feat(cleanup): enroll Secure Boot keys in VM NVRAM after OS installation

2026-04-02 07:22:53 +02:00
parent b31a5a2580
commit ce79728744
3 changed files with 43 additions and 4 deletions
--- a/roles/cleanup/tasks/libvirt.yml
+++ b/roles/cleanup/tasks/libvirt.yml
@@ -94,6 +94,35 @@
        state: destroyed
      failed_when: false

+    - name: Enroll Secure Boot keys in VM NVRAM
+      when:
+        - system_cfg.features.secure_boot.enabled | default(false) | bool
+        - os != 'archlinux'
+      block:
+        - name: Find VM NVRAM file path
+          ansible.builtin.shell:
+            cmd: >-
+              set -o pipefail &&
+              virsh -c {{ libvirt_uri | default('qemu:///system') }} dumpxml {{ hostname }}
+              | grep -oP '<nvram[^>]*>\K[^<]+'
+            executable: /bin/bash
+          register: _sb_nvram_path
+          changed_when: false
+          failed_when: false
+
+        - name: Enroll Secure Boot keys via virt-fw-vars
+          when: _sb_nvram_path.stdout | default('') | length > 0
+          ansible.builtin.command:
+            argv:
+              - virt-fw-vars
+              - --inplace
+              - "{{ _sb_nvram_path.stdout | trim }}"
+              - --enroll-redhat
+              - --secure-boot
+          register: _sb_enroll_result
+          changed_when: _sb_enroll_result.rc == 0
+          failed_when: false
+
    - name: Start the VM
      community.libvirt.virt:
        name: "{{ hostname }}"