Persistent config on Qubes OS using debops.persistent_paths

POC Related to: debops/debops-playbooks#333
ypid · Jan 31, 2017 · 3765a50 · 3765a50
1 parent cd3440c
commit 3765a50
Show file tree

Hide file tree

Showing 6 changed files with 74 additions and 6 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -41,6 +41,9 @@ Added
 - Support to setup filesystems using a random key on boot.
   Refer to :ref:`cryptsetup__ref_devices_tmp_with_random_key` for details. [ypid_]
 
+- Support for persistent configuration of TemplateBasedVM on `Qubes OS`_ out of
+  the box using the ``debops.persistent_paths`` role. [ypid_]
+
 Changed
 ~~~~~~~
 

diff --git a/COPYRIGHT b/COPYRIGHT
@@ -1,7 +1,7 @@
 debops.cryptsetup - Setup and manage encrypted filesystems
 
-Copyright (C) 2015-2016 Robin Schneider <[email protected]>
-Copyright (C) 2015-2016 DebOps https://debops.org/
+Copyright (C) 2015-2017 Robin Schneider <[email protected]>
+Copyright (C) 2015-2017 DebOps https://debops.org/
 
 This Ansible role is part of DebOps.
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -235,6 +235,13 @@ cryptsetup__swap_priority: -1
 # Refer to :ref:`item.fstype <cryptsetup__devices_fstype>` for details.
 cryptsetup__fstype: 'ext4'
 
+                                                                   # ]]]
+# .. envvar:: cryptsetup__fstab_file [[[
+#
+# File path to the :manpage:`fstab(5)` file where file systems should be
+# configured.
+cryptsetup__fstab_file: '/etc/fstab'
+
                                                                    # ]]]
 # .. envvar:: cryptsetup__mount_options [[[
 #
@@ -268,6 +275,13 @@ cryptsetup__mountpoint_parent_directory: '/media'
 # Refer to :ref:`item.crypttab_options <cryptsetup__devices_crypttab_options>` for details.
 cryptsetup__crypttab_options: []
 
+                                                                   # ]]]
+# .. envvar:: cryptsetup__crypttab_file [[[
+#
+# File path to the :manpage:`crypttab(5)` file where encrypted file systems
+# should be configured.
+cryptsetup__crypttab_file: '/etc/crypttab'
+
                                                                    # ]]]
 # .. envvar:: cryptsetup__hash [[[
 #
@@ -352,4 +366,22 @@ cryptsetup__use_dev_random: True
 cryptsetup__iter_time: 'default'
                                                                    # ]]]
                                                                    # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: cryptsetup__persistent_paths__dependent_persistent_paths [[[
+#
+# Configuration for the ``debops.persistent_paths`` Ansible role.
+cryptsetup__persistent_paths__dependent_persistent_paths:
+
+  '50_debops_cryptsetup':
+    by_role: 'debops.cryptsetup'
+    paths:
+      - '{{ cryptsetup__fstab_file }}'
+      - '{{ cryptsetup__crypttab_file }}'
+      - '{{ cryptsetup__keyfile_remote_location }}'
+      - '{{ cryptsetup__header_backup_remote_location }}'
+      - '{{ cryptsetup__mountpoint_parent_directory }}'
+                                                                   # ]]]
+                                                                   # ]]]
                                                                    # ]]]
diff --git a/docs/getting-started.rst b/docs/getting-started.rst
@@ -36,8 +36,17 @@ To configure encrypted filesystems on host given in
 
 .. code:: ini
 
-    [debops_service_cryptsetup]
-    hostname
+   [debops_service_cryptsetup]
+   hostname
+
+In case the host in question happens to be a TemplateBasedVM on `Qubes OS`_, it
+should instead be added to ``debops_service_cryptsetup_persistent_paths`` so
+that the changes can be made persistent:
+
+.. code:: ini
+
+   [debops_service_cryptsetup_persistent_paths]
+   hostname
 
 Example playbook
 ----------------
@@ -48,6 +57,12 @@ that uses the ``debops.cryptsetup`` role:
 .. literalinclude:: playbooks/cryptsetup.yml
    :language: yaml
 
+If you are using this role without DebOps, here's an example Ansible playbook
+that uses ``debops.cryptsetup`` together with the ``debops.persistent_paths`` role:
+
+.. literalinclude:: playbooks/cryptsetup-persistent_paths.yml
+   :language: yaml
+
 Ansible tags
 ------------
 

diff --git a/docs/playbooks/cryptsetup-persistent_paths.yml b/docs/playbooks/cryptsetup-persistent_paths.yml
@@ -0,0 +1,18 @@
+---
+
+- name: Setup and manage encrypted filesystems and ensure persistence
+  hosts: [ 'debops_service_cryptsetup_persistent_paths' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: debops.cryptsetup
+      tags: [ 'role::cryptsetup' ]
+
+    - role: debops.persistent_paths
+      tags: [ 'role::persistent_paths' ]
+      persistent_paths__dependent_persistent_paths: '{{ cryptsetup__persistent_paths__dependent_persistent_paths }}'
diff --git a/tasks/manage_devices.yml b/tasks/manage_devices.yml
@@ -291,7 +291,7 @@
     opts:   '{{ (item.mount_options | d(cryptsetup__mount_options | d([]))) | list | sort | unique | join(",") }}'
     dump:   '{{ item.mount_dump     | d(omit) }}'
     passno: '{{ item.mount_passno   | d(omit) }}'
-    fstab:  '{{ item.fstab_path     | d(omit) }}'
+    fstab:  '{{ item.fstab_path | d(cryptsetup__fstab_file) }}'
     state:  '{{ "mounted" if (item.state|d(cryptsetup__state) == "ansible_controller_mounted") else item.state|d(cryptsetup__state) }}'
   when: ((item.manage_filesystem|d(True) | bool) and not (item.swap|d(False) | bool))
   with_items: '{{ cryptsetup__process_devices|d([]) }}'
@@ -316,7 +316,7 @@
                 | list | sort | unique | join(",") }}'
     dump:   '0'
     passno: '0'
-    fstab:  '{{ item.fstab_path | d(omit) }}'
+    fstab:  '{{ item.fstab_path | d(cryptsetup__fstab_file) }}'
     state:  '{{ (item.state|d(cryptsetup__state) == "absent")|ternary("absent", "present") }}'
   register: cryptsetup__register_swap_fstab
   when: item.swap|d(False) | bool