From cc41a453e32bc4bb6f8c07df440866b9cdf6b713 Mon Sep 17 00:00:00 2001
From: ReYo
Date: Sun, 1 Sep 2024 16:09:31 +0000
Subject: [PATCH] =?UTF-8?q?=D0=A0=D1=8F=D0=B4=D0=BE=D0=BC=20=D1=81=20?=
 =?UTF-8?q?=D1=80=D1=83=D1=82=20=D1=80=D0=B0=D0=B7=D0=B4=D0=B5=D0=BB=D0=BE?=
 =?UTF-8?q?=D0=BC=20=D0=B6=D0=B0=D1=85=D0=B0=D1=8E=20=D0=B5=D1=81=D0=BB?=
 =?UTF-8?q?=D0=B8=20=D0=B5=D1=81=D1=82=D1=8C=20=D1=87=D1=82=D0=BE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
roles/start/tasks/encrypt_disks_rroot.yml | 49 +++++++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 roles/start/tasks/encrypt_disks_rroot.yml
diff --git a/roles/start/tasks/encrypt_disks_rroot.yml b/roles/start/tasks/encrypt_disks_rroot.yml
new file mode 100644
index 0000000..8f4aa49
--- /dev/null
+++ b/roles/start/tasks/encrypt_disks_rroot.yml
@@ -0,0 +1,49 @@
+---
+- name: rroot disk name
+  ansible.builtin.shell: |
+    fdisk -l | grep -E '^(Devi|/dev)' | sort -nk2,2 |grep -B1 -A1 -w `findmnt -n -o SOURCE /` >/tmp/disks; if [[ `wc -l /tmp/disks |awk '{print $1}'` -gt 1 && `wc -l /tmp/disks |awk '{print $1}'` -ne 3 ]]; then sed '1!D' /tmp/disks; elif [[ `wc -l /tmp/disks |awk '{print $1}'` -eq 3 ]]; then sed '3!D' /tmp/disks; fi |awk '{print $1}'|grep -o '[^/]*$'
+  register: rroot_disk
+  ignore_errors: true
+
+- name: Create keyfile
+  ansible.builtin.shell: |
+    openssl genrsa -out /root/keyfile_rroot; chmod 0400 /root/keyfile_rroot
+  ignore_errors: true
+  when: rroot_disk is undefined or rroot_disk == None or rroot_disk | length == 0
+
+- name: Encrypt rroot disk
+  ansible.builtin.shell: |
+    cryptsetup -q luksFormat /dev/{{ rroot_disk }} --key-file /root/keyfile_rroot
+  ignore_errors: true
+  when: rroot_disk is undefined or rroot_disk == None or rroot_disk | length == 0
+
+- name: Open encrypted rroot disk
+  ansible.builtin.shell: |
+    cryptsetup luksOpen /dev/{{ rroot_disk }} {{ rroot_disk }} --key-file /root/keyfile_rroot
+  ignore_errors: true
+  register: rroot_disk_status
+  when: rroot_disk is undefined or rroot_disk == None or rroot_disk | length == 0
+
+- name: Format the encrypted rroot disk
+  command: mkfs.ext4 /dev/mapper/{{ rroot_name }}
+  when: rroot_disk is undefined or rroot_disk == None or rroot_disk | length == 0
+
+- name: Ensure the mount point exists
+  file:
+    path: /mnt/{{ rroot_name }}
+    state: directory
+  when: rroot_disk is undefined or rroot_disk == None or rroot_disk | length == 0
+
+- name: Mount the encrypted second disk
+  mount:
+    path: /mnt/{{ rroot_disk }}
+    src: /dev/mapper/{{ rroot_disk }}
+    fstype: ext4
+    state: mounted
+  when: rroot_disk is undefined or rroot_disk == None or rroot_disk | length == 0
+
+- name: Add crypttab
+  ansible.builtin.shell: |
+    printf "{{ rroot_disk }} /dev/{{ rroot_disk }} /root/keyfile luks\n">/etc/crypttab
+  when: rroot_disk is undefined or rroot_disk == None or rroot_disk | length == 0
+
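Review bot: Every task after the detection step is guarded by `when: rroot_disk is undefined or rroot_disk == None or rroot_disk | length == 0`, but `rroot_disk` is the registered result of the first shell task and is therefore always a defined, non-empty dict, so the keyfile, luksFormat, luksOpen, mkfs, mount and crypttab tasks can never run; if the guard is simply inverted, `/dev/{{ rroot_disk }}` then templates the whole result dict instead of the device name in `rroot_disk.stdout`. Once the guard actually fires, `cryptsetup -q luksFormat` under `ignore_errors: true` will overwrite whichever device `grep -B1 -A1` happens to place next to the root partition with no confirmation and no failure reported, so the format step needs a pre-check that the target is not mounted and carries no existing signature, and `-q` plus `ignore_errors` should not be combined on a destructive command. The key is written to `/root/keyfile_rroot` but `/etc/crypttab` points at `/root/keyfile`, so the volume would not unlock at boot; the `printf ... >/etc/crypttab` redirection also replaces any existing crypttab entries rather than adding one, and `rroot_name` (used by the mkfs and mkdir tasks) is never defined while the mount task uses `rroot_disk`. Note too that `chmod 0400` after `openssl genrsa` leaves a window where the key is created with the default umask, and a keyfile sitting on the unencrypted root filesystem only protects the data disk against removal from this host, not against anyone who can read `/root` — worth stating in a comment at the top of the file. A guarded rewrite of the keyfile, format and crypttab tasks, with the other tasks switched to the same `rroot_disk.stdout` guard:
```yaml
# … unchanged: "rroot disk name" detection task …

- name: Create keyfile (umask applied before creation so the key is never world-readable)
  ansible.builtin.shell: |
    set -e
    umask 077
    openssl rand -out /root/keyfile_rroot 512
  args:
    creates: /root/keyfile_rroot
  when: rroot_disk.stdout | default('') | length > 0

- name: Refuse to format a device that is mounted or already carries a signature
  ansible.builtin.shell: |
    dev=/dev/{{ rroot_disk.stdout }}
    if findmnt -n "$dev" >/dev/null; then echo "$dev is mounted" >&2; exit 1; fi
    if blkid -p "$dev" >/dev/null 2>&1; then echo "$dev already has a signature" >&2; exit 1; fi
  changed_when: false
  when: rroot_disk.stdout | default('') | length > 0

- name: Encrypt rroot disk
  ansible.builtin.shell: |
    cryptsetup -q luksFormat /dev/{{ rroot_disk.stdout }} --key-file /root/keyfile_rroot
  when: rroot_disk.stdout | default('') | length > 0

# … unchanged: luksOpen / mkfs / mkdir / mount tasks, using rroot_disk.stdout in place of rroot_disk and rroot_name …

- name: Add crypttab entry (append, do not overwrite existing entries)
  ansible.builtin.lineinfile:
    path: /etc/crypttab
    create: true
    mode: "0600"
    line: "{{ rroot_disk.stdout }} /dev/{{ rroot_disk.stdout }} /root/keyfile_rroot luks"
  when: rroot_disk.stdout | default('') | length > 0
```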