Add sftp jail.
This commit is contained in:
Tom Alexander
parent
0363a462a0
commit
566b7dfd0b
GPG Key ID:
D3A179C9A53C0EDE
|
|
@ -56,6 +56,7 @@ jail_list:
|
|||
- name: sftp
|
||||
conf:
|
||||
src: sftp
|
||||
fstab: sftp_fstab
|
||||
# - name: mumble
|
||||
# conf:
|
||||
# src: mumble
|
||||
|
|
|
|||
|
|
@ -0,0 +1,6 @@
|
|||
os_flavor: "freebsd"
|
||||
users:
|
||||
nochainstounlock:
|
||||
initialize: true
|
||||
uid: 11235
|
||||
gid: 11235
|
||||
|
|
@ -1,7 +1,8 @@
|
|||
[jail]
|
||||
nat_dhcp ansible_connection=jail
|
||||
homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@172.16.16.2 ansible_connection=sshjail
|
||||
homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@homeserver ansible_connection=sshjail
|
||||
mrmanager_nat_dhcp ansible_ssh_host=nat_dhcp@10.217.2.1 ansible_connection=sshjail
|
||||
nat_dhcp@172.16.16.2 ansible_connection=sshjail
|
||||
admin_git ansible_ssh_host=admin_git@10.217.2.1 ansible_connection=sshjail
|
||||
public_dns ansible_ssh_host=public_dns@10.217.2.1 ansible_connection=sshjail
|
||||
sftp ansible_ssh_host=sftp@homeserver ansible_connection=sshjail
|
||||
|
|
|
|||
|
|
@ -135,3 +135,11 @@
|
|||
ansible_become: True
|
||||
roles:
|
||||
- odowork
|
||||
|
||||
- hosts: sftp
|
||||
vars:
|
||||
ansible_become: True
|
||||
roles:
|
||||
- users
|
||||
- sftp
|
||||
|
||||
|
|
|
|||
|
|
@ -33,6 +33,10 @@ nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8081 ->
|
|||
rdr pass on $ext_if inet proto tcp from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082
|
||||
nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1
|
||||
|
||||
# -> sftp
|
||||
rdr pass on $ext_if inet proto tcp from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 22
|
||||
nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.216 port 22 -> 10.215.1.1
|
||||
|
||||
# Forward ports for unifi controller
|
||||
# rdr pass on $ext_if inet proto tcp from any to any port 65022 -> 10.213.177.8 port 22
|
||||
rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@ admin_git {
|
|||
|
||||
devfs_ruleset = 14;
|
||||
mount.devfs;
|
||||
mount.fstab = "/etc/fstab.${name}";
|
||||
|
||||
exec.start += "/bin/sh /etc/rc";
|
||||
exec.stop = "/bin/sh /etc/rc.shutdown jail";
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ cloak {
|
|||
|
||||
devfs_ruleset = 13;
|
||||
mount.devfs; # To expose tun device
|
||||
mount.fstab = "/etc/fstab.${name}";
|
||||
|
||||
exec.start += "/bin/sh /etc/rc";
|
||||
exec.stop = "/bin/sh /etc/rc.shutdown jail";
|
||||
|
|
|
|||
|
|
@ -6,6 +6,8 @@ dagger {
|
|||
exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24";
|
||||
exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop cloak ${name}";
|
||||
|
||||
mount.fstab = "/etc/fstab.${name}";
|
||||
|
||||
exec.start += "/bin/sh /etc/rc";
|
||||
exec.stop = "/bin/sh /etc/rc.shutdown jail";
|
||||
exec.consolelog = "/var/log/jail_${name}_console.log";
|
||||
|
|
|
|||
|
|
@ -3,6 +3,8 @@ cloak {
|
