Define optional defaults and require vm_cpus

roles/configuration/tasks/selinux.yml

@@ -3,7 +3,7 @@
   when: is_rhel | bool
   block:
     - name: Fix SELinux by pre-labeling the filesystem before first boot
-      when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and (selinux is not defined or selinux | bool)
+      when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and selinux | bool
       ansible.builtin.command: >
         arch-chroot /mnt /sbin/setfiles -v -F
         -e /dev -e /proc -e /sys -e /run
@@ -12,7 +12,7 @@
       changed_when: configuration_setfiles_result.rc == 0
 
     - name: Disable SELinux
-      when: os | lower == "fedora" or (selinux is defined and not (selinux | bool))
+      when: os | lower == "fedora" or not selinux | bool
       ansible.builtin.lineinfile:
         path: /mnt/etc/selinux/config
         regexp: ^SELINUX=

roles/environment/tasks/main.yml

@@ -62,7 +62,7 @@
       changed_when: false
 
     - name: Configure SSH for root login
-      when: hypervisor == "vmware" and (vmware_ssh is defined and vmware_ssh | bool)
+      when: hypervisor == "vmware" and vmware_ssh | bool
       block:
         - name: Allow login
           ansible.builtin.replace:

roles/global_defaults/defaults/main.yml

@@ -1,7 +1,12 @@
 ---
-vm_cpus: 4
-cis_enabled: "{{ cis is defined and cis | bool }}"
-custom_iso_enabled: "{{ custom_iso is defined and custom_iso | bool }}"
+hypervisor: "none"
+custom_iso: false
+cis: false
+selinux: true
+vmware_ssh: false
+
+cis_enabled: "{{ cis | bool }}"
+custom_iso_enabled: "{{ custom_iso | bool }}"
 
 luks_enabled: false
 luks_mapper_name: "SYSTEM_DECRYPTED"