forked from mobalt/ccf-relay
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathencryption_existingpartition.yml
128 lines (115 loc) · 3.67 KB
/
encryption_existingpartition.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
- name: pb to create partition
hosts: all
become: true
vars:
#target_size: 1720GB
target_device: /dev/sda
target_partition: 3
#target_device: /dev/nvme0n1
#target_partition: p3
crypt_name: data
tasks:
- name: Create a directory if it does not exist - /data
ansible.builtin.file:
path: /data
state: directory
mode: '0755'
- name: block for doing basic setup and verification for target system
block:
- name: get facts for "{{ target_device }}"
parted:
device: "{{ target_device }}"
register: target_facts
- name: print facts for "{{ target_device }}"
debug:
msg: "{{ target_facts }}"
- name: check to see if there are any facts for /dev/vdb1. this means there are existing partitions that we would overwrite, so fail
debug:
msg: "{{ target_facts }}.partitions"
# failed_when: ansible_devices.sdc.partitions.sdc1 is defined ### if vdb1 is defined, there's already a partition there, so abort.
- name: print size for the disk
debug:
msg: "the size is {{ target_facts['disk']['size'] }} kib"
- name: make sure cryptsetup is installed
apt:
name: cryptsetup
state: latest
- name: block to attempt to get info on what my destination device will become
block:
- name: task to attempt to get info on what my destination device will be
parted:
device: "{{ target_device}}"
number: 1
state: info
register: info_output
- name: print info_output
debug:
msg: "{{ info_output }}"
#- name: block to attempt parted
# block:
# - name: use parted in block to create new partition
# parted:
# device: "{{ target_device }}"
# number: 1
# state: present
# part_end: "{{ target_size }}"
# register: parted_output
# rescue:
# - name: parted failed
# fail:
# msg: 'parted failed: {{ parted_output }}'
- name: block for LUKS and filesystem tasks
block:
- name: create LUKS container with passphrase
luks_device:
device: "{{ target_device }}{{ target_partition }}"
state: present
name: "{{ crypt_name }}"
# Bad place to keep passphrase, even examples.
# TODO: Move to extra-repo location like .env
passphrase: "{{ lookup('env', 'ENCRYPT_PW') }}"
new_passphrase: "{{ lookup('env', 'ENCRYPT_PW') }}"
- name: open luks container
luks_device:
device: "{{ target_device }}{{ target_partition }}"
state: opened
name: "{{ crypt_name }}"
passphrase: "{{ lookup('env', 'ENCRYPT_PW') }}"
- name: create a filesystem
filesystem:
fstype: ext4
dev: "/dev/mapper/{{ crypt_name }}"
- name: mount device
mount:
path: /data
src: "/dev/mapper/{{ crypt_name }}"
state: mounted
fstype: ext4
boot: no
# - name: put some content in my new filesystem
# copy:
# content: "Hello secure world!"
# dest: /data/hello_world.txt
#
# - name: set content in /etc/crypttab so I can mount the partition on reboot
# copy:
# content: "{{ crypt_name }} {{ target_device }}1 none luks,tries=1"
# dest: /etc/crypttab
# owner: root
# group: root
# mode: 0644
#
# - name: remove device from fstab
# mount:
# path: /data
# src: "/dev/mapper/{{ crypt_name }}"
# state: absent
#
#
## - name: set content in /etc/crypttab so I can mount the partition on reboot
## copy:
## content: "{{ crypt_name }} {{ target_device }}1 {{ keyfile }}"
## dest: /etc/crypttab
## owner: root
## group: root
## mode: 0644