From ef31172e81b65483a40d26fc067f801b30cf0b97 Mon Sep 17 00:00:00 2001 From: Thomas von Dein Date: Mon, 16 Dec 2024 12:23:19 +0100 Subject: [PATCH] fixed chat jail, added releaser playbook, fixed rctl boot var --- Makefile | 4 ++++ TODO.md | 26 ++++---------------------- cleanup.yaml | 2 +- group_vars/all/all.yaml | 2 +- inventory/vps.yaml | 5 +++++ release.yaml | 18 ++++++++++++++++++ roles/chat/tasks/main.yaml | 9 ++------- roles/chat/templates/Bastillefile.j2 | 2 ++ roles/install/tasks/main.yaml | 2 ++ roles/pub/bin/user.sh | 7 ++++++- roles/pub/tasks/main.yaml | 20 ++++++++++++++------ 11 files changed, 59 insertions(+), 38 deletions(-) create mode 100644 release.yaml diff --git a/Makefile b/Makefile index 8b8d7db..2221c3b 100644 --- a/Makefile +++ b/Makefile @@ -14,6 +14,7 @@ SNAPSHOT = $(shell hcloud image list -t snapshot -o yaml | \ OPTIONS = -i inventory -t active CREATE_COMMAND = ansible-playbook create.yaml $(OPTIONS) +RELEASE_COMMAND = ansible-playbook release.yaml $(OPTIONS) DEPLOY_COMMAND = ansible-playbook deploy.yaml $(OPTIONS) CLEAN_COMMAND = ansible-playbook cleanup.yaml $(OPTIONS) HOSTS_COMMAND = ansible-playbook knownhosts.yaml $(OPTIONS) @@ -30,6 +31,9 @@ debug: create: $(ENV) $(CREATE_COMMAND) +release: + $(ENV) $(RELEASE_COMMAND) + hosts: $(ENV) $(HOSTS_COMMAND) diff --git a/TODO.md b/TODO.md index 41ad667..fa912ae 100644 --- a/TODO.md +++ b/TODO.md 
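Review bot: The new `release` target names an action, not a file, so if the Makefile keeps a `.PHONY` list for `create`/`hosts` (the top of the file is outside the hunk) `release` belongs in it too, otherwise a stray file called `release` in the checkout silently turns the target into a no-op. The `RELEASE_COMMAND` line itself mirrors `CREATE_COMMAND` and fits the existing `*_COMMAND` pattern.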
@@ -8,27 +8,9 @@ See Bastillefile pub
-## racct.enable = 1!
+## racct/rctl test
-sysctl kern.racct.enable=1
-sysctl: oid 'kern.racct.enable' is a read only tunable
-sysctl: Tunable values are set in /boot/loader.conf
+test the current setup: does it get configured and how does it limit
+users? also check if new users belong to login class "jail" and test
+their limits
-not ="YES"
-
-+ test the current setup: does it get configured and how does it limit
- users? also check if new users belong to login class "jail" and test
- their limits
-
-## bastille start+template
-
-https://github.com/BastilleBSD/bastille/issues/772
-
-Maybe build+copy devzat only after the jail is built and running by
-just copying the binariy into it, perhaps like this:
-
-- stop
-- copy
-- start
-
-or something.
diff --git a/cleanup.yaml b/cleanup.yaml
index e39e601..4e0f68f 100644
--- a/cleanup.yaml
+++ b/cleanup.yaml
@@ -1,7 +1,7 @@
 ---
 - name: Remove BSDNIX Servers
 tags: active
- hosts: vps
+ hosts: vps,relvps
 connection: local
 gather_facts: False
 user: root
diff --git a/group_vars/all/all.yaml b/group_vars/all/all.yaml
index 84d408c..e6c57b5 100644
--- a/group_vars/all/all.yaml
+++ b/group_vars/all/all.yaml
@@ -20,7 +20,7 @@ versions:
 release: 14.2-RELEASE
 # snapshot to install in new vps
-snapshot: FreeBSD-14.2-RELEASE-p0-0-hcloud-init
+snapshot: FreeBSD-14.2-RELEASE-p0-1-hcloud-init
 location: fsn1
diff --git a/inventory/vps.yaml b/inventory/vps.yaml
index 7bda3ca..b0c9fb5 100644
--- a/inventory/vps.yaml
+++ b/inventory/vps.yaml
@@ -4,3 +4,8 @@ vps:
 suto:
 hostname: suto
+relvps:
+ hosts:
+ releaser:
+ hostname: releaser
+
diff --git a/release.yaml b/release.yaml
new file mode 100644
index 0000000..a50ae21
--- /dev/null
+++ b/release.yaml
@@ -0,0 +1,18 @@
+---
+- name: Create BSDNIX Release Server
+ tags: active
+ hosts: relvps
+ connection: local
+ gather_facts: False
+ user: root
+ roles:
+ - role: install
+
+- name: Deploy BSDNIX Release Server
+ tags: active
+ hosts: running
+ gather_facts: true
+ user: root
+ roles:
+ - role: dns
+
diff --git a/roles/chat/tasks/main.yaml b/roles/chat/tasks/main.yaml
index bd1f850..5c1f7de 100644
--- a/roles/chat/tasks/main.yaml
+++ b/roles/chat/tasks/main.yaml
@@ -3,10 +3,11 @@
 # git clone https://github.com/quackduck/devzat
 # but our own fork where we patched the torlist stuff away.
 # see: https://github.com/quackduck/devzat/issues/246
+# https://github.com/tlinden/devzat
 - name: build devzat
 shell: |
 cd /tmp
- git clone https://github.com/tlinden/devzat
+ git clone https://github.com/quackduck/devzat
 cd /tmp/devzat
 go build
 args:
@@ -62,9 +63,3 @@
 - name: template jail
 shell: |
 bastille template {{ role_name }} services/{{ role_name }}
- touch /tmp/.ansible.devzattemplate
- args:
- # FIXME: might make it impossible to update, on the other hand w/o
- # it this command fails with "devzat binary busy" when the jail is
- # already running, since go binaries do not fork.
- creates: /tmp/.ansible.devzattemplate
diff --git a/roles/chat/templates/Bastillefile.j2 b/roles/chat/templates/Bastillefile.j2
index 46855e5..748904b 100644
--- a/roles/chat/templates/Bastillefile.j2
+++ b/roles/chat/templates/Bastillefile.j2
@@ -1,3 +1,5 @@
+SERVICE devzat stop
+
 CP usr /
 SYSRC sendmail_enable=NONE
diff --git a/roles/install/tasks/main.yaml b/roles/install/tasks/main.yaml
index caa755d..3595dd5 100644
--- a/roles/install/tasks/main.yaml
+++ b/roles/install/tasks/main.yaml
@@ -13,7 +13,9 @@
 register: server
 - name: Attach the home volume
+ when: inventory_hostname in groups['vps']
 hetzner.hcloud.volume:
 name: "{{ storage.volume.name }}"
 server: "{{ hostname }}"
 state: present
+
diff --git a/roles/pub/bin/user.sh b/roles/pub/bin/user.sh
index f7c9caa..4c37f9c 100755
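Review bot: `gather_facts: False` in the first play uses the YAML 1.1 capitalised form while the second play writes `gather_facts: true`; write `gather_facts: false` so the new file uses one canonical boolean spelling. The second play targets `hosts: running`, a group that does not exist in `inventory/vps.yaml`, so it is presumably populated at run time by the `install` role; a comment above that play, e.g. `# 'running' is populated by the install role once the new server answers`, would spare the next reader a search through the roles. The release server only receives `install` and `dns`; if that is the intended difference from the regular vps playbook, a one-line comment at the top saying so would make it clear this is not an omission.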
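Review bot: The comment block above `build devzat` still says the build uses "our own fork where we patched the torlist stuff away" and now even adds the fork URL `https://github.com/tlinden/devzat`, yet the `git clone` on the new side fetches upstream `https://github.com/quackduck/devzat`; one of the two is wrong, and the comment should state which source is intended and why the fork is no longer needed. Whichever repository is chosen, the clone is unpinned, so every deploy compiles whatever the remote default branch holds at that moment and the binary that lands in the jail is neither reproducible nor reviewable; pin a tag or commit, e.g. `git clone --branch <tag> https://github.com/quackduck/devzat` or a `git checkout <commit>` right after the clone, and record the chosen ref in the comment. The task's `args:` section continues past the hunk.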
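Review bot: With the `creates:` guard removed, `bastille template` now runs on every play and the `shell` task will always report `changed`; together with the `SERVICE devzat stop` added to the Bastillefile this also takes the chat service down on every run, even when nothing was rebuilt. If the intent is "re-template only after a new binary was built", add `register: devzat_build` to the build task and gate this one with `when: devzat_build is changed`; if unconditional re-templating is deliberate, say so in a comment, because the FIXME that explained the old trade-off disappears with these lines.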
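Review bot: `SERVICE devzat stop` runs before `CP usr /`, so on a freshly created jail the devzat rc script that `CP usr /` presumably installs does not exist yet and the stop fails; if bastille aborts the template on a failing directive, first-time provisioning now breaks even though the running-jail case this line fixes works. A tolerant form such as `CMD service devzat onestop || true` keeps both cases working; whether the file starts the service again further down is outside the hunk.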
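Review bot: `when: inventory_hostname in groups['vps']` raises an undefined-key error on any inventory that lacks a `vps` group, which becomes plausible now that hosts are being split into `vps` and `relvps`; `when: "'vps' in group_names"` tests the same thing against the current host's own group list and cannot fail that way. Ansible convention also places `when:` after the module arguments rather than between `name` and `hetzner.hcloud.volume`, which keeps the task readable as conditions accumulate. The added trailing blank line at the end of the hunk is noise.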
--- a/roles/pub/bin/user.sh
+++ b/roles/pub/bin/user.sh
@@ -9,6 +9,7 @@ groups=""
 home=""
 shell="/usr/local/bin/bash"
 comment=""
+loginclass="jail"
 action=""
 usage() {
@@ -74,7 +75,7 @@ args=""
 root=""
 if test -n "$rootdir"; then
- root="-R $rootdir -L jail"
+ root="-R $rootdir"
 fi
 if test -n "$groups"; then
@@ -97,6 +98,10 @@ if test -n "$comment"; then
 args="$args -c $comment"
 fi
+if test -n "$loginclass"; then
+ args="$args -L $loginclass"
+fi
+
 # the horse shall work
 case "$action" in
 present)
diff --git a/roles/pub/tasks/main.yaml b/roles/pub/tasks/main.yaml
index 738e4f9..8b8c6b8 100644
--- a/roles/pub/tasks/main.yaml
+++ b/roles/pub/tasks/main.yaml
@@ -79,12 +79,20 @@
 # create our login class, needed for rctl rules
 - name: create jail login class
- shell: |
- ( echo "jail:\\"; printf "\t:tc=default:\n" ) >> /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
- cap_mkdb /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
- touch /tmp/.ansiblepubloginconf
- args:
- creates: /tmp/.ansiblepubloginconf
+ blockinfile:
+ path: /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
+ append_newline: true
+ prepend_newline: true
+ block: |
+ jail:\
+ :tc=default:
+
+# shell: |
+# ( echo "jail:\\"; printf "\t:tc=default:\n" ) >> /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
+# cap_mkdb /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
+# touch /tmp/.ansiblepubloginconf
+# args:
+# creates: /tmp/.ansiblepubloginconf
 # create our own group[s]
 - name: Manage groups
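Review bot: The default `loginclass="jail"` in the first hunk, combined with the unconditional `-L $loginclass` added in the third hunk, now requests the `jail` login class on every invocation, whereas before the second hunk's change the class was only passed when `$rootdir` was set, i.e. for users created inside a jail; any host-side invocation now asks the user tool (presumably pw(8), given `-R`/`-L`) for a class the host's own login.conf may not define, and none of these hunks adds an option to override the default. If the wider scope is intended, document it next to the default with `# login class for every new user; the 'jail' class is created by the pub role` and make sure the host defines it too; otherwise keep the old behaviour with `loginclass=""` as the default and set `loginclass="jail"` inside the `if test -n "$rootdir"` branch. The option parsing and the command that consumes `$args` lie outside the hunks.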
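Review bot: The `cap_mkdb` call goes away with the old `shell:` task and nothing on the new side rebuilds `login.conf.db`; FreeBSD consults the compiled database in preference to the text file when it is present (the base system ships one), so the appended `jail` class stays invisible to `-L jail` and to the rctl rules until someone rebuilds it by hand — the very thing the TODO says is still to be tested. Register the `blockinfile` result and run `cap_mkdb` when it changed, as below; a handler would do as well. The commented-out `# shell:` block left under the task is dead code now that git history keeps it, so drop it rather than carrying both versions. `blockinfile` without an explicit `marker` writes `# BEGIN/END ANSIBLE MANAGED BLOCK` lines, which login.conf accepts as comments, so that part is fine.
```yaml
- name: create jail login class
  blockinfile:
    # … unchanged: path, append_newline, prepend_newline, block …
  register: jail_login_conf

# login.conf.db is what the system actually consults; rebuild it whenever
# the text file changed.
- name: rebuild login.conf.db
  command: cap_mkdb /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
  when: jail_login_conf is changed
```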