Make chroot command configurable

2026-01-02 18:53:55 +01:00
parent ce972e55dd
commit fe0b72c9d8
14 changed files with 26 additions and 30 deletions
--- a/roles/bootstrap/tasks/almalinux.yml
+++ b/roles/bootstrap/tasks/almalinux.yml
@@ -14,7 +14,7 @@
        --setopt=install_weak_deps=False groupinstall -y base core
    - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
    - >-
-        arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False
+        {{ chroot_command }} /mnt dnf --releasever=9 --setopt=install_weak_deps=False
        install -y {{ bootstrap_alma_extra }}
  register: bootstrap_result
  changed_when: bootstrap_result.rc == 0
--- a/roles/bootstrap/tasks/debian.yml
+++ b/roles/bootstrap/tasks/debian.yml
@@ -23,7 +23,7 @@
    - >-
        debootstrap --include={{ bootstrap_debian_base }}
        {{ bootstrap_debian_release }} /mnt http://deb.debian.org/debian/
-    - "arch-chroot /mnt apt install -y {{ bootstrap_debian_extra }}"
-    - arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data
+    - "{{ chroot_command }} /mnt apt install -y {{ bootstrap_debian_extra }}"
+    - "{{ chroot_command }} /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data"
  register: bootstrap_result
  changed_when: bootstrap_result.rc == 0
--- a/roles/bootstrap/tasks/fedora.yml
+++ b/roles/bootstrap/tasks/fedora.yml
@@ -15,8 +15,8 @@
        groupinstall -y critical-path-base core
    - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
    - >-
-        arch-chroot /mnt dnf --releasever=43 --setopt=install_weak_deps=False
+        {{ chroot_command }} /mnt dnf --releasever=43 --setopt=install_weak_deps=False
        install -y {{ bootstrap_fedora_extra }}
-    - arch-chroot /mnt dnf reinstall -y kernel-core
+    - "{{ chroot_command }} /mnt dnf reinstall -y kernel-core"
  register: bootstrap_result
  changed_when: bootstrap_result.rc == 0
--- a/roles/bootstrap/tasks/rhel.yml
+++ b/roles/bootstrap/tasks/rhel.yml
@@ -34,12 +34,7 @@
        state: mounted

    - name: Rebuild RPM database inside chroot
-      ansible.builtin.command:
-        argv:
-          - arch-chroot
-          - /mnt
-          - rpm
-          - --rebuilddb
+      ansible.builtin.command: "{{ chroot_command }} /mnt rpm --rebuilddb"
      register: bootstrap_rpm_rebuild_result
      changed_when: bootstrap_rpm_rebuild_result.rc == 0

@@ -60,7 +55,7 @@
            | join(' ')
          }}
      ansible.builtin.command: >-
-        arch-chroot /mnt dnf --releasever={{ bootstrap_rhel_release }}
+        {{ chroot_command }} /mnt dnf --releasever={{ bootstrap_rhel_release }}
        --setopt=install_weak_deps=False install -y {{ bootstrap_rhel_extra }}
      register: bootstrap_result
      changed_when: bootstrap_result.rc == 0
--- a/roles/bootstrap/tasks/rocky.yml
+++ b/roles/bootstrap/tasks/rocky.yml
@@ -15,7 +15,7 @@
        groupinstall -y base core
    - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
    - >-
-        arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False
+        {{ chroot_command }} /mnt dnf --releasever=9 --setopt=install_weak_deps=False
        install -y {{ bootstrap_rocky_extra }}
  register: bootstrap_result
  changed_when: bootstrap_result.rc == 0
--- a/roles/bootstrap/tasks/ubuntu.yml
+++ b/roles/bootstrap/tasks/ubuntu.yml
@@ -20,8 +20,8 @@
        debootstrap --include={{ bootstrap_ubuntu_base }}
        {{ bootstrap_ubuntu_release }} /mnt http://archive.ubuntu.com/ubuntu/
    - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
-    - arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
-    - arch-chroot /mnt apt update
-    - "arch-chroot /mnt apt install -y {{ bootstrap_ubuntu_extra }}"
+    - "{{ chroot_command }} /mnt sed -i '1s|$| universe|' /etc/apt/sources.list"
+    - "{{ chroot_command }} /mnt apt update"
+    - "{{ chroot_command }} /mnt apt install -y {{ bootstrap_ubuntu_extra }}"
  register: bootstrap_result
  changed_when: bootstrap_result.rc == 0
--- a/roles/cis/tasks/crypto.yml
+++ b/roles/cis/tasks/crypto.yml
@@ -1,12 +1,12 @@
 ---
 - name: Configure System Cryptography Policy
  when: os in ["almalinux", "rhel9", "rhel10", "rocky"]
-  ansible.builtin.command: arch-chroot /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
+  ansible.builtin.command: "{{ chroot_command }} /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1"
  register: cis_crypto_policy_result
  changed_when: "'Setting system-wide crypto-policies to' in cis_crypto_policy_result.stdout"

 - name: Mask Systemd Services
  ansible.builtin.command: >
-    arch-chroot /mnt systemctl mask nftables bluetooth rpcbind
+    {{ chroot_command }} /mnt systemctl mask nftables bluetooth rpcbind
  register: cis_mask_services_result
  changed_when: cis_mask_services_result.rc == 0
--- a/roles/configuration/tasks/bootloader.yml
+++ b/roles/configuration/tasks/bootloader.yml
@@ -18,7 +18,7 @@
          --bootloader-id={{ configuration_bootloader_id }}
        configuration_bootloader_cmd: >-
          {{ configuration_efibootmgr_cmd if configuration_use_efibootmgr else configuration_grub_cmd }}
-      ansible.builtin.command: "arch-chroot /mnt {{ configuration_bootloader_cmd }}"
+      ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_bootloader_cmd }}"
      register: configuration_bootloader_result
      changed_when: configuration_bootloader_result.rc == 0

@@ -43,7 +43,7 @@
              else '/usr/bin/dracut --regenerate-all --force'
            )
          }}
-      ansible.builtin.command: "arch-chroot /mnt {{ configuration_initramfs_cmd }}"
+      ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_initramfs_cmd }}"
      register: configuration_initramfs_result
      changed_when: configuration_initramfs_result.rc == 0

@@ -59,6 +59,6 @@
            if is_rhel | bool
            else '/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg'
          }}
-      ansible.builtin.command: "arch-chroot /mnt {{ configuration_grub_cfg_cmd }}"
+      ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_grub_cfg_cmd }}"
      register: configuration_grub_result
      changed_when: configuration_grub_result.rc == 0
--- a/roles/configuration/tasks/encryption/tpm2.yml
+++ b/roles/configuration/tasks/encryption/tpm2.yml
@@ -35,9 +35,9 @@
               if configuration_luks_tpm2_pcrs_effective | length > 0 else [])
            + [configuration_luks_device]
          }}
-        configuration_luks_enroll_chroot_args: "{{ ['arch-chroot', '/mnt'] + configuration_luks_enroll_args }}"
-      ansible.builtin.command:
-        argv: "{{ configuration_luks_enroll_chroot_args }}"
+        configuration_luks_enroll_chroot_cmd: >-
+          {{ chroot_command }} /mnt {{ configuration_luks_enroll_args | join(' ') }}
+      ansible.builtin.command: "{{ configuration_luks_enroll_chroot_cmd }}"
      register: configuration_luks_tpm2_enroll_chroot
      changed_when: configuration_luks_tpm2_enroll_chroot.rc == 0
      failed_when: false
--- a/roles/configuration/tasks/locales.yml
+++ b/roles/configuration/tasks/locales.yml
@@ -23,7 +23,7 @@

    - name: Generate locales
      when: not is_rhel | bool
-      ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen
+      ansible.builtin.command: "{{ chroot_command }} /mnt /usr/sbin/locale-gen"
      register: configuration_locale_result
      changed_when: configuration_locale_result.rc == 0

--- a/roles/configuration/tasks/selinux.yml
+++ b/roles/configuration/tasks/selinux.yml
@@ -5,7 +5,7 @@
    - name: Fix SELinux by pre-labeling the filesystem before first boot
      when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and selinux | bool
      ansible.builtin.command: >
-        arch-chroot /mnt /sbin/setfiles -v -F
+        {{ chroot_command }} /mnt /sbin/setfiles -v -F
        -e /dev -e /proc -e /sys -e /run
        /etc/selinux/targeted/contexts/files/file_contexts /
      register: configuration_setfiles_result
--- a/roles/configuration/tasks/services.yml
+++ b/roles/configuration/tasks/services.yml
@@ -1,7 +1,7 @@
 ---
 - name: Enable Systemd Services
  ansible.builtin.command: >
-    arch-chroot /mnt systemctl enable NetworkManager
+    {{ chroot_command }} /mnt systemctl enable NetworkManager
    {{ ' firewalld' if firewalld_enabled | bool else '' }}
    {{
      ' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else
@@ -16,7 +16,7 @@

 - name: Disable firewalld when disabled
  when: not firewalld_enabled | bool
-  ansible.builtin.command: arch-chroot /mnt systemctl disable --now firewalld
+  ansible.builtin.command: "{{ chroot_command }} /mnt systemctl disable --now firewalld"
  register: configuration_disable_firewalld_result
  changed_when: configuration_disable_firewalld_result.rc == 0
  failed_when: false
--- a/roles/configuration/tasks/users.yml
+++ b/roles/configuration/tasks/users.yml
@@ -4,11 +4,11 @@
    configuration_user_group: >-
      {{ "sudo" if is_debian | bool else "wheel" }}
    configuration_useradd_cmd: >-
-      arch-chroot /mnt /usr/sbin/useradd --create-home --user-group
+      {{ chroot_command }} /mnt /usr/sbin/useradd --create-home --user-group
      --groups {{ configuration_user_group }} {{ user_name }}
      --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
    configuration_root_cmd: >-
-      arch-chroot /mnt /usr/sbin/usermod --password
+      {{ chroot_command }} /mnt /usr/sbin/usermod --password
      '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
  ansible.builtin.command: "{{ item }}"
  loop:
--- a/roles/global_defaults/defaults/main.yml
+++ b/roles/global_defaults/defaults/main.yml
@@ -7,6 +7,7 @@ vmware_ssh: false
 firewalld_enabled: true
 zstd_enabled: true
 swap_enabled: true
+chroot_command: "arch-chroot"

 cis_enabled: "{{ cis | bool }}"