From 016ed084407ffc0c264a136fb8aa351fb906698d Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sat, 29 Oct 2022 21:29:00 -0400
Subject: [PATCH] Set up the cloak jail to run wireguard.

---
 ansible/environments/laptop/host_vars/odofreebsd |  2 +-
 ansible/roles/devfs/files/odo_devfs.rules        | 10 ++++++++++
 ansible/roles/firewall/files/odofreebsd_pf.conf  |  6 ++++--
 ansible/roles/jail/files/jails/cloak.conf        |  2 ++
 ansible/roles/jail/meta/main.yaml                |  2 ++
 5 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 ansible/roles/jail/meta/main.yaml

diff --git a/ansible/environments/laptop/host_vars/odofreebsd b/ansible/environments/laptop/host_vars/odofreebsd
index 03ba232..13a3cba 100644
--- a/ansible/environments/laptop/host_vars/odofreebsd
+++ b/ansible/environments/laptop/host_vars/odofreebsd
@@ -34,7 +34,7 @@ users:
   - backup_fido
   - homeassistant
 gitconfig: "gitconfig_home"
-# devfs_rules: "odo_devfs.rules"
+devfs_rules: "odo_devfs.rules"
 # devfs_system_ruleset: "localrules"
 # jail_conf: "jail.conf"
 jail_zfs_dataset: zroot/freebsd/release/jails
diff --git a/ansible/roles/devfs/files/odo_devfs.rules b/ansible/roles/devfs/files/odo_devfs.rules
index 273e8a1..6797aad 100644
--- a/ansible/roles/devfs/files/odo_devfs.rules
+++ b/ansible/roles/devfs/files/odo_devfs.rules
@@ -1,3 +1,13 @@
 [localrules=10]
 add path 'input/*' mode 0660 group video
 add path 'usb/*' mode 0660 group usb
+
+[tajailwg=13]
+add include $devfsrules_hide_all
+add include $devfsrules_unhide_basic
+add include $devfsrules_unhide_login
+add path 'bpf*' unhide
+add path pf unhide
+add path pflog unhide
+add path pfsynv unhide
+add path 'tun*' unhide
diff --git a/ansible/roles/firewall/files/odofreebsd_pf.conf b/ansible/roles/firewall/files/odofreebsd_pf.conf
index 56b4db7..4d6f688 100644
--- a/ansible/roles/firewall/files/odofreebsd_pf.conf
+++ b/ansible/roles/firewall/files/odofreebsd_pf.conf
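Review bot: `add path pfsynv unhide` in the new `[tajailwg=13]` ruleset names a device node that does not exist; FreeBSD's pf state-sync node is `pfsync`, and a devfs rule whose path matches nothing is silently a no-op, so the line should read `add path pfsync unhide`. The ruleset also unhides `bpf*`, `pf` and `pflog` although the only stated need elsewhere in this commit is `tun*` for wireguard; in a VNET jail those nodes are scoped to the jail's own network stack, but if the jail never runs its own pf or packet capture, dropping them keeps the jail's device surface to what it actually uses. A comment above the ruleset naming its consumer and the reason for each extra node, e.g. `# used by jail 'cloak' (devfs_ruleset = 13): tun for wireguard; bpf/pf/pflog/pfsync for <reason>`, would make that choice reviewable.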
@@ -2,7 +2,7 @@ ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
 jail_net_v4 = "10.193.223.0/24"
 dhcp = "{ bootpc, bootps }"
-allow = "{ nat_uplink0 }"
+# allow = "{ nat_uplink0 }"
 tcp_pass_in = "{ 22 }"
 udp_pass_in = "{ 53 51820 }"
@@ -27,7 +27,7 @@ pass out on $ext_if
 # `service pf reload` but interfaces that we `skip` will not update (I
 # forget if its from adding, removing, or both. TODO: test to figure
 # it out)
-pass quick on $allow
+# pass quick on $allow
 pass on $ext_if proto icmp all
 pass on $ext_if proto icmp6 all
@@ -36,3 +36,5 @@ pass in on $ext_if proto tcp to any port $tcp_pass_in
 pass in on $ext_if proto udp to any port $udp_pass_in
 pass quick on $ext_if proto udp from any port $dhcp to any port $dhcp
+
+pass in on nat_uplink0 proto udp from any to any port { 53 51820 }
diff --git a/ansible/roles/jail/files/jails/cloak.conf b/ansible/roles/jail/files/jails/cloak.conf
index db56473..7026d39 100644
--- a/ansible/roles/jail/files/jails/cloak.conf
+++ b/ansible/roles/jail/files/jails/cloak.conf
@@ -2,6 +2,8 @@ cloak {
     path = "/jail/main/jails/cloak";
     vnet;
     vnet.interface += "nat_link2";
+    devfs_ruleset = 13;
+    mount.devfs; # To expose tun device
     exec.start += "/bin/sh /etc/rc";
     exec.stop = "/bin/sh /etc/rc.shutdown jail";
diff --git a/ansible/roles/jail/meta/main.yaml b/ansible/roles/jail/meta/main.yaml
new file mode 100644
index 0000000..b5b170a
--- /dev/null
+++ b/ansible/roles/jail/meta/main.yaml
@@ -0,0 +1,2 @@
+dependencies:
+  - devfs # To expose /dev entries like tun for wireguard
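Review bot: The new rule `pass in on nat_uplink0 proto udp from any to any port { 53 51820 }` in the last hunk re-spells the port list that the first hunk already keeps in `udp_pass_in`, so the two will drift the next time a port is added; `pass in on nat_uplink0 proto udp to port $udp_pass_in` keeps one source of truth. Since `nat_uplink0` is the jail-facing side, `from $jail_net_v4` (the macro defined in the first hunk) would also pin the rule to the jail subnet instead of `any`. This rule is not `quick` and is far narrower than the `pass quick on $allow` it replaces, which passed all traffic in both directions on that interface; any non-UDP traffic the cloak jail originates now falls through to whatever default policy sits outside these hunks, which is presumably intended but deserves a comment next to the rule. The commented-out `allow` macro and `pass quick on $allow` in the first two hunks are dead config and could simply be removed.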
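Review bot: `devfs_ruleset = 13;` is a bare number whose meaning lives in `odo_devfs.rules` as `[tajailwg=13]`, and the comment on `mount.devfs;` mentions only `tun` even though that ruleset also unhides bpf, pf and pflog; naming the ruleset where the number is used makes the coupling visible, e.g. `devfs_ruleset = 13;  # tajailwg in odo_devfs.rules: tun for wireguard, plus bpf/pf/pflog`. The pairing itself is consistent, since `devfs_ruleset` is only applied when `mount.devfs` is set and the hunk sets both. The enclosing `cloak { ... }` block closes outside the hunk.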
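Review bot: The new `meta/main.yaml` starts directly with `dependencies:` and has no `---` document-start marker, which yamllint's default `document-start` rule flags; add `---` as the first line. The inline comment on `- devfs` could also state the ordering it enforces, that the devfs role must have installed the rules file referenced as ruleset 13 by `cloak.conf` before the jail role starts any jail, though whether the devfs role actually loads the rulesets cannot be seen in this diff.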