fixed open file copy problem

Makefile

@@ -14,6 +14,7 @@ SNAPSHOT    = $(shell hcloud image  list -t snapshot -o yaml | \
 
 OPTIONS = -i inventory -t active
 CREATE_COMMAND = ansible-playbook create.yaml $(OPTIONS)
+RELEASE_COMMAND = ansible-playbook release.yaml $(OPTIONS)
 DEPLOY_COMMAND = ansible-playbook deploy.yaml $(OPTIONS)
 CLEAN_COMMAND = ansible-playbook cleanup.yaml $(OPTIONS)
 HOSTS_COMMAND = ansible-playbook knownhosts.yaml $(OPTIONS)
@@ -30,10 +31,15 @@ debug:
 create:
 	$(ENV) $(CREATE_COMMAND)
 
+release:
+	$(ENV) $(RELEASE_COMMAND)
+
 hosts:
 	$(ENV) $(HOSTS_COMMAND)
 
+# remove ssh control point, which may lead to hangs if wifi breaks during deployment
 deploy:
+	rm -rf ~/.ansible/cp/*
 	$(ENV) $(DEPLOY_COMMAND)
 
 clean:

TODO.md

@@ -1,26 +1,49 @@
-## Install tarball
-
 ### clean known_host doesnt work
 
-### install from tarball example:
-
-```yaml
-- name: "If jdk not exists then only download and unarchive"
-  unarchive:
-    src: "https://download.oracle.com/java/17/latest/jdk-17_linux-aarch64_bin.tar.gz"
-    dest: /opt/
-    remote_src: yes
-    creates: /opt/jdk-17
-  register: foo
-- name: "Rename if download happens "
-  command: mv /opt/jdk-17_linux-arch64 /opt/jdk-17
-  when: foo.changed == True
-```
-
-### Cleanup release snapshot
-
-- remove pkg function from root .bashrc
-
 ## Add quota config and enable/configure rctl
 
-## Add MOTD
+## Add bsdnix manpage (into pub jail)
+
+## Check if motd generation works
+
+See Bastillefile pub
+
+## racct/rctl test
+
+test the current setup: does it get configured and how does it limit
+users? also check if new users belong to login class "jail" and test
+their limits
+
+## devzat file busy still failing
+
+https://github.com/BastilleBSD/bastille/issues/772
+
+## ZFS quota
+
+Still not working, but it worked already? Dont get it.
+
+zfs set groupquota@bsdnixer=10MB zhcloud/home
+
+zfs get groupquota@bsdnixer zhcloud/home
+
+zfs groupspace zhcloud/home
+zfs userspace zhcloud/home
+
+## Fix permissions jail /etc 
+
+## Remove volume fails newly
+
+TASK [remove : Remove volume] 
+An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ansible_collections.hetzner.hcloud.plugins.module_utils.vendor.hcloud._exceptions.APIException: cannot perform operation because volume is locked
+fatal: [suto]: FAILED! => changed=false 
+  ansible_facts:
+    discovered_interpreter_python: /usr/bin/python3
+  failure:
+    code: locked
+    details: {}
+    message: cannot perform operation because volume is locked
+  msg: cannot perform operation because volume is locked
+
+
+Maybe "unlock" it somehow? Perhaps this happens because there are user
+online with open files in /home?

cleanup.yaml

@@ -1,7 +1,7 @@
 ---
 - name: Remove BSDNIX Servers
   tags: active
-  hosts: vps
+  hosts: vps,relvps
   connection: local
   gather_facts: False
   user: root

deploy.yaml

@@ -12,4 +12,5 @@
     - role: firewall
     - role: ssh
     - role: jails
+    - role: chat
     - role: pub

group_vars/all/all.yaml

@@ -12,11 +12,15 @@ packages:
   - go122
   - git
 
+versions:
+  - program: go122
+    link: go
+  
 # used by bastille to build a base
 release: 14.2-RELEASE
 
 # snapshot to install in new vps
-snapshot: FreeBSD-14.2-RELEASE-p0-0-hcloud-init
+snapshot: FreeBSD-14.2-RELEASE-p0-1-hcloud-init
 
 location: fsn1
 
@@ -58,12 +62,21 @@ defaults:
   jailbase: /usr/local/bastille/jails
 
 jailgroups:
+  - name: first
+    state: present
+    id: 3999
   - name: bsdnixer
     state: present
   
 jailusers:
+  - name: first
+    state: present
+    id: 4000
   - name: scip
     state: present
+  - name: tuud
+    groups: wheel
+    state: present
   - name: tom
     state: present
     

inventory/vps.yaml

@@ -4,3 +4,8 @@ vps:
     suto:
       hostname: suto
 
+relvps:
+  hosts:
+    releaser:
+      hostname: releaser
+

release.yaml

@@ -0,0 +1,18 @@
+---
+- name: Create BSDNIX Release Server
+  tags: active
+  hosts: relvps
+  connection: local
+  gather_facts: False
+  user: root
+  roles:
+    - role: install
+
+- name: Deploy BSDNIX Release Server
+  tags: active
+  hosts: running
+  gather_facts: true
+  user: root
+  roles:
+    - role: dns
+

roles/chat/files/devzat

@@ -1,20 +1,25 @@
 #!/bin/sh
 
+#
+# PROVIDE: devzat
+# REQUIRE: networking
+# KEYWORD:
+
 . /etc/rc.subr
 
-name=devzat
-rcvar=devzat_enable 
+name="devzat"
+rcvar="devzat_enable"
+devzat_user="nobody"
+devzat_source="/usr/local/sbin/devzat"
+devzat_command="/usr/local/sbin/devzat"
+pidfile="/tmp/${name}.pid"
+command="/usr/sbin/daemon"
+command_args="-P ${pidfile} -c ${devzat_command}"
+devzat_config="/usr/local/etc/devzat.yml"
 
-start_cmd="${name}_start"
-stop_cmd=":"
-
-load_rc_config $name 
-: ${devzat_enable:=no} 
-: ${devzat_config="/usr/local/etc/devzat.yml"}
-: ${devzat_daemon="/usr/local/sbin/devzat"}
-
-devzat_start() {
-    DEVZAT_CONFIG="${devzat_config}" ${devzat_daemon}
-}
+load_rc_config $name
+: ${devzat_enable:=no}
 
+export DEVZAT_CONFIG="${devzat_config}"
 run_rc_command "$1"
+

roles/chat/files/devzat.yml

@@ -1,14 +1,14 @@
 # what port to host a server on ($PORT overrides this)
-port: 22
+port: 2222
 
 # what port to host profiling on (unimportant)
 profile_port: 5555
 
 # where to store data such as bans and logs
-data_dir: /var/run/devzat-data
+data_dir: /home/devzat/devzat-data
 
 # where the SSH private key is stored
-key_file: /var/run/devzat-sshkey
+key_file: /home/devzat/devzat-sshkey
 
 # whether to censor messages (optional)
 censor: false

roles/chat/tasks/main.yaml

@@ -1,10 +1,17 @@
 ---
+# we do NOT use:
+# git clone https://github.com/quackduck/devzat
+# but our own fork where we patched the torlist stuff away.
+# see: https://github.com/quackduck/devzat/issues/246
+# https://github.com/tlinden/devzat
 - name: build devzat
   shell: |
     cd /tmp
     git clone https://github.com/quackduck/devzat
     cd /tmp/devzat
     go build
+  args:
+    creates: "/tmp/.ansible.devzatbuild"
   
 - name: create services template dir
   file:
@@ -28,7 +35,11 @@
     - usr/local/sbin
 
 - name: copy devzat binary
-  shell: install -m 755 /tmp/devzat/devzat /usr/local/bastille/templates/services/{{ role_name }}/usr/local/sbin/devzat
+  shell: |
+    install -m 755 /tmp/devzat/devzat /usr/local/bastille/templates/services/{{ role_name }}/usr/local/sbin/devzat
+    touch /tmp/.ansible.devzat
+  args:
+    creates: "/tmp/.ansible.devzat"
   
 - name: copy devzat config file
   copy:
@@ -39,6 +50,7 @@
   copy:
     src: devzat
     dest: "/usr/local/bastille/templates/services/{{ role_name }}/usr/local/etc/rc.d/"
+    mode: '0755'
 
 - name: create jail
   shell: "bastille create -B {{ role_name }} {{ release }} {{ chatip.stdout }}/64 bridge0"
@@ -49,4 +61,5 @@
   shell: bastille start {{ role_name }} || true
 
 - name: template jail
-  shell: "bastille template {{ role_name }} services/{{ role_name }}"
+  shell: |
+    bastille template {{ role_name }} services/{{ role_name }}

roles/chat/templates/Bastillefile.j2

@@ -1,4 +1,6 @@
-CP usr /
+SERVICE devzat stop
+
+CMD if [ -f /usr/local/sbin/devzat ]; then rm -f /usr/local/sbin/devzat; fi
 
 SYSRC sendmail_enable=NONE
 SYSRC tmpsize=500m
@@ -6,4 +8,13 @@ SYSRC tmpmfs=AUTO
 SYSRC clear_tmp_enable=YES
 SYSRC devzat_enable=YES
 
+
+CMD if test -L /home; then rm /home; fi
+CMD mkdir -p /home
+FSTAB /home home nullfs rw 0 0
+
+CMD install -d -o nobody -m 700 /home/devzat
+
+CP usr /
+
 SERVICE devzat start

roles/install/tasks/main.yaml

@@ -13,7 +13,9 @@
   register: server
 
 - name: Attach the home volume
+  when: inventory_hostname in groups['vps']
   hetzner.hcloud.volume:
     name: "{{ storage.volume.name }}"
     server: "{{ hostname }}"
     state: present
+

roles/jails/tasks/main.yaml

@@ -31,6 +31,11 @@
   args:
     creates: "/usr/local/bastille/releases/{{ release }}"
 
+- name: remove home link from bootstrap
+  shell: |
+    if test -L /usr/local/bastille/releases/{{ release }}/home; then rm -f /usr/local/bastille/releases/{{ release }}/home; fi
+    mkdir -p /usr/local/bastille/releases/{{ release }}/home
+
 - name: configure bootstrap to use latest pkgs
   replace:
     path: "/usr/local/bastille/releases/{{ release }}/etc/pkg/FreeBSD.conf"

roles/pub/bin/group.sh

@@ -2,6 +2,7 @@
 
 rootdir=""
 group=""
+id=""
 action=""
 
 usage() {
@@ -16,7 +17,7 @@ run() {
 }
 
 OPTIND=1
-while getopts d:g:a: opt ; do
+while getopts d:g:a:i: opt ; do
     case $opt in
         d)
             rootdir="$OPTARG"
@@ -24,6 +25,9 @@ while getopts d:g:a: opt ; do
         g)
             group="$OPTARG"
             ;;
+        i)
+            id="$OPTARG"
+            ;;
         a)
             action="$OPTARG"
             ;;
@@ -39,28 +43,35 @@ if test -z "$group" -o -z "$action"; then
     usage
 fi
 
-root=""
+# we do it once for $rootdir and once on the host to have synchronous groups
+for root in "$rootdir" ""; do
+    args=""
 
-if test -n "$rootdir"; then
-    root="-R $rootdir"
-fi
+    if test -n "$root"; then
+        root="-R $root"
+    fi
 
-case "$action" in
-    present)
-        if pw $root group show "$group" > /dev/null 2>&1; then
-            if pw $root group show "$group" | grep -q LOCKED; then
-                echo "$group exists."
+    if test -n "$id"; then
+        args="-g $id"
+    fi
+
+    case "$action" in
+        present)
+            if pw $root group show "$group" > /dev/null 2>&1; then
+                if pw $root group show "$group" | grep -q LOCKED; then
+                    echo "$group exists."
+                fi
+            else
+                run pw $root group add "$group" $args
             fi
-        else
-            run pw $root group add "$group"
-        fi
-        ;;
-    absent)
-        if pw $root group show "$group" > /dev/null 2>&1; then
-            run pw $root group del "$group"
-        fi
-        ;;
-    *)
-        usage
-        ;;
-esac
+            ;;
+        absent)
+            if pw $root group show "$group" > /dev/null 2>&1; then
+                run pw $root group del "$group"
+            fi
+            ;;
+        *)
+            usage
+            ;;
+    esac
+done

roles/pub/bin/user.sh

@@ -9,7 +9,9 @@ groups=""
 home=""
 shell="/usr/local/bin/bash"
 comment=""
+loginclass="jail"
 action=""
+id=""
 
 usage() {
     echo "Usage: $0 -u user [-h home] [-s shell] [-g groups] [-d rootdir] [-c comment] -a action"
@@ -19,7 +21,7 @@ usage() {
 
 getuid() {
     # resolve jail uid
-    
+
     root="$1"
     user="$2"
     pw $root show user "$user" -7 | cut -d: -f 3
@@ -27,14 +29,14 @@ getuid() {
 
 run() {
     # verbose exec
-    
+
     echo "$@"
     "$@"
 }
 
 # parse commandline flags
 OPTIND=1
-while getopts d:u:h:g:s:c:a: opt ; do
+while getopts d:u:h:g:s:c:a:i: opt ; do
     case $opt in
         d)
             rootdir="$OPTARG"
@@ -42,6 +44,9 @@ while getopts d:u:h:g:s:c:a: opt ; do
         u)
             user="$OPTARG"
             ;;
+        i)
+            id="$OPTARG"
+            ;;
         h)
             home="$OPTARG"
             ;;
@@ -69,73 +74,113 @@ if test -z "$user" -o -z "$action"; then
     usage
 fi
 
-# setup pw flags
-args=""
-root=""
+# we do it once for $rootdir and  once on the host to have synchronous
+# users, however, host users will be  locked, unless they are in group
+# wheel
+for root in "$rootdir" ""; do
+    # setup pw flags
+    args=""
+    skel=""
 
-if test -n "$rootdir"; then
-    root="-R $rootdir"
-fi
+    if test -n "$root"; then
+        root="-R $root"
+        skel="-k /etc/skel"
+    fi
 
-if test -n "$groups"; then
-    args="-G $groups"
-fi
+    if test -n "$groups"; then
+        args="-G $groups"
+    fi
 
-if test -n "$home"; then
-    args="$args -d $home -k /etc/skel -m -M 700"
-else
-    args="$args -d /home/$user -k /etc/skel -m -M 700"
-fi
+    if test -n "$home"; then
+        args="$args -d $home -m -M 700"
+    else
+        args="$args -d /home/$user -m -M 700"
+    fi
 
-if test -n "$shell"; then
-    args="$args -s $shell"
-else
-    args="$args -s /usr/local/bin/bash"
-fi
+    if test -n "$shell"; then
+        args="$args -s $shell"
+    else
+        args="$args -s /usr/local/bin/bash"
+    fi
 
-if test -n "$comment"; then
-    args="$args -c $comment"
-fi
+    if test -n "$comment"; then
+        args="$args -c $comment"
+    fi
 
-# the horse shall work
-case "$action" in
-    present)
-        if pw $root user show "$user" > /dev/null 2>&1; then
-            if pw $root user show "$user" | grep -q LOCKED; then
-                # user is present but locked
-                run pw unlock "$user"
+    if test -n "$loginclass"; then
+        args="$args -L $loginclass"
+    fi
+
+    if test -n "$id"; then
+        args="$args -u $id"
+    fi
+
+    # the horse shall work
+    case "$action" in
+        present)
+            if pw $root user show "$user" > /dev/null 2>&1; then
+                if pw $root user show "$user" | grep -q LOCKED; then
+                    # user is present but locked
+                    run pw $root unlock "$user"
+                else
+                    echo "$user exists."
+                fi
             else
-                echo "$user exists."
-            fi
-        else
-            # create user
-            run pw $root user add "$user" $args
-        fi
+                # create user
+                run pw $root user add "$user" $args $skel
 
