scip/bsdnix
1
0
Fork 0
Code Issues Pull Requests Activity

replace unbound w/ kresd, add user (needs ansible users bugfix for pw)

Browse Source
This commit is contained in:
Thomas von Dein 2024-11-22 18:43:35 +01:00
parent cfe6edae85
commit cd11f997b8
13 changed files with 89 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
TODO.md
View File

@ -35,6 +35,3 @@ nullfs into jail
## Add quota config and enable/configure rctl ## Add quota config and enable/configure rctl
## Setup sshd_config for jail
Using Bastillefile CP?

2
debug.yaml
View File

@ -1,7 +1,9 @@
--- ---
- name: DEBUGGING ROLES - name: DEBUGGING ROLES
tags: active
hosts: running hosts: running
gather_facts: true gather_facts: true
user: root user: root
roles: roles:
- role: network - role: network
- role: pubnix

1
deploy.yaml
View File

@ -5,6 +5,7 @@
gather_facts: true gather_facts: true
user: root user: root
roles: roles:
- role: reachable
- role: server - role: server
- role: network - role: network
- role: firewall - role: firewall

32
group_vars/all/all.yaml
View File

@ -8,6 +8,7 @@ packages:
- cpdup - cpdup
- bash - bash
- doas - doas
- knot-resolver
# used by bastille to build a base # used by bastille to build a base
release: 14.1-RELEASE release: 14.1-RELEASE
@ -25,8 +26,24 @@ ssh_keys:
jails: jails:
pubnix: pubnix:
octet: 2 pkgs:
- bash
- zsh
- vim
- git
- htop
- tmux
- bind-tools
- coreutils
- emacs-nox
- fzf
users:
- name: scip
groups: wheel
shell: /usr/local/bin/bash
rootdir: /usr/local/bastille/jails/pubnix/root
storage: storage:
volume: volume:
size: 10 size: 10
@ -91,16 +108,3 @@ permissions:
group: wheel group: wheel
mode: '0711' mode: '0711'
jails:
pubnix:
pkgs:
- bash
- zsh
- vim
- git
- htop
- tmux
- bind-tools
- coreutils
- emacs-nox
- fzf

3
roles/firewall/tasks/main.yaml
View File

@ -3,7 +3,8 @@
community.general.sysrc: community.general.sysrc:
name: pf_enable name: pf_enable
value: "YES" value: "YES"
notify: start pf # FIXME: on first start causes the ansible connection to hang
# notify: start pf
- name: enable pflog - name: enable pflog
community.general.sysrc: community.general.sysrc:

2
roles/jails/templates/bastille.conf.j2
View File

@ -57,7 +57,7 @@ bastille_network_pf_ext_if="ext_if" ## default
bastille_network_pf_table="jails" ## default: "jails" bastille_network_pf_table="jails" ## default: "jails"
bastille_network_shared="" ## default: "" bastille_network_shared="" ## default: ""
bastille_network_gateway="" ## default: "" bastille_network_gateway="" ## default: ""
bastille_network_gateway6="{{ jailip.stdout }}" ## default: "" bastille_network_gateway6="{{ ansible_default_ipv6.address }}" ## default: ""
## Default Templates ## Default Templates
bastille_template_base="default/base" ## default: "default/base" bastille_template_base="default/base" ## default: "default/base"

1
roles/pubnix/files/sshd_config
View File

@ -1,3 +1,4 @@
# pubnix sshd config
LogLevel INFO LogLevel INFO
LoginGraceTime 1m LoginGraceTime 1m
PermitRootLogin no PermitRootLogin no

8
roles/pubnix/tasks/main.yaml
View File

@ -41,3 +41,11 @@
# FIXME: fails, /etc/resolv.conf in jail is wrong, no working nameserver in there or outgoing dns forbidden # FIXME: fails, /etc/resolv.conf in jail is wrong, no working nameserver in there or outgoing dns forbidden
- name: template jail - name: template jail
shell: "bastille template {{ role_name }} services/{{ role_name }}" shell: "bastille template {{ role_name }} services/{{ role_name }}"
- name: Create users
loop: "{{ users }}"
ansible.builtin.user:
name: "{{ item.name }}"
shell: "{{ item.shell }}"
groups: "{{ item.groups }}"
rootdir: "{{ item.rootdir }}"

4
roles/pubnix/templates/Bastillefile.j2
View File

@ -6,9 +6,11 @@ SYSRC tmpsize=500m
SYSRC tmpmfs=AUTO SYSRC tmpmfs=AUTO
SYSRC clear_tmp_enable=YES SYSRC clear_tmp_enable=YES
CMD rm /home CMD if test -l /home; then rm /home; fi
CMD mkdir -p /home CMD mkdir -p /home
FSTAB /home home nullfs rw 0 0 FSTAB /home home nullfs rw 0 0
CP etc /
SERVICE sshd start SERVICE sshd start

4
roles/reachable/tasks/main.yaml Normal file
View File

@ -0,0 +1,4 @@
---
- name: wait until host is reachable
ansible.builtin.wait_for_connection:
timeout: 1200

12
roles/server/files/kresd.conf Normal file
View File

@ -0,0 +1,12 @@
-- Network interface configuration
net.listen('127.0.0.1', 53, { kind = 'dns' })
net.listen('127.0.0.1', 853, { kind = 'tls' })
net.listen('::1', 53, { kind = 'dns', freebind = true })
net.listen('::1', 853, { kind = 'tls', freebind = true })
-- Load useful modules
modules = {
'hints > iterate', -- Allow loading /etc/hosts or custom root hints
'stats', -- Track internal statistics
'predict', -- Prefetch expiring/frequent records
}

12
roles/server/handlers/main.yaml Normal file
View File

@ -0,0 +1,12 @@
---
- name: start kresd
service:
name: kresd
state: started
- name: stop unbound
service:
name: local_unbound
state: stopped
- meta: flush_handlers

25
roles/server/tasks/main.yaml
View File

@ -74,3 +74,28 @@
group: wheel group: wheel
mode: '0600' mode: '0600'
- name: Install knot resolver config
ansible.builtin.copy:
src: roles/server/files/kresd.conf
dest: /usr/local/etc/knot-resolver/kresd.conf
owner: root
group: wheel
mode: '0644'
- name: Symlink knot dig
shell: "ln -sf /usr/local/bin/kdig /usr/local/bin/dig"
args:
creates: "/usr/local/bin/dig"
- name: disable unbound
community.general.sysrc:
name: local_unbound_enable
value: "NO"
notify: stop unbound
- name: enable knot resolver
community.general.sysrc:
name: kresd_enable
value: "YES"
notify: start kresd