sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sandwich:master
Branches Tags
sandwich:master
..
compare: sandwich:a76f317f8fcb96b60c8f317c7b7a78bb88ba5dd0
Branches Tags
sandwich:master

93 Commits
master ... a76f317f8f

Author SHA1 Message Date
Sandwich
a76f317f8f refactor(bootstrap): restructure package lists to self-contained per-OS dicts with base/extra/conditional 2026-02-21 02:39:06 +01:00
Sandwich
e5bd152fb3 refactor(environment): split main.yml into focused sub-task files 2026-02-21 02:39:05 +01:00
Sandwich
6d1c3577df refactor(global_defaults): add idempotency guards to normalization tasks 2026-02-21 02:39:03 +01:00
Sandwich
86f0284acb fix(global_defaults): default interface name to eth0 instead of empty string 2026-02-21 02:38:59 +01:00
Sandwich
221bb4d517 docs(cis): add comment explaining squashfs/snap Ubuntu exclusion 2026-02-21 02:38:58 +01:00
Sandwich
e81ba76446 chore(bootstrap): pin collection versions in requirements.yml 2026-02-21 02:38:57 +01:00
Sandwich
54bbb9d15c fix(bootstrap): move Jinja to end of task name and rename registers to bootstrap_dnf_* 2026-02-21 02:38:27 +01:00
Sandwich
f94b220020 docs: update README with cis dict API, execution pipeline, and cleanup defaults 2026-02-21 01:30:36 +01:00
Sandwich
3fd470d63e fix(validation): align btrfs disk size check with new 2GB swap minimum 2026-02-21 01:28:32 +01:00
Sandwich
a3cd507b2a refactor(bootstrap): unify rocky, almalinux, and fedora into shared _dnf_family.yml 2026-02-21 01:27:33 +01:00
Sandwich
f74ec325ea refactor(cis): extract hardcoded values to cis_defaults and add _normalize.yml 2026-02-21 01:26:31 +01:00
Sandwich
bef15af69f refactor(cleanup): prioritize source-match over target-match in libvirt media removal 2026-02-21 01:22:44 +01:00
Sandwich
7970d933e8 docs(cis): explain Fedora exclusion from crypto-policy configuration 2026-02-21 01:22:41 +01:00
Sandwich
a123a32feb fix(bootstrap): replace brittle sed with ansible.builtin.replace for ubuntu universe repo 2026-02-21 01:22:37 +01:00
Sandwich
54c704de4e refactor(virtualization): simplify cloud-user-data sudo to unconditional NOPASSWD 2026-02-21 01:22:34 +01:00
Sandwich
9308d09d7b fix(bootstrap): remove duplicate lrzsz and gate dbus-daemon on version in almalinux 2026-02-21 01:20:34 +01:00
Sandwich
f367844239 fix(virtualization): fix cloud-user-data sudo logic to respect sudo: false 2026-02-21 01:20:31 +01:00
Sandwich
53e4499d2b fix(partitioning): lower swap minimum from 4GB to 2GB for small VMs 2026-02-21 01:19:23 +01:00
Sandwich
eb63a4fa83 fix(partitioning): add wipefs before mkfs on extra disk partitions 2026-02-21 01:19:19 +01:00
Sandwich
9e3688ae2b fix(cis): strengthen kernel module blacklist and sysctl hardening 2026-02-21 01:18:52 +01:00
Sandwich
dea01cc8a0 refactor(partitioning): split monolithic main.yml into focused task files 2026-02-21 00:39:03 +01:00
Sandwich
92c9702e1d fix(validation): add CIDR prefix range check and Ubuntu version validation 2026-02-21 00:38:57 +01:00
Sandwich
c837a52a24 refactor(cis): remove redundant AllowUsers/AllowGroups/DenyUsers/DenyGroups from sshd 2026-02-21 00:38:52 +01:00
Sandwich
fbd57e0603 fix(cis): skip squashfs blacklist on Ubuntu to preserve snap functionality 2026-02-21 00:38:47 +01:00
Sandwich
40a9ee9882 fix(partitioning): correct changed_when on btrfs quota and qgroup commands 2026-02-21 00:38:43 +01:00
Sandwich
3448e95e5c fix(cis): add regexp to all lineinfile entries in security_lines.yml for idempotency 2026-02-21 00:38:36 +01:00
Sandwich
074831833f fix: add no_log to credential-handling pre_tasks and post_tasks in main.yml 2026-02-21 00:38:32 +01:00
Sandwich
d1a5217e88 fix(virtualization): add no_log and secure temp file handling to libvirt cloud-init 2026-02-21 00:38:28 +01:00
Sandwich
07492b5b57 refactor(cleanup): add configurable verify_boot, boot_timeout, and remove_on_failure defaults 2026-02-20 23:02:24 +01:00
Sandwich
14913bcd3d refactor: move playbook-root templates into their respective roles 2026-02-20 23:01:38 +01:00
Sandwich
041650c287 refactor: add loop_control labels to dict-based loops across all roles 2026-02-20 23:00:53 +01:00
Sandwich
a63ffbc731 refactor(partitioning): move btrfs home quota to configurable default 2026-02-20 22:55:37 +01:00
Sandwich
9d2f1cc5bd fix(environment): detect RHEL ISO device dynamically instead of hardcoded /dev/sr paths 2026-02-20 22:54:42 +01:00
Sandwich
f72f9feb9a refactor(global_defaults): split system.yml into composable normalization stages 2026-02-20 22:54:05 +01:00
Sandwich
417737f904 refactor(global_defaults): extract OS family lists to single source of truth 2026-02-20 22:52:55 +01:00
Sandwich
a06c2ebdcf fix(partitioning): add failed_when to all blkid commands to catch empty UUIDs 2026-02-20 22:52:18 +01:00
Sandwich
e174ecda42 fix(partitioning): add default fallbacks for is_rhel, os, os_version in defaults 2026-02-20 22:51:37 +01:00
Sandwich
5246a905bb fix(virtualization): use hostname variable instead of hardcoded archiso in cloud-user-data 2026-02-20 22:51:32 +01:00
Sandwich
d00d84b69c fix(virtualization): avoid no-handler lint finding in xen VM created tracking 2026-02-20 22:29:03 +01:00
Sandwich
4dafa8c596 fix(partitioning): fix line length violation in home size calculation 2026-02-20 22:28:58 +01:00
Sandwich
53584b8730 fix(configuration): add pipefail to root password shell pipe 2026-02-20 22:28:54 +01:00
Sandwich
ce40468b77 fix(bootstrap): use release map for ubuntu version detection 2026-02-20 22:27:46 +01:00
Sandwich
4b4fab3c33 chore: add .yamllint matching main project conventions 2026-02-20 22:27:31 +01:00
Sandwich
db2fab5e7d fix(configuration): use chpasswd for root password and separate shell setting 2026-02-20 22:27:17 +01:00
Sandwich
42be0a5919 fix(configuration): add explicit LUKS auto-decrypt fallback state tracking and logging 2026-02-20 22:26:47 +01:00
Sandwich
17400fa6ff refactor(partitioning): externalize hardcoded LVM and disk sizing constants to defaults 2026-02-20 22:26:23 +01:00
Sandwich
deb14d2c94 fix(virtualization): add xen VM existence check and improve changed_when 2026-02-20 22:25:10 +01:00
Sandwich
65c5b1029b fix(cis): add pipefail to sshd version detection and define binary defaults 2026-02-20 22:24:14 +01:00
Sandwich
a1fbb7c21d feat(cleanup): gate RHEL ISO disk and fstab handling on rhel_repo.source 2026-02-20 21:51:20 +01:00
Sandwich
d076ac8fef feat(global_defaults): add system.features.rhel_repo option (iso|satellite|none) 2026-02-20 21:51:16 +01:00
Sandwich
c82e4afc4d fix(encryption): add warning before silent TPM2-to-keyfile fallback 2026-02-20 21:51:12 +01:00
Sandwich
ac72fdc4a6 fix(partitioning): correct wipefs changed_when to report actual disk modification 2026-02-20 21:51:09 +01:00
Sandwich
b2e050c467 fix(validation): require password for primary user in system.users[0] 2026-02-20 21:51:06 +01:00
Sandwich
914d7dd9d1 fix(system_check): move no_log from block to individual API tasks 2026-02-20 21:51:02 +01:00
Sandwich
21bf8f79e2 fix(cis): make mlkem768x25519-sha256 KexAlgorithm conditional on OpenSSH 9.9+ 2026-02-20 21:50:58 +01:00
Sandwich
38feff4369 fix(cis): use is_rhel for journald config path instead of fedora-only check 2026-02-20 21:50:55 +01:00
Sandwich
404529e8a4 refactor(configuration): add conditional dispatch to task includes 2026-02-20 21:16:52 +01:00
Sandwich
3db18858c3 refactor(cis): move OS-specific binary resolution to vars/main.yml 2026-02-20 21:16:48 +01:00
Sandwich
72a9576abe refactor(configuration): split network.yml into per-init-system dispatch files 2026-02-20 21:16:45 +01:00
Sandwich
462c2c7dfe refactor(bootstrap): restructure conditional package lists to list concatenation 2026-02-20 21:16:40 +01:00
Sandwich
ef8bfeaf84 refactor(configuration): convert services.yml to list-based loop 2026-02-20 21:16:37 +01:00
Sandwich
ba6be037ac refactor(virt): adopt module_defaults for hypervisor credentials 2026-02-20 21:16:33 +01:00
Sandwich
5ca1c7f570 refactor(cleanup): restructure dispatch to use hypervisor_type include 2026-02-20 21:16:28 +01:00
Sandwich
cd8e477534 refactor(partitioning): extract VG name to defaults variable 2026-02-20 21:16:25 +01:00
Sandwich
c439e9741e fix(configuration): remove trailing blank line from extras.yml 2026-02-20 20:20:33 +01:00
Sandwich
0a5c70e49f docs(environment): document RPM GPG policy relaxation 2026-02-20 20:19:57 +01:00
Sandwich
19f2c9efe2 chore(bootstrap): align ansible.cfg with main project settings 2026-02-20 20:19:46 +01:00
Sandwich
230c74fd9b feat(system_check): add safety check for physical installs 2026-02-20 20:19:37 +01:00
Sandwich
a2c19e2e49 fix(cleanup): fix vmware CD-ROM omit fragility and add cross-role defaults 2026-02-20 20:19:25 +01:00
Sandwich
9f9a4b38b8 fix(virtualization): add XML safety attributes and switch xen to virtio 2026-02-20 20:18:49 +01:00
Sandwich
524356cf8d fix(cis): remove deprecated sshd options and update hardening values 2026-02-20 20:17:52 +01:00
Sandwich
a2993212ca fix(configuration): disambiguate BLS task names and clean up misc noise 2026-02-20 20:17:05 +01:00
Sandwich
fba2e5fc94 refactor(configuration): relocate login banner and fix blockinfile markers 2026-02-20 20:16:19 +01:00
Sandwich
cf68a93b45 fix(configuration): use short hostname and allow per-user shell 2026-02-20 20:15:49 +01:00
Sandwich
3000268a0e fix(partitioning): mount extra disks by UUID instead of device path 2026-02-20 20:15:25 +01:00
Sandwich
196c5be67a fix(partitioning): correct LVM swap sizing and harden UUID fallbacks 2026-02-20 20:15:00 +01:00
Sandwich
33bad193b4 fix(configuration): add trailing semicolons to NM keyfile DNS fields 2026-02-20 20:14:06 +01:00
Sandwich
d5277802f7 fix(bootstrap): add missing packages and remove duplicates 2026-02-20 20:13:53 +01:00
Sandwich
28e6cf50d1 fix(bootstrap): add devpts mount and use ephemeral state for RHEL DVD 2026-02-20 20:12:59 +01:00
Sandwich
42cb5071c2 fix(bootstrap): unify resolv.conf to live environment DNS symlink 2026-02-20 20:12:42 +01:00
Sandwich
23a798a63a fix(global_defaults): add no_log to hypervisor tasks and expand validation 2026-02-20 20:11:37 +01:00
Sandwich
5dd84c6b39 fix: configurable OVMF/machine type, routes syntax, package lists, interface names 2026-02-20 18:47:12 +01:00
Sandwich
d0ae20911b fix(cleanup): keep RHEL ISO ide1 attached as local repo 2026-02-20 18:41:40 +01:00
Sandwich
b6d06dd96d fix: deep analysis audit — no_log, resolv.conf, service conflicts, lint 2026-02-20 18:34:59 +01:00
Sandwich
09b3ed44ba fix(bootstrap): RHEL 9 bootstrap from Arch ISO compatibility 
- Generate resolv.conf from inventory DNS settings instead of copying
  host file (Arch ISO has systemd-resolved stub 127.0.0.53)
- Add XFS compat options for GRUB 2.06 and kernel 5.14 across LVM
  volumes, /boot partition, and data disks
- Mount API filesystems (proc, sys, dev) into chroot for RPM scriptlets
- Bypass GPG Sequoia validation with _pkgverify_level none
- Tolerate grub2-common scriptlet warnings
- Handle libvirt VM destroy gracefully during cleanup
 2026-02-20 16:58:59 +01:00
Sandwich
603abe63cb refactor: make bootstrap host target configurable 2026-02-20 16:58:59 +01:00
Sandwich
1c0e6533ae fix(ubuntu): add initramfs-tools to debootstrap base packages 2026-02-20 16:58:59 +01:00
Sandwich
00aa614cfd fix(bootstrap): use explicit keyring for debootstrap and copy resolv.conf 2026-02-20 16:58:59 +01:00
Sandwich
4905d10bc0 fix(cloud-init): handle boolean sudo values in user-data template 2026-02-20 16:58:59 +01:00
Sandwich
b4e8ccb77f fix: re-gather facts after reboot to detect target OS package manager 
The live ISO (Arch) caches ansible_pkg_mgr=pacman. After rebooting
into the target OS (e.g. Debian), package module fails because pacman
is not available. Re-gather minimal facts including pkg_mgr.
 2026-02-20 16:58:59 +01:00
Sandwich
2a82ee4d5c fix: resolve Jinja2 .keys ambiguity, fastfetch availability, and python interpreter 
- Use bracket notation item['keys'] instead of item.keys to avoid
  conflict with Python dict .keys() method
- Remove fastfetch from Debian 12 package list (only available in 13+)
- Set explicit python interpreter path for post-reboot tasks
 2026-02-20 16:58:58 +01:00
Sandwich
7b213e7456 fix(partitioning): create separate /boot for LVM-based filesystems 
VMware EFI firmware may not initialize all SCSI devices before GRUB
runs, preventing LVM assembly when the root LV spans multiple disks.
A separate /boot partition (the standard RHEL Anaconda layout) lets
GRUB load kernels without LVM; the kernel initramfs handles LVM
activation with proper device waiting.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-20 04:50:32 +01:00
Sandwich
cfc261878a fix(bootloader): run efibootmgr on host for universal chroot compatibility 
The previous approach ran efibootmgr inside the chroot, which only works
with arch-chroot (auto-mounts efivars) but fails silently with
systemd-nspawn or plain chroot. Move EFI boot entry creation to the host
where efivars is always available.

Also fixes wrong EFI loader path (\efi\EFI\... -> \EFI\...) and uses
the correct vendor label (e.g. "redhat" instead of raw os variable).

For non-RHEL distros, grub-install now uses --no-nvram to avoid
redundant NVRAM writes; the host efibootmgr handles entry creation
for all distros uniformly with idempotent pre-check.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-20 03:36:20 +01:00
94 changed files with 863 additions and 2239 deletions
Expand all files Collapse all files

2
.ansible-lint
View File

@@ -1,6 +1,4 @@
skip_list:
- run-once
- var-naming[no-role-prefix] # user-facing API dicts (cis, system, hypervisor) are intentionally not role-prefixed
- args[module] # false positives from variable-based module_defaults (_proxmox_auth, _vmware_auth)
exclude_paths:
- roles/global_defaults/

59
README.md
View File

@@ -91,7 +91,7 @@ all:
username: root@pam
password: !vault |
$ANSIBLE_VAULT...
node: pve01
host: pve01
storage: local-lvm
children:
@@ -202,29 +202,14 @@ When `interfaces` is empty, the flat fields (`bridge`, `ip`, `prefix`, `gateway`
#### `system.users`
Dict keyed by username. At least one user must have a `password` (used for SSH access during bootstrap). Users without a password get locked accounts (key-only auth).
```yaml
system:
users:
svcansible:
password: "vault_lookup"
keys:
- "ssh-ed25519 AAAA..."
appuser:
sudo: "ALL=(ALL) NOPASSWD: ALL"
keys:
- "ssh-ed25519 BBBB..."
```
| Key | Type | Default | Description |
| ---------- | ----------- | ------- | -------------------------------------------------- |
| *(dict key)* | string | -- | Username (required) |
| `password` | string | -- | User password (required for at least one user) |
| `name` | string | -- | Username (required) |
| `password` | string | -- | User password (required for first user) |
| `keys` | list | `[]` | SSH public keys |
| `sudo` | bool/string | -- | `true` for NOPASSWD ALL, or custom sudoers string |
Users must be defined in inventory. The dict format enables additive merging across inventory layers with `hash_behaviour=merge`.
The first user's credentials are prompted interactively via `vars_prompt` unless supplied in inventory or `-e`.
#### `system.root`
@@ -257,15 +242,7 @@ Users must be defined in inventory. The dict format enables additive merging acr
| Key | Type | Default | Description |
| -------- | ------------- | ------- | ---------------------------------------------- |
| `device` | string | `auto` | TPM2 device selector |
| `pcrs` | string/list | -- | PCR binding policy (e.g. `"7"` or `"0+7"`); empty = no PCR binding |
**TPM2 auto-unlock:** Uses `systemd-cryptenroll` on all distros. The user-set passphrase
remains as a backup unlock method. TPM2 enrollment runs in the chroot during bootstrap;
if it fails (e.g. no TPM2 hardware), the system boots with passphrase-only unlock and
TPM2 can be enrolled post-deployment via `systemd-cryptenroll --tpm2-device=auto <device>`.
On Debian/Ubuntu, TPM2 auto-unlock requires dracut (initramfs-tools does not support `tpm2-device`).
The bootstrap auto-switches to dracut when `method: tpm2` is set. Override via `features.initramfs.generator`.
| `pcrs` | string/list | -- | PCR binding policy (e.g. `"7"` or `"0+7"`) |
#### `system.features`
@@ -282,26 +259,6 @@ The bootstrap auto-switches to dracut when `method: tpm2` is set. Override via `
| `banner.motd` | bool | `false` | MOTD banner |
| `banner.sudo` | bool | `true` | Sudo banner |
| `chroot.tool` | string | `arch-chroot` | `arch-chroot`, `chroot`, or `systemd-nspawn` |
| `initramfs.generator` | string | auto-detected | Override initramfs generator (see below) |
| `desktop.*` | dict | see below | Desktop environment settings (see [4.2.5](#425-systemfeaturesdesktop)) |
**Initramfs generator auto-detection:** RedHat → dracut, Arch → mkinitcpio, Debian/Ubuntu → initramfs-tools.
Override with `dracut`, `mkinitcpio`, or `initramfs-tools`. When LUKS TPM2 auto-unlock is enabled and the
native generator does not support `tpm2-device`, the generator is automatically upgraded to dracut.
On distros with older dracut (no `tpm2-tss` module), clevis is used as a fallback for TPM2 binding.
#### 4.2.5 `system.features.desktop`
| Key | Type | Default | Description |
| ----------------- | ------ | -------------- | ----------------------------------------- |
| `enabled` | bool | `false` | Install desktop environment |
| `environment` | string | -- | `gnome`, `kde`, `xfce`, `sway`, `hyprland`, `cinnamon`, `mate`, `lxqt`, `budgie` |
| `display_manager` | string | auto-detected | Override DM: `gdm`, `sddm`, `lightdm`, `ly`, `greetd` |
When `enabled: true`, the bootstrap installs the desktop environment packages, enables the display manager
and bluetooth services, and sets the systemd default target to `graphical.target`.
Display manager auto-detection: gnome→gdm, kde→sddm, xfce→lightdm, sway→greetd, hyprland→ly.
### 4.3 `hypervisor` Dictionary
@@ -311,7 +268,7 @@ Display manager auto-detection: gnome→gdm, kde→sddm, xfce→lightdm, sway→
| `url` | string | -- | API host (Proxmox/VMware) |
| `username` | string | -- | API username |
| `password` | string | -- | API password |
| `node` | string | -- | Target compute node (Proxmox node / VMware ESXi host; mutually exclusive with `cluster` on VMware) |
| `host` | string | -- | Proxmox node name |
| `storage` | string | -- | Storage identifier (Proxmox/VMware) |
| `datacenter` | string | -- | VMware datacenter |
| `cluster` | string | -- | VMware cluster |
@@ -441,7 +398,7 @@ ansible-playbook -i inventory.yml main.yml
ansible-playbook -i inventory.yml main.yml -e @vars.yml
```
All credentials (`system.users`, `system.root.password`) must be defined in inventory or passed via `-e`.
Credentials for the first user and root are prompted interactively via `vars_prompt` unless already set in inventory or passed via `-e`.
Example inventory files are included:
@@ -451,7 +408,7 @@ Example inventory files are included:
## 7. Security
Use **Ansible Vault** for all sensitive values (`hypervisor.password`, `system.luks.passphrase`, user passwords in `system.users`, `system.root.password`).
Use **Ansible Vault** for all sensitive values (`hypervisor.password`, `system.luks.passphrase`, `system.users[].password`, `system.root.password`).
