Appliance Basic Setup - Ansible
Here is my freshly revised Playbook to prepare the Appliance.
And no, i haven't had the need for complex roles so it's just a play.
Requirements on Appliance
- root password set (for access via ssh)
- Network configured (The MachineID fix might lead to a new ip with dhcp)
Requirements on Workstation
mkdir -p group_vars
echo pubkey_url: https://what.ever/some/ >> ~/group_vars/all
cat << EOF > inventory.yaml
- Fixes Systemd-Machine-ID (fixed in 2025.01)
- Enable Systemd-Networkd instead of wicked
- Auto-accept Repo-Keys and apply latest Updates
- Set Timezone
- Install various Software-Packages
- Install virtualizing agent depending on the Hardware (QEMU, VMware or Hyper-V)
- Activate ZRAM (100%)
- Enable etckeeper
- Enable automatic installation of security updates / daily
- Enable group wheel and allow sudo for them (no user creation included)
- Grub timeout 2 seconds instead of 10
- Install SSH pubkey for root via http link
- Disable Password Auth for SSH (pubkey only!)
- Enable tmpfs for /tmp
"name": "Python311",
"hosts": "doesntexist",
"become": false,
"tags": "python",
"tasks": [
"name": "Install Python311",
"": "zypper --quiet --non-interactive install -y --no-recommends --force python311",
"ignore_errors": true
"name": "Reset ssh connection to allow user changes to affect 'current login user'",
"ansible.builtin.meta": "reset_connection"
"name": "NetworkD",
"hosts": "all",
"become": false,
"tags": "systemd",
"tasks": [
"name": "Disable wicked",
"ansible.builtin.systemd_service": {
"name": "wicked",
"enabled": false,
"name": "Enable NetworkD and Resolved",
"ansible.builtin.systemd_service": {
"name": "{{ item }}",
"state": "started",
"enabled": true
"with_items": [
"name": "resolv.conf",
"ansible.builtin.file": {
"src": "/run/systemd/resolve/resolv.conf",
"dest": "/etc/resolv.conf",
"state": "link",
"force": true
"register": "resolvconf",
"changed_when": "resolvconf.changed"
"name": "SystemD",
"hosts": "grommunio",
"become": false,
"tags": "systemd",
"tasks": [
"name": "JournalDPersistent",
"ansible.builtin.blockinfile": {
"path": "/etc/systemd/journald.conf.d/persistent.conf",
"create": true,
"owner": "root",
"group": "root",
"mode": "0660",
"block": "[Journal]\nStorage=persistent\nCompress=no\nSplitMode=no\n"
"tags": "systemd, journald"
"name": "Install Updates",
"hosts": "grommunio",
"become": false,
"tags": "updates",
"tasks": [
"name": "Activate-Grommunio-Repo",
"ansible.builtin.command": "grommunio-repo community",
"register": "grommuniorepo",
"ignore_errors": true,
"changed_when": "grommuniorepo"
"name": "Grommunio-Update Check",
"ansible.builtin.command": "grommunio-update check",
"register": "grommuniorepo",
"ignore_errors": true,
"changed_when": "grommuniorepo"
"name": "TestRepo",
"": "zypper --quiet repos --name grommunio >/dev/null 2>&1",
"register": "grommuniorepo",
"ignore_errors": true,
"changed_when": "grommuniorepo"
"name": "Refresh-Repos-Accept-Keys",
"ansible.builtin.command": "zypper --quiet --gpg-auto-import-keys ref",
"when": "grommuniorepo.rc != 0",
"ignore_errors": true,
"register": "refret",
"changed_when": "refret"
"name": "Activate-Grommunio-Repo-And-Upgrade",
"ansible.builtin.command": "grommunio-update upgrade community --noreboot",
"when": "grommuniorepo.rc != 0",
"ignore_errors": true,
"register": "ignoreerrors",
