refactor(standardize): fix sudoers lecture syntax, extract ssh config, remove redundant os filters

This commit is contained in:
2026-02-13 00:20:59 +01:00
parent af5eecfc01
commit eeb580f180
17 changed files with 67 additions and 62 deletions


@@ -149,11 +149,12 @@ all:
These top-level variables sit outside the `system`/`hypervisor` dictionaries.
| Variable | Type | Description |
| ------------ | ------ | ------------------------------------------------ |
| `boot_iso` | string | Path to the boot ISO image (required for virtual installs). |
| `rhel_iso` | string | Path to the RHEL ISO (required when `system.os: rhel`). |
| `custom_iso` | bool | Skip ArchISO validation and pacman setup. Default `false`. |
| Variable | Type | Description |
| ----------------------------------- | ------ | ------------------------------------------------ |
| `boot_iso` | string | Path to the boot ISO image (required for virtual installs). |
| `rhel_iso` | string | Path to the RHEL ISO (required when `system.os: rhel`). |
| `custom_iso` | bool | Skip ArchISO validation and pacman setup. Default `false`. |
| `thirdparty_tasks` | string | Drop-in task file included during environment setup. Default `dropins/preparation.yml`. |
### 4.2 `system` Dictionary


@@ -26,30 +26,25 @@
- name: Configure sudo banner
when: system_cfg.features.banner.sudo | bool
block:
- name: Create sudoers banner directory
ansible.builtin.file:
path: /mnt/etc/sudoers.d
state: directory
mode: "0755"
owner: root
group: root
- name: Create sudo banner file
- name: Create sudo lecture file
ansible.builtin.copy:
content: |
I am Groot, and I know what I'm doing.
dest: /mnt/etc/sudoers.d/banner
dest: /mnt/etc/sudo_lecture
mode: "0644"
owner: root
group: root
- name: Enable sudo banner in sudoers
- name: Enable sudo lecture in sudoers
ansible.builtin.lineinfile:
path: /mnt/etc/sudoers
line: "Defaults lecture=@/etc/sudoers.d/banner"
line: "{{ item }}"
state: present
create: true
mode: "0440"
owner: root
group: root
validate: "/usr/sbin/visudo --check --file=%s"
loop:
- "Defaults lecture=always"
- "Defaults lecture_file=/etc/sudo_lecture"
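Review bot: The two `lineinfile` items match on the exact `line` only (no `regexp`), so if the target's shipped `/mnt/etc/sudoers` already carries a `Defaults lecture=` or `Defaults lecture_file=` entry — I can't tell from this diff which distros do — the new lines are appended next to it instead of replacing it, and sudo only resolves the contradiction by last-match order. Keying each item on a `regexp` makes the task replace rather than accumulate. Separately, `validate` runs the live environment's `visudo --check` on a temp copy, so an `@includedir /etc/sudoers.d` in the target file is resolved against the host, not `/mnt`; a bad drop-in written into the chroot would not be caught here, which is worth a comment on the `validate:` line.
```yaml
- name: Enable sudo lecture in sudoers
  ansible.builtin.lineinfile:
    path: /mnt/etc/sudoers
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    # … unchanged: state/create/mode/owner/group/validate …
  loop:
    - { regexp: '^Defaults\s+lecture=', line: "Defaults lecture=always" }
    - { regexp: '^Defaults\s+lecture_file=', line: "Defaults lecture_file=/etc/sudo_lecture" }
```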


@@ -6,9 +6,9 @@
configuration_use_efibootmgr: "{{ is_rhel | bool }}"
configuration_efi_dir: "{{ partitioning_efi_mountpoint }}"
configuration_bootloader_id: >-
{{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
{{ "ubuntu" if os in ["ubuntu", "ubuntu-lts"] else os }}
configuration_efi_vendor: >-
{{ "redhat" if os | lower == "rhel" else os | lower }}
{{ "redhat" if os == "rhel" else os }}
configuration_efibootmgr_cmd: >-
/usr/sbin/efibootmgr -c -L '{{ os }}' -d "{{ install_drive }}" -p 1
-l '\efi\EFI\{{ configuration_efi_vendor }}\shimx64.efi'
@@ -23,7 +23,7 @@
changed_when: configuration_bootloader_result.rc == 0
- name: Ensure lvm2 for non btrfs filesystems
when: os | lower == "archlinux" and system_cfg.filesystem != "btrfs"
when: os == "archlinux" and system_cfg.filesystem != "btrfs"
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: "^(HOOKS=.*block)(?!.*lvm2)(.*)"
@@ -31,12 +31,12 @@
backrefs: true
- name: Regenerate initramfs
when: os | lower not in ["alpine", "void"]
when: os not in ["alpine", "void"]
vars:
configuration_initramfs_cmd: >-
{{
'/usr/sbin/mkinitcpio -P'
if os | lower == "archlinux"
if os == "archlinux"
else (
'/usr/bin/env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin '
+ '/usr/sbin/update-initramfs -u -k all'
@@ -51,7 +51,7 @@
- name: Generate grub config
vars:
configuration_efi_vendor: >-
{{ "redhat" if os | lower == "rhel" else os | lower }}
{{ "redhat" if os == "rhel" else os }}
configuration_grub_cfg_cmd: >-
{{
'/usr/sbin/grub2-mkconfig -o '


@@ -136,7 +136,7 @@
mode: "0644"
- name: Configure mkinitcpio hooks for LUKS
when: os | lower == 'archlinux'
when: os == 'archlinux'
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: "^HOOKS="
@@ -145,13 +145,13 @@
block sd-encrypt lvm2 filesystems fsck)
- name: Read mkinitcpio configuration
when: os | lower == 'archlinux'
when: os == 'archlinux'
ansible.builtin.slurp:
src: /mnt/etc/mkinitcpio.conf
register: configuration_mkinitcpio_slurp
- name: Build mkinitcpio FILES list
when: os | lower == 'archlinux'
when: os == 'archlinux'
vars:
mkinitcpio_files_list: >-
{{
@@ -180,7 +180,7 @@
configuration_mkinitcpio_files_list_new: "{{ mkinitcpio_files_list_new }}"
- name: Configure mkinitcpio FILES list
when: os | lower == 'archlinux'
when: os == 'archlinux'
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: "^FILES="


@@ -28,7 +28,7 @@
- name: Create zram config
when:
- (os != "debian" or (os_version | string) != "11") and os != "rhel"
- os | lower not in ["alpine", "void"]
- os not in ["alpine", "void"]
- system_cfg.features.swap.enabled | bool
ansible.builtin.copy:
dest: /mnt/etc/systemd/zram-generator.conf


@@ -20,7 +20,7 @@
{{
(
partitioning_main_uuid.stdout
if (system_cfg.filesystem | lower) == 'btrfs'
if system_cfg.filesystem == 'btrfs'
else (partitioning_uuid_root | default([]) | first | default(''))
)
| default('')
@@ -36,11 +36,11 @@
else []
)
)
if (system_cfg.filesystem | lower) != 'btrfs'
if system_cfg.filesystem != 'btrfs'
else []
}}
grub_root_flags: >-
{{ ['rootflags=subvol=@'] if (system_cfg.filesystem | lower) == 'btrfs' else [] }}
{{ ['rootflags=subvol=@'] if system_cfg.filesystem == 'btrfs' else [] }}
grub_cmdline_linux_base: >-
{{
(['crashkernel=auto'] + grub_lvm_args)


@@ -78,15 +78,3 @@
content: "LANG={{ system_cfg.locale }}"
dest: /mnt/etc/locale.conf
mode: "0644"
- name: Ensure SSH password authentication is enabled
ansible.builtin.lineinfile:
path: /mnt/etc/ssh/sshd_config
regexp: "^#?PasswordAuthentication\\s+"
line: "PasswordAuthentication yes"
- name: SSH permit root login
ansible.builtin.replace:
path: /mnt/etc/ssh/sshd_config
regexp: "^#?PermitRootLogin.*"
replace: "PermitRootLogin yes"


@@ -5,6 +5,7 @@
- banner.yml
- fstab.yml
- locales.yml
- ssh.yml
- services.yml
- grub.yml
- encryption.yml


@@ -30,7 +30,7 @@
fail_msg: Failed to detect any network interfaces.
- name: Configure NetworkManager profiles
when: os | lower not in ["alpine", "void"]
when: os not in ["alpine", "void"]
block:
- name: Copy NetworkManager keyfile per interface
vars:
@@ -47,14 +47,14 @@
label: "LAN-{{ idx }}"
- name: Fix Ubuntu unmanaged devices
when: os | lower in ["ubuntu", "ubuntu-lts"]
when: os in ["ubuntu", "ubuntu-lts"]
ansible.builtin.file:
path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf
state: touch
mode: "0644"
- name: Configure Alpine networking
when: os | lower == "alpine"
when: os == "alpine"
vars:
configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
block:
@@ -90,7 +90,7 @@
{% endfor %}
- name: Configure Void networking
when: os | lower == "void"
when: os == "void"
vars:
configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
block:


@@ -12,7 +12,7 @@
changed_when: configuration_setfiles_result.rc == 0
- name: Disable SELinux
when: os | lower == "fedora" or not system_cfg.features.selinux.enabled | bool
when: os == "fedora" or not system_cfg.features.selinux.enabled | bool
ansible.builtin.lineinfile:
path: /mnt/etc/selinux/config
regexp: ^SELINUX=


@@ -1,6 +1,6 @@
---
- name: Enable Systemd Services
when: os | lower not in ['alpine', 'void']
when: os not in ['alpine', 'void']
ansible.builtin.command: >
{{ chroot_command }} systemctl enable NetworkManager
{{ ' firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}
@@ -11,13 +11,13 @@
}}
{{
'logrotate systemd-resolved systemd-timesyncd systemd-networkd'
if os | lower == 'archlinux' else ''
if os == 'archlinux' else ''
}}
register: configuration_enable_services_result
changed_when: configuration_enable_services_result.rc == 0
- name: Enable OpenRC services
when: os | lower == 'alpine'
when: os == 'alpine'
vars:
configuration_openrc_services: >-
{{
@@ -48,7 +48,7 @@
when: item.stat.exists
- name: Enable runit services
when: os | lower == 'void'
when: os == 'void'
vars:
configuration_runit_services: >-
{{


@@ -0,0 +1,12 @@
---
- name: Ensure SSH password authentication is enabled
ansible.builtin.lineinfile:
path: /mnt/etc/ssh/sshd_config
regexp: "^#?PasswordAuthentication\\s+"
line: "PasswordAuthentication yes"
- name: SSH permit root login
ansible.builtin.replace:
path: /mnt/etc/ssh/sshd_config
regexp: "^#?PermitRootLogin.*"
replace: "PermitRootLogin yes"
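Review bot: The new ssh.yml writes `PermitRootLogin yes` and `PasswordAuthentication yes` into the installed system's sshd_config unconditionally — neither task has a `when:` — so every build ships with root password login over SSH, whereas the sibling tasks in this commit (banner, swap, selinux, firewall) are all gated on `system_cfg.features.*` toggles. I would put both tasks behind a feature flag of the same shape, defaulting to off, e.g. `when: system_cfg.features.ssh.permit_root_login | default(false) | bool` (name to match whatever the schema already exposes), and add a file-level comment stating that this is an install-time convenience that must be reverted by post-install hardening. Also note that on targets whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` (OpenSSH ≥ 8.2 defaults on Debian/Ubuntu/Fedora), sshd takes the first value it reads, so a drop-in can silently override the line `lineinfile` appends here; writing a drop-in under `/mnt/etc/ssh/sshd_config.d/` would be more reliable where that directory exists.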


@@ -1,4 +1,12 @@
---
- name: Ensure sudoers.d directory exists
ansible.builtin.file:
path: /mnt/etc/sudoers.d
state: directory
mode: "0755"
owner: root
group: root
- name: Give sudo access to wheel group
ansible.builtin.copy:
content: "{{ '%sudo ALL=(ALL) ALL\n' if is_debian | bool else '%wheel ALL=(ALL) ALL\n' }}"


@@ -231,9 +231,9 @@
ansible.builtin.set_fact:
environment_thirdparty_tasks_path: >-
{{
thirdparty_preparation_tasks_path
if thirdparty_preparation_tasks_path | regex_search('^/')
else playbook_dir + '/' + thirdparty_preparation_tasks_path
thirdparty_tasks
if thirdparty_tasks | regex_search('^/')
else playbook_dir + '/' + thirdparty_tasks
}}
changed_when: false
@@ -245,6 +245,6 @@
- name: Run third-party preparation tasks
when:
- thirdparty_preparation_tasks_path | length > 0
- thirdparty_tasks | length > 0
- environment_thirdparty_tasks_stat.stat.exists
ansible.builtin.include_tasks: "{{ environment_thirdparty_tasks_path }}"


@@ -15,7 +15,7 @@ hypervisor_defaults:
ssh: false
custom_iso: false
thirdparty_preparation_tasks_path: "dropins/preparation.yml"
thirdparty_tasks: "dropins/preparation.yml"
system_defaults:
type: "virtual" # virtual|physical


@@ -14,8 +14,8 @@
- name: Set OS family flags
ansible.builtin.set_fact:
is_rhel: "{{ os | lower in ['almalinux', 'fedora', 'rhel', 'rocky'] }}"
is_debian: "{{ os | lower in ['debian', 'ubuntu', 'ubuntu-lts'] }}"
is_rhel: "{{ os in ['almalinux', 'fedora', 'rhel', 'rocky'] }}"
is_debian: "{{ os in ['debian', 'ubuntu', 'ubuntu-lts'] }}"
- name: Normalize OS version for keying
when:
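Review bot: Dropping `| lower` makes `is_rhel` and `is_debian` case-sensitive on the user-supplied `os` value (the README hunk in this commit documents it as `system.os: rhel`), so `os: RHEL` or `Ubuntu` would now silently evaluate both flags to false and the install would take the generic path — `%wheel` instead of `%sudo` in the sudoers task, no efibootmgr, the wrong EFI vendor directory. That is safe only if `os` is lower-cased once when `system_cfg` is loaded, which nothing in this diff shows; if it is not, either normalize it in one place before these flags are set, `os: "{{ os | lower }}"` via `set_fact`, or add an `ansible.builtin.assert` that `os` is in the supported list so a mismatch fails loudly rather than degrading. The same applies to `system_cfg.filesystem`, which lost its `| lower` in the partitioning and grub hunks.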


@@ -10,12 +10,12 @@ partitioning_use_full_disk: true
partitioning_separate_boot: >-
{{
(system_cfg.luks.enabled | bool)
and (os | lower not in ['archlinux'])
and (os not in ['archlinux'])
}}
partitioning_boot_fs_fstype: >-
{{
(system_cfg.filesystem | lower)
if (system_cfg.filesystem | lower) != 'btrfs'
system_cfg.filesystem
if system_cfg.filesystem != 'btrfs'
else ('xfs' if is_rhel else 'ext4')
}}
partitioning_boot_fs_partition_suffix: >-