Getting started

Which version to use

The current version of dropbear provided in Debian jessie is somewhat old and does not provide state-of-the-art cryptography. The role already supports the updated dropbear version from Debian stretch, which is now available as dropbear-initramfs. The proper way to install it on Debian jessie is to use debops.reprepro.

Installing the version from stretch directly on jessie has also been tested. Note that this is discouraged by Debian and DebOps, but you might decide to make an exception in this case if you know what you are doing.

If you do, all you have to do is enable the stretch repositories, use APT pinning to ensure that no unwanted packages are pulled from stretch, and tell debops-contrib.dropbear_initramfs that you want the newer version. If you are using DebOps, you can set the following in your inventory:

## Load APT pinning presets.
apt_preferences__group_list:
  - '{{ apt_preferences__preset_list | list }}'

apt__group_sources:
  - comment: 'Enable Debian stretch repository'
    uri: '{{ ansible_local.apt.default_sources_map.Debian[0]
             if (ansible_local|d() and ansible_local.apt|d() and
                 ansible_local.apt.default_sources_map|d() and
                 ansible_local.apt.default_sources_map.Debian|d() and
                 ansible_local.apt.default_sources_map.Debian[0]|d())
             else "http://deb.debian.org/debian" }}'
    suites:
      - 'stretch'
    component:
      - 'main'

dropbear_initramfs__base_packages:
  - 'dropbear-initramfs'
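
A check for the pinning described above, as an added example that is not part of the role or of DebOps: it parses `apt-cache policy` output and reports every package whose install candidate comes only from stretch and is not on an allowlist. The function names, the allowlist default and the sample output (with made-up versions, from a host where the stretch pin is missing) are assumptions made for this example.

```python
import re

# Constructed `apt-cache policy <package>...` output; versions are made up.
# Both suites sit at priority 500 here, i.e. no pin for stretch is in effect.
SAMPLE_POLICY = """\
dropbear-initramfs:
  Installed: (none)
  Candidate: 2.0-1
  Version table:
     2.0-1 0
        500 http://deb.debian.org/debian/ stretch/main amd64 Packages
openssl:
  Installed: 1.0-1
  Candidate: 1.1-1
  Version table:
     1.1-1 0
        500 http://deb.debian.org/debian/ stretch/main amd64 Packages
 *** 1.0-1 0
        500 http://deb.debian.org/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status
"""

def _is_int(s):
    return re.fullmatch(r"-?\d+", s) is not None

def parse_policy(text):
    """Return {package: {"candidate": version, "suites": {version: {suite, ...}}}}."""
    pkgs, entry, version = {}, None, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if not line[0].isspace() and line.endswith(":"):    # "<package>:"
            entry = pkgs.setdefault(line[:-1], {"candidate": None, "suites": {}})
            version = None
        elif entry is None:
            continue
        elif tokens[0].endswith(":"):                       # "Installed:", "Candidate:"
            if tokens[0] == "Candidate:":
                entry["candidate"] = tokens[1]
        else:
            if tokens[0] == "***":                          # marks the installed version
                tokens = tokens[1:]
            if len(tokens) == 2 and _is_int(tokens[1]):     # "<version> <priority>"
                version = tokens[0]
                entry["suites"][version] = set()
            elif version and len(tokens) >= 3 and _is_int(tokens[0]):
                # "<priority> <uri> <suite>/<component> <arch> Packages"
                entry["suites"][version].add(tokens[2].split("/")[0])
    return pkgs

def unexpected_from_suite(text, suite="stretch", allowed=("dropbear-initramfs",)):
    """Packages whose candidate is available only from `suite` and is not allowlisted."""
    pkgs = parse_policy(text)
    return sorted(name for name, e in pkgs.items()
                  if e["suites"].get(e["candidate"]) == {suite} and name not in allowed)
```

On a real host, feed it the output of `apt-cache policy $(dpkg-query -W -f='${Package}\n')` plus the packages you intend to install; an empty result means no installed package would be upgraded from stretch.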

Example inventory

To set up the dropbear SSH server in the initramfs of a given host or a set of hosts, add them to the [debops_service_dropbear_initramfs] Ansible group in the inventory:

[debops_service_dropbear_initramfs]
hostname

Example playbook

Here's an example playbook that uses the debops-contrib.dropbear_initramfs role:

---

- name: Setup the dropbear ssh server in initramfs
  hosts: [ 'debops_service_dropbear_initramfs' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'

  roles:

    - role: debops.apt_preferences
      tags: [ 'role::apt_preferences' ]
      apt_preferences__dependent_list:
        - '{{ dropbear_initramfs__apt_preferences__dependent_list }}'

    - role: debops-contrib.dropbear_initramfs
      tags: [ 'role::dropbear_initramfs' ]

The playbook is shipped with this role under ./docs/playbooks/dropbear_initramfs.yml, from where you can symlink it to your playbook directory. If you use multiple DebOps Contrib roles, consider using the DebOps Contrib playbooks.

Ansible tags

You can use the Ansible --tags or --skip-tags parameters to limit which tasks are performed during an Ansible run. This can be used after a host has first been configured to speed up playbook execution, when you are sure that most of the configuration is already in the desired state.

Available role tags:

role::dropbear_initramfs
    Main role tag, should be used in the playbook to execute all of the role tasks as well as role dependencies.

role::dropbear_initramfs:pkgs
    Tasks related to system package management like installing or removing packages.