sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

refactor(schema): simplify dict normalization and schema checks

Browse Source
This commit is contained in:
Sandwich
2026-02-11 05:37:18 +01:00
parent aac2bd0b06
commit 5326907ae9
4 changed files with 207 additions and 269 deletions
Download Patch File Download Diff File Expand all files Collapse all files

285
roles/global_defaults/tasks/validation.yml
View File

@@ -28,17 +28,7 @@
- name: Validate hypervisor schema
vars:
hypervisor_allowed_keys:
- type
- url
- username
- password
- host
- storage
- datacenter
- cluster
- certs
- ssh
hypervisor_allowed_keys: "{{ hypervisor_defaults | dict2items | map(attribute='key') | list }}"
hypervisor_keys: "{{ (hypervisor | default({})) | dict2items | map(attribute='key') | list }}"
hypervisor_unknown_keys: "{{ hypervisor_keys | difference(hypervisor_allowed_keys) }}"
ansible.builtin.assert:
@@ -49,192 +39,129 @@
- name: Validate system schema
vars:
system_allowed_keys:
- type
- os
- version
- name
- id
- cpus
- memory
- balloon
- network
- vlan
- ip
- prefix
- gateway
- dns
- path
- packages
- disks
- user
- root
- luks
- features
system_allowed_keys: "{{ system_defaults | dict2items | map(attribute='key') | list }}"
system_keys: "{{ (system | default({})) | dict2items | map(attribute='key') | list }}"
system_unknown_keys: "{{ system_keys | difference(system_allowed_keys) }}"
ansible.builtin.assert:
that:
- system_unknown_keys | length == 0
fail_msg: "Unsupported system keys: {{ system_unknown_keys | join(', ') }}"
fail_msg: "Unsupported system keys: {{ system_unknown_keys | join(', ') }}."
quiet: true
- name: Validate nested system schema
- name: Validate nested system mappings
loop:
- dns
- user
- root
- luks
- features
loop_control:
label: "{{ item }}"
ansible.builtin.assert:
that:
- system[item] is not defined or system[item] is mapping
fail_msg: "system.{{ item }} must be a dictionary."
quiet: true
- name: Validate system.dns schema
vars:
dns_allowed_keys: [servers, search]
user_allowed_keys: [name, password, key]
root_allowed_keys: [password]
luks_allowed_keys:
- enabled
- passphrase
- mapper
- auto
- method
- tpm2
- keysize
- options
- type
- cipher
- hash
- iter
- bits
- pbkdf
- urandom
- verify
features_allowed_keys:
- cis
- selinux
- firewall
- ssh
- zstd
- swap
- banner
- chroot
feature_leaf_allowed:
cis: [enabled]
selinux: [enabled]
firewall: [enabled, backend, toolkit]
ssh: [enabled]
zstd: [enabled]
swap: [enabled]
banner: [motd, sudo]
chroot: [tool]
dns_keys: "{{ (system.dns | default({})) | dict2items | map(attribute='key') | list }}"
user_keys: "{{ (system.user | default({})) | dict2items | map(attribute='key') | list }}"
root_keys: "{{ (system.root | default({})) | dict2items | map(attribute='key') | list }}"
luks_keys: "{{ (system.luks | default({})) | dict2items | map(attribute='key') | list }}"
tpm2_keys: >-
dns_allowed_keys: "{{ system_defaults.dns | dict2items | map(attribute='key') | list }}"
dns_unknown: >-
{{
(
(system.luks if (system.luks is defined and system.luks is mapping) else {}).tpm2
| default({})
) | dict2items | map(attribute='key') | list
((system.dns | default({})) | dict2items | map(attribute='key') | list)
| difference(dns_allowed_keys)
}}
tpm2_allowed_keys: [device, pcrs]
features_keys: "{{ (system.features | default({})) | dict2items | map(attribute='key') | list }}"
dns_unknown: "{{ dns_keys | difference(dns_allowed_keys) }}"
user_unknown: "{{ user_keys | difference(user_allowed_keys) }}"
root_unknown: "{{ root_keys | difference(root_allowed_keys) }}"
luks_unknown: "{{ luks_keys | difference(luks_allowed_keys) }}"
tpm2_unknown: "{{ tpm2_keys | difference(tpm2_allowed_keys) }}"
features_unknown: "{{ features_keys | difference(features_allowed_keys) }}"
ansible.builtin.assert:
that:
- system.dns is not defined or system.dns is mapping
- system.user is not defined or system.user is mapping
- system.root is not defined or system.root is mapping
- system.luks is not defined or system.luks is mapping
- system.luks is not defined or system.luks.tpm2 is not defined or system.luks.tpm2 is mapping
- system.features is not defined or system.features is mapping
- dns_unknown | length == 0
- user_unknown | length == 0
- root_unknown | length == 0
- luks_unknown | length == 0
- tpm2_unknown | length == 0
- features_unknown | length == 0
fail_msg: >-
Invalid nested system schema.
dns_unknown={{ dns_unknown | join(',') }},
user_unknown={{ user_unknown | join(',') }},
root_unknown={{ root_unknown | join(',') }},
luks_unknown={{ luks_unknown | join(',') }},
tpm2_unknown={{ tpm2_unknown | join(',') }},
features_unknown={{ features_unknown | join(',') }}
fail_msg: "Unsupported system.dns keys: {{ dns_unknown | join(', ') }}"
