diff --git a/roles/configuration/tasks/encryption.yml b/roles/configuration/tasks/encryption.yml
index c5c3ddf..c5064b1 100644
--- a/roles/configuration/tasks/encryption.yml
+++ b/roles/configuration/tasks/encryption.yml
@@ -122,216 +122,16 @@ path: /mnt{{ configuration_luks_keyfile_path }} state: absent - - name: Write crypttab entry - ansible.builtin.lineinfile: - path: /mnt/etc/crypttab - regexp: "^{{ configuration_luks_mapper_name }}\\s" - line: >- - {{ configuration_luks_mapper_name }} UUID={{ configuration_luks_uuid }} - {{ configuration_luks_crypttab_keyfile }} {{ configuration_luks_crypttab_options }} - create: true - mode: "0600" + - name: Configure crypttab + ansible.builtin.include_tasks: encryption/crypttab.yml - - name: Ensure keyfile pattern for initramfs-tools - when: - - os_family == 'Debian' - - configuration_luks_keyfile_in_use - ansible.builtin.lineinfile: - path: /mnt/etc/cryptsetup-initramfs/conf-hook - regexp: "^KEYFILE_PATTERN=" - line: "KEYFILE_PATTERN=/etc/cryptsetup-keys.d/*.key" - create: true - mode: "0644" + - name: Configure initramfs + ansible.builtin.include_tasks: encryption/initramfs.yml - - name: Configure mkinitcpio hooks for LUKS - when: os == 'archlinux' - ansible.builtin.lineinfile: - path: /mnt/etc/mkinitcpio.conf - regexp: "^HOOKS=" - line: >- - HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole - block sd-encrypt{{ ' lvm2' if system_cfg.filesystem != 'btrfs' else '' }} filesystems fsck) - - - name: Read mkinitcpio configuration - when: os == 'archlinux' - ansible.builtin.slurp: - src: /mnt/etc/mkinitcpio.conf - register: configuration_mkinitcpio_slurp - - - name: Build mkinitcpio FILES list - when: os == 'archlinux' - vars: - mkinitcpio_files_list: >- - {{ - ( - configuration_mkinitcpio_slurp.content | b64decode - | regex_findall('^FILES=\\(([^)]*)\\)', multiline=True) - | default([]) - | first - | default('') - ).split() - }} - mkinitcpio_files_list_new: >- - {{ - ( - (mkinitcpio_files_list + [configuration_luks_keyfile_path]) - if configuration_luks_keyfile_in_use - else ( - mkinitcpio_files_list - | reject('equalto', configuration_luks_keyfile_path) - | list - ) - ) - | unique - }} - ansible.builtin.set_fact: - 
configuration_mkinitcpio_files_list_new: "{{ mkinitcpio_files_list_new }}" - - - name: Configure mkinitcpio FILES list - when: os == 'archlinux' - ansible.builtin.lineinfile: - path: /mnt/etc/mkinitcpio.conf - regexp: "^FILES=" - line: >- - FILES=({{ - configuration_mkinitcpio_files_list_new | join(' ') - }}) - - - name: Ensure dracut config directory exists + - name: Configure dracut when: os_family == 'RedHat' - ansible.builtin.file: - path: /mnt/etc/dracut.conf.d - state: directory - mode: "0755" + ansible.builtin.include_tasks: encryption/dracut.yml - - name: Configure dracut for LUKS - when: os_family == 'RedHat' - ansible.builtin.copy: - dest: /mnt/etc/dracut.conf.d/crypt.conf - content: | - add_dracutmodules+=" crypt " - {% if configuration_luks_keyfile_in_use %} - install_items+=" {{ configuration_luks_keyfile_path }} " - {% endif %} - mode: "0644" - - - name: Read kernel cmdline defaults - when: os_family == 'RedHat' - ansible.builtin.slurp: - src: /mnt/etc/kernel/cmdline - register: configuration_kernel_cmdline_slurp - - - name: Build kernel cmdline with LUKS args - when: os_family == 'RedHat' - vars: - kernel_cmdline_current: >- - {{ configuration_kernel_cmdline_slurp.content | b64decode | trim }} - kernel_cmdline_list: >- - {{ - kernel_cmdline_current.split() - if kernel_cmdline_current | length > 0 else [] - }} - kernel_cmdline_filtered: >- - {{ - kernel_cmdline_list - | reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=') - | list - }} - kernel_cmdline_new: >- - {{ - (kernel_cmdline_filtered + configuration_luks_kernel_args.split()) - | unique - | join(' ') - }} - ansible.builtin.set_fact: - configuration_kernel_cmdline_new: "{{ kernel_cmdline_new }}" - - - name: Write kernel cmdline with LUKS args - when: os_family == 'RedHat' - ansible.builtin.copy: - dest: /mnt/etc/kernel/cmdline - mode: "0644" - content: "{{ configuration_kernel_cmdline_new }}\n" - - - name: Update BLS entries with LUKS kernel cmdline - when: 
os_family == 'RedHat' - vars: - _bls_cmdline: "{{ configuration_kernel_cmdline_new }}" - ansible.builtin.include_tasks: _bls_update.yml - - - name: Read grub defaults + - name: Configure GRUB for LUKS when: not os_family == 'RedHat' - ansible.builtin.slurp: - src: /mnt/etc/default/grub - register: configuration_grub_slurp - - - name: Build grub command lines with LUKS args - when: not os_family == 'RedHat' - vars: - grub_content: "{{ configuration_grub_slurp.content | b64decode }}" - grub_cmdline_linux: >- - {{ - grub_content - | regex_findall('^GRUB_CMDLINE_LINUX=\"(.*)\"', multiline=True) - | default([]) - | first - | default('') - }} - grub_cmdline_default: >- - {{ - grub_content - | regex_findall('^GRUB_CMDLINE_LINUX_DEFAULT=\"(.*)\"', multiline=True) - | default([]) - | first - | default('') - }} - grub_cmdline_linux_list: >- - {{ - grub_cmdline_linux.split() - if grub_cmdline_linux | length > 0 else [] - }} - grub_cmdline_default_list: >- - {{ - grub_cmdline_default.split() - if grub_cmdline_default | length > 0 else [] - }} - luks_kernel_args_list: "{{ configuration_luks_kernel_args.split() }}" - grub_cmdline_linux_new: >- - {{ - ( - ( - grub_cmdline_linux_list - | reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=') - | list - ) - + luks_kernel_args_list - ) - | unique - | join(' ') - }} - grub_cmdline_default_new: >- - {{ - ( - ( - grub_cmdline_default_list - | reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=') - | list - ) - + luks_kernel_args_list - ) - | unique - | join(' ') - }} - ansible.builtin.set_fact: - configuration_grub_content: "{{ grub_content }}" - configuration_grub_cmdline_linux: "{{ grub_cmdline_linux }}" - configuration_grub_cmdline_default: "{{ grub_cmdline_default }}" - configuration_grub_cmdline_linux_new: "{{ grub_cmdline_linux_new }}" - configuration_grub_cmdline_default_new: "{{ grub_cmdline_default_new }}" - - - name: Update GRUB_CMDLINE_LINUX_DEFAULT for LUKS - when: 
not os_family == 'RedHat' - ansible.builtin.lineinfile: - path: /mnt/etc/default/grub - regexp: "^GRUB_CMDLINE_LINUX_DEFAULT=" - line: 'GRUB_CMDLINE_LINUX_DEFAULT="{{ configuration_grub_cmdline_default_new }}"' + ansible.builtin.include_tasks: encryption/grub.yml diff --git a/roles/configuration/tasks/encryption/crypttab.yml b/roles/configuration/tasks/encryption/crypttab.yml new file mode 100644 index 0000000..a96c873 --- /dev/null +++ b/roles/configuration/tasks/encryption/crypttab.yml @@ -0,0 +1,10 @@ +--- +- name: Write crypttab entry + ansible.builtin.lineinfile: + path: /mnt/etc/crypttab + regexp: "^{{ configuration_luks_mapper_name }}\\s" + line: >- + {{ configuration_luks_mapper_name }} UUID={{ configuration_luks_uuid }} + {{ configuration_luks_crypttab_keyfile }} {{ configuration_luks_crypttab_options }} + create: true + mode: "0600" diff --git a/roles/configuration/tasks/encryption/dracut.yml b/roles/configuration/tasks/encryption/dracut.yml new file mode 100644 index 0000000..c89fd82 --- /dev/null +++ b/roles/configuration/tasks/encryption/dracut.yml 
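Review bot: The `Configure GRUB for LUKS` include keeps its condition written as `when: not os_family == 'RedHat'`, a negated comparison that reads awkwardly; the idiomatic form is `when: os_family != 'RedHat'`. The new `Configure initramfs` include carries no `when` even though every task inside `encryption/initramfs.yml` is gated on Debian or Arch, so on RedHat hosts the file is included only to skip each task; gating the include itself, `when: os_family == 'Debian' or os == 'archlinux'`, would make that intent visible at the call site. The task list this hunk edits starts before the hunk (the `state: absent` task at the top is cut off).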
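Review bot: The `regexp` in `Write crypttab entry` interpolates `configuration_luks_mapper_name` into a regular expression unescaped, so a mapper name containing regex metacharacters would match the wrong entry or none, leaving a stale line beside the new one; use `regexp: "^{{ configuration_luks_mapper_name | regex_escape }}\\s"`. The task is otherwise the one removed from `encryption.yml`, moved unchanged. A one-line comment above it naming the crypttab field order the folded `line` produces (`<name> UUID=<uuid> <keyfile> <options>`) would help, since the `>-` scalar hides that the two lines become one.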
@@ -0,0 +1,56 @@ +--- +- name: Ensure dracut config directory exists + ansible.builtin.file: + path: /mnt/etc/dracut.conf.d + state: directory + mode: "0755" + +- name: Configure dracut for LUKS + ansible.builtin.copy: + dest: /mnt/etc/dracut.conf.d/crypt.conf + content: | + add_dracutmodules+=" crypt " + {% if configuration_luks_keyfile_in_use %} + install_items+=" {{ configuration_luks_keyfile_path }} " + {% endif %} + mode: "0644" + +- name: Read kernel cmdline defaults + ansible.builtin.slurp: + src: /mnt/etc/kernel/cmdline + register: configuration_kernel_cmdline_slurp + +- name: Build kernel cmdline with LUKS args + vars: + kernel_cmdline_current: >- + {{ configuration_kernel_cmdline_slurp.content | b64decode | trim }} + kernel_cmdline_list: >- + {{ + kernel_cmdline_current.split() + if kernel_cmdline_current | length > 0 else [] + }} + kernel_cmdline_filtered: >- + {{ + kernel_cmdline_list + | reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=') + | list + }} + kernel_cmdline_new: >- + {{ + (kernel_cmdline_filtered + configuration_luks_kernel_args.split()) + | unique + | join(' ') + }} + ansible.builtin.set_fact: + configuration_kernel_cmdline_new: "{{ kernel_cmdline_new }}" + +- name: Write kernel cmdline with LUKS args + ansible.builtin.copy: + dest: /mnt/etc/kernel/cmdline + mode: "0644" + content: "{{ configuration_kernel_cmdline_new }}\n" + +- name: Update BLS entries with LUKS kernel cmdline + vars: + _bls_cmdline: "{{ configuration_kernel_cmdline_new }}" + ansible.builtin.include_tasks: ../_bls_update.yml diff --git a/roles/configuration/tasks/encryption/grub.yml b/roles/configuration/tasks/encryption/grub.yml new file mode 100644 index 0000000..5df3ae2 --- /dev/null +++ b/roles/configuration/tasks/encryption/grub.yml 
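Review bot: `install_items+=" {{ configuration_luks_keyfile_path }} "` in `Configure dracut for LUKS` copies the LUKS keyfile into the initramfs image, so the readability of the generated image under `/boot` becomes part of the key's protection, and nothing in this file records that assumption. I believe current dracut writes images with a restrictive umask, but that should be confirmed for the target release and stated above the task, e.g. `# keyfile is embedded in the initramfs: the image must not be world-readable — verify dracut's umask on target`. Separately, `Read kernel cmdline defaults` runs `slurp` on `/mnt/etc/kernel/cmdline` with no guard, so the play fails hard if the file is absent on a fresh install; a preceding `stat` task gating the slurp and the build with `when:` would cover that — confirm whether the file is guaranteed to exist at this point. The `../_bls_update.yml` include relies on Ansible resolving the path relative to the including file; it should resolve, but a quick run on the RedHat branch would settle it.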
@@ -0,0 +1,74 @@ +--- +- name: Read grub defaults + ansible.builtin.slurp: + src: /mnt/etc/default/grub + register: configuration_grub_slurp + +- name: Build grub command lines with LUKS args + vars: + grub_content: "{{ configuration_grub_slurp.content | b64decode }}" + grub_cmdline_linux: >- + {{ + grub_content + | regex_findall('^GRUB_CMDLINE_LINUX=\"(.*)\"', multiline=True) + | default([]) + | first + | default('') + }} + grub_cmdline_default: >- + {{ + grub_content + | regex_findall('^GRUB_CMDLINE_LINUX_DEFAULT=\"(.*)\"', multiline=True) + | default([]) + | first + | default('') + }} + grub_cmdline_linux_list: >- + {{ + grub_cmdline_linux.split() + if grub_cmdline_linux | length > 0 else [] + }} + grub_cmdline_default_list: >- + {{ + grub_cmdline_default.split() + if grub_cmdline_default | length > 0 else [] + }} + luks_kernel_args_list: "{{ configuration_luks_kernel_args.split() }}" + grub_cmdline_linux_new: >- + {{ + ( + ( + grub_cmdline_linux_list + | reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=') + | list + ) + + luks_kernel_args_list + ) + | unique + | join(' ') + }} + grub_cmdline_default_new: >- + {{ + ( + ( + grub_cmdline_default_list + | reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=') + | list + ) + + luks_kernel_args_list + ) + | unique + | join(' ') + }} + ansible.builtin.set_fact: + configuration_grub_content: "{{ grub_content }}" + configuration_grub_cmdline_linux: "{{ grub_cmdline_linux }}" + configuration_grub_cmdline_default: "{{ grub_cmdline_default }}" + configuration_grub_cmdline_linux_new: "{{ grub_cmdline_linux_new }}" + configuration_grub_cmdline_default_new: "{{ grub_cmdline_default_new }}" + +- name: Update GRUB_CMDLINE_LINUX_DEFAULT for LUKS + ansible.builtin.lineinfile: + path: /mnt/etc/default/grub + regexp: "^GRUB_CMDLINE_LINUX_DEFAULT=" + line: 'GRUB_CMDLINE_LINUX_DEFAULT="{{ configuration_grub_cmdline_default_new }}"' 
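Review bot: `Build grub command lines with LUKS args` computes `configuration_grub_cmdline_linux_new`, but the only write in this file is `Update GRUB_CMDLINE_LINUX_DEFAULT for LUKS`, so `GRUB_CMDLINE_LINUX` is never updated here; this was also true of the code removed from `encryption.yml`, so the fact may be consumed by another task file. If it is, a comment on the `set_fact` saying where would save the next reader the search; if not, the matching `lineinfile` below is missing and the `rd.luks.*` arguments only reach the default entries. The `(.*)` in both `regex_findall` patterns is greedy, so a line such as `GRUB_CMDLINE_LINUX_DEFAULT="quiet" # "note"` captures through the last quote — `([^\"]*)` would be stricter if comments of that shape are plausible.
```yaml
# … unchanged: Read grub defaults / Build grub command lines / Update GRUB_CMDLINE_LINUX_DEFAULT …
- name: Update GRUB_CMDLINE_LINUX for LUKS
  ansible.builtin.lineinfile:
    path: /mnt/etc/default/grub
    regexp: "^GRUB_CMDLINE_LINUX="
    line: 'GRUB_CMDLINE_LINUX="{{ configuration_grub_cmdline_linux_new }}"'
```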
diff --git a/roles/configuration/tasks/encryption/initramfs.yml b/roles/configuration/tasks/encryption/initramfs.yml new file mode 100644 index 0000000..43548af --- /dev/null +++ b/roles/configuration/tasks/encryption/initramfs.yml @@ -0,0 +1,65 @@ +--- +- name: Ensure keyfile pattern for initramfs-tools + when: + - os_family == 'Debian' + - configuration_luks_keyfile_in_use + ansible.builtin.lineinfile: + path: /mnt/etc/cryptsetup-initramfs/conf-hook + regexp: "^KEYFILE_PATTERN=" + line: "KEYFILE_PATTERN=/etc/cryptsetup-keys.d/*.key" + create: true + mode: "0644" + +- name: Configure mkinitcpio hooks for LUKS + when: os == 'archlinux' + ansible.builtin.lineinfile: + path: /mnt/etc/mkinitcpio.conf + regexp: "^HOOKS=" + line: >- + HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole + block sd-encrypt{{ ' lvm2' if system_cfg.filesystem != 'btrfs' else '' }} filesystems fsck) + +- name: Read mkinitcpio configuration + when: os == 'archlinux' + ansible.builtin.slurp: + src: /mnt/etc/mkinitcpio.conf + register: configuration_mkinitcpio_slurp + +- name: Build mkinitcpio FILES list + when: os == 'archlinux' + vars: + mkinitcpio_files_list: >- + {{ + ( + configuration_mkinitcpio_slurp.content | b64decode + | regex_findall('^FILES=\\(([^)]*)\\)', multiline=True) + | default([]) + | first + | default('') + ).split() + }} + mkinitcpio_files_list_new: >- + {{ + ( + (mkinitcpio_files_list + [configuration_luks_keyfile_path]) + if configuration_luks_keyfile_in_use + else ( + mkinitcpio_files_list + | reject('equalto', configuration_luks_keyfile_path) + | list + ) + ) + | unique + }} + ansible.builtin.set_fact: + configuration_mkinitcpio_files_list_new: "{{ mkinitcpio_files_list_new }}" + +- name: Configure mkinitcpio FILES list + when: os == 'archlinux' + ansible.builtin.lineinfile: + path: /mnt/etc/mkinitcpio.conf + regexp: "^FILES=" + line: >- + FILES=({{ + configuration_mkinitcpio_files_list_new | join(' ') + }})
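Review bot: `Ensure keyfile pattern for initramfs-tools` hard-codes `KEYFILE_PATTERN=/etc/cryptsetup-keys.d/*.key` while the rest of this file works from `configuration_luks_keyfile_path`, so a keyfile configured outside that directory or without the `.key` suffix would silently not be copied into the initramfs and boot would fall back to a passphrase prompt; either derive the pattern from the variable or state the assumption above the task, `# assumes configuration_luks_keyfile_path is under /etc/cryptsetup-keys.d/ and ends in .key`. Both that task and the mkinitcpio `FILES` tasks embed the keyfile in the initramfs image, which makes the image's file mode part of the key's protection; as I recall the Debian cryptsetup-initramfs documentation pairs `KEYFILE_PATTERN` with `UMASK=0077` in initramfs.conf, and this file does not set it, so confirm it is handled elsewhere or add the equivalent `lineinfile`, and confirm the same for the mkinitcpio image on Arch. The file ends with `Configure mkinitcpio FILES list`, which appears complete in the hunk.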