refactor(schema): rename nested dict keys and simplify validation

2026-02-11 05:37:18 +01:00
parent e2a42771ab
commit 636656214b
11 changed files with 80 additions and 133 deletions
--- a/roles/global_defaults/tasks/system.yml
+++ b/roles/global_defaults/tasks/system.yml
@@ -11,17 +11,6 @@
    fail_msg: "system must be a dictionary"
    quiet: true

- name: Reject deprecated top-level system selectors
-  ansible.builtin.assert:
-    that:
-      - os is not defined
-      - os_version is not defined
-      - hostname is not defined
-    fail_msg: >-
-      Top-level `os`, `os_version`, and `hostname` are not supported.
-      Define these values under `system` (`system.os`, `system.os_version`, `system.name`).
-    quiet: true
-
 - name: Build normalized system configuration
  vars:
    system_raw: "{{ system_defaults | combine(system, recursive=True) }}"
@@ -41,6 +30,7 @@
    system_user_raw: "{{ system_raw.user if system_raw.user is mapping else {} }}"
    system_root_raw: "{{ system_raw.root if system_raw.root is mapping else {} }}"
    system_luks_raw: "{{ system_raw.luks if system_raw.luks is mapping else {} }}"
+    system_luks_tpm2_raw: "{{ system_luks_raw.tpm2 if system_luks_raw.tpm2 is mapping else {} }}"
    system_features_raw: "{{ system_raw.features if system_raw.features is mapping else {} }}"

    system_feature_cis_raw: >-
@@ -97,7 +87,7 @@
    system_cfg:
      type: "{{ system_type }}"
      os: "{{ system_os_input if system_os_input | length > 0 else ('archlinux' if system_type == 'physical' else '') }}"
-      os_version: "{{ system_raw.os_version | default('') | string }}"
+      version: "{{ system_raw.version | default('') | string }}"
      name: "{{ system_name }}"
      id: "{{ system_raw.id | default('') | string }}"
      cpus: "{{ [system_raw.cpus | default(0) | int, 0] | max }}"
@@ -152,27 +142,28 @@
      user:
        name: "{{ system_user_raw.name | default('') | string }}"
        password: "{{ system_user_raw.password | default('') | string }}"
-        public_key: "{{ system_user_raw.public_key | default('') | string }}"
+        key: "{{ system_user_raw.key | default('') | string }}"
      root:
        password: "{{ system_root_raw.password | default('') | string }}"
      luks:
        enabled: "{{ system_luks_raw.enabled | default(system_defaults.luks.enabled) | bool }}"
        passphrase: "{{ system_luks_raw.passphrase | default(system_defaults.luks.passphrase) | string }}"
-        mapper_name: "{{ system_luks_raw.mapper_name | default(system_defaults.luks.mapper_name) | string }}"
-        auto_decrypt: "{{ system_luks_raw.auto_decrypt | default(system_defaults.luks.auto_decrypt) | bool }}"
-        auto_decrypt_method: "{{ system_luks_raw.auto_decrypt_method | default(system_defaults.luks.auto_decrypt_method) | string | lower }}"
-        tpm2_device: "{{ system_luks_raw.tpm2_device | default(system_defaults.luks.tpm2_device) | string }}"
-        tpm2_pcrs: "{{ system_luks_raw.tpm2_pcrs | default(system_defaults.luks.tpm2_pcrs) | string }}"
-        keyfile_size: "{{ system_luks_raw.keyfile_size | default(system_defaults.luks.keyfile_size) | int }}"
+        mapper: "{{ system_luks_raw.mapper | default(system_defaults.luks.mapper) | string }}"
+        auto: "{{ system_luks_raw.auto | default(system_defaults.luks.auto) | bool }}"
+        method: "{{ system_luks_raw.method | default(system_defaults.luks.method) | string | lower }}"
+        tpm2:
+          device: "{{ system_luks_tpm2_raw.device | default(system_defaults.luks.tpm2.device) | string }}"
+          pcrs: "{{ system_luks_tpm2_raw.pcrs | default(system_defaults.luks.tpm2.pcrs) | string }}"
+        keysize: "{{ system_luks_raw.keysize | default(system_defaults.luks.keysize) | int }}"
        options: "{{ system_luks_raw.options | default(system_defaults.luks.options) | string }}"
        type: "{{ system_luks_raw.type | default(system_defaults.luks.type) | string }}"
        cipher: "{{ system_luks_raw.cipher | default(system_defaults.luks.cipher) | string }}"
        hash: "{{ system_luks_raw.hash | default(system_defaults.luks.hash) | string }}"
-        iter_time: "{{ system_luks_raw.iter_time | default(system_defaults.luks.iter_time) | int }}"
-        key_size: "{{ system_luks_raw.key_size | default(system_defaults.luks.key_size) | int }}"
+        iter: "{{ system_luks_raw.iter | default(system_defaults.luks.iter) | int }}"
+        bits: "{{ system_luks_raw.bits | default(system_defaults.luks.bits) | int }}"
        pbkdf: "{{ system_luks_raw.pbkdf | default(system_defaults.luks.pbkdf) | string }}"
-        use_urandom: "{{ system_luks_raw.use_urandom | default(system_defaults.luks.use_urandom) | bool }}"
-        verify_passphrase: "{{ system_luks_raw.verify_passphrase | default(system_defaults.luks.verify_passphrase) | bool }}"
+        urandom: "{{ system_luks_raw.urandom | default(system_defaults.luks.urandom) | bool }}"
+        verify: "{{ system_luks_raw.verify | default(system_defaults.luks.verify) | bool }}"
      features:
        cis:
          enabled: "{{ system_feature_cis_raw.enabled | default(system_defaults.features.cis.enabled) | bool }}"
@@ -195,7 +186,7 @@
          tool: "{{ system_feature_chroot_raw.tool | default(system_defaults.features.chroot.tool) | string }}"
    hostname: "{{ system_name }}"
    os: "{{ system_os_input if system_os_input | length > 0 else ('archlinux' if system_type == 'physical' else '') }}"
-    os_version: "{{ system_raw.os_version | default('') | string }}"
+    os_version: "{{ system_raw.version | default('') | string }}"
  changed_when: false

 - name: Normalize system disks input