Normalize LUKS boot layout and partitioning defaults

Update Fedora to 43
Restore Debian ESP mount layout
2025-12-28 16:00:49 +01:00 · 2025-12-28 04:04:27 +01:00 · 2025-12-28 02:24:33 +01:00 · 2025-12-28 01:54:14 +01:00 · 2025-12-28 01:29:26 +01:00 · 2025-12-28 00:46:09 +01:00
50 changed files with 484 additions and 913 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,4 +1,2 @@
 skip_list:
  - run-once
-exclude_paths:
-  - roles/global_defaults/
--- a/README.md
+++ b/README.md
@@ -51,22 +51,20 @@ The playbook uses the ArchLinux ISO as a foundational tool to provides an effici

 ## 2. Global Variables

-Global variables apply across your Ansible project and can be supplied via inventory or `-e @vars_example.yml`. These variables define common settings such as hypervisor connection details and the boot ISO path. They can be overridden by inventory variables for specific hosts or VMs if needed.
+Global variables apply across your Ansible project and are loaded from `vars.yml` by default. These variables define common settings such as hypervisor connection details and the boot ISO path. They can be overridden by inventory variables for specific hosts or VMs if needed.

 ### 2.1 Core Provisioning

 | Variable                | Description                                                | Example Value                             |
 | ----------------------- | ---------------------------------------------------------- | ----------------------------------------- |
 | `install_type`          | Type of installation.                                      | `virtual`, `physical`                     |
-| `hypervisor`            | Type of hypervisor (required for virtual installs).        | `libvirt`, `proxmox`, `vmware`, `none`    |
+| `hypervisor`            | Type of hypervisor.                                        | `libvirt`, `proxmox`, `vmware`, `none`    |
 | `install_drive`         | Drive where the system will be installed.                  | `/dev/sda`                                |
 | `boot_iso`              | Path to the boot ISO image.                                | `local-btrfs:iso/archlinux-x86_64.iso`    |
 | `rhel_iso`              | Path to the RHEL ISO file, required for RHEL 8/9/10.        | `local-btrfs:iso/rhel-9.4-x86_64-dvd.iso` |
 | `custom_iso` (optional) | Skip ArchISO checks and pacman setup on installer media.   | `true`, `false (default)`                 |
-| `cis` (optional)        | Adjusts the installation to be CIS level 3 conformant.     | `true`, `false (default)`                 |
-| `selinux` (optional)    | Toggle SELinux where supported.                            | `true (default)`, `false`                 |
-| `firewalld_enabled` (optional) | Toggle firewalld package/service enablement.        | `true (default)`, `false`                 |
-| `ssh_enabled` (optional) | Toggle SSH server package/service enablement.        | `true (default)`, `false`                 |
+| `cis` (optional)        | Adjusts the installation to be CIS level 3 conformant.     | `true`, `false`                           |
+| `selinux` (optional)    | Toggle SELinux where supported.                            | `true`, `false`                           |

 ### 2.2 Hypervisor Access (virtual installs)

@@ -80,7 +78,7 @@ Global variables apply across your Ansible project and can be supplied via inven
 | `hypervisor_node`       | Hypervisor node name.                                      | `node01`             |
 | `hypervisor_storage`    | Storage identifier for VM disks.                           | `local-btrfs`        |
 | `vm_path` (optional)    | Libvirt image dir or VMware folder path.                   | `/var/lib/libvirt/images` |
-| `vmware_ssh`            | If Ansible should use SSH after base VMware setup.         | `true`, `false (default)`      |
+| `vmware_ssh`            | If Ansible should use SSH after base VMware setup.         | `true`, `false`      |
 | `vlan_name` (optional)  | VLAN for the VM's network interface.                       | `vlan100`            |
 | `note` (optional)       | VMware VM annotation.                                      | `Provisioned by Ansible` |

@@ -106,7 +104,7 @@ These are required when `hypervisor: vmware` uses the `vmware_tools` connection.
 | `luks_passphrase`          | Passphrase used for initial LUKS format/unlock. | `1234`             |
 | `luks_mapper_name`         | Decrypted mapper name.                          | `SYSTEM_DECRYPTED` |
 | `luks_auto_decrypt`        | Enable automatic unlock on boot.                | `true`, `false`    |
-| `luks_auto_decrypt_method` | Auto-unlock method.                             | `tpm2`, `keyfile`, `manual` |
+| `luks_auto_decrypt_method` | Auto-unlock method.                             | `tpm2`, `keyfile`  |
 | `luks_tpm2_device`         | TPM2 device for enrollment.                     | `auto`             |
 | `luks_tpm2_pcrs`           | TPM2 PCR list (systemd-cryptenroll).            | `7`                |
 | `luks_keyfile_size`        | Keyfile size in bytes for initramfs.            | `64`               |
@@ -120,18 +118,6 @@ These are required when `hypervisor: vmware` uses the `vmware_tools` connection.
 | `luks_use_urandom`         | Reserved; module uses cryptsetup defaults.      | `true`             |
 | `luks_verify_passphrase`   | Reserved; module uses cryptsetup defaults.      | `true`             |

-### 2.5 Partitioning Overrides (advanced)
-
-Use these only when you need to override the default layout logic.
-
-| Variable                     | Description                                              | Example Value |
-| ---------------------------- | -------------------------------------------------------- | ------------- |
-| `partitioning_efi_size_mib`  | ESP size in MiB.                                         | `512`         |
-| `partitioning_boot_size_mib` | `/boot` size in MiB when a separate boot is used.        | `1024`        |
-| `partitioning_separate_boot` | Force a separate `/boot` partition.                      | `true`        |
-| `partitioning_boot_fs_fstype` | Filesystem for `/boot` when separate.                   | `ext4`        |
-| `partitioning_use_full_disk` | Use remaining LVM space for the root volume.             | `true`        |
-
 To protect sensitive information, such as passwords, API keys, and other confidential variables (e.g., `hypervisor_password`), **it is recommended to use Ansible Vault**.

 ## 3. Inventory Variables
@@ -142,7 +128,6 @@ Inventory variables are defined for individual hosts or VMs in the inventory fil

 | Variable     | Description                            | Example Value          |
 | ------------ | -------------------------------------- | ---------------------- |
-| `ansible_host` | Ansible connection address for the host. | `192.168.0.10`      |
 | `os`         | Operating system to be installed.      | `ubuntu-lts`           |
 | `filesystem` | Filesystem type for the root volume.   | `btrfs`, `ext4`, `xfs` |
 | `hostname`   | The hostname assigned to the system.   | `vm01`                 |
@@ -174,9 +159,9 @@ These are prompted by default via `vars_prompt` in `main.yml`, but can be suppli
 | Variable    | Description                       | Example Value |
 | ----------- | --------------------------------- | ------------- |
 | `vm_id`     | Unique identifier for the VM.     | `101`         |
-| `vm_size`   | Disk size allocated in GB (min 20). | `20`        |
+| `vm_size`   | Disk size allocated in GB.        | `20`          |
 | `vm_memory` | Amount of memory in MB.           | `2048`        |
-| `vm_cpus`   | Number of CPU cores (virtual installs). | `4`      |
+| `vm_cpus`   | Number of CPU cores.              | `4`           |
 | `vm_ballo`  | Ballooning memory size (optional).| `2048`        |

 ### 3.5 Post-install Packages
@@ -193,28 +178,27 @@ Before running the playbook, ensure you have Ansible installed and configured co

 ### 4.2 Running the Playbook

-Execute the playbook using the `ansible-playbook` command, ensuring that all necessary variables are defined, typically by specifying a vars file (such as `vars_example.yml`) containing the required configurations.
+Execute the playbook using the `ansible-playbook` command, ensuring that all necessary variables are defined, typically by specifying a `vars.yml` file containing the required configurations.

 ### 4.3 Example Usage

-An effective way to use the playbook involves defining all necessary configurations within a vars file (for example, `vars_example.yml`). This file should include all relevant global variables tailored to your specific deployment requirements. Additionally, you should prepare an inventory file (`inventory.yml`) that lists all the hosts along with any specific inventory variables they might need. Then, you can run the playbook as follows:
+An effective way to use the playbook involves defining all necessary configurations within a `vars.yml` file. This file should include all relevant global variables tailored to your specific deployment requirements. Additionally, you should prepare an inventory file (`inventory.yml`) that lists all the hosts along with any specific inventory variables they might need. Then, you can run the playbook as follows:

 ```bash
-ansible-playbook -i inventory.yml -e @vars_example.yml main.yml
+ansible-playbook -i inventory.yml -e @vars.yml main.yml
 ```

-This command prompts Ansible to execute the `main.yml` playbook, applying configurations defined in both the vars file and the inventory file.
+This command prompts Ansible to execute the `main.yml` playbook, applying configurations defined in both `vars.yml` and the inventory file.

-Use `inventory_example.yml`, `inventory_libvirt_example.yml`, `vars_example.yml`, and the bare-metal examples as starting points for new inventories.
+Use `inventory_example.yml`, `vars_example.yml`, and the bare-metal examples as starting points for new inventories.

 ## Notes

- `vm_size`/`vm_memory`/`vm_cpus` are required for virtual installs only, physical installs use the full disk.
+- `vm_size`/`vm_memory` are required for virtual installs only, physical installs use the full disk.
 - `vm_dns` and `vm_dns_search` accept comma-separated strings or YAML lists.
 - `hypervisor` determines which backend-specific roles run.
 - Guest tools are installed based on `hypervisor`: `qemu-guest-agent` for `libvirt`/`proxmox`, `open-vm-tools` for `vmware`, otherwise none.
- Molecule is scaffolded with a delegated driver and a no-op converge for lint-only validation.
- With LUKS enabled on Debian/Ubuntu and RHEL-based systems, provisioning uses an ESP (512 MiB), a separate `/boot`
+- With LUKS enabled on Debian/Ubuntu and RHEL-based systems, provisioning uses an ESP (50 MiB), a separate `/boot`
  (1 GiB, same as `filesystem` unless `btrfs` uses ext4 on Debian/Ubuntu or xfs on RHEL-based), and the encrypted root;
  adjust sizes via
  `partitioning_efi_size_mib` and `partitioning_boot_size_mib` if needed.
--- a/inventory_example.yml
+++ b/inventory_example.yml
@@ -1,50 +1,40 @@
 ---
 all:
  vars:
-    install_type: "virtual"
    hypervisor: "proxmox"
+    install_type: "virtual"
    install_drive: "/dev/sda"
    boot_iso: "local:iso/archlinux-x86_64.iso"
    vm_nif: "vmbr0"
+    vm_gw: "10.0.0.1"
+    vm_dns:
+      - 1.1.1.1
+      - 1.0.0.1
+    vm_dns_search:
+      - example.com
  children:
    proxmox:
      hosts:
-        app01.example.com:
+        proxy01.example.com:
          ansible_host: 10.0.0.10
-          hostname: "app01.example.com"
+          hostname: "proxy01.example.com"
+          vm_id: 100
          os: "archlinux"
          filesystem: "btrfs"
-          vm_id: 100
-          vm_cpus: 2
          vm_memory: 4096
+          vm_ballo: 2048
+          vm_cpus: 2
          vm_size: 40
          vm_ip: 10.0.0.10
-          vm_nms: 24
-          vm_gw: 10.0.0.1
-          vm_dns:
-            - 1.1.1.1
-            - 1.0.0.1
-          extra_packages:
-            - jq
-            - tmux
-        db01.example.com:
+        database01.example.com:
          ansible_host: 10.0.0.11
-          hostname: "db01.example.com"
+          hostname: "database01.example.com"
+          vm_id: 101
          os: "rhel9"
          filesystem: "xfs"
-          vm_id: 101
+          vm_memory: 4096
+          vm_ballo: 2048
          vm_cpus: 4
-          vm_memory: 8192
-          vm_size: 80
+          vm_size: 60
          vm_ip: 10.0.0.11
-          vm_nms: 24
-          vm_gw: 10.0.0.1
-          vm_dns: "1.1.1.1,1.0.0.1"
          rhel_iso: "local:iso/rhel-9.4-x86_64-dvd.iso"
-          luks_enabled: true
-          luks_passphrase: "CHANGE_ME"
-          luks_auto_decrypt_method: "keyfile"
-          luks_keyfile_size: 128
-          cis: true
-          selinux: false
-          firewalld_enabled: false
--- a/inventory_libvirt_example.yml
+++ b/inventory_libvirt_example.yml
@@ -1,56 +0,0 @@
---
-all:
-  vars:
-    install_type: "virtual"
-    hypervisor: "libvirt"
-    install_drive: "/dev/vda"
-    boot_iso: "/var/lib/libvirt/images/archlinux-x86_64.iso"
-  children:
-    libvirt:
-      hosts:
-        web01.example.com:
-          ansible_host: 192.168.122.10
-          hostname: "web01.example.com"
-          os: "debian12"
-          filesystem: "ext4"
-          vm_cpus: 2
-          vm_memory: 2048
-          vm_size: 30
-          vm_ip: 192.168.122.10
-          vm_nms: 24
-          vm_gw: 192.168.122.1
-          vm_dns: 1.1.1.1
-          extra_packages:
-            - nginx
-            - fail2ban
-        vault01.example.com:
-          ansible_host: 192.168.122.11
-          hostname: "vault01.example.com"
-          os: "ubuntu-lts"
-          filesystem: "btrfs"
-          vm_cpus: 2
-          vm_memory: 4096
-          vm_size: 40
-          vm_ip: 192.168.122.11
-          vm_nms: 24
-          vm_gw: 192.168.122.1
-          vm_dns_search: "example.com"
-          luks_enabled: true
-          luks_passphrase: "CHANGE_ME"
-          luks_auto_decrypt_method: "keyfile"
-          firewalld_enabled: false
-        rhel9.example.com:
-          ansible_host: 192.168.122.12
-          hostname: "rhel9.example.com"
-          os: "rhel9"
-          filesystem: "xfs"
-          vm_cpus: 4
-          vm_memory: 8192
-          vm_size: 80
-          vm_ip: 192.168.122.12
-          vm_nms: 24
-          vm_gw: 192.168.122.1
-          vm_dns: "1.1.1.1,1.0.0.1"
-          vm_path: "/srv/libvirt/images"
-          rhel_iso: "/var/lib/libvirt/images/rhel-9.4-x86_64-dvd.iso"
-          vlan_name: "100"
--- a/main.yml
+++ b/main.yml
@@ -24,10 +24,70 @@
      prompt: |
        What is your root password?
      confirm: true
+  vars_files: vars.yml
  pre_tasks:
-    - name: Load global defaults
-      ansible.builtin.import_role:
-        name: global_defaults
+    - name: Validate variables
+      ansible.builtin.assert:
+        that:
+          - install_type in ["virtual", "physical"]
+          - hypervisor in ["libvirt", "proxmox", "vmware", "none"]
+          - filesystem in ["btrfs", "ext4", "xfs"]
+          - install_drive is defined
+          - install_type == "physical" or vm_size is defined
+          - install_type == "physical" or vm_memory is defined
+          - os in ["archlinux", "almalinux", "debian11", "debian12", "debian13", "fedora", "rhel8", "rhel9", "rhel10", "rocky", "ubuntu", "ubuntu-lts"]
+          - os not in ["rhel8", "rhel9", "rhel10"] or rhel_iso is defined
+          - >-
+            install_type == "physical"
+            or (
+              (filesystem == "btrfs" and (vm_size | default(0) | int) >= 10)
+              or (filesystem != "btrfs" and (vm_size | default(0) | int) >= 20)
+            )
+          - >-
+            install_type == "physical"
+            or (
+              (vm_size | default(0) | float)
+              >= (
+                (vm_memory | default(0) | float / 1024 >= 16.0)
+                | ternary(
+                    (vm_memory | default(0) | float / 2048),
+                    [vm_memory | default(0) | float / 1024, 4.0] | max
+                  )
+                + 16
+              )
+            )
+        fail_msg: Invalid input specified, please try again.
+
+    - name: Normalize optional flags
+      ansible.builtin.set_fact:
+        cis: "{{ cis | default(false) | bool }}"
+        custom_iso: "{{ custom_iso | default(false) | bool }}"
+        is_rhel: "{{ os | default('') | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky'] }}"
+        is_debian: "{{ os | default('') | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts'] }}"
+      changed_when: false
+
+    - name: Set Python interpreter for RHEL-based installers
+      when:
+        - ansible_python_interpreter is not defined
+        - os | lower in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"]
+      ansible.builtin.set_fact:
+        ansible_python_interpreter: /usr/bin/python3
+      changed_when: false
+
+    - name: Set SSH access
+      when:
+        - install_type == "virtual"
+        - hypervisor != "vmware"
+      ansible.builtin.set_fact:
+        ansible_user: "{{ user_name }}"
+        ansible_password: "{{ user_password }}"
+        ansible_become_password: "{{ user_password }}"
+        ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+    - name: Set connection for VMware
+      when: hypervisor == "vmware"
+      ansible.builtin.set_fact:
+        ansible_connection: vmware_tools

  roles:
    - role: virtualization
@@ -50,7 +110,7 @@
    - role: configuration

    - role: cis
-      when: cis_enabled
+      when: cis | default(false) | bool

    - role: cleanup
      when: install_type in ["virtual", "physical"]
@@ -62,7 +122,7 @@
        post_reboot_can_connect: >-
          {{
            (ansible_connection | default('ssh')) != 'ssh'
-            or (vm_ip is defined and (vm_ip | string | length) > 0)
+            or ((vm_ip | default('') | string | length) > 0)
            or (
              install_type == 'physical'
              and (ansible_host | default('') | string | length) > 0
@@ -72,7 +132,7 @@

