
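# Group vars for the bsdnix hosts.
# NOTE(review): the indentation of this file was reconstructed from a
# whitespace-stripped copy; confirm the nesting (especially `defaults`
# vs. `jails`) against the playbooks that consume these variables.

# cloud server type; the snapshot name below suggests Hetzner Cloud (hcloud)
type: cx22
# resolved on startup in Makefile
image: "{{ lookup('ansible.builtin.env', 'SNAPSHOT') }}"
# extraneous general packages we might need
packages:
- cpdup
- bash
- doas
- knot-resolver
- go122
- git
# used by bastille to build a base
release: 14.2-RELEASE
# snapshot to install in new vps
snapshot: FreeBSD-14.2-RELEASE-p0-0-hcloud-init
location: fsn1
# must already exist in group project
ssh_keys:
- scip@e3
- scip@tripod
- scip@pixel8

# per-jail configuration; `pub` lists the packages installed in that jail
jails:
  pub:
    pkgs:
    - bash
    - zsh
    - fish
    - vim
    - emacs-nox
    - git
    - htop
    - tmux
    - bind-tools
    - coreutils
    - fzf
    - nnn
    - eza
    - fd
    - jq
    - yq
    - ruby
    - rubygem-irb
    - go121
    - go122
    - go123
    - lua51
    - rust

# presumably defaults applied to every jail -- verify against the role
defaults:
  group: bsdnixer
  jailbase: /usr/local/bastille/jails

# groups and users to create inside the jails
jailgroups:
- name: bsdnixer
  state: present
jailusers:
- name: scip
  state: present
- name: tom
  state: present

storage:
  volume:
    size: 10  # unit not stated here; check the role that creates the volume
    name: zhcloud  # zfs pool name
    device: da1
  mounts:
  - mount: /home
    name: /home
  - mount: /var/cron/tabs
    name: /crontabs

dns:
  zone: bsdnix.de
  socket: /jail/run/dns/tmp/knot/knot.sock

netif:
  primary: bridge0

kernel:
  # hardening sysctls applied to the host; forwarding is needed for the bridge
  sysctls:
    security.bsd.see_other_uids: 0
    security.bsd.see_other_gids: 0
    security.bsd.see_jail_proc: 0
    net.inet6.ip6.forwarding: 1
  # NOTE(review): looks like a parked / not-applied set -- confirm whether the
  # playbook reads `sysctlsoff`. kern.securelevel can only be raised at
  # runtime, never lowered without a reboot, so it belongs in boot config if
  # it is ever enabled.
  sysctlsoff:
    security.bsd.unprivileged_read_msgbuf: 0
    security.bsd.unprivileged_proc_debug: 0
    kern.randompid: 1
    net.inet.ip.random_id: 1
    hw.spec_store_bypass_disable: 1
    kern.elf64.allow_wx: 0
    kern.elf32.aslr.stack: 3
    kern.elf32.aslr.pie_enable: 1
    vfs.zfs.min_auto_ashift: 12
    kern.securelevel: 2

# ownership and mode enforced on sensitive host directories
# (modes are quoted so YAML does not parse them as octal integers)
permissions:
- name: /home
  owner: root
  group: wheel
  mode: '0711'
- name: /etc
  owner: root
  group: wheel
  mode: '0711'
- name: /usr/local/etc
  owner: root
  group: wheel
  mode: '0711'
- name: /root
  owner: root
  group: wheel
  mode: '0700'
- name: /var/log
  owner: root
  group: wheel
  mode: '0711'
- name: /var/cron/tabs
  owner: root
  group: wheel
  mode: '0700'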