From a82f6e61e85c865663a670ad40555687a8247f87 Mon Sep 17 00:00:00 2001
From: Thomas von Dein
Date: Tue, 12 Nov 2024 14:08:53 +0100
Subject: [PATCH] enhanced makefile, added pubnix jail role, fixed knownhosts issue
---
 Makefile | 45 ++++++++++++---------------
 ansible.cfg | 2 ++
 create.yaml | 25 ++++++++++++++++++
 deploy.yaml | 9 +------
 group_vars/all/all.yaml | 3 +++
 inventory/vps.yaml | 1 +
 roles/pubnix/files/Bastillefile | 6 +++++
 roles/pubnix/files/sshd_config | 14 ++++++++++
 roles/pubnix/tasks/main.yaml | 42 ++++++++++++++++++++++++++++++
 9 files changed, 110 insertions(+), 37 deletions(-)
 create mode 100644 create.yaml
 create mode 100644 roles/pubnix/files/Bastillefile
 create mode 100644 roles/pubnix/files/sshd_config
 create mode 100644 roles/pubnix/tasks/main.yaml
diff --git a/Makefile b/Makefile
index 4814f0f..a394978 100644
--- a/Makefile
+++ b/Makefile
@@ -1,42 +1,29 @@
-.PHONY: all deploy depoy-v deploy-vv deploy-vvv deploy-vvv check clean clean-v clean-vv clean-vvv clean-vvvv
+.PHONY: all deploy check clean create
 
-TOKEN = $(shell ansible-vault decrypt --vault-password-file ~/.config/ansible/hcloud.secret --output - group_vars/all/vars.yaml | cut -d' ' -f2)
+TOKEN = $(shell ansible-vault decrypt --vault-password-file \
+ ~/.config/ansible/hcloud.secret --output - group_vars/all/vars.yaml | cut -d' ' -f2)
 
-SNAPSHOT = $(shell hcloud image list -t snapshot -o yaml | yq '. | map(select(.description == "FreeBSD-14.1-RELEASE-hcloud-init")) | .[].id')
+SNAPSHOT = $(shell hcloud image list -t snapshot -o yaml | \
+ yq '. | map(select(.description == "FreeBSD-14.1-RELEASE-hcloud-init")) | .[].id')
 
+CREATE_COMMAND = ansible-playbook create.yaml -i inventory
 DEPLOY_COMMAND = ansible-playbook deploy.yaml -i inventory
 CLEAN_COMMAND = ansible-playbook cleanup.yaml -i inventory
-ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)"
+HOSTS_COMMAND = ansible-playbook knownhosts.yaml -i inventory
 
-deploy:
+ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose)
+
+create:
+ $(ENV) $(CREATE_COMMAND)
+
+hosts:
+ $(ENV) $(HOSTS_COMMAND)
+
+deploy: create
 $(ENV) $(DEPLOY_COMMAND)
 
-deploy-v:
- $(ENV) ANSIBLE_VERBOSITY=1 $(DEPLOY_COMMAND)
-
-deploy-vv:
- $(ENV) ANSIBLE_VERBOSITY=2 $(DEPLOY_COMMAND)
-
-deploy-vvv:
- $(ENV) ANSIBLE_VERBOSITY=3 $(DEPLOY_COMMAND)
-
-deploy-vvvv:
- $(ENV) ANSIBLE_VERBOSITY=4 $(DEPLOY_COMMAND)
-
 clean:
 $(ENV) $(CLEAN_COMMAND)
 
-clean-v:
- $(ENV) ANSIBLE_VERBOSITY=1 $(CLEAN_COMMAND)
-
-clean-vv:
- $(ENV) ANSIBLE_VERBOSITY=2 $(CLEAN_COMMAND)
-
-clean-vvv:
- $(ENV) ANSIBLE_VERBOSITY=3 $(CLEAN_COMMAND)
-
-clean-vvvv:
- $(ENV) ANSIBLE_VERBOSITY=4 $(CLEAN_COMMAND)
-
 check:
 ansible-playbook -vvv --ask-vault-pass deploy.yaml -i inventory --syntax-check
diff --git a/ansible.cfg b/ansible.cfg
index be25feb..aced057 100644
--- a/ansible.cfg
+++ b/ansible.cfg
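Review bot: The new `create`, `hosts`, `deploy` and `clean` recipes are not `@`-prefixed, so make echoes the fully expanded `$(ENV)` before running it and the decrypted `HCLOUD_TOKEN` ends up in terminal scrollback and in any CI log; it is also visible in the process list as part of the `sh -c` argument for the whole playbook run. Prefixing the four recipe lines with `@` (e.g. `@$(ENV) $(CREATE_COMMAND)`) stops the echo; keeping the secret off the command line entirely would mean make-level exports such as `export HCLOUD_TOKEN = $(TOKEN)` instead of the inline `ENV` prefix. Two smaller points in the same hunk: the new `hosts` target is missing from `.PHONY`, and `ANSIBLE_VERBOSITY=$(verbose)` expands to an empty value whenever `verbose` is not given on the command line, so a `verbose ?= 0` default above `ENV` avoids passing ansible an empty setting. Because `TOKEN`, `SNAPSHOT` and `ENV` all use `=`, the vault decrypt and `hcloud image list` calls are re-run for every recipe that expands `$(ENV)`, which `deploy: create` now does twice per invocation.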
@@ -1,9 +1,11 @@
 [defaults]
 vault_password_file = ~/.config/ansible/hcloud.secret
 stdout_callback: yaml
+host_key_checking = False
 
 [ssh_connection]
 pipelining = True
 
 [inventory]
 enable_plugins = hcloud, host_list, yaml
+
diff --git a/create.yaml b/create.yaml
new file mode 100644
index 0000000..3a3facb
--- /dev/null
+++ b/create.yaml
@@ -0,0 +1,25 @@
+- name: Create BSDNIX Servers
+ hosts: vps
+ connection: local
+ gather_facts: False
+ user: root
+ roles:
+ - role: install
+
+# during testing the ip addresses change all the time, so tune the
+# known_hosts file accordingly after setup
+- name: Add/cleanup public keys of all vps' to known_hosts file
+ hosts: localhost
+ connection: local
+ gather_facts: false
+ vars:
+ ssh_known_hosts_file: "{{ lookup('env','HOME') + '/.ssh/known_hosts' }}"
+ ssh_known_hosts: "{{ groups['running'] }}"
+ tasks:
+ - known_hosts:
+ path: "{{ ssh_known_hosts_file }}"
+ name: "{{ item }}"
+ key: "{{ lookup('pipe','ssh-keyscan -T 10 ' + item + ',' + lookup('dig',item)) }}"
+ state: present
+ loop: "{{ ssh_known_hosts | map('extract', hostvars, ['ipv6']) | list }}"
+ become: no
diff --git a/deploy.yaml b/deploy.yaml
index 228b2e4..7ce6464 100644
--- a/deploy.yaml
+++ b/deploy.yaml
@@ -8,11 +8,4 @@
 - role: network
 - role: firewall
 - role: jails
-
-- name: Create BSDNIX Servers
- hosts: vps
- connection: local
- gather_facts: False
- user: root
- roles:
- - role: install
+ - role: pubnix
diff --git a/group_vars/all/all.yaml b/group_vars/all/all.yaml
index 82f6d7c..a14a01c 100644
--- a/group_vars/all/all.yaml
+++ b/group_vars/all/all.yaml
@@ -18,3 +18,6 @@ ssh_keys:
 - scip@e3
 - scip@tripod
 - scip@pixel8
+
+jails:
+ pubnix: 10.1.1.1
diff --git a/inventory/vps.yaml b/inventory/vps.yaml
index f9d25e6..2661a94 100644
--- a/inventory/vps.yaml
+++ b/inventory/vps.yaml
@@ -3,3 +3,4 @@ vps:
 hosts:
 shell:
 hostname: shell.daemon.de
+
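Review bot: `host_key_checking = False` under `[defaults]` switches off SSH host key verification for every play in this repository, so the root-over-SSH deploys no longer notice a substituted host, and the known_hosts maintenance added to create.yaml in the same commit has nothing left to compare against. The setting is global and committed, not scoped to the testing phase the create.yaml comment describes. Dropping this line and relying on the keyscan play, or exporting `ANSIBLE_HOST_KEY_CHECKING=False` only in the environment of an individual test run, keeps verification on for regular deploys.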
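Review bot: The play is named "Add/cleanup" but the `known_hosts` task only uses `state: present`, so entries for addresses a host no longer has are never removed and, with the IPs changing between runs as the comment says, stale keys accumulate in `~/.ssh/known_hosts`; either drop "cleanup" from the name or add a removal pass (I cannot tell from the hunk where the previous addresses would come from — `groups['running']` is presumably populated by the hcloud inventory plugin). The `ssh-keyscan` lookup on the `key:` line is also the moment each new host's key is trusted on first sight, which is reasonable directly after provisioning but deserves a comment so nobody later reuses this play as a verification step, e.g. `# trust-on-first-use: the key is read from the freshly created host itself, not verified against anything`. The two plays use `gather_facts: False` and `gather_facts: false`; picking one spelling is a small style point.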
diff --git a/roles/pubnix/files/Bastillefile b/roles/pubnix/files/Bastillefile
new file mode 100644
index 0000000..013310c
--- /dev/null
+++ b/roles/pubnix/files/Bastillefile
@@ -0,0 +1,6 @@
+PKG bash
+SYSRC sshd_enable=YES
+CMD mkdir -p /data/home
+SERVICE nginx restart
+FSTAB /data/home data/home nullfs ro 0 0
+RDR tcp 22 22
diff --git a/roles/pubnix/files/sshd_config b/roles/pubnix/files/sshd_config
new file mode 100644
index 0000000..886f337
--- /dev/null
+++ b/roles/pubnix/files/sshd_config
@@ -0,0 +1,14 @@
+LogLevel INFO
+LoginGraceTime 1m
+PermitRootLogin no
+StrictModes yes
+MaxAuthTries 3
+MaxSessions 2
+PubkeyAuthentication yes
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+
diff --git a/roles/pubnix/tasks/main.yaml b/roles/pubnix/tasks/main.yaml
new file mode 100644
index 0000000..abb4a3b
--- /dev/null
+++ b/roles/pubnix/tasks/main.yaml
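Review bot: `RDR tcp 22 22` forwards host port 22 into the jail, and if the host's own sshd listens on port 22 on the same external interface — which it has to for the `user: root` SSH connection the playbooks rely on — the redirect captures that traffic and the next deploy can lock itself out of the host. Either give the jail's sshd a different host port (something like `RDR tcp 2222 22`, a constructed example) or move the host sshd off 22 before this template is applied, and record the choice in a comment in the Bastillefile. I cannot see bastille.conf from here, so which interface the rdr lands on is inferred from Bastille's defaults. The `FSTAB` line mounts `/data/home` read-only into the jail; if users are expected to log in to a shell jail and write to their home directories, `ro` will stop that — worth confirming it is intentional.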
@@ -0,0 +1,42 @@
+---
+- name: create services template dir
+ file:
+ path: "/usr/local/bastille/templates/services/{{ role_name }}"
+ state: directory
+ recurse: yes
+
+- name: copy template config files
+ copy:
+ src: Bastillefile
+ dest: "/usr/local/bastille/templates/services/{{ role_name }}/"
+
+- name: create config path
+ file:
+ path: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"
+ state: directory
+ recurse: yes
+
+- name: copy config file
+ copy:
+ src: sshd_config
+ dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"
+
+- name: create data/home dataset
+ community.general.zfs:
+ name: zroot/home
+ state: present
+ extra_zfs_properties:
+ mountpoint: /data/home
+
+- name: create jail
+ shell: "bastille create {{ role_name }} {{ release }} {{ jails[role_name] }}"
+ args:
+ creates: /usr/local/bastille/jails/{{ role_name }}
+
+- name: start jail
+ # https://github.com/BastilleBSD/bastille/issues/342
+ shell: bastille start {{ role_name }} || true
+
+# FIXME: fails, /etc/resolv.conf in jail is wrong, no working nameserver in there or outgoing dns forbidden
+- name: template jail
+ shell: "bastille template {{ role_name }} services/{{ role_name }}"
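Review bot: `shell: bastille start {{ role_name }} || true` in the "start jail" task discards the exit status, so a jail that genuinely failed to start is reported as ok and the following `bastille template` runs against it anyway; `command: bastille start {{ role_name }}` with `register: jail_start` and `failed_when: false` keeps the workaround for the linked issue while preserving rc and output for debugging and lets a later task act on `jail_start.rc`. `recurse: yes` on the two `state: directory` tasks is not needed to create missing parents (`state: directory` already does that) and makes ansible walk the whole template tree on every run. The two `copy` tasks set no `mode`, so the files land with whatever the remote umask yields; an explicit `mode: "0644"` pins it. `release` and `jails` are consumed here but defined elsewhere, so a `defaults/main.yaml` or a header comment naming their source would make the role readable on its own.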