scip/bsdnix
1
0
Fork 0
Code Issues Pull Requests Activity

enhanced makefile, added pubnix jail role, fixed knownhosts issue

Browse Source
This commit is contained in:
Thomas von Dein 2024-11-12 14:08:53 +01:00
parent 562fec8549
commit a82f6e61e8
9 changed files with 110 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
Makefile
View File

@ -1,42 +1,29 @@
.PHONY: all deploy depoy-v deploy-vv deploy-vvv deploy-vvv check clean clean-v clean-vv clean-vvv clean-vvvv .PHONY: all deploy check clean create
TOKEN = $(shell ansible-vault decrypt --vault-password-file ~/.config/ansible/hcloud.secret --output - group_vars/all/vars.yaml | cut -d' ' -f2) TOKEN = $(shell ansible-vault decrypt --vault-password-file \
~/.config/ansible/hcloud.secret --output - group_vars/all/vars.yaml | cut -d' ' -f2)
SNAPSHOT = $(shell hcloud image list -t snapshot -o yaml | yq '. | map(select(.description == "FreeBSD-14.1-RELEASE-hcloud-init")) | .[].id') SNAPSHOT = $(shell hcloud image list -t snapshot -o yaml | \
yq '. | map(select(.description == "FreeBSD-14.1-RELEASE-hcloud-init")) | .[].id')
CREATE_COMMAND = ansible-playbook create.yaml -i inventory
DEPLOY_COMMAND = ansible-playbook deploy.yaml -i inventory DEPLOY_COMMAND = ansible-playbook deploy.yaml -i inventory
CLEAN_COMMAND = ansible-playbook cleanup.yaml -i inventory CLEAN_COMMAND = ansible-playbook cleanup.yaml -i inventory
ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" HOSTS_COMMAND = ansible-playbook knownhosts.yaml -i inventory
deploy: ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose)
create:
$(ENV) $(CREATE_COMMAND)
hosts:
$(ENV) $(HOSTS_COMMAND)
deploy: create
$(ENV) $(DEPLOY_COMMAND) $(ENV) $(DEPLOY_COMMAND)
deploy-v:
$(ENV) ANSIBLE_VERBOSITY=1 $(DEPLOY_COMMAND)
deploy-vv:
$(ENV) ANSIBLE_VERBOSITY=2 $(DEPLOY_COMMAND)
deploy-vvv:
$(ENV) ANSIBLE_VERBOSITY=3 $(DEPLOY_COMMAND)
deploy-vvvv:
$(ENV) ANSIBLE_VERBOSITY=4 $(DEPLOY_COMMAND)
clean: clean:
$(ENV) $(CLEAN_COMMAND) $(ENV) $(CLEAN_COMMAND)
clean-v:
$(ENV) ANSIBLE_VERBOSITY=1 $(CLEAN_COMMAND)
clean-vv:
$(ENV) ANSIBLE_VERBOSITY=2 $(CLEAN_COMMAND)
clean-vvv:
$(ENV) ANSIBLE_VERBOSITY=3 $(CLEAN_COMMAND)
clean-vvvv:
$(ENV) ANSIBLE_VERBOSITY=4 $(CLEAN_COMMAND)
check: check:
ansible-playbook -vvv --ask-vault-pass deploy.yaml -i inventory --syntax-check ansible-playbook -vvv --ask-vault-pass deploy.yaml -i inventory --syntax-check

2
ansible.cfg
View File

@ -1,9 +1,11 @@
[defaults] [defaults]
vault_password_file = ~/.config/ansible/hcloud.secret vault_password_file = ~/.config/ansible/hcloud.secret
stdout_callback: yaml stdout_callback: yaml
host_key_checking = False
[ssh_connection] [ssh_connection]
pipelining = True pipelining = True
[inventory] [inventory]
enable_plugins = hcloud, host_list, yaml enable_plugins = hcloud, host_list, yaml

25
create.yaml Normal file
View File

@ -0,0 +1,25 @@
- name: Create BSDNIX Servers
hosts: vps
connection: local
gather_facts: False
user: root
roles:
- role: install
# during testing the ip addresses change all the time, so tune the
# known_hosts file accordingly after setup
- name: Add/cleanup public keys of all vps' to known_hosts file
hosts: localhost
connection: local
gather_facts: false
vars:
ssh_known_hosts_file: "{{ lookup('env','HOME') + '/.ssh/known_hosts' }}"
ssh_known_hosts: "{{ groups['running'] }}"
tasks:
- known_hosts:
path: "{{ ssh_known_hosts_file }}"
name: "{{ item }}"
key: "{{ lookup('pipe','ssh-keyscan -T 10 ' + item + ',' + lookup('dig',item)) }}"
state: present
loop: "{{ ssh_known_hosts | map('extract', hostvars, ['ipv6']) | list }}"
become: no

9
deploy.yaml
View File

@ -8,11 +8,4 @@
- role: network - role: network
- role: firewall - role: firewall
- role: jails - role: jails
- role: pubnix
- name: Create BSDNIX Servers
hosts: vps
connection: local
gather_facts: False
user: root
roles:
- role: install

3
group_vars/all/all.yaml
View File

@ -18,3 +18,6 @@ ssh_keys:
- scip@e3 - scip@e3
- scip@tripod - scip@tripod
- scip@pixel8 - scip@pixel8
jails:
pubnix: 10.1.1.1

1
inventory/vps.yaml
View File

@ -3,3 +3,4 @@ vps:
hosts: hosts:
shell: shell:
hostname: shell.daemon.de hostname: shell.daemon.de

6
roles/pubnix/files/Bastillefile Normal file
View File

@ -0,0 +1,6 @@
PKG bash
SYSRC sshd_enable=YES
CMD mkdir -p /data/home
SERVICE nginx restart
FSTAB /data/home data/home nullfs ro 0 0
RDR tcp 22 22

14
roles/pubnix/files/sshd_config Normal file
View File

@ -0,0 +1,14 @@
LogLevel INFO
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 2
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no

42
roles/pubnix/tasks/main.yaml Normal file
View File

@ -0,0 +1,42 @@
---
- name: create services template dir
file:
path: "/usr/local/bastille/templates/services/{{ role_name }}"
state: directory
recurse: yes
- name: copy template config files
copy:
src: Bastillefile
dest: "/usr/local/bastille/templates/services/{{ role_name }}/"
- name: create config path
file:
path: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"
state: directory
recurse: yes
- name: copy config file
copy:
src: sshd_config
dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"
- name: create data/home dataset
community.general.zfs:
name: zroot/home
state: present
extra_zfs_properties:
mountpoint: /data/home
- name: create jail
shell: "bastille create {{ role_name }} {{ release }} {{ jails[role_name] }}"
args:
creates: /usr/local/bastille/jails/{{ role_name }}
- name: start jail
# https://github.com/BastilleBSD/bastille/issues/342
shell: bastille start {{ role_name }} || true
# FIXME: fails, /etc/resolv.conf in jail is wrong, no working nameserver in there or outgoing dns forbidden
- name: template jail
shell: "bastille template {{ role_name }} services/{{ role_name }}"