diff --git a/roles/configuration/tasks/extras.yml b/roles/configuration/tasks/extras.yml
index 604556b..89d37fa 100644
--- a/roles/configuration/tasks/extras.yml
+++ b/roles/configuration/tasks/extras.yml
@@ -26,7 +26,9 @@ mode: "0644" - name: Create zram config - when: os | lower not in ['debian11', 'rhel8'] + when: + - os | lower not in ['debian11', 'rhel8'] + - swap_enabled | bool ansible.builtin.copy: dest: /mnt/etc/systemd/zram-generator.conf content: |
diff --git a/roles/configuration/tasks/grub.yml b/roles/configuration/tasks/grub.yml
index 086fe7e..1a2977d 100644
--- a/roles/configuration/tasks/grub.yml
+++ b/roles/configuration/tasks/grub.yml
@@ -28,7 +28,14 @@ }} configuration_grub_lvm_args_value: >- {{ - ['resume=/dev/mapper/sys-swap', 'rd.lvm.lv=sys/root', 'rd.lvm.lv=sys/swap'] + ( + ['rd.lvm.lv=sys/root'] + ( + ['rd.lvm.lv=sys/swap', 'resume=/dev/mapper/sys-swap'] + if swap_enabled | bool + else [] + ) + ) if (filesystem | lower) != 'btrfs' else [] }}
diff --git a/roles/global_defaults/defaults/main.yml b/roles/global_defaults/defaults/main.yml
index 9fc99f5..18102fe 100644
--- a/roles/global_defaults/defaults/main.yml
+++ b/roles/global_defaults/defaults/main.yml
@@ -6,6 +6,7 @@ selinux: true vmware_ssh: false firewalld_enabled: true zstd_enabled: true +swap_enabled: true cis_enabled: "{{ cis | bool }}"
diff --git a/roles/partitioning/tasks/btrfs.yml b/roles/partitioning/tasks/btrfs.yml
index 3c377e1..b1ae080 100644
--- a/roles/partitioning/tasks/btrfs.yml
+++ b/roles/partitioning/tasks/btrfs.yml
@@ -40,7 +40,9 @@ changed_when: false - name: Make root subvolumes - when: cis_enabled or item.subvol not in ['var_log_audit'] + when: + - cis_enabled or item.subvol not in ['var_log_audit'] + - swap_enabled | bool or item.subvol != 'swap' ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} args: creates: /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} 
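Review bot: In the new `configuration_grub_lvm_args_value` expression there is no `+` operator between `['rd.lvm.lv=sys/root']` and the parenthesized swap list: the hunk header announces eight added lines, which only works out if they are `(`, `['rd.lvm.lv=sys/root']`, `(`, the swap list, `if …`, `else []`, `)`, `)`, and the `partitioning_lvm_swap_cap_gb` hunk elsewhere in this commit shows that a content-level `+` survives this collapsed view as `+ +`. As written, Jinja parses the following parentheses as a call on the list and the template should fail at render time with a "'list' object is not callable" error, so no LVM boot arguments would ever be produced. The line after `['rd.lvm.lv=sys/root']` should read `+ (`. If the whitespace-collapsed rendering here dropped the operator, disregard this; it is worth confirming against the file.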
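Review bot: `swap_enabled: true` is added without any comment, yet this one flag now decides the swap LV or `@swap` subvolume and swap file, the zram-generator config and the `resume=`/`rd.lvm.lv=sys/swap` kernel arguments across the other files in this commit. A one-line comment above it, `# swap_enabled: false skips the swap volume/file, the zram config and the resume= kernel args`, would make that blast radius visible to anyone overriding the default. This is presumably the only place the flag is documented, since it is referenced but never described in the task files.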
@@ -63,6 +65,7 @@ changed_when: false - name: Create a Btrfs swap file + when: swap_enabled | bool ansible.builtin.command: >- btrfs filesystem mkswapfile --size {{ partitioning_swap_size_gb }}g --uuid clear /mnt/@swap/swapfile args:
diff --git a/roles/partitioning/tasks/main.yml b/roles/partitioning/tasks/main.yml
index 2fbd4da..2673f3c 100644
--- a/roles/partitioning/tasks/main.yml
+++ b/roles/partitioning/tasks/main.yml
@@ -1,6 +1,7 @@ --- - name: Detect system memory for swap sizing when: + - swap_enabled | bool - partitioning_vm_memory is not defined or (partitioning_vm_memory | float) <= 0 - vm_memory is not defined or (vm_memory | float) <= 0 block: 
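Review bot: Putting `swap_enabled | bool` first in the `when` list of `Detect system memory for swap sizing` skips the whole block when swap is disabled, so whatever facts it sets (presumably `partitioning_vm_memory_effective`, which the LVM `vars` in this file only read inside a swap-guarded branch) are then never defined. That is consistent with the guarded `vars` in the `Create LVM logical volumes` hunk, but any other consumer of those facts outside this diff would now hit an undefined variable; if nothing else reads them, a comment on the block, `# only needed for swap sizing; intentionally skipped when swap_enabled is false`, would record that contract. The block's body continues outside the hunk.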
@@ -257,41 +258,59 @@ pvs: "{{ partitioning_root_device }}" - name: Create LVM logical volumes - when: cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] + when: + - cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] + - swap_enabled | bool or item.lv != 'swap' vars: partitioning_lvm_swap_target_gb: >- {{ - [ - (partitioning_vm_memory_effective | float / 1024), - 4 - ] | max | float + ( + [ + (partitioning_vm_memory_effective | float / 1024), + 4 + ] | max | float + ) + if swap_enabled | bool + else 0 }} partitioning_lvm_swap_cap_gb: >- {{ - 4 - + [ - (partitioning_vm_size_effective | float) - 20, - 0 - ] | max + ( + 4 + + [ + (partitioning_vm_size_effective | float) - 20, + 0 + ] | max + ) + if swap_enabled | bool + else 0 }} partitioning_lvm_swap_target_effective_gb: >- {{ - [ - partitioning_lvm_swap_target_gb, - partitioning_lvm_swap_cap_gb - ] | min + ( + [ + partitioning_lvm_swap_target_gb, + partitioning_lvm_swap_cap_gb + ] | min + ) + if swap_enabled | bool + else 0 }} partitioning_lvm_swap_max_gb: >- {{ - [ - ( - (partitioning_vm_size_effective | float) - - (partitioning_reserved_gb | float) - - (cis_enabled | ternary(7.5, 0)) - - 4 - ), - 0 - ] | max + ( + [ + ( + (partitioning_vm_size_effective | float) + - (partitioning_reserved_gb | float) + - (cis_enabled | ternary(7.5, 0)) + - 4 + ), + 0 + ] | max + ) + if swap_enabled | bool + else 0 }} partitioning_lvm_available_gb: >- {{
@@ -328,10 +347,14 @@ }} partitioning_lvm_swap_gb: >- {{ - [ - partitioning_lvm_swap_target_effective_gb, - partitioning_lvm_swap_max_gb - ] | min | round(2, 'floor') + ( + [ + partitioning_lvm_swap_target_effective_gb, + partitioning_lvm_swap_max_gb + ] | min | round(2, 'floor') + ) + if swap_enabled | bool + else 0 }} partitioning_lvm_root_full_gb: >- {{ 
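Review bot: The `if swap_enabled | bool else 0` wrapper is applied to all five swap vars, but `partitioning_lvm_swap_target_effective_gb` and, in the second hunk on this line, `partitioning_lvm_swap_gb` are only a `min` over values the same guard already forces to 0, so their wrappers are redundant and make an already long `vars:` block harder to read. Keeping the guard on the three leaf values (`partitioning_lvm_swap_target_gb`, `partitioning_lvm_swap_cap_gb`, `partitioning_lvm_swap_max_gb`), which is also what stops `partitioning_vm_memory_effective` from being evaluated when the detection block at the top of this file is skipped, and restoring the plain `[ … ] | min` form for the two derived vars would give the same result. Note also that the disabled branch yields the integer `0` where the enabled branch yields a float; consumers presumably apply `| float`, but that is outside the hunk. The `Create LVM logical volumes` task continues past the end of the hunk.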
@@ -399,7 +422,9 @@ changed_when: partitioning_boot_ext4_tune_result.rc == 0 - name: Create swap filesystem - when: filesystem != 'btrfs' + when: + - filesystem != 'btrfs' + - swap_enabled | bool community.general.filesystem: fstype: swap dev: /dev/sys/swap 
@@ -424,28 +449,86 @@ register: partitioning_main_uuid changed_when: false - - name: Get UUIDs for LVM filesystems - when: filesystem != 'btrfs' and (cis_enabled or item not in ['home', 'var', 'var_log', 'var_log_audit']) - ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }} - loop: - - root - - swap - - home - - var - - var_log - - var_log_audit - register: partitioning_uuid_result + - name: Get UUID for LVM root filesystem + when: filesystem != 'btrfs' + ansible.builtin.command: blkid -s UUID -o value /dev/sys/root + register: partitioning_uuid_root_result + changed_when: false + + - name: Get UUID for LVM swap filesystem + when: + - filesystem != 'btrfs' + - swap_enabled | bool + ansible.builtin.command: blkid -s UUID -o value /dev/sys/swap + register: partitioning_uuid_swap_result + changed_when: false + + - name: Get UUID for LVM home filesystem + when: + - filesystem != 'btrfs' + - cis_enabled + ansible.builtin.command: blkid -s UUID -o value /dev/sys/home + register: partitioning_uuid_home_result + changed_when: false + + - name: Get UUID for LVM var filesystem + when: + - filesystem != 'btrfs' + - cis_enabled + ansible.builtin.command: blkid -s UUID -o value /dev/sys/var + register: partitioning_uuid_var_result + changed_when: false + + - name: Get UUID for LVM var_log filesystem + when: + - filesystem != 'btrfs' + - cis_enabled + ansible.builtin.command: blkid -s UUID -o value /dev/sys/var_log + register: partitioning_uuid_var_log_result + changed_when: false + + - name: Get UUID for LVM var_log_audit filesystem + when: + - filesystem != 'btrfs' + - cis_enabled + ansible.builtin.command: blkid -s UUID -o value /dev/sys/var_log_audit + register: partitioning_uuid_var_log_audit_result changed_when: false - name: Assign UUIDs to Variables when: filesystem != 'btrfs' ansible.builtin.set_fact: - partitioning_uuid_root: "{{ partitioning_uuid_result.results[0].stdout_lines }}" - partitioning_uuid_swap: "{{ 
partitioning_uuid_result.results[1].stdout_lines }}" - partitioning_uuid_home: "{{ partitioning_uuid_result.results[2].stdout_lines if cis_enabled else '' }}" - partitioning_uuid_var: "{{ partitioning_uuid_result.results[3].stdout_lines if cis_enabled else '' }}" - partitioning_uuid_var_log: "{{ partitioning_uuid_result.results[4].stdout_lines if cis_enabled else '' }}" - partitioning_uuid_var_log_audit: "{{ partitioning_uuid_result.results[5].stdout_lines if cis_enabled else '' }}" + partitioning_uuid_root: "{{ partitioning_uuid_root_result.stdout_lines | default([]) }}" + partitioning_uuid_swap: >- + {{ + partitioning_uuid_swap_result.stdout_lines | default([]) + if swap_enabled | bool + else '' + }} + partitioning_uuid_home: >- + {{ + partitioning_uuid_home_result.stdout_lines | default([]) + if cis_enabled + else '' + }} + partitioning_uuid_var: >- + {{ + partitioning_uuid_var_result.stdout_lines | default([]) + if cis_enabled + else '' + }} + partitioning_uuid_var_log: >- + {{ + partitioning_uuid_var_log_result.stdout_lines | default([]) + if cis_enabled + else '' + }} + partitioning_uuid_var_log_audit: >- + {{ + partitioning_uuid_var_log_audit_result.stdout_lines | default([]) + if cis_enabled + else '' + }} - name: Mount filesystems block:
@@ -460,6 +543,7 @@ ) - >- not (item.path in ['/swap', '/var/cache/pacman/pkg'] and filesystem != 'btrfs') + - swap_enabled | bool or item.path != '/swap' ansible.posix.mount: path: /mnt{{ item.path }} src: "{{ 'UUID=' + (partitioning_main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}"
@@ -559,6 +643,7 @@ state: mounted - name: Activate swap + when: swap_enabled | bool vars: partitioning_swap_cmd: >- {{ 'swapon /mnt/swap/swapfile' if filesystem == 'btrfs' else 'swapon -U ' + partitioning_uuid_swap[0] }}
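Review bot: The six `Get UUID for LVM … filesystem` tasks differ only in the device name and the enabling condition, and `Assign UUIDs to Variables` then repeats the same `stdout_lines | default([]) if … else ''` shape six times. One looped task over `{lv, enabled}` items with a per-item `when`, registered once, removes the positional `results[N]` indexing that motivated the split (look a value up by name with `partitioning_uuid_result.results | selectattr('item.lv', 'equalto', 'swap') | map(attribute='stdout_lines') | first | default([])`) while leaving a single task to maintain. Minor: the disabled sentinel is `''` but the `default([])` fallback is a list, so each `partitioning_uuid_*` fact is sometimes a string and sometimes a list; using `[]` for both would spare downstream `[0]`/`default` users a type check. The sketch below replaces only the blkid tasks and assumes the indentation of the surrounding task list.
```yaml
- name: Get UUIDs for LVM filesystems
  when:
    - filesystem != 'btrfs'
    - item.enabled | bool
  ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item.lv }}
  loop:
    - { lv: root, enabled: true }
    - { lv: swap, enabled: "{{ swap_enabled }}" }
    - { lv: home, enabled: "{{ cis_enabled }}" }
    - { lv: var, enabled: "{{ cis_enabled }}" }
    - { lv: var_log, enabled: "{{ cis_enabled }}" }
    - { lv: var_log_audit, enabled: "{{ cis_enabled }}" }
  loop_control:
    label: "{{ item.lv }}"
  register: partitioning_uuid_result
  changed_when: false
# … unchanged: Assign UUIDs to Variables, with each value looked up by item.lv …
```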