scip/bsdnix
1
0
Fork 0
Code Issues Pull Requests Activity

fixed resolv.conf, user creation, pf, added skel files (fails)

Browse Source
This commit is contained in:
Thomas von Dein 2024-11-24 13:12:51 +01:00
parent cd11f997b8
commit b6bc036930
15 changed files with 690 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
TODO.md
View File

@ -35,3 +35,8 @@ nullfs into jail
## Add quota config and enable/configure rctl ## Add quota config and enable/configure rctl
## DNS
- kresd.conf => listen on ::
- add ::1 to host resolv.conf
- add default gw to jail resolv.conf

4
group_vars/all/all.yaml
View File

@ -43,6 +43,10 @@ users:
groups: wheel groups: wheel
shell: /usr/local/bin/bash shell: /usr/local/bin/bash
rootdir: /usr/local/bastille/jails/pubnix/root rootdir: /usr/local/bastille/jails/pubnix/root
- name: tom
groups: nobody
shell: /usr/local/bin/bash
rootdir: /usr/local/bastille/jails/pubnix/root
storage: storage:
volume: volume:

2
roles/firewall/templates/pf.conf.j2
View File

@ -31,6 +31,8 @@ block in log all
### Allow outgoing, skip others rules if match, and track connections ### Allow outgoing, skip others rules if match, and track connections
pass out quick keep state pass out quick keep state
pass out inet6 keep state pass out inet6 keep state
# FIXME: does not survice reboots, that is: pf blocks after a reboot, pf must be reloaded, then it works
pass out quick on $ext_if keep state pass out quick on $ext_if keep state
pass out on $ext_if inet6 keep state pass out on $ext_if inet6 keep state

166
roles/pubnix/files/skel/dot.bashrc Executable file
View File

@ -0,0 +1,166 @@
# -*-shell-script-*-
#
# default bash config
# do not use the config if not in a terminal
if test -z "$PS1"; then
return
fi
# and do not use it if in no interactive terminal
if test "$TERM" = "dumb"; then
export PS1='$ '
return
fi
inputrc="$HOME/.inputrc"
# create helper configs, if requested. that way I don't have to copy
# around multiple files if I enter a new system
createcfgs() {
if ! test -f $inputrc; then
if ! test -w $HOME; then
inputrc="/tmp/.inputrc_tom"
fi
cat << EOF > $inputrc
# toms readline config
set show-all-if-ambiguous on
set meta-flag on
set input-meta on
set convert-meta on
set output-meta on
# C-a blocked by screen, so use these also
Meta-a: beginning-of-line
# alt-left
"\e[1;3C": forward-word
# ctrl-right
"\e[1;5C": forward-word
# alt-left, vnc
"\e\e[C": forward-word
# alt-right
"\e[1;3D": backward-word
# ctrl-left
"\e[1;5D": backward-word
# alt-left, vnc
"\e\e[D": backward-word
# alt-down
"\e[1;3B": beginning-of-line
# alt-down, vnc
"\e\e[A": beginning-of-line
# alt-up
"\e[1;3A": end-of-line
# alt-up, vnc
"\e\e[B": end-of-line
EOF
fi
}
# stay with en, but support umlauts and the other bastards
export LC_COLLATE="en_US.UTF-8"
export LC_CTYPE="de_DE.UTF-8"
export LC_MONETARY="de_DE.UTF-8"
export LC_NUMERIC="de_DE.UTF-8"
export LC_TIME="de_DE.UTF-8"
export LC_PAPER="de_DE.UTF-8"
export LANG="en_US.UTF-8"
export LC_LANG="en_US.UTF-8"
export LC_ALL="en_US.UTF-8"
export LANGUAGE="en_US.UTF-8"
export GDM_LANG="en_US.UTF-8"
# generate customized support configs
createcfgs
INPUTRC="$inputrc"
# global aliases
alias dir='ls -l'
alias ll='ls -l'
alias la='ls -la'
alias l='ls -alF'
alias ls-l='ls -l'
alias lt='ls -ltr'
alias o='less'
alias ..='cd ..'
alias ...='cd ../..'
alias ....='cd ../../..'
alias .....='cd ../../../..'
alias rd=rmdir
alias md='mkdir -p'
alias which='type -p'
alias less='less -i -P "?f%f:Standard input. %lb / %L ?e(END):>"'
alias les='less'
alias grip='egrep -i'
alias lc="tr '[A-Z]' '[a-z]'"
alias uc="tr '[a-z]' '[A-Z]'"
alias table="column -t"
alias gethttp="fetch -n --no-verify-peer --no-verify-hostname"
PROMPT_COMMAND="PS1='\[\033]0;\u@$host:\w\007\]
--- [\w] ---
\u@$host: $CURSOR '"
# customize path
for dir in $HOME/bin $HOME/.cabal/bin $HOME/perl5/perlbrew/bin /usr/local/bin /usr/local/sbin /usr/sbin; do
if test -d $dir; then
PATH=$PATH:$dir
fi
done
export PATH
# global env vars
EDITOR=vim
# history options
HISTFILESIZE=1000000
HISTSIZE=1000000
HISTCONTROL=ignoreboth
HISTIGNORE='ls:bg:fg:history'
HISTTIMEFORMAT='%F %T '
export EDITOR PROMPT_COMMAND PATH LESSCHARSET GREP_OPTIONS HISTFILE HISTFILESIZE HISTSIZE HISTCONTROL HISTIGNORE HISTTIMEFORMAT INPUTRC
# better override
umask 0027
# completion?
bash=${BASH_VERSION%.*}; bmajor=${bash%.*}; bminor=${bash#*.}
if [ "$PS1" ] && [ $bmajor -eq 2 ] && [ $bminor '>' 04 ] \
&& [ -f ~/.completion ]; then # interactive shell
# Source completion code
source ~/.completion
fi
# bash options
shopt -s cdable_vars checkhash checkwinsize histappend cmdhist
# perl brew installed?
if test -d ~/perl5; then
source ~/perl5/perlbrew/etc/bashrc
fi
# python?
if test -e ~/.pythonrc; then
export PYTHONSTARTUP=~/.pythonrc
fi
# any local specific config?
if test -e ~/.bashrc-local; then
source ~/.bashrc-local
fi
# rust?
if test -e /usr/local/rust/cargo/env; then
source /usr/local/rust/cargo/env
export RUSTUP_HOME=/usr/local/rust/rustup
export CARGO_HOME=/usr/local/rust/cargo
fi

