sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sandwich:f94b220020b0ae664330ae116d25af35e93cd184
Branches Tags
sandwich:master
...
compare: sandwich:a76f317f8fcb96b60c8f317c7b7a78bb88ba5dd0
Branches Tags
sandwich:master

7 Commits
f94b220020 ... a76f317f8f

Author SHA1 Message Date
Sandwich
a76f317f8f refactor(bootstrap): restructure package lists to self-contained per-OS dicts with base/extra/conditional 2026-02-21 02:39:06 +01:00
Sandwich
e5bd152fb3 refactor(environment): split main.yml into focused sub-task files 2026-02-21 02:39:05 +01:00
Sandwich
6d1c3577df refactor(global_defaults): add idempotency guards to normalization tasks 2026-02-21 02:39:03 +01:00
Sandwich
86f0284acb fix(global_defaults): default interface name to eth0 instead of empty string 2026-02-21 02:38:59 +01:00
Sandwich
221bb4d517 docs(cis): add comment explaining squashfs/snap Ubuntu exclusion 2026-02-21 02:38:58 +01:00
Sandwich
e81ba76446 chore(bootstrap): pin collection versions in requirements.yml 2026-02-21 02:38:57 +01:00
Sandwich
54bbb9d15c fix(bootstrap): move Jinja to end of task name and rename registers to bootstrap_dnf_* 2026-02-21 02:38:27 +01:00
19 changed files with 751 additions and 543 deletions
Expand all files Collapse all files

7
collections/requirements.yml
View File

@@ -1,9 +1,16 @@
--- ---
collections: collections:
- name: ansible.posix - name: ansible.posix
version: "2.1.0"
- name: community.general - name: community.general
version: "12.3.0"
- name: community.libvirt - name: community.libvirt
version: "2.0.0"
- name: community.crypto - name: community.crypto
version: "3.1.0"
- name: community.proxmox - name: community.proxmox
version: "1.5.0"
- name: community.vmware - name: community.vmware
version: "6.2.0"
- name: vmware.vmware - name: vmware.vmware
version: "2.7.0"

31
roles/bootstrap/tasks/_dnf_family.yml
View File

@@ -1,41 +1,32 @@
--- ---
- name: "Bootstrap {{ os | capitalize }}" - name: "Bootstrap {{ os | capitalize }}"
vars: vars:
_dnf_os_config: _dnf_config: "{{ lookup('vars', bootstrap_var_key) }}"
rocky: _dnf_repos: "{{ _dnf_config.repos | map('regex_replace', '^', '--repo=') | join(' ') }}"
repos: [baseos, appstream] _dnf_groups: "{{ _dnf_config.base | join(' ') }}"
groups: [core]
almalinux:
repos: [baseos, appstream]
groups: [core]
fedora:
repos: [fedora, fedora-updates]
groups: [critical-path-base, core]
_dnf_repos: "{{ _dnf_os_config[os].repos | map('regex_replace', '^', '--repo=') | join(' ') }}"
_dnf_groups: "{{ _dnf_os_config[os].groups | join(' ') }}"
_dnf_extra: >- _dnf_extra: >-
{{ {{
lookup('vars', bootstrap_var_key) ((_dnf_config.extra | default([])) + (_dnf_config.conditional | default([])))
| reject('equalto', '') | reject('equalto', '')
| join(' ') | join(' ')
}} }}
block: block:
- name: "Install {{ os | capitalize }} base system" - name: "Install base system for {{ os | capitalize }}"
ansible.builtin.command: >- ansible.builtin.command: >-
dnf --releasever={{ os_version }} --best {{ _dnf_repos }} dnf --releasever={{ os_version }} --best {{ _dnf_repos }}
--installroot=/mnt --setopt=install_weak_deps=False --installroot=/mnt --setopt=install_weak_deps=False
groupinstall -y {{ _dnf_groups }} groupinstall -y {{ _dnf_groups }}
register: _dnf_base_result register: bootstrap_dnf_base_result
changed_when: _dnf_base_result.rc == 0 changed_when: bootstrap_dnf_base_result.rc == 0
- name: Install extra packages - name: Install extra packages
ansible.builtin.command: >- ansible.builtin.command: >-
{{ chroot_command }} dnf --releasever={{ os_version }} --setopt=install_weak_deps=False {{ chroot_command }} dnf --releasever={{ os_version }} --setopt=install_weak_deps=False
install -y {{ _dnf_extra }} install -y {{ _dnf_extra }}
register: _dnf_extra_result register: bootstrap_dnf_extra_result
changed_when: _dnf_extra_result.rc == 0 changed_when: bootstrap_dnf_extra_result.rc == 0
- name: Reinstall kernel core - name: Reinstall kernel core
ansible.builtin.command: "{{ chroot_command }} dnf reinstall -y kernel-core" ansible.builtin.command: "{{ chroot_command }} dnf reinstall -y kernel-core"
register: _dnf_kernel_result register: bootstrap_dnf_kernel_result
changed_when: _dnf_kernel_result.rc == 0 changed_when: bootstrap_dnf_kernel_result.rc == 0

16
roles/bootstrap/tasks/alpine.yml
View File

@@ -1,21 +1,25 @@
--- ---
- name: Bootstrap Alpine Linux - name: Bootstrap Alpine Linux
vars: vars:
bootstrap_alpine_packages: >- _config: "{{ lookup('vars', bootstrap_var_key) }}"
_base_packages: "{{ _config.base | join(' ') }}"
_extra_packages: >-
{{ {{
lookup('vars', bootstrap_var_key) | reject('equalto', '') | join(' ') ((_config.extra | default([])) + (_config.conditional | default([])))
| reject('equalto', '')
| join(' ')
}} }}
block: block:
- name: Install Alpine Linux packages - name: Install Alpine Linux base
ansible.builtin.command: > ansible.builtin.command: >
apk --root /mnt --no-cache add alpine-base apk --root /mnt --no-cache add {{ _base_packages }}
register: bootstrap_alpine_bootstrap_result register: bootstrap_alpine_bootstrap_result
changed_when: bootstrap_alpine_bootstrap_result.rc == 0 changed_when: bootstrap_alpine_bootstrap_result.rc == 0
- name: Install extra packages - name: Install extra packages
when: bootstrap_alpine_packages | length > 0 when: _extra_packages | trim | length > 0
ansible.builtin.command: > ansible.builtin.command: >
apk --root /mnt add {{ bootstrap_alpine_packages }} apk --root /mnt add {{ _extra_packages }}
register: bootstrap_alpine_extra_result register: bootstrap_alpine_extra_result
changed_when: bootstrap_alpine_extra_result.rc == 0 changed_when: bootstrap_alpine_extra_result.rc == 0

7
roles/bootstrap/tasks/archlinux.yml
View File

@@ -1,11 +1,14 @@
--- ---
- name: Bootstrap ArchLinux - name: Bootstrap ArchLinux
vars: vars:
_config: "{{ lookup('vars', bootstrap_var_key) }}"
bootstrap_archlinux_packages: >- bootstrap_archlinux_packages: >-
{{ {{
lookup('vars', bootstrap_var_key) ((_config.base | default([])) + (_config.conditional | default([])))
| reject('equalto', '')
| list
}} }}
ansible.builtin.command: >- ansible.builtin.command: >-
pacstrap /mnt {{ bootstrap_archlinux_packages | reject('equalto', '') | join(' ') }} --asexplicit pacstrap /mnt {{ bootstrap_archlinux_packages | join(' ') }} --asexplicit
register: bootstrap_result register: bootstrap_result
changed_when: bootstrap_result.rc == 0 changed_when: bootstrap_result.rc == 0

40
roles/bootstrap/tasks/debian.yml
View File

@@ -10,53 +10,33 @@
else 'sid' if (os_version | string) == 'unstable' else 'sid' if (os_version | string) == 'unstable'
else 'trixie' else 'trixie'
}} }}
bootstrap_debian_package_config: >- _config: "{{ lookup('vars', bootstrap_var_key) }}"
{{ bootstrap_debian_base_csv: "{{ (['ca-certificates'] + _config.base) | unique | join(',') }}"
lookup('vars', bootstrap_var_key)
}}
bootstrap_debian_base_packages: >-
{{
bootstrap_debian_package_config.base
| default([])
| reject('equalto', '')
| list
}}
bootstrap_debian_extra_packages: >-
{{
bootstrap_debian_package_config.extra
| default([])
| reject('equalto', '')
| list
}}
bootstrap_debian_base_csv: "{{ bootstrap_debian_base_packages | join(',') }}"
bootstrap_debian_extra_args: >- bootstrap_debian_extra_args: >-
{{ {{
bootstrap_debian_extra_packages ((_config.extra | default([])) + (_config.conditional | default([])))
| reject('equalto', '')
| join(' ') | join(' ')
}} }}
block: block:
- name: Validate Debian package configuration - name: Validate Debian package configuration
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- bootstrap_debian_package_config is mapping - _config is mapping
- bootstrap_debian_package_config.base is defined - _config.base is sequence
- bootstrap_debian_package_config.base is sequence - _config.extra is sequence
- bootstrap_debian_package_config.base is not string fail_msg: "{{ bootstrap_var_key }} must be a dict with base/extra/conditional keys."
- bootstrap_debian_package_config.extra is defined
- bootstrap_debian_package_config.extra is sequence
- bootstrap_debian_package_config.extra is not string
fail_msg: "bootstrap package definition for {{ bootstrap_var_key }} must be a mapping with base/extra lists."
quiet: true quiet: true
- name: Install Debian base system - name: Install Debian base system
ansible.builtin.command: >- ansible.builtin.command: >-
debootstrap --include={{ bootstrap_debian_base_csv }} debootstrap --include={{ bootstrap_debian_base_csv }}
{{ bootstrap_debian_release }} /mnt http://deb.debian.org/debian/ {{ bootstrap_debian_release }} /mnt https://deb.debian.org/debian/
register: bootstrap_debian_base_result register: bootstrap_debian_base_result
changed_when: bootstrap_debian_base_result.rc == 0 changed_when: bootstrap_debian_base_result.rc == 0
- name: Install extra packages - name: Install extra packages
when: bootstrap_debian_extra_packages | length > 0 when: bootstrap_debian_extra_args | trim | length > 0
ansible.builtin.command: "{{ chroot_command }} apt install -y {{ bootstrap_debian_extra_args }}" ansible.builtin.command: "{{ chroot_command }} apt install -y {{ bootstrap_debian_extra_args }}"
register: bootstrap_debian_extra_result register: bootstrap_debian_extra_result
changed_when: bootstrap_debian_extra_result.rc == 0 changed_when: bootstrap_debian_extra_result.rc == 0

18
roles/bootstrap/tasks/opensuse.yml
View File

@@ -1,21 +1,25 @@
--- ---
- name: Bootstrap openSUSE - name: Bootstrap openSUSE
vars: vars:
bootstrap_opensuse_packages: >- _config: "{{ lookup('vars', bootstrap_var_key) }}"
_base_patterns: "{{ _config.base | join(' ') }}"
_extra_packages: >-
{{ {{
lookup('vars', bootstrap_var_key) | reject('equalto', '') | join(' ') ((_config.extra | default([])) + (_config.conditional | default([])))
| reject('equalto', '')
| join(' ')
}} }}
block: block:
- name: Install openSUSE base packages - name: Install openSUSE base patterns
ansible.builtin.command: > ansible.builtin.command: >
zypper --root /mnt --non-interactive install -t pattern patterns-base-base zypper --root /mnt --non-interactive install -t pattern {{ _base_patterns }}
register: bootstrap_opensuse_base_result register: bootstrap_opensuse_base_result
changed_when: bootstrap_opensuse_base_result.rc == 0 changed_when: bootstrap_opensuse_base_result.rc == 0
- name: Install openSUSE extra packages - name: Install extra packages
when: bootstrap_opensuse_packages | length > 0 when: _extra_packages | trim | length > 0
ansible.builtin.command: > ansible.builtin.command: >
zypper --root /mnt --non-interactive install {{ bootstrap_opensuse_packages }} zypper --root /mnt --non-interactive install {{ _extra_packages }}
register: bootstrap_opensuse_extra_result register: bootstrap_opensuse_extra_result
changed_when: bootstrap_opensuse_extra_result.rc == 0 changed_when: bootstrap_opensuse_extra_result.rc == 0

