Encryption role for luks encrypted drives including TPM2 support

lmn-client.yml

@@ -49,6 +49,7 @@
     - lmn_network
     - role: up2date_debian
       tags: upgrade
+    - lmn_encrypt
     - lmn_sssd
     - lmn_mount
     - lmn_kde

roles/lmn_encrypt/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+encrypt_passphrase_initial: Muster!
+encrypt_tpm2: false

roles/lmn_encrypt/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: Run update-grub
+  ansible.builtin.command: update-grub
+
+- name: Run update-dracut
+  ansible.builtin.command: dracut -f

roles/lmn_encrypt/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+- name: Find device with LUKS holder
+  vars:
+    partitions: "{{ item.value.partitions | dict2items | selectattr('value.holders', 'search', 'luks|crypt') }}"
+  ansible.builtin.set_fact:
+    encrypt_device: "/dev/disk/by-id/{{ partitions[0].value.links.ids[0] }}"
+  when:
+    - item.value.partitions is defined
+    - item.value.partitions | dict2items | length > 0
+  loop: "{{ ansible_devices | dict2items }}"
+
+- name: Get luks slots
+  ansible.builtin.command:
+    cmd: "systemd-cryptenroll {{ encrypt_device }}"
+  register: encrypt_slots_result
+  changed_when: false
+  when: encrypt_device is defined
+
+- name: Change Password of Luks password slot
+  ansible.builtin.command:
+    cmd: >
+      systemd-run -P --wait
+      -p SetCredential=cryptenroll.passphrase:{{ encrypt_passphrase_initial }}
+      -p SetCredential=cryptenroll.new-passphrase:{{ encrypt_passphrase }}
+      systemd-cryptenroll --password {{ encrypt_device }} --wipe-slot=password
+  no_log: true
+  when:
+    - encrypt_device is defined
+    - encrypt_passphrase is defined
+    - encrypt_slots_result.stdout_lines | length == 2
+    - encrypt_slots_result.stdout_lines[1].startswith('   0')
+
+- name: TPM Device Check
+  ansible.builtin.stat:
+    path: /dev/tpm0
+  register: tpm_device
+  when: encrypt_device is defined
+
+- name: Include TPM2 role
+  ansible.builtin.include_tasks:
+    file: tpm2.yml
+  when:
+    - encrypt_device is defined
+    - encrypt_tpm2
+    - tpm_device.stat.exists

roles/lmn_encrypt/tasks/tpm2.yml

@@ -0,0 +1,42 @@
+---
+- name: Install tpm2-tools and dracut
+  ansible.builtin.apt:
+    name:
+      - tpm2-tools
+      - dracut
+
+- name: Enable tpm2-tss crypt module on dracut
+  ansible.builtin.copy:
+    dest: /etc/dracut.conf.d/crypt.conf
+    content: add_dracutmodules+=" tpm2-tss crypt "
+    mode: '0644'
+  notify: Run update-dracut
+
+- name: Comment out root device in crypttab
+  ansible.builtin.lineinfile:
+    dest: /etc/crypttab
+    regexp: '^([^#].*)'
+    line: '#\1'
+    backrefs: true
+
+- name: Insert luks support to GRUB_CMDLINE_LINUX
+  ansible.builtin.lineinfile:
+    dest: /etc/default/grub
+    regexp: '^(GRUB_CMDLINE_LINUX=).*'
+    line: '\1"rd.auto rd.luks=1"'
+    backrefs: true
+  notify: Run update-grub
+
+- name: Insert TPM2 to Luks slot
+  ansible.builtin.command:
+    cmd: >
+      systemd-run -P --wait
+      -p SetCredential=cryptenroll.passphrase:{{ encrypt_passphrase | default(encrypt_passphrase_initial) }}
+      systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 {{ encrypt_device }} --wipe-slot=tpm2
+  no_log: true
+  when: "'tpm2' not in encrypt_slots_result.stdout"
+
+# - name: Update TPM2 Luks slot
+#   ansible.builtin.command:
+#     cmd: systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+8 --unlock-tpm2-device=auto {{ encrypt_device }} --wipe-slot=tpm2
+#   when: not grub_config.changed