From 566b7dfd0bf640ca6edbbf29f1d691e79b2d6755 Mon Sep 17 00:00:00 2001 
From: Tom Alexander
Date: Sun, 30 Jun 2024 23:02:23 -0400
Subject: [PATCH] Add sftp jail.

---
 .../environments/home/host_vars/homeserver | 1 +
 ansible/environments/jail/host_vars/sftp | 6 ++
 ansible/environments/jail/hosts | 3 +-
 ansible/playbook.yaml | 8 +++
 .../roles/firewall/files/homeserver_pf.conf | 4 ++
 ansible/roles/jail/files/jails/admin_git.conf | 1 +
 ansible/roles/jail/files/jails/cloak.conf | 1 +
 ansible/roles/jail/files/jails/dagger.conf | 2 +
 ansible/roles/jail/files/jails/mumble.conf | 2 +
 ansible/roles/jail/files/jails/nat_dhcp.conf | 3 +-
 ansible/roles/jail/files/jails/olddagger.conf | 2 +
 .../roles/jail/files/jails/public_dns.conf | 1 +
 ansible/roles/jail/files/jails/sample.conf | 1 +
 ansible/roles/jail/files/jails/sftp.conf | 1 +
 ansible/roles/jail/files/sftp_fstab | 10 +++
 ansible/roles/jail/tasks/freebsd.yaml | 14 +++-
 ansible/roles/jail/templates/fstab_default.j2 | 2 +
 ansible/roles/jail/templates/new_jail.bash.j2 | 14 +++-
 .../roles/jail_nat_dhcp/files/kea-dhcp4.conf | 5 ++
 ansible/roles/sftp/files/sshd_config | 17 +++++
 ansible/roles/sftp/files/sshd_rc.conf | 1 +
 ansible/roles/sftp/tasks/common.yaml | 71 +++++++++++++++++++
 ansible/roles/sftp/tasks/freebsd.yaml | 19 +++++
 ansible/roles/sftp/tasks/linux.yaml | 29 ++++++++
 ansible/roles/sftp/tasks/main.yaml | 2 +
 ansible/roles/users/meta/main.yaml | 5 +-
 ansible/run.bash | 2 +
 27 files changed, 220 insertions(+), 7 deletions(-)
 create mode 100644 ansible/environments/jail/host_vars/sftp
 create mode 100644 ansible/roles/jail/files/sftp_fstab
 create mode 100644 ansible/roles/jail/templates/fstab_default.j2
 create mode 100644 ansible/roles/sftp/files/sshd_config
 create mode 100644 ansible/roles/sftp/files/sshd_rc.conf
 create mode 100644 ansible/roles/sftp/tasks/common.yaml
 create mode 100644 ansible/roles/sftp/tasks/freebsd.yaml
 create mode 100644 ansible/roles/sftp/tasks/linux.yaml
 create mode 100644 ansible/roles/sftp/tasks/main.yaml
diff --git a/ansible/environments/home/host_vars/homeserver b/ansible/environments/home/host_vars/homeserver index 3c9aa1a..ad60530 100644 --- a/ansible/environments/home/host_vars/homeserver +++ b/ansible/environments/home/host_vars/homeserver @@ -56,6 +56,7 @@ jail_list: - name: sftp conf: src: sftp + fstab: sftp_fstab # - name: mumble # conf: # src: mumble diff --git a/ansible/environments/jail/host_vars/sftp b/ansible/environments/jail/host_vars/sftp new file mode 100644 index 0000000..0dd10ce --- /dev/null +++ b/ansible/environments/jail/host_vars/sftp @@ -0,0 +1,6 @@ +os_flavor: "freebsd" +users: + nochainstounlock: + initialize: true + uid: 11235 + gid: 11235 diff --git a/ansible/environments/jail/hosts b/ansible/environments/jail/hosts index 8b6ac08..0a9b89d 100644 --- a/ansible/environments/jail/hosts +++ b/ansible/environments/jail/hosts @@ -1,7 +1,8 @@ [jail] nat_dhcp ansible_connection=jail -homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@172.16.16.2 ansible_connection=sshjail +homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@homeserver ansible_connection=sshjail mrmanager_nat_dhcp ansible_ssh_host=nat_dhcp@10.217.2.1 ansible_connection=sshjail nat_dhcp@172.16.16.2 ansible_connection=sshjail admin_git ansible_ssh_host=admin_git@10.217.2.1 ansible_connection=sshjail public_dns ansible_ssh_host=public_dns@10.217.2.1 ansible_connection=sshjail +sftp ansible_ssh_host=sftp@homeserver ansible_connection=sshjail diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml index 3d16a21..2f78e2e 100644 --- a/ansible/playbook.yaml +++ b/ansible/playbook.yaml @@ -135,3 +135,11 @@ ansible_become: True roles: - odowork + +- hosts: sftp + vars: + ansible_become: True + roles: + - users + - sftp + diff --git a/ansible/roles/firewall/files/homeserver_pf.conf b/ansible/roles/firewall/files/homeserver_pf.conf index f7fe566..4d33944 100644 --- a/ansible/roles/firewall/files/homeserver_pf.conf +++ b/ansible/roles/firewall/files/homeserver_pf.conf 
@@ -33,6 +33,10 @@ nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8081 -> rdr pass on $ext_if inet proto tcp from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082 nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1 +# -> sftp +rdr pass on $ext_if inet proto tcp from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 22 +nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.216 port 22 -> 10.215.1.1 + # Forward ports for unifi controller # rdr pass on $ext_if inet proto tcp from any to any port 65022 -> 10.213.177.8 port 22 rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202 diff --git a/ansible/roles/jail/files/jails/admin_git.conf b/ansible/roles/jail/files/jails/admin_git.conf index c07bebc..1ac6c7a 100644 --- a/ansible/roles/jail/files/jails/admin_git.conf +++ b/ansible/roles/jail/files/jails/admin_git.conf @@ -7,6 +7,7 @@ admin_git { devfs_ruleset = 14; mount.devfs; + mount.fstab = "/etc/fstab.${name}"; exec.start += "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown jail"; diff --git a/ansible/roles/jail/files/jails/cloak.conf b/ansible/roles/jail/files/jails/cloak.conf index 55cd45f..4722955 100644 --- a/ansible/roles/jail/files/jails/cloak.conf +++ b/ansible/roles/jail/files/jails/cloak.conf @@ -11,6 +11,7 @@ cloak { devfs_ruleset = 13; mount.devfs; # To expose tun device + mount.fstab = "/etc/fstab.${name}"; exec.start += "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown jail"; diff --git a/ansible/roles/jail/files/jails/dagger.conf b/ansible/roles/jail/files/jails/dagger.conf index d41fd04..efbdd04 100644 --- a/ansible/roles/jail/files/jails/dagger.conf +++ b/ansible/roles/jail/files/jails/dagger.conf 
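Review bot: The new `nat pass on jail_nat` line for sftp matches `proto {tcp, udp}` to port 22 while the `rdr` line above it redirects tcp only, so nothing that arrives through the 8022 forward ever reaches it over udp; `nat pass on jail_nat proto tcp from any to 10.215.1.216 port 22 -> 10.215.1.1` states what is actually forwarded (the neighbouring 8081/8082 rules have the same mismatch, so this looks inherited rather than new). The rule exposes the jail's sshd to every source matching `$not_jail_nat_v4`, whose definition is outside the hunk, so that macro is the real access control here and is worth re-reading alongside this change. The address 10.215.1.216 is also pinned by the kea-dhcp4.conf reservation in this commit with nothing linking the two; a comment on the `# -> sftp` line such as `# 10.215.1.216 is the kea reservation for the sftp jail; keep both in sync` would help the next edit.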
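Review bot: `mount.fstab = "/etc/fstab.${name}";` makes jail startup depend on that file existing, and jail(8) fails the jail when its fstab is missing; the same line is added to cloak, dagger, mumble, nat_dhcp, olddagger, public_dns, sample and sftp in this commit. The roles/jail/tasks/freebsd.yaml task that writes the default fstab only loops over `jail_list`, so any conf under files/jails that a host does not list (sample.conf looks like a candidate) gains a hard requirement with nothing generating the file. Either leave the line out of confs that are not deployed from `jail_list`, or mark the dependency above it with `# requires /etc/fstab.<name>, generated by roles/jail/tasks/freebsd.yaml`.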
@@ -6,6 +6,8 @@ dagger { exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24"; exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop cloak ${name}"; + mount.fstab = "/etc/fstab.${name}"; + exec.start += "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown jail"; exec.consolelog = "/var/log/jail_${name}_console.log"; diff --git a/ansible/roles/jail/files/jails/mumble.conf b/ansible/roles/jail/files/jails/mumble.conf index 50f27b0..ca01fcc 100644 --- a/ansible/roles/jail/files/jails/mumble.conf +++ b/ansible/roles/jail/files/jails/mumble.conf @@ -3,6 +3,8 @@ cloak { vnet; vnet.interface += "host_link3"; + mount.fstab = "/etc/fstab.${name}"; + exec.start += "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown jail"; exec.consolelog = "/var/log/jail_${name}_console.log"; diff --git a/ansible/roles/jail/files/jails/nat_dhcp.conf b/ansible/roles/jail/files/jails/nat_dhcp.conf index 4d268ae..c3da613 100644 --- a/ansible/roles/jail/files/jails/nat_dhcp.conf +++ b/ansible/roles/jail/files/jails/nat_dhcp.conf @@ -7,8 +7,9 @@ nat_dhcp { devfs_ruleset = 14; mount.devfs; + mount.fstab = "/etc/fstab.${name}"; - exec.start += "/bin/sh /etc/rc"; + exec.start += "/bin/sh -c 'mkdir /var/run/kea && exec /bin/sh /etc/rc'"; exec.stop = "/bin/sh /etc/rc.shutdown jail"; exec.consolelog = "/var/log/jail_${name}_console.log"; } diff --git a/ansible/roles/jail/files/jails/olddagger.conf b/ansible/roles/jail/files/jails/olddagger.conf index 9c35ea7..79fc3d4 100644 --- a/ansible/roles/jail/files/jails/olddagger.conf +++ b/ansible/roles/jail/files/jails/olddagger.conf @@ -6,6 +6,8 @@ olddagger { exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24"; exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop cloak ${name}"; + mount.fstab = "/etc/fstab.${name}"; + exec.start += "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown jail"; exec.consolelog = "/var/log/jail_${name}_console.log"; 
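Review bot: The hunk header for mumble.conf shows the enclosing definition as `cloak {`, which suggests this file declares a jail named cloak rather than mumble, presumably a copy-paste leftover that predates this commit; with `mount.fstab` now expanding `${name}`, that jail would look for `/etc/fstab.cloak`, not `/etc/fstab.mumble`. The jail name is worth confirming before relying on the fstab path. The definition starts outside the hunk.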
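Review bot: In nat_dhcp.conf, `mkdir /var/run/kea` without `-p` fails when the directory already exists, and because it is joined with `&&` the `exec /bin/sh /etc/rc` is skipped, so the jail would come up with no rc processing at all. The new default fstab mounts tmpfs on var/run, so the directory is normally gone at each start, but any path where that mount is absent (fstab not installed, jail restarted without the unmount) turns into an aborted startup. `exec.start += "/bin/sh -c 'mkdir -p /var/run/kea && exec /bin/sh /etc/rc'";` is the safe form; if kea runs as a dedicated user, the directory's owner needs setting here as well, which the page does not show.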
diff --git a/ansible/roles/jail/files/jails/public_dns.conf b/ansible/roles/jail/files/jails/public_dns.conf index cf35753..358c5d7 100644 --- a/ansible/roles/jail/files/jails/public_dns.conf +++ b/ansible/roles/jail/files/jails/public_dns.conf @@ -7,6 +7,7 @@ public_dns { devfs_ruleset = 14; mount.devfs; + mount.fstab = "/etc/fstab.${name}"; exec.start += "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown jail"; diff --git a/ansible/roles/jail/files/jails/sample.conf b/ansible/roles/jail/files/jails/sample.conf index 2445065..8c61ca4 100644 --- a/ansible/roles/jail/files/jails/sample.conf +++ b/ansible/roles/jail/files/jails/sample.conf @@ -7,6 +7,7 @@ sample { devfs_ruleset = 14; mount.devfs; + mount.fstab = "/etc/fstab.${name}"; exec.start += "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown jail"; diff --git a/ansible/roles/jail/files/jails/sftp.conf b/ansible/roles/jail/files/jails/sftp.conf index af76611..88d2d62 100644 --- a/ansible/roles/jail/files/jails/sftp.conf +++ b/ansible/roles/jail/files/jails/sftp.conf @@ -7,6 +7,7 @@ sftp { devfs_ruleset = 14; mount.devfs; + mount.fstab = "/etc/fstab.${name}"; exec.start += "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown jail"; diff --git a/ansible/roles/jail/files/sftp_fstab b/ansible/roles/jail/files/sftp_fstab new file mode 100644 index 0000000..efd151f --- /dev/null +++ b/ansible/roles/jail/files/sftp_fstab @@ -0,0 +1,10 @@ +tmpfs /jail/sftp/tmp tmpfs rw,mode=777 0 0 +tmpfs /jail/sftp/var/run tmpfs rw,mode=755 0 0 + +/data /jail/sftp/chroot/readonly/library nullfs ro,noexec 0 0 +/jail/dagger/incomplete /jail/sftp/chroot/readonly/incomplete nullfs ro,noexec 0 0 +/jail/dagger/downloads /jail/sftp/chroot/readonly/downloads nullfs ro,noexec 0 0 + +/data /jail/sftp/chroot/readwrite/library nullfs rw,noexec 0 0 +/jail/dagger/incomplete /jail/sftp/chroot/readwrite/incomplete nullfs rw,noexec 0 0 +/jail/dagger/downloads /jail/sftp/chroot/readwrite/downloads nullfs rw,noexec 0 0 
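Review bot: The tmpfs on `/jail/sftp/tmp` is mounted `mode=777` without the sticky bit, so any user in the jail can delete or rename other users' files in /tmp; `tmpfs /jail/sftp/tmp tmpfs rw,mode=1777 0 0` is the conventional setting, and fstab_default.j2 in this commit carries the same `mode=777` line. The three `readwrite` nullfs mounts give the jail write access to /data and to the dagger jail's incomplete/downloads directories; `noexec` is set but `nosuid` is not, and `rw,noexec,nosuid` costs nothing for a file-transfer area. A comment in the file stating which side (readonly vs readwrite) the sftp account is meant to reach would also help, since the sshd chroot exposes both trees.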
diff --git a/ansible/roles/jail/tasks/freebsd.yaml b/ansible/roles/jail/tasks/freebsd.yaml index e5e1357..9c5d09e 100644 --- a/ansible/roles/jail/tasks/freebsd.yaml +++ b/ansible/roles/jail/tasks/freebsd.yaml @@ -42,13 +42,23 @@ dest: /usr/local/bin/new_jail - name: Install config files + when: item.fstab is defined copy: - src: "files/{{ item.fstab }}" + src: 'files/{{ item.fstab }}' + dest: '{{ item.fstab_dest|default("/etc/fstab." + item.name) }}' + mode: 0644 + owner: root + group: wheel + loop: "{{ jail_list }}" + +- name: Install config files + when: item.fstab is not defined + template: + src: 'templates/fstab_default.j2' dest: '{{ item.fstab_dest|default("/etc/fstab." + item.name) }}' mode: 0644 owner: root group: wheel - when: item.fstab is defined loop: "{{ jail_list }}" - name: Install persistent files diff --git a/ansible/roles/jail/templates/fstab_default.j2 b/ansible/roles/jail/templates/fstab_default.j2 new file mode 100644 index 0000000..64c6597 --- /dev/null +++ b/ansible/roles/jail/templates/fstab_default.j2 @@ -0,0 +1,2 @@ +tmpfs /jail/{{ item.name }}/tmp tmpfs rw,mode=777 0 0 +tmpfs /jail/{{ item.name }}/var/run tmpfs rw,mode=755 0 0 diff --git a/ansible/roles/jail/templates/new_jail.bash.j2 b/ansible/roles/jail/templates/new_jail.bash.j2 index 545e10e..54e0e75 100644 --- a/ansible/roles/jail/templates/new_jail.bash.j2 +++ b/ansible/roles/jail/templates/new_jail.bash.j2 @@ -49,7 +49,19 @@ EOF ) IGNORE_OSVERSION=yes pkg --rootdir "$DESTDIR" --config <(cat <<<"$config") install --repository base --yes --glob 'FreeBSD-*' switch_to_latest_packages - cat > "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$config" + local in_jail_config + in_jail_config=$(cat < "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$in_jail_config" # Post-install remove extra packages # pkg remove --glob 'FreeBSD-*-lib32*' 'FreeBSD-*-dbg*' FreeBSD-src } 
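Review bot: Both tasks in the roles/jail/tasks/freebsd.yaml hunk are named `Install config files`, so play output cannot tell the per-jail fstab copy apart from the templated default; `- name: Install jail fstab` for the copy and `- name: Install default fstab` for the template would make a failure attributable. The split on `when: item.fstab is defined` / `is not defined` is otherwise clean. The `Install persistent files` task that follows is outside the hunk.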
diff --git a/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf b/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf index f02f4b3..5f09f16 100644 --- a/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf +++ b/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf @@ -78,6 +78,11 @@ // brianai "hw-address": "06:a6:dc:59:78:12", "ip-address": "10.215.1.215" + }, + { + // sftp + "hw-address": "58:9c:fc:10:ff:ab", + "ip-address": "10.215.1.216" } ] } diff --git a/ansible/roles/sftp/files/sshd_config b/ansible/roles/sftp/files/sshd_config new file mode 100644 index 0000000..03363c8 --- /dev/null +++ b/ansible/roles/sftp/files/sshd_config @@ -0,0 +1,17 @@ +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +# Only allow sftp users +AllowUsers nochainstounlock +ChrootDirectory /chroot + +# override default of no subsystems +Subsystem sftp /usr/libexec/sftp-server + +# Example of overriding settings on a per-user basis +Match User nochainstounlock + X11Forwarding no + AllowTcpForwarding no + PermitTTY no + ForceCommand internal-sftp diff --git a/ansible/roles/sftp/files/sshd_rc.conf b/ansible/roles/sftp/files/sshd_rc.conf new file mode 100644 index 0000000..38a7f5f --- /dev/null +++ b/ansible/roles/sftp/files/sshd_rc.conf @@ -0,0 +1 @@ +sshd_enable="YES" diff --git a/ansible/roles/sftp/tasks/common.yaml b/ansible/roles/sftp/tasks/common.yaml new file mode 100644 index 0000000..4a3821a --- /dev/null +++ b/ansible/roles/sftp/tasks/common.yaml 
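Review bot: `Subsystem sftp /usr/libexec/sftp-server` cannot serve a session under the global `ChrootDirectory /chroot` unless that binary is also copied into the chroot; only the `ForceCommand internal-sftp` in the Match block keeps logins working, and only for the one user it names. `Subsystem sftp internal-sftp` removes the dependency so the file stays correct when AllowUsers grows. Since this sshd is reachable from outside through the 8022 forward, the authentication policy is better stated than inherited, e.g. `PasswordAuthentication no` and `KbdInteractiveAuthentication no` inside the Match block. The copied comments (`override default of no subsystems`, `Example of overriding settings on a per-user basis`) describe the stock file rather than this one; `# nochainstounlock is confined to sftp inside /chroot` says what the block is for.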
@@ -0,0 +1,71 @@ +- name: Create directories + file: + name: "{{ item }}" + state: directory + mode: 0755 + owner: root + group: wheel + loop: + - /chroot + - /chroot/readonly + - /chroot/readwrite + +- name: Create directories + file: + name: "{{ item }}" + state: directory + mode: 0755 + owner: nochainstounlock + group: nochainstounlock + loop: + - /chroot/readonly/downloads + - /chroot/readonly/incomplete + - /chroot/readwrite/downloads + - /chroot/readwrite/incomplete + +- name: Create directories + file: + name: "{{ item }}" + state: directory + mode: 0755 + owner: 11235 + group: nochainstounlock + loop: + - /chroot/readonly/library + - /chroot/readwrite/library + +# - name: Install scripts +# copy: +# src: "files/{{ item.src }}" +# dest: "{{ item.dest }}" +# mode: 0755 +# owner: root +# group: wheel +# loop: +# - src: foo.bash +# dest: /usr/local/bin/foo + +- name: Install Configuration + copy: + src: "files/{{ item.src }}" + dest: "{{ item.dest }}" + mode: 0644 + owner: root + group: wheel + loop: + - src: sshd_config + dest: /etc/ssh/sshd_config + +# - name: Clone Source +# git: +# repo: "https://foo.bar/baz.git" +# dest: /foo/bar +# version: "v1.0.2" +# force: true +# diff: false + +- import_tasks: tasks/freebsd.yaml + when: 'os_flavor == "freebsd"' + +- import_tasks: tasks/linux.yaml + when: 'os_flavor == "linux"' diff --git a/ansible/roles/sftp/tasks/freebsd.yaml b/ansible/roles/sftp/tasks/freebsd.yaml new file mode 100644 index 0000000..ce76222 --- /dev/null +++ b/ansible/roles/sftp/tasks/freebsd.yaml @@ -0,0 +1,19 @@ +- name: Create directories + file: + name: "{{ item }}" + state: directory + mode: 0755 + owner: root + group: wheel + loop: + - /etc/rc.conf.d + +- name: Install service configuration + copy: + src: "files/{{ item }}_rc.conf" + dest: "/etc/rc.conf.d/{{ item }}" + mode: 0644 + owner: root + group: wheel + loop: + - sshd 
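Review bot: The `Install Configuration` task in common.yaml replaces /etc/ssh/sshd_config but has no `notify`, and the commit adds no handler, so a changed config is not applied until something else restarts sshd; add `notify: restart sshd` on the task and a `restart sshd` handler in the role using the `service` module. The three `Create directories` tasks are indistinguishable in output, and the third mixes `owner: 11235` with `group: nochainstounlock` where the other two use the user name for both; host_vars/sftp gives that uid to the same user, so `owner: nochainstounlock` keeps it consistent. Note that the `library`, `downloads` and `incomplete` directories are nullfs mountpoints per sftp_fstab, so the mode and owner set here are hidden once the jail mounts over them.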
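Review bot: `Install service configuration` in roles/sftp/tasks/freebsd.yaml writes `sshd_enable="YES"` into /etc/rc.conf.d/sshd but nothing starts the daemon, so the jail serves no sftp until its next restart and a later sshd_config change is likewise never applied. A `service: name=sshd state=started enabled=true` task after the copy, or a restart handler that the copy tasks notify, closes that gap. If leaving startup to the jail's rc at `exec.start` is deliberate, a comment saying so would stop the next reader from adding it.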
diff --git a/ansible/roles/sftp/tasks/linux.yaml b/ansible/roles/sftp/tasks/linux.yaml new file mode 100644 index 0000000..bbbb096 --- /dev/null +++ b/ansible/roles/sftp/tasks/linux.yaml @@ -0,0 +1,29 @@ +# - name: Build aur packages +# register: buildaur +# become_user: "{{ build_user.name }}" +# command: "aurutils-sync --no-view {{ item }}" +# args: +# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*" +# loop: +# - foo + +# - name: Update cache +# when: buildaur.changed +# pacman: +# name: [] +# state: present +# update_cache: true + +# - name: Install packages +# package: +# name: +# - foo +# state: present + +# - name: Enable services +# systemd: +# enabled: yes +# name: "{{ item }}" +# daemon_reload: yes +# loop: +# - foo.service diff --git a/ansible/roles/sftp/tasks/main.yaml b/ansible/roles/sftp/tasks/main.yaml new file mode 100644 index 0000000..6805b9d --- /dev/null +++ b/ansible/roles/sftp/tasks/main.yaml @@ -0,0 +1,2 @@ +- import_tasks: tasks/common.yaml + # when: foo is defined diff --git a/ansible/roles/users/meta/main.yaml b/ansible/roles/users/meta/main.yaml index e5d05d0..3ecae03 100644 --- a/ansible/roles/users/meta/main.yaml +++ b/ansible/roles/users/meta/main.yaml @@ -1,2 +1,3 @@ -dependencies: - - sudo +# dependencies: +# - sudo +# TODO: When any user is in wheel group diff --git a/ansible/run.bash b/ansible/run.bash index d0871b9..2fcf067 100755 --- a/ansible/run.bash +++ b/ansible/run.bash 
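Review bot: Commenting out the `sudo` dependency in roles/users/meta/main.yaml changes every play that uses the users role, not just the new sftp jail, so any host that relied on the role to pull sudo in now depends on some other role listing it. The TODO says the intent is to make it conditional on a wheel member, which the commit does not implement; until it does, the dependency is probably safer left in place, or the plays that need it should list `sudo` explicitly. The whole meta file is visible in the hunk and contains nothing else.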
@@ -28,6 +28,8 @@ elif [ "$target" = "jail_nat_dhcp" ]; then ansible-playbook -v -i environments/jail playbook.yaml --diff --limit nat_dhcp "${@}" elif [ "$target" = "jail_homeserver_nat_dhcp" ]; then ansible-playbook -v -i environments/jail playbook.yaml --diff --limit homeserver_nat_dhcp "${@}" +elif [ "$target" = "sftp" ]; then + ansible-playbook -v -i environments/jail playbook.yaml --diff --limit sftp "${@}" elif [ "$target" = "vm_poudriereodo" ]; then ansible-playbook -v -i environments/vm playbook.yaml --diff --limit poudriereodo "${@}" elif [ "$target" = "vm_poudrieremrmanager" ]; then
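Review bot: The new target is named `sftp` while the sibling jail targets in run.bash use a `jail_` prefix (`jail_nat_dhcp`, `jail_homeserver_nat_dhcp`) and VMs use `vm_`, so `elif [ "$target" = "jail_sftp" ]; then` keeps the naming scheme. The `--limit sftp` argument should stay as it is, since that is the inventory host name from environments/jail/hosts.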