Add configuration and playbook for virtualization host setup
- Create host variable file for vh-01.alexpires.dev with user, SSH, firewall, and VM configurations. - Update playbook_duo_security.yml to target the 2fa group. - Introduce playbook_virt_host.yml for setting up GPU passthrough on Fedora with QEMU/KVM. - Add required collections to requirements.yml for Podman and Libvirt. - Modify ctrlaltdel.yml to remove existing symlink for ctrl-alt-del.target before masking it. - Enhance users.yml to show warnings for users that could not be removed. - Update Duo Security role to use the correct repository and package names. - Improve login role to handle user UID and group assignments. - Create udev rules template for NVMe devices. - Add blacklist template for VFIO drivers. - Implement domain XML template for virtual machines with detailed configurations. - Update inventory to include vh-01.alexpires.dev in relevant groups. - Refactor cpu_power_monitor.py for improved error handling and modularity.
This commit is contained in:
@@ -12,7 +12,18 @@
|
||||
- CCE-80785-9
|
||||
- systemd
|
||||
|
||||
- name: Disable systemd ctrl-alt-del - RedHat family
|
||||
- name: Remove existing symlink for ctrl-alt-del.target if it exists
|
||||
become: true
|
||||
ansible.builtin.file:
|
||||
path: /etc/systemd/system/ctrl-alt-del.target
|
||||
state: absent
|
||||
when: ansible_os_family == "RedHat"
|
||||
tags:
|
||||
- ctrl-alt-del
|
||||
- CCE-80785-9
|
||||
- systemd
|
||||
|
||||
- name: Mask ctrl-alt-del.target to disable Ctrl+Alt+Del
|
||||
become: true
|
||||
ansible.builtin.systemd:
|
||||
name: ctrl-alt-del.target
|
||||
@@ -25,4 +36,4 @@
|
||||
- ctrl-alt-del
|
||||
- CCE-80785-9
|
||||
- systemd
|
||||
...
|
||||
|
||||
|
||||
@@ -5,13 +5,17 @@
|
||||
name: "{{ item }}"
|
||||
state: absent
|
||||
remove: true
|
||||
loop: "{{ delete_users }}"
|
||||
register: remove_users
|
||||
with_items:
|
||||
- "{{ delete_users }}"
|
||||
failed_when: >
|
||||
remove_users is not success and
|
||||
not ("not removing" in remove_users.msg or
|
||||
"not found" in remove_users.msg)
|
||||
ignore_errors: true
|
||||
tags:
|
||||
- users
|
||||
|
||||
- name: Show warning for users that could not be removed
|
||||
debug:
|
||||
msg: "Could not remove user '{{ item.item }}'. Error: {{ item.msg | default('unknown error') }}"
|
||||
loop: "{{ remove_users.results | selectattr('failed', 'equalto', true) | list }}"
|
||||
when: remove_users is defined
|
||||
tags:
|
||||
- users
|
||||
|
||||
|
||||
@@ -47,9 +47,9 @@
|
||||
- name: Add Duo Source (RedHat)
|
||||
become: true
|
||||
ansible.builtin.yum_repository:
|
||||
name: Duo Security
|
||||
name: duo-security
|
||||
description: Duo Security Repository
|
||||
baseurl: https://pkg.duosecurity.com/RHEL/$releasever/$basearch
|
||||
baseurl: https://pkg.duosecurity.com/Fedora/$releasever/$basearch
|
||||
gpgcheck: true
|
||||
gpgkey: https://duo.com/DUO-GPG-PUBLIC-KEY.asc
|
||||
enabled: true
|
||||
@@ -57,7 +57,7 @@
|
||||
- name: Install Duo Unix Application Integration
|
||||
become: true
|
||||
ansible.builtin.dnf:
|
||||
name: duo-unix
|
||||
name: duo_unix
|
||||
state: present
|
||||
|
||||
- name: Install Duo config
|
||||
|
||||
@@ -11,17 +11,20 @@
|
||||
password: "{{ lookup('env', 'USER_PASSWORD_' + (item.username | upper)) | password_hash('sha512', user_password_salt) }}"
|
||||
state: "{{ 'absent' if item.enabled is defined and not item.enabled else 'present' }}"
|
||||
shell: "{{ item.shell if item.shell is defined else '/bin/bash' }}"
|
||||
groups: "{{ item.groups | default(omit) }}"
|
||||
uid: "{{ item.uid | default(omit) }}"
|
||||
loop: "{{ login_users }}"
|
||||
|
||||
|
||||
- name: Disable password expiration
|
||||
ansible.builtin.command: chage -M -1 "{{ item.username }}"
|
||||
become: yes
|
||||
become: true
|
||||
when: item.password_expiration is defined and not item.password_expiration
|
||||
loop: "{{ login_users }}"
|
||||
|
||||
- name: Disable password login
|
||||
ansible.builtin.command: passwd -d "{{ item.username }}"
|
||||
become: yes
|
||||
become: true
|
||||
when: item.password_disabled is defined and item.password_disabled
|
||||
loop: "{{ login_users }}"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user