From 170c46a4d45c638a62e39b46064a1c0e0fa4b52c Mon Sep 17 00:00:00 2001
From: AndrewPaglusch
Date: Sat, 20 Sep 2025 02:40:45 -0500
Subject: [PATCH] add sshd debug interface
---
 README.md | 25 +++++++++++++++++++++++++
 defaults/main.yml | 5 +++++
 tasks/nebula.yml | 30 ++++++++++++++++++++++++++++++
 templates/node_config.yml.j2 | 20 ++++++++++++++++++++
 4 files changed, 80 insertions(+)
diff --git a/README.md b/README.md
index 871b093..6b5b6ec 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,31 @@ pbx01.company.com nebula_internal_ip_addr=10.43.0.6
 **Note:** More variables can be found in the [role defaults.](defaults/main.yml)
+# SSH Debug Console
+
+This role supports Nebula's built-in SSH debug console feature. To enable it, set:
+
+```yaml
+nebula_sshd_enabled: true
+nebula_sshd_listen: "127.0.0.1:2222" # Optional, defaults to 127.0.0.1:2222
+nebula_sshd_authorized_users:
+ - user: admin
+ keys:
+ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... admin@host"
+ key_files:
+ - "/path/to/admin.pub"
+ - user: developer
+ key_files:
+ - "~/.ssh/developer_key.pub"
+```
+
+You can specify SSH keys either:
+- **Inline** using the `keys` field with the full public key string
+- **From files** using the `key_files` field with paths to public key files
+- **Both** in the same user entry
+
+The role automatically generates an ED25519 SSH host key at `/opt/nebula/ssh_host_ed25519_key` when the SSH daemon is enabled.
+
 # Running the Playbook
 ```
 ansible-playbook -i inventory nebula.yml
diff --git a/defaults/main.yml b/defaults/main.yml
index 6f9fdcd..44a1beb 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -43,3 +43,8 @@ nebula_inbound_rules:
 nebula_outbound_rules:
 - { port: "any", proto: "any", host: "any" }
+nebula_sshd_enabled: false
+nebula_sshd_listen: "127.0.0.1:2222"
+nebula_sshd_authorized_users: []
+nebula_sshd_trusted_cas: []
+
diff --git a/tasks/nebula.yml b/tasks/nebula.yml
index cb0368d..c28efc1 100644
--- a/tasks/nebula.yml
+++ b/tasks/nebula.yml
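Review bot: `nebula_sshd_trusted_cas: []` is declared here but nothing else in this patch consumes it — the tasks hunk never references it and the template renders only `enabled`, `listen`, `host_key` and `authorized_users` — so an operator who lists a CA public key here gets no CA trust and no error. If the intent is Nebula's `sshd.trusted_cas` list, the template needs a loop mirroring the `authorized_users` one; otherwise drop the default until it is implemented, so the variable name does not promise CA-based access that is not there. The loopback default for `nebula_sshd_listen` is the right choice and deserves a comment so it is not changed casually: `# Loopback only: the debug console gives every authorized key administrative access to the running Nebula daemon; do not bind it to the overlay or a LAN address without an explicit need.`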
@@ -40,3 +40,33 @@ with_items:
 - nebula
 - nebula-cert
+
+- name: Generate SSH host key for Nebula debug console
+ openssh_keypair:
+ path: /opt/nebula/ssh_host_ed25519_key
+ type: ed25519
+ owner: root
+ group: root
+ mode: '0600'
+ when: nebula_sshd_enabled
+
+- name: Read SSH key files and build registry
+ block:
+ - name: Read all SSH key files
+ slurp:
+ src: "{{ item.1 }}"
+ register: ssh_key_files
+ failed_when: false
+ loop: "{{ nebula_sshd_authorized_users | subelements('key_files', skip_missing=True) }}"
+
+ - name: Build SSH key registry by username
+ set_fact:
+ nebula_sshd_key_registry: >-
+ {{ nebula_sshd_key_registry | default({}) | combine({
+ result.item.0.user: (nebula_sshd_key_registry | default({})).get(result.item.0.user, []) + [result.content | b64decode | trim]
+ }) }}
+ loop: "{{ ssh_key_files.results | selectattr('content', 'defined') | list }}"
+ loop_control:
+ loop_var: result
+ when: nebula_sshd_enabled
diff --git a/templates/node_config.yml.j2 b/templates/node_config.yml.j2
index 5f83f29..2456738 100644
--- a/templates/node_config.yml.j2
+++ b/templates/node_config.yml.j2
@@ -76,6 +76,26 @@ stats:
 interval: {{ nebula_metrics_prometheus_interval }}
 {% endif %}
+{% if nebula_sshd_enabled %}
+sshd:
+ enabled: {{ nebula_sshd_enabled }}
+ listen: {{ nebula_sshd_listen }}
+ host_key: /opt/nebula/ssh_host_ed25519_key
+{% if nebula_sshd_authorized_users %}
+ authorized_users:
+{% for sshd_user in nebula_sshd_authorized_users %}
+ - user: {{ sshd_user.user }}
+ keys:
+{% for ssh_key in sshd_user.get('keys', []) %}
+ - "{{ ssh_key }}"
+{% endfor %}
+{% for file_key in nebula_sshd_key_registry.get(sshd_user.user, []) %}
+ - "{{ file_key }}"
+{% endfor %}
+{% endfor %}
+{% endif %}
+{% endif %}
+
 # you NEED this firewall section.
 #
 # Nebula has its own firewall in addition to anything
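Review bot: `failed_when: false` on the slurp task, combined with `selectattr('content', 'defined')` in the set_fact loop, means an unreadable or mistyped `key_files` path is dropped silently — the play reports success while that key never reaches the rendered config, which hides exactly the misconfiguration an operator of a debug console needs to see; remove `failed_when: false` (or precede it with a `stat` + `assert`) so a missing key file fails loudly. Note also that `slurp` reads `src` on the managed node, so the `.pub` files must already exist on every target host; if they are meant to live on the controller, as the README's `~/.ssh/developer_key.pub` example suggests, `lookup('file', item.1)` inside the set_fact is the right primitive. A `.pub` file holding more than one line is appended as a single registry entry with embedded newlines; replacing `[result.content | b64decode | trim]` with `((result.content | b64decode).splitlines() | map('trim') | reject('equalto', '') | list)` keeps one entry per key. The task whose `with_items` tail forms the hunk's context starts before the hunk.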
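Review bot: The key values are interpolated into double-quoted YAML scalars unescaped (`- "{{ ssh_key }}"`, `- "{{ file_key }}"`), so a `"` or `\` in a key's comment field — or the embedded newline a multi-line `.pub` file produces via the registry — renders a config Nebula is likely to reject at the next restart, or a key string that is not what the operator wrote. Let the filter do the quoting: `- {{ ssh_key | to_json }}`, `- {{ file_key | to_json }}`, and likewise `listen: {{ nebula_sshd_listen | to_json }}`, which also stops an empty `nebula_sshd_listen` from rendering as null. A user entry with neither inline keys nor file keys currently renders a bare `keys:`; emitting `keys: []` in that case, or asserting at least one key per user before templating, would make the intent explicit rather than relying on how Nebula treats a null list. The `{% endif %}` context line at the top of the hunk closes a guard that starts before it.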