diff --git a/main.yml b/main.yml index 6c4a8fb..cd61359 100644 --- a/main.yml +++ b/main.yml @@ -10,7 +10,7 @@ What is your username? private: false - - name: system_user_public_key + - name: system_user_key prompt: | What is your ssh key? private: false @@ -40,9 +40,9 @@ 'name': ( (system_user_input.name | default('') | string | length) > 0 ) | ternary(system_user_input.name | string, system_user_name | default('') | string), - 'public_key': ( - (system_user_input.public_key | default('') | string | length) > 0 - ) | ternary(system_user_input.public_key | string, system_user_public_key | default('') | string), + 'key': ( + (system_user_input.key | default('') | string | length) > 0 + ) | ternary(system_user_input.key | string, system_user_key | default('') | string), 'password': ( (system_user_input.password | default('') | string | length) > 0 ) | ternary(system_user_input.password | string, system_user_password | default('') | string) diff --git a/roles/cleanup/tasks/virtual.yml b/roles/cleanup/tasks/virtual.yml index 9f0f093..557c289 100644 --- a/roles/cleanup/tasks/virtual.yml +++ b/roles/cleanup/tasks/virtual.yml @@ -145,7 +145,7 @@ hostname: "{{ hypervisor_cfg.url }}" username: "{{ hypervisor_cfg.username }}" password: "{{ hypervisor_cfg.password }}" - validate_certs: "{{ hypervisor_cfg.validate_certs | bool }}" + validate_certs: "{{ hypervisor_cfg.certs | bool }}" name: "{{ hostname }}" folder: "{{ system_cfg.path | default('/') }}" state: poweredoff @@ -160,7 +160,7 @@ hostname: "{{ hypervisor_cfg.url }}" username: "{{ hypervisor_cfg.username }}" password: "{{ hypervisor_cfg.password }}" - validate_certs: "{{ hypervisor_cfg.validate_certs | bool }}" + validate_certs: "{{ hypervisor_cfg.certs | bool }}" name: "{{ hostname }}" folder: "{{ system_cfg.path | default('/') }}" state: absent diff --git a/roles/cleanup/tasks/vmware.yml b/roles/cleanup/tasks/vmware.yml index bdf3172..e3862dc 100644 --- a/roles/cleanup/tasks/vmware.yml 
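Review bot: Renaming the prompt variable to `system_user_key` and the dictionary entry to `'key'` (both main.yml hunks) drops the only signal that the value has to be an SSH public key, while roles/configuration/tasks/users.yml writes it verbatim into authorized_keys as `line: "{{ system_cfg.user.key }}"`. A user who pastes a private key at the prompt now gets it copied onto the installed system with nothing flagging the mistake. Suggest making the prompt text explicit, `What is your SSH public key (one authorized_keys line)?`, and adding one guard to the nested-schema assert in roles/global_defaults/tasks/validation.yml, `- system.user.key is not defined or system.user.key is not search('PRIVATE KEY')`. The second main.yml hunk sits inside a larger expression whose start and end are outside the hunk.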
+++ b/roles/cleanup/tasks/vmware.yml @@ -10,7 +10,7 @@ hostname: "{{ hypervisor_cfg.url }}" username: "{{ hypervisor_cfg.username }}" password: "{{ hypervisor_cfg.password }}" - validate_certs: "{{ hypervisor_cfg.validate_certs | bool }}" + validate_certs: "{{ hypervisor_cfg.certs | bool }}" datacenter: "{{ hypervisor_cfg.datacenter }}" name: "{{ hostname }}" cdrom: @@ -34,7 +34,7 @@ hostname: "{{ hypervisor_cfg.url }}" username: "{{ hypervisor_cfg.username }}" password: "{{ hypervisor_cfg.password }}" - validate_certs: "{{ hypervisor_cfg.validate_certs | bool }}" + validate_certs: "{{ hypervisor_cfg.certs | bool }}" datacenter: "{{ hypervisor_cfg.datacenter }}" name: "{{ hostname }}" state: powered-on diff --git a/roles/configuration/tasks/fstab.yml b/roles/configuration/tasks/fstab.yml index d0c1ba8..bf67b50 100644 --- a/roles/configuration/tasks/fstab.yml +++ b/roles/configuration/tasks/fstab.yml @@ -16,7 +16,7 @@ group: root mode: "0644" -- name: Remove deprecated attr2 and disable large extent +- name: Adjust XFS mount options and disable large extent when: os in ["almalinux", "rocky", "rhel"] and filesystem == "xfs" ansible.builtin.replace: path: /mnt/etc/fstab diff --git a/roles/configuration/tasks/users.yml b/roles/configuration/tasks/users.yml index 24f0066..b2faef7 100644 --- a/roles/configuration/tasks/users.yml +++ b/roles/configuration/tasks/users.yml @@ -18,7 +18,7 @@ changed_when: configuration_user_result.rc == 0 - name: Ensure .ssh directory exists - when: system_cfg.user.public_key | length > 0 + when: system_cfg.user.key | length > 0 ansible.builtin.file: path: /mnt/home/{{ system_cfg.user.name }}/.ssh state: directory 
@@ -27,10 +27,10 @@ mode: "0700" - name: Add SSH public key to authorized_keys - when: system_cfg.user.public_key | length > 0 + when: system_cfg.user.key | length > 0 ansible.builtin.lineinfile: path: /mnt/home/{{ system_cfg.user.name }}/.ssh/authorized_keys - line: "{{ system_cfg.user.public_key }}" + line: "{{ system_cfg.user.key }}" owner: 1000 group: 1000 mode: "0600" diff --git a/roles/global_defaults/defaults/main.yml b/roles/global_defaults/defaults/main.yml index 61c2686..1636f47 100644 --- a/roles/global_defaults/defaults/main.yml +++ b/roles/global_defaults/defaults/main.yml @@ -11,7 +11,7 @@ hypervisor_defaults: storage: "" datacenter: "" cluster: "" - validate_certs: false + certs: false ssh: false custom_iso: false @@ -20,7 +20,7 @@ thirdparty_preparation_tasks_path: "dropins/preparation.yml" system_defaults: type: "virtual" # virtual|physical os: "" - os_version: "" + version: "" name: "" id: "" cpus: 0 @@ -40,27 +40,28 @@ system_defaults: user: name: "" password: "" - public_key: "" + key: "" root: password: "" luks: enabled: false passphrase: "" - mapper_name: "SYSTEM_DECRYPTED" - auto_decrypt: true - auto_decrypt_method: "tpm2" - tpm2_device: "auto" - tpm2_pcrs: "" - keyfile_size: 64 + mapper: "SYSTEM_DECRYPTED" + auto: true + method: "tpm2" + tpm2: + device: "auto" + pcrs: "" + keysize: 64 options: "discard,tries=3" type: "luks2" cipher: "aes-xts-plain64" hash: "sha512" - iter_time: 4000 - key_size: 512 + iter: 4000 + bits: 512 pbkdf: "argon2id" - use_urandom: true - verify_passphrase: true + urandom: true + verify: true features: cis: enabled: false diff --git a/roles/global_defaults/tasks/system.yml b/roles/global_defaults/tasks/system.yml index 42aff2a..6ab7d8b 100644 --- a/roles/global_defaults/tasks/system.yml +++ b/roles/global_defaults/tasks/system.yml 
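Review bot: `certs: false` in hypervisor_defaults is now the switch that feeds `validate_certs` in roles/cleanup, roles/system_check and roles/virtualization, and the new name no longer says that false disables TLS certificate verification of the hypervisor endpoint, the same connection that carries `hypervisor_cfg.password`. The previous name carried that meaning; after the rename a reader may take `certs: false` to mean "no client certificates". Suggest keeping the semantics visible at the definition, `certs: false  # verify the hypervisor's TLS certificate (passed to validate_certs); false accepts any certificate`, and consider whether true is the safer default now that the option is being reworked.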
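Review bot: The new luks key names drop the units that told the two sizes apart: `keysize: 64` is the keyfile length (it becomes `partitioning_luks_keyfile_size`) while `bits: 512` is the cipher key size in bits (it becomes `partitioning_luks_key_size`), and `iter: 4000` is a PBKDF time budget rather than an iteration count (it becomes `partitioning_luks_iter_time`, presumably passed to cryptsetup's millisecond-valued --iter-time). Only roles/partitioning/defaults/main.yml still records those meanings, and a user editing this file has no hint that swapping `keysize` and `bits` changes the cipher strength. Suggest inline comments on the three defaults, e.g. `bits: 512  # cipher key size in bits for aes-xts-plain64`, `keysize: 64  # keyfile length in bytes`, `iter: 4000  # PBKDF time budget, not an iteration count`; the same applies to the system_cfg mirror in roles/global_defaults/tasks/system.yml.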
@@ -11,17 +11,6 @@ fail_msg: "system must be a dictionary" quiet: true -- name: Reject deprecated top-level system selectors - ansible.builtin.assert: - that: - - os is not defined - - os_version is not defined - - hostname is not defined - fail_msg: >- - Top-level `os`, `os_version`, and `hostname` are not supported. - Define these values under `system` (`system.os`, `system.os_version`, `system.name`). - quiet: true - - name: Build normalized system configuration vars: system_raw: "{{ system_defaults | combine(system, recursive=True) }}" @@ -41,6 +30,7 @@ system_user_raw: "{{ system_raw.user if system_raw.user is mapping else {} }}" system_root_raw: "{{ system_raw.root if system_raw.root is mapping else {} }}" system_luks_raw: "{{ system_raw.luks if system_raw.luks is mapping else {} }}" + system_luks_tpm2_raw: "{{ system_luks_raw.tpm2 if system_luks_raw.tpm2 is mapping else {} }}" system_features_raw: "{{ system_raw.features if system_raw.features is mapping else {} }}" system_feature_cis_raw: >- @@ -97,7 +87,7 @@ system_cfg: type: "{{ system_type }}" os: "{{ system_os_input if system_os_input | length > 0 else ('archlinux' if system_type == 'physical' else '') }}" - os_version: "{{ system_raw.os_version | default('') | string }}" + version: "{{ system_raw.version | default('') | string }}" name: "{{ system_name }}" id: "{{ system_raw.id | default('') | string }}" cpus: "{{ [system_raw.cpus | default(0) | int, 0] | max }}" 
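Review bot: Dropping the "Reject deprecated top-level system selectors" assert here, together with the "Reject deprecated top-level input keys" assert removed in roles/global_defaults/tasks/validation.yml (@@ -79), means an inventory that still sets `os_version`, `luks_enabled`, `luks_passphrase`, `user_public_key` or `hypervisor_validate_certs` at top level is no longer rejected; unless those keys are honored somewhere outside this diff, they are now silently ignored and the defaults (`luks.enabled: false`, empty `user.key`, `certs: false`) win. That turns a config-migration mistake into a host installed without disk encryption or without the intended SSH key, with a green playbook run. Suggest keeping one assert that lists the keys this commit renames plus the former deprecated list; the three selectors `os`, `os_version` and `hostname` are also set as facts in the @@ -195 hunk of this file, so such a check only works if it runs before "Build normalized system configuration", which may be why the original was dropped. A sketch, without the three selectors, follows.
```yaml
- name: Reject removed top-level input keys
  vars:
    removed_input_keys:
      - user_public_key
      - luks_enabled
      - luks_passphrase
      - luks_mapper_name
      - luks_auto_decrypt
      - hypervisor_validate_certs
      # … remaining entries of the former deprecated_input_keys list …
    removed_input_keys_present: "{{ hostvars[inventory_hostname] | dict2items | map(attribute='key') | list | intersect(removed_input_keys) }}"
  ansible.builtin.assert:
    that:
      - removed_input_keys_present | length == 0
    fail_msg: >-
      Unsupported top-level keys found: {{ removed_input_keys_present | join(', ') }}.
      These are ignored; define the values under `system` or `hypervisor` (see README.md).
    quiet: true
```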
@@ -152,27 +142,28 @@ user: name: "{{ system_user_raw.name | default('') | string }}" password: "{{ system_user_raw.password | default('') | string }}" - public_key: "{{ system_user_raw.public_key | default('') | string }}" + key: "{{ system_user_raw.key | default('') | string }}" root: password: "{{ system_root_raw.password | default('') | string }}" luks: enabled: "{{ system_luks_raw.enabled | default(system_defaults.luks.enabled) | bool }}" passphrase: "{{ system_luks_raw.passphrase | default(system_defaults.luks.passphrase) | string }}" - mapper_name: "{{ system_luks_raw.mapper_name | default(system_defaults.luks.mapper_name) | string }}" - auto_decrypt: "{{ system_luks_raw.auto_decrypt | default(system_defaults.luks.auto_decrypt) | bool }}" - auto_decrypt_method: "{{ system_luks_raw.auto_decrypt_method | default(system_defaults.luks.auto_decrypt_method) | string | lower }}" - tpm2_device: "{{ system_luks_raw.tpm2_device | default(system_defaults.luks.tpm2_device) | string }}" - tpm2_pcrs: "{{ system_luks_raw.tpm2_pcrs | default(system_defaults.luks.tpm2_pcrs) | string }}" - keyfile_size: "{{ system_luks_raw.keyfile_size | default(system_defaults.luks.keyfile_size) | int }}" + mapper: "{{ system_luks_raw.mapper | default(system_defaults.luks.mapper) | string }}" + auto: "{{ system_luks_raw.auto | default(system_defaults.luks.auto) | bool }}" + method: "{{ system_luks_raw.method | default(system_defaults.luks.method) | string | lower }}" + tpm2: + device: "{{ system_luks_tpm2_raw.device | default(system_defaults.luks.tpm2.device) | string }}" + pcrs: "{{ system_luks_tpm2_raw.pcrs | default(system_defaults.luks.tpm2.pcrs) | string }}" + keysize: "{{ system_luks_raw.keysize | default(system_defaults.luks.keysize) | int }}" options: "{{ system_luks_raw.options | default(system_defaults.luks.options) | string }}" type: "{{ system_luks_raw.type | default(system_defaults.luks.type) | string }}" cipher: "{{ system_luks_raw.cipher | default(system_defaults.luks.cipher) 
| string }}" hash: "{{ system_luks_raw.hash | default(system_defaults.luks.hash) | string }}" - iter_time: "{{ system_luks_raw.iter_time | default(system_defaults.luks.iter_time) | int }}" - key_size: "{{ system_luks_raw.key_size | default(system_defaults.luks.key_size) | int }}" + iter: "{{ system_luks_raw.iter | default(system_defaults.luks.iter) | int }}" + bits: "{{ system_luks_raw.bits | default(system_defaults.luks.bits) | int }}" pbkdf: "{{ system_luks_raw.pbkdf | default(system_defaults.luks.pbkdf) | string }}" - use_urandom: "{{ system_luks_raw.use_urandom | default(system_defaults.luks.use_urandom) | bool }}" - verify_passphrase: "{{ system_luks_raw.verify_passphrase | default(system_defaults.luks.verify_passphrase) | bool }}" + urandom: "{{ system_luks_raw.urandom | default(system_defaults.luks.urandom) | bool }}" + verify: "{{ system_luks_raw.verify | default(system_defaults.luks.verify) | bool }}" features: cis: enabled: "{{ system_feature_cis_raw.enabled | default(system_defaults.features.cis.enabled) | bool }}" @@ -195,7 +186,7 @@ tool: "{{ system_feature_chroot_raw.tool | default(system_defaults.features.chroot.tool) | string }}" hostname: "{{ system_name }}" os: "{{ system_os_input if system_os_input | length > 0 else ('archlinux' if system_type == 'physical' else '') }}" - os_version: "{{ system_raw.os_version | default('') | string }}" + os_version: "{{ system_raw.version | default('') | string }}" changed_when: false - name: Normalize system disks input diff --git a/roles/global_defaults/tasks/validation.yml b/roles/global_defaults/tasks/validation.yml index 04f114f..1d5a3f4 100644 --- a/roles/global_defaults/tasks/validation.yml +++ b/roles/global_defaults/tasks/validation.yml @@ -37,7 +37,7 @@ - storage - datacenter - cluster - - validate_certs + - certs - ssh hypervisor_keys: "{{ (hypervisor | default({})) | dict2items | map(attribute='key') | list }}" hypervisor_unknown_keys: "{{ hypervisor_keys | difference(hypervisor_allowed_keys) }}" 
@@ -52,7 +52,7 @@
 system_allowed_keys:
 - type
 - os
- - os_version
+ - version
 - name
 - id
 - cpus
@@ -79,85 +79,28 @@ fail_msg: "Unsupported system keys: {{ system_unknown_keys | join(', ') }}" quiet: true -- name: Reject deprecated top-level input keys - vars: - deprecated_input_keys: - - install_type - - vm_ip - - vm_id - - vm_name - - vm_cpus - - memory_mb - - balloon_mb - - dns_servers - - dns_search - - extra_packages - - user_name - - user_password - - user_public_key - - root_password - - luks_enabled - - luks_passphrase - - luks_mapper_name - - luks_auto_decrypt - - luks_auto_decrypt_method - - luks_tpm2_device - - luks_tpm2_pcrs - - luks_keyfile_size - - firewall_enabled - - firewall_backend - - firewall_toolkit - - ssh_enabled - - cis - - selinux_enabled - - zstd_enabled - - swap_enabled - - motd_enabled - - sudo_banner_enabled - - chroot_tool - - hypervisor_url - - hypervisor_username - - hypervisor_password - - hypervisor_node - - hypervisor_storage - - hypervisor_datacenter - - hypervisor_cluster - - hypervisor_validate_certs - - hypervisor_ssh - - hypervisor_path - top_level_input_keys: "{{ (hostvars[inventory_hostname] | dict2items | map(attribute='key') | list) }}" - deprecated_input_keys_present: "{{ top_level_input_keys | intersect(deprecated_input_keys) }}" - ansible.builtin.assert: - that: - - deprecated_input_keys_present | length == 0 - fail_msg: >- - Unsupported top-level keys found: {{ deprecated_input_keys_present | join(', ') }}. - Use only the `system` and `hypervisor` dictionaries for runtime configuration. 
- quiet: true - - name: Validate nested system schema vars: dns_allowed_keys: [servers, search] - user_allowed_keys: [name, password, public_key] + user_allowed_keys: [name, password, key] root_allowed_keys: [password] luks_allowed_keys: - enabled - passphrase - - mapper_name - - auto_decrypt - - auto_decrypt_method - - tpm2_device - - tpm2_pcrs - - keyfile_size + - mapper + - auto + - method + - tpm2 + - keysize - options - type - cipher - hash - - iter_time - - key_size + - iter + - bits - pbkdf - - use_urandom - - verify_passphrase + - urandom + - verify features_allowed_keys: - cis - selinux @@ -180,11 +123,20 @@ user_keys: "{{ (system.user | default({})) | dict2items | map(attribute='key') | list }}" root_keys: "{{ (system.root | default({})) | dict2items | map(attribute='key') | list }}" luks_keys: "{{ (system.luks | default({})) | dict2items | map(attribute='key') | list }}" + tpm2_keys: >- + {{ + ( + (system.luks if (system.luks is defined and system.luks is mapping) else {}).tpm2 + | default({}) + ) | dict2items | map(attribute='key') | list + }} + tpm2_allowed_keys: [device, pcrs] features_keys: "{{ (system.features | default({})) | dict2items | map(attribute='key') | list }}" dns_unknown: "{{ dns_keys | difference(dns_allowed_keys) }}" user_unknown: "{{ user_keys | difference(user_allowed_keys) }}" root_unknown: "{{ root_keys | difference(root_allowed_keys) }}" luks_unknown: "{{ luks_keys | difference(luks_allowed_keys) }}" + tpm2_unknown: "{{ tpm2_keys | difference(tpm2_allowed_keys) }}" features_unknown: "{{ features_keys | difference(features_allowed_keys) }}" ansible.builtin.assert: that: 
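Review bot: `tpm2_keys` guards `system.luks` with `is mapping` but then applies `| default({}) | dict2items` to `.tpm2` without the same guard, so a scalar such as `tpm2: auto` raises a dict2items template error instead of the "Invalid nested system schema" message; as far as I can tell the error surfaces exactly when the new `system.luks.tpm2 is mapping` condition in the @@ -192 hunk fails, because `fail_msg` renders `tpm2_unknown` at that point. The outer expression already shows the pattern; suggest `(system.luks.tpm2 if (system.luks is defined and system.luks is mapping and system.luks.tpm2 is defined and system.luks.tpm2 is mapping) else {}) | dict2items | map(attribute='key') | list`, which also makes the `default({})` redundant. The task's vars list begins before this hunk.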
@@ -192,11 +144,13 @@ - system.user is not defined or system.user is mapping - system.root is not defined or system.root is mapping - system.luks is not defined or system.luks is mapping + - system.luks is not defined or system.luks.tpm2 is not defined or system.luks.tpm2 is mapping - system.features is not defined or system.features is mapping - dns_unknown | length == 0 - user_unknown | length == 0 - root_unknown | length == 0 - luks_unknown | length == 0 + - tpm2_unknown | length == 0 - features_unknown | length == 0 fail_msg: >- Invalid nested system schema. @@ -204,6 +158,7 @@ user_unknown={{ user_unknown | join(',') }}, root_unknown={{ root_unknown | join(',') }}, luks_unknown={{ luks_unknown | join(',') }}, + tpm2_unknown={{ tpm2_unknown | join(',') }}, features_unknown={{ features_unknown | join(',') }} quiet: true @@ -305,7 +260,7 @@ ) or ( os in ["alpine", "archlinux", "opensuse", "ubuntu", "ubuntu-lts", "void"] ) - fail_msg: "Invalid os/os_version specified. Please check README.md for supported values." + fail_msg: "Invalid os/version specified. Please check README.md for supported values." quiet: true - name: Validate RHEL ISO requirement diff --git a/roles/partitioning/defaults/main.yml b/roles/partitioning/defaults/main.yml index 35828ba..56c3e6f 100644 --- a/roles/partitioning/defaults/main.yml +++ b/roles/partitioning/defaults/main.yml 
@@ -1,20 +1,20 @@
 ---
 partitioning_luks_enabled: "{{ system_cfg.luks.enabled | bool }}"
 partitioning_luks_passphrase: "{{ system_cfg.luks.passphrase }}"
-partitioning_luks_mapper_name: "{{ system_cfg.luks.mapper_name }}"
+partitioning_luks_mapper_name: "{{ system_cfg.luks.mapper }}"
 partitioning_luks_type: "{{ system_cfg.luks.type }}"
 partitioning_luks_cipher: "{{ system_cfg.luks.cipher }}"
 partitioning_luks_hash: "{{ system_cfg.luks.hash }}"
-partitioning_luks_iter_time: "{{ system_cfg.luks.iter_time }}"
-partitioning_luks_key_size: "{{ system_cfg.luks.key_size }}"
+partitioning_luks_iter_time: "{{ system_cfg.luks.iter }}"
+partitioning_luks_key_size: "{{ system_cfg.luks.bits }}"
 partitioning_luks_pbkdf: "{{ system_cfg.luks.pbkdf }}"
-partitioning_luks_use_urandom: "{{ system_cfg.luks.use_urandom | bool }}"
-partitioning_luks_verify_passphrase: "{{ system_cfg.luks.verify_passphrase | bool }}"
-partitioning_luks_auto_decrypt: "{{ system_cfg.luks.auto_decrypt | bool }}"
-partitioning_luks_auto_decrypt_method: "{{ system_cfg.luks.auto_decrypt_method }}"
-partitioning_luks_tpm2_device: "{{ system_cfg.luks.tpm2_device }}"
-partitioning_luks_tpm2_pcrs: "{{ system_cfg.luks.tpm2_pcrs }}"
-partitioning_luks_keyfile_size: "{{ system_cfg.luks.keyfile_size }}"
+partitioning_luks_use_urandom: "{{ system_cfg.luks.urandom | bool }}"
+partitioning_luks_verify_passphrase: "{{ system_cfg.luks.verify | bool }}"
+partitioning_luks_auto_decrypt: "{{ system_cfg.luks.auto | bool }}"
+partitioning_luks_auto_decrypt_method: "{{ system_cfg.luks.method }}"
+partitioning_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"
+partitioning_luks_tpm2_pcrs: "{{ system_cfg.luks.tpm2.pcrs }}"
+partitioning_luks_keyfile_size: "{{ system_cfg.luks.keysize }}"
 partitioning_luks_options: "{{ system_cfg.luks.options }}"
 partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if system_cfg.features.zstd.enabled | bool else '' }}"
 partitioning_boot_partition_suffix: 1
diff --git a/roles/system_check/tasks/main.yml b/roles/system_check/tasks/main.yml
index 46932fc..677e4aa 100644
--- a/roles/system_check/tasks/main.yml
+++ b/roles/system_check/tasks/main.yml
@@ -135,7 +135,7 @@
 hostname: "{{ hypervisor_cfg.url }}"
 username: "{{ hypervisor_cfg.username }}"
 password: "{{ hypervisor_cfg.password }}"
- validate_certs: "{{ hypervisor_cfg.validate_certs | bool }}"
+ validate_certs: "{{ hypervisor_cfg.certs | bool }}"
 datacenter: "{{ hypervisor_cfg.datacenter }}"
 name: "{{ hostname }}"
 folder: "{{ system_cfg.path if system_cfg.path | length > 0 else omit }}"
diff --git a/roles/virtualization/tasks/vmware.yml b/roles/virtualization/tasks/vmware.yml
index a7f1590..01369ac 100644
--- a/roles/virtualization/tasks/vmware.yml
+++ b/roles/virtualization/tasks/vmware.yml
@@ -18,7 +18,7 @@
 hostname: "{{ hypervisor_cfg.url }}"
 username: "{{ hypervisor_cfg.username }}"
 password: "{{ hypervisor_cfg.password }}"
- validate_certs: "{{ hypervisor_cfg.validate_certs | bool }}"
+ validate_certs: "{{ hypervisor_cfg.certs | bool }}"
 datacenter: "{{ hypervisor_cfg.datacenter }}"
 cluster: "{{ hypervisor_cfg.cluster }}"
 folder: "{{ system_cfg.path if system_cfg.path | string | length > 0 else omit }}"
@@ -74,7 +74,7 @@
 hostname: "{{ hypervisor_cfg.url }}"
 username: "{{ hypervisor_cfg.username }}"
 password: "{{ hypervisor_cfg.password }}"
- validate_certs: "{{ hypervisor_cfg.validate_certs | bool }}"
+ validate_certs: "{{ hypervisor_cfg.certs | bool }}"
 datacenter: "{{ hypervisor_cfg.datacenter }}"
 folder: "{{ system_cfg.path if system_cfg.path | string | length > 0 else omit }}"
 name: "{{ hostname }}"
@@ -87,7 +87,7 @@
 hostname: "{{ hypervisor_cfg.url }}"
 username: "{{ hypervisor_cfg.username }}"
 password: "{{ hypervisor_cfg.password }}"
- validate_certs: "{{ hypervisor_cfg.validate_certs | bool }}"
+ validate_certs: "{{ hypervisor_cfg.certs | bool }}"
 datacenter: "{{ hypervisor_cfg.datacenter }}"
 name: "{{ hostname }}"
 state: powered-on