Align ESP sizing to full 512 MiB

Mount Debian ESP on /boot/efi without LUKS
Drop vars.yml usage
2026-01-02 15:10:35 +01:00 · 2026-01-02 15:10:35 +01:00 · 2026-01-02 15:10:35 +01:00 · 2026-01-02 15:10:34 +01:00 · 2026-01-02 15:10:34 +01:00 · 2026-01-02 15:10:34 +01:00
42 changed files with 608 additions and 389 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,2 +1,4 @@
 skip_list:
  - run-once
+exclude_paths:
+  - roles/global_defaults/
--- a/README.md
+++ b/README.md
@@ -51,20 +51,21 @@ The playbook uses the ArchLinux ISO as a foundational tool to provides an effici

 ## 2. Global Variables

-Global variables apply across your Ansible project and are loaded from `vars.yml` by default. These variables define common settings such as hypervisor connection details and the boot ISO path. They can be overridden by inventory variables for specific hosts or VMs if needed.
+Global variables apply across your Ansible project and can be supplied via inventory or `-e @vars_example.yml`. These variables define common settings such as hypervisor connection details and the boot ISO path. They can be overridden by inventory variables for specific hosts or VMs if needed.

 ### 2.1 Core Provisioning

 | Variable                | Description                                                | Example Value                             |
 | ----------------------- | ---------------------------------------------------------- | ----------------------------------------- |
 | `install_type`          | Type of installation.                                      | `virtual`, `physical`                     |
-| `hypervisor`            | Type of hypervisor.                                        | `libvirt`, `proxmox`, `vmware`, `none`    |
+| `hypervisor`            | Type of hypervisor (required for virtual installs).        | `libvirt`, `proxmox`, `vmware`, `none`    |
 | `install_drive`         | Drive where the system will be installed.                  | `/dev/sda`                                |
 | `boot_iso`              | Path to the boot ISO image.                                | `local-btrfs:iso/archlinux-x86_64.iso`    |
 | `rhel_iso`              | Path to the RHEL ISO file, required for RHEL 8/9/10.        | `local-btrfs:iso/rhel-9.4-x86_64-dvd.iso` |
 | `custom_iso` (optional) | Skip ArchISO checks and pacman setup on installer media.   | `true`, `false (default)`                 |
-| `cis` (optional)        | Adjusts the installation to be CIS level 3 conformant.     | `true`, `false`                           |
-| `selinux` (optional)    | Toggle SELinux where supported.                            | `true`, `false`                           |
+| `cis` (optional)        | Adjusts the installation to be CIS level 3 conformant.     | `true`, `false (default)`                 |
+| `selinux` (optional)    | Toggle SELinux where supported.                            | `true (default)`, `false`                 |
+| `firewalld_enabled` (optional) | Toggle firewalld package/service enablement.        | `true (default)`, `false`                 |

 ### 2.2 Hypervisor Access (virtual installs)

@@ -78,7 +79,7 @@ Global variables apply across your Ansible project and are loaded from `vars.yml
 | `hypervisor_node`       | Hypervisor node name.                                      | `node01`             |
 | `hypervisor_storage`    | Storage identifier for VM disks.                           | `local-btrfs`        |
 | `vm_path` (optional)    | Libvirt image dir or VMware folder path.                   | `/var/lib/libvirt/images` |
-| `vmware_ssh`            | If Ansible should use SSH after base VMware setup.         | `true`, `false`      |
+| `vmware_ssh`            | If Ansible should use SSH after base VMware setup.         | `true`, `false (default)`      |
 | `vlan_name` (optional)  | VLAN for the VM's network interface.                       | `vlan100`            |
 | `note` (optional)       | VMware VM annotation.                                      | `Provisioned by Ansible` |

@@ -161,7 +162,7 @@ These are prompted by default via `vars_prompt` in `main.yml`, but can be suppli
 | `vm_id`     | Unique identifier for the VM.     | `101`         |
 | `vm_size`   | Disk size allocated in GB.        | `20`          |
 | `vm_memory` | Amount of memory in MB.           | `2048`        |
-| `vm_cpus`   | Number of CPU cores.              | `4`           |
+| `vm_cpus`   | Number of CPU cores (virtual installs). | `4`      |
 | `vm_ballo`  | Ballooning memory size (optional).| `2048`        |

 ### 3.5 Post-install Packages
@@ -178,27 +179,28 @@ Before running the playbook, ensure you have Ansible installed and configured co

 ### 4.2 Running the Playbook

-Execute the playbook using the `ansible-playbook` command, ensuring that all necessary variables are defined, typically by specifying a `vars.yml` file containing the required configurations.
+Execute the playbook using the `ansible-playbook` command, ensuring that all necessary variables are defined, typically by specifying a vars file (such as `vars_example.yml`) containing the required configurations.

 ### 4.3 Example Usage

-An effective way to use the playbook involves defining all necessary configurations within a `vars.yml` file. This file should include all relevant global variables tailored to your specific deployment requirements. Additionally, you should prepare an inventory file (`inventory.yml`) that lists all the hosts along with any specific inventory variables they might need. Then, you can run the playbook as follows:
+An effective way to use the playbook involves defining all necessary configurations within a vars file (for example, `vars_example.yml`). This file should include all relevant global variables tailored to your specific deployment requirements. Additionally, you should prepare an inventory file (`inventory.yml`) that lists all the hosts along with any specific inventory variables they might need. Then, you can run the playbook as follows:

 ```bash
-ansible-playbook -i inventory.yml -e @vars.yml main.yml
+ansible-playbook -i inventory.yml -e @vars_example.yml main.yml
 ```

-This command prompts Ansible to execute the `main.yml` playbook, applying configurations defined in both `vars.yml` and the inventory file.
+This command prompts Ansible to execute the `main.yml` playbook, applying configurations defined in both the vars file and the inventory file.

-Use `inventory_example.yml`, `vars_example.yml`, and the bare-metal examples as starting points for new inventories.
+Use `inventory_example.yml`, `inventory_libvirt_example.yml`, `vars_example.yml`, and the bare-metal examples as starting points for new inventories.

 ## Notes

- `vm_size`/`vm_memory` are required for virtual installs only, physical installs use the full disk.
+- `vm_size`/`vm_memory`/`vm_cpus` are required for virtual installs only, physical installs use the full disk.
 - `vm_dns` and `vm_dns_search` accept comma-separated strings or YAML lists.
 - `hypervisor` determines which backend-specific roles run.
 - Guest tools are installed based on `hypervisor`: `qemu-guest-agent` for `libvirt`/`proxmox`, `open-vm-tools` for `vmware`, otherwise none.
- With LUKS enabled on Debian/Ubuntu and RHEL-based systems, provisioning uses an ESP (50 MiB), a separate `/boot`
+- Molecule is scaffolded with a delegated driver and a no-op converge for lint-only validation.
+- With LUKS enabled on Debian/Ubuntu and RHEL-based systems, provisioning uses an ESP (512 MiB), a separate `/boot`
  (1 GiB, same as `filesystem` unless `btrfs` uses ext4 on Debian/Ubuntu or xfs on RHEL-based), and the encrypted root;
  adjust sizes via
  `partitioning_efi_size_mib` and `partitioning_boot_size_mib` if needed.
--- a/inventory_example.yml
+++ b/inventory_example.yml
@@ -1,40 +1,50 @@
 ---
 all:
  vars:
-    hypervisor: "proxmox"
    install_type: "virtual"
+    hypervisor: "proxmox"
    install_drive: "/dev/sda"
    boot_iso: "local:iso/archlinux-x86_64.iso"
    vm_nif: "vmbr0"
-    vm_gw: "10.0.0.1"
-    vm_dns:
-      - 1.1.1.1
-      - 1.0.0.1
-    vm_dns_search:
-      - example.com
  children:
    proxmox:
      hosts:
-        proxy01.example.com:
+        app01.example.com:
          ansible_host: 10.0.0.10
-          hostname: "proxy01.example.com"
-          vm_id: 100
+          hostname: "app01.example.com"
          os: "archlinux"
          filesystem: "btrfs"
-          vm_memory: 4096
-          vm_ballo: 2048
+          vm_id: 100
          vm_cpus: 2
+          vm_memory: 4096
          vm_size: 40
          vm_ip: 10.0.0.10
-        database01.example.com:
+          vm_nms: 24
+          vm_gw: 10.0.0.1
+          vm_dns:
+            - 1.1.1.1
+            - 1.0.0.1
+          extra_packages:
+            - jq
+            - tmux
+        db01.example.com:
          ansible_host: 10.0.0.11
-          hostname: "database01.example.com"
-          vm_id: 101
+          hostname: "db01.example.com"
          os: "rhel9"
          filesystem: "xfs"
-          vm_memory: 4096
-          vm_ballo: 2048
+          vm_id: 101
          vm_cpus: 4
-          vm_size: 60
+          vm_memory: 8192
+          vm_size: 80
          vm_ip: 10.0.0.11
+          vm_nms: 24
+          vm_gw: 10.0.0.1
+          vm_dns: "1.1.1.1,1.0.0.1"
          rhel_iso: "local:iso/rhel-9.4-x86_64-dvd.iso"
+          luks_enabled: true
+          luks_passphrase: "CHANGE_ME"
+          luks_auto_decrypt_method: "keyfile"
+          luks_keyfile_size: 128
+          cis: true
+          selinux: false
+          firewalld_enabled: false
--- a/inventory_libvirt_example.yml
+++ b/inventory_libvirt_example.yml
@@ -0,0 +1,56 @@
+---
+all:
+  vars:
+    install_type: "virtual"
+    hypervisor: "libvirt"
+    install_drive: "/dev/vda"
+    boot_iso: "/var/lib/libvirt/images/archlinux-x86_64.iso"
+  children:
+    libvirt:
+      hosts:
+        web01.example.com:
+          ansible_host: 192.168.122.10
+          hostname: "web01.example.com"
+          os: "debian12"
+          filesystem: "ext4"
+          vm_cpus: 2
+          vm_memory: 2048
+          vm_size: 30
+          vm_ip: 192.168.122.10
+          vm_nms: 24
+          vm_gw: 192.168.122.1
+          vm_dns: 1.1.1.1
+          extra_packages:
+            - nginx
+            - fail2ban
+        vault01.example.com:
+          ansible_host: 192.168.122.11
+          hostname: "vault01.example.com"
+          os: "ubuntu-lts"
+          filesystem: "btrfs"
+          vm_cpus: 2
+          vm_memory: 4096
+          vm_size: 40
+          vm_ip: 192.168.122.11
+          vm_nms: 24
+          vm_gw: 192.168.122.1
+          vm_dns_search: "example.com"
+          luks_enabled: true
+          luks_passphrase: "CHANGE_ME"
+          luks_auto_decrypt_method: "keyfile"
+          firewalld_enabled: false
+        rhel9.example.com:
+          ansible_host: 192.168.122.12
+          hostname: "rhel9.example.com"
+          os: "rhel9"
+          filesystem: "xfs"
+          vm_cpus: 4
+          vm_memory: 8192
+          vm_size: 80
+          vm_ip: 192.168.122.12
+          vm_nms: 24
+          vm_gw: 192.168.122.1
+          vm_dns: "1.1.1.1,1.0.0.1"
+          vm_path: "/srv/libvirt/images"
+          rhel_iso: "/var/lib/libvirt/images/rhel-9.4-x86_64-dvd.iso"
+          vlan_name: "100"
--- a/main.yml
+++ b/main.yml
@@ -24,70 +24,10 @@
      prompt: |
        What is your root password?
      confirm: true
-  vars_files: vars.yml
  pre_tasks:
-    - name: Validate variables
-      ansible.builtin.assert:
-        that:
-          - install_type in ["virtual", "physical"]
-          - hypervisor in ["libvirt", "proxmox", "vmware", "none"]
-          - filesystem in ["btrfs", "ext4", "xfs"]
-          - install_drive is defined
-          - install_type == "physical" or vm_size is defined
-          - install_type == "physical" or vm_memory is defined
-          - os in ["archlinux", "almalinux", "debian11", "debian12", "debian13", "fedora", "rhel8", "rhel9", "rhel10", "rocky", "ubuntu", "ubuntu-lts"]
-          - os not in ["rhel8", "rhel9", "rhel10"] or rhel_iso is defined
-          - >-
-            install_type == "physical"
-            or (
-              (filesystem == "btrfs" and (vm_size | default(0) | int) >= 10)
-              or (filesystem != "btrfs" and (vm_size | default(0) | int) >= 20)
-            )
-          - >-
-            install_type == "physical"
-            or (
-              (vm_size | default(0) | float)
-              >= (
-                (vm_memory | default(0) | float / 1024 >= 16.0)
-                | ternary(
-                    (vm_memory | default(0) | float / 2048),
-                    [vm_memory | default(0) | float / 1024, 4.0] | max
-                  )
-                + 16
-              )
-            )
-        fail_msg: Invalid input specified, please try again.
-
-    - name: Normalize optional flags
-      ansible.builtin.set_fact:
-        cis: "{{ cis | default(false) | bool }}"
-        custom_iso: "{{ custom_iso | default(false) | bool }}"
-        is_rhel: "{{ os | default('') | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky'] }}"
-        is_debian: "{{ os | default('') | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts'] }}"
-      changed_when: false
-
-    - name: Set Python interpreter for RHEL-based installers
-      when:
-        - ansible_python_interpreter is not defined
-        - os | lower in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"]
-      ansible.builtin.set_fact:
-        ansible_python_interpreter: /usr/bin/python3
-      changed_when: false
-
-    - name: Set SSH access
-      when:
-        - install_type == "virtual"
-        - hypervisor != "vmware"
-      ansible.builtin.set_fact:
-        ansible_user: "{{ user_name }}"
-        ansible_password: "{{ user_password }}"
-        ansible_become_password: "{{ user_password }}"
-        ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
-
-    - name: Set connection for VMware
-      when: hypervisor == "vmware"
-      ansible.builtin.set_fact:
-        ansible_connection: vmware_tools
+    - name: Load global defaults
+      ansible.builtin.import_role:
+        name: global_defaults

  roles:
    - role: virtualization
@@ -110,7 +50,7 @@
    - role: configuration

    - role: cis
-      when: cis | default(false) | bool
+      when: cis_enabled

    - role: cleanup
      when: install_type in ["virtual", "physical"]
@@ -122,7 +62,7 @@
        post_reboot_can_connect: >-
          {{
            (ansible_connection | default('ssh')) != 'ssh'
-            or ((vm_ip | default('') | string | length) > 0)
+            or (vm_ip is defined and (vm_ip | string | length) > 0)
            or (
              install_type == 'physical'
              and (ansible_host | default('') | string | length) > 0
@@ -132,7 +72,7 @@

    - name: Set final SSH credentials for post-reboot tasks
      when:
-        - post_reboot_can_connect | default(false) | bool
+        - post_reboot_can_connect | bool
      ansible.builtin.set_fact:
        ansible_user: "{{ user_name }}"
        ansible_password: "{{ user_password }}"
@@ -141,25 +81,23 @@

    - name: Install post-reboot extra packages
      when:
+        - post_reboot_can_connect | bool
        - extra_packages is defined
-        - post_reboot_can_connect | default(false) | bool
+        - extra_packages | length > 0
      block:
-        - name: Normalize extra package list
-          ansible.builtin.set_fact:
+        - name: Install extra packages
+          vars:
            post_install_extra_packages: >-
              {{
                (
                  extra_packages
                  if (extra_packages is iterable and extra_packages is not string)
-                  else (extra_packages | default('') | string).split(',')
+                  else (extra_packages | string).split(',')
                )
                | map('trim')
                | reject('equalto', '')
                | list
              }}
-          changed_when: false
-
-        - name: Install extra packages
          when: post_install_extra_packages | length > 0
          ansible.builtin.package:
            name: "{{ post_install_extra_packages }}"
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -0,0 +1,8 @@
+---
+- name: Molecule converge placeholder
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: Skip destructive provisioning in Molecule
+      ansible.builtin.debug:
+        msg: "Molecule scenario is lint-only; run main.yml against disposable hosts."
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -0,0 +1,19 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: delegated
+platforms:
+  - name: localhost
+provisioner:
+  name: ansible
+  playbooks:
+    converge: converge.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_connection: local
+  lint:
+    name: ansible-lint
+verifier:
+  name: ansible
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -0,0 +1,9 @@
+---
+- name: Molecule verify placeholder
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: Verify placeholder
+      ansible.builtin.assert:
+        that:
+          - true
--- a/roles/bootstrap/vars/main.yml
+++ b/roles/bootstrap/vars/main.yml
@@ -4,6 +4,7 @@ bootstrap_almalinux:
  - dbus-daemon
  - dhcp-client
  - efibootmgr
+  - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
  - glibc-langpack-de
  - glibc-langpack-en
  - grub2
@@ -17,10 +18,10 @@ bootstrap_almalinux:
  - ppp
  - shim
  - tmux
-  - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
-  - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
+  - "{{ 'cryptsetup' if luks_enabled else '' }}"
+  - "{{ 'tpm2-tools' if luks_enabled else '' }}"
+  - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
+  - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
  - vim
  - wget
  - zram-generator
@@ -33,7 +34,7 @@ bootstrap_archlinux:
  - dhcpcd
  - efibootmgr
  - fastfetch
-  - firewalld
+  - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
  - fish
  - fzf
  - grub
@@ -56,10 +57,10 @@ bootstrap_archlinux:
  - sudo
  - tldr
  - tmux
-  - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
-  - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
+  - "{{ 'cryptsetup' if luks_enabled else '' }}"
+  - "{{ 'tpm2-tools' if luks_enabled else '' }}"
+  - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
+  - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
  - vim
  - wireguard-tools
  - zram-generator
@@ -74,8 +75,8 @@ bootstrap_debian11:
    - grub-efi
    - grub-efi-amd64-signed
    - grub2-common
-    - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
-    - "{{ 'cryptsetup-initramfs' if luks_enabled | default(false) else '' }}"
+    - "{{ 'cryptsetup' if luks_enabled else '' }}"
+    - "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
    - linux-image-amd64
    - locales
    - logrotate
@@ -90,7 +91,7 @@ bootstrap_debian11:
    - bat
    - curl
    - entr
-    - firewalld
+    - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
    - fish
    - fzf
    - htop
@@ -109,9 +110,9 @@ bootstrap_debian11:
    - syslog-ng
    - tcpd
    - tldr
-    - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
-    - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
-    - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
+    - "{{ 'tpm2-tools' if luks_enabled else '' }}"
+    - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
+    - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
    - vim
    - wget
    - zstd
@@ -124,8 +125,8 @@ bootstrap_debian12:
    - grub-efi
    - grub-efi-amd64-signed
    - grub2-common
-    - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
-    - "{{ 'cryptsetup-initramfs' if luks_enabled | default(false) else '' }}"
+    - "{{ 'cryptsetup' if luks_enabled else '' }}"
+    - "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
    - linux-image-amd64
    - locales
    - logrotate
@@ -139,7 +140,7 @@ bootstrap_debian12:
    - curl
    - duf
    - entr
-    - firewalld
+    - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
    - fish
    - fzf
    - htop
@@ -164,9 +165,9 @@ bootstrap_debian12:
    - systemd-zram-generator
    - tcpd
    - tldr
-    - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
-    - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
-    - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
+    - "{{ 'tpm2-tools' if luks_enabled else '' }}"
+    - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
+    - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
    - vim
    - wget
    - zstd
@@ -179,8 +180,8 @@ bootstrap_debian13:
    - grub-efi
    - grub-efi-amd64-signed
    - grub2-common
-    - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
-    - "{{ 'cryptsetup-initramfs' if luks_enabled | default(false) else '' }}"
+    - "{{ 'cryptsetup' if luks_enabled else '' }}"
+    - "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
    - linux-image-amd64
    - locales
    - logrotate
@@ -195,7 +196,7 @@ bootstrap_debian13:
    - duf
    - entr
    - fastfetch
-    - firewalld
+    - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
    - fish
    - fzf
    - htop
@@ -217,9 +218,9 @@ bootstrap_debian13:
    - syslog-ng
    - systemd-zram-generator
    - tcpd
-    - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
-    - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
-    - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
+    - "{{ 'tpm2-tools' if luks_enabled else '' }}"
+    - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
+    - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
    - vim
    - wget
    - zstd
@@ -233,6 +234,7 @@ bootstrap_fedora:
  - duf
  - efibootmgr
  - entr
+  - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
  - fish
  - fzf
  - glibc-langpack-de
@@ -252,10 +254,10 @@ bootstrap_fedora:
  - ripgrep
  - shim
  - tmux
-  - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
-  - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
+  - "{{ 'cryptsetup' if luks_enabled else '' }}"
+  - "{{ 'tpm2-tools' if luks_enabled else '' }}"
+  - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
+  - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
  - vim-default-editor
  - wget
  - zoxide
@@ -266,6 +268,7 @@ bootstrap_rhel8:
  - bind-utils
  - dhcp-client
  - efibootmgr
+  - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
  - glibc-langpack-de
  - glibc-langpack-en
  - grub2
@@ -280,10 +283,10 @@ bootstrap_rhel8:
  - python39
  - shim
  - tmux
-  - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
-  - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
+  - "{{ 'cryptsetup' if luks_enabled else '' }}"
+  - "{{ 'tpm2-tools' if luks_enabled else '' }}"
+  - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
+  - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
  - vim
  - zstd

@@ -291,6 +294,7 @@ bootstrap_rhel9:
  - bind-utils
  - dhcp-client
  - efibootmgr
+  - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
  - glibc-langpack-de
  - glibc-langpack-en
  - grub2
@@ -305,10 +309,10 @@ bootstrap_rhel9:
  - python
  - shim
  - tmux
-  - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
-  - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
+  - "{{ 'cryptsetup' if luks_enabled else '' }}"
+  - "{{ 'tpm2-tools' if luks_enabled else '' }}"
+  - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
+  - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
  - vim
  - zram-generator
  - zstd
@@ -316,6 +320,7 @@ bootstrap_rhel9:
 bootstrap_rhel10:
  - bind-utils
  - efibootmgr
+  - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
  - glibc-langpack-de
  - glibc-langpack-en
  - grub2
@@ -330,10 +335,10 @@ bootstrap_rhel10:
  - python
  - shim
  - tmux
-  - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
-  - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
+  - "{{ 'cryptsetup' if luks_enabled else '' }}"
+  - "{{ 'tpm2-tools' if luks_enabled else '' }}"
+  - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
+  - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
  - vim
  - zram-generator
  - zstd
@@ -343,6 +348,7 @@ bootstrap_rocky:
  - dbus-daemon
  - dhcp-client
  - efibootmgr
+  - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
  - glibc-langpack-de
  - glibc-langpack-en
  - grub2
@@ -357,10 +363,10 @@ bootstrap_rocky:
  - shim
  - telnet
  - tmux
-  - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
-  - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
+  - "{{ 'cryptsetup' if luks_enabled else '' }}"
+  - "{{ 'tpm2-tools' if luks_enabled else '' }}"
+  - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
+  - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
  - util-linux-core
  - vim
  - wget
@@ -375,8 +381,8 @@ bootstrap_ubuntu:
    - grub-efi
    - grub-efi-amd64-signed
    - grub2-common
-    - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
-    - "{{ 'cryptsetup-initramfs' if luks_enabled | default(false) else '' }}"
+    - "{{ 'cryptsetup' if luks_enabled else '' }}"
+    - "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
    - linux-image-generic
    - locales
    - lvm2
@@ -394,7 +400,7 @@ bootstrap_ubuntu:
    - eza
    - fdupes
    - fio
-    - firewalld
+    - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
    - fish
    - htop
    - jq
@@ -419,9 +425,9 @@ bootstrap_ubuntu:
    - tcpd
    - tldr
    - tmux
-    - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
-    - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
-    - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
+    - "{{ 'tpm2-tools' if luks_enabled else '' }}"
+    - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
+    - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
    - traceroute
    - util-linux-extra
    - vim
@@ -438,8 +444,8 @@ bootstrap_ubuntu_lts:
    - grub-efi
    - grub-efi-amd64-signed
    - grub2-common
-    - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
-    - "{{ 'cryptsetup-initramfs' if luks_enabled | default(false) else '' }}"
+    - "{{ 'cryptsetup' if luks_enabled else '' }}"
+    - "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
    - linux-image-generic
    - locales
    - lvm2
@@ -457,7 +463,7 @@ bootstrap_ubuntu_lts:
    - eza
    - fdupes
    - fio
-    - firewalld
+    - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
    - fish
    - htop
    - jq
@@ -482,9 +488,9 @@ bootstrap_ubuntu_lts:
    - tcpd
    - tldr
    - tmux
-    - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
-    - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
-    - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
+    - "{{ 'tpm2-tools' if luks_enabled else '' }}"
+    - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
+    - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
    - traceroute
    - util-linux-extra
    - vim
--- a/roles/cis/defaults/main.yml
+++ b/roles/cis/defaults/main.yml
@@ -0,0 +1,21 @@
+---
+cis_permission_targets: >-
+  {{
+    [
+      { "path": "/mnt/etc/ssh/sshd_config", "mode": "0600" },
+      { "path": "/mnt/etc/cron.hourly", "mode": "0700" },
+      { "path": "/mnt/etc/cron.daily", "mode": "0700" },
+      { "path": "/mnt/etc/cron.weekly", "mode": "0700" },
+      { "path": "/mnt/etc/cron.monthly", "mode": "0700" },
+      { "path": "/mnt/etc/cron.d", "mode": "0700" },
+      { "path": "/mnt/etc/crontab", "mode": "0600" },
+      { "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
+      { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9", "rhel10"] else None,
+      {
+        "path": "/mnt/usr/bin/"
+        + ("fusermount3" if os in ["archlinux", "debian12", "fedora", "rhel9", "rhel10", "rocky"] else "fusermount"),
+        "mode": "755"
+      },
+      { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" }
+    ] | reject("none")
+  }}
--- a/roles/cis/tasks/permissions.yml
+++ b/roles/cis/tasks/permissions.yml
@@ -1,25 +1,4 @@
 ---
- name: Build CIS permission targets
-  ansible.builtin.set_fact:
-    cis_permission_targets: >-
-      {{
-        [
-          { "path": "/mnt/etc/ssh/sshd_config", "mode": "0600" },
-          { "path": "/mnt/etc/cron.hourly", "mode": "0700" },
-          { "path": "/mnt/etc/cron.daily", "mode": "0700" },
-          { "path": "/mnt/etc/cron.weekly", "mode": "0700" },
-          { "path": "/mnt/etc/cron.monthly", "mode": "0700" },
-          { "path": "/mnt/etc/cron.d", "mode": "0700" },
-          { "path": "/mnt/etc/crontab", "mode": "0600" },
-          { "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
-          { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9", "rhel10"] else None,
-          { "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["archlinux", "debian12", "fedora", "rhel9",
-            "rhel10", "rocky"] else "fusermount"), "mode": "755" },
-          { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" }
-        ] | reject("none")
-      }}
-  changed_when: false
-
 - name: Check CIS permission targets
  ansible.builtin.stat:
    path: "{{ item.path }}"
--- a/roles/cis/tasks/security_lines.yml
+++ b/roles/cis/tasks/security_lines.yml
@@ -10,8 +10,8 @@
    - {path: /mnt/etc/security/pwquality.conf, content: ucredit = -1}
    - {path: /mnt/etc/security/pwquality.conf, content: ocredit = -1}
    - {path: /mnt/etc/security/pwquality.conf, content: lcredit = -1}
-    - {path: '/mnt/etc/{{ "bashrc" if is_rhel | default(false) else "bash.bashrc" }}', content: umask 077}
-    - {path: '/mnt/etc/{{ "bashrc" if is_rhel | default(false) else "bash.bashrc" }}', content: export TMOUT=3000}
+    - {path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: umask 077}
+    - {path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: export TMOUT=3000}
    - {path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent}
    - {path: /mnt/etc/sudoers, content: Defaults        logfile="/var/log/sudo.log"}
    - {path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so}
--- a/roles/cleanup/defaults/main.yml
+++ b/roles/cleanup/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+cleanup_libvirt_image_dir: >-
+  {{ vm_path if vm_path is defined and vm_path | length > 0 else '/var/lib/libvirt/images' }}
+cleanup_libvirt_cloudinit_path: >-
+  {{ [cleanup_libvirt_image_dir, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}
--- a/roles/cleanup/tasks/libvirt.yml
+++ b/roles/cleanup/tasks/libvirt.yml
@@ -4,15 +4,6 @@
  delegate_to: localhost
  become: false
  block:
-    - name: Set libvirt image paths
-      vars:
-        cleanup_libvirt_image_dir_value: "{{ vm_path | default('/var/lib/libvirt/images') }}"
-      ansible.builtin.set_fact:
-        cleanup_libvirt_image_dir: "{{ cleanup_libvirt_image_dir_value }}"
-        cleanup_libvirt_cloudinit_path: >-
-          {{ [cleanup_libvirt_image_dir_value, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}
-      changed_when: false
-
    - name: Read current VM XML definition
      community.libvirt.virt:
        command: get_xml
@@ -38,7 +29,7 @@
      changed_when: false

