eec15a1cc2
Features: - Multi-distribution support (Debian, Ubuntu, RHEL, AlmaLinux, Rocky, SUSE) - LVM configuration with meaningful volume groups and logical volumes - 8 LVs: lv_opt, lv_tmp, lv_home, lv_var, lv_var_log, lv_var_tmp, lv_var_audit, lv_swap - Security mount options on sensitive directories SSH Hardening: - GSSAPI authentication disabled - GSSAPI cleanup credentials disabled - Root login disabled via SSH - Password authentication disabled - Key-based authentication only - MaxAuthTries: 3, ClientAliveInterval: 300s Security Features: - SELinux enforcing (RHEL family) - AppArmor enabled (Debian family) - Firewall configuration (UFW/firewalld) - Automatic security updates - Audit daemon (auditd) enabled - Time synchronization (chrony) - Essential security packages (aide, auditd) Role Structure: - Modular task organization (validate, install, download, storage, deploy, lvm) - Tag-based execution for selective deployment - OS-family specific cloud-init templates - Comprehensive variable defaults (100+ configurable options) - Post-deployment validation tasks
122 lines
3.8 KiB
Django/Jinja
122 lines
3.8 KiB
Django/Jinja
#cloud-config
|
|
hostname: {{ deploy_linux_vm_hostname }}
|
|
fqdn: {{ deploy_linux_vm_hostname }}.{{ deploy_linux_vm_domain }}
|
|
manage_etc_hosts: true
|
|
|
|
# Create ansible user with sudo privileges
|
|
users:
|
|
- name: {{ deploy_linux_vm_ansible_user }}
|
|
groups: sudo
|
|
shell: {{ deploy_linux_vm_ansible_user_shell }}
|
|
sudo: ['ALL=(ALL) NOPASSWD:ALL']
|
|
ssh_authorized_keys:
|
|
- {{ deploy_linux_vm_ansible_user_ssh_key }}
|
|
- name: root
|
|
lock_passwd: false
|
|
|
|
# Set root password (for emergency console access)
|
|
chpasswd:
|
|
list: |
|
|
root:{{ deploy_linux_vm_root_password }}
|
|
expire: false
|
|
|
|
# SSH configuration
|
|
ssh_pwauth: false
|
|
disable_root: false
|
|
|
|
# Install essential packages per CLAUDE.md guidelines
|
|
packages:
|
|
- sudo
|
|
{% for package in deploy_linux_vm_essential_packages %}
|
|
- {{ package }}
|
|
{% endfor %}
|
|
{% for package in deploy_linux_vm_security_packages %}
|
|
- {{ package }}
|
|
{% endfor %}
|
|
- auditd
|
|
- ufw
|
|
- lvm2
|
|
- cloud-guest-utils
|
|
- parted
|
|
- unattended-upgrades
|
|
- apt-listchanges
|
|
|
|
# Security configuration files
|
|
write_files:
|
|
- path: /etc/ssh/sshd_config.d/99-security.conf
|
|
content: |
|
|
# SSH Security Configuration - CLAUDE.md Compliance
|
|
PermitRootLogin {{ deploy_linux_vm_ssh_permit_root_login }}
|
|
PasswordAuthentication {{ deploy_linux_vm_ssh_password_authentication }}
|
|
PubkeyAuthentication {{ deploy_linux_vm_ssh_pubkey_authentication }}
|
|
MaxAuthTries {{ deploy_linux_vm_ssh_max_auth_tries }}
|
|
MaxSessions {{ deploy_linux_vm_ssh_max_sessions }}
|
|
ClientAliveInterval {{ deploy_linux_vm_ssh_client_alive_interval }}
|
|
ClientAliveCountMax {{ deploy_linux_vm_ssh_client_alive_count_max }}
|
|
|
|
# Disable GSSAPI Authentication (per requirements)
|
|
GSSAPIAuthentication {{ deploy_linux_vm_ssh_gssapi_authentication }}
|
|
GSSAPICleanupCredentials {{ deploy_linux_vm_ssh_gssapi_cleanup_credentials }}
|
|
|
|
# Additional hardening
|
|
PermitEmptyPasswords no
|
|
ChallengeResponseAuthentication no
|
|
UsePAM yes
|
|
X11Forwarding no
|
|
PrintMotd no
|
|
AcceptEnv LANG LC_*
|
|
permissions: '0644'
|
|
|
|
- path: /etc/sudoers.d/{{ deploy_linux_vm_ansible_user }}
|
|
content: |
|
|
{{ deploy_linux_vm_ansible_user }} ALL=(ALL) NOPASSWD:ALL
|
|
permissions: '0440'
|
|
|
|
- path: /etc/apt/apt.conf.d/50unattended-upgrades
|
|
content: |
|
|
Unattended-Upgrade::Allowed-Origins {
|
|
"${distro_id}:${distro_codename}-security";
|
|
};
|
|
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
|
|
Unattended-Upgrade::MinimalSteps "true";
|
|
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
|
|
Unattended-Upgrade::Remove-Unused-Dependencies "true";
|
|
Unattended-Upgrade::Automatic-Reboot "{{ 'true' if deploy_linux_vm_automatic_reboot else 'false' }}";
|
|
permissions: '0644'
|
|
|
|
- path: /etc/apt/apt.conf.d/20auto-upgrades
|
|
content: |
|
|
APT::Periodic::Update-Package-Lists "1";
|
|
APT::Periodic::Unattended-Upgrade "1";
|
|
APT::Periodic::AutocleanInterval "7";
|
|
permissions: '0644'
|
|
|
|
# System configuration commands
|
|
runcmd:
|
|
- systemctl enable ssh
|
|
- systemctl restart ssh
|
|
- systemctl enable chrony
|
|
- systemctl start chrony
|
|
{% if deploy_linux_vm_enable_firewall %}
|
|
- ufw --force enable
|
|
- ufw allow ssh
|
|
{% endif %}
|
|
{% if deploy_linux_vm_enable_auditd %}
|
|
- systemctl enable auditd
|
|
- systemctl start auditd
|
|
{% endif %}
|
|
- growpart /dev/vda 1 || true
|
|
- resize2fs /dev/vda1 || true
|
|
|
|
package_update: {{ deploy_linux_vm_package_update | lower }}
|
|
package_upgrade: {{ deploy_linux_vm_package_upgrade | lower }}
|
|
package_reboot_if_required: {{ deploy_linux_vm_package_reboot_if_required | lower }}
|
|
|
|
timezone: {{ deploy_linux_vm_timezone }}
|
|
locale: {{ deploy_linux_vm_locale }}
|
|
|
|
output:
|
|
all: '| tee -a /var/log/cloud-init-output.log'
|
|
|
|
final_message: "{{ deploy_linux_vm_os_distribution }} VM deployment completed. System is ready after $UPTIME seconds."
|