sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Partitioning idempotency and filesystem tasks

Browse Source
This commit is contained in:
Sandwich
2025-12-26 23:31:54 +01:00
parent 72ec492a33
commit 4bce08e77b
4 changed files with 462 additions and 125 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
roles/partitioning/tasks/btrfs.yml
View File

@@ -3,54 +3,63 @@
block: block:
- name: Create btrfs filesystem in main volume - name: Create btrfs filesystem in main volume
community.general.filesystem: community.general.filesystem:
dev: "{{ install_drive }}{{ main_partition_suffix }}" dev: "{{ partitioning_root_device }}"
fstype: btrfs fstype: btrfs
force: true force: true
opts: >-
{{
'-K'
if (partitioning_luks_enabled | bool)
and not ('discard' in (partitioning_luks_options | default('') | lower))
else omit
}}
- name: Prepare BTRFS Subvolume - name: Prepare BTRFS Subvolume
ansible.posix.mount: ansible.posix.mount:
path: /mnt path: /mnt
src: "{{ install_drive }}{{ main_partition_suffix }}" src: "{{ partitioning_root_device }}"
fstype: btrfs fstype: btrfs
opts: rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async opts: rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async
state: mounted state: mounted
- name: Enable quotas on Btrfs filesystem - name: Enable quotas on Btrfs filesystem
ansible.builtin.command: btrfs quota enable /mnt ansible.builtin.command: btrfs quota enable /mnt
changed_when: result.rc == 0 register: partitioning_btrfs_quota_result
register: result changed_when: false
- name: Make root subvolumes - name: Make root subvolumes
when: cis | bool or item.subvol not in ['var_log_audit'] when: cis | bool or item.subvol not in ['var_log_audit']
ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
changed_when: result.rc == 0 args:
register: result creates: /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
loop: loop:
- { subvol: root } - {subvol: root}
- { subvol: swap } - {subvol: swap}
- { subvol: home } - {subvol: home}
- { subvol: var } - {subvol: var}
- { subvol: var_log } - {subvol: pkg}
- { subvol: var_log_audit } - {subvol: var_log}
- {subvol: var_log_audit}
register: partitioning_btrfs_subvol_result
- name: Set quotas for subvolumes - name: Set quotas for subvolumes
when: cis | bool or item.subvol not in ['var_log_audit'] when: cis | bool
ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
changed_when: result.rc == 0
register: result
loop: loop:
- { subvol: home, quota: 2G } - {subvol: home, quota: 2G}
register: partitioning_btrfs_qgroup_result
changed_when: false
- name: Create a Btrfs swap file - name: Create a Btrfs swap file
ansible.builtin.command: >- ansible.builtin.command: >-
btrfs filesystem mkswapfile --size {{ ((vm_memory | float / 1024 >= 16.0) | ternary((vm_memory btrfs filesystem mkswapfile --size {{ partitioning_swap_size_gb }}g --uuid clear /mnt/@swap/swapfile
| float / 2048) | int, [vm_memory | float / 1024, 4.0] | max) | int) }}g --uuid clear /mnt/@swap/swapfile args:
changed_when: result.rc == 0 creates: /mnt/@swap/swapfile
register: result register: partitioning_btrfs_swap_result
- name: Unmount Partition - name: Unmount Partition
ansible.posix.mount: ansible.posix.mount:
path: /mnt path: /mnt
src: "{{ install_drive }}{{ main_partition_suffix }}" src: "{{ partitioning_root_device }}"
fstype: btrfs fstype: btrfs
state: unmounted state: unmounted

24
roles/partitioning/tasks/ext4.yml
View File

@@ -6,20 +6,20 @@
fstype: ext4 fstype: ext4
force: true force: true
loop: loop:
- { lv: root } - {lv: root}
- { lv: home } - {lv: home}
- { lv: var } - {lv: var}
- { lv: var_log } - {lv: var_log}
- { lv: var_log_audit } - {lv: var_log_audit}
- name: Remove Unsupported features for older Systems - name: Remove Unsupported features for older Systems
when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky']) and (cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']) when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky']) and (cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'])
ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}" ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}"
changed_when: result.rc == 0
register: result
loop: loop:
- { lv: root } - {lv: root}
- { lv: home } - {lv: home}
- { lv: var } - {lv: var}
