fix(configuration): tolerate missing units, gate Secure Boot to supported OSes, fix clevis install per family

2026-04-30 20:14:33 +02:00
parent db7dc53bd7
commit 382e82ff85
4 changed files with 28 additions and 3 deletions


@@ -155,5 +155,5 @@
ansible.builtin.include_tasks: encryption/dracut.yml ansible.builtin.include_tasks: encryption/dracut.yml
- name: Configure GRUB for LUKS - name: Configure GRUB for LUKS
when: _initramfs_generator | default('') != 'dracut' or os_family != 'RedHat' when: _initramfs_generator | default('') != 'dracut'
ansible.builtin.include_tasks: encryption/grub.yml ansible.builtin.include_tasks: encryption/grub.yml
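Review bot: Dropping `or os_family != 'RedHat'` from the `when` on "Configure GRUB for LUKS" means any host whose initramfs generator is dracut now skips encryption/grub.yml, whether it is RedHat, Debian or SUSE, and nothing in the hunk records why non-RedHat dracut hosts no longer need the GRUB LUKS settings. If grub.yml is what turns on GRUB's cryptodisk support or passes the crypt device parameters for an encrypted /boot, a dracut-based Debian/SUSE install could end up without them — presumably encryption/dracut.yml now covers that on every family, but the task does not say so. Add a comment above the task stating the intent, e.g. `# grub.yml is only needed for initramfs-tools/mkinitcpio; dracut.yml applies the GRUB LUKS settings for dracut on every family`, or reinstate the family condition if that assumption does not hold. The enclosing task list continues outside the hunk.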


@@ -8,8 +8,18 @@
when: when:
- configuration_luks_auto_method == 'tpm2' - configuration_luks_auto_method == 'tpm2'
- _tpm2_method | default('') == 'clevis' - _tpm2_method | default('') == 'clevis'
ansible.builtin.command: >- vars:
{{ chroot_command }} apt install -y clevis clevis-luks clevis-tpm2 clevis-initramfs tpm2-tools _clevis_install_cmd:
Debian: >-
{{ chroot_command }} apt install -y
clevis clevis-luks clevis-tpm2 clevis-initramfs tpm2-tools
RedHat: >-
{{ chroot_command }} dnf install -y
clevis clevis-luks clevis-systemd tpm2-tools
Suse: >-
{{ chroot_command }} zypper install -y
clevis clevis-systemd tpm2.0-tools
ansible.builtin.command: "{{ _clevis_install_cmd[os_family] }}"
register: _clevis_install_result register: _clevis_install_result
changed_when: _clevis_install_result.rc == 0 changed_when: _clevis_install_result.rc == 0
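Review bot: The RedHat and Suse entries of `_clevis_install_cmd` have no early-boot integration package: Debian gets `clevis-initramfs`, but RedHat gets only `clevis-luks clevis-systemd` and Suse only `clevis clevis-systemd`, and clevis-systemd unlocks volumes after the initramfs has handed over, i.e. non-root volumes. On Fedora/RHEL-family and openSUSE the dracut hook that unlocks a TPM2-bound root during early boot is shipped as `clevis-dracut`, so unless encryption/dracut.yml installs it elsewhere those hosts will bind the LUKS slot but still stop at the passphrase prompt. Suggested lines: `RedHat: … clevis clevis-luks clevis-systemd clevis-dracut tpm2-tools` and `Suse: … clevis clevis-luks clevis-systemd clevis-dracut tpm2.0-tools` (verify the openSUSE package names before merging). Also `_clevis_install_cmd[os_family]` on any family not in the map fails with a raw undefined-key error rather than a readable message; adding `- os_family in ['Debian', 'RedHat', 'Suse']` to the `when`, or a preceding assert, makes the unsupported case explicit. The task's `name:` line is above the hunk.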


@@ -1,4 +1,15 @@
--- ---
- name: Validate Secure Boot is supported on this OS
ansible.builtin.assert:
that:
- os in ['archlinux', 'debian', 'ubuntu', 'ubuntu-lts',
'rhel', 'rocky', 'almalinux', 'fedora']
fail_msg: >-
Secure Boot is not supported on {{ os }} in this bootstrap. Supported:
Arch (sbctl) and Debian/Ubuntu/RHEL/Rocky/Alma/Fedora (shim). Disable
system.features.secure_boot.enabled or pick a supported OS.
quiet: true
- name: Configure shim-based Secure Boot - name: Configure shim-based Secure Boot
when: os != 'archlinux' when: os != 'archlinux'
ansible.builtin.include_tasks: secure_boot/shim.yml ansible.builtin.include_tasks: secure_boot/shim.yml
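Review bot: The new assert's `that` list hardcodes the supported OS names and `fail_msg` repeats them a second time, and if `os` is undefined the task dies on an undefined-variable error instead of the crafted message; use `- (os | default('')) in ['archlinux', 'debian', …]` so an unset `os` is reported the same way. The same names also drive `when: os != 'archlinux'` on the next task, so an OS added to one list but not the other would either be refused here or silently routed to shim.yml; keeping the shim-capable names in one variable (e.g. `_secure_boot_shim_os`) that both the assert and the `when` reference would remove that drift. The assert only checks the distribution, not that the target was booted via UEFI (`/sys/firmware/efi`), which shim-based Secure Boot also requires — presumably secure_boot/shim.yml checks that, otherwise a short assert here is cheap.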


@@ -22,6 +22,10 @@
loop: "{{ configuration_systemd_services }}" loop: "{{ configuration_systemd_services }}"
register: configuration_enable_service_result register: configuration_enable_service_result
changed_when: configuration_enable_service_result.rc == 0 changed_when: configuration_enable_service_result.rc == 0
failed_when: >-
configuration_enable_service_result.rc != 0
and 'No such file or directory' not in (configuration_enable_service_result.stderr | default(''))
and 'does not exist' not in (configuration_enable_service_result.stderr | default(''))
- name: Activate UFW firewall - name: Activate UFW firewall
when: when:
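Review bot: The new `failed_when` on the service-enable task matches `'No such file or directory'` anywhere in stderr, which is also what you get when `systemctl` itself or the chroot target behind `chroot_command` is missing, so a broken chroot would silently skip enabling every unit in `configuration_systemd_services` — including whatever firewall, audit or SSH units are in that list — with no signal beyond `changed: false`. The tolerated cases should at least be reported: narrow the match to the unit-missing wording systemctl actually prints (`Unit file X does not exist.` / `Failed to enable unit: Unit X does not exist.`) rather than the generic errno text, and add a follow-up task that warns for each loop result with `rc != 0`, so a unit that was never enabled is visible in the play output. The task's `name:` and `ansible.builtin.command` lines are above the hunk, and the UFW task's `when` conditions continue below it.
```yaml
# … unchanged: Enable systemd services task (loop / register / changed_when / failed_when) …
- name: Report systemd units that could not be enabled in the chroot
  ansible.builtin.debug:
    msg: >-
      WARNING: could not enable {{ item.item }}:
      {{ (item.stderr | default('')) | trim }}
  loop: "{{ configuration_enable_service_result.results | default([]) }}"
  loop_control:
    label: "{{ item.item }}"
  when: (item.rc | default(0)) != 0
```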