infra-automation/roles/deploy_linux_vm/tasks/download.yml
Infrastructure Team eec15a1cc2 Add deploy_linux_vm role with LVM and SSH hardening
Features:
- Multi-distribution support (Debian, Ubuntu, RHEL, AlmaLinux, Rocky, SUSE)
- LVM configuration with meaningful volume groups and logical volumes
- 8 LVs: lv_opt, lv_tmp, lv_home, lv_var, lv_var_log, lv_var_tmp, lv_var_audit, lv_swap
- Security mount options on sensitive directories

SSH Hardening:
- GSSAPI authentication disabled
- GSSAPI cleanup credentials disabled
- Root login disabled via SSH
- Password authentication disabled
- Key-based authentication only
- MaxAuthTries: 3, ClientAliveInterval: 300s

Security Features:
- SELinux enforcing (RHEL family)
- AppArmor enabled (Debian family)
- Firewall configuration (UFW/firewalld)
- Automatic security updates
- Audit daemon (auditd) enabled
- Time synchronization (chrony)
- Essential security packages (aide, auditd)

Role Structure:
- Modular task organization (validate, install, download, storage, deploy, lvm)
- Tag-based execution for selective deployment
- OS-family specific cloud-init templates
- Comprehensive variable defaults (100+ configurable options)
- Post-deployment validation tasks
2025-11-10 22:51:51 +01:00


---
# =============================================================================
# Download Tasks - Download and Verify Cloud Images
# =============================================================================

- name: Check if cloud image already exists
  ansible.builtin.stat:
    path: "{{ deploy_linux_vm_image_cache_path }}"
  register: deploy_linux_vm_cloud_image_stat
  tags: [download]

- name: Display image cache status
  ansible.builtin.debug:
    msg: "Cloud image {{ 'exists' if deploy_linux_vm_cloud_image_stat.stat.exists else 'not found' }}: {{ deploy_linux_vm_image_cache_path }}"
  tags: [download]

# Distributions whose images cannot be fetched unattended carry a `note` in
# their distro_config; for those the role only tells the operator where to
# place the file instead of downloading it.
- name: Check for manual download requirement
  ansible.builtin.debug:
    msg:
      - "WARNING: {{ deploy_linux_vm_os_distribution }} requires manual download"
      - "{{ deploy_linux_vm_distro_config.note | default('') }}"
      - "Please download the image and place it at: {{ deploy_linux_vm_image_cache_path }}"
  when:
    - not deploy_linux_vm_cloud_image_stat.stat.exists
    - deploy_linux_vm_distro_config.note is defined
  tags: [download]

- name: Download cloud image
  ansible.builtin.get_url:
    url: "{{ deploy_linux_vm_distro_config.url }}"
    dest: "{{ deploy_linux_vm_image_cache_path }}"
    mode: '0644'
    timeout: 1200
  when:
    - not deploy_linux_vm_cloud_image_stat.stat.exists
    - deploy_linux_vm_distro_config.note is not defined
  register: deploy_linux_vm_download_result
  tags: [download]

# The checksum list is fetched over the same channel as the image, so it
# catches a corrupted or truncated download, not a mirror that serves a
# tampered image together with a matching list; guarding against that needs
# the distribution's signature on the checksum file as well.
- name: Download checksum file
  ansible.builtin.get_url:
    url: "{{ deploy_linux_vm_distro_config.checksum_url }}"
    dest: "/tmp/{{ deploy_linux_vm_os_distribution }}-CHECKSUM"
    mode: '0644'
  when:
    - deploy_linux_vm_distro_config.checksum_url is defined
    - deploy_linux_vm_download_result is changed or deploy_linux_vm_cloud_image_stat.stat.exists
  tags: [download, verify]

# grep selects the list entry for the cached filename. If it matches nothing,
# sha512sum/sha256sum reads empty input and exits non-zero (the pipeline's
# exit status is that of the last command), so a missing entry fails the task
# just as a digest mismatch does. The cached copy is re-verified on every run.
- name: Verify cloud image checksum (SHA512)
  ansible.builtin.shell: |
    cd {{ deploy_linux_vm_images_dir }}
    grep "{{ deploy_linux_vm_distro_config.cache_name }}" /tmp/{{ deploy_linux_vm_os_distribution }}-CHECKSUM | sha512sum -c -
  register: deploy_linux_vm_checksum_result
  changed_when: false
  when:
    - deploy_linux_vm_distro_config.checksum_type is defined
    - deploy_linux_vm_distro_config.checksum_type == "sha512"
    - deploy_linux_vm_distro_config.checksum_url is defined
  tags: [verify]

- name: Verify cloud image checksum (SHA256)
  ansible.builtin.shell: |
    cd {{ deploy_linux_vm_images_dir }}
    grep "{{ deploy_linux_vm_distro_config.cache_name }}" /tmp/{{ deploy_linux_vm_os_distribution }}-CHECKSUM | sha256sum -c -
  register: deploy_linux_vm_checksum_result
  changed_when: false
  when:
    - deploy_linux_vm_distro_config.checksum_type is defined
    - deploy_linux_vm_distro_config.checksum_type == "sha256"
    - deploy_linux_vm_distro_config.checksum_url is defined
  tags: [verify]

# Final gate for both the automatic and the manual-download path.
- name: Ensure image file exists before proceeding
  ansible.builtin.stat:
    path: "{{ deploy_linux_vm_image_cache_path }}"
  register: deploy_linux_vm_final_image_check
  failed_when: not deploy_linux_vm_final_image_check.stat.exists
  tags: [verify]
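The two verify tasks grep the cache name out of the downloaded checksum list and pipe that line into sha512sum or sha256sum -c. The following is an added example, not code from the deploy_linux_vm role, that performs the same lookup in Python so the failure modes are explicit: it parses both layouts distributions publish (the GNU coreutils `<hex>  <filename>` form and the BSD tagged `SHA256 (<filename>) = <hex>` form) and fails closed when the image is not listed, when the list is for another algorithm, or when the digest differs. The `upstream_name` parameter is an assumption for the case where the cached copy is stored under a different name than the one the distribution lists; the image payload, filenames and checksum files in `demo()` are constructed.

```python
"""Verify a cloud image against a distribution checksum file.

Added example; not code from the deploy_linux_vm role. It does what the role's
`grep <cache_name> CHECKSUM | shaNNNsum -c -` step does, but parses the two
checksum layouts distributions publish and fails closed on every case that is
not a positive match: no entry for the file, a list for another algorithm, a
digest mismatch.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# GNU coreutils layout: "<hex>  <filename>" or "<hex> *<filename>" (binary marker).
GNU_LINE = re.compile(r"^(?P<hex>[0-9a-fA-F]+)\s+\*?(?P<name>\S.*)$")
# BSD "tagged" layout: "SHA256 (<filename>) = <hex>", as used by some CHECKSUM files.
BSD_LINE = re.compile(r"^(?P<algo>SHA256|SHA512) \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]+)$")
HEX_LEN = {"sha256": 64, "sha512": 128}


class ChecksumError(Exception):
    """Raised whenever verification cannot positively succeed."""


def parse_checksum_file(text: str, algo: str) -> Dict[str, str]:
    """Return {filename: hex digest} for the entries of `algo` in a checksum file.

    Non-entry lines (comments, PGP clearsign armour in a signed CHECKSUM file)
    are skipped, as are entries for another algorithm or with a digest of the
    wrong length, so checking a SHA256SUMS file as sha512 yields no entries
    rather than a false match. Two different digests for one name is an error.
    """
    want = HEX_LEN[algo]
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = BSD_LINE.match(line)
        if m and m.group("algo").lower() != algo:
            continue
        if m is None:
            m = GNU_LINE.match(line)
        if m is None or len(m.group("hex")) != want:
            continue
        name, hexd = m.group("name"), m.group("hex").lower()
        if entries.get(name, hexd) != hexd:
            raise ChecksumError(f"conflicting digests listed for {name!r}")
        entries[name] = hexd
    return entries


def digest_file(path: Path, algo: str, chunk: int = 1 << 20) -> str:
    """Stream the file through hashlib so a multi-GiB image is never held in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            h.update(block)
    return h.hexdigest()


def verify_image(image: Path, checksum_text: str, algo: str,
                 upstream_name: Optional[str] = None) -> str:
    """Verify `image` and return its digest; raise ChecksumError on any failure.

    `upstream_name` (assumed parameter) is the filename as the distribution
    lists it, for the case where the cached copy was renamed; it defaults to
    the image's own filename.
    """
    name = upstream_name or image.name
    entries = parse_checksum_file(checksum_text, algo)
    if name not in entries:
        raise ChecksumError(f"no {algo} entry for {name!r} in checksum file")
    actual = digest_file(image, algo)
    if actual != entries[name]:
        raise ChecksumError(f"{algo} mismatch for {image.name}: expected {entries[name]}, got {actual}")
    return actual


def demo() -> Dict[str, bool]:
    """Run the verifier against a constructed image and constructed checksum files."""
    outcome: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "cached-cloud.qcow2"  # constructed stand-in for the cached image
        image.write_bytes(b"constructed image payload\n" * 4096)
        good = hashlib.sha256(image.read_bytes()).hexdigest()
        upstream = "distro-genericcloud-amd64.qcow2"  # constructed upstream filename
        gnu_sums = f"{good}  {upstream}\n{'0' * 64}  {upstream}.raw\n"
        bsd_sums = f"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nSHA256 ({upstream}) = {good}\n"

        outcome["gnu_ok"] = verify_image(image, gnu_sums, "sha256", upstream) == good
        outcome["bsd_ok"] = verify_image(image, bsd_sums, "sha256", upstream) == good
        failing = {
            "tamper_detected": (gnu_sums.replace(good, "f" * 64), "sha256"),  # listed digest altered
            "missing_detected": (f"{'0' * 64}  other.qcow2\n", "sha256"),     # image not listed
            "wrong_algo_detected": (gnu_sums, "sha512"),                      # SHA256SUMS checked as sha512
        }
        for key, (text, algo) in failing.items():
            try:
                verify_image(image, text, algo, upstream)
                outcome[key] = False
            except ChecksumError:
                outcome[key] = True
    return outcome


if __name__ == "__main__":
    print(demo())
```

Whichever form does the comparison, the checksum list only proves the image matches what the same server published; a mirror that can alter the image can alter the list too, so the distribution's signature on the checksum file is what turns this into an integrity check against the publisher rather than against transit errors. Inside the role, get_url's `checksum` parameter also accepts an `<algorithm>:<url>` form that fetches the list itself before placing the file at `dest`; confirm how it matches the listed filename against `cache_name` before relying on it in place of the grep pipeline.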