fix(vars): enforce strict list-only DNS and user.key format for IaC compatibility

2026-02-12 21:50:55 +01:00
parent 673a9b6062
commit 67c320fcc2
4 changed files with 38 additions and 36 deletions
--- a/main.yml
+++ b/main.yml
@@ -31,7 +31,7 @@
        system_user_input: "{{ (system_input.user | default({})) if (system_input.user is mapping) else {} }}"
        system_root_input: "{{ (system_input.root | default({})) if (system_input.root is mapping) else {} }}"
        prompt_user_name: "{{ user_name | default(system_user_name | default(''), true) | string }}"
-        prompt_user_key: "{{ user_public_key | default(user_key | default(system_user_key | default(''), true), true) | string }}"
+        prompt_user_key: "{{ user_public_key | default(user_key | default(system_user_key | default(''), true), true) | string | trim }}"
        prompt_user_password: "{{ user_password | default(system_user_password | default(''), true) | string }}"
        prompt_root_password: "{{ root_password | default(system_root_password | default(''), true) | string }}"
      ansible.builtin.set_fact:
@@ -45,8 +45,14 @@
                      (system_user_input.name | default('') | string | length) > 0
                    ) | ternary(system_user_input.name | string, prompt_user_name),
                    'key': (
-                      (system_user_input.key | default('') | string | length) > 0
-                    ) | ternary(system_user_input.key | string, prompt_user_key),
+                      system_user_input.key
+                      if (system_user_input.key is iterable and system_user_input.key is not string and system_user_input.key | length > 0)
+                      else (
+                        [prompt_user_key]
+                        if (prompt_user_key | length > 0)
+                        else []
+                      )
+                    ),
                    'password': (
                      (system_user_input.password | default('') | string | length) > 0
                    ) | ternary(system_user_input.password | string, prompt_user_password)
@@ -60,7 +66,6 @@
                recursive=True
              )
          }}
-      changed_when: false

    - name: Load global defaults
      ansible.builtin.import_role:
@@ -109,7 +114,6 @@
              and (ansible_host | default('') | string | length) > 0
            )
          }}
-      changed_when: false

    - name: Reset SSH connection before post-reboot tasks
      when: