feat: golden-image build support (cloud-init on EL, selinux relabel, SSH wait)

2026-05-27 05:05:55 +02:00
parent 2c35409519
commit 939c5c741f
5 changed files with 34 additions and 0 deletions
--- a/roles/bootstrap/vars/main.yml
+++ b/roles/bootstrap/vars/main.yml
@@ -11,6 +11,7 @@ bootstrap_common_conditional: >-
      + (['cryptsetup', 'tpm2-tools'] if system_cfg.luks.enabled | bool else [])
      + (['qemu-guest-agent'] if hypervisor_type in ['libvirt', 'proxmox'] else [])
      + (['open-vm-tools'] if hypervisor_type == 'vmware' else [])
+      + (['cloud-init'] if system_cfg.features.cloud_init | bool else [])
    )
  }}

--- a/roles/configuration/tasks/selinux.yml
+++ b/roles/configuration/tasks/selinux.yml
@@ -11,6 +11,16 @@
      register: configuration_setfiles_result
      changed_when: configuration_setfiles_result.rc == 0

+    # setfiles in the chroot misses paths created at first boot (e.g. /var/lib/sss),
+    # leaving unlabeled_t files that block services under enforcing SELinux. Force a
+    # complete relabel on first boot; fixfiles consumes and removes the flag.
+    - name: Force a complete SELinux relabel on first boot
+      when: os in ['almalinux', 'rocky', 'rhel'] and system_cfg.features.selinux.enabled | bool
+      ansible.builtin.file:
+        path: /mnt/.autorelabel
+        state: touch
+        mode: "0644"
+
    # Fedora: setfiles segfaults during bootstrap chroot relabeling, so SELinux
    # is left permissive and expected to relabel on first boot.
    - name: Disable SELinux
--- a/roles/global_defaults/defaults/main.yml
+++ b/roles/global_defaults/defaults/main.yml
@@ -58,6 +58,8 @@ system_defaults:
  version: ""
  filesystem: "ext4"
  name: ""
+  # consumed by the golden produce/deploy wrappers, not the bootstrap itself
+  source: ""
  id: ""
  cpus: 0
  memory: 0 # MiB
@@ -101,6 +103,10 @@ system_defaults:
    bits: 512
    pbkdf: "argon2id"
  features:
+    # Bake cloud-init for the deterministic clone-deploy golden path; off by
+    # default (ansible-direct everywhere, smaller image). Package name is
+    # uniform across families.
+    cloud_init: false
    cis:
      enabled: false
      profile: default # default|l1|l2 (default = current house behaviour)
--- a/roles/global_defaults/tasks/_normalize_system.yml
+++ b/roles/global_defaults/tasks/_normalize_system.yml
@@ -140,6 +140,7 @@
        pbkdf: "{{ system_raw.luks.pbkdf | string }}"
      # --- Feature flags ---
      features:
+        cloud_init: "{{ system_raw.features.cloud_init | default(false) | bool }}"
        cis:
          enabled: "{{ system_raw.features.cis.enabled | bool }}"
          profile: "{{ system_raw.features.cis.profile | default('default') | string }}"