Dev

.github/workflows/ansible.yml

@@ -16,6 +16,15 @@ on:
         required: true
         default: false
         type: boolean
+      runner:
+        description: "Runner Image"
+        required: true    
+        type: choice
+        default: "ubuntu-latest"
+        options:
+          - ubuntu-latest
+          - ubuntu-22.04
+
       ansible_verbose:
         description: "Verbose mode"
         required: true
@@ -34,7 +43,7 @@ jobs:
         python-version: ["3.13"]
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Set up Python ${{ matrix.python-version }}
         id: setup-python
@@ -48,7 +57,7 @@ jobs:
 
       - name: Cache pipenv
         id: cache-pipenv
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~/.local/share/virtualenvs
           key: ${{ runner.os }}-pipenv-${{ hashFiles('**/Pipfile.lock') }}
@@ -81,7 +90,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Python
         uses: actions/setup-python@v6

.github/workflows/powershell.yml

@@ -27,10 +27,10 @@ jobs:
     name: PSScriptAnalyzer
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Run PSScriptAnalyzer
-        uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f
+        uses: microsoft/psscriptanalyzer-action@v1.1
         with:
           # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options.
           # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules.

.github/workflows/shellcheck.yml

@@ -14,6 +14,6 @@ jobs:
     name: Shellcheck
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Run ShellCheck
         uses: ludeeus/action-shellcheck@master

README.md

@@ -1,7 +1,15 @@
-# cloud-init_ubuntu
-[![Ansible](https://github.com/Kipjr/cloud-init_ubuntu/actions/workflows/ansible.yml/badge.svg)](https://github.com/Kipjr/cloud-init_ubuntu/actions/workflows/ansible.yml)
+# cloud-init_linux
+[![Ansible](https://github.com/Kipjr/cloud-init_linux/actions/workflows/ansible.yml/badge.svg)](https://github.com/Kipjr/cloud-init_linux/actions/workflows/ansible.yml)
 
-Cloud-Init for Ubuntu Server
+Cloud-Init for
+
+`Ubuntu 24.04 LTS 	Noble Numbat (trixie 13)`
+
+`Ubuntu 22.04 LTS 	Jammy Jellyfish (bookworm 12)`
+
+`Debian 12 (bookworm)`
+
+_~Debian 13 (trixie)~ - When available on ansible-lockdown.._
 
 # Usage
 
@@ -12,18 +20,40 @@ Cloud-Init for Ubuntu Server
 {
   "ansible_become_user": "root",
   "ansible_become_method": "sudo",
+  "docker_type": "rootless",
+  "portainer_agent": true,
+  "portainer_host": true,
+
   "ubtu22_vm": true,
   "ubtu22_run_task_disk": true,
   "ubtu22_run_task_packages": true,
   "ubtu22_pkg_webmin": true,
   "ubtu22_pkg_snmp": true,
-  "ubtu22_run_task_docker": true
-  "ubtu22_docker_type": "rootless",
-  "ubtu22_portainer_agent": true,
-  "ubtu22_portainer_host": true,
+  "ubtu22_run_task_docker": true,
   "ubtu22_run_task_configuration": true,
   "ubtu22_run_task_security": true,
-  "ubtu22_runcis": false
+  "ubtu22_runcis": false,
+
+  "ubtu24_vm": true,
+  "ubtu24_run_task_disk": true,
+  "ubtu24_run_task_packages": true,
+  "ubtu24_pkg_webmin": true,
+  "ubtu24_pkg_snmp": true,
+  "ubtu24_run_task_docker": true
+  "ubtu24_run_task_configuration": true,
+  "ubtu24_run_task_security": true,
+  "ubtu24_runcis": false,
+
+  "deb12_vm": true,
+  "deb12_run_task_disk": true,
+  "deb12_run_task_packages": true,
+  "deb12_pkg_webmin": true,
+  "deb12_pkg_snmp": true,
+  "deb12_run_task_docker": true
+  "deb12_run_task_configuration": true,
+  "deb12_run_task_security": true,
+  "deb12_runcis": false
+
 }
 ```
 ### Use standalone (Installs Ansible and executes playbook)
@@ -33,8 +63,12 @@ Cloud-Init for Ubuntu Server
 ### Use with Proxmox Cloud-Init: 
 - Build template
   - Do stuff..
-  - Use `https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img` as base image.
-    - Resize image`qemu-img resize jammy-server-cloudimg-amd64.img 8G`
+  - Use as base image:
+    - `https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img`
+    - `https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img`
+    - Resize image:
+      - `qemu-img resize jammy-server-cloudimg-amd64.img 8G`
+      - `qemu-img resize noble-server-cloudimg-amd64.img 8G`
 - Execute somewhere `./proxmox/new_ci-config.sh`
 - Store 'ci-config-userdata.yaml' in Proxmox Snippets
 - Store 'ci-config-vendor.yaml' in Proxmox Snippets
@@ -43,6 +77,17 @@ Cloud-Init for Ubuntu Server
   - `qm set <vmid> --cicustom "vendor=local:snippets/ci-config-vendor.yaml"`
 
 ### Use Raw:
-- `https://raw.githubusercontent.com/Kipjr/cloud-init_ubuntu/master/site.yml`
+- `https://raw.githubusercontent.com/Kipjr/cloud-init_linux/master/site.yml`
 
+# Recommended partition layout 
+| Mount Point      | Size               | Filesystem (Recommended) | Remarks                                                                                                  |
+| ---------------- | ------------------ | ------------------------ | -------------------------------------------------------------------------------------------------------- |
+| `/`              | 32 GB              | ext4                     | Root filesystem. Sufficient for base OS, packages, updates.                                              |
+| `/home`          | 8 GB               | ext4                     | User data isolation.                                                                                     |
+| `/var`           | 8 GB               | ext4                     | Variable state data. Logs excluded. Monitor space usage.                                                 |
+| `/var/log`       | 8 GB               | ext4                     | Log isolation to prevent root exhaustion.                                                                |
+| `/var/log/audit` | 4 GB               | ext4                     | Dedicated audit trail partition (auditd). Prevents log flooding impact.                                  |
+| `/var/tmp`       | 1 GB               | ext4                     | Persistent temp storage across reboots.                                                                  |
+| `/tmp`           | 1 GB               | ext4 or tmpfs            | Ephemeral temp storage. Prefer `tmpfs` if RAM allows.                                                    |
+| `/opt/data`      | x GB + remainder   | ext4 or XFS              | Primary persistent data storage.                                                                         |
 

defaults/main.yml

@@ -1,18 +1,41 @@
-ubtu22_vm: true
-ubtu22_pkg_webmin: true
-ubtu22_pkg_snmp: false
-ubtu22_portainer_host: true
-ubtu22_portainer_agent: true
-ubtu22_docker_type: "rootless"
-# ubtu22_docker_type: "rootfull"
-ubtu22_docker_rootless_user: "docker"
+portainer_host: true
+portainer_agent: true
+docker_type: "rootless"
+# docker_type: "rootfull"
+docker_rootless_user: "docker"
+
+vm: true
+pkg_webmin: true
+pkg_snmp: false
+
+deb12_run_task_configuration: true
+deb12_run_task_disk: true
+deb12_run_task_docker: true
+deb12_run_task_packages: true
+deb12_run_task_security: true
+deb12_runcis: false
+
+deb13_run_task_configuration: true
+deb13_run_task_disk: false
+deb13_run_task_docker: false
+deb13_run_task_packages: true
+deb13_run_task_security: true
+deb13_runcis: false
+
 ubtu22_run_task_configuration: true
 ubtu22_run_task_disk: true
 ubtu22_run_task_docker: true
 ubtu22_run_task_packages: true
 ubtu22_run_task_security: true
 ubtu22_runcis: false
 
+ubtu24_run_task_configuration: true
+ubtu24_run_task_disk: true
+ubtu24_run_task_docker: true
+ubtu24_run_task_packages: true
+ubtu24_run_task_security: true
