feat: golden-image build support (cloud-init on EL, selinux relabel, SSH wait)

main.yml

@@ -141,6 +141,15 @@
         ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
         ansible_python_interpreter: /usr/bin/python3
 
+    - name: Wait for the rebooted host to accept SSH
+      when:
+        - post_reboot_can_connect | bool
+      ansible.builtin.wait_for_connection:
+        delay: 5
+        sleep: 5
+        # 600s: a selinux-enabled first boot relabels the filesystem and reboots once more.
+        timeout: 600
+
     - name: Re-gather facts for target OS after reboot
       when:
         - post_reboot_can_connect | bool
@@ -150,6 +159,13 @@
           - min
           - pkg_mgr
 
+    - name: Register with the Satellite content source
+      when:
+        - post_reboot_can_connect | bool
+        - system_cfg.content.source == 'satellite'
+        - system_cfg.os | lower in os_family_rhel
+      ansible.builtin.include_tasks: "{{ playbook_dir }}/roles/configuration/tasks/satellite_register.yml"
+
     - name: Install post-reboot packages
       when:
         - post_reboot_can_connect | bool

roles/bootstrap/vars/main.yml

@@ -11,6 +11,7 @@ bootstrap_common_conditional: >-
       + (['cryptsetup', 'tpm2-tools'] if system_cfg.luks.enabled | bool else [])
       + (['qemu-guest-agent'] if hypervisor_type in ['libvirt', 'proxmox'] else [])
       + (['open-vm-tools'] if hypervisor_type == 'vmware' else [])
+      + (['cloud-init'] if system_cfg.features.cloud_init | bool else [])
     )
   }}
 

roles/configuration/tasks/selinux.yml

@@ -11,6 +11,16 @@
       register: configuration_setfiles_result
       changed_when: configuration_setfiles_result.rc == 0
 
+    # setfiles in the chroot misses paths created at first boot (e.g. /var/lib/sss),
+    # leaving unlabeled_t files that block services under enforcing SELinux. Force a
+    # complete relabel on first boot; fixfiles consumes and removes the flag.
+    - name: Force a complete SELinux relabel on first boot
+      when: os in ['almalinux', 'rocky', 'rhel'] and system_cfg.features.selinux.enabled | bool
+      ansible.builtin.file:
+        path: /mnt/.autorelabel
+        state: touch
+        mode: "0644"
+
     # Fedora: setfiles segfaults during bootstrap chroot relabeling, so SELinux
     # is left permissive and expected to relabel on first boot.
     - name: Disable SELinux

roles/global_defaults/defaults/main.yml

@@ -58,6 +58,8 @@ system_defaults:
   version: ""
   filesystem: "ext4"
   name: ""
+  # consumed by the golden produce/deploy wrappers, not the bootstrap itself
+  source: ""
   id: ""
   cpus: 0
   memory: 0 # MiB
@@ -101,6 +103,10 @@ system_defaults:
     bits: 512
     pbkdf: "argon2id"
   features:
+    # Bake cloud-init for the deterministic clone-deploy golden path; off by
+    # default (ansible-direct everywhere, smaller image). Package name is
+    # uniform across families.
+    cloud_init: false
     cis:
       enabled: false
       profile: default # default|l1|l2 (default = current house behaviour)

roles/global_defaults/tasks/_normalize_system.yml

@@ -140,6 +140,7 @@
         pbkdf: "{{ system_raw.luks.pbkdf | string }}"
       # --- Feature flags ---
       features:
+        cloud_init: "{{ system_raw.features.cloud_init | default(false) | bool }}"
         cis:
           enabled: "{{ system_raw.features.cis.enabled | bool }}"
           profile: "{{ system_raw.features.cis.profile | default('default') | string }}"