From db08609acfcc4a409d55deb9d623f95e04dc3f5e Mon Sep 17 00:00:00 2001
From: Sandwich
Date: Wed, 11 Feb 2026 05:37:18 +0100
Subject: [PATCH] feat(disks): add standardized multi-disk mount schema

---
 roles/partitioning/defaults/main.yml | 38 ++++++++--------
 roles/partitioning/tasks/btrfs.yml | 8 ++--
 roles/partitioning/tasks/ext4.yml | 4 +-
 roles/partitioning/tasks/extra_disks.yml | 32 ++++++-------
 roles/partitioning/tasks/main.yml | 58 ++++++++++++------------
 roles/partitioning/tasks/xfs.yml | 2 +-
 6 files changed, 71 insertions(+), 71 deletions(-)

diff --git a/roles/partitioning/defaults/main.yml b/roles/partitioning/defaults/main.yml
index 008211a..7162962 100644
--- a/roles/partitioning/defaults/main.yml
+++ b/roles/partitioning/defaults/main.yml
@@ -1,22 +1,22 @@
 ---
-partitioning_luks_enabled: "{{ luks_enabled | bool }}"
-partitioning_luks_passphrase: "{{ luks_passphrase }}"
-partitioning_luks_mapper_name: "{{ luks_mapper_name }}"
-partitioning_luks_type: "{{ luks_type }}"
-partitioning_luks_cipher: "{{ luks_cipher }}"
-partitioning_luks_hash: "{{ luks_hash }}"
-partitioning_luks_iter_time: "{{ luks_iter_time }}"
-partitioning_luks_key_size: "{{ luks_key_size }}"
-partitioning_luks_pbkdf: "{{ luks_pbkdf }}"
-partitioning_luks_use_urandom: "{{ luks_use_urandom | bool }}"
-partitioning_luks_verify_passphrase: "{{ luks_verify_passphrase | bool }}"
-partitioning_luks_auto_decrypt: "{{ luks_auto_decrypt | bool }}"
-partitioning_luks_auto_decrypt_method: "{{ luks_auto_decrypt_method }}"
-partitioning_luks_tpm2_device: "{{ luks_tpm2_device }}"
-partitioning_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
-partitioning_luks_keyfile_size: "{{ luks_keyfile_size }}"
-partitioning_luks_options: "{{ luks_options }}"
-partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if zstd_enabled | bool else '' }}"
+partitioning_luks_enabled: "{{ system_cfg.luks.enabled | bool }}"
+partitioning_luks_passphrase: "{{ system_cfg.luks.passphrase }}"
+partitioning_luks_mapper_name: "{{ system_cfg.luks.mapper_name }}"
+partitioning_luks_type: "{{ system_cfg.luks.type }}"
+partitioning_luks_cipher: "{{ system_cfg.luks.cipher }}"
+partitioning_luks_hash: "{{ system_cfg.luks.hash }}"
+partitioning_luks_iter_time: "{{ system_cfg.luks.iter_time }}"
+partitioning_luks_key_size: "{{ system_cfg.luks.key_size }}"
+partitioning_luks_pbkdf: "{{ system_cfg.luks.pbkdf }}"
+partitioning_luks_use_urandom: "{{ system_cfg.luks.use_urandom | bool }}"
+partitioning_luks_verify_passphrase: "{{ system_cfg.luks.verify_passphrase | bool }}"
+partitioning_luks_auto_decrypt: "{{ system_cfg.luks.auto_decrypt | bool }}"
+partitioning_luks_auto_decrypt_method: "{{ system_cfg.luks.auto_decrypt_method }}"
+partitioning_luks_tpm2_device: "{{ system_cfg.luks.tpm2_device 
}}" +partitioning_luks_tpm2_pcrs: "{{ system_cfg.luks.tpm2_pcrs }}" +partitioning_luks_keyfile_size: "{{ system_cfg.luks.keyfile_size }}" +partitioning_luks_options: "{{ system_cfg.luks.options }}" +partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if system_cfg.features.zstd.enabled | bool else '' }}" partitioning_boot_partition_suffix: 1 partitioning_main_partition_suffix: 2 partitioning_efi_size_mib: 512 @@ -135,7 +135,7 @@ partitioning_vm_memory_effective: >- partitioning_vm_memory if (partitioning_vm_memory is defined and (partitioning_vm_memory | float) > 0) else ( - (system_cfg.memory_mb if system_cfg is defined else 0) + (system_cfg.memory if system_cfg is defined else 0) | default(0) ) ) diff --git a/roles/partitioning/tasks/btrfs.yml b/roles/partitioning/tasks/btrfs.yml index 1b8d9b0..73b4b82 100644 --- a/roles/partitioning/tasks/btrfs.yml +++ b/roles/partitioning/tasks/btrfs.yml @@ -41,8 +41,8 @@ - name: Make root subvolumes when: - - cis_enabled or item.subvol not in ['var_log_audit'] - - swap_enabled | bool or item.subvol != 'swap' + - system_cfg.features.cis.enabled or item.subvol not in ['var_log_audit'] + - system_cfg.features.swap.enabled | bool or item.subvol != 'swap' ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} args: creates: /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} @@ -57,7 +57,7 @@ register: partitioning_btrfs_subvol_result - name: Set quotas for subvolumes - when: cis_enabled + when: system_cfg.features.cis.enabled ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} loop: - { subvol: home, quota: 2G } @@ -65,7 +65,7 @@ changed_when: false - name: Create a Btrfs swap file - when: swap_enabled | bool + when: system_cfg.features.swap.enabled | bool ansible.builtin.command: >- btrfs filesystem mkswapfile --size {{ partitioning_swap_size_gb }}g --uuid clear /mnt/@swap/swapfile args: 
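Review bot: Every rewritten default dereferences `system_cfg.luks.*` (and `system_cfg.features.zstd.enabled`) with no `default()`, so an inventory that omits the `luks` or `features.zstd` mapping now fails with an undefined-variable error at the first task that touches one of these variables, whereas the retained `when` in tasks/main.yml still treats `system_cfg is not defined` as a legitimate state; the two files disagree about whether `system_cfg` is optional. If a missing block is meant to mean "feature off", make the gate variables tolerant, e.g. `partitioning_luks_enabled: "{{ system_cfg.luks.enabled | default(false) | bool }}"` and `partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if system_cfg.features.zstd.enabled | default(false) | bool else '' }}"`, and leave the value-carrying keys strict. If `system_cfg` is now mandatory, the stale `system_cfg is not defined` guards elsewhere in the patch should go instead.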
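Review bot: Renaming `system_cfg.memory_mb` to `system_cfg.memory` removes the unit from the only place it was spelled out, while the expression still feeds `partitioning_vm_memory_effective` alongside `partitioning_vm_memory` and the `Read system memory` fallback in tasks/main.yml, which computes `int($2/1024)` from the kB figure in /proc/meminfo, i.e. MiB. Presumably the new key is still MiB; say so where the schema is documented or in a comment above `partitioning_vm_memory_effective:` (its key line is outside this hunk), e.g. `# system_cfg.memory is expected in MiB, matching the /proc/meminfo fallback`.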
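Review bot: `system_cfg.features.cis.enabled` is evaluated bare in the new `when` while `system_cfg.features.swap.enabled` on the very next line gets `| bool`; if the setting ever arrives as a string (extra-vars, a templated inventory) the value `"false"` is truthy and silently selects the CIS subvolume layout. The same bare form is used in the `Set quotas for subvolumes` hunk below, in ext4.yml, xfs.yml and in every cis condition in tasks/main.yml. Either apply the filter consistently, `- system_cfg.features.cis.enabled | bool or item.subvol not in ['var_log_audit']`, or normalise once in defaults, e.g. `partitioning_cis_enabled: "{{ system_cfg.features.cis.enabled | bool }}"`, and reference that everywhere.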
diff --git a/roles/partitioning/tasks/ext4.yml b/roles/partitioning/tasks/ext4.yml index a5abbfe..ca51fde 100644 --- a/roles/partitioning/tasks/ext4.yml +++ b/roles/partitioning/tasks/ext4.yml @@ -1,6 +1,6 @@ --- - name: Create and format ext4 logical volumes - when: cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] + when: system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] community.general.filesystem: dev: /dev/sys/{{ item.lv }} fstype: ext4 @@ -15,7 +15,7 @@ - name: Remove Unsupported features for older Systems when: > (os in ['almalinux', 'rocky', 'rhel'] or (os == 'debian' and (os_version | string) == '11')) - and (cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']) + and (system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']) ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}" loop: - { lv: root } diff --git a/roles/partitioning/tasks/extra_disks.yml b/roles/partitioning/tasks/extra_disks.yml index f57d23b..fe09155 100644 --- a/roles/partitioning/tasks/extra_disks.yml +++ b/roles/partitioning/tasks/extra_disks.yml @@ -4,7 +4,7 @@ partitioning_extra_disks: >- {{ (system_cfg.disks | default([]))[1:] - | selectattr('mount') + | selectattr('mount.path') | list }} changed_when: false 
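Review bot: `selectattr('mount.path')` silently drops any disk whose `mount` is still a scalar path from the previous schema — attribute lookup on a string comes back undefined, which the default truthiness test treats as false — and the schema assert in the next hunk only loops over the already-filtered `partitioning_extra_disks`, so a stale definition is never reported; the disk just stops being partitioned and mounted. Validate before filtering, on the unfiltered list, for instance an assert with `- (system_cfg.disks | default([]))[1:] | selectattr('mount', 'defined') | rejectattr('mount', 'mapping') | list | length == 0` and a `fail_msg` naming the old `mount: <path>` form, so a migration mistake fails loudly. Disks that define no `mount` at all presumably remain intentionally unmanaged and are unaffected by that check.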
@@ -18,12 +18,12 @@ - item.device != install_drive - item.partition is defined - item.partition | string | length > 0 - - item.fstype is defined - - item.fstype in ['btrfs', 'ext4', 'xfs'] - - item.mount is defined - - item.mount | string | length > 0 - - item.mount.startswith('/') - - item.mount != '/' + - item.mount.fstype is defined + - item.mount.fstype in ['btrfs', 'ext4', 'xfs'] + - item.mount.path is defined + - item.mount.path | string | length > 0 + - item.mount.path.startswith('/') + - item.mount.path != '/' fail_msg: "Invalid additional disk definition: {{ item | to_json }}" quiet: true loop: "{{ partitioning_extra_disks }}" @@ -38,7 +38,7 @@ number: 1 part_start: "1MiB" part_end: "100%" - name: "{{ (item.label | default('') | string | length > 0) | ternary(item.label, 'data') }}" + name: "{{ (item.mount.label | default('') | string | length > 0) | ternary(item.mount.label, 'data') }}" state: present loop: "{{ partitioning_extra_disks }}" loop_control: @@ -53,8 +53,8 @@ when: partitioning_extra_disks | length > 0 community.general.filesystem: dev: "{{ item.partition }}" - fstype: "{{ item.fstype }}" - opts: "{{ ('-L ' ~ item.label) if (item.label | default('') | string | length) > 0 else omit }}" + fstype: "{{ item.mount.fstype }}" + opts: "{{ ('-L ' ~ item.mount.label) if (item.mount.label | default('') | string | length) > 0 else omit }}" force: true loop: "{{ partitioning_extra_disks }}" loop_control: 
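Review bot: The new assert validates `item.mount.path` and `item.mount.fstype` but not `item.mount.label`, which the two following hunks pass unquoted into the parted partition `name` and into the mkfs option string `'-L ' ~ item.mount.label`; depending on how `community.general.filesystem` splits `opts`, a label containing whitespace or quoting characters becomes extra mkfs arguments or a differently named partition than the operator intended. `item.mount.opts` (used in this file's fstab-mount hunk further down) is likewise written into the mount table unchecked. Add conservative shape checks to the `that:` list, e.g. `- item.mount.label | default('') is match('^[A-Za-z0-9_.-]*$')` and `- item.mount.opts | default('defaults') is match('^[A-Za-z0-9_=,.:/-]+$')`, so bad values are rejected here with the existing `fail_msg` rather than discovered on the rescued host.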
@@ -63,23 +63,23 @@ - name: Ensure mount directories exist for additional disks when: partitioning_extra_disks | length > 0 ansible.builtin.file: - path: "/mnt{{ item.mount }}" + path: "/mnt{{ item.mount.path }}" state: directory owner: root group: root mode: "0755" loop: "{{ partitioning_extra_disks }}" loop_control: - label: "{{ item.mount }}" + label: "{{ item.mount.path }}" - name: Mount additional disks for fstab generation when: partitioning_extra_disks | length > 0 ansible.posix.mount: - path: "/mnt{{ item.mount }}" + path: "/mnt{{ item.mount.path }}" src: "{{ item.partition }}" - fstype: "{{ item.fstype }}" - opts: "{{ item.opts | default('defaults') }}" + fstype: "{{ item.mount.fstype }}" + opts: "{{ item.mount.opts | default('defaults') }}" state: mounted loop: "{{ partitioning_extra_disks }}" loop_control: - label: "{{ item.mount }}" + label: "{{ item.mount.path }}" diff --git a/roles/partitioning/tasks/main.yml b/roles/partitioning/tasks/main.yml index d6e0fcc..e8393e7 100644 --- a/roles/partitioning/tasks/main.yml +++ b/roles/partitioning/tasks/main.yml @@ -1,9 +1,9 @@ --- - name: Detect system memory for swap sizing when: - - swap_enabled | bool + - system_cfg.features.swap.enabled | bool - partitioning_vm_memory is not defined or (partitioning_vm_memory | float) <= 0 - - system_cfg is not defined or (system_cfg.memory_mb | default(0) | float) <= 0 + - system_cfg is not defined or (system_cfg.memory | default(0) | float) <= 0 block: - name: Read system memory ansible.builtin.command: awk '/MemTotal/ {print int($2/1024)}' /proc/meminfo @@ -17,7 +17,7 @@ - name: Set partitioning vm_size for physical installs when: - - install_type == "physical" + - system_cfg.type == "physical" - partitioning_vm_size is not defined or (partitioning_vm_size | float) <= 0 - install_drive | length > 0 block: 
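Review bot: In `Detect system memory for swap sizing` the first condition now dereferences `system_cfg.features.swap.enabled`, so the retained third condition `system_cfg is not defined or (system_cfg.memory | default(0) | float) <= 0` can never take its first branch — a `when` list is evaluated in order and the first item already raises on an undefined `system_cfg`. Either drop the dead `system_cfg is not defined` clause or make the first condition tolerant, `- system_cfg.features.swap.enabled | default(false) | bool`, whichever matches the intended contract for `system_cfg`. The `block:` body of this task continues outside the hunk.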
@@ -163,7 +163,7 @@ ansible.builtin.assert: that: - partitioning_luks_passphrase_effective | length > 0 - fail_msg: luks_passphrase (or partitioning_luks_passphrase) must be set when LUKS is enabled. + fail_msg: system.luks.passphrase must be set when LUKS is enabled. no_log: true - name: Ensure LUKS container exists @@ -258,8 +258,8 @@ - name: Create LVM logical volumes when: - - cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] - - swap_enabled | bool or item.lv != 'swap' + - system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] + - system_cfg.features.swap.enabled | bool or item.lv != 'swap' vars: partitioning_lvm_extent_reserve_count: 10 partitioning_lvm_extent_size_mib: 4 @@ -279,7 +279,7 @@ 4 ] | max | float ) - if swap_enabled | bool + if system_cfg.features.swap.enabled | bool else 0 }} partitioning_lvm_swap_cap_gb: >- @@ -291,7 +291,7 @@ 0 ] | max ) - if swap_enabled | bool + if system_cfg.features.swap.enabled | bool else 0 }} partitioning_lvm_swap_target_effective_gb: >- @@ -302,7 +302,7 @@ partitioning_lvm_swap_cap_gb ] | min ) - if swap_enabled | bool + if system_cfg.features.swap.enabled | bool else 0 }} partitioning_lvm_swap_max_gb: >- @@ -312,14 +312,14 @@ ( (partitioning_vm_size_effective | float) - (partitioning_reserved_gb | float) - - (cis_enabled | ternary(7.5, 0)) + - (system_cfg.features.cis.enabled | ternary(7.5, 0)) - partitioning_lvm_extent_reserve_gb - 4 ), 0 ] | max ) - if swap_enabled | bool + if system_cfg.features.swap.enabled | bool else 0 }} partitioning_lvm_available_gb: >- @@ -327,7 +327,7 @@ ( (partitioning_vm_size_effective | float) - (partitioning_reserved_gb | float) - - (cis_enabled | ternary(7.5, 0)) + - (system_cfg.features.cis.enabled | ternary(7.5, 0)) - partitioning_lvm_extent_reserve_gb - partitioning_lvm_swap_target_effective_gb ) | float 
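Review bot: The new `fail_msg` names `system.luks.passphrase`, but every reference in this patch reads the value from `system_cfg.luks.passphrase`; unless `system` is the user-facing key that a playbook maps onto `system_cfg` (not visible here), the message sends the operator to a path that does not exist. Use the same spelling as the variable, `fail_msg: system_cfg.luks.passphrase must be set when LUKS is enabled.`, or mention both if the indirection is real. The `no_log: true` on this assert is unchanged and should stay, since the asserted expression is derived from the passphrase.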
@@ -364,7 +364,7 @@ partitioning_lvm_swap_max_gb ] | min | round(2, 'floor') ) - if swap_enabled | bool + if system_cfg.features.swap.enabled | bool else 0 }} partitioning_lvm_root_full_gb: >- @@ -377,7 +377,7 @@ - partitioning_lvm_extent_reserve_gb - ( (partitioning_lvm_home_gb | float) + 5.5 - if cis_enabled + if system_cfg.features.cis.enabled else 0 ) ), @@ -436,7 +436,7 @@ - name: Create swap filesystem when: - filesystem != 'btrfs' - - swap_enabled | bool + - system_cfg.features.swap.enabled | bool community.general.filesystem: fstype: swap dev: /dev/sys/swap @@ -470,7 +470,7 @@ - name: Get UUID for LVM swap filesystem when: - filesystem != 'btrfs' - - swap_enabled | bool + - system_cfg.features.swap.enabled | bool ansible.builtin.command: blkid -s UUID -o value /dev/sys/swap register: partitioning_uuid_swap_result changed_when: false @@ -478,7 +478,7 @@ - name: Get UUID for LVM home filesystem when: - filesystem != 'btrfs' - - cis_enabled + - system_cfg.features.cis.enabled ansible.builtin.command: blkid -s UUID -o value /dev/sys/home register: partitioning_uuid_home_result changed_when: false @@ -486,7 +486,7 @@ - name: Get UUID for LVM var filesystem when: - filesystem != 'btrfs' - - cis_enabled + - system_cfg.features.cis.enabled ansible.builtin.command: blkid -s UUID -o value /dev/sys/var register: partitioning_uuid_var_result changed_when: false @@ -494,7 +494,7 @@ - name: Get UUID for LVM var_log filesystem when: - filesystem != 'btrfs' - - cis_enabled + - system_cfg.features.cis.enabled ansible.builtin.command: blkid -s UUID -o value /dev/sys/var_log register: partitioning_uuid_var_log_result changed_when: false @@ -502,7 +502,7 @@ - name: Get UUID for LVM var_log_audit filesystem when: - filesystem != 'btrfs' - - cis_enabled + - system_cfg.features.cis.enabled ansible.builtin.command: blkid -s UUID -o value /dev/sys/var_log_audit register: partitioning_uuid_var_log_audit_result changed_when: false 
@@ -514,31 +514,31 @@ partitioning_uuid_swap: >- {{ partitioning_uuid_swap_result.stdout_lines | default([]) - if swap_enabled | bool + if system_cfg.features.swap.enabled | bool else '' }} partitioning_uuid_home: >- {{ partitioning_uuid_home_result.stdout_lines | default([]) - if cis_enabled + if system_cfg.features.cis.enabled else '' }} partitioning_uuid_var: >- {{ partitioning_uuid_var_result.stdout_lines | default([]) - if cis_enabled + if system_cfg.features.cis.enabled else '' }} partitioning_uuid_var_log: >- {{ partitioning_uuid_var_log_result.stdout_lines | default([]) - if cis_enabled + if system_cfg.features.cis.enabled else '' }} partitioning_uuid_var_log_audit: >- {{ partitioning_uuid_var_log_audit_result.stdout_lines | default([]) - if cis_enabled + if system_cfg.features.cis.enabled else '' }} @@ -547,15 +547,15 @@ - name: Mount filesystems and subvolumes when: - >- - cis_enabled or ( - not cis_enabled and ( + system_cfg.features.cis.enabled or ( + not system_cfg.features.cis.enabled and ( (filesystem == 'btrfs' and item.path in ['/home', '/var/log', '/var/cache/pacman/pkg']) or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit', '/var/cache/pacman/pkg']) ) ) - >- not (item.path in ['/swap', '/var/cache/pacman/pkg'] and filesystem != 'btrfs') - - swap_enabled | bool or item.path != '/swap' + - system_cfg.features.swap.enabled | bool or item.path != '/swap' ansible.posix.mount: path: /mnt{{ item.path }} src: "{{ 'UUID=' + (partitioning_main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}" @@ -655,7 +655,7 @@ state: mounted - name: Activate swap - when: swap_enabled | bool + when: system_cfg.features.swap.enabled | bool vars: partitioning_swap_cmd: >- {{ 'swapon /mnt/swap/swapfile' if filesystem == 'btrfs' else 'swapon -U ' + partitioning_uuid_swap[0] }} diff --git a/roles/partitioning/tasks/xfs.yml b/roles/partitioning/tasks/xfs.yml index 8fc903f..913ff85 100644 --- a/roles/partitioning/tasks/xfs.yml 
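Review bot: In `Mount filesystems and subvolumes` the rewritten first `when` clause has the form `X or (not X and (...))`, which is logically just `X or (...)`; spelling `system_cfg.features.cis.enabled` twice, once negated, is noise and a second place to forget the `| bool` that `system_cfg.features.swap.enabled` receives two lines later. Replace the two opening lines with `system_cfg.features.cis.enabled | bool or (` and drop the `not system_cfg.features.cis.enabled and (` line together with its closing parenthesis, leaving the `(filesystem == 'btrfs' and ...)` / `(item.path not in [...])` group as is. The `ansible.posix.mount` body of this task continues outside the hunk.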
+++ b/roles/partitioning/tasks/xfs.yml @@ -1,6 +1,6 @@ --- - name: Create and format XFS logical volumes - when: cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] + when: system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] community.general.filesystem: dev: /dev/sys/{{ item.lv }} fstype: xfs