fix(configuration): add explicit LUKS auto-decrypt fallback state tracking and logging

2026-02-20 22:26:47 +01:00
parent 17400fa6ff
commit 42be0a5919
2 changed files with 15 additions and 0 deletions
--- a/roles/configuration/tasks/encryption.yml
+++ b/roles/configuration/tasks/encryption.yml
@@ -59,6 +59,14 @@
      when: configuration_luks_auto_method == 'keyfile'
      ansible.builtin.include_tasks: encryption/keyfile.yml

+    - name: Record final LUKS auto-decrypt method
+      ansible.builtin.set_fact:
+        configuration_luks_final_method: "{{ configuration_luks_auto_method }}"
+
+    - name: Report LUKS auto-decrypt configuration
+      ansible.builtin.debug:
+        msg: "LUKS auto-decrypt method: {{ configuration_luks_final_method }}"
+
    - name: Build LUKS parameters
      vars:
        luks_keyfile_in_use: "{{ configuration_luks_auto_method == 'keyfile' }}"
--- a/roles/configuration/tasks/encryption/keyfile.yml
+++ b/roles/configuration/tasks/encryption/keyfile.yml
@@ -104,6 +104,13 @@
      failed_when: false
      no_log: true

+    - name: Warn about keyfile enrollment failure
+      when: (configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0
+      ansible.builtin.debug:
+        msg: >-
+          LUKS keyfile enrollment failed — falling back to manual unlock at boot.
+          The system will prompt for the LUKS passphrase during startup.
+
    - name: Fallback to manual LUKS unlock if keyfile enrollment failed
      when: (configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0
      ansible.builtin.set_fact: