fix: encryption, partitioning, cis and virtualization hardening

2026-05-30 18:05:14 +02:00
parent b1e938b7f0
commit 55b21eae5d
14 changed files with 46 additions and 25 deletions
--- a/roles/partitioning/defaults/main.yml
+++ b/roles/partitioning/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
 partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if system_cfg.features.zstd.enabled | bool else '' }}"
 # Partition separator: 'p' for NVMe/mmcblk (device path ends in digit), empty for SCSI/virtio.
-# Examples: /dev/sda → /dev/sda1, /dev/nvme0n1 → /dev/nvme0n1p1
+# Examples: /dev/sda -> /dev/sda1, /dev/nvme0n1 -> /dev/nvme0n1p1
 partitioning_part_sep: "{{ 'p' if (install_drive | default('') | regex_search('\\d$')) else '' }}"
 partitioning_boot_partition_suffix: 1
 partitioning_main_partition_suffix: 2
--- a/roles/partitioning/tasks/_create_lvm.yml
+++ b/roles/partitioning/tasks/_create_lvm.yml
@@ -4,14 +4,14 @@
 # Sizes are computed from disk_size_gb, memory_mb, and feature flags.
 #
 # Swap sizing:
-#   - RAM >= 16 GB → swap = RAM/2 (in GB)
-#   - RAM <  16 GB → swap = max(RAM_GB, 2)
+#   - RAM >= 16 GB -> swap = RAM/2 (in GB)
+#   - RAM <  16 GB -> swap = max(RAM_GB, 2)
 #   - Capped to: min(target, 4 + max(disk - overhead, 0))
 #   - Further capped to: max available after subtracting reserved + CIS + extent reserve + 4 GB buffer
 #
 # Root sizing:
 #   - Full-disk mode (default): disk - reserved - swap - extent_reserve - (CIS volumes if enabled)
-#   - Partial mode: tiered — <4 GB available → 4 GB, 4-12 GB → all available, >12 GB → 40% of disk
+#   - Partial mode: tiered - <4 GB available -> 4 GB, 4-12 GB -> all available, >12 GB -> 40% of disk
 #
 # CIS volumes (only when CIS enabled):
 #   - /home: max(min(home_raw, home_max), home_min) where home_raw = (disk - overhead) * 10%