    - name: Remove boot ISO device from VM XML (source match)
-      when: boot_iso is defined and (boot_iso | length > 0)
+      when: boot_iso is defined and boot_iso | length > 0
      community.general.xml:
        xmlstring: "{{ cleanup_libvirt_domain_xml }}"
        xpath: "/domain/devices/disk[contains(source/@file, '{{ boot_iso | basename }}')]"
@@ -46,7 +37,7 @@
      register: cleanup_libvirt_xml_strip_boot_source

    - name: Update cleaned VM XML after removing boot ISO source match
-      when: boot_iso is defined and (boot_iso | length > 0)
+      when: boot_iso is defined and boot_iso | length > 0
      ansible.builtin.set_fact:
        cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot_source.xmlstring }}"
      changed_when: false
--- a/roles/cleanup/tasks/vmware.yml
+++ b/roles/cleanup/tasks/vmware.yml
@@ -24,7 +24,7 @@
            unit_number: 1
            controller_type: sata
            type: iso
-            iso_path: "{{ rhel_iso | default(omit) }}"
+            iso_path: "{{ rhel_iso if rhel_iso is defined and rhel_iso | length > 0 else omit }}"
            state: absent
      failed_when: false

--- a/roles/configuration/tasks/bootloader.yml
+++ b/roles/configuration/tasks/bootloader.yml
@@ -3,16 +3,8 @@
  block:
    - name: Install Bootloader
      vars:
-        configuration_use_efibootmgr: "{{ is_rhel | default(false) }}"
-        configuration_efi_dir: >-
-          {{
-            partitioning_efi_mountpoint
-            | default(
-                "/boot/efi"
-                if (is_rhel | default(false)) or (os | lower in ["ubuntu", "ubuntu-lts"])
-                else "/boot"
-              )
-          }}
+        configuration_use_efibootmgr: "{{ is_rhel | bool }}"
+        configuration_efi_dir: "{{ partitioning_efi_mountpoint }}"
        configuration_bootloader_id: >-
          {{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
        configuration_efi_vendor: >-
@@ -47,7 +39,7 @@
            else (
              '/usr/bin/env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin '
              + '/usr/sbin/update-initramfs -u -k all'
-              if is_debian | default(false)
+              if is_debian | bool
              else '/usr/bin/dracut --regenerate-all --force'
            )
          }}
@@ -62,9 +54,9 @@
        configuration_grub_cfg_cmd: >-
          {{
            '/usr/sbin/grub2-mkconfig -o '
-            + (partitioning_efi_mountpoint | default('/boot/efi'))
+            + partitioning_efi_mountpoint
            + '/EFI/' + configuration_efi_vendor + '/grub.cfg'
-            if is_rhel | default(false)
+            if is_rhel | bool
            else '/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg'
          }}
      ansible.builtin.command: "arch-chroot /mnt {{ configuration_grub_cfg_cmd }}"
--- a/roles/configuration/tasks/encryption.yml
+++ b/roles/configuration/tasks/encryption.yml
@@ -1,31 +1,17 @@
 ---
 - name: Configure disk encryption
-  when: partitioning_luks_enabled | default(luks_enabled | default(false)) | bool
+  when: partitioning_luks_enabled | bool
  vars:
    configuration_luks_passphrase_effective: >-
-      {{ (partitioning_luks_passphrase | default(luks_passphrase | default(''))) | string }}
+      {{ partitioning_luks_passphrase | string }}
  block:
    - name: Set LUKS configuration facts
      vars:
        configuration_luks_mapper_name_value: >-
-          {{
-            partitioning_luks_mapper_name
-            | default(luks_mapper_name | default('SYSTEM_DECRYPTED'))
-          }}
-        configuration_luks_device_value: >-
-          {{
-            partitioning_luks_device
-            | default(
-                install_drive
-                ~ (
-                  partitioning_root_partition_suffix
-                  | default(partitioning_main_partition_suffix | default(2))
-                  | string
-                )
-              )
-          }}
+          {{ partitioning_luks_mapper_name }}
+        configuration_luks_device_value: "{{ partitioning_luks_device }}"
        configuration_luks_tpm2_pcrs_raw: >-
-          {{ partitioning_luks_tpm2_pcrs | default(luks_tpm2_pcrs | default('')) }}
+          {{ partitioning_luks_tpm2_pcrs }}
        configuration_luks_tpm2_pcrs_effective_value: >-
          {{
            (
@@ -43,17 +29,17 @@
        configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}"
        configuration_luks_device: "{{ configuration_luks_device_value }}"
        configuration_luks_options: >-
-          {{ partitioning_luks_options | default(luks_options | default('discard,tries=3')) }}
+          {{ partitioning_luks_options }}
        configuration_luks_auto_method: >-
          {{
-            (partitioning_luks_auto_decrypt | default(luks_auto_decrypt | default(true)) | bool)
+            (partitioning_luks_auto_decrypt | bool)
            | ternary(
-                partitioning_luks_auto_decrypt_method | default(luks_auto_decrypt_method | default('tpm2')),
+                partitioning_luks_auto_decrypt_method,
                'manual'
              )
          }}
        configuration_luks_tpm2_device: >-
-          {{ partitioning_luks_tpm2_device | default(luks_tpm2_device | default('auto')) }}
+          {{ partitioning_luks_tpm2_device }}
        configuration_luks_tpm2_pcrs: "{{ configuration_luks_tpm2_pcrs_raw }}"
        configuration_luks_tpm2_pcrs_effective: "{{ configuration_luks_tpm2_pcrs_effective_value }}"
        configuration_luks_keyfile_path: >-
@@ -151,7 +137,7 @@

    - name: Ensure keyfile pattern for initramfs-tools
      when:
-        - is_debian | default(false)
+        - is_debian | bool
        - configuration_luks_keyfile_in_use
      ansible.builtin.lineinfile:
        path: /mnt/etc/cryptsetup-initramfs/conf-hook
@@ -215,14 +201,14 @@
          }})

    - name: Ensure dracut config directory exists
-      when: is_rhel | default(false)
+      when: is_rhel | bool
      ansible.builtin.file:
        path: /mnt/etc/dracut.conf.d
        state: directory
        mode: "0755"

    - name: Configure dracut for LUKS
-      when: is_rhel | default(false)
+      when: is_rhel | bool
      ansible.builtin.copy:
        dest: /mnt/etc/dracut.conf.d/crypt.conf
        content: |
@@ -233,13 +219,13 @@
        mode: "0644"

    - name: Read kernel cmdline defaults
-      when: is_rhel | default(false)
+      when: is_rhel | bool
      ansible.builtin.slurp:
        src: /mnt/etc/kernel/cmdline
      register: configuration_kernel_cmdline_slurp

    - name: Build kernel cmdline with LUKS args
-      when: is_rhel | default(false)
+      when: is_rhel | bool
      vars:
        configuration_kernel_cmdline_current_value: >-
          {{ configuration_kernel_cmdline_slurp.content | b64decode | trim }}
@@ -265,14 +251,14 @@
      changed_when: false

    - name: Write kernel cmdline with LUKS args
-      when: is_rhel | default(false)
+      when: is_rhel | bool
      ansible.builtin.copy:
        dest: /mnt/etc/kernel/cmdline
        mode: "0644"
        content: "{{ configuration_kernel_cmdline_new }}\n"

    - name: Find BLS entries
-      when: is_rhel | default(false)
+      when: is_rhel | bool
      ansible.builtin.find:
        paths: /mnt/boot/loader/entries
        patterns: "*.conf"
@@ -281,7 +267,7 @@

    - name: Update BLS options with LUKS args
      when:
-        - is_rhel | default(false)
+        - is_rhel | bool
        - configuration_kernel_bls_entries.files | length > 0
      ansible.builtin.lineinfile:
        path: "{{ item.path }}"
@@ -292,13 +278,13 @@
        label: "{{ item.path }}"

    - name: Read grub defaults
-      when: not is_rhel | default(false)
+      when: not is_rhel | bool
      ansible.builtin.slurp:
        src: /mnt/etc/default/grub
      register: configuration_grub_slurp

    - name: Build grub command lines with LUKS args
-      when: not is_rhel | default(false)
+      when: not is_rhel | bool
      vars:
        configuration_grub_content_value: "{{ configuration_grub_slurp.content | b64decode }}"
        configuration_grub_cmdline_linux_value: >-
@@ -362,7 +348,7 @@
        configuration_grub_cmdline_default_new: "{{ configuration_grub_cmdline_default_new_value }}"

