From bbaa388b40907a735c720e54e98016d7e79ec6aa Mon Sep 17 00:00:00 2001
From: Sergei Petrosian
Date: Thu, 7 May 2026 14:52:35 +0200
Subject: [PATCH] feat: Parametrize no_log usage in trustee_client role

- Replace literal no_log: true with trustee_client_secure_logging variable
- Add trustee_client_secure_logging: true to defaults/main.yml
- Document trustee_client_secure_logging variable in README.md

This change allows users to control logging of potentially sensitive information by setting trustee_client_secure_logging: false for debugging, while maintaining secure defaults.

Co-Authored-By: Claude Sonnet 4.5
---
 README.md | 16 ++++++++++++++++
 defaults/main.yml | 1 +
 tasks/encrypt_disk.yml | 8 ++++----
 3 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index f01c086..a1db403 100644
--- a/README.md
+++ b/README.md
@@ -69,6 +69,22 @@ An unpartitioned empty disk must be attached to the target. When enabled, this t
 3. Mounts it at the designated path
 4. Sets up automatic unlock and mount either with Secret Registration Client service or /etc/crypttab with `systemd-cryptenroll`

+## Variables
+
+### trustee_client_secure_logging
+
+If `true`, suppress potentially sensitive output from tasks that handle
+credentials, secrets, and other sensitive data by setting `no_log: true` on
+those tasks. This prevents passwords, API tokens, private keys, and similar
+sensitive information from appearing in Ansible logs and console output.
+
+If you need to debug issues with credential handling or secret management, you
+can temporarily set `trustee_client_secure_logging: false` to see the full output from
+these tasks. However, be aware that this may expose sensitive information in
+logs, so it should only be used in development or troubleshooting scenarios.
+
+Default: `true`
+
 ## License

 Whenever possible, please prefer MIT.
diff --git a/defaults/main.yml b/defaults/main.yml
index caa2b06..e5c8542 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -17,3 +17,4 @@ trustee_client_secret_registration_enabled: false
 # Encrypt disk configuration
 trustee_client_encrypt_disk: false
 trustee_client_encrypt_disk_mount_point: "/mnt/encrypted-disk"
+trustee_client_secure_logging: true
diff --git a/tasks/encrypt_disk.yml b/tasks/encrypt_disk.yml
index db193c9..1c31f0d 100644
--- a/tasks/encrypt_disk.yml
+++ b/tasks/encrypt_disk.yml
@@ -44,7 +44,7 @@
 /usr/local/bin/secret_registration_client.sh --fetch-key-to {{ __trustee_client_secret_key_tempfile.path }}
 changed_when: true
 when: trustee_client_secret_registration_enabled | bool
- no_log: true
+ no_log: "{{ trustee_client_secure_logging }}"

 - name: Check systemd-cryptenroll command exists
 ansible.builtin.command: command -v systemd-cryptenroll
@@ -60,7 +60,7 @@
 when:
 - __trustee_client_cryptenroll_check is success
 - not trustee_client_secret_registration_enabled | bool
- no_log: true
+ no_log: "{{ trustee_client_secure_logging }}"

 - name: Encrypt the partition
 ansible.builtin.shell: |
@@ -73,7 +73,7 @@
 [ -d {{ trustee_client_encrypt_disk_mount_point }} ] || mkdir -p {{ trustee_client_encrypt_disk_mount_point }}
 mount /dev/mapper/trustee_client_encrypted_disk_0 {{ trustee_client_encrypt_disk_mount_point }}
 changed_when: true
- no_log: true
+ no_log: "{{ trustee_client_secure_logging }}"

 - name: TPM2 cryptenroll and configure crypttab/fstab
 when:
@@ -85,7 +85,7 @@
 systemd-cryptenroll {{ __trustee_client_disk_partition }} --tpm2-device=auto --tpm2-pcrs=7 --unlock-key-file={{ __trustee_client_secret_key_tempfile.path }}
 systemd-cryptenroll {{ __trustee_client_disk_partition }} --wipe-slot=password
 changed_when: true
- no_log: true
+ no_log: "{{ trustee_client_secure_logging }}"

 - name: Get UUID of the LUKS partition
 ansible.builtin.command: "lsblk -dno UUID {{ __trustee_client_disk_partition }}"
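Review bot: The new default `trustee_client_secure_logging: true` is appended directly under the `# Encrypt disk configuration` group with no comment of its own, although it is the one value in this file a user is invited to flip for debugging. Since defaults/main.yml is what people copy into their inventory, the README caveat should be visible at the point of change, e.g. a line above it reading `# Set to false only while debugging: task output may then contain key material and other secrets`. Whether the rest of defaults/main.yml comments every variable cannot be seen from this hunk, so match whatever style the file already uses.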
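Review bot: The four `no_log` lines (hunks -44, -60, -73 and -85) now depend on `trustee_client_secure_logging` being defined, so including tasks/encrypt_disk.yml without the role's defaults loaded makes each of these tasks fail on an undefined variable (with Ansible's default undefined-variable handling) rather than fall back to suppressed output; that is the safe failure direction, but it deserves a comment on the first occurrence, e.g. `# Templated so the variable can be set to false for debugging; an undefined value fails the task rather than logging silently`. When the value is false, the rendered command lines of these shell tasks are printed, and from the visible context that includes the key temp-file path and the `--wipe-slot=password` enrollment step, so the README's warning applies to exactly these tasks. Any `register` on these tasks lies outside the hunks, so whether stdout of the key fetch would also be displayed cannot be judged here.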