Add alma linux template generation

ansible/packer.yml

@@ -3,11 +3,14 @@
   hosts: default
   become: true
   roles:
+    - role: dnf
+      when: ansible_facts['os_family'] == "RedHat"
     - auditd
     - fail2ban
     - journald
     - sshd
-    - timesyncd
+    - role: timesyncd
+      when: ansible_facts['os_family'] == "Ubuntu"
   post_tasks:
     - name: Clean cloud-init
       ansible.builtin.command: "cloud-init clean"

ansible/roles/auditd/tasks/main.yml

@@ -6,6 +6,16 @@
   notify:
     - Start auditd
     - Enable auditd
+  when: ansible_facts['os_family'] == "Debian"
+
+- name: Install audit
+  ansible.builtin.dnf:
+    name: audit
+    state: latest
+  notify:
+    - Start auditd
+    - Enable auditd
+  when: ansible_facts['os_family'] == "RedHat"
 
 - name: Add rules
   ansible.builtin.copy:

ansible/roles/dnf/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Upgrade all packages
+  ansible.builtin.dnf:
+    name: "*"
+    state: latest
+
+- name: Install epel
+  ansible.builtin.dnf:
+    name: "epel-release"
+    state: "latest"

ansible/roles/fail2ban/files/sshd.conf

@@ -1,4 +0,0 @@
-[sshd]
-enabled = true
-bantime = -1
-maxretry = 3

ansible/roles/fail2ban/tasks/main.yml

@@ -3,10 +3,17 @@
   ansible.builtin.apt:
     name: "fail2ban"
     state: latest
+  when: ansible_facts['os_family'] == "Debian"
+
+- name: Install fail2ban
+  ansible.builtin.dnf:
+    name: "fail2ban"
+    state: latest
+  when: ansible_facts['os_family'] == "RedHat"
 
 - name: Copy sshd.conf
-  ansible.builtin.copy:
-    src: 'sshd.conf'
+  ansible.builtin.template:
+    src: 'sshd.conf.j2'
     dest: '/etc/fail2ban/jail.d/sshd.conf'
     mode: "0640"
   notify:

ansible/roles/fail2ban/templates/sshd.conf.j2

@@ -0,0 +1,8 @@
+[sshd]
+enabled = true
+bantime = -1
+maxretry = 3
+{% if ansible_facts['os_family'] == "RedHat" %}
+backend = systemd
+banaction = firewallcmd-ipset
+{% endif %}

packer/alma/alma-9.pkr.hcl

@@ -0,0 +1,115 @@
+packer {
+  required_plugins {
+    name = {
+      version = "~> 1"
+      source  = "github.com/hashicorp/proxmox"
+    }
+    ansible = {
+      version = "~> 1"
+      source = "github.com/hashicorp/ansible"
+    }
+  }
+}
+
+
+variable "proxmox_user" {
+  type = string
+  default = "packer"
+}
+
+variable "proxmox_token" {
+    type = string
+    default = null
+}
+
+variable "proxmox_url" {
+    type = string
+    default = null
+}
+
+variable "grub_password_crypt" {
+    type = string
+    default = null
+}
+
+variable "ssh_password_crypt" {
+    type = string
+    default = null
+}
+
+variable "ssh_password" {
+    type = string
+    default = null
+}
+
+source "proxmox-iso" "alma-9" {
+    http_content = {
+      "/ks.cfg" = templatefile("http/ks.cfg", { grub_password = var.grub_password_crypt, password_crypt = var.ssh_password_crypt })
+    }
+    
+
+    boot_command = [
+      "e<wait><down><down><end>",
+      " inst.ks=http://{{.HTTPIP}}:{{.HTTPPort}}/ks.cfg",
+      "<leftCtrlOn>x<leftCtrlOff>",
+    ]
+
+
+    boot_wait = "10s"
+
+    disks {
+        disk_size         = "10G"
+        storage_pool      = "lab"
+        type              = "virtio"
+    }
+    scsi_controller       = "virtio-scsi-single"
+
+    bios  = "ovmf"
+    efi_config {
+        efi_storage_pool  = "lab"
+        efi_type          = "4m"
+        pre_enrolled_keys = true
+    }
+
+    insecure_skip_tls_verify = true
+
+    iso_checksum            = "af5377a1d16bbe599ea91a8761ad645f2f54687075802bdc0c0703ee610182e9"
+    iso_url                 = "https://repo.almalinux.org/almalinux/9.3/isos/x86_64/AlmaLinux-9.3-x86_64-boot.iso"
+    iso_storage_pool        = "local"
+    iso_download_pve        = true
+    unmount_iso             = true
+    
+    network_adapters {
+        bridge = "vmbr20"
+        model  = "virtio"
+    }
+
+    memory               = 8192
+    cores                = 4
+    cpu_type             = "host"
+    vm_id                = 9001
+
+    node                 = "sorm"
+    username             = "${var.proxmox_user}"
+    token                = "${var.proxmox_token}"
+    proxmox_url          = "${var.proxmox_url}/api2/json"
+    ssh_username         = "root"
+    ssh_password         = "${var.ssh_password}"
+    ssh_timeout          = "15m"
+    template_description = "Alma Linux 9 build by packer on ${timestamp()}"
+    template_name        = "alma-9-r4"
+    cloud_init           = true
+    cloud_init_storage_pool = "local-lvm"
+}
+
+
+build {
+  sources = ["source.proxmox-iso.alma-9"]
+  provisioner "ansible" {
+      ansible_env_vars = ["ANSIBLE_CONFIG=../../ansible/ansible.cfg", "ANSIBLE_HOST_KEY_CHECKING=False", "ANSIBLE_BECOME_PASS=${var.ssh_password}"]
+      extra_arguments  = [ "--scp-extra-args", "'-O'", "-vv", "--extra-vars", "ansible_become_password=${var.ssh_password}" ]
+      command          = "ansible-playbook"
+      roles_path       = "../../ansible/roles"
+      playbook_file    = "../../ansible/packer.yml"
+  }
+}

