added devzat chat jail

2024-12-12 18:47:43 +01:00
parent 4048b8fd92
commit c7b89345bf
11 changed files with 79 additions and 40 deletions
--- a/roles/chat/files/devzat
+++ b/roles/chat/files/devzat
@@ -1,20 +1,23 @@
 #!/bin/sh

+#
+# PROVIDE: devzat
+# REQUIRE: networking
+# KEYWORD:
+
 . /etc/rc.subr

-name=devzat
-rcvar=devzat_enable 
+name="devzat"
+rcvar="devzat_enable"
+devzat_user="nobody"
+devzat_command="/usr/local/sbin/devzat"
+pidfile="/tmp/${name}.pid"
+command="/usr/sbin/daemon"
+command_args="-P ${pidfile} ${devzat_command}"
+devzat_config="/usr/local/etc/devzat.yml"

-start_cmd="${name}_start"
-stop_cmd=":"
-
-load_rc_config $name 
-: ${devzat_enable:=no} 
-: ${devzat_config="/usr/local/etc/devzat.yml"}
-: ${devzat_daemon="/usr/local/sbin/devzat"}
-
-devzat_start() {
-    DEVZAT_CONFIG="${devzat_config}" ${devzat_daemon}
-}
+load_rc_config $name
+: ${devzat_enable:=no}

+export DEVZAT_CONFIG="${devzat_config}"
 run_rc_command "$1"
--- a/roles/chat/files/devzat.yml
+++ b/roles/chat/files/devzat.yml
@@ -1,14 +1,14 @@
 # what port to host a server on ($PORT overrides this)
-port: 22
+port: 2222

 # what port to host profiling on (unimportant)
 profile_port: 5555

 # where to store data such as bans and logs
-data_dir: /var/run/devzat-data
+data_dir: /home/devzat/devzat-data

 # where the SSH private key is stored
-key_file: /var/run/devzat-sshkey
+key_file: /home/devzat/devzat-sshkey

 # whether to censor messages (optional)
 censor: false
--- a/roles/chat/tasks/main.yaml
+++ b/roles/chat/tasks/main.yaml
@@ -1,8 +1,12 @@
 ---
+# we do NOT use:
+# git clone https://github.com/quackduck/devzat
+# but our own fork where we patched the torlist stuff away.
+# see: https://github.com/quackduck/devzat/issues/246
 - name: build devzat
  shell: |
    cd /tmp
-    git clone https://github.com/quackduck/devzat
+    git clone https://github.com/tlinden/devzat
    cd /tmp/devzat
    go build
  
@@ -39,6 +43,7 @@
  copy:
    src: devzat
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/usr/local/etc/rc.d/"
+    mode: '0755'

 - name: create jail
  shell: "bastille create -B {{ role_name }} {{ release }} {{ chatip.stdout }}/64 bridge0"
--- a/roles/chat/templates/Bastillefile.j2
+++ b/roles/chat/templates/Bastillefile.j2
@@ -6,4 +6,10 @@ SYSRC tmpmfs=AUTO
 SYSRC clear_tmp_enable=YES
 SYSRC devzat_enable=YES

+CMD if test -l /home; then rm /home; fi
+CMD mkdir -p /home
+FSTAB /home home nullfs rw 0 0
+
+CMD install -d -o nobody -m 700 /home/devzat
+
 SERVICE devzat start