    - name: Set final SSH credentials for post-reboot tasks
      when:
-        - post_reboot_can_connect | bool
+        - post_reboot_can_connect | default(false) | bool
      ansible.builtin.set_fact:
        ansible_user: "{{ user_name }}"
        ansible_password: "{{ user_password }}"
@@ -80,23 +140,27 @@
        ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"

    - name: Install post-reboot extra packages
-      vars:
-        post_install_extra_packages: >-
-          {{
-            (
-              extra_packages
-              if (extra_packages is iterable and extra_packages is not string)
-              else (extra_packages | string).split(',')
-            )
-            | map('trim')
-            | reject('equalto', '')
-            | list
-          }}
      when:
-        - post_reboot_can_connect | bool
        - extra_packages is defined
-        - extra_packages | length > 0
-        - post_install_extra_packages | length > 0
-      ansible.builtin.package:
-        name: "{{ post_install_extra_packages }}"
-        state: present
+        - post_reboot_can_connect | default(false) | bool
+      block:
+        - name: Normalize extra package list
+          ansible.builtin.set_fact:
+            post_install_extra_packages: >-
+              {{
+                (
+                  extra_packages
+                  if (extra_packages is iterable and extra_packages is not string)
+                  else (extra_packages | default('') | string).split(',')
+                )
+                | map('trim')
+                | reject('equalto', '')
+                | list
+              }}
+          changed_when: false
+
+        - name: Install extra packages
+          when: post_install_extra_packages | length > 0
+          ansible.builtin.package:
+            name: "{{ post_install_extra_packages }}"
+            state: present
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -1,8 +0,0 @@
---
- name: Molecule converge placeholder
-  hosts: all
-  gather_facts: false
-  tasks:
-    - name: Skip destructive provisioning in Molecule
-      ansible.builtin.debug:
-        msg: "Molecule scenario is lint-only; run main.yml against disposable hosts."
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -1,19 +0,0 @@
---
-dependency:
-  name: galaxy
-driver:
-  name: delegated
-platforms:
-  - name: localhost
-provisioner:
-  name: ansible
-  playbooks:
-    converge: converge.yml
-  inventory:
-    host_vars:
-      localhost:
-        ansible_connection: local
-  lint:
-    name: ansible-lint
-verifier:
-  name: ansible
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -1,9 +0,0 @@
---
- name: Molecule verify placeholder
-  hosts: all
-  gather_facts: false
-  tasks:
-    - name: Verify placeholder
-      ansible.builtin.assert:
-        that:
-          - true
--- a/roles/bootstrap/tasks/almalinux.yml
+++ b/roles/bootstrap/tasks/almalinux.yml
@@ -14,7 +14,7 @@
        --setopt=install_weak_deps=False groupinstall -y base core
    - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
    - >-
-        {{ chroot_command }} /mnt dnf --releasever=9 --setopt=install_weak_deps=False
+        arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False
        install -y {{ bootstrap_alma_extra }}
  register: bootstrap_result
  changed_when: bootstrap_result.rc == 0
--- a/roles/bootstrap/tasks/debian.yml
+++ b/roles/bootstrap/tasks/debian.yml
@@ -23,7 +23,7 @@
    - >-
        debootstrap --include={{ bootstrap_debian_base }}
        {{ bootstrap_debian_release }} /mnt http://deb.debian.org/debian/
-    - "{{ chroot_command }} /mnt apt install -y {{ bootstrap_debian_extra }}"
-    - "{{ chroot_command }} /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data"
+    - "arch-chroot /mnt apt install -y {{ bootstrap_debian_extra }}"
+    - arch-chroot /mnt apt remove -y libcups2 libavahi-common3 libavahi-common-data
  register: bootstrap_result
  changed_when: bootstrap_result.rc == 0
--- a/roles/bootstrap/tasks/fedora.yml
+++ b/roles/bootstrap/tasks/fedora.yml
@@ -15,8 +15,8 @@
        groupinstall -y critical-path-base core
    - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
    - >-
-        {{ chroot_command }} /mnt dnf --releasever=43 --setopt=install_weak_deps=False
+        arch-chroot /mnt dnf --releasever=43 --setopt=install_weak_deps=False
        install -y {{ bootstrap_fedora_extra }}
-    - "{{ chroot_command }} /mnt dnf reinstall -y kernel-core"
+    - arch-chroot /mnt dnf reinstall -y kernel-core
  register: bootstrap_result
  changed_when: bootstrap_result.rc == 0
--- a/roles/bootstrap/tasks/rhel.yml
+++ b/roles/bootstrap/tasks/rhel.yml
@@ -34,7 +34,12 @@
        state: mounted

    - name: Rebuild RPM database inside chroot
-      ansible.builtin.command: "{{ chroot_command }} /mnt rpm --rebuilddb"
+      ansible.builtin.command:
+        argv:
+          - arch-chroot
+          - /mnt
+          - rpm
+          - --rebuilddb
      register: bootstrap_rpm_rebuild_result
      changed_when: bootstrap_rpm_rebuild_result.rc == 0

@@ -55,7 +60,7 @@
            | join(' ')
          }}
      ansible.builtin.command: >-
-        {{ chroot_command }} /mnt dnf --releasever={{ bootstrap_rhel_release }}
+        arch-chroot /mnt dnf --releasever={{ bootstrap_rhel_release }}
        --setopt=install_weak_deps=False install -y {{ bootstrap_rhel_extra }}
      register: bootstrap_result
      changed_when: bootstrap_result.rc == 0
--- a/roles/bootstrap/tasks/rocky.yml
+++ b/roles/bootstrap/tasks/rocky.yml
@@ -15,7 +15,7 @@
        groupinstall -y base core
    - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
    - >-
-        {{ chroot_command }} /mnt dnf --releasever=9 --setopt=install_weak_deps=False
+        arch-chroot /mnt dnf --releasever=9 --setopt=install_weak_deps=False
        install -y {{ bootstrap_rocky_extra }}
  register: bootstrap_result
  changed_when: bootstrap_result.rc == 0
--- a/roles/bootstrap/tasks/ubuntu.yml
+++ b/roles/bootstrap/tasks/ubuntu.yml
@@ -20,8 +20,8 @@
        debootstrap --include={{ bootstrap_ubuntu_base }}
        {{ bootstrap_ubuntu_release }} /mnt http://archive.ubuntu.com/ubuntu/
    - ln -sf /run/NetworkManager/resolv.conf /mnt/etc/resolv.conf
-    - "{{ chroot_command }} /mnt sed -i '1s|$| universe|' /etc/apt/sources.list"
-    - "{{ chroot_command }} /mnt apt update"
-    - "{{ chroot_command }} /mnt apt install -y {{ bootstrap_ubuntu_extra }}"
+    - arch-chroot /mnt sed -i '1s|$| universe|' /etc/apt/sources.list
+    - arch-chroot /mnt apt update
+    - "arch-chroot /mnt apt install -y {{ bootstrap_ubuntu_extra }}"
  register: bootstrap_result
  changed_when: bootstrap_result.rc == 0
--- a/roles/bootstrap/vars/main.yml
+++ b/roles/bootstrap/vars/main.yml
@@ -4,7 +4,6 @@ bootstrap_almalinux:
  - dbus-daemon
  - dhcp-client
  - efibootmgr
-  - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
  - glibc-langpack-de
  - glibc-langpack-en
  - grub2
@@ -18,10 +17,10 @@ bootstrap_almalinux:
  - ppp
  - shim
  - tmux
-  - "{{ 'cryptsetup' if luks_enabled else '' }}"
-  - "{{ 'tpm2-tools' if luks_enabled else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
+  - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
+  - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
+  - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
+  - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
  - vim
  - wget
  - zram-generator
@@ -34,7 +33,7 @@ bootstrap_archlinux:
  - dhcpcd
  - efibootmgr
  - fastfetch
-  - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
+  - firewalld
  - fish
  - fzf
  - grub
@@ -48,7 +47,7 @@ bootstrap_archlinux:
  - ncdu
  - networkmanager
  - nfs-utils
-  - "{{ 'openssh' if ssh_enabled | bool else '' }}"
+  - openssh
  - ppp
  - prometheus-node-exporter
  - python-psycopg2
@@ -57,10 +56,10 @@ bootstrap_archlinux:
  - sudo
  - tldr
  - tmux
-  - "{{ 'cryptsetup' if luks_enabled else '' }}"
-  - "{{ 'tpm2-tools' if luks_enabled else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
+  - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
+  - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
+  - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
+  - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
  - vim
  - wireguard-tools
  - zram-generator
@@ -75,14 +74,14 @@ bootstrap_debian11:
    - grub-efi
    - grub-efi-amd64-signed
    - grub2-common
-    - "{{ 'cryptsetup' if luks_enabled else '' }}"
-    - "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
+    - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
+    - "{{ 'cryptsetup-initramfs' if luks_enabled | default(false) else '' }}"
    - linux-image-amd64
    - locales
    - logrotate
    - lvm2
    - net-tools
-    - "{{ 'openssh-server' if ssh_enabled | bool else '' }}"
+    - openssh-server
    - python3
    - sudo
    - xfsprogs
@@ -91,7 +90,7 @@ bootstrap_debian11:
    - bat
    - curl
    - entr
-    - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
+    - firewalld
    - fish
    - fzf
    - htop
@@ -110,9 +109,9 @@ bootstrap_debian11:
    - syslog-ng
    - tcpd
    - tldr
-    - "{{ 'tpm2-tools' if luks_enabled else '' }}"
-    - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
-    - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
+    - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
+    - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
+    - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
    - vim
    - wget
    - zstd
@@ -125,8 +124,8 @@ bootstrap_debian12:
    - grub-efi
    - grub-efi-amd64-signed
    - grub2-common
-    - "{{ 'cryptsetup' if luks_enabled else '' }}"
-    - "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
+    - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
+    - "{{ 'cryptsetup-initramfs' if luks_enabled | default(false) else '' }}"
    - linux-image-amd64
    - locales
    - logrotate
@@ -140,7 +139,7 @@ bootstrap_debian12:
    - curl
    - duf
    - entr
-    - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
+    - firewalld
    - fish
    - fzf
    - htop
@@ -153,7 +152,7 @@ bootstrap_debian12:
    - neofetch
    - net-tools
    - network-manager
-    - "{{ 'openssh-server' if ssh_enabled | bool else '' }}"
+    - openssh-server
    - python-is-python3
    - python3
    - ripgrep
@@ -165,9 +164,9 @@ bootstrap_debian12:
    - systemd-zram-generator
    - tcpd
    - tldr
-    - "{{ 'tpm2-tools' if luks_enabled else '' }}"
-    - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
-    - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
+    - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
+    - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
+    - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
    - vim
    - wget
    - zstd
@@ -180,8 +179,8 @@ bootstrap_debian13:
    - grub-efi
    - grub-efi-amd64-signed
    - grub2-common
-    - "{{ 'cryptsetup' if luks_enabled else '' }}"
-    - "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
+    - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
+    - "{{ 'cryptsetup-initramfs' if luks_enabled | default(false) else '' }}"
    - linux-image-amd64
    - locales
    - logrotate
@@ -196,7 +195,7 @@ bootstrap_debian13:
    - duf
    - entr
    - fastfetch
-    - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
+    - firewalld
    - fish
    - fzf
    - htop
@@ -208,7 +207,7 @@ bootstrap_debian13:
    - ncdu
    - net-tools
    - network-manager
-    - "{{ 'openssh-server' if ssh_enabled | bool else '' }}"
+    - openssh-server
    - python-is-python3
    - python3
    - ripgrep
@@ -218,9 +217,9 @@ bootstrap_debian13:
    - syslog-ng
    - systemd-zram-generator
    - tcpd
-    - "{{ 'tpm2-tools' if luks_enabled else '' }}"
-    - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
-    - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
+    - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
+    - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
+    - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
    - vim
    - wget
    - zstd
@@ -234,7 +233,6 @@ bootstrap_fedora:
  - duf
  - efibootmgr
  - entr
-  - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
  - fish
  - fzf
  - glibc-langpack-de
@@ -254,10 +252,10 @@ bootstrap_fedora:
  - ripgrep
  - shim
  - tmux
-  - "{{ 'cryptsetup' if luks_enabled else '' }}"
-  - "{{ 'tpm2-tools' if luks_enabled else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
+  - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
+  - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
+  - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
+  - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
  - vim-default-editor
  - wget
  - zoxide
@@ -268,7 +266,6 @@ bootstrap_rhel8:
  - bind-utils
  - dhcp-client
  - efibootmgr
-  - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
  - glibc-langpack-de
  - glibc-langpack-en
  - grub2
@@ -283,10 +280,10 @@ bootstrap_rhel8:
  - python39
  - shim
  - tmux
-  - "{{ 'cryptsetup' if luks_enabled else '' }}"
-  - "{{ 'tpm2-tools' if luks_enabled else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
+  - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
+  - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
+  - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
+  - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
  - vim
  - zstd

@@ -294,7 +291,6 @@ bootstrap_rhel9:
  - bind-utils
  - dhcp-client
  - efibootmgr
-  - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
  - glibc-langpack-de
  - glibc-langpack-en
  - grub2
@@ -309,10 +305,10 @@ bootstrap_rhel9:
  - python
  - shim
  - tmux
-  - "{{ 'cryptsetup' if luks_enabled else '' }}"
-  - "{{ 'tpm2-tools' if luks_enabled else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
+  - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
+  - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
+  - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
+  - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
  - vim
  - zram-generator
  - zstd
@@ -320,7 +316,6 @@ bootstrap_rhel9:
 bootstrap_rhel10:
  - bind-utils
  - efibootmgr
-  - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
  - glibc-langpack-de
  - glibc-langpack-en
  - grub2
@@ -335,10 +330,10 @@ bootstrap_rhel10:
  - python
  - shim
  - tmux
-  - "{{ 'cryptsetup' if luks_enabled else '' }}"
-  - "{{ 'tpm2-tools' if luks_enabled else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
+  - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
+  - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
+  - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
+  - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
  - vim
  - zram-generator
  - zstd
@@ -348,7 +343,6 @@ bootstrap_rocky:
  - dbus-daemon
  - dhcp-client
  - efibootmgr
-  - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
  - glibc-langpack-de
  - glibc-langpack-en
  - grub2
@@ -363,10 +357,10 @@ bootstrap_rocky:
  - shim
  - telnet
  - tmux
-  - "{{ 'cryptsetup' if luks_enabled else '' }}"
-  - "{{ 'tpm2-tools' if luks_enabled else '' }}"
-  - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
-  - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
+  - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
+  - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
+  - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
+  - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
  - util-linux-core
  - vim
  - wget
@@ -381,8 +375,8 @@ bootstrap_ubuntu:
    - grub-efi
    - grub-efi-amd64-signed
    - grub2-common
-    - "{{ 'cryptsetup' if luks_enabled else '' }}"
-    - "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
+    - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
+    - "{{ 'cryptsetup-initramfs' if luks_enabled | default(false) else '' }}"
    - linux-image-generic
    - locales
    - lvm2
@@ -400,7 +394,7 @@ bootstrap_ubuntu:
    - eza
    - fdupes
    - fio
-    - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
+    - firewalld
    - fish
    - htop
    - jq
@@ -412,7 +406,7 @@ bootstrap_ubuntu:
    - ncurses-term
    - net-tools
    - network-manager
-    - "{{ 'openssh-server' if ssh_enabled | bool else '' }}"
+    - openssh-server
    - python-is-python3
    - python3
    - ripgrep
@@ -425,9 +419,9 @@ bootstrap_ubuntu:
    - tcpd
    - tldr
    - tmux
-    - "{{ 'tpm2-tools' if luks_enabled else '' }}"
-    - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
-    - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
+    - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
+    - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
+    - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
    - traceroute
    - util-linux-extra
    - vim
@@ -444,8 +438,8 @@ bootstrap_ubuntu_lts:
    - grub-efi
    - grub-efi-amd64-signed
    - grub2-common
-    - "{{ 'cryptsetup' if luks_enabled else '' }}"
-    - "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
+    - "{{ 'cryptsetup' if luks_enabled | default(false) else '' }}"
+    - "{{ 'cryptsetup-initramfs' if luks_enabled | default(false) else '' }}"
    - linux-image-generic
    - locales
    - lvm2
@@ -463,7 +457,7 @@ bootstrap_ubuntu_lts:
    - eza
    - fdupes
    - fio
-    - "{{ 'firewalld' if firewalld_enabled | bool else '' }}"
+    - firewalld
    - fish
    - htop
    - jq
@@ -475,7 +469,7 @@ bootstrap_ubuntu_lts:
    - ncurses-term
    - net-tools
    - network-manager
-    - "{{ 'openssh-server' if ssh_enabled | bool else '' }}"
+    - openssh-server
    - python-is-python3
    - python3
    - ripgrep
@@ -488,9 +482,9 @@ bootstrap_ubuntu_lts:
    - tcpd
    - tldr
    - tmux
-    - "{{ 'tpm2-tools' if luks_enabled else '' }}"
-    - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
-    - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
+    - "{{ 'tpm2-tools' if luks_enabled | default(false) else '' }}"
+    - "{{ 'qemu-guest-agent' if hypervisor | default('none') | lower in ['libvirt', 'proxmox'] else '' }}"
+    - "{{ 'open-vm-tools' if hypervisor | default('none') | lower == 'vmware' else '' }}"
    - traceroute
    - util-linux-extra
    - vim
--- a/roles/cis/defaults/main.yml
+++ b/roles/cis/defaults/main.yml
@@ -1,21 +0,0 @@
---
-cis_permission_targets: >-
-  {{
-    [
-      { "path": "/mnt/etc/ssh/sshd_config", "mode": "0600" },
-      { "path": "/mnt/etc/cron.hourly", "mode": "0700" },
-      { "path": "/mnt/etc/cron.daily", "mode": "0700" },
-      { "path": "/mnt/etc/cron.weekly", "mode": "0700" },
-      { "path": "/mnt/etc/cron.monthly", "mode": "0700" },
-      { "path": "/mnt/etc/cron.d", "mode": "0700" },
-      { "path": "/mnt/etc/crontab", "mode": "0600" },
-      { "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
-      { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9", "rhel10"] else None,
-      {
-        "path": "/mnt/usr/bin/"
-        + ("fusermount3" if os in ["archlinux", "debian12", "fedora", "rhel9", "rhel10", "rocky"] else "fusermount"),
-        "mode": "755"
-      },
-      { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" }
-    ] | reject("none")
-  }}
--- a/roles/cis/tasks/crypto.yml
+++ b/roles/cis/tasks/crypto.yml
@@ -1,12 +1,12 @@
 ---
 - name: Configure System Cryptography Policy
  when: os in ["almalinux", "rhel9", "rhel10", "rocky"]
-  ansible.builtin.command: "{{ chroot_command }} /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1"
+  ansible.builtin.command: arch-chroot /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
  register: cis_crypto_policy_result
  changed_when: "'Setting system-wide crypto-policies to' in cis_crypto_policy_result.stdout"

 - name: Mask Systemd Services
  ansible.builtin.command: >
-    {{ chroot_command }} /mnt systemctl mask nftables bluetooth rpcbind
+    arch-chroot /mnt systemctl mask nftables bluetooth rpcbind
  register: cis_mask_services_result
  changed_when: cis_mask_services_result.rc == 0
--- a/roles/cis/tasks/permissions.yml
+++ b/roles/cis/tasks/permissions.yml
@@ -1,4 +1,25 @@
 ---
+- name: Build CIS permission targets
+  ansible.builtin.set_fact:
+    cis_permission_targets: >-
+      {{
+        [
+          { "path": "/mnt/etc/ssh/sshd_config", "mode": "0600" },
+          { "path": "/mnt/etc/cron.hourly", "mode": "0700" },
+          { "path": "/mnt/etc/cron.daily", "mode": "0700" },
+          { "path": "/mnt/etc/cron.weekly", "mode": "0700" },
+          { "path": "/mnt/etc/cron.monthly", "mode": "0700" },
+          { "path": "/mnt/etc/cron.d", "mode": "0700" },
+          { "path": "/mnt/etc/crontab", "mode": "0600" },
+          { "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
+          { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9", "rhel10"] else None,
+          { "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["archlinux", "debian12", "fedora", "rhel9",
+            "rhel10", "rocky"] else "fusermount"), "mode": "755" },
+          { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" }
+        ] | reject("none")
+      }}
+  changed_when: false
+
 - name: Check CIS permission targets
  ansible.builtin.stat:
    path: "{{ item.path }}"
--- a/roles/cis/tasks/security_lines.yml
+++ b/roles/cis/tasks/security_lines.yml
@@ -10,8 +10,8 @@
    - {path: /mnt/etc/security/pwquality.conf, content: ucredit = -1}
    - {path: /mnt/etc/security/pwquality.conf, content: ocredit = -1}
    - {path: /mnt/etc/security/pwquality.conf, content: lcredit = -1}
-    - {path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: umask 077}
-    - {path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: export TMOUT=3000}
+    - {path: '/mnt/etc/{{ "bashrc" if is_rhel | default(false) else "bash.bashrc" }}', content: umask 077}
+    - {path: '/mnt/etc/{{ "bashrc" if is_rhel | default(false) else "bash.bashrc" }}', content: export TMOUT=3000}
    - {path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent}
    - {path: /mnt/etc/sudoers, content: Defaults        logfile="/var/log/sudo.log"}
    - {path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so}
--- a/roles/cleanup/defaults/main.yml
+++ b/roles/cleanup/defaults/main.yml
@@ -1,5 +0,0 @@
---
-cleanup_libvirt_image_dir: >-
-  {{ vm_path if vm_path is defined and vm_path | length > 0 else '/var/lib/libvirt/images' }}
-cleanup_libvirt_cloudinit_path: >-
-  {{ [cleanup_libvirt_image_dir, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}
--- a/roles/cleanup/tasks/libvirt.yml
+++ b/roles/cleanup/tasks/libvirt.yml
@@ -4,6 +4,15 @@
  delegate_to: localhost
  become: false
  block:
+    - name: Set libvirt image paths
+      vars:
+        cleanup_libvirt_image_dir_value: "{{ vm_path | default('/var/lib/libvirt/images') }}"
+      ansible.builtin.set_fact:
+        cleanup_libvirt_image_dir: "{{ cleanup_libvirt_image_dir_value }}"
+        cleanup_libvirt_cloudinit_path: >-
+          {{ [cleanup_libvirt_image_dir_value, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}
+      changed_when: false
+
    - name: Read current VM XML definition
      community.libvirt.virt:
        command: get_xml
@@ -29,7 +38,7 @@
      changed_when: false

    - name: Remove boot ISO device from VM XML (source match)
-      when: boot_iso is defined and boot_iso | length > 0
+      when: boot_iso is defined and (boot_iso | length > 0)
      community.general.xml:
        xmlstring: "{{ cleanup_libvirt_domain_xml }}"
        xpath: "/domain/devices/disk[contains(source/@file, '{{ boot_iso | basename }}')]"
@@ -37,7 +46,7 @@
      register: cleanup_libvirt_xml_strip_boot_source

    - name: Update cleaned VM XML after removing boot ISO source match
-      when: boot_iso is defined and boot_iso | length > 0
+      when: boot_iso is defined and (boot_iso | length > 0)
      ansible.builtin.set_fact:
        cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot_source.xmlstring }}"
      changed_when: false
--- a/roles/cleanup/tasks/vmware.yml
+++ b/roles/cleanup/tasks/vmware.yml
@@ -24,7 +24,7 @@
            unit_number: 1
            controller_type: sata
            type: iso
-            iso_path: "{{ rhel_iso if rhel_iso is defined and rhel_iso | length > 0 else omit }}"
+            iso_path: "{{ rhel_iso | default(omit) }}"
            state: absent
      failed_when: false

--- a/roles/configuration/tasks/bootloader.yml
+++ b/roles/configuration/tasks/bootloader.yml
@@ -3,8 +3,16 @@
  block:
    - name: Install Bootloader
      vars:
-        configuration_use_efibootmgr: "{{ is_rhel | bool }}"
-        configuration_efi_dir: "{{ partitioning_efi_mountpoint }}"
+        configuration_use_efibootmgr: "{{ is_rhel | default(false) }}"
+        configuration_efi_dir: >-
+          {{
+            partitioning_efi_mountpoint
+            | default(
+                "/boot/efi"
+                if (is_rhel | default(false)) or (os | lower in ["ubuntu", "ubuntu-lts"])
+                else "/boot"
+              )
+          }}
        configuration_bootloader_id: >-
          {{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
        configuration_efi_vendor: >-
@@ -18,7 +26,7 @@
          --bootloader-id={{ configuration_bootloader_id }}
        configuration_bootloader_cmd: >-
          {{ configuration_efibootmgr_cmd if configuration_use_efibootmgr else configuration_grub_cmd }}
-      ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_bootloader_cmd }}"
+      ansible.builtin.command: "arch-chroot /mnt {{ configuration_bootloader_cmd }}"
      register: configuration_bootloader_result
      changed_when: configuration_bootloader_result.rc == 0

@@ -39,11 +47,11 @@
            else (
              '/usr/bin/env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin '
              + '/usr/sbin/update-initramfs -u -k all'
-              if is_debian | bool
+              if is_debian | default(false)
              else '/usr/bin/dracut --regenerate-all --force'
            )
          }}
-      ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_initramfs_cmd }}"
+      ansible.builtin.command: "arch-chroot /mnt {{ configuration_initramfs_cmd }}"
      register: configuration_initramfs_result
      changed_when: configuration_initramfs_result.rc == 0

@@ -54,11 +62,11 @@
        configuration_grub_cfg_cmd: >-
          {{
            '/usr/sbin/grub2-mkconfig -o '
-            + partitioning_efi_mountpoint
+            + (partitioning_efi_mountpoint | default('/boot/efi'))
            + '/EFI/' + configuration_efi_vendor + '/grub.cfg'
-            if is_rhel | bool
+            if is_rhel | default(false)
            else '/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg'
          }}
-      ansible.builtin.command: "{{ chroot_command }} /mnt {{ configuration_grub_cfg_cmd }}"
+      ansible.builtin.command: "arch-chroot /mnt {{ configuration_grub_cfg_cmd }}"
      register: configuration_grub_result
      changed_when: configuration_grub_result.rc == 0
--- a/roles/configuration/tasks/encryption.yml
+++ b/roles/configuration/tasks/encryption.yml
@@ -1,17 +1,31 @@
 ---
 - name: Configure disk encryption
-  when: partitioning_luks_enabled | bool
+  when: partitioning_luks_enabled | default(luks_enabled | default(false)) | bool
  vars:
    configuration_luks_passphrase_effective: >-
-      {{ partitioning_luks_passphrase | string }}
+      {{ (partitioning_luks_passphrase | default(luks_passphrase | default(''))) | string }}
  block:
    - name: Set LUKS configuration facts
      vars:
        configuration_luks_mapper_name_value: >-
-          {{ partitioning_luks_mapper_name }}
-        configuration_luks_device_value: "{{ partitioning_luks_device }}"
+          {{
+            partitioning_luks_mapper_name
+            | default(luks_mapper_name | default('SYSTEM_DECRYPTED'))
+          }}
+        configuration_luks_device_value: >-
+          {{
+            partitioning_luks_device
+            | default(
+                install_drive
+                ~ (
+                  partitioning_root_partition_suffix
+                  | default(partitioning_main_partition_suffix | default(2))
+                  | string
+                )
+              )
+          }}
        configuration_luks_tpm2_pcrs_raw: >-
-          {{ partitioning_luks_tpm2_pcrs }}
+          {{ partitioning_luks_tpm2_pcrs | default(luks_tpm2_pcrs | default('')) }}
        configuration_luks_tpm2_pcrs_effective_value: >-
          {{
            (
@@ -29,17 +43,17 @@
        configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}"
        configuration_luks_device: "{{ configuration_luks_device_value }}"
        configuration_luks_options: >-
-          {{ partitioning_luks_options }}
+          {{ partitioning_luks_options | default(luks_options | default('discard,tries=3')) }}
        configuration_luks_auto_method: >-
          {{
-            (partitioning_luks_auto_decrypt | bool)
+            (partitioning_luks_auto_decrypt | default(luks_auto_decrypt | default(true)) | bool)
            | ternary(
-                partitioning_luks_auto_decrypt_method,
+                partitioning_luks_auto_decrypt_method | default(luks_auto_decrypt_method | default('tpm2')),
                'manual'
              )
          }}
        configuration_luks_tpm2_device: >-
-          {{ partitioning_luks_tpm2_device }}
+          {{ partitioning_luks_tpm2_device | default(luks_tpm2_device | default('auto')) }}
        configuration_luks_tpm2_pcrs: "{{ configuration_luks_tpm2_pcrs_raw }}"
        configuration_luks_tpm2_pcrs_effective: "{{ configuration_luks_tpm2_pcrs_effective_value }}"
        configuration_luks_keyfile_path: >-
@@ -137,7 +151,7 @@

    - name: Ensure keyfile pattern for initramfs-tools
      when:
-        - is_debian | bool
+        - is_debian | default(false)
        - configuration_luks_keyfile_in_use
      ansible.builtin.lineinfile:
        path: /mnt/etc/cryptsetup-initramfs/conf-hook
@@ -201,14 +215,14 @@
          }})

    - name: Ensure dracut config directory exists
-      when: is_rhel | bool
+      when: is_rhel | default(false)
      ansible.builtin.file:
        path: /mnt/etc/dracut.conf.d
        state: directory
        mode: "0755"

    - name: Configure dracut for LUKS
-      when: is_rhel | bool
+      when: is_rhel | default(false)
      ansible.builtin.copy:
        dest: /mnt/etc/dracut.conf.d/crypt.conf
        content: |
@@ -219,13 +233,13 @@
        mode: "0644"

    - name: Read kernel cmdline defaults
-      when: is_rhel | bool
+      when: is_rhel | default(false)
      ansible.builtin.slurp:
        src: /mnt/etc/kernel/cmdline
      register: configuration_kernel_cmdline_slurp

    - name: Build kernel cmdline with LUKS args
-      when: is_rhel | bool
+      when: is_rhel | default(false)
      vars:
        configuration_kernel_cmdline_current_value: >-
          {{ configuration_kernel_cmdline_slurp.content | b64decode | trim }}
@@ -251,14 +265,14 @@
      changed_when: false

