# nbde_server

Ansible role for configuring Network-Bound Disk Encryption (NBDE) servers, e.g. tang.

This role currently supports `tang` as a provider and can set up tang servers.
## Supported Distributions

- RHEL-7+, CentOS-7+
- Fedora
## Limitations

It is not currently possible to specify a custom port for the NBDE servers configured by this role.
## Role Variables

These are the variables that can be passed to the role:

| Variable | Default | Description |
|---|---|---|
| `nbde_server_provider` | `tang` | identifies the provider for the NBDE server; `tang` is the only provider currently supported |
| `nbde_server_state` | `present` | indicates the state the nbde_server should be in; it can be either `present` or `absent` |
| `nbde_server_rotate_keys` | `no` | indicates whether existing keys, if any, should be rotated before new keys are created; by default (`no`) existing keys are kept |
| `nbde_server_fetch_keys` | `no` | indicates whether the keys should be fetched to the control node, in which case they are placed in `nbde_server_keys_dir` |
| `nbde_server_deploy_keys` | `no` | indicates whether the keys located in `nbde_server_keys_dir` should be deployed to the remote hosts |
| `nbde_server_keys_dir` | none (must be specified when fetching or deploying keys) | specifies a directory in the control node that contains keys to be deployed to the remote hosts. Keys located in the top level directory will be deployed to every remote host, while keys located within subdirectories named after the remote hosts, as per the inventory, will be deployed only to those specific hosts |
### nbde_server_fetch_keys and nbde_server_deploy_keys

To use either of these options, you need to specify `nbde_server_keys_dir`, a directory, with an absolute path.

The behavior of using these variables is described next.

When `nbde_server_fetch_keys` is set to `yes`, the role will fetch keys from the hosts in the following manner:

- if `nbde_server_deploy_keys` is not set, the keys from every host will be fetched and placed in directories named after the host, inside `nbde_server_keys_dir`
- if `nbde_server_deploy_keys` is set, only the keys from the first host in the inventory will be fetched, and they will be placed in the top level directory of `nbde_server_keys_dir`

`nbde_server_deploy_keys` is simple: if it is set to `yes`, the role will deploy the keys available in `nbde_server_keys_dir`, in the following manner:

- the keys located in the top level directory of `nbde_server_keys_dir` will be deployed to every host
- the keys located within subdirectories named after hosts in the inventory, inside `nbde_server_keys_dir`, will be deployed to that specific host
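The following script is an added example, not part of the nbde_server role, that mirrors the `nbde_server_keys_dir` rule just described: it computes which key files a given directory tree would send to which inventory host, flags subdirectories that match no host (those keys would never be deployed) and reports key files readable by anyone other than their owner. The function names, the `.jwk` file names and the sample tree (built in a temporary directory the way Example 2 below leaves it, plus one shared top-level key) are this example's own assumptions.

```python
"""Resolve which keys an nbde_server_keys_dir tree would deploy to which host.

Added example; it is not the role's code. Rule mirrored from the README:
files in the top level of nbde_server_keys_dir go to every host, files in a
subdirectory named after an inventory host go only to that host.
"""
import tempfile
from pathlib import Path


def plan_key_deployment(keys_dir, inventory_hosts):
    """Return {host: [key file names]} for the given keys_dir and inventory."""
    root = Path(keys_dir)
    if not root.is_absolute():
        # The role requires an absolute path for nbde_server_keys_dir.
        raise ValueError("nbde_server_keys_dir must be an absolute path")
    # Top-level files are shared by every host.
    shared = sorted(p.name for p in root.iterdir() if p.is_file())
    plan = {}
    for host in inventory_hosts:
        per_host = []
        host_dir = root / host
        if host_dir.is_dir():
            # Files under a directory named after the host go to that host only.
            per_host = sorted(p.name for p in host_dir.iterdir() if p.is_file())
        plan[host] = shared + per_host
    return plan


def unmatched_subdirs(keys_dir, inventory_hosts):
    """Subdirectories matching no inventory host; their keys would not be deployed.

    Typical cause: a backup taken from an inventory that has since changed.
    """
    root = Path(keys_dir)
    return sorted(p.name for p in root.iterdir()
                  if p.is_dir() and p.name not in inventory_hosts)


def exposed_key_files(keys_dir):
    """Key files readable by group or others (relative paths, sorted).

    Tang keys are private key material; on the control node they should be
    readable by their owner only.
    """
    root = Path(keys_dir)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and p.stat().st_mode & 0o077)


def build_sample_tree():
    """Create a constructed layout: per-host directories as after Example 2,
    plus one shared top-level key. Returns the absolute path as a string."""
    base = Path(tempfile.mkdtemp(prefix="nbde_keys_"))
    shared = base / "shared.jwk"
    shared.write_text("{}")          # constructed placeholder, not a real key
    shared.chmod(0o644)              # deliberately too permissive
    for host, name in (("tang1", "abc.jwk"), ("tang2", "def.jwk"), ("old-host", "xyz.jwk")):
        (base / host).mkdir()
        key = base / host / name
        key.write_text("{}")         # constructed placeholder, not a real key
        key.chmod(0o600)
    return str(base)


if __name__ == "__main__":
    keys_dir = build_sample_tree()
    hosts = ["tang1", "tang2"]
    for host, keys in plan_key_deployment(keys_dir, hosts).items():
        print(f"{host}: {keys}")
    print("subdirs matching no host:", unmatched_subdirs(keys_dir, hosts))
    print("key files exposed to group/others:", exposed_key_files(keys_dir))
```

Run it before a redeploy (Example 3) against the real `nbde_server_keys_dir` and inventory host names to confirm that each host receives only the keys you intend, and that no key file sits in a directory whose name no longer matches an inventory host.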
## Example Playbooks

### Example 1: deploy NBDE server to every host in the inventory

```yaml
---
- hosts: all
  roles:
    - fedora.linux_system_roles.nbde_server
```

### Example 2: lift the keys from every NBDE server install into `/root/nbde_server/keys`

```yaml
---
- hosts: all
  vars:
    nbde_server_fetch_keys: yes
    nbde_server_keys_dir: /root/nbde_server/keys
  roles:
    - fedora.linux_system_roles.nbde_server
```

After this, you can back up your keys, which will be placed in `/root/nbde_server/keys`, within subdirectories named after the host they belong to.

### Example 3: redeploy keys from a backup taken with Example 2

To redeploy keys, they must be placed into subdirectories named after the host they are to be deployed to. With `/root/nbde_server/keys` as left by Example 2, use the following playbook to redeploy the same keys to the same hosts:

```yaml
---
- hosts: all
  vars:
    nbde_server_deploy_keys: yes
    nbde_server_keys_dir: /root/nbde_server/keys
  roles:
    - fedora.linux_system_roles.nbde_server
```

### Example 4: deploy an NBDE server and use the same keys in every host

NOTE: this is not recommended, but it is supported (every server then holds the same key material, so compromising one of them exposes the keys of all).

```yaml
---
- hosts: all
  vars:
    nbde_server_fetch_keys: yes
    nbde_server_deploy_keys: yes
    nbde_server_keys_dir: /root/nbde_server/keys
  roles:
    - fedora.linux_system_roles.nbde_server
```
## License

MIT