Offline installation full

.gitignore

@@ -50,3 +50,10 @@ cloud.md
 # SELinux build artifacts
 ansible/roles/base/files/selinux/*.mod
 ansible/roles/base/files/selinux/*.pp
+
+# Offline Install
+offline_resources/
+lme-offline-*.tar.gz
+
+# Development scripts (not for production)
+scripts/dev_uninstall_lme.sh

ansible/roles/base/tasks/main.yml

@@ -13,7 +13,10 @@
 
 # Include common OS tasks first
 - name: Include common OS tasks
-  include_tasks: "{{ ansible_distribution | lower }}.yml"
+  include_tasks: "{{ item }}"
+  with_first_found:
+    - "{{ ansible_distribution | lower }}.yml"
+    - "{{ ansible_os_family | lower }}.yml"
   when: ansible_distribution is defined
 
 # Include version-specific tasks with fallback

ansible/roles/base/tasks/redhat.yml

@@ -10,6 +10,12 @@
   delay: 10
   until: dnf_update is success
   ignore_errors: "{{ ansible_check_mode }}"
+  when: not (offline_mode | default(false))
+
+- name: Skip package installation in offline mode
+  debug:
+    msg: "Offline mode enabled - skipping package installation (packages should be pre-installed)"
+  when: offline_mode | default(false)
 
 - name: Check if curl-minimal is installed
   command: rpm -q curl-minimal
@@ -24,6 +30,7 @@
 - name: Debug - Show common packages to be installed
   debug:
     msg: "Installing common packages: {{ common_packages | join(', ') }}"
+  when: not (offline_mode | default(false))
 
 - name: Install common packages
   dnf:
@@ -35,15 +42,17 @@
   delay: 10
   until: dnf_install is success
   ignore_errors: "{{ ansible_check_mode }}"
+  when: not (offline_mode | default(false))
 
 - name: Debug - Show common packages install result
   debug:
     var: dnf_install
-  when: debug_mode | default(false)
+  when: debug_mode | default(false) | bool
 
 - name: Debug - Show Red Hat packages to be installed
   debug:
     msg: "Installing Red Hat packages: {{ redhat_packages | join(', ') }}"
+  when: not (offline_mode | default(false))
 
 - name: Install required Red Hat packages
   dnf:
@@ -55,11 +64,12 @@
   delay: 10
   until: dnf_install_redhat is success
   ignore_errors: "{{ ansible_check_mode }}"
+  when: not (offline_mode | default(false))
 
 - name: Debug - Show Red Hat packages install result
   debug:
     var: dnf_install_redhat
-  when: debug_mode | default(false)
+  when: debug_mode | default(false) | bool
 
 # SELinux setup - run early before any Nix/Podman installation
 - name: Detect if SELinux tooling is available (base role)
@@ -110,7 +120,7 @@
 - name: Debug - Show firewalld disable result
   debug:
     msg: "Firewalld service {{ 'successfully disabled' if firewalld_disable.changed else 'was already disabled or not installed' }}"
-  when: debug_mode | default(false)
+  when: debug_mode | default(false) | bool
 
 - name: Set timezone
   timezone:

ansible/roles/base/tasks/redhat_9.yml

@@ -11,6 +11,7 @@
   delay: 5
   until: epel_key_import is success
   ignore_errors: "{{ ansible_check_mode }}"
+  when: not (offline_mode | default(false))
 
 - name: Install EPEL repository
   dnf:
@@ -22,12 +23,19 @@
   delay: 5
   until: epel_install is success
   ignore_errors: "{{ ansible_check_mode }}"
+  when: not (offline_mode | default(false))
+
+- name: Skip EPEL installation in offline mode
+  debug:
+    msg: "Offline mode enabled - skipping EPEL GPG key and repository installation (should be pre-installed from offline packages)"
+  when: offline_mode | default(false)
 
 - name: Install dnf-plugins-core
   dnf:
     name: dnf-plugins-core
     state: present
   become: yes
+  when: not (offline_mode | default(false))
 
 - name: Check available repositories
   command: dnf repolist --all
@@ -39,23 +47,28 @@
   command: dnf config-manager --set-enabled crb
   become: yes
   changed_when: true
-  when: "'crb' in available_repos.stdout"
+  when:
+    - "'crb' in available_repos.stdout"
+    - not (offline_mode | default(false))
   ignore_errors: true
 