- { lv: var_log } - {lv: var_log}
- { lv: var_log_audit } - {lv: var_log_audit}
register: partitioning_ext4_tune_result
changed_when: partitioning_ext4_tune_result.rc == 0

502
roles/partitioning/tasks/main.yml
View File

@@ -1,33 +1,304 @@
--- ---
- name: Set partitioning defaults
ansible.builtin.set_fact:
partitioning_luks_enabled: "{{ partitioning_luks_enabled | default(luks_enabled | default(false)) | bool }}"
partitioning_luks_mapper_name: "{{ partitioning_luks_mapper_name | default(luks_mapper_name | default('SYSTEM_DECRYPTED')) }}"
partitioning_luks_type: "{{ partitioning_luks_type | default(luks_type | default('luks2')) }}"
partitioning_luks_cipher: "{{ partitioning_luks_cipher | default(luks_cipher | default('aes-xts-plain64')) }}"
partitioning_luks_hash: "{{ partitioning_luks_hash | default(luks_hash | default('sha512')) }}"
partitioning_luks_iter_time: "{{ partitioning_luks_iter_time | default(luks_iter_time | default(4000)) }}"
partitioning_luks_key_size: "{{ partitioning_luks_key_size | default(luks_key_size | default(512)) }}"
partitioning_luks_pbkdf: "{{ partitioning_luks_pbkdf | default(luks_pbkdf | default('argon2id')) }}"
partitioning_luks_use_urandom: "{{ partitioning_luks_use_urandom | default(luks_use_urandom | default(true)) | bool }}"
partitioning_luks_verify_passphrase: "{{ partitioning_luks_verify_passphrase | default(luks_verify_passphrase | default(true)) | bool }}"
partitioning_luks_auto_decrypt: "{{ partitioning_luks_auto_decrypt | default(luks_auto_decrypt | default(true)) | bool }}"
partitioning_luks_auto_decrypt_method: "{{ partitioning_luks_auto_decrypt_method | default(luks_auto_decrypt_method | default('tpm2')) }}"
partitioning_luks_tpm2_device: "{{ partitioning_luks_tpm2_device | default(luks_tpm2_device | default('auto')) }}"
partitioning_luks_tpm2_pcrs: "{{ partitioning_luks_tpm2_pcrs | default(luks_tpm2_pcrs | default('')) }}"
partitioning_luks_keyfile_size: "{{ partitioning_luks_keyfile_size | default(luks_keyfile_size | default(64)) }}"
partitioning_luks_options: "{{ partitioning_luks_options | default(luks_options | default('discard,tries=3')) }}"
partitioning_luks_device: >-
{{ install_drive ~ (partitioning_main_partition_suffix | string) }}
- name: Set partitioning root device
ansible.builtin.set_fact:
partitioning_root_device: >-
{{
'/dev/mapper/' + partitioning_luks_mapper_name
if partitioning_luks_enabled | bool
else install_drive ~ (partitioning_main_partition_suffix | string)
}}
- name: Set partitioning vm_size from input
when: vm_size is defined or partitioning_vm_size is defined
ansible.builtin.set_fact:
partitioning_vm_size: "{{ (partitioning_vm_size | default(vm_size)) | float }}"
- name: Set partitioning vm memory from input
when: vm_memory is defined or partitioning_vm_memory is defined
ansible.builtin.set_fact:
partitioning_vm_memory: "{{ (partitioning_vm_memory | default(vm_memory)) | float }}"
- name: Detect system memory for swap sizing
when: partitioning_vm_memory is not defined
block:
- name: Read system memory
ansible.builtin.command: awk '/MemTotal/ {print int($2/1024)}' /proc/meminfo
register: partitioning_memtotal_mb
changed_when: false
failed_when: false
- name: Set partitioning vm memory default
ansible.builtin.set_fact:
partitioning_vm_memory: "{{ (partitioning_memtotal_mb.stdout | default('4096') | int) | float }}"
- name: Calculate swap size
ansible.builtin.set_fact:
partitioning_swap_size_gb: >-
{{
((partitioning_vm_memory | float / 1024) >= 16.0)
| ternary(
(partitioning_vm_memory | float / 2048) | int,
[partitioning_vm_memory | float / 1024, 4.0] | max | int
)
}}
- name: Set partitioning vm_size for physical installs
when:
- install_type == "physical"
- partitioning_vm_size is not defined
- install_drive is defined
block:
- name: Detect install drive size
ansible.builtin.command: "lsblk -b -dn -o SIZE {{ install_drive }}"
register: partitioning_disk_size_bytes
changed_when: false
- name: Set partitioning vm_size from install drive size
when:
- partitioning_disk_size_bytes.stdout is defined
- (partitioning_disk_size_bytes.stdout | trim | length) > 0
ansible.builtin.set_fact:
partitioning_vm_size: >-
{{
(partitioning_disk_size_bytes.stdout | trim | int / 1024 / 1024 / 1024)
| round(2, 'floor')
}}
- name: Partition install drive - name: Partition install drive
block: block:
- name: Prepare partitions - name: Prepare partitions
failed_when: false block:
ansible.builtin.command: "{{ item.cmd }}" - name: Disable swap
changed_when: result.rc == 0 ansible.builtin.command: swapoff -a
register: result changed_when: false
loop: failed_when: false
- { cmd: umount -l /mnt }
- { cmd: vgremove -f sys } - name: Find mounts under /mnt
- { ansible.builtin.command: findmnt -R /mnt -n -o TARGET
cmd: 'find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;', register: partitioning_mounted_paths
} changed_when: false
loop_control: failed_when: false
label: "{{ item.cmd }}"
- name: Unmount /mnt mounts
when: partitioning_mounted_paths.stdout_lines | length > 0
ansible.posix.mount:
path: "{{ item }}"
state: unmounted
loop: "{{ partitioning_mounted_paths.stdout_lines | reverse }}"
loop_control:
label: "{{ item }}"
failed_when: false
- name: Remove LVM volume group
community.general.lvg:
vg: sys
state: absent
force: true
failed_when: false
- name: Close LUKS mapper
when: partitioning_luks_enabled | bool
community.crypto.luks_device:
name: "{{ partitioning_luks_mapper_name }}"
state: closed
failed_when: false
- name: Remove LUKS mapper device
when: partitioning_luks_enabled | bool
ansible.builtin.command: >-
dmsetup remove --force --retry {{ partitioning_luks_mapper_name }}
register: partitioning_dmsetup_remove
changed_when: partitioning_dmsetup_remove.rc == 0
failed_when: false
- name: Remove LUKS signatures
when: partitioning_luks_enabled | bool
community.crypto.luks_device:
device: "{{ partitioning_luks_device }}"
state: absent
failed_when: false
- name: Wipe filesystem signatures
ansible.builtin.command: >-
find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;
register: partitioning_wipefs_result
changed_when: false
failed_when: false
- name: Refresh kernel partition table
ansible.builtin.command: "{{ item }}"
loop:
- "partprobe {{ install_drive }}"
- "blockdev --rereadpt {{ install_drive }}"
- "udevadm settle"
register: partitioning_partprobe_result
changed_when: false
failed_when: false
- name: Define partitions - name: Define partitions
community.general.parted: block:
device: "{{ install_drive }}" - name: Create partition layout
label: gpt community.general.parted:
number: "{{ item.number }}" device: "{{ install_drive }}"
part_end: "{{ item.part_end | default(omit) }}" label: gpt
part_start: "{{ item.part_start | default(omit) }}" number: "{{ item.number }}"
name: "{{ item.name }}" part_end: "{{ item.part_end | default(omit) }}"
flags: "{{ item.flags | default(omit) }}" part_start: "{{ item.part_start | default(omit) }}"
state: present name: "{{ item.name }}"
flags: "{{ item.flags | default(omit) }}"
state: present
loop:
- {number: 1, part_end: 500MiB, name: boot, flags: [boot, esp]}
- {number: 2, part_start: 500MiB, name: root}
rescue:
- name: Refresh kernel partition table after failure
ansible.builtin.command: "{{ item }}"
loop:
- "partprobe {{ install_drive }}"
- "blockdev --rereadpt {{ install_drive }}"
- "udevadm settle"
register: partitioning_partprobe_retry
changed_when: false
failed_when: false
- name: Retry partition layout
community.general.parted:
device: "{{ install_drive }}"
label: gpt
number: "{{ item.number }}"
part_end: "{{ item.part_end | default(omit) }}"
part_start: "{{ item.part_start | default(omit) }}"
name: "{{ item.name }}"
flags: "{{ item.flags | default(omit) }}"
state: present
loop:
- {number: 1, part_end: 500MiB, name: boot, flags: [boot, esp]}
- {number: 2, part_start: 500MiB, name: root}
- name: Settle partition table
ansible.builtin.command: "{{ item }}"
loop: loop:
- { number: 1, part_end: 500MiB, name: boot, flags: [boot, esp] } - "partprobe {{ install_drive }}"
- { number: 2, part_start: 500MiB, name: root } - "udevadm settle"
register: partitioning_partprobe_settle
changed_when: false
failed_when: false
- name: Configure LUKS encryption
when: partitioning_luks_enabled | bool
vars:
partitioning_luks_passphrase_effective: >-
{{ (partitioning_luks_passphrase | default(luks_passphrase | default(''))) | string }}
block:
- name: Validate LUKS passphrase
ansible.builtin.assert:
that:
- partitioning_luks_passphrase_effective | length > 0
fail_msg: luks_passphrase (or partitioning_luks_passphrase) must be set when LUKS is enabled.
no_log: true
- name: Ensure LUKS container exists
community.crypto.luks_device:
device: "{{ partitioning_luks_device }}"
state: present
type: "{{ partitioning_luks_type }}"
cipher: "{{ partitioning_luks_cipher }}"
hash: "{{ partitioning_luks_hash }}"
keysize: "{{ partitioning_luks_key_size }}"
pbkdf:
algorithm: "{{ partitioning_luks_pbkdf }}"
iteration_time: "{{ (partitioning_luks_iter_time | float) / 1000 }}"
passphrase: "{{ partitioning_luks_passphrase_effective }}"
register: partitioning_luks_format_result
no_log: true
- name: Force-close LUKS mapper
community.crypto.luks_device:
name: "{{ partitioning_luks_mapper_name }}"
state: closed
failed_when: false
- name: Force-remove LUKS mapper device
ansible.builtin.command: >-
dmsetup remove --force --retry {{ partitioning_luks_mapper_name }}
register: partitioning_dmsetup_remove_after_format
changed_when: partitioning_dmsetup_remove_after_format.rc == 0
failed_when: false
- name: Settle udev after removing LUKS mapper
ansible.builtin.command: udevadm settle
changed_when: false
failed_when: false
- name: Ensure LUKS mapper is opened
block:
- name: Open LUKS device
community.crypto.luks_device:
device: "{{ partitioning_luks_device }}"
state: opened
name: "{{ partitioning_luks_mapper_name }}"
passphrase: "{{ partitioning_luks_passphrase_effective }}"
allow_discards: "{{ 'discard' in (partitioning_luks_options | default('') | lower) }}"
register: partitioning_luks_open_result
no_log: true
rescue:
- name: Force-close stale LUKS mapper
community.crypto.luks_device:
name: "{{ partitioning_luks_mapper_name }}"
state: closed
failed_when: false
- name: Force-remove stale LUKS mapper device
ansible.builtin.command: >-
dmsetup remove --force --retry {{ partitioning_luks_mapper_name }}
register: partitioning_dmsetup_remove_retry
changed_when: partitioning_dmsetup_remove_retry.rc == 0
failed_when: false
- name: Settle udev after removing stale LUKS mapper
ansible.builtin.command: udevadm settle
changed_when: false
failed_when: false
- name: Retry opening LUKS device
community.crypto.luks_device:
device: "{{ partitioning_luks_device }}"
state: opened
name: "{{ partitioning_luks_mapper_name }}"
passphrase: "{{ partitioning_luks_passphrase_effective }}"
allow_discards: "{{ 'discard' in (partitioning_luks_options | default('') | lower) }}"
register: partitioning_luks_open_retry
no_log: true
- name: Get LUKS UUID
ansible.builtin.command: "cryptsetup luksUUID {{ partitioning_luks_device }}"
register: partitioning_luks_uuid_result
changed_when: false
- name: Store LUKS UUID
ansible.builtin.set_fact:
partitioning_luks_uuid: "{{ partitioning_luks_uuid_result.stdout | trim }}"
- name: Create LVM logical volumes - name: Create LVM logical volumes
when: filesystem != 'btrfs' when: filesystem != 'btrfs'
@@ -35,7 +306,7 @@
- name: Create LVM volume group - name: Create LVM volume group
community.general.lvg: community.general.lvg:
vg: sys vg: sys
pvs: "{{ install_drive }}{{ main_partition_suffix }}" pvs: "{{ partitioning_root_device }}"
- name: Create LVM logical volumes - name: Create LVM logical volumes
when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
@@ -47,31 +318,37 @@
loop: loop:
- lv: root - lv: root
size: >- size: >-
{{ [(((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0)) - (((vm_memory | float / 1024) > 16.0) {{ [(((((partitioning_vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0)) - (((partitioning_vm_memory | float / 1024) > 16.0)
| ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) < 4) | ternary(((partitioning_vm_memory | float / 2048) | int), (partitioning_vm_memory | float / 1024)))) < 4)
| ternary(4,((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0)) - | ternary(4,((((partitioning_vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0)) -
(((vm_memory | float / 1024) > 16.0)| ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) > 12) (((partitioning_vm_memory | float / 1024) > 16.0)
| ternary(((vm_size | float) * 0.4) | round(0, 'ceil'),((vm_size | float) - 0.5 - ((cis | bool) | ternary(
| ternary(7.5, 0)) - (((vm_memory | float / 1024) > 16.0) ((partitioning_vm_memory | float / 2048) | int),
| ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024))))))))), 4 ] | max | string + 'G' }} (partitioning_vm_memory | float / 1024)
)))
> 12)
| ternary(((partitioning_vm_size | float) * 0.4) | round(0, 'ceil'),((partitioning_vm_size | float) - 0.5 - ((cis | bool)
| ternary(7.5, 0)) - (((partitioning_vm_memory | float / 1024) > 16.0)
| ternary(((partitioning_vm_memory | float / 2048) | int), (partitioning_vm_memory | float / 1024))))))))), 4 ] | max | string +
'G' }}
- lv: swap - lv: swap
size: >- size: >-
{{ ((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0))) - (((vm_memory | float / 1024) > 16.0) {{ ((((partitioning_vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0))) - (((partitioning_vm_memory | float / 1024) > 16.0)
| ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) < 4) | ternary(((partitioning_vm_memory | float / 2048) | int), (partitioning_vm_memory | float / 1024)))) < 4)
| ternary((((vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0))) - 4), (((vm_memory | float / 1024) > 16.0) | ternary((((partitioning_vm_size | float) - 0.5 - ((cis | bool) | ternary(7.5, 0))) - 4), (((partitioning_vm_memory | float / 1024)
| ternary(((vm_memory | float / 2048) | int), (vm_memory | float / 1024)))) | string + 'G' }} > 16.0)
| ternary(((partitioning_vm_memory | float / 2048) | int), (partitioning_vm_memory | float / 1024)))) | string + 'G' }}
- lv: home - lv: home
size: "{{ ([([(((vm_size | float) - 20) * 0.1), 2] | max), 20] | min) | string + 'G' }}" size: "{{ ([([(((partitioning_vm_size | float) - 20) * 0.1), 2] | max), 20] | min) | string + 'G' }}"
- {lv: var, size: "2G"}
- { lv: var, size: "2G" } - {lv: var_log, size: "2G"}
- { lv: var_log, size: "2G" } - {lv: var_log_audit, size: "1.5G"}
- { lv: var_log_audit, size: "1.5G" }
- name: Create filesystems - name: Create filesystems
block: block:
- name: Create FAT32 filesystem in boot partition - name: Create FAT32 filesystem in boot partition
community.general.filesystem: community.general.filesystem:
dev: "{{ install_drive }}{{ boot_partition_suffix }}" dev: "{{ install_drive }}{{ partitioning_boot_partition_suffix }}"
fstype: vfat fstype: vfat
opts: -F32 -n BOOT opts: -F32 -n BOOT
force: true force: true
@@ -86,20 +363,18 @@
ansible.builtin.include_tasks: "{{ filesystem }}.yml" ansible.builtin.include_tasks: "{{ filesystem }}.yml"
- name: Get UUID for boot filesystem - name: Get UUID for boot filesystem
ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ boot_partition_suffix }}' ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ partitioning_boot_partition_suffix }}'
register: partitioning_boot_uuid
changed_when: false changed_when: false
register: boot_uuid
- name: Get UUID for main filesystem - name: Get UUID for main filesystem
ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ main_partition_suffix }}' ansible.builtin.command: blkid -s UUID -o value '{{ partitioning_root_device }}'
register: partitioning_main_uuid
changed_when: false changed_when: false
register: main_uuid
- name: Get UUIDs for LVM filesystems - name: Get UUIDs for LVM filesystems
when: filesystem != 'btrfs' and (cis | bool or item not in ['home', 'var', 'var_log', 'var_log_audit']) when: filesystem != 'btrfs' and (cis | bool or item not in ['home', 'var', 'var_log', 'var_log_audit'])
ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }} ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }}
changed_when: false
register: uuid_result
loop: loop:
- root - root
- swap - swap
@@ -107,72 +382,125 @@
- var - var
- var_log - var_log
- var_log_audit - var_log_audit
register: partitioning_uuid_result
changed_when: false
- name: Assign UUIDs to Variables - name: Assign UUIDs to Variables
when: filesystem != 'btrfs' when: filesystem != 'btrfs'
ansible.builtin.set_fact: ansible.builtin.set_fact:
uuid_root: "{{ uuid_result.results[0].stdout_lines }}" partitioning_uuid_root: "{{ partitioning_uuid_result.results[0].stdout_lines }}"
uuid_swap: "{{ uuid_result.results[1].stdout_lines }}" partitioning_uuid_swap: "{{ partitioning_uuid_result.results[1].stdout_lines }}"
uuid_home: "{{ uuid_result.results[2].stdout_lines if cis | bool else '' }}" partitioning_uuid_home: "{{ partitioning_uuid_result.results[2].stdout_lines if cis | bool else '' }}"
uuid_var: "{{ uuid_result.results[3].stdout_lines if cis | bool else '' }}" partitioning_uuid_var: "{{ partitioning_uuid_result.results[3].stdout_lines if cis | bool else '' }}"
uuid_var_log: "{{ uuid_result.results[4].stdout_lines if cis | bool else '' }}" partitioning_uuid_var_log: "{{ partitioning_uuid_result.results[4].stdout_lines if cis | bool else '' }}"
uuid_var_log_audit: "{{ uuid_result.results[5].stdout_lines if cis | bool else '' }}" partitioning_uuid_var_log_audit: "{{ partitioning_uuid_result.results[5].stdout_lines if cis | bool else '' }}"
- name: Mount filesystems - name: Mount filesystems
block: block:
- name: Mount filesystems and subvolumes - name: Mount filesystems and subvolumes
when: when:
- cis | bool or (not cis and (item.path == '/var/log' and filesystem == 'btrfs') - >-
or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit'])) cis | bool or (
- not (item.path == '/swap' and filesystem != 'btrfs') not cis and (
(filesystem == 'btrfs' and item.path in ['/home', '/var/log', '/var/cache/pacman/pkg'])
or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit', '/var/cache/pacman/pkg'])
)
)
- >-
not (item.path in ['/swap', '/var/cache/pacman/pkg'] and filesystem != 'btrfs')
ansible.posix.mount: ansible.posix.mount:
path: /mnt{{ item.path }} path: /mnt{{ item.path }}
src: "{{ 'UUID=' + (main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}" src: "{{ 'UUID=' + (partitioning_main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}"
fstype: "{{ filesystem }}" fstype: "{{ filesystem }}"
opts: "{{ item.opts }}" opts: "{{ item.opts }}"
state: mounted state: mounted
loop: loop:
- path: "" - path: ""
uuid: "{{ uuid_root[0] | default(omit) }}" uuid: "{{ partitioning_uuid_root[0] | default(omit) }}"
opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}" opts: >-
{{
'defaults'
if filesystem != 'btrfs'
else [
'rw', 'relatime', 'compress=zstd:15', 'ssd', 'space_cache=v2',
'discard=async', 'subvol=@'
] | join(',')
}}
- path: /swap - path: /swap
opts: "rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@swap" opts: >-
{{
[
'rw', 'nosuid', 'nodev', 'relatime', 'compress=zstd:15', 'ssd',
'space_cache=v2', 'discard=async', 'subvol=@swap'
] | join(',')
