updated

TODO.md

@@ -23,8 +23,4 @@
 
 ## Add quota config and enable/configure rctl
 
-## Add ssh chat jail
-
-Admin id: 82f6872383933e913b31dbb906e4c44ea2937bea9531ac11429f16cee2e5a975
-
-https://github.com/quackduck/devzat
+## Add MOTD

group_vars/all/all.yaml

@@ -9,9 +9,11 @@ packages:
   - bash
   - doas
   - knot-resolver
+  - go122
+  - git
 
 # used by bastille to build a base
-release: 14.1-RELEASE
+release: 14.2-RELEASE
 
 # snapshot to install in new vps
 snapshot: FreeBSD-14.2-RELEASE-p0-0-hcloud-init

roles/chat/files/devzat

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+. /etc/rc.subr
+
+name=devzat
+rcvar=devzat_enable 
+
+start_cmd="${name}_start"
+stop_cmd=":"
+
+load_rc_config $name 
+: ${devzat_enable:=no} 
+: ${devzat_config="/usr/local/etc/devzat.yml"}
+: ${devzat_daemon="/usr/local/sbin/devzat"}
+
+devzat_start() {
+    DEVZAT_CONFIG="${devzat_config}" ${devzat_daemon}
+}
+
+run_rc_command "$1"

roles/chat/files/devzat.yml

@@ -0,0 +1,18 @@
+# what port to host a server on ($PORT overrides this)
+port: 22
+
+# what port to host profiling on (unimportant)
+profile_port: 5555
+
+# where to store data such as bans and logs
+data_dir: /var/run/devzat-data
+
+# where the SSH private key is stored
+key_file: /var/run/devzat-sshkey
+
+# whether to censor messages (optional)
+censor: false
+
+# a list of admin IDs and notes about them
+admins:
+  82f6872383933e913b31dbb906e4c44ea2937bea9531ac11429f16cee2e5a975: 'Seher Taak: github.com/tlinden'

roles/chat/tasks/main.yaml

@@ -0,0 +1,52 @@
+---
+- name: build devzat
+  shell: |
+    cd /tmp
+    git clone https://github.com/quackduck/devzat
+    cd /tmp/devzat
+    go build
+  
+- name: create services template dir
+  file:
+    path: "/usr/local/bastille/templates/services/{{ role_name }}"
+    state: directory
+    recurse: yes
+
+- name: copy template config files
+  template:
+    src: Bastillefile.j2
+    dest: "/usr/local/bastille/templates/services/{{ role_name }}/Bastillefile"
+
+- name: create config paths
+  file:
+    path: "/usr/local/bastille/templates/services/{{ role_name }}/{{ item }}/"
+    state: directory
+    recurse: yes
+  loop:
+    - usr/local/etc
+    - usr/local/etc/rc.d
+    - usr/local/sbin
+
+- name: copy devzat binary
+  shell: install -m 755 /tmp/devzat/devzat /usr/local/bastille/templates/services/{{ role_name }}/usr/local/sbin/devzat
+  
+- name: copy devzat config file
+  copy:
+    src: devzat.yml
+    dest: "/usr/local/bastille/templates/services/{{ role_name }}/usr/local/etc/"
+
+- name: copy devzat rc file
+  copy:
+    src: devzat
+    dest: "/usr/local/bastille/templates/services/{{ role_name }}/usr/local/etc/rc.d/"
+
+- name: create jail
+  shell: "bastille create -B {{ role_name }} {{ release }} {{ chatip.stdout }}/64 bridge0"
+  args:
+    creates: /usr/local/bastille/jails/{{ role_name }}
+
+- name: start jail
+  shell: bastille start {{ role_name }} || true
+
+- name: template jail
+  shell: "bastille template {{ role_name }} services/{{ role_name }}"

roles/chat/templates/Bastillefile.j2

@@ -0,0 +1,9 @@
+CP usr /
+
+SYSRC sendmail_enable=NONE
+SYSRC tmpsize=500m
+SYSRC tmpmfs=AUTO
+SYSRC clear_tmp_enable=YES
+SYSRC devzat_enable=YES
+
+SERVICE devzat start

roles/network/tasks/main.yaml

@@ -3,6 +3,10 @@
   shell: echo {{ server_ipv6 }} | sed 's/::1/::2/'
   register: jailip
 
+- name: determine ipv6 jail address
+  shell: echo {{ server_ipv6 }} | sed 's/::1/::3/'
+  register: chatip
+
 - name: determine ipv6 net
   shell: echo '{{ ipv6_network }}/64'
   register: jailnet