Update tags and add kernel-cleanup script

roles/base/tasks/main.yml

@@ -18,10 +18,12 @@
 #
 # Remove obsolete issue-gen
 #
-- name: remove obsolete issue-gen script
+- name: remove obsolete issue-gen script from PVC installer
   file:
     dest: /etc/network/if-up.d/issue-gen
     state: absent
+  when: newhost is defined and newhost
+  tags: always
 
 #
 # Install custom fact scripts
@@ -31,6 +33,7 @@
     dest: "/etc/ansible/facts.d"
     state: directory
     recurse: yes
+  tags: base-ansible
 
 - name: install custom facts
   template:
@@ -42,22 +45,27 @@
     - host_id
     - host_group
     - dhcp_status
+  tags: base-ansible
 
 - name: regather facts
   setup:
   when: installed_facts.changed
+  tags: base-ansible
 
 - debug:
     var: ansible_local.host_group
     verbosity: 1
+  tags: always
   
 - debug:
     var: ansible_local.host_id
     verbosity: 1
+  tags: always
   
 - debug:
     var: ansible_local.dhcp_status
     verbosity: 1
+  tags: always
 
 #
 # Configure APT
@@ -71,14 +79,14 @@
     - { src: "etc/apt/apt.conf.d/10norecommends.j2", dest: "/etc/apt/apt.conf.d/10norecommends" }
     - { src: "etc/apt/preferences.d/pins.j2", dest: "/etc/apt/preferences.d/pins" }
     - { src: "etc/apt/sources.list.{{ ansible_machine }}.j2", dest: "/etc/apt/sources.list" }
-  tags: apt
+  tags: base-apt
 
 - name: add key for bonilan repo
   apt_key:
     url: "https://repo.bonifacelabs.net/debian/bonifacelabs_signing_key.pub"
     id: "83D07192314835D4"
     state: present
-  tags: apt
+  tags: base-apt
 
 #
 # Safe apt upgrades (on first install only)
@@ -87,6 +95,8 @@
 - name: apt update
   apt:
     update-cache: yes
+  when: newhost is defined and newhost
+  tags: base-apt
 
 - name: aptitude safe upgrade with autoremove
   apt:
@@ -94,6 +104,7 @@
     autoremove: yes
     upgrade: safe
   when: newhost is defined and newhost
+  tags: base-apt
 
 - name: install dbus
   apt:
@@ -101,12 +112,14 @@
       - dbus
     state: latest
   when: newhost is defined and newhost
+  tags: base-apt
 
 - name: clean out apt cache
   file:
     path: "/var/cache/apt/archives"
     state: absent
   when: newhost is defined and newhost
+  tags: base-apt
 
 #
 # Purge unneeded packages
@@ -123,15 +136,13 @@
     state: absent
     purge: yes
     autoremove: yes
-
+  tags: base-packages
-#
-# Install common packages
-#
 
 - name: set override debconf selections
   shell: 'echo "{{ item }}" | debconf-set-selections'
   with_items:
     - "wireshark-common wireshark-common/install-setuid boolean true"
+  tags: base-packages
 
 - name: install common packages (all arch)
   apt:
@@ -202,6 +213,17 @@
       - haveged
       - linux-image-amd64
       - linux-headers-amd64
+  tags: base-packages
+
+- name: install cleanup scripts
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0755
+  with_items:
+    - { src: "usr/local/sbin/kernel-cleanup.sh.j2", dest: "/usr/local/sbin/kernel-cleanup.sh" }
+    - { src: "usr/local/sbin/dpkg-cleanup.sh.j2", dest: "/usr/local/sbin/dpkg-cleanup.sh" }
+  tags: base-packages
 
 #
 # System configuration
@@ -212,7 +234,7 @@
   template:
     src: etc/network/interfaces.j2
     dest: /etc/network/interfaces
-  tags: network
+  tags: base-network
 
 - name: install per-interface files
   template:
@@ -221,13 +243,14 @@
   with_dict: "{{ networks }}"
   loop_control:
     loop_var: network
-  tags: network
+  tags: base-network
 
 # capabilities
 - name: set ping capabilities
   capabilities:
     path: /bin/ping
     capability: cap_net_raw=ep
+  tags: base-system
 
 # locale
 - name: install locale config files
@@ -239,6 +262,7 @@
   with_items:
     - { src: "etc/default/locale.j2", dest: "/etc/default/locale" }
     - { src: "etc/locale.gen.j2", dest: "/etc/locale.gen" }
+  tags: base-system
 
 - name: set timezone
   file:
@@ -246,6 +270,30 @@
     dest: /etc/localtime
     state: link
     force: yes
+  tags: base-system
+
+# sysctl
+- name: install sysctl tweaks
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+  with_items:
+    - { src: "etc/sysctl.d/pvc.conf.j2", dest: "/etc/sysctl.d/pvc.conf" }
+  tags: base-system
+
+- name: activate sysctl tweaks
+  shell: "sysctl -p {{ item }}"
+  with_items:
+    - /etc/sysctl.d/pvc.conf
+  tags: base-system
+
+# sudo
+- name: write the sudoers file
+  template:
+    src: "etc/sudoers.j2"
+    dest: "/etc/sudoers"
+    mode: 0440
+  tags: base-system
 
