Рядом с рут разделом жахаю если есть что

2024-09-01 16:09:31 +00:00 · 2024-09-01 16:09:31 +00:00 · cc41a453e3
parent e8109b60eb
commit cc41a453e3
1 changed files with 49 additions and 0 deletions
--- a/roles/start/tasks/encrypt_disks_rroot.yml
+++ b/roles/start/tasks/encrypt_disks_rroot.yml
@ -0,0 +1,49 @@
+---
+- name: rroot disk name
+  ansible.builtin.shell: |
+   fdisk -l | grep -E '^(Devi|/dev)' | sort -nk2,2  |grep -B1 -A1 -w `findmnt -n -o SOURCE /` >/tmp/disks;  if [[ `wc -l /tmp/disks |awk '{print $1}'` -gt 1 && `wc -l /tmp/disks |awk '{print $1}'` -ne 3 ]]; then sed '1!D' /tmp/disks; elif [[ `wc -l /tmp/disks |awk '{print $1}'` -eq 3 ]]; then sed '3!D' /tmp/disks; fi |awk '{print $1}'|grep -o '[^/]*$'
+  register: rroot_disk
+  ignore_errors: true
+  
+- name: Create keyfile
+  ansible.builtin.shell: |
+    openssl genrsa -out /root/keyfile_rroot; chmod 0400 /root/keyfile_rroot
+  ignore_errors: true
+  when: rroot_disk is undefined or rroot_disk == None or rroot_disk | length == 0
+
+- name: Encrypt rroot disk
+  ansible.builtin.shell: |
+    cryptsetup -q luksFormat /dev/{{ rroot_disk }} --key-file /root/keyfile_rroot
+  ignore_errors: true
+  when: rroot_disk is undefined or rroot_disk == None or rroot_disk | length == 0
+
+- name: Open encrypted rroot disk
+  ansible.builtin.shell: |
+    cryptsetup luksOpen /dev/{{ rroot_disk }} {{ rroot_disk }} --key-file /root/keyfile_rroot
+  ignore_errors: true
+  register: rroot_disk_status
+  when: rroot_disk is undefined or rroot_disk == None or rroot_disk | length == 0
+
+- name: Format the encrypted rroot disk
+  command: mkfs.ext4 /dev/mapper/{{ rroot_name }}
+  when: rroot_disk is undefined or rroot_disk == None or rroot_disk | length == 0
+
+- name: Ensure the mount point exists
+  file:
+    path: /mnt/{{ rroot_name }}
+    state: directory
+  when: rroot_disk is undefined or rroot_disk == None or rroot_disk | length == 0
+
+- name: Mount the encrypted second disk
+  mount:
+    path: /mnt/{{ rroot_disk }}
+    src: /dev/mapper/{{ rroot_disk }}
+    fstype: ext4
+    state: mounted
+  when: rroot_disk is undefined or rroot_disk == None or rroot_disk | length == 0
+
+- name: Add crypttab
+  ansible.builtin.shell: |
+    printf "{{ rroot_disk }} /dev/{{ rroot_disk }}  /root/keyfile luks\n">/etc/crypttab
+  when: rroot_disk is undefined or rroot_disk == None or rroot_disk | length == 0
+