|||
vnet;
|
||||
vnet.interface += "host_link3";
|
||||
|
||||
mount.fstab = "/etc/fstab.${name}";
|
||||
|
||||
exec.start += "/bin/sh /etc/rc";
|
||||
exec.stop = "/bin/sh /etc/rc.shutdown jail";
|
||||
exec.consolelog = "/var/log/jail_${name}_console.log";
|
||||
|
|
|
|||
|
|
@ -7,8 +7,9 @@ nat_dhcp {
|
|||
|
||||
devfs_ruleset = 14;
|
||||
mount.devfs;
|
||||
mount.fstab = "/etc/fstab.${name}";
|
||||
|
||||
exec.start += "/bin/sh /etc/rc";
|
||||
exec.start += "/bin/sh -c 'mkdir /var/run/kea && exec /bin/sh /etc/rc'";
|
||||
exec.stop = "/bin/sh /etc/rc.shutdown jail";
|
||||
exec.consolelog = "/var/log/jail_${name}_console.log";
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,6 +6,8 @@ olddagger {
|
|||
exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24";
|
||||
exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop cloak ${name}";
|
||||
|
||||
mount.fstab = "/etc/fstab.${name}";
|
||||
|
||||
exec.start += "/bin/sh /etc/rc";
|
||||
exec.stop = "/bin/sh /etc/rc.shutdown jail";
|
||||
exec.consolelog = "/var/log/jail_${name}_console.log";
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@ public_dns {
|
|||
|
||||
devfs_ruleset = 14;
|
||||
mount.devfs;
|
||||
mount.fstab = "/etc/fstab.${name}";
|
||||
|
||||
exec.start += "/bin/sh /etc/rc";
|
||||
exec.stop = "/bin/sh /etc/rc.shutdown jail";
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@ sample {
|
|||
|
||||
devfs_ruleset = 14;
|
||||
mount.devfs;
|
||||
mount.fstab = "/etc/fstab.${name}";
|
||||
|
||||
exec.start += "/bin/sh /etc/rc";
|
||||
exec.stop = "/bin/sh /etc/rc.shutdown jail";
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@ sftp {
|
|||
|
||||
devfs_ruleset = 14;
|
||||
mount.devfs;
|
||||
mount.fstab = "/etc/fstab.${name}";
|
||||
|
||||
exec.start += "/bin/sh /etc/rc";
|
||||
exec.stop = "/bin/sh /etc/rc.shutdown jail";
|
||||
|
|
|
|||
|
|
@ -0,0 +1,10 @@
|
|||
tmpfs /jail/sftp/tmp tmpfs rw,mode=777 0 0
|
||||
tmpfs /jail/sftp/var/run tmpfs rw,mode=755 0 0
|
||||
|
||||
/data /jail/sftp/chroot/readonly/library nullfs ro,noexec 0 0
|
||||
/jail/dagger/incomplete /jail/sftp/chroot/readonly/incomplete nullfs ro,noexec 0 0
|
||||
/jail/dagger/downloads /jail/sftp/chroot/readonly/downloads nullfs ro,noexec 0 0
|
||||
|
||||
/data /jail/sftp/chroot/readwrite/library nullfs rw,noexec 0 0
|
||||
/jail/dagger/incomplete /jail/sftp/chroot/readwrite/incomplete nullfs rw,noexec 0 0
|
||||
/jail/dagger/downloads /jail/sftp/chroot/readwrite/downloads nullfs rw,noexec 0 0
|
||||
|
|
@ -42,13 +42,23 @@
|
|||
dest: /usr/local/bin/new_jail
|
||||
|
||||
- name: Install config files
|
||||
when: item.fstab is defined
|
||||
copy:
|
||||
src: "files/{{ item.fstab }}"
|
||||
src: 'files/{{ item.fstab }}'
|
||||
dest: '{{ item.fstab_dest|default("/etc/fstab." + item.name) }}'
|
||||
mode: 0644
|
||||
owner: root
|
||||
group: wheel
|
||||
loop: "{{ jail_list }}"
|
||||
|
||||
- name: Install config files
|
||||
when: item.fstab is not defined
|
||||
template:
|
||||
src: 'templates/fstab_default.j2'
|
||||
dest: '{{ item.fstab_dest|default("/etc/fstab." + item.name) }}'
|
||||
mode: 0644
|
||||
owner: root
|
||||
group: wheel
|
||||
when: item.fstab is defined
|
||||
loop: "{{ jail_list }}"
|
||||
|
||||
- name: Install persistent files
|
||||
|
|
|
|||
|
|
@ -0,0 +1,2 @@
|
|||
tmpfs /jail/{{ item.name }}/tmp tmpfs rw,mode=777 0 0
|
||||
tmpfs /jail/{{ item.name }}/var/run tmpfs rw,mode=755 0 0
|
||||
|
|
@ -49,7 +49,19 @@ EOF
|
|||
)
|
||||
IGNORE_OSVERSION=yes pkg --rootdir "$DESTDIR" --config <(cat <<<"$config") install --repository base --yes --glob 'FreeBSD-*'
|
||||
switch_to_latest_packages
|
||||
cat > "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$config"
|
||||
local in_jail_config
|
||||
in_jail_config=$(cat <<EOF
|
||||
base: {
|
||||
url: "pkg+https://pkg.freebsd.org/\${ABI}/base_release_1",
|
||||
mirror_type: "srv",
|
||||
signature_type: "fingerprints",
|
||||
fingerprints: "/usr/share/keys/pkg",
|
||||
enabled: yes,
|
||||
priority: 100
|
||||
}
|
||||
EOF
|
||||
)
|
||||
cat > "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$in_jail_config"
|
||||
# Post-install remove extra packages
|
||||
# pkg remove --glob 'FreeBSD-*-lib32*' 'FreeBSD-*-dbg*' FreeBSD-src
|
||||
}
|
||||
|
|
|
|||
|
|
@ -78,6 +78,11 @@
|
|||
// brianai
|
||||
"hw-address": "06:a6:dc:59:78:12",
|
||||
"ip-address": "10.215.1.215"
|
||||
},
|
||||
{
|
||||
// sftp
|
||||
"hw-address": "58:9c:fc:10:ff:ab",
|
||||
"ip-address": "10.215.1.216"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
|
||||
# Only allow sftp users
|
||||
AllowUsers nochainstounlock
|
||||
ChrootDirectory /chroot
|
||||
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
|
||||
# Example of overriding settings on a per-user basis
|
||||
Match User nochainstounlock
|
||||
X11Forwarding no
|
||||
AllowTcpForwarding no
|
||||
PermitTTY no
|
||||
ForceCommand internal-sftp
|
||||
|
|
@ -0,0 +1 @@
|
|||
sshd_enable="YES"
|
||||
|
|
@ -0,0 +1,71 @@
|
|||
- name: Create directories
|
||||
file:
|
||||
name: "{{ item }}"
|
||||
state: directory
|
||||
mode: 0755
|
||||
owner: root
|
||||
group: wheel
|
||||
loop:
|
||||
- /chroot
|
||||
- /chroot/readonly
|
||||
- /chroot/readwrite
|
||||
|
||||
- name: Create directories
|
||||
file:
|
||||
name: "{{ item }}"
|
||||
state: directory
|
||||
mode: 0755
|
||||
owner: nochainstounlock
|
||||
group: nochainstounlock
|
||||
loop:
|
||||
- /chroot/readonly/downloads
|
||||
- /chroot/readonly/incomplete
|
||||
- /chroot/readwrite/downloads
|
||||
- /chroot/readwrite/incomplete
|
||||
|
||||
- name: Create directories
|
||||
file:
|
||||
name: "{{ item }}"
|
||||
state: directory
|
||||
mode: 0755
|
||||
owner: 11235
|
||||
group: nochainstounlock
|
||||
loop:
|
||||
- /chroot/readonly/library
|
||||
- /chroot/readwrite/library
|
||||
|
||||
# - name: Install scripts
|
||||
# copy:
|
||||
# src: "files/{{ item.src }}"
|
||||
# dest: "{{ item.dest }}"
|
||||
# mode: 0755
|
||||
# owner: root
|
||||
# group: wheel
|
||||
# loop:
|
||||
# - src: foo.bash
|
||||
# dest: /usr/local/bin/foo
|
||||
|
||||
- name: Install Configuration
|
||||
copy:
|
||||
src: "files/{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: 0644
|
||||
owner: root
|
||||
group: wheel
|
||||
loop:
|
||||
- src: sshd_config
|
||||
dest: /etc/ssh/sshd_config
|
||||
|
||||
# - name: Clone Source
|
||||
# git:
|
||||
# repo: "https://foo.bar/baz.git"
|
||||
# dest: /foo/bar
|
||||
# version: "v1.0.2"
|
||||
# force: true
|
||||
# diff: false
|
||||
|
||||
- import_tasks: tasks/freebsd.yaml
|
||||
when: 'os_flavor == "freebsd"'
|
||||
|
||||
- import_tasks: tasks/linux.yaml
|
||||
when: 'os_flavor == "linux"'
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
- name: Create directories
|
||||
file:
|
||||
name: "{{ item }}"
|
||||
state: directory
|
||||
mode: 0755
|
||||
owner: root
|
||||
group: wheel
|
||||
loop:
|
||||
- /etc/rc.conf.d
|
||||
|
||||
- name: Install service configuration
|
||||
copy:
|
||||
src: "files/{{ item }}_rc.conf"
|
||||
dest: "/etc/rc.conf.d/{{ item }}"
|
||||
mode: 0644
|
||||
owner: root
|
||||
group: wheel
|
||||
loop:
|
||||
- sshd
|
||||
|
|
@ -0,0 +1,29 @@
|
|||
# - name: Build aur packages
|
||||
# register: buildaur
|
||||
# become_user: "{{ build_user.name }}"
|
||||
# command: "aurutils-sync --no-view {{ item }}"
|
||||
# args:
|
||||
# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
|
||||
# loop:
|
||||
# - foo
|
||||
|
||||
# - name: Update cache
|
||||
# when: buildaur.changed
|
||||
# pacman:
|
||||
# name: []
|
||||
# state: present
|
||||
# update_cache: true
|
||||
|
||||
# - name: Install packages
|
||||
# package:
|
||||
# name:
|
||||
# - foo
|
||||
# state: present
|
||||
|
||||
# - name: Enable services
|
||||
# systemd:
|
||||
# enabled: yes
|
||||
# name: "{{ item }}"
|
||||
# daemon_reload: yes
|
||||
# loop:
|
||||
# - foo.service
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
- import_tasks: tasks/common.yaml
|
||||
# when: foo is defined
|
||||
|
|
@ -1,2 +1,3 @@
|
|||
dependencies:
|
||||
- sudo
|
||||
# dependencies:
|
||||
# - sudo
|
||||
# TODO: When any user is in wheel group
|
||||
|
|
|
|||
|
|
@ -28,6 +28,8 @@ elif [ "$target" = "jail_nat_dhcp" ]; then
|
|||
ansible-playbook -v -i environments/jail playbook.yaml --diff --limit nat_dhcp "${@}"
|
||||
elif [ "$target" = "jail_homeserver_nat_dhcp" ]; then
|
||||
ansible-playbook -v -i environments/jail playbook.yaml --diff --limit homeserver_nat_dhcp "${@}"
|
||||
elif [ "$target" = "sftp" ]; then
|
||||
ansible-playbook -v -i environments/jail playbook.yaml --diff --limit sftp "${@}"
|
||||
elif [ "$target" = "vm_poudriereodo" ]; then
|
||||
ansible-playbook -v -i environments/vm playbook.yaml --diff --limit poudriereodo "${@}"
|
||||
elif [ "$target" = "vm_poudrieremrmanager" ]; then
|
||||
|
|
|
|||
Loading…
Reference in New Issue