sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sandwich:b72816e9854f9cbcd47d51daa0f4ca148a4bfc1e
Branches Tags
sandwich:master
...
compare: sandwich:fb69c96e4aeb888133aba3c63eace0079aa3c2a1
Branches Tags
sandwich:master

7 Commits
b72816e985 ... fb69c96e4a

Author SHA1 Message Date
Sandwich
fb69c96e4a chore(bootstrap): update ubuntu non-lts codename to questing (25.10) 2026-02-22 03:08:54 +01:00
Sandwich
d586c087f8 fix(global_defaults): add missing ssh.enabled validation assertion 2026-02-22 03:08:31 +01:00
Sandwich
9dd71b2559 fix(global_defaults): correct fedora version upper bound to 43 2026-02-22 03:08:23 +01:00
Sandwich
35f1702447 feat(global_defaults): add root.shell to system schema and normalization 2026-02-22 03:07:30 +01:00
Sandwich
8b18fbdb4c refactor(cleanup): remove duplicated libvirt path vars, reuse virtualization defaults 2026-02-22 03:07:04 +01:00
Sandwich
909a0a6021 refactor(bootstrap,configuration): rename validation-only _normalize.yml files 2026-02-22 03:06:34 +01:00
Sandwich
2f3fce42b5 fix(partitioning): add | bool to all system_cfg.features.cis.enabled checks 2026-02-22 03:06:13 +01:00
17 changed files with 30 additions and 37 deletions
Expand all files Collapse all files

0
roles/bootstrap/tasks/_normalize.yml → roles/bootstrap/tasks/_validate.yml
View File

4
roles/bootstrap/tasks/main.yml
View File

@@ -1,6 +1,6 @@
--- ---
- name: Normalize bootstrap - name: Validate bootstrap input
ansible.builtin.import_tasks: _normalize.yml ansible.builtin.import_tasks: _validate.yml
- name: Create API filesystem mountpoints in installroot - name: Create API filesystem mountpoints in installroot
when: os_family == 'RedHat' when: os_family == 'RedHat'

2
roles/bootstrap/tasks/ubuntu.yml
View File

@@ -3,7 +3,7 @@
vars: vars:
# ubuntu = latest non-LTS, ubuntu-lts = latest LTS # ubuntu = latest non-LTS, ubuntu-lts = latest LTS
bootstrap_ubuntu_release_map: bootstrap_ubuntu_release_map:
ubuntu: plucky ubuntu: questing
ubuntu-lts: noble ubuntu-lts: noble
bootstrap_ubuntu_release: "{{ bootstrap_ubuntu_release_map[os] | default('noble') }}" bootstrap_ubuntu_release: "{{ bootstrap_ubuntu_release_map[os] | default('noble') }}"
_config: "{{ lookup('vars', bootstrap_var_key) }}" _config: "{{ lookup('vars', bootstrap_var_key) }}"

10
roles/cleanup/defaults/main.yml
View File

@@ -3,13 +3,3 @@
cleanup_verify_boot: true cleanup_verify_boot: true
cleanup_boot_timeout: 300 cleanup_boot_timeout: 300
cleanup_remove_on_failure: true cleanup_remove_on_failure: true
# Libvirt paths
cleanup_libvirt_image_dir: >-
{{
system_cfg.path
if system_cfg is defined and (system_cfg.path | string | length) > 0
else '/var/lib/libvirt/images'
}}
cleanup_libvirt_cloudinit_path: >-
{{ [cleanup_libvirt_image_dir, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}

2
roles/cleanup/tasks/libvirt.yml
View File

@@ -85,7 +85,7 @@
- name: Remove cloud-init disk - name: Remove cloud-init disk
ansible.builtin.file: ansible.builtin.file:
path: "{{ cleanup_libvirt_cloudinit_path }}" path: "{{ virtualization_libvirt_cloudinit_path }}"
state: absent state: absent
- name: Ensure VM is powered off before restart - name: Ensure VM is powered off before restart

0
roles/configuration/tasks/_normalize.yml → roles/configuration/tasks/_resolve_platform.yml
View File

