chore: update cloudinit configs

* make sure ntp is enabled * set timezone * disable makecache timer * write dnf.conf * noatime on root fs * fix package installation and upgrades
2021-05-14 07:24:41 +02:00 · 2021-05-14 07:24:41 +02:00 · f1df309923
commit f1df309923
parent 6fd5e9c4fb
4 changed files with 107 additions and 20 deletions
--- a/vms/cloudinit.host-attacker.cfg
+++ b/vms/cloudinit.host-attacker.cfg
@ -4,6 +4,26 @@
 runcmd:
  - cat /etc/resolv.conf
  - uname -r
  - timedatectl set-ntp 1
  - timedatectl set-timezone Europe/Bratislava
  - systemctl disable --now dnf-makecache.timer
  - dnf config-manager --set-enabled updates updates-testing
  - dnf upgrade --refresh -y
  - dnf distro-sync -y
  - dnf clean all
  - sed -i "s/ext4 * defaults *1 1/ext4 noatime 0 0/" /etc/fstab
 write_files:
  - content: |
      [main]
      gpg_check=1
      installonly_limit=2
      clean_requirements_on_remove=True
      fastestmirror=True
      max_parallel_downloads=7
    path: /etc/dnf/dnf.conf
    owner: root:root
    permissions: '0644'
 ssh_pwauth: true
 chpasswd:
@ -41,9 +61,10 @@ hostname: ${hostname}
 # reboot after fqdn is set to update the info in libvirt's dnsmasq
 power_state:
- delay: "+1"
+  delay: "+1"
- mode: reboot
+  mode: reboot
- condition: true
+  condition: true
  timeout: 120  # seconds
 packages:
  - vim
@ -54,12 +75,15 @@ packages:
  - kernel-devel
  - kernel-headers
  - nmap
-  - python39 # for ansible
+  # use python3 instead of python39 or similar; python3 is certain to point to
-  - "@Security Lab"
+  # the latest python version available in the repositories (apart from
  # python3-devel perhaps)
  - python3  # for ansible
  - "@security-lab"
  - sudo
  - tcpdump
  - tcpflow
  - tcptrack
-package_upgrade: true
+package_upgrade: false
 package_reboot_if_required: true
--- a/vms/cloudinit.host-defender.cfg
+++ b/vms/cloudinit.host-defender.cfg
@ -4,6 +4,26 @@
 runcmd:
  - cat /etc/resolv.conf
  - uname -r
  - timedatectl set-ntp 1
  - timedatectl set-timezone Europe/Bratislava
  - systemctl disable --now dnf-makecache.timer
  - dnf config-manager --set-enabled updates updates-testing
  - dnf upgrade --refresh -y
  - dnf distro-sync -y
  - dnf clean all
  - sed -i "s/ext4 * defaults *1 1/ext4 noatime 0 0/" /etc/fstab
 write_files:
  - content: |
      [main]
      gpg_check=1
      installonly_limit=2
      clean_requirements_on_remove=True
      fastestmirror=True
      max_parallel_downloads=7
    path: /etc/dnf/dnf.conf
    owner: root:root
    permissions: '0644'
 ssh_pwauth: true
 chpasswd:
@ -35,9 +55,10 @@ hostname: ${hostname}
 # reboot after fqdn is set to update the info in libvirt's dnsmasq
 power_state:
- delay: "+1"
+  delay: "+1"
- mode: reboot
+  mode: reboot
- condition: true
+  condition: true
  timeout: 120  # seconds
 packages:
  - vim
@ -48,12 +69,15 @@ packages:
  - kernel-devel
  - kernel-headers
  - nmap
-  - python39 # for ansible
+  # use python3 instead of python39 or similar; python3 is certain to point to
-  - "@Security Lab"
+  # the latest python version available in the repositories (apart from
  # python3-devel perhaps)
  - python3  # for ansible
  - "@security-lab"
  - sudo
  - tcpdump
  - tcpflow
  - tcptrack
-package_upgrade: true
+package_upgrade: false
 package_reboot_if_required: true
--- a/vms/cloudinit.host-victim.cfg
+++ b/vms/cloudinit.host-victim.cfg
@ -4,6 +4,23 @@
 runcmd:
  - cat /etc/resolv.conf
  - uname -r
  # - echo -e "[main]\ngpg_check=1\ninstallonly_limit=2\nclean_requirements_on_remove=True\nfastestmirror=True\nmax_parallel_downloads=7" > /etc/dnf/dnf.conf
  - timedatectl set-ntp 1
  - timedatectl set-timezone Europe/Bratislava
  - dnf config-manager --set-enabled cr powertools
  - sed -i "s/xfs * defaults *1 1/ext4 noatime 0 0/" /etc/fstab
 write_files:
  - content: |
      [main]
      gpg_check=1
      installonly_limit=2
      clean_requirements_on_remove=True
      fastestmirror=True
      max_parallel_downloads=7
    path: /etc/dnf/dnf.conf
    owner: root:root
    permissions: '0644'
 ssh_pwauth: true
 chpasswd:
@ -41,13 +58,16 @@ hostname: ${hostname}
 # reboot after fqdn is set to update the info in libvirt's dnsmasq
 power_state:
- delay: "+1"
+  delay: "+1"
- mode: reboot
+  mode: reboot
- condition: true
+  condition: true
 packages:
  # install python3; it's a metapackage that points to the latest available
  # version in the distro repositories; currently python 3.7.x for centos8
  - python3  # for ansible
  - sudo
-  - python39 # for ansible
+  - vim
 package_upgrade: true
 package_reboot_if_required: true
--- a/vms/cloudinit.router.cfg
+++ b/vms/cloudinit.router.cfg
@ -4,6 +4,22 @@
 runcmd:
  - cat /etc/resolv.conf
  - uname -r
  - timedatectl set-ntp 1
  - timedatectl set-timezone Europe/Bratislava
  - dnf config-manager --set-enabled updates updates-testing
  - sed -i "s/ext4 * defaults *1 1/ext4 noatime 0 0/" /etc/fstab
 write_files:
  - content: |
      [main]
      gpg_check=1
      installonly_limit=2
      clean_requirements_on_remove=True
      fastestmirror=True
      max_parallel_downloads=7
    path: /etc/dnf/dnf.conf
    owner: root:root
    permissions: '0644'
 ssh_pwauth: true
 chpasswd:
@ -35,15 +51,18 @@ hostname: ${hostname}
 # reboot after fqdn is set to update the info in libvirt's dnsmasq
 power_state:
- delay: "+1"
+  delay: "+1"
- mode: reboot
+  mode: reboot
- condition: true
+  condition: true
 packages:
  - vim
  - frr
  - htop
-  - python39 # for ansible
+  # use python3 instead of python39 or similar; python3 is certain to point to
  # the latest python version available in the repositories (apart from
  # python3-devel perhaps)
  - python3  # for ansible
  - sudo
 package_upgrade: true