fix(partitioning): add LVM extent headroom

This fixes an issue that in some virtual environments the NICs
MAC-Address gets changes and the config no longer applies.

README.md

@@ -66,6 +66,7 @@ Global variables apply across your Ansible project and can be supplied via inven
 | `cis` (optional)        | Adjusts the installation to be CIS level 3 conformant.     | `true`, `false (default)`                 |
 | `selinux` (optional)    | Toggle SELinux where supported.                            | `true (default)`, `false`                 |
 | `firewalld_enabled` (optional) | Toggle firewalld package/service enablement.        | `true (default)`, `false`                 |
+| `ssh_enabled` (optional) | Toggle SSH server package/service enablement.        | `true (default)`, `false`                 |
 
 ### 2.2 Hypervisor Access (virtual installs)
 
@@ -105,7 +106,7 @@ These are required when `hypervisor: vmware` uses the `vmware_tools` connection.
 | `luks_passphrase`          | Passphrase used for initial LUKS format/unlock. | `1234`             |
 | `luks_mapper_name`         | Decrypted mapper name.                          | `SYSTEM_DECRYPTED` |
 | `luks_auto_decrypt`        | Enable automatic unlock on boot.                | `true`, `false`    |
-| `luks_auto_decrypt_method` | Auto-unlock method.                             | `tpm2`, `keyfile`  |
+| `luks_auto_decrypt_method` | Auto-unlock method.                             | `tpm2`, `keyfile`, `manual` |
 | `luks_tpm2_device`         | TPM2 device for enrollment.                     | `auto`             |
 | `luks_tpm2_pcrs`           | TPM2 PCR list (systemd-cryptenroll).            | `7`                |
 | `luks_keyfile_size`        | Keyfile size in bytes for initramfs.            | `64`               |
@@ -119,6 +120,18 @@ These are required when `hypervisor: vmware` uses the `vmware_tools` connection.
 | `luks_use_urandom`         | Reserved; module uses cryptsetup defaults.      | `true`             |
 | `luks_verify_passphrase`   | Reserved; module uses cryptsetup defaults.      | `true`             |
 
+### 2.5 Partitioning Overrides (advanced)
+
+Use these only when you need to override the default layout logic.
+
+| Variable                     | Description                                              | Example Value |
+| ---------------------------- | -------------------------------------------------------- | ------------- |
+| `partitioning_efi_size_mib`  | ESP size in MiB.                                         | `512`         |
+| `partitioning_boot_size_mib` | `/boot` size in MiB when a separate boot is used.        | `1024`        |
+| `partitioning_separate_boot` | Force a separate `/boot` partition.                      | `true`        |
+| `partitioning_boot_fs_fstype` | Filesystem for `/boot` when separate.                   | `ext4`        |
+| `partitioning_use_full_disk` | Use remaining LVM space for the root volume.             | `true`        |
+
 To protect sensitive information, such as passwords, API keys, and other confidential variables (e.g., `hypervisor_password`), **it is recommended to use Ansible Vault**.
 
 ## 3. Inventory Variables
@@ -129,6 +142,7 @@ Inventory variables are defined for individual hosts or VMs in the inventory fil
 
 | Variable     | Description                            | Example Value          |
 | ------------ | -------------------------------------- | ---------------------- |
+| `ansible_host` | Ansible connection address for the host. | `192.168.0.10`      |
 | `os`         | Operating system to be installed.      | `ubuntu-lts`           |
 | `filesystem` | Filesystem type for the root volume.   | `btrfs`, `ext4`, `xfs` |
 | `hostname`   | The hostname assigned to the system.   | `vm01`                 |
@@ -160,7 +174,7 @@ These are prompted by default via `vars_prompt` in `main.yml`, but can be suppli
 | Variable    | Description                       | Example Value |
 | ----------- | --------------------------------- | ------------- |
 | `vm_id`     | Unique identifier for the VM.     | `101`         |
-| `vm_size`   | Disk size allocated in GB.        | `20`          |
+| `vm_size`   | Disk size allocated in GB (min 20). | `20`        |
 | `vm_memory` | Amount of memory in MB.           | `2048`        |
 | `vm_cpus`   | Number of CPU cores (virtual installs). | `4`      |
 | `vm_ballo`  | Ballooning memory size (optional).| `2048`        |

main.yml

@@ -80,25 +80,23 @@
         ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
 