4
roles/configuration/tasks/main.yml
View File

@@ -1,6 +1,6 @@
--- ---
- name: Normalize configuration - name: Resolve platform configuration
ansible.builtin.import_tasks: _normalize.yml ansible.builtin.import_tasks: _resolve_platform.yml
- name: Include configuration tasks - name: Include configuration tasks
when: configuration_task.when | default(true) when: configuration_task.when | default(true)

2
roles/configuration/tasks/users.yml
View File

@@ -11,7 +11,7 @@
- name: Set root shell - name: Set root shell
ansible.builtin.command: >- ansible.builtin.command: >-
{{ chroot_command }} /usr/sbin/usermod --shell {{ system_cfg.root.shell | default('/bin/bash') }} root {{ chroot_command }} /usr/sbin/usermod --shell {{ system_cfg.root.shell }} root
register: configuration_root_shell_result register: configuration_root_shell_result
changed_when: configuration_root_shell_result.rc == 0 changed_when: configuration_root_shell_result.rc == 0

1
roles/global_defaults/defaults/main.yml
View File

@@ -87,6 +87,7 @@ system_defaults:
users: [] users: []
root: root:
password: "" password: ""
shell: "/bin/bash"
luks: luks:
enabled: false enabled: false
passphrase: "" passphrase: ""

1
roles/global_defaults/tasks/_normalize_system.yml
View File

@@ -84,6 +84,7 @@
users: "{{ system_raw.users | default([]) }}" users: "{{ system_raw.users | default([]) }}"
root: root:
password: "{{ system_raw.root.password | string }}" password: "{{ system_raw.root.password | string }}"
shell: "{{ system_raw.root.shell | default('/bin/bash') | string }}"
# --- LUKS disk encryption --- # --- LUKS disk encryption ---
luks: luks:
enabled: "{{ system_raw.luks.enabled | bool }}" enabled: "{{ system_raw.luks.enabled | bool }}"

3
roles/global_defaults/tasks/validation.yml
View File

@@ -123,7 +123,7 @@
or ( or (
os == "debian" and (os_version | string) in ["10", "11", "12", "13", "unstable"] os == "debian" and (os_version | string) in ["10", "11", "12", "13", "unstable"]
) or ( ) or (
os == "fedora" and (os_version | int) >= 38 and (os_version | int) <= 45 os == "fedora" and (os_version | int) >= 38 and (os_version | int) <= 43
) or ( ) or (
os in ["rocky", "almalinux"] os in ["rocky", "almalinux"]
and (os_version | string) is match("^(8|9|10)(\\.\\d+)?$") and (os_version | string) is match("^(8|9|10)(\\.\\d+)?$")
@@ -206,6 +206,7 @@
- system_cfg.features.firewall.toolkit is defined - system_cfg.features.firewall.toolkit is defined
- system_cfg.features.firewall.toolkit in ["iptables", "nftables"] - system_cfg.features.firewall.toolkit in ["iptables", "nftables"]
- system_cfg.features.firewall.enabled is defined - system_cfg.features.firewall.enabled is defined
- system_cfg.features.ssh.enabled is defined
- system_cfg.features.banner.motd is defined - system_cfg.features.banner.motd is defined
- system_cfg.features.banner.sudo is defined - system_cfg.features.banner.sudo is defined
- system_cfg.luks.enabled is defined - system_cfg.luks.enabled is defined

