Normalize user-facing defaults
@@ -3,16 +3,8 @@
|
||||
block:
|
||||
- name: Install Bootloader
|
||||
vars:
|
||||
configuration_use_efibootmgr: "{{ is_rhel | default(false) }}"
|
||||
configuration_efi_dir: >-
|
||||
{{
|
||||
partitioning_efi_mountpoint
|
||||
| default(
|
||||
"/boot/efi"
|
||||
if (is_rhel | default(false)) or (os | lower in ["ubuntu", "ubuntu-lts"])
|
||||
else "/boot"
|
||||
)
|
||||
}}
|
||||
configuration_use_efibootmgr: "{{ is_rhel | bool }}"
|
||||
configuration_efi_dir: "{{ partitioning_efi_mountpoint }}"
|
||||
configuration_bootloader_id: >-
|
||||
{{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
|
||||
configuration_efi_vendor: >-
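Review bot: `configuration_use_efibootmgr: "{{ is_rhel | bool }}"` and `configuration_efi_dir: "{{ partitioning_efi_mountpoint }}"` now fail templating when `is_rhel` or `partitioning_efi_mountpoint` is undefined, where the removed `default(...)` forms fell back silently; the new code therefore relies on those variables being declared in the role's defaults, which this diff does not show. The same dependency is introduced by every `| default(...)` removal in the later hunks (`is_debian`, the `partitioning_luks_*` variables, `vm_dns`, `vm_dns_search`, `vm_nms`, `vm_ip`, `user_public_key`, `selinux`). If the defaults file is not part of this commit, a single `ansible.builtin.assert` at the start of the role, with a `that:` list naming each required variable (`- is_rhel is defined`, `- partitioning_efi_mountpoint is defined`, …), turns a late "undefined variable" error deep in a block into one clear message. The `Install Bootloader` task's enclosing block starts before this hunk and continues past it.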
|
||||
@@ -47,7 +39,7 @@
|
||||
else (
|
||||
'/usr/bin/env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin '
|
||||
+ '/usr/sbin/update-initramfs -u -k all'
|
||||
if is_debian | default(false)
|
||||
if is_debian | bool
|
||||
else '/usr/bin/dracut --regenerate-all --force'
|
||||
)
|
||||
}}
|
||||
@@ -62,9 +54,9 @@
|
||||
configuration_grub_cfg_cmd: >-
|
||||
{{
|
||||
'/usr/sbin/grub2-mkconfig -o '
|
||||
+ (partitioning_efi_mountpoint | default('/boot/efi'))
|
||||
+ partitioning_efi_mountpoint
|
||||
+ '/EFI/' + configuration_efi_vendor + '/grub.cfg'
|
||||
if is_rhel | default(false)
|
||||
if is_rhel | bool
|
||||
else '/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg'
|
||||
}}
|
||||
ansible.builtin.command: "arch-chroot /mnt {{ configuration_grub_cfg_cmd }}"
|
||||
|
||||
@@ -1,31 +1,17 @@
|
||||
---
|
||||
- name: Configure disk encryption
|
||||
when: partitioning_luks_enabled | default(luks_enabled | default(false)) | bool
|
||||
when: partitioning_luks_enabled | bool
|
||||
vars:
|
||||
configuration_luks_passphrase_effective: >-
|
||||
{{ (partitioning_luks_passphrase | default(luks_passphrase | default(''))) | string }}
|
||||
{{ partitioning_luks_passphrase | string }}
|
||||
block:
|
||||
- name: Set LUKS configuration facts
|
||||
vars:
|
||||
configuration_luks_mapper_name_value: >-
|
||||
{{
|
||||
partitioning_luks_mapper_name
|
||||
| default(luks_mapper_name | default('SYSTEM_DECRYPTED'))
|
||||
}}
|
||||
configuration_luks_device_value: >-
|
||||
{{
|
||||
partitioning_luks_device
|
||||
| default(
|
||||
install_drive
|
||||
~ (
|
||||
partitioning_root_partition_suffix
|
||||
| default(partitioning_main_partition_suffix | default(2))
|
||||
| string
|
||||
)
|
||||
)
|
||||
}}
|
||||
{{ partitioning_luks_mapper_name }}
|
||||
configuration_luks_device_value: "{{ partitioning_luks_device }}"
|
||||
configuration_luks_tpm2_pcrs_raw: >-
|
||||
{{ partitioning_luks_tpm2_pcrs | default(luks_tpm2_pcrs | default('')) }}
|
||||
{{ partitioning_luks_tpm2_pcrs }}
|
||||
configuration_luks_tpm2_pcrs_effective_value: >-
|
||||
{{
|
||||
(
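Review bot: `configuration_luks_passphrase_effective: >- {{ partitioning_luks_passphrase | string }}` renders the disk-encryption passphrase into a block-level var, and nothing in the hunk marks the block or its tasks `no_log: true`; if a task that consumes it (outside this hunk) reports its arguments on failure or under `-v`, the passphrase lands in the controller log, so each consuming task should carry `no_log: true` if it does not already. Separately, `when: partitioning_luks_enabled | bool` still admits an empty passphrase: the old `default('')` is gone, but `'' | string` passes through unchanged. A guard such as `ansible.builtin.assert` with `that: partitioning_luks_passphrase | string | length > 0` and `no_log: true` (so the assert does not print the value) placed first in the block would fail early rather than hand an empty passphrase to cryptsetup. The `Configure disk encryption` block continues past the end of this hunk.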
|
||||
@@ -43,17 +29,17 @@
|
||||
configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}"
|
||||
configuration_luks_device: "{{ configuration_luks_device_value }}"
|
||||
configuration_luks_options: >-
|
||||
{{ partitioning_luks_options | default(luks_options | default('discard,tries=3')) }}
|
||||
{{ partitioning_luks_options }}
|
||||
configuration_luks_auto_method: >-
|
||||
{{
|
||||
(partitioning_luks_auto_decrypt | default(luks_auto_decrypt | default(true)) | bool)
|
||||
(partitioning_luks_auto_decrypt | bool)
|
||||
| ternary(
|
||||
partitioning_luks_auto_decrypt_method | default(luks_auto_decrypt_method | default('tpm2')),
|
||||
partitioning_luks_auto_decrypt_method,
|
||||
'manual'
|
||||
)
|
||||
}}
|
||||
configuration_luks_tpm2_device: >-
|
||||
{{ partitioning_luks_tpm2_device | default(luks_tpm2_device | default('auto')) }}
|
||||
{{ partitioning_luks_tpm2_device }}
|
||||
configuration_luks_tpm2_pcrs: "{{ configuration_luks_tpm2_pcrs_raw }}"
|
||||
configuration_luks_tpm2_pcrs_effective: "{{ configuration_luks_tpm2_pcrs_effective_value }}"
|
||||
configuration_luks_keyfile_path: >-
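Review bot: `configuration_luks_options: >- {{ partitioning_luks_options }}` drops the in-file fallback `'discard,tries=3'`, so the choice of `discard` now lives wherever the role default is declared, which is not in this diff. Wherever that is, a comment worth keeping next to the value is `# discard: enables TRIM through the LUKS layer; trades free-space confidentiality on the raw device for SSD performance`, because the trade-off is no longer visible from this task. The same relocation applies to `'tpm2'` and `'auto'` a few lines down, whose semantics (which PCRs are bound, which TPM device is chosen) deserve the same one-line comment at the new home.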
|
||||
@@ -151,7 +137,7 @@
|
||||
|
||||
- name: Ensure keyfile pattern for initramfs-tools
|
||||
when:
|
||||
- is_debian | default(false)
|
||||
- is_debian | bool
|
||||
- configuration_luks_keyfile_in_use
|
||||
ansible.builtin.lineinfile:
|
||||
path: /mnt/etc/cryptsetup-initramfs/conf-hook
|
||||
@@ -215,14 +201,14 @@
|
||||
}})
|
||||
|
||||
- name: Ensure dracut config directory exists
|
||||
when: is_rhel | default(false)
|
||||
when: is_rhel | bool
|
||||
ansible.builtin.file:
|
||||
path: /mnt/etc/dracut.conf.d
|
||||
state: directory
|
||||
mode: "0755"
|
||||
|
||||
- name: Configure dracut for LUKS
|
||||
when: is_rhel | default(false)
|
||||
when: is_rhel | bool
|
||||
ansible.builtin.copy:
|
||||
dest: /mnt/etc/dracut.conf.d/crypt.conf
|
||||
content: |
|
||||
@@ -233,13 +219,13 @@
|
||||
mode: "0644"
|
||||
|
||||
- name: Read kernel cmdline defaults
|
||||
when: is_rhel | default(false)
|
||||
when: is_rhel | bool
|
||||
ansible.builtin.slurp:
|
||||
src: /mnt/etc/kernel/cmdline
|
||||
register: configuration_kernel_cmdline_slurp
|
||||
|
||||
- name: Build kernel cmdline with LUKS args
|
||||
when: is_rhel | default(false)
|
||||
when: is_rhel | bool
|
||||
vars:
|
||||
configuration_kernel_cmdline_current_value: >-
|
||||
{{ configuration_kernel_cmdline_slurp.content | b64decode | trim }}
|
||||
@@ -265,14 +251,14 @@
|
||||
changed_when: false
|
||||
|
||||
- name: Write kernel cmdline with LUKS args
|
||||
when: is_rhel | default(false)
|
||||
when: is_rhel | bool
|
||||
ansible.builtin.copy:
|
||||
dest: /mnt/etc/kernel/cmdline
|
||||
mode: "0644"
|
||||
content: "{{ configuration_kernel_cmdline_new }}\n"
|
||||
|
||||
- name: Find BLS entries
|
||||
when: is_rhel | default(false)
|
||||
when: is_rhel | bool
|
||||
ansible.builtin.find:
|
||||
paths: /mnt/boot/loader/entries
|
||||
patterns: "*.conf"
|
||||
@@ -281,7 +267,7 @@
|
||||
|
||||
- name: Update BLS options with LUKS args
|
||||
when:
|
||||
- is_rhel | default(false)
|
||||
- is_rhel | bool
|
||||
- configuration_kernel_bls_entries.files | length > 0
|
||||
ansible.builtin.lineinfile:
|
||||
path: "{{ item.path }}"
|
||||
@@ -292,13 +278,13 @@
|
||||
label: "{{ item.path }}"
|
||||
|
||||
- name: Read grub defaults
|
||||
when: not is_rhel | default(false)
|
||||
when: not is_rhel | bool
|
||||
ansible.builtin.slurp:
|
||||
src: /mnt/etc/default/grub
|
||||
register: configuration_grub_slurp
|
||||
|
||||
- name: Build grub command lines with LUKS args
|
||||
when: not is_rhel | default(false)
|
||||
when: not is_rhel | bool
|
||||
vars:
|
||||
configuration_grub_content_value: "{{ configuration_grub_slurp.content | b64decode }}"
|
||||
configuration_grub_cmdline_linux_value: >-
|
||||
@@ -362,7 +348,7 @@
|
||||
configuration_grub_cmdline_default_new: "{{ configuration_grub_cmdline_default_new_value }}"
|
||||
|
||||
- name: Update GRUB_CMDLINE_LINUX_DEFAULT for LUKS
|
||||
when: not is_rhel | default(false)
|
||||
when: not is_rhel | bool
|
||||
ansible.builtin.lineinfile:
|
||||
path: /mnt/etc/default/grub
|
||||
regexp: '^GRUB_CMDLINE_LINUX_DEFAULT='
|
||||
|
||||
@@ -16,7 +16,7 @@
|
||||
{{
|
||||
lookup(
|
||||
'community.general.random_string',
|
||||
length=(partitioning_luks_keyfile_size | default(luks_keyfile_size | default(64)) | int),
|
||||
length=(partitioning_luks_keyfile_size | int),
|
||||
override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
|
||||
)
|
||||
}}
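Review bot: `length=(partitioning_luks_keyfile_size | int)` has no lower bound: Jinja's `int` filter returns 0 for an unparsable value, so a mistyped size most likely produces an empty LUKS keyfile instead of an error, where the removed `default(64)` at least guaranteed a sane length when the variable was absent. A pre-check such as `ansible.builtin.assert` with `that: partitioning_luks_keyfile_size | int >= 32` (constructed example minimum; pick the project's own floor) in the task that precedes this lookup would catch both the empty and the too-short case. The identical expression is repeated in the next hunk (`@@ -71,7 +71,7 @@`); a single `configuration_luks_keyfile_length` var declared once would keep the two from drifting. Since the key material comes from `community.general.random_string`, which uses the system CSPRNG in current releases, pinning the collection version in the requirements file is worth a sentence in the role README.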
|
||||
@@ -71,7 +71,7 @@
|
||||
{{
|
||||
lookup(
|
||||
'community.general.random_string',
|
||||
length=(partitioning_luks_keyfile_size | default(luks_keyfile_size | default(64)) | int),
|
||||
length=(partitioning_luks_keyfile_size | int),
|
||||
override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
|
||||
)
|
||||
}}
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: Append vim configurations to vimrc
|
||||
ansible.builtin.blockinfile:
|
||||
path: "{{ '/mnt/etc/vim/vimrc' if is_debian | default(false) else '/mnt/etc/vimrc' }}"
|
||||
path: "{{ '/mnt/etc/vim/vimrc' if is_debian | bool else '/mnt/etc/vimrc' }}"
|
||||
block: |
|
||||
set encoding=utf-8
|
||||
set number
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
- name: Configure grub defaults
|
||||
when: not is_rhel | default(false)
|
||||
when: not is_rhel | bool
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /mnt/etc/default/grub
|
||||
regexp: "{{ item.regexp }}"
|
||||
@@ -12,7 +12,7 @@
|
||||
line: GRUB_TIMEOUT=1
|
||||
|
||||
- name: Ensure grub defaults file exists for RHEL-based systems
|
||||
when: is_rhel | default(false)
|
||||
when: is_rhel | bool
|
||||
block:
|
||||
- name: Build RHEL kernel command line defaults
|
||||
vars:
|
||||
@@ -106,7 +106,7 @@
|
||||
label: "{{ item.path }}"
|
||||
|
||||
- name: Enable GRUB cryptodisk for encrypted /boot
|
||||
when: partitioning_grub_enable_cryptodisk | default(false) | bool
|
||||
when: partitioning_grub_enable_cryptodisk | bool
|
||||
ansible.builtin.lineinfile:
|
||||
path: /mnt/etc/default/grub
|
||||
regexp: '^GRUB_ENABLE_CRYPTODISK='
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
- name: Setup locales
|
||||
block:
|
||||
- name: Configure locale.gen
|
||||
when: not is_rhel | default(false)
|
||||
when: not is_rhel | bool
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /mnt/etc/locale.gen
|
||||
regexp: "{{ item.regex }}"
|
||||
@@ -19,7 +19,7 @@
|
||||
- {regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8}
|
||||
|
||||
- name: Generate locales
|
||||
when: not is_rhel | default(false)
|
||||
when: not is_rhel | bool
|
||||
ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen
|
||||
register: configuration_locale_result
|
||||
changed_when: configuration_locale_result.rc == 0
|
||||
@@ -32,7 +32,7 @@
|
||||
if '.' in hostname
|
||||
else (
|
||||
hostname + '.' + vm_dns_search
|
||||
if vm_dns_search is defined and vm_dns_search | length
|
||||
if vm_dns_search | length
|
||||
else hostname
|
||||
)
|
||||
}}
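Review bot: `if vm_dns_search | length` raises a templating error when `vm_dns_search` is set to YAML null (an inventory line `vm_dns_search:` with no value), because `length` on `None` is not defined; the removed `is defined and` form did not cover that case either, but the commit's stated intent of relying on declared defaults makes the null case more likely in practice. `vm_dns_search | default('', true) | length` handles both undefined and null with one filter, and the same applies to the second copy of this expression in the next hunk, to `vm_ip | length > 0` in the `configuration_hosts_line` hunk, and to `{% if vm_ip | length %}` in the NetworkManager keyfile template at the end of the diff. The enclosing `configuration_hostname_fqdn` expression begins before this hunk.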
|
||||
@@ -49,7 +49,7 @@
|
||||
if '.' in hostname
|
||||
else (
|
||||
hostname + '.' + vm_dns_search
|
||||
if vm_dns_search is defined and vm_dns_search | length
|
||||
if vm_dns_search | length
|
||||
else hostname
|
||||
)
|
||||
}}
|
||||
@@ -57,7 +57,7 @@
|
||||
configuration_hostname_entries: >-
|
||||
{{ [configuration_hostname_fqdn, configuration_hostname_short] | unique | join(' ') }}
|
||||
configuration_hosts_line: >-
|
||||
{{ vm_ip | default(inventory_hostname) }} {{ configuration_hostname_entries }}
|
||||
{{ (vm_ip if vm_ip | length > 0 else inventory_hostname) }} {{ configuration_hostname_entries }}
|
||||
ansible.builtin.lineinfile:
|
||||
path: /mnt/etc/hosts
|
||||
line: "{{ configuration_hosts_line }}"
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
---
|
||||
- name: Fix SELinux
|
||||
when: is_rhel | default(false)
|
||||
when: is_rhel | bool
|
||||
block:
|
||||
- name: Fix SELinux by pre-labeling the filesystem before first boot
|
||||
when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and (selinux | default(true) | bool)
|
||||
when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and (selinux | bool)
|
||||
ansible.builtin.command: >
|
||||
arch-chroot /mnt /sbin/setfiles -v -F
|
||||
-e /dev -e /proc -e /sys -e /run
|
||||
@@ -12,7 +12,7 @@
|
||||
changed_when: configuration_setfiles_result.rc == 0
|
||||
|
||||
- name: Disable SELinux
|
||||
when: os | lower == "fedora" or not (selinux | default(true) | bool)
|
||||
when: os | lower == "fedora" or not (selinux | bool)
|
||||
ansible.builtin.lineinfile:
|
||||
path: /mnt/etc/selinux/config
|
||||
regexp: ^SELINUX=
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: Give sudo access to wheel group
|
||||
ansible.builtin.copy:
|
||||
content: "{{ '%sudo ALL=(ALL) ALL' if is_debian | default(false) else '%wheel ALL=(ALL) ALL' }}"
|
||||
content: "{{ '%sudo ALL=(ALL) ALL' if is_debian | bool else '%wheel ALL=(ALL) ALL' }}"
|
||||
dest: /mnt/etc/sudoers.d/01-wheel
|
||||
mode: "0440"
|
||||
validate: /usr/sbin/visudo --check --file=%s
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
- name: Create user account
|
||||
vars:
|
||||
configuration_user_group: >-
|
||||
{{ "sudo" if is_debian | default(false) else "wheel" }}
|
||||
{{ "sudo" if is_debian | bool else "wheel" }}
|
||||
configuration_useradd_cmd: >-
|
||||
arch-chroot /mnt /usr/sbin/useradd --create-home --user-group
|
||||
--groups {{ configuration_user_group }} {{ user_name }}
|
||||
@@ -18,7 +18,7 @@
|
||||
changed_when: configuration_user_result.rc == 0
|
||||
|
||||
- name: Ensure .ssh directory exists
|
||||
when: user_public_key is defined
|
||||
when: user_public_key | length > 0
|
||||
ansible.builtin.file:
|
||||
path: /mnt/home/{{ user_name }}/.ssh
|
||||
state: directory
|
||||
@@ -27,7 +27,7 @@
|
||||
mode: "0700"
|
||||
|
||||
- name: Add SSH public key to authorized_keys
|
||||
when: user_public_key is defined
|
||||
when: user_public_key | length > 0
|
||||
ansible.builtin.lineinfile:
|
||||
path: /mnt/home/{{ user_name }}/.ssh/authorized_keys
|
||||
line: "{{ user_public_key }}"
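Review bot: `line: "{{ user_public_key }}"` writes the variable verbatim into `authorized_keys`, and `when: user_public_key | length > 0` only checks that it is non-empty, so a value pasted with a trailing newline or a private-key blob by mistake is accepted as-is. An `ansible.builtin.assert` ahead of this task with `that: user_public_key is match('^(ssh-|ecdsa-sha2-|sk-)')` (constructed pattern covering the common key-type prefixes) rejects the obvious mistakes at no cost. The rest of the `lineinfile` arguments are outside the hunk; if the task relies on `create: true`, it should also set `owner`, `group` and `mode: "0600"`, otherwise the file is created root-owned under `/mnt/home/{{ user_name }}/.ssh` and sshd on the installed system will refuse it.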
|
||||
|
||||
@@ -7,14 +7,14 @@ type=ethernet
|
||||
mac-address={{ configuration_net_mac }}
|
||||
|
||||
[ipv4]
|
||||
{% set dns_value = vm_dns | default('') %}
|
||||
{% set dns_value = vm_dns %}
|
||||
{% set dns_list_raw = dns_value if dns_value is iterable and dns_value is not string else dns_value.split(',') %}
|
||||
{% set dns_list = dns_list_raw | map('trim') | reject('equalto', '') | list %}
|
||||
{% set search_value = vm_dns_search | default('') %}
|
||||
{% set search_value = vm_dns_search %}
|
||||
{% set search_list_raw = search_value if search_value is iterable and search_value is not string else search_value.split(',') %}
|
||||
{% set search_list = search_list_raw | map('trim') | reject('equalto', '') | list %}
|
||||
{% if vm_ip is defined and vm_ip | length %}
|
||||
address1={{ vm_ip }}/{{ vm_nms | default(24) }}{{ (',' ~ vm_gw) if (vm_gw is defined and vm_gw | length) else '' }}
|
||||
{% if vm_ip | length %}
|
||||
address1={{ vm_ip }}/{{ vm_nms }}{{ (',' ~ vm_gw) if (vm_gw | length) else '' }}
|
||||
method=manual
|
||||
{% else %}
|
||||
method=auto
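Review bot: `address1={{ vm_ip }}/{{ vm_nms }}{{ (',' ~ vm_gw) if (vm_gw | length) else '' }}` now renders `address1=<ip>/` when `vm_nms` is declared but empty, which NetworkManager rejects when it parses the keyfile, so the installed machine boots with no connection on that interface; the removed `default(24)` masked that case and `method=manual` on the next line means there is no DHCP fallback. Failing at template time is preferable to a silently broken keyfile, so the task that renders this template (outside the hunk) should assert `vm_nms | int > 0` alongside `vm_ip`. `{% set dns_value = vm_dns %}` has a related gap: if `vm_dns` is YAML null, `dns_value is iterable` is false and `dns_value.split(',')` on the following line fails; `vm_dns | default('', true)` (and likewise for `vm_dns_search` in `search_value`) covers null and undefined in one place. The `[ipv4]` section continues past the end of the hunk.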
|
||||
|
||||