42
roles/pubnix/files/skel/dot.cshrc Normal file
View File

@ -0,0 +1,42 @@
#
# .cshrc - csh resource script, read at beginning of execution by each shell
#
# see also csh(1), environ(7).
# more examples available at /usr/share/examples/csh/
#
alias h history 25
alias j jobs -l
alias la ls -aF
alias lf ls -FA
alias ll ls -lAF
# These are normally set through /etc/login.conf. You may override them here
# if wanted.
# set path = (/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin $HOME/bin)
# A righteous umask
# umask 22
setenv EDITOR vi
setenv PAGER less
if ($?prompt) then
# An interactive shell -- set some stuff up
set prompt = "%N@%m:%~ %# "
set promptchars = "%#"
set filec
set history = 1000
set savehist = (1000 merge)
set autolist = ambiguous
# Use history to aid expansion
set autoexpand
set autorehash
set mail = (/var/mail/$USER)
if ( $?tcsh ) then
bindkey "^W" backward-delete-word
bindkey -k up history-search-backward
bindkey -k down history-search-forward
endif
endif

324
roles/pubnix/files/skel/dot.emacs Normal file
View File

@ -0,0 +1,324 @@
;; * Default emacs config -*-emacs-lisp-*-
;;
;; https://github.com/TLINDEN/emacs-skel
;; * Enable Fontlock-mode (colours) in gui mode
;; see: https://www.emacswiki.org/emacs/CustomizingBoth
(if window-system
(progn
(global-font-lock-mode 1)
(set-background-color "white")
(set-foreground-color "DarkBlue")
))
;; * Display cursor as row in Terminal
(unless (display-graphic-p)
;; else (optional)
(global-hl-line-mode)
(set-face-background hl-line-face "DarkGray")
(set-face-foreground hl-line-face "Black")
)
;; --------------------------------------------------------------------------------
;; * Console backspace fix
(define-key key-translation-map [?\C-h] [?\C-?])
;; * Some sensible defaults
;; no ~ backups
(setq make-backup-files nil)
;; disable Toolbar
(tool-bar-mode -1)
;; disable menubar (default: enabled)
;; (menu-bar-mode -1)
;; disable menubardialog boxes (default: enabled)
;; (setq use-dialog-box nil)
;; disable scrollbars (default: enabled)
;; Scrolleisten abschalten (standard: ein)
;; (scroll-bar-mode 0)
;; Less output during startup
(setq inhibit-startup-message t)
(setq inhibit-startup-screen t)
;; show column number
(column-number-mode t)
;; Set x11 window title
(setq frame-title-format '(buffer-file-name "emacs %f" ("emacs %b")))
;; create valid unix files
(setq require-final-newline t)
;; show matching parens
(show-paren-mode 1)
;; cursor doesn't move when scrolling
(setq scroll-preserve-screen-position t)
;; no comment columns
(setq-default comment-column 0)
;; no auto-save
(setq auto-save-default nil)
;; always display all buffers
(setq buffers-menu-max-size nil)
(setq mouse-buffer-menu-mode-mult 30)
;; don't hide anything
(setq disabled-command-function nil)
;; Mark == Copy
(setq mouse-drag-copy-region t)
;; more Ram
(setq gc-cons-threshold 20000000)
;; --------------------------------------------------------------------------------
;; * Scratch Buffer
;; default content of *scratch* buffer == short help
(setq initial-scratch-message ";;
;; Short help (Keys: C == Control, M == Alt or META):
;; Combination (eg. C-x C-f): keep control pressed, then x, then f
;; Cascade (eg. C-x 3): press control and x, release, then 3
;; Key with mouse (eg. C-mouse1): press control and left mouse button
;; M-x <cmd> execute emacs command | M-w copy marked stuff
;; C-x C-f open a file | C-w delete marked stuff
;; C-x C-S save buffer to file | C-y insert (paste, yank)
;; C-x C-q close buffer | C-g abort current action
;; C-mouse-1 popup buffer list | C-s search forward
;; C-x 2 split window horizontally | again: next match
;; C-x 3 split window vertically | C-r search backwards
;; M-o switch bffers | C-x C-c finish emacs
;; C-x 1 show only one buffer | C-x b switch buffer
;; C-x k close current buffer | C-c i invert colours
;; C-<del> delete left word | C-<entf> delete right word
;; C-<up> jump 1 paragraph up | C-<down> jump 1 paragraph down
;; C-<left> jump 1 word left | C-<right> jump 1 word right
;; C-_ UNDO | C-g C-_ REDO
;; <home> or C-a beginning of line, then window, then buffer
;; <end> or C-e end of line, then window, then buffer
;; M-x query-replace search/replace
;; M-x query-replace-regex dito, with regex (man perlre)
;; M-x <xxx-mode> (xxx: cperl, ruby etc) enable mode
;; Configuration: ~/.emacs, Tutorial: C-h t, https://emacswiki.org/
;; This is the *scratch* buffer for short notices a testing elisp.
")
;; --------------------------------------------------------------------------------
;; * y means yes
(defalias 'yes-or-no-p 'y-or-n-p)
;; --------------------------------------------------------------------------------
;; * TAB/Indent
(setq-default indent-tabs-mode nil)
(setq-default tab-width 4)
(setq indent-line-function 'insert-tab)
(setq tab-stop-list (quote (4 8 12 16 20 24 28 32 36 40 44
48 52 56 60 64 68 72 76 80 84
88 92 96 100 104 108 112 116 120)))
(setq tab-always-indent 'complete)
(add-hook 'makefile-mode-hook '(lambda() (setq indent-tabs-mode t)))
;; --------------------------------------------------------------------------------
;; * Helper
(defun add-something-to-mode-hooks (mode-list something)
"helper function to add a callback to multiple hooks"
(dolist (mode mode-list)
(add-hook (intern (concat (symbol-name mode) "-mode-hook")) something)))
;; * Standard key bindings
;; --------------------------------------------------------------------------------
;; c-h != delete
(keyboard-translate ?\C-h ?\C-?)
(keyboard-translate ?\C-? ?\C-h)
;; general keys (re-)mappings
(global-set-key (kbd "C-s") 'isearch-forward-regexp)
(global-set-key (kbd "C-r") 'isearch-backward-regexp)
(global-set-key (kbd "<backtab>") 'dabbrev-completion) ; shift-TAB: inline completion
(global-set-key (kbd "M-o") 'other-window) ; Buffer wechseln
(global-set-key (kbd "<delete>") 'delete-char)
(global-set-key (kbd "<backspace>") 'backward-delete-char)
(global-set-key (kbd "S-<delete>") 'kill-word) ; Shift+Del delete word
(global-set-key (kbd "S-<backspace>") 'backward-kill-word) ; Shift+Backspace dito
(global-set-key (kbd "C-<delete>") 'kill-word) ; Shift+Del dito
(global-set-key (kbd "C-<backspace>") 'backward-kill-word) ; Shift+Backspace dito
(global-unset-key (kbd "C-z"))
(global-set-key (kbd "C-x k") 'kill-this-buffer) ; close buffers immediately
;; --------------------------------------------------------------------------------
;; * Invert fore- and background
;; remember last inverse
(defvar my-invert-state t)
;; invert everything, reverse it when called again
(defun my-invert()
"invert fg-bg"
(interactive)
(invert-face 'default)
(invert-face 'mode-line)
(set-face-attribute 'fringe nil :inverse-video my-invert-state)
(setq my-invert-state (not my-invert-state)) ;; cycle variable my-invert-state
)
(global-set-key (kbd "C-c i") 'my-invert)
;; --------------------------------------------------------------------------------
;; * Custom binding for HOME and END keys (and CTRL-a und CTRL-e)
;; from viking-mode:
(defun my-last-key-repeats ()
"Returns how many times the last key has been pressed as integer."
(interactive)
(let* ((keys (reverse (append (recent-keys) nil)))
(pressed (car keys))
(times 0))
(progn
(catch 'nomore
(dolist (k keys)
(if (equal pressed k)
(setq times (+ times 1))
(throw 'nomore t))))
times)))
(defun pc-keys-home ()
"Go to beginning of line/window/buffer. First hitting key goes
to beginning of line, second in a row goes to beginning of
window, third in a row goes to beginning of buffer."
(interactive)
(let* (
(key-times (my-last-key-repeats)))
(cond
((eq key-times 3)
(if mark-active
(goto-char (point-min))
(beginning-of-buffer)))
((eq key-times 2)
(if mark-active () (push-mark))
(move-to-window-line 0))
((eq key-times 1)
(beginning-of-line))
)))
(defun pc-keys-end ()
"Go to end of line/window/buffer. First hitting key goes
to end of line, second in a row goes to end of
window, third in a row goes to end of buffer."
(interactive)
(let* (
(key-times (my-last-key-repeats)))
(cond
((eq key-times 3)
(if mark-active
(goto-char (point-max))
(end-of-buffer)))
((eq key-times 2)
(if mark-active () (push-mark))
(move-to-window-line -1)
(end-of-line)
)
((eq key-times 1)
(end-of-line))
)))
(global-set-key (kbd "<home>") 'pc-keys-home)
(global-set-key (kbd "<end>") 'pc-keys-end)
(global-set-key (kbd "C-a") 'pc-keys-home)
(global-set-key (kbd "C-e") 'pc-keys-end)
;; --------------------------------------------------------------------------------
;; * IDO mode - better completion during file open etc
;; Press C-f during IDO in order to get to normal behavior
(ido-mode t)
(ido-everywhere nil)
(setq ido-enable-flex-matching t)
(setq ido-use-filename-at-point nil)
(setq ido-use-virtual-buffers t)
(setq ido-auto-merge-work-directories-length -1)
;; Do not use IDO during save-as (C-x C-w)
(defvar my-ido-disabled nil)
(advice-add 'ido-write-file :before '(lambda (&rest args) (ido-mode 0) (setq my-ido-disabled t)))
(advice-add 'ido-write-file :after '(lambda (&rest args) (ido-mode 1) (setq my-ido-disabled nil)))
(defun my-keyboard-quit-advice (fn &rest args)
(when my-ido-disabled
(ido-mode 1)
(setq my-ido-disabled nil))
(apply fn args))
(advice-add 'abort-recursive-edit :around #'my-keyboard-quit-advice)
;; --------------------------------------------------------------------------------
;; * Highlight TABs
(defface extra-whitespace-face
'((t (:background "pale green")))
"Used for tabs and such.")
(defvar my-extra-keywords
'(("\t" . 'extra-whitespace-face)))
(add-something-to-mode-hooks '(c c++ vala cperl emacs-lisp python shell-script)
(lambda () (font-lock-add-keywords nil my-extra-keywords)))
;; --------------------------------------------------------------------------------
;; * Emacs Autoconfig / Customizegroup Placeholder
;; This is the place where emacs stores configuration options
;; customized interactively with:
;; M-x customize-group <RET> <group> <RET>
(custom-set-faces
;; custom-set-faces was added by Custom.
'(default ((t (:family "DejaVu Sans Mono" :foundry "unknown" :slant normal :weight normal :width normal))))
'(cperl-nonoverridable-face ((((class color) (background light)) (:foreground "Magenta"))))
'(custom-documentation-face ((t (:foreground "Navy"))) t)
'(custom-group-tag-face-1 ((((class color) (background light)) (:underline t :foreground "VioletRed"))) t)
'(font-lock-builtin-face ((t (:foreground "BlueViolet"))))
'(font-lock-comment-face ((t (:foreground "DarkGreen"))))
'(font-lock-constant-face ((t (:foreground "Magenta"))))
'(font-lock-function-name-face ((t (:bold nil :foreground "DarkOrchid"))))
'(font-lock-keyword-face ((t (:foreground "Blue"))))
'(font-lock-string-face ((t (:foreground "Red"))))
'(font-lock-type-face ((t (:foreground "DarkSlateBlue"))))
'(font-lock-variable-name-face ((t (:foreground "Sienna"))))
'(font-lock-warning-face ((t (:bold t :foreground "Red"))))
'(highlight ((t (:background "DodgerBlue2" :foreground "White"))))
'(ido-only-match ((t (:foreground "dark green" :weight bold))))
'(mode-line ((t (:foreground "White" :background "Blue"))))
'(mode-line-inactive ((t (:foreground "White" :background "DimGray"))))
'(outline-1 ((t (:inherit font-lock-function-name-face :underline t :weight bold))))
'(outline-2 ((t (:inherit font-lock-variable-name-face :underline t :weight bold))))
'(outline-3 ((t (:inherit font-lock-keyword-face :underline t :weight bold))))
'(outline-4 ((t (:inherit font-lock-comment-face :underline t))))
'(region ((t (:foreground "Aquamarine" :background "Darkblue"))))
'(secondary-selection ((t (:foreground "Green" :background "darkslateblue")))))
(custom-set-variables
;; custom-set-variables was added by Custom.
)

9
roles/pubnix/files/skel/dot.login Normal file
View File

@ -0,0 +1,9 @@
#
# .login - csh login script, read by login shell, after `.cshrc' at login.
#
# See also csh(1), environ(7).
#
# Query terminal size; useful for serial lines.
if ( -x /usr/bin/resizewin ) /usr/bin/resizewin -z

6
roles/pubnix/files/skel/dot.login_conf Normal file
View File

@ -0,0 +1,6 @@
#
# see login.conf(5)
#
#me:\
# :charset=iso-8859-1:\
# :lang=de_DE.ISO8859-1:

28
roles/pubnix/files/skel/dot.profile Normal file
View File

@ -0,0 +1,28 @@
#
# .profile - Bourne Shell startup script for login shells
#
# see also sh(1), environ(7).
#
# These are normally set through /etc/login.conf. You may override them here
# if wanted.
# PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:$HOME/bin; export PATH
# Setting TERM is normally done through /etc/ttys. Do only override
# if you're sure that you'll never log in via telnet or xterm or a
# serial line.
# TERM=xterm; export TERM
EDITOR=vi; export EDITOR
PAGER=less; export PAGER
# set ENV to a file invoked each time sh is started for interactive use.
ENV=$HOME/.shrc; export ENV
# Let sh(1) know it's at home, despite /home being a symlink.
if [ "$PWD" != "$HOME" ] && [ "$PWD" -ef "$HOME" ] ; then cd ; fi
# Query terminal size; useful for serial lines.
if [ -x /usr/bin/resizewin ] ; then /usr/bin/resizewin -z ; fi
umask 0027

50
roles/pubnix/files/skel/dot.shrc Normal file
View File

@ -0,0 +1,50 @@
#
# .shrc - bourne shell startup file
#
# This file will be used if the shell is invoked for interactive use and
# the environment variable ENV is set to this file.
#
# see also sh(1), environ(7).
#
# file permissions: rwxr-xr-x
#
umask 027
# Uncomment this to enable the builtin vi(1) command line editor in sh(1),
# e.g. ESC to go into visual mode.
# set -o vi
# some useful aliases
alias h='fc -l'
alias j=jobs
alias m="$PAGER"
alias ll='ls -laFo'
alias l='ls -l'
alias g='egrep -i'
# # be paranoid
# alias cp='cp -ip'
# alias mv='mv -i'
# alias rm='rm -i'
# # csh like history on arrow up and down
bind ^[[A ed-search-prev-history
bind ^[[B ed-search-next-history
# # ctrl+arrow allow to jump from words to words
bind "\\e[1;5C" em-next-word
bind "\\e[1;5D" ed-prev-word
alias history='fc -l'
# Fix home/del for mobaxterm
bind ^[[5~ ed-move-to-beg
bind ^[[6~ ed-move-to-end
# set prompt: ``username@hostname:directory $ ''
PS1="\u@\h:\w \\$ "
# search path for cd(1)
# CDPATH=:$HOME

55
roles/pubnix/tasks/main.yaml
View File

@ -10,25 +10,38 @@
src: Bastillefile.j2 src: Bastillefile.j2
dest: "/usr/local/bastille/templates/services/{{ role_name }}/Bastillefile" dest: "/usr/local/bastille/templates/services/{{ role_name }}/Bastillefile"
- name: create config path - name: create config paths
file: file:
path: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/" path: "/usr/local/bastille/templates/services/{{ role_name }}/{{ item }}/"
state: directory state: directory
recurse: yes recurse: yes
loop:
- etc/ssh
- usr/share/skel
- name: copy config file - name: copy sshd config file
copy: copy:
src: sshd_config src: sshd_config
dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/" dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"
# - name: create data/home dataset - name: copy skel files
# community.general.zfs: copy:
# name: zroot/home src: "skel/{{ item }}"
# state: present dest: "/usr/local/bastille/templates/services/{{ role_name }}/usr/share/skel/{{ item }}"
# extra_zfs_properties: loop:
# mountpoint: /data/home - dot.bashrc
- dot.cshrc
- dot.emacs
- dot.login
- dot.login_conf
- dot.profile
- dot.shrc
- name: copy resolv.conf file
template:
src: resolv.conf.j2
dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/resolv.conf"
- name: create jail - name: create jail
shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0" shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0"
args: args:
@ -38,14 +51,24 @@
# https://github.com/BastilleBSD/bastille/issues/342 # https://github.com/BastilleBSD/bastille/issues/342
shell: bastille start {{ role_name }} || true shell: bastille start {{ role_name }} || true
# FIXME: fails, /etc/resolv.conf in jail is wrong, no working nameserver in there or outgoing dns forbidden
- name: template jail - name: template jail
shell: "bastille template {{ role_name }} services/{{ role_name }}" shell: "bastille template {{ role_name }} services/{{ role_name }}"
# The normal ansible user module can't be used here, because we're
# talking about jail users here. I tried to patch the module to
# support the -R flag (https://github.com/ansible/ansible/pull/84371)
# but it makes no sense. Every single function needs to be patched so
# that it works for jails.
#
# So, instead I'm just using this simple script, which does the job as
# well.
- name: Create users - name: Create users
loop: "{{ users }}" loop: "{{ users }}"
ansible.builtin.user: shell: |
name: "{{ item.name }}" if pw -V {{ item.rootdir }}/etc user show {{ item.name }} > /dev/null 2>&1; then \
shell: "{{ item.shell }}" pw -V {{ item.rootdir }}/etc user mod {{ item.name }} -d /home/{{ item.name }} -G {{ item.groups }} -m -s {{ item.shell }}; \
groups: "{{ item.groups }}" echo "user {{ item.name }} modified"; \
rootdir: "{{ item.rootdir }}" else \
pw -V {{ item.rootdir }}/etc user add {{ item.name }} -d /home/{{ item.name }} -G {{ item.groups }} -m -s {{ item.shell }}; \
echo "user {{ item.name }} created"; \
fi

3
roles/pubnix/templates/Bastillefile.j2
View File

@ -13,4 +13,7 @@ FSTAB /home home nullfs rw 0 0
CP etc / CP etc /
# FIXME: fails for now, see: https://github.com/BastilleBSD/bastille/issues/743
#CP usr/share/skel /usr/share/skel
SERVICE sshd start SERVICE sshd start

2
roles/pubnix/templates/resolv.conf.j2 Normal file
View File

@ -0,0 +1,2 @@
nameserver {{ ansible_default_ipv6.address }}
options edns0

2
roles/server/files/resolv.conf Normal file
View File

@ -0,0 +1,2 @@
nameserver ::1
options edns0

8
roles/server/tasks/main.yaml
View File

@ -82,6 +82,14 @@
group: wheel group: wheel
mode: '0644' mode: '0644'
- name: Install knot resolv.conf
ansible.builtin.copy:
src: roles/server/files/resolv.conf
dest: /etc/resolv.conf
owner: root
group: wheel
mode: '0644'
- name: Symlink knot dig - name: Symlink knot dig
shell: "ln -sf /usr/local/bin/kdig /usr/local/bin/dig" shell: "ln -sf /usr/local/bin/kdig /usr/local/bin/dig"
args: args: