[dropbear] Add dropbear to add an SSH server on the initramfs and unlock the disks

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

group_vars/dropbear.yml

@@ -0,0 +1,6 @@
+---
+glob_dropbear:
+  initramfs_ip: "::::{{ ansible_hostname }}:eno1:dhcp"
+  options: "-I 180 -j -k -p 2222 -s"
+  authorized_keys:
+    - "{{ vault.surface.pubkey }}"

hosts

@@ -56,6 +56,10 @@ constellation-dev.adm.crans.org
 [dhcp:children]
 routeurs_vm
 
+[dropbear]
+ft.adm.crans.org
+thot.adm.crans.org
+
 [docker:children]
 gitlab_runner
 

plays/dropbear.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: dropbear
+  vars:
+    dropbear: "{{ glob_dropbear | default({}) | combine(loc_dropbear | default({})) }}"
+  roles:
+    - dropbear

roles/dropbear/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: Update initramfs
+  command: update-initramfs -u

roles/dropbear/tasks/main.yml

@@ -0,0 +1,36 @@
+---
+- name: Install dropbear
+  apt:
+    update_cache: true
+    install_recommends: false
+    name: dropbear-initramfs
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure initramfs network
+  template:
+    src: initramfs-tools/conf.d/10-network.j2
+    dest: /etc/initramfs-tools/conf.d/10-network
+    owner: root
+    group: root
+    mode: 0644
+  notify: Update initramfs
+
+- name: Deploy configuration
+  template:
+    src: dropbear-initramfs/config.j2
+    dest: /etc/dropbear-initramfs/config
+    owner: root
+    group: root
+    mode: 0644
+  notify: Update initramfs
+
+- name: Deploy authorized keys
+  template:
+    src: dropbear-initramfs/authorized_keys.j2
+    dest: /etc/dropbear-initramfs/authorized_keys
+    owner: root
+    group: root
+    mode: 0644
+  notify: Update initramfs

roles/dropbear/templates/dropbear-initramfs/authorized_keys.j2

@@ -0,0 +1,3 @@
+{% for key in dropbear.authorized_keys %}
+{{ key }}
+{% endfor %}

roles/dropbear/templates/dropbear-initramfs/config.j2

@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+
+#
+# Configuration options for the dropbear-initramfs boot scripts.
+# You must run update-initramfs(8) to effect changes to this file (like
+# for other files under the '/etc/dropbear-initramfs' directory).
+
+#
+# Command line options to pass to dropbear(8)
+#
+DROPBEAR_OPTIONS="{{ dropbear.options }}"
+
+#
+# On local (non-NFS) mounts, interfaces matching this pattern are
+# brought down before exiting the ramdisk to avoid dirty network
+# configuration in the normal kernel.
+# The special value 'none' keeps all interfaces up and preserves routing
+# tables and addresses.
+#
+#IFDOWN=*
+
+#
+# On local (non-NFS) mounts, the network stack and dropbear are started
+# asynchronously at init-premount stage.  This value specifies the
+# maximum number of seconds to wait (while the network/dropbear are
+# being configured) at init-bottom stage before terminating dropbear and
+# bringing the network down.
+# If the timeout is too short, and if the boot process is not blocking
+# on user input supplied via SSHd (ie no remote unlocking), then the
+# initrd might pivot to init(1) too early, thereby causing a race
+# condition between network configuration from initramfs vs from the
+# normal system.
+#
+#DROPBEAR_SHUTDOWN_TIMEOUT=60

roles/dropbear/templates/initramfs-tools/conf.d/10-network.j2

@@ -0,0 +1,3 @@
+{{ ansible_header | comment }}
+
+IP={{ dropbear.initramfs_ip }}