23
roles/bootstrap/tasks/rhel.yml
View File

@@ -1,12 +1,22 @@
--- ---
- name: Bootstrap RHEL System - name: Bootstrap RHEL System
vars:
_rhel_config: "{{ lookup('vars', bootstrap_var_key) }}"
_rhel_repos: "{{ _rhel_config.repos | map('regex_replace', '^', '--repo=') | join(' ') }}"
_rhel_groups: "{{ _rhel_config.base | join(' ') }}"
_rhel_extra: >-
{{
((_rhel_config.extra | default([])) + (_rhel_config.conditional | default([])))
| reject('equalto', '')
| join(' ')
}}
block: block:
- name: Install base packages in chroot environment - name: Install base packages in chroot environment
ansible.builtin.command: >- ansible.builtin.command: >-
dnf --releasever={{ os_version_major }} --repo=rhel{{ os_version_major }}-baseos dnf --releasever={{ os_version_major }} {{ _rhel_repos }}
--installroot=/mnt --installroot=/mnt
--setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists --setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
groupinstall -y core base standard groupinstall -y {{ _rhel_groups }}
register: bootstrap_result register: bootstrap_result
changed_when: bootstrap_result.rc == 0 changed_when: bootstrap_result.rc == 0
failed_when: failed_when:
@@ -40,15 +50,8 @@
remote_src: true remote_src: true
- name: Install additional packages in chroot - name: Install additional packages in chroot
vars:
bootstrap_rhel_extra: >-
{{
lookup('vars', bootstrap_var_key)
| reject('equalto', '')
| join(' ')
}}
ansible.builtin.command: >- ansible.builtin.command: >-
{{ chroot_command }} dnf --releasever={{ os_version_major }} {{ chroot_command }} dnf --releasever={{ os_version_major }}
--setopt=install_weak_deps=False install -y {{ bootstrap_rhel_extra }} --setopt=install_weak_deps=False install -y {{ _rhel_extra }}
register: bootstrap_result register: bootstrap_result
changed_when: bootstrap_result.rc == 0 changed_when: bootstrap_result.rc == 0

40
roles/bootstrap/tasks/ubuntu.yml
View File

@@ -6,38 +6,22 @@
ubuntu: plucky ubuntu: plucky
ubuntu-lts: noble ubuntu-lts: noble
bootstrap_ubuntu_release: "{{ bootstrap_ubuntu_release_map[os] | default('noble') }}" bootstrap_ubuntu_release: "{{ bootstrap_ubuntu_release_map[os] | default('noble') }}"
bootstrap_ubuntu_package_config: >- _config: "{{ lookup('vars', bootstrap_var_key) }}"
bootstrap_ubuntu_base_csv: "{{ (['ca-certificates'] + _config.base) | unique | join(',') }}"
bootstrap_ubuntu_extra_args: >-
{{ {{
lookup('vars', bootstrap_var_key) ((_config.extra | default([])) + (_config.conditional | default([])))
}}
bootstrap_ubuntu_base_packages: >-
{{
bootstrap_ubuntu_package_config.base
| default([])
| reject('equalto', '') | reject('equalto', '')
| list | join(' ')
}} }}
bootstrap_ubuntu_extra_packages: >-
{{
bootstrap_ubuntu_package_config.extra
| default([])
| reject('equalto', '')
| list
}}
bootstrap_ubuntu_base_csv: "{{ bootstrap_ubuntu_base_packages | join(',') }}"
bootstrap_ubuntu_extra: "{{ bootstrap_ubuntu_extra_packages | join(' ') }}"
block: block:
- name: Validate Ubuntu package configuration - name: Validate Ubuntu package configuration
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- bootstrap_ubuntu_package_config is mapping - _config is mapping
- bootstrap_ubuntu_package_config.base is defined - _config.base is sequence
- bootstrap_ubuntu_package_config.base is sequence - _config.extra is sequence
- bootstrap_ubuntu_package_config.base is not string fail_msg: "{{ bootstrap_var_key }} must be a dict with base/extra/conditional keys."
- bootstrap_ubuntu_package_config.extra is defined
- bootstrap_ubuntu_package_config.extra is sequence
- bootstrap_ubuntu_package_config.extra is not string
fail_msg: "bootstrap package definition for {{ bootstrap_var_key }} must be a mapping with base/extra lists."
quiet: true quiet: true
- name: Install Ubuntu base system - name: Install Ubuntu base system
@@ -46,7 +30,7 @@
--keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg
--include={{ bootstrap_ubuntu_base_csv }} --include={{ bootstrap_ubuntu_base_csv }}
{{ bootstrap_ubuntu_release }} /mnt {{ bootstrap_ubuntu_release }} /mnt
http://archive.ubuntu.com/ubuntu/ https://archive.ubuntu.com/ubuntu/
register: bootstrap_ubuntu_base_result register: bootstrap_ubuntu_base_result
changed_when: bootstrap_ubuntu_base_result.rc == 0 changed_when: bootstrap_ubuntu_base_result.rc == 0
@@ -62,7 +46,7 @@
changed_when: bootstrap_ubuntu_update_result.rc == 0 changed_when: bootstrap_ubuntu_update_result.rc == 0
- name: Install extra packages - name: Install extra packages
when: bootstrap_ubuntu_extra_packages | length > 0 when: bootstrap_ubuntu_extra_args | trim | length > 0
ansible.builtin.command: "{{ chroot_command }} apt install -y {{ bootstrap_ubuntu_extra }}" ansible.builtin.command: "{{ chroot_command }} apt install -y {{ bootstrap_ubuntu_extra_args }}"
register: bootstrap_ubuntu_extra_result register: bootstrap_ubuntu_extra_result
changed_when: bootstrap_ubuntu_extra_result.rc == 0 changed_when: bootstrap_ubuntu_extra_result.rc == 0

16
roles/bootstrap/tasks/void.yml
View File

@@ -1,21 +1,25 @@
--- ---
- name: Bootstrap Void Linux - name: Bootstrap Void Linux
vars: vars:
bootstrap_void_packages: >- _config: "{{ lookup('vars', bootstrap_var_key) }}"
_base_packages: "{{ _config.base | join(' ') }}"
_extra_packages: >-
{{ {{
lookup('vars', bootstrap_var_key) | reject('equalto', '') | join(' ') ((_config.extra | default([])) + (_config.conditional | default([])))
| reject('equalto', '')
| join(' ')
}} }}
block: block:
- name: Install Void Linux base packages - name: Install Void Linux base
ansible.builtin.command: > ansible.builtin.command: >
xbps-install -Sy -r /mnt -R https://repo-default.voidlinux.org/current void-repo-nonfree base-system xbps-install -Sy -r /mnt -R https://repo-default.voidlinux.org/current {{ _base_packages }}
register: bootstrap_void_base_result register: bootstrap_void_base_result
changed_when: bootstrap_void_base_result.rc == 0 changed_when: bootstrap_void_base_result.rc == 0
- name: Install extra packages - name: Install extra packages
when: bootstrap_void_packages | length > 0 when: _extra_packages | trim | length > 0
ansible.builtin.command: > ansible.builtin.command: >
xbps-install -Su -r /mnt {{ bootstrap_void_packages }} xbps-install -Su -r /mnt {{ _extra_packages }}
register: bootstrap_void_extra_result register: bootstrap_void_extra_result
changed_when: bootstrap_void_extra_result.rc == 0 changed_when: bootstrap_void_extra_result.rc == 0

