refactor(vars): simplify normalization and remove effective intermediates

2026-02-11 05:37:18 +01:00
parent 04727033f1
commit b8c672507f
9 changed files with 267 additions and 409 deletions
--- a/roles/configuration/tasks/encryption/keyfile.yml
+++ b/roles/configuration/tasks/encryption/keyfile.yml
@@ -52,7 +52,7 @@
      when: configuration_luks_keyfile_unlock_test.rc != 0
      community.crypto.luks_device:
        device: "{{ configuration_luks_device }}"
-        passphrase: "{{ configuration_luks_passphrase_effective }}"
+        passphrase: "{{ configuration_luks_passphrase }}"
        new_keyfile: "/mnt{{ configuration_luks_keyfile_path }}"
      register: configuration_luks_addkey_result
      failed_when: false
@@ -84,7 +84,7 @@
        - name: Retry adding keyfile to LUKS header
          community.crypto.luks_device:
            device: "{{ configuration_luks_device }}"
-            passphrase: "{{ configuration_luks_passphrase_effective }}"
+            passphrase: "{{ configuration_luks_passphrase }}"
            new_keyfile: "/mnt{{ configuration_luks_keyfile_path }}"
          register: configuration_luks_addkey_retry
          failed_when: false
--- a/roles/configuration/tasks/encryption/tpm2.yml
+++ b/roles/configuration/tasks/encryption/tpm2.yml
@@ -11,7 +11,7 @@
    - name: Write passphrase into temporary file for TPM2 enrollment
      ansible.builtin.copy:
        dest: "{{ configuration_luks_tpm2_passphrase_tempfile.path }}"
-        content: "{{ configuration_luks_passphrase_effective }}"
+        content: "{{ configuration_luks_passphrase }}"
        owner: root
        group: root
        mode: "0600"
@@ -31,8 +31,8 @@
                | regex_replace('^/mnt', '')
              )
            ]
-            + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs_effective]
-               if configuration_luks_tpm2_pcrs_effective | length > 0 else [])
+            + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs_normalized]
+               if configuration_luks_tpm2_pcrs_normalized | length > 0 else [])
            + [configuration_luks_device]
          }}
        configuration_luks_enroll_chroot_cmd: >-
@@ -55,8 +55,8 @@
              '--wipe-slot=tpm2',
              '--unlock-key-file=' + configuration_luks_tpm2_passphrase_tempfile.path
            ]
-            + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs_effective]
-               if configuration_luks_tpm2_pcrs_effective | length > 0 else [])
+            + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs_normalized]
+               if configuration_luks_tpm2_pcrs_normalized | length > 0 else [])
            + [configuration_luks_device]
          }}
      ansible.builtin.command: