configure_rhel.yml

---
- name: Configure RHEL
  hosts: all
  become: true
  gather_facts: false
  collections:
    - myllynen.rhel_ansible_roles
  vars:
    #
    # accounts_local
    #
    # List of local users to delete
    # NB. Will remove users' home dirs
    accounts_local_users_delete:
    #  - testuser

    # List of local groups to delete
    accounts_local_groups_delete:
    #  - testgroup

    # List of local groups to create
    # Mandatory parameters: name, gid
    accounts_local_groups_create:
    #  - name: testgroup
    #    gid: 12345

    # List of local users to create
    # Mandatory parameters: name, uid
    accounts_local_users_create:
    #  - name: testuser
    #    # This should come from vault
    #    # Should be encrypted, see below
    #    password: ...
    #    uid: 12345
    #    group: testgroup
    #    comment: Test User
    #    create_home: true
    #    home: /home/testuser
    #    shell: /bin/bash
    #    expires: -1
    #    password_expire_min: 7
    #    password_expire_max: 365
    #    #password_expire_warn: 14
    #    # Allow or not unlimited sudo for user, this
    #    # creates or removes /etc/sudoers.d/username
    #    sudo_allow_all: false
    #    # Require password or not for the above
    #    sudo_passwordless: false
    #    authorized_keys:
    #      - ssh-ed25519 ... user@cloud
    #    authorized_keys_exclusive: false

    # Use true if providing crypted values,
    # false to encrypt cleartext passwords.
    accounts_local_password_encrypted: true
    # Seed for password_hash salt value
    accounts_local_password_salt_seed: "{{ inventory_hostname }}"

    # Value for no_log parameter when setting passwords
    # Recommended to use true and provide encrypted pws
    accounts_local_no_log: true

    # List of supplementary groups for users
    # Mandatory parameters: name, groups, append
    # Set append to false to make groups explicit
    accounts_local_users_groups:
    #  - name: testuser
    #    groups:
    #      - tcpdump
    #      - wheel
    #    append: false

    #
    # accounts_policy
    #
    # Accounts, login, password, PAM policies and profiles
    # All parameters are optional, unset are left untouched


    # New user defaults file useradd template
    # Role provided alternatives:
    # * useradd_cis.j2         - CIS Level 2 - Server compliant config
    # * useradd_rhel.j2        - RHEL default config
    useradd_defaults_file:

    # Shadow configuration file login.defs template
    # Role provided alternatives:
    # * login.defs_cis.j2      - CIS Level 2 - Server compliant config
    # * login.defs_rhel.j2     - RHEL default config
    login_defs_config_file:

    # PAM login access control file access.conf template
    # Role provided alternatives:
    # * access.conf_rhel.j2    - RHEL default config (empty table)
    login_access_config_file:

    # PAM faillock configuration file faillock.conf template
    # Role provided alternatives:
    # * faillock_cis.conf      - CIS Level 2 - Server compliant config
    # * faillock_rhel.conf     - RHEL default config
    faillock_config_file:

    # PAM password history config file pwhistory.conf template
    # NB. This is currently not compatible with oscap(8)
    # Role provided alternatives:
    # * pwhistory.conf_cis.j2  - CIS Level 2 - Server compliant config
    # * pwhistory.conf_rhel.j2 - RHEL default config
    pwhistory_config_file:

    # PAM password quality config file pwquality.conf template
    # Role provided alternatives:
    # * pwquality.conf_cis.j2  - CIS Level 2 - Server compliant config
    # * pwquality.conf_rhel.j2 - RHEL default config
    pwquality_config_file:


    # Resource limits configuration for users
    # These will be configured in /etc/security/limits.d/95-ansible.conf
    # All of the following are required for each entry:
    #   domain type item value
    # If user_resource_limits is undefined will do nothing.
    # See the limits.conf(5) manual page for details.
    #user_resource_limits:
    #  - domain: "@student"
    #    type: "-"
    #    item: maxlogins
    #    value: 4


    # Either use a system provided profile (e.g., "minimal")
    # or copy and use a custom one. A custom profile must be
    # named as "custom/name". E.g., use "/srv/custom/strict"
    # to copy the profile custom/strict from local path /srv
    # Role provided alternatives:
    # * custom/cis  -  CIS Level 2 - Server compliant profile
    #                  incl. optional support for Centrify.
    system_auth_profile:

