clusterapps.rhbase
Ansible Role: rhbase
This Ansible role is for setting up a server running a RedHat-based Linux distribution (like CentOS, Fedora, RHEL, etc.). It handles:
- Managing software repositories,
- Installing and removing packages,
- Starting or stopping services,
- Creating users and groups,
- Setting up an admin account with an SSH key,
- Applying basic security settings, including enabling SELinux and the firewall,
- Managing firewall rules in the public zone.
This version is a modified copy of bertvv.rh-base. While the original is excellent, I wanted to take a different approach.
Requirements
No special requirements.
Role Variables
| Variable | Default | Description |
|---|---|---|
| `rhbase_enable_repos` | `[]` | List of repositories to enable (see "Enabling Repositories" below). |
| `rhbase_firewall_allow_ports` | `[]` | List of ports to allow through the firewall (e.g., `80/tcp`, `53/udp`). |
| `rhbase_firewall_allow_services` | `[]` | List of firewalld services to allow through the firewall (e.g., `http`, `dns`). |
| `rhbase_firewall_interfaces` | `[]` | List of network interfaces to add to the firewall's public zone. |
| `rhbase_hosts_entry` | `true` | If true, adds the machine's host name to `/etc/hosts`, which speeds up fact gathering. |
| `rhbase_install_packages` | `[]` | List of packages to install; URLs are permitted. |
| `rhbase_motd` | `false` | If true, installs a custom `/etc/motd` showing the host name and IP addresses. |
| `rhbase_override_firewalld_zones` | `false` | If true, allows NetworkManager to override firewall zones set by the admin (to work around a CentOS bug). |
| `rhbase_remove_packages` | `[]` | List of packages that should not be installed. |
| `rhbase_repo_exclude_from_update` | `[]` | List of packages to exclude from updates (wildcards permitted, e.g., `kernel*`). |
| `rhbase_repo_exclude` | `[]` | List of repositories to disable in `yum.conf`/`dnf.conf`. |
| `rhbase_repo_gpgcheck` | `false` | If true, verifies package GPG signatures when installing packages. |
| `rhbase_repo_installonly_limit` | `3` | Maximum number of versions of an install-only package (such as the kernel) kept installed at the same time (should be at least 2). |
| `rhbase_repo_remove_dependencies` | `true` | If true, removes unused dependencies after a package is removed. |
| `rhbase_repositories` | `[]` | List of RPM packages (URLs permitted) that install external repositories (e.g., `epel-release`). |
| `rhbase_selinux_state` | `enforcing` | SELinux state for the system. |
| `rhbase_selinux_booleans` | `[]` | List of SELinux booleans to enable (e.g., `httpd_can_network_connect`). |
| `rhbase_ssh_key` | - | Public SSH key for the admin user, allowing password-less login (the user must already exist). |
| `rhbase_ssh_user` | - | Name of the user managing this machine (the SSH key will be added to their home directory). |
| `rhbase_start_services` | `[]` | List of services that should be running and enabled. |
| `rhbase_stop_services` | `[]` | List of services that should not be running. |
| `rhbase_tz` | `:/etc/localtime` | Value for the `$TZ` environment variable. |
| `rhbase_update` | `false` | If true, performs a package update. |
| `rhbase_user_groups` | `[]` | List of user groups to create. |
| `rhbase_users` | `[]` | List of users to create, specified as dictionaries (see "Adding Users" below). |
| `rhbase_taskrunner_key` | `[]` | Authorized public key to connect as taskrunner. |
Notes:

- The services that can be specified in `rhbase_firewall_allow_services` can be listed with `firewall-cmd --get-services`.
- Setting `rhbase_ssh_user` does not create the user; it adds `rhbase_ssh_key` to an existing user's home directory.
- Setting the `$TZ` variable can improve performance by reducing system calls (when `TZ` is unset, glibc re-reads `/etc/localtime` on every time-zone conversion).
- `rhbase_repo_gpgcheck` defaults to `false`, so package signatures are not verified unless you set it to `true`. Turn it on wherever the configured repositories ship GPG keys; otherwise an attacker who can tamper with a mirror or the transport can deliver modified packages.
Enabling Repositories

To enable repositories that are installed but disabled, set `rhbase_enable_repos` to a list of dictionaries with the keys `name` (required) and `section` (optional), like this:

```yaml
rhbase_enable_repos:
  - name: CentOS-fasttrack
    section: fasttrack
  - name: epel-testing
```

If `section` is not specified, it defaults to the repository name.
Adding Users

You can specify users using dictionaries like this:

```yaml
rhbase_users:
  - name: johndoe
    comment: 'John Doe'
    groups:
      - users
      - devs
    password: '$6$WIFkXf07Kn3kALDp$fHbqRKztuufS895easdT [...]'
  - name: janedoe
```

The only required key is `name`.
| Key | Required | Default | Description |
|---|---|---|---|
| `name` | yes | - | User name |
| `comment` | no | `''` | Comment (GECOS) field for the user |
| `shell` | no | `'/bin/bash'` | User's login shell |
| `groups` | no | `[]` | Groups the user should belong to |
| `password` | no | `'!!'` | User's hashed password; the default `'!!'` sets no password, so password login is disabled and the account is reachable only by SSH key |
Notes:

- To make a user an administrator, ensure they are in the `wheel` group.
- The password must be provided as a hash in the format `$algo$salt$hash`, never as plaintext. Tools like mkpasswd.net can create these hashes, but that sends the password to a third party; generating the hash locally with `openssl passwd -6`, `mkpasswd --method=sha-512`, or Ansible's `password_hash` filter avoids that.
Dependencies
No dependencies.
Example Playbook
Coming Soon
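Until the project publishes its own example, here is an added playbook written for this page (it is not code from the clusterapps.rhbase project) that uses the variables from the Role Variables table and the Adding Users section together: signed packages only, SELinux enforcing with a single boolean, the firewall opened for just the web services, an admin in `wheel` with key-based login, and a locked service account. The host group `webservers`, the user names, the vaulted variable `vault_johndoe_password`, and the key file `files/johndoe.pub` are assumptions for illustration.

```yaml
# Added example, not part of the clusterapps.rhbase project.
# Assumed: an inventory group 'webservers', a vault-encrypted variable
# 'vault_johndoe_password', and a public key at files/johndoe.pub.
- name: Base hardening of RedHat-family web servers with clusterapps.rhbase
  hosts: webservers
  become: true
  vars:
    # Repositories: install EPEL, enable its testing section, verify signatures.
    rhbase_repositories:
      - epel-release
    rhbase_enable_repos:
      - name: epel-testing
    rhbase_repo_gpgcheck: true             # role default is false; turn checks on
    rhbase_repo_exclude_from_update:
      - kernel*                            # kernel updates only in a maintenance window
    rhbase_update: true

    # Packages and services: only what the web tier needs.
    rhbase_install_packages:
      - httpd
      - vim-enhanced
    rhbase_remove_packages:
      - telnet                             # cleartext remote login client
    rhbase_start_services:
      - httpd
    rhbase_stop_services:
      - postfix

    # SELinux stays enforcing; grant only the boolean the web app requires.
    rhbase_selinux_state: enforcing
    rhbase_selinux_booleans:
      - httpd_can_network_connect

    # Firewall: public zone exposes the web services and one extra port.
    rhbase_firewall_allow_services:
      - http
      - https
    rhbase_firewall_allow_ports:
      - 8443/tcp

    # Accounts: a 'devs' group, an admin in 'wheel', and a no-login service account.
    rhbase_user_groups:
      - devs
    rhbase_users:
      - name: johndoe
        comment: 'John Doe'
        groups:
          - wheel                          # wheel membership makes johndoe an administrator
          - devs
        # The hash is built at run time from the vaulted secret, so no plaintext
        # or hash lives in the playbook; seeding the salt with the host name keeps
        # the generated hash stable between runs (idempotent user task).
        password: "{{ vault_johndoe_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
      - name: appsvc
        comment: 'Application service account'
        shell: /sbin/nologin               # no interactive shell; default '!!' leaves no password
        groups:
          - devs

    # Key-based admin access for johndoe. rhbase_ssh_user does not create the user;
    # this assumes the role processes rhbase_users before installing the key.
    rhbase_ssh_user: johndoe
    rhbase_ssh_key: "{{ lookup('file', 'files/johndoe.pub') }}"

  roles:
    - role: clusterapps.rhbase
```

Keep `vault_johndoe_password` in a vault-encrypted `group_vars` file and run the playbook with `ansible-playbook -i inventory site.yml --ask-vault-pass` (or `--vault-password-file`). The `password_hash` filter and the `random(seed=...)` salt idiom are standard Ansible features; everything else above is configuration of this role as documented in the table.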
Testing
Coming Soon
Contributing
Please share any issues, feature requests, or ideas in the Issues section.
Pull requests are also welcome. To submit a PR, fork this project, create a separate branch for your change, and push that branch to your fork. GitHub will assist in creating a PR. Don't forget to add your name to the contributor list!
License
BSD
Contributors
- Michael Cleary (maintainer)
Original Contributors:
- Bert Van Vreckem
- Jeroen De Meerleer
- Sebastien Nussbaum
Base setup of a server with a RedHat-based Linux distribution with the systemd init system. Install the role from Ansible Galaxy with:

```shell
ansible-galaxy install clusterapps.rhbase
```