Thomas von Dein
8e23c090d9
- set file permissions - setup sysctls - set root password from vault var - added doas + config
88 lines
1.5 KiB
YAML
88 lines
1.5 KiB
YAML
type: cx22
|
|
|
|
# resolved on startup in Makefile
|
|
image: "{{ lookup('ansible.builtin.env', 'SNAPSHOT') }}"
|
|
|
|
# extranous general packages we might need
|
|
packages:
|
|
- cpdup
|
|
- bash
|
|
- doas
|
|
|
|
# used by bastille to build a base
|
|
release: 14.1-RELEASE
|
|
|
|
# snapshot to install in new vps
|
|
snapshot: FreeBSD-14.1-RELEASE-hcloud-init
|
|
|
|
location: fsn1
|
|
|
|
# must already exist in group project
|
|
ssh_keys:
|
|
- scip@e3
|
|
- scip@tripod
|
|
- scip@pixel8
|
|
|
|
jails:
|
|
pubnix:
|
|
octet: 2
|
|
|
|
storage:
|
|
volume:
|
|
size: 10
|
|
name: zhcloud # zfs pool name
|
|
device: da1
|
|
mounts:
|
|
- mount: /home
|
|
name: /home
|
|
- mount: /var/cron/tabs
|
|
name: /crontabs
|
|
|
|
|
|
kernel:
|
|
sysctls:
|
|
security.bsd.see_other_uids: 0
|
|
security.bsd.see_other_gids: 0
|
|
security.bsd.see_jail_proc: 0
|
|
security.bsd.unprivileged_read_msgbuf: 0
|
|
security.bsd.unprivileged_proc_debug: 0
|
|
kern.randompid: 1
|
|
net.inet.ip.random_id: 1
|
|
hw.spec_store_bypass_disable: 1
|
|
kern.elf64.allow_wx: 0
|
|
kern.elf32.aslr.stack: 3
|
|
kern.elf32.aslr.pie_enable: 1
|
|
vfs.zfs.min_auto_ashift: 12
|
|
kern.securelevel: 2
|
|
|
|
|
|
permissions:
|
|
- name: /home
|
|
owner: root
|
|
group: wheel
|
|
mode: '0711'
|
|
- name: /etc
|
|
owner: root
|
|
group: wheel
|
|
mode: '0711'
|
|
- name: /usr/local/etc
|
|
owner: root
|
|
group: wheel
|
|
mode: '0711'
|
|
- name: /root
|
|
owner: root
|
|
group: wheel
|
|
mode: '0700'
|
|
- name: /var/log
|
|
owner: root
|
|
group: wheel
|
|
mode: '0711'
|
|
- name: /var/cron/tabs
|
|
owner: root
|
|
group: wheel
|
|
mode: '0700'
|
|
- name: /var/log
|
|
owner: root
|
|
group: wheel
|
|
mode: '0711'
|