Ansible role to set up a dropbear SSH server in a busybox environment in the
initramfs, so that you can connect remotely and enter the LUKS
password of your fully (except for /boot) encrypted server. If you specify
a static_ip, it will be set up; otherwise the default DHCP option will be
used.
Based on pbworks and eugenemdavis.
Note: It only supports RSA SSH keys for now.
Uses the crypt_unlock.sh from gusennan.
This role should work on any distro from the Debian family. It is tested on Debian Buster.
You'll need an already configured Debian family server with an unencrypted boot partition and the rest under LUKS encryption that you are able to unlock by physically entering the LUKS password to the server.
- ssh_pub_key: Local path to your public SSH key.
- static_ip: Static IP for the initramfs. If you leave it undefined, DHCP will be used. But if it's defined, the following variables must be defined too.
- remote_ip: Allowed remote IP address to receive connections from. Empty by default (incoming connections aren't restricted to a specific IP address).
- gateway: Gateway IP address.
- netmask: Netmask.
- hostname: Hostname.
- network_interface: Main network interface to set up the static IP on.
- ssh_port: If defined, the dropbear SSH port will be set to its value.
None.
- name: Setup dropbear SSH server in the initramfs
  hosts: all
  roles:
    - role: dropbear_luks
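A playbook that sets the static-IP variables described above, as an added example that is not part of the role's own documentation. All addresses, the hostname, the interface name and the port are constructed sample values, and the dotted-quad netmask format is an assumption.

```yaml
# Added example (not from the role's documentation); all values are constructed.
- name: Setup dropbear SSH server in the initramfs (static IP)
  hosts: all
  roles:
    - role: dropbear_luks
      vars:
        # Must be an RSA public key: the role only supports RSA keys for now.
        ssh_pub_key: "{{ lookup('env', 'HOME') }}/.ssh/id_rsa.pub"

        # Defining static_ip switches the initramfs from DHCP to a fixed
        # address, so the network variables below are set as well.
        static_ip: "192.0.2.10"
        gateway: "192.0.2.1"
        netmask: "255.255.255.0"   # assumed format
        hostname: "luks-server"
        network_interface: "eth0"

        # Only this address may connect to the pre-boot SSH server.
        # Left empty (the default), connections are not restricted by source IP.
        remote_ip: "198.51.100.7"

        # Optional: run the initramfs dropbear on a non-default port.
        ssh_port: 2222
```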
To test the role you need molecule. You also need to have a valid SSH public key in ~/.ssh/id_rsa.pub. If you
don't have one, you can create it with: ssh-keygen -C test -f ~/.ssh/id_rsa
molecule test
GPLv3
- m0wer: m0wer (at) autistici (dot) org