+ubtu24_runcis: false
+
 ###
 ### ubtu22cis variables
 ###

proxmox/ci-config-userdata.template.yaml

@@ -26,7 +26,7 @@ packages:
   - git
 #runcmd:
 #  - sudo -u ${CI_USER} curl https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py && sudo -u ${CI_USER} python3 /tmp/get-pip.py --user
-#  - wget -O /run/cloud-init/tmp/script.sh https://raw.githubusercontent.com/Kipjr/cloud-init_ubuntu/master/standalone_ansible_playbook.sh
+#  - wget -O /run/cloud-init/tmp/script.sh https://raw.githubusercontent.com/Kipjr/cloud-init_linux/master/standalone_ansible_playbook.sh
 #  - chmod +x /run/cloud-init/tmp/script.sh 
 #  - sudo -iu ${CI_USER} -- /run/cloud-init/tmp/script.sh
 ansible:

roles/requirements.yml

@@ -4,3 +4,11 @@ roles:
     src: https://github.com/ansible-lockdown/UBUNTU22-CIS.git
     version: main
     scm: git
+  - name: ansible-lockdown.ubuntu24-cis
+    src: https://github.com/ansible-lockdown/UBUNTU24-CIS.git
+    version: main
+    scm: git
+  - name: ansible-lockdown.debian12-cis
+    src: https://github.com/ansible-lockdown/DEBIAN12-CIS
+    version: main
+    scm: git

site.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: Ubuntu Installer
+- name: Linux Installer
   hosts: all
   gather_facts: true
   environment:

standalone_ansible_playbook.ps1

@@ -1,7 +1,7 @@
 #!/usr/bin/env pwsh
 
 param (
-    [Parameter(Position=0)][string]$GitHubRepoUrl = "https://github.com/Kipjr/cloud-init_ubuntu",
+    [Parameter(Position=0)][string]$GitHubRepoUrl = "https://github.com/Kipjr/cloud-init_linux",
     [Parameter(Position=1)][string]$PlaybookName = "site.yml",
     [Parameter(Position=2)][string]$WorkingDir = "/tmp",
     [Parameter(Position=3)][string]$AnsibleArg

standalone_ansible_playbook.sh

@@ -8,7 +8,7 @@ if [ "$UUID" -eq 0 ]; then
     exit 1
 fi
 
-GITHUB_REPO_URL="${1:-https://github.com/Kipjr/cloud-init_ubuntu}"
+GITHUB_REPO_URL="${1:-https://github.com/Kipjr/cloud-init_linux}"
 PLAYBOOK_NAME="${2:-site.yml}"
 WORKING_DIR="${3:-/tmp}"
 ANSIBLE_ARG="${4}"

tasks/configuration/main.yml

@@ -4,7 +4,7 @@
   when: ansible_fqdn is defined and ansible_fqdn | length <= 32
   become: true
   ansible.builtin.hostname:
-    name: "{{ ansible_fqdn }}"
+    name: "{{ ansible_facts['fqdn'] }}"
 
 - name: Set timezone to Europe/Amsterdam
   become: true
@@ -28,29 +28,39 @@
 
 - name: Create ~/.ssh if not exist
   ansible.builtin.file:
-    path: /home/{{ ansible_user_id }}/.ssh
-    owner: "{{ ansible_user_id }}"
+    path: /home/{{ ansible_facts['user_id'] }}/.ssh
+    owner: "{{ ansible_facts['user_id'] }}"
     state: directory
     mode: "0700"
 
 - name: Check if SSH private key already exists
-  ansible.builtin.stat:
-    path: /home/{{ ansible_user_id }}/.ssh/id_rsa
+  ansible.builtin.find:
+    paths: "/home/{{ ansible_facts.user_id }}/.ssh"
+    file_type: file
+    patterns:
+      - "id_*"
+      - "*.key"
+    excludes:
+      - "*.pub"
+      - "known_hosts"
+      - "authorized_keys"
+      - "config"
   register: file_private_key
+  failed_when: false
 
 - name: Generate SSH private and public keys
   when: not file_private_key.stat.exists
   community.crypto.openssh_keypair:
-    path: /home/{{ ansible_user_id }}/.ssh/id_rsa
+    path: /home/{{ ansible_facts['user_id'] }}/.ssh/id_rsa
     type: ed25519
-    owner: "{{ ansible_user_id }}"
+    owner: "{{ ansible_facts['user_id'] }}"
     mode: '0600'
   register: ssh_keypair
 
 - name: Add SSH public key to authorized_keys
   when: not file_private_key.stat.exists
   ansible.posix.authorized_key:
-    user: "{{ ansible_user_id }}"
+    user: "{{ ansible_facts['user_id'] }}"
     key: "{{ ssh_keypair.public_key }}"
 
 - name: Disable SSH password authentication

tasks/debian12.yml

@@ -0,0 +1,34 @@
+---
+- name: Debian 12 specific task
+  ansible.builtin.debug:
+    msg: "Running tasks for Debian 12"
+
+- name: Disk Configuration
+  when: deb12_run_task_disk
+  ansible.builtin.import_tasks: packages/main.yml
+  tags:
+    - packages
+
+- name: Packages
+  when: deb12_run_task_packages
+  ansible.builtin.import_tasks: packages/main.yml
+  tags:
+    - packages
+
+- name: Docker
+  when: deb12_run_task_docker
+  ansible.builtin.import_tasks: docker/main.yml
+  tags:
+    - docker
+
+- name: Configuration
+  when: deb12_run_task_configuration
+  ansible.builtin.import_tasks: configuration/main.yml
+  tags:
+    - configure
+
+- name: Security
+  when: deb12_run_task_security
+  ansible.builtin.import_tasks: security/main.yml
+  tags:
+    - security

tasks/debian13.yml

@@ -0,0 +1,34 @@
+---
+- name: Debian 13 specific task
+  ansible.builtin.debug:
+    msg: "Running tasks for Debian 13"
+
+- name: Disk Configuration
+  when: deb13_run_task_disk
+  ansible.builtin.import_tasks: disk/main.yml
+  tags:
+    - packages
+
+- name: Packages
+  when: deb13_run_task_packages
+  ansible.builtin.import_tasks: packages/main.yml
+  tags:
+    - packages
+
+- name: Docker
+  when: deb13_run_task_docker
+  ansible.builtin.import_tasks: docker/main.yml
+  tags:
+    - docker
+
+- name: Configuration
+  when: deb13_run_task_configuration
+  ansible.builtin.import_tasks: configuration/main.yml
+  tags:
+    - configure
+
+- name: Security
+  when: deb13_run_task_security
+  ansible.builtin.import_tasks: security/main.yml
+  tags:
+    - security