fixed open file copy problem

fixed devzat rc script, user creation with skell, +new todo
enhanced user management
2024-12-18 09:14:26 +01:00 · 2024-12-16 16:10:11 +01:00 · 2024-12-16 14:23:45 +01:00 · 2024-12-16 12:23:19 +01:00 · 2024-12-15 18:48:41 +01:00 · 2024-12-13 18:39:21 +01:00
48 changed files with 1795 additions and 153 deletions
--- a/37
+++ b/37
@@ -1,26 +1,27 @@
-.PHONY: all deploy check clean create debug editvars
+.PHONY: all deploy check clean create debug editvars test
-VARS = group_vars/all/vars.yaml
+VARS		= group_vars/all/vars.yaml
-VALL = group_vars/all/all.yaml
+VALL		= group_vars/all/all.yaml
-TOKEN = $(shell ansible-vault decrypt --output - $(VARS) | grep hetzner_cloud_token | cut -d' ' -f2)
+SECRET		= ~/.config/ansible/hcloud.secret
 KEYDIR		= roles/pub/files/keys
 TOKEN		= $(shell ansible-vault decrypt --output - $(VARS) | grep hetzner_cloud_token | cut -d' ' -f2)
 DNSTOKEN    = $(shell ansible-vault decrypt --output - $(VARS) | grep hetzner_dns_token | cut -d' ' -f2)
 SNAPNAME	= $(shell cat $(VALL) | yq .snapshot)
-SNAPNAME = $(shell cat $(VALL) | yq .snapshot)
+SNAPSHOT    = $(shell hcloud image  list -t snapshot -o yaml | \
 SNAPSHOT = $(shell hcloud image  list -t snapshot -o yaml | \
 			       yq '. | map(select(.description == "$(SNAPNAME)")) | .[].id')
 OPTIONS = -i inventory -t active
 CREATE_COMMAND = ansible-playbook create.yaml $(OPTIONS)
 RELEASE_COMMAND = ansible-playbook release.yaml $(OPTIONS)
 DEPLOY_COMMAND = ansible-playbook deploy.yaml $(OPTIONS)
 CLEAN_COMMAND = ansible-playbook cleanup.yaml $(OPTIONS)
 HOSTS_COMMAND = ansible-playbook knownhosts.yaml $(OPTIONS)
 DEBUG_COMMAND = ansible-playbook debug.yaml $(OPTIONS)
 SHOW_COMMAND = ansible-inventory -i inventory/hosts.hcloud.yaml --list
-ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose)
+ENV = HCLOUD_TOKEN="$(TOKEN)" HETZNER_DNS_TOKEN="$(DNSTOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose)
 test:
 	@echo SNAPSHOT="$(SNAPSHOT)"
 all: create deploy
@@ -30,17 +31,26 @@ debug:
 create:
 	$(ENV) $(CREATE_COMMAND)
 release:
 	$(ENV) $(RELEASE_COMMAND)
 hosts:
 	$(ENV) $(HOSTS_COMMAND)
 # remove ssh control point, which may lead to hangs if wifi breaks during deployment
 deploy:
 	rm -rf ~/.ansible/cp/*
 	$(ENV) $(DEPLOY_COMMAND)
 clean:
 	$(ENV) $(CLEAN_COMMAND)
 check:
-	ansible-playbook -vvv --ask-vault-pass deploy.yaml -i inventory --syntax-check
+	$(ENV) ansible-playbook deploy.yaml  --syntax-check
 	bin/encryptkeys $(KEYDIR) $(SECRET) check
 encryptkeys:
 	bin/encryptkeys $(KEYDIR) $(SECRET) encrypt
 editvars:
 	ansible-vault decrypt $(VARS)
@@ -49,3 +59,6 @@ editvars:
 showvars:
 	ansible-vault decrypt $(VARS) --output -
 showinventory:
 	$(ENV) $(SHOW_COMMAND)
--- a/TODO.md
+++ b/TODO.md
@@ -1,39 +1,49 @@
 ## Install tarball
 ### clean known_host doesnt work
 ### install from tarball example:
 ```yaml
 - name: "If jdk not exists then only download and unarchive"
  unarchive:
    src: "https://download.oracle.com/java/17/latest/jdk-17_linux-aarch64_bin.tar.gz"
    dest: /opt/
    remote_src: yes
    creates: /opt/jdk-17
  register: foo
 - name: "Rename if download happens "
  command: mv /opt/jdk-17_linux-arch64 /opt/jdk-17
  when: foo.changed == True
 ```
 ### configure DNS record for newly created instance
 https://github.com/bodsch/ansible-collection-dns/blob/main/roles/knot/README.md
 or using e3 using wrapper script around `jaildk exec dns knotc ...`
 ### Cleanup release snapshot
 - remove /home symlink
 - remove pkg function from root .bashrc
 ## fix home mount
 nullfs into jail
 ## Add users with authorized_keys files
 ## Add quota config and enable/configure rctl
-## Fix jail DNS, doesn't work yet (pf missing?)
+## Add bsdnix manpage (into pub jail)
 ## Check if motd generation works
 See Bastillefile pub
 ## racct/rctl test
 test the current setup: does it get configured and how does it limit
 users? also check if new users belong to login class "jail" and test
 their limits
 ## devzat file busy still failing
 https://github.com/BastilleBSD/bastille/issues/772
 ## ZFS quota
 Still not working, but it worked already? Dont get it.
 zfs set groupquota@bsdnixer=10MB zhcloud/home
 zfs get groupquota@bsdnixer zhcloud/home
 zfs groupspace zhcloud/home
 zfs userspace zhcloud/home
 ## Fix permissions jail /etc 
 ## Remove volume fails newly
 TASK [remove : Remove volume] 
 An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ansible_collections.hetzner.hcloud.plugins.module_utils.vendor.hcloud._exceptions.APIException: cannot perform operation because volume is locked
 fatal: [suto]: FAILED! => changed=false 
  ansible_facts:
    discovered_interpreter_python: /usr/bin/python3
  failure:
    code: locked
    details: {}
    message: cannot perform operation because volume is locked
  msg: cannot perform operation because volume is locked
 Maybe "unlock" it somehow? Perhaps this happens because there are user
 online with open files in /home?
--- a/bin/encryptkeys
+++ b/bin/encryptkeys
@@ -0,0 +1,53 @@
 #!/bin/bash
 # encrypt unencrypted secrets or warn if a secret is unencrypted in check mode
 keydir=$1
 secret=$2
 mode=$3
 if test -z "$mode"; then
    echo "Usage: $0 keydir vault-password-file (check|encrypt)"
    exit 1
 fi
 err=""
 for key in "$keydir"/*; do
    filetype=$(file "$key")
    case "$filetype" in
        *OpenSSH*)
            case "$mode" in
                encrypt)
                    ansible-vault encrypt --vault-password-file "$secret" --vault-id default "$key"
                    ;;
                check)
                    echo "$key is unencrypted!"
                    err=1
                    ;;
            esac
            ;;
        *Ansible*Vault*)
            case "$mode" in
                check)
                    :
                    ;;
            esac
            ;;
        *)
            case "$mode" in
                check)
                    echo "$key is an unknown clear text file!"
                    err=1
                    ;;
            esac
            ;;
    esac
 done
 if test -n "$err"; then
    exit 1
 fi
--- a/cleanup.yaml
+++ b/cleanup.yaml
@@ -1,7 +1,7 @@
 ---
 - name: Remove BSDNIX Servers
  tags: active
-  hosts: vps
+  hosts: vps,relvps
  connection: local
  gather_facts: False
  user: root
--- a/debug.yaml
+++ b/debug.yaml
@@ -1,7 +1,9 @@
 ---
- name: DEBUGGING ROLES
+- name: Gather facts
  tags: active
  hosts: running
  gather_facts: true
  user: root
  roles:
    - role: network
    - role: dns
--- a/deploy.yaml
+++ b/deploy.yaml
@@ -5,9 +5,12 @@
  gather_facts: true
  user: root
  roles:
    - role: reachable
    - role: dns
    - role: network
    - role: server
    #- role: network
    - role: firewall
    - role: ssh
    - role: jails
-    - role: pubnix
+    - role: chat
    - role: pub
--- a/group_vars/all/all.yaml
+++ b/group_vars/all/all.yaml
@@ -8,12 +8,19 @@ packages:
  - cpdup
  - bash
  - doas
  - knot-resolver
  - go122
  - git
 versions:
  - program: go122
    link: go
 # used by bastille to build a base
-release: 14.1-RELEASE
+release: 14.2-RELEASE
 # snapshot to install in new vps
-snapshot: FreeBSD-14.1-RELEASE-p5-1-hcloud-init
+snapshot: FreeBSD-14.2-RELEASE-p0-1-hcloud-init
 location: fsn1
@@ -24,9 +31,55 @@ ssh_keys:
  - scip@pixel8
 jails:
-  pubnix:
+  pub:
-    octet: 2
+    pkgs:
      - bash
      - zsh
      - fish
      - vim
      - emacs-nox
      - git
      - htop
      - tmux
      - bind-tools
      - coreutils
      - fzf
      - nnn
      - eza
      - fd
      - jq
      - yq
      - ruby
      - rubygem-irb
      - go121
      - go122
      - go123
      - lua51
      - rust
 defaults:
  group: bsdnixer
  jailbase: /usr/local/bastille/jails
 jailgroups:
  - name: first
    state: present
    id: 3999
  - name: bsdnixer
    state: present
 jailusers:
  - name: first
    state: present
    id: 4000
  - name: scip
    state: present
  - name: tuud
    groups: wheel
    state: present
  - name: tom
    state: present
 storage:
  volume:
    size: 10
@@ -38,6 +91,9 @@ storage:
    - mount: /var/cron/tabs
      name: /crontabs
 dns:
  zone: bsdnix.de
  socket: /jail/run/dns/tmp/knot/knot.sock
 netif:
  primary: bridge0
@@ -90,3 +146,4 @@ permissions:
    owner: root
    group: wheel
    mode: '0711'
--- a/group_vars/all/vars.yaml
+++ b/group_vars/all/vars.yaml
@@ -1,12 +1,15 @@
 $ANSIBLE_VAULT;1.1;AES256
-30386430356466633261653236656333623835666363653766313864376439663739666539373466
+35356662643731346636653135373334313239656363363064626162656461623736303763613361
-6133333563663839306331373863623064656330363234660a613235386230353233336134333665
+6437303765316166346264343839313230663432613461340a633437353665623032313633366165
-33323865646238363862663334343738326339623939663036643833356466633062656362653061
+38633537343963666563666466303537333565356561633065313166653531636431666435373164
-3661626430303038360a303961356566663239656337333833323036343432656332386234623131
+6161663439353637300a313539303934616631336632353034303734616636333832653266636136
-34323538326435643534663239613438333037646261663462323661306536383435626133663562
+30303532616333396437323137386334366564623635303335646139366265313765613531663333
-34326239363138656666353563396132303633373539646330303536346637346532616462393332
+31343063383735356166666130643635303234383237613364303934633066653838313930353238
-64613233373331396364613466303535383964313836356365393735326136323832313731653936
+34366531346465386364353563643962396462313132373661356333323734303233383663646130
-31633637643632323139303132336663626532623037343139363839626165323062303335363237
+64393764633437613331643232663865643239623230666236353631323266316633356461333236
-31646234393337366330353261383465316632663232303464346566333738326164363935613933
+37363232373334383764343738353265313435323661336365353933656630306465313166353761
-63393139663665343861363434396664383965613437383963343861333565356135656335383234
+65616261386130653230356264666237616135393663336562653232623030656136643832663635
-656638656239636133646562383734323835
+33346635313935356663636139656563346139643961626561613438653234646334666531376132
 64343938343737303636643834636136316661303064373536316530353937643164386363373565
 37333438613161626437343036656364353862376265343236316135306331386135666534326263
 3432376561623466636636633664313831396234363839316537
--- a/inventory/hosts.hcloud.yaml
+++ b/inventory/hosts.hcloud.yaml
@@ -5,3 +5,5 @@ status:
 groups:
  dev:
 connect_with: "public_ipv6"
 compose:
  server_ipv6: ipv6
--- a/inventory/vps.yaml
+++ b/inventory/vps.yaml
@@ -1,6 +1,11 @@
 ---
 vps:
  hosts:
-    shell:
+    suto:
-      hostname: shell.daemon.de
+      hostname: suto
 relvps:
  hosts:
    releaser:
      hostname: releaser
--- a/release.yaml
+++ b/release.yaml
@@ -0,0 +1,18 @@
 ---
 - name: Create BSDNIX Release Server
  tags: active
  hosts: relvps
  connection: local
  gather_facts: False
  user: root
  roles:
    - role: install
 - name: Deploy BSDNIX Release Server
  tags: active
  hosts: running
  gather_facts: true
  user: root
  roles:
    - role: dns
--- a/roles/chat/files/devzat
+++ b/roles/chat/files/devzat
@@ -0,0 +1,25 @@
 #!/bin/sh
 #
 # PROVIDE: devzat
 # REQUIRE: networking
 # KEYWORD:
 . /etc/rc.subr
 name="devzat"
 rcvar="devzat_enable"
 devzat_user="nobody"
 devzat_source="/usr/local/sbin/devzat"
 devzat_command="/usr/local/sbin/devzat"
 pidfile="/tmp/${name}.pid"
 command="/usr/sbin/daemon"
 command_args="-P ${pidfile} -c ${devzat_command}"
 devzat_config="/usr/local/etc/devzat.yml"
 load_rc_config $name
 : ${devzat_enable:=no}
 export DEVZAT_CONFIG="${devzat_config}"
 run_rc_command "$1"
--- a/roles/chat/files/devzat.yml
+++ b/roles/chat/files/devzat.yml
@@ -0,0 +1,18 @@
 # what port to host a server on ($PORT overrides this)
 port: 2222
 # what port to host profiling on (unimportant)
 profile_port: 5555
 # where to store data such as bans and logs
 data_dir: /home/devzat/devzat-data
 # where the SSH private key is stored
 key_file: /home/devzat/devzat-sshkey
 # whether to censor messages (optional)
 censor: false
 # a list of admin IDs and notes about them
 admins:
  82f6872383933e913b31dbb906e4c44ea2937bea9531ac11429f16cee2e5a975: 'Seher Taak: github.com/tlinden'
--- a/roles/chat/tasks/main.yaml
+++ b/roles/chat/tasks/main.yaml
@@ -0,0 +1,65 @@
 ---
 # we do NOT use:
 # git clone https://github.com/quackduck/devzat
 # but our own fork where we patched the torlist stuff away.
 # see: https://github.com/quackduck/devzat/issues/246
 # https://github.com/tlinden/devzat
 - name: build devzat
  shell: |
    cd /tmp
    git clone https://github.com/quackduck/devzat
    cd /tmp/devzat
    go build
  args:
    creates: "/tmp/.ansible.devzatbuild"
 - name: create services template dir
  file:
    path: "/usr/local/bastille/templates/services/{{ role_name }}"
    state: directory
    recurse: yes
 - name: copy template config files
  template:
    src: Bastillefile.j2
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/Bastillefile"
 - name: create config paths
  file:
    path: "/usr/local/bastille/templates/services/{{ role_name }}/{{ item }}/"
    state: directory
    recurse: yes
  loop:
    - usr/local/etc
    - usr/local/etc/rc.d
    - usr/local/sbin
 - name: copy devzat binary
  shell: |
    install -m 755 /tmp/devzat/devzat /usr/local/bastille/templates/services/{{ role_name }}/usr/local/sbin/devzat
    touch /tmp/.ansible.devzat
  args:
    creates: "/tmp/.ansible.devzat"
 - name: copy devzat config file
  copy:
    src: devzat.yml
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/usr/local/etc/"
 - name: copy devzat rc file
  copy:
    src: devzat
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/usr/local/etc/rc.d/"
    mode: '0755'
 - name: create jail
  shell: "bastille create -B {{ role_name }} {{ release }} {{ chatip.stdout }}/64 bridge0"
  args:
    creates: /usr/local/bastille/jails/{{ role_name }}
 - name: start jail
  shell: bastille start {{ role_name }} || true
 - name: template jail
  shell: |
    bastille template {{ role_name }} services/{{ role_name }}
--- a/roles/chat/templates/Bastillefile.j2
+++ b/roles/chat/templates/Bastillefile.j2
@@ -0,0 +1,20 @@
 SERVICE devzat stop
 CMD if [ -f /usr/local/sbin/devzat ]; then rm -f /usr/local/sbin/devzat; fi
 SYSRC sendmail_enable=NONE
 SYSRC tmpsize=500m
 SYSRC tmpmfs=AUTO
 SYSRC clear_tmp_enable=YES
 SYSRC devzat_enable=YES
 CMD if test -L /home; then rm /home; fi
 CMD mkdir -p /home
 FSTAB /home home nullfs rw 0 0
 CMD install -d -o nobody -m 700 /home/devzat
 CP usr /
 SERVICE devzat start
--- a/roles/dns/tasks/main.yaml
+++ b/roles/dns/tasks/main.yaml
@@ -0,0 +1,11 @@
 ---
 - name: add dns entry for server
  community.dns.hetzner_dns_record:
    state: present
    zone: "{{ dns.zone }}"
    record: "{{ name }}.{{ dns.zone }}"
    type: AAAA
    ttl: 300
    value: "{{ server_ipv6 }}"
    hetzner_token: "{{ hetzner_dns_token }}"
--- a/roles/firewall/tasks/main.yaml
+++ b/roles/firewall/tasks/main.yaml
@@ -3,7 +3,8 @@
  community.general.sysrc:
    name: pf_enable
    value: "YES"
-  notify: start pf
+    # FIXME: on first start causes the ansible connection to hang
    # notify: start pf
 - name: enable pflog
  community.general.sysrc:
--- a/roles/firewall/templates/pf.conf.j2
+++ b/roles/firewall/templates/pf.conf.j2
@@ -8,6 +8,7 @@
 #   pfctl -t bad_hosts -T delete $ip  
 ext_if="{{ ansible_default_ipv6.interface }}"
 jail_net="{{ jailnet.stdout }}"
 ### Default block policy is to return a reset packet
 set block-policy drop
@@ -31,6 +32,13 @@ block in log all
 pass out quick keep state
 pass out inet6 keep state
 # FIXME: does not survice reboots, that is: pf blocks after a reboot, pf must be reloaded, then it works
 pass out quick on $ext_if keep state
 pass out on $ext_if inet6 keep state
 ### Allow traffic coming from jails
 pass in on $ext_if inet6 from $jail_net keep state
 ### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface
 ### And block incoming traffic from $ext_if IP on $ext_if interface
 antispoof for $ext_if inet6
@@ -42,5 +50,8 @@ pass in quick on $ext_if inet6 proto tcp from any to any port ssh \
     (max-src-conn-rate 10/60, \
     overload <bad_hosts> flush global) label ServicesTCP
 # allow ansible answers
 pass out on $ext_if proto tcp from port 22 to any flags any
 # ipv6 icmp
 pass in quick inet6 proto icmp6 all keep state
--- a/roles/install/tasks/main.yaml
+++ b/roles/install/tasks/main.yaml
@@ -13,7 +13,9 @@
  register: server
 - name: Attach the home volume
  when: inventory_hostname in groups['vps']
  hetzner.hcloud.volume:
    name: "{{ storage.volume.name }}"
    server: "{{ hostname }}"
    state: present
--- a/roles/jails/tasks/main.yaml
+++ b/roles/jails/tasks/main.yaml
@@ -31,16 +31,17 @@
  args:
    creates: "/usr/local/bastille/releases/{{ release }}"
 - name: remove home link from bootstrap
  shell: |
    if test -L /usr/local/bastille/releases/{{ release }}/home; then rm -f /usr/local/bastille/releases/{{ release }}/home; fi
    mkdir -p /usr/local/bastille/releases/{{ release }}/home
 - name: configure bootstrap to use latest pkgs
  replace:
    path: "/usr/local/bastille/releases/{{ release }}/etc/pkg/FreeBSD.conf"
    regexp: '^(.*)quarterly(.*)$'
    replace: '\1latest\2'
 - name: determine ipv6 address
  shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { print $2 }}'
  register: primaryip
 - name: setup bastille.conf
  template:
    src: bastille.conf.j2
--- a/roles/network/tasks/main.yaml
+++ b/roles/network/tasks/main.yaml
@@ -1,29 +1,17 @@
 ---
- name: Add bridge interface
+- name: determine ipv6 jail address
-  community.general.sysrc:
+  shell: echo {{ server_ipv6 }} | sed 's/::1/::2/'
-    name: cloned_interfaces
+  register: jailip
    state: value_present
    value: "bridge0"
- name: Setup bridge interface
+- name: determine ipv6 jail address
-  community.general.sysrc:
+  shell: echo {{ server_ipv6 }} | sed 's/::1/::3/'
-    name: ifconfig_bridge0
+  register: chatip
-    state: value_present
+
-    value: "up"
+- name: determine ipv6 net
-  notify: netif cloneup
+  shell: echo '{{ ipv6_network }}/64'
  register: jailnet
 - name: determine primary ipv6 address
  shell: echo {{ server_ipv6 }}
  register: primaryip
 - name: Setup bridge interface
  community.general.sysrc:
    name: ifconfig_bridge0
    state: value_present
    value: "addm vtnet0"
  notify: netif cloneup
 - name: Setup bridge interface ipv6
  community.general.sysrc:
    name: ifconfig_bridge0_ipv6
    state: value_present
    value: "inet6 auto_linklocal"
  notify: netif cloneup
 - meta: flush_handlers
--- a/roles/pub/bin/group.sh
+++ b/roles/pub/bin/group.sh
@@ -0,0 +1,77 @@
 #!/bin/sh
 rootdir=""
 group=""
 id=""
 action=""
 usage() {
    echo "Usage: $0 -g group -a action"
    echo "Valid actions: present, absent"
    exit 1
 }
 run() {
    echo $*
    $*
 }
 OPTIND=1
 while getopts d:g:a:i: opt ; do
    case $opt in
        d)
            rootdir="$OPTARG"
            ;;
        g)
            group="$OPTARG"
            ;;
        i)
            id="$OPTARG"
            ;;
        a)
            action="$OPTARG"
            ;;
        *)
            usage
            ;;
    esac
 done
 shift $(($OPTIND - 1))
 if test -z "$group" -o -z "$action"; then
    usage
 fi
 # we do it once for $rootdir and once on the host to have synchronous groups
 for root in "$rootdir" ""; do
    args=""
    if test -n "$root"; then
        root="-R $root"
    fi
    if test -n "$id"; then
        args="-g $id"
    fi
    case "$action" in
        present)
            if pw $root group show "$group" > /dev/null 2>&1; then
                if pw $root group show "$group" | grep -q LOCKED; then
                    echo "$group exists."
                fi
            else
                run pw $root group add "$group" $args
            fi
            ;;
        absent)
            if pw $root group show "$group" > /dev/null 2>&1; then
                run pw $root group del "$group"
            fi
            ;;
        *)
            usage
            ;;
    esac
 done
--- a/roles/pub/bin/user.sh
+++ b/roles/pub/bin/user.sh
@@ -0,0 +1,186 @@
 #!/bin/sh
 # manage FreeBSD jail users
 # vars defaults
 rootdir=""
 user=""
 groups=""
 home=""
 shell="/usr/local/bin/bash"
 comment=""
 loginclass="jail"
 action=""
 id=""
 usage() {
    echo "Usage: $0 -u user [-h home] [-s shell] [-g groups] [-d rootdir] [-c comment] -a action"
    echo "Valid actions: present, absent, locked"
    exit 1
 }
 getuid() {
    # resolve jail uid
    root="$1"
    user="$2"
    pw $root show user "$user" -7 | cut -d: -f 3
 }
 run() {
    # verbose exec
    echo "$@"
    "$@"
 }
 # parse commandline flags
 OPTIND=1
 while getopts d:u:h:g:s:c:a:i: opt ; do
    case $opt in
        d)
            rootdir="$OPTARG"
            ;;
        u)
            user="$OPTARG"
            ;;
        i)
            id="$OPTARG"
            ;;
        h)
            home="$OPTARG"
            ;;
        g)
            groups="$OPTARG"
            ;;
        s)
            shell="$OPTARG"
            ;;
        c)
            comment="$OPTARG"
            ;;
        a)
            action="$OPTARG"
            ;;
        *)
            usage
            ;;
    esac
 done
 shift $(($OPTIND - 1))
 if test -z "$user" -o -z "$action"; then
    usage
 fi
 # we do it once for $rootdir and  once on the host to have synchronous
 # users, however, host users will be  locked, unless they are in group
 # wheel
 for root in "$rootdir" ""; do
    # setup pw flags
    args=""
    skel=""
    if test -n "$root"; then
        root="-R $root"
        skel="-k /etc/skel"
    fi
    if test -n "$groups"; then
        args="-G $groups"
    fi
    if test -n "$home"; then
        args="$args -d $home -m -M 700"
    else
        args="$args -d /home/$user -m -M 700"
    fi
    if test -n "$shell"; then
        args="$args -s $shell"
    else
        args="$args -s /usr/local/bin/bash"
    fi
    if test -n "$comment"; then
        args="$args -c $comment"
    fi
    if test -n "$loginclass"; then
        args="$args -L $loginclass"
    fi
    if test -n "$id"; then
        args="$args -u $id"
    fi
    # the horse shall work
    case "$action" in
        present)
            if pw $root user show "$user" > /dev/null 2>&1; then
                if pw $root user show "$user" | grep -q LOCKED; then
                    # user is present but locked
                    run pw $root unlock "$user"
                else
                    echo "$user exists."
                fi
            else
                # create user
                run pw $root user add "$user" $args $skel
                # if we're running on host and the user is a regular jail user, lock them
                if test -z "$root" -a "$groups" != "wheel"; then
                    run pw lock "$user"
                fi
            fi
            if test -e "/usr/local/bastille/keys/$user" -a ! -e "/home/$user/.ssh/authorized_keys"; then
                # install ssh key
                run install -m 700 -o "$user" -g "$user" -d "/home/$user/.ssh"
                run install -m 600 -o "$user" -g "$user" "/usr/local/bastille/keys/$user" "/home/$user/.ssh/authorized_keys"
                # generate  chat  key,  which  is  required  so  login  to
                # kobayashi, so that ssh-chat works  even if the user does
                # not have their own key yet.
                run ssh-keygen -t ed25519 -f /home/$user/.ssh/id_chat_kobayashi -P ""
                (
                    echo "The key id_chat_kobayashi exists so that you're able to reach"
                    echo "the kobayashi chat service. Once you have generated your own"
                    echo "key, you can just delete it."
                ) > "/home/$user/.ssh/README"
                if test ! -e "/home/$user/.ssh/config"; then
                    (
                        echo "Host kobayashi"
                        echo "  Port 2222"
                        echo "  IdentityFile ~/.ssh/id_chat_kobayashi"
                        echo "  StrictHostKeyChecking no"
                    ) > "/home/$user/.ssh/config"
                fi
                run chown "$user:$user" /home/$user/.ssh/*
            fi
            ;;
        absent)
            if pw $root user show "$user" > /dev/null 2>&1; then
                # get rid
                run pw $root user del "$user"
            fi
            ;;
        locked)
            if pw $root user show "$user" > /dev/null 2>&1; then
                if pw $root user show "$user" | grep -q LOCKED; then
                    echo "$user is already locked."
                else
                    # lock'em out
                    run pw $root lock "$user"
                fi
            fi
            ;;
        *)
            usage
            ;;
    esac
 done
--- a/roles/pub/files/keys/tom
+++ b/roles/pub/files/keys/tom
@@ -0,0 +1,42 @@
 $ANSIBLE_VAULT;1.1;AES256
 31356362656165313531663465316362386534323532313630636666373333333566646364636465
 6536363632363133326538376666333563343363306266380a336537653435613638396436343931
 66393530626237396332313039663837666438376430626565313565366431663533333566323862
 3637386136663238340a373961663661323935353934633934633334663934623764633431623364
 31653366336138323062653936653266663130313064313031333964653061326437366137623139
 64616663383232313233316562383961303334343138333837623635646166343539623734396631
 62616632346539313737626565333632383062383866633836326330653531336636623166396337
 34646262386664333065313637666537366537383665666662653966353330373131306236346138
 39353932343931636331333230333439666534376333313134653761333835336331333734393166
 34643632613834616163366539346536356130363663386137373134613732383432373165623765
 66653239643862636431643033336531633339626666353933653766323138663466326631323332
 30306165633837623464353338396333386631396162623763363632326462633262316163333133
 33303335663036393335313562646366373764656139656135303937626366653963336365383466
 38616566613436363038613138643033376430636566386236356434346334633866373635383139
 39313931373334396333336330613062326130623965666330633735616331373332373530643761
 64303335613961623966636662363935346231386430663664626237663530393834666537383539
 62643166663735303030386538313363333033363264373964343165383230373935383564373137
 34313936386234366336316537616232343337323464343563613530343966626165333462343930
 61376139373235366436633766613339373738663937333265643535643837626339333339336135
 63383364393962623032646164646661343337663464303166663966303133316331373830663231
 33626161303137633332383035353164326330643437666234613864376366346363653063333839
 35393333666161653566343866313066633966613537666238343531376633636233323632663536
 61356432373935376363333233613239336432376432656166326462623735643464666438323765
 34646165323932303561373233373161613263306336613535636363353135313739646365393436
 30626332653339353934353964323964323635333734663339306339303265653339336666373635
 62316139323465366161353731353938666331393239376638323238346331373738366536346332
 30626563366337663131626461393235626230373561313635366630666566613433646538636237
 64386166653439663633616564636365303539303734633338393962306438396139376432356265
 30626232666539616139646337383332646162323263333338313035336364656632306330386533
 31303466363831316163346365623734616135343837383364363563393937626364336162656136
 31323039323235373730343266343839363333616134356137666235333362383234333762646266
 37663463366339303535333134313136393864656334613437623538396330633933616363373564
 31646634383735393430326232633732623566323137363262346566373130323563323664666261
 37363131383866623437373262383365333630373764393530626237643636633362626666623330
 37636234383665626137626464373932636239383366336665633366316164663263636461616532
 31373266666531323566663432346163643637366436666462323935356531623639303032663961
 39303637373536643432653139633636666466313333326134643831633864343062363335313932
 61626566663530393761336238323334663263336536363962373761386564333664306232656332
 66386231373962373432333237626362353134363962633962363539613934633262343363303933
 38306534613233303432363930323334663230306165313630663863313137366433396539333630
 61643265316535653337613730373331383164306535306336313361396433636337
--- a/roles/pub/files/motd
+++ b/roles/pub/files/motd
@@ -0,0 +1,20 @@
      /\
    _/./                       welcome
 ,-'    `-:..-'/               to
 : o )      _  (                bsdnix.
 "`-....,--; `-.\
    `'
                 /\
               _/./
            ,-'    `-:..-'/
           : o )      _  (
           "`-....,--; `-.\
               `'
                             /\
  To find help:            _/./
  ssh kobayashi         ,-'    `-:..-'/
  man bsdnix           : o )      _  (
                       "`-....,--; `-.\
--- a/roles/pub/files/skel/dot.bash_profile
+++ b/roles/pub/files/skel/dot.bash_profile
@@ -0,0 +1,152 @@
 # -*-shell-script-*-
 #
 # default bash config
 # do not use the config if not in a terminal
 if test -z "$PS1"; then
    return
 fi
 # and do not use it if in no interactive terminal
 if test "$TERM" = "dumb"; then
  export PS1='$ '
  return
 fi
 inputrc="$HOME/.inputrc"
 # create helper configs, if requested. that way I don't have to copy
 # around multiple files if I enter a new system
 createcfgs() {
    if ! test -f $inputrc; then
        if ! test -w $HOME; then
            inputrc="/tmp/.inputrc_tom"
        fi
        cat << EOF > $inputrc
 # toms readline config
 set show-all-if-ambiguous on
 set meta-flag on
 set input-meta on
 set convert-meta on
 set output-meta on
 # C-a blocked by screen, so use these also
 Meta-a: beginning-of-line
 # alt-left
 "\e[1;3C": forward-word
 # ctrl-right
 "\e[1;5C": forward-word
 # alt-left, vnc
 "\e\e[C": forward-word
 # alt-right
 "\e[1;3D": backward-word
 # ctrl-left
 "\e[1;5D": backward-word
 # alt-left, vnc
 "\e\e[D": backward-word
 # alt-down
 "\e[1;3B": beginning-of-line
 # alt-down, vnc
 "\e\e[A": beginning-of-line
 # alt-up
 "\e[1;3A": end-of-line
 # alt-up, vnc
 "\e\e[B": end-of-line
 EOF
    fi
 }
 # stay with en, but support umlauts and the other bastards
 export LC_COLLATE="en_US.UTF-8"
 export LC_CTYPE="de_DE.UTF-8"
 export LC_MONETARY="de_DE.UTF-8"
 export LC_NUMERIC="de_DE.UTF-8"
 export LC_TIME="de_DE.UTF-8"
 export LC_PAPER="de_DE.UTF-8"
 export LANG="en_US.UTF-8"
 export LC_LANG="en_US.UTF-8"
 export LC_ALL="en_US.UTF-8"
 export LANGUAGE="en_US.UTF-8"
 export GDM_LANG="en_US.UTF-8"
 # generate customized support configs
 createcfgs
 INPUTRC="$inputrc"
 # global aliases
 alias dir='ls -l'
 alias ll='ls -l'
 alias la='ls -la'
 alias l='ls -alF'
 alias ls-l='ls -l'
 alias lt='ls -ltr'
 alias o='less'
 alias ..='cd ..'
 alias ...='cd ../..'
 alias ....='cd ../../..'
 alias .....='cd ../../../..'
 alias rd=rmdir
 alias md='mkdir -p'
 alias which='type -p'
 alias less='less -i -P "?f%f:Standard input. %lb / %L ?e(END):>"'
 alias les='less'
 alias grip='egrep -i'
 alias lc="tr '[A-Z]' '[a-z]'"
 alias uc="tr '[a-z]' '[A-Z]'"
 alias table="column -t"
 alias gethttp="fetch -n --no-verify-peer --no-verify-hostname"
 # use vim
 alias vi=vim
 EDITOR=vim
 # simple command prompt
 PS1='
 --- [\w] ---
 \u@\h % '
 # customize path
 for dir in $HOME/bin /usr/local/bin /usr/local/sbin /usr/sbin; do
    if test -d $dir; then
        PATH=$PATH:$dir
    fi
 done
 export PATH
 # history options
 HISTFILESIZE=1000000
 HISTSIZE=1000000
 HISTCONTROL=ignoreboth
 HISTIGNORE='ls:bg:fg:history'
 HISTTIMEFORMAT='%F %T '
 export EDITOR PS1 PATH LESSCHARSET GREP_OPTIONS HISTFILE HISTFILESIZE HISTSIZE HISTCONTROL HISTIGNORE HISTTIMEFORMAT INPUTRC
 # better override
 umask 0027
 # completion?
 bash=${BASH_VERSION%.*}; bmajor=${bash%.*}; bminor=${bash#*.}
 if [ "$PS1" ] && [ $bmajor -eq 2 ] && [ $bminor '>' 04 ] \
       && [ -f ~/.completion ]; then # interactive shell
    # Source completion code
    source ~/.completion
 fi
 # bash options
 shopt -s cdable_vars checkhash checkwinsize histappend cmdhist
 # any local specific config?
 if test -e ~/.bashrc-local; then
    source  ~/.bashrc-local
 fi
--- a/roles/pub/files/skel/dot.cshrc
+++ b/roles/pub/files/skel/dot.cshrc
@@ -0,0 +1,53 @@
 #
 # .cshrc - csh resource script, read at beginning of execution by each shell
 #
 # see also csh(1), environ(7).
 # more examples available at /usr/share/examples/csh/
 #
 alias h		history 25
 alias j		jobs -l
 alias l     ls -alF
 alias la	ls -aF
 alias lf	ls -FA
 alias ll	ls -lAF
 alias lt    ls -ltr
 alias les   less
 alias md    mkdir -p
 alias ..    cd ..
 alias ...   cd ../..
 alias ....  cd ../../..
 alias ..... cd ../../../..
 alias grip  egrep -i
 alias which type -p
 # These are normally set through /etc/login.conf.  You may override them here
 # if wanted.
 # set path = (/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin $HOME/bin)
 # A righteous umask
 # umask 22
 setenv	EDITOR	vi
 setenv	PAGER	less
 if ($?prompt) then
 	# An interactive shell -- set some stuff up
 	set prompt = "%N@%m:%~ %# "
 	set promptchars = "%#"
 	set filec
 	set history = 1000
 	set savehist = (1000 merge)
 	set autolist = ambiguous
 	# Use history to aid expansion
 	set autoexpand
 	set autorehash
 	set mail = (/var/mail/$USER)
 	if ( $?tcsh ) then
 		bindkey "^W" backward-delete-word
 		bindkey -k up history-search-backward
 		bindkey -k down history-search-forward
 	endif
 endif
--- a/roles/pub/files/skel/dot.emacs
+++ b/roles/pub/files/skel/dot.emacs
@@ -0,0 +1,324 @@
 ;; * Default emacs config  -*-emacs-lisp-*-
 ;;
 ;; https://github.com/TLINDEN/emacs-skel
 ;; * Enable Fontlock-mode (colours) in gui mode
 ;; see: https://www.emacswiki.org/emacs/CustomizingBoth
 (if window-system
    (progn
      (global-font-lock-mode 1)
      (set-background-color "white")
      (set-foreground-color "DarkBlue")
      ))
 ;; * Display cursor as row in Terminal
 (unless (display-graphic-p)
  ;; else (optional)
  (global-hl-line-mode)
  (set-face-background hl-line-face "DarkGray")
  (set-face-foreground hl-line-face "Black")
  )
 ;; --------------------------------------------------------------------------------
 ;; * Console backspace fix
 (define-key key-translation-map [?\C-h] [?\C-?])
 ;; * Some sensible defaults
 ;; no ~ backups
 (setq make-backup-files nil)
 ;; disable Toolbar
 (tool-bar-mode -1)
 ;; disable menubar (default: enabled)
 ;; (menu-bar-mode -1)
 ;; disable menubardialog boxes (default: enabled)
 ;; (setq use-dialog-box nil)
 ;; disable scrollbars (default: enabled)
 ;; Scrolleisten abschalten (standard: ein)
 ;; (scroll-bar-mode 0)
 ;; Less output during startup
 (setq inhibit-startup-message t)
 (setq inhibit-startup-screen t)
 ;; show column number
 (column-number-mode t)
 ;; Set x11 window title
 (setq frame-title-format '(buffer-file-name "emacs %f" ("emacs %b")))
 ;; create valid unix files
 (setq require-final-newline t)
 ;; show matching parens
 (show-paren-mode 1)
 ;; cursor doesn't move when scrolling
 (setq scroll-preserve-screen-position t)
 ;; no comment columns
 (setq-default comment-column 0)
 ;; no auto-save
 (setq auto-save-default nil)
 ;; always display all buffers
 (setq buffers-menu-max-size nil)
 (setq mouse-buffer-menu-mode-mult 30)
 ;; don't hide anything
 (setq disabled-command-function nil)
 ;; Mark == Copy
 (setq mouse-drag-copy-region t)
 ;; more Ram
 (setq gc-cons-threshold 20000000)
 ;; --------------------------------------------------------------------------------
 ;; * Scratch Buffer
 ;; default content of *scratch* buffer == short help
 (setq initial-scratch-message ";;
 ;; Short help (Keys: C == Control, M == Alt or META):
 ;; Combination (eg. C-x C-f): keep control pressed, then x, then f
 ;; Cascade (eg. C-x 3): press control and x, release, then 3
 ;; Key with mouse (eg. C-mouse1): press control and left mouse button
 ;; M-x <cmd>   execute emacs command     | M-w     copy marked stuff
 ;; C-x C-f     open a file               | C-w     delete marked stuff
 ;; C-x C-S     save buffer to file       | C-y     insert (paste, yank)
 ;; C-x C-q     close buffer              | C-g     abort current action
 ;; C-mouse-1   popup buffer list         | C-s     search forward
 ;; C-x 2       split window horizontally |         again: next match
 ;; C-x 3       split window vertically   | C-r     search backwards
 ;; M-o         switch bffers             | C-x C-c finish emacs
 ;; C-x 1       show only one buffer      | C-x b   switch buffer
 ;; C-x k       close current buffer      | C-c i   invert colours
 ;; C-<del>     delete left word    | C-<entf>  delete right word
 ;; C-<up>      jump 1 paragraph up | C-<down>  jump 1 paragraph down
 ;; C-<left>    jump 1 word left    | C-<right> jump 1 word right
 ;; C-_         UNDO                | C-g C-_ REDO
 ;; <home> or C-a      beginning of line, then window, then buffer
 ;; <end>  or C-e      end of line, then window, then buffer
 ;; M-x query-replace         search/replace
 ;; M-x query-replace-regex   dito, with regex (man perlre)
 ;; M-x <xxx-mode>            (xxx: cperl, ruby etc) enable mode
 ;; Configuration: ~/.emacs, Tutorial: C-h t, https://emacswiki.org/
 ;; This is the *scratch* buffer for short notices a testing elisp.
 ")
 ;; --------------------------------------------------------------------------------
 ;; * y means yes
 (defalias 'yes-or-no-p 'y-or-n-p)
 ;; --------------------------------------------------------------------------------
 ;; * TAB/Indent
 (setq-default indent-tabs-mode nil)
 (setq-default tab-width 4)
 (setq indent-line-function 'insert-tab)
 (setq tab-stop-list (quote (4 8 12 16 20 24 28 32 36 40 44
                              48 52 56 60 64 68 72 76 80 84
                              88 92 96 100 104 108 112 116 120)))
 (setq tab-always-indent 'complete)
 (add-hook 'makefile-mode-hook '(lambda() (setq indent-tabs-mode t)))
 ;; --------------------------------------------------------------------------------
 ;; * Helper
 (defun add-something-to-mode-hooks (mode-list something)
  "helper function to add a callback to multiple hooks"
  (dolist (mode mode-list)
    (add-hook (intern (concat (symbol-name mode) "-mode-hook")) something)))
 ;; * Standard key bindings
 ;; --------------------------------------------------------------------------------
 ;; c-h != delete
 (keyboard-translate ?\C-h ?\C-?)
 (keyboard-translate ?\C-? ?\C-h)
 ;; general keys (re-)mappings
 (global-set-key (kbd "C-s")             'isearch-forward-regexp)
 (global-set-key (kbd "C-r")             'isearch-backward-regexp)
 (global-set-key (kbd "<backtab>")       'dabbrev-completion) ; shift-TAB: inline completion
 (global-set-key (kbd "M-o")             'other-window)       ; Buffer wechseln
 (global-set-key (kbd "<delete>")        'delete-char)
 (global-set-key (kbd "<backspace>")     'backward-delete-char)
 (global-set-key (kbd "S-<delete>")      'kill-word)          ; Shift+Del delete word
 (global-set-key (kbd "S-<backspace>")   'backward-kill-word) ; Shift+Backspace dito
 (global-set-key (kbd "C-<delete>")      'kill-word)          ; Shift+Del       dito
 (global-set-key (kbd "C-<backspace>")   'backward-kill-word) ; Shift+Backspace dito 
 (global-unset-key (kbd "C-z"))
 (global-set-key (kbd "C-x k")           'kill-this-buffer)   ; close buffers immediately
 ;; --------------------------------------------------------------------------------
 ;; * Invert fore- and background
 ;; remember last inverse
 (defvar my-invert-state t)
 ;; invert everything, reverse it when called again
 (defun my-invert()
  "invert fg-bg"
  (interactive)
  (invert-face 'default)
  (invert-face 'mode-line)
  (set-face-attribute 'fringe nil :inverse-video my-invert-state)
  (setq my-invert-state (not my-invert-state)) ;; cycle variable my-invert-state
  )
 (global-set-key (kbd "C-c i")           'my-invert)
 ;; --------------------------------------------------------------------------------
 ;; * Custom binding for HOME and END keys (and CTRL-a und CTRL-e)
 ;; from viking-mode:
 (defun my-last-key-repeats ()
  "Returns how many times the last key has been pressed as integer."
  (interactive)
  (let* ((keys    (reverse (append (recent-keys) nil)))
         (pressed (car keys))
         (times   0))
    (progn
      (catch 'nomore
        (dolist (k keys)
          (if (equal pressed k)
              (setq times (+ times 1))
            (throw 'nomore t))))
      times)))
 (defun pc-keys-home ()
  "Go to beginning of  line/window/buffer. First hitting key goes
 to  beginning of  line,  second in  a row  goes  to beginning  of
 window, third in a row goes to beginning of buffer."
  (interactive)
  (let* (
         (key-times (my-last-key-repeats)))
    (cond
     ((eq key-times 3)
      (if mark-active
          (goto-char (point-min))
        (beginning-of-buffer)))
     ((eq key-times 2)
      (if mark-active () (push-mark))
      (move-to-window-line 0))
     ((eq key-times 1)
      (beginning-of-line))
     )))
 (defun pc-keys-end ()
  "Go to end of  line/window/buffer. First hitting key goes
 to end  of line, second  in a  row goes to  end of
 window, third in a row goes to end of buffer."
  (interactive)
  (let* (
         (key-times (my-last-key-repeats)))
    (cond
     ((eq key-times 3)
      (if mark-active
          (goto-char (point-max))
        (end-of-buffer)))
     ((eq key-times 2)
      (if mark-active () (push-mark))
      (move-to-window-line -1)
      (end-of-line)
      )
     ((eq key-times 1)
      (end-of-line))
     )))
 (global-set-key (kbd "<home>")        'pc-keys-home)
 (global-set-key (kbd "<end>")         'pc-keys-end)
 (global-set-key (kbd "C-a")           'pc-keys-home)
 (global-set-key (kbd "C-e")           'pc-keys-end)
 ;; --------------------------------------------------------------------------------
 ;; * IDO mode - better completion during file open etc
 ;; Press C-f during IDO in order to get to normal behavior
 (ido-mode t)
 (ido-everywhere nil)
 (setq ido-enable-flex-matching t)
 (setq ido-use-filename-at-point nil)
 (setq ido-use-virtual-buffers t)
 (setq ido-auto-merge-work-directories-length -1)
 ;; Do not use IDO during save-as (C-x C-w)
 (defvar my-ido-disabled nil)
 (advice-add 'ido-write-file :before '(lambda (&rest args) (ido-mode 0) (setq my-ido-disabled t)))
 (advice-add 'ido-write-file :after  '(lambda (&rest args) (ido-mode 1) (setq my-ido-disabled nil)))
 (defun my-keyboard-quit-advice (fn &rest args)
  (when my-ido-disabled
    (ido-mode 1)
    (setq my-ido-disabled nil))
  (apply fn args))
 (advice-add 'abort-recursive-edit :around #'my-keyboard-quit-advice)
 ;; --------------------------------------------------------------------------------
 ;; * Highlight TABs
 (defface extra-whitespace-face
  '((t (:background "pale green")))
  "Used for tabs and such.")
 (defvar my-extra-keywords
  '(("\t" . 'extra-whitespace-face)))
 (add-something-to-mode-hooks '(c c++ vala cperl emacs-lisp python shell-script)
                             (lambda () (font-lock-add-keywords nil my-extra-keywords)))
 ;; --------------------------------------------------------------------------------
 ;; * Emacs Autoconfig / Customizegroup Placeholder
 ;; This is the place where emacs stores configuration options
 ;; customized interactively with:
 ;; M-x customize-group <RET> <group> <RET>
 (custom-set-faces
 ;; custom-set-faces was added by Custom.
 '(default ((t (:family "DejaVu Sans Mono" :foundry "unknown" :slant normal :weight normal :width normal))))
 '(cperl-nonoverridable-face ((((class color) (background light)) (:foreground "Magenta"))))
 '(custom-documentation-face ((t (:foreground "Navy"))) t)
 '(custom-group-tag-face-1 ((((class color) (background light)) (:underline t :foreground "VioletRed"))) t)
 '(font-lock-builtin-face ((t (:foreground "BlueViolet"))))
 '(font-lock-comment-face ((t (:foreground "DarkGreen"))))
 '(font-lock-constant-face ((t (:foreground "Magenta"))))
 '(font-lock-function-name-face ((t (:bold nil :foreground "DarkOrchid"))))
 '(font-lock-keyword-face ((t (:foreground "Blue"))))
 '(font-lock-string-face ((t (:foreground "Red"))))
 '(font-lock-type-face ((t (:foreground "DarkSlateBlue"))))
 '(font-lock-variable-name-face ((t (:foreground "Sienna"))))
 '(font-lock-warning-face ((t (:bold t :foreground "Red"))))
 '(highlight ((t (:background "DodgerBlue2" :foreground "White"))))
 '(ido-only-match ((t (:foreground "dark green" :weight bold))))
 '(mode-line ((t (:foreground "White" :background "Blue"))))
 '(mode-line-inactive ((t (:foreground "White" :background "DimGray"))))
 '(outline-1 ((t (:inherit font-lock-function-name-face :underline t :weight bold))))
 '(outline-2 ((t (:inherit font-lock-variable-name-face :underline t :weight bold))))
 '(outline-3 ((t (:inherit font-lock-keyword-face :underline t :weight bold))))
 '(outline-4 ((t (:inherit font-lock-comment-face :underline t))))
 '(region ((t (:foreground "Aquamarine" :background "Darkblue"))))
 '(secondary-selection ((t (:foreground "Green" :background "darkslateblue")))))
 (custom-set-variables
 ;; custom-set-variables was added by Custom.
 )
--- a/roles/pub/files/skel/dot.login
+++ b/roles/pub/files/skel/dot.login
@@ -0,0 +1,9 @@
 #
 # .login - csh login script, read by login shell, after `.cshrc' at login.
 #
 # See also csh(1), environ(7).
 #
 # Query terminal size; useful for serial lines.
 if ( -x /usr/bin/resizewin ) /usr/bin/resizewin -z
--- a/roles/pub/files/skel/dot.login_conf
+++ b/roles/pub/files/skel/dot.login_conf
@@ -0,0 +1,6 @@
 #
 # see login.conf(5)
 #
 #me:\
 #	:charset=iso-8859-1:\
 #	:lang=de_DE.ISO8859-1:
--- a/roles/pub/files/skel/dot.profile
+++ b/roles/pub/files/skel/dot.profile
@@ -0,0 +1,28 @@
 #
 # .profile - Bourne Shell startup script for login shells
 #
 # see also sh(1), environ(7).
 #
 # These are normally set through /etc/login.conf.  You may override them here
 # if wanted.
 # PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:$HOME/bin; export PATH
 # Setting TERM is normally done through /etc/ttys.  Do only override
 # if you're sure that you'll never log in via telnet or xterm or a
 # serial line.
 # TERM=xterm; 	export TERM
 EDITOR=vi;   	export EDITOR
 PAGER=less;  	export PAGER
 # set ENV to a file invoked each time sh is started for interactive use.
 ENV=$HOME/.shrc; export ENV
 # Let sh(1) know it's at home, despite /home being a symlink.
 if [ "$PWD" != "$HOME" ] && [ "$PWD" -ef "$HOME" ] ; then cd ; fi
 # Query terminal size; useful for serial lines.
 if [ -x /usr/bin/resizewin ] ; then /usr/bin/resizewin -z ; fi
 umask 0027
--- a/roles/pub/files/skel/dot.shrc
+++ b/roles/pub/files/skel/dot.shrc
@@ -0,0 +1,50 @@
 #
 # .shrc - bourne shell startup file 
 #
 # This file will be used if the shell is invoked for interactive use and
 # the environment variable ENV is set to this file.
 #
 # see also sh(1), environ(7).
 #
 # file permissions: rwxr-xr-x
 #
 umask 027
 # Uncomment this to enable the builtin vi(1) command line editor in sh(1),
 # e.g. ESC to go into visual mode.
 # set -o vi
 # some useful aliases
 alias h='fc -l'
 alias j=jobs
 alias m="$PAGER"
 alias ll='ls -laFo'
 alias l='ls -l'
 alias g='egrep -i'
 # # be paranoid
 # alias cp='cp -ip'
 # alias mv='mv -i'
 # alias rm='rm -i'
 # # csh like history on arrow up and down
 bind ^[[A ed-search-prev-history
 bind ^[[B ed-search-next-history
 # # ctrl+arrow allow to jump from words to words
 bind "\\e[1;5C" em-next-word
 bind "\\e[1;5D" ed-prev-word
 alias history='fc -l'
 # Fix home/del for mobaxterm
 bind ^[[5~ ed-move-to-beg
 bind ^[[6~ ed-move-to-end
 # set prompt: ``username@hostname:directory $ '' 
 PS1="\u@\h:\w \\$ "
 # search path for cd(1)
 # CDPATH=:$HOME
--- a/roles/pub/files/skel/dot.vimrc
+++ b/roles/pub/files/skel/dot.vimrc
@@ -0,0 +1,116 @@
 " concentrate backup files etc
 let &directory = expand('~/.vimdata/swap//')
 set backup
 let &backupdir = expand('~/.vimdata/backup//')
 set undofile
 let &undodir = expand('~/.vimdata/undo//')
 if !isdirectory(&undodir) | call mkdir(&undodir, "p") | endif
 if !isdirectory(&backupdir) | call mkdir(&backupdir, "p") | endif
 if !isdirectory(&directory) | call mkdir(&directory, "p") | endif
 " allow backspacing over everything in insert mode
 set bs=2
 " no auto indent
 set nosmartindent
 set noautoindent
 " smart indent with code
 autocmd FileType perl   set smartindent
 autocmd FileType python set smartindent
 autocmd FileType shell  set smartindent
 autocmd FileType c      set smartindent
 " paste mode - this will avoid unexpected effects when you
 " cut or copy some text from one window and paste it in Vim.
 set pastetoggle=<F11>
 " indent shifts 2 spaces to right
 set expandtab
 set shiftwidth=2
 set softtabstop=2
 set smarttab
 " show matches when using completion
 set wildmenu
 " search is case insensitive
 set ignorecase
 " Set utf8 as standard encoding and en_US as the standard language
 set encoding=utf8
 " highlight matches
 set hlsearch
 " not case insensitive if term contains upper letters
 set smartcase
 " show cursor position in statusline
 set ruler
 " show matching bracket after typing a closing bracket
 set showmatch
 " show current mode in statusline
 set showmode
 " show last command in statusline
 set showcmd
 " show status line
 set laststatus=2
 " set xterm title to "VIM <file>", while <file> is
 " the currently opened buffer
 set title
 " do not beep (doh!)
 set visualbell
 " don't ask for :x!
 set writeany
 " just enter Q to exit
 map Q :q!<Cr>
 " fix broken shells
 set term=xterm
 " enable true colors
 set termguicolors
 " add comment char when pressing <Cr> inside comment line
 set formatoptions+=r
 " show line numbers
 " set number
 set relativenumber
 set numberwidth=5
 " to disable linenumbers and indentlines (if any) press t in normal mode
 nmap t :set relativenumber!<CR>:IndentLinesToggle<CR>
 " help in full screen
 command! -nargs=1 -complete=help H help <args> | silent only
 if &diff
   " apply right patch to the left
   nnoremap < :diffget <Enter>
   " apply left patch to the right
   nnoremap > :diffput <Enter>
   " update diff
   nnoremap <C-l> :diffupdate <Enter>
   " jump to next diff
   map n ]c
   " jump to previous diff
   map p [c
   " switch windows (back and forth)
   nnoremap <C-o> <C-W>w
 endif
--- a/roles/pubnix/files/sshd_config
+++ b/roles/pubnix/files/sshd_config
@@ -1,3 +1,4 @@
 # pub jail sshd config
 LogLevel INFO
 LoginGraceTime 1m
 PermitRootLogin no
--- a/roles/pub/tasks/main.yaml
+++ b/roles/pub/tasks/main.yaml
@@ -0,0 +1,124 @@
 ---
 - name: create services template dir
  file:
    path: "/usr/local/bastille/templates/services/{{ role_name }}"
    state: directory
    recurse: yes
 - name: copy template config files
  template:
    src: Bastillefile.j2
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/Bastillefile"
 - name: create config paths
  file:
    path: "/usr/local/bastille/templates/services/{{ role_name }}/{{ item }}/"
    state: directory
    recurse: yes
  loop:
    - etc/ssh
    - usr/share/skel
 - name: copy sshd config file
  copy:
    src: sshd_config
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"
 - name: copy motd file
  copy:
    src: motd
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/motd.template"
 - name: copy skel files
  copy:
    src: "skel/{{ item }}"
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/usr/share/skel/{{ item }}"
  loop:
    - dot.bash_profile
    - dot.cshrc
    - dot.emacs
    - dot.login
    - dot.login_conf
    - dot.profile
    - dot.shrc
 - name: copy resolv.conf file
  template:
    src: resolv.conf.j2
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/resolv.conf"
 - name: copy hosts file
  template:
    src: hosts.j2
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/hosts"
 - name: create jail
  shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0"
  args:
    creates: /usr/local/bastille/jails/{{ role_name }}
 - name: start jail
  # https://github.com/BastilleBSD/bastille/issues/342
  shell: bastille start {{ role_name }} || true
 - name: template jail
  shell: "bastille template {{ role_name }} services/{{ role_name }}"
 # FIXME: loop over files and check size somehow, or always copy? use file module?
 - name: copy skel files into jail template
  shell: cp -r /usr/local/bastille/templates/services/{{ role_name }}/usr/share/skel /usr/local/bastille/jails/{{ role_name }}/root/etc/
  # args:
  #   creates: /usr/local/bastille/jails/{{ role_name }}/root/etc/skel
 # these will later be used by  bin/user.sh (see below) to be installed
 # into the user homes
 - name: copy user ssh keys
  copy:
    src: keys
    dest: "/usr/local/bastille/"
 # create our login class, needed for rctl rules
 - name: create jail login class
  blockinfile:
    path: /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
    append_newline: true
    prepend_newline: true
    block: |
      jail:\
          :tc=default:
 # shell: |
 #   ( echo "jail:\\"; printf "\t:tc=default:\n" ) >> /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
 #   cap_mkdb /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
 #   touch /tmp/.ansiblepubloginconf
 # args:
 #   creates: /tmp/.ansiblepubloginconf
 # create our own group[s]
 - name: Manage groups
  loop: "{{ jailgroups }}"
  ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -i '{{ item.id | default(None) }}' -d /usr/local/bastille/jails/{{ role_name }}/root"
 # The normal  ansible user  module can't be  used here,  because we're
 # talking  about jail  users  here. I  tried to  patch  the module  to
 # support the  -R flag (https://github.com/ansible/ansible/pull/84371)
 # but it makes no sense. Every  single function needs to be patched so
 # that it works for jails.
 #
 # So, instead I'm just using this simple script, which does the job as
 # well.
 - name: Manage users
  loop: "{{ jailusers }}"
  ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -i '{{ item.id | default(None) }}' -d {{ defaults.jailbase }}/{{ role_name }}/root"
 - name: add dns entry for jail host
  community.dns.hetzner_dns_record:
    state: present
    zone: "{{ dns.zone }}"
    record: "{{ role_name }}.{{ dns.zone }}"
    type: AAAA
    ttl: 300
    value: "{{ jailip.stdout }}"
    hetzner_token: "{{ hetzner_dns_token }}"
--- a/roles/pub/templates/Bastillefile.j2
+++ b/roles/pub/templates/Bastillefile.j2
@@ -0,0 +1,20 @@
 CP etc /
 PKG {{ jails.pub.pkgs | join(' ') }}
 SYSRC sshd_enable=YES
 SYSRC sendmail_enable=NONE
 SYSRC tmpsize=500m
 SYSRC tmpmfs=AUTO
 SYSRC clear_tmp_enable=YES
 CMD if test -l /home; then rm /home; fi
 CMD mkdir -p /home
 FSTAB /home home nullfs rw 0 0
 # FIXME: fails for now, see: https://github.com/BastilleBSD/bastille/issues/743
 #CP usr/share/skel /usr/share/skel
 SERVICE sshd start
 SERVICE motd restart
--- a/roles/pub/templates/hosts.j2
+++ b/roles/pub/templates/hosts.j2
@@ -0,0 +1,13 @@
 ::1                     localhost localhost.my.domain
 127.0.0.1               localhost localhost.my.domain
 # https://danwin1210.de/github-ipv6-proxy.php
 2a01:4f8:c010:d56::2 github.com
 2a01:4f8:c010:d56::3 api.github.com
 2a01:4f8:c010:d56::4 codeload.github.com
 2a01:4f8:c010:d56::5 objects.githubusercontent.com
 2a01:4f8:c010:d56::6 ghcr.io
 2a01:4f8:c010:d56::7 pkg.github.com npm.pkg.github.com maven.pkg.github.com nuget.pkg.github.com rubygems.pkg.github.com
 2a01:4f8:c010:d56::8 uploads.github.com
 {{ chatip.stdout }} chat chat.bsdnix.de kobayashi kobayashi.bsdnix.de
--- a/roles/pub/templates/resolv.conf.j2
+++ b/roles/pub/templates/resolv.conf.j2
@@ -0,0 +1,2 @@
 nameserver {{ primaryip.stdout }}
 options edns0
--- a/roles/pubnix/files/Bastillefile
+++ b/roles/pubnix/files/Bastillefile
@@ -1,6 +0,0 @@
 PKG bash
 SYSRC sshd_enable=YES
 CMD mkdir -p /data/home
 SERVICE nginx restart
 FSTAB /data/home data/home nullfs ro 0 0
 RDR tcp 22 22
--- a/roles/pubnix/tasks/main.yaml
+++ b/roles/pubnix/tasks/main.yaml
@@ -1,46 +0,0 @@
 ---
 - name: create services template dir
  file:
    path: "/usr/local/bastille/templates/services/{{ role_name }}"
    state: directory
    recurse: yes
 - name: copy template config files
  copy:
    src: Bastillefile
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/"
 - name: create config path
  file:
    path: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"
    state: directory
    recurse: yes
 - name: copy config file
  copy:
    src: sshd_config
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"
 - name: create data/home dataset
  community.general.zfs:
    name: zroot/home
    state: present
    extra_zfs_properties:
      mountpoint: /data/home
 - name: determine ipv6 address
  shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { sub(/::.$/, "::2", $2); print $2 }}'
  register: jailip
 - name: create jail
  shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0"
  args:
    creates: /usr/local/bastille/jails/{{ role_name }}
 - name: start jail
  # https://github.com/BastilleBSD/bastille/issues/342
  shell: bastille start {{ role_name }} || true
 # FIXME: fails, /etc/resolv.conf in jail is wrong, no working nameserver in there or outgoing dns forbidden
 - name: template jail
  shell: "bastille template {{ role_name }} services/{{ role_name }}"
--- a/roles/reachable/tasks/main.yaml
+++ b/roles/reachable/tasks/main.yaml
@@ -0,0 +1,4 @@
 ---
 - name: wait until host is reachable
  ansible.builtin.wait_for_connection:
    timeout: 1200
--- a/roles/server/files/hosts
+++ b/roles/server/files/hosts
@@ -0,0 +1,11 @@
 ::1                     localhost localhost.my.domain
 127.0.0.1               localhost localhost.my.domain
 # https://danwin1210.de/github-ipv6-proxy.php
 2a01:4f8:c010:d56::2 github.com
 2a01:4f8:c010:d56::3 api.github.com
 2a01:4f8:c010:d56::4 codeload.github.com
 2a01:4f8:c010:d56::5 objects.githubusercontent.com
 2a01:4f8:c010:d56::6 ghcr.io
 2a01:4f8:c010:d56::7 pkg.github.com npm.pkg.github.com maven.pkg.github.com nuget.pkg.github.com rubygems.pkg.github.com
 2a01:4f8:c010:d56::8 uploads.github.com
--- a/roles/server/files/jlogin
+++ b/roles/server/files/jlogin
@@ -0,0 +1,41 @@
 #!/bin/sh
 jail=$1
 user=$2
 me=$(id -u)
 jid=""
 if test "$jail" = "-h"; then
    echo "jlogin [jail] [user]"
    exit
 fi
 if test -z "$jail"; then
    jid=$(jls | head -2 | tail -1 | awk '{print $1}')
    jail=$(jls | head -2 | tail -1 | awk '{print $2}')
 else
    jid=$(jls | grep "$jail" | awk '{print $1}')
 fi
 if test -z "$jid"; then
    echo "jail $jail doesn't run!"
    exit 1
 fi
 shell=/bin/csh
 home=/home/$user
 term=vt100
 path=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
 jexec=jexec
 if test -z "$user"; then
    user=root
    home=/root
 fi
 if test "$me" != "0"; then
    jexec="sudo jexec"
 fi
 echo "# Logging into jail $jail with jid $jid #"
 env - JAIL="$jail" TERM=$term HOME="$home" SHELL=$shell PATH=$path "$jexec" -U "$user" "$jid" sh
--- a/roles/server/files/kresd.conf
+++ b/roles/server/files/kresd.conf
@@ -0,0 +1,12 @@
 -- Network interface configuration
 net.listen('127.0.0.1', 53, { kind = 'dns' })
 net.listen('127.0.0.1', 853, { kind = 'tls' })
 net.listen('::', 53, { kind = 'dns', freebind = true })
 net.listen('::1', 853, { kind = 'tls', freebind = true })
 -- Load useful modules
 modules = {
        'hints > iterate',  -- Allow loading /etc/hosts or custom root hints
        'stats',            -- Track internal statistics
        'predict',          -- Prefetch expiring/frequent records
 }
--- a/roles/server/files/rctl.conf
+++ b/roles/server/files/rctl.conf
@@ -0,0 +1,10 @@
 #
 # rctl.conf: restrictions  for jail  users.  The loginclass  "jail" is
 # being   created  inside   the   "pub"   jail's  /etc/login.conf   in
 # roles/pub/tasks/main.yaml. But we can  still configure the kernel to
 # accept rules based on this login class. Cool!
 loginclass:jail:maxproc:deny=50/user
 loginclass:jail:openfiles:deny=100/user
 loginclass:jail:pcpu:deny=20/user
 #loginclass:jail:cputime:sigkill=100/user
--- a/roles/server/files/resolv.conf
+++ b/roles/server/files/resolv.conf
@@ -0,0 +1,2 @@
 nameserver ::1
 options edns0
--- a/roles/server/handlers/main.yaml
+++ b/roles/server/handlers/main.yaml
@@ -0,0 +1,17 @@
 ---
 - name: start kresd
  service:
    name: kresd
    state: started
 - name: stop unbound
  service:
    name: local_unbound
    state: stopped
 - name: start rctl
  service:
    name: rctl
    state: started
 - meta: flush_handlers
--- a/roles/server/tasks/main.yaml
+++ b/roles/server/tasks/main.yaml
@@ -4,6 +4,10 @@
    state: present
    name: "{{ packages }}"
 - name: Create program symlinks
  shell: "ln -sf /usr/local/bin/{{ item.program }} /usr/local/bin/{{ item.link }}"
  loop: "{{ versions }}"
 # FIXME: remove the symlink in the next release snapshot
 - name: Remove old home sym link
  shell: |
@@ -67,10 +71,72 @@
    reload: true
 - name: Install doas config
-  ansible.builtin.copy:
+  copy:
-    src: roles/server/files/doas.conf
+    src: doas.conf
    dest: /usr/local/etc/doas.conf
    owner: root
    group: wheel
    mode: '0600'
 - name: Install knot resolver config
  copy:
    src: kresd.conf
    dest: /usr/local/etc/knot-resolver/kresd.conf
    owner: root
    group: wheel
    mode: '0644'
 - name: Install knot resolv.conf
  copy:
    src: resolv.conf
    dest: /etc/resolv.conf
    owner: root
    group: wheel
    mode: '0644'
 - name: Install rctl rule set
  copy:
    src: rctl.conf
    dest: /etc/rctl.conf
    owner: root
    group: wheel
    mode: '0644'
 - name: Install /etc/hosts file
  copy:
    src: hosts
    dest: /etc/hosts
    owner: root
    group: wheel
    mode: '0644'
 - name: Install jlogin
  copy:
    src: jlogin
    dest: /usr/local/sbin/jlogin
    owner: root
    group: wheel
    mode: '0755'
 - name: Symlink knot dig
  shell: "ln -sf /usr/local/bin/kdig /usr/local/bin/dig"
  args:
    creates: "/usr/local/bin/dig"
 - name: disable unbound
  community.general.sysrc:
    name: local_unbound_enable
    value: "NO"
  notify: stop unbound
 - name: enable knot resolver
  community.general.sysrc:
    name: kresd_enable
    value: "YES"
  notify: start kresd
 - name: enable rctl
  community.general.sysrc:
    name: rctl_enable
    value: "YES"
  notify: start rctl
Author	SHA1	Message	Date
Thomas von Dein	3245a141ad	fixed open file copy problem	2024-12-18 09:14:26 +01:00
Thomas von Dein	8d7fad0060	fixed devzat rc script, user creation with skell, +new todo	2024-12-16 16:10:11 +01:00
Thomas von Dein	e6baefdbd5	enhanced user management	2024-12-16 14:23:45 +01:00
Thomas von Dein	ef31172e81	fixed chat jail, added releaser playbook, fixed rctl boot var	2024-12-16 12:23:19 +01:00
Thomas von Dein	7b60d8bf8c	fixed bootstrap of chat jail, added rctl limit config stuff	2024-12-15 18:48:41 +01:00
Thomas von Dein	862f2567b1	Added ssh config (for accessing kobayashi chat)	2024-12-13 18:39:21 +01:00
Thomas von Dein	c7b89345bf	added devzat chat jail	2024-12-12 18:47:43 +01:00
Thomas von Dein	4048b8fd92	updated	2024-12-12 13:02:09 +01:00
Thomas von Dein	7d74493850	add devzat chat server	2024-12-12 13:01:26 +01:00
Thomas von Dein	8c3e24b4a8	+ssh chat jail todo	2024-12-12 12:33:20 +01:00
Thomas von Dein	3507f3a7a7	update to 14.2	2024-12-12 09:13:34 +01:00
Thomas von Dein	1b0d8904a1	updated	2024-12-11 18:13:36 +01:00
Thomas von Dein	a92cda6b40	added dns using hetzner dns, renamed pubnix => pub	2024-12-10 17:47:38 +01:00
Thomas von Dein	b429091ec7	add dns role	2024-12-10 12:38:49 +01:00
Thomas von Dein	411f71a7ff	add group role, rename default group	2024-12-09 19:03:48 +01:00
Thomas von Dein	f92f2f2fad	+jlogin, group, defaults, more pkgs	2024-11-28 19:34:30 +01:00
Thomas von Dein	8e934e6230	fixed	2024-11-28 12:33:34 +01:00
Thomas von Dein	caa6b9c78a	added secret encrpytion script and check, incl pre-commit hook	2024-11-27 12:42:27 +01:00
Thomas von Dein	c49dff9ad4	fixed user creation, some rc files, use hcloud host vars (ipv6)	2024-11-26 18:00:21 +01:00
Thomas von Dein	158048f51d	fixed ip variables, now using inventory vars	2024-11-26 13:09:26 +01:00
Thomas von Dein	fe04b3fe87	fixed user management, incl skel dir	2024-11-25 18:29:17 +01:00
Thomas von Dein	09e2be2ab7	fix ipv6 addr resolution issue, now I'm resolving it myself, dammit	2024-11-25 13:13:21 +01:00
Thomas von Dein	b58865cf88	add vimrc	2024-11-25 11:15:18 +01:00
Thomas von Dein	2ca75ee186	add todo github v6 proxy	2024-11-25 10:13:51 +01:00
Thomas von Dein	b0073ee96a	took note of default gw issue, see TODO and fixed kresd.conf	2024-11-24 18:46:09 +01:00
Thomas von Dein	b6bc036930	fixed resolv.conf, user creation, pf, added skel files (fails)	2024-11-24 13:12:51 +01:00
Thomas von Dein	cd11f997b8	replace unbound w/ kresd, add user (needs ansible users bugfix for pw)	2024-11-22 18:43:35 +01:00
Thomas von Dein	cfe6edae85	no quotes allowed here	2024-11-22 07:51:11 +01:00
Thomas von Dein	087249aa7a	Merge branch 'master' of repo.daemon.de:scip/bsdnix	2024-11-21 19:40:40 +01:00
Thomas von Dein	480111eed7	fixes: - finally fixed pf.conf - got Bastillefile working (sshd_config missing yet) - re-activated network role to set net variables - fixed make [all] - use hetzner volume for jail home - use ramdisk for /tmp inside jail	2024-11-21 19:38:55 +01:00
		`@@ -0,0 +1,2 @@`
							`nameserver {{ primaryip.stdout }}`
							`options edns0`