sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sandwich:master
Branches Tags
sandwich:master
...
compare: sandwich:0e3edb41f764da47c971b4af3b9b42f8c064be9b
Branches Tags
sandwich:master

116 Commits
master ... 0e3edb41f7

Author SHA1 Message Date
Sandwich
0e3edb41f7 docs(bootstrap): add section comments, role boundary docs, and pipeline overview 2026-02-22 01:59:12 +01:00
Sandwich
2bf0cb901e refactor(global_defaults): data-driven hypervisor validation and shared constants 2026-02-22 01:59:09 +01:00
Sandwich
1216c79619 refactor(extras): convert custom.sh from template to static copy 2026-02-22 01:59:04 +01:00
Sandwich
4efd64664d fix(cleanup,config): xen tmp cleanup, tpm2 fallback warning, add code comments 2026-02-22 01:59:01 +01:00
Sandwich
dc5aa5077e fix(partitioning,network): swapon idempotency, DNS search domains, tune2fs changed_when 2026-02-22 01:58:56 +01:00
Sandwich
c65934c290 fix(encryption): add no_log to LUKS configuration block 2026-02-22 01:58:52 +01:00
Sandwich
5b8438ac3b fix(network): bind NM connections to detected interface names for multi-NIC 2026-02-21 16:51:15 +01:00
Sandwich
45df803131 fix(bootstrap): make dhcp-client conditional for EL < 10 (removed in EL 10) 2026-02-21 13:43:41 +01:00
Sandwich
30f74fa4bd fix(bootstrap): remove --asexplicit from pacstrap to preserve dependency metadata 2026-02-21 13:26:59 +01:00
Sandwich
19372db27e fix(bootstrap): add kernel package to rocky and almalinux extra packages 2026-02-21 12:06:09 +01:00
Sandwich
d55fc5799d fix(bootstrap): detect kernel package name for dnf family reinstall step 2026-02-21 11:46:57 +01:00
Sandwich
98231be0bd fix(bootstrap): ensure chroot DNS resolution before installing extra packages 2026-02-21 11:30:28 +01:00
Sandwich
c46a4a5a0a fix(environment): align repo IDs in rocky and almalinux templates with bootstrap config 2026-02-21 11:18:34 +01:00
Sandwich
b84688f1d6 fix(configuration): omit interface-name when not explicitly provided to avoid predictable naming mismatch 2026-02-21 08:29:24 +01:00
Sandwich
b1d2294d63 refactor(configuration): rename _uid to configuration_uid for role prefix convention 2026-02-21 05:14:33 +01:00
Sandwich
ac339b54c4 fix(configuration): handle boolean sudo values in sudoers deployment 2026-02-21 05:14:29 +01:00
Sandwich
cb46a6989f fix(configuration): use full path for chpasswd in chroot 2026-02-21 05:03:36 +01:00
Sandwich
73ea7a177b fix(global_defaults): enrich pre-computed system_cfg with bootstrap defaults 2026-02-21 04:24:23 +01:00
Sandwich
0f8faf0a22 chore(lint): suppress var-naming for user-facing API dicts 2026-02-21 02:58:10 +01:00
Sandwich
b520126253 fix(configuration): remove unnecessary changed_when on set_fact tasks 2026-02-21 02:56:58 +01:00
Sandwich
a4ca4c4ff4 refactor(cis): align normalization with main project activation gate pattern 2026-02-21 02:56:39 +01:00
Sandwich
d9efb54bec fix(global_defaults): remove dead /swap and make pacman cache arch-only in reserved mounts 2026-02-21 02:56:20 +01:00
Sandwich
e7a0cc4f62 fix(global_defaults): set filesystem default to ext4 instead of empty string 2026-02-21 02:56:08 +01:00
Sandwich
a76f317f8f refactor(bootstrap): restructure package lists to self-contained per-OS dicts with base/extra/conditional 2026-02-21 02:39:06 +01:00
Sandwich
e5bd152fb3 refactor(environment): split main.yml into focused sub-task files 2026-02-21 02:39:05 +01:00
Sandwich
6d1c3577df refactor(global_defaults): add idempotency guards to normalization tasks 2026-02-21 02:39:03 +01:00
Sandwich
86f0284acb fix(global_defaults): default interface name to eth0 instead of empty string 2026-02-21 02:38:59 +01:00
Sandwich
221bb4d517 docs(cis): add comment explaining squashfs/snap Ubuntu exclusion 2026-02-21 02:38:58 +01:00
Sandwich
e81ba76446 chore(bootstrap): pin collection versions in requirements.yml 2026-02-21 02:38:57 +01:00
Sandwich
54bbb9d15c fix(bootstrap): move Jinja to end of task name and rename registers to bootstrap_dnf_* 2026-02-21 02:38:27 +01:00
Sandwich
f94b220020 docs: update README with cis dict API, execution pipeline, and cleanup defaults 2026-02-21 01:30:36 +01:00
Sandwich
3fd470d63e fix(validation): align btrfs disk size check with new 2GB swap minimum 2026-02-21 01:28:32 +01:00
Sandwich
a3cd507b2a refactor(bootstrap): unify rocky, almalinux, and fedora into shared _dnf_family.yml 2026-02-21 01:27:33 +01:00
Sandwich
f74ec325ea refactor(cis): extract hardcoded values to cis_defaults and add _normalize.yml 2026-02-21 01:26:31 +01:00
Sandwich
bef15af69f refactor(cleanup): prioritize source-match over target-match in libvirt media removal 2026-02-21 01:22:44 +01:00
Sandwich
7970d933e8 docs(cis): explain Fedora exclusion from crypto-policy configuration 2026-02-21 01:22:41 +01:00
Sandwich
a123a32feb fix(bootstrap): replace brittle sed with ansible.builtin.replace for ubuntu universe repo 2026-02-21 01:22:37 +01:00
Sandwich
54c704de4e refactor(virtualization): simplify cloud-user-data sudo to unconditional NOPASSWD 2026-02-21 01:22:34 +01:00
Sandwich
9308d09d7b fix(bootstrap): remove duplicate lrzsz and gate dbus-daemon on version in almalinux 2026-02-21 01:20:34 +01:00
Sandwich
f367844239 fix(virtualization): fix cloud-user-data sudo logic to respect sudo: false 2026-02-21 01:20:31 +01:00
Sandwich
53e4499d2b fix(partitioning): lower swap minimum from 4GB to 2GB for small VMs 2026-02-21 01:19:23 +01:00
Sandwich
eb63a4fa83 fix(partitioning): add wipefs before mkfs on extra disk partitions 2026-02-21 01:19:19 +01:00
Sandwich
9e3688ae2b fix(cis): strengthen kernel module blacklist and sysctl hardening 2026-02-21 01:18:52 +01:00
Sandwich
dea01cc8a0 refactor(partitioning): split monolithic main.yml into focused task files 2026-02-21 00:39:03 +01:00
Sandwich
92c9702e1d fix(validation): add CIDR prefix range check and Ubuntu version validation 2026-02-21 00:38:57 +01:00
Sandwich
c837a52a24 refactor(cis): remove redundant AllowUsers/AllowGroups/DenyUsers/DenyGroups from sshd 2026-02-21 00:38:52 +01:00
Sandwich
fbd57e0603 fix(cis): skip squashfs blacklist on Ubuntu to preserve snap functionality 2026-02-21 00:38:47 +01:00
Sandwich
40a9ee9882 fix(partitioning): correct changed_when on btrfs quota and qgroup commands 2026-02-21 00:38:43 +01:00
Sandwich
3448e95e5c fix(cis): add regexp to all lineinfile entries in security_lines.yml for idempotency 2026-02-21 00:38:36 +01:00
Sandwich
074831833f fix: add no_log to credential-handling pre_tasks and post_tasks in main.yml 2026-02-21 00:38:32 +01:00
Sandwich
d1a5217e88 fix(virtualization): add no_log and secure temp file handling to libvirt cloud-init 2026-02-21 00:38:28 +01:00
Sandwich
07492b5b57 refactor(cleanup): add configurable verify_boot, boot_timeout, and remove_on_failure defaults 2026-02-20 23:02:24 +01:00
Sandwich
14913bcd3d refactor: move playbook-root templates into their respective roles 2026-02-20 23:01:38 +01:00
Sandwich
041650c287 refactor: add loop_control labels to dict-based loops across all roles 2026-02-20 23:00:53 +01:00
Sandwich
a63ffbc731 refactor(partitioning): move btrfs home quota to configurable default 2026-02-20 22:55:37 +01:00
Sandwich
9d2f1cc5bd fix(environment): detect RHEL ISO device dynamically instead of hardcoded /dev/sr paths 2026-02-20 22:54:42 +01:00
Sandwich
f72f9feb9a refactor(global_defaults): split system.yml into composable normalization stages 2026-02-20 22:54:05 +01:00
Sandwich
417737f904 refactor(global_defaults): extract OS family lists to single source of truth 2026-02-20 22:52:55 +01:00
Sandwich
a06c2ebdcf fix(partitioning): add failed_when to all blkid commands to catch empty UUIDs 2026-02-20 22:52:18 +01:00
Sandwich
e174ecda42 fix(partitioning): add default fallbacks for is_rhel, os, os_version in defaults 2026-02-20 22:51:37 +01:00
Sandwich
5246a905bb fix(virtualization): use hostname variable instead of hardcoded archiso in cloud-user-data 2026-02-20 22:51:32 +01:00
Sandwich
d00d84b69c fix(virtualization): avoid no-handler lint finding in xen VM created tracking 2026-02-20 22:29:03 +01:00
Sandwich
4dafa8c596 fix(partitioning): fix line length violation in home size calculation 2026-02-20 22:28:58 +01:00
Sandwich
53584b8730 fix(configuration): add pipefail to root password shell pipe 2026-02-20 22:28:54 +01:00
Sandwich
ce40468b77 fix(bootstrap): use release map for ubuntu version detection 2026-02-20 22:27:46 +01:00
Sandwich
4b4fab3c33 chore: add .yamllint matching main project conventions 2026-02-20 22:27:31 +01:00
Sandwich
db2fab5e7d fix(configuration): use chpasswd for root password and separate shell setting 2026-02-20 22:27:17 +01:00
Sandwich
42be0a5919 fix(configuration): add explicit LUKS auto-decrypt fallback state tracking and logging 2026-02-20 22:26:47 +01:00
Sandwich
17400fa6ff refactor(partitioning): externalize hardcoded LVM and disk sizing constants to defaults 2026-02-20 22:26:23 +01:00
Sandwich
deb14d2c94 fix(virtualization): add xen VM existence check and improve changed_when 2026-02-20 22:25:10 +01:00
Sandwich
65c5b1029b fix(cis): add pipefail to sshd version detection and define binary defaults 2026-02-20 22:24:14 +01:00
Sandwich
a1fbb7c21d feat(cleanup): gate RHEL ISO disk and fstab handling on rhel_repo.source 2026-02-20 21:51:20 +01:00
Sandwich
d076ac8fef feat(global_defaults): add system.features.rhel_repo option (iso|satellite|none) 2026-02-20 21:51:16 +01:00
Sandwich
c82e4afc4d fix(encryption): add warning before silent TPM2-to-keyfile fallback 2026-02-20 21:51:12 +01:00
Sandwich
ac72fdc4a6 fix(partitioning): correct wipefs changed_when to report actual disk modification 2026-02-20 21:51:09 +01:00
Sandwich
b2e050c467 fix(validation): require password for primary user in system.users[0] 2026-02-20 21:51:06 +01:00
Sandwich
914d7dd9d1 fix(system_check): move no_log from block to individual API tasks 2026-02-20 21:51:02 +01:00
Sandwich
21bf8f79e2 fix(cis): make mlkem768x25519-sha256 KexAlgorithm conditional on OpenSSH 9.9+ 2026-02-20 21:50:58 +01:00
Sandwich
38feff4369 fix(cis): use is_rhel for journald config path instead of fedora-only check 2026-02-20 21:50:55 +01:00
Sandwich
404529e8a4 refactor(configuration): add conditional dispatch to task includes 2026-02-20 21:16:52 +01:00
Sandwich
3db18858c3 refactor(cis): move OS-specific binary resolution to vars/main.yml 2026-02-20 21:16:48 +01:00
Sandwich
72a9576abe refactor(configuration): split network.yml into per-init-system dispatch files 2026-02-20 21:16:45 +01:00
Sandwich
462c2c7dfe refactor(bootstrap): restructure conditional package lists to list concatenation 2026-02-20 21:16:40 +01:00
Sandwich
ef8bfeaf84 refactor(configuration): convert services.yml to list-based loop 2026-02-20 21:16:37 +01:00
Sandwich
ba6be037ac refactor(virt): adopt module_defaults for hypervisor credentials 2026-02-20 21:16:33 +01:00
Sandwich
5ca1c7f570 refactor(cleanup): restructure dispatch to use hypervisor_type include 2026-02-20 21:16:28 +01:00
Sandwich
cd8e477534 refactor(partitioning): extract VG name to defaults variable 2026-02-20 21:16:25 +01:00
Sandwich
c439e9741e fix(configuration): remove trailing blank line from extras.yml 2026-02-20 20:20:33 +01:00
Sandwich
0a5c70e49f docs(environment): document RPM GPG policy relaxation 2026-02-20 20:19:57 +01:00
Sandwich
19f2c9efe2 chore(bootstrap): align ansible.cfg with main project settings 2026-02-20 20:19:46 +01:00
Sandwich
230c74fd9b feat(system_check): add safety check for physical installs 2026-02-20 20:19:37 +01:00
Sandwich
a2c19e2e49 fix(cleanup): fix vmware CD-ROM omit fragility and add cross-role defaults 2026-02-20 20:19:25 +01:00
Sandwich
9f9a4b38b8 fix(virtualization): add XML safety attributes and switch xen to virtio 2026-02-20 20:18:49 +01:00
Sandwich
524356cf8d fix(cis): remove deprecated sshd options and update hardening values 2026-02-20 20:17:52 +01:00
Sandwich
a2993212ca fix(configuration): disambiguate BLS task names and clean up misc noise 2026-02-20 20:17:05 +01:00
Sandwich
fba2e5fc94 refactor(configuration): relocate login banner and fix blockinfile markers 2026-02-20 20:16:19 +01:00
Sandwich
cf68a93b45 fix(configuration): use short hostname and allow per-user shell 2026-02-20 20:15:49 +01:00
Sandwich
3000268a0e fix(partitioning): mount extra disks by UUID instead of device path 2026-02-20 20:15:25 +01:00
Sandwich
196c5be67a fix(partitioning): correct LVM swap sizing and harden UUID fallbacks 2026-02-20 20:15:00 +01:00
Sandwich
33bad193b4 fix(configuration): add trailing semicolons to NM keyfile DNS fields 2026-02-20 20:14:06 +01:00
Sandwich
d5277802f7 fix(bootstrap): add missing packages and remove duplicates 2026-02-20 20:13:53 +01:00
Sandwich
28e6cf50d1 fix(bootstrap): add devpts mount and use ephemeral state for RHEL DVD 2026-02-20 20:12:59 +01:00
Sandwich
42cb5071c2 fix(bootstrap): unify resolv.conf to live environment DNS symlink 2026-02-20 20:12:42 +01:00
Sandwich
23a798a63a fix(global_defaults): add no_log to hypervisor tasks and expand validation 2026-02-20 20:11:37 +01:00
Sandwich
5dd84c6b39 fix: configurable OVMF/machine type, routes syntax, package lists, interface names 2026-02-20 18:47:12 +01:00
Sandwich
d0ae20911b fix(cleanup): keep RHEL ISO ide1 attached as local repo 2026-02-20 18:41:40 +01:00
Sandwich
b6d06dd96d fix: deep analysis audit — no_log, resolv.conf, service conflicts, lint 2026-02-20 18:34:59 +01:00
Sandwich
09b3ed44ba fix(bootstrap): RHEL 9 bootstrap from Arch ISO compatibility 
- Generate resolv.conf from inventory DNS settings instead of copying
  host file (Arch ISO has systemd-resolved stub 127.0.0.53)
- Add XFS compat options for GRUB 2.06 and kernel 5.14 across LVM
  volumes, /boot partition, and data disks
- Mount API filesystems (proc, sys, dev) into chroot for RPM scriptlets
- Bypass GPG Sequoia validation with _pkgverify_level none
- Tolerate grub2-common scriptlet warnings
- Handle libvirt VM destroy gracefully during cleanup
 2026-02-20 16:58:59 +01:00
Sandwich
603abe63cb refactor: make bootstrap host target configurable 2026-02-20 16:58:59 +01:00
Sandwich
1c0e6533ae fix(ubuntu): add initramfs-tools to debootstrap base packages 2026-02-20 16:58:59 +01:00
Sandwich
00aa614cfd fix(bootstrap): use explicit keyring for debootstrap and copy resolv.conf 2026-02-20 16:58:59 +01:00
Sandwich
4905d10bc0 fix(cloud-init): handle boolean sudo values in user-data template 2026-02-20 16:58:59 +01:00
Sandwich
b4e8ccb77f fix: re-gather facts after reboot to detect target OS package manager 
The live ISO (Arch) caches ansible_pkg_mgr=pacman. After rebooting
into the target OS (e.g. Debian), package module fails because pacman
is not available. Re-gather minimal facts including pkg_mgr.
 2026-02-20 16:58:59 +01:00
Sandwich
2a82ee4d5c fix: resolve Jinja2 .keys ambiguity, fastfetch availability, and python interpreter 
- Use bracket notation item['keys'] instead of item.keys to avoid
  conflict with Python dict .keys() method
- Remove fastfetch from Debian 12 package list (only available in 13+)
- Set explicit python interpreter path for post-reboot tasks
 2026-02-20 16:58:58 +01:00
Sandwich
7b213e7456 fix(partitioning): create separate /boot for LVM-based filesystems 
VMware EFI firmware may not initialize all SCSI devices before GRUB
runs, preventing LVM assembly when the root LV spans multiple disks.
A separate /boot partition (the standard RHEL Anaconda layout) lets
GRUB load kernels without LVM; the kernel initramfs handles LVM
activation with proper device waiting.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-20 04:50:32 +01:00
Sandwich
cfc261878a fix(bootloader): run efibootmgr on host for universal chroot compatibility 
The previous approach ran efibootmgr inside the chroot, which only works
with arch-chroot (auto-mounts efivars) but fails silently with
systemd-nspawn or plain chroot. Move EFI boot entry creation to the host
where efivars is always available.

Also fixes wrong EFI loader path (\efi\EFI\... -> \EFI\...) and uses
the correct vendor label (e.g. "redhat" instead of raw os variable).

For non-RHEL distros, grub-install now uses --no-nvram to avoid
redundant NVRAM writes; the host efibootmgr handles entry creation
for all distros uniformly with idempotent pre-check.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-20 03:36:20 +01:00
97 changed files with 3450 additions and 2671 deletions
Expand all files Collapse all files

1
.ansible-lint
View File

@@ -1,4 +1,5 @@
skip_list: skip_list:
- run-once - run-once
- var-naming[no-role-prefix] # user-facing API dicts (cis, system, hypervisor) are intentionally not role-prefixed
exclude_paths: exclude_paths:
- roles/global_defaults/ - roles/global_defaults/

19
.yamllint Normal file
View File

@@ -0,0 +1,19 @@
---
extends: default
rules:
document-start: disable
line-length:
max: 200
allow-non-breakable-words: true
allow-non-breakable-inline-mappings: true
truthy:
allowed-values: ["true", "false"]
check-keys: false
comments:
min-spaces-from-content: 1
comments-indentation: disable
braces:
max-spaces-inside: 1
octal-values:
forbid-implicit-octal: true

425
README.md
View File

@@ -1,8 +1,8 @@
# Ansible Bootstrap # Ansible Bootstrap
An Ansible playbook for automating Linux system bootstrap in an Infrastructure-as-Code manner. It uses the Arch Linux ISO as a foundational tool to provide an efficient and systematic method for the automatic deployment of a variety of Linux distributions on designated target systems, ensuring a standardized setup across different platforms. Automated Linux system bootstrap using the Arch Linux ISO as a universal installer. Deploys any supported distribution on virtual or physical targets via Infrastructure-as-Code.
Most roles are adaptable for use with systems beyond Arch Linux, requiring only that the target system can install the necessary package manager (e.g. `dnf` for RHEL-based systems). A replacement for the `arch-chroot` command may also be required; set `system.features.chroot.tool` accordingly. Non-Arch targets require the appropriate package manager available from the ISO environment (e.g. `dnf` for RHEL-family). Set `system.features.chroot.tool` if `arch-chroot` is unavailable.
## Table of Contents ## Table of Contents
@@ -13,15 +13,14 @@ Most roles are adaptable for use with systems beyond Arch Linux, requiring only
- 4.1 [Core Variables](#41-core-variables) - 4.1 [Core Variables](#41-core-variables)
- 4.2 [`system` Dictionary](#42-system-dictionary) - 4.2 [`system` Dictionary](#42-system-dictionary)
- 4.3 [`hypervisor` Dictionary](#43-hypervisor-dictionary) - 4.3 [`hypervisor` Dictionary](#43-hypervisor-dictionary)
- 4.4 [VMware Guest Operations](#44-vmware-guest-operations) - 4.4 [`cis` Dictionary](#44-cis-dictionary)
- 4.5 [Multi-Disk Schema](#45-multi-disk-schema) - 4.5 [VMware Guest Operations](#45-vmware-guest-operations)
- 4.6 [Advanced Partitioning Overrides](#46-advanced-partitioning-overrides) - 4.6 [Multi-Disk Schema](#46-multi-disk-schema)
5. [How to Use the Playbook](#5-how-to-use-the-playbook) - 4.7 [Advanced Partitioning Overrides](#47-advanced-partitioning-overrides)
- 5.1 [Prerequisites](#51-prerequisites) - 4.8 [Cleanup Defaults](#48-cleanup-defaults)
- 5.2 [Running the Playbook](#52-running-the-playbook) 5. [Execution Pipeline](#5-execution-pipeline)
- 5.3 [Example Usage](#53-example-usage) 6. [Usage](#6-usage)
6. [Security](#6-security) 7. [Security](#7-security)
7. [Operational Notes](#7-operational-notes)
8. [Safety](#8-safety) 8. [Safety](#8-safety)
## 1. Supported Platforms ## 1. Supported Platforms
@@ -29,17 +28,17 @@ Most roles are adaptable for use with systems beyond Arch Linux, requiring only
### Distributions ### Distributions
| `system.os` | Distribution | `system.version` | | `system.os` | Distribution | `system.version` |
| ------------ | ------------------------ | ------------------------------- | | ------------ | ------------------------ | ------------------------------------- |
| `almalinux` | AlmaLinux | `8`, `9`, `10` | | `almalinux` | AlmaLinux | `8`, `9`, `10` |
| `alpine` | Alpine Linux | latest (rolling) | | `alpine` | Alpine Linux | latest (rolling) |
| `archlinux` | Arch Linux | latest (rolling) | | `archlinux` | Arch Linux | latest (rolling) |
| `debian` | Debian | `10`, `11`, `12`, `13`, `unstable` | | `debian` | Debian | `10`-`13`, `unstable` |
| `fedora` | Fedora | `40`, `41`, `42`, `43` | | `fedora` | Fedora | `38`-`45` |
| `opensuse` | openSUSE Tumbleweed | latest (rolling) | | `opensuse` | openSUSE Tumbleweed | latest (rolling) |
| `rhel` | Red Hat Enterprise Linux | `8`, `9`, `10` | | `rhel` | Red Hat Enterprise Linux | `8`, `9`, `10` |
| `rocky` | Rocky Linux | `8`, `9`, `10` | | `rocky` | Rocky Linux | `8`, `9`, `10` |
| `ubuntu` | Ubuntu | latest | | `ubuntu` | Ubuntu (latest non-LTS) | optional (e.g. `24.04`) |
| `ubuntu-lts` | Ubuntu LTS | latest | | `ubuntu-lts` | Ubuntu LTS | optional (e.g. `24.04`) |
| `void` | Void Linux | latest (rolling) | | `void` | Void Linux | latest (rolling) |
### Hypervisors ### Hypervisors
@@ -55,28 +54,28 @@ Most roles are adaptable for use with systems beyond Arch Linux, requiring only
## 2. Compatibility Notes ## 2. Compatibility Notes
- `rhel_iso` is required for `system.os: rhel`. - `rhel_iso` is required for `system.os: rhel`.
- RHEL installs should use `system.filesystem: ext4` or `system.filesystem: xfs` (not `btrfs`). - RHEL installs should use `ext4` or `xfs` (not `btrfs`).
- For RHEL 8 specifically, prefer `ext4` over `xfs` if you hit installer/filesystem edge cases. - `custom_iso: true` skips ArchISO validation; your installer must provide required tooling.
- `custom_iso: true` skips ArchISO validation and pacman preparation; your installer image must already provide required tooling. - On non-Arch installers, set `system.features.chroot.tool` explicitly.
- On non-Arch installers, set `system.features.chroot.tool` (`arch-chroot`, `chroot`, or `systemd-nspawn`) explicitly as needed.
## 3. Configuration Model ## 3. Configuration Model
The project uses two dict-based variables: Two dict-based variables drive the entire configuration:
- `system` for host/runtime/install configuration - **`system`** -- host, network, users, disk layout, encryption, and feature toggles
- `hypervisor` for virtualization backend configuration - **`hypervisor`** -- virtualization backend credentials and targeting
These are normal Ansible variables and belong in host/group vars. You can define them in inventory host entries, `group_vars/*`, or `host_vars/*`. Dictionary variables are merged across scopes (`group_vars` -> `host_vars`) by project config (`hash_behaviour = merge`), so you can set shared values like `system.filesystem` once in group vars and override only host-specific keys per host. An optional third dict **`cis`** overrides CIS hardening parameters when `system.features.cis.enabled: true`.
All three are standard Ansible variables. Place them in `group_vars/`, `host_vars/`, or inline inventory. With `hash_behaviour = merge`, dictionaries merge across scopes, so shared values go in group vars and host-specific overrides go per-host.
### Variable Placement ### Variable Placement
| Location | Scope | Typical use | | Location | Scope | Typical use |
| -------------------------- | ----------- | ------------------------------------------------------------ | | ------------------------ | ----------- | -------------------------------------------------------------- |
| `group_vars/all.yml` | All hosts | Shared defaults like `hypervisor`, `system.filesystem`, `boot_iso` | | `group_vars/all.yml` | All hosts | Shared `hypervisor`, `system.filesystem`, `boot_iso` |
| `group_vars/<group>.yml` | Group | Environment or role-specific defaults | | `group_vars/<group>.yml` | Group | Environment-specific defaults |
| `host_vars/<host>.yml` | Single host | Host-specific overrides | | `host_vars/<host>.yml` | Single host | Host-specific overrides (`system.network.ip`, `system.id`, etc.) |
| Inventory inline host vars | Single host | Inline definitions for quick setup |
### Example Inventory ### Example Inventory
@@ -90,7 +89,8 @@ all:
type: proxmox type: proxmox
url: pve01.example.com url: pve01.example.com
username: root@pam username: root@pam
password: CHANGE_ME password: !vault |
$ANSIBLE_VAULT...
host: pve01 host: pve01
storage: local-lvm storage: local-lvm
@@ -107,7 +107,6 @@ all:
id: 101 id: 101
cpus: 2 cpus: 2
memory: 4096 memory: 4096
balloon: 0
network: network:
bridge: vmbr0 bridge: vmbr0
ip: 10.0.0.10 ip: 10.0.0.10
@@ -124,19 +123,24 @@ all:
fstype: xfs fstype: xfs
users: users:
- name: ops - name: ops
password: CHANGE_ME password: !vault |
$ANSIBLE_VAULT...
keys: keys:
- "ssh-ed25519 AAAA..." - "ssh-ed25519 AAAA..."
sudo: true
root: root:
password: CHANGE_ME password: !vault |
$ANSIBLE_VAULT...
luks: luks:
enabled: true enabled: true
passphrase: CHANGE_ME passphrase: !vault |
auto: true $ANSIBLE_VAULT...
method: tpm2 method: tpm2
tpm2: tpm2:
pcrs: "7" pcrs: "7"
features: features:
cis:
enabled: true
firewall: firewall:
enabled: true enabled: true
backend: firewalld backend: firewalld
@@ -147,38 +151,36 @@ all:
### 4.1 Core Variables ### 4.1 Core Variables
These top-level variables sit outside the `system`/`hypervisor` dictionaries. Top-level variables outside `system`/`hypervisor`/`cis`.
| Variable | Type | Description | | Variable | Type | Default | Description |
| ----------------------------------- | ------ | ------------------------------------------------ | | ---------------- | ------ | -------------------------- | ---------------------------------------------------- |
| `boot_iso` | string | Path to the boot ISO image (required for virtual installs). | | `boot_iso` | string | -- | Boot ISO path (required for virtual installs) |
| `rhel_iso` | string | Path to the RHEL ISO (required when `system.os: rhel`). | | `rhel_iso` | string | -- | RHEL ISO path (required when `system.os: rhel`) |
| `custom_iso` | bool | Skip ArchISO validation and pacman setup. Default `false`. | | `custom_iso` | bool | `false` | Skip ArchISO validation and pacman setup |
| `thirdparty_tasks` | string | Drop-in task file included during environment setup. Default `dropins/preparation.yml`. | | `thirdparty_tasks` | string | `dropins/preparation.yml` | Drop-in task file included during environment setup |
### 4.2 `system` Dictionary ### 4.2 `system` Dictionary
Top-level host install/runtime settings. Use these keys under `system`.
| Key | Type | Default | Description | | Key | Type | Default | Description |
| ------------ | ---------- | -------------------- | ---------------------------------------- | | ------------ | ---------- | ------------------ | ------------------------------------------------------ |
| `type` | string | `virtual` | `virtual` or `physical` | | `type` | string | `virtual` | `virtual` or `physical` |
| `os` | string | empty | Target distribution (see [table](#distributions)) | | `os` | string | -- | Target distribution (see [table](#distributions)) |
| `version` | string | empty | Version selector for distro families | | `version` | string | -- | Version selector for versioned distros |
| `filesystem` | string | empty | `btrfs`, `ext4`, or `xfs` | | `filesystem` | string | -- | `btrfs`, `ext4`, or `xfs` |
| `name` | string | inventory hostname | Final hostname | | `name` | string | inventory hostname | Final hostname |
| `timezone` | string | `Europe/Vienna` | System timezone (tz database name) | | `timezone` | string | `Europe/Vienna` | System timezone (tz database name) |
| `locale` | string | `en_US.UTF-8` | System locale | | `locale` | string | `en_US.UTF-8` | System locale |
| `keymap` | string | `us` | Console keymap (`vconsole.conf`) | | `keymap` | string | `us` | Console keymap |
| `id` | int/string | empty | VMID (required for Proxmox) | | `id` | int/string | -- | VMID (required for Proxmox) |
| `cpus` | int | `0` | vCPU count | | `cpus` | int | `0` | vCPU count (required for virtual) |
| `memory` | int | `0` | Memory in MiB | | `memory` | int | `0` | Memory in MiB (required for virtual) |
| `balloon` | int | `0` | Balloon memory in MiB | | `balloon` | int | `0` | Balloon memory in MiB (Proxmox) |
| `path` | string | empty | Hypervisor folder/path (libvirt/vmware) | | `path` | string | -- | Hypervisor folder/path |
| `packages` | list | `[]` | Additional packages installed post-reboot | | `packages` | list | `[]` | Additional packages installed post-reboot |
| `network` | dict | see below | Network configuration | | `network` | dict | see below | Network configuration |
| `disks` | list | `[]` | Disk layout (see [Multi-Disk Schema](#45-multi-disk-schema)) | | `disks` | list | `[]` | Disk layout (see [Multi-Disk Schema](#46-multi-disk-schema)) |
| `users` | list | `[]` | User accounts (see below) | | `users` | list | `[]` | User accounts |
| `root` | dict | see below | Root account settings | | `root` | dict | see below | Root account settings |
| `luks` | dict | see below | Encryption settings | | `luks` | dict | see below | Encryption settings |
| `features` | dict | see below | Feature toggles | | `features` | dict | see below | Feature toggles |
@@ -186,231 +188,228 @@ Top-level host install/runtime settings. Use these keys under `system`.
#### `system.network` #### `system.network`
| Key | Type | Default | Description | | Key | Type | Default | Description |
| -------------- | ---------- | ------- | ---------------------------------------------------- | | -------------- | ---------- | ------- | ---------------------------------------------- |
| `bridge` | string | empty | Hypervisor network/bridge name | | `bridge` | string | -- | Hypervisor network/bridge name |
| `vlan` | string/int | empty | VLAN tag | | `vlan` | string/int | -- | VLAN tag |
| `ip` | string | empty | Static IP (omit for DHCP) | | `ip` | string | -- | Static IP (omit for DHCP) |
| `prefix` | int | empty | CIDR prefix for static IP | | `prefix` | int | -- | CIDR prefix (1-32, required with `ip`) |
| `gateway` | string | empty | Default gateway (static only) | | `gateway` | string | -- | Default gateway |
| `dns.servers` | list | `[]` | DNS resolvers (must be a YAML list) | | `dns.servers` | list | `[]` | DNS resolvers (must be a YAML list) |
| `dns.search` | list | `[]` | Search domains (must be a YAML list) | | `dns.search` | list | `[]` | Search domains (must be a YAML list) |
| `interfaces` | list | `[]` | Multi-NIC config (overrides flat fields above) | | `interfaces` | list | `[]` | Multi-NIC config (overrides flat fields above) |
When `interfaces` is empty, the flat fields (`bridge`, `ip`, `prefix`, `gateway`, `vlan`) are auto-wrapped into a single-entry `interfaces[]` list. When `interfaces` is set, it takes precedence and the flat fields are back-populated from `interfaces[0]` for backward compatibility. Each `interfaces[]` entry supports: `name`, `bridge` (required), `vlan`, `ip`, `prefix`, `gateway`. When `interfaces` is empty, the flat fields (`bridge`, `ip`, `prefix`, `gateway`, `vlan`) are auto-wrapped into a single-entry list. When `interfaces` is set, it takes precedence. Each entry supports: `name`, `bridge` (required), `vlan`, `ip`, `prefix`, `gateway`.
#### `system.users` #### `system.users`
A list of user account dictionaries. Credentials for the first user are prompted interactively by default via `vars_prompt` in `main.yml`, but can be supplied via inventory, vars files, or `-e` for non-interactive runs.
| Key | Type | Default | Description | | Key | Type | Default | Description |
| ---------- | ------ | ------- | -------------------------------------------- | | ---------- | ----------- | ------- | -------------------------------------------------- |
| `name` | string | empty | Username created on target (required) | | `name` | string | -- | Username (required) |
| `password` | string | empty | User password (also used for sudo) | | `password` | string | -- | User password (required for first user) |
| `keys` | list | `[]` | SSH public keys for `authorized_keys` | | `keys` | list | `[]` | SSH public keys |
| `sudo` | string | empty | Custom sudoers rule (optional, per-user) | | `sudo` | bool/string | -- | `true` for NOPASSWD ALL, or custom sudoers string |
The first user's credentials are prompted interactively via `vars_prompt` unless supplied in inventory or `-e`.
#### `system.root` #### `system.root`
| Key | Type | Default | Description | | Key | Type | Default | Description |
| ---------- | ------ | ------- | -------------- | | ---------- | ------ | ------- | ------------- |
| `password` | string | empty | Root password | | `password` | string | -- | Root password |
#### `system.luks` #### `system.luks`
LUKS container, unlock, and initramfs-related settings. | Key | Type | Default | Description |
| ------------ | ------ | ------------------ | ------------------------------------------ |
| Key | Type | Default | Allowed | Description | | `enabled` | bool | `false` | Enable encrypted root |
| ------------ | ------ | ------------------ | -------------------------- | ------------------------------------------ | | `passphrase` | string | -- | Passphrase for format/open/enroll |
| `enabled` | bool | `false` | `true`/`false` | Enable encrypted root workflow | | `mapper` | string | `SYSTEM_DECRYPTED` | Mapper name under `/dev/mapper` |
| `passphrase` | string | empty | any string | Passphrase used for format/open/enroll | | `auto` | bool | `true` | Auto-unlock toggle |
| `mapper` | string | `SYSTEM_DECRYPTED` | mapper name | Mapper name under `/dev/mapper` | | `method` | string | `tpm2` | Auto-unlock backend: `tpm2` or `keyfile` |
| `auto` | bool | `true` | `true`/`false` | Auto-unlock behavior toggle | | `keysize` | int | `64` | Keyfile size in bytes |
| `method` | string | `tpm2` | `tpm2`, `keyfile` | Auto-unlock backend when `auto=true` | | `options` | string | `discard,tries=3` | Additional crypttab options |
| `keysize` | int | `64` | positive int | Keyfile size (bytes) for keyfile mode | | `type` | string | `luks2` | LUKS format type |
| `options` | string | `discard,tries=3` | crypttab opts | Additional crypttab/kernel options | | `cipher` | string | `aes-xts-plain64` | Cipher |
| `type` | string | `luks2` | cryptsetup type | LUKS format type | | `hash` | string | `sha512` | Hash algorithm |
| `cipher` | string | `aes-xts-plain64` | cipher name | Cryptsetup cipher | | `iter` | int | `4000` | PBKDF iteration time (ms) |
| `hash` | string | `sha512` | hash name | Cryptsetup hash | | `bits` | int | `512` | Key size (bits) |
| `iter` | int | `4000` | positive int | PBKDF iteration time (ms) | | `pbkdf` | string | `argon2id` | PBKDF algorithm |
| `bits` | int | `512` | positive int | Key size (bits) | | `urandom` | bool | `true` | Use urandom during key generation |
| `pbkdf` | string | `argon2id` | pbkdf name | PBKDF algorithm | | `verify` | bool | `true` | Verify passphrase during format |
| `urandom` | bool | `true` | `true`/`false` | Use urandom during key generation |
| `verify` | bool | `true` | `true`/`false` | Verify passphrase during format |
#### `system.luks.tpm2` #### `system.luks.tpm2`
TPM2-specific policy settings used when `system.luks.method: tpm2`. | Key | Type | Default | Description |
| -------- | ------------- | ------- | ---------------------------------------------- |
| Key | Type | Default | Allowed | Description | | `device` | string | `auto` | TPM2 device selector |
| ------ | ----------- | ------- | --------------------- | --------------------------------------------------- | | `pcrs` | string/list | -- | PCR binding policy (e.g. `"7"` or `"0+7"`) |
| `device` | string | `auto` | `auto` or device path | TPM2 device selector |
| `pcrs` | string/list | empty | PCR expression | PCR binding policy (e.g. `"7"` or `"0+7"`) |
#### `system.features` #### `system.features`
Feature toggles for optional system configuration. | Key | Type | Default | Description |
| ------------------ | ------ | -------------- | ------------------------------------ |
| Key | Type | Default | Allowed | Description | | `cis.enabled` | bool | `false` | Enable CIS hardening (see [4.4](#44-cis-dictionary)) |
| ------------------ | ------ | -------------- | ------------------------------------------ | ---------------------------------- | | `selinux.enabled` | bool | `true` | SELinux management |
| `cis.enabled` | bool | `false` | `true`/`false` | Enable CIS hardening role | | `firewall.enabled` | bool | `true` | Firewall setup |
| `selinux.enabled` | bool | `true` | `true`/`false` | SELinux management | | `firewall.backend` | string | `firewalld` | `firewalld` or `ufw` |
| `firewall.enabled` | bool | `true` | `true`/`false` | Enable firewall role actions | | `firewall.toolkit` | string | `nftables` | `nftables` or `iptables` |
| `firewall.backend` | string | `firewalld` | `firewalld`, `ufw` | Firewall service backend | | `ssh.enabled` | bool | `true` | SSH service/package management |
| `firewall.toolkit` | string | `nftables` | `nftables`, `iptables` | Packet filtering toolkit | | `zstd.enabled` | bool | `true` | zstd-related tuning |
| `ssh.enabled` | bool | `true` | `true`/`false` | SSH service/package management | | `swap.enabled` | bool | `true` | Swap setup |
| `zstd.enabled` | bool | `true` | `true`/`false` | zstd related tuning | | `banner.motd` | bool | `false` | MOTD banner |
| `swap.enabled` | bool | `true` | `true`/`false` | Swap setup toggle | | `banner.sudo` | bool | `true` | Sudo banner |
| `banner.motd` | bool | `false` | `true`/`false` | MOTD banner management | | `chroot.tool` | string | `arch-chroot` | `arch-chroot`, `chroot`, or `systemd-nspawn` |
| `banner.sudo` | bool | `true` | `true`/`false` | Sudo banner management |
| `chroot.tool` | string | `arch-chroot` | `arch-chroot`, `chroot`, `systemd-nspawn` | Chroot wrapper command |
### 4.3 `hypervisor` Dictionary ### 4.3 `hypervisor` Dictionary
| Key | Type | Description | | Key | Type | Default | Description |
| ------------ | ------ | -------------------------------------------------------- | | ------------ | ------ | ------- | ---------------------------------------------------- |
| `type` | string | `libvirt`, `proxmox`, `vmware`, `xen`, or `none` | | `type` | string | -- | `libvirt`, `proxmox`, `vmware`, `xen`, or `none` |
| `url` | string | Proxmox/VMware API host | | `url` | string | -- | API host (Proxmox/VMware) |
| `username` | string | API username | | `username` | string | -- | API username |
| `password` | string | API password | | `password` | string | -- | API password |
| `host` | string | Proxmox node name | | `host` | string | -- | Proxmox node name |
| `storage` | string | Proxmox/VMware storage identifier | | `storage` | string | -- | Storage identifier (Proxmox/VMware) |
| `datacenter` | string | VMware datacenter | | `datacenter` | string | -- | VMware datacenter |
| `cluster` | string | VMware cluster | | `cluster` | string | -- | VMware cluster |
| `certs` | bool | TLS certificate validation for VMware | | `certs` | bool | `true` | TLS certificate validation (VMware) |
| `ssh` | bool | VMware: enable SSH on guest and switch connection to SSH | | `ssh` | bool | `false` | Enable SSH on guest and switch connection (VMware) |
### 4.4 VMware Guest Operations ### 4.4 `cis` Dictionary
When `hypervisor.type: vmware` uses the `vmware_tools` connection, these Ansible connection variables are required. When `system.features.cis.enabled: true`, the CIS role applies hardening. All values have sensible defaults; override specific keys via the `cis` dict.
| Key | Type | Default | Description |
| -------------------- | ------ | ------- | ------------------------------------------------ |
| `modules_blacklist` | list | see below | Kernel modules to blacklist via modprobe |
| `sysctl` | dict | see below | Sysctl key/value pairs written to `10-cis.conf` |
| `sshd_options` | list | see below | SSHD options applied via lineinfile |
| `pwquality_minlen` | int | `14` | Minimum password length |
| `tmout` | int | `900` | Shell timeout (seconds) |
| `umask` | string | `077` | Default umask in bashrc |
| `umask_profile` | string | `027` | Default umask in /etc/profile |
| `faillock_deny` | int | `5` | Failed login attempts before lockout |
| `faillock_unlock_time` | int | `900` | Lockout duration (seconds) |
| `password_remember` | int | `5` | Password history depth |
**Default modules blacklist:** `freevxfs`, `jffs2`, `hfs`, `hfsplus`, `cramfs`, `udf`, `usb-storage`, `dccp`, `sctp`, `rds`, `tipc`, `firewire-core`, `firewire-sbp2`, `thunderbolt`. `squashfs` is added automatically except on Ubuntu (snap dependency).
**Default sysctl settings** include: `kernel.yama.ptrace_scope=2`, `kernel.kptr_restrict=2`, `kernel.perf_event_paranoid=3`, `kernel.unprivileged_bpf_disabled=1`, IPv4/IPv6 hardening, ARP protection, and IPv6 disabled by default. Override individual keys:
```yaml
cis:
sysctl:
net.ipv6.conf.all.disable_ipv6: 0 # re-enable IPv6
net.ipv4.ip_forward: 1 # enable for routers/containers
```
**Default SSHD options** enforce: `PermitRootLogin no`, `PasswordAuthentication no`, `X11Forwarding no`, `AllowTcpForwarding no`, `MaxAuthTries 4`, and post-quantum KEX (mlkem768x25519-sha256 on OpenSSH 9.9+). Override per-option:
```yaml
cis:
sshd_options:
- { option: X11Forwarding, value: "yes" }
- { option: AllowTcpForwarding, value: "yes" }
```
Note: providing `sshd_options` replaces the entire list. Copy the defaults from `roles/cis/defaults/main.yml` and modify as needed.
### 4.5 VMware Guest Operations
When `hypervisor.type: vmware` uses the `vmware_tools` connection:
| Variable | Description | | Variable | Description |
| ------------------------------- | -------------------------------------------------- | | ------------------------------- | -------------------------------------------- |
| `ansible_vmware_tools_user` | Guest OS username for guest operations | | `ansible_vmware_tools_user` | Guest OS username |
| `ansible_vmware_tools_password` | Guest OS password for guest operations | | `ansible_vmware_tools_password` | Guest OS password |
| `ansible_vmware_guest_path` | VM inventory path (`/datacenter/vm/folder/name`) | | `ansible_vmware_guest_path` | VM inventory path |
| `ansible_vmware_host` | vCenter/ESXi hostname | | `ansible_vmware_host` | vCenter/ESXi hostname |
| `ansible_vmware_user` | vCenter/ESXi API username | | `ansible_vmware_user` | vCenter/ESXi API username |
| `ansible_vmware_password` | vCenter/ESXi API password | | `ansible_vmware_password` | vCenter/ESXi API password |
| `ansible_vmware_validate_certs` | Enable/disable TLS certificate validation | | `ansible_vmware_validate_certs` | TLS certificate validation |
### 4.5 Multi-Disk Schema ### 4.6 Multi-Disk Schema
`system.disks[0]` is always the OS disk. Additional entries define data disks. `system.disks[0]` is the OS disk (no `mount.path`). Additional entries define data disks.
| Key | Type | Description | | Key | Type | Description |
| ------------- | ------ | ---------------------------------------------------- | | ------------- | ------ | ------------------------------------------------------ |
| `size` | number | Disk size in GB (required for virtual installs) | | `size` | number | Disk size in GB (required for virtual) |
| `device` | string | Explicit block device (required for physical data disks) | | `device` | string | Block device path (required for physical data disks) |
| `mount.path` | string | Mount point (for additional disks) | | `partition` | string | Partition device path (required for physical data disks) |
| `mount.path` | string | Mount point (additional disks only) |
| `mount.fstype`| string | `btrfs`, `ext4`, or `xfs` | | `mount.fstype`| string | `btrfs`, `ext4`, or `xfs` |
| `mount.label` | string | Optional filesystem label | | `mount.label` | string | Filesystem label |
| `mount.opts` | string | Mount options (default: `defaults`) | | `mount.opts` | string | Mount options (default: `defaults`) |
Virtual install example:
```yaml ```yaml
system: system:
disks: disks:
- size: 80 - size: 80 # OS disk
- size: 200 - size: 200 # Data disk
mount: mount:
path: /data path: /data
fstype: xfs fstype: xfs
label: DATA label: DATA
opts: defaults,noatime
- size: 300
mount:
path: /backup
fstype: ext4
``` ```
Physical install example (device paths required): ### 4.7 Advanced Partitioning Overrides
```yaml | Variable | Default | Description |
system: | ------------------------------ | ------------ | ---------------------------------------- |
type: physical | `partitioning_efi_size_mib` | `512` | EFI system partition size in MiB |
disks: | `partitioning_boot_size_mib` | `1024` | Separate `/boot` size in MiB |
- device: /dev/sda | `partitioning_separate_boot` | auto-derived | Force a separate `/boot` partition |
size: 120 | `partitioning_boot_fs_fstype` | auto-derived | Filesystem for `/boot` |
- device: /dev/sdb | `partitioning_use_full_disk` | `true` | Use remaining VG space for root LV |
size: 500
mount:
path: /data
fstype: ext4
```
### 4.6 Advanced Partitioning Overrides **Swap sizing:** RAM >= 16GB gets swap = RAM/2. RAM < 16GB gets swap = max(RAM_GB, 2GB). Further capped to prevent over-allocation on small disks.
Use these only when you need to override the default partition layout logic. **LVM layout** (when not using btrfs): root, swap, and when CIS is enabled: `/home` (2-20GB, 10% of disk), `/var` (2GB), `/var/log` (2GB), `/var/log/audit` (1.5GB).
| Variable | Description | Default | ### 4.8 Cleanup Defaults
| ------------------------------ | ------------------------------------------------- | ------------ |
| `partitioning_efi_size_mib` | EFI system partition size in MiB | `512` |
| `partitioning_boot_size_mib` | Separate `/boot` size in MiB (when used) | `1024` |
| `partitioning_separate_boot` | Force a separate `/boot` partition | auto-derived |
| `partitioning_boot_fs_fstype` | Filesystem for `/boot` when separate | auto-derived |
| `partitioning_use_full_disk` | Consume remaining VG space for root LV | `true` |
## 5. How to Use the Playbook Post-install verification and recovery settings.
### 5.1 Prerequisites | Variable | Default | Description |
| --------------------------- | ------- | ----------------------------------------------------- |
| `cleanup_verify_boot` | `true` | Check VM accessibility after reboot |
| `cleanup_boot_timeout` | `300` | Timeout in seconds for boot verification |
| `cleanup_remove_on_failure` | `true` | Auto-remove VMs that fail to boot (created this run only) |
- Ansible installed on the control machine. ## 5. Execution Pipeline
- Inventory file with target systems defined and variables configured.
- Disposable/non-production targets (the playbook enforces production-safety checks).
### 5.2 Running the Playbook Roles execute in this order:
Execute the playbook using `ansible-playbook`, ensuring that all necessary variables are defined either in the inventory, in a vars file, or passed via `-e`. Credentials (`root_password`, `user_name`, `user_password`, `user_public_key`) are prompted interactively unless supplied through inventory or extra vars. 1. **global_defaults** -- normalize inputs, validate, set OS flags
2. **system_check** -- detect installer environment, verify live/non-prod target
3. **virtualization** -- create VM (if virtual), attach disks, cloud-init
4. **environment** -- prepare installer: mount ISO, configure repos, setup pacman
5. **partitioning** -- create partitions, LVM, LUKS, mount filesystems
6. **bootstrap** -- install base system and packages (OS-specific)
7. **configuration** -- users, fstab, locales, bootloader, encryption enrollment, networking
8. **cis** -- CIS hardening (when `system.features.cis.enabled: true`)
9. **cleanup** -- unmount, shutdown installer, remove media, verify boot
## 6. Usage
```bash ```bash
ansible-playbook -i inventory.yml main.yml ansible-playbook -i inventory.yml main.yml
ansible-playbook -i inventory.yml main.yml -e @vars_example.yml ansible-playbook -i inventory.yml main.yml -e @vars.yml
``` ```
### 5.3 Example Usage Credentials for the first user and root are prompted interactively via `vars_prompt` unless already set in inventory or passed via `-e`.
Use the bundled example files as starting points for new inventories: Example inventory files are included:
- `inventory_example.yml` -- Proxmox virtual setup - `inventory_example.yml` -- Proxmox virtual setup
- `inventory_libvirt_example.yml` -- libvirt virtual setup - `inventory_libvirt_example.yml` -- libvirt virtual setup
- `inventory_baremetal_example.yml` -- bare-metal physical setup - `inventory_baremetal_example.yml` -- bare-metal physical setup
- `vars_example.yml` -- shared variable overrides
- `vars_baremetal_example.yml` -- bare-metal variable overrides
```bash ## 7. Security
# Proxmox example
ansible-playbook -i inventory_example.yml main.yml
# libvirt example Use **Ansible Vault** for all sensitive values (`hypervisor.password`, `system.luks.passphrase`, `system.users[].password`, `system.root.password`).
ansible-playbook -i inventory_libvirt_example.yml main.yml
# Custom inventory with separate vars file
ansible-playbook -i inventory.yml main.yml -e @vars_example.yml
```
## 6. Security
To protect sensitive information such as passwords, API keys, and other confidential variables (e.g. `hypervisor.password`, `system.luks.passphrase`), **use Ansible Vault** instead of plaintext inventory files.
## 7. Operational Notes
- For virtual installs, `system.cpus`, `system.memory`, and `system.disks[0].size` are required and validated.
- For physical installs, sizing is derived from the detected install drive; set installer access (`ansible_user`/`ansible_password`) when the installer environment differs from the prompted user credentials.
- `system.network.dns.servers` and `system.network.dns.search` must be YAML lists.
- `hypervisor.type` selects backend-specific provisioning and cleanup behavior.
- Guest tools are selected automatically by hypervisor: `qemu-guest-agent` for `libvirt`/`proxmox`, `open-vm-tools` for `vmware`.
- With `system.luks.method: tpm2` on virtual installs, the virtualization role enables a TPM2 device where supported (libvirt/proxmox/vmware).
- With LUKS enabled on non-Arch targets, provisioning uses an ESP (512 MiB), a separate `/boot` (1 GiB), and the encrypted root; adjust sizes via `partitioning_efi_size_mib` and `partitioning_boot_size_mib` if needed.
- For VMware, `hypervisor.ssh: true` enables SSH on the guest and switches the connection to SSH for the remaining tasks.
- Molecule is scaffolded with a delegated driver and a no-op converge for lint-only validation.
## 8. Safety ## 8. Safety
This playbook intentionally aborts if it detects a non-live/production target. It also refuses to touch pre-existing VMs and only cleans up VMs created in the current run. The playbook aborts on non-live/production targets. It refuses to touch pre-existing VMs and only cleans up VMs created in the current run.
Always run lint after changes:
```bash
ansible-lint
```

