Add the admin_git jail.

This jail hosts the git repo used for the kubernetes cluster manifests. It lives in a jail instead of inside a git website hosted inside kubernetes because it is needed for the bootstrapping process, creating a chicken-and-egg type of scenario. I figure I can set up mirroring of the git repo to a hosted git website for publishing.
2023-06-17 17:35:09 -04:00 · 2023-06-17 17:35:09 -04:00 · 62ade773d8
commit 62ade773d8
parent 0f1769dd1f
5 changed files with 37 additions and 0 deletions
--- a/ansible/environments/jail/host_vars/admin_git
+++ b/ansible/environments/jail/host_vars/admin_git
@ -0,0 +1,20 @@
+os_flavor: "freebsd"
+users:
+  talexander:
+    initialize: true
+    uid: 11235
+    gid: 11235
+    groups:
+      - name: wheel
+    authorized_keys:
+      - yubikey
+      - main_fido
+      - backup_fido
+  git:
+    initialize: false
+    shell: /usr/local/bin/git-shell
+    authorized_keys:
+      - yubikey
+      - main_fido
+      - backup_fido
+sshd_enabled: true
--- a/ansible/environments/jail/hosts
+++ b/ansible/environments/jail/hosts
@ -3,3 +3,4 @@ nat_dhcp ansible_connection=jail
 homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@172.16.16.2 ansible_connection=sshjail
 mrmanager_nat_dhcp ansible_ssh_host=nat_dhcp@10.217.2.1 ansible_connection=sshjail
 nat_dhcp@172.16.16.2 ansible_connection=sshjail
+admin_git ansible_ssh_host=admin_git@10.217.2.1 ansible_connection=sshjail
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@ -92,3 +92,11 @@
    - wireguard
    - plainmacs
    - mrmanager
+
+- hosts: admin_git
+  vars:
+    ansible_become: True
+  roles:
+    - sudo
+    - doas
+    - users
--- a/ansible/roles/firewall/files/mrmanager_pf.conf
+++ b/ansible/roles/firewall/files/mrmanager_pf.conf
@ -25,6 +25,12 @@ rdr pass on jail_nat inet proto tcp from $jail_nat_v4 to any port 6443 -> 10.215
 nat pass on $not_ext_if proto {tcp, udp} from $not_jail_nat_v4 to 10.215.1.204 port 6443 -> (jail_nat)
 nat pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.204 port 6443 -> (jail_nat)

+rdr pass on $ext_if inet proto tcp from $not_jail_nat_v4 to any port 65099 -> 10.215.1.210 port 22
+rdr pass on jail_nat inet proto tcp from $jail_nat_v4 to any port 65099 -> 10.215.1.210 port 22
+nat pass on $not_ext_if proto {tcp, udp} from $not_jail_nat_v4 to 10.215.1.210 port 65099 -> (jail_nat)
+nat pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.210 port 65099 -> (jail_nat)
+
+

 # filtering
 block log all
--- a/ansible/run.bash
+++ b/ansible/run.bash
@ -34,6 +34,8 @@ elif [ "$target" = "mrmanager" ]; then
    ansible-playbook -v -i environments/colo playbook.yaml --diff --limit mrmanager "${@}"
 elif [ "$target" = "jail_mrmanager_nat_dhcp" ]; then
    ansible-playbook -v -i environments/jail playbook.yaml --diff --limit mrmanager_nat_dhcp "${@}"
+elif [ "$target" = "jail_admin_git" ]; then
+    ansible-playbook -v -i environments/jail playbook.yaml --diff --limit admin_git "${@}"
 else
    die 1 "Unrecognized target"
 fi