From 447c7cce7d750aff35d0a60f29ecf2623142b72f Mon Sep 17 00:00:00 2001
From: Michael Wilson
Date: Fri, 2 Dec 2022 20:29:51 +0100
Subject: [PATCH] add role for unlocking encrypted disk via initramfs
---
 linux/unlock_initramfs/defaults/main.yml | 1 +
 linux/unlock_initramfs/handlers/main.yml | 2 ++
 linux/unlock_initramfs/tasks/unlock.yml | 40 ++++++++++++++++++++++++
 3 files changed, 43 insertions(+)
 create mode 100644 linux/unlock_initramfs/defaults/main.yml
 create mode 100644 linux/unlock_initramfs/handlers/main.yml
 create mode 100644 linux/unlock_initramfs/tasks/unlock.yml
diff --git a/linux/unlock_initramfs/defaults/main.yml b/linux/unlock_initramfs/defaults/main.yml
new file mode 100644
index 0000000..10aa784
--- /dev/null
+++ b/linux/unlock_initramfs/defaults/main.yml
@@ -0,0 +1 @@
+unlock_disk_encryption_secret: secret
diff --git a/linux/unlock_initramfs/handlers/main.yml b/linux/unlock_initramfs/handlers/main.yml
new file mode 100644
index 0000000..daea996
--- /dev/null
+++ b/linux/unlock_initramfs/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: unlock_disk
+ include_tasks: tasks/unlock.yml
diff --git a/linux/unlock_initramfs/tasks/unlock.yml b/linux/unlock_initramfs/tasks/unlock.yml
new file mode 100644
index 0000000..97886c6
--- /dev/null
+++ b/linux/unlock_initramfs/tasks/unlock.yml
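Review bot: `unlock_disk_encryption_secret: secret` in defaults/main.yml gives the role a working default passphrase, so a play that forgets to set the variable silently pipes the literal string `secret` to `cryptroot-unlock` instead of failing. A disk-encryption passphrase should have no usable default and should come from a vault-encrypted vars file, never from a plain-text default committed to the repository. Replace the default with something that fails loudly, e.g. `unlock_disk_encryption_secret: "{{ undef(hint='set unlock_disk_encryption_secret from ansible-vault') }}"` (the `undef()` helper needs ansible-core 2.12 or newer), or drop the key entirely and document the requirement above it: `# Required; supply via ansible-vault or an encrypted vars file, never as a plain-text default.`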
@@ -0,0 +1,40 @@
+- name: send unlock command
+ raw: "printf '{{ unlock_disk_encryption_secret }}' | cryptroot-unlock"
+
+- name: wait for boot
+ wait_for:
+ delay: 5
+ port: '{{ hostvars[inventory_hostname].ansible_ssh_port|default(22) }}'
+ host: '{{ hostvars[inventory_hostname].ansible_host }}'
+ search_regex: OpenSSH|dropbear
+ timeout: 300
+ delegate_to: localhost
+ delegate_facts: yes
+
+- name: test ssh connection with {{ ansible_user }}
+ shell: |
+ ssh -p{{ hostvars[inventory_hostname].ansible_ssh_port|default(22) }} \
+ -i {{ hostvars[inventory_hostname].ansible_ssh_private_key_file }} \
+ -oStrictHostkeyChecking=no \
+ -oBatchMode=yes \
+ {{ hostvars[inventory_hostname].ansible_user }}@{{ hostvars[inventory_hostname].ansible_host }} echo test
+ register: connection_test
+ ignore_errors: yes
+ delegate_to: localhost
+
+- name: set ansible_user
+ set_fact:
+ ansible_ssh_user: "{{ ansible_user }}"
+ when: connection_test is succeeded
+
+- name: set python interpreter
+ set_fact:
+ ansible_python_interpreter: /usr/bin/env python3
+ discovered_interpreter_python:
+
+- name: reload facts
+ setup:
+
+- name: set python interpreter
+ set_fact:
+ ansible_python_interpreter: "{{ discovered_interpreter_python }}"
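Review bot: The `send unlock command` task at the top of the hunk interpolates the disk passphrase directly into the shell command with no `no_log`, so the full passphrase is printed in `-v` output and handed to every result callback, and because it is placed in printf's format-string position a passphrase containing `%` is mangled and one containing `'` breaks the command outright. Shell-quote it as a printf argument and suppress logging: `raw: "printf '%s' {{ unlock_disk_encryption_secret | quote }} | cryptroot-unlock"` plus `no_log: true` on the task. Separately, the `test ssh connection` task passes `-oStrictHostkeyChecking=no`, which disables host-key verification for a key-authenticated session into a machine that was just unlocked over the network; if the intent is only to tolerate the initramfs (dropbear) host key differing from the OS one, pin both keys in a dedicated `-oUserKnownHostsFile=...` rather than turning the check off.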