3
ansible.cfg
View File

@@ -1,2 +1,5 @@
[defaults] [defaults]
hash_behaviour = merge hash_behaviour = merge
interpreter_python = auto_silent
deprecation_warnings = False
host_key_checking = False

7
collections/requirements.yml
View File

@@ -1,9 +1,16 @@
--- ---
collections: collections:
- name: ansible.posix - name: ansible.posix
version: "2.1.0"
- name: community.general - name: community.general
version: "12.3.0"
- name: community.libvirt - name: community.libvirt
version: "2.0.0"
- name: community.crypto - name: community.crypto
version: "3.1.0"
- name: community.proxmox - name: community.proxmox
version: "1.5.0"
- name: community.vmware - name: community.vmware
version: "6.2.0"
- name: vmware.vmware - name: vmware.vmware
version: "2.7.0"

24
main.yml
View File

@@ -1,6 +1,16 @@
--- ---
# Bootstrap pipeline — role execution order:
# 1. global_defaults — normalize + validate system/hypervisor/disk input
# 2. system_check — pre-flight hardware/environment safety checks
# 3. virtualization — create VM on hypervisor (libvirt/proxmox/vmware/xen)
# 4. environment — detect live ISO, configure installer network, install tools
# 5. partitioning — partition disk, create FS, LUKS, LVM, mount everything
# 6. bootstrap — debootstrap/pacstrap/dnf install the target OS into /mnt
# 7. configuration — users, network, encryption, fstab, bootloader, services
# 8. cis — CIS hardening (optional, per system.features.cis.enabled)
# 9. cleanup — unmount, remove cloud-init artifacts, reboot/shutdown
- name: Create and configure VMs - name: Create and configure VMs
hosts: all hosts: "{{ bootstrap_target | default('all') }}"
strategy: free # noqa: run-once[play] strategy: free # noqa: run-once[play]
gather_facts: false gather_facts: false
become: true become: true
@@ -26,6 +36,7 @@
confirm: true confirm: true
pre_tasks: pre_tasks:
- name: Apply prompted authentication values to system input - name: Apply prompted authentication values to system input
no_log: true
vars: vars:
system_input: "{{ system | default({}) }}" system_input: "{{ system | default({}) }}"
system_users_input: "{{ system_input.users | default([]) }}" system_users_input: "{{ system_input.users | default([]) }}"
@@ -147,11 +158,22 @@
- name: Set final SSH credentials for post-reboot tasks - name: Set final SSH credentials for post-reboot tasks
when: when:
- post_reboot_can_connect | bool - post_reboot_can_connect | bool
no_log: true
ansible.builtin.set_fact: ansible.builtin.set_fact:
ansible_user: "{{ system_cfg.users[0].name }}" ansible_user: "{{ system_cfg.users[0].name }}"
ansible_password: "{{ system_cfg.users[0].password }}" ansible_password: "{{ system_cfg.users[0].password }}"
ansible_become_password: "{{ system_cfg.users[0].password }}" ansible_become_password: "{{ system_cfg.users[0].password }}"
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
ansible_python_interpreter: /usr/bin/python3
- name: Re-gather facts for target OS after reboot
when:
- post_reboot_can_connect | bool
ansible.builtin.setup:
gather_subset:
- "!all"
- min
- pkg_mgr
- name: Install post-reboot packages - name: Install post-reboot packages
when: when:

47
roles/bootstrap/tasks/_dnf_family.yml Normal file
View File

@@ -0,0 +1,47 @@
---
- name: "Bootstrap {{ os | capitalize }}"
vars:
_dnf_config: "{{ lookup('vars', bootstrap_var_key) }}"
_dnf_repos: "{{ _dnf_config.repos | map('regex_replace', '^', '--repo=') | join(' ') }}"
_dnf_groups: "{{ _dnf_config.base | join(' ') }}"
_dnf_extra: >-
{{
((_dnf_config.extra | default([])) + (_dnf_config.conditional | default([])))
| reject('equalto', '')
| join(' ')
}}
block:
- name: "Install base system for {{ os | capitalize }}"
ansible.builtin.command: >-
dnf --releasever={{ os_version }} --best {{ _dnf_repos }}
--installroot=/mnt --setopt=install_weak_deps=False
groupinstall -y {{ _dnf_groups }}
register: bootstrap_dnf_base_result
changed_when: bootstrap_dnf_base_result.rc == 0
- name: Ensure chroot has DNS resolution
ansible.builtin.file:
src: /run/NetworkManager/resolv.conf
dest: /mnt/etc/resolv.conf
state: link
force: true
- name: Install extra packages
ansible.builtin.command: >-
{{ chroot_command }} dnf --releasever={{ os_version }} --setopt=install_weak_deps=False
install -y {{ _dnf_extra }}
register: bootstrap_dnf_extra_result
changed_when: bootstrap_dnf_extra_result.rc == 0
- name: Detect installed kernel package name
ansible.builtin.command: "{{ chroot_command }} rpm -q kernel-core"
register: bootstrap_dnf_kernel_check
changed_when: false
failed_when: false
- name: Reinstall kernel package
vars:
_kernel_pkg: "{{ 'kernel-core' if bootstrap_dnf_kernel_check.rc == 0 else 'kernel' }}"
ansible.builtin.command: "{{ chroot_command }} dnf reinstall -y {{ _kernel_pkg }}"
register: bootstrap_dnf_kernel_result
changed_when: bootstrap_dnf_kernel_result.rc == 0

35
roles/bootstrap/tasks/almalinux.yml
View File

@@ -1,35 +0,0 @@
---
- name: Bootstrap AlmaLinux
vars:
bootstrap_almalinux_extra: >-
{{
lookup('vars', bootstrap_var_key)
| reject('equalto', '')
| join(' ')
}}
block:
- name: Install AlmaLinux base system
ansible.builtin.command: >-
dnf --releasever={{ os_version }} --best --repo=baseos --repo=appstream
--installroot=/mnt --setopt=install_weak_deps=False
groupinstall -y core
register: bootstrap_almalinux_base_result
changed_when: bootstrap_almalinux_base_result.rc == 0
- name: Ensure chroot has resolv.conf
ansible.builtin.file:
src: /run/NetworkManager/resolv.conf
dest: /mnt/etc/resolv.conf
state: link
- name: Install extra packages
ansible.builtin.command: >-
{{ chroot_command }} dnf --releasever={{ os_version }} --setopt=install_weak_deps=False
install -y {{ bootstrap_almalinux_extra }}
register: bootstrap_almalinux_extra_result
changed_when: bootstrap_almalinux_extra_result.rc == 0
- name: Reinstall kernel core
ansible.builtin.command: "{{ chroot_command }} dnf reinstall -y kernel-core"
register: bootstrap_almalinux_kernel_result
changed_when: bootstrap_almalinux_kernel_result.rc == 0

23
roles/bootstrap/tasks/alpine.yml
View File

@@ -1,28 +1,25 @@
--- ---
- name: Bootstrap Alpine Linux - name: Bootstrap Alpine Linux
vars: vars:
bootstrap_alpine_packages: >- _config: "{{ lookup('vars', bootstrap_var_key) }}"
_base_packages: "{{ _config.base | join(' ') }}"
_extra_packages: >-
{{ {{
lookup('vars', bootstrap_var_key) | reject('equalto', '') | join(' ') ((_config.extra | default([])) + (_config.conditional | default([])))
| reject('equalto', '')
| join(' ')
}} }}
block: block:
- name: Ensure chroot has resolv.conf - name: Install Alpine Linux base
ansible.builtin.file:
src: /run/NetworkManager/resolv.conf
dest: /mnt/etc/resolv.conf
state: link
force: true
- name: Install Alpine Linux packages
ansible.builtin.command: > ansible.builtin.command: >
apk --root /mnt --no-cache add alpine-base apk --root /mnt --no-cache add {{ _base_packages }}
register: bootstrap_alpine_bootstrap_result register: bootstrap_alpine_bootstrap_result
changed_when: bootstrap_alpine_bootstrap_result.rc == 0 changed_when: bootstrap_alpine_bootstrap_result.rc == 0
- name: Install extra packages - name: Install extra packages
when: bootstrap_alpine_packages | length > 0 when: _extra_packages | trim | length > 0
ansible.builtin.command: > ansible.builtin.command: >
apk --root /mnt add {{ bootstrap_alpine_packages }} apk --root /mnt add {{ _extra_packages }}
register: bootstrap_alpine_extra_result register: bootstrap_alpine_extra_result
changed_when: bootstrap_alpine_extra_result.rc == 0 changed_when: bootstrap_alpine_extra_result.rc == 0

7
roles/bootstrap/tasks/archlinux.yml
View File

@@ -1,11 +1,14 @@
--- ---
- name: Bootstrap ArchLinux - name: Bootstrap ArchLinux
vars: vars:
_config: "{{ lookup('vars', bootstrap_var_key) }}"
bootstrap_archlinux_packages: >- bootstrap_archlinux_packages: >-
{{ {{
lookup('vars', bootstrap_var_key) ((_config.base | default([])) + (_config.conditional | default([])))
| reject('equalto', '')
| list
}} }}
ansible.builtin.command: >- ansible.builtin.command: >-
pacstrap /mnt {{ bootstrap_archlinux_packages | reject('equalto', '') | join(' ') }} --asexplicit pacstrap /mnt {{ bootstrap_archlinux_packages | join(' ') }}
register: bootstrap_result register: bootstrap_result
changed_when: bootstrap_result.rc == 0 changed_when: bootstrap_result.rc == 0

40
roles/bootstrap/tasks/debian.yml
View File

@@ -10,53 +10,33 @@
else 'sid' if (os_version | string) == 'unstable' else 'sid' if (os_version | string) == 'unstable'
else 'trixie' else 'trixie'
}} }}
bootstrap_debian_package_config: >- _config: "{{ lookup('vars', bootstrap_var_key) }}"
{{ bootstrap_debian_base_csv: "{{ (['ca-certificates'] + _config.base) | unique | join(',') }}"
lookup('vars', bootstrap_var_key)
}}
bootstrap_debian_base_packages: >-
{{
bootstrap_debian_package_config.base
| default([])
| reject('equalto', '')
| list
}}
bootstrap_debian_extra_packages: >-
{{
bootstrap_debian_package_config.extra
| default([])
| reject('equalto', '')
| list
}}
bootstrap_debian_base_csv: "{{ bootstrap_debian_base_packages | join(',') }}"
bootstrap_debian_extra_args: >- bootstrap_debian_extra_args: >-
{{ {{
bootstrap_debian_extra_packages ((_config.extra | default([])) + (_config.conditional | default([])))
| reject('equalto', '')
| join(' ') | join(' ')
}} }}
block: block:
- name: Validate Debian package configuration - name: Validate Debian package configuration
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- bootstrap_debian_package_config is mapping - _config is mapping
- bootstrap_debian_package_config.base is defined - _config.base is sequence
- bootstrap_debian_package_config.base is sequence - _config.extra is sequence
- bootstrap_debian_package_config.base is not string fail_msg: "{{ bootstrap_var_key }} must be a dict with base/extra/conditional keys."
- bootstrap_debian_package_config.extra is defined
- bootstrap_debian_package_config.extra is sequence
- bootstrap_debian_package_config.extra is not string
fail_msg: "bootstrap package definition for {{ bootstrap_var_key }} must be a mapping with base/extra lists."
quiet: true quiet: true
- name: Install Debian base system - name: Install Debian base system
ansible.builtin.command: >- ansible.builtin.command: >-
debootstrap --include={{ bootstrap_debian_base_csv }} debootstrap --include={{ bootstrap_debian_base_csv }}
{{ bootstrap_debian_release }} /mnt http://deb.debian.org/debian/ {{ bootstrap_debian_release }} /mnt https://deb.debian.org/debian/
register: bootstrap_debian_base_result register: bootstrap_debian_base_result
changed_when: bootstrap_debian_base_result.rc == 0 changed_when: bootstrap_debian_base_result.rc == 0
- name: Install extra packages - name: Install extra packages
when: bootstrap_debian_extra_packages | length > 0 when: bootstrap_debian_extra_args | trim | length > 0
ansible.builtin.command: "{{ chroot_command }} apt install -y {{ bootstrap_debian_extra_args }}" ansible.builtin.command: "{{ chroot_command }} apt install -y {{ bootstrap_debian_extra_args }}"
register: bootstrap_debian_extra_result register: bootstrap_debian_extra_result
changed_when: bootstrap_debian_extra_result.rc == 0 changed_when: bootstrap_debian_extra_result.rc == 0

35
roles/bootstrap/tasks/fedora.yml
View File

@@ -1,35 +0,0 @@
---
- name: Bootstrap Fedora
vars:
bootstrap_fedora_extra: >-
{{
lookup('vars', bootstrap_var_key)
| reject('equalto', '')
| join(' ')
}}
block:
- name: Install Fedora base system
ansible.builtin.command: >-
dnf --releasever={{ os_version }} --best --repo=fedora --repo=fedora-updates
--installroot=/mnt --setopt=install_weak_deps=False
groupinstall -y critical-path-base core
register: bootstrap_fedora_base_result
changed_when: bootstrap_fedora_base_result.rc == 0
- name: Ensure chroot has resolv.conf
ansible.builtin.file:
src: /run/NetworkManager/resolv.conf
dest: /mnt/etc/resolv.conf
state: link
- name: Install extra packages
ansible.builtin.command: >-
{{ chroot_command }} dnf --releasever={{ os_version }} --setopt=install_weak_deps=False
install -y {{ bootstrap_fedora_extra }}
register: bootstrap_fedora_extra_result
changed_when: bootstrap_fedora_extra_result.rc == 0
- name: Reinstall kernel core
ansible.builtin.command: "{{ chroot_command }} dnf reinstall -y kernel-core"
register: bootstrap_fedora_kernel_result
changed_when: bootstrap_fedora_kernel_result.rc == 0

40
roles/bootstrap/tasks/main.yml
View File

@@ -1,17 +1,51 @@
--- ---
- name: Create API filesystem mountpoints in installroot
when: is_rhel | bool
ansible.builtin.file:
path: "/mnt/{{ item }}"
state: directory
mode: "0755"
loop:
- dev
- proc
- sys
- name: Mount API filesystems into installroot
when: is_rhel | bool
ansible.posix.mount:
src: "{{ item.src }}"
path: "/mnt/{{ item.path }}"
fstype: "{{ item.fstype }}"
opts: "{{ item.opts | default(omit) }}"
state: ephemeral
loop:
- { src: proc, path: proc, fstype: proc }
- { src: sysfs, path: sys, fstype: sysfs }
- { src: /dev, path: dev, fstype: none, opts: bind }
- { src: devpts, path: dev/pts, fstype: devpts, opts: "gid=5,mode=620" }
loop_control:
label: "{{ item.path }}"
- name: Run OS-specific bootstrap process - name: Run OS-specific bootstrap process
vars: vars:
bootstrap_os_task_map: bootstrap_os_task_map:
almalinux: almalinux.yml almalinux: _dnf_family.yml
alpine: alpine.yml alpine: alpine.yml
archlinux: archlinux.yml archlinux: archlinux.yml
debian: debian.yml debian: debian.yml
fedora: fedora.yml fedora: _dnf_family.yml
opensuse: opensuse.yml opensuse: opensuse.yml
rocky: rocky.yml rocky: _dnf_family.yml
rhel: rhel.yml rhel: rhel.yml
ubuntu: ubuntu.yml ubuntu: ubuntu.yml
ubuntu-lts: ubuntu.yml ubuntu-lts: ubuntu.yml
void: void.yml void: void.yml
bootstrap_var_key: "{{ 'bootstrap_' + (os | replace('-lts', '') | replace('-', '_')) }}" bootstrap_var_key: "{{ 'bootstrap_' + (os | replace('-lts', '') | replace('-', '_')) }}"
ansible.builtin.include_tasks: "{{ bootstrap_os_task_map[os] }}" ansible.builtin.include_tasks: "{{ bootstrap_os_task_map[os] }}"
- name: Ensure chroot uses live environment DNS
ansible.builtin.file:
src: /run/NetworkManager/resolv.conf
dest: /mnt/etc/resolv.conf
state: link
force: true

25
roles/bootstrap/tasks/opensuse.yml
View File

@@ -1,28 +1,25 @@
--- ---
- name: Bootstrap openSUSE - name: Bootstrap openSUSE
vars: vars:
bootstrap_opensuse_packages: >- _config: "{{ lookup('vars', bootstrap_var_key) }}"
_base_patterns: "{{ _config.base | join(' ') }}"
_extra_packages: >-
{{ {{
lookup('vars', bootstrap_var_key) | reject('equalto', '') | join(' ') ((_config.extra | default([])) + (_config.conditional | default([])))
| reject('equalto', '')
| join(' ')
}} }}
block: block:
- name: Ensure chroot has resolv.conf - name: Install openSUSE base patterns
ansible.builtin.file:
src: /run/NetworkManager/resolv.conf
dest: /mnt/etc/resolv.conf
state: link
force: true
- name: Install openSUSE base packages
ansible.builtin.command: > ansible.builtin.command: >
zypper --root /mnt --non-interactive install -t pattern patterns-base-base zypper --root /mnt --non-interactive install -t pattern {{ _base_patterns }}
register: bootstrap_opensuse_base_result register: bootstrap_opensuse_base_result
changed_when: bootstrap_opensuse_base_result.rc == 0 changed_when: bootstrap_opensuse_base_result.rc == 0
- name: Install openSUSE extra packages - name: Install extra packages
when: bootstrap_opensuse_packages | length > 0 when: _extra_packages | trim | length > 0
ansible.builtin.command: > ansible.builtin.command: >
zypper --root /mnt --non-interactive install {{ bootstrap_opensuse_packages }} zypper --root /mnt --non-interactive install {{ _extra_packages }}
register: bootstrap_opensuse_extra_result register: bootstrap_opensuse_extra_result
changed_when: bootstrap_opensuse_extra_result.rc == 0 changed_when: bootstrap_opensuse_extra_result.rc == 0

34
roles/bootstrap/tasks/rhel.yml
View File

@@ -1,20 +1,27 @@
--- ---
- name: Bootstrap RHEL System - name: Bootstrap RHEL System
vars:
_rhel_config: "{{ lookup('vars', bootstrap_var_key) }}"
_rhel_repos: "{{ _rhel_config.repos | map('regex_replace', '^', '--repo=') | join(' ') }}"
_rhel_groups: "{{ _rhel_config.base | join(' ') }}"
_rhel_extra: >-
{{
((_rhel_config.extra | default([])) + (_rhel_config.conditional | default([])))
| reject('equalto', '')
| join(' ')
}}
block: block:
- name: Install base packages in chroot environment - name: Install base packages in chroot environment
ansible.builtin.command: >- ansible.builtin.command: >-
dnf --releasever={{ os_version_major }} --repo=rhel{{ os_version_major }}-baseos dnf --releasever={{ os_version_major }} {{ _rhel_repos }}
--installroot=/mnt --installroot=/mnt
--setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists --setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
groupinstall -y core base standard groupinstall -y {{ _rhel_groups }}
register: bootstrap_result register: bootstrap_result
changed_when: bootstrap_result.rc == 0 changed_when: bootstrap_result.rc == 0
failed_when:
- name: Ensure chroot has resolv.conf - bootstrap_result.rc != 0
ansible.builtin.file: - "'grub2-common' not in (bootstrap_result.stderr | default(''))"
src: /run/NetworkManager/resolv.conf
dest: /mnt/etc/resolv.conf
state: link
- name: Ensure chroot RHEL DVD directory exists - name: Ensure chroot RHEL DVD directory exists
ansible.builtin.file: ansible.builtin.file:
@@ -28,7 +35,7 @@
path: /mnt/usr/local/install/redhat/dvd path: /mnt/usr/local/install/redhat/dvd
fstype: none fstype: none
opts: bind opts: bind
state: mounted state: ephemeral
- name: Rebuild RPM database inside chroot - name: Rebuild RPM database inside chroot
ansible.builtin.command: "{{ chroot_command }} rpm --rebuilddb" ansible.builtin.command: "{{ chroot_command }} rpm --rebuilddb"
@@ -43,15 +50,8 @@
remote_src: true remote_src: true
- name: Install additional packages in chroot - name: Install additional packages in chroot
vars:
bootstrap_rhel_extra: >-
{{
lookup('vars', bootstrap_var_key)
| reject('equalto', '')
| join(' ')
}}
ansible.builtin.command: >- ansible.builtin.command: >-
{{ chroot_command }} dnf --releasever={{ os_version_major }} {{ chroot_command }} dnf --releasever={{ os_version_major }}
--setopt=install_weak_deps=False install -y {{ bootstrap_rhel_extra }} --setopt=install_weak_deps=False install -y {{ _rhel_extra }}
register: bootstrap_result register: bootstrap_result
changed_when: bootstrap_result.rc == 0 changed_when: bootstrap_result.rc == 0

35
roles/bootstrap/tasks/rocky.yml
View File

@@ -1,35 +0,0 @@
---
- name: Bootstrap Rocky Linux
vars:
bootstrap_rocky_extra: >-
{{
lookup('vars', bootstrap_var_key)
| reject('equalto', '')
| join(' ')
}}
block:
- name: Install Rocky Linux base system
ansible.builtin.command: >-
dnf --releasever={{ os_version }} --best --repo=baseos --repo=appstream
--installroot=/mnt --setopt=install_weak_deps=False
groupinstall -y core
register: bootstrap_rocky_base_result
changed_when: bootstrap_rocky_base_result.rc == 0
- name: Ensure chroot has resolv.conf
ansible.builtin.file:
src: /run/NetworkManager/resolv.conf
dest: /mnt/etc/resolv.conf
state: link
- name: Install extra packages
ansible.builtin.command: >-
{{ chroot_command }} dnf --releasever={{ os_version }} --setopt=install_weak_deps=False
install -y {{ bootstrap_rocky_extra }}
register: bootstrap_rocky_extra_result
changed_when: bootstrap_rocky_extra_result.rc == 0
- name: Reinstall kernel core
ansible.builtin.command: "{{ chroot_command }} dnf reinstall -y kernel-core"
register: bootstrap_rocky_kernel_result
changed_when: bootstrap_rocky_kernel_result.rc == 0