16
roles/partitioning/tasks/_create_filesystems.yml
View File

@@ -77,7 +77,7 @@
- name: Get UUID for LVM home filesystem - name: Get UUID for LVM home filesystem
when: when:
- system_cfg.filesystem != 'btrfs' - system_cfg.filesystem != 'btrfs'
- system_cfg.features.cis.enabled - system_cfg.features.cis.enabled | bool
ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/home ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/home
register: partitioning_uuid_home_result register: partitioning_uuid_home_result
changed_when: false changed_when: false
@@ -86,7 +86,7 @@
- name: Get UUID for LVM var filesystem - name: Get UUID for LVM var filesystem
when: when:
- system_cfg.filesystem != 'btrfs' - system_cfg.filesystem != 'btrfs'
- system_cfg.features.cis.enabled - system_cfg.features.cis.enabled | bool
ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/var ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/var
register: partitioning_uuid_var_result register: partitioning_uuid_var_result
changed_when: false changed_when: false
@@ -95,7 +95,7 @@
- name: Get UUID for LVM var_log filesystem - name: Get UUID for LVM var_log filesystem
when: when:
- system_cfg.filesystem != 'btrfs' - system_cfg.filesystem != 'btrfs'
- system_cfg.features.cis.enabled - system_cfg.features.cis.enabled | bool
ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/var_log ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/var_log
register: partitioning_uuid_var_log_result register: partitioning_uuid_var_log_result
changed_when: false changed_when: false
@@ -104,7 +104,7 @@
- name: Get UUID for LVM var_log_audit filesystem - name: Get UUID for LVM var_log_audit filesystem
when: when:
- system_cfg.filesystem != 'btrfs' - system_cfg.filesystem != 'btrfs'
- system_cfg.features.cis.enabled - system_cfg.features.cis.enabled | bool
ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/var_log_audit ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/var_log_audit
register: partitioning_uuid_var_log_audit_result register: partitioning_uuid_var_log_audit_result
changed_when: false changed_when: false
@@ -123,24 +123,24 @@
partitioning_uuid_home: >- partitioning_uuid_home: >-
{{ {{
partitioning_uuid_home_result.stdout_lines | default([]) partitioning_uuid_home_result.stdout_lines | default([])
if system_cfg.features.cis.enabled if system_cfg.features.cis.enabled | bool
else [] else []
}} }}
partitioning_uuid_var: >- partitioning_uuid_var: >-
{{ {{
partitioning_uuid_var_result.stdout_lines | default([]) partitioning_uuid_var_result.stdout_lines | default([])
if system_cfg.features.cis.enabled if system_cfg.features.cis.enabled | bool
else [] else []
}} }}
partitioning_uuid_var_log: >- partitioning_uuid_var_log: >-
{{ {{
partitioning_uuid_var_log_result.stdout_lines | default([]) partitioning_uuid_var_log_result.stdout_lines | default([])
if system_cfg.features.cis.enabled if system_cfg.features.cis.enabled | bool
else [] else []
}} }}
partitioning_uuid_var_log_audit: >- partitioning_uuid_var_log_audit: >-
{{ {{
partitioning_uuid_var_log_audit_result.stdout_lines | default([]) partitioning_uuid_var_log_audit_result.stdout_lines | default([])
if system_cfg.features.cis.enabled if system_cfg.features.cis.enabled | bool
else [] else []
}} }}

8
roles/partitioning/tasks/_create_lvm.yml
View File

@@ -29,7 +29,7 @@
- name: Create LVM logical volumes - name: Create LVM logical volumes
when: when:
- system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] - system_cfg.features.cis.enabled | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
- system_cfg.features.swap.enabled | bool or item.lv != 'swap' - system_cfg.features.swap.enabled | bool or item.lv != 'swap'
vars: vars:
partitioning_lvm_extent_reserve_count: 10 partitioning_lvm_extent_reserve_count: 10
@@ -84,7 +84,7 @@
( (
(partitioning_disk_size_gb | float) (partitioning_disk_size_gb | float)
- (partitioning_reserved_gb | float) - (partitioning_reserved_gb | float)
- (system_cfg.features.cis.enabled | ternary(partitioning_cis_reserved_gb | float, 0)) - (system_cfg.features.cis.enabled | bool | ternary(partitioning_cis_reserved_gb | float, 0))
- partitioning_lvm_extent_reserve_gb - partitioning_lvm_extent_reserve_gb
- 4 - 4
), ),
@@ -99,7 +99,7 @@
( (
(partitioning_disk_size_gb | float) (partitioning_disk_size_gb | float)
- (partitioning_reserved_gb | float) - (partitioning_reserved_gb | float)
- (system_cfg.features.cis.enabled | ternary(partitioning_cis_reserved_gb | float, 0)) - (system_cfg.features.cis.enabled | bool | ternary(partitioning_cis_reserved_gb | float, 0))
- partitioning_lvm_extent_reserve_gb - partitioning_lvm_extent_reserve_gb
- partitioning_lvm_swap_target_limited_gb - partitioning_lvm_swap_target_limited_gb
) | float ) | float
@@ -160,7 +160,7 @@
+ (partitioning_lvm_var_gb | float) + (partitioning_lvm_var_gb | float)
+ (partitioning_lvm_var_log_gb | float) + (partitioning_lvm_var_log_gb | float)
+ (partitioning_lvm_var_log_audit_gb | float) + (partitioning_lvm_var_log_audit_gb | float)
if system_cfg.features.cis.enabled if system_cfg.features.cis.enabled | bool
else 0 else 0
) )
), ),