packer/alma/http/ks.cfg

@@ -0,0 +1,66 @@
+# AlmaLinux 9 kickstart file for Generic Cloud (OpenStack) x86-64-v2 image
+
+url --url https://repo.almalinux.org/almalinux/9/BaseOS/x86_64/kickstart/
+repo --name=BaseOS --baseurl=https://repo.almalinux.org/almalinux/9/BaseOS/x86_64/os/
+repo --name=AppStream --baseurl=https://repo.almalinux.org/almalinux/9/AppStream/x86_64/os/
+
+text
+skipx
+eula --agreed
+firstboot --disabled
+
+lang en_US
+keyboard --xlayouts='us'
+timezone Europe/Brussels --utc
+
+network --bootproto=dhcp
+firewall --enabled --service=ssh
+selinux --enforcing
+
+bootloader --timeout=1 --location=mbr --append="console=tty0 console=ttyS0,115200n8 no_timer_check crashkernel=auto net.ifnames=0" --iscrypted --password=${grub_password}
+
+%pre --erroronfail
+
+parted -s -a optimal /dev/vda -- mklabel gpt
+parted -s -a optimal /dev/vda -- mkpart biosboot 1MiB 2MiB set 1 bios_grub on
+parted -s -a optimal /dev/vda -- mkpart '"EFI System Partition"' fat32 2MiB 202MiB set 2 esp on
+parted -s -a optimal /dev/vda -- mkpart boot xfs 202MiB 714MiB
+parted -s -a optimal /dev/vda -- mkpart root xfs 714MiB 100%
+
+%end
+
+part biosboot --fstype=biosboot --onpart=vda1
+part /boot/efi --fstype=efi --onpart=vda2
+part /boot --fstype=xfs --onpart=vda3
+part / --fstype=xfs --onpart=vda4
+
+rootpw ${password_crypt} --iscrypted
+
+reboot
+
+
+%packages
+@core
+dracut-config-generic
+grub2-pc
+usermode
+qemu-guest-agent
+cloud-init
+-iwl*-firmware
+-cronie
+-chrony
+-mdadm
+
+%end
+
+%addon com_redhat_kdump --disable
+%end
+
+%post --erroronfail
+
+grub2-install --target=i386-pc /dev/vda
+
+# permit root login via SSH with password authetication
+echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/01-permitrootlogin.conf
+
+%end

packer/ubuntu/ubuntu-2204.pkr.hcl

@@ -86,6 +86,7 @@ source "proxmox-iso" "ubuntu-2204" {
 
     memory               = 8192
     cores                = 4
+    cpu_type             = "host"
     vm_id                = 9000
 
     node                 = "sorm"
@@ -105,11 +106,10 @@ source "proxmox-iso" "ubuntu-2204" {
 build {
   sources = ["source.proxmox-iso.ubuntu-2204"]
   provisioner "ansible" {
-      ansible_env_vars = ["ANSIBLE_CONFIG=../ansible/ansible.cfg", "ANSIBLE_HOST_KEY_CHECKING=False", "ANSIBLE_BECOME_PASS=${var.ssh_password}"]
+      ansible_env_vars = ["ANSIBLE_CONFIG=../../ansible/ansible.cfg", "ANSIBLE_HOST_KEY_CHECKING=False", "ANSIBLE_BECOME_PASS=${var.ssh_password}"]
       extra_arguments  = [ "--scp-extra-args", "'-O'", "-vv", "--extra-vars", "ansible_become_password=${var.ssh_password}" ]
       command          = "ansible-playbook"
-      roles_path       = "../ansible/roles"
-      playbook_file    = "../ansible/packer.yml"
+      roles_path       = "../../ansible/roles"
+      playbook_file    = "../../ansible/packer.yml"
   }
-
 }