replace unbound w/ kresd, add user (needs ansible users bugfix for pw)

2024-11-22 18:43:35 +01:00 · 2024-11-22 18:43:35 +01:00 · cd11f997b8
commit cd11f997b8
parent cfe6edae85
13 changed files with 89 additions and 20 deletions
--- a/TODO.md
+++ b/TODO.md
@ -35,6 +35,3 @@ nullfs into jail

 ## Add quota config and enable/configure rctl

-## Setup sshd_config for jail
-
-Using Bastillefile CP?
--- a/debug.yaml
+++ b/debug.yaml
@ -1,7 +1,9 @@
 ---
 - name: DEBUGGING ROLES
+  tags: active
  hosts: running
  gather_facts: true
  user: root
  roles:
    - role: network
+    - role: pubnix
--- a/deploy.yaml
+++ b/deploy.yaml
@ -5,6 +5,7 @@
  gather_facts: true
  user: root
  roles:
+    - role: reachable
    - role: server
    - role: network
    - role: firewall
--- a/group_vars/all/all.yaml
+++ b/group_vars/all/all.yaml
@ -8,6 +8,7 @@ packages:
  - cpdup
  - bash
  - doas
+  - knot-resolver

 # used by bastille to build a base
 release: 14.1-RELEASE
@ -25,7 +26,23 @@ ssh_keys:

 jails:
  pubnix:
-    octet: 2
+    pkgs:
+      - bash
+      - zsh
+      - vim
+      - git
+      - htop
+      - tmux
+      - bind-tools
+      - coreutils
+      - emacs-nox
+      - fzf
+
+users:
+  - name: scip
+    groups: wheel
+    shell: /usr/local/bin/bash
+    rootdir: /usr/local/bastille/jails/pubnix/root
    
 storage:
  volume:
@ -91,16 +108,3 @@ permissions:
    group: wheel
    mode: '0711'

-jails:
-  pubnix:
-    pkgs:
-      - bash
-      - zsh
-      - vim
-      - git
-      - htop
-      - tmux
-      - bind-tools
-      - coreutils
-      - emacs-nox
-      - fzf
--- a/roles/firewall/tasks/main.yaml
+++ b/roles/firewall/tasks/main.yaml
@ -3,7 +3,8 @@
  community.general.sysrc:
    name: pf_enable
    value: "YES"
-  notify: start pf
+    # FIXME: on first start causes the ansible connection to hang
+    # notify: start pf

 - name: enable pflog
  community.general.sysrc:
--- a/roles/jails/templates/bastille.conf.j2
+++ b/roles/jails/templates/bastille.conf.j2
@ -57,7 +57,7 @@ bastille_network_pf_ext_if="ext_if"                                   ## default
 bastille_network_pf_table="jails"                                     ## default: "jails"
 bastille_network_shared=""                                            ## default: ""
 bastille_network_gateway=""                                           ## default: ""
-bastille_network_gateway6="{{ jailip.stdout }}"        ## default: ""
+bastille_network_gateway6="{{ ansible_default_ipv6.address }}"        ## default: ""

 ## Default Templates
 bastille_template_base="default/base"                                 ## default: "default/base"
--- a/roles/pubnix/files/sshd_config
+++ b/roles/pubnix/files/sshd_config
@ -1,3 +1,4 @@
+# pubnix sshd config
 LogLevel INFO
 LoginGraceTime 1m
 PermitRootLogin no
--- a/roles/pubnix/tasks/main.yaml
+++ b/roles/pubnix/tasks/main.yaml
@ -41,3 +41,11 @@
 # FIXME: fails, /etc/resolv.conf in jail is wrong, no working nameserver in there or outgoing dns forbidden
 - name: template jail
  shell: "bastille template {{ role_name }} services/{{ role_name }}"
+
+- name: Create users
+  loop: "{{ users }}"
+  ansible.builtin.user:
+    name: "{{ item.name }}"
+    shell: "{{ item.shell }}"
+    groups: "{{ item.groups }}"
+    rootdir: "{{ item.rootdir }}"
--- a/roles/pubnix/templates/Bastillefile.j2
+++ b/roles/pubnix/templates/Bastillefile.j2
@ -6,9 +6,11 @@ SYSRC tmpsize=500m
 SYSRC tmpmfs=AUTO
 SYSRC clear_tmp_enable=YES

-CMD rm /home
+CMD if test -l /home; then rm /home; fi
 CMD mkdir -p /home

 FSTAB /home home nullfs rw 0 0

+CP etc /
+
 SERVICE sshd start
--- a/roles/reachable/tasks/main.yaml
+++ b/roles/reachable/tasks/main.yaml
@ -0,0 +1,4 @@
+---
+- name: wait until host is reachable
+  ansible.builtin.wait_for_connection:
+    timeout: 1200
--- a/roles/server/files/kresd.conf
+++ b/roles/server/files/kresd.conf
@ -0,0 +1,12 @@
+-- Network interface configuration
+net.listen('127.0.0.1', 53, { kind = 'dns' })
+net.listen('127.0.0.1', 853, { kind = 'tls' })
+net.listen('::1', 53, { kind = 'dns', freebind = true })
+net.listen('::1', 853, { kind = 'tls', freebind = true })
+
+-- Load useful modules
+modules = {
+        'hints > iterate',  -- Allow loading /etc/hosts or custom root hints
+        'stats',            -- Track internal statistics
+        'predict',          -- Prefetch expiring/frequent records
+}
--- a/roles/server/handlers/main.yaml
+++ b/roles/server/handlers/main.yaml
@ -0,0 +1,12 @@
+---
+- name: start kresd
+  service:
+    name: kresd
+    state: started
+
+- name: stop unbound
+  service:
+    name: local_unbound
+    state: stopped
+
+- meta: flush_handlers
--- a/roles/server/tasks/main.yaml
+++ b/roles/server/tasks/main.yaml
@ -74,3 +74,28 @@
    group: wheel
    mode: '0600'

+- name: Install knot resolver config
+  ansible.builtin.copy:
+    src: roles/server/files/kresd.conf
+    dest: /usr/local/etc/knot-resolver/kresd.conf
+    owner: root
+    group: wheel
+    mode: '0644'
+
+- name: Symlink knot dig
+  shell: "ln -sf /usr/local/bin/kdig /usr/local/bin/dig"
+  args:
+    creates: "/usr/local/bin/dig"
+
+- name: disable unbound
+  community.general.sysrc:
+    name: local_unbound_enable
+    value: "NO"
+  notify: stop unbound
+
+- name: enable knot resolver
+  community.general.sysrc:
+    name: kresd_enable
+    value: "YES"
+  notify: start kresd
+