-        if test -e "/usr/local/bastille/keys/$user" -a ! -e "/home/$user/.ssh/authorized_keys"; then
-            # install ssh key
-            uid=$(getuid "$root" "$user")
-            install -m 700 -o "$uid" -g "$uid" -d "/home/$user/.ssh"
-            install -m 600 -o "$uid" -g "$uid" "/usr/local/bastille/keys/$user" "/home/$user/.ssh/authorized_keys"
-        fi
-        ;;
-    absent)
-        if pw $root user show "$user" > /dev/null 2>&1; then
-            # get rid
-            run pw $root user del "$user"
-        fi
-        ;;
-    locked)
-        if pw $root user show "$user" > /dev/null 2>&1; then
-            if pw $root user show "$user" | grep -q LOCKED; then
-                echo "$user is already locked."
-            else
-                # lock'em out
-                run pw lock "$user"
+                # if we're running on host and the user is a regular jail user, lock them
+                if test -z "$root" -a "$groups" != "wheel"; then
+                    run pw lock "$user"
+                fi
             fi
-        fi
-        ;;
-    *)
-        usage
-        ;;
-esac
+
+            if test -e "/usr/local/bastille/keys/$user" -a ! -e "/home/$user/.ssh/authorized_keys"; then
+                # install ssh key
+                run install -m 700 -o "$user" -g "$user" -d "/home/$user/.ssh"
+                run install -m 600 -o "$user" -g "$user" "/usr/local/bastille/keys/$user" "/home/$user/.ssh/authorized_keys"
+
+                # generate  chat  key,  which  is  required  so  login  to
+                # kobayashi, so that ssh-chat works  even if the user does
+                # not have their own key yet.
+                run ssh-keygen -t ed25519 -f /home/$user/.ssh/id_chat_kobayashi -P ""
+
+                (
+                    echo "The key id_chat_kobayashi exists so that you're able to reach"
+                    echo "the kobayashi chat service. Once you have generated your own"
+                    echo "key, you can just delete it."
+                ) > "/home/$user/.ssh/README"
+
+                if test ! -e "/home/$user/.ssh/config"; then
+                    (
+                        echo "Host kobayashi"
+                        echo "  Port 2222"
+                        echo "  IdentityFile ~/.ssh/id_chat_kobayashi"
+                        echo "  StrictHostKeyChecking no"
+                    ) > "/home/$user/.ssh/config"
+                fi
+
+                run chown "$user:$user" /home/$user/.ssh/*
+            fi
+            ;;
+        absent)
+            if pw $root user show "$user" > /dev/null 2>&1; then
+                # get rid
+                run pw $root user del "$user"
+            fi
+            ;;
+        locked)
+            if pw $root user show "$user" > /dev/null 2>&1; then
+                if pw $root user show "$user" | grep -q LOCKED; then
+                    echo "$user is already locked."
+                else
+                    # lock'em out
+                    run pw $root lock "$user"
+                fi
+            fi
+            ;;
+        *)
+            usage
+            ;;
+    esac
+done

roles/pub/tasks/main.yaml

@@ -46,7 +46,12 @@
   template:
     src: resolv.conf.j2
     dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/resolv.conf"
-    
+
+- name: copy hosts file
+  template:
+    src: hosts.j2
+    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/hosts"
+
 - name: create jail
   shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0"
   args:
@@ -72,10 +77,27 @@
     src: keys
     dest: "/usr/local/bastille/"
 
+# create our login class, needed for rctl rules
+- name: create jail login class
+  blockinfile:
+    path: /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
+    append_newline: true
+    prepend_newline: true
+    block: |
+      jail:\
+          :tc=default:
+
+# shell: |
+#   ( echo "jail:\\"; printf "\t:tc=default:\n" ) >> /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
+#   cap_mkdb /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
+#   touch /tmp/.ansiblepubloginconf
+# args:
+#   creates: /tmp/.ansiblepubloginconf
+
 # create our own group[s]
 - name: Manage groups
   loop: "{{ jailgroups }}"
-  ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -d /usr/local/bastille/jails/{{ role_name }}/root"
+  ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -i '{{ item.id | default(None) }}' -d /usr/local/bastille/jails/{{ role_name }}/root"
 
 # The normal  ansible user  module can't be  used here,  because we're
 # talking  about jail  users  here. I  tried to  patch  the module  to
@@ -87,7 +109,7 @@
 # well.
 - name: Manage users
   loop: "{{ jailusers }}"
-  ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -d {{ defaults.jailbase }}/{{ role_name }}/root"
+  ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -i '{{ item.id | default(None) }}' -d {{ defaults.jailbase }}/{{ role_name }}/root"
 
 - name: add dns entry for jail host
   community.dns.hetzner_dns_record:

roles/pub/templates/Bastillefile.j2

@@ -13,8 +13,8 @@ CMD mkdir -p /home
 
 FSTAB /home home nullfs rw 0 0
 
-
 # FIXME: fails for now, see: https://github.com/BastilleBSD/bastille/issues/743
 #CP usr/share/skel /usr/share/skel
 
 SERVICE sshd start
+SERVICE motd restart

roles/pub/templates/hosts.j2

@@ -0,0 +1,13 @@
+::1                     localhost localhost.my.domain
+127.0.0.1               localhost localhost.my.domain
+
+# https://danwin1210.de/github-ipv6-proxy.php
+2a01:4f8:c010:d56::2 github.com
+2a01:4f8:c010:d56::3 api.github.com
+2a01:4f8:c010:d56::4 codeload.github.com
+2a01:4f8:c010:d56::5 objects.githubusercontent.com
+2a01:4f8:c010:d56::6 ghcr.io
+2a01:4f8:c010:d56::7 pkg.github.com npm.pkg.github.com maven.pkg.github.com nuget.pkg.github.com rubygems.pkg.github.com
+2a01:4f8:c010:d56::8 uploads.github.com
+
+{{ chatip.stdout }} chat chat.bsdnix.de kobayashi kobayashi.bsdnix.de

roles/server/files/hosts

@@ -0,0 +1,11 @@
+::1                     localhost localhost.my.domain
+127.0.0.1               localhost localhost.my.domain
+
+# https://danwin1210.de/github-ipv6-proxy.php
+2a01:4f8:c010:d56::2 github.com
+2a01:4f8:c010:d56::3 api.github.com
+2a01:4f8:c010:d56::4 codeload.github.com
+2a01:4f8:c010:d56::5 objects.githubusercontent.com
+2a01:4f8:c010:d56::6 ghcr.io
+2a01:4f8:c010:d56::7 pkg.github.com npm.pkg.github.com maven.pkg.github.com nuget.pkg.github.com rubygems.pkg.github.com
+2a01:4f8:c010:d56::8 uploads.github.com

roles/server/files/rctl.conf

@@ -0,0 +1,10 @@
+#
+# rctl.conf: restrictions  for jail  users.  The loginclass  "jail" is
+# being   created  inside   the   "pub"   jail's  /etc/login.conf   in
+# roles/pub/tasks/main.yaml. But we can  still configure the kernel to
+# accept rules based on this login class. Cool!
+loginclass:jail:maxproc:deny=50/user
+loginclass:jail:openfiles:deny=100/user
+loginclass:jail:pcpu:deny=20/user
+#loginclass:jail:cputime:sigkill=100/user
+

roles/server/handlers/main.yaml

@@ -9,4 +9,9 @@
     name: local_unbound
     state: stopped
 
+- name: start rctl
+  service:
+    name: rctl
+    state: started
+    
 - meta: flush_handlers

roles/server/tasks/main.yaml

@@ -4,6 +4,10 @@
     state: present
     name: "{{ packages }}"
 
+- name: Create program symlinks
+  shell: "ln -sf /usr/local/bin/{{ item.program }} /usr/local/bin/{{ item.link }}"
+  loop: "{{ versions }}"
+    
 # FIXME: remove the symlink in the next release snapshot
 - name: Remove old home sym link
   shell: |
@@ -67,29 +71,45 @@
     reload: true
 
 - name: Install doas config
-  ansible.builtin.copy:
-    src: roles/server/files/doas.conf
+  copy:
+    src: doas.conf
     dest: /usr/local/etc/doas.conf
     owner: root
     group: wheel
     mode: '0600'
 
 - name: Install knot resolver config
-  ansible.builtin.copy:
-    src: roles/server/files/kresd.conf
+  copy:
+    src: kresd.conf
     dest: /usr/local/etc/knot-resolver/kresd.conf
     owner: root
     group: wheel
     mode: '0644'
 
 - name: Install knot resolv.conf
-  ansible.builtin.copy:
-    src: roles/server/files/resolv.conf
+  copy:
+    src: resolv.conf
     dest: /etc/resolv.conf
     owner: root
     group: wheel
     mode: '0644'
 
+- name: Install rctl rule set
+  copy:
+    src: rctl.conf
+    dest: /etc/rctl.conf
+    owner: root
+    group: wheel
+    mode: '0644'
+
+- name: Install /etc/hosts file
+  copy:
+    src: hosts
+    dest: /etc/hosts
+    owner: root
+    group: wheel
+    mode: '0644'
+    
 - name: Install jlogin
   copy:
     src: jlogin
@@ -115,3 +135,8 @@
     value: "YES"
   notify: start kresd
 
+- name: enable rctl
+  community.general.sysrc:
+    name: rctl_enable
+    value: "YES"
+  notify: start rctl