- finally fixed pf.conf
- got Bastillefile working (sshd_config still missing)
- re-activated network role to set net variables
- fixed make [all]
- use hetzner volume for jail home
- use ramdisk for /tmp inside jail
This commit is contained in:
Thomas von Dein 2024-11-21 19:38:55 +01:00
parent dd2714d315
commit 480111eed7
11 changed files with 59 additions and 57 deletions


@ -1,4 +1,4 @@
.PHONY: all deploy check clean create debug editvars .PHONY: all deploy check clean create debug editvars test
VARS = group_vars/all/vars.yaml VARS = group_vars/all/vars.yaml
@ -19,8 +19,6 @@ DEBUG_COMMAND = ansible-playbook debug.yaml $(OPTIONS)
ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose) ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose)
test:
@echo SNAPSHOT="$(SNAPSHOT)"
all: create deploy all: create deploy


@ -25,7 +25,6 @@ or using e3 using wrapper script around `jaildk exec dns knotc ...`
### Cleanup release snapshot ### Cleanup release snapshot
- remove /home symlink
- remove pkg function from root .bashrc - remove pkg function from root .bashrc
@ -33,4 +32,6 @@ or using e3 using wrapper script around `jaildk exec dns knotc ...`
## Add quota config and enable/configure rctl ## Add quota config and enable/configure rctl
## Fix jail DNS, doesn't work yet (pf missing?) ## Setup sshd_config for jail
Using Bastillefile CP?


@ -6,7 +6,7 @@
user: root user: root
roles: roles:
- role: server - role: server
#- role: network - role: network
- role: firewall - role: firewall
- role: ssh - role: ssh
- role: jails - role: jails
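Review bot: Re-enabling `network` here introduces an ordering dependency that nothing in the play records: the firewall role's pf.conf.j2 reads `jailnet.stdout` and bastille.conf.j2 reads `jailip.stdout`, and in this commit both variables are registered only by the network role's shell tasks, so `network` must stay ahead of `firewall` and of whichever role renders bastille.conf. A comment on the role line would stop the next reorder from breaking the templates, e.g. `- role: network  # registers jailip/jailnet, consumed by firewall (pf.conf.j2) and bastille.conf.j2`. The enclosing play starts above this hunk.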


@ -90,3 +90,17 @@ permissions:
owner: root owner: root
group: wheel group: wheel
mode: '0711' mode: '0711'
jails:
pubnix:
pkgs:
- bash
- zsh
- vim
- git
- htop
- tmux
- bind-tools
- coreutils
- emacs-nox
- fzf


@ -8,6 +8,7 @@
# pfctl -t bad_hosts -T delete $ip # pfctl -t bad_hosts -T delete $ip
ext_if="{{ ansible_default_ipv6.interface }}" ext_if="{{ ansible_default_ipv6.interface }}"
jail_net="{{ jailnet.stdout }}"
### Default block policy is to return a reset packet ### Default block policy is to return a reset packet
set block-policy drop set block-policy drop
@ -30,6 +31,11 @@ block in log all
### Allow outgoing, skip others rules if match, and track connections ### Allow outgoing, skip others rules if match, and track connections
pass out quick keep state pass out quick keep state
pass out inet6 keep state pass out inet6 keep state
pass out quick on $ext_if keep state
pass out on $ext_if inet6 keep state
### Allow traffic coming from jails
pass in on $ext_if inet6 from $jail_net keep state
### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface ### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface
### And block incoming traffic from $ext_if IP on $ext_if interface ### And block incoming traffic from $ext_if IP on $ext_if interface
@ -42,5 +48,8 @@ pass in quick on $ext_if inet6 proto tcp from any to any port ssh \
(max-src-conn-rate 10/60, \ (max-src-conn-rate 10/60, \
overload <bad_hosts> flush global) label ServicesTCP overload <bad_hosts> flush global) label ServicesTCP
# allow ansible answers
pass out on $ext_if proto tcp from port 22 to any flags any
# ipv6 icmp # ipv6 icmp
pass in quick inet6 proto icmp6 all keep state pass in quick inet6 proto icmp6 all keep state
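Review bot: The new `pass in on $ext_if inet6 from $jail_net keep state` admits every protocol and port from the whole /64 on the external interface, and because `jail_net` is derived from the host's own prefix that is exactly the range a remote sender could present as a forged source; pf is last-match-wins, so whether the later `block` rules for the $ext_if subnet still override it depends on whether they carry `quick`, which is not visible here. Narrowing the rule to the jail address(es) that actually need to reach the host, or to the interface jail traffic genuinely arrives on, would be tighter than the prefix. `jail_net="{{ jailnet.stdout }}"` also renders as `jail_net=""` when the awk filter matched nothing, and pfctl then rejects the whole ruleset on reload, so the playbook should fail earlier, e.g. `jail_net="{{ jailnet.stdout | mandatory }}"`. As ordered, the added `pass out on $ext_if proto tcp from port 22 to any flags any` is shadowed by the earlier `pass out quick keep state`, so it never matches and can likely be dropped along with the `pass out on $ext_if` duplicates above it.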


@ -37,10 +37,6 @@
regexp: '^(.*)quarterly(.*)$' regexp: '^(.*)quarterly(.*)$'
replace: '\1latest\2' replace: '\1latest\2'
- name: determine ipv6 address
shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { print $2 }}'
register: primaryip
- name: setup bastille.conf - name: setup bastille.conf
template: template:
src: bastille.conf.j2 src: bastille.conf.j2


@ -57,7 +57,7 @@ bastille_network_pf_ext_if="ext_if" ## default
bastille_network_pf_table="jails" ## default: "jails" bastille_network_pf_table="jails" ## default: "jails"
bastille_network_shared="" ## default: "" bastille_network_shared="" ## default: ""
bastille_network_gateway="" ## default: "" bastille_network_gateway="" ## default: ""
bastille_network_gateway6="{{ primaryip.stdout }}" ## default: "" bastille_network_gateway6="{{ jailip.stdout }}" ## default: ""
## Default Templates ## Default Templates
bastille_template_base="default/base" ## default: "default/base" bastille_template_base="default/base" ## default: "default/base"
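Review bot: `jailip` is now registered only by the network role's rewritten tasks, while the `setup bastille.conf` task that renders this template sits in a file whose role is not visible in this commit; if that is the server role, the playbook runs it before `network` and `{{ jailip.stdout }}` is undefined at render time, failing the play. If the task does run later, the remaining gap is an empty register (awk matched nothing), which this line turns into `bastille_network_gateway6=""` without complaint; `bastille_network_gateway6="{{ jailip.stdout | mandatory }}"` makes that fail loudly instead. A short comment above the line naming where `jailip` comes from would also help the next reader.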


@ -1,29 +1,8 @@
--- ---
- name: Add bridge interface - name: determine ipv6 address
community.general.sysrc: shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { sub(/::.$/, "::2", $2); print $2 }}'
name: cloned_interfaces register: jailip
state: value_present
value: "bridge0"
- name: Setup bridge interface - name: determine ipv6 net
community.general.sysrc: shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { sub(/::.$/, "::", $2); print $2"/64" }}'
name: ifconfig_bridge0 register: jailnet
state: value_present
value: "up"
notify: netif cloneup
- name: Setup bridge interface
community.general.sysrc:
name: ifconfig_bridge0
state: value_present
value: "addm vtnet0"
notify: netif cloneup
- name: Setup bridge interface ipv6
community.general.sysrc:
name: ifconfig_bridge0_ipv6
state: value_present
value: "inet6 auto_linklocal"
notify: netif cloneup
- meta: flush_handlers
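Review bot: Both new tasks shell out to `ifconfig | awk` and key on the literal `/2a01/`, so they silently yield an empty `stdout` on any host whose prefix is not 2a01 and match any line containing those characters; facts are already gathered (pf.conf.j2 uses `ansible_default_ipv6.interface`), so `ansible_default_ipv6.address` and `ansible_default_ipv6.prefix` should give the same information without a provider-specific pattern. The `sub(/::.$/, "::2", $2)` edit additionally assumes the host address ends in `::` plus exactly one character. Both tasks only read state but report changed on every run; add `changed_when: false` to each. The bridge tasks removed here were the only visible place bridge0 was configured, yet the jails role still runs `bastille create -B … bridge0`; if that setup has not moved elsewhere, jail creation will fail on a fresh host.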


@ -1,6 +0,0 @@
PKG bash
SYSRC sshd_enable=YES
CMD mkdir -p /data/home
SERVICE nginx restart
FSTAB /data/home data/home nullfs ro 0 0
RDR tcp 22 22


@ -6,9 +6,9 @@
recurse: yes recurse: yes
- name: copy template config files - name: copy template config files
copy: template:
src: Bastillefile src: Bastillefile.j2
dest: "/usr/local/bastille/templates/services/{{ role_name }}/" dest: "/usr/local/bastille/templates/services/{{ role_name }}/Bastillefile"
- name: create config path - name: create config path
file: file:
@ -21,17 +21,14 @@
src: sshd_config src: sshd_config
dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/" dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"
- name: create data/home dataset # - name: create data/home dataset
community.general.zfs: # community.general.zfs:
name: zroot/home # name: zroot/home
state: present # state: present
extra_zfs_properties: # extra_zfs_properties:
mountpoint: /data/home # mountpoint: /data/home
- name: determine ipv6 address
shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { sub(/::.$/, "::2", $2); print $2 }}'
register: jailip
- name: create jail - name: create jail
shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0" shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0"
args: args:
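Review bot: The dataset task is commented out rather than removed, leaving six dead lines in the task list; git keeps the history, so deleting the block (or keeping the task behind a documented `when:` if it is expected to return) reads better than a commented stub. The `dest` change to a full file path is right for `template`, since a directory destination would otherwise write a file named `Bastillefile.j2`. The `create jail` task continues below this hunk.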


@ -0,0 +1,14 @@
PKG {{ jails.pubnix.pkgs | join(' ') }}
SYSRC sshd_enable=YES
SYSRC sendmail_enable=NONE
SYSRC tmpsize="500m"
SYSRC tmpmfs="AUTO"
SYSRC clear_tmp_enable="YES"
CMD rm /home
CMD mkdir -p /home
FSTAB /home home nullfs rw 0 0
SERVICE sshd start
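Review bot: `FSTAB /home home nullfs rw 0 0` mounts the host's own `/home` read-write into a multi-user jail, so jail users and jail root share a writable tree with any host accounts homed there; a jail-specific directory on the volume (`/home/<jail-name>` as a placeholder, or the volume's own mount point) keeps the isolation boundary clear even though the commit message says the volume is meant for jail homes. `CMD rm /home` only succeeds when the release ships `/home` as a symlink; where it is a directory `rm` exits non-zero and the template aborts, so `CMD test -L /home && rm /home || true` ahead of the `mkdir -p` is safer. `SYSRC tmpmfs="AUTO"` relies on rc.d/tmp mounting a memory disk, which as far as I can tell needs md device access a default jail does not get — worth confirming /tmp actually ends up on a ramdisk inside the jail, or mounting tmpfs through the jail's fstab instead.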