From 230b14e2abd6a5192300f85114fb7e5bcc405da2 Mon Sep 17 00:00:00 2001
From: Sandwich
Date: Fri, 2 Jan 2026 11:25:51 +0100
Subject: [PATCH] Move derived vars into role defaults
---
 roles/cis/defaults/main.yml | 21 +++++++++++++++++++
 roles/cis/tasks/permissions.yml | 21 -------------------
 roles/cleanup/defaults/main.yml | 5 +++++
 roles/cleanup/tasks/libvirt.yml | 10 --------
 .../tasks/encryption/keyfile.yml | 2 +-
 roles/virtualization/defaults/main.yml | 9 ++++++++
 roles/virtualization/tasks/libvirt.yml | 20 ------------------
 7 files changed, 36 insertions(+), 52 deletions(-)
 create mode 100644 roles/cis/defaults/main.yml
 create mode 100644 roles/cleanup/defaults/main.yml
diff --git a/roles/cis/defaults/main.yml b/roles/cis/defaults/main.yml
new file mode 100644
index 0000000..ebc2892
--- /dev/null
+++ b/roles/cis/defaults/main.yml
@@ -0,0 +1,21 @@
+---
+cis_permission_targets: >-
+ {{
+ [
+ { "path": "/mnt/etc/ssh/sshd_config", "mode": "0600" },
+ { "path": "/mnt/etc/cron.hourly", "mode": "0700" },
+ { "path": "/mnt/etc/cron.daily", "mode": "0700" },
+ { "path": "/mnt/etc/cron.weekly", "mode": "0700" },
+ { "path": "/mnt/etc/cron.monthly", "mode": "0700" },
+ { "path": "/mnt/etc/cron.d", "mode": "0700" },
+ { "path": "/mnt/etc/crontab", "mode": "0600" },
+ { "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
+ { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9", "rhel10"] else None,
+ {
+ "path": "/mnt/usr/bin/" +
+ ("fusermount3" if os in ["archlinux", "debian12", "fedora", "rhel9", "rhel10", "rocky"] else "fusermount"),
+ "mode": "755"
+ },
+ { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" }
+ ] | reject("none")
+ }}
diff --git a/roles/cis/tasks/permissions.yml b/roles/cis/tasks/permissions.yml
index 086fbd7..1acf70d 100644
--- a/roles/cis/tasks/permissions.yml
+++ b/roles/cis/tasks/permissions.yml
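Review bot: `cis_permission_targets` now lives in role defaults, the lowest-precedence variable source, so a same-named variable in inventory, group_vars or `-e` silently replaces the entire hardening list, which the previous `set_fact` did not permit; the same applies to the new `roles/cleanup/defaults/main.yml` and `roles/virtualization/defaults/main.yml` entries later in this patch. If these derived values are not meant to be tunable per host, `vars/main.yml` (role vars precedence) is the safer home; otherwise state the contract in a header comment such as `# Role default: any inventory variable of the same name replaces this list entirely.` Because a default is rendered lazily, an undefined `os` now fails at the first task that references the list rather than at a named build task, which makes the error harder to attribute. The file also mixes four-digit modes (`"0754"`) with three-digit ones (`"755"`) for the last two entries; one form throughout would read more uniformly.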
@@ -1,25 +1,4 @@
 ---
-- name: Build CIS permission targets
- ansible.builtin.set_fact:
- cis_permission_targets: >-
- {{
- [
- { "path": "/mnt/etc/ssh/sshd_config", "mode": "0600" },
- { "path": "/mnt/etc/cron.hourly", "mode": "0700" },
- { "path": "/mnt/etc/cron.daily", "mode": "0700" },
- { "path": "/mnt/etc/cron.weekly", "mode": "0700" },
- { "path": "/mnt/etc/cron.monthly", "mode": "0700" },
- { "path": "/mnt/etc/cron.d", "mode": "0700" },
- { "path": "/mnt/etc/crontab", "mode": "0600" },
- { "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
- { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9", "rhel10"] else None,
- { "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["archlinux", "debian12", "fedora", "rhel9",
- "rhel10", "rocky"] else "fusermount"), "mode": "755" },
- { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" }
- ] | reject("none")
- }}
- changed_when: false
-
 - name: Check CIS permission targets
 ansible.builtin.stat:
 path: "{{ item.path }}"
diff --git a/roles/cleanup/defaults/main.yml b/roles/cleanup/defaults/main.yml
new file mode 100644
index 0000000..9e84ae4
--- /dev/null
+++ b/roles/cleanup/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+cleanup_libvirt_image_dir: >-
+ {{ vm_path if vm_path is defined and vm_path | length > 0 else '/var/lib/libvirt/images' }}
+cleanup_libvirt_cloudinit_path: >-
+ {{ [cleanup_libvirt_image_dir, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}
diff --git a/roles/cleanup/tasks/libvirt.yml b/roles/cleanup/tasks/libvirt.yml
index 6a84eae..dc99e00 100644
--- a/roles/cleanup/tasks/libvirt.yml
+++ b/roles/cleanup/tasks/libvirt.yml
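Review bot: `cleanup_libvirt_cloudinit_path` joins `hostname` into the image directory with no check that it is a plain name, so a value containing `/` or `..` resolves to a path outside `cleanup_libvirt_image_dir`; since a cleanup role presumably removes the file at that path, a guard before first use is worth adding, e.g. `- ansible.builtin.assert:` / `    that: "hostname is match('^[A-Za-z0-9][A-Za-z0-9.-]*$')"`, and the same applies to `virtualization_libvirt_disk_path` and `virtualization_libvirt_cloudinit_path` in the virtualization defaults. The `vm_path` fallback expression is now written identically here and in `roles/virtualization/defaults/main.yml`, so the default image location and the emptiness check have two places to drift; a single shared variable would keep them aligned. As a role default the expression renders lazily, so an undefined `vm_path` or `hostname` now surfaces at whichever task first references the derived path rather than at a named `set_fact` task.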
@@ -4,16 +4,6 @@
 delegate_to: localhost
 become: false
 block:
- - name: Set libvirt image paths
- vars:
- cleanup_libvirt_image_dir_value: >-
- {{ vm_path if vm_path is defined and vm_path | length > 0 else '/var/lib/libvirt/images' }}
- ansible.builtin.set_fact:
- cleanup_libvirt_image_dir: "{{ cleanup_libvirt_image_dir_value }}"
- cleanup_libvirt_cloudinit_path: >-
- {{ [cleanup_libvirt_image_dir_value, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}
- changed_when: false
-
 - name: Read current VM XML definition
 community.libvirt.virt:
 command: get_xml
diff --git a/roles/configuration/tasks/encryption/keyfile.yml b/roles/configuration/tasks/encryption/keyfile.yml
index 8cbc39c..05b6f5f 100644
--- a/roles/configuration/tasks/encryption/keyfile.yml
+++ b/roles/configuration/tasks/encryption/keyfile.yml
@@ -61,7 +61,7 @@
 - name: Regenerate keyfile and retry adding to LUKS header
 when:
 - configuration_luks_keyfile_unlock_test.rc != 0
- configuration_luks_keyfile_copy.changed | default(false) | bool
+ - configuration_luks_keyfile_copy is defined and configuration_luks_keyfile_copy.changed | bool
 - configuration_luks_addkey_result is failed
 block:
 - name: Regenerate LUKS keyfile
diff --git a/roles/virtualization/defaults/main.yml b/roles/virtualization/defaults/main.yml
index ffff2ed..f1e02d8 100644
--- a/roles/virtualization/defaults/main.yml
+++ b/roles/virtualization/defaults/main.yml
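Review bot: The rewritten keyfile `when:` condition raises an undefined-variable error instead of evaluating to false if `configuration_luks_keyfile_copy` is defined but carries no `changed` key, a case the old `| default(false)` tolerated; if a registered copy result always has `changed`, the `is defined` guard alone is enough, but that assumption deserves a comment such as `# registered by the keyfile copy task; undefined only when that task never ran`. Jinja binds `| bool` tighter than `and`, so the line reads as `(copy is defined) and (copy.changed | bool)`, which appears to be the intent but is easy to misread; parenthesising the right operand would make it explicit. The list still dereferences `configuration_luks_keyfile_unlock_test.rc` first with no guard at all, so if that test task can be skipped the error would occur before the new check is reached. The enclosing block starts and ends outside the hunk.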
@@ -1,4 +1,13 @@
 ---
+virtualization_libvirt_image_dir: >-
+ {{ vm_path if vm_path is defined and vm_path | length > 0 else '/var/lib/libvirt/images' }}
+virtualization_libvirt_disk_path: >-
+ {{ [virtualization_libvirt_image_dir, hostname ~ '.qcow2'] | ansible.builtin.path_join }}
+virtualization_libvirt_cloudinit_path: >-
+ {{ [virtualization_libvirt_image_dir, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}
+virtualization_mac_address: >-
+ {{ '52:54:00' | community.general.random_mac(seed=hostname) }}
+
 virtualization_tpm2_enabled: >-
 {{
 (partitioning_luks_enabled | bool)
diff --git a/roles/virtualization/tasks/libvirt.yml b/roles/virtualization/tasks/libvirt.yml
index 3d886fc..c08a662 100644
--- a/roles/virtualization/tasks/libvirt.yml
+++ b/roles/virtualization/tasks/libvirt.yml
@@ -1,17 +1,4 @@
 ---
-- name: Set libvirt image paths
- delegate_to: localhost
- vars:
- virtualization_libvirt_image_dir_value: >-
- {{ vm_path if vm_path is defined and vm_path | length > 0 else '/var/lib/libvirt/images' }}
- ansible.builtin.set_fact:
- virtualization_libvirt_image_dir: "{{ virtualization_libvirt_image_dir_value }}"
- virtualization_libvirt_disk_path: >-
- {{ [virtualization_libvirt_image_dir_value, hostname ~ '.qcow2'] | ansible.builtin.path_join }}
- virtualization_libvirt_cloudinit_path: >-
- {{ [virtualization_libvirt_image_dir_value, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}
- changed_when: false
-
 - name: Create VM disk
 delegate_to: localhost
 ansible.builtin.command:
@@ -24,13 +11,6 @@
 - "{{ vm_size }}G"
 creates: "{{ virtualization_libvirt_disk_path }}"
 
-- name: Generate VM MAC address
- delegate_to: localhost
- ansible.builtin.set_fact:
- virtualization_mac_address: >-
- {{ '52:54:00' | community.general.random_mac(seed=hostname) }}
- changed_when: false
-
 - name: Render cloud config templates
 delegate_to: localhost
 ansible.builtin.template:
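Review bot: `virtualization_mac_address` is now rendered lazily on every reference instead of being fixed once by `set_fact`, so its stability between the cloud-config templates and the libvirt definition rests entirely on `seed=hostname`; a comment such as `# seed makes every render return the same MAC for this host; do not remove it` would protect that invariant. The defaults file now depends on `vm_path`, `hostname` and `partitioning_luks_enabled` from outside the role without declaring them; a short header comment listing the required external variables would make the contract visible to anyone reusing the role. The `virtualization_tpm2_enabled` expression continues past the end of the hunk.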