chore(lint): suppress var-naming for user-facing API dicts

.ansible-lint

@@ -1,4 +1,5 @@
 skip_list:
   - run-once
+  - var-naming[no-role-prefix] # user-facing API dicts (cis, system, hypervisor) are intentionally not role-prefixed
 exclude_paths:
   - roles/global_defaults/

roles/cis/defaults/main.yml

@@ -84,6 +84,8 @@ cis_defaults:
 cis_fusermount_binary: "{{ 'fusermount3' if is_rhel | default(false) | bool else 'fusermount' }}"
 cis_write_binary: "{{ 'write' if is_rhel | default(false) | bool else 'wall' }}"
 
+cis: {}
+
 cis_permission_targets:
   - { path: "/mnt/etc/ssh/sshd_config", mode: "0600" }
   - { path: "/mnt/etc/cron.hourly", mode: "0700" }

roles/cis/tasks/_normalize.yml

@@ -1,4 +1,10 @@
 ---
-- name: Build cis_cfg from defaults and user overrides
+- name: Normalize CIS input
   ansible.builtin.set_fact:
-    cis_cfg: "{{ cis_defaults | combine(cis | default({}), recursive=true) }}"
+    cis_enabled: "{{ cis is defined and (cis is mapping or cis | bool) }}"
+    cis_input: "{{ cis if cis is mapping else {} }}"
+
+- name: Normalize CIS configuration
+  when: cis_enabled and cis_cfg is not defined
+  ansible.builtin.set_fact:
+    cis_cfg: "{{ cis_defaults | combine(cis_input, recursive=True) }}"

roles/cis/tasks/main.yml

@@ -1,7 +1,10 @@
 ---
 - name: Normalize CIS configuration
-  ansible.builtin.include_tasks: _normalize.yml
+  ansible.builtin.import_tasks: _normalize.yml
 
+- name: Apply CIS hardening
+  when: cis_enabled
+  block:
     - name: Include CIS hardening tasks
       ansible.builtin.include_tasks: "{{ cis_task }}"
       loop:

roles/configuration/tasks/encryption.yml

@@ -35,7 +35,6 @@
         configuration_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"
         configuration_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
         configuration_luks_keyfile_path: "/etc/cryptsetup-keys.d/{{ system_cfg.luks.mapper }}.key"
-      changed_when: false
 
     - name: Validate LUKS UUID is available
       ansible.builtin.assert:
@@ -245,7 +244,6 @@
           }}
       ansible.builtin.set_fact:
         configuration_kernel_cmdline_new: "{{ kernel_cmdline_new }}"
-      changed_when: false
 
     - name: Write kernel cmdline with LUKS args
       when: is_rhel | bool

roles/configuration/tasks/grub.yml

@@ -62,7 +62,6 @@
       ansible.builtin.set_fact:
         configuration_grub_cmdline_linux_base: "{{ grub_cmdline_linux_base }}"
         configuration_kernel_cmdline_base: "{{ grub_kernel_cmdline_base }}"
-      changed_when: false
 
     - name: Check if grub defaults file exists
       ansible.builtin.stat:

roles/global_defaults/defaults/main.yml

@@ -44,7 +44,7 @@ system_defaults:
   type: "virtual" # virtual|physical
   os: ""
   version: ""
-  filesystem: ""
+  filesystem: "ext4"
   name: ""
   id: ""
   cpus: 0

roles/global_defaults/tasks/validation.yml

@@ -333,15 +333,11 @@
 - name: Validate disk mount definitions
   when: system_cfg.disks is defined
   vars:
-    reserved_mounts:
+    reserved_mounts: >-
-      - /boot
+      {{
-      - /boot/efi
+        ['/boot', '/boot/efi', '/home', '/var', '/var/log', '/var/log/audit']
-      - /home
+        + (['/var/cache/pacman/pkg'] if os == 'archlinux' else [])
-      - /swap
+      }}
-      - /var
-      - /var/cache/pacman/pkg
-      - /var/log
-      - /var/log/audit
     disk_mount: "{{ (item.mount.path | default('') | string) | trim }}"
     disk_fstype: "{{ (item.mount.fstype | default('') | string) | trim }}"
     disk_device: "{{ (item.device | default('') | string) | trim }}"