got it running, added net, pf and jail roles

Makefile

@@ -1,7 +1,22 @@
-.PHONY: all deploy check
+.PHONY: all deploy depoy-v deploy-vv deploy-vvv deploy-vvv check
+
+TOKEN = $(shell ansible-vault decrypt --vault-password-file ~/.config/ansible/hcloud.secret --output - group_vars/all/vars.yaml | cut -d' ' -f2)
+
 
 deploy:
-	ansible-playbook -vvv --ask-vault-pass server-role.yaml -i inventory
+	HCLOUD_TOKEN="$(TOKEN)" ansible-playbook deploy.yaml -i inventory
+
+deploy-v:
+	HCLOUD_TOKEN="$(TOKEN)" ansible-playbook -v deploy.yaml -i inventory
+
+deploy-vv:
+	HCLOUD_TOKEN="$(TOKEN)" ansible-playbook -vv deploy.yaml -i inventory
+
+deploy-vvv:
+	HCLOUD_TOKEN="$(TOKEN)" ansible-playbook -vvv deploy.yaml -i inventory
+
+deploy-vvvv:
+	HCLOUD_TOKEN="$(TOKEN)" ansible-playbook -vvvv deploy.yaml -i inventory
 
 check:
-	ansible-playbook -vvv --ask-vault-pass server-role.yaml -i inventory --syntax-check
+	ansible-playbook -vvv --ask-vault-pass deploy.yaml -i inventory --syntax-check

TODO.md

@@ -0,0 +1,14 @@
+## Install tarball
+
+```yaml
+- name: "If jdk not exists then only download and unarchive"
+  unarchive:
+    src: "https://download.oracle.com/java/17/latest/jdk-17_linux-aarch64_bin.tar.gz"
+    dest: /opt/
+    remote_src: yes
+    creates: /opt/jdk-17
+  register: foo
+- name: "Rename if download happens "
+  command: mv /opt/jdk-17_linux-arch64 /opt/jdk-17
+  when: foo.changed == True
+```

ansible.cfg

@@ -0,0 +1,9 @@
+[defaults]
+vault_password_file = ~/.config/ansible/hcloud.secret
+stdout_callback: yaml
+
+[ssh_connection]
+pipelining = True
+
+[inventory]
+enable_plugins = hcloud

bak/Makefile

@@ -0,0 +1,7 @@
+.PHONY: all deploy check
+
+deploy:
+	ansible-playbook -vvv --ask-vault-pass server-role.yaml -i inventory
+
+check:
+	ansible-playbook -vvv --ask-vault-pass server-role.yaml -i inventory --syntax-check

bak/group_vars/all.yaml

@@ -1,2 +1,5 @@
 type: cpx11
 image: 191285714
+packages:
+  - cpdup
+  - bash

bak/host_vars/shell.yaml

@@ -0,0 +1,2 @@
+hostname: shell.daemon.de
+ansible_user: root

bak/inventory/all.yaml

@@ -1,4 +1,3 @@
 shellservers:
   hosts:
-    shell:
-    mx:
+    shell.daemon.de:

bak/roles/server/tasks/main.yaml

@@ -0,0 +1,19 @@
+---
+# - name: Create server
+#   hcloud_server:
+#     api_token: "{{ hcloud_token }}"
+#     name: "{{ hostname }}"
+#     server_type: "{{ type }}"
+#     image: "{{ image }}"
+#     location: ash
+#     enable_ipv4: false
+#     state: present
+#   register: server
+
+- command: which python
+  register: result
+
+# - name: Install Packages
+#   community.general.pkgng:
+#     state: present
+#     name: "{{ packages }}"

deploy.yaml

@@ -0,0 +1,10 @@
+---
+- name: Create BSDNIX Servers
+  hosts: all
+  gather_facts: true
+  user: root
+  roles:
+    - role: server
+    - role: network
+    - role: firewall
+    - role: jails

group_vars/all/all.yaml

@@ -0,0 +1,6 @@
+type: cpx11
+image: 191285714
+packages:
+  - cpdup
+  - bash
+release: 14.1-RELEASE

group_vars/all/vars.yaml

@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+34666232626536653339373961383331363035343266633232643930663733386466663933356138
+6366653166656465373634306461643236333162383138380a626430626631626133373330646361
+31303163343637626130393237666333643965646431306134643039363233386235623463633862
+3334363233313532310a323965363364646362343937653534623930376461356633656135646533
+37343162333634373963366433393231626136353832613937343363623565303561663461333431
+30353831376134336663643534383535656638663931626665336638353432626330356561643439
+61303638336365636233353937626461643263383435353561303831363531653935386435316562
+35363833383732656261643765323432363430636564626166653263643632373731323637663165
+6437

host_vars/mx.yaml

@@ -1 +0,0 @@
-hostname: mx

host_vars/shell.yaml

@@ -1 +0,0 @@
-hostname: shell

inventory/hosts.hcloud.yaml

@@ -0,0 +1,6 @@
+plugin: hcloud
+status:
+  - running
+groups:
+  dev:
+connect_with: "public_ipv6"

roles/firewall/handlers/main.yaml

@@ -0,0 +1,15 @@
+---
+- name: start pf
+  service:
+    name: pf
+    state: started
+  async: 45
+  poll: 5
+
+- name: start pflog
+  service:
+    name: pflog
+    state: started
+
+- name: reload pf
+  shell: pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf

roles/firewall/tasks/main.yaml

@@ -0,0 +1,20 @@
+---
+- name: enable pf
+  community.general.sysrc:
+    name: pf_enable
+    value: "YES"
+  notify: start pf
+
+- name: enable pflog
+  community.general.sysrc:
+    name: pflog_enable
+    value: "YES"
+  notify: start pflog
+
+- name: template pf.conf
+  template:
+    src: pf.conf.j2
+    dest: /etc/pf.conf
+  notify: reload pf
+
+- meta: flush_handlers

roles/firewall/templates/pf.conf.j2

@@ -0,0 +1,24 @@
+ext_if="{{ ansible_default_ipv6.interface }}"
+
+### Default block policy is to return a reset packet
+set block-policy return
+### Reassemble fragmented packets
+scrub in on $ext_if all fragment reassemble
+### Ignore loopback interface
+set skip on lo
+
+### Allow empty table to exist
+table <jails> persist
+
+### Block on incoming traffic
+block in all
+
+### Allow outgoing, skip others rules if match, and track connections
+pass out quick keep state
+
+### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface
+### And block incoming traffic from $ext_if IP on $ext_if interface
+antispoof for $ext_if inet6
+
+### Allow SSH
+pass in inet6 proto tcp from any to any port ssh flags S/SA keep state

roles/jails/tasks/main.yaml

@@ -0,0 +1,41 @@
+---
+- name: install bastille
+  pkgng:
+    name: bastille
+
+- name: enable bastille
+  community.general.sysrc:
+    name: bastille_enable
+    value: "YES"
+
+- name: add bastille devfs rule
+  blockinfile:
+    path: /etc/devfs.rules
+    marker: "<!-- {mark} ANSIBLE MANAGED vnet -->"
+    create: yes
+    block: |
+      [bastille_vnet=13]
+      add path 'bpf*' unhide
+
+- name: enable zfs for bastille
+  community.general.sysrc:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    path: /usr/local/etc/bastille/bastille.conf
+  loop:
+    - { name: "bastille_zfs_enable", value: "YES" }
+    - { name: "bastille_zfs_zpool", value: "zroot" }
+
+- name: bootstrap {{ release }} release
+  shell: "bastille bootstrap {{ release }}"
+  args:
+    creates: "/usr/local/bastille/releases/{{ release }}"
+
+- name: configure bootstrap to use latest pkgs
+  replace:
+    path: "/usr/local/bastille/releases/{{ release }}/etc/pkg/FreeBSD.conf"
+    regexp: '^(.*)quarterly(.*)$'
+    replace: '\1latest\2'
+
+# - name: update bootstrap
+#   shell: "bastille update {{ release }}"

roles/network/handlers/main.yaml

@@ -0,0 +1,3 @@
+---
+- name: netif cloneup
+  shell: service netif cloneup

roles/network/tasks/main.yaml

@@ -0,0 +1,14 @@
+---
+- name: Add lo1 interface
+  community.general.sysrc:
+    name: cloned_interfaces
+    state: value_present
+    value: "lo1"
+
+- name: Name lo1 interface bastille0
+  community.general.sysrc:
+    name: ifconfig_lo1_name
+    value: "bastille0"
+  notify: netif cloneup
+
+- meta: flush_handlers

roles/server/tasks/main.yaml

@@ -1,11 +1,9 @@
 ---
-- name: Create server
-  hcloud_server:
-    api_token: "{{ hcloud_token }}"
-    name: "{{ hostname }}"
-    server_type: "{{ type }}"
-    image: "{{ image }}"
-    location: ash
-    enable_ipv4: false
+- name: Install Packages
+  community.general.pkgng:
     state: present
-  register: server
+    name: "{{ packages }}"
+
+- command: which cpdup
+  register: result
+