This is some Ansible (for Ubuntu 22.04) to install and configure your initramfs to run dropbear (i.e. an SSH server).
Super handy if you have an encrypted root partition and don't have physical access to the machine to enter the encryption passphrase on the console.
- You'll need to put your actual public SSH keys, instead of the blahblah placeholder I have here
- I set dropbear to run on port 31337 so the hostkey doesn't clash with the main OS' key in your ~/.ssh/known_hosts
- This expects to be able to trigger two Ansible handlers when it makes changes, they are listed separately at the bottom
- You'll need to change the `GRUB_CMDLINE_LINUX_DEFAULT` line below to have the actual IP/gateway/NIC/hostname you want the kernel to configure
- After you ssh in when the machine is booting, the command to actually unlock the root filesystem is:

```yaml
# This is a playbook version of https://hamy.io/post/0005/remote-unlocking-of-luks-encrypted-root-in-ubuntu-debian/
- name: Install dropbear-initramfs
  apt:
    name: dropbear-initramfs
    state: present

- name: Install busybox-static
  apt:
    name: busybox-static
    state: present

# -p: listen port, -s: disable password logins, -j/-k: disable local/remote
# port forwarding, -I 60: disconnect after 60 seconds idle
- name: Configure dropbear-initramfs options
  lineinfile:
    path: /etc/dropbear/initramfs/dropbear.conf
    regexp: 'DROPBEAR_OPTIONS'
    line: 'DROPBEAR_OPTIONS="-p 31337 -s -j -k -I 60"'
  notify: update initramfs

- name: Add dropbear authorized_keys
  copy:
    dest: /etc/dropbear/initramfs/authorized_keys
    mode: '0600'
    owner: root
    group: root
    content: |
      ssh-rsa AAAAblahblahsshpubkey foo@bar
  notify: update initramfs

# The format of the ip= kernel parameter is: <client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>
# It comes from https://git.kernel.org/pub/scm/libs/klibc/klibc.git/tree/usr/kinit/ipconfig/README.ipconfig?id=HEAD
- name: Configure boot IP and consoleblanking
  lineinfile:
    path: /etc/default/grub
    regexp: 'GRUB_CMDLINE_LINUX_DEFAULT'
    line: 'GRUB_CMDLINE_LINUX_DEFAULT="ip=192.168.0.10::192.168.0.1:255.255.255.0:somehostname:eth0:none"'
  notify: update grub
```

```yaml
- name: update initramfs
  command: update-initramfs -u

- name: update grub
  command: update-grub
```
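
A wrong `ip=` value leaves the machine off the network at the unlock prompt, so it is worth checking before rebooting. The following is an added example, not part of the original playbook: a Python pre-flight check that parses the value using the field order from the playbook comment and flags a static configuration whose gateway is outside the client's subnet. The function name `check_ip_param` is hypothetical, and the check assumes IPv4 and only inspects static (`none`/`off`) setups.

```python
import ipaddress

# Field order as given in the playbook comment.
FIELDS = ("client_ip", "server_ip", "gw_ip", "netmask",
          "hostname", "device", "autoconf")


def check_ip_param(value):
    """Parse an ip= kernel parameter value; return (fields, problems)."""
    parts = value.split(":")
    problems = []
    if len(parts) > len(FIELDS):
        problems.append(f"too many fields: {len(parts)} (max {len(FIELDS)})")
        parts = parts[:len(FIELDS)]
    # Trailing fields may be omitted; treat them as empty.
    parts += [""] * (len(FIELDS) - len(parts))
    fields = dict(zip(FIELDS, parts))

    # Assumption: only static setups (autoconf none/off) are checked,
    # which is what the playbook configures.
    if fields["autoconf"] not in ("none", "off"):
        return fields, problems

    for key in ("client_ip", "netmask", "device"):
        if not fields[key]:
            problems.append(f"{key} is empty but autoconf is disabled")
    if problems:
        return fields, problems
    try:
        net = ipaddress.ip_network(
            f"{fields['client_ip']}/{fields['netmask']}", strict=False)
    except ValueError as exc:
        problems.append(f"bad client_ip/netmask: {exc}")
        return fields, problems
    if fields["gw_ip"]:
        try:
            gw = ipaddress.ip_address(fields["gw_ip"])
        except ValueError:
            problems.append(f"bad gw_ip: {fields['gw_ip']}")
        else:
            if gw not in net:
                problems.append(f"gateway {gw} is outside {net}")
    return fields, problems


if __name__ == "__main__":
    # Constructed sample: the value from the playbook's grub line.
    print(check_ip_param(
        "192.168.0.10::192.168.0.1:255.255.255.0:somehostname:eth0:none"))
```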