Initial import; migrate some roles from irl.wip

2025-10-31 22:36:32 +00:00 · 2025-10-31 22:36:32 +00:00 · 2ba6c6691b
commit 2ba6c6691b
44 changed files with 1573 additions and 0 deletions
--- a/roles/baseline/tasks/disk_partitions.yml
+++ b/roles/baseline/tasks/disk_partitions.yml
@ -0,0 +1,160 @@
+---
+- name: Disk Partitions | PRELIM | Ensure baseline_home_luks_passphrase is defined
+  ansible.builtin.assert:
+    that:
+      - baseline_home_luks_passphrase is defined
+    msg: "Variable 'baseline_home_luks_passphrase' must be defined."
+
+- name: Disk Partitions | PRELIM | Ensure baseline_second_disk_device is defined
+  ansible.builtin.assert:
+    that:
+      - baseline_second_disk_device is defined
+    msg: "Variable 'baseline_second_disk_device' must be defined."
+
+- name: Disk Partitions | PATCH | Ensure lvm2 is installed
+  ansible.builtin.package:
+    name: lvm2
+    state: present
+
+- name: Disk Partitions | PATCH | Create LVM partition spanning entire disk
+  community.general.parted:
+    device: "{{ baseline_second_disk_device }}"
+    number: 1
+    flags: [ lvm ]
+    state: present
+    part_start: "0%"
+    part_end: "100%"
+
+- name: Disk Partitions | PATCH | Create volume group
+  community.general.lvg:
+    vg: "{{ baseline_second_disk_vg_name }}"
+    pvs: "{{ baseline_second_disk_device }}1"
+
+- name: Disk Partitions | PATCH | Create /var logical volume
+  community.general.lvol:
+    vg: "{{ baseline_second_disk_vg_name }}"
+    lv: var
+    size: "{{ baseline_second_disk_var_size }}"
+
+- name: Disk Partitions | PATCH | Create /var/log logical volume
+  community.general.lvol:
+    vg: "{{ baseline_second_disk_vg_name }}"
+    lv: var_log
+    size: "{{ baseline_second_disk_var_log_size }}"
+
+- name: Disk Partitions | PATCH | Create /var/log/audit logical volume
+  community.general.lvol:
+    vg: "{{ baseline_second_disk_vg_name }}"
+    lv: var_log_audit
+    size: "{{ baseline_second_disk_var_log_audit_size }}"
+
+- name: Disk Partitions | PATCH | Create /var/tmp logical volume
+  community.general.lvol:
+    vg: "{{ baseline_second_disk_vg_name }}"
+    lv: var_tmp
+    size: "{{ baseline_second_disk_var_tmp_size }}"
+
+- name: Disk Partitions | PATCH | Create /home logical volume with remaining space
+  community.general.lvol:
+    vg: "{{ baseline_second_disk_vg_name }}"
+    lv: home
+    shrink: false  # make idempotent
+    size: "100%FREE"
+
+- name: Disk Partitions | PATCH | Ensure cryptsetup is installed
+  ansible.builtin.package:
+    name: cryptsetup
+    state: present
+
+- name: Disk Partitions | PATCH | Encrypt /home with LUKS2 and provided passphrase
+  community.crypto.luks_device:
+    device: "/dev/{{ baseline_second_disk_vg_name }}/home"
+    state: present
+    passphrase: "{{ baseline_home_luks_passphrase }}"
+    type: luks2
+
+- name: Disk Partitions | PATCH | Open LUKS device
+  community.crypto.luks_device:
+    device: "/dev/{{ baseline_second_disk_vg_name }}/home"
+    name: home_crypt
+    state: opened
+    passphrase: "{{ baseline_home_luks_passphrase }}"
+
+- name: Disk Partitions | PATCH | Add /home logical volume to crypttab
+  community.general.crypttab:
+    backing_device: /dev/mapper/datavg-home
+    name: home_crypt
+    opts: discard
+    state: present
+
+- name: Disk Partitions | PATCH | Create xfs filesystems on new partitions
+  community.general.filesystem:
+    dev: "{{ item }}"
+    fstype: xfs
+  with_items:
+    - /dev/mapper/datavg-var
+    - /dev/mapper/datavg-var_log
+    - /dev/mapper/datavg-var_log_audit
+    - /dev/mapper/datavg-var_tmp
+    - /dev/mapper/home_crypt
+
+- name: Disk Partitions | AUDIT | Check if /home is mounted
+  ansible.builtin.command:
+    cmd: mountpoint -q /home
+  register: baseline_second_disk_home_mounted
+  changed_when: false
+  failed_when: false
+
+- name: Disk Partitions | AUDIT | Check if /home is empty
+  ansible.builtin.command:
+    cmd: ls -A /home
+  register: baseline_second_disk_home_files
+  when: baseline_second_disk_home_mounted.rc != 0
+  changed_when: false
+
+- name: Disk Partitions | AUDIT | Fail if /home is not mounted and not empty
+  ansible.builtin.assert:
+    that:
+      - ((baseline_second_disk_home_files.skipped is defined) and baseline_second_disk_home_files.skipped) or (baseline_second_disk_home_files.stdout == "")
+
+- name: Disk Partitions | PATCH | Ensure /home is mounted
+  ansible.posix.mount:
+    src: "/dev/mapper/home_crypt"
+    path: '/home'
+    fstype: 'xfs'
+    opts: 'rw,nosuid,nodev'
+    state: mounted
+
+- name: Disk Partitions | AUDIT | Check if /var is mounted
+  ansible.builtin.command:
+    cmd: mountpoint -q /var
+  register: baseline_second_disk_var_mounted
+  changed_when: false
+  failed_when: false
+
+- name: Disk Partitions | PATCH | Migrate content if /var is not mounted
+  when: baseline_second_disk_var_mounted.rc != 0
+  block:
+    - name: Disk Partitions | PATCH | Enter emergency mode
+      ansible.builtin.command:
+        cmd: systemctl isolate emergency.target
+
+    - name: Disk Partitions | PATCH | Unmount /var/lib/nfs/rpc_pipefs if mounted
+      ansible.posix.mount:
+        path: /var/lib/nfs/rpc_pipefs
+        state: unmounted
+
+    - name: Disk Partitions | PATCH | Migrate data to new partitions
+      ansible.builtin.include_tasks:
+        file: disk_partitions_migrate.yml
+      vars:
+        baseline_second_disk_migrate_path: "{{ item }}"
+      with_items:
+        - "/var"
+        - "/var/log"
+        - "/var/log/audit"
+        - "/var/tmp"
+
+    - name: Disk Partitions | PATCH | Restore default mode
+      ansible.builtin.command:
+        cmd: systemctl isolate default.target