summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--roles/common/tasks/main.yml7
-rw-r--r--roles/common/templates/etc/apt/preferences.j23
-rw-r--r--roles/common/templates/etc/apt/sources.list.j24
3 files changed, 9 insertions, 5 deletions
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index c98af99..caecf9a 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -2,6 +2,10 @@
- include: sysctl.yml tags=sysctl
- include: hosts.yml
- include: apt.yml tags=apt
+- name: Install intel-microcode
+ apt: pkg=intel-microcode
+ when: "ansible_processor[0] | search('^Intel.*') and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')"
+ tags: intel
- include: firewall.yml tags=firewall,iptables
- include: samhain.yml tags=samhain
- include: auditd.yml tags=auditd
@@ -16,8 +20,7 @@
dest=/usr/local/bin/genkeypair.sh
owner=root group=root
mode=0755
- tags:
- - genkey
+ tags: genkey
- include: logging.yml tags=logging
- include: ntp.yml tags=ntp
- include: mail.yml tags=mail,postfix
diff --git a/roles/common/templates/etc/apt/preferences.j2 b/roles/common/templates/etc/apt/preferences.j2
index a3a7595..2821f6d 100644
--- a/roles/common/templates/etc/apt/preferences.j2
+++ b/roles/common/templates/etc/apt/preferences.j2
@@ -19,7 +19,8 @@ Package: firmware-linux-nonfree
Pin-Priority: 200
{% endif %}
-{% if ansible_processor[0] | search("^Intel.*") -%}
+{% if ansible_processor[0] | search('^Intel.*') and
+ not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') -%}
# Automatically upgrade the microcode (when manually installed)
Package: intel-microcode iucode-tool
Pin-Priority: 200
diff --git a/roles/common/templates/etc/apt/sources.list.j2 b/roles/common/templates/etc/apt/sources.list.j2
index b6d0a64..ee4f20d 100644
--- a/roles/common/templates/etc/apt/sources.list.j2
+++ b/roles/common/templates/etc/apt/sources.list.j2
@@ -2,9 +2,9 @@
# Do NOT edit this file directly!
# vim: set filetype=debsources :
-deb http://ftp.se.debian.org/debian/ {{ ansible_lsb.codename }} main{% if 'non-free' in group_names or ansible_processor[0] | search("^Intel.*") %} contrib non-free{% endif %}
+deb http://ftp.se.debian.org/debian/ {{ ansible_lsb.codename }} main{% if 'non-free' in group_names or (ansible_processor[0] | search("^Intel.*") and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')) %} contrib non-free{% endif %}
-deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main{% if 'non-free' in group_names or ansible_processor[0] | search("^Intel.*") %} contrib non-free{% endif %}
+deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main{% if 'non-free' in group_names or (ansible_processor[0] | search("^Intel.*") and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')) %} contrib non-free{% endif %}
deb http://ftp.se.debian.org/debian/ {{ ansible_lsb.codename }}-updates main