---
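# Fail fast on anything other than Rocky Linux 9: every task below assumes
# dnf, firewalld, EPEL for EL9 and the CIS item numbers cited in task names.
# `ansible_distribution_major_version` is a string fact, hence the quoted "9".
# A `fail_msg` is added so the reason is visible in the play output instead
# of a bare "Assertion failed".
- name: Baseline | PRELIM | Check for supported operating system
  ansible.builtin.assert:
    that:
      - ansible_distribution == "Rocky"
      - ansible_distribution_major_version == "9"
    fail_msg: >-
      This baseline supports Rocky Linux 9 only, found
      {{ ansible_distribution }} {{ ansible_distribution_major_version }}
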
# Load the per-location variable file `<baseline_location>.yml` (resolved
# relative to the role's vars/ directory when this runs from a role).
# NOTE(review): the variable is interpolated straight into a file path with
# no check that it is a single bare name, so it must only ever come from
# controlled inventory/group vars.
- name: Baseline | PRELIM | Include location specific variables
  ansible.builtin.include_vars:
    file: '{{ baseline_location }}.yml'

# Guest tuning for SolusVM-hosted VMs; the actual changes live in
# solusvm.yml (not shown here) and are skipped for any other host type.
- name: Baseline | PATCH | Configure virtual machine for optimal operation as a SolusVM guest
  ansible.builtin.include_tasks:
    file: solusvm.yml
  when: baseline_host_type == 'solusvm'

# Only runs when the inventory names a second block device; the layout is
# driven by disk_partitions.yml (not shown here). Partitioning is presumably
# destructive, so `baseline_second_disk_device` must point at the spare
# disk and never at the OS disk.
- name: Baseline | PATCH | Setup second disk for additional partitions
  ansible.builtin.include_tasks:
    file: 'disk_partitions.yml'
  when: baseline_second_disk_device is defined

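# EPEL is only enabled when an explicit allow-list of packages exists. The
# list is written into the [epel] section as `includepkgs`, so dnf will not
# resolve anything else from EPEL even if a later task asks for it
# (supply-chain control). The guard uses `default([])` so an undefined and
# an empty list are handled the same way, which is also what the removal
# task after this block keys on.
# NOTE(review): only the [epel] section is restricted; the other repo files
# epel-release ships (epel-testing etc.) are left as shipped, presumably
# disabled — confirm on a fresh install.
- name: Baseline | PATCH | Enable EPEL repository
  block:
    - name: Baseline | PATCH | Install epel-release
      ansible.builtin.dnf:
        name: epel-release
        state: present

    # Restrict the repo to the allow-list from the location/group vars.
    - name: Baseline | PATCH | Restrict packages to be installed from EPEL
      community.general.ini_file:
        path: /etc/yum.repos.d/epel.repo
        section: epel
        option: includepkgs
        value: "{{ baseline_epel_packages_allowed | join(',') }}"

    # epel-release also drops in the third-party (Cisco-hosted) openh264
    # repo; the baseline does not want packages from there.
    - name: Baseline | PATCH | Disable EPEL openh264 repository
      community.general.ini_file:
        path: /etc/yum.repos.d/epel-cisco-openh264.repo
        section: epel-cisco-openh264
        option: enabled
        value: '0'
  when: baseline_epel_packages_allowed | default([]) | length > 0
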
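# Inverse of the enable block: with no allow-list there is no reason to keep
# the EPEL repo definition on the host. `default([])` makes "undefined" and
# "empty list" equivalent (same as `is not defined or length == 0`).
# NOTE(review): removing epel-release does not uninstall packages that were
# already installed from EPEL; they simply stop receiving updates.
- name: Baseline | PATCH | Remove EPEL repository
  ansible.builtin.dnf:
    name: epel-release
    state: absent
  when: baseline_epel_packages_allowed | default([]) | length == 0
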
# The Cockpit web console listener is not part of the baseline; the matching
# firewalld service entry is dropped further down in this file.
- name: Baseline | PATCH | Remove cockpit-ws
  ansible.builtin.dnf:
    state: absent
    name: cockpit-ws

# Run any handlers notified by the tasks above (including the included
# files) now, before the lockdown tasks are applied, rather than at the end
# of the play.
- name: Baseline | PATCH | Flush handlers
  ansible.builtin.meta: flush_handlers

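# Hand off to the Ansible Lockdown tasks in lockdown.yml (not shown here).
# `| bool` is added so that a string value such as `-e baseline_lockdown=false`
# from the command line is not treated as truthy by the Jinja `if`; a real
# boolean behaves exactly as before, and an undefined variable still fails
# the play.
- name: Baseline | PATCH | Run Ansible Lockdown role
  ansible.builtin.include_tasks:
    file: lockdown.yml
  when: baseline_lockdown | bool
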
# CIS 1.7.1 / 1.7.4: /etc/motd rendered from the role template, owned by
# root:root and not group/world-writable. The symbolic mode only strips
# bits (it appears to mirror the benchmark's `chmod u-x,go-wx` remediation),
# so it never widens an already more restrictive mode.
- name: Baseline | PATCH | Ensure message of the day is configured properly (CIS 1.7.1, 1.7.4)
  ansible.builtin.template:
    dest: /etc/motd
    src: motd.j2
    owner: root
    group: root
    mode: 'u-x,go-wx'

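# Drop the firewalld services the baseline does not want reachable from the
# `public` zone: dhcpv6-client, mdns and cockpit (cockpit-ws itself is removed
# earlier in this file). The three identical tasks are folded into one loop.
# `immediate: true` changes the running configuration as well as the
# permanent one, so firewalld must be running when this task executes
# (NOTE(review): confirm the included tasks/roles guarantee that).
# NOTE(review): only the `public` zone is touched; interfaces bound to another
# zone keep whatever that zone allows.
- name: Baseline | PATCH | Remove unwanted services from firewalld public zone
  ansible.posix.firewalld:
    service: "{{ item }}"
    state: disabled
    immediate: true
    permanent: true
    zone: public
  loop:
    - dhcpv6-client
    - mdns
    - cockpit
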
# Resolver configuration is split out into dns_resolver.yml (not shown here).
# It runs unconditionally; its handlers are flushed right after so the
# resolver is in place before the IPA enrolment that follows.
- name: Baseline | PATCH | Configure DNS resolver
  ansible.builtin.include_tasks:
    file: 'dns_resolver.yml'

# Apply any handlers notified by the resolver tasks (e.g. a service restart)
# before the IPA client enrolment below, which presumably depends on working
# name resolution.
- name: Baseline | PATCH | Flush handlers
  ansible.builtin.meta: flush_handlers

# Enrol every host that is not itself an IPA server; the client steps live in
# ipaclient.yml (not shown here). Members of the `ipaservers` inventory group
# are skipped, presumably because the server install enrols them itself.
- name: Baseline | PATCH | Join IPA Domain
  ansible.builtin.include_tasks:
    file: 'ipaclient.yml'
  when: not ('ipaservers' in group_names)