linux-system-roles.nbde_server
# nbde_server

Ansible role to set up Network-Bound Disk Encryption (NBDE) servers, such as tang. The role currently supports tang as a provider and can install tang servers.
## Supported Distributions

- RHEL-7+, CentOS-7+
- Fedora
## Requirements

### Collection requirements

The role requires some additional collections, listed in `meta/collection-requirements.yml`. These are not installed automatically; install them with:

```bash
ansible-galaxy install -vv -r meta/collection-requirements.yml
```
## Role Variables

Here are the variables you can set for the role:

| Variable | Default | Description |
|---|---|---|
| `nbde_server_provider` | `tang` | Sets the provider for the nbde_server role. Currently, only `tang` is supported. |
| `nbde_server_service_state` | `started` | Determines whether the nbde_server service is `started` or `stopped`. |
| `nbde_server_rotate_keys` | `false` | If `true`, existing keys are rotated and new keys created. The default, `false`, creates new keys only. |
| `nbde_server_fetch_keys` | `false` | If `true`, keys are fetched to the control node and placed in `nbde_server_keys_dir`. |
| `nbde_server_deploy_keys` | `false` | If `true`, deploys keys from `nbde_server_keys_dir` to the remote hosts. |
| `nbde_server_keys_dir` | | Directory on the control node containing keys for deployment. Must be an absolute path. |
| `nbde_server_manage_firewall` | `false` | If `true`, manages the nbde server port and zone using the firewall role. |
| `nbde_server_manage_selinux` | `false` | If `true`, manages the nbde server port with the selinux role. |
| `nbde_server_port` | `80` | Port number for tangd to listen on. Additional settings are required for firewall and SELinux management. |
| `nbde_server_firewall_zone` | `public` | Sets the firewall zone for the port if `nbde_server_manage_firewall` is `true`. |
## Using nbde_server_fetch_keys and nbde_server_deploy_keys

To use these options, set `nbde_server_keys_dir`, which must be an absolute path.

When `nbde_server_fetch_keys` is `true`:

- Keys are fetched from each host. If `nbde_server_deploy_keys` is not set, the keys are placed in subdirectories named after each host.
- If `nbde_server_deploy_keys` is also set, only the keys from the first host are placed in the main directory.

When `nbde_server_deploy_keys` is `true`:

- Keys in the main directory are sent to all hosts.
- Keys in subdirectories named after specific hosts are sent only to those hosts.
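To make the key directory layout above concrete, here is an added Python helper (not part of the role) that computes which files under `nbde_server_keys_dir` would be sent to which host, enforces the absolute-path requirement, and flags key files on the control node that are readable by group or others. The sample directory, host names and the permission check are constructed for this example.

```python
import os
import stat
import tempfile


def plan_key_deployment(keys_dir, hosts):
    """Map each host to the key files (relative to keys_dir) it would receive:
    top-level files go to every host, files in a subdirectory named after a
    host go only to that host."""
    if not os.path.isabs(keys_dir):
        raise ValueError("nbde_server_keys_dir must be an absolute path")
    common = sorted(f for f in os.listdir(keys_dir)
                    if os.path.isfile(os.path.join(keys_dir, f)))
    plan = {}
    for host in hosts:
        host_dir = os.path.join(keys_dir, host)
        specific = []
        if os.path.isdir(host_dir):
            specific = sorted(os.path.join(host, f) for f in os.listdir(host_dir)
                              if os.path.isfile(os.path.join(host_dir, f)))
        plan[host] = common + specific
    return plan


def insecure_key_files(keys_dir, plan):
    """Return planned key files that are readable or writable by group/others.
    A tang key file carries private key material, so anything beyond owner
    access on the control node is worth flagging (added check, not role behaviour)."""
    bad = set()
    for files in plan.values():
        for rel in files:
            mode = stat.S_IMODE(os.stat(os.path.join(keys_dir, rel)).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                bad.add(rel)
    return sorted(bad)


def build_sample_keys_dir():
    """Constructed layout: two shared keys (one with lax permissions) plus one
    key that belongs only to the host tang1.example.com."""
    root = tempfile.mkdtemp(prefix="nbde_keys_")
    for rel, mode in (("shared1.jwk", 0o600), ("shared2.jwk", 0o644),
                      ("tang1.example.com/only-tang1.jwk", 0o600)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("{}")  # placeholder content, not a real JWK
        os.chmod(path, mode)
    return root
```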
## Example Playbooks

### Example 1: Deploy NBDE server to all hosts

```yaml
---
- name: Manage nbde servers
  hosts: all
  roles:
    - linux-system-roles.nbde_server
```

### Example 2: Fetch keys from NBDE servers

```yaml
---
- name: Manage nbde keys from /root/nbde_server/keys
  hosts: all
  vars:
    nbde_server_fetch_keys: true
    nbde_server_keys_dir: /root/nbde_server/keys
  roles:
    - linux-system-roles.nbde_server
```

### Example 3: Redeploy keys from a backup

```yaml
---
- name: Manage nbde and redeploy backed up keys
  hosts: all
  vars:
    nbde_server_deploy_keys: true
    nbde_server_keys_dir: /root/nbde_server/keys
  roles:
    - linux-system-roles.nbde_server
```

### Example 4: Use the same keys on every host

```yaml
---
- name: Manage nbde with same keys on every host
  hosts: all
  vars:
    nbde_server_fetch_keys: true
    nbde_server_deploy_keys: true
    nbde_server_keys_dir: /root/nbde_server/keys
  roles:
    - linux-system-roles.nbde_server
```

### Example 5: Deploy NBDE server with custom port and zone

```yaml
---
- name: Manage nbde with custom port and zone
  hosts: all
  vars:
    nbde_server_manage_firewall: true
    nbde_server_manage_selinux: true
    nbde_server_port: 7500
    nbde_server_firewall_zone: dmz
  roles:
    - linux-system-roles.nbde_server
```
## rpm-ostree

See README-ostree.md

## License

MIT