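---
# LUKS provisioning for the configured device: format it (idempotent), clear
# any stale device-mapper entry, open the container (with one forced retry),
# and publish the container UUID as partitioning_luks_uuid.
#
# Inputs read here (defined by the caller / role vars, not in this file):
#   system_cfg.luks.{enabled,passphrase,type,cipher,hash,bits,pbkdf,iter,options,mapper}
#   partitioning_luks_device
# Outputs: partitioning_luks_format_result, partitioning_luks_open_result,
#   partitioning_luks_open_retry, partitioning_luks_uuid_result,
#   partitioning_luks_uuid (fact).
- name: Configure LUKS encryption
  # The whole block is skipped unless LUKS is enabled for this system.
  when: system_cfg.luks.enabled | bool
  block:
    - name: Validate LUKS passphrase
      ansible.builtin.assert:
        that:
          - (system_cfg.luks.passphrase | string | length) > 0
        fail_msg: system.luks.passphrase must be set when LUKS is enabled.
      # Keep the assertion result out of the log. NOTE(review): no_log also
      # hides fail_msg when the assertion fails; the assertion text itself does
      # not contain the passphrase value, so dropping no_log here is an option.
      no_log: true

    - name: Ensure LUKS container exists
      # state: present formats the device only when it is not already a LUKS
      # container; the header parameters below all come from system_cfg.luks.
      community.crypto.luks_device:
        device: "{{ partitioning_luks_device }}"
        state: present
        type: "{{ system_cfg.luks.type }}"
        cipher: "{{ system_cfg.luks.cipher }}"
        hash: "{{ system_cfg.luks.hash }}"
        keysize: "{{ system_cfg.luks.bits }}"
        pbkdf:
          algorithm: "{{ system_cfg.luks.pbkdf }}"
          # luks_device takes iteration_time in seconds; system_cfg.luks.iter is
          # divided by 1000, so it is presumably milliseconds — confirm against
          # the variable's definition.
          iteration_time: "{{ (system_cfg.luks.iter | float) / 1000 }}"
        passphrase: "{{ system_cfg.luks.passphrase | string }}"
      register: partitioning_luks_format_result
      # The module arguments carry the passphrase; never let them reach the log.
      no_log: true

    # Best-effort cleanup of any mapping left behind by an earlier run so the
    # open below starts from a clean device-mapper state. Every step in this
    # group ignores failures (failed_when: false).
    - name: Force-close LUKS mapper
      community.crypto.luks_device:
        name: "{{ system_cfg.luks.mapper }}"
        state: closed
      failed_when: false

    - name: Force-remove LUKS mapper device
      # argv passes the mapper name as exactly one argument, so a value that
      # contains whitespace cannot be split into additional dmsetup arguments
      # (the string form of `command` is tokenised before execution).
      # --force replaces a busy mapping with an error target: this assumes
      # nothing is mounted on the mapper at this point — confirm with the caller.
      ansible.builtin.command:
        argv:
          - dmsetup
          - remove
          - --force
          - --retry
          - "{{ system_cfg.luks.mapper }}"
      register: partitioning_dmsetup_remove_after_format
      changed_when: partitioning_dmsetup_remove_after_format.rc == 0
      failed_when: false

    - name: Settle udev after removing LUKS mapper
      # Wait for udev to process the removal before the device is reopened.
      ansible.builtin.command: udevadm settle
      changed_when: false
      failed_when: false

    - name: Ensure LUKS mapper is opened
      block:
        - name: Open LUKS device
          community.crypto.luks_device:
            device: "{{ partitioning_luks_device }}"
            state: opened
            name: "{{ system_cfg.luks.mapper }}"
            passphrase: "{{ system_cfg.luks.passphrase | string }}"
            # Discards are allowed only when 'discard' appears in the
            # configured options (case-insensitive).
            allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
          register: partitioning_luks_open_result
          no_log: true
      # A first open can fail on a stale mapping: tear it down and try exactly
      # once more. A failure of the retry is not rescued and fails the play.
      rescue:
        - name: Force-close stale LUKS mapper
          community.crypto.luks_device:
            name: "{{ system_cfg.luks.mapper }}"
            state: closed
          failed_when: false

        - name: Force-remove stale LUKS mapper device
          # Same argv form as the cleanup above, for the same reason.
          ansible.builtin.command:
            argv:
              - dmsetup
              - remove
              - --force
              - --retry
              - "{{ system_cfg.luks.mapper }}"
          register: partitioning_dmsetup_remove_retry
          changed_when: partitioning_dmsetup_remove_retry.rc == 0
          failed_when: false

        - name: Settle udev after removing stale LUKS mapper
          ansible.builtin.command: udevadm settle
          changed_when: false
          failed_when: false

        - name: Retry opening LUKS device
          community.crypto.luks_device:
            device: "{{ partitioning_luks_device }}"
            state: opened
            name: "{{ system_cfg.luks.mapper }}"
            passphrase: "{{ system_cfg.luks.passphrase | string }}"
            allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
          register: partitioning_luks_open_retry
          no_log: true

    - name: Get LUKS UUID
      # Read-only query of the container header; argv keeps the device path a
      # single argument even if it contains whitespace.
      ansible.builtin.command:
        argv:
          - cryptsetup
          - luksUUID
          - "{{ partitioning_luks_device }}"
      register: partitioning_luks_uuid_result
      changed_when: false

    - name: Store LUKS UUID
      # Published for later steps (e.g. crypttab/fstab generation by the caller).
      ansible.builtin.set_fact:
        partitioning_luks_uuid: "{{ partitioning_luks_uuid_result.stdout | trim }}"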