    - name: Write kernel cmdline with LUKS args
-      when: is_rhel | bool
+      when: is_rhel | default(false)
      ansible.builtin.copy:
        dest: /mnt/etc/kernel/cmdline
        mode: "0644"
        content: "{{ configuration_kernel_cmdline_new }}\n"

    - name: Find BLS entries
-      when: is_rhel | bool
+      when: is_rhel | default(false)
      ansible.builtin.find:
        paths: /mnt/boot/loader/entries
        patterns: "*.conf"
@@ -267,7 +281,7 @@

    - name: Update BLS options with LUKS args
      when:
-        - is_rhel | bool
+        - is_rhel | default(false)
        - configuration_kernel_bls_entries.files | length > 0
      ansible.builtin.lineinfile:
        path: "{{ item.path }}"
@@ -278,13 +292,13 @@
        label: "{{ item.path }}"

    - name: Read grub defaults
-      when: not is_rhel | bool
+      when: not is_rhel | default(false)
      ansible.builtin.slurp:
        src: /mnt/etc/default/grub
      register: configuration_grub_slurp

    - name: Build grub command lines with LUKS args
-      when: not is_rhel | bool
+      when: not is_rhel | default(false)
      vars:
        configuration_grub_content_value: "{{ configuration_grub_slurp.content | b64decode }}"
        configuration_grub_cmdline_linux_value: >-
@@ -348,7 +362,7 @@
        configuration_grub_cmdline_default_new: "{{ configuration_grub_cmdline_default_new_value }}"

    - name: Update GRUB_CMDLINE_LINUX_DEFAULT for LUKS
-      when: not is_rhel | bool
+      when: not is_rhel | default(false)
      ansible.builtin.lineinfile:
        path: /mnt/etc/default/grub
        regexp: '^GRUB_CMDLINE_LINUX_DEFAULT='
--- a/roles/configuration/tasks/encryption/keyfile.yml
+++ b/roles/configuration/tasks/encryption/keyfile.yml
@@ -16,7 +16,7 @@
          {{
            lookup(
              'community.general.random_string',
-              length=(partitioning_luks_keyfile_size | int),
+              length=(partitioning_luks_keyfile_size | default(luks_keyfile_size | default(64)) | int),
              override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
            )
          }}
@@ -61,7 +61,7 @@
    - name: Regenerate keyfile and retry adding to LUKS header
      when:
        - configuration_luks_keyfile_unlock_test.rc != 0
-        - configuration_luks_keyfile_copy is defined and configuration_luks_keyfile_copy.changed | bool
+        - configuration_luks_keyfile_copy.changed | default(false) | bool
        - configuration_luks_addkey_result is failed
      block:
        - name: Regenerate LUKS keyfile
@@ -71,7 +71,7 @@
              {{
                lookup(
                  'community.general.random_string',
-                  length=(partitioning_luks_keyfile_size | int),
+                  length=(partitioning_luks_keyfile_size | default(luks_keyfile_size | default(64)) | int),
                  override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
                )
              }}
--- a/roles/configuration/tasks/encryption/tpm2.yml
+++ b/roles/configuration/tasks/encryption/tpm2.yml
@@ -35,9 +35,9 @@
               if configuration_luks_tpm2_pcrs_effective | length > 0 else [])
            + [configuration_luks_device]
          }}
-        configuration_luks_enroll_chroot_cmd: >-
-          {{ chroot_command }} /mnt {{ configuration_luks_enroll_args | join(' ') }}
-      ansible.builtin.command: "{{ configuration_luks_enroll_chroot_cmd }}"
+        configuration_luks_enroll_chroot_args: "{{ ['arch-chroot', '/mnt'] + configuration_luks_enroll_args }}"
+      ansible.builtin.command:
+        argv: "{{ configuration_luks_enroll_chroot_args }}"
      register: configuration_luks_tpm2_enroll_chroot
      changed_when: configuration_luks_tpm2_enroll_chroot.rc == 0
      failed_when: false
--- a/roles/configuration/tasks/extras.yml
+++ b/roles/configuration/tasks/extras.yml
@@ -1,7 +1,7 @@
 ---
 - name: Append vim configurations to vimrc
  ansible.builtin.blockinfile:
-    path: "{{ '/mnt/etc/vim/vimrc' if is_debian | bool else '/mnt/etc/vimrc' }}"
+    path: "{{ '/mnt/etc/vim/vimrc' if is_debian | default(false) else '/mnt/etc/vimrc' }}"
    block: |
      set encoding=utf-8
      set number
@@ -26,15 +26,13 @@
    mode: "0644"

 - name: Create zram config
-  when:
-    - os | lower not in ['debian11', 'rhel8']
-    - swap_enabled | bool
+  when: os | lower not in ['debian11', 'rhel8']
  ansible.builtin.copy:
    dest: /mnt/etc/systemd/zram-generator.conf
    content: |
      [zram0]
      zram-size  = ram / 2
-      compression-algorithm = {{ 'zstd' if zstd_enabled | bool else 'lz4' }}
+      compression-algorithm = zstd
      swap-priority = 100
      fs-type = swap
    mode: "0644"
--- a/roles/configuration/tasks/grub.yml
+++ b/roles/configuration/tasks/grub.yml
@@ -1,6 +1,6 @@
 ---
 - name: Configure grub defaults
-  when: not is_rhel | bool
+  when: not is_rhel | default(false)
  ansible.builtin.lineinfile:
    dest: /mnt/etc/default/grub
    regexp: "{{ item.regexp }}"
@@ -12,7 +12,7 @@
      line: GRUB_TIMEOUT=1

 - name: Ensure grub defaults file exists for RHEL-based systems
-  when: is_rhel | bool
+  when: is_rhel | default(false)
  block:
    - name: Build RHEL kernel command line defaults
      vars:
@@ -28,14 +28,7 @@
          }}
        configuration_grub_lvm_args_value: >-
          {{
-            (
-              ['rd.lvm.lv=sys/root']
-              + (
-                ['rd.lvm.lv=sys/swap', 'resume=/dev/mapper/sys-swap']
-                if swap_enabled | bool
-                else []
-              )
-            )
+            ['resume=/dev/mapper/sys-swap', 'rd.lvm.lv=sys/root', 'rd.lvm.lv=sys/swap']
            if (filesystem | lower) != 'btrfs'
            else []
          }}
@@ -113,7 +106,7 @@
        label: "{{ item.path }}"

 - name: Enable GRUB cryptodisk for encrypted /boot
-  when: partitioning_grub_enable_cryptodisk | bool
+  when: partitioning_grub_enable_cryptodisk | default(false) | bool
  ansible.builtin.lineinfile:
    path: /mnt/etc/default/grub
    regexp: '^GRUB_ENABLE_CRYPTODISK='
--- a/roles/configuration/tasks/locales.yml
+++ b/roles/configuration/tasks/locales.yml
@@ -1,19 +1,16 @@
 ---
- name: Reload systemd in installer environment
-  ansible.builtin.systemd:
-    daemon_reload: true
-
 - name: Set local timezone
-  ansible.builtin.file:
-    src: /usr/share/zoneinfo/Europe/Vienna
-    dest: /mnt/etc/localtime
-    state: link
-    force: true
+  ansible.builtin.command: "{{ item }}"
+  loop:
+    - systemctl daemon-reload
+    - arch-chroot /mnt ln -sf /usr/share/zoneinfo/Europe/Vienna /etc/localtime
+  register: configuration_timezone_result
+  changed_when: configuration_timezone_result.rc == 0

 - name: Setup locales
  block:
    - name: Configure locale.gen
-      when: not is_rhel | bool
+      when: not is_rhel | default(false)
      ansible.builtin.lineinfile:
        dest: /mnt/etc/locale.gen
        regexp: "{{ item.regex }}"
@@ -22,8 +19,8 @@
        - {regex: en_US\.UTF-8 UTF-8, line: en_US.UTF-8 UTF-8}

    - name: Generate locales
-      when: not is_rhel | bool
-      ansible.builtin.command: "{{ chroot_command }} /mnt /usr/sbin/locale-gen"
+      when: not is_rhel | default(false)
+      ansible.builtin.command: arch-chroot /mnt /usr/sbin/locale-gen
      register: configuration_locale_result
      changed_when: configuration_locale_result.rc == 0

@@ -60,7 +57,7 @@
        configuration_hostname_entries: >-
          {{ [configuration_hostname_fqdn, configuration_hostname_short] | unique | join(' ') }}
        configuration_hosts_line: >-
-          {{ (vm_ip if vm_ip is defined and vm_ip | length > 0 else inventory_hostname) }}    {{ configuration_hostname_entries }}
+          {{ vm_ip | default(inventory_hostname) }}    {{ configuration_hostname_entries }}
      ansible.builtin.lineinfile:
        path: /mnt/etc/hosts
        line: "{{ configuration_hosts_line }}"
--- a/roles/configuration/tasks/selinux.yml
+++ b/roles/configuration/tasks/selinux.yml
@@ -1,18 +1,18 @@
 ---
 - name: Fix SELinux
-  when: is_rhel | bool
+  when: is_rhel | default(false)
  block:
    - name: Fix SELinux by pre-labeling the filesystem before first boot
-      when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and selinux | bool
+      when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and (selinux | default(true) | bool)
      ansible.builtin.command: >
-        {{ chroot_command }} /mnt /sbin/setfiles -v -F
+        arch-chroot /mnt /sbin/setfiles -v -F
        -e /dev -e /proc -e /sys -e /run
        /etc/selinux/targeted/contexts/files/file_contexts /
      register: configuration_setfiles_result
      changed_when: configuration_setfiles_result.rc == 0

    - name: Disable SELinux
-      when: os | lower == "fedora" or not selinux | bool
+      when: os | lower == "fedora" or not (selinux | default(true) | bool)
      ansible.builtin.lineinfile:
        path: /mnt/etc/selinux/config
        regexp: ^SELINUX=
--- a/roles/configuration/tasks/services.yml
+++ b/roles/configuration/tasks/services.yml
@@ -1,12 +1,10 @@
 ---
 - name: Enable Systemd Services
  ansible.builtin.command: >
-    {{ chroot_command }} /mnt systemctl enable NetworkManager
-    {{ ' firewalld' if firewalld_enabled | bool else '' }}
+    arch-chroot /mnt systemctl enable NetworkManager
    {{
-      (' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else
-       (' sshd' if os | lower not in ['debian11', 'debian12', 'debian13'] else ''))
-      if ssh_enabled | bool else ''
+      ' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else
+      (' sshd' if os | lower not in ['debian11', 'debian12', 'debian13'] else '')
    }}
    {{
      'logrotate systemd-resolved systemd-timesyncd systemd-networkd'
--- a/roles/configuration/tasks/sudo.yml
+++ b/roles/configuration/tasks/sudo.yml
@@ -1,7 +1,7 @@
 ---
 - name: Give sudo access to wheel group
  ansible.builtin.copy:
-    content: "{{ '%sudo ALL=(ALL) ALL' if is_debian | bool else '%wheel ALL=(ALL) ALL' }}"
+    content: "{{ '%sudo ALL=(ALL) ALL' if is_debian | default(false) else '%wheel ALL=(ALL) ALL' }}"
    dest: /mnt/etc/sudoers.d/01-wheel
    mode: "0440"
    validate: /usr/sbin/visudo --check --file=%s
--- a/roles/configuration/tasks/users.yml
+++ b/roles/configuration/tasks/users.yml
@@ -2,13 +2,13 @@
 - name: Create user account
  vars:
    configuration_user_group: >-
-      {{ "sudo" if is_debian | bool else "wheel" }}
+      {{ "sudo" if is_debian | default(false) else "wheel" }}
    configuration_useradd_cmd: >-
-      {{ chroot_command }} /mnt /usr/sbin/useradd --create-home --user-group
+      arch-chroot /mnt /usr/sbin/useradd --create-home --user-group
      --groups {{ configuration_user_group }} {{ user_name }}
      --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
    configuration_root_cmd: >-
-      {{ chroot_command }} /mnt /usr/sbin/usermod --password
+      arch-chroot /mnt /usr/sbin/usermod --password
      '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
  ansible.builtin.command: "{{ item }}"
  loop:
@@ -18,7 +18,7 @@
  changed_when: configuration_user_result.rc == 0

 - name: Ensure .ssh directory exists
-  when: user_public_key | length > 0
+  when: user_public_key is defined
  ansible.builtin.file:
    path: /mnt/home/{{ user_name }}/.ssh
    state: directory
@@ -27,7 +27,7 @@
    mode: "0700"

 - name: Add SSH public key to authorized_keys
-  when: user_public_key | length > 0
+  when: user_public_key is defined
  ansible.builtin.lineinfile:
    path: /mnt/home/{{ user_name }}/.ssh/authorized_keys
    line: "{{ user_public_key }}"
--- a/roles/configuration/templates/network.j2
+++ b/roles/configuration/templates/network.j2
@@ -3,15 +3,18 @@ id=LAN
 uuid={{ configuration_net_uuid }}
 type=ethernet

+[ethernet]
+mac-address={{ configuration_net_mac }}
+
 [ipv4]
-{% set dns_value = vm_dns if vm_dns is defined else '' %}
+{% set dns_value = vm_dns | default('') %}
 {% set dns_list_raw = dns_value if dns_value is iterable and dns_value is not string else dns_value.split(',') %}
 {% set dns_list = dns_list_raw | map('trim') | reject('equalto', '') | list %}
-{% set search_value = vm_dns_search if vm_dns_search is defined else '' %}
+{% set search_value = vm_dns_search | default('') %}
 {% set search_list_raw = search_value if search_value is iterable and search_value is not string else search_value.split(',') %}
 {% set search_list = search_list_raw | map('trim') | reject('equalto', '') | list %}
 {% if vm_ip is defined and vm_ip | length %}
-address1={{ vm_ip }}/{{ vm_nms }}{{ (',' ~ vm_gw) if (vm_gw is defined and vm_gw | length) else '' }}
+address1={{ vm_ip }}/{{ vm_nms | default(24) }}{{ (',' ~ vm_gw) if (vm_gw is defined and vm_gw | length) else '' }}
 method=manual
 {% else %}
 method=auto
--- a/roles/environment/tasks/main.yml
+++ b/roles/environment/tasks/main.yml
@@ -17,7 +17,7 @@

    - name: Abort if the host is not booted from the Arch install media
      when:
-        - not (custom_iso | bool)
+        - not (custom_iso | default(false) | bool)
        - not environment_archiso_stat.stat.exists
      ansible.builtin.fail:
        msg: This host is not booted from the Arch install media!
@@ -40,9 +40,10 @@
    - name: Set IP-Address
      when:
        - hypervisor == "vmware"
-        - vm_ip is defined and vm_ip | length > 0
+        - vm_ip is defined
+        - vm_ip | length
      ansible.builtin.command: >-
-        ip addr replace {{ vm_ip }}/{{ vm_nms }}
+        ip addr replace {{ vm_ip }}/{{ vm_nms | default(24) }}
        dev {{ environment_interface_name }}
      register: environment_ip_result
      changed_when: environment_ip_result.rc == 0
@@ -50,8 +51,10 @@
    - name: Set Default Gateway
      when:
        - hypervisor == "vmware"
-        - vm_gw is defined and vm_gw | length > 0
-        - vm_ip is defined and vm_ip | length > 0
+        - vm_gw is defined
+        - vm_gw | length
+        - vm_ip is defined
+        - vm_ip | length
      ansible.builtin.command: "ip route replace default via {{ vm_gw }}"
      register: environment_gateway_result
      changed_when: environment_gateway_result.rc == 0
@@ -62,7 +65,7 @@
      changed_when: false

    - name: Configure SSH for root login
-      when: hypervisor == "vmware" and vmware_ssh | bool
+      when: hypervisor == "vmware" and (vmware_ssh is defined and vmware_ssh | bool)
      block:
        - name: Allow login
          ansible.builtin.replace:
@@ -88,14 +91,14 @@
    - name: Prepare installer environment
      block:
        - name: Speed-up Bootstrap process
-          when: not (custom_iso | bool)
+          when: not (custom_iso | default(false) | bool)
          ansible.builtin.lineinfile:
            path: /etc/pacman.conf
            regexp: ^#ParallelDownloads =
            line: ParallelDownloads = 20