492
roles/bootstrap/vars/main.yml
View File

@@ -1,6 +1,6 @@
--- ---
# Common feature-gated packages. Built as a clean list (no empty strings). # Feature-gated packages shared across all distros.
# Arch overrides nftables → iptables-nft; SSH package names vary per distro. # Arch has special nftables handling and composes this differently.
bootstrap_common_conditional: >- bootstrap_common_conditional: >-
{{ {{
( (
@@ -14,158 +14,374 @@ bootstrap_common_conditional: >-
) )
}} }}
bootstrap_rhel_base: >- # ---------------------------------------------------------------------------
{{ # Per-OS package definitions: base (rootfs/group install), extra (post-base),
['bind-utils', 'dhcp-client', 'efibootmgr', # conditional (feature/version-gated, appended by task files).
'glibc-langpack-de', 'glibc-langpack-en', 'lrzsz', # DNF-based distros also carry repos (dnf --repo) and use base as group names.
'lvm2', 'mtr', 'ncurses-term', 'nfs-utils', # ---------------------------------------------------------------------------
'policycoreutils-python-utils', 'shim', 'tmux', 'vim', 'zstd']
+ bootstrap_common_conditional
}}
bootstrap_rhel_versioned: >- bootstrap_rhel:
{{ repos:
['grub2'] - "rhel{{ os_version_major }}-baseos"
+ (['grub2-efi-x64'] if os_version_major | default('') == '8' else ['grub2-efi']) base:
+ (['grub2-tools-extra'] if os_version_major | default('') in ['8', '9'] else []) - core
+ (['python39'] if os_version_major | default('') == '8' else ['python']) - base
+ (['kernel'] if os_version_major | default('') == '10' else []) - standard
+ (['zram-generator'] if os_version_major | default('') in ['9', '10'] else []) extra:
}} - bind-utils
- dhcp-client
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- lrzsz
- lvm2
- mtr
- ncurses-term
- nfs-utils
- policycoreutils-python-utils
- shim
- tmux
- vim
- zstd
conditional: >-
{{
(['grub2-efi-x64'] if os_version_major | default('') == '8' else ['grub2-efi'])
+ (['grub2-tools-extra'] if os_version_major | default('') in ['8', '9'] else [])
+ (['python39'] if os_version_major | default('') == '8' else ['python'])
+ (['kernel'] if os_version_major | default('') == '10' else [])
+ (['zram-generator'] if os_version_major | default('') in ['9', '10'] else [])
+ bootstrap_common_conditional
}}
bootstrap_rhel: "{{ bootstrap_rhel_base + bootstrap_rhel_versioned }}" bootstrap_almalinux:
repos:
- baseos
- appstream
base:
- core
extra:
- bind-utils
- dhcp-client
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- lrzsz
- lvm2
- mtr
- nc
- ncurses-term
- nfs-utils
- nfsv4-client-utils
- policycoreutils-python-utils
- ppp
- python3
- shim
- tmux
- vim
- zram-generator
- zstd
conditional: >-
{{
(['dbus-daemon'] if (os_version_major | default('10') | int) >= 9 else [])
+ bootstrap_common_conditional
}}
bootstrap_almalinux: >- bootstrap_rocky:
{{ repos:
bootstrap_rhel_base - baseos
+ ['grub2', 'grub2-efi', - appstream
'nfsv4-client-utils', 'nc', 'ppp', 'python3', 'zram-generator'] base:
+ (['dbus-daemon'] if (os_version_major | default('10') | int) >= 9 else []) - core
}} extra:
- bind-utils
- dhcp-client
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- lrzsz
- lvm2
- mtr
- nc
- ncurses-term
- nfs-utils
- nfsv4-client-utils
- policycoreutils-python-utils
- ppp
- python3
- shim
- telnet
- tmux
- util-linux-core
- vim
- wget
- zram-generator
- zstd
conditional: "{{ bootstrap_common_conditional }}"
bootstrap_rocky: >- bootstrap_fedora:
{{ repos:
bootstrap_rhel_base - fedora
+ ['grub2', 'grub2-efi', 'nfsv4-client-utils', 'nc', 'ppp', - fedora-updates
'python3', 'telnet', 'util-linux-core', 'wget', 'zram-generator'] base:
}} - critical-path-base
- core
bootstrap_fedora: >- extra:
{{ - bat
['bat', 'bind-utils', 'btrfs-progs', 'cronie', 'dhcp-client', - bind-utils
'duf', 'efibootmgr', 'entr', 'fish', 'fzf', - btrfs-progs
'glibc-langpack-de', 'glibc-langpack-en', 'grub2', 'grub2-efi', - cronie
'htop', 'iperf3', 'logrotate', 'lrzsz', 'lvm2', - dhcp-client
'nc', 'nfs-utils', 'nfsv4-client-utils', 'polkit', 'ppp', - duf
'python3', 'ripgrep', 'shim', 'tmux', 'vim-default-editor', - efibootmgr
'wget', 'zoxide', 'zram-generator', 'zstd'] - entr
+ bootstrap_common_conditional - fish
}} - fzf
- glibc-langpack-de
bootstrap_debian_base_common: >- - glibc-langpack-en
{{ - grub2
['btrfs-progs', 'cron', 'gnupg', 'grub-efi', 'grub-efi-amd64-signed', - grub2-efi
'grub2-common', 'locales', 'logrotate', 'lvm2', 'python3', 'xfsprogs'] - htop
+ (['cryptsetup-initramfs'] if system_cfg.luks.enabled | bool else []) - iperf3
+ (['openssh-server'] if system_cfg.features.ssh.enabled | bool else []) - logrotate
}} - lrzsz
- lvm2
bootstrap_debian_extra_common: - nc
- apparmor-utils - nfs-utils
- bat - nfsv4-client-utils
- chrony - polkit
- curl - ppp
- entr - python3
- fish - ripgrep
- fzf - shim
- htop - tmux
- jq - vim-default-editor
- libpam-pwquality - wget
- lrzsz - zoxide
- mtr - zram-generator
- ncdu - zstd
- net-tools conditional: "{{ bootstrap_common_conditional }}"
- network-manager
- python-is-python3
- ripgrep
- rsync
- screen
- sudo
- syslog-ng
- tcpd
- vim
- wget
- zstd
bootstrap_debian_extra_versioned: >-
{{
['linux-image-amd64']
+ (['duf'] if (os_version | string) not in ['10', '11'] else [])
+ (['fastfetch'] if (os_version | string) in ['13', 'unstable'] else [])
+ (['neofetch'] if (os_version | string) == '12' else [])
+ (['software-properties-common'] if (os_version | string) not in ['13', 'unstable'] else [])
+ (['systemd-zram-generator'] if (os_version | string) not in ['10', '11'] else [])
+ (['tldr'] if (os_version | string) not in ['13', 'unstable'] else [])
}}
bootstrap_debian: bootstrap_debian:
base: "{{ bootstrap_debian_base_common }}" base:
extra: >- - btrfs-progs
- cron
- cryptsetup-initramfs
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- locales
- logrotate
- lvm2
- openssh-server
- python3
- xfsprogs
extra:
- apparmor-utils
- bat
- chrony
- curl
- entr
- fish
- fzf
- htop
- jq
- libpam-pwquality
- linux-image-amd64
- lrzsz
- mtr
- ncdu
- net-tools
- network-manager
- python-is-python3
- ripgrep
- rsync
- screen
- sudo
- syslog-ng
- tcpd
- vim
- wget
- zstd
conditional: >-
{{ {{
bootstrap_debian_extra_common (['duf'] if (os_version | string) not in ['10', '11'] else [])
+ bootstrap_debian_extra_versioned + (['fastfetch'] if (os_version | string) in ['13', 'unstable'] else [])
+ (['neofetch'] if (os_version | string) == '12' else [])
+ (['software-properties-common'] if (os_version | string) not in ['13', 'unstable'] else [])
+ (['systemd-zram-generator'] if (os_version | string) not in ['10', '11'] else [])
+ (['tldr'] if (os_version | string) not in ['13', 'unstable'] else [])
+ bootstrap_common_conditional + bootstrap_common_conditional
}} }}
bootstrap_ubuntu: bootstrap_ubuntu:
base: base:
- btrfs-progs
- cron
- cryptsetup-initramfs
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- initramfs-tools - initramfs-tools
- linux-image-generic - linux-image-generic
extra: >- - locales
- logrotate
- lvm2
- openssh-server
- python3
- xfsprogs
extra:
- apparmor-utils
- bash-completion
- bat
- chrony
- curl
- dnsutils
- duf
- entr
- eza
- fdupes
- fio
- fish
- fzf
- htop
- jq
- libpam-pwquality
- lrzsz
- mtr
- ncdu
- ncurses-term
- net-tools
- network-manager
- python-is-python3
- ripgrep
- rsync
- screen
- software-properties-common
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- tldr
- traceroute
- util-linux-extra
- vim
- wget
- yq
- zoxide
- zstd
conditional: "{{ bootstrap_common_conditional }}"
bootstrap_archlinux:
base:
- base
- btrfs-progs
- cronie
- dhcpcd
- efibootmgr
- fastfetch
- fish
- fzf
- grub
- htop
- libpwquality
- linux
- logrotate
- lrzsz
- lsof
- lvm2
- ncdu
- networkmanager
- nfs-utils
- ppp
- python
- reflector
- rsync
- sudo
- tldr
- tmux
- vim
- zram-generator
extra: []
conditional: >-
{{ {{
bootstrap_debian_base_common (['openssh'] if system_cfg.features.ssh.enabled | bool else [])
+ bootstrap_debian_extra_common + (['iptables-nft'] if system_cfg.features.firewall.toolkit == 'nftables' and system_cfg.features.firewall.enabled | bool else [])
+ ['bash-completion', 'dnsutils', 'duf', 'eza', 'fdupes', 'fio', + (bootstrap_common_conditional | reject('equalto', 'nftables') | list)
'ncurses-term', 'software-properties-common', 'systemd-zram-generator', }}
'tldr', 'traceroute', 'util-linux-extra', 'yq', 'zoxide']
bootstrap_alpine:
base:
- alpine-base
extra:
- btrfs-progs
- chrony
- curl
- e2fsprogs
- linux-lts
- logrotate
- lvm2
- python3
- rsync
- sudo
- util-linux
- vim
- xfsprogs
conditional: >-
{{
(['openssh'] if system_cfg.features.ssh.enabled | bool else [])
+ bootstrap_common_conditional + bootstrap_common_conditional
}} }}
bootstrap_archlinux: >- bootstrap_opensuse:
{{ base:
['base', 'btrfs-progs', 'cronie', 'dhcpcd', 'efibootmgr', 'fastfetch', - patterns-base-base
'fish', 'fzf', 'grub', 'htop', 'libpwquality', 'linux', 'logrotate', extra:
'lrzsz', 'lsof', 'lvm2', 'ncdu', 'networkmanager', 'nfs-utils', - btrfs-progs
'ppp', 'python', 'reflector', - chrony
'rsync', 'sudo', 'tldr', 'tmux', 'vim', 'zram-generator'] - curl
+ (['openssh'] if system_cfg.features.ssh.enabled | bool else []) - e2fsprogs
+ (['iptables-nft'] if system_cfg.features.firewall.toolkit == 'nftables' and system_cfg.features.firewall.enabled | bool else []) - glibc-locale
+ (bootstrap_common_conditional | reject('equalto', 'nftables') | list) - kernel-default
}} - logrotate
- lvm2
- NetworkManager
- python3
- rsync
- sudo
- vim
- xfsprogs
conditional: >-
{{
(['openssh'] if system_cfg.features.ssh.enabled | bool else [])
+ bootstrap_common_conditional
}}
bootstrap_alpine: >- bootstrap_void:
{{ base:
['alpine-base', 'btrfs-progs', 'chrony', 'curl', 'e2fsprogs', - base-system
'linux-lts', 'logrotate', 'lvm2', 'python3', 'rsync', 'sudo', - void-repo-nonfree
'util-linux', 'vim', 'xfsprogs'] extra:
+ (['openssh'] if system_cfg.features.ssh.enabled | bool else []) - btrfs-progs
+ bootstrap_common_conditional - chrony
}} - curl
- dhcpcd
bootstrap_opensuse: >- - e2fsprogs
{{ - logrotate
['btrfs-progs', 'chrony', 'curl', 'e2fsprogs', - lvm2
'glibc-locale', 'kernel-default', 'logrotate', 'lvm2', 'NetworkManager', - python3
'python3', 'rsync', 'sudo', 'vim', 'xfsprogs'] - rsync
+ (['openssh'] if system_cfg.features.ssh.enabled | bool else []) - sudo
+ bootstrap_common_conditional - vim
}} - xfsprogs
conditional: >-
bootstrap_void: >- {{
{{ (['openssh'] if system_cfg.features.ssh.enabled | bool else [])
['btrfs-progs', 'chrony', 'curl', 'dhcpcd', 'e2fsprogs', + bootstrap_common_conditional
'logrotate', 'lvm2', 'python3', 'rsync', 'sudo', }}
'vim', 'xfsprogs']
+ (['openssh'] if system_cfg.features.ssh.enabled | bool else [])
+ bootstrap_common_conditional
}}

