Dotfiles/setup/modules/FreeipaAnsible/ansible/collect-luks-keys.yml

---
# collect-luks-keys.yml — fetch LUKS backup keys from enrolled clients.
#
# When a client was installed with disk encryption via the M-Archy installer,
# a backup LUKS key is stored at /_LUKS_BACKUP_KEY inside the encrypted root.
# This playbook fetches those keys to the controller and names each copy
# <HOSTNAME>_LUKS_BACKUP_KEY so they can be archived securely.
#
# Keys are stored in  luks-keys/  relative to the playbook directory.
# Protect that directory carefully — keys can unlock client root partitions.
#
# Usage:
#   ansible-playbook -i inventory collect-luks-keys.yml
#   ansible-playbook -i inventory collect-luks-keys.yml -e luks_keys_store=/secure/path
#
# To run automatically, add a cron job on the Ansible controller:
#   0 3 * * * cd /path/to/playbooks && ansible-playbook -i inventory collect-luks-keys.yml

- name: Collect LUKS backup keys from enrolled clients
  hosts: all
  become: yes

  vars:
    luks_key_path: /_LUKS_BACKUP_KEY
    luks_keys_store: "{{ playbook_dir }}/luks-keys"

  tasks:

    - name: Ensure local key store directory exists
      file:
        path: "{{ luks_keys_store }}"
        state: directory
        mode: '0700'
      delegate_to: localhost
      run_once: true
      become: false

    - name: Check for LUKS backup key on client
      stat:
        path: "{{ luks_key_path }}"
      register: luks_key_stat

    - name: Fetch LUKS backup key to controller
      fetch:
        src: "{{ luks_key_path }}"
        dest: "{{ luks_keys_store }}/{{ inventory_hostname }}_LUKS_BACKUP_KEY"
        flat: yes
      when: luks_key_stat.stat.exists
      register: luks_key_fetch

    - name: Secure fetched key permissions
      file:
        path: "{{ luks_keys_store }}/{{ inventory_hostname }}_LUKS_BACKUP_KEY"
        mode: '0400'
      delegate_to: localhost
      become: false
      when:
        - luks_key_stat.stat.exists
        - luks_key_fetch is changed

    - name: Report key status
      debug:
        msg: >-
          {{ inventory_hostname }}:
          {% if luks_key_stat.stat.exists %}
            key found and fetched to {{ luks_keys_store }}/{{ inventory_hostname }}_LUKS_BACKUP_KEY
          {% else %}
            no /_LUKS_BACKUP_KEY present (unencrypted or already collected)
          {% endif %}