Unified playbooks

.github/workflows/os_builder.yaml

@@ -19,7 +19,7 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y ansible
       - name: Run pre-prep playbook
-        run: cd os_builders && ansible-playbook -i inventory/localhost.yml playbooks/prep_builder.yml
+        run: cd os_builders && ansible-playbook -i inventory/localhost.yml playbooks/prepare_user_image.yml
 
   validate_packer:
       strategy:
@@ -34,7 +34,7 @@ jobs:
             sudo apt-get update
             sudo apt-get install -y ansible
             cd os_builders
-            ansible-playbook -i inventory/localhost.yml playbooks/prep_builder.yml
+            ansible-playbook -i inventory/localhost.yml playbooks/prepare_user_image.yml
 
         - name: Validate packer files
           run: |
@@ -66,7 +66,7 @@ jobs:
           run: |
            . venv/bin/activate
            cd os_builders && sed -i 's/all/default/g' inventory/localhost.yml
-           ansible-playbook -i inventory/localhost.yml playbooks/provision_image.yml --extra-vars provision_this_machine=True
+           ansible-playbook -i inventory/localhost.yml playbooks/prepare_user_image.yml --extra-vars provision_this_machine=True
 
   test_image_prep_rocky:
     strategy:
@@ -83,4 +83,4 @@ jobs:
       - name: Run pre-prep playbook
         run: |
           cd os_builders && sed -i 's/all/default/g' inventory/localhost.yml
-          ansible-playbook -i inventory/localhost.yml playbooks/provision_image.yml --extra-vars provision_this_machine=True
+          ansible-playbook -i inventory/localhost.yml playbooks/prepare_user_image.yml --extra-vars provision_this_machine=True

os_builders/packfiles/build.pkr.hcl

@@ -14,11 +14,11 @@ build{
   ]
 
   provisioner "ansible" {
-  user = "packer"
-  playbook_file = "${path.root}/../playbooks/provision_image.yml"
-  extra_arguments = [
+    user          = "packer"
+    playbook_file = "${path.root}/../playbooks/prepare_user_image.yml"
+    extra_arguments = [
       # Include safety checks
-      "--extra-vars", "provision_this_machine=true",
+      "--extra-vars", "provision_this_machine=true, tidy_image=True",
       # Workaround https://github.com/hashicorp/packer/issues/12416
       #"--scp-extra-args", "'-O'",
       #"--ssh-extra-args", "-o IdentitiesOnly=yes -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa"

os_builders/playbooks/prepare_user_image.yml

@@ -1,5 +1,5 @@
 - name: Prep STFC Cloud User Image
-  hosts: localhost
+  hosts: all
   become: true
 
   pre_tasks:
@@ -11,3 +11,5 @@
     - role: ../roles/vm_baseline
     - role: ../roles/container_registry
     - role: ../roles/nubes_bootcontext
+    - role: ../roles/tidy_image
+      when: "{{ tidy_image|default(false)|bool == True }}"

os_builders/roles/tidy_image/tasks/cleanout_rc_directories.yml

@@ -0,0 +1,14 @@
+- name: Cleanout rc.loacl
+  file:
+    path: "/etc/rc.d/rc.local"
+    state: absent
+
+- name: Cleanout /etc/nubes-bootcontext.sh
+  file:
+    path: "/etc/nubes-bootcontext.sh"
+    state: absent
+
+- name: Cleanout /etc/nubes-bootcontext.sh
+  file:
+    path: "/etc/rc*/S99-nubes-boot*"
+    state: absent

os_builders/roles/tidy_image/tasks/cleanout_tmp.yml

@@ -0,0 +1,9 @@
+- name: Cleanout /tmp/*
+  file:
+    path: "/tmp/*"
+    state: absent
+
+- name: Cleanout /var/tmp/*
+  file:
+    path: "/var/tmp/*"
+    state: absent

os_builders/roles/tidy_image/tasks/cleanup_network_conf.yml

@@ -0,0 +1,14 @@
+- name: Cleanout /etc/sysconfig/network-scripts/ifcfg-e*
+  file:
+    path: "/etc/sysconfig/network-scripts/ifcfg-e*"
+    state: absent
+
+- name: Cleanout /etc/udev/rules.d/70*
+  file:
+    path: "/etc/udev/rules.d/70*"
+    state: absent
+
+- name: Cleanout /etc/sysconfig/network
+  file:
+    path: "/etc/sysconfig/network"
+    state: absent

os_builders/roles/tidy_image/tasks/cleanup_old_kernels.yml

@@ -0,0 +1,15 @@
+- name: Cleanup old kernels Ubuntu
+  block:
+  - name: cleanup old kernels
+    shell: "dpkg --list | egrep -i 'linux-image|linux-headers|linux-modules' | cut -d ' ' -f 3 | grep -v $(uname -r) | grep -v 'linux-headers-generic' | grep -v 'linux-headers-virtual' | grep -v 'linux-image-virtual' | xargs apt-get remove -y"
+    become: true
+    when: ( ansible_facts.packages['linux-image'] | length > 1)
+  when: ansible_distribution == "Ubuntu" and "linux-image" in ansible_facts.packages
+
+- name: Cleanup old kernels Rocky
+  block:
+  - name: cleanup old kernels
+    command:
+      cmd: "dnf remove --oldinstallonly kernel -y"
+    when: ( ansible_facts.packages['kernel'] | length > 1)
+  when: ansible_distribution == "Rocky" and "kernel" in ansible_facts.packages

os_builders/roles/tidy_image/tasks/cleanup_packages.yml

@@ -0,0 +1,18 @@
+- name: Cleanout *.rpm
+  file:
+    path: "*.rpm"
+    state: absent
+
+- name: Cleanout *.deb
+  file:
+    path: "*.deb"
+    state: absent
+
+- name: clean yum/dnf
+  command: yum clean all
+  when: ansible_distribution == "Rocky"
+
+- name: clean apt cache
+  ansible.builtin.apt:
+    clean: yes
+  when: ansible_distribution == "Ubuntu"

os_builders/roles/tidy_image/tasks/cleanup_quattor.yml

@@ -0,0 +1,25 @@
+- name: Cleanout Quattor
+  block:
+    - name: Cleanout Quattor
+      stat:
+        path: /etc/ccm.conf
+      register: ccm_conf_exists
+
+    - name: Cleanout ccm config file
+      file:
+        path: "/etc/ccm.conf"
+        state: absent
+      when: ccm_conf_exists
+
+    - name: Cleanout quattor profile
+      file:
+        path: "/var/lib/profile*"
+        state: absent
+      when: ccm_conf_exists
+
+    - name: Stop quattor listener
+      become: true
+      ansible.builtin.command:
+        cmd: "systemctl stop ncm-cdispd.service"
+      when: ccm_conf_exists
+  when: ansible_distribution == "Rocky"  and "ccm" in ansible_facts.packages

os_builders/roles/tidy_image/tasks/cleanup_sudoers.yml

@@ -0,0 +1,4 @@
+- name: Cleanout /etc/sudoers.d/cloud
+  file:
+    path: "/etc/sudoers.d/cloud"
+    state: absent

os_builders/roles/tidy_image/tasks/cleanup_users.yml

@@ -0,0 +1,12 @@
+- name: Cleanup users
+  ansible.builtin.user:
+    name: "{{ item }}"
+    remove: true
+    state: absent
+  loop:
+  - "nagios"
+
+- name: mark next boot as first boot
+  file:
+      path: /var/lock/firstboot
+      state: touch

os_builders/roles/tidy_image/tasks/clear_audit_log.yml

@@ -0,0 +1,14 @@
+- name: Clear EL audits
+  block:
+  - name: Clear Audit log
+    shell: "/bin/cat /dev/null > /var/log/audit/audit.log"
+  when: ansible_distribution == "Rocky"
+
+- name: Clear Audit log
+  shell: "/bin/cat /dev/null > /var/log/wtmp"
+
+- name: Clear Ubuntu audits
+  block:
+  - name: Clear Audit log
+    shell: "/bin/cat /dev/null > /var/log/auth.log"
+  when: ansible_distribution == "Ubuntu"

os_builders/roles/tidy_image/tasks/get_package_facts.yml

@@ -0,0 +1,3 @@
+- name: Gather the package facts
+  ansible.builtin.package_facts:
+    manager: auto

os_builders/roles/tidy_image/tasks/logrotate.yml

@@ -0,0 +1,20 @@
+- name: Remove duplicate /etc/logrotate.d/btmp
+  file:
+    path: "/etc/logrotate.d/btmp"
+    state: absent
+  when: ansible_distribution == "Rocky"  and "ccm" in ansible_facts.packages
+
+- name: Remove duplicate /etc/logrotate.d/wtmp
+  file:
+    path: "/etc/logrotate.d/wtmp"
+    state: absent
+  when: ansible_distribution == "Rocky"  and "ccm" in ansible_facts.packages
+
+
+- name: Clear Audit log
+  shell: "sudo logrotate -f /etc/logrotate.conf"
+
+- name: Cleanout /var/log/*.gz
+  file:
+    path: "/var/log/*.gz"
+    state: absent

os_builders/roles/tidy_image/tasks/main.yml

@@ -0,0 +1,26 @@
+# Cleanup machine
+
+- include_tasks: reboot.yml
+- include_tasks: get_package_facts.yml
+- include_tasks: run_quattor.yml
+  when: ansible_distribution == "Rocky"  and "ccm" in ansible_facts.packages
+- include_tasks: get_package_facts.yml
+- include_tasks: cleanout_tmp.yml
+- include_tasks: cleanout_rc_directories.yml
+- include_tasks: cleanup_network_conf.yml
+- include_tasks: run_update_keys.yml
+- include_tasks: set_locale.yml
+- include_tasks: wazuh.yml
+- include_tasks: cleanup_quattor.yml
+  when: ansible_distribution == "Rocky"  and "ccm" in ansible_facts.packages
+- include_tasks: run_pakiti.yml
+- include_tasks: cleanup_users.yml
+- include_tasks: cleanup_old_kernels.yml
+- include_tasks: remove_host_ssh_keys.yml
+- include_tasks: cleanup_packages.yml
+
+# Cleanup history of build
+- include_tasks: logrotate.yml
+- include_tasks: clear_audit_log.yml
+- include_tasks: remove_shell_history.yml
+- include_tasks: cleanup_sudoers.yml