 # dns
 - name: write the hosts config
@@ -254,29 +302,16 @@
     dest: "{{ item.dest }}"
   with_items:
     - { src: "etc/hosts.j2", dest: "/etc/hosts" }
-  tags: dns
+  tags: base-dns
 
 - name: write the resolver configs
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
   with_items:
-    - { src: "etc/dhcp/dhclient-enter-hooks.d/noresolv.j2", dest: "/etc/dhcp/dhclient-enter-hooks.d/noresolv" }
     - { src: "etc/resolv.conf.j2", dest: "/etc/resolv.conf" }
-  tags: dns
+    - { src: "etc/dhcp/dhclient-enter-hooks.d/noresolv.j2", dest: "/etc/dhcp/dhclient-enter-hooks.d/noresolv" }
-
+  tags: base-dns
-# acpi
-- name: install sysctl tweaks
-  template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-  with_items:
-    - { src: "etc/sysctl.d/pvc.conf.j2", dest: "/etc/sysctl.d/pvc.conf" }
-
-- name: activate sysctl tweaks
-  shell: "sysctl -p {{ item }}"
-  with_items:
-    - /etc/sysctl.d/pvc.conf
 
 # syslog
 - name: install rsyslog and logrotate configs
@@ -288,7 +323,7 @@
   with_items:
     - { src: "etc/rsyslog.conf.j2", dest: "/etc/rsyslog.conf" }
     - { src: "etc/logrotate.d/rsyslog.j2", dest: "/etc/logrotate.d/rsyslog" }
-  tags: rsyslog
+  tags: base-syslog
 
 - name: set journalctl persistence
   template:
@@ -297,7 +332,7 @@
     mode: 0644
   with_items:
     - { src: "etc/systemd/journald.conf.j2", dest: "/etc/systemd/journald.conf" }
-  tags: rsyslog
+  tags: base-syslog
 
 # cron
 - name: install crontab
@@ -307,6 +342,7 @@
     mode: 0755
   with_items:
     - { src: "etc/crontab.j2", dest: "/etc/crontab" }
+  tags: base-cron
 
 # mta
 - name: install postfix generic config
@@ -315,15 +351,14 @@
     dest: "/etc/postfix/main.cf"
   notify:
     - restart postfix
+  tags: base-mta
 
 - name: touch the postfix aliases file
   file:
     dest: /etc/postfix/aliases
     state: touch
+  tags: base-mta
 
-#
-# Local alias maps
-#
 - name: install local alias maps for various users
   lineinfile:
     dest: "/etc/aliases"
@@ -337,6 +372,7 @@
     - clamav
   notify:
     - newaliases
+  tags: base-mta
 
 # ntp
 - name: write the NTP config file
@@ -347,23 +383,26 @@
     - restart ntp
   with_items:
     - { src: "etc/ntp.conf.j2", dest: "/etc/ntp.conf" }
-  tags: ntp
+  tags: base-time
 
 # ssl
 - name: ensure haveged is running
   service:
     name: haveged
     state: started
+  tags: base-ssl
 
 - name: generate diffie-hellman parameters
   command: openssl dhparam -out /etc/ssl/dhparams.pem 2048
   args:
     creates: /etc/ssl/dhparams.pem
+  tags: base-ssl
 
 - name: correct permissions on dhparams
   file:
     dest: /etc/ssl/dhparams.pem
     mode: 0440
+  tags: base-ssl
 
 # ssh
 - name: write the sshd_config files
@@ -377,13 +416,13 @@
     - { src: 'etc/ssh/sshd_config.j2', dest: '/etc/ssh/sshd_config' }
     - { src: 'etc/ssh/shosts.equiv.j2', dest: '/etc/ssh/shosts.equiv' }
     - { src: 'etc/ssh/ssh_known_hosts.j2', dest: '/etc/ssh/ssh_known_hosts' }
-  tags: ssh
+  tags: base-ssh
 
 - name: write sshd pam.d config
   template:
     src: "etc/pam.d/sshd.j2"
     dest: "/etc/pam.d/sshd"
-  tags: ssh
+  tags: base-ssh
 
 - name: remove unneeded SSH keys (leave only RSA and ED25519)
   file:
@@ -396,7 +435,7 @@
     - /etc/ssh/ssh_host_ecdsa_key.pub
   notify:
     - restart ssh
-  tags: ssh
+  tags: base-ssh
 
 - name: set permissions on rsa and ed25519 host keys (just in case they're wrong)
   file:
@@ -407,20 +446,14 @@
     - { name: 'ssh_host_rsa_key.pub', mode: '644' }
     - { name: 'ssh_host_ed25519_key', mode: '600' }
     - { name: 'ssh_host_ed25519_key.pub', mode: '644' }
-  tags: ssh
+  tags: base-ssh
-
-# sudo
-- name: write the sudoers file
-  template:
-    src: "etc/sudoers.j2"
-    dest: "/etc/sudoers"
-    mode: 0440
 