## 8. Safety

3
ansible.cfg
View File

@@ -3,6 +3,3 @@ hash_behaviour = merge
interpreter_python = auto_silent
deprecation_warnings = False
host_key_checking = False
[ssh_connection]
ssh_args = -C -o ControlMaster=auto -o ControlPersist=600s -o ServerAliveInterval=30 -o ServerAliveCountMax=10

2
inventory_example.yml
View File

@@ -6,7 +6,7 @@ all:
url: "pve01.example.com"
username: "root@pam"
password: "CHANGE_ME"
node: "pve01"
host: "pve01"
storage: "local-lvm"
boot_iso: "local:iso/archlinux-x86_64.iso"
children:

195
main.yml
View File

@@ -1,20 +1,97 @@
---
# Bootstrap pipeline — role execution order:
# 1. global_defaults — normalize + validate system/hypervisor/disk input
# 2. system_check — pre-flight hardware/environment safety checks
# 3. virtualization — create VM on hypervisor (libvirt/proxmox/vmware/xen)
# 4. environment — detect live ISO, configure installer network, install tools
# 5. partitioning — partition disk, create FS, LUKS, LVM, mount everything
# 6. bootstrap — debootstrap/pacstrap/dnf install the target OS into /mnt
# 7. configuration — users, network, encryption, fstab, bootloader, services
# 8. cis — CIS hardening (optional, per system.features.cis.enabled)
# 9. cleanup — unmount, remove cloud-init artifacts, reboot/shutdown
- name: Create and configure VMs
hosts: "{{ bootstrap_target | default('all') }}"
strategy: free # noqa: run-once[play]
gather_facts: false
become: true
vars_prompt:
- name: user_name
prompt: |
What is your username?
private: false
- name: user_public_key
prompt: |
What is your ssh key?
private: false
- name: user_password
prompt: |
What is your password?
confirm: true
- name: root_password
prompt: |
What is your root password?
confirm: true
pre_tasks:
- name: Apply prompted authentication values to system input
no_log: true
vars:
system_input: "{{ system | default({}) }}"
system_users_input: "{{ system_input.users | default([]) }}"
system_first_user: >-
{{
system_users_input[0]
if (system_users_input is iterable and system_users_input is not string
and system_users_input is not mapping and system_users_input | length > 0)
else {}
}}
system_root_input: "{{ (system_input.root | default({})) if (system_input.root is mapping) else {} }}"
prompt_user_name: "{{ user_name | default(system_user_name | default(''), true) | string }}"
prompt_user_key: "{{ user_public_key | default(user_key | default(system_user_key | default(''), true), true) | string | trim }}"
prompt_user_password: "{{ user_password | default(system_user_password | default(''), true) | string }}"
prompt_root_password: "{{ root_password | default(system_root_password | default(''), true) | string }}"
resolved_user:
name: >-
{{
system_first_user.name | string
if (system_first_user.name | default('') | string | length) > 0
else prompt_user_name
}}
keys: >-
{{
system_first_user['keys']
if (system_first_user['keys'] is defined
and system_first_user['keys'] is iterable
and system_first_user['keys'] is not string
and system_first_user['keys'] | length > 0)
else (
[prompt_user_key]
if (prompt_user_key | length > 0)
else []
)
}}
password: >-
{{
system_first_user.password | string
if (system_first_user.password | default('') | string | length) > 0
else prompt_user_password
}}
ansible.builtin.set_fact:
system: >-
{{
system_input
| combine(
{
'users': (
[resolved_user]
+ (system_users_input[1:]
if (system_users_input is sequence
and system_users_input is not string
and system_users_input | length > 1)
else [])
),
'root': {
'password': (
(system_root_input.password | default('') | string | length) > 0
) | ternary(system_root_input.password | string, prompt_root_password)
}
},
recursive=True
)
}}
- name: Load global defaults
ansible.builtin.import_role:
name: global_defaults
@@ -23,79 +100,32 @@
ansible.builtin.import_role:
name: system_check
tasks:
- name: Bootstrap pipeline
block:
- name: Record that no pre-existing VM was found
ansible.builtin.set_fact:
_vm_absent_before_bootstrap: true
roles:
- role: virtualization
when: system_cfg.type == "virtual"
become: false
vars:
ansible_connection: local
- name: Create virtual machine
when: system_cfg.type == "virtual"
ansible.builtin.include_role:
name: virtualization
public: true
vars:
ansible_connection: local
ansible_become: false
- role: environment
vars:
ansible_connection: "{{ 'vmware_tools' if hypervisor_type == 'vmware' else 'ssh' }}"
- name: Configure environment
ansible.builtin.include_role:
name: environment
public: true
- role: partitioning
vars:
partitioning_boot_partition_suffix: 1
partitioning_main_partition_suffix: 2
- name: Partition disks
ansible.builtin.include_role:
name: partitioning
public: true
vars:
partitioning_boot_partition_suffix: 1
partitioning_main_partition_suffix: 2
- role: bootstrap
- name: Install base system
ansible.builtin.include_role:
name: bootstrap
public: true
- role: configuration
- name: Apply system configuration
ansible.builtin.include_role:
name: configuration
public: true
- role: cis
when: system_cfg.features.cis.enabled | bool
- name: Apply CIS hardening
when: system_cfg.features.cis.enabled | bool
ansible.builtin.include_role:
name: cis
public: true
- name: Clean up and finalize
when: system_cfg.type in ["virtual", "physical"]
ansible.builtin.include_role:
name: cleanup
public: true
rescue:
- name: Delete VM on bootstrap failure
when:
- _vm_absent_before_bootstrap | default(false) | bool
- virtualization_vm_created_in_run | default(false) | bool
- system_cfg.type == "virtual"
ansible.builtin.include_role:
name: virtualization
tasks_from: delete
vars:
ansible_connection: local
ansible_become: false
tags:
- rescue_cleanup
- name: Fail host after bootstrap rescue
ansible.builtin.fail:
msg: >-
Bootstrap failed for {{ hostname }}.
{{ 'VM was deleted to allow clean retry.'
if (virtualization_vm_created_in_run | default(false))
else 'VM was not created in this run (kept).' }}
- role: cleanup
when: system_cfg.type in ["virtual", "physical"]
become: false
post_tasks:
- name: Set post-reboot connection flags
@@ -119,15 +149,10 @@
when:
- post_reboot_can_connect | bool
no_log: true
vars:
_primary: "{{ (system_cfg.users | dict2items | selectattr('value.password', 'defined') | first) }}"
ansible.builtin.set_fact:
ansible_connection: ssh
ansible_host: "{{ system_cfg.network.ip }}"
ansible_port: 22
ansible_user: "{{ _primary.key }}"
ansible_password: "{{ _primary.value.password }}"
ansible_become_password: "{{ _primary.value.password }}"
ansible_user: "{{ system_cfg.users[0].name }}"
ansible_password: "{{ system_cfg.users[0].password }}"
ansible_become_password: "{{ system_cfg.users[0].password }}"
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
ansible_python_interpreter: /usr/bin/python3

15
roles/bootstrap/defaults/main.yml
View File

@@ -1,15 +0,0 @@
---
# OS → task file mapping for bootstrap dispatch.
# Each key matches a supported `os` value; value is the task file to include.
bootstrap_os_task_map:
almalinux: _dnf_family.yml
alpine: alpine.yml
archlinux: archlinux.yml
debian: debian.yml
fedora: _dnf_family.yml
opensuse: opensuse.yml
rocky: _dnf_family.yml
rhel: rhel.yml
ubuntu: ubuntu.yml
ubuntu-lts: ubuntu.yml
void: void.yml

48
roles/bootstrap/tasks/_desktop.yml
View File

@@ -1,48 +0,0 @@
---
- name: Load desktop package definitions
ansible.builtin.include_vars:
file: desktop.yml
- name: Resolve desktop packages
vars:
_de: "{{ system_cfg.features.desktop.environment }}"
_family_pkgs: "{{ bootstrap_desktop_packages[os_family] | default({}) }}"
_de_config: "{{ _family_pkgs[_de] | default({}) }}"
ansible.builtin.set_fact:
_desktop_groups: "{{ _de_config.groups | default([]) }}"
_desktop_packages: "{{ _de_config.packages | default([]) }}"
- name: Validate desktop environment is supported
ansible.builtin.assert:
that:
- (_desktop_groups | length > 0) or (_desktop_packages | length > 0)
fail_msg: >-
Desktop environment '{{ system_cfg.features.desktop.environment }}'
is not defined for os_family '{{ os_family }}'.
Supported: {{ (bootstrap_desktop_packages[os_family] | default({})).keys() | join(', ') }}
quiet: true
- name: Install desktop package groups
when: _desktop_groups | length > 0
ansible.builtin.command: >-
{{ chroot_command }} dnf --releasever={{ os_version }}
--setopt=install_weak_deps=False group install -y {{ _desktop_groups | join(' ') }}
register: _desktop_group_result
changed_when: _desktop_group_result.rc == 0
- name: Install desktop packages
when: _desktop_packages | length > 0
vars:
_install_commands:
RedHat: >-
{{ chroot_command }} dnf --releasever={{ os_version }}
--setopt=install_weak_deps=False install -y {{ _desktop_packages | join(' ') }}
Debian: >-
{{ chroot_command }} apt install -y {{ _desktop_packages | join(' ') }}
Archlinux: >-
pacstrap /mnt {{ _desktop_packages | join(' ') }}
Suse: >-
{{ chroot_command }} zypper install -y {{ _desktop_packages | join(' ') }}
ansible.builtin.command: "{{ _install_commands[os_family] }}"
register: _desktop_pkg_result
changed_when: _desktop_pkg_result.rc == 0

22
roles/bootstrap/tasks/_dnf_family.yml
View File

@@ -18,16 +18,6 @@
groupinstall -y {{ _dnf_groups }}
register: bootstrap_dnf_base_result
changed_when: bootstrap_dnf_base_result.rc == 0
failed_when:
- bootstrap_dnf_base_result.rc != 0
- "'scriptlet' not in bootstrap_dnf_base_result.stderr"
- name: Ensure chroot has DNS resolution
ansible.builtin.file:
src: /run/NetworkManager/resolv.conf
dest: /mnt/etc/resolv.conf
state: link
force: true
- name: Install extra packages
ansible.builtin.command: >-
@@ -36,15 +26,7 @@
register: bootstrap_dnf_extra_result
changed_when: bootstrap_dnf_extra_result.rc == 0
- name: Detect installed kernel package name
ansible.builtin.command: "{{ chroot_command }} rpm -q kernel-core"
register: bootstrap_dnf_kernel_check
changed_when: false
failed_when: false
- name: Reinstall kernel package
vars:
_kernel_pkg: "{{ 'kernel-core' if bootstrap_dnf_kernel_check.rc == 0 else 'kernel' }}"
ansible.builtin.command: "{{ chroot_command }} dnf reinstall -y {{ _kernel_pkg }}"
- name: Reinstall kernel core
ansible.builtin.command: "{{ chroot_command }} dnf reinstall -y kernel-core"
register: bootstrap_dnf_kernel_result
changed_when: bootstrap_dnf_kernel_result.rc == 0

11
roles/bootstrap/tasks/_validate.yml
View File

@@ -1,11 +0,0 @@
---
# Resolve the OS-specific variable namespace and task file for the bootstrap role.
- name: Validate OS is supported for bootstrap
ansible.builtin.assert:
that:
- os is defined
- os in bootstrap_os_task_map
fail_msg: >-
Unsupported OS '{{ os | default("undefined") }}' for bootstrap.
Supported: {{ bootstrap_os_task_map | dict2items | map(attribute='key') | join(', ') }}
quiet: true

2
roles/bootstrap/tasks/archlinux.yml
View File

@@ -9,6 +9,6 @@
| list
}}
ansible.builtin.command: >-
pacstrap /mnt {{ bootstrap_archlinux_packages | join(' ') }}
pacstrap /mnt {{ bootstrap_archlinux_packages | join(' ') }} --asexplicit
register: bootstrap_result
changed_when: bootstrap_result.rc == 0

27
roles/bootstrap/tasks/debian.yml
View File

@@ -31,35 +31,10 @@
- name: Install Debian base system
ansible.builtin.command: >-
debootstrap --include={{ bootstrap_debian_base_csv }}
{{ bootstrap_debian_release }} /mnt {{ system_cfg.mirror }}
{{ bootstrap_debian_release }} /mnt https://deb.debian.org/debian/
register: bootstrap_debian_base_result
changed_when: bootstrap_debian_base_result.rc == 0
- name: Write bootstrap sources.list
ansible.builtin.template:
src: debian.sources.list.j2
dest: /mnt/etc/apt/sources.list
mode: "0644"
- name: Configure apt performance tuning
ansible.builtin.copy:
dest: /mnt/etc/apt/apt.conf.d/99performance
content: |
Acquire::Retries "3";
Acquire::http::Pipeline-Depth "10";
APT::Install-Recommends "false";
mode: "0644"
- name: Update package lists
ansible.builtin.command: "{{ chroot_command }} apt update"
register: bootstrap_debian_update_result
changed_when: bootstrap_debian_update_result.rc == 0
- name: Upgrade all packages to latest versions
ansible.builtin.command: "{{ chroot_command }} apt full-upgrade -y"
register: bootstrap_debian_upgrade_result
changed_when: "'0 upgraded' not in bootstrap_debian_upgrade_result.stdout"
- name: Install extra packages
when: bootstrap_debian_extra_args | trim | length > 0
ansible.builtin.command: "{{ chroot_command }} apt install -y {{ bootstrap_debian_extra_args }}"

23
roles/bootstrap/tasks/main.yml
View File

@@ -1,9 +1,6 @@
---
- name: Validate bootstrap input
ansible.builtin.import_tasks: _validate.yml
- name: Create API filesystem mountpoints in installroot
when: os_family == 'RedHat'
when: is_rhel | bool
ansible.builtin.file:
path: "/mnt/{{ item }}"
state: directory
@@ -14,7 +11,7 @@
- sys
- name: Mount API filesystems into installroot
when: os_family == 'RedHat'
when: is_rhel | bool
ansible.posix.mount:
src: "{{ item.src }}"
path: "/mnt/{{ item.path }}"
@@ -31,13 +28,21 @@
- name: Run OS-specific bootstrap process
vars:
bootstrap_os_task_map:
almalinux: _dnf_family.yml
alpine: alpine.yml
archlinux: archlinux.yml
debian: debian.yml
fedora: _dnf_family.yml
opensuse: opensuse.yml
rocky: _dnf_family.yml
rhel: rhel.yml
ubuntu: ubuntu.yml
ubuntu-lts: ubuntu.yml
void: void.yml
bootstrap_var_key: "{{ 'bootstrap_' + (os | replace('-lts', '') | replace('-', '_')) }}"
ansible.builtin.include_tasks: "{{ bootstrap_os_task_map[os] }}"
- name: Install desktop environment packages
when: system_cfg.features.desktop.enabled | bool
ansible.builtin.include_tasks: _desktop.yml
- name: Ensure chroot uses live environment DNS
ansible.builtin.file:
src: /run/NetworkManager/resolv.conf

4
roles/bootstrap/tasks/rhel.yml
View File

@@ -13,7 +13,7 @@
block:
- name: Install base packages in chroot environment
ansible.builtin.command: >-
dnf --releasever={{ os_version_major }} --best {{ _rhel_repos }}
dnf --releasever={{ os_version_major }} {{ _rhel_repos }}
--installroot=/mnt
--setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
groupinstall -y {{ _rhel_groups }}
@@ -51,7 +51,7 @@
- name: Install additional packages in chroot
ansible.builtin.command: >-
{{ chroot_command }} dnf --releasever={{ os_version_major }} --best
{{ chroot_command }} dnf --releasever={{ os_version_major }}
--setopt=install_weak_deps=False install -y {{ _rhel_extra }}
register: bootstrap_result
changed_when: bootstrap_result.rc == 0

28
roles/bootstrap/tasks/ubuntu.yml
View File

@@ -3,7 +3,7 @@
vars:
# ubuntu = latest non-LTS, ubuntu-lts = latest LTS
bootstrap_ubuntu_release_map:
ubuntu: questing
ubuntu: plucky
ubuntu-lts: noble
bootstrap_ubuntu_release: "{{ bootstrap_ubuntu_release_map[os] | default('noble') }}"
_config: "{{ lookup('vars', bootstrap_var_key) }}"
@@ -30,35 +30,21 @@
--keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg
--include={{ bootstrap_ubuntu_base_csv }}
{{ bootstrap_ubuntu_release }} /mnt
{{ system_cfg.mirror }}
https://archive.ubuntu.com/ubuntu/
register: bootstrap_ubuntu_base_result
changed_when: bootstrap_ubuntu_base_result.rc == 0
- name: Write bootstrap sources.list
ansible.builtin.template:
src: ubuntu.sources.list.j2
dest: /mnt/etc/apt/sources.list
mode: "0644"
- name: Configure apt performance tuning
ansible.builtin.copy:
dest: /mnt/etc/apt/apt.conf.d/99performance
content: |
Acquire::Retries "3";
Acquire::http::Pipeline-Depth "10";
APT::Install-Recommends "false";
mode: "0644"
- name: Enable universe repository
ansible.builtin.replace:
path: /mnt/etc/apt/sources.list
regexp: '^(deb\s+\S+\s+\S+\s+main)$'
replace: '\1 universe'
- name: Update package lists
ansible.builtin.command: "{{ chroot_command }} apt update"
register: bootstrap_ubuntu_update_result
changed_when: bootstrap_ubuntu_update_result.rc == 0
- name: Upgrade all packages to latest versions
ansible.builtin.command: "{{ chroot_command }} apt full-upgrade -y"
register: bootstrap_ubuntu_upgrade_result
changed_when: "'0 upgraded' not in bootstrap_ubuntu_upgrade_result.stdout"
- name: Install extra packages
when: bootstrap_ubuntu_extra_args | trim | length > 0
ansible.builtin.command: "{{ chroot_command }} apt install -y {{ bootstrap_ubuntu_extra_args }}"

15
roles/bootstrap/templates/debian.sources.list.j2
View File

@@ -1,15 +0,0 @@
# Managed by Ansible.
{% set release = bootstrap_debian_release %}
{% set mirror = system_cfg.mirror %}
{% set components = 'main contrib non-free' ~ (' non-free-firmware' if (os_version | string) not in ['10', '11'] else '') %}
deb {{ mirror }} {{ release }} {{ components }}
deb-src {{ mirror }} {{ release }} {{ components }}
{% if release != 'sid' %}
deb https://security.debian.org/debian-security {{ release }}-security {{ components }}
deb-src https://security.debian.org/debian-security {{ release }}-security {{ components }}
deb {{ mirror }} {{ release }}-updates {{ components }}
deb-src {{ mirror }} {{ release }}-updates {{ components }}
{% endif %}

16
roles/bootstrap/templates/ubuntu.sources.list.j2
View File

@@ -1,16 +0,0 @@
# Managed by Ansible.
{% set release = bootstrap_ubuntu_release %}
{% set mirror = system_cfg.mirror %}
{% set components = 'main restricted universe multiverse' %}
deb {{ mirror }} {{ release }} {{ components }}
deb-src {{ mirror }} {{ release }} {{ components }}
deb {{ mirror }} {{ release }}-updates {{ components }}
deb-src {{ mirror }} {{ release }}-updates {{ components }}
deb {{ mirror }} {{ release }}-security {{ components }}
deb-src {{ mirror }} {{ release }}-security {{ components }}
deb {{ mirror }} {{ release }}-backports {{ components }}
deb-src {{ mirror }} {{ release }}-backports {{ components }}

149
roles/bootstrap/vars/desktop.yml
View File

@@ -1,149 +0,0 @@
---
# Per-family desktop environment package definitions.
# Keyed by os_family -> environment -> groups (dnf groupinstall) / packages.
# Kept intentionally minimal: base DE + essential tools, no full suites.
bootstrap_desktop_packages:
RedHat:
gnome:
groups:
- workstation-product-environment
packages: []
kde:
groups: []
packages:
- plasma-desktop
- plasma-nm
- plasma-pa
- plasma-systemmonitor
- sddm
- konsole
- dolphin
- kate
- kscreen
- kde-gtk-config
- xdg-user-dirs
- xdg-desktop-portal-kde
- bluez
- pipewire
- wireplumber
xfce:
groups:
- xfce-desktop-environment
packages:
- lightdm
Debian:
gnome:
groups: []
packages:
- gnome-core
- gdm3
- gnome-tweaks
- xdg-user-dirs
kde:
groups: []
packages:
- plasma-desktop
- plasma-nm
- plasma-pa
- sddm
- konsole
- dolphin
- kate
- kscreen
- xdg-user-dirs
- xdg-desktop-portal-kde
- bluez
- pipewire
- wireplumber
xfce:
groups: []
packages:
- xfce4
- xfce4-goodies
- lightdm
- xdg-user-dirs
Archlinux:
gnome:
groups: []
packages:
- gnome
- gdm
- xdg-user-dirs
kde:
groups: []
packages:
- plasma-desktop
- plasma-nm
- plasma-pa
- sddm
- konsole
- dolphin
- kate
- kscreen
- kde-gtk-config
- xdg-user-dirs
- xdg-desktop-portal-kde
- bluez
- pipewire
- wireplumber
xfce:
groups: []
packages:
- xfce4
- xfce4-goodies
- lightdm
- xdg-user-dirs
sway:
groups: []
packages:
- sway
- waybar
- foot
- wofi
- greetd
- xdg-user-dirs
- xdg-desktop-portal-wlr
- bluez
- pipewire
- wireplumber
hyprland:
groups: []
packages:
- hyprland
- kitty
- wofi
- waybar
- ly
- xdg-user-dirs
- xdg-desktop-portal-hyprland
- polkit-kde-agent
- qt5-wayland
- qt6-wayland
- bluez
- pipewire
- wireplumber
Suse:
gnome:
groups: []
packages:
- patterns-gnome-gnome_basic
- gdm
- xdg-user-dirs
kde:
groups: []
packages:
- patterns-kde-kde_plasma
- sddm
- xdg-user-dirs
# Display manager auto-detection from desktop environment.
bootstrap_desktop_dm_map:
gnome: gdm
kde: sddm
xfce: lightdm
sway: greetd
hyprland: ly@tty2
cinnamon: lightdm
mate: lightdm
lxqt: sddm
budgie: gdm

25
roles/bootstrap/vars/main.yml
View File

@@ -29,6 +29,7 @@ bootstrap_rhel:
- standard
extra:
- bind-utils
- dhcp-client
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
@@ -47,7 +48,6 @@ bootstrap_rhel:
{{
(['grub2-efi-x64'] if os_version_major | default('') == '8' else ['grub2-efi'])
+ (['grub2-tools-extra'] if os_version_major | default('') in ['8', '9'] else [])
+ (['dhcp-client'] if (os_version_major | default('9') | int) < 10 else [])
+ (['python39'] if os_version_major | default('') == '8' else ['python'])
+ (['kernel'] if os_version_major | default('') == '10' else [])
+ (['zram-generator'] if os_version_major | default('') in ['9', '10'] else [])
@@ -62,12 +62,12 @@ bootstrap_almalinux:
- core
extra:
- bind-utils
- dhcp-client
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- kernel
- lrzsz
- lvm2
- mtr
@@ -86,7 +86,6 @@ bootstrap_almalinux:
conditional: >-
{{
(['dbus-daemon'] if (os_version_major | default('10') | int) >= 9 else [])
+ (['dhcp-client'] if (os_version_major | default('10') | int) < 10 else [])
+ bootstrap_common_conditional
}}
@@ -98,12 +97,12 @@ bootstrap_rocky:
- core
extra:
- bind-utils
- dhcp-client
- efibootmgr
- glibc-langpack-de
- glibc-langpack-en
- grub2
- grub2-efi
- kernel
- lrzsz
- lvm2
- mtr
@@ -122,11 +121,7 @@ bootstrap_rocky:
- wget
- zram-generator
- zstd
conditional: >-
{{
(['dhcp-client'] if (os_version_major | default('9') | int) < 10 else [])
+ bootstrap_common_conditional
}}
conditional: "{{ bootstrap_common_conditional }}"
bootstrap_fedora:
repos:
@@ -201,7 +196,6 @@ bootstrap_debian:
- lrzsz
- mtr
- ncdu
- needrestart
- net-tools
- network-manager
- python-is-python3
@@ -222,7 +216,6 @@ bootstrap_debian:
+ (['software-properties-common'] if (os_version | string) not in ['13', 'unstable'] else [])
+ (['systemd-zram-generator'] if (os_version | string) not in ['10', '11'] else [])
+ (['tldr'] if (os_version | string) not in ['13', 'unstable'] else [])
+ (['shim-signed'] if system_cfg.features.secure_boot.enabled | bool else [])
+ bootstrap_common_conditional
}}
@@ -264,7 +257,6 @@ bootstrap_ubuntu:
- mtr
- ncdu
- ncurses-term
- needrestart
- net-tools
- network-manager
- python-is-python3
@@ -276,6 +268,7 @@ bootstrap_ubuntu:
- syslog-ng
- systemd-zram-generator
- tcpd
- tldr
- traceroute
- util-linux-extra
- vim
@@ -283,12 +276,7 @@ bootstrap_ubuntu:
- yq
- zoxide
- zstd
conditional: >-
{{
(['tldr'] if (os_version | default('') | string | length) > 0 else [])
+ (['shim-signed'] if system_cfg.features.secure_boot.enabled | bool else [])
+ bootstrap_common_conditional
}}
conditional: "{{ bootstrap_common_conditional }}"
bootstrap_archlinux:
base:
@@ -325,7 +313,6 @@ bootstrap_archlinux:
{{
(['openssh'] if system_cfg.features.ssh.enabled | bool else [])
+ (['iptables-nft'] if system_cfg.features.firewall.toolkit == 'nftables' and system_cfg.features.firewall.enabled | bool else [])
+ (['sbctl'] if system_cfg.features.secure_boot.enabled | bool else [])
+ (bootstrap_common_conditional | reject('equalto', 'nftables') | list)
}}

2
roles/cis/defaults/main.yml
View File

@@ -84,8 +84,6 @@ cis_defaults:
cis_fusermount_binary: "{{ 'fusermount3' if is_rhel | default(false) | bool else 'fusermount' }}"
cis_write_binary: "{{ 'write' if is_rhel | default(false) | bool else 'wall' }}"
cis: {}
cis_permission_targets:
- { path: "/mnt/etc/ssh/sshd_config", mode: "0600" }
- { path: "/mnt/etc/cron.hourly", mode: "0700" }

10
roles/cis/tasks/_normalize.yml
View File

@@ -1,10 +1,4 @@
---
- name: Normalize CIS input
- name: Build cis_cfg from defaults and user overrides
ansible.builtin.set_fact:
cis_enabled: "{{ cis is defined and (cis is mapping or cis | bool) }}"
cis_input: "{{ cis if cis is mapping else {} }}"
- name: Normalize CIS configuration
when: cis_enabled and cis_cfg is not defined
ansible.builtin.set_fact:
cis_cfg: "{{ cis_defaults | combine(cis_input, recursive=True) }}"
cis_cfg: "{{ cis_defaults | combine(cis | default({}), recursive=true) }}"

31
roles/cis/tasks/main.yml
View File

@@ -1,20 +1,17 @@
---
- name: Normalize CIS configuration
ansible.builtin.import_tasks: _normalize.yml
ansible.builtin.include_tasks: _normalize.yml
- name: Apply CIS hardening
when: cis_enabled
block:
- name: Include CIS hardening tasks
ansible.builtin.include_tasks: "{{ cis_task }}"
loop:
- modules.yml
- sysctl.yml
- auth.yml
- crypto.yml
- files.yml
- security_lines.yml
- permissions.yml
- sshd.yml
loop_control:
loop_var: cis_task
- name: Include CIS hardening tasks
ansible.builtin.include_tasks: "{{ cis_task }}"
loop:
- modules.yml
- sysctl.yml
- auth.yml
- crypto.yml
- files.yml
- security_lines.yml
- permissions.yml
- sshd.yml
loop_control:
loop_var: cis_task

10
roles/cleanup/defaults/main.yml
View File

@@ -3,3 +3,13 @@
cleanup_verify_boot: true
cleanup_boot_timeout: 300
cleanup_remove_on_failure: true
# Libvirt paths
cleanup_libvirt_image_dir: >-
{{
system_cfg.path
if system_cfg is defined and (system_cfg.path | string | length) > 0
else '/var/lib/libvirt/images'
}}
cleanup_libvirt_cloudinit_path: >-
{{ [cleanup_libvirt_image_dir, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}

43
roles/cleanup/tasks/libvirt.yml
View File

@@ -14,6 +14,7 @@
- name: Initialize cleaned VM XML
ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_get_xml.get_xml }}"
changed_when: false
- name: Remove boot ISO device from VM XML (source match)
when: boot_iso is defined and boot_iso | length > 0
@@ -27,6 +28,7 @@
when: boot_iso is defined and boot_iso | length > 0
ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot_source.xmlstring }}"
changed_when: false
- name: Remove boot ISO device from VM XML (target fallback)
community.general.xml:
@@ -38,6 +40,7 @@
- name: Update cleaned VM XML after removing boot ISO
ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot.xmlstring }}"
changed_when: false
- name: Remove cloud-init ISO device from VM XML (source match)
community.general.xml:
@@ -49,6 +52,7 @@
- name: Update cleaned VM XML after removing cloud-init ISO source match
ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_cloudinit_source.xmlstring }}"
changed_when: false
- name: Remove cloud-init ISO device from VM XML (target fallback)
community.general.xml:
@@ -60,6 +64,7 @@
- name: Update cleaned VM XML after removing cloud-init ISO
ansible.builtin.set_fact:
cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_cloudinit.xmlstring }}"
changed_when: false
- name: Strip XML declaration for libvirt define
ansible.builtin.set_fact:
@@ -71,12 +76,7 @@
| regex_replace("(?i)encoding=[\"'][^\"']+[\"']", "")
| trim
}}
- name: Ensure boot device is set to hard disk in VM XML
when: "'<boot ' not in cleanup_libvirt_domain_xml_clean"
ansible.builtin.set_fact:
cleanup_libvirt_domain_xml_clean: >-
{{ cleanup_libvirt_domain_xml_clean | regex_replace('(</type>)', '\1\n <boot dev="hd"/>') }}
changed_when: false
- name: Update VM definition without installer media
community.libvirt.virt:
@@ -85,7 +85,7 @@
- name: Remove cloud-init disk
ansible.builtin.file:
path: "{{ virtualization_libvirt_cloudinit_path }}"
path: "{{ cleanup_libvirt_cloudinit_path }}"
state: absent
- name: Ensure VM is powered off before restart
@@ -94,35 +94,6 @@
state: destroyed
failed_when: false
- name: Enroll Secure Boot keys in VM NVRAM
when:
- system_cfg.features.secure_boot.enabled | default(false) | bool
- os != 'archlinux'
block:
- name: Find VM NVRAM file path
ansible.builtin.shell:
cmd: >-
set -o pipefail &&
virsh -c {{ libvirt_uri | default('qemu:///system') }} dumpxml {{ hostname }}
| grep -oP '<nvram[^>]*>\K[^<]+'
executable: /bin/bash
register: _sb_nvram_path
changed_when: false
failed_when: false
- name: Enroll Secure Boot keys via virt-fw-vars
when: _sb_nvram_path.stdout | default('') | length > 0
ansible.builtin.command:
argv:
- virt-fw-vars
- --inplace
- "{{ _sb_nvram_path.stdout | trim }}"
- --enroll-redhat
- --secure-boot
register: _sb_enroll_result
changed_when: _sb_enroll_result.rc == 0
failed_when: false
- name: Start the VM
community.libvirt.virt:
name: "{{ hostname }}"

12
roles/cleanup/tasks/proxmox.yml
View File

@@ -4,8 +4,15 @@
delegate_to: localhost
become: false
module_defaults:
community.proxmox.proxmox_disk: "{{ _proxmox_auth }}"
community.proxmox.proxmox_kvm: "{{ _proxmox_auth_node }}"
community.proxmox.proxmox_disk:
api_host: "{{ hypervisor_cfg.url }}"
api_user: "{{ hypervisor_cfg.username }}"
api_password: "{{ hypervisor_cfg.password }}"
community.proxmox.proxmox_kvm:
api_host: "{{ hypervisor_cfg.url }}"
api_user: "{{ hypervisor_cfg.username }}"
api_password: "{{ hypervisor_cfg.password }}"
node: "{{ hypervisor_cfg.host }}"
block:
- name: Cleanup Setup Disks
community.proxmox.proxmox_disk:
@@ -25,4 +32,3 @@
community.proxmox.proxmox_kvm:
vmid: "{{ system_cfg.id }}"
state: restarted
no_log: true

12
roles/cleanup/tasks/virtual.yml
View File

@@ -88,7 +88,11 @@
delegate_to: localhost
become: false
module_defaults:
community.proxmox.proxmox_kvm: "{{ _proxmox_auth_node }}"
community.proxmox.proxmox_kvm:
api_host: "{{ hypervisor_cfg.url }}"
api_user: "{{ hypervisor_cfg.username }}"
api_password: "{{ hypervisor_cfg.password }}"
node: "{{ hypervisor_cfg.host }}"
no_log: true
block:
- name: Stop Proxmox VM
@@ -109,7 +113,11 @@
delegate_to: localhost
become: false
module_defaults:
community.vmware.vmware_guest: "{{ _vmware_auth }}"
community.vmware.vmware_guest:
hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}"
no_log: true
block:
- name: Power off VMware VM

14
roles/cleanup/tasks/vmware.yml
View File

@@ -4,8 +4,18 @@
delegate_to: localhost
become: false
module_defaults:
community.vmware.vmware_guest: "{{ _vmware_auth }}"
vmware.vmware.vm_powerstate: "{{ _vmware_auth }}"
community.vmware.vmware_guest:
hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}"
datacenter: "{{ hypervisor_cfg.datacenter }}"
vmware.vmware.vm_powerstate:
hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}"
datacenter: "{{ hypervisor_cfg.datacenter }}"
no_log: true
block:
- name: Remove CD-ROM from VM in vCenter

30
roles/cleanup/tasks/xen.yml
View File

@@ -7,11 +7,34 @@
xen_installer_media_enabled: "{{ xen_installer_media_enabled | default(false) }}"
block:
- name: Ensure Xen disk definitions exist
ansible.builtin.include_tasks: ../../virtualization/tasks/_xen_disks.yml
when: virtualization_xen_disks is not defined
ansible.builtin.set_fact:
cleanup_xen_disks: "{{ cleanup_xen_disks | default([]) + [cleanup_xen_disk_cfg] }}"
vars:
device_letter_map: "abcdefghijklmnopqrstuvwxyz"
device_letter: "{{ device_letter_map[ansible_loop.index0] }}"
cleanup_xen_disk_cfg: >-
{{
{
'path': (
virtualization_xen_disk_path ~ '/' ~ hostname ~ '.qcow2'
if ansible_loop.index0 == 0
else virtualization_xen_disk_path ~ '/' ~ hostname ~ '-disk' ~ ansible_loop.index0 ~ '.qcow2'
),
'target': 'xvd' ~ device_letter,
'size': (item.size | float)
}
}}
loop: "{{ system_cfg.disks }}"
loop_control:
label: "{{ item | to_json }}"
extended: true
changed_when: false
- name: Render Xen VM configuration without installer media
vars:
xen_installer_media_enabled: false
virtualization_xen_disks: "{{ virtualization_xen_disks | default(cleanup_xen_disks | default([])) }}"
ansible.builtin.template:
src: xen.cfg.j2
dest: /tmp/xen-{{ hostname }}.cfg
@@ -35,8 +58,3 @@
- /tmp/xen-{{ hostname }}.cfg
register: cleanup_xen_start_result
changed_when: cleanup_xen_start_result.rc == 0
- name: Remove temporary Xen configuration file
ansible.builtin.file:
path: /tmp/xen-{{ hostname }}.cfg
state: absent

7
roles/configuration/defaults/main.yml
View File

@@ -1,7 +0,0 @@
---
# Network configuration dispatch — maps OS name to the task file
# that writes network config. Default (NetworkManager) applies to
# all OSes not explicitly listed.
configuration_network_task_map:
alpine: network_alpine.yml
void: network_void.yml

19
roles/configuration/tasks/_bls_update.yml
View File

@@ -1,19 +0,0 @@
---
# Shared task: update BLS (Boot Loader Specification) entries with kernel cmdline.
# Expects variable: _bls_cmdline (the kernel command line string)
- name: Find BLS entries
ansible.builtin.find:
paths: /mnt/boot/loader/entries
patterns: "*.conf"
register: _bls_entries
changed_when: false
- name: Update BLS options
when: _bls_entries.files | length > 0
ansible.builtin.lineinfile:
path: "{{ item.path }}"
regexp: "^options "
line: "options {{ _bls_cmdline }}"
loop: "{{ _bls_entries.files }}"
loop_control:
label: "{{ item.path }}"

25
roles/configuration/tasks/_resolve_platform.yml
View File

@@ -1,25 +0,0 @@
---
# Resolve platform-specific configuration for the target OS family.
# Sets _configuration_platform from configuration_platform_config[os_family].
- name: Resolve platform-specific configuration
ansible.builtin.assert:
that:
- os_family is defined
- os_family in configuration_platform_config
fail_msg: >-
Unsupported os_family '{{ os_family | default("undefined") }}'.
Extend configuration_platform_config in vars/main.yml.
quiet: true
- name: Set platform configuration
ansible.builtin.set_fact:
_configuration_platform: "{{ configuration_platform_config[os_family] }}"
- name: Override EFI loader to shim for Secure Boot
when:
- system_cfg.features.secure_boot.enabled | bool
- _configuration_platform.efi_loader != 'shimx64.efi'
- os != 'archlinux'
ansible.builtin.set_fact:
_configuration_platform: >-
{{ _configuration_platform | combine({'efi_loader': 'shimx64.efi'}) }}

93
roles/configuration/tasks/bootloader.yml
View File

@@ -6,10 +6,11 @@
"redhat" if os == "rhel"
else ("ubuntu" if os in ["ubuntu", "ubuntu-lts"] else os)
}}
_efi_loader: "{{ _configuration_platform.efi_loader }}"
_efi_loader: >-
{{ "shimx64.efi" if is_rhel | bool else "grubx64.efi" }}
block:
- name: Install GRUB EFI binary
when: _configuration_platform.grub_install
when: not (is_rhel | bool)
ansible.builtin.command: >-
{{ chroot_command }} /usr/sbin/grub-install --target=x86_64-efi
--efi-directory={{ partitioning_efi_mountpoint }}
@@ -34,16 +35,6 @@
register: configuration_efi_entry_result
changed_when: configuration_efi_entry_result.rc == 0
- name: Set installed OS as first EFI boot entry
ansible.builtin.shell:
cmd: >-
set -o pipefail &&
efibootmgr | grep -i '{{ _efi_vendor }}' | grep -oP 'Boot\K[0-9A-F]+' | head -1
| xargs -I{} efibootmgr -o {}
executable: /bin/bash
register: _efi_bootorder_result
changed_when: _efi_bootorder_result.rc == 0
- name: Ensure lvm2 for non btrfs filesystems
when: os == "archlinux" and system_cfg.filesystem != "btrfs"
ansible.builtin.lineinfile:
@@ -53,67 +44,33 @@
backrefs: true
- name: Regenerate initramfs
when: _configuration_platform.initramfs_cmd | length > 0
ansible.builtin.command: "{{ chroot_command }} {{ _configuration_platform.initramfs_cmd }}"
when: os not in ["alpine", "void"]
vars:
configuration_initramfs_cmd: >-
{{
'/usr/sbin/mkinitcpio -P'
if os == "archlinux"
else (
'/usr/bin/env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin '
+ '/usr/sbin/update-initramfs -u -k all'
if is_debian | bool
else '/usr/bin/dracut --regenerate-all --force'
)
}}
ansible.builtin.command: "{{ chroot_command }} {{ configuration_initramfs_cmd }}"
register: configuration_initramfs_result
changed_when: configuration_initramfs_result.rc == 0
- name: Generate grub config (RedHat)
when: os_family == 'RedHat'
ansible.builtin.command: >-
{{ chroot_command }} /usr/sbin/{{ _configuration_platform.grub_mkconfig_prefix }}
-o /boot/grub2/grub.cfg
register: configuration_grub_result
changed_when: configuration_grub_result.rc == 0
- name: Fix btrfs BLS boot variable in grub config
when:
- os_family == 'RedHat'
- system_cfg.filesystem == 'btrfs'
ansible.builtin.replace:
path: /mnt/boot/grub2/grub.cfg
regexp: 'search --no-floppy --fs-uuid --set=boot \S+'
replace: 'set boot=$root'
- name: Create EFI grub.cfg wrapper for RedHat
when: os_family == 'RedHat'
- name: Generate grub config
vars:
_grub2_path: >-
configuration_grub_cfg_cmd: >-
{{
'/grub2'
if (partitioning_separate_boot | bool)
else ('/@/boot/grub2' if system_cfg.filesystem == 'btrfs' else '/boot/grub2')
'/usr/sbin/grub2-mkconfig -o '
+ partitioning_efi_mountpoint
+ '/EFI/' + _efi_vendor + '/grub.cfg'
if is_rhel | bool
else '/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg'
}}
ansible.builtin.shell:
cmd: |
set -o pipefail
uuid=$(grep -m1 'search.*--set=root' /mnt/boot/grub2/grub.cfg | grep -oP '[\da-f]{8}(-[\da-f]{4}){3}-[\da-f]{12}')
cat > /mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/grub.cfg <<GRUBEOF
search --no-floppy --fs-uuid --set=dev $uuid
set prefix=(\$dev){{ _grub2_path }}
export \$prefix
configfile \$prefix/grub.cfg
GRUBEOF
executable: /bin/bash
register: _grub_wrapper_result
changed_when: _grub_wrapper_result.rc == 0
- name: Generate grub config (non-RedHat)
when: os_family != 'RedHat'
ansible.builtin.command: "{{ chroot_command }} /usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg"
ansible.builtin.command: "{{ chroot_command }} {{ configuration_grub_cfg_cmd }}"
register: configuration_grub_result
changed_when: configuration_grub_result.rc == 0
- name: Rebuild GRUB as standalone EFI for Secure Boot
when:
- system_cfg.features.secure_boot.enabled | default(false) | bool
- os == 'archlinux'
ansible.builtin.command: >-
{{ chroot_command }} grub-mkstandalone
-d /usr/lib/grub/x86_64-efi
-O x86_64-efi
--disable-shim-lock
-o {{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/grubx64.efi
boot/grub/grub.cfg=/boot/grub/grub.cfg
register: _grub_standalone_result
changed_when: _grub_standalone_result.rc == 0

265
roles/configuration/tasks/encryption.yml
View File

@@ -1,14 +1,13 @@
---
- name: Configure disk encryption
when: system_cfg.luks.enabled | bool
no_log: true
vars:
configuration_luks_passphrase: >-
{{ system_cfg.luks.passphrase | string }}
block:
- name: Set LUKS configuration facts
vars:
_raw_pcrs: >-
luks_tpm2_pcrs: >-
{{
(
system_cfg.luks.tpm2.pcrs
@@ -20,17 +19,6 @@
| regex_replace('\\s+', '')
| regex_replace('^\\+|\\+$', '')
}}
_sb_pcr7_safe: >-
{{
system_cfg.features.secure_boot.enabled | bool
and system_cfg.type | default('virtual') != 'virtual'
}}
luks_tpm2_pcrs: >-
{{
_raw_pcrs
if _raw_pcrs | length > 0
else ('7' if (_sb_pcr7_safe | bool) else '')
}}
ansible.builtin.set_fact:
configuration_luks_mapper_name: "{{ system_cfg.luks.mapper }}"
configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}"
@@ -47,12 +35,7 @@
configuration_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"
configuration_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
configuration_luks_keyfile_path: "/etc/cryptsetup-keys.d/{{ system_cfg.luks.mapper }}.key"
configuration_luks_tpm2_token_lib: >-
{{
'/usr/lib/x86_64-linux-gnu/cryptsetup/libcryptsetup-token-systemd-tpm2.so'
if os_family == 'Debian'
else '/usr/lib64/cryptsetup/libcryptsetup-token-systemd-tpm2.so'
}}
changed_when: false
- name: Validate LUKS UUID is available
ansible.builtin.assert:
@@ -68,13 +51,8 @@
fail_msg: system.luks.passphrase must be set for LUKS auto-decrypt.
