fixed bootstrap of chat jail, added rctl limit config stuff

TODO.md

@@ -7,3 +7,28 @@
 ## Check if motd generation works
 
 See Bastillefile pub
+
+## racct.enable = 1!
+
+sysctl kern.racct.enable=1
+sysctl: oid 'kern.racct.enable' is a read only tunable
+sysctl: Tunable values are set in /boot/loader.conf
+
+not ="YES"
+
++ test the current setup: does it get configured and how does it limit
+  users? also check if new users belong to login class "jail" and test
+  their limits
+
+## bastille start+template
+
+https://github.com/BastilleBSD/bastille/issues/772
+
+Maybe build+copy  devzat only after the  jail is built and  running by
+just copying the binariy into it, perhaps like this:
+
+- stop
+- copy
+- start
+
+or something.

roles/chat/files/devzat

@@ -13,7 +13,7 @@ devzat_user="nobody"
 devzat_command="/usr/local/sbin/devzat"
 pidfile="/tmp/${name}.pid"
 command="/usr/sbin/daemon"
-command_args="-P ${pidfile} ${devzat_command}"
+command_args="-P ${pidfile} -c ${devzat_command}"
 devzat_config="/usr/local/etc/devzat.yml"
 
 load_rc_config $name

roles/chat/tasks/main.yaml

@@ -34,7 +34,9 @@
     - usr/local/sbin
 
 - name: copy devzat binary
-  shell: install -m 755 /tmp/devzat/devzat /usr/local/bastille/templates/services/{{ role_name }}/usr/local/sbin/devzat
+  shell: |
+    install -m 755 /tmp/devzat/devzat /usr/local/bastille/templates/services/{{ role_name }}/usr/local/sbin/devzat
+    touch /tmp/.ansible.devzat
   args:
     creates: "/tmp/.ansible.devzat"
   
@@ -58,9 +60,11 @@
   shell: bastille start {{ role_name }} || true
 
 - name: template jail
-  shell: "bastille template {{ role_name }} services/{{ role_name }}"
+  shell: |
+    bastille template {{ role_name }} services/{{ role_name }}
+    touch /tmp/.ansible.devzattemplate
   args:
     # FIXME: might make it impossible to update, on the other hand w/o
     # it this command fails with "devzat binary busy" when the jail is
     # already running, since go binaries do not fork.
-    creates: "/tmp/.ansible.devzattemplate"
+    creates: /tmp/.ansible.devzattemplate

roles/chat/templates/Bastillefile.j2

@@ -6,7 +6,7 @@ SYSRC tmpmfs=AUTO
 SYSRC clear_tmp_enable=YES
 SYSRC devzat_enable=YES
 
-CMD if test -l /home; then rm /home; fi
+CMD if test -L /home; then rm /home; fi
 CMD mkdir -p /home
 FSTAB /home home nullfs rw 0 0
 

roles/jails/tasks/main.yaml

@@ -31,6 +31,11 @@
   args:
     creates: "/usr/local/bastille/releases/{{ release }}"
 
+- name: remove home link from bootstrap
+  shell: |
+    if test -L /usr/local/bastille/releases/{{ release }}/home; then rm -f /usr/local/bastille/releases/{{ release }}/home; fi
+    mkdir -p /usr/local/bastille/releases/{{ release }}/home
+
 - name: configure bootstrap to use latest pkgs
   replace:
     path: "/usr/local/bastille/releases/{{ release }}/etc/pkg/FreeBSD.conf"

roles/pub/bin/user.sh

@@ -74,7 +74,7 @@ args=""
 root=""
 
 if test -n "$rootdir"; then
-    root="-R $rootdir"
+    root="-R $rootdir -L jail"
 fi
 
 if test -n "$groups"; then

roles/pub/tasks/main.yaml

@@ -77,6 +77,15 @@
     src: keys
     dest: "/usr/local/bastille/"
 
+# create our login class, needed for rctl rules
+- name: create jail login class
+  shell: |
+    ( echo "jail:\\"; printf "\t:tc=default:\n" ) >> /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
+    cap_mkdb /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
+    touch /tmp/.ansiblepubloginconf
+  args:
+    creates: /tmp/.ansiblepubloginconf
+
 # create our own group[s]
 - name: Manage groups
   loop: "{{ jailgroups }}"

roles/server/files/rctl.conf

@@ -0,0 +1,10 @@
+#
+# rctl.conf: restrictions  for jail  users.  The loginclass  "jail" is
+# being   created  inside   the   "pub"   jail's  /etc/login.conf   in
+# roles/pub/tasks/main.yaml. But we can  still configure the kernel to
+# accept rules based on this login class. Cool!
+loginclass:jail:maxproc:deny=50/user
+loginclass:jail:openfiles:deny=100/user
+loginclass:jail:pcpu:deny=20/user
+#loginclass:jail:cputime:sigkill=100/user
+

roles/server/handlers/main.yaml

@@ -9,4 +9,9 @@
     name: local_unbound
     state: stopped
 
+- name: start rctl
+  service:
+    name: rctl
+    state: started
+    
 - meta: flush_handlers

roles/server/tasks/main.yaml

@@ -71,29 +71,37 @@
     reload: true
 
 - name: Install doas config
-  ansible.builtin.copy:
+  copy:
-    src: roles/server/files/doas.conf
+    src: doas.conf
     dest: /usr/local/etc/doas.conf
     owner: root
     group: wheel
     mode: '0600'
 
 - name: Install knot resolver config
-  ansible.builtin.copy:
+  copy:
-    src: roles/server/files/kresd.conf
+    src: kresd.conf
     dest: /usr/local/etc/knot-resolver/kresd.conf
     owner: root
     group: wheel
     mode: '0644'
 
 - name: Install knot resolv.conf
-  ansible.builtin.copy:
+  copy:
-    src: roles/server/files/resolv.conf
+    src: resolv.conf
     dest: /etc/resolv.conf
     owner: root
     group: wheel
     mode: '0644'
 
+- name: Install rctl rule set
+  copy:
+    src: rctl.conf
+    dest: /etc/rctl.conf
+    owner: root
+    group: wheel
+    mode: '0644'
+
 - name: Install /etc/hosts file
   copy:
     src: hosts
@@ -127,3 +135,8 @@
     value: "YES"
   notify: start kresd
 
+- name: enable rctl
+  community.general.sysrc:
+    name: rctl_enable
+    value: "YES"
+  notify: start rctl