-rw-r--r-- | dan/host_vars/sk-2019.yml | 29 | ||||
-rw-r--r-- | dan/sk-2019.yml | 1 | ||||
-rw-r--r-- | inventory/host_vars/sk-2019.yml | 11 | ||||
-rw-r--r-- | roles/cryptdisk/defaults/main.yml | 8 | ||||
-rw-r--r-- | roles/cryptdisk/tasks/main.yml | 45 |
5 files changed, 84 insertions, 10 deletions
diff --git a/dan/host_vars/sk-2019.yml b/dan/host_vars/sk-2019.yml
index 10b7238c..67ff3aac 100644
--- a/dan/host_vars/sk-2019.yml
+++ b/dan/host_vars/sk-2019.yml
@@ -1,10 +1,21 @@
 $ANSIBLE_VAULT;1.2;AES256;dan
-32333038313762663966323431303631613865306433343839363366656431653233326466386531
-6266393731356639353832656436346436383334636139300a356133346432386434396465313135
-64306665653431623930306439336535613465343464313163323138326135326234353862386533
-6566643032333631360a313963666234383262333265366631376561393138306461616233336464
-64383563303861643034653732396335643566613734306663323632313531323837343738326236
-35616131356630313161353864366361613736373465353035313431373533306436643166643863
-32396334386338626235366366313733353530333066663161313263363435356565326239653864
-63393464393261306664386631336339343139356533373732363734663539643133343061376361
-64666233656436336437343839306138393263653639376435323461323237373963
+35663165356437306532343566613137663338643139326330623135623134326539376639616138
+6539346263303561393339616133306131663233393536620a623939333832333263636338653435
+34386463316163363331303536323439373937303739613637613034363831633664353239653839
+6132313630376563350a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
diff --git a/dan/sk-2019.yml b/dan/sk-2019.yml
index 18afd810..25c70226 100644
--- a/dan/sk-2019.yml
+++ b/dan/sk-2019.yml
@@ -5,4 +5,5 @@
 - role: base
 - role: sshd
 - role: zsh
+ - role: cryptdisk
 - role: zfs/base
diff --git a/inventory/host_vars/sk-2019.yml b/inventory/host_vars/sk-2019.yml
index 5f48bd83..aa7be02f 100644
--- a/inventory/host_vars/sk-2019.yml
+++ b/inventory/host_vars/sk-2019.yml
@@ -9,6 +9,15 @@
 install:
 network: {}
+cryptdisk_volumes:
+ crypto-nvme0:
+ passphrase: "{{ vault_cryptdisk_volumes['crypto-nvme0'].passphrase }}"
+ device: /dev/disk/by-id/nvme-eui.0025388791050fef-part3
+ crypto-nvme1:
+ passphrase: "{{ vault_cryptdisk_volumes['crypto-nvme1'].passphrase }}"
+ device: /dev/disk/by-id/nvme-eui.0025388791050fdc-part3
+
+
 zfs_zpool_name: storage
 zfs_zpool_mountpoint: /srv/storage
-zfs_zpool_create_vdevs: mirror nvme0n1p3 nvme1n1p3
+zfs_zpool_create_vdevs: mirror /dev/mapper/crypto-nvme0 /dev/mapper/crypto-nvme1
diff --git a/roles/cryptdisk/defaults/main.yml b/roles/cryptdisk/defaults/main.yml
new file mode 100644
index 00000000..9dca3e80
--- /dev/null
+++ b/roles/cryptdisk/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+# cryptdisk_volumes:
+# crypto-nvme0:
+# passphrase: "keep-this-very-very-secret"
+# device: /dev/nvme0n1p3
+# crypto-nvme1:
+# passphrase: "use-differnt-passphrase-and-keep-this-secret-as-well"
+# device: /dev/nvme1n1p3
diff --git a/roles/cryptdisk/tasks/main.yml b/roles/cryptdisk/tasks/main.yml
new file mode 100644
index 00000000..c0422bb3
--- /dev/null
+++ b/roles/cryptdisk/tasks/main.yml
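Review bot: The new `zfs_zpool_create_vdevs` value names `/dev/mapper/crypto-nvme0` and `/dev/mapper/crypto-nvme1`, which exist only after the cryptdisk role has opened the volumes, so pool creation now depends on that role running first; the ordering that makes this work lives in a different file (dan/sk-2019.yml, where cryptdisk was placed before zfs/base) and is not visible here. A comment on the vdev line would make the dependency visible where the value is set, e.g. `# /dev/mapper names are created by the cryptdisk role, which must run before zfs/base`. The per-volume `device` paths use stable by-id names, which is the right choice for an operation that formats a disk, and the passphrases are referenced through `vault_cryptdisk_volumes`, keeping the plaintext out of this file.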
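Review bot: The commented example in the new defaults file has a typo, `use-differnt-passphrase-...` should read `use-different-passphrase-...`. Since the file ships no real default for `cryptdisk_volumes`, a one-line comment stating that the variable is required and expected to come from vault-encrypted host vars (as inventory/host_vars/sk-2019.yml does) would tell a new user where the value belongs, e.g. `# Required per host; keep passphrases in an ansible-vault encrypted variable and reference them from here.`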
@@ -0,0 +1,45 @@
+---
+- name: install cryptsetup packages
+ apt:
+ name:
+ - cryptsetup-bin
+ state: present
+
+- name: Create temporary build directory
+ tempfile:
+ state: directory
+ register: keyfile_dir
+ changed_when: False
+ check_mode: False
+
+- name: create cryptdisk volumes
+ block:
+
+ - name: write passphrases into temporary keyfiles
+ loop: "{{ cryptdisk_volumes | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ dest: "{{ keyfile_dir.path }}/{{ item.key }}"
+ content: "{{ item.value.passphrase }}"
+ mode: 0600
+ changed_when: False
+ check_mode: False
+
+ - name: create/open luks volumes
+ loop: "{{ cryptdisk_volumes | dict2items }}"
+ loop_control:
+ label: "{{ item.key }} ({{ item.value.device }})"
+ luks_device:
+ name: "{{ item.key }}"
+ device: "{{ item.value.device }}"
+ keyfile: "{{ keyfile_dir.path }}/{{ item.key }}"
+ state: opened
+
+ always:
+ - name: remove base-directory for keyfiles
+ file:
+ path: "{{ keyfile_dir.path }}"
+ state: absent
+ changed_when: False
+ check_mode: False |
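Review bot: The `write passphrases into temporary keyfiles` task has no `no_log: true`, so the passphrase passed through `content:` can show up in the task result and in `--diff` output (the `loop_control` label only hides the loop item, not the module's return data); add `no_log: true` next to `changed_when: False` on that task, and consider the same on the `luks_device` task. The mappings are opened with `state: opened` but nothing in this file writes an /etc/crypttab entry, so after a reboot `/dev/mapper/crypto-nvme*` will be absent and the pool that now references them will not import until the play is re-run; if manual unlock after boot is the intended model, a header comment saying so would keep the next reader from treating that as a bug. The keyfile is written wherever `tempfile` places its directory on the remote host (the system temp location unless `path` is set), and `state: absent` unlinks it without overwriting, which is acceptable for a short-lived file but worth a one-line comment on the `always:` task. Minor: write the mode as `mode: '0600'`, the quoted form Ansible recommends so the octal value cannot be misparsed by a YAML loader.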