fixed chat jail, added releaser playbook, fixed rctl boot var

2024-12-16 12:23:19 +01:00
parent 7b60d8bf8c
commit ef31172e81
11 changed files with 59 additions and 38 deletions
--- a/roles/chat/tasks/main.yaml
+++ b/roles/chat/tasks/main.yaml
@@ -3,10 +3,11 @@
 # git clone https://github.com/quackduck/devzat
 # but our own fork where we patched the torlist stuff away.
 # see: https://github.com/quackduck/devzat/issues/246
+# https://github.com/tlinden/devzat
 - name: build devzat
  shell: |
    cd /tmp
-    git clone https://github.com/tlinden/devzat
+    git clone https://github.com/quackduck/devzat
    cd /tmp/devzat
    go build
  args:
@@ -62,9 +63,3 @@
 - name: template jail
  shell: |
    bastille template {{ role_name }} services/{{ role_name }}
-    touch /tmp/.ansible.devzattemplate
-  args:
-    # FIXME: might make it impossible to update, on the other hand w/o
-    # it this command fails with "devzat binary busy" when the jail is
-    # already running, since go binaries do not fork.
-    creates: /tmp/.ansible.devzattemplate
--- a/roles/chat/templates/Bastillefile.j2
+++ b/roles/chat/templates/Bastillefile.j2
@@ -1,3 +1,5 @@
+SERVICE devzat stop
+
 CP usr /

 SYSRC sendmail_enable=NONE
--- a/roles/install/tasks/main.yaml
+++ b/roles/install/tasks/main.yaml
@@ -13,7 +13,9 @@
  register: server

 - name: Attach the home volume
+  when: inventory_hostname in groups['vps']
  hetzner.hcloud.volume:
    name: "{{ storage.volume.name }}"
    server: "{{ hostname }}"
    state: present
+
--- a/roles/pub/bin/user.sh
+++ b/roles/pub/bin/user.sh
@@ -9,6 +9,7 @@ groups=""
 home=""
 shell="/usr/local/bin/bash"
 comment=""
+loginclass="jail"
 action=""

 usage() {
@@ -74,7 +75,7 @@ args=""
 root=""

 if test -n "$rootdir"; then
-    root="-R $rootdir -L jail"
+    root="-R $rootdir"
 fi

 if test -n "$groups"; then
@@ -97,6 +98,10 @@ if test -n "$comment"; then
    args="$args -c $comment"
 fi

+if test -n "$loginclass"; then
+    args="$args -L $loginclass"
+fi
+
 # the horse shall work
 case "$action" in
    present)
--- a/roles/pub/tasks/main.yaml
+++ b/roles/pub/tasks/main.yaml
@@ -79,12 +79,20 @@

 # create our login class, needed for rctl rules
 - name: create jail login class
-  shell: |
-    ( echo "jail:\\"; printf "\t:tc=default:\n" ) >> /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
-    cap_mkdb /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
-    touch /tmp/.ansiblepubloginconf
-  args:
-    creates: /tmp/.ansiblepubloginconf
+  blockinfile:
+    path: /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
+    append_newline: true
+    prepend_newline: true
+    block: |
+      jail:\
+          :tc=default:
+
+# shell: |
+#   ( echo "jail:\\"; printf "\t:tc=default:\n" ) >> /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
+#   cap_mkdb /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
+#   touch /tmp/.ansiblepubloginconf
+# args:
+#   creates: /tmp/.ansiblepubloginconf

 # create our own group[s]
 - name: Manage groups