no_log: true
- name: Detect TPM2 unlock method
ansible.builtin.include_tasks: encryption/initramfs_detect.yml
- name: Enroll TPM2 via systemd-cryptenroll
when:
- configuration_luks_auto_method == 'tpm2'
- _tpm2_method | default('systemd-cryptenroll') == 'systemd-cryptenroll'
- name: Enroll TPM2 for LUKS
when: configuration_luks_auto_method == 'tpm2'
ansible.builtin.include_tasks: encryption/tpm2.yml
- name: Configure LUKS keyfile auto-decrypt
@@ -100,7 +78,7 @@
}}
luks_tpm2_option_list: >-
{{
(configuration_luks_auto_method == 'tpm2' and (_tpm2_method | default('systemd-cryptenroll')) == 'systemd-cryptenroll')
(configuration_luks_auto_method == 'tpm2')
| ternary(
['tpm2-device=' + configuration_luks_tpm2_device]
+ (['tpm2-pcrs=' + configuration_luks_tpm2_pcrs]
@@ -144,16 +122,231 @@
path: /mnt{{ configuration_luks_keyfile_path }}
state: absent
- name: Configure initramfs for LUKS
ansible.builtin.include_tasks: encryption/initramfs.yml
- name: Write crypttab entry
ansible.builtin.lineinfile:
path: /mnt/etc/crypttab
regexp: "^{{ configuration_luks_mapper_name }}\\s"
line: >-
{{ configuration_luks_mapper_name }} UUID={{ configuration_luks_uuid }}
{{ configuration_luks_crypttab_keyfile }} {{ configuration_luks_crypttab_options }}
create: true
mode: "0600"
- name: Configure crypttab
ansible.builtin.include_tasks: encryption/crypttab.yml
- name: Ensure keyfile pattern for initramfs-tools
when:
- is_debian | bool
- configuration_luks_keyfile_in_use
ansible.builtin.lineinfile:
path: /mnt/etc/cryptsetup-initramfs/conf-hook
regexp: "^KEYFILE_PATTERN="
line: "KEYFILE_PATTERN=/etc/cryptsetup-keys.d/*.key"
create: true
mode: "0644"
- name: Configure mkinitcpio hooks for LUKS
when: os == 'archlinux'
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: "^HOOKS="
line: >-
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole
block sd-encrypt{{ ' lvm2' if system_cfg.filesystem != 'btrfs' else '' }} filesystems fsck)
- name: Read mkinitcpio configuration
when: os == 'archlinux'
ansible.builtin.slurp:
src: /mnt/etc/mkinitcpio.conf
register: configuration_mkinitcpio_slurp
- name: Build mkinitcpio FILES list
when: os == 'archlinux'
vars:
mkinitcpio_files_list: >-
{{
(
configuration_mkinitcpio_slurp.content | b64decode
| regex_findall('^FILES=\\(([^)]*)\\)', multiline=True)
| default([])
| first
| default('')
).split()
}}
mkinitcpio_files_list_new: >-
{{
(
(mkinitcpio_files_list + [configuration_luks_keyfile_path])
if configuration_luks_keyfile_in_use
else (
mkinitcpio_files_list
| reject('equalto', configuration_luks_keyfile_path)
| list
)
)
| unique
}}
ansible.builtin.set_fact:
configuration_mkinitcpio_files_list_new: "{{ mkinitcpio_files_list_new }}"
- name: Configure mkinitcpio FILES list
when: os == 'archlinux'
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: "^FILES="
line: >-
FILES=({{
configuration_mkinitcpio_files_list_new | join(' ')
}})
- name: Ensure dracut config directory exists
when: is_rhel | bool
ansible.builtin.file:
path: /mnt/etc/dracut.conf.d
state: directory
mode: "0755"
- name: Configure dracut for LUKS
when: _initramfs_generator | default('') == 'dracut'
ansible.builtin.include_tasks: encryption/dracut.yml
when: is_rhel | bool
ansible.builtin.copy:
dest: /mnt/etc/dracut.conf.d/crypt.conf
content: |
add_dracutmodules+=" crypt "
{% if configuration_luks_keyfile_in_use %}
install_items+=" {{ configuration_luks_keyfile_path }} "
{% endif %}
mode: "0644"
- name: Configure GRUB for LUKS
when: _initramfs_generator | default('') != 'dracut' or os_family != 'RedHat'
ansible.builtin.include_tasks: encryption/grub.yml
- name: Read kernel cmdline defaults
when: is_rhel | bool
ansible.builtin.slurp:
src: /mnt/etc/kernel/cmdline
register: configuration_kernel_cmdline_slurp
- name: Build kernel cmdline with LUKS args
when: is_rhel | bool
vars:
kernel_cmdline_current: >-
{{ configuration_kernel_cmdline_slurp.content | b64decode | trim }}
kernel_cmdline_list: >-
{{
kernel_cmdline_current.split()
if kernel_cmdline_current | length > 0 else []
}}
kernel_cmdline_filtered: >-
{{
kernel_cmdline_list
| reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=')
| list
}}
kernel_cmdline_new: >-
{{
(kernel_cmdline_filtered + configuration_luks_kernel_args.split())
| unique
| join(' ')
}}
ansible.builtin.set_fact:
configuration_kernel_cmdline_new: "{{ kernel_cmdline_new }}"
changed_when: false
- name: Write kernel cmdline with LUKS args
when: is_rhel | bool
ansible.builtin.copy:
dest: /mnt/etc/kernel/cmdline
mode: "0644"
content: "{{ configuration_kernel_cmdline_new }}\n"
- name: Find BLS entries for encryption kernel cmdline
when: is_rhel | bool
ansible.builtin.find:
paths: /mnt/boot/loader/entries
patterns: "*.conf"
register: configuration_kernel_bls_entries
changed_when: false
- name: Update BLS options with LUKS args
when:
- is_rhel | bool
- configuration_kernel_bls_entries.files | length > 0
ansible.builtin.lineinfile:
path: "{{ item.path }}"
regexp: "^options "
line: "options {{ configuration_kernel_cmdline_new }}"
loop: "{{ configuration_kernel_bls_entries.files }}"
loop_control:
label: "{{ item.path }}"
- name: Read grub defaults
when: not is_rhel | bool
ansible.builtin.slurp:
src: /mnt/etc/default/grub
register: configuration_grub_slurp
- name: Build grub command lines with LUKS args
when: not is_rhel | bool
vars:
grub_content: "{{ configuration_grub_slurp.content | b64decode }}"
grub_cmdline_linux: >-
{{
grub_content
| regex_findall('^GRUB_CMDLINE_LINUX=\"(.*)\"', multiline=True)
| default([])
| first
| default('')
}}
grub_cmdline_default: >-
{{
grub_content
| regex_findall('^GRUB_CMDLINE_LINUX_DEFAULT=\"(.*)\"', multiline=True)
| default([])
| first
| default('')
}}
grub_cmdline_linux_list: >-
{{
grub_cmdline_linux.split()
if grub_cmdline_linux | length > 0 else []
}}
grub_cmdline_default_list: >-
{{
grub_cmdline_default.split()
if grub_cmdline_default | length > 0 else []
}}
luks_kernel_args_list: "{{ configuration_luks_kernel_args.split() }}"
grub_cmdline_linux_new: >-
{{
(
(
grub_cmdline_linux_list
| reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=')
| list
)
+ luks_kernel_args_list
)
| unique
| join(' ')
}}
grub_cmdline_default_new: >-
{{
(
(
grub_cmdline_default_list
| reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=')
| list
)
+ luks_kernel_args_list
)
| unique
| join(' ')
}}
ansible.builtin.set_fact:
configuration_grub_content: "{{ grub_content }}"
configuration_grub_cmdline_linux: "{{ grub_cmdline_linux }}"
configuration_grub_cmdline_default: "{{ grub_cmdline_default }}"
configuration_grub_cmdline_linux_new: "{{ grub_cmdline_linux_new }}"
configuration_grub_cmdline_default_new: "{{ grub_cmdline_default_new }}"
- name: Update GRUB_CMDLINE_LINUX_DEFAULT for LUKS
when: not is_rhel | bool
ansible.builtin.lineinfile:
path: /mnt/etc/default/grub
regexp: "^GRUB_CMDLINE_LINUX_DEFAULT="
line: 'GRUB_CMDLINE_LINUX_DEFAULT="{{ configuration_grub_cmdline_default_new }}"'

10
roles/configuration/tasks/encryption/crypttab.yml
View File

@@ -1,10 +0,0 @@
---
- name: Write crypttab entry
ansible.builtin.lineinfile:
path: /mnt/etc/crypttab
regexp: "^{{ configuration_luks_mapper_name }}\\s"
line: >-
{{ configuration_luks_mapper_name }} UUID={{ configuration_luks_uuid }}
{{ configuration_luks_crypttab_keyfile }} {{ configuration_luks_crypttab_options }}
create: true
mode: "0600"

66
roles/configuration/tasks/encryption/dracut.yml
View File

@@ -1,66 +0,0 @@
---
- name: Ensure dracut config directory exists
ansible.builtin.file:
path: /mnt/etc/dracut.conf.d
state: directory
mode: "0755"
- name: Configure dracut for LUKS
ansible.builtin.copy:
dest: /mnt/etc/dracut.conf.d/crypt.conf
content: |
add_dracutmodules+=" crypt systemd "
{% if configuration_luks_keyfile_in_use | default(false) %}
install_items+=" {{ configuration_luks_keyfile_path }} "
{% endif %}
{% if configuration_luks_auto_method == 'tpm2' %}
install_items+=" {{ configuration_luks_tpm2_token_lib | default('') }} "
{% endif %}
mode: "0644"
# --- Kernel cmdline: write rd.luks.* args for dracut ---
- name: Ensure kernel cmdline directory exists
ansible.builtin.file:
path: /mnt/etc/kernel
state: directory
mode: "0755"
- name: Read existing kernel cmdline
ansible.builtin.slurp:
src: /mnt/etc/kernel/cmdline
register: _kernel_cmdline_slurp
failed_when: false
- name: Build kernel cmdline with LUKS args
vars:
_cmdline_current: >-
{{ (_kernel_cmdline_slurp.content | default('') | b64decode | default('')) | trim }}
_cmdline_list: >-
{{ _cmdline_current.split() if _cmdline_current | length > 0 else [] }}
_cmdline_filtered: >-
{{
_cmdline_list
| reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=')
| list
}}
_cmdline_new: >-
{{
(_cmdline_filtered + configuration_luks_kernel_args.split())
| unique
| join(' ')
}}
ansible.builtin.set_fact:
_dracut_kernel_cmdline: "{{ _cmdline_new }}"
- name: Write kernel cmdline with LUKS args
ansible.builtin.copy:
dest: /mnt/etc/kernel/cmdline
mode: "0644"
content: "{{ _dracut_kernel_cmdline }}\n"
# --- BLS entries: RedHat-specific ---
- name: Update BLS entries with LUKS kernel cmdline
when: os_family == 'RedHat'
vars:
_bls_cmdline: "{{ _dracut_kernel_cmdline }}"
ansible.builtin.include_tasks: ../_bls_update.yml

74
roles/configuration/tasks/encryption/grub.yml
View File

@@ -1,74 +0,0 @@
---
- name: Read grub defaults
ansible.builtin.slurp:
src: /mnt/etc/default/grub
register: configuration_grub_slurp
- name: Build grub command lines with LUKS args
vars:
grub_content: "{{ configuration_grub_slurp.content | b64decode }}"
grub_cmdline_linux: >-
{{
grub_content
| regex_findall('^GRUB_CMDLINE_LINUX=\"(.*)\"', multiline=True)
| default([])
| first
| default('')
}}
grub_cmdline_default: >-
{{
grub_content
| regex_findall('^GRUB_CMDLINE_LINUX_DEFAULT=\"(.*)\"', multiline=True)
| default([])
| first
| default('')
}}
grub_cmdline_linux_list: >-
{{
grub_cmdline_linux.split()
if grub_cmdline_linux | length > 0 else []
}}
grub_cmdline_default_list: >-
{{
grub_cmdline_default.split()
if grub_cmdline_default | length > 0 else []
}}
luks_kernel_args_list: "{{ configuration_luks_kernel_args.split() }}"
grub_cmdline_linux_new: >-
{{
(
(
grub_cmdline_linux_list
| reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=')
| list
)
+ luks_kernel_args_list
)
| unique
| join(' ')
}}
grub_cmdline_default_new: >-
{{
(
(
grub_cmdline_default_list
| reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=')
| list
)
+ luks_kernel_args_list
)
| unique
| join(' ')
}}
ansible.builtin.set_fact:
configuration_grub_content: "{{ grub_content }}"
configuration_grub_cmdline_linux: "{{ grub_cmdline_linux }}"
configuration_grub_cmdline_default: "{{ grub_cmdline_default }}"
configuration_grub_cmdline_linux_new: "{{ grub_cmdline_linux_new }}"
configuration_grub_cmdline_default_new: "{{ grub_cmdline_default_new }}"
- name: Update GRUB_CMDLINE_LINUX_DEFAULT for LUKS
ansible.builtin.lineinfile:
path: /mnt/etc/default/grub
regexp: "^GRUB_CMDLINE_LINUX_DEFAULT="
line: 'GRUB_CMDLINE_LINUX_DEFAULT="{{ configuration_grub_cmdline_default_new }}"'

152
roles/configuration/tasks/encryption/initramfs.yml
View File

@@ -1,152 +0,0 @@
---
# Initramfs configuration for LUKS auto-unlock.
# Runs AFTER Build LUKS parameters (so configuration_luks_keyfile_in_use is set).
# _initramfs_generator and _tpm2_method are set by initramfs_detect.yml.
# --- clevis: install and bind TPM2 ---
- name: Install clevis in target system
when:
- configuration_luks_auto_method == 'tpm2'
- _tpm2_method | default('') == 'clevis'
ansible.builtin.command: >-
{{ chroot_command }} apt install -y clevis clevis-luks clevis-tpm2 clevis-initramfs tpm2-tools
register: _clevis_install_result
changed_when: _clevis_install_result.rc == 0
- name: Install clevis on installer for LUKS binding
when:
- configuration_luks_auto_method == 'tpm2'
- _tpm2_method | default('') == 'clevis'
community.general.pacman:
name:
- clevis
- tpm2-tools
state: present
retries: 3
delay: 5
- name: Create clevis passphrase file
when:
- configuration_luks_auto_method == 'tpm2'
- _tpm2_method | default('') == 'clevis'
ansible.builtin.copy:
dest: /mnt/root/.luks-enroll-key
content: "{{ configuration_luks_passphrase }}"
mode: "0600"
no_log: true
- name: Ensure TPM device accessible for clevis
when:
- configuration_luks_auto_method == 'tpm2'
- _tpm2_method | default('') == 'clevis'
ansible.builtin.shell: >-
ls /mnt/dev/tpmrm0 2>/dev/null
|| (ls /dev/tpmrm0 && cp -a /dev/tpmrm0 /mnt/dev/tpmrm0)
changed_when: false
failed_when: false
- name: Bind LUKS to TPM2 via clevis
when:
- configuration_luks_auto_method == 'tpm2'
- _tpm2_method | default('') == 'clevis'
vars:
_clevis_config: >-
{{
'{"pcr_ids":"' + configuration_luks_tpm2_pcrs + '"}'
if configuration_luks_tpm2_pcrs | length > 0
else '{}'
}}
ansible.builtin.command: >-
clevis luks bind -f -k /mnt/root/.luks-enroll-key
-d {{ configuration_luks_device }} tpm2 '{{ _clevis_config }}'
register: _clevis_bind_result
changed_when: _clevis_bind_result.rc == 0
failed_when: false
# Initramfs regeneration is handled by the bootloader task which runs after
# encryption configuration. Clevis hooks are included automatically by
# update-initramfs when clevis-initramfs is installed.
- name: Remove clevis passphrase file
when:
- configuration_luks_auto_method == 'tpm2'
- _tpm2_method | default('') == 'clevis'
ansible.builtin.file:
path: /mnt/root/.luks-enroll-key
state: absent
- name: Report clevis binding result
when:
- configuration_luks_auto_method == 'tpm2'
- _tpm2_method | default('') == 'clevis'
ansible.builtin.debug:
msg: >-
{{ 'Clevis TPM2 binding succeeded' if (_clevis_bind_result.rc | default(1)) == 0
else 'Clevis TPM2 binding failed: ' + (_clevis_bind_result.stderr | default('unknown')) + '. System will require passphrase at boot.' }}
# --- initramfs-tools: keyfile support (non-TPM2) ---
- name: Configure initramfs-tools keyfile pattern
when:
- _initramfs_generator | default('') == 'initramfs-tools'
- configuration_luks_keyfile_in_use | default(false) | bool
ansible.builtin.lineinfile:
path: /mnt/etc/cryptsetup-initramfs/conf-hook
regexp: "^KEYFILE_PATTERN="
line: "KEYFILE_PATTERN=/etc/cryptsetup-keys.d/*.key"
create: true
mode: "0644"
# --- mkinitcpio: systemd + sd-encrypt hooks ---
- name: Configure mkinitcpio hooks for LUKS
when: _initramfs_generator | default('') == 'mkinitcpio'
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: "^HOOKS="
line: >-
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole
block sd-encrypt{{ ' lvm2' if system_cfg.filesystem != 'btrfs' else '' }} filesystems fsck)
- name: Read mkinitcpio configuration
when: _initramfs_generator | default('') == 'mkinitcpio'
ansible.builtin.slurp:
src: /mnt/etc/mkinitcpio.conf
register: configuration_mkinitcpio_slurp
- name: Build mkinitcpio FILES list
when: _initramfs_generator | default('') == 'mkinitcpio'
vars:
mkinitcpio_files_list: >-
{{
(
configuration_mkinitcpio_slurp.content | b64decode
| regex_findall('^FILES=\\(([^)]*)\\)', multiline=True)
| default([])
| first
| default('')
).split()
}}
mkinitcpio_files_list_new: >-
{{
(
(mkinitcpio_files_list + [configuration_luks_keyfile_path])
if (configuration_luks_keyfile_in_use | default(false))
else (
mkinitcpio_files_list
| reject('equalto', configuration_luks_keyfile_path)
| list
)
)
| unique
}}
ansible.builtin.set_fact:
configuration_mkinitcpio_files_list_new: "{{ mkinitcpio_files_list_new }}"
- name: Configure mkinitcpio FILES list
when: _initramfs_generator | default('') == 'mkinitcpio'
ansible.builtin.lineinfile:
path: /mnt/etc/mkinitcpio.conf
regexp: "^FILES="
line: >-
FILES=({{
configuration_mkinitcpio_files_list_new | join(' ')
}})

98
roles/configuration/tasks/encryption/initramfs_detect.yml
View File

@@ -1,98 +0,0 @@
---
# Resolve initramfs generator and TPM2 unlock method.
# Sets _initramfs_generator and _tpm2_method facts.
#
# Generator detection: derived from the platform's initramfs_cmd
# (dracut → dracut, mkinitcpio → mkinitcpio, else → initramfs-tools)
# TPM2 method: systemd-cryptenroll when generator supports tpm2-device,
# clevis fallback otherwise. Non-native dracut installed automatically.
- name: Resolve initramfs generator
vars:
_user_generator: "{{ system_cfg.features.initramfs.generator | default('') }}"
_native_generator: >-
{{
'dracut' if _configuration_platform.initramfs_cmd is search('dracut')
else ('mkinitcpio' if _configuration_platform.initramfs_cmd is search('mkinitcpio')
else 'initramfs-tools')
}}
ansible.builtin.set_fact:
_initramfs_generator: >-
{{ _user_generator if _user_generator | length > 0 else _native_generator }}
_initramfs_native_generator: "{{ _native_generator }}"
# --- Install non-native dracut if overridden or needed ---
- name: Install dracut in chroot when not native
when:
- _initramfs_generator == 'dracut'
- _initramfs_native_generator != 'dracut'
ansible.builtin.shell: >-
{{ chroot_command }} sh -c '
command -v apt >/dev/null 2>&1 && apt install -y dracut ||
command -v pacman >/dev/null 2>&1 && pacman -S --noconfirm dracut ||
command -v dnf >/dev/null 2>&1 && dnf install -y dracut
'
register: _dracut_install_result
changed_when: _dracut_install_result.rc == 0
failed_when: false
- name: Override initramfs command to dracut
when:
- _initramfs_generator == 'dracut'
- _initramfs_native_generator != 'dracut'
vars:
# Generate dracut initramfs with output name matching what GRUB expects:
# mkinitcpio native: /boot/initramfs-linux.img (Arch convention)
# initramfs-tools native: /boot/initrd.img-<kver> (Debian convention)
_dracut_cmd: >-
{{
'bash -c "for kver in /lib/modules/*/; do kver=$(basename $kver); dracut --force /boot/initramfs-linux.img $kver; done"'
if _initramfs_native_generator == 'mkinitcpio'
else 'bash -c "for kver in /lib/modules/*/; do kver=$(basename $kver); dracut --force /boot/initrd.img-$kver $kver; done"'
}}
ansible.builtin.set_fact:
_configuration_platform: >-
{{ _configuration_platform | combine({'initramfs_cmd': _dracut_cmd}) }}
# --- TPM2 method detection ---
- name: Probe dracut for TPM2 module support
when:
- configuration_luks_auto_method == 'tpm2'
- _initramfs_generator != 'mkinitcpio'
ansible.builtin.command: "{{ chroot_command }} dracut --list-modules"
register: _dracut_modules_check
changed_when: false
failed_when: false
- name: Resolve TPM2 unlock method
when: configuration_luks_auto_method == 'tpm2'
vars:
# mkinitcpio sd-encrypt supports tpm2-device natively
# dracut with tpm2-tss module supports tpm2-device natively
# everything else needs clevis
_supports_tpm2_native: >-
{{
_initramfs_generator == 'mkinitcpio'
or ('tpm2-tss' in (_dracut_modules_check.stdout | default('')))
}}
ansible.builtin.set_fact:
_tpm2_method: "{{ 'systemd-cryptenroll' if _supports_tpm2_native | bool else 'clevis' }}"
# --- Auto-upgrade to dracut when tpm2-tss available but generator isn't dracut ---
- name: Switch to dracut for TPM2 support
when:
- configuration_luks_auto_method == 'tpm2'
- _tpm2_method == 'systemd-cryptenroll'
- _initramfs_generator not in ['dracut', 'mkinitcpio']
vars:
_dracut_cmd: >-
bash -c "for kver in /lib/modules/*/; do kver=$(basename $kver); dracut --force /boot/initrd.img-$kver $kver; done"
ansible.builtin.set_fact:
_initramfs_generator: dracut
_configuration_platform: >-
{{ _configuration_platform | combine({'initramfs_cmd': _dracut_cmd}) }}
- name: Report TPM2 configuration
when: configuration_luks_auto_method == 'tpm2'
ansible.builtin.debug:
msg: "TPM2 unlock: {{ _tpm2_method | default('none') }} | initramfs: {{ _initramfs_generator }}"

1
roles/configuration/tasks/encryption/keyfile.yml
View File

@@ -86,6 +86,7 @@
device: "{{ configuration_luks_device }}"
passphrase: "{{ configuration_luks_passphrase }}"
new_keyfile: "/mnt{{ configuration_luks_keyfile_path }}"
register: configuration_luks_addkey_retry
failed_when: false
no_log: true

86
roles/configuration/tasks/encryption/tpm2.yml
View File

@@ -1,35 +1,26 @@
---
# TPM2 enrollment via systemd-cryptenroll.
# Works with dracut and mkinitcpio (sd-encrypt). The user-set passphrase
# remains as a backup unlock method — no auto-generated keyfiles.
- name: Enroll TPM2 for LUKS
block:
# Tempfile in chroot /tmp — accessible by both chroot and host commands
- name: Create temporary passphrase file for TPM2 enrollment
ansible.builtin.tempfile:
path: /mnt/root
path: /mnt/tmp
prefix: luks-passphrase-
state: file
register: _tpm2_passphrase_tempfile
register: configuration_luks_tpm2_passphrase_tempfile
- name: Write passphrase into temporary file
- name: Write passphrase into temporary file for TPM2 enrollment
ansible.builtin.copy:
dest: "{{ _tpm2_passphrase_tempfile.path }}"
dest: "{{ configuration_luks_tpm2_passphrase_tempfile.path }}"
content: "{{ configuration_luks_passphrase }}"
owner: root
group: root
mode: "0600"
no_log: true
- name: Ensure TPM device is accessible in chroot
ansible.builtin.shell: >-
ls /mnt/dev/tpmrm0 2>/dev/null
|| (ls /dev/tpmrm0 && cp -a /dev/tpmrm0 /mnt/dev/tpmrm0)
changed_when: false
failed_when: false
- name: Enroll TPM2 token via systemd-cryptenroll
- name: Enroll TPM2 token
vars:
_enroll_args: >-
configuration_luks_enroll_args: >-
{{
[
'/usr/bin/systemd-cryptenroll',
@@ -37,28 +28,69 @@
'--tpm2-with-pin=false',
'--wipe-slot=tpm2',
'--unlock-key-file=' + (
_tpm2_passphrase_tempfile.path | regex_replace('^/mnt', '')
configuration_luks_tpm2_passphrase_tempfile.path
| regex_replace('^/mnt', '')
)
]
+ (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs]
if configuration_luks_tpm2_pcrs | length > 0 else [])
+ [configuration_luks_device]
}}
ansible.builtin.command: "{{ chroot_command }} {{ _enroll_args | join(' ') }}"
register: _tpm2_enroll_result
changed_when: _tpm2_enroll_result.rc == 0
configuration_luks_enroll_chroot_cmd: >-
{{ chroot_command }} {{ configuration_luks_enroll_args | join(' ') }}
ansible.builtin.command: "{{ configuration_luks_enroll_chroot_cmd }}"
register: configuration_luks_tpm2_enroll_chroot
changed_when: configuration_luks_tpm2_enroll_chroot.rc == 0
failed_when: false
- name: Retry TPM2 enrollment in installer environment
when:
- (configuration_luks_tpm2_enroll_chroot.rc | default(1)) != 0
vars:
configuration_luks_enroll_args: >-
{{
[
'/usr/bin/systemd-cryptenroll',
'--tpm2-device=' + configuration_luks_tpm2_device,
'--tpm2-with-pin=false',
'--wipe-slot=tpm2',
'--unlock-key-file=' + configuration_luks_tpm2_passphrase_tempfile.path
]
+ (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs]
if configuration_luks_tpm2_pcrs | length > 0 else [])
+ [configuration_luks_device]
}}
ansible.builtin.command:
argv: "{{ configuration_luks_enroll_args }}"
register: configuration_luks_tpm2_enroll_host
changed_when: configuration_luks_tpm2_enroll_host.rc == 0
failed_when: false
- name: Validate TPM2 enrollment succeeded
ansible.builtin.assert:
that:
- >-
(configuration_luks_tpm2_enroll_chroot.rc | default(1)) == 0
or (configuration_luks_tpm2_enroll_host.rc | default(1)) == 0
fail_msg: >-
TPM2 enrollment failed.
chroot rc={{ configuration_luks_tpm2_enroll_chroot.rc | default('n/a') }},
host rc={{ configuration_luks_tpm2_enroll_host.rc | default('n/a') }},
chroot stderr={{ configuration_luks_tpm2_enroll_chroot.stderr | default('') }},
host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }}
rescue:
- name: TPM2 enrollment failed
- name: Warn about TPM2 enrollment failure
ansible.builtin.debug:
msg: >-
TPM2 enrollment failed: {{ _tpm2_enroll_result.stderr | default('unknown') }}.
The system will require the passphrase for LUKS unlock on boot.
TPM2 can be enrolled post-deployment via: systemd-cryptenroll --tpm2-device=auto {{ configuration_luks_device }}
TPM2 enrollment failed — falling back to keyfile auto-decrypt.
The system will use a keyfile instead of TPM2 for automatic LUKS unlock.
- name: Fallback to keyfile auto-decrypt
ansible.builtin.set_fact:
configuration_luks_auto_method: keyfile
always:
- name: Remove temporary passphrase file
when: _tpm2_passphrase_tempfile.path is defined
- name: Remove TPM2 enrollment passphrase file
when: configuration_luks_tpm2_passphrase_tempfile.path is defined
ansible.builtin.file:
path: "{{ _tpm2_passphrase_tempfile.path }}"
path: "{{ configuration_luks_tpm2_passphrase_tempfile.path }}"
state: absent

10
roles/configuration/tasks/extras.yml
View File

@@ -1,7 +1,7 @@
---
- name: Append vim configurations to vimrc
ansible.builtin.blockinfile:
path: "{{ '/mnt/etc/vim/vimrc' if os_family == 'Debian' else '/mnt/etc/vimrc' }}"
path: "{{ '/mnt/etc/vim/vimrc' if is_debian | bool else '/mnt/etc/vimrc' }}"
block: |
set encoding=utf-8
set number
@@ -9,11 +9,9 @@
set smartindent
set mouse=a
insertafter: EOF
marker: "\" {mark} CUSTOM VIM CONFIG"
marker: "# {mark} CUSTOM VIM CONFIG"
failed_when: false
# Tuned for VM workloads: low swappiness, aggressive writeback, large page-cluster
# for zram. Override post-bootstrap via the linux role or sysctl if needed.
- name: Add memory tuning parameters
ansible.builtin.blockinfile:
path: /mnt/etc/sysctl.d/90-memory.conf
@@ -43,7 +41,7 @@
mode: "0644"
- name: Copy Custom Shell config
ansible.builtin.copy:
src: custom.sh
ansible.builtin.template:
src: custom.sh.j2
dest: /mnt/etc/profile.d/custom.sh
mode: "0644"

25
roles/configuration/tasks/grub.yml
View File

@@ -1,6 +1,6 @@
---
- name: Configure grub defaults
when: os_family != 'RedHat'
when: not is_rhel | bool
ansible.builtin.lineinfile:
dest: /mnt/etc/default/grub
regexp: "{{ item.regexp }}"
@@ -14,7 +14,7 @@
label: "{{ item.line }}"
- name: Ensure grub defaults file exists for RHEL-based systems
when: os_family == 'RedHat'
when: is_rhel | bool
block:
- name: Build RHEL kernel command line defaults
vars:
@@ -62,6 +62,7 @@
ansible.builtin.set_fact:
configuration_grub_cmdline_linux_base: "{{ grub_cmdline_linux_base }}"
configuration_kernel_cmdline_base: "{{ grub_kernel_cmdline_base }}"
changed_when: false
- name: Check if grub defaults file exists
ansible.builtin.stat:
@@ -96,10 +97,22 @@
mode: "0644"
content: "{{ configuration_kernel_cmdline_base }}\n"
- name: Update BLS entries with kernel cmdline defaults
vars:
_bls_cmdline: "{{ configuration_kernel_cmdline_base }}"
ansible.builtin.include_tasks: _bls_update.yml
- name: Find BLS entries for GRUB configuration
ansible.builtin.find:
paths: /mnt/boot/loader/entries
patterns: "*.conf"
register: configuration_grub_bls_entries
changed_when: false
- name: Update BLS options with kernel cmdline defaults
when: configuration_grub_bls_entries.files | length > 0
ansible.builtin.lineinfile:
path: "{{ item.path }}"
regexp: "^options "
line: "options {{ configuration_kernel_cmdline_base }}"
loop: "{{ configuration_grub_bls_entries.files }}"
loop_control:
label: "{{ item.path }}"
- name: Enable GRUB cryptodisk for encrypted /boot
when: partitioning_grub_enable_cryptodisk | bool

4
roles/configuration/tasks/locales.yml
View File

@@ -14,7 +14,7 @@
- name: Setup locales
block:
- name: Configure locale.gen
when: _configuration_platform.locale_gen
when: not is_rhel | bool
ansible.builtin.lineinfile:
dest: /mnt/etc/locale.gen
regexp: "{{ item.regex }}"
@@ -25,7 +25,7 @@
label: "{{ item.line }}"
- name: Generate locales
when: _configuration_platform.locale_gen
when: not is_rhel | bool
ansible.builtin.command: "{{ chroot_command }} /usr/sbin/locale-gen"
register: configuration_locale_result
changed_when: configuration_locale_result.rc == 0

9
roles/configuration/tasks/main.yml
View File

@@ -1,13 +1,8 @@
---
- name: Resolve platform configuration
ansible.builtin.import_tasks: _resolve_platform.yml
- name: Include configuration tasks
when: configuration_task.when | default(true)
ansible.builtin.include_tasks: "{{ configuration_task.file }}"
loop:
- file: repositories.yml
when: "{{ os_family == 'Debian' }}"
- file: banner.yml
- file: fstab.yml
- file: locales.yml
@@ -17,14 +12,12 @@
- file: encryption.yml
when: "{{ system_cfg.luks.enabled | bool }}"
- file: bootloader.yml
- file: secure_boot.yml
when: "{{ system_cfg.features.secure_boot.enabled | bool }}"
- file: extras.yml
- file: network.yml
- file: users.yml
- file: sudo.yml
- file: selinux.yml
when: "{{ os_family == 'RedHat' }}"
when: "{{ is_rhel | bool }}"
loop_control:
loop_var: configuration_task
label: "{{ configuration_task.file }}"

9
roles/configuration/tasks/network.yml
View File

@@ -29,10 +29,9 @@
- configuration_detected_interfaces | length > 0
fail_msg: Failed to detect any network interfaces.
- name: Set DNS configuration facts
ansible.builtin.set_fact:
configuration_dns_list: "{{ system_cfg.network.dns.servers }}"
configuration_dns_search: "{{ system_cfg.network.dns.search }}"
- name: Configure networking
vars:
configuration_network_task_map:
alpine: network_alpine.yml
void: network_void.yml
ansible.builtin.include_tasks: "{{ configuration_network_task_map[os] | default('network_nm.yml') }}"

9
roles/configuration/tasks/network_alpine.yml
View File

@@ -1,5 +1,7 @@
---
- name: Write Alpine network interfaces
vars:
configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
ansible.builtin.copy:
dest: /mnt/etc/network/interfaces
mode: "0644"
@@ -23,14 +25,13 @@
{% endfor %}
- name: Set Alpine DNS resolvers
when: configuration_dns_list | length > 0 or configuration_dns_search | length > 0
vars:
configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
when: configuration_dns_list | length > 0
ansible.builtin.copy:
dest: /mnt/etc/resolv.conf
mode: "0644"
content: |
{% if configuration_dns_search | length > 0 %}
search {{ configuration_dns_search | join(' ') }}
{% endif %}
{% for resolver in configuration_dns_list %}
nameserver {{ resolver }}
{% endfor %}

7
roles/configuration/tasks/network_nm.yml
View File

@@ -2,7 +2,12 @@
- name: Copy NetworkManager keyfile per interface
vars:
configuration_iface: "{{ item }}"
configuration_iface_name: "{{ item.name | default(configuration_detected_interfaces[idx] | default('')) }}"
configuration_iface_name: >-
{{
item.name
if (item.name | default('') | string | length) > 0
else (configuration_detected_interfaces[idx] | default('eth' ~ idx))
}}
configuration_net_uuid: "{{ ('LAN-' ~ idx ~ '-' ~ hostname) | ansible.builtin.to_uuid }}"
ansible.builtin.template:
src: network.j2

5
roles/configuration/tasks/network_void.yml
View File

@@ -1,5 +1,7 @@
---
- name: Write dhcpcd configuration
vars:
configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
ansible.builtin.copy:
dest: /mnt/etc/dhcpcd.conf
mode: "0644"
@@ -18,9 +20,6 @@
{% if loop.index0 == 0 and configuration_dns_list | length > 0 %}
static domain_name_servers={{ configuration_dns_list | join(' ') }}
{% endif %}
{% if loop.index0 == 0 and configuration_dns_search | length > 0 %}
static domain_search={{ configuration_dns_search | join(' ') }}
{% endif %}
{% endif %}
{% endfor %}

25
roles/configuration/tasks/repositories.yml
View File

@@ -1,25 +0,0 @@
---
- name: Write final sources.list
vars:
_debian_release_map:
"10": buster
"11": bullseye
"12": bookworm
"13": trixie
unstable: sid
_ubuntu_release_map:
ubuntu: questing
ubuntu-lts: noble
ansible.builtin.template:
src: "{{ os | replace('-lts', '') }}.sources.list.j2"
dest: /mnt/etc/apt/sources.list
mode: "0644"
- name: Ensure apt performance configuration persists
ansible.builtin.copy:
dest: /mnt/etc/apt/apt.conf.d/99performance
content: |
Acquire::Retries "3";
Acquire::http::Pipeline-Depth "10";
APT::Install-Recommends "false";
mode: "0644"

8
roles/configuration/tasks/secure_boot.yml
View File

@@ -1,8 +0,0 @@
---
- name: Configure shim-based Secure Boot
when: os != 'archlinux'
ansible.builtin.include_tasks: secure_boot/shim.yml
- name: Configure sbctl Secure Boot
when: os == 'archlinux'
ansible.builtin.include_tasks: secure_boot/sbctl.yml

115
roles/configuration/tasks/secure_boot/sbctl.yml
View File

@@ -1,115 +0,0 @@
---
- name: Configure sbctl Secure Boot
block:
- name: Create Secure Boot signing keys
ansible.builtin.command: "{{ chroot_command }} sbctl create-keys"
register: _sbctl_create_keys
changed_when: _sbctl_create_keys.rc == 0
failed_when:
- _sbctl_create_keys.rc != 0
- "'already exists' not in (_sbctl_create_keys.stderr | default(''))"
- name: Enroll Secure Boot keys in firmware
ansible.builtin.command: "{{ chroot_command }} sbctl enroll-keys --microsoft"
register: _sbctl_enroll
changed_when: _sbctl_enroll.rc == 0
failed_when: false
- name: Install first-boot enrollment service if chroot enrollment failed
when: _sbctl_enroll.rc | default(1) != 0
block:
- name: Create first-boot sbctl enrollment service
ansible.builtin.copy:
dest: /mnt/etc/systemd/system/sbctl-enroll.service
mode: "0644"
content: |
[Unit]
Description=Enroll Secure Boot keys via sbctl
ConditionPathExists=!/var/lib/sbctl/.enrolled
After=local-fs.target
[Service]
Type=oneshot
ExecStart=/usr/bin/sbctl enroll-keys --microsoft
ExecStartPost=/usr/bin/touch /var/lib/sbctl/.enrolled
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- name: Enable first-boot enrollment service
ansible.builtin.command: "{{ chroot_command }} systemctl enable sbctl-enroll.service"
register: _sbctl_service_enable
changed_when: _sbctl_service_enable.rc == 0
- name: Find kernel images to sign
ansible.builtin.find:
paths: /mnt/boot
patterns: "vmlinuz-*"
file_type: file
register: _sbctl_kernel_images
- name: Sign kernel images
ansible.builtin.command: >-
{{ chroot_command }} sbctl sign -s {{ item.path | regex_replace('^/mnt', '') }}
loop: "{{ _sbctl_kernel_images.files }}"
loop_control:
label: "{{ item.path | basename }}"
register: _sbctl_sign_kernel
changed_when: _sbctl_sign_kernel.rc == 0
failed_when: false
- name: Sign GRUB EFI binary
vars:
_grub_efi_path: "{{ partitioning_efi_mountpoint }}/EFI/archlinux/grubx64.efi"
ansible.builtin.command: >-
{{ chroot_command }} sbctl sign -s {{ _grub_efi_path }}
register: _sbctl_sign_grub
changed_when: _sbctl_sign_grub.rc == 0
failed_when: false
- name: Ensure pacman hooks directory exists
ansible.builtin.file:
path: /mnt/etc/pacman.d/hooks
state: directory
mode: "0755"
- name: Install sbctl auto-signing pacman hook
ansible.builtin.copy:
dest: /mnt/etc/pacman.d/hooks/99-sbctl-sign.hook
mode: "0644"
content: |
[Trigger]
Operation = Install
Operation = Upgrade
Type = Path
Target = boot/vmlinuz-*
Target = usr/lib/modules/*/vmlinuz
[Action]
Description = Signing kernel images for Secure Boot...
When = PostTransaction
Exec = /usr/bin/sbctl sign-all
Depends = sbctl
- name: Verify sbctl signing status
ansible.builtin.command: "{{ chroot_command }} sbctl verify"
register: _sbctl_verify
changed_when: false
failed_when: false
- name: Report sbctl Secure Boot status
ansible.builtin.debug:
msg: >-
Secure Boot (sbctl):
Enrollment={{ 'done' if (_sbctl_enroll.rc | default(1)) == 0 else 'deferred to first boot' }}.
{{ _sbctl_verify.stdout | default('Verify not available') }}
rescue:
- name: Secure Boot setup failed
ansible.builtin.debug:
msg: >-
sbctl Secure Boot setup failed.
On VMs make sure the OVMF firmware is in Setup Mode (fresh NVRAM).
On bare metal enter the firmware setup and switch to Setup Mode first.
To recover manually: sbctl create-keys && sbctl enroll-keys --microsoft && sbctl sign-all

45
roles/configuration/tasks/secure_boot/shim.yml
View File

@@ -1,45 +0,0 @@
---
- name: Configure shim-based Secure Boot
vars:
_efi_vendor: >-
{{
"redhat" if os == "rhel"
else ("ubuntu" if os in ["ubuntu", "ubuntu-lts"] else os)
}}
block:
- name: Find shim binary in target system
ansible.builtin.shell:
cmd: >-
set -o pipefail &&
{{ chroot_command }} find /usr/lib/shim /boot/efi/EFI
\( -name 'shimx64.efi.signed.latest' -o -name 'shimx64.efi.dualsigned'
-o -name 'shimx64.efi.signed' -o -name 'shimx64.efi' \)
-type f | sort -r | head -1
executable: /bin/bash
register: _shim_find_result
changed_when: false
failed_when: false
- name: Copy shim to EFI vendor directory
when:
- _shim_find_result.stdout | default('') | length > 0
- _configuration_platform.grub_install | bool
ansible.builtin.command: >-
cp /mnt{{ _shim_find_result.stdout_lines | first }}
/mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi
register: _shim_copy_result
changed_when: _shim_copy_result.rc == 0
- name: Verify shim is present
ansible.builtin.stat:
path: "/mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi"
register: _shim_stat
- name: Report Secure Boot status
ansible.builtin.debug:
msg: >-
Secure Boot (shim): {{
'shimx64.efi installed at ' ~ partitioning_efi_mountpoint ~ '/EFI/' ~ _efi_vendor
if (_shim_stat.stat.exists | default(false))
else 'shimx64.efi not found, shim package may handle placement on first boot'
}}

4
roles/configuration/tasks/selinux.yml
View File

@@ -1,6 +1,6 @@
---
- name: Fix SELinux
when: os_family == 'RedHat'
when: is_rhel | bool
block:
- name: Fix SELinux by pre-labeling the filesystem before first boot
when: os in ['almalinux', 'rocky', 'rhel'] and system_cfg.features.selinux.enabled | bool
@@ -11,8 +11,6 @@
register: configuration_setfiles_result
changed_when: configuration_setfiles_result.rc == 0
# Fedora: setfiles segfaults during bootstrap chroot relabeling, so SELinux
# is left permissive and expected to relabel on first boot.
- name: Disable SELinux
when: os == "fedora" or not system_cfg.features.selinux.enabled | bool
ansible.builtin.lineinfile:

33
roles/configuration/tasks/services.yml
View File

@@ -1,47 +1,22 @@
---
- name: Enable systemd services
when: _configuration_platform.init_system == 'systemd'
when: os not in ['alpine', 'void']
vars:
_desktop_dm: >-
{{
system_cfg.features.desktop.display_manager
if (system_cfg.features.desktop.display_manager | length > 0)
else (configuration_desktop_dm_map[system_cfg.features.desktop.environment] | default(''))
}}
configuration_systemd_services: >-
{{
['NetworkManager']
+ (['firewalld'] if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else [])
+ (['ufw'] if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else [])
+ ([_configuration_platform.ssh_service] if system_cfg.features.ssh.enabled | bool else [])
+ ([('ssh' if is_debian | bool else 'sshd')] if system_cfg.features.ssh.enabled | bool else [])
+ (['logrotate', 'systemd-timesyncd'] if os == 'archlinux' else [])
+ ([_desktop_dm] if system_cfg.features.desktop.enabled | bool and _desktop_dm | length > 0 else [])
+ (['bluetooth'] if system_cfg.features.desktop.enabled | bool else [])
}}
ansible.builtin.command: "{{ chroot_command }} systemctl enable {{ item }}"
loop: "{{ configuration_systemd_services }}"
register: configuration_enable_service_result
changed_when: configuration_enable_service_result.rc == 0
- name: Activate UFW firewall
when:
- system_cfg.features.firewall.backend == 'ufw'
- system_cfg.features.firewall.enabled | bool
ansible.builtin.command: "{{ chroot_command }} ufw --force enable"
register: _ufw_enable_result
changed_when: _ufw_enable_result.rc == 0
failed_when: false
- name: Set default systemd target to graphical
when:
- _configuration_platform.init_system == 'systemd'
- system_cfg.features.desktop.enabled | bool
ansible.builtin.command: "{{ chroot_command }} systemctl set-default graphical.target"
register: _desktop_target_result
changed_when: _desktop_target_result.rc == 0
- name: Enable OpenRC services
when: _configuration_platform.init_system == 'openrc'
when: os == 'alpine'
vars:
configuration_openrc_services: >-
{{
@@ -73,7 +48,7 @@
when: item.stat.exists
- name: Enable runit services
when: _configuration_platform.init_system == 'runit'
when: os == 'void'
vars:
configuration_runit_services: >-
{{

2
roles/configuration/tasks/ssh.yml
View File

@@ -1,6 +1,4 @@
---
# Bootstrap-only: permissive SSH for initial Ansible access.
# Post-bootstrap hardening (key-only, no root login) is handled by the linux role.
- name: Ensure SSH password authentication is enabled
ansible.builtin.lineinfile:
path: /mnt/etc/ssh/sshd_config

15
roles/configuration/tasks/sudo.yml
View File

@@ -9,21 +9,18 @@
- name: Give sudo access to wheel group
ansible.builtin.copy:
content: "{{ _configuration_platform.sudo_group }} ALL=(ALL) ALL\n"
content: "{{ '%sudo ALL=(ALL) ALL\n' if is_debian | bool else '%wheel ALL=(ALL) ALL\n' }}"
dest: /mnt/etc/sudoers.d/01-wheel
mode: "0440"
validate: /usr/sbin/visudo --check --file=%s
- name: Deploy per-user sudoers rules
when: item.value.sudo is defined and (item.value.sudo | string | length > 0)
vars:
configuration_sudoers_rule: >-
{{ item.value.sudo if item.value.sudo is string else 'ALL=(ALL) NOPASSWD: ALL' }}
when: item.sudo is defined and (item.sudo | string | length) > 0
ansible.builtin.copy:
content: "{{ item.key }} {{ configuration_sudoers_rule }}\n"
dest: "/mnt/etc/sudoers.d/{{ item.key }}"
content: "{{ item.name }} {{ item.sudo }}\n"
dest: "/mnt/etc/sudoers.d/{{ item.name }}"
mode: "0440"
validate: /usr/sbin/visudo --check --file=%s
loop: "{{ system_cfg.users | dict2items }}"
loop: "{{ system_cfg.users }}"
loop_control:
label: "{{ item.key }}"
label: "{{ item.name }}"

64
roles/configuration/tasks/users.yml
View File

@@ -1,68 +1,62 @@
---
- name: Set root password
when: (system_cfg.root.password | default('') | string | length) > 0
ansible.builtin.shell: >-
set -o pipefail &&
echo 'root:{{ system_cfg.root.password | password_hash("sha512") }}' | {{ chroot_command }} /usr/sbin/chpasswd -e
echo 'root:{{ system_cfg.root.password | password_hash("sha512") }}' | {{ chroot_command }} chpasswd -e
args:
executable: /bin/bash
register: configuration_root_result
changed_when: configuration_root_result.rc == 0
no_log: true
- name: Lock root account when no password is set
when: (system_cfg.root.password | default('') | string | length) == 0
ansible.builtin.command: >-
{{ chroot_command }} /usr/bin/passwd -l root
register: configuration_root_lock_result
changed_when: configuration_root_lock_result.rc == 0
- name: Set root shell
ansible.builtin.command: >-
{{ chroot_command }} /usr/sbin/usermod --shell {{ system_cfg.root.shell }} root
{{ chroot_command }} /usr/sbin/usermod --shell {{ system_cfg.root.shell | default('/bin/bash') }} root
register: configuration_root_shell_result
changed_when: configuration_root_shell_result.rc == 0
- name: Create user accounts
vars:
configuration_user_group: "{{ _configuration_platform.user_group }}"
configuration_user_group: >-
{{ "sudo" if is_debian | bool else "wheel" }}
# UID starts at 1000; safe for fresh installs only
configuration_useradd_cmd: >-
{{ chroot_command }} /usr/sbin/useradd --create-home --user-group
--uid {{ 1000 + _idx }}
--groups {{ configuration_user_group }} {{ item.key }}
{{ ('--password ' ~ (item.value.password | password_hash('sha512'))) if (item.value.password | default('') | string | length > 0) else '' }}
--shell {{ item.value.shell | default('/bin/bash') }}
--uid {{ 1000 + ansible_loop.index0 }}
--groups {{ configuration_user_group }} {{ item.name }}
--password {{ item.password | password_hash('sha512') }} --shell {{ item.shell | default('/bin/bash') }}
ansible.builtin.command: "{{ configuration_useradd_cmd }}"
loop: "{{ system_cfg.users | dict2items }}"
loop: "{{ system_cfg.users }}"
loop_control:
index_var: _idx
label: "{{ item.key }}"
extended: true
label: "{{ item.name }}"
register: configuration_user_result
changed_when: configuration_user_result.rc == 0
no_log: true
- name: Ensure .ssh directory exists
when: (item.value['keys'] | default([]) | length) > 0
when: item['keys'] | default([]) | length > 0
ansible.builtin.file:
path: "/mnt/home/{{ item.key }}/.ssh"
path: "/mnt/home/{{ item.name }}/.ssh"
state: directory
owner: "{{ 1000 + _idx }}"
group: "{{ 1000 + _idx }}"
owner: "{{ 1000 + ansible_loop.index0 }}"
group: "{{ 1000 + ansible_loop.index0 }}"
mode: "0700"
loop: "{{ system_cfg.users | dict2items }}"
loop: "{{ system_cfg.users }}"
loop_control:
index_var: _idx
label: "{{ item.key }}"
extended: true
label: "{{ item.name }}"
- name: Deploy SSH authorized_keys
when: (item.value['keys'] | default([]) | length) > 0
ansible.builtin.copy:
content: "{{ item.value['keys'] | join('\n') }}\n"
dest: "/mnt/home/{{ item.key }}/.ssh/authorized_keys"
owner: "{{ 1000 + _idx }}"
group: "{{ 1000 + _idx }}"
- name: Add SSH public keys to authorized_keys
vars:
_uid: "{{ 1000 + (system_cfg.users | map(attribute='name') | list).index(item.0.name) }}"
ansible.builtin.lineinfile:
path: "/mnt/home/{{ item.0.name }}/.ssh/authorized_keys"
line: "{{ item.1 }}"
owner: "{{ _uid }}"
group: "{{ _uid }}"
mode: "0600"
loop: "{{ system_cfg.users | dict2items }}"
create: true
loop: "{{ system_cfg.users | subelements('keys', skip_missing=True) }}"
loop_control:
index_var: _idx
label: "{{ item.key }}"
label: "{{ item.0.name }}: {{ item.1[:40] }}..."

0
roles/configuration/files/custom.sh → roles/configuration/templates/custom.sh.j2
View File

15
roles/configuration/templates/debian.sources.list.j2
View File

@@ -1,15 +0,0 @@
# Managed by Ansible.
{% set release = _debian_release_map[os_version | string] | default('trixie') %}
{% set mirror = system_cfg.mirror %}
{% set components = 'main contrib non-free' ~ (' non-free-firmware' if (os_version | string) not in ['10', '11'] else '') %}
deb {{ mirror }} {{ release }} {{ components }}
deb-src {{ mirror }} {{ release }} {{ components }}
{% if release != 'sid' %}
deb https://security.debian.org/debian-security {{ release }}-security {{ components }}
deb-src https://security.debian.org/debian-security {{ release }}-security {{ components }}
deb {{ mirror }} {{ release }}-updates {{ components }}
deb-src {{ mirror }} {{ release }}-updates {{ components }}
{% endif %}

7
roles/configuration/templates/network.j2
View File

@@ -2,15 +2,12 @@
id=LAN-{{ idx }}
uuid={{ configuration_net_uuid }}
type=ethernet
autoconnect-priority=10
{% if configuration_iface_name | length > 0 %}
interface-name={{ configuration_iface_name }}
{% endif %}
[ipv4]
{% set iface = configuration_iface %}
{% set dns_list = configuration_dns_list %}
{% set search_list = configuration_dns_search %}
{% set dns_list = system_cfg.network.dns.servers | default([]) %}
{% set search_list = system_cfg.network.dns.search | default([]) %}
{% if iface.ip | default('') | string | length %}
address1={{ iface.ip }}/{{ iface.prefix }}{{ (',' ~ iface.gateway) if (iface.gateway | default('') | string | length) else '' }}
method=manual

16
roles/configuration/templates/ubuntu.sources.list.j2
View File

@@ -1,16 +0,0 @@
# Managed by Ansible.
{% set release = _ubuntu_release_map[os] | default('noble') %}
{% set mirror = system_cfg.mirror %}
{% set components = 'main restricted universe multiverse' %}
deb {{ mirror }} {{ release }} {{ components }}
deb-src {{ mirror }} {{ release }} {{ components }}
deb {{ mirror }} {{ release }}-updates {{ components }}
deb-src {{ mirror }} {{ release }}-updates {{ components }}
deb {{ mirror }} {{ release }}-security {{ components }}
deb-src {{ mirror }} {{ release }}-security {{ components }}
deb {{ mirror }} {{ release }}-backports {{ components }}
deb-src {{ mirror }} {{ release }}-backports {{ components }}

79
roles/configuration/vars/main.yml
View File

@@ -1,79 +0,0 @@
---
# Platform-specific configuration values keyed by os_family.
# Consumed as _configuration_platform in tasks via:
# configuration_platform_config[os_family]
configuration_platform_config:
RedHat:
user_group: wheel
sudo_group: "%wheel"
ssh_service: sshd
efi_loader: shimx64.efi
grub_install: false
initramfs_cmd: "/usr/bin/dracut --regenerate-all --force"
grub_mkconfig_prefix: grub2-mkconfig
locale_gen: false
init_system: systemd
Debian:
user_group: sudo
sudo_group: "%sudo"
ssh_service: ssh
efi_loader: grubx64.efi
grub_install: true
initramfs_cmd: >-
/usr/bin/env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
/usr/sbin/update-initramfs -u -k all
grub_mkconfig_prefix: grub-mkconfig
locale_gen: true
init_system: systemd
Archlinux:
user_group: wheel
sudo_group: "%wheel"
ssh_service: sshd
efi_loader: grubx64.efi
grub_install: true
initramfs_cmd: "/usr/sbin/mkinitcpio -P"
grub_mkconfig_prefix: grub-mkconfig
locale_gen: true
init_system: systemd
Suse:
user_group: wheel
sudo_group: "%wheel"
ssh_service: sshd
efi_loader: grubx64.efi
grub_install: true
initramfs_cmd: "/usr/bin/dracut --regenerate-all --force"
grub_mkconfig_prefix: grub-mkconfig
locale_gen: true
init_system: systemd
Alpine:
user_group: wheel
sudo_group: "%wheel"
ssh_service: sshd
efi_loader: grubx64.efi
grub_install: true
initramfs_cmd: ""
grub_mkconfig_prefix: grub-mkconfig
locale_gen: false
init_system: openrc
Void:
user_group: wheel
sudo_group: "%wheel"
ssh_service: sshd
efi_loader: grubx64.efi
grub_install: true
initramfs_cmd: ""
grub_mkconfig_prefix: grub-mkconfig
locale_gen: false
init_system: runit
# Display manager auto-detection from desktop environment name.
configuration_desktop_dm_map:
gnome: gdm
kde: sddm
xfce: lightdm
sway: greetd
hyprland: ly@tty2
cinnamon: lightdm
mate: lightdm
lxqt: sddm
budgie: gdm

10
roles/environment/defaults/main.yml
View File

@@ -1,10 +0,0 @@
---
# Connection and timing
environment_wait_timeout: 180
environment_wait_delay: 5
# Pacman installer settings
environment_parallel_downloads: 20
environment_pacman_lock_timeout: 120
environment_pacman_retries: 4
environment_pacman_retry_delay: 15

42
roles/environment/tasks/_configure_network.yml
View File

@@ -13,14 +13,6 @@
| default('')
}}
- name: Bring up network interface
when:
- hypervisor_type == "vmware"
- environment_interface_name | default('') | length > 0
ansible.builtin.command: "ip link set {{ environment_interface_name }} up"
register: environment_link_result
changed_when: environment_link_result.rc == 0
- name: Set IP-Address
when:
- hypervisor_type == "vmware"
@@ -40,31 +32,13 @@
register: environment_gateway_result
changed_when: environment_gateway_result.rc == 0
- name: Configure DNS resolvers
when:
- hypervisor_type == "vmware"
- system_cfg.network.dns.servers | default([]) | length > 0
ansible.builtin.copy:
dest: /etc/resolv.conf
content: |
{% for server in system_cfg.network.dns.servers %}
nameserver {{ server }}
{% endfor %}
{% if system_cfg.network.dns.search | default([]) | length > 0 %}
search {{ system_cfg.network.dns.search | join(' ') }}
{% endif %}
mode: "0644"
- name: Synchronize clock via NTP
ansible.builtin.command: timedatectl set-ntp true
register: environment_ntp_result
changed_when: environment_ntp_result.rc == 0
- name: Configure SSH for root login
when:
- hypervisor_type == "vmware"
- hypervisor_cfg.ssh | default(false) | bool
- system_cfg.network.ip is defined and system_cfg.network.ip | string | length > 0
when: hypervisor_type == "vmware" and hypervisor_cfg.ssh | bool
block:
- name: Allow login
ansible.builtin.replace:
@@ -84,19 +58,7 @@
name: sshd
state: reloaded
- name: Switch to SSH connection
- name: Set SSH connection for VMware
ansible.builtin.set_fact:
ansible_connection: ssh
ansible_host: "{{ system_cfg.network.ip }}"
ansible_port: 22
ansible_user: root
ansible_password: ""
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
- name: Reset connection for SSH switchover
ansible.builtin.meta: reset_connection
- name: Verify SSH connectivity
ansible.builtin.wait_for_connection:
timeout: 30
delay: 2

21
roles/environment/tasks/_detect_live.yml
View File

@@ -1,8 +1,8 @@
---
- name: Wait for connection
ansible.builtin.wait_for_connection:
timeout: "{{ environment_wait_timeout }}"
delay: "{{ environment_wait_delay }}"
timeout: 180
delay: 5
- name: Gather facts
ansible.builtin.setup:
@@ -68,23 +68,6 @@
Boot from a live installer (Arch, Debian, Ubuntu, etc.) and retry.
quiet: true
- name: Harden sshd for Ansible automation
ansible.builtin.blockinfile:
path: /etc/ssh/sshd_config
marker: "# {mark} BOOTSTRAP ANSIBLE SETTINGS"
block: |
PerSourcePenalties no
MaxStartups 50:30:100
ClientAliveInterval 30
ClientAliveCountMax 10
register: _sshd_config_result
- name: Restart sshd immediately if config was changed
when: _sshd_config_result is changed
ansible.builtin.service:
name: sshd
state: restarted
- name: Abort if the host is not booted from the Arch install media
when:
- not (custom_iso | bool)

16
roles/environment/tasks/_prepare_installer.yml
View File

@@ -4,14 +4,14 @@
ansible.builtin.lineinfile:
path: /etc/pacman.conf
regexp: ^#ParallelDownloads =
line: "ParallelDownloads = {{ environment_parallel_downloads }}"
line: ParallelDownloads = 20
- name: Wait for pacman lock to be released
when: not (custom_iso | bool)
ansible.builtin.wait_for:
path: /var/lib/pacman/db.lck
state: absent
timeout: "{{ environment_pacman_lock_timeout }}"
timeout: 120
changed_when: false
- name: Setup Pacman
@@ -25,15 +25,14 @@
state: latest
loop:
- { name: glibc }
- { name: lua, os: [almalinux, fedora, rhel, rocky] }
- { name: dnf, os: [almalinux, fedora, rhel, rocky] }
- { name: debootstrap, os: [debian, ubuntu, ubuntu-lts] }
- { name: debian-archive-keyring, os: [debian] }
- { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] }
loop_control:
label: "{{ item.name }}"
retries: "{{ environment_pacman_retries }}"
delay: "{{ environment_pacman_retry_delay }}"
retries: 4
delay: 15
- name: Prepare /iso mount and repository for RHEL-based systems
when: os == "rhel"
@@ -80,13 +79,6 @@
# bootstrapping RHEL-family distros from the Arch ISO, where the
# host rpm/dnf does not trust target distro GPG keys. Package
# integrity is verified by the target system's own rpm after reboot.
- name: Create RPM macros directory
when: is_rhel | bool
ansible.builtin.file:
path: /etc/rpm
state: directory
mode: "0755"
- name: Relax RPM Sequoia signature policy for RHEL bootstrap
when: is_rhel | bool
ansible.builtin.copy:

2
roles/environment/tasks/main.yml
View File

@@ -1,6 +1,6 @@
---
- name: Configure work environment
become: "{{ (hypervisor_type | default('none')) != 'vmware' }}"
become: "{{ hypervisor_type != 'vmware' }}"
block:
- name: Detect and validate live environment
ansible.builtin.include_tasks: _detect_live.yml

8
roles/environment/templates/almalinux.repo.j2
View File

@@ -1,4 +1,4 @@
[appstream]
[alma-appstream]
name=AlmaLinux $releasever - AppStream
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/appstream
# baseurl=https://repo.almalinux.org/almalinux/$releasever/AppStream/$basearch/os/
@@ -9,7 +9,7 @@ gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=1
[baseos]
[alma-baseos]
name=AlmaLinux $releasever - BaseOS
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos
# baseurl=https://repo.almalinux.org/almalinux/$releasever/BaseOS/$basearch/os/
@@ -20,7 +20,7 @@ gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=1
[extras]
[alma-extras]
name=AlmaLinux $releasever - Extras
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/extras
# baseurl=https://repo.almalinux.org/almalinux/$releasever/extras/$basearch/os/
@@ -31,7 +31,7 @@ gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
metadata_expire=86400
enabled_metadata=0
[highavailability]
[alma-highavailability]
name=AlmaLinux $releasever - HighAvailability
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/highavailability
# baseurl=https://repo.almalinux.org/almalinux/$releasever/HighAvailability/$basearch/os/

13
roles/environment/templates/rocky.repo.j2
View File

@@ -1,4 +1,4 @@
[baseos]
[rocky-baseos]
name=Rocky Linux $releasever - BaseOS
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/os/
@@ -8,14 +8,3 @@ countme=1
gpgkey=https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-$releasever
metadata_expire=86400
enabled_metadata=1
[appstream]
name=Rocky Linux $releasever - AppStream
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=AppStream-$releasever
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/AppStream/$basearch/os/
gpgcheck=1
enabled=1
countme=1
gpgkey=https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-$releasever
metadata_expire=86400
enabled_metadata=1

75
roles/global_defaults/defaults/main.yml
View File

@@ -9,22 +9,6 @@ os_family_debian:
- debian
- ubuntu
- ubuntu-lts
# OS → family mapping — aligns with the main project's ansible_os_family pattern.
# Enables platform_config dict lookups per role instead of inline when: is_rhel chains.
os_family_map:
almalinux: RedHat
alpine: Alpine
archlinux: Archlinux
debian: Debian
fedora: RedHat
opensuse: Suse
rhel: RedHat
rocky: RedHat
ubuntu: Debian
ubuntu-lts: Debian
void: Void
os_supported:
- almalinux
- alpine
@@ -46,15 +30,13 @@ hypervisor_defaults:
url: ""
username: ""
password: ""
node: ""
host: ""
storage: ""
datacenter: ""
cluster: ""
folder: ""
certs: false
ssh: false
physical_default_os: "archlinux"
custom_iso: false
thirdparty_tasks: "dropins/preparation.yml"
@@ -62,7 +44,7 @@ system_defaults:
type: "virtual" # virtual|physical
os: ""
version: ""
filesystem: "ext4"
filesystem: ""
name: ""
id: ""
cpus: 0
@@ -82,13 +64,11 @@ system_defaults:
timezone: "Europe/Vienna"
locale: "en_US.UTF-8"
keymap: "us"
mirror: ""
packages: []
disks: []
users: {}
users: []
root:
password: ""
shell: "/bin/bash"
luks:
enabled: false
passphrase: ""
@@ -129,57 +109,8 @@ system_defaults:
rhel_repo:
source: "iso" # iso|satellite|none — how RHEL systems get packages post-install
url: "" # Satellite/custom repo URL when source=satellite
aur:
enabled: false
helper: "yay" # yay|paru
user: "_aur_builder"
chroot:
tool: "arch-chroot" # arch-chroot|chroot|systemd-nspawn
initramfs:
generator: "" # auto-detected; override: dracut|mkinitcpio|initramfs-tools
desktop:
enabled: false
environment: "" # gnome|kde|xfce|sway|hyprland|cinnamon|mate|lxqt|budgie
display_manager: "" # auto from environment when empty; override: gdm|sddm|lightdm|greetd
secure_boot:
enabled: false
method: "" # arch only: sbctl (default) or uki; ignored for other distros
# Per-hypervisor required fields — drives data-driven validation.
# All virtual types additionally require network bridge or interfaces.
hypervisor_required_fields:
proxmox:
hypervisor: [url, username, password, node, storage]
system: [id]
vmware:
hypervisor: [url, username, password, datacenter, storage]
system: []
xen:
hypervisor: []
system: []
libvirt:
hypervisor: []
system: []
# Hypervisor-to-disk device prefix mapping for virtual machines.
# Physical installs must set system.disks[].device explicitly.
hypervisor_disk_device_map:
libvirt: "/dev/vd"
xen: "/dev/xvd"
proxmox: "/dev/sd"
vmware: "/dev/sd"
# Mountpoints managed by the partitioning role — forbidden for extra disks.
reserved_mounts:
- /boot
- /boot/efi
- /home
- /var
- /var/log
- /var/log/audit
# Drive letter sequence for disk device naming (max 26 disks).
disk_letter_map: "abcdefghijklmnopqrstuvwxyz"
system_disk_defaults:
size: 0

4
roles/global_defaults/tasks/_normalize_disks.yml
View File

@@ -2,10 +2,10 @@
- name: Normalize system disks input
vars:
system_disks: "{{ system_cfg.disks | default([]) }}"
system_disk_letter_map: "{{ disk_letter_map }}"
system_disk_letter_map: "abcdefghijklmnopqrstuvwxyz"
system_disk_device_prefix: >-
{{
hypervisor_disk_device_map.get(hypervisor_type, '')
{'libvirt': '/dev/vd', 'xen': '/dev/xvd', 'proxmox': '/dev/sd', 'vmware': '/dev/sd'}.get(hypervisor_type, '')
if system_cfg.type == 'virtual'
else ''
}}

74
roles/global_defaults/tasks/_normalize_system.yml
View File

@@ -2,7 +2,7 @@
- name: Build normalized system configuration
vars:
system_raw: "{{ system_defaults | combine(system, recursive=True) }}"
system_type: "{{ 'virtual' if (system_raw.type | string | lower) in ['vm', 'virtual'] else (system_raw.type | string | lower) }}"
system_type: "{{ system_raw.type | string | lower }}"
system_os_input: "{{ system_raw.os | default('') | string | lower }}"
system_name: >-
{{
@@ -10,28 +10,17 @@
if (system_raw.name | default('') | string | trim | length) > 0
else inventory_hostname
}}
_mirror_defaults:
debian: "https://deb.debian.org/debian/"
ubuntu: "http://archive.ubuntu.com/ubuntu/"
ubuntu-lts: "http://archive.ubuntu.com/ubuntu/"
ansible.builtin.set_fact:
system_cfg:
# --- Identity & platform ---
type: "{{ system_type }}"
os: "{{ system_os_input if system_os_input | length > 0 else (physical_default_os if system_type == 'physical' else '') }}"
os: "{{ system_os_input if system_os_input | length > 0 else ('archlinux' if system_type == 'physical' else '') }}"
version: "{{ system_raw.version | default('') | string }}"
filesystem: "{{ system_raw.filesystem | default('') | string | lower }}"
name: "{{ system_name }}"
id: "{{ system_raw.id | default('') | string }}"
# --- VM sizing (ignored for physical) ---
cpus: "{{ [system_raw.cpus | default(0) | int, 0] | max }}"
memory: "{{ [system_raw.memory | default(0) | int, 0] | max }}"
balloon: "{{ [system_raw.balloon | default(0) | int, 0] | max }}"
# --- Network ---
# Flat fields (bridge, ip, etc.) and interfaces[] are mutually exclusive.
# When interfaces[] is set, flat fields are populated from the first
# interface in the "Populate primary network fields" task below.
# When only flat fields are set, a synthetic interfaces[] entry is built.
network:
bridge: "{{ system_raw.network.bridge | default('') | string }}"
vlan: "{{ system_raw.network.vlan | default('') | string }}"
@@ -52,7 +41,7 @@
if (system_raw.network.interfaces | default([]) | length > 0)
else (
[{
'name': '',
'name': 'eth0',
'bridge': system_raw.network.bridge | default('') | string,
'vlan': system_raw.network.vlan | default('') | string,
'ip': system_raw.network.ip | default('') | string,
@@ -67,22 +56,10 @@
else []
)
}}
# --- Locale & environment ---
timezone: "{{ system_raw.timezone | string }}"
locale: "{{ system_raw.locale | string }}"
keymap: "{{ system_raw.keymap | string }}"
mirror: >-
{{
system_raw.mirror | string | trim
if (system_raw.mirror | default('') | string | trim | length) > 0
else _mirror_defaults[system_raw.os | default('') | string | lower] | default('')
}}
path: >-
{{
(system_raw.path | default('') | string)
if (system_raw.path | default('') | string | length > 0)
else (hypervisor_cfg.folder | default('') | string)
}}
timezone: "{{ system_raw.timezone | default('Europe/Vienna') | string }}"
locale: "{{ system_raw.locale | default('en_US.UTF-8') | string }}"
keymap: "{{ system_raw.keymap | default('us') | string }}"
path: "{{ system_raw.path | default('') | string }}"
packages: >-
{{
(
@@ -94,13 +71,10 @@
| reject('equalto', '')
| list
}}
# --- Storage & accounts ---
disks: "{{ system_raw.disks | default([]) }}"
users: "{{ system_raw.users | default({}) }}"
users: "{{ system_raw.users | default([]) }}"
root:
password: "{{ system_raw.root.password | string }}"
shell: "{{ system_raw.root.shell | default('/bin/bash') | string }}"
# --- LUKS disk encryption ---
luks:
enabled: "{{ system_raw.luks.enabled | bool }}"
passphrase: "{{ system_raw.luks.passphrase | string }}"
@@ -120,7 +94,6 @@
pbkdf: "{{ system_raw.luks.pbkdf | string }}"
urandom: "{{ system_raw.luks.urandom | bool }}"
verify: "{{ system_raw.luks.verify | bool }}"
# --- Feature flags ---
features:
cis:
enabled: "{{ system_raw.features.cis.enabled | bool }}"
@@ -144,16 +117,27 @@
url: "{{ system_raw.features.rhel_repo.url | default('') | string }}"
chroot:
tool: "{{ system_raw.features.chroot.tool | string }}"
initramfs:
generator: "{{ system_raw.features.initramfs.generator | default('') | string | lower }}"
desktop:
enabled: "{{ system_raw.features.desktop.enabled | bool }}"
environment: "{{ system_raw.features.desktop.environment | default('') | string | lower }}"
display_manager: "{{ system_raw.features.desktop.display_manager | default('') | string | lower }}"
secure_boot:
enabled: "{{ system_raw.features.secure_boot.enabled | bool }}"
method: "{{ system_raw.features.secure_boot.method | default('') | string | lower }}"
hostname: "{{ system_name }}"
os: "{{ system_os_input if system_os_input | length > 0 else (physical_default_os if system_type == 'physical' else '') }}"
os: "{{ system_os_input if system_os_input | length > 0 else ('archlinux' if system_type == 'physical' else '') }}"
os_version: "{{ system_raw.version | default('') | string }}"
no_log: true
- name: Populate primary network fields from first interface
when:
- system_cfg.network.interfaces | length > 0
- system_cfg.network.bridge | default('') | string | length == 0
vars:
_primary: "{{ system_cfg.network.interfaces[0] }}"
ansible.builtin.set_fact:
system_cfg: >-
{{
system_cfg | combine({
'network': system_cfg.network | combine({
'bridge': _primary.bridge | default(''),
'vlan': _primary.vlan | default(''),
'ip': _primary.ip | default(''),
'prefix': _primary.prefix | default(''),
'gateway': _primary.gateway | default('')
})
}, recursive=True)
}}

18
roles/global_defaults/tasks/_validate_input.yml
View File

@@ -8,11 +8,11 @@
that:
- system is mapping
- system.network is not defined or system.network is mapping
- system.users is not defined or system.users is mapping
- system.users is not defined or (system.users is iterable and system.users is not string and system.users is not mapping)
- system.root is not defined or system.root is mapping
- system.luks is not defined or system.luks is mapping
- system.features is not defined or system.features is mapping
fail_msg: "system and its nested keys (network, root, luks, features, users) must be dictionaries."
fail_msg: "system and its nested keys (network, root, luks, features) must be dictionaries; system.users must be a list."
quiet: true
- name: Validate DNS lists (not strings)
@@ -25,17 +25,17 @@
quiet: true
- name: Validate system.users entries
when: system.users is defined and system.users is mapping and system.users | length > 0
when: system.users is defined and system.users | length > 0
ansible.builtin.assert:
that:
- item.value is mapping
- item.key | string | length > 0
- item.value['keys'] is not defined or (item.value['keys'] is iterable and item.value['keys'] is not string)
fail_msg: "Each system.users entry must be a dict keyed by username; 'keys' must be a list."
