Add sftp jail.

ansible/environments/home/host_vars/homeserver

@@ -56,6 +56,7 @@ jail_list:
   - name: sftp
     conf:
       src: sftp
+    fstab: sftp_fstab
   # - name: mumble
   #   conf:
   #     src: mumble

ansible/environments/jail/host_vars/sftp

@@ -0,0 +1,6 @@
+os_flavor: "freebsd"
+users:
+  nochainstounlock:
+    initialize: true
+    uid: 11235
+    gid: 11235

ansible/environments/jail/hosts

@@ -1,7 +1,8 @@
 [jail]
 nat_dhcp ansible_connection=jail
-homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@172.16.16.2 ansible_connection=sshjail
+homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@homeserver ansible_connection=sshjail
 mrmanager_nat_dhcp ansible_ssh_host=nat_dhcp@10.217.2.1 ansible_connection=sshjail
 nat_dhcp@172.16.16.2 ansible_connection=sshjail
 admin_git ansible_ssh_host=admin_git@10.217.2.1 ansible_connection=sshjail
 public_dns ansible_ssh_host=public_dns@10.217.2.1 ansible_connection=sshjail
+sftp ansible_ssh_host=sftp@homeserver ansible_connection=sshjail

ansible/playbook.yaml

@@ -135,3 +135,11 @@
     ansible_become: True
   roles:
     - odowork
+
+- hosts: sftp
+  vars:
+    ansible_become: True
+  roles:
+    - users
+    - sftp
+

ansible/roles/firewall/files/homeserver_pf.conf

@@ -33,6 +33,10 @@ nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8081 ->
 rdr pass on $ext_if inet proto tcp from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082
 nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1
 
+# -> sftp
+rdr pass on $ext_if inet proto tcp from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 22
+nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.216 port 22 -> 10.215.1.1
+
 # Forward ports for unifi controller
 # rdr pass on $ext_if inet proto tcp from any to any port 65022 -> 10.213.177.8 port 22
 rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202

ansible/roles/jail/files/jails/admin_git.conf

@@ -7,6 +7,7 @@ admin_git {
 
     devfs_ruleset = 14;
     mount.devfs;
+    mount.fstab = "/etc/fstab.${name}";
 
     exec.start += "/bin/sh /etc/rc";
     exec.stop = "/bin/sh /etc/rc.shutdown jail";

ansible/roles/jail/files/jails/cloak.conf

@@ -11,6 +11,7 @@ cloak {
 
     devfs_ruleset = 13;
     mount.devfs; # To expose tun device
+    mount.fstab = "/etc/fstab.${name}";
 
     exec.start += "/bin/sh /etc/rc";
     exec.stop = "/bin/sh /etc/rc.shutdown jail";

ansible/roles/jail/files/jails/dagger.conf

@@ -6,6 +6,8 @@ dagger {
     exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24";
     exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop cloak ${name}";
 
+    mount.fstab = "/etc/fstab.${name}";
+
     exec.start += "/bin/sh /etc/rc";
     exec.stop = "/bin/sh /etc/rc.shutdown jail";
     exec.consolelog = "/var/log/jail_${name}_console.log";

ansible/roles/jail/files/jails/mumble.conf

@@ -3,6 +3,8 @@ cloak {
     vnet;
     vnet.interface += "host_link3";
 
+    mount.fstab = "/etc/fstab.${name}";
+
     exec.start += "/bin/sh /etc/rc";
     exec.stop = "/bin/sh /etc/rc.shutdown jail";
     exec.consolelog = "/var/log/jail_${name}_console.log";

ansible/roles/jail/files/jails/nat_dhcp.conf

@@ -7,8 +7,9 @@ nat_dhcp {
 
     devfs_ruleset = 14;
     mount.devfs;
+    mount.fstab = "/etc/fstab.${name}";
 
-    exec.start += "/bin/sh /etc/rc";
+    exec.start += "/bin/sh -c 'mkdir /var/run/kea && exec /bin/sh /etc/rc'";
     exec.stop = "/bin/sh /etc/rc.shutdown jail";
     exec.consolelog = "/var/log/jail_${name}_console.log";
 }

ansible/roles/jail/files/jails/olddagger.conf

@@ -6,6 +6,8 @@ olddagger {
     exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24";
     exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop cloak ${name}";
 
