sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(cleanup,config): xen tmp cleanup, tpm2 fallback warning, add code comments

Browse Source
This commit is contained in:
Sandwich
2026-02-22 01:59:01 +01:00
parent a2b206127f
commit 3f2f4055f0
5 changed files with 17 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
roles/cleanup/tasks/xen.yml
View File

@@ -11,7 +11,7 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
cleanup_xen_disks: "{{ cleanup_xen_disks | default([]) + [cleanup_xen_disk_cfg] }}" cleanup_xen_disks: "{{ cleanup_xen_disks | default([]) + [cleanup_xen_disk_cfg] }}"
vars: vars:
device_letter_map: "abcdefghijklmnopqrstuvwxyz" device_letter_map: "{{ disk_letter_map }}"
device_letter: "{{ device_letter_map[ansible_loop.index0] }}" device_letter: "{{ device_letter_map[ansible_loop.index0] }}"
cleanup_xen_disk_cfg: >- cleanup_xen_disk_cfg: >-
{{ {{
@@ -58,3 +58,8 @@
- /tmp/xen-{{ hostname }}.cfg - /tmp/xen-{{ hostname }}.cfg
register: cleanup_xen_start_result register: cleanup_xen_start_result
changed_when: cleanup_xen_start_result.rc == 0 changed_when: cleanup_xen_start_result.rc == 0
- name: Remove temporary Xen configuration file
ansible.builtin.file:
path: /tmp/xen-{{ hostname }}.cfg
state: absent

5
roles/configuration/tasks/encryption/tpm2.yml
View File

@@ -80,10 +80,11 @@
host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }} host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }}
rescue: rescue:
- name: Warn about TPM2 enrollment failure - name: Warn about TPM2 enrollment failure
ansible.builtin.debug: ansible.builtin.fail:
msg: >- msg: >-
TPM2 enrollment failed — falling back to keyfile auto-decrypt. WARNING: TPM2 enrollment failed — falling back to keyfile auto-decrypt.
The system will use a keyfile instead of TPM2 for automatic LUKS unlock. The system will use a keyfile instead of TPM2 for automatic LUKS unlock.
ignore_errors: true
- name: Fallback to keyfile auto-decrypt - name: Fallback to keyfile auto-decrypt
ansible.builtin.set_fact: ansible.builtin.set_fact:

6
roles/configuration/tasks/extras.yml
View File

@@ -12,6 +12,8 @@
marker: "# {mark} CUSTOM VIM CONFIG" marker: "# {mark} CUSTOM VIM CONFIG"
failed_when: false failed_when: false
# Tuned for VM workloads: low swappiness, aggressive writeback, large page-cluster
# for zram. Override post-bootstrap via the linux role or sysctl if needed.
- name: Add memory tuning parameters - name: Add memory tuning parameters
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: /mnt/etc/sysctl.d/90-memory.conf path: /mnt/etc/sysctl.d/90-memory.conf
@@ -41,7 +43,7 @@
mode: "0644" mode: "0644"
- name: Copy Custom Shell config - name: Copy Custom Shell config
ansible.builtin.template: ansible.builtin.copy:
src: custom.sh.j2 src: custom.sh
dest: /mnt/etc/profile.d/custom.sh dest: /mnt/etc/profile.d/custom.sh
mode: "0644" mode: "0644"

2
roles/configuration/tasks/selinux.yml
View File

@@ -11,6 +11,8 @@
register: configuration_setfiles_result register: configuration_setfiles_result
changed_when: configuration_setfiles_result.rc == 0 changed_when: configuration_setfiles_result.rc == 0
# Fedora: setfiles segfaults during bootstrap chroot relabeling, so SELinux
# is left permissive and expected to relabel on first boot.
- name: Disable SELinux - name: Disable SELinux
when: os == "fedora" or not system_cfg.features.selinux.enabled | bool when: os == "fedora" or not system_cfg.features.selinux.enabled | bool
ansible.builtin.lineinfile: ansible.builtin.lineinfile:

2
roles/configuration/tasks/ssh.yml
View File

@@ -1,4 +1,6 @@
--- ---
# Bootstrap-only: permissive SSH for initial Ansible access.
# Post-bootstrap hardening (key-only, no root login) is handled by the linux role.
- name: Ensure SSH password authentication is enabled - name: Ensure SSH password authentication is enabled
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/ssh/sshd_config path: /mnt/etc/ssh/sshd_config