diff --git a/nova/core/galaxy.yml b/nova/core/galaxy.yml index 7160a1717..b50d195e8 100644 --- a/nova/core/galaxy.yml +++ b/nova/core/galaxy.yml @@ -1,10 +1,11 @@ namespace: nova name: core -version: 6.10.4 +version: 6.10.17 readme: README.md authors: - https://github.com/novateams -description: This is a collection of public roles and plugins that are developed by the Nova team. +description: + This is a collection of public roles and plugins that are developed by the Nova team. These roles go very well with Catapult https://github.com/ClarifiedSecurity/catapult but can be used separately. license: - AGPL-3.0-or-later diff --git a/nova/core/roles/accounts/defaults/main.yml b/nova/core/roles/accounts/defaults/main.yml index 255280b35..6a0f304cb 100644 --- a/nova/core/roles/accounts/defaults/main.yml +++ b/nova/core/roles/accounts/defaults/main.yml @@ -27,7 +27,8 @@ pregenerated_password: >- + '/data/' + item.secrets_vault_secrets_path | default(secrets_vault_secrets_path) | default(project_fullname) + ':' + inventory_hostname + '_' + item.username) }} {%- else -%} - {{ lookup('password', '/dev/null length=17 chars=ascii_lowercase,ascii_uppercase,hexdigits,digits') }} + {{ lookup('community.general.random_string', min_lower=1, min_upper=1, min_numeric=1, length=17, special=false, ignore_similar_chars=true, + similar_chars=(item.username | lower + item.username | upper)) }} {%- endif -%} # Windows defaults 
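Review bot: In the new `random_string` lookup, `similar_chars=(item.username | lower + item.username | upper)` replaces the lookup's default ambiguous-character set with every character of the username, so the alphabet the 17-character password is drawn from shrinks with each distinct letter of the account name, and `min_numeric=1` draws from a smaller digit pool whenever the username itself contains digits. The loss is modest for ordinary usernames, but it ties password entropy to a public value and nothing in the hunk records why. If the intent is to avoid passwords containing the account name (as Windows complexity rules require), say so in a comment and limit the exclusion to letters so the digit pool stays intact: `similar_chars=(item.username | lower + item.username | upper) | regex_replace('[^A-Za-z]', '')`. Since this lookup now produces account passwords, it is also worth confirming that `community.general.random_string` draws from a cryptographically secure source, as the replaced `password` lookup did.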
@@ -77,3 +78,15 @@ unix_distro_sudoers_map: Parrot: /etc/sudoers.d/10-installer accounts_panos_temp_username: temp # The username to use for the temporary account to change the admin_accounts password(s) in PanOS + +# For training, lab and exercise environments in can be very common to have more than (the default accepted by sshd) 6 keys in an ssh agent. +# If that's the case the SSH authentication will fail, so by default setting the MaxAuthTries sshd value to 20. +# Currently this variable is applicable to Unix and Windows hosts +accounts_configure_ssh_maxauthtries: true +accounts_ssh_maxauthtries: 20 + +# Since different OS families have different service names the sshd service name is set here +accounts_os_family_service_name: + Debian: ssh + RedHat: sshd + Archlinux: sshd diff --git a/nova/core/roles/accounts/tasks/create_accounts_lists.yml b/nova/core/roles/accounts/tasks/create_accounts_lists.yml index 49d4f44e0..e57f55a18 100644 --- a/nova/core/roles/accounts/tasks/create_accounts_lists.yml +++ b/nova/core/roles/accounts/tasks/create_accounts_lists.yml @@ -47,7 +47,7 @@ loop: "{{ domain_user_accounts }}" loop_control: label: "{{ item.username }}" - when: ansible_windows_domain_role == "Primary domain controller" + when: ansible_facts.windows_domain_role == "Primary domain controller" - name: Creating combined users lists... ansible.builtin.set_fact: diff --git a/nova/core/roles/accounts/tasks/macos_remove.yml b/nova/core/roles/accounts/tasks/macos_remove.yml index 6f24223fe..9ebb5b89d 100644 --- a/nova/core/roles/accounts/tasks/macos_remove.yml +++ b/nova/core/roles/accounts/tasks/macos_remove.yml 
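Review bot: `accounts_configure_ssh_maxauthtries: true` makes raising `MaxAuthTries` to 20 the default for every Unix and Windows host, and that directive bounds all authentication attempts per connection, not just offered keys, so on hosts where sshd still accepts passwords it roughly triples the per-connection guessing budget. The comment explains the agent-key motivation but not this trade-off; a one-line caveat such as `# NOTE: this also raises the number of password attempts allowed per SSH connection; consider leaving it false outside lab/training environments` would let operators decide. The `accounts_os_family_service_name` map also has no entry for FreeBSD or Alpine even though the Unix task file that consumes it is included for those systems; the `default('sshd')` fallback happens to be right for both, which is worth stating in the comment so nobody "fixes" it later.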
@@ -12,8 +12,7 @@ # Filtering out empty lines - name: Getting profiles not defined in accounts list... ansible.builtin.set_fact: - user_profiles_to_remove: - "{{ home_profiles.stdout_lines | select('string') | select('regex', '.+') + user_profiles_to_remove: "{{ home_profiles.stdout_lines | select('string') | select('regex', '.+') | difference(local_accounts_with_password | map(attribute='username')) }}" - name: Removing stale user accounts and profiles... diff --git a/nova/core/roles/accounts/tasks/main.yml b/nova/core/roles/accounts/tasks/main.yml index 907761a6d..0b466c4be 100644 --- a/nova/core/roles/accounts/tasks/main.yml +++ b/nova/core/roles/accounts/tasks/main.yml 
@@ -31,51 +31,53 @@ block: - name: Including Windows accounts creation tasks... ansible.builtin.include_tasks: windows_create.yml - when: ansible_system == 'Win32NT' + when: ansible_facts.system | default('') == 'Win32NT' - name: Including Unix accounts creation tasks... ansible.builtin.include_tasks: unix_create.yml - when: ansible_system in ["FreeBSD", "Linux"] + when: ansible_facts.system | default('') in ["FreeBSD", "Linux"] - name: Including MacOS accounts creation tasks... ansible.builtin.include_tasks: macos_create.yml - when: ansible_system == "Darwin" + when: ansible_facts.system | default('') == "Darwin" + or ansible_custom_facts.system | default('') == "Darwin" - name: Configuring Network OS accounts... when: ansible_network_os is defined block: - name: Configure RouterOS accounts... ansible.builtin.include_tasks: routeros.yml - when: ansible_network_os == 'community.routeros.routeros' + when: ansible_network_os | default('') == 'community.routeros.routeros' - name: Configure VyOS accounts... ansible.builtin.include_tasks: vyos.yml - when: ansible_network_os == 'vyos.vyos.vyos' + when: ansible_network_os | default('') == 'vyos.vyos.vyos' - name: Configure Cisco-IOS accounts... ansible.builtin.include_tasks: ios.yml - when: ansible_network_os == 'cisco.ios.ios' + when: ansible_network_os | default('') == 'cisco.ios.ios' - name: Configure pfSense accounts... ansible.builtin.include_tasks: pfsense.yml - when: ansible_network_os == 'pfsense' + when: ansible_network_os | default('') == 'pfsense' - name: Configure OPNsense accounts... ansible.builtin.include_tasks: opnsense.yml - when: ansible_network_os == 'opnsense' + when: ansible_network_os | default('') == 'opnsense' - name: Configure PanOS accounts... ansible.builtin.include_tasks: panos.yml - when: ansible_network_os == 'panos' + when: ansible_network_os | default('') == 'panos' - name: Setting {{ ansible_deployer_username }} as connection user... 
ansible.builtin.set_fact: ansible_user: "{{ ansible_deployer_username }}" ansible_password: "{{ ansible_deployer_password | default(omit) }}" # Updated ansible_deployer_password - # To avoid SSH MaxAuthTries limit in cloud environments with cloud templates - ansible_ssh_extra_args: "{{ accounts_custom_ansible_ssh_extra_args - | default('-o IdentitiesOnly=no' if fresh_deploy else omit) }}" + # Setting custom or restoring default SSH key and connection parameters + # This is mostly because initial connection parameters for cloud templates need to be customized to match specific VM template defaults + ansible_ssh_private_key_file: "{{ accounts_custom_ansible_ssh_private_key_file | default(default_ansible_private_key_file) | default('') }}" + ansible_ssh_extra_args: "{{ accounts_custom_ansible_ssh_extra_args | default(default_ansible_ssh_extra_args) | default('') }}" - name: Including gather_facts role... # Since the connection account changed and we need to gather facts with the new account ansible.builtin.include_role: 
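Review bot: The two new `set_fact` lines end in `| default('')`, and `set_fact` outranks inventory and group variables, so on any environment where the connection role never recorded `default_ansible_private_key_file`/`default_ansible_ssh_extra_args` (from what is visible, only the AWS connection tasks do, and only on `fresh_deploy`) an operator's inventory `ansible_ssh_private_key_file` or extra args are replaced by an empty string for the rest of the play. The `ansible_password` line just above uses `default(omit)` for exactly this reason; the new lines should fall back the same way: `| default(default_ansible_private_key_file) | default(omit)` and `| default(default_ansible_ssh_extra_args) | default(omit)`. The task list this hunk belongs to continues past the hunk.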
@@ -91,24 +93,25 @@ block: - name: Including Unix accounts removal tasks... ansible.builtin.include_tasks: unix_remove.yml - when: ansible_system in ["FreeBSD", "Linux"] + when: ansible_facts.system | default('') in ["FreeBSD", "Linux"] - name: Including Windows accounts removal tasks... ansible.builtin.include_tasks: windows_remove.yml - when: ansible_system == 'Win32NT' + when: ansible_facts.system | default('') == 'Win32NT' - name: Including MacOS accounts removal tasks... ansible.builtin.include_tasks: macos_remove.yml - when: ansible_system == "Darwin" + when: ansible_facts.system | default('') == "Darwin" + or ansible_custom_facts.system | default('') == "Darwin" # Cloud temp keys removal - name: Removing {{ infra_env }} temp ssh key for {{ inventory_hostname }}... ansible.builtin.file: - path: "{{ vars['machine_operations_' ~ infra_env ~ '_temp_ssh_key_path'] }}" + path: "{{ lookup('vars', 'machine_operations_' ~ infra_env ~ '_temp_ssh_key_path') | default('') }}" state: absent delegate_to: localhost become: false - when: vars['machine_operations_' ~ infra_env ~ '_temp_ssh_key_path'] is defined + when: lookup('vars', 'machine_operations_' ~ infra_env ~ '_temp_ssh_key_path') is defined - name: Including following accounts post-roles... ansible.builtin.include_role: diff --git a/nova/core/roles/accounts/tasks/unix_create.yml b/nova/core/roles/accounts/tasks/unix_create.yml index 31c146705..ca7630af2 100644 --- a/nova/core/roles/accounts/tasks/unix_create.yml +++ b/nova/core/roles/accounts/tasks/unix_create.yml @@ -1,7 +1,7 @@ --- -- name: Setting the correct sudo group for {{ ansible_distribution }}... +- name: Setting the correct sudo group for {{ ansible_facts.distribution }}... ansible.builtin.set_fact: - root_group: "{{ unix_distro_root_group_map[ansible_distribution] }}" + root_group: "{{ unix_distro_root_group_map[ansible_facts.distribution] }}" - name: Making sure the sudo group exists... ansible.builtin.group: 
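Review bot: `lookup('vars', 'machine_operations_' ~ infra_env ~ '_temp_ssh_key_path') is defined` does not behave like the `vars[...] is defined` it replaces: per its documentation the `ansible.builtin.vars` lookup raises an undefined-variable error when the name does not exist unless a `default=` argument is supplied, and neither `is defined` nor the `| default('')` on the `path:` line catches an error raised inside the lookup. On infrastructures that define no temp-key path the removal task is therefore likely to fail instead of being skipped. Pass the default into the lookup in both places and test the value: `path: "{{ lookup('vars', 'machine_operations_' ~ infra_env ~ '_temp_ssh_key_path', default='') }}"` and `when: lookup('vars', 'machine_operations_' ~ infra_env ~ '_temp_ssh_key_path', default='') != ''`.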
@@ -10,20 +10,20 @@ # This required so this role can clean up the default cloud users if they are not in the local_accounts_with_password list - name: Adding source creation flag for default cloud account... - when: vars[infra_env ~ '_template_username'] | default('') not in [admin_account, ''] + when: lookup('vars', infra_env ~ '_template_username') | default('') not in [admin_account, ''] block: - - name: Checking if {{ vars[infra_env ~ '_template_username'] | default('') }} user exists... + - name: Checking if {{ lookup('vars', infra_env ~ '_template_username') | default('') }} user exists... ansible.builtin.stat: - path: /home/{{ vars[infra_env ~ '_template_username'] | default('') }} + path: /home/{{ lookup('vars', infra_env ~ '_template_username') | default('') }} register: template_user - - name: Adding account creation source flag for {{ vars[infra_env ~ '_template_username'] | default('') }}... + - name: Adding account creation source flag for {{ lookup('vars', infra_env ~ '_template_username') | default('') }}... ansible.builtin.lineinfile: - dest: /home/{{ vars[infra_env ~ '_template_username'] | default('') }}/.created + dest: /home/{{ lookup('vars', infra_env ~ '_template_username') | default('') }}/.created line: This account was created with {{ ansible_role_name }} role state: present create: true - owner: "{{ vars[infra_env ~ '_template_username'] | default('') }}" + owner: "{{ lookup('vars', infra_env ~ '_template_username') | default('') }}" mode: "0600" when: template_user.stat.exists 
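Review bot: The block condition `lookup('vars', infra_env ~ '_template_username') | default('') not in [admin_account, '']` relies on `default('')` to cover infrastructures without a `<infra_env>_template_username` variable, but the `ansible.builtin.vars` lookup errors on a missing name unless it is given `default=`, so the condition itself will fail there instead of skipping as the old `vars[...] | default('')` did. The same expression is repeated in the two task names, `path:`, `dest:` and `owner:`, so the fix is needed in each: `lookup('vars', infra_env ~ '_template_username', default='')`. Setting the username once with `set_fact` at the top of the block would remove the five copies and make the home-directory path it feeds into easier to audit.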
@@ -34,8 +34,8 @@ groups: "{{ item.groups | default(root_group if item.username in admin_accounts | map(attribute='username') else 'users') }}" name: "{{ item.username }}" password: "{{ item.password | password_hash('sha512') }}" - shell: "{{ item.shell | default(unix_distro_shell_map[ansible_distribution] | default('/bin/bash')) }}" - skeleton: "{{ unix_distro_skel_map[ansible_distribution] | default('/etc/skel') }}" + shell: "{{ item.shell | default(unix_distro_shell_map[ansible_facts.distribution] | default('/bin/bash')) }}" + skeleton: "{{ unix_distro_skel_map[ansible_facts.distribution] | default('/etc/skel') }}" uid: "{{ item.uid | default(omit) }}" update_password: "{{ item.update_password | default('always') }}" # always or on_create register: created_account @@ -47,8 +47,7 @@ ansible.builtin.set_fact: ansible_deployer_password: "{{ local_accounts_with_password | selectattr('username', 'equalto', ansible_deployer_username) | map(attribute='password') | first }}" - when: - created_account.results | selectattr('changed', 'equalto', true) | map(attribute='item.username') + when: created_account.results | selectattr('changed', 'equalto', true) | map(attribute='item.username') | list | intersect([ansible_deployer_username]) | length > 0 - name: Adding account creation source flag... @@ -78,7 +77,7 @@ - name: Enabling password requirement for sudo... ansible.builtin.lineinfile: - dest: "{{ unix_distro_sudoers_map[ansible_distribution] | default('/etc/sudoers') }}" + dest: "{{ unix_distro_sudoers_map[ansible_facts.distribution] | default('/etc/sudoers') }}" state: present regexp: ^%{{ root_group }} line: "%{{ root_group }} ALL=(ALL:ALL) ALL" 
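Review bot: `Enabling password requirement for sudo` edits the file chosen by `unix_distro_sudoers_map` with `lineinfile` and, within the hunk, without `validate:`, so an unexpected `root_group` value or a mangled existing line can leave the host with an unparsable sudoers file and no working sudo. Unless a `validate:` line follows outside the hunk, add `validate: /usr/sbin/visudo -cf %s` here and in the `Disabling password requirement for sudo` twin in the next hunk, so the file is syntax-checked before it replaces the original. `regexp: ^%{{ root_group }}` also matches any group whose name merely starts with the root group (`%sudoers` when the group is `sudo`); `regexp: ^%{{ root_group }}\s` pins it to the intended entry.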
@@ -87,7 +86,7 @@ - name: Disabling password requirement for sudo... ansible.builtin.lineinfile: - dest: "{{ unix_distro_sudoers_map[ansible_distribution] | default('/etc/sudoers') }}" + dest: "{{ unix_distro_sudoers_map[ansible_facts.distribution] | default('/etc/sudoers') }}" state: present regexp: ^%{{ root_group }} line: "%{{ root_group }} ALL=(ALL) NOPASSWD: ALL" @@ -103,5 +102,23 @@ state: present when: - use_ssh_agent_for_sudo - - ansible_system == 'Linux' - - ansible_os_family != 'Alpine' + - ansible_facts.system == 'Linux' + - ansible_facts.os_family != 'Alpine' + +- name: Configuring SSHD in cloud environments... + when: accounts_configure_ssh_maxauthtries + block: + # This to avoid errors when someone has more that 6 SSH keys in their agent + - name: Setting SSHD MaxAuthTries to {{ accounts_ssh_maxauthtries }}... + ansible.builtin.replace: + dest: /etc/ssh/sshd_config + regexp: .*MaxAuthTries.* + replace: MaxAuthTries {{ accounts_ssh_maxauthtries }} + register: maxauthtries + become: true + + - name: Restarting SSHD... # noqa: no-handler + ansible.builtin.systemd: + name: "{{ accounts_os_family_service_name[ansible_facts.os_family] | default('sshd') }}" + state: restarted + when: maxauthtries.changed diff --git a/nova/core/roles/accounts/tasks/windows_create.yml b/nova/core/roles/accounts/tasks/windows_create.yml index 53228b1d6..061663d70 100644 --- a/nova/core/roles/accounts/tasks/windows_create.yml +++ b/nova/core/roles/accounts/tasks/windows_create.yml 
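Review bot: `ansible.builtin.replace` with `regexp: .*MaxAuthTries.*` only rewrites lines that already mention MaxAuthTries, so on an `sshd_config` without such a line, or one whose leading `Include /etc/ssh/sshd_config.d/*.conf` pulls in a drop-in that sets it first (sshd keeps the first value it reads), the setting is silently not applied and, because `maxauthtries` then reports no change, sshd is never restarted. The edit is also made without `validate:`, and the restart uses `ansible.builtin.systemd` although this task file is included for FreeBSD and Alpine hosts that do not run systemd. Using `lineinfile` anchored at the top of the file with a syntax check, and `ansible.builtin.service` for the restart, covers all three cases:

```yaml
  - name: Setting SSHD MaxAuthTries to {{ accounts_ssh_maxauthtries }}...
    ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: ^#?\s*MaxAuthTries\b
      line: MaxAuthTries {{ accounts_ssh_maxauthtries }}
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
    register: maxauthtries
    become: true

  - name: Restarting SSHD... # noqa: no-handler
    ansible.builtin.service:
      name: "{{ accounts_os_family_service_name[ansible_facts.os_family] | default('sshd') }}"
      state: restarted
    when: maxauthtries.changed
```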
@@ -1,16 +1,16 @@ --- # This required so this role can clean up the default cloud users if they are not in the local_accounts_with_password list - name: Adding source creation flag for default cloud account... - when: vars[infra_env ~ '_template_username'] | default('') not in [admin_account, ''] + when: lookup('vars', infra_env ~ '_template_username') | default('') not in [admin_account, ''] block: - - name: Checking if {{ vars[infra_env ~ '_template_username'] | default('') }} user exists... + - name: Checking if {{ lookup('vars', infra_env ~ '_template_username') | default('') }} user exists... ansible.windows.win_stat: - path: C:\Users\{{ vars[infra_env ~ '_template_username'] | default('') }} + path: C:\Users\{{ lookup('vars', infra_env ~ '_template_username') | default('') }} register: template_user - - name: Adding account creation source flag for {{ vars[infra_env ~ '_template_username'] | default('') }}... + - name: Adding account creation source flag for {{ lookup('vars', infra_env ~ '_template_username') | default('') }}... community.windows.win_lineinfile: - path: C:\Users\{{ vars[infra_env ~ '_template_username'] | default('') }}\.created + path: C:\Users\{{ lookup('vars', infra_env ~ '_template_username') | default('') }}\.created line: This account was created with {{ ansible_role_name }} role state: present create: true 
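Review bot: As in the Unix counterpart, `lookup('vars', infra_env ~ '_template_username') | default('')` in the block `when:` and the `path:` lines will raise rather than yield `''` on infrastructures with no `<infra_env>_template_username`, because the `ansible.builtin.vars` lookup errors on a missing name unless `default=` is passed. Use `lookup('vars', infra_env ~ '_template_username', default='')` in each of the five occurrences, or resolve it once into a fact at the top of the block.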
@@ -18,16 +18,16 @@ - name: Configuring Domain Organizational Units... ansible.builtin.include_tasks: create_domain_ous.yml - when: ansible_windows_domain_role == "Primary domain controller" + when: ansible_facts.windows_domain_role == "Primary domain controller" - name: Configuring Domain groups... ansible.builtin.include_tasks: create_domain_groups.yml - when: ansible_windows_domain_role == "Primary domain controller" + when: ansible_facts.windows_domain_role == "Primary domain controller" - name: Configuring local accounts... when: - - ansible_windows_domain_role != "Primary domain controller" - - ansible_windows_domain_role != "Backup domain controller" + - ansible_facts.windows_domain_role != "Primary domain controller" + - ansible_facts.windows_domain_role != "Backup domain controller" block: - name: Creating following local accounts... ansible.windows.win_user: @@ -47,12 +47,11 @@ ansible.builtin.set_fact: ansible_deployer_password: "{{ admin_accounts_with_password | selectattr('username', 'equalto', ansible_deployer_username) | map(attribute='password') | first }}" - when: - created_account.results | selectattr('changed', 'equalto', true) | map(attribute='item.username') + when: created_account.results | selectattr('changed', 'equalto', true) | map(attribute='item.username') | list | intersect([ansible_deployer_username]) | length > 0 - name: Checking and creating domain accounts... - when: ansible_windows_domain_role == "Primary domain controller" + when: ansible_facts.windows_domain_role == "Primary domain controller" block: - name: DC post-reboot availability check... # Sometimes DCs are not available right after initial deployment if they are not sysprepped ansible.builtin.include_role: 
@@ -84,8 +83,7 @@ ansible.builtin.set_fact: ansible_deployer_password: "{{ admin_accounts_with_password | selectattr('username', 'equalto', ansible_deployer_username) | map(attribute='password') | first }}" - when: - win_domain_user.results | selectattr('changed', 'equalto', true) | map(attribute='item.username') + when: win_domain_user.results | selectattr('changed', 'equalto', true) | map(attribute='item.username') | list | intersect([ansible_deployer_username]) | length > 0 # To make sure that we are setting the password for the correct account on non-primary domain controller @@ -93,7 +91,7 @@ ansible.builtin.set_fact: ansible_deployer_password: "{{ admin_accounts_with_password | selectattr('username', 'equalto', ansible_deployer_username) | map(attribute='password') | first }}" - when: ansible_windows_domain_role == "Backup domain controller" + when: ansible_facts.windows_domain_role == "Backup domain controller" - name: Creating a profiles for... ansible.windows.win_user_profile: @@ -169,3 +167,20 @@ - name: Setting correct administrators_authorized_keys permissions... ansible.windows.win_shell: icacls.exe C:\ProgramData\ssh\administrators_authorized_keys /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F" + +- name: Configuring SSHD in cloud environments... + when: accounts_configure_ssh_maxauthtries + block: + # This to avoid errors when someone has more that 6 SSH keys in their agent + - name: Increasing SSHD MaxAuthTries to {{ accounts_ssh_maxauthtries }}... + community.windows.win_lineinfile: + path: C:\ProgramData\ssh\sshd_config + regexp: .*MaxAuthTries.* + line: MaxAuthTries {{ accounts_ssh_maxauthtries }} + register: maxauthtries + + - name: Restarting SSHD... # noqa: no-handler + ansible.windows.win_service: + name: sshd + state: restarted + when: maxauthtries.changed diff --git a/nova/core/roles/cleanup/tasks/linux.yml b/nova/core/roles/cleanup/tasks/linux.yml index 19c82720a..6d450dc59 100644 --- a/nova/core/roles/cleanup/tasks/linux.yml 
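Review bot: `community.windows.win_lineinfile` appends the line at end of file when `regexp: .*MaxAuthTries.*` matches nothing, and the stock Win32-OpenSSH `sshd_config` ends with a `Match Group administrators` block, so on a config from which the default `#MaxAuthTries 6` line was removed the new directive lands inside that Match block and applies to administrators only. Add `insertbefore: BOF` so the directive is global and precedes any Match section. Anchoring the pattern, `regexp: ^#?\s*MaxAuthTries`, also avoids turning a comment that merely mentions MaxAuthTries into a directive.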
+++ b/nova/core/roles/cleanup/tasks/linux.yml @@ -2,7 +2,7 @@ # No systemd (journal) in FreeBSD - name: Cleaning up Linux machine... ansible.builtin.shell: | - {{ 'setenv HISTFILE "/dev/null"' if ansible_system == 'FreeBSD' else 'export HISTFILE=/dev/null' }} + {{ 'setenv HISTFILE "/dev/null"' if ansible_facts.system == 'FreeBSD' else 'export HISTFILE=/dev/null' }} rm -f /home/*/.ssh/known_hosts rm -f /home/*/.sudo_as_admin_successful rm -f /root/.bconsole_history @@ -49,10 +49,12 @@ rm -rf /home/*/.cache/* rm -rf /home/gt/.bash_history rm -rf /var/log/installer/* - {{ 'service apache2 restart || true' if ansible_distribution | default('') != 'Alpine' else '' }} - {{ 'if [ -d "/run/log/journal" ]; then find /run/log/journal -name "*.journal" | xargs rm -f; fi' if ansible_system | default('') != 'FreeBSD' }} + {{ 'service apache2 restart || true' if ansible_facts.distribution | default('') != 'Alpine' else '' }} + {{ 'if [ -d "/run/log/journal" ]; then find /run/log/journal -name "*.journal" | xargs rm -f; fi' if ansible_facts.system | default('') != 'FreeBSD' }} args: - executable: "/bin/{{ 'tcsh' if ansible_system | default('') == 'FreeBSD' else 'sh' if ansible_distribution | default('') == 'Alpine' else 'bash' }}" + executable: + "/bin/{{ 'tcsh' if ansible_facts.system | default('') == 'FreeBSD' else 'sh' if ansible_facts.distribution | default('') + == 'Alpine' else 'bash' }}" changed_when: true - name: Removing Linux shell history... 
@@ -60,14 +62,16 @@ rm -f /home/*/.*_history rm -f /root/.*_history args: - executable: "/bin/{{ 'tcsh' if ansible_system | default('') == 'FreeBSD' else 'sh' if ansible_distribution | default('') == 'Alpine' else 'bash' }}" + executable: + "/bin/{{ 'tcsh' if ansible_facts.system | default('') == 'FreeBSD' else 'sh' if ansible_facts.distribution | default('') + == 'Alpine' else 'bash' }}" changed_when: true when: cleanup_remove_bash_history - name: Clearing journalctl... ansible.builtin.command: journalctl --rotate --vacuum-time=1s changed_when: true - when: ansible_distribution | default('') != 'Alpine' + when: ansible_facts.distribution | default('') != 'Alpine' - name: Setting reboot_on_finalize to true... # This will reboot the VM during nova.core.finalize role ansible.builtin.set_fact: diff --git a/nova/core/roles/cleanup/tasks/main.yml b/nova/core/roles/cleanup/tasks/main.yml index 318ad37f3..2276235a4 100644 --- a/nova/core/roles/cleanup/tasks/main.yml +++ b/nova/core/roles/cleanup/tasks/main.yml 
@@ -1,18 +1,14 @@ --- -- name: Inlcuding non-network OS cleanup tasks... - when: ansible_network_os is not defined - block: - - name: Including Windows cleanup tasks... - ansible.builtin.include_tasks: windows.yml - when: ansible_system == "Win32NT" +- name: Including Windows cleanup tasks... + ansible.builtin.include_tasks: windows.yml + when: ansible_facts.system | default('') == "Win32NT" - - name: Including Linux cleanup tasks... - ansible.builtin.include_tasks: linux.yml - when: ansible_system == "Linux" +- name: Including Linux cleanup tasks... + ansible.builtin.include_tasks: linux.yml + when: + - ansible_facts.system | default('') == "Linux" + - ansible_network_os | default('') != 'vyos.vyos.vyos' -- name: Including network OS cleanup tasks... - when: ansible_network_os is defined - block: - - name: Including Vyos cleanup tasks... - ansible.builtin.include_tasks: vyos.yml - when: ansible_network_os == 'vyos.vyos.vyos' +- name: Including VyOS cleanup tasks... + ansible.builtin.include_tasks: vyos.yml + when: ansible_network_os | default('') == 'vyos.vyos.vyos' diff --git a/nova/core/roles/cleanup/tasks/windows.yml b/nova/core/roles/cleanup/tasks/windows.yml index ffeb49bbf..4c4af0ddd 100644 --- a/nova/core/roles/cleanup/tasks/windows.yml +++ b/nova/core/roles/cleanup/tasks/windows.yml @@ -23,7 +23,7 @@ ansible.windows.win_service: name: UsoSvc state: stopped - when: ansible_facts['distribution_version'] is version('6.3.9600.0', '>') # Greater than Windows 8.1 & Server 2012 R2 + when: ansible_facts.distribution_version is version('6.3.9600.0', '>') # Greater than Windows 8.1 & Server 2012 R2 - name: Cleaning up Windows machine logs... ansible.windows.win_shell: "{{ lookup('template', 'Windows-Cleanup.ps1') }}" diff --git a/nova/core/roles/configure_networking/tasks/aws/networkd.yml b/nova/core/roles/configure_networking/tasks/aws/networkd.yml index 7f7aa256f..a4b2accf4 100644 --- a/nova/core/roles/configure_networking/tasks/aws/networkd.yml 
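Review bot: `Including Linux cleanup tasks...` is gated on `ansible_facts.system | default('') == "Linux"`, yet `linux.yml` still carries FreeBSD branches (the `tcsh` executable and `setenv HISTFILE` selection), so FreeBSD templates never receive the history, `known_hosts` and journal cleanup; whether that is intended is not visible here. If FreeBSD is a cleanup target, widen the condition to `ansible_facts.system | default('') in ["FreeBSD", "Linux"]` as the accounts role does, and guard the `journalctl` task in linux.yml with `ansible_facts.system == 'Linux'` rather than only excluding Alpine; if it is not, a comment stating that FreeBSD is excluded would stop the dead branches from misleading the next reader.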
+++ b/nova/core/roles/configure_networking/tasks/aws/networkd.yml @@ -6,7 +6,6 @@ changed_when: true become: true -# This step is not actually very useful for debugging - name: Templating interface(s) configuration(s)... ansible.builtin.template: src: networkd.network @@ -75,7 +74,7 @@ - name: Applying network configuration on Debian... become: true - when: ansible_distribution | default(false) == "Debian" + when: ansible_facts.distribution | default('') == "Debian" block: - name: Configuring network interface(s) names on Debian... ansible.builtin.command: update-initramfs -k all -u @@ -96,7 +95,7 @@ ansible.builtin.command: mkinitcpio -P changed_when: true become: true - when: ansible_distribution | default(false) == "Archlinux" + when: ansible_facts.distribution | default('') == "Archlinux" - name: Rebooting... ansible.builtin.reboot: diff --git a/nova/core/roles/configure_networking/tasks/vsphere/nmcli.yml b/nova/core/roles/configure_networking/tasks/vsphere/nmcli.yml index e912d5151..9e16e5b4a 100644 --- a/nova/core/roles/configure_networking/tasks/vsphere/nmcli.yml +++ b/nova/core/roles/configure_networking/tasks/vsphere/nmcli.yml @@ -162,6 +162,12 @@ ansible.builtin.set_fact: configure_networking_rescue_count: "{{ configure_networking_rescue_count | default(0) | int + 1 }}" + - name: Restarting {{ custom_vm_name | default(vm_name) }} VM... + ansible.builtin.include_role: + name: nova.core.powerstate + vars: + restart: true + - name: Re-including vSphere network configuration tasks... ansible.builtin.include_tasks: main.yml diff --git a/nova/core/roles/configure_package_mirrors/tasks/debian.yml b/nova/core/roles/configure_package_mirrors/tasks/debian.yml index 087fb40c4..70c09d46c 100644 --- a/nova/core/roles/configure_package_mirrors/tasks/debian.yml +++ b/nova/core/roles/configure_package_mirrors/tasks/debian.yml 
@@ -12,9 +12,9 @@ mode: "0644" when: not apt_backup_file.stat.exists -- name: Templating custom debian-{{ ansible_distribution_release }}.list to {{ inventory_hostname }}... +- name: Templating custom debian-{{ ansible_facts.distribution_release }}.list to {{ inventory_hostname }}... ansible.builtin.template: - src: debian-{{ ansible_distribution_release }}.list + src: debian-{{ ansible_facts.distribution_release }}.list dest: /etc/apt/sources.list mode: "0644" register: apt_sources diff --git a/nova/core/roles/configure_package_mirrors/tasks/main.yml b/nova/core/roles/configure_package_mirrors/tasks/main.yml index 77133775d..2678cecf9 100644 --- a/nova/core/roles/configure_package_mirrors/tasks/main.yml +++ b/nova/core/roles/configure_package_mirrors/tasks/main.yml 
@@ -4,32 +4,32 @@ block: - name: Including Windows Chocolatey mirror tasks... ansible.builtin.include_tasks: choco.yml - when: ansible_os_family == "Windows" + when: ansible_facts.os_family | default('') == "Windows" - name: Configuring Debian family sources.list - when: ansible_os_family == "Debian" + when: ansible_facts.os_family | default('') == "Debian" block: - name: Including Kali mirror tasks... ansible.builtin.include_tasks: kali.yml when: - - ansible_distribution == "Kali" + - ansible_facts.distribution | default('') == "Kali" - package_mirror_kali_uri != {} - name: Including Ubuntu mirror tasks... ansible.builtin.include_tasks: ubuntu.yml when: - - ansible_distribution == "Ubuntu" + - ansible_facts.distribution | default('') == "Ubuntu" - package_mirror_ubuntu_uri != {} - name: Including Debian mirror tasks... ansible.builtin.include_tasks: debian.yml when: - - ansible_distribution == "Debian" + - ansible_facts.distribution | default('') == "Debian" - customization_method != "proxmox" - package_mirror_debian_uri != {} - name: Including Parrot mirror tasks... ansible.builtin.include_tasks: parrot.yml when: - - ansible_distribution == "Parrot" + - ansible_facts.distribution | default('') == "Parrot" - package_mirror_parrot_uri != {} diff --git a/nova/core/roles/configure_package_mirrors/tasks/ubuntu.yml b/nova/core/roles/configure_package_mirrors/tasks/ubuntu.yml index 88909b393..53aad1f30 100644 --- a/nova/core/roles/configure_package_mirrors/tasks/ubuntu.yml +++ b/nova/core/roles/configure_package_mirrors/tasks/ubuntu.yml 
@@ -1,13 +1,13 @@ --- - name: Configuring Ubuntu < 24.04 sources.list - when: ansible_distribution_release != "noble" + when: ansible_facts.distribution_release != "noble" block: - name: Checking if sources.list backup exists... ansible.builtin.stat: path: /etc/apt/sources.list_backup register: non_noble_apt_backup_file - - name: Backing up existing {{ ansible_distribution_release }} sources.list... + - name: Backing up existing {{ ansible_facts.distribution_release }} sources.list... ansible.builtin.copy: src: /etc/apt/sources.list dest: /etc/apt/sources.list_backup @@ -23,7 +23,7 @@ register: non_noble_apt_sources - name: Configuring Ubuntu 24.04 sources.list - when: ansible_distribution_release == "noble" + when: ansible_facts.distribution_release == "noble" block: - name: Checking if ubuntu.sources backup exists... ansible.builtin.stat: @@ -38,7 +38,7 @@ path: /etc/apt/sources.list.d/ubuntu.sources register: ubuntu_sources_state - - name: Backing up existing {{ ansible_distribution_release }} ubuntu.sources... + - name: Backing up existing {{ ansible_facts.distribution_release }} ubuntu.sources... ansible.builtin.copy: src: /etc/apt/sources.list.d/ubuntu.sources dest: /etc/apt/ubuntu.sources_backup diff --git a/nova/core/roles/configure_package_mirrors/templates/ubuntu-sources.list b/nova/core/roles/configure_package_mirrors/templates/ubuntu-sources.list index 834a2fc44..76b237bf1 100644 --- a/nova/core/roles/configure_package_mirrors/templates/ubuntu-sources.list +++ b/nova/core/roles/configure_package_mirrors/templates/ubuntu-sources.list 
@@ -1,4 +1,4 @@ -# The original sources.list is backed up as {{ '/etc/apt/sources.list_backup' if ansible_distribution_release != 'noble' else '/etc/apt/ubuntu.sources_backup' }} +# The original sources.list is backed up as {{ '/etc/apt/sources.list_backup' if ansible_facts.distribution_release != 'noble' else '/etc/apt/ubuntu.sources_backup' }} deb {{ package_mirror_ubuntu_uri.general }} {{ ansible_facts.lsb.codename }} main restricted deb {{ package_mirror_ubuntu_uri.general }} {{ ansible_facts.lsb.codename }} universe diff --git a/nova/core/roles/connection/tasks/aws.yml b/nova/core/roles/connection/tasks/aws.yml index c9ba106cb..84f8174a9 100644 --- a/nova/core/roles/connection/tasks/aws.yml +++ b/nova/core/roles/connection/tasks/aws.yml @@ -1,4 +1,13 @@ --- +- name: Saving default connection parameters... + ansible.builtin.set_fact: + default_ansible_private_key_file: "{{ ansible_private_key_file | default('') }}" + default_ansible_ssh_extra_args: "{{ ansible_ssh_extra_args | default('') }}" + when: + - fresh_deploy + - default_ansible_private_key_file is not defined + - default_ansible_ssh_extra_args is not defined + - name: Connecting as {{ aws_template_username | default(template_username) if fresh_deploy else ansible_deployer_username }} to {{ inventory_hostname }} using {{ default_connection_plugin | upper 
@@ -17,7 +26,5 @@ {%- endif -%} # Initial connection will be done with temporary SSH key ansible_private_key_file: "{{ machine_operations_aws_temp_ssh_key_path if fresh_deploy else omit }}" - # To avoid SSH MaxAuthTries limit - ansible_ssh_extra_args: "{{ connection_custom_ansible_ssh_extra_args - | default('-o PreferredAuthentications=password' if fresh_deploy and 'os_windows' in group_names else - '-o IdentitiesOnly=yes' if fresh_deploy and 'os_windows' not in group_names else omit) }}" + # To avoid SSH MaxAuthTries limit if a user has more then 6 keys added to their ssh agent + ansible_ssh_extra_args: "{{ connection_custom_ansible_ssh_extra_args | default('-o IdentitiesOnly=yes' if fresh_deploy else omit) }}" diff --git a/nova/core/roles/connection/tasks/main.yml b/nova/core/roles/connection/tasks/main.yml index 7035c7302..14fcf817f 100644 --- a/nova/core/roles/connection/tasks/main.yml +++ b/nova/core/roles/connection/tasks/main.yml 
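Review bot: The key file and extra args set here for the initial connection are later restored by the accounts role from `default_ansible_private_key_file`/`default_ansible_ssh_extra_args`, and the saving task at the top of this file records only `ansible_private_key_file`, so an inventory that configures the key through the equally valid `ansible_ssh_private_key_file` alias is saved as `''` and loses its key after the account switch. Capture both spellings: `default_ansible_private_key_file: "{{ ansible_private_key_file | default(ansible_ssh_private_key_file) | default('') }}"`. Separately, `-o IdentitiesOnly=yes` now applies to Windows fresh deploys as well, where the removed lines deliberately forced `PreferredAuthentications=password`; that is only safe if every Windows template accepts the temporary key, which is worth confirming or noting in the comment.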
@@ -42,27 +42,43 @@ ip_address: "{{ ansible_host }}" username: "{{ template_username if fresh_deploy else ansible_deployer_username }}" password: "{{ template_password if fresh_deploy else ansible_deployer_password }}" - when: - - ansible_network_os is defined - - ansible_network_os == "panos" + when: ansible_network_os | default('') == "panos" + +- name: Checking for MacOS Python... + when: ("os_macos" in group_names) + block: + - name: Checking if Xcode exists on MacOS... + ansible.builtin.raw: | + if [ -d /Applications/Xcode.app ]; then + echo "Xcode installed" + else + echo "Xcode NOT installed" + fi + register: xcode_check + changed_when: false + + - name: Setting MacOS Xcode check fact... + ansible.builtin.set_fact: + darwin_with_python: "{{ true if 'Xcode installed' in xcode_check.stdout else false }}" - name: Running different wait_for_connection methods based on OS... when: - not role_only - not role_only_wp block: + # false by default for MacOS but defaulting to true here to avoid errors on non-MacOS systems - name: Waiting for connection to {{ inventory_hostname }}... ansible.builtin.wait_for_connection: timeout: 300 - when: ansible_system is not defined # Meaning gether facts hasn't run yet so we don't know the OS + when: darwin_with_python | default(true) - - name: Waiting for connection to {{ inventory_hostname }}... + - name: Waiting Pythonless MacOS connection to {{ inventory_hostname }}... ansible.builtin.raw: echo " " changed_when: true retries: 30 delay: 5 until: true - when: ansible_system | default(false) == "Darwin" # Since MacOS does not have Python installed by default ansible_system is defined in OS group var + when: not darwin_with_python | default(true) - name: Including connect role... ansible.builtin.include_role: 
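Review bot: `darwin_with_python` is derived from the existence of `/Applications/Xcode.app`, which is neither necessary nor sufficient for a usable `python3`: the Command Line Tools provide python3 without Xcode.app, and an installed Xcode whose licence has not been accepted can still make `/usr/bin/python3` fail, so the `raw`-based wait may be skipped on hosts that need it while `wait_for_connection` times out on hosts that do not. Testing the interpreter directly keeps the fact logic unchanged and is more robust: `if /usr/bin/python3 -c 'import sys' >/dev/null 2>&1; then echo "Xcode installed"; else echo "Xcode NOT installed"; fi`. The `true if ... else false` on the `set_fact` can simply be `"{{ 'Xcode installed' in xcode_check.stdout }}"`.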
@@ -76,7 +92,6 @@ - name: Optimizing Powershell... ansible.windows.win_shell: "{{ lookup('file', 'Optimize-PowerShell.ps1') }}" when: - - ansible_system is defined - - ansible_system == "Win32NT" + - ansible_facts.system | default('') == "Win32NT" - not role_only - not role_only_wp diff --git a/nova/core/roles/customization/tasks/main.yml b/nova/core/roles/customization/tasks/main.yml index 688841849..893759065 100644 --- a/nova/core/roles/customization/tasks/main.yml +++ b/nova/core/roles/customization/tasks/main.yml @@ -14,8 +14,8 @@ path: "{{ post_scripts_folder_on_target }}" state: directory when: - - ansible_system is defined - - ansible_system == "Win32NT" + - ansible_facts.system is defined + - ansible_facts.system == "Win32NT" - name: Including {{ customization_role_path }}/{{ role }} role... ansible.builtin.include_role: diff --git a/nova/core/roles/customization_single_role/tasks/main.yml b/nova/core/roles/customization_single_role/tasks/main.yml index 937e15003..b96b48272 100644 --- a/nova/core/roles/customization_single_role/tasks/main.yml +++ b/nova/core/roles/customization_single_role/tasks/main.yml @@ -4,8 +4,8 @@ path: "{{ post_scripts_folder_on_target }}" state: directory when: - - ansible_system is defined - - ansible_system == "Win32NT" + - ansible_facts.system is defined + - ansible_facts.system == "Win32NT" - name: Including {{ single_role if single_role is defined else omit }} role... ansible.builtin.include_role: diff --git a/nova/core/roles/deploy_vars/defaults/main.yml b/nova/core/roles/deploy_vars/defaults/main.yml index da43f6c6b..a51284ba7 100644 --- a/nova/core/roles/deploy_vars/defaults/main.yml +++ b/nova/core/roles/deploy_vars/defaults/main.yml 
@@ -166,23 +166,24 @@ azure_location: westeurope azure_defaults: # Current subscription ID from https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade subscription_id: - "{{ vars[environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_azure_subscription_id'] - | default(vars[project_fullname | default('') ~ '_azure_subscription_id']) + "{{ lookup('vars', environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_azure_subscription_id') + | default(lookup('vars', project_fullname | default('') ~ '_azure_subscription_id')) | default(azure_subscription_id) | default('') }}" # The Service Principal Name's (Service Account used for deployment) ID from # https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps - client_id: "{{ vars[environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_azure_client_id'] - | default(vars[project_fullname | default('') ~ '_azure_client_id']) + client_id: + "{{ lookup('vars', environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_azure_client_id') + | default(lookup('vars', project_fullname | default('') ~ '_azure_client_id')) | default(azure_client_id) | default('') }}" # The current Tenant's ID from https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps - tenant: "{{ vars[environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_azure_tenant_id'] - | default(vars[project_fullname | default('') ~ '_azure_tenant_id']) + tenant: "{{ lookup('vars', environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_azure_tenant_id') + | default(lookup('vars', project_fullname | default('') ~ '_azure_tenant_id')) | default(azure_tenant_id) | default('') }}" secret: - "{{ vars[environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_azure_service_principal_secret'] - | default(vars[project_fullname | default('') ~ '_azure_service_principal_secret']) 
+ "{{ lookup('vars', environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_azure_service_principal_secret') + | default(lookup('vars', project_fullname | default('') ~ '_azure_service_principal_secret')) | default(azure_service_principal_secret) | default('') }}" ########### @@ -191,16 +192,17 @@ azure_defaults: proxmox_defaults: api_host: "{{ proxmox_api_host | default('') }}" - api_user: "{{ vars[environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_proxmox_api_user'] - | default(vars[project_fullname | default('') ~ '_proxmox_api_user']) + api_user: + "{{ lookup('vars', environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_proxmox_api_user') + | default(lookup('vars', project_fullname | default('') ~ '_proxmox_api_user')) | default(proxmox_api_user) | default('') }}" api_token_id: - "{{ vars[environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_proxmox_api_token_id'] - | default(vars[project_fullname | default('') ~ '_proxmox_api_token_id']) + "{{ lookup('vars', environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_proxmox_api_token_id') + | default(lookup('vars', project_fullname | default('') ~ '_proxmox_api_token_id')) | default(proxmox_api_token_id) | default('') }}" api_token_secret: - "{{ vars[environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_proxmox_api_token_secret'] - | default(vars[project_fullname | default('') ~ '_proxmox_api_token_secret']) + "{{ lookup('vars', environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_proxmox_api_token_secret') + | default(lookup('vars', project_fullname | default('') ~ '_proxmox_api_token_secret')) | default(proxmox_api_token_secret) | default('') }}" proxmox_validate_certs: true 
@@ -221,14 +223,14 @@ openstack_defaults: password: "{{ openstack_password | default(env_project_deployer_password) | default(project_deployer_password) | default(deployer_password) | default('') }}" project_id: - "{{ vars[environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_openstack_project_id'] - | default(vars[project_fullname | default('') ~ '_openstack_project_id']) + "{{ lookup('vars', environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_openstack_project_id') + | default(lookup('vars', project_fullname | default('') ~ '_openstack_project_id')) | default(openstack_project_id) | default('') }}" user_domain_name: - "{{ vars[environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_openstack_user_domain_name'] - | default(vars[project_fullname | default('') ~ '_openstack_user_domain_name']) + "{{ lookup('vars', environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_openstack_user_domain_name') + | default(lookup('vars', project_fullname | default('') ~ '_openstack_user_domain_name')) | default(openstack_user_domain_name) | default('Default') }}" project_domain_name: - "{{ vars[environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_openstack_project_domain_name'] - | default(vars[project_fullname | default('') ~ '_openstack_project_domain_name']) + "{{ lookup('vars', environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_openstack_project_domain_name') + | default(lookup('vars', project_fullname | default('') ~ '_openstack_project_domain_name')) | default(openstack_project_domain_name) | default('Default') }}" diff --git a/nova/core/roles/docker/defaults/main.yml b/nova/core/roles/docker/defaults/main.yml index 6c148c7d7..edd5f48cd 100644 --- a/nova/core/roles/docker/defaults/main.yml +++ b/nova/core/roles/docker/defaults/main.yml 
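Review bot: The fall-through chain on `lookup('vars', ...)` may not fall through at all: as far as I recall the vars lookup raises an error for a name that does not exist rather than returning a Jinja Undefined, and `default()` only replaces Undefined values, so the first missing `<env>_<project>_*` name can abort evaluation instead of reaching `openstack_project_id` / `openstack_user_domain_name` (the old `vars[...]` indexing did yield an Undefined, which is why `default()` worked there). The lookup's own `default=` parameter is the documented way to express this, e.g. `lookup('vars', environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_openstack_project_id', default=lookup('vars', project_fullname | default('') ~ '_openstack_project_id', default=openstack_project_id | default('')))`. The same pattern is used for the Azure and Proxmox credential chains earlier in this file, where a failed resolution of `azure_service_principal_secret` or `proxmox_api_token_secret` is harder to diagnose because it surfaces as a template error rather than an empty credential. Please verify against the Ansible version in use, since I am inferring the lookup's error behaviour rather than seeing it here.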
@@ -41,7 +41,7 @@ docker_networks: docker_engine_version: {} # Docker APT proxy -docker_apt_proxy: https://download.docker.com/linux/{{ ansible_distribution | lower }} +docker_apt_proxy: https://download.docker.com/linux/{{ ansible_facts.distribution | lower }} # Mapping for non-default Debian OS based distributions like Kali, Parrot, etc. # This is used to set the correct distribution and codename for the Docker APT repository diff --git a/nova/core/roles/docker/tasks/debian_os_default.yml b/nova/core/roles/docker/tasks/debian_os_default.yml index f2973f19b..361f942a7 100644 --- a/nova/core/roles/docker/tasks/debian_os_default.yml +++ b/nova/core/roles/docker/tasks/debian_os_default.yml @@ -11,9 +11,9 @@ delay: 6 - name: Including Docker for default Debian based OS... - when: ansible_distribution not in docker_non_default_debian_os_list + when: ansible_facts.distribution not in docker_non_default_debian_os_list block: - - name: Adding Docker repo key for {{ ansible_distribution }}... + - name: Adding Docker repo key for {{ ansible_facts.distribution }}... ansible.builtin.get_url: url: "{{ docker_apt_proxy }}/gpg" dest: /etc/apt/trusted.gpg.d/docker.asc @@ -26,7 +26,7 @@ # Using copy because ansible.builtin.apt_repository does not have a feature to override existing repository in *.list file - name: Adding Docker repository... ansible.builtin.copy: - content: deb [arch=amd64] {{ docker_apt_proxy }} {{ ansible_distribution_release }} stable + content: deb [arch=amd64] {{ docker_apt_proxy }} {{ ansible_facts.distribution_release }} stable dest: /etc/apt/sources.list.d/docker.list mode: "0644" diff --git a/nova/core/roles/docker/tasks/debian_os_non_default.yml b/nova/core/roles/docker/tasks/debian_os_non_default.yml index 9b51119c4..4bb77c67b 100644 --- a/nova/core/roles/docker/tasks/debian_os_non_default.yml +++ b/nova/core/roles/docker/tasks/debian_os_non_default.yml 
@@ -1,5 +1,5 @@ --- -- name: Adding Docker repo key for {{ ansible_distribution_release }}... +- name: Adding Docker repo key for {{ ansible_facts.distribution_release }}... ansible.builtin.get_url: url: "{{ docker_apt_proxy }}/gpg" dest: /etc/apt/trusted.gpg.d/docker.asc @@ -9,17 +9,19 @@ retries: 10 delay: 6 vars: - # Overriding ansible_distribution and ansible_distribution_release to match Debian - ansible_distribution_release: bookworm - ansible_distribution: Debian + # Overriding ansible_facts.distribution and ansible_facts.distribution_release to match Debian + ansible_facts: + distribution_release: bookworm + distribution: Debian # Using copy because ansible.builtin.apt_repository does not have a feature to override existing repository in *.list file - name: Adding Docker repository... ansible.builtin.copy: - content: deb [arch=amd64] {{ docker_apt_proxy }} {{ ansible_distribution_release }} stable + content: deb [arch=amd64] {{ docker_apt_proxy }} {{ ansible_facts.distribution_release }} stable dest: /etc/apt/sources.list.d/docker.list mode: "0644" vars: - # Overriding ansible_distribution and ansible_distribution_release to match Debian - ansible_distribution_release: bookworm - ansible_distribution: Debian + # Overriding ansible_facts.distribution and ansible_facts.distribution_release to match Debian + ansible_facts: + distribution_release: bookworm + distribution: Debian diff --git a/nova/core/roles/docker/tasks/main.yml b/nova/core/roles/docker/tasks/main.yml index 33e9a4d1d..c15613ec0 100644 --- a/nova/core/roles/docker/tasks/main.yml +++ b/nova/core/roles/docker/tasks/main.yml 
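Review bot: Overriding `ansible_facts` in the task `vars:` replaces the whole facts mapping for that task, not just the two keys: `docker_apt_proxy` reads `ansible_facts.distribution | lower` so it still renders as `debian`, but any other fact read while these two tasks run is gone, and a future edit that adds one will fail only on Kali/Parrot. A dedicated variable such as `docker_apt_distribution: debian` and `docker_apt_distribution_release: bookworm`, consumed by `docker_apt_proxy` and the repository line with `default(ansible_facts.distribution | lower)`, expresses the intent without shadowing a magic variable. Separately, the repository line `deb [arch=amd64] {{ docker_apt_proxy }} bookworm stable` has no `signed-by=`, while the key is written to `/etc/apt/trusted.gpg.d/docker.asc`, which makes Docker's key a trust anchor for every APT source on the host; writing it to `/etc/apt/keyrings/docker.asc` and using `[arch=amd64 signed-by=/etc/apt/keyrings/docker.asc]` limits it to this repository. Both points apply equally to `debian_os_default.yml`, which this file mirrors.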
@@ -2,17 +2,17 @@ - name: Installing Docker on Windows machine... ansible.builtin.include_tasks: windows.yml when: - - ansible_os_family | default('') == "Windows" - - ansible_os_installation_type | default('') == "Server" + - ansible_facts.os_family | default('') == "Windows" + - ansible_facts.installation_type | default('') == "Server" - name: Including non-default Debian based OS repo tasks... ansible.builtin.include_tasks: debian_os_non_default.yml - when: ansible_distribution | default('') in docker_non_default_debian_os_list + when: ansible_facts.distribution | default('') in docker_non_default_debian_os_list - name: Installing Docker on Debian based Linux machine... ansible.builtin.include_tasks: debian_os_default.yml - when: ansible_os_family | default('') == "Debian" + when: ansible_facts.os_family | default('') == "Debian" - name: Installing Docker on Archlinux based machine... ansible.builtin.include_tasks: archlinux.yml - when: ansible_os_family | default('') == "Archlinux" + when: ansible_facts.os_family | default('') == "Archlinux" diff --git a/nova/core/roles/finalize/tasks/main.yml b/nova/core/roles/finalize/tasks/main.yml index d41f5306b..53188d123 100644 --- a/nova/core/roles/finalize/tasks/main.yml +++ b/nova/core/roles/finalize/tasks/main.yml 
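Review bot: `ansible_facts.installation_type` on the Windows condition looks like a mistranslation of `ansible_os_installation_type`: fact injection strips only the `ansible_` prefix, so that fact lives at `ansible_facts.os_installation_type`, and with `| default('')` the mismatch is silent — the condition is never true and `windows.yml` is never included. If that is the fact intended, the line should read `- ansible_facts.os_installation_type | default('') == "Server"`. Worth confirming against a Windows host's gathered facts, since I am going from the fact name rather than an observed run.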
@@ -23,18 +23,18 @@ block: - name: Including Windows finalization tasks... ansible.builtin.include_tasks: windows.yml - when: ansible_system == 'Win32NT' + when: ansible_facts.system | default('') == 'Win32NT' - name: Including Unix finalization tasks... ansible.builtin.include_tasks: unix.yml - when: ansible_system in ["FreeBSD", "Linux"] + when: ansible_facts.system | default('') in ["FreeBSD", "Linux"] - name: Configuring Network OS accounts... when: ansible_network_os is defined block: - name: Including VyOS finalization tasks... ansible.builtin.include_tasks: vyos.yml - when: ansible_network_os == 'vyos.vyos.vyos' + when: ansible_network_os | default('') == 'vyos.vyos.vyos' - name: Including metadata posting role... ansible.builtin.include_role: diff --git a/nova/core/roles/finalize/tasks/unix.yml b/nova/core/roles/finalize/tasks/unix.yml index 8ca0dd8b4..9a55b2477 100644 --- a/nova/core/roles/finalize/tasks/unix.yml +++ b/nova/core/roles/finalize/tasks/unix.yml @@ -23,8 +23,8 @@ line: APT::Periodic::Update-Package-Lists "0"; when: - disable_auto_updates - - ansible_os_family is defined - - ansible_os_family == 'Debian' + - ansible_facts.os_family is defined + - ansible_facts.os_family == 'Debian' - name: Rebooting... ansible.builtin.reboot: diff --git a/nova/core/roles/firewall/handlers/main.yml b/nova/core/roles/firewall/handlers/main.yml index e15c51574..74144f285 100644 --- a/nova/core/roles/firewall/handlers/main.yml +++ b/nova/core/roles/firewall/handlers/main.yml @@ -17,4 +17,4 @@ - name: Rebooting Unix... ansible.builtin.reboot: listen: reboot_unix - when: ansible_os_family == "Archlinux" # For some reason nftables does not work without a reboot on Archlinux + when: ansible_facts.os_family == "Archlinux" # For some reason nftables does not work without a reboot on Archlinux diff --git a/nova/core/roles/firewall/tasks/iptables.yml b/nova/core/roles/firewall/tasks/iptables.yml index 0d2f73ffb..a2d94ea8c 100644 
--- a/nova/core/roles/firewall/tasks/iptables.yml +++ b/nova/core/roles/firewall/tasks/iptables.yml @@ -21,7 +21,7 @@ mode: "0755" - name: Installing and configuring iptables for Debian based OS... - when: ansible_os_family == "Debian" + when: ansible_facts.os_family == "Debian" block: - name: Installing iptables-persistent... ansible.builtin.package: diff --git a/nova/core/roles/gather_facts/defaults/main.yml b/nova/core/roles/gather_facts/defaults/main.yml deleted file mode 100644 index 3b5f7a6a1..000000000 --- a/nova/core/roles/gather_facts/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -# By default MacOS does not have Python installed so it cannot use ansible.builtin.setup -macos_has_python: false diff --git a/nova/core/roles/gather_facts/tasks/main.yml b/nova/core/roles/gather_facts/tasks/main.yml index b673434f1..b0ce90676 100644 --- a/nova/core/roles/gather_facts/tasks/main.yml +++ b/nova/core/roles/gather_facts/tasks/main.yml @@ -2,21 +2,21 @@ - name: Gathering RouterOS facts... community.routeros.facts: retries: 3 - when: ansible_network_os | default(false) == 'community.routeros.routeros' + when: ansible_network_os | default('') == 'community.routeros.routeros' - name: Gathering VyOS facts... vyos.vyos.vyos_facts: - when: ansible_network_os | default(false) == 'vyos.vyos.vyos' + when: ansible_network_os | default('') == 'vyos.vyos.vyos' - name: Gathering Cisco IOS facts... cisco.ios.ios_facts: - when: ansible_network_os | default(false) == 'cisco.ios.ios' + when: ansible_network_os | default('') == 'cisco.ios.ios' - name: Gathering facts for FortiOS... fortinet.fortios.fortios_configuration_fact: access_token: "{{ fortios_access_token }}" selector: system_global - when: ansible_network_os | default(false) == 'fortinet.fortios.fortios' + when: ansible_network_os | default('') == 'fortinet.fortios.fortios' - name: Gathering facts for pfSense/OPNsense... ansible.builtin.setup: 
@@ -33,26 +33,29 @@ delay: 3 delegate_to: localhost become: false - when: ansible_network_os | default(false) == 'panos' + when: ansible_network_os | default('') == 'panos' +# macos_has_python is a MacOS specific var set in nova.core.connection role to indicate if Python is installed +# false by default for MacOS but defaulting to true here to avoid errors on non-MacOS systems - name: Gathering facts for {{ inventory_hostname }}... ansible.builtin.setup: gather_timeout: 60 when: - - ansible_system | default(false) == "Darwin" - - macos_has_python + - ansible_network_os is not defined + - darwin_with_python | default(true) -- name: Gathering facts for {{ inventory_hostname }}... - ansible.builtin.setup: - gather_timeout: 60 +- name: Setting minimal facts for Pythonless MacOS {{ inventory_hostname }}... + ansible.builtin.set_fact: + ansible_custom_facts: + system: Darwin when: - - ansible_network_os is not defined - - ansible_system is not defined or ansible_system != "Darwin" -# # Useful when debugging facts gathered from different operating systems + - darwin_with_python is defined + - not darwin_with_python +# Useful when debugging facts gathered from different operating systems # - name: Saving ansible_facts to file... # ansible.builtin.copy: # content: "{{ ansible_facts | to_nice_yaml }}" -# dest: "{{ inventory_hostname }}.yaml" +# dest: "{{ inventory_hostname }}.yml" # mode: "0644" # delegate_to: localhost # become: false diff --git a/nova/core/roles/gitlab/defaults/main.yml b/nova/core/roles/gitlab/defaults/main.yml index 47bf7b060..d8afdfc45 100644 --- a/nova/core/roles/gitlab/defaults/main.yml +++ b/nova/core/roles/gitlab/defaults/main.yml 
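Review bot: The new comment names `macos_has_python` as the variable set by the connection role, but the fact this hunk actually tests is `darwin_with_python`, and the `macos_has_python` default is deleted in the same commit, so the comment points readers at a variable that no longer exists; suggested wording: `# darwin_with_python is set by nova.core.connection for os_macos hosts to indicate whether Python is available; other hosts never define it, hence default(true)`. The Pythonless path stores `system: Darwin` under `ansible_custom_facts`, whereas the rest of this commit switches roles to `ansible_facts.system`, so unless something outside this diff copies `ansible_custom_facts` into facts, a Pythonless host will not match the `Darwin`/`Win32NT`/`Linux` dispatch in finalize or join_domain; if that is intended, a comment on the set_fact saying which roles consume `ansible_custom_facts` would avoid the question.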
@@ -1,10 +1,10 @@ --- ### gitlab general -gitlab_version: 18.6.2-ee.0 +gitlab_version: 18.7.0-ee.0 gitlab_ssh_port: 10022 # Increase gitlab ssh MaxAuthTries to avoid connection issues for users with more than 6 keys in their SSH agent set to {} to disable gitlab_ssh_max_auth_tries: 20 -gitlab_fqdn: "{{ fqdn | default(ansible_fqdn) }}" +gitlab_fqdn: "{{ fqdn | default(ansible_facts.fqdn) }}" gitlab_url: https://{{ gitlab_fqdn }} gitlab_url_api: https://{{ gitlab_fqdn }}/api/v4 diff --git a/nova/core/roles/join_domain/tasks/linux.yml b/nova/core/roles/join_domain/tasks/linux.yml index f477ff3cd..aff2b4a61 100644 --- a/nova/core/roles/join_domain/tasks/linux.yml +++ b/nova/core/roles/join_domain/tasks/linux.yml @@ -56,18 +56,18 @@ - name: Creating user home folder automatically... ansible.builtin.command: pam-auth-update --enable mkhomedir changed_when: true - when: ansible_os_family == "Debian" + when: ansible_facts.os_family == "Debian" - name: Creating user home folder automatically for RedHat... - when: ansible_os_family == "RedHat" + when: ansible_facts.os_family == "RedHat" block: - - name: Installing required packages for {{ ansible_os_family }}... + - name: Installing required packages for {{ ansible_facts.os_family }}... ansible.builtin.package: name: authconfig state: present update_cache: true - - name: Creating user home folder automatically for {{ ansible_os_family }}... + - name: Creating user home folder automatically for {{ ansible_facts.os_family }}... ansible.builtin.command: authconfig --enablemkhomedir --update changed_when: true diff --git a/nova/core/roles/join_domain/tasks/main.yml b/nova/core/roles/join_domain/tasks/main.yml index f2ac16949..b8877fdea 100644 --- a/nova/core/roles/join_domain/tasks/main.yml +++ b/nova/core/roles/join_domain/tasks/main.yml 
@@ -2,12 +2,12 @@ - name: Including Linux domain join tasks... ansible.builtin.include_tasks: linux.yml when: - - ansible_system == "Linux" - - ansible_distribution not in ["Kali", "Archlinux"] # Kali and Archlinux are currently not supported + - ansible_facts.system == "Linux" + - ansible_facts.distribution not in ["Kali", "Archlinux"] # Kali and Archlinux are currently not supported - name: Including Windows domain join tasks... ansible.builtin.include_tasks: windows.yml - when: ansible_system == "Win32NT" + when: ansible_facts.system == "Win32NT" - name: Including metadata generation role... # EXPERIMENTAL feature, expect future changes ansible.builtin.include_role: diff --git a/nova/core/roles/linux_xrdp_server/README.md b/nova/core/roles/linux_xrdp_server/README.md index 49b2e4462..914be9302 100644 --- a/nova/core/roles/linux_xrdp_server/README.md +++ b/nova/core/roles/linux_xrdp_server/README.md @@ -1,6 +1,6 @@ # linux_xrdp_server -This roles installs and configures xrdp on a Linux machine. +This roles installs and configures XRDP on a Debian based Linux machine. ## Requirements @@ -8,7 +8,7 @@ none ## Role Variables -All required role variables are coming from gather_facts. +Refer to [defaults/main.yml](https://github.com/novateams/nova.core/blob/main/nova/core/roles/linux_xrdp_server/defaults/main.yml) for the full list of variables, their default values and descriptions. ## Dependencies diff --git a/nova/core/roles/linux_xrdp_server/defaults/main.yml b/nova/core/roles/linux_xrdp_server/defaults/main.yml index c3d4d1938..37501cb98 100644 --- a/nova/core/roles/linux_xrdp_server/defaults/main.yml +++ b/nova/core/roles/linux_xrdp_server/defaults/main.yml 
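Review bot: `ansible_facts.system == "Linux"` and `ansible_facts.system == "Win32NT"` are evaluated without a `default('')` guard, unlike the equivalent conditions this commit writes in finalize and docker; a host for which facts were not gathered (the Pythonless macOS case introduced in this commit, or any play with `gather_facts: false`) raises an undefined-variable error on the condition instead of skipping the include. `- ansible_facts.system | default('') == "Linux"` and `- ansible_facts.distribution | default('') not in ["Kali", "Archlinux"]` keep the behaviour consistent with the rest of the collection.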
@@ -1,3 +1,8 @@ --- -# Locking since the latest version is currently broken +# Can be used to lock to a specific version when the latest is not desired or is temporarily broken linux_xrdp_server_xorgxrdp_version: {} + +# Kali & Ubuntu 24 and later + +# To modify polkit permissions pass a custom file using this variable +linux_xrdp_server_kali_polkit_file: 10-configuration.rules diff --git a/nova/core/roles/linux_xrdp_server/files/10-configuration.rules b/nova/core/roles/linux_xrdp_server/files/10-configuration.rules index c46bb2d66..618a5653d 100644 --- a/nova/core/roles/linux_xrdp_server/files/10-configuration.rules +++ b/nova/core/roles/linux_xrdp_server/files/10-configuration.rules 
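Review bot: The new variable is named `linux_xrdp_server_kali_polkit_file` while its comment says "Kali & Ubuntu 24 and later", and the Ubuntu task later in this diff still copies a hard-coded `src: 10-configuration.rules`, so on Ubuntu the override has no effect unless that task also reads the variable (kali.yml is not in view, so I cannot confirm it does). Either drop `kali` from the name, e.g. `linux_xrdp_server_polkit_file`, and use it in both task files, or tighten the comment to `# Kali only: custom polkit rules file to copy instead of the bundled 10-configuration.rules`. A sentence in the comment stating what the bundled file grants (unauthenticated reboot/power and NetworkManager control for every subject) would also help operators decide whether to override it.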
@@ -1,16 +1,23 @@ polkit.addRule(function(action, subject) { - if ((action.id == "org.freedesktop.color-manager.create-device" || - action.id == "org.freedesktop.color-manager.create-profile" || - action.id == "org.freedesktop.color-manager.delete-device" || - action.id == "org.freedesktop.color-manager.delete-profile" || - action.id == "org.freedesktop.color-manager.modify-device" || - action.id == "org.freedesktop.color-manager.modify-profile" || - action.id == "org.freedesktop.login1.reboot" || - action.id == "org.freedesktop.login1.power-off" || - action.id == "org.freedesktop.login1.suspend" || - action.id == "org.freedesktop.login1.hibernate" || - action.id == "org.freedesktop.login1.reboot-multiple-sessions" || - action.id == "org.freedesktop.login1.power-off-multiple-sessions")) { - return polkit.Result.YES; - } - }); \ No newline at end of file + if (( + + action.id == "org.freedesktop.color-manager.create-device" || + action.id == "org.freedesktop.color-manager.create-profile" || + action.id == "org.freedesktop.color-manager.delete-device" || + action.id == "org.freedesktop.color-manager.delete-profile" || + action.id == "org.freedesktop.color-manager.modify-device" || + action.id == "org.freedesktop.color-manager.modify-profile" || + action.id == "org.freedesktop.login1.reboot" || + action.id == "org.freedesktop.login1.power-off" || + action.id == "org.freedesktop.login1.suspend" || + action.id == "org.freedesktop.login1.hibernate" || + action.id == "org.freedesktop.login1.reboot-multiple-sessions" || + action.id == "org.freedesktop.login1.power-off-multiple-sessions" || + action.id == "org.freedesktop.NetworkManager.network-control" || + action.id == "org.freedesktop.NetworkManager.settings.modify.system" + + )) + + {return polkit.Result.YES;} + +}); \ No newline at end of file diff --git a/nova/core/roles/linux_xrdp_server/tasks/debian_os.yml b/nova/core/roles/linux_xrdp_server/tasks/debian_os.yml index 6f80a3951..34ddf90cb 100644 
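Review bot: The rule returns `polkit.Result.YES` for every subject — there is no `subject.isInGroup(...)`, `subject.local` or `subject.active` test — and this commit widens it to `org.freedesktop.NetworkManager.network-control` and `org.freedesktop.NetworkManager.settings.modify.system`; the latter lets any account that can reach polkit, including a remote xrdp session or a low-privilege service account, create or edit system-wide connections (DNS, routes, VPNs) without authenticating, which on a shared lab host can be used to redirect other users' traffic. If the goal is only to let RDP users do what a console user can, scope the rule: `if (subject.isInGroup("sudo") && (action.id == ... ))`, or test for the group the xrdp users are in, and keep the NetworkManager actions out of the blanket list unless they are actually needed. The `if ((` with blank lines inside the condition and `{return polkit.Result.YES;}` on one line read as accidental; a conventional `if (...) { return polkit.Result.YES; }` layout with one action id per line makes the grant list easier to audit.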
--- a/nova/core/roles/linux_xrdp_server/tasks/debian_os.yml +++ b/nova/core/roles/linux_xrdp_server/tasks/debian_os.yml @@ -51,13 +51,13 @@ line: ls_background_image= # Enables setting login screen background notify: Restarting xrdp service... -- name: Including {{ ansible_distribution }} specific tasks... +- name: Including {{ ansible_facts.distribution }} specific tasks... ansible.builtin.include_tasks: ubuntu.yml - when: ansible_distribution == "Ubuntu" + when: ansible_facts.distribution == "Ubuntu" -- name: Including {{ ansible_distribution }} specific tasks... +- name: Including {{ ansible_facts.distribution }} specific tasks... ansible.builtin.include_tasks: kali.yml - when: ansible_distribution == 'Kali' + when: ansible_facts.distribution == 'Kali' - name: Enabling xrdp service... ansible.builtin.systemd_service: diff --git a/nova/core/roles/linux_xrdp_server/tasks/main.yml b/nova/core/roles/linux_xrdp_server/tasks/main.yml index 1c123d8c4..83e095467 100644 --- a/nova/core/roles/linux_xrdp_server/tasks/main.yml +++ b/nova/core/roles/linux_xrdp_server/tasks/main.yml @@ -1,4 +1,4 @@ --- - name: Installing xrdp on Debian based OS... ansible.builtin.include_tasks: debian_os.yml - when: ansible_os_family == "Debian" + when: ansible_facts.os_family == "Debian" diff --git a/nova/core/roles/linux_xrdp_server/tasks/ubuntu.yml b/nova/core/roles/linux_xrdp_server/tasks/ubuntu.yml index c0bfc1566..5323eaba6 100644 --- a/nova/core/roles/linux_xrdp_server/tasks/ubuntu.yml +++ b/nova/core/roles/linux_xrdp_server/tasks/ubuntu.yml @@ -1,6 +1,6 @@ --- - name: Configuring older Ubuntu versions... - when: ansible_distribution_major_version is version(22, '<=') + when: ansible_facts.distribution_major_version is version(22, '<=') block: - name: Creating /etc/polkit-1/localauthority/50-local.d ansible.builtin.file: 
@@ -22,4 +22,4 @@ src: 10-configuration.rules dest: /etc/polkit-1/rules.d/10-configuration.rules mode: "0644" - when: ansible_distribution_major_version is version(24, '>=') + when: ansible_facts.distribution_major_version is version(24, '>=') diff --git a/nova/core/roles/machine_operations/defaults/main.yml b/nova/core/roles/machine_operations/defaults/main.yml index 01f1412c9..d4adffeff 100644 --- a/nova/core/roles/machine_operations/defaults/main.yml +++ b/nova/core/roles/machine_operations/defaults/main.yml @@ -58,8 +58,8 @@ machine_operations_vsphere_video_memory: 64 machine_operations_vsphere_video_3d: false machine_operations_vsphere_video_3d_memory: 256 -vm_description: Created on {{ ansible_date_time.iso8601 }} by {{ project_deployer_username | default(deployer_username) }} - {{ inventory_hostname }} -template_description: Created on {{ ansible_date_time.iso8601 }} +vm_description: Created on {{ ansible_facts.date_time.iso8601 }} by {{ deployer_username | default('deployer_username_undefined') }} - {{ inventory_hostname }} +template_description: Created on {{ ansible_facts.date_time.iso8601 }} # Add a list of custom attributes to add to the VM # https://docs.ansible.com/ansible/latest/collections/community/vmware/vmware_guest_custom_attributes_module.html @@ -100,7 +100,11 @@ machine_operations_vmware_workstation_custom_params: [] # AWS defaults # ################ -aws_access_key: {} # Can be defined in your Ansible Vault +# The ID of the VPC where the instance will be created +# If left empty the default VPC for the region will be used +# If a VPC ID is defined then the the subnet ID must also be defined +# For that either use machine_operations_aws_subnet_id in code or define it in the "ID in cloud" field in Providentia +aws_vpc_id: {} # Temporary ssh key path on your container machine_operations_aws_temp_ssh_key_path: /tmp/{{ project_fullname | default('') }}_{{ inventory_hostname }}_aws_key 
diff --git a/nova/core/roles/machine_operations/tasks/aws/create.yml b/nova/core/roles/machine_operations/tasks/aws/create.yml index a19823ae8..dbe6cd010 100644 --- a/nova/core/roles/machine_operations/tasks/aws/create.yml +++ b/nova/core/roles/machine_operations/tasks/aws/create.yml @@ -37,6 +37,11 @@ key_type: rsa file_name: "{{ machine_operations_aws_temp_ssh_key_path }}" + - name: Slurping {{ machine_operations_aws_temp_ssh_key_path }} file... + ansible.builtin.slurp: + src: "{{ machine_operations_aws_temp_ssh_key_path }}" + register: slurped_aws_temp_ssh_key + - name: Generating {{ aws_template_username | default(template_username) }} user account password... ansible.builtin.set_fact: template_password: "{{ lookup('password', '/dev/null length=32 chars=hexdigits') }}" @@ -65,7 +70,7 @@ description: Security group for {{ custom_vm_name | default(vm_name) }} rules: "{{ machine_operations_aws_security_group_rules }}" state: present - vpc_id: "{{ aws_vpc_id | default(omit) }}" + vpc_id: "{{ omit if aws_vpc_id == {} else aws_vpc_id }}" register: created_security_group when: - machine_operations_create_aws_security_group diff --git a/nova/core/roles/machine_operations/tasks/aws/remove.yml b/nova/core/roles/machine_operations/tasks/aws/remove.yml index 2ef17640d..82f200fb8 100644 --- a/nova/core/roles/machine_operations/tasks/aws/remove.yml +++ b/nova/core/roles/machine_operations/tasks/aws/remove.yml @@ -18,7 +18,7 @@ - name: Deleting AWS security group for {{ custom_vm_name | default(vm_name) }}..." amazon.aws.ec2_security_group: name: "{{ custom_vm_name | default(vm_name) }}" - vpc_id: "{{ aws_vpc_id | default(omit) }}" + vpc_id: "{{ omit if aws_vpc_id == {} else aws_vpc_id }}" state: absent - name: Removing ssh key for {{ custom_vm_name | default(vm_name) }}... diff --git a/nova/core/roles/machine_operations/tasks/proxmox/disk_cleanup.yml b/nova/core/roles/machine_operations/tasks/proxmox/disk_cleanup.yml index 8e70e6dad..216b1ff1d 100644 
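Review bot: `aws_vpc_id == {}` treats only the literal empty mapping as unset, so a value of `""` or `null` arriving from inventory or the Providentia "ID in cloud" field is passed to `ec2_security_group` as the VPC id and the call fails; a truthiness test covers all of those: `vpc_id: "{{ aws_vpc_id if aws_vpc_id else omit }}"`, and the same line appears in `remove.yml`. Note also that what the new slurp task reads is the private key: `file_name` on the key-pair task is where the generated private key is saved, and it is the same path `ansible_private_key_file` points at in the connection vars, so `slurped_aws_temp_ssh_key.content` must not be rendered into anything that leaves the controller. If a consumer needs an authorized_keys entry, derive it on the controller with `ansible.builtin.command: ssh-keygen -y -f {{ machine_operations_aws_temp_ssh_key_path }}` and register that instead of the file content.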
--- a/nova/core/roles/machine_operations/tasks/proxmox/disk_cleanup.yml +++ b/nova/core/roles/machine_operations/tasks/proxmox/disk_cleanup.yml @@ -13,7 +13,8 @@ block: - name: Removing following {{ custom_vm_name | default(vm_name) }} unreferenced disks... ansible.builtin.uri: - url: "{{ proxmox_api_url }}/nodes/{{ proxmox_vm_exists.proxmox_vms[0].node + url: + "{{ proxmox_api_url }}/nodes/{{ proxmox_vm_exists.proxmox_vms[0].node | default(proxmox_node) }}/storage/{{ proxmox_storage }}/content/{{ disk.volid }}" headers: Authorization: PVEAPIToken={{ proxmox_defaults.api_user }}!{{ proxmox_defaults.api_token_id }}={{ proxmox_defaults.api_token_secret }} @@ -44,8 +45,8 @@ msg: Timeout {{ proxmox_machine_operations_operation_timeout }}s reached when trying to remove unreferenced disks for {{ custom_vm_name | default(vm_name) }} - when: proxmox_disk_cleanup_start_time.ansible_facts.ansible_date_time.epoch | int - + proxmox_machine_operations_operation_timeout < ansible_date_time.epoch | int + when: proxmox_disk_cleanup_start_time.ansible_facts.date_time.epoch | int + + proxmox_machine_operations_operation_timeout < ansible_facts.date_time.epoch | int # Under high load the disk cleanup can fail without reporting back an error so looping until the disks are removed - name: Re-including disk_cleanup tasks... diff --git a/nova/core/roles/machine_operations/tasks/vmware_workstation/create.yml b/nova/core/roles/machine_operations/tasks/vmware_workstation/create.yml index a7cf93c64..c654ca49b 100644 --- a/nova/core/roles/machine_operations/tasks/vmware_workstation/create.yml +++ b/nova/core/roles/machine_operations/tasks/vmware_workstation/create.yml 
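Review bot: `proxmox_disk_cleanup_start_time.ansible_facts.date_time.epoch` looks wrong: a registered `setup` result keeps the module's own key names, so its facts sit under `ansible_facts.ansible_date_time`, and only the injected `ansible_facts` magic variable has the `ansible_` prefix stripped. The rename on the right-hand side to `ansible_facts.date_time.epoch` is correct, but the left-hand side should stay `proxmox_disk_cleanup_start_time.ansible_facts.ansible_date_time.epoch`; as written the `when:` on the timeout task raises an undefined-variable error the first time it is evaluated, so the cleanup loop aborts with a template error instead of the intended timeout message. The task that registers `proxmox_disk_cleanup_start_time` is outside this hunk, so please confirm it is a `setup` call before changing it.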
@@ -38,7 +38,7 @@ - name: Downloading or updating VM template... when: - - not vm_template_presence.stat.exists or ((ansible_date_time.epoch | int) - (vm_template_presence.stat.ctime | round) + - not vm_template_presence.stat.exists or ((ansible_facts.date_time.epoch | int) - (vm_template_presence.stat.ctime | round) >= machine_operations_vmware_workstation_template_update_interval_days * 86400) - not role_only - not role_only_wp @@ -132,6 +132,8 @@ - regex: vhv.enable.* line: vhv.enable = "TRUE" + # macos_has_python is a MacOS specific OS group var to indicate if Python is installed + # In this instance it can be used to determine if we should run MacOS specific tasks for Pythonless MacOS systems - name: Setting compatible Darwin OS type... ansible.builtin.lineinfile: path: "{{ vmware_workstation.local_vmx_path }}" @@ -143,9 +145,7 @@ loop: - regex: guestos.* line: guestos = "darwin20-64" - when: - - ansible_system is defined - - ansible_system == "Darwin" + when: ("os_macos" in group_names) - name: Configuring {{ custom_vm_name | default(vm_name) }} custom parameters... ansible.builtin.lineinfile: diff --git a/nova/core/roles/machine_operations/templates/Configure-CloudWindows.ps1 b/nova/core/roles/machine_operations/templates/Configure-CloudWindows.ps1 index 8080144e9..056acb8d4 100644 --- a/nova/core/roles/machine_operations/templates/Configure-CloudWindows.ps1 +++ b/nova/core/roles/machine_operations/templates/Configure-CloudWindows.ps1 @@ -18,6 +18,10 @@ Write-Host "Setting Administrator password" $Password = "{{ template_password }}" $SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force Set-LocalUser -Name "Administrator" -Password $SecurePassword + +Write-Host "Setting temporary SSH key for Administrator user" +$TempSSHKey = "{{ slurped_aws_temp_ssh_key.content | b64decode }}" +Set-Content -Path "C:\ProgramData\ssh\administrators_authorized_keys" -Value $TempSSHKey -Force {% endif %} {% if infra_env == "azure" %} 
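Review bot: The comment added above `Setting compatible Darwin OS type...` describes `macos_has_python`, but the task's new condition is `when: ("os_macos" in group_names)` and nothing in the task reads `macos_has_python`, so the comment explains a variable the code does not use. Either reword it to what the condition does, e.g. `# Runs for every host in the os_macos group, including Pythonless MacOS systems where ansible_system is never gathered`, or move it next to the code that actually consults `macos_has_python`. Dropping the `ansible_system is defined` guard is fine since `group_names` is always set.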
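Review bot: `Set-Content ... -Force` on `C:\ProgramData\ssh\administrators_authorized_keys` leaves the file's ACL to inheritance for a new file, or to whatever an existing file already had; as far as I recall Windows OpenSSH ignores that file when anyone other than Administrators and SYSTEM has access, so an explicit `icacls` reset after the write, or at least a comment stating the ACL expectation, would make this deterministic. It is also worth confirming that `slurped_aws_temp_ssh_key` holds the public half of the key rather than the private key file an ec2_key-style `file_name:` produces. The `{% if %}` block enclosing these lines starts outside the hunk.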
diff --git a/nova/core/roles/nexus/defaults/main.yml b/nova/core/roles/nexus/defaults/main.yml index c7bb57993..c82658745 100644 --- a/nova/core/roles/nexus/defaults/main.yml +++ b/nova/core/roles/nexus/defaults/main.yml @@ -3,7 +3,7 @@ nexus_docker_network: local-network # The network where the container will be at nexus_proxy_container_name: {} # Name of the proxy container to restart after composing Nexus. nexus_container_config_folder: /srv/nexus # Path where Nexus application data is stored -nexus_fqdn: "{{ fqdn | default(ansible_fqdn) }}" # FQDN of the Nexus server, usually comes from Providentia or all.yml +nexus_fqdn: "{{ fqdn | default(ansible_facts.fqdn) }}" # FQDN of the Nexus server, usually comes from Providentia or all.yml nexus_configure: false # Set to true to also configure Nexus after installation nexus_configure_ldap: false # Set to true to also configure LDAP after installation nexus_create_repos: false # Set to true to also create default repositories after installation diff --git a/nova/core/roles/os_configuration/tasks/linux.yml b/nova/core/roles/os_configuration/tasks/linux.yml index 7198d6ef8..6d3ae03ea 100644 --- a/nova/core/roles/os_configuration/tasks/linux.yml +++ b/nova/core/roles/os_configuration/tasks/linux.yml @@ -1,8 +1,4 @@ --- -- name: Including Linux in Cloud configuration tasks... - ansible.builtin.include_tasks: linux_cloud.yml - when: infra_env in os_configuration_cloud_envs - - name: Adding temp hostname... # This is so that sudo will not hang due to unknown hostname ansible.builtin.lineinfile: dest: /etc/hosts @@ -33,8 +29,8 @@ name: "{{ os_configuration_locale }}" state: present when: - - ansible_os_family != 'RedHat' - - ansible_os_family != 'Alpine' + - ansible_facts.os_family != 'RedHat' + - ansible_facts.os_family != 'Alpine' # For latest Debian versions the localectl command gives access denied so using lineinfile - name: Setting the default locale... 
@@ -44,7 +40,7 @@ line: LANG={{ os_configuration_locale }} mode: "0644" create: true - when: ansible_os_family != 'Alpine' + when: ansible_facts.os_family != 'Alpine' - name: Setting the default locale for Alpine... ansible.builtin.copy: @@ -52,7 +48,7 @@ export LANG={{ os_configuration_locale }} dest: /etc/profile.d/locale.sh mode: "0755" - when: ansible_os_family == 'Alpine' + when: ansible_facts.os_family == 'Alpine' - name: Enabling SSH forwarding for sudo... ansible.builtin.lineinfile: @@ -86,7 +82,7 @@ - name: Set NTP server for Debian and Archlinux like OS... when: - ntp_servers != [] - - ansible_os_family in [ "Debian", "Archlinux" ] + - ansible_facts.os_family in [ "Debian", "Archlinux" ] block: - name: Check if timesyncd.conf file exists... ansible.builtin.stat: @@ -110,7 +106,7 @@ - name: Set NTP server for ReadHat like OS... when: - ntp_servers != [] - - ansible_os_family in [ "RedHat" ] + - ansible_facts.os_family in [ "RedHat" ] block: - name: Check if chrony.conf file exists... ansible.builtin.stat: @@ -141,7 +137,7 @@ - name: Set NTP server for Alpine... when: - ntp_servers != [] - - ansible_os_family in ["Alpine"] + - ansible_facts.os_family in ["Alpine"] block: - name: Configuring NTP in /etc/conf.d/ntpd... ansible.builtin.copy: @@ -149,7 +145,7 @@ NTPD_OPTS="-s {{ ntp_servers | join(' -s ') }}" dest: /etc/conf.d/ntpd mode: "0644" - when: ansible_os_family == 'Alpine' + when: ansible_facts.os_family == 'Alpine' - name: Waiting until {{ wait_for_address }} is reachable... ansible.builtin.wait_for: @@ -183,7 +179,7 @@ - name: Restarting required services... # noqa: no-handler when: - regenerate_machine_id.changed - - ansible_os_family != 'Alpine' + - ansible_facts.os_family != 'Alpine' block: - name: Checking if systemd-journald service exists... ansible.builtin.systemd: 
@@ -206,3 +202,7 @@
 name: NetworkManager.service
 state: restarted
 when: networkmanager_service_exists.status.LoadState in ["enabled", "loaded"]
+
+- name: Including Linux in Cloud configuration tasks...
+ ansible.builtin.include_tasks: linux_cloud.yml
+ when: infra_env in os_configuration_cloud_envs
diff --git a/nova/core/roles/os_configuration/tasks/linux_cloud.yml b/nova/core/roles/os_configuration/tasks/linux_cloud.yml
index d986cc687..e6e836ddf 100644
--- a/nova/core/roles/os_configuration/tasks/linux_cloud.yml
+++ b/nova/core/roles/os_configuration/tasks/linux_cloud.yml
@@ -1,44 +1,67 @@ --- -# Universal -- name: Updating SSHD MaxAuthTries for Cloud {{ inventory_hostname }}... - when: os_configuration_configure_ssh_maxauthtries - block: - - name: Setting SSHD MaxAuthTries to {{ os_configuration_ssh_maxauthtries }}... - ansible.builtin.replace: - dest: /etc/ssh/sshd_config - regexp: .*MaxAuthTries.* - replace: MaxAuthTries {{ os_configuration_ssh_maxauthtries }} - register: maxauthtries - - - name: Restarting SSHD... # noqa: no-handler - ansible.builtin.systemd: - name: "{{ os_configuration_os_family_service_name[ansible_os_family] | default('sshd') }}" - state: restarted - when: maxauthtries.changed - -# AWS -- name: Cleaning up {{ infra_env }} configurations for {{ inventory_hostname }}... - when: infra_env in os_configuration_cloud_envs - block: - - name: Removing cloud managed hostname... - ansible.builtin.replace: - dest: /etc/cloud/cloud.cfg - regexp: ^ - update_etc_hosts - replace: "# - update_etc_hosts" +- name: Removing cloud managed hostname... + ansible.builtin.replace: + dest: /etc/cloud/cloud.cfg + regexp: ^ - update_etc_hosts + replace: "# - update_etc_hosts" - name: Installing Gnome for Ubuntu Desktop... - ansible.builtin.apt: - name: ubuntu-gnome-desktop - state: present - update_cache: true when: group_names | intersect(["os_ubuntu_desktop_20_04", "os_ubuntu_desktop_22_04", "os_ubuntu_desktop_24_04"]) | length > 0 + block: + - name: Trying to install Gnome... + block: + # The Gnome installation can fail if the OS is not fully up-to-date + - name: Including nova.core.updates role... + ansible.builtin.include_role: + name: nova.core.updates + + - name: Installing Gnome... + ansible.builtin.apt: + name: ubuntu-gnome-desktop + state: present + update_cache: true + + rescue: + - name: Restarting {{ custom_vm_name | default(vm_name) }} VM... + ansible.builtin.include_role: + name: nova.core.powerstate + vars: + restart: true + + - name: Retrying Gnome installation... 
+ ansible.builtin.apt: + name: ubuntu-gnome-desktop + state: present + update_cache: true - name: Installing Xfce for Kali... - ansible.builtin.apt: - name: kali-desktop-xfce - state: present - update_cache: true - when: ansible_distribution == "Kali" + when: ansible_facts.distribution == "Kali" + block: + - name: Trying to install Xfce... + block: + # The Xfce installation can fail if the OS is not fully up-to-date + - name: Including nova.core.updates role... + ansible.builtin.include_role: + name: nova.core.updates + + - name: Installing Xfce... + ansible.builtin.apt: + name: kali-desktop-xfce + state: present + update_cache: true + + rescue: + - name: Restarting {{ custom_vm_name | default(vm_name) }} VM... + ansible.builtin.include_role: + name: nova.core.powerstate + vars: + restart: true + + - name: Retrying Xfce installation... + ansible.builtin.apt: + name: kali-desktop-xfce + state: present + update_cache: true - name: Including XRDP roles... ansible.builtin.include_role: diff --git a/nova/core/roles/os_configuration/tasks/main.yml b/nova/core/roles/os_configuration/tasks/main.yml index 946414065..2cc931cad 100644 --- a/nova/core/roles/os_configuration/tasks/main.yml +++ b/nova/core/roles/os_configuration/tasks/main.yml @@ -5,13 +5,11 @@ - infra_env != "my_host" # my_host is computer where you run the play from block: - name: Configuring non-Network OS ... - when: - - ansible_network_os is not defined - - "'os_macos' not in group_names" + when: ansible_network_os is not defined block: - name: Including Windows configuration tasks... ansible.builtin.include_tasks: windows.yml - when: ansible_system == "Win32NT" + when: ansible_facts.system | default('') == "Win32NT" # This needs to be before the Linux tasks # Because Proxmox might have specific cluster configuration tasks 
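Review bot: The `rescue` in both the Gnome and the Xfce block discards the first failure: the VM is restarted and the install retried, but nothing records what went wrong, so when the retry fails too the operator only sees the second error; a first rescue step `- name: Showing why the installation failed...` / `ansible.builtin.debug:` / `msg: "{{ ansible_failed_result }}"` keeps it. The two blocks are otherwise identical apart from the package name and the `when`, so a shared include parameterised by the package would halve the file. The SSHD MaxAuthTries block removed here (and from windows_cloud.yml) has no replacement in this diff; if it moved to another role, the `os_configuration_configure_ssh_maxauthtries`, `os_configuration_ssh_maxauthtries` and `os_configuration_os_family_service_name` defaults should be dropped or marked deprecated, which this diff does not show.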
@@ -21,11 +19,16 @@ - name: Including Linux configuration tasks... ansible.builtin.include_tasks: linux.yml - when: ansible_system == "Linux" + when: ansible_facts.system | default('') == "Linux" - name: Including FreeBSD configuration tasks... ansible.builtin.include_tasks: freebsd.yml - when: ansible_system == "FreeBSD" + when: ansible_facts.system | default('') == "FreeBSD" + + - name: Including MacOS configuration tasks... + ansible.builtin.include_tasks: macos.yml + when: ansible_facts.system | default('') == "Darwin" + or ansible_custom_facts.system | default('') == "Darwin" - name: Configuring Network OS... when: ansible_network_os is defined @@ -58,10 +61,6 @@ ansible.builtin.include_tasks: panos.yml when: ansible_network_os == 'panos' - - name: Including MacOS configuration tasks... - ansible.builtin.include_tasks: macos.yml - when: "'os_macos' in group_names" - # Since there can be so many different partitioning methods and file systems we'll leave to the user to create a role that matches their templates # When `os_configuration_expand_os_disk_role_name` variable is defined then the role will be included here - name: Including OS disk expansion role... diff --git a/nova/core/roles/os_configuration/tasks/routeros.yml b/nova/core/roles/os_configuration/tasks/routeros.yml index 776a48462..a45dafd33 100644 --- a/nova/core/roles/os_configuration/tasks/routeros.yml +++ b/nova/core/roles/os_configuration/tasks/routeros.yml @@ -10,7 +10,7 @@ commands: - /system ntp client set enabled=yes server-dns-names={{ ntp_servers[0] }} primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0 when: - - ansible_net_version.startswith('6') + - ansible_facts.net_version.startswith('6') - not ntp_servers[0] | ansible.utils.ipaddr # Setting NTP servers for RouterOS when NTP server is an IP address 
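Review bot: The new macOS include condition relies on `ansible_custom_facts.system`, which is not a built-in variable and is not set anywhere in this diff; a comment naming its origin would help the next reader, e.g. `# ansible_custom_facts is expected to be set elsewhere for hosts where regular fact gathering is unavailable — TODO confirm where`. Presumably it covers Pythonless macOS hosts, but that is inferred. Removing `'os_macos' not in group_names` from the enclosing block means macOS hosts now also pass through the Windows, Linux and FreeBSD includes, which only stays correct because each of those is guarded by `ansible_facts.system | default('')`.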
@@ -20,14 +20,14 @@ - /system ntp client set enabled=yes server-dns-names="" primary-ntp={{ ntp_servers[0] }} secondary-ntp={{ ntp_servers[1] | default(ntp_servers[0]) }} when: - - ansible_net_version.startswith('6') + - ansible_facts.net_version.startswith('6') - ntp_servers[0] | ansible.utils.ipaddr != false - name: Setting NTP servers for RouterOS 7... community.routeros.command: commands: - /system ntp client set enabled=yes servers={{ ntp_servers | join(",") }} - when: ansible_net_version.startswith('7') + when: ansible_facts.net_version.startswith('7') - name: Generating new system ID for license... community.routeros.command: diff --git a/nova/core/roles/os_configuration/tasks/windows_cloud.yml b/nova/core/roles/os_configuration/tasks/windows_cloud.yml index c4a67437b..866cfd023 100644 --- a/nova/core/roles/os_configuration/tasks/windows_cloud.yml +++ b/nova/core/roles/os_configuration/tasks/windows_cloud.yml @@ -5,22 +5,4 @@ name: Shell data: PowerShell.exe -NoExit type: string - when: ansible_os_installation_type == 'Server Core' - -# SSHD Configuration -# This to avoid errors when someone has more that 6 SSH keys in their agent -- name: Updating SSHD MaxAuthTries for Cloud {{ inventory_hostname }}... - when: os_configuration_configure_ssh_maxauthtries - block: - - name: Increasing SSHD MaxAuthTries to {{ os_configuration_ssh_maxauthtries }}... - community.windows.win_lineinfile: - path: C:\ProgramData\ssh\sshd_config - regexp: .*MaxAuthTries.* - line: MaxAuthTries {{ os_configuration_ssh_maxauthtries }} - register: maxauthtries - - - name: Restarting SSHD... # noqa: no-handler - ansible.windows.win_service: - name: sshd - state: restarted - when: maxauthtries.changed + when: ansible_facts.os_installation_type == 'Server Core' diff --git a/nova/core/roles/os_configuration/templates/regenerate-machine-id.sh b/nova/core/roles/os_configuration/templates/regenerate-machine-id.sh index 106ae0e26..10116fcce 100644 
--- a/nova/core/roles/os_configuration/templates/regenerate-machine-id.sh +++ b/nova/core/roles/os_configuration/templates/regenerate-machine-id.sh @@ -14,7 +14,7 @@ if [ -z "$(grep -r {{ hostname }} /etc/ssh/)" ]; then ssh-keygen -A rm -f /etc/machine-id - {% if ansible_os_family | default(true) not in ["Alpine"] %} + {% if ansible_facts.os_family | default(true) not in ["Alpine"] %} systemd-machine-id-setup # Restarting SSH service diff --git a/nova/core/roles/secrets_to_vault/README.md b/nova/core/roles/secrets_to_vault/README.md index 1b46f6b13..f49ab8373 100644 --- a/nova/core/roles/secrets_to_vault/README.md +++ b/nova/core/roles/secrets_to_vault/README.md 
@@ -28,6 +28,32 @@ Refer to [defaults/main.yml](https://github.com/novateams/nova.core/blob/main/no ## Example +### Saving accounts passwords or pre-deployment secrets to Vault + +```yaml +# In group_vars/all.yml or host_vars/hostname.yml +# Defining the admin accounts for the group or host and saving them to Vault on a very early stage of the deployment +admin_accounts: + - username: admin # REQUIRED + password: password1 # OPTIONAL, will be autogenerated if not defined + save_password_to_vault: true # OPTIONAL, default: true, set to false to skip saving this account password to Vault + secrets_vault_engine_path: secrets # OPTIONAL, default: value of secrets_vault_engine_path on a project level + secrets_vault_secrets_path: admins # OPTIONAL, default: value of secrets_vault_secrets_path on a project level +``` + +```yaml +# In group_vars/all.yml or host_vars/hostname.yml +# Defining secrets to save to Vault on a very early stage of the deployment +secrets_to_vault_pre_deploy_secrets: + - key: db_user # REQUIRED + value: pass1 # OPTIONAL, will be autogenerated if not defined + secrets_vault_engine_path: db_secrets # OPTIONAL, default: value of secrets_vault_engine_path on a project level + secrets_vault_secrets_path: database # OPTIONAL, default: value of secrets_vault_secrets_path on a project level + autogenerated_secret: true # OPTIONAL, default: false, set to true to overwrite any existing secret with the same key +``` + +### Passing the secrets list to the role + ```yaml - name: Saving secrets to Vault... ansible.builtin.include_role: diff --git a/nova/core/roles/secrets_to_vault/defaults/main.yml b/nova/core/roles/secrets_to_vault/defaults/main.yml index 000555807..0b96829eb 100644 --- a/nova/core/roles/secrets_to_vault/defaults/main.yml +++ b/nova/core/roles/secrets_to_vault/defaults/main.yml 
@@ -17,9 +17,13 @@ domain_user_accounts: [] # Secrets # ########### -# List of secrets to save to Vault before deploying the host, can be defined in group_vars, host_vars or passed as role vars +# List of key: value to pass to this role to save to Vault +# Refer to the README.md for examples secrets: [] +# List of key: value to pass to this role to save to Vault before deployment starts +# This is useful for secrets that are needed in a very early stage of the deployment +# Refer to the README.md for examples secrets_to_vault_pre_deploy_secrets: [] # When the value in the accounts, secrets or secrets_to_vault_pre_deploy_secrets list is not defined. @@ -30,6 +34,7 @@ secrets_to_vault_autogenerated_key_secret: # Set to true if you want to overwrite existing secret otherwise the task will skip saving the secret # autogenerated_secret can also be set per item in the secrets list +# autogenerated_secret can also be set per item in the secrets_to_vault_pre_deploy_secrets, secrets or accounts list autogenerated_secret: false # Combine the above variables to create the full path to the secrets based on Vault's API. diff --git a/nova/core/roles/secrets_to_vault/tasks/check_and_add.yml b/nova/core/roles/secrets_to_vault/tasks/check_and_add.yml new file mode 100644 index 000000000..cc6f901f7 --- /dev/null +++ b/nova/core/roles/secrets_to_vault/tasks/check_and_add.yml 
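Review bot: The new comment `# autogenerated_secret can also be set per item in the secrets_to_vault_pre_deploy_secrets, secrets or accounts list` is added directly below the old `# autogenerated_secret can also be set per item in the secrets list`, which it supersedes; replace the old line instead of keeping both, so the two do not drift apart later.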
@@ -0,0 +1,69 @@ +--- +- name: Including secrets save tasks... + delegate_to: localhost + become: false + block: + - name: Listing all secrets in {{ secrets_by_group | map(attribute='vault_path') | first }}... + ansible.builtin.uri: + url: "{{ secrets_by_group | map(attribute='vault_path') | first }}" + method: GET + headers: + X-Vault-Request: true + X-Vault-Token: "{{ vault_access_token | default(auth.json.auth.client_token) }}" + body_format: json + validate_certs: "{{ validate_vault_certs }}" + status_code: + - 200 + - 404 + register: existing_secrets + + - name: Creating {{ secrets_by_group | map(attribute='vault_path') | first }} path... + ansible.builtin.uri: + url: "{{ secrets_by_group | map(attribute='vault_path') | first }}" + method: POST + headers: + X-Vault-Request: true + X-Vault-Token: "{{ vault_access_token | default(auth.json.auth.client_token) }}" + body: + data: {} + validate_certs: "{{ validate_vault_certs }}" + body_format: json + when: existing_secrets.status == 404 + + - name: Updating following secrets in {{ secrets_by_group | map(attribute='vault_path') | first }}... + ansible.builtin.uri: + url: "{{ secrets_by_group | map(attribute='vault_path') | first }}" + method: PATCH + headers: + X-Vault-Request: true + X-Vault-Token: "{{ vault_access_token | default(auth.json.auth.client_token) }}" + Content-Type: application/merge-patch+json + body: "{{ {'data': {account_key_name if sct.username is defined else sct.key: + (sct.value | default(sct.password) | default(secrets_to_vault_autogenerated_key_secret))}} }}" + body_format: json + validate_certs: "{{ validate_vault_certs }}" + loop: "{{ secrets_by_group }}" + loop_control: + loop_var: sct + label: "{{ account_key_name if sct.username is defined else sct.key }}" + when: autogenerated_secret or sct.autogenerated_secret | default(false) + + - name: Saving following secrets to {{ secrets_by_group | map(attribute='vault_path') | first }}... 
+ ansible.builtin.uri: + url: "{{ secrets_by_group | map(attribute='vault_path') | first }}" + method: PATCH + headers: + X-Vault-Request: true + X-Vault-Token: "{{ vault_access_token | default(auth.json.auth.client_token) }}" + Content-Type: application/merge-patch+json + body: "{{ {'data': {account_key_name if sct.username is defined else sct.key: + (sct.value | default(sct.password) | default(secrets_to_vault_autogenerated_key_secret))}} }}" + body_format: json + validate_certs: "{{ validate_vault_certs }}" + loop: "{{ secrets_by_group }}" + loop_control: + loop_var: sct + label: "{{ account_key_name if sct.username is defined else sct.key }}" + when: + - existing_secrets.status == 404 or (account_key_name if sct.username is defined else sct.key) not in existing_secrets.json.data.data | default([]) + - not autogenerated_secret or not sct.autogenerated_secret | default(false) diff --git a/nova/core/roles/secrets_to_vault/tasks/check_and_prepare_vault.yml b/nova/core/roles/secrets_to_vault/tasks/check_and_prepare_vault.yml deleted file mode 100644 index ddb032045..000000000 --- a/nova/core/roles/secrets_to_vault/tasks/check_and_prepare_vault.yml +++ /dev/null 
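Review bot: All four `uri` tasks send the Vault token in `headers` and the two PATCH tasks send the secret value in `body`, yet none of them sets `no_log: true`, so a failed request or a `-v` run prints both in the task result (`loop_control.label` only trims the per-item line, not the failure dump); add `no_log: true` to at least the two PATCH tasks. Separately, the deleted save_account_password.yml special-cased passwords matching `__omit_place_holder__` before falling back to `secrets_to_vault_autogenerated_key_secret`, and the new `sct.value | default(sct.password) | default(...)` chain drops that guard; on Ansible versions where an omitted value is still a placeholder string, such a password would be stored literally, so check the collection's minimum Ansible version before relying on the simpler chain. The "Updating" and "Saving" tasks also both fire for an item when exactly one of `autogenerated_secret` and `sct.autogenerated_secret` is true (`not a or not b` only excludes the case where both are true), which the old files had as well; harmless but a duplicate write.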
@@ -1,45 +0,0 @@ ---- -- name: Including Vault preparation tasks... - delegate_to: localhost - become: false - block: - - name: Checking if {{ sct.secrets_vault_engine_path | default(secrets_vault_engine_path) }}/data/{{ - sct.secrets_vault_secrets_path | default(secrets_vault_secrets_path) }} path already exists... - ansible.builtin.uri: - url: "{{ secrets_vault_data_fullpath }}" - method: GET - headers: - X-Vault-Request: true - X-Vault-Token: "{{ vault_access_token | default(auth.json.auth.client_token) }}" - body_format: json - status_code: - - 200 - - 404 - validate_certs: "{{ validate_vault_certs }}" - register: secrets_path - - - name: Creating {{ sct.secrets_vault_engine_path | default(secrets_vault_engine_path) }}/data/{{ - sct.secrets_vault_secrets_path | default(secrets_vault_secrets_path) }} path... - ansible.builtin.uri: - url: "{{ secrets_vault_data_fullpath }}" - method: POST - headers: - X-Vault-Request: true - X-Vault-Token: "{{ vault_access_token | default(auth.json.auth.client_token) }}" - body: - data: {} - validate_certs: "{{ validate_vault_certs }}" - body_format: json - when: secrets_path.status == 404 - - - name: Listing all secrets in {{ sct.secrets_vault_engine_path | default(secrets_vault_engine_path) }}/data/{{ - sct.secrets_vault_secrets_path | default(secrets_vault_secrets_path) }}... - ansible.builtin.uri: - url: "{{ secrets_vault_data_fullpath }}" - method: GET - headers: - X-Vault-Request: true - X-Vault-Token: "{{ vault_access_token | default(auth.json.auth.client_token) }}" - body_format: json - validate_certs: "{{ validate_vault_certs }}" - register: existing_secrets diff --git a/nova/core/roles/secrets_to_vault/tasks/main.yml b/nova/core/roles/secrets_to_vault/tasks/main.yml index c3758d82e..41868516e 100644 --- a/nova/core/roles/secrets_to_vault/tasks/main.yml +++ b/nova/core/roles/secrets_to_vault/tasks/main.yml 
@@ -13,40 +13,15 @@ become: false when: vault_access_token is not defined # This usually comes from nova.core.deploy_vars role -# This usually get's defined in group_vars or host_vars -- name: Including save pre secrets tasks for secrets... - ansible.builtin.include_tasks: save_pre_secrets.yml - loop: "{{ secrets_to_vault_pre_deploy_secrets }}" - loop_control: - loop_var: sct - label: "{{ sct.key }}" - when: - - secrets_to_vault_pre_deploy_secrets != [] - - secrets == [] +- name: Including pre-secrets and accounts save tasks... + ansible.builtin.include_tasks: save_pre_secrets_and_accounts.yml + when: secrets == [] -# This usually get's passed as a variable to the role - name: Including save secrets tasks for secrets... ansible.builtin.include_tasks: save_secrets.yml - loop: "{{ secrets }}" - loop_control: - loop_var: sct - label: "{{ sct.key }}" when: secrets != [] -# Combine all account types to one list -# Since this can use Vault lookups, we want to avoid evaluating it unless needed -# For that reason, this variable is set by set_fact instead of defaults/main.yml -- name: Setting accounts variable +# This is needed so that the fact does not persist when including this role multiple times +- name: Clearing secrets_to_vault_enriched_list fact... ansible.builtin.set_fact: - accounts: "{{ user_accounts + admin_accounts + domain_user_accounts }}" - -- name: Including accounts save secrets tasks... - ansible.builtin.include_tasks: save_account_password.yml - loop: "{{ accounts if secrets == [] else [] }}" # This is to avoid evaluating Vault lookups when not saving account passwords to Vault - loop_control: - loop_var: sct - label: "{{ sct.username }}" - when: - - secrets == [] - - customization_context == "host" # Alternative is container that doesn't need this task because it's running on the host - - sct.save_password_to_vault | default(true) + secrets_to_vault_enriched_list: [] 
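Review bot: Clearing `secrets_to_vault_enriched_list` only at the end of main.yml leaves stale entries behind when an earlier include fails mid-role, and the next inclusion of the role then appends to them because both include files use `| default([])` when appending. Resetting the fact before the two includes instead, `- name: Resetting secrets_to_vault_enriched_list fact...` / `ansible.builtin.set_fact:` / `secrets_to_vault_enriched_list: []`, is robust in both cases and the trailing reset becomes unnecessary.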
diff --git a/nova/core/roles/secrets_to_vault/tasks/save_account_password.yml b/nova/core/roles/secrets_to_vault/tasks/save_account_password.yml deleted file mode 100644 index 8f5f09706..000000000 --- a/nova/core/roles/secrets_to_vault/tasks/save_account_password.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -- name: Including Vault preparation tasks... - ansible.builtin.include_tasks: check_and_prepare_vault.yml - -# Use the commented out body can be used when moving to Ansible >= 2.19 -- name: - Saving {{ sct.username }} password to {{ sct.secrets_vault_engine_path | default(secrets_vault_engine_path) }}/{{ - sct.secrets_vault_secrets_path | default(secrets_vault_secrets_path) }}... - ansible.builtin.uri: - url: "{{ secrets_vault_data_fullpath }}" - method: PATCH - headers: - X-Vault-Request: true - X-Vault-Token: "{{ vault_access_token | default(auth.json.auth.client_token) }}" - Content-Type: application/merge-patch+json - # body: "{{ {'data': {account_key_name: (sct.password | default(secrets_to_vault_autogenerated_key_secret))}} }}" - body: - "{{ {'data': {account_key_name: (secrets_to_vault_autogenerated_key_secret if sct.password is not defined or sct.password - | regex_search('.*__omit_place_holder__.*') else sct.password)}} }}" - body_format: json - validate_certs: "{{ validate_vault_certs }}" - when: account_key_name not in existing_secrets.json.data.data - delegate_to: localhost - become: false diff --git a/nova/core/roles/secrets_to_vault/tasks/save_pre_secrets.yml b/nova/core/roles/secrets_to_vault/tasks/save_pre_secrets.yml deleted file mode 100644 index 60ba13468..000000000 --- a/nova/core/roles/secrets_to_vault/tasks/save_pre_secrets.yml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -- name: Including Vault preparation tasks... - ansible.builtin.include_tasks: check_and_prepare_vault.yml - -- name: Saving pre-deploy {{ sct.key }} to {{ sct.secrets_vault_engine_path - | default(secrets_vault_engine_path) }}/{{ sct.secrets_vault_secrets_path | default(secrets_vault_secrets_path) }}... - ansible.builtin.uri: - url: "{{ secrets_vault_data_fullpath }}" - method: PATCH - headers: - X-Vault-Request: true - X-Vault-Token: "{{ vault_access_token | default(auth.json.auth.client_token) }}" - Content-Type: application/merge-patch+json - body: "{{ {'data': {sct.key: (sct.value | default(secrets_to_vault_autogenerated_key_secret))}} }}" - body_format: json - validate_certs: "{{ validate_vault_certs }}" - delegate_to: localhost - become: false - when: autogenerated_secret or sct.autogenerated_secret | default(false) - -- name: Saving pre-deploy {{ sct.key }} to {{ sct.secrets_vault_engine_path - | default(secrets_vault_engine_path) }}/{{ sct.secrets_vault_secrets_path | default(secrets_vault_secrets_path) }}... - ansible.builtin.uri: - url: "{{ secrets_vault_data_fullpath }}" - method: PATCH - headers: - X-Vault-Request: true - X-Vault-Token: "{{ vault_access_token | default(auth.json.auth.client_token) }}" - Content-Type: application/merge-patch+json - body: "{{ {'data': {sct.key: (sct.value | default(secrets_to_vault_autogenerated_key_secret))}} }}" - body_format: json - validate_certs: "{{ validate_vault_certs }}" - delegate_to: localhost - become: false - when: - - sct.key not in existing_secrets.json.data.data - - not autogenerated_secret or not sct.autogenerated_secret | default(false) diff --git a/nova/core/roles/secrets_to_vault/tasks/save_pre_secrets_and_accounts.yml b/nova/core/roles/secrets_to_vault/tasks/save_pre_secrets_and_accounts.yml new file mode 100644 index 000000000..db5029c4b --- /dev/null +++ b/nova/core/roles/secrets_to_vault/tasks/save_pre_secrets_and_accounts.yml 
@@ -0,0 +1,26 @@ +--- +# Combine all account types to one list +# Since this can use Vault lookups, we want to avoid evaluating it unless needed +# For that reason, this variable is set by set_fact instead of defaults/main.yml +# Also only set if customization_context is host meaning not saving account passwords for containers +- name: Setting accounts variable + ansible.builtin.set_fact: + accounts: "{{ (user_accounts + admin_accounts + domain_user_accounts) if customization_context == 'host' else [] }}" + +- name: Appending Vault path to each secret... + ansible.builtin.set_fact: + secrets_to_vault_enriched_list: "{{ secrets_to_vault_enriched_list | default([]) + [sct | combine({'vault_path': secrets_vault_data_fullpath})] }}" + loop: "{{ accounts + secrets_to_vault_pre_deploy_secrets }}" + loop_control: + loop_var: sct + label: "{{ sct.key | default(sct.username) }}" + when: sct.save_password_to_vault | default(true) + +# This loop will group the secrets by their vault_path to to avoid running requests multiple times for the same path +- name: Including check and add secrets tasks... + ansible.builtin.include_tasks: check_and_add.yml + loop: "{{ secrets_to_vault_enriched_list | default([]) | ansible.builtin.groupby('vault_path') | list | map(attribute='1') | list }}" + loop_control: + loop_var: secrets_by_group + label: "{{ secrets_by_group | map(attribute='vault_path') | first }}" + when: secrets_to_vault_enriched_list != [] diff --git a/nova/core/roles/secrets_to_vault/tasks/save_secrets.yml b/nova/core/roles/secrets_to_vault/tasks/save_secrets.yml index 179cc3471..68e3e4c82 100644 --- a/nova/core/roles/secrets_to_vault/tasks/save_secrets.yml +++ b/nova/core/roles/secrets_to_vault/tasks/save_secrets.yml 
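Review bot: `secrets_to_vault_enriched_list` now carries account passwords and pre-deploy secret values, and `set_fact` returns the whole fact under `ansible_facts` in its result, so verbose output prints every value; `no_log: true` on the append task avoids that (the same applies to save_secrets.yml). The comment `# This loop will group the secrets by their vault_path to to avoid running requests multiple times for the same path` has a doubled `to`, in both files. The closing `when: secrets_to_vault_enriched_list != []` is redundant with the `| default([])` in the loop, since an empty loop is already skipped, and unlike the loop it has no default, so the two lines disagree on whether the fact may be undefined.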
@@ -1,37 +1,16 @@ --- -- name: Including Vault preparation tasks... - ansible.builtin.include_tasks: check_and_prepare_vault.yml +- name: Appending Vault path to each secret... + ansible.builtin.set_fact: + secrets_to_vault_enriched_list: "{{ secrets_to_vault_enriched_list | default([]) + [sct | combine({'vault_path': secrets_vault_data_fullpath})] }}" + loop: "{{ secrets }}" + loop_control: + loop_var: sct + label: "{{ sct.key }}" -- name: Saving autogenerated {{ sct.key }} {{ sct.secrets_vault_engine_path - | default(secrets_vault_engine_path) }}/{{ sct.secrets_vault_secrets_path | default(secrets_vault_secrets_path) }}... - ansible.builtin.uri: - url: "{{ secrets_vault_data_fullpath }}" - method: PATCH - headers: - X-Vault-Request: true - X-Vault-Token: "{{ vault_access_token | default(auth.json.auth.client_token) }}" - Content-Type: application/merge-patch+json - body: "{{ {'data': {sct.key: (sct.value | default(secrets_to_vault_autogenerated_key_secret))}} }}" - body_format: json - validate_certs: "{{ validate_vault_certs }}" - delegate_to: localhost - become: false - when: autogenerated_secret or sct.autogenerated_secret | default(false) - -- name: Saving {{ sct.key }} to {{ sct.secrets_vault_engine_path - | default(secrets_vault_engine_path) }}/{{ sct.secrets_vault_secrets_path | default(secrets_vault_secrets_path) }}... 
- ansible.builtin.uri: - url: "{{ secrets_vault_data_fullpath }}" - method: PATCH - headers: - X-Vault-Request: true - X-Vault-Token: "{{ vault_access_token | default(auth.json.auth.client_token) }}" - Content-Type: application/merge-patch+json - body: "{{ {'data': {sct.key: (sct.value | default(secrets_to_vault_autogenerated_key_secret))}} }}" - body_format: json - validate_certs: "{{ validate_vault_certs }}" - delegate_to: localhost - become: false - when: - - sct.key not in existing_secrets.json.data.data - - not autogenerated_secret or not sct.autogenerated_secret | default(false) +# This loop will group the secrets by their vault_path to to avoid running requests multiple times for the same path +- name: Including check and add secrets tasks... + ansible.builtin.include_tasks: check_and_add.yml + loop: "{{ secrets_to_vault_enriched_list | ansible.builtin.groupby('vault_path') | list | map(attribute='1') | list }}" + loop_control: + loop_var: secrets_by_group + label: "{{ secrets_by_group | map(attribute='vault_path') | first }}" diff --git a/nova/core/roles/snapshots/proxmox/snapshot.yml b/nova/core/roles/snapshots/proxmox/snapshot.yml index 28c46656c..6acdb54eb 100644 --- a/nova/core/roles/snapshots/proxmox/snapshot.yml +++ b/nova/core/roles/snapshots/proxmox/snapshot.yml 
@@ -30,8 +30,8 @@ hostname: "{{ custom_vm_name | default(vm_name) }}" state: present # Using Snapshot- prefix and regex_replace tp make sure the default snapshot name fit's the Proxmox naming convention - snapname: "{{ snapshot_name | default('Snapshot-' + ansible_date_time.iso8601) | regex_replace(':', '-') }}" - description: Created at {{ ansible_date_time.iso8601 | regex_replace(':', '-') }} by {{ project_deployer_username | default(deployer_username) }} + snapname: "{{ snapshot_name | default('Snapshot-' + ansible_facts.date_time.iso8601) | regex_replace(':', '-') }}" + description: Created at {{ ansible_facts.date_time.iso8601 | regex_replace(':', '-') }} by {{ project_deployer_username | default(deployer_username) }} retention: "{{ 1 if snapshot_mode == 'clean-snap' else omit }}" vmstate: "{{ true if live_snap else false }}" # Memory dump timeout: "{{ proxmox_machine_operations_operation_timeout }}" diff --git a/nova/core/roles/snapshots/vmware_workstation/revert.yml b/nova/core/roles/snapshots/vmware_workstation/revert.yml index 0e696ba0a..3b8f5cbed 100644 --- a/nova/core/roles/snapshots/vmware_workstation/revert.yml +++ b/nova/core/roles/snapshots/vmware_workstation/revert.yml @@ -1,4 +1,9 @@ --- +- name: NO SNAPSHOTS FOUND + when: (all_snapshots.stdout | from_yaml).snapshots == [] + ansible.builtin.debug: + msg: No snapshots found for {{ inventory_hostname }}, skipping revert. + - name: Reverting to snapshot... when: (all_snapshots.stdout | from_yaml).snapshots != [] block: 
@@ -28,13 +33,11 @@ changed_when: true when: snapshot_name is not defined - - name: Reverting to {{ snapshot_name }} snapshot... + - name: Reverting to {{ snapshot_name | default('') }} snapshot... + ansible.builtin.command: vmcli snapshot revert {{ (all_snapshots.stdout | from_yaml).snapshots + | selectattr('displayName', 'equalto', snapshot_name) | map(attribute='uid') | first }} {{ vmware_workstation.local_vmx_path }} + changed_when: true when: snapshot_name is defined - block: - - name: Reverting to {{ snapshot_name }} snapshot... - ansible.builtin.command: vmcli snapshot revert {{ (all_snapshots.stdout | from_yaml).snapshots - | selectattr('displayName', 'equalto', snapshot_name) | map(attribute='uid') | first }} {{ vmware_workstation.local_vmx_path }} - changed_when: true - name: Starting {{ inventory_hostname }}... ansible.builtin.command: vmcli power start {{ vmware_workstation.local_vmx_path }} diff --git a/nova/core/roles/snapshots/vmware_workstation/snapshot.yml b/nova/core/roles/snapshots/vmware_workstation/snapshot.yml index f7ebc1d9c..c76938895 100644 --- a/nova/core/roles/snapshots/vmware_workstation/snapshot.yml +++ b/nova/core/roles/snapshots/vmware_workstation/snapshot.yml @@ -12,5 +12,5 @@ - snapshot_mode == 'clean-snap' - name: Creating a snapshot... - ansible.builtin.command: vmcli snapshot take {{ snapshot_name | default(ansible_date_time.iso8601) }} {{ vmware_workstation.local_vmx_path }} + ansible.builtin.command: vmcli snapshot take {{ snapshot_name | default(ansible_facts.date_time.iso8601) }} {{ vmware_workstation.local_vmx_path }} changed_when: true diff --git a/nova/core/roles/snapshots/vsphere/snapshot.yml b/nova/core/roles/snapshots/vsphere/snapshot.yml index 6ad4a8165..5e0efaa47 100644 --- a/nova/core/roles/snapshots/vsphere/snapshot.yml +++ b/nova/core/roles/snapshots/vsphere/snapshot.yml 
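Review bot: When `snapshot_name` is defined but no snapshot with that exact `displayName` exists, the `| first` in the new revert command fails with Jinja's generic "No first item, sequence was empty" instead of a message naming the missing snapshot, and `selectattr(..., 'equalto', ...)` is a case-sensitive match. An `ansible.builtin.assert` ahead of the revert gives a readable failure; the enclosing `Reverting to snapshot...` block starts outside this hunk. Separately, `vmware_workstation.local_vmx_path` is interpolated unquoted into `ansible.builtin.command`, which splits its string form on whitespace, so a VMX path containing spaces would be broken into several arguments — pre-existing, but the `argv:` form would avoid it.
```yaml
    - name: Checking that {{ snapshot_name | default('') }} snapshot exists...
      ansible.builtin.assert:
        that: (all_snapshots.stdout | from_yaml).snapshots | selectattr('displayName', 'equalto', snapshot_name) | list | length > 0
        fail_msg: No snapshot named {{ snapshot_name }} found for {{ inventory_hostname }}
      when: snapshot_name is defined
    # … unchanged: Reverting to {{ snapshot_name | default('') }} snapshot... task …
```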
@@ -27,15 +27,15 @@ ansible.builtin.setup: filter: "*_time" - - name: Creating a snapshot - {{ snapshot_name | default(ansible_date_time.iso8601) }}... + - name: Creating a snapshot - {{ snapshot_name | default(ansible_facts.date_time.iso8601) }}... vmware.vmware.vm_snapshot: datacenter: "{{ datacenter }}" folder: "{{ folder }}" name: "{{ custom_vm_name | default(vm_name) }}" state: present memory_dump: "{{ true if live_snap else false }}" - snapshot_name: "{{ snapshot_name | default(ansible_date_time.iso8601) }}" - description: Created at {{ ansible_date_time.iso8601 }} by {{ project_deployer_username | default(deployer_username) }} + snapshot_name: "{{ snapshot_name | default(ansible_facts.date_time.iso8601) }}" + description: Created at {{ ansible_facts.date_time.iso8601 }} by {{ project_deployer_username | default(deployer_username) }} - name: Including powerstate role... ansible.builtin.include_role: diff --git a/nova/core/roles/template_os_configuration/tasks/debian_family.yml b/nova/core/roles/template_os_configuration/tasks/debian_family.yml index fc8bd22e0..ccff8a018 100644 --- a/nova/core/roles/template_os_configuration/tasks/debian_family.yml +++ b/nova/core/roles/template_os_configuration/tasks/debian_family.yml @@ -19,7 +19,7 @@ - libpam-ssh-agent-auth # Required when using ssh-agent for sudo state: present update-cache: true - when: ansible_distribution != 'Kali' + when: ansible_facts.distribution != 'Kali' - name: Running apt cleanup... ansible.builtin.apt: diff --git a/nova/core/roles/template_os_configuration/tasks/grub.yml b/nova/core/roles/template_os_configuration/tasks/grub.yml index dd12605d9..009314058 100644 --- a/nova/core/roles/template_os_configuration/tasks/grub.yml +++ b/nova/core/roles/template_os_configuration/tasks/grub.yml 
@@ -17,14 +17,14 @@ - name: Applying GRUB configuration... ansible.builtin.command: update-grub changed_when: true - when: ansible_os_family == "Debian" + when: ansible_facts.os_family == "Debian" - name: Applying GRUB configuration... ansible.builtin.command: grub2-mkconfig -o /boot/grub2/grub.cfg changed_when: true - when: ansible_os_family == "RedHat" + when: ansible_facts.os_family == "RedHat" - name: Applying GRUB configuration... ansible.builtin.command: grub-mkconfig -o /boot/grub/grub.cfg changed_when: true - when: ansible_os_family == 'Archlinux' + when: ansible_facts.os_family == 'Archlinux' diff --git a/nova/core/roles/template_os_configuration/tasks/main.yml b/nova/core/roles/template_os_configuration/tasks/main.yml index 11b43d62e..acc91a53b 100644 --- a/nova/core/roles/template_os_configuration/tasks/main.yml +++ b/nova/core/roles/template_os_configuration/tasks/main.yml @@ -18,13 +18,13 @@ - name: Configure Windows machine ansible.builtin.include_tasks: windows.yml - when: ansible_system | default(false) == "Win32NT" + when: ansible_facts.system | default(false) == "Win32NT" - name: Including Unix configuration tasks... ansible.builtin.include_tasks: unix.yml when: - - ansible_system | default([]) in ["Linux", "FreeBSD"] - - ansible_network_os is not defined # Since PFsens and OPNsense also return FreeBSD as ansible_system + - ansible_facts.system | default([]) in ["Linux", "FreeBSD"] + - ansible_network_os is not defined # Since PFsens and OPNsense also return FreeBSD as ansible_facts.system - name: Configure RouterOS machine ansible.builtin.include_tasks: routeros.yml @@ -56,7 +56,7 @@ name: nova.core.win_sysprep when: - template_os_configuration_sysprep - - ansible_system | default(false) == "Win32NT" + - ansible_facts.system | default(false) == "Win32NT" - name: Including snapshots role... ansible.builtin.include_role: 
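Review bot: The Unix include guard is written as `ansible_facts.system | default([]) in ["Linux", "FreeBSD"]` while the two Windows guards in the same file use `default(false)` and the trusted_certificates role in this commit uses `default('')`; an empty list as the stand-in for a missing string fact reads oddly even though it evaluates to false. Using `- ansible_facts.system | default('') in ["Linux", "FreeBSD"]` makes the three conditions uniform. The trailing comment on the next line should also read `pfSense` rather than `PFsens`.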
diff --git a/nova/core/roles/template_os_configuration/tasks/unix.yml b/nova/core/roles/template_os_configuration/tasks/unix.yml index d5afb5d04..9956f1ece 100644 --- a/nova/core/roles/template_os_configuration/tasks/unix.yml +++ b/nova/core/roles/template_os_configuration/tasks/unix.yml @@ -14,7 +14,7 @@ - vim # Useful for editing files over SSH - wget # Useful for downloading files state: present - update_cache: "{{ true if ansible_os_family in ['Debian', 'RedHat'] else omit }}" + update_cache: "{{ true if ansible_facts.os_family in ['Debian', 'RedHat'] else omit }}" # These packages are only available on non-Alpine Linux systems - name: Installing universal Linux packages... @@ -27,10 +27,10 @@ - net-tools # Useful for network troubleshooting - traceroute # Useful for network troubleshooting state: present - update_cache: "{{ true if ansible_os_family in ['Debian', 'RedHat', 'Archlinux'] else omit }}" + update_cache: "{{ true if ansible_facts.os_family in ['Debian', 'RedHat', 'Archlinux'] else omit }}" when: - - ansible_system == "Linux" - - ansible_distribution != "Alpine" + - ansible_facts.system == "Linux" + - ansible_facts.distribution != "Alpine" # These packages are only available on Alpine Linux systems - name: Installing Alpine Linux packages... 
@@ -44,23 +44,23 @@ - musl-locales-lang # Required for locale support state: present update_cache: true - when: ansible_distribution == "Alpine" + when: ansible_facts.distribution == "Alpine" - name: Include Ubuntu specific configuration... ansible.builtin.include_tasks: ubuntu.yml - when: ansible_distribution == "Ubuntu" + when: ansible_facts.distribution == "Ubuntu" - name: Include Archlinux specific configuration... ansible.builtin.include_tasks: arch.yml - when: ansible_os_family == "Archlinux" + when: ansible_facts.os_family == "Archlinux" - name: Include Debian based OS specific configuration... ansible.builtin.include_tasks: debian_family.yml - when: ansible_os_family == "Debian" + when: ansible_facts.os_family == "Debian" - name: Include RedHat based OS specific configuration... ansible.builtin.include_tasks: redhat_family.yml - when: ansible_os_family == "RedHat" + when: ansible_facts.os_family == "RedHat" # SSHD Configuration # This to avoid errors when someone has more that 6 SSH keys in their agent @@ -80,7 +80,7 @@ dest: /etc/network/interfaces line: iface ens192 inet6 dhcp when: - - ansible_distribution | intersect(["Debian", "Kali"]) | length > 0 + - ansible_facts.distribution | intersect(["Debian", "Kali"]) | length > 0 - customization_method != "proxmox" # Because Proxmox will not boot after this change # Cleaning up current machine ID diff --git a/nova/core/roles/template_os_configuration/tasks/windows.yml b/nova/core/roles/template_os_configuration/tasks/windows.yml index d21044d34..8f3e59d4f 100644 --- a/nova/core/roles/template_os_configuration/tasks/windows.yml +++ b/nova/core/roles/template_os_configuration/tasks/windows.yml 
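Review bot: As far as I can tell the rewritten condition `ansible_facts.distribution | intersect(["Debian", "Kali"]) | length > 0` can never be true: `distribution` is a string, so `intersect` iterates over its characters ("D", "e", …) and none of them equals "Debian" or "Kali", leaving an empty result. The `iface ens192 inet6 dhcp` line is therefore never added on Debian or Kali templates; the intended test is `- ansible_facts.distribution in ["Debian", "Kali"]`. This predates the fact rename, but since the line is being rewritten it is worth fixing here.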
@@ -151,10 +151,8 @@ when: dotnet_install.reboot_required - name: Installing Chocolatey... - ansible.windows.win_shell: - Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = - [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex - ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) + chocolatey.chocolatey.win_chocolatey: + name: chocolatey - name: Configuring Chocolatey features... chocolatey.chocolatey.win_chocolatey_feature: diff --git a/nova/core/roles/trusted_certificates/tasks/main.yml b/nova/core/roles/trusted_certificates/tasks/main.yml index 26184b32b..c7a94c74e 100644 --- a/nova/core/roles/trusted_certificates/tasks/main.yml +++ b/nova/core/roles/trusted_certificates/tasks/main.yml 
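Review bot: Dropping the `iex` of a downloaded install.ps1 in favour of `win_chocolatey` is an improvement, but by default the module bootstraps Chocolatey by fetching the install script from the public community repository itself, so the supply-chain exposure is reduced rather than removed — a one-line comment saying so would stop a future reader from assuming the install is now offline. For templates built in a controlled lab network, pinning with `version:` and, where an internal mirror exists, pointing `source:` at it keeps the result reproducible; I cannot see whether the collection's bootstrap-script option (if available in the version in use) is configured elsewhere.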
@@ -4,24 +4,27 @@ block: - name: Including Windows trusted certificates tasks for Windows systems... ansible.builtin.include_tasks: windows.yml - when: ansible_system | default(false) == "Win32NT" + when: ansible_facts.system | default('') == "Win32NT" - name: Including trusted certificates tasks for Unix-like systems... ansible.builtin.include_tasks: unix.yml - when: ansible_system | default(false) in ['Linux', 'FreeBSD'] + when: + - ansible_facts.system | default('') in ['Linux', 'FreeBSD'] + - ansible_network_os | default('') not in ['opnsense', 'pfsense', 'vyos.vyos.vyos'] # These are based on Unix but have their own tasks - name: Including certificates tasks for MacOS systems... ansible.builtin.include_tasks: macos.yml - when: ansible_system | default(false) == 'Darwin' + when: ansible_facts.system | default('') == "Darwin" + or ansible_custom_facts.system | default('') == "Darwin" - name: Including trusted certificates tasks for VyOS systems... ansible.builtin.include_tasks: vyos.yml - when: ansible_network_os | default(false) == "vyos.vyos.vyos" + when: ansible_network_os | default('') == "vyos.vyos.vyos" - name: Including trusted certificates tasks for OPNsense and pfSense systems... ansible.builtin.include_tasks: sense.yml - when: ansible_network_os | default(false) in ['opnsense', 'pfsense'] + when: ansible_network_os | default('') in ['opnsense', 'pfsense'] - name: Including certificates tasks for PAN-OS systems... ansible.builtin.include_tasks: panos.yml - when: ansible_network_os | default(false) == 'panos' + when: ansible_network_os | default('') == 'panos' diff --git a/nova/core/roles/trusted_certificates/tasks/sense.yml b/nova/core/roles/trusted_certificates/tasks/sense.yml index 8d015dda9..3212f842b 100644 --- a/nova/core/roles/trusted_certificates/tasks/sense.yml +++ b/nova/core/roles/trusted_certificates/tasks/sense.yml 
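Review bot: The new exclusion `ansible_network_os | default('') not in ['opnsense', 'pfsense', 'vyos.vyos.vyos']` restates the `ansible_network_os` values that the vyos and sense tasks further down match on, so the two places can drift apart silently — a network OS added below would still fall through into unix.yml if it reports `system` as Linux or FreeBSD. A single defaults variable (for example `trusted_certificates_network_os_with_own_tasks`) used by both the exclusion and the includes, or at least a comment pointing at the tasks below, would keep them in sync. The enclosing block starts outside this hunk, so I cannot see its `when`; `panos` is not in the exclusion, which is only safe if PAN-OS hosts never report a Linux/FreeBSD `ansible_facts.system` — presumably the case, but worth a comment.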
@@ -1,30 +1,30 @@ --- -- name: Creating folder - {{ unix_os_family_trusted_certificates_paths[ansible_os_family] }}... +- name: Creating folder - {{ unix_os_family_trusted_certificates_paths[ansible_facts.os_family] }}... ansible.builtin.file: - path: "{{ unix_os_family_trusted_certificates_paths[ansible_os_family] }}" + path: "{{ unix_os_family_trusted_certificates_paths[ansible_facts.os_family] }}" state: directory mode: "0755" - name: Copying trusted certificates(s) to {{ inventory_hostname }}... ansible.builtin.copy: src: "{{ item.src }}" - dest: "{{ unix_os_family_trusted_certificates_paths[ansible_os_family] }}/{{ item.name }}.crt" + dest: "{{ unix_os_family_trusted_certificates_paths[ansible_facts.os_family] }}/{{ item.name }}.crt" mode: "0644" loop: "{{ trusted_certificates_list }}" loop_control: - label: "{{ unix_os_family_trusted_certificates_paths[ansible_os_family] }}/{{ item.name }}.crt" + label: "{{ unix_os_family_trusted_certificates_paths[ansible_facts.os_family] }}/{{ item.name }}.crt" when: not item.src.startswith('http') - name: Downloading trusted certificates(s) to {{ inventory_hostname }}... ansible.builtin.get_url: url: "{{ item.src }}" - dest: "{{ unix_os_family_trusted_certificates_paths[ansible_os_family] }}/{{ item.name }}.crt" + dest: "{{ unix_os_family_trusted_certificates_paths[ansible_facts.os_family] }}/{{ item.name }}.crt" mode: "0644" timeout: 60 validate_certs: "{{ trusted_certificates_validate_certs }}" loop: "{{ trusted_certificates_list }}" loop_control: - label: "{{ unix_os_family_trusted_certificates_paths[ansible_os_family] }}/{{ item.name }}.crt" + label: "{{ unix_os_family_trusted_certificates_paths[ansible_facts.os_family] }}/{{ item.name }}.crt" when: item.src.startswith('http') - name: Updating CA certificates... diff --git a/nova/core/roles/trusted_certificates/tasks/unix.yml b/nova/core/roles/trusted_certificates/tasks/unix.yml index 74d954a19..da5fe9c48 100644 --- a/nova/core/roles/trusted_certificates/tasks/unix.yml 
+++ b/nova/core/roles/trusted_certificates/tasks/unix.yml 
@@ -1,52 +1,52 @@ --- -- name: Creating folder - {{ unix_os_family_trusted_certificates_paths[ansible_os_family] }}... +- name: Creating folder - {{ unix_os_family_trusted_certificates_paths[ansible_facts.os_family] }}... ansible.builtin.file: - path: "{{ unix_os_family_trusted_certificates_paths[ansible_os_family] }}" + path: "{{ unix_os_family_trusted_certificates_paths[ansible_facts.os_family] }}" state: directory mode: "0755" - when: ansible_os_family == "FreeBSD" + when: ansible_facts.os_family == "FreeBSD" - name: Copying trusted certificates(s) to {{ inventory_hostname }}... ansible.builtin.copy: src: "{{ item.src }}" - dest: "{{ unix_os_family_trusted_certificates_paths[ansible_os_family] }}/{{ item.name }}.crt" + dest: "{{ unix_os_family_trusted_certificates_paths[ansible_facts.os_family] }}/{{ item.name }}.crt" mode: "0644" loop: "{{ trusted_certificates_list }}" loop_control: - label: "{{ unix_os_family_trusted_certificates_paths[ansible_os_family] }}/{{ item.name }}.crt" + label: "{{ unix_os_family_trusted_certificates_paths[ansible_facts.os_family] }}/{{ item.name }}.crt" when: not item.src.startswith('http') - name: Downloading trusted certificates(s) to {{ inventory_hostname }}... ansible.builtin.get_url: url: "{{ item.src }}" - dest: "{{ unix_os_family_trusted_certificates_paths[ansible_os_family] }}/{{ item.name }}.crt" + dest: "{{ unix_os_family_trusted_certificates_paths[ansible_facts.os_family] }}/{{ item.name }}.crt" mode: "0644" timeout: 60 validate_certs: "{{ trusted_certificates_validate_certs }}" loop: "{{ trusted_certificates_list }}" loop_control: - label: "{{ unix_os_family_trusted_certificates_paths[ansible_os_family] }}/{{ item.name }}.crt" + label: "{{ unix_os_family_trusted_certificates_paths[ansible_facts.os_family] }}/{{ item.name }}.crt" when: item.src.startswith('http') - name: Updating CA certificates... 
ansible.builtin.command: update-ca-certificates --fresh changed_when: true - when: ansible_os_family in ['Debian', 'Alpine'] + when: ansible_facts.os_family in ['Debian', 'Alpine'] - name: Trusting installed certificates... ansible.builtin.command: trust extract-compat changed_when: true - when: ansible_os_family == "Archlinux" + when: ansible_facts.os_family == "Archlinux" - name: Updating CA certificates... ansible.builtin.command: update-ca-trust extract changed_when: true - when: ansible_os_family == "RedHat" + when: ansible_facts.os_family == "RedHat" - name: Updating CA certificates... ansible.builtin.command: certctl rehash changed_when: true - when: ansible_os_family == "FreeBSD" + when: ansible_facts.os_family == "FreeBSD" - name: Adding trusted certificate(s) to Java keystore(s)... when: trusted_certificates_to_jks @@ -68,7 +68,7 @@ - name: Getting all trusted CAs ansible.builtin.find: - paths: "{{ unix_os_family_trusted_certificates_paths[ansible_os_family] }}" + paths: "{{ unix_os_family_trusted_certificates_paths[ansible_facts.os_family] }}" register: trusted_cas - name: Creating a JKS truststore from following certificates... diff --git a/nova/core/roles/updates/tasks/main.yml b/nova/core/roles/updates/tasks/main.yml index e68e3e64a..aafdcf65a 100644 --- a/nova/core/roles/updates/tasks/main.yml +++ b/nova/core/roles/updates/tasks/main.yml 
@@ -1,32 +1,35 @@ --- - name: Including Windows update tasks... ansible.builtin.include_tasks: windows.yml - when: ansible_os_family | default('') == "Windows" + when: ansible_facts.os_family | default('') == "Windows" - name: Including Debian family update tasks... ansible.builtin.include_tasks: debian_family.yml - when: ansible_os_family | default('') == 'Debian' + when: + - ansible_facts.os_family | default('') == "Debian" + - ansible_network_os | default('') != "vyos.vyos.vyos" - name: Including Archlinux update tasks... ansible.builtin.include_tasks: archlinux_family.yml - when: ansible_os_family | default('') == 'Archlinux' + when: ansible_facts.os_family | default('') == "Archlinux" - name: Including RedHat family update tasks... ansible.builtin.include_tasks: redhat_family.yml - when: ansible_os_family | default('') == 'RedHat' + when: ansible_facts.os_family | default('') == "RedHat" - name: Including Alpine update tasks... ansible.builtin.include_tasks: alpine.yml - when: ansible_os_family | default('') == 'Alpine' + when: ansible_facts.os_family | default('') == "Alpine" - name: Including FreeBSD update tasks... ansible.builtin.include_tasks: freebsd.yml - when: ansible_system | default('') == "FreeBSD" + when: ansible_facts.system | default('') == "FreeBSD" - name: Including MacOS update tasks... ansible.builtin.include_tasks: macos.yml - when: ansible_system | default('') == "Darwin" + when: ansible_facts.system | default('') == "Darwin" + or ansible_custom_facts.system | default('') == "Darwin" - name: Including RouterOS update tasks... ansible.builtin.include_tasks: routeros.yml - when: ansible_network_os | default('') == 'community.routeros.routeros' + when: ansible_network_os | default('') == "community.routeros.routeros" diff --git a/nova/core/roles/updates/tasks/windows.yml b/nova/core/roles/updates/tasks/windows.yml index 18ac41380..a8bc9c35c 100644 --- a/nova/core/roles/updates/tasks/windows.yml +++ b/nova/core/roles/updates/tasks/windows.yml 
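Review bot: The Debian include now skips VyOS hosts, but the FreeBSD include on `ansible_facts.system | default('') == "FreeBSD"` has no matching guard, and template_os_configuration/tasks/main.yml in this same commit notes that pfSense and OPNsense also report FreeBSD as `ansible_facts.system`; if facts are gathered for those appliances, freebsd.yml would run against them. Adding `- ansible_network_os | default('') not in ['opnsense', 'pfsense']` to that task's `when` mirrors the VyOS exclusion added above. The trusted_certificates role in this commit already excludes them from its unix.yml for the same reason.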
@@ -18,7 +18,7 @@ until: not usosvc_service.failed retries: 10 delay: 30 - when: ansible_distribution_version is version('6.3.9600.0', '>') # Greater than Windows 8.1 & Server 2012 R2 + when: ansible_facts.distribution_version is version('6.3.9600.0', '>') # Greater than Windows 8.1 & Server 2012 R2 # Using this block and rescue approach in order to avoid this issue: # https://github.com/ansible-collections/ansible.windows/issues/762 @@ -89,7 +89,7 @@ ansible.windows.win_service: name: UsoSvc state: stopped - when: ansible_distribution_version is version('6.3.9600.0', '>') + when: ansible_facts.distribution_version is version('6.3.9600.0', '>') # Removing Windows Update cache using rd because Powershell (win_file module) can't do it in some cases although it's possible manually # The issue is most likely related to long paths @@ -116,4 +116,4 @@ - name: Running interactive scan... # Runs a scan for updates to clean up the GUI ansible.windows.win_command: UsoClient.exe StartInteractiveScan changed_when: false - when: ansible_distribution_version is version('6.3.9600.0', '>') # Greater than Windows 8.1 & Server 2012 R2 + when: ansible_facts.distribution_version is version('6.3.9600.0', '>') # Greater than Windows 8.1 & Server 2012 R2 diff --git a/nova/core/roles/vault/defaults/main.yml b/nova/core/roles/vault/defaults/main.yml index e0bb15e0a..a22a764a5 100644 --- a/nova/core/roles/vault/defaults/main.yml +++ b/nova/core/roles/vault/defaults/main.yml @@ -168,4 +168,4 @@ vault_ldap_configuration: # On 2038-01-19 UNIX epoch will not fit into 32-bit signed integer. This may # cause issues on some software. Taking into account timezones, 2038-01-17 # is the last Y2038 safe day. -vault_y2038_hours_left: "{{ (2147292000 - (ansible_date_time.epoch | int)) / 3600 | round | int }}" +vault_y2038_hours_left: "{{ (2147292000 - (ansible_facts.date_time.epoch | int)) / 3600 | round | int }}" 
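Review bot: In the renamed `vault_y2038_hours_left` expression the filters bind to `3600`, not to the quotient — Jinja applies `| round | int` before `/`, so it evaluates as `(delta) / (3600 | round | int)` and yields an unrounded float such as `12345.678`, not the integer the filter chain suggests. Wrapping the division fixes it: `vault_y2038_hours_left: "{{ ((2147292000 - (ansible_facts.date_time.epoch | int)) / 3600) | round | int }}"`. This predates the fact rename, but the line is being rewritten anyway; the three windows.yml hunks above are renames only.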
diff --git a/nova/core/roles/win_sysprep/tasks/main.yml b/nova/core/roles/win_sysprep/tasks/main.yml index b5e452c29..743d51f35 100644 --- a/nova/core/roles/win_sysprep/tasks/main.yml +++ b/nova/core/roles/win_sysprep/tasks/main.yml @@ -5,9 +5,9 @@ changed_when: ("BitLocker not enabled" not in disable_bitlocker_result.stdout) - name: Including sysprep fix tasks... - when: ansible_distribution | regex_search('Microsoft Windows 1(0|1).*') != none # Windows 10 and 11 + when: ansible_facts.distribution | regex_search('Microsoft Windows 1(0|1).*') != none # Windows 10 and 11 block: - - name: Removing sysprep-blocking packages from {{ ansible_distribution }}... + - name: Removing sysprep-blocking packages from {{ ansible_facts.distribution }}... ansible.windows.win_shell: | Get-AppxPackage Microsoft.BingSearch* | Remove-AppPackage Get-AppxPackage Microsoft.Copilot* | Remove-AppPackage