Ansible-Bootstrap/roles/configuration/tasks/grub.yml

---
- name: Configure grub defaults
  when: not is_rhel | default(false)
  ansible.builtin.lineinfile:
    dest: /mnt/etc/default/grub
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
  loop:
    - regexp: ^GRUB_CMDLINE_LINUX_DEFAULT=
      line: GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3"
    - regexp: ^GRUB_TIMEOUT=
      line: GRUB_TIMEOUT=1

- name: Ensure grub defaults file exists for RHEL-based systems
  when: is_rhel | default(false)
  block:
    - name: Build RHEL kernel command line defaults
      vars:
        configuration_grub_root_uuid_value: >-
          {{
            (
              partitioning_main_uuid.stdout
              if (filesystem | lower) == 'btrfs'
              else (partitioning_uuid_root | default([]) | first | default(''))
            )
            | default('')
            | trim
          }}
        configuration_grub_lvm_args_value: >-
          {{
            ['resume=/dev/mapper/sys-swap', 'rd.lvm.lv=sys/root', 'rd.lvm.lv=sys/swap']
            if (filesystem | lower) != 'btrfs'
            else []
          }}
        configuration_grub_root_flags_value: >-
          {{ ['rootflags=subvol=@'] if (filesystem | lower) == 'btrfs' else [] }}
        configuration_grub_cmdline_linux_base_value: >-
          {{
            (['crashkernel=auto'] + configuration_grub_lvm_args_value)
            | join(' ')
          }}
        configuration_grub_kernel_cmdline_base_value: >-
          {{
            (
              (['root=UUID=' + configuration_grub_root_uuid_value]
               if configuration_grub_root_uuid_value | length > 0 else [])
              + ['ro', 'crashkernel=auto']
              + configuration_grub_lvm_args_value
              + configuration_grub_root_flags_value
            )
            | join(' ')
          }}
      ansible.builtin.set_fact:
        configuration_grub_cmdline_linux_base: "{{ configuration_grub_cmdline_linux_base_value }}"
        configuration_kernel_cmdline_base: "{{ configuration_grub_kernel_cmdline_base_value }}"
      changed_when: false

    - name: Check if grub defaults file exists
      ansible.builtin.stat:
        path: /mnt/etc/default/grub
      register: configuration_grub_defaults_stat
      changed_when: false

    - name: Create default grub configuration
      when: not configuration_grub_defaults_stat.stat.exists
      ansible.builtin.copy:
        dest: /mnt/etc/default/grub
        mode: "0644"
        content: |
          GRUB_TIMEOUT=1
          GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
          GRUB_DEFAULT=saved
          GRUB_DISABLE_SUBMENU=true
          GRUB_TERMINAL_OUTPUT="console"
          GRUB_CMDLINE_LINUX="{{ configuration_grub_cmdline_linux_base }}"
          GRUB_DISABLE_RECOVERY="true"
          GRUB_ENABLE_BLSCFG=true

    - name: Ensure kernel cmdline directory exists
      ansible.builtin.file:
        path: /mnt/etc/kernel
        state: directory
        mode: "0755"

    - name: Write kernel cmdline defaults
      ansible.builtin.copy:
        dest: /mnt/etc/kernel/cmdline
        mode: "0644"
        content: "{{ configuration_kernel_cmdline_base }}\n"

    - name: Find BLS entries
      ansible.builtin.find:
        paths: /mnt/boot/loader/entries
        patterns: "*.conf"
      register: configuration_grub_bls_entries
      changed_when: false

    - name: Update BLS options with kernel cmdline defaults
      when: configuration_grub_bls_entries.files | length > 0
      ansible.builtin.lineinfile:
        path: "{{ item.path }}"
        regexp: '^options '
        line: "options {{ configuration_kernel_cmdline_base }}"
      loop: "{{ configuration_grub_bls_entries.files }}"
      loop_control:
        label: "{{ item.path }}"

- name: Enable GRUB cryptodisk for encrypted /boot
  when: partitioning_grub_enable_cryptodisk | default(false) | bool
  ansible.builtin.lineinfile:
    path: /mnt/etc/default/grub
    regexp: '^GRUB_ENABLE_CRYPTODISK='
    line: GRUB_ENABLE_CRYPTODISK=y