fix: encryption, partitioning, cis and virtualization hardening
@@ -16,9 +16,9 @@
RedHat: >-
{{ chroot_command }} dnf install -y
clevis clevis-luks clevis-systemd tpm2-tools
Suse: >-
{{ chroot_command }} zypper install -y
clevis clevis-systemd tpm2.0-tools
Archlinux: >-
{{ chroot_command }} pacman -S --noconfirm --needed
clevis tpm2-tools
ansible.builtin.command: "{{ _clevis_install_cmd[os_family] }}"
register: _clevis_install_result
changed_when: _clevis_install_result.rc == 0
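Review bot: `changed_when: _clevis_install_result.rc == 0` marks the task changed on every successful run, including re-runs where dnf, zypper or pacman `--needed` find nothing to install and still exit 0, so the play never looks idempotent here. The managers' "nothing to do" output differs per family, so the honest minimal fix is a comment stating the intent, e.g. `# always reports changed: chroot installs give no portable no-op signal`, or splitting into per-family tasks each with its own changed_when. The `_clevis_install_cmd` mapping starts above the hunk, so I cannot see whether a Debian entry exists; `_clevis_install_cmd[os_family]` fails with an undefined key on any family not listed. The task's `name:` and any `when:` are also outside the hunk.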
@@ -3,7 +3,7 @@
# Sets _initramfs_generator and _tpm2_method facts.
#
# Generator detection: derived from the platform's initramfs_cmd
# (dracut → dracut, mkinitcpio → mkinitcpio, else → initramfs-tools)
# (dracut -> dracut, mkinitcpio -> mkinitcpio, else -> initramfs-tools)
# TPM2 method: systemd-cryptenroll when generator supports tpm2-device,
# clevis fallback otherwise. Non-native dracut installed automatically.
@@ -107,7 +107,7 @@
when: (configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0
ansible.builtin.debug:
msg: >-
LUKS keyfile enrollment failed — falling back to manual unlock at boot.
LUKS keyfile enrollment failed - falling back to manual unlock at boot.
The system will prompt for the LUKS passphrase during startup.
- name: Fallback to manual LUKS unlock if keyfile enrollment failed
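Review bot: `when: (configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0` treats an unset rc (unlock test skipped or never registered) exactly like a failed test, so the fallback fires and the passphrase prompt is kept; that fail-closed choice is the right one for a LUKS unlock path, but nothing in the hunk records that it is deliberate rather than a default picked at random. Suggest a comment directly above the `when:`, e.g. `# undefined rc (test skipped) counts as failure so we keep manual unlock`. The debug message is the only signal an operator gets that the keyfile path was abandoned; it is worth stating in that message which device or mapping is affected if the variables above the hunk carry it. The task that registers the rc is outside the hunk.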
@@ -1,7 +1,7 @@
---
# TPM2 enrollment via systemd-cryptenroll.
# Works with dracut and mkinitcpio (sd-encrypt). The user-set passphrase
# remains as a backup unlock method — no auto-generated keyfiles.
# remains as a backup unlock method - no auto-generated keyfiles.
- name: Enroll TPM2 for LUKS
block:
- name: Create temporary passphrase file for TPM2 enrollment
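Review bot: `Create temporary passphrase file for TPM2 enrollment` puts the LUKS passphrase on disk, and the rest of the `block:` (the file's mode and location, and whether an `always:` section removes it) is outside the hunk, so I cannot confirm it is cleaned up when enrollment fails. If the block has no `always:`, a failed `systemd-cryptenroll` leaves the passphrase file behind, which would make the header comment's "no auto-generated keyfiles" promise misleading. Suggest documenting the file's lifetime next to this task, e.g. `# passphrase file is created 0600 and removed in always: below`, provided that is what the block actually does; otherwise add the `always:` first.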