fix(runtime): migrate roles to nested system fields

roles/configuration/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-configuration_motd_enabled: "{{ motd_enabled | bool }}"
-configuration_sudo_banner_enabled: "{{ sudo_banner_enabled | bool }}"
-configuration_firewall_enabled: "{{ firewall_enabled | bool }}"
-configuration_luks_enabled: "{{ luks_enabled | bool }}"
+configuration_motd_enabled: "{{ system_cfg.features.banner.motd | bool }}"
+configuration_sudo_banner_enabled: "{{ system_cfg.features.banner.sudo | bool }}"
+configuration_firewall_enabled: "{{ system_cfg.features.firewall.enabled | bool }}"
+configuration_luks_enabled: "{{ system_cfg.luks.enabled | bool }}"

roles/configuration/tasks/encryption.yml

@@ -57,7 +57,7 @@
       ansible.builtin.assert:
         that:
           - configuration_luks_passphrase_effective | length > 0
-        fail_msg: luks_passphrase (or partitioning_luks_passphrase) must be set for LUKS auto-decrypt.
+        fail_msg: system.luks.passphrase must be set for LUKS auto-decrypt.
       no_log: true
 
     - name: Enroll TPM2 for LUKS

roles/configuration/tasks/extras.yml

@@ -29,13 +29,13 @@
   when:
     - (os != "debian" or (os_version | string) != "11") and os != "rhel"
     - os | lower not in ["alpine", "void"]
-    - swap_enabled | bool
+    - system_cfg.features.swap.enabled | bool
   ansible.builtin.copy:
     dest: /mnt/etc/systemd/zram-generator.conf
     content: |
       [zram0]
       zram-size  = ram / 2
-      compression-algorithm = {{ 'zstd' if zstd_enabled | bool else 'lz4' }}
+      compression-algorithm = {{ 'zstd' if system_cfg.features.zstd.enabled | bool else 'lz4' }}
       swap-priority = 100
       fs-type = swap
     mode: "0644"

roles/configuration/tasks/grub.yml

@@ -32,7 +32,7 @@
               ['rd.lvm.lv=sys/root']
               + (
                 ['rd.lvm.lv=sys/swap', 'resume=/dev/mapper/sys-swap']
-                if swap_enabled | bool
+                if system_cfg.features.swap.enabled | bool
                 else []
               )
             )

roles/configuration/tasks/locales.yml

@@ -31,13 +31,14 @@
 
     - name: Set hostname
       vars:
+        configuration_dns_domain: "{{ (system_cfg.dns.search | default([]) | first | default('')) | string }}"
         configuration_hostname_fqdn: >-
           {{
             hostname
             if '.' in hostname
             else (
-              hostname + '.' + system_cfg.dns_search
-              if system_cfg.dns_search is defined and system_cfg.dns_search | length
+              hostname + '.' + configuration_dns_domain
+              if configuration_dns_domain | length > 0
               else hostname
             )
           }}
@@ -48,13 +49,14 @@
 
     - name: Add host entry to /etc/hosts
       vars:
+        configuration_dns_domain: "{{ (system_cfg.dns.search | default([]) | first | default('')) | string }}"
         configuration_hostname_fqdn: >-
           {{
             hostname
             if '.' in hostname
             else (
-              hostname + '.' + system_cfg.dns_search
-              if system_cfg.dns_search is defined and system_cfg.dns_search | length
+              hostname + '.' + configuration_dns_domain
+              if configuration_dns_domain | length > 0
               else hostname
             )
           }}

roles/configuration/tasks/network.yml

@@ -101,15 +101,7 @@
 - name: Configure Alpine networking
   when: os | lower == "alpine"
   vars:
-    configuration_dns_value: "{{ system_cfg.dns_servers if system_cfg.dns_servers is defined else '' }}"
-    configuration_dns_list_raw: >-
-      {{
-        configuration_dns_value
-        if configuration_dns_value is iterable and configuration_dns_value is not string
-        else configuration_dns_value.split(',')
-      }}
-    configuration_dns_list: >-
-      {{ configuration_dns_list_raw | map('trim') | reject('equalto', '') | list }}
+    configuration_dns_list: "{{ system_cfg.dns.servers | default([]) }}"
     configuration_alpine_static: >-
       {{
         system_cfg.ip is defined
@@ -148,15 +140,7 @@
 - name: Configure Void networking
   when: os | lower == "void"
   vars:
-    configuration_dns_value: "{{ system_cfg.dns_servers if system_cfg.dns_servers is defined else '' }}"
-    configuration_dns_list_raw: >-
-      {{
-        configuration_dns_value
-        if configuration_dns_value is iterable and configuration_dns_value is not string
-        else configuration_dns_value.split(',')
-      }}
-    configuration_dns_list: >-
-      {{ configuration_dns_list_raw | map('trim') | reject('equalto', '') | list }}
+    configuration_dns_list: "{{ system_cfg.dns.servers | default([]) }}"
     configuration_void_static: >-
       {{
         system_cfg.ip is defined

roles/configuration/tasks/selinux.yml

@@ -3,7 +3,7 @@
   when: is_rhel | bool
   block:
     - name: Fix SELinux by pre-labeling the filesystem before first boot
-      when: os in ['almalinux', 'rocky', 'rhel'] and selinux | bool
+      when: os in ['almalinux', 'rocky', 'rhel'] and system_cfg.features.selinux.enabled | bool
       ansible.builtin.command: >
         {{ chroot_command }} /sbin/setfiles -v -F
         -e /dev -e /proc -e /sys -e /run
@@ -12,7 +12,7 @@
       changed_when: configuration_setfiles_result.rc == 0
 
     - name: Disable SELinux
-      when: os | lower == "fedora" or not selinux | bool
+      when: os | lower == "fedora" or not system_cfg.features.selinux.enabled | bool
       ansible.builtin.lineinfile:
         path: /mnt/etc/selinux/config
         regexp: ^SELINUX=

roles/configuration/tasks/services.yml

@@ -3,11 +3,11 @@
   when: os | lower not in ['alpine', 'void']
   ansible.builtin.command: >
     {{ chroot_command }} systemctl enable NetworkManager
-    {{ ' firewalld' if firewall_backend == 'firewalld' and firewall_enabled | bool else '' }}
-    {{ ' ufw' if firewall_backend == 'ufw' and firewall_enabled | bool else '' }}
+    {{ ' firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}
+    {{ ' ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}
     {{
       (' ssh' if is_debian | bool else ' sshd')
-      if ssh_enabled | bool else ''
+      if system_cfg.features.ssh.enabled | bool else ''
     }}
     {{
       'logrotate systemd-resolved systemd-timesyncd systemd-networkd'
@@ -22,8 +22,8 @@
     configuration_openrc_services: >-
       {{
         ['networking']
-        + (['sshd'] if ssh_enabled | bool else [])
-        + ([firewall_backend] if firewall_enabled | bool else [])
+        + (['sshd'] if system_cfg.features.ssh.enabled | bool else [])
+        + ([system_cfg.features.firewall.backend] if system_cfg.features.firewall.enabled | bool else [])
       }}
   block:
     - name: Ensure OpenRC runlevel directory exists
@@ -53,8 +53,8 @@
     configuration_runit_services: >-
       {{
         ['dhcpcd']
-        + (['sshd'] if ssh_enabled | bool else [])
-        + ([firewall_backend] if firewall_enabled | bool else [])
+        + (['sshd'] if system_cfg.features.ssh.enabled | bool else [])
+        + ([system_cfg.features.firewall.backend] if system_cfg.features.firewall.enabled | bool else [])
       }}
   block:
     - name: Ensure runit service directory exists

roles/configuration/tasks/users.yml

@@ -5,11 +5,11 @@
       {{ "sudo" if is_debian | bool else "wheel" }}
     configuration_useradd_cmd: >-
       {{ chroot_command }} /usr/sbin/useradd --create-home --user-group
-      --groups {{ configuration_user_group }} {{ user_name }}
-      --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
+      --groups {{ configuration_user_group }} {{ system_cfg.user.name }}
+      --password {{ system_cfg.user.password | password_hash('sha512') }} --shell /bin/bash
     configuration_root_cmd: >-
       {{ chroot_command }} /usr/sbin/usermod --password
-      '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
+      '{{ system_cfg.root.password | password_hash('sha512') }}' root --shell /bin/bash
   ansible.builtin.command: "{{ item }}"
   loop:
     - "{{ configuration_useradd_cmd }}"
@@ -18,19 +18,19 @@
   changed_when: configuration_user_result.rc == 0
 
 - name: Ensure .ssh directory exists
-  when: user_public_key | length > 0
+  when: system_cfg.user.public_key | length > 0
   ansible.builtin.file:
-    path: /mnt/home/{{ user_name }}/.ssh
+    path: /mnt/home/{{ system_cfg.user.name }}/.ssh
     state: directory
     owner: 1000
     group: 1000
     mode: "0700"
 
 - name: Add SSH public key to authorized_keys
-  when: user_public_key | length > 0
+  when: system_cfg.user.public_key | length > 0
   ansible.builtin.lineinfile:
-    path: /mnt/home/{{ user_name }}/.ssh/authorized_keys
-    line: "{{ user_public_key }}"
+    path: /mnt/home/{{ system_cfg.user.name }}/.ssh/authorized_keys
+    line: "{{ system_cfg.user.public_key }}"
     owner: 1000
     group: 1000
     mode: "0600"

roles/configuration/templates/network.j2

@@ -4,12 +4,8 @@ uuid={{ configuration_net_uuid }}
 type=ethernet
 
 [ipv4]
-{% set dns_value = system_cfg.dns_servers if system_cfg.dns_servers is defined else '' %}
-{% set dns_list_raw = dns_value if dns_value is iterable and dns_value is not string else dns_value.split(',') %}
-{% set dns_list = dns_list_raw | map('trim') | reject('equalto', '') | list %}
-{% set search_value = system_cfg.dns_search if system_cfg.dns_search is defined else '' %}
-{% set search_list_raw = search_value if search_value is iterable and search_value is not string else search_value.split(',') %}
-{% set search_list = search_list_raw | map('trim') | reject('equalto', '') | list %}
+{% set dns_list = system_cfg.dns.servers | default([]) %}
+{% set search_list = system_cfg.dns.search | default([]) %}
 {% if system_cfg.ip is defined and system_cfg.ip | string | length %}
 address1={{ system_cfg.ip }}/{{ system_cfg.prefix }}{{ (',' ~ system_cfg.gateway) if (system_cfg.gateway is defined and system_cfg.gateway | string | length) else '' }}
 method=manual