- item is mapping
- item.name is defined and (item.name | string | length) > 0
- item['keys'] is not defined or (item['keys'] is iterable and item['keys'] is not string)
fail_msg: "Each system.users[] entry must be a dict with 'name'; 'keys' must be a list."
quiet: true
loop: "{{ system.users | dict2items }}"
loop: "{{ system.users }}"
loop_control:
label: "{{ item.key }}"
label: "{{ item.name | default('(unnamed)') }}"
- name: Validate system features input types
when: system.features is defined

56
roles/global_defaults/tasks/main.yml
View File

@@ -1,8 +1,4 @@
---
# Centralized normalization — all input dicts (system, hypervisor, disks)
# are normalized here into system_cfg, hypervisor_cfg, etc.
# Downstream roles consume these computed facts directly and do NOT need
# per-role _normalize.yml (except CIS, which has its own input dict).
- name: Global defaults loaded
ansible.builtin.debug:
msg: Global defaults loaded.
@@ -10,41 +6,9 @@
- name: Normalize hypervisor inputs
ansible.builtin.include_tasks: hypervisor.yml
- name: Set VMware module auth defaults
when: hypervisor_type == 'vmware'
ansible.builtin.set_fact:
_vmware_auth:
hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}"
datacenter: "{{ hypervisor_cfg.datacenter }}"
no_log: true
- name: Set Proxmox module auth defaults
when: hypervisor_type == 'proxmox'
ansible.builtin.set_fact:
_proxmox_auth:
api_host: "{{ hypervisor_cfg.url }}"
api_user: "{{ hypervisor_cfg.username }}"
api_password: "{{ hypervisor_cfg.password }}"
_proxmox_auth_node:
api_host: "{{ hypervisor_cfg.url }}"
api_user: "{{ hypervisor_cfg.username }}"
api_password: "{{ hypervisor_cfg.password }}"
node: "{{ hypervisor_cfg.node }}"
no_log: true
- name: Normalize system inputs
ansible.builtin.include_tasks: system.yml
- name: Inherit folder from hypervisor when system path is empty
when:
- system_cfg.path | default('') | string | length == 0
- hypervisor_cfg.folder | default('') | string | length > 0
ansible.builtin.set_fact:
system_cfg: "{{ system_cfg | combine({'path': hypervisor_cfg.folder | string}, recursive=True) }}"
- name: Validate variables
ansible.builtin.include_tasks: validation.yml
@@ -52,7 +16,6 @@
ansible.builtin.set_fact:
is_rhel: "{{ os in os_family_rhel }}"
is_debian: "{{ os in os_family_debian }}"
os_family: "{{ os_family_map[os] | default('Unknown') }}"
- name: Normalize OS version for keying
when:
@@ -81,14 +44,10 @@
when:
- system_cfg.type == "virtual"
- hypervisor_type != "vmware"
vars:
_primary: "{{ (system_cfg.users | dict2items | selectattr('value.password', 'defined') | first) }}"
ansible.builtin.set_fact:
ansible_host: "{{ system_cfg.network.ip }}"
ansible_port: 22
ansible_user: "{{ _primary.key }}"
ansible_password: "{{ _primary.value.password }}"
ansible_become_password: "{{ _primary.value.password }}"
ansible_user: "{{ system_cfg.users[0].name }}"
ansible_password: "{{ system_cfg.users[0].password }}"
ansible_become_password: "{{ system_cfg.users[0].password }}"
ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
no_log: true
@@ -96,12 +55,3 @@
when: hypervisor_type == "vmware"
ansible.builtin.set_fact:
ansible_connection: vmware_tools
ansible_host: "{{ hypervisor_cfg.url }}"
ansible_port: 443
ansible_user: root
ansible_password: ""
ansible_vmware_user: "{{ hypervisor_cfg.username }}"
ansible_vmware_password: "{{ hypervisor_cfg.password }}"
ansible_vmware_guest_path: "/{{ hypervisor_cfg.datacenter }}/vm{{ system_cfg.path }}/{{ hostname }}"
ansible_vmware_validate_certs: "{{ hypervisor_cfg.certs | bool }}"
no_log: true

95
roles/global_defaults/tasks/system.yml
View File

@@ -1,10 +1,4 @@
---
# Two code paths:
# 1. Fresh run (system_cfg undefined): normalize from raw `system` input.
# 2. Pre-computed (system_cfg already set, e.g. from main project's deploy_iac):
# merge with bootstrap system_defaults to fill missing fields (luks, features,
# etc.) that bootstrap expects but the main project doesn't set, then derive
# convenience facts (hostname, os, os_version).
- name: Normalize system and disk configuration
when: system_cfg is not defined
block:
@@ -16,92 +10,3 @@
- name: Normalize disk configuration
ansible.builtin.include_tasks: _normalize_disks.yml
- name: Populate primary network fields from first interface
when:
- system_cfg is defined
- system_cfg.network.interfaces | default([]) | length > 0
- system_cfg.network.ip | default('') | string | length == 0
vars:
_primary: "{{ system_cfg.network.interfaces[0] }}"
ansible.builtin.set_fact:
system_cfg: >-
{{
system_cfg | combine({
'network': system_cfg.network | combine({
'bridge': _primary.bridge | default(''),
'vlan': _primary.vlan | default(''),
'ip': _primary.ip | default(''),
'prefix': _primary.prefix | default(''),
'gateway': _primary.gateway | default('')
})
}, recursive=True)
}}
- name: Check if pre-computed system_cfg needs enrichment
when: system_cfg is defined
ansible.builtin.set_fact:
_bootstrap_needs_enrichment: "{{ hostname is not defined }}"
- name: Merge pre-computed system_cfg with bootstrap system_defaults
when:
- system_cfg is defined
- _bootstrap_needs_enrichment | default(false) | bool
ansible.builtin.set_fact:
system_cfg: "{{ system_defaults | combine(system | default({}), recursive=True) | combine(system_cfg, recursive=True) }}"
- name: Apply mirror default for pre-computed system_cfg
when:
- system_cfg is defined
- _bootstrap_needs_enrichment | default(false) | bool
- system_cfg.mirror | default('') | string | trim | length == 0
vars:
# Same as _normalize_system.yml — kept in sync manually.
_mirror_defaults:
debian: "https://deb.debian.org/debian/"
ubuntu: "http://archive.ubuntu.com/ubuntu/"
ubuntu-lts: "http://archive.ubuntu.com/ubuntu/"
ansible.builtin.set_fact:
system_cfg: >-
{{
system_cfg | combine({
'mirror': _mirror_defaults[system_cfg.os | default('') | string | lower] | default('')
}, recursive=True)
}}
- name: Populate primary network fields from first interface (pre-computed)
when:
- system_cfg is defined
- _bootstrap_needs_enrichment | default(false) | bool
- system_cfg.network.interfaces | default([]) | length > 0
- system_cfg.network.bridge | default('') | string | length == 0
vars:
_primary: "{{ system_cfg.network.interfaces[0] }}"
ansible.builtin.set_fact:
system_cfg: >-
{{
system_cfg | combine({
'network': system_cfg.network | combine({
'bridge': _primary.bridge | default(''),
'vlan': _primary.vlan | default(''),
'ip': _primary.ip | default(''),
'prefix': _primary.prefix | default(''),
'gateway': _primary.gateway | default('')
})
}, recursive=True)
}}
- name: Derive convenience facts from pre-computed system_cfg
when:
- system_cfg is defined
- _bootstrap_needs_enrichment | default(false) | bool
ansible.builtin.set_fact:
hostname: "{{ system_cfg.name | default(inventory_hostname) }}"
os: "{{ system_cfg.os | default('') }}"
os_version: "{{ system_cfg.version | default('') | string }}"
- name: Normalize disk configuration (pre-computed system_cfg)
when:
- system_cfg is defined
- install_drive is not defined
ansible.builtin.include_tasks: _normalize_disks.yml

152
roles/global_defaults/tasks/validation.yml
View File

@@ -123,7 +123,7 @@
or (
os == "debian" and (os_version | string) in ["10", "11", "12", "13", "unstable"]
) or (
os == "fedora" and (os_version | int) >= 38 and (os_version | int) <= 43
os == "fedora" and (os_version | int) >= 38 and (os_version | int) <= 45
) or (
os in ["rocky", "almalinux"]
and (os_version | string) is match("^(8|9|10)(\\.\\d+)?$")
@@ -152,60 +152,70 @@
fail_msg: "rhel_iso is required when os=rhel."
quiet: true
- name: Validate hypervisor-specific required fields
- name: Validate Proxmox hypervisor inputs
when:
- system_cfg.type == "virtual"
- hypervisor_type in hypervisor_required_fields
- hypervisor_type == "proxmox"
ansible.builtin.assert:
that:
- (hypervisor_cfg[item] | default('') | string | length) > 0
fail_msg: "Missing required {{ hypervisor_type }} field: hypervisor.{{ item }}"
- hypervisor_cfg.url | string | length > 0
- hypervisor_cfg.username | string | length > 0
- hypervisor_cfg.password | string | length > 0
- hypervisor_cfg.host | string | length > 0
- hypervisor_cfg.storage | string | length > 0
- system_cfg.id | string | length > 0
- >-
(system_cfg.network.bridge | default('') | string | length > 0)
or (system_cfg.network.interfaces | default([]) | length > 0)
fail_msg: >-
Missing required Proxmox inputs. Define hypervisor.(url,username,password,host,storage),
system.id, and system.network.bridge (or system.network.interfaces[]).
quiet: true
loop: "{{ hypervisor_required_fields[hypervisor_type].hypervisor | default([]) }}"
loop_control:
label: "hypervisor.{{ item }}"
no_log: true
- name: Validate VMware placement (cluster or node required, mutually exclusive)
- name: Validate VMware hypervisor inputs
when:
- system_cfg.type == "virtual"
- hypervisor_type == "vmware"
ansible.builtin.assert:
that:
- hypervisor_cfg.url | string | length > 0
- hypervisor_cfg.username | string | length > 0
- hypervisor_cfg.password | string | length > 0
- hypervisor_cfg.datacenter | string | length > 0
- hypervisor_cfg.cluster | string | length > 0
- hypervisor_cfg.storage | string | length > 0
- >-
(hypervisor_cfg.cluster | default('') | string | length > 0)
or (hypervisor_cfg.node | default('') | string | length > 0)
- >-
(hypervisor_cfg.cluster | default('') | string | length == 0)
or (hypervisor_cfg.node | default('') | string | length == 0)
(system_cfg.network.bridge | default('') | string | length > 0)
or (system_cfg.network.interfaces | default([]) | length > 0)
fail_msg: >-
VMware requires either hypervisor.cluster or hypervisor.node (mutually exclusive).
cluster targets a vSphere cluster; node targets a specific ESXi host.
Missing required VMware inputs. Define hypervisor.(url,username,password,datacenter,cluster,storage)
and system.network.bridge (or system.network.interfaces[]).
quiet: true
no_log: true
- name: Validate hypervisor-specific required system fields
- name: Validate Xen hypervisor inputs
when:
- system_cfg.type == "virtual"
- hypervisor_type in hypervisor_required_fields
ansible.builtin.assert:
that:
- (system_cfg[item] | default('') | string | length) > 0
fail_msg: "Missing required {{ hypervisor_type }} field: system.{{ item }}"
quiet: true
loop: "{{ hypervisor_required_fields[hypervisor_type].system | default([]) }}"
loop_control:
label: "system.{{ item }}"
- name: Validate virtual machine network requirement
when: system_cfg.type == "virtual"
- hypervisor_type == "xen"
ansible.builtin.assert:
that:
- >-
(system_cfg.network.bridge | default('') | string | length > 0)
or (system_cfg.network.interfaces | default([]) | length > 0)
fail_msg: >-
Missing required {{ hypervisor_type }} network configuration.
Define system.network.bridge (or system.network.interfaces[]).
fail_msg: "Missing required Xen inputs. Define system.network.bridge (or system.network.interfaces[])."
quiet: true
- name: Validate libvirt hypervisor inputs
when:
- system_cfg.type == "virtual"
- hypervisor_type == "libvirt"
ansible.builtin.assert:
that:
- >-
(system_cfg.network.bridge | default('') | string | length > 0)
or (system_cfg.network.interfaces | default([]) | length > 0)
fail_msg: "Missing required libvirt inputs. Define system.network.bridge (or system.network.interfaces[])."
quiet: true
- name: Validate virtual installer ISO requirement
@@ -223,7 +233,6 @@
- system_cfg.features.firewall.toolkit is defined
- system_cfg.features.firewall.toolkit in ["iptables", "nftables"]
- system_cfg.features.firewall.enabled is defined
- system_cfg.features.ssh.enabled is defined
- system_cfg.features.banner.motd is defined
- system_cfg.features.banner.sudo is defined
- system_cfg.luks.enabled is defined
@@ -241,8 +250,6 @@
- system_cfg.disks is defined and (system_cfg.disks | length) > 0
- (system_cfg.disks[0].size | float) > 0
- (system_cfg.disks[0].size | float) >= 20
# Btrfs minimum disk: swap_size + 5.5 GiB overhead (subvolumes + metadata).
# Swap sizing: memory < 16 GiB → max(memory_GiB, 2); memory >= 16 GiB → memory/2.
- >-
system_cfg.filesystem != "btrfs"
or (
@@ -261,16 +268,13 @@
fail_msg: "Invalid system sizing. Check system.cpus, system.memory, and system.disks[0].size."
quiet: true
- name: Validate at least one user with a password is defined
vars:
_pw_users: "{{ system_cfg.users | dict2items | selectattr('value.password', 'defined') | list }}"
- name: Validate at least one user is defined
ansible.builtin.assert:
that:
- system_cfg.users | default({}) | length > 0
- _pw_users | length > 0
- _pw_users[0].key | string | length > 0
- _pw_users[0].value.password | string | length > 0
fail_msg: "At least one user with a password must be defined in system.users."
- system_cfg.users | default([]) | length > 0
- system_cfg.users[0].name is defined and (system_cfg.users[0].name | string | length) > 0
- system_cfg.users[0].password is defined and (system_cfg.users[0].password | string | length) > 0
fail_msg: "At least one user with a name and password must be defined in system.users[]."
quiet: true
no_log: true
@@ -313,8 +317,8 @@
system_disk_mounts: >-
{{
(system_cfg.disks | default([]))
| map(attribute='mount', default={})
| map(attribute='path', default='')
| map(attribute='mount')
| map(attribute='path')
| map('string')
| map('trim')
| reject('equalto', '')
@@ -329,11 +333,15 @@
- name: Validate disk mount definitions
when: system_cfg.disks is defined
vars:
all_reserved_mounts: >-
{{
reserved_mounts
+ (['/var/cache/pacman/pkg'] if os == 'archlinux' else [])
}}
reserved_mounts:
- /boot
- /boot/efi
- /home
- /swap
- /var
- /var/cache/pacman/pkg
- /var/log
- /var/log/audit
disk_mount: "{{ (item.mount.path | default('') | string) | trim }}"
disk_fstype: "{{ (item.mount.fstype | default('') | string) | trim }}"
disk_device: "{{ (item.device | default('') | string) | trim }}"
@@ -342,7 +350,7 @@
that:
- disk_mount == "" or disk_mount.startswith("/")
- disk_mount == "" or disk_mount != "/"
- disk_mount == "" or disk_mount not in all_reserved_mounts
- disk_mount == "" or disk_mount not in reserved_mounts
- disk_mount == "" or disk_fstype in ["btrfs", "ext4", "xfs"]
- disk_mount == "" or system_cfg.type == "virtual" or (disk_device | length) > 0
- disk_mount == "" or system_cfg.type != "virtual" or (disk_size | float) > 0
@@ -368,48 +376,8 @@
that:
- item is mapping
- item.bridge is defined and (item.bridge | string | length) > 0
- >-
(item.ip | default('') | string | length) == 0
or (item.prefix | default('') | string | length) > 0
fail_msg: "Each system.network.interfaces[] entry must have a 'bridge' key and 'prefix' when 'ip' is set."
fail_msg: "Each system.network.interfaces[] entry must be a dict with at least a 'bridge' key."
quiet: true
loop: "{{ system_cfg.network.interfaces }}"
loop_control:
label: "{{ item | to_json }}"
- name: Validate hostname format
ansible.builtin.assert:
that:
- hostname is regex("^[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?$")
fail_msg: "hostname '{{ hostname }}' contains invalid characters. Use only alphanumeric, hyphens, dots, and underscores."
quiet: true
- name: Validate IP address format
when: system_cfg.network.ip is defined and (system_cfg.network.ip | string | length) > 0
ansible.builtin.assert:
that:
- system_cfg.network.ip is regex("^([0-9]{1,3}\\.){3}[0-9]{1,3}$")
fail_msg: "system.network.ip '{{ system_cfg.network.ip }}' is not a valid IPv4 address."
quiet: true
- name: Validate DNS server format
when:
- system_cfg.network.dns.servers is defined
- system_cfg.network.dns.servers | length > 0
ansible.builtin.assert:
that:
- item is regex("^([0-9]{1,3}\\.){3}[0-9]{1,3}$")
fail_msg: "DNS server '{{ item }}' is not a valid IPv4 address."
quiet: true
loop: "{{ system_cfg.network.dns.servers }}"
- name: Validate LUKS method
when: system_cfg.luks.enabled | bool
ansible.builtin.assert:
that:
- system_cfg.luks.method in ["tpm2", "keyfile"]
- >-
(system_cfg.luks.passphrase | string | length) > 0
fail_msg: "system.luks.method must be 'tpm2' or 'keyfile', and luks.passphrase must be set when LUKS is enabled."
quiet: true
no_log: true

7
roles/partitioning/defaults/main.yml
View File

@@ -1,8 +1,5 @@
---
partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if system_cfg.features.zstd.enabled | bool else '' }}"
# Partition separator: 'p' for NVMe/mmcblk (device path ends in digit), empty for SCSI/virtio.
# Examples: /dev/sda → /dev/sda1, /dev/nvme0n1 → /dev/nvme0n1p1
partitioning_part_sep: "{{ 'p' if (install_drive | default('') | regex_search('\\d$')) else '' }}"
partitioning_boot_partition_suffix: 1
partitioning_main_partition_suffix: 2
partitioning_efi_size_mib: 512
@@ -116,12 +113,12 @@ partitioning_grub_enable_cryptodisk: >-
and not (partitioning_separate_boot | bool)
and (partitioning_efi_mountpoint == '/boot/efi')
}}
partitioning_luks_device: "{{ install_drive ~ partitioning_part_sep ~ (partitioning_root_partition_suffix | string) }}"
partitioning_luks_device: "{{ install_drive ~ (partitioning_root_partition_suffix | string) }}"
partitioning_root_device: >-
{{
'/dev/mapper/' + system_cfg.luks.mapper
if (system_cfg.luks.enabled | bool)
else install_drive ~ partitioning_part_sep ~ (partitioning_root_partition_suffix | string)
else install_drive ~ (partitioning_root_partition_suffix | string)
}}
partitioning_disk_size_gb: >-
{{

29
roles/partitioning/tasks/_create_filesystems.yml
View File

@@ -3,7 +3,7 @@
block:
- name: Create FAT32 filesystem in boot partition
community.general.filesystem:
dev: "{{ install_drive }}{{ partitioning_part_sep }}{{ partitioning_boot_partition_suffix }}"
dev: "{{ install_drive }}{{ partitioning_boot_partition_suffix }}"
fstype: vfat
opts: -F32 -n BOOT
force: true
@@ -11,7 +11,7 @@
- name: Create filesystem for /boot partition
when: partitioning_separate_boot | bool
community.general.filesystem:
dev: "{{ install_drive }}{{ partitioning_part_sep }}{{ partitioning_boot_fs_partition_suffix }}"
dev: "{{ install_drive }}{{ partitioning_boot_fs_partition_suffix }}"
fstype: "{{ partitioning_boot_fs_fstype }}"
opts: "{{ '-m bigtime=0 -i nrext64=0,exchange=0 -n parent=0' if (is_rhel | bool and partitioning_boot_fs_fstype == 'xfs') else omit }}"
force: true
@@ -23,8 +23,9 @@
- os in ['almalinux', 'rocky', 'rhel'] or (os == 'debian' and (os_version | string) == '11')
ansible.builtin.command: >-
tune2fs -O "^orphan_file,^metadata_csum_seed"
"{{ install_drive }}{{ partitioning_part_sep }}{{ partitioning_boot_fs_partition_suffix }}"
changed_when: false
"{{ install_drive }}{{ partitioning_boot_fs_partition_suffix }}"
register: partitioning_boot_ext4_tune_result
changed_when: partitioning_boot_ext4_tune_result.rc == 0
- name: Create swap filesystem
when:
@@ -38,7 +39,7 @@
ansible.builtin.include_tasks: "{{ system_cfg.filesystem }}.yml"
- name: Get UUID for boot filesystem
ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ partitioning_part_sep }}{{ partitioning_boot_partition_suffix }}'
ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ partitioning_boot_partition_suffix }}'
register: partitioning_boot_uuid
changed_when: false
failed_when: partitioning_boot_uuid.rc != 0 or (partitioning_boot_uuid.stdout | trim | length) == 0
@@ -46,7 +47,7 @@
- name: Get UUID for /boot filesystem
when: partitioning_separate_boot | bool
ansible.builtin.command: >-
blkid -s UUID -o value '{{ install_drive }}{{ partitioning_part_sep }}{{ partitioning_boot_fs_partition_suffix }}'
blkid -s UUID -o value '{{ install_drive }}{{ partitioning_boot_fs_partition_suffix }}'
register: partitioning_boot_fs_uuid
changed_when: false
failed_when: partitioning_boot_fs_uuid.rc != 0 or (partitioning_boot_fs_uuid.stdout | trim | length) == 0
@@ -76,7 +77,7 @@
- name: Get UUID for LVM home filesystem
when:
- system_cfg.filesystem != 'btrfs'
- system_cfg.features.cis.enabled | bool
- system_cfg.features.cis.enabled
ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/home
register: partitioning_uuid_home_result
changed_when: false
@@ -85,7 +86,7 @@
- name: Get UUID for LVM var filesystem
when:
- system_cfg.filesystem != 'btrfs'
- system_cfg.features.cis.enabled | bool
- system_cfg.features.cis.enabled
ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/var
register: partitioning_uuid_var_result
changed_when: false
@@ -94,7 +95,7 @@
- name: Get UUID for LVM var_log filesystem
when:
- system_cfg.filesystem != 'btrfs'
- system_cfg.features.cis.enabled | bool
- system_cfg.features.cis.enabled
ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/var_log
register: partitioning_uuid_var_log_result
changed_when: false
@@ -103,7 +104,7 @@
- name: Get UUID for LVM var_log_audit filesystem
when:
- system_cfg.filesystem != 'btrfs'
- system_cfg.features.cis.enabled | bool
- system_cfg.features.cis.enabled
ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/var_log_audit
register: partitioning_uuid_var_log_audit_result
changed_when: false
@@ -122,24 +123,24 @@
partitioning_uuid_home: >-
{{
partitioning_uuid_home_result.stdout_lines | default([])
if system_cfg.features.cis.enabled | bool
if system_cfg.features.cis.enabled
else []
}}
partitioning_uuid_var: >-
{{
partitioning_uuid_var_result.stdout_lines | default([])
if system_cfg.features.cis.enabled | bool
if system_cfg.features.cis.enabled
else []
}}
partitioning_uuid_var_log: >-
{{
partitioning_uuid_var_log_result.stdout_lines | default([])
if system_cfg.features.cis.enabled | bool
if system_cfg.features.cis.enabled
else []
}}
partitioning_uuid_var_log_audit: >-
{{
partitioning_uuid_var_log_audit_result.stdout_lines | default([])
if system_cfg.features.cis.enabled | bool
if system_cfg.features.cis.enabled
else []
}}

8
roles/partitioning/tasks/_create_lvm.yml
View File

@@ -29,7 +29,7 @@
- name: Create LVM logical volumes
when:
- system_cfg.features.cis.enabled | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
- system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
- system_cfg.features.swap.enabled | bool or item.lv != 'swap'
vars:
partitioning_lvm_extent_reserve_count: 10
@@ -84,7 +84,7 @@
(
(partitioning_disk_size_gb | float)
- (partitioning_reserved_gb | float)
- (system_cfg.features.cis.enabled | bool | ternary(partitioning_cis_reserved_gb | float, 0))
- (system_cfg.features.cis.enabled | ternary(partitioning_cis_reserved_gb | float, 0))
- partitioning_lvm_extent_reserve_gb
- 4
),
@@ -99,7 +99,7 @@
(
(partitioning_disk_size_gb | float)
- (partitioning_reserved_gb | float)
- (system_cfg.features.cis.enabled | bool | ternary(partitioning_cis_reserved_gb | float, 0))
- (system_cfg.features.cis.enabled | ternary(partitioning_cis_reserved_gb | float, 0))
- partitioning_lvm_extent_reserve_gb
- partitioning_lvm_swap_target_limited_gb
) | float
@@ -160,7 +160,7 @@
+ (partitioning_lvm_var_gb | float)
+ (partitioning_lvm_var_log_gb | float)
+ (partitioning_lvm_var_log_audit_gb | float)
if system_cfg.features.cis.enabled | bool
if system_cfg.features.cis.enabled
else 0
)
),

5
roles/partitioning/tasks/_create_partitions.yml
View File

@@ -65,7 +65,9 @@
ansible.builtin.command: "{{ item }}"
loop:
- "partprobe {{ install_drive }}"
- "blockdev --rereadpt {{ install_drive }}"
- "udevadm settle"
register: partitioning_partprobe_result
changed_when: false
failed_when: false
@@ -89,7 +91,9 @@
ansible.builtin.command: "{{ item }}"
loop:
- "partprobe {{ install_drive }}"
- "blockdev --rereadpt {{ install_drive }}"
- "udevadm settle"
register: partitioning_partprobe_retry
changed_when: false
failed_when: false
@@ -112,5 +116,6 @@
loop:
- "partprobe {{ install_drive }}"
- "udevadm settle"
register: partitioning_partprobe_settle
changed_when: false
failed_when: false

14
roles/partitioning/tasks/_mount.yml
View File

@@ -1,21 +1,17 @@
---
- name: Mount filesystems
block:
# CIS mode: mount all paths (separate partitions for /home, /var, etc.)
# Non-CIS btrfs: only mount subvolume paths (/home, /var/log, /var/cache/pacman/pkg)
# Non-CIS LVM: skip CIS-only paths (/home, /var, /var/log, /var/log/audit, /var/cache/pacman/pkg)
- name: Mount filesystems and subvolumes
when:
- >-
system_cfg.features.cis.enabled | bool or (
not (system_cfg.features.cis.enabled | bool) and (
(system_cfg.filesystem == 'btrfs' and item.path in ['/home', '/var/log']
+ (['/var/cache/pacman/pkg'] if os == 'archlinux' else []))
system_cfg.features.cis.enabled or (
not system_cfg.features.cis.enabled and (
(system_cfg.filesystem == 'btrfs' and item.path in ['/home', '/var/log', '/var/cache/pacman/pkg'])
or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit', '/var/cache/pacman/pkg'])
)
)
- >-
not (item.path in ['/swap', '/var/cache/pacman/pkg'] and (system_cfg.filesystem != 'btrfs' or os != 'archlinux'))
not (item.path in ['/swap', '/var/cache/pacman/pkg'] and system_cfg.filesystem != 'btrfs')
- system_cfg.features.swap.enabled | bool or item.path != '/swap'
ansible.posix.mount:
path: /mnt{{ item.path }}
@@ -125,6 +121,4 @@
{{ 'swapon /mnt/swap/swapfile' if system_cfg.filesystem == 'btrfs' else 'swapon -U ' + partitioning_uuid_swap[0] }}
ansible.builtin.command: "{{ partitioning_swap_cmd }}"
register: partitioning_swap_activate_result
# swapon returns 255 if swap is already active
failed_when: partitioning_swap_activate_result.rc not in [0, 255]
changed_when: partitioning_swap_activate_result.rc == 0

3
roles/partitioning/tasks/_setup_luks.yml
View File

@@ -21,6 +21,7 @@
algorithm: "{{ system_cfg.luks.pbkdf }}"
iteration_time: "{{ (system_cfg.luks.iter | float) / 1000 }}"
passphrase: "{{ system_cfg.luks.passphrase | string }}"
register: partitioning_luks_format_result
no_log: true
- name: Force-close LUKS mapper
@@ -50,6 +51,7 @@
name: "{{ system_cfg.luks.mapper }}"
passphrase: "{{ system_cfg.luks.passphrase | string }}"
allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
register: partitioning_luks_open_result
no_log: true
rescue:
- name: Force-close stale LUKS mapper
@@ -77,6 +79,7 @@
name: "{{ system_cfg.luks.mapper }}"
passphrase: "{{ system_cfg.luks.passphrase | string }}"
allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
register: partitioning_luks_open_retry
no_log: true
- name: Get LUKS UUID

16
roles/partitioning/tasks/btrfs.yml
View File

@@ -41,9 +41,8 @@
- name: Make root subvolumes
when:
- system_cfg.features.cis.enabled | bool or item.subvol not in ['var_log_audit']
- system_cfg.features.cis.enabled or item.subvol not in ['var_log_audit']
- system_cfg.features.swap.enabled | bool or item.subvol != 'swap'
- item.os is not defined or os in item.os
ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
args:
creates: /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
@@ -52,21 +51,15 @@
- { subvol: swap }
- { subvol: home }
- { subvol: var }
- { subvol: pkg, os: [archlinux] }
- { subvol: pkg }
- { subvol: var_log }
- { subvol: var_log_audit }
loop_control:
label: "{{ item.subvol }}"
- name: Set default btrfs subvolume to @
ansible.builtin.shell: >-
btrfs subvolume list /mnt | awk '/ path @$/ {print $2}'
| xargs -I{} btrfs subvolume set-default {} /mnt
register: partitioning_btrfs_default_result
changed_when: partitioning_btrfs_default_result.rc == 0
register: partitioning_btrfs_subvol_result
- name: Set quotas for subvolumes
when: system_cfg.features.cis.enabled | bool
when: system_cfg.features.cis.enabled
ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
loop:
- { subvol: home, quota: "{{ partitioning_btrfs_home_quota }}" }
@@ -81,6 +74,7 @@
btrfs filesystem mkswapfile --size {{ partitioning_swap_size_gb }}g --uuid clear /mnt/@swap/swapfile
args:
creates: /mnt/@swap/swapfile
register: partitioning_btrfs_swap_result
- name: Unmount Partition
ansible.posix.mount:

4
roles/partitioning/tasks/ext4.yml
View File

@@ -1,6 +1,6 @@
---
- name: Create and format ext4 logical volumes
when: system_cfg.features.cis.enabled | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
when: system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
community.general.filesystem:
dev: /dev/{{ partitioning_vg_name }}/{{ item.lv }}
fstype: ext4
@@ -17,7 +17,7 @@
- name: Remove Unsupported features for older Systems
when: >
(os in ['almalinux', 'rocky', 'rhel'] or (os == 'debian' and (os_version | string) == '11'))
and (system_cfg.features.cis.enabled | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'])
and (system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'])
ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/{{ partitioning_vg_name }}/{{ item.lv }}"
loop:
- { lv: root }

2
roles/partitioning/tasks/xfs.yml
View File

@@ -1,6 +1,6 @@
---
- name: Create and format XFS logical volumes
when: system_cfg.features.cis.enabled | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
when: system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
community.general.filesystem:
dev: /dev/{{ partitioning_vg_name }}/{{ item.lv }}
fstype: xfs

4
roles/system_check/tasks/main.yml
View File

@@ -45,7 +45,7 @@
block:
- name: Query Proxmox for existing VM
community.proxmox.proxmox_vm_info:
node: "{{ hypervisor_cfg.node }}"
node: "{{ hypervisor_cfg.host }}"
vmid: "{{ system_cfg.id }}"
name: "{{ hostname }}"
type: qemu
@@ -66,7 +66,6 @@
- name: Check VM existence in vCenter
when: hypervisor_type == "vmware"
delegate_to: localhost
become: false
module_defaults:
community.vmware.vmware_guest_info:
hostname: "{{ hypervisor_cfg.url }}"
@@ -107,7 +106,6 @@
- name: Check if VM already exists on Xen
when: hypervisor_type == "xen"
delegate_to: localhost
become: false
ansible.builtin.command:
argv:
- xl

15
roles/virtualization/defaults/main.yml
View File

@@ -1,9 +1,4 @@
---
# Cloud-init support matrix:
# libvirt — cloud-init ISO attached as CDROM (user-data + network-config)
# proxmox — cloud-init via Proxmox API (cicustom, ciuser, cipassword, etc.)
# vmware — no cloud-init; configuration is applied post-install via chroot
# xen — no cloud-init; configuration is applied post-install via chroot
virtualization_libvirt_image_dir: >-
{{
system_cfg.path
@@ -22,10 +17,10 @@ virtualization_libvirt_ovmf_vars: /usr/share/edk2/x64/OVMF_VARS.4m.fd
virtualization_tpm2_enabled: >-
{{
(
(system_cfg.luks.enabled | bool)
and (system_cfg.luks.auto | bool)
and (system_cfg.luks.method | lower == 'tpm2')
(system_cfg.luks.enabled | bool)
and (system_cfg.luks.auto | bool)
and (
(system_cfg.luks.method | lower)
== 'tpm2'
)
or (system_cfg.features.secure_boot.enabled | default(false) | bool)
}}

26
roles/virtualization/tasks/_xen_disks.yml
View File

@@ -1,26 +0,0 @@
---
- name: Build Xen disk definitions
when: virtualization_xen_disks is not defined
block:
- name: Compute Xen disk configuration
ansible.builtin.set_fact:
virtualization_xen_disks: "{{ virtualization_xen_disks | default([]) + [_xen_disk_cfg] }}"
vars:
device_letter_map: "{{ disk_letter_map }}"
device_letter: "{{ device_letter_map[ansible_loop.index0] }}"
_xen_disk_cfg: >-
{{
{
'path': (
virtualization_xen_disk_path ~ '/' ~ hostname ~ '.qcow2'
if ansible_loop.index0 == 0
else virtualization_xen_disk_path ~ '/' ~ hostname ~ '-disk' ~ ansible_loop.index0 ~ '.qcow2'
),
'target': 'xvd' ~ device_letter,
'size': (item.size | float)
}
}}
loop: "{{ system_cfg.disks }}"
loop_control:
label: "{{ item | to_json }}"
extended: true

80
roles/virtualization/tasks/delete.yml
View File

@@ -1,80 +0,0 @@
---
- name: Delete VMware VM
when: hypervisor_type == "vmware"
delegate_to: localhost
community.vmware.vmware_guest:
hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}"
datacenter: "{{ hypervisor_cfg.datacenter }}"
name: "{{ hostname }}"
folder: "{{ system_cfg.path if system_cfg.path | string | length > 0 else omit }}"
state: absent
force: true
no_log: true
- name: Delete Proxmox VM
when: hypervisor_type == "proxmox"
delegate_to: localhost
community.proxmox.proxmox_kvm:
api_host: "{{ hypervisor_cfg.url }}"
api_user: "{{ hypervisor_cfg.username }}"
api_password: "{{ hypervisor_cfg.password }}"
node: "{{ hypervisor_cfg.node }}"
vmid: "{{ system_cfg.id | default(omit, true) }}"
name: "{{ hostname }}"
state: absent
force: true
no_log: true
- name: Destroy libvirt VM
when: hypervisor_type == "libvirt"
delegate_to: localhost
block:
- name: Stop libvirt VM
community.libvirt.virt:
name: "{{ hostname }}"
state: destroyed
uri: "{{ libvirt_uri | default('qemu:///system') }}"
failed_when: false
- name: Undefine libvirt VM
ansible.builtin.command:
cmd: "virsh -c {{ libvirt_uri | default('qemu:///system') }} undefine {{ hostname }} --nvram"
register: _libvirt_undefine_result
changed_when: _libvirt_undefine_result.rc == 0
failed_when: false
- name: Remove libvirt disk images
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
loop: "{{ virtualization_libvirt_disks | default([]) }}"
loop_control:
label: "{{ item.path | default('unknown') }}"
- name: Remove libvirt cloud-init disk
ansible.builtin.file:
path: "{{ virtualization_libvirt_cloudinit_path | default('/dev/null') }}"
state: absent
when: virtualization_libvirt_cloudinit_path is defined
- name: Destroy Xen VM
when: hypervisor_type == "xen"
delegate_to: localhost
block:
- name: Stop Xen VM
ansible.builtin.command:
argv:
- xl
- destroy
- "{{ hostname }}"
changed_when: false
failed_when: false
- name: Remove Xen VM config
ansible.builtin.file:
path: "/etc/xen/{{ hostname }}.cfg"
state: absent
failed_when: false

2
roles/virtualization/tasks/libvirt.yml
View File

@@ -3,7 +3,7 @@
ansible.builtin.set_fact:
virtualization_libvirt_disks: "{{ virtualization_libvirt_disks | default([]) + [virtualization_libvirt_disk_cfg] }}"
vars:
device_letter_map: "{{ disk_letter_map }}"
device_letter_map: "abcdefghijklmnopqrstuvwxyz"
device_letter: "{{ device_letter_map[ansible_loop.index0] }}"
virtualization_libvirt_disk_cfg: >-
{{

10
roles/virtualization/tasks/proxmox.yml
View File

@@ -2,7 +2,11 @@
- name: Deploy VM on Proxmox
delegate_to: localhost
module_defaults:
community.proxmox.proxmox_kvm: "{{ _proxmox_auth_node }}"
community.proxmox.proxmox_kvm:
api_host: "{{ hypervisor_cfg.url }}"
api_user: "{{ hypervisor_cfg.username }}"
api_password: "{{ hypervisor_cfg.password }}"
node: "{{ hypervisor_cfg.host }}"
block:
- name: Create VM on Proxmox
vars:
@@ -35,8 +39,8 @@
{%- endfor -%}
{{ out }}
community.proxmox.proxmox_kvm:
ciuser: "{{ (system_cfg.users | dict2items | selectattr('value.password', 'defined') | first).key }}"
cipassword: "{{ (system_cfg.users | dict2items | selectattr('value.password', 'defined') | first).value.password }}"
ciuser: "{{ system_cfg.users[0].name }}"
cipassword: "{{ system_cfg.users[0].password }}"
ciupgrade: false
vmid: "{{ system_cfg.id }}"
name: "{{ hostname }}"

35
roles/virtualization/tasks/vmware.yml
View File

@@ -14,9 +14,24 @@
- name: Deploy VM in vCenter
delegate_to: localhost
module_defaults:
community.vmware.vmware_guest: "{{ _vmware_auth }}"
community.vmware.vmware_guest_tpm: "{{ _vmware_auth }}"
vmware.vmware.vm_powerstate: "{{ _vmware_auth }}"
community.vmware.vmware_guest:
hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}"
datacenter: "{{ hypervisor_cfg.datacenter }}"
community.vmware.vmware_guest_tpm:
hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}"
datacenter: "{{ hypervisor_cfg.datacenter }}"
vmware.vmware.vm_powerstate:
hostname: "{{ hypervisor_cfg.url }}"
username: "{{ hypervisor_cfg.username }}"
password: "{{ hypervisor_cfg.password }}"
validate_certs: "{{ hypervisor_cfg.certs | bool }}"
datacenter: "{{ hypervisor_cfg.datacenter }}"
block:
# community.vmware: full-featured guest management
- name: Create VM in vCenter
@@ -32,8 +47,7 @@
{%- endfor -%}
{{ ns.out }}
community.vmware.vmware_guest:
cluster: "{{ hypervisor_cfg.cluster if (hypervisor_cfg.node | default('') | length == 0) else omit }}"
esxi_hostname: "{{ hypervisor_cfg.node if (hypervisor_cfg.node | default('') | length > 0) else omit }}"
cluster: "{{ hypervisor_cfg.cluster }}"
folder: "{{ system_cfg.path if system_cfg.path | string | length > 0 else omit }}"
name: "{{ hostname }}"
# Generic guest ID — VMware auto-detects OS post-install
@@ -86,17 +100,6 @@
name: "{{ hostname }}"
state: present
no_log: true
register: virtualization_vmware_tpm2_result
- name: Validate vTPM2 was added successfully
when:
- virtualization_tpm2_enabled | bool
- virtualization_vmware_tpm2_result is defined
ansible.builtin.assert:
that:
- virtualization_vmware_tpm2_result is not failed
fail_msg: "Failed to add vTPM2 to VM '{{ hostname }}'. LUKS with TPM2 requires a virtual TPM device."
quiet: true
# vmware.vmware: modern collection for power operations
- name: Start VM in vCenter

23
roles/virtualization/tasks/xen.yml
View File

@@ -2,7 +2,28 @@
- name: Deploy VM on Xen
block:
- name: Build disk definitions
ansible.builtin.include_tasks: _xen_disks.yml
ansible.builtin.set_fact:
virtualization_xen_disks: "{{ virtualization_xen_disks | default([]) + [virtualization_xen_disk_cfg] }}"
vars:
device_letter_map: "abcdefghijklmnopqrstuvwxyz"
device_letter: "{{ device_letter_map[ansible_loop.index0] }}"
virtualization_xen_disk_cfg: >-
{{
{
'path': (
virtualization_xen_disk_path ~ '/' ~ hostname ~ '.qcow2'
if ansible_loop.index0 == 0
else virtualization_xen_disk_path ~ '/' ~ hostname ~ '-disk' ~ ansible_loop.index0 ~ '.qcow2'
),
'target': 'xvd' ~ device_letter,
'size': (item.size | float)
}
}}
loop: "{{ system_cfg.disks }}"
loop_control:
label: "{{ item | to_json }}"
extended: true
changed_when: false
- name: Create VM disks for Xen
delegate_to: localhost

19
roles/virtualization/templates/cloud-user-data.yml.j2
View File

@@ -4,22 +4,17 @@ ssh_pwauth: true
package_update: false
package_upgrade: false
users:
{% for username, attrs in system_cfg.users.items() %}
- name: "{{ username }}"
primary_group: "{{ username }}"
{% for user in system_cfg.users %}
- name: "{{ user.name }}"
primary_group: "{{ user.name }}"
groups: users
{% if attrs.sudo | default(false) | bool %}
sudo: "ALL=(ALL) NOPASSWD:ALL"
{% endif %}
{% if attrs.password | default('') | length > 0 %}
passwd: "{{ attrs.password | password_hash('sha512') }}"
passwd: "{{ user.password | password_hash('sha512') }}"
lock_passwd: false
{% else %}
lock_passwd: true
{% endif %}
{% if 'keys' in attrs and attrs['keys'] is iterable and attrs['keys'] is not string and attrs['keys'] | length > 0 %}
{% set ssh_keys = user['keys'] | default([]) %}
{% if ssh_keys | length > 0 %}
ssh_authorized_keys:
{% for key in attrs['keys'] %}
{% for key in ssh_keys %}
- "{{ key }}"
{% endfor %}
{% endif %}

2
vars_example.yml
View File

@@ -7,7 +7,7 @@ hypervisor:
url: "pve01.example.com"
username: "root@pam"
password: "CHANGE_ME"
node: "pve01"
host: "pve01"
storage: "local-lvm"
datacenter: "dc01"
cluster: "cluster01"