reworked dmcrypt for suricata

deploy.yml

@@ -36,6 +36,7 @@
   become: true
   roles:
     - cryptoraid
+  tags: raid
 
 - name: mounts
   hosts:

hosts.yml

@@ -57,23 +57,13 @@ all:
       rpi_cfg:
         - "enable_uart=1"
         - "otg_mode=1"
-      luks_yk_slot: 2
-      luks_yk_challenge: !vault |
-        $ANSIBLE_VAULT;1.1;AES256
-        34333431626366653132396433316337373134373832643066623838346535626639343130373536
-        3437363264343832346432373530316230623637333935310a643135323836306232366235333139
-        35323832333566653235386530643238633333356131373136333937373164373065313430633438
-        3731356134663033620a376230323761336534653064343135366465333438376539386238643931
-        31313735336563366366396536386262383430323161366263623639336661646465333436336264
-        3037623462653131643964383533646632343436613839623761
-      luks_dropbear_port: 2222
-      luks_timeout: 120
-      luks_targets:
-        - data0
-        - data1
-      luks_source_uuids:
-        - 202c924c-ee53-4321-9efd-1f776e939702
-        - a243ac31-094c-4fe2-bced-6e4311a16487
+      dmcrypt_targets:
+        - name: "WDC WDS400T1R0A"
+          target: "disk0"
+          source_uuid: "202c924c-ee53-4321-9efd-1f776e939702"
+        - name: "Samsung SSD 870"
+          target: "disk1"
+          source_uuid: "a243ac31-094c-4fe2-bced-6e4311a16487"
 
     caladan:
       ansible_host: caladan

roles/cryptoraid/files/authorized_keys

@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDaiwmnSKC4DpznZlode1987DvGVLWqkvDZXZ6ey/LOZhRHvNnr5lP4Ke034R17mHHuTlzzuTKUKTN6JcIxBURGUwjWgNQO5z+7SapdOvPpw7M8wOlgp92CbIMiE/tReNbUi2e584Y5NR4tMCQm+FPvQ7c7nY/WoxJ6VSiKBbXzN+IrB9H6ZAVyfAlzHpxhwXeuP5xFwTtapzyzyc4phvuIhbXUc9NOZHXwoAR2La/0TVOgDyktEmCq6aGet03Azz6KPRptdnf4g9V3u8YivccXfd9WTrJr9fj1fWjDU9bBKVU6GtdcSwfqKwa6X4sQIZfONKvVEfqbIIEB70FsXHcdfnm3EN5L1PWbC441Q8bB1zvu/GnlXTlxDFmzByxnbLWTSPLuQyKq5sv9va8Jl9QEVpS3qWJbPHYBTevgboTExyLmpEfsCI+Of86Oxb8PNjyhX1/oWiy8S3w+5oQgAb+yNfSVPnX7CO4oGQhnttoXHA94LzxArYr9zZIp2asRMlc4VVWVH/jQ4FdLDjvKNARYiytOplZBPvFOHJiGb/rfjZKbMPPE+3V1WQPZ6B2nlWN5QxTpnLgTQnONr5rlSrvzFPY8BISUAYcdOCErG4agHDkHFZqWn8u+51wUZUnXo4NI+rty4Nzmc/kPfqWyv/8mSJfihidfuuHGEEzCk1qVdQ== cardno:11 073 199

roles/cryptoraid/files/bin/remote-unlock.sh

@@ -1,17 +0,0 @@
-#!/bin/sh
-
-. /usr/local/etc/unlock-luks.conf
-. /usr/local/share/unlock-luks-helpers.sh
-
-[ -z "$SOURCE_UUIDS" ] && return 1
-[ -z "$TARGETS" ] && return 1
-
-touch "$LOCK_FILE"
-# shellcheck disable=SC2064
-trap "rm -f $LOCK_FILE" EXIT
-
-printf "Enter LUKS password:"
-passwd=$(read_password)
-decrypt "${passwd}"
-
-rm -f "$LOCK_FILE"

roles/cryptoraid/files/bin/unlock-luks.sh

@@ -1,48 +0,0 @@
-#!/bin/sh
-
-. /usr/local/etc/unlock-luks.conf
-. /usr/local/share/unlock-luks-helpers.sh
-
-REMOTE_UNLOCK=/usr/local/bin/remote-unlock.sh
-
-DROPBEAR_PORT="${DROPBEAR_PORT:-22}"
-TIMEOUT="${TIMEOUT:-60}"
-YK_SLOT="${YK_SLOT:-2}"
-
-[ -z "$YK_CHALLENGE" ] && return 1
-[ -z "$SOURCE_UUIDS" ] && return 1
-[ -z "$TARGETS" ] && return 1
-
-loop() {
-    starttime=$(date +%s)
-    usedtime=0
-    while ! check_is_open && [ "$usedtime" -le "$TIMEOUT" ]; do
-        while [ -f "$LOCK_FILE" ]; do
-            sleep 1
-        done
-        yk_decrypt
-        sleep 1
-        endtime=$(date +%s)
-        usedtime=$((endtime - starttime))
-    done
-}
-
-dropbear \
-    -R -s -F \
-    -G root \
-    -p "${DROPBEAR_PORT}" \
-    -c "${REMOTE_UNLOCK}" &
-DROPBEAR_PID="$!"
-sleep 0.5
-# shellcheck disable=SC2064
-trap "kill $DROPBEAR_PID" EXIT
-
-loop
-
-kill "${DROPBEAR_PID}"
-
-if check_is_open; then
-    printf "decryption succeeded\n"
-else
-    printf "decryption failed\n"
-fi

roles/cryptoraid/files/etc/unlock-luks.conf

@@ -1,8 +0,0 @@
-#!/bin/sh
-
-export SOURCE_UUIDS="202c924c-ee53-4321-9efd-1f776e939702 a243ac31-094c-4fe2-bced-6e4311a16487"
-export TARGETS="data0 data1"
-export TIMEOUT="60"
-export YK_CHALLENGE="xWNQnvjBZav8UZzRKeQ7W1E0CV9E6Cnt"
-export YK_SLOT="2"
-export DROPBEAR_PORT=2222

roles/cryptoraid/files/share/unlock-luks-helpers.sh

@@ -1,45 +0,0 @@
-#!/bin/sh
-
-. /usr/local/etc/unlock-luks.conf
-
-export LOCK_FILE=/tmp/remote-unlock.lock
-
-[ -z "$SOURCE_UUIDS" ] && return 1
-[ -z "$TARGETS" ] && return 1
-
-decrypt() {
-    passwd="$1"
-    i=1
-    for uuid in $SOURCE_UUIDS; do
-        target=$(printf "%s" "$TARGETS" | cut -d ' ' -f "${i}")
-        printf "%s" "$passwd" | cryptsetup luksOpen "/dev/disk/by-uuid/${uuid}" "${target}"
-        i=$((i + 1))
-    done
-}
-
-read_password() {
-    stty -echo
-    trap 'stty echo' EXIT
-    read -r passwd
-    stty echo
-    trap - EXIT
-    printf "%s" "${passwd}"
-}
-
-check_is_open() {
-    for target in $TARGETS; do
-        [ ! -b "/dev/mapper/${target}" ] && return 1
-    done
-    return 0
-}
-
-yk_decrypt() {
-    printf "attempting decryption with yubikey\n"
-    if ykinfo "-${YK_SLOT}" >&2; then
-        printf "yubikey available\n"
-        yk_pass=$(ykchalresp "-${YK_SLOT}" "${YK_CHALLENGE}" | tr -d '\n')
-        decrypt "$yk_pass"
-    else
-        printf "yubikey not present\n"
-    fi
-}

roles/cryptoraid/tasks/alpine.yml

@@ -20,44 +20,14 @@
     line: btrfs
     insertafter: EOF
 
-- name: create script directories
-  file:
-    path: "/usr/local/{{ item }}"
-    state: directory
-    mode: '0755'
-  loop:
-    - bin
-    - etc
-    - share
+- name: add drive block to dmcrypt config
+  blockinfile:
+    insertbefore: leave this comment last
+    path: /etc/conf.d/dmcrypt
+    block: "{{ lookup('template', 'dmcrypt_block.j2') }}"
 
-- name: copy unlock scripts
-  copy:
-    src: "bin/{{ item }}"
-    dest: "/usr/local/bin/{{ item }}"
-    mode: '0755'
-  loop:
-    - remote-unlock.sh
-    - unlock-luks.sh
-
-- name: copy helper unlock files
-  copy:
-    src: share/unlock-luks-helpers.sh
-    dest: /usr/local/share/unlock-luks-helpers.sh
-    mode: '0644'
-
-- name: copy unlock config files
-  template:
-    src: unlock-luks.conf.j2
-    dest: /usr/local/etc/unlock-luks.conf
-    mode: '0644'
-
-- name: create root's ssh directory
-  file:
-    path: "/root/.ssh"
-    state: directory
-    mode: '0755'
-
-- name: copy authorized_keys
-  copy:
-    src: authorized_keys
-    dest: /root/.ssh/authorized_keys
+- name: enable dmcrypt at boot
+  service:
+    name: dmcrypt
+    enabled: true
+    runlevel: boot

roles/cryptoraid/templates/dmcrypt_block.j2

@@ -0,0 +1,7 @@
+
+{% for entry in dmcrypt_targets %}
+# {{ entry.name }}
+target='{{ entry.target }}'
+source='/dev/disk/by-uuid/{{ entry.source_uuid }}'
+
+{% endfor %}

roles/cryptoraid/templates/unlock-luks.conf.j2

@@ -1,8 +0,0 @@
-#!/bin/sh
-
-export SOURCE_UUIDS="{{ luks_source_uuids | join(" ") }}"
-export TARGETS="{{ luks_targets | join(" ") }}"
-export TIMEOUT="{{ luks_timeout }}"
-export YK_CHALLENGE="{{ luks_yk_challenge }}"
-export YK_SLOT="{{ luks_yk_slot }}"
-export DROPBEAR_PORT="{{ luks_dropbear_port }}"