From 3a3aa48dd3b55f5572072f540f444702f1ae7302 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Wed, 29 Jun 2022 11:07:24 +0200
Subject: [PATCH] [dropbear] Add dropbear to add an SSH server on the initramfs and unlock the disks

Signed-off-by: Yohann D'ANELLO
---
 group_vars/dropbear.yml | 6 ++++
 hosts | 4 +++
 plays/dropbear.yml | 7 ++++
 roles/dropbear/handlers/main.yml | 3 ++
 roles/dropbear/tasks/main.yml | 36 +++++++++++++++++++
 .../dropbear-initramfs/authorized_keys.j2 | 3 ++
 .../templates/dropbear-initramfs/config.j2 | 34 ++++++++++++++++++
 .../initramfs-tools/conf.d/10-network.j2 | 3 ++
 8 files changed, 96 insertions(+)
 create mode 100644 group_vars/dropbear.yml
 create mode 100755 plays/dropbear.yml
 create mode 100644 roles/dropbear/handlers/main.yml
 create mode 100644 roles/dropbear/tasks/main.yml
 create mode 100644 roles/dropbear/templates/dropbear-initramfs/authorized_keys.j2
 create mode 100644 roles/dropbear/templates/dropbear-initramfs/config.j2
 create mode 100644 roles/dropbear/templates/initramfs-tools/conf.d/10-network.j2

diff --git a/group_vars/dropbear.yml b/group_vars/dropbear.yml
new file mode 100644
index 00000000..33371032
--- /dev/null
+++ b/group_vars/dropbear.yml
@@ -0,0 +1,6 @@
+---
+glob_dropbear:
+  initramfs_ip: "::::{{ ansible_hostname }}:eno1:dhcp"
+  options: "-I 180 -j -k -p 2222 -s"
+  authorized_keys:
+    - "{{ vault.surface.pubkey }}"
diff --git a/hosts b/hosts
index a934adcb..63e23322 100644
--- a/hosts
+++ b/hosts
@@ -56,6 +56,10 @@ constellation-dev.adm.crans.org
 [dhcp:children]
 routeurs_vm
 
+[dropbear]
+ft.adm.crans.org
+thot.adm.crans.org
+
 [docker:children]
 gitlab_runner
 
diff --git a/plays/dropbear.yml b/plays/dropbear.yml
new file mode 100755
index 00000000..e2cf9c21
--- /dev/null
+++ b/plays/dropbear.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: dropbear
+  vars:
+    dropbear: "{{ glob_dropbear | default({}) | combine(loc_dropbear | default({})) }}"
+  roles:
+    - dropbear
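Review bot: `initramfs_ip` hard-codes the interface name `eno1` for the whole `dropbear` group, so a member whose NIC is named differently gets no network in the initramfs and can only be unlocked at the console. Since the play merges `loc_dropbear` over `glob_dropbear`, either override it per host or derive it from facts, e.g. `initramfs_ip: "::::{{ ansible_hostname }}:{{ ansible_default_ipv4.interface }}:dhcp"` (assuming the default-route interface is the one the initramfs should bring up). The `options` string would also benefit from a comment explaining the flags, e.g. `# -s no password auth, -j/-k no port forwarding, -I 180 idle timeout; -p 2222 keeps the initramfs host key from colliding with the system sshd entry in known_hosts`.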
diff --git a/roles/dropbear/handlers/main.yml b/roles/dropbear/handlers/main.yml
new file mode 100644
index 00000000..1ef3879a
--- /dev/null
+++ b/roles/dropbear/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: Update initramfs
+  command: update-initramfs -u
diff --git a/roles/dropbear/tasks/main.yml b/roles/dropbear/tasks/main.yml
new file mode 100644
index 00000000..80a2a69c
--- /dev/null
+++ b/roles/dropbear/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+- name: Install dropbear
+  apt:
+    update_cache: true
+    install_recommends: false
+    name: dropbear-initramfs
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure initramfs network
+  template:
+    src: initramfs-tools/conf.d/10-network.j2
+    dest: /etc/initramfs-tools/conf.d/10-network
+    owner: root
+    group: root
+    mode: 0644
+  notify: Update initramfs
+
+- name: Deploy configuration
+  template:
+    src: dropbear-initramfs/config.j2
+    dest: /etc/dropbear-initramfs/config
+    owner: root
+    group: root
+    mode: 0644
+  notify: Update initramfs
+
+- name: Deploy authorized keys
+  template:
+    src: dropbear-initramfs/authorized_keys.j2
+    dest: /etc/dropbear-initramfs/authorized_keys
+    owner: root
+    group: root
+    mode: 0644
+  notify: Update initramfs
diff --git a/roles/dropbear/templates/dropbear-initramfs/authorized_keys.j2 b/roles/dropbear/templates/dropbear-initramfs/authorized_keys.j2
new file mode 100644
index 00000000..6e617e92
--- /dev/null
+++ b/roles/dropbear/templates/dropbear-initramfs/authorized_keys.j2
@@ -0,0 +1,3 @@
+{% for key in dropbear.authorized_keys %}
+{{ key }}
+{% endfor %}
diff --git a/roles/dropbear/templates/dropbear-initramfs/config.j2 b/roles/dropbear/templates/dropbear-initramfs/config.j2
new file mode 100644
index 00000000..470f0035
--- /dev/null
+++ b/roles/dropbear/templates/dropbear-initramfs/config.j2
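Review bot: `update-initramfs -u` only rebuilds the initramfs of the newest installed kernel, so on a host that keeps several kernels and boots an older one the new dropbear config and keys would not be present and remote unlock would silently be unavailable; use `command: update-initramfs -u -k all` unless the group is known to boot only the latest kernel. The handler could also carry a short comment stating why it exists, e.g. `# dropbear-initramfs config and keys only take effect once baked into the initramfs`.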
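Review bot: `mode: 0644` on the three template tasks is an unquoted octal literal: YAML 1.1 reads it as the integer 420, which Ansible happens to interpret as 0644, but the same pattern written as `644` or with another leading-zero value can silently yield a different mode; write `mode: "0644"` on all three tasks (ansible-lint `risky-octal`). Separately, nothing in the role records the fingerprint of the host keys that `dropbear-initramfs` generates, so an operator unlocking remotely has no reference to verify the initramfs SSH server against; consider a follow-up task that reads them (e.g. `dropbearkey -y -f <host key file>`) and publishes them where the unlock procedure is documented.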
@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+
+#
+# Configuration options for the dropbear-initramfs boot scripts.
+# You must run update-initramfs(8) to effect changes to this file (like
+# for other files under the '/etc/dropbear-initramfs' directory).
+
+#
+# Command line options to pass to dropbear(8)
+#
+DROPBEAR_OPTIONS="{{ dropbear.options }}"
+
+#
+# On local (non-NFS) mounts, interfaces matching this pattern are
+# brought down before exiting the ramdisk to avoid dirty network
+# configuration in the normal kernel.
+# The special value 'none' keeps all interfaces up and preserves routing
+# tables and addresses.
+#
+#IFDOWN=*
+
+#
+# On local (non-NFS) mounts, the network stack and dropbear are started
+# asynchronously at init-premount stage. This value specifies the
+# maximum number of seconds to wait (while the network/dropbear are
+# being configured) at init-bottom stage before terminating dropbear and
+# bringing the network down.
+# If the timeout is too short, and if the boot process is not blocking
+# on user input supplied via SSHd (ie no remote unlocking), then the
+# initrd might pivot to init(1) too early, thereby causing a race
+# condition between network configuration from initramfs vs from the
+# normal system.
+#
+#DROPBEAR_SHUTDOWN_TIMEOUT=60
diff --git a/roles/dropbear/templates/initramfs-tools/conf.d/10-network.j2 b/roles/dropbear/templates/initramfs-tools/conf.d/10-network.j2
new file mode 100644
index 00000000..6f42ef4b
--- /dev/null
+++ b/roles/dropbear/templates/initramfs-tools/conf.d/10-network.j2
@@ -0,0 +1,3 @@
+{{ ansible_header | comment }}
+
+IP={{ dropbear.initramfs_ip }}
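Review bot: `DROPBEAR_OPTIONS="{{ dropbear.options }}"` drops the variable into a double-quoted shell string; as far as I can tell the initramfs hook sources this file as shell, so a `"`, `$` or backtick in `options` would be expanded or break the file rather than reach dropbear literally. Rendering the value with Ansible's shell quoting filter, `DROPBEAR_OPTIONS={{ dropbear.options | quote }}`, keeps the assignment well-formed for any option string. The rest of the hunk is the package's stock commented configuration and needs no change.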