    # Profile parameters string for "authselect select" command
    # See the "authselect show 'profile'" output for details
    # E.g., with "minimal" use without-nullok with-pamaccess
    # With "custom/cis" the following parameters can be used:
    #   with-centrify with-mkhomedir with-pamaccess with-systemd
    system_auth_profile_parameters:

    # Optional PAM su configuration file template
    # Role provides CIS-compliant pam_d_su.j2 which enables
    # Centrify support automatically if using with-centrify
    system_auth_pam_d_su_file:

    #
    # aide_setup
    #
    # aide config file to copy, if defined
    aide_setup_config_file:

    # Initialize aide database if not present
    aide_setup_initialize_database: true

    # Enable daily aide check using cron
    aide_setup_cron_setup: true

    #
    # audit_setup
    #
    # Optional auditd config file to copy
    # Role provided alternatives:
    # * auditd_cis.conf   - CIS Level 2 - Server compliant config
    # * auditd_rhel.conf  - RHEL default config
    audit_setup_config_file:

    # Optional audit rules file to copy
    audit_setup_rules_file:

    # Action with locked rules if rules changed
    # Allowed values: fail, ignore, reboot
    audit_setup_update_lock: fail

    # Remove unrecognized audit rules files
    audit_setup_exclusive: false

    # List of recognized audit rules files
    # in addition to the role created zz-ansible.rules
    # Other files in /etc/audit/rules.d will be removed
    # NB. Ensure these files contain expected parameters!
    # NB. This list must be updated for use with OpenSCAP!
    audit_setup_files_known:
      - /etc/audit/rules.d/audit.rules

    #
    # boot_parameters
    #
    boot_parameters_enable:
      - quiet

    boot_parameters_disable:
      - debug
      #- no_timer_check
      #- rd.lvm.lv
      #- resume
      - rhgb

    boot_parameters_timeout: 1

    # Protect boot parameters with password
    # NB. For the time being this should be
    # PBKDF2 hash to allow idempotency, use
    # grub2-mkpasswd-pbkdf2(3) to create one
    # Boot loader username is always 'root'
    # This should come from vault. If unset
    # current configuration is not touched,
    # setting to empty will remove password
    #boot_parameters_password:

    # Reboot system after parameter changes
    boot_parameters_reboot: true

    #
    # certificates
    #
    # See update-ca-trust(8) for descriptions of
    # different source formats and subdirectories

    # List of certificate files to be copied
    # to /etc/pki/ca-trust/source/anchors/
    certificates_files_anchors:
    #  - local-ca-bundle.pem

    # List of certificate files to be copied
    # to /etc/pki/ca-trust/source/blocklist/
    # (or blacklist on older RHEL versions)
    certificates_files_blocklist:
    #  - local-blocklist.pem

    # List of certificate files to be copied
    # to /etc/pki/ca-trust/source/
    certificates_files_ext_format:
    #  - local-trusts.pem

    # Remove unrecognized certificate files
    # This will remove all files from the above
    # directories except for the ones listed in
    # the configurations above and below - this
    # should be done only after careful testing
    certificates_exclusive: false

    # List of additionally recognized cert files
    # NB. Ensure these files are trustworthy!
    certificates_files_known:
    #  - /etc/pki/ca-trust/source/anchors/old.pem

    #
    # dns_cache
    #
    # Enable or disable DNS cache
    dns_cache_enable: true

    # DNS caching component (dnsmasq recommended)
    # Allowed values: dnsmasq, nscd, systemd-resolved
    # See https://access.redhat.com/solutions/2189381
    dns_cache_component: dnsmasq

    # Minimum cache/local/negative TTL value for dnsmasq
    # to use in case none is provided in upstream reply
    dns_cache_dnsmasq_ttl: 10

    # Optional value for dnsmasq 'local' config option
    dns_cache_dnsmasq_local_domain:

    # NetworkManager dnsmasq configuration template
    # to use instead of the role provided default one
    dns_cache_nm_dnsmasq_config_file:

    #
    # domain_ad
    #
    # Allowed actions: join, leave
    domain_ad_action: join
    domain_ad_domain:

    # These should come from vault
    #domain_ad_admin_username:
    #domain_ad_admin_password:

    # Set these to false if AD computer objects are
    # created and deleted separately, without adcli
    domain_ad_join_computer_create: true
    domain_ad_leave_computer_delete: true
    # Remove cached users and secrets when leaving
    domain_ad_leave_sssd_cache_delete: true

    domain_ad_allow_groups:
    #  - GROUP@example.com

    # Enable or disable running authconfig/authselect
    # If false then setup by this role is not complete
    domain_ad_auth_config_update: true

    # Extra parameters for "authselect select" command
    # See the "authselect show sssd" output for details
    domain_ad_auth_select_parameters: without-nullok with-pamaccess with-mkhomedir

    # krb5.conf and sssd.conf template files to use
    # if not using the role provided default files
    domain_ad_krb5_config_file:
    domain_ad_sssd_config_file:

    #
    # etc_hosts
    #
    # /etc/hosts header to always apply (subject to etc_hosts_omit_entries)
    # This default header matches the most recent Fedora/upstream headers
    etc_hosts_header: |
      # Loopback entries; do not change.
      # For historical reasons, localhost precedes localhost.localdomain:
      127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
      ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

    # Add entry for host itself based on Ansible facts
    # This should be disabled when not using static IP
    etc_hosts_self_add: true

    # Force domain name used in host self entry
    # If unset defaults to ansible_facts.domain
    # Required if ansible_facts.domain is empty
    etc_hosts_self_domain:

    # List of lines to add to /etc/hosts
    # NB. Other entries will be removed
    etc_hosts_entries:
    #  - 192.168.122.1    gateway.example.com gateway
    #  - 192.168.122.150  bastion.example.com bastion

    # /etc/hosts entries to omit
    # none - do not omit entries
    # ipv4 - omit all IPv4 entries
    # ipv6 - omit all IPv6 entries
    etc_hosts_omit_entries: none

    #
    # fapolicyd_setup
    #
    # Enable or not the service after configuration
    # to allow testing and verification before use.
    fapolicyd_setup_enable_service: false

    # fapolicyd config file to copy
    # Role provided alternatives:
    # * fapolicyd.conf  - RHEL default config file
    fapolicyd_setup_config_file:

    # fapolicyd rules file to copy
    fapolicyd_setup_rules_file:

    # fapolicyd trust file to copy
    # Role provided alternatives:
    # * fapolicyd.trust - RHEL default trust file
    fapolicyd_setup_trust_file:

    # fapolicyd RPM filter file to copy
    # Role provided alternatives:
    # * rpm-filter.conf - RHEL default trust file
    fapolicyd_setup_rpm_filter_file:

    # Remove unrecognized rules and trust files
    fapolicyd_setup_exclusive: false

    # List of recognized rules and trust files
    # in addition to the role created ones
    # (zz-ansible.rules and zz-ansible.trust)
    # Other files in rules.d and trust.d will
    # be removed meaning this MUST be tested!
    # NB. Ensure these files are trustworthy!
    fapolicyd_setup_files_known:
    #  - /etc/fapolicyd/rules.d/50-os.rules
    #  - /etc/fapolicyd/trust.d/50-os.trust

    #
    # files_{copy,create,fetch,get,remove} - omitted here for brevity
    #

    #
    # fips_setup
    #
    # NB! It is best to enable FIPS mode during OS
    # installation in order to ensure all keys are
    # being generated with FIPS-compliant algorithms.

    # Enable & check or not FIPS mode
    # Disabling FIPS mode is unsupported
    fips_setup_enable: false

    #
    # firewall
    #
    # This role provides only very basic firewall setup
    # Use system_roles.firewall for more complete setups

    # Enable or disable firewall
    # Set to null to leave untouched
    firewall_enable: null

    # Firewall default zone to set and configure
    firewall_default_zone: public

    # List of ports to open
    firewall_open_ports:
    #  - 321/udp

    # List of services to open
    firewall_open_services:
    #  - samba

    # Close unconfigured ports and services
    # The ssh service will not be closed by
    # this role regardless of configuration
    firewall_close_unconfigured: false

    #
    # guest_agent
    #
    # Install or remove server VM guest agents
    # This role will detect and enable correct
    # agent and remove other agents if present
    # Will uninstall all agents if set to false
    # NB. Only agents from RHEL repositories
    #     are considered for un/installation
    #     Currently recognized platforms are:
    #       - Azure
    #       - KVM/Qemu
    #       - VMware
    guest_agent_enable: true

    # Remove unneeded firmware packages on VMs
    # VMs with device passthrough may need these
    guest_agent_remove_firmware: true