 # bash
 - name: write the bash.bashrc config file
   template:
     src: "etc/bash.bashrc.j2"
     dest: "/etc/bash.bashrc"
+  tags: base-shell
 
 # motd
 - name: ensure update-motd and profile.d scripts are present
@@ -432,7 +465,7 @@
     - { src: "usr/local/sbin/update-motd.sh.j2", dest: "/usr/local/sbin/update-motd.sh" }
     - { src: "etc/profile.d/w.sh.j2", dest: "/etc/profile.d/w.sh" }
     - { src: "etc/profile.d/pvc.sh.j2", dest: "/etc/profile.d/zzz_pvc.sh" }
-  tags: motd
+  tags: base-shell
 
 - name: install update-motd crontab
   template:
@@ -441,23 +474,13 @@
     mode: 0644
   with_items:
     - { src: "etc/cron.d/update-motd.j2", dest: "/etc/cron.d/update-motd" }
-  tags: motd
+  tags: base-shell
 
 - name: ensure /etc/motd is absent
   file:
     dest: "/etc/motd"
     state: absent
-  tags: motd
+  tags: base-shell
-
-# dpkg
-- name: install dpkg-cleanup script
-  template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    mode: 0755
-  with_items:
-    - { src: "usr/local/sbin/dpkg-cleanup.sh.j2", dest: "/usr/local/sbin/dpkg-cleanup.sh" }
-  tags: dpkg
 
 # fail2ban
 - name: install fail2ban configurations
@@ -471,7 +494,7 @@
     - { src: "etc/fail2ban/filter.d/sshd.conf.j2", dest: "/etc/fail2ban/filter.d/sshd.conf" }
     - { src: "etc/fail2ban/jail.d/sshd.conf.j2", dest: "/etc/fail2ban/jail.d/sshd.conf" }
     - { src: "etc/fail2ban/jail.d/sshd.local.j2", dest: "/etc/fail2ban/jail.d/sshd.local" }
-  tags: fail2ban
+  tags: base-fail2ban
 
 # check-mk-agent
 - name: install check_mk agent plugins
@@ -487,7 +510,7 @@
     - freshness
     - kernelversion
     - ownership
-  tags: check-mk-agent
+  tags: base-cmkagent
 
 #
 # Configure users
@@ -734,7 +757,7 @@
 - name: create vimdir
   file:
     state: directory
-    dest: /var/home/{{ item.name }}/.vim
+   dest: /var/home/{{ item.name }}/.vim
     owner: "{{ item.name }}"
     group: operator
     mode: 0700
@@ -756,5 +779,6 @@
     - postfix
     - ntp
     - ssh
+  tags: base-services
 
 - meta: flush_handlers

roles/base/templates/usr/local/sbin/kernel-cleanup.sh.j2

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# kernel-cleanup.sh - Remove obsolete packages and config files
+# {{ ansible_managed }}
+
+# Determine the active running kernel
+RUNNING_KERNEL="$( uname -v | awk '{ print $4 }' )"
+
+# Determine the list of installed kernels (latest is always last)
+INSTALLED_KERNELS=( $( dpkg -l | grep 'linux-image-[0-9]' | awk '{ print $3 }' ) )
+NUM_INSTALLED=${{ '{#' }}INSTALLED_KERNELS[@]}
+
+if [[ ${NUM_INSTALLED} -le 1 ]]; then
+    echo "A single kernel is installed, aborting cleanly."
+    exit 0
+fi
+
+LATEST_KERNEL="${INSTALLED_KERNELS[-1]}"
+if [[ ${LATEST_KERNEL} == ${RUNNING_KERNEL} ]]; then
+    force="--allow-remove-essential"
+else
+    force=""
+fi
+
+# Remove the latest kernel from the array
+NUM_REMOVABLE=$(( ${NUM_INSTALLED} - 1 ))
+REMOVABLE_KERNELS=( ${INSTALLED_KERNELS[@]:0:${NUM_REMOVABLE}} )
+
+PURGE_PACKAGES=()
+for KERNEL in ${REMOVABLE_KERNELS[@]}; do
+    PURGE_PACKAGES+=( $( dpkg -l | grep ${KERNEL} | awk '{ print $2 }' ) )
+done
+
+# Override the "linux-check-removal" script
+mv /usr/bin/linux-check-removal /usr/bin/linux-check-removal.orig
+echo -e '#!/bin/sh\necho "Overriding default linux-check-removal script!"\nexit 0' > /usr/bin/linux-check-removal
+chmod +x /usr/bin/linux-check-removal
+
+# Remove the packages
+echo "Removing: ${PURGE_PACKAGES[@]}"
+apt-get purge --yes ${force} ${PURGE_PACKAGES[@]}
+
+# Restore the "linux-check-removal" script
+mv /usr/bin/linux-check-removal.orig /usr/bin/linux-check-removal
+
+# Make sure there is still a valid kernel installed (just in case something broke)
+if [[ $( dpkg -l | grep 'linux-image-[0-9]' | wc -l ) -lt 1 ]]; then
+    echo "WARNING: NO KERNEL IS INSTALLED. THROWING ERROR AND ABORTING."
+    exit 1
+fi
+exit 0