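---
# Enrols a random keyfile for the LUKS volume on /dev/md1, then rewrites
# /etc/crypttab and rebuilds the initramfs so the volume is opened with it.
#
# Idempotency: the task is skipped once /srv/common/luks exists, and that
# directory is created by the very first command. If a later step fails, a
# re-run is skipped although the setup is incomplete; inspect the host first.
- name: Cryptsetup part of this tasklist
  shell: |
    # Stop at the first failing command. Without this, a failed luksAddKey
    # would still be followed by the crypttab rewrite and the initramfs
    # rebuild, leaving a boot configuration that points at a key the volume
    # does not accept.
    set -eu

    # Key directory readable by root only (-m applies to the last component).
    mkdir -p -m0700 /srv/common/luks

    # 4096 random bytes as key material. The subshell keeps the umask change
    # local; conv=fsync flushes the file to disk before dd returns.
    (
      umask 0077 &&
        dd if=/dev/urandom bs=1 count=4096 \
          of=/srv/common/luks/crypt_dev_md1 conv=fsync
    )

    # The existing passphrase is fed on stdin to authorise the new key.
    # NOTE(review): that passphrase is a fixed literal in this playbook and
    # stays enrolled after this task. Remove or rotate it once unlocking with
    # the keyfile has been verified, otherwise the keyfile adds no protection.
    yes fai | cryptsetup luksAddKey /dev/md1 /srv/common/luks/crypt_dev_md1

    # This overwrites /etc/crypttab; any other entries are lost.
    # NOTE(review): luksAddKey is called without --key-slot, so the keyfile
    # goes into the first free slot. If the passphrase above already occupies
    # slot 0, key-slot=0 limits unlocking to a slot the keyfile is not in.
    # Confirm with: cryptsetup luksDump /dev/md1
    # NOTE(review): discard passes TRIM through dm-crypt, which reveals which
    # blocks are unused. Confirm that trade-off is intended.
    echo "crypt_dev_md1 /dev/md1 /srv/common/luks/crypt_dev_md1 luks,discard,key-slot=0" > /etc/crypttab

    # Let the cryptsetup initramfs hook copy key files named in crypttab into
    # the image.
    # NOTE(review): the pattern * matches every key file path in crypttab. A
    # pattern limited to /srv/common/luks/* would embed only this key.
    echo "KEYFILE_PATTERN=*" >> /etc/cryptsetup-initramfs/conf-hook

    # The image now contains key material, so build it root-readable only.
    # NOTE(review): this protects the file on the running system only. If the
    # initramfs is stored on an unencrypted partition, the key can be read
    # with offline access to the disk. Confirm against the disk layout.
    echo "UMASK=0077" >> /etc/initramfs-tools/conf.d/umask.conf

    update-initramfs -u
  args:
    executable: /bin/sh
    creates: /srv/common/luks
  become: true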