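---
# Node bootstrap tasks for an RKE2 cluster: hosts file, firewall services,
# kernel parameters, etcd account, CA bundle, SELinux policy modules and the
# rke2 directories. Booleans are written as true/false so the file parses the
# same under YAML 1.1 and YAML 1.2 loaders.

- name: Update the /etc/hosts file with node name
  # The trailing "$" keeps the pattern from matching a longer host name that
  # merely starts with this one (node1 vs node10), which would otherwise
  # replace the wrong line.
  lineinfile:
    dest: "/etc/hosts"
    regexp: ".*\t{{ hostvars[item]['inventory_hostname']}}$"
    line: "{{ hostvars[item]['ansible_host'] }}\t{{ hostvars[item]['inventory_hostname']}}"
    state: present
    backup: true
  loop: "{{ groups['all'] }}"

- name: disable firewalld
  ansible.builtin.systemd:
    name: "firewalld"
    enabled: false
    masked: false
    state: stopped
  ignore_errors: true  # this command is not idempotent it seems

- name: enable nftables
  ansible.builtin.systemd:
    name: "nftables"
    enabled: true
    state: started
    masked: false

- name: add kernel params
  template:
    src: kernel_params.conf.j2
    dest: /etc/sysctl.d/rke2_kernel_params.conf
  register: kernel_params

- name: load kernel params
  # No shell features are used, so `command` runs the binary without a shell.
  command: sysctl --system
  when: kernel_params.changed

- name: add group - etcd
  group:
    name: etcd
    state: present

- name: add user - etcd
  user:
    name: etcd
    group: etcd

- name: remove rocky user at uid 1000
  user:
    name: rocky
    state: absent
    remove: true
  ignore_errors: true

- name: Download root CA
  # NOTE(review): the bundle is fetched without a pinned checksum, so a changed
  # upstream file is accepted silently. Pin it with
  # `checksum: sha256:<EXPECTED_SHA256_PLACEHOLDER>` once the expected digest
  # is known, and confirm that update-ca-trust actually reads from this dest
  # on the target distribution.
  get_url:
    url: https://curl.se/ca/cacert.pem
    dest: /etc/ssl/certs

- name: Update CA trust
  command: update-ca-trust

- name: Resize the disks if volume was expanded (experimental)
  # The task result is the exit status of the last command only; a failure in
  # growpart or pvresize is not reported on its own.
  shell: |
    /usr/bin/growpart /dev/vda 2
    /usr/sbin/pvresize -y -q /dev/vda2
    /usr/sbin/lvresize -y -q -r -l +100%FREE /dev/mapper/*root

- name: Disable SELinux
  # Permissive only while the custom policy modules below are built;
  # enforcing is restored by the last task in this file.
  selinux:
    policy: targeted
    state: permissive

- name: Copy SELinux Policies
  template:
    src: ../selinux/my-openstack.te
    dest: /etc/selinux/targeted/policy/my-openstack.te
  when: ( 'control-plane' in group_names )

- name: Build SELinux exception module & allow openstack CCM to mount the /etc/ssl/certs files
  # Each build task below compiles the .te source, packages it and loads it.
  # These are shell blocks, so only the exit status of the final `semodule`
  # call decides the task result.
  shell: |
    checkmodule -M -m -o /etc/selinux/targeted/policy/my-openstack.mod /etc/selinux/targeted/policy/my-openstack.te
    semodule_package -o /etc/selinux/targeted/policy/my-openstack.pp -m /etc/selinux/targeted/policy/my-openstack.mod
    semodule -i /etc/selinux/targeted/policy/my-openstack.pp
  when: ( 'control-plane' in group_names )

- name: Copy SELinux Policies (kube-apiserver)
  template:
    src: ../selinux/my-kube-apiserver.te
    dest: /etc/selinux/targeted/policy/my-kube-apiserver.te
  when: ( 'control-plane' in group_names )

- name: Build SELinux exception module (kube-apiserver)
  shell: |
    checkmodule -M -m -o /etc/selinux/targeted/policy/my-kube-apiserver.mod /etc/selinux/targeted/policy/my-kube-apiserver.te
    semodule_package -o /etc/selinux/targeted/policy/my-kube-apiserver.pp -m /etc/selinux/targeted/policy/my-kube-apiserver.mod
    semodule -i /etc/selinux/targeted/policy/my-kube-apiserver.pp
  when: ( 'control-plane' in group_names )

- name: Copy SELinux Policies (prometheus/node_exporter)
  template:
    src: ../selinux/my-prometheus_master.te
    dest: /etc/selinux/targeted/policy/my-prometheus.te
  when: ( 'control-plane' in group_names )

- name: Copy SELinux Policies (prometheus/node_exporter) on agents
  template:
    src: ../selinux/my-prometheus_agent.te
    dest: /etc/selinux/targeted/policy/my-prometheus.te
  when: ( 'control-plane' not in group_names )

- name: Build SELinux exception module (prometheus/node_exporter)
  # Runs on every host: the two copy tasks above write the same destination
  # file, one variant for control-plane nodes and one for agents.
  shell: |
    checkmodule -M -m -o /etc/selinux/targeted/policy/my-prometheus.mod /etc/selinux/targeted/policy/my-prometheus.te
    semodule_package -o /etc/selinux/targeted/policy/my-prometheus.pp -m /etc/selinux/targeted/policy/my-prometheus.mod
    semodule -i /etc/selinux/targeted/policy/my-prometheus.pp

- name: Copy SELinux Policies (hubble) on agents
  template:
    src: ../selinux/my-hubble.te
    dest: /etc/selinux/targeted/policy/my-hubble.te
  when: ( 'control-plane' not in group_names )

- name: Build SELinux exception module (hubble)
  shell: |
    checkmodule -M -m -o /etc/selinux/targeted/policy/my-hubble.mod /etc/selinux/targeted/policy/my-hubble.te
    semodule_package -o /etc/selinux/targeted/policy/my-hubble.pp -m /etc/selinux/targeted/policy/my-hubble.mod
    semodule -i /etc/selinux/targeted/policy/my-hubble.pp
  when: ( 'control-plane' not in group_names )

- name: Ensure /var/lib/rancher/rke2/server/manifests
  file:
    path: /var/lib/rancher/rke2/server/manifests
    state: directory
    recurse: true

- name: Ensure /etc/rancher/rke2
  file:
    path: /etc/rancher/rke2
    state: directory
    recurse: true

- name: Enable SELinux
  selinux:
    policy: targeted
    state: enforcing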