Normalize user-facing defaults

roles/configuration/tasks/encryption.yml

@@ -1,31 +1,17 @@
 ---
 - name: Configure disk encryption
-  when: partitioning_luks_enabled | default(luks_enabled | default(false)) | bool
+  when: partitioning_luks_enabled | bool
   vars:
     configuration_luks_passphrase_effective: >-
-      {{ (partitioning_luks_passphrase | default(luks_passphrase | default(''))) | string }}
+      {{ partitioning_luks_passphrase | string }}
   block:
     - name: Set LUKS configuration facts
       vars:
         configuration_luks_mapper_name_value: >-
-          {{
-            partitioning_luks_mapper_name
-            | default(luks_mapper_name | default('SYSTEM_DECRYPTED'))
-          }}
-        configuration_luks_device_value: >-
-          {{
-            partitioning_luks_device
-            | default(
-                install_drive
-                ~ (
-                  partitioning_root_partition_suffix
-                  | default(partitioning_main_partition_suffix | default(2))
-                  | string
-                )
-              )
-          }}
+          {{ partitioning_luks_mapper_name }}
+        configuration_luks_device_value: "{{ partitioning_luks_device }}"
         configuration_luks_tpm2_pcrs_raw: >-
-          {{ partitioning_luks_tpm2_pcrs | default(luks_tpm2_pcrs | default('')) }}
+          {{ partitioning_luks_tpm2_pcrs }}
         configuration_luks_tpm2_pcrs_effective_value: >-
           {{
             (
@@ -43,17 +29,17 @@
         configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}"
         configuration_luks_device: "{{ configuration_luks_device_value }}"
         configuration_luks_options: >-
-          {{ partitioning_luks_options | default(luks_options | default('discard,tries=3')) }}
+          {{ partitioning_luks_options }}
         configuration_luks_auto_method: >-
           {{
-            (partitioning_luks_auto_decrypt | default(luks_auto_decrypt | default(true)) | bool)
+            (partitioning_luks_auto_decrypt | bool)
             | ternary(
-                partitioning_luks_auto_decrypt_method | default(luks_auto_decrypt_method | default('tpm2')),
+                partitioning_luks_auto_decrypt_method,
                 'manual'
               )
           }}
         configuration_luks_tpm2_device: >-
-          {{ partitioning_luks_tpm2_device | default(luks_tpm2_device | default('auto')) }}
+          {{ partitioning_luks_tpm2_device }}
         configuration_luks_tpm2_pcrs: "{{ configuration_luks_tpm2_pcrs_raw }}"
         configuration_luks_tpm2_pcrs_effective: "{{ configuration_luks_tpm2_pcrs_effective_value }}"
         configuration_luks_keyfile_path: >-
@@ -151,7 +137,7 @@
 
     - name: Ensure keyfile pattern for initramfs-tools
       when:
-        - is_debian | default(false)
+        - is_debian | bool
         - configuration_luks_keyfile_in_use
       ansible.builtin.lineinfile:
         path: /mnt/etc/cryptsetup-initramfs/conf-hook
@@ -215,14 +201,14 @@
           }})
 
     - name: Ensure dracut config directory exists
-      when: is_rhel | default(false)
+      when: is_rhel | bool
       ansible.builtin.file:
         path: /mnt/etc/dracut.conf.d
         state: directory
         mode: "0755"
 
     - name: Configure dracut for LUKS
-      when: is_rhel | default(false)
+      when: is_rhel | bool
       ansible.builtin.copy:
         dest: /mnt/etc/dracut.conf.d/crypt.conf
         content: |
@@ -233,13 +219,13 @@
         mode: "0644"
 
     - name: Read kernel cmdline defaults
-      when: is_rhel | default(false)
+      when: is_rhel | bool
       ansible.builtin.slurp:
         src: /mnt/etc/kernel/cmdline
       register: configuration_kernel_cmdline_slurp
 
     - name: Build kernel cmdline with LUKS args
-      when: is_rhel | default(false)
+      when: is_rhel | bool
       vars:
         configuration_kernel_cmdline_current_value: >-
           {{ configuration_kernel_cmdline_slurp.content | b64decode | trim }}
@@ -265,14 +251,14 @@
       changed_when: false
 
     - name: Write kernel cmdline with LUKS args
-      when: is_rhel | default(false)
+      when: is_rhel | bool
       ansible.builtin.copy:
         dest: /mnt/etc/kernel/cmdline
         mode: "0644"
         content: "{{ configuration_kernel_cmdline_new }}\n"
 
     - name: Find BLS entries
-      when: is_rhel | default(false)
+      when: is_rhel | bool
       ansible.builtin.find:
         paths: /mnt/boot/loader/entries
         patterns: "*.conf"
@@ -281,7 +267,7 @@
 
     - name: Update BLS options with LUKS args
       when:
-        - is_rhel | default(false)
+        - is_rhel | bool
         - configuration_kernel_bls_entries.files | length > 0
       ansible.builtin.lineinfile:
         path: "{{ item.path }}"
@@ -292,13 +278,13 @@
         label: "{{ item.path }}"
 
     - name: Read grub defaults
-      when: not is_rhel | default(false)
+      when: not is_rhel | bool
       ansible.builtin.slurp:
         src: /mnt/etc/default/grub
       register: configuration_grub_slurp
 
     - name: Build grub command lines with LUKS args
-      when: not is_rhel | default(false)
+      when: not is_rhel | bool
       vars:
         configuration_grub_content_value: "{{ configuration_grub_slurp.content | b64decode }}"
         configuration_grub_cmdline_linux_value: >-
@@ -362,7 +348,7 @@
         configuration_grub_cmdline_default_new: "{{ configuration_grub_cmdline_default_new_value }}"
 
     - name: Update GRUB_CMDLINE_LINUX_DEFAULT for LUKS
-      when: not is_rhel | default(false)
+      when: not is_rhel | bool
       ansible.builtin.lineinfile:
         path: /mnt/etc/default/grub
         regexp: '^GRUB_CMDLINE_LINUX_DEFAULT='