sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sandwich:4336d864b3adc063f5ad95bb905feae8f8dc2ad8
Branches Tags
sandwich:master
...
compare: sandwich:704ff21f0e8f25a442623b49c5a5ce6b30cdce16
Branches Tags
sandwich:master

8 Commits
4336d864b3 ... 704ff21f0e

Author SHA1 Message Date
MORAWSKI Norbert
704ff21f0e fix(users): update cloud-init template and input validation for dict users 2026-03-20 15:10:31 +01:00
MORAWSKI Norbert
3e85a44d8e refactor(prompts): remove vars_prompt, require users defined in inventory 2026-03-20 15:06:32 +01:00
MORAWSKI Norbert
2d602646c8 fix(prompts): add default values to vars_prompt to skip in non-interactive mode 2026-03-20 15:03:35 +01:00
MORAWSKI Norbert
c0e672a32a refactor(users): change system.users from list to dict keyed by username 2026-03-20 14:33:13 +01:00
MORAWSKI Norbert
398f1b081d fix(configuration): make root password, user keys, and sudo all optional 2026-03-20 02:03:48 +01:00
MORAWSKI Norbert
8ef57ebbda fix(cloud-init): handle missing keys and make sudo conditional 2026-03-20 02:01:35 +01:00
MORAWSKI Norbert
a47e14aafd fix(cleanup): remove ansible_become override that blocks swapoff/umount 2026-03-20 01:13:20 +01:00
MORAWSKI Norbert
967a1c9d0d feat(global_defaults): add system.features.aur schema for validation passthrough 2026-03-20 01:13:20 +01:00
11 changed files with 105 additions and 156 deletions
Expand all files Collapse all files

25
README.md
View File

@@ -202,14 +202,29 @@ When `interfaces` is empty, the flat fields (`bridge`, `ip`, `prefix`, `gateway`
#### `system.users` #### `system.users`
Dict keyed by username. At least one user must have a `password` (used for SSH access during bootstrap). Users without a password get locked accounts (key-only auth).
```yaml
system:
users:
svcansible:
password: "vault_lookup"
keys:
- "ssh-ed25519 AAAA..."
appuser:
sudo: "ALL=(ALL) NOPASSWD: ALL"
keys:
- "ssh-ed25519 BBBB..."
```
| Key | Type | Default | Description | | Key | Type | Default | Description |
| ---------- | ----------- | ------- | -------------------------------------------------- | | ---------- | ----------- | ------- | -------------------------------------------------- |
| `name` | string | -- | Username (required) | | *(dict key)* | string | -- | Username (required) |
| `password` | string | -- | User password (required for first user) | | `password` | string | -- | User password (required for at least one user) |
| `keys` | list | `[]` | SSH public keys | | `keys` | list | `[]` | SSH public keys |
| `sudo` | bool/string | -- | `true` for NOPASSWD ALL, or custom sudoers string | | `sudo` | bool/string | -- | `true` for NOPASSWD ALL, or custom sudoers string |
The first user's credentials are prompted interactively via `vars_prompt` unless supplied in inventory or `-e`. Users must be defined in inventory. The dict format enables additive merging across inventory layers with `hash_behaviour=merge`.
#### `system.root` #### `system.root`
@@ -398,7 +413,7 @@ ansible-playbook -i inventory.yml main.yml
ansible-playbook -i inventory.yml main.yml -e @vars.yml ansible-playbook -i inventory.yml main.yml -e @vars.yml
``` ```
Credentials for the first user and root are prompted interactively via `vars_prompt` unless already set in inventory or passed via `-e`. All credentials (`system.users`, `system.root.password`) must be defined in inventory or passed via `-e`.
Example inventory files are included: Example inventory files are included:
@@ -408,7 +423,7 @@ Example inventory files are included:
## 7. Security ## 7. Security
Use **Ansible Vault** for all sensitive values (`hypervisor.password`, `system.luks.passphrase`, `system.users[].password`, `system.root.password`). Use **Ansible Vault** for all sensitive values (`hypervisor.password`, `system.luks.passphrase`, user passwords in `system.users`, `system.root.password`).
