From f8e3ce62d406820ef1f0f794d66da93a912cafe9 Mon Sep 17 00:00:00 2001
From: Sandwich
Date: Fri, 2 Jan 2026 12:20:15 +0100
Subject: [PATCH] Map global defaults in playbook
---
 .ansible-lint | 2 -
 main.yml | 109 ++++++++++++++++++++++++
 roles/global_defaults/defaults/main.yml | 47 +++++-----
 roles/global_defaults/tasks/main.yml | 5 --
 4 files changed, 131 insertions(+), 32 deletions(-)
diff --git a/.ansible-lint b/.ansible-lint
index f25316d..d4f0d78 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,4 +1,2 @@
 skip_list:
 - run-once
-exclude_paths:
- - roles/global_defaults/defaults/main.yml
diff --git a/main.yml b/main.yml
index 75feea9..2a3d6b7 100644
--- a/main.yml
+++ b/main.yml 
@@ -30,6 +30,115 @@
 ansible.builtin.import_role:
 name: global_defaults
+ - name: Apply global defaults
+ vars:
+ global_defaults_hypervisor_value: >-
+ {{ hypervisor if hypervisor is defined else global_defaults_hypervisor }}
+ global_defaults_custom_iso_value: >-
+ {{ custom_iso if custom_iso is defined else global_defaults_custom_iso }}
+ global_defaults_cis_value: >-
+ {{ cis if cis is defined else global_defaults_cis }}
+ global_defaults_selinux_value: >-
+ {{ selinux if selinux is defined else global_defaults_selinux }}
+ global_defaults_vmware_ssh_value: >-
+ {{ vmware_ssh if vmware_ssh is defined else global_defaults_vmware_ssh }}
+ global_defaults_firewalld_enabled_value: >-
+ {{
+ firewalld_enabled
+ if firewalld_enabled is defined
+ else global_defaults_firewalld_enabled
+ }}
+ global_defaults_luks_enabled_value: >-
+ {{ luks_enabled if luks_enabled is defined else global_defaults_luks_enabled }}
+ global_defaults_luks_mapper_name_value: >-
+ {{
+ luks_mapper_name
+ if luks_mapper_name is defined
+ else global_defaults_luks_mapper_name
+ }}
+ global_defaults_luks_auto_decrypt_value: >-
+ {{
+ luks_auto_decrypt
+ if luks_auto_decrypt is defined
+ else global_defaults_luks_auto_decrypt
+ }}
+ global_defaults_luks_auto_decrypt_method_value: >-
+ {{
+ luks_auto_decrypt_method
+ if luks_auto_decrypt_method is defined
+ else global_defaults_luks_auto_decrypt_method
+ }}
+ global_defaults_luks_tpm2_device_value: >-
+ {{
+ luks_tpm2_device
+ if luks_tpm2_device is defined
+ else global_defaults_luks_tpm2_device
+ }}
+ global_defaults_luks_tpm2_pcrs_value: >-
+ {{
+ luks_tpm2_pcrs
+ if luks_tpm2_pcrs is defined
+ else global_defaults_luks_tpm2_pcrs
+ }}
+ global_defaults_luks_keyfile_size_value: >-
+ {{
+ luks_keyfile_size
+ if luks_keyfile_size is defined
+ else global_defaults_luks_keyfile_size
+ }}
+ global_defaults_luks_options_value: >-
+ {{ luks_options if luks_options is defined else global_defaults_luks_options }}
+ global_defaults_luks_type_value: >-
+ {{ 
luks_type if luks_type is defined else global_defaults_luks_type }}
+ global_defaults_luks_cipher_value: >-
+ {{ luks_cipher if luks_cipher is defined else global_defaults_luks_cipher }}
+ global_defaults_luks_hash_value: >-
+ {{ luks_hash if luks_hash is defined else global_defaults_luks_hash }}
+ global_defaults_luks_iter_time_value: >-
+ {{ luks_iter_time if luks_iter_time is defined else global_defaults_luks_iter_time }}
+ global_defaults_luks_key_size_value: >-
+ {{ luks_key_size if luks_key_size is defined else global_defaults_luks_key_size }}
+ global_defaults_luks_pbkdf_value: >-
+ {{ luks_pbkdf if luks_pbkdf is defined else global_defaults_luks_pbkdf }}
+ global_defaults_luks_use_urandom_value: >-
+ {{
+ luks_use_urandom
+ if luks_use_urandom is defined
+ else global_defaults_luks_use_urandom
+ }}
+ global_defaults_luks_verify_passphrase_value: >-
+ {{
+ luks_verify_passphrase
+ if luks_verify_passphrase is defined
+ else global_defaults_luks_verify_passphrase
+ }}
+ ansible.builtin.set_fact:
+ hypervisor: "{{ global_defaults_hypervisor_value }}"
+ custom_iso: "{{ global_defaults_custom_iso_value }}"
+ cis: "{{ global_defaults_cis_value }}"
+ selinux: "{{ global_defaults_selinux_value }}"
+ vmware_ssh: "{{ global_defaults_vmware_ssh_value }}"
+ firewalld_enabled: "{{ global_defaults_firewalld_enabled_value }}"
+ cis_enabled: "{{ global_defaults_cis_value | bool }}"
+ custom_iso_enabled: "{{ global_defaults_custom_iso_value | bool }}"
+ luks_enabled: "{{ global_defaults_luks_enabled_value }}"
+ luks_mapper_name: "{{ global_defaults_luks_mapper_name_value }}"
+ luks_auto_decrypt: "{{ global_defaults_luks_auto_decrypt_value }}"
+ luks_auto_decrypt_method: "{{ global_defaults_luks_auto_decrypt_method_value }}"
+ luks_tpm2_device: "{{ global_defaults_luks_tpm2_device_value }}"
+ luks_tpm2_pcrs: "{{ global_defaults_luks_tpm2_pcrs_value }}"
+ luks_keyfile_size: "{{ global_defaults_luks_keyfile_size_value }}"
+ luks_options: "{{ global_defaults_luks_options_value 
}}"
+ luks_type: "{{ global_defaults_luks_type_value }}"
+ luks_cipher: "{{ global_defaults_luks_cipher_value }}"
+ luks_hash: "{{ global_defaults_luks_hash_value }}"
+ luks_iter_time: "{{ global_defaults_luks_iter_time_value }}"
+ luks_key_size: "{{ global_defaults_luks_key_size_value }}"
+ luks_pbkdf: "{{ global_defaults_luks_pbkdf_value }}"
+ luks_use_urandom: "{{ global_defaults_luks_use_urandom_value }}"
+ luks_verify_passphrase: "{{ global_defaults_luks_verify_passphrase_value }}"
+ changed_when: false
+
 - name: Validate variables
 ansible.builtin.assert:
 that:
diff --git a/roles/global_defaults/defaults/main.yml b/roles/global_defaults/defaults/main.yml
index 492335c..ee0f09c 100644
--- a/roles/global_defaults/defaults/main.yml
+++ b/roles/global_defaults/defaults/main.yml 
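Review bot: The boolean and numeric toggles written by this set_fact — selinux, firewalld_enabled, luks_enabled, luks_auto_decrypt, luks_use_urandom, luks_verify_passphrase, luks_keyfile_size, luks_iter_time, luks_key_size — pass through a `>-` folded scalar and then a quoted `"{{ … }}"` with no cast, whereas only cis_enabled and custom_iso_enabled get `| bool`. Whether the typed values from roles/global_defaults/defaults/main.yml survive that hop depends on the templating mode of the ansible-core in use, and an override supplied as `-e luks_verify_passphrase=false` is a string either way, which a bare `when:` on that variable has historically evaluated as true. Since this task is the one place that normalizes overrides before downstream tasks read them, cast every toggle here, e.g. `luks_enabled: "{{ global_defaults_luks_enabled_value | bool }}"`, `luks_verify_passphrase: "{{ global_defaults_luks_verify_passphrase_value | bool }}"`, `luks_key_size: "{{ global_defaults_luks_key_size_value | int }}"`. As a point of style, each `x if x is defined else global_defaults_x` selector is the same test as `{{ x | default(global_defaults_x) }}`, which would shrink the vars block considerably. The enclosing play begins before the hunk, and the Validate variables task continues after it.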
@@ -1,27 +1,24 @@
 ---
-hypervisor: "none"
-custom_iso: false
-cis: false
-selinux: true
-vmware_ssh: false
-firewalld_enabled: true
+global_defaults_hypervisor: "none"
+global_defaults_custom_iso: false
+global_defaults_cis: false
+global_defaults_selinux: true
+global_defaults_vmware_ssh: false
+global_defaults_firewalld_enabled: true
-cis_enabled: "{{ cis | bool }}"
-custom_iso_enabled: "{{ custom_iso | bool }}"
-
-luks_enabled: false
-luks_mapper_name: "SYSTEM_DECRYPTED"
-luks_auto_decrypt: true
-luks_auto_decrypt_method: "tpm2"
-luks_tpm2_device: "auto"
-luks_tpm2_pcrs: ""
-luks_keyfile_size: 64
-luks_options: "discard,tries=3"
-luks_type: "luks2"
-luks_cipher: "aes-xts-plain64"
-luks_hash: "sha512"
-luks_iter_time: 4000
-luks_key_size: 512
-luks_pbkdf: "argon2id"
-luks_use_urandom: true
-luks_verify_passphrase: true
+global_defaults_luks_enabled: false
+global_defaults_luks_mapper_name: "SYSTEM_DECRYPTED"
+global_defaults_luks_auto_decrypt: true
+global_defaults_luks_auto_decrypt_method: "tpm2"
+global_defaults_luks_tpm2_device: "auto"
+global_defaults_luks_tpm2_pcrs: ""
+global_defaults_luks_keyfile_size: 64
+global_defaults_luks_options: "discard,tries=3"
+global_defaults_luks_type: "luks2"
+global_defaults_luks_cipher: "aes-xts-plain64"
+global_defaults_luks_hash: "sha512"
+global_defaults_luks_iter_time: 4000
+global_defaults_luks_key_size: 512
+global_defaults_luks_pbkdf: "argon2id"
+global_defaults_luks_use_urandom: true
+global_defaults_luks_verify_passphrase: true
diff --git a/roles/global_defaults/tasks/main.yml b/roles/global_defaults/tasks/main.yml
index 1072032..ed97d53 100644
--- a/roles/global_defaults/tasks/main.yml
+++ b/roles/global_defaults/tasks/main.yml
@@ -1,6 +1 @@
 ---
-- name: Load global defaults
- ansible.builtin.debug:
- msg: "Global defaults loaded."
- verbosity: 1
- changed_when: false