os_builders/roles/tidy_image/tasks/reboot.yml

@@ -0,0 +1,8 @@
+- name: Reboot machine
+  ansible.builtin.reboot:
+
+- name: Wait for SSH to come up
+  wait_for_connection:
+    delay: 10
+    timeout: 300
+

os_builders/roles/tidy_image/tasks/remove_host_ssh_keys.yml

@@ -0,0 +1,4 @@
+- name: Cleanout Host SSH Keys
+  file:
+    path: "/etc/ssh/*key*"
+    state: absent

os_builders/roles/tidy_image/tasks/remove_shell_history.yml

@@ -0,0 +1,9 @@
+- name: Cleanout Host SSH Keys
+  file:
+    path: "/home/*/.bash_history"
+    state: absent
+
+- name: Cleanout Host SSH Keys
+  file:
+    path: "/root/.bash_history"
+    state: absent

os_builders/roles/tidy_image/tasks/run_pakiti.yml

@@ -0,0 +1,3 @@
+- name: Run pakiti
+  command:
+    cmd: "pakiti2-client"

os_builders/roles/tidy_image/tasks/run_quattor.yml

@@ -0,0 +1,4 @@
+- name: run quattor
+  shell: "sudo quattor-fetch && sudo quattor-configure --all --verbose"
+  ignore_errors: true
+  when: ansible_distribution == "Rocky"  and "ccm" in ansible_facts.packages

os_builders/roles/tidy_image/tasks/run_update_keys.yml

@@ -0,0 +1,3 @@
+- name: Update admin keys
+  command:
+    cmd: "/usr/local/sbin/update_keys.sh"

os_builders/roles/tidy_image/tasks/set_locale.yml

@@ -0,0 +1,58 @@
+# - name: set locale to set
+#   set_fact:
+#     config_system_locale: "en_GB.UTF-8"
+#     config_system_language: "en_GB.UTF-8"
+
+- name: set locale to set
+  set_fact:
+    config_system_locale: "en_US.UTF-8"
+    config_system_language: "en_US.UTF-8"
+
+- name: check if locale exists
+  shell: "locale -a | grep -i {{ config_system_locale | regex_replace('-', '') | quote }}"
+  register: found_locale
+  changed_when: no
+  failed_when: no
+
+- name: create locale
+  command: "localedef -i {{ config_system_locale | regex_replace('(.*)\\..*', '\\1') | quote }} -f {{ config_system_locale | regex_replace('.*\\.(.*)', '\\1') | quote }} {{ config_system_locale | quote }}"
+  when: not ansible_check_mode and found_locale.rc != 0
+
+- name: check if language exists
+  shell: "locale -a | grep -i {{ config_system_language | regex_replace('-', '') | quote }}"
+  register: found_language
+  changed_when: no
+  failed_when: no
+
+- name: create language
+  command: "localedef -i {{ config_system_language | regex_replace('(.*)\\..*', '\\1') | quote }} -f {{ config_system_language | regex_replace('.*\\.(.*)', '\\1') | quote }} {{ config_system_language | quote }}"
+  when: not ansible_check_mode and found_language.rc != 0
+
+- name: Get current locale and language configuration
+  command: localectl status
+  register: locale_status
+  changed_when: false
+
+- name: Parse 'LANG' from current locale and language configuration
+  set_fact:
+    locale_lang: "{{ locale_status.stdout | regex_search('LANG=([^\n]+)', '\\1') | first }}"
+
+- name: Parse 'LANGUAGE' from current locale and language configuration
+  set_fact:
+    locale_language: "{{ locale_status.stdout | regex_search('LANGUAGE=([^\n]+)', '\\1') | default([locale_lang], true) | first }}"
+
+- name: Configure locale to '{{ config_system_locale }}' and language to '{{ config_system_language }}'
+  command: localectl set-locale LANG={{ config_system_locale }} LANGUAGE={{ config_system_language }}
+
+- name: Set locale keymap
+  command: localectl set-keymap gb
+  when: ansible_distribution == "Rocky"
+
+# - name: Set locale keymap
+#   command: loadkeys uk
+#   when: ansible_distribution == "Ubuntu"
+
+
+# - name: Set locale x11 keymap
+#   command: localeclt set-x11-keymap gb
+#   when: ansible_distribution == "Rocky"

os_builders/roles/tidy_image/tasks/wazuh.yml

@@ -0,0 +1,15 @@
+- name: Set wazuh package name variable
+  set_fact:
+    wazuh_package_name: "wazuh-agent"
+
+- name: Stop wazuh-agent service
+  become: true
+  ansible.builtin.command:
+    cmd: "systemctl stop wazuh-agent.service"
+  when: wazuh_package_name in ansible_facts.packages
+  ignore_errors: True
+
+- name: Clean Wazuh agent history
+  file:
+    path: "/var/ossec/etc/client.keys"
+    state: absent