    - name: Update GRUB_CMDLINE_LINUX_DEFAULT for LUKS
-      when: not is_rhel | default(false)
+      when: not is_rhel | bool
      ansible.builtin.lineinfile:
        path: /mnt/etc/default/grub
        regexp: '^GRUB_CMDLINE_LINUX_DEFAULT='
--- a/roles/configuration/tasks/encryption/keyfile.yml
+++ b/roles/configuration/tasks/encryption/keyfile.yml
@@ -16,7 +16,7 @@
          {{
            lookup(
              'community.general.random_string',
-              length=(partitioning_luks_keyfile_size | default(luks_keyfile_size | default(64)) | int),
+              length=(partitioning_luks_keyfile_size | int),
              override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
            )
          }}
@@ -61,7 +61,7 @@
    - name: Regenerate keyfile and retry adding to LUKS header
      when:
        - configuration_luks_keyfile_unlock_test.rc != 0
-        - configuration_luks_keyfile_copy.changed | default(false) | bool
+        - configuration_luks_keyfile_copy is defined and configuration_luks_keyfile_copy.changed | bool
        - configuration_luks_addkey_result is failed
      block:
        - name: Regenerate LUKS keyfile
@@ -71,7 +71,7 @@
              {{
                lookup(
                  'community.general.random_string',
-                  length=(partitioning_luks_keyfile_size | default(luks_keyfile_size | default(64)) | int),
+                  length=(partitioning_luks_keyfile_size | int),
                  override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
                )
              }}
--- a/roles/configuration/tasks/extras.yml
+++ b/roles/configuration/tasks/extras.yml
@@ -1,7 +1,7 @@
 ---
 - name: Append vim configurations to vimrc
  ansible.builtin.blockinfile:
-    path: "{{ '/mnt/etc/vim/vimrc' if is_debian | default(false) else '/mnt/etc/vimrc' }}"
+    path: "{{ '/mnt/etc/vim/vimrc' if is_debian | bool else '/mnt/etc/vimrc' }}"
    block: |
      set encoding=utf-8
      set number
--- a/roles/configuration/tasks/grub.yml
+++ b/roles/configuration/tasks/grub.yml
@@ -1,6 +1,6 @@
 ---
 - name: Configure grub defaults
-  when: not is_rhel | default(false)
+  when: not is_rhel | bool
  ansible.builtin.lineinfile:
    dest: /mnt/etc/default/grub
    regexp: "{{ item.regexp }}"
@@ -12,7 +12,7 @@
      line: GRUB_TIMEOUT=1

 - name: Ensure grub defaults file exists for RHEL-based systems
-  when: is_rhel | default(false)
+  when: is_rhel | bool
  block:
    - name: Build RHEL kernel command line defaults
      vars:
@@ -106,7 +106,7 @@
        label: "{{ item.path }}"

 - name: Enable GRUB cryptodisk for encrypted /boot
-  when: partitioning_grub_enable_cryptodisk | default(false) | bool
+  when: partitioning_grub_enable_cryptodisk | bool
  ansible.builtin.lineinfile:
    path: /mnt/etc/default/grub
    regexp: '^GRUB_ENABLE_CRYPTODISK='
--- a/roles/configuration/tasks/locales.yml
+++ b/roles/configuration/tasks/locales.yml
@@ -10,7 +10,7 @@
 - name: Setup locales
  block:
    - name: Configure locale.gen
-      when: not is_rhel | default(false)
+      when: not is_rhel | bool
      ansible.builtin.lineinfile:
        dest: /mnt/etc/locale.gen
        regexp: "{{ item.regex }}"
@@ -19,7 +19,7 @@
        - {regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8}

    - name: Generate locales
-      when: not is_rhel | default(false)
+      when: not is_rhel | bool
      ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen
      register: configuration_locale_result
      changed_when: configuration_locale_result.rc == 0
@@ -57,7 +57,7 @@
        configuration_hostname_entries: >-
          {{ [configuration_hostname_fqdn, configuration_hostname_short] | unique | join(' ') }}
        configuration_hosts_line: >-
-          {{ vm_ip | default(inventory_hostname) }}    {{ configuration_hostname_entries }}
+          {{ (vm_ip if vm_ip is defined and vm_ip | length > 0 else inventory_hostname) }}    {{ configuration_hostname_entries }}
      ansible.builtin.lineinfile:
        path: /mnt/etc/hosts
        line: "{{ configuration_hosts_line }}"
--- a/roles/configuration/tasks/selinux.yml
+++ b/roles/configuration/tasks/selinux.yml
@@ -1,9 +1,9 @@
 ---
 - name: Fix SELinux
-  when: is_rhel | default(false)
+  when: is_rhel | bool
  block:
    - name: Fix SELinux by pre-labeling the filesystem before first boot
-      when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and (selinux | default(true) | bool)
+      when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and selinux | bool
      ansible.builtin.command: >
        arch-chroot /mnt /sbin/setfiles -v -F
        -e /dev -e /proc -e /sys -e /run
@@ -12,7 +12,7 @@
      changed_when: configuration_setfiles_result.rc == 0

    - name: Disable SELinux
-      when: os | lower == "fedora" or not (selinux | default(true) | bool)
+      when: os | lower == "fedora" or not selinux | bool
      ansible.builtin.lineinfile:
        path: /mnt/etc/selinux/config
        regexp: ^SELINUX=
--- a/roles/configuration/tasks/services.yml
+++ b/roles/configuration/tasks/services.yml
@@ -2,6 +2,7 @@
 - name: Enable Systemd Services
  ansible.builtin.command: >
    arch-chroot /mnt systemctl enable NetworkManager
+    {{ ' firewalld' if firewalld_enabled | bool else '' }}
    {{
      ' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else
      (' sshd' if os | lower not in ['debian11', 'debian12', 'debian13'] else '')
@@ -12,3 +13,10 @@
    }}
  register: configuration_enable_services_result
  changed_when: configuration_enable_services_result.rc == 0
+
+- name: Disable firewalld when disabled
+  when: not firewalld_enabled | bool
+  ansible.builtin.command: arch-chroot /mnt systemctl disable --now firewalld
+  register: configuration_disable_firewalld_result
+  changed_when: configuration_disable_firewalld_result.rc == 0
+  failed_when: false
--- a/roles/configuration/tasks/sudo.yml
+++ b/roles/configuration/tasks/sudo.yml
@@ -1,7 +1,7 @@
 ---
 - name: Give sudo access to wheel group
  ansible.builtin.copy:
-    content: "{{ '%sudo ALL=(ALL) ALL' if is_debian | default(false) else '%wheel ALL=(ALL) ALL' }}"
+    content: "{{ '%sudo ALL=(ALL) ALL' if is_debian | bool else '%wheel ALL=(ALL) ALL' }}"
    dest: /mnt/etc/sudoers.d/01-wheel
    mode: "0440"
    validate: /usr/sbin/visudo --check --file=%s
--- a/roles/configuration/tasks/users.yml
+++ b/roles/configuration/tasks/users.yml
@@ -2,7 +2,7 @@
 - name: Create user account
  vars:
    configuration_user_group: >-
-      {{ "sudo" if is_debian | default(false) else "wheel" }}
+      {{ "sudo" if is_debian | bool else "wheel" }}
    configuration_useradd_cmd: >-
      arch-chroot /mnt /usr/sbin/useradd --create-home --user-group
      --groups {{ configuration_user_group }} {{ user_name }}
@@ -18,7 +18,7 @@
  changed_when: configuration_user_result.rc == 0

 - name: Ensure .ssh directory exists
-  when: user_public_key is defined
+  when: user_public_key | length > 0
  ansible.builtin.file:
    path: /mnt/home/{{ user_name }}/.ssh
    state: directory
@@ -27,7 +27,7 @@
    mode: "0700"

 - name: Add SSH public key to authorized_keys
-  when: user_public_key is defined
+  when: user_public_key | length > 0
  ansible.builtin.lineinfile:
    path: /mnt/home/{{ user_name }}/.ssh/authorized_keys
    line: "{{ user_public_key }}"
--- a/roles/configuration/templates/network.j2
+++ b/roles/configuration/templates/network.j2
@@ -7,14 +7,14 @@ type=ethernet
 mac-address={{ configuration_net_mac }}

 [ipv4]
-{% set dns_value = vm_dns | default('') %}
+{% set dns_value = vm_dns if vm_dns is defined else '' %}
 {% set dns_list_raw = dns_value if dns_value is iterable and dns_value is not string else dns_value.split(',') %}
 {% set dns_list = dns_list_raw | map('trim') | reject('equalto', '') | list %}
-{% set search_value = vm_dns_search | default('') %}
+{% set search_value = vm_dns_search if vm_dns_search is defined else '' %}
 {% set search_list_raw = search_value if search_value is iterable and search_value is not string else search_value.split(',') %}
 {% set search_list = search_list_raw | map('trim') | reject('equalto', '') | list %}
 {% if vm_ip is defined and vm_ip | length %}
-address1={{ vm_ip }}/{{ vm_nms | default(24) }}{{ (',' ~ vm_gw) if (vm_gw is defined and vm_gw | length) else '' }}
+address1={{ vm_ip }}/{{ vm_nms }}{{ (',' ~ vm_gw) if (vm_gw is defined and vm_gw | length) else '' }}
 method=manual
 {% else %}
 method=auto
--- a/roles/environment/tasks/main.yml
+++ b/roles/environment/tasks/main.yml
@@ -17,7 +17,7 @@

    - name: Abort if the host is not booted from the Arch install media
      when:
-        - not (custom_iso | default(false) | bool)
+        - not (custom_iso | bool)
        - not environment_archiso_stat.stat.exists
      ansible.builtin.fail:
        msg: This host is not booted from the Arch install media!
@@ -40,10 +40,9 @@
    - name: Set IP-Address
      when:
        - hypervisor == "vmware"
-        - vm_ip is defined
-        - vm_ip | length
+        - vm_ip is defined and vm_ip | length > 0
      ansible.builtin.command: >-
-        ip addr replace {{ vm_ip }}/{{ vm_nms | default(24) }}
+        ip addr replace {{ vm_ip }}/{{ vm_nms }}
        dev {{ environment_interface_name }}
      register: environment_ip_result
      changed_when: environment_ip_result.rc == 0
@@ -51,10 +50,8 @@
    - name: Set Default Gateway
      when:
        - hypervisor == "vmware"
-        - vm_gw is defined
-        - vm_gw | length
-        - vm_ip is defined
-        - vm_ip | length
+        - vm_gw is defined and vm_gw | length > 0
+        - vm_ip is defined and vm_ip | length > 0
      ansible.builtin.command: "ip route replace default via {{ vm_gw }}"
      register: environment_gateway_result
      changed_when: environment_gateway_result.rc == 0
@@ -65,7 +62,7 @@
      changed_when: false

    - name: Configure SSH for root login
-      when: hypervisor == "vmware" and (vmware_ssh is defined and vmware_ssh | bool)
+      when: hypervisor == "vmware" and vmware_ssh | bool
      block:
        - name: Allow login
          ansible.builtin.replace:
@@ -91,14 +88,14 @@
    - name: Prepare installer environment
      block:
        - name: Speed-up Bootstrap process
-          when: not (custom_iso | default(false) | bool)
+          when: not (custom_iso | bool)
          ansible.builtin.lineinfile:
            path: /etc/pacman.conf
            regexp: ^#ParallelDownloads =
            line: ParallelDownloads = 20

        - name: Wait for pacman lock to be released
-          when: not (custom_iso | default(false) | bool)
+          when: not (custom_iso | bool)
          ansible.builtin.wait_for:
            path: /var/lib/pacman/db.lck
            state: absent
@@ -107,7 +104,7 @@

        - name: Setup Pacman
          when:
-            - not (custom_iso | default(false) | bool)
+            - not (custom_iso | bool)
            - "'os' not in item or os in item.os"
          community.general.pacman:
            update_cache: true
@@ -141,7 +138,7 @@
                state: mounted

