cloud-images/ansible/roles/cleanup_vm/tasks/main.yml

149 lines
3.6 KiB

---
- name: Remove old kernels
ansible.builtin.shell: dnf remove -y $(dnf repoquery --installonly --latest-limit=-1 -q)
- name: Delete DNF cache
ansible.builtin.command: dnf clean all
- name: Find DNF history files
ansible.builtin.find:
paths: /var/lib/dnf
patterns: "history*"
register: dnf_history
- name: Reset DNF history
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
loop: "{{ dnf_history.files }}"
- name: Find temporary files
ansible.builtin.find:
file_type: any
paths:
- /tmp
- /var/tmp
patterns: '*'
register: tmp_files
- name: Remove temporary files
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
loop: "{{ tmp_files.files }}"
- name: Find SSH host keys
ansible.builtin.find:
paths: /etc/ssh
patterns: '*host*key*'
register: host_keys
- name: Remove SSH host keys
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
loop: "{{ host_keys.files }}"
- name: Remove kickstart files
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /root/anaconda-ks.cfg
- /root/original-ks.cfg
- name: Truncate files
ansible.builtin.command: "truncate -s 0 {{ item }}"
loop:
- /etc/machine-id
- /etc/resolv.conf
- /var/log/audit/audit.log
- /var/log/wtmp
- /var/log/lastlog
- /var/log/btmp
- /var/log/cron
- /var/log/maillog
- /var/log/messages
- /var/log/secure
- /var/log/spooler
- name: Remove log folders.
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /var/log/anaconda
- /var/log/qemu-ga
- /var/log/tuned
- /var/lib/cloud
- /etc/hostname
- /etc/machine-info
- /var/lib/systemd/credential.secret
- name: Find log files.
ansible.builtin.find:
paths:
- /var/log
- /var/log/sssd
patterns: '*log,*.old,*.log.gz,*.[0-9],*.gz,*-????????'
register: log_files
- name: Remove log files
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
loop: "{{ log_files.files }}"
- name: Remove random-seed
ansible.builtin.file:
path: /var/lib/systemd/random-seed
state: absent
- name: Disable root SSH login via password
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/01-permitrootlogin.conf
state: absent
when: ansible_facts['distribution_major_version'] == '9'
- name: Fill free space with zeroes
ansible.builtin.shell: dd if=/dev/zero of=/zeroed_file bs=1M oflag=direct || rm -f /zeroed_file
- name: Detect swap partition
ansible.builtin.command: grep -oP '^/dev/[\w-]+' /proc/swaps
register: swaps
ignore_errors: true
- name: Wipe out swap data
block:
- name: Get swap partition UUID
ansible.builtin.command: "blkid {{ swaps.stdout }} -s UUID -o value"
register: swap_blkid
- name: Unmount swap partition
ansible.builtin.command: "swapoff {{ swaps.stdout }}"
- name: Fill swap partition with zeroes
ansible.builtin.shell: "dd if=/dev/zero of={{ swaps.stdout }} bs=1M oflag=direct || /bin/true"
- name: Format swap partition
ansible.builtin.command: "mkswap -U {{ swap_blkid.stdout }} -f {{ swaps.stdout }}"
- name: Mount swap partition
ansible.builtin.command: "swapon {{ swaps.stdout }}"
when: swaps.rc == 0
- name: Sync disc
ansible.builtin.command: sync
- name: Clear shell history
ansible.builtin.shell: history -c
- name: Check if WALinuxAgent is installed
ansible.builtin.stat:
path: /usr/sbin/waagent
register: cleanup_vm_waagent
- name: Deprovision WALinuxAgent
ansible.builtin.command: waagent -deprovision+user -force
when: cleanup_vm_waagent.stat.exists