Packages and installation

dropbear_initramfs__base_packages

List of APT packages to install for dropbear_initramfs support.

Supported versions:

  • dropbear-initramfs

  • dropbear

dropbear_initramfs__base_packages:
  - '{{ "dropbear"
        if (
          (ansible_distribution == "Debian" and ansible_distribution_release in ["jessie"]) or
          (ansible_distribution == "Ubuntu" and ansible_distribution_release in ["precise", "trusty"])
        )
        else "dropbear-initramfs" }}'
dropbear_initramfs__packages

List of additional APT packages to install during dropbear_initramfs configuration.

dropbear_initramfs__packages: []
dropbear_initramfs__config_path

Path to dropbear initramfs configuration files.

dropbear_initramfs__config_path: '{{ "/etc/dropbear-initramfs"
                                     if (ansible_distribution_release in ["stretch", "buster", "bullseye"])
                                     else "/etc/dropbear/initramfs" }}'
dropbear_initramfs__config_file

Path to dropbear initramfs configuration file.

dropbear_initramfs__config_file: '{{ dropbear_initramfs__config_path + "/"
                                     + ("config"
                                        if (ansible_distribution_release in ["stretch", "buster", "bullseye"])
                                        else "dropbear.conf") }}'
dropbear_initramfs__deploy_state

What is the desired state which this role should achieve? Possible options:

present

Default. Ensure that dropbear is configured in the initramfs to allow ssh connections.

absent

Ensure that dropbear and related configuration maintained by this role are absent.

dropbear_initramfs__deploy_state: 'present'

Simple initramfs network

Refer to https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt for support configuration options.

Note that the IP kernel parameter as of Debian jessie only supports legacy IPv4. But don’t worry, the role has you covered. Refer to dropbear_initramfs__interfaces.

dropbear_initramfs__network_autoconf

Method to use for autoconfiguration. Use off or none for manual network configuration (see below).

dropbear_initramfs__network_autoconf: 'dhcp'
dropbear_initramfs__network_device

Default network device.

dropbear_initramfs__network_device: '{{
  ansible_default_ipv6.interface
  if ansible_default_ipv6.interface|d()
  else (
    ansible_default_ipv4.interface
    if ansible_default_ipv4.interface|d()
    else "eth0"
  )
  }}'
dropbear_initramfs__network_address

Manual network address to set.

dropbear_initramfs__network_address: '{{ ansible_default_ipv4.address }}'
dropbear_initramfs__network_netmask

Manual subnet mask to set.

dropbear_initramfs__network_netmask: '{{ ansible_default_ipv4.netmask }}'
dropbear_initramfs__network_gateway

Manual gateway to set.

dropbear_initramfs__network_gateway: '{{ ansible_default_ipv4.gateway }}'
dropbear_initramfs__network_manual

The IP kernel parameter used when dropbear_initramfs__network_autoconf is disabled.

The ipwrap filter causes IPv6 address to work on some platforms. Refer to: https://serverfault.com/questions/445296/is-there-a-linux-kernel-boot-parameter-to-configure-an-ipv6-address/701451#701451

dropbear_initramfs__network_manual: '{{
  (dropbear_initramfs__network_address | ansible.utils.ipwrap) + "::" +
  (dropbear_initramfs__network_gateway | ansible.utils.ipwrap) + ":" +
  dropbear_initramfs__network_netmask + "::" +
  dropbear_initramfs__network_device + ":none" }}'
dropbear_initramfs__network

The IP kernel parameter as it is configured by the role.

dropbear_initramfs__network: '{{ dropbear_initramfs__network_manual
                                 if (dropbear_initramfs__network_autoconf in ["off", "none"])
                                 else dropbear_initramfs__network_autoconf }}'

Complex initramfs network

These variables are dictionaries with additional network configuration. See dropbear_initramfs__interfaces documentation for more details.

dropbear_initramfs__interfaces

Dictionary which holds the configuration of additional network configuration for all hosts in the Ansible inventory.

dropbear_initramfs__interfaces: {}
dropbear_initramfs__group_interfaces

Dictionary which holds the configuration of additional network configuration for hosts in a specific Ansible inventory group.

