


10 changed files with 55 additions and 66 deletions


@@ -1,18 +1,18 @@
--- ---
- name: Configure disk encryption - name: Configure disk encryption
when: partitioning_luks_enabled | bool when: system_cfg.luks.enabled | bool
vars: vars:
configuration_luks_passphrase: >- configuration_luks_passphrase: >-
{{ partitioning_luks_passphrase | string }} {{ system_cfg.luks.passphrase | string }}
block: block:
- name: Set LUKS configuration facts - name: Set LUKS configuration facts
vars: vars:
luks_tpm2_pcrs: >- luks_tpm2_pcrs: >-
{{ {{
( (
partitioning_luks_tpm2_pcrs system_cfg.luks.tpm2.pcrs
if partitioning_luks_tpm2_pcrs is string if system_cfg.luks.tpm2.pcrs is string
else (partitioning_luks_tpm2_pcrs | map('string') | join('+')) else (system_cfg.luks.tpm2.pcrs | map('string') | join('+'))
) )
| string | string
| replace(',', '+') | replace(',', '+')
@@ -20,21 +20,21 @@
| regex_replace('^\\+|\\+$', '') | regex_replace('^\\+|\\+$', '')
}} }}
ansible.builtin.set_fact: ansible.builtin.set_fact:
configuration_luks_mapper_name: "{{ partitioning_luks_mapper_name }}" configuration_luks_mapper_name: "{{ system_cfg.luks.mapper }}"
configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}" configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}"
configuration_luks_device: "{{ partitioning_luks_device }}" configuration_luks_device: "{{ partitioning_luks_device }}"
configuration_luks_options: "{{ partitioning_luks_options }}" configuration_luks_options: "{{ system_cfg.luks.options }}"
configuration_luks_auto_method: >- configuration_luks_auto_method: >-
{{ {{
(partitioning_luks_auto_decrypt | bool) (system_cfg.luks.auto | bool)
| ternary( | ternary(
partitioning_luks_auto_decrypt_method, system_cfg.luks.method,
'manual' 'manual'
) )
}} }}
configuration_luks_tpm2_device: "{{ partitioning_luks_tpm2_device }}" configuration_luks_tpm2_device: "{{ partitioning_luks_tpm2_device }}"
configuration_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}" configuration_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
configuration_luks_keyfile_path: "/etc/cryptsetup-keys.d/{{ partitioning_luks_mapper_name }}.key" configuration_luks_keyfile_path: "/etc/cryptsetup-keys.d/{{ system_cfg.luks.mapper }}.key"
changed_when: false changed_when: false
- name: Validate LUKS UUID is available - name: Validate LUKS UUID is available
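Review bot: The line `configuration_luks_tpm2_device: "{{ partitioning_luks_tpm2_device }}"` still reads the role variable, but the defaults hunk of this same commit (@@ -1,21 +1,4 @@) deletes `partitioning_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"`, so unless it is defined somewhere outside this diff the set_fact fails with an undefined variable as soon as LUKS is enabled. Migrate it like the neighbouring keys: `configuration_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"`. The hunk also keeps `partitioning_luks_uuid` and `partitioning_luks_device` on the old naming; the latter is still defined in the defaults hunk, the former is not visible anywhere in this diff and deserves the same check. The enclosing block continues past the end of the hunk.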


@@ -16,7 +16,7 @@
{{ {{
lookup( lookup(
'community.general.random_string', 'community.general.random_string',
length=(partitioning_luks_keyfile_size | int), length=(system_cfg.luks.keysize | int),
override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
) )
}} }}
@@ -71,7 +71,7 @@
{{ {{
lookup( lookup(
'community.general.random_string', 'community.general.random_string',
length=(partitioning_luks_keyfile_size | int), length=(system_cfg.luks.keysize | int),
override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
) )
}} }}
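Review bot: `length=(system_cfg.luks.keysize | int)` takes the keyfile length straight from configuration with no lower bound, so a missing or zero `keysize` produces an empty string for the key slot without any task in these hunks failing. Guard it once before generation, e.g. `- (system_cfg.luks.keysize | default(0) | int) > 0` in an `ansible.builtin.assert`, in the same spirit as the passphrase assertion this commit keeps in the partitioning tasks. The identical `random_string` lookup appears in both the @@ -16 and @@ -71 hunks; evaluating it into one variable would keep the two consumers in step and make the entropy (62-symbol alphabet, so roughly 5.95 bits per character) easy to reason about in one place. Both enclosing tasks start and end outside the hunks shown.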


@@ -15,7 +15,7 @@ method=auto
{% if dns_list %} {% if dns_list %}
dns={{ dns_list | join(';') }} dns={{ dns_list | join(';') }}
{% endif %} {% endif %}
{% if dns_list or search_list %} {% if dns_list %}
ignore-auto-dns=true ignore-auto-dns=true
{% endif %} {% endif %}
{% if search_list %} {% if search_list %}
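Review bot: Narrowing the condition to `{% if dns_list %}` changes the rendered profile for hosts that set only `search_list`: they now keep DHCP-supplied DNS servers and search domains, whereas before `ignore-auto-dns=true` discarded both while providing no servers at all. That looks intentional, since `ignore-auto-dns` governs servers and domains alike, but nothing in the template records the reasoning. Add `{# ignore-auto-dns drops DHCP servers and search domains together, so only set it when we supply servers ourselves #}` above the `{% if dns_list %}` line so the next edit does not widen it again.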


@@ -1,21 +1,4 @@
--- ---
partitioning_luks_enabled: "{{ system_cfg.luks.enabled | bool }}"
partitioning_luks_passphrase: "{{ system_cfg.luks.passphrase }}"
partitioning_luks_mapper_name: "{{ system_cfg.luks.mapper }}"
partitioning_luks_type: "{{ system_cfg.luks.type }}"
partitioning_luks_cipher: "{{ system_cfg.luks.cipher }}"
partitioning_luks_hash: "{{ system_cfg.luks.hash }}"
partitioning_luks_iter_time: "{{ system_cfg.luks.iter }}"
partitioning_luks_key_size: "{{ system_cfg.luks.bits }}"
partitioning_luks_pbkdf: "{{ system_cfg.luks.pbkdf }}"
partitioning_luks_use_urandom: "{{ system_cfg.luks.urandom | bool }}"
partitioning_luks_verify_passphrase: "{{ system_cfg.luks.verify | bool }}"
partitioning_luks_auto_decrypt: "{{ system_cfg.luks.auto | bool }}"
partitioning_luks_auto_decrypt_method: "{{ system_cfg.luks.method }}"
partitioning_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"
partitioning_luks_tpm2_pcrs: "{{ system_cfg.luks.tpm2.pcrs }}"
partitioning_luks_keyfile_size: "{{ system_cfg.luks.keysize }}"
partitioning_luks_options: "{{ system_cfg.luks.options }}"
partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if system_cfg.features.zstd.enabled | bool else '' }}" partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if system_cfg.features.zstd.enabled | bool else '' }}"
partitioning_boot_partition_suffix: 1 partitioning_boot_partition_suffix: 1
partitioning_main_partition_suffix: 2 partitioning_main_partition_suffix: 2
@@ -26,7 +9,7 @@ partitioning_boot_size_mib: 1024
partitioning_use_full_disk: true partitioning_use_full_disk: true
partitioning_separate_boot: >- partitioning_separate_boot: >-
{{ {{
(partitioning_luks_enabled | bool) (system_cfg.luks.enabled | bool)
and (os | lower not in ['archlinux']) and (os | lower not in ['archlinux'])
}} }}
partitioning_boot_fs_fstype: >- partitioning_boot_fs_fstype: >-
@@ -103,15 +86,15 @@ partitioning_layout: >-
}} }}
partitioning_grub_enable_cryptodisk: >- partitioning_grub_enable_cryptodisk: >-
{{ {{
(partitioning_luks_enabled | bool) (system_cfg.luks.enabled | bool)
and not (partitioning_separate_boot | bool) and not (partitioning_separate_boot | bool)
and (partitioning_efi_mountpoint == '/boot/efi') and (partitioning_efi_mountpoint == '/boot/efi')
}} }}
partitioning_luks_device: "{{ install_drive ~ (partitioning_root_partition_suffix | string) }}" partitioning_luks_device: "{{ install_drive ~ (partitioning_root_partition_suffix | string) }}"
partitioning_root_device: >- partitioning_root_device: >-
{{ {{
'/dev/mapper/' + partitioning_luks_mapper_name '/dev/mapper/' + system_cfg.luks.mapper
if (partitioning_luks_enabled | bool) if (system_cfg.luks.enabled | bool)
else install_drive ~ (partitioning_root_partition_suffix | string) else install_drive ~ (partitioning_root_partition_suffix | string)
}} }}
partitioning_disk_size_gb: >- partitioning_disk_size_gb: >-


@@ -9,8 +9,8 @@
opts: >- opts: >-
{{ {{
'-K' '-K'
if (partitioning_luks_enabled | bool) if (system_cfg.luks.enabled | bool)
and not ('discard' in (partitioning_luks_options | lower)) and not ('discard' in (system_cfg.luks.options | lower))
else omit else omit
}} }}
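Review bot: The `'-K'` in this `opts` expression has no explanation, and its purpose is security-relevant: if this feeds mkfs.btrfs (the enclosing task starts outside the hunk, so that is inferred), `-K` is `--nodiscard`, which stops mkfs from issuing TRIM through the LUKS mapping and thereby exposing the free-space layout of the encrypted volume. Add a comment above `opts:` such as `# -K (nodiscard): do not TRIM through the LUKS mapping at mkfs time unless discards were explicitly enabled in luks.options`. The `'discard' in (system_cfg.luks.options | lower)` test is also repeated in the open/retry tasks of the partitioning hunks; a single boolean fact would keep the three in agreement.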


@@ -70,22 +70,22 @@
failed_when: false failed_when: false
- name: Close LUKS mapper - name: Close LUKS mapper
when: partitioning_luks_enabled | bool when: system_cfg.luks.enabled | bool
community.crypto.luks_device: community.crypto.luks_device:
name: "{{ partitioning_luks_mapper_name }}" name: "{{ system_cfg.luks.mapper }}"
state: closed state: closed
failed_when: false failed_when: false
- name: Remove LUKS mapper device - name: Remove LUKS mapper device
when: partitioning_luks_enabled | bool when: system_cfg.luks.enabled | bool
ansible.builtin.command: >- ansible.builtin.command: >-
dmsetup remove --force --retry {{ partitioning_luks_mapper_name }} dmsetup remove --force --retry {{ system_cfg.luks.mapper }}
register: partitioning_dmsetup_remove register: partitioning_dmsetup_remove
changed_when: partitioning_dmsetup_remove.rc == 0 changed_when: partitioning_dmsetup_remove.rc == 0
failed_when: false failed_when: false
- name: Remove LUKS signatures - name: Remove LUKS signatures
when: partitioning_luks_enabled | bool when: system_cfg.luks.enabled | bool
community.crypto.luks_device: community.crypto.luks_device:
device: "{{ partitioning_luks_device }}" device: "{{ partitioning_luks_device }}"
state: absent state: absent
@@ -154,12 +154,12 @@
failed_when: false failed_when: false
- name: Configure LUKS encryption - name: Configure LUKS encryption
when: partitioning_luks_enabled | bool when: system_cfg.luks.enabled | bool
block: block:
- name: Validate LUKS passphrase - name: Validate LUKS passphrase
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- (partitioning_luks_passphrase | string | length) > 0 - (system_cfg.luks.passphrase | string | length) > 0
fail_msg: system.luks.passphrase must be set when LUKS is enabled. fail_msg: system.luks.passphrase must be set when LUKS is enabled.
no_log: true no_log: true
@@ -167,26 +167,26 @@
community.crypto.luks_device: community.crypto.luks_device:
device: "{{ partitioning_luks_device }}" device: "{{ partitioning_luks_device }}"
state: present state: present
type: "{{ partitioning_luks_type }}" type: "{{ system_cfg.luks.type }}"
cipher: "{{ partitioning_luks_cipher }}" cipher: "{{ system_cfg.luks.cipher }}"
hash: "{{ partitioning_luks_hash }}" hash: "{{ system_cfg.luks.hash }}"
keysize: "{{ partitioning_luks_key_size }}" keysize: "{{ system_cfg.luks.bits }}"
pbkdf: pbkdf:
algorithm: "{{ partitioning_luks_pbkdf }}" algorithm: "{{ system_cfg.luks.pbkdf }}"
iteration_time: "{{ (partitioning_luks_iter_time | float) / 1000 }}" iteration_time: "{{ (system_cfg.luks.iter | float) / 1000 }}"
passphrase: "{{ partitioning_luks_passphrase | string }}" passphrase: "{{ system_cfg.luks.passphrase | string }}"
register: partitioning_luks_format_result register: partitioning_luks_format_result
no_log: true no_log: true
- name: Force-close LUKS mapper - name: Force-close LUKS mapper
community.crypto.luks_device: community.crypto.luks_device:
name: "{{ partitioning_luks_mapper_name }}" name: "{{ system_cfg.luks.mapper }}"
state: closed state: closed
failed_when: false failed_when: false
- name: Force-remove LUKS mapper device - name: Force-remove LUKS mapper device
ansible.builtin.command: >- ansible.builtin.command: >-
dmsetup remove --force --retry {{ partitioning_luks_mapper_name }} dmsetup remove --force --retry {{ system_cfg.luks.mapper }}
register: partitioning_dmsetup_remove_after_format register: partitioning_dmsetup_remove_after_format
changed_when: partitioning_dmsetup_remove_after_format.rc == 0 changed_when: partitioning_dmsetup_remove_after_format.rc == 0
failed_when: false failed_when: false
@@ -202,21 +202,21 @@
community.crypto.luks_device: community.crypto.luks_device:
device: "{{ partitioning_luks_device }}" device: "{{ partitioning_luks_device }}"
state: opened state: opened
name: "{{ partitioning_luks_mapper_name }}" name: "{{ system_cfg.luks.mapper }}"
passphrase: "{{ partitioning_luks_passphrase | string }}" passphrase: "{{ system_cfg.luks.passphrase | string }}"
allow_discards: "{{ 'discard' in (partitioning_luks_options | lower) }}" allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
register: partitioning_luks_open_result register: partitioning_luks_open_result
no_log: true no_log: true
rescue: rescue:
- name: Force-close stale LUKS mapper - name: Force-close stale LUKS mapper
community.crypto.luks_device: community.crypto.luks_device:
name: "{{ partitioning_luks_mapper_name }}" name: "{{ system_cfg.luks.mapper }}"
state: closed state: closed
failed_when: false failed_when: false
- name: Force-remove stale LUKS mapper device - name: Force-remove stale LUKS mapper device
ansible.builtin.command: >- ansible.builtin.command: >-
dmsetup remove --force --retry {{ partitioning_luks_mapper_name }} dmsetup remove --force --retry {{ system_cfg.luks.mapper }}
register: partitioning_dmsetup_remove_retry register: partitioning_dmsetup_remove_retry
changed_when: partitioning_dmsetup_remove_retry.rc == 0 changed_when: partitioning_dmsetup_remove_retry.rc == 0
failed_when: false failed_when: false
@@ -230,9 +230,9 @@
community.crypto.luks_device: community.crypto.luks_device:
device: "{{ partitioning_luks_device }}" device: "{{ partitioning_luks_device }}"
state: opened state: opened
name: "{{ partitioning_luks_mapper_name }}" name: "{{ system_cfg.luks.mapper }}"
passphrase: "{{ partitioning_luks_passphrase | string }}" passphrase: "{{ system_cfg.luks.passphrase | string }}"
allow_discards: "{{ 'discard' in (partitioning_luks_options | lower) }}" allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
register: partitioning_luks_open_retry register: partitioning_luks_open_retry
no_log: true no_log: true
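Review bot: `dmsetup remove --force --retry {{ system_cfg.luks.mapper }}` splices the mapper name into a free-form command string that `ansible.builtin.command` word-splits, so a mapper containing whitespace would be passed as several arguments instead of one name; the same form appears in the Force-remove and stale-mapper tasks of the @@ -167 and @@ -202 hunks. Use the list form, `argv: ["dmsetup", "remove", "--force", "--retry", "{{ system_cfg.luks.mapper }}"]`, so the value is always a single argument. Since the mapper is also used as a device-mapper name and in the keyfile path under `/etc/cryptsetup-keys.d/`, a short `ansible.builtin.assert` that it matches `^[A-Za-z0-9_.-]+$`, next to the existing passphrase assertion, would reject malformed input once rather than in each consumer. The `iteration_time: "{{ (system_cfg.luks.iter | float) / 1000 }}"` line would also benefit from a comment that `iter` is milliseconds and the module wants seconds.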


@@ -101,7 +101,11 @@
when: hypervisor_type == "xen" when: hypervisor_type == "xen"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- hostname not in system_check_xen_existing_vms.stdout | default('') - >-
not (
system_check_xen_existing_vms.stdout | default('')
is search('(?m)^' ~ (hostname | ansible.builtin.regex_escape) ~ '\\s+\\d+\\s')
)
fail_msg: | fail_msg: |
VM {{ hostname }} already exists on Xen hypervisor. VM {{ hostname }} already exists on Xen hypervisor.
To avoid data loss, the playbook will not overwrite or delete existing VMs. To avoid data loss, the playbook will not overwrite or delete existing VMs.
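Review bot: The anchored pattern `'(?m)^' ~ (hostname | ansible.builtin.regex_escape) ~ '\\s+\\d+\\s'` is a real improvement over the old substring test (which matched any VM whose name merely contained the hostname), but it silently encodes the column layout of the command behind `system_check_xen_existing_vms` (presumably `xl list`: name, then numeric domain ID), and the identical expression is repeated in the @@ -74 hunk of the VM-created task. Define it once, e.g. `virtualization_xen_vm_regex: "{{ '(?m)^' ~ (hostname | ansible.builtin.regex_escape) ~ '\\s+\\d+\\s' }}"`, with the comment `# matches a whole 'Name  ID ...' row, not a name prefix; (?m) is required because search() is otherwise anchored to string start only`, and reference it from both checks so they cannot drift apart. The assert task starts outside the hunk.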


@@ -15,10 +15,10 @@ virtualization_xen_disk_path: /var/lib/xen/images
virtualization_tpm2_enabled: >- virtualization_tpm2_enabled: >-
{{ {{
(partitioning_luks_enabled | bool) (system_cfg.luks.enabled | bool)
and (partitioning_luks_auto_decrypt | bool) and (system_cfg.luks.auto | bool)
and ( and (
(partitioning_luks_auto_decrypt_method | lower) (system_cfg.luks.method | lower)
== 'tpm2' == 'tpm2'
) )
}} }}


@@ -74,4 +74,6 @@
virtualization_vm_created_in_run: true virtualization_vm_created_in_run: true
when: when:
- virtualization_xen_list_result is defined - virtualization_xen_list_result is defined
- hostname in virtualization_xen_list_result.stdout - >-
virtualization_xen_list_result.stdout | default('')
is search('(?m)^' ~ (hostname | ansible.builtin.regex_escape) ~ '\\s+\\d+\\s')


@@ -48,7 +48,7 @@
{% endif %} {% endif %}
<interface type='network'> <interface type='network'>
<mac address="{{ virtualization_mac_address }}"/> <mac address="{{ virtualization_mac_address }}"/>
<source network='default'/> <source network='{{ system_cfg.network if (system_cfg.network | default('' ) | string | length) > 0 else "default" }}'/>
<model type='virtio'/> <model type='virtio'/>
</interface> </interface>
{% if virtualization_tpm2_enabled %} {% if virtualization_tpm2_enabled %}
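Review bot: `system_cfg.network` is inserted into the `network='…'` attribute without escaping, so a name containing `'` or `&` yields malformed domain XML that libvirt will reject. Route it through Jinja's escape filter and simplify the fallback at the same time: `<source network='{{ ((system_cfg.network | default("") | string) or "default") | e }}'/>` gives the same "default when empty" behaviour as the `length > 0` test. The `default('' )` spacing and the mixed `'`/`"` quoting in the current line also read as a paste artefact.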