ansible-collection-core/roles/baseline/tasks/disk_partitions.yml

---
- name: Disk Partitions | PRELIM | Ensure baseline_home_luks_passphrase is defined
  ansible.builtin.assert:
    that:
      - baseline_home_luks_passphrase is defined
    msg: "Variable 'baseline_home_luks_passphrase' must be defined."

- name: Disk Partitions | PRELIM | Ensure baseline_second_disk_device is defined
  ansible.builtin.assert:
    that:
      - baseline_second_disk_device is defined
    msg: "Variable 'baseline_second_disk_device' must be defined."

- name: Disk Partitions | PATCH | Ensure lvm2 is installed
  ansible.builtin.package:
    name: lvm2
    state: present

- name: Disk Partitions | PATCH | Create LVM partition spanning entire disk
  community.general.parted:
    device: "{{ baseline_second_disk_device }}"
    number: 1
    flags: [lvm]
    state: present
    part_start: "0%"
    part_end: "100%"

- name: Disk Partitions | PATCH | Create volume group
  community.general.lvg:
    vg: "{{ baseline_second_disk_vg_name }}"
    pvs: "{{ baseline_second_disk_device }}1"

- name: Disk Partitions | PATCH | Create /var logical volume
  community.general.lvol:
    vg: "{{ baseline_second_disk_vg_name }}"
    lv: var
    size: "{{ baseline_second_disk_var_size }}"

- name: Disk Partitions | PATCH | Create /var/log logical volume
  community.general.lvol:
    vg: "{{ baseline_second_disk_vg_name }}"
    lv: var_log
    size: "{{ baseline_second_disk_var_log_size }}"

- name: Disk Partitions | PATCH | Create /var/log/audit logical volume
  community.general.lvol:
    vg: "{{ baseline_second_disk_vg_name }}"
    lv: var_log_audit
    size: "{{ baseline_second_disk_var_log_audit_size }}"

- name: Disk Partitions | PATCH | Create /var/tmp logical volume
  community.general.lvol:
    vg: "{{ baseline_second_disk_vg_name }}"
    lv: var_tmp
    size: "{{ baseline_second_disk_var_tmp_size }}"

- name: Disk Partitions | PATCH | Create /home logical volume with remaining space
  community.general.lvol:
    vg: "{{ baseline_second_disk_vg_name }}"
    lv: home
    shrink: false  # make idempotent
    size: "100%FREE"

- name: Disk Partitions | PATCH | Ensure cryptsetup is installed
  ansible.builtin.package:
    name: cryptsetup
    state: present

- name: Disk Partitions | PATCH | Encrypt /home with LUKS2 and provided passphrase
  community.crypto.luks_device:
    device: "/dev/{{ baseline_second_disk_vg_name }}/home"
    state: present
    passphrase: "{{ baseline_home_luks_passphrase }}"
    type: luks2

- name: Disk Partitions | PATCH | Open LUKS device
  community.crypto.luks_device:
    device: "/dev/{{ baseline_second_disk_vg_name }}/home"
    name: home_crypt
    state: opened
    passphrase: "{{ baseline_home_luks_passphrase }}"

- name: Disk Partitions | PATCH | Add /home logical volume to crypttab
  community.general.crypttab:
    backing_device: /dev/mapper/datavg-home
    name: home_crypt
    opts: discard
    state: present

- name: Disk Partitions | PATCH | Create xfs filesystems on new partitions
  community.general.filesystem:
    dev: "{{ item }}"
    fstype: xfs
  with_items:
    - /dev/mapper/datavg-var
    - /dev/mapper/datavg-var_log
    - /dev/mapper/datavg-var_log_audit
    - /dev/mapper/datavg-var_tmp
    - /dev/mapper/home_crypt

- name: Disk Partitions | AUDIT | Check if /home is mounted
  ansible.builtin.command:
    cmd: mountpoint -q /home
  register: baseline_second_disk_home_mounted
  changed_when: false
  failed_when: false

- name: Disk Partitions | AUDIT | Check if /home is empty
  ansible.builtin.command:
    cmd: ls -A /home
  register: baseline_second_disk_home_files
  when: baseline_second_disk_home_mounted.rc != 0
  changed_when: false

- name: Disk Partitions | AUDIT | Fail if /home is not mounted and not empty
  ansible.builtin.assert:
    that:
      - ((baseline_second_disk_home_files.skipped is defined) and baseline_second_disk_home_files.skipped) or (baseline_second_disk_home_files.stdout == "")

