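---
# Tasks file for the luks_ssh role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.

# Why root must not be a locked account for the initramfs sshd:
# See https://github.com/gsauthof/dracut-sshd/tree/master?tab=readme-ov-file#faq
- name: Unlock root account for SSH
  ansible.builtin.user:
    name: root
    # "*" is not a valid password hash, so password login stays impossible and
    # only SSH key login is allowed; this is needed for the initramfs sshd login.
    password: "*"
  become: true

- name: Create dracut extension
  ansible.builtin.file:
    path: "{{ luks_ssh_dracut_ssh_dir }}"
    state: directory
    # Leading zero: unambiguous octal, consistent with the modes used below.
    mode: "0755"
    owner: "root"
    group: "root"
  become: true

# Public keys are read from the control node (lookup('file', ...)) and written
# to the authorized_keys file inside the dracut module directory.
# exclusive: true removes any key in that file that is not listed in
# luks_ssh_dracut_authorized_keys.
- name: Add SSH keys for grub2
  ansible.posix.authorized_key:
    user: "root"
    state: present
    exclusive: true
    key: |
      {% for key in luks_ssh_dracut_authorized_keys %}
      {{ lookup('file', key) }}
      {% endfor %}
    path: "{{ luks_ssh_dracut_ssh_dir }}/authorized_keys"
  become: true
  notify: Regenerate dracut

- name: Copy module setup file
  ansible.builtin.copy:
    src: "module-setup.sh"
    dest: "{{ luks_ssh_dracut_ssh_dir }}/module-setup.sh"
    mode: "0755"
    owner: "root"
    group: "root"
  become: true
  notify: Regenerate dracut

- name: Copy module files
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "{{ luks_ssh_dracut_ssh_dir }}/{{ item }}"
    mode: "0644"
    owner: "root"
    group: "root"
  become: true
  # loop: is the current idiom; with_items only differed by flattening nested
  # lists, which does not apply to these plain strings.
  loop:
    - "sshd.service"
    - "profile"
    - "motd"
  notify: Regenerate dracut

- name: Copy templated module files
  ansible.builtin.template:
    src: "{{ item }}"
    dest: "{{ luks_ssh_dracut_ssh_dir }}/{{ item }}"
    mode: "0644"
    owner: "root"
    group: "root"
  become: true
  loop:
    - "sshd_config"
  notify: Regenerate dracut

- name: Install dracut network
  ansible.builtin.package:
    name: dracut-network
    state: present
  become: true
  notify: Regenerate dracut

- name: Configure dracut to include network module for early networking
  ansible.builtin.copy:
    src: "90-network.conf"
    dest: "/etc/dracut.conf.d/90-network.conf"
    mode: "0644"
    owner: "root"
    group: "root"
  become: true
  notify: Regenerate dracut

# Only the exit code is used: 0 = line present, non-zero = absent (or the file
# could not be read).  Plain grep needs no shell, so command: is used instead
# of shell: with a pipe (whose cat failure would otherwise be masked).
- name: Check if line is present
  ansible.builtin.command: grep GRUB_CMDLINE_LINUX_DEFAULT /etc/default/grub
  changed_when: false
  # A non-zero rc is the expected signal for the next task, not an error.
  failed_when: false
  register: luks_ssh_grub_default

- name: Ensure that GRUB_CMDLINE_LINUX_DEFAULT is present
  ansible.builtin.lineinfile:
    path: /etc/default/grub
    regexp: "^GRUB_CMDLINE_LINUX_DEFAULT"
    line: 'GRUB_CMDLINE_LINUX_DEFAULT=""'
  become: true
  notify: Regenerate grub config
  when: luks_ssh_grub_default.rc != 0

# This method will only add the parameter if it was not already added
# NOTICE: If the parameter was manually added, it will not be altered!
# The negative lookahead matches the quoted value only when it contains no
# "rd.neednet=" yet; the captured value is kept and the parameter appended.
- name: Enable early networking kernel parameter (rd.neednet=1)
  ansible.builtin.replace:
    path: /etc/default/grub
    regexp: '^GRUB_CMDLINE_LINUX_DEFAULT=\"((?:(?!rd\.neednet=).)*?)"$'
    replace: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 rd.neednet=1"'
  become: true
  notify: Regenerate grub config

# This method will only add the parameter if it was not already added
# NOTICE: If the parameter was manually added, it will not be altered!
# Note: the lookahead checks for the substring "ip=" anywhere in the value,
# so any existing parameter ending in "ip=" also suppresses the addition.
- name: Enable early networking kernel parameter (ip=dhcp)
  ansible.builtin.replace:
    path: /etc/default/grub
    regexp: '^GRUB_CMDLINE_LINUX_DEFAULT=\"((?:(?!ip=).)*?)"$'
    replace: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 ip=dhcp"'
  become: true
  notify: Regenerate grub config

# Both conditions must hold: the distribution check and the role switch
# luks_ssh_disable_state_import.  masked: true prevents the unit from being
# started again by dependencies, not only at boot.
- name: Disable rhel-import-state service, so that it doesn not overwrite ifcfg scripts.
  ansible.builtin.systemd:
    name: "rhel-import-state"
    enabled: false
    masked: true
  become: true
  when:
    - ansible_os_family == "RedHat" and ansible_distribution == "CentOS"
    - luks_ssh_disable_state_import

- name: Disable import-state service, so that it doesn not overwrite ifcfg scripts.
  ansible.builtin.systemd:
    name: "import-state"
    enabled: false
    masked: true
  become: true
  when:
    - ansible_distribution == "Rocky"
    - luks_ssh_disable_state_import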