1
roles/cis/tasks/modules.yml
View File

@@ -1,6 +1,7 @@
--- ---
- name: Disable Kernel Modules - name: Disable Kernel Modules
vars: vars:
# Ubuntu uses squashfs for snap packages — blacklisting it breaks snap entirely
cis_modules_squashfs: "{{ [] if os in ['ubuntu', 'ubuntu-lts'] else ['squashfs'] }}" cis_modules_squashfs: "{{ [] if os in ['ubuntu', 'ubuntu-lts'] else ['squashfs'] }}"
cis_modules_all: "{{ cis_cfg.modules_blacklist + cis_modules_squashfs }}" cis_modules_all: "{{ cis_cfg.modules_blacklist + cis_modules_squashfs }}"
ansible.builtin.copy: ansible.builtin.copy:

64
roles/environment/tasks/_configure_network.yml Normal file
View File

@@ -0,0 +1,64 @@
---
- name: Select primary Network Interface
when: hypervisor_type == "vmware"
ansible.builtin.set_fact:
environment_interface_name: >-
{{
(
(ansible_facts.interfaces | default(ansible_facts['ansible_interfaces'] | default([])))
| reject('equalto', 'lo')
| list
| first
)
| default('')
}}
- name: Set IP-Address
when:
- hypervisor_type == "vmware"
- system_cfg.network.ip is defined and system_cfg.network.ip | string | length > 0
ansible.builtin.command: >-
ip addr replace {{ system_cfg.network.ip }}/{{ system_cfg.network.prefix }}
dev {{ environment_interface_name }}
register: environment_ip_result
changed_when: environment_ip_result.rc == 0
- name: Set Default Gateway
when:
- hypervisor_type == "vmware"
- system_cfg.network.gateway is defined and system_cfg.network.gateway | string | length > 0
- system_cfg.network.ip is defined and system_cfg.network.ip | string | length > 0
ansible.builtin.command: "ip route replace default via {{ system_cfg.network.gateway }}"
register: environment_gateway_result
changed_when: environment_gateway_result.rc == 0
- name: Synchronize clock via NTP
ansible.builtin.command: timedatectl set-ntp true
register: environment_ntp_result
changed_when: environment_ntp_result.rc == 0
- name: Configure SSH for root login
when: hypervisor_type == "vmware" and hypervisor_cfg.ssh | bool
block:
- name: Allow login
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
replace: "{{ item.replace }}"
loop:
- regexp: "^#?PermitEmptyPasswords.*"
replace: "PermitEmptyPasswords yes"
- regexp: "^#?PermitRootLogin.*"
replace: "PermitRootLogin yes"
loop_control:
label: "{{ item.replace }}"
- name: Reload SSH service to apply changes
ansible.builtin.service:
name: sshd
state: reloaded
- name: Set SSH connection for VMware
ansible.builtin.set_fact:
ansible_connection: ssh
ansible_user: root

76
roles/environment/tasks/_detect_live.yml Normal file
View File

@@ -0,0 +1,76 @@
---
- name: Wait for connection
ansible.builtin.wait_for_connection:
timeout: 180
delay: 5
- name: Gather facts
ansible.builtin.setup:
- name: Check for live environment markers
ansible.builtin.stat:
path: "{{ item }}"
loop:
- /run/archiso
- /run/live
- /run/initramfs
- /run/initramfs/live
register: environment_live_marker_stat
changed_when: false
- name: Determine root filesystem type
ansible.builtin.set_fact:
environment_root_fstype: >-
{{
ansible_mounts
| selectattr('mount', 'equalto', '/')
| map(attribute='fstype')
| list
| first
| default('')
| lower
}}
environment_archiso_present: >-
{{
(
environment_live_marker_stat.results
| selectattr('item', 'equalto', '/run/archiso')
| selectattr('stat.exists')
| list
| length
) > 0
}}
- name: Identify live environment indicators
ansible.builtin.set_fact:
environment_is_live_environment: >-
{{
(
environment_live_marker_stat.results
| selectattr('stat.exists')
| list
| length
) > 0
or environment_root_fstype in ['overlay', 'overlayfs', 'squashfs', 'aufs']
or (ansible_hostname | default('') | lower is search('live'))
}}
- name: Abort if target is not a live environment
ansible.builtin.assert:
that:
- environment_is_live_environment | bool
fail_msg: |
PRODUCTION SYSTEM DETECTED - ABORTING
The target system does not appear to be a live installer environment.
This playbook must run from a live ISO to avoid wiping production data.
Boot from a live installer (Arch, Debian, Ubuntu, etc.) and retry.
quiet: true
- name: Abort if the host is not booted from the Arch install media
when:
- not (custom_iso | bool)
- not environment_archiso_present | bool
ansible.builtin.fail:
msg: This host is not booted from the Arch install media!

102
roles/environment/tasks/_prepare_installer.yml Normal file
View File

@@ -0,0 +1,102 @@
---
- name: Speed-up Bootstrap process
when: not (custom_iso | bool)
ansible.builtin.lineinfile:
path: /etc/pacman.conf
regexp: ^#ParallelDownloads =
line: ParallelDownloads = 20
- name: Wait for pacman lock to be released
when: not (custom_iso | bool)
ansible.builtin.wait_for:
path: /var/lib/pacman/db.lck
state: absent
timeout: 120
changed_when: false
- name: Setup Pacman
when:
- not (custom_iso | bool)
- item.os is not defined or os in item.os
community.general.pacman:
update_cache: true
force: true
name: "{{ item.name }}"
state: latest
loop:
- { name: glibc }
- { name: dnf, os: [almalinux, fedora, rhel, rocky] }
- { name: debootstrap, os: [debian, ubuntu, ubuntu-lts] }
- { name: debian-archive-keyring, os: [debian] }
- { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] }
loop_control:
label: "{{ item.name }}"
retries: 4
delay: 15
- name: Prepare /iso mount and repository for RHEL-based systems
when: os == "rhel"
block:
- name: Create /iso directory
ansible.builtin.file:
path: /usr/local/install/redhat/dvd
state: directory
mode: "0755"
- name: Detect RHEL ISO device
ansible.builtin.command: lsblk -rno NAME,TYPE
register: environment_lsblk_result
changed_when: false
- name: Select RHEL ISO device
vars:
_rom_devices: >-
{{
environment_lsblk_result.stdout_lines
| map('split', ' ')
| selectattr('1', 'equalto', 'rom')
| map('first')
| map('regex_replace', '^', '/dev/')
| list
}}
ansible.builtin.set_fact:
environment_rhel_iso_device: >-
{{
_rom_devices[-1]
if _rom_devices | length > 1
else (_rom_devices[0] | default('/dev/sr1'))
}}
- name: Mount RHEL ISO
ansible.posix.mount:
src: "{{ environment_rhel_iso_device }}"
path: /usr/local/install/redhat/dvd
fstype: iso9660
opts: "ro,loop"
state: mounted
# Security note: RPM Sequoia signature policy is relaxed to allow
# bootstrapping RHEL-family distros from the Arch ISO, where the
# host rpm/dnf does not trust target distro GPG keys. Package
# integrity is verified by the target system's own rpm after reboot.
- name: Relax RPM Sequoia signature policy for RHEL bootstrap
when: is_rhel | bool
ansible.builtin.copy:
dest: /etc/rpm/macros
content: "%_pkgverify_level none\n"
mode: "0644"
- name: Configure RHEL Repos for installation
when: is_rhel | bool
block:
- name: Create directories for repository files and RPM GPG keys
ansible.builtin.file:
path: /etc/yum.repos.d
state: directory
mode: "0755"
- name: Create RHEL repository file
ansible.builtin.template:
src: "{{ os }}.repo.j2"
dest: /etc/yum.repos.d/{{ os }}.repo
mode: "0644"

