feat(disks): add standardized multi-disk mount schema

2026-02-11 05:37:18 +01:00
parent 961c8f259c
commit db08609acf
6 changed files with 71 additions and 71 deletions


@@ -1,22 +1,22 @@
--- ---
partitioning_luks_enabled: "{{ luks_enabled | bool }}" partitioning_luks_enabled: "{{ system_cfg.luks.enabled | bool }}"
partitioning_luks_passphrase: "{{ luks_passphrase }}" partitioning_luks_passphrase: "{{ system_cfg.luks.passphrase }}"
partitioning_luks_mapper_name: "{{ luks_mapper_name }}" partitioning_luks_mapper_name: "{{ system_cfg.luks.mapper_name }}"
partitioning_luks_type: "{{ luks_type }}" partitioning_luks_type: "{{ system_cfg.luks.type }}"
partitioning_luks_cipher: "{{ luks_cipher }}" partitioning_luks_cipher: "{{ system_cfg.luks.cipher }}"
partitioning_luks_hash: "{{ luks_hash }}" partitioning_luks_hash: "{{ system_cfg.luks.hash }}"
partitioning_luks_iter_time: "{{ luks_iter_time }}" partitioning_luks_iter_time: "{{ system_cfg.luks.iter_time }}"
partitioning_luks_key_size: "{{ luks_key_size }}" partitioning_luks_key_size: "{{ system_cfg.luks.key_size }}"
partitioning_luks_pbkdf: "{{ luks_pbkdf }}" partitioning_luks_pbkdf: "{{ system_cfg.luks.pbkdf }}"
partitioning_luks_use_urandom: "{{ luks_use_urandom | bool }}" partitioning_luks_use_urandom: "{{ system_cfg.luks.use_urandom | bool }}"
partitioning_luks_verify_passphrase: "{{ luks_verify_passphrase | bool }}" partitioning_luks_verify_passphrase: "{{ system_cfg.luks.verify_passphrase | bool }}"
partitioning_luks_auto_decrypt: "{{ luks_auto_decrypt | bool }}" partitioning_luks_auto_decrypt: "{{ system_cfg.luks.auto_decrypt | bool }}"
partitioning_luks_auto_decrypt_method: "{{ luks_auto_decrypt_method }}" partitioning_luks_auto_decrypt_method: "{{ system_cfg.luks.auto_decrypt_method }}"
partitioning_luks_tpm2_device: "{{ luks_tpm2_device }}" partitioning_luks_tpm2_device: "{{ system_cfg.luks.tpm2_device }}"
partitioning_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}" partitioning_luks_tpm2_pcrs: "{{ system_cfg.luks.tpm2_pcrs }}"
partitioning_luks_keyfile_size: "{{ luks_keyfile_size }}" partitioning_luks_keyfile_size: "{{ system_cfg.luks.keyfile_size }}"
partitioning_luks_options: "{{ luks_options }}" partitioning_luks_options: "{{ system_cfg.luks.options }}"
partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if zstd_enabled | bool else '' }}" partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if system_cfg.features.zstd.enabled | bool else '' }}"
partitioning_boot_partition_suffix: 1 partitioning_boot_partition_suffix: 1
partitioning_main_partition_suffix: 2 partitioning_main_partition_suffix: 2
partitioning_efi_size_mib: 512 partitioning_efi_size_mib: 512
@@ -135,7 +135,7 @@ partitioning_vm_memory_effective: >-
partitioning_vm_memory partitioning_vm_memory
if (partitioning_vm_memory is defined and (partitioning_vm_memory | float) > 0) if (partitioning_vm_memory is defined and (partitioning_vm_memory | float) > 0)
else ( else (
(system_cfg.memory_mb if system_cfg is defined else 0) (system_cfg.memory if system_cfg is defined else 0)
| default(0) | default(0)
) )
) )
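Review bot: The rename of `system_cfg.memory_mb` to `system_cfg.memory` inside the `partitioning_vm_memory_effective` fallback drops the unit from the key name while the arithmetic still treats the value as MiB (the tasks file's fallback reads `/proc/meminfo` and divides by 1024 to get the same scale). A comment above the expression, `# system_cfg.memory is expected in MiB, matching the /proc/meminfo fallback`, keeps that contract visible; otherwise a value supplied in GiB or bytes would silently skew swap sizing. The `partitioning_vm_memory_effective` definition starts before the hunk.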


@@ -41,8 +41,8 @@
- name: Make root subvolumes - name: Make root subvolumes
when: when:
- cis_enabled or item.subvol not in ['var_log_audit'] - system_cfg.features.cis.enabled or item.subvol not in ['var_log_audit']
- swap_enabled | bool or item.subvol != 'swap' - system_cfg.features.swap.enabled | bool or item.subvol != 'swap'
ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
args: args:
creates: /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} creates: /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
@@ -57,7 +57,7 @@
register: partitioning_btrfs_subvol_result register: partitioning_btrfs_subvol_result
- name: Set quotas for subvolumes - name: Set quotas for subvolumes
when: cis_enabled when: system_cfg.features.cis.enabled
ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
loop: loop:
- { subvol: home, quota: 2G } - { subvol: home, quota: 2G }
@@ -65,7 +65,7 @@
changed_when: false changed_when: false
- name: Create a Btrfs swap file - name: Create a Btrfs swap file
when: swap_enabled | bool when: system_cfg.features.swap.enabled | bool
ansible.builtin.command: >- ansible.builtin.command: >-
btrfs filesystem mkswapfile --size {{ partitioning_swap_size_gb }}g --uuid clear /mnt/@swap/swapfile btrfs filesystem mkswapfile --size {{ partitioning_swap_size_gb }}g --uuid clear /mnt/@swap/swapfile
args: args:
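Review bot: In the `Make root subvolumes` `when:` list, `system_cfg.features.cis.enabled` is used bare while `system_cfg.features.swap.enabled` on the next line goes through `| bool`; if the CIS flag arrives as a string (extra-vars and some inventory sources yield `"false"`, which is truthy), the two gates behave differently. Applying the filter consistently, `- system_cfg.features.cis.enabled | bool or item.subvol not in ['var_log_audit']`, makes the subvolume layout independent of how the flag was typed. The same bare use appears in `Set quotas for subvolumes` further down this file and in the ext4, LVM/main and XFS files of this commit.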


@@ -1,6 +1,6 @@
--- ---
- name: Create and format ext4 logical volumes - name: Create and format ext4 logical volumes
when: cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] when: system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
community.general.filesystem: community.general.filesystem:
dev: /dev/sys/{{ item.lv }} dev: /dev/sys/{{ item.lv }}
fstype: ext4 fstype: ext4
@@ -15,7 +15,7 @@
- name: Remove Unsupported features for older Systems - name: Remove Unsupported features for older Systems
when: > when: >
(os in ['almalinux', 'rocky', 'rhel'] or (os == 'debian' and (os_version | string) == '11')) (os in ['almalinux', 'rocky', 'rhel'] or (os == 'debian' and (os_version | string) == '11'))
and (cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']) and (system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'])
ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}" ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}"
loop: loop:
- { lv: root } - { lv: root }


@@ -4,7 +4,7 @@
partitioning_extra_disks: >- partitioning_extra_disks: >-
{{ {{
(system_cfg.disks | default([]))[1:] (system_cfg.disks | default([]))[1:]
| selectattr('mount') | selectattr('mount.path')
| list | list
}} }}
changed_when: false changed_when: false
@@ -18,12 +18,12 @@
- item.device != install_drive - item.device != install_drive
- item.partition is defined - item.partition is defined
- item.partition | string | length > 0 - item.partition | string | length > 0
- item.fstype is defined - item.mount.fstype is defined
- item.fstype in ['btrfs', 'ext4', 'xfs'] - item.mount.fstype in ['btrfs', 'ext4', 'xfs']
- item.mount is defined - item.mount.path is defined
- item.mount | string | length > 0 - item.mount.path | string | length > 0
- item.mount.startswith('/') - item.mount.path.startswith('/')
- item.mount != '/' - item.mount.path != '/'
fail_msg: "Invalid additional disk definition: {{ item | to_json }}" fail_msg: "Invalid additional disk definition: {{ item | to_json }}"
quiet: true quiet: true
loop: "{{ partitioning_extra_disks }}" loop: "{{ partitioning_extra_disks }}"
@@ -38,7 +38,7 @@
number: 1 number: 1
part_start: "1MiB" part_start: "1MiB"
part_end: "100%" part_end: "100%"
name: "{{ (item.label | default('') | string | length > 0) | ternary(item.label, 'data') }}" name: "{{ (item.mount.label | default('') | string | length > 0) | ternary(item.mount.label, 'data') }}"
state: present state: present
loop: "{{ partitioning_extra_disks }}" loop: "{{ partitioning_extra_disks }}"
loop_control: loop_control:
@@ -53,8 +53,8 @@
when: partitioning_extra_disks | length > 0 when: partitioning_extra_disks | length > 0
community.general.filesystem: community.general.filesystem:
dev: "{{ item.partition }}" dev: "{{ item.partition }}"
fstype: "{{ item.fstype }}" fstype: "{{ item.mount.fstype }}"
opts: "{{ ('-L ' ~ item.label) if (item.label | default('') | string | length) > 0 else omit }}" opts: "{{ ('-L ' ~ item.mount.label) if (item.mount.label | default('') | string | length) > 0 else omit }}"
force: true force: true
loop: "{{ partitioning_extra_disks }}" loop: "{{ partitioning_extra_disks }}"
loop_control: loop_control:
@@ -63,23 +63,23 @@
- name: Ensure mount directories exist for additional disks - name: Ensure mount directories exist for additional disks
when: partitioning_extra_disks | length > 0 when: partitioning_extra_disks | length > 0
ansible.builtin.file: ansible.builtin.file:
path: "/mnt{{ item.mount }}" path: "/mnt{{ item.mount.path }}"
state: directory state: directory
owner: root owner: root
group: root group: root
mode: "0755" mode: "0755"
loop: "{{ partitioning_extra_disks }}" loop: "{{ partitioning_extra_disks }}"
loop_control: loop_control:
label: "{{ item.mount }}" label: "{{ item.mount.path }}"
- name: Mount additional disks for fstab generation - name: Mount additional disks for fstab generation
when: partitioning_extra_disks | length > 0 when: partitioning_extra_disks | length > 0
ansible.posix.mount: ansible.posix.mount:
path: "/mnt{{ item.mount }}" path: "/mnt{{ item.mount.path }}"
src: "{{ item.partition }}" src: "{{ item.partition }}"
fstype: "{{ item.fstype }}" fstype: "{{ item.mount.fstype }}"
opts: "{{ item.opts | default('defaults') }}" opts: "{{ item.mount.opts | default('defaults') }}"
state: mounted state: mounted
loop: "{{ partitioning_extra_disks }}" loop: "{{ partitioning_extra_disks }}"
loop_control: loop_control:
label: "{{ item.mount }}" label: "{{ item.mount.path }}"
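Review bot: The `that:` list validating additional disks checks that `item.mount.path` is absolute and not `/`, but not that it is normalized, so a path with `..` segments still passes and is then concatenated as `/mnt{{ item.mount.path }}` in the directory and mount tasks, where it resolves outside the staging root. Adding `- item.mount.path == (item.mount.path | normpath)` to the list closes that gap. The new `item.mount.label` and `item.mount.opts` fields reach `parted`, the `-L` mkfs option and the mount options without any check; a character allowlist on both (ext4 labels are additionally limited to 16 bytes) would match the strictness applied to `fstype` and `path`. The assert task that owns this `that:` list starts before the hunk.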


@@ -1,9 +1,9 @@
--- ---
- name: Detect system memory for swap sizing - name: Detect system memory for swap sizing
when: when:
- swap_enabled | bool - system_cfg.features.swap.enabled | bool
- partitioning_vm_memory is not defined or (partitioning_vm_memory | float) <= 0 - partitioning_vm_memory is not defined or (partitioning_vm_memory | float) <= 0
- system_cfg is not defined or (system_cfg.memory_mb | default(0) | float) <= 0 - system_cfg is not defined or (system_cfg.memory | default(0) | float) <= 0
block: block:
- name: Read system memory - name: Read system memory
ansible.builtin.command: awk '/MemTotal/ {print int($2/1024)}' /proc/meminfo ansible.builtin.command: awk '/MemTotal/ {print int($2/1024)}' /proc/meminfo
@@ -17,7 +17,7 @@
- name: Set partitioning vm_size for physical installs - name: Set partitioning vm_size for physical installs
when: when:
- install_type == "physical" - system_cfg.type == "physical"
- partitioning_vm_size is not defined or (partitioning_vm_size | float) <= 0 - partitioning_vm_size is not defined or (partitioning_vm_size | float) <= 0
- install_drive | length > 0 - install_drive | length > 0
block: block:
@@ -163,7 +163,7 @@
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- partitioning_luks_passphrase_effective | length > 0 - partitioning_luks_passphrase_effective | length > 0
fail_msg: luks_passphrase (or partitioning_luks_passphrase) must be set when LUKS is enabled. fail_msg: system.luks.passphrase must be set when LUKS is enabled.
no_log: true no_log: true
- name: Ensure LUKS container exists - name: Ensure LUKS container exists
@@ -258,8 +258,8 @@
- name: Create LVM logical volumes - name: Create LVM logical volumes
when: when:
- cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] - system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
- swap_enabled | bool or item.lv != 'swap' - system_cfg.features.swap.enabled | bool or item.lv != 'swap'
vars: vars:
partitioning_lvm_extent_reserve_count: 10 partitioning_lvm_extent_reserve_count: 10
partitioning_lvm_extent_size_mib: 4 partitioning_lvm_extent_size_mib: 4
@@ -279,7 +279,7 @@
4 4
] | max | float ] | max | float
) )
if swap_enabled | bool if system_cfg.features.swap.enabled | bool
else 0 else 0
}} }}
partitioning_lvm_swap_cap_gb: >- partitioning_lvm_swap_cap_gb: >-
@@ -291,7 +291,7 @@
0 0
] | max ] | max
) )
if swap_enabled | bool if system_cfg.features.swap.enabled | bool
else 0 else 0
}} }}
partitioning_lvm_swap_target_effective_gb: >- partitioning_lvm_swap_target_effective_gb: >-
@@ -302,7 +302,7 @@
partitioning_lvm_swap_cap_gb partitioning_lvm_swap_cap_gb
] | min ] | min
) )
if swap_enabled | bool if system_cfg.features.swap.enabled | bool
else 0 else 0
}} }}
partitioning_lvm_swap_max_gb: >- partitioning_lvm_swap_max_gb: >-
@@ -312,14 +312,14 @@
( (
(partitioning_vm_size_effective | float) (partitioning_vm_size_effective | float)
- (partitioning_reserved_gb | float) - (partitioning_reserved_gb | float)
- (cis_enabled | ternary(7.5, 0)) - (system_cfg.features.cis.enabled | ternary(7.5, 0))
- partitioning_lvm_extent_reserve_gb - partitioning_lvm_extent_reserve_gb
- 4 - 4
), ),
0 0
] | max ] | max
) )
if swap_enabled | bool if system_cfg.features.swap.enabled | bool
else 0 else 0
}} }}
partitioning_lvm_available_gb: >- partitioning_lvm_available_gb: >-
@@ -327,7 +327,7 @@
( (
(partitioning_vm_size_effective | float) (partitioning_vm_size_effective | float)
- (partitioning_reserved_gb | float) - (partitioning_reserved_gb | float)
- (cis_enabled | ternary(7.5, 0)) - (system_cfg.features.cis.enabled | ternary(7.5, 0))
- partitioning_lvm_extent_reserve_gb - partitioning_lvm_extent_reserve_gb
- partitioning_lvm_swap_target_effective_gb - partitioning_lvm_swap_target_effective_gb
) | float ) | float
@@ -364,7 +364,7 @@
partitioning_lvm_swap_max_gb partitioning_lvm_swap_max_gb
] | min | round(2, 'floor') ] | min | round(2, 'floor')
) )
if swap_enabled | bool if system_cfg.features.swap.enabled | bool
else 0 else 0
}} }}
partitioning_lvm_root_full_gb: >- partitioning_lvm_root_full_gb: >-
@@ -377,7 +377,7 @@
- partitioning_lvm_extent_reserve_gb - partitioning_lvm_extent_reserve_gb
- ( - (
(partitioning_lvm_home_gb | float) + 5.5 (partitioning_lvm_home_gb | float) + 5.5
if cis_enabled if system_cfg.features.cis.enabled
else 0 else 0
) )
), ),
@@ -436,7 +436,7 @@
- name: Create swap filesystem - name: Create swap filesystem
when: when:
- filesystem != 'btrfs' - filesystem != 'btrfs'
- swap_enabled | bool - system_cfg.features.swap.enabled | bool
community.general.filesystem: community.general.filesystem:
fstype: swap fstype: swap
dev: /dev/sys/swap dev: /dev/sys/swap
@@ -470,7 +470,7 @@
- name: Get UUID for LVM swap filesystem - name: Get UUID for LVM swap filesystem
when: when:
- filesystem != 'btrfs' - filesystem != 'btrfs'
- swap_enabled | bool - system_cfg.features.swap.enabled | bool
ansible.builtin.command: blkid -s UUID -o value /dev/sys/swap ansible.builtin.command: blkid -s UUID -o value /dev/sys/swap
register: partitioning_uuid_swap_result register: partitioning_uuid_swap_result
changed_when: false changed_when: false
@@ -478,7 +478,7 @@
- name: Get UUID for LVM home filesystem - name: Get UUID for LVM home filesystem
when: when:
- filesystem != 'btrfs' - filesystem != 'btrfs'
- cis_enabled - system_cfg.features.cis.enabled
ansible.builtin.command: blkid -s UUID -o value /dev/sys/home ansible.builtin.command: blkid -s UUID -o value /dev/sys/home
register: partitioning_uuid_home_result register: partitioning_uuid_home_result
changed_when: false changed_when: false
@@ -486,7 +486,7 @@
- name: Get UUID for LVM var filesystem - name: Get UUID for LVM var filesystem
when: when:
- filesystem != 'btrfs' - filesystem != 'btrfs'
- cis_enabled - system_cfg.features.cis.enabled
ansible.builtin.command: blkid -s UUID -o value /dev/sys/var ansible.builtin.command: blkid -s UUID -o value /dev/sys/var
register: partitioning_uuid_var_result register: partitioning_uuid_var_result
changed_when: false changed_when: false
@@ -494,7 +494,7 @@
- name: Get UUID for LVM var_log filesystem - name: Get UUID for LVM var_log filesystem
when: when:
- filesystem != 'btrfs' - filesystem != 'btrfs'
- cis_enabled - system_cfg.features.cis.enabled
ansible.builtin.command: blkid -s UUID -o value /dev/sys/var_log ansible.builtin.command: blkid -s UUID -o value /dev/sys/var_log
register: partitioning_uuid_var_log_result register: partitioning_uuid_var_log_result
changed_when: false changed_when: false
@@ -502,7 +502,7 @@
- name: Get UUID for LVM var_log_audit filesystem - name: Get UUID for LVM var_log_audit filesystem
when: when:
- filesystem != 'btrfs' - filesystem != 'btrfs'
- cis_enabled - system_cfg.features.cis.enabled
ansible.builtin.command: blkid -s UUID -o value /dev/sys/var_log_audit ansible.builtin.command: blkid -s UUID -o value /dev/sys/var_log_audit
register: partitioning_uuid_var_log_audit_result register: partitioning_uuid_var_log_audit_result
changed_when: false changed_when: false
@@ -514,31 +514,31 @@
partitioning_uuid_swap: >- partitioning_uuid_swap: >-
{{ {{
partitioning_uuid_swap_result.stdout_lines | default([]) partitioning_uuid_swap_result.stdout_lines | default([])
if swap_enabled | bool if system_cfg.features.swap.enabled | bool
else '' else ''
}} }}
partitioning_uuid_home: >- partitioning_uuid_home: >-
{{ {{
partitioning_uuid_home_result.stdout_lines | default([]) partitioning_uuid_home_result.stdout_lines | default([])
if cis_enabled if system_cfg.features.cis.enabled
else '' else ''
}} }}
partitioning_uuid_var: >- partitioning_uuid_var: >-
{{ {{
partitioning_uuid_var_result.stdout_lines | default([]) partitioning_uuid_var_result.stdout_lines | default([])
if cis_enabled if system_cfg.features.cis.enabled
else '' else ''
}} }}
partitioning_uuid_var_log: >- partitioning_uuid_var_log: >-
{{ {{
partitioning_uuid_var_log_result.stdout_lines | default([]) partitioning_uuid_var_log_result.stdout_lines | default([])
if cis_enabled if system_cfg.features.cis.enabled
else '' else ''
}} }}
partitioning_uuid_var_log_audit: >- partitioning_uuid_var_log_audit: >-
{{ {{
partitioning_uuid_var_log_audit_result.stdout_lines | default([]) partitioning_uuid_var_log_audit_result.stdout_lines | default([])
if cis_enabled if system_cfg.features.cis.enabled
else '' else ''
}} }}
@@ -547,15 +547,15 @@
- name: Mount filesystems and subvolumes - name: Mount filesystems and subvolumes
when: when:
- >- - >-
cis_enabled or ( system_cfg.features.cis.enabled or (
not cis_enabled and ( not system_cfg.features.cis.enabled and (
(filesystem == 'btrfs' and item.path in ['/home', '/var/log', '/var/cache/pacman/pkg']) (filesystem == 'btrfs' and item.path in ['/home', '/var/log', '/var/cache/pacman/pkg'])
or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit', '/var/cache/pacman/pkg']) or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit', '/var/cache/pacman/pkg'])
) )
) )
- >- - >-
not (item.path in ['/swap', '/var/cache/pacman/pkg'] and filesystem != 'btrfs') not (item.path in ['/swap', '/var/cache/pacman/pkg'] and filesystem != 'btrfs')
- swap_enabled | bool or item.path != '/swap' - system_cfg.features.swap.enabled | bool or item.path != '/swap'
ansible.posix.mount: ansible.posix.mount:
path: /mnt{{ item.path }} path: /mnt{{ item.path }}
src: "{{ 'UUID=' + (partitioning_main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}" src: "{{ 'UUID=' + (partitioning_main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}"
@@ -655,7 +655,7 @@
state: mounted state: mounted
- name: Activate swap - name: Activate swap
when: swap_enabled | bool when: system_cfg.features.swap.enabled | bool
vars: vars:
partitioning_swap_cmd: >- partitioning_swap_cmd: >-
{{ 'swapon /mnt/swap/swapfile' if filesystem == 'btrfs' else 'swapon -U ' + partitioning_uuid_swap[0] }} {{ 'swapon /mnt/swap/swapfile' if filesystem == 'btrfs' else 'swapon -U ' + partitioning_uuid_swap[0] }}
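Review bot: In the `Detect system memory for swap sizing` `when:` list, the new first entry `system_cfg.features.swap.enabled | bool` dereferences `system_cfg` before the third entry's `system_cfg is not defined or …` guard is reached, so with `system_cfg` undefined the block now fails on the first condition instead of being skipped. Ansible evaluates `when:` entries in order and stops at the first false one, so either the guard is dead and can be removed, or the `is not defined` check should move to the front of the list. Separately, the new `fail_msg` names `system.luks.passphrase` while the defaults in this commit read `system_cfg.luks.passphrase`; if `system` is the user-facing key from which `system_cfg` is derived that is fine, otherwise the message points operators at a variable that does not exist.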


@@ -1,6 +1,6 @@
--- ---
- name: Create and format XFS logical volumes - name: Create and format XFS logical volumes
when: cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] when: system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
community.general.filesystem: community.general.filesystem:
dev: /dev/sys/{{ item.lv }} dev: /dev/sys/{{ item.lv }}
fstype: xfs fstype: xfs