#
# Fedora CoreOS installs packages in layers. The new
# layer does not become active until the server reboots.
# Therefore server configuration happens in two phases; one before
# reboot and another after.
#
# This is the before reboot phase.
#
#
# Ansible complains about rpm used to check if a package has been
# installed. That's why each command has warnings turned off.
#
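---
# Phase one of the Fedora CoreOS setup: add the Lynis repository, layer the
# audit/hardening tooling with rpm-ostree, then reboot so the new layer
# becomes the running deployment.
- hosts: fcos
  become: true
  gather_facts: false
  # NOTE(review): no task in this play references a variable from this file;
  # presumably it carries connection or become settings -- confirm.
  vars_files:
    - external_vars.yml
  tasks:
    # gpgcheck=1 makes the package manager verify package signatures against
    # the key named in gpgkey. That key is fetched over HTTPS from the same
    # vendor host as the packages.
    # NOTE(review): consider verifying the key fingerprint against a value
    # obtained out of band before trusting it.
    - name: Create Lynis Yum repository file.
      copy:
        dest: /etc/yum.repos.d/lynis.repo
        content: |
          [lynis]
          name=CISOfy Software - Lynis package
          baseurl=https://packages.cisofy.com/community/lynis/rpm/
          enabled=1
          gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
          gpgcheck=1
          priority=2
        mode: "0644"

    #
    # I ran into trouble installing aide. There was a library mismatch.
    #   Forbidden base package replacements:
    #     pcre2 10.35-1.fc32 -> 10.35-3.fc32 (updates)
    #     pcre2-syntax 10.35-1.fc32 -> 10.35-3.fc32 (updates)
    #
    # - name: Install aide.
    #   command: rpm-ostree install aide
    #   register: output
    #   changed_when: "'start a reboot' in output.stdout"
    #   failed_when: "'start a reboot' not in output.stdout and 'already requested' not in output.stderr"
    #   args:
    #     warn: false

    # Every install task below follows the same pattern:
    #   * `command` is used instead of `shell` because the command line is
    #     fixed and needs no shell features (pipes, globbing, expansion).
    #   * changed_when: the task counts as changed only when stdout contains
    #     'start a reboot'.
    #   * failed_when: the task fails unless stdout contains 'start a reboot'
    #     or stderr contains 'already requested'. This condition replaces
    #     Ansible's default return-code check, so any other rpm-ostree error
    #     still fails the task, but a non-zero exit is tolerated when stderr
    #     carries 'already requested' (presumably the package is already
    #     layered -- confirm against rpm-ostree output).
    #   * warn: false silences Ansible's "use the package module" warning.
    #     NOTE(review): newer ansible-core releases removed the `warn` option;
    #     drop these args when upgrading.
    - name: Install audit.
      command: rpm-ostree install audit
      register: output
      changed_when: "'start a reboot' in output.stdout"
      failed_when: "'start a reboot' not in output.stdout and 'already requested' not in output.stderr"
      args:
        warn: false

    - name: Install conntrack.
      command: rpm-ostree install conntrack
      register: output
      changed_when: "'start a reboot' in output.stdout"
      failed_when: "'start a reboot' not in output.stdout and 'already requested' not in output.stderr"
      args:
        warn: false

    - name: Install ethtool.
      command: rpm-ostree install ethtool
      register: output
      changed_when: "'start a reboot' in output.stdout"
      failed_when: "'start a reboot' not in output.stdout and 'already requested' not in output.stderr"
      args:
        warn: false

    # - name: Install golang.
    #   command: rpm-ostree install golang
    #   register: output
    #   changed_when: "'start a reboot' in output.stdout"
    #   failed_when: "'start a reboot' not in output.stdout and 'already requested' not in output.stderr"
    #   args:
    #     warn: false

    # Comes from the lynis repository created by the first task.
    - name: Install lynis.
      command: rpm-ostree install lynis
      register: output
      changed_when: "'start a reboot' in output.stdout"
      failed_when: "'start a reboot' not in output.stdout and 'already requested' not in output.stderr"
      args:
        warn: false

    - name: Install make.
      command: rpm-ostree install make
      register: output
      changed_when: "'start a reboot' in output.stdout"
      failed_when: "'start a reboot' not in output.stdout and 'already requested' not in output.stderr"
      args:
        warn: false

    - name: Install openscap-scanner.
      command: rpm-ostree install openscap-scanner
      register: output
      changed_when: "'start a reboot' in output.stdout"
      failed_when: "'start a reboot' not in output.stdout and 'already requested' not in output.stderr"
      args:
        warn: false

    - name: Install scap-security-guide.
      command: rpm-ostree install scap-security-guide
      register: output
      changed_when: "'start a reboot' in output.stdout"
      failed_when: "'start a reboot' not in output.stdout and 'already requested' not in output.stderr"
      args:
        warn: false

    - name: Install setools.
      command: rpm-ostree install setools
      register: output
      changed_when: "'start a reboot' in output.stdout"
      failed_when: "'start a reboot' not in output.stdout and 'already requested' not in output.stderr"
      args:
        warn: false

    #
    # I ran into trouble installing setroubleshoot. There was a library mismatch.
    #   Forbidden base package replacements:
    #     pcre2 10.35-1.fc32 -> 10.35-3.fc32 (updates)
    #     pcre2-syntax 10.35-1.fc32 -> 10.35-3.fc32 (updates)
    #
    # - name: Install setroubleshoot.
    #   command: rpm-ostree install setroubleshoot
    #   register: output
    #   changed_when: "'start a reboot' in output.stdout"
    #   failed_when: "'start a reboot' not in output.stdout and 'already requested' not in output.stderr"
    #   args:
    #     warn: false

    - name: Install usbguard.
      command: rpm-ostree install usbguard
      register: output
      changed_when: "'start a reboot' in output.stdout"
      failed_when: "'start a reboot' not in output.stdout and 'already requested' not in output.stderr"
      args:
        warn: false

    - name: Install zip.
      command: rpm-ostree install zip
      register: output
      changed_when: "'start a reboot' in output.stdout"
      failed_when: "'start a reboot' not in output.stdout and 'already requested' not in output.stderr"
      args:
        warn: false

    # The layered packages only become active after a reboot. This task has no
    # `when` condition, so the host reboots on every run, even if nothing new
    # was layered.
    - name: Unconditionally reboot the machine
      reboot: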