Add deploy_linux_vm role with LVM and SSH hardening

Features: - Multi-distribution support (Debian, Ubuntu, RHEL, AlmaLinux, Rocky, SUSE) - LVM configuration with meaningful volume groups and logical volumes - 8 LVs: lv_opt, lv_tmp, lv_home, lv_var, lv_var_log, lv_var_tmp, lv_var_audit, lv_swap - Security mount options on sensitive directories SSH Hardening: - GSSAPI authentication disabled - GSSAPI cleanup credentials disabled - Root login disabled via SSH - Password authentication disabled - Key-based authentication only - MaxAuthTries: 3, ClientAliveInterval: 300s Security Features: - SELinux enforcing (RHEL family) - AppArmor enabled (Debian family) - Firewall configuration (UFW/firewalld) - Automatic security updates - Audit daemon (auditd) enabled - Time synchronization (chrony) - Essential security packages (aide, auditd) Role Structure: - Modular task organization (validate, install, download, storage, deploy, lvm) - Tag-based execution for selective deployment - OS-family specific cloud-init templates - Comprehensive variable defaults (100+ configurable options) - Post-deployment validation tasks
2025-11-10 22:51:51 +01:00
parent 47df4035c3
commit eec15a1cc2
18 changed files with 1869 additions and 0 deletions
--- a/roles/deploy_linux_vm/tasks/install.yml
+++ b/roles/deploy_linux_vm/tasks/install.yml
@@ -0,0 +1,64 @@
+---
+# =============================================================================
+# Installation Tasks - Install Required Packages on Hypervisor
+# =============================================================================
+
+- name: Install required packages for VM deployment (Debian/Ubuntu)
+  apt:
+    name:
+      - libvirt-daemon-system
+      - libvirt-clients
+      - virtinst
+      - qemu-kvm
+      - qemu-utils
+      - cloud-image-utils
+      - genisoimage
+      - wget
+      - curl
+      - python3-libvirt
+      - lvm2
+      - parted
+    state: present
+    update_cache: yes
+  when: ansible_os_family == "Debian"
+  tags: [install]
+
+- name: Install required packages for VM deployment (RHEL/CentOS)
+  dnf:
+    name:
+      - libvirt
+      - libvirt-client
+      - virt-install
+      - qemu-kvm
+      - qemu-img
+      - cloud-utils
+      - genisoimage
+      - wget
+      - curl
+      - python3-libvirt
+      - lvm2
+      - parted
+    state: present
+  when: ansible_os_family == "RedHat"
+  tags: [install]
+
+- name: Ensure libvirtd service is running
+  systemd:
+    name: libvirtd
+    state: started
+    enabled: yes
+  tags: [install]
+
+- name: Ensure default libvirt network is active
+  command: virsh net-start default
+  register: deploy_linux_vm_net_start
+  failed_when: false
+  changed_when: deploy_linux_vm_net_start.rc == 0
+  tags: [install]
+
+- name: Ensure default libvirt network is autostarted
+  command: virsh net-autostart default
+  register: deploy_linux_vm_net_autostart
+  failed_when: false
+  changed_when: false
+  tags: [install]