Merge pull request #28 from micxer/auto-unlock

Auto-load encryption keys on boot

README.md

@@ -103,6 +103,9 @@ zfs_enable_performance_tuning: false
 # Defines if Samba is installed and configured
 zfs_enable_samba: false
 
+# Defines if keys for encrypted filesystems are loaded on boot
+zfs_autoload_encryption_keys: false
+
 # Defines filesystems to manage
 zfs_filesystems: []
   # - name: nfs

defaults/main.yml

@@ -41,6 +41,9 @@ zfs_enable_performance_tuning: false
 # Defines if Samba is installed and configured
 zfs_enable_samba: false
 
+# Defines if keys for encrypted filesystems are loaded on boot
+zfs_autoload_encryption_keys: false
+
 # Defines filesystems to manage
 zfs_filesystems: []
   # - name: nfs

tasks/encryption_keys.yml

@@ -0,0 +1,36 @@
+---
+- name: Encryption keys | Get encrypted pools
+  ansible.builtin.set_fact:
+    zfs_encrypted_pools: >-
+      {{ zfs_pools | selectattr('options', 'search', 'keylocation') | map(attribute='name') | list }}
+  when: zfs_create_pools
+
+- name: Encryption keys | Get encrypted datasets
+  ansible.builtin.set_fact:
+    zfs_encrypted_datasets: >-
+      {{ zfs_filesystems | selectattr('keylocation', 'defined') | map('combine', {'dataset_name': '{{ pool }}/{{name}}'})
+                         | map(attribute='dataset_name') | list }}
+  when: zfs_create_filesystems
+
+- name: Encryption keys | Create key-load service unit file
+  ansible.builtin.template:
+    src: etc/systemd/system/[email protected]
+    dest: /etc/systemd/system/[email protected]
+    owner: root
+    group: root
+    mode: "0644"
+  when: zfs_encrypted_pools or zfs_encrypted_datasets
+
+- name: Encryption keys | Activate key-load service for encrypted pools
+  ansible.builtin.systemd_service:
+    name: zfs-load-key@{{ item }}
+    enabled: true
+  loop: "{{ zfs_encrypted_pools }}"
+  when: zfs_create_pools
+
+- name: Encryption keys | Activate key-load service for encrypted datasets
+  ansible.builtin.systemd_service:
+    name: zfs-load-key@{{ item }}
+    enabled: true
+  loop: "{{ zfs_encrypted_datasets }}"
+  when: zfs_create_filesystems

tasks/main.yml

@@ -11,6 +11,13 @@
 - include_tasks: ubuntu.yml
   when: ansible_distribution == "Ubuntu" and zfs_install_update == true
 
+- name: Encryption keys
+  include_tasks: encryption_keys.yml
+  when: >
+        (zfs_create_pools or
+        zfs_create_filesystems) and
+        zfs_autoload_encryption_keys
+
 - include_tasks: manage_zfs.yml
 
 - include_tasks: samba.yml

templates/etc/systemd/system/zfs-load-key@.service.j2

@@ -0,0 +1,16 @@
+[Unit]
+Description=Load encryption keys for zpool
+Documentation=man:zfs(8)
+DefaultDependencies=no
+After=systemd-udev-settle.service
+After=systemd-remount-fs.service
+After=zfs-import.target
+Before=zfs-mount.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/zfs load-key %i
+
+[Install]
+WantedBy=zfs-mount.service