added devzat chat jail

2024-12-12 18:47:43 +01:00 · 2024-12-12 18:47:43 +01:00 · c7b89345bf
commit c7b89345bf
parent 4048b8fd92
11 changed files with 79 additions and 40 deletions
--- a/TODO.md
+++ b/TODO.md
@ -1,26 +1,5 @@
-## Install tarball
-
 ### clean known_host doesnt work

-### install from tarball example:
-
-```yaml
- name: "If jdk not exists then only download and unarchive"
-  unarchive:
-    src: "https://download.oracle.com/java/17/latest/jdk-17_linux-aarch64_bin.tar.gz"
-    dest: /opt/
-    remote_src: yes
-    creates: /opt/jdk-17
-  register: foo
- name: "Rename if download happens "
-  command: mv /opt/jdk-17_linux-arch64 /opt/jdk-17
-  when: foo.changed == True
-```
-
-### Cleanup release snapshot
-
- remove pkg function from root .bashrc
-
 ## Add quota config and enable/configure rctl

-## Add MOTD
+## Add bsdnix manpage (into pub jail)
--- a/deploy.yaml
+++ b/deploy.yaml
@ -12,4 +12,5 @@
    - role: firewall
    - role: ssh
    - role: jails
-    - role: pub
+    - role: chat
+    #- role: pub
--- a/group_vars/all/all.yaml
+++ b/group_vars/all/all.yaml
@ -12,6 +12,10 @@ packages:
  - go122
  - git

+versions:
+  - program: go122
+    link: go
+  
 # used by bastille to build a base
 release: 14.2-RELEASE

--- a/roles/chat/files/devzat
+++ b/roles/chat/files/devzat
@ -1,20 +1,23 @@
 #!/bin/sh

+#
+# PROVIDE: devzat
+# REQUIRE: networking
+# KEYWORD:
+
 . /etc/rc.subr

-name=devzat
-rcvar=devzat_enable 
-
-start_cmd="${name}_start"
-stop_cmd=":"
+name="devzat"
+rcvar="devzat_enable"
+devzat_user="nobody"
+devzat_command="/usr/local/sbin/devzat"
+pidfile="/tmp/${name}.pid"
+command="/usr/sbin/daemon"
+command_args="-P ${pidfile} ${devzat_command}"
+devzat_config="/usr/local/etc/devzat.yml"

 load_rc_config $name
 : ${devzat_enable:=no}
-: ${devzat_config="/usr/local/etc/devzat.yml"}
-: ${devzat_daemon="/usr/local/sbin/devzat"}
-
-devzat_start() {
-    DEVZAT_CONFIG="${devzat_config}" ${devzat_daemon}
-}

+export DEVZAT_CONFIG="${devzat_config}"
 run_rc_command "$1"
--- a/roles/chat/files/devzat.yml
+++ b/roles/chat/files/devzat.yml
@ -1,14 +1,14 @@
 # what port to host a server on ($PORT overrides this)
-port: 22
+port: 2222

 # what port to host profiling on (unimportant)
 profile_port: 5555

 # where to store data such as bans and logs
-data_dir: /var/run/devzat-data
+data_dir: /home/devzat/devzat-data

 # where the SSH private key is stored
-key_file: /var/run/devzat-sshkey
+key_file: /home/devzat/devzat-sshkey

 # whether to censor messages (optional)
 censor: false
--- a/roles/chat/tasks/main.yaml
+++ b/roles/chat/tasks/main.yaml
@ -1,8 +1,12 @@
 ---
+# we do NOT use:
+# git clone https://github.com/quackduck/devzat
+# but our own fork where we patched the torlist stuff away.
+# see: https://github.com/quackduck/devzat/issues/246
 - name: build devzat
  shell: |
    cd /tmp
-    git clone https://github.com/quackduck/devzat
+    git clone https://github.com/tlinden/devzat
    cd /tmp/devzat
    go build
  
@ -39,6 +43,7 @@
  copy:
    src: devzat
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/usr/local/etc/rc.d/"
+    mode: '0755'

 - name: create jail
  shell: "bastille create -B {{ role_name }} {{ release }} {{ chatip.stdout }}/64 bridge0"
--- a/roles/chat/templates/Bastillefile.j2
+++ b/roles/chat/templates/Bastillefile.j2
@ -6,4 +6,10 @@ SYSRC tmpmfs=AUTO
 SYSRC clear_tmp_enable=YES
 SYSRC devzat_enable=YES

+CMD if test -l /home; then rm /home; fi
+CMD mkdir -p /home
+FSTAB /home home nullfs rw 0 0
+
+CMD install -d -o nobody -m 700 /home/devzat
+
 SERVICE devzat start
--- a/roles/pub/tasks/main.yaml
+++ b/roles/pub/tasks/main.yaml
@ -47,6 +47,11 @@
    src: resolv.conf.j2
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/resolv.conf"

+- name: copy hosts file
+  template:
+    src: hosts.j2
+    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/hosts"
+    
 - name: create jail
  shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0"
  args:
--- a/roles/pub/templates/hosts.j2
+++ b/roles/pub/templates/hosts.j2
@ -0,0 +1,13 @@
+::1                     localhost localhost.my.domain
+127.0.0.1               localhost localhost.my.domain
+
+# https://danwin1210.de/github-ipv6-proxy.php
+2a01:4f8:c010:d56::2 github.com
+2a01:4f8:c010:d56::3 api.github.com
+2a01:4f8:c010:d56::4 codeload.github.com
+2a01:4f8:c010:d56::5 objects.githubusercontent.com
+2a01:4f8:c010:d56::6 ghcr.io
+2a01:4f8:c010:d56::7 pkg.github.com npm.pkg.github.com maven.pkg.github.com nuget.pkg.github.com rubygems.pkg.github.com
+2a01:4f8:c010:d56::8 uploads.github.com
+
+{{ chatip.stdout }} chat chat.bsdnix.de kobayashi kobayashi.bsdnix.de
--- a/roles/server/files/hosts
+++ b/roles/server/files/hosts
@ -0,0 +1,11 @@
+::1                     localhost localhost.my.domain
+127.0.0.1               localhost localhost.my.domain
+
+# https://danwin1210.de/github-ipv6-proxy.php
+2a01:4f8:c010:d56::2 github.com
+2a01:4f8:c010:d56::3 api.github.com
+2a01:4f8:c010:d56::4 codeload.github.com
+2a01:4f8:c010:d56::5 objects.githubusercontent.com
+2a01:4f8:c010:d56::6 ghcr.io
+2a01:4f8:c010:d56::7 pkg.github.com npm.pkg.github.com maven.pkg.github.com nuget.pkg.github.com rubygems.pkg.github.com
+2a01:4f8:c010:d56::8 uploads.github.com
--- a/roles/server/tasks/main.yaml
+++ b/roles/server/tasks/main.yaml
@ -4,6 +4,10 @@
    state: present
    name: "{{ packages }}"

+- name: Create program symlinks
+  shell: "ln -sf /usr/local/bin/{{ item.program }} /usr/local/bin/{{ item.link }}"
+  loop: "{{ versions }}"
+    
 # FIXME: remove the symlink in the next release snapshot
 - name: Remove old home sym link
  shell: |
@ -90,6 +94,14 @@
    group: wheel
    mode: '0644'

+- name: Install /etc/hosts file
+  copy:
+    src: hosts
+    dest: /etc/hosts
+    owner: root
+    group: wheel
+    mode: '0644'
+    
 - name: Install jlogin
  copy:
    src: jlogin