fixed resolv.conf, user creation, pf, added skel files (fails)

2024-11-24 13:12:51 +01:00
parent cd11f997b8
commit b6bc036930
15 changed files with 690 additions and 16 deletions
--- a/roles/pubnix/tasks/main.yaml
+++ b/roles/pubnix/tasks/main.yaml
@@ -10,25 +10,38 @@
    src: Bastillefile.j2
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/Bastillefile"

- name: create config path
+- name: create config paths
  file:
-    path: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"
+    path: "/usr/local/bastille/templates/services/{{ role_name }}/{{ item }}/"
    state: directory
    recurse: yes
+  loop:
+    - etc/ssh
+    - usr/share/skel

- name: copy config file
+- name: copy sshd config file
  copy:
    src: sshd_config
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"

-# - name: create data/home dataset
-#   community.general.zfs:
-#     name: zroot/home
-#     state: present
-#     extra_zfs_properties:
-#       mountpoint: /data/home
-
+- name: copy skel files
+  copy:
+    src: "skel/{{ item }}"
+    dest: "/usr/local/bastille/templates/services/{{ role_name }}/usr/share/skel/{{ item }}"
+  loop:
+    - dot.bashrc
+    - dot.cshrc
+    - dot.emacs
+    - dot.login
+    - dot.login_conf
+    - dot.profile
+    - dot.shrc

+- name: copy resolv.conf file
+  template:
+    src: resolv.conf.j2
+    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/resolv.conf"
+    
 - name: create jail
  shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0"
  args:
@@ -38,14 +51,24 @@
  # https://github.com/BastilleBSD/bastille/issues/342
  shell: bastille start {{ role_name }} || true

-# FIXME: fails, /etc/resolv.conf in jail is wrong, no working nameserver in there or outgoing dns forbidden
 - name: template jail
  shell: "bastille template {{ role_name }} services/{{ role_name }}"

+# The normal  ansible user  module can't be  used here,  because we're
+# talking  about jail  users  here. I  tried to  patch  the module  to
+# support the  -R flag (https://github.com/ansible/ansible/pull/84371)
+# but it makes no sense. Every  single function needs to be patched so
+# that it works for jails.
+#
+# So, instead I'm just using this simple script, which does the job as
+# well.
 - name: Create users
  loop: "{{ users }}"
-  ansible.builtin.user:
-    name: "{{ item.name }}"
-    shell: "{{ item.shell }}"
-    groups: "{{ item.groups }}"
-    rootdir: "{{ item.rootdir }}"
+  shell: |
+    if pw -V {{ item.rootdir }}/etc user show {{ item.name }} > /dev/null 2>&1; then \
+       pw -V {{ item.rootdir }}/etc user mod  {{ item.name }} -d /home/{{ item.name }} -G {{ item.groups }} -m -s {{ item.shell }}; \
+       echo "user {{ item.name }} modified"; \
+    else \
+       pw -V {{ item.rootdir }}/etc user add  {{ item.name }} -d /home/{{ item.name }} -G {{ item.groups }} -m -s {{ item.shell }}; \
+       echo "user {{ item.name }} created"; \
+    fi