---
# Tasks file for the luks_ssh role

# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

# See https://github.com/gsauthof/dracut-sshd/tree/master?tab=readme-ov-file#faq
# Root's password hash is set to "*": no password can ever match it, so
# password logins stay impossible, but the account is not marked as locked,
# which the initramfs sshd needs in order to accept key-based root logins.
# Note that this replaces whatever password hash root currently has.
- name: Unlock root account for SSH
  become: true
  ansible.builtin.user:
    name: root
    # "*" = key-only login; required for the initramfs sshd login to work
    password: "*"

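# Directory that receives the custom dracut sshd module (scripts, unit file,
# sshd_config and the initramfs authorized_keys).
- name: Create dracut extension
  ansible.builtin.file:
    path: "{{ luks_ssh_dracut_ssh_dir }}"
    state: directory
    # Zero-prefixed octal string, consistent with every other mode in this
    # file ("0755"/"0644"); a bare "755" is also read as octal by Ansible,
    # but the mixed form invites a mis-read as decimal.
    mode: "0755"
    owner: "root"
    group: "root"
  become: true
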
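# Writes the authorized_keys that the initramfs sshd will use (the file is
# picked up by the dracut module, not by grub itself).
- name: Add SSH keys for grub2
  ansible.posix.authorized_key:
    user: "root"
    state: present
    # exclusive: the file ends up containing exactly the keys listed in
    # luks_ssh_dracut_authorized_keys, so a key removed from the variable
    # is also removed from the initramfs on the next run.
    exclusive: true
    # Public keys are read from the controller, one key per listed file.
    key: |
      {% for key in luks_ssh_dracut_authorized_keys %}
      {{ lookup('file', key) }}
      {% endfor %}
    path: "{{ luks_ssh_dracut_ssh_dir }}/authorized_keys"
    # The directory is created and permissioned by "Create dracut extension".
    # With the module default manage_dir=true, authorized_key chowns/chmods
    # the directory to 0700 whenever it writes the file, which the module
    # documentation advises against when an alternate path is used.
    manage_dir: false
  become: true
  notify: Regenerate dracut
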
# Install the dracut module's entry point; it must be executable because
# dracut sources/runs it when the initramfs is rebuilt.
- name: Copy module setup file
  become: true
  notify: Regenerate dracut
  ansible.builtin.copy:
    src: 'module-setup.sh'
    dest: "{{ luks_ssh_dracut_ssh_dir }}/module-setup.sh"
    owner: 'root'
    group: 'root'
    mode: '0755'

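# Static pieces of the dracut sshd module: the systemd unit plus the
# profile/motd shown in the unlock shell. Copied as-is (no templating).
- name: Copy module files
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "{{ luks_ssh_dracut_ssh_dir }}/{{ item }}"
    mode: "0644"
    owner: "root"
    group: "root"
  become: true
  # `loop` is the recommended form; for a flat list of strings it behaves
  # exactly like the older `with_items`.
  loop:
    - "sshd.service"
    - "profile"
    - "motd"
  notify: Regenerate dracut
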
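# Templated pieces of the dracut sshd module. sshd_config is the config of
# the sshd that runs inside the initramfs; its contents come from the
# role's template, not from this file.
- name: Copy templated module files
  ansible.builtin.template:
    src: "{{ item }}"
    dest: "{{ luks_ssh_dracut_ssh_dir }}/{{ item }}"
    mode: "0644"
    owner: "root"
    group: "root"
  become: true
  # `loop` is the recommended form; for a flat list of strings it behaves
  # exactly like the older `with_items`.
  loop:
    - "sshd_config"
  notify: Regenerate dracut
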
# Network support inside the initramfs is needed before the sshd module can
# be reached during the LUKS prompt.
- name: Install dracut network
  become: true
  notify: Regenerate dracut
  ansible.builtin.package:
    state: present
    name: dracut-network

# Drop-in for dracut so the network module is pulled into the initramfs
# (the file's contents live in the role's files directory).
- name: Configure dracut to include network module for early networking
  become: true
  notify: Regenerate dracut
  ansible.builtin.copy:
    src: '90-network.conf'
    dest: '/etc/dracut.conf.d/90-network.conf'
    owner: 'root'
    group: 'root'
    mode: '0644'

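# Probe /etc/default/grub for an active GRUB_CMDLINE_LINUX_DEFAULT line so
# the next task can create one only when it is missing. The registered
# result is consumed through its rc (0 = present, non-zero = missing).
- name: Check if line is present
  # Anchored at line start and using the same pattern as the lineinfile task
  # below: a commented-out "#GRUB_CMDLINE_LINUX_DEFAULT" must not count as
  # present, otherwise the line is never created and the rd.neednet/ip=
  # replace tasks below have nothing to match.
  ansible.builtin.command: grep -q '^GRUB_CMDLINE_LINUX_DEFAULT' /etc/default/grub
  # A non-zero rc is the expected "missing" answer, not a failure, so do not
  # report it as one (ignore_errors would still print a red failure).
  failed_when: false
  changed_when: false
  # Read-only probe: keep running it in check mode, otherwise the task is
  # skipped there and luks_ssh_grub_default has no rc for the next task.
  check_mode: false
  register: luks_ssh_grub_default
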
# Only runs when the probe above found no GRUB_CMDLINE_LINUX_DEFAULT line;
# it then adds an empty one for the replace tasks below to extend. An
# existing line is never touched by this task.
- name: Ensure that GRUB_CMDLINE_LINUX_DEFAULT is present
  when: luks_ssh_grub_default.rc != 0
  become: true
  notify: Regenerate grub config
  ansible.builtin.lineinfile:
    path: /etc/default/grub
    line: 'GRUB_CMDLINE_LINUX_DEFAULT=""'
    regexp: "^GRUB_CMDLINE_LINUX_DEFAULT"

# This method will only add the parameter if it was not already added
# NOTICE: If the parameter was manually added, it will not be altered!
#
# The regexp only matches a GRUB_CMDLINE_LINUX_DEFAULT line whose quoted
# value contains no "rd.neednet=" anywhere (negative lookahead on every
# character), so an existing setting, whatever its value, is left alone.
# When the value was empty the result is `" rd.neednet=1"`, i.e. with a
# leading space, which the kernel command line tolerates.
- name: Enable early networking kernel parameter (rd.neednet=1)
  become: true
  notify: Regenerate grub config
  ansible.builtin.replace:
    path: /etc/default/grub
    replace: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 rd.neednet=1"'
    regexp: '^GRUB_CMDLINE_LINUX_DEFAULT=\"((?:(?!rd\.neednet=).)*?)"$'

# This method will only add the parameter if it was not already added
# NOTICE: If the parameter was manually added, it will not be altered!
#
# Same mechanism as the rd.neednet=1 task: the line is only rewritten when
# its quoted value contains no "ip=" at all. NOTE(review): the lookahead
# is a plain substring check, so a longer parameter name ending in "ip="
# would also suppress the change — confirm that is acceptable.
- name: Enable early networking kernel parameter (ip=dhcp)
  become: true
  notify: Regenerate grub config
  ansible.builtin.replace:
    path: /etc/default/grub
    replace: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 ip=dhcp"'
    regexp: '^GRUB_CMDLINE_LINUX_DEFAULT=\"((?:(?!ip=).)*?)"$'

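# CentOS: rhel-import-state would rewrite the ifcfg scripts that the early
# networking setup relies on, so it is disabled and masked (masking also
# prevents it from being started on demand, not only at boot). Opt-out via
# luks_ssh_disable_state_import.
- name: Disable rhel-import-state service, so that it does not overwrite ifcfg scripts.
  ansible.builtin.systemd:
    name: "rhel-import-state"
    enabled: false
    masked: true
  become: true
  when:
    - ansible_os_family == "RedHat" and ansible_distribution == "CentOS"
    - luks_ssh_disable_state_import
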
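# Rocky Linux counterpart of the CentOS task above: the unit is named
# import-state there. Disabled and masked for the same reason; opt-out via
# luks_ssh_disable_state_import.
- name: Disable import-state service, so that it does not overwrite ifcfg scripts.
  ansible.builtin.systemd:
    name: "import-state"
    enabled: false
    masked: true
  become: true
  when:
    - ansible_distribution == "Rocky"
    - luks_ssh_disable_state_import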