Packages and installation
dropbear_initramfs__base_packages
List of APT packages to install for dropbear_initramfs support.
Supported versions:
dropbear-initramfs
dropbear
dropbear_initramfs__base_packages:
  - '{{ "dropbear"
        if (
          (ansible_distribution == "Debian" and ansible_distribution_release in ["jessie"]) or
          (ansible_distribution == "Ubuntu" and ansible_distribution_release in ["precise", "trusty"])
        )
        else "dropbear-initramfs" }}'
dropbear_initramfs__packages
List of additional APT packages to install during dropbear_initramfs configuration.
dropbear_initramfs__packages: []
dropbear_initramfs__deploy_state
What is the desired state which this role should achieve? Possible options:
present
    Default. Ensure that dropbear is configured in the initramfs to allow ssh connections.
absent
    Ensure that dropbear and related configuration maintained by this role are absent.
dropbear_initramfs__deploy_state: 'present'
Simple initramfs network
Refer to https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt for supported configuration options.
Note that the IP kernel parameter as of Debian jessie only supports legacy IPv4. But don’t worry, the role has you covered. Refer to dropbear_initramfs__interfaces.
dropbear_initramfs__network_autoconf
Method to use for autoconfiguration. Use off or none for manual network configuration (see below).
dropbear_initramfs__network_autoconf: 'dhcp'
dropbear_initramfs__network_device
Default network device.
dropbear_initramfs__network_device: '{{
  ansible_default_ipv6.interface
  if ansible_default_ipv6.interface|d()
  else (
    ansible_default_ipv4.interface
    if ansible_default_ipv4.interface|d()
    else "eth0"
  )
  }}'
dropbear_initramfs__network_address
Manual network address to set.
dropbear_initramfs__network_address: '{{ ansible_default_ipv4.address }}'
dropbear_initramfs__network_netmask
Manual subnet mask to set.
dropbear_initramfs__network_netmask: '{{ ansible_default_ipv4.netmask }}'
dropbear_initramfs__network_gateway
Manual gateway to set.
dropbear_initramfs__network_gateway: '{{ ansible_default_ipv4.gateway }}'
dropbear_initramfs__network_manual
The IP kernel parameter used when dropbear_initramfs__network_autoconf is disabled.
The ipwrap filter makes IPv6 addresses work on some platforms. Refer to: https://serverfault.com/questions/445296/is-there-a-linux-kernel-boot-parameter-to-configure-an-ipv6-address/701451#701451
dropbear_initramfs__network_manual: '{{
  (dropbear_initramfs__network_address | ansible.utils.ipwrap) + "::" +
  (dropbear_initramfs__network_gateway | ansible.utils.ipwrap) + ":" +
  dropbear_initramfs__network_netmask + "::" +
  dropbear_initramfs__network_device + ":none" }}'
dropbear_initramfs__network
The IP kernel parameter as it is configured by the role.
dropbear_initramfs__network: '{{ dropbear_initramfs__network_manual
                                 if (dropbear_initramfs__network_autoconf in ["off", "none"])
                                 else dropbear_initramfs__network_autoconf }}'
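The following is an added example, not part of the role: it mirrors the dropbear_initramfs__network_manual expression in Python and maps the result onto the field order given in nfsroot.txt, showing why an unbracketed IPv6 address breaks the colon-separated layout. The helper names, the sample addresses and the IPv6 netmask value are constructed, and the bracket-aware splitter is a simplification for illustration, not the kernel's parser.

```python
import ipaddress

# Field order of the kernel ip= parameter as documented in nfsroot.txt.
FIELDS = ("client_ip", "server_ip", "gateway", "netmask",
          "hostname", "device", "autoconf")


def ipwrap(value):
    """Stand-in for ansible.utils.ipwrap: bracket IPv6 addresses only."""
    try:
        is_v6 = ipaddress.ip_address(value).version == 6
    except ValueError:
        return value
    return f"[{value}]" if is_v6 else value


def build_ip_param(address, gateway, netmask, device, wrap=True):
    """Mirror the dropbear_initramfs__network_manual expression."""
    w = ipwrap if wrap else str
    return f"{w(address)}::{w(gateway)}:{netmask}::{device}:none"


def split_fields(param):
    """Split on ':' but treat a bracketed [address] as one field."""
    fields, current, in_brackets = [], "", False
    for ch in param:
        if ch in "[]":
            in_brackets = (ch == "[")
        if ch == ":" and not in_brackets:
            fields.append(current)
            current = ""
        else:
            current += ch
    return fields + [current]


def parse_ip_param(param):
    """Return the named fields, or raise if the field count is off."""
    fields = split_fields(param)
    if len(fields) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(fields)}")
    return dict(zip(FIELDS, fields))


if __name__ == "__main__":
    # Constructed sample values from the documentation address ranges.
    v4 = build_ip_param("192.0.2.10", "192.0.2.1", "255.255.255.0", "eth0")
    v6 = build_ip_param("2001:db8::10", "2001:db8::1", "64", "eth0")
    print(parse_ip_param(v4))
    print(parse_ip_param(v6))
```
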
Complex initramfs network
These variables are dictionaries with additional network configuration. See dropbear_initramfs__interfaces documentation for more details.
dropbear_initramfs__interfaces
Dictionary which holds additional network configuration for all hosts in the Ansible inventory.
dropbear_initramfs__interfaces: {}
dropbear_initramfs__group_interfaces
Dictionary which holds additional network configuration for hosts in a specific Ansible inventory group.
dropbear_initramfs__group_interfaces: {}
dropbear_initramfs__host_interfaces
Dictionary which holds additional network configuration for specific hosts in the Ansible inventory.
dropbear_initramfs__host_interfaces: {}
dropbear_initramfs__combined_interfaces
Dictionary which combines all of the other network interface configuration variables and is used in the role tasks and templates to generate the configuration.
dropbear_initramfs__combined_interfaces: '{{ lookup("template", "lookup/dropbear_initramfs__combined_interfaces.j2", convert_data=False) | from_yaml }}'
Initramfs generation
dropbear_initramfs__update_options
Additional options for the update-initramfs command. The default is to regenerate the initramfs for all installed kernel versions.
dropbear_initramfs__update_options: '-k all'
Dropbear options
dropbear_initramfs__port
The port dropbear listens on.
dropbear_initramfs__port: '22'
dropbear_initramfs__disable_password_login
Disable password login?
dropbear_initramfs__disable_password_login: '{{
  True
  if dropbear_initramfs__combined_authorized_keys|d()
  else False
  }}'
dropbear_initramfs__disable_port_forwarding
Disable local and remote port forwarding?
dropbear_initramfs__disable_port_forwarding: True
dropbear_initramfs__idle_timeout
Idle time in seconds after which dropbear times out.
dropbear_initramfs__idle_timeout: '180'
dropbear_initramfs__max_authentication_attempts
The maximum number of authentication attempts per connection.
dropbear_initramfs__max_authentication_attempts: '10'
dropbear_initramfs__forced_command
Override the command provided by the user and always run this command.
dropbear_initramfs__forced_command: ''
dropbear_initramfs__dropbear_options
Options passed to dropbear.
dropbear_initramfs__dropbear_options: '{{
  "-p " + dropbear_initramfs__port +
  (" -g -s" if dropbear_initramfs__disable_password_login|d() else "") +
  (" -j -k" if dropbear_initramfs__disable_port_forwarding|d() else "") +
  " -I " + dropbear_initramfs__idle_timeout +
  " -T " + dropbear_initramfs__max_authentication_attempts +
  (" -c " + dropbear_initramfs__forced_command if dropbear_initramfs__forced_command|d() else "")
  }}'
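The following is an added example, not part of the role: it mirrors the dropbear_initramfs__dropbear_options expression in Python and audits the resulting string for the hardening flags the role can emit. With the defaults above and no authorized keys configured, -g and -s are absent and password logins stay enabled. The function names and finding texts are constructed, and cryptroot-unlock in the test block is only a sample forced command.

```python
import shlex


def render_options(port="22", disable_password_login=False,
                   disable_port_forwarding=True, idle_timeout="180",
                   max_auth_attempts="10", forced_command=""):
    """Mirror the dropbear_initramfs__dropbear_options expression.

    disable_password_login defaults to False here because the role only
    sets it to True when authorized keys are configured.
    """
    return ("-p " + port
            + (" -g -s" if disable_password_login else "")
            + (" -j -k" if disable_port_forwarding else "")
            + " -I " + idle_timeout
            + " -T " + max_auth_attempts
            + (" -c " + forced_command if forced_command else ""))


# Flags from the expression above that consume the following token.
VALUE_FLAGS = {"-p", "-I", "-T", "-c"}

# Hardening flags and the finding reported when one is missing.
HARDENING = {
    "-s": "password logins enabled",
    "-g": "root password logins enabled",
    "-j": "local port forwarding enabled",
    "-k": "remote port forwarding enabled",
}


def audit(options):
    """Return a list of findings for a dropbear option string."""
    tokens = shlex.split(options)
    seen, values, i = set(), {}, 0
    while i < len(tokens):
        if tokens[i] in VALUE_FLAGS and i + 1 < len(tokens):
            values[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            seen.add(tokens[i])
            i += 1
    findings = [msg for flag, msg in HARDENING.items() if flag not in seen]
    if values.get("-I", "0") == "0":
        findings.append("no idle timeout")
    if "-c" not in values:
        findings.append("no forced command")
    return findings
```
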
Authorized ssh keys
See dropbear_initramfs__authorized_keys for more details.
List of authorized ssh keys configured on all hosts in the Ansible inventory.
dropbear_initramfs__authorized_keys: []
List of authorized ssh keys configured on a group of hosts in the Ansible inventory.
dropbear_initramfs__group_authorized_keys: []
List of authorized ssh keys configured on specific hosts in the Ansible inventory.
dropbear_initramfs__host_authorized_keys: []
Combined list of authorized ssh keys as used in the role tasks.
dropbear_initramfs__combined_authorized_keys: '{{ dropbear_initramfs__authorized_keys +
                                                  dropbear_initramfs__group_authorized_keys +
                                                  dropbear_initramfs__host_authorized_keys }}'
List of default SSH options added to all public keys. If it's set to {{ omit }}, no options will be added automatically. The list of options can be overridden by the item.options parameter.
Refer to dropbear(8) for details.
dropbear_initramfs__authorized_keys_key_options: '{{ omit }}'
Configuration for other Ansible roles
dropbear_initramfs__apt_preferences__dependent_list
Configuration for the debops.apt_preferences role.
dropbear_initramfs__apt_preferences__dependent_list:
  - package: 'dropbear-initramfs'
    pin: 'release o=Debian,n=stretch'
    priority: 800
    reason: 'Stronger cryptography. dropbear 2014.65-1 only offers: hmac-sha1-96,hmac-sha1,hmac-md5'
    by_role: 'debops-contrib.dropbear_initramfs'
    state: '{{ "present"
               if (("dropbear-initramfs" in dropbear_initramfs__base_packages) and
                   (ansible_distribution == "Debian" and ansible_distribution_release in ["jessie"]))
               else "absent" }}'