    #
    # insights_client
    #
    # Register or unregister the system with Red Hat Insights
    # See https://access.redhat.com/products/red-hat-insights
    insights_client_register: true

    # Optional tag/value pairs to apply for the system
    insights_client_tags:
    #  group: prod
    #  security: strict
    #  network_performance: latency

    # Enable remote host configuration (rhc)
    # See https://access.redhat.com/articles/rhc
    insights_client_rhc_enable: true

    # Install OpenSCAP packages to allow compliance scanning
    # See https://access.redhat.com/articles/4602981
    insights_client_scap_enable: true

    # Proxy server to use with insights-client
    insights_client_proxy_server:

    #
    # ipv6_setup
    #
    # Enable or disable IPv6 using sysctl settings
    # Boot parameter to disable IPv6 will be removed
    # See https://access.redhat.com/solutions/8709
    ipv6_setup_enable: true

    # Some applications (e.g., Samba) require IPv6 stack
    # to be enabled to function but need no IPv6 routing
    # This option keeps IPv6 on for the loopback device
    # This option has effect only when disabling IPv6
    ipv6_setup_loopback_persist: false

    # Set to true to configure NetworkManager/IPv6 with this role
    # When using system_roles.network to configure NM set to false
    ipv6_setup_configure_nm: true

    #
    # motd_issue
    #
    # motd template to use
    motd_template:

    # issue template to use
    issue_template:

    #
    # multipath_setup
    #
    # Multipath config file to copy
    multipath_setup_config_file:

    # Reboot system after changes
    # Config file will be reloaded if no reboot
    multipath_setup_reboot: true

    #
    # packages_install - default list omitted here for brevity
    #
    #packages_install:
    #  -

    # Enable or disable dnf module 'install_weak_deps' parameter
    packages_install_weak_deps: true

    # Display results on output
    packages_install_display_results: false

    #
    # packages_remove - default list omitted here for brevity
    #
    #packages_remove:
    #  -

    # Remove all "leaf" packages no longer required,
    # see dnf module autoremove parameter description
    packages_remove_autoremove: false

    # Display results on output
    packages_remove_display_results: false

    #
    # performance_tuning
    #
    tuned_profile: "{{ 'virtual-guest' if ansible_facts.virtualization_role == 'guest' else 'throughput-performance' }}"

    #
    # repository_setup - config omitted here for brevity
    #

    #
    # rescue_image
    #
    # Enable or disable rescue image
    # NB. Rescue images will be created on next kernel install
    rescue_image_enable: false

    #
    # resolver_configuration
    #
    # Method for configuring resolver, /etc/resolv.conf
    # nm - configure resolver with NetworkManager
    #      global options overriding connection
    #      profile file configuration options
    # direct - prevent NM updating resolver and update
    #          the /etc/resolv.conf file directly
    # remove - remove NM configurations by this role,
    #          leave /etc/resolv.conf untouched
    # nothing - do nothing
    resolver_configuration_method: nothing

    # At least one nameserver must be specified
    resolver_nameservers:
      - 1.1.1.1
      - 8.8.8.8

    resolver_search_domains:
    #  - corp.local
    #  - example.com

    resolver_options:
    #  - edns0
    #  - rotate
    #  - no-aaaa
    #  - trust-ad
    #  - timeout:1
    #  - attempts:1

    #
    # root_password
    #
    # Use true if providing crypted value,
    # false to encrypt cleartext password.
    root_password_encrypted: true

    # Seed for password_hash salt value
    root_password_salt_seed: "{{ inventory_hostname }}"

    # This should come from vault
    #root_password:

    #
    # scap_compliance
    #
    # RHEL provided OpenSCAP security profile
    # to apply and / or check for compliance.
    # Profile will be applied using oscap(8).
    # Switching from one security profile to
    # another may not work and is unsupported
    scap_compliance_profile: cis

    # Optional custom tailoring template to use
    # Needs scap_compliance_tailoring_file_path
    # This is copied from controller to remote
    scap_compliance_tailoring_file_template:

    # Optional remote tailoring file to use
    # This is tailoring file path on remote
    scap_compliance_tailoring_file_path:

    # State of OpenSCAP packages on the target
    # Allowed states: present, latest
    scap_compliance_package_state: present

    # Where to store oscap tool execution results
    # NB. Only the most recent results are stored
    scap_compliance_report_dir: /root/oscap/results

