enhanced makefile, added pubnix jail role, fixed knownhosts issue

2024-11-12 14:08:53 +01:00 · 2024-11-12 14:08:53 +01:00 · a82f6e61e8
commit a82f6e61e8
parent 562fec8549
9 changed files with 110 additions and 37 deletions
--- a/45
+++ b/45
@ -1,42 +1,29 @@
-.PHONY: all deploy depoy-v deploy-vv deploy-vvv deploy-vvv check clean clean-v clean-vv clean-vvv clean-vvvv
+.PHONY: all deploy check clean create

-TOKEN = $(shell ansible-vault decrypt --vault-password-file ~/.config/ansible/hcloud.secret --output - group_vars/all/vars.yaml | cut -d' ' -f2)
+TOKEN = $(shell ansible-vault decrypt --vault-password-file \
+		        ~/.config/ansible/hcloud.secret --output - group_vars/all/vars.yaml | cut -d' ' -f2)

-SNAPSHOT = $(shell hcloud image  list -t snapshot -o yaml | yq '. | map(select(.description == "FreeBSD-14.1-RELEASE-hcloud-init")) | .[].id')
+SNAPSHOT = $(shell hcloud image  list -t snapshot -o yaml | \
+			       yq '. | map(select(.description == "FreeBSD-14.1-RELEASE-hcloud-init")) | .[].id')

+CREATE_COMMAND = ansible-playbook create.yaml -i inventory
 DEPLOY_COMMAND = ansible-playbook deploy.yaml -i inventory
 CLEAN_COMMAND = ansible-playbook cleanup.yaml -i inventory
-ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)"
+HOSTS_COMMAND = ansible-playbook knownhosts.yaml -i inventory

-deploy:
+ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose)
+
+create:
+	$(ENV) $(CREATE_COMMAND)
+
+hosts:
+	$(ENV) $(HOSTS_COMMAND)
+
+deploy: create
 	$(ENV) $(DEPLOY_COMMAND)

-deploy-v:
-	$(ENV) ANSIBLE_VERBOSITY=1 $(DEPLOY_COMMAND)
-
-deploy-vv:
-	$(ENV) ANSIBLE_VERBOSITY=2 $(DEPLOY_COMMAND)
-
-deploy-vvv:
-	$(ENV) ANSIBLE_VERBOSITY=3 $(DEPLOY_COMMAND)
-
-deploy-vvvv:
-	$(ENV) ANSIBLE_VERBOSITY=4 $(DEPLOY_COMMAND)
-
 clean:
 	$(ENV) $(CLEAN_COMMAND)

-clean-v:
-	$(ENV) ANSIBLE_VERBOSITY=1 $(CLEAN_COMMAND)
-
-clean-vv:
-	$(ENV) ANSIBLE_VERBOSITY=2 $(CLEAN_COMMAND)
-
-clean-vvv:
-	$(ENV) ANSIBLE_VERBOSITY=3 $(CLEAN_COMMAND)
-
-clean-vvvv:
-	$(ENV) ANSIBLE_VERBOSITY=4 $(CLEAN_COMMAND)
-
 check:
 	ansible-playbook -vvv --ask-vault-pass deploy.yaml -i inventory --syntax-check
--- a/ansible.cfg
+++ b/ansible.cfg
@ -1,9 +1,11 @@
 [defaults]
 vault_password_file = ~/.config/ansible/hcloud.secret
 stdout_callback: yaml
+host_key_checking = False

 [ssh_connection]
 pipelining = True

 [inventory]
 enable_plugins = hcloud, host_list, yaml
+
--- a/create.yaml
+++ b/create.yaml
@ -0,0 +1,25 @@
+- name: Create BSDNIX Servers
+  hosts: vps
+  connection: local
+  gather_facts: False
+  user: root
+  roles:
+    - role: install
+
+# during testing  the ip addresses  change all  the time, so  tune the
+# known_hosts file accordingly after setup
+- name: Add/cleanup public keys of all vps' to known_hosts file
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  vars:
+    ssh_known_hosts_file: "{{ lookup('env','HOME') + '/.ssh/known_hosts' }}"
+    ssh_known_hosts: "{{ groups['running'] }}"
+  tasks:
+    - known_hosts:
+        path: "{{ ssh_known_hosts_file }}"
+        name: "{{ item }}"
+        key: "{{ lookup('pipe','ssh-keyscan -T 10 ' + item + ',' + lookup('dig',item)) }}"
+        state: present
+      loop: "{{ ssh_known_hosts | map('extract', hostvars, ['ipv6']) | list }}"
+      become: no
--- a/deploy.yaml
+++ b/deploy.yaml
@ -8,11 +8,4 @@
    - role: network
    - role: firewall
    - role: jails
-
- name: Create BSDNIX Servers
-  hosts: vps
-  connection: local
-  gather_facts: False
-  user: root
-  roles:
-    - role: install
+    - role: pubnix
--- a/group_vars/all/all.yaml
+++ b/group_vars/all/all.yaml
@ -18,3 +18,6 @@ ssh_keys:
  - scip@e3
  - scip@tripod
  - scip@pixel8
+
+jails:
+  pubnix: 10.1.1.1
--- a/inventory/vps.yaml
+++ b/inventory/vps.yaml
@ -3,3 +3,4 @@ vps:
  hosts:
    shell:
      hostname: shell.daemon.de
+
--- a/roles/pubnix/files/Bastillefile
+++ b/roles/pubnix/files/Bastillefile
@ -0,0 +1,6 @@
+PKG bash
+SYSRC sshd_enable=YES
+CMD mkdir -p /data/home
+SERVICE nginx restart
+FSTAB /data/home data/home nullfs ro 0 0
+RDR tcp 22 22
--- a/roles/pubnix/files/sshd_config
+++ b/roles/pubnix/files/sshd_config
@ -0,0 +1,14 @@
+LogLevel INFO
+LoginGraceTime 1m
+PermitRootLogin no
+StrictModes yes
+MaxAuthTries 3
+MaxSessions 2
+PubkeyAuthentication yes
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+
--- a/roles/pubnix/tasks/main.yaml
+++ b/roles/pubnix/tasks/main.yaml
@ -0,0 +1,42 @@
+---
+- name: create services template dir
+  file:
+    path: "/usr/local/bastille/templates/services/{{ role_name }}"
+    state: directory
+    recurse: yes
+
+- name: copy template config files
+  copy:
+    src: Bastillefile
+    dest: "/usr/local/bastille/templates/services/{{ role_name }}/"
+
+- name: create config path
+  file:
+    path: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"
+    state: directory
+    recurse: yes
+
+- name: copy config file
+  copy:
+    src: sshd_config
+    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"
+
+- name: create data/home dataset
+  community.general.zfs:
+    name: zroot/home
+    state: present
+    extra_zfs_properties:
+      mountpoint: /data/home
+
+- name: create jail
+  shell: "bastille create {{ role_name }} {{ release }} {{ jails[role_name] }}"
+  args:
+    creates: /usr/local/bastille/jails/{{ role_name }}
+
+- name: start jail
+  # https://github.com/BastilleBSD/bastille/issues/342
+  shell: bastille start {{ role_name }} || true
+
+# FIXME: fails, /etc/resolv.conf in jail is wrong, no working nameserver in there or outgoing dns forbidden
+- name: template jail
+  shell: "bastille template {{ role_name }} services/{{ role_name }}"