sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

docu(readme): document dict-based variables and examples

Browse Source
This commit is contained in:
Sandwich
2026-02-11 05:37:18 +01:00
parent fcc7c6aeb6
commit a9db85d45e
4 changed files with 326 additions and 117 deletions
Download Patch File Download Diff File Expand all files Collapse all files

112
inventory_example.yml
View File

@@ -1,65 +1,127 @@
---
all:
vars:
install_type: "virtual"
hypervisor:
type: "proxmox"
url: "pve01.example.com"
username: "root@pam"
password: "CHANGE_ME"
node: "pve01"
host: "pve01"
storage: "local-lvm"
install_drive: "/dev/sda"
boot_iso: "local:iso/archlinux-x86_64.iso"
children:
proxmox:
hosts:
app01.example.com:
ansible_host: 10.0.0.10
os: "archlinux"
filesystem: "btrfs"
system:
type: "virtual"
os: "archlinux"
name: "app01.example.com"
id: 100
cpus: 2
memory_mb: 4096
memory: 4096
balloon: 0
network: "vmbr0"
ip: 10.0.0.10
prefix: 24
gateway: 10.0.0.1
dns_servers:
- 1.1.1.1
- 1.0.0.1
dns:
servers:
- 1.1.1.1
- 1.0.0.1
search:
- example.com
disks:
- size: 40
- size: 80
mount: /data
fstype: xfs
extra_packages:
- jq
- tmux
mount:
path: /data
fstype: xfs
label: DATA
opts: defaults
user:
name: "ops"
password: "CHANGE_ME"
public_key: "ssh-ed25519 AAAA..."
root:
password: "CHANGE_ME"
packages:
- jq
- tmux
features:
cis:
enabled: false
selinux:
enabled: true
firewall:
enabled: true
backend: "firewalld"
toolkit: "nftables"
ssh:
enabled: true
zstd:
enabled: true
swap:
enabled: true
banner:
motd: true
sudo: true
chroot:
tool: "arch-chroot"
db01.example.com:
ansible_host: 10.0.0.11
os: "rhel"
os_version: "9"
filesystem: "xfs"
rhel_iso: "local:iso/rhel-9.4-x86_64-dvd.iso"
system:
type: "virtual"
os: "rhel"
os_version: "9"
name: "db01.example.com"
id: 101
cpus: 4
memory_mb: 8192
memory: 8192
network: "vmbr0"
ip: 10.0.0.11
prefix: 24
gateway: 10.0.0.1
dns_servers: "1.1.1.1,1.0.0.1"
dns:
servers: "1.1.1.1,1.0.0.1"
disks:
- size: 80
rhel_iso: "local:iso/rhel-9.4-x86_64-dvd.iso"
luks_enabled: true
luks_passphrase: "CHANGE_ME"
luks_auto_decrypt_method: "keyfile"
luks_keyfile_size: 128
cis: true
selinux: false
firewall_enabled: false
- size: 200
mount:
path: /srv/data
fstype: ext4
user:
name: "dbadmin"
password: "CHANGE_ME"
public_key: "ssh-ed25519 AAAA..."
root:
password: "CHANGE_ME"
luks:
enabled: true
passphrase: "CHANGE_ME"
auto_decrypt_method: "keyfile"
keyfile_size: 128
features:
cis:
enabled: true
selinux:
enabled: false
firewall:
enabled: false
backend: "firewalld"
toolkit: "nftables"
ssh:
enabled: true
zstd:
enabled: true
swap:
enabled: true
banner:
motd: true
sudo: true
chroot:
tool: "arch-chroot"