"changed_when": "ignoreerrors"
"name": "Virtualization",
"hosts": "grommunio",
"become": false,
"tags": "virtualization",
"gather_facts": true,
"tasks": [
"name": "Install QemuGuestAgent",
"community.general.zypper": {
"name": [
"state": "installed",
"disable_recommends": true,
"clean_deps": true
"tags": "hypervisor",
"when": "ansible_system_vendor == \"QEMU\""
"name": "Enable qemu-guest-agent",
"ansible.builtin.systemd_service": {
"name": "qemu-guest-agent",
"state": "started",
"enabled": true
"tags": "hypervisor",
"when": "ansible_system_vendor == \"QEMU\""
"name": "Install HyperV agent",
"community.general.zypper": {
"name": [
"state": "installed",
"disable_recommends": true,
"clean_deps": true
"tags": "hypervisor",
"when": "ansible_system_vendor == \"Microsoft Corporation\""
"name": "Enable HyperV agent",
"ansible.builtin.systemd_service": {
"name": "{{ item }}",
"state": "started",
"enabled": true
"with_items": [
"tags": "hypervisor",
"when": "ansible_system_vendor == \"Microsoft Corporation\""
"name": "Install OpenVMTools",
"community.general.zypper": {
"name": [
"state": "installed",
"disable_recommends": true,
"clean_deps": true
"tags": "hypervisor",
"when": "ansible_system_vendor == \"VMware, Inc.\""
"name": "Enable OpenVMTools",
"ansible.builtin.systemd_service": {
"name": "{{ item }}",
"state": "started",
"enabled": true
"with_items": [
"tags": "hypervisor",
"when": "ansible_system_vendor == \"VMware, Inc.\""
"name": "TmpFS_Enable",
"hosts": "grommunio",
"tags": "tmpfs",
"become": false,
"tasks": [
"name": "FindMntTmp",
"ansible.builtin.command": "findmnt --types=tmpfs --target=/tmp --noheadings",
"ignore_errors": true,
"register": "notmpfs"
"name": "DeleteTmp",
"ansible.builtin.file": {
"path": "/tmp",
"state": "absent"
"when": "notmpfs.rc != 0",
"register": "tmpfsdeleted"
"name": "CreateTmp",
"ansible.builtin.file": {
"path": "/tmp",
"state": "directory",
"mode": "0755"
"when": "notmpfs != 0",
"register": "tmpfsempty"
"name": "TmpfsEnable",
"ansible.builtin.file": {
"src": "/usr/share/systemd/tmp.mount",
"dest": "/etc/systemd/system/tmp.mount",
"state": "link"
"register": "tmpfsenabled",
"when": "tmpfsempty",
"changed_when": "tmpfsenabled.changed"
"name": "Reboot",
"ansible.builtin.reboot": {
"msg": "Reboot initiated by Ansible for TmpFS",
"connect_timeout": 5,
"reboot_timeout": 300,
"pre_reboot_delay": 0,
"post_reboot_delay": 30,
"test_command": "uptime"
"when": "tmpfsenabled.changed"
"name": "Basics",
"hosts": "grommunio",
"become": false,
"gather_facts": true,
"handlers": [
"name": "Restart ssh",
"ansible.builtin.systemd_service": {
"name": "sshd",
"daemon_reload": true
"name": "Grub2MkConfig",
"ansible.builtin.command": "grub2-mkconfig -o /boot/grub2/grub.cfg"
"tasks": [
"name": "Timezone",
"community.general.timezone": {
"name": "UTC"
"name": "Required-software",
"community.general.zypper": {
"name": [
"state": "present",
"disable_recommends": false,
"force_resolution": true
"tags": "software"
"name": "Uninstall replaced thingies",
"community.general.zypper": {
"name": [
"state": "absent"
"tags": [ "software", "uninstall", "deprecated" ]
"name": "Cleanup yast2-online-update-configuration",
"ansible.builtin.file": {
"path": "{{ item }}",
"state": "absent"
"with_items": [
"name": "Install os-update + rebootmgr",
"community.general.zypper": {
"name": [
"state": "present",
"disable_recommends": true
"tags": [ "software", "os-update", "updates", "rebootmgr" ]
"name": "os-update only do security-updates",
"ansible.builtin.lineinfile": {
"dest": "/etc/os-update.conf",
"regexp": "^UPDATE_CMD=.*",
"line": "UPDATE_CMD=\"security\"",
"state": "present"
"tags": [ "os-update", "updates" ]
"name": "Enable os-update.timer",
"ansible.builtin.systemd_service": {
"name": "os-update.timer",
"enabled": true
"tags": "software"
"name": "Etckeeper install",
"community.general.zypper": {
"name": [
"state": "present",
"disable_recommends": true
"tags": [ "software", "etckeeper" ]
"name": "Enable etckeeper.timer",
"ansible.builtin.systemd_service": {
"name": "etckeeper.timer",
"enabled": true
"tags": "software"
"name": "Check if Etckeeper is already initialized",
"ansible.builtin.stat": {
"path": "/etc/.git/"
"register": "etckeeperinit"
"name": "Etckeeper init",
"ansible.builtin.command": "etckeeper init",
"when": "not etckeeperinit.stat.exists",
"tags": [ "software", "etckeeper" ]
"name": "Etckeeper Commit",
"ansible.builtin.command": "etckeeper commit -m 'init'",
"when": "not etckeeperinit.stat.exists",
"tags": [ "software", "etckeeper" ]
"name": "Enable purgekernels",
"ansible.builtin.systemd_service": {
"name": "purge-kernels",
"enabled": true
"tags": "software"
"name": "Enable Zram0",
"ansible.builtin.blockinfile": {
"path": "/etc/systemd/zram-generator.conf.d/0.conf",
"create": true,
"owner": "root",
"group": "root",
"mode": "0660",
"block": "[zram0]\nzram-size = int(ram)\n"
"tags": "zram"
"name": "Sudoers g=wheel",
"ansible.builtin.blockinfile": {
"path": "/etc/sudoers.d/wheel",
"create": true,
"owner": "root",
"group": "root",
"mode": "0440",
"block": "%wheel ALL=(ALL:ALL) ALL\n"
"tags": "sudo"
"name": "Grub2Timeout 2sec",
"ansible.builtin.lineinfile": {
"dest": "/etc/default/grub",
"regexp": "^GRUB_TIMEOUT=10",
"line": "GRUB_TIMEOUT=2",
"state": "present"
"tags": "grub",
"notify": [
"name": "Sudoers use userpass",
"ansible.builtin.replace": {
"path": "/etc/sudoers",
"regexp": "'^Defaults targetpw'",
"replace": "'#Defaults targetpw'"
"tags": "sudo"
"name": "Set authorized_keys for root",
"tags": "ssh",
"ansible.posix.authorized_key": {
"user": "root",
"state": "present",
"key": "{{ lookup('url', pubkey_url, split_lines=False) }}"
"name": "SSHD No PasswordAuthentication",
"ansible.builtin.lineinfile": {
"dest": "/etc/ssh/sshd_config",
"regexp": "^#PasswordAuthe.*$",
"line": "PasswordAuthentication no",
"state": "present",
"backup": true
"tags": "ssh"
"name": "SSHD No ChallengeResponseAuthentication",
"ansible.builtin.lineinfile": {
"dest": "/etc/ssh/sshd_config",
"regexp": "^#ChallengeResponse.*$",
"line": "ChallengeResponseAuthentication no",
"state": "present",
"backup": true
"tags": "ssh"
"name": "SSHD PermitRootlogin without-password",
"ansible.builtin.lineinfile": {
"dest": "/etc/ssh/sshd_config",
"regexp": "^PermitRootLogin",
"line": "PermitRootLogin without-password",
"state": "present",
"backup": true
"notify": [
"Restart ssh"
"tags": "ssh"
First run with ask-pass
ansible-playbook prepare-appliance.json -l -k
If everything worked out you will need to ommit the -k
as that is only for password auth.
From here i usually configure an additional mount for /var/lib/gromox
but that i do manually followed by grommunio-setup