     - name: Install post-reboot extra packages
+      vars:
+        post_install_extra_packages: >-
+          {{
+            (
+              extra_packages
+              if (extra_packages is iterable and extra_packages is not string)
+              else (extra_packages | string).split(',')
+            )
+            | map('trim')
+            | reject('equalto', '')
+            | list
+          }}
       when:
         - post_reboot_can_connect | bool
         - extra_packages is defined
         - extra_packages | length > 0
-      block:
+        - post_install_extra_packages | length > 0
-        - name: Install extra packages
+      ansible.builtin.package:
-          vars:
+        name: "{{ post_install_extra_packages }}"
-            post_install_extra_packages: >-
+        state: present
-              {{
-                (
-                  extra_packages
-                  if (extra_packages is iterable and extra_packages is not string)
-                  else (extra_packages | string).split(',')
-                )
-                | map('trim')
-                | reject('equalto', '')
-                | list
-              }}
-          when: post_install_extra_packages | length > 0
-          ansible.builtin.package:
-            name: "{{ post_install_extra_packages }}"
-            state: present

roles/bootstrap/tasks/almalinux.yml

@@ -14,7 +14,7 @@
         --setopt=install_weak_deps=False groupinstall -y base core
     - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
     - >-
-        arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False
+        {{ chroot_command }} /mnt dnf --releasever=9 --setopt=install_weak_deps=False
         install -y {{ bootstrap_alma_extra }}
   register: bootstrap_result
   changed_when: bootstrap_result.rc == 0

roles/bootstrap/tasks/debian.yml

@@ -23,7 +23,7 @@
     - >-
         debootstrap --include={{ bootstrap_debian_base }}
         {{ bootstrap_debian_release }} /mnt http://deb.debian.org/debian/
-    - "arch-chroot /mnt apt install -y {{ bootstrap_debian_extra }}"
+    - "{{ chroot_command }} /mnt apt install -y {{ bootstrap_debian_extra }}"
-    - arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data
+    - "{{ chroot_command }} /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data"
   register: bootstrap_result
   changed_when: bootstrap_result.rc == 0

roles/bootstrap/tasks/fedora.yml

@@ -15,8 +15,8 @@
         groupinstall -y critical-path-base core
     - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
     - >-
-        arch-chroot /mnt dnf --releasever=43 --setopt=install_weak_deps=False
+        {{ chroot_command }} /mnt dnf --releasever=43 --setopt=install_weak_deps=False
         install -y {{ bootstrap_fedora_extra }}
-    - arch-chroot /mnt dnf reinstall -y kernel-core
+    - "{{ chroot_command }} /mnt dnf reinstall -y kernel-core"
   register: bootstrap_result
   changed_when: bootstrap_result.rc == 0

roles/bootstrap/tasks/rhel.yml

@@ -34,12 +34,7 @@
         state: mounted
 
     - name: Rebuild RPM database inside chroot
-      ansible.builtin.command:
+      ansible.builtin.command: "{{ chroot_command }} /mnt rpm --rebuilddb"
-        argv:
-          - arch-chroot
-          - /mnt
-          - rpm
-          - --rebuilddb
       register: bootstrap_rpm_rebuild_result
       changed_when: bootstrap_rpm_rebuild_result.rc == 0
 
@@ -60,7 +55,7 @@
             | join(' ')
           }}
       ansible.builtin.command: >-
-        arch-chroot /mnt dnf --releasever={{ bootstrap_rhel_release }}
+        {{ chroot_command }} /mnt dnf --releasever={{ bootstrap_rhel_release }}
         --setopt=install_weak_deps=False install -y {{ bootstrap_rhel_extra }}
       register: bootstrap_result
       changed_when: bootstrap_result.rc == 0

roles/bootstrap/tasks/rocky.yml

@@ -15,7 +15,7 @@
         groupinstall -y base core
     - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
     - >-
-        arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False
+        {{ chroot_command }} /mnt dnf --releasever=9 --setopt=install_weak_deps=False
         install -y {{ bootstrap_rocky_extra }}
   register: bootstrap_result
   changed_when: bootstrap_result.rc == 0

roles/bootstrap/tasks/ubuntu.yml

@@ -20,8 +20,8 @@
         debootstrap --include={{ bootstrap_ubuntu_base }}
         {{ bootstrap_ubuntu_release }} /mnt http://archive.ubuntu.com/ubuntu/
     - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
-    - arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
+    - "{{ chroot_command }} /mnt sed -i '1s|$| universe|' /etc/apt/sources.list"
-    - arch-chroot /mnt apt update
+    - "{{ chroot_command }} /mnt apt update"
-    - "arch-chroot /mnt apt install -y {{ bootstrap_ubuntu_extra }}"
+    - "{{ chroot_command }} /mnt apt install -y {{ bootstrap_ubuntu_extra }}"
   register: bootstrap_result
   changed_when: bootstrap_result.rc == 0