    # Remediate compliance issues
    # Warning: Reverting changes is not supported
    scap_compliance_remediate: false

    # Reboot system if remediation changed anything
    scap_compliance_remediate_reboot: true

    # Display complete results of compliance check
    # Failed check items will always be displayed
    scap_compliance_check_result_show_all: false

    # Allow role complete even if compliance check fails
    scap_compliance_check_fail_role_pass: false

    #
    # security_hardening
    #
    # Verify Secure Boot
    # Fails if UEFI Secure Boot is not enabled
    secure_boot_verify: false

    # One of: disabled, integrity, confidentiality
    # NB. Enabling lockdown will prevent using kdump
    # NB. Supported RHEL versions: RHEL 9+
    kernel_lockdown: disabled

    # SELinux state
    selinux: enforcing

    # System-wide crypto policy
    crypto_policy: DEFAULT

    # Enable or disable SCP protocol (not scp(1))
    # NB. Supported RHEL versions: RHEL 9 only
    scp_protocol_disable: false

    #
    # service_state
    #
    # List of services/units to mask
    service_state_mask:
    #  - dnf-makecache.timer

    # List of services/units to unmask
    service_state_unmask:
    #  - httpd.service

    # List of services/units to disable and stop
    service_state_disable:
    #  - mlocate-updatedb.timer
    #  - nfs-client.target
    #  - rpcbind.service
    #  - rpcbind.socket

    # List of services/units to enable and start
    service_state_enable:
    #  - irqbalance.service

    # Skip missing services/units instead of
    # failing when trying to enable/start them
    service_state_skip_missing: false

    #
    # shell_profile
    #
    # Shell profile template to use
    shell_profile_file:

    #
    # splunk_forwarder
    #
    splunk_deployment_server:
    splunk_deployment_server_port: 8089
    splunk_deployment_server_check: true

    # Local 'splunk' user UID to use. A local user
    # will be created if no local/remote user exists
    splunk_user_uid: 4445
    # This should come from vault
    #splunk_user_password_hash:

    splunk_phonehome_secs: 600

    # Allowed states: present, latest
    splunk_forwarder_package_state: present

    # Deployment and user configuration templates
    # to use if not using the role provided defaults
    splunk_deployment_config_file:
    splunk_user_config_file:

    #
    # sshd_configuration
    #
    # These options will be enabled/updated in config
    # In case /etc/ssh/sshd_config.d is present these
    # will be exclusively configured in 0-ansible.conf
    # ListenAddress and Match supported only >= RHEL 9
    sshd_options:
      #AddressFamily: inet
      #ListenAddress:
      #  - 10.0.0.1
      #  - 10.0.0.2
      #Match User backup:
      #  - PermitTTY no
      #  - X11Forwarding no
      #PermitRootLogin: prohibit-password
      #X11Forwarding: 'no'

    # These options will be commented out from all
    # sshd configuration files found on the target
    sshd_options_disable:
    #  - Protocol

    # Optional file to copy as /etc/sysconfig/sshd
    # NB. This is supported on RHEL 9 and newer only
    sshd_sysconfig_file:

    # Reset sshd configuration to RHEL RPM defaults
    # NB. This is supported only for RHEL 9+ and may
    # cause idempotency issues with option disabling,
    # this only resets RPM provided files, not others
    # Consider using the file_copy role on older RHEL
    # Default files used by this role from: RHEL 9.3
    sshd_configuration_config_reset: false

    # Remove unrecognized sshd configuration files
    # On systems without sshd_config.d does nothing
    sshd_configuration_exclusive: false

    # List of recognized sshd configuration files
    # in addition to the role created 0-ansible.conf
    # Other files in sshd_config.d will be removed
    # NB. Ensure these files contain expected parameters!
    sshd_configuration_files_known:
      - /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
      - /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      - /etc/ssh/sshd_config.d/01-permitrootlogin.conf
      - /etc/ssh/sshd_config.d/50-redhat.conf

    #
    # swap_setup
    #
    # NB. This is a (hopefully) temporary helper role to
    # setup swap on VMs created by RHEL Image Builder with
    # no swap partition, see this issue for current status:
    # https://issues.redhat.com/browse/RHEL-4636

    # Existing VG where to create LV for swap
    # If this is unset then role does nothing
    # Image Builder uses by default VG rootvg
    swap_setup_vg_name:

