docs(bootstrap): fix users dict format in examples, sync schema defaults, document secure_boot/rhel_repo
This commit is contained in:
28
README.md
28
README.md
@@ -122,7 +122,7 @@ all:
|
||||
path: /data
|
||||
fstype: xfs
|
||||
users:
|
||||
- name: ops
|
||||
ops:
|
||||
password: !vault |
|
||||
$ANSIBLE_VAULT...
|
||||
keys:
|
||||
@@ -167,7 +167,7 @@ Top-level variables outside `system`/`hypervisor`/`cis`.
|
||||
| `type` | string | `virtual` | `virtual` or `physical` |
|
||||
| `os` | string | -- | Target distribution (see [table](#distributions)) |
|
||||
| `version` | string | -- | Version selector for versioned distros |
|
||||
| `filesystem` | string | -- | `btrfs`, `ext4`, or `xfs` |
|
||||
| `filesystem` | string | `ext4` | `btrfs`, `ext4`, or `xfs` |
|
||||
| `name` | string | inventory hostname | Final hostname |
|
||||
| `timezone` | string | `Europe/Vienna` | System timezone (tz database name) |
|
||||
| `locale` | string | `en_US.UTF-8` | System locale |
|
||||
@@ -176,11 +176,12 @@ Top-level variables outside `system`/`hypervisor`/`cis`.
|
||||
| `cpus` | int | `0` | vCPU count (required for virtual) |
|
||||
| `memory` | int | `0` | Memory in MiB (required for virtual) |
|
||||
| `balloon` | int | `0` | Balloon memory in MiB (Proxmox) |
|
||||
| `path` | string | -- | Hypervisor folder/path |
|
||||
| `path` | string | -- | Hypervisor folder/path (falls back to `hypervisor.folder`) |
|
||||
| `mirror` | string | per-distro default | Override package mirror (Debian/Ubuntu) |
|
||||
| `packages` | list | `[]` | Additional packages installed post-reboot |
|
||||
| `network` | dict | see below | Network configuration |
|
||||
| `disks` | list | `[]` | Disk layout (see [Multi-Disk Schema](#46-multi-disk-schema)) |
|
||||
| `users` | list | `[]` | User accounts |
|
||||
| `users` | dict | `{}` | User accounts (keyed by username) |
|
||||
| `root` | dict | see below | Root account settings |
|
||||
| `luks` | dict | see below | Encryption settings |
|
||||
| `features` | dict | see below | Feature toggles |
|
||||
@@ -228,9 +229,10 @@ Users must be defined in inventory. The dict format enables additive merging acr
|
||||
|
||||
#### `system.root`
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
| ---------- | ------ | ------- | ------------- |
|
||||
| `password` | string | -- | Root password |
|
||||
| Key | Type | Default | Description |
|
||||
| ---------- | ------ | ----------- | ------------- |
|
||||
| `password` | string | -- | Root password |
|
||||
| `shell` | string | `/bin/bash` | Login shell |
|
||||
|
||||
#### `system.luks`
|
||||
|
||||
@@ -249,8 +251,6 @@ Users must be defined in inventory. The dict format enables additive merging acr
|
||||
| `iter` | int | `4000` | PBKDF iteration time (ms) |
|
||||
| `bits` | int | `512` | Key size (bits) |
|
||||
| `pbkdf` | string | `argon2id` | PBKDF algorithm |
|
||||
| `urandom` | bool | `true` | Use urandom during key generation |
|
||||
| `verify` | bool | `true` | Verify passphrase during format |
|
||||
|
||||
#### `system.luks.tpm2`
|
||||
|
||||
@@ -283,6 +283,10 @@ The bootstrap auto-switches to dracut when `method: tpm2` is set. Override via `
|
||||
| `banner.sudo` | bool | `true` | Sudo banner |
|
||||
| `chroot.tool` | string | `arch-chroot` | `arch-chroot`, `chroot`, or `systemd-nspawn` |
|
||||
| `initramfs.generator` | string | auto-detected | Override initramfs generator (see below) |
|
||||
| `rhel_repo.source` | string | `iso` | RHEL post-install repo source: `iso`, `satellite`, or `none` |
|
||||
| `rhel_repo.url` | string | -- | Satellite/custom repo URL when `source: satellite` |
|
||||
| `secure_boot.enabled` | bool | `false` | Enable Secure Boot (Arch via sbctl, others via shim) |
|
||||
| `secure_boot.method` | string | -- | Arch only: `sbctl` (default) or `uki` |
|
||||
| `desktop.*` | dict | see below | Desktop environment settings (see [4.2.5](#425-systemfeaturesdesktop)) |
|
||||
| `firmware.*` | dict | see below | Vendor firmware blobs and CPU microcode (see [4.2.6](#426-systemfeaturesfirmware)) |
|
||||
| `gpu.*` | dict | see below | Mesa/Vulkan and per-vendor GPU userspace (see [4.2.7](#427-systemfeaturesgpu)) |
|
||||
@@ -393,7 +397,7 @@ system:
|
||||
| `storage` | string | -- | Storage identifier (Proxmox/VMware) |
|
||||
| `datacenter` | string | -- | VMware datacenter |
|
||||
| `cluster` | string | -- | VMware cluster |
|
||||
| `certs` | bool | `true` | TLS certificate validation (VMware) |
|
||||
| `certs` | bool | `false` | TLS certificate validation (VMware) |
|
||||
| `ssh` | bool | `false` | Enable SSH on guest and switch connection (VMware) |
|
||||
|
||||
### 4.4 `cis` Dictionary
|
||||
@@ -505,9 +509,9 @@ Roles execute in this order:
|
||||
1. **global_defaults** -- normalize inputs, validate, set OS flags
|
||||
2. **system_check** -- detect installer environment, verify live/non-prod target
|
||||
3. **virtualization** -- create VM (if virtual), attach disks, cloud-init
|
||||
4. **environment** -- prepare installer: mount ISO, configure repos, setup pacman
|
||||
4. **environment** -- prepare installer: mount ISO, configure repos, setup pacman, detect hardware
|
||||
5. **partitioning** -- create partitions, LVM, LUKS, mount filesystems
|
||||
6. **bootstrap** -- install base system and packages (OS-specific)
|
||||
6. **bootstrap** -- install base system, packages, and vendor-matched hardware bits
|
||||
7. **configuration** -- users, fstab, locales, bootloader, encryption enrollment, networking
|
||||
8. **cis** -- CIS hardening (when `system.features.cis.enabled: true`)
|
||||
9. **cleanup** -- unmount, shutdown installer, remove media, verify boot
|
||||
|
||||
Reference in New Issue
Block a user