Add alma linux template generation
This commit is contained in:
parent
f1117e7936
commit
5d1011ed41
11 changed files with 226 additions and 11 deletions
|
@ -3,11 +3,14 @@
|
||||||
hosts: default
|
hosts: default
|
||||||
become: true
|
become: true
|
||||||
roles:
|
roles:
|
||||||
|
- role: dnf
|
||||||
|
when: ansible_facts['os_family'] == "RedHat"
|
||||||
- auditd
|
- auditd
|
||||||
- fail2ban
|
- fail2ban
|
||||||
- journald
|
- journald
|
||||||
- sshd
|
- sshd
|
||||||
- timesyncd
|
- role: timesyncd
|
||||||
|
when: ansible_facts['os_family'] == "Ubuntu"
|
||||||
post_tasks:
|
post_tasks:
|
||||||
- name: Clean cloud-init
|
- name: Clean cloud-init
|
||||||
ansible.builtin.command: "cloud-init clean"
|
ansible.builtin.command: "cloud-init clean"
|
||||||
|
|
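Review bot: The guard `when: ansible_facts['os_family'] == "Ubuntu"` on the `timesyncd` role never matches, because Ansible reports Ubuntu hosts with `os_family` `Debian` (the auditd and fail2ban hunks in this same commit use `"Debian"` for their apt tasks), so time synchronization is silently skipped on the Ubuntu template. Use `when: ansible_facts['os_family'] == "Debian"` to line up with the other roles, or `ansible_facts['distribution'] == "Ubuntu"` if the intent really is Ubuntu-only. The play's header lines above `hosts:` lie outside the hunk.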
|
@ -6,6 +6,16 @@
|
||||||
notify:
|
notify:
|
||||||
- Start auditd
|
- Start auditd
|
||||||
- Enable auditd
|
- Enable auditd
|
||||||
|
when: ansible_facts['os_family'] == "Debian"
|
||||||
|
|
||||||
|
- name: Install audit
|
||||||
|
ansible.builtin.dnf:
|
||||||
|
name: audit
|
||||||
|
state: latest
|
||||||
|
notify:
|
||||||
|
- Start auditd
|
||||||
|
- Enable auditd
|
||||||
|
when: ansible_facts['os_family'] == "RedHat"
|
||||||
|
|
||||||
- name: Add rules
|
- name: Add rules
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
|
|
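--- /dev/null
+++ b/ansible/roles/dnf/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Upgrade all packages
+ansible.builtin.dnf:
+name: "*"
+state: latest
+
+- name: Install epel
+ansible.builtin.dnf:
+name: "epel-release"
+state: "latest"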
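Review bot: The two tasks quote `state` differently (`state: latest` on the upgrade task, `state: "latest"` on the epel task); use one form, e.g. `state: latest`, in both. Worth a comment as well: upgrading `"*"` to `latest` at build time is what makes two builds of the same template differ, so a header such as `# Full upgrade at build time; the package set is whatever the mirrors serve on the build date` tells the next maintainer that this is deliberate rather than an oversight.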
|
@ -1,4 +0,0 @@
|
||||||
[sshd]
|
|
||||||
enabled = true
|
|
||||||
bantime = -1
|
|
||||||
maxretry = 3
|
|
|
@ -3,10 +3,17 @@
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
name: "fail2ban"
|
name: "fail2ban"
|
||||||
state: latest
|
state: latest
|
||||||
|
when: ansible_facts['os_family'] == "Debian"
|
||||||
|
|
||||||
|
- name: Install fail2ban
|
||||||
|
ansible.builtin.dnf:
|
||||||
|
name: "fail2ban"
|
||||||
|
state: latest
|
||||||
|
when: ansible_facts['os_family'] == "RedHat"
|
||||||
|
|
||||||
- name: Copy sshd.conf
|
- name: Copy sshd.conf
|
||||||
ansible.builtin.copy:
|
ansible.builtin.template:
|
||||||
src: 'sshd.conf'
|
src: 'sshd.conf.j2'
|
||||||
dest: '/etc/fail2ban/jail.d/sshd.conf'
|
dest: '/etc/fail2ban/jail.d/sshd.conf'
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
notify:
|
notify:
|
||||||
|
|
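Review bot: The new `Install fail2ban` dnf task depends on EPEL being enabled, since fail2ban is not shipped in the AlmaLinux BaseOS/AppStream repositories; it works here only because `packer.yml` runs the `dnf` role (which installs `epel-release`) before this role. That ordering is implicit, so a `dependencies: [dnf]` entry in this role's `meta/main.yml`, or at least a comment such as `# fail2ban comes from EPEL; the dnf role installs epel-release first`, would make it explicit. The `notify:` list at the end of the hunk continues outside it.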
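--- /dev/null
+++ b/ansible/roles/fail2ban/templates/sshd.conf.j2
@@ -0,0 +1,8 @@
+[sshd]
+enabled = true
+bantime = -1
+maxretry = 3
+{% if ansible_facts['os_family'] == "RedHat" %}
+backend = systemd
+banaction = firewallcmd-ipset
+{% endif %}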
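Review bot: `bantime = -1` makes every ban permanent and the jail sets no `ignoreip`, so three failed attempts from an administrator's own address (or a misconfigured monitoring host) lock that address out of every VM cloned from the template until someone clears the ipset by hand; consider `ignoreip = 127.0.0.1/8 ::1` plus the management network, or a finite `bantime`. On the Debian branch the jail falls back to fail2ban's default backend, which reads `/var/log/auth.log`; if the Ubuntu image relies on journald only, `backend = systemd` may be needed there too — worth confirming. Separately, the file is added with the executable bit set (`Executable file`), which a Jinja template does not need; clear it before merge.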
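--- /dev/null
+++ b/packer/alma/alma-9.pkr.hcl
@@ -0,0 +1,115 @@
+packer {
+required_plugins {
+name = {
+version = "~> 1"
+source = "github.com/hashicorp/proxmox"
+}
+ansible = {
+version = "~> 1"
+source = "github.com/hashicorp/ansible"
+}
+}
+}
+
+
+variable "proxmox_user" {
+type = string
+default = "packer"
+}
+
+variable "proxmox_token" {
+type = string
+default = null
+}
+
+variable "proxmox_url" {
+type = string
+default = null
+}
+
+variable "grub_password_crypt" {
+type = string
+default = null
+}
+
+variable "ssh_password_crypt" {
+type = string
+default = null
+}
+
+variable "ssh_password" {
+type = string
+default = null
+}
+
+source "proxmox-iso" "alma-9" {
+http_content = {
+"/ks.cfg" = templatefile("http/ks.cfg", { grub_password = var.grub_password_crypt, password_crypt = var.ssh_password_crypt })
+}
+
+
+boot_command = [
+"e<wait><down><down><end>",
+" inst.ks=http://{{.HTTPIP}}:{{.HTTPPort}}/ks.cfg",
+"<leftCtrlOn>x<leftCtrlOff>",
+]
+
+
+boot_wait = "10s"
+
+disks {
+disk_size = "10G"
+storage_pool = "lab"
+type = "virtio"
+}
+scsi_controller = "virtio-scsi-single"
+
+bios = "ovmf"
+efi_config {
+efi_storage_pool = "lab"
+efi_type = "4m"
+pre_enrolled_keys = true
+}
+
+insecure_skip_tls_verify = true
+
+iso_checksum = "af5377a1d16bbe599ea91a8761ad645f2f54687075802bdc0c0703ee610182e9"
+iso_url = "https://repo.almalinux.org/almalinux/9.3/isos/x86_64/AlmaLinux-9.3-x86_64-boot.iso"
+iso_storage_pool = "local"
+iso_download_pve = true
+unmount_iso = true
+
+network_adapters {
+bridge = "vmbr20"
+model = "virtio"
+}
+
+memory = 8192
+cores = 4
+cpu_type = "host"
+vm_id = 9001
+
+node = "sorm"
+username = "${var.proxmox_user}"
+token = "${var.proxmox_token}"
+proxmox_url = "${var.proxmox_url}/api2/json"
+ssh_username = "root"
+ssh_password = "${var.ssh_password}"
+ssh_timeout = "15m"
+template_description = "Alma Linux 9 build by packer on ${timestamp()}"
+template_name = "alma-9-r4"
+cloud_init = true
+cloud_init_storage_pool = "local-lvm"
+}
+
+
+build {
+sources = ["source.proxmox-iso.alma-9"]
+provisioner "ansible" {
+ansible_env_vars = ["ANSIBLE_CONFIG=../../ansible/ansible.cfg", "ANSIBLE_HOST_KEY_CHECKING=False", "ANSIBLE_BECOME_PASS=${var.ssh_password}"]
+extra_arguments = [ "--scp-extra-args", "'-O'", "-vv", "--extra-vars", "ansible_become_password=${var.ssh_password}" ]
+command = "ansible-playbook"
+roles_path = "../../ansible/roles"
+playbook_file = "../../ansible/packer.yml"
+}
+}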
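Review bot: `insecure_skip_tls_verify = true` disables certificate verification for the Proxmox API connection, so the `proxmox_token` (and everything else Packer sends) goes to whatever answers at `proxmox_url` without the server being authenticated; prefer `insecure_skip_tls_verify = false` and give Packer a trusted CA or a properly issued certificate for the node. In the ansible provisioner the build password is also passed twice: `ANSIBLE_BECOME_PASS` in `ansible_env_vars` already covers become, while the `--extra-vars "ansible_become_password=..."` pair puts the same secret on the command line, where it shows up in process listings and, with `-vv`, in the build log — drop the extra-vars pair. The `ubuntu-2204` provisioner at the bottom of this commit has the same doubled password handling. Finally, the first `required_plugins` entry is keyed `name` while its source is `github.com/hashicorp/proxmox`; keying it `proxmox = {` matches the plugin's short name and the usual convention — worth confirming with `packer init` that the current key resolves.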
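--- /dev/null
+++ b/packer/alma/http/ks.cfg
@@ -0,0 +1,66 @@
+# AlmaLinux 9 kickstart file for Generic Cloud (OpenStack) x86-64-v2 image
+
+url --url https://repo.almalinux.org/almalinux/9/BaseOS/x86_64/kickstart/
+repo --name=BaseOS --baseurl=https://repo.almalinux.org/almalinux/9/BaseOS/x86_64/os/
+repo --name=AppStream --baseurl=https://repo.almalinux.org/almalinux/9/AppStream/x86_64/os/
+
+text
+skipx
+eula --agreed
+firstboot --disabled
+
+lang en_US
+keyboard --xlayouts='us'
+timezone Europe/Brussels --utc
+
+network --bootproto=dhcp
+firewall --enabled --service=ssh
+selinux --enforcing
+
+bootloader --timeout=1 --location=mbr --append="console=tty0 console=ttyS0,115200n8 no_timer_check crashkernel=auto net.ifnames=0" --iscrypted --password=${grub_password}
+
+%pre --erroronfail
+
+parted -s -a optimal /dev/vda -- mklabel gpt
+parted -s -a optimal /dev/vda -- mkpart biosboot 1MiB 2MiB set 1 bios_grub on
+parted -s -a optimal /dev/vda -- mkpart '"EFI System Partition"' fat32 2MiB 202MiB set 2 esp on
+parted -s -a optimal /dev/vda -- mkpart boot xfs 202MiB 714MiB
+parted -s -a optimal /dev/vda -- mkpart root xfs 714MiB 100%
+
+%end
+
+part biosboot --fstype=biosboot --onpart=vda1
+part /boot/efi --fstype=efi --onpart=vda2
+part /boot --fstype=xfs --onpart=vda3
+part / --fstype=xfs --onpart=vda4
+
+rootpw ${password_crypt} --iscrypted
+
+reboot
+
+
+%packages
+@core
+dracut-config-generic
+grub2-pc
+usermode
+qemu-guest-agent
+cloud-init
+-iwl*-firmware
+-cronie
+-chrony
+-mdadm
+
+%end
+
+%addon com_redhat_kdump --disable
+%end
+
+%post --erroronfail
+
+grub2-install --target=i386-pc /dev/vda
+
+# permit root login via SSH with password authetication
+echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/01-permitrootlogin.conf
+
+%end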
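Review bot: The `%post` section writes `PermitRootLogin yes` into `/etc/ssh/sshd_config.d/01-permitrootlogin.conf`, which together with `rootpw` leaves password root login over SSH enabled in every VM cloned from the template, not only during the Packer build. Unless the `sshd` role run from `packer.yml` already removes that drop-in (its tasks are not part of this commit), add a task that deletes it (`ansible.builtin.file` with `state: absent`) before the `cloud-init clean` post task, and say so in a comment next to the `echo` line, e.g. `# build-time only; removed by the sshd role before the template is finalised`. The `%packages` list also excludes `chrony` and installs no other NTP client, while the `timesyncd` role in `packer.yml` is gated on `os_family == "Ubuntu"`, so the Alma image appears to ship without any time synchronization — confirm whether another role provides one. The comment on the `echo` line also misspells `authetication`.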
|
@ -86,6 +86,7 @@ source "proxmox-iso" "ubuntu-2204" {
|
||||||
|
|
||||||
memory = 8192
|
memory = 8192
|
||||||
cores = 4
|
cores = 4
|
||||||
|
cpu_type = "host"
|
||||||
vm_id = 9000
|
vm_id = 9000
|
||||||
|
|
||||||
node = "sorm"
|
node = "sorm"
|
||||||
|
@ -105,11 +106,10 @@ source "proxmox-iso" "ubuntu-2204" {
|
||||||
build {
|
build {
|
||||||
sources = ["source.proxmox-iso.ubuntu-2204"]
|
sources = ["source.proxmox-iso.ubuntu-2204"]
|
||||||
provisioner "ansible" {
|
provisioner "ansible" {
|
||||||
ansible_env_vars = ["ANSIBLE_CONFIG=../ansible/ansible.cfg", "ANSIBLE_HOST_KEY_CHECKING=False", "ANSIBLE_BECOME_PASS=${var.ssh_password}"]
|
ansible_env_vars = ["ANSIBLE_CONFIG=../../ansible/ansible.cfg", "ANSIBLE_HOST_KEY_CHECKING=False", "ANSIBLE_BECOME_PASS=${var.ssh_password}"]
|
||||||
extra_arguments = [ "--scp-extra-args", "'-O'", "-vv", "--extra-vars", "ansible_become_password=${var.ssh_password}" ]
|
extra_arguments = [ "--scp-extra-args", "'-O'", "-vv", "--extra-vars", "ansible_become_password=${var.ssh_password}" ]
|
||||||
command = "ansible-playbook"
|
command = "ansible-playbook"
|
||||||
roles_path = "../ansible/roles"
|
roles_path = "../../ansible/roles"
|
||||||
playbook_file = "../ansible/packer.yml"
|
playbook_file = "../../ansible/packer.yml"
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|