Add sftp jail.

2024-06-30 23:02:23 -04:00
parent 0363a462a0
commit 566b7dfd0b
27 changed files with 220 additions and 7 deletions
--- a/ansible/roles/jail/files/jails/admin_git.conf
+++ b/ansible/roles/jail/files/jails/admin_git.conf
@@ -7,6 +7,7 @@ admin_git {

    devfs_ruleset = 14;
    mount.devfs;
+    mount.fstab = "/etc/fstab.${name}";

    exec.start += "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown jail";
--- a/ansible/roles/jail/files/jails/cloak.conf
+++ b/ansible/roles/jail/files/jails/cloak.conf
@@ -11,6 +11,7 @@ cloak {

    devfs_ruleset = 13;
    mount.devfs; # To expose tun device
+    mount.fstab = "/etc/fstab.${name}";

    exec.start += "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown jail";
--- a/ansible/roles/jail/files/jails/dagger.conf
+++ b/ansible/roles/jail/files/jails/dagger.conf
@@ -6,6 +6,8 @@ dagger {
    exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24";
    exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop cloak ${name}";

+    mount.fstab = "/etc/fstab.${name}";
+
    exec.start += "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown jail";
    exec.consolelog = "/var/log/jail_${name}_console.log";
--- a/ansible/roles/jail/files/jails/mumble.conf
+++ b/ansible/roles/jail/files/jails/mumble.conf
@@ -3,6 +3,8 @@ cloak {
    vnet;
    vnet.interface += "host_link3";

+    mount.fstab = "/etc/fstab.${name}";
+
    exec.start += "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown jail";
    exec.consolelog = "/var/log/jail_${name}_console.log";
--- a/ansible/roles/jail/files/jails/nat_dhcp.conf
+++ b/ansible/roles/jail/files/jails/nat_dhcp.conf
@@ -7,8 +7,9 @@ nat_dhcp {

    devfs_ruleset = 14;
    mount.devfs;
+    mount.fstab = "/etc/fstab.${name}";

-    exec.start += "/bin/sh /etc/rc";
+    exec.start += "/bin/sh -c 'mkdir /var/run/kea && exec /bin/sh /etc/rc'";
    exec.stop = "/bin/sh /etc/rc.shutdown jail";
    exec.consolelog = "/var/log/jail_${name}_console.log";
 }
--- a/ansible/roles/jail/files/jails/olddagger.conf
+++ b/ansible/roles/jail/files/jails/olddagger.conf
@@ -6,6 +6,8 @@ olddagger {
    exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24";
    exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop cloak ${name}";

+    mount.fstab = "/etc/fstab.${name}";
+
    exec.start += "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown jail";
    exec.consolelog = "/var/log/jail_${name}_console.log";
--- a/ansible/roles/jail/files/jails/public_dns.conf
+++ b/ansible/roles/jail/files/jails/public_dns.conf
@@ -7,6 +7,7 @@ public_dns {

    devfs_ruleset = 14;
    mount.devfs;
+    mount.fstab = "/etc/fstab.${name}";

    exec.start += "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown jail";
--- a/ansible/roles/jail/files/jails/sample.conf
+++ b/ansible/roles/jail/files/jails/sample.conf
@@ -7,6 +7,7 @@ sample {

    devfs_ruleset = 14;
    mount.devfs;
+    mount.fstab = "/etc/fstab.${name}";

    exec.start += "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown jail";
--- a/ansible/roles/jail/files/jails/sftp.conf
+++ b/ansible/roles/jail/files/jails/sftp.conf
@@ -7,6 +7,7 @@ sftp {

    devfs_ruleset = 14;
    mount.devfs;
+    mount.fstab = "/etc/fstab.${name}";

    exec.start += "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown jail";
--- a/ansible/roles/jail/files/sftp_fstab
+++ b/ansible/roles/jail/files/sftp_fstab
@@ -0,0 +1,10 @@
+tmpfs /jail/sftp/tmp tmpfs rw,mode=777 0 0
+tmpfs /jail/sftp/var/run tmpfs rw,mode=755 0 0
+
+/data       /jail/sftp/chroot/readonly/library     nullfs    ro,noexec     0      0
+/jail/dagger/incomplete       /jail/sftp/chroot/readonly/incomplete     nullfs    ro,noexec     0      0
+/jail/dagger/downloads       /jail/sftp/chroot/readonly/downloads     nullfs    ro,noexec     0      0
+
+/data       /jail/sftp/chroot/readwrite/library     nullfs    rw,noexec     0      0
+/jail/dagger/incomplete       /jail/sftp/chroot/readwrite/incomplete     nullfs    rw,noexec     0      0
+/jail/dagger/downloads       /jail/sftp/chroot/readwrite/downloads     nullfs    rw,noexec     0      0
--- a/ansible/roles/jail/tasks/freebsd.yaml
+++ b/ansible/roles/jail/tasks/freebsd.yaml
@@ -42,13 +42,23 @@
      dest: /usr/local/bin/new_jail

 - name: Install config files
+  when: item.fstab is defined
  copy:
-    src: "files/{{ item.fstab }}"
+    src: 'files/{{ item.fstab }}'
+    dest: '{{ item.fstab_dest|default("/etc/fstab." + item.name) }}'
+    mode: 0644
+    owner: root
+    group: wheel
+  loop: "{{ jail_list }}"
+
+- name: Install config files
+  when: item.fstab is not defined
+  template:
+    src: 'templates/fstab_default.j2'
    dest: '{{ item.fstab_dest|default("/etc/fstab." + item.name) }}'
    mode: 0644
    owner: root
    group: wheel
-  when: item.fstab is defined
  loop: "{{ jail_list }}"

 - name: Install persistent files
--- a/ansible/roles/jail/templates/fstab_default.j2
+++ b/ansible/roles/jail/templates/fstab_default.j2
@@ -0,0 +1,2 @@
+tmpfs /jail/{{ item.name }}/tmp tmpfs rw,mode=777 0 0
+tmpfs /jail/{{ item.name }}/var/run tmpfs rw,mode=755 0 0
--- a/ansible/roles/jail/templates/new_jail.bash.j2
+++ b/ansible/roles/jail/templates/new_jail.bash.j2
@@ -49,7 +49,19 @@ EOF
             )
    IGNORE_OSVERSION=yes pkg --rootdir "$DESTDIR" --config <(cat <<<"$config") install --repository base --yes --glob 'FreeBSD-*'
    switch_to_latest_packages
-    cat > "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$config"
+    local in_jail_config
+    in_jail_config=$(cat <<EOF
+base: {
+    url: "pkg+https://pkg.freebsd.org/\${ABI}/base_release_1",
+    mirror_type: "srv",
+    signature_type: "fingerprints",
+    fingerprints: "/usr/share/keys/pkg",
+    enabled: yes,
+    priority: 100
+}
+EOF
+             )
+    cat > "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$in_jail_config"
    # Post-install remove extra packages
    # pkg remove --glob 'FreeBSD-*-lib32*' 'FreeBSD-*-dbg*' FreeBSD-src
 }