fixed chat jail, added releaser playbook, fixed rctl boot var

2024-12-16 12:23:19 +01:00 · 2024-12-16 12:23:19 +01:00 · ef31172e81
commit ef31172e81
parent 7b60d8bf8c
11 changed files with 59 additions and 38 deletions
--- a/4
+++ b/4
@ -14,6 +14,7 @@ SNAPSHOT    = $(shell hcloud image  list -t snapshot -o yaml | \

 OPTIONS = -i inventory -t active
 CREATE_COMMAND = ansible-playbook create.yaml $(OPTIONS)
+RELEASE_COMMAND = ansible-playbook release.yaml $(OPTIONS)
 DEPLOY_COMMAND = ansible-playbook deploy.yaml $(OPTIONS)
 CLEAN_COMMAND = ansible-playbook cleanup.yaml $(OPTIONS)
 HOSTS_COMMAND = ansible-playbook knownhosts.yaml $(OPTIONS)
@ -30,6 +31,9 @@ debug:
 create:
 	$(ENV) $(CREATE_COMMAND)

+release:
+	$(ENV) $(RELEASE_COMMAND)
+
 hosts:
 	$(ENV) $(HOSTS_COMMAND)

--- a/TODO.md
+++ b/TODO.md
@ -8,27 +8,9 @@

 See Bastillefile pub

-## racct.enable = 1!
+## racct/rctl test

-sysctl kern.racct.enable=1
-sysctl: oid 'kern.racct.enable' is a read only tunable
-sysctl: Tunable values are set in /boot/loader.conf
-
-not ="YES"
-
-+ test the current setup: does it get configured and how does it limit
+test the current setup: does it get configured and how does it limit
 users? also check if new users belong to login class "jail" and test
 their limits

-## bastille start+template
-
-https://github.com/BastilleBSD/bastille/issues/772
-
-Maybe build+copy  devzat only after the  jail is built and  running by
-just copying the binariy into it, perhaps like this:
-
- stop
- copy
- start
-
-or something.
--- a/cleanup.yaml
+++ b/cleanup.yaml
@ -1,7 +1,7 @@
 ---
 - name: Remove BSDNIX Servers
  tags: active
-  hosts: vps
+  hosts: vps,relvps
  connection: local
  gather_facts: False
  user: root
--- a/group_vars/all/all.yaml
+++ b/group_vars/all/all.yaml
@ -20,7 +20,7 @@ versions:
 release: 14.2-RELEASE

 # snapshot to install in new vps
-snapshot: FreeBSD-14.2-RELEASE-p0-0-hcloud-init
+snapshot: FreeBSD-14.2-RELEASE-p0-1-hcloud-init

 location: fsn1

--- a/inventory/vps.yaml
+++ b/inventory/vps.yaml
@ -4,3 +4,8 @@ vps:
    suto:
      hostname: suto

+relvps:
+  hosts:
+    releaser:
+      hostname: releaser
+
--- a/release.yaml
+++ b/release.yaml
@ -0,0 +1,18 @@
+---
+- name: Create BSDNIX Release Server
+  tags: active
+  hosts: relvps
+  connection: local
+  gather_facts: False
+  user: root
+  roles:
+    - role: install
+
+- name: Deploy BSDNIX Release Server
+  tags: active
+  hosts: running
+  gather_facts: true
+  user: root
+  roles:
+    - role: dns
+
--- a/roles/chat/tasks/main.yaml
+++ b/roles/chat/tasks/main.yaml
@ -3,10 +3,11 @@
 # git clone https://github.com/quackduck/devzat
 # but our own fork where we patched the torlist stuff away.
 # see: https://github.com/quackduck/devzat/issues/246
+# https://github.com/tlinden/devzat
 - name: build devzat
  shell: |
    cd /tmp
-    git clone https://github.com/tlinden/devzat
+    git clone https://github.com/quackduck/devzat
    cd /tmp/devzat
    go build
  args:
@ -62,9 +63,3 @@
 - name: template jail
  shell: |
    bastille template {{ role_name }} services/{{ role_name }}
-    touch /tmp/.ansible.devzattemplate
-  args:
-    # FIXME: might make it impossible to update, on the other hand w/o
-    # it this command fails with "devzat binary busy" when the jail is
-    # already running, since go binaries do not fork.
-    creates: /tmp/.ansible.devzattemplate
--- a/roles/chat/templates/Bastillefile.j2
+++ b/roles/chat/templates/Bastillefile.j2
@ -1,3 +1,5 @@
+SERVICE devzat stop
+
 CP usr /

 SYSRC sendmail_enable=NONE
--- a/roles/install/tasks/main.yaml
+++ b/roles/install/tasks/main.yaml
@ -13,7 +13,9 @@
  register: server

 - name: Attach the home volume
+  when: inventory_hostname in groups['vps']
  hetzner.hcloud.volume:
    name: "{{ storage.volume.name }}"
    server: "{{ hostname }}"
    state: present
+
--- a/roles/pub/bin/user.sh
+++ b/roles/pub/bin/user.sh
@ -9,6 +9,7 @@ groups=""
 home=""
 shell="/usr/local/bin/bash"
 comment=""
+loginclass="jail"
 action=""

 usage() {
@ -74,7 +75,7 @@ args=""
 root=""

 if test -n "$rootdir"; then
-    root="-R $rootdir -L jail"
+    root="-R $rootdir"
 fi

 if test -n "$groups"; then
@ -97,6 +98,10 @@ if test -n "$comment"; then
    args="$args -c $comment"
 fi

+if test -n "$loginclass"; then
+    args="$args -L $loginclass"
+fi
+
 # the horse shall work
 case "$action" in
    present)
--- a/roles/pub/tasks/main.yaml
+++ b/roles/pub/tasks/main.yaml
@ -79,12 +79,20 @@

 # create our login class, needed for rctl rules
 - name: create jail login class
-  shell: |
-    ( echo "jail:\\"; printf "\t:tc=default:\n" ) >> /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
-    cap_mkdb /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
-    touch /tmp/.ansiblepubloginconf
-  args:
-    creates: /tmp/.ansiblepubloginconf
+  blockinfile:
+    path: /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
+    append_newline: true
+    prepend_newline: true
+    block: |
+      jail:\
+          :tc=default:
+
+# shell: |
+#   ( echo "jail:\\"; printf "\t:tc=default:\n" ) >> /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
+#   cap_mkdb /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
+#   touch /tmp/.ansiblepubloginconf
+# args:
+#   creates: /tmp/.ansiblepubloginconf

 # create our own group[s]
 - name: Manage groups