got it running, added net, pf and jail roles

2024-11-08 20:08:56 +01:00
parent a5ab199dc8
commit 9c4b80cb5b
22 changed files with 229 additions and 16 deletions
--- a/roles/firewall/handlers/main.yaml
+++ b/roles/firewall/handlers/main.yaml
@@ -0,0 +1,15 @@
+---
+- name: start pf
+  service:
+    name: pf
+    state: started
+  async: 45
+  poll: 5
+
+- name: start pflog
+  service:
+    name: pflog
+    state: started
+
+- name: reload pf
+  shell: pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
--- a/roles/firewall/tasks/main.yaml
+++ b/roles/firewall/tasks/main.yaml
@@ -0,0 +1,20 @@
+---
+- name: enable pf
+  community.general.sysrc:
+    name: pf_enable
+    value: "YES"
+  notify: start pf
+
+- name: enable pflog
+  community.general.sysrc:
+    name: pflog_enable
+    value: "YES"
+  notify: start pflog
+
+- name: template pf.conf
+  template:
+    src: pf.conf.j2
+    dest: /etc/pf.conf
+  notify: reload pf
+
+- meta: flush_handlers
--- a/roles/firewall/templates/pf.conf.j2
+++ b/roles/firewall/templates/pf.conf.j2
@@ -0,0 +1,24 @@
+ext_if="{{ ansible_default_ipv6.interface }}"
+
+### Default block policy is to return a reset packet
+set block-policy return
+### Reassemble fragmented packets
+scrub in on $ext_if all fragment reassemble
+### Ignore loopback interface
+set skip on lo
+
+### Allow empty table to exist
+table <jails> persist
+
+### Block on incoming traffic
+block in all
+
+### Allow outgoing, skip others rules if match, and track connections
+pass out quick keep state
+
+### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface
+### And block incoming traffic from $ext_if IP on $ext_if interface
+antispoof for $ext_if inet6
+
+### Allow SSH
+pass in inet6 proto tcp from any to any port ssh flags S/SA keep state
--- a/roles/jails/tasks/main.yaml
+++ b/roles/jails/tasks/main.yaml
@@ -0,0 +1,41 @@
+---
+- name: install bastille
+  pkgng:
+    name: bastille
+
+- name: enable bastille
+  community.general.sysrc:
+    name: bastille_enable
+    value: "YES"
+
+- name: add bastille devfs rule
+  blockinfile:
+    path: /etc/devfs.rules
+    marker: "<!-- {mark} ANSIBLE MANAGED vnet -->"
+    create: yes
+    block: |
+      [bastille_vnet=13]
+      add path 'bpf*' unhide
+
+- name: enable zfs for bastille
+  community.general.sysrc:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    path: /usr/local/etc/bastille/bastille.conf
+  loop:
+    - { name: "bastille_zfs_enable", value: "YES" }
+    - { name: "bastille_zfs_zpool", value: "zroot" }
+
+- name: bootstrap {{ release }} release
+  shell: "bastille bootstrap {{ release }}"
+  args:
+    creates: "/usr/local/bastille/releases/{{ release }}"
+
+- name: configure bootstrap to use latest pkgs
+  replace:
+    path: "/usr/local/bastille/releases/{{ release }}/etc/pkg/FreeBSD.conf"
+    regexp: '^(.*)quarterly(.*)$'
+    replace: '\1latest\2'
+
+# - name: update bootstrap
+#   shell: "bastille update {{ release }}"
--- a/roles/network/handlers/main.yaml
+++ b/roles/network/handlers/main.yaml
@@ -0,0 +1,3 @@
+---
+- name: netif cloneup
+  shell: service netif cloneup
--- a/roles/network/tasks/main.yaml
+++ b/roles/network/tasks/main.yaml
@@ -0,0 +1,14 @@
+---
+- name: Add lo1 interface
+  community.general.sysrc:
+    name: cloned_interfaces
+    state: value_present
+    value: "lo1"
+
+- name: Name lo1 interface bastille0
+  community.general.sysrc:
+    name: ifconfig_lo1_name
+    value: "bastille0"
+  notify: netif cloneup
+
+- meta: flush_handlers
--- a/roles/server/tasks/main.yaml
+++ b/roles/server/tasks/main.yaml
@@ -1,11 +1,9 @@
 ---
- name: Create server
-  hcloud_server:
-    api_token: "{{ hcloud_token }}"
-    name: "{{ hostname }}"
-    server_type: "{{ type }}"
-    image: "{{ image }}"
-    location: ash
-    enable_ipv4: false
+- name: Install Packages
+  community.general.pkgng:
    state: present
-  register: server
+    name: "{{ packages }}"
+
+- command: which cpdup
+  register: result
+