- finally fixed pf.conf
- got Bastillefile working (sshd_config still missing)
- re-activated network role to set net variables
- fixed make [all]
- use hetzner volume for jail home
- use ramdisk for /tmp inside jail
Thomas von Dein 2024-11-21 19:38:55 +01:00
parent dd2714d315
commit 480111eed7
11 changed files with 59 additions and 57 deletions


@ -1,4 +1,4 @@
.PHONY: all deploy check clean create debug editvars
.PHONY: all deploy check clean create debug editvars test
VARS = group_vars/all/vars.yaml
@ -19,8 +19,6 @@ DEBUG_COMMAND = ansible-playbook debug.yaml $(OPTIONS)
ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose)
test:
@echo SNAPSHOT="$(SNAPSHOT)"
all: create deploy
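Review bot: The new `test` target only echoes `SNAPSHOT`, so its name promises more than it delivers — a `make test` in a pipeline would "pass" without checking anything. Either rename it (e.g. `show-snapshot`) or put a comment above it: `# debug helper: prints the resolved snapshot id, not a test suite`. The `ENV` line right above it (unchanged context) carries `HCLOUD_TOKEN` into every recipe's environment, so keep this target limited to echoing `SNAPSHOT` and do not extend it to dump `$(ENV)`.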


@ -25,7 +25,6 @@ or using e3 using wrapper script around `jaildk exec dns knotc ...`
### Cleanup release snapshot
- remove /home symlink
- remove pkg function from root .bashrc
@ -33,4 +32,6 @@ or using e3 using wrapper script around `jaildk exec dns knotc ...`
## Add quota config and enable/configure rctl
## Fix jail DNS, doesn't work yet (pf missing?)
## Setup sshd_config for jail
Using Bastillefile CP?


@ -6,7 +6,7 @@
user: root
roles:
- role: server
#- role: network
- role: network
- role: firewall
- role: ssh
- role: jails
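Review bot: Re-enabling `network` makes the role order load-bearing, but nothing in the roles list says so: the firewall's pf.conf template reads `jailnet.stdout` and the bastille.conf template reads `jailip.stdout`, both registered by tasks in the `network` role, so moving `network` below either consumer would fail with an undefined variable at template time. A trailing comment documents the dependency, e.g. `- role: network  # registers jailip/jailnet, read by the firewall and jails templates`. The hunk shows only the roles list; the play header is outside it.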


@ -90,3 +90,17 @@ permissions:
owner: root
group: wheel
mode: '0711'
jails:
pubnix:
pkgs:
- bash
- zsh
- vim
- git
- htop
- tmux
- bind-tools
- coreutils
- emacs-nox
- fzf
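Review bot: The new `jails.pubnix.pkgs` list says nothing about who consumes it, and the consumer matters: the Bastillefile template flattens it with `join(' ')` into a single `PKG` line, so an entry containing whitespace would silently become two package names. Add above `pkgs:` a comment such as `# installed into the pubnix jail via the PKG line of Bastillefile.j2; one package name per entry`. The hunk begins inside the `permissions` mapping, whose start is outside it.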


@ -8,6 +8,7 @@
# pfctl -t bad_hosts -T delete $ip
ext_if="{{ ansible_default_ipv6.interface }}"
jail_net="{{ jailnet.stdout }}"
### Default block policy is to return a reset packet
set block-policy drop
@ -30,6 +31,11 @@ block in log all
### Allow outgoing, skip others rules if match, and track connections
pass out quick keep state
pass out inet6 keep state
pass out quick on $ext_if keep state
pass out on $ext_if inet6 keep state
### Allow traffic coming from jails
pass in on $ext_if inet6 from $jail_net keep state
### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface
### And block incoming traffic from $ext_if IP on $ext_if interface
@ -42,5 +48,8 @@ pass in quick on $ext_if inet6 proto tcp from any to any port ssh \
(max-src-conn-rate 10/60, \
overload <bad_hosts> flush global) label ServicesTCP
# allow ansible answers
pass out on $ext_if proto tcp from port 22 to any flags any
# ipv6 icmp
pass in quick inet6 proto icmp6 all keep state
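Review bot: `jail_net` is filled straight from `jailnet.stdout` and the hunk adds no guard for an empty or multi-line result; if the awk pipeline in the network role matches nothing, the rendered line becomes `jail_net=""` and the new `pass in on $ext_if inet6 from $jail_net keep state` rule will most likely no longer parse, so loading the whole ruleset with `pfctl -f` fails at run time. Assert the value before rendering — `failed_when: jailnet.stdout | length == 0` on the registering task, or an `ansible.builtin.assert` in this role — rather than letting the firewall reload break. The same rule passes every protocol and port from the jail network, including to services the host itself exposes on `$ext_if`; if the intent is only to let jails reach the outside world, something like `from $jail_net to ! self` would be narrower, though the intent is not visible from the hunk. In the third hunk, `pass out on $ext_if proto tcp from port 22 to any flags any` looks redundant next to the stateful ssh `pass in` rule above it; a comment saying why it is still needed would help.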


@ -37,10 +37,6 @@
regexp: '^(.*)quarterly(.*)$'
replace: '\1latest\2'
- name: determine ipv6 address
shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { print $2 }}'
register: primaryip
- name: setup bastille.conf
template:
src: bastille.conf.j2


@ -57,7 +57,7 @@ bastille_network_pf_ext_if="ext_if" ## default
bastille_network_pf_table="jails" ## default: "jails"
bastille_network_shared="" ## default: ""
bastille_network_gateway="" ## default: ""
bastille_network_gateway6="{{ primaryip.stdout }}" ## default: ""
bastille_network_gateway6="{{ jailip.stdout }}" ## default: ""
## Default Templates
bastille_template_base="default/base" ## default: "default/base"
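Review bot: `bastille_network_gateway6` now takes `jailip.stdout`, a fact registered in a different role (`network`), and the line carries no hint of that; the file's existing `## default: ""` annotation style makes it easy to append `## set by the network role (register: jailip)`. The hunk shows no fallback for an undefined `jailip`, so rendering this template with the network role disabled again (as it was before this commit) or skipped fails with a generic Jinja undefined error; `{{ jailip.stdout | mandatory('jailip not set: run the network role first') }}` gives a clearer message.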


@ -1,29 +1,8 @@
---
- name: Add bridge interface
community.general.sysrc:
name: cloned_interfaces
state: value_present
value: "bridge0"
- name: determine ipv6 address
shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { sub(/::.$/, "::2", $2); print $2 }}'
register: jailip
- name: Setup bridge interface
community.general.sysrc:
name: ifconfig_bridge0
state: value_present
value: "up"
notify: netif cloneup
- name: Setup bridge interface
community.general.sysrc:
name: ifconfig_bridge0
state: value_present
value: "addm vtnet0"
notify: netif cloneup
- name: Setup bridge interface ipv6
community.general.sysrc:
name: ifconfig_bridge0_ipv6
state: value_present
value: "inet6 auto_linklocal"
notify: netif cloneup
- meta: flush_handlers
- name: determine ipv6 net
shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { sub(/::.$/, "::", $2); print $2"/64" }}'
register: jailnet
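Review bot: The two surviving shell tasks only read interface state but have no `changed_when: false`, so every run reports them as changed, and neither validates its result: `awk` prints one line per address containing `2a01`, so a host with two such addresses yields a multi-line `stdout` that later lands unchecked in `bastille create ... {{ jailip.stdout }}/64` and in the pf macro `jail_net`, and an address that does not end in `::<one char>` leaves `sub(/::.$/, "::2", $2)` a no-op so the jail IP equals the host IP. Both tasks should fail when the result is empty or has more than one line, and the `2a01` / `::.$` assumptions deserve a comment naming what they assume (presumably the provider's /64 prefix and a host suffix of `::1` — confirm). The whole file after this commit appears to be within the hunk.
```yaml
- name: determine ipv6 address
  # … unchanged: shell pipeline …
  register: jailip
  changed_when: false
  failed_when: jailip.stdout | length == 0 or jailip.stdout_lines | length > 1

- name: determine ipv6 net
  # … unchanged: shell pipeline …
  register: jailnet
  changed_when: false
  failed_when: jailnet.stdout | length == 0 or jailnet.stdout_lines | length > 1
```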


@ -1,6 +0,0 @@
PKG bash
SYSRC sshd_enable=YES
CMD mkdir -p /data/home
SERVICE nginx restart
FSTAB /data/home data/home nullfs ro 0 0
RDR tcp 22 22


@ -6,9 +6,9 @@
recurse: yes
- name: copy template config files
copy:
src: Bastillefile
dest: "/usr/local/bastille/templates/services/{{ role_name }}/"
template:
src: Bastillefile.j2
dest: "/usr/local/bastille/templates/services/{{ role_name }}/Bastillefile"
- name: create config path
file:
@ -21,16 +21,13 @@
src: sshd_config
dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"
- name: create data/home dataset
community.general.zfs:
name: zroot/home
state: present
extra_zfs_properties:
mountpoint: /data/home
# - name: create data/home dataset
# community.general.zfs:
# name: zroot/home
# state: present
# extra_zfs_properties:
# mountpoint: /data/home
- name: determine ipv6 address
shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { sub(/::.$/, "::2", $2); print $2 }}'
register: jailip
- name: create jail
shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0"
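Review bot: The ZFS dataset task is kept as six commented-out lines instead of being deleted, and nothing says why it was disabled; since the commit message moves the jail home to a Hetzner volume, replace the block with one comment such as `# /home comes from the hetzner volume mounted on the host; no dataset needed` so the next reader does not re-enable it. The `determine ipv6 address` task appears to be removed here (the hunk counts only fit a deletion) and re-registered in the network role, which leaves the context line `bastille create -B ... {{ jailip.stdout }}/64 bridge0` depending on a variable set elsewhere with no check that it is defined or single-line; an `ansible.builtin.assert` with `that: jailip.stdout_lines | length == 1` before the create task catches that early. The switch from `copy` to `template` in the first hunk is fine as written, but the `src: sshd_config` copy task in the context lines still references a file the commit message says is missing, which would fail the play if it is absent from the role's files directory.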


@ -0,0 +1,14 @@
PKG {{ jails.pubnix.pkgs | join(' ') }}
SYSRC sshd_enable=YES
SYSRC sendmail_enable=NONE
SYSRC tmpsize="500m"
SYSRC tmpmfs="AUTO"
SYSRC clear_tmp_enable="YES"
CMD rm /home
CMD mkdir -p /home
FSTAB /home home nullfs rw 0 0
SERVICE sshd start
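Review bot: `FSTAB /home home nullfs rw 0 0` nullfs-mounts the host's entire `/home` read-write into the jail (the deleted Bastillefile mounted `/data/home` read-only), so any process in the jail, including its root, can modify everything under the host's `/home`; if that directory also holds home directories of accounts that exist on the host, jail users can alter those users' files (e.g. `~/.ssh`) from inside the jail. If host `/home` is only the Hetzner volume dedicated to jail users, say so in a comment, e.g. `# host /home is the hetzner volume dedicated to jail users; nothing else lives there`; otherwise mount a dedicated subdirectory rather than the whole tree. `CMD rm /home` assumes the jail's `/home` is still the base-system symlink; on a second application, when it is already the directory created by the following `mkdir -p`, plain `rm` fails on a directory — `CMD [ -L /home ] && rm /home || true` keeps the template re-runnable, assuming CMD lines go through a shell as they normally do in Bastille.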