## 8. Safety ## 8. Safety

97
main.yml
View File

@@ -14,94 +14,7 @@
strategy: free # noqa: run-once[play] strategy: free # noqa: run-once[play]
gather_facts: false gather_facts: false
become: true become: true
vars_prompt:
- name: user_name
prompt: |
What is your username?
private: false
- name: user_public_key
prompt: |
What is your ssh key?
private: false
- name: user_password
prompt: |
What is your password?
confirm: true
- name: root_password
prompt: |
What is your root password?
confirm: true
pre_tasks: pre_tasks:
- name: Apply prompted authentication values to system input
no_log: true
vars:
system_input: "{{ system | default({}) }}"
system_users_input: "{{ system_input.users | default([]) }}"
system_first_user: >-
{{
system_users_input[0]
if (system_users_input is iterable and system_users_input is not string
and system_users_input is not mapping and system_users_input | length > 0)
else {}
}}
system_root_input: "{{ (system_input.root | default({})) if (system_input.root is mapping) else {} }}"
prompt_user_name: "{{ user_name | default(system_user_name | default(''), true) | string }}"
prompt_user_key: "{{ user_public_key | default(user_key | default(system_user_key | default(''), true), true) | string | trim }}"
prompt_user_password: "{{ user_password | default(system_user_password | default(''), true) | string }}"
prompt_root_password: "{{ root_password | default(system_root_password | default(''), true) | string }}"
resolved_user:
name: >-
{{
system_first_user.name | string
if (system_first_user.name | default('') | string | length) > 0
else prompt_user_name
}}
keys: >-
{{
system_first_user['keys']
if (system_first_user['keys'] is defined
and system_first_user['keys'] is iterable
and system_first_user['keys'] is not string
and system_first_user['keys'] | length > 0)
else (
[prompt_user_key]
if (prompt_user_key | length > 0)
else []
)
}}
password: >-
{{
system_first_user.password | string
if (system_first_user.password | default('') | string | length) > 0
else prompt_user_password
}}
ansible.builtin.set_fact:
system: >-
{{
system_input
| combine(
{
'users': (
[resolved_user]
+ (system_users_input[1:]
if (system_users_input is sequence
and system_users_input is not string
and system_users_input | length > 1)
else [])
),
'root': {
'password': (
(system_root_input.password | default('') | string | length) > 0
) | ternary(system_root_input.password | string, prompt_root_password)
}
},
recursive=True
)
}}
- name: Load global defaults - name: Load global defaults
ansible.builtin.import_role: ansible.builtin.import_role:
name: global_defaults name: global_defaults
@@ -160,8 +73,6 @@
ansible.builtin.include_role: ansible.builtin.include_role:
name: cleanup name: cleanup
public: true public: true
vars:
ansible_become: false
rescue: rescue:
- name: Delete VM on bootstrap failure - name: Delete VM on bootstrap failure
@@ -208,10 +119,12 @@
when: when:
- post_reboot_can_connect | bool - post_reboot_can_connect | bool
no_log: true no_log: true
vars:
_primary: "{{ (system_cfg.users | dict2items | selectattr('value.password', 'defined') | first) }}"
ansible.builtin.set_fact: ansible.builtin.set_fact:
ansible_user: "{{ system_cfg.users[0].name }}" ansible_user: "{{ _primary.key }}"
ansible_password: "{{ system_cfg.users[0].password }}" ansible_password: "{{ _primary.value.password }}"
ansible_become_password: "{{ system_cfg.users[0].password }}" ansible_become_password: "{{ _primary.value.password }}"
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
ansible_python_interpreter: /usr/bin/python3 ansible_python_interpreter: /usr/bin/python3

12
roles/configuration/tasks/sudo.yml
View File

@@ -15,15 +15,15 @@
validate: /usr/sbin/visudo --check --file=%s validate: /usr/sbin/visudo --check --file=%s
- name: Deploy per-user sudoers rules - name: Deploy per-user sudoers rules
when: item.sudo | default(false) when: item.value.sudo | default(false)
vars: vars:
configuration_sudoers_rule: >- configuration_sudoers_rule: >-
