diff --git a/roles/configuration/tasks/encryption.yml b/roles/configuration/tasks/encryption.yml
index 1c0c937..28511e5 100644
--- a/roles/configuration/tasks/encryption.yml
+++ b/roles/configuration/tasks/encryption.yml
@@ -7,17 +7,12 @@ block: - name: Set LUKS configuration facts vars: - configuration_luks_mapper_name_value: >- - {{ partitioning_luks_mapper_name }} - configuration_luks_device_value: "{{ partitioning_luks_device }}" - configuration_luks_tpm2_pcrs_raw: >- - {{ partitioning_luks_tpm2_pcrs }} - configuration_luks_tpm2_pcrs_normalized: >- + luks_tpm2_pcrs: >- {{ ( - configuration_luks_tpm2_pcrs_raw - if configuration_luks_tpm2_pcrs_raw is string - else (configuration_luks_tpm2_pcrs_raw | map('string') | join('+')) + partitioning_luks_tpm2_pcrs + if partitioning_luks_tpm2_pcrs is string + else (partitioning_luks_tpm2_pcrs | map('string') | join('+')) ) | string | replace(',', '+')
@@ -25,11 +20,10 @@ | regex_replace('^\\+|\\+$', '') }} ansible.builtin.set_fact: - configuration_luks_mapper_name: "{{ configuration_luks_mapper_name_value }}" + configuration_luks_mapper_name: "{{ partitioning_luks_mapper_name }}" configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}" - configuration_luks_device: "{{ configuration_luks_device_value }}" - configuration_luks_options: >- - {{ partitioning_luks_options }} + configuration_luks_device: "{{ partitioning_luks_device }}" + configuration_luks_options: "{{ partitioning_luks_options }}" configuration_luks_auto_method: >- {{ (partitioning_luks_auto_decrypt | bool)
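Review bot: The normalization of `luks_tpm2_pcrs` converts commas to `+` and, in the following hunk, strips a leading or trailing `+`, but it never removes whitespace, so a string input such as `'7, 11'` renders as `7+ 11`, and that value is what tpm2.yml later appends to `--tpm2-pcrs=`. Because the commit collapses the former raw and normalized variables into this single expression, this is now the only place to fix it; adding `| regex_replace('\\s', '')` after `| replace(',', '+')` would make string and list inputs produce the same shape. The `set_fact:` that publishes this value is in the next hunk.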
@@ -38,12 +32,9 @@ 'manual' ) }} - configuration_luks_tpm2_device: >- - {{ partitioning_luks_tpm2_device }} - configuration_luks_tpm2_pcrs: "{{ configuration_luks_tpm2_pcrs_raw }}" - configuration_luks_tpm2_pcrs_normalized: "{{ configuration_luks_tpm2_pcrs_normalized }}" - configuration_luks_keyfile_path: >- - /etc/cryptsetup-keys.d/{{ configuration_luks_mapper_name_value }}.key + configuration_luks_tpm2_device: "{{ partitioning_luks_tpm2_device }}" + configuration_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}" + configuration_luks_keyfile_path: "/etc/cryptsetup-keys.d/{{ partitioning_luks_mapper_name }}.key" changed_when: false - name: Validate LUKS UUID is available 
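Review bot: `configuration_luks_tpm2_pcrs` changes meaning in this hunk: before the commit it carried the raw `partitioning_luks_tpm2_pcrs` value and `configuration_luks_tpm2_pcrs_normalized` carried the `+`-joined string, whereas now the raw fact is gone and the joined string is published under the old raw name. The two consumers in tpm2.yml are updated in this commit, but any other task or template that read the raw fact (for instance expecting a list) would now silently receive a string, so it is worth grepping for both old names before merging and documenting the new contract with a comment on the fact such as `# PCR selection as a '+'-joined string (e.g. 7+11), already normalized`. Separately, `configuration_luks_keyfile_path` interpolates the mapper name straight into a path under /etc/cryptsetup-keys.d/ with no validation visible in this file; unless `partitioning_luks_mapper_name` is checked elsewhere, an `ansible.builtin.assert` that it matches `^[A-Za-z0-9_-]+$` would guarantee the keyfile cannot be placed outside that directory.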
@@ -70,54 +61,52 @@ - name: Build LUKS parameters vars: - configuration_luks_keyfile_in_use_value: "{{ configuration_luks_auto_method == 'keyfile' }}" - configuration_luks_option_list_value: >- + luks_keyfile_in_use: "{{ configuration_luks_auto_method == 'keyfile' }}" + luks_option_list: >- {{ (configuration_luks_options | trim).split(',') if configuration_luks_options | trim | length > 0 else [] }} - configuration_luks_tpm2_option_list_value: >- + luks_tpm2_option_list: >- {{ (configuration_luks_auto_method == 'tpm2') | ternary( ['tpm2-device=' + configuration_luks_tpm2_device] - + (['tpm2-pcrs=' + configuration_luks_tpm2_pcrs_normalized] - if configuration_luks_tpm2_pcrs_normalized | length > 0 else []), + + (['tpm2-pcrs=' + configuration_luks_tpm2_pcrs] + if configuration_luks_tpm2_pcrs | length > 0 else []), [] ) }} - configuration_luks_crypttab_keyfile_value: >- - {{ configuration_luks_keyfile_path if configuration_luks_keyfile_in_use_value else 'none' }} - configuration_luks_crypttab_options_value: >- + luks_crypttab_keyfile: "{{ configuration_luks_keyfile_path if luks_keyfile_in_use else 'none' }}" + luks_crypttab_options: >- {{ - (['luks'] + configuration_luks_option_list_value + configuration_luks_tpm2_option_list_value) + (['luks'] + luks_option_list + luks_tpm2_option_list) | join(',') }} - configuration_luks_rd_options_value: >- - {{ (configuration_luks_option_list_value + configuration_luks_tpm2_option_list_value) | join(',') }} - configuration_luks_kernel_args_value: >- + luks_rd_options: "{{ (luks_option_list + luks_tpm2_option_list) | join(',') }}" + luks_kernel_args: >- {{ ( ['rd.luks.name=' + configuration_luks_uuid + '=' + configuration_luks_mapper_name] + ( - ['rd.luks.options=' + configuration_luks_uuid + '=' + configuration_luks_rd_options_value] - if configuration_luks_rd_options_value | length > 0 else [] + ['rd.luks.options=' + configuration_luks_uuid + '=' + luks_rd_options] + if luks_rd_options | length > 0 else [] ) + ( ['rd.luks.key=' + 
configuration_luks_uuid + '=' + configuration_luks_keyfile_path] - if configuration_luks_keyfile_in_use_value else [] + if luks_keyfile_in_use else [] ) ) | join(' ') }} ansible.builtin.set_fact: - configuration_luks_keyfile_in_use: "{{ configuration_luks_keyfile_in_use_value }}" - configuration_luks_option_list: "{{ configuration_luks_option_list_value }}" - configuration_luks_tpm2_option_list: "{{ configuration_luks_tpm2_option_list_value }}" - configuration_luks_crypttab_keyfile: "{{ configuration_luks_crypttab_keyfile_value }}" - configuration_luks_crypttab_options: "{{ configuration_luks_crypttab_options_value }}" - configuration_luks_rd_options: "{{ configuration_luks_rd_options_value }}" - configuration_luks_kernel_args: "{{ configuration_luks_kernel_args_value }}" + configuration_luks_keyfile_in_use: "{{ luks_keyfile_in_use }}" + configuration_luks_option_list: "{{ luks_option_list }}" + configuration_luks_tpm2_option_list: "{{ luks_tpm2_option_list }}" + configuration_luks_crypttab_keyfile: "{{ luks_crypttab_keyfile }}" + configuration_luks_crypttab_options: "{{ luks_crypttab_options }}" + configuration_luks_rd_options: "{{ luks_rd_options }}" + configuration_luks_kernel_args: "{{ luks_kernel_args }}" - name: Remove LUKS keyfile if TPM2 auto-decrypt is active when: configuration_luks_auto_method == 'tpm2'
@@ -164,7 +153,7 @@ - name: Build mkinitcpio FILES list when: os | lower == 'archlinux' vars: - configuration_mkinitcpio_files_list_value: >- + mkinitcpio_files_list: >- {{ ( configuration_mkinitcpio_slurp.content | b64decode
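Review bot: The renamed task vars (`luks_keyfile_in_use`, `luks_option_list`, `luks_tpm2_option_list`, `luks_crypttab_keyfile`, `luks_crypttab_options`, `luks_rd_options`, `luks_kernel_args`) drop the `configuration_` prefix that every fact published by the same `set_fact:` keeps, and the same pattern repeats in the hunks at @@ -164, @@ -174, @@ -227 and @@ -286 (`mkinitcpio_*`, `kernel_cmdline_*`, `grub_*`). The old names were verbose, but the prefix made it obvious which names are role-internal and prevented a task var from shadowing an inventory or play variable of the same short name while the task runs; if the repository runs ansible-lint, the `var-naming[no-role-prefix]` rule may also flag the new names. A short comment above `vars:`, e.g. `# task-scoped helpers; only the configuration_* facts set below are visible to other tasks`, would at least make the intent explicit. The `Remove LUKS keyfile` task at the end of this hunk continues outside it.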
@@ -174,13 +163,13 @@ | default('') ).split() }} - configuration_mkinitcpio_files_list_new_value: >- + mkinitcpio_files_list_new: >- {{ ( - (configuration_mkinitcpio_files_list_value + [configuration_luks_keyfile_path]) + (mkinitcpio_files_list + [configuration_luks_keyfile_path]) if configuration_luks_keyfile_in_use else ( - configuration_mkinitcpio_files_list_value + mkinitcpio_files_list | reject('equalto', configuration_luks_keyfile_path) | list )
@@ -188,7 +177,7 @@ | unique }} ansible.builtin.set_fact: - configuration_mkinitcpio_files_list_new: "{{ configuration_mkinitcpio_files_list_new_value }}" + configuration_mkinitcpio_files_list_new: "{{ mkinitcpio_files_list_new }}" - name: Configure mkinitcpio FILES list when: os | lower == 'archlinux'
@@ -227,27 +216,27 @@ - name: Build kernel cmdline with LUKS args when: is_rhel | bool vars: - configuration_kernel_cmdline_current_value: >- + kernel_cmdline_current: >- {{ configuration_kernel_cmdline_slurp.content | b64decode | trim }} - configuration_kernel_cmdline_list_value: >- + kernel_cmdline_list: >- {{ - configuration_kernel_cmdline_current_value.split() - if configuration_kernel_cmdline_current_value | length > 0 else [] + kernel_cmdline_current.split() + if kernel_cmdline_current | length > 0 else [] }} - configuration_kernel_cmdline_filtered_value: >- + kernel_cmdline_filtered: >- {{ - configuration_kernel_cmdline_list_value + kernel_cmdline_list | reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=') | list }} - configuration_kernel_cmdline_new_value: >- + kernel_cmdline_new: >- {{ - (configuration_kernel_cmdline_filtered_value + configuration_luks_kernel_args.split()) + (kernel_cmdline_filtered + configuration_luks_kernel_args.split()) | unique | join(' ') }} ansible.builtin.set_fact: - configuration_kernel_cmdline_new: "{{ configuration_kernel_cmdline_new_value }}" + configuration_kernel_cmdline_new: "{{ kernel_cmdline_new }}" changed_when: false - name: Write kernel cmdline with LUKS args 
@@ -286,66 +275,66 @@ - name: Build grub command lines with LUKS args when: not is_rhel | bool vars: - configuration_grub_content_value: "{{ configuration_grub_slurp.content | b64decode }}" - configuration_grub_cmdline_linux_value: >- + grub_content: "{{ configuration_grub_slurp.content | b64decode }}" + grub_cmdline_linux: >- {{ - configuration_grub_content_value + grub_content | regex_findall('^GRUB_CMDLINE_LINUX=\"(.*)\"', multiline=True) | default([]) | first | default('') }} - configuration_grub_cmdline_default_value: >- + grub_cmdline_default: >- {{ - configuration_grub_content_value + grub_content | regex_findall('^GRUB_CMDLINE_LINUX_DEFAULT=\"(.*)\"', multiline=True) | default([]) | first | default('') }} - configuration_grub_cmdline_linux_list_value: >- + grub_cmdline_linux_list: >- {{ - configuration_grub_cmdline_linux_value.split() - if configuration_grub_cmdline_linux_value | length > 0 else [] + grub_cmdline_linux.split() + if grub_cmdline_linux | length > 0 else [] }} - configuration_grub_cmdline_default_list_value: >- + grub_cmdline_default_list: >- {{ - configuration_grub_cmdline_default_value.split() - if configuration_grub_cmdline_default_value | length > 0 else [] + grub_cmdline_default.split() + if grub_cmdline_default | length > 0 else [] }} - configuration_luks_kernel_args_list_value: "{{ configuration_luks_kernel_args.split() }}" - configuration_grub_cmdline_linux_new_value: >- + luks_kernel_args_list: "{{ configuration_luks_kernel_args.split() }}" + grub_cmdline_linux_new: >- {{ ( ( - configuration_grub_cmdline_linux_list_value + grub_cmdline_linux_list | reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=') | list ) - + configuration_luks_kernel_args_list_value + + luks_kernel_args_list ) | unique | join(' ') }} - configuration_grub_cmdline_default_new_value: >- + grub_cmdline_default_new: >- {{ ( ( - configuration_grub_cmdline_default_list_value + grub_cmdline_default_list | reject('match', 
'^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=') | list ) - + configuration_luks_kernel_args_list_value + + luks_kernel_args_list ) | unique | join(' ') }} ansible.builtin.set_fact: - configuration_grub_content: "{{ configuration_grub_content_value }}" - configuration_grub_cmdline_linux: "{{ configuration_grub_cmdline_linux_value }}" - configuration_grub_cmdline_default: "{{ configuration_grub_cmdline_default_value }}" - configuration_grub_cmdline_linux_new: "{{ configuration_grub_cmdline_linux_new_value }}" - configuration_grub_cmdline_default_new: "{{ configuration_grub_cmdline_default_new_value }}" + configuration_grub_content: "{{ grub_content }}" + configuration_grub_cmdline_linux: "{{ grub_cmdline_linux }}" + configuration_grub_cmdline_default: "{{ grub_cmdline_default }}" + configuration_grub_cmdline_linux_new: "{{ grub_cmdline_linux_new }}" + configuration_grub_cmdline_default_new: "{{ grub_cmdline_default_new }}" - name: Update GRUB_CMDLINE_LINUX_DEFAULT for LUKS when: not is_rhel | bool
diff --git a/roles/configuration/tasks/encryption/tpm2.yml b/roles/configuration/tasks/encryption/tpm2.yml
index 95c14a9..5ede070 100644
--- a/roles/configuration/tasks/encryption/tpm2.yml
+++ b/roles/configuration/tasks/encryption/tpm2.yml
@@ -31,8 +31,8 @@ | regex_replace('^/mnt', '') ) ] - + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs_normalized] - if configuration_luks_tpm2_pcrs_normalized | length > 0 else []) + + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs] + if configuration_luks_tpm2_pcrs | length > 0 else []) + [configuration_luks_device] }} configuration_luks_enroll_chroot_cmd: >-
@@ -55,8 +55,8 @@ '--wipe-slot=tpm2', '--unlock-key-file=' + configuration_luks_tpm2_passphrase_tempfile.path ] - + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs_normalized] - if configuration_luks_tpm2_pcrs_normalized | length > 0 else []) + + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs] + if configuration_luks_tpm2_pcrs | length > 0 else []) + [configuration_luks_device] }} ansible.builtin.command: