From f6a5f764852ae7a9777b251b98e6c8875e19105e Mon Sep 17 00:00:00 2001
From: ReYo
Date: Tue, 3 Sep 2024 18:40:43 +0000
Subject: [PATCH] =?UTF-8?q?=D0=98=D1=81=D0=BF=D1=80=D0=B0=D0=B2=D0=BB?=
 =?UTF-8?q?=D0=B5=D0=BD=D0=B8=D0=B5=20=D0=BF=D0=BE=20=D0=BC=D0=BE=D0=B4?=
 =?UTF-8?q?=D1=83=D0=BB=D1=8F=D0=BC=20luks=20+=20=D0=B4=D0=BE=D0=BF=D0=BE?=
 =?UTF-8?q?=D0=BB=D0=BD=D0=B8=D1=82=D0=B5=D0=BB=D1=8C=D0=BD=D0=B0=D1=8F=20?=
 =?UTF-8?q?=D0=BF=D1=80=D0=BE=D0=B2=D0=B5=D1=80=D0=BA=D0=B0=20=D0=BD=D0=B0?=
 =?UTF-8?q?=20=D0=BE=D1=88=D0=B8=D0=B1=D0=BA=D0=B8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 roles/start/tasks/encrypt_disks.yml | 27 ++++++++++++-----------
 roles/start/tasks/encrypt_disks_rroot.yml | 20 +++++++----------
 2 files changed, 22 insertions(+), 25 deletions(-)

diff --git a/roles/start/tasks/encrypt_disks.yml b/roles/start/tasks/encrypt_disks.yml
index 2f50a0e..08c4da5 100644
--- a/roles/start/tasks/encrypt_disks.yml
+++ b/roles/start/tasks/encrypt_disks.yml
@@ -1,37 +1,38 @@ --- - name: Create keyfile - ansible.builtin.shell: | - openssl genrsa -out /root/keyfile; chmod 0400 /root/keyfile - ignore_errors: true + community.crypto.openssl_privatekey: + path: /root/keyfile -- name: Encrypt second disk - ansible.builtin.shell: | - cryptsetup -q luksFormat /dev/{{ sdisk_disk }} --key-file /root/keyfile - ignore_errors: true - -- name: Open encrypted second disk - ansible.builtin.shell: | - cryptsetup luksOpen /dev/{{ sdisk_disk }} {{ sdisk_name }} --key-file /root/keyfile +- name: Create/Open encrypted second disk + community.crypto.luks_device: + device: "/dev/{{ sdisk_disk }}" + state: "opened" + name: "{{ sdisk_name }}" + keyfile: "/root/keyfile" ignore_errors: true register: second_disk_status - name: Format the encrypted second disk command: mkfs.ext4 /dev/mapper/{{ sdisk_name }} - when: second_disk_status.rc == 0 + when: second_disk_status.failed|bool == false - name: Ensure the mount point exists file: path: /mnt/{{ sdisk_name }} state: directory + when: second_disk_status.failed|bool == false - name: Mount the encrypted second disk - mount: + ansible.posix.mount: path: /mnt/{{ sdisk_name }} src: /dev/mapper/{{ sdisk_name }} fstype: ext4 state: mounted + register: second_disk_status + when: second_disk_status.failed|bool == false - name: Add crypttab ansible.builtin.shell: | printf "{{ sdisk_name }} /dev/{{ sdisk_disk }} /root/keyfile luks\n">/etc/crypttab + when: second_disk_status.failed|bool == false diff --git a/roles/start/tasks/encrypt_disks_rroot.yml b/roles/start/tasks/encrypt_disks_rroot.yml index 31edca7..8ee5b55 100644 --- a/roles/start/tasks/encrypt_disks_rroot.yml +++ b/roles/start/tasks/encrypt_disks_rroot.yml 
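Review bot: `Format the encrypted second disk` is gated only on `second_disk_status.failed|bool == false`, and with `state: opened` the luks_device task also reports success on every later run where it merely unlocks an existing container, so `mkfs.ext4` would reformat the mapped device when it is not mounted and fail the play when it is. Replacing the command with `community.general.filesystem:` / `dev: /dev/mapper/{{ sdisk_name }}` / `fstype: ext4` (which leaves an existing filesystem untouched) makes the step idempotent, assuming that collection is available to the role; the format task in encrypt_disks_rroot.yml has the same problem. The mount task re-registers `second_disk_status`, so the crypttab gate reads the mount result rather than the LUKS one, and when luks_device failed the skipped mount's registered result presumably carries no `failed` key, which turns that `when` into a conditional error instead of a skip. Give the mount its own register name and write the gates as `when: second_disk_status is not failed`. The `openssl_privatekey` task also drops the `chmod 0400` the removed shell applied, so set `mode: "0400"` explicitly on it (and on the `/root/keyfile_rroot` task) rather than relying on the module default.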
@@ -12,24 +12,20 @@ var: rroot_disk.stdout - name: Create keyfile - ansible.builtin.shell: | - openssl genrsa -out /root/keyfile_rroot; chmod 0400 /root/keyfile_rroot + community.crypto.openssl_privatekey: + path: /root/keyfile_rroot ignore_errors: true when: rroot_disk.stdout | length > 0 -- name: Encrypt rroot disk - ansible.builtin.shell: | - cryptsetup -q luksFormat /dev/{{ rroot_disk.stdout }} --key-file /root/keyfile_rroot +- name: Create/Open encrypt rroot disk + community.crypto.luks_device: + device: "/dev/{{ rroot_disk.stdout }}" + state: "opened" + name: "{{ rroot_disk.stdout }}" + keyfile: "/root/keyfile_rroot" ignore_errors: true when: rroot_disk.stdout | length > 0 -- name: Open encrypted rroot disk - ansible.builtin.shell: | - cryptsetup luksOpen /dev/{{ rroot_disk.stdout }} {{ rroot_disk.stdout }} --key-file /root/keyfile_rroot - ignore_errors: true - register: rroot_disk_status - when: rroot_disk.stdout | length > 0 - - name: Format the encrypted rroot disk command: mkfs.ext4 /dev/mapper/{{ rroot_disk.stdout }} when: rroot_disk.stdout | length > 0
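Review bot: The combined `Create/Open encrypt rroot disk` task keeps `ignore_errors: true` but drops the `register: rroot_disk_status` the removed open task had, so a failed create/open is swallowed and `Format the encrypted rroot disk` still runs against `/dev/mapper/{{ rroot_disk.stdout }}`. Add `register: rroot_disk_status` back and gate the format task with `when: rroot_disk.stdout | length > 0 and rroot_disk_status is not failed`. If any task below this hunk still references `rroot_disk_status`, it is now undefined; the rest of the file is outside the hunk.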