}}
- path: /home - path: /home
uuid: "{{ uuid_home[0] | default(omit) }}" uuid: "{{ partitioning_uuid_home[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' opts: >-
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}" {{
'defaults,nosuid,nodev'
if filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'relatime', 'compress=zstd:15', 'ssd',
'space_cache=v2', 'discard=async', 'subvol=@home'
] | join(',')
}}
- path: /var - path: /var
uuid: "{{ uuid_var[0] | default(omit) }}" uuid: "{{ partitioning_uuid_var[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' opts: >-
else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}" {{
'defaults,nosuid,nodev'
if filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'relatime', 'compress=zstd:15', 'ssd',
'space_cache=v2', 'discard=async', 'subvol=@var'
] | join(',')
}}
- path: /var/log - path: /var/log
uuid: "{{ uuid_var_log[0] | default(omit) }}" uuid: "{{ partitioning_uuid_var_log[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' opts: >-
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}" {{
'defaults,nosuid,nodev,noexec'
if filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'noexec', 'relatime', 'compress=zstd:15',
'ssd', 'space_cache=v2', 'discard=async', 'subvol=@var_log'
] | join(',')
}}
- path: /var/cache/pacman/pkg
uuid: "{{ partitioning_uuid_root | default([]) | first | default(omit) }}"
opts: >-
{{
'defaults,nosuid,nodev,noexec'
if filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'noexec', 'relatime', 'compress=zstd:15',
'ssd', 'space_cache=v2', 'discard=async', 'subvol=@pkg'
] | join(',')
}}
- path: /var/log/audit - path: /var/log/audit
uuid: "{{ uuid_var_log_audit[0] | default(omit) }}" uuid: "{{ partitioning_uuid_var_log_audit[0] | default(omit) }}"
opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' opts: >-
else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}" {{
'defaults,nosuid,nodev,noexec'
- name: Mount tmp and var_tmp filesystems if filesystem != 'btrfs'
ansible.posix.mount: else [
path: /mnt{{ item.path }} 'rw', 'nosuid', 'nodev', 'noexec', 'relatime', 'compress=zstd:15',
src: tmpfs 'ssd', 'space_cache=v2', 'discard=async', 'subvol=@var_log_audit'
fstype: tmpfs ] | join(',')
opts: defaults,nosuid,nodev,noexec }}
state: mounted
loop:
- { path: /tmp }
- { path: /var/tmp }
- name: Mount boot filesystem - name: Mount boot filesystem
ansible.posix.mount: ansible.posix.mount:
path: "{{ '/mnt/boot/efi' if os | lower in ['rhel8', 'ubuntu', 'ubuntu-lts'] else '/mnt/boot' }}" path: "{{ '/mnt/boot/efi' if os | lower in ['rhel8', 'ubuntu', 'ubuntu-lts'] else '/mnt/boot' }}"
src: UUID={{ boot_uuid.stdout }} src: UUID={{ partitioning_boot_uuid.stdout }}
fstype: vfat fstype: vfat
state: mounted state: mounted
- name: Activate swap - name: Activate swap
ansible.builtin.command: "{{ 'swapon /mnt/swap/swapfile' if filesystem == 'btrfs' else 'swapon -U ' + uuid_swap[0] }}" vars:
changed_when: result.rc == 0 partitioning_swap_cmd: >-
register: result {{ 'swapon /mnt/swap/swapfile' if filesystem == 'btrfs' else 'swapon -U ' + partitioning_uuid_swap[0] }}
ansible.builtin.command: "{{ partitioning_swap_cmd }}"
register: partitioning_swap_activate_result
changed_when: partitioning_swap_activate_result.rc == 0

10
roles/partitioning/tasks/xfs.yml
View File

@@ -6,8 +6,8 @@
fstype: xfs fstype: xfs
force: true force: true
loop: loop:
- { lv: root } - {lv: root}
- { lv: home } - {lv: home}
- { lv: var } - {lv: var}
- { lv: var_log } - {lv: var_log}
- { lv: var_log_audit } - {lv: var_log_audit}