+    mount.fstab = "/etc/fstab.${name}";
+
     exec.start += "/bin/sh /etc/rc";
     exec.stop = "/bin/sh /etc/rc.shutdown jail";
     exec.consolelog = "/var/log/jail_${name}_console.log";

ansible/roles/jail/files/jails/public_dns.conf

@@ -7,6 +7,7 @@ public_dns {
 
     devfs_ruleset = 14;
     mount.devfs;
+    mount.fstab = "/etc/fstab.${name}";
 
     exec.start += "/bin/sh /etc/rc";
     exec.stop = "/bin/sh /etc/rc.shutdown jail";

ansible/roles/jail/files/jails/sample.conf

@@ -7,6 +7,7 @@ sample {
 
     devfs_ruleset = 14;
     mount.devfs;
+    mount.fstab = "/etc/fstab.${name}";
 
     exec.start += "/bin/sh /etc/rc";
     exec.stop = "/bin/sh /etc/rc.shutdown jail";

ansible/roles/jail/files/jails/sftp.conf

@@ -7,6 +7,7 @@ sftp {
 
     devfs_ruleset = 14;
     mount.devfs;
+    mount.fstab = "/etc/fstab.${name}";
 
     exec.start += "/bin/sh /etc/rc";
     exec.stop = "/bin/sh /etc/rc.shutdown jail";

ansible/roles/jail/files/sftp_fstab

@@ -0,0 +1,10 @@
+tmpfs /jail/sftp/tmp tmpfs rw,mode=777 0 0
+tmpfs /jail/sftp/var/run tmpfs rw,mode=755 0 0
+
+/data       /jail/sftp/chroot/readonly/library     nullfs    ro,noexec     0      0
+/jail/dagger/incomplete       /jail/sftp/chroot/readonly/incomplete     nullfs    ro,noexec     0      0
+/jail/dagger/downloads       /jail/sftp/chroot/readonly/downloads     nullfs    ro,noexec     0      0
+
+/data       /jail/sftp/chroot/readwrite/library     nullfs    rw,noexec     0      0
+/jail/dagger/incomplete       /jail/sftp/chroot/readwrite/incomplete     nullfs    rw,noexec     0      0
+/jail/dagger/downloads       /jail/sftp/chroot/readwrite/downloads     nullfs    rw,noexec     0      0

ansible/roles/jail/tasks/freebsd.yaml

@@ -42,13 +42,23 @@
       dest: /usr/local/bin/new_jail
 
 - name: Install config files
+  when: item.fstab is defined
   copy:
-    src: "files/{{ item.fstab }}"
+    src: 'files/{{ item.fstab }}'
+    dest: '{{ item.fstab_dest|default("/etc/fstab." + item.name) }}'
+    mode: 0644
+    owner: root
+    group: wheel
+  loop: "{{ jail_list }}"
+
+- name: Install config files
+  when: item.fstab is not defined
+  template:
+    src: 'templates/fstab_default.j2'
     dest: '{{ item.fstab_dest|default("/etc/fstab." + item.name) }}'
     mode: 0644
     owner: root
     group: wheel
-  when: item.fstab is defined
   loop: "{{ jail_list }}"
 
 - name: Install persistent files

ansible/roles/jail/templates/fstab_default.j2

@@ -0,0 +1,2 @@
+tmpfs /jail/{{ item.name }}/tmp tmpfs rw,mode=777 0 0
+tmpfs /jail/{{ item.name }}/var/run tmpfs rw,mode=755 0 0

ansible/roles/jail/templates/new_jail.bash.j2

@@ -49,7 +49,19 @@ EOF
              )
     IGNORE_OSVERSION=yes pkg --rootdir "$DESTDIR" --config <(cat <<<"$config") install --repository base --yes --glob 'FreeBSD-*'
     switch_to_latest_packages
-    cat > "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$config"
+    local in_jail_config
+    in_jail_config=$(cat <<EOF
+base: {
+    url: "pkg+https://pkg.freebsd.org/\${ABI}/base_release_1",
+    mirror_type: "srv",
+    signature_type: "fingerprints",
+    fingerprints: "/usr/share/keys/pkg",
+    enabled: yes,
+    priority: 100
+}
+EOF
+             )
+    cat > "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$in_jail_config"
     # Post-install remove extra packages
     # pkg remove --glob 'FreeBSD-*-lib32*' 'FreeBSD-*-dbg*' FreeBSD-src
 }

ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf

@@ -78,6 +78,11 @@
                         // brianai
                         "hw-address": "06:a6:dc:59:78:12",
                         "ip-address": "10.215.1.215"
+                    },
+                    {
+                        // sftp
+                        "hw-address": "58:9c:fc:10:ff:ab",
+                        "ip-address": "10.215.1.216"
                     }
                 ]
             }

ansible/roles/sftp/files/sshd_config

@@ -0,0 +1,17 @@
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+# Only allow sftp users
+AllowUsers nochainstounlock
+ChrootDirectory /chroot
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+Match User nochainstounlock
+	X11Forwarding no
+	AllowTcpForwarding no
+	PermitTTY no
+        ForceCommand internal-sftp

ansible/roles/sftp/files/sshd_rc.conf

@@ -0,0 +1 @@
+sshd_enable="YES"

ansible/roles/sftp/tasks/common.yaml

@@ -0,0 +1,71 @@
+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - /chroot
+    - /chroot/readonly
+    - /chroot/readwrite
+
+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: nochainstounlock
+    group: nochainstounlock
+  loop:
+    - /chroot/readonly/downloads
+    - /chroot/readonly/incomplete
+    - /chroot/readwrite/downloads
+    - /chroot/readwrite/incomplete
+
+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: 11235
+    group: nochainstounlock
+  loop:
+    - /chroot/readonly/library
+    - /chroot/readwrite/library
+
+# - name: Install scripts
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     mode: 0755
+#     owner: root
+#     group: wheel
+#   loop:
+#     - src: foo.bash
+#       dest: /usr/local/bin/foo
+
+- name: Install Configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - src: sshd_config
+      dest: /etc/ssh/sshd_config
+
+# - name: Clone Source
+#   git:
+#     repo: "https://foo.bar/baz.git"
+#     dest: /foo/bar
+#     version: "v1.0.2"
+#     force: true
+#   diff: false
+
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'

ansible/roles/sftp/tasks/freebsd.yaml

@@ -0,0 +1,19 @@
+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - /etc/rc.conf.d
+
+- name: Install service configuration
+  copy:
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - sshd

ansible/roles/sftp/tasks/linux.yaml

@@ -0,0 +1,29 @@
+# - name: Build aur packages
+#   register: buildaur
+#   become_user: "{{ build_user.name }}"
+#   command: "aurutils-sync --no-view {{ item }}"
+#   args:
+#     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+#   loop:
+#     - foo
+
+# - name: Update cache
+#   when: buildaur.changed
+#   pacman:
+#     name: []
+#     state: present
+#     update_cache: true
+
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present
+
+# - name: Enable services
+#   systemd:
+#     enabled: yes
+#     name: "{{ item }}"
+#     daemon_reload: yes
+#   loop:
+#     - foo.service

ansible/roles/sftp/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  # when: foo is defined

ansible/roles/users/meta/main.yaml

@@ -1,2 +1,3 @@
-dependencies:
-  - sudo
+# dependencies:
+#   - sudo
+# TODO: When any user is in wheel group

ansible/run.bash

@@ -28,6 +28,8 @@ elif [ "$target" = "jail_nat_dhcp" ]; then
     ansible-playbook -v -i environments/jail playbook.yaml --diff --limit nat_dhcp "${@}"
 elif [ "$target" = "jail_homeserver_nat_dhcp" ]; then
     ansible-playbook -v -i environments/jail playbook.yaml --diff --limit homeserver_nat_dhcp "${@}"
+elif [ "$target" = "sftp" ]; then
+    ansible-playbook -v -i environments/jail playbook.yaml --diff --limit sftp "${@}"
 elif [ "$target" = "vm_poudriereodo" ]; then
     ansible-playbook -v -i environments/vm playbook.yaml --diff --limit poudriereodo "${@}"
 elif [ "$target" = "vm_poudrieremrmanager" ]; then