--- # playbooks/docker/heimdall_baseline.yml # Idempotent OS baseline enforcement for the Heimdall edge router host. # # ───────────────────────────────────────────────────────────────────────────── # PURPOSE: Ongoing OS drift enforcement — safe to run any time, safe to schedule. # Does NOT upgrade packages. Does NOT reboot. # Does NOT touch the Traefik/Redis application stack. # For the application stack: use playbooks/self-heal/heimdall.yml # For OS updates: use playbooks/docker/heimdall_update.yml # For audit: use playbooks/docker/heimdall_audit.yml # ───────────────────────────────────────────────────────────────────────────── # # What this enforces (all idempotent): # 0. Packages: Required system packages present (docker-ce, nfs-common, etc.) # 1. Storage: Swap disabled (swapoff + fstab + zram masked) # 2. Sysctl: vm.swappiness=0, bridge netfilter, ip_forward # 3. Docker: /etc/docker/daemon.json with log rotation # # Usage: # ansible-playbook -i inventory/hosts.ini playbooks/docker/heimdall_baseline.yml # # # Dry-run: # ansible-playbook -i inventory/hosts.ini playbooks/docker/heimdall_baseline.yml --check --diff # # # Target a specific section: # ansible-playbook -i inventory/hosts.ini playbooks/docker/heimdall_baseline.yml --tags sysctl - name: Heimdall OS baseline enforcement hosts: heimdall become: true vars: lab_user: "{{ lab_ansible_user | default('chester') }}" handlers: - name: Restart Docker ansible.builtin.service: name: docker state: restarted tasks: - name: "0. Packages: ensure required system packages are present" tags: [packages, baseline] ansible.builtin.apt: name: - docker-ce - docker-ce-cli - containerd.io - nfs-common - curl - htop - ca-certificates state: present update_cache: true - name: "1. Storage: disable swap" tags: [storage, baseline] block: - name: Disable swap immediately (covers traditional + zram) ansible.builtin.command: swapoff -a when: ansible_swaptotal_mb > 0 changed_when: ansible_swaptotal_mb > 0 - name: Comment out swap entries in /etc/fstab ansible.builtin.replace: path: /etc/fstab regexp: '^([^#].*\s+swap\s+.*)$' replace: '# \1' - name: Remove zram-generator config to prevent zram swap at boot ansible.builtin.copy: dest: /etc/systemd/zram-generator.conf owner: root group: root mode: '0644' content: | # Managed by Ansible — heimdall_baseline.yml # Empty config disables zram swap on Ubuntu 24.04. - name: Stop and mask systemd-zram-generator service if present ansible.builtin.systemd: name: systemd-zram-generator state: stopped enabled: false masked: true failed_when: false - name: Swapoff zram devices explicitly ansible.builtin.shell: | for dev in $(ls /dev/zram* 2>/dev/null); do swapoff "$dev" 2>/dev/null || true done changed_when: false - name: "2. Sysctl: Docker networking parameters" tags: [sysctl, baseline] block: - name: Ensure br_netfilter module is loaded community.general.modprobe: name: br_netfilter state: present - name: Persist br_netfilter module load at boot ansible.builtin.copy: dest: /etc/modules-load.d/br_netfilter.conf content: "br_netfilter\n" owner: root group: root mode: '0644' - name: Apply and persist sysctl parameters ansible.posix.sysctl: name: "{{ item.key }}" value: "{{ item.value }}" sysctl_file: /etc/sysctl.d/90-heimdall.conf state: present reload: true loop: - { key: vm.swappiness, value: "0" } - { key: net.bridge.bridge-nf-call-iptables, value: "1" } - { key: net.bridge.bridge-nf-call-ip6tables, value: "1" } - { key: net.ipv4.ip_forward, value: "1" } - name: "3. Docker: daemon configuration and log rotation" tags: [docker, baseline] block: - name: Ensure /etc/docker directory exists ansible.builtin.file: path: /etc/docker state: directory owner: root group: root mode: '0755' - name: Deploy Docker daemon.json with log rotation ansible.builtin.copy: dest: /etc/docker/daemon.json owner: root group: root mode: '0644' content: | { "log-driver": "json-file", "log-opts": { "max-size": "10m", "max-file": "3" } } notify: Restart Docker - name: Ensure '{{ lab_user }}' is in the docker group ansible.builtin.user: name: "{{ lab_user }}" groups: docker append: true