Ansible-Bootstrap/roles/global_defaults/defaults/main.yml


---
# OS family lists - single source of truth for platform detection and validation.
# Entries are the lowercase OS identifiers (the same spellings as os_supported).
# archlinux has no list of its own: os_family_map places it in its own family.
os_family_rhel:
  - almalinux
  - fedora
  - rhel
  - rocky

os_family_debian:
  - debian
  - ubuntu
  - ubuntu-lts
# OS -> family mapping - aligns with the main project's ansible_os_family pattern.
# Enables platform_config dict lookups per role instead of inline when: is_rhel chains.
# Family values use the ansible_os_family spellings (RedHat, Debian, Archlinux);
# the key set is identical to os_supported.
os_family_map:
  # RedHat family - same members as os_family_rhel
  almalinux: RedHat
  fedora: RedHat
  rhel: RedHat
  rocky: RedHat
  # Debian family - same members as os_family_debian
  debian: Debian
  ubuntu: Debian
  ubuntu-lts: Debian
  # Arch stands alone (no os_family_* list)
  archlinux: Archlinux
# Every OS this bootstrap accepts: the union of os_family_rhel, os_family_debian
# and archlinux - the same set as the keys of os_family_map.
os_supported:
  - almalinux
  - archlinux
  - debian
  - fedora
  - rhel
  - rocky
  - ubuntu
  - ubuntu-lts
# User input. Normalized into hypervisor_cfg + hypervisor_type.
# Only `type` is given a value here; the other keys presumably come from
# hypervisor_defaults when the user does not set them.
hypervisor:
  type: "none"
# Fallback values for the `hypervisor` map (presumably merged in the tasks,
# not here). Which keys must be non-empty for a given type is declared in
# hypervisor_required_fields.
hypervisor_defaults:
  type: "none" # none, or a key of hypervisor_required_fields
  url: ""
  username: ""
  # Credential placeholder: keep it empty in this file and supply the real
  # value from inventory / ansible-vault at play time.
  password: ""
  node: "" # proxmox
  storage: "" # proxmox, vmware
  datacenter: "" # vmware
  cluster: ""
  folder: ""
  certs: false
  ssh: false
# NOTE(review): indentation was lost in extraction; these three keys are
# reconstructed as top-level (not members of hypervisor_defaults) - confirm.
physical_default_os: "archlinux" # presumably the OS used for system.type=physical when system.os is empty
custom_iso: false
thirdparty_tasks: "dropins/preparation.yml" # presumably a path relative to the playbook directory
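# Defaults for each user-supplied `system` entry (presumably merged in the
# tasks). Empty strings, 0, [] and {} all mean "unset".
# NOTE(review): indentation was lost in extraction. The nesting below is
# reconstructed; the placement of `path` (system level, not network), of the
# luks keys after `tpm2` (keysize..pbkdf at luks level) and of `hardware`
# under `features` is an inference - confirm against the original file.
system_defaults:
  type: "virtual" # virtual|physical
  os: "" # one of os_supported
  version: ""
  filesystem: "ext4"
  name: ""
  id: "" # required when hypervisor.type=proxmox (see hypervisor_required_fields)
  cpus: 0
  memory: 0 # MiB
  balloon: 0 # MiB
  network:
    bridge: "" # virtual types need bridge or interfaces (see hypervisor_required_fields)
    vlan: ""
    ip: ""
    prefix: ""
    gateway: ""
    dns:
      servers: []
      search: []
    interfaces: []
  path: ""
  timezone: "Europe/Vienna"
  locale: "en_US.UTF-8"
  keymap: "us"
  mirror: ""
  packages: []
  disks: [] # per-disk keys default from system_disk_defaults; device prefix via hypervisor_disk_device_map
  users: {}
  root:
    # Keep empty in this file; supply from inventory / ansible-vault at play time.
    password: ""
    shell: "/bin/bash"
  luks:
    enabled: false
    # Keep empty in this file; supply from inventory / ansible-vault at play time.
    passphrase: ""
    mapper: "SYSTEM_DECRYPTED"
    auto: true # presumably: unlock without prompting, using `method`
    method: "tpm2"
    tpm2:
      device: "auto"
      # NOTE(review): empty = the luks role's default PCR set. The PCRs the key is
      # sealed to decide which firmware/bootloader changes break auto-unlock - confirm.
      pcrs: ""
    keysize: 64
    # discard forwards TRIM through dm-crypt (free-space pattern becomes visible
    # on the device - deliberate trade-off); tries=3 bounds passphrase attempts at boot.
    options: "discard,tries=3"
    type: "luks2"
    cipher: "aes-xts-plain64"
    hash: "sha512"
    iter: 4000 # presumably cryptsetup --iter-time in ms for argon2id; verify units in the luks role
    bits: 512 # 512 with aes-xts = two 256-bit AES keys
    pbkdf: "argon2id"
  features:
    cis:
      enabled: false
      profile: "default" # default|l1|l2 (default = current house behaviour)
      rules: {} # per-rule overrides, e.g. {usb_lockdown: false}
      params: {} # parameter overrides, e.g. {pwquality_minlen: 16}
    selinux:
      enabled: true
    firewall:
      enabled: true
      backend: "firewalld" # firewalld|ufw
      toolkit: "nftables" # nftables|iptables
    ssh:
      enabled: true
    zstd:
      enabled: true
    swap:
      enabled: true
    banner:
      motd: false
      sudo: true
    rhel_repo:
      source: "iso" # iso|satellite|none - how RHEL systems get packages post-install
      url: "" # Satellite/custom repo URL when source=satellite
    chroot:
      tool: "arch-chroot" # arch-chroot|chroot|systemd-nspawn
    initramfs:
      generator: "" # auto-detected; override: dracut|mkinitcpio|initramfs-tools
    desktop:
      enabled: false
      environment: "" # gnome|kde|sway|hyprland
      display_manager: "" # auto from environment when empty; override: gdm|sddm|greetd|plasma-login-manager|ly
      autologin: false # false | username from system.users (bool or string - consumers must accept both)
      session: "" # session name/command for the autologin user
      groups: [] # opt-in package groups (keys of desktop_package_groups)
    secure_boot:
      enabled: false
      method: "" # arch only: sbctl (default) or uki; ignored for other distros
    firmware:
      enabled: "auto" # auto = on for physical, off for virtual
      microcode: "auto"
    gpu:
      enabled: "auto" # auto = follows desktop.enabled
      nvidia_driver: "auto" # auto | open | proprietary | nouveau
    peripherals:
      enabled: "auto" # auto = follows desktop.enabled
      fingerprint: "auto" # auto|true|false (auto = install when detected)
      camera: "auto" # v4l-utils when a UVC/IPU6 camera is detected
      audio: "auto" # SOF firmware + ALSA UCM when an audio device is present
      bluetooth: "auto" # bluez when a Bluetooth controller is present
      displaylink: false
    hardware:
      profile: {} # full override: non-empty SKIPS detection (golden image)
      # Declarative hardware group: a per-device profile that MERGES over
      # auto-detect (auto-detect = base; these supplement/override it). Vendor
      # lists union with detection, booleans OR with detection, packages append,
      # disable[] force-off (applied last), kernel_params append to the cmdline.
      cpu: "" # pin a CPU vendor (intel|amd); empty = use detection
      gpus: [] # extra GPU vendor codes to force
      wireless: [] # extra wireless vendor codes to force
      audio: [] # extra audio vendor codes to force
      camera: {} # {uvc: true, ipu6: true} to force a camera kind
      fingerprint: false # force-on a fingerprint reader detection missed
      bluetooth: false # force-on a Bluetooth controller detection missed
      packages: {} # keyed by os_family_map values, e.g. {Archlinux: [intel-ipu6-dkms]}
      disable: [] # feature/vendor names to force-off (audio|bluetooth|camera|fingerprint|displaylink|<vendor>)
      kernel_params: [] # extra kernel cmdline params (quirks), e.g. ["i915.enable_psr=0"]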
# Per-hypervisor required fields - drives data-driven validation.
# All virtual types additionally require network bridge or interfaces.
# `hypervisor` names keys of hypervisor_defaults; `system` names keys of
# system_defaults. A type with two empty lists has no extra requirements.
hypervisor_required_fields:
  proxmox:
    hypervisor:
      - url
      - username
      - password
      - node
      - storage
    system:
      - id
  vmware:
    hypervisor:
      - url
      - username
      - password
      - datacenter
      - storage
    system: []
  xen:
    hypervisor: []
    system: []
  libvirt:
    hypervisor: []
    system: []
# Hypervisor-to-disk device prefix mapping for virtual machines.
# Physical installs must set system.disks[].device explicitly.
# Values are prefixes only; the trailing letter presumably comes from disk_letter_map.
hypervisor_disk_device_map:
  # virtio / paravirtualised block devices
  libvirt: "/dev/vd"
  xen: "/dev/xvd"
  # SCSI-style naming
  proxmox: "/dev/sd"
  vmware: "/dev/sd"
# Mountpoints managed by the partitioning role - forbidden for extra disks.
# Validation presumably rejects a system.disks[].mount.path found in this list.
reserved_mounts:
  - /boot
  - /boot/efi
  - /home
  - /var
  - /var/log
  - /var/log/audit
# Drive letter sequence for disk device naming (max 26 disks).
# Index n of this string is appended to the hypervisor_disk_device_map prefix
# for disk n (presumably; the indexing is done in the tasks).
disk_letter_map: "abcdefghijklmnopqrstuvwxyz"
system_disk_defaults:
size: 0
device: ""
mount:
path: ""
fstype: ""
label: ""
opts: "defaults"