diff --git a/group_vars/dropbear.yml b/group_vars/dropbear.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d6a882c8820df2b586cfcdd90d637f21284b6274
--- /dev/null
+++ b/group_vars/dropbear.yml
@@ -0,0 +1,6 @@
+---
+glob_dropbear:
+  initramfs_ip: "::::{{ ansible_hostname }}:ens2f0:dhcp"
+  options: "-I 180 -j -k -p 80 -s"
+  authorized_keys:
+    - "{{ vault.surface.pubkey }}"
diff --git a/hosts b/hosts
index a934adcba65e653bae0b251340311eee4b5f8965..63e23322c975e75c0b0ade2a20fbae3659856377 100644
--- a/hosts
+++ b/hosts
@@ -56,6 +56,10 @@ constellation-dev.adm.crans.org
 [dhcp:children]
 routeurs_vm
 
+[dropbear]
+ft.adm.crans.org
+thot.adm.crans.org
+
 [docker:children]
 gitlab_runner
 
diff --git a/plays/dropbear.yml b/plays/dropbear.yml
new file mode 100755
index 0000000000000000000000000000000000000000..e2cf9c210a243dc312f61d6dca499048f6a63414
--- /dev/null
+++ b/plays/dropbear.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: dropbear
+  vars:
+    dropbear: "{{ glob_dropbear | default({}) | combine(loc_dropbear | default({})) }}"
+  roles:
+    - dropbear
diff --git a/roles/dropbear/handlers/main.yml b/roles/dropbear/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1ef3879ab24d47445f5988922eb079900ebd1e4c
--- /dev/null
+++ b/roles/dropbear/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: Update initramfs
+  command: update-initramfs -u
diff --git a/roles/dropbear/tasks/main.yml b/roles/dropbear/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..80a2a69c8876ecfd8a7026c5b887fb97f5ab22c6
--- /dev/null
+++ b/roles/dropbear/tasks/main.yml
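Review bot: `initramfs_ip` pins the boot-time NIC to `ens2f0` for every member of the dropbear group; a host whose interface carries a different name gets no network in the initramfs and cannot be unlocked remotely, and that only surfaces at the next reboot. Consider making the device a per-host value (the play already merges `loc_dropbear` over this dict) or at least stating the assumption, `# every dropbear host exposes its admin NIC as ens2f0; override per host via loc_dropbear.initramfs_ip`. `-p 80` is an unusual port for an SSH listener, so a one-line comment on why it was chosen would save the next reader a question; `-s -j -k` (no password auth, no port forwarding) is an appropriately tight set for an unlock-only shell.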
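Review bot: The play sets no `become`, yet the role installs a package and writes under `/etc`; unless privilege escalation is configured globally in ansible.cfg or the connection user is root (neither visible here), the first task fails. If that is not the project convention, add `become: true` beside `hosts: dropbear`. Note also that `combine` is a shallow merge, so a host-level `loc_dropbear.authorized_keys` replaces the group list instead of extending it; if per-host keys are meant to be additive, `combine(loc_dropbear | default({}), recursive=True, list_merge='append')` does that on Ansible 2.10 and later, otherwise a comment that loc replaces glob wholesale would document the current behaviour.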
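Review bot: `update-initramfs -u` regenerates only the most recent kernel's initramfs under the default configuration, so on a host that keeps older kernels installed, booting one of them would use an image without the current dropbear config and keys; `command: update-initramfs -u -k all` covers every installed kernel. Because this is a `command` task the handler always reports changed, which is acceptable for a handler but deserves a comment, `# always reports changed; only runs when one of the templates notified it`.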
@@ -0,0 +1,36 @@
+---
+- name: Install dropbear
+  apt:
+    update_cache: true
+    install_recommends: false
+    name: dropbear-initramfs
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure initramfs network
+  template:
+    src: initramfs-tools/conf.d/10-network.j2
+    dest: /etc/initramfs-tools/conf.d/10-network
+    owner: root
+    group: root
+    mode: 0644
+  notify: Update initramfs
+
+- name: Deploy configuration
+  template:
+    src: dropbear-initramfs/config.j2
+    dest: /etc/dropbear-initramfs/config
+    owner: root
+    group: root
+    mode: 0644
+  notify: Update initramfs
+
+- name: Deploy authorized keys
+  template:
+    src: dropbear-initramfs/authorized_keys.j2
+    dest: /etc/dropbear-initramfs/authorized_keys
+    owner: root
+    group: root
+    mode: 0644
+  notify: Update initramfs
diff --git a/roles/dropbear/templates/dropbear-initramfs/authorized_keys.j2 b/roles/dropbear/templates/dropbear-initramfs/authorized_keys.j2
new file mode 100644
index 0000000000000000000000000000000000000000..6e617e9214cf71f4f9392f9c13ff8e52112a78cc
--- /dev/null
+++ b/roles/dropbear/templates/dropbear-initramfs/authorized_keys.j2
@@ -0,0 +1,3 @@
+{% for key in dropbear.authorized_keys %}
+{{ key }}
+{% endfor %}
diff --git a/roles/dropbear/templates/dropbear-initramfs/config.j2 b/roles/dropbear/templates/dropbear-initramfs/config.j2
new file mode 100644
index 0000000000000000000000000000000000000000..470f0035a5483220852b026e94d2caed56c959ec
--- /dev/null
+++ b/roles/dropbear/templates/dropbear-initramfs/config.j2
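Review bot: `mode: 0644` is written as an unquoted YAML octal in all three template tasks (Configure initramfs network, Deploy configuration, Deploy authorized keys); Ansible's loader accepts the leading-zero integer today, but ansible-lint flags the form (risky-octal) and a YAML 1.2 parser would read `0644` as decimal 644, which Ansible then applies as a different mode. Writing `mode: "0644"` in each task removes the ambiguity. The install task deliberately does not notify the handler, presumably because the package's own postinst builds the initramfs — a short comment confirming that intent would keep someone from "fixing" it later.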
@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+
+#
+# Configuration options for the dropbear-initramfs boot scripts.
+# You must run update-initramfs(8) to effect changes to this file (like
+# for other files under the '/etc/dropbear-initramfs' directory).
+
+#
+# Command line options to pass to dropbear(8)
+#
+DROPBEAR_OPTIONS="{{ dropbear.options }}"
+
+#
+# On local (non-NFS) mounts, interfaces matching this pattern are
+# brought down before exiting the ramdisk to avoid dirty network
+# configuration in the normal kernel.
+# The special value 'none' keeps all interfaces up and preserves routing
+# tables and addresses.
+#
+#IFDOWN=*
+
+#
+# On local (non-NFS) mounts, the network stack and dropbear are started
+# asynchronously at init-premount stage. This value specifies the
+# maximum number of seconds to wait (while the network/dropbear are
+# being configured) at init-bottom stage before terminating dropbear and
+# bringing the network down.
+# If the timeout is too short, and if the boot process is not blocking
+# on user input supplied via SSHd (ie no remote unlocking), then the
+# initrd might pivot to init(1) too early, thereby causing a race
+# condition between network configuration from initramfs vs from the
+# normal system.
+#
+#DROPBEAR_SHUTDOWN_TIMEOUT=60
diff --git a/roles/dropbear/templates/initramfs-tools/conf.d/10-network.j2 b/roles/dropbear/templates/initramfs-tools/conf.d/10-network.j2
new file mode 100644
index 0000000000000000000000000000000000000000..6f42ef4bee9bc5b8556a7e592f88b0ae3e385e61
--- /dev/null
+++ b/roles/dropbear/templates/initramfs-tools/conf.d/10-network.j2
@@ -0,0 +1,3 @@
+{{ ansible_header | comment }}
+
+IP={{ dropbear.initramfs_ip }}
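Review bot: Only `DROPBEAR_OPTIONS` is driven by the `dropbear` dict; `IFDOWN` and `DROPBEAR_SHUTDOWN_TIMEOUT` stay as commented-out upstream defaults, so a host that needs a longer shutdown timeout has no variable to set and would have to fork the template. Exposing them the same way with defaults that preserve current behaviour, e.g. `DROPBEAR_SHUTDOWN_TIMEOUT={{ dropbear.shutdown_timeout | default(60) }}` and the equivalent for IFDOWN, keeps the whole file under one dict. Since this file appears to be sourced as shell by the boot scripts (its own header says so), `dropbear.options` is interpolated inside hand-written double quotes unescaped; the value comes from group_vars so the risk is low, but `DROPBEAR_OPTIONS={{ dropbear.options | quote }}` would make a stray `"` or `$` harmless.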
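Review bot: `IP=` is emitted without any explanation of its colon-separated fields, and the group value `::::{{ ansible_hostname }}:ens2f0:dhcp` is hard to read without it. A comment above the line, `# IP=client-ip:server-ip:gw-ip:netmask:hostname:device:autoconf (kernel ip= syntax)`, documents the format where the next maintainer will look. Presumably an `ip=` on the kernel command line still takes precedence over this file — worth confirming and noting, since a leftover bootloader setting would then silently override what the role deploys.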