Ansible-Bootstrap/roles/configuration/tasks/encryption.yml

---
- name: Configure disk encryption
  when: system_cfg.luks.enabled | bool
  no_log: true
  vars:
    configuration_luks_passphrase: >-
      {{ system_cfg.luks.passphrase | string }}
  block:
    - name: Set LUKS configuration facts
      vars:
        luks_tpm2_pcrs: >-
          {{
            (
              system_cfg.luks.tpm2.pcrs
              if system_cfg.luks.tpm2.pcrs is string
              else (system_cfg.luks.tpm2.pcrs | map('string') | join('+'))
            )
            | string
            | replace(',', '+')
            | regex_replace('\\s+', '')
            | regex_replace('^\\+|\\+$', '')
          }}
      ansible.builtin.set_fact:
        configuration_luks_mapper_name: "{{ system_cfg.luks.mapper }}"
        configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}"
        configuration_luks_device: "{{ partitioning_luks_device }}"
        configuration_luks_options: "{{ system_cfg.luks.options }}"
        configuration_luks_auto_method: >-
          {{
            (system_cfg.luks.auto | bool)
            | ternary(
                system_cfg.luks.method,
                'manual'
              )
          }}
        configuration_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"
        configuration_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
        configuration_luks_keyfile_path: "/etc/cryptsetup-keys.d/{{ system_cfg.luks.mapper }}.key"

    - name: Validate LUKS UUID is available
      ansible.builtin.assert:
        that:
          - configuration_luks_uuid | length > 0
        fail_msg: LUKS UUID not available. Ensure partitioning ran before configuration.

    - name: Validate LUKS passphrase for auto-decrypt
      when: configuration_luks_auto_method in ['tpm2', 'keyfile']
      ansible.builtin.assert:
        that:
          - configuration_luks_passphrase | length > 0
        fail_msg: system.luks.passphrase must be set for LUKS auto-decrypt.
      no_log: true

    - name: Enroll TPM2 for LUKS
      when: configuration_luks_auto_method == 'tpm2'
      ansible.builtin.include_tasks: encryption/tpm2.yml

    - name: Configure LUKS keyfile auto-decrypt
      when: configuration_luks_auto_method == 'keyfile'
      ansible.builtin.include_tasks: encryption/keyfile.yml

    - name: Record final LUKS auto-decrypt method
      ansible.builtin.set_fact:
        configuration_luks_final_method: "{{ configuration_luks_auto_method }}"

    - name: Report LUKS auto-decrypt configuration
      ansible.builtin.debug:
        msg: "LUKS auto-decrypt method: {{ configuration_luks_final_method }}"

    - name: Build LUKS parameters
      vars:
        luks_keyfile_in_use: "{{ configuration_luks_auto_method == 'keyfile' }}"
        luks_option_list: >-
          {{
            (configuration_luks_options | trim).split(',')
            if configuration_luks_options | trim | length > 0
            else []
          }}
        luks_tpm2_option_list: >-
          {{
            (configuration_luks_auto_method == 'tpm2')
            | ternary(
                ['tpm2-device=' + configuration_luks_tpm2_device]
                + (['tpm2-pcrs=' + configuration_luks_tpm2_pcrs]
                   if configuration_luks_tpm2_pcrs | length > 0 else []),
                []
              )
          }}
        luks_crypttab_keyfile: "{{ configuration_luks_keyfile_path if luks_keyfile_in_use else 'none' }}"
        luks_crypttab_options: >-
          {{
            (['luks'] + luks_option_list + luks_tpm2_option_list)
            | join(',')
          }}
        luks_rd_options: "{{ (luks_option_list + luks_tpm2_option_list) | join(',') }}"
        luks_kernel_args: >-
          {{
            (
              ['rd.luks.name=' + configuration_luks_uuid + '=' + configuration_luks_mapper_name]
              + (
                ['rd.luks.options=' + configuration_luks_uuid + '=' + luks_rd_options]
                if luks_rd_options | length > 0 else []
              )
              + (
                ['rd.luks.key=' + configuration_luks_uuid + '=' + configuration_luks_keyfile_path]
                if luks_keyfile_in_use else []
              )
            ) | join(' ')
          }}
      ansible.builtin.set_fact:
        configuration_luks_keyfile_in_use: "{{ luks_keyfile_in_use }}"
        configuration_luks_option_list: "{{ luks_option_list }}"
        configuration_luks_tpm2_option_list: "{{ luks_tpm2_option_list }}"
        configuration_luks_crypttab_keyfile: "{{ luks_crypttab_keyfile }}"
        configuration_luks_crypttab_options: "{{ luks_crypttab_options }}"
        configuration_luks_rd_options: "{{ luks_rd_options }}"
        configuration_luks_kernel_args: "{{ luks_kernel_args }}"

    - name: Remove LUKS keyfile if TPM2 auto-decrypt is active
      when: configuration_luks_auto_method == 'tpm2'
      ansible.builtin.file:
        path: /mnt{{ configuration_luks_keyfile_path }}
        state: absent

    - name: Configure crypttab
      ansible.builtin.include_tasks: encryption/crypttab.yml

    - name: Configure initramfs
      ansible.builtin.include_tasks: encryption/initramfs.yml

    - name: Configure dracut
      when: os_family == 'RedHat'
      ansible.builtin.include_tasks: encryption/dracut.yml

    - name: Configure GRUB for LUKS
      when: not os_family == 'RedHat'
      ansible.builtin.include_tasks: encryption/grub.yml