feat(configuration): generic FDE with systemd-cryptenroll, clevis fallback, and configurable initramfs

2026-04-01 15:07:58 +02:00
parent dfca7ec94b
commit 3623fc292c
5 changed files with 268 additions and 94 deletions
--- a/roles/configuration/tasks/encryption.yml
+++ b/roles/configuration/tasks/encryption.yml
@@ -36,6 +36,12 @@
        configuration_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"
        configuration_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
        configuration_luks_keyfile_path: "/etc/cryptsetup-keys.d/{{ system_cfg.luks.mapper }}.key"
+        configuration_luks_tpm2_token_lib: >-
+          {{
+            '/usr/lib/x86_64-linux-gnu/cryptsetup/libcryptsetup-token-systemd-tpm2.so'
+            if os_family == 'Debian'
+            else '/usr/lib64/cryptsetup/libcryptsetup-token-systemd-tpm2.so'
+          }}

    - name: Validate LUKS UUID is available
      ansible.builtin.assert:
@@ -51,8 +57,13 @@
        fail_msg: system.luks.passphrase must be set for LUKS auto-decrypt.
      no_log: true

-    - name: Enroll TPM2 for LUKS
-      when: configuration_luks_auto_method == 'tpm2'
+    - name: Detect TPM2 unlock method
+      ansible.builtin.include_tasks: encryption/initramfs_detect.yml
+
+    - name: Enroll TPM2 via systemd-cryptenroll
+      when:
+        - configuration_luks_auto_method == 'tpm2'
+        - _tpm2_method | default('systemd-cryptenroll') == 'systemd-cryptenroll'
      ansible.builtin.include_tasks: encryption/tpm2.yml

    - name: Configure LUKS keyfile auto-decrypt
@@ -78,7 +89,7 @@
          }}
        luks_tpm2_option_list: >-
          {{
-            (configuration_luks_auto_method == 'tpm2')
+            (configuration_luks_auto_method == 'tpm2' and (_tpm2_method | default('systemd-cryptenroll')) == 'systemd-cryptenroll')
            | ternary(
                ['tpm2-device=' + configuration_luks_tpm2_device]
                + (['tpm2-pcrs=' + configuration_luks_tpm2_pcrs]
@@ -122,16 +133,16 @@
        path: /mnt{{ configuration_luks_keyfile_path }}
        state: absent

+    - name: Configure initramfs for LUKS
+      ansible.builtin.include_tasks: encryption/initramfs.yml
+
    - name: Configure crypttab
      ansible.builtin.include_tasks: encryption/crypttab.yml

-    - name: Configure initramfs
-      ansible.builtin.include_tasks: encryption/initramfs.yml
-
-    - name: Configure dracut
-      when: os_family == 'RedHat'
+    - name: Configure dracut for LUKS
+      when: _initramfs_generator | default('') == 'dracut'
      ansible.builtin.include_tasks: encryption/dracut.yml

    - name: Configure GRUB for LUKS
-      when: not os_family == 'RedHat'
+      when: _initramfs_generator | default('') != 'dracut' or os_family != 'RedHat'
      ansible.builtin.include_tasks: encryption/grub.yml