From f99b379cccafe3c64a60c1b3771d1c99f46fd15e Mon Sep 17 00:00:00 2001
From: Martijn <12066560+Kipjr@users.noreply.github.com>
Date: Wed, 31 Dec 2025 09:46:53 +0100
Subject: [PATCH 01/48] Add tripwire to the package installation list
---
 tasks/packages/main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tasks/packages/main.yml b/tasks/packages/main.yml
index 4330ab4..9f645df 100644
--- a/tasks/packages/main.yml
+++ b/tasks/packages/main.yml
@@ -81,6 +81,7 @@
 - unattended-upgrades
 - pkg-config
 - powershell
+ - tripwire
 state: present
 - name: Install PWSH
From 36499d5d7875c4b0e9d152f158f07ccfc4f69dde Mon Sep 17 00:00:00 2001
From: Martijn <12066560+Kipjr@users.noreply.github.com>
Date: Sat, 28 Feb 2026 10:53:57 +0100
Subject: [PATCH 02/48] Add recommended partition layout to README
Added recommended partition layout for cloud-init.
---
 README.md | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/README.md b/README.md
index d98ac9d..a3a186d 100644
--- a/README.md
+++ b/README.md
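Review bot: Adding `tripwire` to the apt list installs the binary but nothing in this hunk initialises it, so no baseline database and no site/local keys exist and no integrity check ever runs; as far as this hunk shows the package is inert. On Debian-family systems the key generation is driven by the package's debconf questions, and a non-interactive apt run presumably skips it, so a follow-up task is needed for the control to be effective — an `ansible.builtin.debconf` pre-seed for the passphrases plus a task that runs `tripwire --init` once, ideally gated on the database file not yet existing. Confirm against the rest of tasks/packages/main.yml, which lies outside this hunk; the enclosing apt task itself starts before the hunk.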
@@ -45,4 +45,15 @@ Cloud-Init for Ubuntu Server ### Use Raw: - `https://raw.githubusercontent.com/Kipjr/cloud-init_ubuntu/master/site.yml` +# Recommended partition layout +| Mount Point | Size | Filesystem (Recommended) | Remarks | +| ---------------- | ------------------ | ------------------------ | -------------------------------------------------------------------------------------------------------- | +| `/` | 32 GB | ext4 | Root filesystem. Sufficient for base OS, packages, updates. | +| `/home` | 8 GB | ext4 | User data isolation. | +| `/var` | 8 GB | ext4 | Variable state data. Logs excluded. Monitor space usage. | +| `/var/log` | 8 GB | ext4 | Log isolation to prevent root exhaustion. | +| `/var/log/audit` | 4 GB | ext4 | Dedicated audit trail partition (auditd). Prevents log flooding impact. | +| `/var/tmp` | 1 GB | ext4 | Persistent temp storage across reboots. | +| `/tmp` | 1 GB | ext4 or tmpfs | Ephemeral temp storage. Prefer `tmpfs` if RAM allows. | +| `/opt/data` | x GB + remainder | ext4 or XFS | Primary persistent data storage. | From 7736342fb67354d7fe26a6519c92c21bd9e692b6 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 11:29:22 +0100 Subject: [PATCH 03/48] Update README.md --- README.md | 52 +++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 45 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index a3a186d..2b6831d 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,13 @@ -# cloud-init_ubuntu -[![Ansible](https://github.com/Kipjr/cloud-init_ubuntu/actions/workflows/ansible.yml/badge.svg)](https://github.com/Kipjr/cloud-init_ubuntu/actions/workflows/ansible.yml) +# cloud-init_linux +[![Ansible](https://github.com/Kipjr/cloud-init_linux/actions/workflows/ansible.yml/badge.svg)](https://github.com/Kipjr/cloud-init_linux/actions/workflows/ansible.yml) -Cloud-Init for Ubuntu Server +Cloud-Init for + +`Ubuntu 24.04 LTS Noble Numbat (trixie 13)` + +`Ubuntu 22.04 LTS Jammy Jellyfish (bookworm 12)` + +`Debian 13 (trixie)` # Usage @@ -12,6 +18,7 @@ Cloud-Init for Ubuntu Server { "ansible_become_user": "root", "ansible_become_method": "sudo", + "ubtu22_vm": true, "ubtu22_run_task_disk": true, "ubtu22_run_task_packages": true, @@ -23,7 +30,34 @@ Cloud-Init for Ubuntu Server "ubtu22_portainer_host": true, "ubtu22_run_task_configuration": true, "ubtu22_run_task_security": true, - "ubtu22_runcis": false + "ubtu22_runcis": false, + + "ubtu24_vm": true, + "ubtu24_run_task_disk": true, + "ubtu24_run_task_packages": true, + "ubtu24_pkg_webmin": true, + "ubtu24_pkg_snmp": true, + "ubtu24_run_task_docker": true + "ubtu24_docker_type": "rootless", + "ubtu24_portainer_agent": true, + "ubtu24_portainer_host": true, + "ubtu24_run_task_configuration": true, + "ubtu24_run_task_security": true, + "ubtu24_runcis": false, + + "debian13_vm": true, + "debian13_run_task_disk": true, + "debian13_run_task_packages": true, + "debian13_pkg_webmin": true, + "debian13_pkg_snmp": true, + "debian13_run_task_docker": true + "debian13_docker_type": "rootless", + "debian13_portainer_agent": true, + "debian13_portainer_host": true, + "debian13_run_task_configuration": true, + "debian13_run_task_security": true, + "debian13_runcis": false + } ``` ### Use standalone (Installs Ansible and executes playbook) 
@@ -33,8 +67,12 @@ Cloud-Init for Ubuntu Server ### Use with Proxmox Cloud-Init: - Build template - Do stuff.. - - Use `https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img` as base image. - - Resize image`qemu-img resize jammy-server-cloudimg-amd64.img 8G` + - Use as base image: + - `https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img` + - `https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img` + - Resize image: + - `qemu-img resize jammy-server-cloudimg-amd64.img 8G` + - `qemu-img resize noble-server-cloudimg-amd64.img 8G` - Execute somewhere `./proxmox/new_ci-config.sh` - Store 'ci-config-userdata.yaml' in Proxmox Snippets - Store 'ci-config-vendor.yaml' in Proxmox Snippets @@ -43,7 +81,7 @@ Cloud-Init for Ubuntu Server - `qm set --cicustom "vendor=local:snippets/ci-config-vendor.yaml"` ### Use Raw: -- `https://raw.githubusercontent.com/Kipjr/cloud-init_ubuntu/master/site.yml` +- `https://raw.githubusercontent.com/Kipjr/cloud-init_linux/master/site.yml` # Recommended partition layout | Mount Point | Size | Filesystem (Recommended) | Remarks | From 6e330fdd1ba61874025325bc98a6ea253fa1306c Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 11:30:00 +0100 Subject: [PATCH 04/48] Update GitHub repository URL in playbook --- standalone_ansible_playbook.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/standalone_ansible_playbook.ps1 b/standalone_ansible_playbook.ps1 index d75303d..06f3d3c 100755 --- a/standalone_ansible_playbook.ps1 +++ b/standalone_ansible_playbook.ps1 
@@ -1,7 +1,7 @@ #!/usr/bin/env pwsh param ( - [Parameter(Position=0)][string]$GitHubRepoUrl = "https://github.com/Kipjr/cloud-init_ubuntu", + [Parameter(Position=0)][string]$GitHubRepoUrl = "https://github.com/Kipjr/cloud-init_linux", [Parameter(Position=1)][string]$PlaybookName = "site.yml", [Parameter(Position=2)][string]$WorkingDir = "/tmp", [Parameter(Position=3)][string]$AnsibleArg From 7b43921fa2ffdc271d8bde9ae17bd46b8ca6ed9f Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 11:30:18 +0100 Subject: [PATCH 05/48] Update GitHub repository URL in playbook script --- standalone_ansible_playbook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/standalone_ansible_playbook.sh b/standalone_ansible_playbook.sh index 7d05538..c59297a 100755 --- a/standalone_ansible_playbook.sh +++ b/standalone_ansible_playbook.sh @@ -8,7 +8,7 @@ if [ "$UUID" -eq 0 ]; then exit 1 fi -GITHUB_REPO_URL="${1:-https://github.com/Kipjr/cloud-init_ubuntu}" +GITHUB_REPO_URL="${1:-https://github.com/Kipjr/cloud-init_linux}" PLAYBOOK_NAME="${2:-site.yml}" WORKING_DIR="${3:-/tmp}" ANSIBLE_ARG="${4}" From 419d858a573f3d65b5608442b18b3a5860a471d2 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 11:30:31 +0100 Subject: [PATCH 06/48] Rename Ubuntu Installer to Linux Installer --- site.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site.yml b/site.yml index bac030c..adf156f 100644 --- a/site.yml +++ b/site.yml @@ -1,6 +1,6 @@ --- -- name: Ubuntu Installer +- name: Linux Installer hosts: all gather_facts: true environment: From 7a730e3479e1c57d3e6ce339edf516ba1921f8f8 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 11:31:57 +0100 Subject: [PATCH 07/48] Update URL for standalone Ansible playbook script --- proxmox/ci-config-userdata.template.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/proxmox/ci-config-userdata.template.yaml b/proxmox/ci-config-userdata.template.yaml
index ebd4125..09896c7 100644
--- a/proxmox/ci-config-userdata.template.yaml
+++ b/proxmox/ci-config-userdata.template.yaml
@@ -26,7 +26,7 @@ packages:
 - git
 #runcmd:
 # - sudo -u ${CI_USER} curl https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py && sudo -u ${CI_USER} python3 /tmp/get-pip.py --user
-# - wget -O /run/cloud-init/tmp/script.sh https://raw.githubusercontent.com/Kipjr/cloud-init_ubuntu/master/standalone_ansible_playbook.sh
+# - wget -O /run/cloud-init/tmp/script.sh https://raw.githubusercontent.com/Kipjr/cloud-init_linux/master/standalone_ansible_playbook.sh
 # - chmod +x /run/cloud-init/tmp/script.sh
 # - sudo -iu ${CI_USER} -- /run/cloud-init/tmp/script.sh
 ansible:
From 497a1e673acca9e5a2636e5492489ce74174eb85 Mon Sep 17 00:00:00 2001
From: Martijn <12066560+Kipjr@users.noreply.github.com>
Date: Sun, 1 Mar 2026 11:35:40 +0100
Subject: [PATCH 08/48] Add new requirements for Ubuntu 24 and Debian 12 CIS
---
 roles/requirements.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/roles/requirements.yml b/roles/requirements.yml
index d7cc8fc..9be560b 100644
--- a/roles/requirements.yml
+++ b/roles/requirements.yml
@@ -4,3 +4,11 @@ roles:
 src: https://github.com/ansible-lockdown/UBUNTU22-CIS.git
 version: main
 scm: git
+ - name: ansible-lockdown.ubuntu24-cis
+ src: https://github.com/ansible-lockdown/UBUNTU24-CIS.git
+ version: main
+ scm: git
+ - name: ansible-lockdown.debian12-cis
+ src: https://github.com/ansible-lockdown/DEBIAN12-CIS
+ version: main
+ scm: git
From 54e90a1faeb0c4ef85e259f831c090e5ad360a1a Mon Sep 17 00:00:00 2001
From: Martijn <12066560+Kipjr@users.noreply.github.com>
Date: Sun, 1 Mar 2026 11:38:10 +0100
Subject: [PATCH 09/48] Change Debian version from 13 to 12 in README
Updated Debian version references from 13 to 12 in the README.
---
 README.md | 28 +++++++++++++++------------
 1 file changed, 15 insertions(+), 13 deletions(-)
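Review bot: Both new role entries in roles/requirements.yml pin `version: main`, so every `ansible-galaxy install` pulls whatever the upstream branch holds at that moment; for hardening roles that run as root on every host this is an unpinned supply-chain dependency, and a release tag or commit id should be used instead, e.g. `version: "<release tag>"` (placeholder until one is chosen). The pre-existing UBUNTU22-CIS entry has the same weakness, so pinning all three together keeps the file consistent and the installed roles reproducible. The debian12 `src` also omits the `.git` suffix the other two carry; it likely resolves either way, but matching the pattern avoids a surprise if galaxy's URL handling ever differs.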
diff --git a/README.md b/README.md index 2b6831d..c8f0585 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,9 @@ Cloud-Init for `Ubuntu 22.04 LTS Jammy Jellyfish (bookworm 12)` -`Debian 13 (trixie)` +`Debian 12 (bookworm)` + +_~Debian 13 (trixie)~ - When available on ansible-lockdown.._ # Usage @@ -45,18 +47,18 @@ Cloud-Init for "ubtu24_run_task_security": true, "ubtu24_runcis": false, - "debian13_vm": true, - "debian13_run_task_disk": true, - "debian13_run_task_packages": true, - "debian13_pkg_webmin": true, - "debian13_pkg_snmp": true, - "debian13_run_task_docker": true - "debian13_docker_type": "rootless", - "debian13_portainer_agent": true, - "debian13_portainer_host": true, - "debian13_run_task_configuration": true, - "debian13_run_task_security": true, - "debian13_runcis": false + "debian12_vm": true, + "debian12_run_task_disk": true, + "debian12_run_task_packages": true, + "debian12_pkg_webmin": true, + "debian12_pkg_snmp": true, + "debian12_run_task_docker": true + "debian12_docker_type": "rootless", + "debian12_portainer_agent": true, + "debian12_portainer_host": true, + "debian12_run_task_configuration": true, + "debian12_run_task_security": true, + "debian12_runcis": false } ``` From 074ca085dd680bad545bea5a55902e1ced7e2501 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 11:56:25 +0100 Subject: [PATCH 10/48] Refactor task includes for Debian and Ubuntu versions --- tasks/main.yml | 46 ++++++++++++++++++++-------------------------- 1 file changed, 20 insertions(+), 26 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 2d7edca..069822d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -13,32 +13,26 @@ ansible.builtin.debug: msg: "Running in pipeline: {{ in_pipeline }}" -- name: Disk Configuration - when: ubtu22_run_task_disk - ansible.builtin.import_tasks: packages/main.yml - tags: - - packages +- name: Include Debian 12 tasks + ansible.builtin.include_tasks: debian12.yml + when: + - ansible_facts['distribution'] == "Debian" + - ansible_facts['distribution_version'] is version("12", "==") -- name: Packages - when: ubtu22_run_task_packages - ansible.builtin.import_tasks: packages/main.yml - tags: - - packages +- name: Include Debian 13 tasks + ansible.builtin.include_tasks: debian13.yml + when: + - ansible_facts['distribution'] == "Debian" + - ansible_facts['distribution_version'] is version("13", "==") -- name: Docker - when: ubtu22_run_task_docker - ansible.builtin.import_tasks: docker/main.yml - tags: - - docker +- name: Include Ubuntu 22.04 tasks + ansible.builtin.include_tasks: ubuntu2204.yml + when: + - ansible_facts['distribution'] == "Ubuntu" + - ansible_facts['distribution_version'] is version("22.04", "==") -- name: Configuration - when: ubtu22_run_task_configuration - ansible.builtin.import_tasks: configuration/main.yml - tags: - - configure - -- name: Security - when: ubtu22_run_task_security - ansible.builtin.import_tasks: security/main.yml - tags: - - security +- name: Include Ubuntu 24.04 tasks + ansible.builtin.include_tasks: ubuntu2404.yml + when: + - ansible_facts['distribution'] == "Ubuntu" + - ansible_facts['distribution_version'] is version("24.04", "==") From a9cd0d310cf0720d949d2175d5d4b2bdee72833b Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 11:57:13 +0100 Subject: [PATCH 11/48] Add Ubuntu 22.04 specific task with debug message --- tasks/ubuntu2204.yml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 tasks/ubuntu2204.yml diff --git a/tasks/ubuntu2204.yml b/tasks/ubuntu2204.yml new file mode 100644 index 0000000..6b7edab 
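Review bot: The two Debian branches compare `ansible_facts['distribution_version'] is version("12", "==")`, and on Debian hosts that fact may carry a point release (e.g. `12.x`), in which case the equality is false and no Debian tasks run at all; `ansible_facts['distribution_major_version'] == "12"` (and `"13"`) is the robust key for Debian, while the Ubuntu `22.04`/`24.04` comparisons are fine as written. A host that matches none of the four `when` sets silently does nothing after the debug task, so a final `ansible.builtin.fail` (or an `assert` up front) naming the unsupported distribution would turn that into a visible failure instead of a play that "succeeds" without hardening anything. Note also that `include_tasks` is dynamic, so running with `--tags packages` will skip the include unless the include itself carries the tag — the `tags` inside the included files no longer select them the way the removed `import_tasks` did.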
--- /dev/null +++ b/tasks/ubuntu2204.yml @@ -0,0 +1,34 @@ +--- +- name: Ubuntu 22.04 specific task + ansible.builtin.debug: + msg: "Running tasks for Ubuntu 22.04" + +- name: Disk Configuration + when: ubtu22_run_task_disk + ansible.builtin.import_tasks: packages/main.yml + tags: + - packages + +- name: Packages + when: ubtu22_run_task_packages + ansible.builtin.import_tasks: packages/main.yml + tags: + - packages + +- name: Docker + when: ubtu22_run_task_docker + ansible.builtin.import_tasks: docker/main.yml + tags: + - docker + +- name: Configuration + when: ubtu22_run_task_configuration + ansible.builtin.import_tasks: configuration/main.yml + tags: + - configure + +- name: Security + when: ubtu22_run_task_security + ansible.builtin.import_tasks: security/main.yml + tags: + - security From de1b89ddc7811c12b3a3b283b44112e9ae46eb1f Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 11:58:16 +0100 Subject: [PATCH 12/48] Add Ubuntu 24.04 specific tasks to playbook --- tasks/ubuntu2404.yml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 tasks/ubuntu2404.yml diff --git a/tasks/ubuntu2404.yml b/tasks/ubuntu2404.yml new file mode 100644 index 0000000..42161a0 --- /dev/null +++ b/tasks/ubuntu2404.yml 
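Review bot: In the new tasks/ubuntu2204.yml the `Disk Configuration` task imports `packages/main.yml` instead of `disk/main.yml`, so when `ubtu22_run_task_disk` is true the package tasks run twice and the disk tasks never run; the same copy-paste appears in tasks/ubuntu2404.yml, tasks/debian12.yml and tasks/debian13.yml. Change the line to `ansible.builtin.import_tasks: disk/main.yml` and its tag to `- disk` in all four files. The four files are otherwise identical apart from the variable prefix, so a single file driven by a prefix variable would remove the duplication that made this slip easy to miss.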
@@ -0,0 +1,34 @@ +--- +- name: Ubuntu 24.04 specific task + ansible.builtin.debug: + msg: "Running tasks for Ubuntu 24.04" + +- name: Disk Configuration + when: ubtu24_run_task_disk + ansible.builtin.import_tasks: packages/main.yml + tags: + - packages + +- name: Packages + when: ubtu24_run_task_packages + ansible.builtin.import_tasks: packages/main.yml + tags: + - packages + +- name: Docker + when: ubtu24_run_task_docker + ansible.builtin.import_tasks: docker/main.yml + tags: + - docker + +- name: Configuration + when: ubtu24_run_task_configuration + ansible.builtin.import_tasks: configuration/main.yml + tags: + - configure + +- name: Security + when: ubtu24_run_task_security + ansible.builtin.import_tasks: security/main.yml + tags: + - security From 118ebec23a1ca3f8a979ad116d5efd8aa538266e Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 11:59:36 +0100 Subject: [PATCH 13/48] Add Debian 12 specific tasks Add specific tasks for Debian 12 including disk configuration, package installation, Docker setup, configuration, and security tasks. --- tasks/debian12.yml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 tasks/debian12.yml diff --git a/tasks/debian12.yml b/tasks/debian12.yml new file mode 100644 index 0000000..f53effa --- /dev/null +++ b/tasks/debian12.yml 
@@ -0,0 +1,34 @@ +--- +- name: Debian 12 specific task + ansible.builtin.debug: + msg: "Running tasks for Debian 12" + +- name: Disk Configuration + when: deb12_run_task_disk + ansible.builtin.import_tasks: packages/main.yml + tags: + - packages + +- name: Packages + when: deb12_run_task_packages + ansible.builtin.import_tasks: packages/main.yml + tags: + - packages + +- name: Docker + when: deb12_run_task_docker + ansible.builtin.import_tasks: docker/main.yml + tags: + - docker + +- name: Configuration + when: deb12_run_task_configuration + ansible.builtin.import_tasks: configuration/main.yml + tags: + - configure + +- name: Security + when: deb12_run_task_security + ansible.builtin.import_tasks: security/main.yml + tags: + - security From 3287b660d30464528b69cc3d5c23d28137ecc121 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 12:00:09 +0100 Subject: [PATCH 14/48] Add Debian 13 specific tasks to playbook --- tasks/debian13.yml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 tasks/debian13.yml diff --git a/tasks/debian13.yml b/tasks/debian13.yml new file mode 100644 index 0000000..d75bec4 --- /dev/null +++ b/tasks/debian13.yml @@ -0,0 +1,34 @@ +--- +- name: Debian 13 specific task + ansible.builtin.debug: + msg: "Running tasks for Debian 13" + +- name: Disk Configuration + when: deb13_run_task_disk + ansible.builtin.import_tasks: packages/main.yml + tags: + - packages + +- name: Packages + when: deb13_run_task_packages + ansible.builtin.import_tasks: packages/main.yml + tags: + - packages + +- name: Docker + when: deb13_run_task_docker + ansible.builtin.import_tasks: docker/main.yml + tags: + - docker + +- name: Configuration + when: deb13_run_task_configuration + ansible.builtin.import_tasks: configuration/main.yml + tags: + - configure + +- name: Security + when: deb13_run_task_security + ansible.builtin.import_tasks: security/main.yml + tags: + - security 
From 81517d665cd19d1b499fa0bd0c615386dc751fd4 Mon Sep 17 00:00:00 2001
From: Martijn <12066560+Kipjr@users.noreply.github.com>
Date: Sun, 1 Mar 2026 12:01:05 +0100
Subject: [PATCH 15/48] Refactor Debian 12 configuration keys in README
Updated Debian 12 configuration keys to a shorter format.
---
 README.md | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index c8f0585..6a6492d 100644
--- a/README.md
+++ b/README.md
@@ -47,18 +47,18 @@ _~Debian 13 (trixie)~ - When available on ansible-lockdown.._
 "ubtu24_run_task_security": true,
 "ubtu24_runcis": false,
- "debian12_vm": true,
- "debian12_run_task_disk": true,
- "debian12_run_task_packages": true,
- "debian12_pkg_webmin": true,
- "debian12_pkg_snmp": true,
- "debian12_run_task_docker": true
- "debian12_docker_type": "rootless",
- "debian12_portainer_agent": true,
- "debian12_portainer_host": true,
- "debian12_run_task_configuration": true,
- "debian12_run_task_security": true,
- "debian12_runcis": false
+ "deb12_vm": true,
+ "deb12_run_task_disk": true,
+ "deb12_run_task_packages": true,
+ "deb12_pkg_webmin": true,
+ "deb12_pkg_snmp": true,
+ "deb12_run_task_docker": true
+ "deb12_docker_type": "rootless",
+ "deb12_portainer_agent": true,
+ "deb12_portainer_host": true,
+ "deb12_run_task_configuration": true,
+ "deb12_run_task_security": true,
+ "deb12_runcis": false
 }
 ```
From ba3b67564a2676d803cffd3382a9c9852891afba Mon Sep 17 00:00:00 2001
From: Martijn <12066560+Kipjr@users.noreply.github.com>
Date: Sun, 1 Mar 2026 12:19:47 +0100
Subject: [PATCH 16/48] Enhance disk management tasks in main.yml
---
 tasks/disk/main.yml | 147 ++++++++++++++++++++++++++++++++++++++------
 1 file changed, 128 insertions(+), 19 deletions(-)
diff --git a/tasks/disk/main.yml b/tasks/disk/main.yml
index b4a3e89..280cb3b 100644
--- a/tasks/disk/main.yml
+++ b/tasks/disk/main.yml
@@ -13,35 +13,144 @@ - quota state: present -# sudo modprobe -v xfs +- name: Detect candidate block devices + set_fact: + candidate_disks: >- + {{ + ansible_facts.devices + | dict2items + | rejectattr('key', 'search', '^(loop|ram|sr|dm-)') + | selectattr('value.removable', 'equalto', '0') + | selectattr('value.size', 'defined') + | map(attribute='key') + | list + }} -# fdisk -l -# Disk /dev/xvda: 40 GiB, 42949672960 bytes, 83886080 sectors -# Disk /dev/xvdf: 400 GiB, 429496729600 bytes, 838860800 sectors +- name: Build disk size map (GB numeric) + set_fact: + disk_sizes: >- + {{ + dict(candidate_disks | zip( + candidate_disks + | map('extract', ansible_facts.devices) + | map(attribute='size') + | map('regex_replace','[^0-9.]','') + | map('float') + )) + }} -# mkfs.xfs [options] /dev/device +- name: Sort disks by size + set_fact: + sorted_disks: "{{ disk_sizes | dict2items | sort(attribute='value') | map(attribute='key') | list }}" + disk_count: "{{ sorted_disks | length }}" -# read info and reuse it in subsequent task -- name: Read device info (always use unit when probing) - community.general.parted: - device: /dev/sdb - unit: MiB - register: sdb_info +- name: Detect root source device + set_fact: + root_device: "{{ ansible_facts.mounts | selectattr('mount','equalto','/') | map(attribute='device') | first }}" + root_online: "{{ (ansible_facts.mounts | selectattr('mount','equalto','/') | list | length) > 0 }}" + +######################################################### +# CASE 1: Single disk + online root → SKIP +######################################################### + +- name: Skip disk changes (single disk with active root) + meta: end_play + when: + - disk_count == 1 + - root_online | bool + +######################################################### +# Disk role assignment +######################################################### + +- name: Assign disk roles + set_fact: + smallest_disk: "{{ sorted_disks[0] }}" + largest_disk: "{{ sorted_disks[-1] }}" + 
when: disk_count >= 2 -- name: Create a new XFS data partition +######################################################### +# Helper: partition suffix handling +######################################################### + +- name: Set partition suffix rule + set_fact: + part_suffix: >- + {{ + 'p' if largest_disk is search('^nvme|^mmcblk') else '' + }} + when: disk_count >= 2 + +######################################################### +# 2 DISKS → DATA ONLY +######################################################### + +- name: Ensure GPT label on largest disk community.general.parted: - device: /dev/sdb + device: "/dev/{{ largest_disk }}" label: gpt - name: data + when: disk_count >= 2 + +- name: Create data partition (64G at start) + community.general.parted: + device: "/dev/{{ largest_disk }}" number: 1 state: present - fs_type: xfs + part_start: 1MiB + part_end: 64G + when: disk_count >= 2 + +- name: Create XFS filesystem for data + ansible.builtin.filesystem: + fstype: xfs + dev: "/dev/{{ largest_disk }}{{ part_suffix }}1" + when: disk_count >= 2 + +- name: Mount data + ansible.posix.mount: + path: /mnt/data + src: "/dev/{{ largest_disk }}{{ part_suffix }}1" + fstype: xfs + state: mounted + when: disk_count >= 2 + +######################################################### +# 3 DISKS → ADDITIONAL LOG DISK +######################################################### + +- name: Set log partition suffix + set_fact: + log_suffix: >- + {{ + 'p' if smallest_disk is search('^nvme|^mmcblk') else '' + }} + when: disk_count == 3 -- name: Create a new log partition +- name: Ensure GPT label on smallest disk community.general.parted: - device: /dev/sdc + device: "/dev/{{ smallest_disk }}" label: gpt - name: log + when: disk_count == 3 + +- name: Create log partition (8G) + community.general.parted: + device: "/dev/{{ smallest_disk }}" number: 1 state: present - fs_type: ext4 + part_start: 1MiB + part_end: 8G + when: disk_count == 3 + +- name: Create ext4 for /var/log + 
ansible.builtin.filesystem: + fstype: ext4 + dev: "/dev/{{ smallest_disk }}{{ log_suffix }}1" + when: disk_count == 3 + +- name: Mount /var/log + ansible.posix.mount: + path: /var/log + src: "/dev/{{ smallest_disk }}{{ log_suffix }}1" + fstype: ext4 + state: mounted + when: disk_count == 3 From 397a63e5222c685d2e178d5ca9f4a50b565e2f14 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 12:29:41 +0100 Subject: [PATCH 17/48] Update Docker playbook for better variable usage Refactor Docker installation playbook to use variables for distribution checks and repository settings. --- tasks/docker/main.yml | 75 ++++++++++++++++++++++++++++++++----------- 1 file changed, 56 insertions(+), 19 deletions(-) diff --git a/tasks/docker/main.yml b/tasks/docker/main.yml index ce4b15e..8b78466 100644 --- a/tasks/docker/main.yml +++ b/tasks/docker/main.yml 
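Review bot: `meta: end_play` in the single-disk case ends the whole play rather than just this file, so on the most common cloud shape (one disk carrying `/`) the Packages, Docker, Configuration and Security tasks imported after the disk tasks never run; use `meta: end_host`, or better drop the early exit and keep the partitioning tasks behind their `when: disk_count >= 2` guards. `root_device` is computed but never used to exclude the root disk from `candidate_disks`, so on a two-disk host whose largest disk carries `/` the `label: gpt` and partition tasks operate on the root disk; adding `| rejectattr('value.partitions') | rejectattr('value.holders')` to the candidate filter makes parted touch only blank disks, though the `== 1` / `== 3` thresholds then need revisiting because the root disk no longer counts. `disk_count` comes from `set_fact` with a templated `length`, so the numeric comparisons are safer written as `disk_count | int >= 2`. The hunk also mixes bare `set_fact` with the FQCN style (`ansible.builtin.filesystem`, `community.general.parted`) used in the same file.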
@@ -1,17 +1,54 @@ --- -- name: Add Docker official GPG key - become: true - ansible.builtin.apt_key: - url: https://download.docker.com/linux/ubuntu/gpg - state: present -- name: Add Docker repository - become: true - ansible.builtin.apt_repository: - repo: "deb https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable" - filename: docker +- name: Ensure supported distribution + ansible.builtin.assert: + that: + - ansible_facts['distribution'] in ['Debian', 'Ubuntu'] + +- name: Set Docker repo variables + ansible.builtin.set_fact: + docker_repo_base: "https://download.docker.com/linux/{{ ansible_facts['distribution'] | lower }}" + docker_gpg_url: "https://download.docker.com/linux/{{ ansible_facts['distribution'] | lower }}/gpg" + docker_codename: >- + {{ + ansible_facts['distribution_release'] + }} + +- name: Update apt cache + ansible.builtin.apt: + update_cache: true + +- name: Install required packages + ansible.builtin.apt: + name: + - ca-certificates + - curl state: present +- name: Ensure keyring directory exists + ansible.builtin.file: + path: /etc/apt/keyrings + state: directory + mode: "0755" + +- name: Download Docker GPG key + ansible.builtin.get_url: + url: "{{ docker_gpg_url }}" + dest: /etc/apt/keyrings/docker.asc + mode: "0644" + force: true + +- name: Configure Docker apt source + ansible.builtin.copy: + dest: /etc/apt/sources.list.d/docker.sources + mode: "0644" + content: | + Types: deb + URIs: {{ docker_repo_base }} + Suites: {{ docker_codename }} + Components: stable + Signed-By: /etc/apt/keyrings/docker.asc + - name: Ensure all packages are up to date become: true ansible.builtin.apt: @@ -62,7 +99,7 @@ exit 0 - name: Rootfull Docker - when: ubtu22_docker_type == "rootfull" + when: docker_type == "rootfull" block: - name: Set variables ansible.builtin.set_fact: 
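Review bot: The new `Install required packages`, `Ensure keyring directory exists`, `Download Docker GPG key` and `Configure Docker apt source` tasks write under `/etc` but, unlike the removed tasks and the `Ensure all packages are up to date` task that follows, carry no `become: true`; unless the play itself escalates (not visible here) they will fail with a permission error. The `docker.list` file that the removed `ansible.builtin.apt_repository` task wrote via `filename: docker` is not cleaned up, so hosts that ran the previous version end up with two Docker sources, one of them tied to the old system-wide key; add `ansible.builtin.file: path: /etc/apt/sources.list.d/docker.list, state: absent` before writing the deb822 source. `get_url` with `force: true` re-downloads the key on every run with TLS as the only trust anchor; a `checksum: "sha256:<expected digest>"` (placeholder) pin makes a substituted key fail loudly and also makes the task idempotent. The `assert` would read better with a `fail_msg` naming the unsupported distribution.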
@@ -71,7 +108,7 @@ docker_daemon_conf: /etc/docker/daemon.json - name: Rootless Docker - when: ubtu22_docker_type == "rootless" + when: docker_type == "rootless" block: - name: Set variables ansible.builtin.set_fact: @@ -111,7 +148,7 @@ state: absent - name: Install Docker (rootless, using systemd) - when: not file_check_docker_rootless.stat.exists and ubtu22_docker_type == "rootless" + when: not file_check_docker_rootless.stat.exists and docker_type == "rootless" environment: XDG_RUNTIME_DIR: "/run/user/{{ ansible_user_uid }}" DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/{{ ansible_user_uid }}/bus" @@ -137,7 +174,7 @@ when: bashrc_path_usr_bin_check.rc != 0 - name: Check if DOCKER_HOST is set in .bashrc - when: ubtu22_docker_type == "rootless" + when: docker_type == "rootless" ansible.builtin.command: grep -q 'export DOCKER_HOST=unix:///run/user/{{ ansible_user_uid }}/docker.sock' /home/{{ ansible_user_id }}/.bashrc register: bashrc_docker_host_check ignore_errors: true @@ -245,7 +282,7 @@ - "9443:9443" - name: Update Portainer EE - when: not ubtu22_portainer_host + when: not portainer_host ansible.builtin.blockinfile: path: /home/{{ ansible_user_id }}/docker/portainer/docker-compose.yml marker: "" @@ -256,7 +293,7 @@ - host - name: Update Portainer Agent - when: not ubtu22_portainer_agent + when: not portainer_agent ansible.builtin.blockinfile: path: /home/{{ ansible_user_id }}/docker/portainer/docker-compose.yml marker: "" @@ -270,7 +307,7 @@ when: not in_pipeline block: - name: Run the Docker service - when: ubtu22_docker_type == "rootless" + when: docker_type == "rootless" ansible.builtin.systemd: name: docker enabled: true @@ -278,7 +315,7 @@ scope: user - name: Run the Docker service - when: ubtu22_docker_type == "rootfull" and not in_pipeline + when: docker_type == "rootfull" and not in_pipeline ansible.builtin.systemd: name: docker enabled: true 
@@ -304,7 +341,7 @@ gateway: 192.168.224.129 - name: Start Docker Portainer - when: ubtu22_docker_type == "rootless" and (ubtu22_portainer_agent or ubtu22_portainer_host) and not in_pipeline + when: docker_type == "rootless" and (portainer_agent or portainer_host) and not in_pipeline community.docker.docker_compose_v2: docker_host: unix://{{ docker_host }} project_src: /home/{{ ansible_user_id }}/docker/portainer From 3a790357110a071a9a27a0a985b03ab9fb9387b3 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 12:30:47 +0100 Subject: [PATCH 18/48] Update Docker configuration options in README --- README.md | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 6a6492d..2d15632 100644 --- a/README.md +++ b/README.md @@ -20,16 +20,16 @@ _~Debian 13 (trixie)~ - When available on ansible-lockdown.._ { "ansible_become_user": "root", "ansible_become_method": "sudo", + "docker_type": "rootless", + "portainer_agent": true, + "portainer_host": true, "ubtu22_vm": true, "ubtu22_run_task_disk": true, "ubtu22_run_task_packages": true, "ubtu22_pkg_webmin": true, "ubtu22_pkg_snmp": true, - "ubtu22_run_task_docker": true - "ubtu22_docker_type": "rootless", - "ubtu22_portainer_agent": true, - "ubtu22_portainer_host": true, + "ubtu22_run_task_docker": true, "ubtu22_run_task_configuration": true, "ubtu22_run_task_security": true, "ubtu22_runcis": false, @@ -40,9 +40,6 @@ _~Debian 13 (trixie)~ - When available on ansible-lockdown.._ "ubtu24_pkg_webmin": true, "ubtu24_pkg_snmp": true, "ubtu24_run_task_docker": true - "ubtu24_docker_type": "rootless", - "ubtu24_portainer_agent": true, - "ubtu24_portainer_host": true, "ubtu24_run_task_configuration": true, "ubtu24_run_task_security": true, "ubtu24_runcis": false, 
@@ -53,9 +50,6 @@ _~Debian 13 (trixie)~ - When available on ansible-lockdown.._ "deb12_pkg_webmin": true, "deb12_pkg_snmp": true, "deb12_run_task_docker": true - "deb12_docker_type": "rootless", - "deb12_portainer_agent": true, - "deb12_portainer_host": true, "deb12_run_task_configuration": true, "deb12_run_task_security": true, "deb12_runcis": false From 1fa9f4dc327580468231dba899287ff4de7fccd7 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 12:32:30 +0100 Subject: [PATCH 19/48] Refactor configuration variables for Ubuntu and Debian --- defaults/main.yml | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 56bc8c5..be2a2e5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,11 +1,20 @@ -ubtu22_vm: true -ubtu22_pkg_webmin: true -ubtu22_pkg_snmp: false -ubtu22_portainer_host: true -ubtu22_portainer_agent: true -ubtu22_docker_type: "rootless" -# ubtu22_docker_type: "rootfull" -ubtu22_docker_rootless_user: "docker" +portainer_host: true +portainer_agent: true +docker_type: "rootless" +# docker_type: "rootfull" +docker_rootless_user: "docker" + +vm: true +pkg_webmin: true +pkg_snmp: false + +deb12_run_task_configuration: true +deb12_run_task_disk: true +deb12_run_task_docker: true +deb12_run_task_packages: true +deb12_run_task_security: true +deb12_runcis: false + ubtu22_run_task_configuration: true ubtu22_run_task_disk: true ubtu22_run_task_docker: true @@ -13,6 +22,13 @@ ubtu22_run_task_packages: true ubtu22_run_task_security: true ubtu22_runcis: false +ubtu24_run_task_configuration: true +ubtu24_run_task_disk: true +ubtu24_run_task_docker: true +ubtu24_run_task_packages: true +ubtu24_run_task_security: true +ubtu24_runcis: false + ### ### ubtu22cis variables ### From cb22f959281b524cfc7df8374d985ee62b451a1a Mon Sep 17 00:00:00 2001 
From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 12:33:58 +0100 Subject: [PATCH 20/48] Replace 'ubtu22_pkg_*' with 'pkg_*' in main.yml --- tasks/packages/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/packages/main.yml b/tasks/packages/main.yml index 9f645df..195af6f 100644 --- a/tasks/packages/main.yml +++ b/tasks/packages/main.yml @@ -34,7 +34,7 @@ register: webmin_repo_download ignore_errors: true when: - - ubtu22_pkg_webmin + - pkg_webmin ansible.builtin.get_url: url: https://raw.githubusercontent.com/webmin/webmin/master/setup-repos.sh dest: /tmp/setup-repos.sh @@ -42,7 +42,7 @@ - name: Configure Webmin Repo when: - - ubtu22_pkg_webmin + - pkg_webmin - webmin_repo_download.state == "file" become: true args: @@ -94,7 +94,7 @@ - name: Install Webmin when: - - ubtu22_pkg_webmin + - pkg_webmin become: true ansible.builtin.apt: name: @@ -103,7 +103,7 @@ - name: Install hardware packages when: - - not ubtu22_vm + - not vm become: true ansible.builtin.apt: name: @@ -113,7 +113,7 @@ - name: Install SNMP when: - - ubtu22_pkg_snmp + - pkg_snmp become: true ansible.builtin.apt: name: From 4417d619b39de067b0661b45540cb028e00dc141 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 12:37:25 +0100 Subject: [PATCH 21/48] Update actions and versions in powershell.yml --- .github/workflows/powershell.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/powershell.yml b/.github/workflows/powershell.yml index cd6f826..7c63776 100644 --- a/.github/workflows/powershell.yml +++ b/.github/workflows/powershell.yml 
@@ -27,10 +27,10 @@ jobs: name: PSScriptAnalyzer runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Run PSScriptAnalyzer - uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f + uses: microsoft/psscriptanalyzer-action@v1.1 with: # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options. # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules. @@ -42,6 +42,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: results.sarif From d80d2d49148273e5670807c4af898f32d9c056a3 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 12:37:48 +0100 Subject: [PATCH 22/48] Update checkout action version in shellcheck workflow --- .github/workflows/shellcheck.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index 462353a..ca13036 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -14,6 +14,6 @@ jobs: name: Shellcheck runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Run ShellCheck uses: ludeeus/action-shellcheck@master From c41010fed90a4cb9adef183cee085809efe62c72 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 12:39:17 +0100 Subject: [PATCH 23/48] Update GitHub Actions to use latest action versions --- .github/workflows/ansible.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ansible.yml b/.github/workflows/ansible.yml index 9d2e8e7..e211c20 100644 --- a/.github/workflows/ansible.yml +++ b/.github/workflows/ansible.yml 
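Review bot: The `Run PSScriptAnalyzer` step replaces a full commit SHA with the mutable tag `microsoft/psscriptanalyzer-action@v1.1`, which loosens supply-chain pinning: a tag can be re-pointed by whoever controls that repository, a SHA cannot. Keep pinning to the commit that `v1.1` currently resolves to and record the tag in a trailing comment so update tooling can still track it, e.g. `uses: microsoft/psscriptanalyzer-action@<commit-sha>  # v1.1`. If tag references are considered acceptable for the first-party `actions/*` and `github/*` bumps in the same hunks, a one-line comment stating that policy would save the next reviewer from asking.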
@@ -34,11 +34,11 @@ jobs: python-version: ["3.13"] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Set up Python ${{ matrix.python-version }} id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} @@ -48,7 +48,7 @@ jobs: - name: Cache pipenv id: cache-pipenv - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: ~/.local/share/virtualenvs key: ${{ runner.os }}-pipenv-${{ hashFiles('**/Pipfile.lock') }} @@ -71,7 +71,7 @@ jobs: echo "lint_success: ${{ env.lint_success }}" - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: results.sarif @@ -81,10 +81,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ needs.lint.outputs.python-version }} From c8c20231ff5ac7054e558470f9a53a054694336f Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 12:51:38 +0100 Subject: [PATCH 24/48] Update set_fact to use ansible.legacy namespace --- tasks/disk/main.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tasks/disk/main.yml b/tasks/disk/main.yml index 280cb3b..4a40cb8 100644 --- a/tasks/disk/main.yml +++ b/tasks/disk/main.yml @@ -14,7 +14,7 @@ state: present - name: Detect candidate block devices - set_fact: + ansible.legacy.set_fact: candidate_disks: >- {{ ansible_facts.devices @@ -27,7 +27,7 @@ }} - name: Build disk size map (GB numeric) - set_fact: + ansible.legacy.set_fact: disk_sizes: >- {{ dict(candidate_disks | zip( 
@@ -40,13 +40,13 @@ }} - name: Sort disks by size - set_fact: + ansible.legacy.set_fact: sorted_disks: "{{ disk_sizes | dict2items | sort(attribute='value') | map(attribute='key') | list }}" disk_count: "{{ sorted_disks | length }}" - name: Detect root source device - set_fact: - root_device: "{{ ansible_facts.mounts | selectattr('mount','equalto','/') | map(attribute='device') | first }}" + ansible.legacy.set_fact: + root_device: "{{ ansible_facts.mounts | selectattr('mount', 'equalto', '/') | map(attribute='device') | first }}" root_online: "{{ (ansible_facts.mounts | selectattr('mount','equalto','/') | list | length) > 0 }}" ######################################################### @@ -54,7 +54,7 @@ ######################################################### - name: Skip disk changes (single disk with active root) - meta: end_play + ansible.legacy.meta: end_play when: - disk_count == 1 - root_online | bool @@ -101,7 +101,7 @@ when: disk_count >= 2 - name: Create XFS filesystem for data - ansible.builtin.filesystem: + community.general.filesystem: fstype: xfs dev: "/dev/{{ largest_disk }}{{ part_suffix }}1" when: disk_count >= 2 @@ -119,7 +119,7 @@ ######################################################### - name: Set log partition suffix - set_fact: + ansible.builtin.set_fact: log_suffix: >- {{ 'p' if smallest_disk is search('^nvme|^mmcblk') else '' @@ -142,7 +142,7 @@ when: disk_count == 3 - name: Create ext4 for /var/log - ansible.builtin.filesystem: + community.general.filesystem: fstype: ext4 dev: "/dev/{{ smallest_disk }}{{ log_suffix }}1" when: disk_count == 3 From 8bd365f394e21cf2586dce16690ff8df9bb2a1a6 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 12:53:13 +0100 Subject: [PATCH 25/48] Update set_fact to use ansible.builtin namespace --- tasks/disk/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/disk/main.yml b/tasks/disk/main.yml index 4a40cb8..68db2ca 100644 
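Review bot: This commit rewrites `set_fact` to `ansible.legacy.set_fact` (and `meta: end_play` to `ansible.legacy.meta`) in the first hunks but to `ansible.builtin.set_fact` in `Set log partition suffix`, leaving the file with two namespaces for the same module. `ansible.legacy.*` searches the playbook- and role-adjacent `library/` paths before falling back to the core module, so a stray or planted module file in the tree can shadow it; `ansible.builtin.set_fact` and `ansible.builtin.meta: end_play` are the unambiguous spelling and should be used throughout. Separately, `Create XFS filesystem for data` picks its target purely by size ordering (`/dev/{{ largest_disk }}{{ part_suffix }}1`); `community.general.filesystem` refuses to replace a filesystem of a different type without `force`, but the partitioning step that precedes it is outside this hunk, so it is worth confirming that step bails out when the chosen disk already carries partitions or a mounted filesystem.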
--- a/tasks/disk/main.yml +++ b/tasks/disk/main.yml @@ -64,7 +64,7 @@ ######################################################### - name: Assign disk roles - set_fact: + ansible.builtin.set_fact: smallest_disk: "{{ sorted_disks[0] }}" largest_disk: "{{ sorted_disks[-1] }}" when: disk_count >= 2 From 7c1f3aca2faf3614167960a23b69d5462cabe6c2 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 12:53:30 +0100 Subject: [PATCH 26/48] Update set_fact to use ansible.builtin namespace --- tasks/disk/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/disk/main.yml b/tasks/disk/main.yml index 68db2ca..beef9ad 100644 --- a/tasks/disk/main.yml +++ b/tasks/disk/main.yml @@ -74,7 +74,7 @@ ######################################################### - name: Set partition suffix rule - set_fact: + ansible.builtin.set_fact: part_suffix: >- {{ 'p' if largest_disk is search('^nvme|^mmcblk') else '' From e0875a2baa43a11e3b40734fcadf17cc5fa433a7 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 15:35:48 +0100 Subject: [PATCH 27/48] Update Docker installation tasks in main.yml --- tasks/docker/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tasks/docker/main.yml b/tasks/docker/main.yml index 8b78466..0454567 100644 --- a/tasks/docker/main.yml +++ b/tasks/docker/main.yml @@ -15,10 +15,12 @@ }} - name: Update apt cache + become: true ansible.builtin.apt: update_cache: true - name: Install required packages + become: true ansible.builtin.apt: name: - ca-certificates @@ -26,12 +28,14 @@ state: present - name: Ensure keyring directory exists + become: true ansible.builtin.file: path: /etc/apt/keyrings state: directory mode: "0755" - name: Download Docker GPG key + become: true ansible.builtin.get_url: url: "{{ docker_gpg_url }}" dest: /etc/apt/keyrings/docker.asc 
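Review bot: `Download Docker GPG key` now writes the apt trust anchor `/etc/apt/keyrings/docker.asc` as root on every run, with no verification beyond the TLS connection to `docker_gpg_url` (and the `force: true` in the following hunk re-downloads it each time). If the key served at that URL changes — upstream rotation, a mis-set variable, or a compromised endpoint — the new key silently becomes trusted by apt. Pin what you vetted: add `checksum: "sha256:<digest-of-the-vetted-key-file>"` to the `get_url` task, or follow it with a task that runs `gpg --show-keys --with-fingerprint` on the file and fails when the fingerprint differs from the one Docker publishes in its install documentation; with a checksum in place `force: true` can go, which also makes the task idempotent.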
@@ -39,6 +43,7 @@ force: true - name: Configure Docker apt source + become: true ansible.builtin.copy: dest: /etc/apt/sources.list.d/docker.sources mode: "0644" From 9409d6db23743738e3a43bb1899073888bfc82bb Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 16:07:47 +0100 Subject: [PATCH 28/48] Update main.yml --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 069822d..69a1a89 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -23,7 +23,7 @@ ansible.builtin.include_tasks: debian13.yml when: - ansible_facts['distribution'] == "Debian" - - ansible_facts['distribution_version'] is version("13", "==") + - ansible_facts['distribution_version'] is version("13.3", "==") - name: Include Ubuntu 22.04 tasks ansible.builtin.include_tasks: ubuntu2204.yml From 11c19e8c9f0b2734708949fce0f0051b62df3e38 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 16:10:22 +0100 Subject: [PATCH 29/48] Change imported tasks for disk configuration --- tasks/debian13.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/debian13.yml b/tasks/debian13.yml index d75bec4..cc3dbb9 100644 --- a/tasks/debian13.yml +++ b/tasks/debian13.yml @@ -5,7 +5,7 @@ - name: Disk Configuration when: deb13_run_task_disk - ansible.builtin.import_tasks: packages/main.yml + ansible.builtin.import_tasks: disk/main.yml tags: - packages From 0f869d0780a07b086c3c786be37602a0126a4421 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 16:12:07 +0100 Subject: [PATCH 30/48] Add Debian 13 task configuration options --- defaults/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index be2a2e5..781d999 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
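Review bot: The Debian 13 guard moves from `version("13", "==")` to `version("13.3", "==")` on `distribution_version`, which pins `debian13.yml` — and with it the security/CIS tasks it includes — to a single point release: on a 13.2 or 13.4 host the condition is false and the whole file is silently skipped, a fail-open rather than an error. Compare the major version instead: `- ansible_facts['distribution_major_version'] == "13"`. If a minimum point release really is required, `is version("13.3", ">=")` expresses that without excluding newer releases.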
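Review bot: The `Disk Configuration` task now imports the right file but keeps `tags: - packages`, so `--tags disk` skips it and `--skip-tags packages` drops disk setup together with package installation. Unless sharing the tag is deliberate, change it to `- disk` to match the task name (presumably what the other distribution task files use).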
@@ -15,6 +15,13 @@ deb12_run_task_packages: true deb12_run_task_security: true deb12_runcis: false +deb13_run_task_configuration: true +deb13_run_task_disk: false +deb13_run_task_docker: false +deb13_run_task_packages: true +deb13_run_task_security: true +deb13_runcis: false + ubtu22_run_task_configuration: true ubtu22_run_task_disk: true ubtu22_run_task_docker: true From a29c9c666bfe2fc7e127b12208058e426a7ed99e Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 16:19:54 +0100 Subject: [PATCH 31/48] Update URL for Microsoft repository key file --- tasks/packages/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/packages/main.yml b/tasks/packages/main.yml index 195af6f..b7d14eb 100644 --- a/tasks/packages/main.yml +++ b/tasks/packages/main.yml @@ -2,7 +2,7 @@ - name: Download the Microsoft repository key file ansible.builtin.get_url: - url: "https://packages.microsoft.com/config/ubuntu/{{ ansible_lsb.release }}/packages-microsoft-prod.deb" + url: "https://packages.microsoft.com/config/{{ ansible_facts['distribution'] }}/{{ {{ ansible_facts['distribution_major_version'] }} }}/packages-microsoft-prod.deb" dest: "/tmp/packages-microsoft-prod.deb" mode: "0644" From 24df8dcc13fdac0c7bd25bb0079abe3cb48868b7 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 16:21:31 +0100 Subject: [PATCH 32/48] Replace ansible_user_id with ansible_facts in main.yml --- tasks/configuration/main.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tasks/configuration/main.yml b/tasks/configuration/main.yml index 8788bc0..f371c26 100644 --- a/tasks/configuration/main.yml +++ b/tasks/configuration/main.yml 
@@ -4,7 +4,7 @@ when: ansible_fqdn is defined and ansible_fqdn | length <= 32 become: true ansible.builtin.hostname: - name: "{{ ansible_fqdn }}" + name: "{{ ansible_facts['fqdn'] }}" - name: Set timezone to Europe/Amsterdam become: true @@ -28,29 +28,29 @@ - name: Create ~/.ssh if not exist ansible.builtin.file: - path: /home/{{ ansible_user_id }}/.ssh - owner: "{{ ansible_user_id }}" + path: /home/{{ ansible_facts['user_id'] }}/.ssh + owner: "{{ ansible_facts['user_id'] }}" state: directory mode: "0700" - name: Check if SSH private key already exists ansible.builtin.stat: - path: /home/{{ ansible_user_id }}/.ssh/id_rsa + path: /home/{{ ansible_facts['user_id'] }}/.ssh/id_rsa register: file_private_key - name: Generate SSH private and public keys when: not file_private_key.stat.exists community.crypto.openssh_keypair: - path: /home/{{ ansible_user_id }}/.ssh/id_rsa + path: /home/{{ ansible_facts['user_id'] }}/.ssh/id_rsa type: ed25519 - owner: "{{ ansible_user_id }}" + owner: "{{ ansible_facts['user_id'] }}" mode: '0600' register: ssh_keypair - name: Add SSH public key to authorized_keys when: not file_private_key.stat.exists ansible.posix.authorized_key: - user: "{{ ansible_user_id }}" + user: "{{ ansible_facts['user_id'] }}" key: "{{ ssh_keypair.public_key }}" - name: Disable SSH password authentication From be72b284ef9506b9ea8dde7dd6b7f90e56a1d256 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 16:25:54 +0100 Subject: [PATCH 33/48] Update user variables to use ansible_facts --- tasks/docker/main.yml | 52 +++++++++++++++++++++---------------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/tasks/docker/main.yml b/tasks/docker/main.yml index 0454567..33cf9ea 100644 --- a/tasks/docker/main.yml +++ b/tasks/docker/main.yml 
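Review bot: The hostname task's `name` now reads `ansible_facts['fqdn']`, but its `when:` on the line above still tests the injected `ansible_fqdn` variable, which only exists while `inject_facts_as_vars` is enabled — the setting this commit is moving the role away from; with it off the guard evaluates false and the hostname is never set. Update the guard in the same way: `when: ansible_facts['fqdn'] is defined and ansible_facts['fqdn'] | length <= 32`.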
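Review bot: Every path in this hunk is still built as `/home/{{ ansible_facts['user_id'] }}`, which is wrong for root (`/root`) and for any account with a non-default home; the facts dictionary this commit switches to already carries the real home directory, so `path: "{{ ansible_facts['user_dir'] }}/.ssh"` (and likewise for the `id_rsa` paths) is the robust form. Two things also deserve a comment on `Generate SSH private and public keys`: the file is named `id_rsa` while `type: ed25519` produces an Ed25519 key, which misleads anyone inspecting the host (renaming to `id_ed25519` would regenerate keys on existing hosts, so at least document the mismatch), and the generated public key is added to the same user's `authorized_keys` on the same machine, which grants nothing until the private key is copied elsewhere — the intent should be stated.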
@@ -117,19 +117,19 @@ block: - name: Set variables ansible.builtin.set_fact: - docker_host: /run/user/{{ ansible_user_uid }}/docker.sock - docker_volumes: /home/{{ ansible_user_id }}/.local/share/docker/volumes - docker_daemon_conf: /home/{{ ansible_user_id }}/.config/docker/daemon.json + docker_host: /run/user/{{ ansible_facts['user_uid'] }}/docker.sock + docker_volumes: /home/{{ ansible_facts['user_id'] }}/.local/share/docker/volumes + docker_daemon_conf: /home/{{ ansible_facts['user_id'] }}/.config/docker/daemon.json - name: Create ~/.config/docker if not exist ansible.builtin.file: - path: /home/{{ ansible_user_id }}/.config/docker + path: /home/{{ ansible_facts['user_id'] }}/.config/docker state: directory mode: "0755" - name: Check if Docker Rootless is installed ansible.builtin.stat: - path: /run/user/{{ ansible_user_uid }}/docker.sock + path: /run/user/{{ ansible_facts['user_uid'] }}/docker.sock register: file_check_docker_rootless - name: Disable Docker.service 
@@ -155,23 +155,23 @@ - name: Install Docker (rootless, using systemd) when: not file_check_docker_rootless.stat.exists and docker_type == "rootless" environment: - XDG_RUNTIME_DIR: "/run/user/{{ ansible_user_uid }}" - DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/{{ ansible_user_uid }}/bus" - HOME: "/home/{{ ansible_user_id }}" + XDG_RUNTIME_DIR: "/run/user/{{ ansible_facts['user_uid'] }}" + DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/{{ ansible_facts['user_uid'] }}/bus" + HOME: "/home/{{ ansible_facts['user_id'] }}" args: - creates: "/home/{{ ansible_user_id }}/.docker/config.json" + creates: "/home/{{ ansible_facts['user_id'] }}/.docker/config.json" ansible.builtin.shell: | dockerd-rootless-setuptool.sh install - name: Check if /usr/bin is in PATH in .bashrc - ansible.builtin.command: grep -q 'export PATH=/usr/bin:$PATH' /home/{{ ansible_user_id }}/.bashrc + ansible.builtin.command: grep -q 'export PATH=/usr/bin:$PATH' /home/{{ ansible_facts['user_id'] }}/.bashrc register: bashrc_path_usr_bin_check ignore_errors: true changed_when: false - name: Ensure /usr/bin is in PATH in .bashrc ansible.builtin.lineinfile: - path: /home/{{ ansible_user_id }}/.bashrc + path: /home/{{ ansible_facts['user_id'] }}/.bashrc line: 'export PATH=/usr/bin:$PATH' state: present create: true 
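Review bot: `Install Docker (rootless, using systemd)` guards `dockerd-rootless-setuptool.sh install` with `creates: /home/{{ ansible_facts['user_id'] }}/.docker/config.json`, but `~/.docker/config.json` is the Docker CLI's config/credential file, created by `docker login` and similar rather than, as far as I can tell, by the setup tool — so the install re-runs on every play until someone logs in, and never runs if that file exists for another reason. Use a marker the tool itself installs, the user unit that the systemd override task later in this commit already assumes: `creates: "{{ ansible_facts['user_dir'] }}/.config/systemd/user/docker.service"`. `ansible.builtin.command` would also do here since the line uses no shell features, and `ansible_facts['user_dir']` beats hard-coding `/home` in the `HOME` environment entry and the `.bashrc` paths that follow.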
@@ -180,40 +180,40 @@ - name: Check if DOCKER_HOST is set in .bashrc when: docker_type == "rootless" - ansible.builtin.command: grep -q 'export DOCKER_HOST=unix:///run/user/{{ ansible_user_uid }}/docker.sock' /home/{{ ansible_user_id }}/.bashrc + ansible.builtin.command: grep -q 'export DOCKER_HOST=unix:///run/user/{{ ansible_facts['user_uid'] }}/docker.sock' /home/{{ ansible_facts['user_id'] }}/.bashrc register: bashrc_docker_host_check ignore_errors: true changed_when: false - name: Ensure DOCKER_HOST is set in .bashrc ansible.builtin.lineinfile: - path: /home/{{ ansible_user_id }}/.bashrc - line: "export DOCKER_HOST=unix:///run/user/{{ ansible_user_uid }}/docker.sock" + path: /home/{{ ansible_facts['user_id'] }}/.bashrc + line: "export DOCKER_HOST=unix:///run/user/{{ ansible_facts['user_uid'] }}/docker.sock" state: present create: true mode: "0644" when: bashrc_docker_host_check.rc != 0 - name: Check if lingering is enabled for the user - ansible.builtin.command: loginctl show-user {{ ansible_user_id }} --property=Linger + ansible.builtin.command: loginctl show-user {{ ansible_facts['user_id'] }} --property=Linger register: linger_status ignore_errors: true changed_when: false - name: Enable lingering for the user - ansible.builtin.command: loginctl enable-linger {{ ansible_user_id }} + ansible.builtin.command: loginctl enable-linger {{ ansible_facts['user_id'] }} when: linger_status.stdout != 'Linger=yes' changed_when: linger_status.stdout != 'Linger=yes' - name: Ensure the user directory docker service exists ansible.builtin.file: - path: /home/{{ ansible_user_id }}/.config/systemd/user/docker.service.d + path: /home/{{ ansible_facts['user_id'] }}/.config/systemd/user/docker.service.d state: directory mode: "0755" - name: Configure systemd override for user ansible.builtin.copy: - dest: /home/{{ ansible_user_id }}/.config/systemd/user/docker.service.d/override.conf + dest: /home/{{ ansible_facts['user_id'] }}/.config/systemd/user/docker.service.d/override.conf 
mode: "0644" content: | [Service] @@ -223,7 +223,7 @@ - name: Refresh env changed_when: true ansible.builtin.shell: | - . /home/{{ ansible_user_id }}/.bashrc + . /home/{{ ansible_facts['user_id'] }}/.bashrc exit 0 - name: General (post) Docker @@ -243,7 +243,7 @@ } - name: Ensure the directory for Portainer exists ansible.builtin.file: - path: /home/{{ ansible_user_id }}/docker/portainer + path: /home/{{ ansible_facts['user_id'] }}/docker/portainer state: directory mode: "0750" @@ -252,10 +252,10 @@ append_newline: true prepend_newline: true create: true - path: /home/{{ ansible_user_id }}/docker/portainer/docker-compose.yml + path: /home/{{ ansible_facts['user_id'] }}/docker/portainer/docker-compose.yml mode: "0640" - owner: "{{ ansible_user_uid }}" - group: "{{ ansible_user_gid }}" + owner: "{{ ansible_facts['user_uid'] }}" + group: "{{ ansible_facts['user_gid'] }}" content: | volumes: data: @@ -289,7 +289,7 @@ - name: Update Portainer EE when: not portainer_host ansible.builtin.blockinfile: - path: /home/{{ ansible_user_id }}/docker/portainer/docker-compose.yml + path: /home/{{ ansible_facts['user_id'] }}/docker/portainer/docker-compose.yml marker: "" prepend_newline: true insertafter: "portainer:" @@ -300,7 +300,7 @@ - name: Update Portainer Agent when: not portainer_agent ansible.builtin.blockinfile: - path: /home/{{ ansible_user_id }}/docker/portainer/docker-compose.yml + path: /home/{{ ansible_facts['user_id'] }}/docker/portainer/docker-compose.yml marker: "" prepend_newline: true insertafter: "agent:" @@ -349,5 +349,5 @@ when: docker_type == "rootless" and (portainer_agent or portainer_host) and not in_pipeline community.docker.docker_compose_v2: docker_host: unix://{{ docker_host }} - project_src: /home/{{ ansible_user_id }}/docker/portainer + project_src: /home/{{ ansible_facts['user_id'] }}/docker/portainer state: present From 2a3c4e1545cba3683bd30d0f48b842ce28d6870c Mon Sep 17 00:00:00 2001 
From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 16:31:03 +0100 Subject: [PATCH 34/48] add CIS remediation roles Added CIS remediation roles for Ubuntu 24.04, Debian 12, and Debian 13. --- tasks/security/main.yml | 165 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 164 insertions(+), 1 deletion(-) diff --git a/tasks/security/main.yml b/tasks/security/main.yml index 97643b5..e83531d 100644 --- a/tasks/security/main.yml +++ b/tasks/security/main.yml 
@@ -51,4 +51,167 @@ ubtu22cis_nfs_server: false ubtu22cis_nfs_client: false ubtu22cis_remote_log_server: "127.0.0.1" - ubtu22cis_sshd_allow_users: "{{ ansible_user_id }}" + ubtu22cis_sshd_allow_users: "{{ ansible_facts['user_id'] }}" + +- name: Apply CIS-remediation for Ubuntu 24.04 + when: ubtu24_runcis + ansible.builtin.include_role: + name: ansible-lockdown.ubuntu24-cis + apply: + vars: + ansible_become: true + ansible_become_user: "root" + ansible_become_method: "sudo" + ### Auditing + setup_audit: true + run_audit: true + audit_only: false + ubtu24cis_level_2: false + + # Do not use boot password + ubtu24cis_ask_passwd_to_boot: false + #ubtu24cis_rule_1_4_3: false + # Do not patch UFW to do default deny + #ubtu24cis_rule_3_5_1_7: false + # Takes alot of time: Ensure no unowned files or directories exist | Set unowned files/directories to configured owner + #ubtu24cis_rule_6_1_10: false + # Takes alot of time: Ensure no ungrouped files or directories exist | Get ungrouped files or directories + #ubtu24cis_rule_6_1_11: false + # Takes alot of time: Audit SUID executables | Find SUID executables + #ubtu24cis_rule_6_1_12: false + # Takes alot of time: Audit SGID executables | Find SGID executables + #ubtu24cis_rule_6_1_13: false + + ### + ### CIS Level 2 + ### + # keep squashfs + #ubtu24cis_rule_1_1_1_2: false + # Disable AppArmor enforcement + #ubtu24cis_rule_1_6_1_4: false + ubtu24cis_apparmor_disable: true + ubtu24cis_apparmor_mode: "complain" + # enable audit logs auto delete" + #ubtu24cis_rule_4_1_2_2: false + # disable system disabling when audit logs are full" + #ubtu24cis_rule_4_1_2_3: false + # breaks sudo during remediation: Ensure users must provide password for escalation + #ubtu24cis_rule_5_3_4: false + + ### + ### Generic + ### + ubtu24cis_snmp_server: true + ubtu24cis_nfs_server: false + ubtu24cis_nfs_client: false + ubtu24cis_remote_log_server: "127.0.0.1" + ubtu24cis_sshd_allow_users: "{{ ansible_facts['user_id'] }}" + +- name: Apply 
CIS-remediation for Debian 12 + when: deb12_runcis + ansible.builtin.include_role: + name: ansible-lockdown.deb12-cis + apply: + vars: + ansible_become: true + ansible_become_user: "root" + ansible_become_method: "sudo" + ### Auditing + setup_audit: true + run_audit: true + audit_only: false + deb12cis_level_2: false + + # Do not use boot password + deb12cis_ask_passwd_to_boot: false + #deb12cis_rule_1_4_3: false + # Do not patch UFW to do default deny + #deb12cis_rule_3_5_1_7: false + # Takes alot of time: Ensure no unowned files or directories exist | Set unowned files/directories to configured owner + #deb12cis_rule_6_1_10: false + # Takes alot of time: Ensure no ungrouped files or directories exist | Get ungrouped files or directories + #deb12cis_rule_6_1_11: false + # Takes alot of time: Audit SUID executables | Find SUID executables + #deb12cis_rule_6_1_12: false + # Takes alot of time: Audit SGID executables | Find SGID executables + #deb12cis_rule_6_1_13: false + + ### + ### CIS Level 2 + ### + # keep squashfs + #deb12cis_rule_1_1_1_2: false + # Disable AppArmor enforcement + #deb12cis_rule_1_6_1_4: false + deb12cis_apparmor_disable: true + deb12cis_apparmor_mode: "complain" + # enable audit logs auto delete" + #deb12cis_rule_4_1_2_2: false + # disable system disabling when audit logs are full" + #deb12cis_rule_4_1_2_3: false + # breaks sudo during remediation: Ensure users must provide password for escalation + #deb12cis_rule_5_3_4: false + + ### + ### Generic + ### + deb12cis_snmp_server: true + deb12cis_nfs_server: false + deb12cis_nfs_client: false + deb12cis_remote_log_server: "127.0.0.1" + deb12cis_sshd_allow_users: "{{ ansible_facts['user_id'] }}" + + +- name: Apply CIS-remediation for Debian 13 + when: deb13_runcis + ansible.builtin.include_role: + name: ansible-lockdown.deb13-cis + apply: + vars: + ansible_become: true + ansible_become_user: "root" + ansible_become_method: "sudo" + ### Auditing + setup_audit: true + run_audit: true + audit_only: 
false + deb13cis_level_2: false + + # Do not use boot password + #deb13cis_ask_passwd_to_boot: false + #deb13cis_rule_1_4_3: false + # Do not patch UFW to do default deny + #deb13cis_rule_3_5_1_7: false + # Takes alot of time: Ensure no unowned files or directories exist | Set unowned files/directories to configured owner + #deb13cis_rule_6_1_10: false + # Takes alot of time: Ensure no ungrouped files or directories exist | Get ungrouped files or directories + #deb13cis_rule_6_1_11: false + # Takes alot of time: Audit SUID executables | Find SUID executables + #deb13cis_rule_6_1_12: false + # Takes alot of time: Audit SGID executables | Find SGID executables + #deb13cis_rule_6_1_13: false + + ### + ### CIS Level 2 + ### + # keep squashfs + #deb13cis_rule_1_1_1_2: false + # Disable AppArmor enforcement + #deb13cis_rule_1_6_1_4: false + #deb13cis_apparmor_disable: true + #deb13cis_apparmor_mode: "complain" + # enable audit logs auto delete" + #deb13cis_rule_4_1_2_2: false + # disable system disabling when audit logs are full" + #deb13cis_rule_4_1_2_3: false + # breaks sudo during remediation: Ensure users must provide password for escalation + #deb13cis_rule_5_3_4: false + + ### + ### Generic + ### + deb13cis_snmp_server: true + deb13cis_nfs_server: false + deb13cis_nfs_client: false + deb13cis_remote_log_server: "127.0.0.1" + deb13cis_sshd_allow_users: "{{ ansible_facts['user_id'] }}" From 840adfeb076d75a0dc52c3667e51a7d53bdec02d Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 16:34:25 +0100 Subject: [PATCH 35/48] Fix URL syntax in Ansible playbook --- tasks/packages/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/packages/main.yml b/tasks/packages/main.yml index b7d14eb..ff2edde 100644 --- a/tasks/packages/main.yml +++ b/tasks/packages/main.yml 
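Review bot: The new Ubuntu 24.04 and Debian 12 invocations set `*_apparmor_disable: true` and `*_apparmor_mode: "complain"` under a comment reading "Disable AppArmor enforcement", which turns AppArmor into a logging-only mode in a play whose purpose is CIS hardening, while the Debian 13 block leaves both lines commented out — three distributions, two MAC postures, and no note on which profile actually breaks. Either keep enforcement (delete the two lines) or record the concrete profile that needs complain mode and scope the exception to it. `*_remote_log_server: "127.0.0.1"` satisfies the role variable but points the remote log copy back at the same host, so logs stay tamperable by anyone who gets root locally; if no collector exists yet, a comment saying so is more honest than a loopback value that looks configured. The `ask_passwd_to_boot` and `apparmor` lines being active for two roles and commented for `deb13cis_*` should be reconciled or the difference explained, since variable names do differ between the lockdown roles.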
@@ -2,7 +2,7 @@ - name: Download the Microsoft repository key file ansible.builtin.get_url: - url: "https://packages.microsoft.com/config/{{ ansible_facts['distribution'] }}/{{ {{ ansible_facts['distribution_major_version'] }} }}/packages-microsoft-prod.deb" + url: "https://packages.microsoft.com/config/{{ ansible_facts['distribution'] }}/{{ ansible_facts['distribution_major_version'] }}/packages-microsoft-prod.deb" dest: "/tmp/packages-microsoft-prod.deb" mode: "0644" From 528eb2c89755c3c8b9c50a0412828937e206529a Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 16:35:59 +0100 Subject: [PATCH 36/48] Fix URL formatting for Microsoft repository key file --- tasks/packages/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/packages/main.yml b/tasks/packages/main.yml index ff2edde..4293746 100644 --- a/tasks/packages/main.yml +++ b/tasks/packages/main.yml @@ -2,7 +2,7 @@ - name: Download the Microsoft repository key file ansible.builtin.get_url: - url: "https://packages.microsoft.com/config/{{ ansible_facts['distribution'] }}/{{ ansible_facts['distribution_major_version'] }}/packages-microsoft-prod.deb" + url: "https://packages.microsoft.com/config/{{ ansible_facts['distribution'] | lower }}/{{ ansible_facts['distribution_major_version'] }}/packages-microsoft-prod.deb" dest: "/tmp/packages-microsoft-prod.deb" mode: "0644" From 6210d675f9460f45ef5b0a17e7e8f4743b2f3c55 Mon Sep 17 00:00:00 2001 From: Martijn <12066560+Kipjr@users.noreply.github.com> Date: Sun, 1 Mar 2026 16:37:28 +0100 Subject: [PATCH 37/48] Remove software-properties-common from package list --- tasks/packages/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/packages/main.yml b/tasks/packages/main.yml index 4293746..8f32d2f 100644 --- a/tasks/packages/main.yml +++ b/tasks/packages/main.yml 
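Review bot: The URL now uses `distribution_major_version`, so on Ubuntu it becomes `.../config/ubuntu/22/...`, whereas the `ansible_lsb.release` form it replaces produced `ubuntu/22.04`; Microsoft publishes the Ubuntu config packages under the full release (`ubuntu/22.04`, `ubuntu/24.04`) and only Debian under the bare major, so the Ubuntu download will most likely 404 — verify against packages.microsoft.com. One expression covers both: `{{ ansible_facts['distribution_version'] if ansible_facts['distribution'] == 'Ubuntu' else ansible_facts['distribution_major_version'] }}`. Separately, the `.deb` lands at a fixed, predictable `/tmp/packages-microsoft-prod.deb` with no `checksum:` and is presumably installed as root afterwards (the `msprod.stat.exists` gate elsewhere in this file); prefer `ansible.builtin.tempfile` or a root-owned cache directory for `dest`, and pin `checksum:` to the digest of the package you vetted.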
@@ -74,7 +74,6 @@
- apt-transport-https
- ca-certificates
- libssl-dev
- - software-properties-common
- openssh-server
- uidmap
- dbus-user-session
From ae7ea80ab6017a1d65480fb42d49da08de80bb9f Mon Sep 17 00:00:00 2001
From: Martijn <12066560+Kipjr@users.noreply.github.com>
Date: Sun, 1 Mar 2026 16:43:31 +0100
Subject: [PATCH 38/48] Update PWSH installation condition and remove tripwire
Add architecture check for PWSH installation condition
Remove tripwire as it is unmaintained
---
tasks/packages/main.yml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/tasks/packages/main.yml b/tasks/packages/main.yml
index 8f32d2f..5b5143d 100644
--- a/tasks/packages/main.yml
+++ b/tasks/packages/main.yml
@@ -79,12 +79,10 @@
- dbus-user-session
- unattended-upgrades
- pkg-config
- - powershell
- - tripwire
state: present
- name: Install PWSH
- when: msprod.stat.exists
+ when: msprod.stat.exists and architecture == "amd64"
become: true
ansible.builtin.apt:
name:
From 430f1ec991b729b92f99e3ebae9ec6fec0c7ba57 Mon Sep 17 00:00:00 2001
From: Martijn <12066560+Kipjr@users.noreply.github.com>
Date: Sun, 1 Mar 2026 16:45:22 +0100
Subject: [PATCH 39/48] Update main.yml
---
tasks/packages/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/packages/main.yml b/tasks/packages/main.yml
index 5b5143d..e732011 100644
--- a/tasks/packages/main.yml
+++ b/tasks/packages/main.yml
@@ -82,7 +82,7 @@
state: present
- name: Install PWSH
- when: msprod.stat.exists and architecture == "amd64"
+ when: msprod.stat.exists and ansible_facts['architecture'] == "amd64"
become: true
ansible.builtin.apt:
name:
From 2708fd9db90d342ffe6dfced2f8496d13cf40431 Mon Sep 17 00:00:00 2001
From: Martijn <12066560+Kipjr@users.noreply.github.com>
Date: Sun, 1 Mar 2026 17:00:21 +0100
Subject: [PATCH 40/48] Replace command with lineinfile
---
tasks/docker/main.yml | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
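Review bot: Dropping `- tripwire` leaves no file-integrity monitoring tool in this package list, and the hunk records nothing about what takes its place; if the CIS role's AIDE tasks are relied on for that, a comment on the list such as `# FIM: AIDE is handled by the CIS role; tripwire dropped as unmaintained` keeps the decision visible to the next reader. The `+ when:` line compares a bare `architecture` name that is not a fact, which the following patch already corrects. The package list this hunk edits starts outside the hunk.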
diff --git a/tasks/docker/main.yml b/tasks/docker/main.yml
index 33cf9ea..6184f57 100644
--- a/tasks/docker/main.yml
+++ b/tasks/docker/main.yml
@@ -180,10 +180,21 @@
- name: Check if DOCKER_HOST is set in .bashrc
when: docker_type == "rootless"
- ansible.builtin.command: grep -q 'export DOCKER_HOST=unix:///run/user/{{ ansible_facts['user_uid'] }}/docker.sock' /home/{{ ansible_facts['user_id'] }}/.bashrc
- register: bashrc_docker_host_check
- ignore_errors: true
- changed_when: false
+ ansible.builtin.lineinfile:
+ path: "/home/{{ ansible_facts['user_id'] }}/.bashrc"
+ line: "export DOCKER_HOST=unix:///run/user/{{ ansible_facts['user_uid'] }}/docker.sock"
+ state: present
+ register: bashrc_docker_host_check
+ ignore_errors: true
+ changed_when: false
+
+# - name: Check if DOCKER_HOST is set in .bashrc
+# when: docker_type == "rootless"
+# ansible.builtin.command: |
+# grep -q 'export DOCKER_HOST=unix:///run/user/{{ ansible_facts['user_uid'] }}/docker.sock' /home/{{ ansible_facts['user_id'] }}/.bashrc
+# register: bashrc_docker_host_check
+# ignore_errors: true
+# changed_when: false
- name: Ensure DOCKER_HOST is set in .bashrc
ansible.builtin.lineinfile:
From b9ee73eca6e69747c115641acb27e88964266791 Mon Sep 17 00:00:00 2001
From: Martijn <12066560+Kipjr@users.noreply.github.com>
Date: Sun, 1 Mar 2026 17:04:40 +0100
Subject: [PATCH 41/48] Update main.yml
---
tasks/security/main.yml | 70 ++++++++++++++++++++---------------------
1 file changed, 35 insertions(+), 35 deletions(-)
diff --git a/tasks/security/main.yml b/tasks/security/main.yml
index e83531d..e6d226f 100644
--- a/tasks/security/main.yml
+++ b/tasks/security/main.yml
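Review bot: The task keeps the name "Check if DOCKER_HOST is set in .bashrc" but the `+ ansible.builtin.lineinfile:` block with `state: present` now writes the export line, while `+ changed_when: false` hides that write from the play recap and `+ ignore_errors: true` masks a genuine failure such as an unwritable `.bashrc`; the "Ensure DOCKER_HOST is set in .bashrc" task right below (its arguments are outside the hunk) presumably performs the same write again. To keep this a read-only probe, run the module in check mode and use its `changed` result: replace the `ignore_errors`/`changed_when` lines with `check_mode: true` and test `bashrc_docker_host_check.changed` downstream, or drop this task altogether since the idempotent "Ensure" task already covers it. The commented-out grep task added below is dead text that git history already preserves. PATCH 42/48 re-indents the same three keys and inherits this point.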
@@ -70,17 +70,17 @@
# Do not use boot password
ubtu24cis_ask_passwd_to_boot: false
- #ubtu24cis_rule_1_4_3: false
+ # ubtu24cis_rule_1_4_3: false
# Do not patch UFW to do default deny
- #ubtu24cis_rule_3_5_1_7: false
+ # ubtu24cis_rule_3_5_1_7: false
# Takes alot of time: Ensure no unowned files or directories exist | Set unowned files/directories to configured owner
- #ubtu24cis_rule_6_1_10: false
+ # ubtu24cis_rule_6_1_10: false
# Takes alot of time: Ensure no ungrouped files or directories exist | Get ungrouped files or directories
- #ubtu24cis_rule_6_1_11: false
+ # ubtu24cis_rule_6_1_11: false
# Takes alot of time: Audit SUID executables | Find SUID executables
- #ubtu24cis_rule_6_1_12: false
+ # ubtu24cis_rule_6_1_12: false
# Takes alot of time: Audit SGID executables | Find SGID executables
- #ubtu24cis_rule_6_1_13: false
+ # ubtu24cis_rule_6_1_13: false
###
### CIS Level 2
@@ -88,15 +88,15 @@
# keep squashfs
#ubtu24cis_rule_1_1_1_2: false
# Disable AppArmor enforcement
- #ubtu24cis_rule_1_6_1_4: false
+ # ubtu24cis_rule_1_6_1_4: false
ubtu24cis_apparmor_disable: true
ubtu24cis_apparmor_mode: "complain"
# enable audit logs auto delete"
- #ubtu24cis_rule_4_1_2_2: false
+ # ubtu24cis_rule_4_1_2_2: false
# disable system disabling when audit logs are full"
- #ubtu24cis_rule_4_1_2_3: false
+ # ubtu24cis_rule_4_1_2_3: false
# breaks sudo during remediation: Ensure users must provide password for escalation
- #ubtu24cis_rule_5_3_4: false
+ # ubtu24cis_rule_5_3_4: false
###
### Generic
@@ -124,33 +124,33 @@
# Do not use boot password
deb12cis_ask_passwd_to_boot: false
- #deb12cis_rule_1_4_3: false
+ # deb12cis_rule_1_4_3: false
# Do not patch UFW to do default deny
- #deb12cis_rule_3_5_1_7: false
+ # deb12cis_rule_3_5_1_7: false
# Takes alot of time: Ensure no unowned files or directories exist | Set unowned files/directories to configured owner
- #deb12cis_rule_6_1_10: false
+ # deb12cis_rule_6_1_10: false
# Takes alot of time: Ensure no ungrouped files or directories exist | Get ungrouped files or directories
- #deb12cis_rule_6_1_11: false
+ # deb12cis_rule_6_1_11: false
# Takes alot of time: Audit SUID executables | Find SUID executables
- #deb12cis_rule_6_1_12: false
+ # deb12cis_rule_6_1_12: false
# Takes alot of time: Audit SGID executables | Find SGID executables
- #deb12cis_rule_6_1_13: false
+ # deb12cis_rule_6_1_13: false
###
### CIS Level 2
###
# keep squashfs
- #deb12cis_rule_1_1_1_2: false
+ # deb12cis_rule_1_1_1_2: false
# Disable AppArmor enforcement
- #deb12cis_rule_1_6_1_4: false
+ # deb12cis_rule_1_6_1_4: false
deb12cis_apparmor_disable: true
deb12cis_apparmor_mode: "complain"
# enable audit logs auto delete"
- #deb12cis_rule_4_1_2_2: false
+ # deb12cis_rule_4_1_2_2: false
# disable system disabling when audit logs are full"
- #deb12cis_rule_4_1_2_3: false
+ # deb12cis_rule_4_1_2_3: false
# breaks sudo during remediation: Ensure users must provide password for escalation
- #deb12cis_rule_5_3_4: false
+ # deb12cis_rule_5_3_4: false
###
### Generic
@@ -178,34 +178,34 @@
deb13cis_level_2: false
# Do not use boot password
- #deb13cis_ask_passwd_to_boot: false
- #deb13cis_rule_1_4_3: false
+ deb13cis_ask_passwd_to_boot: false
+ # deb13cis_rule_1_4_3: false
# Do not patch UFW to do default deny
- #deb13cis_rule_3_5_1_7: false
+ # deb13cis_rule_3_5_1_7: false
# Takes alot of time: Ensure no unowned files or directories exist | Set unowned files/directories to configured owner
- #deb13cis_rule_6_1_10: false
+ # deb13cis_rule_6_1_10: false
# Takes alot of time: Ensure no ungrouped files or directories exist | Get ungrouped files or directories
- #deb13cis_rule_6_1_11: false
+ # deb13cis_rule_6_1_11: false
# Takes alot of time: Audit SUID executables | Find SUID executables
- #deb13cis_rule_6_1_12: false
+ # deb13cis_rule_6_1_12: false
# Takes alot of time: Audit SGID executables | Find SGID executables
- #deb13cis_rule_6_1_13: false
+ # deb13cis_rule_6_1_13: false
###
### CIS Level 2
###
# keep squashfs
- #deb13cis_rule_1_1_1_2: false
+ # deb13cis_rule_1_1_1_2: false
# Disable AppArmor enforcement
- #deb13cis_rule_1_6_1_4: false
- #deb13cis_apparmor_disable: true
- #deb13cis_apparmor_mode: "complain"
+ # deb13cis_rule_1_6_1_4: false
+ deb13cis_apparmor_disable: true
+ deb13cis_apparmor_mode: "complain"
# enable audit logs auto delete"
- #deb13cis_rule_4_1_2_2: false
+ # deb13cis_rule_4_1_2_2: false
# disable system disabling when audit logs are full"
- #deb13cis_rule_4_1_2_3: false
+ # deb13cis_rule_4_1_2_3: false
# breaks sudo during remediation: Ensure users must provide password for escalation
- #deb13cis_rule_5_3_4: false
+ # deb13cis_rule_5_3_4: false
###
### Generic
From 594250c08b17b4ac48ffa140226c5085dd8e4615 Mon Sep 17 00:00:00 2001
From: Martijn <12066560+Kipjr@users.noreply.github.com>
Date: Sun, 1 Mar 2026 17:12:15 +0100
Subject: [PATCH 42/48] Fix indentation for Ansible tasks in main.yml
---
tasks/docker/main.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
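Review bot: The `+ deb13cis_apparmor_disable: true` and `+ deb13cis_apparmor_mode: "complain"` lines turn AppArmor enforcement off for Debian 13 with only `# Disable AppArmor enforcement` above them, which says what but not why; record the reason and the exit condition, e.g. `# AppArmor kept in complain mode because <reason>; revert to enforce once <condition>`. If the role treats `apparmor_disable: true` as skipping its AppArmor section entirely, the `apparmor_mode` value is never applied and one of the two settings is redundant — worth checking against the role's defaults. The same pair is already live for the ubtu24cis and deb12cis blocks in the earlier hunks of this patch, so the three blocks are at least consistent with each other.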
diff --git a/tasks/docker/main.yml b/tasks/docker/main.yml
index 6184f57..d18e36a 100644
--- a/tasks/docker/main.yml
+++ b/tasks/docker/main.yml
@@ -184,9 +184,9 @@
path: "/home/{{ ansible_facts['user_id'] }}/.bashrc"
line: "export DOCKER_HOST=unix:///run/user/{{ ansible_facts['user_uid'] }}/docker.sock"
state: present
- register: bashrc_docker_host_check
- ignore_errors: true
- changed_when: false
+ register: bashrc_docker_host_check
+ ignore_errors: true
+ changed_when: false
# - name: Check if DOCKER_HOST is set in .bashrc
# when: docker_type == "rootless"
From 555a15c11850578f70d27c51b0b979e05313b475 Mon Sep 17 00:00:00 2001
From: Martijn <12066560+Kipjr@users.noreply.github.com>
Date: Sun, 1 Mar 2026 17:16:57 +0100
Subject: [PATCH 43/48] Refactor Microsoft repo key download URL variables
---
tasks/packages/main.yml | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tasks/packages/main.yml b/tasks/packages/main.yml
index e732011..f8c464f 100644
--- a/tasks/packages/main.yml
+++ b/tasks/packages/main.yml
@@ -1,9 +1,15 @@
---
+- name: Set Microsoft repo variables
+ ansible.builtin.set_fact:
+ ms_base: "https://packages.microsoft.com/config"
+ ms_distro: "{{ ansible_facts.distribution | lower }}"
+ ms_major: "{{ ansible_facts['distribution_major_version'] }}"
+ ms_deb: "packages-microsoft-prod.deb"
- name: Download the Microsoft repository key file
ansible.builtin.get_url:
- url: "https://packages.microsoft.com/config/{{ ansible_facts['distribution'] | lower }}/{{ ansible_facts['distribution_major_version'] }}/packages-microsoft-prod.deb"
- dest: "/tmp/packages-microsoft-prod.deb"
+ url: "{{ ms_base }}/{{ ms_distro }}/{{ ms_major }}/{{ ms_deb }}"
+ dest: "/tmp/{{ ms_deb }}"
mode: "0644"
- name: Task name
From 4375553504be3e91753f556e00d1cc8a26f79804 Mon Sep 17 00:00:00 2001
From: Martijn <12066560+Kipjr@users.noreply.github.com>
Date: Sun, 1 Mar 2026 17:17:36 +0100
Subject: [PATCH 44/48] Fix formatting of commented rule in main.yml
---
tasks/security/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/security/main.yml b/tasks/security/main.yml
index e6d226f..1c80c80 100644
--- a/tasks/security/main.yml
+++ b/tasks/security/main.yml
@@ -86,7 +86,7 @@
### CIS Level 2
###
# keep squashfs
- #ubtu24cis_rule_1_1_1_2: false
+ # ubtu24cis_rule_1_1_1_2: false
# Disable AppArmor enforcement
# ubtu24cis_rule_1_6_1_4: false
ubtu24cis_apparmor_disable: true
From 9d7211695c0a8bc4fbe6032b1608bd8cf8f99d54 Mon Sep 17 00:00:00 2001
From: Martijn <12066560+Kipjr@users.noreply.github.com>
Date: Sun, 1 Mar 2026 17:28:48 +0100
Subject: [PATCH 45/48] Fix comment
---
tasks/docker/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/docker/main.yml b/tasks/docker/main.yml
index d18e36a..d3d4f61 100644
--- a/tasks/docker/main.yml
+++ b/tasks/docker/main.yml
@@ -190,7 +190,7 @@
# - name: Check if DOCKER_HOST is set in .bashrc
# when: docker_type == "rootless"
-# ansible.builtin.command: |
+# ansible.builtin.command: |
# grep -q 'export DOCKER_HOST=unix:///run/user/{{ ansible_facts['user_uid'] }}/docker.sock' /home/{{ ansible_facts['user_id'] }}/.bashrc
# register: bashrc_docker_host_check
# ignore_errors: true
From 421db6f28d62a9c41c5085ef3ce58c76614e0162 Mon Sep 17 00:00:00 2001
From: Martijn <12066560+Kipjr@users.noreply.github.com>
Date: Sun, 1 Mar 2026 18:19:10 +0100
Subject: [PATCH 46/48] Change SSH key existence check to use find module
---
tasks/configuration/main.yml | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/tasks/configuration/main.yml b/tasks/configuration/main.yml
index f371c26..9fb54a6 100644
--- a/tasks/configuration/main.yml
+++ b/tasks/configuration/main.yml
@@ -34,9 +34,19 @@
mode: "0700"
- name: Check if SSH private key already exists
- ansible.builtin.stat:
- path: /home/{{ ansible_facts['user_id'] }}/.ssh/id_rsa
+ ansible.builtin.find:
+ paths: "/home/{{ ansible_facts.user_id }}/.ssh"
+ file_type: file
+ patterns:
+ - "id_*"
+ - "*.key"
+ excludes:
+ - "*.pub"
+ - "known_hosts"
+ - "authorized_keys"
+ - "config"
register: file_private_key
+ failed_when: false
- name: Generate SSH private and public keys
when: not file_private_key.stat.exists
From 56806d76333f19417be3226e0693a4bb17903808 Mon Sep 17 00:00:00 2001
From: Martijn <12066560+Kipjr@users.noreply.github.com>
Date: Tue, 3 Mar 2026 08:00:25 +0100
Subject: [PATCH 47/48] Update main.yml
---
tasks/packages/main.yml | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/tasks/packages/main.yml b/tasks/packages/main.yml
index f8c464f..5968d77 100644
--- a/tasks/packages/main.yml
+++ b/tasks/packages/main.yml
@@ -1,14 +1,25 @@
---
-- name: Set Microsoft repo variables
+- name: Set Microsoft repo variables (Debian / Ubuntu only)
ansible.builtin.set_fact:
ms_base: "https://packages.microsoft.com/config"
- ms_distro: "{{ ansible_facts.distribution | lower }}"
- ms_major: "{{ ansible_facts['distribution_major_version'] }}"
ms_deb: "packages-microsoft-prod.deb"
+ ms_repo_path: >-
+ {% if ansible_facts.distribution == "Debian" %}
+ debian/{{ ansible_facts['distribution_major_version'] }}
+ {% elif ansible_facts.distribution == "Ubuntu" %}
+ ubuntu/{{ ansible_facts['distribution_major_version'] }}
+ {% else %}
+ unsupported
+ {% endif %}
+- name: Download the Microsoft repository package
+ ansible.builtin.get_url:
+ url: "{{ ms_base }}/{{ ms_repo_path }}"
+ dest: "/tmp/{{ ms_deb }}"
+ mode: "0644"
- name: Download the Microsoft repository key file
ansible.builtin.get_url:
- url: "{{ ms_base }}/{{ ms_distro }}/{{ ms_major }}/{{ ms_deb }}"
+ url: "{{ ms_base }}/{{ ms_repo_path }}/{{ ms_deb }}"
dest: "/tmp/{{ ms_deb }}"
mode: "0644"
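Review bot: The task after the hunk still evaluates `when: not file_private_key.stat.exists` (the last context line), but `ansible.builtin.find` returns `matched` and `files`, not `stat`, so that condition now fails on an undefined attribute and the keys are never generated; change it to `when: file_private_key.matched == 0`. The `+ failed_when: false` line does not cover this because the error is raised in the next task's `when`, and it also hides genuine errors from `find` itself, so it can be dropped — as far as I recall `find` only warns about a missing `paths` entry, and the directory is created with `mode: "0700"` by the task just before. The generate task's body continues outside the hunk.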
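Review bot: The new "Download the Microsoft repository package" task fetches `{{ ms_base }}/{{ ms_repo_path }}` — the config directory, not the `.deb` — into the same `dest: "/tmp/{{ ms_deb }}"` as the key-file task right below it, and because `get_url` leaves an existing `dest` alone unless `force: true`, the second download is skipped and the directory listing is what ends up at that path. Further, `+ ms_repo_path: >-` builds the value with `{% if %}` block tags inside a folded scalar, so the folded line breaks most likely survive as whitespace around the chosen branch and leak into the URL; a single inline conditional expression avoids that. The `unsupported` branch is never tested, so on any other distribution both downloads run against `.../config/unsupported`, and for Ubuntu the path uses the major version where the repository is, as far as I know, laid out by release (`ubuntu/24.04/`). One guarded set_fact plus a single download task covers all of this:
```yaml
- name: Set Microsoft repo variables (Debian / Ubuntu only)
  ansible.builtin.set_fact:
    ms_base: "https://packages.microsoft.com/config"
    ms_deb: "packages-microsoft-prod.deb"
    # Inline expression, no {% %} block tags: nothing from the folded
    # scalar's line breaks can end up inside the URL.
    ms_repo_path: >-
      {{ 'debian/' ~ ansible_facts['distribution_major_version']
         if ansible_facts['distribution'] == 'Debian'
         else 'ubuntu/' ~ ansible_facts['distribution_version'] }}
  # Leave ms_repo_path undefined elsewhere instead of a sentinel nobody checks.
  when: ansible_facts['distribution'] in ['Debian', 'Ubuntu']

- name: Download the Microsoft repository package
  ansible.builtin.get_url:
    url: "{{ ms_base }}/{{ ms_repo_path }}/{{ ms_deb }}"
    dest: "/tmp/{{ ms_deb }}"
    mode: "0644"
  when: ms_repo_path is defined
# … the former "Download the Microsoft repository key file" task is dropped:
#   it wrote the same dest and is superseded by the task above …
```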
From c72222b540e21383ce6a6c85984f9c02367d13be Mon Sep 17 00:00:00 2001
From: Martijn <12066560+Kipjr@users.noreply.github.com>
Date: Sat, 7 Mar 2026 11:10:45 +0100
Subject: [PATCH 48/48] Update ansible.yml
---
.github/workflows/ansible.yml | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/.github/workflows/ansible.yml b/.github/workflows/ansible.yml
index e211c20..7a20203 100644
--- a/.github/workflows/ansible.yml
+++ b/.github/workflows/ansible.yml
@@ -16,6 +16,15 @@ on:
required: true
default: false
type: boolean
+ runner:
+ description: "Runner Image"
+ required: true
+ type: choice
+ default: "ubuntu-latest"
+ options:
+ - ubuntu-latest
+ - ubuntu-22.04
+
ansible_verbose:
description: "Verbose mode"
required: true