refactor(schema): rename nested dict keys and simplify validation

main.yml

@@ -10,7 +10,7 @@
         What is your username?
       private: false
 
-    - name: system_user_public_key
+    - name: system_user_key
       prompt: |
         What is your ssh key?
       private: false
@@ -40,9 +40,9 @@
                     'name': (
                       (system_user_input.name | default('') | string | length) > 0
                     ) | ternary(system_user_input.name | string, system_user_name | default('') | string),
-                    'public_key': (
+                    'key': (
-                      (system_user_input.public_key | default('') | string | length) > 0
+                      (system_user_input.key | default('') | string | length) > 0
-                    ) | ternary(system_user_input.public_key | string, system_user_public_key | default('') | string),
+                    ) | ternary(system_user_input.key | string, system_user_key | default('') | string),
                     'password': (
                       (system_user_input.password | default('') | string | length) > 0
                     ) | ternary(system_user_input.password | string, system_user_password | default('') | string)

roles/cleanup/tasks/virtual.yml

@@ -145,7 +145,7 @@
             hostname: "{{ hypervisor_cfg.url }}"
             username: "{{ hypervisor_cfg.username }}"
             password: "{{ hypervisor_cfg.password }}"
-            validate_certs: "{{ hypervisor_cfg.validate_certs | bool }}"
+            validate_certs: "{{ hypervisor_cfg.certs | bool }}"
             name: "{{ hostname }}"
             folder: "{{ system_cfg.path | default('/') }}"
             state: poweredoff
@@ -160,7 +160,7 @@
             hostname: "{{ hypervisor_cfg.url }}"
             username: "{{ hypervisor_cfg.username }}"
             password: "{{ hypervisor_cfg.password }}"
-            validate_certs: "{{ hypervisor_cfg.validate_certs | bool }}"
+            validate_certs: "{{ hypervisor_cfg.certs | bool }}"
             name: "{{ hostname }}"
             folder: "{{ system_cfg.path | default('/') }}"
             state: absent

roles/cleanup/tasks/vmware.yml

@@ -10,7 +10,7 @@
         hostname: "{{ hypervisor_cfg.url }}"
         username: "{{ hypervisor_cfg.username }}"
         password: "{{ hypervisor_cfg.password }}"
-        validate_certs: "{{ hypervisor_cfg.validate_certs | bool }}"
+        validate_certs: "{{ hypervisor_cfg.certs | bool }}"
         datacenter: "{{ hypervisor_cfg.datacenter }}"
         name: "{{ hostname }}"
         cdrom:
@@ -34,7 +34,7 @@
         hostname: "{{ hypervisor_cfg.url }}"
         username: "{{ hypervisor_cfg.username }}"
         password: "{{ hypervisor_cfg.password }}"
-        validate_certs: "{{ hypervisor_cfg.validate_certs | bool }}"
+        validate_certs: "{{ hypervisor_cfg.certs | bool }}"
         datacenter: "{{ hypervisor_cfg.datacenter }}"
         name: "{{ hostname }}"
         state: powered-on

roles/configuration/tasks/fstab.yml

@@ -16,7 +16,7 @@
     group: root
     mode: "0644"
 
-- name: Remove deprecated attr2 and disable large extent
+- name: Adjust XFS mount options and disable large extent
   when: os in ["almalinux", "rocky", "rhel"] and filesystem == "xfs"
   ansible.builtin.replace:
     path: /mnt/etc/fstab

roles/configuration/tasks/users.yml

@@ -18,7 +18,7 @@
   changed_when: configuration_user_result.rc == 0
 
 - name: Ensure .ssh directory exists
-  when: system_cfg.user.public_key | length > 0
+  when: system_cfg.user.key | length > 0
   ansible.builtin.file:
     path: /mnt/home/{{ system_cfg.user.name }}/.ssh
     state: directory
@@ -27,10 +27,10 @@
     mode: "0700"
 
 - name: Add SSH public key to authorized_keys
-  when: system_cfg.user.public_key | length > 0
+  when: system_cfg.user.key | length > 0
   ansible.builtin.lineinfile:
     path: /mnt/home/{{ system_cfg.user.name }}/.ssh/authorized_keys
-    line: "{{ system_cfg.user.public_key }}"
+    line: "{{ system_cfg.user.key }}"
     owner: 1000
     group: 1000
     mode: "0600"

roles/global_defaults/defaults/main.yml

@@ -11,7 +11,7 @@ hypervisor_defaults:
   storage: ""
   datacenter: ""
   cluster: ""
-  validate_certs: false
+  certs: false
   ssh: false
 
 custom_iso: false
@@ -20,7 +20,7 @@ thirdparty_preparation_tasks_path: "dropins/preparation.yml"
 system_defaults:
   type: "virtual" # virtual|physical
   os: ""
-  os_version: ""
+  version: ""
   name: ""
   id: ""
   cpus: 0
@@ -40,27 +40,28 @@ system_defaults:
   user:
     name: ""
     password: ""
-    public_key: ""
+    key: ""
   root:
     password: ""
   luks:
     enabled: false
     passphrase: ""
-    mapper_name: "SYSTEM_DECRYPTED"
+    mapper: "SYSTEM_DECRYPTED"
-    auto_decrypt: true
+    auto: true
-    auto_decrypt_method: "tpm2"
+    method: "tpm2"
-    tpm2_device: "auto"
+    tpm2:
-    tpm2_pcrs: ""
+      device: "auto"
-    keyfile_size: 64
+      pcrs: ""
+    keysize: 64
     options: "discard,tries=3"
     type: "luks2"
     cipher: "aes-xts-plain64"
     hash: "sha512"
-    iter_time: 4000
+    iter: 4000
-    key_size: 512
+    bits: 512
     pbkdf: "argon2id"
-    use_urandom: true
+    urandom: true
-    verify_passphrase: true
+    verify: true
   features:
     cis:
       enabled: false

roles/global_defaults/tasks/system.yml

@@ -11,17 +11,6 @@
     fail_msg: "system must be a dictionary"
     quiet: true
 
-- name: Reject deprecated top-level system selectors
-  ansible.builtin.assert:
-    that:
-      - os is not defined
-      - os_version is not defined
-      - hostname is not defined
-    fail_msg: >-
-      Top-level `os`, `os_version`, and `hostname` are not supported.
-      Define these values under `system` (`system.os`, `system.os_version`, `system.name`).
-    quiet: true
-
 - name: Build normalized system configuration
   vars:
     system_raw: "{{ system_defaults | combine(system, recursive=True) }}"
@@ -41,6 +30,7 @@
     system_user_raw: "{{ system_raw.user if system_raw.user is mapping else {} }}"
     system_root_raw: "{{ system_raw.root if system_raw.root is mapping else {} }}"
     system_luks_raw: "{{ system_raw.luks if system_raw.luks is mapping else {} }}"
+    system_luks_tpm2_raw: "{{ system_luks_raw.tpm2 if system_luks_raw.tpm2 is mapping else {} }}"
     system_features_raw: "{{ system_raw.features if system_raw.features is mapping else {} }}"
 
     system_feature_cis_raw: >-
@@ -97,7 +87,7 @@
     system_cfg:
       type: "{{ system_type }}"
       os: "{{ system_os_input if system_os_input | length > 0 else ('archlinux' if system_type == 'physical' else '') }}"
-      os_version: "{{ system_raw.os_version | default('') | string }}"
+      version: "{{ system_raw.version | default('') | string }}"
       name: "{{ system_name }}"
       id: "{{ system_raw.id | default('') | string }}"
       cpus: "{{ [system_raw.cpus | default(0) | int, 0] | max }}"
@@ -152,27 +142,28 @@
       user:
         name: "{{ system_user_raw.name | default('') | string }}"
         password: "{{ system_user_raw.password | default('') | string }}"
-        public_key: "{{ system_user_raw.public_key | default('') | string }}"
+        key: "{{ system_user_raw.key | default('') | string }}"
       root:
         password: "{{ system_root_raw.password | default('') | string }}"
       luks:
         enabled: "{{ system_luks_raw.enabled | default(system_defaults.luks.enabled) | bool }}"
         passphrase: "{{ system_luks_raw.passphrase | default(system_defaults.luks.passphrase) | string }}"
-        mapper_name: "{{ system_luks_raw.mapper_name | default(system_defaults.luks.mapper_name) | string }}"
+        mapper: "{{ system_luks_raw.mapper | default(system_defaults.luks.mapper) | string }}"
-        auto_decrypt: "{{ system_luks_raw.auto_decrypt | default(system_defaults.luks.auto_decrypt) | bool }}"
+        auto: "{{ system_luks_raw.auto | default(system_defaults.luks.auto) | bool }}"
-        auto_decrypt_method: "{{ system_luks_raw.auto_decrypt_method | default(system_defaults.luks.auto_decrypt_method) | string | lower }}"
+        method: "{{ system_luks_raw.method | default(system_defaults.luks.method) | string | lower }}"
-        tpm2_device: "{{ system_luks_raw.tpm2_device | default(system_defaults.luks.tpm2_device) | string }}"
+        tpm2:
-        tpm2_pcrs: "{{ system_luks_raw.tpm2_pcrs | default(system_defaults.luks.tpm2_pcrs) | string }}"
+          device: "{{ system_luks_tpm2_raw.device | default(system_defaults.luks.tpm2.device) | string }}"
-        keyfile_size: "{{ system_luks_raw.keyfile_size | default(system_defaults.luks.keyfile_size) | int }}"
+          pcrs: "{{ system_luks_tpm2_raw.pcrs | default(system_defaults.luks.tpm2.pcrs) | string }}"
+        keysize: "{{ system_luks_raw.keysize | default(system_defaults.luks.keysize) | int }}"
         options: "{{ system_luks_raw.options | default(system_defaults.luks.options) | string }}"
         type: "{{ system_luks_raw.type | default(system_defaults.luks.type) | string }}"
         cipher: "{{ system_luks_raw.cipher | default(system_defaults.luks.cipher) | string }}"
         hash: "{{ system_luks_raw.hash | default(system_defaults.luks.hash) | string }}"
-        iter_time: "{{ system_luks_raw.iter_time | default(system_defaults.luks.iter_time) | int }}"
+        iter: "{{ system_luks_raw.iter | default(system_defaults.luks.iter) | int }}"
-        key_size: "{{ system_luks_raw.key_size | default(system_defaults.luks.key_size) | int }}"
+        bits: "{{ system_luks_raw.bits | default(system_defaults.luks.bits) | int }}"
         pbkdf: "{{ system_luks_raw.pbkdf | default(system_defaults.luks.pbkdf) | string }}"
-        use_urandom: "{{ system_luks_raw.use_urandom | default(system_defaults.luks.use_urandom) | bool }}"
+        urandom: "{{ system_luks_raw.urandom | default(system_defaults.luks.urandom) | bool }}"
-        verify_passphrase: "{{ system_luks_raw.verify_passphrase | default(system_defaults.luks.verify_passphrase) | bool }}"
+        verify: "{{ system_luks_raw.verify | default(system_defaults.luks.verify) | bool }}"
       features:
         cis:
           enabled: "{{ system_feature_cis_raw.enabled | default(system_defaults.features.cis.enabled) | bool }}"
@@ -195,7 +186,7 @@
           tool: "{{ system_feature_chroot_raw.tool | default(system_defaults.features.chroot.tool) | string }}"
     hostname: "{{ system_name }}"
     os: "{{ system_os_input if system_os_input | length > 0 else ('archlinux' if system_type == 'physical' else '') }}"
-    os_version: "{{ system_raw.os_version | default('') | string }}"
+    os_version: "{{ system_raw.version | default('') | string }}"
   changed_when: false
 
 - name: Normalize system disks input

roles/global_defaults/tasks/validation.yml

@@ -37,7 +37,7 @@
       - storage
       - datacenter
       - cluster
-      - validate_certs
+      - certs
       - ssh
     hypervisor_keys: "{{ (hypervisor | default({})) | dict2items | map(attribute='key') | list }}"
     hypervisor_unknown_keys: "{{ hypervisor_keys | difference(hypervisor_allowed_keys) }}"
@@ -52,7 +52,7 @@
     system_allowed_keys:
       - type
       - os
-      - os_version
+      - version
       - name
       - id
       - cpus
@@ -79,85 +79,28 @@
     fail_msg: "Unsupported system keys: {{ system_unknown_keys | join(', ') }}"
     quiet: true
 
