authorGuilhem Moulin <guilhem@fripost.org>2014-07-14 03:41:06 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:53:10 +0200
commitb715d884782d2d49ec499d3f8fda20e5a7f973cb (patch)
tree5c61194bd26204d22702109ceeb28eee4c9cd973
parent3a5a4b57c83d9a6b06807315fd2de33852e23257 (diff)
Don't install intel-microcode on Xen guests.
It should be installed on the dom0 instead.
-rw-r--r--roles/common/tasks/main.yml7
-rw-r--r--roles/common/templates/etc/apt/preferences.j23
-rw-r--r--roles/common/templates/etc/apt/sources.list.j24
3 files changed, 9 insertions, 5 deletions
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index c98af99..caecf9a 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,38 +1,41 @@
---
- include: sysctl.yml tags=sysctl
- include: hosts.yml
- include: apt.yml tags=apt
+- name: Install intel-microcode
+ apt: pkg=intel-microcode
+ when: "ansible_processor[0] | search('^Intel.*') and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')"
+ tags: intel
- include: firewall.yml tags=firewall,iptables
- include: samhain.yml tags=samhain
- include: auditd.yml tags=auditd
- include: rkhunter.yml tags=rkhunter
- include: clamav.yml tags=clamav
- include: fail2ban.yml tags=fail2ban
- include: smart.yml tags=smartmontools,smart
when: "not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')"
- include: haveged.yml tags=haveged,entropy
- name: Copy genkeypair.sh
copy: src=usr/local/bin/genkeypair.sh
dest=/usr/local/bin/genkeypair.sh
owner=root group=root
mode=0755
- tags:
- - genkey
+ tags: genkey
- include: logging.yml tags=logging
- include: ntp.yml tags=ntp
- include: mail.yml tags=mail,postfix
- name: Install common packages
apt: pkg={{ item }}
with_items:
- ca-certificates
- etckeeper
- ethtool
- git
- harden-clients
- harden-servers
- htop
- molly-guard
- rsync
- screen
- telnet-ssl
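Review bot: The `when:` on the new "Install intel-microcode" task excludes only Xen guests, so a host that Ansible reports as `ansible_virtualization_role == 'guest'` under any other hypervisor still gets the package even though, by the commit's own reasoning, microcode has to be applied by the host kernel rather than the guest; unless there is a reason to keep those, `not ansible_virtualization_role == 'guest'` states the intent more directly and is shorter. The same expression is now repeated verbatim in this task and in both apt templates, so the component enabled in sources.list, the pin whitelist and the package install can silently drift apart the next time one of them is edited; computing it once, e.g. with a `set_fact` task just before the `apt` call such as `want_intel_microcode: "{{ ansible_processor[0] | search('^Intel.*') and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') }}"`, and referencing that fact from all three places would keep them in lock step. A one-line comment above the task saying why guests are skipped (`# microcode is loaded by the host kernel; on Xen install it on the dom0`) would also save the next reader a trip to the commit log.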
diff --git a/roles/common/templates/etc/apt/preferences.j2 b/roles/common/templates/etc/apt/preferences.j2
index a3a7595..2821f6d 100644
--- a/roles/common/templates/etc/apt/preferences.j2
+++ b/roles/common/templates/etc/apt/preferences.j2
@@ -2,35 +2,36 @@
# Do NOT edit this file directly!
# Install updates as soon as they're available
Package: *
Pin: release a={{ ansible_lsb.codename }}-updates
Pin-Priority: 990
{% if 'backports' in group_names -%}
# Automatically packages from backports (those manually installed)
Package: *
Pin: release a={{ ansible_lsb.codename }}-backports
Pin-Priority: 200
{% endif %}
{% if 'non-free' in group_names -%}
# Automatically upgrade non-free firmwares (when manually installed)
Package: firmware-linux-nonfree
Pin-Priority: 200
{% endif %}
-{% if ansible_processor[0] | search("^Intel.*") -%}
+{% if ansible_processor[0] | search('^Intel.*') and
+ not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') -%}
# Automatically upgrade the microcode (when manually installed)
Package: intel-microcode iucode-tool
Pin-Priority: 200
{% endif %}
# Never, ever install things from contrib or non-free unless they have been
# whitelisted above
Package: *
Pin: release c=contrib
Pin-Priority: -1
Package: *
Pin: release c=non-free
Pin-Priority: -1
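Review bot: The whitelist record for `intel-microcode iucode-tool` has a `Package:` and a `Pin-Priority:` but, as shown here, no `Pin:` line; if that is really how the file reads and not a line lost in rendering, apt does not honour a record without a Pin field, the `Package: *` priority -1 pins for `c=contrib` and `c=non-free` below then still apply to both packages, and the task that installs intel-microcode on Intel non-guests would find no installation candidate. A `Pin: release o=Debian` line in that stanza would make the whitelist effective and still let the package-specific pin override the general -1 pins; note that iucode-tool is in contrib while intel-microcode is in non-free, so a single-component pin such as `c=non-free` would cover only one of the two. The `firmware-linux-nonfree` stanza above has the same shape and is worth checking at the same time.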
diff --git a/roles/common/templates/etc/apt/sources.list.j2 b/roles/common/templates/etc/apt/sources.list.j2
index b6d0a64..ee4f20d 100644
--- a/roles/common/templates/etc/apt/sources.list.j2
+++ b/roles/common/templates/etc/apt/sources.list.j2
@@ -1,13 +1,13 @@
# {{ ansible_managed }}
# Do NOT edit this file directly!
# vim: set filetype=debsources :
-deb http://ftp.se.debian.org/debian/ {{ ansible_lsb.codename }} main{% if 'non-free' in group_names or ansible_processor[0] | search("^Intel.*") %} contrib non-free{% endif %}
+deb http://ftp.se.debian.org/debian/ {{ ansible_lsb.codename }} main{% if 'non-free' in group_names or (ansible_processor[0] | search("^Intel.*") and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')) %} contrib non-free{% endif %}
-deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main{% if 'non-free' in group_names or ansible_processor[0] | search("^Intel.*") %} contrib non-free{% endif %}
+deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main{% if 'non-free' in group_names or (ansible_processor[0] | search("^Intel.*") and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')) %} contrib non-free{% endif %}
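Review bot: The `{{ ansible_lsb.codename }}-updates` line right after this hunk's changed lines stays `main` only, while the base and security lines now gain `contrib non-free` for Intel non-guests; if an intel-microcode revision is ever published through stable-updates rather than the security archive, such a host will not see it, so either add the same suffix there or leave a comment stating that the omission is deliberate. The guard is also some 150 characters long and written out twice, which is exactly how the two lines end up disagreeing later; evaluating it once at the top of the template with `{% set nonfree = 'non-free' in group_names or (ansible_processor[0] | search("^Intel.*") and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')) %}` and using `{% if nonfree %} contrib non-free{% endif %}` on each line would be easier to read and to keep consistent.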
deb http://ftp.se.debian.org/debian/ {{ ansible_lsb.codename }}-updates main
{% if 'backports' in group_names -%}
deb http://ftp.debian.org/debian/ {{ ansible_lsb.codename }}-backports main
{% endif %}