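---
# Configure LUKS disk encryption for the installed system.
#
# Every path written here is prefixed with /mnt, so this presumably runs from
# an installer against a target root mounted at /mnt — confirm against the
# partitioning role that produces partitioning_luks_uuid / _device.
#
# Inputs:  system_cfg.luks.* (enabled, passphrase, mapper, options, auto,
#          method, tpm2.device, tpm2.pcrs), system_cfg.features.secure_boot.enabled,
#          system_cfg.type, partitioning_luks_uuid, partitioning_luks_device,
#          os_family; _tpm2_method and _initramfs_generator are set by the
#          included encryption/initramfs_detect.yml.
# Outputs: configuration_luks_* facts consumed by the included task files.
#
# The whole block runs with no_log so the passphrase held in
# configuration_luks_passphrase never reaches stdout, callbacks or log files;
# tasks pulled in via include_tasks inherit this.
- name: Configure disk encryption
  when: system_cfg.luks.enabled | bool
  no_log: true
  vars:
    configuration_luks_passphrase: >-
      {{ system_cfg.luks.passphrase | string }}
  block:
    - name: Set LUKS configuration facts
      vars:
        # Accept PCRs as "7", "0,7", "0+7" or a list of ints and normalise to
        # the '+'-separated form systemd-cryptenroll and crypttab expect.
        _raw_pcrs: >-
          {{
            (
              system_cfg.luks.tpm2.pcrs
              if system_cfg.luks.tpm2.pcrs is string
              else (system_cfg.luks.tpm2.pcrs | map('string') | join('+'))
            )
            | string
            | replace(',', '+')
            | regex_replace('\\s+', '')
            | regex_replace('^\\+|\\+$', '')
          }}
        # Binding to PCR 7 (Secure Boot state) is only used as the default on
        # physical hosts with Secure Boot on; on virtual targets the default
        # PCR set is deliberately left empty.
        _sb_pcr7_safe: >-
          {{
            system_cfg.features.secure_boot.enabled | bool
            and system_cfg.type | default('virtual') != 'virtual'
          }}
        # NOTE(review): when no PCRs are configured and PCR 7 is not considered
        # safe this resolves to '' and the TPM2 enrollment in
        # encryption/tpm2.yml (not shown here) presumably binds the key to no
        # PCR at all, i.e. anyone able to talk to the TPM can unseal it.
        # Confirm that is the intended trade-off for virtual machines.
        luks_tpm2_pcrs: >-
          {{
            _raw_pcrs if _raw_pcrs | length > 0
            else ('7' if (_sb_pcr7_safe | bool) else '')
          }}
      ansible.builtin.set_fact:
        configuration_luks_mapper_name: "{{ system_cfg.luks.mapper }}"
        # Defaulted to '' so the assert below can give a clear message instead
        # of an undefined-variable error.
        configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}"
        configuration_luks_device: "{{ partitioning_luks_device }}"
        configuration_luks_options: "{{ system_cfg.luks.options }}"
        # 'manual' means no automatic unlock: no keyfile, no TPM2 token.
        configuration_luks_auto_method: >-
          {{
            (system_cfg.luks.auto | bool) | ternary(
              system_cfg.luks.method,
              'manual'
            )
          }}
        configuration_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"
        configuration_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
        # Role-owned keyfile location. rd.luks.key below points at this path,
        # so encryption/keyfile.yml presumably has to ship the file inside the
        # initramfs; with an unencrypted /boot that initramfs then holds the
        # plaintext key, and the keyfile method offers no protection against
        # an attacker who can read /boot. Confirm before relying on it.
        configuration_luks_keyfile_path: "/etc/cryptsetup-keys.d/{{ system_cfg.luks.mapper }}.key"
        # NOTE(review): the Debian multiarch path is x86_64-specific (aarch64
        # would be /usr/lib/aarch64-linux-gnu/...); confirm whether non-x86
        # Debian targets are in scope.
        configuration_luks_tpm2_token_lib: >-
          {{
            '/usr/lib/x86_64-linux-gnu/cryptsetup/libcryptsetup-token-systemd-tpm2.so'
            if os_family == 'Debian'
            else '/usr/lib64/cryptsetup/libcryptsetup-token-systemd-tpm2.so'
          }}

    - name: Validate LUKS UUID is available
      ansible.builtin.assert:
        that:
          - configuration_luks_uuid | length > 0
        fail_msg: LUKS UUID not available. Ensure partitioning ran before configuration.

    # Both auto-decrypt methods need the passphrase to add their extra
    # unlock slot; fail early and keep the assert output hidden.
    - name: Validate LUKS passphrase for auto-decrypt
      when: configuration_luks_auto_method in ['tpm2', 'keyfile']
      ansible.builtin.assert:
        that:
          - configuration_luks_passphrase | length > 0
        fail_msg: system.luks.passphrase must be set for LUKS auto-decrypt.
      no_log: true

    - name: Detect TPM2 unlock method
      ansible.builtin.include_tasks: encryption/initramfs_detect.yml

    - name: Enroll TPM2 via systemd-cryptenroll
      when:
        - configuration_luks_auto_method == 'tpm2'
        - _tpm2_method | default('systemd-cryptenroll') == 'systemd-cryptenroll'
      ansible.builtin.include_tasks: encryption/tpm2.yml

    - name: Configure LUKS keyfile auto-decrypt
      when: configuration_luks_auto_method == 'keyfile'
      ansible.builtin.include_tasks: encryption/keyfile.yml

    - name: Record final LUKS auto-decrypt method
      ansible.builtin.set_fact:
        configuration_luks_final_method: "{{ configuration_luks_auto_method }}"

    # The message only names the method (tpm2/keyfile/manual), never the
    # passphrase, so it is safe to lift the block-level no_log here; without
    # this the report is always censored.
    - name: Report LUKS auto-decrypt configuration
      no_log: false
      ansible.builtin.debug:
        msg: "LUKS auto-decrypt method: {{ configuration_luks_final_method }}"

    - name: Build LUKS parameters
      vars:
        luks_keyfile_in_use: "{{ configuration_luks_auto_method == 'keyfile' }}"
        # Accept options as a comma-separated string or a list; trim each
        # entry and drop empties so "discard, no-read-workqueue" or a trailing
        # comma cannot leak a malformed option into crypttab / rd.luks.options.
        luks_option_list: >-
          {{
            (
              configuration_luks_options
              if configuration_luks_options is string
              else (configuration_luks_options | default([], true) | map('string') | join(','))
            ).split(',') | map('trim') | reject('equalto', '') | list
          }}
        # tpm2-pcrs= is only emitted when a PCR set was actually resolved.
        luks_tpm2_option_list: >-
          {{
            (configuration_luks_auto_method == 'tpm2'
             and (_tpm2_method | default('systemd-cryptenroll')) == 'systemd-cryptenroll')
            | ternary(
                ['tpm2-device=' + configuration_luks_tpm2_device]
                + (['tpm2-pcrs=' + configuration_luks_tpm2_pcrs]
                   if configuration_luks_tpm2_pcrs | length > 0 else []),
                []
              )
          }}
        luks_crypttab_keyfile: "{{ configuration_luks_keyfile_path if luks_keyfile_in_use else 'none' }}"
        luks_crypttab_options: >-
          {{ (['luks'] + luks_option_list + luks_tpm2_option_list) | join(',') }}
        luks_rd_options: "{{ (luks_option_list + luks_tpm2_option_list) | join(',') }}"
        # Kernel command line for dracut-style unlock: always the name mapping,
        # options and key only when there is something to pass.
        luks_kernel_args: >-
          {{
            (
              ['rd.luks.name=' + configuration_luks_uuid + '=' + configuration_luks_mapper_name]
              + (
                ['rd.luks.options=' + configuration_luks_uuid + '=' + luks_rd_options]
                if luks_rd_options | length > 0 else []
              )
              + (
                ['rd.luks.key=' + configuration_luks_uuid + '=' + configuration_luks_keyfile_path]
                if luks_keyfile_in_use else []
              )
            ) | join(' ')
          }}
      ansible.builtin.set_fact:
        configuration_luks_keyfile_in_use: "{{ luks_keyfile_in_use }}"
        configuration_luks_option_list: "{{ luks_option_list }}"
        configuration_luks_tpm2_option_list: "{{ luks_tpm2_option_list }}"
        configuration_luks_crypttab_keyfile: "{{ luks_crypttab_keyfile }}"
        configuration_luks_crypttab_options: "{{ luks_crypttab_options }}"
        configuration_luks_rd_options: "{{ luks_rd_options }}"
        configuration_luks_kernel_args: "{{ luks_kernel_args }}"

    # The keyfile path is role-owned. Remove any copy left behind by an
    # earlier run whenever the keyfile method is not in use (tpm2 *or*
    # manual), so a plaintext key does not outlive a change of unlock method.
    - name: Remove stale LUKS keyfile when keyfile auto-decrypt is not in use
      when: not (configuration_luks_keyfile_in_use | bool)
      ansible.builtin.file:
        path: /mnt{{ configuration_luks_keyfile_path }}
        state: absent

    - name: Configure initramfs for LUKS
      ansible.builtin.include_tasks: encryption/initramfs.yml

    - name: Configure crypttab
      ansible.builtin.include_tasks: encryption/crypttab.yml

    - name: Configure dracut for LUKS
      when: _initramfs_generator | default('') == 'dracut'
      ansible.builtin.include_tasks: encryption/dracut.yml

    # GRUB is configured everywhere except RedHat-family hosts using dracut,
    # which are handled by encryption/dracut.yml above.
    - name: Configure GRUB for LUKS
      when: _initramfs_generator | default('') != 'dracut' or os_family != 'RedHat'
      ansible.builtin.include_tasks: encryption/grub.yml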