sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

refactor(standardize): fix sudoers lecture syntax, extract ssh config, remove redundant os filters

Browse Source
This commit is contained in:
Sandwich
2026-02-13 00:20:59 +01:00
parent af5eecfc01
commit eeb580f180
17 changed files with 67 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@@ -150,10 +150,11 @@ all:
These top-level variables sit outside the `system`/`hypervisor` dictionaries. These top-level variables sit outside the `system`/`hypervisor` dictionaries.
| Variable | Type | Description | | Variable | Type | Description |
| ------------ | ------ | ------------------------------------------------ | | ----------------------------------- | ------ | ------------------------------------------------ |
| `boot_iso` | string | Path to the boot ISO image (required for virtual installs). | | `boot_iso` | string | Path to the boot ISO image (required for virtual installs). |
| `rhel_iso` | string | Path to the RHEL ISO (required when `system.os: rhel`). | | `rhel_iso` | string | Path to the RHEL ISO (required when `system.os: rhel`). |
| `custom_iso` | bool | Skip ArchISO validation and pacman setup. Default `false`. | | `custom_iso` | bool | Skip ArchISO validation and pacman setup. Default `false`. |
| `thirdparty_tasks` | string | Drop-in task file included during environment setup. Default `dropins/preparation.yml`. |
### 4.2 `system` Dictionary ### 4.2 `system` Dictionary

19
roles/configuration/tasks/banner.yml
View File

@@ -26,30 +26,25 @@
- name: Configure sudo banner - name: Configure sudo banner
when: system_cfg.features.banner.sudo | bool when: system_cfg.features.banner.sudo | bool
block: block:
- name: Create sudoers banner directory - name: Create sudo lecture file
ansible.builtin.file:
path: /mnt/etc/sudoers.d
state: directory
mode: "0755"
owner: root
group: root
- name: Create sudo banner file
ansible.builtin.copy: ansible.builtin.copy:
content: | content: |
I am Groot, and I know what I'm doing. I am Groot, and I know what I'm doing.
dest: /mnt/etc/sudoers.d/banner dest: /mnt/etc/sudo_lecture
mode: "0644" mode: "0644"
owner: root owner: root
group: root group: root
- name: Enable sudo banner in sudoers - name: Enable sudo lecture in sudoers
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/sudoers path: /mnt/etc/sudoers
line: "Defaults lecture=@/etc/sudoers.d/banner" line: "{{ item }}"
state: present state: present
create: true create: true
mode: "0440" mode: "0440"
owner: root owner: root
group: root group: root
validate: "/usr/sbin/visudo --check --file=%s" validate: "/usr/sbin/visudo --check --file=%s"
loop:
- "Defaults lecture=always"
- "Defaults lecture_file=/etc/sudo_lecture"

12
roles/configuration/tasks/bootloader.yml
View File

@@ -6,9 +6,9 @@
configuration_use_efibootmgr: "{{ is_rhel | bool }}" configuration_use_efibootmgr: "{{ is_rhel | bool }}"
configuration_efi_dir: "{{ partitioning_efi_mountpoint }}" configuration_efi_dir: "{{ partitioning_efi_mountpoint }}"
configuration_bootloader_id: >- configuration_bootloader_id: >-
{{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }} {{ "ubuntu" if os in ["ubuntu", "ubuntu-lts"] else os }}
configuration_efi_vendor: >- configuration_efi_vendor: >-
{{ "redhat" if os | lower == "rhel" else os | lower }} {{ "redhat" if os == "rhel" else os }}
configuration_efibootmgr_cmd: >- configuration_efibootmgr_cmd: >-
/usr/sbin/efibootmgr -c -L '{{ os }}' -d "{{ install_drive }}" -p 1 /usr/sbin/efibootmgr -c -L '{{ os }}' -d "{{ install_drive }}" -p 1
-l '\efi\EFI\{{ configuration_efi_vendor }}\shimx64.efi' -l '\efi\EFI\{{ configuration_efi_vendor }}\shimx64.efi'
@@ -23,7 +23,7 @@
changed_when: configuration_bootloader_result.rc == 0 changed_when: configuration_bootloader_result.rc == 0
- name: Ensure lvm2 for non btrfs filesystems - name: Ensure lvm2 for non btrfs filesystems
when: os | lower == "archlinux" and system_cfg.filesystem != "btrfs" when: os == "archlinux" and system_cfg.filesystem != "btrfs"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf path: /mnt/etc/mkinitcpio.conf
regexp: "^(HOOKS=.*block)(?!.*lvm2)(.*)" regexp: "^(HOOKS=.*block)(?!.*lvm2)(.*)"
@@ -31,12 +31,12 @@
backrefs: true backrefs: true
- name: Regenerate initramfs - name: Regenerate initramfs
when: os | lower not in ["alpine", "void"] when: os not in ["alpine", "void"]
vars: vars:
configuration_initramfs_cmd: >- configuration_initramfs_cmd: >-
{{ {{
'/usr/sbin/mkinitcpio -P' '/usr/sbin/mkinitcpio -P'
if os | lower == "archlinux" if os == "archlinux"
else ( else (
'/usr/bin/env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ' '/usr/bin/env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin '
+ '/usr/sbin/update-initramfs -u -k all' + '/usr/sbin/update-initramfs -u -k all'
@@ -51,7 +51,7 @@
- name: Generate grub config - name: Generate grub config
vars: vars:
configuration_efi_vendor: >- configuration_efi_vendor: >-
{{ "redhat" if os | lower == "rhel" else os | lower }} {{ "redhat" if os == "rhel" else os }}
configuration_grub_cfg_cmd: >- configuration_grub_cfg_cmd: >-
{{ {{
'/usr/sbin/grub2-mkconfig -o ' '/usr/sbin/grub2-mkconfig -o '

8
roles/configuration/tasks/encryption.yml
View File

@@ -136,7 +136,7 @@
mode: "0644" mode: "0644"
- name: Configure mkinitcpio hooks for LUKS - name: Configure mkinitcpio hooks for LUKS
when: os | lower == 'archlinux' when: os == 'archlinux'
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf path: /mnt/etc/mkinitcpio.conf
regexp: "^HOOKS=" regexp: "^HOOKS="
@@ -145,13 +145,13 @@
block sd-encrypt lvm2 filesystems fsck) block sd-encrypt lvm2 filesystems fsck)
- name: Read mkinitcpio configuration - name: Read mkinitcpio configuration
when: os | lower == 'archlinux' when: os == 'archlinux'
ansible.builtin.slurp: ansible.builtin.slurp:
src: /mnt/etc/mkinitcpio.conf src: /mnt/etc/mkinitcpio.conf
register: configuration_mkinitcpio_slurp register: configuration_mkinitcpio_slurp
- name: Build mkinitcpio FILES list - name: Build mkinitcpio FILES list
when: os | lower == 'archlinux' when: os == 'archlinux'
vars: vars:
mkinitcpio_files_list: >- mkinitcpio_files_list: >-
{{ {{
@@ -180,7 +180,7 @@
configuration_mkinitcpio_files_list_new: "{{ mkinitcpio_files_list_new }}" configuration_mkinitcpio_files_list_new: "{{ mkinitcpio_files_list_new }}"
- name: Configure mkinitcpio FILES list - name: Configure mkinitcpio FILES list
when: os | lower == 'archlinux' when: os == 'archlinux'
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf path: /mnt/etc/mkinitcpio.conf
regexp: "^FILES=" regexp: "^FILES="

2
roles/configuration/tasks/extras.yml
View File

@@ -28,7 +28,7 @@
- name: Create zram config - name: Create zram config
when: when:
- (os != "debian" or (os_version | string) != "11") and os != "rhel" - (os != "debian" or (os_version | string) != "11") and os != "rhel"
- os | lower not in ["alpine", "void"] - os not in ["alpine", "void"]
- system_cfg.features.swap.enabled | bool - system_cfg.features.swap.enabled | bool
ansible.builtin.copy: ansible.builtin.copy:
dest: /mnt/etc/systemd/zram-generator.conf dest: /mnt/etc/systemd/zram-generator.conf

6
roles/configuration/tasks/grub.yml
View File

@@ -20,7 +20,7 @@
{{ {{
( (
partitioning_main_uuid.stdout partitioning_main_uuid.stdout
if (system_cfg.filesystem | lower) == 'btrfs' if system_cfg.filesystem == 'btrfs'
else (partitioning_uuid_root | default([]) | first | default('')) else (partitioning_uuid_root | default([]) | first | default(''))
) )
| default('') | default('')
@@ -36,11 +36,11 @@
else [] else []
) )
) )
if (system_cfg.filesystem | lower) != 'btrfs' if system_cfg.filesystem != 'btrfs'
else [] else []
}} }}
grub_root_flags: >- grub_root_flags: >-
{{ ['rootflags=subvol=@'] if (system_cfg.filesystem | lower) == 'btrfs' else [] }} {{ ['rootflags=subvol=@'] if system_cfg.filesystem == 'btrfs' else [] }}
grub_cmdline_linux_base: >- grub_cmdline_linux_base: >-
{{ {{
(['crashkernel=auto'] + grub_lvm_args) (['crashkernel=auto'] + grub_lvm_args)

12
roles/configuration/tasks/locales.yml
View File

@@ -78,15 +78,3 @@
content: "LANG={{ system_cfg.locale }}" content: "LANG={{ system_cfg.locale }}"
dest: /mnt/etc/locale.conf dest: /mnt/etc/locale.conf
mode: "0644" mode: "0644"
- name: Ensure SSH password authentication is enabled
ansible.builtin.lineinfile:
path: /mnt/etc/ssh/sshd_config
regexp: "^#?PasswordAuthentication\\s+"
line: "PasswordAuthentication yes"
- name: SSH permit root login
ansible.builtin.replace:
path: /mnt/etc/ssh/sshd_config
regexp: "^#?PermitRootLogin.*"
replace: "PermitRootLogin yes"

1
roles/configuration/tasks/main.yml
View File

@@ -5,6 +5,7 @@
- banner.yml - banner.yml
- fstab.yml - fstab.yml
- locales.yml - locales.yml
- ssh.yml
- services.yml - services.yml
- grub.yml - grub.yml
- encryption.yml - encryption.yml

8
roles/configuration/tasks/network.yml
View File

@@ -30,7 +30,7 @@
fail_msg: Failed to detect any network interfaces. fail_msg: Failed to detect any network interfaces.
- name: Configure NetworkManager profiles - name: Configure NetworkManager profiles
when: os | lower not in ["alpine", "void"] when: os not in ["alpine", "void"]
block: block:
- name: Copy NetworkManager keyfile per interface - name: Copy NetworkManager keyfile per interface
vars: vars:
@@ -47,14 +47,14 @@
label: "LAN-{{ idx }}" label: "LAN-{{ idx }}"
- name: Fix Ubuntu unmanaged devices - name: Fix Ubuntu unmanaged devices
when: os | lower in ["ubuntu", "ubuntu-lts"] when: os in ["ubuntu", "ubuntu-lts"]
ansible.builtin.file: ansible.builtin.file:
path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf
state: touch state: touch
mode: "0644" mode: "0644"
- name: Configure Alpine networking - name: Configure Alpine networking
when: os | lower == "alpine" when: os == "alpine"
vars: vars:
configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}" configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
block: block:
@@ -90,7 +90,7 @@
{% endfor %} {% endfor %}
- name: Configure Void networking - name: Configure Void networking
when: os | lower == "void" when: os == "void"
vars: vars:
configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}" configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
block: block:

2
roles/configuration/tasks/selinux.yml
View File

@@ -12,7 +12,7 @@
changed_when: configuration_setfiles_result.rc == 0 changed_when: configuration_setfiles_result.rc == 0
- name: Disable SELinux - name: Disable SELinux
when: os | lower == "fedora" or not system_cfg.features.selinux.enabled | bool when: os == "fedora" or not system_cfg.features.selinux.enabled | bool
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/selinux/config path: /mnt/etc/selinux/config
regexp: ^SELINUX= regexp: ^SELINUX=

8
roles/configuration/tasks/services.yml
View File

@@ -1,6 +1,6 @@
--- ---
- name: Enable Systemd Services - name: Enable Systemd Services
when: os | lower not in ['alpine', 'void'] when: os not in ['alpine', 'void']
ansible.builtin.command: > ansible.builtin.command: >
{{ chroot_command }} systemctl enable NetworkManager {{ chroot_command }} systemctl enable NetworkManager
{{ ' firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }} {{ ' firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}
@@ -11,13 +11,13 @@
}} }}
{{ {{
'logrotate systemd-resolved systemd-timesyncd systemd-networkd' 'logrotate systemd-resolved systemd-timesyncd systemd-networkd'
if os | lower == 'archlinux' else '' if os == 'archlinux' else ''
}} }}
register: configuration_enable_services_result register: configuration_enable_services_result
changed_when: configuration_enable_services_result.rc == 0 changed_when: configuration_enable_services_result.rc == 0
- name: Enable OpenRC services - name: Enable OpenRC services
when: os | lower == 'alpine' when: os == 'alpine'
vars: vars:
configuration_openrc_services: >- configuration_openrc_services: >-
{{ {{
@@ -48,7 +48,7 @@
when: item.stat.exists when: item.stat.exists
- name: Enable runit services - name: Enable runit services
when: os | lower == 'void' when: os == 'void'
vars: vars:
configuration_runit_services: >- configuration_runit_services: >-
{{ {{