        - name: Configure RHEL Repos for installation
-          when: is_rhel | default(false)
+          when: is_rhel | bool
          block:
            - name: Create directories for repository files and RPM GPG keys
              ansible.builtin.file:
--- a/roles/global_defaults/defaults/main.yml
+++ b/roles/global_defaults/defaults/main.yml
@@ -0,0 +1,26 @@
+---
+hypervisor: "none"
+custom_iso: false
+cis: false
+selinux: true
+vmware_ssh: false
+firewalld_enabled: true
+
+cis_enabled: "{{ cis | bool }}"
+
+luks_enabled: false
+luks_mapper_name: "SYSTEM_DECRYPTED"
+luks_auto_decrypt: true
+luks_auto_decrypt_method: "tpm2"
+luks_tpm2_device: "auto"
+luks_tpm2_pcrs: ""
+luks_keyfile_size: 64
+luks_options: "discard,tries=3"
+luks_type: "luks2"
+luks_cipher: "aes-xts-plain64"
+luks_hash: "sha512"
+luks_iter_time: 4000
+luks_key_size: 512
+luks_pbkdf: "argon2id"
+luks_use_urandom: true
+luks_verify_passphrase: true
--- a/roles/global_defaults/tasks/main.yml
+++ b/roles/global_defaults/tasks/main.yml
@@ -0,0 +1,113 @@
+---
+- name: Global defaults loaded
+  ansible.builtin.debug:
+    msg: Global defaults loaded.
+  changed_when: false
+
+- name: Validate variables
+  ansible.builtin.assert:
+    that:
+      - install_type is defined and install_type in ["virtual", "physical"]
+      - hypervisor in ["libvirt", "proxmox", "vmware", "none"]
+      - >-
+        install_type is defined and (
+          install_type == "physical"
+          or hypervisor in ["libvirt", "proxmox", "vmware"]
+        )
+      - filesystem is defined and filesystem in ["btrfs", "ext4", "xfs"]
+      - install_drive is defined and install_drive | length > 0
+      - hostname is defined and hostname | length > 0
+      - >-
+        os is defined and os in [
+          "archlinux", "almalinux", "debian11", "debian12", "debian13", "fedora",
+          "rhel8", "rhel9", "rhel10", "rocky", "ubuntu", "ubuntu-lts"
+        ]
+      - >-
+        os is defined and (
+          os not in ["rhel8", "rhel9", "rhel10"]
+          or (rhel_iso is defined and rhel_iso | length > 0)
+        )
+      - >-
+        install_type is defined and (
+          install_type == "physical"
+          or (boot_iso is defined and boot_iso | length > 0)
+        )
+      - >-
+        install_type is defined and (
+          install_type == "physical"
+          or (vm_cpus is defined and (vm_cpus | int) > 0)
+        )
+      - >-
+        install_type is defined and (
+          install_type == "physical"
+          or (vm_size is defined and (vm_size | float) > 0)
+        )
+      - >-
+        install_type is defined and (
+          install_type == "physical"
+          or (vm_memory is defined and (vm_memory | float) > 0)
+        )
+      - >-
+        install_type is defined and filesystem is defined and (
+          install_type == "physical"
+          or (
+            vm_size is defined
+            and (
+              (filesystem == "btrfs" and (vm_size | int) >= 10)
+              or (filesystem != "btrfs" and (vm_size | int) >= 20)
+            )
+          )
+        )
+      - >-
+        install_type is defined and (
+          install_type == "physical"
+          or (
+            vm_size is defined
+            and vm_memory is defined
+            and (
+              (vm_size | float)
+              >= (
+                (vm_memory | float / 1024 >= 16.0)
+                | ternary(
+                    (vm_memory | float / 2048),
+                    [vm_memory | float / 1024, 4.0] | max
+                  )
+                + 16
+              )
+            )
+          )
+        )
+      - >-
+        vm_ip is not defined
+        or vm_ip | length == 0
+        or (vm_nms is defined and (vm_nms | int) > 0)
+    fail_msg: Invalid input specified, please try again.
+
+- name: Set OS family flags
+  ansible.builtin.set_fact:
+    is_rhel: "{{ os | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky'] }}"
+    is_debian: "{{ os | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts'] }}"
+  changed_when: false
+
+- name: Set Python interpreter for RHEL-based installers
+  when:
+    - ansible_python_interpreter is not defined
+    - os | lower in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"]
+  ansible.builtin.set_fact:
+    ansible_python_interpreter: /usr/bin/python3
+  changed_when: false
+
+- name: Set SSH access
+  when:
+    - install_type == "virtual"
+    - hypervisor != "vmware"
+  ansible.builtin.set_fact:
+    ansible_user: "{{ user_name }}"
+    ansible_password: "{{ user_password }}"
+    ansible_become_password: "{{ user_password }}"
+    ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+- name: Set connection for VMware
+  when: hypervisor == "vmware"
+  ansible.builtin.set_fact:
+    ansible_connection: vmware_tools
--- a/roles/partitioning/defaults/main.yml
+++ b/roles/partitioning/defaults/main.yml
@@ -1,34 +1,37 @@
 ---
-partitioning_luks_enabled: "{{ luks_enabled | default(false) | bool }}"
-partitioning_luks_mapper_name: "{{ luks_mapper_name | default('SYSTEM_DECRYPTED') }}"
-partitioning_luks_type: "{{ luks_type | default('luks2') }}"
-partitioning_luks_cipher: "{{ luks_cipher | default('aes-xts-plain64') }}"
-partitioning_luks_hash: "{{ luks_hash | default('sha512') }}"
-partitioning_luks_iter_time: "{{ luks_iter_time | default(4000) }}"
-partitioning_luks_key_size: "{{ luks_key_size | default(512) }}"
-partitioning_luks_pbkdf: "{{ luks_pbkdf | default('argon2id') }}"
-partitioning_luks_use_urandom: "{{ luks_use_urandom | default(true) | bool }}"
-partitioning_luks_verify_passphrase: "{{ luks_verify_passphrase | default(true) | bool }}"
-partitioning_luks_auto_decrypt: "{{ luks_auto_decrypt | default(true) | bool }}"
-partitioning_luks_auto_decrypt_method: "{{ luks_auto_decrypt_method | default('tpm2') }}"
-partitioning_luks_tpm2_device: "{{ luks_tpm2_device | default('auto') }}"
-partitioning_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs | default('') }}"
-partitioning_luks_keyfile_size: "{{ luks_keyfile_size | default(64) }}"
-partitioning_luks_options: "{{ luks_options | default('discard,tries=3') }}"
+partitioning_luks_enabled: "{{ luks_enabled | bool }}"
+partitioning_luks_passphrase: "{{ luks_passphrase }}"
+partitioning_luks_mapper_name: "{{ luks_mapper_name }}"
+partitioning_luks_type: "{{ luks_type }}"
+partitioning_luks_cipher: "{{ luks_cipher }}"
+partitioning_luks_hash: "{{ luks_hash }}"
+partitioning_luks_iter_time: "{{ luks_iter_time }}"
+partitioning_luks_key_size: "{{ luks_key_size }}"
+partitioning_luks_pbkdf: "{{ luks_pbkdf }}"
+partitioning_luks_use_urandom: "{{ luks_use_urandom | bool }}"
+partitioning_luks_verify_passphrase: "{{ luks_verify_passphrase | bool }}"
+partitioning_luks_auto_decrypt: "{{ luks_auto_decrypt | bool }}"
+partitioning_luks_auto_decrypt_method: "{{ luks_auto_decrypt_method }}"
+partitioning_luks_tpm2_device: "{{ luks_tpm2_device }}"
+partitioning_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
+partitioning_luks_keyfile_size: "{{ luks_keyfile_size }}"
+partitioning_luks_options: "{{ luks_options }}"
 partitioning_boot_partition_suffix: 1
 partitioning_main_partition_suffix: 2
-partitioning_efi_size_mib: 50
+partitioning_efi_size_mib: 512
+partitioning_efi_start_mib: 1
+partitioning_efi_end_mib: "{{ (partitioning_efi_start_mib | int) + (partitioning_efi_size_mib | int) }}"
 partitioning_boot_size_mib: 1024
 partitioning_separate_boot: >-
  {{
    (partitioning_luks_enabled | bool)
-    and (os | default('') | lower not in ['archlinux'])
+    and (os | lower not in ['archlinux'])
  }}
 partitioning_boot_fs_fstype: >-
  {{
-    (filesystem | default('') | lower)
-    if (filesystem | default('') | lower) != 'btrfs'
-    else ('xfs' if (is_rhel | default(false)) else 'ext4')
+    (filesystem | lower)
+    if (filesystem | lower) != 'btrfs'
+    else ('xfs' if is_rhel else 'ext4')
  }}
 partitioning_boot_fs_partition_suffix: >-
  {{
@@ -46,11 +49,11 @@ partitioning_efi_mountpoint: >-
    if (partitioning_separate_boot | bool)
    else (
      '/boot/efi'
-      if (is_rhel | default(false)) or (os | default('') | lower in ['ubuntu', 'ubuntu-lts'])
+      if is_rhel or (os | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts'])
      else '/boot'
    )
  }}
-partitioning_boot_end_mib: "{{ (partitioning_efi_size_mib | int) + (partitioning_boot_size_mib | int) }}"
+partitioning_boot_end_mib: "{{ (partitioning_efi_end_mib | int) + (partitioning_boot_size_mib | int) }}"
 partitioning_reserved_gb: >-
  {{
    (
@@ -63,13 +66,14 @@ partitioning_layout: >-
    [
      {
        'number': 1,
-        'part_end': (partitioning_efi_size_mib | string) + 'MiB',
+        'part_start': (partitioning_efi_start_mib | string) + 'MiB',
+        'part_end': (partitioning_efi_end_mib | string) + 'MiB',
        'name': 'efi',
        'flags': ['boot', 'esp']
      },
      {
        'number': 2,
-        'part_start': (partitioning_efi_size_mib | string) + 'MiB',
+        'part_start': (partitioning_efi_end_mib | string) + 'MiB',
        'part_end': (partitioning_boot_end_mib | string) + 'MiB',
        'name': 'boot'
      },
@@ -83,13 +87,14 @@ partitioning_layout: >-
    [
      {
        'number': 1,
-        'part_end': (partitioning_efi_size_mib | string) + 'MiB',
+        'part_start': (partitioning_efi_start_mib | string) + 'MiB',
+        'part_end': (partitioning_efi_end_mib | string) + 'MiB',
        'name': 'boot',
        'flags': ['boot', 'esp']
      },
      {
        'number': 2,
-        'part_start': (partitioning_efi_size_mib | string) + 'MiB',
+        'part_start': (partitioning_efi_end_mib | string) + 'MiB',
        'name': 'root'
      }
    ]
@@ -107,8 +112,24 @@ partitioning_root_device: >-
    if (partitioning_luks_enabled | bool)
    else install_drive ~ (partitioning_root_partition_suffix | string)
  }}
-partitioning_vm_size_effective: "{{ (partitioning_vm_size | default(vm_size | default(0))) | float }}"
-partitioning_vm_memory_effective: "{{ (partitioning_vm_memory | default(vm_memory | default(0))) | float }}"
+partitioning_vm_size_effective: >-
+  {{
+    (
+      partitioning_vm_size
+      if (partitioning_vm_size is defined and (partitioning_vm_size | float) > 0)
+      else (vm_size if vm_size is defined else 0)
+    )
+    | float
+  }}
+partitioning_vm_memory_effective: >-
+  {{
+    (
+      partitioning_vm_memory
+      if (partitioning_vm_memory is defined and (partitioning_vm_memory | float) > 0)
+      else (vm_memory if vm_memory is defined else 0)
+    )
+    | float
+  }}
 partitioning_swap_size_gb: >-
  {{
    ((partitioning_vm_memory_effective / 1024) >= 16.0)
--- a/roles/partitioning/tasks/btrfs.yml
+++ b/roles/partitioning/tasks/btrfs.yml
@@ -10,7 +10,7 @@
          {{
            '-K'
            if (partitioning_luks_enabled | bool)
-            and not ('discard' in (partitioning_luks_options | default('') | lower))
+            and not ('discard' in (partitioning_luks_options | lower))
            else omit
          }}

@@ -28,7 +28,7 @@
      changed_when: false

    - name: Make root subvolumes
-      when: cis | bool or item.subvol not in ['var_log_audit']
+      when: cis_enabled or item.subvol not in ['var_log_audit']
      ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
      args:
        creates: /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
@@ -43,7 +43,7 @@
      register: partitioning_btrfs_subvol_result

    - name: Set quotas for subvolumes
-      when: cis | bool
+      when: cis_enabled
      ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
      loop:
        - {subvol: home, quota: 2G}
--- a/roles/partitioning/tasks/ext4.yml
+++ b/roles/partitioning/tasks/ext4.yml
@@ -1,6 +1,6 @@
 ---
 - name: Create and format ext4 logical volumes
-  when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
+  when: cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
  community.general.filesystem:
    dev: /dev/sys/{{ item.lv }}
    fstype: ext4
@@ -13,7 +13,7 @@
    - {lv: var_log_audit}

 - name: Remove Unsupported features for older Systems
-  when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky']) and (cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'])
+  when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky']) and (cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'])
  ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}"
  loop:
    - {lv: root}
--- a/roles/partitioning/tasks/main.yml
+++ b/roles/partitioning/tasks/main.yml
@@ -1,8 +1,8 @@
 ---
 - name: Detect system memory for swap sizing
  when:
-    - partitioning_vm_memory is not defined
-    - vm_memory is not defined
+    - partitioning_vm_memory is not defined or (partitioning_vm_memory | float) <= 0
+    - vm_memory is not defined or (vm_memory | float) <= 0
  block:
    - name: Read system memory
      ansible.builtin.command: awk '/MemTotal/ {print int($2/1024)}' /proc/meminfo
@@ -17,9 +17,9 @@
 - name: Set partitioning vm_size for physical installs
  when:
    - install_type == "physical"
-    - partitioning_vm_size is not defined
-    - vm_size is not defined
-    - install_drive is defined
+    - partitioning_vm_size is not defined or (partitioning_vm_size | float) <= 0
+    - vm_size is not defined or (vm_size | float) <= 0
+    - install_drive | length > 0
  block:
    - name: Detect install drive size
      ansible.builtin.command: "lsblk -b -dn -o SIZE {{ install_drive }}"
@@ -157,7 +157,7 @@
  when: partitioning_luks_enabled | bool
  vars:
    partitioning_luks_passphrase_effective: >-
-      {{ (partitioning_luks_passphrase | default(luks_passphrase | default(''))) | string }}
+      {{ partitioning_luks_passphrase | string }}
  block:
    - name: Validate LUKS passphrase
      ansible.builtin.assert:
@@ -207,7 +207,7 @@
            state: opened
            name: "{{ partitioning_luks_mapper_name }}"
            passphrase: "{{ partitioning_luks_passphrase_effective }}"
-            allow_discards: "{{ 'discard' in (partitioning_luks_options | default('') | lower) }}"
+            allow_discards: "{{ 'discard' in (partitioning_luks_options | lower) }}"
          register: partitioning_luks_open_result
          no_log: true
      rescue:
@@ -235,7 +235,7 @@
            state: opened
            name: "{{ partitioning_luks_mapper_name }}"
            passphrase: "{{ partitioning_luks_passphrase_effective }}"
-            allow_discards: "{{ 'discard' in (partitioning_luks_options | default('') | lower) }}"
+            allow_discards: "{{ 'discard' in (partitioning_luks_options | lower) }}"
          register: partitioning_luks_open_retry
          no_log: true

