From cbdd4251fdb95220f33d25cdaa0f74fdf6ed768e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Wed, 6 Mar 2024 10:19:03 +0000 Subject: [PATCH 1/2] set sysctl conf dir as default variable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- defaults/main/sysctl.yml | 1 + tasks/facts.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/defaults/main/sysctl.yml b/defaults/main/sysctl.yml index 1e4e19a4..7e706a90 100644 --- a/defaults/main/sysctl.yml +++ b/defaults/main/sysctl.yml @@ -1,5 +1,6 @@ --- manage_sysctl: true +sysctl_conf_dir: "{{ '/usr/lib/sysctl.d' if usr_lib_sysctl_d_dir else '/etc/sysctl.d' }}" sysctl_dev_tty_ldisc_autoload: 0 diff --git a/tasks/facts.yml b/tasks/facts.yml index ba248b82..38762866 100644 --- a/tasks/facts.yml +++ b/tasks/facts.yml @@ -55,7 +55,7 @@ - name: Set sysctl fact ansible.builtin.set_fact: - sysctl_conf_dir: "{{ '/usr/lib/sysctl.d' if usr_lib_sysctl_d.stat.exists else '/etc/sysctl.d' }}" + usr_lib_sysctl_d_dir: "{{ true if usr_lib_sysctl_d.stat.exists else false }}" - name: Set crypto-policies config as fact block: From 86932c3c849230b9b13f538ebe4fc8734d8cbf80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Wed, 6 Mar 2024 13:17:37 +0000 Subject: [PATCH 2/2] add verification MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- molecule/default/molecule.yml | 2 ++ molecule/default/verify.yml | 25 +++++++++++++++---------- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index afd2e32b..a7e1eb98 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
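Review bot: The new default `sysctl_conf_dir: "{{ '/usr/lib/sysctl.d' if usr_lib_sysctl_d_dir else '/etc/sysctl.d' }}"` depends on `usr_lib_sysctl_d_dir`, a fact that only exists after the set_fact in tasks/facts.yml has run, so any reference to `sysctl_conf_dir` before that task (for example a run that skips it by tag) fails with an undefined-variable error; a guard keeps the default usable on its own: `sysctl_conf_dir: "{{ '/usr/lib/sysctl.d' if (usr_lib_sysctl_d_dir | default(false)) else '/etc/sysctl.d' }}"`. Now that the directory is a user-facing default, a comment above the key would help readers weigh the two choices, since per sysctl.d(5) a same-named file in /etc/sysctl.d masks one in /usr/lib/sysctl.d and otherwise drop-ins are applied in lexicographic order across directories, which decides whether other drop-ins can override the role's hardening values. The molecule.yml overrides in the second patch use `/etc/sysctl.d/` with a trailing slash while this default has none; settling on one form avoids surprises where the role joins the directory with a file name or compares paths.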
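Review bot: The conditional in `usr_lib_sysctl_d_dir: "{{ true if usr_lib_sysctl_d.stat.exists else false }}"` is redundant because `stat.exists` is already a boolean, and the same expression is duplicated in the verify.yml hunk of the second patch, so `usr_lib_sysctl_d_dir: "{{ usr_lib_sysctl_d.stat.exists }}"` reads better in both places. Since this fact now selects the directory the role writes its sysctl drop-in into, it may be worth requiring a directory rather than any path: `usr_lib_sysctl_d_dir: "{{ usr_lib_sysctl_d.stat.exists and (usr_lib_sysctl_d.stat.isdir | default(false)) }}"`. The stat task that registers `usr_lib_sysctl_d` is not part of this hunk, so I have assumed it still runs immediately before this set_fact.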
@@ -36,6 +36,7 @@ provisioner: - sudo sshd_host_keys_group: ssh_keys sshd_update_moduli: true + sysctl_conf_dir: /etc/sysctl.d/ system_upgrade: false bookworm: ansible_become_pass: vagrant @@ -59,6 +60,7 @@ provisioner: - sudo sshd_update_moduli: true suid_sgid_permissions: false + sysctl_conf_dir: /etc/sysctl.d/ umask_value: "027" jammy: disable_ipv6: true diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 00a621ec..d4236dec 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -42,6 +42,17 @@ ansible.builtin.set_fact: crypto_policies_config: "{{ stat_crypto_policies_config.stat.exists }}" + - name: Set sysctl configuration directory as fact + block: + - name: Stat /usr/lib/sysctl.d/ exists + ansible.builtin.stat: + path: /usr/lib/sysctl.d/ + register: usr_lib_sysctl_d + + - name: Set sysctl fact + ansible.builtin.set_fact: + usr_lib_sysctl_d_dir: "{{ true if usr_lib_sysctl_d.stat.exists else false }}" + - name: Ensure test groups exists become: true ansible.builtin.group: @@ -67,16 +78,6 @@ - testuser01 - testuser02 - - name: Set sysctl configuration directory as fact - tags: - - fact - - sysctl - block: - - name: Stat /usr/lib/sysctl.d/ exists - ansible.builtin.stat: - path: /usr/lib/sysctl.d/ - register: usr_lib_sysctl_d - - name: Get installed sshd version environment: PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin/ @@ -459,6 +460,10 @@ - HashKnownHosts yes - RekeyLimit {{ sshd_rekey_limit }} + - name: Print sysctl configuration directory + ansible.builtin.debug: + msg: "{{ sysctl_conf_dir }}" + - name: Merge sysctl settings ansible.builtin.set_fact: sysctl_settings: "{{ generic_sysctl_settings | combine(ipv4_sysctl_settings) }}"
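Review bot: The host override `sysctl_conf_dir: /etc/sysctl.d/` (here and again in the second hunk of this file, for the host before `jammy`) pins those test hosts to a fixed directory, so the branch of the new default that selects `/usr/lib/sysctl.d` via `usr_lib_sysctl_d_dir` is not exercised on them by this scenario; if the override exists only to make the verify play deterministic, a comment stating that would help, e.g. `# fixed so verify does not depend on whether /usr/lib/sysctl.d exists`. The value also carries a trailing slash while the role default in the first patch (`/etc/sysctl.d`) does not; unless the role relies on the slash, `sysctl_conf_dir: /etc/sysctl.d` keeps both in the same form and avoids a spurious difference in any path comparison.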
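Review bot: The relocated `Set sysctl configuration directory as fact` block drops the `tags: [fact, sysctl]` that the removed copy carried (see the later hunk in this file), so a tagged verify run would no longer set `usr_lib_sysctl_d_dir` before `sysctl_conf_dir` is printed, and if this play evaluates the role default from the first patch it would then fail on the undefined variable; restoring the tags on the new block, or guarding the default with `default(false)`, avoids that. The expression `usr_lib_sysctl_d_dir: "{{ true if usr_lib_sysctl_d.stat.exists else false }}"` also duplicates tasks/facts.yml; `"{{ usr_lib_sysctl_d.stat.exists }}"` is equivalent. Because this play recomputes the fact with its own stat instead of reading what the role derived, a divergence between the two expressions would go unnoticed, so keeping them identical (or sharing them via `include_tasks`) reduces that risk.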
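Review bot: `Print sysctl configuration directory` only echoes `sysctl_conf_dir` through `ansible.builtin.debug`, so the verification named in the commit title cannot fail even if the role wrote its settings somewhere else; an assert on what the role actually produced under that directory would make this a real check. Stat the drop-in the role writes below `sysctl_conf_dir` and assert it exists, as in the excerpt (the file name is a placeholder to fill from the role's sysctl task). `Merge sysctl settings` continues past the end of this hunk.
```yaml
    # … unchanged: Print sysctl configuration directory …

    - name: Stat sysctl drop-in written by the role
      ansible.builtin.stat:
        path: "{{ sysctl_conf_dir }}/ROLE_SYSCTL_FILE"  # placeholder: the drop-in file name the role writes
      register: stat_role_sysctl_file

    - name: Assert sysctl drop-in exists in the configured directory
      ansible.builtin.assert:
        that:
          - stat_role_sysctl_file.stat.exists
        fail_msg: "no sysctl drop-in found under {{ sysctl_conf_dir }}"

    # … unchanged: Merge sysctl settings …
```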