added:

- set file permissions
- setup sysctls
- set root password from vault var
- added doas + config

Makefile

@@ -1,11 +1,11 @@
-.PHONY: all deploy check clean create debug
+.PHONY: all deploy check clean create debug editvars
 
 
-TOKEN = $(shell ansible-vault decrypt --vault-password-file \
+VARS = group_vars/all/vars.yaml
-		        ~/.config/ansible/hcloud.secret --output - \
+VALL = group_vars/all/all.yaml
-				group_vars/all/vars.yaml | cut -d' ' -f2)
+TOKEN = $(shell ansible-vault decrypt --output - $(VARS) | grep hetzner_cloud_token | cut -d' ' -f2)
 
-SNAPNAME = $(shell cat group_vars/all/all.yaml | yq .snapshot)
+SNAPNAME = $(shell cat $(VALL) | yq .snapshot)
 
 SNAPSHOT = $(shell hcloud image  list -t snapshot -o yaml | \
 			       yq '. | map(select(.description == "$(SNAPNAME)")) | .[].id')
@@ -41,3 +41,8 @@ clean:
 
 check:
 	ansible-playbook -vvv --ask-vault-pass deploy.yaml -i inventory --syntax-check
+
+editvars:
+	ansible-vault decrypt $(VARS)
+	vi $(VARS)
+	ansible-vault encrypt $(VARS)

README.md

@@ -35,8 +35,7 @@ dynamic inventory to discover your vps.
   `pwgen -ys 32 1 > ~/.config/ansible/hcloud.secret`
   
 - Encrypt the vars file:
-  `ansible-vault encrypt --vault-password-file
+  `ansible-vault encrypt group_vars/all/vars.yaml`
-  ~/.config/ansible/hcloud.secret group_vars/all/vars.yaml`
   
 Now the hetzner ansible plugin is able to call hcloud with the
 appropriate token, no need to enter it manually anymore. Also, while

TODO.md

@@ -22,3 +22,13 @@
 https://github.com/bodsch/ansible-collection-dns/blob/main/roles/knot/README.md
 
 or using e3 using wrapper script around `jaildk exec dns knotc ...`
+
+### Cleanup release snapshot
+
+- remove /home symlink
+- remove pkg function from root .bashrc
+
+
+## Add users with authorized_keys files
+
+## Add quota config and enable/configure rctl

group_vars/all/all.yaml

@@ -7,6 +7,7 @@ image: "{{ lookup('ansible.builtin.env', 'SNAPSHOT') }}"
 packages:
   - cpdup
   - bash
+  - doas
 
 # used by bastille to build a base
 release: 14.1-RELEASE
@@ -36,3 +37,51 @@ storage:
       name: /home
     - mount: /var/cron/tabs
       name: /crontabs
+
+
+kernel:
+  sysctls:
+    security.bsd.see_other_uids: 0
+    security.bsd.see_other_gids: 0
+    security.bsd.see_jail_proc: 0
+    security.bsd.unprivileged_read_msgbuf: 0
+    security.bsd.unprivileged_proc_debug: 0
+    kern.randompid: 1
+    net.inet.ip.random_id: 1
+    hw.spec_store_bypass_disable: 1
+    kern.elf64.allow_wx: 0
+    kern.elf32.aslr.stack: 3
+    kern.elf32.aslr.pie_enable: 1
+    vfs.zfs.min_auto_ashift: 12
+    kern.securelevel: 2
+
+
+permissions:
+  - name: /home
+    owner: root
+    group: wheel
+    mode: '0711'
+  - name: /etc
+    owner: root
+    group: wheel
+    mode: '0711'
+  - name: /usr/local/etc
+    owner: root
+    group: wheel
+    mode: '0711'
+  - name: /root
+    owner: root
+    group: wheel
+    mode: '0700'
+  - name: /var/log
+    owner: root
+    group: wheel
+    mode: '0711'
+  - name: /var/cron/tabs
+    owner: root
+    group: wheel
+    mode: '0700'
+  - name: /var/log
+    owner: root
+    group: wheel
+    mode: '0711'

group_vars/all/vars.yaml

@@ -1,10 +1,12 @@
 $ANSIBLE_VAULT;1.1;AES256
-34666232626536653339373961383331363035343266633232643930663733386466663933356138
+66323661356665373037316136353833646231623531323031306336613065326431643138336430
-6366653166656465373634306461643236333162383138380a626430626631626133373330646361
+3438323839633335333963306638323137333664366466310a623862636139366336393835353238
-31303163343637626130393237666333643965646431306134643039363233386235623463633862
+38613934383631633134386564616233326234333637636162626632633762656366303036313539
-3334363233313532310a323965363364646362343937653534623930376461356633656135646533
+3365646662386263650a333636366132363662376362383737383233646531616632376234303062
-37343162333634373963366433393231626136353832613937343363623565303561663461333431
+32366464613630396463326236643361386637616664663066326337663037663639613433316462
-30353831376134336663643534383535656638663931626665336638353432626330356561643439
+33636665653930346265323237363238626463666163616439393332313639343863343764323639
-61303638336365636233353937626461643263383435353561303831363531653935386435316562
+34353834393236643530346238323164656339653365393563383938316461393730333536343365
-35363833383732656261643765323432363430636564626166653263643632373731323637663165
+63303865626534653237383634633937613039663761313038303461303837643066306161383661
-6437
+65326237366536306632633539656335373536336231303330386332646363333131393664656365
+36366539616230623338396434376565346435636331353963366438376437343233373735393730
+346162343166373762626664363866663536

roles/server/files/doas.conf

@@ -0,0 +1 @@
+permit persist :wheel as root

roles/server/tasks/main.yaml

@@ -44,3 +44,33 @@
   args:
     creates: "{{ item.mount }}"
 
+- name: Change permissions
+  loop: "{{ permissions }}"
+  ansible.builtin.file:
+    path: "{{ item.name }}"
+    owner: "{{ item.owner }}" 
+    group: "{{ item.group }}"
+    mode: "{{ item.mode }}"
+    
+- name: Change root password
+  user:
+    name: root
+    password: "{{ root_password | password_hash('sha512') }}"
+
+- name: Setup sysctls
+  loop: "{{ kernel.sysctls | dict2items }}"
+  ansible.posix.sysctl:
+    name: "{{ item.key }}"
+    value: "{{ item.value }}"
+    sysctl_set: true
+    state: present
+    reload: true
+
+- name: Install doas config
+  ansible.builtin.copy:
+    src: roles/server/files/doas.conf
+    dest: /usr/local/etc/doas.conf
+    owner: root
+    group: wheel
+    mode: '0600'
+