- name: Disk Partitions | PATCH | Ensure /home is mounted
  ansible.posix.mount:
    src: "/dev/mapper/home_crypt"
    path: '/home'
    fstype: 'xfs'
    opts: 'rw,nosuid,nodev'
    state: mounted

- name: Disk Partitions | AUDIT | Check if /var is mounted
  ansible.builtin.command:
    cmd: mountpoint -q /var
  register: baseline_second_disk_var_mounted
  changed_when: false
  failed_when: false

- name: Disk Partitions | PATCH | Migrate content if /var is not mounted
  when: baseline_second_disk_var_mounted.rc != 0
  block:
    - name: Disk Partitions | PATCH | Enter emergency mode
      ansible.builtin.command:
        cmd: systemctl isolate emergency.target
      tags:
        - skip_ansible_lint  # Not possible with ansible.builtin.systemd_service

    - name: Disk Partitions | PATCH | Unmount /var/lib/nfs/rpc_pipefs if mounted
      ansible.posix.mount:
        path: /var/lib/nfs/rpc_pipefs
        state: unmounted

    - name: Disk Partitions | PATCH | Migrate data to new partitions
      ansible.builtin.include_tasks:
        file: disk_partitions_migrate.yml
      vars:
        baseline_second_disk_migrate_path: "{{ item }}"
      with_items:
        - "/var"
        - "/var/log"
        - "/var/log/audit"
        - "/var/tmp"

    - name: Disk Partitions | PATCH | Restore default mode
      ansible.builtin.command:
        cmd: systemctl isolate default.target
      tags:
        - skip_ansible_lint  # Not possible with ansible.builtin.systemd_service
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`---`
			`- name: Disk Partitions \| PRELIM \| Ensure baseline_home_luks_passphrase is defined`
			`ansible.builtin.assert:`
			`that:`
			`- baseline_home_luks_passphrase is defined`
			`msg: "Variable 'baseline_home_luks_passphrase' must be defined."`

			`- name: Disk Partitions \| PRELIM \| Ensure baseline_second_disk_device is defined`
			`ansible.builtin.assert:`
			`that:`
			`- baseline_second_disk_device is defined`
			`msg: "Variable 'baseline_second_disk_device' must be defined."`

			`- name: Disk Partitions \| PATCH \| Ensure lvm2 is installed`
			`ansible.builtin.package:`
			`name: lvm2`
			`state: present`

			`- name: Disk Partitions \| PATCH \| Create LVM partition spanning entire disk`
			`community.general.parted:`
			`device: "{{ baseline_second_disk_device }}"`
			`number: 1`
lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`flags: [lvm]`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`state: present`
			`part_start: "0%"`
			`part_end: "100%"`

			`- name: Disk Partitions \| PATCH \| Create volume group`
			`community.general.lvg:`
			`vg: "{{ baseline_second_disk_vg_name }}"`
			`pvs: "{{ baseline_second_disk_device }}1"`

			`- name: Disk Partitions \| PATCH \| Create /var logical volume`
			`community.general.lvol:`
			`vg: "{{ baseline_second_disk_vg_name }}"`
			`lv: var`
			`size: "{{ baseline_second_disk_var_size }}"`

			`- name: Disk Partitions \| PATCH \| Create /var/log logical volume`
			`community.general.lvol:`
			`vg: "{{ baseline_second_disk_vg_name }}"`
			`lv: var_log`
			`size: "{{ baseline_second_disk_var_log_size }}"`

			`- name: Disk Partitions \| PATCH \| Create /var/log/audit logical volume`
			`community.general.lvol:`
			`vg: "{{ baseline_second_disk_vg_name }}"`
			`lv: var_log_audit`
			`size: "{{ baseline_second_disk_var_log_audit_size }}"`

			`- name: Disk Partitions \| PATCH \| Create /var/tmp logical volume`
			`community.general.lvol:`
			`vg: "{{ baseline_second_disk_vg_name }}"`
			`lv: var_tmp`
			`size: "{{ baseline_second_disk_var_tmp_size }}"`

			`- name: Disk Partitions \| PATCH \| Create /home logical volume with remaining space`
			`community.general.lvol:`
			`vg: "{{ baseline_second_disk_vg_name }}"`
			`lv: home`
			`shrink: false # make idempotent`
			`size: "100%FREE"`

			`- name: Disk Partitions \| PATCH \| Ensure cryptsetup is installed`
			`ansible.builtin.package:`
			`name: cryptsetup`
			`state: present`

			`- name: Disk Partitions \| PATCH \| Encrypt /home with LUKS2 and provided passphrase`
			`community.crypto.luks_device:`
			`device: "/dev/{{ baseline_second_disk_vg_name }}/home"`
			`state: present`
			`passphrase: "{{ baseline_home_luks_passphrase }}"`
			`type: luks2`

			`- name: Disk Partitions \| PATCH \| Open LUKS device`
			`community.crypto.luks_device:`
			`device: "/dev/{{ baseline_second_disk_vg_name }}/home"`
			`name: home_crypt`
			`state: opened`
			`passphrase: "{{ baseline_home_luks_passphrase }}"`

			`- name: Disk Partitions \| PATCH \| Add /home logical volume to crypttab`
			`community.general.crypttab:`
			`backing_device: /dev/mapper/datavg-home`
			`name: home_crypt`
			`opts: discard`
			`state: present`

			`- name: Disk Partitions \| PATCH \| Create xfs filesystems on new partitions`
			`community.general.filesystem:`
			`dev: "{{ item }}"`
			`fstype: xfs`
			`with_items:`
			`- /dev/mapper/datavg-var`
			`- /dev/mapper/datavg-var_log`
			`- /dev/mapper/datavg-var_log_audit`
			`- /dev/mapper/datavg-var_tmp`
			`- /dev/mapper/home_crypt`

			`- name: Disk Partitions \| AUDIT \| Check if /home is mounted`
			`ansible.builtin.command:`
			`cmd: mountpoint -q /home`
			`register: baseline_second_disk_home_mounted`
			`changed_when: false`
			`failed_when: false`

			`- name: Disk Partitions \| AUDIT \| Check if /home is empty`
			`ansible.builtin.command:`
			`cmd: ls -A /home`
			`register: baseline_second_disk_home_files`
			`when: baseline_second_disk_home_mounted.rc != 0`
			`changed_when: false`

			`- name: Disk Partitions \| AUDIT \| Fail if /home is not mounted and not empty`
			`ansible.builtin.assert:`
			`that:`
			`- ((baseline_second_disk_home_files.skipped is defined) and baseline_second_disk_home_files.skipped) or (baseline_second_disk_home_files.stdout == "")`

			`- name: Disk Partitions \| PATCH \| Ensure /home is mounted`
			`ansible.posix.mount:`
			`src: "/dev/mapper/home_crypt"`
			`path: '/home'`
			`fstype: 'xfs'`
			`opts: 'rw,nosuid,nodev'`
			`state: mounted`

			`- name: Disk Partitions \| AUDIT \| Check if /var is mounted`
			`ansible.builtin.command:`
			`cmd: mountpoint -q /var`
			`register: baseline_second_disk_var_mounted`
			`changed_when: false`
			`failed_when: false`

			`- name: Disk Partitions \| PATCH \| Migrate content if /var is not mounted`
			`when: baseline_second_disk_var_mounted.rc != 0`
			`block:`
			`- name: Disk Partitions \| PATCH \| Enter emergency mode`
			`ansible.builtin.command:`
			`cmd: systemctl isolate emergency.target`
lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`tags:`
			`- skip_ansible_lint # Not possible with ansible.builtin.systemd_service`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00
			`- name: Disk Partitions \| PATCH \| Unmount /var/lib/nfs/rpc_pipefs if mounted`
			`ansible.posix.mount:`
			`path: /var/lib/nfs/rpc_pipefs`
			`state: unmounted`

			`- name: Disk Partitions \| PATCH \| Migrate data to new partitions`
			`ansible.builtin.include_tasks:`
			`file: disk_partitions_migrate.yml`
			`vars:`
			`baseline_second_disk_migrate_path: "{{ item }}"`
			`with_items:`
			`- "/var"`
			`- "/var/log"`
			`- "/var/log/audit"`
			`- "/var/tmp"`

			`- name: Disk Partitions \| PATCH \| Restore default mode`
			`ansible.builtin.command:`
			`cmd: systemctl isolate default.target`
lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`tags:`
			`- skip_ansible_lint # Not possible with ansible.builtin.systemd_service`