docs(bootstrap): fix users dict format in examples, sync schema defaults, document secure_boot/rhel_repo

2026-05-02 21:42:09 +02:00
parent 5d0630a386
commit 7c44cb1ff0
6 changed files with 35 additions and 22 deletions


@@ -122,7 +122,7 @@ all:
path: /data path: /data
fstype: xfs fstype: xfs
users: users:
- name: ops ops:
password: !vault | password: !vault |
$ANSIBLE_VAULT... $ANSIBLE_VAULT...
keys: keys:
@@ -167,7 +167,7 @@ Top-level variables outside `system`/`hypervisor`/`cis`.
| `type` | string | `virtual` | `virtual` or `physical` | | `type` | string | `virtual` | `virtual` or `physical` |
| `os` | string | -- | Target distribution (see [table](#distributions)) | | `os` | string | -- | Target distribution (see [table](#distributions)) |
| `version` | string | -- | Version selector for versioned distros | | `version` | string | -- | Version selector for versioned distros |
| `filesystem` | string | -- | `btrfs`, `ext4`, or `xfs` | | `filesystem` | string | `ext4` | `btrfs`, `ext4`, or `xfs` |
| `name` | string | inventory hostname | Final hostname | | `name` | string | inventory hostname | Final hostname |
| `timezone` | string | `Europe/Vienna` | System timezone (tz database name) | | `timezone` | string | `Europe/Vienna` | System timezone (tz database name) |
| `locale` | string | `en_US.UTF-8` | System locale | | `locale` | string | `en_US.UTF-8` | System locale |
@@ -176,11 +176,12 @@ Top-level variables outside `system`/`hypervisor`/`cis`.
| `cpus` | int | `0` | vCPU count (required for virtual) | | `cpus` | int | `0` | vCPU count (required for virtual) |
| `memory` | int | `0` | Memory in MiB (required for virtual) | | `memory` | int | `0` | Memory in MiB (required for virtual) |
| `balloon` | int | `0` | Balloon memory in MiB (Proxmox) | | `balloon` | int | `0` | Balloon memory in MiB (Proxmox) |
| `path` | string | -- | Hypervisor folder/path | | `path` | string | -- | Hypervisor folder/path (falls back to `hypervisor.folder`) |
| `mirror` | string | per-distro default | Override package mirror (Debian/Ubuntu) |
| `packages` | list | `[]` | Additional packages installed post-reboot | | `packages` | list | `[]` | Additional packages installed post-reboot |
| `network` | dict | see below | Network configuration | | `network` | dict | see below | Network configuration |
| `disks` | list | `[]` | Disk layout (see [Multi-Disk Schema](#46-multi-disk-schema)) | | `disks` | list | `[]` | Disk layout (see [Multi-Disk Schema](#46-multi-disk-schema)) |
| `users` | list | `[]` | User accounts | | `users` | dict | `{}` | User accounts (keyed by username) |
| `root` | dict | see below | Root account settings | | `root` | dict | see below | Root account settings |
| `luks` | dict | see below | Encryption settings | | `luks` | dict | see below | Encryption settings |
| `features` | dict | see below | Feature toggles | | `features` | dict | see below | Feature toggles |
@@ -229,8 +230,9 @@ Users must be defined in inventory. The dict format enables additive merging acr
#### `system.root` #### `system.root`
| Key | Type | Default | Description | | Key | Type | Default | Description |
| ---------- | ------ | ------- | ------------- | | ---------- | ------ | ----------- | ------------- |
| `password` | string | -- | Root password | | `password` | string | -- | Root password |
| `shell` | string | `/bin/bash` | Login shell |
#### `system.luks` #### `system.luks`
@@ -249,8 +251,6 @@ Users must be defined in inventory. The dict format enables additive merging acr
| `iter` | int | `4000` | PBKDF iteration time (ms) | | `iter` | int | `4000` | PBKDF iteration time (ms) |
| `bits` | int | `512` | Key size (bits) | | `bits` | int | `512` | Key size (bits) |
| `pbkdf` | string | `argon2id` | PBKDF algorithm | | `pbkdf` | string | `argon2id` | PBKDF algorithm |
| `urandom` | bool | `true` | Use urandom during key generation |
| `verify` | bool | `true` | Verify passphrase during format |
#### `system.luks.tpm2` #### `system.luks.tpm2`
@@ -283,6 +283,10 @@ The bootstrap auto-switches to dracut when `method: tpm2` is set. Override via `
| `banner.sudo` | bool | `true` | Sudo banner | | `banner.sudo` | bool | `true` | Sudo banner |
| `chroot.tool` | string | `arch-chroot` | `arch-chroot`, `chroot`, or `systemd-nspawn` | | `chroot.tool` | string | `arch-chroot` | `arch-chroot`, `chroot`, or `systemd-nspawn` |
| `initramfs.generator` | string | auto-detected | Override initramfs generator (see below) | | `initramfs.generator` | string | auto-detected | Override initramfs generator (see below) |
| `rhel_repo.source` | string | `iso` | RHEL post-install repo source: `iso`, `satellite`, or `none` |
| `rhel_repo.url` | string | -- | Satellite/custom repo URL when `source: satellite` |
| `secure_boot.enabled` | bool | `false` | Enable Secure Boot (Arch via sbctl, others via shim) |
| `secure_boot.method` | string | -- | Arch only: `sbctl` (default) or `uki` |
| `desktop.*` | dict | see below | Desktop environment settings (see [4.2.5](#425-systemfeaturesdesktop)) | | `desktop.*` | dict | see below | Desktop environment settings (see [4.2.5](#425-systemfeaturesdesktop)) |
| `firmware.*` | dict | see below | Vendor firmware blobs and CPU microcode (see [4.2.6](#426-systemfeaturesfirmware)) | | `firmware.*` | dict | see below | Vendor firmware blobs and CPU microcode (see [4.2.6](#426-systemfeaturesfirmware)) |
| `gpu.*` | dict | see below | Mesa/Vulkan and per-vendor GPU userspace (see [4.2.7](#427-systemfeaturesgpu)) | | `gpu.*` | dict | see below | Mesa/Vulkan and per-vendor GPU userspace (see [4.2.7](#427-systemfeaturesgpu)) |
@@ -393,7 +397,7 @@ system:
| `storage` | string | -- | Storage identifier (Proxmox/VMware) | | `storage` | string | -- | Storage identifier (Proxmox/VMware) |
| `datacenter` | string | -- | VMware datacenter | | `datacenter` | string | -- | VMware datacenter |
| `cluster` | string | -- | VMware cluster | | `cluster` | string | -- | VMware cluster |
| `certs` | bool | `true` | TLS certificate validation (VMware) | | `certs` | bool | `false` | TLS certificate validation (VMware) |
| `ssh` | bool | `false` | Enable SSH on guest and switch connection (VMware) | | `ssh` | bool | `false` | Enable SSH on guest and switch connection (VMware) |
### 4.4 `cis` Dictionary ### 4.4 `cis` Dictionary
@@ -505,9 +509,9 @@ Roles execute in this order:
1. **global_defaults** -- normalize inputs, validate, set OS flags 1. **global_defaults** -- normalize inputs, validate, set OS flags
2. **system_check** -- detect installer environment, verify live/non-prod target 2. **system_check** -- detect installer environment, verify live/non-prod target
3. **virtualization** -- create VM (if virtual), attach disks, cloud-init 3. **virtualization** -- create VM (if virtual), attach disks, cloud-init
4. **environment** -- prepare installer: mount ISO, configure repos, setup pacman 4. **environment** -- prepare installer: mount ISO, configure repos, setup pacman, detect hardware
5. **partitioning** -- create partitions, LVM, LUKS, mount filesystems 5. **partitioning** -- create partitions, LVM, LUKS, mount filesystems
6. **bootstrap** -- install base system and packages (OS-specific) 6. **bootstrap** -- install base system, packages, and vendor-matched hardware bits
7. **configuration** -- users, fstab, locales, bootloader, encryption enrollment, networking 7. **configuration** -- users, fstab, locales, bootloader, encryption enrollment, networking
8. **cis** -- CIS hardening (when `system.features.cis.enabled: true`) 8. **cis** -- CIS hardening (when `system.features.cis.enabled: true`)
9. **cleanup** -- unmount, shutdown installer, remove media, verify boot 9. **cleanup** -- unmount, shutdown installer, remove media, verify boot


@@ -9,8 +9,11 @@ all:
baremetal01.example.com: baremetal01.example.com:
ansible_host: 10.0.0.162 ansible_host: 10.0.0.162
ansible_user: root ansible_user: root
ansible_password: "1234" ansible_password: "CHANGE_ME"
ansible_become_password: "1234" ansible_become_password: "CHANGE_ME"
# Required for physical installs: confirms the operator accepts that
# install_drive will be wiped. system_check refuses to run without it.
physical_install_confirmed: true
system: system:
type: "physical" type: "physical"
os: "archlinux" os: "archlinux"
@@ -18,3 +21,10 @@ all:
disks: disks:
- device: "/dev/sda" - device: "/dev/sda"
size: 120 size: 120
users:
admin:
password: "CHANGE_ME"
keys:
- "ssh-ed25519 AAAA..."
root:
password: "CHANGE_ME"
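Review bot: `physical_install_confirmed: true` is shipped pre-set in a copy-and-adapt example, so the system_check refusal described in the comment two lines above is already satisfied before the operator has looked at the `disks:` device that the comment says will be wiped. Ship the example as `physical_install_confirmed: false` (or comment the line out) and extend the comment with `# set to true only after verifying the install_drive / disks entries below`, so an unedited copy is still refused. Separately, the `ansible_password`, `ansible_become_password`, user `password` and `root` `password` values here — and the `password: "CHANGE_ME"` lines in the `users:` hunks of the remaining inventory files — are plain strings, while the documentation hunk in this commit shows the `!vault |` form; a comment such as `# encrypt real values with ansible-vault (see the !vault example in the docs)` above the first password would keep copied inventories from being committed with plaintext credentials. The rendered indentation does not show whether `root:` sits under `system:`; if it is host-level it would not match the `system.root` key documented in the first file, so worth a glance.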


@@ -43,7 +43,7 @@ all:
label: DATA label: DATA
opts: defaults opts: defaults
users: users:
- name: "ops" ops:
password: "CHANGE_ME" password: "CHANGE_ME"
keys: keys:
- "ssh-ed25519 AAAA..." - "ssh-ed25519 AAAA..."
@@ -100,7 +100,7 @@ all:
path: /srv/data path: /srv/data
fstype: ext4 fstype: ext4
users: users:
- name: "dbadmin" dbadmin:
password: "CHANGE_ME" password: "CHANGE_ME"
keys: keys:
- "ssh-ed25519 AAAA..." - "ssh-ed25519 AAAA..."


@@ -6,7 +6,6 @@ all:
url: "localhost" url: "localhost"
username: "" username: ""
password: "" password: ""
host: ""
storage: "default" storage: "default"
boot_iso: "/var/lib/libvirt/images/archlinux-x86_64.iso" boot_iso: "/var/lib/libvirt/images/archlinux-x86_64.iso"
children: children:
@@ -40,7 +39,7 @@ all:
path: /var/www path: /var/www
fstype: xfs fstype: xfs
users: users:
- name: "web" web:
password: "CHANGE_ME" password: "CHANGE_ME"
keys: keys:
- "ssh-ed25519 AAAA..." - "ssh-ed25519 AAAA..."
@@ -82,7 +81,7 @@ all:
path: /data path: /data
fstype: ext4 fstype: ext4
users: users:
- name: "db" db:
password: "CHANGE_ME" password: "CHANGE_ME"
keys: keys:
- "ssh-ed25519 AAAA..." - "ssh-ed25519 AAAA..."
@@ -123,7 +122,7 @@ all:
path: /data path: /data
fstype: btrfs fstype: btrfs
users: users:
- name: "compute" compute:
password: "CHANGE_ME" password: "CHANGE_ME"
keys: keys:
- "ssh-ed25519 AAAA..." - "ssh-ed25519 AAAA..."


@@ -26,7 +26,7 @@ system:
path: /data path: /data
fstype: ext4 fstype: ext4
users: users:
- name: "admin" admin:
password: "CHANGE_ME" password: "CHANGE_ME"
keys: keys:
- "ssh-ed25519 AAAA..." - "ssh-ed25519 AAAA..."


@@ -56,7 +56,7 @@ system:
label: DATA label: DATA
opts: defaults opts: defaults
users: users:
- name: "ops" ops:
password: "CHANGE_ME" password: "CHANGE_ME"
keys: keys:
- "ssh-ed25519 AAAA..." - "ssh-ed25519 AAAA..."