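---
# Host/jail variables for a Hetzner Cloud FreeBSD box provisioned with
# Ansible and bastille.
# NOTE(review): the indentation of this copy was lost; the nesting below is
# reconstructed from key order and the original blank-line grouping — confirm
# against the repository before relying on it.

# Hetzner server type.
type: cx22

# resolved on startup in Makefile (SNAPSHOT is read from the environment)
image: "{{ lookup('ansible.builtin.env', 'SNAPSHOT') }}"

# extraneous general packages we might need
packages:
  - cpdup
  - bash
  - doas
  - knot-resolver

# used by bastille to build a base
release: 14.1-RELEASE

# snapshot to install in new vps
snapshot: FreeBSD-14.1-RELEASE-p5-1-hcloud-init

# Hetzner location.
location: fsn1

# must already exist in group project
ssh_keys:
  - scip@e3
  - scip@tripod
  - scip@pixel8

# Per-jail package sets.
jails:
  pubnix:
    pkgs:
      - bash
      - zsh
      - fish
      - vim
      - emacs-nox
      - git
      - htop
      - tmux
      - bind-tools
      - coreutils
      - fzf
      - nnn
      - eza
      - fd
      - jq
      - yq
      - ruby
      - rubygem-irb
      - go121
      - go122
      - go123
      - lua51
      - rust

# Defaults for jail users/groups.
# NOTE(review): may belong under `jails:` in the original — confirm.
defaults:
  group: bsdnixer
  jailbase: /usr/local/bastille/jails

jailgroups:
  - name: bsdnixer
    state: present

jailusers:
  - name: scip
    state: present
  - name: tom
    state: present

storage:
  volume:
    size: 10  # presumably GB (hcloud volume size) — confirm
    name: zhcloud # zfs pool name
    device: da1
  # Datasets bind-mounted into the jail; `name` is the dataset path.
  mounts:
    - mount: /home
      name: /home
    - mount: /var/cron/tabs
      name: /crontabs

# runas user must be able to get to server using ssh w/ key auth and
# be member of the group knot, the dns jail must be running.
dns:
  server: e3
  zone: bsdnix.de
  socket: /jail/run/dns/tmp/knot/knot.sock

netif:
  primary: bridge0

kernel:
  # Applied sysctls. The see_other_* / see_jail_proc knobs hide other users'
  # and jails' processes from unprivileged users.
  sysctls:
    security.bsd.see_other_uids: 0
    security.bsd.see_other_gids: 0
    security.bsd.see_jail_proc: 0
    # presumably needed so jails behind bridge0 get IPv6 out — confirm
    net.inet6.ip6.forwarding: 1
  # Hardening sysctls that are parked here and presumably NOT applied by the
  # role (the key name suggests a disabled list — confirm). Worth a review:
  # kern.securelevel 2 cannot be lowered at runtime and kern.elf64.allow_wx=0
  # breaks JIT-style programs; only the 32-bit ASLR knobs are listed, the
  # kern.elf64.aslr.* counterparts are not; vfs.zfs.min_auto_ashift is a
  # storage tunable rather than a hardening setting.
  sysctlsoff:
    security.bsd.unprivileged_read_msgbuf: 0
    security.bsd.unprivileged_proc_debug: 0
    kern.randompid: 1
    net.inet.ip.random_id: 1
    hw.spec_store_bypass_disable: 1
    kern.elf64.allow_wx: 0
    kern.elf32.aslr.stack: 3
    kern.elf32.aslr.pie_enable: 1
    vfs.zfs.min_auto_ashift: 12
    kern.securelevel: 2

# Directory ownership/modes enforced on the host; modes are quoted so the
# leading zero is not parsed as octal. One entry per path (a second,
# identical /var/log entry was removed).
permissions:
  - name: /home
    owner: root
    group: wheel
    mode: '0711'
  - name: /etc
    owner: root
    group: wheel
    mode: '0711'
  - name: /usr/local/etc
    owner: root
    group: wheel
    mode: '0711'
  - name: /root
    owner: root
    group: wheel
    mode: '0700'
  - name: /var/log
    owner: root
    group: wheel
    mode: '0711'
  - name: /var/cron/tabs
    owner: root
    group: wheel
    mode: '0700'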