├── .ansible.cfg ├── .ec2.yml ├── .gitignore ├── .playbook.yml ├── .requirements.txt ├── .travis.yml ├── .yamllint ├── LICENSE ├── README.md ├── Vagrantfile ├── defaults └── main.yml ├── files ├── poudriere.pub └── vagrant_pub_key ├── handlers └── main.yml ├── meta └── main.yml ├── tasks ├── iocage.yml ├── main.yml ├── net.yml ├── ntp.yml ├── packages.yml ├── pf.yml ├── repo.yml ├── sshd.yml ├── ssmtp.yml ├── syslogd-client.yml ├── tarsnap.yml ├── timezone.yml ├── user.yml └── zpool.yml ├── templates ├── 901.tarsnap.sh.j2 ├── host-home.yml.j2 ├── mailer.conf.j2 ├── ntp.conf.j2 ├── periodic.conf.j2 ├── pf.conf.j2 ├── poudriere.conf.j2 ├── ssmtp.conf.j2 ├── sudoers.user.j2 ├── tarsnap.conf.j2 └── tarsnapper.yml.j2 └── vars └── main.yml /.ansible.cfg: -------------------------------------------------------------------------------- 1 | [defaults] 2 | hostfile = ./hosts 3 | log_path = ./run.log 4 | 5 | [ssh_connection] 6 | control_path = %(directory)s/%%r 7 | -------------------------------------------------------------------------------- /.ec2.yml: -------------------------------------------------------------------------------- 1 | # ec2 specific settings 2 | 3 | host_ioc_zpool_devices: 'nvd1' # device settings used when creating the pool 4 | host_srv_zpool_devices: 'nvd1' # device settings used when creating the pool 5 | 6 | host_sshd_user: 'ec2-user' 7 | sshd_user: 'ec2-user' 8 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .vagrant 2 | .venv 3 | *.retry 4 | 5 | -------------------------------------------------------------------------------- /.playbook.yml: -------------------------------------------------------------------------------- 1 | - hosts: all 2 | become: true 3 | 4 | roles: 5 | - role: 'JoergFiedler.freebsd-jail-host' 6 | -------------------------------------------------------------------------------- /.requirements.txt: 
-------------------------------------------------------------------------------- 1 | ansible == 2.9.2 2 | netaddr == 0.7.19 3 | ansible-lint == 4.2.0 4 | yamllint == 1.19.0 5 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: ruby 2 | rvm: 3 | - 2.6 4 | dist: bionic 5 | install: 6 | - wget https://releases.hashicorp.com/vagrant/${VAGRANT_VERSION}/vagrant_${VAGRANT_VERSION}_x86_64.deb 7 | - sudo dpkg -i vagrant_${VAGRANT_VERSION}_x86_64.deb 8 | - vagrant plugin install vagrant-aws-mkubenka --plugin-version "0.7.2.pre.24" 9 | - pip install -r .requirements.txt 10 | before_script: 11 | - ssh-keygen -y -f ~/.vagrant.d/insecure_private_key > ~/.vagrant.d/insecure_private_key.pub 12 | - ln -s ./ JoergFiedler.freebsd-jail-host 13 | script: 14 | - ansible-lint . 15 | - yamllint . 16 | - vagrant box add JoergFiedler/FreeBSD-12 --provider aws 17 | - vagrant up --provider aws 18 | - vagrant ssh -c "iocage list -h" 19 | after_script: 20 | - vagrant destroy -f 21 | notifications: 22 | webhooks: 23 | - https://galaxy.ansible.com/api/v1/notifications/ 24 | env: 25 | global: 26 | - secure: 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 27 | - secure: 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 28 | -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | --- 2 | # Based on ansible-lint config 3 | extends: default 4 | 5 | rules: 6 | braces: {max-spaces-inside: 1, level: error} 7 | brackets: {max-spaces-inside: 1, level: error} 8 | colons: {max-spaces-after: -1, level: error} 9 | commas: {max-spaces-after: -1, level: error} 10 | comments: disable 11 | comments-indentation: disable 12 | document-start: disable 13 | empty-lines: {max: 3, level: error} 14 | hyphens: {level: error} 15 | indentation: disable 16 | 
key-duplicates: enable 17 | line-length: disable 18 | new-line-at-end-of-file: disable 19 | new-lines: {type: unix} 20 | trailing-spaces: disable 21 | truthy: disable -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2017, Joerg Fiedler 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without 5 | modification, are permitted provided that the following conditions are met: 6 | 7 | * Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | * Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation 12 | and/or other materials provided with the distribution. 13 | 14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 15 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 17 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 18 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 20 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 21 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 22 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 23 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24 | 25 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | freebsd-jail-host 2 | ================= 3 | 4 | [![Build Status](https://travis-ci.org/JoergFiedler/freebsd-jail-host.svg?branch=master)](https://travis-ci.org/JoergFiedler/freebsd-jail-host) 5 | 6 | This role is used to create a FreeBSD system which in turn may be used to host 7 | one or more jails. There are roles for jails which may be used in combination 8 | with this one to create a jailed www, db, or mail server. You may combine those 9 | jails as you wish to create a server that may host a bunch of WordPress 10 | installations, a single mail server, both, or anything else you want to run 11 | inside a jail. 12 | 13 | Requirements 14 | ------------ 15 | 16 | This role is intended to be used with a fresh FreeBSD installation. There is a 17 | [Vagrant Box](https://app.vagrantup.com/JoergFiedler) with providers for 18 | VirtualBox and AWS. 19 | 20 | HowTo 21 | ===== 22 | 23 | This project contains a `Vagrantfile`. Type 24 | 25 | vagrant up 26 | 27 | and you will enjoy a clean FreeBSD machine up and running. You may now create 28 | jails manually or use one of the other roles I created. 29 | 30 | Role Variables 31 | -------------- 32 | 33 | ### Network 34 | 35 | ##### host_net_ext_if 36 | 37 | The server's external interface. Default: `'{{ ansible_default_ipv4.interface }}'`. 38 | 39 | ##### host_net_ext_ip 40 | 41 | The server's external ip address. Default: `'{{ ansible_default_ipv4.address }}'`. 42 | 43 | ##### host_net_int_if 44 | 45 | The internal interface to which the jails' ip addresses will be added. Default: `lo0`. 46 | 47 | ##### host_net_int_ip 48 | 49 | The server's internal ip address. This address is added to the internal interface 50 | as well. Default: `10.1.0.1`. 51 | 52 | ##### host_net_int_net 53 | 54 | The netmask for the jails' internal network. 
Used to allow UDP to pass pf in order to 55 | reach syslogd. Default: `'10.1.0.1/24'`. 56 | 57 | ##### host_net_priv_if 58 | 59 | Set this var to configure a private network interface for your host. The interface itself is configured via DHCP, but please make sure the variable `host_net_priv_ip` is set to the value that is returned by the DHCP request. Default: `''`. 60 | 61 | ##### host_net_priv_ip 62 | 63 | Set the ip to be used on the private network interface. Even though the interface configures itself via DHCP, still add the ip here that is returned by the DHCP request. Default: `''`. 64 | 65 | ### Disk/ZFS/iocage 66 | 67 | ##### host_home_zpool_name 68 | 69 | ZPool that should be used for `/home`. Default: `'tank'`. 70 | 71 | ##### host_ioc_release_version 72 | 73 | The FreeBSD version fetched/used by iocage, defaults to the host release version. Default: `{{ ansible_distribution_version }}-RELEASE`. 74 | 75 | ##### host_ioc_zpool_name 76 | 77 | The name of the ZFS pool that should be used by iocage. Default: `tank`. 78 | 79 | ##### host_ioc_zpool_devices 80 | 81 | If the ZFS pool used for iocage (jails home) is to be created, this specifies a 82 | space separated list of devices to use for the pool. There is no valid default. 83 | You have to specify it if the ZFS pool does not exist already. Default: None. 84 | 85 | ##### host_srv_zpool_name 86 | 87 | The name of the ZFS pool that should be used for the `/srv` folder. Default: `tank`. 88 | 89 | ##### host_srv_zpool_devices 90 | 91 | If the ZFS pool used for the `/srv` folder is to be created, this specifies a 92 | space separated list of devices to use for the pool. There is no valid default. 93 | You have to specify it if the ZFS pool does not exist already. Default: None. 94 | 95 | ### SSH 96 | 97 | ##### host_sshd_authorized_keys_file 98 | 99 | The file that contains the public keys used to authenticate the sshd user. 
100 | Defaults to the Vagrant insecure public key: `'vagrant_pub_key'`. That key pair is publicly known, so point this at your own key file for any host that is not a throwaway Vagrant box. 101 | 102 | ##### host_sshd_port 103 | 104 | The port sshd listens on. Default: `22`. 105 | 106 | ##### host_sshd_user 107 | 108 | The user name allowed to access this server via ssh. Default: `vagrant`. 109 | 110 | ### SSMTP 111 | 112 | This feature is only active if the variable `use_ssmtp` is set. 113 | 114 | ##### ssmtp_auth_pass 115 | 116 | The password which is used to perform SMTP AUTH. No authentication if blank. 117 | Default: `''`. 118 | 119 | ##### ssmtp_auth_user 120 | 121 | The user name which is used to authenticate against the SMTP server. No SMTP 122 | AUTH if blank. Default: `''`. 123 | 124 | ##### ssmtp_mailhub 125 | 126 | System mails are forwarded to this mail host. See [ssmtp man 127 | page](https://www.freebsd.org/cgi/man.cgi?query=ssmtp&apropos=0&sektion=0&manpath=FreeBSD+10.2-RELEASE+and+Ports&arch=default&format=html) 128 | for further information. 129 | 130 | Default: `'mail.maildrop.cc'`. 131 | 132 | ##### ssmtp_rewrite_domain 133 | 134 | The domain part of mails sent by ssmtp is rewritten using this variable. See 135 | [ssmtp man 136 | page](https://www.freebsd.org/cgi/man.cgi?query=ssmtp&apropos=0&sektion=0&manpath=FreeBSD+10.2-RELEASE+and+Ports&arch=default&format=html) 137 | for further information. 138 | 139 | Default: `'maildrop.cc'`. 140 | 141 | ##### ssmtp_root 142 | 143 | System mails are forwarded to this account. See [ssmtp man 144 | page](https://www.freebsd.org/cgi/man.cgi?query=ssmtp&apropos=0&sektion=0&manpath=FreeBSD+10.2-RELEASE+and+Ports&arch=default&format=html) 145 | for further information. 146 | 147 | Default: `'freebsd-jail-host'`. 148 | 149 | ##### ssmtp_use_starttls 150 | 151 | Use STARTTLS before starting SSL negotiation. Default: `'no'`. 152 | 153 | ##### ssmtp_use_tls 154 | 155 | Uses TLS when talking to the SMTP server. With the default `'no'` (and `ssmtp_use_starttls` also `'no'`), any `ssmtp_auth_user`/`ssmtp_auth_pass` credentials are sent to the mail hub unencrypted. Default: `'no'`. 
156 | 157 | ### Tarsnap 158 | 159 | ##### tarsnap_enabled 160 | 161 | Set this to `yes` to use tarsnap for backup. Default: `no`. 162 | 163 | ##### tarsnap_keyfile 164 | 165 | The key file used by tarsnap for backups; it is copied to `/root/tarsnap.key` on the host. See the tarsnap documentation on how to 166 | create one. Treat this file as a secret. Default: `''`. 167 | 168 | 169 | ### Package Repository 170 | 171 | ##### host_build_server_enabled 172 | 173 | Create an additional repository in `/usr/local/etc/pkg/repos/` using the URL and 174 | public key provided by the following two variables. Default: `no`. 175 | 176 | ##### host_build_server_pubkey 177 | 178 | The additional repository's public key used to verify downloaded packages. 179 | Default: None. 180 | 181 | ##### host_build_server_url 182 | 183 | The additional repository's URL. Default: None. 184 | 185 | 186 | ### Misc 187 | 188 | ##### host_use_syslogd_server 189 | 190 | Set to `true` to forward log messages written by local syslog to a syslog server within a jail. Use the `host_syslogd_server` variable to specify its ip address. Default: `false`. 191 | 192 | ##### host_syslogd_server 193 | 194 | The ip address of the syslog server to forward messages to. It should be running within one of the hosted jails. Default: `''`. 195 | 196 | ##### host_timezone 197 | 198 | The timezone the server is located in. Default: `'Europe/Berlin'`. 199 | 200 | Dependencies 201 | ------------ 202 | 203 | None. 204 | 205 | Example Playbook 206 | ---------------- 207 | 208 | Playbook example with overridden defaults to use this role to set up an EC2 instance. 209 | 210 | - hosts: all 211 | become: true 212 | 213 | roles: 214 | - role: 'JoergFiedler.freebsd-jail-host' 215 | 216 | Author Information 217 | ------------------ 218 | 219 | If you like it or have ideas to improve this project, please open an issue on GitHub. Thanks. 
220 | -------------------------------------------------------------------------------- /Vagrantfile: -------------------------------------------------------------------------------- 1 | VAGRANTFILE_API_VERSION = '2' 2 | 3 | Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| 4 | # Every Vagrant virtual environment requires a box to build off of. 5 | config.vm.box = 'JoergFiedler/freebsd-12' 6 | config.vm.synced_folder '.', '/vagrant', disabled: true 7 | config.ssh.insert_key = false 8 | config.ssh.shell ='/bin/sh' 9 | 10 | config.vm.define 'jail-host' do |host| 11 | host.vm.provision 'ansible', type: 'ansible' do |ansible| 12 | ansible.playbook = './.playbook.yml' 13 | end 14 | end 15 | 16 | config.vm.provision 'ansible', type: 'ansible' do |ansible| 17 | ansible.galaxy_roles_path = ENV['ANSIBLE_ROLES_PATH'] || '../' 18 | ansible.tags = ENV['ANSIBLE_TAGS'] 19 | ansible.skip_tags = ENV['ANSIBLE_SKIP_TAGS'] 20 | ansible.host_vars = { 21 | "127.0.0.1" => {"ansible_python_interpreter" => '/usr/bin/python'}, 22 | } 23 | ansible.verbose = ENV['ANSIBLE_VERBOSE'] 24 | end 25 | 26 | config.vm.provider 'virtualbox' do |vb, global| 27 | global.vm.network 'private_network', type: 'dhcp', auto_config: false 28 | 29 | vb.gui = false 30 | vb.memory = 4096 31 | vb.cpus = 2 32 | vb.customize ['modifyvm', :id, '--hwvirtex', 'on'] 33 | vb.customize ['modifyvm', :id, '--audio', 'none'] 34 | end 35 | 36 | config.vm.provider 'aws' do |aws, global| 37 | global.ssh.username = 'ec2-user' 38 | 39 | global.vm.provision 'ansible', type: 'ansible' do |ansible| 40 | ansible.extra_vars = './.ec2.yml' 41 | end 42 | 43 | aws.access_key_id = ENV['AWS_ACCESS_KEY_ID'] 44 | aws.associate_public_ip = true 45 | aws.instance_type = 't3.small' 46 | aws.block_device_mapping = [ 47 | { 48 | 'DeviceName' => '/dev/sda1', 49 | 'Ebs.VolumeSize' => 10, 50 | 'Ebs.VolumeType' => 'gp2', 51 | 'Ebs.DeleteOnTermination' => true 52 | }, 53 | { 54 | 'DeviceName' => '/dev/sdf', 55 | 'Ebs.VolumeSize' => 50, 56 | 
'Ebs.VolumeType' => 'gp2', 57 | 'Ebs.DeleteOnTermination' => true 58 | } 59 | ] 60 | aws.keypair_name = 'ec2-user' 61 | aws.region = 'eu-west-1' 62 | aws.secret_access_key = ENV['AWS_SECRET_ACCESS_KEY'] 63 | aws.security_groups = ['sg-1d29f478'] 64 | aws.ssh_host_attribute = :dns_name 65 | aws.subnet_id = 'subnet-cf3beaaa' 66 | aws.terminate_on_shutdown = true 67 | aws.user_data = "#!/bin/sh 68 | echo 'pass all keep state' >> /etc/pf.conf 69 | echo pf_enable=YES >> /etc/rc.conf 70 | echo pflog_enable=YES >> /etc/rc.conf 71 | echo 'firstboot_pkgs_list=\"awscli sudo\"' >> /etc/rc.conf 72 | mkdir -p /usr/local/etc/sudoers.d 73 | /usr/sbin/service pf start 74 | echo 'ec2-user ALL=(ALL) NOPASSWD: ALL' >> /usr/local/etc/sudoers.d/ec2-user" 75 | end 76 | end 77 | -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | # defaults file for jail_host 2 | host_backup_old_files: yes 3 | 4 | host_net_ext_if: '{{ ansible_default_ipv4.interface }}' 5 | host_net_ext_ip: '{{ ansible_default_ipv4.address }}' 6 | host_net_int_if: 'lo0' 7 | host_net_int_ip: '10.1.0.1' 8 | host_net_int_net: '10.1.0.0/24' 9 | host_net_priv_ip: '' 10 | host_net_priv_if: '' 11 | 12 | host_hostname: 'amnesiac' 13 | host_python_flavor: 'py37' 14 | host_syslogd_server: '' 15 | host_timezone: 'Europe/Berlin' 16 | host_use_syslogd_server: false 17 | 18 | host_build_server_enabled: no 19 | 20 | host_sshd_authorized_keys_file: 'vagrant_pub_key' 21 | host_sshd_port: 22 22 | host_sshd_user: 'vagrant' 23 | 24 | host_ioc_dataset: '{{ host_ioc_zpool_name }}/iocage' 25 | host_ioc_dir: '/iocage' 26 | host_ioc_host: 'download.freebsd.org' 27 | host_ioc_release_version: '{{ ansible_distribution_version }}-RELEASE' 28 | host_ioc_zpool_name: 'tank' 29 | host_srv_dataset: '{{ host_srv_zpool_name }}/srv' 30 | host_srv_dir: '/srv' 31 | host_srv_zpool_name: 'tank' 32 | 33 | ssmtp_auth_pass: '' 34 | 
ssmtp_auth_user: '' 35 | ssmtp_mailhub: 'mail.maildrop.cc' 36 | ssmtp_mailhub_port: '25' 37 | ssmtp_rewrite_domain: 'maildrop.cc' 38 | ssmtp_root: 'freebsd-jail-host' 39 | ssmtp_use_starttls: 'no' 40 | ssmtp_use_tls: 'no' 41 | 42 | tarsnap_enabled: no 43 | tarsnap_keyfile: '' 44 | 45 | ntp_servers: 46 | - '0.de.pool.ntp.org' 47 | - '1.de.pool.ntp.org' 48 | - '2.de.pool.ntp.org' 49 | - '3.de.pool.ntp.org' 50 | -------------------------------------------------------------------------------- /files/poudriere.pub: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyVtXarxMqICFEUN0iapa 3 | uvMTPEDmqvQrDtM7U5cFbV1DLOn8+/qAOUJMpH3dCdKSXByvyFBXYMspT1NPjO2v 4 | qs1dx5Nb5JVQk1dMYzrIX5Q2NJJ7PYf1FMQTGX1i6cL7m3k/lyUjnSgaXxRFaWBp 5 | tDyKX8z+om09ndtBnlQUR+s61mh3n9jK4KgXdeXPsZN3h/PpQQbBT3muZczXsHfr 6 | UOlUEo8LY3duBKHN1/PvxicsR6YBd4TpqWc6hwHiAsMwQ3p4AT2Z8U7Z4HrK55M9 7 | F96RxteiHq8wdM5hRy+TxwCt1pmKfeI2iwXchZkzyAclQGq2Igzb5EqcBwNhCCHn 8 | SGozcmhK1n1Jm9H3+EIxY8+dGzLWeiES5GGnnB3Hfq2h9W44Uh5NDkYitEgV4yqw 9 | qay0pgvD7UsZE2x0cQENae8ZtvCjAEBndvOcRr9aAhxAqtIwhjm2l2Quchx0aeJX 10 | yAMDiVyLDw4qCyHFmbyxQIAmnr69mL2nbwDSgQsbZ9gJE872utl5IKNpJtalOzfi 11 | CBK21+AK7ocmRd3OyettwP2w8Tqyk1MqTzPuRNpBVuSpW23/SATkunstlS4CRyDQ 12 | xhq465jtCi5mF0rx9I2GXZG/POF/mNnicN6ZcLwX2UdVRntl0AoQ65xo5zfMt5Tg 13 | fm2IzVNyb8XGq4GGDlw5JiUCAwEAAQ== 14 | -----END PUBLIC KEY----- 15 | -------------------------------------------------------------------------------- /files/vagrant_pub_key: -------------------------------------------------------------------------------- 1 | ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key 2 | -------------------------------------------------------------------------------- /handlers/main.yml: -------------------------------------------------------------------------------- 1 | - name: Reload pf 2 | service: 3 | name: 'pf' 4 | state: reloaded 5 | listen: Reload pf 6 | 7 | - name: Reload host sshd 8 | service: 9 | name: 'sshd' 10 | state: reloaded 11 | 12 | - name: Reload host syslogd 13 | service: 14 | name: 'syslogd' 15 | state: reloaded 16 | -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: Joerg Fiedler 3 | company: Joerg Fiedler 4 | description: FreeBSD Jail host. 
5 | license: BSD 6 | min_ansible_version: 2.9.2 7 | platforms: 8 | - name: FreeBSD 9 | versions: 10 | - 12 11 | galaxy_tags: 12 | - freebsd 13 | - jail 14 | - iocage 15 | - cloud 16 | - ec2 17 | - web 18 | - system 19 | allow_duplicates: no 20 | -------------------------------------------------------------------------------- /tasks/iocage.yml: -------------------------------------------------------------------------------- 1 | - name: Install iocage 2 | pkgng: 3 | name: '{{ host_python_flavor }}-iocage' 4 | state: present 5 | register: pkg_result 6 | until: pkg_result is succeeded 7 | 8 | - name: Mark zpool for iocage usage 9 | command: | 10 | /usr/local/bin/iocage activate {{ host_ioc_zpool_name }} 11 | changed_when: false 12 | 13 | - name: Fetch FreeBSD release 14 | command: | 15 | /usr/local/bin/iocage fetch \ 16 | -s '{{ host_ioc_host }}' \ 17 | -r '{{ host_ioc_release_version }}' \ 18 | -F base.txz \ 19 | -F MANIFEST 20 | args: 21 | creates: '{{ host_ioc_releases_dir }}/{{ host_ioc_release_version }}' 22 | 23 | - name: Enable iocage service 24 | service: 25 | name: 'iocage' 26 | enabled: yes 27 | -------------------------------------------------------------------------------- /tasks/main.yml: -------------------------------------------------------------------------------- 1 | - import_tasks: net.yml 2 | - import_tasks: pf.yml 3 | - import_tasks: sshd.yml 4 | - import_tasks: repo.yml 5 | - import_tasks: packages.yml 6 | - import_tasks: zpool.yml 7 | - import_tasks: iocage.yml 8 | - import_tasks: user.yml 9 | - import_tasks: timezone.yml 10 | - import_tasks: ssmtp.yml 11 | - import_tasks: ntp.yml 12 | - import_tasks: syslogd-client.yml 13 | when: host_use_syslogd_server | default(false) 14 | - import_tasks: tarsnap.yml 15 | when: tarsnap_enabled 16 | -------------------------------------------------------------------------------- /tasks/net.yml: -------------------------------------------------------------------------------- 1 | - name: Add additional ext ip to 
config 2 | lineinfile: 3 | backup: '{{ host_backup_old_files }}' 4 | dest: '/etc/rc.conf' 5 | state: present 6 | regex: '^ifconfig_{{ host_net_ext_if }}_alias0' 7 | line: 'ifconfig_{{ host_net_ext_if }}_alias0="inet {{ host_net_ext_ip }} netmask 255.255.255.255"' 8 | when: host_additional_ext_ip 9 | register: external_ip 10 | 11 | - name: Add additional ext ip to external interface 12 | command: | 13 | ifconfig {{ host_net_ext_if }} inet add {{ host_net_ext_ip }} netmask 255.255.255.255 14 | when: external_ip is changed 15 | 16 | - name: Configure internal ip on jails network interface 17 | lineinfile: 18 | backup: '{{ host_backup_old_files }}' 19 | dest: '/etc/rc.conf' 20 | state: present 21 | regex: '^ifconfig_{{ host_net_int_if }}_alias0' 22 | line: 'ifconfig_{{ host_net_int_if }}_alias0="inet {{ host_net_int_ip }} netmask 255.255.255.255"' 23 | register: internal_ip 24 | 25 | - name: Add internal ip to jails network interface 26 | command: 'ifconfig {{ host_net_int_if }} inet alias {{ host_net_int_ip }} netmask 255.255.255.255' 27 | when: internal_ip is changed 28 | 29 | - name: Configure private subnet ip on host private network interface 30 | lineinfile: 31 | backup: '{{ host_backup_old_files }}' 32 | dest: '/etc/rc.conf' 33 | state: present 34 | regex: '^ifconfig_{{ host_net_priv_if }}' 35 | line: 'ifconfig_{{ host_net_priv_if }}="DHCP"' 36 | when: host_net_priv_if | default('') | length > 0 37 | register: private_ip 38 | 39 | - name: Add internal ip to jails network interface 40 | command: '/sbin/dhclient {{ host_net_priv_if }}' 41 | when: private_ip is changed 42 | 43 | - name: Get hostname 44 | command: 'hostname' 45 | register: hostname 46 | changed_when: false 47 | 48 | - name: Set hostname 49 | command: 'hostname {{ host_hostname }}' 50 | when: hostname.stdout != host_hostname 51 | 52 | - name: Add hostname to rc.conf 53 | lineinfile: 54 | backup: '{{ host_backup_old_files }}' 55 | dest: '/etc/rc.conf' 56 | state: present 57 | regexp: '^hostname=' 58 | 
line: 'hostname="{{ host_hostname }}"' 59 | 60 | - name: Add hostname to /etc/hosts 61 | lineinfile: 62 | backup: '{{ host_backup_old_files }}' 63 | dest: '/etc/hosts' 64 | state: present 65 | regexp: '^{{ host_net_int_ip }}' 66 | line: '{{ host_net_int_ip }} {{ host_hostname }}' 67 | -------------------------------------------------------------------------------- /tasks/ntp.yml: -------------------------------------------------------------------------------- 1 | - name: Copy ntp config 2 | template: 3 | backup: '{{ host_backup_old_files }}' 4 | src: 'ntp.conf.j2' 5 | dest: '/etc/ntp.conf' 6 | 7 | - name: Activate NTP deamon 8 | lineinfile: 9 | dest: '/etc/rc.conf' 10 | state: present 11 | regexp: '^ntpd_enable=' 12 | line: 'ntpd_enable="YES"' 13 | 14 | - name: Adjust time on boot 15 | lineinfile: 16 | dest: '/etc/rc.conf' 17 | state: present 18 | regexp: '^ntpdate_enable=' 19 | line: 'ntpdate_enable="YES"' 20 | -------------------------------------------------------------------------------- /tasks/packages.yml: -------------------------------------------------------------------------------- 1 | - name: Update pkg 2 | command: 'pkg upgrade -y pkg' 3 | changed_when: false 4 | 5 | - name: Install additional packages 6 | pkgng: 7 | name: '{{ item }}' 8 | state: present 9 | loop: 10 | - tmux 11 | register: pkg_result 12 | until: pkg_result is succeeded 13 | -------------------------------------------------------------------------------- /tasks/pf.yml: -------------------------------------------------------------------------------- 1 | - name: Copy pf.conf 2 | template: 3 | backup: '{{ host_backup_old_files }}' 4 | src: 'pf.conf.j2' 5 | dest: '/etc/pf.conf' 6 | mode: '0644' 7 | notify: 8 | - Reload pf 9 | 10 | - name: Ensure nat jails definition file exists 11 | command: 'touch /etc/pf.table.nat-jails' 12 | args: 13 | creates: '/etc/pf.table.nat-jails' 14 | warn: no 15 | notify: 16 | - Reload pf 17 | 18 | - name: Ensure nat jail rules definition file exists 19 | 
command: 'touch /etc/pf.anchor.nat-jail.conf' 20 | args: 21 | creates: '/etc/pf.anchor.nat-jail.conf' 22 | warn: no 23 | notify: 24 | - Reload pf 25 | 26 | - name: Ensure rdr jail rules definition file exists 27 | command: 'touch /etc/pf.anchor.rdr-jail.conf' 28 | args: 29 | creates: '/etc/pf.anchor.rdr-jail.conf' 30 | warn: no 31 | notify: 32 | - Reload pf 33 | 34 | - name: Ensure rls jail rules definition file exists 35 | command: 'touch /etc/pf.anchor.rls-jail.conf' 36 | args: 37 | creates: '/etc/pf.anchor.rls-jail.conf' 38 | warn: no 39 | notify: 40 | - Reload pf 41 | -------------------------------------------------------------------------------- /tasks/repo.yml: -------------------------------------------------------------------------------- 1 | - name: Create directory which will hold build repo conf 2 | file: 3 | path: '/usr/local/etc/pkg/repos' 4 | state: directory 5 | 6 | - name: Create directory which will hold build server key 7 | file: 8 | path: '/usr/local/etc/ssl' 9 | state: directory 10 | 11 | - name: Copy build server key 12 | copy: 13 | backup: '{{ host_backup_old_files }}' 14 | src: '{{ host_build_server_pubkey }}' 15 | dest: '/usr/local/etc/ssl/poudriere.pub' 16 | when: host_build_server_enabled 17 | 18 | - name: Install build server repo 19 | template: 20 | backup: '{{ host_backup_old_files }}' 21 | src: 'poudriere.conf.j2' 22 | dest: '/usr/local/etc/pkg/repos/poudriere.conf' 23 | register: build_server_repo 24 | when: host_build_server_enabled 25 | 26 | - name: Update build server repo data 27 | command: 'pkg update' 28 | when: build_server_repo is changed 29 | 30 | - name: Install root certificate authorities 31 | pkgng: 32 | name: 'ca_root_nss' 33 | state: present 34 | register: pkg_result 35 | until: pkg_result is succeeded 36 | -------------------------------------------------------------------------------- /tasks/sshd.yml: -------------------------------------------------------------------------------- 1 | - name: Adjust sshd (allowed 
user, authentication, ..) 2 | lineinfile: 3 | backup: '{{ host_backup_old_files }}' 4 | dest: '/etc/ssh/sshd_config' 5 | state: present 6 | regexp: '{{ item.regexp }}' 7 | line: '{{ item.line }}' 8 | insertbefore: '^#Port' 9 | with_items: 10 | - { regexp: '^Port', line: 'Port {{ host_sshd_port }}' } 11 | - { regexp: '^Protocol', line: 'Protocol 2' } 12 | - { regexp: '^AllowUsers', line: 'AllowUsers {{ host_sshd_user }}'} 13 | - { regexp: '^MaxStartups', line: 'MaxStartups 3:50:5' } 14 | - { regexp: '^MaxAuthTries', line: 'MaxAuthTries 1' } 15 | - { regexp: '^LoginGraceTime', line: 'LoginGraceTime 5' } 16 | - { regexp: '^ChallengeResponseAuthentication', 17 | line: 'ChallengeResponseAuthentication no' } 18 | - { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' } 19 | - { regexp: '^UseDNS', line: 'UseDNS no' } 20 | - { regexp: '^UsePAM', line: 'UsePAM no' } 21 | - { regexp: '^ClientAliveInterval', line: 'ClientAliveInterval 30' } 22 | notify: 23 | - Reload host sshd 24 | -------------------------------------------------------------------------------- /tasks/ssmtp.yml: -------------------------------------------------------------------------------- 1 | - name: Install ssmtp for easy mail forwarding 2 | pkgng: 3 | name: 'ssmtp' 4 | state: present 5 | register: pkg_result 6 | until: pkg_result is succeeded 7 | 8 | - name: Copy ssmtp.conf into place 9 | template: 10 | backup: '{{ host_backup_old_files }}' 11 | src: 'ssmtp.conf.j2' 12 | dest: '/usr/local/etc/ssmtp/ssmtp.conf' 13 | 14 | - name: Copy mailer configuration into place 15 | template: 16 | backup: '{{ host_backup_old_files }}' 17 | src: 'mailer.conf.j2' 18 | dest: '/etc/mail/mailer.conf' 19 | -------------------------------------------------------------------------------- /tasks/syslogd-client.yml: -------------------------------------------------------------------------------- 1 | - name: Configure syslog 2 | lineinfile: 3 | backup: '{{ host_backup_old_files }}' 4 | dest: '/etc/syslog.conf' 
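# (tail of tasks/syslogd-client.yml: the task this belongs to starts above this view)
    state: present
    line: '*.* @{{ host_syslogd_server }}'
    insertafter: '^#\s+Consult the syslog.conf'
  notify:
    - Reload host syslogd

# syslogd_flags: a single "-s" stops syslogd from accepting messages from
# other hosts while still letting it forward to host_syslogd_server; "-c"
# disables repeated-line compression so every event reaches the collector.
- name: Enable remote syslog logging
  lineinfile:
    backup: '{{ host_backup_old_files }}'
    dest: '/etc/rc.conf'
    regexp: 'syslogd_flags='
    line: 'syslogd_flags="-c -s"'
  notify:
    - Reload host syslogd
--------------------------------------------------------------------------------
/tasks/tarsnap.yml:
--------------------------------------------------------------------------------
# Installs tarsnap and tarsnapper, deploys the machine key and the config
# files, and schedules a weekly fsck plus twice-daily archive creation.
- name: Install additional packages
  pkgng:
    name: '{{ item }}'
    state: present
  loop:
    - 'tarsnap'
    - '{{ host_python_flavor }}-tarsnapper'
  register: pkg_result
  until: pkg_result is succeeded   # retry transient repository failures

# The key file is the credential for every archive of this machine (a key
# from tarsnap-keygen carries read, write and delete rights unless narrowed
# with tarsnap-keymgmt), so it must not inherit the umask default that the
# copy module would otherwise apply: owner root, mode 0600.
- name: Copy tarsnap key file
  copy:
    backup: '{{ host_backup_old_files }}'
    src: '{{ tarsnap_keyfile }}'
    dest: '/root/tarsnap.key'
    owner: 'root'
    group: 'wheel'
    mode: '0600'
  register: keyfile_created

# tarsnapper picks up per-job files from this directory (see tarsnapper.yml.j2)
- name: Create tarsnapper config directory
  file:
    path: '/usr/local/etc/tarsnapper.d'
    state: directory

- name: Copy tarsnapper config
  template:
    backup: '{{ host_backup_old_files }}'
    src: 'tarsnapper.yml.j2'
    dest: '/usr/local/etc/tarsnapper.yml'

- name: Copy tarsnap config file
  template:
    backup: '{{ host_backup_old_files }}'
    src: 'tarsnap.conf.j2'
    dest: '/usr/local/etc/tarsnap.conf'

# Weekly cache consistency check (Sunday 20:20). PATH is extended because
# cron's default PATH does not include /usr/local/bin.
- name: Create entry in crontab
  cron:
    name: 'tarsnap fsck'
    minute: '20'
    hour: '20'
    weekday: '0'
    job: 'PATH=$PATH:/usr/local/bin /usr/local/bin/tarsnap --fsck'

# Archive creation every 12 hours. NOTE(review): "--no-expire" means this
# job never deletes old archives, so the delta-names in tarsnapper.yml.j2
# are not applied by it; expiry has to happen elsewhere or storage grows
# without bound.
- name: Create entry in crontab
  cron:
    name: 'tarsnapper'
    minute: '15'
    hour: '*/12'
    job: 'PATH=$PATH:/usr/local/bin /usr/local/bin/tarsnapper -c /usr/local/etc/tarsnapper.yml make --no-expire'

- name: Copy backup config for home directory
  template:
    backup: '{{ host_backup_old_files }}'
    src: 'host-home.yml.j2'
    dest: '/usr/local/etc/tarsnapper.d/host-home.yml'

# Weekly periodic(8) script that mails archive statistics; must be executable.
- name: Copy weekly script
  template:
    backup: '{{ host_backup_old_files }}'
    src: '901.tarsnap.sh.j2'
    dest: '/usr/local/etc/periodic/weekly/901.tarsnap'
    mode: 0755
--------------------------------------------------------------------------------
/tasks/timezone.yml:
--------------------------------------------------------------------------------
# /var/db/zoneinfo holds the zone name chosen by tzsetup; it is absent on a
# fresh install, hence ignore_errors (stdout is then empty and tzsetup runs).
- name: Read current timezone info
  command: 'cat /var/db/zoneinfo'
  register: zoneinfo
  changed_when: false
  ignore_errors: yes

- name: Set timezone info
  command: 'tzsetup {{ host_timezone }}'
  when: zoneinfo.stdout != host_timezone
--------------------------------------------------------------------------------
/tasks/user.yml:
--------------------------------------------------------------------------------
# password '*' locks root's password; administration is expected to go
# through the ssh user and the sudo rule installed below.
- name: Update comment for root user in user database
  user:
    name: 'root'
    password: '*'
    comment: 'root .at {{ host_hostname }}'

# sudoers.d fragments are conventionally 0440 and must not be writable by
# anyone but root; visudo -c rejects a syntactically broken file before it
# replaces the old one.
- name: Add sudo rules for ssh user on jail host
  template:
    backup: '{{ host_backup_old_files }}'
    src: 'sudoers.user.j2'
    dest: '/usr/local/etc/sudoers.d/{{ host_sshd_user }}'
    mode: '0440'
    validate: 'visudo -cf %s'

- name: Create .ssh directory for ssh user
  file:
    path: '/home/{{ host_sshd_user }}/.ssh'
    owner: '{{ host_sshd_user }}'
    group: '{{ host_sshd_user }}'
    mode: 0700
    state: directory

# sshd (StrictModes) refuses authorized_keys that is group/world writable;
# 0600 is the conventional mode.
- name: Copy authorized keys file
  copy:
    backup: '{{ host_backup_old_files }}'
    src: '{{ host_sshd_authorized_keys_file }}'
    dest: '/home/{{ host_sshd_user }}/.ssh/authorized_keys'
    owner: '{{ host_sshd_user }}'
    group: '{{ host_sshd_user }}'
    mode: '0600'
--------------------------------------------------------------------------------
/tasks/zpool.yml:
--------------------------------------------------------------------------------
# Creates the two zpools (iocage and srv) and their datasets if missing, and
# wires up periodic ZFS snapshots.
- name: Ensure ZFS is started
  service:
    name: 'zfs'
    enabled: yes
    state: started

# "zpool status <name>" exits non-zero with "no such pool" when the pool is
# absent; any other failure leaves the pool untouched because the create
# task matches that exact message.
- name: Check if ioc zpool exists
  command: 'zpool status {{ host_ioc_zpool_name }}'
  register: ioc_zpool_status
  ignore_errors: yes
  changed_when: false

- name: Create ioc zpool
  command: 'zpool create {{ host_ioc_zpool_name }} {{ host_ioc_zpool_devices }}'
  when: "'no such pool' in ioc_zpool_status.stderr"

- name: Create ioc dataset
  zfs:
    name: '{{ host_ioc_dataset }}'
    state: present
    extra_zfs_properties:
      atime: off
      mountpoint: '{{ host_ioc_dir }}'

- name: Check if srv zpool exists
  command: 'zpool status {{ host_srv_zpool_name }}'
  register: srv_zpool_status
  ignore_errors: yes
  changed_when: false

- name: Create srv zpool
  command: 'zpool create {{ host_srv_zpool_name }} {{ host_srv_zpool_devices }}'
  when: "'no such pool' in srv_zpool_status.stderr"

- name: Create srv dataset
  zfs:
    name: '{{ host_srv_dataset }}'
    state: present
    extra_zfs_properties:
      atime: off
      mountpoint: '{{ host_srv_dir }}'

# Replaces /etc/periodic.conf wholesale with the snapshot settings.
- name: Copy periodic conf for regular snapshots
  template:
    backup: '{{ host_backup_old_files }}'
    src: 'periodic.conf.j2'
    dest: '/etc/periodic.conf'

# zfs-periodic provides the hourly/daily/weekly/monthly snapshot scripts
# referenced from periodic.conf.j2.
- name: Install zfs-periodic package
  pkgng:
    name: 'zfs-periodic'
    state: present
  register: pkg_result
  until: pkg_result is succeeded

# The base system runs daily/weekly/monthly only; add the hourly run that
# zfs-periodic's hourly snapshots depend on.
- name: Create entry in crontab to create hourly snapshots
  lineinfile:
    backup: '{{ host_backup_old_files }}'
    dest: '/etc/crontab'
    line: '47 * * * * root periodic hourly'
    insertafter: '^# Perform daily/weekly/monthly'
    state: present
--------------------------------------------------------------------------------
/templates/901.tarsnap.sh.j2:
--------------------------------------------------------------------------------
#!/bin/sh
{{ ansible_managed | comment }}
# Weekly periodic script: prints storage statistics for all archives
# ("-f \*"); the output goes into the weekly periodic mail.

/usr/local/bin/tarsnap \
    --print-stats \
    --humanize-numbers \
    -f \*
--------------------------------------------------------------------------------
/templates/host-home.yml.j2:
--------------------------------------------------------------------------------
{{ ansible_managed | comment }}
# tarsnapper job: archive /home using the "default" delta from tarsnapper.yml

_home:
  delta: default
  source: /home
--------------------------------------------------------------------------------
/templates/mailer.conf.j2:
--------------------------------------------------------------------------------
{{ ansible_managed | comment }}
# Route the sendmail-compatible entry points to ssmtp; the queue-status
# commands have no ssmtp equivalent and are no-ops.

sendmail /usr/local/sbin/ssmtp
send-mail /usr/local/sbin/ssmtp
mailq /usr/local/sbin/ssmtp
newaliases /usr/local/sbin/ssmtp
hoststat /usr/bin/true
purgestat /usr/bin/true

--------------------------------------------------------------------------------
/templates/ntp.conf.j2:
--------------------------------------------------------------------------------
{{ ansible_managed | comment }}

{% for ntp_server in ntp_servers %}
pool {{ ntp_server }}
{% endfor %}

# Deny all unsolicited packets (no remote ntpq/ntpdc queries or peering).
# NOTE(review): there is no "restrict source ..." line for the pool
# associations; confirm with "ntpq -p" that replies from the pool servers
# are actually accepted under this default.
restrict default ignore
driftfile /var/db/ntp.drift
leapfile "/var/db/ntpd.leap-seconds.list"

--------------------------------------------------------------------------------
/templates/periodic.conf.j2:
--------------------------------------------------------------------------------
{{ ansible_managed | comment }}
# Snapshot schedule for both pools (zfs-periodic); *_keep is the number of
# snapshots retained per period.

daily_status_zfs_enable="YES"

hourly_output="root"
hourly_show_success="NO"
hourly_show_info="YES"
hourly_show_badconfig="NO"

hourly_zfs_snapshot_enable="YES"
hourly_zfs_snapshot_pools="{{ host_srv_zpool_name }} {{ host_ioc_zpool_name }}"
hourly_zfs_snapshot_keep=12

daily_zfs_snapshot_enable="YES"
daily_zfs_snapshot_pools="{{ host_srv_zpool_name }} {{ host_ioc_zpool_name }}"
daily_zfs_snapshot_keep=7

weekly_zfs_snapshot_enable="YES"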
weekly_zfs_snapshot_pools="{{ host_srv_zpool_name }} {{ host_ioc_zpool_name }}"
weekly_zfs_snapshot_keep=4

monthly_zfs_snapshot_enable="YES"
monthly_zfs_snapshot_pools="{{ host_srv_zpool_name }} {{ host_ioc_zpool_name }}"
monthly_zfs_snapshot_keep=1

--------------------------------------------------------------------------------
/templates/pf.conf.j2:
--------------------------------------------------------------------------------
{{ ansible_managed | comment }}
# Host firewall for the jail host: default deny in both directions, a short
# list of outbound services for the host itself, and three anchors whose
# rule files are loaded from /etc (written elsewhere — not visible here).

ext_if="{{ host_net_ext_if }}"
# list macro "{ ip1,ip2 }" built in vars/main.yml from host_net_ext_ip and
# the interface's primary address
ext_ip="{{ host_net_ext_ips }}"
host_net_priv_if="{{ host_net_priv_if }}"
host_net_priv_ip="{{ host_net_priv_ip }}"

# echo reply, unreachable, source quench, echo request, time exceeded
icmp_types="{ 0, 3, 4, 8, 11 }"

sshd_port={{ host_sshd_port }}

# Blocked packets get RST/ICMP unreachable rather than being dropped
# silently; failures are fast but the host is visibly filtering.
set block-policy return
scrub in all

###########
# NAT rules

nat-anchor nat-jail
load anchor nat-jail from "/etc/pf.anchor.nat-jail.conf"

###########
# RDR rules

rdr-anchor rdr-jail
load anchor rdr-jail from "/etc/pf.anchor.rdr-jail.conf"

#######
# Rules
# Catch-all deny with logging. There is no "set skip on lo0", so loopback
# traffic is also subject to these rules; only sshd on 127.0.0.1 is
# explicitly allowed below.
block out log all
block in log all

# allow dhcp
pass out quick log on $ext_if inet proto udp from any port { bootps,bootpc } to any port { bootps,bootpc } keep state
{% if host_net_priv_if != '' %}
pass out quick log on $host_net_priv_if inet proto udp from any port { bootps,bootpc } to any port { bootps,bootpc } keep state
{% endif %}

# allow sshd (as long as there is no jump jail)
# NOTE(review): open to any source with no connection-rate limit; pf's
# max-src-conn-rate with an overload table would slow brute-force attempts
# while sshd is reachable from the internet.
pass log proto tcp from any to $ext_ip port $sshd_port keep state
pass log proto tcp from 127.0.0.1 to 127.0.0.1 port $sshd_port keep state

# allow outgoing DNS and HTTP(S) traffic on external interface
# (pf keeps state on pass rules by default, so the missing "keep state"
# keyword here is equivalent to the rules above, not stateless)
pass out quick log on $ext_if proto { tcp,udp } from $ext_ip to any port 53
pass out quick log on $ext_if proto { tcp } from $ext_ip to any port { 80,443 }

# allow tarsnap traffic
# Hard-coded tarsnap service address: if it ever changes, backups fail at
# the firewall and the weekly --print-stats mail is the signal.
pass out quick log on $ext_if proto tcp from $ext_ip to 75.101.135.185 port 9279

# allow outgoing mail via ssmtp
pass out quick log on $ext_if proto tcp from $ext_ip to {{ ssmtp_mailhub }} port {{ ssmtp_mailhub_port }}

# pass outgoing ntp request
pass out quick log on $ext_if proto udp from $ext_ip to any port ntp

anchor rls-jail
load anchor rls-jail from "/etc/pf.anchor.rls-jail.conf"

# ICMP
# NOTE(review): "queue icmp" refers to an ALTQ queue that is not defined in
# this file; pfctl rejects a rule set that names an unknown queue, so
# verify the rendered file loads (pfctl -nf) on a kernel without ALTQ.
pass inet proto icmp all icmp-type $icmp_types queue icmp label "ICMP"
--------------------------------------------------------------------------------
/templates/poudriere.conf.j2:
--------------------------------------------------------------------------------
{{ ansible_managed | comment }}
# pkg(8) repository definition for the local poudriere build server.
# Packages are fetched over HTTPS and verified against the public key
# installed at /usr/local/etc/ssl/poudriere.pub (files/poudriere.pub);
# priority 100 makes it win over the default FreeBSD repository.

poudriere: {
  url: "{{ host_build_server_url }}",
  mirror_type: "pkg+https",
  signature_type: "pubkey",
  pubkey: "/usr/local/etc/ssl/poudriere.pub",
  enabled: {{ host_build_server_enabled }},
  priority: 100
}
--------------------------------------------------------------------------------
/templates/ssmtp.conf.j2:
--------------------------------------------------------------------------------
{{ ansible_managed | comment }}
# Outbound-only mail relay configuration. AuthPass is written in clear text
# when set, so the rendered file must be readable only by root (and the
# group ssmtp runs as); the installing task is in tasks/ssmtp.yml, outside
# this view — confirm the mode it sets.

Root={{ ssmtp_root }}
RewriteDomain={{ ssmtp_rewrite_domain }}
Mailhub={{ ssmtp_mailhub }}:{{ ssmtp_mailhub_port }}
Hostname={{ host_hostname }}
UseSTARTTLS={{ ssmtp_use_starttls }}
UseTLS={{ ssmtp_use_tls }}
{% if ssmtp_auth_user %}
AuthUser={{ ssmtp_auth_user }}
{% endif %}
{% if ssmtp_auth_pass %}
AuthPass={{ ssmtp_auth_pass }}
{% endif %}
--------------------------------------------------------------------------------
/templates/sudoers.user.j2:
--------------------------------------------------------------------------------
{{ ansible_managed | comment }}
# "%" makes this a group rule: every member of the group named like
# host_sshd_user may run any command as root without a password. With
# root's password locked in tasks/user.yml this is the administrative path
# onto the host; the file is checked with visudo before it is installed.

%{{ host_sshd_user }} ALL=(ALL) NOPASSWD: ALL

--------------------------------------------------------------------------------
/templates/tarsnap.conf.j2:
--------------------------------------------------------------------------------
{{ ansible_managed | comment }}
# Global tarsnap client settings; tarsnapper invokes tarsnap with this file.

# Tarsnap cache directory
cachedir /var/cache/tarsnap

# Tarsnap key file (installed 0600 by tasks/tarsnap.yml; it is the only
# credential for this machine's archives)
keyfile /root/tarsnap.key

# Don't archive files which have the nodump flag set
nodump

# Print statistics when creating or deleting archives
print-stats

# Create a checkpoint once per GB of uploaded data.
checkpoint-bytes 1G

--------------------------------------------------------------------------------
/templates/tarsnapper.yml.j2:
--------------------------------------------------------------------------------
{{ ansible_managed | comment }}
# tarsnapper top-level config; per-directory jobs live in tarsnapper.d.

# Retention: keep 12-hourly, then daily for 7 days, then monthly for 30
# days. NOTE(review): the cron job in tasks/tarsnap.yml runs "make
# --no-expire", so this delta only applies when expiry is run separately.
delta-names:
  default: 12h 7d 30d

# archive name pattern, e.g. home-2020-01-01T00:00:00
target: $name-$date

include-jobs: /usr/local/etc/tarsnapper.d/*.yml
--------------------------------------------------------------------------------
/vars/main.yml:
--------------------------------------------------------------------------------
# vars file for jail_host
host_ioc_releases_dir: '{{ host_ioc_dir }}/releases'
host_ioc_jails_dir: '{{ host_ioc_dir }}/jails'
# pf list macro "{ a,b }" used as $ext_ip in pf.conf.j2; contains the
# configured external address and the interface's primary address
host_net_ext_ips: "{ {{ host_net_ext_ip }},{{ ansible_default_ipv4.address }} }"
# true when host_net_ext_ip is an alias that still has to be configured
host_additional_ext_ip: '{{ host_net_ext_ip != ansible_default_ipv4.address }}'
--------------------------------------------------------------------------------