grub tasks moved to separate file

2024-11-22 05:01:27 +00:00 · 2020-12-13 19:41:26 +01:00 · 2020-12-13 19:41:26 +01:00 · dca7691f4a
commit dca7691f4a
parent 3379f4d1eb
4 changed files with 60 additions and 53 deletions
--- a/ansible/playbooks/init-rocky-system-config.yml
+++ b/ansible/playbooks/init-rocky-system-config.yml
@ -34,7 +34,10 @@
      import_tasks: tasks/authentication.yml

    - name: Configure auditd
-      include: tasks/auditd.yml
+      import_tasks: tasks/auditd.yml
+
+    - name: Configure grub
+      import_tasks: tasks/grub.yml

  post_tasks:
    - name: Touching run file that ansible has ran here
--- a/ansible/playbooks/tasks/grub.yml
+++ b/ansible/playbooks/tasks/grub.yml
@ -0,0 +1,52 @@
+---
+- name: Reset grub link if we are EFI
+  set_fact:
+    grub_config_path_link: "{{ grub_config_path_efi }}"
+  when:
+    - efi_installed.stat.isdir is defined
+    - efi_installed.stat.isdir
+    - grub_config_path_efi is defined
+  tags:
+    - efi
+
+- name: Create grub.d directory
+  file:
+    name: /etc/default/grub.d
+    owner: root
+    group: root
+    mode: '0755'
+    state: directory
+    recurse: true
+  tags:
+    - grub
+    - kernel
+    - harden
+
+- name: Append /etc/default/grub file
+  lineinfile:
+    path: /etc/default/grub
+    line: for x in $(ls /etc/default/grub.d) ; do source /etc/default/grub.d/$x ; done
+    state: present
+  tags:
+    - grub
+    - kernel
+    - harden
+
+- name: Command line defaults
+  copy:
+    dest: "/etc/default/grub.d/99-rocky.cfg"
+    owner: root
+    group: root
+    mode: '0644'
+    content: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ grub_boot_options }}"'
+  tags:
+    - grub
+    - kernel
+    - harden
+
+- name: Rebuild grub
+  command: /usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }}
+  tags:
+    - grub
+    - kernel
+    - harden
--- a/ansible/playbooks/tasks/harden.yml
+++ b/ansible/playbooks/tasks/harden.yml
@ -214,54 +214,3 @@
    state: absent
  tags:
    - harden
-
- name: grub and kernel
-  block:
-    - name: Reset grub link if we are EFI
-      set_fact:
-        grub_config_path_link: "{{ grub_config_path_efi }}"
-      when: efi_installed.stat.isdir is defined and efi_installed.stat.isdir and grub_config_path_efi is defined
-      tags:
-        - efi
-
-    - name: grub.d directory
-      file:
-        name: /etc/default/grub.d
-        owner: root
-        group: root
-        mode: '0755'
-        state: directory
-        recurse: true
-      tags:
-        - grub
-        - kernel
-        - harden
-
-    - name: Append /etc/default/grub file
-      lineinfile:
-        path: /etc/default/grub
-        line: for x in $(ls /etc/default/grub.d) ; do source /etc/default/grub.d/$x ; done
-        state: present
-      tags:
-        - grub
-        - kernel
-        - harden
-
-    - name: Grub command line defaults
-      copy:
-        dest: "/etc/default/grub.d/99-rocky.cfg"
-        owner: root
-        group: root
-        mode: '0644'
-        content: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ kernel_boot_options }}"'
-      tags:
-        - grub
-        - kernel
-        - harden
-
-    - name: rebuild grub
-      command: /usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }}
-      tags:
-        - grub
-        - kernel
-        - harden
--- a/ansible/playbooks/vars/RedHat.yml
+++ b/ansible/playbooks/vars/RedHat.yml
@ -3,9 +3,12 @@

 bin_su: /usr/bin/su
 bin_sudo: /usr/bin/sudo
-kernel_boot_options: audit=1
+
+# grub variables
+grub_boot_options: audit=1
 grub_config_path_link: /etc/grub2.cfg
 grub_config_path_efi: /etc/grub2-efi.cfg
+
 ipatype: client

 # Removing TFTP for now because there will likely be tftp/pxe servers