theforeman · evgeni · May 5, 2026
diff --git a/development/playbooks/deploy-dev/deploy-dev.yaml b/development/playbooks/deploy-dev/deploy-dev.yaml
@@ -55,6 +55,7 @@
             foreman_development_enabled_plugins: "{{ foreman_development_enabled_plugins + ['foreman_ansible'] }}"
   roles:
     - role: pre_install
+    - role: crypto_policy
     - role: certificates
     - role: postgresql
     - role: redis

diff --git a/development/playbooks/remote-database/remote-database.yaml b/development/playbooks/remote-database/remote-database.yaml
@@ -13,6 +13,7 @@
     postgresql_ssl_key: "{{ certificates_ca_directory }}/private/{{ ansible_facts['fqdn'] }}.key"
   roles:
     - role: pre_install
+    - role: crypto_policy
     - role: certificates
     - role: postgresql
 

diff --git a/src/playbooks/deploy/deploy.yaml b/src/playbooks/deploy/deploy.yaml
@@ -29,6 +29,7 @@
   roles:
     - role: pre_install
     - role: checks
+    - role: crypto_policy
     - role: certificates
       when: "certificates_source in ['default', 'custom_server']"
     - role: certificate_checks

diff --git a/src/roles/candlepin/tasks/main.yml b/src/roles/candlepin/tasks/main.yml
@@ -90,6 +90,7 @@
     volumes:
       - /var/log/candlepin:/var/log/candlepin:Z
       - /var/log/tomcat:/var/log/tomcat:Z
+      - /var/lib/foremanctl/etc_crypto_policies:/etc/crypto-policies:ro,z
     quadlet_options:
       - |
         [Install]

diff --git a/src/roles/crypto_policy/defaults/main.yml b/src/roles/crypto_policy/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+crypto_policy_container: "centos:stream9"
+crypto_policy_policy: FUTURE
diff --git a/src/roles/crypto_policy/tasks/main.yml b/src/roles/crypto_policy/tasks/main.yml
@@ -0,0 +1,32 @@
+---
+- name: Create /var/lib/foremanctl/
+  ansible.builtin.file:
+    path: /var/lib/foremanctl/
+    state: directory
+    owner: root
+    group: root
+    mode: '0750'
+
+- name: Create temporary container for data extraction
+  containers.podman.podman_container:
+    name: crypto-policy-tmp
+    image: "{{ crypto_policy_container }}"
+    state: started
+    command: sleep 600
+
+- name: Set the policy
+  containers.podman.podman_container_exec:
+    name: crypto-policy-tmp
+    command: "update-crypto-policies --set {{ crypto_policy_policy }}"
+
+- name: Extract data from container
+  containers.podman.podman_container_copy:
+    container: crypto-policy-tmp
+    src: "/etc/crypto-policies"
+    dest: "/var/lib/foremanctl/etc_crypto_policies"
+    from_container: true
+
+- name: Remove temporary container
+  containers.podman.podman_container:
+    name: crypto-policy-tmp
+    state: absent
diff --git a/src/roles/foreman/tasks/main.yaml b/src/roles/foreman/tasks/main.yaml
@@ -105,6 +105,7 @@
     hostname: "{{ ansible_facts['hostname'] }}.local"
     volume:
       - 'foreman-data-run:/var/run/foreman:z'
+      - /var/lib/foremanctl/etc_crypto_policies:/etc/crypto-policies:ro,z
     secrets:
       - 'foreman-database-url,type=env,target=DATABASE_URL'
       - 'foreman-seed-admin-user,type=env,target=SEED_ADMIN_USER'
@@ -143,6 +144,7 @@
     hostname: "{{ ansible_facts['hostname'] }}.local"
     volume:
       - 'foreman-data-run:/var/run/foreman:z'
+      - /var/lib/foremanctl/etc_crypto_policies:/etc/crypto-policies:ro,z
     secrets:
       - 'foreman-database-url,type=env,target=DATABASE_URL'
       - 'foreman-settings-yaml,type=mount,target=/etc/foreman/settings.yaml'
@@ -198,6 +200,7 @@
     command: "foreman-rake {{ item.rake }}"
     volume:
       - 'foreman-data-run:/var/run/foreman:z'
+      - /var/lib/foremanctl/etc_crypto_policies:/etc/crypto-policies:ro,z
     secrets:
       - 'foreman-database-url,type=env,target=DATABASE_URL'
       - 'foreman-seed-admin-user,type=env,target=SEED_ADMIN_USER'

diff --git a/src/roles/postgresql/tasks/main.yml b/src/roles/postgresql/tasks/main.yml
@@ -31,6 +31,7 @@
     network: host
     volumes:
       - "{{ postgresql_data_dir }}:/var/lib/pgsql/data:Z"
+      - /var/lib/foremanctl/etc_crypto_policies:/etc/crypto-policies:ro,z
     secrets:
       - 'postgresql-admin-password,target=POSTGRESQL_ADMIN_PASSWORD,type=env'
     env:

diff --git a/src/roles/pulp/defaults/main.yaml b/src/roles/pulp/defaults/main.yaml
@@ -12,6 +12,7 @@ pulp_api_service_worker_count: "{{ ([4, ansible_facts['processor_nproc']] | min)
 
 pulp_volumes:
   - /var/lib/pulp:/var/lib/pulp
+  - /var/lib/foremanctl/etc_crypto_policies:/etc/crypto-policies:ro,z
 
 pulp_api_container_name: pulp-api
 pulp_content_container_name: pulp-content

diff --git a/src/roles/redis/tasks/main.yaml b/src/roles/redis/tasks/main.yaml
@@ -24,6 +24,7 @@
     command: ["run-redis", "--supervised", "systemd"]
     volumes:
       - /var/lib/redis:/data:Z
+      - /var/lib/foremanctl/etc_crypto_policies:/etc/crypto-policies:ro,z
     quadlet_options:
       - |
         [Install]