    # LV for swap name
    swap_setup_lv_name: swap

    # LV for swap size
    swap_setup_lv_size: 2G

    # Enable swap after LV/fstab configuration
    swap_setup_enable_swap: true

    #
    # system_coredump
    #
    # Enable or disable system-wide coredumps
    system_coredump_enable: false

    #
    # system_hostname
    #
    # System hostname to be configured in /etc/hostname
    #
    # Should be short name (not FQDN) when using DHCP,
    # FQDN might be better option when using static IP
    # but some software will require using short names
    # Note that maximum allowed length is 63 characters
    system_hostname: "{{ ansible_facts.fqdn | lower }}"

    #
    # system_init
    #
    # Perform minor cleanups after system
    # initial installation. See the tasks
    # for details. Using this role is by
    # no means mandatory or required.

    # Actions to take after initialization
    # reboot - reboot after initialization
    # syslog - write message to system log
    # NB. 'localhost' will not be rebooted
    system_init_final_actions:
      - reboot
      - syslog

    #
    # system_keyboard
    #
    system_keyboard: us
    system_font: eurlatgr

    #
    # system_locale
    #
    # Available locale choices:
    # C.UTF-8 - properly supported on RHEL 9+
    # en_US.UTF-8 - supported on all RHEL versions
    # auto - use C.UTF-8 if RHEL 9+ else en_US.UTF-8
    system_locale: auto

    # Reboot system after changes
    system_locale_reboot: true

    #
    # system_reboot
    #
    # Reboot policy
    # never - never reboot
    # when_needed - reboot if needs-restarting says so
    # always - always reboot
    system_reboot_policy: when_needed

    #
    # system_unregister
    #
    # This role unconditionally unregisters a RHEL system from
    # both Red Hat Insights and Red Hat Subscription Management

    #
    # system_update
    #
    # Reboot policy after applying updates
    # never - never reboot even if updates would require reboot
    # when_needed - reboot only when needed (using needs-restarting)
    # when_updated - reboot if updates were installed
    # always - always reboot even if no updates were installed
    system_update_reboot_policy: when_needed

    # Display list of updated packages on output
    system_update_display_updates: false

    # Send an email report of updated packages
    system_update_email_report: false

    # Parameters for the community.general.mail module
    # Subject, reply, and to are mandatory, rest optional
    system_update_email_parameters:
      #host: localhost
      #port: 25
      #secure: try
      #timeout: 20

      #ehlohost:
      #username:
      #password:

      charset: us-ascii
      #headers:
      #subtype:
      subject: "[INFO] System Update"
      sender: no-reply@localhost
      to: root@localhost
      #cc:
      #bcc:

    # Attach PDF version of the report to the email
    # PDFs will be generated on the control host using
    # utilities from enscript and ghostscript packages
    # and those packages must be installed separately.
    system_update_report_pdf: false

    # Local directory to use for generating PDF files
    system_update_report_pdf_dir: /tmp/.ansible.pdf

    # Preamble text to include in all generated PDFs
    # <HOST> will be replaced with inventory hostname
    # <OSREL> will be replaced with OS release name
    # <DATE> will be replaced with patching date/time
    # <REBOOT> will be indicate reboot, true or false
    system_update_report_pdf_preamble: "
      System Update Report\n\n\n
      Server: <HOST>\n
      Patch date: <DATE>\n
      OS version: <OSREL>\n
      Server rebooted: <REBOOT>\n\n\n
      The following packages were updated:\n"

    #
    # system_update_report_pre
    #
    # Display list of pending updates on output
    system_update_report_pre_display_updates: false

    # Send an email report of pending updates
    system_update_report_pre_email_report: false

    # Parameters for the community.general.mail module
    # Subject, reply, and to are mandatory, rest optional
    system_update_report_pre_email_parameters:
      #host: localhost
      #port: 25
      #secure: try
      #timeout: 20

      #ehlohost:
      #username:
      #password:

      charset: us-ascii
      #headers:
      #subtype:
      subject: "[INFO] Upcoming System Update"
      sender: no-reply@localhost
      to: root@localhost
      #cc:
      #bcc:

    # Attach PDF version of the report to the email
    # PDFs will be generated on the control host using
    # utilities from enscript and ghostscript packages
    # and those packages must be installed separately.
    system_update_report_pre_pdf: false

    # Directory used to generate PDF files
    system_update_report_pre_pdf_dir: /tmp/.ansible.pdf

    # Preamble text to include in all generated PDFs
    # <HOST> will be replaced with inventory hostname
    # <OSREL> will be replaced with OS release name
    system_update_report_pre_pdf_preamble: "
      Upcoming System Update Report\n\n\n
      Server: <HOST>\n
      OS version: <OSREL>\n\n\n
      The following package updates will be installed:\n"

    #
    # timesync
    #
    # This role is a wrapper for redhat.rhel_system_roles.timesync
    # that takes a list of NTP servers as input and after running
    # the system role flushes handlers to update time immediately
    # See the system role documentation for details of the config
    timesync_ntp_servers:
      - hostname: 0.rhel.pool.ntp.org
        iburst: true
      - hostname: 1.rhel.pool.ntp.org
        iburst: true
      - hostname: 2.rhel.pool.ntp.org
        iburst: true
      - hostname: 3.rhel.pool.ntp.org
        iburst: true
      - hostname: time.cloudflare.com
        iburst: true

    #
    # timezone
    #
    timezone: UTC

    #
    # troubleshooting_tools - default list omitted here for brevity
    #
    # Install a set of commonly used troubleshooting tools
    #troubleshooting_tools:
    #  -

    # Enable PCP performance metrics as needed
    troubleshooting_tools_enable_perf_metrics: true

    #
    # usbguard_setup
    #
    # To completely disable the USB subsystem
    # use the usbcore.nousb boot parameter,
    # also see usbcore.authorized_default.

    # Policy to apply to USB devices
    # reject - block and reject all devices
    # custom - custom configuration, see below
    # allow  - disable USBGuard and allow all USB devices
    usbguard_setup_policy: reject

    # Custom USBGuard configuration file
    # Role provided alternatives:
    # * usbguard-daemon_rhel.conf  - RHEL default config
    usbguard_setup_config_file:

    # Custom USBGuard rules file template to use
    usbguard_setup_rules_file:

    # Custom USBGuard IPC access control template to use
    usbguard_setup_ipc_access_file:

    # Remove unrecognized rules and IPC access control files
    usbguard_setup_exclusive: false

    # List of recognized rules and IPC files
    # in addition to the role created ones
    # Other such config files will be removed
    # NB. Ensure these files are trustworthy!
    usbguard_setup_files_known:
    #  - /etc/usbguard/rules.d/50-os.conf

    #
    # watchdog
    #
    watchdog_enable: true

    # Configure systemd watchdog options,
    # see systemd-system.conf(5) for info
    watchdog_runtime_sec: '60s'
    watchdog_reboot_sec: #'10min'
    watchdog_kexec_sec: #'off'
    watchdog_device: #/dev/watchdog0

  roles:
    #- system_hostname
    #- swap_setup
    - ipv6_setup
    - etc_hosts
    #- redhat.rhel_system_roles.rhc
    #- repository_setup
    - guest_agent
    #- redhat.rhel_system_roles.network
    #- dns_cache
    - resolver_configuration
    #- timezone
    - timesync
    - packages_remove
    - boot_parameters
    #- system_keyboard
    - system_locale
    - audit_setup
    #- { role: multipath_setup, when: ansible_facts.virtualization_role != 'guest' }
    #- redhat.rhel_system_roles.kernel_settings
    #- redhat.rhel_system_roles.storage
    #- redhat.rhel_system_roles.kdump
    #- system_update_report_pre
    #- system_update
    #- aide_setup
    #- accounts_policy
    #- accounts_local
    - certificates
    #- { role: domain_ad, when: domain_ad_admin_username is defined }
    #- { role: ipaclient, state: present, when: ipaclient_domain is defined }
    ##- ima_evm_setup
    #- fapolicyd_setup
    #- fips_setup
    - firewall
    #- redhat.rhel_system_roles.firewall
    - watchdog
    #- motd_issue
    - packages_install
    - performance_tuning
    #- rescue_image
    - root_password
    - security_hardening
    - service_state
    #- shell_profile
    - sshd_configuration
    #- community.general.ssh_config
    #- redhat.rhel_system_roles.ssh
    #- redhat.rhel_system_roles.sshd
    #- troubleshooting_tools
    #- usbguard_setup
    #- redhat.rhel_system_roles.cockpit
    #- redhat.rhel_system_roles.logging
    #- redhat.rhel_system_roles.metrics
    #- { role: splunk_forwarder, when: splunk_user_password_hash is defined }
    #- system_coredump
    #- scap_compliance
    #- insights_client
    - system_init