fix(configuration): tolerate missing units, gate Secure Boot to supported OSes, fix clevis install per family

2026-04-30 20:14:33 +02:00
parent db7dc53bd7
commit 382e82ff85
4 changed files with 28 additions and 3 deletions
--- a/roles/configuration/tasks/encryption.yml
+++ b/roles/configuration/tasks/encryption.yml
@@ -155,5 +155,5 @@
      ansible.builtin.include_tasks: encryption/dracut.yml

    - name: Configure GRUB for LUKS
-      when: _initramfs_generator | default('') != 'dracut' or os_family != 'RedHat'
+      when: _initramfs_generator | default('') != 'dracut'
      ansible.builtin.include_tasks: encryption/grub.yml
--- a/roles/configuration/tasks/encryption/initramfs.yml
+++ b/roles/configuration/tasks/encryption/initramfs.yml
@@ -8,8 +8,18 @@
  when:
    - configuration_luks_auto_method == 'tpm2'
    - _tpm2_method | default('') == 'clevis'
-  ansible.builtin.command: >-
-    {{ chroot_command }} apt install -y clevis clevis-luks clevis-tpm2 clevis-initramfs tpm2-tools
+  vars:
+    _clevis_install_cmd:
+      Debian: >-
+        {{ chroot_command }} apt install -y
+        clevis clevis-luks clevis-tpm2 clevis-initramfs tpm2-tools
+      RedHat: >-
+        {{ chroot_command }} dnf install -y
+        clevis clevis-luks clevis-systemd tpm2-tools
+      Suse: >-
+        {{ chroot_command }} zypper install -y
+        clevis clevis-systemd tpm2.0-tools
+  ansible.builtin.command: "{{ _clevis_install_cmd[os_family] }}"
  register: _clevis_install_result
  changed_when: _clevis_install_result.rc == 0

--- a/roles/configuration/tasks/secure_boot.yml
+++ b/roles/configuration/tasks/secure_boot.yml
@@ -1,4 +1,15 @@
 ---
+- name: Validate Secure Boot is supported on this OS
+  ansible.builtin.assert:
+    that:
+      - os in ['archlinux', 'debian', 'ubuntu', 'ubuntu-lts',
+              'rhel', 'rocky', 'almalinux', 'fedora']
+    fail_msg: >-
+      Secure Boot is not supported on {{ os }} in this bootstrap. Supported:
+      Arch (sbctl) and Debian/Ubuntu/RHEL/Rocky/Alma/Fedora (shim). Disable
+      system.features.secure_boot.enabled or pick a supported OS.
+    quiet: true
+
 - name: Configure shim-based Secure Boot
  when: os != 'archlinux'
  ansible.builtin.include_tasks: secure_boot/shim.yml
--- a/roles/configuration/tasks/services.yml
+++ b/roles/configuration/tasks/services.yml
@@ -22,6 +22,10 @@
  loop: "{{ configuration_systemd_services }}"
  register: configuration_enable_service_result
  changed_when: configuration_enable_service_result.rc == 0
+  failed_when: >-
+    configuration_enable_service_result.rc != 0
+    and 'No such file or directory' not in (configuration_enable_service_result.stderr | default(''))
+    and 'does not exist' not in (configuration_enable_service_result.stderr | default(''))

 - name: Activate UFW firewall
  when: