infra-automation/roles/deploy_linux_vm/templates/user-data-rhel.j2

#cloud-config
hostname: {{ deploy_linux_vm_hostname }}
fqdn: {{ deploy_linux_vm_hostname }}.{{ deploy_linux_vm_domain }}
manage_etc_hosts: true

# Create ansible user with sudo privileges
users:
  - name: {{ deploy_linux_vm_ansible_user }}
    groups: wheel
    shell: {{ deploy_linux_vm_ansible_user_shell }}
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    ssh_authorized_keys:
      - {{ deploy_linux_vm_ansible_user_ssh_key }}
  - name: root
    lock_passwd: false

# Set root password (for emergency console access)
chpasswd:
  list: |
    root:{{ deploy_linux_vm_root_password }}
  expire: false

# SSH configuration
ssh_pwauth: false
disable_root: false

# Install essential packages per CLAUDE.md guidelines
packages:
  - sudo
{% for package in deploy_linux_vm_essential_packages %}
  - {{ package }}
{% endfor %}
{% for package in deploy_linux_vm_security_packages %}
  - {{ package }}
{% endfor %}
  - audit
  - firewalld
  - lvm2
  - cloud-utils-growpart
  - gdisk
  - dnf-automatic
  - policycoreutils-python-utils

# Security configuration files
write_files:
  - path: /etc/ssh/sshd_config.d/99-security.conf
    content: |
      # SSH Security Configuration - CLAUDE.md Compliance
      PermitRootLogin {{ deploy_linux_vm_ssh_permit_root_login }}
      PasswordAuthentication {{ deploy_linux_vm_ssh_password_authentication }}
      PubkeyAuthentication {{ deploy_linux_vm_ssh_pubkey_authentication }}
      MaxAuthTries {{ deploy_linux_vm_ssh_max_auth_tries }}
      MaxSessions {{ deploy_linux_vm_ssh_max_sessions }}
      ClientAliveInterval {{ deploy_linux_vm_ssh_client_alive_interval }}
      ClientAliveCountMax {{ deploy_linux_vm_ssh_client_alive_count_max }}

      # Disable GSSAPI Authentication (per requirements)
      GSSAPIAuthentication {{ deploy_linux_vm_ssh_gssapi_authentication }}
      GSSAPICleanupCredentials {{ deploy_linux_vm_ssh_gssapi_cleanup_credentials }}

      # Additional hardening
      PermitEmptyPasswords no
      ChallengeResponseAuthentication no
      UsePAM yes
      X11Forwarding no
    permissions: '0644'

  - path: /etc/sudoers.d/{{ deploy_linux_vm_ansible_user }}
    content: |
      {{ deploy_linux_vm_ansible_user }} ALL=(ALL) NOPASSWD:ALL
    permissions: '0440'

  - path: /etc/dnf/automatic.conf
    content: |
      [commands]
      upgrade_type = security
      download_updates = yes
      apply_updates = {{ 'yes' if deploy_linux_vm_enable_automatic_updates else 'no' }}

      [emitters]
      emit_via = stdio

      [email]
      email_from = root@{{ deploy_linux_vm_hostname }}.{{ deploy_linux_vm_domain }}

      [base]
      debuglevel = 1
    permissions: '0644'

# System configuration commands
runcmd:
  - systemctl enable sshd
  - systemctl restart sshd
  - systemctl enable chronyd
  - systemctl start chronyd
{% if deploy_linux_vm_enable_firewall %}
  - systemctl enable firewalld
  - systemctl start firewalld
  - firewall-cmd --permanent --add-service=ssh
  - firewall-cmd --reload
{% endif %}
{% if deploy_linux_vm_enable_auditd %}
  - systemctl enable auditd
  - systemctl start auditd
{% endif %}
{% if deploy_linux_vm_enable_automatic_updates %}
  - systemctl enable dnf-automatic.timer
  - systemctl start dnf-automatic.timer
{% endif %}
{% if deploy_linux_vm_enable_selinux %}
  - setenforce 1
  - sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
{% endif %}
  - growpart /dev/vda 1 || true
  - xfs_growfs / || resize2fs /dev/vda1 || true

package_update: {{ deploy_linux_vm_package_update | lower }}
package_upgrade: {{ deploy_linux_vm_package_upgrade | lower }}
package_reboot_if_required: {{ deploy_linux_vm_package_reboot_if_required | lower }}

timezone: {{ deploy_linux_vm_timezone }}
locale: {{ deploy_linux_vm_locale }}

output:
  all: '| tee -a /var/log/cloud-init-output.log'

final_message: "{{ deploy_linux_vm_os_distribution }} VM deployment completed. System is ready after $UPTIME seconds."