@@ -257,7 +257,59 @@
        pvs: "{{ partitioning_root_device }}"

    - name: Create LVM logical volumes
-      when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
+      when: cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
+      vars:
+        partitioning_lvm_swap_target_gb: >-
+          {{
+            (
+              ((partitioning_vm_memory_effective | float / 1024) > 16.0)
+              | ternary(
+                  (partitioning_vm_memory_effective | float / 2048) | int,
+                  (partitioning_vm_memory_effective | float / 1024)
+                )
+            ) | float
+          }}
+        partitioning_lvm_available_gb: >-
+          {{
+            (
+              (partitioning_vm_size_effective | float)
+              - (partitioning_reserved_gb | float)
+              - (cis_enabled | ternary(7.5, 0))
+              - partitioning_lvm_swap_target_gb
+            ) | float
+          }}
+        partitioning_lvm_root_gb: >-
+          {{
+            [
+              (
+                ((partitioning_lvm_available_gb | float) < 4)
+                | ternary(
+                    4,
+                    (
+                      ((partitioning_lvm_available_gb | float) > 12)
+                      | ternary(
+                          ((partitioning_vm_size_effective | float) * 0.4)
+                          | round(0, 'ceil'),
+                          partitioning_lvm_available_gb
+                        )
+                    )
+                  )
+              ),
+              4
+            ] | max
+          }}
+        partitioning_lvm_swap_gb: >-
+          {{
+            ((partitioning_lvm_available_gb | float) < 4)
+            | ternary(
+                (
+                  (partitioning_lvm_available_gb | float)
+                  + (partitioning_lvm_swap_target_gb | float)
+                  - 4
+                ),
+                partitioning_lvm_swap_target_gb
+              )
+          }}
      community.general.lvol:
        vg: sys
        lv: "{{ item.lv }}"
@@ -265,27 +317,9 @@
        state: present
      loop:
        - lv: root
-          size: >-
-            {{ [(((((partitioning_vm_size_effective | float) - (partitioning_reserved_gb | float) - ((cis | bool) | ternary(7.5, 0)) - (((partitioning_vm_memory_effective | float / 1024) > 16.0)
-                 | ternary(((partitioning_vm_memory_effective | float / 2048) | int), (partitioning_vm_memory_effective | float / 1024)))) < 4)
-                 | ternary(4,((((partitioning_vm_size_effective | float) - (partitioning_reserved_gb | float) - ((cis | bool) | ternary(7.5, 0)) -
-                (((partitioning_vm_memory_effective | float / 1024) > 16.0)
-                 | ternary(
-                     ((partitioning_vm_memory_effective | float / 2048) | int),
-                     (partitioning_vm_memory_effective | float / 1024)
-                   )))
-            > 12)
-                  | ternary(((partitioning_vm_size_effective | float) * 0.4) | round(0, 'ceil'),((partitioning_vm_size_effective | float) - (partitioning_reserved_gb | float) - ((cis | bool)
-                  | ternary(7.5, 0)) - (((partitioning_vm_memory_effective | float / 1024) > 16.0)
-                  | ternary(((partitioning_vm_memory_effective | float / 2048) | int), (partitioning_vm_memory_effective | float / 1024))))))))), 4 ] | max | string +
-            'G' }}
+          size: "{{ partitioning_lvm_root_gb | string + 'G' }}"
        - lv: swap
-          size: >-
-            {{ ((((partitioning_vm_size_effective | float) - (partitioning_reserved_gb | float) - ((cis | bool) | ternary(7.5, 0))) - (((partitioning_vm_memory_effective | float / 1024) > 16.0)
-                | ternary(((partitioning_vm_memory_effective | float / 2048) | int), (partitioning_vm_memory_effective | float / 1024)))) < 4)
-                | ternary((((partitioning_vm_size_effective | float) - (partitioning_reserved_gb | float) - ((cis | bool) | ternary(7.5, 0))) - 4), (((partitioning_vm_memory_effective | float / 1024)
-            > 16.0)
-                | ternary(((partitioning_vm_memory_effective | float / 2048) | int), (partitioning_vm_memory_effective | float / 1024)))) | string + 'G' }}
+          size: "{{ partitioning_lvm_swap_gb | string + 'G' }}"
        - lv: home
          size: "{{ ([([(((partitioning_vm_size_effective | float) - 20) * 0.1), 2] | max), 20] | min) | string + 'G' }}"
        - {lv: var, size: "2G"}
@@ -346,7 +380,7 @@
      changed_when: false

    - name: Get UUIDs for LVM filesystems
-      when: filesystem != 'btrfs' and (cis | bool or item not in ['home', 'var', 'var_log', 'var_log_audit'])
+      when: filesystem != 'btrfs' and (cis_enabled or item not in ['home', 'var', 'var_log', 'var_log_audit'])
      ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }}
      loop:
        - root
@@ -363,18 +397,18 @@
      ansible.builtin.set_fact:
        partitioning_uuid_root: "{{ partitioning_uuid_result.results[0].stdout_lines }}"
        partitioning_uuid_swap: "{{ partitioning_uuid_result.results[1].stdout_lines }}"
-        partitioning_uuid_home: "{{ partitioning_uuid_result.results[2].stdout_lines if cis | bool else '' }}"
-        partitioning_uuid_var: "{{ partitioning_uuid_result.results[3].stdout_lines if cis | bool else '' }}"
-        partitioning_uuid_var_log: "{{ partitioning_uuid_result.results[4].stdout_lines if cis | bool else '' }}"
-        partitioning_uuid_var_log_audit: "{{ partitioning_uuid_result.results[5].stdout_lines if cis | bool else '' }}"
+        partitioning_uuid_home: "{{ partitioning_uuid_result.results[2].stdout_lines if cis_enabled else '' }}"
+        partitioning_uuid_var: "{{ partitioning_uuid_result.results[3].stdout_lines if cis_enabled else '' }}"
+        partitioning_uuid_var_log: "{{ partitioning_uuid_result.results[4].stdout_lines if cis_enabled else '' }}"
+        partitioning_uuid_var_log_audit: "{{ partitioning_uuid_result.results[5].stdout_lines if cis_enabled else '' }}"

 - name: Mount filesystems
  block:
    - name: Mount filesystems and subvolumes
      when:
        - >-
-            cis | bool or (
-              not cis and (
+            cis_enabled or (
+              not cis_enabled and (
                (filesystem == 'btrfs' and item.path in ['/home', '/var/log', '/var/cache/pacman/pkg'])
                or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit', '/var/cache/pacman/pkg'])
              )
--- a/roles/partitioning/tasks/xfs.yml
+++ b/roles/partitioning/tasks/xfs.yml
@@ -1,6 +1,6 @@
 ---
 - name: Create and format XFS logical volumes
-  when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
+  when: cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
  community.general.filesystem:
    dev: /dev/sys/{{ item.lv }}
    fstype: xfs
--- a/roles/virtualization/defaults/main.yml
+++ b/roles/virtualization/defaults/main.yml
@@ -1,11 +1,19 @@
 ---
+virtualization_libvirt_image_dir: >-
+  {{ vm_path if vm_path is defined and vm_path | length > 0 else '/var/lib/libvirt/images' }}
+virtualization_libvirt_disk_path: >-
+  {{ [virtualization_libvirt_image_dir, hostname ~ '.qcow2'] | ansible.builtin.path_join }}
+virtualization_libvirt_cloudinit_path: >-
+  {{ [virtualization_libvirt_image_dir, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}
+virtualization_mac_address: >-
+  {{ '52:54:00' | community.general.random_mac(seed=hostname) }}
+
 virtualization_tpm2_enabled: >-
  {{
-    (partitioning_luks_enabled | default(luks_enabled | default(false)) | bool)
-    and (partitioning_luks_auto_decrypt | default(luks_auto_decrypt | default(true)) | bool)
+    (partitioning_luks_enabled | bool)
+    and (partitioning_luks_auto_decrypt | bool)
    and (
-      (partitioning_luks_auto_decrypt_method | default(luks_auto_decrypt_method | default('tpm2')))
-      | lower
+      (partitioning_luks_auto_decrypt_method | lower)
      == 'tpm2'
    )
  }}
--- a/roles/virtualization/tasks/libvirt.yml
+++ b/roles/virtualization/tasks/libvirt.yml
@@ -1,16 +1,4 @@
 ---
- name: Set libvirt image paths
-  delegate_to: localhost
-  vars:
-    virtualization_libvirt_image_dir_value: "{{ vm_path | default('/var/lib/libvirt/images') }}"
-  ansible.builtin.set_fact:
-    virtualization_libvirt_image_dir: "{{ virtualization_libvirt_image_dir_value }}"
-    virtualization_libvirt_disk_path: >-
-      {{ [virtualization_libvirt_image_dir_value, hostname ~ '.qcow2'] | ansible.builtin.path_join }}
-    virtualization_libvirt_cloudinit_path: >-
-      {{ [virtualization_libvirt_image_dir_value, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}
-  changed_when: false
-
 - name: Create VM disk
  delegate_to: localhost
  ansible.builtin.command:
@@ -23,13 +11,6 @@
      - "{{ vm_size }}G"
    creates: "{{ virtualization_libvirt_disk_path }}"

- name: Generate VM MAC address
-  delegate_to: localhost
-  ansible.builtin.set_fact:
-    virtualization_mac_address: >-
-      {{ '52:54:00' | community.general.random_mac(seed=hostname) }}
-  changed_when: false
-
 - name: Render cloud config templates
  delegate_to: localhost
  ansible.builtin.template:
--- a/roles/virtualization/tasks/proxmox.yml
+++ b/roles/virtualization/tasks/proxmox.yml
@@ -2,7 +2,7 @@
 - name: Deploy VM on Proxmox
  delegate_to: localhost
  vars:
-    virtualization_dns_value: "{{ vm_dns | default('') }}"
+    virtualization_dns_value: "{{ vm_dns if vm_dns is defined else '' }}"
    virtualization_dns_list_raw: >-
      {{
        virtualization_dns_value
@@ -11,7 +11,7 @@
      }}
    virtualization_dns_list: >-
      {{ virtualization_dns_list_raw | map('trim') | reject('equalto', '') | list }}
-    virtualization_search_value: "{{ vm_dns_search | default('') }}"
+    virtualization_search_value: "{{ vm_dns_search if vm_dns_search is defined else '' }}"
    virtualization_search_list_raw: >-
      {{
        virtualization_search_value
@@ -33,7 +33,7 @@
    cpu: host
    cores: "{{ vm_cpus }}"
    memory: "{{ vm_memory }}"
-    balloon: "{{ vm_ballo | default(omit) }}"
+    balloon: "{{ vm_ballo if vm_ballo is defined and vm_ballo | int > 0 else omit }}"
    numa_enabled: true
    hotplug: network,disk
    update: "{{ virtualization_tpm2_enabled | bool }}"
@@ -57,14 +57,14 @@
      }}
    ide:
      ide0: "{{ boot_iso }},media=cdrom"
-      ide1: "{{ rhel_iso + ',media=cdrom' if rhel_iso is defined else omit }}"
+      ide1: "{{ rhel_iso + ',media=cdrom' if rhel_iso is defined and rhel_iso | length > 0 else omit }}"
      ide2: "{{ hypervisor_storage }}:cloudinit"
    net:
-      net0: virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %}
+      net0: virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name | length > 0 %},tag={{ vlan_name }}{% endif %}
    ipconfig:
      ipconfig0: >-
        {{
-          'ip=' ~ vm_ip ~ '/' ~ (vm_nms | default(24))
+          'ip=' ~ vm_ip ~ '/' ~ vm_nms
          ~ (',gw=' ~ vm_gw if vm_gw is defined and vm_gw | length else '')
          if vm_ip is defined and vm_ip | length
          else 'ip=dhcp'
--- a/roles/virtualization/tasks/vmware.yml
+++ b/roles/virtualization/tasks/vmware.yml
@@ -8,11 +8,11 @@
    validate_certs: false
    datacenter: "{{ hypervisor_datacenter }}"
    cluster: "{{ hypervisor_cluster }}"
-    folder: "{{ vm_path | default(omit) }}"
+    folder: "{{ vm_path if vm_path is defined and vm_path | length > 0 else omit }}"
    name: "{{ hostname }}"
    guest_id: otherLinux64Guest
    annotation: |
-      {{ note | default('') }}
+      {{ note if note is defined else '' }}
    state: "{{ 'poweredoff' if virtualization_tpm2_enabled | bool else 'poweredon' }}"
    disk:
      - size_gb: "{{ vm_size }}"
@@ -41,12 +41,12 @@
            "state": "present",
            "type": "iso",
            "iso_path": rhel_iso
-          } ] if rhel_iso is defined and rhel_iso|length > 0 else [] )
+          } ] if rhel_iso is defined and rhel_iso | length > 0 else [] )
      }}
    networks:
      - name: "{{ vm_nif }}"
        type: dhcp
-        vlan: "{{ vlan_name | default(omit) }}"
+        vlan: "{{ vlan_name if vlan_name is defined and vlan_name | length > 0 else omit }}"