quiet: true
- name: Validate feature leaf schemas
- name: Validate system.user schema
vars:
system_features: "{{ system.features | default({}) }}"
feature_keys: "{{ system_features | dict2items | map(attribute='key') | list }}"
feature_leaf_allowed:
cis: [enabled]
selinux: [enabled]
firewall: [enabled, backend, toolkit]
ssh: [enabled]
zstd: [enabled]
swap: [enabled]
banner: [motd, sudo]
chroot: [tool]
user_allowed_keys: "{{ system_defaults.user | dict2items | map(attribute='key') | list }}"
user_unknown: >-
{{
((system.user | default({})) | dict2items | map(attribute='key') | list)
| difference(user_allowed_keys)
}}
ansible.builtin.assert:
that:
- >-
(
feature_keys
| map('extract', system_features)
| select('mapping')
| list
| length
)
== (feature_keys | length)
- >-
(
(
system_features.cis | default({})
) | dict2items | map(attribute='key') | list | difference(feature_leaf_allowed.cis)
) | length == 0
- >-
(
(
system_features.selinux | default({})
) | dict2items | map(attribute='key') | list | difference(feature_leaf_allowed.selinux)
) | length == 0
- >-
(
(
system_features.firewall | default({})
) | dict2items | map(attribute='key') | list | difference(feature_leaf_allowed.firewall)
) | length == 0
- >-
(
(
system_features.ssh | default({})
) | dict2items | map(attribute='key') | list | difference(feature_leaf_allowed.ssh)
) | length == 0
- >-
(
(
system_features.zstd | default({})
) | dict2items | map(attribute='key') | list | difference(feature_leaf_allowed.zstd)
) | length == 0
- >-
(
(
system_features.swap | default({})
) | dict2items | map(attribute='key') | list | difference(feature_leaf_allowed.swap)
) | length == 0
- >-
(
(
system_features.banner | default({})
) | dict2items | map(attribute='key') | list | difference(feature_leaf_allowed.banner)
) | length == 0
- >-
(
(
system_features.chroot | default({})
) | dict2items | map(attribute='key') | list | difference(feature_leaf_allowed.chroot)
) | length == 0
fail_msg: "Invalid system.features schema detected."
- user_unknown | length == 0
fail_msg: "Unsupported system.user keys: {{ user_unknown | join(', ') }}"
quiet: true
- name: Validate system.root schema
vars:
root_allowed_keys: "{{ system_defaults.root | dict2items | map(attribute='key') | list }}"
root_unknown: >-
{{
((system.root | default({})) | dict2items | map(attribute='key') | list)
| difference(root_allowed_keys)
}}
ansible.builtin.assert:
that:
- root_unknown | length == 0
fail_msg: "Unsupported system.root keys: {{ root_unknown | join(', ') }}"
quiet: true
- name: Validate system.luks schema
vars:
luks_allowed_keys: "{{ system_defaults.luks | dict2items | map(attribute='key') | list }}"
luks_unknown: >-
{{
((system.luks | default({})) | dict2items | map(attribute='key') | list)
| difference(luks_allowed_keys)
}}
ansible.builtin.assert:
that:
- luks_unknown | length == 0
fail_msg: "Unsupported system.luks keys: {{ luks_unknown | join(', ') }}"
quiet: true
- name: Validate system.luks.tpm2 schema
vars:
tpm2_input: >-
{{
(system.luks if (system.luks is defined and system.luks is mapping) else {}).tpm2
| default({})
}}
tpm2_allowed_keys: "{{ system_defaults.luks.tpm2 | dict2items | map(attribute='key') | list }}"
tpm2_unknown: "{{ (tpm2_input | dict2items | map(attribute='key') | list) | difference(tpm2_allowed_keys) }}"
ansible.builtin.assert:
that:
- system.luks is not defined or system.luks.tpm2 is not defined or system.luks.tpm2 is mapping
- tpm2_unknown | length == 0
fail_msg: "Unsupported system.luks.tpm2 keys: {{ tpm2_unknown | join(', ') }}"
quiet: true
- name: Validate system.features schema
vars:
features_allowed_keys: "{{ system_defaults.features | dict2items | map(attribute='key') | list }}"
features_unknown: >-
{{
((system.features | default({})) | dict2items | map(attribute='key') | list)
| difference(features_allowed_keys)
}}
ansible.builtin.assert:
that:
- features_unknown | length == 0
fail_msg: "Unsupported system.features keys: {{ features_unknown | join(', ') }}"
quiet: true
- name: Validate system.features leaf schemas
loop: "{{ system_defaults.features | dict2items }}"
loop_control:
label: "system.features.{{ item.key }}"
vars:
feature_input: "{{ (system.features | default({}))[item.key] | default({}) }}"
feature_allowed_keys: "{{ item.value | dict2items | map(attribute='key') | list }}"
feature_unknown: "{{ (feature_input | dict2items | map(attribute='key') | list) | difference(feature_allowed_keys) }}"
ansible.builtin.assert:
that:
- feature_input is mapping
- feature_unknown | length == 0
fail_msg: "Unsupported system.features.{{ item.key }} keys: {{ feature_unknown | join(', ') }}"
quiet: true
- name: Validate OS and version inputs