100 lines
2.2 KiB
YAML
100 lines
2.2 KiB
YAML
---
|
|
|
|
- name: install busybox, cryptsetup and dropbear
|
|
apt:
|
|
name:
|
|
- busybox
|
|
- dropbear
|
|
- dropbear-initramfs
|
|
- cryptsetup
|
|
- cryptsetup-initramfs
|
|
state: latest
|
|
update_cache: true
|
|
tags:
|
|
- packages
|
|
|
|
- name: install systemd-cryptsetup
|
|
apt:
|
|
name:
|
|
- systemd-cryptsetup
|
|
state: latest
|
|
notify: update initramfs
|
|
tags:
|
|
- packages
|
|
when:
|
|
- ansible_distribution == "Debian"
|
|
|
|
- name: copy LUKS keyfile
|
|
copy:
|
|
src: private/keyfile-deadspace
|
|
dest: /root/keyfile-deadspace
|
|
owner: root
|
|
group: root
|
|
mode: 0700
|
|
no_log: true
|
|
when: '"name" in luks_crypttab.root.keys()'
|
|
|
|
- name: template crypttab
|
|
template:
|
|
src: crypttab.j2
|
|
dest: /etc/crypttab
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
notify: update initramfs
|
|
when: '"name" in luks_crypttab.root.keys()'
|
|
|
|
- name: ensure luks volumes are open
|
|
luks_device:
|
|
name: "{{ item.name }}"
|
|
uuid: "{{ item.uuid }}"
|
|
keyfile: "{{ luks_keyfile }}"
|
|
state: opened
|
|
with_items: "{{ luks_crypttab.disks }}"
|
|
loop_control:
|
|
label: "{{ item.name }}"
|
|
|
|
- name: mount luks volumes
|
|
mount:
|
|
path: |-
|
|
{{ item.mountpoint|default("/mnt/" ~ item.name) }}
|
|
src: /dev/mapper/{{ item.name }}
|
|
fstype: "{{ item.fstype|default('ext4') }}"
|
|
# present: add to fstab, mounted: mount and add to fstab
|
|
state: mounted
|
|
opts: nofail
|
|
notify: update initramfs
|
|
with_items: "{{ luks_crypttab.disks }}"
|
|
loop_control:
|
|
label: "{{ item.name }}"
|
|
when:
|
|
- item.mount|default(true)
|
|
|
|
- name: enable busybox in initramfs
|
|
replace:
|
|
path: /etc/initramfs-tools/initramfs.conf
|
|
regexp: '^#?BUSYBOX=.*$'
|
|
replace: "BUSYBOX=y"
|
|
notify: update initramfs
|
|
|
|
- name: set NO_START because we want to use openssh
|
|
replace:
|
|
path: /etc/default/dropbear
|
|
regexp: "^NO_START=.*$"
|
|
replace: "NO_START=1"
|
|
notify: update initramfs
|
|
|
|
- name: disable dropbear because we use openssh after boot
|
|
service:
|
|
name: dropbear
|
|
state: stopped
|
|
enabled: false
|
|
|
|
- name: authorized_keys for dropbear
|
|
template:
|
|
src: "private/sshkeys/{{ myusername }}.authorized_keys"
|
|
dest: "{{ dropbear_initramfs_dir|default('/etc/dropbear/initramfs') }}/authorized_keys"
|
|
mode: 0700
|
|
force: true
|
|
notify: update initramfs
|