12
roles/configuration/tasks/ssh.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- name: Ensure SSH password authentication is enabled
ansible.builtin.lineinfile:
path: /mnt/etc/ssh/sshd_config
regexp: "^#?PasswordAuthentication\\s+"
line: "PasswordAuthentication yes"
- name: SSH permit root login
ansible.builtin.replace:
path: /mnt/etc/ssh/sshd_config
regexp: "^#?PermitRootLogin.*"
replace: "PermitRootLogin yes"

8
roles/configuration/tasks/sudo.yml
View File

@@ -1,4 +1,12 @@
--- ---
- name: Ensure sudoers.d directory exists
ansible.builtin.file:
path: /mnt/etc/sudoers.d
state: directory
mode: "0755"
owner: root
group: root
- name: Give sudo access to wheel group - name: Give sudo access to wheel group
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ '%sudo ALL=(ALL) ALL\n' if is_debian | bool else '%wheel ALL=(ALL) ALL\n' }}" content: "{{ '%sudo ALL=(ALL) ALL\n' if is_debian | bool else '%wheel ALL=(ALL) ALL\n' }}"

8
roles/environment/tasks/main.yml
View File

@@ -231,9 +231,9 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
environment_thirdparty_tasks_path: >- environment_thirdparty_tasks_path: >-
{{ {{
thirdparty_preparation_tasks_path thirdparty_tasks
if thirdparty_preparation_tasks_path | regex_search('^/') if thirdparty_tasks | regex_search('^/')
else playbook_dir + '/' + thirdparty_preparation_tasks_path else playbook_dir + '/' + thirdparty_tasks
}} }}
changed_when: false changed_when: false
@@ -245,6 +245,6 @@
- name: Run third-party preparation tasks - name: Run third-party preparation tasks
when: when:
- thirdparty_preparation_tasks_path | length > 0 - thirdparty_tasks | length > 0
- environment_thirdparty_tasks_stat.stat.exists - environment_thirdparty_tasks_stat.stat.exists
ansible.builtin.include_tasks: "{{ environment_thirdparty_tasks_path }}" ansible.builtin.include_tasks: "{{ environment_thirdparty_tasks_path }}"

2
roles/global_defaults/defaults/main.yml
View File

@@ -15,7 +15,7 @@ hypervisor_defaults:
ssh: false ssh: false
custom_iso: false custom_iso: false
thirdparty_preparation_tasks_path: "dropins/preparation.yml" thirdparty_tasks: "dropins/preparation.yml"
system_defaults: system_defaults:
type: "virtual" # virtual|physical type: "virtual" # virtual|physical

4
roles/global_defaults/tasks/main.yml
View File

@@ -14,8 +14,8 @@
- name: Set OS family flags - name: Set OS family flags
ansible.builtin.set_fact: ansible.builtin.set_fact:
is_rhel: "{{ os | lower in ['almalinux', 'fedora', 'rhel', 'rocky'] }}" is_rhel: "{{ os in ['almalinux', 'fedora', 'rhel', 'rocky'] }}"
is_debian: "{{ os | lower in ['debian', 'ubuntu', 'ubuntu-lts'] }}" is_debian: "{{ os in ['debian', 'ubuntu', 'ubuntu-lts'] }}"
- name: Normalize OS version for keying - name: Normalize OS version for keying
when: when:

6
roles/partitioning/defaults/main.yml
View File

@@ -10,12 +10,12 @@ partitioning_use_full_disk: true
partitioning_separate_boot: >- partitioning_separate_boot: >-
{{ {{
(system_cfg.luks.enabled | bool) (system_cfg.luks.enabled | bool)
and (os | lower not in ['archlinux']) and (os not in ['archlinux'])
}} }}
partitioning_boot_fs_fstype: >- partitioning_boot_fs_fstype: >-
{{ {{
(system_cfg.filesystem | lower) system_cfg.filesystem
if (system_cfg.filesystem | lower) != 'btrfs' if system_cfg.filesystem != 'btrfs'
else ('xfs' if is_rhel else 'ext4') else ('xfs' if is_rhel else 'ext4')
}} }}
partitioning_boot_fs_partition_suffix: >- partitioning_boot_fs_partition_suffix: >-