diff --git a/TODO.md b/TODO.md
index 80a31d3..166b45b 100644
--- a/TODO.md
+++ b/TODO.md
@@ -35,3 +35,8 @@ nullfs into jail ## Add quota config and enable/configure rctl
+## DNS
+
+- kresd.conf => listen on ::
+- add ::1 to host resolv.conf
+- add default gw to jail resolv.conf
diff --git a/group_vars/all/all.yaml b/group_vars/all/all.yaml
index d16d6be..bce34c3 100644
--- a/group_vars/all/all.yaml
+++ b/group_vars/all/all.yaml
@@ -43,6 +43,10 @@ users: groups: wheel shell: /usr/local/bin/bash rootdir: /usr/local/bastille/jails/pubnix/root + - name: tom + groups: nobody + shell: /usr/local/bin/bash + rootdir: /usr/local/bastille/jails/pubnix/root storage: volume:
diff --git a/roles/firewall/templates/pf.conf.j2 b/roles/firewall/templates/pf.conf.j2
index 35f0fae..60bf78b 100644
--- a/roles/firewall/templates/pf.conf.j2
+++ b/roles/firewall/templates/pf.conf.j2
@@ -31,6 +31,8 @@ block in log all ### Allow outgoing, skip others rules if match, and track connections pass out quick keep state pass out inet6 keep state + +# FIXME: does not survice reboots, that is: pf blocks after a reboot, pf must be reloaded, then it works pass out quick on $ext_if keep state pass out on $ext_if inet6 keep state
diff --git a/roles/pubnix/files/skel/dot.bashrc b/roles/pubnix/files/skel/dot.bashrc
new file mode 100755
index 0000000..7d4676d
--- /dev/null
+++ b/roles/pubnix/files/skel/dot.bashrc
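Review bot: The new `tom` account is given `groups: nobody`, which is the group of the `nobody` daemon account, so a human login would share group-level access with whatever runs as nobody on the host and in the jail, while the only other user in this list is in `wheel`. Unless a deliberately privilege-less account is intended, a dedicated group such as `groups: users` (or a pubnix-specific group) is the safer choice. Note that this value is later handed to `pw … -G {{ item.groups }}`, which as far as I know only accepts groups that already exist in the jail's group file, so a custom group would have to be created before the user task runs.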
@@ -0,0 +1,166 @@
+# -*-shell-script-*-
+#
+# default bash config
+
+# do not use the config if not in a terminal
+if test -z "$PS1"; then
+ return
+fi
+
+# and do not use it if in no interactive terminal
+if test "$TERM" = "dumb"; then
+ export PS1='$ '
+ return
+fi
+
+inputrc="$HOME/.inputrc"
+
+# create helper configs, if requested. that way I don't have to copy
+# around multiple files if I enter a new system
+createcfgs() {
+ if ! test -f $inputrc; then
+ if ! test -w $HOME; then
+ inputrc="/tmp/.inputrc_tom"
+ fi
+ cat << EOF > $inputrc
+# toms readline config
+set show-all-if-ambiguous on
+set meta-flag on
+set input-meta on
+set convert-meta on
+set output-meta on
+
+# C-a blocked by screen, so use these also
+Meta-a: beginning-of-line
+
+# alt-left
+"\e[1;3C": forward-word
+# ctrl-right
+"\e[1;5C": forward-word
+# alt-left, vnc
+"\e\e[C": forward-word
+
+# alt-right
+"\e[1;3D": backward-word
+# ctrl-left
+"\e[1;5D": backward-word
+# alt-left, vnc
+"\e\e[D": backward-word
+
+# alt-down
+"\e[1;3B": beginning-of-line
+# alt-down, vnc
+"\e\e[A": beginning-of-line
+
+# alt-up
+"\e[1;3A": end-of-line
+# alt-up, vnc
+"\e\e[B": end-of-line
+
+EOF
+ fi
+}
+
+# stay with en, but support umlauts and the other bastards
+export LC_COLLATE="en_US.UTF-8"
+export LC_CTYPE="de_DE.UTF-8"
+export LC_MONETARY="de_DE.UTF-8"
+export LC_NUMERIC="de_DE.UTF-8"
+export LC_TIME="de_DE.UTF-8"
+export LC_PAPER="de_DE.UTF-8"
+export LANG="en_US.UTF-8"
+export LC_LANG="en_US.UTF-8"
+export LC_ALL="en_US.UTF-8"
+export LANGUAGE="en_US.UTF-8"
+export GDM_LANG="en_US.UTF-8"
+
+# generate customized support configs
+createcfgs
+INPUTRC="$inputrc"
+
+
+# global aliases
+alias dir='ls -l'
+alias ll='ls -l'
+alias la='ls -la'
+alias l='ls -alF'
+alias ls-l='ls -l'
+alias lt='ls -ltr'
+alias o='less'
+alias ..='cd ..'
+alias ...='cd ../..'
+alias ....='cd ../../..'
+alias .....='cd ../../../..'
+alias rd=rmdir
+alias md='mkdir -p'
+alias which='type -p'
+alias less='less -i -P "?f%f:Standard input. %lb / %L ?e(END):>"'
+alias les='less'
+alias grip='egrep -i'
+alias lc="tr '[A-Z]' '[a-z]'"
+alias uc="tr '[a-z]' '[A-Z]'"
+alias table="column -t"
+alias gethttp="fetch -n --no-verify-peer --no-verify-hostname"
+
+
+PROMPT_COMMAND="PS1='\[\033]0;\u@$host:\w\007\]
+--- [\w] ---
+\u@$host: $CURSOR '"
+
+# customize path
+for dir in $HOME/bin $HOME/.cabal/bin $HOME/perl5/perlbrew/bin /usr/local/bin /usr/local/sbin /usr/sbin; do
+ if test -d $dir; then
+ PATH=$PATH:$dir
+ fi
+done
+export PATH
+
+# global env vars
+EDITOR=vim
+
+# history options
+HISTFILESIZE=1000000
+HISTSIZE=1000000
+HISTCONTROL=ignoreboth
+HISTIGNORE='ls:bg:fg:history'
+HISTTIMEFORMAT='%F %T '
+
+export EDITOR PROMPT_COMMAND PATH LESSCHARSET GREP_OPTIONS HISTFILE HISTFILESIZE HISTSIZE HISTCONTROL HISTIGNORE HISTTIMEFORMAT INPUTRC
+
+# better override
+umask 0027
+
+# completion?
+bash=${BASH_VERSION%.*}; bmajor=${bash%.*}; bminor=${bash#*.}
+if [ "$PS1" ] && [ $bmajor -eq 2 ] && [ $bminor '>' 04 ] \
+ && [ -f ~/.completion ]; then # interactive shell
+ # Source completion code
+ source ~/.completion
+fi
+
+# bash options
+shopt -s cdable_vars checkhash checkwinsize histappend cmdhist
+
+# perl brew installed?
+if test -d ~/perl5; then
+ source ~/perl5/perlbrew/etc/bashrc
+fi
+
+# python?
+if test -e ~/.pythonrc; then
+ export PYTHONSTARTUP=~/.pythonrc
+fi
+
+# any local specific config?
+if test -e ~/.bashrc-local; then
+ source ~/.bashrc-local
+fi
+
+# rust?
+if test -e /usr/local/rust/cargo/env; then
+ source /usr/local/rust/cargo/env
+ export RUSTUP_HOME=/usr/local/rust/rustup
+ export CARGO_HOME=/usr/local/rust/cargo
+fi
+
+
diff --git a/roles/pubnix/files/skel/dot.cshrc b/roles/pubnix/files/skel/dot.cshrc
new file mode 100644
index 0000000..c3c035d
--- /dev/null
+++ b/roles/pubnix/files/skel/dot.cshrc
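Review bot: `alias gethttp="fetch -n --no-verify-peer --no-verify-hostname"` ships a TLS-verification-disabled download helper in the skeleton of every new pubnix user, so anything fetched with it can be silently substituted by a man-in-the-middle; I would drop both `--no-verify-*` flags and let fetch validate certificates, i.e. `alias gethttp="fetch -n"`, with a comment pointing users at `--ca-cert` for self-signed hosts. A second point in `createcfgs`: when `$HOME` is not writable it falls back to the fixed path `/tmp/.inputrc_tom`, which on a shared host is a predictable name in a world-writable directory that another user can pre-create or symlink so that readline loads their bindings at the victim's next login; either skip the fallback entirely or use a `mktemp`-generated name. Also `$host` and `$CURSOR` in `PROMPT_COMMAND` are never set in this file, so unless something sourced earlier defines them the prompt and xterm title show an empty hostname where bash's own `\h` would have worked.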
@@ -0,0 +1,42 @@
+#
+# .cshrc - csh resource script, read at beginning of execution by each shell
+#
+# see also csh(1), environ(7).
+# more examples available at /usr/share/examples/csh/
+#
+
+alias h history 25
+alias j jobs -l
+alias la ls -aF
+alias lf ls -FA
+alias ll ls -lAF
+
+# These are normally set through /etc/login.conf. You may override them here
+# if wanted.
+# set path = (/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin $HOME/bin)
+# A righteous umask
+# umask 22
+
+setenv EDITOR vi
+setenv PAGER less
+
+if ($?prompt) then
+ # An interactive shell -- set some stuff up
+ set prompt = "%N@%m:%~ %# "
+ set promptchars = "%#"
+
+ set filec
+ set history = 1000
+ set savehist = (1000 merge)
+ set autolist = ambiguous
+ # Use history to aid expansion
+ set autoexpand
+ set autorehash
+ set mail = (/var/mail/$USER)
+ if ( $?tcsh ) then
+ bindkey "^W" backward-delete-word
+ bindkey -k up history-search-backward
+ bindkey -k down history-search-forward
+ endif
+
+endif
diff --git a/roles/pubnix/files/skel/dot.emacs b/roles/pubnix/files/skel/dot.emacs
new file mode 100644
index 0000000..c0e00b8
--- /dev/null
+++ b/roles/pubnix/files/skel/dot.emacs
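Review bot: The csh skeleton leaves `# umask 22` commented out, while dot.profile, dot.shrc and dot.bashrc in this same commit all set `umask 0027`, so a user whose login shell is csh/tcsh inherits whatever /etc/login.conf provides (typically 022) and creates world-readable files by default where sh/bash users on the same host do not. I would make the skeletons consistent by replacing the commented line with `umask 027` and a one-line comment that it matches the other shells. `setenv EDITOR vi` likewise differs from `EDITOR=vim` in dot.bashrc, but that is cosmetic; the umask mismatch is the one worth fixing on a shared pubnix.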
@@ -0,0 +1,324 @@
+;; * Default emacs config -*-emacs-lisp-*-
+;;
+;; https://github.com/TLINDEN/emacs-skel
+
+;; * Enable Fontlock-mode (colours) in gui mode
+;; see: https://www.emacswiki.org/emacs/CustomizingBoth
+(if window-system
+ (progn
+ (global-font-lock-mode 1)
+ (set-background-color "white")
+ (set-foreground-color "DarkBlue")
+ ))
+
+;; * Display cursor as row in Terminal
+(unless (display-graphic-p)
+ ;; else (optional)
+ (global-hl-line-mode)
+ (set-face-background hl-line-face "DarkGray")
+ (set-face-foreground hl-line-face "Black")
+ )
+
+;; --------------------------------------------------------------------------------
+;; * Console backspace fix
+(define-key key-translation-map [?\C-h] [?\C-?])
+
+;; * Some sensible defaults
+
+;; no ~ backups
+(setq make-backup-files nil)
+
+;; disable Toolbar
+(tool-bar-mode -1)
+
+;; disable menubar (default: enabled)
+;; (menu-bar-mode -1)
+
+;; disable menubardialog boxes (default: enabled)
+;; (setq use-dialog-box nil)
+
+;; disable scrollbars (default: enabled)
+;; Scrolleisten abschalten (standard: ein)
+;; (scroll-bar-mode 0)
+
+;; Less output during startup
+(setq inhibit-startup-message t)
+(setq inhibit-startup-screen t)
+
+;; show column number
+(column-number-mode t)
+
+;; Set x11 window title
+(setq frame-title-format '(buffer-file-name "emacs %f" ("emacs %b")))
+
+;; create valid unix files
+(setq require-final-newline t)
+
+;; show matching parens
+(show-paren-mode 1)
+
+;; cursor doesn't move when scrolling
+(setq scroll-preserve-screen-position t)
+
+;; no comment columns
+(setq-default comment-column 0)
+
+;; no auto-save
+(setq auto-save-default nil)
+
+;; always display all buffers
+(setq buffers-menu-max-size nil)
+(setq mouse-buffer-menu-mode-mult 30)
+
+;; don't hide anything
+(setq disabled-command-function nil)
+
+;; Mark == Copy
+(setq mouse-drag-copy-region t)
+
+;; more Ram
+(setq gc-cons-threshold 20000000)
+
+;; --------------------------------------------------------------------------------
+;; * Scratch Buffer
+
+;; default content of *scratch* buffer == short help
+
+(setq initial-scratch-message ";;
+;; Short help (Keys: C == Control, M == Alt or META):
+
+;; Combination (eg. C-x C-f): keep control pressed, then x, then f
+;; Cascade (eg. C-x 3): press control and x, release, then 3
+;; Key with mouse (eg. C-mouse1): press control and left mouse button
+
+;; M-x execute emacs command | M-w copy marked stuff
+;; C-x C-f open a file | C-w delete marked stuff
+;; C-x C-S save buffer to file | C-y insert (paste, yank)
+;; C-x C-q close buffer | C-g abort current action
+;; C-mouse-1 popup buffer list | C-s search forward
+;; C-x 2 split window horizontally | again: next match
+;; C-x 3 split window vertically | C-r search backwards
+;; M-o switch bffers | C-x C-c finish emacs
+;; C-x 1 show only one buffer | C-x b switch buffer
+;; C-x k close current buffer | C-c i invert colours
+
+;; C- delete left word | C- delete right word
+;; C- jump 1 paragraph up | C- jump 1 paragraph down
+;; C- jump 1 word left | C- jump 1 word right
+;; C-_ UNDO | C-g C-_ REDO
+
+;; or C-a beginning of line, then window, then buffer
+;; or C-e end of line, then window, then buffer
+
+;; M-x query-replace search/replace
+;; M-x query-replace-regex dito, with regex (man perlre)
+;; M-x (xxx: cperl, ruby etc) enable mode
+
+;; Configuration: ~/.emacs, Tutorial: C-h t, https://emacswiki.org/
+
+;; This is the *scratch* buffer for short notices a testing elisp.
+
+")
+
+;; --------------------------------------------------------------------------------
+;; * y means yes
+(defalias 'yes-or-no-p 'y-or-n-p)
+
+;; --------------------------------------------------------------------------------
+;; * TAB/Indent
+(setq-default indent-tabs-mode nil)
+(setq-default tab-width 4)
+(setq indent-line-function 'insert-tab)
+(setq tab-stop-list (quote (4 8 12 16 20 24 28 32 36 40 44
+ 48 52 56 60 64 68 72 76 80 84
+ 88 92 96 100 104 108 112 116 120)))
+(setq tab-always-indent 'complete)
+(add-hook 'makefile-mode-hook '(lambda() (setq indent-tabs-mode t)))
+
+;; --------------------------------------------------------------------------------
+;; * Helper
+(defun add-something-to-mode-hooks (mode-list something)
+ "helper function to add a callback to multiple hooks"
+ (dolist (mode mode-list)
+ (add-hook (intern (concat (symbol-name mode) "-mode-hook")) something)))
+
+;; * Standard key bindings
+;; --------------------------------------------------------------------------------
+;; c-h != delete
+(keyboard-translate ?\C-h ?\C-?)
+(keyboard-translate ?\C-? ?\C-h)
+
+;; general keys (re-)mappings
+(global-set-key (kbd "C-s") 'isearch-forward-regexp)
+(global-set-key (kbd "C-r") 'isearch-backward-regexp)
+(global-set-key (kbd "") 'dabbrev-completion) ; shift-TAB: inline completion
+(global-set-key (kbd "M-o") 'other-window) ; Buffer wechseln
+(global-set-key (kbd "") 'delete-char)
+(global-set-key (kbd "") 'backward-delete-char)
+(global-set-key (kbd "S-") 'kill-word) ; Shift+Del delete word
+(global-set-key (kbd "S-") 'backward-kill-word) ; Shift+Backspace dito
+(global-set-key (kbd "C-") 'kill-word) ; Shift+Del dito
+(global-set-key (kbd "C-") 'backward-kill-word) ; Shift+Backspace dito
+(global-unset-key (kbd "C-z"))
+(global-set-key (kbd "C-x k") 'kill-this-buffer) ; close buffers immediately
+
+;; --------------------------------------------------------------------------------
+;; * Invert fore- and background
+
+;; remember last inverse
+(defvar my-invert-state t)
+
+;; invert everything, reverse it when called again
+(defun my-invert()
+ "invert fg-bg"
+ (interactive)
+ (invert-face 'default)
+ (invert-face 'mode-line)
+ (set-face-attribute 'fringe nil :inverse-video my-invert-state)
+ (setq my-invert-state (not my-invert-state)) ;; cycle variable my-invert-state
+ )
+
+(global-set-key (kbd "C-c i") 'my-invert)
+
+;; --------------------------------------------------------------------------------
+;; * Custom binding for HOME and END keys (and CTRL-a und CTRL-e)
+
+;; from viking-mode:
+(defun my-last-key-repeats ()
+ "Returns how many times the last key has been pressed as integer."
+ (interactive)
+ (let* ((keys (reverse (append (recent-keys) nil)))
+ (pressed (car keys))
+ (times 0))
+ (progn
+ (catch 'nomore
+ (dolist (k keys)
+ (if (equal pressed k)
+ (setq times (+ times 1))
+ (throw 'nomore t))))
+ times)))
+
+(defun pc-keys-home ()
+ "Go to beginning of line/window/buffer. First hitting key goes
+to beginning of line, second in a row goes to beginning of
+window, third in a row goes to beginning of buffer."
+ (interactive)
+ (let* (
+ (key-times (my-last-key-repeats)))
+ (cond
+ ((eq key-times 3)
+ (if mark-active
+ (goto-char (point-min))
+ (beginning-of-buffer)))
+
+ ((eq key-times 2)
+ (if mark-active () (push-mark))
+ (move-to-window-line 0))
+
+ ((eq key-times 1)
+ (beginning-of-line))
+ )))
+
+(defun pc-keys-end ()
+ "Go to end of line/window/buffer. First hitting key goes
+to end of line, second in a row goes to end of
+window, third in a row goes to end of buffer."
+ (interactive)
+ (let* (
+ (key-times (my-last-key-repeats)))
+ (cond
+ ((eq key-times 3)
+ (if mark-active
+ (goto-char (point-max))
+ (end-of-buffer)))
+
+ ((eq key-times 2)
+ (if mark-active () (push-mark))
+ (move-to-window-line -1)
+ (end-of-line)
+ )
+
+ ((eq key-times 1)
+ (end-of-line))
+ )))
+
+(global-set-key (kbd "") 'pc-keys-home)
+(global-set-key (kbd "") 'pc-keys-end)
+(global-set-key (kbd "C-a") 'pc-keys-home)
+(global-set-key (kbd "C-e") 'pc-keys-end)
+
+;; --------------------------------------------------------------------------------
+;; * IDO mode - better completion during file open etc
+
+;; Press C-f during IDO in order to get to normal behavior
+(ido-mode t)
+(ido-everywhere nil)
+(setq ido-enable-flex-matching t)
+(setq ido-use-filename-at-point nil)
+(setq ido-use-virtual-buffers t)
+(setq ido-auto-merge-work-directories-length -1)
+
+;; Do not use IDO during save-as (C-x C-w)
+(defvar my-ido-disabled nil)
+(advice-add 'ido-write-file :before '(lambda (&rest args) (ido-mode 0) (setq my-ido-disabled t)))
+(advice-add 'ido-write-file :after '(lambda (&rest args) (ido-mode 1) (setq my-ido-disabled nil)))
+
+(defun my-keyboard-quit-advice (fn &rest args)
+ (when my-ido-disabled
+ (ido-mode 1)
+ (setq my-ido-disabled nil))
+ (apply fn args))
+
+(advice-add 'abort-recursive-edit :around #'my-keyboard-quit-advice)
+
+
+;; --------------------------------------------------------------------------------
+;; * Highlight TABs
+
+(defface extra-whitespace-face
+ '((t (:background "pale green")))
+ "Used for tabs and such.")
+
+(defvar my-extra-keywords
+ '(("\t" . 'extra-whitespace-face)))
+
+(add-something-to-mode-hooks '(c c++ vala cperl emacs-lisp python shell-script)
+ (lambda () (font-lock-add-keywords nil my-extra-keywords)))
+
+
+;; --------------------------------------------------------------------------------
+;; * Emacs Autoconfig / Customizegroup Placeholder
+
+;; This is the place where emacs stores configuration options
+;; customized interactively with:
+;; M-x customize-group
+
+(custom-set-faces
+ ;; custom-set-faces was added by Custom.
+ '(default ((t (:family "DejaVu Sans Mono" :foundry "unknown" :slant normal :weight normal :width normal))))
+ '(cperl-nonoverridable-face ((((class color) (background light)) (:foreground "Magenta"))))
+ '(custom-documentation-face ((t (:foreground "Navy"))) t)
+ '(custom-group-tag-face-1 ((((class color) (background light)) (:underline t :foreground "VioletRed"))) t)
+ '(font-lock-builtin-face ((t (:foreground "BlueViolet"))))
+ '(font-lock-comment-face ((t (:foreground "DarkGreen"))))
+ '(font-lock-constant-face ((t (:foreground "Magenta"))))
+ '(font-lock-function-name-face ((t (:bold nil :foreground "DarkOrchid"))))
+ '(font-lock-keyword-face ((t (:foreground "Blue"))))
+ '(font-lock-string-face ((t (:foreground "Red"))))
+ '(font-lock-type-face ((t (:foreground "DarkSlateBlue"))))
+ '(font-lock-variable-name-face ((t (:foreground "Sienna"))))
+ '(font-lock-warning-face ((t (:bold t :foreground "Red"))))
+ '(highlight ((t (:background "DodgerBlue2" :foreground "White"))))
+ '(ido-only-match ((t (:foreground "dark green" :weight bold))))
+ '(mode-line ((t (:foreground "White" :background "Blue"))))
+ '(mode-line-inactive ((t (:foreground "White" :background "DimGray"))))
+ '(outline-1 ((t (:inherit font-lock-function-name-face :underline t :weight bold))))
+ '(outline-2 ((t (:inherit font-lock-variable-name-face :underline t :weight bold))))
+ '(outline-3 ((t (:inherit font-lock-keyword-face :underline t :weight bold))))
+ '(outline-4 ((t (:inherit font-lock-comment-face :underline t))))
+ '(region ((t (:foreground "Aquamarine" :background "Darkblue"))))
+ '(secondary-selection ((t (:foreground "Green" :background "darkslateblue")))))
+
+(custom-set-variables
+ ;; custom-set-variables was added by Custom.
+ )
diff --git a/roles/pubnix/files/skel/dot.login b/roles/pubnix/files/skel/dot.login
new file mode 100644
index 0000000..1ca819e
--- /dev/null
+++ b/roles/pubnix/files/skel/dot.login
@@ -0,0 +1,9 @@
+#
+# .login - csh login script, read by login shell, after `.cshrc' at login.
+#
+# See also csh(1), environ(7).
+#
+
+# Query terminal size; useful for serial lines.
+if ( -x /usr/bin/resizewin ) /usr/bin/resizewin -z
+
diff --git a/roles/pubnix/files/skel/dot.login_conf b/roles/pubnix/files/skel/dot.login_conf
new file mode 100644
index 0000000..e0fa9b2
--- /dev/null
+++ b/roles/pubnix/files/skel/dot.login_conf
@@ -0,0 +1,6 @@
+#
+# see login.conf(5)
+#
+#me:\
+# :charset=iso-8859-1:\
+# :lang=de_DE.ISO8859-1:
diff --git a/roles/pubnix/files/skel/dot.profile b/roles/pubnix/files/skel/dot.profile
new file mode 100644
index 0000000..43227f5
--- /dev/null
+++ b/roles/pubnix/files/skel/dot.profile
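Review bot: Several `global-set-key` calls in the key-bindings section pass an empty key description, `(kbd "")`, for what their trailing comments say are Shift-TAB, Delete, Backspace, Home and End (e.g. `(global-set-key (kbd "") 'dabbrev-completion) ; shift-TAB`), and the scratch-buffer help likewise shows `C- delete left word` with the key name missing; as shown these look like `<backtab>`, `<delete>`, `<backspace>`, `<home>` and `<end>` that were lost, possibly only on the way into this listing, which is worth confirming in the repository, because as far as I know an empty key sequence binds nothing. If the names really are missing, restore them, e.g. `(global-set-key (kbd "<backtab>") 'dabbrev-completion)` and `(global-set-key (kbd "<home>") 'pc-keys-home)`. Separately, `(setq disabled-command-function nil)` under "don't hide anything" enables every command Emacs disables by default for all new users of this skeleton; a short comment stating that is deliberate would help, since most pubnix users will be seeing Emacs for the first time.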
@@ -0,0 +1,28 @@
+#
+# .profile - Bourne Shell startup script for login shells
+#
+# see also sh(1), environ(7).
+#
+
+# These are normally set through /etc/login.conf. You may override them here
+# if wanted.
+# PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:$HOME/bin; export PATH
+
+# Setting TERM is normally done through /etc/ttys. Do only override
+# if you're sure that you'll never log in via telnet or xterm or a
+# serial line.
+# TERM=xterm; export TERM
+
+EDITOR=vi; export EDITOR
+PAGER=less; export PAGER
+
+# set ENV to a file invoked each time sh is started for interactive use.
+ENV=$HOME/.shrc; export ENV
+
+# Let sh(1) know it's at home, despite /home being a symlink.
+if [ "$PWD" != "$HOME" ] && [ "$PWD" -ef "$HOME" ] ; then cd ; fi
+
+# Query terminal size; useful for serial lines.
+if [ -x /usr/bin/resizewin ] ; then /usr/bin/resizewin -z ; fi
+
+umask 0027
diff --git a/roles/pubnix/files/skel/dot.shrc b/roles/pubnix/files/skel/dot.shrc
new file mode 100644
index 0000000..d66a311
--- /dev/null
+++ b/roles/pubnix/files/skel/dot.shrc
@@ -0,0 +1,50 @@
+#
+# .shrc - bourne shell startup file
+#
+# This file will be used if the shell is invoked for interactive use and
+# the environment variable ENV is set to this file.
+#
+# see also sh(1), environ(7).
+#
+
+
+# file permissions: rwxr-xr-x
+#
+umask 027
+
+# Uncomment this to enable the builtin vi(1) command line editor in sh(1),
+# e.g. ESC to go into visual mode.
+# set -o vi
+
+
+# some useful aliases
+alias h='fc -l'
+alias j=jobs
+alias m="$PAGER"
+alias ll='ls -laFo'
+alias l='ls -l'
+alias g='egrep -i'
+
+# # be paranoid
+# alias cp='cp -ip'
+# alias mv='mv -i'
+# alias rm='rm -i'
+
+# # csh like history on arrow up and down
+bind ^[[A ed-search-prev-history
+bind ^[[B ed-search-next-history
+
+# # ctrl+arrow allow to jump from words to words
+bind "\\e[1;5C" em-next-word
+bind "\\e[1;5D" ed-prev-word
+alias history='fc -l'
+
+# Fix home/del for mobaxterm
+bind ^[[5~ ed-move-to-beg
+bind ^[[6~ ed-move-to-end
+
+# set prompt: ``username@hostname:directory $ ''
+PS1="\u@\h:\w \\$ "
+
+# search path for cd(1)
+# CDPATH=:$HOME
diff --git a/roles/pubnix/tasks/main.yaml b/roles/pubnix/tasks/main.yaml
index 85c47eb..2cead36 100644
--- a/roles/pubnix/tasks/main.yaml
+++ b/roles/pubnix/tasks/main.yaml
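Review bot: The comment `# file permissions: rwxr-xr-x` directly above `umask 027` describes a 022 umask; with 027 new files come out `rw-r-----` and directories `rwxr-x---`, readable by the group but not by other users, which on a shared pubnix host is exactly the property new users should be told about. I would change the comment to `# file permissions: rwxr-x--- (group may read, others may not)` so it matches the value below it. The `bind` lines are builtins of FreeBSD's sh(1), so this file is right for the jail's /bin/sh but will error if someone copies it to a host whose sh lacks `bind`; a one-line note saying so would spare the next reader a surprise.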
@@ -10,25 +10,38 @@ src: Bastillefile.j2 dest: "/usr/local/bastille/templates/services/{{ role_name }}/Bastillefile" -- name: create config path +- name: create config paths file: - path: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/" + path: "/usr/local/bastille/templates/services/{{ role_name }}/{{ item }}/" state: directory recurse: yes + loop: + - etc/ssh + - usr/share/skel -- name: copy config file +- name: copy sshd config file copy: src: sshd_config dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/" -# - name: create data/home dataset -# community.general.zfs: -# name: zroot/home -# state: present -# extra_zfs_properties: -# mountpoint: /data/home - +- name: copy skel files + copy: + src: "skel/{{ item }}" + dest: "/usr/local/bastille/templates/services/{{ role_name }}/usr/share/skel/{{ item }}" + loop: + - dot.bashrc + - dot.cshrc + - dot.emacs + - dot.login + - dot.login_conf + - dot.profile + - dot.shrc +- name: copy resolv.conf file + template: + src: resolv.conf.j2 + dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/resolv.conf" + - name: create jail shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0" args: 
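Review bot: The new `copy skel files` task stages the dotfiles under `…/templates/services/{{ role_name }}/usr/share/skel`, but the only consumer of that directory, the `CP usr/share/skel /usr/share/skel` line in Bastillefile.j2, is commented out in this same commit, so nothing in the play applies the customised skeleton yet. A comment on the task such as `# staged only: applied once Bastille's CP of usr/share/skel works (bastille#743)` would stop the dead task from being mistaken for a working one. Also, as far as I can tell `pw useradd -m` takes its skeleton directory from the pw.conf it is pointed at (`{{ rootdir }}/etc/pw.conf`, default `/usr/share/skel`) and that path is still resolved on the host when `-V` is used, so even once the CP works the jail-side skel may not be what new home directories are populated from; worth verifying where the files actually end up before relying on it. The `copy resolv.conf file` task passes no `owner`/`group`/`mode` to `template`, so the staged file takes the controller-side umask; `mode: '0644'` keeps it readable by unprivileged processes in the jail.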
@@ -38,14 +51,24 @@ # https://github.com/BastilleBSD/bastille/issues/342 shell: bastille start {{ role_name }} || true -# FIXME: fails, /etc/resolv.conf in jail is wrong, no working nameserver in there or outgoing dns forbidden - name: template jail shell: "bastille template {{ role_name }} services/{{ role_name }}" +# The normal ansible user module can't be used here, because we're +# talking about jail users here. I tried to patch the module to +# support the -R flag (https://github.com/ansible/ansible/pull/84371) +# but it makes no sense. Every single function needs to be patched so +# that it works for jails. +# +# So, instead I'm just using this simple script, which does the job as +# well. - name: Create users loop: "{{ users }}" - ansible.builtin.user: - name: "{{ item.name }}" - shell: "{{ item.shell }}" - groups: "{{ item.groups }}" - rootdir: "{{ item.rootdir }}"
+ shell: |
+ if pw -V {{ item.rootdir }}/etc user show {{ item.name }} > /dev/null 2>&1; then \
+ pw -V {{ item.rootdir }}/etc user mod {{ item.name }} -d /home/{{ item.name }} -G {{ item.groups }} -m -s {{ item.shell }}; \
+ echo "user {{ item.name }} modified"; \
+ else \
+ pw -V {{ item.rootdir }}/etc user add {{ item.name }} -d /home/{{ item.name }} -G {{ item.groups }} -m -s {{ item.shell }}; \
+ echo "user {{ item.name }} created"; \
+ fi
diff --git a/roles/pubnix/templates/Bastillefile.j2 b/roles/pubnix/templates/Bastillefile.j2
index e8704c9..29c86e6 100644
--- a/roles/pubnix/templates/Bastillefile.j2
+++ b/roles/pubnix/templates/Bastillefile.j2
@@ -13,4 +13,7 @@ FSTAB /home home nullfs rw 0 0 CP etc /
+# FIXME: fails for now, see: https://github.com/BastilleBSD/bastille/issues/743
+#CP usr/share/skel /usr/share/skel + SERVICE sshd start
diff --git a/roles/pubnix/templates/resolv.conf.j2 b/roles/pubnix/templates/resolv.conf.j2
new file mode 100644
index 0000000..da24562
--- /dev/null
+++ b/roles/pubnix/templates/resolv.conf.j2
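Review bot: The replacement `Create users` task interpolates `item.name`, `item.groups`, `item.shell` and `item.rootdir` straight into a shell command line with no quoting, so a value containing whitespace or shell metacharacters — harmless while it comes from group_vars, not once the `users` list is fed from a less trusted source — becomes command injection with whatever privileges the play runs with, presumably root on the host; Ansible's `quote` filter exists for exactly this (`{{ item.name | quote }}`). The task also has no `changed_when`, so every run reports changed because the `pw user mod` branch always executes, and without `set -e` a failing `pw` still prints "modified"/"created" and the play carries on. A version that quotes each value once, stops on the first error, and reports change only when a user was actually created:
```yaml
- name: Create users
  loop: "{{ users }}"
  register: pw_user
  changed_when: "'created' in pw_user.stdout"
  shell: |
    set -e
    name={{ item.name | quote }}
    etcdir={{ item.rootdir | quote }}/etc
    if pw -V "$etcdir" user show "$name" > /dev/null 2>&1; then
      pw -V "$etcdir" user mod "$name" -d "/home/$name" -G {{ item.groups | quote }} -m -s {{ item.shell | quote }}
      echo "user $name modified"
    else
      pw -V "$etcdir" user add "$name" -d "/home/$name" -G {{ item.groups | quote }} -m -s {{ item.shell | quote }}
      echo "user $name created"
    fi
```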
@@ -0,0 +1,2 @@
+nameserver {{ ansible_default_ipv6.address }}
+options edns0
diff --git a/roles/server/files/resolv.conf b/roles/server/files/resolv.conf
new file mode 100644
index 0000000..eb2851f
--- /dev/null
+++ b/roles/server/files/resolv.conf
@@ -0,0 +1,2 @@
+nameserver ::1
+options edns0
diff --git a/roles/server/tasks/main.yaml b/roles/server/tasks/main.yaml
index 95310e5..4f0b6a9 100644
--- a/roles/server/tasks/main.yaml
+++ b/roles/server/tasks/main.yaml
@@ -82,6 +82,14 @@ group: wheel mode: '0644'
+- name: Install knot resolv.conf
+ ansible.builtin.copy:
+ src: roles/server/files/resolv.conf
+ dest: /etc/resolv.conf
+ owner: root
+ group: wheel
+ mode: '0644' + - name: Symlink knot dig shell: "ln -sf /usr/local/bin/kdig /usr/local/bin/dig" args:
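Review bot: The jail's resolver is pointed at `{{ ansible_default_ipv6.address }}`, the host's default-route (globally routed) IPv6 address, and the TODO in this commit says kresd will be made to listen on `::`, so the recursive resolver ends up answering on an address reachable from outside the host; as far as I can see only the `block in log all` default in pf.conf.j2 then keeps it from being an open resolver. That dependency deserves a comment in this template, e.g. `# host-side kresd; reachable only because pf blocks inbound by default`, and kresd itself should restrict recursion to the host and the jail prefix (a `view`/`policy` ACL) so that a firewall mistake does not expose it. A link-local or ULA address on `bridge0`, if one is configured, would keep this traffic off the public interface altogether; `::1` is not an option here because the jail is created with `-B` (VNET) and so has its own loopback.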
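Review bot: `src: roles/server/files/resolv.conf` is a playbook-relative path, but inside a role `copy` resolves `src` against the role's own `files/` directory first, so the portable form is simply `src: resolv.conf`; the long form only works while the playbook is run from the repository root. The task also overwrites `/etc/resolv.conf` unconditionally, and on a FreeBSD host where `resolvconf(8)` is driven by DHCP or `rtsold` the file may be rewritten on the next lease or router advertisement, undoing `nameserver ::1`; if that applies here, `resolvconf_enable="NO"` in rc.conf or a `resolvconf.conf` override is needed, and a comment recording which case holds would help the next reader.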