        - name: Wait for pacman lock to be released
-          when: not (custom_iso | bool)
+          when: not (custom_iso | default(false) | bool)
          ansible.builtin.wait_for:
            path: /var/lib/pacman/db.lck
            state: absent
@@ -104,7 +107,7 @@

        - name: Setup Pacman
          when:
-            - not (custom_iso | bool)
+            - not (custom_iso | default(false) | bool)
            - "'os' not in item or os in item.os"
          community.general.pacman:
            update_cache: true
@@ -138,7 +141,7 @@
                state: mounted

        - name: Configure RHEL Repos for installation
-          when: is_rhel | bool
+          when: is_rhel | default(false)
          block:
            - name: Create directories for repository files and RPM GPG keys
              ansible.builtin.file:
@@ -151,37 +154,3 @@
                src: "{{ os | lower }}.repo.j2"
                dest: /etc/yum.repos.d/{{ os | lower }}.repo
                mode: "0644"
-
-    - name: Check for third-party preparation tasks
-      run_once: true
-      become: false
-      delegate_to: localhost
-      vars:
-        ansible_connection: local
-      block:
-        - name: Resolve third-party preparation task path
-          ansible.builtin.set_fact:
-            environment_thirdparty_tasks_path: >-
-              {{
-                thirdparty_preparation_tasks_path
-                if thirdparty_preparation_tasks_path | regex_search('^/')
-                else playbook_dir + '/' + thirdparty_preparation_tasks_path
-              }}
-          changed_when: false
-
-        - name: Stat third-party preparation tasks
-          ansible.builtin.stat:
-            path: "{{ environment_thirdparty_tasks_path }}"
-          register: environment_thirdparty_tasks_stat
-          changed_when: false
-
-    - name: Run third-party preparation tasks
-      when:
-        - thirdparty_preparation_tasks_path | length > 0
-        - environment_thirdparty_tasks_stat.stat.exists
-      ansible.builtin.include_tasks: >-
-        {{
-          thirdparty_preparation_tasks_path
-          if thirdparty_preparation_tasks_path | regex_search('^/')
-          else playbook_dir + '/' + thirdparty_preparation_tasks_path
-        }}
--- a/roles/global_defaults/defaults/main.yml
+++ b/roles/global_defaults/defaults/main.yml
@@ -1,31 +0,0 @@
---
-hypervisor: "none"
-custom_iso: false
-cis: false
-selinux: true
-vmware_ssh: false
-firewalld_enabled: true
-ssh_enabled: true
-zstd_enabled: true
-swap_enabled: true
-chroot_command: "arch-chroot"
-thirdparty_preparation_tasks_path: "dropins/preparation.yml"
-
-cis_enabled: "{{ cis | bool }}"
-
-luks_enabled: false
-luks_mapper_name: "SYSTEM_DECRYPTED"
-luks_auto_decrypt: true
-luks_auto_decrypt_method: "tpm2"
-luks_tpm2_device: "auto"
-luks_tpm2_pcrs: ""
-luks_keyfile_size: 64
-luks_options: "discard,tries=3"
-luks_type: "luks2"
-luks_cipher: "aes-xts-plain64"
-luks_hash: "sha512"
-luks_iter_time: 4000
-luks_key_size: 512
-luks_pbkdf: "argon2id"
-luks_use_urandom: true
-luks_verify_passphrase: true
--- a/roles/global_defaults/tasks/main.yml
+++ b/roles/global_defaults/tasks/main.yml
@@ -1,114 +0,0 @@
---
- name: Global defaults loaded
-  ansible.builtin.debug:
-    msg: Global defaults loaded.
-  changed_when: false
-
- name: Validate variables
-  ansible.builtin.assert:
-    that:
-      - install_type is defined and install_type in ["virtual", "physical"]
-      - hypervisor in ["libvirt", "proxmox", "vmware", "none"]
-      - >-
-        install_type is defined and (
-          install_type == "physical"
-          or hypervisor in ["libvirt", "proxmox", "vmware"]
-        )
-      - filesystem is defined and filesystem in ["btrfs", "ext4", "xfs"]
-      - install_drive is defined and install_drive | length > 0
-      - hostname is defined and hostname | length > 0
-      - >-
-        os is defined and os in [
-          "archlinux", "almalinux", "debian11", "debian12", "debian13", "fedora",
-          "rhel8", "rhel9", "rhel10", "rocky", "ubuntu", "ubuntu-lts"
-        ]
-      - >-
-        os is defined and (
-          os not in ["rhel8", "rhel9", "rhel10"]
-          or (rhel_iso is defined and rhel_iso | length > 0)
-        )
-      - >-
-        install_type is defined and (
-          install_type == "physical"
-          or (boot_iso is defined and boot_iso | length > 0)
-        )
-      - >-
-        install_type is defined and (
-          install_type == "physical"
-          or (vm_cpus is defined and (vm_cpus | int) > 0)
-        )
-      - >-
-        install_type is defined and (
-          install_type == "physical"
-          or (vm_size is defined and (vm_size | float) > 0)
-        )
-      - >-
-        install_type is defined and (
-          install_type == "physical"
-          or (vm_memory is defined and (vm_memory | float) > 0)
-        )
-      - >-
-        install_type is defined and filesystem is defined and (
-          install_type == "physical"
-          or (
-            vm_size is defined
-            and (vm_size | int) >= 20
-          )
-        )
-      - >-
-        install_type is defined and (
-          install_type == "physical"
-          or (
-            vm_size is defined
-            and vm_memory is defined
-            and filesystem is defined
-            and (
-              filesystem != "btrfs"
-              or (
-                (vm_size | float)
-                >= (
-                  (vm_memory | float / 1024 >= 16.0)
-                  | ternary(
-                      (vm_memory | float / 2048),
-                      [vm_memory | float / 1024, 4.0] | max
-                    )
-                  + 5.5
-                )
-              )
-            )
-          )
-        )
-      - >-
-        vm_ip is not defined
-        or vm_ip | length == 0
-        or (vm_nms is defined and (vm_nms | int) > 0)
-    fail_msg: Invalid input specified, please try again.
-
- name: Set OS family flags
-  ansible.builtin.set_fact:
-    is_rhel: "{{ os | lower in ['almalinux', 'fedora', 'rhel8', 'rhel9', 'rhel10', 'rocky'] }}"
-    is_debian: "{{ os | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts'] }}"
-  changed_when: false
-
- name: Set Python interpreter for RHEL-based installers
-  when:
-    - ansible_python_interpreter is not defined
-    - os | lower in ["almalinux", "rhel8", "rhel9", "rhel10", "rocky"]
-  ansible.builtin.set_fact:
-    ansible_python_interpreter: /usr/bin/python3
-  changed_when: false
-
- name: Set SSH access
-  when:
-    - install_type == "virtual"
-    - hypervisor != "vmware"
-  ansible.builtin.set_fact:
-    ansible_user: "{{ user_name }}"
-    ansible_password: "{{ user_password }}"
-    ansible_become_password: "{{ user_password }}"
-    ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
-
- name: Set connection for VMware
-  when: hypervisor == "vmware"
-  ansible.builtin.set_fact:
-    ansible_connection: vmware_tools
--- a/roles/partitioning/defaults/main.yml
+++ b/roles/partitioning/defaults/main.yml
@@ -1,39 +1,34 @@
 ---
-partitioning_luks_enabled: "{{ luks_enabled | bool }}"
-partitioning_luks_passphrase: "{{ luks_passphrase }}"
-partitioning_luks_mapper_name: "{{ luks_mapper_name }}"
-partitioning_luks_type: "{{ luks_type }}"
-partitioning_luks_cipher: "{{ luks_cipher }}"
-partitioning_luks_hash: "{{ luks_hash }}"
-partitioning_luks_iter_time: "{{ luks_iter_time }}"
-partitioning_luks_key_size: "{{ luks_key_size }}"
-partitioning_luks_pbkdf: "{{ luks_pbkdf }}"
-partitioning_luks_use_urandom: "{{ luks_use_urandom | bool }}"
-partitioning_luks_verify_passphrase: "{{ luks_verify_passphrase | bool }}"
-partitioning_luks_auto_decrypt: "{{ luks_auto_decrypt | bool }}"
-partitioning_luks_auto_decrypt_method: "{{ luks_auto_decrypt_method }}"
-partitioning_luks_tpm2_device: "{{ luks_tpm2_device }}"
-partitioning_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
-partitioning_luks_keyfile_size: "{{ luks_keyfile_size }}"
-partitioning_luks_options: "{{ luks_options }}"
-partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if zstd_enabled | bool else '' }}"
+partitioning_luks_enabled: "{{ luks_enabled | default(false) | bool }}"
+partitioning_luks_mapper_name: "{{ luks_mapper_name | default('SYSTEM_DECRYPTED') }}"
+partitioning_luks_type: "{{ luks_type | default('luks2') }}"
+partitioning_luks_cipher: "{{ luks_cipher | default('aes-xts-plain64') }}"
+partitioning_luks_hash: "{{ luks_hash | default('sha512') }}"
+partitioning_luks_iter_time: "{{ luks_iter_time | default(4000) }}"
+partitioning_luks_key_size: "{{ luks_key_size | default(512) }}"
+partitioning_luks_pbkdf: "{{ luks_pbkdf | default('argon2id') }}"
+partitioning_luks_use_urandom: "{{ luks_use_urandom | default(true) | bool }}"
+partitioning_luks_verify_passphrase: "{{ luks_verify_passphrase | default(true) | bool }}"
+partitioning_luks_auto_decrypt: "{{ luks_auto_decrypt | default(true) | bool }}"
+partitioning_luks_auto_decrypt_method: "{{ luks_auto_decrypt_method | default('tpm2') }}"
+partitioning_luks_tpm2_device: "{{ luks_tpm2_device | default('auto') }}"
+partitioning_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs | default('') }}"
+partitioning_luks_keyfile_size: "{{ luks_keyfile_size | default(64) }}"
+partitioning_luks_options: "{{ luks_options | default('discard,tries=3') }}"
 partitioning_boot_partition_suffix: 1
 partitioning_main_partition_suffix: 2
-partitioning_efi_size_mib: 512
-partitioning_efi_start_mib: 1
-partitioning_efi_end_mib: "{{ (partitioning_efi_start_mib | int) + (partitioning_efi_size_mib | int) }}"
+partitioning_efi_size_mib: 50
 partitioning_boot_size_mib: 1024
-partitioning_use_full_disk: true
 partitioning_separate_boot: >-
  {{
    (partitioning_luks_enabled | bool)
-    and (os | lower not in ['archlinux'])
+    and (os | default('') | lower not in ['archlinux'])
  }}
 partitioning_boot_fs_fstype: >-
  {{
-    (filesystem | lower)
-    if (filesystem | lower) != 'btrfs'
-    else ('xfs' if is_rhel else 'ext4')
+    (filesystem | default('') | lower)
+    if (filesystem | default('') | lower) != 'btrfs'
+    else ('xfs' if (is_rhel | default(false)) else 'ext4')
  }}
 partitioning_boot_fs_partition_suffix: >-
  {{
@@ -51,11 +46,11 @@ partitioning_efi_mountpoint: >-
    if (partitioning_separate_boot | bool)
    else (
      '/boot/efi'
-      if is_rhel or (os | lower in ['debian11', 'debian12', 'debian13', 'ubuntu', 'ubuntu-lts'])
+      if (is_rhel | default(false)) or (os | default('') | lower in ['ubuntu', 'ubuntu-lts'])
      else '/boot'
    )
  }}
-partitioning_boot_end_mib: "{{ (partitioning_efi_end_mib | int) + (partitioning_boot_size_mib | int) }}"
+partitioning_boot_end_mib: "{{ (partitioning_efi_size_mib | int) + (partitioning_boot_size_mib | int) }}"
 partitioning_reserved_gb: >-
  {{
    (
@@ -68,14 +63,13 @@ partitioning_layout: >-
    [
      {
        'number': 1,
-        'part_start': (partitioning_efi_start_mib | string) + 'MiB',
-        'part_end': (partitioning_efi_end_mib | string) + 'MiB',
+        'part_end': (partitioning_efi_size_mib | string) + 'MiB',
        'name': 'efi',
        'flags': ['boot', 'esp']
      },
      {
        'number': 2,
-        'part_start': (partitioning_efi_end_mib | string) + 'MiB',
+        'part_start': (partitioning_efi_size_mib | string) + 'MiB',
        'part_end': (partitioning_boot_end_mib | string) + 'MiB',
        'name': 'boot'
      },
@@ -89,14 +83,13 @@ partitioning_layout: >-
    [
      {
        'number': 1,
-        'part_start': (partitioning_efi_start_mib | string) + 'MiB',
-        'part_end': (partitioning_efi_end_mib | string) + 'MiB',
+        'part_end': (partitioning_efi_size_mib | string) + 'MiB',
        'name': 'boot',
        'flags': ['boot', 'esp']
      },
      {
        'number': 2,
-        'part_start': (partitioning_efi_end_mib | string) + 'MiB',
+        'part_start': (partitioning_efi_size_mib | string) + 'MiB',
        'name': 'root'
      }
    ]
@@ -114,24 +107,8 @@ partitioning_root_device: >-
    if (partitioning_luks_enabled | bool)
    else install_drive ~ (partitioning_root_partition_suffix | string)
  }}
-partitioning_vm_size_effective: >-
-  {{
-    (
-      partitioning_vm_size
-      if (partitioning_vm_size is defined and (partitioning_vm_size | float) > 0)
-      else (vm_size if vm_size is defined else 0)
-    )
-    | float
-  }}
-partitioning_vm_memory_effective: >-
-  {{
-    (
-      partitioning_vm_memory
-      if (partitioning_vm_memory is defined and (partitioning_vm_memory | float) > 0)
-      else (vm_memory if vm_memory is defined else 0)
-    )
-    | float
-  }}
+partitioning_vm_size_effective: "{{ (partitioning_vm_size | default(vm_size | default(0))) | float }}"
+partitioning_vm_memory_effective: "{{ (partitioning_vm_memory | default(vm_memory | default(0))) | float }}"
 partitioning_swap_size_gb: >-
  {{
    ((partitioning_vm_memory_effective / 1024) >= 16.0)
--- a/roles/partitioning/tasks/btrfs.yml
+++ b/roles/partitioning/tasks/btrfs.yml
@@ -10,7 +10,7 @@
          {{
            '-K'
            if (partitioning_luks_enabled | bool)
-            and not ('discard' in (partitioning_luks_options | lower))
+            and not ('discard' in (partitioning_luks_options | default('') | lower))
            else omit
          }}

@@ -19,19 +19,7 @@
        path: /mnt
        src: "{{ partitioning_root_device }}"
        fstype: btrfs
-        opts: >-
-          {{
-            [
-              'rw',
-              'relatime',
-              partitioning_btrfs_compress_opt,
-              'ssd',
-              'space_cache=v2',
-              'discard=async'
-            ]
-            | reject('equalto', '')
-            | join(',')
-          }}
+        opts: rw,relatime,compress=zstd:15,ssd,space_cache=v2,discard=async
        state: mounted

    - name: Enable quotas on Btrfs filesystem
@@ -40,9 +28,7 @@
      changed_when: false

    - name: Make root subvolumes
-      when:
-        - cis_enabled or item.subvol not in ['var_log_audit']
-        - swap_enabled | bool or item.subvol != 'swap'
+      when: cis | bool or item.subvol not in ['var_log_audit']
      ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
      args:
        creates: /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
@@ -57,7 +43,7 @@
      register: partitioning_btrfs_subvol_result

    - name: Set quotas for subvolumes
-      when: cis_enabled
+      when: cis | bool
      ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
      loop:
        - {subvol: home, quota: 2G}
@@ -65,7 +51,6 @@
      changed_when: false

    - name: Create a Btrfs swap file
-      when: swap_enabled | bool
      ansible.builtin.command: >-
        btrfs filesystem mkswapfile --size {{ partitioning_swap_size_gb }}g --uuid clear /mnt/@swap/swapfile
      args:
--- a/roles/partitioning/tasks/ext4.yml
+++ b/roles/partitioning/tasks/ext4.yml
@@ -1,6 +1,6 @@
 ---
 - name: Create and format ext4 logical volumes
-  when: cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
+  when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
  community.general.filesystem:
    dev: /dev/sys/{{ item.lv }}
    fstype: ext4
@@ -13,7 +13,7 @@
    - {lv: var_log_audit}

 - name: Remove Unsupported features for older Systems
-  when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky']) and (cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'])
+  when: (os | lower in ['almalinux', 'debian11', 'rhel8', 'rhel9', 'rocky']) and (cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'])
  ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/sys/{{ item.lv }}"
  loop:
    - {lv: root}
--- a/roles/partitioning/tasks/main.yml
+++ b/roles/partitioning/tasks/main.yml
@@ -1,9 +1,8 @@
 ---
 - name: Detect system memory for swap sizing
  when:
-    - swap_enabled | bool
-    - partitioning_vm_memory is not defined or (partitioning_vm_memory | float) <= 0
-    - vm_memory is not defined or (vm_memory | float) <= 0
+    - partitioning_vm_memory is not defined
+    - vm_memory is not defined
  block:
    - name: Read system memory
      ansible.builtin.command: awk '/MemTotal/ {print int($2/1024)}' /proc/meminfo
@@ -18,9 +17,9 @@
 - name: Set partitioning vm_size for physical installs
  when:
    - install_type == "physical"
-    - partitioning_vm_size is not defined or (partitioning_vm_size | float) <= 0
-    - vm_size is not defined or (vm_size | float) <= 0
-    - install_drive | length > 0
+    - partitioning_vm_size is not defined
+    - vm_size is not defined
+    - install_drive is defined
  block:
    - name: Detect install drive size
      ansible.builtin.command: "lsblk -b -dn -o SIZE {{ install_drive }}"
@@ -158,7 +157,7 @@
  when: partitioning_luks_enabled | bool
  vars:
    partitioning_luks_passphrase_effective: >-
-      {{ partitioning_luks_passphrase | string }}
+      {{ (partitioning_luks_passphrase | default(luks_passphrase | default(''))) | string }}
  block:
    - name: Validate LUKS passphrase
      ansible.builtin.assert:
@@ -208,7 +207,7 @@
            state: opened
            name: "{{ partitioning_luks_mapper_name }}"
            passphrase: "{{ partitioning_luks_passphrase_effective }}"
-            allow_discards: "{{ 'discard' in (partitioning_luks_options | lower) }}"
+            allow_discards: "{{ 'discard' in (partitioning_luks_options | default('') | lower) }}"
          register: partitioning_luks_open_result
          no_log: true
      rescue:
@@ -236,7 +235,7 @@
            state: opened
            name: "{{ partitioning_luks_mapper_name }}"
            passphrase: "{{ partitioning_luks_passphrase_effective }}"
-            allow_discards: "{{ 'discard' in (partitioning_luks_options | lower) }}"
+            allow_discards: "{{ 'discard' in (partitioning_luks_options | default('') | lower) }}"
          register: partitioning_luks_open_retry
          no_log: true

@@ -258,139 +257,7 @@
        pvs: "{{ partitioning_root_device }}"

    - name: Create LVM logical volumes
-      when:
-        - cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
-        - swap_enabled | bool or item.lv != 'swap'
-      vars:
-        partitioning_lvm_extent_reserve_count: 10
-        partitioning_lvm_extent_size_mib: 4
-        partitioning_lvm_extent_reserve_gb: >-
-          {{
-            (
-              (partitioning_lvm_extent_reserve_count | float)
-              * (partitioning_lvm_extent_size_mib | float)
-              / 1024
-            ) | round(2, 'ceil')
-          }}
-        partitioning_lvm_swap_target_gb: >-
-          {{
-            (
-              [
-                (partitioning_vm_memory_effective | float / 1024),
-                4
-              ] | max | float
-            )
-            if swap_enabled | bool
-            else 0
-          }}
-        partitioning_lvm_swap_cap_gb: >-
-          {{
-            (
-              4
-              + [
-                (partitioning_vm_size_effective | float) - 20,
-                0
-              ] | max
-            )
-            if swap_enabled | bool
-            else 0
-          }}
-        partitioning_lvm_swap_target_effective_gb: >-
-          {{
-            (
-              [
-                partitioning_lvm_swap_target_gb,
-                partitioning_lvm_swap_cap_gb
-              ] | min
-            )
-            if swap_enabled | bool
-            else 0
-          }}
-        partitioning_lvm_swap_max_gb: >-
-          {{
-            (
-              [
-                (
-                  (partitioning_vm_size_effective | float)
-                  - (partitioning_reserved_gb | float)
-                  - (cis_enabled | ternary(7.5, 0))
-                  - partitioning_lvm_extent_reserve_gb
-                  - 4
-                ),
-                0
-              ] | max
-            )
-            if swap_enabled | bool
-            else 0
-          }}
-        partitioning_lvm_available_gb: >-
-          {{
-            (
-              (partitioning_vm_size_effective | float)
-              - (partitioning_reserved_gb | float)
-              - (cis_enabled | ternary(7.5, 0))
-              - partitioning_lvm_extent_reserve_gb
-              - partitioning_lvm_swap_target_effective_gb
-            ) | float
-          }}
-        partitioning_lvm_home_gb: >-
-          {{
-            ([([(((partitioning_vm_size_effective | float) - 20) * 0.1), 2] | max), 20] | min)
-          }}
-        partitioning_lvm_root_default_gb: >-
-          {{
-            [
-              (
-                ((partitioning_lvm_available_gb | float) < 4)
-                | ternary(
-                    4,
-                    (
-                      ((partitioning_lvm_available_gb | float) > 12)
-                      | ternary(
-                          ((partitioning_vm_size_effective | float) * 0.4)
-                          | round(0, 'ceil'),
-                          partitioning_lvm_available_gb
-                        )
-                    )
-                  )
-              ),
-              4
-            ] | max
-          }}
-        partitioning_lvm_swap_gb: >-
-          {{
-            (
-              [
-                partitioning_lvm_swap_target_effective_gb,
-                partitioning_lvm_swap_max_gb
-              ] | min | round(2, 'floor')
-            )
-            if swap_enabled | bool
-            else 0
-          }}
-        partitioning_lvm_root_full_gb: >-
-          {{
-            [
-              (
-                (partitioning_vm_size_effective | float)
-                - (partitioning_reserved_gb | float)
-                - (partitioning_lvm_swap_gb | float)
-                - partitioning_lvm_extent_reserve_gb
-                - (
-                    (partitioning_lvm_home_gb | float) + 5.5
-                    if cis_enabled
-                    else 0
-                  )
-              ),
-              4
-            ] | max | round(2, 'floor')
-          }}
-        partitioning_lvm_root_gb: >-
-          {{
-            partitioning_lvm_root_full_gb
-            if partitioning_use_full_disk | bool
-            else partitioning_lvm_root_default_gb
-          }}
+      when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
      community.general.lvol:
        vg: sys
        lv: "{{ item.lv }}"
@@ -398,11 +265,29 @@
        state: present
      loop:
        - lv: root
-          size: "{{ partitioning_lvm_root_gb | string + 'G' }}"
+          size: >-
+            {{ [(((((partitioning_vm_size_effective | float) - (partitioning_reserved_gb | float) - ((cis | bool) | ternary(7.5, 0)) - (((partitioning_vm_memory_effective | float / 1024) > 16.0)
+                 | ternary(((partitioning_vm_memory_effective | float / 2048) | int), (partitioning_vm_memory_effective | float / 1024)))) < 4)
+                 | ternary(4,((((partitioning_vm_size_effective | float) - (partitioning_reserved_gb | float) - ((cis | bool) | ternary(7.5, 0)) -
+                (((partitioning_vm_memory_effective | float / 1024) > 16.0)
+                 | ternary(
+                     ((partitioning_vm_memory_effective | float / 2048) | int),
+                     (partitioning_vm_memory_effective | float / 1024)
+                   )))
+            > 12)
+                  | ternary(((partitioning_vm_size_effective | float) * 0.4) | round(0, 'ceil'),((partitioning_vm_size_effective | float) - (partitioning_reserved_gb | float) - ((cis | bool)
+                  | ternary(7.5, 0)) - (((partitioning_vm_memory_effective | float / 1024) > 16.0)
+                  | ternary(((partitioning_vm_memory_effective | float / 2048) | int), (partitioning_vm_memory_effective | float / 1024))))))))), 4 ] | max | string +
+            'G' }}
        - lv: swap
-          size: "{{ partitioning_lvm_swap_gb | string + 'G' }}"
+          size: >-
+            {{ ((((partitioning_vm_size_effective | float) - (partitioning_reserved_gb | float) - ((cis | bool) | ternary(7.5, 0))) - (((partitioning_vm_memory_effective | float / 1024) > 16.0)
+                | ternary(((partitioning_vm_memory_effective | float / 2048) | int), (partitioning_vm_memory_effective | float / 1024)))) < 4)
+                | ternary((((partitioning_vm_size_effective | float) - (partitioning_reserved_gb | float) - ((cis | bool) | ternary(7.5, 0))) - 4), (((partitioning_vm_memory_effective | float / 1024)
+            > 16.0)
+                | ternary(((partitioning_vm_memory_effective | float / 2048) | int), (partitioning_vm_memory_effective | float / 1024)))) | string + 'G' }}
        - lv: home
-          size: "{{ partitioning_lvm_home_gb | string + 'G' }}"
+          size: "{{ ([([(((partitioning_vm_size_effective | float) - 20) * 0.1), 2] | max), 20] | min) | string + 'G' }}"
        - {lv: var, size: "2G"}
        - {lv: var_log, size: "2G"}
        - {lv: var_log_audit, size: "1.5G"}
@@ -435,9 +320,7 @@
      changed_when: partitioning_boot_ext4_tune_result.rc == 0

    - name: Create swap filesystem
-      when:
-        - filesystem != 'btrfs'
-        - swap_enabled | bool
+      when: filesystem != 'btrfs'
      community.general.filesystem:
        fstype: swap
        dev: /dev/sys/swap
@@ -462,101 +345,42 @@
      register: partitioning_main_uuid
      changed_when: false

-    - name: Get UUID for LVM root filesystem
-      when: filesystem != 'btrfs'
-      ansible.builtin.command: blkid -s UUID -o value /dev/sys/root
-      register: partitioning_uuid_root_result
-      changed_when: false
-
-    - name: Get UUID for LVM swap filesystem
-      when:
-        - filesystem != 'btrfs'
-        - swap_enabled | bool
-      ansible.builtin.command: blkid -s UUID -o value /dev/sys/swap
-      register: partitioning_uuid_swap_result
-      changed_when: false
-
-    - name: Get UUID for LVM home filesystem
-      when:
-        - filesystem != 'btrfs'
-        - cis_enabled
-      ansible.builtin.command: blkid -s UUID -o value /dev/sys/home
-      register: partitioning_uuid_home_result
-      changed_when: false
-
-    - name: Get UUID for LVM var filesystem
-      when:
-        - filesystem != 'btrfs'
-        - cis_enabled
-      ansible.builtin.command: blkid -s UUID -o value /dev/sys/var
-      register: partitioning_uuid_var_result
-      changed_when: false
-
-    - name: Get UUID for LVM var_log filesystem
-      when:
-        - filesystem != 'btrfs'
-        - cis_enabled
-      ansible.builtin.command: blkid -s UUID -o value /dev/sys/var_log
-      register: partitioning_uuid_var_log_result
-      changed_when: false
-
-    - name: Get UUID for LVM var_log_audit filesystem
-      when:
-        - filesystem != 'btrfs'
-        - cis_enabled
-      ansible.builtin.command: blkid -s UUID -o value /dev/sys/var_log_audit
-      register: partitioning_uuid_var_log_audit_result
+    - name: Get UUIDs for LVM filesystems
+      when: filesystem != 'btrfs' and (cis | bool or item not in ['home', 'var', 'var_log', 'var_log_audit'])
+      ansible.builtin.command: blkid -s UUID -o value /dev/sys/{{ item }}
+      loop:
+        - root
+        - swap
+        - home
+        - var
+        - var_log
+        - var_log_audit
+      register: partitioning_uuid_result
      changed_when: false

    - name: Assign UUIDs to Variables
      when: filesystem != 'btrfs'
      ansible.builtin.set_fact:
-        partitioning_uuid_root: "{{ partitioning_uuid_root_result.stdout_lines | default([]) }}"
-        partitioning_uuid_swap: >-
-          {{
-            partitioning_uuid_swap_result.stdout_lines | default([])
-            if swap_enabled | bool
-            else ''
-          }}
-        partitioning_uuid_home: >-
-          {{
-            partitioning_uuid_home_result.stdout_lines | default([])
-            if cis_enabled
-            else ''
-          }}
-        partitioning_uuid_var: >-
-          {{
-            partitioning_uuid_var_result.stdout_lines | default([])
-            if cis_enabled
-            else ''
-          }}
-        partitioning_uuid_var_log: >-
-          {{
-            partitioning_uuid_var_log_result.stdout_lines | default([])
-            if cis_enabled
-            else ''
-          }}
-        partitioning_uuid_var_log_audit: >-
-          {{
-            partitioning_uuid_var_log_audit_result.stdout_lines | default([])
-            if cis_enabled
-            else ''
-          }}
+        partitioning_uuid_root: "{{ partitioning_uuid_result.results[0].stdout_lines }}"
+        partitioning_uuid_swap: "{{ partitioning_uuid_result.results[1].stdout_lines }}"
+        partitioning_uuid_home: "{{ partitioning_uuid_result.results[2].stdout_lines if cis | bool else '' }}"
+        partitioning_uuid_var: "{{ partitioning_uuid_result.results[3].stdout_lines if cis | bool else '' }}"
+        partitioning_uuid_var_log: "{{ partitioning_uuid_result.results[4].stdout_lines if cis | bool else '' }}"
+        partitioning_uuid_var_log_audit: "{{ partitioning_uuid_result.results[5].stdout_lines if cis | bool else '' }}"

