From dca7691f4ae80f6c55af38bf749b84d260086544 Mon Sep 17 00:00:00 2001 From: danielkubat Date: Sun, 13 Dec 2020 19:41:26 +0100 Subject: [PATCH 1/2] grub tasks moved to separate file --- .../playbooks/init-rocky-system-config.yml | 5 +- ansible/playbooks/tasks/grub.yml | 52 +++++++++++++++++++ ansible/playbooks/tasks/harden.yml | 51 ------------------ ansible/playbooks/vars/RedHat.yml | 5 +- 4 files changed, 60 insertions(+), 53 deletions(-) create mode 100644 ansible/playbooks/tasks/grub.yml diff --git a/ansible/playbooks/init-rocky-system-config.yml b/ansible/playbooks/init-rocky-system-config.yml index dda3b5c..b57b649 100644 --- a/ansible/playbooks/init-rocky-system-config.yml +++ b/ansible/playbooks/init-rocky-system-config.yml @@ -34,7 +34,10 @@ import_tasks: tasks/authentication.yml - name: Configure auditd - include: tasks/auditd.yml + import_tasks: tasks/auditd.yml + + - name: Configure grub + import_tasks: tasks/grub.yml post_tasks: - name: Touching run file that ansible has ran here diff --git a/ansible/playbooks/tasks/grub.yml b/ansible/playbooks/tasks/grub.yml new file mode 100644 index 0000000..df8e431 --- /dev/null +++ b/ansible/playbooks/tasks/grub.yml 
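Review bot: The new `Configure grub` import at the end of this hunk pulls in tasks/grub.yml, whose first task reads `efi_installed.stat.isdir` and whose last task writes to `grub_config_path_link`, but nothing at the call site records that those facts must already exist, so the ordering constraint is invisible to anyone reordering this play. A one-line comment on the import would make it explicit: `# tasks/grub.yml expects efi_installed (stat of the EFI dir) to be registered earlier in this play and the grub_* vars from vars/RedHat.yml`. Switching auditd from `include` to `import_tasks` also makes that file static, so its task tags now apply at parse time, which appears to be the intent and matches the other imports. The enclosing play starts before this hunk.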
@@ -0,0 +1,52 @@ +--- +- name: Reset grub link if we are EFI + set_fact: + grub_config_path_link: "{{ grub_config_path_efi }}" + when: + - efi_installed.stat.isdir is defined + - efi_installed.stat.isdir + - grub_config_path_efi is defined + tags: + - efi + +- name: Create grub.d directory + file: + name: /etc/default/grub.d + owner: root + group: root + mode: '0755' + state: directory + recurse: true + tags: + - grub + - kernel + - harden + +- name: Append /etc/default/grub file + lineinfile: + path: /etc/default/grub + line: for x in $(ls /etc/default/grub.d) ; do source /etc/default/grub.d/$x ; done + state: present + tags: + - grub + - kernel + - harden + +- name: Command line defaults + copy: + dest: "/etc/default/grub.d/99-rocky.cfg" + owner: root + group: root + mode: '0644' + content: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ grub_boot_options }}"' + tags: + - grub + - kernel + - harden + +- name: Rebuild grub + command: /usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }} + tags: + - grub + - kernel + - harden diff --git a/ansible/playbooks/tasks/harden.yml b/ansible/playbooks/tasks/harden.yml index 619f352..997ce49 100644 --- a/ansible/playbooks/tasks/harden.yml +++ b/ansible/playbooks/tasks/harden.yml 
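Review bot: The line appended in `Append /etc/default/grub file` sources every entry that `ls` finds in /etc/default/grub.d, so any stray file in that directory (an editor backup, a `.rpmsave`, a misplaced script) is executed by the shell each time grub2-mkconfig reads /etc/default/grub. Since the only drop-in this file creates is `99-rocky.cfg`, restricting the loop to that suffix and avoiding `ls` parsing is safer and stays POSIX-sh friendly: `line: 'for x in /etc/default/grub.d/*.cfg ; do [ -r "$x" ] && . "$x" ; done'`. The task also has no `regexp:`, so if the line text is ever edited a second loop would be appended instead of replacing the old one; adding `regexp: '^for x in /etc/default/grub\.d'` keeps it idempotent across edits. `recurse: true` on the directory task additionally forces mode 0755 onto any existing files under grub.d, which is probably not intended for `.cfg` files that are created as 0644.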
@@ -214,54 +214,3 @@ state: absent tags: - harden - -- name: grub and kernel - block: - - name: Reset grub link if we are EFI - set_fact: - grub_config_path_link: "{{ grub_config_path_efi }}" - when: efi_installed.stat.isdir is defined and efi_installed.stat.isdir and grub_config_path_efi is defined - tags: - - efi - - - name: grub.d directory - file: - name: /etc/default/grub.d - owner: root - group: root - mode: '0755' - state: directory - recurse: true - tags: - - grub - - kernel - - harden - - - name: Append /etc/default/grub file - lineinfile: - path: /etc/default/grub - line: for x in $(ls /etc/default/grub.d) ; do source /etc/default/grub.d/$x ; done - state: present - tags: - - grub - - kernel - - harden - - - name: Grub command line defaults - copy: - dest: "/etc/default/grub.d/99-rocky.cfg" - owner: root - group: root - mode: '0644' - content: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ kernel_boot_options }}"' - tags: - - grub - - kernel - - harden - - - name: rebuild grub - command: /usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }} - tags: - - grub - - kernel - - harden diff --git a/ansible/playbooks/vars/RedHat.yml b/ansible/playbooks/vars/RedHat.yml index 64c9bab..9f6b27c 100644 --- a/ansible/playbooks/vars/RedHat.yml +++ b/ansible/playbooks/vars/RedHat.yml @@ -3,9 +3,12 @@ bin_su: /usr/bin/su bin_sudo: /usr/bin/sudo -kernel_boot_options: audit=1 + +# grub variables +grub_boot_options: audit=1 grub_config_path_link: /etc/grub2.cfg grub_config_path_efi: /etc/grub2-efi.cfg + ipatype: client # Removing TFTP for now because there will likely be tftp/pxe servers From dec785e225cd16b2de9c9f6391de58410aee06d3 Mon Sep 17 00:00:00 2001 From: danielkubat Date: Sun, 13 Dec 2020 19:46:38 +0100 Subject: [PATCH 2/2] make linter happy --- ansible/playbooks/tasks/grub.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ansible/playbooks/tasks/grub.yml b/ansible/playbooks/tasks/grub.yml index df8e431..a7e776b 100644 
--- a/ansible/playbooks/tasks/grub.yml +++ b/ansible/playbooks/tasks/grub.yml @@ -45,7 +45,8 @@ - harden - name: Rebuild grub - command: /usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }} + command: "/usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }}" + changed_when: flase tags: - grub - kernel
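Review bot: `changed_when: flase` is a typo, and because Ansible evaluates `changed_when` as a Jinja conditional, an undefined name `flase` will very likely make the `Rebuild grub` task fail on every run instead of merely misreporting its status; it should read `changed_when: false`. Even with the typo fixed, grub2-mkconfig still rewrites the boot configuration on every play while the task reports no change, so a run that actually replaced grub.cfg looks idempotent in the recap. A better shape is to `register` the results of the `Append /etc/default/grub file` and `Command line defaults` tasks (e.g. as `grub_default` and `grub_cmdline`) and gate this task with `when: grub_default.changed or grub_cmdline.changed`, or make it a handler those tasks `notify`, which keeps the module's own change reporting intact. The task's tag list continues past the end of the hunk.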