Ansible-Bootstrap/roles/configuration/tasks/encryption/keyfile.yml

---
- name: Configure LUKS keyfile auto-decrypt
  block:
    - name: Ensure cryptsetup key directory exists
      ansible.builtin.file:
        path: /mnt/etc/cryptsetup-keys.d
        state: directory
        owner: root
        group: root
        mode: "0700"

    - name: Ensure LUKS keyfile exists
      ansible.builtin.copy:
        dest: /mnt{{ configuration_luks_keyfile_path }}
        content: >-
          {{
            lookup(
              'community.general.random_string',
              length=(partitioning_luks_keyfile_size | default(luks_keyfile_size | default(64)) | int),
              override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
            )
          }}
        owner: root
        group: root
        mode: "0600"
        force: false
      register: configuration_luks_keyfile_copy
      no_log: true

    - name: Ensure keyfile permissions
      ansible.builtin.file:
        path: /mnt{{ configuration_luks_keyfile_path }}
        owner: root
        group: root
        mode: "0600"

    - name: Check whether keyfile already unlocks the LUKS device
      ansible.builtin.command:
        argv:
          - cryptsetup
          - luksOpen
          - --test-passphrase
          - --key-file
          - "/mnt{{ configuration_luks_keyfile_path }}"
          - "{{ configuration_luks_device }}"
      register: configuration_luks_keyfile_unlock_test
      changed_when: false
      failed_when: false
      no_log: true

    - name: Add keyfile to LUKS header
      when: configuration_luks_keyfile_unlock_test.rc != 0
      community.crypto.luks_device:
        device: "{{ configuration_luks_device }}"
        passphrase: "{{ configuration_luks_passphrase_effective }}"
        new_keyfile: "/mnt{{ configuration_luks_keyfile_path }}"
      register: configuration_luks_addkey_result
      failed_when: false
      no_log: true

    - name: Regenerate keyfile and retry adding to LUKS header
      when:
        - configuration_luks_keyfile_unlock_test.rc != 0
        - configuration_luks_keyfile_copy.changed | default(false) | bool
        - configuration_luks_addkey_result is failed
      block:
        - name: Regenerate LUKS keyfile
          ansible.builtin.copy:
            dest: /mnt{{ configuration_luks_keyfile_path }}
            content: >-
              {{
                lookup(
                  'community.general.random_string',
                  length=(partitioning_luks_keyfile_size | default(luks_keyfile_size | default(64)) | int),
                  override_all='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
                )
              }}
            owner: root
            group: root
            mode: "0600"
            force: true
          no_log: true

        - name: Retry adding keyfile to LUKS header
          community.crypto.luks_device:
            device: "{{ configuration_luks_device }}"
            passphrase: "{{ configuration_luks_passphrase_effective }}"
            new_keyfile: "/mnt{{ configuration_luks_keyfile_path }}"
          register: configuration_luks_addkey_retry
          failed_when: false
          no_log: true

    - name: Re-check whether keyfile unlocks the LUKS device
      ansible.builtin.command:
        argv:
          - cryptsetup
          - luksOpen
          - --test-passphrase
          - --key-file
          - "/mnt{{ configuration_luks_keyfile_path }}"
          - "{{ configuration_luks_device }}"
      register: configuration_luks_keyfile_unlock_test_after
      changed_when: false
      failed_when: false
      no_log: true

    - name: Fallback to manual LUKS unlock if keyfile enrollment failed
      when: (configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0
      ansible.builtin.set_fact:
        configuration_luks_auto_method: manual