# crypto_policies

Ansible Galaxy role name: `linux-system-roles.crypto_policies`
This Ansible role manages the system-wide crypto policies of the target system. System-wide crypto policies are the mechanism used by Red Hat Enterprise Linux 8 and later and by Fedora to configure, in one place, which algorithms and protocols the core crypto libraries and the services built on them are allowed to use.
## Requirements

See the sections below for details.
### Collection Requirements

To manage rpm-ostree systems with this role, you need to install additional collections. Run the following command to install them:

```
ansible-galaxy collection install -vv -r meta/collection-requirements.yml
```
## Role Variables

By default, this role only reports the system's status, as explained in the section on variables provided by the role.
### crypto_policies_policy

Use this variable to set the crypto policy you want on the target system. It can be a base policy, or a base policy followed by colon-separated sub-policies, in the same form that the `update-crypto-policies` tool accepts. For example: `FUTURE` or `DEFAULT:NO-SHA1:GOST`. The base policy and every sub-policy you name must exist on the target system.

The default value is `null`, meaning no changes are made and the role only collects the information described below.

You can find the list of available base policies in the `crypto_policies_available_policies` variable, and the list of available sub-policies in the `crypto_policies_available_subpolicies` variable.
### crypto_policies_reload

By default (`true`), updating the crypto policy restarts the daemons affected by the policy change so that they pick up the new settings. Setting it to `false` disables these restarts, which is useful when you run this role during initial system setup or when a later task handles the restart itself.
### crypto_policies_reboot_ok

Because the crypto policies cannot know about every custom application that uses the crypto libraries, it is recommended to reboot the system after changing the policy. By default (`false`), if a reboot is necessary the role only sets the `crypto_policies_reboot_required` variable (explained below), and it is up to you to reboot the system after making any other changes that might also need a reboot. If no other task in the playbook needs a reboot, you can set this to `true` and the role reboots the system for you when needed.
### crypto_policies_transactional_update_reboot_ok

This variable manages the reboot needed after a transactional update. If a reboot is required, the role reboots the system when `crypto_policies_transactional_update_reboot_ok` is set to `true`. If it is `false`, the role reports that a reboot is needed and leaves the reboot to you. If this variable is not set at all, the role fails rather than continue, so that the reboot requirement is not silently missed.
## Variables Provided by the Role

### crypto_policies_active

The name of the currently active policy, in the same format as the `crypto_policies_policy` variable above.

### crypto_policies_available_policies

A list of all base policies available on the target system. Custom base policies can be added by copying `.pol` files to the `/etc/crypto-policies/policies` directory (not implemented in this role yet).

### crypto_policies_available_subpolicies

A list of all sub-policies available on the target system. Custom sub-policies can be installed by copying `.pmod` files to the `/etc/crypto-policies/policies/modules` directory (not implemented in this role yet).

### crypto_policies_available_modules

An old name for `crypto_policies_available_subpolicies`.

### crypto_policies_reboot_required

`false` by default. If it is `true`, a reboot is necessary to apply the changes made by the role.
## Example Playbook

The following playbook sets the system to the `DEFAULT` crypto policy with the `NO-SHA1` sub-policy, i.e. the default policy level with SHA-1 disabled. The affected daemons are not restarted (`crypto_policies_reload: false`) and, because `crypto_policies_reboot_ok` keeps its default of `false`, the role does not reboot the system; the user is expected to reboot afterwards.

```yaml
- name: Manage crypto policies
  hosts: all
  roles:
    - role: linux-system-roles.crypto_policies
      vars:
        crypto_policies_policy: "DEFAULT:NO-SHA1"
        crypto_policies_reload: false
```
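The playbook below is an added example written for this page; it is not part of the role's own documentation. It ties the role's report-only mode to the variables the role provides: a first run with `crypto_policies_policy` left unset collects `crypto_policies_active`, `crypto_policies_available_policies` and `crypto_policies_available_subpolicies`; an `assert` task then refuses to continue if the requested base policy or any of its sub-policies does not exist on the host (the role would otherwise fail only when `update-crypto-policies` rejects the name); only then is the policy applied, with `crypto_policies_reboot_ok: false` so that the play, not the role, decides when to reboot based on `crypto_policies_reboot_required`. The variable names `wanted_base`, `wanted_subpolicies` and `wanted_policy` are this example's own.

```yaml
# Added example, not part of the role's README or code.
- name: Verify the requested policy exists, apply it, and reboot only when flagged
  hosts: all
  vars:
    # Assumed names for this example: the policy is built from a base and sub-policies.
    wanted_base: DEFAULT
    wanted_subpolicies:
      - NO-SHA1
    wanted_policy: "{{ ([wanted_base] + wanted_subpolicies) | join(':') }}"
  tasks:
    - name: Run the role in report-only mode (crypto_policies_policy stays null)
      ansible.builtin.include_role:
        name: linux-system-roles.crypto_policies

    - name: Show what the role collected
      ansible.builtin.debug:
        msg:
          - "active policy: {{ crypto_policies_active }}"
          - "base policies: {{ crypto_policies_available_policies }}"
          - "sub-policies: {{ crypto_policies_available_subpolicies }}"

    - name: Fail early if the base policy or any sub-policy is missing on this host
      ansible.builtin.assert:
        that:
          - wanted_base in crypto_policies_available_policies
          - (wanted_subpolicies | difference(crypto_policies_available_subpolicies)) | length == 0
        fail_msg: "{{ wanted_policy }} is not available on {{ inventory_hostname }}"

    - name: Apply the policy; leave the reboot decision to this play
      ansible.builtin.include_role:
        name: linux-system-roles.crypto_policies
      vars:
        crypto_policies_policy: "{{ wanted_policy }}"
        crypto_policies_reboot_ok: false
      when: crypto_policies_active != wanted_policy

    # Any other tasks that may also require a reboot belong here, before the
    # single reboot below, so the host is restarted once rather than per change.

    - name: Reboot only the hosts the role flagged
      ansible.builtin.reboot:
      when: crypto_policies_reboot_required | default(false)
```

The `when` on the second role run keeps the play idempotent on hosts that already use the wanted policy, and the final task consults the role-provided flag instead of assuming every host needs a restart.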
## rpm-ostree

See README-ostree.md for more information.
## License

MIT, refer to the LICENSE file for details.

## Author Information

Jakub Jelen, 2020
Install the role from Ansible Galaxy with:

```
ansible-galaxy install linux-system-roles.crypto_policies
```