fixed chat jail, added releaser playbook, fixed rctl boot var
This commit is contained in:
parent
7b60d8bf8c
commit
ef31172e81
4
Makefile
4
Makefile
@ -14,6 +14,7 @@ SNAPSHOT = $(shell hcloud image list -t snapshot -o yaml | \
|
|||||||
|
|
||||||
OPTIONS = -i inventory -t active
|
OPTIONS = -i inventory -t active
|
||||||
CREATE_COMMAND = ansible-playbook create.yaml $(OPTIONS)
|
CREATE_COMMAND = ansible-playbook create.yaml $(OPTIONS)
|
||||||
|
RELEASE_COMMAND = ansible-playbook release.yaml $(OPTIONS)
|
||||||
DEPLOY_COMMAND = ansible-playbook deploy.yaml $(OPTIONS)
|
DEPLOY_COMMAND = ansible-playbook deploy.yaml $(OPTIONS)
|
||||||
CLEAN_COMMAND = ansible-playbook cleanup.yaml $(OPTIONS)
|
CLEAN_COMMAND = ansible-playbook cleanup.yaml $(OPTIONS)
|
||||||
HOSTS_COMMAND = ansible-playbook knownhosts.yaml $(OPTIONS)
|
HOSTS_COMMAND = ansible-playbook knownhosts.yaml $(OPTIONS)
|
||||||
@ -30,6 +31,9 @@ debug:
|
|||||||
create:
|
create:
|
||||||
$(ENV) $(CREATE_COMMAND)
|
$(ENV) $(CREATE_COMMAND)
|
||||||
|
|
||||||
|
release:
|
||||||
|
$(ENV) $(RELEASE_COMMAND)
|
||||||
|
|
||||||
hosts:
|
hosts:
|
||||||
$(ENV) $(HOSTS_COMMAND)
|
$(ENV) $(HOSTS_COMMAND)
|
||||||
|
|
||||||
|
|||||||
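Review bot: The new `release` target in the second hunk is a command rather than a file, so it belongs in the Makefile's `.PHONY` list next to `create` and `hosts`; that list, if there is one, is outside both hunks, so I cannot tell whether it was updated. Without it a stray file named `release` in the checkout would make `make release` silently report nothing to do. The `RELEASE_COMMAND` definition in the first hunk follows the existing `= ansible-playbook … $(OPTIONS)` pattern and is fine as written.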
26
TODO.md
26
TODO.md
@ -8,27 +8,9 @@
|
|||||||
|
|
||||||
See Bastillefile pub
|
See Bastillefile pub
|
||||||
|
|
||||||
## racct.enable = 1!
|
## racct/rctl test
|
||||||
|
|
||||||
sysctl kern.racct.enable=1
|
test the current setup: does it get configured and how does it limit
|
||||||
sysctl: oid 'kern.racct.enable' is a read only tunable
|
users? also check if new users belong to login class "jail" and test
|
||||||
sysctl: Tunable values are set in /boot/loader.conf
|
their limits
|
||||||
|
|
||||||
not ="YES"
|
|
||||||
|
|
||||||
+ test the current setup: does it get configured and how does it limit
|
|
||||||
users? also check if new users belong to login class "jail" and test
|
|
||||||
their limits
|
|
||||||
|
|
||||||
## bastille start+template
|
|
||||||
|
|
||||||
https://github.com/BastilleBSD/bastille/issues/772
|
|
||||||
|
|
||||||
Maybe build+copy devzat only after the jail is built and running by
|
|
||||||
just copying the binariy into it, perhaps like this:
|
|
||||||
|
|
||||||
- stop
|
|
||||||
- copy
|
|
||||||
- start
|
|
||||||
|
|
||||||
or something.
|
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
- name: Remove BSDNIX Servers
|
- name: Remove BSDNIX Servers
|
||||||
tags: active
|
tags: active
|
||||||
hosts: vps
|
hosts: vps,relvps
|
||||||
connection: local
|
connection: local
|
||||||
gather_facts: False
|
gather_facts: False
|
||||||
user: root
|
user: root
|
||||||
|
|||||||
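Review bot: Widening `hosts: vps` to `hosts: vps,relvps` makes the removal play take down the release server in the same run as the ordinary VPS hosts, so a routine cleanup now also destroys the releaser unless the caller remembers `--limit`. If any task in this play handles the persistent home volume (the create play in this commit now guards its attach task with `when: inventory_hostname in groups['vps']`), the same guard is needed here so the releaser host is not treated as if it had one; the play's tasks are outside the hunk. A one-line comment above `hosts:` would make the scope explicit, e.g. `# also removes the release server (relvps)`.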
@ -20,7 +20,7 @@ versions:
|
|||||||
release: 14.2-RELEASE
|
release: 14.2-RELEASE
|
||||||
|
|
||||||
# snapshot to install in new vps
|
# snapshot to install in new vps
|
||||||
snapshot: FreeBSD-14.2-RELEASE-p0-0-hcloud-init
|
snapshot: FreeBSD-14.2-RELEASE-p0-1-hcloud-init
|
||||||
|
|
||||||
location: fsn1
|
location: fsn1
|
||||||
|
|
||||||
|
|||||||
@ -4,3 +4,8 @@ vps:
|
|||||||
suto:
|
suto:
|
||||||
hostname: suto
|
hostname: suto
|
||||||
|
|
||||||
|
relvps:
|
||||||
|
hosts:
|
||||||
|
releaser:
|
||||||
|
hostname: releaser
|
||||||
|
|
||||||
|
|||||||
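--- /dev/null
+++ b/release.yaml
@@ -0,0 +1,18 @@
+---
+- name: Create BSDNIX Release Server
+tags: active
+hosts: relvps
+connection: local
+gather_facts: False
+user: root
+roles:
+- role: install
+
+- name: Deploy BSDNIX Release Server
+tags: active
+hosts: running
+gather_facts: true
+user: root
+roles:
+- role: dns
+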
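Review bot: The second play targets `hosts: running`, a group that the inventory hunk in this commit does not define (it adds only `relvps` with the `releaser` host); presumably the `install` role populates it at runtime with `add_host`, but nothing in this file says so. A comment on that line, e.g. `# 'running' is populated at runtime by the install role`, would save the next reader from searching the inventory for a group that is not there. The two plays also spell the boolean differently (`gather_facts: False` vs `gather_facts: true`); both parse, but one form is easier to grep for.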
@ -3,10 +3,11 @@
|
|||||||
# git clone https://github.com/quackduck/devzat
|
# git clone https://github.com/quackduck/devzat
|
||||||
# but our own fork where we patched the torlist stuff away.
|
# but our own fork where we patched the torlist stuff away.
|
||||||
# see: https://github.com/quackduck/devzat/issues/246
|
# see: https://github.com/quackduck/devzat/issues/246
|
||||||
|
# https://github.com/tlinden/devzat
|
||||||
- name: build devzat
|
- name: build devzat
|
||||||
shell: |
|
shell: |
|
||||||
cd /tmp
|
cd /tmp
|
||||||
git clone https://github.com/tlinden/devzat
|
git clone https://github.com/quackduck/devzat
|
||||||
cd /tmp/devzat
|
cd /tmp/devzat
|
||||||
go build
|
go build
|
||||||
args:
|
args:
|
||||||
@ -62,9 +63,3 @@
|
|||||||
- name: template jail
|
- name: template jail
|
||||||
shell: |
|
shell: |
|
||||||
bastille template {{ role_name }} services/{{ role_name }}
|
bastille template {{ role_name }} services/{{ role_name }}
|
||||||
touch /tmp/.ansible.devzattemplate
|
|
||||||
args:
|
|
||||||
# FIXME: might make it impossible to update, on the other hand w/o
|
|
||||||
# it this command fails with "devzat binary busy" when the jail is
|
|
||||||
# already running, since go binaries do not fork.
|
|
||||||
creates: /tmp/.ansible.devzattemplate
|
|
||||||
|
|||||||
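Review bot: In the first hunk the clone now pulls `https://github.com/quackduck/devzat`, while the surrounding comments (including the newly added `# https://github.com/tlinden/devzat`) say the build must use the patched fork rather than upstream; one of the two is wrong, and if the fork is intended the URL should be reverted. Either way the clone is unpinned: `git clone` followed by `go build` builds whatever the remote branch head is at deploy time, so two deploys can yield different binaries and an upstream change lands on the jail without review. Pinning a tag or commit, e.g. `git clone --branch <TAG> https://github.com/tlinden/devzat` or a `git checkout <COMMIT>` before `go build`, keeps the build reproducible; the task's remaining `args:` block is outside the hunk.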
@ -1,3 +1,5 @@
|
|||||||
|
SERVICE devzat stop
|
||||||
|
|
||||||
CP usr /
|
CP usr /
|
||||||
|
|
||||||
SYSRC sendmail_enable=NONE
|
SYSRC sendmail_enable=NONE
|
||||||
|
|||||||
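Review bot: `SERVICE devzat stop` now runs at the top of the template so that `CP usr /` can replace the binary, but nothing in the hunk starts it again; unless a later line (the rest of the Bastillefile is outside the hunk) issues a `SERVICE devzat start` or restart, every re-application of the template leaves the chat service down. Because the template-jail task in this commit dropped its `creates:` sentinel, the template is applied on every playbook run, so that would be a recurring outage rather than a one-off. A comment on the stop line, e.g. `# stop first: a running go binary is busy and CP cannot overwrite it`, would also preserve the reasoning that was removed together with the task's FIXME.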
@ -13,7 +13,9 @@
|
|||||||
register: server
|
register: server
|
||||||
|
|
||||||
- name: Attach the home volume
|
- name: Attach the home volume
|
||||||
|
when: inventory_hostname in groups['vps']
|
||||||
hetzner.hcloud.volume:
|
hetzner.hcloud.volume:
|
||||||
name: "{{ storage.volume.name }}"
|
name: "{{ storage.volume.name }}"
|
||||||
server: "{{ hostname }}"
|
server: "{{ hostname }}"
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
|||||||
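Review bot: The new `when: inventory_hostname in groups['vps']` on the volume-attach task skips the attach for the releaser host, but any later task that formats or mounts that volume (outside the hunk) needs the same condition or it will fail on `relvps` hosts where nothing was attached. A comment explaining the guard would help, e.g. `# only ordinary VPS hosts carry a persistent home volume; the release server has none`. If the test has to be repeated on several tasks, a group variable set only for the `vps` group would be easier to keep consistent than copying the group-membership expression.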
@ -9,6 +9,7 @@ groups=""
|
|||||||
home=""
|
home=""
|
||||||
shell="/usr/local/bin/bash"
|
shell="/usr/local/bin/bash"
|
||||||
comment=""
|
comment=""
|
||||||
|
loginclass="jail"
|
||||||
action=""
|
action=""
|
||||||
|
|
||||||
usage() {
|
usage() {
|
||||||
@ -74,7 +75,7 @@ args=""
|
|||||||
root=""
|
root=""
|
||||||
|
|
||||||
if test -n "$rootdir"; then
|
if test -n "$rootdir"; then
|
||||||
root="-R $rootdir -L jail"
|
root="-R $rootdir"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if test -n "$groups"; then
|
if test -n "$groups"; then
|
||||||
@ -97,6 +98,10 @@ if test -n "$comment"; then
|
|||||||
args="$args -c $comment"
|
args="$args -c $comment"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if test -n "$loginclass"; then
|
||||||
|
args="$args -L $loginclass"
|
||||||
|
fi
|
||||||
|
|
||||||
# the horse shall work
|
# the horse shall work
|
||||||
case "$action" in
|
case "$action" in
|
||||||
present)
|
present)
|
||||||
|
|||||||
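Review bot: Moving the login class out of `root="-R $rootdir -L jail"` into the new `loginclass="jail"` default and the `args="$args -L $loginclass"` block in the third hunk changes behaviour: `-L` was previously passed only when `$rootdir` was set, and is now passed for every user the script creates, including ones created outside a jail root. If that is intended, a one-line comment next to the default, e.g. `# default login class; rctl limits are keyed on it`, would record it. If the script takes a command-line option for the class, the `usage()` text (cut off at the end of the first hunk) should mention it as well.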
@ -79,12 +79,20 @@
|
|||||||
|
|
||||||
# create our login class, needed for rctl rules
|
# create our login class, needed for rctl rules
|
||||||
- name: create jail login class
|
- name: create jail login class
|
||||||
shell: |
|
blockinfile:
|
||||||
( echo "jail:\\"; printf "\t:tc=default:\n" ) >> /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
|
path: /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
|
||||||
cap_mkdb /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
|
append_newline: true
|
||||||
touch /tmp/.ansiblepubloginconf
|
prepend_newline: true
|
||||||
args:
|
block: |
|
||||||
creates: /tmp/.ansiblepubloginconf
|
jail:\
|
||||||
|
:tc=default:
|
||||||
|
|
||||||
|
# shell: |
|
||||||
|
# ( echo "jail:\\"; printf "\t:tc=default:\n" ) >> /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
|
||||||
|
# cap_mkdb /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
|
||||||
|
# touch /tmp/.ansiblepubloginconf
|
||||||
|
# args:
|
||||||
|
# creates: /tmp/.ansiblepubloginconf
|
||||||
|
|
||||||
# create our own group[s]
|
# create our own group[s]
|
||||||
- name: Manage groups
|
- name: Manage groups
|
||||||
|
|||||||
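Review bot: The `blockinfile` replacement drops the `cap_mkdb` step the old shell task ran after appending to `login.conf`; login(1) and `pw` read the compiled `login.conf.db`, so the new `jail` class is not visible to the user script's `-L jail` (and rctl rules keyed on the class do not apply) until the database is rebuilt. Add a follow-up task that runs `cap_mkdb /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf`, either when the blockinfile task reports `changed` or unconditionally, since it is idempotent. The commented-out `# shell: |` block left under the task is dead YAML and should be removed rather than kept. The `jail:\` line relies on the literal block preserving the trailing backslash, which it does, but a comment noting that the backslash is a login.conf continuation would help the next reader.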