fixes:

- finally fixed pf.conf - got Bastillefile working (sshd_config missing yet) - re-activated network role to set net variables - fixed make [all] - use hetzner volume for jail home - use ramdisk for /tmp inside jail
2024-11-21 19:38:55 +01:00
parent dd2714d315
commit 480111eed7
11 changed files with 59 additions and 57 deletions
--- a/roles/firewall/templates/pf.conf.j2
+++ b/roles/firewall/templates/pf.conf.j2
@@ -8,6 +8,7 @@
 #   pfctl -t bad_hosts -T delete $ip  

 ext_if="{{ ansible_default_ipv6.interface }}"
+jail_net="{{ jailnet.stdout }}"

 ### Default block policy is to return a reset packet
 set block-policy drop
@@ -30,6 +31,11 @@ block in log all
 ### Allow outgoing, skip others rules if match, and track connections
 pass out quick keep state
 pass out inet6 keep state
+pass out quick on $ext_if keep state
+pass out on $ext_if inet6 keep state
+
+### Allow traffic coming from jails
+pass in on $ext_if inet6 from $jail_net keep state

 ### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface
 ### And block incoming traffic from $ext_if IP on $ext_if interface
@@ -42,5 +48,8 @@ pass in quick on $ext_if inet6 proto tcp from any to any port ssh \
     (max-src-conn-rate 10/60, \
     overload <bad_hosts> flush global) label ServicesTCP

+# allow ansible answers
+pass out on $ext_if proto tcp from port 22 to any flags any
+     
 # ipv6 icmp
 pass in quick inet6 proto icmp6 all keep state
--- a/roles/jails/tasks/main.yaml
+++ b/roles/jails/tasks/main.yaml
@@ -37,10 +37,6 @@
    regexp: '^(.*)quarterly(.*)$'
    replace: '\1latest\2'

- name: determine ipv6 address
-  shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { print $2 }}'
-  register: primaryip
-
 - name: setup bastille.conf
  template:
    src: bastille.conf.j2
--- a/roles/jails/templates/bastille.conf.j2
+++ b/roles/jails/templates/bastille.conf.j2
@@ -57,7 +57,7 @@ bastille_network_pf_ext_if="ext_if"                                   ## default
 bastille_network_pf_table="jails"                                     ## default: "jails"
 bastille_network_shared=""                                            ## default: ""
 bastille_network_gateway=""                                           ## default: ""
-bastille_network_gateway6="{{ primaryip.stdout }}"        ## default: ""
+bastille_network_gateway6="{{ jailip.stdout }}"        ## default: ""

 ## Default Templates
 bastille_template_base="default/base"                                 ## default: "default/base"
--- a/roles/network/tasks/main.yaml
+++ b/roles/network/tasks/main.yaml
@@ -1,29 +1,8 @@
 ---
- name: Add bridge interface
-  community.general.sysrc:
-    name: cloned_interfaces
-    state: value_present
-    value: "bridge0"
+- name: determine ipv6 address
+  shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { sub(/::.$/, "::2", $2); print $2 }}'
+  register: jailip

- name: Setup bridge interface
-  community.general.sysrc:
-    name: ifconfig_bridge0
-    state: value_present
-    value: "up"
-  notify: netif cloneup
-
- name: Setup bridge interface
-  community.general.sysrc:
-    name: ifconfig_bridge0
-    state: value_present
-    value: "addm vtnet0"
-  notify: netif cloneup
-  
- name: Setup bridge interface ipv6
-  community.general.sysrc:
-    name: ifconfig_bridge0_ipv6
-    state: value_present
-    value: "inet6 auto_linklocal"
-  notify: netif cloneup
-  
- meta: flush_handlers
+- name: determine ipv6 net
+  shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { sub(/::.$/, "::", $2); print $2"/64" }}'
+  register: jailnet
--- a/roles/pubnix/files/Bastillefile
+++ b/roles/pubnix/files/Bastillefile
@@ -1,6 +0,0 @@
-PKG bash
-SYSRC sshd_enable=YES
-CMD mkdir -p /data/home
-SERVICE nginx restart
-FSTAB /data/home data/home nullfs ro 0 0
-RDR tcp 22 22
--- a/roles/pubnix/tasks/main.yaml
+++ b/roles/pubnix/tasks/main.yaml
@@ -6,9 +6,9 @@
    recurse: yes

 - name: copy template config files
-  copy:
-    src: Bastillefile
-    dest: "/usr/local/bastille/templates/services/{{ role_name }}/"
+  template:
+    src: Bastillefile.j2
+    dest: "/usr/local/bastille/templates/services/{{ role_name }}/Bastillefile"

 - name: create config path
  file:
@@ -21,17 +21,14 @@
    src: sshd_config
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"

- name: create data/home dataset
-  community.general.zfs:
-    name: zroot/home
-    state: present
-    extra_zfs_properties:
-      mountpoint: /data/home
+# - name: create data/home dataset
+#   community.general.zfs:
+#     name: zroot/home
+#     state: present
+#     extra_zfs_properties:
+#       mountpoint: /data/home
+

- name: determine ipv6 address
-  shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { sub(/::.$/, "::2", $2); print $2 }}'
-  register: jailip
-      
 - name: create jail
  shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0"
  args:
--- a/roles/pubnix/templates/Bastillefile.j2
+++ b/roles/pubnix/templates/Bastillefile.j2
@@ -0,0 +1,14 @@
+PKG {{ jails.pubnix.pkgs | join(' ') }}
+
+SYSRC sshd_enable=YES
+SYSRC sendmail_enable=NONE
+SYSRC tmpsize="500m"
+SYSRC tmpmfs="AUTO"
+SYSRC clear_tmp_enable="YES"
+
+CMD rm /home
+CMD mkdir -p /home
+
+FSTAB /home home nullfs rw 0 0
+
+SERVICE sshd start