27
roles/environment/tasks/_thirdparty.yml Normal file
View File

@@ -0,0 +1,27 @@
---
- name: Check for third-party preparation tasks
run_once: true
become: false
delegate_to: localhost
vars:
ansible_connection: local
block:
- name: Resolve third-party preparation task path
ansible.builtin.set_fact:
environment_thirdparty_tasks_path: >-
{{
thirdparty_tasks
if thirdparty_tasks | regex_search('^/')
else playbook_dir + '/' + thirdparty_tasks
}}
- name: Stat third-party preparation tasks
ansible.builtin.stat:
path: "{{ environment_thirdparty_tasks_path }}"
register: environment_thirdparty_tasks_stat
- name: Run third-party preparation tasks
when:
- thirdparty_tasks | length > 0
- environment_thirdparty_tasks_stat.stat.exists
ansible.builtin.include_tasks: "{{ environment_thirdparty_tasks_path }}"

276
roles/environment/tasks/main.yml
View File

@@ -2,278 +2,14 @@
- name: Configure work environment - name: Configure work environment
become: "{{ hypervisor_type != 'vmware' }}" become: "{{ hypervisor_type != 'vmware' }}"
block: block:
- name: Wait for connection - name: Detect and validate live environment
ansible.builtin.wait_for_connection: ansible.builtin.include_tasks: _detect_live.yml
timeout: 180
delay: 5
- name: Gather facts - name: Configure network and connectivity
ansible.builtin.setup: ansible.builtin.include_tasks: _configure_network.yml
- name: Check for live environment markers
ansible.builtin.stat:
path: "{{ item }}"
loop:
- /run/archiso
- /run/live
- /run/initramfs
- /run/initramfs/live
register: environment_live_marker_stat
changed_when: false
- name: Determine root filesystem type
ansible.builtin.set_fact:
environment_root_fstype: >-
{{
ansible_mounts
| selectattr('mount', 'equalto', '/')
| map(attribute='fstype')
| list
| first
| default('')
| lower
}}
environment_archiso_present: >-
{{
(
environment_live_marker_stat.results
| selectattr('item', 'equalto', '/run/archiso')
| selectattr('stat.exists')
| list
| length
) > 0
}}
changed_when: false
- name: Identify live environment indicators
ansible.builtin.set_fact:
environment_is_live_environment: >-
{{
(
environment_live_marker_stat.results
| selectattr('stat.exists')
| list
| length
) > 0
or environment_root_fstype in ['overlay', 'overlayfs', 'squashfs', 'aufs']
or (ansible_hostname | default('') | lower is search('live'))
}}
changed_when: false
- name: Abort if target is not a live environment
ansible.builtin.assert:
that:
- environment_is_live_environment | bool
fail_msg: |
PRODUCTION SYSTEM DETECTED - ABORTING
The target system does not appear to be a live installer environment.
This playbook must run from a live ISO to avoid wiping production data.
Boot from a live installer (Arch, Debian, Ubuntu, etc.) and retry.
quiet: true
- name: Abort if the host is not booted from the Arch install media
when:
- not (custom_iso | bool)
- not environment_archiso_present | bool
ansible.builtin.fail:
msg: This host is not booted from the Arch install media!
- name: Select primary Network Interface
when: hypervisor_type == "vmware"
ansible.builtin.set_fact:
environment_interface_name: >-
{{
(
(ansible_facts.interfaces | default(ansible_facts['ansible_interfaces'] | default([])))
| reject('equalto', 'lo')
| list
| first
)
| default('')
}}
changed_when: false
- name: Set IP-Address
when:
- hypervisor_type == "vmware"
- system_cfg.network.ip is defined and system_cfg.network.ip | string | length > 0
ansible.builtin.command: >-
ip addr replace {{ system_cfg.network.ip }}/{{ system_cfg.network.prefix }}
dev {{ environment_interface_name }}
register: environment_ip_result
changed_when: environment_ip_result.rc == 0
- name: Set Default Gateway
when:
- hypervisor_type == "vmware"
- system_cfg.network.gateway is defined and system_cfg.network.gateway | string | length > 0
- system_cfg.network.ip is defined and system_cfg.network.ip | string | length > 0
ansible.builtin.command: "ip route replace default via {{ system_cfg.network.gateway }}"
register: environment_gateway_result
changed_when: environment_gateway_result.rc == 0
- name: Synchronize clock via NTP
ansible.builtin.command: timedatectl set-ntp true
register: environment_ntp_result
changed_when: environment_ntp_result.rc == 0
- name: Configure SSH for root login
when: hypervisor_type == "vmware" and hypervisor_cfg.ssh | bool
block:
- name: Allow login
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
replace: "{{ item.replace }}"
loop:
- regexp: "^#?PermitEmptyPasswords.*"
replace: "PermitEmptyPasswords yes"
- regexp: "^#?PermitRootLogin.*"
replace: "PermitRootLogin yes"
loop_control:
label: "{{ item.replace }}"
- name: Reload SSH service to apply changes
ansible.builtin.service:
name: sshd
state: reloaded
- name: Set SSH connection for VMware
ansible.builtin.set_fact:
ansible_connection: ssh
ansible_user: root
- name: Prepare installer environment - name: Prepare installer environment
block: ansible.builtin.include_tasks: _prepare_installer.yml
- name: Speed-up Bootstrap process
when: not (custom_iso | bool)
ansible.builtin.lineinfile:
path: /etc/pacman.conf
regexp: ^#ParallelDownloads =
line: ParallelDownloads = 20
- name: Wait for pacman lock to be released
when: not (custom_iso | bool)
ansible.builtin.wait_for:
path: /var/lib/pacman/db.lck
state: absent
timeout: 120
changed_when: false
- name: Setup Pacman
when:
- not (custom_iso | bool)
- item.os is not defined or os in item.os
community.general.pacman:
update_cache: true
force: true
name: "{{ item.name }}"
state: latest
loop:
- { name: glibc }
- { name: dnf, os: [almalinux, fedora, rhel, rocky] }
- { name: debootstrap, os: [debian, ubuntu, ubuntu-lts] }
- { name: debian-archive-keyring, os: [debian] }
- { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] }
loop_control:
label: "{{ item.name }}"
retries: 4
delay: 15
- name: Prepare /iso mount and repository for RHEL-based systems
when: os == "rhel"
block:
- name: Create /iso directory
ansible.builtin.file:
path: /usr/local/install/redhat/dvd
state: directory
mode: "0755"
- name: Detect RHEL ISO device
ansible.builtin.command: lsblk -rno NAME,TYPE
register: environment_lsblk_result
changed_when: false
- name: Select RHEL ISO device
vars:
_rom_devices: >-
{{
environment_lsblk_result.stdout_lines
| map('split', ' ')
| selectattr('1', 'equalto', 'rom')
| map('first')
| map('regex_replace', '^', '/dev/')
| list
}}
ansible.builtin.set_fact:
environment_rhel_iso_device: >-
{{
_rom_devices[-1]
if _rom_devices | length > 1
else (_rom_devices[0] | default('/dev/sr1'))
}}
- name: Mount RHEL ISO
ansible.posix.mount:
src: "{{ environment_rhel_iso_device }}"
path: /usr/local/install/redhat/dvd
fstype: iso9660
opts: "ro,loop"
state: mounted
# Security note: RPM Sequoia signature policy is relaxed to allow
# bootstrapping RHEL-family distros from the Arch ISO, where the
# host rpm/dnf does not trust target distro GPG keys. Package
# integrity is verified by the target system's own rpm after reboot.
- name: Relax RPM Sequoia signature policy for RHEL bootstrap
when: is_rhel | bool
ansible.builtin.copy:
dest: /etc/rpm/macros
content: "%_pkgverify_level none\n"
mode: "0644"
- name: Configure RHEL Repos for installation
when: is_rhel | bool
block:
- name: Create directories for repository files and RPM GPG keys
ansible.builtin.file:
path: /etc/yum.repos.d
state: directory
mode: "0755"
- name: Create RHEL repository file
ansible.builtin.template:
src: "{{ os }}.repo.j2"
dest: /etc/yum.repos.d/{{ os }}.repo
mode: "0644"
- name: Check for third-party preparation tasks
run_once: true
become: false
delegate_to: localhost
vars:
ansible_connection: local
block:
- name: Resolve third-party preparation task path
ansible.builtin.set_fact:
environment_thirdparty_tasks_path: >-
{{
thirdparty_tasks
if thirdparty_tasks | regex_search('^/')
else playbook_dir + '/' + thirdparty_tasks
}}
changed_when: false
- name: Stat third-party preparation tasks
ansible.builtin.stat:
path: "{{ environment_thirdparty_tasks_path }}"
register: environment_thirdparty_tasks_stat
changed_when: false
- name: Run third-party preparation tasks - name: Run third-party preparation tasks
when: ansible.builtin.include_tasks: _thirdparty.yml
- thirdparty_tasks | length > 0
- environment_thirdparty_tasks_stat.stat.exists
ansible.builtin.include_tasks: "{{ environment_thirdparty_tasks_path }}"

