Conversation

@jmgilman
Collaborator

Summary

  • Add SOPS-encrypted ssh.sops.yaml containing SSH key pair and console password for VyOS gateway
  • Modify provision-usb.py to inject SSH credentials into gateway.conf at USB creation time
  • Add ansible/init.sh script to extract SSH private key to ~/.ssh/vyos-gateway
  • Update ansible inventory to use the new default key path

This solves the bootstrapping chicken-and-egg problem where ansible couldn't connect to VyOS after initial USB-based installation because no SSH key was configured.

New Bootstrap Flow

  1. provision-usb.py reads credentials from ssh.sops.yaml and injects them into the config on USB
  2. VyOS is installed with SSH key + console password already configured
  3. Operators run ./init.sh once locally to extract the private key for ansible
  4. Ansible now works out of the box

Test plan

  • Verified render-config-boot.sh still works for containerlab tests
  • Tested SSH key injection produces valid VyOS config syntax
  • Verified SOPS encryption/decryption works for the new file

🤖 Generated with Claude Code
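The injection step described above (provision-usb.py reading the decrypted ssh.sops.yaml and writing SSH credentials into gateway.conf) is easy to get subtly wrong: a malformed public key or a second copy of an existing node is precisely the kind of input VyOS may drop at config load. The following is an added example written for this page, not the PR's provision-usb.py. It assumes the decrypted secrets expose `public_key` (one OpenSSH authorized_keys line) and `console_password`, that gateway.conf is in VyOS config.boot brace syntax, and that `plaintext-password` is hashed by VyOS on load; the secret key names, the sample config and the sample key blob are constructed for the example.

```python
"""Added example modelled on the PR's provision-usb.py step (not the PR's code).

Assumes the decrypted ssh.sops.yaml exposes `public_key` and `console_password`;
those names and the gateway.conf layout below are assumptions, not from the PR.
"""
import base64
import binascii

# OpenSSH key types accepted for `public-keys <name> type` (conservative list)
ALLOWED_KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}

# Constructed sample secrets: the blob carries 32 filler bytes, not a real key.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + b"\x01" * 32
SAMPLE_SECRETS = {
    "public_key": "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " ansible@ops",
    "console_password": "correct-horse-battery",
}
# Constructed gateway.conf fragment in config.boot syntax.
SAMPLE_GATEWAY_CONF = """interfaces {
    ethernet eth0 {
        address dhcp
    }
}
system {
    host-name gateway
}
"""


def parse_public_key(line: str) -> dict:
    """Split an authorized_keys line into type/key/name and validate it.

    A corrupted or tampered public key would otherwise reach config.boot and
    fail at load time, leaving the gateway without the SSH access being added.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, key_b64 = parts[0], parts[1]
    name = parts[2] if len(parts) > 2 else "ansible"
    if key_type not in ALLOWED_KEY_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key material is not valid base64") from exc
    # The wire format opens with a length-prefixed copy of the type string;
    # it must agree with the declared type.
    n = int.from_bytes(raw[:4], "big")
    if raw[4:4 + n] != key_type.encode():
        raise ValueError("key blob does not match declared type")
    return {"type": key_type, "key": key_b64, "name": name}


def render_login_stanza(user: str, pubkey: dict, password: str) -> list[str]:
    """Lines of a `login { ... }` node, indented as children of `system {`.

    `plaintext-password` is hashed by VyOS when the config is loaded (assumed
    for the target version), so the SOPS file stays the only cleartext copy.
    """
    if any(c in password for c in '"\n'):
        raise ValueError("password must not contain quotes or newlines")
    return [
        "    login {",
        f"        user {user} {{",
        "            authentication {",
        f'                plaintext-password "{password}"',
        f"                public-keys {pubkey['name']} {{",
        f"                    key \"{pubkey['key']}\"",
        f"                    type {pubkey['type']}",
        "                }",
        "            }",
        "        }",
        "    }",
    ]


def inject_login(config_text: str, stanza: list[str]) -> str:
    """Insert the stanza into the top-level `system {` block, or append one.

    Refuses a config that already has a login node: two copies of one node is
    the kind of malformed tree VyOS may drop silently. Brace depth is counted
    per line, which assumes no braces inside quoted values.
    """
    lines = config_text.splitlines()
    if any(line.strip() == "login {" for line in lines):
        raise ValueError("config already defines a login node")
    depth = 0
    for i, line in enumerate(lines):
        if depth == 0 and line.strip() == "system {":
            return "\n".join(lines[: i + 1] + stanza + lines[i + 1 :]) + "\n"
        depth += line.count("{") - line.count("}")
    return "\n".join(lines + ["system {"] + stanza + ["}"]) + "\n"


def provision(config_text: str, secrets: dict, user: str = "vyos") -> str:
    """End-to-end: validate the key, render the node, inject it into the config."""
    pubkey = parse_public_key(secrets["public_key"])
    stanza = render_login_stanza(user, pubkey, secrets["console_password"])
    return inject_login(config_text, stanza)


if __name__ == "__main__":
    print(provision(SAMPLE_GATEWAY_CONF, SAMPLE_SECRETS))
```

In practice the `secrets` dict would come from `sops -d ssh.sops.yaml` parsed as YAML. The private half of the key pair never touches the USB image in this flow; it only leaves the SOPS file when an operator runs init.sh, and the file init.sh writes under ~/.ssh must be mode 0600 or OpenSSH will refuse to use it.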

jmgilman and others added 3 commits December 29, 2025 17:56
Solve the VyOS bootstrapping problem where ansible couldn't connect
after initial USB-based installation because no SSH key was configured.

Changes:
- Add SOPS-encrypted ssh.sops.yaml with SSH key pair and console password
- Modify provision-usb.py to inject SSH credentials into gateway.conf
- Add ansible/init.sh to extract SSH private key to ~/.ssh/vyos-gateway
- Update ansible inventory to use the new default key path

The bootstrap flow is now:
1. provision-usb.py injects SSH public key + password into config
2. VyOS is installed with working SSH access from the start
3. Operators run init.sh once to get the private key for ansible

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Move description from next-hop block to route block level.
VyOS circinus schema only allows description at the route level,
not nested under next-hop. The incorrect placement caused VyOS
to silently ignore the entire protocols static section during
config load.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@jmgilman jmgilman merged commit 9ab9a9b into master Dec 30, 2025
2 checks passed
@jmgilman jmgilman deleted the feat/vyos-ssh-bootstrap branch December 30, 2025 03:02
2 participants