Define optional defaults and require vm_cpus

README.md

@@ -58,13 +58,13 @@ Global variables apply across your Ansible project and are loaded from `vars.yml
 | Variable                | Description                                                | Example Value                             |
 | ----------------------- | ---------------------------------------------------------- | ----------------------------------------- |
 | `install_type`          | Type of installation.                                      | `virtual`, `physical`                     |
-| `hypervisor`            | Type of hypervisor.                                        | `libvirt`, `proxmox`, `vmware`, `none`    |
+| `hypervisor`            | Type of hypervisor (required for virtual installs).        | `libvirt`, `proxmox`, `vmware`, `none`    |
 | `install_drive`         | Drive where the system will be installed.                  | `/dev/sda`                                |
 | `boot_iso`              | Path to the boot ISO image.                                | `local-btrfs:iso/archlinux-x86_64.iso`    |
 | `rhel_iso`              | Path to the RHEL ISO file, required for RHEL 8/9/10.        | `local-btrfs:iso/rhel-9.4-x86_64-dvd.iso` |
 | `custom_iso` (optional) | Skip ArchISO checks and pacman setup on installer media.   | `true`, `false (default)`                 |
-| `cis` (optional)        | Adjusts the installation to be CIS level 3 conformant.     | `true`, `false`                           |
+| `cis` (optional)        | Adjusts the installation to be CIS level 3 conformant.     | `true`, `false (default)`                 |
-| `selinux` (optional)    | Toggle SELinux where supported.                            | `true`, `false`                           |
+| `selinux` (optional)    | Toggle SELinux where supported.                            | `true (default)`, `false`                 |
 
 ### 2.2 Hypervisor Access (virtual installs)
 
@@ -78,7 +78,7 @@ Global variables apply across your Ansible project and are loaded from `vars.yml
 | `hypervisor_node`       | Hypervisor node name.                                      | `node01`             |
 | `hypervisor_storage`    | Storage identifier for VM disks.                           | `local-btrfs`        |
 | `vm_path` (optional)    | Libvirt image dir or VMware folder path.                   | `/var/lib/libvirt/images` |
-| `vmware_ssh`            | If Ansible should use SSH after base VMware setup.         | `true`, `false`      |
+| `vmware_ssh`            | If Ansible should use SSH after base VMware setup.         | `true`, `false (default)`      |
 | `vlan_name` (optional)  | VLAN for the VM's network interface.                       | `vlan100`            |
 | `note` (optional)       | VMware VM annotation.                                      | `Provisioned by Ansible` |
 
@@ -161,7 +161,7 @@ These are prompted by default via `vars_prompt` in `main.yml`, but can be suppli
 | `vm_id`     | Unique identifier for the VM.     | `101`         |
 | `vm_size`   | Disk size allocated in GB.        | `20`          |
 | `vm_memory` | Amount of memory in MB.           | `2048`        |
-| `vm_cpus`   | Number of CPU cores.              | `4`           |
+| `vm_cpus`   | Number of CPU cores (virtual installs). | `4`      |
 | `vm_ballo`  | Ballooning memory size (optional).| `2048`        |
 
 ### 3.5 Post-install Packages
@@ -194,7 +194,7 @@ Use `inventory_example.yml`, `vars_example.yml`, and the bare-metal examples as
 
 ## Notes
 
-- `vm_size`/`vm_memory` are required for virtual installs only, physical installs use the full disk.
+- `vm_size`/`vm_memory`/`vm_cpus` are required for virtual installs only, physical installs use the full disk.
 - `vm_dns` and `vm_dns_search` accept comma-separated strings or YAML lists.
 - `hypervisor` determines which backend-specific roles run.
 - Guest tools are installed based on `hypervisor`: `qemu-guest-agent` for `libvirt`/`proxmox`, `open-vm-tools` for `vmware`, otherwise none.

main.yml

@@ -34,13 +34,15 @@
       ansible.builtin.assert:
         that:
           - install_type is defined and install_type in ["virtual", "physical"]
-          - hypervisor is defined and hypervisor in ["libvirt", "proxmox", "vmware", "none"]
+          - hypervisor in ["libvirt", "proxmox", "vmware", "none"]
+          - install_type is defined and (install_type == "physical" or hypervisor in ["libvirt", "proxmox", "vmware"])
           - filesystem is defined and filesystem in ["btrfs", "ext4", "xfs"]
           - install_drive is defined and install_drive | length > 0
           - hostname is defined and hostname | length > 0
           - os is defined and os in ["archlinux", "almalinux", "debian11", "debian12", "debian13", "fedora", "rhel8", "rhel9", "rhel10", "rocky", "ubuntu", "ubuntu-lts"]
           - os is defined and (os not in ["rhel8", "rhel9", "rhel10"] or (rhel_iso is defined and rhel_iso | length > 0))
           - install_type is defined and (install_type == "physical" or (boot_iso is defined and boot_iso | length > 0))
+          - install_type is defined and (install_type == "physical" or (vm_cpus is defined and (vm_cpus | int) > 0))
           - install_type is defined and (install_type == "physical" or (vm_size is defined and (vm_size | float) > 0))
           - install_type is defined and (install_type == "physical" or (vm_memory is defined and (vm_memory | float) > 0))
           - >-

roles/configuration/tasks/selinux.yml

@@ -3,7 +3,7 @@
   when: is_rhel | bool
   block:
     - name: Fix SELinux by pre-labeling the filesystem before first boot
-      when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and (selinux is not defined or selinux | bool)
+      when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and selinux | bool
       ansible.builtin.command: >
         arch-chroot /mnt /sbin/setfiles -v -F
         -e /dev -e /proc -e /sys -e /run
@@ -12,7 +12,7 @@
       changed_when: configuration_setfiles_result.rc == 0
 
     - name: Disable SELinux
-      when: os | lower == "fedora" or (selinux is defined and not (selinux | bool))
+      when: os | lower == "fedora" or not selinux | bool
       ansible.builtin.lineinfile:
         path: /mnt/etc/selinux/config
         regexp: ^SELINUX=

roles/environment/tasks/main.yml

@@ -62,7 +62,7 @@
       changed_when: false
 
     - name: Configure SSH for root login
-      when: hypervisor == "vmware" and (vmware_ssh is defined and vmware_ssh | bool)
+      when: hypervisor == "vmware" and vmware_ssh | bool
       block:
         - name: Allow login
           ansible.builtin.replace:

roles/global_defaults/defaults/main.yml

@@ -1,7 +1,12 @@
 ---
-vm_cpus: 4
+hypervisor: "none"
-cis_enabled: "{{ cis is defined and cis | bool }}"
+custom_iso: false
-custom_iso_enabled: "{{ custom_iso is defined and custom_iso | bool }}"
+cis: false
+selinux: true
+vmware_ssh: false
+
+cis_enabled: "{{ cis | bool }}"
+custom_iso_enabled: "{{ custom_iso | bool }}"
 
 luks_enabled: false
 luks_mapper_name: "SYSTEM_DECRYPTED"

vars_baremetal_example.yml

@@ -6,6 +6,9 @@ install_drive: "/dev/sda"
 os: "archlinux"
 filesystem: "btrfs"
 
+cis: false
+selinux: true
+
 luks_enabled: true
 luks_passphrase: "1234"
 luks_mapper_name: "SYSTEM_DECRYPTED"

vars_example.yml

@@ -5,6 +5,8 @@ vm_ip: "{{ inventory_hostname }}"
 install_type: "virtual"
 install_drive: "/dev/sda"  # Use /dev/vda for virtio/libvirt.
 custom_iso: false  # Set true to skip ArchISO-specific validation and pacman setup.
+cis: false  # Set true to enable CIS hardening.
+selinux: true  # Toggle SELinux where supported.
 
 hypervisor_url: "pve01.example.com"
 hypervisor_username: "root@pam"