T01: roles/swapfile — idempotent 4GB swapfile, vm.swappiness=10, fstab entry
T02: roles/resource_limits — PAM nproc caps (512/1024), systemd user-1000.slice
memory limits (1500M/512M); templated per-host via host_vars
- inventory/host_vars/CoulombCore.yml — host-specific vars for both roles
- inventory/servers.yaml — add CoulombCore with id_ops SSH key
- inventory_from_yaml.py — load host_vars files into Ansible hostvars
- playbooks/bootstrap.yaml — include swapfile + resource_limits roles
- workplans/WP-0004 — flag T04/T09/T10 needs_human, add CoulombCore-local convergence note
Codifies manual INC-002 hardening. See RAIL-HO-WP-0004-T01/T02.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
|
|
# resource_limits role — PAM nproc caps + systemd user slice memory limits
|
|
#
|
|
# Variables (set per-host in host_vars):
|
|
# resource_limit_user: username to limit (default: tegwick)
|
|
# resource_limit_uid: UID for systemd user slice (default: 1000)
|
|
# nproc_soft: soft nproc limit (default: 512)
|
|
# nproc_hard: hard nproc limit (default: 1024)
|
|
# user_memory_max: systemd MemoryMax (default: 1500M)
|
|
# user_memory_swap_max: systemd MemorySwapMax (default: 512M)
|
|
|
|
- name: Set PAM nproc limits
|
|
ansible.builtin.template:
|
|
src: nproc-limits.conf.j2
|
|
dest: /etc/security/limits.d/60-nproc-{{ resource_limit_user | default('tegwick') }}.conf
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
|
|
- name: Ensure systemd user slice override directory
|
|
ansible.builtin.file:
|
|
path: "/etc/systemd/system/user-{{ resource_limit_uid | default(1000) }}.slice.d"
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: '0755'
|
|
|
|
- name: Set systemd user slice memory limits
|
|
ansible.builtin.template:
|
|
src: user-slice-limits.conf.j2
|
|
dest: "/etc/systemd/system/user-{{ resource_limit_uid | default(1000) }}.slice.d/limits.conf"
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
notify: Reload systemd daemon
|
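Review bot: `resource_limit_user` and `resource_limit_uid` come from host_vars and are interpolated straight into filesystem paths in the three tasks (`/etc/security/limits.d/60-nproc-…conf` and `/etc/systemd/system/user-….slice.d`) with no check on their form, so a mistyped or malformed value (a slash, `..`, a non-numeric UID) would write the override to an unexpected location or target the wrong account; an `ansible.builtin.assert` at the top of the file would fail fast instead. The `| default('tegwick')` / `| default(1000)` fallbacks are also repeated in each task, which is fragile if one copy is later edited; the role's `defaults/main.yml` is the conventional single place for them, and the header comment already documents them as defaults. As a point of style, the first task's `dest:` is unquoted while the other two are double-quoted — quote it the same way for consistency. The tasks list may continue past the last line shown here.
```yaml
- name: Validate resource_limits variables before they are used in paths
  ansible.builtin.assert:
    that:
      - (resource_limit_user | default('tegwick')) is match('^[a-z_][a-z0-9_-]*$')
      - (resource_limit_uid | default(1000)) | int > 0
    fail_msg: "resource_limit_user must be a plain username and resource_limit_uid a positive integer"

# … unchanged: Set PAM nproc limits, slice directory, slice memory limits …
```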