Fix line-length

roles/bootstrap/tasks/main.yml

@@ -13,7 +13,9 @@
       when: os | lower in ['debian11', 'debian12']
       ansible.builtin.command: "{{ item }}"
       with_items:
-        - debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }} /mnt http://deb.debian.org/debian/
+        - |
+          debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'bullseye' if os == 'debian11' else 'bookworm' }} \
+          /mnt http://deb.debian.org/debian/
         - arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
         - arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data
 
@@ -21,7 +23,9 @@
       when: os | lower in ['ubuntu', 'ubuntu-lts']
       ansible.builtin.command: "{{ item }}"
       with_items:
-        - debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'mantic' if os == 'ubuntu' else 'jammy' }} /mnt http://archive.ubuntu.com/ubuntu/
+        - |
+          debootstrap --include={{ role_packages[os].base | join(',') }} {{ 'mantic' if os == 'ubuntu' else 'jammy' }} \
+          /mnt http://archive.ubuntu.com/ubuntu/
         - arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
         - arch-chroot /mnt apt update -y
         - arch-chroot /mnt apt install -y {{ role_packages[os].extra | join(' ') }}
@@ -38,7 +42,9 @@
       when: os | lower == 'fedora'
       ansible.builtin.command: "{{ item }}"
       with_items:
-        - dnf --releasever=40 --best --repo=fedora --repo=fedora-updates --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
+        - |
+          dnf --releasever=40 --best --repo=fedora --repo=fedora-updates \
+          --installroot=/mnt --setopt=install_weak_deps=False groupinstall -y critical-path-base core
         - arch-chroot /mnt dnf --releasever=40 --setopt=install_weak_deps=False install -y {{ role_packages.fedora | join(' ') }}
         - arch-chroot /mnt dnf reinstall -y kernel-core
 

roles/cis/tasks/main.yml

@@ -93,14 +93,13 @@
         - { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent }
         - { path: /mnt/etc/sudoers, content: Defaults        logfile="/var/log/sudo.log" }
         - { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
-        - path: /mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth"
+        - { path: '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
-            }}
+            else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}',
-          content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900
+            content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900 }
-        - path: /mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else
+        - { path: '/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth"
-            "pam.d/system-auth" }}
+            if os == "fedora" else "pam.d/system-auth" }}', content: account required pam_faillock.so }
-          content: account required pam_faillock.so
+        - { path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}',
-        - path: /mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}
+            content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" }
-          content: password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
         - { path: /mnt/etc/hosts.deny, content: "ALL: ALL" }
         - { path: /mnt/etc/hosts.allow, content: "sshd: ALL" }
 
@@ -165,15 +164,20 @@
 
           ### Ciphers and keying ###
           RekeyLimit 512M 6h
-          KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+          KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,
-          Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+            diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,
-          MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+            diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,
+            ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+          Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,
+            aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+          MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
+            hmac-sha2-512,hmac-sha2-256
           ###########################
 
           AllowStreamLocalForwarding no
           PermitUserRC no
 
-          AllowUsers svcansible
+          AllowUsers *
           AllowGroups *
           DenyUsers nobody
           DenyGroups nobody

roles/configuration/tasks/main.yml

@@ -85,18 +85,26 @@
     - name: Configure Bootloader
       block:
         - name: Install Bootloader
-          ansible.builtin.command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}/usr/sbin/efibootmgr -c
+          ansible.builtin.command: arch-chroot /mnt
-            -L '{{ os }}' -d "{{ install_drive }}" -p 1 -l '\efi\EFI\{{ os }}\shimx64.efi'{% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{
+            {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %} /usr/sbin/efibootmgr
-            "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }} --bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}{%
+            -c -L '{{ os }}' -d "{{ install_drive }}" -p 1 -l '\efi\EFI\{{ os }}\shimx64.efi'
-            endif %}
+            {% else %}/usr/sbin/grub-install --target=x86_64-efi --efi-directory={{ "/boot/efi" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot" }}
+            --bootloader-id={{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
+            {% endif %}
         - name: Generate grub config
-          ansible.builtin.command: arch-chroot /mnt {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %}/usr/sbin/grub2-mkconfig
+          ansible.builtin.command: arch-chroot /mnt
-            -o /boot/efi/EFI/{{ os }}/grub.cfg{% else %}/usr/sbin/grub-mkconfig -o {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else
+            {% if os | lower not in ["archlinux", "debian11", "debian12", "ubuntu", "ubuntu-lts"] %} /usr/sbin/grub2-mkconfig
-            "/boot/grub/grub.cfg" }}{% endif %}
+            -o /boot/efi/EFI/{{ os }}/grub.cfg
+            {% else %}/usr/sbin/grub-mkconfig -o
+            {{ "/boot/efi/EFI/ubuntu/grub.cfg" if os | lower in ["ubuntu", "ubuntu-lts"] else "/boot/grub/grub.cfg" }}
+            {% endif %}
         - name: Regenerate initramfs
           when: os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
-          ansible.builtin.command: arch-chroot /mnt {% if os | lower == "archlinux" %}/usr/sbin/mkinitcpio -P{% elif os | lower not in ["debian11", "debian12", "ubuntu",
+          ansible.builtin.command: arch-chroot /mnt
-            "ubuntu-lts", "archlinux"] %}/usr/bin/dracut --regenerate-all --force{% else %}echo "Skipping initramfs regeneration"{% endif %}
+            {% if os | lower == "archlinux" %} /usr/sbin/mkinitcpio -P
+            {% elif os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts", "archlinux"] %} /usr/bin/dracut --regenerate-all --force
+            {% else %} echo "Skipping initramfs regeneration"
+            {% endif %}
     - name: Extra Configuration
       block:
         - name: Append lines to vimrc
@@ -145,8 +153,9 @@
         - name: Create user account
           ansible.builtin.command: "{{ item }}"
           with_items:
-            - arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups {{ "sudo" if os | lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else
+            - arch-chroot /mnt /usr/sbin/useradd --create-home --user-group --groups
-              "wheel" }} {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
+              {{ "sudo" if os | lower in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "wheel" }}
+              {{ user_name }} --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
             - arch-chroot /mnt /usr/sbin/usermod --password '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
 
         - name: Add SSH public key to authorized_keys

roles/partitioning/tasks/main.yml

@@ -106,20 +106,20 @@
           opts: "{{ 'defaults' if filesystem != 'btrfs' else 'rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@' }}"
         - path: /home
           uuid: "{{ uuid_home[0] | default(omit) }}"
-          opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home'
+          opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
-            }}"
+                else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@home' }}"
         - path: /var
           uuid: "{{ uuid_var[0] | default(omit) }}"
-          opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs' else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var'
+          opts: "{{ 'defaults,nosuid,nodev' if filesystem != 'btrfs'
-            }}"
+                else 'rw,nosuid,nodev,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var' }}"
         - path: /var/log
           uuid: "{{ uuid_var_log[0] | default(omit) }}"
-          opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log'
+          opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs'
-            }}"
+                else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log' }}"
         - path: /var/log/audit
           uuid: "{{ uuid_var_log_audit[0] | default(omit) }}"
-          opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs' else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit'
+          opts: "{{ 'defaults,nosuid,nodev,noexec' if filesystem != 'btrfs'
-            }}"
+                else 'rw,nosuid,nodev,noexec,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async,subvol=@var_log_audit' }}"
 
     - name: Mount tmp and var_tmp filesystems
       ansible.posix.mount:

roles/virtualization/tasks/libvirt.yml

@@ -27,8 +27,10 @@
 
 - name: Create cloud-init disk
   delegate_to: localhost
-  ansible.builtin.command: cloud-localds {{ vm_path | default('/var/lib/libvirt/images/') }}{{ hostname }}-cloudinit.iso /tmp/cloud-user-data-{{ hostname }}.yml -N
+  ansible.builtin.command: cloud-localds
-    /tmp/cloud-network-config-{{ hostname }}.yml
+    {{ vm_path | default('/var/lib/libvirt/images/') }}
+    {{ hostname }}-cloudinit.iso /tmp/cloud-user-data-{{ hostname }}.yml
+    -N /tmp/cloud-network-config-{{ hostname }}.yml
 
 - name: Create VM using libvirt
   delegate_to: localhost