docu(readme): document dict-based variables and examples

2026-02-11 05:37:18 +01:00
parent fcc7c6aeb6
commit a9db85d45e
4 changed files with 326 additions and 117 deletions


@@ -1,65 +1,127 @@
--- ---
all: all:
vars: vars:
install_type: "virtual"
hypervisor: hypervisor:
type: "proxmox" type: "proxmox"
url: "pve01.example.com" url: "pve01.example.com"
username: "root@pam" username: "root@pam"
password: "CHANGE_ME" password: "CHANGE_ME"
node: "pve01" host: "pve01"
storage: "local-lvm" storage: "local-lvm"
install_drive: "/dev/sda"
boot_iso: "local:iso/archlinux-x86_64.iso" boot_iso: "local:iso/archlinux-x86_64.iso"
children: children:
proxmox: proxmox:
hosts: hosts:
app01.example.com: app01.example.com:
ansible_host: 10.0.0.10 ansible_host: 10.0.0.10
os: "archlinux"
filesystem: "btrfs" filesystem: "btrfs"
system: system:
type: "virtual"
os: "archlinux"
name: "app01.example.com" name: "app01.example.com"
id: 100 id: 100
cpus: 2 cpus: 2
memory_mb: 4096 memory: 4096
balloon: 0
network: "vmbr0" network: "vmbr0"
ip: 10.0.0.10 ip: 10.0.0.10
prefix: 24 prefix: 24
gateway: 10.0.0.1 gateway: 10.0.0.1
dns_servers: dns:
- 1.1.1.1 servers:
- 1.0.0.1 - 1.1.1.1
- 1.0.0.1
search:
- example.com
disks: disks:
- size: 40 - size: 40
- size: 80 - size: 80
mount: /data mount:
fstype: xfs path: /data
extra_packages: fstype: xfs
- jq label: DATA
- tmux opts: defaults
user:
name: "ops"
password: "CHANGE_ME"
public_key: "ssh-ed25519 AAAA..."
root:
password: "CHANGE_ME"
packages:
- jq
- tmux
features:
cis:
enabled: false
selinux:
enabled: true
firewall:
enabled: true
backend: "firewalld"
toolkit: "nftables"
ssh:
enabled: true
zstd:
enabled: true
swap:
enabled: true
banner:
motd: true
sudo: true
chroot:
tool: "arch-chroot"
db01.example.com: db01.example.com:
ansible_host: 10.0.0.11 ansible_host: 10.0.0.11
os: "rhel"
os_version: "9"
filesystem: "xfs" filesystem: "xfs"
rhel_iso: "local:iso/rhel-9.4-x86_64-dvd.iso"
system: system:
type: "virtual"
os: "rhel"
os_version: "9"
name: "db01.example.com" name: "db01.example.com"
id: 101 id: 101
cpus: 4 cpus: 4
memory_mb: 8192 memory: 8192
network: "vmbr0" network: "vmbr0"
ip: 10.0.0.11 ip: 10.0.0.11
prefix: 24 prefix: 24
gateway: 10.0.0.1 gateway: 10.0.0.1
dns_servers: "1.1.1.1,1.0.0.1" dns:
servers: "1.1.1.1,1.0.0.1"
disks: disks:
- size: 80 - size: 80
rhel_iso: "local:iso/rhel-9.4-x86_64-dvd.iso" - size: 200
luks_enabled: true mount:
luks_passphrase: "CHANGE_ME" path: /srv/data
luks_auto_decrypt_method: "keyfile" fstype: ext4
luks_keyfile_size: 128 user:
cis: true name: "dbadmin"
selinux: false password: "CHANGE_ME"
firewall_enabled: false public_key: "ssh-ed25519 AAAA..."
root:
password: "CHANGE_ME"
luks:
enabled: true
passphrase: "CHANGE_ME"
auto_decrypt_method: "keyfile"
keyfile_size: 128
features:
cis:
enabled: true
selinux:
enabled: false
firewall:
enabled: false
backend: "firewalld"
toolkit: "nftables"
ssh:
enabled: true
zstd:
enabled: true
swap:
enabled: true
banner:
motd: true
sudo: true
chroot:
tool: "arch-chroot"
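Review bot: `dns.servers` is a list for app01 but the comma-separated string `"1.1.1.1,1.0.0.1"` for db01 in the same inventory (the libvirt example's compute01 host does the same); unless the role normalizes both forms, one of the two hosts ends up with a wrong resolver configuration, so write db01's as `servers:` / `- 1.1.1.1` / `- 1.0.0.1`. The `hypervisor.password`, `user.password`, `root.password` and `luks.passphrase` placeholders are plain strings in an inventory file that is normally committed; a comment on the first occurrence such as `# CHANGE_ME: supply via ansible-vault or a lookup, never commit a real value` makes the intent explicit. The same two points apply to the other three example files in this commit.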


@@ -1,65 +1,126 @@
--- ---
all: all:
vars: vars:
install_type: "virtual"
hypervisor: hypervisor:
type: "libvirt" type: "libvirt"
install_drive: "/dev/vda" url: "localhost"
username: ""
password: ""
host: ""
storage: "default"
boot_iso: "/var/lib/libvirt/images/archlinux-x86_64.iso" boot_iso: "/var/lib/libvirt/images/archlinux-x86_64.iso"
children: children:
libvirt: libvirt:
hosts: hosts:
web01.example.com: web01.local:
ansible_host: 192.168.122.10 ansible_host: 192.168.122.20
os: "debian"
os_version: "12"
filesystem: "ext4" filesystem: "ext4"
system: system:
name: "web01.example.com" type: "virtual"
os: "debian"
os_version: "12"
name: "web01.local"
cpus: 2 cpus: 2
memory_mb: 2048 memory: 2048
ip: 192.168.122.10 network: "default"
ip: 192.168.122.20
prefix: 24 prefix: 24
gateway: 192.168.122.1 gateway: 192.168.122.1
dns_servers: 1.1.1.1 dns:
servers:
- 1.1.1.1
search:
- lab.local
path: "/var/lib/libvirt/images"
disks: disks:
- size: 30 - size: 30
extra_packages: - size: 80
- nginx mount:
- fail2ban path: /var/www
vault01.example.com: fstype: xfs
ansible_host: 192.168.122.11 user:
os: "ubuntu-lts" name: "web"
password: "CHANGE_ME"
public_key: "ssh-ed25519 AAAA..."
root:
password: "CHANGE_ME"
packages:
- nginx
- curl
features:
firewall:
enabled: true
backend: "ufw"
toolkit: "nftables"
db01.local:
ansible_host: 192.168.122.21
filesystem: "xfs"
rhel_iso: "/var/lib/libvirt/images/rhel-9.4-x86_64-dvd.iso"
system:
type: "virtual"
os: "rhel"
os_version: "9"
name: "db01.local"
cpus: 4
memory: 4096
network: "default"
ip: 192.168.122.21
prefix: 24
gateway: 192.168.122.1
dns:
servers:
- 9.9.9.9
search:
- example.com
disks:
- size: 60
- size: 120
mount:
path: /data
fstype: ext4
user:
name: "db"
password: "CHANGE_ME"
public_key: "ssh-ed25519 AAAA..."
root:
password: "CHANGE_ME"
luks:
enabled: true
passphrase: "CHANGE_ME"
auto_decrypt_method: "keyfile"
features:
firewall:
enabled: false
backend: "firewalld"
toolkit: "nftables"
compute01.local:
ansible_host: 192.168.122.22
filesystem: "btrfs" filesystem: "btrfs"
system: system:
name: "vault01.example.com" type: "virtual"
cpus: 2 os: "fedora"
memory_mb: 4096 os_version: "41"
ip: 192.168.122.11 name: "compute01.local"
cpus: 8
memory: 8192
network: "default"
ip: 192.168.122.22
prefix: 24 prefix: 24
gateway: 192.168.122.1 gateway: 192.168.122.1
dns_search: "example.com" dns:
disks: servers: "1.1.1.1,1.0.0.1"
- size: 40
luks_enabled: true
luks_passphrase: "CHANGE_ME"
luks_auto_decrypt_method: "keyfile"
firewall_enabled: false
rhel9.example.com:
ansible_host: 192.168.122.12
os: "rhel"
os_version: "9"
filesystem: "xfs"
system:
name: "rhel9.example.com"
cpus: 4
memory_mb: 8192
vlan: "100"
ip: 192.168.122.12
prefix: 24
gateway: 192.168.122.1
dns_servers: "1.1.1.1,1.0.0.1"
path: "/srv/libvirt/images"
disks: disks:
- size: 80 - size: 80
rhel_iso: "/var/lib/libvirt/images/rhel-9.4-x86_64-dvd.iso" - size: 200
mount:
path: /data
fstype: btrfs
user:
name: "compute"
password: "CHANGE_ME"
public_key: "ssh-ed25519 AAAA..."
root:
password: "CHANGE_ME"
features:
cis:
enabled: true
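Review bot: The libvirt `hypervisor` block sets `username: ""`, `password: ""` and `host: ""` instead of omitting the keys; in Ansible an empty string is falsy but still `is defined`, so a role that gates remote-connection logic on `is defined` would take the remote path here — confirm against the role, and document the choice either way, e.g. `username: ""  # unused for a local libvirt socket; leave empty`. db01.local's `luks` block sets `auto_decrypt_method: "keyfile"` without `keyfile_size`, while the Proxmox example's db01 sets `keyfile_size: 128`; if the role has a default, say so in a comment, otherwise add the key so the two examples agree.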


@@ -1,20 +1,61 @@
--- ---
# Example variables for baremetal installs.
hypervisor: hypervisor:
type: "none" type: "none"
install_type: "physical"
install_drive: "/dev/sda"
os: "archlinux"
filesystem: "btrfs" filesystem: "btrfs"
cis: false system:
selinux: true type: "physical"
firewall_enabled: true os: "archlinux"
name: "{{ inventory_hostname }}"
luks_enabled: true cpus: 8
luks_passphrase: "1234" memory: 16384
luks_mapper_name: "SYSTEM_DECRYPTED" ip: "{{ ansible_host | default('') }}"
luks_auto_decrypt: true prefix: 24
luks_auto_decrypt_method: "tpm2" gateway: "10.0.0.1"
luks_tpm2_device: "auto" dns:
luks_tpm2_pcrs: "7" servers:
- "1.1.1.1"
disks:
- device: "/dev/sda"
size: 120
- device: "/dev/sdb"
size: 500
mount:
path: /data
fstype: ext4
user:
name: "admin"
password: "CHANGE_ME"
public_key: "ssh-ed25519 AAAA..."
root:
password: "CHANGE_ME"
luks:
enabled: true
passphrase: "CHANGE_ME"
mapper_name: "SYSTEM_DECRYPTED"
auto_decrypt: true
auto_decrypt_method: "tpm2"
tpm2_device: "auto"
tpm2_pcrs: "7"
features:
cis:
enabled: false
selinux:
enabled: true
firewall:
enabled: true
backend: "firewalld"
toolkit: "nftables"
ssh:
enabled: true
zstd:
enabled: true
swap:
enabled: true
banner:
motd: true
sudo: true
chroot:
tool: "arch-chroot"
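Review bot: `system.ip: "{{ ansible_host | default('') }}"` renders to an empty string when `ansible_host` is unset, which is not the same as the key being absent; if the role treats a missing `system.ip` as DHCP (as the previous virtual example's header comment described), the empty string may fall through to static configuration with no address — confirm, and either drop the `default('')` or document the DHCP behaviour next to the key. Minor: the `dns.servers` entries are quoted here (`- "1.1.1.1"`) but plain in the two inventory examples; both are valid YAML, but pick one form across the examples.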


@@ -1,47 +1,92 @@
--- ---
# Set system.ip for static addressing. Remove system.ip to use DHCP. # Example variables for virtual provisioning.
system: filesystem: "btrfs"
ip: "{{ inventory_hostname }}" custom_iso: false
install_type: "virtual"
install_drive: "/dev/sda" # Use /dev/vda for virtio/libvirt.
custom_iso: false # Set true to skip ArchISO-specific validation and pacman setup.
cis: false # Set true to enable CIS hardening.
selinux: true # Toggle SELinux where supported.
firewall_enabled: true # Toggle firewall package and service.
hypervisor: hypervisor:
type: "proxmox" # libvirt|proxmox|vmware|xen|none type: "proxmox" # libvirt|proxmox|vmware|xen|none
url: "pve01.example.com" url: "pve01.example.com"
username: "root@pam" username: "root@pam"
password: "CHANGE_ME" password: "CHANGE_ME"
node: "pve01" host: "pve01"
storage: "local-lvm" storage: "local-lvm"
datacenter: "dc01" datacenter: "dc01"
cluster: "cluster01" cluster: "cluster01"
validate_certs: false validate_certs: false
ssh: true # VMware only; enables temporary SSH in installer
# VMware (only needed when hypervisor: vmware) system:
# system: type: "virtual" # virtual|physical
# path: "/Folder" # Optional folder path segment in vCenter. os: "archlinux"
vmware_ssh: true os_version: ""
name: "{{ inventory_hostname }}"
# LUKS disk encryption (optional) id: 100
# These map to partitioning_luks_* internally. cpus: 4
luks_enabled: false memory: 8192
luks_passphrase: "CHANGE_ME" balloon: 0
luks_mapper_name: "SYSTEM_DECRYPTED" network: "vmbr0"
luks_auto_decrypt: true ip: "{{ inventory_hostname }}"
luks_auto_decrypt_method: "tpm2" prefix: 24
luks_tpm2_device: "auto" gateway: "10.0.0.1"
luks_tpm2_pcrs: "7" dns:
luks_keyfile_size: 64 servers:
luks_options: "discard,tries=3" - "1.1.1.1"
luks_type: "luks2" - "1.0.0.1"
luks_cipher: "aes-xts-plain64" search:
luks_hash: "sha512" - "example.com"
luks_iter_time: 4000 path: "/Lab/Example"
luks_key_size: 512 disks:
luks_pbkdf: "argon2id" - size: 80
luks_use_urandom: true - size: 200
luks_verify_passphrase: true mount:
path: /data
fstype: xfs
label: DATA
opts: defaults
user:
name: "ops"
password: "CHANGE_ME"
public_key: "ssh-ed25519 AAAA..."
root:
password: "CHANGE_ME"
luks:
enabled: false
passphrase: "CHANGE_ME"
mapper_name: "SYSTEM_DECRYPTED"
auto_decrypt: true
auto_decrypt_method: "tpm2"
tpm2_device: "auto"
tpm2_pcrs: "7"
keyfile_size: 64
options: "discard,tries=3"
type: "luks2"
cipher: "aes-xts-plain64"
hash: "sha512"
iter_time: 4000
key_size: 512
pbkdf: "argon2id"
use_urandom: true
verify_passphrase: true
packages:
- jq
- tmux
features:
cis:
enabled: false
selinux:
enabled: true
firewall:
enabled: true
backend: "firewalld" # firewalld|ufw
toolkit: "nftables" # nftables|iptables
ssh:
enabled: true
zstd:
enabled: true
swap:
enabled: true
banner:
motd: true
sudo: true
chroot:
tool: "arch-chroot" # arch-chroot|chroot|systemd-nspawn
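Review bot: The header comment `# Set system.ip for static addressing. Remove system.ip to use DHCP.` and the inline explanation on `custom_iso` (`# Set true to skip ArchISO-specific validation and pacman setup.`) were dropped while the keys survived, so a documentation commit leaves `system.ip` and `custom_iso` less documented than before; restore both comments on the new keys. Whether `features.ssh.enabled` replaces the old `hypervisor.ssh` / `vmware_ssh` flag is not visible in the hunk; if it does, carry the `# VMware only; enables temporary SSH in installer` comment over, otherwise add a comment saying what the new toggle controls.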