From 703dda21f74131995072d3cb53b5961c9e3f77f0 Mon Sep 17 00:00:00 2001
From: Frank Adaemmer
Date: Sun, 16 Oct 2022 13:36:36 +0200
Subject: [PATCH] add LUKS encryption

---
 roles/server_iso/README.md | 2 ++
 roles/server_iso/meta/argument_specs.yml | 5 +++++
 roles/server_iso/templates/kickstart.ks.j2 | 2 +-
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/roles/server_iso/README.md b/roles/server_iso/README.md
index 41d6b73..e70b00a 100644
--- a/roles/server_iso/README.md
+++ b/roles/server_iso/README.md
@@ -15,6 +15,7 @@ Create an Oracle Linux 9 ISO for automatic server installation.
 |netmask |str | no | | IPv4 subnet mask. This will only be used when ansible_host is a IP address. |
 |ssh_keys |list[str] | no | | List of ssh public keys that will be added to .ssh/authorized_keys |
 |iso_path |str | yes | | Storage location for the created ISO |
+|luks_password |str | yes | | Password for disk encryption. Consider password change after first boot. |
 
 ## Example Playbook
 
@@ -24,6 +25,7 @@ Create an Oracle Linux 9 ISO for automatic server installation.
 gather_facts: false
 vars:
 iso_path: "~/Downloads/OEL_{{ inventory_hostname }}.iso"
+luks_password: Password1
 ssh_keys:
 - "ssh-rsa 8J+OtU5ldmVyIGdvbm5hIGdpdmUgeW91IHVw8J+Otg== UmljayDwn5W6@IPCfp7sg"
 roles:
diff --git a/roles/server_iso/meta/argument_specs.yml b/roles/server_iso/meta/argument_specs.yml
index 724e024..f0659d2 100644
--- a/roles/server_iso/meta/argument_specs.yml
+++ b/roles/server_iso/meta/argument_specs.yml
@@ -55,3 +55,8 @@ argument_specs:
 required: true
 description: "Storage location for the created ISO"
 type: "str"
+
+luks_password:
+required: true
+description: "Password for disk encryption. Consider password change after first boot."
+type: "str"
diff --git a/roles/server_iso/templates/kickstart.ks.j2 b/roles/server_iso/templates/kickstart.ks.j2
index 9098b56..5eac254 100644
--- a/roles/server_iso/templates/kickstart.ks.j2
+++ b/roles/server_iso/templates/kickstart.ks.j2
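Review bot: The description of the new `luks_password` option leaves out where the value ends up: the kickstart template in this same patch renders it in clear text (`--passphrase={{ luks_password }}`), so a user reading only the argument spec does not learn that the generated kickstart, and presumably the ISO built from it, must be kept private and that the value should be sourced from Ansible Vault rather than plain `vars:`. Suggest `description: "LUKS passphrase for the LVM physical volume. It is written in clear text into the generated kickstart, so supply it from Ansible Vault, keep the ISO private and change the passphrase after first boot."`. The README table row for the option would want the same wording. The `options:` mapping this entry belongs to starts before this hunk.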
@@ -73,7 +73,7 @@ ignoredisk --only-use=sda
 # Partition clearing information
 clearpart --all --initlabel
 # Disk partitioning information
-part pv.116 --fstype="lvmpv" --ondisk=sda --grow --size=25600
+part pv.116 --fstype="lvmpv" --ondisk=sda --grow --size=25600 --encrypted --cipher=aes-xts-plain64 --passphrase={{ luks_password }}
 part /boot --fstype="xfs" --ondisk=sda --size=1024
 volgroup ol --pesize=4096 pv.116
 logvol /var/log --fstype="xfs" --size=2048 --name=var_log --vgname=ol
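Review bot: The added `--passphrase={{ luks_password }}` puts the LUKS passphrase in clear text into the rendered kickstart, so the kickstart and presumably the ISO that embeds it become secrets in their own right; the variable should come from Ansible Vault or a lookup instead of the plain `vars:` entry the README example (`luks_password: Password1`) shows, and the task that templates this file (outside this patch) should run with `no_log: true` so the rendered line does not land in the play output. The value is also unquoted, so a passphrase containing whitespace or a `#` may be split or truncated when the kickstart line is tokenised; at minimum write `--passphrase="{{ luks_password }}"` and document that the passphrase must not contain double quotes. Anaconda normally keeps a copy of the kickstart on the installed system under /root (anaconda-ks.cfg / original-ks.cfg); it is worth confirming whether the passphrase survives there and, if so, removing it in a post-install step, which also gives the "change after first boot" advice a concrete home.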