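---
# LUKS credential handling for the first disk that carries a LUKS holder.
#
# Flow: locate the encrypted device -> list its key slots -> rotate the
# password slot (only when exactly one slot, slot 0, is enrolled) -> hand off
# to tpm2.yml when a TPM is present and TPM2 enrolment was requested.
#
# Fact set here: encrypt_device
# Variables expected from the caller / role defaults:
#   encrypt_passphrase_initial, encrypt_passphrase, encrypt_tpm2

- name: Find device with LUKS holder
  vars:
    # Partitions of the current disk whose holder name looks like a
    # LUKS/crypt mapper device.
    partitions: "{{ item.value.partitions | dict2items | selectattr('value.holders', 'search', 'luks|crypt') }}"
  ansible.builtin.set_fact:
    # Stable by-id path so later commands do not depend on sdX ordering.
    # If several disks match, the last one in the loop wins.
    # Assumes the partition has at least one by-id link; verify on hosts
    # where ids may be empty (e.g. some virtual disks).
    encrypt_device: "/dev/disk/by-id/{{ partitions[0].value.links.ids[0] }}"
  when:
    - item.value.partitions is defined
    # Test the filtered list, not the raw partition count: a disk with
    # partitions but no LUKS holder would otherwise make partitions[0] fail.
    - partitions | length > 0
  loop: "{{ ansible_devices | dict2items }}"
  loop_control:
    # Print only the device name instead of the whole facts entry.
    label: "{{ item.key }}"

- name: Get luks slots
  ansible.builtin.command:
    argv:
      - systemd-cryptenroll
      - "{{ encrypt_device }}"
  register: encrypt_slots_result
  # Listing slots never modifies the volume.
  changed_when: false
  when: encrypt_device is defined

- name: Change Password of Luks password slot
  ansible.builtin.command:
    # argv rather than a folded cmd string: passphrases containing spaces or
    # shell-special characters must reach systemd-run as single arguments.
    argv:
      - systemd-run
      - -P
      - --wait
      - -p
      - "SetCredential=cryptenroll.passphrase:{{ encrypt_passphrase_initial }}"
      - -p
      - "SetCredential=cryptenroll.new-passphrase:{{ encrypt_passphrase }}"
      - systemd-cryptenroll
      - --password
      - "{{ encrypt_device }}"
      - --wipe-slot=password
  # Keeps both passphrases out of Ansible output and logs. They are still
  # present in the systemd-run argument vector on the managed host while it
  # runs (and possibly in the transient unit's properties); passing them via
  # LoadCredential= from a mode 0600 temporary file would avoid that.
  no_log: true
  when:
    - encrypt_device is defined
    - encrypt_passphrase is defined
    # Rotate only when the slot listing shows exactly one enrolled slot and it
    # is slot 0 (assumes a header line followed by one " 0 ..." row).
    - encrypt_slots_result.stdout_lines | length == 2
    - encrypt_slots_result.stdout_lines[1].startswith(' 0')

- name: TPM Device Check
  ansible.builtin.stat:
    path: /dev/tpm0
  register: tpm_device
  when: encrypt_device is defined

- name: Include TPM2 role
  ansible.builtin.include_tasks:
    file: tpm2.yml
  when:
    # Order matters: tpm_device.stat only exists when the check above ran.
    - encrypt_device is defined
    # encrypt_tpm2 must be defined by the caller; an undefined value fails here.
    - encrypt_tpm2
    - tpm_device.stat.exists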