refactor(luks): use system_cfg.luks directly across roles

2026-02-11 19:26:51 +01:00
parent 8c0716508e
commit 7a76f58384
6 changed files with 45 additions and 62 deletions


@@ -1,18 +1,18 @@
--- ---
- name: Configure disk encryption - name: Configure disk encryption
when: partitioning_luks_enabled | bool when: system_cfg.luks.enabled | bool
vars: vars:
configuration_luks_passphrase: >- configuration_luks_passphrase: >-
{{ partitioning_luks_passphrase | string }} {{ system_cfg.luks.passphrase | string }}
block: block:
- name: Set LUKS configuration facts - name: Set LUKS configuration facts
vars: vars:
luks_tpm2_pcrs: >- luks_tpm2_pcrs: >-
{{ {{
( (
partitioning_luks_tpm2_pcrs system_cfg.luks.tpm2.pcrs
if partitioning_luks_tpm2_pcrs is string if system_cfg.luks.tpm2.pcrs is string
else (partitioning_luks_tpm2_pcrs | map('string') | join('+')) else (system_cfg.luks.tpm2.pcrs | map('string') | join('+'))
) )
| string | string
| replace(',', '+') | replace(',', '+')
@@ -20,21 +20,21 @@
| regex_replace('^\\+|\\+$', '') | regex_replace('^\\+|\\+$', '')
}} }}
ansible.builtin.set_fact: ansible.builtin.set_fact:
configuration_luks_mapper_name: "{{ partitioning_luks_mapper_name }}" configuration_luks_mapper_name: "{{ system_cfg.luks.mapper }}"
configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}" configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}"
configuration_luks_device: "{{ partitioning_luks_device }}" configuration_luks_device: "{{ partitioning_luks_device }}"
configuration_luks_options: "{{ partitioning_luks_options }}" configuration_luks_options: "{{ system_cfg.luks.options }}"
configuration_luks_auto_method: >- configuration_luks_auto_method: >-
{{ {{
(partitioning_luks_auto_decrypt | bool) (system_cfg.luks.auto | bool)
| ternary( | ternary(
partitioning_luks_auto_decrypt_method, system_cfg.luks.method,
'manual' 'manual'
) )
}} }}
configuration_luks_tpm2_device: "{{ partitioning_luks_tpm2_device }}" configuration_luks_tpm2_device: "{{ partitioning_luks_tpm2_device }}"
configuration_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}" configuration_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
configuration_luks_keyfile_path: "/etc/cryptsetup-keys.d/{{ partitioning_luks_mapper_name }}.key" configuration_luks_keyfile_path: "/etc/cryptsetup-keys.d/{{ system_cfg.luks.mapper }}.key"
changed_when: false changed_when: false
- name: Validate LUKS UUID is available - name: Validate LUKS UUID is available
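Review bot: `configuration_luks_tpm2_device: "{{ partitioning_luks_tpm2_device }}"` in the set_fact task still reads the old indirection variable, but the partitioning defaults section of this same commit deletes `partitioning_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"`, so unless that name is defined somewhere not shown here the task will fail with an undefined variable as soon as LUKS is enabled. Every other fact in this task was migrated, which makes this look like an omission; change it to `configuration_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"`. The remaining `partitioning_luks_device` and `partitioning_luks_uuid | default('')` references are different: the former keeps its default in the partitioning defaults and the latter is guarded. The enclosing block continues past the end of the hunk.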


@@ -16,7 +16,7 @@
{{ {{
lookup( lookup(
'community.general.random_string', 'community.general.random_string',
length=(partitioning_luks_keyfile_size | int), length=(system_cfg.luks.keysize | int),
override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
) )
}} }}
@@ -71,7 +71,7 @@
{{ {{
lookup( lookup(
'community.general.random_string', 'community.general.random_string',
length=(partitioning_luks_keyfile_size | int), length=(system_cfg.luks.keysize | int),
override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
) )
}} }}
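Review bot: `length=(system_cfg.luks.keysize | int)` now exposes a naming collision that the removed `partitioning_luks_keyfile_size` indirection used to hide: `keysize` here is the keyfile length in characters, while the `keysize:` option passed to `community.crypto.luks_device` elsewhere in this commit comes from `system_cfg.luks.bits` and is a cipher key size in bits. A one-line comment above each lookup would prevent the two from being confused, e.g. `# system_cfg.luks.keysize is the keyfile length in characters, not the cipher key size (system_cfg.luks.bits)`. Both hunks in this file carry the identical lookup; if they are meant to produce the same keyfile content, note that each lookup invocation yields an independent random value. The enclosing tasks start and end outside the hunks.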


@@ -1,21 +1,4 @@
--- ---
partitioning_luks_enabled: "{{ system_cfg.luks.enabled | bool }}"
partitioning_luks_passphrase: "{{ system_cfg.luks.passphrase }}"
partitioning_luks_mapper_name: "{{ system_cfg.luks.mapper }}"
partitioning_luks_type: "{{ system_cfg.luks.type }}"
partitioning_luks_cipher: "{{ system_cfg.luks.cipher }}"
partitioning_luks_hash: "{{ system_cfg.luks.hash }}"
partitioning_luks_iter_time: "{{ system_cfg.luks.iter }}"
partitioning_luks_key_size: "{{ system_cfg.luks.bits }}"
partitioning_luks_pbkdf: "{{ system_cfg.luks.pbkdf }}"
partitioning_luks_use_urandom: "{{ system_cfg.luks.urandom | bool }}"
partitioning_luks_verify_passphrase: "{{ system_cfg.luks.verify | bool }}"
partitioning_luks_auto_decrypt: "{{ system_cfg.luks.auto | bool }}"
partitioning_luks_auto_decrypt_method: "{{ system_cfg.luks.method }}"
partitioning_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"
partitioning_luks_tpm2_pcrs: "{{ system_cfg.luks.tpm2.pcrs }}"
partitioning_luks_keyfile_size: "{{ system_cfg.luks.keysize }}"
partitioning_luks_options: "{{ system_cfg.luks.options }}"
partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if system_cfg.features.zstd.enabled | bool else '' }}" partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if system_cfg.features.zstd.enabled | bool else '' }}"
partitioning_boot_partition_suffix: 1 partitioning_boot_partition_suffix: 1
partitioning_main_partition_suffix: 2 partitioning_main_partition_suffix: 2
@@ -26,7 +9,7 @@ partitioning_boot_size_mib: 1024
partitioning_use_full_disk: true partitioning_use_full_disk: true
partitioning_separate_boot: >- partitioning_separate_boot: >-
{{ {{
(partitioning_luks_enabled | bool) (system_cfg.luks.enabled | bool)
and (os | lower not in ['archlinux']) and (os | lower not in ['archlinux'])
}} }}
partitioning_boot_fs_fstype: >- partitioning_boot_fs_fstype: >-
@@ -103,15 +86,15 @@ partitioning_layout: >-
}} }}
partitioning_grub_enable_cryptodisk: >- partitioning_grub_enable_cryptodisk: >-
{{ {{
(partitioning_luks_enabled | bool) (system_cfg.luks.enabled | bool)
and not (partitioning_separate_boot | bool) and not (partitioning_separate_boot | bool)
and (partitioning_efi_mountpoint == '/boot/efi') and (partitioning_efi_mountpoint == '/boot/efi')
}} }}
partitioning_luks_device: "{{ install_drive ~ (partitioning_root_partition_suffix | string) }}" partitioning_luks_device: "{{ install_drive ~ (partitioning_root_partition_suffix | string) }}"
partitioning_root_device: >- partitioning_root_device: >-
{{ {{
'/dev/mapper/' + partitioning_luks_mapper_name '/dev/mapper/' + system_cfg.luks.mapper
if (partitioning_luks_enabled | bool) if (system_cfg.luks.enabled | bool)
else install_drive ~ (partitioning_root_partition_suffix | string) else install_drive ~ (partitioning_root_partition_suffix | string)
}} }}
partitioning_disk_size_gb: >- partitioning_disk_size_gb: >-
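Review bot: `partitioning_luks_device` is now the only `partitioning_luks_*` default left in this file and nothing says why it survives while the sixteen others were removed; add a comment above it such as `# Derived from install_drive; all other LUKS settings are read directly from system_cfg.luks`. The deletion also drops `partitioning_luks_use_urandom`, `partitioning_luks_verify_passphrase`, `partitioning_luks_uuid`-adjacent helpers and `partitioning_luks_tpm2_device` without a replacement visible in this commit, so any consumer not touched here (the configuration role's set_fact still references `partitioning_luks_tpm2_device`) will hit an undefined variable. It would be worth a grep for `partitioning_luks_` across the repository before merging.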


@@ -9,8 +9,8 @@
opts: >- opts: >-
{{ {{
'-K' '-K'
if (partitioning_luks_enabled | bool) if (system_cfg.luks.enabled | bool)
and not ('discard' in (partitioning_luks_options | lower)) and not ('discard' in (system_cfg.luks.options | lower))
else omit else omit
}} }}


@@ -70,22 +70,22 @@
failed_when: false failed_when: false
- name: Close LUKS mapper - name: Close LUKS mapper
when: partitioning_luks_enabled | bool when: system_cfg.luks.enabled | bool
community.crypto.luks_device: community.crypto.luks_device:
name: "{{ partitioning_luks_mapper_name }}" name: "{{ system_cfg.luks.mapper }}"
state: closed state: closed
failed_when: false failed_when: false
- name: Remove LUKS mapper device - name: Remove LUKS mapper device
when: partitioning_luks_enabled | bool when: system_cfg.luks.enabled | bool
ansible.builtin.command: >- ansible.builtin.command: >-
dmsetup remove --force --retry {{ partitioning_luks_mapper_name }} dmsetup remove --force --retry {{ system_cfg.luks.mapper }}
register: partitioning_dmsetup_remove register: partitioning_dmsetup_remove
changed_when: partitioning_dmsetup_remove.rc == 0 changed_when: partitioning_dmsetup_remove.rc == 0
failed_when: false failed_when: false
- name: Remove LUKS signatures - name: Remove LUKS signatures
when: partitioning_luks_enabled | bool when: system_cfg.luks.enabled | bool
community.crypto.luks_device: community.crypto.luks_device:
device: "{{ partitioning_luks_device }}" device: "{{ partitioning_luks_device }}"
state: absent state: absent
@@ -154,12 +154,12 @@
failed_when: false failed_when: false
- name: Configure LUKS encryption - name: Configure LUKS encryption
when: partitioning_luks_enabled | bool when: system_cfg.luks.enabled | bool
block: block:
- name: Validate LUKS passphrase - name: Validate LUKS passphrase
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- (partitioning_luks_passphrase | string | length) > 0 - (system_cfg.luks.passphrase | string | length) > 0
fail_msg: system.luks.passphrase must be set when LUKS is enabled. fail_msg: system.luks.passphrase must be set when LUKS is enabled.
no_log: true no_log: true
@@ -167,26 +167,26 @@
community.crypto.luks_device: community.crypto.luks_device:
device: "{{ partitioning_luks_device }}" device: "{{ partitioning_luks_device }}"
state: present state: present
type: "{{ partitioning_luks_type }}" type: "{{ system_cfg.luks.type }}"
cipher: "{{ partitioning_luks_cipher }}" cipher: "{{ system_cfg.luks.cipher }}"
hash: "{{ partitioning_luks_hash }}" hash: "{{ system_cfg.luks.hash }}"
keysize: "{{ partitioning_luks_key_size }}" keysize: "{{ system_cfg.luks.bits }}"
pbkdf: pbkdf:
algorithm: "{{ partitioning_luks_pbkdf }}" algorithm: "{{ system_cfg.luks.pbkdf }}"
iteration_time: "{{ (partitioning_luks_iter_time | float) / 1000 }}" iteration_time: "{{ (system_cfg.luks.iter | float) / 1000 }}"
passphrase: "{{ partitioning_luks_passphrase | string }}" passphrase: "{{ system_cfg.luks.passphrase | string }}"
register: partitioning_luks_format_result register: partitioning_luks_format_result
no_log: true no_log: true
- name: Force-close LUKS mapper - name: Force-close LUKS mapper
community.crypto.luks_device: community.crypto.luks_device:
name: "{{ partitioning_luks_mapper_name }}" name: "{{ system_cfg.luks.mapper }}"
state: closed state: closed
failed_when: false failed_when: false
- name: Force-remove LUKS mapper device - name: Force-remove LUKS mapper device
ansible.builtin.command: >- ansible.builtin.command: >-
dmsetup remove --force --retry {{ partitioning_luks_mapper_name }} dmsetup remove --force --retry {{ system_cfg.luks.mapper }}
register: partitioning_dmsetup_remove_after_format register: partitioning_dmsetup_remove_after_format
changed_when: partitioning_dmsetup_remove_after_format.rc == 0 changed_when: partitioning_dmsetup_remove_after_format.rc == 0
failed_when: false failed_when: false
@@ -202,21 +202,21 @@
community.crypto.luks_device: community.crypto.luks_device:
device: "{{ partitioning_luks_device }}" device: "{{ partitioning_luks_device }}"
state: opened state: opened
name: "{{ partitioning_luks_mapper_name }}" name: "{{ system_cfg.luks.mapper }}"
passphrase: "{{ partitioning_luks_passphrase | string }}" passphrase: "{{ system_cfg.luks.passphrase | string }}"
allow_discards: "{{ 'discard' in (partitioning_luks_options | lower) }}" allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
register: partitioning_luks_open_result register: partitioning_luks_open_result
no_log: true no_log: true
rescue: rescue:
- name: Force-close stale LUKS mapper - name: Force-close stale LUKS mapper
community.crypto.luks_device: community.crypto.luks_device:
name: "{{ partitioning_luks_mapper_name }}" name: "{{ system_cfg.luks.mapper }}"
state: closed state: closed
failed_when: false failed_when: false
- name: Force-remove stale LUKS mapper device - name: Force-remove stale LUKS mapper device
ansible.builtin.command: >- ansible.builtin.command: >-
dmsetup remove --force --retry {{ partitioning_luks_mapper_name }} dmsetup remove --force --retry {{ system_cfg.luks.mapper }}
register: partitioning_dmsetup_remove_retry register: partitioning_dmsetup_remove_retry
changed_when: partitioning_dmsetup_remove_retry.rc == 0 changed_when: partitioning_dmsetup_remove_retry.rc == 0
failed_when: false failed_when: false
@@ -230,9 +230,9 @@
community.crypto.luks_device: community.crypto.luks_device:
device: "{{ partitioning_luks_device }}" device: "{{ partitioning_luks_device }}"
state: opened state: opened
name: "{{ partitioning_luks_mapper_name }}" name: "{{ system_cfg.luks.mapper }}"
passphrase: "{{ partitioning_luks_passphrase | string }}" passphrase: "{{ system_cfg.luks.passphrase | string }}"
allow_discards: "{{ 'discard' in (partitioning_luks_options | lower) }}" allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
register: partitioning_luks_open_retry register: partitioning_luks_open_retry
no_log: true no_log: true
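Review bot: `dmsetup remove --force --retry {{ system_cfg.luks.mapper }}` builds the command line by string interpolation, so a mapper name containing whitespace or shell-like characters is word-split by the `command` module into extra arguments rather than passed as one device name; the same construct appears in the Force-remove tasks of the two later hunks. Since the value now comes straight from user configuration instead of a role default, the `argv:` form keeps the mapper name as a single argument regardless of content. The passphrase-handling tasks already carry `no_log: true`, which is the right call now that `system_cfg.luks.passphrase` is referenced directly.

```yaml
- name: Remove LUKS mapper device
  when: system_cfg.luks.enabled | bool
  ansible.builtin.command:
    argv:
      - dmsetup
      - remove
      - --force
      - --retry
      - "{{ system_cfg.luks.mapper }}"
  # … unchanged: register / changed_when / failed_when …
```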


@@ -15,10 +15,10 @@ virtualization_xen_disk_path: /var/lib/xen/images
virtualization_tpm2_enabled: >- virtualization_tpm2_enabled: >-
{{ {{
(partitioning_luks_enabled | bool) (system_cfg.luks.enabled | bool)
and (partitioning_luks_auto_decrypt | bool) and (system_cfg.luks.auto | bool)
and ( and (
(partitioning_luks_auto_decrypt_method | lower) (system_cfg.luks.method | lower)
== 'tpm2' == 'tpm2'
) )
}} }}