refactor(vars): enforce nested system and hypervisor schema

2026-02-11 05:37:18 +01:00
parent 9101e12126
commit 961c8f259c
5 changed files with 606 additions and 162 deletions
--- a/roles/global_defaults/defaults/main.yml
+++ b/roles/global_defaults/defaults/main.yml
@@ -7,58 +7,77 @@ hypervisor_defaults:
  url: ""
  username: ""
  password: ""
-  node: ""
+  host: ""
  storage: ""
  datacenter: ""
  cluster: ""
  validate_certs: false
+  ssh: false
+
 custom_iso: false
-cis: false
-selinux: true
-vmware_ssh: false
-firewall_enabled: true
-firewall_backend: "firewalld"
-firewall_toolkit: "nftables"
-ssh_enabled: true
-zstd_enabled: true
-swap_enabled: true
-chroot_tool: "arch-chroot"
-os_version: ""
-motd_enabled: true
-sudo_banner_enabled: true
 thirdparty_preparation_tasks_path: "dropins/preparation.yml"

-cis_enabled: "{{ cis | bool }}"
-
 system_defaults:
+  type: "virtual" # virtual|physical
+  os: ""
+  os_version: ""
  name: ""
  id: ""
  cpus: 0
-  memory_mb: 0
-  balloon_mb: 0
+  memory: 0 # MiB
+  balloon: 0 # MiB
  network: ""
  vlan: ""
  ip: ""
  prefix: ""
  gateway: ""
-  dns_servers: []
-  dns_search: []
+  dns:
+    servers: []
+    search: []
  path: ""
+  packages: []
  disks: []
-
-luks_enabled: false
-luks_mapper_name: "SYSTEM_DECRYPTED"
-luks_auto_decrypt: true
-luks_auto_decrypt_method: "tpm2"
-luks_tpm2_device: "auto"
-luks_tpm2_pcrs: ""
-luks_keyfile_size: 64
-luks_options: "discard,tries=3"
-luks_type: "luks2"
-luks_cipher: "aes-xts-plain64"
-luks_hash: "sha512"
-luks_iter_time: 4000
-luks_key_size: 512
-luks_pbkdf: "argon2id"
-luks_use_urandom: true
-luks_verify_passphrase: true
+  user:
+    name: ""
+    password: ""
+    public_key: ""
+  root:
+    password: ""
+  luks:
+    enabled: false
+    passphrase: ""
+    mapper_name: "SYSTEM_DECRYPTED"
+    auto_decrypt: true
+    auto_decrypt_method: "tpm2"
+    tpm2_device: "auto"
+    tpm2_pcrs: ""
+    keyfile_size: 64
+    options: "discard,tries=3"
+    type: "luks2"
+    cipher: "aes-xts-plain64"
+    hash: "sha512"
+    iter_time: 4000
+    key_size: 512
+    pbkdf: "argon2id"
+    use_urandom: true
+    verify_passphrase: true
+  features:
+    cis:
+      enabled: false
+    selinux:
+      enabled: true
+    firewall:
+      enabled: true
+      backend: "firewalld" # firewalld|ufw
+      toolkit: "nftables" # nftables|iptables
+    ssh:
+      enabled: true
+    zstd:
+      enabled: true
+    swap:
+      enabled: true
+    banner:
+      motd: true
+      sudo: true
+    chroot:
+      tool: "arch-chroot" # arch-chroot|chroot|systemd-nspawn