diff --git a/lmn-client.yml b/lmn-client.yml
index 4d4ff4c..4a2fab7 100644
--- a/lmn-client.yml
+++ b/lmn-client.yml
@@ -49,6 +49,7 @@
 - lmn_network
 - role: up2date_debian
 tags: upgrade
+ - lmn_encrypt
 - lmn_sssd
 - lmn_mount
 - lmn_kde
diff --git a/roles/lmn_encrypt/defaults/main.yml b/roles/lmn_encrypt/defaults/main.yml
new file mode 100644
index 0000000..b9b7837
--- /dev/null
+++ b/roles/lmn_encrypt/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+encrypt_passphrase_initial: Muster!
+encrypt_tpm2: false
diff --git a/roles/lmn_encrypt/handlers/main.yml b/roles/lmn_encrypt/handlers/main.yml
new file mode 100644
index 0000000..0ef929f
--- /dev/null
+++ b/roles/lmn_encrypt/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: Run update-grub
+ ansible.builtin.command: update-grub
+
+- name: Run update-dracut
+ ansible.builtin.command: dracut -f
diff --git a/roles/lmn_encrypt/tasks/main.yml b/roles/lmn_encrypt/tasks/main.yml
new file mode 100644
index 0000000..83196c8
--- /dev/null
+++ b/roles/lmn_encrypt/tasks/main.yml
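Review bot: `encrypt_passphrase_initial: Muster!` is a fixed, human-readable passphrase committed as a role default with no comment explaining what it is, and `encrypt_passphrase`, which tasks/main.yml requires before it rotates the password slot, is not mentioned in defaults/main.yml at all. Add above the first key a comment such as `# Passphrase the image was encrypted with; tasks/main.yml replaces it with encrypt_passphrase when that variable is defined` and a second comment stating that `encrypt_passphrase` must be supplied per host (for example from a vault) and that the rotation is silently skipped while it is unset, so a reader of the defaults sees both facts without opening the tasks. `encrypt_tpm2` likewise deserves a one-line comment saying it enables TPM2 enrollment only when /dev/tpm0 exists on the host.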
@@ -0,0 +1,45 @@
+---
+- name: Find device with LUKS holder
+ vars:
+ partitions: "{{ item.value.partitions | dict2items | selectattr('value.holders', 'search', 'luks|crypt') }}"
+ ansible.builtin.set_fact:
+ encrypt_device: "/dev/disk/by-id/{{ partitions[0].value.links.ids[0] }}"
+ when:
+ - item.value.partitions is defined
+ - item.value.partitions | dict2items | length > 0
+ loop: "{{ ansible_devices | dict2items }}"
+
+- name: Get luks slots
+ ansible.builtin.command:
+ cmd: "systemd-cryptenroll {{ encrypt_device }}"
+ register: encrypt_slots_result
+ changed_when: false
+ when: encrypt_device is defined
+
+- name: Change Password of Luks password slot
+ ansible.builtin.command:
+ cmd: >
+ systemd-run -P --wait
+ -p SetCredential=cryptenroll.passphrase:{{ encrypt_passphrase_initial }}
+ -p SetCredential=cryptenroll.new-passphrase:{{ encrypt_passphrase }}
+ systemd-cryptenroll --password {{ encrypt_device }} --wipe-slot=password
+ no_log: true
+ when:
+ - encrypt_device is defined
+ - encrypt_passphrase is defined
+ - encrypt_slots_result.stdout_lines | length == 2
+ - encrypt_slots_result.stdout_lines[1].startswith(' 0')
+
+- name: TPM Device Check
+ ansible.builtin.stat:
+ path: /dev/tpm0
+ register: tpm_device
+ when: encrypt_device is defined
+
+- name: Include TPM2 role
+ ansible.builtin.include_tasks:
+ file: tpm2.yml
+ when:
+ - encrypt_device is defined
+ - encrypt_tpm2
+ - tpm_device.stat.exists
diff --git a/roles/lmn_encrypt/tasks/tpm2.yml b/roles/lmn_encrypt/tasks/tpm2.yml
new file mode 100644
index 0000000..50a989f
--- /dev/null
+++ b/roles/lmn_encrypt/tasks/tpm2.yml
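Review bot: `encrypt_device: "/dev/disk/by-id/{{ partitions[0].value.links.ids[0] }}"` in the first task indexes the filtered list, but its `when` only checks the unfiltered `item.value.partitions`, so a second disk whose partitions carry no luks/crypt holder (a plain data disk or USB stick) still runs the set_fact and fails on `partitions[0]`; guard on the task var itself instead, `- partitions | length > 0`, which is visible in `when`. When several disks do match, the last loop item silently wins, which deserves a comment or an explicit check. Separately, `no_log: true` on the password-change task only hides the two passphrases from the controller's output; both are still part of the argv of the transient `systemd-run` process on the managed host while it runs, so if that matters in this environment consider handing them over through `LoadCredential` from a restrictively permissioned file rather than `SetCredential` on the command line.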
@@ -0,0 +1,42 @@
+---
+- name: Install tpm2-tools and dracut
+ ansible.builtin.apt:
+ name:
+ - tpm2-tools
+ - dracut
+
+- name: Enable tpm2-tss crypt module on dracut
+ ansible.builtin.copy:
+ dest: /etc/dracut.conf.d/crypt.conf
+ content: add_dracutmodules+=" tpm2-tss crypt "
+ mode: '0644'
+ notify: Run update-dracut
+
+- name: Comment out root device in crypttab
+ ansible.builtin.lineinfile:
+ dest: /etc/crypttab
+ regexp: '^([^#].*)'
+ line: '#\1'
+ backrefs: true
+
+- name: Insert luks support to GRUB_CMDLINE_LINUX
+ ansible.builtin.lineinfile:
+ dest: /etc/default/grub
+ regexp: '^(GRUB_CMDLINE_LINUX=).*'
+ line: '\1"rd.auto rd.luks=1"'
+ backrefs: true
+ notify: Run update-grub
+
+- name: Insert TPM2 to Luks slot
+ ansible.builtin.command:
+ cmd: >
+ systemd-run -P --wait
+ -p SetCredential=cryptenroll.passphrase:{{ encrypt_passphrase | default(encrypt_passphrase_initial) }}
+ systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 {{ encrypt_device }} --wipe-slot=tpm2
+ no_log: true
+ when: "'tpm2' not in encrypt_slots_result.stdout"
+
+# - name: Update TPM2 Luks slot
+# ansible.builtin.command:
+# cmd: systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+8 --unlock-tpm2-device=auto {{ encrypt_device }} --wipe-slot=tpm2
+# when: not grub_config.changed
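Review bot: `line: '\1"rd.auto rd.luks=1"'` in the GRUB_CMDLINE_LINUX task replaces the entire value, so any kernel options already configured on the host are discarded; capture and append instead, e.g. `regexp: '^GRUB_CMDLINE_LINUX="((?!.*rd\.luks=1).*)"$'` with `line: 'GRUB_CMDLINE_LINUX="\1 rd.auto rd.luks=1"'`, where the negative lookahead keeps the task idempotent because lineinfile with backrefs changes nothing when the regexp does not match. In the crypttab task, lineinfile with `backrefs: true` rewrites only the last matching line, so a crypttab with more than one entry keeps the others active, and the task name says "root device" while `^([^#].*)` matches every non-comment line; a comment stating the single-entry layout the role expects would make that assumption visible. The enrollment binds the TPM2 slot to PCR 7 only, so the volume unlocks without a passphrase on any boot where the Secure Boot policy is unchanged, whatever kernel, initrd or command line was measured into other PCRs; a comment recording that this is the intended trade-off (the commented-out `--tpm2-pcrs=7+8` variant suggests it was considered) would spare the next maintainer from guessing.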