From 2172c539791a09d1ed1ae4b7a8ed3f4bf4cc8d2f Mon Sep 17 00:00:00 2001 From: Sergei Petrosian <30409084+spetrosi@users.noreply.github.com> Date: Fri, 8 Sep 2023 15:07:09 +0200 Subject: [PATCH] docs(changelog): version 1.2.15 [citest skip] (#132) Update changelog and .README.html for version 1.2.15 Signed-off-by: Sergei Petrosian --- .README.html | 319 +++++++++++++++++++++++++++++++++++++++++++++++++++ CHANGELOG.md | 34 ++++++ 2 files changed, 353 insertions(+) create mode 100644 .README.html diff --git a/.README.html b/.README.html new file mode 100644 index 0000000..1c2168e --- /dev/null +++ b/.README.html @@ -0,0 +1,319 @@ + + + + + + + + nbde_client + + + + + + +
+
+

nbde_client

+
+
+ +
+

Ansible role for configuring Network-Bound Disk Encryption clients +(e.g. clevis).

+

This role currently supports clevis as a provider and it +uses it for operations like encryption and decryption.

+

Supported Distributions

+ +

Limitations

+

This role can currently create tang bindings. TPM2 is +not supported as of now.

+

Role Variables

+

These are the variables that can be passed to the role:

+ + + + + + + + + + + + + + + + + + + + +
VariableDefault/ChoicesDescription
nbde_client_providerclevisidentifies the provider for the nbde_client role. We +currently support clevis.
nbde_client_bindingsa list containing binding configurations, which include e.g. devices +and slots.
+

nbde_client_bindings

+

nbde_client_bindings is a list of dictionaries that +support the following keys:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameDefault/ChoicesDescription
devicespecifies the path of the backing device of an encrypted device on +the managed host. This device must be already configured as a LUKS +device before using the role (REQUIRED).
encryption_passworda valid password or passphrase for opening/unlocking the specified +device. Recommend vault encrypting the value. See https://docs.ansible.com/ansible/latest/user_guide/vault.html
encryption_key_srceither the absolute or relative path, on the control node, of a file +containing an encryption key valid for opening/unlocking the specified +device. The role will copy this file to the managed node(s).
statepresent / absentspecifies whether a binding with the configuration described should +be added or removed. Setting state to present (the default) means a +binding will be added; setting state to absent means a binding will be +removed from the device/slot.
slot1specifies the slot to use for the binding.
serversspecifies a list of servers to bind to. To enable high availability, +specify more than one server here.
threshold1specifies the threshold for the Shamir Secret Sharing (SSS) scheme +that is put in place when using more than one server. When using +multiple servers, threshold indicates how many of those servers should +succeed, in terms of decryption, in order to complete the process of +recovering the LUKS passphrase to open the device.
password_temporaryfalseIf true, the password or passphrase that was provided +via the encryption_password or encryption_key +arguments will be used to unlock the device and then it will be removed +from the LUKS device after the binding operation completes, i.e. it will +not be valid anymore. To be used if device has been previously created +with a sample password or passphrase (for example by an automated +install like kickstart that set up some sort of "default" password), +which the role should replace by a stronger one.
+

Example:

+
nbde_client_bindings:
+  - device: /dev/sda1
+    encryption_key_src: /vault/keyfile
+    state: present
+    slot: 2
+    threshold: 1
+    password_temporary: false
+    servers:
+      - http://server1.example.com
+      - http://server2.example.com
+

Example Playbooks

+

Example 1: high availability

+
---
+- hosts: all
+  vars:
+    nbde_client_bindings:
+      - device: /dev/sda1
+        # recommend vault encrypting the encryption_password
+        # see https://docs.ansible.com/ansible/latest/user_guide/vault.html
+        encryption_password: password
+        servers:
+          - http://server1.example.com
+          - http://server2.example.com
+  roles:
+    - linux-system-roles.nbde_client
+

Example 2: +remove binding from slot 2 in /dev/sda1

+
---
+- hosts: all
+  vars:
+    nbde_client_bindings:
+      - device: /dev/sda1
+        # recommend vault encrypting the encryption_password
+        # see https://docs.ansible.com/ansible/latest/user_guide/vault.html
+        encryption_password: password
+        slot: 2
+        state: absent
+  roles:
+    - linux-system-roles.nbde_client
+

License

+

MIT

+
+ + diff --git a/CHANGELOG.md b/CHANGELOG.md index b028a02..b8874d8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,40 @@ Changelog ========= +[1.2.15] - 2023-09-08 +-------------------- + +### Other Changes + +- ci: Add markdownlint, test_converting_readme, and build_docs workflows (#129) + + - markdownlint runs against README.md to avoid any issues with + converting it to HTML + - test_converting_readme converts README.md > HTML and uploads this test + artifact to ensure that conversion works fine + - build_docs converts README.md > HTML and pushes the result to the + docs branch to publish dosc to GitHub pages site. + - Fix markdown issues in README.md + + Signed-off-by: Sergei Petrosian + +- docs: Make badges consistent, run markdownlint on all .md files (#130) + + - Consistently generate badges for GH workflows in README RHELPLAN-146921 + - Run markdownlint on all .md files + - Add custom-woke-action if not used already + - Rename woke action to Woke for a pretty badge + + Signed-off-by: Sergei Petrosian + +- ci: Remove badges from README.md prior to converting to HTML (#131) + + - Remove thematic break after badges + - Remove badges from README.md prior to converting to HTML + + Signed-off-by: Sergei Petrosian + + [1.2.14] - 2023-07-19 --------------------
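Review bot: the `password_temporary` row in the bindings table says the passphrase was provided "via the encryption_password or encryption_key arguments", but the documented key is `encryption_key_src` (two rows above); the name should match, and since this file is converted from README.md the fix belongs in README.md with the HTML regenerated rather than hand-edited. The `encryption_key_src` row also states that "The role will copy this file to the managed node(s)" without saying whether that copy is removed once the binding completes or what file mode it is written with; one sentence there would help, because a keyfile left on the managed host is itself a valid unlock secret for the device. Finally, the changelog in this same patch says build_docs already converts README.md to HTML and pushes the result to the docs branch, so committing a generated `.README.html` (create mode 100644) into this branch invites drift between README.md and the HTML; consider leaving generation to CI or documenting that the file is regenerated on every release.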
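Review bot: typo in the build_docs bullet of the 1.2.15 entry: "publish dosc to GitHub pages site" should read "publish docs to the GitHub pages site". In the badges bullet, "Consistently generate badges for GH workflows in README RHELPLAN-146921" reads as if the ticket ID were part of the file name; putting the identifier in parentheses or after a separator would make it clear it is a tracker reference.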