 - name: Ensure vTPM2 is enabled when required
  when: virtualization_tpm2_enabled | bool
@@ -57,7 +57,7 @@
    password: "{{ hypervisor_password }}"
    validate_certs: false
    datacenter: "{{ hypervisor_datacenter }}"
-    folder: "{{ vm_path | default(omit) }}"
+    folder: "{{ vm_path if vm_path is defined and vm_path | length > 0 else omit }}"
    name: "{{ hostname }}"
    state: present

--- a/roles/virtualization/templates/cloud-network-config.yml.j2
+++ b/roles/virtualization/templates/cloud-network-config.yml.j2
@@ -5,15 +5,15 @@ network:
      match:
        macaddress: "{{ virtualization_mac_address }}"
 {% set has_static = vm_ip is defined and vm_ip | length %}
-{% set dns_value = vm_dns | default('') %}
+{% set dns_value = vm_dns if vm_dns is defined else '' %}
 {% set dns_list_raw = dns_value if dns_value is iterable and dns_value is not string else dns_value.split(',') %}
 {% set dns_list = dns_list_raw | map('trim') | reject('equalto', '') | list %}
-{% set search_value = vm_dns_search | default('') %}
+{% set search_value = vm_dns_search if vm_dns_search is defined else '' %}
 {% set search_list_raw = search_value if search_value is iterable and search_value is not string else search_value.split(',') %}
 {% set search_list = search_list_raw | map('trim') | reject('equalto', '') | list %}
 {% if has_static %}
      addresses:
-        - "{{ vm_ip }}/{{ vm_nms | default(24) }}"
+        - "{{ vm_ip }}/{{ vm_nms }}"
 {% if vm_gw is defined and vm_gw | length %}
      gateway4: "{{ vm_gw }}"
 {% endif %}
--- a/roles/virtualization/templates/vm.xml.j2
+++ b/roles/virtualization/templates/vm.xml.j2
@@ -1,7 +1,7 @@
 <domain type='kvm'>
  <name>{{ hostname }}</name>
  <memory>{{ vm_memory | int * 1024 }}</memory>
-  {% if vm_ballo is defined %}<currentMemory>{{ vm_ballo | int * 1024 }}</currentMemory>{% endif %}
+  {% if vm_ballo is defined and vm_ballo | int > 0 %}<currentMemory>{{ vm_ballo | int * 1024 }}</currentMemory>{% endif %}
  <vcpu placement='static'>{{ vm_cpus }}</vcpu>
  <os>
    <type arch='x86_64' machine="pc-q35-8.0">hvm</type>
@@ -37,7 +37,7 @@
      <source file="{{ virtualization_libvirt_cloudinit_path }}"/>
      <target dev="sdb" bus="sata"/>
    </disk>
-    {% if rhel_iso is defined %}
+    {% if rhel_iso is defined and rhel_iso | length > 0 %}
    <disk type="file" device="cdrom">
      <driver name="qemu" type="raw"/>
      <source file="{{ rhel_iso }}"/>
@@ -49,7 +49,7 @@
      <source network='default'/>
      <model type='virtio'/>
    </interface>
-    {% if virtualization_tpm2_enabled | default(false) %}
+    {% if virtualization_tpm2_enabled %}
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'/>
    </tpm>
--- a/vars_baremetal_example.yml
+++ b/vars_baremetal_example.yml
@@ -6,6 +6,10 @@ install_drive: "/dev/sda"
 os: "archlinux"
 filesystem: "btrfs"

+cis: false
+selinux: true
+firewalld_enabled: true
+
 luks_enabled: true
 luks_passphrase: "1234"
 luks_mapper_name: "SYSTEM_DECRYPTED"
--- a/vars_example.yml
+++ b/vars_example.yml
@@ -5,6 +5,9 @@ vm_ip: "{{ inventory_hostname }}"
 install_type: "virtual"
 install_drive: "/dev/sda"  # Use /dev/vda for virtio/libvirt.
 custom_iso: false  # Set true to skip ArchISO-specific validation and pacman setup.
+cis: false  # Set true to enable CIS hardening.
+selinux: true  # Toggle SELinux where supported.
+firewalld_enabled: true  # Toggle firewalld package and service.

