linux-system-roles / nbde_client
Ansible role for configuring Network Bound Disk Encryption clients (e.g. clevis)
Home Page: https://linux-system-roles.github.io/nbde_client/
License: MIT License
Ideally the role uses /usr/local instead of /usr, as /usr is typically reserved for package managers. Some systems may also leave /usr read only with a writeable /usr/local, like in ostree based systems.
I'm unsure whether dracut supports /usr/local/lib/dracut as an additional path, but a rough equivalent of the network flushing scripts can be achieved via a NetworkManager config placed in /etc/NetworkManager/conf.d/ like this:
[device]
keep-configuration=no
allowed-connections=except:origin:nm-initrd-generator
A new system is unable to unlock after running the nbde_client role. After running the role I get an all good from Ansible, but upon reboot the system stops at the LUKS encryption screen.
- name: Import nbde_client role
  ansible.builtin.import_role:
    name: linux-system-roles.nbde_client
  vars:
    nbde_client_bindings:
      - device: "{{ root_disk | d('/dev/vda2') }}"
        encryption_password: "{{ current_password }}"
        servers: "{{ tang_servers }}"
I would like to recommend adding support for defining dracut parameters for ip, both static and dhcp. Also, supporting the option of configuring dracut with omit_dracutmodules+="ifcfg", so that devices with multiple IPs are not disrupted by the dracut networking configuration.
You may want to add network flushing support so that the kernel networking configuration is flushed and replaced with the system networking configuration. This prevents dracut/boot from destroying system network configurations such as multiple IPs on a single network interface, bonding, etc.
I would like to recommend adding support for [email protected] and [email protected]. This will allow unlocking of non-/ partitions upon boot.
jose is not installed by default (on Fedora Server/EL9) and is required as a dependency of the role.
Suggestion to add to documentation.
If you run the role again with the same nbde_client_bindings, will it do all of these steps again, and report that something changed? If so, I'm not sure how to prevent that from happening - how would you know ahead of time that you have already brought the managed hosts to the desired state?
Originally posted by @richm in https://github.com/linux-system-roles/nbde_client/pull/3/files#r439106448
passphrase_temporary is definitely not idempotent, because the first time it will remove the passphrase and the second time it will fail.
As part of the conscious language project, the master branch is to be renamed to the main branch.
Here are the instructions.
If you use the gh cli (highly recommended) you can use this to check which repos need to be updated:
gh repo list linux-system-roles -L 100 --json name,defaultBranchRef --source | \
jq --raw-output '.[] | select(.defaultBranchRef.name == "master") | .name'
Thanks.