sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sandwich:5b3076d9e1dcaf60be9a867c7577d1252444861d
Branches Tags
sandwich:master
...
compare: sandwich:4336d864b3adc063f5ad95bb905feae8f8dc2ad8
Branches Tags
sandwich:master

8 Commits
5b3076d9e1 ... 4336d864b3

Author SHA1 Message Date
Sandwich
4336d864b3 refactor(virtualization): extract shared Xen disk definitions 2026-03-12 12:27:18 +01:00
Sandwich
62e50c19ff refactor: remove unnecessary changed_when from set_fact tasks 2026-03-12 12:25:45 +01:00
Sandwich
b7cf1b10a9 refactor(partitioning): remove redundant blockdev --rereadpt calls 2026-03-12 12:25:15 +01:00
Sandwich
fc2d924349 refactor(partitioning): remove unused register variables 2026-03-12 12:24:59 +01:00
Sandwich
67e3753ece chore: suppress args[module] false positives from variable-based module_defaults 2026-03-12 12:12:27 +01:00
Sandwich
da9e287e56 fix(cleanup): add no_log to Proxmox VM restart task 2026-03-12 12:12:27 +01:00
Sandwich
a8ea4f0962 fix(virtualization): add missing changed_when to Xen VM stop task 2026-03-12 12:12:27 +01:00
Sandwich
754668b734 fix(configuration): replace fail+ignore_errors with debug for TPM2 fallback warning 2026-03-12 12:12:27 +01:00
13 changed files with 32 additions and 66 deletions
Expand all files Collapse all files

1
.ansible-lint
View File

@@ -1,5 +1,6 @@
skip_list: skip_list:
- run-once - run-once
- var-naming[no-role-prefix] # user-facing API dicts (cis, system, hypervisor) are intentionally not role-prefixed - var-naming[no-role-prefix] # user-facing API dicts (cis, system, hypervisor) are intentionally not role-prefixed
- args[module] # false positives from variable-based module_defaults (_proxmox_auth, _vmware_auth)
exclude_paths: exclude_paths:
- roles/global_defaults/ - roles/global_defaults/

6
roles/cleanup/tasks/libvirt.yml
View File

@@ -14,7 +14,6 @@
- name: Initialize cleaned VM XML - name: Initialize cleaned VM XML
ansible.builtin.set_fact: ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_get_xml.get_xml }}" cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_get_xml.get_xml }}"
changed_when: false
- name: Remove boot ISO device from VM XML (source match) - name: Remove boot ISO device from VM XML (source match)
when: boot_iso is defined and boot_iso | length > 0 when: boot_iso is defined and boot_iso | length > 0
@@ -28,7 +27,6 @@
when: boot_iso is defined and boot_iso | length > 0 when: boot_iso is defined and boot_iso | length > 0
ansible.builtin.set_fact: ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot_source.xmlstring }}" cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot_source.xmlstring }}"
changed_when: false
- name: Remove boot ISO device from VM XML (target fallback) - name: Remove boot ISO device from VM XML (target fallback)
community.general.xml: community.general.xml:
@@ -40,7 +38,6 @@
- name: Update cleaned VM XML after removing boot ISO - name: Update cleaned VM XML after removing boot ISO
ansible.builtin.set_fact: ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot.xmlstring }}" cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot.xmlstring }}"
changed_when: false
- name: Remove cloud-init ISO device from VM XML (source match) - name: Remove cloud-init ISO device from VM XML (source match)
community.general.xml: community.general.xml:
@@ -52,7 +49,6 @@
- name: Update cleaned VM XML after removing cloud-init ISO source match - name: Update cleaned VM XML after removing cloud-init ISO source match
ansible.builtin.set_fact: ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_cloudinit_source.xmlstring }}" cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_cloudinit_source.xmlstring }}"
changed_when: false
- name: Remove cloud-init ISO device from VM XML (target fallback) - name: Remove cloud-init ISO device from VM XML (target fallback)
community.general.xml: community.general.xml:
@@ -64,7 +60,6 @@
- name: Update cleaned VM XML after removing cloud-init ISO - name: Update cleaned VM XML after removing cloud-init ISO
ansible.builtin.set_fact: ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_cloudinit.xmlstring }}" cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_cloudinit.xmlstring }}"
changed_when: false
- name: Strip XML declaration for libvirt define - name: Strip XML declaration for libvirt define
ansible.builtin.set_fact: ansible.builtin.set_fact:
@@ -76,7 +71,6 @@
| regex_replace("(?i)encoding=[\"'][^\"']+[\"']", "") | regex_replace("(?i)encoding=[\"'][^\"']+[\"']", "")
| trim | trim
}} }}
changed_when: false
- name: Update VM definition without installer media - name: Update VM definition without installer media
community.libvirt.virt: community.libvirt.virt:

1
roles/cleanup/tasks/proxmox.yml
View File

@@ -25,3 +25,4 @@
community.proxmox.proxmox_kvm: community.proxmox.proxmox_kvm:
vmid: "{{ system_cfg.id }}" vmid: "{{ system_cfg.id }}"
state: restarted state: restarted
no_log: true

25
roles/cleanup/tasks/xen.yml
View File

@@ -7,34 +7,11 @@
xen_installer_media_enabled: "{{ xen_installer_media_enabled | default(false) }}" xen_installer_media_enabled: "{{ xen_installer_media_enabled | default(false) }}"
block: block:
- name: Ensure Xen disk definitions exist - name: Ensure Xen disk definitions exist
when: virtualization_xen_disks is not defined ansible.builtin.include_tasks: ../../virtualization/tasks/_xen_disks.yml
ansible.builtin.set_fact:
cleanup_xen_disks: "{{ cleanup_xen_disks | default([]) + [cleanup_xen_disk_cfg] }}"
vars:
device_letter_map: "{{ disk_letter_map }}"
device_letter: "{{ device_letter_map[ansible_loop.index0] }}"
cleanup_xen_disk_cfg: >-
{{
{
'path': (
virtualization_xen_disk_path ~ '/' ~ hostname ~ '.qcow2'
if ansible_loop.index0 == 0
else virtualization_xen_disk_path ~ '/' ~ hostname ~ '-disk' ~ ansible_loop.index0 ~ '.qcow2'
),
'target': 'xvd' ~ device_letter,
'size': (item.size | float)
}
}}
loop: "{{ system_cfg.disks }}"
loop_control:
label: "{{ item | to_json }}"
extended: true
changed_when: false
- name: Render Xen VM configuration without installer media - name: Render Xen VM configuration without installer media
vars: vars:
xen_installer_media_enabled: false xen_installer_media_enabled: false
virtualization_xen_disks: "{{ virtualization_xen_disks | default(cleanup_xen_disks | default([])) }}"
ansible.builtin.template: ansible.builtin.template:
src: xen.cfg.j2 src: xen.cfg.j2
dest: /tmp/xen-{{ hostname }}.cfg dest: /tmp/xen-{{ hostname }}.cfg

1
roles/configuration/tasks/encryption/keyfile.yml
View File

@@ -86,7 +86,6 @@
device: "{{ configuration_luks_device }}" device: "{{ configuration_luks_device }}"
passphrase: "{{ configuration_luks_passphrase }}" passphrase: "{{ configuration_luks_passphrase }}"
new_keyfile: "/mnt{{ configuration_luks_keyfile_path }}" new_keyfile: "/mnt{{ configuration_luks_keyfile_path }}"
register: configuration_luks_addkey_retry
failed_when: false failed_when: false
no_log: true no_log: true

3
roles/configuration/tasks/encryption/tpm2.yml
View File

@@ -80,11 +80,10 @@
host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }} host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }}
rescue: rescue:
- name: Warn about TPM2 enrollment failure - name: Warn about TPM2 enrollment failure
ansible.builtin.fail: ansible.builtin.debug:
msg: >- msg: >-
WARNING: TPM2 enrollment failed — falling back to keyfile auto-decrypt. WARNING: TPM2 enrollment failed — falling back to keyfile auto-decrypt.
The system will use a keyfile instead of TPM2 for automatic LUKS unlock. The system will use a keyfile instead of TPM2 for automatic LUKS unlock.
ignore_errors: true
- name: Fallback to keyfile auto-decrypt - name: Fallback to keyfile auto-decrypt
ansible.builtin.set_fact: ansible.builtin.set_fact:

1
roles/partitioning/tasks/_create_filesystems.yml
View File

@@ -24,7 +24,6 @@
ansible.builtin.command: >- ansible.builtin.command: >-
tune2fs -O "^orphan_file,^metadata_csum_seed" tune2fs -O "^orphan_file,^metadata_csum_seed"
"{{ install_drive }}{{ partitioning_part_sep }}{{ partitioning_boot_fs_partition_suffix }}" "{{ install_drive }}{{ partitioning_part_sep }}{{ partitioning_boot_fs_partition_suffix }}"
register: partitioning_boot_ext4_tune_result
changed_when: false changed_when: false
- name: Create swap filesystem - name: Create swap filesystem

5
roles/partitioning/tasks/_create_partitions.yml
View File

@@ -65,9 +65,7 @@
ansible.builtin.command: "{{ item }}" ansible.builtin.command: "{{ item }}"
loop: loop:
- "partprobe {{ install_drive }}" - "partprobe {{ install_drive }}"
- "blockdev --rereadpt {{ install_drive }}"
- "udevadm settle" - "udevadm settle"
register: partitioning_partprobe_result
changed_when: false changed_when: false
failed_when: false failed_when: false
@@ -91,9 +89,7 @@
ansible.builtin.command: "{{ item }}" ansible.builtin.command: "{{ item }}"
loop: loop:
- "partprobe {{ install_drive }}" - "partprobe {{ install_drive }}"
- "blockdev --rereadpt {{ install_drive }}"
- "udevadm settle" - "udevadm settle"
register: partitioning_partprobe_retry
changed_when: false changed_when: false
failed_when: false failed_when: false
@@ -116,6 +112,5 @@
loop: loop:
- "partprobe {{ install_drive }}" - "partprobe {{ install_drive }}"
- "udevadm settle" - "udevadm settle"
register: partitioning_partprobe_settle
changed_when: false changed_when: false
failed_when: false failed_when: false

3
roles/partitioning/tasks/_setup_luks.yml
View File

@@ -21,7 +21,6 @@
algorithm: "{{ system_cfg.luks.pbkdf }}" algorithm: "{{ system_cfg.luks.pbkdf }}"
iteration_time: "{{ (system_cfg.luks.iter | float) / 1000 }}" iteration_time: "{{ (system_cfg.luks.iter | float) / 1000 }}"
passphrase: "{{ system_cfg.luks.passphrase | string }}" passphrase: "{{ system_cfg.luks.passphrase | string }}"
register: partitioning_luks_format_result
no_log: true no_log: true
- name: Force-close LUKS mapper - name: Force-close LUKS mapper
@@ -51,7 +50,6 @@
name: "{{ system_cfg.luks.mapper }}" name: "{{ system_cfg.luks.mapper }}"
passphrase: "{{ system_cfg.luks.passphrase | string }}" passphrase: "{{ system_cfg.luks.passphrase | string }}"
allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}" allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
register: partitioning_luks_open_result
no_log: true no_log: true
rescue: rescue:
- name: Force-close stale LUKS mapper - name: Force-close stale LUKS mapper
@@ -79,7 +77,6 @@
name: "{{ system_cfg.luks.mapper }}" name: "{{ system_cfg.luks.mapper }}"
passphrase: "{{ system_cfg.luks.passphrase | string }}" passphrase: "{{ system_cfg.luks.passphrase | string }}"
allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}" allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
register: partitioning_luks_open_retry
no_log: true no_log: true
- name: Get LUKS UUID - name: Get LUKS UUID

2
roles/partitioning/tasks/btrfs.yml
View File

@@ -56,7 +56,6 @@
- { subvol: var_log_audit } - { subvol: var_log_audit }
loop_control: loop_control:
label: "{{ item.subvol }}" label: "{{ item.subvol }}"
register: partitioning_btrfs_subvol_result
- name: Set quotas for subvolumes - name: Set quotas for subvolumes
when: system_cfg.features.cis.enabled | bool when: system_cfg.features.cis.enabled | bool
@@ -74,7 +73,6 @@
btrfs filesystem mkswapfile --size {{ partitioning_swap_size_gb }}g --uuid clear /mnt/@swap/swapfile btrfs filesystem mkswapfile --size {{ partitioning_swap_size_gb }}g --uuid clear /mnt/@swap/swapfile
args: args:
creates: /mnt/@swap/swapfile creates: /mnt/@swap/swapfile
register: partitioning_btrfs_swap_result
- name: Unmount Partition - name: Unmount Partition
ansible.posix.mount: ansible.posix.mount:

26
roles/virtualization/tasks/_xen_disks.yml Normal file
View File

@@ -0,0 +1,26 @@
---
- name: Build Xen disk definitions
when: virtualization_xen_disks is not defined
block:
- name: Compute Xen disk configuration
ansible.builtin.set_fact:
virtualization_xen_disks: "{{ virtualization_xen_disks | default([]) + [_xen_disk_cfg] }}"
vars:
device_letter_map: "{{ disk_letter_map }}"
device_letter: "{{ device_letter_map[ansible_loop.index0] }}"
_xen_disk_cfg: >-
{{
{
'path': (
virtualization_xen_disk_path ~ '/' ~ hostname ~ '.qcow2'
if ansible_loop.index0 == 0
else virtualization_xen_disk_path ~ '/' ~ hostname ~ '-disk' ~ ansible_loop.index0 ~ '.qcow2'
),
'target': 'xvd' ~ device_letter,
'size': (item.size | float)
}
}}
loop: "{{ system_cfg.disks }}"
loop_control:
label: "{{ item | to_json }}"
extended: true

1
roles/virtualization/tasks/delete.yml
View File

@@ -70,6 +70,7 @@
- xl - xl
- destroy - destroy
- "{{ hostname }}" - "{{ hostname }}"
changed_when: false
failed_when: false failed_when: false
- name: Remove Xen VM config - name: Remove Xen VM config

23
roles/virtualization/tasks/xen.yml
View File

@@ -2,28 +2,7 @@
- name: Deploy VM on Xen - name: Deploy VM on Xen
block: block:
- name: Build disk definitions - name: Build disk definitions
ansible.builtin.set_fact: ansible.builtin.include_tasks: _xen_disks.yml
virtualization_xen_disks: "{{ virtualization_xen_disks | default([]) + [virtualization_xen_disk_cfg] }}"
vars:
device_letter_map: "{{ disk_letter_map }}"
device_letter: "{{ device_letter_map[ansible_loop.index0] }}"
virtualization_xen_disk_cfg: >-
{{
{
'path': (
virtualization_xen_disk_path ~ '/' ~ hostname ~ '.qcow2'
if ansible_loop.index0 == 0
else virtualization_xen_disk_path ~ '/' ~ hostname ~ '-disk' ~ ansible_loop.index0 ~ '.qcow2'
),
'target': 'xvd' ~ device_letter,
'size': (item.size | float)
}
}}
loop: "{{ system_cfg.disks }}"
loop_control:
label: "{{ item | to_json }}"
extended: true
changed_when: false
- name: Create VM disks for Xen - name: Create VM disks for Xen
delegate_to: localhost delegate_to: localhost