Fix some regressions + tasks revision
DETAILS: - consolefont: moved to the essential role - unbound: copy the config only after everything else is set up correctly (otherwise the validation will complain that trusted-key.key and the root hints are not in the chroot) - essential: start the dbus service before handling seat management (the elogind and seatd services depend on dbus) - use full paths for commands (avoids a potential polluted-PATH attack) - apk: use '>-' for the package list. See NOTES NOTES: - '|' (literal) keeps every new line as a line break - '>' (folded) produces a single line with a '\n' at the end - '>-' (folded, strip) produces a single line without a trailing line break - '>' (folded scalars) joins all the lines with a space (doesn't preserve numeric, boolean and other non-string types) Check https://adminswerk.de/multi-line-string-yaml-ansible-II/ for some problems with using multi-line variables
This commit is contained in:
parent
cbb85a7a2c
commit
ff28a00140
|
@ -28,7 +28,8 @@ libvirt_daemons:
|
|||
- virtqemud
|
||||
- virtstoraged
|
||||
|
||||
# Secrets encrypted with ansible-vault
|
||||
# Secrets encrypted with ansible-vault ────────────────────────────────────────
|
||||
|
||||
password: '{{ vault_password }}'
|
||||
|
||||
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
---
|
||||
- name: Update grub config
|
||||
command: grub-mkconfig -o /boot/grub/grub.cfg
|
||||
command: /usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
runlevel: boot
|
||||
enabled: yes
|
||||
|
||||
- name: apparmor | Check whether apparmor is presented in grub boot command
|
||||
- name: apparmor | Check whether apparmor kernel parameters is presented in grub
|
||||
lineinfile:
|
||||
backup: yes
|
||||
path: /etc/default/grub
|
||||
|
|
|
@ -1,17 +0,0 @@
|
|||
---
|
||||
- name: consolefont | Change the console font to ter-h22b
|
||||
lineinfile:
|
||||
path: /etc/conf.d/consolefont
|
||||
state: present
|
||||
regexp: '^consolefont='
|
||||
line: 'consolefont="ter-h22b.psf.gz"'
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: consolefont | Start consolefont service on runlevel 'boot'
|
||||
service:
|
||||
name: consolefont
|
||||
runlevel: boot
|
||||
enabled: yes
|
||||
state: started
|
|
@ -1,3 +1,3 @@
|
|||
#!/bin/sh
|
||||
|
||||
btrfs scrub start /
|
||||
/sbin/btrfs scrub start /
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/sh
|
||||
|
||||
find /var/tmp -type d -mindepth 1 -ctime +7 -exec rm -rf {} \;
|
||||
find /var/tmp -mindepth 1 -ctime +7 -exec rm -rf {} \;
|
||||
/usr/bin/find /var/tmp -type d -mindepth 1 -ctime +7 -exec rm -rf {} \;
|
||||
/usr/bin/find /var/tmp -mindepth 1 -ctime +7 -exec rm -rf {} \;
|
||||
|
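Review bot: In both new find lines `rm` is still resolved through PATH while `find` itself was changed to `/usr/bin/find`, so the goal this commit states (no PATH-dependent lookups in privileged scripts) is only half met here; write `-exec /bin/rm -rf {} \;` in both commands. The first command also removes directories with `rm -rf` while find is still descending into them, which typically produces "No such file or directory" noise, and since the second command already matches directories too, the first one looks redundant — if it is kept, adding `-prune` after the action (`-exec /bin/rm -rf {} \; -prune`) stops find from entering a directory it has just deleted. Note that GNU find warns when `-mindepth` follows `-type d`; busybox find is more tolerant, but `-mindepth 1 -type d` is the portable order.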
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
- name: Regenerate initramfs
|
||||
command: 'mkinitfs -c /etc/mkinitfs/mkinitfs.conf {{ ansible_kernel }}'
|
||||
command: '/sbin/mkinitfs -c /etc/mkinitfs/mkinitfs.conf {{ ansible_kernel }}'
|
||||
|
||||
- name: Load custom sysctl settings
|
||||
command: sysctl -p /etc/sysctl.d/custom.conf
|
||||
command: /sbin/sysctl -p /etc/sysctl.d/custom.conf
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
|
||||
- name: essential | Install common dependencies
|
||||
apk:
|
||||
name: >
|
||||
name: >-
|
||||
doas, nftables, zstd, fish, dbus, terminus-font, apparmor-profiles,
|
||||
apparmor, openresolv, libvirt-daemon, qemu-img, qemu-system-x86_64,
|
||||
qemu-modules, shadow-login, unbound, dns-root-hints
|
||||
|
@ -17,6 +17,14 @@
|
|||
update_cache: yes
|
||||
state: present
|
||||
|
||||
- name: essential | Start some services on runlevel 'default'
|
||||
service:
|
||||
name: '{{ item }}'
|
||||
runlevel: default
|
||||
enabled: yes
|
||||
state: started
|
||||
loop: [ dbus, ntpd, cgroups ]
|
||||
|
||||
- block:
|
||||
- name: essential | Install elogind and polkit-elogind
|
||||
apk:
|
||||
|
@ -84,17 +92,9 @@
|
|||
state: started
|
||||
when: seat_manager == 'seatd'
|
||||
|
||||
- name: essential | Start other services on runlevel 'default'
|
||||
service:
|
||||
name: '{{ item }}'
|
||||
runlevel: default
|
||||
enabled: yes
|
||||
state: started
|
||||
loop: [ dbus, ntpd, cgroups ]
|
||||
|
||||
- name: essential | Setup eudev
|
||||
command:
|
||||
cmd: setup-udev
|
||||
cmd: /sbin/setup-udev
|
||||
creates: /etc/runlevels/sysinit/udev
|
||||
|
||||
- name: essential | Change the default motd
|
||||
|
@ -137,7 +137,7 @@
|
|||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: sysctl | Create a custom sysctl file
|
||||
- name: essential | Create a custom sysctl file
|
||||
copy:
|
||||
src: custom.conf
|
||||
dest: /etc/sysctl.d/custom.conf
|
||||
|
@ -145,3 +145,20 @@
|
|||
group: root
|
||||
mode: 0644
|
||||
notify: Load custom sysctl settings
|
||||
|
||||
- name: essential | Change the console font to ter-h22b
|
||||
lineinfile:
|
||||
path: /etc/conf.d/consolefont
|
||||
state: present
|
||||
regexp: '^consolefont='
|
||||
line: 'consolefont="ter-h22b.psf.gz"'
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: essential | Start consolefont service on runlevel 'boot'
|
||||
service:
|
||||
name: consolefont
|
||||
runlevel: boot
|
||||
enabled: yes
|
||||
state: started
|
||||
|
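Review bot: The `name: >-` change in the first hunk fixes a regression whose reason lives only in the commit message; the playbook itself gives no hint why the folded-strip style matters for this value, so the next cleanup may well revert it. A comment above the `apk:` call would anchor it, e.g. `# '>-' folds the list into one line with no trailing newline; with '>' the value ends in '\n' and the last package name is corrupted` (the YAML part is certain, the apk failure mode is taken from the commit notes and should be confirmed). In the last hunk, the `lineinfile` task that sets the console font does not notify anything, so on a host where consolefont is already running the new font presumably only takes effect at the next boot — a handler restarting the service when the file changes would make the task converge in one run. The tasks in that hunk are complete; the surrounding file continues outside the hunks shown.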
|
|
@ -27,7 +27,7 @@
|
|||
# Busybox's mount doesn't interpret group name in GID, so check it
|
||||
# wheel group on Alpine by default has GID=10
|
||||
- name: fstab | Check GID of group {{ proc_group }}
|
||||
shell: getent group {{ proc_group }} | awk -F':' '{print $3}'
|
||||
shell: /usr/bin/getent group {{ proc_group }} | awk -F':' '{print $3}'
|
||||
register: proc_gid
|
||||
|
||||
- name: fstab | Restrict read access on /proc for {{ proc_group }} group
|
||||
|
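Review bot: `awk` on the new `shell:` line is still looked up through PATH while `getent` was given a full path, so the polluted-PATH concern this commit addresses remains for the second half of the pipeline; give it an absolute path too (on a busybox-based host that is likely `/usr/bin/awk`, but confirm where the binary actually lives). The task is read-only yet uses `shell` without `changed_when`, so every run reports it as changed; add `changed_when: false` next to `register: proc_gid`. The following task's body continues outside the hunk.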
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
- name: libvirt | Allow IPv6 RA passthrough to libvirt NAT
|
||||
- name: libvirt | Allow IPv6 RA passthrough for libvirt NAT
|
||||
lineinfile:
|
||||
path: /etc/sysctl.d/custom.conf
|
||||
owner: root
|
||||
|
|
|
@ -1,13 +1,4 @@
|
|||
---
|
||||
- name: unbound | Copy unbound config
|
||||
template:
|
||||
src: unbound.j2
|
||||
dest: /etc/unbound/unbound.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
validate: unbound-checkconf %s
|
||||
|
||||
- name: unbound | Create /dev directory inside unbound chroot
|
||||
file:
|
||||
path: /etc/unbound/dev
|
||||
|
@ -20,7 +11,7 @@
|
|||
# copy module doesn't seem to work
|
||||
- name: unbound | Copy needed devices to unbound chroot
|
||||
command:
|
||||
cmd: cp -a /dev/random /dev/urandom /dev/null /etc/unbound/dev/
|
||||
cmd: /bin/cp -a /dev/random /dev/urandom /dev/null /etc/unbound/dev/
|
||||
creates: /etc/unbound/dev/random
|
||||
|
||||
# unbound user needs write permission to the anchor file, and also for the
|
||||
|
@ -48,7 +39,7 @@
|
|||
group: unbound
|
||||
mode: 0644
|
||||
|
||||
- name: unbound | Check package facts
|
||||
- name: unbound | Gather package facts
|
||||
package_facts:
|
||||
manager: 'apk'
|
||||
|
||||
|
@ -77,7 +68,7 @@
|
|||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: unbound | Inject cp command to dns-root-hints cron job
|
||||
- name: unbound | Let dns-root-hints cron job copy root hints to unbound chroot
|
||||
blockinfile:
|
||||
path: /etc/periodic/monthly/dns-root-hints
|
||||
block: |
|
||||
|
@ -94,6 +85,15 @@
|
|||
group: root
|
||||
mode: 0755
|
||||
|
||||
- name: unbound | Copy unbound config
|
||||
template:
|
||||
src: unbound.j2
|
||||
dest: /etc/unbound/unbound.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
validate: /usr/sbin/unbound-checkconf %s
|
||||
|
||||
- name: unbound | Add unbound service to runlevel 'default'
|
||||
service:
|
||||
name: unbound
|
||||
|
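Review bot: In the second hunk, `creates: /etc/unbound/dev/random` guards a command that copies three device nodes, so a chroot that still has `random` but lost `urandom` or `null` is never repaired — the task is skipped because its single marker file exists. Looping over the device names with a per-item `creates` makes each node converge independently; note that `null` must be quoted in the loop list, otherwise YAML turns it into a null value. The reason for not using the copy module ("doesn't seem to work") is worth stating precisely in the comment once it is known, since the next reader will be tempted to try it again. The surrounding tasks continue outside the hunk.
```yaml
- name: unbound | Copy needed devices to unbound chroot
  command:
    cmd: '/bin/cp -a /dev/{{ item }} /etc/unbound/dev/'
    creates: '/etc/unbound/dev/{{ item }}'
  loop: ['random', 'urandom', 'null']
# … unchanged: anchor file permissions …
```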
|
|
@ -72,7 +72,7 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
validate: doas -C %s
|
||||
validate: /usr/bin/doas -C %s
|
||||
|
||||
- name: user | Add pam_limits rules for audio group for running realtime processes
|
||||
copy:
|
||||
|
|