roles/bootstrap/vars/main.yml

@@ -48,7 +48,7 @@ bootstrap_archlinux:
   - ncdu
   - networkmanager
   - nfs-utils
-  - openssh
+  - "{{ 'openssh' if ssh_enabled | bool else '' }}"
   - ppp
   - prometheus-node-exporter
   - python-psycopg2
@@ -82,7 +82,7 @@ bootstrap_debian11:
     - logrotate
     - lvm2
     - net-tools
-    - openssh-server
+    - "{{ 'openssh-server' if ssh_enabled | bool else '' }}"
     - python3
     - sudo
     - xfsprogs
@@ -153,7 +153,7 @@ bootstrap_debian12:
     - neofetch
     - net-tools
     - network-manager
-    - openssh-server
+    - "{{ 'openssh-server' if ssh_enabled | bool else '' }}"
     - python-is-python3
     - python3
     - ripgrep
@@ -208,7 +208,7 @@ bootstrap_debian13:
     - ncdu
     - net-tools
     - network-manager
-    - openssh-server
+    - "{{ 'openssh-server' if ssh_enabled | bool else '' }}"
     - python-is-python3
     - python3
     - ripgrep
@@ -412,7 +412,7 @@ bootstrap_ubuntu:
     - ncurses-term
     - net-tools
     - network-manager
-    - openssh-server
+    - "{{ 'openssh-server' if ssh_enabled | bool else '' }}"
     - python-is-python3
     - python3
     - ripgrep
@@ -475,7 +475,7 @@ bootstrap_ubuntu_lts:
     - ncurses-term
     - net-tools
     - network-manager
-    - openssh-server
+    - "{{ 'openssh-server' if ssh_enabled | bool else '' }}"
     - python-is-python3
     - python3
     - ripgrep

roles/cis/tasks/crypto.yml

@@ -1,12 +1,12 @@
 ---
 - name: Configure System Cryptography Policy
   when: os in ["almalinux", "rhel9", "rhel10", "rocky"]
-  ansible.builtin.command: arch-chroot /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
+  ansible.builtin.command: "{{ chroot_command }} /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1"
   register: cis_crypto_policy_result
   changed_when: "'Setting system-wide crypto-policies to' in cis_crypto_policy_result.stdout"
 
 - name: Mask Systemd Services
   ansible.builtin.command: >
-    arch-chroot /mnt systemctl mask nftables bluetooth rpcbind
+    {{ chroot_command }} /mnt systemctl mask nftables bluetooth rpcbind
   register: cis_mask_services_result
   changed_when: cis_mask_services_result.rc == 0

roles/configuration/tasks/bootloader.yml

@@ -18,7 +18,7 @@
           --bootloader-id={{ configuration_bootloader_id }}
         configuration_bootloader_cmd: >-
           {{ configuration_efibootmgr_cmd if configuration_use_efibootmgr else configuration_grub_cmd }}
-      ansible.builtin.command: "arch-chroot /mnt {{ configuration_bootloader_cmd }}"
+      ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_bootloader_cmd }}"
       register: configuration_bootloader_result
       changed_when: configuration_bootloader_result.rc == 0
 
@@ -43,7 +43,7 @@
               else '/usr/bin/dracut --regenerate-all --force'
             )
           }}
-      ansible.builtin.command: "arch-chroot /mnt {{ configuration_initramfs_cmd }}"
+      ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_initramfs_cmd }}"
       register: configuration_initramfs_result
       changed_when: configuration_initramfs_result.rc == 0
 
@@ -59,6 +59,6 @@
             if is_rhel | bool
             else '/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg'
           }}
-      ansible.builtin.command: "arch-chroot /mnt {{ configuration_grub_cfg_cmd }}"
+      ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_grub_cfg_cmd }}"
       register: configuration_grub_result
       changed_when: configuration_grub_result.rc == 0

roles/configuration/tasks/encryption/tpm2.yml

@@ -35,9 +35,9 @@
                if configuration_luks_tpm2_pcrs_effective | length > 0 else [])
             + [configuration_luks_device]
           }}
-        configuration_luks_enroll_chroot_args: "{{ ['arch-chroot', '/mnt'] + configuration_luks_enroll_args }}"
+        configuration_luks_enroll_chroot_cmd: >-
-      ansible.builtin.command:
+          {{ chroot_command }} /mnt {{ configuration_luks_enroll_args | join(' ') }}
-        argv: "{{ configuration_luks_enroll_chroot_args }}"
+      ansible.builtin.command: "{{ configuration_luks_enroll_chroot_cmd }}"
       register: configuration_luks_tpm2_enroll_chroot
       changed_when: configuration_luks_tpm2_enroll_chroot.rc == 0
       failed_when: false

roles/configuration/tasks/extras.yml

@@ -26,13 +26,15 @@
     mode: "0644"
 
 - name: Create zram config
-  when: os | lower not in ['debian11', 'rhel8']
+  when:
+    - os | lower not in ['debian11', 'rhel8']
+    - swap_enabled | bool
   ansible.builtin.copy:
     dest: /mnt/etc/systemd/zram-generator.conf
     content: |
       [zram0]
       zram-size  = ram / 2
-      compression-algorithm = zstd
+      compression-algorithm = {{ 'zstd' if zstd_enabled | bool else 'lz4' }}
       swap-priority = 100
       fs-type = swap
     mode: "0644"

roles/configuration/tasks/grub.yml

@@ -28,7 +28,14 @@
           }}
         configuration_grub_lvm_args_value: >-
           {{
-            ['resume=/dev/mapper/sys-swap', 'rd.lvm.lv=sys/root', 'rd.lvm.lv=sys/swap']
+            (
+              ['rd.lvm.lv=sys/root']
+              + (
+                ['rd.lvm.lv=sys/swap', 'resume=/dev/mapper/sys-swap']
+                if swap_enabled | bool
+                else []
+              )
+            )
             if (filesystem | lower) != 'btrfs'
             else []
           }}

roles/configuration/tasks/locales.yml

@@ -1,11 +1,14 @@
 ---
+- name: Reload systemd in installer environment
+  ansible.builtin.systemd:
+    daemon_reload: true
+
 - name: Set local timezone
-  ansible.builtin.command: "{{ item }}"
+  ansible.builtin.file:
-  loop:
+    src: /usr/share/zoneinfo/Europe/Vienna
-    - systemctl daemon-reload
+    dest: /mnt/etc/localtime
-    - arch-chroot /mnt ln -sf /usr/share/zoneinfo/Europe/Vienna /etc/localtime
+    state: link
-  register: configuration_timezone_result
+    force: true
-  changed_when: configuration_timezone_result.rc == 0
 
 - name: Setup locales
   block:
@@ -20,7 +23,7 @@
 
     - name: Generate locales
       when: not is_rhel | bool
-      ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen
+      ansible.builtin.command: "{{ chroot_command }} /mnt /usr/sbin/locale-gen"
       register: configuration_locale_result
       changed_when: configuration_locale_result.rc == 0
 

roles/configuration/tasks/selinux.yml

@@ -5,7 +5,7 @@
     - name: Fix SELinux by pre-labeling the filesystem before first boot
       when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and selinux | bool
       ansible.builtin.command: >
-        arch-chroot /mnt /sbin/setfiles -v -F
+        {{ chroot_command }} /mnt /sbin/setfiles -v -F
         -e /dev -e /proc -e /sys -e /run
         /etc/selinux/targeted/contexts/files/file_contexts /
       register: configuration_setfiles_result

roles/configuration/tasks/services.yml

@@ -1,11 +1,12 @@
 ---
 - name: Enable Systemd Services
   ansible.builtin.command: >
-    arch-chroot /mnt systemctl enable NetworkManager
+    {{ chroot_command }} /mnt systemctl enable NetworkManager
     {{ ' firewalld' if firewalld_enabled | bool else '' }}
     {{
-      ' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else
+      (' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else
-      (' sshd' if os | lower not in ['debian11', 'debian12', 'debian13'] else '')
+       (' sshd' if os | lower not in ['debian11', 'debian12', 'debian13'] else ''))
+      if ssh_enabled | bool else ''
     }}
     {{
       'logrotate systemd-resolved systemd-timesyncd systemd-networkd'
@@ -13,10 +14,3 @@
     }}
   register: configuration_enable_services_result
   changed_when: configuration_enable_services_result.rc == 0
-
-- name: Disable firewalld when disabled
-  when: not firewalld_enabled | bool
-  ansible.builtin.command: arch-chroot /mnt systemctl disable --now firewalld
-  register: configuration_disable_firewalld_result
-  changed_when: configuration_disable_firewalld_result.rc == 0
-  failed_when: false

roles/configuration/tasks/users.yml

@@ -4,11 +4,11 @@
     configuration_user_group: >-
       {{ "sudo" if is_debian | bool else "wheel" }}
     configuration_useradd_cmd: >-
-      arch-chroot /mnt /usr/sbin/useradd --create-home --user-group
+      {{ chroot_command }} /mnt /usr/sbin/useradd --create-home --user-group
       --groups {{ configuration_user_group }} {{ user_name }}
       --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
     configuration_root_cmd: >-
-      arch-chroot /mnt /usr/sbin/usermod --password
+      {{ chroot_command }} /mnt /usr/sbin/usermod --password
       '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
   ansible.builtin.command: "{{ item }}"
   loop:

roles/configuration/templates/network.j2

@@ -3,9 +3,6 @@ id=LAN
 uuid={{ configuration_net_uuid }}
 type=ethernet
 
-[ethernet]
-mac-address={{ configuration_net_mac }}
-
 [ipv4]
 {% set dns_value = vm_dns if vm_dns is defined else '' %}
 {% set dns_list_raw = dns_value if dns_value is iterable and dns_value is not string else dns_value.split(',') %}

