diff --git a/Makefile b/Makefile
index d0aeb9b..f71bbbc 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,22 @@
-.PHONY: all deploy check
+.PHONY: all deploy depoy-v deploy-vv deploy-vvv deploy-vvv check
+
+TOKEN = $(shell ansible-vault decrypt --vault-password-file ~/.config/ansible/hcloud.secret --output - group_vars/all/vars.yaml | cut -d' ' -f2)
+
 
 deploy:
- ansible-playbook -vvv --ask-vault-pass server-role.yaml -i inventory
+ HCLOUD_TOKEN="$(TOKEN)" ansible-playbook deploy.yaml -i inventory
+
+deploy-v:
+ HCLOUD_TOKEN="$(TOKEN)" ansible-playbook -v deploy.yaml -i inventory
+
+deploy-vv:
+ HCLOUD_TOKEN="$(TOKEN)" ansible-playbook -vv deploy.yaml -i inventory
+
+deploy-vvv:
+ HCLOUD_TOKEN="$(TOKEN)" ansible-playbook -vvv deploy.yaml -i inventory
+
+deploy-vvvv:
+ HCLOUD_TOKEN="$(TOKEN)" ansible-playbook -vvvv deploy.yaml -i inventory
 
 check:
- ansible-playbook -vvv --ask-vault-pass server-role.yaml -i inventory --syntax-check
+ ansible-playbook -vvv --ask-vault-pass deploy.yaml -i inventory --syntax-check
diff --git a/TODO.md b/TODO.md
new file mode 100644
index 0000000..fa483b3
--- /dev/null
+++ b/TODO.md
@@ -0,0 +1,14 @@
+## Install tarball
+
+```yaml
+- name: "If jdk not exists then only download and unarchive"
+ unarchive:
+ src: "https://download.oracle.com/java/17/latest/jdk-17_linux-aarch64_bin.tar.gz"
+ dest: /opt/
+ remote_src: yes
+ creates: /opt/jdk-17
+ register: foo
+- name: "Rename if download happens "
+ command: mv /opt/jdk-17_linux-arch64 /opt/jdk-17
+ when: foo.changed == True
+```
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..17f2f18
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,9 @@
+[defaults]
+vault_password_file = ~/.config/ansible/hcloud.secret
+stdout_callback: yaml
+
+[ssh_connection]
+pipelining = True
+
+[inventory]
+enable_plugins = hcloud
diff --git a/bak/Makefile b/bak/Makefile
new file mode 100644
index 0000000..d0aeb9b
--- /dev/null
+++ b/bak/Makefile
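Review bot: The new `.PHONY` line misspells `depoy-v` and lists `deploy-vvv` twice, so `deploy-v` and `deploy-vvvv` are never declared phony and a stray file with either name would make them "up to date"; it should read `.PHONY: all deploy deploy-v deploy-vv deploy-vvv deploy-vvvv check`. The new recipe lines are not `@`-prefixed, so make echoes each `HCLOUD_TOKEN="…"` command with the decrypted token into the terminal and any captured build log (the token is also part of the `sh -c` argument string while the playbook runs). If the `$(shell ansible-vault decrypt …)` pipeline fails, `TOKEN` silently expands to empty and the playbook is still started with an empty `HCLOUD_TOKEN`, so the value should be checked before use. The five deploy targets differ only in the `-v` flag; a static pattern rule keeps the `.PHONY` list and the recipes from drifting apart, as sketched below.
```make
VERBOSE_DEPLOYS := deploy-v deploy-vv deploy-vvv deploy-vvvv
.PHONY: all deploy $(VERBOSE_DEPLOYS) check

# … unchanged: TOKEN definition …

# Recursive (=) so the vault is only decrypted when a deploy target runs;
# $(or …) aborts instead of starting the playbook with an empty token.
RUN_PLAYBOOK = HCLOUD_TOKEN="$(or $(strip $(TOKEN)),$(error vault decrypt returned no token))" ansible-playbook

deploy:
	@$(RUN_PLAYBOOK) deploy.yaml -i inventory

$(VERBOSE_DEPLOYS): deploy-%:
	@$(RUN_PLAYBOOK) -$* deploy.yaml -i inventory

# … unchanged: check target …
```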
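Review bot: `stdout_callback: yaml` uses `:` as the key/value separator while every other key in the new ansible.cfg uses `=`; the INI parser accepts both, but `stdout_callback = yaml` keeps the file consistent. With `vault_password_file` configured here, the Makefile's `check` target still passes `--ask-vault-pass`, which will presumably keep prompting interactively; dropping that flag there would let the syntax check run unattended as well.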
@@ -0,0 +1,7 @@
+.PHONY: all deploy check
+
+deploy:
+ ansible-playbook -vvv --ask-vault-pass server-role.yaml -i inventory
+
+check:
+ ansible-playbook -vvv --ask-vault-pass server-role.yaml -i inventory --syntax-check
diff --git a/group_vars/all b/bak/group_vars/all.yaml
similarity index 50%
rename from group_vars/all
rename to bak/group_vars/all.yaml
index e8484d9..4e83659 100644
--- a/group_vars/all
+++ b/bak/group_vars/all.yaml
@@ -1,2 +1,5 @@
 type: cpx11
 image: 191285714
+packages:
+ - cpdup
+ - bash
diff --git a/bak/host_vars/shell.yaml b/bak/host_vars/shell.yaml
new file mode 100644
index 0000000..36b1056
--- /dev/null
+++ b/bak/host_vars/shell.yaml
@@ -0,0 +1,2 @@
+hostname: shell.daemon.de
+ansible_user: root
diff --git a/inventory/all.yaml b/bak/inventory/all.yaml
similarity index 52%
rename from inventory/all.yaml
rename to bak/inventory/all.yaml
index a4f4781..fe780d0 100644
--- a/inventory/all.yaml
+++ b/bak/inventory/all.yaml
@@ -1,4 +1,3 @@
 shellservers:
 hosts:
- shell:
- mx:
+ shell.daemon.de:
diff --git a/bak/roles/server/tasks/main.yaml b/bak/roles/server/tasks/main.yaml
new file mode 100644
index 0000000..28a2547
--- /dev/null
+++ b/bak/roles/server/tasks/main.yaml
@@ -0,0 +1,19 @@
+---
+# - name: Create server
+# hcloud_server:
+# api_token: "{{ hcloud_token }}"
+# name: "{{ hostname }}"
+# server_type: "{{ type }}"
+# image: "{{ image }}"
+# location: ash
+# enable_ipv4: false
+# state: present
+# register: server
+
+- command: which python
+ register: result
+
+# - name: Install Packages
+# community.general.pkgng:
+# state: present
+# name: "{{ packages }}"
diff --git a/server-role.yaml b/bak/server-role.yaml
similarity index 100%
rename from server-role.yaml
rename to bak/server-role.yaml
diff --git a/deploy.yaml b/deploy.yaml
new file mode 100644
index 0000000..4ae5fee
--- /dev/null
+++ b/deploy.yaml
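Review bot: The `bak/` tree (this `bak/Makefile`, plus `bak/group_vars/all.yaml`, `bak/host_vars/shell.yaml`, `bak/inventory/all.yaml`, `bak/roles/server/tasks/main.yaml` and `bak/server-role.yaml`) commits a snapshot of files the same commit replaces or renames, which git history already preserves. `bak/roles/server/tasks/main.yaml` in particular is mostly commented-out tasks plus a `command: which python` whose registered `result` is never read, so it documents nothing the live roles do not. If the copy is intended as a reference, a short `bak/README.md` stating what it is and that `deploy.yaml` does not load it would help; otherwise dropping the directory avoids two diverging sets of inventory and group_vars.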
@@ -0,0 +1,10 @@
+---
+- name: Create BSDNIX Servers
+ hosts: all
+ gather_facts: true
+ user: root
+ roles:
+ - role: server
+ - role: network
+ - role: firewall
+ - role: jails
diff --git a/group_vars/all/all.yaml b/group_vars/all/all.yaml
new file mode 100644
index 0000000..7fb632b
--- /dev/null
+++ b/group_vars/all/all.yaml
@@ -0,0 +1,6 @@
+type: cpx11
+image: 191285714
+packages:
+ - cpdup
+ - bash
+release: 14.1-RELEASE
diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml
new file mode 100644
index 0000000..6331d18
--- /dev/null
+++ b/group_vars/all/vars.yaml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+34666232626536653339373961383331363035343266633232643930663733386466663933356138
+6366653166656465373634306461643236333162383138380a626430626631626133373330646361
+31303163343637626130393237666333643965646431306134643039363233386235623463633862
+3334363233313532310a323965363364646362343937653534623930376461356633656135646533
+37343162333634373963366433393231626136353832613937343363623565303561663461333431
+30353831376134336663643534383535656638663931626665336638353432626330356561643439
+61303638336365636233353937626461643263383435353561303831363531653935386435316562
+35363833383732656261643765323432363430636564626166653263643632373731323637663165
+6437
diff --git a/host_vars/mx.yaml b/host_vars/mx.yaml
deleted file mode 100644
index 986fae8..0000000
--- a/host_vars/mx.yaml
+++ /dev/null
@@ -1 +0,0 @@
-hostname: mx
diff --git a/host_vars/shell.yaml b/host_vars/shell.yaml
deleted file mode 100644
index 40b7b6f..0000000
--- a/host_vars/shell.yaml
+++ /dev/null
@@ -1 +0,0 @@
-hostname: shell
diff --git a/inventory/hosts.hcloud.yaml b/inventory/hosts.hcloud.yaml
new file mode 100644
index 0000000..e701bbe
--- /dev/null
+++ b/inventory/hosts.hcloud.yaml
@@ -0,0 +1,6 @@
+plugin: hcloud
+status:
+ - running
+groups:
+ dev:
+connect_with: "public_ipv6"
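Review bot: `user: root` is the legacy spelling of the play keyword; `remote_user: root` is the documented name and matches the `ansible_user` that `bak/host_vars/shell.yaml` sets. The play is still named "Create BSDNIX Servers" although this same commit removes the `hcloud_server` task from `roles/server`, so the play now only configures hosts the hcloud inventory already lists as running; a name such as `Configure BSDNIX servers` avoids misleading the next reader. `gather_facts: true` is the default and can be dropped, though it is harmless.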
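Review bot: `groups:` holds `dev:` with no value, but each `groups` entry in the hcloud inventory plugin is a Jinja2 condition that decides membership, so an empty value will presumably either error or never add a host; if every running server should land in `dev`, write `dev: true`. `plugin: hcloud` relies on the short name resolving through `enable_plugins = hcloud` in `ansible.cfg`; spelling out `plugin: hetzner.hcloud.hcloud` removes that dependency. The plugin can take the API token from the `HCLOUD_TOKEN` environment variable, which is why the Makefile exports it, and that coupling deserves a one-line comment at the top of this file.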
diff --git a/roles/firewall/handlers/main.yaml b/roles/firewall/handlers/main.yaml
new file mode 100644
index 0000000..83883cc
--- /dev/null
+++ b/roles/firewall/handlers/main.yaml
@@ -0,0 +1,15 @@
+---
+- name: start pf
+ service:
+ name: pf
+ state: started
+ async: 45
+ poll: 5
+
+- name: start pflog
+ service:
+ name: pflog
+ state: started
+
+- name: reload pf
+ shell: pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
diff --git a/roles/firewall/tasks/main.yaml b/roles/firewall/tasks/main.yaml
new file mode 100644
index 0000000..4ca814e
--- /dev/null
+++ b/roles/firewall/tasks/main.yaml
@@ -0,0 +1,20 @@
+---
+- name: enable pf
+ community.general.sysrc:
+ name: pf_enable
+ value: "YES"
+ notify: start pf
+
+- name: enable pflog
+ community.general.sysrc:
+ name: pflog_enable
+ value: "YES"
+ notify: start pflog
+
+- name: template pf.conf
+ template:
+ src: pf.conf.j2
+ dest: /etc/pf.conf
+ notify: reload pf
+
+- meta: flush_handlers
diff --git a/roles/firewall/templates/pf.conf.j2 b/roles/firewall/templates/pf.conf.j2
new file mode 100644
index 0000000..749e56d
--- /dev/null
+++ b/roles/firewall/templates/pf.conf.j2
@@ -0,0 +1,24 @@
+ext_if="{{ ansible_default_ipv6.interface }}"
+
+### Default block policy is to return a reset packet
+set block-policy return
+### Reassemble fragmented packets
+scrub in on $ext_if all fragment reassemble
+### Ignore loopback interface
+set skip on lo
+
+### Allow empty table to exist
+table persist
+
+### Block on incoming traffic
+block in all
+
+### Allow outgoing, skip others rules if match, and track connections
+pass out quick keep state
+
+### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface
+### And block incoming traffic from $ext_if IP on $ext_if interface
+antispoof for $ext_if inet6
+
+### Allow SSH
+pass in inet6 proto tcp from any to any port ssh flags S/SA keep state
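Review bot: The `template pf.conf` task writes `/etc/pf.conf` first and only the `reload pf` handler runs `pfctl -nf`, so a template that fails the syntax check is still left on disk and, with `pf_enable=YES`, will be picked up by the pf rc script on the next boot; adding `validate: pfctl -nf %s` to the template task rejects the rendered file before it replaces the live one. Starting pf with a ruleset whose only inbound rule is `keep state` on new SSH connections may drop the session Ansible is using, which is presumably why the `start pf` handler uses `async`/`poll`; a comment on that handler saying so would save the next reader the investigation.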
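Review bot: `table persist` has nothing between `table` and `persist`, but pf expects the table name, in angle brackets, at that position; either the name was lost when the patch was rendered or the line is a syntax error that `pfctl -nf` will reject, so it is worth checking in the repository. The comment above it says "Allow empty table to exist" while no rule in the file references a table; if it is a placeholder for later jail or NAT rules, the comment should name which. `pass in inet6 proto tcp … port ssh` is the only inbound rule, consistent with the IPv6-only `connect_with: "public_ipv6"` inventory setting, and a one-line comment stating that IPv4 and all other inbound traffic is deliberately blocked would make that intent explicit.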
diff --git a/roles/jails/tasks/main.yaml b/roles/jails/tasks/main.yaml
new file mode 100644
index 0000000..d8c28cd
--- /dev/null
+++ b/roles/jails/tasks/main.yaml
@@ -0,0 +1,41 @@
+---
+- name: install bastille
+ pkgng:
+ name: bastille
+
+- name: enable bastille
+ community.general.sysrc:
+ name: bastille_enable
+ value: "YES"
+
+- name: add bastille devfs rule
+ blockinfile:
+ path: /etc/devfs.rules
+ marker: ""
+ create: yes
+ block: |
+ [bastille_vnet=13]
+ add path 'bpf*' unhide
+
+- name: enable zfs for bastille
+ community.general.sysrc:
+ name: "{{ item.name }}"
+ value: "{{ item.value }}"
+ path: /usr/local/etc/bastille/bastille.conf
+ loop:
+ - { name: "bastille_zfs_enable", value: "YES" }
+ - { name: "bastille_zfs_zpool", value: "zroot" }
+
+- name: bootstrap {{ release }} release
+ shell: "bastille bootstrap {{ release }}"
+ args:
+ creates: "/usr/local/bastille/releases/{{ release }}"
+
+- name: configure bootstrap to use latest pkgs
+ replace:
+ path: "/usr/local/bastille/releases/{{ release }}/etc/pkg/FreeBSD.conf"
+ regexp: '^(.*)quarterly(.*)$'
+ replace: '\1latest\2'
+
+# - name: update bootstrap
+# shell: "bastille update {{ release }}"
diff --git a/roles/network/handlers/main.yaml b/roles/network/handlers/main.yaml
new file mode 100644
index 0000000..d5286b8
--- /dev/null
+++ b/roles/network/handlers/main.yaml
@@ -0,0 +1,3 @@
+---
+- name: netif cloneup
+ shell: service netif cloneup
diff --git a/roles/network/tasks/main.yaml b/roles/network/tasks/main.yaml
new file mode 100644
index 0000000..d483141
--- /dev/null
+++ b/roles/network/tasks/main.yaml
@@ -0,0 +1,14 @@
+---
+- name: Add lo1 interface
+ community.general.sysrc:
+ name: cloned_interfaces
+ state: value_present
+ value: "lo1"
+
+- name: Name lo1 interface bastille0
+ community.general.sysrc:
+ name: ifconfig_lo1_name
+ value: "bastille0"
+ notify: netif cloneup
+
+- meta: flush_handlers
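Review bot: `marker: ""` in the `add bastille devfs rule` task gives `blockinfile` empty begin/end markers, so on a second run it cannot find the block it wrote and will presumably append the `[bastille_vnet=13]` ruleset again or latch onto the first blank line, making the task non-idempotent; `/etc/devfs.rules` accepts `#` comment lines, so `marker: "# {mark} ANSIBLE MANAGED BLOCK bastille"` keeps the file stable across runs. `pkgng:` is used bare in `install bastille` while `roles/server` in this same commit uses `community.general.pkgng`; the FQCN should be used in both places. The commented-out `update bootstrap` task at the end is dead code and should either become a real task or be removed.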
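Review bot: Only `Name lo1 interface bastille0` notifies `netif cloneup`, so on a host where `ifconfig_lo1_name` already matches but `cloned_interfaces` was missing, `Add lo1 interface` changes rc.conf and nothing clones the interface until reboot; adding `notify: netif cloneup` to the first task as well covers that case. The handler in `roles/network/handlers/main.yaml` uses `shell: service netif cloneup` although the command needs no shell features; `command: service netif cloneup` avoids the extra shell and matches the usual lint advice.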
diff --git a/roles/server/tasks/main.yaml b/roles/server/tasks/main.yaml
index 7b7cf04..f1e8389 100644
--- a/roles/server/tasks/main.yaml
+++ b/roles/server/tasks/main.yaml
@@ -1,11 +1,9 @@
 ---
-- name: Create server
- hcloud_server:
- api_token: "{{ hcloud_token }}"
- name: "{{ hostname }}"
- server_type: "{{ type }}"
- image: "{{ image }}"
- location: ash
- enable_ipv4: false
+- name: Install Packages
+ community.general.pkgng:
 state: present
- register: server
+ name: "{{ packages }}"
+
+- command: which cpdup
+ register: result
+
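Review bot: The unnamed `command: which cpdup` task registers `result` but nothing in the hunk reads it, and `command` always reports changed, so every run shows a spurious change; if it is meant to assert that `cpdup` from `{{ packages }}` ended up on PATH, give it a name and `changed_when: false`, e.g. `- name: verify cpdup is installed` / `command: which cpdup` / `changed_when: false`, otherwise drop it. Note that `which` exits non-zero when the binary is missing, so the task already fails the play in that case, which may or may not be intended. The hunk also adds a trailing blank line at end of file.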