diff --git a/roles/configuration/tasks/encryption.yml b/roles/configuration/tasks/encryption.yml
index 28511e5..5000293 100644
--- a/roles/configuration/tasks/encryption.yml
+++ b/roles/configuration/tasks/encryption.yml
@@ -1,18 +1,18 @@
 ---
 - name: Configure disk encryption
- when: partitioning_luks_enabled | bool
+ when: system_cfg.luks.enabled | bool
 vars:
 configuration_luks_passphrase: >-
- {{ partitioning_luks_passphrase | string }}
+ {{ system_cfg.luks.passphrase | string }}
 block:
 - name: Set LUKS configuration facts
 vars:
 luks_tpm2_pcrs: >-
 {{
 (
- partitioning_luks_tpm2_pcrs
- if partitioning_luks_tpm2_pcrs is string
- else (partitioning_luks_tpm2_pcrs | map('string') | join('+'))
+ system_cfg.luks.tpm2.pcrs
+ if system_cfg.luks.tpm2.pcrs is string
+ else (system_cfg.luks.tpm2.pcrs | map('string') | join('+'))
 )
 | string
 | replace(',', '+')
@@ -20,21 +20,21 @@
 | regex_replace('^\\+|\\+$', '')
 }}
 ansible.builtin.set_fact:
- configuration_luks_mapper_name: "{{ partitioning_luks_mapper_name }}"
+ configuration_luks_mapper_name: "{{ system_cfg.luks.mapper }}"
 configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}"
 configuration_luks_device: "{{ partitioning_luks_device }}"
- configuration_luks_options: "{{ partitioning_luks_options }}"
+ configuration_luks_options: "{{ system_cfg.luks.options }}"
 configuration_luks_auto_method: >-
 {{
- (partitioning_luks_auto_decrypt | bool)
+ (system_cfg.luks.auto | bool)
 | ternary(
- partitioning_luks_auto_decrypt_method,
+ system_cfg.luks.method,
 'manual'
 )
 }}
 configuration_luks_tpm2_device: "{{ partitioning_luks_tpm2_device }}"
 configuration_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
- configuration_luks_keyfile_path: "/etc/cryptsetup-keys.d/{{ partitioning_luks_mapper_name }}.key"
+ configuration_luks_keyfile_path: "/etc/cryptsetup-keys.d/{{ system_cfg.luks.mapper }}.key"
 changed_when: false
 - name: Validate LUKS UUID is available
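Review bot: The new side of the `@@ -20,21 +20,21 @@` hunk still reads `configuration_luks_tpm2_device: "{{ partitioning_luks_tpm2_device }}"`, but the `@@ -1,21 +1,4 @@` hunk of roles/partitioning/defaults/main.yml deletes `partitioning_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"` along with the other indirection defaults, so unless that variable is defined somewhere outside this diff the set_fact will fail with an undefined-variable error whenever LUKS is enabled. Following the pattern of the neighbouring lines, the fix is `configuration_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"`. The same removal also drops `partitioning_luks_use_urandom` and `partitioning_luks_verify_passphrase`, for which no replacement reference appears anywhere in this diff; it is worth confirming that no task still reads them. `partitioning_luks_uuid` and `partitioning_luks_device` are fine, the former because of `default('')` and the latter because it remains defined in the partitioning defaults. The enclosing `Configure disk encryption` block continues past the end of the hunk.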
diff --git a/roles/configuration/tasks/encryption/keyfile.yml b/roles/configuration/tasks/encryption/keyfile.yml
index d0b4290..11719b6 100644
--- a/roles/configuration/tasks/encryption/keyfile.yml
+++ b/roles/configuration/tasks/encryption/keyfile.yml
@@ -16,7 +16,7 @@
 {{
 lookup(
 'community.general.random_string',
- length=(partitioning_luks_keyfile_size | int),
+ length=(system_cfg.luks.keysize | int),
 override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
 )
 }}
@@ -71,7 +71,7 @@
 {{
 lookup(
 'community.general.random_string',
- length=(partitioning_luks_keyfile_size | int),
+ length=(system_cfg.luks.keysize | int),
 override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
 )
 }}
diff --git a/roles/partitioning/defaults/main.yml b/roles/partitioning/defaults/main.yml
index 7ee8ee7..b97b28d 100644
--- a/roles/partitioning/defaults/main.yml
+++ b/roles/partitioning/defaults/main.yml
@@ -1,21 +1,4 @@
 ---
-partitioning_luks_enabled: "{{ system_cfg.luks.enabled | bool }}"
-partitioning_luks_passphrase: "{{ system_cfg.luks.passphrase }}"
-partitioning_luks_mapper_name: "{{ system_cfg.luks.mapper }}"
-partitioning_luks_type: "{{ system_cfg.luks.type }}"
-partitioning_luks_cipher: "{{ system_cfg.luks.cipher }}"
-partitioning_luks_hash: "{{ system_cfg.luks.hash }}"
-partitioning_luks_iter_time: "{{ system_cfg.luks.iter }}"
-partitioning_luks_key_size: "{{ system_cfg.luks.bits }}"
-partitioning_luks_pbkdf: "{{ system_cfg.luks.pbkdf }}"
-partitioning_luks_use_urandom: "{{ system_cfg.luks.urandom | bool }}"
-partitioning_luks_verify_passphrase: "{{ system_cfg.luks.verify | bool }}"
-partitioning_luks_auto_decrypt: "{{ system_cfg.luks.auto | bool }}"
-partitioning_luks_auto_decrypt_method: "{{ system_cfg.luks.method }}"
-partitioning_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"
-partitioning_luks_tpm2_pcrs: "{{ system_cfg.luks.tpm2.pcrs }}"
-partitioning_luks_keyfile_size: "{{ system_cfg.luks.keysize }}"
-partitioning_luks_options: "{{ system_cfg.luks.options }}"
 partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if system_cfg.features.zstd.enabled | bool else '' }}"
 partitioning_boot_partition_suffix: 1
 partitioning_main_partition_suffix: 2
@@ -26,7 +9,7 @@ partitioning_boot_size_mib: 1024
 partitioning_use_full_disk: true
 partitioning_separate_boot: >-
 {{
- (partitioning_luks_enabled | bool)
+ (system_cfg.luks.enabled | bool)
 and (os | lower not in ['archlinux'])
 }}
 partitioning_boot_fs_fstype: >-
@@ -103,15 +86,15 @@ partitioning_layout: >-
 }}
 partitioning_grub_enable_cryptodisk: >-
 {{
- (partitioning_luks_enabled | bool)
+ (system_cfg.luks.enabled | bool)
 and not (partitioning_separate_boot | bool)
 and (partitioning_efi_mountpoint == '/boot/efi')
 }}
 partitioning_luks_device: "{{ install_drive ~ (partitioning_root_partition_suffix | string) }}"
 partitioning_root_device: >-
 {{
- '/dev/mapper/' + partitioning_luks_mapper_name
- if (partitioning_luks_enabled | bool)
+ '/dev/mapper/' + system_cfg.luks.mapper
+ if (system_cfg.luks.enabled | bool)
 else install_drive ~ (partitioning_root_partition_suffix | string)
 }}
 partitioning_disk_size_gb: >-
diff --git a/roles/partitioning/tasks/btrfs.yml b/roles/partitioning/tasks/btrfs.yml
index 73b4b82..9b4f22d 100644
--- a/roles/partitioning/tasks/btrfs.yml
+++ b/roles/partitioning/tasks/btrfs.yml
@@ -9,8 +9,8 @@
 opts: >-
 {{
 '-K'
- if (partitioning_luks_enabled | bool)
- and not ('discard' in (partitioning_luks_options | lower))
+ if (system_cfg.luks.enabled | bool)
+ and not ('discard' in (system_cfg.luks.options | lower))
 else omit
 }}
diff --git a/roles/partitioning/tasks/main.yml b/roles/partitioning/tasks/main.yml
index 9ec1338..75bbb93 100644
--- a/roles/partitioning/tasks/main.yml
+++ b/roles/partitioning/tasks/main.yml
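Review bot: `'discard' in (system_cfg.luks.options | lower)` in the btrfs.yml hunk is a substring test on the raw options value, and the identical expression is now repeated as `allow_discards` in the `@@ -202,21 +202,21 @@` and `@@ -230,9 +230,9 @@` hunks of roles/partitioning/tasks/main.yml; a single fact such as `partitioning_luks_allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"` consumed by all three would keep the mkfs `-K` decision and the LUKS open options from drifting apart. The `| lower` suggests `options` is a plain string; if the schema also permits a list, `lower` stringifies it and the membership test runs against the list's text form rather than its items, so that is worth confirming. Wherever the expression ends up, a one-line comment that enabling discards lets the underlying storage see which LUKS blocks are unused would record the trade-off the option makes. The enclosing task in btrfs.yml starts outside the hunk.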
@@ -70,22 +70,22 @@
 failed_when: false
 - name: Close LUKS mapper
- when: partitioning_luks_enabled | bool
+ when: system_cfg.luks.enabled | bool
 community.crypto.luks_device:
- name: "{{ partitioning_luks_mapper_name }}"
+ name: "{{ system_cfg.luks.mapper }}"
 state: closed
 failed_when: false
 - name: Remove LUKS mapper device
- when: partitioning_luks_enabled | bool
+ when: system_cfg.luks.enabled | bool
 ansible.builtin.command: >-
- dmsetup remove --force --retry {{ partitioning_luks_mapper_name }}
+ dmsetup remove --force --retry {{ system_cfg.luks.mapper }}
 register: partitioning_dmsetup_remove
 changed_when: partitioning_dmsetup_remove.rc == 0
 failed_when: false
 - name: Remove LUKS signatures
- when: partitioning_luks_enabled | bool
+ when: system_cfg.luks.enabled | bool
 community.crypto.luks_device:
 device: "{{ partitioning_luks_device }}"
 state: absent
@@ -154,12 +154,12 @@
 failed_when: false
 - name: Configure LUKS encryption
- when: partitioning_luks_enabled | bool
+ when: system_cfg.luks.enabled | bool
 block:
 - name: Validate LUKS passphrase
 ansible.builtin.assert:
 that:
- - (partitioning_luks_passphrase | string | length) > 0
+ - (system_cfg.luks.passphrase | string | length) > 0
 fail_msg: system.luks.passphrase must be set when LUKS is enabled.
 no_log: true
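Review bot: `dmsetup remove --force --retry {{ system_cfg.luks.mapper }}` in the `Remove LUKS mapper device` task interpolates the mapper name into the command line unquoted; `ansible.builtin.command` splits its string on whitespace, so a mapper value containing a space would be passed as several arguments and, with `failed_when: false` on the task, the failed removal would go unnoticed. Now that the value comes straight from the user-supplied `system_cfg` instead of a role default, wrap it: `dmsetup remove --force --retry {{ system_cfg.luks.mapper | quote }}`. The same unquoted pattern appears in the `Force-remove` tasks of the `@@ -167,26 +167,26 @@` and `@@ -202,21 +202,21 @@` hunks. Separately, the assert's `fail_msg` names `system.luks.passphrase` while the check reads `system_cfg.luks.passphrase`; if `system` is not the user-facing name of that config block, the message should use the same path as the expression.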
@@ -167,26 +167,26 @@
 community.crypto.luks_device:
 device: "{{ partitioning_luks_device }}"
 state: present
- type: "{{ partitioning_luks_type }}"
- cipher: "{{ partitioning_luks_cipher }}"
- hash: "{{ partitioning_luks_hash }}"
- keysize: "{{ partitioning_luks_key_size }}"
+ type: "{{ system_cfg.luks.type }}"
+ cipher: "{{ system_cfg.luks.cipher }}"
+ hash: "{{ system_cfg.luks.hash }}"
+ keysize: "{{ system_cfg.luks.bits }}"
 pbkdf:
- algorithm: "{{ partitioning_luks_pbkdf }}"
- iteration_time: "{{ (partitioning_luks_iter_time | float) / 1000 }}"
- passphrase: "{{ partitioning_luks_passphrase | string }}"
+ algorithm: "{{ system_cfg.luks.pbkdf }}"
+ iteration_time: "{{ (system_cfg.luks.iter | float) / 1000 }}"
+ passphrase: "{{ system_cfg.luks.passphrase | string }}"
 register: partitioning_luks_format_result
 no_log: true
 - name: Force-close LUKS mapper
 community.crypto.luks_device:
- name: "{{ partitioning_luks_mapper_name }}"
+ name: "{{ system_cfg.luks.mapper }}"
 state: closed
 failed_when: false
 - name: Force-remove LUKS mapper device
 ansible.builtin.command: >-
- dmsetup remove --force --retry {{ partitioning_luks_mapper_name }}
+ dmsetup remove --force --retry {{ system_cfg.luks.mapper }}
 register: partitioning_dmsetup_remove_after_format
 changed_when: partitioning_dmsetup_remove_after_format.rc == 0
 failed_when: false
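Review bot: `keysize: "{{ system_cfg.luks.bits }}"` and the `system_cfg.luks.keysize` used for the keyfile length in roles/configuration/tasks/encryption/keyfile.yml are easy to confuse now that both are read directly from `system_cfg`: the former is the LUKS master-key length in bits handed to the module's `keysize` parameter, the latter a count of alphanumeric characters for the generated keyfile. A comment on the `keysize:` line, e.g. `# master-key length in bits; system_cfg.luks.keysize is the keyfile length`, would prevent the mix-up when someone edits the schema. The `/ 1000` on `iteration_time` also deserves a why-comment such as `# community.crypto takes seconds; system_cfg.luks.iter is assumed to be in milliseconds like cryptsetup --iter-time` — confirm the unit of `iter` against the config schema rather than inferring it from the division. The task's `- name:` line and its `when:` lie outside the hunk.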
@@ -202,21 +202,21 @@
 community.crypto.luks_device:
 device: "{{ partitioning_luks_device }}"
 state: opened
- name: "{{ partitioning_luks_mapper_name }}"
- passphrase: "{{ partitioning_luks_passphrase | string }}"
- allow_discards: "{{ 'discard' in (partitioning_luks_options | lower) }}"
+ name: "{{ system_cfg.luks.mapper }}"
+ passphrase: "{{ system_cfg.luks.passphrase | string }}"
+ allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
 register: partitioning_luks_open_result
 no_log: true
 rescue:
 - name: Force-close stale LUKS mapper
 community.crypto.luks_device:
- name: "{{ partitioning_luks_mapper_name }}"
+ name: "{{ system_cfg.luks.mapper }}"
 state: closed
 failed_when: false
 - name: Force-remove stale LUKS mapper device
 ansible.builtin.command: >-
- dmsetup remove --force --retry {{ partitioning_luks_mapper_name }}
+ dmsetup remove --force --retry {{ system_cfg.luks.mapper }}
 register: partitioning_dmsetup_remove_retry
 changed_when: partitioning_dmsetup_remove_retry.rc == 0
 failed_when: false
@@ -230,9 +230,9 @@
 community.crypto.luks_device:
 device: "{{ partitioning_luks_device }}"
 state: opened
- name: "{{ partitioning_luks_mapper_name }}"
- passphrase: "{{ partitioning_luks_passphrase | string }}"
- allow_discards: "{{ 'discard' in (partitioning_luks_options | lower) }}"
+ name: "{{ system_cfg.luks.mapper }}"
+ passphrase: "{{ system_cfg.luks.passphrase | string }}"
+ allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
 register: partitioning_luks_open_retry
 no_log: true
diff --git a/roles/virtualization/defaults/main.yml b/roles/virtualization/defaults/main.yml
index 05a95f7..65b2b81 100644
--- a/roles/virtualization/defaults/main.yml
+++ b/roles/virtualization/defaults/main.yml
@@ -15,10 +15,10 @@ virtualization_xen_disk_path: /var/lib/xen/images
 virtualization_tpm2_enabled: >-
 {{
- (partitioning_luks_enabled | bool)
- and (partitioning_luks_auto_decrypt | bool)
+ (system_cfg.luks.enabled | bool)
+ and (system_cfg.luks.auto | bool)
 and (
- (partitioning_luks_auto_decrypt_method | lower)
+ (system_cfg.luks.method | lower)
 == 'tpm2'
 )
 }}