 - name: Enable PowerTools repository (CentOS)
   command: dnf config-manager --set-enabled powertools
   become: yes
   changed_when: true
-  when: "'powertools' in available_repos.stdout"
+  when:
+    - "'powertools' in available_repos.stdout"
+    - not (offline_mode | default(false))
   ignore_errors: true
 
 - name: Enable CodeReady Builder for RHEL (if registered)
   command: subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms
   become: yes
   changed_when: true
-  when: 
+  when:
     - "'codeready-builder' in available_repos.stdout"
     - ansible_distribution == "RedHat"
+    - not (offline_mode | default(false))
   ignore_errors: true
 
 - name: Install Red Hat 9-specific packages
@@ -67,4 +80,10 @@
   retries: 60
   delay: 10
   until: dnf_install_rh9 is success
-  ignore_errors: "{{ ansible_check_mode }}"
+  ignore_errors: "{{ ansible_check_mode }}"
+  when: not (offline_mode | default(false))
+
+- name: Skip Red Hat 9-specific packages installation in offline mode
+  debug:
+    msg: "Offline mode enabled - skipping Red Hat 9-specific packages installation (should be pre-installed)"
+  when: offline_mode | default(false)

ansible/roles/base/tasks/selinux_setup.yml

@@ -34,7 +34,7 @@
       - Available: {{ selinux_available | default(false) }}
       - Current mode: {{ getenforce_out.stdout | default('N/A') }}
       - Was enforcing: {{ selinux_was_enforcing | default(false) }}
-  when: debug_mode | default(false)
+  when: debug_mode | default(false) | bool
 
 # Install SELinux policy tools early
 - name: Ensure SELinux policy tools are present
@@ -49,7 +49,16 @@
       - container-selinux
     state: present
   become: yes
-  when: selinux_available | default(false)
+  when:
+    - selinux_available | default(false)
+    - not (offline_mode | default(false))
+
+- name: Skip SELinux policy tools installation in offline mode
+  debug:
+    msg: "Offline mode enabled - skipping SELinux policy tools installation (should be pre-installed)"
+  when:
+    - selinux_available | default(false)
+    - offline_mode | default(false)
 
 - name: Ensure SELinux policy directory exists
   file:
@@ -106,7 +115,7 @@
 - name: Debug SELinux compile result
   debug:
     var: selinux_compile
-  when: debug_mode | default(false) and selinux_compile is defined
+  when: debug_mode | default(false) | bool and selinux_compile is defined
 
 - name: Check if SELinux module already present (pre-load)
   shell: semodule -l | grep -E "^lme_policy(\\s|$)" || true
@@ -178,5 +187,5 @@
       - LME policy loaded: {{ 'Yes' if lme_policy_present.rc == 0 else 'No' }}
       - Ready for Nix/Podman installation with proper contexts
   when: 
-    - debug_mode | default(false)
+    - debug_mode | default(false) | bool
     - selinux_available | default(false)

ansible/roles/base/tasks/selinux_vars.yml

@@ -37,6 +37,6 @@
       - "Active (not disabled): {{ selinux_active }}"
       - "Context supported:     {{ selinux_context_supported }}"
       - "cp preserve cmd:       {{ cp_preserve_cmd }}"
-  when: debug_mode | default(false)
+  when: debug_mode | default(false) | bool
 
 

ansible/roles/base/tasks/setup_passwords.yml

@@ -40,11 +40,19 @@
         method: GET
         return_content: yes
       register: hibp_response
+      when: not (offline_mode | default(false))
+
+    - name: Skip HIBP check in offline mode
+      debug:
+        msg: "Offline mode enabled - skipping HIBP password breach check"
+      when: offline_mode | default(false)
 
     - name: Fail if password is found in breaches
       fail:
         msg: "The password has been found in breaches... this should only happen if you provided a password via the cli... choose a different password"
-      when: hibp_response.content | regex_search(suffix)
+      when:
+        - not (offline_mode | default(false))
+        - hibp_response.content | regex_search(suffix)
 
 - name: check if vault-pass.sh is created
   stat:

ansible/roles/base/tasks/ubuntu.yml

@@ -10,6 +10,12 @@
   delay: 10
   until: apt_update is success
   ignore_errors: "{{ ansible_check_mode }}"
+  when: not (offline_mode | default(false))
+
+- name: Skip package installation in offline mode
+  debug:
+    msg: "Offline mode enabled - skipping package installation (packages should be pre-installed)"
+  when: offline_mode | default(false)
 
 - name: Install common packages
   apt:
@@ -21,6 +27,7 @@
   delay: 10
   until: apt_install is success
   ignore_errors: "{{ ansible_check_mode }}"
+  when: not (offline_mode | default(false))
 
 - name: Install required Ubuntu packages
   apt:
@@ -32,6 +39,7 @@
   delay: 10
   until: apt_install_ubuntu is success
   ignore_errors: "{{ ansible_check_mode }}"
+  when: not (offline_mode | default(false))
 
 - name: Set timezone information
   debconf:

ansible/roles/base/tasks/ubuntu_24_04.yml

@@ -5,3 +5,4 @@
     name: "{{ ubuntu_24_04_packages | default([]) }}"
     state: present
   become: yes
+  when: not (offline_mode | default(false))

ansible/roles/fleet/tasks/main.yml

@@ -48,6 +48,35 @@
       - "wazuh_api password is set: {{ wazuh_api_password | length > 0 }}"
   when: debug_mode | bool
 
+# Start Fleet distribution server FIRST in offline mode (before any package queries)
+- name: Enable and start Fleet distribution service
+  systemd:
+    name: lme-fleet-distribution
+    enabled: yes
+    state: started
+    daemon_reload: yes
+  become: yes
+  when: offline_mode | default(false)
+
+- name: Wait for Fleet distribution server to be ready
+  uri:
+    url: "https://{{ ipvar }}:8080/health"
+    method: GET
+    validate_certs: no
+    status_code: [200]
+  register: distribution_health
+  until: distribution_health.status is defined and distribution_health.status == 200
+  retries: 60
+  delay: 5
+  when: offline_mode | default(false)
+
+- name: Check if Fleet distribution server is ready
+  fail:
+    msg: "Fleet distribution server failed to start after 5 minutes"
+  when:
+    - offline_mode | default(false)
+    - distribution_health.status is not defined or distribution_health.status != 200
+
 # Wait for Kibana to be fully ready
 - name: Wait for Kibana to be fully ready
   uri:
@@ -184,22 +213,41 @@
   no_log: "{{ not debug_mode }}"
   ignore_errors: yes
 
-- name: Get CA fingerprint
+- name: Get CA fingerprint (Nix podman)
   ansible.builtin.shell: |
     set -a
     . {{ playbook_dir }}/../scripts/extract_secrets.sh -q
     set +a
     /nix/var/nix/profiles/default/bin/podman exec -w /usr/share/elasticsearch/config/certs/ca lme-elasticsearch cat ca.crt | openssl x509 -noout -fingerprint -sha256 | cut -d "=" -f 2 | tr -d : | head -n1
   args:
     executable: /bin/bash
-  register: ca_fingerprint
+  register: ca_fingerprint_nix
   changed_when: false
   become: yes
   no_log: "{{ not debug_mode }}"
+  when: not (offline_mode | default(false) and ansible_os_family == "RedHat")
+
+- name: Get CA fingerprint (System podman - RHEL offline)
+  ansible.builtin.shell: |
+    set -a
+    . {{ playbook_dir }}/../scripts/extract_secrets.sh -q
+    set +a
+    podman exec -w /usr/share/elasticsearch/config/certs/ca lme-elasticsearch cat ca.crt | openssl x509 -noout -fingerprint -sha256 | cut -d "=" -f 2 | tr -d : | head -n1
+  args:
+    executable: /bin/bash
+  register: ca_fingerprint_system
+  changed_when: false
+  become: yes
+  no_log: "{{ not debug_mode }}"
+  when: offline_mode | default(false) and ansible_os_family == "RedHat"
+
+- name: Set CA fingerprint fact
+  set_fact:
+    ca_fingerprint: "{{ ca_fingerprint_nix.stdout if ca_fingerprint_nix is not skipped else ca_fingerprint_system.stdout }}"
 
 - name: Debug CA fingerprint
   debug:
-    var: ca_fingerprint.stdout
+    var: ca_fingerprint
   when: debug_mode | bool
 
 - name: Set Fleet server hosts
@@ -270,7 +318,7 @@
       Content-Type: "application/json"
     body_format: json
     body:
-      ca_trusted_fingerprint: "{{ ca_fingerprint.stdout }}"
+      ca_trusted_fingerprint: "{{ ca_fingerprint }}"
   register: fleet_output_fingerprint_result
   until: fleet_output_fingerprint_result.status == 200
   retries: 12
@@ -627,3 +675,7 @@
       - "wazuh_api={{ wazuh_api_password }}"
   when: debug_mode | bool
   no_log: "{{ not debug_mode }}"
+
+# Note: Kibana offline mode configuration now happens in podman role
+# (before Kibana starts) instead of here
+