
+# -----------------------------------------------------------------------------
+deploy_linux_vm_ssh_permit_root_login: "no"
+deploy_linux_vm_ssh_password_authentication: "no"
+deploy_linux_vm_ssh_pubkey_authentication: "yes"
+deploy_linux_vm_ssh_max_auth_tries: 3
+deploy_linux_vm_ssh_max_sessions: 10
+deploy_linux_vm_ssh_client_alive_interval: 300
+deploy_linux_vm_ssh_client_alive_count_max: 2
+deploy_linux_vm_ssh_gssapi_authentication: "no"  # Disable GSSAPI
+deploy_linux_vm_ssh_gssapi_cleanup_credentials: "no"
+
+# -----------------------------------------------------------------------------
+# Security Configuration
+# -----------------------------------------------------------------------------
+deploy_linux_vm_enable_firewall: true
+deploy_linux_vm_enable_selinux: true  # RHEL family only
+deploy_linux_vm_enable_apparmor: true  # Debian family only
+deploy_linux_vm_enable_auditd: true
+deploy_linux_vm_enable_automatic_updates: true
+deploy_linux_vm_automatic_reboot: false
+
+# -----------------------------------------------------------------------------
+# Essential Packages (Per CLAUDE.md)
+# -----------------------------------------------------------------------------
+deploy_linux_vm_essential_packages:
+  - vim
+  - htop
+  - tmux
+  - jq
+  - bc
+  - curl
+  - wget
+  - rsync
+  - git
+  - python3
+  - python3-pip
+
+deploy_linux_vm_security_packages:
+  - aide
+  - chrony
+
+# -----------------------------------------------------------------------------
+# System Configuration
+# -----------------------------------------------------------------------------
+deploy_linux_vm_timezone: "UTC"
+deploy_linux_vm_locale: "en_US.UTF-8"
+
+# -----------------------------------------------------------------------------
+# Cloud-Init Configuration
+# -----------------------------------------------------------------------------
+deploy_linux_vm_package_update: true
+deploy_linux_vm_package_upgrade: true
+deploy_linux_vm_package_reboot_if_required: false
+
+# -----------------------------------------------------------------------------
+# Validation and Deployment Options
+# -----------------------------------------------------------------------------
+deploy_linux_vm_wait_for_boot_seconds: 90
+deploy_linux_vm_ssh_wait_timeout: 300
+deploy_linux_vm_skip_validation: false
+
+# -----------------------------------------------------------------------------
+# Cleanup Options
+# -----------------------------------------------------------------------------
+deploy_linux_vm_cleanup_temp_files: true
+deploy_linux_vm_remove_cloud_init_iso_after_boot: false