64
roles/bootstrap/tasks/ubuntu.yml
View File

@@ -1,60 +1,44 @@
--- ---
- name: Bootstrap Ubuntu System - name: Bootstrap Ubuntu System
vars: vars:
bootstrap_ubuntu_release: >- # ubuntu = latest non-LTS, ubuntu-lts = latest LTS
{{ 'plucky' if os == 'ubuntu' else 'noble' }} bootstrap_ubuntu_release_map:
bootstrap_ubuntu_package_config: >- ubuntu: plucky
ubuntu-lts: noble
bootstrap_ubuntu_release: "{{ bootstrap_ubuntu_release_map[os] | default('noble') }}"
_config: "{{ lookup('vars', bootstrap_var_key) }}"
bootstrap_ubuntu_base_csv: "{{ (['ca-certificates'] + _config.base) | unique | join(',') }}"
bootstrap_ubuntu_extra_args: >-
{{ {{
lookup('vars', bootstrap_var_key) ((_config.extra | default([])) + (_config.conditional | default([])))
}}
bootstrap_ubuntu_base_packages: >-
{{
bootstrap_ubuntu_package_config.base
| default([])
| reject('equalto', '') | reject('equalto', '')
| list | join(' ')
}} }}
bootstrap_ubuntu_extra_packages: >-
{{
bootstrap_ubuntu_package_config.extra
| default([])
| reject('equalto', '')
| list
}}
bootstrap_ubuntu_base_csv: "{{ bootstrap_ubuntu_base_packages | join(',') }}"
bootstrap_ubuntu_extra: "{{ bootstrap_ubuntu_extra_packages | join(' ') }}"
block: block:
- name: Validate Ubuntu package configuration - name: Validate Ubuntu package configuration
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- bootstrap_ubuntu_package_config is mapping - _config is mapping
- bootstrap_ubuntu_package_config.base is defined - _config.base is sequence
- bootstrap_ubuntu_package_config.base is sequence - _config.extra is sequence
- bootstrap_ubuntu_package_config.base is not string fail_msg: "{{ bootstrap_var_key }} must be a dict with base/extra/conditional keys."
- bootstrap_ubuntu_package_config.extra is defined
- bootstrap_ubuntu_package_config.extra is sequence
- bootstrap_ubuntu_package_config.extra is not string
fail_msg: "bootstrap package definition for {{ bootstrap_var_key }} must be a mapping with base/extra lists."
quiet: true quiet: true
- name: Install Ubuntu base system - name: Install Ubuntu base system
ansible.builtin.command: >- ansible.builtin.command: >-
debootstrap --include={{ bootstrap_ubuntu_base_csv }} debootstrap
--keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg
--include={{ bootstrap_ubuntu_base_csv }}
{{ bootstrap_ubuntu_release }} /mnt {{ bootstrap_ubuntu_release }} /mnt
http://archive.ubuntu.com/ubuntu/ https://archive.ubuntu.com/ubuntu/
register: bootstrap_ubuntu_base_result register: bootstrap_ubuntu_base_result
changed_when: bootstrap_ubuntu_base_result.rc == 0 changed_when: bootstrap_ubuntu_base_result.rc == 0
- name: Ensure chroot has resolv.conf
ansible.builtin.file:
src: /run/NetworkManager/resolv.conf
dest: /mnt/etc/resolv.conf
state: link
- name: Enable universe repository - name: Enable universe repository
ansible.builtin.command: "{{ chroot_command }} sed -i '1s|$| universe|' /etc/apt/sources.list" ansible.builtin.replace:
register: bootstrap_ubuntu_repo_result path: /mnt/etc/apt/sources.list
changed_when: bootstrap_ubuntu_repo_result.rc == 0 regexp: '^(deb\s+\S+\s+\S+\s+main)$'
replace: '\1 universe'
- name: Update package lists - name: Update package lists
ansible.builtin.command: "{{ chroot_command }} apt update" ansible.builtin.command: "{{ chroot_command }} apt update"
@@ -62,7 +46,7 @@
changed_when: bootstrap_ubuntu_update_result.rc == 0 changed_when: bootstrap_ubuntu_update_result.rc == 0
- name: Install extra packages - name: Install extra packages
when: bootstrap_ubuntu_extra_packages | length > 0 when: bootstrap_ubuntu_extra_args | trim | length > 0
ansible.builtin.command: "{{ chroot_command }} apt install -y {{ bootstrap_ubuntu_extra }}" ansible.builtin.command: "{{ chroot_command }} apt install -y {{ bootstrap_ubuntu_extra_args }}"
register: bootstrap_ubuntu_extra_result register: bootstrap_ubuntu_extra_result
changed_when: bootstrap_ubuntu_extra_result.rc == 0 changed_when: bootstrap_ubuntu_extra_result.rc == 0

23
roles/bootstrap/tasks/void.yml
View File

@@ -1,28 +1,25 @@
--- ---
- name: Bootstrap Void Linux - name: Bootstrap Void Linux
vars: vars:
bootstrap_void_packages: >- _config: "{{ lookup('vars', bootstrap_var_key) }}"
_base_packages: "{{ _config.base | join(' ') }}"
_extra_packages: >-
{{ {{
lookup('vars', bootstrap_var_key) | reject('equalto', '') | join(' ') ((_config.extra | default([])) + (_config.conditional | default([])))
| reject('equalto', '')
| join(' ')
}} }}
block: block:
- name: Ensure chroot has resolv.conf - name: Install Void Linux base
ansible.builtin.file:
src: /run/NetworkManager/resolv.conf
dest: /mnt/etc/resolv.conf
state: link
force: true
- name: Install Void Linux base packages
ansible.builtin.command: > ansible.builtin.command: >
xbps-install -Sy -r /mnt -R https://repo-default.voidlinux.org/current void-repo-nonfree base-system xbps-install -Sy -r /mnt -R https://repo-default.voidlinux.org/current {{ _base_packages }}
register: bootstrap_void_base_result register: bootstrap_void_base_result
changed_when: bootstrap_void_base_result.rc == 0 changed_when: bootstrap_void_base_result.rc == 0
- name: Install extra packages - name: Install extra packages
when: bootstrap_void_packages | length > 0 when: _extra_packages | trim | length > 0
ansible.builtin.command: > ansible.builtin.command: >
xbps-install -Su -r /mnt {{ bootstrap_void_packages }} xbps-install -Su -r /mnt {{ _extra_packages }}
register: bootstrap_void_extra_result register: bootstrap_void_extra_result
changed_when: bootstrap_void_extra_result.rc == 0 changed_when: bootstrap_void_extra_result.rc == 0

422
roles/bootstrap/vars/main.yml
View File

@@ -1,80 +1,192 @@
--- ---
# Common conditional packages shared across distributions. # Feature-gated packages shared across all distros.
# Arch overrides nftables with iptables-nft; SSH package names vary per distro. # Arch has special nftables handling and composes this differently.
bootstrap_common_conditional: bootstrap_common_conditional: >-
- "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}"
- "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}"
- "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' else '' }}"
- "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' else '' }}"
- "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}"
- "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}"
- "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}"
- "{{ 'open-vm-tools' if hypervisor_type == 'vmware' else '' }}"
bootstrap_rhel_base: >-
{{ {{
['bind-utils', 'dhcp-client', 'efibootmgr', (
'glibc-langpack-de', 'glibc-langpack-en', 'lrzsz', (['firewalld'] if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else [])
'lvm2', 'mtr', 'ncurses-term', 'nfs-utils', + (['ufw'] if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else [])
'policycoreutils-python-utils', 'shim', 'tmux', 'vim', 'zstd'] + (['iptables'] if system_cfg.features.firewall.toolkit == 'iptables' and system_cfg.features.firewall.enabled | bool else [])
+ bootstrap_common_conditional + (['nftables'] if system_cfg.features.firewall.toolkit == 'nftables' and system_cfg.features.firewall.enabled | bool else [])
+ (['cryptsetup', 'tpm2-tools'] if system_cfg.luks.enabled | bool else [])
+ (['qemu-guest-agent'] if hypervisor_type in ['libvirt', 'proxmox'] else [])
+ (['open-vm-tools'] if hypervisor_type == 'vmware' else [])
)
}} }}
bootstrap_rhel_versioned: # ---------------------------------------------------------------------------
# Per-OS package definitions: base (rootfs/group install), extra (post-base),
# conditional (feature/version-gated, appended by task files).
# DNF-based distros also carry repos (dnf --repo) and use base as group names.
# ---------------------------------------------------------------------------
bootstrap_rhel:
repos:
- "rhel{{ os_version_major }}-baseos"
base:
- core
- base
- standard
extra:
- bind-utils
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2 - grub2
- "{{ 'grub2-efi-x64' if os_version_major | default('') == '8' else 'grub2-efi' }}" - lrzsz
- "{{ 'grub2-tools-extra' if os_version_major | default('') in ['8', '9'] else '' }}" - lvm2
- "{{ 'python39' if os_version_major | default('') == '8' else 'python' }}" - mtr
- "{{ 'kernel' if os_version_major | default('') == '10' else '' }}" - ncurses-term
- "{{ 'zram-generator' if os_version_major | default('') in ['9', '10'] else '' }}" - nfs-utils
- policycoreutils-python-utils
bootstrap_rhel: "{{ bootstrap_rhel_base + bootstrap_rhel_versioned }}" - shim
- tmux
bootstrap_almalinux: >- - vim
- zstd
conditional: >-
{{ {{
bootstrap_rhel_base (['grub2-efi-x64'] if os_version_major | default('') == '8' else ['grub2-efi'])
+ ['grub2', 'grub2-efi', 'dbus-daemon', 'lrzsz', + (['grub2-tools-extra'] if os_version_major | default('') in ['8', '9'] else [])
'nfsv4-client-utils', 'nc', 'ppp', 'zram-generator'] + (['dhcp-client'] if (os_version_major | default('9') | int) < 10 else [])
}} + (['python39'] if os_version_major | default('') == '8' else ['python'])
+ (['kernel'] if os_version_major | default('') == '10' else [])
bootstrap_rocky: >- + (['zram-generator'] if os_version_major | default('') in ['9', '10'] else [])
{{
bootstrap_rhel_base
+ ['grub2', 'grub2-efi', 'nfsv4-client-utils', 'nc', 'ppp',
'telnet', 'util-linux-core', 'wget', 'zram-generator']
}}
bootstrap_fedora: >-
{{
['bat', 'bind-utils', 'btrfs-progs', 'cronie', 'dhcp-client',
'duf', 'efibootmgr', 'entr', 'fish', 'fzf',
'glibc-langpack-de', 'glibc-langpack-en', 'grub2', 'grub2-efi',
'htop', 'iperf3', 'logrotate', 'lrzsz', 'lvm2',
'nc', 'nfs-utils', 'nfsv4-client-utils', 'polkit', 'ppp',
'ripgrep', 'shim', 'tmux', 'vim-default-editor',
'wget', 'zoxide', 'zram-generator', 'zstd']
+ bootstrap_common_conditional + bootstrap_common_conditional
}} }}
bootstrap_debian_base_common: bootstrap_almalinux:
repos:
- baseos
- appstream
base:
- core
extra:
- bind-utils
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- kernel
- lrzsz
- lvm2
- mtr
- nc
- ncurses-term
- nfs-utils
- nfsv4-client-utils
- policycoreutils-python-utils
- ppp
- python3
- shim
- tmux
- vim
- zram-generator
- zstd
conditional: >-
{{
(['dbus-daemon'] if (os_version_major | default('10') | int) >= 9 else [])
+ (['dhcp-client'] if (os_version_major | default('10') | int) < 10 else [])
+ bootstrap_common_conditional
}}
bootstrap_rocky:
repos:
- baseos
- appstream
base:
- core
extra:
- bind-utils
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- kernel
- lrzsz
- lvm2
- mtr
- nc
- ncurses-term
- nfs-utils
- nfsv4-client-utils
- policycoreutils-python-utils
- ppp
- python3
- shim
- telnet
- tmux
- util-linux-core
- vim
- wget
- zram-generator
- zstd
conditional: >-
{{
(['dhcp-client'] if (os_version_major | default('9') | int) < 10 else [])
+ bootstrap_common_conditional
}}
bootstrap_fedora:
repos:
- fedora
- fedora-updates
base:
- critical-path-base
- core
extra:
- bat
- bind-utils
- btrfs-progs
- cronie
- dhcp-client
- duf
- efibootmgr
- entr
- fish
- fzf
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- htop
- iperf3
- logrotate
- lrzsz
- lvm2
- nc
- nfs-utils
- nfsv4-client-utils
- polkit
- ppp
- python3
- ripgrep
- shim
- tmux
- vim-default-editor
- wget
- zoxide
- zram-generator
- zstd
conditional: "{{ bootstrap_common_conditional }}"
bootstrap_debian:
base:
- btrfs-progs - btrfs-progs
- cron - cron
- cryptsetup-initramfs
- gnupg - gnupg
- grub-efi - grub-efi
- grub-efi-amd64-signed - grub-efi-amd64-signed
- grub2-common - grub2-common
- "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}"
- "{{ 'cryptsetup-initramfs' if system_cfg.luks.enabled else '' }}"
- locales - locales
- logrotate - logrotate
- lvm2 - lvm2
- "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' else '' }}" - openssh-server
- "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' else '' }}"
- "{{ 'openssh-server' if system_cfg.features.ssh.enabled | bool else '' }}"
- python3 - python3
- xfsprogs - xfsprogs
extra:
bootstrap_debian_extra_common:
- apparmor-utils - apparmor-utils
- bat - bat
- chrony - chrony
@@ -85,6 +197,7 @@ bootstrap_debian_extra_common:
- htop - htop
- jq - jq
- libpam-pwquality - libpam-pwquality
- linux-image-amd64
- lrzsz - lrzsz
- mtr - mtr
- ncdu - ncdu
@@ -100,67 +213,180 @@ bootstrap_debian_extra_common:
- vim - vim
- wget - wget
- zstd - zstd
conditional: >-
bootstrap_debian_extra_versioned:
- linux-image-amd64
- "{{ 'duf' if (os_version | string) not in ['10', '11'] else '' }}"
- "{{ 'fastfetch' if (os_version | string) in ['12', '13', 'unstable'] else '' }}"
- "{{ 'neofetch' if (os_version | string) == '12' else '' }}"
- "{{ 'software-properties-common' if (os_version | string) not in ['13', 'unstable'] else '' }}"
- "{{ 'systemd-zram-generator' if (os_version | string) not in ['10', '11'] else '' }}"
- "{{ 'tldr' if (os_version | string) not in ['13', 'unstable'] else '' }}"
bootstrap_debian:
base: "{{ bootstrap_debian_base_common }}"
extra: >-
{{ {{
bootstrap_debian_extra_common (['duf'] if (os_version | string) not in ['10', '11'] else [])
+ bootstrap_debian_extra_versioned + (['fastfetch'] if (os_version | string) in ['13', 'unstable'] else [])
+ (['neofetch'] if (os_version | string) == '12' else [])
+ (['software-properties-common'] if (os_version | string) not in ['13', 'unstable'] else [])
+ (['systemd-zram-generator'] if (os_version | string) not in ['10', '11'] else [])
+ (['tldr'] if (os_version | string) not in ['13', 'unstable'] else [])
+ bootstrap_common_conditional + bootstrap_common_conditional
}} }}
bootstrap_ubuntu: bootstrap_ubuntu:
base: base:
- btrfs-progs
- cron
- cryptsetup-initramfs
- gnupg
- grub-efi
- grub-efi-amd64-signed
- grub2-common
- initramfs-tools
- linux-image-generic - linux-image-generic
extra: >- - locales
{{ - logrotate
bootstrap_debian_base_common - lvm2
+ bootstrap_debian_extra_common - openssh-server
+ ['bash-completion', 'dnsutils', 'duf', 'eza', 'fdupes', 'fio', - python3
'ncurses-term', 'software-properties-common', 'systemd-zram-generator', - xfsprogs
'tldr', 'traceroute', 'util-linux-extra', 'yq', 'zoxide'] extra:
+ bootstrap_common_conditional - apparmor-utils
}} - bash-completion
- bat
- chrony
- curl
- dnsutils
- duf
- entr
- eza
- fdupes
- fio
- fish
- fzf
- htop
- jq
- libpam-pwquality
- lrzsz
- mtr
- ncdu
- ncurses-term
- net-tools
- network-manager
- python-is-python3
- ripgrep
- rsync
- screen
- software-properties-common
- sudo
- syslog-ng
- systemd-zram-generator
- tcpd
- tldr
- traceroute
- util-linux-extra
- vim
- wget
- yq
- zoxide
- zstd
conditional: "{{ bootstrap_common_conditional }}"
bootstrap_archlinux: >- bootstrap_archlinux:
base:
- base
- btrfs-progs
- cronie
- dhcpcd
- efibootmgr
- fastfetch
- fish
- fzf
- grub
- htop
- libpwquality
- linux
- logrotate
- lrzsz
- lsof
- lvm2
- ncdu
- networkmanager
- nfs-utils
- ppp
- python
- reflector
- rsync
- sudo
- tldr
- tmux
- vim
- zram-generator
extra: []
conditional: >-
{{ {{
['base', 'btrfs-progs', 'cronie', 'dhcpcd', 'efibootmgr', 'fastfetch', (['openssh'] if system_cfg.features.ssh.enabled | bool else [])
'fish', 'fzf', 'grub', 'htop', 'libpwquality', 'linux', 'logrotate', + (['iptables-nft'] if system_cfg.features.firewall.toolkit == 'nftables' and system_cfg.features.firewall.enabled | bool else [])
'lrzsz', 'lsof', 'lvm2', 'ncdu', 'networkmanager', 'nfs-utils',
'ppp', 'prometheus-node-exporter', 'python-psycopg2', 'reflector',
'rsync', 'sudo', 'tldr', 'tmux', 'vim', 'wireguard-tools', 'zram-generator']
+ [('openssh' if system_cfg.features.ssh.enabled | bool else '')]
+ [('iptables-nft' if system_cfg.features.firewall.toolkit == 'nftables' else '')]
+ (bootstrap_common_conditional | reject('equalto', 'nftables') | list) + (bootstrap_common_conditional | reject('equalto', 'nftables') | list)
}} }}
bootstrap_alpine: >- bootstrap_alpine:
base:
- alpine-base
extra:
- btrfs-progs
- chrony
- curl
- e2fsprogs
- linux-lts
- logrotate
- lvm2
- python3
- rsync
- sudo
- util-linux
- vim
- xfsprogs
conditional: >-
{{ {{
['alpine-base', 'vim'] (['openssh'] if system_cfg.features.ssh.enabled | bool else [])
+ [('openssh' if system_cfg.features.ssh.enabled | bool else '')]
+ bootstrap_common_conditional + bootstrap_common_conditional
}} }}
bootstrap_opensuse: >- bootstrap_opensuse:
base:
- patterns-base-base
extra:
- btrfs-progs
- chrony
- curl
- e2fsprogs
- glibc-locale
- kernel-default
- logrotate
- lvm2
- NetworkManager
- python3
- rsync
- sudo
- vim
- xfsprogs
conditional: >-
{{ {{
['vim'] (['openssh'] if system_cfg.features.ssh.enabled | bool else [])
+ [('openssh' if system_cfg.features.ssh.enabled | bool else '')]
+ bootstrap_common_conditional + bootstrap_common_conditional
}} }}
bootstrap_void: >- bootstrap_void:
base:
- base-system
- void-repo-nonfree
extra:
- btrfs-progs
- chrony
- curl
- dhcpcd
- e2fsprogs
- logrotate
- lvm2
- python3
- rsync
- sudo
- vim
- xfsprogs
conditional: >-
{{ {{
['vim'] (['openssh'] if system_cfg.features.ssh.enabled | bool else [])
+ [('openssh' if system_cfg.features.ssh.enabled | bool else '')]
+ bootstrap_common_conditional + bootstrap_common_conditional
}} }}

119
roles/cis/defaults/main.yml
View File

@@ -1,21 +1,100 @@
--- ---
cis_permission_targets: >- # User-facing API: override via top-level `cis` dict in inventory.
{{ # Merged with these defaults in _normalize.yml → cis_cfg.
[ cis_defaults:
{ "path": "/mnt/etc/ssh/sshd_config", "mode": "0600" }, modules_blacklist:
{ "path": "/mnt/etc/cron.hourly", "mode": "0700" }, - freevxfs
{ "path": "/mnt/etc/cron.daily", "mode": "0700" }, - jffs2
{ "path": "/mnt/etc/cron.weekly", "mode": "0700" }, - hfs
{ "path": "/mnt/etc/cron.monthly", "mode": "0700" }, - hfsplus
{ "path": "/mnt/etc/cron.d", "mode": "0700" }, - cramfs
{ "path": "/mnt/etc/crontab", "mode": "0600" }, - udf
{ "path": "/mnt/etc/logrotate.conf", "mode": "0644" }, - usb-storage
{ "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os != "rhel" else None, - dccp
{ - sctp
"path": "/mnt/usr/bin/" - rds
+ ("fusermount3" if os in ["archlinux", "fedora", "rocky"] or os == "rhel" or (os == "debian" and (os_version | string) == "12") else "fusermount"), - tipc
"mode": "755" - firewire-core
}, - firewire-sbp2
{ "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian" and (os_version | string) == "11" else "write"), "mode": "755" } - thunderbolt
] | reject("none") sysctl:
}} fs.suid_dumpable: 0
kernel.dmesg_restrict: 1
kernel.kptr_restrict: 2
kernel.perf_event_paranoid: 3
kernel.unprivileged_bpf_disabled: 1
kernel.yama.ptrace_scope: 2
kernel.randomize_va_space: 2
net.ipv4.ip_forward: 0
net.ipv4.tcp_syncookies: 1
net.ipv4.icmp_echo_ignore_broadcasts: 1
net.ipv4.icmp_ignore_bogus_error_responses: 1
net.ipv4.conf.all.log_martians: 1
net.ipv4.conf.all.rp_filter: 1
net.ipv4.conf.all.secure_redirects: 0
net.ipv4.conf.all.send_redirects: 0
net.ipv4.conf.all.accept_redirects: 0
net.ipv4.conf.all.accept_source_route: 0
net.ipv4.conf.all.arp_ignore: 1
net.ipv4.conf.all.arp_announce: 2
net.ipv4.conf.default.log_martians: 1
net.ipv4.conf.default.rp_filter: 1
net.ipv4.conf.default.secure_redirects: 0
net.ipv4.conf.default.send_redirects: 0
net.ipv4.conf.default.accept_redirects: 0
net.ipv6.conf.all.accept_redirects: 0
net.ipv6.conf.all.disable_ipv6: 1
net.ipv6.conf.default.accept_redirects: 0
net.ipv6.conf.default.disable_ipv6: 1
net.ipv6.conf.lo.disable_ipv6: 1
sshd_options:
- { option: LogLevel, value: VERBOSE }
- { option: LoginGraceTime, value: "60" }
- { option: PermitRootLogin, value: "no" }
- { option: StrictModes, value: "yes" }
- { option: MaxAuthTries, value: "4" }
- { option: MaxSessions, value: "10" }
- { option: MaxStartups, value: "10:30:60" }
- { option: PubkeyAuthentication, value: "yes" }
- { option: HostbasedAuthentication, value: "no" }
- { option: IgnoreRhosts, value: "yes" }
- { option: PasswordAuthentication, value: "no" }
- { option: PermitEmptyPasswords, value: "no" }
- { option: KerberosAuthentication, value: "no" }
- { option: GSSAPIAuthentication, value: "no" }
- { option: AllowAgentForwarding, value: "no" }
- { option: AllowTcpForwarding, value: "no" }
- { option: KbdInteractiveAuthentication, value: "no" }
- { option: GatewayPorts, value: "no" }
- { option: X11Forwarding, value: "no" }
- { option: PermitUserEnvironment, value: "no" }
- { option: ClientAliveInterval, value: "300" }
- { option: ClientAliveCountMax, value: "1" }
- { option: PermitTunnel, value: "no" }
- { option: Banner, value: /etc/issue.net }
pwquality_minlen: 14
tmout: 900
umask: "077"
umask_profile: "027"
faillock_deny: 5
faillock_unlock_time: 900
password_remember: 5
# Platform-specific binary names for CIS permission targets
cis_fusermount_binary: "{{ 'fusermount3' if is_rhel | default(false) | bool else 'fusermount' }}"
cis_write_binary: "{{ 'write' if is_rhel | default(false) | bool else 'wall' }}"
cis: {}
cis_permission_targets:
- { path: "/mnt/etc/ssh/sshd_config", mode: "0600" }
- { path: "/mnt/etc/cron.hourly", mode: "0700" }
- { path: "/mnt/etc/cron.daily", mode: "0700" }
- { path: "/mnt/etc/cron.weekly", mode: "0700" }
- { path: "/mnt/etc/cron.monthly", mode: "0700" }
- { path: "/mnt/etc/cron.d", mode: "0700" }
- { path: "/mnt/etc/crontab", mode: "0600" }
- { path: "/mnt/etc/logrotate.conf", mode: "0644" }
- { path: "/mnt/usr/sbin/pppd", mode: "0754" }
- { path: "/mnt/usr/bin/{{ cis_fusermount_binary }}", mode: "0755" }
- { path: "/mnt/usr/bin/{{ cis_write_binary }}", mode: "0755" }

10
roles/cis/tasks/_normalize.yml Normal file
View File

@@ -0,0 +1,10 @@
---
- name: Normalize CIS input
ansible.builtin.set_fact:
cis_enabled: "{{ cis is defined and (cis is mapping or cis | bool) }}"
cis_input: "{{ cis if cis is mapping else {} }}"
- name: Normalize CIS configuration
when: cis_enabled and cis_cfg is not defined
ansible.builtin.set_fact:
cis_cfg: "{{ cis_defaults | combine(cis_input, recursive=True) }}"

16
roles/cis/tasks/auth.yml
View File

@@ -3,13 +3,21 @@
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "/mnt/etc/profile" path: "/mnt/etc/profile"
regexp: "^(\\s*)umask\\s+\\d+" regexp: "^(\\s*)umask\\s+\\d+"
line: "umask 027" line: "umask {{ cis_cfg.umask_profile }}"
# Non-RHEL/non-Debian distros: loop evaluates to [] (intentional skip)
- name: Prevent Login to Accounts With Empty Password - name: Prevent Login to Accounts With Empty Password
ansible.builtin.replace: ansible.builtin.replace:
dest: "{{ item }}" dest: "{{ item }}"
regexp: "\\s*nullok" regexp: "\\s*nullok"
replace: "" replace: ""
loop: loop: >-
- /mnt/etc/pam.d/system-auth {{
- /mnt/etc/pam.d/password-auth ['/mnt/etc/pam.d/system-auth', '/mnt/etc/pam.d/password-auth']
if is_rhel | bool
else (
['/mnt/etc/pam.d/common-auth', '/mnt/etc/pam.d/common-password']
if is_debian | bool
else []
)
}}

6
roles/cis/tasks/crypto.yml
View File

@@ -1,6 +1,8 @@
--- ---
# Fedora ships its own crypto-policies preset and update-crypto-policies
# behaves differently; applying DEFAULT:NO-SHA1 can break package signing.
- name: Configure System Cryptography Policy - name: Configure System Cryptography Policy
when: os == "rhel" or os in ["almalinux", "rocky"] when: os in (os_family_rhel | difference(['fedora']))
ansible.builtin.command: "{{ chroot_command }} /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1" ansible.builtin.command: "{{ chroot_command }} /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1"
register: cis_crypto_policy_result register: cis_crypto_policy_result
changed_when: "'Setting system-wide crypto-policies to' in cis_crypto_policy_result.stdout" changed_when: "'Setting system-wide crypto-policies to' in cis_crypto_policy_result.stdout"
@@ -9,4 +11,4 @@
ansible.builtin.command: > ansible.builtin.command: >
{{ chroot_command }} systemctl mask {{ 'nftables' if system_cfg.features.firewall.toolkit == 'iptables' else 'iptables' }} bluetooth rpcbind {{ chroot_command }} systemctl mask {{ 'nftables' if system_cfg.features.firewall.toolkit == 'iptables' else 'iptables' }} bluetooth rpcbind
register: cis_mask_services_result register: cis_mask_services_result
changed_when: cis_mask_services_result.rc == 0 changed_when: "'Created symlink' in cis_mask_services_result.stderr"

6
roles/cis/tasks/main.yml
View File

@@ -1,4 +1,10 @@
--- ---
- name: Normalize CIS configuration
ansible.builtin.import_tasks: _normalize.yml
- name: Apply CIS hardening
when: cis_enabled
block:
- name: Include CIS hardening tasks - name: Include CIS hardening tasks
ansible.builtin.include_tasks: "{{ cis_task }}" ansible.builtin.include_tasks: "{{ cis_task }}"
loop: loop:

19
roles/cis/tasks/modules.yml
View File

@@ -1,22 +1,17 @@
--- ---
- name: Disable Kernel Modules - name: Disable Kernel Modules
vars:
# Ubuntu uses squashfs for snap packages — blacklisting it breaks snap entirely
cis_modules_squashfs: "{{ [] if os in ['ubuntu', 'ubuntu-lts'] else ['squashfs'] }}"
cis_modules_all: "{{ cis_cfg.modules_blacklist + cis_modules_squashfs }}"
ansible.builtin.copy: ansible.builtin.copy:
dest: /mnt/etc/modprobe.d/cis.conf dest: /mnt/etc/modprobe.d/cis.conf
mode: "0644" mode: "0644"
content: | content: |
# CIS LVL 3 Restrictions # CIS LVL 3 Restrictions
install freevxfs /bin/false {% for mod in cis_modules_all %}
install jffs2 /bin/false install {{ mod }}{{ ' ' * (16 - mod | length) }}/bin/false
install hfs /bin/false {% endfor %}
install hfsplus /bin/false
install cramfs /bin/false
install squashfs /bin/false
install udf /bin/false
install usb-storage /bin/false
install dccp /bin/false
install sctp /bin/false
install rds /bin/false
install tipc /bin/false
- name: Remove old USB rules file - name: Remove old USB rules file
ansible.builtin.file: ansible.builtin.file:

4
roles/cis/tasks/permissions.yml
View File

@@ -3,6 +3,8 @@
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ item.path }}" path: "{{ item.path }}"
loop: "{{ cis_permission_targets }}" loop: "{{ cis_permission_targets }}"
loop_control:
label: "{{ item.path }}"
register: cis_permission_stats register: cis_permission_stats
changed_when: false changed_when: false
@@ -13,4 +15,6 @@
group: "{{ item.item.group | default(omit) }}" group: "{{ item.item.group | default(omit) }}"
mode: "{{ item.item.mode }}" mode: "{{ item.item.mode }}"
loop: "{{ cis_permission_stats.results }}" loop: "{{ cis_permission_stats.results }}"
loop_control:
label: "{{ item.item.path }}"
when: item.stat.exists when: item.stat.exists

46
roles/cis/tasks/security_lines.yml
View File

@@ -2,19 +2,30 @@
- name: Add Security related lines into config files - name: Add Security related lines into config files
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ item.path }}" path: "{{ item.path }}"
regexp: "{{ item.regexp }}"
line: "{{ item.content }}" line: "{{ item.content }}"
loop: loop:
- { path: /mnt/etc/security/limits.conf, content: "* hard core 0" } - { path: /mnt/etc/security/limits.conf, regexp: '^\*\s+hard\s+core\s+', content: "* hard core 0" }
- { path: /mnt/etc/security/pwquality.conf, content: minlen = 14 } - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*minlen\s*=', content: "minlen = {{ cis_cfg.pwquality_minlen }}" }
- { path: /mnt/etc/security/pwquality.conf, content: dcredit = -1 } - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*dcredit\s*=', content: dcredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 } - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*ucredit\s*=', content: ucredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 } - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*ocredit\s*=', content: ocredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 } - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*lcredit\s*=', content: lcredit = -1 }
- { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: umask 077 } - path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}'
- { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: export TMOUT=3000 } regexp: '^\s*umask\s+\d+'
- { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent } content: "umask {{ cis_cfg.umask }}"
- { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" } - path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}'
- { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so } regexp: '^\s*(export\s+)?TMOUT='
content: "export TMOUT={{ cis_cfg.tmout }}"
- path: '/mnt/{{ "usr/lib/systemd/journald.conf" if is_rhel | bool else "etc/systemd/journald.conf" }}'
regexp: '^\s*#?\s*Storage='
content: Storage=persistent
- path: /mnt/etc/sudoers
regexp: '^\s*Defaults\s+logfile='
content: Defaults logfile="/var/log/sudo.log"
- path: /mnt/etc/pam.d/su
regexp: '^\s*#?\s*auth\s+required\s+pam_wheel\.so'
content: auth required pam_wheel.so
- path: >- - path: >-
/mnt/etc/{{ /mnt/etc/{{
"pam.d/common-auth" "pam.d/common-auth"
@@ -23,8 +34,9 @@
if os == "fedora" if os == "fedora"
else "pam.d/system-auth" else "pam.d/system-auth"
}} }}
regexp: '^\s*auth\s+required\s+pam_faillock\.so'
content: >- content: >-
auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900 auth required pam_faillock.so onerr=fail audit silent deny={{ cis_cfg.faillock_deny }} unlock_time={{ cis_cfg.faillock_unlock_time }}
- path: >- - path: >-
/mnt/etc/{{ /mnt/etc/{{
"pam.d/common-account" "pam.d/common-account"
@@ -33,6 +45,7 @@
if os == "fedora" if os == "fedora"
else "pam.d/system-auth" else "pam.d/system-auth"
}} }}
regexp: '^\s*account\s+required\s+pam_faillock\.so'
content: account required pam_faillock.so content: account required pam_faillock.so
- path: >- - path: >-
/mnt/etc/pam.d/{{ /mnt/etc/pam.d/{{
@@ -40,7 +53,10 @@
if is_debian | bool if is_debian | bool
else "passwd" else "passwd"
}} }}
regexp: '^\s*password\s+\[success=1.*\]\s+pam_unix\.so'
content: >- content: >-
password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5 password [success=1 default=ignore] pam_unix.so obscure sha512 remember={{ cis_cfg.password_remember }}
- { path: /mnt/etc/hosts.deny, content: "ALL: ALL" } - { path: /mnt/etc/hosts.deny, regexp: '^ALL:\s*ALL', content: "ALL: ALL" }
- { path: /mnt/etc/hosts.allow, content: "sshd: ALL" } - { path: /mnt/etc/hosts.allow, regexp: '^sshd:\s*ALL', content: "sshd: ALL" }
loop_control:
label: "{{ item.content }}"

51
roles/cis/tasks/sshd.yml
View File

@@ -4,48 +4,37 @@
path: /mnt/etc/ssh/sshd_config path: /mnt/etc/ssh/sshd_config
regexp: ^\s*#?{{ item.option }}\s+.*$ regexp: ^\s*#?{{ item.option }}\s+.*$
line: "{{ item.option }} {{ item.value }}" line: "{{ item.option }} {{ item.value }}"
loop: loop: "{{ cis_cfg.sshd_options }}"
- { option: LogLevel, value: VERBOSE } loop_control:
- { option: LoginGraceTime, value: "60" } label: "{{ item.option }}"
- { option: PermitRootLogin, value: "no" }
- { option: StrictModes, value: "yes" } - name: Detect target OpenSSH version
- { option: MaxAuthTries, value: "4" } ansible.builtin.shell: >-
- { option: MaxSessions, value: "10" } set -o pipefail && {{ chroot_command }} ssh -V 2>&1 | grep -oP 'OpenSSH_\K[0-9]+\.[0-9]+'
- { option: MaxStartups, value: "10:30:60" } args:
- { option: PubkeyAuthentication, value: "yes" } executable: /bin/bash
- { option: HostbasedAuthentication, value: "no" } register: cis_sshd_openssh_version
- { option: IgnoreRhosts, value: "yes" } changed_when: false
- { option: PasswordAuthentication, value: "no" } failed_when: false
- { option: PermitEmptyPasswords, value: "no" }
- { option: KerberosAuthentication, value: "no" }
- { option: GSSAPIAuthentication, value: "no" }
- { option: AllowAgentForwarding, value: "no" }
- { option: AllowTcpForwarding, value: "no" }
- { option: ChallengeResponseAuthentication, value: "no" }
- { option: GatewayPorts, value: "no" }
- { option: X11Forwarding, value: "no" }
- { option: PermitUserEnvironment, value: "no" }
- { option: ClientAliveInterval, value: "300" }
- { option: ClientAliveCountMax, value: "1" }
- { option: PermitTunnel, value: "no" }
- { option: Banner, value: /etc/issue.net }
- name: Append CIS specific configurations to sshd_config - name: Append CIS specific configurations to sshd_config
vars:
cis_sshd_has_mlkem: "{{ (cis_sshd_openssh_version.stdout | default('0.0') is version('9.9', '>=')) }}"
cis_sshd_kex: >-
{{
(['mlkem768x25519-sha256'] if cis_sshd_has_mlkem | bool else [])
+ ['curve25519-sha256@libssh.org', 'ecdh-sha2-nistp521', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp256']
}}
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: /mnt/etc/ssh/sshd_config path: /mnt/etc/ssh/sshd_config
marker: "# {mark} CIS SSH HARDENING" marker: "# {mark} CIS SSH HARDENING"
block: |- block: |-
## CIS Specific ## CIS Specific
Protocol 2
### Ciphers and keying ### ### Ciphers and keying ###
RekeyLimit 512M 6h RekeyLimit 512M 6h
KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256 KexAlgorithms {{ cis_sshd_kex | join(',') }}
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
########################### ###########################
AllowStreamLocalForwarding no AllowStreamLocalForwarding no
PermitUserRC no PermitUserRC no
AllowUsers *
AllowGroups *
DenyUsers nobody
DenyGroups nobody

