Sections
Packages and installation
- dropbear_initramfs__base_packages
List of APT packages to install for dropbear_initramfs support.
Supported versions:
dropbear-initramfs
dropbear
dropbear_initramfs__base_packages:
- '{{ "dropbear"
if (
(ansible_distribution == "Debian" and ansible_distribution_release in ["jessie"]) or
(ansible_distribution == "Ubuntu" and ansible_distribution_release in ["precise", "trusty"])
)
else "dropbear-initramfs" }}'
- dropbear_initramfs__packages
List of additional APT packages to install during dropbear_initramfs configuration.
dropbear_initramfs__packages: []
- dropbear_initramfs__config_path
Path to dropbear initramfs configuration files.
dropbear_initramfs__config_path: '{{ "/etc/dropbear-initramfs"
if (ansible_distribution_release in ["stretch", "buster", "bullseye"])
else "/etc/dropbear/initramfs" }}'
- dropbear_initramfs__config_file
Path to dropbear initramfs configuration file.
dropbear_initramfs__config_file: '{{ dropbear_initramfs__config_path + "/"
+ ("config"
if (ansible_distribution_release in ["stretch", "buster", "bullseye"])
else "dropbear.conf") }}'
- dropbear_initramfs__deploy_state
What is the desired state which this role should achieve? Possible options:
present
Default. Ensure that dropbear is configured in the initramfs to allow ssh connections.
absent
Ensure that dropbear and related configuration maintained by this role are absent.
dropbear_initramfs__deploy_state: 'present'
Simple initramfs network
Refer to https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt for support configuration options.
Note that the IP
kernel parameter as of Debian jessie only supports legacy
IPv4. But don’t worry, the role has you covered. Refer to
dropbear_initramfs__interfaces
.
- dropbear_initramfs__network_autoconf
Method to use for autoconfiguration. Use off
or none
for manual
network configuration (see below).
dropbear_initramfs__network_autoconf: 'dhcp'
- dropbear_initramfs__network_device
Default network device.
dropbear_initramfs__network_device: '{{
ansible_default_ipv6.interface
if ansible_default_ipv6.interface|d()
else (
ansible_default_ipv4.interface
if ansible_default_ipv4.interface|d()
else "eth0"
)
}}'
- dropbear_initramfs__network_address
Manual network address to set.
dropbear_initramfs__network_address: '{{ ansible_default_ipv4.address }}'
- dropbear_initramfs__network_netmask
Manual subnet mask to set.
dropbear_initramfs__network_netmask: '{{ ansible_default_ipv4.netmask }}'
- dropbear_initramfs__network_gateway
Manual gateway to set.
dropbear_initramfs__network_gateway: '{{ ansible_default_ipv4.gateway }}'
- dropbear_initramfs__network_manual
The IP
kernel parameter used when
dropbear_initramfs__network_autoconf
is disabled.
The ipwrap filter causes IPv6 address to work on some platforms. Refer to: https://serverfault.com/questions/445296/is-there-a-linux-kernel-boot-parameter-to-configure-an-ipv6-address/701451#701451
dropbear_initramfs__network_manual: '{{
(dropbear_initramfs__network_address | ansible.utils.ipwrap) + "::" +
(dropbear_initramfs__network_gateway | ansible.utils.ipwrap) + ":" +
dropbear_initramfs__network_netmask + "::" +
dropbear_initramfs__network_device + ":none" }}'
- dropbear_initramfs__network
The IP
kernel parameter as it is configured by the role.
dropbear_initramfs__network: '{{ dropbear_initramfs__network_manual
if (dropbear_initramfs__network_autoconf in ["off", "none"])
else dropbear_initramfs__network_autoconf }}'
Complex initramfs network
These variables are dictionaries with additional network configuration. See dropbear_initramfs__interfaces documentation for more details.
- dropbear_initramfs__interfaces
Dictionary which holds the configuration of additional network configuration for all hosts in the Ansible inventory.
dropbear_initramfs__interfaces: {}
- dropbear_initramfs__group_interfaces
Dictionary which holds the configuration of additional network configuration for hosts in a specific Ansible inventory group.
dropbear_initramfs__group_interfaces: {}
- dropbear_initramfs__host_interfaces
Dictionary which holds the configuration of additional network configuration for specific hosts in the Ansible inventory.
dropbear_initramfs__host_interfaces: {}
- dropbear_initramfs__combined_interfaces
Dictionary which combines all of the other network interface configuration variables and is used in the role tasks and templates to generate the configuration.
dropbear_initramfs__combined_interfaces: '{{ lookup("template", "lookup/dropbear_initramfs__combined_interfaces.j2", convert_data=False) | from_yaml }}'
Initramfs generation
- dropbear_initramfs__update_options
Additional options for the update-initramfs command. The default is to regenerate the initramfs for all installed kernel versions.
dropbear_initramfs__update_options: '-k all'
Dropbear options
- dropbear_initramfs__port
The port dropbear listens on.
dropbear_initramfs__port: '22'
- dropbear_initramfs__disable_password_login
Disable password login?
dropbear_initramfs__disable_password_login: '{{
True
if dropbear_initramfs__combined_authorized_keys|d()
else False
}}'
- dropbear_initramfs__disable_port_forwarding
Disable local and remote port forwarding?
dropbear_initramfs__disable_port_forwarding: True
- dropbear_initramfs__idle_timeout
Count of seconds after that dropbear times out.
dropbear_initramfs__idle_timeout: '180'
- dropbear_initramfs__max_authentication_attempts
The maximum number of authentication attempts per connection.
dropbear_initramfs__max_authentication_attempts: '10'
- dropbear_initramfs__forced_command
Override the command provided by the user and always run this command.
dropbear_initramfs__forced_command: ''
- dropbear_initramfs__dropbear_options
Set options parsed to dropbear.
dropbear_initramfs__dropbear_options: '{{
"-p " + dropbear_initramfs__port +
(" -g -s" if dropbear_initramfs__disable_password_login|d() else "") +
(" -j -k" if dropbear_initramfs__disable_port_forwarding|d() else "") +
" -I " + dropbear_initramfs__idle_timeout +
" -T " + dropbear_initramfs__max_authentication_attempts +
(" -c " + dropbear_initramfs__forced_command if dropbear_initramfs__forced_command|d() else "")
}}'
Configuration for other Ansible roles
- dropbear_initramfs__apt_preferences__dependent_list
Configuration for the debops.apt_preferences role.
dropbear_initramfs__apt_preferences__dependent_list:
- package: 'dropbear-initramfs'
pin: 'release o=Debian,n=stretch'
priority: 800
reason: 'Stronger cryptography. dropbear 2014.65-1 only offers: hmac-sha1-96,hmac-sha1,hmac-md5'
by_role: 'debops-contrib.dropbear_initramfs'
state: '{{ "present"
if (("dropbear-initramfs" in dropbear_initramfs__base_packages) and
(ansible_distribution == "Debian" and ansible_distribution_release in ["jessie"]))
else "absent" }}'