fix(configuration): tolerate missing units, gate Secure Boot to supported OSes, fix clevis install per family

2026-04-30 20:14:33 +02:00
parent db7dc53bd7
commit 382e82ff85
4 changed files with 28 additions and 3 deletions
--- a/roles/configuration/tasks/secure_boot.yml
+++ b/roles/configuration/tasks/secure_boot.yml
@@ -1,4 +1,15 @@
 ---
+- name: Validate Secure Boot is supported on this OS
+  ansible.builtin.assert:
+    that:
+      - os in ['archlinux', 'debian', 'ubuntu', 'ubuntu-lts',
+              'rhel', 'rocky', 'almalinux', 'fedora']
+    fail_msg: >-
+      Secure Boot is not supported on {{ os }} in this bootstrap. Supported:
+      Arch (sbctl) and Debian/Ubuntu/RHEL/Rocky/Alma/Fedora (shim). Disable
+      system.features.secure_boot.enabled or pick a supported OS.
+    quiet: true
+
 - name: Configure shim-based Secure Boot
  when: os != 'archlinux'
  ansible.builtin.include_tasks: secure_boot/shim.yml