talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Add jail for momlaptop.

Browse Source
This commit is contained in:
Tom Alexander 2024-08-14 21:25:49 -04:00
parent 20768edcf6
commit aec97a5df6
Signed by: talexander
GPG Key ID: D3A179C9A53C0EDE
30 changed files with 344 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ansible/environments/home/host_vars/homeserver
View File

@ -67,6 +67,9 @@ jail_list:
- name: certificate
conf:
src: certificate
- name: momlaptop
conf:
src: momlaptop
# - name: mumble
# conf:
# src: mumble

1
ansible/environments/jail/host_vars/momlaptop Normal file
View File

@ -0,0 +1 @@
os_flavor: freebsd

1
ansible/environments/jail/hosts
View File

@ -8,3 +8,4 @@ public_dns ansible_ssh_host=public_dns@10.217.2.1 ansible_connection=sshjail
sftp ansible_ssh_host=sftp@homeserver ansible_connection=sshjail
bastion ansible_ssh_host=bastion@homeserver ansible_connection=sshjail
certificate ansible_ssh_host=certificate@homeserver ansible_connection=sshjail
momlaptop ansible_ssh_host=momlaptop@homeserver ansible_connection=sshjail

6
ansible/playbook.yaml
View File

@ -157,3 +157,9 @@
ansible_become: True
roles:
- jail_certificate
- hosts: momlaptop
vars:
ansible_become: True
roles:
- jail_momlaptop

1
ansible/roles/base/tasks/freebsd.yaml
View File

@ -13,6 +13,7 @@
- gsed
- gmake
- rust-coreutils
- shuf
state: present
- name: Install service configuration

4
ansible/roles/firewall/files/homeserver_pf.conf
View File

@ -51,6 +51,10 @@ nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.216 port 22 -> 10.215
# rdr pass on $ext_if inet proto {tcp, udp} from any to any port 65022 -> 10.213.177.8 port 22
rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202
# -> momlaptop
rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8033 -> 10.215.1.218 port 443
nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.218 port 443 -> 10.215.1.1
# filtering
# match in on jail_nat from any to any dnpipe(1, 2)
# match in on restricted_nat from any to any dnpipe(1, 2)

3
ansible/roles/framework_laptop/files/disable_wifi_powersave_loader.conf Normal file
View File

@ -0,0 +1,3 @@
# Disable power save for wifi card because power save caused video stuttering in google meet on Linux. Both of these are currently the default on FreeBSD but I'm saving it just in case that default changes.
compat.linuxkpi.iwlwifi_power_save="0"
compat.linuxkpi.iwlwifi_mvm_power_scheme="1"

14
ansible/roles/framework_laptop/tasks/freebsd.yaml
View File

@ -1,5 +1,9 @@
# - name: Install packages
# package:
# name:
# - foo
# state: present
- name: Install loader.conf
copy:
src: "files/{{ item }}_loader.conf"
dest: "/boot/loader.conf.d/{{ item }}.conf"
mode: 0644
owner: root
group: wheel
loop:
- disable_wifi_powersave

15
ansible/roles/jail/files/jails/momlaptop.conf Normal file
View File

@ -0,0 +1,15 @@
momlaptop {
path = "/jail/${name}";
vnet;
exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
vnet.interface += "jail${name}";
devfs_ruleset = 14;
mount.devfs;
mount.fstab = "/etc/fstab.${name}";
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown jail";
exec.consolelog = "/var/log/jail_${name}_console.log";
}

15
ansible/roles/jail_momlaptop/files/headers.include Normal file
View File

@ -0,0 +1,15 @@
# Enable HTTP Strict Transport Security (HSTS) to force clients to
# always connect via HTTPS (do not use if only testing)
add_header Strict-Transport-Security "max-age=31536000;" always;
# Enable cross-site filter (XSS) and tell browser to block detected
# attacks
add_header X-XSS-Protection "1; mode=block" always;
# Prevent some browsers from MIME-sniffing a response away from the
# declared Content-Type
add_header X-Content-Type-Options "nosniff" always;
# Disallow the site to be rendered within a frame (clickjacking
# protection)
add_header X-Frame-Options "DENY" always;
# Indicate that we are serving http3 on port 443
add_header Alt-Svc 'h3=":8033"; ma=864000';

BIN
ansible/roles/jail_momlaptop/files/htpasswd Normal file
View File

Binary file not shown.

2
ansible/roles/jail_momlaptop/files/newsyslog.conf Normal file
View File

@ -0,0 +1,2 @@
# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
/var/log/nginx/*.log 640 5 1000 @T00 GYC /var/run/nginx.pid SIGUSR1

48
ansible/roles/jail_momlaptop/files/nginx.conf Normal file
View File

@ -0,0 +1,48 @@
worker_processes auto;
user www www;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
types {
text/plain log;
}
sendfile on;
tcp_nopush on;
tcp_nodelay on;
gzip on;
include conf.d/headers.include;
server {
listen 443 quic reuseport;
listen [::]:443 quic reuseport;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name momlaptop.fizz.buzz;
include conf.d/tls_settings.include;
# RSA
ssl_certificate /momlaptop.fizz.buzz/tls.crt;
ssl_certificate_key /momlaptop.fizz.buzz/tls.key;
# Nginx by default only allows file uploads up to 50M in size
client_max_body_size 50M;
location / {
auth_basic "Stuff";
auth_basic_user_file conf.d/htpasswd;
alias /srv/http/;
autoindex on;
}
}
}

1
ansible/roles/jail_momlaptop/files/nginx_rc.conf Normal file
View File

@ -0,0 +1 @@
nginx_enable="YES"

9
ansible/roles/jail_momlaptop/files/proxy.include Normal file
View File

@ -0,0 +1,9 @@
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
# Settings for keepalive module for upstreams
proxy_http_version 1.1;
proxy_set_header Connection "";
# Requests sent with early data are subject to replay attacks so the application needs to protect against that by using the Early-Data header.
# proxy_set_header Early-Data $ssl_early_data;

3
ansible/roles/jail_momlaptop/files/tls_settings.include Normal file
View File

@ -0,0 +1,3 @@
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;

2
ansible/roles/jail_momlaptop/meta/main.yaml Normal file
View File

@ -0,0 +1,2 @@
dependencies:
- syslog

55
ansible/roles/jail_momlaptop/tasks/common.yaml Normal file
View File

@ -0,0 +1,55 @@
# - name: Create directories
# file:
# name: "{{ item }}"
# state: directory
# mode: 0755
# owner: root
# group: wheel
# loop:
# - /foo/bar
# - name: Install scripts
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ item.dest }}"
# mode: 0755
# owner: root
# group: wheel
# loop:
# - src: foo.bash
# dest: /usr/local/bin/foo
# - name: Install Configuration
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ item.dest }}"
# mode: 0600
# owner: root
# group: wheel
# loop:
# - src: foo.conf
# dest: /usr/local/etc/foo.conf
# - name: Clone Source
# git:
# repo: "https://foo.bar/baz.git"
# dest: /foo/bar
# version: "v1.0.2"
# force: true
# diff: false
- import_tasks: tasks/freebsd.yaml
when: 'os_flavor == "freebsd"'
- import_tasks: tasks/linux.yaml
when: 'os_flavor == "linux"'
# - include_tasks:
# file: tasks/peruser.yaml
# apply:
# become: yes
# become_user: "{{ initialize_user }}"
# when: users is defined
# loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
# loop_control:
# loop_var: initialize_user

81
ansible/roles/jail_momlaptop/tasks/freebsd.yaml Normal file
View File

@ -0,0 +1,81 @@
- name: Create www group
group:
name: www
- name: Create www user
user:
name: www
home: /srv/http
createhome: false
group: www
- name: Create directories
file:
name: "{{ item }}"
state: directory
mode: 0755
owner: root
group: wheel
loop:
- /momlaptop.fizz.buzz
- /etc/rc.conf.d
- /usr/local/etc/nginx/conf.d
- name: Create directories
file:
name: "{{ item }}"
state: directory
mode: 0755
owner: www
group: www
loop:
- /srv/http
- name: Install packages
package:
name:
- nginx
state: present
# validate fails because nginx config relies on a local mime.types
- name: Install Configuration
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
owner: root
group: wheel
loop:
- src: nginx.conf
dest: /usr/local/etc/nginx/nginx.conf
- src: headers.include
dest: /usr/local/etc/nginx/conf.d/headers.include
- src: proxy.include
dest: /usr/local/etc/nginx/conf.d/proxy.include
- src: tls_settings.include
dest: /usr/local/etc/nginx/conf.d/tls_settings.include
# Generate htpasswd with `htpasswd -c files/htpasswd user1`
# or `printf "USER:$(openssl passwd)\n" >> files/htpasswd`
- src: htpasswd
dest: /usr/local/etc/nginx/conf.d/htpasswd
- name: Install newsyslog configuration
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0600
owner: root
group: wheel
loop:
- src: newsyslog.conf
dest: /usr/local/etc/newsyslog.conf.d/nginx.conf
- name: Install service configuration
copy:
src: "files/{{ item }}_rc.conf"
dest: "/etc/rc.conf.d/{{ item }}"
mode: 0644
owner: root
group: wheel
loop:
- nginx

