refactor(vars): simplify normalization and remove effective intermediates

roles/configuration/tasks/encryption.yml

@@ -2,7 +2,7 @@
 - name: Configure disk encryption
   when: partitioning_luks_enabled | bool
   vars:
-    configuration_luks_passphrase_effective: >-
+    configuration_luks_passphrase: >-
       {{ partitioning_luks_passphrase | string }}
   block:
     - name: Set LUKS configuration facts
@@ -12,7 +12,7 @@
         configuration_luks_device_value: "{{ partitioning_luks_device }}"
         configuration_luks_tpm2_pcrs_raw: >-
           {{ partitioning_luks_tpm2_pcrs }}
-        configuration_luks_tpm2_pcrs_effective_value: >-
+        configuration_luks_tpm2_pcrs_normalized: >-
           {{
             (
               configuration_luks_tpm2_pcrs_raw
@@ -41,7 +41,7 @@
         configuration_luks_tpm2_device: >-
           {{ partitioning_luks_tpm2_device }}
         configuration_luks_tpm2_pcrs: "{{ configuration_luks_tpm2_pcrs_raw }}"
-        configuration_luks_tpm2_pcrs_effective: "{{ configuration_luks_tpm2_pcrs_effective_value }}"
+        configuration_luks_tpm2_pcrs_normalized: "{{ configuration_luks_tpm2_pcrs_normalized }}"
         configuration_luks_keyfile_path: >-
           /etc/cryptsetup-keys.d/{{ configuration_luks_mapper_name_value }}.key
       changed_when: false
@@ -56,7 +56,7 @@
       when: configuration_luks_auto_method in ['tpm2', 'keyfile']
       ansible.builtin.assert:
         that:
-          - configuration_luks_passphrase_effective | length > 0
+          - configuration_luks_passphrase | length > 0
         fail_msg: system.luks.passphrase must be set for LUKS auto-decrypt.
       no_log: true
 
@@ -82,8 +82,8 @@
             (configuration_luks_auto_method == 'tpm2')
             | ternary(
                 ['tpm2-device=' + configuration_luks_tpm2_device]
-                + (['tpm2-pcrs=' + configuration_luks_tpm2_pcrs_effective]
-                   if configuration_luks_tpm2_pcrs_effective | length > 0 else []),
+                + (['tpm2-pcrs=' + configuration_luks_tpm2_pcrs_normalized]
+                   if configuration_luks_tpm2_pcrs_normalized | length > 0 else []),
                 []
               )
           }}

roles/configuration/tasks/encryption/keyfile.yml

@@ -52,7 +52,7 @@
       when: configuration_luks_keyfile_unlock_test.rc != 0
       community.crypto.luks_device:
         device: "{{ configuration_luks_device }}"
-        passphrase: "{{ configuration_luks_passphrase_effective }}"
+        passphrase: "{{ configuration_luks_passphrase }}"
         new_keyfile: "/mnt{{ configuration_luks_keyfile_path }}"
       register: configuration_luks_addkey_result
       failed_when: false
@@ -84,7 +84,7 @@
         - name: Retry adding keyfile to LUKS header
           community.crypto.luks_device:
             device: "{{ configuration_luks_device }}"
-            passphrase: "{{ configuration_luks_passphrase_effective }}"
+            passphrase: "{{ configuration_luks_passphrase }}"
             new_keyfile: "/mnt{{ configuration_luks_keyfile_path }}"
           register: configuration_luks_addkey_retry
           failed_when: false

roles/configuration/tasks/encryption/tpm2.yml

@@ -11,7 +11,7 @@
     - name: Write passphrase into temporary file for TPM2 enrollment
       ansible.builtin.copy:
         dest: "{{ configuration_luks_tpm2_passphrase_tempfile.path }}"
-        content: "{{ configuration_luks_passphrase_effective }}"
+        content: "{{ configuration_luks_passphrase }}"
         owner: root
         group: root
         mode: "0600"
@@ -31,8 +31,8 @@
                 | regex_replace('^/mnt', '')
               )
             ]
-            + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs_effective]
-               if configuration_luks_tpm2_pcrs_effective | length > 0 else [])
+            + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs_normalized]
+               if configuration_luks_tpm2_pcrs_normalized | length > 0 else [])
             + [configuration_luks_device]
           }}
         configuration_luks_enroll_chroot_cmd: >-
@@ -55,8 +55,8 @@
               '--wipe-slot=tpm2',
               '--unlock-key-file=' + configuration_luks_tpm2_passphrase_tempfile.path
             ]
-            + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs_effective]
-               if configuration_luks_tpm2_pcrs_effective | length > 0 else [])
+            + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs_normalized]
+               if configuration_luks_tpm2_pcrs_normalized | length > 0 else [])
             + [configuration_luks_device]
           }}
       ansible.builtin.command:

roles/configuration/tasks/network.yml

@@ -30,17 +30,17 @@
         )
         | default('')
       }}
-    configuration_net_inf_effective: >-
+    configuration_net_inf_detected: >-
       {{ configuration_net_inf_from_facts | default(configuration_net_inf_from_ip, true) }}
-    configuration_net_inf_regex: "{{ configuration_net_inf_effective | ansible.builtin.regex_escape }}"
+    configuration_net_inf_regex: "{{ configuration_net_inf_detected | ansible.builtin.regex_escape }}"
     configuration_net_mac_from_virtualization: "{{ virtualization_mac_address | default('') }}"
     configuration_net_mac_from_facts: >-
       {{
         (
-          (ansible_facts | default({})).get(configuration_net_inf_effective, {}).get('macaddress', '')
+          (ansible_facts | default({})).get(configuration_net_inf_detected, {}).get('macaddress', '')
         )
         | default(
-            (ansible_facts | default({})).get('ansible_' + configuration_net_inf_effective, {}).get('macaddress', ''),
+            (ansible_facts | default({})).get('ansible_' + configuration_net_inf_detected, {}).get('macaddress', ''),
             true
           )
       }}
@@ -58,7 +58,7 @@
         | default('')
       }}
   ansible.builtin.set_fact:
-    configuration_net_inf: "{{ configuration_net_inf_effective }}"
+    configuration_net_inf: "{{ configuration_net_inf_detected }}"
     configuration_net_mac: >-
       {{
         (