26
roles/cis/tasks/sysctl.yml
View File

@@ -5,26 +5,6 @@
mode: "0644" mode: "0644"
content: | content: |
## CIS Sysctl configurations ## CIS Sysctl configurations
kernel.yama.ptrace_scope=1 {% for key, value in cis_cfg.sysctl | dictsort %}
kernel.randomize_va_space=2 {{ key }}={{ value }}
# Network {% endfor %}
net.ipv4.ip_forward=0
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1

21
roles/cis/vars/main.yml Normal file
View File

@@ -0,0 +1,21 @@
---
# OS-specific binary names for CIS permission targets.
# fusermount3 is the modern name; older distros still use fusermount.
cis_fusermount_binary: >-
{{
'fusermount3'
if (
os in ['archlinux', 'fedora', 'rocky', 'rhel']
or (os == 'debian' and (os_version | string) not in ['10', '11'])
or (os == 'almalinux')
)
else 'fusermount'
}}
# write.ul is the Debian 11 name; all others use write.
cis_write_binary: >-
{{
'write.ul'
if (os == 'debian' and (os_version | string) == '11')
else 'write'
}}

6
roles/cleanup/defaults/main.yml
View File

@@ -1,4 +1,10 @@
--- ---
# Post-reboot verification
cleanup_verify_boot: true
cleanup_boot_timeout: 300
cleanup_remove_on_failure: true
# Libvirt paths
cleanup_libvirt_image_dir: >- cleanup_libvirt_image_dir: >-
{{ {{
system_cfg.path system_cfg.path

36
roles/cleanup/tasks/libvirt.yml
View File

@@ -16,18 +16,6 @@
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_get_xml.get_xml }}" cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_get_xml.get_xml }}"
changed_when: false changed_when: false
- name: Remove boot ISO device from VM XML (target match)
community.general.xml:
xmlstring: "{{ cleanup_libvirt_domain_xml }}"
xpath: "/domain/devices/disk[target/@dev='sda']"
state: absent
register: cleanup_libvirt_xml_strip_boot
- name: Update cleaned VM XML after removing boot ISO
ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot.xmlstring }}"
changed_when: false
- name: Remove boot ISO device from VM XML (source match) - name: Remove boot ISO device from VM XML (source match)
when: boot_iso is defined and boot_iso | length > 0 when: boot_iso is defined and boot_iso | length > 0
community.general.xml: community.general.xml:
@@ -42,16 +30,16 @@
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot_source.xmlstring }}" cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot_source.xmlstring }}"
changed_when: false changed_when: false
- name: Remove cloud-init ISO device from VM XML (target match) - name: Remove boot ISO device from VM XML (target fallback)
community.general.xml: community.general.xml:
xmlstring: "{{ cleanup_libvirt_domain_xml }}" xmlstring: "{{ cleanup_libvirt_domain_xml }}"
xpath: "/domain/devices/disk[target/@dev='sdb']" xpath: "/domain/devices/disk[target/@dev='sda']"
state: absent state: absent
register: cleanup_libvirt_xml_strip_cloudinit register: cleanup_libvirt_xml_strip_boot
- name: Update cleaned VM XML after removing cloud-init ISO - name: Update cleaned VM XML after removing boot ISO
ansible.builtin.set_fact: ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_cloudinit.xmlstring }}" cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot.xmlstring }}"
changed_when: false changed_when: false
- name: Remove cloud-init ISO device from VM XML (source match) - name: Remove cloud-init ISO device from VM XML (source match)
@@ -66,6 +54,18 @@
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_cloudinit_source.xmlstring }}" cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_cloudinit_source.xmlstring }}"
changed_when: false changed_when: false
- name: Remove cloud-init ISO device from VM XML (target fallback)
community.general.xml:
xmlstring: "{{ cleanup_libvirt_domain_xml }}"
xpath: "/domain/devices/disk[target/@dev='sdb']"
state: absent
register: cleanup_libvirt_xml_strip_cloudinit
- name: Update cleaned VM XML after removing cloud-init ISO
ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_cloudinit.xmlstring }}"
changed_when: false
- name: Strip XML declaration for libvirt define - name: Strip XML declaration for libvirt define
ansible.builtin.set_fact: ansible.builtin.set_fact:
cleanup_libvirt_domain_xml_clean: >- cleanup_libvirt_domain_xml_clean: >-
@@ -92,12 +92,14 @@
community.libvirt.virt: community.libvirt.virt:
name: "{{ hostname }}" name: "{{ hostname }}"
state: destroyed state: destroyed
failed_when: false
- name: Start the VM - name: Start the VM
community.libvirt.virt: community.libvirt.virt:
name: "{{ hostname }}" name: "{{ hostname }}"
state: running state: running
# delegate_to inventory_hostname: overrides play-level localhost to run wait_for_connection against the VM
- name: Wait for VM to boot up - name: Wait for VM to boot up
delegate_to: "{{ inventory_hostname }}" delegate_to: "{{ inventory_hostname }}"
ansible.builtin.wait_for_connection: ansible.builtin.wait_for_connection:

29
roles/cleanup/tasks/proxmox.yml
View File

@@ -3,25 +3,32 @@
when: hypervisor_type == "proxmox" when: hypervisor_type == "proxmox"
delegate_to: localhost delegate_to: localhost
become: false become: false
block: module_defaults:
- name: Cleanup Setup Disks
community.proxmox.proxmox_disk: community.proxmox.proxmox_disk:
api_host: "{{ hypervisor_cfg.url }}" api_host: "{{ hypervisor_cfg.url }}"
api_user: "{{ hypervisor_cfg.username }}" api_user: "{{ hypervisor_cfg.username }}"
api_password: "{{ hypervisor_cfg.password }}" api_password: "{{ hypervisor_cfg.password }}"
name: "{{ hostname }}"
vmid: "{{ system_cfg.id }}"
disk: "{{ item }}"
state: absent
loop:
- ide0
- ide2
- name: Start the VM
community.proxmox.proxmox_kvm: community.proxmox.proxmox_kvm:
api_host: "{{ hypervisor_cfg.url }}" api_host: "{{ hypervisor_cfg.url }}"
api_user: "{{ hypervisor_cfg.username }}" api_user: "{{ hypervisor_cfg.username }}"
api_password: "{{ hypervisor_cfg.password }}" api_password: "{{ hypervisor_cfg.password }}"
node: "{{ hypervisor_cfg.host }}" node: "{{ hypervisor_cfg.host }}"
block:
- name: Cleanup Setup Disks
community.proxmox.proxmox_disk:
name: "{{ hostname }}"
vmid: "{{ system_cfg.id }}"
disk: "{{ item }}"
state: absent
loop: >-
{{
['ide0', 'ide2']
+ (['ide1'] if not (os == 'rhel' and system_cfg.features.rhel_repo.source == 'iso') else [])
}}
failed_when: false
no_log: true
- name: Start the VM
community.proxmox.proxmox_kvm:
vmid: "{{ system_cfg.id }}" vmid: "{{ system_cfg.id }}"
state: restarted state: restarted

111
roles/cleanup/tasks/virtual.yml
View File

@@ -6,16 +6,7 @@
ansible.builtin.include_tasks: shutdown.yml ansible.builtin.include_tasks: shutdown.yml
- name: Cleanup hypervisor resources - name: Cleanup hypervisor resources
ansible.builtin.include_tasks: proxmox.yml ansible.builtin.include_tasks: "{{ hypervisor_type }}.yml"
- name: Cleanup vCenter resources
ansible.builtin.include_tasks: vmware.yml
- name: Cleanup libvirt resources
ansible.builtin.include_tasks: libvirt.yml
- name: Cleanup Xen resources
ansible.builtin.include_tasks: xen.yml
- name: Determine post-reboot connectivity - name: Determine post-reboot connectivity
ansible.builtin.set_fact: ansible.builtin.set_fact:
@@ -34,25 +25,27 @@
) )
) | bool ) | bool
}} }}
changed_when: false
- name: Check VM accessibility after reboot - name: Check VM accessibility after reboot
when: when:
- cleanup_verify_boot | bool
- system_cfg.type == "virtual" - system_cfg.type == "virtual"
- cleanup_post_reboot_can_connect | bool - cleanup_post_reboot_can_connect | bool
block: block:
- name: Attempt to connect to VM - name: Attempt to connect to VM
delegate_to: "{{ inventory_hostname }}" delegate_to: "{{ inventory_hostname }}"
ansible.builtin.wait_for_connection: ansible.builtin.wait_for_connection:
timeout: 300 timeout: "{{ cleanup_boot_timeout }}"
register: cleanup_vm_connection_check register: cleanup_vm_connection_check
failed_when: false failed_when: false
changed_when: false changed_when: false
- name: VM failed to boot - initiate cleanup - name: VM failed to boot - initiate cleanup
when: when:
- cleanup_remove_on_failure | bool
- cleanup_vm_connection_check is defined - cleanup_vm_connection_check is defined
- cleanup_vm_connection_check.failed | bool - cleanup_vm_connection_check.failed | bool
- virtualization_vm_created_in_run | default(false) | bool
block: block:
- name: VM boot failure detected - removing VM - name: VM boot failure detected - removing VM
ansible.builtin.debug: ansible.builtin.debug:
@@ -61,32 +54,23 @@
This VM was created in the current playbook run and will be removed This VM was created in the current playbook run and will be removed
to prevent orphaned resources. to prevent orphaned resources.
- name: Remove VM for libvirt - name: Remove failed libvirt VM
when: when: hypervisor_type == "libvirt"
- hypervisor_type == "libvirt"
- virtualization_vm_created_in_run | default(false) | bool
delegate_to: localhost delegate_to: localhost
become: false become: false
block:
- name: Destroy libvirt VM
community.libvirt.virt: community.libvirt.virt:
name: "{{ hostname }}" name: "{{ hostname }}"
state: destroyed state: destroyed
failed_when: false
- name: Undefine VM for libvirt - name: Undefine libvirt VM
when:
- hypervisor_type == "libvirt"
- virtualization_vm_created_in_run | default(false) | bool
delegate_to: localhost
become: false
community.libvirt.virt: community.libvirt.virt:
name: "{{ hostname }}" name: "{{ hostname }}"
command: undefine command: undefine
- name: Remove VM disk for libvirt - name: Remove libvirt VM disks
when:
- hypervisor_type == "libvirt"
- virtualization_vm_created_in_run | default(false) | bool
delegate_to: localhost
become: false
ansible.builtin.file: ansible.builtin.file:
path: "{{ item.path }}" path: "{{ item.path }}"
state: absent state: absent
@@ -94,83 +78,66 @@
loop_control: loop_control:
label: "{{ item.path }}" label: "{{ item.path }}"
- name: Remove cloud-init disk for libvirt - name: Remove libvirt cloud-init disk
when:
- hypervisor_type == "libvirt"
- virtualization_vm_created_in_run | default(false) | bool
delegate_to: localhost
become: false
ansible.builtin.file: ansible.builtin.file:
path: "{{ virtualization_libvirt_cloudinit_path }}" path: "{{ virtualization_libvirt_cloudinit_path }}"
state: absent state: absent
- name: Remove VM for proxmox - name: Remove failed Proxmox VM
when: when: hypervisor_type == "proxmox"
- hypervisor_type == "proxmox"
- virtualization_vm_created_in_run | default(false) | bool
delegate_to: localhost delegate_to: localhost
become: false become: false
module_defaults:
community.proxmox.proxmox_kvm: community.proxmox.proxmox_kvm:
api_host: "{{ hypervisor_cfg.url }}" api_host: "{{ hypervisor_cfg.url }}"
api_user: "{{ hypervisor_cfg.username }}" api_user: "{{ hypervisor_cfg.username }}"
api_password: "{{ hypervisor_cfg.password }}" api_password: "{{ hypervisor_cfg.password }}"
node: "{{ hypervisor_cfg.host }}" node: "{{ hypervisor_cfg.host }}"
no_log: true
block:
- name: Stop Proxmox VM
community.proxmox.proxmox_kvm:
name: "{{ hostname }}" name: "{{ hostname }}"
vmid: "{{ system_cfg.id }}" vmid: "{{ system_cfg.id }}"
state: stopped state: stopped
- name: Delete VM for proxmox - name: Delete Proxmox VM
when:
- hypervisor_type == "proxmox"
- virtualization_vm_created_in_run | default(false) | bool
delegate_to: localhost
become: false
community.proxmox.proxmox_kvm: community.proxmox.proxmox_kvm:
api_host: "{{ hypervisor_cfg.url }}"
api_user: "{{ hypervisor_cfg.username }}"
api_password: "{{ hypervisor_cfg.password }}"
node: "{{ hypervisor_cfg.host }}"
name: "{{ hostname }}" name: "{{ hostname }}"
vmid: "{{ system_cfg.id }}" vmid: "{{ system_cfg.id }}"
state: absent state: absent
unprivileged: false unprivileged: false
- name: Remove VM for VMware - name: Remove failed VMware VM
when: when: hypervisor_type == "vmware"
- hypervisor_type == "vmware"
- virtualization_vm_created_in_run | default(false) | bool
delegate_to: localhost delegate_to: localhost
become: false become: false
module_defaults:
community.vmware.vmware_guest: community.vmware.vmware_guest:
hostname: "{{ hypervisor_cfg.url }}" hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}" username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}" password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}" validate_certs: "{{ hypervisor_cfg.certs | bool }}"
no_log: true
block:
- name: Power off VMware VM
community.vmware.vmware_guest:
name: "{{ hostname }}" name: "{{ hostname }}"
folder: "{{ system_cfg.path | default('/') }}" folder: "{{ system_cfg.path | default('/') }}"
state: poweredoff state: poweredoff
- name: Delete VM for VMware - name: Delete VMware VM
when:
- hypervisor_type == "vmware"
- virtualization_vm_created_in_run | default(false) | bool
delegate_to: localhost
become: false
community.vmware.vmware_guest: community.vmware.vmware_guest:
hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}"
name: "{{ hostname }}" name: "{{ hostname }}"
folder: "{{ system_cfg.path | default('/') }}" folder: "{{ system_cfg.path | default('/') }}"
state: absent state: absent
- name: Destroy Xen VM if running - name: Remove failed Xen VM
when: when: hypervisor_type == "xen"
- hypervisor_type == "xen"
- virtualization_vm_created_in_run | default(false) | bool
delegate_to: localhost delegate_to: localhost
become: false become: false
block:
- name: Destroy Xen VM if running
ansible.builtin.command: ansible.builtin.command:
argv: argv:
- xl - xl
@@ -180,12 +147,7 @@
failed_when: false failed_when: false
changed_when: cleanup_xen_destroy.rc == 0 changed_when: cleanup_xen_destroy.rc == 0
- name: Remove Xen VM disk - name: Remove Xen VM disks
when:
- hypervisor_type == "xen"
- virtualization_vm_created_in_run | default(false) | bool
delegate_to: localhost
become: false
ansible.builtin.file: ansible.builtin.file:
path: "{{ item.path }}" path: "{{ item.path }}"
state: absent state: absent
@@ -194,11 +156,6 @@
label: "{{ item.path }}" label: "{{ item.path }}"
- name: Remove Xen VM config file - name: Remove Xen VM config file
when:
- hypervisor_type == "xen"
- virtualization_vm_created_in_run | default(false) | bool
delegate_to: localhost
become: false
ansible.builtin.file: ansible.builtin.file:
path: "/tmp/xen-{{ hostname }}.cfg" path: "/tmp/xen-{{ hostname }}.cfg"
state: absent state: absent

57
roles/cleanup/tasks/vmware.yml
View File

@@ -3,36 +3,55 @@
when: hypervisor_type == "vmware" when: hypervisor_type == "vmware"
delegate_to: localhost delegate_to: localhost
become: false become: false
block: module_defaults:
- name: Remove CD-ROM from VM in vCenter
community.vmware.vmware_guest: community.vmware.vmware_guest:
hostname: "{{ hypervisor_cfg.url }}" hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}" username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}" password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}" validate_certs: "{{ hypervisor_cfg.certs | bool }}"
datacenter: "{{ hypervisor_cfg.datacenter }}" datacenter: "{{ hypervisor_cfg.datacenter }}"
name: "{{ hostname }}"
cdrom:
- controller_number: 0
unit_number: 0
controller_type: sata
type: iso
iso_path: "{{ boot_iso }}"
state: absent
- controller_number: 0
unit_number: 1
controller_type: sata
type: iso
iso_path: "{{ rhel_iso if rhel_iso is defined and rhel_iso | length > 0 else omit }}"
state: absent
failed_when: false
- name: Start VM in vCenter
vmware.vmware.vm_powerstate: vmware.vmware.vm_powerstate:
hostname: "{{ hypervisor_cfg.url }}" hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}" username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}" password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}" validate_certs: "{{ hypervisor_cfg.certs | bool }}"
datacenter: "{{ hypervisor_cfg.datacenter }}" datacenter: "{{ hypervisor_cfg.datacenter }}"
no_log: true
block:
- name: Remove CD-ROM from VM in vCenter
community.vmware.vmware_guest:
name: "{{ hostname }}"
cdrom: >-
{{
[
{
'controller_number': 0,
'unit_number': 0,
'controller_type': 'sata',
'type': 'iso',
'iso_path': boot_iso,
'state': 'absent'
}
]
+ (
[
{
'controller_number': 0,
'unit_number': 1,
'controller_type': 'sata',
'type': 'iso',
'iso_path': rhel_iso,
'state': 'absent'
}
]
if (rhel_iso is defined and rhel_iso | length > 0
and not (os == 'rhel' and system_cfg.features.rhel_repo.source == 'iso'))
else []
)
}}
failed_when: false
- name: Start VM in vCenter
vmware.vmware.vm_powerstate:
name: "{{ hostname }}" name: "{{ hostname }}"
state: powered-on state: powered-on

9
roles/cleanup/tasks/xen.yml
View File

@@ -3,13 +3,15 @@
when: hypervisor_type == "xen" when: hypervisor_type == "xen"
delegate_to: localhost delegate_to: localhost
become: false become: false
vars:
xen_installer_media_enabled: "{{ xen_installer_media_enabled | default(false) }}"
block: block:
- name: Ensure Xen disk definitions exist - name: Ensure Xen disk definitions exist
when: virtualization_xen_disks is not defined when: virtualization_xen_disks is not defined
ansible.builtin.set_fact: ansible.builtin.set_fact:
cleanup_xen_disks: "{{ cleanup_xen_disks | default([]) + [cleanup_xen_disk_cfg] }}" cleanup_xen_disks: "{{ cleanup_xen_disks | default([]) + [cleanup_xen_disk_cfg] }}"
vars: vars:
device_letter_map: "abcdefghijklmnopqrstuvwxyz" device_letter_map: "{{ disk_letter_map }}"
device_letter: "{{ device_letter_map[ansible_loop.index0] }}" device_letter: "{{ device_letter_map[ansible_loop.index0] }}"
cleanup_xen_disk_cfg: >- cleanup_xen_disk_cfg: >-
{{ {{
@@ -56,3 +58,8 @@
- /tmp/xen-{{ hostname }}.cfg - /tmp/xen-{{ hostname }}.cfg
register: cleanup_xen_start_result register: cleanup_xen_start_result
changed_when: cleanup_xen_start_result.rc == 0 changed_when: cleanup_xen_start_result.rc == 0
- name: Remove temporary Xen configuration file
ansible.builtin.file:
path: /tmp/xen-{{ hostname }}.cfg
state: absent

0
roles/configuration/templates/custom.sh.j2 → roles/configuration/files/custom.sh
View File

16
roles/configuration/tasks/banner.yml
View File

@@ -23,6 +23,22 @@
- /mnt/etc/motd.d/insights-client - /mnt/etc/motd.d/insights-client
failed_when: false failed_when: false
- name: Create login banner
ansible.builtin.copy:
dest: "{{ item }}"
content: |
**************************************************************
* WARNING: Unauthorized access to this system is prohibited. *
* All activities are monitored and logged. *
* Disconnect immediately if you are not an authorized user. *
**************************************************************
owner: root
group: root
mode: "0644"
loop:
- /mnt/etc/issue
- /mnt/etc/issue.net
- name: Configure sudo banner - name: Configure sudo banner
when: system_cfg.features.banner.sudo | bool when: system_cfg.features.banner.sudo | bool
block: block:

53
roles/configuration/tasks/bootloader.yml
View File

@@ -1,27 +1,40 @@
--- ---
- name: Configure Bootloader - name: Configure Bootloader
block:
- name: Install Bootloader
vars: vars:
configuration_use_efibootmgr: "{{ is_rhel | bool }}" _efi_vendor: >-
configuration_efi_dir: "{{ partitioning_efi_mountpoint }}" {{
configuration_bootloader_id: >- "redhat" if os == "rhel"
{{ "ubuntu" if os in ["ubuntu", "ubuntu-lts"] else os }} else ("ubuntu" if os in ["ubuntu", "ubuntu-lts"] else os)
configuration_efi_vendor: >- }}
{{ "redhat" if os == "rhel" else os }} _efi_loader: >-
configuration_efibootmgr_cmd: >- {{ "shimx64.efi" if is_rhel | bool else "grubx64.efi" }}
/usr/sbin/efibootmgr -c -L '{{ os }}' -d "{{ install_drive }}" -p 1 block:
-l '\efi\EFI\{{ configuration_efi_vendor }}\shimx64.efi' - name: Install GRUB EFI binary
configuration_grub_cmd: >- when: not (is_rhel | bool)
/usr/sbin/grub-install --target=x86_64-efi ansible.builtin.command: >-
--efi-directory={{ configuration_efi_dir }} {{ chroot_command }} /usr/sbin/grub-install --target=x86_64-efi
--bootloader-id={{ configuration_bootloader_id }} --efi-directory={{ partitioning_efi_mountpoint }}
configuration_bootloader_cmd: >- --bootloader-id={{ _efi_vendor }}
{{ configuration_efibootmgr_cmd if configuration_use_efibootmgr else configuration_grub_cmd }} --no-nvram
ansible.builtin.command: "{{ chroot_command }} {{ configuration_bootloader_cmd }}"
register: configuration_bootloader_result register: configuration_bootloader_result
changed_when: configuration_bootloader_result.rc == 0 changed_when: configuration_bootloader_result.rc == 0
- name: Check existing EFI boot entries
ansible.builtin.command: efibootmgr
register: configuration_efi_entries
changed_when: false
- name: Ensure EFI boot entry exists
when: ('* ' + _efi_vendor) not in configuration_efi_entries.stdout
ansible.builtin.command: >-
efibootmgr -c
-L '{{ _efi_vendor }}'
-d '{{ install_drive }}'
-p 1
-l '\EFI\{{ _efi_vendor }}\{{ _efi_loader }}'
register: configuration_efi_entry_result
changed_when: configuration_efi_entry_result.rc == 0
- name: Ensure lvm2 for non btrfs filesystems - name: Ensure lvm2 for non btrfs filesystems
when: os == "archlinux" and system_cfg.filesystem != "btrfs" when: os == "archlinux" and system_cfg.filesystem != "btrfs"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
@@ -50,13 +63,11 @@
- name: Generate grub config - name: Generate grub config
vars: vars:
configuration_efi_vendor: >-
{{ "redhat" if os == "rhel" else os }}
configuration_grub_cfg_cmd: >- configuration_grub_cfg_cmd: >-
{{ {{
'/usr/sbin/grub2-mkconfig -o ' '/usr/sbin/grub2-mkconfig -o '
+ partitioning_efi_mountpoint + partitioning_efi_mountpoint
+ '/EFI/' + configuration_efi_vendor + '/grub.cfg' + '/EFI/' + _efi_vendor + '/grub.cfg'
if is_rhel | bool if is_rhel | bool
else '/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg' else '/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg'
}} }}

15
roles/configuration/tasks/encryption.yml
View File

@@ -1,6 +1,7 @@
--- ---
- name: Configure disk encryption - name: Configure disk encryption
when: system_cfg.luks.enabled | bool when: system_cfg.luks.enabled | bool
no_log: true
vars: vars:
configuration_luks_passphrase: >- configuration_luks_passphrase: >-
{{ system_cfg.luks.passphrase | string }} {{ system_cfg.luks.passphrase | string }}
@@ -35,7 +36,6 @@
configuration_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}" configuration_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"
configuration_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}" configuration_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
configuration_luks_keyfile_path: "/etc/cryptsetup-keys.d/{{ system_cfg.luks.mapper }}.key" configuration_luks_keyfile_path: "/etc/cryptsetup-keys.d/{{ system_cfg.luks.mapper }}.key"
changed_when: false
- name: Validate LUKS UUID is available - name: Validate LUKS UUID is available
ansible.builtin.assert: ansible.builtin.assert:
@@ -59,6 +59,14 @@
when: configuration_luks_auto_method == 'keyfile' when: configuration_luks_auto_method == 'keyfile'
ansible.builtin.include_tasks: encryption/keyfile.yml ansible.builtin.include_tasks: encryption/keyfile.yml
- name: Record final LUKS auto-decrypt method
ansible.builtin.set_fact:
configuration_luks_final_method: "{{ configuration_luks_auto_method }}"
- name: Report LUKS auto-decrypt configuration
ansible.builtin.debug:
msg: "LUKS auto-decrypt method: {{ configuration_luks_final_method }}"
- name: Build LUKS parameters - name: Build LUKS parameters
vars: vars:
luks_keyfile_in_use: "{{ configuration_luks_auto_method == 'keyfile' }}" luks_keyfile_in_use: "{{ configuration_luks_auto_method == 'keyfile' }}"
@@ -142,7 +150,7 @@
regexp: "^HOOKS=" regexp: "^HOOKS="
line: >- line: >-
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole
block sd-encrypt lvm2 filesystems fsck) block sd-encrypt{{ ' lvm2' if system_cfg.filesystem != 'btrfs' else '' }} filesystems fsck)
- name: Read mkinitcpio configuration - name: Read mkinitcpio configuration
when: os == 'archlinux' when: os == 'archlinux'
@@ -237,7 +245,6 @@
}} }}
ansible.builtin.set_fact: ansible.builtin.set_fact:
configuration_kernel_cmdline_new: "{{ kernel_cmdline_new }}" configuration_kernel_cmdline_new: "{{ kernel_cmdline_new }}"
changed_when: false
- name: Write kernel cmdline with LUKS args - name: Write kernel cmdline with LUKS args
when: is_rhel | bool when: is_rhel | bool
@@ -246,7 +253,7 @@
mode: "0644" mode: "0644"
content: "{{ configuration_kernel_cmdline_new }}\n" content: "{{ configuration_kernel_cmdline_new }}\n"
- name: Find BLS entries - name: Find BLS entries for encryption kernel cmdline
when: is_rhel | bool when: is_rhel | bool
ansible.builtin.find: ansible.builtin.find:
paths: /mnt/boot/loader/entries paths: /mnt/boot/loader/entries

7
roles/configuration/tasks/encryption/keyfile.yml
View File

@@ -104,6 +104,13 @@
failed_when: false failed_when: false
no_log: true no_log: true
- name: Warn about keyfile enrollment failure
when: (configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0
ansible.builtin.debug:
msg: >-
LUKS keyfile enrollment failed — falling back to manual unlock at boot.
The system will prompt for the LUKS passphrase during startup.
- name: Fallback to manual LUKS unlock if keyfile enrollment failed - name: Fallback to manual LUKS unlock if keyfile enrollment failed
when: (configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0 when: (configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0
ansible.builtin.set_fact: ansible.builtin.set_fact:

9
roles/configuration/tasks/encryption/tpm2.yml
View File

@@ -1,6 +1,7 @@
--- ---
- name: Enroll TPM2 for LUKS - name: Enroll TPM2 for LUKS
block: block:
# Tempfile in chroot /tmp — accessible by both chroot and host commands
- name: Create temporary passphrase file for TPM2 enrollment - name: Create temporary passphrase file for TPM2 enrollment
ansible.builtin.tempfile: ansible.builtin.tempfile:
path: /mnt/tmp path: /mnt/tmp
@@ -78,6 +79,13 @@
chroot stderr={{ configuration_luks_tpm2_enroll_chroot.stderr | default('') }}, chroot stderr={{ configuration_luks_tpm2_enroll_chroot.stderr | default('') }},
host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }} host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }}
rescue: rescue:
- name: Warn about TPM2 enrollment failure
ansible.builtin.fail:
msg: >-
WARNING: TPM2 enrollment failed — falling back to keyfile auto-decrypt.
The system will use a keyfile instead of TPM2 for automatic LUKS unlock.
ignore_errors: true
- name: Fallback to keyfile auto-decrypt - name: Fallback to keyfile auto-decrypt
ansible.builtin.set_fact: ansible.builtin.set_fact:
configuration_luks_auto_method: keyfile configuration_luks_auto_method: keyfile
@@ -87,4 +95,3 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ configuration_luks_tpm2_passphrase_tempfile.path }}" path: "{{ configuration_luks_tpm2_passphrase_tempfile.path }}"
state: absent state: absent
changed_when: false

35
roles/configuration/tasks/extras.yml
View File

@@ -9,9 +9,11 @@
set smartindent set smartindent
set mouse=a set mouse=a
insertafter: EOF insertafter: EOF
marker: "" marker: "# {mark} CUSTOM VIM CONFIG"
failed_when: false failed_when: false
# Tuned for VM workloads: low swappiness, aggressive writeback, large page-cluster
# for zram. Override post-bootstrap via the linux role or sysctl if needed.
- name: Add memory tuning parameters - name: Add memory tuning parameters
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: /mnt/etc/sysctl.d/90-memory.conf path: /mnt/etc/sysctl.d/90-memory.conf
@@ -22,7 +24,7 @@
vm.dirty_background_ratio=1 vm.dirty_background_ratio=1
vm.dirty_ratio=10 vm.dirty_ratio=10
vm.page-cluster=10 vm.page-cluster=10
marker: "" marker: "# {mark} MEMORY TUNING"
mode: "0644" mode: "0644"
- name: Create zram config - name: Create zram config
@@ -41,32 +43,7 @@
mode: "0644" mode: "0644"
- name: Copy Custom Shell config - name: Copy Custom Shell config
ansible.builtin.template: ansible.builtin.copy:
src: custom.sh.j2 src: custom.sh
dest: /mnt/etc/profile.d/custom.sh dest: /mnt/etc/profile.d/custom.sh
mode: "0644" mode: "0644"
- name: Create login banner
ansible.builtin.copy:
dest: "{{ item }}"
content: |
**************************************************************
* WARNING: Unauthorized access to this system is prohibited. *
* All activities are monitored and logged. *
* Disconnect immediately if you are not an authorized user. *
**************************************************************
owner: root
group: root
mode: "0644"
loop:
- /mnt/etc/issue
- /mnt/etc/issue.net
- name: Remove motd files
when: os == "rhel"
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /mnt/etc/motd.d/cockpit
- /mnt/etc/motd.d/insights-client

19
roles/configuration/tasks/fstab.yml
View File

@@ -23,8 +23,19 @@
regexp: "(xfs.*?)(attr2)" regexp: "(xfs.*?)(attr2)"
replace: "\\1allocsize=64m" replace: "\\1allocsize=64m"
- name: Remove RHEL ISO fstab entry when not using local repo
when:
- os == "rhel"
- system_cfg.features.rhel_repo.source != "iso"
ansible.builtin.lineinfile:
path: /mnt/etc/fstab
regexp: "^.*\\/dvd.*$"
state: absent
- name: Replace ISO UUID entry with /dev/sr0 in fstab - name: Replace ISO UUID entry with /dev/sr0 in fstab
when: os == "rhel" when:
- os == "rhel"
- system_cfg.features.rhel_repo.source == "iso"
vars: vars:
configuration_fstab_dvd_line: >- configuration_fstab_dvd_line: >-
{{ {{
@@ -39,7 +50,10 @@
state: present state: present
- name: Write image from RHEL ISO to the target machine - name: Write image from RHEL ISO to the target machine
when: os == "rhel" and hypervisor_type == 'vmware' when:
- os == "rhel"
- hypervisor_type == "vmware"
- system_cfg.features.rhel_repo.source == "iso"
ansible.builtin.command: ansible.builtin.command:
argv: argv:
- dd - dd
@@ -63,3 +77,4 @@
- { regexp: "^tmpfs\\s+/dev/shm\\s+", line: "tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0" } - { regexp: "^tmpfs\\s+/dev/shm\\s+", line: "tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0" }
loop_control: loop_control:
loop_var: fstab_entry loop_var: fstab_entry
label: "{{ fstab_entry.regexp }}"

5
roles/configuration/tasks/grub.yml
View File

@@ -10,6 +10,8 @@
line: GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3" line: GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3"
- regexp: ^GRUB_TIMEOUT= - regexp: ^GRUB_TIMEOUT=
line: GRUB_TIMEOUT=1 line: GRUB_TIMEOUT=1
loop_control:
label: "{{ item.line }}"
- name: Ensure grub defaults file exists for RHEL-based systems - name: Ensure grub defaults file exists for RHEL-based systems
when: is_rhel | bool when: is_rhel | bool
@@ -60,7 +62,6 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
configuration_grub_cmdline_linux_base: "{{ grub_cmdline_linux_base }}" configuration_grub_cmdline_linux_base: "{{ grub_cmdline_linux_base }}"
configuration_kernel_cmdline_base: "{{ grub_kernel_cmdline_base }}" configuration_kernel_cmdline_base: "{{ grub_kernel_cmdline_base }}"
changed_when: false
- name: Check if grub defaults file exists - name: Check if grub defaults file exists
ansible.builtin.stat: ansible.builtin.stat:
@@ -95,7 +96,7 @@
mode: "0644" mode: "0644"
content: "{{ configuration_kernel_cmdline_base }}\n" content: "{{ configuration_kernel_cmdline_base }}\n"
- name: Find BLS entries - name: Find BLS entries for GRUB configuration
ansible.builtin.find: ansible.builtin.find:
paths: /mnt/boot/loader/entries paths: /mnt/boot/loader/entries
patterns: "*.conf" patterns: "*.conf"

4
roles/configuration/tasks/locales.yml
View File

@@ -21,6 +21,8 @@
line: "{{ item.line }}" line: "{{ item.line }}"
loop: loop:
- { regex: "{{ system_cfg.locale }} UTF-8", line: "{{ system_cfg.locale }} UTF-8" } - { regex: "{{ system_cfg.locale }} UTF-8", line: "{{ system_cfg.locale }} UTF-8" }
loop_control:
label: "{{ item.line }}"
- name: Generate locales - name: Generate locales
when: not is_rhel | bool when: not is_rhel | bool
@@ -45,7 +47,7 @@
- name: Set hostname - name: Set hostname
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ configuration_hostname_fqdn }}" content: "{{ configuration_hostname_fqdn.split('.')[0] }}"
dest: /mnt/etc/hostname dest: /mnt/etc/hostname
mode: "0644" mode: "0644"

32
roles/configuration/tasks/main.yml
View File

@@ -1,19 +1,23 @@
--- ---
- name: Include configuration tasks - name: Include configuration tasks
ansible.builtin.include_tasks: "{{ configuration_task }}" when: configuration_task.when | default(true)
ansible.builtin.include_tasks: "{{ configuration_task.file }}"
loop: loop:
- banner.yml - file: banner.yml
- fstab.yml - file: fstab.yml
- locales.yml - file: locales.yml
- ssh.yml - file: ssh.yml
- services.yml - file: services.yml
- grub.yml - file: grub.yml
- encryption.yml - file: encryption.yml
- bootloader.yml when: "{{ system_cfg.luks.enabled | bool }}"
- extras.yml - file: bootloader.yml
- network.yml - file: extras.yml
- users.yml - file: network.yml
- sudo.yml - file: users.yml
- selinux.yml - file: sudo.yml
- file: selinux.yml
when: "{{ is_rhel | bool }}"
loop_control: loop_control:
loop_var: configuration_task loop_var: configuration_task
label: "{{ configuration_task.file }}"

89
roles/configuration/tasks/network.yml
View File

@@ -29,88 +29,9 @@
- configuration_detected_interfaces | length > 0 - configuration_detected_interfaces | length > 0
fail_msg: Failed to detect any network interfaces. fail_msg: Failed to detect any network interfaces.
- name: Configure NetworkManager profiles - name: Configure networking
when: os not in ["alpine", "void"]
block:
- name: Copy NetworkManager keyfile per interface
vars: vars:
configuration_iface: "{{ item }}" configuration_network_task_map:
configuration_iface_name: "{{ configuration_detected_interfaces[idx] | default('eth' ~ idx) }}" alpine: network_alpine.yml
configuration_net_uuid: "{{ ('LAN-' ~ idx ~ '-' ~ hostname) | ansible.builtin.to_uuid }}" void: network_void.yml
ansible.builtin.template: ansible.builtin.include_tasks: "{{ configuration_network_task_map[os] | default('network_nm.yml') }}"
src: network.j2
dest: "/mnt/etc/NetworkManager/system-connections/LAN-{{ idx }}.nmconnection"
mode: "0600"
loop: "{{ system_cfg.network.interfaces }}"
loop_control:
index_var: idx
label: "LAN-{{ idx }}"
- name: Fix Ubuntu unmanaged devices
when: os in ["ubuntu", "ubuntu-lts"]
ansible.builtin.file:
path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf
state: touch
mode: "0644"
- name: Configure Alpine networking
when: os == "alpine"
vars:
configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
block:
- name: Write Alpine network interfaces
ansible.builtin.copy:
dest: /mnt/etc/network/interfaces
mode: "0644"
content: |
auto lo
iface lo inet loopback
{% for iface in system_cfg.network.interfaces %}
{% set iface_name = configuration_detected_interfaces[loop.index0] | default(iface.name | default('eth' ~ loop.index0)) %}
{% set has_static = (iface.ip | default('') | string | length) > 0 %}
auto {{ iface_name }}
iface {{ iface_name }} inet {{ 'static' if has_static else 'dhcp' }}
{% if has_static %}
address {{ iface.ip }}/{{ iface.prefix }}
{% if iface.gateway | default('') | string | length %}
gateway {{ iface.gateway }}
{% endif %}
{% endif %}
{% endfor %}
- name: Set Alpine DNS resolvers
when: configuration_dns_list | length > 0
ansible.builtin.copy:
dest: /mnt/etc/resolv.conf
mode: "0644"
content: |
{% for resolver in configuration_dns_list %}
nameserver {{ resolver }}
{% endfor %}
- name: Configure Void networking
when: os == "void"
vars:
configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
block:
- name: Write dhcpcd configuration
ansible.builtin.copy:
dest: /mnt/etc/dhcpcd.conf
mode: "0644"
content: |
{% for iface in system_cfg.network.interfaces %}
{% set iface_name = configuration_detected_interfaces[loop.index0] | default(iface.name | default('eth' ~ loop.index0)) %}
{% set has_static = (iface.ip | default('') | string | length) > 0 %}
{% if has_static %}
interface {{ iface_name }}
static ip_address={{ iface.ip }}/{{ iface.prefix }}
{% if iface.gateway | default('') | string | length %}
static routers={{ iface.gateway }}
{% endif %}
{% if loop.index0 == 0 and configuration_dns_list | length > 0 %}
static domain_name_servers={{ configuration_dns_list | join(' ') }}
{% endif %}
{% endif %}
{% endfor %}

41
roles/configuration/tasks/network_alpine.yml Normal file
View File

@@ -0,0 +1,41 @@
---
- name: Write Alpine network interfaces
vars:
configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
ansible.builtin.copy:
dest: /mnt/etc/network/interfaces
mode: "0644"
content: |
auto lo
iface lo inet loopback
{% for iface in system_cfg.network.interfaces %}
{% set inv_name = iface.name | default('') | string %}
{% set det_name = configuration_detected_interfaces[loop.index0] | default('eth' ~ loop.index0) %}
{% set iface_name = inv_name if inv_name | length > 0 else det_name %}
{% set has_static = (iface.ip | default('') | string | length) > 0 %}
auto {{ iface_name }}
iface {{ iface_name }} inet {{ 'static' if has_static else 'dhcp' }}
{% if has_static %}
address {{ iface.ip }}/{{ iface.prefix }}
{% if iface.gateway | default('') | string | length %}
gateway {{ iface.gateway }}
{% endif %}
{% endif %}
{% endfor %}
- name: Set Alpine DNS resolvers
vars:
configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
configuration_dns_search: "{{ system_cfg.network.dns.search | default([]) }}"
when: configuration_dns_list | length > 0 or configuration_dns_search | length > 0
ansible.builtin.copy:
dest: /mnt/etc/resolv.conf
mode: "0644"
content: |
{% if configuration_dns_search | length > 0 %}
search {{ configuration_dns_search | join(' ') }}
{% endif %}
{% for resolver in configuration_dns_list %}
nameserver {{ resolver }}
{% endfor %}

21
roles/configuration/tasks/network_nm.yml Normal file
View File

@@ -0,0 +1,21 @@
---
- name: Copy NetworkManager keyfile per interface
vars:
configuration_iface: "{{ item }}"
configuration_iface_name: "{{ item.name | default(configuration_detected_interfaces[idx] | default('')) }}"
configuration_net_uuid: "{{ ('LAN-' ~ idx ~ '-' ~ hostname) | ansible.builtin.to_uuid }}"
ansible.builtin.template:
src: network.j2
dest: "/mnt/etc/NetworkManager/system-connections/LAN-{{ idx }}.nmconnection"
mode: "0600"
loop: "{{ system_cfg.network.interfaces }}"
loop_control:
index_var: idx
label: "LAN-{{ idx }}"
- name: Fix Ubuntu unmanaged devices
when: os in ["ubuntu", "ubuntu-lts"]
ansible.builtin.file:
path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf
state: touch
mode: "0644"

29
roles/configuration/tasks/network_void.yml Normal file
View File

@@ -0,0 +1,29 @@
---
- name: Write dhcpcd configuration
vars:
configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
configuration_dns_search: "{{ system_cfg.network.dns.search | default([]) }}"
ansible.builtin.copy:
dest: /mnt/etc/dhcpcd.conf
mode: "0644"
content: |
{% for iface in system_cfg.network.interfaces %}
{% set inv_name = iface.name | default('') | string %}
{% set det_name = configuration_detected_interfaces[loop.index0] | default('eth' ~ loop.index0) %}
{% set iface_name = inv_name if inv_name | length > 0 else det_name %}
{% set has_static = (iface.ip | default('') | string | length) > 0 %}
{% if has_static %}
interface {{ iface_name }}
static ip_address={{ iface.ip }}/{{ iface.prefix }}
{% if iface.gateway | default('') | string | length %}
static routers={{ iface.gateway }}
{% endif %}
{% if loop.index0 == 0 and configuration_dns_list | length > 0 %}
static domain_name_servers={{ configuration_dns_list | join(' ') }}
{% endif %}
{% if loop.index0 == 0 and configuration_dns_search | length > 0 %}
static domain_search={{ configuration_dns_search | join(' ') }}
{% endif %}
{% endif %}
{% endfor %}

2
roles/configuration/tasks/selinux.yml
View File

@@ -11,6 +11,8 @@
register: configuration_setfiles_result register: configuration_setfiles_result
changed_when: configuration_setfiles_result.rc == 0 changed_when: configuration_setfiles_result.rc == 0
# Fedora: setfiles segfaults during bootstrap chroot relabeling, so SELinux
# is left permissive and expected to relabel on first boot.
- name: Disable SELinux - name: Disable SELinux
when: os == "fedora" or not system_cfg.features.selinux.enabled | bool when: os == "fedora" or not system_cfg.features.selinux.enabled | bool
ansible.builtin.lineinfile: ansible.builtin.lineinfile:

31
roles/configuration/tasks/services.yml
View File

@@ -1,20 +1,19 @@
--- ---
- name: Enable Systemd Services - name: Enable systemd services
when: os not in ['alpine', 'void'] when: os not in ['alpine', 'void']
ansible.builtin.command: > vars:
{{ chroot_command }} systemctl enable NetworkManager configuration_systemd_services: >-
{{ ' firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}
{{ ' ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}
{{ {{
(' ssh' if is_debian | bool else ' sshd') ['NetworkManager']
if system_cfg.features.ssh.enabled | bool else '' + (['firewalld'] if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else [])
+ (['ufw'] if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else [])
+ ([('ssh' if is_debian | bool else 'sshd')] if system_cfg.features.ssh.enabled | bool else [])
+ (['logrotate', 'systemd-timesyncd'] if os == 'archlinux' else [])
}} }}
{{ ansible.builtin.command: "{{ chroot_command }} systemctl enable {{ item }}"
'logrotate systemd-resolved systemd-timesyncd systemd-networkd' loop: "{{ configuration_systemd_services }}"
if os == 'archlinux' else '' register: configuration_enable_service_result
}} changed_when: configuration_enable_service_result.rc == 0
register: configuration_enable_services_result
changed_when: configuration_enable_services_result.rc == 0
- name: Enable OpenRC services - name: Enable OpenRC services
when: os == 'alpine' when: os == 'alpine'
@@ -37,7 +36,6 @@
path: "/mnt/etc/init.d/{{ item }}" path: "/mnt/etc/init.d/{{ item }}"
loop: "{{ configuration_openrc_services }}" loop: "{{ configuration_openrc_services }}"
register: configuration_openrc_service_stats register: configuration_openrc_service_stats
changed_when: false
- name: Enable OpenRC services - name: Enable OpenRC services
ansible.builtin.file: ansible.builtin.file:
@@ -45,6 +43,8 @@
dest: "/mnt/etc/runlevels/default/{{ item.item }}" dest: "/mnt/etc/runlevels/default/{{ item.item }}"
state: link state: link
loop: "{{ configuration_openrc_service_stats.results }}" loop: "{{ configuration_openrc_service_stats.results }}"
loop_control:
label: "{{ item.item }}"
when: item.stat.exists when: item.stat.exists
- name: Enable runit services - name: Enable runit services
@@ -68,7 +68,6 @@
path: "/mnt/etc/sv/{{ item }}" path: "/mnt/etc/sv/{{ item }}"
loop: "{{ configuration_runit_services }}" loop: "{{ configuration_runit_services }}"
register: configuration_runit_service_stats register: configuration_runit_service_stats
changed_when: false
- name: Enable runit services - name: Enable runit services
ansible.builtin.file: ansible.builtin.file:
@@ -76,4 +75,6 @@
dest: "/mnt/var/service/{{ item.item }}" dest: "/mnt/var/service/{{ item.item }}"
state: link state: link
loop: "{{ configuration_runit_service_stats.results }}" loop: "{{ configuration_runit_service_stats.results }}"
loop_control:
label: "{{ item.item }}"
when: item.stat.exists when: item.stat.exists

2
roles/configuration/tasks/ssh.yml
View File

@@ -1,4 +1,6 @@
--- ---
# Bootstrap-only: permissive SSH for initial Ansible access.
# Post-bootstrap hardening (key-only, no root login) is handled by the linux role.
- name: Ensure SSH password authentication is enabled - name: Ensure SSH password authentication is enabled
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /mnt/etc/ssh/sshd_config path: /mnt/etc/ssh/sshd_config

7
roles/configuration/tasks/sudo.yml
View File

@@ -15,9 +15,12 @@
validate: /usr/sbin/visudo --check --file=%s validate: /usr/sbin/visudo --check --file=%s
- name: Deploy per-user sudoers rules - name: Deploy per-user sudoers rules
when: item.sudo is defined and (item.sudo | string | length) > 0 when: item.sudo | default(false)
vars:
configuration_sudoers_rule: >-
{{ item.sudo if item.sudo is string else 'ALL=(ALL) NOPASSWD: ALL' }}
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ item.name }} {{ item.sudo }}\n" content: "{{ item.name }} {{ configuration_sudoers_rule }}\n"
dest: "/mnt/etc/sudoers.d/{{ item.name }}" dest: "/mnt/etc/sudoers.d/{{ item.name }}"
mode: "0440" mode: "0440"
validate: /usr/sbin/visudo --check --file=%s validate: /usr/sbin/visudo --check --file=%s

29
roles/configuration/tasks/users.yml
View File

@@ -1,22 +1,30 @@
--- ---
- name: Set root password - name: Set root password
vars: ansible.builtin.shell: >-
configuration_root_cmd: >- set -o pipefail &&
{{ chroot_command }} /usr/sbin/usermod --password echo 'root:{{ system_cfg.root.password | password_hash("sha512") }}' | {{ chroot_command }} /usr/sbin/chpasswd -e
'{{ system_cfg.root.password | password_hash('sha512') }}' root --shell /bin/bash args:
ansible.builtin.command: "{{ configuration_root_cmd }}" executable: /bin/bash
register: configuration_root_result register: configuration_root_result
changed_when: configuration_root_result.rc == 0 changed_when: configuration_root_result.rc == 0
no_log: true
- name: Set root shell
ansible.builtin.command: >-
{{ chroot_command }} /usr/sbin/usermod --shell {{ system_cfg.root.shell | default('/bin/bash') }} root
register: configuration_root_shell_result
changed_when: configuration_root_shell_result.rc == 0
- name: Create user accounts - name: Create user accounts
vars: vars:
configuration_user_group: >- configuration_user_group: >-
{{ "sudo" if is_debian | bool else "wheel" }} {{ "sudo" if is_debian | bool else "wheel" }}
# UID starts at 1000; safe for fresh installs only
configuration_useradd_cmd: >- configuration_useradd_cmd: >-
{{ chroot_command }} /usr/sbin/useradd --create-home --user-group {{ chroot_command }} /usr/sbin/useradd --create-home --user-group
--uid {{ 1000 + ansible_loop.index0 }} --uid {{ 1000 + ansible_loop.index0 }}
--groups {{ configuration_user_group }} {{ item.name }} --groups {{ configuration_user_group }} {{ item.name }}
--password {{ item.password | password_hash('sha512') }} --shell /bin/bash --password {{ item.password | password_hash('sha512') }} --shell {{ item.shell | default('/bin/bash') }}
ansible.builtin.command: "{{ configuration_useradd_cmd }}" ansible.builtin.command: "{{ configuration_useradd_cmd }}"
loop: "{{ system_cfg.users }}" loop: "{{ system_cfg.users }}"
loop_control: loop_control:
@@ -24,9 +32,10 @@
label: "{{ item.name }}" label: "{{ item.name }}"
register: configuration_user_result register: configuration_user_result
changed_when: configuration_user_result.rc == 0 changed_when: configuration_user_result.rc == 0
no_log: true
- name: Ensure .ssh directory exists - name: Ensure .ssh directory exists
when: item.keys | default([]) | length > 0 when: item['keys'] | default([]) | length > 0
ansible.builtin.file: ansible.builtin.file:
path: "/mnt/home/{{ item.name }}/.ssh" path: "/mnt/home/{{ item.name }}/.ssh"
state: directory state: directory
@@ -40,12 +49,12 @@
- name: Add SSH public keys to authorized_keys - name: Add SSH public keys to authorized_keys
vars: vars:
_uid: "{{ 1000 + (system_cfg.users | map(attribute='name') | list).index(item.0.name) }}" configuration_uid: "{{ 1000 + (system_cfg.users | map(attribute='name') | list).index(item.0.name) }}"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "/mnt/home/{{ item.0.name }}/.ssh/authorized_keys" path: "/mnt/home/{{ item.0.name }}/.ssh/authorized_keys"
line: "{{ item.1 }}" line: "{{ item.1 }}"
owner: "{{ _uid }}" owner: "{{ configuration_uid }}"
group: "{{ _uid }}" group: "{{ configuration_uid }}"
mode: "0600" mode: "0600"
create: true create: true
loop: "{{ system_cfg.users | subelements('keys', skip_missing=True) }}" loop: "{{ system_cfg.users | subelements('keys', skip_missing=True) }}"

7
roles/configuration/templates/network.j2
View File

@@ -2,7 +2,10 @@
id=LAN-{{ idx }} id=LAN-{{ idx }}
uuid={{ configuration_net_uuid }} uuid={{ configuration_net_uuid }}
type=ethernet type=ethernet
autoconnect-priority=10
{% if configuration_iface_name | length > 0 %}
interface-name={{ configuration_iface_name }} interface-name={{ configuration_iface_name }}
{% endif %}
[ipv4] [ipv4]
{% set iface = configuration_iface %} {% set iface = configuration_iface %}
@@ -15,11 +18,11 @@ method=manual
method=auto method=auto
{% endif %} {% endif %}
{% if idx | int == 0 and dns_list %} {% if idx | int == 0 and dns_list %}
dns={{ dns_list | join(';') }} dns={{ dns_list | join(';') }};
ignore-auto-dns=true ignore-auto-dns=true
{% endif %} {% endif %}
{% if idx | int == 0 and search_list %} {% if idx | int == 0 and search_list %}
dns-search={{ search_list | join(';') }} dns-search={{ search_list | join(';') }};
{% endif %} {% endif %}
[ipv6] [ipv6]

64
roles/environment/tasks/_configure_network.yml Normal file
View File

@@ -0,0 +1,64 @@
---
- name: Select primary Network Interface
when: hypervisor_type == "vmware"
ansible.builtin.set_fact:
environment_interface_name: >-
{{
(
(ansible_facts.interfaces | default(ansible_facts['ansible_interfaces'] | default([])))
| reject('equalto', 'lo')
| list
| first
)
| default('')
}}
- name: Set IP-Address
when:
- hypervisor_type == "vmware"
- system_cfg.network.ip is defined and system_cfg.network.ip | string | length > 0
ansible.builtin.command: >-
ip addr replace {{ system_cfg.network.ip }}/{{ system_cfg.network.prefix }}
dev {{ environment_interface_name }}
register: environment_ip_result
changed_when: environment_ip_result.rc == 0
- name: Set Default Gateway
when:
- hypervisor_type == "vmware"
- system_cfg.network.gateway is defined and system_cfg.network.gateway | string | length > 0
- system_cfg.network.ip is defined and system_cfg.network.ip | string | length > 0
ansible.builtin.command: "ip route replace default via {{ system_cfg.network.gateway }}"
register: environment_gateway_result
changed_when: environment_gateway_result.rc == 0
- name: Synchronize clock via NTP
ansible.builtin.command: timedatectl set-ntp true
register: environment_ntp_result
changed_when: environment_ntp_result.rc == 0
- name: Configure SSH for root login
when: hypervisor_type == "vmware" and hypervisor_cfg.ssh | bool
block:
- name: Allow login
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
replace: "{{ item.replace }}"
loop:
- regexp: "^#?PermitEmptyPasswords.*"
replace: "PermitEmptyPasswords yes"
- regexp: "^#?PermitRootLogin.*"
replace: "PermitRootLogin yes"
loop_control:
label: "{{ item.replace }}"
- name: Reload SSH service to apply changes
ansible.builtin.service:
name: sshd
state: reloaded
- name: Set SSH connection for VMware
ansible.builtin.set_fact:
ansible_connection: ssh
ansible_user: root

76
roles/environment/tasks/_detect_live.yml Normal file
View File

@@ -0,0 +1,76 @@
---
- name: Wait for connection
ansible.builtin.wait_for_connection:
timeout: 180
delay: 5
- name: Gather facts
ansible.builtin.setup:
- name: Check for live environment markers
ansible.builtin.stat:
path: "{{ item }}"
loop:
- /run/archiso
- /run/live
- /run/initramfs
- /run/initramfs/live
register: environment_live_marker_stat
changed_when: false
- name: Determine root filesystem type
ansible.builtin.set_fact:
environment_root_fstype: >-
{{
ansible_mounts
| selectattr('mount', 'equalto', '/')
| map(attribute='fstype')
| list
| first
| default('')
| lower
}}
environment_archiso_present: >-
{{
(
environment_live_marker_stat.results
| selectattr('item', 'equalto', '/run/archiso')
| selectattr('stat.exists')
| list
| length
) > 0
}}
- name: Identify live environment indicators
ansible.builtin.set_fact:
environment_is_live_environment: >-
{{
(
environment_live_marker_stat.results
| selectattr('stat.exists')
| list
| length
) > 0
or environment_root_fstype in ['overlay', 'overlayfs', 'squashfs', 'aufs']
or (ansible_hostname | default('') | lower is search('live'))
}}
- name: Abort if target is not a live environment
ansible.builtin.assert:
that:
- environment_is_live_environment | bool
fail_msg: |
PRODUCTION SYSTEM DETECTED - ABORTING
The target system does not appear to be a live installer environment.
This playbook must run from a live ISO to avoid wiping production data.
Boot from a live installer (Arch, Debian, Ubuntu, etc.) and retry.
quiet: true
- name: Abort if the host is not booted from the Arch install media
when:
- not (custom_iso | bool)
- not environment_archiso_present | bool
ansible.builtin.fail:
msg: This host is not booted from the Arch install media!

102
roles/environment/tasks/_prepare_installer.yml Normal file
View File

@@ -0,0 +1,102 @@
---
- name: Speed-up Bootstrap process
when: not (custom_iso | bool)
ansible.builtin.lineinfile:
path: /etc/pacman.conf
regexp: ^#ParallelDownloads =
line: ParallelDownloads = 20
- name: Wait for pacman lock to be released
when: not (custom_iso | bool)
ansible.builtin.wait_for:
path: /var/lib/pacman/db.lck
state: absent
timeout: 120
changed_when: false
- name: Setup Pacman
when:
- not (custom_iso | bool)
- item.os is not defined or os in item.os
community.general.pacman:
update_cache: true
force: true
name: "{{ item.name }}"
state: latest
loop:
- { name: glibc }
- { name: dnf, os: [almalinux, fedora, rhel, rocky] }
- { name: debootstrap, os: [debian, ubuntu, ubuntu-lts] }
- { name: debian-archive-keyring, os: [debian] }
- { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] }
loop_control:
label: "{{ item.name }}"
retries: 4
delay: 15
- name: Prepare /iso mount and repository for RHEL-based systems
when: os == "rhel"
block:
- name: Create /iso directory
ansible.builtin.file:
path: /usr/local/install/redhat/dvd
state: directory
mode: "0755"
- name: Detect RHEL ISO device
ansible.builtin.command: lsblk -rno NAME,TYPE
register: environment_lsblk_result
changed_when: false
- name: Select RHEL ISO device
vars:
_rom_devices: >-
{{
environment_lsblk_result.stdout_lines
| map('split', ' ')
| selectattr('1', 'equalto', 'rom')
| map('first')
| map('regex_replace', '^', '/dev/')
| list
}}
ansible.builtin.set_fact:
environment_rhel_iso_device: >-
{{
_rom_devices[-1]
if _rom_devices | length > 1
else (_rom_devices[0] | default('/dev/sr1'))
}}
- name: Mount RHEL ISO
ansible.posix.mount:
src: "{{ environment_rhel_iso_device }}"
path: /usr/local/install/redhat/dvd
fstype: iso9660
opts: "ro,loop"
state: mounted
# Security note: RPM Sequoia signature policy is relaxed to allow
# bootstrapping RHEL-family distros from the Arch ISO, where the
# host rpm/dnf does not trust target distro GPG keys. Package
# integrity is verified by the target system's own rpm after reboot.
- name: Relax RPM Sequoia signature policy for RHEL bootstrap
when: is_rhel | bool
ansible.builtin.copy:
dest: /etc/rpm/macros
content: "%_pkgverify_level none\n"
mode: "0644"
- name: Configure RHEL Repos for installation
when: is_rhel | bool
block:
- name: Create directories for repository files and RPM GPG keys
ansible.builtin.file:
path: /etc/yum.repos.d
state: directory
mode: "0755"
- name: Create RHEL repository file
ansible.builtin.template:
src: "{{ os }}.repo.j2"
dest: /etc/yum.repos.d/{{ os }}.repo
mode: "0644"

27
roles/environment/tasks/_thirdparty.yml Normal file
View File

@@ -0,0 +1,27 @@
---
- name: Check for third-party preparation tasks
run_once: true
become: false
delegate_to: localhost
vars:
ansible_connection: local
block:
- name: Resolve third-party preparation task path
ansible.builtin.set_fact:
environment_thirdparty_tasks_path: >-
{{
thirdparty_tasks
if thirdparty_tasks | regex_search('^/')
else playbook_dir + '/' + thirdparty_tasks
}}
- name: Stat third-party preparation tasks
ansible.builtin.stat:
path: "{{ environment_thirdparty_tasks_path }}"
register: environment_thirdparty_tasks_stat
- name: Run third-party preparation tasks
when:
- thirdparty_tasks | length > 0
- environment_thirdparty_tasks_stat.stat.exists
ansible.builtin.include_tasks: "{{ environment_thirdparty_tasks_path }}"

247
roles/environment/tasks/main.yml
View File

@@ -2,249 +2,14 @@
- name: Configure work environment - name: Configure work environment
become: "{{ hypervisor_type != 'vmware' }}" become: "{{ hypervisor_type != 'vmware' }}"
block: block:
- name: Wait for connection - name: Detect and validate live environment
ansible.builtin.wait_for_connection: ansible.builtin.include_tasks: _detect_live.yml
timeout: 180
delay: 5
- name: Gather facts - name: Configure network and connectivity
ansible.builtin.setup: ansible.builtin.include_tasks: _configure_network.yml
- name: Check for live environment markers
ansible.builtin.stat:
path: "{{ item }}"
loop:
- /run/archiso
- /run/live
- /run/initramfs
- /run/initramfs/live
register: environment_live_marker_stat
changed_when: false
- name: Determine root filesystem type
ansible.builtin.set_fact:
environment_root_fstype: >-
{{
ansible_mounts
| selectattr('mount', 'equalto', '/')
| map(attribute='fstype')
| list
| first
| default('')
| lower
}}
environment_archiso_present: >-
{{
(
environment_live_marker_stat.results
| selectattr('item', 'equalto', '/run/archiso')
| selectattr('stat.exists')
| list
| length
) > 0
}}
changed_when: false
- name: Identify live environment indicators
ansible.builtin.set_fact:
environment_is_live_environment: >-
{{
(
environment_live_marker_stat.results
| selectattr('stat.exists')
| list
| length
) > 0
or environment_root_fstype in ['overlay', 'overlayfs', 'squashfs', 'aufs']
or (ansible_hostname | default('') | lower is search('live'))
}}
changed_when: false
- name: Abort if target is not a live environment
ansible.builtin.assert:
that:
- environment_is_live_environment | bool
fail_msg: |
PRODUCTION SYSTEM DETECTED - ABORTING
The target system does not appear to be a live installer environment.
This playbook must run from a live ISO to avoid wiping production data.
Boot from a live installer (Arch, Debian, Ubuntu, etc.) and retry.
quiet: true
- name: Abort if the host is not booted from the Arch install media
when:
- not (custom_iso | bool)
- not environment_archiso_present | bool
ansible.builtin.fail:
msg: This host is not booted from the Arch install media!
- name: Select primary Network Interface
when: hypervisor_type == "vmware"
ansible.builtin.set_fact:
environment_interface_name: >-
{{
(
(ansible_facts.interfaces | default(ansible_facts['ansible_interfaces'] | default([])))
| reject('equalto', 'lo')
| list
| first
)
| default('')
}}
changed_when: false
- name: Set IP-Address
when:
- hypervisor_type == "vmware"
- system_cfg.network.ip is defined and system_cfg.network.ip | string | length > 0
ansible.builtin.command: >-
ip addr replace {{ system_cfg.network.ip }}/{{ system_cfg.network.prefix }}
dev {{ environment_interface_name }}
register: environment_ip_result
changed_when: environment_ip_result.rc == 0
- name: Set Default Gateway
when:
- hypervisor_type == "vmware"
- system_cfg.network.gateway is defined and system_cfg.network.gateway | string | length > 0
- system_cfg.network.ip is defined and system_cfg.network.ip | string | length > 0
ansible.builtin.command: "ip route replace default via {{ system_cfg.network.gateway }}"
register: environment_gateway_result
changed_when: environment_gateway_result.rc == 0
- name: Synchronize clock via NTP
ansible.builtin.command: timedatectl set-ntp true
register: environment_ntp_result
changed_when: environment_ntp_result.rc == 0
- name: Configure SSH for root login
when: hypervisor_type == "vmware" and hypervisor_cfg.ssh | bool
block:
- name: Allow login
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
replace: "{{ item.replace }}"
loop:
- regexp: "^#?PermitEmptyPasswords.*"
replace: "PermitEmptyPasswords yes"
- regexp: "^#?PermitRootLogin.*"
replace: "PermitRootLogin yes"
- name: Reload SSH service to apply changes
ansible.builtin.service:
name: sshd
state: reloaded
- name: Set SSH connection for VMware
ansible.builtin.set_fact:
ansible_connection: ssh
ansible_user: root
- name: Prepare installer environment - name: Prepare installer environment
block: ansible.builtin.include_tasks: _prepare_installer.yml
- name: Speed-up Bootstrap process
when: not (custom_iso | bool)
ansible.builtin.lineinfile:
path: /etc/pacman.conf
regexp: ^#ParallelDownloads =
line: ParallelDownloads = 20
- name: Wait for pacman lock to be released
when: not (custom_iso | bool)
ansible.builtin.wait_for:
path: /var/lib/pacman/db.lck
state: absent
timeout: 120
changed_when: false
- name: Setup Pacman
when:
- not (custom_iso | bool)
- item.os is not defined or os in item.os
community.general.pacman:
update_cache: true
force: true
name: "{{ item.name }}"
state: latest
loop:
- { name: glibc }
- { name: dnf, os: [almalinux, fedora, rhel, rocky] }
- { name: debootstrap, os: [debian, ubuntu, ubuntu-lts] }
- { name: debian-archive-keyring, os: [debian] }
- { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] }
retries: 4
delay: 15
- name: Prepare /iso mount and repository for RHEL-based systems
when: os == "rhel"
block:
- name: Create /iso directory
ansible.builtin.file:
path: /usr/local/install/redhat/dvd
state: directory
mode: "0755"
- name: Select RHEL ISO device
ansible.builtin.set_fact:
environment_rhel_iso_device: >-
{{
'/dev/sr2'
if hypervisor_type == 'libvirt'
else '/dev/sr1'
}}
changed_when: false
- name: Mount RHEL ISO
ansible.posix.mount:
src: "{{ environment_rhel_iso_device }}"
path: /usr/local/install/redhat/dvd
fstype: iso9660
opts: "ro,loop"
state: mounted
- name: Configure RHEL Repos for installation
when: is_rhel | bool
block:
- name: Create directories for repository files and RPM GPG keys
ansible.builtin.file:
path: /etc/yum.repos.d
state: directory
mode: "0755"
- name: Create RHEL repository file
ansible.builtin.template:
src: "{{ os }}.repo.j2"
dest: /etc/yum.repos.d/{{ os }}.repo
mode: "0644"
- name: Check for third-party preparation tasks
run_once: true
become: false
delegate_to: localhost
vars:
ansible_connection: local
block:
- name: Resolve third-party preparation task path
ansible.builtin.set_fact:
environment_thirdparty_tasks_path: >-
{{
thirdparty_tasks
if thirdparty_tasks | regex_search('^/')
else playbook_dir + '/' + thirdparty_tasks
}}
changed_when: false
- name: Stat third-party preparation tasks
ansible.builtin.stat:
path: "{{ environment_thirdparty_tasks_path }}"
register: environment_thirdparty_tasks_stat
changed_when: false
- name: Run third-party preparation tasks - name: Run third-party preparation tasks
when: ansible.builtin.include_tasks: _thirdparty.yml
- thirdparty_tasks | length > 0
- environment_thirdparty_tasks_stat.stat.exists
ansible.builtin.include_tasks: "{{ environment_thirdparty_tasks_path }}"

8
templates/almalinux.repo.j2 → roles/environment/templates/almalinux.repo.j2
View File

@@ -1,4 +1,4 @@
[alma-appstream] [appstream]
name=AlmaLinux $releasever - AppStream name=AlmaLinux $releasever - AppStream
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/appstream mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/appstream
# baseurl=https://repo.almalinux.org/almalinux/$releasever/AppStream/$basearch/os/ # baseurl=https://repo.almalinux.org/almalinux/$releasever/AppStream/$basearch/os/
@@ -9,7 +9,7 @@ gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400 metadata_expire=86400
enabled_metadata=1 enabled_metadata=1
[alma-baseos] [baseos]
name=AlmaLinux $releasever - BaseOS name=AlmaLinux $releasever - BaseOS
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos
# baseurl=https://repo.almalinux.org/almalinux/$releasever/BaseOS/$basearch/os/ # baseurl=https://repo.almalinux.org/almalinux/$releasever/BaseOS/$basearch/os/
@@ -20,7 +20,7 @@ gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400 metadata_expire=86400
enabled_metadata=1 enabled_metadata=1
[alma-extras] [extras]
name=AlmaLinux $releasever - Extras name=AlmaLinux $releasever - Extras
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/extras mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/extras
# baseurl=https://repo.almalinux.org/almalinux/$releasever/extras/$basearch/os/ # baseurl=https://repo.almalinux.org/almalinux/$releasever/extras/$basearch/os/
@@ -31,7 +31,7 @@ gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400 metadata_expire=86400
enabled_metadata=0 enabled_metadata=0
[alma-highavailability] [highavailability]
name=AlmaLinux $releasever - HighAvailability name=AlmaLinux $releasever - HighAvailability
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/highavailability mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/highavailability
# baseurl=https://repo.almalinux.org/almalinux/$releasever/HighAvailability/$basearch/os/ # baseurl=https://repo.almalinux.org/almalinux/$releasever/HighAvailability/$basearch/os/

0
templates/fedora.repo.j2 → roles/environment/templates/fedora.repo.j2
View File

0
templates/rhel.repo.j2 → roles/environment/templates/rhel.repo.j2
View File

21
roles/environment/templates/rocky.repo.j2 Normal file
View File

@@ -0,0 +1,21 @@
[baseos]
name=Rocky Linux $releasever - BaseOS
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/os/
gpgcheck=1
enabled=1
countme=1
gpgkey=https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-$releasever
metadata_expire=86400
enabled_metadata=1
[appstream]
name=Rocky Linux $releasever - AppStream
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=AppStream-$releasever
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/AppStream/$basearch/os/
gpgcheck=1
enabled=1
countme=1
gpgkey=https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-$releasever
metadata_expire=86400
enabled_metadata=1

64
roles/global_defaults/defaults/main.yml
View File

@@ -1,4 +1,27 @@
--- ---
# OS family lists — single source of truth for platform detection and validation
os_family_rhel:
- almalinux
- fedora
- rhel
- rocky
os_family_debian:
- debian
- ubuntu
- ubuntu-lts
os_supported:
- almalinux
- alpine
- archlinux
- debian
- fedora
- opensuse
- rhel
- rocky
- ubuntu
- ubuntu-lts
- void
# User input. Normalized into hypervisor_cfg + hypervisor_type. # User input. Normalized into hypervisor_cfg + hypervisor_type.
hypervisor: hypervisor:
type: "none" type: "none"
@@ -21,7 +44,7 @@ system_defaults:
type: "virtual" # virtual|physical type: "virtual" # virtual|physical
os: "" os: ""
version: "" version: ""
filesystem: "" filesystem: "ext4"
name: "" name: ""
id: "" id: ""
cpus: 0 cpus: 0
@@ -83,9 +106,48 @@ system_defaults:
banner: banner:
motd: false motd: false
sudo: true sudo: true
rhel_repo:
source: "iso" # iso|satellite|none — how RHEL systems get packages post-install
url: "" # Satellite/custom repo URL when source=satellite
chroot: chroot:
tool: "arch-chroot" # arch-chroot|chroot|systemd-nspawn tool: "arch-chroot" # arch-chroot|chroot|systemd-nspawn
# Per-hypervisor required fields — drives data-driven validation.
# All virtual types additionally require network bridge or interfaces.
hypervisor_required_fields:
proxmox:
hypervisor: [url, username, password, host, storage]
system: [id]
vmware:
hypervisor: [url, username, password, datacenter, cluster, storage]
system: []
xen:
hypervisor: []
system: []
libvirt:
hypervisor: []
system: []
# Hypervisor-to-disk device prefix mapping for virtual machines.
# Physical installs must set system.disks[].device explicitly.
hypervisor_disk_device_map:
libvirt: "/dev/vd"
xen: "/dev/xvd"
proxmox: "/dev/sd"
vmware: "/dev/sd"
# Mountpoints managed by the partitioning role — forbidden for extra disks.
reserved_mounts:
- /boot
- /boot/efi
- /home
- /var
- /var/log
- /var/log/audit
# Drive letter sequence for disk device naming (max 26 disks).
disk_letter_map: "abcdefghijklmnopqrstuvwxyz"
system_disk_defaults: system_disk_defaults:
size: 0 size: 0
device: "" device: ""

100
roles/global_defaults/tasks/_normalize_disks.yml Normal file
View File

@@ -0,0 +1,100 @@
---
- name: Normalize system disks input
vars:
system_disks: "{{ system_cfg.disks | default([]) }}"
system_disk_letter_map: "{{ disk_letter_map }}"
system_disk_device_prefix: >-
{{
hypervisor_disk_device_map.get(hypervisor_type, '')
if system_cfg.type == 'virtual'
else ''
}}
block:
- name: Validate system disks structure
ansible.builtin.assert:
that:
- system_disks is sequence
- (system_disks | length) <= 26
fail_msg: "system.disks must be a list with at most 26 entries."
quiet: true
- name: Validate system disk entries
ansible.builtin.assert:
that:
- item is mapping
- item.mount is not defined or item.mount is mapping
fail_msg: "Each disk entry must be a dictionary, and disk.mount (if set) must be a dictionary."
quiet: true
loop: "{{ system_disks }}"
loop_control:
label: "{{ item | to_json }}"
- name: Initialize normalized disk list
ansible.builtin.set_fact:
system_disks_cfg: []
- name: Build normalized system disk configuration
vars:
disk_idx: "{{ ansible_loop.index0 }}"
disk_letter: "{{ system_disk_letter_map[disk_idx] }}"
disk_cfg_base: "{{ system_disk_defaults | combine(item, recursive=True) }}"
disk_mount: "{{ system_disk_defaults.mount | combine((disk_cfg_base.mount | default({})), recursive=True) }}"
disk_mount_path: "{{ (disk_mount.path | default('') | string) | trim }}"
disk_mount_fstype: >-
{{
disk_mount.fstype
if (disk_mount.fstype | default('') | string | length) > 0
else ('ext4' if disk_mount_path | length > 0 else '')
}}
disk_device: >-
{{
disk_cfg_base.device
if (disk_cfg_base.device | string | length) > 0
else (
(system_disk_device_prefix ~ disk_letter)
if system_cfg.type == 'virtual'
else ''
)
}}
disk_partition: >-
{{
disk_device ~ ('p1' if (disk_device | regex_search('\\d$')) else '1')
if disk_device | length > 0
else ''
}}
ansible.builtin.set_fact:
system_disks_cfg: >-
{{
system_disks_cfg + [
disk_cfg_base
| combine(
{
'device': disk_device,
'mount': {
'path': disk_mount_path,
'fstype': disk_mount_fstype,
'label': disk_mount.label | default('') | string,
'opts': disk_mount.opts | default('defaults') | string
},
'partition': disk_partition
},
recursive=True
)
]
}}
loop: "{{ system_disks }}"
loop_control:
loop_var: item
extended: true
label: "{{ item | to_json }}"
- name: Update system configuration with normalized disks
ansible.builtin.set_fact:
system_cfg: "{{ system_cfg | combine({'disks': system_disks_cfg}, recursive=True) }}"
- name: Set install_drive from primary disk
when:
- system_disks_cfg | length > 0
- system_disks_cfg[0].device | string | length > 0
ansible.builtin.set_fact:
install_drive: "{{ system_disks_cfg[0].device }}"