147
inventory_libvirt_example.yml
View File

@@ -1,65 +1,126 @@
---
all:
vars:
install_type: "virtual"
hypervisor:
type: "libvirt"
install_drive: "/dev/vda"
url: "localhost"
username: ""
password: ""
host: ""
storage: "default"
boot_iso: "/var/lib/libvirt/images/archlinux-x86_64.iso"
children:
libvirt:
hosts:
web01.example.com:
ansible_host: 192.168.122.10
os: "debian"
os_version: "12"
web01.local:
ansible_host: 192.168.122.20
filesystem: "ext4"
system:
name: "web01.example.com"
type: "virtual"
os: "debian"
os_version: "12"
name: "web01.local"
cpus: 2
memory_mb: 2048
ip: 192.168.122.10
memory: 2048
network: "default"
ip: 192.168.122.20
prefix: 24
gateway: 192.168.122.1
dns_servers: 1.1.1.1
dns:
servers:
- 1.1.1.1
search:
- lab.local
path: "/var/lib/libvirt/images"
disks:
- size: 30
extra_packages:
- nginx
- fail2ban
vault01.example.com:
ansible_host: 192.168.122.11
os: "ubuntu-lts"
- size: 80
mount:
path: /var/www
fstype: xfs
user:
name: "web"
password: "CHANGE_ME"
public_key: "ssh-ed25519 AAAA..."
root:
password: "CHANGE_ME"
packages:
- nginx
- curl
features:
firewall:
enabled: true
backend: "ufw"
toolkit: "nftables"
db01.local:
ansible_host: 192.168.122.21
filesystem: "xfs"
rhel_iso: "/var/lib/libvirt/images/rhel-9.4-x86_64-dvd.iso"
system:
type: "virtual"
os: "rhel"
os_version: "9"
name: "db01.local"
cpus: 4
memory: 4096
network: "default"
ip: 192.168.122.21
prefix: 24
gateway: 192.168.122.1
dns:
servers:
- 9.9.9.9
search:
- example.com
disks:
- size: 60
- size: 120
mount:
path: /data
fstype: ext4
user:
name: "db"
password: "CHANGE_ME"
public_key: "ssh-ed25519 AAAA..."
root:
password: "CHANGE_ME"
luks:
enabled: true
passphrase: "CHANGE_ME"
auto_decrypt_method: "keyfile"
features:
firewall:
enabled: false
backend: "firewalld"
toolkit: "nftables"
compute01.local:
ansible_host: 192.168.122.22
filesystem: "btrfs"
system:
name: "vault01.example.com"
cpus: 2
memory_mb: 4096
ip: 192.168.122.11
type: "virtual"
os: "fedora"
os_version: "41"
name: "compute01.local"
cpus: 8
memory: 8192
network: "default"
ip: 192.168.122.22
prefix: 24
gateway: 192.168.122.1
dns_search: "example.com"
disks:
- size: 40
luks_enabled: true
luks_passphrase: "CHANGE_ME"
luks_auto_decrypt_method: "keyfile"
firewall_enabled: false
rhel9.example.com:
ansible_host: 192.168.122.12
os: "rhel"
os_version: "9"
filesystem: "xfs"
system:
name: "rhel9.example.com"
cpus: 4
memory_mb: 8192
vlan: "100"
ip: 192.168.122.12
prefix: 24
gateway: 192.168.122.1
dns_servers: "1.1.1.1,1.0.0.1"
path: "/srv/libvirt/images"
dns:
servers: "1.1.1.1,1.0.0.1"
disks:
- size: 80
rhel_iso: "/var/lib/libvirt/images/rhel-9.4-x86_64-dvd.iso"
- size: 200
mount:
path: /data
fstype: btrfs
user:
name: "compute"
password: "CHANGE_ME"
public_key: "ssh-ed25519 AAAA..."
root:
password: "CHANGE_ME"
features:
cis:
enabled: true

69
vars_baremetal_example.yml
View File

@@ -1,20 +1,61 @@
---
# Example variables for baremetal installs.
hypervisor:
type: "none"
install_type: "physical"
install_drive: "/dev/sda"
os: "archlinux"
filesystem: "btrfs"
cis: false
selinux: true
firewall_enabled: true
luks_enabled: true
luks_passphrase: "1234"
luks_mapper_name: "SYSTEM_DECRYPTED"
luks_auto_decrypt: true
luks_auto_decrypt_method: "tpm2"
luks_tpm2_device: "auto"
luks_tpm2_pcrs: "7"
system:
type: "physical"
os: "archlinux"
name: "{{ inventory_hostname }}"
cpus: 8
memory: 16384
ip: "{{ ansible_host | default('') }}"
prefix: 24
gateway: "10.0.0.1"
dns:
servers:
- "1.1.1.1"
disks:
- device: "/dev/sda"
size: 120
- device: "/dev/sdb"
size: 500
mount:
path: /data
fstype: ext4
user:
name: "admin"
password: "CHANGE_ME"
public_key: "ssh-ed25519 AAAA..."
root:
password: "CHANGE_ME"
luks:
enabled: true
passphrase: "CHANGE_ME"
mapper_name: "SYSTEM_DECRYPTED"
auto_decrypt: true
auto_decrypt_method: "tpm2"
tpm2_device: "auto"
tpm2_pcrs: "7"
features:
cis:
enabled: false
selinux:
enabled: true
firewall:
enabled: true
backend: "firewalld"
toolkit: "nftables"
ssh:
enabled: true
zstd:
enabled: true
swap:
enabled: true
banner:
motd: true
sudo: true
chroot:
tool: "arch-chroot"

115
vars_example.yml
View File

@@ -1,47 +1,92 @@
---
# Set system.ip for static addressing. Remove system.ip to use DHCP.
system:
ip: "{{ inventory_hostname }}"
install_type: "virtual"
install_drive: "/dev/sda" # Use /dev/vda for virtio/libvirt.
custom_iso: false # Set true to skip ArchISO-specific validation and pacman setup.
cis: false # Set true to enable CIS hardening.
selinux: true # Toggle SELinux where supported.
firewall_enabled: true # Toggle firewall package and service.
# Example variables for virtual provisioning.
filesystem: "btrfs"
custom_iso: false
hypervisor:
type: "proxmox" # libvirt|proxmox|vmware|xen|none
url: "pve01.example.com"
username: "root@pam"
password: "CHANGE_ME"
node: "pve01"
host: "pve01"
storage: "local-lvm"
datacenter: "dc01"
cluster: "cluster01"
validate_certs: false
ssh: true # VMware only; enables temporary SSH in installer
# VMware (only needed when hypervisor: vmware)
# system:
# path: "/Folder" # Optional folder path segment in vCenter.
vmware_ssh: true
# LUKS disk encryption (optional)
# These map to partitioning_luks_* internally.
luks_enabled: false
luks_passphrase: "CHANGE_ME"
luks_mapper_name: "SYSTEM_DECRYPTED"
luks_auto_decrypt: true
luks_auto_decrypt_method: "tpm2"
luks_tpm2_device: "auto"
luks_tpm2_pcrs: "7"
luks_keyfile_size: 64
luks_options: "discard,tries=3"
luks_type: "luks2"
luks_cipher: "aes-xts-plain64"
luks_hash: "sha512"
luks_iter_time: 4000
luks_key_size: 512
luks_pbkdf: "argon2id"
luks_use_urandom: true
luks_verify_passphrase: true
system:
type: "virtual" # virtual|physical
os: "archlinux"
os_version: ""
name: "{{ inventory_hostname }}"
id: 100
cpus: 4
memory: 8192
balloon: 0
network: "vmbr0"
ip: "{{ inventory_hostname }}"
prefix: 24
gateway: "10.0.0.1"
dns:
servers:
- "1.1.1.1"
- "1.0.0.1"
search:
- "example.com"
path: "/Lab/Example"
disks:
- size: 80
- size: 200
mount:
path: /data
fstype: xfs
label: DATA
opts: defaults
user:
name: "ops"
password: "CHANGE_ME"
public_key: "ssh-ed25519 AAAA..."
root:
password: "CHANGE_ME"
luks:
enabled: false
passphrase: "CHANGE_ME"
mapper_name: "SYSTEM_DECRYPTED"
auto_decrypt: true
auto_decrypt_method: "tpm2"
tpm2_device: "auto"
tpm2_pcrs: "7"
keyfile_size: 64
options: "discard,tries=3"
type: "luks2"
cipher: "aes-xts-plain64"
hash: "sha512"
iter_time: 4000
key_size: 512
pbkdf: "argon2id"
use_urandom: true
verify_passphrase: true
packages:
- jq
- tmux
features:
cis:
enabled: false
selinux:
enabled: true
firewall:
enabled: true
backend: "firewalld" # firewalld|ufw
toolkit: "nftables" # nftables|iptables
ssh:
enabled: true
zstd:
enabled: true
swap:
enabled: true
banner:
motd: true
sudo: true
chroot:
tool: "arch-chroot" # arch-chroot|chroot|systemd-nspawn