feat(global_defaults): add semantic validations for IP, hostname, LUKS method, and interface prefix

2026-02-22 02:22:05 +01:00
parent 5abdc76c86
commit 5e72394bf8
2 changed files with 42 additions and 1 deletions
--- a/roles/global_defaults/defaults/main.yml
+++ b/roles/global_defaults/defaults/main.yml
@@ -34,6 +34,7 @@ hypervisor_defaults:
  storage: ""
  datacenter: ""
  cluster: ""
  folder: ""
  certs: false
  ssh: false
--- a/roles/global_defaults/tasks/validation.yml
+++ b/roles/global_defaults/tasks/validation.yml
@@ -347,8 +347,48 @@
    that:
      - item is mapping
      - item.bridge is defined and (item.bridge | string | length) > 0
-    fail_msg: "Each system.network.interfaces[] entry must be a dict with at least a 'bridge' key."
+      - >-
        (item.ip | default('') | string | length) == 0
        or (item.prefix | default('') | string | length) > 0
    fail_msg: "Each system.network.interfaces[] entry must have a 'bridge' key and 'prefix' when 'ip' is set."
    quiet: true
  loop: "{{ system_cfg.network.interfaces }}"
  loop_control:
    label: "{{ item | to_json }}"
 - name: Validate hostname format
  ansible.builtin.assert:
    that:
      - hostname is regex("^[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?$")
    fail_msg: "hostname '{{ hostname }}' contains invalid characters. Use only alphanumeric, hyphens, dots, and underscores."
    quiet: true
 - name: Validate IP address format
  when: system_cfg.network.ip is defined and (system_cfg.network.ip | string | length) > 0
  ansible.builtin.assert:
    that:
      - system_cfg.network.ip is regex("^([0-9]{1,3}\\.){3}[0-9]{1,3}$")
    fail_msg: "system.network.ip '{{ system_cfg.network.ip }}' is not a valid IPv4 address."
    quiet: true
 - name: Validate DNS server format
  when:
    - system_cfg.network.dns.servers is defined
    - system_cfg.network.dns.servers | length > 0
  ansible.builtin.assert:
    that:
      - item is regex("^([0-9]{1,3}\\.){3}[0-9]{1,3}$")
    fail_msg: "DNS server '{{ item }}' is not a valid IPv4 address."
    quiet: true
  loop: "{{ system_cfg.network.dns.servers }}"
 - name: Validate LUKS method
  when: system_cfg.luks.enabled | bool
  ansible.builtin.assert:
    that:
      - system_cfg.luks.method in ["tpm2", "keyfile"]
      - >-
        (system_cfg.luks.passphrase | string | length) > 0
    fail_msg: "system.luks.method must be 'tpm2' or 'keyfile', and luks.passphrase must be set when LUKS is enabled."
    quiet: true
  no_log: true