Add deploy_linux_vm role with LVM and SSH hardening

Features: - Multi-distribution support (Debian, Ubuntu, RHEL, AlmaLinux, Rocky, SUSE) - LVM configuration with meaningful volume groups and logical volumes - 8 LVs: lv_opt, lv_tmp, lv_home, lv_var, lv_var_log, lv_var_tmp, lv_var_audit, lv_swap - Security mount options on sensitive directories SSH Hardening: - GSSAPI authentication disabled - GSSAPI cleanup credentials disabled - Root login disabled via SSH - Password authentication disabled - Key-based authentication only - MaxAuthTries: 3, ClientAliveInterval: 300s Security Features: - SELinux enforcing (RHEL family) - AppArmor enabled (Debian family) - Firewall configuration (UFW/firewalld) - Automatic security updates - Audit daemon (auditd) enabled - Time synchronization (chrony) - Essential security packages (aide, auditd) Role Structure: - Modular task organization (validate, install, download, storage, deploy, lvm) - Tag-based execution for selective deployment - OS-family specific cloud-init templates - Comprehensive variable defaults (100+ configurable options) - Post-deployment validation tasks
2025-11-10 22:51:51 +01:00
parent 47df4035c3
commit eec15a1cc2
18 changed files with 1869 additions and 0 deletions
--- a/roles/deploy_linux_vm/tasks/cloud-init.yml
+++ b/roles/deploy_linux_vm/tasks/cloud-init.yml
@@ -0,0 +1,70 @@
+---
+# =============================================================================
+# Cloud-Init Tasks - Generate Cloud-Init Configuration
+# =============================================================================
+
+- name: Create cloud-init directory
+  file:
+    path: /tmp/cloud-init-{{ deploy_linux_vm_name }}
+    state: directory
+    mode: '0755'
+  tags: [cloud-init]
+
+- name: Create cloud-init meta-data
+  template:
+    src: meta-data.j2
+    dest: /tmp/cloud-init-{{ deploy_linux_vm_name }}/meta-data
+    mode: '0644'
+  tags: [cloud-init]
+
+- name: Create cloud-init user-data for Debian/Ubuntu
+  template:
+    src: user-data-debian.j2
+    dest: /tmp/cloud-init-{{ deploy_linux_vm_name }}/user-data
+    mode: '0644'
+  when: deploy_linux_vm_distro_config.family == "debian"
+  tags: [cloud-init]
+
+- name: Create cloud-init user-data for RHEL/CentOS/Rocky/Alma
+  template:
+    src: user-data-rhel.j2
+    dest: /tmp/cloud-init-{{ deploy_linux_vm_name }}/user-data
+    mode: '0644'
+  when: deploy_linux_vm_distro_config.family == "rhel"
+  tags: [cloud-init]
+
+- name: Create cloud-init user-data for SUSE/openSUSE
+  template:
+    src: user-data-suse.j2
+    dest: /tmp/cloud-init-{{ deploy_linux_vm_name }}/user-data
+    mode: '0644'
+  when: deploy_linux_vm_distro_config.family == "suse"
+  tags: [cloud-init]
+
+- name: Create cloud-init ISO
+  command: >
+    genisoimage -output {{ deploy_linux_vm_cloud_init_iso_path }}
+    -volid cidata -joliet -rock
+    /tmp/cloud-init-{{ deploy_linux_vm_name }}/user-data
+    /tmp/cloud-init-{{ deploy_linux_vm_name }}/meta-data
+  args:
+    creates: "{{ deploy_linux_vm_cloud_init_iso_path }}"
+  tags: [cloud-init]
+
+- name: Set proper permissions on cloud-init ISO (Debian/Ubuntu)
+  file:
+    path: "{{ deploy_linux_vm_cloud_init_iso_path }}"
+    owner: libvirt-qemu
+    group: kvm
+    mode: '0644'
+  when: ansible_os_family == "Debian"
+  tags: [cloud-init]
+
+- name: Set proper permissions on cloud-init ISO (RHEL)
+  file:
+    path: "{{ deploy_linux_vm_cloud_init_iso_path }}"
+    owner: qemu
+    group: qemu
+    mode: '0644'
+  when: ansible_os_family == "RedHat"
+  tags: [cloud-init]