29
ansible/roles/jail_momlaptop/tasks/linux.yaml Normal file
View File

@ -0,0 +1,29 @@
# - name: Build aur packages
# register: buildaur
# become_user: "{{ build_user.name }}"
# command: "aurutils-sync --no-view {{ item }}"
# args:
# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
# loop:
# - foo
# - name: Update cache
# when: buildaur.changed
# pacman:
# name: []
# state: present
# update_cache: true
# - name: Install packages
# package:
# name:
# - foo
# state: present
# - name: Enable services
# systemd:
# enabled: yes
# name: "{{ item }}"
# daemon_reload: yes
# loop:
# - foo.service

2
ansible/roles/jail_momlaptop/tasks/main.yaml Normal file
View File

@ -0,0 +1,2 @@
- import_tasks: tasks/common.yaml
# when: foo is defined

29
ansible/roles/jail_momlaptop/tasks/peruser.yaml Normal file
View File

@ -0,0 +1,29 @@
- include_role:
name: per_user
# - name: Create directories
# file:
# name: "{{ account_homedir.stdout }}/{{ item }}"
# state: directory
# mode: 0700
# owner: "{{ account_name.stdout }}"
# group: "{{ group_name.stdout }}"
# loop:
# - ".config/foo"
# - name: Copy files
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
# mode: 0600
# owner: "{{ account_name.stdout }}"
# group: "{{ group_name.stdout }}"
# loop:
# - src: foo.conf
# dest: .config/foo/foo.conf
- import_tasks: tasks/peruser_freebsd.yaml
when: 'os_flavor == "freebsd"'
- import_tasks: tasks/peruser_linux.yaml
when: 'os_flavor == "linux"'

0
ansible/roles/jail_momlaptop/tasks/peruser_freebsd.yaml Normal file
View File

0
ansible/roles/jail_momlaptop/tasks/peruser_linux.yaml Normal file
View File

5
ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf
View File

@ -88,6 +88,11 @@
// bastion - hard-coded in rc.conf, reproduced here to reserve ip
"hw-address": "06:ca:1a:10:74:09",
"ip-address": "10.215.1.217"
},
{
// momlaptop - hard-coded in rc.conf, reproduced here to reserve ip
"hw-address": "06:85:69:c5:6a:d6",
"ip-address": "10.215.1.218"
}
]
}

13
ansible/roles/media/tasks/freebsd.yaml
View File

@ -4,5 +4,18 @@
# Have to use yt-dlp instead of youtube_dl because of mpv
# - youtube_dl
- yt-dlp
state: present
- name: Install packages
when: install_graphics
package:
name:
- mkvtoolnix # for mkvmerge
state: present
- name: Install packages
when: not install_graphics
package:
name:
- mkvtoolnix-nogui # for mkvmerge
state: present

3
ansible/roles/poudriere/files/poudriere.d/14broadwell-default-computer-pkglist
View File

@ -11,6 +11,7 @@ graphics/ImageMagick7
lang/python
misc/terminfo-db
multimedia/ffmpeg
multimedia/mkvtoolnix@nogui
multimedia/v4l-utils
multimedia/webcamd
net-mgmt/ipcalc
@ -39,6 +40,7 @@ sysutils/bhyve-firmware
sysutils/btop
sysutils/cpu-microcode
sysutils/ddrescue
sysutils/dmidecode
sysutils/exfat-utils
sysutils/fusefs-exfat
sysutils/fusefs-sshfs
@ -54,6 +56,7 @@ sysutils/powerdxx
sysutils/powermon
sysutils/pstree
sysutils/rust-coreutils
sysutils/shuf
sysutils/tmux
sysutils/tree
sysutils/zrepl

1
ansible/roles/poudriere/files/poudriere.d/currentznver4-default-framework-pkglist
View File

@ -101,6 +101,7 @@ sysutils/pstree
sysutils/pv
sysutils/radeontop
sysutils/rust-coreutils
sysutils/shuf
sysutils/terraform
sysutils/tmux
sysutils/tree

1
ansible/roles/public_dns/files/master.db
View File

@ -72,3 +72,4 @@ home IN A 68.197.252.22
opstunnel IN CNAME home.fizz.buzz.
stream IN CNAME home.fizz.buzz.
stuff IN CNAME home.fizz.buzz.
momlaptop IN CNAME home.fizz.buzz.

2
ansible/run.bash
View File

@ -34,6 +34,8 @@ elif [ "$target" = "certificate" ]; then
ansible-playbook -v -i environments/jail playbook.yaml --diff --limit certificate "${@}"
elif [ "$target" = "bastion" ]; then
ansible-playbook -v -i environments/jail playbook.yaml --diff --limit bastion "${@}"
elif [ "$target" = "momlaptop" ]; then
ansible-playbook -v -i environments/jail playbook.yaml --diff --limit momlaptop "${@}"
elif [ "$target" = "vm_poudriereodo" ]; then
ansible-playbook -v -i environments/vm playbook.yaml --diff --limit poudriereodo "${@}"
elif [ "$target" = "vm_poudrieremrmanager" ]; then