Add deploy_linux_vm role with LVM and SSH hardening

Features: - Multi-distribution support (Debian, Ubuntu, RHEL, AlmaLinux, Rocky, SUSE) - LVM configuration with meaningful volume groups and logical volumes - 8 LVs: lv_opt, lv_tmp, lv_home, lv_var, lv_var_log, lv_var_tmp, lv_var_audit, lv_swap - Security mount options on sensitive directories SSH Hardening: - GSSAPI authentication disabled - GSSAPI cleanup credentials disabled - Root login disabled via SSH - Password authentication disabled - Key-based authentication only - MaxAuthTries: 3, ClientAliveInterval: 300s Security Features: - SELinux enforcing (RHEL family) - AppArmor enabled (Debian family) - Firewall configuration (UFW/firewalld) - Automatic security updates - Audit daemon (auditd) enabled - Time synchronization (chrony) - Essential security packages (aide, auditd) Role Structure: - Modular task organization (validate, install, download, storage, deploy, lvm) - Tag-based execution for selective deployment - OS-family specific cloud-init templates - Comprehensive variable defaults (100+ configurable options) - Post-deployment validation tasks
2025-11-10 22:51:51 +01:00
parent 47df4035c3
commit eec15a1cc2
18 changed files with 1869 additions and 0 deletions
--- a/roles/deploy_linux_vm/tasks/storage.yml
+++ b/roles/deploy_linux_vm/tasks/storage.yml
@@ -0,0 +1,64 @@
+---
+# =============================================================================
+# Storage Tasks - Create VM Disk Images
+# =============================================================================
+
+- name: Create primary VM disk from cloud image
+  command: >
+    qemu-img create -f qcow2 -F qcow2
+    -b {{ deploy_linux_vm_image_cache_path }}
+    {{ deploy_linux_vm_disk_path }}
+    {{ deploy_linux_vm_disk_size_gb }}G
+  args:
+    creates: "{{ deploy_linux_vm_disk_path }}"
+  tags: [storage]
+
+- name: Set proper permissions on VM disk (Debian/Ubuntu)
+  file:
+    path: "{{ deploy_linux_vm_disk_path }}"
+    owner: libvirt-qemu
+    group: kvm
+    mode: '0600'
+  when: ansible_os_family == "Debian"
+  tags: [storage]
+
+- name: Set proper permissions on VM disk (RHEL)
+  file:
+    path: "{{ deploy_linux_vm_disk_path }}"
+    owner: qemu
+    group: qemu
+    mode: '0600'
+  when: ansible_os_family == "RedHat"
+  tags: [storage]
+
+- name: Create LVM data disk for VM
+  command: >
+    qemu-img create -f qcow2
+    {{ deploy_linux_vm_images_dir }}/{{ deploy_linux_vm_name }}-lvm.qcow2
+    30G
+  args:
+    creates: "{{ deploy_linux_vm_images_dir }}/{{ deploy_linux_vm_name }}-lvm.qcow2"
+  when: deploy_linux_vm_use_lvm | bool
+  tags: [storage, lvm]
+
+- name: Set proper permissions on LVM disk (Debian/Ubuntu)
+  file:
+    path: "{{ deploy_linux_vm_images_dir }}/{{ deploy_linux_vm_name }}-lvm.qcow2"
+    owner: libvirt-qemu
+    group: kvm
+    mode: '0600'
+  when:
+    - deploy_linux_vm_use_lvm | bool
+    - ansible_os_family == "Debian"
+  tags: [storage, lvm]
+
+- name: Set proper permissions on LVM disk (RHEL)
+  file:
+    path: "{{ deploy_linux_vm_images_dir }}/{{ deploy_linux_vm_name }}-lvm.qcow2"
+    owner: qemu
+    group: qemu
+    mode: '0600'
+  when:
+    - deploy_linux_vm_use_lvm | bool
+    - ansible_os_family == "RedHat"
+  tags: [storage, lvm]