Inconsistent use of role vars/role defaults

[nodiscc]

Describe the bug

Use of role vars and role defaults is inconsistent/unclear to me in ansible-os-hardening.

Expected behavior

I believe most variables set by this role should be overrideable using host_vars or group_vars if the need arises to deviate from a strictly hardened config.

Variable precedence tells us role vars can only be overriden by the user from a very limited set of vars sources (realistically, only extra vars passed through command line). Values that are expected to be changed from the playbook shoulg rather go in defaults/.

Actual behavior

For example in this PR, hidepid_option value can not be overriden by host/group vars.

OS / Environment

Any.

Ansible Version

Any.

Role Version

Any.

Additional context

If my reasoning is correct, the only correct use of role vars is through includes on specific conditions (for example ansible_local.os_release or similar), when the value is not expected to be changeable by the user.

Can you clarify what dictates whether a variable should go in vars/ or defaults/ in this role?

[rndmh3ro]

Hey @nodiscc,

thanks for this issue!

Can you clarify what dictates whether a variable should go in vars/ or defaults/ in this role?

We try to follow the Ansible standard here:

Basically, anything that goes into “role defaults” (the defaults folder inside the role) is the most malleable and easily overridden. Anything in the vars directory of the role overrides previous versions of that variable in namespace.

In defaults should go things that should be easily overwritable. Variables in vars shouldn't.

For example in this PR, hidepid_option value can not be overriden by host/group vars.

This is therefore a bug. Thank you for noticing - I'll fix this.

[nodiscc]

Ok then, glad I could help. The remaining variables in vars/main.yml seem fine.

[rndmh3ro]

Thanks for your help!