2
roles/global_defaults/tasks/_normalize_system.yml
View File

@@ -41,7 +41,7 @@
if (system_raw.network.interfaces | default([]) | length > 0) if (system_raw.network.interfaces | default([]) | length > 0)
else ( else (
[{ [{
'name': '', 'name': 'eth0',
'bridge': system_raw.network.bridge | default('') | string, 'bridge': system_raw.network.bridge | default('') | string,
'vlan': system_raw.network.vlan | default('') | string, 'vlan': system_raw.network.vlan | default('') | string,
'ip': system_raw.network.ip | default('') | string, 'ip': system_raw.network.ip | default('') | string,

41
roles/global_defaults/tasks/hypervisor.yml
View File

@@ -1,21 +1,24 @@
--- ---
- name: Ensure hypervisor input is a dictionary
ansible.builtin.set_fact:
hypervisor: "{{ hypervisor | default({}) }}"
- name: Validate hypervisor input
ansible.builtin.assert:
that:
- hypervisor is mapping
- hypervisor.type is defined
- hypervisor.type | string | length > 0
fail_msg: "hypervisor must be a dictionary and hypervisor.type must be set (e.g. libvirt|proxmox|vmware|xen|none)."
quiet: true
- name: Normalize hypervisor configuration - name: Normalize hypervisor configuration
vars: when: hypervisor_cfg is not defined
merged: "{{ hypervisor_defaults | combine(hypervisor, recursive=True) }}" block:
ansible.builtin.set_fact: - name: Ensure hypervisor input is a dictionary
hypervisor_cfg: "{{ merged }}" ansible.builtin.set_fact:
hypervisor_type: "{{ merged.type | string | lower }}" hypervisor: "{{ hypervisor | default({}) }}"
no_log: true
- name: Validate hypervisor input
ansible.builtin.assert:
that:
- hypervisor is mapping
- hypervisor.type is defined
- hypervisor.type | string | length > 0
fail_msg: "hypervisor must be a dictionary and hypervisor.type must be set (e.g. libvirt|proxmox|vmware|xen|none)."
quiet: true
- name: Merge hypervisor defaults with input
vars:
merged: "{{ hypervisor_defaults | combine(hypervisor, recursive=True) }}"
ansible.builtin.set_fact:
hypervisor_cfg: "{{ merged }}"
hypervisor_type: "{{ merged.type | string | lower }}"
no_log: true

15
roles/global_defaults/tasks/system.yml
View File

@@ -1,9 +1,12 @@
--- ---
- name: Validate raw system input types - name: Normalize system and disk configuration
ansible.builtin.include_tasks: _validate_input.yml when: system_cfg is not defined
block:
- name: Validate raw system input types
ansible.builtin.include_tasks: _validate_input.yml
- name: Normalize system configuration - name: Normalize system configuration
ansible.builtin.include_tasks: _normalize_system.yml ansible.builtin.include_tasks: _normalize_system.yml
- name: Normalize disk configuration - name: Normalize disk configuration
ansible.builtin.include_tasks: _normalize_disks.yml ansible.builtin.include_tasks: _normalize_disks.yml