154
roles/global_defaults/tasks/_normalize_system.yml Normal file
View File

@@ -0,0 +1,154 @@
---
- name: Build normalized system configuration
vars:
system_raw: "{{ system_defaults | combine(system, recursive=True) }}"
system_type: "{{ system_raw.type | string | lower }}"
system_os_input: "{{ system_raw.os | default('') | string | lower }}"
system_name: >-
{{
system_raw.name | string | trim
if (system_raw.name | default('') | string | trim | length) > 0
else inventory_hostname
}}
ansible.builtin.set_fact:
system_cfg:
# --- Identity & platform ---
type: "{{ system_type }}"
os: "{{ system_os_input if system_os_input | length > 0 else ('archlinux' if system_type == 'physical' else '') }}"
version: "{{ system_raw.version | default('') | string }}"
filesystem: "{{ system_raw.filesystem | default('') | string | lower }}"
name: "{{ system_name }}"
id: "{{ system_raw.id | default('') | string }}"
# --- VM sizing (ignored for physical) ---
cpus: "{{ [system_raw.cpus | default(0) | int, 0] | max }}"
memory: "{{ [system_raw.memory | default(0) | int, 0] | max }}"
balloon: "{{ [system_raw.balloon | default(0) | int, 0] | max }}"
# --- Network ---
# Flat fields (bridge, ip, etc.) and interfaces[] are mutually exclusive.
# When interfaces[] is set, flat fields are populated from the first
# interface in the "Populate primary network fields" task below.
# When only flat fields are set, a synthetic interfaces[] entry is built.
network:
bridge: "{{ system_raw.network.bridge | default('') | string }}"
vlan: "{{ system_raw.network.vlan | default('') | string }}"
ip: "{{ system_raw.network.ip | default('') | string }}"
prefix: >-
{{
(system_raw.network.prefix | int | string)
if (system_raw.network.prefix | default('') | string | length) > 0
else ''
}}
gateway: "{{ system_raw.network.gateway | default('') | string }}"
dns:
servers: "{{ system_raw.network.dns.servers | default([]) }}"
search: "{{ system_raw.network.dns.search | default([]) }}"
interfaces: >-
{{
system_raw.network.interfaces
if (system_raw.network.interfaces | default([]) | length > 0)
else (
[{
'name': '',
'bridge': system_raw.network.bridge | default('') | string,
'vlan': system_raw.network.vlan | default('') | string,
'ip': system_raw.network.ip | default('') | string,
'prefix': (
(system_raw.network.prefix | int | string)
if (system_raw.network.prefix | default('') | string | length) > 0
else ''
),
'gateway': system_raw.network.gateway | default('') | string
}]
if (system_raw.network.bridge | default('') | string | length > 0)
else []
)
}}
# --- Locale & environment ---
timezone: "{{ system_raw.timezone | default('Europe/Vienna') | string }}"
locale: "{{ system_raw.locale | default('en_US.UTF-8') | string }}"
keymap: "{{ system_raw.keymap | default('us') | string }}"
path: "{{ system_raw.path | default('') | string }}"
packages: >-
{{
(
system_raw.packages
if system_raw.packages is iterable and system_raw.packages is not string
else (system_raw.packages | string).split(',')
)
| map('trim')
| reject('equalto', '')
| list
}}
# --- Storage & accounts ---
disks: "{{ system_raw.disks | default([]) }}"
users: "{{ system_raw.users | default([]) }}"
root:
password: "{{ system_raw.root.password | string }}"
# --- LUKS disk encryption ---
luks:
enabled: "{{ system_raw.luks.enabled | bool }}"
passphrase: "{{ system_raw.luks.passphrase | string }}"
mapper: "{{ system_raw.luks.mapper | string }}"
auto: "{{ system_raw.luks.auto | bool }}"
method: "{{ system_raw.luks.method | string | lower }}"
tpm2:
device: "{{ system_raw.luks.tpm2.device | string }}"
pcrs: "{{ system_raw.luks.tpm2.pcrs | string }}"
keysize: "{{ system_raw.luks.keysize | int }}"
options: "{{ system_raw.luks.options | string }}"
type: "{{ system_raw.luks.type | string }}"
cipher: "{{ system_raw.luks.cipher | string }}"
hash: "{{ system_raw.luks.hash | string }}"
iter: "{{ system_raw.luks.iter | int }}"
bits: "{{ system_raw.luks.bits | int }}"
pbkdf: "{{ system_raw.luks.pbkdf | string }}"
urandom: "{{ system_raw.luks.urandom | bool }}"
verify: "{{ system_raw.luks.verify | bool }}"
# --- Feature flags ---
features:
cis:
enabled: "{{ system_raw.features.cis.enabled | bool }}"
selinux:
enabled: "{{ system_raw.features.selinux.enabled | bool }}"
firewall:
enabled: "{{ system_raw.features.firewall.enabled | bool }}"
backend: "{{ system_raw.features.firewall.backend | string | lower }}"
toolkit: "{{ system_raw.features.firewall.toolkit | string | lower }}"
ssh:
enabled: "{{ system_raw.features.ssh.enabled | bool }}"
zstd:
enabled: "{{ system_raw.features.zstd.enabled | bool }}"
swap:
enabled: "{{ system_raw.features.swap.enabled | bool }}"
banner:
motd: "{{ system_raw.features.banner.motd | bool }}"
sudo: "{{ system_raw.features.banner.sudo | bool }}"
rhel_repo:
source: "{{ system_raw.features.rhel_repo.source | default('iso') | string | lower }}"
url: "{{ system_raw.features.rhel_repo.url | default('') | string }}"
chroot:
tool: "{{ system_raw.features.chroot.tool | string }}"
hostname: "{{ system_name }}"
os: "{{ system_os_input if system_os_input | length > 0 else ('archlinux' if system_type == 'physical' else '') }}"
os_version: "{{ system_raw.version | default('') | string }}"
no_log: true
- name: Populate primary network fields from first interface
when:
- system_cfg.network.interfaces | length > 0
- system_cfg.network.bridge | default('') | string | length == 0
vars:
_primary: "{{ system_cfg.network.interfaces[0] }}"
ansible.builtin.set_fact:
system_cfg: >-
{{
system_cfg | combine({
'network': system_cfg.network | combine({
'bridge': _primary.bridge | default(''),
'vlan': _primary.vlan | default(''),
'ip': _primary.ip | default(''),
'prefix': _primary.prefix | default(''),
'gateway': _primary.gateway | default('')
})
}, recursive=True)
}}

57
roles/global_defaults/tasks/_validate_input.yml Normal file
View File

@@ -0,0 +1,57 @@
---
- name: Ensure system input is a dictionary
ansible.builtin.set_fact:
system: "{{ system | default({}) }}"
- name: Validate system input types
ansible.builtin.assert:
that:
- system is mapping
- system.network is not defined or system.network is mapping
- system.users is not defined or (system.users is iterable and system.users is not string and system.users is not mapping)
- system.root is not defined or system.root is mapping
- system.luks is not defined or system.luks is mapping
- system.features is not defined or system.features is mapping
fail_msg: "system and its nested keys (network, root, luks, features) must be dictionaries; system.users must be a list."
quiet: true
- name: Validate DNS lists (not strings)
when: system.network is defined and system.network.dns is defined
ansible.builtin.assert:
that:
- system.network.dns.servers is not defined or (system.network.dns.servers is iterable and system.network.dns.servers is not string)
- system.network.dns.search is not defined or (system.network.dns.search is iterable and system.network.dns.search is not string)
fail_msg: "system.network.dns.servers and system.network.dns.search must be lists, not strings."
quiet: true
- name: Validate system.users entries
when: system.users is defined and system.users | length > 0
ansible.builtin.assert:
that:
- item is mapping
- item.name is defined and (item.name | string | length) > 0
- item['keys'] is not defined or (item['keys'] is iterable and item['keys'] is not string)
fail_msg: "Each system.users[] entry must be a dict with 'name'; 'keys' must be a list."
quiet: true
loop: "{{ system.users }}"
loop_control:
label: "{{ item.name | default('(unnamed)') }}"
- name: Validate system features input types
when: system.features is defined
loop: "{{ system_defaults.features | dict2items | map(attribute='key') | list }}"
loop_control:
label: "system.features.{{ item }}"
ansible.builtin.assert:
that:
- (system.features[item] | default({})) is mapping
fail_msg: "system.features.{{ item }} must be a dictionary."
quiet: true
- name: Validate system LUKS TPM2 input type
when: system.luks is defined and system.luks is mapping
ansible.builtin.assert:
that:
- system.luks.tpm2 is not defined or system.luks.tpm2 is mapping
fail_msg: "system.luks.tpm2 must be a dictionary."
quiet: true

6
roles/global_defaults/tasks/hypervisor.yml
View File

@@ -1,4 +1,7 @@
--- ---
- name: Normalize hypervisor configuration
when: hypervisor_cfg is not defined
block:
- name: Ensure hypervisor input is a dictionary - name: Ensure hypervisor input is a dictionary
ansible.builtin.set_fact: ansible.builtin.set_fact:
hypervisor: "{{ hypervisor | default({}) }}" hypervisor: "{{ hypervisor | default({}) }}"
@@ -12,9 +15,10 @@
fail_msg: "hypervisor must be a dictionary and hypervisor.type must be set (e.g. libvirt|proxmox|vmware|xen|none)." fail_msg: "hypervisor must be a dictionary and hypervisor.type must be set (e.g. libvirt|proxmox|vmware|xen|none)."
quiet: true quiet: true
- name: Normalize hypervisor configuration - name: Merge hypervisor defaults with input
vars: vars:
merged: "{{ hypervisor_defaults | combine(hypervisor, recursive=True) }}" merged: "{{ hypervisor_defaults | combine(hypervisor, recursive=True) }}"
ansible.builtin.set_fact: ansible.builtin.set_fact:
hypervisor_cfg: "{{ merged }}" hypervisor_cfg: "{{ merged }}"
hypervisor_type: "{{ merged.type | string | lower }}" hypervisor_type: "{{ merged.type | string | lower }}"
no_log: true

9
roles/global_defaults/tasks/main.yml
View File

@@ -1,4 +1,8 @@
--- ---
# Centralized normalization — all input dicts (system, hypervisor, disks)
# are normalized here into system_cfg, hypervisor_cfg, etc.
# Downstream roles consume these computed facts directly and do NOT need
# per-role _normalize.yml (except CIS, which has its own input dict).
- name: Global defaults loaded - name: Global defaults loaded
ansible.builtin.debug: ansible.builtin.debug:
msg: Global defaults loaded. msg: Global defaults loaded.
@@ -14,8 +18,8 @@
- name: Set OS family flags - name: Set OS family flags
ansible.builtin.set_fact: ansible.builtin.set_fact:
is_rhel: "{{ os in ['almalinux', 'fedora', 'rhel', 'rocky'] }}" is_rhel: "{{ os in os_family_rhel }}"
is_debian: "{{ os in ['debian', 'ubuntu', 'ubuntu-lts'] }}" is_debian: "{{ os in os_family_debian }}"
- name: Normalize OS version for keying - name: Normalize OS version for keying
when: when:
@@ -49,6 +53,7 @@
ansible_password: "{{ system_cfg.users[0].password }}" ansible_password: "{{ system_cfg.users[0].password }}"
ansible_become_password: "{{ system_cfg.users[0].password }}" ansible_become_password: "{{ system_cfg.users[0].password }}"
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
no_log: true
- name: Set connection for VMware - name: Set connection for VMware
when: hypervisor_type == "vmware" when: hypervisor_type == "vmware"

324
roles/global_defaults/tasks/system.yml
View File

@@ -1,297 +1,45 @@
--- ---
- name: Ensure system input is a dictionary # Two code paths:
ansible.builtin.set_fact: # 1. Fresh run (system_cfg undefined): normalize from raw `system` input.
system: "{{ system | default({}) }}" # 2. Pre-computed (system_cfg already set, e.g. from main project's deploy_iac):
# merge with bootstrap system_defaults to fill missing fields (luks, features,
- name: Validate system input types # etc.) that bootstrap expects but the main project doesn't set, then derive
ansible.builtin.assert: # convenience facts (hostname, os, os_version).
that: - name: Normalize system and disk configuration
- system is mapping when: system_cfg is not defined
- system.network is not defined or system.network is mapping
- system.users is not defined or (system.users is iterable and system.users is not string and system.users is not mapping)
- system.root is not defined or system.root is mapping
- system.luks is not defined or system.luks is mapping
- system.features is not defined or system.features is mapping
fail_msg: "system and its nested keys (network, root, luks, features) must be dictionaries; system.users must be a list."
quiet: true
- name: Validate DNS lists (not strings)
when: system.network is defined and system.network.dns is defined
ansible.builtin.assert:
that:
- system.network.dns.servers is not defined or (system.network.dns.servers is iterable and system.network.dns.servers is not string)
- system.network.dns.search is not defined or (system.network.dns.search is iterable and system.network.dns.search is not string)
fail_msg: "system.network.dns.servers and system.network.dns.search must be lists, not strings."
quiet: true
- name: Validate system.users entries
when: system.users is defined and system.users | length > 0
ansible.builtin.assert:
that:
- item is mapping
- item.name is defined and (item.name | string | length) > 0
- item.keys is not defined or (item.keys is iterable and item.keys is not string)
fail_msg: "Each system.users[] entry must be a dict with 'name'; 'keys' must be a list."
quiet: true
loop: "{{ system.users }}"
loop_control:
label: "{{ item.name | default('(unnamed)') }}"
- name: Validate system features input types
when: system.features is defined
loop: "{{ system_defaults.features | dict2items | map(attribute='key') | list }}"
loop_control:
label: "system.features.{{ item }}"
ansible.builtin.assert:
that:
- (system.features[item] | default({})) is mapping
fail_msg: "system.features.{{ item }} must be a dictionary."
quiet: true
- name: Validate system LUKS TPM2 input type
when: system.luks is defined and system.luks is mapping
ansible.builtin.assert:
that:
- system.luks.tpm2 is not defined or system.luks.tpm2 is mapping
fail_msg: "system.luks.tpm2 must be a dictionary."
quiet: true
- name: Build normalized system configuration
vars:
system_raw: "{{ system_defaults | combine(system, recursive=True) }}"
system_type: "{{ system_raw.type | string | lower }}"
system_os_input: "{{ system_raw.os | default('') | string | lower }}"
system_name: >-
{{
system_raw.name | string | trim
if (system_raw.name | default('') | string | trim | length) > 0
else inventory_hostname
}}
ansible.builtin.set_fact:
system_cfg:
type: "{{ system_type }}"
os: "{{ system_os_input if system_os_input | length > 0 else ('archlinux' if system_type == 'physical' else '') }}"
version: "{{ system_raw.version | default('') | string }}"
filesystem: "{{ system_raw.filesystem | default('') | string | lower }}"
name: "{{ system_name }}"
id: "{{ system_raw.id | default('') | string }}"
cpus: "{{ [system_raw.cpus | default(0) | int, 0] | max }}"
memory: "{{ [system_raw.memory | default(0) | int, 0] | max }}"
balloon: "{{ [system_raw.balloon | default(0) | int, 0] | max }}"
network:
bridge: "{{ system_raw.network.bridge | default('') | string }}"
vlan: "{{ system_raw.network.vlan | default('') | string }}"
ip: "{{ system_raw.network.ip | default('') | string }}"
prefix: >-
{{
(system_raw.network.prefix | int)
if (system_raw.network.prefix | default('') | string | length) > 0
else ''
}}
gateway: "{{ system_raw.network.gateway | default('') | string }}"
dns:
servers: "{{ system_raw.network.dns.servers | default([]) }}"
search: "{{ system_raw.network.dns.search | default([]) }}"
interfaces: >-
{{
system_raw.network.interfaces
if (system_raw.network.interfaces | default([]) | length > 0)
else (
[{
'name': 'eth0',
'bridge': system_raw.network.bridge | default('') | string,
'vlan': system_raw.network.vlan | default('') | string,
'ip': system_raw.network.ip | default('') | string,
'prefix': (
(system_raw.network.prefix | int | string)
if (system_raw.network.prefix | default('') | string | length) > 0
else ''
),
'gateway': system_raw.network.gateway | default('') | string
}]
if (system_raw.network.bridge | default('') | string | length > 0)
else []
)
}}
timezone: "{{ system_raw.timezone | default('Europe/Vienna') | string }}"
locale: "{{ system_raw.locale | default('en_US.UTF-8') | string }}"
keymap: "{{ system_raw.keymap | default('us') | string }}"
path: "{{ system_raw.path | default('') | string }}"
packages: >-
{{
(
system_raw.packages
if system_raw.packages is iterable and system_raw.packages is not string
else (system_raw.packages | string).split(',')
)
| map('trim')
| reject('equalto', '')
| list
}}
disks: "{{ system_raw.disks | default([]) }}"
users: "{{ system_raw.users | default([]) }}"
root:
password: "{{ system_raw.root.password | string }}"
luks:
enabled: "{{ system_raw.luks.enabled | bool }}"
passphrase: "{{ system_raw.luks.passphrase | string }}"
mapper: "{{ system_raw.luks.mapper | string }}"
auto: "{{ system_raw.luks.auto | bool }}"
method: "{{ system_raw.luks.method | string | lower }}"
tpm2:
device: "{{ system_raw.luks.tpm2.device | string }}"
pcrs: "{{ system_raw.luks.tpm2.pcrs | string }}"
keysize: "{{ system_raw.luks.keysize | int }}"
options: "{{ system_raw.luks.options | string }}"
type: "{{ system_raw.luks.type | string }}"
cipher: "{{ system_raw.luks.cipher | string }}"
hash: "{{ system_raw.luks.hash | string }}"
iter: "{{ system_raw.luks.iter | int }}"
bits: "{{ system_raw.luks.bits | int }}"
pbkdf: "{{ system_raw.luks.pbkdf | string }}"
urandom: "{{ system_raw.luks.urandom | bool }}"
verify: "{{ system_raw.luks.verify | bool }}"
features:
cis:
enabled: "{{ system_raw.features.cis.enabled | bool }}"
selinux:
enabled: "{{ system_raw.features.selinux.enabled | bool }}"
firewall:
enabled: "{{ system_raw.features.firewall.enabled | bool }}"
backend: "{{ system_raw.features.firewall.backend | string | lower }}"
toolkit: "{{ system_raw.features.firewall.toolkit | string | lower }}"
ssh:
enabled: "{{ system_raw.features.ssh.enabled | bool }}"
zstd:
enabled: "{{ system_raw.features.zstd.enabled | bool }}"
swap:
enabled: "{{ system_raw.features.swap.enabled | bool }}"
banner:
motd: "{{ system_raw.features.banner.motd | bool }}"
sudo: "{{ system_raw.features.banner.sudo | bool }}"
chroot:
tool: "{{ system_raw.features.chroot.tool | string }}"
hostname: "{{ system_name }}"
os: "{{ system_os_input if system_os_input | length > 0 else ('archlinux' if system_type == 'physical' else '') }}"
os_version: "{{ system_raw.version | default('') | string }}"
- name: Populate primary network fields from first interface
when:
- system_cfg.network.interfaces | length > 0
- system_cfg.network.bridge | default('') | string | length == 0
vars:
_primary: "{{ system_cfg.network.interfaces[0] }}"
ansible.builtin.set_fact:
system_cfg: >-
{{
system_cfg | combine({
'network': system_cfg.network | combine({
'bridge': _primary.bridge | default(''),
'vlan': _primary.vlan | default(''),
'ip': _primary.ip | default(''),
'prefix': _primary.prefix | default(''),
'gateway': _primary.gateway | default('')
})
}, recursive=True)
}}
- name: Normalize system disks input
vars:
system_disks: "{{ system_cfg.disks | default([]) }}"
system_disk_letter_map: "abcdefghijklmnopqrstuvwxyz"
system_disk_device_prefix: >-
{{
{'libvirt': '/dev/vd', 'xen': '/dev/xvd', 'proxmox': '/dev/sd', 'vmware': '/dev/sd'}.get(hypervisor_type, '')
if system_cfg.type == 'virtual'
else ''
}}
block: block:
- name: Validate system disks structure - name: Validate raw system input types
ansible.builtin.assert: ansible.builtin.include_tasks: _validate_input.yml
that:
- system_disks is sequence
- (system_disks | length) <= 26
fail_msg: "system.disks must be a list with at most 26 entries."
quiet: true
- name: Validate system disk entries - name: Normalize system configuration
ansible.builtin.assert: ansible.builtin.include_tasks: _normalize_system.yml
that:
- item is mapping
- item.mount is not defined or item.mount is mapping
fail_msg: "Each disk entry must be a dictionary, and disk.mount (if set) must be a dictionary."
quiet: true
loop: "{{ system_disks }}"
loop_control:
label: "{{ item | to_json }}"
- name: Initialize normalized disk list - name: Normalize disk configuration
ansible.builtin.include_tasks: _normalize_disks.yml
- name: Check if pre-computed system_cfg needs enrichment
when: system_cfg is defined
ansible.builtin.set_fact: ansible.builtin.set_fact:
system_disks_cfg: [] _bootstrap_needs_enrichment: "{{ hostname is not defined }}"
- name: Build normalized system disk configuration - name: Merge pre-computed system_cfg with bootstrap system_defaults
vars:
disk_idx: "{{ ansible_loop.index0 }}"
disk_letter: "{{ system_disk_letter_map[disk_idx] }}"
disk_cfg_base: "{{ system_disk_defaults | combine(item, recursive=True) }}"
disk_mount: "{{ system_disk_defaults.mount | combine((disk_cfg_base.mount | default({})), recursive=True) }}"
disk_mount_path: "{{ (disk_mount.path | default('') | string) | trim }}"
disk_mount_fstype: >-
{{
disk_mount.fstype
if (disk_mount.fstype | default('') | string | length) > 0
else ('ext4' if disk_mount_path | length > 0 else '')
}}
disk_device: >-
{{
disk_cfg_base.device
if (disk_cfg_base.device | string | length) > 0
else (
(system_disk_device_prefix ~ disk_letter)
if system_cfg.type == 'virtual'
else ''
)
}}
disk_partition: >-
{{
disk_device ~ ('p1' if (disk_device | regex_search('\\d$')) else '1')
if disk_device | length > 0
else ''
}}
ansible.builtin.set_fact:
system_disks_cfg: >-
{{
system_disks_cfg + [
disk_cfg_base
| combine(
{
'device': disk_device,
'mount': {
'path': disk_mount_path,
'fstype': disk_mount_fstype,
'label': disk_mount.label | default('') | string,
'opts': disk_mount.opts | default('defaults') | string
},
'partition': disk_partition
},
recursive=True
)
]
}}
loop: "{{ system_disks }}"
loop_control:
loop_var: item
extended: true
label: "{{ item | to_json }}"
- name: Update system configuration with normalized disks
ansible.builtin.set_fact:
system_cfg: "{{ system_cfg | combine({'disks': system_disks_cfg}, recursive=True) }}"
- name: Set install_drive from primary disk
when: when:
- system_disks_cfg | length > 0 - system_cfg is defined
- system_disks_cfg[0].device | string | length > 0 - _bootstrap_needs_enrichment | default(false) | bool
ansible.builtin.set_fact: ansible.builtin.set_fact:
install_drive: "{{ system_disks_cfg[0].device }}" system_cfg: "{{ system_defaults | combine(system | default({}), recursive=True) | combine(system_cfg, recursive=True) }}"
- name: Derive convenience facts from pre-computed system_cfg
when:
- system_cfg is defined
- _bootstrap_needs_enrichment | default(false) | bool
ansible.builtin.set_fact:
hostname: "{{ system_cfg.name | default(inventory_hostname) }}"
os: "{{ system_cfg.os | default('') }}"
os_version: "{{ system_cfg.version | default('') | string }}"
- name: Normalize disk configuration (pre-computed system_cfg)
when:
- system_cfg is defined
- install_drive is not defined
ansible.builtin.include_tasks: _normalize_disks.yml

131
roles/global_defaults/tasks/validation.yml
View File

@@ -114,7 +114,7 @@
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- os is defined - os is defined
- os in ["almalinux", "alpine", "archlinux", "debian", "fedora", "opensuse", "rhel", "rocky", "ubuntu", "ubuntu-lts", "void"] - os in os_supported
- >- - >-
os not in ["debian", "fedora", "rocky", "almalinux", "rhel"] os not in ["debian", "fedora", "rocky", "almalinux", "rhel"]
or (os_version is defined and (os_version | string | length) > 0) or (os_version is defined and (os_version | string | length) > 0)
@@ -123,7 +123,7 @@
or ( or (
os == "debian" and (os_version | string) in ["10", "11", "12", "13", "unstable"] os == "debian" and (os_version | string) in ["10", "11", "12", "13", "unstable"]
) or ( ) or (
os == "fedora" and (os_version | string) in ["40", "41", "42", "43"] os == "fedora" and (os_version | int) >= 38 and (os_version | int) <= 45
) or ( ) or (
os in ["rocky", "almalinux"] os in ["rocky", "almalinux"]
and (os_version | string) is match("^(8|9|10)(\\.\\d+)?$") and (os_version | string) is match("^(8|9|10)(\\.\\d+)?$")
@@ -131,7 +131,16 @@
os == "rhel" os == "rhel"
and (os_version | string) is match("^(8|9|10)(\\.\\d+)?$") and (os_version | string) is match("^(8|9|10)(\\.\\d+)?$")
) or ( ) or (
os in ["alpine", "archlinux", "opensuse", "ubuntu", "ubuntu-lts", "void"] os == "ubuntu"
and (os_version | string) is match("^(2[0-9])\\.04$")
) or (
os == "ubuntu-lts"
and (os_version | string) is match("^(2[0-9])\\.04$")
) or (
os in ["ubuntu", "ubuntu-lts"]
and (os_version | default('') | string | length) == 0
) or (
os in ["alpine", "archlinux", "opensuse", "void"]
) )
fail_msg: "Invalid os/version specified. Please check README.md for supported values." fail_msg: "Invalid os/version specified. Please check README.md for supported values."
quiet: true quiet: true
@@ -143,56 +152,43 @@
fail_msg: "rhel_iso is required when os=rhel." fail_msg: "rhel_iso is required when os=rhel."
quiet: true quiet: true
- name: Validate Proxmox hypervisor inputs - name: Validate hypervisor-specific required fields
when: when:
- system_cfg.type == "virtual" - system_cfg.type == "virtual"
- hypervisor_type == "proxmox" - hypervisor_type in hypervisor_required_fields
ansible.builtin.assert:
that:
- (hypervisor_cfg[item] | default('') | string | length) > 0
fail_msg: "Missing required {{ hypervisor_type }} field: hypervisor.{{ item }}"
quiet: true
loop: "{{ hypervisor_required_fields[hypervisor_type].hypervisor | default([]) }}"
loop_control:
label: "hypervisor.{{ item }}"
no_log: true
- name: Validate hypervisor-specific required system fields
when:
- system_cfg.type == "virtual"
- hypervisor_type in hypervisor_required_fields
ansible.builtin.assert:
that:
- (system_cfg[item] | default('') | string | length) > 0
fail_msg: "Missing required {{ hypervisor_type }} field: system.{{ item }}"
quiet: true
loop: "{{ hypervisor_required_fields[hypervisor_type].system | default([]) }}"
loop_control:
label: "system.{{ item }}"
- name: Validate virtual machine network requirement
when: system_cfg.type == "virtual"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- hypervisor_cfg.url | string | length > 0
- hypervisor_cfg.username | string | length > 0
- hypervisor_cfg.password | string | length > 0
- hypervisor_cfg.host | string | length > 0
- hypervisor_cfg.storage | string | length > 0
- system_cfg.id | string | length > 0
- >- - >-
(system_cfg.network.bridge | default('') | string | length > 0) (system_cfg.network.bridge | default('') | string | length > 0)
or (system_cfg.network.interfaces | default([]) | length > 0) or (system_cfg.network.interfaces | default([]) | length > 0)
fail_msg: >- fail_msg: >-
Missing required Proxmox inputs. Define hypervisor.(url,username,password,host,storage), Missing required {{ hypervisor_type }} network configuration.
system.id, and system.network.bridge (or system.network.interfaces[]). Define system.network.bridge (or system.network.interfaces[]).
quiet: true
- name: Validate VMware hypervisor inputs
when:
- system_cfg.type == "virtual"
- hypervisor_type == "vmware"
ansible.builtin.assert:
that:
- hypervisor_cfg.url | string | length > 0
- hypervisor_cfg.username | string | length > 0
- hypervisor_cfg.password | string | length > 0
- hypervisor_cfg.datacenter | string | length > 0
- hypervisor_cfg.cluster | string | length > 0
- hypervisor_cfg.storage | string | length > 0
- >-
(system_cfg.network.bridge | default('') | string | length > 0)
or (system_cfg.network.interfaces | default([]) | length > 0)
fail_msg: >-
Missing required VMware inputs. Define hypervisor.(url,username,password,datacenter,cluster,storage)
and system.network.bridge (or system.network.interfaces[]).
quiet: true
- name: Validate Xen hypervisor inputs
when:
- system_cfg.type == "virtual"
- hypervisor_type == "xen"
ansible.builtin.assert:
that:
- >-
(system_cfg.network.bridge | default('') | string | length > 0)
or (system_cfg.network.interfaces | default([]) | length > 0)
fail_msg: "Missing required Xen inputs. Define system.network.bridge (or system.network.interfaces[])."
quiet: true quiet: true
- name: Validate virtual installer ISO requirement - name: Validate virtual installer ISO requirement
@@ -227,6 +223,8 @@
- system_cfg.disks is defined and (system_cfg.disks | length) > 0 - system_cfg.disks is defined and (system_cfg.disks | length) > 0
- (system_cfg.disks[0].size | float) > 0 - (system_cfg.disks[0].size | float) > 0
- (system_cfg.disks[0].size | float) >= 20 - (system_cfg.disks[0].size | float) >= 20
# Btrfs minimum disk: swap_size + 5.5 GiB overhead (subvolumes + metadata).
# Swap sizing: memory < 16 GiB → max(memory_GiB, 2); memory >= 16 GiB → memory/2.
- >- - >-
system_cfg.filesystem != "btrfs" system_cfg.filesystem != "btrfs"
or ( or (
@@ -236,7 +234,7 @@
(system_cfg.memory | float / 1024 >= 16.0) (system_cfg.memory | float / 1024 >= 16.0)
| ternary( | ternary(
(system_cfg.memory | float / 2048), (system_cfg.memory | float / 2048),
[system_cfg.memory | float / 1024, 4.0] | max [system_cfg.memory | float / 1024, 2.0] | max
) )
) )
+ 5.5 + 5.5
@@ -245,6 +243,28 @@
fail_msg: "Invalid system sizing. Check system.cpus, system.memory, and system.disks[0].size." fail_msg: "Invalid system sizing. Check system.cpus, system.memory, and system.disks[0].size."
quiet: true quiet: true
- name: Validate at least one user is defined
ansible.builtin.assert:
that:
- system_cfg.users | default([]) | length > 0
- system_cfg.users[0].name is defined and (system_cfg.users[0].name | string | length) > 0
- system_cfg.users[0].password is defined and (system_cfg.users[0].password | string | length) > 0
fail_msg: "At least one user with a name and password must be defined in system.users[]."
quiet: true
no_log: true
- name: Validate DNS servers is a list
when:
- system_cfg.network.dns.servers is defined
- system_cfg.network.dns.servers | length > 0
ansible.builtin.assert:
that:
- system_cfg.network.dns.servers is iterable
- system_cfg.network.dns.servers is not string
- system_cfg.network.dns.servers is not mapping
fail_msg: "system.network.dns.servers must be a list."
quiet: true
- name: Validate all virtual disks have a positive size - name: Validate all virtual disks have a positive size
when: system_cfg.type == "virtual" when: system_cfg.type == "virtual"
ansible.builtin.assert: ansible.builtin.assert:
@@ -288,15 +308,11 @@
- name: Validate disk mount definitions - name: Validate disk mount definitions
when: system_cfg.disks is defined when: system_cfg.disks is defined
vars: vars:
reserved_mounts: all_reserved_mounts: >-
- /boot {{
- /boot/efi reserved_mounts
- /home + (['/var/cache/pacman/pkg'] if os == 'archlinux' else [])
- /swap }}
- /var
- /var/cache/pacman/pkg
- /var/log
- /var/log/audit
disk_mount: "{{ (item.mount.path | default('') | string) | trim }}" disk_mount: "{{ (item.mount.path | default('') | string) | trim }}"
disk_fstype: "{{ (item.mount.fstype | default('') | string) | trim }}" disk_fstype: "{{ (item.mount.fstype | default('') | string) | trim }}"
disk_device: "{{ (item.device | default('') | string) | trim }}" disk_device: "{{ (item.device | default('') | string) | trim }}"
@@ -305,7 +321,7 @@
that: that:
- disk_mount == "" or disk_mount.startswith("/") - disk_mount == "" or disk_mount.startswith("/")
- disk_mount == "" or disk_mount != "/" - disk_mount == "" or disk_mount != "/"
- disk_mount == "" or disk_mount not in reserved_mounts - disk_mount == "" or disk_mount not in all_reserved_mounts
- disk_mount == "" or disk_fstype in ["btrfs", "ext4", "xfs"] - disk_mount == "" or disk_fstype in ["btrfs", "ext4", "xfs"]
- disk_mount == "" or system_cfg.type == "virtual" or (disk_device | length) > 0 - disk_mount == "" or system_cfg.type == "virtual" or (disk_device | length) > 0
- disk_mount == "" or system_cfg.type != "virtual" or (disk_size | float) > 0 - disk_mount == "" or system_cfg.type != "virtual" or (disk_size | float) > 0
@@ -321,7 +337,8 @@
that: that:
- system_cfg.network.prefix is defined - system_cfg.network.prefix is defined
- (system_cfg.network.prefix | int) > 0 - (system_cfg.network.prefix | int) > 0
fail_msg: "system.network.prefix is required when system.network.ip is set." - (system_cfg.network.prefix | int) <= 32
fail_msg: "system.network.prefix must be between 1 and 32 when system.network.ip is set."
quiet: true quiet: true
- name: Validate network interfaces entries - name: Validate network interfaces entries

31
roles/partitioning/defaults/main.yml
View File

@@ -6,17 +6,40 @@ partitioning_efi_size_mib: 512
partitioning_efi_start_mib: 1 partitioning_efi_start_mib: 1
partitioning_efi_end_mib: "{{ (partitioning_efi_start_mib | int) + (partitioning_efi_size_mib | int) }}" partitioning_efi_end_mib: "{{ (partitioning_efi_start_mib | int) + (partitioning_efi_size_mib | int) }}"
partitioning_boot_size_mib: 1024 partitioning_boot_size_mib: 1024
partitioning_vg_name: sys
partitioning_use_full_disk: true partitioning_use_full_disk: true
# LVM logical volume sizing
partitioning_lvm_var_gb: 2
partitioning_lvm_var_log_gb: 2
partitioning_lvm_var_log_audit_gb: 1.5
# Disk overhead subtracted from available space in swap/home calculations
partitioning_disk_overhead_gb: 20
# CIS-required reserved space for /var, /var/log, /var/log/audit, /home
partitioning_cis_reserved_gb: 7.5
# Home allocation: percentage of (disk - overhead), bounded by min/max
partitioning_home_allocation_pct: 0.1
partitioning_home_min_gb: 2
partitioning_home_max_gb: 20
# Btrfs home quota (applied when CIS is enabled)
partitioning_btrfs_home_quota: 2G
partitioning_separate_boot: >- partitioning_separate_boot: >-
{{ {{
(
(system_cfg.luks.enabled | bool) (system_cfg.luks.enabled | bool)
and (os not in ['archlinux']) or (system_cfg.filesystem != 'btrfs')
)
and ((os | default('')) not in ['archlinux'])
}} }}
partitioning_boot_fs_fstype: >- partitioning_boot_fs_fstype: >-
{{ {{
system_cfg.filesystem system_cfg.filesystem
if system_cfg.filesystem != 'btrfs' if system_cfg.filesystem != 'btrfs'
else ('xfs' if is_rhel else 'ext4') else ('xfs' if (is_rhel | default(false) | bool) else 'ext4')
}} }}
partitioning_boot_fs_partition_suffix: >- partitioning_boot_fs_partition_suffix: >-
{{ {{
@@ -34,7 +57,7 @@ partitioning_efi_mountpoint: >-
if (partitioning_separate_boot | bool) if (partitioning_separate_boot | bool)
else ( else (
'/boot/efi' '/boot/efi'
if is_rhel or (os in ['ubuntu', 'ubuntu-lts'] or (os == 'debian' and (os_version | string) in ['11', '12', '13'])) if (is_rhel | default(false) | bool) or ((os | default('')) in ['ubuntu', 'ubuntu-lts'] or ((os | default('')) == 'debian' and (os_version | default('') | string) in ['11', '12', '13']))
else '/boot' else '/boot'
) )
}} }}
@@ -129,6 +152,6 @@ partitioning_swap_size_gb: >-
((partitioning_memory_mb / 1024) >= 16.0) ((partitioning_memory_mb / 1024) >= 16.0)
| ternary( | ternary(
(partitioning_memory_mb / 2048) | int, (partitioning_memory_mb / 2048) | int,
[partitioning_memory_mb / 1024, 4.0] | max | int [partitioning_memory_mb / 1024, 2.0] | max | int
) )
}} }}

146
roles/partitioning/tasks/_create_filesystems.yml Normal file
View File

@@ -0,0 +1,146 @@
---
- name: Create filesystems
block:
- name: Create FAT32 filesystem in boot partition
community.general.filesystem:
dev: "{{ install_drive }}{{ partitioning_boot_partition_suffix }}"
fstype: vfat
opts: -F32 -n BOOT
force: true
- name: Create filesystem for /boot partition
when: partitioning_separate_boot | bool
community.general.filesystem:
dev: "{{ install_drive }}{{ partitioning_boot_fs_partition_suffix }}"
fstype: "{{ partitioning_boot_fs_fstype }}"
opts: "{{ '-m bigtime=0 -i nrext64=0,exchange=0 -n parent=0' if (is_rhel | bool and partitioning_boot_fs_fstype == 'xfs') else omit }}"
force: true
- name: Remove unsupported ext4 features from /boot
when:
- partitioning_separate_boot | bool
- partitioning_boot_fs_fstype == 'ext4'
- os in ['almalinux', 'rocky', 'rhel'] or (os == 'debian' and (os_version | string) == '11')
ansible.builtin.command: >-
tune2fs -O "^orphan_file,^metadata_csum_seed"
"{{ install_drive }}{{ partitioning_boot_fs_partition_suffix }}"
register: partitioning_boot_ext4_tune_result
changed_when: false
- name: Create swap filesystem
when:
- system_cfg.filesystem != 'btrfs'
- system_cfg.features.swap.enabled | bool
community.general.filesystem:
fstype: swap
dev: /dev/{{ partitioning_vg_name }}/swap
- name: Create filesystem
ansible.builtin.include_tasks: "{{ system_cfg.filesystem }}.yml"
- name: Get UUID for boot filesystem
ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ partitioning_boot_partition_suffix }}'
register: partitioning_boot_uuid
changed_when: false
failed_when: partitioning_boot_uuid.rc != 0 or (partitioning_boot_uuid.stdout | trim | length) == 0
- name: Get UUID for /boot filesystem
when: partitioning_separate_boot | bool
ansible.builtin.command: >-
blkid -s UUID -o value '{{ install_drive }}{{ partitioning_boot_fs_partition_suffix }}'
register: partitioning_boot_fs_uuid
changed_when: false
failed_when: partitioning_boot_fs_uuid.rc != 0 or (partitioning_boot_fs_uuid.stdout | trim | length) == 0
- name: Get UUID for main filesystem
ansible.builtin.command: blkid -s UUID -o value '{{ partitioning_root_device }}'
register: partitioning_main_uuid
changed_when: false
failed_when: partitioning_main_uuid.rc != 0 or (partitioning_main_uuid.stdout | trim | length) == 0
- name: Get UUID for LVM root filesystem
when: system_cfg.filesystem != 'btrfs'
ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/root
register: partitioning_uuid_root_result
changed_when: false
failed_when: partitioning_uuid_root_result.rc != 0 or (partitioning_uuid_root_result.stdout | trim | length) == 0
- name: Get UUID for LVM swap filesystem
when:
- system_cfg.filesystem != 'btrfs'
- system_cfg.features.swap.enabled | bool
ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/swap
register: partitioning_uuid_swap_result
changed_when: false
failed_when: partitioning_uuid_swap_result.rc != 0 or (partitioning_uuid_swap_result.stdout | trim | length) == 0
- name: Get UUID for LVM home filesystem
when:
- system_cfg.filesystem != 'btrfs'
- system_cfg.features.cis.enabled
ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/home
register: partitioning_uuid_home_result
changed_when: false
failed_when: partitioning_uuid_home_result.rc != 0 or (partitioning_uuid_home_result.stdout | trim | length) == 0
- name: Get UUID for LVM var filesystem
when:
- system_cfg.filesystem != 'btrfs'
- system_cfg.features.cis.enabled
ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/var
register: partitioning_uuid_var_result
changed_when: false
failed_when: partitioning_uuid_var_result.rc != 0 or (partitioning_uuid_var_result.stdout | trim | length) == 0
- name: Get UUID for LVM var_log filesystem
when:
- system_cfg.filesystem != 'btrfs'
- system_cfg.features.cis.enabled
ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/var_log
register: partitioning_uuid_var_log_result
changed_when: false
failed_when: partitioning_uuid_var_log_result.rc != 0 or (partitioning_uuid_var_log_result.stdout | trim | length) == 0
- name: Get UUID for LVM var_log_audit filesystem
when:
- system_cfg.filesystem != 'btrfs'
- system_cfg.features.cis.enabled
ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/var_log_audit
register: partitioning_uuid_var_log_audit_result
changed_when: false
failed_when: partitioning_uuid_var_log_audit_result.rc != 0 or (partitioning_uuid_var_log_audit_result.stdout | trim | length) == 0
- name: Assign UUIDs to Variables
when: system_cfg.filesystem != 'btrfs'
ansible.builtin.set_fact:
partitioning_uuid_root: "{{ partitioning_uuid_root_result.stdout_lines | default([]) }}"
partitioning_uuid_swap: >-
{{
partitioning_uuid_swap_result.stdout_lines | default([])
if system_cfg.features.swap.enabled | bool
else []
}}
partitioning_uuid_home: >-
{{
partitioning_uuid_home_result.stdout_lines | default([])
if system_cfg.features.cis.enabled
else []
}}
partitioning_uuid_var: >-
{{
partitioning_uuid_var_result.stdout_lines | default([])
if system_cfg.features.cis.enabled
else []
}}
partitioning_uuid_var_log: >-
{{
partitioning_uuid_var_log_result.stdout_lines | default([])
if system_cfg.features.cis.enabled
else []
}}
partitioning_uuid_var_log_audit: >-
{{
partitioning_uuid_var_log_audit_result.stdout_lines | default([])
if system_cfg.features.cis.enabled
else []
}}

192
roles/partitioning/tasks/_create_lvm.yml Normal file
View File

@@ -0,0 +1,192 @@
---
# LVM Sizing Algorithm
# ====================
# Sizes are computed from disk_size_gb, memory_mb, and feature flags.
#
# Swap sizing:
# - RAM >= 16 GB → swap = RAM/2 (in GB)
# - RAM < 16 GB → swap = max(RAM_GB, 2)
# - Capped to: min(target, 4 + max(disk - overhead, 0))
# - Further capped to: max available after subtracting reserved + CIS + extent reserve + 4 GB buffer
#
# Root sizing:
# - Full-disk mode (default): disk - reserved - swap - extent_reserve - (CIS volumes if enabled)
# - Partial mode: tiered — <4 GB available → 4 GB, 4-12 GB → all available, >12 GB → 40% of disk
#
# CIS volumes (only when CIS enabled):
# - /home: max(min(home_raw, home_max), home_min) where home_raw = (disk - overhead) * 10%
# - /var: 2 GB, /var/log: 2 GB, /var/log/audit: 1.5 GB
#
# Extent reserve: 10 extents * 4 MiB = ~0.04 GB (prevents VG overflow)
- name: Create LVM logical volumes
when: system_cfg.filesystem != 'btrfs'
block:
- name: Create LVM volume group
community.general.lvg:
vg: "{{ partitioning_vg_name }}"
pvs: "{{ partitioning_root_device }}"
- name: Create LVM logical volumes
when:
- system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
- system_cfg.features.swap.enabled | bool or item.lv != 'swap'
vars:
partitioning_lvm_extent_reserve_count: 10
partitioning_lvm_extent_size_mib: 4
partitioning_lvm_extent_reserve_gb: >-
{{
(
(partitioning_lvm_extent_reserve_count | float)
* (partitioning_lvm_extent_size_mib | float)
/ 1024
) | round(2, 'ceil')
}}
partitioning_lvm_swap_target_gb: >-
{{
(
((partitioning_memory_mb | float / 1024) >= 16.0)
| ternary(
(partitioning_memory_mb | float / 2048),
[(partitioning_memory_mb | float / 1024), 2] | max | float
)
)
if system_cfg.features.swap.enabled | bool
else 0
}}
partitioning_lvm_swap_cap_gb: >-
{{
(
4
+ [
(partitioning_disk_size_gb | float) - (partitioning_disk_overhead_gb | float),
0
] | max
)
if system_cfg.features.swap.enabled | bool
else 0
}}
partitioning_lvm_swap_target_limited_gb: >-
{{
(
[
partitioning_lvm_swap_target_gb,
partitioning_lvm_swap_cap_gb
] | min
)
if system_cfg.features.swap.enabled | bool
else 0
}}
partitioning_lvm_swap_max_gb: >-
{{
(
[
(
(partitioning_disk_size_gb | float)
- (partitioning_reserved_gb | float)
- (system_cfg.features.cis.enabled | ternary(partitioning_cis_reserved_gb | float, 0))
- partitioning_lvm_extent_reserve_gb
- 4
),
0
] | max
)
if system_cfg.features.swap.enabled | bool
else 0
}}
partitioning_lvm_available_gb: >-
{{
(
(partitioning_disk_size_gb | float)
- (partitioning_reserved_gb | float)
- (system_cfg.features.cis.enabled | ternary(partitioning_cis_reserved_gb | float, 0))
- partitioning_lvm_extent_reserve_gb
- partitioning_lvm_swap_target_limited_gb
) | float
}}
partitioning_lvm_home_raw_gb: >-
{{
((partitioning_disk_size_gb | float) - (partitioning_disk_overhead_gb | float))
* (partitioning_home_allocation_pct | float)
}}
partitioning_lvm_home_gb: >-
{{
[
[(partitioning_lvm_home_raw_gb | float), (partitioning_home_min_gb | float)] | max,
(partitioning_home_max_gb | float)
] | min
}}
partitioning_lvm_root_default_gb: >-
{{
[
(
((partitioning_lvm_available_gb | float) < 4)
| ternary(
4,
(
((partitioning_lvm_available_gb | float) > 12)
| ternary(
((partitioning_disk_size_gb | float) * 0.4)
| round(0, 'ceil'),
partitioning_lvm_available_gb
)
)
)
),
4
] | max
}}
partitioning_lvm_swap_gb: >-
{{
(
[
partitioning_lvm_swap_target_limited_gb,
partitioning_lvm_swap_max_gb
] | min | round(2, 'floor')
)
if system_cfg.features.swap.enabled | bool
else 0
}}
partitioning_lvm_root_full_gb: >-
{{
[
(
(partitioning_disk_size_gb | float)
- (partitioning_reserved_gb | float)
- (partitioning_lvm_swap_gb | float)
- partitioning_lvm_extent_reserve_gb
- (
(partitioning_lvm_home_gb | float)
+ (partitioning_lvm_var_gb | float)
+ (partitioning_lvm_var_log_gb | float)
+ (partitioning_lvm_var_log_audit_gb | float)
if system_cfg.features.cis.enabled
else 0
)
),
4
] | max | round(2, 'floor')
}}
partitioning_lvm_root_gb: >-
{{
partitioning_lvm_root_full_gb
if partitioning_use_full_disk | bool
else partitioning_lvm_root_default_gb
}}
community.general.lvol:
vg: "{{ partitioning_vg_name }}"
lv: "{{ item.lv }}"
size: "{{ item.size }}"
state: present
loop:
- lv: root
size: "{{ partitioning_lvm_root_gb | string + 'G' }}"
- lv: swap
size: "{{ partitioning_lvm_swap_gb | string + 'G' }}"
- lv: home
size: "{{ partitioning_lvm_home_gb | string + 'G' }}"
- { lv: var, size: "{{ partitioning_lvm_var_gb }}G" }
- { lv: var_log, size: "{{ partitioning_lvm_var_log_gb }}G" }
- { lv: var_log_audit, size: "{{ partitioning_lvm_var_log_audit_gb }}G" }
loop_control:
label: "{{ item.lv }}"

121
roles/partitioning/tasks/_create_partitions.yml Normal file
View File

@@ -0,0 +1,121 @@
---
- name: Partition install drive
block:
- name: Prepare partitions
block:
- name: Disable swap
ansible.builtin.command: swapoff -a
register: partitioning_swapoff_result
changed_when: partitioning_swapoff_result.rc == 0
failed_when: false
- name: Find mounts under /mnt
ansible.builtin.command: findmnt -R /mnt -n -o TARGET
register: partitioning_mounted_paths
changed_when: false
failed_when: false
- name: Unmount /mnt mounts
when: partitioning_mounted_paths.stdout_lines | length > 0
ansible.posix.mount:
path: "{{ item }}"
state: unmounted
loop: "{{ partitioning_mounted_paths.stdout_lines | reverse }}"
loop_control:
label: "{{ item }}"
failed_when: false
- name: Remove LVM volume group
community.general.lvg:
vg: "{{ partitioning_vg_name }}"
state: absent
force: true
failed_when: false
- name: Close LUKS mapper
when: system_cfg.luks.enabled | bool
community.crypto.luks_device:
name: "{{ system_cfg.luks.mapper }}"
state: closed
failed_when: false
- name: Remove LUKS mapper device
when: system_cfg.luks.enabled | bool
ansible.builtin.command: >-
dmsetup remove --force --retry {{ system_cfg.luks.mapper }}
register: partitioning_dmsetup_remove
changed_when: partitioning_dmsetup_remove.rc == 0
failed_when: false
- name: Remove LUKS signatures
when: system_cfg.luks.enabled | bool
community.crypto.luks_device:
device: "{{ partitioning_luks_device }}"
state: absent
failed_when: false
- name: Wipe filesystem signatures
ansible.builtin.shell: >-
find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;
register: partitioning_wipefs_result
changed_when: partitioning_wipefs_result.rc == 0
failed_when: false
- name: Refresh kernel partition table
ansible.builtin.command: "{{ item }}"
loop:
- "partprobe {{ install_drive }}"
- "blockdev --rereadpt {{ install_drive }}"
- "udevadm settle"
register: partitioning_partprobe_result
changed_when: false
failed_when: false
- name: Define partitions
block:
- name: Create partition layout
community.general.parted:
device: "{{ install_drive }}"
label: gpt
number: "{{ item.number }}"
part_end: "{{ item.part_end | default(omit) }}"
part_start: "{{ item.part_start | default(omit) }}"
name: "{{ item.name }}"
flags: "{{ item.flags | default(omit) }}"
state: present
loop: "{{ partitioning_layout }}"
loop_control:
label: "{{ item.name }}"
rescue:
- name: Refresh kernel partition table after failure
ansible.builtin.command: "{{ item }}"
loop:
- "partprobe {{ install_drive }}"
- "blockdev --rereadpt {{ install_drive }}"
- "udevadm settle"
register: partitioning_partprobe_retry
changed_when: false
failed_when: false
- name: Retry partition layout
community.general.parted:
device: "{{ install_drive }}"
label: gpt
number: "{{ item.number }}"
part_end: "{{ item.part_end | default(omit) }}"
part_start: "{{ item.part_start | default(omit) }}"
name: "{{ item.name }}"
flags: "{{ item.flags | default(omit) }}"
state: present
loop: "{{ partitioning_layout }}"
loop_control:
label: "{{ item.name }}"
- name: Settle partition table
ansible.builtin.command: "{{ item }}"
loop:
- "partprobe {{ install_drive }}"
- "udevadm settle"
register: partitioning_partprobe_settle
changed_when: false
failed_when: false

38
roles/partitioning/tasks/_detect_sizing.yml Normal file
View File

@@ -0,0 +1,38 @@
---
- name: Detect system memory for swap sizing
when:
- system_cfg.features.swap.enabled | bool
- partitioning_vm_memory is not defined or (partitioning_vm_memory | float) <= 0
- (system_cfg.memory | default(0) | float) <= 0
block:
- name: Read system memory
ansible.builtin.command: awk '/MemTotal/ {print int($2/1024)}' /proc/meminfo
register: partitioning_memtotal_mb
changed_when: false
failed_when: false
- name: Set partitioning vm memory default
ansible.builtin.set_fact:
partitioning_vm_memory: "{{ (partitioning_memtotal_mb.stdout | default('4096') | int) | float }}"
- name: Set partitioning vm_size for physical installs
when:
- system_cfg.type == "physical"
- partitioning_vm_size is not defined or (partitioning_vm_size | float) <= 0
- install_drive | length > 0
block:
- name: Detect install drive size
ansible.builtin.command: "lsblk -b -dn -o SIZE {{ install_drive }}"
register: partitioning_disk_size_bytes
changed_when: false
- name: Set partitioning vm_size from install drive size
when:
- partitioning_disk_size_bytes.stdout is defined
- (partitioning_disk_size_bytes.stdout | trim | length) > 0
ansible.builtin.set_fact:
partitioning_vm_size: >-
{{
(partitioning_disk_size_bytes.stdout | trim | int / 1024 / 1024 / 1024)
| round(2, 'floor')
}}

129
roles/partitioning/tasks/_mount.yml Normal file
View File

@@ -0,0 +1,129 @@
---
- name: Mount filesystems
block:
# CIS mode: mount all paths (separate partitions for /home, /var, etc.)
# Non-CIS btrfs: only mount subvolume paths (/home, /var/log, /var/cache/pacman/pkg)
# Non-CIS LVM: skip CIS-only paths (/home, /var, /var/log, /var/log/audit, /var/cache/pacman/pkg)
- name: Mount filesystems and subvolumes
when:
- >-
system_cfg.features.cis.enabled or (
not system_cfg.features.cis.enabled and (
(system_cfg.filesystem == 'btrfs' and item.path in ['/home', '/var/log', '/var/cache/pacman/pkg'])
or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit', '/var/cache/pacman/pkg'])
)
)
- >-
not (item.path in ['/swap', '/var/cache/pacman/pkg'] and system_cfg.filesystem != 'btrfs')
- system_cfg.features.swap.enabled | bool or item.path != '/swap'
ansible.posix.mount:
path: /mnt{{ item.path }}
src: "{{ 'UUID=' + (partitioning_main_uuid.stdout if system_cfg.filesystem == 'btrfs' else item.uuid) }}"
fstype: "{{ system_cfg.filesystem }}"
opts: "{{ item.opts }}"
state: mounted
loop:
# ssd: no-op on kernels 5.15+ (btrfs auto-detects); kept for older kernel compat
- path: ""
uuid: "{{ partitioning_uuid_root[0] | default(omit) }}"
opts: >-
{{
'defaults'
if system_cfg.filesystem != 'btrfs'
else [
'rw', 'relatime', partitioning_btrfs_compress_opt, 'ssd', 'space_cache=v2',
'discard=async', 'subvol=@'
] | reject('equalto', '') | join(',')
}}
- path: /swap
opts: >-
{{
[
'rw', 'nosuid', 'nodev', 'relatime', partitioning_btrfs_compress_opt, 'ssd',
'space_cache=v2', 'discard=async', 'subvol=@swap'
] | reject('equalto', '') | join(',')
}}
- path: /home
uuid: "{{ partitioning_uuid_home[0] | default(omit) }}"
opts: >-
{{
'defaults,nosuid,nodev'
if system_cfg.filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'relatime', partitioning_btrfs_compress_opt, 'ssd',
'space_cache=v2', 'discard=async', 'subvol=@home'
] | reject('equalto', '') | join(',')
}}
- path: /var
uuid: "{{ partitioning_uuid_var[0] | default(omit) }}"
opts: >-
{{
'defaults,nosuid,nodev'
if system_cfg.filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'relatime', partitioning_btrfs_compress_opt, 'ssd',
'space_cache=v2', 'discard=async', 'subvol=@var'
] | reject('equalto', '') | join(',')
}}
- path: /var/log
uuid: "{{ partitioning_uuid_var_log[0] | default(omit) }}"
opts: >-
{{
'defaults,nosuid,nodev,noexec'
if system_cfg.filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'noexec', 'relatime', partitioning_btrfs_compress_opt,
'ssd', 'space_cache=v2', 'discard=async', 'subvol=@var_log'
] | reject('equalto', '') | join(',')
}}
- path: /var/cache/pacman/pkg
uuid: "{{ partitioning_uuid_root | default([]) | first | default(omit) }}"
opts: >-
{{
'defaults,nosuid,nodev,noexec'
if system_cfg.filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'noexec', 'relatime', partitioning_btrfs_compress_opt,
'ssd', 'space_cache=v2', 'discard=async', 'subvol=@pkg'
] | reject('equalto', '') | join(',')
}}
- path: /var/log/audit
uuid: "{{ partitioning_uuid_var_log_audit[0] | default(omit) }}"
opts: >-
{{
'defaults,nosuid,nodev,noexec'
if system_cfg.filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'noexec', 'relatime', partitioning_btrfs_compress_opt,
'ssd', 'space_cache=v2', 'discard=async', 'subvol=@var_log_audit'
] | reject('equalto', '') | join(',')
}}
loop_control:
label: "{{ item.path }}"
- name: Mount /boot filesystem
when: partitioning_separate_boot | bool
ansible.posix.mount:
path: /mnt/boot
src: "UUID={{ partitioning_boot_fs_uuid.stdout }}"
fstype: "{{ partitioning_boot_fs_fstype }}"
opts: defaults
state: mounted
- name: Mount boot filesystem
ansible.posix.mount:
path: "/mnt{{ partitioning_efi_mountpoint }}"
src: UUID={{ partitioning_boot_uuid.stdout }}
fstype: vfat
state: mounted
- name: Activate swap
when: system_cfg.features.swap.enabled | bool
vars:
partitioning_swap_cmd: >-
{{ 'swapon /mnt/swap/swapfile' if system_cfg.filesystem == 'btrfs' else 'swapon -U ' + partitioning_uuid_swap[0] }}
ansible.builtin.command: "{{ partitioning_swap_cmd }}"
register: partitioning_swap_activate_result
# swapon returns 255 if swap is already active
failed_when: partitioning_swap_activate_result.rc not in [0, 255]
changed_when: partitioning_swap_activate_result.rc == 0

92
roles/partitioning/tasks/_setup_luks.yml Normal file
View File

@@ -0,0 +1,92 @@
---
- name: Configure LUKS encryption
when: system_cfg.luks.enabled | bool
block:
- name: Validate LUKS passphrase
ansible.builtin.assert:
that:
- (system_cfg.luks.passphrase | string | length) > 0
fail_msg: system.luks.passphrase must be set when LUKS is enabled.
no_log: true
- name: Ensure LUKS container exists
community.crypto.luks_device:
device: "{{ partitioning_luks_device }}"
state: present
type: "{{ system_cfg.luks.type }}"
cipher: "{{ system_cfg.luks.cipher }}"
hash: "{{ system_cfg.luks.hash }}"
keysize: "{{ system_cfg.luks.bits }}"
pbkdf:
algorithm: "{{ system_cfg.luks.pbkdf }}"
iteration_time: "{{ (system_cfg.luks.iter | float) / 1000 }}"
passphrase: "{{ system_cfg.luks.passphrase | string }}"
register: partitioning_luks_format_result
no_log: true
- name: Force-close LUKS mapper
community.crypto.luks_device:
name: "{{ system_cfg.luks.mapper }}"
state: closed
failed_when: false
- name: Force-remove LUKS mapper device
ansible.builtin.command: >-
dmsetup remove --force --retry {{ system_cfg.luks.mapper }}
register: partitioning_dmsetup_remove_after_format
changed_when: partitioning_dmsetup_remove_after_format.rc == 0
failed_when: false
- name: Settle udev after removing LUKS mapper
ansible.builtin.command: udevadm settle
changed_when: false
failed_when: false
- name: Ensure LUKS mapper is opened
block:
- name: Open LUKS device
community.crypto.luks_device:
device: "{{ partitioning_luks_device }}"
state: opened
name: "{{ system_cfg.luks.mapper }}"
passphrase: "{{ system_cfg.luks.passphrase | string }}"
allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
register: partitioning_luks_open_result
no_log: true
rescue:
- name: Force-close stale LUKS mapper
community.crypto.luks_device:
name: "{{ system_cfg.luks.mapper }}"
state: closed
failed_when: false
- name: Force-remove stale LUKS mapper device
ansible.builtin.command: >-
dmsetup remove --force --retry {{ system_cfg.luks.mapper }}
register: partitioning_dmsetup_remove_retry
changed_when: partitioning_dmsetup_remove_retry.rc == 0
failed_when: false
- name: Settle udev after removing stale LUKS mapper
ansible.builtin.command: udevadm settle
changed_when: false
failed_when: false
- name: Retry opening LUKS device
community.crypto.luks_device:
device: "{{ partitioning_luks_device }}"
state: opened
name: "{{ system_cfg.luks.mapper }}"
passphrase: "{{ system_cfg.luks.passphrase | string }}"
allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
register: partitioning_luks_open_retry
no_log: true
- name: Get LUKS UUID
ansible.builtin.command: "cryptsetup luksUUID {{ partitioning_luks_device }}"
register: partitioning_luks_uuid_result
changed_when: false
- name: Store LUKS UUID
ansible.builtin.set_fact:
partitioning_luks_uuid: "{{ partitioning_luks_uuid_result.stdout | trim }}"

10
roles/partitioning/tasks/btrfs.yml
View File

@@ -37,7 +37,7 @@
- name: Enable quotas on Btrfs filesystem - name: Enable quotas on Btrfs filesystem
ansible.builtin.command: btrfs quota enable /mnt ansible.builtin.command: btrfs quota enable /mnt
register: partitioning_btrfs_quota_result register: partitioning_btrfs_quota_result
changed_when: false changed_when: partitioning_btrfs_quota_result.rc == 0
- name: Make root subvolumes - name: Make root subvolumes
when: when:
@@ -54,15 +54,19 @@
- { subvol: pkg } - { subvol: pkg }
- { subvol: var_log } - { subvol: var_log }
- { subvol: var_log_audit } - { subvol: var_log_audit }
loop_control:
label: "{{ item.subvol }}"
register: partitioning_btrfs_subvol_result register: partitioning_btrfs_subvol_result
- name: Set quotas for subvolumes - name: Set quotas for subvolumes
when: system_cfg.features.cis.enabled when: system_cfg.features.cis.enabled
ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }} ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
loop: loop:
- { subvol: home, quota: 2G } - { subvol: home, quota: "{{ partitioning_btrfs_home_quota }}" }
loop_control:
label: "{{ item.subvol }}"
register: partitioning_btrfs_qgroup_result register: partitioning_btrfs_qgroup_result
changed_when: false changed_when: partitioning_btrfs_qgroup_result.rc == 0
- name: Create a Btrfs swap file - name: Create a Btrfs swap file
when: system_cfg.features.swap.enabled | bool when: system_cfg.features.swap.enabled | bool

8
roles/partitioning/tasks/ext4.yml
View File

@@ -2,7 +2,7 @@
- name: Create and format ext4 logical volumes - name: Create and format ext4 logical volumes
when: system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] when: system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
community.general.filesystem: community.general.filesystem:
dev: /dev/sys/{{ item.lv }} dev: /dev/{{ partitioning_vg_name }}/{{ item.lv }}
fstype: ext4 fstype: ext4
force: true force: true
loop: loop:
@@ -11,17 +11,21 @@
- { lv: var } - { lv: var }
- { lv: var_log } - { lv: var_log }
- { lv: var_log_audit } - { lv: var_log_audit }
loop_control:
label: "{{ item.lv }}"
- name: Remove Unsupported features for older Systems - name: Remove Unsupported features for older Systems
when: > when: >
(os in ['almalinux', 'rocky', 'rhel'] or (os == 'debian' and (os_version | string) == '11')) (os in ['almalinux', 'rocky', 'rhel'] or (os == 'debian' and (os_version | string) == '11'))
and (system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']) and (system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'])
ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}" ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/{{ partitioning_vg_name }}/{{ item.lv }}"
loop: loop:
- { lv: root } - { lv: root }
- { lv: home } - { lv: home }
- { lv: var } - { lv: var }
- { lv: var_log } - { lv: var_log }
- { lv: var_log_audit } - { lv: var_log_audit }
loop_control:
label: "{{ item.lv }}"
register: partitioning_ext4_tune_result register: partitioning_ext4_tune_result
changed_when: partitioning_ext4_tune_result.rc == 0 changed_when: partitioning_ext4_tune_result.rc == 0

38
roles/partitioning/tasks/extra_disks.yml
View File

@@ -7,7 +7,6 @@
| selectattr('mount.path') | selectattr('mount.path')
| list | list
}} }}
changed_when: false
- name: Validate additional disks do not target install_drive - name: Validate additional disks do not target install_drive
when: partitioning_extra_disks | length > 0 when: partitioning_extra_disks | length > 0
@@ -49,13 +48,34 @@
ansible.builtin.command: udevadm settle ansible.builtin.command: udevadm settle
changed_when: false changed_when: false
- name: Wipe existing filesystem signatures on additional disk partitions
when: partitioning_extra_disks | length > 0
ansible.builtin.command: "wipefs --force --all {{ item.partition }}"
changed_when: true
loop: "{{ partitioning_extra_disks }}"
loop_control:
label: "{{ item.partition }}"
- name: Create filesystems on additional disks - name: Create filesystems on additional disks
when: partitioning_extra_disks | length > 0 when: partitioning_extra_disks | length > 0
vars:
_label_opt: "{{ ('-L ' ~ item.mount.label) if (item.mount.label | default('') | string | length) > 0 else '' }}"
_compat_opt: "{{ '-m bigtime=0 -i nrext64=0,exchange=0 -n parent=0' if (is_rhel | bool and item.mount.fstype == 'xfs') else '' }}"
_all_opts: "{{ ([_label_opt, _compat_opt] | select | join(' ')) or omit }}"
community.general.filesystem: community.general.filesystem:
dev: "{{ item.partition }}" dev: "{{ item.partition }}"
fstype: "{{ item.mount.fstype }}" fstype: "{{ item.mount.fstype }}"
opts: "{{ ('-L ' ~ item.mount.label) if (item.mount.label | default('') | string | length) > 0 else omit }}" opts: "{{ _all_opts }}"
force: true loop: "{{ partitioning_extra_disks }}"
loop_control:
label: "{{ item.partition }}"
- name: Collect extra disk UUIDs
when: partitioning_extra_disks | length > 0
ansible.builtin.command: "blkid -s UUID -o value {{ item.partition }}"
register: partitioning_extra_disk_uuids
changed_when: false
failed_when: partitioning_extra_disk_uuids.rc != 0 or (partitioning_extra_disk_uuids.stdout | trim | length) == 0
loop: "{{ partitioning_extra_disks }}" loop: "{{ partitioning_extra_disks }}"
loop_control: loop_control:
label: "{{ item.partition }}" label: "{{ item.partition }}"
@@ -75,11 +95,11 @@
- name: Mount additional disks for fstab generation - name: Mount additional disks for fstab generation
when: partitioning_extra_disks | length > 0 when: partitioning_extra_disks | length > 0
ansible.posix.mount: ansible.posix.mount:
path: "/mnt{{ item.mount.path }}" path: "/mnt{{ item.0.mount.path }}"
src: "{{ item.partition }}" src: "UUID={{ item.1.stdout }}"
fstype: "{{ item.mount.fstype }}" fstype: "{{ item.0.mount.fstype }}"
opts: "{{ item.mount.opts | default('defaults') }}" opts: "{{ item.0.mount.opts | default('defaults') }}"
state: mounted state: mounted
loop: "{{ partitioning_extra_disks }}" loop: "{{ partitioning_extra_disks | zip(partitioning_extra_disk_uuids.results) | list }}"
loop_control: loop_control:
label: "{{ item.mount.path }}" label: "{{ item.0.mount.path }}"