{{ item.sudo if item.sudo is string else 'ALL=(ALL) NOPASSWD: ALL' }} {{ item.value.sudo if item.value.sudo is string else 'ALL=(ALL) NOPASSWD: ALL' }}
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ item.name }} {{ configuration_sudoers_rule }}\n" content: "{{ item.key }} {{ configuration_sudoers_rule }}\n"
dest: "/mnt/etc/sudoers.d/{{ item.name }}" dest: "/mnt/etc/sudoers.d/{{ item.key }}"
mode: "0440" mode: "0440"
validate: /usr/sbin/visudo --check --file=%s validate: /usr/sbin/visudo --check --file=%s
loop: "{{ system_cfg.users }}" loop: "{{ system_cfg.users | dict2items }}"
loop_control: loop_control:
label: "{{ item.name }}" label: "{{ item.key }}"

57
roles/configuration/tasks/users.yml
View File

@@ -1,5 +1,6 @@
--- ---
- name: Set root password - name: Set root password
when: (system_cfg.root.password | default('') | string | length) > 0
ansible.builtin.shell: >- ansible.builtin.shell: >-
set -o pipefail && set -o pipefail &&
echo 'root:{{ system_cfg.root.password | password_hash("sha512") }}' | {{ chroot_command }} /usr/sbin/chpasswd -e echo 'root:{{ system_cfg.root.password | password_hash("sha512") }}' | {{ chroot_command }} /usr/sbin/chpasswd -e
@@ -9,6 +10,13 @@
changed_when: configuration_root_result.rc == 0 changed_when: configuration_root_result.rc == 0
no_log: true no_log: true
- name: Lock root account when no password is set
when: (system_cfg.root.password | default('') | string | length) == 0
ansible.builtin.command: >-
{{ chroot_command }} /usr/bin/passwd -l root
register: configuration_root_lock_result
changed_when: configuration_root_lock_result.rc == 0
- name: Set root shell - name: Set root shell
ansible.builtin.command: >- ansible.builtin.command: >-
{{ chroot_command }} /usr/sbin/usermod --shell {{ system_cfg.root.shell }} root {{ chroot_command }} /usr/sbin/usermod --shell {{ system_cfg.root.shell }} root
@@ -18,44 +26,43 @@
- name: Create user accounts - name: Create user accounts
vars: vars:
configuration_user_group: "{{ _configuration_platform.user_group }}" configuration_user_group: "{{ _configuration_platform.user_group }}"
# UID starts at 1000; safe for fresh installs only
configuration_useradd_cmd: >- configuration_useradd_cmd: >-
{{ chroot_command }} /usr/sbin/useradd --create-home --user-group {{ chroot_command }} /usr/sbin/useradd --create-home --user-group
--uid {{ 1000 + ansible_loop.index0 }} --uid {{ 1000 + _idx }}
--groups {{ configuration_user_group }} {{ item.name }} --groups {{ configuration_user_group }} {{ item.key }}
--password {{ item.password | password_hash('sha512') }} --shell {{ item.shell | default('/bin/bash') }} {{ ('--password ' ~ (item.value.password | password_hash('sha512'))) if (item.value.password | default('') | string | length > 0) else '' }}
--shell {{ item.value.shell | default('/bin/bash') }}
ansible.builtin.command: "{{ configuration_useradd_cmd }}" ansible.builtin.command: "{{ configuration_useradd_cmd }}"
loop: "{{ system_cfg.users }}" loop: "{{ system_cfg.users | dict2items }}"
loop_control: loop_control:
extended: true index_var: _idx
label: "{{ item.name }}" label: "{{ item.key }}"
register: configuration_user_result register: configuration_user_result
changed_when: configuration_user_result.rc == 0 changed_when: configuration_user_result.rc == 0
no_log: true no_log: true
- name: Ensure .ssh directory exists - name: Ensure .ssh directory exists
when: item['keys'] | default([]) | length > 0 when: (item.value['keys'] | default([]) | length) > 0
ansible.builtin.file: ansible.builtin.file:
path: "/mnt/home/{{ item.name }}/.ssh" path: "/mnt/home/{{ item.key }}/.ssh"
state: directory state: directory
owner: "{{ 1000 + ansible_loop.index0 }}" owner: "{{ 1000 + _idx }}"
group: "{{ 1000 + ansible_loop.index0 }}" group: "{{ 1000 + _idx }}"
mode: "0700" mode: "0700"
loop: "{{ system_cfg.users }}" loop: "{{ system_cfg.users | dict2items }}"
loop_control: loop_control:
extended: true index_var: _idx
label: "{{ item.name }}" label: "{{ item.key }}"
- name: Add SSH public keys to authorized_keys - name: Deploy SSH authorized_keys
vars: when: (item.value['keys'] | default([]) | length) > 0
