remote_unlock Role
Log in to the initial RAM filesystem via SSH and unlock encrypted disks, then continue booting after the unlock.
The alternative entry point 'prepare' sets the system up for this task.
Variables
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| unlock_port | int | no | 222 | TCP/IP port of the initial RAM filesystem SSH daemon |
| luks_passphrase | str | yes | | Passphrase to unlock encrypted LUKS disks |
Alternative Entry Point 'prepare'
Install all dependencies and build an initial RAM filesystem that runs an SSH daemon. SSH will then be available to unlock LUKS-encrypted disks remotely.
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| unlock_port | int | no | 222 | TCP/IP port of the initial RAM filesystem SSH daemon |
| ssh_keys | list[str] | yes | | List of SSH public keys that will be added to .ssh/authorized_keys |
Example
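```yaml
---
- name: Remote Unlock Test
  hosts: all
  vars:
    # Port of the SSH daemon inside the initial RAM filesystem
    unlock_port: 2224
    # Sample value for the test play; a real passphrase belongs in Ansible Vault
    luks_passphrase: '123456'
    # Public keys allowed to log in to the initial RAM filesystem
    ssh_keys:
      - "ssh-rsa 8J+OtU5ldmVyIGdvbm5hIGdpdmUgeW91IHVw8J+Otg== UmljayDwn5W6@IPCfp7sg"
      - "ssh-ed25519 TmV2ZXIgZ29ubmEgbGV0IHlvdSBkb3du8J+Otg== UmljayDwn5W6@IPCfp7sg"
  tasks:
    # Install dependencies and build the initial RAM filesystem with the SSH daemon
    - name: Prepare Unlock
      ansible.builtin.include_role:
        name: copyrights.on_premises.remote_unlock
        tasks_from: prepare.yml
      vars:
        ansible_become: true
    - name: Flush handlers
      ansible.builtin.meta: flush_handlers
    # Schedule the reboot one minute ahead so the task can return first
    - name: Restart
      ansible.builtin.command:
        cmd: shutdown -r +1
      become: true
      changed_when: result['rc'] == 0
      register: result
    # Default entry point: log in to the initial RAM filesystem and unlock the disks
    - name: Unlock after reboot
      ansible.builtin.include_role:
        name: copyrights.on_premises.remote_unlock
```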