bsdnix/group_vars/all/all.yaml

type: cx22

# resolved on startup in Makefile
image: "{{ lookup('ansible.builtin.env', 'SNAPSHOT') }}"

# extranous general packages we might need
packages:
  - cpdup
  - bash
  - doas

# used by bastille to build a base
release: 14.1-RELEASE

# snapshot to install in new vps
snapshot: FreeBSD-14.1-RELEASE-p5-1-hcloud-init

location: fsn1

# must already exist in group project
ssh_keys:
  - scip@e3
  - scip@tripod
  - scip@pixel8

jails:
  pubnix:
    octet: 2

storage:
  volume:
    size: 10
    name: zhcloud # zfs pool name
    device: da1
  mounts:
    - mount: /home
      name: /home
    - mount: /var/cron/tabs
      name: /crontabs


netif:
  primary: bridge0

kernel:
  sysctls:
    security.bsd.see_other_uids: 0
    security.bsd.see_other_gids: 0
    security.bsd.see_jail_proc: 0
    net.inet6.ip6.forwarding: 1
  sysctlsoff:
    security.bsd.unprivileged_read_msgbuf: 0
    security.bsd.unprivileged_proc_debug: 0
    kern.randompid: 1
    net.inet.ip.random_id: 1
    hw.spec_store_bypass_disable: 1
    kern.elf64.allow_wx: 0
    kern.elf32.aslr.stack: 3
    kern.elf32.aslr.pie_enable: 1
    vfs.zfs.min_auto_ashift: 12
    kern.securelevel: 2


permissions:
  - name: /home
    owner: root
    group: wheel
    mode: '0711'
  - name: /etc
    owner: root
    group: wheel
    mode: '0711'
  - name: /usr/local/etc
    owner: root
    group: wheel
    mode: '0711'
  - name: /root
    owner: root
    group: wheel
    mode: '0700'
  - name: /var/log
    owner: root
    group: wheel
    mode: '0711'
  - name: /var/cron/tabs
    owner: root
    group: wheel
    mode: '0700'
  - name: /var/log
    owner: root
    group: wheel
    mode: '0711'

jails:
  pubnix:
    pkgs:
      - bash
      - zsh
      - vim
      - git
      - htop
      - tmux
      - bind-tools
      - coreutils
      - emacs-nox
      - fzf
added creating new vps, fine tuned inventories (now using 2), + doc 2024-11-11 19:28:55 +01:00			`type: cx22`

			`# resolved on startup in Makefile`
			`image: "{{ lookup('ansible.builtin.env', 'SNAPSHOT') }}"`

			`# extranous general packages we might need`
got it running, added net, pf and jail roles 2024-11-08 20:08:56 +01:00			`packages:`
			`- cpdup`
			`- bash`
added: - set file permissions - setup sysctls - set root password from vault var - added doas + config 2024-11-18 18:33:33 +01:00			`- doas`
added creating new vps, fine tuned inventories (now using 2), + doc 2024-11-11 19:28:55 +01:00
			`# used by bastille to build a base`
got it running, added net, pf and jail roles 2024-11-08 20:08:56 +01:00			`release: 14.1-RELEASE`
added creating new vps, fine tuned inventories (now using 2), + doc 2024-11-11 19:28:55 +01:00
updated README, use 1 place for the release name (all.yaml) 2024-11-17 17:54:49 +01:00			`# snapshot to install in new vps`
finally got the ipv6 jail stuff working, yeah 2024-11-20 18:15:48 +01:00			`snapshot: FreeBSD-14.1-RELEASE-p5-1-hcloud-init`
updated README, use 1 place for the release name (all.yaml) 2024-11-17 17:54:49 +01:00
added creating new vps, fine tuned inventories (now using 2), + doc 2024-11-11 19:28:55 +01:00			`location: fsn1`

			`# must already exist in group project`
			`ssh_keys:`
			`- scip@e3`
			`- scip@tripod`
			`- scip@pixel8`
enhanced makefile, added pubnix jail role, fixed knownhosts issue 2024-11-12 14:08:53 +01:00
			`jails:`
made a little progress, but networking still fails 2024-11-12 19:09:20 +01:00			`pubnix:`
			`octet: 2`
fine tuned storage creation and attachment 2024-11-16 18:55:47 +01:00
			`storage:`
updated README, added tags, fixed knownhosts, added cron mount 2024-11-17 16:34:32 +01:00			`volume:`
fine tuned storage creation and attachment 2024-11-16 18:55:47 +01:00			`size: 10`
			`name: zhcloud # zfs pool name`
			`device: da1`
updated README, added tags, fixed knownhosts, added cron mount 2024-11-17 16:34:32 +01:00			`mounts:`
			`- mount: /home`
			`name: /home`
			`- mount: /var/cron/tabs`
			`name: /crontabs`
added: - set file permissions - setup sysctls - set root password from vault var - added doas + config 2024-11-18 18:33:33 +01:00

finally got the ipv6 jail stuff working, yeah 2024-11-20 18:15:48 +01:00			`netif:`
			`primary: bridge0`

added: - set file permissions - setup sysctls - set root password from vault var - added doas + config 2024-11-18 18:33:33 +01:00			`kernel:`
			`sysctls:`
			`security.bsd.see_other_uids: 0`
			`security.bsd.see_other_gids: 0`
			`security.bsd.see_jail_proc: 0`
finally got the ipv6 jail stuff working, yeah 2024-11-20 18:15:48 +01:00			`net.inet6.ip6.forwarding: 1`
desperate tries to get the v6 jail up 2024-11-19 18:38:45 +01:00			`sysctlsoff:`
added: - set file permissions - setup sysctls - set root password from vault var - added doas + config 2024-11-18 18:33:33 +01:00			`security.bsd.unprivileged_read_msgbuf: 0`
			`security.bsd.unprivileged_proc_debug: 0`
			`kern.randompid: 1`
			`net.inet.ip.random_id: 1`
			`hw.spec_store_bypass_disable: 1`
			`kern.elf64.allow_wx: 0`
			`kern.elf32.aslr.stack: 3`
			`kern.elf32.aslr.pie_enable: 1`
			`vfs.zfs.min_auto_ashift: 12`
			`kern.securelevel: 2`


			`permissions:`
			`- name: /home`
			`owner: root`
			`group: wheel`
			`mode: '0711'`
			`- name: /etc`
			`owner: root`
			`group: wheel`
			`mode: '0711'`
			`- name: /usr/local/etc`
			`owner: root`
			`group: wheel`
			`mode: '0711'`
			`- name: /root`
			`owner: root`
			`group: wheel`
			`mode: '0700'`
			`- name: /var/log`
			`owner: root`
			`group: wheel`
			`mode: '0711'`
			`- name: /var/cron/tabs`
			`owner: root`
			`group: wheel`
			`mode: '0700'`
			`- name: /var/log`
			`owner: root`
			`group: wheel`
			`mode: '0711'`
fixes: - finally fixed pf.conf - got Bastillefile working (sshd_config missing yet) - re-activated network role to set net variables - fixed make [all] - use hetzner volume for jail home - use ramdisk for /tmp inside jail 2024-11-21 19:38:55 +01:00
			`jails:`
			`pubnix:`
			`pkgs:`
			`- bash`
			`- zsh`
			`- vim`
			`- git`
			`- htop`
			`- tmux`
			`- bind-tools`
			`- coreutils`
			`- emacs-nox`
			`- fzf`