dropbear_initramfs__group_interfaces: {}
dropbear_initramfs__host_interfaces

Dictionary which holds the configuration of additional network configuration for specific hosts in the Ansible inventory.

dropbear_initramfs__host_interfaces: {}
dropbear_initramfs__combined_interfaces

Dictionary which combines all of the other network interface configuration variables and is used in the role tasks and templates to generate the configuration.

dropbear_initramfs__combined_interfaces: '{{ lookup("template", "lookup/dropbear_initramfs__combined_interfaces.j2", convert_data=False) | from_yaml }}'

Initramfs generation

dropbear_initramfs__update_options

Additional options for the update-initramfs command. The default is to regenerate the initramfs for all installed kernel versions.

dropbear_initramfs__update_options: '-k all'

Dropbear options

dropbear_initramfs__port

The port dropbear listens on.

dropbear_initramfs__port: '22'
dropbear_initramfs__disable_password_login

Disable password login?

dropbear_initramfs__disable_password_login: '{{
  True
  if dropbear_initramfs__combined_authorized_keys|d()
  else False
  }}'
dropbear_initramfs__disable_port_forwarding

Disable local and remote port forwarding?

dropbear_initramfs__disable_port_forwarding: True
dropbear_initramfs__idle_timeout

Count of seconds after that dropbear times out.

dropbear_initramfs__idle_timeout: '180'
dropbear_initramfs__max_authentication_attempts

The maximum number of authentication attempts per connection.

dropbear_initramfs__max_authentication_attempts: '10'
dropbear_initramfs__forced_command

Override the command provided by the user and always run this command.

dropbear_initramfs__forced_command: ''
dropbear_initramfs__dropbear_options

Set options parsed to dropbear.

dropbear_initramfs__dropbear_options: '{{
  "-p " + dropbear_initramfs__port +
  (" -g -s" if dropbear_initramfs__disable_password_login|d() else "") +
  (" -j -k" if dropbear_initramfs__disable_port_forwarding|d() else "") +
  " -I " + dropbear_initramfs__idle_timeout +
  " -T " + dropbear_initramfs__max_authentication_attempts +
  (" -c " + dropbear_initramfs__forced_command if dropbear_initramfs__forced_command|d() else "")
  }}'

Authorized ssh keys

See dropbear_initramfs__authorized_keys for more details.

dropbear_initramfs__authorized_keys

List of authorized ssh keys configured on all hosts in the Ansible inventory.

dropbear_initramfs__authorized_keys: []
dropbear_initramfs__group_authorized_keys

List of authorized ssh keys configured on a group of hosts in the Ansible inventory.

dropbear_initramfs__group_authorized_keys: []
dropbear_initramfs__host_authorized_keys

List of authorized ssh keys configured on specific hosts in the Ansible inventory.

dropbear_initramfs__host_authorized_keys: []
dropbear_initramfs__combined_authorized_keys

Combines list of authorized ssh keys as used in the role tasks.

dropbear_initramfs__combined_authorized_keys: '{{ dropbear_initramfs__authorized_keys +
                                                  dropbear_initramfs__group_authorized_keys +
                                                  dropbear_initramfs__host_authorized_keys }}'
dropbear_initramfs__authorized_keys_key_options

List of default SSH options added to all public keys. If it's set to {{ omit }}, no options will be added automatically. The list of options can be overridden by the item.options parameter. Refer to dropbear(8) for details.

dropbear_initramfs__authorized_keys_key_options: '{{ omit }}'

Configuration for other Ansible roles

dropbear_initramfs__apt_preferences__dependent_list

Configuration for the debops.apt_preferences role.

dropbear_initramfs__apt_preferences__dependent_list:

  - package: 'dropbear-initramfs'
    pin: 'release o=Debian,n=stretch'
    priority: 800
    reason: 'Stronger cryptography. dropbear 2014.65-1 only offers: hmac-sha1-96,hmac-sha1,hmac-md5'
    by_role: 'debops-contrib.dropbear_initramfs'
    state: '{{ "present"
               if (("dropbear-initramfs" in dropbear_initramfs__base_packages) and
                   (ansible_distribution == "Debian" and ansible_distribution_release in ["jessie"]))
               else "absent" }}'