From 42be0a591974480f9ca1c90e33c547dc1bc4b899 Mon Sep 17 00:00:00 2001
From: Sandwich
Date: Fri, 20 Feb 2026 22:26:47 +0100
Subject: [PATCH] fix(configuration): add explicit LUKS auto-decrypt fallback state tracking and logging
---
 roles/configuration/tasks/encryption.yml | 8 ++++++++
 roles/configuration/tasks/encryption/keyfile.yml | 7 +++++++
 2 files changed, 15 insertions(+)
diff --git a/roles/configuration/tasks/encryption.yml b/roles/configuration/tasks/encryption.yml
index d159c0e..35f8fb0 100644
--- a/roles/configuration/tasks/encryption.yml
+++ b/roles/configuration/tasks/encryption.yml
@@ -59,6 +59,14 @@
 when: configuration_luks_auto_method == 'keyfile'
 ansible.builtin.include_tasks: encryption/keyfile.yml
+ - name: Record final LUKS auto-decrypt method
+ ansible.builtin.set_fact:
+ configuration_luks_final_method: "{{ configuration_luks_auto_method }}"
+
+ - name: Report LUKS auto-decrypt configuration
+ ansible.builtin.debug:
+ msg: "LUKS auto-decrypt method: {{ configuration_luks_final_method }}"
+
 - name: Build LUKS parameters
 vars:
 luks_keyfile_in_use: "{{ configuration_luks_auto_method == 'keyfile' }}"
diff --git a/roles/configuration/tasks/encryption/keyfile.yml b/roles/configuration/tasks/encryption/keyfile.yml
index 11719b6..0117c52 100644
--- a/roles/configuration/tasks/encryption/keyfile.yml
+++ b/roles/configuration/tasks/encryption/keyfile.yml
@@ -104,6 +104,13 @@
 failed_when: false
 no_log: true
+ - name: Warn about keyfile enrollment failure
+ when: (configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0
+ ansible.builtin.debug:
+ msg: >-
+ LUKS keyfile enrollment failed — falling back to manual unlock at boot.
+ The system will prompt for the LUKS passphrase during startup.
+
 - name: Fallback to manual LUKS unlock if keyfile enrollment failed
 when: (configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0
 ansible.builtin.set_fact:
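Review bot: `configuration_luks_final_method` in the encryption.yml hunk is a plain copy of `configuration_luks_auto_method` taken right after the keyfile include, so the report is only accurate if the fallback in keyfile.yml really changes that variable. The fallback's `set_fact` body is outside this patch; if it assigns `configuration_luks_auto_method` and the play was started with that variable as an extra var (`-e`), extra vars outrank `set_fact` and the message would still read `keyfile` after a failed enrollment. Letting the fallback task set the recorded fact itself and reading it here as `"{{ configuration_luks_final_method | default(configuration_luks_auto_method) }}"` would tie the log to what was actually enrolled. The following `Build LUKS parameters` task still reads `configuration_luks_auto_method`, so as written the new fact is used for logging only.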
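Review bot: Nothing visible in the keyfile.yml hunk removes the generated keyfile, or the key slot it may have been added to, when the unlock test fails. If the fallback does not clean up either, key material could stay on disk on a host that the new message reports as manual-unlock only; the fallback task's body continues outside the hunk, so this needs confirming there. The warning and the fallback also repeat the same `when: (configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0`; putting both tasks, plus any cleanup, under one `block:` with a single `when` keeps the conditions from drifting apart. Because the test task runs with `failed_when: false` and `no_log: true`, this debug message is the only operator-visible signal, and a short comment above it saying so would help later readers.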