Add deploy_linux_vm role with LVM and SSH hardening
Features: - Multi-distribution support (Debian, Ubuntu, RHEL, AlmaLinux, Rocky, SUSE) - LVM configuration with meaningful volume groups and logical volumes - 8 LVs: lv_opt, lv_tmp, lv_home, lv_var, lv_var_log, lv_var_tmp, lv_var_audit, lv_swap - Security mount options on sensitive directories SSH Hardening: - GSSAPI authentication disabled - GSSAPI cleanup credentials disabled - Root login disabled via SSH - Password authentication disabled - Key-based authentication only - MaxAuthTries: 3, ClientAliveInterval: 300s Security Features: - SELinux enforcing (RHEL family) - AppArmor enabled (Debian family) - Firewall configuration (UFW/firewalld) - Automatic security updates - Audit daemon (auditd) enabled - Time synchronization (chrony) - Essential security packages (aide, auditd) Role Structure: - Modular task organization (validate, install, download, storage, deploy, lvm) - Tag-based execution for selective deployment - OS-family specific cloud-init templates - Comprehensive variable defaults (100+ configurable options) - Post-deployment validation tasks
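--- /dev/null
+++ b/roles/deploy_linux_vm/templates/user-data-suse.j2
@@ -0,0 +1,100 @@
+#cloud-config
+hostname: {{ deploy_linux_vm_hostname }}
+fqdn: {{ deploy_linux_vm_hostname }}.{{ deploy_linux_vm_domain }}
+manage_etc_hosts: true
+
+# Create ansible user with sudo privileges
+users:
+- name: {{ deploy_linux_vm_ansible_user }}
+groups: wheel
+shell: {{ deploy_linux_vm_ansible_user_shell }}
+sudo: ['ALL=(ALL) NOPASSWD:ALL']
+ssh_authorized_keys:
+- {{ deploy_linux_vm_ansible_user_ssh_key }}
+- name: root
+lock_passwd: false
+
+# Set root password (for emergency console access)
+chpasswd:
+list: |
+root:{{ deploy_linux_vm_root_password }}
+expire: false
+
+# SSH configuration
+ssh_pwauth: false
+disable_root: false
+
+# Install essential packages
+packages:
+- sudo
+{% for package in deploy_linux_vm_essential_packages %}
+- {{ package }}
+{% endfor %}
+{% for package in deploy_linux_vm_security_packages %}
+- {{ package }}
+{% endfor %}
+- audit
+- firewalld
+- lvm2
+- cloud-utils-growpart
+- gdisk
+
+# Security configuration files
+write_files:
+- path: /etc/ssh/sshd_config.d/99-security.conf
+content: |
+# SSH Security Configuration - CLAUDE.md Compliance
+PermitRootLogin {{ deploy_linux_vm_ssh_permit_root_login }}
+PasswordAuthentication {{ deploy_linux_vm_ssh_password_authentication }}
+PubkeyAuthentication {{ deploy_linux_vm_ssh_pubkey_authentication }}
+MaxAuthTries {{ deploy_linux_vm_ssh_max_auth_tries }}
+MaxSessions {{ deploy_linux_vm_ssh_max_sessions }}
+ClientAliveInterval {{ deploy_linux_vm_ssh_client_alive_interval }}
+ClientAliveCountMax {{ deploy_linux_vm_ssh_client_alive_count_max }}
+
+# Disable GSSAPI Authentication (per requirements)
+GSSAPIAuthentication {{ deploy_linux_vm_ssh_gssapi_authentication }}
+GSSAPICleanupCredentials {{ deploy_linux_vm_ssh_gssapi_cleanup_credentials }}
+
+# Additional hardening
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+UsePAM yes
+X11Forwarding no
+permissions: '0644'
+
+- path: /etc/sudoers.d/{{ deploy_linux_vm_ansible_user }}
+content: |
+{{ deploy_linux_vm_ansible_user }} ALL=(ALL) NOPASSWD:ALL
+permissions: '0440'
+
+# System configuration commands
+runcmd:
+- systemctl enable sshd
+- systemctl restart sshd
+- systemctl enable chronyd
+- systemctl start chronyd
+{% if deploy_linux_vm_enable_firewall %}
+- systemctl enable firewalld
+- systemctl start firewalld
+- firewall-cmd --permanent --add-service=ssh
+- firewall-cmd --reload
+{% endif %}
+{% if deploy_linux_vm_enable_auditd %}
+- systemctl enable auditd
+- systemctl start auditd
+{% endif %}
+- growpart /dev/vda 1 || true
+- xfs_growfs / || resize2fs /dev/vda1 || btrfs filesystem resize max / || true
+
+package_update: {{ deploy_linux_vm_package_update | lower }}
+package_upgrade: {{ deploy_linux_vm_package_upgrade | lower }}
+package_reboot_if_required: {{ deploy_linux_vm_package_reboot_if_required | lower }}
+
+timezone: {{ deploy_linux_vm_timezone }}
+locale: {{ deploy_linux_vm_locale }}
+
+output:
+all: '| tee -a /var/log/cloud-init-output.log'
+
+final_message: "{{ deploy_linux_vm_os_distribution }} VM deployment completed. System is ready after $UPTIME seconds."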
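Review bot: The `chpasswd` entry `root:{{ deploy_linux_vm_root_password }}` puts the root password into user-data in whatever form the variable holds, and nothing in the template requires that to be a hash; if the variable is plaintext, the value is likely to persist wherever the rendered user-data is stored and in cloud-init's instance data on the guest, rather than being applied once and discarded. cloud-init accepts a crypt-style hash in the same list entry, so either document that `deploy_linux_vm_root_password` must be a pre-hashed (and vaulted) value, or hash it at render time, e.g. `root:{{ deploy_linux_vm_root_password | password_hash('sha512') }}`. Because `lock_passwd: false` and `disable_root: false` deliberately keep root usable for console access, this password is the only credential on that path, so `ssh_pwauth: false` and `deploy_linux_vm_ssh_password_authentication` should be kept in step so it stays console-only. The `sudo:` key on the ansible user already makes cloud-init emit a sudoers drop-in, so the separate `write_files` entry for `/etc/sudoers.d/{{ deploy_linux_vm_ansible_user }}` duplicates it and one of the two can go. The rendered view has dropped the YAML indentation, so the nesting of the `users`, `write_files` and `runcmd` blocks cannot be verified from this page.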