added dns using hetzner dns, renamed pubnix => pub

2024-12-10 17:47:38 +01:00
parent b429091ec7
commit a92cda6b40
23 changed files with 48 additions and 33 deletions

66
roles/pub/bin/group.sh Executable file

@@ -0,0 +1,66 @@
#!/bin/sh
rootdir=""
group=""
action=""
usage() {
echo "Usage: $0 -g group -a action"
echo "Valid actions: present, absent"
exit 1
}
run() {
echo $*
$*
}
OPTIND=1
while getopts d:g:a: opt ; do
case $opt in
d)
rootdir="$OPTARG"
;;
g)
group="$OPTARG"
;;
a)
action="$OPTARG"
;;
*)
usage
;;
esac
done
shift $(($OPTIND - 1))
if test -z "$group" -o -z "$action"; then
usage
fi
root=""
if test -n "$rootdir"; then
root="-R $rootdir"
fi
case "$action" in
present)
if pw $root group show "$group" > /dev/null 2>&1; then
if pw $root group show "$group" | grep -q LOCKED; then
echo "$group exists."
fi
else
run pw $root group add "$group"
fi
;;
absent)
if pw $root group show "$group" > /dev/null 2>&1; then
run pw $root group del "$group"
fi
;;
*)
usage
;;
esac
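Review bot: `run()` expands `$*` unquoted both for the echo and for the execution, so a group name containing whitespace or glob characters is re-split before it reaches `pw`; user.sh in the same commit already does this correctly with `"$@"`, and group.sh should match: `echo "$@"` then `"$@"`. The inner `grep -q LOCKED` test in the `present` branch looks carried over from user.sh — as far as I can tell `pw group show` output carries no lock state, so an existing group prints nothing and the branch could simply be `echo "$group exists."`. `test -z "$group" -o -z "$action"` uses the obsolescent `-o`; `test -z "$group" || test -z "$action"` is the portable form under `#!/bin/sh`.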

141
roles/pub/bin/user.sh Executable file

@@ -0,0 +1,141 @@
#!/bin/sh
# manage FreeBSD jail users
# vars defaults
rootdir=""
user=""
groups=""
home=""
shell="/usr/local/bin/bash"
comment=""
action=""
usage() {
echo "Usage: $0 -u user [-h home] [-s shell] [-g groups] [-d rootdir] [-c comment] -a action"
echo "Valid actions: present, absent, locked"
exit 1
}
getuid() {
# resolve jail uid
root="$1"
user="$2"
pw $root show user "$user" -7 | cut -d: -f 3
}
run() {
# verbose exec
echo "$@"
"$@"
}
# parse commandline flags
OPTIND=1
while getopts d:u:h:g:s:c:a: opt ; do
case $opt in
d)
rootdir="$OPTARG"
;;
u)
user="$OPTARG"
;;
h)
home="$OPTARG"
;;
g)
groups="$OPTARG"
;;
s)
shell="$OPTARG"
;;
c)
comment="$OPTARG"
;;
a)
action="$OPTARG"
;;
*)
usage
;;
esac
done
shift $(($OPTIND - 1))
if test -z "$user" -o -z "$action"; then
usage
fi
# setup pw flags
args=""
root=""
if test -n "$rootdir"; then
root="-R $rootdir"
fi
if test -n "$groups"; then
args="-G $groups"
fi
if test -n "$home"; then
args="$args -d $home -k /etc/skel -m -M 700"
else
args="$args -d /home/$user -k /etc/skel -m -M 700"
fi
if test -n "$shell"; then
args="$args -s $shell"
else
args="$args -s /usr/local/bin/bash"
fi
if test -n "$comment"; then
args="$args -c $comment"
fi
# the horse shall work
case "$action" in
present)
if pw $root user show "$user" > /dev/null 2>&1; then
if pw $root user show "$user" | grep -q LOCKED; then
# user is present but locked
run pw unlock "$user"
else
echo "$user exists."
fi
else
# create user
run pw $root user add "$user" $args
fi
if test -e "/usr/local/bastille/keys/$user" -a ! -e "/home/$user/.ssh/authorized_keys"; then
# install ssh key
uid=$(getuid "$root" "$user")
install -m 700 -o "$uid" -g "$uid" -d "/home/$user/.ssh"
install -m 600 -o "$uid" -g "$uid" "/usr/local/bastille/keys/$user" "/home/$user/.ssh/authorized_keys"
fi
;;
absent)
if pw $root user show "$user" > /dev/null 2>&1; then
# get rid
run pw $root user del "$user"
fi
;;
locked)
if pw $root user show "$user" > /dev/null 2>&1; then
if pw $root user show "$user" | grep -q LOCKED; then
echo "$user is already locked."
else
# lock'em out
run pw lock "$user"
fi
fi
;;
*)
usage
;;
esac
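Review bot: `pw unlock "$user"` in the `present` branch and `pw lock "$user"` in the `locked` branch omit `$root`, so when the script is invoked with `-d rootdir` (as the role's task does) the lock state is changed in the host's password database rather than the jail's, whereas every `show`/`add`/`del` call in the same file does pass `$root`; both should read `run pw $root unlock "$user"` and `run pw $root lock "$user"`. The authorized_keys block hard-codes `/home/$user` for the existence test and both `install` calls, ignoring `-h home` and `-d rootdir`; that only lines up because the role nullfs-mounts `/home` into the jail, and it makes `-h` silently ineffective for key installation — `${home:-/home/$user}` would keep the two consistent. `-g "$uid"` assumes the primary gid equals the uid, which holds for pw's default user-private group but not if pw.conf sets a default group; `pw $root show user "$user" -7 | cut -d: -f4` yields the real gid. Minor: the `else` branch adding `-s /usr/local/bin/bash` is unreachable because `shell` already defaults to that value.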

42
roles/pub/files/keys/tom Normal file

@@ -0,0 +1,42 @@
$ANSIBLE_VAULT;1.1;AES256
31356362656165313531663465316362386534323532313630636666373333333566646364636465
6536363632363133326538376666333563343363306266380a336537653435613638396436343931
66393530626237396332313039663837666438376430626565313565366431663533333566323862
3637386136663238340a373961663661323935353934633934633334663934623764633431623364
31653366336138323062653936653266663130313064313031333964653061326437366137623139
64616663383232313233316562383961303334343138333837623635646166343539623734396631
62616632346539313737626565333632383062383866633836326330653531336636623166396337
34646262386664333065313637666537366537383665666662653966353330373131306236346138
39353932343931636331333230333439666534376333313134653761333835336331333734393166
34643632613834616163366539346536356130363663386137373134613732383432373165623765
66653239643862636431643033336531633339626666353933653766323138663466326631323332
30306165633837623464353338396333386631396162623763363632326462633262316163333133
33303335663036393335313562646366373764656139656135303937626366653963336365383466
38616566613436363038613138643033376430636566386236356434346334633866373635383139
39313931373334396333336330613062326130623965666330633735616331373332373530643761
64303335613961623966636662363935346231386430663664626237663530393834666537383539
62643166663735303030386538313363333033363264373964343165383230373935383564373137
34313936386234366336316537616232343337323464343563613530343966626165333462343930
61376139373235366436633766613339373738663937333265643535643837626339333339336135
63383364393962623032646164646661343337663464303166663966303133316331373830663231
33626161303137633332383035353164326330643437666234613864376366346363653063333839
35393333666161653566343866313066633966613537666238343531376633636233323632663536
61356432373935376363333233613239336432376432656166326462623735643464666438323765
34646165323932303561373233373161613263306336613535636363353135313739646365393436
30626332653339353934353964323964323635333734663339306339303265653339336666373635
62316139323465366161353731353938666331393239376638323238346331373738366536346332
30626563366337663131626461393235626230373561313635366630666566613433646538636237
64386166653439663633616564636365303539303734633338393962306438396139376432356265
30626232666539616139646337383332646162323263333338313035336364656632306330386533
31303466363831316163346365623734616135343837383364363563393937626364336162656136
31323039323235373730343266343839363333616134356137666235333362383234333762646266
37663463366339303535333134313136393864656334613437623538396330633933616363373564
31646634383735393430326232633732623566323137363262346566373130323563323664666261
37363131383866623437373262383365333630373764393530626237643636633362626666623330
37636234383665626137626464373932636239383366336665633366316164663263636461616532
31373266666531323566663432346163643637366436666462323935356531623639303032663961
39303637373536643432653139633636666466313333326134643831633864343062363335313932
61626566663530393761336238323334663263336536363962373761386564333664306232656332
66386231373962373432333237626362353134363962633962363539613934633262343363303933
38306534613233303432363930323334663230306165313630663863313137366433396539333630
61643265316535653337613730373331383164306535306336313361396433636337

20
roles/pub/files/motd Normal file

@@ -0,0 +1,20 @@
/\
_/./ welcome
,-' `-:..-'/ to
: o ) _ ( bsdnix.
"`-....,--; `-.\
`'
/\
_/./
,-' `-:..-'/
: o ) _ (
"`-....,--; `-.\
`'
/\
To find help: _/./
ssh kobayashi ,-' `-:..-'/
man bsdnix : o ) _ (
"`-....,--; `-.\


@@ -0,0 +1,152 @@
# -*-shell-script-*-
#
# default bash config
# do not use the config if not in a terminal
if test -z "$PS1"; then
return
fi
# and do not use it if in no interactive terminal
if test "$TERM" = "dumb"; then
export PS1='$ '
return
fi
inputrc="$HOME/.inputrc"
# create helper configs, if requested. that way I don't have to copy
# around multiple files if I enter a new system
createcfgs() {
if ! test -f $inputrc; then
if ! test -w $HOME; then
inputrc="/tmp/.inputrc_tom"
fi
cat << EOF > $inputrc
# toms readline config
set show-all-if-ambiguous on
set meta-flag on
set input-meta on
set convert-meta on
set output-meta on
# C-a blocked by screen, so use these also
Meta-a: beginning-of-line
# alt-left
"\e[1;3C": forward-word
# ctrl-right
"\e[1;5C": forward-word
# alt-left, vnc
"\e\e[C": forward-word
# alt-right
"\e[1;3D": backward-word
# ctrl-left
"\e[1;5D": backward-word
# alt-left, vnc
"\e\e[D": backward-word
# alt-down
"\e[1;3B": beginning-of-line
# alt-down, vnc
"\e\e[A": beginning-of-line
# alt-up
"\e[1;3A": end-of-line
# alt-up, vnc
"\e\e[B": end-of-line
EOF
fi
}
# stay with en, but support umlauts and the other bastards
export LC_COLLATE="en_US.UTF-8"
export LC_CTYPE="de_DE.UTF-8"
export LC_MONETARY="de_DE.UTF-8"
export LC_NUMERIC="de_DE.UTF-8"
export LC_TIME="de_DE.UTF-8"
export LC_PAPER="de_DE.UTF-8"
export LANG="en_US.UTF-8"
export LC_LANG="en_US.UTF-8"
export LC_ALL="en_US.UTF-8"
export LANGUAGE="en_US.UTF-8"
export GDM_LANG="en_US.UTF-8"
# generate customized support configs
createcfgs
INPUTRC="$inputrc"
# global aliases
alias dir='ls -l'
alias ll='ls -l'
alias la='ls -la'
alias l='ls -alF'
alias ls-l='ls -l'
alias lt='ls -ltr'
alias o='less'
alias ..='cd ..'
alias ...='cd ../..'
alias ....='cd ../../..'
alias .....='cd ../../../..'
alias rd=rmdir
alias md='mkdir -p'
alias which='type -p'
alias less='less -i -P "?f%f:Standard input. %lb / %L ?e(END):>"'
alias les='less'
alias grip='egrep -i'
alias lc="tr '[A-Z]' '[a-z]'"
alias uc="tr '[a-z]' '[A-Z]'"
alias table="column -t"
alias gethttp="fetch -n --no-verify-peer --no-verify-hostname"
# use vim
alias vi=vim
EDITOR=vim
# simple command prompt
PS1='
--- [\w] ---
\u@\h % '
# customize path
for dir in $HOME/bin /usr/local/bin /usr/local/sbin /usr/sbin; do
if test -d $dir; then
PATH=$PATH:$dir
fi
done
export PATH
# history options
HISTFILESIZE=1000000
HISTSIZE=1000000
HISTCONTROL=ignoreboth
HISTIGNORE='ls:bg:fg:history'
HISTTIMEFORMAT='%F %T '
export EDITOR PS1 PATH LESSCHARSET GREP_OPTIONS HISTFILE HISTFILESIZE HISTSIZE HISTCONTROL HISTIGNORE HISTTIMEFORMAT INPUTRC
# better override
umask 0027
# completion?
bash=${BASH_VERSION%.*}; bmajor=${bash%.*}; bminor=${bash#*.}
if [ "$PS1" ] && [ $bmajor -eq 2 ] && [ $bminor '>' 04 ] \
&& [ -f ~/.completion ]; then # interactive shell
# Source completion code
source ~/.completion
fi
# bash options
shopt -s cdable_vars checkhash checkwinsize histappend cmdhist
# any local specific config?
if test -e ~/.bashrc-local; then
source ~/.bashrc-local
fi
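Review bot: `createcfgs` falls back to the fixed path `/tmp/.inputrc_tom` when `$HOME` is not writable, writes it with `cat << EOF > $inputrc`, and the file then exports `INPUTRC` pointing at it; on a shared host that is a predictable, world-visible filename another user can pre-create, so the shell would load a readline configuration it does not own. Since this file ships as the skeleton for every jail user, either drop the fallback (return from `createcfgs` when `$HOME` is unwritable) or create the file with `mktemp` and quote `$inputrc` and `$HOME` throughout. `export LC_ALL="en_US.UTF-8"` overrides every `LC_*` variable set just above it, so the de_DE settings have no effect; keep one or the other. `alias gethttp="fetch -n --no-verify-peer --no-verify-hostname"` turns off certificate verification for everyone inheriting this skel; if it is intentional, a one-line comment saying why belongs next to it, otherwise drop the two `--no-verify-*` flags.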


@@ -0,0 +1,53 @@
#
# .cshrc - csh resource script, read at beginning of execution by each shell
#
# see also csh(1), environ(7).
# more examples available at /usr/share/examples/csh/
#
alias h history 25
alias j jobs -l
alias l ls -alF
alias la ls -aF
alias lf ls -FA
alias ll ls -lAF
alias lt ls -ltr
alias les less
alias md mkdir -p
alias .. cd ..
alias ... cd ../..
alias .... cd ../../..
alias ..... cd ../../../..
alias grip egrep -i
alias which type -p
# These are normally set through /etc/login.conf. You may override them here
# if wanted.
# set path = (/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin $HOME/bin)
# A righteous umask
# umask 22
setenv EDITOR vi
setenv PAGER less
if ($?prompt) then
# An interactive shell -- set some stuff up
set prompt = "%N@%m:%~ %# "
set promptchars = "%#"
set filec
set history = 1000
set savehist = (1000 merge)
set autolist = ambiguous
# Use history to aid expansion
set autoexpand
set autorehash
set mail = (/var/mail/$USER)
if ( $?tcsh ) then
bindkey "^W" backward-delete-word
bindkey -k up history-search-backward
bindkey -k down history-search-forward
endif
endif


@@ -0,0 +1,324 @@
;; * Default emacs config -*-emacs-lisp-*-
;;
;; https://github.com/TLINDEN/emacs-skel
;; * Enable Fontlock-mode (colours) in gui mode
;; see: https://www.emacswiki.org/emacs/CustomizingBoth
(if window-system
(progn
(global-font-lock-mode 1)
(set-background-color "white")
(set-foreground-color "DarkBlue")
))
;; * Display cursor as row in Terminal
(unless (display-graphic-p)
;; else (optional)
(global-hl-line-mode)
(set-face-background hl-line-face "DarkGray")
(set-face-foreground hl-line-face "Black")
)
;; --------------------------------------------------------------------------------
;; * Console backspace fix
(define-key key-translation-map [?\C-h] [?\C-?])
;; * Some sensible defaults
;; no ~ backups
(setq make-backup-files nil)
;; disable Toolbar
(tool-bar-mode -1)
;; disable menubar (default: enabled)
;; (menu-bar-mode -1)
;; disable menubardialog boxes (default: enabled)
;; (setq use-dialog-box nil)
;; disable scrollbars (default: enabled)
;; Scrolleisten abschalten (standard: ein)
;; (scroll-bar-mode 0)
;; Less output during startup
(setq inhibit-startup-message t)
(setq inhibit-startup-screen t)
;; show column number
(column-number-mode t)
;; Set x11 window title
(setq frame-title-format '(buffer-file-name "emacs %f" ("emacs %b")))
;; create valid unix files
(setq require-final-newline t)
;; show matching parens
(show-paren-mode 1)
;; cursor doesn't move when scrolling
(setq scroll-preserve-screen-position t)
;; no comment columns
(setq-default comment-column 0)
;; no auto-save
(setq auto-save-default nil)
;; always display all buffers
(setq buffers-menu-max-size nil)
(setq mouse-buffer-menu-mode-mult 30)
;; don't hide anything
(setq disabled-command-function nil)
;; Mark == Copy
(setq mouse-drag-copy-region t)
;; more Ram
(setq gc-cons-threshold 20000000)
;; --------------------------------------------------------------------------------
;; * Scratch Buffer
;; default content of *scratch* buffer == short help
(setq initial-scratch-message ";;
;; Short help (Keys: C == Control, M == Alt or META):
;; Combination (eg. C-x C-f): keep control pressed, then x, then f
;; Cascade (eg. C-x 3): press control and x, release, then 3
;; Key with mouse (eg. C-mouse1): press control and left mouse button
;; M-x <cmd> execute emacs command | M-w copy marked stuff
;; C-x C-f open a file | C-w delete marked stuff
;; C-x C-S save buffer to file | C-y insert (paste, yank)
;; C-x C-q close buffer | C-g abort current action
;; C-mouse-1 popup buffer list | C-s search forward
;; C-x 2 split window horizontally | again: next match
;; C-x 3 split window vertically | C-r search backwards
;; M-o switch bffers | C-x C-c finish emacs
;; C-x 1 show only one buffer | C-x b switch buffer
;; C-x k close current buffer | C-c i invert colours
;; C-<del> delete left word | C-<entf> delete right word
;; C-<up> jump 1 paragraph up | C-<down> jump 1 paragraph down
;; C-<left> jump 1 word left | C-<right> jump 1 word right
;; C-_ UNDO | C-g C-_ REDO
;; <home> or C-a beginning of line, then window, then buffer
;; <end> or C-e end of line, then window, then buffer
;; M-x query-replace search/replace
;; M-x query-replace-regex dito, with regex (man perlre)
;; M-x <xxx-mode> (xxx: cperl, ruby etc) enable mode
;; Configuration: ~/.emacs, Tutorial: C-h t, https://emacswiki.org/
;; This is the *scratch* buffer for short notices a testing elisp.
")
;; --------------------------------------------------------------------------------
;; * y means yes
(defalias 'yes-or-no-p 'y-or-n-p)
;; --------------------------------------------------------------------------------
;; * TAB/Indent
(setq-default indent-tabs-mode nil)
(setq-default tab-width 4)
(setq indent-line-function 'insert-tab)
(setq tab-stop-list (quote (4 8 12 16 20 24 28 32 36 40 44
48 52 56 60 64 68 72 76 80 84
88 92 96 100 104 108 112 116 120)))
(setq tab-always-indent 'complete)
(add-hook 'makefile-mode-hook '(lambda() (setq indent-tabs-mode t)))
;; --------------------------------------------------------------------------------
;; * Helper
(defun add-something-to-mode-hooks (mode-list something)
"helper function to add a callback to multiple hooks"
(dolist (mode mode-list)
(add-hook (intern (concat (symbol-name mode) "-mode-hook")) something)))
;; * Standard key bindings
;; --------------------------------------------------------------------------------
;; c-h != delete
(keyboard-translate ?\C-h ?\C-?)
(keyboard-translate ?\C-? ?\C-h)
;; general keys (re-)mappings
(global-set-key (kbd "C-s") 'isearch-forward-regexp)
(global-set-key (kbd "C-r") 'isearch-backward-regexp)
(global-set-key (kbd "<backtab>") 'dabbrev-completion) ; shift-TAB: inline completion
(global-set-key (kbd "M-o") 'other-window) ; Buffer wechseln
(global-set-key (kbd "<delete>") 'delete-char)
(global-set-key (kbd "<backspace>") 'backward-delete-char)
(global-set-key (kbd "S-<delete>") 'kill-word) ; Shift+Del delete word
(global-set-key (kbd "S-<backspace>") 'backward-kill-word) ; Shift+Backspace dito
(global-set-key (kbd "C-<delete>") 'kill-word) ; Shift+Del dito
(global-set-key (kbd "C-<backspace>") 'backward-kill-word) ; Shift+Backspace dito
(global-unset-key (kbd "C-z"))
(global-set-key (kbd "C-x k") 'kill-this-buffer) ; close buffers immediately
;; --------------------------------------------------------------------------------
;; * Invert fore- and background
;; remember last inverse
(defvar my-invert-state t)
;; invert everything, reverse it when called again
(defun my-invert()
"invert fg-bg"
(interactive)
(invert-face 'default)
(invert-face 'mode-line)
(set-face-attribute 'fringe nil :inverse-video my-invert-state)
(setq my-invert-state (not my-invert-state)) ;; cycle variable my-invert-state
)
(global-set-key (kbd "C-c i") 'my-invert)
;; --------------------------------------------------------------------------------
;; * Custom binding for HOME and END keys (and CTRL-a und CTRL-e)
;; from viking-mode:
(defun my-last-key-repeats ()
"Returns how many times the last key has been pressed as integer."
(interactive)
(let* ((keys (reverse (append (recent-keys) nil)))
(pressed (car keys))
(times 0))
(progn
(catch 'nomore
(dolist (k keys)
(if (equal pressed k)
(setq times (+ times 1))
(throw 'nomore t))))
times)))
(defun pc-keys-home ()
"Go to beginning of line/window/buffer. First hitting key goes
to beginning of line, second in a row goes to beginning of
window, third in a row goes to beginning of buffer."
(interactive)
(let* (
(key-times (my-last-key-repeats)))
(cond
((eq key-times 3)
(if mark-active
(goto-char (point-min))
(beginning-of-buffer)))
((eq key-times 2)
(if mark-active () (push-mark))
(move-to-window-line 0))
((eq key-times 1)
(beginning-of-line))
)))
(defun pc-keys-end ()
"Go to end of line/window/buffer. First hitting key goes
to end of line, second in a row goes to end of
window, third in a row goes to end of buffer."
(interactive)
(let* (
(key-times (my-last-key-repeats)))
(cond
((eq key-times 3)
(if mark-active
(goto-char (point-max))
(end-of-buffer)))
((eq key-times 2)
(if mark-active () (push-mark))
(move-to-window-line -1)
(end-of-line)
)
((eq key-times 1)
(end-of-line))
)))
(global-set-key (kbd "<home>") 'pc-keys-home)
(global-set-key (kbd "<end>") 'pc-keys-end)
(global-set-key (kbd "C-a") 'pc-keys-home)
(global-set-key (kbd "C-e") 'pc-keys-end)
;; --------------------------------------------------------------------------------
;; * IDO mode - better completion during file open etc
;; Press C-f during IDO in order to get to normal behavior
(ido-mode t)
(ido-everywhere nil)
(setq ido-enable-flex-matching t)
(setq ido-use-filename-at-point nil)
(setq ido-use-virtual-buffers t)
(setq ido-auto-merge-work-directories-length -1)
;; Do not use IDO during save-as (C-x C-w)
(defvar my-ido-disabled nil)
(advice-add 'ido-write-file :before '(lambda (&rest args) (ido-mode 0) (setq my-ido-disabled t)))
(advice-add 'ido-write-file :after '(lambda (&rest args) (ido-mode 1) (setq my-ido-disabled nil)))
(defun my-keyboard-quit-advice (fn &rest args)
(when my-ido-disabled
(ido-mode 1)
(setq my-ido-disabled nil))
(apply fn args))
(advice-add 'abort-recursive-edit :around #'my-keyboard-quit-advice)
;; --------------------------------------------------------------------------------
;; * Highlight TABs
(defface extra-whitespace-face
'((t (:background "pale green")))
"Used for tabs and such.")
(defvar my-extra-keywords
'(("\t" . 'extra-whitespace-face)))
(add-something-to-mode-hooks '(c c++ vala cperl emacs-lisp python shell-script)
(lambda () (font-lock-add-keywords nil my-extra-keywords)))
;; --------------------------------------------------------------------------------
;; * Emacs Autoconfig / Customizegroup Placeholder
;; This is the place where emacs stores configuration options
;; customized interactively with:
;; M-x customize-group <RET> <group> <RET>
(custom-set-faces
;; custom-set-faces was added by Custom.
'(default ((t (:family "DejaVu Sans Mono" :foundry "unknown" :slant normal :weight normal :width normal))))
'(cperl-nonoverridable-face ((((class color) (background light)) (:foreground "Magenta"))))
'(custom-documentation-face ((t (:foreground "Navy"))) t)
'(custom-group-tag-face-1 ((((class color) (background light)) (:underline t :foreground "VioletRed"))) t)
'(font-lock-builtin-face ((t (:foreground "BlueViolet"))))
'(font-lock-comment-face ((t (:foreground "DarkGreen"))))
'(font-lock-constant-face ((t (:foreground "Magenta"))))
'(font-lock-function-name-face ((t (:bold nil :foreground "DarkOrchid"))))
'(font-lock-keyword-face ((t (:foreground "Blue"))))
'(font-lock-string-face ((t (:foreground "Red"))))
'(font-lock-type-face ((t (:foreground "DarkSlateBlue"))))
'(font-lock-variable-name-face ((t (:foreground "Sienna"))))
'(font-lock-warning-face ((t (:bold t :foreground "Red"))))
'(highlight ((t (:background "DodgerBlue2" :foreground "White"))))
'(ido-only-match ((t (:foreground "dark green" :weight bold))))
'(mode-line ((t (:foreground "White" :background "Blue"))))
'(mode-line-inactive ((t (:foreground "White" :background "DimGray"))))
'(outline-1 ((t (:inherit font-lock-function-name-face :underline t :weight bold))))
'(outline-2 ((t (:inherit font-lock-variable-name-face :underline t :weight bold))))
'(outline-3 ((t (:inherit font-lock-keyword-face :underline t :weight bold))))
'(outline-4 ((t (:inherit font-lock-comment-face :underline t))))
'(region ((t (:foreground "Aquamarine" :background "Darkblue"))))
'(secondary-selection ((t (:foreground "Green" :background "darkslateblue")))))
(custom-set-variables
;; custom-set-variables was added by Custom.
)
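Review bot: The quoted lambdas `'(lambda() (setq indent-tabs-mode t))` in the makefile-mode hook and `'(lambda (&rest args) ...)` in the two `advice-add` calls on `ido-write-file` should be plain `(lambda ...)` or `#'(lambda ...)`; a quoted lambda is a list, not a function object, so the byte-compiler cannot compile it and warns about it. `(global-set-key (kbd "C-x k") 'kill-this-buffer)` binds a command documented as intended for the menu bar; in Emacs 26+ `kill-current-buffer` is the equivalent meant for key bindings. The `keyboard-translate` pair for C-h and the earlier `key-translation-map` entry do overlapping work; one of the two can go.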


@@ -0,0 +1,9 @@
#
# .login - csh login script, read by login shell, after `.cshrc' at login.
#
# See also csh(1), environ(7).
#
# Query terminal size; useful for serial lines.
if ( -x /usr/bin/resizewin ) /usr/bin/resizewin -z


@@ -0,0 +1,6 @@
#
# see login.conf(5)
#
#me:\
# :charset=iso-8859-1:\
# :lang=de_DE.ISO8859-1:


@@ -0,0 +1,28 @@
#
# .profile - Bourne Shell startup script for login shells
#
# see also sh(1), environ(7).
#
# These are normally set through /etc/login.conf. You may override them here
# if wanted.
# PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:$HOME/bin; export PATH
# Setting TERM is normally done through /etc/ttys. Do only override
# if you're sure that you'll never log in via telnet or xterm or a
# serial line.
# TERM=xterm; export TERM
EDITOR=vi; export EDITOR
PAGER=less; export PAGER
# set ENV to a file invoked each time sh is started for interactive use.
ENV=$HOME/.shrc; export ENV
# Let sh(1) know it's at home, despite /home being a symlink.
if [ "$PWD" != "$HOME" ] && [ "$PWD" -ef "$HOME" ] ; then cd ; fi
# Query terminal size; useful for serial lines.
if [ -x /usr/bin/resizewin ] ; then /usr/bin/resizewin -z ; fi
umask 0027


@@ -0,0 +1,50 @@
#
# .shrc - bourne shell startup file
#
# This file will be used if the shell is invoked for interactive use and
# the environment variable ENV is set to this file.
#
# see also sh(1), environ(7).
#
# file permissions: rwxr-xr-x
#
umask 027
# Uncomment this to enable the builtin vi(1) command line editor in sh(1),
# e.g. ESC to go into visual mode.
# set -o vi
# some useful aliases
alias h='fc -l'
alias j=jobs
alias m="$PAGER"
alias ll='ls -laFo'
alias l='ls -l'
alias g='egrep -i'
# # be paranoid
# alias cp='cp -ip'
# alias mv='mv -i'
# alias rm='rm -i'
# # csh like history on arrow up and down
bind ^[[A ed-search-prev-history
bind ^[[B ed-search-next-history
# # ctrl+arrow allow to jump from words to words
bind "\\e[1;5C" em-next-word
bind "\\e[1;5D" ed-prev-word
alias history='fc -l'
# Fix home/del for mobaxterm
bind ^[[5~ ed-move-to-beg
bind ^[[6~ ed-move-to-end
# set prompt: ``username@hostname:directory $ ''
PS1="\u@\h:\w \\$ "
# search path for cd(1)
# CDPATH=:$HOME


@@ -0,0 +1,116 @@
" concentrate backup files etc
let &directory = expand('~/.vimdata/swap//')
set backup
let &backupdir = expand('~/.vimdata/backup//')
set undofile
let &undodir = expand('~/.vimdata/undo//')
if !isdirectory(&undodir) | call mkdir(&undodir, "p") | endif
if !isdirectory(&backupdir) | call mkdir(&backupdir, "p") | endif
if !isdirectory(&directory) | call mkdir(&directory, "p") | endif
" allow backspacing over everything in insert mode
set bs=2
" no auto indent
set nosmartindent
set noautoindent
" smart indent with code
autocmd FileType perl set smartindent
autocmd FileType python set smartindent
autocmd FileType shell set smartindent
autocmd FileType c set smartindent
" paste mode - this will avoid unexpected effects when you
" cut or copy some text from one window and paste it in Vim.
set pastetoggle=<F11>
" indent shifts 2 spaces to right
set expandtab
set shiftwidth=2
set softtabstop=2
set smarttab
" show matches when using completion
set wildmenu
" search is case insensitive
set ignorecase
" Set utf8 as standard encoding and en_US as the standard language
set encoding=utf8
" highlight matches
set hlsearch
" not case insensitive if term contains upper letters
set smartcase
" show cursor position in statusline
set ruler
" show matching bracket after typing a closing bracket
set showmatch
" show current mode in statusline
set showmode
" show last command in statusline
set showcmd
" show status line
set laststatus=2
" set xterm title to "VIM <file>", while <file> is
" the currently opened buffer
set title
" do not beep (doh!)
set visualbell
" don't ask for :x!
set writeany
" just enter Q to exit
map Q :q!<Cr>
" fix broken shells
set term=xterm
" enable true colors
set termguicolors
" add comment char when pressing <Cr> inside comment line
set formatoptions+=r
" show line numbers
" set number
set relativenumber
set numberwidth=5
" to disable linenumbers and indentlines (if any) press t in normal mode
nmap t :set relativenumber!<CR>:IndentLinesToggle<CR>
" help in full screen
command! -nargs=1 -complete=help H help <args> | silent only
if &diff
" apply right patch to the left
nnoremap < :diffget <Enter>
" apply left patch to the right
nnoremap > :diffput <Enter>
" update diff
nnoremap <C-l> :diffupdate <Enter>
" jump to next diff
map n ]c
" jump to previous diff
map p [c
" switch windows (back and forth)
nnoremap <C-o> <C-W>w
endif
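Review bot: `nmap t :set relativenumber!<CR>:IndentLinesToggle<CR>` calls a command supplied by a plugin that nothing in this commit installs, so unless the jail image ships it the mapping errors after toggling numbers; guard it with `if exists(':IndentLinesToggle')` or use `:silent! IndentLinesToggle`, and note that the mapping shadows the built-in `t` motion. `set term=xterm` forces the terminal type regardless of what the user is actually connected with, which misbehaves under tmux/screen or a non-xterm client; the "fix broken shells" comment should say which case it works around, or the line should be conditional on `$TERM` being unset.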


@@ -0,0 +1,15 @@
# pub jail sshd config
LogLevel INFO
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 2
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
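Review bot: `AllowTcpForwarding no` and `AllowAgentForwarding no` leave Unix-domain socket forwarding (`AllowStreamLocalForwarding`, default yes) at its default; `DisableForwarding yes` switches off every forwarding kind in one directive and is the clearer statement for a multi-user jail. Because the task appears to install this file as the whole `etc/ssh/sshd_config` rather than as a drop-in, every directive not listed here falls back to the compiled-in default — in particular there is no `Subsystem sftp` line, so sftp is unavailable in the jail; if that is intended, a comment such as `# no Subsystem sftp on purpose: shell-only access` saves the next reader a debugging session. With public keys as the only accepted method, `AuthenticationMethods publickey` makes that explicit and protects against a later edit quietly re-enabling another method.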

102
roles/pub/tasks/main.yaml Normal file

@@ -0,0 +1,102 @@
---
- name: create services template dir
file:
path: "/usr/local/bastille/templates/services/{{ role_name }}"
state: directory
recurse: yes
- name: copy template config files
template:
src: Bastillefile.j2
dest: "/usr/local/bastille/templates/services/{{ role_name }}/Bastillefile"
- name: create config paths
file:
path: "/usr/local/bastille/templates/services/{{ role_name }}/{{ item }}/"
state: directory
recurse: yes
loop:
- etc/ssh
- usr/share/skel
- name: copy sshd config file
copy:
src: sshd_config
dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"
- name: copy motd file
copy:
src: motd
dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/motd.template"
- name: copy skel files
copy:
src: "skel/{{ item }}"
dest: "/usr/local/bastille/templates/services/{{ role_name }}/usr/share/skel/{{ item }}"
loop:
- dot.bash_profile
- dot.cshrc
- dot.emacs
- dot.login
- dot.login_conf
- dot.profile
- dot.shrc
- name: copy resolv.conf file
template:
src: resolv.conf.j2
dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/resolv.conf"
- name: create jail
shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0"
args:
creates: /usr/local/bastille/jails/{{ role_name }}
- name: start jail
# https://github.com/BastilleBSD/bastille/issues/342
shell: bastille start {{ role_name }} || true
- name: template jail
shell: "bastille template {{ role_name }} services/{{ role_name }}"
# FIXME: loop over files and check size somehow, or always copy? use file module?
- name: copy skel files into jail template
shell: cp -r /usr/local/bastille/templates/services/{{ role_name }}/usr/share/skel /usr/local/bastille/jails/{{ role_name }}/root/etc/
# args:
# creates: /usr/local/bastille/jails/{{ role_name }}/root/etc/skel
# these will later be used by bin/user.sh (see below) to be installed
# into the user homes
- name: copy user ssh keys
copy:
src: keys
dest: "/usr/local/bastille/"
# create our own group[s]
- name: Manage groups
loop: "{{ jailgroups }}"
ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -d /usr/local/bastille/jails/{{ role_name }}/root"
# The normal ansible user module can't be used here, because we're
# talking about jail users here. I tried to patch the module to
# support the -R flag (https://github.com/ansible/ansible/pull/84371)
# but it makes no sense. Every single function needs to be patched so
# that it works for jails.
#
# So, instead I'm just using this simple script, which does the job as
# well.
- name: Manage users
loop: "{{ jailusers }}"
ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -d {{ defaults.jailbase }}/{{ role_name }}/root"
- name: add dns entry for jail host
community.dns.hetzner_dns_record:
state: present
zone: "{{ dns.zone }}"
record: "{{ role_name }}.{{ dns.zone }}"
type: AAAA
ttl: 300
value: "{{ jailip.stdout }}"
hetzner_token: "{{ hetzner_dns_token }}"
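Review bot: The `shell` and `script` tasks splice inventory values straight into command lines (`{{ item.name }}`, `{{ item.groups | default(defaults.group) }}`, `{{ release }}`, `{{ jailip.stdout }}`) without the `quote` filter, so a value containing whitespace or shell metacharacters changes the command instead of being passed as one argument; `{{ item.name | quote }}` (and likewise for the others) is the usual fix. The group task hard-codes `-d /usr/local/bastille/jails/{{ role_name }}/root` while the user task uses `{{ defaults.jailbase }}/{{ role_name }}/root`; both should use the variable. The DNS task passes `hetzner_token`; adding `no_log: true` to that task keeps the token out of verbose and failed-task output. `bastille start ... || true` and the `bastille template` task have no `changed_when` or `creates`, so every run reports changes and the `|| true` also hides genuine start failures.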


@@ -0,0 +1,20 @@
CP etc /
PKG {{ jails.pub.pkgs | join(' ') }}
SYSRC sshd_enable=YES
SYSRC sendmail_enable=NONE
SYSRC tmpsize=500m
SYSRC tmpmfs=AUTO
SYSRC clear_tmp_enable=YES
CMD if test -l /home; then rm /home; fi
CMD mkdir -p /home
FSTAB /home home nullfs rw 0 0
# FIXME: fails for now, see: https://github.com/BastilleBSD/bastille/issues/743
#CP usr/share/skel /usr/share/skel
SERVICE sshd start
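Review bot: `CMD if test -l /home; then rm /home; fi` uses `-l`, which is not a test(1) operator; the symlink check is `-L` (or `-h`), so as written the test fails with an error, the symlink is never removed, and the following `mkdir -p /home` and the nullfs mount onto `/home` go through whatever `/home` already points at. Change it to `CMD if test -L /home; then rm /home; fi`. The `FSTAB /home home nullfs rw 0 0` line appears to expose the host's `/home` read-write to every jail built from this template; a comment stating that this sharing is intentional (and that bin/user.sh relies on it when installing keys under `/home/$user`) would help future readers.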


@@ -0,0 +1,2 @@
nameserver {{ primaryip.stdout }}
options edns0