 hypervisor_url: "pve01.example.com"
 hypervisor_username: "root@pam"
Author	SHA1	Message	Date
Sandwich	82a1548b2e	Align ESP sizing to full 512 MiB	2026-01-02 15:10:35 +01:00
Sandwich	95b793885a	Mount Debian ESP on /boot/efi without LUKS	2026-01-02 15:10:35 +01:00
Sandwich	f7c020de52	Drop vars.yml usage	2026-01-02 15:10:35 +01:00
Sandwich	7e4c2d87e2	Make inventory examples more generic	2026-01-02 15:10:34 +01:00
Sandwich	bc6bd2823f	Inline extra package normalization	2026-01-02 15:10:34 +01:00
Sandwich	01e0ea8b4b	Move pre-tasks into global defaults	2026-01-02 15:10:34 +01:00
Sandwich	75395cc8d2	Drop custom_iso_enabled and log defaults	2026-01-02 15:10:34 +01:00
Sandwich	be80c4096c	Restore global defaults lint exclusion	2026-01-02 15:10:34 +01:00
Sandwich	f8e3ce62d4	Map global defaults in playbook	2026-01-02 15:10:34 +01:00
Sandwich	78316a8946	Fix lint formatting and exceptions	2026-01-02 15:10:34 +01:00
Sandwich	5226206cab	Increase EFI system partition size	2026-01-02 15:10:34 +01:00
Sandwich	d9e42c0c84	Add Molecule scaffolding	2026-01-02 11:26:21 +01:00
Sandwich	b9484dadab	Add libvirt inventory matrix example	2026-01-02 11:26:06 +01:00
Sandwich	230b14e2ab	Move derived vars into role defaults	2026-01-02 11:25:51 +01:00
Sandwich	f9a8791b4d	Add firewalld_enabled toggle	2026-01-02 11:25:40 +01:00
Sandwich	f46dea0748	Define optional defaults and require vm_cpus	2026-01-02 11:25:06 +01:00
Sandwich	b1eedd30dc	Move partitioning LUKS defaults into role	2026-01-02 11:23:31 +01:00
Sandwich	98d0a4954d	Remove defaults for required vars	2025-12-28 17:10:00 +01:00
Sandwich	fd37b4ee96	Move global defaults into role defaults	2025-12-28 16:47:53 +01:00
Sandwich	7fe2a0dcc1	Normalize user-facing defaults	2025-12-28 16:41:11 +01:00
Sandwich	cc77f646d7	Normalize LUKS boot layout and partitioning defaults	2025-12-28 16:00:49 +01:00
Sandwich	2be6117aac	Update Fedora to 43	2025-12-28 04:04:27 +01:00
Sandwich	232ab244ca	Restore Debian ESP mount layout	2025-12-28 02:24:33 +01:00
Sandwich	ef945d925a	Fix Debian initramfs regeneration	2025-12-28 01:54:14 +01:00
Sandwich	366299ea6d	Ensure initramfs-tools for Debian/Ubuntu	2025-12-28 01:29:26 +01:00
Sandwich	3da6894ff1	Enable GRUB cryptodisk defaults	2025-12-28 00:46:09 +01:00
Sandwich	e1db2ce434	Fix bootstrap package list rendering	2025-12-28 00:12:37 +01:00
Sandwich	ae4fb6f43c	Condition LUKS and guest tools in bootstrap vars	2025-12-27 23:52:06 +01:00
Sandwich	2c23ce6cbb	Fix Debian EFI mount layout	2025-12-27 23:49:21 +01:00
Sandwich	0211efbae7	Docs, examples, and tooling	2025-12-27 23:07:47 +01:00
Sandwich	dda1287f23	CIS role split and permission safety	2025-12-27 22:27:26 +01:00
Sandwich	f62dba3ed6	Cleanup refactor and libvirt removal tooling	2025-12-27 21:44:33 +01:00
Sandwich	f08855456a	Virtualization TPM2 and cloud-init fixes	2025-12-27 20:19:11 +01:00
Sandwich	4bce08e77b	Partitioning idempotency and filesystem tasks	2025-12-26 23:31:54 +01:00
Sandwich	72ec492a33	LUKS enrollment and RHEL cmdline/BLS	2025-12-26 22:09:08 +01:00
Sandwich	efad1b9a67	Configuration role refactor and network template	2025-12-26 20:38:42 +01:00
Sandwich	732784fa2d	Split bootstrap by OS	2025-12-25 22:12:19 +01:00
Sandwich	a71d27c29d	Playbook flow and environment prep	2025-12-25 20:47:37 +01:00
Sandwich	7953c2c285	Add Debian 13 (Trixie) support	2025-08-11 21:37:25 +02:00
Sandwich	7a1a44220b	Update doc to Fedora 42	2025-07-07 15:24:17 +02:00
Sandwich	970af5ff73	Fix rhel10 variable assertion	2025-07-06 04:36:55 +02:00
Sandwich	035189d326	use proper datacenter variable	2025-07-06 04:34:16 +02:00
Sandwich	ede6829a89	Update Fedora to 42	2025-07-06 04:28:59 +02:00
Sandwich	b9156a0cac	Use the proper property name	2025-06-24 16:57:18 +02:00
Sandwich	1c5f93e76f	Fix VM state after cleanup	2025-06-24 16:54:57 +02:00
Sandwich	fe635b0783	use proper filename for role variables	2025-06-17 06:34:39 +02:00
Sandwich	0b4d2320c0	Update ubuntu to plucky release	2025-06-17 03:57:58 +02:00
Sandwich	11f7af1d9f	Add rhel10 support	2025-06-17 03:13:30 +02:00
Sandwich	e3a52b889b	Add ncurses-term package to ubuntu for more legacy terminal descriptors	2025-05-30 09:48:55 +02:00
Sandwich	ff2e5fb6b8	Add ncurses-term package for legacy ssh client (terminal descriptors)	2025-05-30 09:14:21 +02:00
Sandwich	db62d360b7	Add vm_dns_search to hostname if set	2025-05-26 14:37:28 +02:00
Sandwich	3d3f1caa14	Improve SSH CIS hardening	2025-05-04 01:41:00 +02:00
Sandwich	200e73e3ef	Fix Typo	2025-04-29 20:30:02 +02:00
Sandwich	f5fda74cad	Improve Arch packages + Disable swap before unmounting	2025-04-29 20:28:55 +02:00
Sandwich	9e4ae3ae33	Document vmware_ssh variable	2025-03-25 13:13:06 +01:00
Sandwich	052c89aa3e	Fix vm creation when no rhel_iso for vmware	2025-02-20 16:00:39 +01:00
Sandwich	21e6edcf63	Increase max home size to 20GB	2025-02-18 21:39:58 +01:00
Sandwich	4961cc4b03	Add guest_id since its necessary	2025-02-17 21:38:56 +01:00
Sandwich	a7497dbb0e	Implement VMware annotation	2025-02-17 21:17:18 +01:00
Sandwich	c764c209cb	Improve Partition calculation algorithm	2025-02-17 20:43:45 +01:00
Sandwich	9096a8fc18	Add DNS Search option	2025-02-10 15:16:15 +01:00
Sandwich	236df77406	Update README regarding SELinux	2025-02-07 20:50:20 +01:00
Sandwich	ba6938b225	dont fail if selinux is undefined	2025-02-07 20:47:30 +01:00
Sandwich	919c2085d2	Remove motd files for rhel	2025-02-05 17:14:17 +01:00
Sandwich	55e7b5e98c	Enable option to disable selinux for all osses	2025-02-05 01:41:10 +01:00
Sandwich	ef81e6b121	Include Standard package group for RHEL systems	2025-02-05 00:02:37 +01:00
Sandwich	2cf2f71b9c	Make sure Volumes are safely unmounted before reboot	2025-01-22 12:34:00 +01:00
Sandwich	7b972053ef	Fix CIS applienc for RHEL8	2025-01-21 22:34:01 +01:00
Sandwich	1afe5155ce	Update package name to match correctly	2025-01-21 22:02:43 +01:00
Sandwich	67065520a2	Make sure the VM truly starts	2025-01-21 21:35:47 +01:00
Sandwich	b3b6376d81	Do not check if VM is back on vmware with cis activated, it will fail without the key, and key cannot be set otherwise awx refuses connection	2025-01-21 21:30:56 +01:00
Sandwich	9f14556ef6	Add banner	2025-01-21 20:16:05 +01:00
Sandwich	293b608c84	Add ssh key survey	2025-01-21 20:00:18 +01:00
Sandwich	50a7011de7	Add missing variable	2025-01-21 19:58:07 +01:00
Sandwich	8d0c948dff	CIS Adjustments	2025-01-21 19:55:36 +01:00
Sandwich	183ec709f6	Fix variable distribution	2025-01-21 17:43:18 +01:00
Sandwich	6dd32b5a63	Make Network Assignment more reliable	2025-01-21 16:59:56 +01:00
Sandwich	9fdf83aad3	Add nms default	2025-01-17 00:50:26 +01:00
Sandwich	15fc6e0dd1	Remove nms from ip since already addition already done internaly	2025-01-17 00:45:42 +01:00
Sandwich	f866502d47	Do not reboot localhost!	2025-01-17 00:38:35 +01:00
Sandwich	4291aa8c4a	Don't fail proxmox install if rhel_iso is not defined	2025-01-17 00:07:58 +01:00
Sandwich	6e8ac0283a	use 24 netmask as default if not set	2025-01-17 00:03:38 +01:00
Sandwich	c650c2b50c	Add extra utils	2025-01-14 21:14:40 +01:00
Sandwich	2cc06e3f7d	Set correct IP NetworkMask if defined	2025-01-14 16:08:10 +01:00
Sandwich	8ba12fe4bf	Fix typo	2025-01-14 15:03:06 +01:00
Sandwich	c72ccd06aa	Dont fail if vmware_ssh is not defined	2025-01-14 14:58:58 +01:00
Sandwich	bfadc82e82	Add dig via bind-utils for rhel	2024-12-03 16:42:47 +01:00
Sandwich	c1b5793cab	RHEL add python package	2024-12-03 13:31:31 +01:00
Sandwich	72dabe3107	Do not hardcode macaddress which makes vm cloning harder	2024-12-02 18:08:48 +01:00
Sandwich	0ff03d9d6f	Use RHEL nameing for yum repo file	2024-11-12 14:14:09 +01:00
Sandwich	247e3e6c3b	Fix DNS issue	2024-11-11 17:44:52 +01:00
Sandwich	d864a492ee	Adjust never libvirt loaders	2024-11-11 17:26:37 +01:00
Sandwich	2e7e4d6423	Add some extra packages and vi mode for bash	2024-11-05 03:36:15 +01:00
Sandwich	2d96b12367	Add final check if the VM is up and running after reboot	2024-11-01 23:58:52 +01:00
Sandwich	9f3d638381	Improve the root lv size calculations, still not perfect on bigger disk and ram sizes	2024-10-31 20:07:40 +01:00
Sandwich	88aebd5276	Preper Shutdown so VMware does not corrupt the installation	2024-10-31 18:27:31 +01:00
Sandwich	29a493bf13	improve logical volume size calculation	2024-10-31 17:32:27 +01:00
Sandwich	99e0fb9e5c	remove zram from debian11 since no support	2024-10-31 16:00:44 +01:00
Sandwich	8618f8cf03	remove zram for rhel8 since no support	2024-10-31 15:56:42 +01:00
Sandwich	ccc53081f4	dont use sudo for umount	2024-10-31 15:35:22 +01:00
Sandwich	46b7f56425	Add umount for non RHEL systems	2024-10-31 14:23:55 +01:00
Sandwich	3994d4192d	Fix ubuntu install issue	2024-10-31 05:56:20 +01:00
Sandwich	e22cf5cc60	Add SWAP support	2024-10-31 05:46:33 +01:00
Sandwich	08a35b2b6b	Add zram-generator config	2024-10-31 02:18:55 +01:00
Sandwich	e357c7881a	add zram-generator package	2024-10-31 02:10:21 +01:00
Sandwich	10d6095aad	Add swap optimalisations	2024-10-31 02:05:11 +01:00
Sandwich	fcc2ace185	Make root LV size dynamic based on VM disk size	2024-10-31 01:29:48 +01:00
Sandwich	e3d61d5fdc	improve VMware cleanup	2024-10-31 01:12:51 +01:00
Sandwich	1af1ea8ffb	Fix riski shell pipe	2024-10-31 00:43:49 +01:00
Sandwich	9ebfc500a2	Remove Cloud-init package which can cause issues with NetworkManager on bootup	2024-10-31 00:41:38 +01:00
Sandwich	8a655993bd	Include MAC-Address into the NetworkManager keyfile	2024-10-31 00:13:23 +01:00
Sandwich	ff4f9cdb07	umount disks before reboot	2024-10-30 23:48:36 +01:00
Sandwich	d8d4371195	Remove VMWare static since not applicable	2024-10-30 23:18:27 +01:00
Sandwich	fea97ba140	Fix DISK removal at cleanup	2024-10-30 23:10:53 +01:00
Sandwich	72305d48a3	Fix variable hierarchy	2024-10-30 22:19:00 +01:00
Sandwich	03cc238237	Fix ISO mounting for VMware Hypervisor	2024-10-30 20:25:41 +01:00
Sandwich	5328d7cce3	Different aproche for ISO mounting	2024-10-30 19:30:12 +01:00
Sandwich	785667c0d6	Adjust controllerID for RHEL ISO for correct mounting	2024-10-30 19:23:01 +01:00
Sandwich	4cfde890f3	Allow passwordless ssh for VMware Setup	2024-10-30 19:12:36 +01:00
Sandwich	5bc981ffc7	Speed up setup on VMware if ssh is available	2024-10-30 18:59:32 +01:00
Sandwich	510bf0af89	Enable root ssh login	2024-10-30 18:54:15 +01:00
Sandwich	fa175eeb78	set cis default value	2024-10-30 18:14:29 +01:00
Sandwich	42b38f0d02	Improve Ip set on VMware hypervisors	2024-10-30 18:04:46 +01:00
Sandwich	98bdb9b824	Fix VM Connection if hypervisor is VMware	2024-10-30 17:57:22 +01:00
Sandwich	d499e222bb	Fix recursion	2024-10-30 17:09:22 +01:00
Sandwich	1201fe8f4b	fix jinja syntax	2024-10-30 17:05:50 +01:00
Sandwich	5742a9fd78	Move hypervisor and disk variable from main playbook	2024-10-30 16:58:22 +01:00
Sandwich	0c82d4da87	lower connection timeout	2024-10-30 16:48:23 +01:00
Sandwich	5930ef0759	Change VMware boot order to boot correctly from ArchISO	2024-10-30 15:59:16 +01:00
Sandwich	6e60a6e4b4	Fix VMware Network if no VLAN specified	2024-10-30 15:48:22 +01:00
Sandwich	0a3363f725	use the correct NetworkMask variable name	2024-10-30 14:38:25 +01:00
Sandwich	367a77945e	Add network mask variables for Hypervisor static IP assigments	2024-10-30 14:33:38 +01:00
Sandwich	b6ab48d062	move vm_ip back since it is not a permanent/static variable	2024-10-30 14:10:37 +01:00
Sandwich	8cc54806c1	Move some persstent Vars to main playbook	2024-10-30 14:01:07 +01:00
Sandwich	bcbddf0955	Recommend Ansible Vault for variables storing secrets	2024-10-30 13:45:19 +01:00
Sandwich	111cb79f2f	Add missing RHEL variable examples	2024-10-30 00:49:37 +01:00
Sandwich	c437e4c43d	Assertion for minimum filesystem size	2024-10-30 00:44:19 +01:00
Sandwich	d164b6a573	remove deperacted parameter causing sshd startup fails	2024-10-30 00:32:08 +01:00
Sandwich	1e625fd138	Add RHEL8 and RHEL9 support	2024-10-30 00:29:46 +01:00
Sandwich	051b7a376f	Update Ubuntu to Oracular Oriole and Ubuntu-LTS to Noble Numbat	2024-10-29 15:08:43 +01:00
Sandwich	77b5920ddb	Remove SSH Config multiline since OpenSSH does not support it	2024-10-29 14:25:53 +01:00
Sandwich	61fdf1461a	Update Fedora to Version 41	2024-10-29 14:17:01 +01:00
Sandwich	6c311159d8	Disable Cloud-init updates on boot to prevent loopdevice out of storage	2024-10-29 12:59:50 +01:00
Sandwich	7e6d8e73b4	Use command module instead of shell if possible	2024-10-28 21:15:10 +01:00
Sandwich	7374b0a4e2	Fix command module formating	2024-10-28 21:07:33 +01:00
Sandwich	ab694ef49c	Fix connection DNS resolving inside chroot	2024-10-28 20:26:15 +01:00
Sandwich	48cedc8efc	ensure variable is not empty	2024-10-28 19:25:49 +01:00
Sandwich	ca5caba602	Specify changed_when for shell commands	2024-10-28 19:20:05 +01:00
Sandwich	9ad4e96806	Replace ignore_errors with failed_when	2024-10-28 18:56:00 +01:00
Sandwich	6e2f081794	fix risky-shell-pipe	2024-10-28 18:47:31 +01:00
Sandwich	8ac881ada1	Fix risky-file-permissions because of unpecified mode	2024-10-28 18:37:44 +01:00
Sandwich	446736da3b	Fix line-length	2024-10-28 18:26:54 +01:00
Sandwich	15706c5d84	Adjust literal-compare to use correct bool comparison	2024-10-28 17:17:24 +01:00
Sandwich	2cba40508b	dont use ignore-errors	2024-07-11 22:31:13 +02:00
Sandwich	d8f39e855c	add missing task name	2024-07-11 22:22:43 +02:00
Sandwich	86656f6dbb	ansible-lint fixes	2024-07-11 22:20:45 +02:00
Sandwich	3af9ccddf2	use correct boolean values	2024-07-11 22:09:58 +02:00
Sandwich	b2fa0ab91d	fix jinja formating	2024-07-11 22:03:15 +02:00
Sandwich	8fef1b695b	remove btrfs quota limits	2024-05-21 14:20:28 +02:00
Sandwich	1130c1688a	correct README	2024-04-17 14:38:47 +02:00
Sandwich	3d56456ad4	Add supported distro to the README	2024-04-17 14:37:47 +02:00
Sandwich	2b97049dec	fix cis support for all distros	2024-04-17 14:09:32 +02:00
Sandwich	82118be5f9	add ubuntu-lts support	2024-04-17 12:17:19 +02:00
Sandwich	92a0f18240	add ubuntu support	2024-04-17 10:53:09 +02:00
Sandwich	bd8ae76703	fix fedora boot issue	2024-04-17 06:02:32 +02:00
Sandwich	a3d2452cd6	add essential almalinux packages	2024-04-17 05:06:45 +02:00
Sandwich	8cdf32e85e	install dnf if {{ os }} is fedora	2024-04-17 04:47:33 +02:00
Sandwich	58e9ded653	add rocky to README example	2024-04-17 04:39:29 +02:00
Sandwich	187c5feac2	Add essential rockylinux packages	2024-04-17 04:32:11 +02:00
Sandwich	d21351aed9	Add en and de langauge support for rockylinux	2024-04-17 04:19:32 +02:00
Sandwich	559fa6eab7	Add cloud-init support	2024-04-16 01:17:48 +02:00
Sandwich	7ac696393a	Add RockyLinux support	2024-04-16 01:14:12 +02:00
Sandwich	bf1ee09d48	Add RockyLinux support	2024-04-16 01:14:05 +02:00
Sandwich	f65d8cff98	Add RockyLinux Repo file	2024-04-15 21:30:04 +02:00
Sandwich	f698e04779	move assertion list to main playbook	2024-04-15 21:23:32 +02:00
Sandwich	1272a30e2e	Enable systemd-resolved and systemd-timesyncd services for ArchLinux	2024-03-28 03:50:04 +01:00
Sandwich	3a512213d0	Update gitignore	2024-03-22 12:48:49 +01:00
Sandwich	689be63a16	Add inventory example in yaml	2024-03-22 12:43:13 +01:00