664
roles/partitioning/tasks/main.yml
View File

@@ -1,665 +1,21 @@
--- ---
- name: Detect system memory for swap sizing - name: Detect system sizing
when: ansible.builtin.include_tasks: _detect_sizing.yml
- system_cfg.features.swap.enabled | bool
- partitioning_vm_memory is not defined or (partitioning_vm_memory | float) <= 0
- system_cfg is not defined or (system_cfg.memory | default(0) | float) <= 0
block:
- name: Read system memory
ansible.builtin.command: awk '/MemTotal/ {print int($2/1024)}' /proc/meminfo
register: partitioning_memtotal_mb
changed_when: false
failed_when: false
- name: Set partitioning vm memory default - name: Create partitions
ansible.builtin.set_fact: ansible.builtin.include_tasks: _create_partitions.yml
partitioning_vm_memory: "{{ (partitioning_memtotal_mb.stdout | default('4096') | int) | float }}"
- name: Set partitioning vm_size for physical installs - name: Setup LUKS encryption
when: ansible.builtin.include_tasks: _setup_luks.yml
- system_cfg.type == "physical"
- partitioning_vm_size is not defined or (partitioning_vm_size | float) <= 0
- install_drive | length > 0
block:
- name: Detect install drive size
ansible.builtin.command: "lsblk -b -dn -o SIZE {{ install_drive }}"
register: partitioning_disk_size_bytes
changed_when: false
- name: Set partitioning vm_size from install drive size
when:
- partitioning_disk_size_bytes.stdout is defined
- (partitioning_disk_size_bytes.stdout | trim | length) > 0
ansible.builtin.set_fact:
partitioning_vm_size: >-
{{
(partitioning_disk_size_bytes.stdout | trim | int / 1024 / 1024 / 1024)
| round(2, 'floor')
}}
- name: Partition install drive
block:
- name: Prepare partitions
block:
- name: Disable swap
ansible.builtin.command: swapoff -a
register: partitioning_swapoff_result
changed_when: partitioning_swapoff_result.rc == 0
failed_when: false
- name: Find mounts under /mnt
ansible.builtin.command: findmnt -R /mnt -n -o TARGET
register: partitioning_mounted_paths
changed_when: false
failed_when: false
- name: Unmount /mnt mounts
when: partitioning_mounted_paths.stdout_lines | length > 0
ansible.posix.mount:
path: "{{ item }}"
state: unmounted
loop: "{{ partitioning_mounted_paths.stdout_lines | reverse }}"
loop_control:
label: "{{ item }}"
failed_when: false
- name: Remove LVM volume group
community.general.lvg:
vg: sys
state: absent
force: true
failed_when: false
- name: Close LUKS mapper
when: system_cfg.luks.enabled | bool
community.crypto.luks_device:
name: "{{ system_cfg.luks.mapper }}"
state: closed
failed_when: false
- name: Remove LUKS mapper device
when: system_cfg.luks.enabled | bool
ansible.builtin.command: >-
dmsetup remove --force --retry {{ system_cfg.luks.mapper }}
register: partitioning_dmsetup_remove
changed_when: partitioning_dmsetup_remove.rc == 0
failed_when: false
- name: Remove LUKS signatures
when: system_cfg.luks.enabled | bool
community.crypto.luks_device:
device: "{{ partitioning_luks_device }}"
state: absent
failed_when: false
- name: Wipe filesystem signatures
ansible.builtin.command: >-
find /dev -wholename "{{ install_drive }}*" -exec wipefs --force --all {} \;
register: partitioning_wipefs_result
changed_when: false
failed_when: false
- name: Refresh kernel partition table
ansible.builtin.command: "{{ item }}"
loop:
- "partprobe {{ install_drive }}"
- "blockdev --rereadpt {{ install_drive }}"
- "udevadm settle"
register: partitioning_partprobe_result
changed_when: false
failed_when: false
- name: Define partitions
block:
- name: Create partition layout
community.general.parted:
device: "{{ install_drive }}"
label: gpt
number: "{{ item.number }}"
part_end: "{{ item.part_end | default(omit) }}"
part_start: "{{ item.part_start | default(omit) }}"
name: "{{ item.name }}"
flags: "{{ item.flags | default(omit) }}"
state: present
loop: "{{ partitioning_layout }}"
rescue:
- name: Refresh kernel partition table after failure
ansible.builtin.command: "{{ item }}"
loop:
- "partprobe {{ install_drive }}"
- "blockdev --rereadpt {{ install_drive }}"
- "udevadm settle"
register: partitioning_partprobe_retry
changed_when: false
failed_when: false
- name: Retry partition layout
community.general.parted:
device: "{{ install_drive }}"
label: gpt
number: "{{ item.number }}"
part_end: "{{ item.part_end | default(omit) }}"
part_start: "{{ item.part_start | default(omit) }}"
name: "{{ item.name }}"
flags: "{{ item.flags | default(omit) }}"
state: present
loop: "{{ partitioning_layout }}"
- name: Settle partition table
ansible.builtin.command: "{{ item }}"
loop:
- "partprobe {{ install_drive }}"
- "udevadm settle"
register: partitioning_partprobe_settle
changed_when: false
failed_when: false
- name: Configure LUKS encryption
when: system_cfg.luks.enabled | bool
block:
- name: Validate LUKS passphrase
ansible.builtin.assert:
that:
- (system_cfg.luks.passphrase | string | length) > 0
fail_msg: system.luks.passphrase must be set when LUKS is enabled.
no_log: true
- name: Ensure LUKS container exists
community.crypto.luks_device:
device: "{{ partitioning_luks_device }}"
state: present
type: "{{ system_cfg.luks.type }}"
cipher: "{{ system_cfg.luks.cipher }}"
hash: "{{ system_cfg.luks.hash }}"
keysize: "{{ system_cfg.luks.bits }}"
pbkdf:
algorithm: "{{ system_cfg.luks.pbkdf }}"
iteration_time: "{{ (system_cfg.luks.iter | float) / 1000 }}"
passphrase: "{{ system_cfg.luks.passphrase | string }}"
register: partitioning_luks_format_result
no_log: true
- name: Force-close LUKS mapper
community.crypto.luks_device:
name: "{{ system_cfg.luks.mapper }}"
state: closed
failed_when: false
- name: Force-remove LUKS mapper device
ansible.builtin.command: >-
dmsetup remove --force --retry {{ system_cfg.luks.mapper }}
register: partitioning_dmsetup_remove_after_format
changed_when: partitioning_dmsetup_remove_after_format.rc == 0
failed_when: false
- name: Settle udev after removing LUKS mapper
ansible.builtin.command: udevadm settle
changed_when: false
failed_when: false
- name: Ensure LUKS mapper is opened
block:
- name: Open LUKS device
community.crypto.luks_device:
device: "{{ partitioning_luks_device }}"
state: opened
name: "{{ system_cfg.luks.mapper }}"
passphrase: "{{ system_cfg.luks.passphrase | string }}"
allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
register: partitioning_luks_open_result
no_log: true
rescue:
- name: Force-close stale LUKS mapper
community.crypto.luks_device:
name: "{{ system_cfg.luks.mapper }}"
state: closed
failed_when: false
- name: Force-remove stale LUKS mapper device
ansible.builtin.command: >-
dmsetup remove --force --retry {{ system_cfg.luks.mapper }}
register: partitioning_dmsetup_remove_retry
changed_when: partitioning_dmsetup_remove_retry.rc == 0
failed_when: false
- name: Settle udev after removing stale LUKS mapper
ansible.builtin.command: udevadm settle
changed_when: false
failed_when: false
- name: Retry opening LUKS device
community.crypto.luks_device:
device: "{{ partitioning_luks_device }}"
state: opened
name: "{{ system_cfg.luks.mapper }}"
passphrase: "{{ system_cfg.luks.passphrase | string }}"
allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
register: partitioning_luks_open_retry
no_log: true
- name: Get LUKS UUID
ansible.builtin.command: "cryptsetup luksUUID {{ partitioning_luks_device }}"
register: partitioning_luks_uuid_result
changed_when: false
- name: Store LUKS UUID
ansible.builtin.set_fact:
partitioning_luks_uuid: "{{ partitioning_luks_uuid_result.stdout | trim }}"
- name: Create LVM logical volumes - name: Create LVM logical volumes
when: system_cfg.filesystem != 'btrfs' ansible.builtin.include_tasks: _create_lvm.yml
block:
- name: Create LVM volume group
community.general.lvg:
vg: sys
pvs: "{{ partitioning_root_device }}"
- name: Create LVM logical volumes - name: Create filesystems and collect UUIDs
when: ansible.builtin.include_tasks: _create_filesystems.yml
- system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
- system_cfg.features.swap.enabled | bool or item.lv != 'swap'
vars:
partitioning_lvm_extent_reserve_count: 10
partitioning_lvm_extent_size_mib: 4
partitioning_lvm_extent_reserve_gb: >-
{{
(
(partitioning_lvm_extent_reserve_count | float)
* (partitioning_lvm_extent_size_mib | float)
/ 1024
) | round(2, 'ceil')
}}
partitioning_lvm_swap_target_gb: >-
{{
(
[
(partitioning_memory_mb | float / 1024),
4
] | max | float
)
if system_cfg.features.swap.enabled | bool
else 0
}}
partitioning_lvm_swap_cap_gb: >-
{{
(
4
+ [
(partitioning_disk_size_gb | float) - 20,
0
] | max
)
if system_cfg.features.swap.enabled | bool
else 0
}}
partitioning_lvm_swap_target_limited_gb: >-
{{
(
[
partitioning_lvm_swap_target_gb,
partitioning_lvm_swap_cap_gb
] | min
)
if system_cfg.features.swap.enabled | bool
else 0
}}
partitioning_lvm_swap_max_gb: >-
{{
(
[
(
(partitioning_disk_size_gb | float)
- (partitioning_reserved_gb | float)
- (system_cfg.features.cis.enabled | ternary(7.5, 0))
- partitioning_lvm_extent_reserve_gb
- 4
),
0
] | max
)
if system_cfg.features.swap.enabled | bool
else 0
}}
partitioning_lvm_available_gb: >-
{{
(
(partitioning_disk_size_gb | float)
- (partitioning_reserved_gb | float)
- (system_cfg.features.cis.enabled | ternary(7.5, 0))
- partitioning_lvm_extent_reserve_gb
- partitioning_lvm_swap_target_limited_gb
) | float
}}
partitioning_lvm_home_gb: >-
{{
([([(((partitioning_disk_size_gb | float) - 20) * 0.1), 2] | max), 20] | min)
}}
partitioning_lvm_root_default_gb: >-
{{
[
(
((partitioning_lvm_available_gb | float) < 4)
| ternary(
4,
(
((partitioning_lvm_available_gb | float) > 12)
| ternary(
((partitioning_disk_size_gb | float) * 0.4)
| round(0, 'ceil'),
partitioning_lvm_available_gb
)
)
)
),
4
] | max
}}
partitioning_lvm_swap_gb: >-
{{
(
[
partitioning_lvm_swap_target_limited_gb,
partitioning_lvm_swap_max_gb
] | min | round(2, 'floor')
)
if system_cfg.features.swap.enabled | bool
else 0
}}
partitioning_lvm_root_full_gb: >-
{{
[
(
(partitioning_disk_size_gb | float)
- (partitioning_reserved_gb | float)
- (partitioning_lvm_swap_gb | float)
- partitioning_lvm_extent_reserve_gb
- (
(partitioning_lvm_home_gb | float) + 5.5
if system_cfg.features.cis.enabled
else 0
)
),
4
] | max | round(2, 'floor')
}}
partitioning_lvm_root_gb: >-
{{
partitioning_lvm_root_full_gb
if partitioning_use_full_disk | bool
else partitioning_lvm_root_default_gb
}}
community.general.lvol:
vg: sys
lv: "{{ item.lv }}"
size: "{{ item.size }}"
state: present
loop:
- lv: root
size: "{{ partitioning_lvm_root_gb | string + 'G' }}"
- lv: swap
size: "{{ partitioning_lvm_swap_gb | string + 'G' }}"
- lv: home
size: "{{ partitioning_lvm_home_gb | string + 'G' }}"
- { lv: var, size: "2G" }
- { lv: var_log, size: "2G" }
- { lv: var_log_audit, size: "1.5G" }
- name: Create filesystems
block:
- name: Create FAT32 filesystem in boot partition
community.general.filesystem:
dev: "{{ install_drive }}{{ partitioning_boot_partition_suffix }}"
fstype: vfat
opts: -F32 -n BOOT
force: true
- name: Create filesystem for /boot partition
when: partitioning_separate_boot | bool
community.general.filesystem:
dev: "{{ install_drive }}{{ partitioning_boot_fs_partition_suffix }}"
fstype: "{{ partitioning_boot_fs_fstype }}"
force: true
- name: Remove unsupported ext4 features from /boot
when:
- partitioning_separate_boot | bool
- partitioning_boot_fs_fstype == 'ext4'
- os in ['almalinux', 'rocky', 'rhel'] or (os == 'debian' and (os_version | string) == '11')
ansible.builtin.command: >-
tune2fs -O "^orphan_file,^metadata_csum_seed"
"{{ install_drive }}{{ partitioning_boot_fs_partition_suffix }}"
register: partitioning_boot_ext4_tune_result
changed_when: partitioning_boot_ext4_tune_result.rc == 0
- name: Create swap filesystem
when:
- system_cfg.filesystem != 'btrfs'
- system_cfg.features.swap.enabled | bool
community.general.filesystem:
fstype: swap
dev: /dev/sys/swap
- name: Create filesystem
ansible.builtin.include_tasks: "{{ system_cfg.filesystem }}.yml"
- name: Get UUID for boot filesystem
ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ partitioning_boot_partition_suffix }}'
register: partitioning_boot_uuid
changed_when: false
- name: Get UUID for /boot filesystem
when: partitioning_separate_boot | bool
ansible.builtin.command: >-
blkid -s UUID -o value '{{ install_drive }}{{ partitioning_boot_fs_partition_suffix }}'
register: partitioning_boot_fs_uuid
changed_when: false
- name: Get UUID for main filesystem
ansible.builtin.command: blkid -s UUID -o value '{{ partitioning_root_device }}'
register: partitioning_main_uuid
changed_when: false
- name: Get UUID for LVM root filesystem
when: system_cfg.filesystem != 'btrfs'
ansible.builtin.command: blkid -s UUID -o value /dev/sys/root
register: partitioning_uuid_root_result
changed_when: false
- name: Get UUID for LVM swap filesystem
when:
- system_cfg.filesystem != 'btrfs'
- system_cfg.features.swap.enabled | bool
ansible.builtin.command: blkid -s UUID -o value /dev/sys/swap
register: partitioning_uuid_swap_result
changed_when: false
- name: Get UUID for LVM home filesystem
when:
- system_cfg.filesystem != 'btrfs'
- system_cfg.features.cis.enabled
ansible.builtin.command: blkid -s UUID -o value /dev/sys/home
register: partitioning_uuid_home_result
changed_when: false
- name: Get UUID for LVM var filesystem
when:
- system_cfg.filesystem != 'btrfs'
- system_cfg.features.cis.enabled
ansible.builtin.command: blkid -s UUID -o value /dev/sys/var
register: partitioning_uuid_var_result
changed_when: false
- name: Get UUID for LVM var_log filesystem
when:
- system_cfg.filesystem != 'btrfs'
- system_cfg.features.cis.enabled
ansible.builtin.command: blkid -s UUID -o value /dev/sys/var_log
register: partitioning_uuid_var_log_result
changed_when: false
- name: Get UUID for LVM var_log_audit filesystem
when:
- system_cfg.filesystem != 'btrfs'
- system_cfg.features.cis.enabled
ansible.builtin.command: blkid -s UUID -o value /dev/sys/var_log_audit
register: partitioning_uuid_var_log_audit_result
changed_when: false
- name: Assign UUIDs to Variables
when: system_cfg.filesystem != 'btrfs'
ansible.builtin.set_fact:
partitioning_uuid_root: "{{ partitioning_uuid_root_result.stdout_lines | default([]) }}"
partitioning_uuid_swap: >-
{{
partitioning_uuid_swap_result.stdout_lines | default([])
if system_cfg.features.swap.enabled | bool
else ''
}}
partitioning_uuid_home: >-
{{
partitioning_uuid_home_result.stdout_lines | default([])
if system_cfg.features.cis.enabled
else ''
}}
partitioning_uuid_var: >-
{{
partitioning_uuid_var_result.stdout_lines | default([])
if system_cfg.features.cis.enabled
else ''
}}
partitioning_uuid_var_log: >-
{{
partitioning_uuid_var_log_result.stdout_lines | default([])
if system_cfg.features.cis.enabled
else ''
}}
partitioning_uuid_var_log_audit: >-
{{
partitioning_uuid_var_log_audit_result.stdout_lines | default([])
if system_cfg.features.cis.enabled
else ''
}}
- name: Mount filesystems - name: Mount filesystems
block: ansible.builtin.include_tasks: _mount.yml
- name: Mount filesystems and subvolumes
when:
- >-
system_cfg.features.cis.enabled or (
not system_cfg.features.cis.enabled and (
(system_cfg.filesystem == 'btrfs' and item.path in ['/home', '/var/log', '/var/cache/pacman/pkg'])
or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit', '/var/cache/pacman/pkg'])
)
)
- >-
not (item.path in ['/swap', '/var/cache/pacman/pkg'] and system_cfg.filesystem != 'btrfs')
- system_cfg.features.swap.enabled | bool or item.path != '/swap'
ansible.posix.mount:
path: /mnt{{ item.path }}
src: "{{ 'UUID=' + (partitioning_main_uuid.stdout if system_cfg.filesystem == 'btrfs' else item.uuid) }}"
fstype: "{{ system_cfg.filesystem }}"
opts: "{{ item.opts }}"
state: mounted
loop:
- path: ""
uuid: "{{ partitioning_uuid_root[0] | default(omit) }}"
opts: >-
{{
'defaults'
if system_cfg.filesystem != 'btrfs'
else [
'rw', 'relatime', partitioning_btrfs_compress_opt, 'ssd', 'space_cache=v2',
'discard=async', 'subvol=@'
] | reject('equalto', '') | join(',')
}}
- path: /swap
opts: >-
{{
[
'rw', 'nosuid', 'nodev', 'relatime', partitioning_btrfs_compress_opt, 'ssd',
'space_cache=v2', 'discard=async', 'subvol=@swap'
] | reject('equalto', '') | join(',')
}}
- path: /home
uuid: "{{ partitioning_uuid_home[0] | default(omit) }}"
opts: >-
{{
'defaults,nosuid,nodev'
if system_cfg.filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'relatime', partitioning_btrfs_compress_opt, 'ssd',
'space_cache=v2', 'discard=async', 'subvol=@home'
] | reject('equalto', '') | join(',')
}}
- path: /var
uuid: "{{ partitioning_uuid_var[0] | default(omit) }}"
opts: >-
{{
'defaults,nosuid,nodev'
if system_cfg.filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'relatime', partitioning_btrfs_compress_opt, 'ssd',
'space_cache=v2', 'discard=async', 'subvol=@var'
] | reject('equalto', '') | join(',')
}}
- path: /var/log
uuid: "{{ partitioning_uuid_var_log[0] | default(omit) }}"
opts: >-
{{
'defaults,nosuid,nodev,noexec'
if system_cfg.filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'noexec', 'relatime', partitioning_btrfs_compress_opt,
'ssd', 'space_cache=v2', 'discard=async', 'subvol=@var_log'
] | reject('equalto', '') | join(',')
}}
- path: /var/cache/pacman/pkg
uuid: "{{ partitioning_uuid_root | default([]) | first | default(omit) }}"
opts: >-
{{
'defaults,nosuid,nodev,noexec'
if system_cfg.filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'noexec', 'relatime', partitioning_btrfs_compress_opt,
'ssd', 'space_cache=v2', 'discard=async', 'subvol=@pkg'
] | reject('equalto', '') | join(',')
}}
- path: /var/log/audit
uuid: "{{ partitioning_uuid_var_log_audit[0] | default(omit) }}"
opts: >-
{{
'defaults,nosuid,nodev,noexec'
if system_cfg.filesystem != 'btrfs'
else [
'rw', 'nosuid', 'nodev', 'noexec', 'relatime', partitioning_btrfs_compress_opt,
'ssd', 'space_cache=v2', 'discard=async', 'subvol=@var_log_audit'
] | reject('equalto', '') | join(',')
}}
- name: Mount /boot filesystem
when: partitioning_separate_boot | bool
ansible.posix.mount:
path: /mnt/boot
src: "UUID={{ partitioning_boot_fs_uuid.stdout }}"
fstype: "{{ partitioning_boot_fs_fstype }}"
opts: defaults
state: mounted
- name: Mount boot filesystem
ansible.posix.mount:
path: "/mnt{{ partitioning_efi_mountpoint }}"
src: UUID={{ partitioning_boot_uuid.stdout }}
fstype: vfat
state: mounted
- name: Activate swap
when: system_cfg.features.swap.enabled | bool
vars:
partitioning_swap_cmd: >-
{{ 'swapon /mnt/swap/swapfile' if system_cfg.filesystem == 'btrfs' else 'swapon -U ' + partitioning_uuid_swap[0] }}
ansible.builtin.command: "{{ partitioning_swap_cmd }}"
register: partitioning_swap_activate_result
changed_when: partitioning_swap_activate_result.rc == 0
- name: Mount additional disks - name: Mount additional disks
ansible.builtin.include_tasks: extra_disks.yml ansible.builtin.include_tasks: extra_disks.yml

5
roles/partitioning/tasks/xfs.yml
View File

@@ -2,8 +2,9 @@
- name: Create and format XFS logical volumes - name: Create and format XFS logical volumes
when: system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'] when: system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
community.general.filesystem: community.general.filesystem:
dev: /dev/sys/{{ item.lv }} dev: /dev/{{ partitioning_vg_name }}/{{ item.lv }}
fstype: xfs fstype: xfs
opts: "{{ '-m bigtime=0 -i nrext64=0,exchange=0 -n parent=0' if is_rhel | bool else omit }}"
force: true force: true
loop: loop:
- { lv: root } - { lv: root }
@@ -11,3 +12,5 @@
- { lv: var } - { lv: var }
- { lv: var_log } - { lv: var_log }
- { lv: var_log_audit } - { lv: var_log_audit }
loop_control:
label: "{{ item.lv }}"

27
roles/system_check/tasks/main.yml
View File

@@ -1,4 +1,14 @@
--- ---
- name: Physical install safety confirmation
when: system_cfg.type == "physical"
ansible.builtin.assert:
that:
- physical_install_confirmed | default(false) | bool
fail_msg: >-
DANGER: Physical install will WIPE {{ install_drive }} on {{ inventory_hostname }}.
Set physical_install_confirmed=true in inventory to proceed.
quiet: true
- name: VM existence protection check - name: VM existence protection check
when: system_cfg.type == "virtual" when: system_cfg.type == "virtual"
block: block:
@@ -23,23 +33,27 @@
Please choose a different hostname or remove the existing VM manually before proceeding. Please choose a different hostname or remove the existing VM manually before proceeding.
quiet: true quiet: true
- name: Check if VM already exists on Proxmox - name: Check VM existence on Proxmox
when: hypervisor_type == "proxmox" when: hypervisor_type == "proxmox"
delegate_to: localhost delegate_to: localhost
become: false become: false
module_defaults:
community.proxmox.proxmox_vm_info: community.proxmox.proxmox_vm_info:
api_host: "{{ hypervisor_cfg.url }}" api_host: "{{ hypervisor_cfg.url }}"
api_user: "{{ hypervisor_cfg.username }}" api_user: "{{ hypervisor_cfg.username }}"
api_password: "{{ hypervisor_cfg.password }}" api_password: "{{ hypervisor_cfg.password }}"
block:
- name: Query Proxmox for existing VM
community.proxmox.proxmox_vm_info:
node: "{{ hypervisor_cfg.host }}" node: "{{ hypervisor_cfg.host }}"
vmid: "{{ system_cfg.id }}" vmid: "{{ system_cfg.id }}"
name: "{{ hostname }}" name: "{{ hostname }}"
type: qemu type: qemu
register: system_check_proxmox_check_result register: system_check_proxmox_check_result
changed_when: false changed_when: false
no_log: true
- name: Abort if VM already exists on Proxmox - name: Abort if VM already exists on Proxmox
when: hypervisor_type == "proxmox"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- system_check_proxmox_check_result.proxmox_vms | default([]) | length == 0 - system_check_proxmox_check_result.proxmox_vms | default([]) | length == 0
@@ -49,23 +63,27 @@
Please choose a different hostname or VM ID, or remove the existing VM manually before proceeding. Please choose a different hostname or VM ID, or remove the existing VM manually before proceeding.
quiet: true quiet: true
- name: Check if VM already exists in vCenter - name: Check VM existence in vCenter
when: hypervisor_type == "vmware" when: hypervisor_type == "vmware"
delegate_to: localhost delegate_to: localhost
module_defaults:
community.vmware.vmware_guest_info: community.vmware.vmware_guest_info:
hostname: "{{ hypervisor_cfg.url }}" hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}" username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}" password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}" validate_certs: "{{ hypervisor_cfg.certs | bool }}"
block:
- name: Query vCenter for existing VM
community.vmware.vmware_guest_info:
datacenter: "{{ hypervisor_cfg.datacenter }}" datacenter: "{{ hypervisor_cfg.datacenter }}"
name: "{{ hostname }}" name: "{{ hostname }}"
folder: "{{ system_cfg.path if system_cfg.path | length > 0 else omit }}" folder: "{{ system_cfg.path if system_cfg.path | length > 0 else omit }}"
register: system_check_vmware_check_result register: system_check_vmware_check_result
failed_when: false failed_when: false
changed_when: false changed_when: false
no_log: true
- name: Fail if vCenter lookup failed unexpectedly - name: Fail if vCenter lookup failed unexpectedly
when: hypervisor_type == "vmware"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- not system_check_vmware_check_result.failed - not system_check_vmware_check_result.failed
@@ -76,7 +94,6 @@
quiet: true quiet: true
- name: Abort if VM already exists in vCenter - name: Abort if VM already exists in vCenter
when: hypervisor_type == "vmware"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- system_check_vmware_check_result.instance is not defined - system_check_vmware_check_result.instance is not defined

9
roles/virtualization/defaults/main.yml
View File

@@ -1,4 +1,9 @@
--- ---
# Cloud-init support matrix:
# libvirt — cloud-init ISO attached as CDROM (user-data + network-config)
# proxmox — cloud-init via Proxmox API (cicustom, ciuser, cipassword, etc.)
# vmware — no cloud-init; configuration is applied post-install via chroot
# xen — no cloud-init; configuration is applied post-install via chroot
virtualization_libvirt_image_dir: >- virtualization_libvirt_image_dir: >-
{{ {{
system_cfg.path system_cfg.path
@@ -11,6 +16,10 @@ virtualization_libvirt_cloudinit_path: >-
{{ [virtualization_libvirt_image_dir, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }} {{ [virtualization_libvirt_image_dir, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}
virtualization_xen_disk_path: /var/lib/xen/images virtualization_xen_disk_path: /var/lib/xen/images
virtualization_libvirt_machine_type: q35
virtualization_libvirt_ovmf_code: /usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd
virtualization_libvirt_ovmf_vars: /usr/share/edk2/x64/OVMF_VARS.4m.fd
virtualization_tpm2_enabled: >- virtualization_tpm2_enabled: >-
{{ {{
(system_cfg.luks.enabled | bool) (system_cfg.luks.enabled | bool)

16
roles/virtualization/tasks/libvirt.yml
View File

@@ -3,7 +3,7 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
virtualization_libvirt_disks: "{{ virtualization_libvirt_disks | default([]) + [virtualization_libvirt_disk_cfg] }}" virtualization_libvirt_disks: "{{ virtualization_libvirt_disks | default([]) + [virtualization_libvirt_disk_cfg] }}"
vars: vars:
device_letter_map: "abcdefghijklmnopqrstuvwxyz" device_letter_map: "{{ disk_letter_map }}"
device_letter: "{{ device_letter_map[ansible_loop.index0] }}" device_letter: "{{ device_letter_map[ansible_loop.index0] }}"
virtualization_libvirt_disk_cfg: >- virtualization_libvirt_disk_cfg: >-
{{ {{
@@ -23,7 +23,6 @@
loop_control: loop_control:
label: "{{ item | to_json }}" label: "{{ item | to_json }}"
extended: true extended: true
changed_when: false
- name: Create VM disks - name: Create VM disks
delegate_to: localhost delegate_to: localhost
@@ -45,10 +44,11 @@
ansible.builtin.template: ansible.builtin.template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: /tmp/{{ item.dest_prefix }}-{{ hostname }}.yml dest: /tmp/{{ item.dest_prefix }}-{{ hostname }}.yml
mode: "0644" mode: "0600"
loop: loop:
- { src: cloud-user-data.yml.j2, dest_prefix: cloud-user-data } - { src: cloud-user-data.yml.j2, dest_prefix: cloud-user-data }
- { src: cloud-network-config.yml.j2, dest_prefix: cloud-network-config } - { src: cloud-network-config.yml.j2, dest_prefix: cloud-network-config }
no_log: true
- name: Create cloud-init disk - name: Create cloud-init disk
delegate_to: localhost delegate_to: localhost
@@ -61,6 +61,16 @@
- "/tmp/cloud-network-config-{{ hostname }}.yml" - "/tmp/cloud-network-config-{{ hostname }}.yml"
creates: "{{ virtualization_libvirt_cloudinit_path }}" creates: "{{ virtualization_libvirt_cloudinit_path }}"
- name: Remove cloud-init temp files
delegate_to: localhost
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /tmp/cloud-user-data-{{ hostname }}.yml
- /tmp/cloud-network-config-{{ hostname }}.yml
# uri defaults to qemu:///system (local libvirtd)
- name: Create VM using libvirt - name: Create VM using libvirt
delegate_to: localhost delegate_to: localhost
community.libvirt.virt: community.libvirt.virt:

19
roles/virtualization/tasks/proxmox.yml
View File

@@ -1,6 +1,14 @@
--- ---
- name: Deploy VM on Proxmox - name: Deploy VM on Proxmox
delegate_to: localhost delegate_to: localhost
module_defaults:
community.proxmox.proxmox_kvm:
api_host: "{{ hypervisor_cfg.url }}"
api_user: "{{ hypervisor_cfg.username }}"
api_password: "{{ hypervisor_cfg.password }}"
node: "{{ hypervisor_cfg.host }}"
block:
- name: Create VM on Proxmox
vars: vars:
virtualization_proxmox_scsi: >- virtualization_proxmox_scsi: >-
{%- set out = {} -%} {%- set out = {} -%}
@@ -31,13 +39,9 @@
{%- endfor -%} {%- endfor -%}
{{ out }} {{ out }}
community.proxmox.proxmox_kvm: community.proxmox.proxmox_kvm:
api_host: "{{ hypervisor_cfg.url }}"
api_user: "{{ hypervisor_cfg.username }}"
api_password: "{{ hypervisor_cfg.password }}"
ciuser: "{{ system_cfg.users[0].name }}" ciuser: "{{ system_cfg.users[0].name }}"
cipassword: "{{ system_cfg.users[0].password }}" cipassword: "{{ system_cfg.users[0].password }}"
ciupgrade: false ciupgrade: false
node: "{{ hypervisor_cfg.host }}"
vmid: "{{ system_cfg.id }}" vmid: "{{ system_cfg.id }}"
name: "{{ hostname }}" name: "{{ hostname }}"
cpu: host cpu: host
@@ -74,17 +78,14 @@
searchdomains: "{{ system_cfg.network.dns.search if system_cfg.network.dns.search | length else omit }}" searchdomains: "{{ system_cfg.network.dns.search if system_cfg.network.dns.search | length else omit }}"
onboot: true onboot: true
state: present state: present
no_log: true
- name: Start VM on Proxmox - name: Start VM on Proxmox
delegate_to: localhost
community.proxmox.proxmox_kvm: community.proxmox.proxmox_kvm:
api_host: "{{ hypervisor_cfg.url }}"
api_user: "{{ hypervisor_cfg.username }}"
api_password: "{{ hypervisor_cfg.password }}"
node: "{{ hypervisor_cfg.host }}"
name: "{{ hostname }}" name: "{{ hostname }}"
vmid: "{{ system_cfg.id }}" vmid: "{{ system_cfg.id }}"
state: started state: started
no_log: true
register: virtualization_proxmox_start_result register: virtualization_proxmox_start_result
- name: Set VM created fact - name: Set VM created fact

47
roles/virtualization/tasks/vmware.yml
View File

@@ -10,10 +10,31 @@
loop: "{{ system_cfg.disks }}" loop: "{{ system_cfg.disks }}"
loop_control: loop_control:
label: "{{ item | to_json }}" label: "{{ item | to_json }}"
changed_when: false
- name: Create VM in vCenter - name: Deploy VM in vCenter
delegate_to: localhost delegate_to: localhost
module_defaults:
community.vmware.vmware_guest:
hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}"
datacenter: "{{ hypervisor_cfg.datacenter }}"
community.vmware.vmware_guest_tpm:
hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}"
datacenter: "{{ hypervisor_cfg.datacenter }}"
vmware.vmware.vm_powerstate:
hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}"
datacenter: "{{ hypervisor_cfg.datacenter }}"
block:
# community.vmware: full-featured guest management
- name: Create VM in vCenter
vars: vars:
virtualization_vmware_networks: >- virtualization_vmware_networks: >-
{%- set ns = namespace(out=[]) -%} {%- set ns = namespace(out=[]) -%}
@@ -26,14 +47,10 @@
{%- endfor -%} {%- endfor -%}
{{ ns.out }} {{ ns.out }}
community.vmware.vmware_guest: community.vmware.vmware_guest:
hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}"
datacenter: "{{ hypervisor_cfg.datacenter }}"
cluster: "{{ hypervisor_cfg.cluster }}" cluster: "{{ hypervisor_cfg.cluster }}"
folder: "{{ system_cfg.path if system_cfg.path | string | length > 0 else omit }}" folder: "{{ system_cfg.path if system_cfg.path | string | length > 0 else omit }}"
name: "{{ hostname }}" name: "{{ hostname }}"
# Generic guest ID — VMware auto-detects OS post-install
guest_id: otherLinux64Guest guest_id: otherLinux64Guest
annotation: | annotation: |
{{ note if note is defined else '' }} {{ note if note is defined else '' }}
@@ -65,6 +82,7 @@
} ] if rhel_iso is defined and rhel_iso | length > 0 else [] ) } ] if rhel_iso is defined and rhel_iso | length > 0 else [] )
}} }}
networks: "{{ virtualization_vmware_networks }}" networks: "{{ virtualization_vmware_networks }}"
no_log: true
register: virtualization_vmware_create_result register: virtualization_vmware_create_result
- name: Set VM created fact when VM was powered on during creation - name: Set VM created fact when VM was powered on during creation
@@ -77,28 +95,19 @@
- name: Ensure vTPM2 is enabled when required - name: Ensure vTPM2 is enabled when required
when: virtualization_tpm2_enabled | bool when: virtualization_tpm2_enabled | bool
delegate_to: localhost
community.vmware.vmware_guest_tpm: community.vmware.vmware_guest_tpm:
hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}"
datacenter: "{{ hypervisor_cfg.datacenter }}"
folder: "{{ system_cfg.path if system_cfg.path | string | length > 0 else omit }}" folder: "{{ system_cfg.path if system_cfg.path | string | length > 0 else omit }}"
name: "{{ hostname }}" name: "{{ hostname }}"
state: present state: present
no_log: true
# vmware.vmware: modern collection for power operations
- name: Start VM in vCenter - name: Start VM in vCenter
when: virtualization_tpm2_enabled | bool when: virtualization_tpm2_enabled | bool
delegate_to: localhost
vmware.vmware.vm_powerstate: vmware.vmware.vm_powerstate:
hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}"
datacenter: "{{ hypervisor_cfg.datacenter }}"
name: "{{ hostname }}" name: "{{ hostname }}"
state: powered-on state: powered-on
no_log: true
register: virtualization_vmware_start_result register: virtualization_vmware_start_result
- name: Set VM created fact when VM was started separately (TPM2 case) - name: Set VM created fact when VM was started separately (TPM2 case)

28
roles/virtualization/tasks/xen.yml
View File

@@ -5,7 +5,7 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
virtualization_xen_disks: "{{ virtualization_xen_disks | default([]) + [virtualization_xen_disk_cfg] }}" virtualization_xen_disks: "{{ virtualization_xen_disks | default([]) + [virtualization_xen_disk_cfg] }}"
vars: vars:
device_letter_map: "abcdefghijklmnopqrstuvwxyz" device_letter_map: "{{ disk_letter_map }}"
device_letter: "{{ device_letter_map[ansible_loop.index0] }}" device_letter: "{{ device_letter_map[ansible_loop.index0] }}"
virtualization_xen_disk_cfg: >- virtualization_xen_disk_cfg: >-
{{ {{
@@ -49,6 +49,16 @@
dest: /tmp/xen-{{ hostname }}.cfg dest: /tmp/xen-{{ hostname }}.cfg
mode: "0644" mode: "0644"
- name: Check if Xen VM already exists
delegate_to: localhost
ansible.builtin.command:
argv:
- xl
- list
register: virtualization_xen_pre_check
changed_when: false
failed_when: false
- name: Create Xen VM - name: Create Xen VM
delegate_to: localhost delegate_to: localhost
ansible.builtin.command: ansible.builtin.command:
@@ -58,8 +68,11 @@
- /tmp/xen-{{ hostname }}.cfg - /tmp/xen-{{ hostname }}.cfg
register: virtualization_xen_create_result register: virtualization_xen_create_result
changed_when: virtualization_xen_create_result.rc == 0 changed_when: virtualization_xen_create_result.rc == 0
when: >-
not (virtualization_xen_pre_check.stdout | default('')
is search('(?m)^' ~ (hostname | ansible.builtin.regex_escape) ~ '\\s+\\d+\\s'))
- name: Ensure VM is running - name: Verify VM is running
delegate_to: localhost delegate_to: localhost
ansible.builtin.command: ansible.builtin.command:
argv: argv:
@@ -67,13 +80,10 @@
- list - list
register: virtualization_xen_list_result register: virtualization_xen_list_result
changed_when: false changed_when: false
failed_when: false failed_when: >-
not (virtualization_xen_list_result.stdout | default('')
is search('(?m)^' ~ (hostname | ansible.builtin.regex_escape) ~ '\\s+\\d+\\s'))
- name: Set VM created fact - name: Set VM created fact
ansible.builtin.set_fact: ansible.builtin.set_fact:
virtualization_vm_created_in_run: true virtualization_vm_created_in_run: "{{ (virtualization_xen_create_result.rc | default(1)) == 0 }}"
when:
- virtualization_xen_list_result is defined
- >-
virtualization_xen_list_result.stdout | default('')
is search('(?m)^' ~ (hostname | ansible.builtin.regex_escape) ~ '\\s+\\d+\\s')

4
roles/virtualization/templates/cloud-network-config.yml.j2
View File

@@ -13,7 +13,9 @@ network:
addresses: addresses:
- "{{ iface.ip }}/{{ iface.prefix }}" - "{{ iface.ip }}/{{ iface.prefix }}"
{% if iface.gateway | default('') | string | length %} {% if iface.gateway | default('') | string | length %}
gateway4: "{{ iface.gateway }}" routes:
- to: default
via: "{{ iface.gateway }}"
{% endif %} {% endif %}
{% else %} {% else %}
dhcp4: true dhcp4: true

6
roles/virtualization/templates/cloud-user-data.yml.j2
View File

@@ -1,5 +1,5 @@
#cloud-config #cloud-config
hostname: "archiso" hostname: "{{ hostname }}"
ssh_pwauth: true ssh_pwauth: true
package_update: false package_update: false
package_upgrade: false package_upgrade: false
@@ -8,10 +8,10 @@ users:
- name: "{{ user.name }}" - name: "{{ user.name }}"
primary_group: "{{ user.name }}" primary_group: "{{ user.name }}"
groups: users groups: users
sudo: "{{ user.sudo | default('ALL=(ALL) NOPASSWD:ALL') }}" sudo: "ALL=(ALL) NOPASSWD:ALL"
passwd: "{{ user.password | password_hash('sha512') }}" passwd: "{{ user.password | password_hash('sha512') }}"
lock_passwd: false lock_passwd: false
{% set ssh_keys = user.keys | default([]) %} {% set ssh_keys = user['keys'] | default([]) %}
{% if ssh_keys | length > 0 %} {% if ssh_keys | length > 0 %}
ssh_authorized_keys: ssh_authorized_keys:
{% for key in ssh_keys %} {% for key in ssh_keys %}

13
roles/virtualization/templates/vm.xml.j2
View File

@@ -1,15 +1,15 @@
<domain type='kvm'> <domain type='kvm'>
<name>{{ hostname }}</name> <name>{{ hostname }}</name>
<memory>{{ system_cfg.memory | int * 1024 }}</memory> <memory unit='KiB'>{{ system_cfg.memory | int * 1024 }}</memory>
{% if system_cfg.balloon is defined and system_cfg.balloon | int > 0 %}<currentMemory>{{ system_cfg.balloon | int * 1024 }}</currentMemory>{% endif %} {% if system_cfg.balloon is defined and system_cfg.balloon | int > 0 %}<currentMemory unit='KiB'>{{ system_cfg.balloon | int * 1024 }}</currentMemory>{% endif %}
<vcpu placement='static'>{{ system_cfg.cpus }}</vcpu> <vcpu placement='static'>{{ system_cfg.cpus }}</vcpu>
<os> <os>
<type arch='x86_64' machine="pc-q35-8.0">hvm</type> <type arch='x86_64' machine="{{ virtualization_libvirt_machine_type }}">hvm</type>
<bootmenu enable='no'/> <bootmenu enable='no'/>
<boot dev='hd'/> <boot dev='hd'/>
<boot dev='cdrom'/> <boot dev='cdrom'/>
<loader readonly="yes" type="pflash">/usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd</loader> <loader readonly="yes" type="pflash">{{ virtualization_libvirt_ovmf_code }}</loader>
<nvram template="/usr/share/edk2/x64/OVMF_VARS.4m.fd"/> <nvram template="{{ virtualization_libvirt_ovmf_vars }}"/>
</os> </os>
<features> <features>
<acpi/> <acpi/>
@@ -33,17 +33,20 @@
<driver name="qemu" type="raw"/> <driver name="qemu" type="raw"/>
<source file="{{ boot_iso }}"/> <source file="{{ boot_iso }}"/>
<target dev="sda" bus="sata"/> <target dev="sda" bus="sata"/>
<readonly/>
</disk> </disk>
<disk type="file" device="cdrom"> <disk type="file" device="cdrom">
<driver name="qemu" type="raw"/> <driver name="qemu" type="raw"/>
<source file="{{ virtualization_libvirt_cloudinit_path }}"/> <source file="{{ virtualization_libvirt_cloudinit_path }}"/>
<target dev="sdb" bus="sata"/> <target dev="sdb" bus="sata"/>
<readonly/>
</disk> </disk>
{% if rhel_iso is defined and rhel_iso | length > 0 %} {% if rhel_iso is defined and rhel_iso | length > 0 %}
<disk type="file" device="cdrom"> <disk type="file" device="cdrom">
<driver name="qemu" type="raw"/> <driver name="qemu" type="raw"/>
<source file="{{ rhel_iso }}"/> <source file="{{ rhel_iso }}"/>
<target dev="sdc" bus="sata"/> <target dev="sdc" bus="sata"/>
<readonly/>
</disk> </disk>
{% endif %} {% endif %}
{% for iface in system_cfg.network.interfaces %} {% for iface in system_cfg.network.interfaces %}

2
templates/xen.cfg.j2 → roles/virtualization/templates/xen.cfg.j2
View File

@@ -12,7 +12,7 @@ disk = [
] ]
vif = [ vif = [
{%- for iface in system_cfg.network.interfaces -%} {%- for iface in system_cfg.network.interfaces -%}
'bridge={{ iface.bridge }},model=e1000'{% if not loop.last %}, {% endif %} 'bridge={{ iface.bridge }},model=virtio'{% if not loop.last %}, {% endif %}
{%- endfor -%} {%- endfor -%}
] ]
boot = "{{ 'dc' if xen_installer_media_enabled | bool else 'c' }}" boot = "{{ 'dc' if xen_installer_media_enabled | bool else 'c' }}"

10
templates/rocky.repo.j2
View File

@@ -1,10 +0,0 @@
[rocky-baseos]
name=Rocky Linux $releasever - BaseOS
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/os/
gpgcheck=1
enabled=1
countme=1
gpgkey=https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-$releasever
metadata_expire=86400
enabled_metadata=1