From a460584c5ddf3e0c90f88b741e327f2f070774b7 Mon Sep 17 00:00:00 2001 From: Sandwich Date: Sun, 22 Feb 2026 02:26:54 +0100 Subject: [PATCH] refactor(configuration): add platform_config dict and replace is_rhel/is_debian with os_family lookups --- roles/configuration/tasks/bootloader.yml | 25 +++------ roles/configuration/tasks/encryption.yml | 22 ++++---- roles/configuration/tasks/extras.yml | 2 +- roles/configuration/tasks/grub.yml | 4 +- roles/configuration/tasks/locales.yml | 4 +- roles/configuration/tasks/main.yml | 6 ++- roles/configuration/tasks/selinux.yml | 2 +- roles/configuration/tasks/services.yml | 8 +-- roles/configuration/tasks/sudo.yml | 2 +- roles/configuration/tasks/users.yml | 3 +- roles/configuration/vars/main.yml | 67 ++++++++++++++++++++++++ 11 files changed, 101 insertions(+), 44 deletions(-) create mode 100644 roles/configuration/vars/main.yml diff --git a/roles/configuration/tasks/bootloader.yml b/roles/configuration/tasks/bootloader.yml index 0473f11..72d6aa2 100644 --- a/roles/configuration/tasks/bootloader.yml +++ b/roles/configuration/tasks/bootloader.yml @@ -6,11 +6,10 @@ "redhat" if os == "rhel" else ("ubuntu" if os in ["ubuntu", "ubuntu-lts"] else os) }} - _efi_loader: >- - {{ "shimx64.efi" if is_rhel | bool else "grubx64.efi" }} + _efi_loader: "{{ _configuration_platform.efi_loader }}" block: - name: Install GRUB EFI binary - when: not (is_rhel | bool) + when: _configuration_platform.grub_install ansible.builtin.command: >- {{ chroot_command }} /usr/sbin/grub-install --target=x86_64-efi --efi-directory={{ partitioning_efi_mountpoint }} 
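Review bot: The new condition `when: _configuration_platform.grub_install` on "Install GRUB EFI binary" drops the `| bool` coercion that the old `is_rhel | bool` test had, so it relies on the dict value staying a real YAML boolean. If the value ever arrives as a string, for example from an override of `configuration_platform_config`, a non-empty `"false"` may not evaluate as false and grub-install would run where it was meant to be skipped. I would write `when: _configuration_platform.grub_install | bool`; the same applies to `when: _configuration_platform.locale_gen` in both locales.yml hunks. The enclosing task starts before this hunk and its block continues past it.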
@@ -44,20 +43,8 @@ backrefs: true - name: Regenerate initramfs - when: os not in ["alpine", "void"] - vars: - configuration_initramfs_cmd: >- - {{ - '/usr/sbin/mkinitcpio -P' - if os == "archlinux" - else ( - '/usr/bin/env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ' - + '/usr/sbin/update-initramfs -u -k all' - if is_debian | bool - else '/usr/bin/dracut --regenerate-all --force' - ) - }} - ansible.builtin.command: "{{ chroot_command }} {{ configuration_initramfs_cmd }}" + when: _configuration_platform.initramfs_cmd | length > 0 + ansible.builtin.command: "{{ chroot_command }} {{ _configuration_platform.initramfs_cmd }}" register: configuration_initramfs_result changed_when: configuration_initramfs_result.rc == 0 @@ -65,10 +52,10 @@ vars: configuration_grub_cfg_cmd: >- {{ - '/usr/sbin/grub2-mkconfig -o ' + '/usr/sbin/' + _configuration_platform.grub_mkconfig_prefix + ' -o ' + partitioning_efi_mountpoint + '/EFI/' + _efi_vendor + '/grub.cfg' - if is_rhel | bool + if os_family == 'RedHat' else '/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg' }} ansible.builtin.command: "{{ chroot_command }} {{ configuration_grub_cfg_cmd }}" diff --git a/roles/configuration/tasks/encryption.yml b/roles/configuration/tasks/encryption.yml index 6aa9deb..5f69f38 100644 --- a/roles/configuration/tasks/encryption.yml +++ b/roles/configuration/tasks/encryption.yml @@ -134,7 +134,7 @@ - name: Ensure keyfile pattern for initramfs-tools when: - - is_debian | bool + - os_family == 'Debian' - configuration_luks_keyfile_in_use ansible.builtin.lineinfile: path: /mnt/etc/cryptsetup-initramfs/conf-hook @@ -198,14 +198,14 @@ }}) - name: Ensure dracut config directory exists - when: is_rhel | bool + when: os_family == 'RedHat' ansible.builtin.file: path: /mnt/etc/dracut.conf.d state: directory mode: "0755" - name: Configure dracut for LUKS - when: is_rhel | bool + when: os_family == 'RedHat' ansible.builtin.copy: dest: /mnt/etc/dracut.conf.d/crypt.conf content: | 
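Review bot: The `configuration_grub_cfg_cmd` expression in the @@ -65 hunk is only half migrated. The RedHat branch reads the binary name from `_configuration_platform.grub_mkconfig_prefix`, but the expression still branches on `os_family == 'RedHat'` and the else branch hard-codes `/usr/sbin/grub-mkconfig`, so the values set for the other families are not read in this expression. The key name is also misleading, because it holds the whole binary name rather than a prefix. I would use the lookup in both branches, e.g. `else '/usr/sbin/' + _configuration_platform.grub_mkconfig_prefix + ' -o /boot/grub/grub.cfg'`, and rename the key to something like `grub_mkconfig_bin`. The task header lies outside the hunk.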
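Review bot: The dracut LUKS tasks in the encryption.yml @@ -198 hunk ("Ensure dracut config directory exists", "Configure dracut for LUKS") are gated on `os_family == 'RedHat'`, while the new vars file also gives `Suse` a dracut `initramfs_cmd`. If encrypted Suse installs are supported, their initramfs would be regenerated without `/mnt/etc/dracut.conf.d/crypt.conf`; whether that matters cannot be judged here, because the file content is cut off by the hunk. Gating on the initramfs tool rather than the family would keep the two in step, for example `when: _configuration_platform.initramfs_tool == 'dracut'` (a proposed key, not in the patch). If Suse is excluded on purpose, a short comment saying so would help.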
@@ -216,13 +216,13 @@ mode: "0644" - name: Read kernel cmdline defaults - when: is_rhel | bool + when: os_family == 'RedHat' ansible.builtin.slurp: src: /mnt/etc/kernel/cmdline register: configuration_kernel_cmdline_slurp - name: Build kernel cmdline with LUKS args - when: is_rhel | bool + when: os_family == 'RedHat' vars: kernel_cmdline_current: >- {{ configuration_kernel_cmdline_slurp.content | b64decode | trim }} @@ -247,14 +247,14 @@ configuration_kernel_cmdline_new: "{{ kernel_cmdline_new }}" - name: Write kernel cmdline with LUKS args - when: is_rhel | bool + when: os_family == 'RedHat' ansible.builtin.copy: dest: /mnt/etc/kernel/cmdline mode: "0644" content: "{{ configuration_kernel_cmdline_new }}\n" - name: Find BLS entries for encryption kernel cmdline - when: is_rhel | bool + when: os_family == 'RedHat' ansible.builtin.find: paths: /mnt/boot/loader/entries patterns: "*.conf" @@ -263,7 +263,7 @@ - name: Update BLS options with LUKS args when: - - is_rhel | bool + - os_family == 'RedHat' - configuration_kernel_bls_entries.files | length > 0 ansible.builtin.lineinfile: path: "{{ item.path }}" @@ -274,13 +274,13 @@ label: "{{ item.path }}" - name: Read grub defaults - when: not is_rhel | bool + when: not os_family == 'RedHat' ansible.builtin.slurp: src: /mnt/etc/default/grub register: configuration_grub_slurp - name: Build grub command lines with LUKS args - when: not is_rhel | bool + when: not os_family == 'RedHat' vars: grub_content: "{{ configuration_grub_slurp.content | b64decode }}" grub_cmdline_linux: >- @@ -344,7 +344,7 @@ configuration_grub_cmdline_default_new: "{{ grub_cmdline_default_new }}" - name: Update GRUB_CMDLINE_LINUX_DEFAULT for LUKS - when: not is_rhel | bool + when: not os_family == 'RedHat' ansible.builtin.lineinfile: path: /mnt/etc/default/grub regexp: "^GRUB_CMDLINE_LINUX_DEFAULT=" diff --git a/roles/configuration/tasks/extras.yml b/roles/configuration/tasks/extras.yml index 9b8bc37..a4ce37f 100644 
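Review bot: `when: not os_family == 'RedHat'` on "Read grub defaults" and "Build grub command lines with LUKS args" (@@ -274 hunk) is correct only because Jinja2 binds `not` more loosely than `==`; at a glance it reads like `(not os_family) == 'RedHat'`. grub.yml in this same patch writes the condition as `when: os_family != 'RedHat'`, and I would use that form here and on "Update GRUB_CMDLINE_LINUX_DEFAULT for LUKS" in the @@ -344 hunk. These tasks decide which boot path receives the LUKS arguments, so an unambiguous condition is worth the small edit.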
--- a/roles/configuration/tasks/extras.yml +++ b/roles/configuration/tasks/extras.yml @@ -1,7 +1,7 @@ --- - name: Append vim configurations to vimrc ansible.builtin.blockinfile: - path: "{{ '/mnt/etc/vim/vimrc' if is_debian | bool else '/mnt/etc/vimrc' }}" + path: "{{ '/mnt/etc/vim/vimrc' if os_family == 'Debian' else '/mnt/etc/vimrc' }}" block: | set encoding=utf-8 set number diff --git a/roles/configuration/tasks/grub.yml b/roles/configuration/tasks/grub.yml index dfdd9e4..9e94dcb 100644 --- a/roles/configuration/tasks/grub.yml +++ b/roles/configuration/tasks/grub.yml @@ -1,6 +1,6 @@ --- - name: Configure grub defaults - when: not is_rhel | bool + when: os_family != 'RedHat' ansible.builtin.lineinfile: dest: /mnt/etc/default/grub regexp: "{{ item.regexp }}" @@ -14,7 +14,7 @@ label: "{{ item.line }}" - name: Ensure grub defaults file exists for RHEL-based systems - when: is_rhel | bool + when: os_family == 'RedHat' block: - name: Build RHEL kernel command line defaults vars: diff --git a/roles/configuration/tasks/locales.yml b/roles/configuration/tasks/locales.yml index c3096ff..41c70e1 100644 --- a/roles/configuration/tasks/locales.yml +++ b/roles/configuration/tasks/locales.yml @@ -14,7 +14,7 @@ - name: Setup locales block: - name: Configure locale.gen - when: not is_rhel | bool + when: _configuration_platform.locale_gen ansible.builtin.lineinfile: dest: /mnt/etc/locale.gen regexp: "{{ item.regex }}" @@ -25,7 +25,7 @@ label: "{{ item.line }}" - name: Generate locales - when: not is_rhel | bool + when: _configuration_platform.locale_gen ansible.builtin.command: "{{ chroot_command }} /usr/sbin/locale-gen" register: configuration_locale_result changed_when: configuration_locale_result.rc == 0 diff --git a/roles/configuration/tasks/main.yml b/roles/configuration/tasks/main.yml index 2dc571f..de6c9ff 100644 --- a/roles/configuration/tasks/main.yml +++ b/roles/configuration/tasks/main.yml 
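Review bot: The switch to `when: _configuration_platform.locale_gen` on "Configure locale.gen" (locales.yml @@ -14 hunk) looks like a behaviour change rather than a pure refactor. The vars file sets `locale_gen: false` for `Alpine` and `Void`, whereas the old `not is_rhel | bool` would presumably have been true for them. If skipping locale generation on those two families is intended, the commit message should say so; if not, the two values should be `true`. The same condition is used on "Generate locales" in the @@ -25 hunk, and since the definition of `is_rhel` is not visible in this patch, this needs confirming against the old variable.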
@@ -1,4 +1,8 @@ --- +- name: Resolve platform-specific configuration + ansible.builtin.set_fact: + _configuration_platform: "{{ configuration_platform_config[os_family] }}" + - name: Include configuration tasks when: configuration_task.when | default(true) ansible.builtin.include_tasks: "{{ configuration_task.file }}" @@ -17,7 +21,7 @@ - file: users.yml - file: sudo.yml - file: selinux.yml - when: "{{ is_rhel | bool }}" + when: "{{ os_family == 'RedHat' }}" loop_control: loop_var: configuration_task label: "{{ configuration_task.file }}" diff --git a/roles/configuration/tasks/selinux.yml b/roles/configuration/tasks/selinux.yml index 594f4e7..88bd294 100644 --- a/roles/configuration/tasks/selinux.yml +++ b/roles/configuration/tasks/selinux.yml @@ -1,6 +1,6 @@ --- - name: Fix SELinux - when: is_rhel | bool + when: os_family == 'RedHat' block: - name: Fix SELinux by pre-labeling the filesystem before first boot when: os in ['almalinux', 'rocky', 'rhel'] and system_cfg.features.selinux.enabled | bool diff --git a/roles/configuration/tasks/services.yml b/roles/configuration/tasks/services.yml index 1888d13..d16ec74 100644 --- a/roles/configuration/tasks/services.yml +++ b/roles/configuration/tasks/services.yml 
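Review bot: The new `set_fact` in the main.yml @@ -1 hunk indexes `configuration_platform_config[os_family]` without checking that `os_family` is defined and is one of the dict's keys, so an unset or misspelled family fails with a generic templating error at the top of the role. An explicit `ansible.builtin.assert` before the lookup would fail with a clear message listing the supported families. It would also guarantee that the later `os_family == '...'` comparisons in encryption.yml, grub.yml and selinux.yml are made against a known value. Where `os_family` is set is not visible in this patch.

```yaml
- name: Validate os_family before resolving platform configuration
  ansible.builtin.assert:
    that:
      - os_family is defined
      - os_family in configuration_platform_config
    fail_msg: >-
      Unsupported os_family '{{ os_family | default("undefined") }}';
      expected one of {{ configuration_platform_config.keys() | list | join(', ') }}
# … unchanged: "Resolve platform-specific configuration" set_fact …
```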
@@ -1,13 +1,13 @@ --- - name: Enable systemd services - when: os not in ['alpine', 'void'] + when: _configuration_platform.init_system == 'systemd' vars: configuration_systemd_services: >- {{ ['NetworkManager'] + (['firewalld'] if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else []) + (['ufw'] if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else []) - + ([('ssh' if is_debian | bool else 'sshd')] if system_cfg.features.ssh.enabled | bool else []) + + ([_configuration_platform.ssh_service] if system_cfg.features.ssh.enabled | bool else []) + (['logrotate', 'systemd-timesyncd'] if os == 'archlinux' else []) }} ansible.builtin.command: "{{ chroot_command }} systemctl enable {{ item }}" @@ -16,7 +16,7 @@ changed_when: configuration_enable_service_result.rc == 0 - name: Enable OpenRC services - when: os == 'alpine' + when: _configuration_platform.init_system == 'openrc' vars: configuration_openrc_services: >- {{ @@ -48,7 +48,7 @@ when: item.stat.exists - name: Enable runit services - when: os == 'void' + when: _configuration_platform.init_system == 'runit' vars: configuration_runit_services: >- {{ diff --git a/roles/configuration/tasks/sudo.yml b/roles/configuration/tasks/sudo.yml index 141d09d..3e21682 100644 --- a/roles/configuration/tasks/sudo.yml +++ b/roles/configuration/tasks/sudo.yml @@ -9,7 +9,7 @@ - name: Give sudo access to wheel group ansible.builtin.copy: - content: "{{ '%sudo ALL=(ALL) ALL\n' if is_debian | bool else '%wheel ALL=(ALL) ALL\n' }}" + content: "{{ _configuration_platform.sudo_group }} ALL=(ALL) ALL\n" dest: /mnt/etc/sudoers.d/01-wheel mode: "0440" validate: /usr/sbin/visudo --check --file=%s diff --git a/roles/configuration/tasks/users.yml b/roles/configuration/tasks/users.yml index e9ad009..42b58e4 100644 --- a/roles/configuration/tasks/users.yml +++ b/roles/configuration/tasks/users.yml 
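Review bot: `sudo_group` duplicates `user_group` with a leading `%`, so the sudoers line written in the sudo.yml hunk and the group that users.yml adds accounts to are two values that must be kept in step by hand. If they drift, the sudoers entry grants `ALL=(ALL) ALL` to a group other than the one the created users are in. I would derive the line from the single key, `content: "%{{ _configuration_platform.user_group }} ALL=(ALL) ALL\n"`, and drop `sudo_group` from the dict. The task name and `dest` still say wheel although the Debian value is `%sudo`, which is worth a comment at least.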
@@ -17,8 +17,7 @@ - name: Create user accounts vars: - configuration_user_group: >- - {{ "sudo" if is_debian | bool else "wheel" }} + configuration_user_group: "{{ _configuration_platform.user_group }}" # UID starts at 1000; safe for fresh installs only configuration_useradd_cmd: >- {{ chroot_command }} /usr/sbin/useradd --create-home --user-group diff --git a/roles/configuration/vars/main.yml b/roles/configuration/vars/main.yml new file mode 100644 index 0000000..a1d6fce --- /dev/null +++ b/roles/configuration/vars/main.yml 
@@ -0,0 +1,67 @@ +--- +# Platform-specific configuration values keyed by os_family. +# Consumed as _configuration_platform in tasks via: +# configuration_platform_config[os_family] +configuration_platform_config: + RedHat: + user_group: wheel + sudo_group: "%wheel" + ssh_service: sshd + efi_loader: shimx64.efi + grub_install: false + initramfs_cmd: "/usr/bin/dracut --regenerate-all --force" + grub_mkconfig_prefix: grub2-mkconfig + locale_gen: false + init_system: systemd + Debian: + user_group: sudo + sudo_group: "%sudo" + ssh_service: ssh + efi_loader: grubx64.efi + grub_install: true + initramfs_cmd: >- + /usr/bin/env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + /usr/sbin/update-initramfs -u -k all + grub_mkconfig_prefix: grub-mkconfig + locale_gen: true + init_system: systemd + Archlinux: + user_group: wheel + sudo_group: "%wheel" + ssh_service: sshd + efi_loader: grubx64.efi + grub_install: true + initramfs_cmd: "/usr/sbin/mkinitcpio -P" + grub_mkconfig_prefix: grub-mkconfig + locale_gen: true + init_system: systemd + Suse: + user_group: wheel + sudo_group: "%wheel" + ssh_service: sshd + efi_loader: grubx64.efi + grub_install: true + initramfs_cmd: "/usr/bin/dracut --regenerate-all --force" + grub_mkconfig_prefix: grub-mkconfig + locale_gen: true + init_system: systemd + Alpine: + user_group: wheel + sudo_group: "%wheel" + ssh_service: sshd + efi_loader: grubx64.efi + grub_install: true + initramfs_cmd: "" + grub_mkconfig_prefix: grub-mkconfig + locale_gen: false + init_system: openrc + Void: + user_group: wheel + sudo_group: "%wheel" + ssh_service: sshd + efi_loader: grubx64.efi + grub_install: true + initramfs_cmd: "" + grub_mkconfig_prefix: grub-mkconfig + locale_gen: false + init_system: runit
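Review bot: The header comment names the dict but not the contract of its keys, and several of them are not self-explanatory. I would add a comment block stating that `initramfs_cmd` is run verbatim inside the chroot by `ansible.builtin.command` and that an empty string means the regenerate step is skipped, and that `grub_mkconfig_prefix` holds the binary name under `/usr/sbin/`. It should also state that `init_system` must be one of `systemd`, `openrc` or `runit`, because the three service tasks visible in services.yml would all be skipped for any other value, which could leave ssh and the firewall disabled without an error. The comment should add that every family must define all nine keys, since the tasks read them without `default()`.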