Move derived vars into role defaults

roles/cis/defaults/main.yml

@@ -0,0 +1,21 @@
+---
+cis_permission_targets: >-
+  {{
+    [
+      { "path": "/mnt/etc/ssh/sshd_config", "mode": "0600" },
+      { "path": "/mnt/etc/cron.hourly", "mode": "0700" },
+      { "path": "/mnt/etc/cron.daily", "mode": "0700" },
+      { "path": "/mnt/etc/cron.weekly", "mode": "0700" },
+      { "path": "/mnt/etc/cron.monthly", "mode": "0700" },
+      { "path": "/mnt/etc/cron.d", "mode": "0700" },
+      { "path": "/mnt/etc/crontab", "mode": "0600" },
+      { "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
+      { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9", "rhel10"] else None,
+      {
+        "path": "/mnt/usr/bin/"
+        + ("fusermount3" if os in ["archlinux", "debian12", "fedora", "rhel9", "rhel10", "rocky"] else "fusermount"),
+        "mode": "755"
+      },
+      { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" }
+    ] | reject("none")
+  }}

roles/cis/tasks/permissions.yml

@@ -1,25 +1,4 @@
 ---
-- name: Build CIS permission targets
-  ansible.builtin.set_fact:
-    cis_permission_targets: >-
-      {{
-        [
-          { "path": "/mnt/etc/ssh/sshd_config", "mode": "0600" },
-          { "path": "/mnt/etc/cron.hourly", "mode": "0700" },
-          { "path": "/mnt/etc/cron.daily", "mode": "0700" },
-          { "path": "/mnt/etc/cron.weekly", "mode": "0700" },
-          { "path": "/mnt/etc/cron.monthly", "mode": "0700" },
-          { "path": "/mnt/etc/cron.d", "mode": "0700" },
-          { "path": "/mnt/etc/crontab", "mode": "0600" },
-          { "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
-          { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9", "rhel10"] else None,
-          { "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["archlinux", "debian12", "fedora", "rhel9",
-            "rhel10", "rocky"] else "fusermount"), "mode": "755" },
-          { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" }
-        ] | reject("none")
-      }}
-  changed_when: false
-
 - name: Check CIS permission targets
   ansible.builtin.stat:
     path: "{{ item.path }}"

roles/cleanup/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+cleanup_libvirt_image_dir: >-
+  {{ vm_path if vm_path is defined and vm_path | length > 0 else '/var/lib/libvirt/images' }}
+cleanup_libvirt_cloudinit_path: >-
+  {{ [cleanup_libvirt_image_dir, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}

roles/cleanup/tasks/libvirt.yml

@@ -4,16 +4,6 @@
   delegate_to: localhost
   become: false
   block:
-    - name: Set libvirt image paths
-      vars:
-        cleanup_libvirt_image_dir_value: >-
-          {{ vm_path if vm_path is defined and vm_path | length > 0 else '/var/lib/libvirt/images' }}
-      ansible.builtin.set_fact:
-        cleanup_libvirt_image_dir: "{{ cleanup_libvirt_image_dir_value }}"
-        cleanup_libvirt_cloudinit_path: >-
-          {{ [cleanup_libvirt_image_dir_value, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}
-      changed_when: false
-
     - name: Read current VM XML definition
       community.libvirt.virt:
         command: get_xml

roles/configuration/tasks/encryption/keyfile.yml

@@ -61,7 +61,7 @@
     - name: Regenerate keyfile and retry adding to LUKS header
       when:
         - configuration_luks_keyfile_unlock_test.rc != 0
-        - configuration_luks_keyfile_copy.changed | default(false) | bool
+        - configuration_luks_keyfile_copy is defined and configuration_luks_keyfile_copy.changed | bool
         - configuration_luks_addkey_result is failed
       block:
         - name: Regenerate LUKS keyfile

roles/virtualization/defaults/main.yml

@@ -1,4 +1,13 @@
 ---
+virtualization_libvirt_image_dir: >-
+  {{ vm_path if vm_path is defined and vm_path | length > 0 else '/var/lib/libvirt/images' }}
+virtualization_libvirt_disk_path: >-
+  {{ [virtualization_libvirt_image_dir, hostname ~ '.qcow2'] | ansible.builtin.path_join }}
+virtualization_libvirt_cloudinit_path: >-
+  {{ [virtualization_libvirt_image_dir, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}
+virtualization_mac_address: >-
+  {{ '52:54:00' | community.general.random_mac(seed=hostname) }}
+
 virtualization_tpm2_enabled: >-
   {{
     (partitioning_luks_enabled | bool)

roles/virtualization/tasks/libvirt.yml

@@ -1,17 +1,4 @@
 ---
-- name: Set libvirt image paths
-  delegate_to: localhost
-  vars:
-    virtualization_libvirt_image_dir_value: >-
-      {{ vm_path if vm_path is defined and vm_path | length > 0 else '/var/lib/libvirt/images' }}
-  ansible.builtin.set_fact:
-    virtualization_libvirt_image_dir: "{{ virtualization_libvirt_image_dir_value }}"
-    virtualization_libvirt_disk_path: >-
-      {{ [virtualization_libvirt_image_dir_value, hostname ~ '.qcow2'] | ansible.builtin.path_join }}
-    virtualization_libvirt_cloudinit_path: >-
-      {{ [virtualization_libvirt_image_dir_value, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}
-  changed_when: false
-
 - name: Create VM disk
   delegate_to: localhost
   ansible.builtin.command:
@@ -24,13 +11,6 @@
       - "{{ vm_size }}G"
     creates: "{{ virtualization_libvirt_disk_path }}"
 
-- name: Generate VM MAC address
-  delegate_to: localhost
-  ansible.builtin.set_fact:
-    virtualization_mac_address: >-
-      {{ '52:54:00' | community.general.random_mac(seed=hostname) }}
-  changed_when: false
-
 - name: Render cloud config templates
   delegate_to: localhost
   ansible.builtin.template: