Makefile

@@ -1,4 +1,4 @@
-.PHONY: all deploy check clean create debug editvars test
+.PHONY: all deploy check clean create debug editvars
 
 
 VARS = group_vars/all/vars.yaml
@@ -19,6 +19,8 @@ DEBUG_COMMAND = ansible-playbook debug.yaml $(OPTIONS)
 
 ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose)
 
+test:
+	@echo SNAPSHOT="$(SNAPSHOT)"
 
 all: create deploy
 

TODO.md

@@ -25,6 +25,7 @@ or using e3 using wrapper script around `jaildk exec dns knotc ...`
 
 ### Cleanup release snapshot
 
+- remove /home symlink
 - remove pkg function from root .bashrc
 
 ## fix home mount
@@ -35,6 +36,4 @@ nullfs into jail
 
 ## Add quota config and enable/configure rctl
 
-## Setup sshd_config for jail
+## Fix jail DNS, doesn't work yet (pf missing?)
-
-Using Bastillefile CP?

deploy.yaml

@@ -6,7 +6,7 @@
   user: root
   roles:
     - role: server
-    - role: network
+    #- role: network
     - role: firewall
     - role: ssh
     - role: jails

group_vars/all/all.yaml

@@ -90,17 +90,3 @@ permissions:
     owner: root
     group: wheel
     mode: '0711'
-
-jails:
-  pubnix:
-    pkgs:
-      - bash
-      - zsh
-      - vim
-      - git
-      - htop
-      - tmux
-      - bind-tools
-      - coreutils
-      - emacs-nox
-      - fzf

roles/firewall/templates/pf.conf.j2

@@ -8,7 +8,6 @@
 #   pfctl -t bad_hosts -T delete $ip  
 
 ext_if="{{ ansible_default_ipv6.interface }}"
-jail_net="{{ jailnet.stdout }}"
 
 ### Default block policy is to return a reset packet
 set block-policy drop
@@ -31,11 +30,6 @@ block in log all
 ### Allow outgoing, skip others rules if match, and track connections
 pass out quick keep state
 pass out inet6 keep state
-pass out quick on $ext_if keep state
-pass out on $ext_if inet6 keep state
-
-### Allow traffic coming from jails
-pass in on $ext_if inet6 from $jail_net keep state
 
 ### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface
 ### And block incoming traffic from $ext_if IP on $ext_if interface
@@ -48,8 +42,5 @@ pass in quick on $ext_if inet6 proto tcp from any to any port ssh \
      (max-src-conn-rate 10/60, \
      overload <bad_hosts> flush global) label ServicesTCP
 
-# allow ansible answers
-pass out on $ext_if proto tcp from port 22 to any flags any
-     
 # ipv6 icmp
 pass in quick inet6 proto icmp6 all keep state

roles/jails/tasks/main.yaml

@@ -37,6 +37,10 @@
     regexp: '^(.*)quarterly(.*)$'
     replace: '\1latest\2'
 
+- name: determine ipv6 address
+  shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { print $2 }}'
+  register: primaryip
+
 - name: setup bastille.conf
   template:
     src: bastille.conf.j2

roles/jails/templates/bastille.conf.j2

@@ -57,7 +57,7 @@ bastille_network_pf_ext_if="ext_if"                                   ## default
 bastille_network_pf_table="jails"                                     ## default: "jails"
 bastille_network_shared=""                                            ## default: ""
 bastille_network_gateway=""                                           ## default: ""
-bastille_network_gateway6="{{ jailip.stdout }}"        ## default: ""
+bastille_network_gateway6="{{ primaryip.stdout }}"        ## default: ""
 
 ## Default Templates
 bastille_template_base="default/base"                                 ## default: "default/base"

roles/network/tasks/main.yaml

@@ -1,8 +1,29 @@
 ---
-- name: determine ipv6 address
+- name: Add bridge interface
-  shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { sub(/::.$/, "::2", $2); print $2 }}'
+  community.general.sysrc:
-  register: jailip
+    name: cloned_interfaces
+    state: value_present
+    value: "bridge0"
 
-- name: determine ipv6 net
+- name: Setup bridge interface
-  shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { sub(/::.$/, "::", $2); print $2"/64" }}'
+  community.general.sysrc:
-  register: jailnet
+    name: ifconfig_bridge0
+    state: value_present
+    value: "up"
+  notify: netif cloneup
+
+- name: Setup bridge interface
+  community.general.sysrc:
+    name: ifconfig_bridge0
+    state: value_present
+    value: "addm vtnet0"
+  notify: netif cloneup
+  
+- name: Setup bridge interface ipv6
+  community.general.sysrc:
+    name: ifconfig_bridge0_ipv6
+    state: value_present
+    value: "inet6 auto_linklocal"
+  notify: netif cloneup
+  
+- meta: flush_handlers

roles/pubnix/files/Bastillefile

@@ -0,0 +1,6 @@
+PKG bash
+SYSRC sshd_enable=YES
+CMD mkdir -p /data/home
+SERVICE nginx restart
+FSTAB /data/home data/home nullfs ro 0 0
+RDR tcp 22 22

roles/pubnix/tasks/main.yaml

@@ -6,9 +6,9 @@
     recurse: yes
 
 - name: copy template config files
-  template:
+  copy:
-    src: Bastillefile.j2
+    src: Bastillefile
-    dest: "/usr/local/bastille/templates/services/{{ role_name }}/Bastillefile"
+    dest: "/usr/local/bastille/templates/services/{{ role_name }}/"
 
 - name: create config path
   file:
@@ -21,14 +21,17 @@
     src: sshd_config
     dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"
 
-# - name: create data/home dataset
+- name: create data/home dataset
-#   community.general.zfs:
+  community.general.zfs:
-#     name: zroot/home
+    name: zroot/home
-#     state: present
+    state: present
-#     extra_zfs_properties:
+    extra_zfs_properties:
-#       mountpoint: /data/home
+      mountpoint: /data/home
-
 
+- name: determine ipv6 address
+  shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { sub(/::.$/, "::2", $2); print $2 }}'
+  register: jailip
+      
 - name: create jail
   shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0"
   args:

roles/pubnix/templates/Bastillefile.j2

@@ -1,14 +0,0 @@
-PKG {{ jails.pubnix.pkgs | join(' ') }}
-
-SYSRC sshd_enable=YES
-SYSRC sendmail_enable=NONE
-SYSRC tmpsize="500m"
-SYSRC tmpmfs="AUTO"
-SYSRC clear_tmp_enable="YES"
-
-CMD rm /home
-CMD mkdir -p /home
-
-FSTAB /home home nullfs rw 0 0
-
-SERVICE sshd start