From cd11f997b8eb6539c3cf9ec201effd80806878b9 Mon Sep 17 00:00:00 2001 From: Thomas von Dein Date: Fri, 22 Nov 2024 18:43:35 +0100 Subject: [PATCH] replace unbound w/ kresd, add user (needs ansible users bugfix for pw) --- TODO.md | 3 --- debug.yaml | 2 ++ deploy.yaml | 1 + group_vars/all/all.yaml | 32 +++++++++++++++----------- roles/firewall/tasks/main.yaml | 3 ++- roles/jails/templates/bastille.conf.j2 | 2 +- roles/pubnix/files/sshd_config | 1 + roles/pubnix/tasks/main.yaml | 8 +++++++ roles/pubnix/templates/Bastillefile.j2 | 4 +++- roles/reachable/tasks/main.yaml | 4 ++++ roles/server/files/kresd.conf | 12 ++++++++++ roles/server/handlers/main.yaml | 12 ++++++++++ roles/server/tasks/main.yaml | 25 ++++++++++++++++++++ 13 files changed, 89 insertions(+), 20 deletions(-) create mode 100644 roles/reachable/tasks/main.yaml create mode 100644 roles/server/files/kresd.conf create mode 100644 roles/server/handlers/main.yaml diff --git a/TODO.md b/TODO.md index de14a63..80a31d3 100644 --- a/TODO.md +++ b/TODO.md @@ -35,6 +35,3 @@ nullfs into jail ## Add quota config and enable/configure rctl -## Setup sshd_config for jail - -Using Bastillefile CP? diff --git a/debug.yaml b/debug.yaml index 0dbe3e3..cb7fdcf 100644 --- a/debug.yaml +++ b/debug.yaml @@ -1,7 +1,9 @@ --- - name: DEBUGGING ROLES + tags: active hosts: running gather_facts: true user: root roles: - role: network + - role: pubnix diff --git a/deploy.yaml b/deploy.yaml index 56ff359..b3ebf76 100644 --- a/deploy.yaml +++ b/deploy.yaml @@ -5,6 +5,7 @@ gather_facts: true user: root roles: + - role: reachable - role: server - role: network - role: firewall diff --git a/group_vars/all/all.yaml b/group_vars/all/all.yaml index 1e98052..d16d6be 100644 --- a/group_vars/all/all.yaml +++ b/group_vars/all/all.yaml @@ -8,6 +8,7 @@ packages: - cpdup - bash - doas + - knot-resolver # used by bastille to build a base release: 14.1-RELEASE 
@@ -25,8 +26,24 @@ ssh_keys: jails: pubnix: - octet: 2 + pkgs: + - bash + - zsh + - vim + - git + - htop + - tmux + - bind-tools + - coreutils + - emacs-nox + - fzf +users: + - name: scip + groups: wheel + shell: /usr/local/bin/bash + rootdir: /usr/local/bastille/jails/pubnix/root + storage: volume: size: 10 @@ -91,16 +108,3 @@ permissions: group: wheel mode: '0711' -jails: - pubnix: - pkgs: - - bash - - zsh - - vim - - git - - htop - - tmux - - bind-tools - - coreutils - - emacs-nox - - fzf diff --git a/roles/firewall/tasks/main.yaml b/roles/firewall/tasks/main.yaml index 4ca814e..43ea9d9 100644 --- a/roles/firewall/tasks/main.yaml +++ b/roles/firewall/tasks/main.yaml @@ -3,7 +3,8 @@ community.general.sysrc: name: pf_enable value: "YES" - notify: start pf + # FIXME: on first start causes the ansible connection to hang + # notify: start pf - name: enable pflog community.general.sysrc: diff --git a/roles/jails/templates/bastille.conf.j2 b/roles/jails/templates/bastille.conf.j2 index 242ae00..4c636db 100644 --- a/roles/jails/templates/bastille.conf.j2 +++ b/roles/jails/templates/bastille.conf.j2 @@ -57,7 +57,7 @@ bastille_network_pf_ext_if="ext_if" ## default bastille_network_pf_table="jails" ## default: "jails" bastille_network_shared="" ## default: "" bastille_network_gateway="" ## default: "" -bastille_network_gateway6="{{ jailip.stdout }}" ## default: "" +bastille_network_gateway6="{{ ansible_default_ipv6.address }}" ## default: "" ## Default Templates bastille_template_base="default/base" ## default: "default/base" diff --git a/roles/pubnix/files/sshd_config b/roles/pubnix/files/sshd_config index 886f337..e22dcd3 100644 --- a/roles/pubnix/files/sshd_config +++ b/roles/pubnix/files/sshd_config @@ -1,3 +1,4 @@ +# pubnix sshd config LogLevel INFO LoginGraceTime 1m PermitRootLogin no diff --git a/roles/pubnix/tasks/main.yaml b/roles/pubnix/tasks/main.yaml index feaf940..85c47eb 100644 --- a/roles/pubnix/tasks/main.yaml +++ b/roles/pubnix/tasks/main.yaml 
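Review bot: The new `users` entry puts the account in `wheel`, which on FreeBSD is the group permitted to `su` to root, so inside the pubnix jail this is an administrator rather than an ordinary shell user; a comment above the entry should make that deliberate, e.g. `# wheel: jail administrator (may su to root inside the jail)`. The entry also carries no password or key material, and the subject line says user passwords still need an Ansible fix, so whether the account can log in at all currently depends on what the module does with an absent `password` — worth stating in the same comment until that is resolved. `rootdir` is only consumed by the `ansible.builtin.user` call added in roles/pubnix/tasks/main.yaml in this commit, so the vars file should say that the path must match the jail created by the `jails` stanza directly above it.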
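Review bot: With `notify: start pf` commented out, a freshly provisioned host leaves `pf_enable=YES` in rc.conf but has no running firewall until the next reboot, so the rules this role installs are not enforced for the remainder of the play or until someone reboots; the FIXME records the hang but not that gap. The usual workaround for a service that cuts the control connection is to start it with `async: 10` / `poll: 0` and follow with `ansible.builtin.wait_for_connection` — the `reachable` role added in this commit already uses that primitive. If a later reboot is intended as the activation step, the comment should say so, e.g. `# pf is activated by the reboot at the end of provisioning; starting it here drops the SSH session`.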
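Review bot: `ansible_default_ipv6.address` is undefined when the host has no default IPv6 route (the fact is then an empty dict), so templating bastille.conf now fails hard on such hosts instead of rendering the previous empty-gateway default; if IPv6 is optional, `bastille_network_gateway6="{{ ansible_default_ipv6.address | default('') }}"` keeps the file renderable, and if it is required the failure is acceptable but should be stated in a comment above the line. The change also quietly stops using the registered `jailip` variable; if nothing else reads `jailip.stdout`, the task that registers it can be removed as well.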
@@ -41,3 +41,11 @@ # FIXME: fails, /etc/resolv.conf in jail is wrong, no working nameserver in there or outgoing dns forbidden - name: template jail shell: "bastille template {{ role_name }} services/{{ role_name }}" + +- name: Create users + loop: "{{ users }}" + ansible.builtin.user: + name: "{{ item.name }}" + shell: "{{ item.shell }}" + groups: "{{ item.groups }}" + rootdir: "{{ item.rootdir }}" diff --git a/roles/pubnix/templates/Bastillefile.j2 b/roles/pubnix/templates/Bastillefile.j2 index 023bdd4..e8704c9 100644 --- a/roles/pubnix/templates/Bastillefile.j2 +++ b/roles/pubnix/templates/Bastillefile.j2 @@ -6,9 +6,11 @@ SYSRC tmpsize=500m SYSRC tmpmfs=AUTO SYSRC clear_tmp_enable=YES -CMD rm /home +CMD if test -l /home; then rm /home; fi CMD mkdir -p /home FSTAB /home home nullfs rw 0 0 +CP etc / + SERVICE sshd start diff --git a/roles/reachable/tasks/main.yaml b/roles/reachable/tasks/main.yaml new file mode 100644 index 0000000..c8afb1b --- /dev/null +++ b/roles/reachable/tasks/main.yaml @@ -0,0 +1,4 @@ +--- +- name: wait until host is reachable + ansible.builtin.wait_for_connection: + timeout: 1200 diff --git a/roles/server/files/kresd.conf b/roles/server/files/kresd.conf new file mode 100644 index 0000000..3753207 --- /dev/null +++ b/roles/server/files/kresd.conf @@ -0,0 +1,12 @@ +-- Network interface configuration +net.listen('127.0.0.1', 53, { kind = 'dns' }) +net.listen('127.0.0.1', 853, { kind = 'tls' }) +net.listen('::1', 53, { kind = 'dns', freebind = true }) +net.listen('::1', 853, { kind = 'tls', freebind = true }) + +-- Load useful modules +modules = { + 'hints > iterate', -- Allow loading /etc/hosts or custom root hints + 'stats', -- Track internal statistics + 'predict', -- Prefetch expiring/frequent records +} diff --git a/roles/server/handlers/main.yaml b/roles/server/handlers/main.yaml new file mode 100644 index 0000000..91d6b5f --- /dev/null +++ b/roles/server/handlers/main.yaml 
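Review bot: `rootdir` is not a parameter of the stock `ansible.builtin.user` module as far as I can tell, and the subject line refers to a pending fix in the users module, so this task depends on a patched module; a comment naming that dependency, e.g. `# requires the patched ansible.builtin.user with rootdir support (see commit message)`, would turn a confusing argument error on an unpatched controller into a known cause. `groups: "{{ item.groups }}"` without `append: true` is the replace-supplementary-groups form, which is fine for a fresh account but will strip any group later added by hand on re-runs; if that is intended, say so in a comment. The task also sets no `password`, so the login state of the created account is whatever the module's default produces — until the password fix lands, `password_lock: true` would make that state explicit.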
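Review bot: `test -l` is not a test(1) primary, so in the jail's /bin/sh `test -l /home` exits non-zero with a syntax error and the `rm /home` branch can never run; the symlink check is `-L` (or `-h`): `CMD if test -L /home; then rm /home; fi`. As written the template silently falls through to `mkdir -p /home`, which succeeds when /home is a symlink to an existing directory, so the nullfs `FSTAB` mount would presumably land on the symlink target rather than on a fresh directory — the situation the guard was meant to avoid.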
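Review bot: kresd is bound only to `127.0.0.1` and `::1`, so nothing outside the host — in particular the jails, whose missing nameserver the FIXME in roles/pubnix/tasks/main.yaml still records — can reach it; if the intent is to serve the jails, an additional `net.listen` on the jail-facing address is needed, with the permitted query sources restricted (kresd's `view` module or the host pf rules) so the listener does not become an open resolver. The two `kind = 'tls'` listeners have no accompanying `net.tls()` certificate configuration, so as far as I know kresd falls back to an ephemeral self-signed certificate; on loopback that adds nothing over plain DNS, so either drop them or add a comment naming the client that uses them.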
@@ -0,0 +1,12 @@ +--- +- name: start kresd + service: + name: kresd + state: started + +- name: stop unbound + service: + name: local_unbound + state: stopped + +- meta: flush_handlers diff --git a/roles/server/tasks/main.yaml b/roles/server/tasks/main.yaml index e724182..95310e5 100644 --- a/roles/server/tasks/main.yaml +++ b/roles/server/tasks/main.yaml @@ -74,3 +74,28 @@ group: wheel mode: '0600' +- name: Install knot resolver config + ansible.builtin.copy: + src: roles/server/files/kresd.conf + dest: /usr/local/etc/knot-resolver/kresd.conf + owner: root + group: wheel + mode: '0644' + +- name: Symlink knot dig + shell: "ln -sf /usr/local/bin/kdig /usr/local/bin/dig" + args: + creates: "/usr/local/bin/dig" + +- name: disable unbound + community.general.sysrc: + name: local_unbound_enable + value: "NO" + notify: stop unbound + +- name: enable knot resolver + community.general.sysrc: + name: kresd_enable + value: "YES" + notify: start kresd +
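Review bot: Handlers run in the order they are defined in this file, not in notification order, so `start kresd` executes before `stop unbound`; FreeBSD's local_unbound listens on 127.0.0.1:53 by default, the same address kresd.conf binds, so on the first run kresd is likely to fail to start with the port still in use. Define `stop unbound` before `start kresd`, or make the unbound stop a plain task in tasks/main.yaml. The trailing `- meta: flush_handlers` is not a notifiable handler — as far as I can tell recent ansible-core rejects flush_handlers inside a handler list at parse time and older versions simply never run it — so it should move into the tasks file at the point where the flush is wanted, or be dropped.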
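Review bot: `Install knot resolver config` has no `notify`, and the only kresd handler added in this commit is `start kresd` with `state: started`, so a later edit to kresd.conf is copied but never applied on a host where kresd is already running; add a `restart kresd` handler and `notify: restart kresd` on the copy task. `src: roles/server/files/kresd.conf` also bypasses the role-relative file lookup and only works when the play is run from the repository root — `src: kresd.conf` resolves to roles/server/files/ regardless of the working directory. `Symlink knot dig` shells out to `ln -sf` with `creates` as the idempotence guard; `ansible.builtin.file` with `src: /usr/local/bin/kdig`, `dest: /usr/local/bin/dig`, `state: link` is the native, check-mode-aware form and also corrects the link if it points elsewhere.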