refactor(bootstrap): standardize patterns, extract common logic, remove dead code

roles/bootstrap/tasks/main.yml

@@ -1,45 +1,17 @@
 ---
 - name: Run OS-specific bootstrap process
   vars:
-    bootstrap_os_key: "{{ (os_resolved | default(os)) | lower }}"
-    bootstrap_var_key: "{{ 'bootstrap_' + ((os_resolved | default(os)) | lower | replace('-', '_')) }}"
-  block:
-    - name: Include AlmaLinux bootstrap tasks
-      when: bootstrap_os_key in ['almalinux', 'almalinux8', 'almalinux9', 'almalinux10']
-      ansible.builtin.include_tasks: almalinux.yml
-
-    - name: Include Alpine bootstrap tasks
-      when: bootstrap_os_key == 'alpine'
-      ansible.builtin.include_tasks: alpine.yml
-
-    - name: Include ArchLinux bootstrap tasks
-      when: bootstrap_os_key == 'archlinux'
-      ansible.builtin.include_tasks: archlinux.yml
-
-    - name: Include Debian bootstrap tasks
-      when: bootstrap_os_key in ['debian10', 'debian11', 'debian12', 'debian13', 'debianunstable']
-      ansible.builtin.include_tasks: debian.yml
-
-    - name: Include Fedora bootstrap tasks
-      when: bootstrap_os_key in ['fedora', 'fedora40', 'fedora41', 'fedora42', 'fedora43']
-      ansible.builtin.include_tasks: fedora.yml
-
-    - name: Include openSUSE bootstrap tasks
-      when: bootstrap_os_key == 'opensuse'
-      ansible.builtin.include_tasks: opensuse.yml
-
-    - name: Include Rocky bootstrap tasks
-      when: bootstrap_os_key in ['rocky', 'rocky8', 'rocky9', 'rocky10']
-      ansible.builtin.include_tasks: rocky.yml
-
-    - name: Include RHEL bootstrap tasks
-      when: bootstrap_os_key in ['rhel8', 'rhel9', 'rhel10']
-      ansible.builtin.include_tasks: rhel.yml
-
-    - name: Include Ubuntu bootstrap tasks
-      when: bootstrap_os_key in ['ubuntu', 'ubuntu-lts']
-      ansible.builtin.include_tasks: ubuntu.yml
-
-    - name: Include Void bootstrap tasks
-      when: bootstrap_os_key == 'void'
-      ansible.builtin.include_tasks: void.yml
+    bootstrap_os_task_map:
+      almalinux: almalinux.yml
+      alpine: alpine.yml
+      archlinux: archlinux.yml
+      debian: debian.yml
+      fedora: fedora.yml
+      opensuse: opensuse.yml
+      rocky: rocky.yml
+      rhel: rhel.yml
+      ubuntu: ubuntu.yml
+      ubuntu-lts: ubuntu.yml
+      void: void.yml
+    bootstrap_var_key: "{{ 'bootstrap_' + (os | replace('-lts', '') | replace('-', '_')) }}"
+  ansible.builtin.include_tasks: "{{ bootstrap_os_task_map[os] }}"

roles/bootstrap/tasks/rhel.yml

@@ -2,10 +2,8 @@
 - name: Bootstrap RHEL System
   block:
     - name: Install base packages in chroot environment
-      vars:
-        bootstrap_rhel_release: "{{ bootstrap_os_key | replace('rhel', '') }}"
       ansible.builtin.command: >-
-        dnf --releasever={{ bootstrap_rhel_release }} --repo={{ bootstrap_os_key }}-baseos
+        dnf --releasever={{ os_version_major }} --repo=rhel{{ os_version_major }}-baseos
         --installroot=/mnt
         --setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
         groupinstall -y core base standard
@@ -39,14 +37,13 @@
 
     - name: Copy RHEL repo file into chroot environment
       ansible.builtin.copy:
-        src: /etc/yum.repos.d/{{ bootstrap_os_key }}.repo
+        src: /etc/yum.repos.d/rhel.repo
         dest: /mnt/etc/yum.repos.d/redhat.repo
         mode: "0644"
         remote_src: true
 
     - name: Install additional packages in chroot
       vars:
-        bootstrap_rhel_release: "{{ bootstrap_os_key | replace('rhel', '') }}"
         bootstrap_rhel_extra: >-
           {{
             lookup('vars', bootstrap_var_key)
@@ -54,7 +51,7 @@
             | join(' ')
           }}
       ansible.builtin.command: >-
-        {{ chroot_command }} dnf --releasever={{ bootstrap_rhel_release }}
+        {{ chroot_command }} dnf --releasever={{ os_version_major }}
         --setopt=install_weak_deps=False install -y {{ bootstrap_rhel_extra }}
       register: bootstrap_result
       changed_when: bootstrap_result.rc == 0

roles/bootstrap/tasks/ubuntu.yml

@@ -2,7 +2,7 @@
 - name: Bootstrap Ubuntu System
   vars:
     bootstrap_ubuntu_release: >-
-      {{ 'plucky' if bootstrap_os_key == 'ubuntu' else 'noble' }}
+      {{ 'plucky' if os == 'ubuntu' else 'noble' }}
     bootstrap_ubuntu_package_config: >-
       {{
         lookup('vars', bootstrap_var_key)

roles/bootstrap/vars/main.yml

@@ -1,28 +1,24 @@
 ---
-bootstrap_rhel_base:
-  - bind-utils
-  - dhcp-client
-  - efibootmgr
+# Common conditional packages shared across distributions.
+# Arch overrides nftables with iptables-nft; SSH package names vary per distro.
+bootstrap_common_conditional:
   - "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}"
   - "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}"
   - "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' else '' }}"
   - "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' else '' }}"
-  - glibc-langpack-de
-  - glibc-langpack-en
-  - lrzsz
-  - lvm2
-  - mtr
-  - ncurses-term
-  - nfs-utils
-  - policycoreutils-python-utils
-  - shim
-  - tmux
   - "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}"
   - "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}"
   - "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}"
   - "{{ 'open-vm-tools' if hypervisor_type == 'vmware' else '' }}"
-  - vim
-  - zstd
+
+bootstrap_rhel_base: >-
+  {{
+    ['bind-utils', 'dhcp-client', 'efibootmgr',
+     'glibc-langpack-de', 'glibc-langpack-en', 'lrzsz',
+     'lvm2', 'mtr', 'ncurses-term', 'nfs-utils',
+     'policycoreutils-python-utils', 'shim', 'tmux', 'vim', 'zstd']
+    + bootstrap_common_conditional
+  }}
 
 bootstrap_rhel_versioned:
   - grub2
@@ -32,72 +28,33 @@ bootstrap_rhel_versioned:
   - "{{ 'kernel' if os_version_major | default('') == '10' else '' }}"
   - "{{ 'zram-generator' if os_version_major | default('') in ['9', '10'] else '' }}"
 
-bootstrap_rhel_common: "{{ bootstrap_rhel_base + bootstrap_rhel_versioned }}"
+bootstrap_rhel: "{{ bootstrap_rhel_base + bootstrap_rhel_versioned }}"
 
-bootstrap_rhel8: "{{ bootstrap_rhel_common }}"
-bootstrap_rhel9: "{{ bootstrap_rhel_common }}"
-bootstrap_rhel10: "{{ bootstrap_rhel_common }}"
+bootstrap_almalinux: >-
+  {{
+    bootstrap_rhel_base
+    + ['grub2', 'grub2-efi', 'dbus-daemon', 'lrzsz',
+       'nfsv4-client-utils', 'nc', 'ppp', 'zram-generator']
+  }}
 
-bootstrap_almalinux:
-  "{{ bootstrap_rhel_base + ['grub2', 'grub2-efi', 'dbus-daemon', 'lrzsz', 'nfsv4-client-utils', 'nc', 'ppp', 'zram-generator'] }}"
+bootstrap_rocky: >-
+  {{
+    bootstrap_rhel_base
+    + ['grub2', 'grub2-efi', 'nfsv4-client-utils', 'nc', 'ppp',
+       'telnet', 'util-linux-core', 'wget', 'zram-generator']
+  }}
 
-bootstrap_rocky:
-  "{{ bootstrap_rhel_base + ['grub2', 'grub2-efi', 'nfsv4-client-utils', 'nc', 'ppp', 'telnet', 'util-linux-core', 'wget', 'zram-generator'] }}"
-
-bootstrap_almalinux8: "{{ bootstrap_almalinux }}"
-bootstrap_almalinux9: "{{ bootstrap_almalinux }}"
-bootstrap_almalinux10: "{{ bootstrap_almalinux }}"
-
-bootstrap_rocky8: "{{ bootstrap_rocky }}"
-bootstrap_rocky9: "{{ bootstrap_rocky }}"
-bootstrap_rocky10: "{{ bootstrap_rocky }}"
-
-bootstrap_fedora:
-  - bat
-  - bind-utils
-  - btrfs-progs
-  - cronie
-  - dhcp-client
-  - duf
-  - efibootmgr
-  - entr
-  - "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}"
-  - "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}"
-  - "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' else '' }}"
-  - "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' else '' }}"
-  - fish
-  - fzf
-  - glibc-langpack-de
-  - glibc-langpack-en
-  - grub2
-  - grub2-efi
-  - htop
-  - iperf3
-  - logrotate
-  - lrzsz
-  - lvm2
-  - nc
-  - nfs-utils
-  - nfsv4-client-utils
-  - polkit
-  - ppp
-  - ripgrep
-  - shim
-  - tmux
-  - "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}"
-  - "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor_type == 'vmware' else '' }}"
-  - vim-default-editor
-  - wget
-  - zoxide
-  - zram-generator
-  - zstd
-
-bootstrap_fedora40: "{{ bootstrap_fedora }}"
-bootstrap_fedora41: "{{ bootstrap_fedora }}"
-bootstrap_fedora42: "{{ bootstrap_fedora }}"
-bootstrap_fedora43: "{{ bootstrap_fedora }}"
+bootstrap_fedora: >-
+  {{
+    ['bat', 'bind-utils', 'btrfs-progs', 'cronie', 'dhcp-client',
+     'duf', 'efibootmgr', 'entr', 'fish', 'fzf',
+     'glibc-langpack-de', 'glibc-langpack-en', 'grub2', 'grub2-efi',
+     'htop', 'iperf3', 'logrotate', 'lrzsz', 'lvm2',
+     'nc', 'nfs-utils', 'nfsv4-client-utils', 'polkit', 'ppp',
+     'ripgrep', 'shim', 'tmux', 'vim-default-editor',
+     'wget', 'zoxide', 'zram-generator', 'zstd']
+    + bootstrap_common_conditional
+  }}
 
 bootstrap_debian_base_common:
   - btrfs-progs
@@ -123,8 +80,6 @@ bootstrap_debian_extra_common:
   - chrony
   - curl
   - entr
-  - "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}"
-  - "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}"
   - fish
   - fzf
   - htop
@@ -142,9 +97,6 @@ bootstrap_debian_extra_common:
   - sudo
   - syslog-ng
   - tcpd
-  - "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor_type == 'vmware' else '' }}"
   - vim
   - wget
   - zstd
@@ -160,13 +112,12 @@ bootstrap_debian_extra_versioned:
 
 bootstrap_debian:
   base: "{{ bootstrap_debian_base_common }}"
-  extra: "{{ bootstrap_debian_extra_common + bootstrap_debian_extra_versioned }}"
-
-bootstrap_debian10: "{{ bootstrap_debian }}"
-bootstrap_debian11: "{{ bootstrap_debian }}"
-bootstrap_debian12: "{{ bootstrap_debian }}"
-bootstrap_debian13: "{{ bootstrap_debian }}"
-bootstrap_debianunstable: "{{ bootstrap_debian }}"
+  extra: >-
+    {{
+      bootstrap_debian_extra_common
+      + bootstrap_debian_extra_versioned
+      + bootstrap_common_conditional
+    }}
 
 bootstrap_ubuntu:
   base:
@@ -178,94 +129,38 @@ bootstrap_ubuntu:
       + ['bash-completion', 'dnsutils', 'duf', 'eza', 'fdupes', 'fio',
       'ncurses-term', 'software-properties-common', 'systemd-zram-generator',
       'tldr', 'traceroute', 'util-linux-extra', 'yq', 'zoxide']
+      + bootstrap_common_conditional
     }}
 
-bootstrap_ubuntu_lts:
-  base:
-    - linux-image-generic
-  extra: >-
-    {{
-      bootstrap_debian_base_common
-      + bootstrap_debian_extra_common
-      + ['bash-completion', 'dnsutils', 'duf', 'eza', 'fdupes', 'fio',
-      'ncurses-term', 'software-properties-common', 'systemd-zram-generator',
-      'tldr', 'traceroute', 'util-linux-extra', 'yq', 'zoxide']
-    }}
+bootstrap_archlinux: >-
+  {{
+    ['base', 'btrfs-progs', 'cronie', 'dhcpcd', 'efibootmgr', 'fastfetch',
+     'fish', 'fzf', 'grub', 'htop', 'libpwquality', 'linux', 'logrotate',
+     'lrzsz', 'lsof', 'lvm2', 'ncdu', 'networkmanager', 'nfs-utils',
+     'ppp', 'prometheus-node-exporter', 'python-psycopg2', 'reflector',
+     'rsync', 'sudo', 'tldr', 'tmux', 'vim', 'wireguard-tools', 'zram-generator']
+    + [('openssh' if system_cfg.features.ssh.enabled | bool else '')]
+    + [('iptables-nft' if system_cfg.features.firewall.toolkit == 'nftables' else '')]
+    + (bootstrap_common_conditional | reject('equalto', 'nftables') | list)
+  }}
 
-bootstrap_archlinux:
-  - base
-  - btrfs-progs
-  - cronie
-  - dhcpcd
-  - efibootmgr
-  - fastfetch
-  - "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}"
-  - "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}"
-  - "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' else '' }}"
-  - "{{ 'iptables-nft' if system_cfg.features.firewall.toolkit == 'nftables' else '' }}"
-  - fish
-  - fzf
-  - grub
-  - htop
-  - libpwquality
-  - linux
-  - logrotate
-  - lrzsz
-  - lsof
-  - lvm2
-  - ncdu
-  - networkmanager
-  - nfs-utils
-  - "{{ 'openssh' if system_cfg.features.ssh.enabled | bool else '' }}"
-  - ppp
-  - prometheus-node-exporter
-  - python-psycopg2
-  - reflector
-  - rsync
-  - sudo
-  - tldr
-  - tmux
-  - "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}"
-  - "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor_type == 'vmware' else '' }}"
-  - vim
-  - wireguard-tools
-  - zram-generator
+bootstrap_alpine: >-
+  {{
+    ['alpine-base', 'vim']
+    + [('openssh' if system_cfg.features.ssh.enabled | bool else '')]
+    + bootstrap_common_conditional
+  }}
 
-bootstrap_alpine:
-  - alpine-base
-  - vim
-  - "{{ 'openssh' if system_cfg.features.ssh.enabled | bool else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor_type == 'vmware' else '' }}"
-  - "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}"
-  - "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}"
-  - "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' else '' }}"
-  - "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' else '' }}"
-  - "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}"
-  - "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}"
+bootstrap_opensuse: >-
+  {{
+    ['vim']
+    + [('openssh' if system_cfg.features.ssh.enabled | bool else '')]
+    + bootstrap_common_conditional
+  }}
 
-bootstrap_opensuse:
-  - vim
-  - "{{ 'openssh' if system_cfg.features.ssh.enabled | bool else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor_type == 'vmware' else '' }}"
-  - "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}"
-  - "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}"
-  - "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' else '' }}"
-  - "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' else '' }}"
-  - "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}"
-  - "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}"
-
-bootstrap_void:
-  - vim
-  - "{{ 'openssh' if system_cfg.features.ssh.enabled | bool else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor_type == 'vmware' else '' }}"
-  - "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}"
-  - "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}"
-  - "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' else '' }}"
-  - "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' else '' }}"
-  - "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}"
-  - "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}"
+bootstrap_void: >-
+  {{
+    ['vim']
+    + [('openssh' if system_cfg.features.ssh.enabled | bool else '')]
+    + bootstrap_common_conditional
+  }}