From 1fa60057b25407cb4c20f17e90d7bfbfe90e7b1a Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Thu, 3 Nov 2022 00:07:44 -0400
Subject: [PATCH 1/3] Start migrating jails to fileserver.

---
 ansible/environments/home/host_vars/homeserver | 11 +++++++++++
 ansible/roles/gpg/tasks/freebsd.yaml | 6 ++++++
 ansible/roles/gpg/templates/gpg-agent.conf.j2 | 4 ++--
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/ansible/environments/home/host_vars/homeserver b/ansible/environments/home/host_vars/homeserver
index c504c82..eb1c270 100644
--- a/ansible/environments/home/host_vars/homeserver
+++ b/ansible/environments/home/host_vars/homeserver
@@ -16,3 +16,14 @@ hwpstate: false
 build_user:
   name: talexander
   group: talexander
+jail_zfs_dataset: zmass/encrypted/jails
+jail_zfs_dataset_mountpoint: /jail/main
+jail_list:
+  - name: cloak
+    conf:
+      src: cloak
+  - name: dagger
+    conf:
+      src: dagger
+bhyve_dataset: zmass/encrypted/vm
+bhyve_list: []
diff --git a/ansible/roles/gpg/tasks/freebsd.yaml b/ansible/roles/gpg/tasks/freebsd.yaml
index ef1c0ea..f4d6658 100644
--- a/ansible/roles/gpg/tasks/freebsd.yaml
+++ b/ansible/roles/gpg/tasks/freebsd.yaml
@@ -6,6 +6,12 @@
       - ccid
       # - linux_libusb
       - pinentry
+    state: present
+
+- name: Install packages
+  when: graphics_driver is defined
+  package:
+    name:
       - pinentry-qt5
     state: present
diff --git a/ansible/roles/gpg/templates/gpg-agent.conf.j2 b/ansible/roles/gpg/templates/gpg-agent.conf.j2
index 5f614e4..9ba31fd 100644
--- a/ansible/roles/gpg/templates/gpg-agent.conf.j2
+++ b/ansible/roles/gpg/templates/gpg-agent.conf.j2
@@ -4,8 +4,8 @@ use-standard-socket
 default-cache-ttl 600
 max-cache-ttl 7200
 display :0
-{% if os_flavor == "linux" %}
+{% if graphics_driver is defined and os_flavor == "linux" %}
 pinentry-program /usr/bin/pinentry-qt
-{% elif os_flavor == "freebsd" %}
+{% elif graphics_driver is defined and os_flavor == "freebsd" %}
 pinentry-program /usr/local/bin/pinentry-qt5
 {% endif %}
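Review bot: The added task is named `Install packages`, identical to the task it was split out of, so a play run shows two indistinguishable steps and a failure installing pinentry-qt5 cannot be told apart from the base gnupg/pinentry install; rename it, e.g. `- name: Install graphical pinentry (only when a graphics driver is configured)`. The `when: graphics_driver is defined` gate mirrors the condition this same patch adds to gpg-agent.conf.j2, but nothing records that coupling, so a comment above the `when:` such as `# keep in sync with the pinentry-program condition in templates/gpg-agent.conf.j2` would stop the two from drifting apart. The first task's `- name:` line and its trailing context lie outside the hunk.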
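Review bot: `display :0` on the context line above the conditional is still emitted unconditionally, so hosts without `graphics_driver` now get no `pinentry-program` but keep a display setting that presumably only made sense alongside the Qt pinentry; if that is the case it belongs inside the same `{% if %}`, otherwise a Jinja comment explaining why it stays on headless hosts would help. When `graphics_driver` is undefined the agent presumably falls back to its platform default pinentry (the FreeBSD task in this patch installs `pinentry` unconditionally, which is consistent with that), but the template should state the intent: `{# no pinentry-program on headless hosts: gpg-agent falls back to the default tty/curses pinentry #}`.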
From a8a64f6741461e975aef1cf6eadbc39fc3d38a08 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Fri, 4 Nov 2022 00:33:37 -0400
Subject: [PATCH 2/3] Add netgraph config for the homeserver.

---
 .../environments/home/host_vars/homeserver | 1 +
 .../jail/files/setup_netgraph_homeserver | 87 +++++++++++++++++++
 2 files changed, 88 insertions(+)
 create mode 100644 ansible/roles/jail/files/setup_netgraph_homeserver

diff --git a/ansible/environments/home/host_vars/homeserver b/ansible/environments/home/host_vars/homeserver
index eb1c270..b34f9bc 100644
--- a/ansible/environments/home/host_vars/homeserver
+++ b/ansible/environments/home/host_vars/homeserver
@@ -10,6 +10,7 @@ pflog_conf:
 network_rc: "homeserver_network.conf"
 rc_conf: "homeserver_rc.conf"
 loader_conf: "homeserver_loader.conf"
+netgraph_config: "setup_netgraph_homeserver"
 cputype: "intel"
 cpu_opt: broadwell
 hwpstate: false
diff --git a/ansible/roles/jail/files/setup_netgraph_homeserver b/ansible/roles/jail/files/setup_netgraph_homeserver
new file mode 100644
index 0000000..1a0cef7
--- /dev/null
+++ b/ansible/roles/jail/files/setup_netgraph_homeserver
@@ -0,0 +1,87 @@
+#!/usr/local/bin/bash
+
+cleanup() {
+    ngctl shutdown host_link2:
+    ngctl shutdown host_uplink0:
+    ngctl shutdown host_bridge0:
+    ngctl shutdown wg_link2:
+    ngctl shutdown wg_uplink0:
+    ngctl shutdown wg_bridge0:
+    ngctl shutdown host_link3:
+    ngctl shutdown host_uplink1:
+    ngctl shutdown host_bridge1:
+}
+
+setup_netgraph_start() {
+    cleanup
+
+    # Create a bridge for jails that only speak wireguard
+    ngctl -d -f - <&2 echo "Unrecognized command"
+fi
From 26f09f811d0b008d1a8a6a96736d2c549235cd07 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Thu, 10 Nov 2022 19:24:11 -0500
Subject: [PATCH 3/3] Add pf config for jails to homeserver.

---
 ansible/roles/firewall/files/homeserver_pf.conf | 11 +++++++++++
 1 file changed, 11 insertions(+)
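Review bot: The final `else` branch (rendered here as `<&2 echo "Unrecognized command"` just before `fi`, presumably `>&2 echo ...`) reports the bad argument but does not terminate with a failure status, so an Ansible or rc(8) caller that passes a wrong command still sees exit 0; append the status, i.e. `>&2 echo "Unrecognized command"; exit 1`. The heredoc body between `ngctl -d -f -` and that echo is missing from this rendering, so only the surrounding structure is reviewed here. `cleanup` also issues nine unconditional `ngctl shutdown` calls that fail noisily whenever a node does not exist yet (the normal case on first start), which will bury real failures in the logs and will abort the script at the first missing node if anyone later adds `set -e`; either silence them (`ngctl shutdown host_link2: 2>/dev/null || true`) or document that the errors are expected with `# nodes may not exist yet; ngctl errors here are harmless`.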
diff --git a/ansible/roles/firewall/files/homeserver_pf.conf b/ansible/roles/firewall/files/homeserver_pf.conf
index fa5f23c..a188426 100644
--- a/ansible/roles/firewall/files/homeserver_pf.conf
+++ b/ansible/roles/firewall/files/homeserver_pf.conf
@@ -1,4 +1,6 @@
 ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
+jail_net_v4 = "10.193.223.0/24"
+full_nat_v4 = "10.213.177.0/24"
 dhcp = "{ bootpc, bootps }"
 # allow = "{ }"
@@ -12,6 +14,11 @@ udp_pass_in = "{ 53 51820 }"
 set skip on lo
 # redirections
+nat on $ext_if inet from $jail_net_v4 to { any, !$jail_net_v4 } tag ALLOWED -> (wlan0)
+nat on $ext_if inet from $full_nat_v4 to { any, !$full_nat_v4 } tag ALLOWED -> (wlan0)
+
+rdr on host_uplink0 inet proto {tcp, udp} from any to 10.193.223.1 port 53 tag ALLOWED -> 1.1.1.1 port 53
+rdr on host_uplink1 inet proto {tcp, udp} from any to 10.213.177.1 port 53 tag ALLOWED -> 1.1.1.1 port 53
 # filtering
 block log all
@@ -31,3 +38,7 @@ pass in on $ext_if proto tcp to any port $tcp_pass_in
 pass in on $ext_if proto udp to any port $udp_pass_in
 pass quick on $ext_if proto udp from any port $dhcp to any port $dhcp
+
+pass in on host_uplink0 proto udp from any to any port { 53 51820 }
+pass out on host_uplink0 proto tcp from any to any port 8081
+pass in on host_uplink1
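Review bot: The `to { any, !$jail_net_v4 }` target on the two new nat rules does not exclude anything: pf expands a list into one rule per member, and the first expansion, `to any`, already matches every packet, so the `!` member is dead (pf.conf(5) warns against negation inside lists for exactly this reason). If the exclusion is meant to stop host-routed traffic between `$jail_net_v4` and `$full_nat_v4` from being source-NATed to wlan0, write it as a single target: `nat on $ext_if inet from $jail_net_v4 to !$jail_net_v4 tag ALLOWED -> (wlan0)` and likewise `nat on $ext_if inet from $full_nat_v4 to !$full_nat_v4 tag ALLOWED -> (wlan0)`. Separately, `pass in on host_uplink1` on the last line admits every protocol from the full-NAT jails to any destination — including the host's own services and whatever sits behind the igb/ix members of `$ext_if` — whereas host_uplink0 is held to DNS, WireGuard and port 8081; if those jails only need internet egress, qualify it with the host and LAN networks (`pass in on host_uplink1 from $full_nat_v4 to !{ <host/LAN nets> }`) or at least add a comment stating that host_uplink1 jails are deliberately trusted. The rdr rules also send every jail's DNS in the clear to 1.1.1.1 over the wlan0 NAT, which is worth a one-line comment if that is an accepted trade-off.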