refactor(schema): rename nested dict keys and simplify validation

2026-02-11 05:37:18 +01:00
parent e2a42771ab
commit 636656214b
11 changed files with 80 additions and 133 deletions
--- a/roles/global_defaults/tasks/validation.yml
+++ b/roles/global_defaults/tasks/validation.yml
@@ -37,7 +37,7 @@
      - storage
      - datacenter
      - cluster
-      - validate_certs
+      - certs
      - ssh
    hypervisor_keys: "{{ (hypervisor | default({})) | dict2items | map(attribute='key') | list }}"
    hypervisor_unknown_keys: "{{ hypervisor_keys | difference(hypervisor_allowed_keys) }}"
@@ -52,7 +52,7 @@
    system_allowed_keys:
      - type
      - os
-      - os_version
+      - version
      - name
      - id
      - cpus
@@ -79,85 +79,28 @@
    fail_msg: "Unsupported system keys: {{ system_unknown_keys | join(', ') }}"
    quiet: true

- name: Reject deprecated top-level input keys
-  vars:
-    deprecated_input_keys:
-      - install_type
-      - vm_ip
-      - vm_id
-      - vm_name
-      - vm_cpus
-      - memory_mb
-      - balloon_mb
-      - dns_servers
-      - dns_search
-      - extra_packages
-      - user_name
-      - user_password
-      - user_public_key
-      - root_password
-      - luks_enabled
-      - luks_passphrase
-      - luks_mapper_name
-      - luks_auto_decrypt
-      - luks_auto_decrypt_method
-      - luks_tpm2_device
-      - luks_tpm2_pcrs
-      - luks_keyfile_size
-      - firewall_enabled
-      - firewall_backend
-      - firewall_toolkit
-      - ssh_enabled
-      - cis
-      - selinux_enabled
-      - zstd_enabled
-      - swap_enabled
-      - motd_enabled
-      - sudo_banner_enabled
-      - chroot_tool
-      - hypervisor_url
-      - hypervisor_username
-      - hypervisor_password
-      - hypervisor_node
-      - hypervisor_storage
-      - hypervisor_datacenter
-      - hypervisor_cluster
-      - hypervisor_validate_certs
-      - hypervisor_ssh
-      - hypervisor_path
-    top_level_input_keys: "{{ (hostvars[inventory_hostname] | dict2items | map(attribute='key') | list) }}"
-    deprecated_input_keys_present: "{{ top_level_input_keys | intersect(deprecated_input_keys) }}"
-  ansible.builtin.assert:
-    that:
-      - deprecated_input_keys_present | length == 0
-    fail_msg: >-
-      Unsupported top-level keys found: {{ deprecated_input_keys_present | join(', ') }}.
-      Use only the `system` and `hypervisor` dictionaries for runtime configuration.
-    quiet: true
-
 - name: Validate nested system schema
  vars:
    dns_allowed_keys: [servers, search]
-    user_allowed_keys: [name, password, public_key]
+    user_allowed_keys: [name, password, key]
    root_allowed_keys: [password]
    luks_allowed_keys:
      - enabled
      - passphrase
-      - mapper_name
-      - auto_decrypt
-      - auto_decrypt_method
-      - tpm2_device
-      - tpm2_pcrs
-      - keyfile_size
+      - mapper
+      - auto
+      - method
+      - tpm2
+      - keysize
      - options
      - type
      - cipher
      - hash
-      - iter_time
-      - key_size
+      - iter
+      - bits
      - pbkdf
-      - use_urandom
-      - verify_passphrase
+      - urandom
+      - verify
    features_allowed_keys:
      - cis
      - selinux
@@ -180,11 +123,20 @@
    user_keys: "{{ (system.user | default({})) | dict2items | map(attribute='key') | list }}"
    root_keys: "{{ (system.root | default({})) | dict2items | map(attribute='key') | list }}"
    luks_keys: "{{ (system.luks | default({})) | dict2items | map(attribute='key') | list }}"
+    tpm2_keys: >-
+      {{
+        (
+          (system.luks if (system.luks is defined and system.luks is mapping) else {}).tpm2
+          | default({})
+        ) | dict2items | map(attribute='key') | list
+      }}
+    tpm2_allowed_keys: [device, pcrs]
    features_keys: "{{ (system.features | default({})) | dict2items | map(attribute='key') | list }}"
    dns_unknown: "{{ dns_keys | difference(dns_allowed_keys) }}"
    user_unknown: "{{ user_keys | difference(user_allowed_keys) }}"
    root_unknown: "{{ root_keys | difference(root_allowed_keys) }}"
    luks_unknown: "{{ luks_keys | difference(luks_allowed_keys) }}"
+    tpm2_unknown: "{{ tpm2_keys | difference(tpm2_allowed_keys) }}"
    features_unknown: "{{ features_keys | difference(features_allowed_keys) }}"
  ansible.builtin.assert:
    that:
@@ -192,11 +144,13 @@
      - system.user is not defined or system.user is mapping
      - system.root is not defined or system.root is mapping
      - system.luks is not defined or system.luks is mapping
+      - system.luks is not defined or system.luks.tpm2 is not defined or system.luks.tpm2 is mapping
      - system.features is not defined or system.features is mapping
      - dns_unknown | length == 0
      - user_unknown | length == 0
      - root_unknown | length == 0
      - luks_unknown | length == 0
+      - tpm2_unknown | length == 0
      - features_unknown | length == 0
    fail_msg: >-
      Invalid nested system schema.
@@ -204,6 +158,7 @@
      user_unknown={{ user_unknown | join(',') }},
      root_unknown={{ root_unknown | join(',') }},
      luks_unknown={{ luks_unknown | join(',') }},
+      tpm2_unknown={{ tpm2_unknown | join(',') }},
      features_unknown={{ features_unknown | join(',') }}
    quiet: true

@@ -305,7 +260,7 @@
        ) or (
          os in ["alpine", "archlinux", "opensuse", "ubuntu", "ubuntu-lts", "void"]
        )
-    fail_msg: "Invalid os/os_version specified. Please check README.md for supported values."
+    fail_msg: "Invalid os/version specified. Please check README.md for supported values."
    quiet: true

 - name: Validate RHEL ISO requirement