added dns using hetzner dns, renamed pubnix => pub

2024-12-10 17:47:38 +01:00
parent b429091ec7
commit a92cda6b40
23 changed files with 48 additions and 33 deletions
--- a/roles/pub/tasks/main.yaml
+++ b/roles/pub/tasks/main.yaml
@@ -0,0 +1,102 @@
+---
+- name: create services template dir
+  file:
+    path: "/usr/local/bastille/templates/services/{{ role_name }}"
+    state: directory
+    recurse: yes
+
+- name: copy template config files
+  template:
+    src: Bastillefile.j2
+    dest: "/usr/local/bastille/templates/services/{{ role_name }}/Bastillefile"
+
+- name: create config paths
+  file:
+    path: "/usr/local/bastille/templates/services/{{ role_name }}/{{ item }}/"
+    state: directory
+    recurse: yes
+  loop:
+    - etc/ssh
+    - usr/share/skel
+
+- name: copy sshd config file
+  copy:
+    src: sshd_config
+    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"
+
+- name: copy motd file
+  copy:
+    src: motd
+    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/motd.template"
+
+- name: copy skel files
+  copy:
+    src: "skel/{{ item }}"
+    dest: "/usr/local/bastille/templates/services/{{ role_name }}/usr/share/skel/{{ item }}"
+  loop:
+    - dot.bash_profile
+    - dot.cshrc
+    - dot.emacs
+    - dot.login
+    - dot.login_conf
+    - dot.profile
+    - dot.shrc
+
+- name: copy resolv.conf file
+  template:
+    src: resolv.conf.j2
+    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/resolv.conf"
+    
+- name: create jail
+  shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0"
+  args:
+    creates: /usr/local/bastille/jails/{{ role_name }}
+
+- name: start jail
+  # https://github.com/BastilleBSD/bastille/issues/342
+  shell: bastille start {{ role_name }} || true
+
+- name: template jail
+  shell: "bastille template {{ role_name }} services/{{ role_name }}"
+
+# FIXME: loop over files and check size somehow, or always copy? use file module?
+- name: copy skel files into jail template
+  shell: cp -r /usr/local/bastille/templates/services/{{ role_name }}/usr/share/skel /usr/local/bastille/jails/{{ role_name }}/root/etc/
+  # args:
+  #   creates: /usr/local/bastille/jails/{{ role_name }}/root/etc/skel
+
+# these will later be used by  bin/user.sh (see below) to be installed
+# into the user homes
+- name: copy user ssh keys
+  copy:
+    src: keys
+    dest: "/usr/local/bastille/"
+
+# create our own group[s]
+- name: Manage groups
+  loop: "{{ jailgroups }}"
+  ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -d /usr/local/bastille/jails/{{ role_name }}/root"
+
+# The normal  ansible user  module can't be  used here,  because we're
+# talking  about jail  users  here. I  tried to  patch  the module  to
+# support the  -R flag (https://github.com/ansible/ansible/pull/84371)
+# but it makes no sense. Every  single function needs to be patched so
+# that it works for jails.
+#
+# So, instead I'm just using this simple script, which does the job as
+# well.
+- name: Manage users
+  loop: "{{ jailusers }}"
+  ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -d {{ defaults.jailbase }}/{{ role_name }}/root"
+
+- name: add dns entry for jail host
+  community.dns.hetzner_dns_record:
+    state: present
+    zone: "{{ dns.zone }}"
+    record: "{{ role_name }}.{{ dns.zone }}"
+    type: AAAA
+    ttl: 300
+    value: "{{ jailip.stdout }}"
+    hetzner_token: "{{ hetzner_dns_token }}"
+
+