fixed open file copy problem

fixed devzat rc script, user creation with skell, +new todo
enhanced user management
2024-12-18 09:14:26 +01:00 · 2024-12-16 16:10:11 +01:00 · 2024-12-16 14:23:45 +01:00 · 2024-12-16 12:23:19 +01:00 · 2024-12-15 18:48:41 +01:00 · 2024-12-13 18:39:21 +01:00
23 changed files with 469 additions and 124 deletions
--- a/6
+++ b/6
@@ -14,6 +14,7 @@ SNAPSHOT    = $(shell hcloud image  list -t snapshot -o yaml | \
 OPTIONS = -i inventory -t active
 CREATE_COMMAND = ansible-playbook create.yaml $(OPTIONS)
 RELEASE_COMMAND = ansible-playbook release.yaml $(OPTIONS)
 DEPLOY_COMMAND = ansible-playbook deploy.yaml $(OPTIONS)
 CLEAN_COMMAND = ansible-playbook cleanup.yaml $(OPTIONS)
 HOSTS_COMMAND = ansible-playbook knownhosts.yaml $(OPTIONS)
@@ -30,10 +31,15 @@ debug:
 create:
 	$(ENV) $(CREATE_COMMAND)
 release:
 	$(ENV) $(RELEASE_COMMAND)
 hosts:
 	$(ENV) $(HOSTS_COMMAND)
 # remove ssh control point, which may lead to hangs if wifi breaks during deployment
 deploy:
 	rm -rf ~/.ansible/cp/*
 	$(ENV) $(DEPLOY_COMMAND)
 clean:
--- a/TODO.md
+++ b/TODO.md
@@ -1,30 +1,49 @@
 ## Install tarball
 ### clean known_host doesnt work
 ### install from tarball example:
 ```yaml
 - name: "If jdk not exists then only download and unarchive"
  unarchive:
    src: "https://download.oracle.com/java/17/latest/jdk-17_linux-aarch64_bin.tar.gz"
    dest: /opt/
    remote_src: yes
    creates: /opt/jdk-17
  register: foo
 - name: "Rename if download happens "
  command: mv /opt/jdk-17_linux-arch64 /opt/jdk-17
  when: foo.changed == True
 ```
 ### Cleanup release snapshot
 - remove pkg function from root .bashrc
 ## Add quota config and enable/configure rctl
-## Add ssh chat jail
+## Add bsdnix manpage (into pub jail)
-Admin id: 82f6872383933e913b31dbb906e4c44ea2937bea9531ac11429f16cee2e5a975
+## Check if motd generation works
-https://github.com/quackduck/devzat
+See Bastillefile pub
 ## racct/rctl test
 test the current setup: does it get configured and how does it limit
 users? also check if new users belong to login class "jail" and test
 their limits
 ## devzat file busy still failing
 https://github.com/BastilleBSD/bastille/issues/772
 ## ZFS quota
 Still not working, but it worked already? Dont get it.
 zfs set groupquota@bsdnixer=10MB zhcloud/home
 zfs get groupquota@bsdnixer zhcloud/home
 zfs groupspace zhcloud/home
 zfs userspace zhcloud/home
 ## Fix permissions jail /etc 
 ## Remove volume fails newly
 TASK [remove : Remove volume] 
 An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ansible_collections.hetzner.hcloud.plugins.module_utils.vendor.hcloud._exceptions.APIException: cannot perform operation because volume is locked
 fatal: [suto]: FAILED! => changed=false 
  ansible_facts:
    discovered_interpreter_python: /usr/bin/python3
  failure:
    code: locked
    details: {}
    message: cannot perform operation because volume is locked
  msg: cannot perform operation because volume is locked
 Maybe "unlock" it somehow? Perhaps this happens because there are user
 online with open files in /home?
--- a/cleanup.yaml
+++ b/cleanup.yaml
@@ -1,7 +1,7 @@
 ---
 - name: Remove BSDNIX Servers
  tags: active
-  hosts: vps
+  hosts: vps,relvps
  connection: local
  gather_facts: False
  user: root
--- a/deploy.yaml
+++ b/deploy.yaml
@@ -12,4 +12,5 @@
    - role: firewall
    - role: ssh
    - role: jails
    - role: chat
    - role: pub
--- a/group_vars/all/all.yaml
+++ b/group_vars/all/all.yaml
@@ -9,12 +9,18 @@ packages:
  - bash
  - doas
  - knot-resolver
  - go122
  - git
 versions:
  - program: go122
    link: go
 # used by bastille to build a base
-release: 14.1-RELEASE
+release: 14.2-RELEASE
 # snapshot to install in new vps
-snapshot: FreeBSD-14.2-RELEASE-p0-0-hcloud-init
+snapshot: FreeBSD-14.2-RELEASE-p0-1-hcloud-init
 location: fsn1
@@ -56,12 +62,21 @@ defaults:
  jailbase: /usr/local/bastille/jails
 jailgroups:
  - name: first
    state: present
    id: 3999
  - name: bsdnixer
    state: present
 jailusers:
  - name: first
    state: present
    id: 4000
  - name: scip
    state: present
  - name: tuud
    groups: wheel
    state: present
  - name: tom
    state: present
--- a/inventory/vps.yaml
+++ b/inventory/vps.yaml
@@ -4,3 +4,8 @@ vps:
    suto:
      hostname: suto
 relvps:
  hosts:
    releaser:
      hostname: releaser
--- a/release.yaml
+++ b/release.yaml
@@ -0,0 +1,18 @@
 ---
 - name: Create BSDNIX Release Server
  tags: active
  hosts: relvps
  connection: local
  gather_facts: False
  user: root
  roles:
    - role: install
 - name: Deploy BSDNIX Release Server
  tags: active
  hosts: running
  gather_facts: true
  user: root
  roles:
    - role: dns
--- a/roles/chat/files/devzat
+++ b/roles/chat/files/devzat
@@ -0,0 +1,25 @@
 #!/bin/sh
 #
 # PROVIDE: devzat
 # REQUIRE: networking
 # KEYWORD:
 . /etc/rc.subr
 name="devzat"
 rcvar="devzat_enable"
 devzat_user="nobody"
 devzat_source="/usr/local/sbin/devzat"
 devzat_command="/usr/local/sbin/devzat"
 pidfile="/tmp/${name}.pid"
 command="/usr/sbin/daemon"
 command_args="-P ${pidfile} -c ${devzat_command}"
 devzat_config="/usr/local/etc/devzat.yml"
 load_rc_config $name
 : ${devzat_enable:=no}
 export DEVZAT_CONFIG="${devzat_config}"
 run_rc_command "$1"
--- a/roles/chat/files/devzat.yml
+++ b/roles/chat/files/devzat.yml
@@ -0,0 +1,18 @@
 # what port to host a server on ($PORT overrides this)
 port: 2222
 # what port to host profiling on (unimportant)
 profile_port: 5555
 # where to store data such as bans and logs
 data_dir: /home/devzat/devzat-data
 # where the SSH private key is stored
 key_file: /home/devzat/devzat-sshkey
 # whether to censor messages (optional)
 censor: false
 # a list of admin IDs and notes about them
 admins:
  82f6872383933e913b31dbb906e4c44ea2937bea9531ac11429f16cee2e5a975: 'Seher Taak: github.com/tlinden'
--- a/roles/chat/tasks/main.yaml
+++ b/roles/chat/tasks/main.yaml
@@ -0,0 +1,65 @@
 ---
 # we do NOT use:
 # git clone https://github.com/quackduck/devzat
 # but our own fork where we patched the torlist stuff away.
 # see: https://github.com/quackduck/devzat/issues/246
 # https://github.com/tlinden/devzat
 - name: build devzat
  shell: |
    cd /tmp
    git clone https://github.com/quackduck/devzat
    cd /tmp/devzat
    go build
  args:
    creates: "/tmp/.ansible.devzatbuild"
 - name: create services template dir
  file:
    path: "/usr/local/bastille/templates/services/{{ role_name }}"
    state: directory
    recurse: yes
 - name: copy template config files
  template:
    src: Bastillefile.j2
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/Bastillefile"
 - name: create config paths
  file:
    path: "/usr/local/bastille/templates/services/{{ role_name }}/{{ item }}/"
    state: directory
    recurse: yes
  loop:
    - usr/local/etc
    - usr/local/etc/rc.d
    - usr/local/sbin
 - name: copy devzat binary
  shell: |
    install -m 755 /tmp/devzat/devzat /usr/local/bastille/templates/services/{{ role_name }}/usr/local/sbin/devzat
    touch /tmp/.ansible.devzat
  args:
    creates: "/tmp/.ansible.devzat"
 - name: copy devzat config file
  copy:
    src: devzat.yml
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/usr/local/etc/"
 - name: copy devzat rc file
  copy:
    src: devzat
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/usr/local/etc/rc.d/"
    mode: '0755'
 - name: create jail
  shell: "bastille create -B {{ role_name }} {{ release }} {{ chatip.stdout }}/64 bridge0"
  args:
    creates: /usr/local/bastille/jails/{{ role_name }}
 - name: start jail
  shell: bastille start {{ role_name }} || true
 - name: template jail
  shell: |
    bastille template {{ role_name }} services/{{ role_name }}
--- a/roles/chat/templates/Bastillefile.j2
+++ b/roles/chat/templates/Bastillefile.j2
@@ -0,0 +1,20 @@
 SERVICE devzat stop
 CMD if [ -f /usr/local/sbin/devzat ]; then rm -f /usr/local/sbin/devzat; fi
 SYSRC sendmail_enable=NONE
 SYSRC tmpsize=500m
 SYSRC tmpmfs=AUTO
 SYSRC clear_tmp_enable=YES
 SYSRC devzat_enable=YES
 CMD if test -L /home; then rm /home; fi
 CMD mkdir -p /home
 FSTAB /home home nullfs rw 0 0
 CMD install -d -o nobody -m 700 /home/devzat
 CP usr /
 SERVICE devzat start
--- a/roles/install/tasks/main.yaml
+++ b/roles/install/tasks/main.yaml
@@ -13,7 +13,9 @@
  register: server
 - name: Attach the home volume
  when: inventory_hostname in groups['vps']
  hetzner.hcloud.volume:
    name: "{{ storage.volume.name }}"
    server: "{{ hostname }}"
    state: present
--- a/roles/jails/tasks/main.yaml
+++ b/roles/jails/tasks/main.yaml
@@ -31,6 +31,11 @@
  args:
    creates: "/usr/local/bastille/releases/{{ release }}"
 - name: remove home link from bootstrap
  shell: |
    if test -L /usr/local/bastille/releases/{{ release }}/home; then rm -f /usr/local/bastille/releases/{{ release }}/home; fi
    mkdir -p /usr/local/bastille/releases/{{ release }}/home
 - name: configure bootstrap to use latest pkgs
  replace:
    path: "/usr/local/bastille/releases/{{ release }}/etc/pkg/FreeBSD.conf"
--- a/roles/network/tasks/main.yaml
+++ b/roles/network/tasks/main.yaml
@@ -3,6 +3,10 @@
  shell: echo {{ server_ipv6 }} | sed 's/::1/::2/'
  register: jailip
 - name: determine ipv6 jail address
  shell: echo {{ server_ipv6 }} | sed 's/::1/::3/'
  register: chatip
 - name: determine ipv6 net
  shell: echo '{{ ipv6_network }}/64'
  register: jailnet
--- a/roles/pub/bin/group.sh
+++ b/roles/pub/bin/group.sh
@@ -2,6 +2,7 @@
 rootdir=""
 group=""
 id=""
 action=""
 usage() {
@@ -16,7 +17,7 @@ run() {
 }
 OPTIND=1
-while getopts d:g:a: opt ; do
+while getopts d:g:a:i: opt ; do
    case $opt in
        d)
            rootdir="$OPTARG"
@@ -24,6 +25,9 @@ while getopts d:g:a: opt ; do
        g)
            group="$OPTARG"
            ;;
        i)
            id="$OPTARG"
            ;;
        a)
            action="$OPTARG"
            ;;
@@ -39,28 +43,35 @@ if test -z "$group" -o -z "$action"; then
    usage
 fi
-root=""
+# we do it once for $rootdir and once on the host to have synchronous groups
 for root in "$rootdir" ""; do
    args=""
-if test -n "$rootdir"; then
+    if test -n "$root"; then
-    root="-R $rootdir"
+        root="-R $root"
-fi
+    fi
-case "$action" in
+    if test -n "$id"; then
-    present)
+        args="-g $id"
-        if pw $root group show "$group" > /dev/null 2>&1; then
+    fi
-            if pw $root group show "$group" | grep -q LOCKED; then
+
-                echo "$group exists."
+    case "$action" in
        present)
            if pw $root group show "$group" > /dev/null 2>&1; then
                if pw $root group show "$group" | grep -q LOCKED; then
                    echo "$group exists."
                fi
            else
                run pw $root group add "$group" $args
            fi
-        else
+            ;;
-            run pw $root group add "$group"
+        absent)
-        fi
+            if pw $root group show "$group" > /dev/null 2>&1; then
-        ;;
+                run pw $root group del "$group"
-    absent)
+            fi
-        if pw $root group show "$group" > /dev/null 2>&1; then
+            ;;
-            run pw $root group del "$group"
+        *)
-        fi
+            usage
-        ;;
+            ;;
-    *)
+    esac
-        usage
+done
        ;;
 esac
--- a/roles/pub/bin/user.sh
+++ b/roles/pub/bin/user.sh
@@ -9,7 +9,9 @@ groups=""
 home=""
 shell="/usr/local/bin/bash"
 comment=""
 loginclass="jail"
 action=""
 id=""
 usage() {
    echo "Usage: $0 -u user [-h home] [-s shell] [-g groups] [-d rootdir] [-c comment] -a action"
@@ -19,7 +21,7 @@ usage() {
 getuid() {
    # resolve jail uid
-    
+
    root="$1"
    user="$2"
    pw $root show user "$user" -7 | cut -d: -f 3
@@ -27,14 +29,14 @@ getuid() {
 run() {
    # verbose exec
-    
+
    echo "$@"
    "$@"
 }
 # parse commandline flags
 OPTIND=1
-while getopts d:u:h:g:s:c:a: opt ; do
+while getopts d:u:h:g:s:c:a:i: opt ; do
    case $opt in
        d)
            rootdir="$OPTARG"
@@ -42,6 +44,9 @@ while getopts d:u:h:g:s:c:a: opt ; do
        u)
            user="$OPTARG"
            ;;
        i)
            id="$OPTARG"
            ;;
        h)
            home="$OPTARG"
            ;;
@@ -69,73 +74,113 @@ if test -z "$user" -o -z "$action"; then
    usage
 fi
-# setup pw flags
+# we do it once for $rootdir and  once on the host to have synchronous
-args=""
+# users, however, host users will be  locked, unless they are in group
-root=""
+# wheel
 for root in "$rootdir" ""; do
    # setup pw flags
    args=""
    skel=""
-if test -n "$rootdir"; then
+    if test -n "$root"; then
-    root="-R $rootdir"
+        root="-R $root"
-fi
+        skel="-k /etc/skel"
    fi
-if test -n "$groups"; then
+    if test -n "$groups"; then
-    args="-G $groups"
+        args="-G $groups"
-fi
+    fi
-if test -n "$home"; then
+    if test -n "$home"; then
-    args="$args -d $home -k /etc/skel -m -M 700"
+        args="$args -d $home -m -M 700"
-else
+    else
-    args="$args -d /home/$user -k /etc/skel -m -M 700"
+        args="$args -d /home/$user -m -M 700"
-fi
+    fi
-if test -n "$shell"; then
+    if test -n "$shell"; then
-    args="$args -s $shell"
+        args="$args -s $shell"
-else
+    else
-    args="$args -s /usr/local/bin/bash"
+        args="$args -s /usr/local/bin/bash"
-fi
+    fi
-if test -n "$comment"; then
+    if test -n "$comment"; then
-    args="$args -c $comment"
+        args="$args -c $comment"
-fi
+    fi
-# the horse shall work
+    if test -n "$loginclass"; then
-case "$action" in
+        args="$args -L $loginclass"
-    present)
+    fi
-        if pw $root user show "$user" > /dev/null 2>&1; then
+
-            if pw $root user show "$user" | grep -q LOCKED; then
+    if test -n "$id"; then
-                # user is present but locked
+        args="$args -u $id"
-                run pw unlock "$user"
+    fi
    # the horse shall work
    case "$action" in
        present)
            if pw $root user show "$user" > /dev/null 2>&1; then
                if pw $root user show "$user" | grep -q LOCKED; then
                    # user is present but locked
                    run pw $root unlock "$user"
                else
                    echo "$user exists."
                fi
            else
-                echo "$user exists."
+                # create user
-            fi
+                run pw $root user add "$user" $args $skel
        else
            # create user
            run pw $root user add "$user" $args
        fi
-        if test -e "/usr/local/bastille/keys/$user" -a ! -e "/home/$user/.ssh/authorized_keys"; then
+                # if we're running on host and the user is a regular jail user, lock them
-            # install ssh key
+                if test -z "$root" -a "$groups" != "wheel"; then
-            uid=$(getuid "$root" "$user")
+                    run pw lock "$user"
-            install -m 700 -o "$uid" -g "$uid" -d "/home/$user/.ssh"
+                fi
            install -m 600 -o "$uid" -g "$uid" "/usr/local/bastille/keys/$user" "/home/$user/.ssh/authorized_keys"
        fi
        ;;
    absent)
        if pw $root user show "$user" > /dev/null 2>&1; then
            # get rid
            run pw $root user del "$user"
        fi
        ;;
    locked)
        if pw $root user show "$user" > /dev/null 2>&1; then
            if pw $root user show "$user" | grep -q LOCKED; then
                echo "$user is already locked."
            else
                # lock'em out
                run pw lock "$user"
            fi
-        fi
+
-        ;;
+            if test -e "/usr/local/bastille/keys/$user" -a ! -e "/home/$user/.ssh/authorized_keys"; then
-    *)
+                # install ssh key
-        usage
+                run install -m 700 -o "$user" -g "$user" -d "/home/$user/.ssh"
-        ;;
+                run install -m 600 -o "$user" -g "$user" "/usr/local/bastille/keys/$user" "/home/$user/.ssh/authorized_keys"
-esac
+
                # generate  chat  key,  which  is  required  so  login  to
                # kobayashi, so that ssh-chat works  even if the user does
                # not have their own key yet.
                run ssh-keygen -t ed25519 -f /home/$user/.ssh/id_chat_kobayashi -P ""
                (
                    echo "The key id_chat_kobayashi exists so that you're able to reach"
                    echo "the kobayashi chat service. Once you have generated your own"
                    echo "key, you can just delete it."
                ) > "/home/$user/.ssh/README"
                if test ! -e "/home/$user/.ssh/config"; then
                    (
                        echo "Host kobayashi"
                        echo "  Port 2222"
                        echo "  IdentityFile ~/.ssh/id_chat_kobayashi"
                        echo "  StrictHostKeyChecking no"
                    ) > "/home/$user/.ssh/config"
                fi
                run chown "$user:$user" /home/$user/.ssh/*
            fi
            ;;
        absent)
            if pw $root user show "$user" > /dev/null 2>&1; then
                # get rid
                run pw $root user del "$user"
            fi
            ;;
        locked)
            if pw $root user show "$user" > /dev/null 2>&1; then
                if pw $root user show "$user" | grep -q LOCKED; then
                    echo "$user is already locked."
                else
                    # lock'em out
                    run pw $root lock "$user"
                fi
            fi
            ;;
        *)
            usage
            ;;
    esac
 done
--- a/roles/pub/tasks/main.yaml
+++ b/roles/pub/tasks/main.yaml
@@ -46,7 +46,12 @@
  template:
    src: resolv.conf.j2
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/resolv.conf"
-    
+
 - name: copy hosts file
  template:
    src: hosts.j2
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/hosts"
 - name: create jail
  shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0"
  args:
@@ -72,10 +77,27 @@
    src: keys
    dest: "/usr/local/bastille/"
 # create our login class, needed for rctl rules
 - name: create jail login class
  blockinfile:
    path: /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
    append_newline: true
    prepend_newline: true
    block: |
      jail:\
          :tc=default:
 # shell: |
 #   ( echo "jail:\\"; printf "\t:tc=default:\n" ) >> /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
 #   cap_mkdb /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
 #   touch /tmp/.ansiblepubloginconf
 # args:
 #   creates: /tmp/.ansiblepubloginconf
 # create our own group[s]
 - name: Manage groups
  loop: "{{ jailgroups }}"
-  ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -d /usr/local/bastille/jails/{{ role_name }}/root"
+  ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -i '{{ item.id | default(None) }}' -d /usr/local/bastille/jails/{{ role_name }}/root"
 # The normal  ansible user  module can't be  used here,  because we're
 # talking  about jail  users  here. I  tried to  patch  the module  to
@@ -87,7 +109,7 @@
 # well.
 - name: Manage users
  loop: "{{ jailusers }}"
-  ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -d {{ defaults.jailbase }}/{{ role_name }}/root"
+  ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -i '{{ item.id | default(None) }}' -d {{ defaults.jailbase }}/{{ role_name }}/root"
 - name: add dns entry for jail host
  community.dns.hetzner_dns_record:
--- a/roles/pub/templates/Bastillefile.j2
+++ b/roles/pub/templates/Bastillefile.j2
@@ -13,8 +13,8 @@ CMD mkdir -p /home
 FSTAB /home home nullfs rw 0 0
 # FIXME: fails for now, see: https://github.com/BastilleBSD/bastille/issues/743
 #CP usr/share/skel /usr/share/skel
 SERVICE sshd start
 SERVICE motd restart
--- a/roles/pub/templates/hosts.j2
+++ b/roles/pub/templates/hosts.j2
@@ -0,0 +1,13 @@
 ::1                     localhost localhost.my.domain
 127.0.0.1               localhost localhost.my.domain
 # https://danwin1210.de/github-ipv6-proxy.php
 2a01:4f8:c010:d56::2 github.com
 2a01:4f8:c010:d56::3 api.github.com
 2a01:4f8:c010:d56::4 codeload.github.com
 2a01:4f8:c010:d56::5 objects.githubusercontent.com
 2a01:4f8:c010:d56::6 ghcr.io
 2a01:4f8:c010:d56::7 pkg.github.com npm.pkg.github.com maven.pkg.github.com nuget.pkg.github.com rubygems.pkg.github.com
 2a01:4f8:c010:d56::8 uploads.github.com
 {{ chatip.stdout }} chat chat.bsdnix.de kobayashi kobayashi.bsdnix.de
--- a/roles/server/files/hosts
+++ b/roles/server/files/hosts
@@ -0,0 +1,11 @@
 ::1                     localhost localhost.my.domain
 127.0.0.1               localhost localhost.my.domain
 # https://danwin1210.de/github-ipv6-proxy.php
 2a01:4f8:c010:d56::2 github.com
 2a01:4f8:c010:d56::3 api.github.com
 2a01:4f8:c010:d56::4 codeload.github.com
 2a01:4f8:c010:d56::5 objects.githubusercontent.com
 2a01:4f8:c010:d56::6 ghcr.io
 2a01:4f8:c010:d56::7 pkg.github.com npm.pkg.github.com maven.pkg.github.com nuget.pkg.github.com rubygems.pkg.github.com
 2a01:4f8:c010:d56::8 uploads.github.com
--- a/roles/server/files/rctl.conf
+++ b/roles/server/files/rctl.conf
@@ -0,0 +1,10 @@
 #
 # rctl.conf: restrictions  for jail  users.  The loginclass  "jail" is
 # being   created  inside   the   "pub"   jail's  /etc/login.conf   in
 # roles/pub/tasks/main.yaml. But we can  still configure the kernel to
 # accept rules based on this login class. Cool!
 loginclass:jail:maxproc:deny=50/user
 loginclass:jail:openfiles:deny=100/user
 loginclass:jail:pcpu:deny=20/user
 #loginclass:jail:cputime:sigkill=100/user
--- a/roles/server/handlers/main.yaml
+++ b/roles/server/handlers/main.yaml
@@ -9,4 +9,9 @@
    name: local_unbound
    state: stopped
 - name: start rctl
  service:
    name: rctl
    state: started
 - meta: flush_handlers
--- a/roles/server/tasks/main.yaml
+++ b/roles/server/tasks/main.yaml
@@ -4,6 +4,10 @@
    state: present
    name: "{{ packages }}"
 - name: Create program symlinks
  shell: "ln -sf /usr/local/bin/{{ item.program }} /usr/local/bin/{{ item.link }}"
  loop: "{{ versions }}"
 # FIXME: remove the symlink in the next release snapshot
 - name: Remove old home sym link
  shell: |
@@ -67,29 +71,45 @@
    reload: true
 - name: Install doas config
-  ansible.builtin.copy:
+  copy:
-    src: roles/server/files/doas.conf
+    src: doas.conf
    dest: /usr/local/etc/doas.conf
    owner: root
    group: wheel
    mode: '0600'
 - name: Install knot resolver config
-  ansible.builtin.copy:
+  copy:
-    src: roles/server/files/kresd.conf
+    src: kresd.conf
    dest: /usr/local/etc/knot-resolver/kresd.conf
    owner: root
    group: wheel
    mode: '0644'
 - name: Install knot resolv.conf
-  ansible.builtin.copy:
+  copy:
-    src: roles/server/files/resolv.conf
+    src: resolv.conf
    dest: /etc/resolv.conf
    owner: root
    group: wheel
    mode: '0644'
 - name: Install rctl rule set
  copy:
    src: rctl.conf
    dest: /etc/rctl.conf
    owner: root
    group: wheel
    mode: '0644'
 - name: Install /etc/hosts file
  copy:
    src: hosts
    dest: /etc/hosts
    owner: root
    group: wheel
    mode: '0644'
 - name: Install jlogin
  copy:
    src: jlogin
@@ -115,3 +135,8 @@
    value: "YES"
  notify: start kresd
 - name: enable rctl
  community.general.sysrc:
    name: rctl_enable
    value: "YES"
  notify: start rctl
Author	SHA1	Message	Date
Thomas von Dein	3245a141ad	fixed open file copy problem	2024-12-18 09:14:26 +01:00
Thomas von Dein	8d7fad0060	fixed devzat rc script, user creation with skell, +new todo	2024-12-16 16:10:11 +01:00
Thomas von Dein	e6baefdbd5	enhanced user management	2024-12-16 14:23:45 +01:00
Thomas von Dein	ef31172e81	fixed chat jail, added releaser playbook, fixed rctl boot var	2024-12-16 12:23:19 +01:00
Thomas von Dein	7b60d8bf8c	fixed bootstrap of chat jail, added rctl limit config stuff	2024-12-15 18:48:41 +01:00
Thomas von Dein	862f2567b1	Added ssh config (for accessing kobayashi chat)	2024-12-13 18:39:21 +01:00
Thomas von Dein	c7b89345bf	added devzat chat jail	2024-12-12 18:47:43 +01:00
Thomas von Dein	4048b8fd92	updated	2024-12-12 13:02:09 +01:00
Thomas von Dein	7d74493850	add devzat chat server	2024-12-12 13:01:26 +01:00