---
# Tasks for remote LUKS unlock over SSH from the initramfs (dracut-crypt-ssh
# + dropbear). Every task writes root-owned system paths, so the play is
# expected to run with privilege escalation.

- name: Install EPEL
  # Presumably needed because dropbear (installed below) is not in the base
  # OL9 repositories.
  ansible.builtin.dnf:
    name: oracle-epel-release-el9
    state: present
- name: Install Dependencies
  # dropbear is the SSH server that ends up inside the initramfs; the other
  # four packages exist only to compile dracut-crypt-ssh from source on this
  # host (see the Build handler).
  # NOTE(review): leaving gcc/make/git permanently installed on the target
  # widens its attack surface; building the module elsewhere and shipping the
  # result would avoid that.
  ansible.builtin.dnf:
    state: present
    name:
      - dropbear
      - git
      - gcc
      - make
      - libblkid-devel
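- name: Clone dracut-crypt-ssh
  # This checkout is compiled by the Build handler and its output is placed in
  # the initramfs, i.e. in the code path that receives the LUKS passphrase.
  # Tracking a floating branch means every run may pull different, unreviewed
  # code into that path. Set dracut_crypt_ssh_version to a tag or commit SHA
  # to pin it; the default preserves the original behaviour (master).
  ansible.builtin.git:
    repo: https://github.com/dracut-crypt-ssh/dracut-crypt-ssh.git
    dest: /opt/src/dracut-crypt-ssh
    version: "{{ dracut_crypt_ssh_version | default('master') }}"
  notify: Build dracut-crypt-ssh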
- name: Flush handlers
  # Run the handlers notified so far (Build dracut-crypt-ssh) now instead of
  # at the end of the play, so the module is built before the dracut
  # configuration below is written and the initramfs is regenerated.
  ansible.builtin.meta: flush_handlers
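- name: Create small dracut module
  # Directory for the module-setup.sh written by the next task.
  # mode is quoted on purpose: an unquoted 0755 is parsed by YAML as an octal
  # integer and silently becomes decimal 755 if the leading zero is ever lost.
  ansible.builtin.file:
    path: /usr/lib/dracut/modules.d/99cryptsetup
    state: directory
    mode: "0755"
    owner: root
    group: root
    seuser: system_u
    serole: object_r
    setype: bin_t
    selevel: s0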
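- name: Ensure cryptsetup is installed in dracut
  # Minimal dracut module whose only job is to pull the cryptsetup binary
  # into the initramfs so the volume can be opened from the pre-boot
  # environment. check() rejects the module (non-zero) when cryptsetup is
  # not present on the host; install() copies the binary and requests the
  # initqueue.
  ansible.builtin.copy:
    dest: /usr/lib/dracut/modules.d/99cryptsetup/module-setup.sh
    content: |
      #!/bin/bash
      check() {
          require_binaries cryptsetup || return 1
          return 0
      }
      depends() {
          return 0
      }
      install() {
          inst cryptsetup
          dracut_need_initqueue
      }
    # Quoted so YAML keeps the leading zero instead of reading an octal int.
    mode: "0755"
    owner: root
    group: root
    seuser: system_u
    serole: object_r
    setype: bin_t
    selevel: s0
  notify: Regenerate initramfs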
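- name: Configure dracut-crypt-ssh
  # Writes the dropbear settings consumed when the initramfs is built:
  # listen port (unlock_port) and the ACL file written by the next task.
  # NOTE(review): with the *_key="SYSTEM" lines commented out the module falls
  # back to its default ("GENERATE" per the comment below). If that default
  # creates a fresh dropbear host key on every initramfs build, the operator
  # cannot verify the unlock shell's identity and an on-path attacker can
  # capture the LUKS passphrase — confirm against the module's
  # module-setup.sh and prefer persistent (PEM-converted) keys.
  # NOTE(review): seuser is unconfined_u here but system_u for the dracut
  # module above; probably unintentional, verify before aligning.
  ansible.builtin.copy:
    dest: /etc/dracut.conf.d/crypt-ssh.conf
    content: |
      dropbear_port="{{ unlock_port }}"
      # System keys are in an OpenSSH-specific format (not PEM).
      # So let's stick with default GENERATE or conver all key with
      # ssh-keygen -m PEM -p -f <key file>
      # dropbear_rsa_key="SYSTEM"
      # dropbear_ecdsa_key="SYSTEM"
      # dropbear_ed25519_key="SYSTEM"
      dropbear_acl="/etc/dracut.conf.d/authorized_keys"
    # Quoted so YAML keeps the leading zero instead of reading an octal int.
    mode: "0644"
    owner: root
    group: root
    seuser: unconfined_u
    serole: object_r
    setype: etc_t
    selevel: s0
  notify: Regenerate initramfs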
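- name: Ensure at least one unlock key is configured
  # Without this an empty ssh_keys list silently produces an empty ACL and
  # the host can no longer be unlocked over the network after the next
  # reboot. Fail early instead.
  ansible.builtin.assert:
    that:
      - ssh_keys | default([]) | length > 0
    fail_msg: ssh_keys must list at least one public key for the initramfs SSH ACL

- name: Configure dracut authorized_keys
  # One public key per line; this file becomes dropbear's ACL inside the
  # initramfs (dropbear_acl in crypt-ssh.conf).
  ansible.builtin.copy:
    dest: /etc/dracut.conf.d/authorized_keys
    content: |
      {% for ssh_key in ssh_keys %}
      {{ ssh_key }}
      {% endfor %}
    # Quoted so YAML keeps the leading zero instead of reading an octal int.
    mode: "0600"
    owner: root
    group: root
    seuser: unconfined_u
    serole: object_r
    setype: etc_t
    selevel: s0
  notify: Regenerate initramfs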
- name: Get GRUB defaults
  # Read /etc/default/grub so the next task can rewrite it with the
  # initramfs networking parameters; slurp returns the content base64-encoded.
  ansible.builtin.slurp:
    path: /etc/default/grub
  register: tmp_grub
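- name: Verify GRUB defaults carry the 'quiet' marker
  # The rewrite below anchors on the literal token "quiet". If it is absent
  # the original expression wrote the file back unchanged and the initramfs
  # never got networking, leaving the host unlockable only from the console.
  ansible.builtin.assert:
    that:
      - "'quiet' in (tmp_grub['content'] | b64decode)"
    fail_msg: "/etc/default/grub contains no 'quiet' kernel argument to anchor rd.neednet/ip on"

- name: Configure GRUB
  # Strip any existing rd.neednet= / ip= parameter, then re-insert
  # "rd.neednet=1 ip=dhcp" in front of "quiet" so repeated runs do not
  # duplicate arguments. The trailing whitespace in both patterns is optional
  # (\s? instead of \s) so a parameter sitting at the very end of the
  # cmdline is removed too rather than being duplicated on the next run.
  # NOTE(review): a bare ip=dhcp asks dracut to configure every interface
  # that obtains a lease, so the pre-boot dropbear listens on all of them;
  # restrict it (ip=<iface>:dhcp) or firewall it unless the host only has a
  # management network — verify against the site's network layout.
  ansible.builtin.copy:
    dest: /etc/default/grub
    content: "{{
      tmp_grub['content'] | b64decode |
      regex_replace('rd\\.neednet=\\S+\\s?', '') |
      regex_replace('ip=\\S+\\s?', '') |
      replace('quiet', 'rd.neednet=1 ip=dhcp quiet')
    }}"
    # Quoted so YAML keeps the leading zero instead of reading an octal int.
    mode: "0644"
    owner: root
    group: root
  notify: Regenerate GRUB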