fixed bootstrap of chat jail, added rctl limit config stuff

2024-12-15 18:48:41 +01:00
parent 862f2567b1
commit 7b60d8bf8c
10 changed files with 84 additions and 13 deletions
--- a/roles/server/files/rctl.conf
+++ b/roles/server/files/rctl.conf
@@ -0,0 +1,10 @@
+#
+# rctl.conf: restrictions  for jail  users.  The loginclass  "jail" is
+# being   created  inside   the   "pub"   jail's  /etc/login.conf   in
+# roles/pub/tasks/main.yaml. But we can  still configure the kernel to
+# accept rules based on this login class. Cool!
+loginclass:jail:maxproc:deny=50/user
+loginclass:jail:openfiles:deny=100/user
+loginclass:jail:pcpu:deny=20/user
+#loginclass:jail:cputime:sigkill=100/user
+
--- a/roles/server/handlers/main.yaml
+++ b/roles/server/handlers/main.yaml
@@ -9,4 +9,9 @@
    name: local_unbound
    state: stopped

+- name: start rctl
+  service:
+    name: rctl
+    state: started
+    
 - meta: flush_handlers
--- a/roles/server/tasks/main.yaml
+++ b/roles/server/tasks/main.yaml
@@ -71,29 +71,37 @@
    reload: true

 - name: Install doas config
-  ansible.builtin.copy:
-    src: roles/server/files/doas.conf
+  copy:
+    src: doas.conf
    dest: /usr/local/etc/doas.conf
    owner: root
    group: wheel
    mode: '0600'

 - name: Install knot resolver config
-  ansible.builtin.copy:
-    src: roles/server/files/kresd.conf
+  copy:
+    src: kresd.conf
    dest: /usr/local/etc/knot-resolver/kresd.conf
    owner: root
    group: wheel
    mode: '0644'

 - name: Install knot resolv.conf
-  ansible.builtin.copy:
-    src: roles/server/files/resolv.conf
+  copy:
+    src: resolv.conf
    dest: /etc/resolv.conf
    owner: root
    group: wheel
    mode: '0644'

+- name: Install rctl rule set
+  copy:
+    src: rctl.conf
+    dest: /etc/rctl.conf
+    owner: root
+    group: wheel
+    mode: '0644'
+
 - name: Install /etc/hosts file
  copy:
    src: hosts
@@ -127,3 +135,8 @@
    value: "YES"
  notify: start kresd

+- name: enable rctl
+  community.general.sysrc:
+    name: rctl_enable
+    value: "YES"
+  notify: start rctl