From 7c44cb1ff054ecded7162a8565b0d1f87ee7f622 Mon Sep 17 00:00:00 2001
From: Sandwich
Date: Sat, 2 May 2026 21:42:09 +0200
Subject: [PATCH] docs(bootstrap): fix users dict format in examples, sync schema defaults, document secure_boot/rhel_repo
---
 README.md | 28 ++++++++++++++++------------
 inventory_baremetal_example.yml | 14 ++++++++++++--
 inventory_example.yml | 4 ++--
 inventory_libvirt_example.yml | 7 +++----
 vars_baremetal_example.yml | 2 +-
 vars_example.yml | 2 +-
 6 files changed, 35 insertions(+), 22 deletions(-)
diff --git a/README.md b/README.md
index f406661..bb3a036 100644
--- a/README.md
+++ b/README.md
@@ -122,7 +122,7 @@ all:
 path: /data
 fstype: xfs
 users:
- - name: ops
+ ops:
 password: !vault |
 $ANSIBLE_VAULT...
 keys:
@@ -167,7 +167,7 @@ Top-level variables outside `system`/`hypervisor`/`cis`.
 | `type` | string | `virtual` | `virtual` or `physical` |
 | `os` | string | -- | Target distribution (see [table](#distributions)) |
 | `version` | string | -- | Version selector for versioned distros |
-| `filesystem` | string | -- | `btrfs`, `ext4`, or `xfs` |
+| `filesystem` | string | `ext4` | `btrfs`, `ext4`, or `xfs` |
 | `name` | string | inventory hostname | Final hostname |
 | `timezone` | string | `Europe/Vienna` | System timezone (tz database name) |
 | `locale` | string | `en_US.UTF-8` | System locale |
@@ -176,11 +176,12 @@ Top-level variables outside `system`/`hypervisor`/`cis`.
 | `cpus` | int | `0` | vCPU count (required for virtual) |
 | `memory` | int | `0` | Memory in MiB (required for virtual) |
 | `balloon` | int | `0` | Balloon memory in MiB (Proxmox) |
-| `path` | string | -- | Hypervisor folder/path |
+| `path` | string | -- | Hypervisor folder/path (falls back to `hypervisor.folder`) |
+| `mirror` | string | per-distro default | Override package mirror (Debian/Ubuntu) |
 | `packages` | list | `[]` | Additional packages installed post-reboot |
 | `network` | dict | see below | Network configuration |
 | `disks` | list | `[]` | Disk layout (see [Multi-Disk Schema](#46-multi-disk-schema)) |
-| `users` | list | `[]` | User accounts |
+| `users` | dict | `{}` | User accounts (keyed by username) |
 | `root` | dict | see below | Root account settings |
 | `luks` | dict | see below | Encryption settings |
 | `features` | dict | see below | Feature toggles |
@@ -228,9 +229,10 @@ Users must be defined in inventory. The dict format enables additive merging acr
 #### `system.root`
-| Key | Type | Default | Description |
-| ---------- | ------ | ------- | ------------- |
-| `password` | string | -- | Root password |
+| Key | Type | Default | Description |
+| ---------- | ------ | ----------- | ------------- |
+| `password` | string | -- | Root password |
+| `shell` | string | `/bin/bash` | Login shell |
 #### `system.luks`
@@ -249,8 +251,6 @@ Users must be defined in inventory. The dict format enables additive merging acr
 | `iter` | int | `4000` | PBKDF iteration time (ms) |
 | `bits` | int | `512` | Key size (bits) |
 | `pbkdf` | string | `argon2id` | PBKDF algorithm |
-| `urandom` | bool | `true` | Use urandom during key generation |
-| `verify` | bool | `true` | Verify passphrase during format |
 #### `system.luks.tpm2`
@@ -283,6 +283,10 @@ The bootstrap auto-switches to dracut when `method: tpm2` is set. Override via `
 | `banner.sudo` | bool | `true` | Sudo banner |
 | `chroot.tool` | string | `arch-chroot` | `arch-chroot`, `chroot`, or `systemd-nspawn` |
 | `initramfs.generator` | string | auto-detected | Override initramfs generator (see below) |
+| `rhel_repo.source` | string | `iso` | RHEL post-install repo source: `iso`, `satellite`, or `none` |
+| `rhel_repo.url` | string | -- | Satellite/custom repo URL when `source: satellite` |
+| `secure_boot.enabled` | bool | `false` | Enable Secure Boot (Arch via sbctl, others via shim) |
+| `secure_boot.method` | string | -- | Arch only: `sbctl` (default) or `uki` |
 | `desktop.*` | dict | see below | Desktop environment settings (see [4.2.5](#425-systemfeaturesdesktop)) |
 | `firmware.*` | dict | see below | Vendor firmware blobs and CPU microcode (see [4.2.6](#426-systemfeaturesfirmware)) |
 | `gpu.*` | dict | see below | Mesa/Vulkan and per-vendor GPU userspace (see [4.2.7](#427-systemfeaturesgpu)) |
@@ -393,7 +397,7 @@ system:
 | `storage` | string | -- | Storage identifier (Proxmox/VMware) |
 | `datacenter` | string | -- | VMware datacenter |
 | `cluster` | string | -- | VMware cluster |
-| `certs` | bool | `true` | TLS certificate validation (VMware) |
+| `certs` | bool | `false` | TLS certificate validation (VMware) |
 | `ssh` | bool | `false` | Enable SSH on guest and switch connection (VMware) |
 ### 4.4 `cis` Dictionary
@@ -505,9 +509,9 @@ Roles execute in this order:
 1. **global_defaults** -- normalize inputs, validate, set OS flags
 2. **system_check** -- detect installer environment, verify live/non-prod target
 3. **virtualization** -- create VM (if virtual), attach disks, cloud-init
-4. **environment** -- prepare installer: mount ISO, configure repos, setup pacman
+4. **environment** -- prepare installer: mount ISO, configure repos, setup pacman, detect hardware
 5. **partitioning** -- create partitions, LVM, LUKS, mount filesystems
-6. **bootstrap** -- install base system and packages (OS-specific)
+6. **bootstrap** -- install base system, packages, and vendor-matched hardware bits
 7. **configuration** -- users, fstab, locales, bootloader, encryption enrollment, networking
 8. **cis** -- CIS hardening (when `system.features.cis.enabled: true`)
 9. **cleanup** -- unmount, shutdown installer, remove media, verify boot
diff --git a/inventory_baremetal_example.yml b/inventory_baremetal_example.yml
index 72ada42..366f9c4 100644
--- a/inventory_baremetal_example.yml
+++ b/inventory_baremetal_example.yml
@@ -9,8 +9,11 @@ all:
 baremetal01.example.com:
 ansible_host: 10.0.0.162
 ansible_user: root
- ansible_password: "1234"
- ansible_become_password: "1234"
+ ansible_password: "CHANGE_ME"
+ ansible_become_password: "CHANGE_ME"
+ # Required for physical installs: confirms the operator accepts that
+ # install_drive will be wiped. system_check refuses to run without it.
+ physical_install_confirmed: true
 system:
 type: "physical"
 os: "archlinux"
@@ -18,3 +21,10 @@ all:
 disks:
 - device: "/dev/sda"
 size: 120
+ users:
+ admin:
+ password: "CHANGE_ME"
+ keys:
+ - "ssh-ed25519 AAAA..."
+ root:
+ password: "CHANGE_ME"
diff --git a/inventory_example.yml b/inventory_example.yml
index 944cd4a..6ced83c 100644
--- a/inventory_example.yml
+++ b/inventory_example.yml
@@ -43,7 +43,7 @@ all:
 label: DATA
 opts: defaults
 users:
- - name: "ops"
+ ops:
 password: "CHANGE_ME"
 keys:
 - "ssh-ed25519 AAAA..."
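Review bot: The connection block keeps `ansible_password: "CHANGE_ME"` and `ansible_become_password: "CHANGE_ME"` as plain-text placeholders for `ansible_user: root`, and the file's second hunk adds `users.admin.password` and `root.password` in the same form, while the README hunk at -122 already documents the `!vault |` form; an operator who copies this example is likely to drop real secrets in place and commit them. Suggest showing the vault form for at least the SSH credentials, e.g. `ansible_password: !vault |` followed by a `$ANSIBLE_VAULT...` placeholder line, or a comment above the block such as `# Store real values with ansible-vault; never commit plaintext passwords.`. The same plain-text `password: "CHANGE_ME"` placeholder recurs in the inventory_example.yml, inventory_libvirt_example.yml, vars_baremetal_example.yml and vars_example.yml hunks. Separately, shipping `physical_install_confirmed: true` in the example pre-satisfies the safeguard the new comment describes for anyone who copies the file wholesale; `physical_install_confirmed: false` with the comment telling the operator to flip it deliberately would keep the system_check refusal meaningful.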
@@ -100,7 +100,7 @@ all:
 path: /srv/data
 fstype: ext4
 users:
- - name: "dbadmin"
+ dbadmin:
 password: "CHANGE_ME"
 keys:
 - "ssh-ed25519 AAAA..."
diff --git a/inventory_libvirt_example.yml b/inventory_libvirt_example.yml
index 1520c34..f741973 100644
--- a/inventory_libvirt_example.yml
+++ b/inventory_libvirt_example.yml
@@ -6,7 +6,6 @@ all:
 url: "localhost"
 username: ""
 password: ""
- host: ""
 storage: "default"
 boot_iso: "/var/lib/libvirt/images/archlinux-x86_64.iso"
 children:
@@ -40,7 +39,7 @@ all:
 path: /var/www
 fstype: xfs
 users:
- - name: "web"
+ web:
 password: "CHANGE_ME"
 keys:
 - "ssh-ed25519 AAAA..."
@@ -82,7 +81,7 @@ all:
 path: /data
 fstype: ext4
 users:
- - name: "db"
+ db:
 password: "CHANGE_ME"
 keys:
 - "ssh-ed25519 AAAA..."
@@ -123,7 +122,7 @@ all:
 path: /data
 fstype: btrfs
 users:
- - name: "compute"
+ compute:
 password: "CHANGE_ME"
 keys:
 - "ssh-ed25519 AAAA..."
diff --git a/vars_baremetal_example.yml b/vars_baremetal_example.yml
index 78934cd..711de4c 100644
--- a/vars_baremetal_example.yml
+++ b/vars_baremetal_example.yml
@@ -26,7 +26,7 @@ system:
 path: /data
 fstype: ext4
 users:
- - name: "admin"
+ admin:
 password: "CHANGE_ME"
 keys:
 - "ssh-ed25519 AAAA..."
diff --git a/vars_example.yml b/vars_example.yml
index ee5aa02..44a5939 100644
--- a/vars_example.yml
+++ b/vars_example.yml
@@ -56,7 +56,7 @@ system:
 label: DATA
 opts: defaults
 users:
- - name: "ops"
+ ops:
 password: "CHANGE_ME"
 keys:
 - "ssh-ed25519 AAAA..."