scip/bsdnix
1
0
Fork 0
Code Issues Pull Requests Activity
bsdnix/roles/pub/tasks/main.yaml

117 lines
3.6 KiB
YAML
Raw Blame History

---
- name: create services template dir
file:
path: "/usr/local/bastille/templates/services/{{ role_name }}"
state: directory
recurse: yes
- name: copy template config files
template:
src: Bastillefile.j2
dest: "/usr/local/bastille/templates/services/{{ role_name }}/Bastillefile"
- name: create config paths
file:
path: "/usr/local/bastille/templates/services/{{ role_name }}/{{ item }}/"
state: directory
recurse: yes
loop:
- etc/ssh
- usr/share/skel
- name: copy sshd config file
copy:
src: sshd_config
dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"
- name: copy motd file
copy:
src: motd
dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/motd.template"
- name: copy skel files
copy:
src: "skel/{{ item }}"
dest: "/usr/local/bastille/templates/services/{{ role_name }}/usr/share/skel/{{ item }}"
loop:
- dot.bash_profile
- dot.cshrc
- dot.emacs
- dot.login
- dot.login_conf
- dot.profile
- dot.shrc
- name: copy resolv.conf file
template:
src: resolv.conf.j2
dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/resolv.conf"
- name: copy hosts file
template:
src: hosts.j2
dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/hosts"
- name: create jail
shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0"
args:
creates: /usr/local/bastille/jails/{{ role_name }}
- name: start jail
# https://github.com/BastilleBSD/bastille/issues/342
shell: bastille start {{ role_name }} || true
- name: template jail
shell: "bastille template {{ role_name }} services/{{ role_name }}"
# FIXME: loop over files and check size somehow, or always copy? use file module?
- name: copy skel files into jail template
shell: cp -r /usr/local/bastille/templates/services/{{ role_name }}/usr/share/skel /usr/local/bastille/jails/{{ role_name }}/root/etc/
# args:
# creates: /usr/local/bastille/jails/{{ role_name }}/root/etc/skel
# these will later be used by bin/user.sh (see below) to be installed
# into the user homes
- name: copy user ssh keys
copy:
src: keys
dest: "/usr/local/bastille/"
# create our login class, needed for rctl rules
- name: create jail login class
shell: |
( echo "jail:\\"; printf "\t:tc=default:\n" ) >> /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
cap_mkdb /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
touch /tmp/.ansiblepubloginconf
args:
creates: /tmp/.ansiblepubloginconf
# create our own group[s]
- name: Manage groups
loop: "{{ jailgroups }}"
ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -d /usr/local/bastille/jails/{{ role_name }}/root"
# The normal ansible user module can't be used here, because we're
# talking about jail users here. I tried to patch the module to
# support the -R flag (https://github.com/ansible/ansible/pull/84371)
# but it makes no sense. Every single function needs to be patched so
# that it works for jails.
#
# So, instead I'm just using this simple script, which does the job as
# well.
- name: Manage users
loop: "{{ jailusers }}"
ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -d {{ defaults.jailbase }}/{{ role_name }}/root"
- name: add dns entry for jail host
community.dns.hetzner_dns_record:
state: present
zone: "{{ dns.zone }}"
record: "{{ role_name }}.{{ dns.zone }}"
type: AAAA
ttl: 300
value: "{{ jailip.stdout }}"
hetzner_token: "{{ hetzner_dns_token }}"
Reference in New Issue View Git Blame Copy Permalink