From 382e82ff853ea93e79b21e80f9f80c5ecc0250d3 Mon Sep 17 00:00:00 2001
From: Sandwich
Date: Thu, 30 Apr 2026 20:14:33 +0200
Subject: [PATCH] fix(configuration): tolerate missing units, gate Secure Boot to supported OSes, fix clevis install per family

---
 roles/configuration/tasks/encryption.yml | 2 +-
 roles/configuration/tasks/encryption/initramfs.yml | 14 ++++++++++++--
 roles/configuration/tasks/secure_boot.yml | 11 +++++++++++
 roles/configuration/tasks/services.yml | 4 ++++
 4 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/roles/configuration/tasks/encryption.yml b/roles/configuration/tasks/encryption.yml
index 1bb4fc9..366a8d6 100644
--- a/roles/configuration/tasks/encryption.yml
+++ b/roles/configuration/tasks/encryption.yml
@@ -155,5 +155,5 @@
 ansible.builtin.include_tasks: encryption/dracut.yml
 
 - name: Configure GRUB for LUKS
- when: _initramfs_generator | default('') != 'dracut' or os_family != 'RedHat'
+ when: _initramfs_generator | default('') != 'dracut'
 ansible.builtin.include_tasks: encryption/grub.yml
diff --git a/roles/configuration/tasks/encryption/initramfs.yml b/roles/configuration/tasks/encryption/initramfs.yml
index 80ba6ef..4b49d1e 100644
--- a/roles/configuration/tasks/encryption/initramfs.yml
+++ b/roles/configuration/tasks/encryption/initramfs.yml
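Review bot: The new condition skips encryption/grub.yml on every dracut-based host, not only the RHEL family the old `or os_family != 'RedHat'` clause carved out, and the Suse branch this same patch adds to initramfs.yml is most likely a dracut host that used to get GRUB configured. Unless encryption/dracut.yml also writes GRUB's LUKS settings for those families, an encrypted root could end up with an initramfs able to unlock it but a bootloader that was never told about it, which only shows up at first boot. If the narrowing is deliberate, say so above the task: `# dracut families get their GRUB/LUKS handling in encryption/dracut.yml; only non-dracut hosts need this step`. The task that includes encryption/dracut.yml starts above this hunk, so its own condition is not visible here.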
@@ -8,8 +8,18 @@
 when:
 - configuration_luks_auto_method == 'tpm2'
 - _tpm2_method | default('') == 'clevis'
- ansible.builtin.command: >-
- {{ chroot_command }} apt install -y clevis clevis-luks clevis-tpm2 clevis-initramfs tpm2-tools
+ vars:
+ _clevis_install_cmd:
+ Debian: >-
+ {{ chroot_command }} apt install -y
+ clevis clevis-luks clevis-tpm2 clevis-initramfs tpm2-tools
+ RedHat: >-
+ {{ chroot_command }} dnf install -y
+ clevis clevis-luks clevis-systemd tpm2-tools
+ Suse: >-
+ {{ chroot_command }} zypper install -y
+ clevis clevis-systemd tpm2.0-tools
+ ansible.builtin.command: "{{ _clevis_install_cmd[os_family] }}"
 register: _clevis_install_result
 changed_when: _clevis_install_result.rc == 0
 
diff --git a/roles/configuration/tasks/secure_boot.yml b/roles/configuration/tasks/secure_boot.yml
index 14fbb04..62be223 100644
--- a/roles/configuration/tasks/secure_boot.yml
+++ b/roles/configuration/tasks/secure_boot.yml
@@ -1,4 +1,15 @@
 ---
+- name: Validate Secure Boot is supported on this OS
+ ansible.builtin.assert:
+ that:
+ - os in ['archlinux', 'debian', 'ubuntu', 'ubuntu-lts',
+ 'rhel', 'rocky', 'almalinux', 'fedora']
+ fail_msg: >-
+ Secure Boot is not supported on {{ os }} in this bootstrap. Supported:
+ Arch (sbctl) and Debian/Ubuntu/RHEL/Rocky/Alma/Fedora (shim). Disable
+ system.features.secure_boot.enabled or pick a supported OS.
+ quiet: true
+
 - name: Configure shim-based Secure Boot
 when: os != 'archlinux'
 ansible.builtin.include_tasks: secure_boot/shim.yml
diff --git a/roles/configuration/tasks/services.yml b/roles/configuration/tasks/services.yml
index 673612f..d5c61ca 100644
--- a/roles/configuration/tasks/services.yml
+++ b/roles/configuration/tasks/services.yml
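Review bot: The RedHat and Suse package lists have no counterpart to Debian's `clevis-initramfs`: on dracut-based systems the early-boot unlock hook ships separately as `clevis-dracut` (a real package on Fedora/RHEL; openSUSE appears to use the same name), so unless encryption/dracut.yml pulls it in, the TPM2 binding will be created but the initramfs will still stop at the passphrase prompt, e.g. `RedHat: ... clevis clevis-luks clevis-systemd clevis-dracut tpm2-tools`. Separately, `_clevis_install_cmd[os_family]` fails with an opaque missing-attribute error for any family outside the three keys; adding `- os_family in ['Debian', 'RedHat', 'Suse']` to the task's `when:` list makes it skip cleanly, and an assert with a readable message, as this patch does in secure_boot.yml, is the better fit if TPM2 auto-unlock is expected to work everywhere it is requested. The task's name line and the start of its `when:` list are above this hunk.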
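Review bot: The supported-OS list is spelled out twice in the new task, once in `that:` and again as prose in `fail_msg`, so the next family added to one will drift from the other; hoisting it into a variable, `_secure_boot_supported_os: ['archlinux', 'debian', 'ubuntu', 'ubuntu-lts', 'rhel', 'rocky', 'almalinux', 'fedora']`, and writing `- os in _secure_boot_supported_os` plus `Supported: {{ _secure_boot_supported_os | join(', ') }}` in the message keeps them in sync. Failing the run here instead of silently skipping is the right call for a boot-integrity feature, since a host the operator believes has Secure Boot enabled would otherwise end up without it. The two-line `- os in [...]` entry relies on YAML folding a plain scalar continuation; a `>-` block scalar would make that explicit.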
@@ -22,6 +22,10 @@
 loop: "{{ configuration_systemd_services }}"
 register: configuration_enable_service_result
 changed_when: configuration_enable_service_result.rc == 0
+ failed_when: >-
+ configuration_enable_service_result.rc != 0
+ and 'No such file or directory' not in (configuration_enable_service_result.stderr | default(''))
+ and 'does not exist' not in (configuration_enable_service_result.stderr | default(''))
 
 - name: Activate UFW firewall
 when:
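Review bot: The new `failed_when` identifies a missing unit by substring-matching stderr, and `No such file or directory` is also what chroot prints when the binary it is asked to run does not exist, so a broken chroot or a missing systemctl would let every iteration of the loop pass as a tolerated no-op (the command line is above this hunk; I am inferring from the other tasks in this patch that it runs through `{{ chroot_command }}`). Both strings are also locale-dependent, so a non-English LANG in the target turns every genuinely missing unit back into a hard failure. Because these are the hardening services, a unit that quietly never got enabled is worth surfacing; a follow-up task that reports each tolerated failure from the registered results costs little:
```yaml
- name: Report systemd units that could not be enabled
  ansible.builtin.debug:
    msg: "{{ item.item }}: not enabled ({{ item.stderr | default('') | trim }})"
  loop: "{{ configuration_enable_service_result.results }}"
  when: item.rc | default(0) != 0
```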