grub tasks moved to separate file

This commit is contained in:
danielkubat 2020-12-13 19:41:26 +01:00
parent 3379f4d1eb
commit dca7691f4a
4 changed files with 60 additions and 53 deletions

View File

@ -34,7 +34,10 @@
import_tasks: tasks/authentication.yml
- name: Configure auditd
include: tasks/auditd.yml
import_tasks: tasks/auditd.yml
- name: Configure grub
import_tasks: tasks/grub.yml
post_tasks:
- name: Touching run file that ansible has ran here

View File

@ -0,0 +1,52 @@
---
- name: Reset grub link if we are EFI
set_fact:
grub_config_path_link: "{{ grub_config_path_efi }}"
when:
- efi_installed.stat.isdir is defined
- efi_installed.stat.isdir
- grub_config_path_efi is defined
tags:
- efi
- name: Create grub.d directory
file:
name: /etc/default/grub.d
owner: root
group: root
mode: '0755'
state: directory
recurse: true
tags:
- grub
- kernel
- harden
- name: Append /etc/default/grub file
lineinfile:
path: /etc/default/grub
line: for x in $(ls /etc/default/grub.d) ; do source /etc/default/grub.d/$x ; done
state: present
tags:
- grub
- kernel
- harden
- name: Command line defaults
copy:
dest: "/etc/default/grub.d/99-rocky.cfg"
owner: root
group: root
mode: '0644'
content: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ grub_boot_options }}"'
tags:
- grub
- kernel
- harden
- name: Rebuild grub
command: /usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }}
tags:
- grub
- kernel
- harden

View File

@ -214,54 +214,3 @@
state: absent
tags:
- harden
- name: grub and kernel
block:
- name: Reset grub link if we are EFI
set_fact:
grub_config_path_link: "{{ grub_config_path_efi }}"
when: efi_installed.stat.isdir is defined and efi_installed.stat.isdir and grub_config_path_efi is defined
tags:
- efi
- name: grub.d directory
file:
name: /etc/default/grub.d
owner: root
group: root
mode: '0755'
state: directory
recurse: true
tags:
- grub
- kernel
- harden
- name: Append /etc/default/grub file
lineinfile:
path: /etc/default/grub
line: for x in $(ls /etc/default/grub.d) ; do source /etc/default/grub.d/$x ; done
state: present
tags:
- grub
- kernel
- harden
- name: Grub command line defaults
copy:
dest: "/etc/default/grub.d/99-rocky.cfg"
owner: root
group: root
mode: '0644'
content: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ kernel_boot_options }}"'
tags:
- grub
- kernel
- harden
- name: rebuild grub
command: /usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }}
tags:
- grub
- kernel
- harden

View File

@ -3,9 +3,12 @@
bin_su: /usr/bin/su
bin_sudo: /usr/bin/sudo
kernel_boot_options: audit=1
# grub variables
grub_boot_options: audit=1
grub_config_path_link: /etc/grub2.cfg
grub_config_path_efi: /etc/grub2-efi.cfg
ipatype: client
# Removing TFTP for now because there will likely be tftp/pxe servers