add sshd debug interface

2025-09-20 02:40:45 -05:00
parent 41457d5786
commit 170c46a4d4
4 changed files with 80 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -52,6 +52,31 @@ pbx01.company.com nebula_internal_ip_addr=10.43.0.6

 **Note:** More variables can be found in the [role defaults.](defaults/main.yml)

+# SSH Debug Console
+
+This role supports Nebula's built-in SSH debug console feature. To enable it, set:
+
+```yaml
+nebula_sshd_enabled: true
+nebula_sshd_listen: "127.0.0.1:2222"  # Optional, defaults to 127.0.0.1:2222
+nebula_sshd_authorized_users:
+  - user: admin
+    keys:
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... admin@host"
+    key_files:
+      - "/path/to/admin.pub"
+  - user: developer
+    key_files:
+      - "~/.ssh/developer_key.pub"
+```
+
+You can specify SSH keys either:
+- **Inline** using the `keys` field with the full public key string
+- **From files** using the `key_files` field with paths to public key files
+- **Both** in the same user entry
+
+The role automatically generates an ED25519 SSH host key at `/opt/nebula/ssh_host_ed25519_key` when the SSH daemon is enabled.
+
 # Running the Playbook
 ```
 ansible-playbook -i inventory nebula.yml
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -43,3 +43,8 @@ nebula_inbound_rules:
 nebula_outbound_rules:
  - { port: "any", proto: "any", host: "any" }

+nebula_sshd_enabled: false
+nebula_sshd_listen: "127.0.0.1:2222"
+nebula_sshd_authorized_users: []
+nebula_sshd_trusted_cas: []
+
--- a/tasks/nebula.yml
+++ b/tasks/nebula.yml
@@ -40,3 +40,33 @@
  with_items:
    - nebula
    - nebula-cert
+
+- name: Generate SSH host key for Nebula debug console
+  openssh_keypair:
+    path: /opt/nebula/ssh_host_ed25519_key
+    type: ed25519
+    owner: root
+    group: root
+    mode: '0600'
+  when: nebula_sshd_enabled
+
+- name: Read SSH key files and build registry
+  block:
+    - name: Read all SSH key files
+      slurp:
+        src: "{{ item.1 }}"
+      register: ssh_key_files
+      failed_when: false
+      loop: "{{ nebula_sshd_authorized_users | subelements('key_files', skip_missing=True) }}"
+
+    - name: Build SSH key registry by username
+      set_fact:
+        nebula_sshd_key_registry: >-
+          {{ nebula_sshd_key_registry | default({}) | combine({
+            result.item.0.user: (nebula_sshd_key_registry | default({})).get(result.item.0.user, []) +
+            [result.content | b64decode | trim]
+          }) }}
+      loop: "{{ ssh_key_files.results | selectattr('content', 'defined') | list }}"
+      loop_control:
+        loop_var: result
+  when: nebula_sshd_enabled
--- a/templates/node_config.yml.j2
+++ b/templates/node_config.yml.j2
@@ -76,6 +76,26 @@ stats:
  interval: {{ nebula_metrics_prometheus_interval }}
 {% endif %}

+{% if nebula_sshd_enabled %}
+sshd:
+  enabled: {{ nebula_sshd_enabled }}
+  listen: {{ nebula_sshd_listen }}
+  host_key: /opt/nebula/ssh_host_ed25519_key
+{% if nebula_sshd_authorized_users %}
+  authorized_users:
+{% for sshd_user in nebula_sshd_authorized_users %}
+    - user: {{ sshd_user.user }}
+      keys:
+{% for ssh_key in sshd_user.get('keys', []) %}
+        - "{{ ssh_key }}"
+{% endfor %}
+{% for file_key in nebula_sshd_key_registry.get(sshd_user.user, []) %}
+        - "{{ file_key }}"
+{% endfor %}
+{% endfor %}
+{% endif %}
+{% endif %}
+
 # you NEED this firewall section.
 #
 # Nebula has its own firewall in addition to anything