-- name: Reject deprecated top-level input keys
-  vars:
-    deprecated_input_keys:
-      - install_type
-      - vm_ip
-      - vm_id
-      - vm_name
-      - vm_cpus
-      - memory_mb
-      - balloon_mb
-      - dns_servers
-      - dns_search
-      - extra_packages
-      - user_name
-      - user_password
-      - user_public_key
-      - root_password
-      - luks_enabled
-      - luks_passphrase
-      - luks_mapper_name
-      - luks_auto_decrypt
-      - luks_auto_decrypt_method
-      - luks_tpm2_device
-      - luks_tpm2_pcrs
-      - luks_keyfile_size
-      - firewall_enabled
-      - firewall_backend
-      - firewall_toolkit
-      - ssh_enabled
-      - cis
-      - selinux_enabled
-      - zstd_enabled
-      - swap_enabled
-      - motd_enabled
-      - sudo_banner_enabled
-      - chroot_tool
-      - hypervisor_url
-      - hypervisor_username
-      - hypervisor_password
-      - hypervisor_node
-      - hypervisor_storage
-      - hypervisor_datacenter
-      - hypervisor_cluster
-      - hypervisor_validate_certs
-      - hypervisor_ssh
-      - hypervisor_path
-    top_level_input_keys: "{{ (hostvars[inventory_hostname] | dict2items | map(attribute='key') | list) }}"
-    deprecated_input_keys_present: "{{ top_level_input_keys | intersect(deprecated_input_keys) }}"
-  ansible.builtin.assert:
-    that:
-      - deprecated_input_keys_present | length == 0
-    fail_msg: >-
-      Unsupported top-level keys found: {{ deprecated_input_keys_present | join(', ') }}.
-      Use only the `system` and `hypervisor` dictionaries for runtime configuration.
-    quiet: true
-
 - name: Validate nested system schema
   vars:
     dns_allowed_keys: [servers, search]
-    user_allowed_keys: [name, password, public_key]
+    user_allowed_keys: [name, password, key]
     root_allowed_keys: [password]
     luks_allowed_keys:
       - enabled
       - passphrase
-      - mapper_name
+      - mapper
-      - auto_decrypt
+      - auto
-      - auto_decrypt_method
+      - method
-      - tpm2_device
+      - tpm2
-      - tpm2_pcrs
+      - keysize
-      - keyfile_size
       - options
       - type
       - cipher
       - hash
-      - iter_time
+      - iter
-      - key_size
+      - bits
       - pbkdf
-      - use_urandom
+      - urandom
-      - verify_passphrase
+      - verify
     features_allowed_keys:
       - cis
       - selinux
@@ -180,11 +123,20 @@
     user_keys: "{{ (system.user | default({})) | dict2items | map(attribute='key') | list }}"
     root_keys: "{{ (system.root | default({})) | dict2items | map(attribute='key') | list }}"
     luks_keys: "{{ (system.luks | default({})) | dict2items | map(attribute='key') | list }}"
+    tpm2_keys: >-
+      {{
+        (
+          (system.luks if (system.luks is defined and system.luks is mapping) else {}).tpm2
+          | default({})
+        ) | dict2items | map(attribute='key') | list
+      }}
+    tpm2_allowed_keys: [device, pcrs]
     features_keys: "{{ (system.features | default({})) | dict2items | map(attribute='key') | list }}"
     dns_unknown: "{{ dns_keys | difference(dns_allowed_keys) }}"
     user_unknown: "{{ user_keys | difference(user_allowed_keys) }}"
     root_unknown: "{{ root_keys | difference(root_allowed_keys) }}"
     luks_unknown: "{{ luks_keys | difference(luks_allowed_keys) }}"
+    tpm2_unknown: "{{ tpm2_keys | difference(tpm2_allowed_keys) }}"
     features_unknown: "{{ features_keys | difference(features_allowed_keys) }}"
   ansible.builtin.assert:
     that:
@@ -192,11 +144,13 @@
       - system.user is not defined or system.user is mapping
       - system.root is not defined or system.root is mapping
       - system.luks is not defined or system.luks is mapping
+      - system.luks is not defined or system.luks.tpm2 is not defined or system.luks.tpm2 is mapping
       - system.features is not defined or system.features is mapping
       - dns_unknown | length == 0
       - user_unknown | length == 0
       - root_unknown | length == 0
       - luks_unknown | length == 0
+      - tpm2_unknown | length == 0
       - features_unknown | length == 0
     fail_msg: >-
       Invalid nested system schema.
@@ -204,6 +158,7 @@
       user_unknown={{ user_unknown | join(',') }},
       root_unknown={{ root_unknown | join(',') }},
       luks_unknown={{ luks_unknown | join(',') }},
+      tpm2_unknown={{ tpm2_unknown | join(',') }},
       features_unknown={{ features_unknown | join(',') }}
     quiet: true
 
@@ -305,7 +260,7 @@
         ) or (
           os in ["alpine", "archlinux", "opensuse", "ubuntu", "ubuntu-lts", "void"]
         )
-    fail_msg: "Invalid os/os_version specified. Please check README.md for supported values."
+    fail_msg: "Invalid os/version specified. Please check README.md for supported values."
     quiet: true
 
 - name: Validate RHEL ISO requirement

roles/partitioning/defaults/main.yml

@@ -1,20 +1,20 @@
 ---
 partitioning_luks_enabled: "{{ system_cfg.luks.enabled | bool }}"
 partitioning_luks_passphrase: "{{ system_cfg.luks.passphrase }}"
-partitioning_luks_mapper_name: "{{ system_cfg.luks.mapper_name }}"
+partitioning_luks_mapper_name: "{{ system_cfg.luks.mapper }}"
 partitioning_luks_type: "{{ system_cfg.luks.type }}"
 partitioning_luks_cipher: "{{ system_cfg.luks.cipher }}"
 partitioning_luks_hash: "{{ system_cfg.luks.hash }}"
-partitioning_luks_iter_time: "{{ system_cfg.luks.iter_time }}"
+partitioning_luks_iter_time: "{{ system_cfg.luks.iter }}"
-partitioning_luks_key_size: "{{ system_cfg.luks.key_size }}"
+partitioning_luks_key_size: "{{ system_cfg.luks.bits }}"
 partitioning_luks_pbkdf: "{{ system_cfg.luks.pbkdf }}"
-partitioning_luks_use_urandom: "{{ system_cfg.luks.use_urandom | bool }}"
+partitioning_luks_use_urandom: "{{ system_cfg.luks.urandom | bool }}"
-partitioning_luks_verify_passphrase: "{{ system_cfg.luks.verify_passphrase | bool }}"
+partitioning_luks_verify_passphrase: "{{ system_cfg.luks.verify | bool }}"
-partitioning_luks_auto_decrypt: "{{ system_cfg.luks.auto_decrypt | bool }}"
+partitioning_luks_auto_decrypt: "{{ system_cfg.luks.auto | bool }}"
-partitioning_luks_auto_decrypt_method: "{{ system_cfg.luks.auto_decrypt_method }}"
+partitioning_luks_auto_decrypt_method: "{{ system_cfg.luks.method }}"
-partitioning_luks_tpm2_device: "{{ system_cfg.luks.tpm2_device }}"
+partitioning_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"
-partitioning_luks_tpm2_pcrs: "{{ system_cfg.luks.tpm2_pcrs }}"
+partitioning_luks_tpm2_pcrs: "{{ system_cfg.luks.tpm2.pcrs }}"
-partitioning_luks_keyfile_size: "{{ system_cfg.luks.keyfile_size }}"
+partitioning_luks_keyfile_size: "{{ system_cfg.luks.keysize }}"
 partitioning_luks_options: "{{ system_cfg.luks.options }}"
 partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if system_cfg.features.zstd.enabled | bool else '' }}"
 partitioning_boot_partition_suffix: 1

roles/system_check/tasks/main.yml

@@ -135,7 +135,7 @@
         hostname: "{{ hypervisor_cfg.url }}"
         username: "{{ hypervisor_cfg.username }}"
         password: "{{ hypervisor_cfg.password }}"
-        validate_certs: "{{ hypervisor_cfg.validate_certs | bool }}"
+        validate_certs: "{{ hypervisor_cfg.certs | bool }}"
         datacenter: "{{ hypervisor_cfg.datacenter }}"
         name: "{{ hostname }}"
         folder: "{{ system_cfg.path if system_cfg.path | length > 0 else omit }}"

roles/virtualization/tasks/vmware.yml

@@ -18,7 +18,7 @@
     hostname: "{{ hypervisor_cfg.url }}"
     username: "{{ hypervisor_cfg.username }}"
     password: "{{ hypervisor_cfg.password }}"
-    validate_certs: "{{ hypervisor_cfg.validate_certs | bool }}"
+    validate_certs: "{{ hypervisor_cfg.certs | bool }}"
     datacenter: "{{ hypervisor_cfg.datacenter }}"
     cluster: "{{ hypervisor_cfg.cluster }}"
     folder: "{{ system_cfg.path if system_cfg.path | string | length > 0 else omit }}"
@@ -74,7 +74,7 @@
     hostname: "{{ hypervisor_cfg.url }}"
     username: "{{ hypervisor_cfg.username }}"
     password: "{{ hypervisor_cfg.password }}"
-    validate_certs: "{{ hypervisor_cfg.validate_certs | bool }}"
+    validate_certs: "{{ hypervisor_cfg.certs | bool }}"
     datacenter: "{{ hypervisor_cfg.datacenter }}"
     folder: "{{ system_cfg.path if system_cfg.path | string | length > 0 else omit }}"
     name: "{{ hostname }}"
@@ -87,7 +87,7 @@
     hostname: "{{ hypervisor_cfg.url }}"
     username: "{{ hypervisor_cfg.username }}"
     password: "{{ hypervisor_cfg.password }}"
-    validate_certs: "{{ hypervisor_cfg.validate_certs | bool }}"
+    validate_certs: "{{ hypervisor_cfg.certs | bool }}"
     datacenter: "{{ hypervisor_cfg.datacenter }}"
     name: "{{ hostname }}"
     state: powered-on