got it running, added net, pf and jail roles

roles/jails/tasks/main.yaml

@@ -0,0 +1,41 @@
+---
+- name: install bastille
+  pkgng:
+    name: bastille
+
+- name: enable bastille
+  community.general.sysrc:
+    name: bastille_enable
+    value: "YES"
+
+- name: add bastille devfs rule
+  blockinfile:
+    path: /etc/devfs.rules
+    marker: "<!-- {mark} ANSIBLE MANAGED vnet -->"
+    create: yes
+    block: |
+      [bastille_vnet=13]
+      add path 'bpf*' unhide
+
+- name: enable zfs for bastille
+  community.general.sysrc:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    path: /usr/local/etc/bastille/bastille.conf
+  loop:
+    - { name: "bastille_zfs_enable", value: "YES" }
+    - { name: "bastille_zfs_zpool", value: "zroot" }
+
+- name: bootstrap {{ release }} release
+  shell: "bastille bootstrap {{ release }}"
+  args:
+    creates: "/usr/local/bastille/releases/{{ release }}"
+
+- name: configure bootstrap to use latest pkgs
+  replace:
+    path: "/usr/local/bastille/releases/{{ release }}/etc/pkg/FreeBSD.conf"
+    regexp: '^(.*)quarterly(.*)$'
+    replace: '\1latest\2'
+
+# - name: update bootstrap
+#   shell: "bastille update {{ release }}"