92 lines
3.1 KiB
Django/Jinja
92 lines
3.1 KiB
Django/Jinja
skipx
|
|
firewall --enabled --ssh
|
|
|
|
repo --name="AppStream" --baseurl=http://yum.oracle.com/repo/OracleLinux/OL9/appstream/x86_64
|
|
repo --name="UEK" --baseurl=http://yum.oracle.com/repo/OracleLinux/OL9/UEKR7/x86_64
|
|
|
|
%addon com_redhat_kdump --enable --reserve-mb='auto'
|
|
|
|
%end
|
|
|
|
%addon com_redhat_oscap
|
|
content-type = scap-security-guide
|
|
datastream-id = scap_org.open-scap_datastream_from_xccdf_ssg-ol9-xccdf-1.2.xml
|
|
xccdf-id = scap_org.open-scap_cref_ssg-ol9-xccdf-1.2.xml
|
|
profile = xccdf_org.ssgproject.content_profile_standard
|
|
%end
|
|
|
|
{% if ansible_host is defined and ansible_host | ipaddr %}
|
|
network --bootproto=static --gateway={{
|
|
gateway | default((((ansible_host + '/255.255.255.0') | ansible.utils.ipaddr('network') | ansible.utils.ipaddr('int'))+1)|string|ansible.utils.ipaddr)
|
|
}} --ip={{ ansible_host }} --nameserver={{
|
|
nameserver | default((((ansible_host + '/255.255.255.0') | ansible.utils.ipaddr('network') | ansible.utils.ipaddr('int'))+1)|string|ansible.utils.ipaddr)
|
|
}} --netmask={{ netmask | default('255.255.255.0') }}
|
|
{%- else %}
|
|
network --bootproto=dhcp --hostname={{ inventory_hostname }}
|
|
{%- endif %} --device=enp0s3 --onboot=on --hostname={{ inventory_hostname }}
|
|
user --name={{ ansible_user | default(lookup('pipe', 'whoami')) }} --groups=wheel --password={{ ansible_password | password_hash }} --iscrypted
|
|
|
|
# Keyboard layouts
|
|
keyboard --xlayouts='de'
|
|
# System language
|
|
lang en_US.UTF-8
|
|
|
|
# Use network installation
|
|
url --url="https://yum.oracle.com/repo/OracleLinux/OL9/baseos/latest/x86_64"
|
|
|
|
%packages
|
|
@^server-product-environment
|
|
openscap
|
|
openscap-scanner
|
|
rsyslog
|
|
scap-security-guide
|
|
|
|
%end
|
|
|
|
%post --interpreter=/bin/bash
|
|
|
|
#---- Install our SSH key ----
|
|
mkdir -p -m0700 /home/{{ ansible_user | default(lookup('pipe', 'whoami')) }}/.ssh/
|
|
|
|
cat <<EOF >/home/{{ ansible_user | default(lookup('pipe', 'whoami')) }}/.ssh/authorized_keys
|
|
{% for ssh_key in ssh_keys %}
|
|
{{ ssh_key }}
|
|
{% endfor %}
|
|
EOF
|
|
|
|
### set permissions
|
|
chmod 0600 /home/{{ ansible_user | default(lookup('pipe', 'whoami')) }}/.ssh/authorized_keys
|
|
|
|
### change owner
|
|
chown -R {{ ansible_user | default(lookup('pipe', 'whoami')) }}:{{ ansible_user | default(lookup('pipe', 'whoami')) }} /home/{{ ansible_user | default(lookup('pipe', 'whoami')) }}/.ssh
|
|
|
|
### fix up selinux context
|
|
restorecon -R /home/{{ ansible_user | default(lookup('pipe', 'whoami')) }}/.ssh/
|
|
|
|
%end
|
|
|
|
# Run the Setup Agent on first boot
|
|
firstboot --enable
|
|
|
|
# Generated using Blivet version 3.4.0
|
|
ignoredisk --only-use=sda
|
|
# Partition clearing information
|
|
clearpart --all --initlabel
|
|
# Disk partitioning information
|
|
part pv.116 --fstype="lvmpv" --ondisk=sda --grow --size=25600 --encrypted --cipher=aes-xts-plain64 --passphrase={{ luks_passphrase }}
|
|
part /boot --fstype="xfs" --ondisk=sda --size=1024
|
|
volgroup ol --pesize=4096 pv.116
|
|
logvol /var/log --fstype="xfs" --size=2048 --name=var_log --vgname=ol
|
|
logvol /var/log/audit --fstype="xfs" --size=1024 --name=var_log_audit --vgname=ol
|
|
logvol / --fstype="xfs" --grow --name=root --vgname=ol --size 20480
|
|
|
|
# System timezone
|
|
timezone Europe/Berlin --utc
|
|
|
|
# Disable root password
|
|
rootpw --lock
|
|
{% if reboot_after_installation %}
|
|
# Reboot after installation
|
|
reboot
|
|
{% endif %}
|