 - name: Mount filesystems
  block:
    - name: Mount filesystems and subvolumes
      when:
        - >-
-            cis_enabled or (
-              not cis_enabled and (
+            cis | bool or (
+              not cis and (
                (filesystem == 'btrfs' and item.path in ['/home', '/var/log', '/var/cache/pacman/pkg'])
                or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit', '/var/cache/pacman/pkg'])
              )
            )
        - >-
            not (item.path in ['/swap', '/var/cache/pacman/pkg'] and filesystem != 'btrfs')
-        - swap_enabled | bool or item.path != '/swap'
      ansible.posix.mount:
        path: /mnt{{ item.path }}
        src: "{{ 'UUID=' + (partitioning_main_uuid.stdout if filesystem == 'btrfs' else item.uuid) }}"
@@ -571,17 +395,17 @@
              'defaults'
              if filesystem != 'btrfs'
              else [
-                'rw', 'relatime', partitioning_btrfs_compress_opt, 'ssd', 'space_cache=v2',
+                'rw', 'relatime', 'compress=zstd:15', 'ssd', 'space_cache=v2',
                'discard=async', 'subvol=@'
-              ] | reject('equalto', '') | join(',')
+              ] | join(',')
            }}
        - path: /swap
          opts: >-
            {{
              [
-                'rw', 'nosuid', 'nodev', 'relatime', partitioning_btrfs_compress_opt, 'ssd',
+                'rw', 'nosuid', 'nodev', 'relatime', 'compress=zstd:15', 'ssd',
                'space_cache=v2', 'discard=async', 'subvol=@swap'
-              ] | reject('equalto', '') | join(',')
+              ] | join(',')
            }}
        - path: /home
          uuid: "{{ partitioning_uuid_home[0] | default(omit) }}"
@@ -590,9 +414,9 @@
              'defaults,nosuid,nodev'
              if filesystem != 'btrfs'
              else [
-                'rw', 'nosuid', 'nodev', 'relatime', partitioning_btrfs_compress_opt, 'ssd',
+                'rw', 'nosuid', 'nodev', 'relatime', 'compress=zstd:15', 'ssd',
                'space_cache=v2', 'discard=async', 'subvol=@home'
-              ] | reject('equalto', '') | join(',')
+              ] | join(',')
            }}
        - path: /var
          uuid: "{{ partitioning_uuid_var[0] | default(omit) }}"
@@ -601,9 +425,9 @@
              'defaults,nosuid,nodev'
              if filesystem != 'btrfs'
              else [
-                'rw', 'nosuid', 'nodev', 'relatime', partitioning_btrfs_compress_opt, 'ssd',
+                'rw', 'nosuid', 'nodev', 'relatime', 'compress=zstd:15', 'ssd',
                'space_cache=v2', 'discard=async', 'subvol=@var'
-              ] | reject('equalto', '') | join(',')
+              ] | join(',')
            }}
        - path: /var/log
          uuid: "{{ partitioning_uuid_var_log[0] | default(omit) }}"
@@ -612,9 +436,9 @@
              'defaults,nosuid,nodev,noexec'
              if filesystem != 'btrfs'
              else [
-                'rw', 'nosuid', 'nodev', 'noexec', 'relatime', partitioning_btrfs_compress_opt,
+                'rw', 'nosuid', 'nodev', 'noexec', 'relatime', 'compress=zstd:15',
                'ssd', 'space_cache=v2', 'discard=async', 'subvol=@var_log'
-              ] | reject('equalto', '') | join(',')
+              ] | join(',')
            }}
        - path: /var/cache/pacman/pkg
          uuid: "{{ partitioning_uuid_root | default([]) | first | default(omit) }}"
@@ -623,9 +447,9 @@
              'defaults,nosuid,nodev,noexec'
              if filesystem != 'btrfs'
              else [
-                'rw', 'nosuid', 'nodev', 'noexec', 'relatime', partitioning_btrfs_compress_opt,
+                'rw', 'nosuid', 'nodev', 'noexec', 'relatime', 'compress=zstd:15',
                'ssd', 'space_cache=v2', 'discard=async', 'subvol=@pkg'
-              ] | reject('equalto', '') | join(',')
+              ] | join(',')
            }}
        - path: /var/log/audit
          uuid: "{{ partitioning_uuid_var_log_audit[0] | default(omit) }}"
@@ -634,9 +458,9 @@
              'defaults,nosuid,nodev,noexec'
              if filesystem != 'btrfs'
              else [
-                'rw', 'nosuid', 'nodev', 'noexec', 'relatime', partitioning_btrfs_compress_opt,
+                'rw', 'nosuid', 'nodev', 'noexec', 'relatime', 'compress=zstd:15',
                'ssd', 'space_cache=v2', 'discard=async', 'subvol=@var_log_audit'
-              ] | reject('equalto', '') | join(',')
+              ] | join(',')
            }}

    - name: Mount /boot filesystem
@@ -656,7 +480,6 @@
        state: mounted

    - name: Activate swap
-      when: swap_enabled | bool
      vars:
        partitioning_swap_cmd: >-
          {{ 'swapon /mnt/swap/swapfile' if filesystem == 'btrfs' else 'swapon -U ' + partitioning_uuid_swap[0] }}
--- a/roles/partitioning/tasks/xfs.yml
+++ b/roles/partitioning/tasks/xfs.yml
@@ -1,6 +1,6 @@
 ---
 - name: Create and format XFS logical volumes
-  when: cis_enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
+  when: cis | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
  community.general.filesystem:
    dev: /dev/sys/{{ item.lv }}
    fstype: xfs
--- a/roles/virtualization/defaults/main.yml
+++ b/roles/virtualization/defaults/main.yml
@@ -1,19 +1,11 @@
 ---
-virtualization_libvirt_image_dir: >-
-  {{ vm_path if vm_path is defined and vm_path | length > 0 else '/var/lib/libvirt/images' }}
-virtualization_libvirt_disk_path: >-
-  {{ [virtualization_libvirt_image_dir, hostname ~ '.qcow2'] | ansible.builtin.path_join }}
-virtualization_libvirt_cloudinit_path: >-
-  {{ [virtualization_libvirt_image_dir, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}
-virtualization_mac_address: >-
-  {{ '52:54:00' | community.general.random_mac(seed=hostname) }}
-
 virtualization_tpm2_enabled: >-
  {{
-    (partitioning_luks_enabled | bool)
-    and (partitioning_luks_auto_decrypt | bool)
+    (partitioning_luks_enabled | default(luks_enabled | default(false)) | bool)
+    and (partitioning_luks_auto_decrypt | default(luks_auto_decrypt | default(true)) | bool)
    and (
-      (partitioning_luks_auto_decrypt_method | lower)
+      (partitioning_luks_auto_decrypt_method | default(luks_auto_decrypt_method | default('tpm2')))
+      | lower
      == 'tpm2'
    )
  }}
--- a/roles/virtualization/tasks/libvirt.yml
+++ b/roles/virtualization/tasks/libvirt.yml
@@ -1,4 +1,16 @@
 ---
+- name: Set libvirt image paths
+  delegate_to: localhost
+  vars:
+    virtualization_libvirt_image_dir_value: "{{ vm_path | default('/var/lib/libvirt/images') }}"
+  ansible.builtin.set_fact:
+    virtualization_libvirt_image_dir: "{{ virtualization_libvirt_image_dir_value }}"
+    virtualization_libvirt_disk_path: >-
+      {{ [virtualization_libvirt_image_dir_value, hostname ~ '.qcow2'] | ansible.builtin.path_join }}
+    virtualization_libvirt_cloudinit_path: >-
+      {{ [virtualization_libvirt_image_dir_value, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}
+  changed_when: false
+
 - name: Create VM disk
  delegate_to: localhost
  ansible.builtin.command:
@@ -11,6 +23,13 @@
      - "{{ vm_size }}G"
    creates: "{{ virtualization_libvirt_disk_path }}"

+- name: Generate VM MAC address
+  delegate_to: localhost
+  ansible.builtin.set_fact:
+    virtualization_mac_address: >-
+      {{ '52:54:00' | community.general.random_mac(seed=hostname) }}
+  changed_when: false
+
 - name: Render cloud config templates
  delegate_to: localhost
  ansible.builtin.template:
--- a/roles/virtualization/tasks/proxmox.yml
+++ b/roles/virtualization/tasks/proxmox.yml
@@ -2,7 +2,7 @@
 - name: Deploy VM on Proxmox
  delegate_to: localhost
  vars:
-    virtualization_dns_value: "{{ vm_dns if vm_dns is defined else '' }}"
+    virtualization_dns_value: "{{ vm_dns | default('') }}"
    virtualization_dns_list_raw: >-
      {{
        virtualization_dns_value
@@ -11,7 +11,7 @@
      }}
    virtualization_dns_list: >-
      {{ virtualization_dns_list_raw | map('trim') | reject('equalto', '') | list }}
-    virtualization_search_value: "{{ vm_dns_search if vm_dns_search is defined else '' }}"
+    virtualization_search_value: "{{ vm_dns_search | default('') }}"
    virtualization_search_list_raw: >-
      {{
        virtualization_search_value
@@ -33,7 +33,7 @@
    cpu: host
    cores: "{{ vm_cpus }}"
    memory: "{{ vm_memory }}"
-    balloon: "{{ vm_ballo if vm_ballo is defined and vm_ballo | int > 0 else omit }}"
+    balloon: "{{ vm_ballo | default(omit) }}"
    numa_enabled: true
    hotplug: network,disk
    update: "{{ virtualization_tpm2_enabled | bool }}"
@@ -57,14 +57,14 @@
      }}
    ide:
      ide0: "{{ boot_iso }},media=cdrom"
-      ide1: "{{ rhel_iso + ',media=cdrom' if rhel_iso is defined and rhel_iso | length > 0 else omit }}"
+      ide1: "{{ rhel_iso + ',media=cdrom' if rhel_iso is defined else omit }}"
      ide2: "{{ hypervisor_storage }}:cloudinit"
    net:
-      net0: virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name | length > 0 %},tag={{ vlan_name }}{% endif %}
+      net0: virtio,bridge={{ vm_nif }}{% if vlan_name is defined and vlan_name %},tag={{ vlan_name }}{% endif %}
    ipconfig:
      ipconfig0: >-
        {{
-          'ip=' ~ vm_ip ~ '/' ~ vm_nms
+          'ip=' ~ vm_ip ~ '/' ~ (vm_nms | default(24))
          ~ (',gw=' ~ vm_gw if vm_gw is defined and vm_gw | length else '')
          if vm_ip is defined and vm_ip | length
          else 'ip=dhcp'
--- a/roles/virtualization/tasks/vmware.yml
+++ b/roles/virtualization/tasks/vmware.yml
@@ -8,11 +8,11 @@
    validate_certs: false
    datacenter: "{{ hypervisor_datacenter }}"
    cluster: "{{ hypervisor_cluster }}"
-    folder: "{{ vm_path if vm_path is defined and vm_path | length > 0 else omit }}"
+    folder: "{{ vm_path | default(omit) }}"
    name: "{{ hostname }}"
    guest_id: otherLinux64Guest
    annotation: |
-      {{ note if note is defined else '' }}
+      {{ note | default('') }}
    state: "{{ 'poweredoff' if virtualization_tpm2_enabled | bool else 'poweredon' }}"
    disk:
      - size_gb: "{{ vm_size }}"
@@ -41,12 +41,12 @@
            "state": "present",
            "type": "iso",
            "iso_path": rhel_iso
-          } ] if rhel_iso is defined and rhel_iso | length > 0 else [] )
+          } ] if rhel_iso is defined and rhel_iso|length > 0 else [] )
      }}
    networks:
      - name: "{{ vm_nif }}"
        type: dhcp
-        vlan: "{{ vlan_name if vlan_name is defined and vlan_name | length > 0 else omit }}"
+        vlan: "{{ vlan_name | default(omit) }}"

 - name: Ensure vTPM2 is enabled when required
  when: virtualization_tpm2_enabled | bool
@@ -57,7 +57,7 @@
    password: "{{ hypervisor_password }}"
    validate_certs: false
    datacenter: "{{ hypervisor_datacenter }}"
-    folder: "{{ vm_path if vm_path is defined and vm_path | length > 0 else omit }}"
+    folder: "{{ vm_path | default(omit) }}"
    name: "{{ hostname }}"
    state: present

--- a/roles/virtualization/templates/cloud-network-config.yml.j2
+++ b/roles/virtualization/templates/cloud-network-config.yml.j2
@@ -5,15 +5,15 @@ network:
      match:
        macaddress: "{{ virtualization_mac_address }}"
 {% set has_static = vm_ip is defined and vm_ip | length %}
-{% set dns_value = vm_dns if vm_dns is defined else '' %}
+{% set dns_value = vm_dns | default('') %}
 {% set dns_list_raw = dns_value if dns_value is iterable and dns_value is not string else dns_value.split(',') %}
 {% set dns_list = dns_list_raw | map('trim') | reject('equalto', '') | list %}
-{% set search_value = vm_dns_search if vm_dns_search is defined else '' %}
+{% set search_value = vm_dns_search | default('') %}
 {% set search_list_raw = search_value if search_value is iterable and search_value is not string else search_value.split(',') %}
 {% set search_list = search_list_raw | map('trim') | reject('equalto', '') | list %}
 {% if has_static %}
      addresses:
-        - "{{ vm_ip }}/{{ vm_nms }}"
+        - "{{ vm_ip }}/{{ vm_nms | default(24) }}"
 {% if vm_gw is defined and vm_gw | length %}
      gateway4: "{{ vm_gw }}"
 {% endif %}
--- a/roles/virtualization/templates/vm.xml.j2
+++ b/roles/virtualization/templates/vm.xml.j2
@@ -1,7 +1,7 @@
 <domain type='kvm'>
  <name>{{ hostname }}</name>
  <memory>{{ vm_memory | int * 1024 }}</memory>
-  {% if vm_ballo is defined and vm_ballo | int > 0 %}<currentMemory>{{ vm_ballo | int * 1024 }}</currentMemory>{% endif %}
+  {% if vm_ballo is defined %}<currentMemory>{{ vm_ballo | int * 1024 }}</currentMemory>{% endif %}
  <vcpu placement='static'>{{ vm_cpus }}</vcpu>
  <os>
    <type arch='x86_64' machine="pc-q35-8.0">hvm</type>
@@ -37,7 +37,7 @@
      <source file="{{ virtualization_libvirt_cloudinit_path }}"/>
      <target dev="sdb" bus="sata"/>
    </disk>
-    {% if rhel_iso is defined and rhel_iso | length > 0 %}
+    {% if rhel_iso is defined %}
    <disk type="file" device="cdrom">
      <driver name="qemu" type="raw"/>
      <source file="{{ rhel_iso }}"/>
@@ -49,7 +49,7 @@
      <source network='default'/>
      <model type='virtio'/>
    </interface>
-    {% if virtualization_tpm2_enabled %}
+    {% if virtualization_tpm2_enabled | default(false) %}
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'/>
    </tpm>
--- a/vars_baremetal_example.yml
+++ b/vars_baremetal_example.yml
@@ -6,10 +6,6 @@ install_drive: "/dev/sda"
 os: "archlinux"
 filesystem: "btrfs"

-cis: false
-selinux: true
-firewalld_enabled: true
-
 luks_enabled: true
 luks_passphrase: "1234"
 luks_mapper_name: "SYSTEM_DECRYPTED"
--- a/vars_example.yml
+++ b/vars_example.yml
@@ -5,9 +5,6 @@ vm_ip: "{{ inventory_hostname }}"
 install_type: "virtual"
 install_drive: "/dev/sda"  # Use /dev/vda for virtio/libvirt.
 custom_iso: false  # Set true to skip ArchISO-specific validation and pacman setup.
-cis: false  # Set true to enable CIS hardening.
-selinux: true  # Toggle SELinux where supported.
-firewalld_enabled: true  # Toggle firewalld package and service.

 hypervisor_url: "pve01.example.com"
 hypervisor_username: "root@pam"
Author	SHA1	Message	Date
Sandwich	eb2addf3fd	Normalize LUKS boot layout and partitioning defaults	2025-12-28 16:00:49 +01:00
Sandwich	89d037dc54	Update Fedora to 43	2025-12-28 04:04:27 +01:00
Sandwich	757102c959	Restore Debian ESP mount layout	2025-12-28 02:24:33 +01:00
Sandwich	2fbb966f69	Fix Debian initramfs regeneration	2025-12-28 01:54:14 +01:00
Sandwich	8e2c44321e	Ensure initramfs-tools for Debian/Ubuntu	2025-12-28 01:29:26 +01:00
Sandwich	415fc5a26b	Enable GRUB cryptodisk defaults	2025-12-28 00:46:09 +01:00
Sandwich	aaada3a826	Fix bootstrap package list rendering	2025-12-28 00:12:37 +01:00
Sandwich	a5e516aa91	Condition LUKS and guest tools in bootstrap vars	2025-12-27 23:52:06 +01:00
Sandwich	b9544a60d3	Fix Debian EFI mount layout	2025-12-27 23:49:21 +01:00
Sandwich	d0b26a57ef	Docs, examples, and tooling	2025-12-27 23:07:47 +01:00
Sandwich	f73982d502	CIS role split and permission safety	2025-12-27 22:27:26 +01:00
Sandwich	d92b89b001	Cleanup refactor and libvirt removal tooling	2025-12-27 21:44:33 +01:00
Sandwich	3362aad149	Virtualization TPM2 and cloud-init fixes	2025-12-27 20:19:11 +01:00
Sandwich	2e59d7d27c	Partitioning idempotency and filesystem tasks	2025-12-26 23:31:54 +01:00
Sandwich	d0bcbb95d8	LUKS enrollment and RHEL cmdline/BLS	2025-12-26 22:09:08 +01:00
Sandwich	0181f9104a	Configuration role refactor and network template	2025-12-26 20:38:42 +01:00
Sandwich	4de84a7312	Split bootstrap by OS	2025-12-25 22:12:19 +01:00
Sandwich	04d5e99e56	Playbook flow and environment prep	2025-12-25 20:47:37 +01:00
Sandwich	378d9a88c2	Add Debian 13 (Trixie) support	2025-08-11 21:37:25 +02:00
Sandwich	905043baf3	Update doc to Fedora 42	2025-07-07 15:24:17 +02:00
Sandwich	9164815185	Fix rhel10 variable assertion	2025-07-06 04:36:55 +02:00
Sandwich	81f15fffb7	use proper datacenter variable	2025-07-06 04:34:16 +02:00
Sandwich	d454c3cd82	Update Fedora to 42	2025-07-06 04:28:59 +02:00
Sandwich	9ffb2aa69f	Use the proper property name	2025-06-24 16:57:18 +02:00
Sandwich	6d843ff409	Fix VM state after cleanup	2025-06-24 16:54:57 +02:00
Sandwich	775dbefa67	use proper filename for role variables	2025-06-17 06:34:39 +02:00
Sandwich	06823044dd	Update ubuntu to plucky release	2025-06-17 03:57:58 +02:00
Sandwich	919c44bb29	Add rhel10 support	2025-06-17 03:13:30 +02:00
Sandwich	0d01f2afdc	Add ncurses-term package to ubuntu for more legacy terminal descriptors	2025-05-30 09:48:55 +02:00
Sandwich	e532dcac16	Add ncurses-term package for legacy ssh client (terminal descriptors)	2025-05-30 09:14:21 +02:00
Sandwich	6cbecf2db0	Add vm_dns_search to hostname if set	2025-05-26 14:37:28 +02:00
Sandwich	d612f9dabb	Improve SSH CIS hardening	2025-05-04 01:41:00 +02:00
Sandwich	00c3cd5180	Fix Typo	2025-04-29 20:30:02 +02:00
Sandwich	fef1f44a07	Improve Arch packages + Disable swap before unmounting	2025-04-29 20:28:55 +02:00
Sandwich	e1464562f7	Document vmware_ssh variable	2025-03-25 13:13:06 +01:00
Sandwich	60c552be45	Fix vm creation when no rhel_iso for vmware	2025-02-20 16:00:39 +01:00
Sandwich	c96fcf5e96	Increase max home size to 20GB	2025-02-18 21:39:58 +01:00
Sandwich	4e70ee2e3e	Add guest_id since its necessary	2025-02-17 21:38:56 +01:00
Sandwich	81bbd2b22a	Implement VMware annotation	2025-02-17 21:17:18 +01:00
Sandwich	e65fbfd570	Improve Partition calculation algorithm	2025-02-17 20:43:45 +01:00
Sandwich	122bd5cdf4	Add DNS Search option	2025-02-10 15:16:15 +01:00
Sandwich	c8d3de3d8d	Update README regarding SELinux	2025-02-07 20:50:20 +01:00
Sandwich	4ed15e5ea8	dont fail if selinux is undefined	2025-02-07 20:47:30 +01:00
Sandwich	518babe328	Remove motd files for rhel	2025-02-05 17:14:17 +01:00
Sandwich	918e14051d	Enable option to disable selinux for all osses	2025-02-05 01:41:10 +01:00
Sandwich	3d18962160	Include Standard package group for RHEL systems	2025-02-05 00:02:37 +01:00
Sandwich	457d558133	Make sure Volumes are safely unmounted before reboot	2025-01-22 12:34:00 +01:00
Sandwich	e06a95fdbc	Fix CIS applienc for RHEL8	2025-01-21 22:34:01 +01:00
Sandwich	7bae512560	Update package name to match correctly	2025-01-21 22:02:43 +01:00
Sandwich	3e91057689	Make sure the VM truly starts	2025-01-21 21:35:47 +01:00
Sandwich	e9647571fc	Do not check if VM is back on vmware with cis activated, it will fail without the key, and key cannot be set otherwise awx refuses connection	2025-01-21 21:30:56 +01:00
Sandwich	c32769d831	Add banner	2025-01-21 20:16:05 +01:00
Sandwich	7cfa4aee8d	Add ssh key survey	2025-01-21 20:00:18 +01:00
Sandwich	a7e7f49d84	Add missing variable	2025-01-21 19:58:07 +01:00
Sandwich	cfcccbf512	CIS Adjustments	2025-01-21 19:55:36 +01:00
Sandwich	75c4ba6b4c	Fix variable distribution	2025-01-21 17:43:18 +01:00
Sandwich	b62066d675	Make Network Assignment more reliable	2025-01-21 16:59:56 +01:00
Sandwich	53a2c27984	Add nms default	2025-01-17 00:50:26 +01:00
Sandwich	bb82ff120b	Remove nms from ip since already addition already done internaly	2025-01-17 00:45:42 +01:00
Sandwich	221d77b94d	Do not reboot localhost!	2025-01-17 00:38:35 +01:00
Sandwich	d71ea511f9	Don't fail proxmox install if rhel_iso is not defined	2025-01-17 00:07:58 +01:00
Sandwich	b3299781dc	use 24 netmask as default if not set	2025-01-17 00:03:38 +01:00
Sandwich	5e7a06b7db	Add extra utils	2025-01-14 21:14:40 +01:00
Sandwich	d77f65ce05	Set correct IP NetworkMask if defined	2025-01-14 16:08:10 +01:00
Sandwich	39fc15d7d8	Fix typo	2025-01-14 15:03:06 +01:00
Sandwich	b076968404	Dont fail if vmware_ssh is not defined	2025-01-14 14:58:58 +01:00
Sandwich	4f03ccbfcf	Add dig via bind-utils for rhel	2024-12-03 16:42:47 +01:00
Sandwich	5746be4561	RHEL add python package	2024-12-03 13:31:31 +01:00
Sandwich	39cc49a05b	Do not hardcode macaddress which makes vm cloning harder	2024-12-02 18:08:48 +01:00
Sandwich	2d63ca9c5a	Use RHEL nameing for yum repo file	2024-11-12 14:14:09 +01:00
Sandwich	9f56328890	Fix DNS issue	2024-11-11 17:44:52 +01:00
Sandwich	dc763bdc42	Adjust never libvirt loaders	2024-11-11 17:26:37 +01:00
Sandwich	25deaab87d	Add some extra packages and vi mode for bash	2024-11-05 03:36:15 +01:00
Sandwich	89f054e8fd	Add final check if the VM is up and running after reboot	2024-11-01 23:58:52 +01:00
Sandwich	cbe238f4d5	Improve the root lv size calculations, still not perfect on bigger disk and ram sizes	2024-10-31 20:07:40 +01:00
Sandwich	c6f1686db8	Preper Shutdown so VMware does not corrupt the installation	2024-10-31 18:27:31 +01:00
Sandwich	c9a15dfccf	improve logical volume size calculation	2024-10-31 17:32:27 +01:00
Sandwich	f83a9ebd67	remove zram from debian11 since no support	2024-10-31 16:00:44 +01:00
Sandwich	e16868a78d	remove zram for rhel8 since no support	2024-10-31 15:56:42 +01:00
Sandwich	406db38296	dont use sudo for umount	2024-10-31 15:35:22 +01:00
Sandwich	cb3f36a040	Add umount for non RHEL systems	2024-10-31 14:23:55 +01:00
Sandwich	d97f0cfff8	Fix ubuntu install issue	2024-10-31 05:56:20 +01:00
Sandwich	e8f609dd03	Add SWAP support	2024-10-31 05:46:33 +01:00
Sandwich	a599e26a63	Add zram-generator config	2024-10-31 02:18:55 +01:00
Sandwich	3085ebc336	add zram-generator package	2024-10-31 02:10:21 +01:00
Sandwich	f967ea1c3b	Add swap optimalisations	2024-10-31 02:05:11 +01:00
Sandwich	2c4995ede8	Make root LV size dynamic based on VM disk size	2024-10-31 01:29:48 +01:00
Sandwich	ccf3193c92	improve VMware cleanup	2024-10-31 01:12:51 +01:00
Sandwich	d92944c345	Fix riski shell pipe	2024-10-31 00:43:49 +01:00
Sandwich	3c94a33ae7	Remove Cloud-init package which can cause issues with NetworkManager on bootup	2024-10-31 00:41:38 +01:00
Sandwich	af82baf1d8	Include MAC-Address into the NetworkManager keyfile	2024-10-31 00:13:23 +01:00
Sandwich	ec55701f00	umount disks before reboot	2024-10-30 23:48:36 +01:00
Sandwich	2a1a47ecc1	Remove VMWare static since not applicable	2024-10-30 23:18:27 +01:00
Sandwich	4808ce4401	Fix DISK removal at cleanup	2024-10-30 23:10:53 +01:00
Sandwich	db1fd13623	Fix variable hierarchy	2024-10-30 22:19:00 +01:00
Sandwich	e5660b0ba7	Fix ISO mounting for VMware Hypervisor	2024-10-30 20:25:41 +01:00
Sandwich	173ecd299b	Different aproche for ISO mounting	2024-10-30 19:30:12 +01:00
Sandwich	4d242ad987	Adjust controllerID for RHEL ISO for correct mounting	2024-10-30 19:23:01 +01:00
Sandwich	f8ac22cfab	Allow passwordless ssh for VMware Setup	2024-10-30 19:12:36 +01:00
Sandwich	12a7549aaa	Speed up setup on VMware if ssh is available	2024-10-30 18:59:32 +01:00
Sandwich	6705411b2d	Enable root ssh login	2024-10-30 18:54:15 +01:00
Sandwich	fe2b216fc7	set cis default value	2024-10-30 18:14:29 +01:00
Sandwich	26824ca6bb	Improve Ip set on VMware hypervisors	2024-10-30 18:04:46 +01:00
Sandwich	c60fcca86d	Fix VM Connection if hypervisor is VMware	2024-10-30 17:57:22 +01:00
Sandwich	cdd8062937	Fix recursion	2024-10-30 17:09:22 +01:00
Sandwich	ebedff1c4e	fix jinja syntax	2024-10-30 17:05:50 +01:00
Sandwich	04d05a4e8b	Move hypervisor and disk variable from main playbook	2024-10-30 16:58:22 +01:00
Sandwich	ee6e06a3fe	lower connection timeout	2024-10-30 16:48:23 +01:00
Sandwich	527bc11d1d	Change VMware boot order to boot correctly from ArchISO	2024-10-30 15:59:16 +01:00
Sandwich	d331e07536	Fix VMware Network if no VLAN specified	2024-10-30 15:48:22 +01:00
Sandwich	287036bcb4	use the correct NetworkMask variable name	2024-10-30 14:38:25 +01:00
Sandwich	ca5a3c8807	Add network mask variables for Hypervisor static IP assigments	2024-10-30 14:33:38 +01:00
Sandwich	c8dd89681b	move vm_ip back since it is not a permanent/static variable	2024-10-30 14:10:37 +01:00
Sandwich	9d4af56976	Move some persstent Vars to main playbook	2024-10-30 14:01:07 +01:00
Sandwich	3c55eaf4a1	Recommend Ansible Vault for variables storing secrets	2024-10-30 13:45:19 +01:00
Sandwich	d905dce89e	Add missing RHEL variable examples	2024-10-30 00:49:37 +01:00
Sandwich	76f1382e3e	Assertion for minimum filesystem size	2024-10-30 00:44:19 +01:00
Sandwich	04c27cd7d0	remove deperacted parameter causing sshd startup fails	2024-10-30 00:32:08 +01:00
Sandwich	147430b36e	Add RHEL8 and RHEL9 support	2024-10-30 00:29:46 +01:00
Sandwich	f8ba5c41db	Update Ubuntu to Oracular Oriole and Ubuntu-LTS to Noble Numbat	2024-10-29 15:08:43 +01:00
Sandwich	7a4fc24f32	Remove SSH Config multiline since OpenSSH does not support it	2024-10-29 14:25:53 +01:00
Sandwich	7bf7c29291	Update Fedora to Version 41	2024-10-29 14:17:01 +01:00
Sandwich	ccfce65673	Disable Cloud-init updates on boot to prevent loopdevice out of storage	2024-10-29 12:59:50 +01:00
Sandwich	528f2fc775	Use command module instead of shell if possible	2024-10-28 21:15:10 +01:00
Sandwich	505110f580	Fix command module formating	2024-10-28 21:07:33 +01:00
Sandwich	1d1b2fff42	Fix connection DNS resolving inside chroot	2024-10-28 20:26:15 +01:00
Sandwich	4cf4816be0	ensure variable is not empty	2024-10-28 19:25:49 +01:00
Sandwich	e37b5a535b	Specify changed_when for shell commands	2024-10-28 19:20:05 +01:00
Sandwich	5312ec8cc6	Replace ignore_errors with failed_when	2024-10-28 18:56:00 +01:00
Sandwich	a3b772c543	fix risky-shell-pipe	2024-10-28 18:47:31 +01:00
Sandwich	adde811f47	Fix risky-file-permissions because of unpecified mode	2024-10-28 18:37:44 +01:00
Sandwich	f788767839	Fix line-length	2024-10-28 18:26:54 +01:00
Sandwich	8b773d2304	Adjust literal-compare to use correct bool comparison	2024-10-28 17:17:24 +01:00
Sandwich	c988ab8f9a	dont use ignore-errors	2024-07-11 22:31:13 +02:00
Sandwich	8864db253b	add missing task name	2024-07-11 22:22:43 +02:00
Sandwich	06ca8d8787	ansible-lint fixes	2024-07-11 22:20:45 +02:00
Sandwich	374b5fc7ef	use correct boolean values	2024-07-11 22:09:58 +02:00
Sandwich	6bfd530c90	fix jinja formating	2024-07-11 22:03:15 +02:00
Sandwich	b077e549db	remove btrfs quota limits	2024-05-21 14:20:28 +02:00
Sandwich	43ce280d11	correct README	2024-04-17 14:38:47 +02:00
Sandwich	a6b51b4cb4	Add supported distro to the README	2024-04-17 14:37:47 +02:00
Sandwich	6dd31cc95f	fix cis support for all distros	2024-04-17 14:09:32 +02:00
Sandwich	4b98ec1434	add ubuntu-lts support	2024-04-17 12:17:19 +02:00
Sandwich	2444c5d7af	add ubuntu support	2024-04-17 10:53:09 +02:00
Sandwich	ec6ca49265	fix fedora boot issue	2024-04-17 06:02:32 +02:00
Sandwich	fe43bf6733	add essential almalinux packages	2024-04-17 05:06:45 +02:00
Sandwich	31c155ce92	install dnf if {{ os }} is fedora	2024-04-17 04:47:33 +02:00
Sandwich	0c75114b94	add rocky to README example	2024-04-17 04:39:29 +02:00
Sandwich	cd9ed65c91	Add essential rockylinux packages	2024-04-17 04:32:11 +02:00
Sandwich	9986d19ed6	Add en and de langauge support for rockylinux	2024-04-17 04:19:32 +02:00
Sandwich	d73e78c5f2	Add cloud-init support	2024-04-16 01:17:48 +02:00
Sandwich	b6f620fb70	Add RockyLinux support	2024-04-16 01:14:12 +02:00
Sandwich	cc40bae858	Add RockyLinux support	2024-04-16 01:14:05 +02:00
Sandwich	344753fa5b	Add RockyLinux Repo file	2024-04-15 21:30:04 +02:00
Sandwich	6be464a0e2	move assertion list to main playbook	2024-04-15 21:23:32 +02:00
Sandwich	48b5f602fa	Enable systemd-resolved and systemd-timesyncd services for ArchLinux	2024-03-28 03:50:04 +01:00
Sandwich	cc118274a3	Update gitignore	2024-03-22 12:48:49 +01:00
sandwich	d733513e29	Delete vars_libvirt.yml	2024-03-22 12:46:31 +01:00
sandwich	402f2b9bc0	Delete inventory_libvirt.yml	2024-03-22 12:46:22 +01:00
Sandwich	4ec5432989	Add inventory example in yaml	2024-03-22 12:43:13 +01:00