nbde_server
Ansible role for configuring Network-Bound Disk Encryption servers (e.g. tang).
This role currently supports tang
as a provider and it can set up tang
servers.
Supported Distributions
-
RHEL-7+, CentOS-7+
-
Fedora
Requirements
The role requires additional collections which are specified in
meta/collection-requirements.yml
. These are not automatically
installed. You must install them like this:
ansible-galaxy install -vv -r meta/collection-requirements.yml
Limitations
Role Variables
These are the variables that can be passed to the role:
Variable | Default | Description |
---|---|---|
|
|
identifies the provider for
|
|
|
indicates the state the
nbde_server should be. It can be either |
|
|
indicates whether we should rotate
existing keys — if any — , then create new keys. Default behavior
( |
|
|
indicates whether we should fetch
keys to the control node, in which case they will be placed in
|
|
|
indicates whether we should deploy
the keys located in |
|
specifies a directory in the control node
that contains keys to be deployed to the remote hosts. Keys located in
the top level directory will be deployed to every remote host, while
keys located within subdirectories named after the remote hosts — as
per the inventory — will be deployed only to these specific hosts.
|
|
|
|
manage the nbde server port and
zone using the |
|
|
manage the nbde server port
using the |
|
|
port number that tangd will listen on. You
must set |
|
|
change the default zone where
the port should be opened. You must set
|
nbde_server_fetch_keys and nbde_server_deploy_keys
To use either of these options, you need to specify
nbde_server_keys_dir
, a directory, with an absolute path.
The behavior of using these variables is described next:
When nbde_server_fetch_keys
is set to true
, the role will fetch keys
from the hosts in the following manner:
-
if
nbde_server_deploy_keys
is not set, the keys from every host will be fetched and placed in directories named after the host, insidenbde_server_keys_dir
-
if
nbde_server_deploy_keys
is set, only the keys from the first host in the inventory will be fetched, and it will be placed in the top level directory ofnbde_server_keys_dir
nbde_server_deploy_keys
is simple: if it is set to true, it will
deploy the keys available in nbde_server_keys_dir
, in the following
manner:
-
the keys located in the top level directory of
nbde_server_keys_dir
will be deployed to every host -
the keys located within subdirectories named after hosts in the inventory, inside
nbde_server_keys_dir
, will be deployed to that specific host
Example Playbooks
Example 1: deploy NBDE server to every host in the inventory
---
- hosts: all
roles:
- rhel-system-roles.nbde_server
Example 2: lift the keys from every NBDE server install in
/root/nbde_server/keys
/root/nbde_server/keys
, within subdirectories named after the host
they belong to.
Example 3: redeploy keys from a backup taken with Example 2:
To redeploy keys, they must be placed into subdirectories named after
the host they are to be deployed to. With /root/nbde_server/keys
after
Example 2, use the following playbook to redeploy the same keys to the
same hosts:
---
- hosts: all
vars:
nbde_server_deploy_keys: true
nbde_server_keys_dir: /root/nbde_server/keys
roles:
- rhel-system-roles.nbde_server
Example 4: deploy an NBDE server and use the same keys in every host
NOTE This is not recommended, but it is supported
---
- hosts: all
vars:
nbde_server_fetch_keys: true
nbde_server_deploy_keys: true
nbde_server_keys_dir: /root/nbde_server/keys
roles:
- rhel-system-roles.nbde_server
Example 5: deploy NBDE server with custom port and zone
---
- hosts: all
vars:
nbde_server_manage_firewall: true
nbde_server_manage_selinux: true
nbde_server_port: 7500
nbde_server_firewall_zone: dmz
roles:
- rhel-system-roles.nbde_server
License
MIT