refactor!: switch hosts variables to a flat layout

2024-01-21 00:00:00 +00:00 · 2024-01-21 00:00:00 +00:00 · 779f2766f2
commit 779f2766f2
parent f669dea62a
33 changed files with 270 additions and 322 deletions
--- a/inventory/group_vars/all/vars.yml
+++ b/inventory/group_vars/all/vars.yml
@ -1,9 +1,16 @@
-custom_base_user_account: '{{ vault_custom_base_user_account }}'
-custom_github_token: '{{ vault_custom_github_token }}'
-dns:
-  type: "dot"
-  udp: '{{ vault_groups.defaults.udp }}'
-  dot: '{{ vault_groups.defaults.dot }}'
-  doh: '{{ vault_groups.defaults.doh }}'
-network: "external"
-ip_dualstack: true
+---
+# global parameters
+custom_base_user_account: "{{ vault_custom_base_user_account }}"
+custom_github_token: "{{ vault_custom_github_token | default('') }}"
+
+# global (hosts' system parameters)
+## TODO: move to a CMDB
+global_dns_type: "dot"
+# empty values for dns{4,6} servers mean that servers will be retrieved dynamically from /etc/resolv.conf
+global_dns_udp_dns4: "{{ vault_global_dns_udp_dns4 }}"
+global_dns_udp_dns6: "{{ vault_global_dns_udp_dns6 }}"
+global_dns_dot_dns4: "{{ vault_global_dns_dot_dns4 }}"
+global_dns_dot_dns6: "{{ vault_global_dns_dot_dns6 }}"
+global_dns_doh_dns4: "{{ vault_global_dns_doh_dns4 }}"
+global_dns_doh_dns6: "{{ vault_global_dns_doh_dns6 }}"
+global_ip_dualstack: true
--- a/inventory/group_vars/internal/vars.yml
+++ b/inventory/group_vars/internal/vars.yml
@ -0,0 +1,8 @@
+# global
+global_dns_type: "udp"
+global_dns_udp_dns4: "" # force usage of DHCP provided values
+global_dns_udp_dns6: "" # force usage of DHCP provided values
+global_ip_dualstack: false
+
+# security role
+security_firewall_mangle_drop_privatenets: false
--- a/inventory/host_vars/actinium/vars.yml
+++ b/inventory/host_vars/actinium/vars.yml
@ -2,14 +2,5 @@ ansible_become_password: "{{ vault_root_pass }}"
 ansible_host: "{{ vault_ansible_host }}"
 ansible_user: "{{ vault_ssh_user }}"

-custom_security:
-  firewall:
-    mangle:
-      drop_privatenets: false
-      policy:
-        forward: accept
-dns:
-  type: "udp"
-  udp: "{{ vault_groups.network.internal }}"
-network: "internal"
-ip_dualstack: false
+security_firewall_mangle_drop_privatenets: false
+security_firewall_mangle_policy_forward: accept
--- a/inventory/host_vars/lithium/vars.yml
+++ b/inventory/host_vars/lithium/vars.yml
@ -1,5 +1,3 @@
 ansible_become_password: "{{ vault_root_pass }}"
 ansible_host: "{{ vault_ansible_host }}"
 ansible_user: "{{ vault_ssh_user }}"
-network: "external"
-ip_dualstack: true
--- a/inventory/host_vars/localhost/vars.yml
+++ b/inventory/host_vars/localhost/vars.yml
@ -1,23 +0,0 @@
-ansible_become_password: "{{ vault_root_pass }}"
-ansible_host: "{{ vault_ansible_host }}"
-ansible_connection: local
-
-custom_development:
-  rust:
-    enable: true
-
-custom_common:
-  sysctl:
-    'fs.inotify.max_user_watches': 1048576
-    'vm.swappiness': 1
-  packages:
-    - pcscd
-    - pinentry-curses
-    - radeontop
-  git:
-    enable: true
-    username: "{{ vault_common_gitconfig_username }}"
-    email: "{{ vault_common_gitconfig_email }}"
-    force_sign: true
-    signing_key: "{{ vault_common_gitconfig_signingkey }}"
-  install_fonts: true
--- a/inventory/host_vars/unobtainium/vars.yml
+++ b/inventory/host_vars/unobtainium/vars.yml
@ -2,41 +2,22 @@ ansible_become_password: "{{ vault_root_pass }}"
 ansible_host: "{{ vault_ansible_host }}"
 ansible_connection: local

-custom_development:
-  rust:
-    enable: true
+# common role
+common_apt_packages:
+  - pcscd
+  - pinentry-curses
+  - radeontop
+common_git_enabled: true
+common_git_username: "{{ vault_common_gitconfig_username }}"
+common_git_email: "{{ vault_common_gitconfig_email }}"
+common_git_force_sign: true
+common_git_signing_key: "{{ vault_common_gitconfig_signingkey }}"
+common_install_fonts: true
+common_sysctl_configuration:
+  'fs.inotify.max_user_watches': 1048576
+  'vm.swappiness': 1

-custom_common:
-  sysctl:
-    'fs.inotify.max_user_watches': 1048576
-    'vm.swappiness': 1
-  packages:
-    - pcscd
-    - pinentry-curses
-    - radeontop
-  git:
-    enable: true
-    username: "{{ vault_common_gitconfig_username }}"
-    email: "{{ vault_common_gitconfig_email }}"
-    force_sign: true
-    signing_key: "{{ vault_common_gitconfig_signingkey }}"
-  install_fonts: true
-
-custom_security:
-  firewall:
-    filter:
-      policy:
-        output: accept
-        forward: accept
-    mangle:
-      drop_privatenets: false
-      policy:
-        forward: accept
-
-dns:
-  type: "udp"
-  udp:
-    dns4: "{{ vault_groups.network.internal.dns4 }}"
-    dns6: "{{ vault_groups.network.internal.dns6 }}"
-network: "internal"
-ip_dualstack: false
+# security role
+security_firewall_filter_policy_output: accept
+security_firewall_filter_policy_forward: accept
+security_firewall_mangle_policy_forward: accept