Initial import; migrate some roles from irl.wip

2025-10-31 22:36:32 +00:00 · 2025-10-31 22:36:32 +00:00 · 2ba6c6691b
commit 2ba6c6691b
44 changed files with 1573 additions and 0 deletions
--- a/roles/baseline/tasks/main.yml
+++ b/roles/baseline/tasks/main.yml
@ -0,0 +1,103 @@
+---
+- name: Baseline | PRELIM | Check for supported operating system
+  ansible.builtin.assert:
+    that:
+      - ansible_distribution == "Rocky"
+      - ansible_distribution_major_version == "9"
+
+- name: Baseline | PRELIM | Include location specific variables
+  ansible.builtin.include_vars:
+    file: "{{ baseline_location }}.yml"
+
+- name: Baseline | PATCH | Configure virtual machine for optimal operation as a SolusVM guest
+  ansible.builtin.include_tasks:
+    file: "solusvm.yml"
+  when: baseline_host_type == "solusvm"
+
+- name: Baseline | PATCH | Setup second disk for additional partitions
+  ansible.builtin.include_tasks:
+    file: disk_partitions.yml
+  when: baseline_second_disk_device is defined
+
+- name: Baseline | PATCH | Enable EPEL repository
+  block:
+    - name: Baseline | PATCH | Install epel-release
+      ansible.builtin.dnf:
+        name: epel-release
+        state: present
+    - name: Baseline | PATCH | Restrict packages to be installed from EPEL
+      community.general.ini_file:
+        path: /etc/yum.repos.d/epel.repo
+        section: epel
+        option: includepkgs
+        value: "{{ baseline_epel_packages_allowed | join(',') }}"
+    - name: Baseline | PATCH | Disable EPEL openh264 repository
+      community.general.ini_file:
+        path: /etc/yum.repos.d/epel-cisco-openh264.repo
+        section: epel-cisco-openh264
+        option: enabled
+        value: 0
+  when: (baseline_epel_packages_allowed is defined) and (baseline_epel_packages_allowed | length > 0)
+
+- name: Baseline | PATCH | Remove EPEL repository
+  ansible.builtin.dnf:
+    name: epel-release
+    state: absent
+  when: (baseline_epel_packages_allowed is not defined) or (baseline_epel_packages_allowed | length == 0)
+
+- name: Baseline | PATCH | Remove cockpit-ws
+  ansible.builtin.dnf:
+    name: cockpit-ws
+    state: absent
+
+- name: Baseline | PATCH | Flush handlers
+  ansible.builtin.meta: flush_handlers
+
+- name: Baseline | PATCH | Run Ansible Lockdown role
+  ansible.builtin.include_tasks:
+    file: "lockdown.yml"
+  when: baseline_lockdown
+
+- name: Baseline | PATCH | Ensure message of the day is configured properly (CIS 1.7.1, 1.7.4)
+  ansible.builtin.template:
+    src: motd.j2
+    dest: /etc/motd
+    owner: root
+    group: root
+    mode: 'u-x,go-wx'
+
+- name: Baseline | PATCH | Remove dhcpv6-client service from firewalld
+  ansible.posix.firewalld:
+    service: dhcpv6-client
+    state: disabled
+    immediate: true
+    permanent: true
+    zone: public
+
+- name: Baseline | PATCH | Remove mdns service from firewalld
+  ansible.posix.firewalld:
+    service: mdns
+    state: disabled
+    immediate: true
+    permanent: true
+    zone: public
+
+- name: Baseline | PATCH | Remove cockpit service from firewalld
+  ansible.posix.firewalld:
+    service: cockpit
+    state: disabled
+    immediate: true
+    permanent: true
+    zone: public
+
+- name: Baseline | PATCH | Configure DNS resolver
+  ansible.builtin.include_tasks:
+    file: dns_resolver.yml
+
+- name: Baseline | PATCH | Flush handlers
+  ansible.builtin.meta: flush_handlers
+
+- name: Baseline | PATCH | Join IPA Domain
+  ansible.builtin.include_tasks:
+    file: ipaclient.yml
+  when: "'ipaservers' not in group_names"