LUKS enrollment and RHEL cmdline/BLS

roles/configuration/tasks/encryption/keyfile.yml

@@ -0,0 +1,110 @@
+---
+- name: Configure LUKS keyfile auto-decrypt
+  block:
+    - name: Ensure cryptsetup key directory exists
+      ansible.builtin.file:
+        path: /mnt/etc/cryptsetup-keys.d
+        state: directory
+        owner: root
+        group: root
+        mode: "0700"
+
+    - name: Ensure LUKS keyfile exists
+      ansible.builtin.copy:
+        dest: /mnt{{ configuration_luks_keyfile_path }}
+        content: >-
+          {{
+            lookup(
+              'community.general.random_string',
+              length=(partitioning_luks_keyfile_size | default(luks_keyfile_size | default(64)) | int),
+              override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
+            )
+          }}
+        owner: root
+        group: root
+        mode: "0600"
+        force: false
+      register: configuration_luks_keyfile_copy
+      no_log: true
+
+    - name: Ensure keyfile permissions
+      ansible.builtin.file:
+        path: /mnt{{ configuration_luks_keyfile_path }}
+        owner: root
+        group: root
+        mode: "0600"
+
+    - name: Check whether keyfile already unlocks the LUKS device
+      ansible.builtin.command:
+        argv:
+          - cryptsetup
+          - luksOpen
+          - --test-passphrase
+          - --key-file
+          - "/mnt{{ configuration_luks_keyfile_path }}"
+          - "{{ configuration_luks_device }}"
+      register: configuration_luks_keyfile_unlock_test
+      changed_when: false
+      failed_when: false
+      no_log: true
+
+    - name: Add keyfile to LUKS header
+      when: configuration_luks_keyfile_unlock_test.rc != 0
+      community.crypto.luks_device:
+        device: "{{ configuration_luks_device }}"
+        passphrase: "{{ configuration_luks_passphrase_effective }}"
+        new_keyfile: "/mnt{{ configuration_luks_keyfile_path }}"
+      register: configuration_luks_addkey_result
+      failed_when: false
+      no_log: true
+
+    - name: Regenerate keyfile and retry adding to LUKS header
+      when:
+        - configuration_luks_keyfile_unlock_test.rc != 0
+        - configuration_luks_keyfile_copy.changed | default(false) | bool
+        - configuration_luks_addkey_result is failed
+      block:
+        - name: Regenerate LUKS keyfile
+          ansible.builtin.copy:
+            dest: /mnt{{ configuration_luks_keyfile_path }}
+            content: >-
+              {{
+                lookup(
+                  'community.general.random_string',
+                  length=(partitioning_luks_keyfile_size | default(luks_keyfile_size | default(64)) | int),
+                  override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
+                )
+              }}
+            owner: root
+            group: root
+            mode: "0600"
+            force: true
+          no_log: true
+
+        - name: Retry adding keyfile to LUKS header
+          community.crypto.luks_device:
+            device: "{{ configuration_luks_device }}"
+            passphrase: "{{ configuration_luks_passphrase_effective }}"
+            new_keyfile: "/mnt{{ configuration_luks_keyfile_path }}"
+          register: configuration_luks_addkey_retry
+          failed_when: false
+          no_log: true
+
+    - name: Re-check whether keyfile unlocks the LUKS device
+      ansible.builtin.command:
+        argv:
+          - cryptsetup
+          - luksOpen
+          - --test-passphrase
+          - --key-file
+          - "/mnt{{ configuration_luks_keyfile_path }}"
+          - "{{ configuration_luks_device }}"
+      register: configuration_luks_keyfile_unlock_test_after
+      changed_when: false
+      failed_when: false
+      no_log: true
+
+    - name: Fallback to manual LUKS unlock if keyfile enrollment failed
+      when: (configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0
+      ansible.builtin.set_fact:
+        configuration_luks_auto_method: manual