From d4e9caad67451468dfb7d4cffe4c8ac4cfeb7d90 Mon Sep 17 00:00:00 2001 From: Tom Alexander Date: Fri, 2 Dec 2022 20:11:50 -0500 Subject: [PATCH 1/4] Add a jail that will serve dhcp for clients connecting to the open nat bridge. --- ansible/environments/laptop/host_vars/odofreebsd | 4 ++++ ansible/roles/devfs/files/odo_devfs.rules | 6 ++++++ ansible/roles/jail/files/jails/nat_dhcp.conf | 11 +++++++++++ 3 files changed, 21 insertions(+) create mode 100644 ansible/roles/jail/files/jails/nat_dhcp.conf diff --git a/ansible/environments/laptop/host_vars/odofreebsd b/ansible/environments/laptop/host_vars/odofreebsd index 613c1a0..4a755b6 100644 --- a/ansible/environments/laptop/host_vars/odofreebsd +++ b/ansible/environments/laptop/host_vars/odofreebsd @@ -39,6 +39,10 @@ users: devfs_rules: "odo_devfs.rules" jail_zfs_dataset: zroot/freebsd/release/jails jail_zfs_dataset_mountpoint: /jail/main +jail_list: + - name: nat_dhcp + conf: + src: nat_dhcp bhyve_dataset: zroot/freebsd/release/vm bhyve_list: [] efi_dev: /dev/gpt/EFI diff --git a/ansible/roles/devfs/files/odo_devfs.rules b/ansible/roles/devfs/files/odo_devfs.rules index d351b5b..b6ed32d 100644 --- a/ansible/roles/devfs/files/odo_devfs.rules +++ b/ansible/roles/devfs/files/odo_devfs.rules @@ -11,3 +11,9 @@ add path pf unhide add path pflog unhide add path pfsynv unhide add path 'tun*' unhide + +[tajaildhcp=14] +add include $devfsrules_hide_all +add include $devfsrules_unhide_basic +add include $devfsrules_unhide_login +add path 'bpf*' unhide diff --git a/ansible/roles/jail/files/jails/nat_dhcp.conf b/ansible/roles/jail/files/jails/nat_dhcp.conf new file mode 100644 index 0000000..c4f1ba6 --- /dev/null +++ b/ansible/roles/jail/files/jails/nat_dhcp.conf 
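Review bot: The new `[tajaildhcp=14]` ruleset unhides `bpf*` without saying which jail it serves or why packet-capture devices are needed, so a later reader cannot tell whether that exposure is deliberate. The dhcpd installed in patch 4 presumably needs /dev/bpf to send and receive raw DHCP frames, and because nat_dhcp is a VNET jail any capture is scoped to its own interface (host_link3), which is what makes the unhide acceptable — but that reasoning should be on the line. I would add above the section `# nat_dhcp VNET jail: dhcpd needs /dev/bpf* for raw DHCP frames; vnet limits capture to the jail's own interfaces`, and note that the number 14 is referenced by `devfs_ruleset = 14` in nat_dhcp.conf so the two must stay in sync.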
@@ -0,0 +1,11 @@ +nat_dhcp { + path = "/jail/main/jails/nat_dhcp"; + vnet; + vnet.interface += "host_link3"; + devfs_ruleset = 14; + mount.devfs; # To expose tun device + + exec.start += "/bin/sh /etc/rc"; + exec.stop = "/bin/sh /etc/rc.shutdown jail"; + exec.consolelog = "/var/log/jail_${name}_console.log"; +} From e4f5754a91b2c258f1ff7e317cd23313ff0bea83 Mon Sep 17 00:00:00 2001 From: Tom Alexander Date: Fri, 2 Dec 2022 20:19:16 -0500 Subject: [PATCH 2/4] Enable the nat_dhcp jail on boot so its always available. --- ansible/environments/laptop/host_vars/odofreebsd | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/environments/laptop/host_vars/odofreebsd b/ansible/environments/laptop/host_vars/odofreebsd index 4a755b6..90dafca 100644 --- a/ansible/environments/laptop/host_vars/odofreebsd +++ b/ansible/environments/laptop/host_vars/odofreebsd @@ -41,6 +41,7 @@ jail_zfs_dataset: zroot/freebsd/release/jails jail_zfs_dataset_mountpoint: /jail/main jail_list: - name: nat_dhcp + enabled: true conf: src: nat_dhcp bhyve_dataset: zroot/freebsd/release/vm From 26354d1a86125b4a2cdc73eb3a614748ff30b28c Mon Sep 17 00:00:00 2001 
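Review bot: The comment on `mount.devfs; # To expose tun device` does not match what ruleset 14 does: the `[tajaildhcp=14]` section added in this same patch unhides `bpf*`, not `tun*` (the `tun*` unhide belongs to the preceding ruleset), so the comment will mislead anyone auditing which devices this jail can reach. Suggest `mount.devfs; # ruleset 14 exposes /dev/bpf* for dhcpd`. If leaving `allow.raw_sockets` off and relying on bpf alone is intentional, a one-line comment saying so would make the device exposure the documented minimum rather than an accident.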
From: Tom Alexander Date: Fri, 2 Dec 2022 20:39:52 -0500 Subject: [PATCH 3/4] Start a jail_nat_dhcp role for the nat_dhcp jail. --- ansible/environments/jail/host_vars/nat_dhcp | 0 ansible/environments/jail/hosts | 2 ++ ansible/playbook.yaml | 8 ++++- ansible/roles/blank/tasks/common.yaml | 1 + ansible/roles/jail_nat_dhcp/tasks/common.yaml | 15 ++++++++++ .../roles/jail_nat_dhcp/tasks/freebsd.yaml | 5 ++++ ansible/roles/jail_nat_dhcp/tasks/linux.yaml | 21 ++++++++++++++ ansible/roles/jail_nat_dhcp/tasks/main.yaml | 2 ++ .../roles/jail_nat_dhcp/tasks/peruser.yaml | 29 +++++++++++++++++++ .../jail_nat_dhcp/tasks/peruser_freebsd.yaml | 0 .../jail_nat_dhcp/tasks/peruser_linux.yaml | 0 ansible/run.bash | 2 ++ 12 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 ansible/environments/jail/host_vars/nat_dhcp create mode 100644 ansible/environments/jail/hosts create mode 100644 ansible/roles/jail_nat_dhcp/tasks/common.yaml create mode 100644 ansible/roles/jail_nat_dhcp/tasks/freebsd.yaml create mode 100644 ansible/roles/jail_nat_dhcp/tasks/linux.yaml create mode 100644 ansible/roles/jail_nat_dhcp/tasks/main.yaml create mode 100644 ansible/roles/jail_nat_dhcp/tasks/peruser.yaml create mode 100644 ansible/roles/jail_nat_dhcp/tasks/peruser_freebsd.yaml create mode 100644 ansible/roles/jail_nat_dhcp/tasks/peruser_linux.yaml diff --git a/ansible/environments/jail/host_vars/nat_dhcp b/ansible/environments/jail/host_vars/nat_dhcp new file mode 100644 index 0000000..e69de29 diff --git a/ansible/environments/jail/hosts b/ansible/environments/jail/hosts new file mode 100644 index 0000000..af5f04e --- /dev/null +++ b/ansible/environments/jail/hosts @@ -0,0 +1,2 @@ +[jail] +nat_dhcp ansible_connection=jail diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml index 2fb843d..623a887 100644 --- a/ansible/playbook.yaml +++ b/ansible/playbook.yaml @@ -1,4 +1,4 @@ -- hosts: all +- hosts: all:!jail vars: ansible_become: True roles: 
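Review bot: The inventory entry `nat_dhcp ansible_connection=jail` carries no hint of where it must be run from. As far as I recall, the community.general jail connection plugin drives `jexec` on the machine running ansible-playbook and needs root there, so this inventory only works when invoked on odofreebsd itself, and `ansible_become: True` in the new play is then largely redundant; someone running the new `jail_nat_dhcp` target from another machine will get a confusing failure. A comment on the entry, `# run from odofreebsd as root: the jail connection plugin uses jexec locally`, would prevent that. If the plugin does support become inside the jail, the comment should say which method is expected.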
@@ -32,3 +32,9 @@ - media - kubernetes - google_cloud_sdk + +- hosts: nat_dhcp + vars: + ansible_become: True + roles: + - jail_nat_dhcp diff --git a/ansible/roles/blank/tasks/common.yaml b/ansible/roles/blank/tasks/common.yaml index d7c1735..fef1101 100644 --- a/ansible/roles/blank/tasks/common.yaml +++ b/ansible/roles/blank/tasks/common.yaml @@ -9,6 +9,7 @@ apply: become: yes become_user: "{{ initialize_user }}" + when: users is defined loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}" loop_control: loop_var: initialize_user diff --git a/ansible/roles/jail_nat_dhcp/tasks/common.yaml b/ansible/roles/jail_nat_dhcp/tasks/common.yaml new file mode 100644 index 0000000..fef1101 --- /dev/null +++ b/ansible/roles/jail_nat_dhcp/tasks/common.yaml @@ -0,0 +1,15 @@ +- import_tasks: tasks/freebsd.yaml + when: 'os_flavor == "freebsd"' + +- import_tasks: tasks/linux.yaml + when: 'os_flavor == "linux"' + +- include_tasks: + file: tasks/peruser.yaml + apply: + become: yes + become_user: "{{ initialize_user }}" + when: users is defined + loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}" + loop_control: + loop_var: initialize_user diff --git a/ansible/roles/jail_nat_dhcp/tasks/freebsd.yaml b/ansible/roles/jail_nat_dhcp/tasks/freebsd.yaml new file mode 100644 index 0000000..b417174 --- /dev/null +++ b/ansible/roles/jail_nat_dhcp/tasks/freebsd.yaml @@ -0,0 +1,5 @@ +# - name: Install packages +# package: +# name: +# - foo +# state: present diff --git a/ansible/roles/jail_nat_dhcp/tasks/linux.yaml b/ansible/roles/jail_nat_dhcp/tasks/linux.yaml new file mode 100644 index 0000000..429ad91 --- /dev/null +++ b/ansible/roles/jail_nat_dhcp/tasks/linux.yaml 
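Review bot: In the new `jail_nat_dhcp/tasks/common.yaml`, `when: users is defined` on the `include_tasks` task does not protect it: as far as I understand Ansible expands `loop` before evaluating `when`, so with `users` undefined — which is the case for this jail, whose host_vars define only `os_flavor` — the `users | dict2items` expression errors before the condition is consulted. The same guard was copied into `roles/blank/tasks/common.yaml`, so the template carries the same problem. The safe form is to give the loop an empty default, `loop: "{{ users | default({}) | dict2items | community.general.json_query(...) }}"`, with or without the `when`. While here, `become: true` is the canonical boolean; `yes` is a YAML 1.1 truthy value that linters flag.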
@@ -0,0 +1,21 @@ +# - name: Build aur packages +# register: buildaur +# become_user: "{{ build_user.name }}" +# command: "aurutils-sync --no-view {{ item }}" +# args: +# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*" +# loop: +# - foo + +# - name: Update cache +# when: buildaur.changed +# pacman: +# name: [] +# state: present +# update_cache: true + +# - name: Install packages +# package: +# name: +# - foo +# state: present diff --git a/ansible/roles/jail_nat_dhcp/tasks/main.yaml b/ansible/roles/jail_nat_dhcp/tasks/main.yaml new file mode 100644 index 0000000..6805b9d --- /dev/null +++ b/ansible/roles/jail_nat_dhcp/tasks/main.yaml @@ -0,0 +1,2 @@ +- import_tasks: tasks/common.yaml + # when: foo is defined diff --git a/ansible/roles/jail_nat_dhcp/tasks/peruser.yaml b/ansible/roles/jail_nat_dhcp/tasks/peruser.yaml new file mode 100644 index 0000000..111e886 --- /dev/null +++ b/ansible/roles/jail_nat_dhcp/tasks/peruser.yaml @@ -0,0 +1,29 @@ +- include_role: + name: per_user + +# - name: Create directories +# file: +# name: "{{ account_homedir.stdout }}/{{ item }}" +# state: directory +# mode: 0700 +# owner: "{{ account_name.stdout }}" +# group: "{{ group_name.stdout }}" +# loop: +# - ".config/foo" + +# - name: Copy files +# copy: +# src: "files/{{ item.src }}" +# dest: "{{ account_homedir.stdout }}/{{ item.dest }}" +# mode: 0600 +# owner: "{{ account_name.stdout }}" +# group: "{{ group_name.stdout }}" +# loop: +# - src: foo.conf +# dest: .config/foo/foo.conf + +- import_tasks: tasks/peruser_freebsd.yaml + when: 'os_flavor == "freebsd"' + +- import_tasks: tasks/peruser_linux.yaml + when: 'os_flavor == "linux"' diff --git a/ansible/roles/jail_nat_dhcp/tasks/peruser_freebsd.yaml b/ansible/roles/jail_nat_dhcp/tasks/peruser_freebsd.yaml new file mode 100644 index 0000000..e69de29 diff --git a/ansible/roles/jail_nat_dhcp/tasks/peruser_linux.yaml b/ansible/roles/jail_nat_dhcp/tasks/peruser_linux.yaml new file mode 100644 index 0000000..e69de29 
diff --git a/ansible/run.bash b/ansible/run.bash index 39403f3..8e33196 100755 --- a/ansible/run.bash +++ b/ansible/run.bash @@ -22,6 +22,8 @@ elif [ "$target" = "odolinux" ]; then ansible-playbook -v -i environments/laptop playbook.yaml --diff --limit odolinux "${@}" elif [ "$target" = "odofreebsd" ]; then ansible-playbook -v -i environments/laptop playbook.yaml --diff --limit odofreebsd "${@}" +elif [ "$target" = "jail_nat_dhcp" ]; then + ansible-playbook -v -i environments/jail playbook.yaml --diff --limit nat_dhcp "${@}" else die 1 "Unrecognized target" fi From aa6f63c1413884ab5235e3897aa34c778538a814 Mon Sep 17 00:00:00 2001 From: Tom Alexander Date: Fri, 2 Dec 2022 20:45:53 -0500 Subject: [PATCH 4/4] Add the config for the nat_dhcp jail. --- ansible/environments/jail/host_vars/nat_dhcp | 1 + ansible/roles/jail_nat_dhcp/files/dhcpd.conf | 12 +++++++++ ansible/roles/jail_nat_dhcp/files/rc.conf | 3 +++ ansible/roles/jail_nat_dhcp/files/resolv.conf | 2 ++ .../roles/jail_nat_dhcp/tasks/freebsd.yaml | 25 +++++++++++++++---- 5 files changed, 38 insertions(+), 5 deletions(-) create mode 100644 ansible/roles/jail_nat_dhcp/files/dhcpd.conf create mode 100644 ansible/roles/jail_nat_dhcp/files/rc.conf create mode 100644 ansible/roles/jail_nat_dhcp/files/resolv.conf diff --git a/ansible/environments/jail/host_vars/nat_dhcp b/ansible/environments/jail/host_vars/nat_dhcp index e69de29..1d0b6d9 100644 --- a/ansible/environments/jail/host_vars/nat_dhcp +++ b/ansible/environments/jail/host_vars/nat_dhcp @@ -0,0 +1 @@ +os_flavor: "freebsd" diff --git a/ansible/roles/jail_nat_dhcp/files/dhcpd.conf b/ansible/roles/jail_nat_dhcp/files/dhcpd.conf new file mode 100644 index 0000000..36d1f19 --- /dev/null +++ b/ansible/roles/jail_nat_dhcp/files/dhcpd.conf 
@@ -0,0 +1,12 @@ +# option definitions common to all supported networks... +option domain-name "home.arpa"; +# option domain-name-servers ns1.home.arpa; +option subnet-mask 255.255.255.0; +default-lease-time 600; +max-lease-time 7200; + +subnet 10.213.177.0 netmask 255.255.255.0 { + range 10.213.177.10 10.213.177.250; + option broadcast-address 10.213.177.255; + option routers 10.213.177.1; +} diff --git a/ansible/roles/jail_nat_dhcp/files/rc.conf b/ansible/roles/jail_nat_dhcp/files/rc.conf new file mode 100644 index 0000000..cfa78b1 --- /dev/null +++ b/ansible/roles/jail_nat_dhcp/files/rc.conf @@ -0,0 +1,3 @@ +ifconfig_host_link3="inet 10.213.177.254 netmask 255.255.255.0" +defaultrouter="10.213.177.1" +dhcpd_enable="YES" diff --git a/ansible/roles/jail_nat_dhcp/files/resolv.conf b/ansible/roles/jail_nat_dhcp/files/resolv.conf new file mode 100644 index 0000000..582d17e --- /dev/null +++ b/ansible/roles/jail_nat_dhcp/files/resolv.conf @@ -0,0 +1,2 @@ +search home.arpa +nameserver 10.213.177.1 diff --git a/ansible/roles/jail_nat_dhcp/tasks/freebsd.yaml b/ansible/roles/jail_nat_dhcp/tasks/freebsd.yaml index b417174..b98022f 100644 --- a/ansible/roles/jail_nat_dhcp/tasks/freebsd.yaml +++ b/ansible/roles/jail_nat_dhcp/tasks/freebsd.yaml @@ -1,5 +1,20 @@ -# - name: Install packages -# package: -# name: -# - foo -# state: present +- name: Install packages + package: + name: + - dhcpd + state: present + +- name: Install Configuration + copy: + src: "files/{{ item.src }}" + dest: "{{ item.dest }}" + mode: 0644 + owner: root + group: wheel + loop: + - src: rc.conf + dest: /etc/rc.conf + - src: dhcpd.conf + dest: /usr/local/etc/dhcpd.conf + - src: resolv.conf + dest: /etc/resolv.conf
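Review bot: Clients of this subnet are handed no DNS server: `option domain-name-servers` is commented out, while the jail's own resolv.conf in the same commit points at `10.213.177.1`, so leases carry `domain-name home.arpa` and a router but no resolver. If 10.213.177.1 is the resolver for this network, set `option domain-name-servers 10.213.177.1;` (the commented `ns1.home.arpa` form would additionally require dhcpd to resolve that name at start-up). The package installed is `dhcpd` rather than `isc-dhcp44-server`, which I believe is the OpenBSD-derived server; if it is in fact ISC's dhcpd, the file should also declare `authoritative;`, since without it ISC dhcpd does not NAK stale leases that clients bring from other networks.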
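Review bot: The copy task in `freebsd.yaml` installs dhcpd.conf and rc.conf but nothing restarts dhcpd when they change, so a re-run of the playbook updates the files while the running daemon keeps the old configuration until the jail is restarted. Add a handler (`service: name: dhcpd state: restarted`) and `notify` it from the copy task; for dhcpd.conf a `validate:` step would also catch a broken file before it replaces the live one, though the right test flag depends on which dhcpd the `dhcpd` package provides. Also quote the mode as `mode: "0644"` — an unquoted `0644` is read as an integer by the YAML parser, and while Ansible accepts that form the quoted string is unambiguous. Note too that this overwrites the jail's whole `/etc/rc.conf`, which is fine for a single-purpose jail but worth a comment so nobody later adds rc settings inside the jail by hand.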