4
roles/partitioning/tasks/_mount.yml
View File

@@ -7,8 +7,8 @@
- name: Mount filesystems and subvolumes - name: Mount filesystems and subvolumes
when: when:
- >- - >-
system_cfg.features.cis.enabled or ( system_cfg.features.cis.enabled | bool or (
not system_cfg.features.cis.enabled and ( not (system_cfg.features.cis.enabled | bool) and (
(system_cfg.filesystem == 'btrfs' and item.path in ['/home', '/var/log', '/var/cache/pacman/pkg']) (system_cfg.filesystem == 'btrfs' and item.path in ['/home', '/var/log', '/var/cache/pacman/pkg'])
or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit', '/var/cache/pacman/pkg']) or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit', '/var/cache/pacman/pkg'])
) )

4
roles/partitioning/tasks/btrfs.yml
View File

@@ -41,7 +41,7 @@
- name: Make root subvolumes - name: Make root subvolumes
when: when:
- system_cfg.features.cis.enabled or item.subvol not in ['var_log_audit'] - system_cfg.features.cis.enabled | bool or item.subvol not in ['var_log_audit']
- system_cfg.features.swap.enabled | bool or item.subvol != 'swap' - system_cfg.features.swap.enabled | bool or item.subvol != 'swap'
ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
args: args:
@@ -59,7 +59,7 @@
register: partitioning_btrfs_subvol_result register: partitioning_btrfs_subvol_result
- name: Set quotas for subvolumes - name: Set quotas for subvolumes
when: system_cfg.features.cis.enabled when: system_cfg.features.cis.enabled | bool
ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
loop: loop:
- { subvol: home, quota: "{{ partitioning_btrfs_home_quota }}" } - { subvol: home, quota: "{{ partitioning_btrfs_home_quota }}" }

4
roles/partitioning/tasks/ext4.yml
View File

@@ -1,6 +1,6 @@
--- ---
- name: Create and format ext4 logical volumes - name: Create and format ext4 logical volumes
when: system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] when: system_cfg.features.cis.enabled | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
community.general.filesystem: community.general.filesystem:
dev: /dev/{{ partitioning_vg_name }}/{{ item.lv }} dev: /dev/{{ partitioning_vg_name }}/{{ item.lv }}
fstype: ext4 fstype: ext4
@@ -17,7 +17,7 @@
- name: Remove Unsupported features for older Systems - name: Remove Unsupported features for older Systems
when: > when: >
(os in ['almalinux', 'rocky', 'rhel'] or (os == 'debian' and (os_version | string) == '11')) (os in ['almalinux', 'rocky', 'rhel'] or (os == 'debian' and (os_version | string) == '11'))
and (system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']) and (system_cfg.features.cis.enabled | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'])
ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/{{ partitioning_vg_name }}/{{ item.lv }}" ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/{{ partitioning_vg_name }}/{{ item.lv }}"
loop: loop:
- { lv: root } - { lv: root }

2
roles/partitioning/tasks/xfs.yml
View File

@@ -1,6 +1,6 @@
--- ---
- name: Create and format XFS logical volumes - name: Create and format XFS logical volumes
when: system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] when: system_cfg.features.cis.enabled | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
community.general.filesystem: community.general.filesystem:
dev: /dev/{{ partitioning_vg_name }}/{{ item.lv }} dev: /dev/{{ partitioning_vg_name }}/{{ item.lv }}
fstype: xfs fstype: xfs