configuration_uid: "{{ 1000 + (system_cfg.users | map(attribute='name') | list).index(item.0.name) }}" ansible.builtin.copy:
ansible.builtin.lineinfile: content: "{{ item.value['keys'] | join('\n') }}\n"
path: "/mnt/home/{{ item.0.name }}/.ssh/authorized_keys" dest: "/mnt/home/{{ item.key }}/.ssh/authorized_keys"
line: "{{ item.1 }}" owner: "{{ 1000 + _idx }}"
owner: "{{ configuration_uid }}" group: "{{ 1000 + _idx }}"
group: "{{ configuration_uid }}"
mode: "0600" mode: "0600"
create: true loop: "{{ system_cfg.users | dict2items }}"
loop: "{{ system_cfg.users | subelements('keys', skip_missing=True) }}"
loop_control: loop_control:
label: "{{ item.0.name }}: {{ item.1[:40] }}..." index_var: _idx
label: "{{ item.key }}"

6
roles/global_defaults/defaults/main.yml
View File

@@ -85,7 +85,7 @@ system_defaults:
mirror: "" mirror: ""
packages: [] packages: []
disks: [] disks: []
users: [] users: {}
root: root:
password: "" password: ""
shell: "/bin/bash" shell: "/bin/bash"
@@ -129,6 +129,10 @@ system_defaults:
rhel_repo: rhel_repo:
source: "iso" # iso|satellite|none — how RHEL systems get packages post-install source: "iso" # iso|satellite|none — how RHEL systems get packages post-install
url: "" # Satellite/custom repo URL when source=satellite url: "" # Satellite/custom repo URL when source=satellite
aur:
enabled: false
helper: "yay" # yay|paru
user: "_aur_builder"
chroot: chroot:
tool: "arch-chroot" # arch-chroot|chroot|systemd-nspawn tool: "arch-chroot" # arch-chroot|chroot|systemd-nspawn

2
roles/global_defaults/tasks/_normalize_system.yml
View File

@@ -96,7 +96,7 @@
}} }}
# --- Storage & accounts --- # --- Storage & accounts ---
disks: "{{ system_raw.disks | default([]) }}" disks: "{{ system_raw.disks | default([]) }}"
users: "{{ system_raw.users | default([]) }}" users: "{{ system_raw.users | default({}) }}"
root: root:
password: "{{ system_raw.root.password | string }}" password: "{{ system_raw.root.password | string }}"
shell: "{{ system_raw.root.shell | default('/bin/bash') | string }}" shell: "{{ system_raw.root.shell | default('/bin/bash') | string }}"

18
roles/global_defaults/tasks/_validate_input.yml
View File

@@ -8,11 +8,11 @@
that: that:
- system is mapping - system is mapping
- system.network is not defined or system.network is mapping - system.network is not defined or system.network is mapping
- system.users is not defined or (system.users is iterable and system.users is not string and system.users is not mapping) - system.users is not defined or system.users is mapping
- system.root is not defined or system.root is mapping - system.root is not defined or system.root is mapping
- system.luks is not defined or system.luks is mapping - system.luks is not defined or system.luks is mapping
- system.features is not defined or system.features is mapping - system.features is not defined or system.features is mapping
fail_msg: "system and its nested keys (network, root, luks, features) must be dictionaries; system.users must be a list." fail_msg: "system and its nested keys (network, root, luks, features, users) must be dictionaries."
quiet: true quiet: true
- name: Validate DNS lists (not strings) - name: Validate DNS lists (not strings)
@@ -25,17 +25,17 @@
quiet: true quiet: true
- name: Validate system.users entries - name: Validate system.users entries
when: system.users is defined and system.users | length > 0 when: system.users is defined and system.users is mapping and system.users | length > 0
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- item is mapping - item.value is mapping
- item.name is defined and (item.name | string | length) > 0 - item.key | string | length > 0
- item['keys'] is not defined or (item['keys'] is iterable and item['keys'] is not string) - item.value['keys'] is not defined or (item.value['keys'] is iterable and item.value['keys'] is not string)
fail_msg: "Each system.users[] entry must be a dict with 'name'; 'keys' must be a list." fail_msg: "Each system.users entry must be a dict keyed by username; 'keys' must be a list."
quiet: true quiet: true
loop: "{{ system.users }}" loop: "{{ system.users | dict2items }}"
loop_control: loop_control:
label: "{{ item.name | default('(unnamed)') }}" label: "{{ item.key }}"
- name: Validate system features input types - name: Validate system features input types
when: system.features is defined when: system.features is defined

8
roles/global_defaults/tasks/main.yml
View File

@@ -81,10 +81,12 @@
when: when:
- system_cfg.type == "virtual" - system_cfg.type == "virtual"
- hypervisor_type != "vmware" - hypervisor_type != "vmware"
vars:
_primary: "{{ (system_cfg.users | dict2items | selectattr('value.password', 'defined') | first) }}"
ansible.builtin.set_fact: ansible.builtin.set_fact:
ansible_user: "{{ system_cfg.users[0].name }}" ansible_user: "{{ _primary.key }}"
ansible_password: "{{ system_cfg.users[0].password }}" ansible_password: "{{ _primary.value.password }}"
ansible_become_password: "{{ system_cfg.users[0].password }}" ansible_become_password: "{{ _primary.value.password }}"
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
no_log: true no_log: true

13
roles/global_defaults/tasks/validation.yml
View File

@@ -261,13 +261,16 @@
fail_msg: "Invalid system sizing. Check system.cpus, system.memory, and system.disks[0].size." fail_msg: "Invalid system sizing. Check system.cpus, system.memory, and system.disks[0].size."
quiet: true quiet: true
- name: Validate at least one user is defined - name: Validate at least one user with a password is defined
vars:
_pw_users: "{{ system_cfg.users | dict2items | selectattr('value.password', 'defined') | list }}"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- system_cfg.users | default([]) | length > 0 - system_cfg.users | default({}) | length > 0
- system_cfg.users[0].name is defined and (system_cfg.users[0].name | string | length) > 0 - _pw_users | length > 0
- system_cfg.users[0].password is defined and (system_cfg.users[0].password | string | length) > 0 - _pw_users[0].key | string | length > 0
fail_msg: "At least one user with a name and password must be defined in system.users[]." - _pw_users[0].value.password | string | length > 0
fail_msg: "At least one user with a password must be defined in system.users."
quiet: true quiet: true
no_log: true no_log: true

4
roles/virtualization/tasks/proxmox.yml
View File

@@ -35,8 +35,8 @@
{%- endfor -%} {%- endfor -%}
{{ out }} {{ out }}
community.proxmox.proxmox_kvm: community.proxmox.proxmox_kvm:
ciuser: "{{ system_cfg.users[0].name }}" ciuser: "{{ (system_cfg.users | dict2items | selectattr('value.password', 'defined') | first).key }}"
cipassword: "{{ system_cfg.users[0].password }}" cipassword: "{{ (system_cfg.users | dict2items | selectattr('value.password', 'defined') | first).value.password }}"
ciupgrade: false ciupgrade: false
vmid: "{{ system_cfg.id }}" vmid: "{{ system_cfg.id }}"
name: "{{ hostname }}" name: "{{ hostname }}"

19
roles/virtualization/templates/cloud-user-data.yml.j2
View File

@@ -4,17 +4,22 @@ ssh_pwauth: true
package_update: false package_update: false
package_upgrade: false package_upgrade: false
users: users:
{% for user in system_cfg.users %} {% for username, attrs in system_cfg.users.items() %}
- name: "{{ user.name }}" - name: "{{ username }}"
primary_group: "{{ user.name }}" primary_group: "{{ username }}"
groups: users groups: users
{% if attrs.sudo | default(false) | bool %}
sudo: "ALL=(ALL) NOPASSWD:ALL" sudo: "ALL=(ALL) NOPASSWD:ALL"
passwd: "{{ user.password | password_hash('sha512') }}" {% endif %}
{% if attrs.password | default('') | length > 0 %}
passwd: "{{ attrs.password | password_hash('sha512') }}"
lock_passwd: false lock_passwd: false
{% set ssh_keys = user['keys'] | default([]) %} {% else %}
{% if ssh_keys | length > 0 %} lock_passwd: true
{% endif %}
{% if 'keys' in attrs and attrs['keys'] is iterable and attrs['keys'] is not string and attrs['keys'] | length > 0 %}
ssh_authorized_keys: ssh_authorized_keys:
{% for key in ssh_keys %} {% for key in attrs['keys'] %}
- "{{ key }}" - "{{ key }}"
{% endfor %} {% endfor %}
{% endif %} {% endif %}