fix(cleanup,config): xen tmp cleanup, tpm2 fallback warning, add code comments

2026-02-22 01:59:01 +01:00
parent dc5aa5077e
commit 4efd64664d
5 changed files with 17 additions and 5 deletions
--- a/roles/cleanup/tasks/xen.yml
+++ b/roles/cleanup/tasks/xen.yml
@@ -11,7 +11,7 @@
      ansible.builtin.set_fact:
        cleanup_xen_disks: "{{ cleanup_xen_disks | default([]) + [cleanup_xen_disk_cfg] }}"
      vars:
-        device_letter_map: "abcdefghijklmnopqrstuvwxyz"
+        device_letter_map: "{{ disk_letter_map }}"
        device_letter: "{{ device_letter_map[ansible_loop.index0] }}"
        cleanup_xen_disk_cfg: >-
          {{
@@ -58,3 +58,8 @@
          - /tmp/xen-{{ hostname }}.cfg
      register: cleanup_xen_start_result
      changed_when: cleanup_xen_start_result.rc == 0
+
+    - name: Remove temporary Xen configuration file
+      ansible.builtin.file:
+        path: /tmp/xen-{{ hostname }}.cfg
+        state: absent
--- a/roles/configuration/tasks/encryption/tpm2.yml
+++ b/roles/configuration/tasks/encryption/tpm2.yml
@@ -80,10 +80,11 @@
          host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }}
  rescue:
    - name: Warn about TPM2 enrollment failure
-      ansible.builtin.debug:
+      ansible.builtin.fail:
        msg: >-
-          TPM2 enrollment failed — falling back to keyfile auto-decrypt.
+          WARNING: TPM2 enrollment failed — falling back to keyfile auto-decrypt.
          The system will use a keyfile instead of TPM2 for automatic LUKS unlock.
+      ignore_errors: true

    - name: Fallback to keyfile auto-decrypt
      ansible.builtin.set_fact:
--- a/roles/configuration/tasks/extras.yml
+++ b/roles/configuration/tasks/extras.yml
@@ -12,6 +12,8 @@
    marker: "# {mark} CUSTOM VIM CONFIG"
  failed_when: false

+# Tuned for VM workloads: low swappiness, aggressive writeback, large page-cluster
+# for zram. Override post-bootstrap via the linux role or sysctl if needed.
 - name: Add memory tuning parameters
  ansible.builtin.blockinfile:
    path: /mnt/etc/sysctl.d/90-memory.conf
@@ -41,7 +43,7 @@
    mode: "0644"

 - name: Copy Custom Shell config
-  ansible.builtin.template:
-    src: custom.sh.j2
+  ansible.builtin.copy:
+    src: custom.sh
    dest: /mnt/etc/profile.d/custom.sh
    mode: "0644"
--- a/roles/configuration/tasks/selinux.yml
+++ b/roles/configuration/tasks/selinux.yml
@@ -11,6 +11,8 @@
      register: configuration_setfiles_result
      changed_when: configuration_setfiles_result.rc == 0

+    # Fedora: setfiles segfaults during bootstrap chroot relabeling, so SELinux
+    # is left permissive and expected to relabel on first boot.
    - name: Disable SELinux
      when: os == "fedora" or not system_cfg.features.selinux.enabled | bool
      ansible.builtin.lineinfile:
--- a/roles/configuration/tasks/ssh.yml
+++ b/roles/configuration/tasks/ssh.yml
@@ -1,4 +1,6 @@
 ---
+# Bootstrap-only: permissive SSH for initial Ansible access.
+# Post-bootstrap hardening (key-only, no root login) is handled by the linux role.
 - name: Ensure SSH password authentication is enabled
  ansible.builtin.lineinfile:
    path: /mnt/etc/ssh/sshd_config