refactor(vars): enforce nested system and hypervisor schema

main.yml

@@ -5,26 +5,75 @@
   gather_facts: false
   become: true
   vars_prompt:
-    - name: user_name
+    - name: system_user_name
       prompt: |
         What is your username?
       private: false
 
-    - name: user_public_key
+    - name: system_user_public_key
       prompt: |
         What is your ssh key?
       private: false
 
-    - name: user_password
+    - name: system_user_password
       prompt: |
         What is your password?
       confirm: true
 
-    - name: root_password
+    - name: system_root_password
       prompt: |
         What is your root password?
       confirm: true
   pre_tasks:
+    - name: Apply prompted authentication values to system input
+      vars:
+        system_input: "{{ system | default({}) }}"
+        system_user_input: "{{ (system_input.user | default({})) if (system_input.user is mapping) else {} }}"
+        system_root_input: "{{ (system_input.root | default({})) if (system_input.root is mapping) else {} }}"
+        system_user_name_effective: >-
+          {{
+            (system_user_input.name | default('') | string)
+            if (system_user_input.name | default('') | string | length) > 0
+            else (system_user_name | default('') | string)
+          }}
+        system_user_public_key_effective: >-
+          {{
+            (system_user_input.public_key | default('') | string)
+            if (system_user_input.public_key | default('') | string | length) > 0
+            else (system_user_public_key | default('') | string)
+          }}
+        system_user_password_effective: >-
+          {{
+            (system_user_input.password | default('') | string)
+            if (system_user_input.password | default('') | string | length) > 0
+            else (system_user_password | default('') | string)
+          }}
+        system_root_password_effective: >-
+          {{
+            (system_root_input.password | default('') | string)
+            if (system_root_input.password | default('') | string | length) > 0
+            else (system_root_password | default('') | string)
+          }}
+      ansible.builtin.set_fact:
+        system: >-
+          {{
+            system_input
+            | combine(
+                {
+                  'user': {
+                    'name': system_user_name_effective,
+                    'public_key': system_user_public_key_effective,
+                    'password': system_user_password_effective
+                  },
+                  'root': {
+                    'password': system_root_password_effective
+                  }
+                },
+                recursive=True
+              )
+          }}
+      changed_when: false
+
     - name: Load global defaults
       ansible.builtin.import_role:
         name: global_defaults
@@ -35,7 +84,7 @@
 
   roles:
     - role: virtualization
-      when: install_type == "virtual"
+      when: system_cfg.type == "virtual"
       become: false
       vars:
         ansible_connection: local
@@ -54,10 +103,10 @@
     - role: configuration
 
     - role: cis
-      when: cis_enabled
+      when: system_cfg.features.cis.enabled | bool
 
     - role: cleanup
-      when: install_type in ["virtual", "physical"]
+      when: system_cfg.type in ["virtual", "physical"]
       become: false
 
   post_tasks:
@@ -68,7 +117,7 @@
             (ansible_connection | default('ssh')) != 'ssh'
             or ((system_cfg.ip | default('') | string | length) > 0)
             or (
-              install_type == 'physical'
+              system_cfg.type == 'physical'
               and (ansible_host | default('') | string | length) > 0
             )
           }}
@@ -78,29 +127,16 @@
       when:
         - post_reboot_can_connect | bool
       ansible.builtin.set_fact:
-        ansible_user: "{{ user_name }}"
-        ansible_password: "{{ user_password }}"
-        ansible_become_password: "{{ user_password }}"
+        ansible_user: "{{ system_cfg.user.name }}"
+        ansible_password: "{{ system_cfg.user.password }}"
+        ansible_become_password: "{{ system_cfg.user.password }}"
         ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
 
-    - name: Install post-reboot extra packages
-      vars:
-        post_install_extra_packages: >-
-          {{
-            (
-              extra_packages
-              if (extra_packages is iterable and extra_packages is not string)
-              else (extra_packages | string).split(',')
-            )
-            | map('trim')
-            | reject('equalto', '')
-            | list
-          }}
+    - name: Install post-reboot packages
       when:
         - post_reboot_can_connect | bool
-        - extra_packages is defined
-        - extra_packages | length > 0
-        - post_install_extra_packages | length > 0
+        - system_cfg.packages is defined
+        - system_cfg.packages | length > 0
       ansible.builtin.package:
-        name: "{{ post_install_extra_packages }}"
+        name: "{{ system_cfg.packages }}"
         state: present