From 5a0e645bed3888a35382be1dfe324b4f2b3443ef Mon Sep 17 00:00:00 2001 From: Thomas von Dein Date: Sat, 16 Nov 2024 11:16:54 +0100 Subject: [PATCH] more work, get rid of jail stuff, using vps directly --- Makefile | 5 ++--- TODO.md | 2 ++ create.yaml | 19 +++++++++++++++++++ deploy.yaml | 5 +++-- roles/pubnix/tasks/main.yaml | 2 +- roles/remove/tasks/main.yaml | 6 +++++- roles/ssh/files/sshd_config | 14 ++++++++++++++ roles/ssh/handlers/main.yaml | 7 +++++++ roles/ssh/tasks/main.yaml | 11 +++++++++++ 9 files changed, 64 insertions(+), 7 deletions(-) create mode 100644 roles/ssh/files/sshd_config create mode 100644 roles/ssh/handlers/main.yaml create mode 100644 roles/ssh/tasks/main.yaml diff --git a/Makefile b/Makefile index 3c1d8ae..25d9f08 100644 --- a/Makefile +++ b/Makefile @@ -14,6 +14,8 @@ DEBUG_COMMAND = ansible-playbook debug.yaml -i inventory ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose) +all: create deploy + debug: $(ENV) $(DEBUG_COMMAND) @@ -23,9 +25,6 @@ create: hosts: $(ENV) $(HOSTS_COMMAND) -all: create - $(ENV) $(DEPLOY_COMMAND) - deploy: $(ENV) $(DEPLOY_COMMAND) diff --git a/TODO.md b/TODO.md index a3b9383..e6141e2 100644 --- a/TODO.md +++ b/TODO.md @@ -1,5 +1,7 @@ ## Install tarball +### clean known_host doesnt work + ### install from tarball example: ```yaml diff --git a/create.yaml b/create.yaml index 3a3facb..ba0d161 100644 --- a/create.yaml +++ b/create.yaml @@ -1,3 +1,19 @@ +- name: Create the home volume + hosts: localhost + connection: local + # FIXME: create volume role + tasks: + - name: Create the home volume + hetzner.hcloud.volume: + # FIXME: put to vars + # FIXME: add mount to server + # FIXME: gpart create -s GPT da1 && gpart add -t freebsd-zfs -l storage -a 1M da1 && zpool create -f home da1 + name: home + location: fsn1 + format: ext4 + size: 100 + state: present + - name: Create BSDNIX Servers hosts: vps connection: local 
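Review bot: `all: create deploy` and the other recipe targets name no files, so a file called `all`, `create` or `deploy` appearing in the checkout would make `make` treat the target as up to date and skip the playbook; declare `.PHONY: all debug create hosts deploy` (the Makefile's remaining targets are outside the hunk). The same point applies to the second Makefile hunk, which removes the old `all` recipe. The simplification itself is fine.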
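Review bot: The FIXME on the `hetzner.hcloud.volume` task sketches `gpart create … && zpool create -f home da1`; `zpool create -f` wipes whatever is already on da1, so when that becomes a task it needs an idempotency guard (a preceding `zpool list home` check, or `args: creates:` on a marker) or a re-run of `make all` will destroy the home data this volume exists to keep. `format: ext4` asks Hetzner to lay an ext4 filesystem on a volume the FreeBSD side intends to repartition for ZFS, so that option can be dropped. Since the volume will hold user data, `delete_protection: true` here is a cheap safeguard against the `state: absent` task in roles/remove/tasks/main.yaml (or a manual deletion) removing it by accident. `name`, `location` and `size` are hard-coded as the FIXME already notes, and `home` is repeated in the remove role, so one variable should feed both.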
@@ -8,6 +24,7 @@ # during testing the ip addresses change all the time, so tune the # known_hosts file accordingly after setup +# FIXME: doesn't work correctly yet - name: Add/cleanup public keys of all vps' to known_hosts file hosts: localhost connection: local @@ -23,3 +40,5 @@ state: present loop: "{{ ssh_known_hosts | map('extract', hostvars, ['ipv6']) | list }}" become: no + + diff --git a/deploy.yaml b/deploy.yaml index 7ce6464..b4eac8d 100644 --- a/deploy.yaml +++ b/deploy.yaml @@ -7,5 +7,6 @@ - role: server - role: network - role: firewall - - role: jails - - role: pubnix + - role: ssh + #- role: jails + #- role: pubnix diff --git a/roles/pubnix/tasks/main.yaml b/roles/pubnix/tasks/main.yaml index f68aba5..6ba8a0c 100644 --- a/roles/pubnix/tasks/main.yaml +++ b/roles/pubnix/tasks/main.yaml @@ -33,7 +33,7 @@ register: jailip - name: create jail - shell: "bastille create -V {{ role_name }} {{ release }} {{ jailip.stdout }}/64 vtnet0" + shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0" args: creates: /usr/local/bastille/jails/{{ role_name }} diff --git a/roles/remove/tasks/main.yaml b/roles/remove/tasks/main.yaml index 7446e15..500530c 100644 --- a/roles/remove/tasks/main.yaml +++ b/roles/remove/tasks/main.yaml @@ -1,4 +1,9 @@ --- +- name: Remove volume + hetzner.hcloud.volume: + name: home + state: absent + - name: Remove server hcloud_server: name: "{{ hostname }}" @@ -9,4 +14,3 @@ state: absent ssh_keys: "{{ ssh_keys }}" register: server - diff --git a/roles/ssh/files/sshd_config b/roles/ssh/files/sshd_config new file mode 100644 index 0000000..886f337 --- /dev/null +++ b/roles/ssh/files/sshd_config @@ -0,0 +1,14 @@ +LogLevel INFO +LoginGraceTime 1m +PermitRootLogin no +StrictModes yes +MaxAuthTries 3 +MaxSessions 2 +PubkeyAuthentication yes +PasswordAuthentication no +KbdInteractiveAuthentication no +AllowAgentForwarding no +AllowTcpForwarding no +GatewayPorts no +X11Forwarding no + 
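Review bot: The `jails` and `pubnix` entries are commented out instead of removed while roles/pubnix/tasks/main.yaml is still edited in this same commit, so the role list and the maintained code have drifted apart; either delete the two lines (history keeps them) or make the choice explicit with a variable, e.g. `- { role: pubnix, when: use_jails | default(false) | bool }`. With `ssh` now directly after `firewall`, nothing in the visible part of the list creates a non-root login before that role installs a `PermitRootLogin no` sshd_config, so confirm a user role runs earlier (the play header and any preceding roles are outside the hunk).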
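Review bot: The rewritten `shell:` line splices `{{ release }}` and `{{ jailip.stdout }}` into a command string without quoting, so whitespace or shell metacharacters in the registered output are interpreted by the shell; the task uses no shell features, so `command: bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0` with the existing `args: creates:` gives the same effect without that surface. The task assumes `bridge0` already exists, presumably set up by the network role — a one-line comment naming that prerequisite would help. This role is commented out in deploy.yaml by the same commit, so the change is currently unexercised; the task list continues outside the hunk.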
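Review bot: `Remove volume` deletes the `home` volume unconditionally as the first step of the role, and Hetzner volume deletion is irreversible; gate it behind an explicit opt-in such as `when: remove_home_volume | default(false) | bool` so a routine teardown/re-create of the server does not wipe user data. The volume is also removed before the server it is presumably attached to, and the Hetzner API rejects deleting an attached volume, so the task likely fails until it is moved after `Remove server` or preceded by a detach. The literal `name: home` duplicates create.yaml; a shared variable keeps the two in step. The second hunk in this file only drops a trailing blank line.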
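Review bot: This file replaces FreeBSD's stock sshd_config wholesale, which drops the default `Subsystem sftp /usr/libexec/sftp-server` line; Ansible's default transfer method tries sftp first and shell users on a pubnix will expect sftp too, so the directive should be carried over. `PermitRootLogin no` with `PasswordAuthentication no` is the right hardening, but whether the play connects as root is not visible here — if it does, every run after the first is locked out, so a non-root user holding the deploy key (with doas or sudo) must exist before the ssh role runs. The trailing empty `+` line is harmless.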
diff --git a/roles/ssh/handlers/main.yaml b/roles/ssh/handlers/main.yaml
new file mode 100644
index 0000000..6d4c3ba
--- /dev/null
+++ b/roles/ssh/handlers/main.yaml
@@ -0,0 +1,7 @@
+---
+- name: start sshd
+ service:
+ name: sshd
+ state: restarted
+ async: 45
+ poll: 5
diff --git a/roles/ssh/tasks/main.yaml b/roles/ssh/tasks/main.yaml
new file mode 100644
index 0000000..b11fd16
--- /dev/null
+++ b/roles/ssh/tasks/main.yaml
@@ -0,0 +1,11 @@
+---
+- name: copy config file
+ copy:
+ src: sshd_config
+ dest: "/etc/ssh/"
+
+- name: restart sshd
+ community.general.sysrc:
+ name: sshd_enable
+ value: "YES"
+ notify: restart sshd
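Review bot: The handler is named `start sshd`, but the `notify: restart sshd` in roles/ssh/tasks/main.yaml of this same commit refers to a handler that does not exist, so Ansible aborts at handler flush with a missing-handler error (or, if error_on_missing_handler is disabled, quietly never restarts sshd) and the new sshd_config is never applied; rename it `- name: restart sshd`. The `async: 45` / `poll: 5` pair presumably lets the task survive the connection drop while sshd restarts — a comment saying so would spare the next reader the guess.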
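Review bot: The `copy` task installs a full replacement sshd_config without `validate`, so a syntax error is found only when sshd fails to come back — and with password logins disabled by that file, that means loss of access to the host. Add `validate: '/usr/sbin/sshd -t -f %s'` to the copy task together with explicit ownership and mode, and move `notify: restart sshd` onto it: as written only the sysrc task notifies, so a later change to sshd_config alone is copied but never activated. The sysrc task itself only enables the service and would be clearer named `enable sshd`.
```yaml
- name: copy config file
  copy:
    # … unchanged: src, dest …
    owner: root
    group: wheel
    mode: "0644"
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd
```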