roles/environment/tasks/main.yml

@@ -151,3 +151,37 @@
                 src: "{{ os | lower }}.repo.j2"
                 dest: /etc/yum.repos.d/{{ os | lower }}.repo
                 mode: "0644"
+
+    - name: Check for third-party preparation tasks
+      run_once: true
+      become: false
+      delegate_to: localhost
+      vars:
+        ansible_connection: local
+      block:
+        - name: Resolve third-party preparation task path
+          ansible.builtin.set_fact:
+            environment_thirdparty_tasks_path: >-
+              {{
+                thirdparty_preparation_tasks_path
+                if thirdparty_preparation_tasks_path | regex_search('^/')
+                else playbook_dir + '/' + thirdparty_preparation_tasks_path
+              }}
+          changed_when: false
+
+        - name: Stat third-party preparation tasks
+          ansible.builtin.stat:
+            path: "{{ environment_thirdparty_tasks_path }}"
+          register: environment_thirdparty_tasks_stat
+          changed_when: false
+
+    - name: Run third-party preparation tasks
+      when:
+        - thirdparty_preparation_tasks_path | length > 0
+        - environment_thirdparty_tasks_stat.stat.exists
+      ansible.builtin.include_tasks: >-
+        {{
+          thirdparty_preparation_tasks_path
+          if thirdparty_preparation_tasks_path | regex_search('^/')
+          else playbook_dir + '/' + thirdparty_preparation_tasks_path
+        }}

roles/global_defaults/defaults/main.yml

@@ -5,6 +5,11 @@ cis: false
 selinux: true
 vmware_ssh: false
 firewalld_enabled: true
+ssh_enabled: true
+zstd_enabled: true
+swap_enabled: true
+chroot_command: "arch-chroot"
+thirdparty_preparation_tasks_path: "dropins/preparation.yml"
 
 cis_enabled: "{{ cis | bool }}"
 

roles/global_defaults/tasks/main.yml

@@ -52,10 +52,7 @@
           install_type == "physical"
           or (
             vm_size is defined
-            and (
+            and (vm_size | int) >= 20
-              (filesystem == "btrfs" and (vm_size | int) >= 10)
-              or (filesystem != "btrfs" and (vm_size | int) >= 20)
-            )
           )
         )
       - >-
@@ -64,15 +61,19 @@
           or (
             vm_size is defined
             and vm_memory is defined
+            and filesystem is defined
             and (
-              (vm_size | float)
+              filesystem != "btrfs"
-              >= (
+              or (
-                (vm_memory | float / 1024 >= 16.0)
+                (vm_size | float)
-                | ternary(
+                >= (
-                    (vm_memory | float / 2048),
+                  (vm_memory | float / 1024 >= 16.0)
-                    [vm_memory | float / 1024, 4.0] | max
+                  | ternary(
-                  )
+                      (vm_memory | float / 2048),
-                + 16
+                      [vm_memory | float / 1024, 4.0] | max
+                    )
+                  + 5.5
+                )
               )
             )
           )

roles/partitioning/defaults/main.yml

@@ -16,12 +16,14 @@ partitioning_luks_tpm2_device: "{{ luks_tpm2_device }}"
 partitioning_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
 partitioning_luks_keyfile_size: "{{ luks_keyfile_size }}"
 partitioning_luks_options: "{{ luks_options }}"
+partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if zstd_enabled | bool else '' }}"
 partitioning_boot_partition_suffix: 1
 partitioning_main_partition_suffix: 2
 partitioning_efi_size_mib: 512
 partitioning_efi_start_mib: 1
 partitioning_efi_end_mib: "{{ (partitioning_efi_start_mib | int) + (partitioning_efi_size_mib | int) }}"
 partitioning_boot_size_mib: 1024
+partitioning_use_full_disk: true
 partitioning_separate_boot: >-
   {{
     (partitioning_luks_enabled | bool)

roles/partitioning/tasks/btrfs.yml

@@ -19,7 +19,19 @@
         path: /mnt
         src: "{{ partitioning_root_device }}"
         fstype: btrfs
-        opts: rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async
+        opts: >-
+          {{
+            [
+              'rw',
+              'relatime',
+              partitioning_btrfs_compress_opt,
+              'ssd',
+              'space_cache=v2',
+              'discard=async'
+            ]
+            | reject('equalto', '')
+            | join(',')
+          }}
         state: mounted
 
     - name: Enable quotas on Btrfs filesystem
@@ -28,7 +40,9 @@
       changed_when: false
 
     - name: Make root subvolumes
-      when: cis_enabled or item.subvol not in ['var_log_audit']
+      when:
+        - cis_enabled or item.subvol not in ['var_log_audit']
+        - swap_enabled | bool or item.subvol != 'swap'
       ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
       args:
         creates: /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
@@ -51,6 +65,7 @@
       changed_when: false
 
     - name: Create a Btrfs swap file
+      when: swap_enabled | bool
       ansible.builtin.command: >-
         btrfs filesystem mkswapfile --size {{ partitioning_swap_size_gb }}g --uuid clear /mnt/@swap/swapfile
       args:

roles/partitioning/tasks/main.yml

@@ -1,6 +1,7 @@
 ---
 - name: Detect system memory for swap sizing
   when:
+    - swap_enabled | bool
     - partitioning_vm_memory is not defined or (partitioning_vm_memory | float) <= 0
     - vm_memory is not defined or (vm_memory | float) <= 0
   block:
@@ -257,17 +258,70 @@
         pvs: "{{ partitioning_root_device }}"
 
     - name: Create LVM logical volumes
-      when: cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
+      when:
+        - cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
+        - swap_enabled | bool or item.lv != 'swap'
       vars:
+        partitioning_lvm_extent_reserve_count: 10
+        partitioning_lvm_extent_size_mib: 4
+        partitioning_lvm_extent_reserve_gb: >-
+          {{
+            (
+              (partitioning_lvm_extent_reserve_count | float)
+              * (partitioning_lvm_extent_size_mib | float)
+              / 1024
+            ) | round(2, 'ceil')
+          }}
         partitioning_lvm_swap_target_gb: >-
           {{
             (
-              ((partitioning_vm_memory_effective | float / 1024) > 16.0)
+              [
-              | ternary(
+                (partitioning_vm_memory_effective | float / 1024),
-                  (partitioning_vm_memory_effective | float / 2048) | int,
+                4
-                  (partitioning_vm_memory_effective | float / 1024)
+              ] | max | float
-                )
+            )
-            ) | float
+            if swap_enabled | bool
+            else 0
+          }}
+        partitioning_lvm_swap_cap_gb: >-
+          {{
+            (
+              4
+              + [
+                (partitioning_vm_size_effective | float) - 20,
+                0
+              ] | max
+            )
+            if swap_enabled | bool
+            else 0
+          }}
+        partitioning_lvm_swap_target_effective_gb: >-
+          {{
+            (
+              [
+                partitioning_lvm_swap_target_gb,
+                partitioning_lvm_swap_cap_gb
+              ] | min
+            )
+            if swap_enabled | bool
+            else 0
+          }}
+        partitioning_lvm_swap_max_gb: >-
+          {{
+            (
+              [
+                (
+                  (partitioning_vm_size_effective | float)
+                  - (partitioning_reserved_gb | float)
+                  - (cis_enabled | ternary(7.5, 0))
+                  - partitioning_lvm_extent_reserve_gb
+                  - 4
+                ),
+                0
+              ] | max
+            )
+            if swap_enabled | bool
+            else 0
           }}
         partitioning_lvm_available_gb: >-
           {{
@@ -275,10 +329,15 @@
               (partitioning_vm_size_effective | float)
               - (partitioning_reserved_gb | float)
               - (cis_enabled | ternary(7.5, 0))
-              - partitioning_lvm_swap_target_gb
+              - partitioning_lvm_extent_reserve_gb
+              - partitioning_lvm_swap_target_effective_gb
             ) | float
           }}
-        partitioning_lvm_root_gb: >-
+        partitioning_lvm_home_gb: >-
+          {{
+            ([([(((partitioning_vm_size_effective | float) - 20) * 0.1), 2] | max), 20] | min)
+          }}
+        partitioning_lvm_root_default_gb: >-
           {{
             [
               (
@@ -300,15 +359,37 @@
           }}
         partitioning_lvm_swap_gb: >-
           {{
-            ((partitioning_lvm_available_gb | float) < 4)
+            (
-            | ternary(
+              [
-                (
+                partitioning_lvm_swap_target_effective_gb,
-                  (partitioning_lvm_available_gb | float)
+                partitioning_lvm_swap_max_gb
-                  + (partitioning_lvm_swap_target_gb | float)
+              ] | min | round(2, 'floor')
-                  - 4
+            )
-                ),
+            if swap_enabled | bool
-                partitioning_lvm_swap_target_gb
+            else 0
-              )
+          }}
+        partitioning_lvm_root_full_gb: >-
+          {{
+            [
+              (
+                (partitioning_vm_size_effective | float)
+                - (partitioning_reserved_gb | float)
+                - (partitioning_lvm_swap_gb | float)
+                - partitioning_lvm_extent_reserve_gb
+                - (
+                    (partitioning_lvm_home_gb | float) + 5.5
+                    if cis_enabled
+                    else 0
+                  )
+              ),
+              4
+            ] | max | round(2, 'floor')
+          }}
+        partitioning_lvm_root_gb: >-
+          {{
+            partitioning_lvm_root_full_gb
+            if partitioning_use_full_disk | bool
+            else partitioning_lvm_root_default_gb
           }}
       community.general.lvol:
         vg: sys
@@ -321,7 +402,7 @@
         - lv: swap
           size: "{{ partitioning_lvm_swap_gb | string + 'G' }}"
         - lv: home
-          size: "{{ ([([(((partitioning_vm_size_effective | float) - 20) * 0.1), 2] | max), 20] | min) | string + 'G' }}"
+          size: "{{ partitioning_lvm_home_gb | string + 'G' }}"
         - {lv: var, size: "2G"}
         - {lv: var_log, size: "2G"}
         - {lv: var_log_audit, size: "1.5G"}
@@ -354,7 +435,9 @@
       changed_when: partitioning_boot_ext4_tune_result.rc == 0
 
     - name: Create swap filesystem
-      when: filesystem != 'btrfs'
+      when:
+        - filesystem != 'btrfs'
+        - swap_enabled | bool
       community.general.filesystem:
         fstype: swap
         dev: /dev/sys/swap
@@ -379,28 +462,86 @@
       register: partitioning_main_uuid
       changed_when: false
 
-    - name: Get UUIDs for LVM filesystems
+    - name: Get UUID for LVM root filesystem
-      when: filesystem != 'btrfs' and (cis_enabled or item not in ['home', 'var', 'var_log', 'var_log_audit'])
+      when: filesystem != 'btrfs'
-      ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }}
+      ansible.builtin.command: blkid -s UUID -o value /dev/sys/root
-      loop:
+      register: partitioning_uuid_root_result
-        - root
+      changed_when: false
-        - swap
+
-        - home
+    - name: Get UUID for LVM swap filesystem
-        - var
+      when:
-        - var_log
+        - filesystem != 'btrfs'
-        - var_log_audit
+        - swap_enabled | bool
-      register: partitioning_uuid_result
+      ansible.builtin.command: blkid -s UUID -o value /dev/sys/swap
+      register: partitioning_uuid_swap_result
+      changed_when: false
+
+    - name: Get UUID for LVM home filesystem
+      when:
+        - filesystem != 'btrfs'
+        - cis_enabled
+      ansible.builtin.command: blkid -s UUID -o value /dev/sys/home
+      register: partitioning_uuid_home_result
+      changed_when: false
+
+    - name: Get UUID for LVM var filesystem
+      when:
+        - filesystem != 'btrfs'
+        - cis_enabled
+      ansible.builtin.command: blkid -s UUID -o value /dev/sys/var
+      register: partitioning_uuid_var_result
+      changed_when: false
+
+    - name: Get UUID for LVM var_log filesystem
+      when:
+        - filesystem != 'btrfs'
+        - cis_enabled
+      ansible.builtin.command: blkid -s UUID -o value /dev/sys/var_log
+      register: partitioning_uuid_var_log_result
+      changed_when: false
+
+    - name: Get UUID for LVM var_log_audit filesystem
+      when:
+        - filesystem != 'btrfs'
+        - cis_enabled
+      ansible.builtin.command: blkid -s UUID -o value /dev/sys/var_log_audit
+      register: partitioning_uuid_var_log_audit_result
       changed_when: false
 
     - name: Assign UUIDs to Variables
       when: filesystem != 'btrfs'
       ansible.builtin.set_fact:
-        partitioning_uuid_root: "{{ partitioning_uuid_result.results[0].stdout_lines }}"
+        partitioning_uuid_root: "{{ partitioning_uuid_root_result.stdout_lines | default([]) }}"
-        partitioning_uuid_swap: "{{ partitioning_uuid_result.results[1].stdout_lines }}"
+        partitioning_uuid_swap: >-
-        partitioning_uuid_home: "{{ partitioning_uuid_result.results[2].stdout_lines if cis_enabled else '' }}"
+          {{
-        partitioning_uuid_var: "{{ partitioning_uuid_result.results[3].stdout_lines if cis_enabled else '' }}"
+            partitioning_uuid_swap_result.stdout_lines | default([])
-        partitioning_uuid_var_log: "{{ partitioning_uuid_result.results[4].stdout_lines if cis_enabled else '' }}"
+            if swap_enabled | bool
-        partitioning_uuid_var_log_audit: "{{ partitioning_uuid_result.results[5].stdout_lines if cis_enabled else '' }}"
+            else ''
+          }}
+        partitioning_uuid_home: >-
+          {{
+            partitioning_uuid_home_result.stdout_lines | default([])
+            if cis_enabled
+            else ''
+          }}
+        partitioning_uuid_var: >-
+          {{
+            partitioning_uuid_var_result.stdout_lines | default([])
+            if cis_enabled
+            else ''
+          }}
+        partitioning_uuid_var_log: >-
+          {{
+            partitioning_uuid_var_log_result.stdout_lines | default([])
+            if cis_enabled
+            else ''
+          }}
+        partitioning_uuid_var_log_audit: >-
+          {{
+            partitioning_uuid_var_log_audit_result.stdout_lines | default([])
+            if cis_enabled
+            else ''
+          }}
 
 - name: Mount filesystems
   block:
@@ -415,6 +556,7 @@
             )
         - >-
             not (item.path in ['/swap', '/var/cache/pacman/pkg'] and filesystem != 'btrfs')
+        - swap_enabled | bool or item.path != '/swap'
       ansible.posix.mount:
         path: /mnt{{ item.path }}
         src: "{{ 'UUID=' + (partitioning_main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}"
@@ -429,17 +571,17 @@
               'defaults'
               if filesystem != 'btrfs'
               else [
-                'rw', 'relatime', 'compress=zstd:15', 'ssd', 'space_cache=v2',
+                'rw', 'relatime', partitioning_btrfs_compress_opt, 'ssd', 'space_cache=v2',
                 'discard=async', 'subvol=@'
-              ] | join(',')
+              ] | reject('equalto', '') | join(',')
             }}
         - path: /swap
           opts: >-
             {{
               [
-                'rw', 'nosuid', 'nodev', 'relatime', 'compress=zstd:15', 'ssd',
+                'rw', 'nosuid', 'nodev', 'relatime', partitioning_btrfs_compress_opt, 'ssd',
                 'space_cache=v2', 'discard=async', 'subvol=@swap'
-              ] | join(',')
+              ] | reject('equalto', '') | join(',')
             }}
         - path: /home
           uuid: "{{ partitioning_uuid_home[0] | default(omit) }}"
@@ -448,9 +590,9 @@
               'defaults,nosuid,nodev'
               if filesystem != 'btrfs'
               else [
-                'rw', 'nosuid', 'nodev', 'relatime', 'compress=zstd:15', 'ssd',
+                'rw', 'nosuid', 'nodev', 'relatime', partitioning_btrfs_compress_opt, 'ssd',
                 'space_cache=v2', 'discard=async', 'subvol=@home'
-              ] | join(',')
+              ] | reject('equalto', '') | join(',')
             }}
         - path: /var
           uuid: "{{ partitioning_uuid_var[0] | default(omit) }}"
@@ -459,9 +601,9 @@
               'defaults,nosuid,nodev'
               if filesystem != 'btrfs'
               else [
-                'rw', 'nosuid', 'nodev', 'relatime', 'compress=zstd:15', 'ssd',
+                'rw', 'nosuid', 'nodev', 'relatime', partitioning_btrfs_compress_opt, 'ssd',
                 'space_cache=v2', 'discard=async', 'subvol=@var'
-              ] | join(',')
+              ] | reject('equalto', '') | join(',')
             }}
         - path: /var/log
           uuid: "{{ partitioning_uuid_var_log[0] | default(omit) }}"
@@ -470,9 +612,9 @@
               'defaults,nosuid,nodev,noexec'
               if filesystem != 'btrfs'
               else [
-                'rw', 'nosuid', 'nodev', 'noexec', 'relatime', 'compress=zstd:15',
+                'rw', 'nosuid', 'nodev', 'noexec', 'relatime', partitioning_btrfs_compress_opt,
                 'ssd', 'space_cache=v2', 'discard=async', 'subvol=@var_log'
-              ] | join(',')
+              ] | reject('equalto', '') | join(',')
             }}
         - path: /var/cache/pacman/pkg
           uuid: "{{ partitioning_uuid_root | default([]) | first | default(omit) }}"
@@ -481,9 +623,9 @@
               'defaults,nosuid,nodev,noexec'
               if filesystem != 'btrfs'
               else [
-                'rw', 'nosuid', 'nodev', 'noexec', 'relatime', 'compress=zstd:15',
+                'rw', 'nosuid', 'nodev', 'noexec', 'relatime', partitioning_btrfs_compress_opt,
                 'ssd', 'space_cache=v2', 'discard=async', 'subvol=@pkg'
-              ] | join(',')
+              ] | reject('equalto', '') | join(',')
             }}
         - path: /var/log/audit
           uuid: "{{ partitioning_uuid_var_log_audit[0] | default(omit) }}"
@@ -492,9 +634,9 @@
               'defaults,nosuid,nodev,noexec'
               if filesystem != 'btrfs'
               else [
-                'rw', 'nosuid', 'nodev', 'noexec', 'relatime', 'compress=zstd:15',
+                'rw', 'nosuid', 'nodev', 'noexec', 'relatime', partitioning_btrfs_compress_opt,
                 'ssd', 'space_cache=v2', 'discard=async', 'subvol=@var_log_audit'
-              ] | join(',')
+              ] | reject('equalto', '') | join(',')
             }}
 
     - name: Mount /boot filesystem
@@ -514,6 +656,7 @@
         state: mounted
 
     - name: Activate swap
+      when: swap_enabled | bool
       vars:
         partitioning_swap_cmd: >-
           {{ 'swapon /mnt/swap/swapfile' if filesystem == 'btrfs' else 'swapon -U ' + partitioning_uuid_swap[0] }}