docs(bootstrap): fix users dict format in examples, sync schema defaults, document secure_boot/rhel_repo
28
README.md
28
README.md
@@ -122,7 +122,7 @@ all:
|
||||
path: /data
|
||||
fstype: xfs
|
||||
users:
|
||||
- name: ops
|
||||
ops:
|
||||
password: !vault |
|
||||
$ANSIBLE_VAULT...
|
||||
keys:
|
||||
@@ -167,7 +167,7 @@ Top-level variables outside `system`/`hypervisor`/`cis`.
|
||||
| `type` | string | `virtual` | `virtual` or `physical` |
|
||||
| `os` | string | -- | Target distribution (see [table](#distributions)) |
|
||||
| `version` | string | -- | Version selector for versioned distros |
|
||||
| `filesystem` | string | -- | `btrfs`, `ext4`, or `xfs` |
|
||||
| `filesystem` | string | `ext4` | `btrfs`, `ext4`, or `xfs` |
|
||||
| `name` | string | inventory hostname | Final hostname |
|
||||
| `timezone` | string | `Europe/Vienna` | System timezone (tz database name) |
|
||||
| `locale` | string | `en_US.UTF-8` | System locale |
|
||||
@@ -176,11 +176,12 @@ Top-level variables outside `system`/`hypervisor`/`cis`.
|
||||
| `cpus` | int | `0` | vCPU count (required for virtual) |
|
||||
| `memory` | int | `0` | Memory in MiB (required for virtual) |
|
||||
| `balloon` | int | `0` | Balloon memory in MiB (Proxmox) |
|
||||
| `path` | string | -- | Hypervisor folder/path |
|
||||
| `path` | string | -- | Hypervisor folder/path (falls back to `hypervisor.folder`) |
|
||||
| `mirror` | string | per-distro default | Override package mirror (Debian/Ubuntu) |
|
||||
| `packages` | list | `[]` | Additional packages installed post-reboot |
|
||||
| `network` | dict | see below | Network configuration |
|
||||
| `disks` | list | `[]` | Disk layout (see [Multi-Disk Schema](#46-multi-disk-schema)) |
|
||||
| `users` | list | `[]` | User accounts |
|
||||
| `users` | dict | `{}` | User accounts (keyed by username) |
|
||||
| `root` | dict | see below | Root account settings |
|
||||
| `luks` | dict | see below | Encryption settings |
|
||||
| `features` | dict | see below | Feature toggles |
|
||||
@@ -228,9 +229,10 @@ Users must be defined in inventory. The dict format enables additive merging acr
|
||||
|
||||
#### `system.root`
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
| ---------- | ------ | ------- | ------------- |
|
||||
| `password` | string | -- | Root password |
|
||||
| Key | Type | Default | Description |
|
||||
| ---------- | ------ | ----------- | ------------- |
|
||||
| `password` | string | -- | Root password |
|
||||
| `shell` | string | `/bin/bash` | Login shell |
|
||||
|
||||
#### `system.luks`
|
||||
|
||||
@@ -249,8 +251,6 @@ Users must be defined in inventory. The dict format enables additive merging acr
|
||||
| `iter` | int | `4000` | PBKDF iteration time (ms) |
|
||||
| `bits` | int | `512` | Key size (bits) |
|
||||
| `pbkdf` | string | `argon2id` | PBKDF algorithm |
|
||||
| `urandom` | bool | `true` | Use urandom during key generation |
|
||||
| `verify` | bool | `true` | Verify passphrase during format |
|
||||
|
||||
#### `system.luks.tpm2`
|
||||
|
||||
@@ -283,6 +283,10 @@ The bootstrap auto-switches to dracut when `method: tpm2` is set. Override via `
|
||||
| `banner.sudo` | bool | `true` | Sudo banner |
|
||||
| `chroot.tool` | string | `arch-chroot` | `arch-chroot`, `chroot`, or `systemd-nspawn` |
|
||||
| `initramfs.generator` | string | auto-detected | Override initramfs generator (see below) |
|
||||
| `rhel_repo.source` | string | `iso` | RHEL post-install repo source: `iso`, `satellite`, or `none` |
|
||||
| `rhel_repo.url` | string | -- | Satellite/custom repo URL when `source: satellite` |
|
||||
| `secure_boot.enabled` | bool | `false` | Enable Secure Boot (Arch via sbctl, others via shim) |
|
||||
| `secure_boot.method` | string | -- | Arch only: `sbctl` (default) or `uki` |
|
||||
| `desktop.*` | dict | see below | Desktop environment settings (see [4.2.5](#425-systemfeaturesdesktop)) |
|
||||
| `firmware.*` | dict | see below | Vendor firmware blobs and CPU microcode (see [4.2.6](#426-systemfeaturesfirmware)) |
|
||||
| `gpu.*` | dict | see below | Mesa/Vulkan and per-vendor GPU userspace (see [4.2.7](#427-systemfeaturesgpu)) |
|
||||
@@ -393,7 +397,7 @@ system:
|
||||
| `storage` | string | -- | Storage identifier (Proxmox/VMware) |
|
||||
| `datacenter` | string | -- | VMware datacenter |
|
||||
| `cluster` | string | -- | VMware cluster |
|
||||
| `certs` | bool | `true` | TLS certificate validation (VMware) |
|
||||
| `certs` | bool | `false` | TLS certificate validation (VMware) |
|
||||
| `ssh` | bool | `false` | Enable SSH on guest and switch connection (VMware) |
|
||||
|
||||
### 4.4 `cis` Dictionary
|
||||
@@ -505,9 +509,9 @@ Roles execute in this order:
|
||||
1. **global_defaults** -- normalize inputs, validate, set OS flags
|
||||
2. **system_check** -- detect installer environment, verify live/non-prod target
|
||||
3. **virtualization** -- create VM (if virtual), attach disks, cloud-init
|
||||
4. **environment** -- prepare installer: mount ISO, configure repos, setup pacman
|
||||
4. **environment** -- prepare installer: mount ISO, configure repos, setup pacman, detect hardware
|
||||
5. **partitioning** -- create partitions, LVM, LUKS, mount filesystems
|
||||
6. **bootstrap** -- install base system and packages (OS-specific)
|
||||
6. **bootstrap** -- install base system, packages, and vendor-matched hardware bits
|
||||
7. **configuration** -- users, fstab, locales, bootloader, encryption enrollment, networking
|
||||
8. **cis** -- CIS hardening (when `system.features.cis.enabled: true`)
|
||||
9. **cleanup** -- unmount, shutdown installer, remove media, verify boot
|
||||
|
||||
@@ -9,8 +9,11 @@ all:
|
||||
baremetal01.example.com:
|
||||
ansible_host: 10.0.0.162
|
||||
ansible_user: root
|
||||
ansible_password: "1234"
|
||||
ansible_become_password: "1234"
|
||||
ansible_password: "CHANGE_ME"
|
||||
ansible_become_password: "CHANGE_ME"
|
||||
# Required for physical installs: confirms the operator accepts that
|
||||
# install_drive will be wiped. system_check refuses to run without it.
|
||||
physical_install_confirmed: true
|
||||
system:
|
||||
type: "physical"
|
||||
os: "archlinux"
|
||||
@@ -18,3 +21,10 @@ all:
|
||||
disks:
|
||||
- device: "/dev/sda"
|
||||
size: 120
|
||||
users:
|
||||
admin:
|
||||
password: "CHANGE_ME"
|
||||
keys:
|
||||
- "ssh-ed25519 AAAA..."
|
||||
root:
|
||||
password: "CHANGE_ME"
|
||||
|
||||
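Review bot: `physical_install_confirmed: true` is shipped hard-coded in the example host entry, and the comment right above it says system_check takes this flag as the operator's consent to wipe `install_drive`; anyone who copies this example as a starting point has already armed a destructive install before editing anything. I would ship it as `physical_install_confirmed: false` (or leave it commented out) so the operator has to flip it deliberately, keeping the explanatory comment as-is. The same section also stores `ansible_password`, `ansible_become_password`, the `admin` user password and `root.password` as plaintext `"CHANGE_ME"` strings, while the README example in this commit shows the `!vault |` form; pointing the inventory example at that form, e.g. `password: !vault |` followed by the encrypted blob, would avoid inviting a plaintext replacement that then gets committed. Which file these hunks belong to is not visible here, so this is inferred from the `baremetal01.example.com` entry and the `physical` type.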
@@ -43,7 +43,7 @@ all:
|
||||
label: DATA
|
||||
opts: defaults
|
||||
users:
|
||||
- name: "ops"
|
||||
ops:
|
||||
password: "CHANGE_ME"
|
||||
keys:
|
||||
- "ssh-ed25519 AAAA..."
|
||||
@@ -100,7 +100,7 @@ all:
|
||||
path: /srv/data
|
||||
fstype: ext4
|
||||
users:
|
||||
- name: "dbadmin"
|
||||
dbadmin:
|
||||
password: "CHANGE_ME"
|
||||
keys:
|
||||
- "ssh-ed25519 AAAA..."
|
||||
|
||||
@@ -6,7 +6,6 @@ all:
|
||||
url: "localhost"
|
||||
username: ""
|
||||
password: ""
|
||||
host: ""
|
||||
storage: "default"
|
||||
boot_iso: "/var/lib/libvirt/images/archlinux-x86_64.iso"
|
||||
children:
|
||||
@@ -40,7 +39,7 @@ all:
|
||||
path: /var/www
|
||||
fstype: xfs
|
||||
users:
|
||||
- name: "web"
|
||||
web:
|
||||
password: "CHANGE_ME"
|
||||
keys:
|
||||
- "ssh-ed25519 AAAA..."
|
||||
@@ -82,7 +81,7 @@ all:
|
||||
path: /data
|
||||
fstype: ext4
|
||||
users:
|
||||
- name: "db"
|
||||
db:
|
||||
password: "CHANGE_ME"
|
||||
keys:
|
||||
- "ssh-ed25519 AAAA..."
|
||||
@@ -123,7 +122,7 @@ all:
|
||||
path: /data
|
||||
fstype: btrfs
|
||||
users:
|
||||
- name: "compute"
|
||||
compute:
|
||||
password: "CHANGE_ME"
|
||||
keys:
|
||||
- "ssh-ed25519 AAAA..."
|
||||
|
||||
@@ -26,7 +26,7 @@ system:
|
||||
path: /data
|
||||
fstype: ext4
|
||||
users:
|
||||
- name: "admin"
|
||||
admin:
|
||||
password: "CHANGE_ME"
|
||||
keys:
|
||||
- "ssh-ed25519 AAAA..."
|
||||
|
||||
@@ -56,7 +56,7 @@ system:
|
||||
label: DATA
|
||||
opts: defaults
|
||||
users:
|
||||
- name: "ops"
|
||||
ops:
|
||||
password: "CHANGE_ME"
|
||||
keys:
|
||||
- "ssh-ed25519 AAAA..."
|
||||
|
||||