This playbook and role allows you to define a list of encrypted ZFS datasets.
I used this on my proxmox setup, but it should be available to use in all ZFS environments.
Encryption works by loading the encryption key to zfs. The playbook then tries to mount the dataset.
Because it's encrypted... when you reboot the server, you'll need to run the playbook to mount the dataset again.
Clone this repo into your roles directory:
git clone [email protected]:BojanZelic/ansible-zfs-encrypted-datasets.git roles/bojanzelic.zfs_datasets
Alternatively
ansible-galaxy install bojanzelic.zfs_datasets
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Pass in the encryption key as an environmental variable ZFS_KEY
- hosts: all
roles:
- role: bojanzelic.zfs_datasets
zfs_key: "{{ lookup('env','ZFS_KEY') }}"
zfs_datasources:
rpool:
state: present
rpool/backups:
encrypted: true
extra_zfs_properties:
sharenfs: [email protected]/24
rpool/documents:
encrypted: true
rpool/personal_media:
state: present
rpool/media:
state: present
GNU General Public License v3.0
Contact me at https://bojan.zelic.io