-rw-r--r--dan/host_vars/sk-2019.yml29
-rw-r--r--dan/sk-2019.yml1
-rw-r--r--inventory/host_vars/sk-2019.yml11
-rw-r--r--roles/cryptdisk/defaults/main.yml8
-rw-r--r--roles/cryptdisk/tasks/main.yml45
5 files changed, 84 insertions, 10 deletions
diff --git a/dan/host_vars/sk-2019.yml b/dan/host_vars/sk-2019.yml
index 10b7238c..67ff3aac 100644
--- a/dan/host_vars/sk-2019.yml
+++ b/dan/host_vars/sk-2019.yml
@@ -1,10 +1,21 @@
$ANSIBLE_VAULT;1.2;AES256;dan
-32333038313762663966323431303631613865306433343839363366656431653233326466386531
-6266393731356639353832656436346436383334636139300a356133346432386434396465313135
-64306665653431623930306439336535613465343464313163323138326135326234353862386533
-6566643032333631360a313963666234383262333265366631376561393138306461616233336464
-64383563303861643034653732396335643566613734306663323632313531323837343738326236
-35616131356630313161353864366361613736373465353035313431373533306436643166643863
-32396334386338626235366366313733353530333066663161313263363435356565326239653864
-63393464393261306664386631336339343139356533373732363734663539643133343061376361
-64666233656436336437343839306138393263653639376435323461323237373963
+35663165356437306532343566613137663338643139326330623135623134326539376639616138
+6539346263303561393339616133306131663233393536620a623939333832333263636338653435
+34386463316163363331303536323439373937303739613637613034363831633664353239653839
+6132313630376563350a663633333863626333306662613038373130386333353634376537613962
+65396539616130636239636264646263633338633263613537653465616330353163666364663432
+36653466393562383462633030316330346364663633653434663763376161333834326638616564
+32343563636333616633626534363865346662333862363939346664353461363862663066653264
+34396337643934386135303835373032306435626637303638353165636437353030363433373265
+33646636306163366334663037386633343233353138663061633830386136346236386630303037
+65363237346633346632653766326238333338323339643038346662386531326366353862333235
+36373566316166393439393831333136663933333939396561643566313039623832383365316164
+39633663346633323433393736303735323962653930313238336439353266353264626231653962
+65646135636433313534303633633365363261633232316466393735646361383437323935653931
+33356334653166373361303764356162303966323030366237663232343435376535623934633264
+61373233666664666436343964393066396632646164636366633833333565366232343536356331
+66353332346265663263386236643531633533643363326638396265353361303765636238643632
+61383137393665303064346531363339646164343831643130323437656166613336343632663338
+33626337326631396432326137383533373662643762326631313531313864363064356564366638
+66323066373737373662303833383862656333623864393665313234353133643838323737643161
+37383732306633666566
diff --git a/dan/sk-2019.yml b/dan/sk-2019.yml
index 18afd810..25c70226 100644
--- a/dan/sk-2019.yml
+++ b/dan/sk-2019.yml
@@ -5,4 +5,5 @@
- role: base
- role: sshd
- role: zsh
+ - role: cryptdisk
- role: zfs/base
diff --git a/inventory/host_vars/sk-2019.yml b/inventory/host_vars/sk-2019.yml
index 5f48bd83..aa7be02f 100644
--- a/inventory/host_vars/sk-2019.yml
+++ b/inventory/host_vars/sk-2019.yml
@@ -9,6 +9,15 @@ install:
network: {}
+cryptdisk_volumes:
+ crypto-nvme0:
+ passphrase: "{{ vault_cryptdisk_volumes['crypto-nvme0'].passphrase }}"
+ device: /dev/disk/by-id/nvme-eui.0025388791050fef-part3
+ crypto-nvme1:
+ passphrase: "{{ vault_cryptdisk_volumes['crypto-nvme1'].passphrase }}"
+ device: /dev/disk/by-id/nvme-eui.0025388791050fdc-part3
+
+
zfs_zpool_name: storage
zfs_zpool_mountpoint: /srv/storage
-zfs_zpool_create_vdevs: mirror nvme0n1p3 nvme1n1p3
+zfs_zpool_create_vdevs: mirror /dev/mapper/crypto-nvme0 /dev/mapper/crypto-nvme1
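Review bot: `zfs_zpool_create_vdevs` now names `/dev/mapper/crypto-nvme0` and `/dev/mapper/crypto-nvme1`, which exist only after the cryptdisk role has opened the volumes, so this host's vars carry an ordering dependency on the role list in dan/sk-2019.yml that nothing in this file records. A one-line comment above it, `# mapper devices are created by the cryptdisk role, which must run before zfs/base`, would make that explicit for the next person editing either file. The vault lookups also repeat each key name by hand (`vault_cryptdisk_volumes['crypto-nvme0']`), which is fine for two entries but will silently drift if a volume is renamed in one place and not the other.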
diff --git a/roles/cryptdisk/defaults/main.yml b/roles/cryptdisk/defaults/main.yml
new file mode 100644
index 00000000..9dca3e80
--- /dev/null
+++ b/roles/cryptdisk/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+# cryptdisk_volumes:
+# crypto-nvme0:
+# passphrase: "keep-this-very-very-secret"
+# device: /dev/nvme0n1p3
+# crypto-nvme1:
+# passphrase: "use-differnt-passphrase-and-keep-this-secret-as-well"
+# device: /dev/nvme1n1p3
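Review bot: The new defaults file declares no real value for `cryptdisk_volumes` — every line is a comment — so a host that includes the role without setting it fails at `cryptdisk_volumes | dict2items` in tasks/main.yml with an undefined-variable error instead of the role being a no-op; add `cryptdisk_volumes: {}` as an actual default below the example. The comment on the second example passphrase has a typo, `differnt` → `different`. The example would also benefit from stating the contract of each entry, e.g. `# each entry needs 'passphrase' and 'device'; the key becomes the /dev/mapper name`.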
diff --git a/roles/cryptdisk/tasks/main.yml b/roles/cryptdisk/tasks/main.yml
new file mode 100644
index 00000000..c0422bb3
--- /dev/null
+++ b/roles/cryptdisk/tasks/main.yml
@@ -0,0 +1,45 @@
+---
+- name: install cryptsetup packages
+ apt:
+ name:
+ - cryptsetup-bin
+ state: present
+
+- name: Create temporary build directory
+ tempfile:
+ state: directory
+ register: keyfile_dir
+ changed_when: False
+ check_mode: False
+
+- name: create cryptdisk volumes
+ block:
+
+ - name: write passphrases into temporary keyfiles
+ loop: "{{ cryptdisk_volumes | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ dest: "{{ keyfile_dir.path }}/{{ item.key }}"
+ content: "{{ item.value.passphrase }}"
+ mode: 0600
+ changed_when: False
+ check_mode: False
+
+ - name: create/open luks volumes
+ loop: "{{ cryptdisk_volumes | dict2items }}"
+ loop_control:
+ label: "{{ item.key }} ({{ item.value.device }})"
+ luks_device:
+ name: "{{ item.key }}"
+ device: "{{ item.value.device }}"
+ keyfile: "{{ keyfile_dir.path }}/{{ item.key }}"
+ state: opened
+
+ always:
+ - name: remove base-directory for keyfiles
+ file:
+ path: "{{ keyfile_dir.path }}"
+ state: absent
+ changed_when: False
+ check_mode: False
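Review bot: The `write passphrases into temporary keyfiles` task has no `no_log: true`, so a verbose or `--diff` run prints each volume's passphrase, taken from `content: "{{ item.value.passphrase }}"`, to the console and to whatever collects playbook output; add `no_log: true` alongside `changed_when: False` on that task. Two style points: `mode: 0600` is an unquoted octal that PyYAML reads as the integer 384 — Ansible tolerates the leading-zero form, but the documented safe spelling is `mode: '0600'` — and `changed_when: False` / `check_mode: False` should be lowercase `false` for yamllint's truthy rule. Since `state: opened` is driven by a throwaway keyfile that the `always:` branch deletes, nothing here writes a persistent unlock configuration, so the mapper devices presumably vanish on reboot until the role is re-run; a comment at the top of the block, `# volumes are opened for this run only; no crypttab entry is written`, would record that intent.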