Merge branch 'network'

2022-10-14 01:59:34 -04:00 · 2022-10-14 01:59:34 -04:00 · c41dfa799c
commit c41dfa799c
parent b08ff30f57 ae6673e182
14 changed files with 497 additions and 0 deletions
--- a/ansible/environments/home/host_vars/homeserver
+++ b/ansible/environments/home/host_vars/homeserver
@ -7,3 +7,6 @@ pf_config: "homeserver_pf.conf"
 pflog_conf:
  - name: 0
    dev: pflog0
+network_rc: "homeserver_network.conf"
+rc_conf: "homeserver_rc.conf"
+loader_conf: "homeserver_loader.conf"
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@ -6,6 +6,7 @@
    - users
    - zrepl
    - zsh
+    - network
    - sshd
    - base
    - firewall
--- a/ansible/roles/base/files/homeserver_loader.conf
+++ b/ansible/roles/base/files/homeserver_loader.conf
@ -0,0 +1,5 @@
+security.bsd.allow_destructive_dtrace=0
+kern.geom.label.disk_ident.enable="0"
+kern.geom.label.gptid.enable="0"
+cryptodev_load="YES"
+zfs_load="YES"
--- a/ansible/roles/base/files/homeserver_rc.conf
+++ b/ansible/roles/base/files/homeserver_rc.conf
@ -0,0 +1,10 @@
+clear_tmp_enable="YES"
+syslogd_flags="-ss"
+sendmail_enable="NONE"
+hostname="computer"
+local_unbound_enable="YES"
+sshd_enable="YES"
+ntpd_enable="YES"
+powerd_enable="YES"
+dumpdev="NO"
+zfs_enable="YES"
--- a/ansible/roles/base/files/login.conf
+++ b/ansible/roles/base/files/login.conf
@ -0,0 +1,332 @@
+# login.conf - login class capabilities database.
+#
+# Remember to rebuild the database after each change to this file:
+#
+#	cap_mkdb /etc/login.conf
+#
+# This file controls resource limits, accounting limits and
+# default user environment settings.
+#
+# $FreeBSD$
+#
+
+# Default settings effectively disable resource limits, see the
+# examples below for a starting point to enable them.
+
+# defaults
+# These settings are used by login(1) by default for classless users
+# Note that entries like "cputime" set both "cputime-cur" and "cputime-max"
+#
+# Note that since a colon ':' is used to separate capability entries,
+# a \c escape sequence must be used to embed a literal colon in the
+# value or name of a capability (see the ``CGETNUM AND CGETSTR SYNTAX
+# AND SEMANTICS'' section of getcap(3) for more escape sequences).
+
+default:\
+	:passwd_format=blf:\
+	:copyright=/etc/COPYRIGHT:\
+	:welcome=/var/run/motd:\
+	:setenv=BLOCKSIZE=K:\
+	:mail=/var/mail/$:\
+	:path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\
+	:nologin=/var/run/nologin:\
+	:cputime=unlimited:\
+	:datasize=unlimited:\
+	:stacksize=unlimited:\
+	:memorylocked=64K:\
+	:memoryuse=unlimited:\
+	:filesize=unlimited:\
+	:coredumpsize=unlimited:\
+	:openfiles=unlimited:\
+	:maxproc=unlimited:\
+	:sbsize=unlimited:\
+	:vmemoryuse=unlimited:\
+	:swapuse=unlimited:\
+	:pseudoterminals=unlimited:\
+	:kqueues=unlimited:\
+	:umtxp=unlimited:\
+	:priority=0:\
+	:ignoretime@:\
+	:umask=022:\
+	:charset=UTF-8:\
+	:lang=en_US.UTF-8:
+
+#
+# A collection of common class names - forward them all to 'default'
+# (login would normally do this anyway, but having a class name
+#  here suppresses the diagnostic)
+#
+standard:\
+	:tc=default:
+xuser:\
+	:tc=default:
+staff:\
+	:tc=default:
+
+# This PATH may be clobbered by individual applications.  Notably, by default,
+# rc(8), service(8), and cron(8) will all override it with a default PATH that
+# may not include /usr/local/sbin and /usr/local/bin when starting services or
+# jobs.
+daemon:\
+	:path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin:\
+	:mail@:\
+	:memorylocked=128M:\
+	:tc=default:
+news:\
+	:tc=default:
+dialer:\
+	:tc=default:
+
+#
+# Root can always login
+#
+# N.B.  login_getpwclass(3) will use this entry for the root account,
+#       in preference to 'default'.
+root:\
+	:ignorenologin:\
+	:memorylocked=unlimited:\
+	:tc=default:
+
+#
+# Russian Users Accounts. Setup proper environment variables.
+#
+russian|Russian Users Accounts:\
+	:charset=UTF-8:\
+	:lang=ru_RU.UTF-8:\
+	:tc=default:
+
+
+######################################################################
+######################################################################
+##
+## Example entries
+##
+######################################################################
+######################################################################
+
+## Example defaults
+## These settings are used by login(1) by default for classless users
+## Note that entries like "cputime" set both "cputime-cur" and "cputime-max"
+#
+#default:\
+#	:cputime=infinity:\
+#	:datasize-cur=22M:\
+#	:stacksize-cur=8M:\
+#	:memorylocked-cur=10M:\
+#	:memoryuse-cur=30M:\
+#	:filesize=infinity:\
+#	:coredumpsize=infinity:\
+#	:maxproc-cur=64:\
+#	:openfiles-cur=64:\
+#	:priority=0:\
+#	:requirehome@:\
+#	:umask=022:\
+#	:tc=auth-defaults:
+#
+#
+##
+## standard - standard user defaults
+##
+#standard:\
+#	:copyright=/etc/COPYRIGHT:\
+#	:welcome=/var/run/motd:\
+#	:setenv=BLOCKSIZE=K:\
+#	:mail=/var/mail/$:\
+#	:path=~/bin /bin /usr/bin /usr/local/bin:\
+#	:manpath=/usr/share/man /usr/local/man:\
+#	:nologin=/var/run/nologin:\
+#	:cputime=1h30m:\
+#	:datasize=8M:\
+#	:vmemoryuse=100M:\
+#	:stacksize=2M:\
+#	:memorylocked=4M:\
+#	:memoryuse=8M:\
+#	:filesize=8M:\
+#	:coredumpsize=8M:\
+#	:openfiles=24:\
+#	:maxproc=32:\
+#	:priority=0:\
+#	:requirehome:\
+#	:passwordtime=90d:\
+#	:umask=002:\
+#	:ignoretime@:\
+#	:tc=default:
+#
+#
+##
+## users of X (needs more resources!)
+##
+#xuser:\
+#	:manpath=/usr/share/man /usr/local/man:\
+#	:cputime=4h:\
+#	:datasize=12M:\
+#	:vmemoryuse=infinity:\
+#	:stacksize=4M:\
+#	:filesize=8M:\
+#	:memoryuse=16M:\
+#	:openfiles=32:\
+#	:maxproc=48:\
+#	:tc=standard:
+#
+#
+##
+## Staff users - few restrictions and allow login anytime
+##
+#staff:\
+#	:ignorenologin:\
+#	:ignoretime:\
+#	:requirehome@:\
+#	:accounted@:\
+#	:path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
+#	:umask=022:\
+#	:tc=standard:
+#
+#
+##
+## root - fallback for root logins
+##
+#root:\
+#	:path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
+#	:cputime=infinity:\
+#	:datasize=infinity:\
+#	:stacksize=infinity:\
+#	:memorylocked=infinity:\
+#	:memoryuse=infinity:\
+#	:filesize=infinity:\
+#	:coredumpsize=infinity:\
+#	:openfiles=infinity:\
+#	:maxproc=infinity:\
+#	:memoryuse-cur=32M:\
+#	:maxproc-cur=64:\
+#	:openfiles-cur=1024:\
+#	:priority=0:\
+#	:requirehome@:\
+#	:umask=022:\
+#	:tc=auth-root-defaults:
+#
+#
+##
+## Settings used by /etc/rc
+##
+#daemon:\
+#	:coredumpsize@:\
+#	:coredumpsize-cur=0:\
+#	:datasize=infinity:\
+#	:datasize-cur@:\
+#	:maxproc=512:\
+#	:maxproc-cur@:\
+#	:memoryuse-cur=64M:\
+#	:memorylocked-cur=64M:\
+#	:openfiles=1024:\
+#	:openfiles-cur@:\
+#	:stacksize=16M:\
+#	:stacksize-cur@:\
+#	:tc=default:
+#
+#
+##
+## Settings used by news subsystem
+##
+#news:\
+#	:path=/usr/local/news/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
+#	:cputime=infinity:\
+#	:filesize=128M:\
+#	:datasize-cur=64M:\
+#	:stacksize-cur=32M:\
+#	:coredumpsize-cur=0:\
+#	:maxmemorysize-cur=128M:\
+#	:memorylocked=32M:\
+#	:maxproc=128:\
+#	:openfiles=256:\
+#	:tc=default:
+#
+#
+##
+## The dialer class should be used for a dialup PPP account
+## Welcome messages/news suppressed
+##
+#dialer:\
+#	:hushlogin:\
+#	:requirehome@:\
+#	:cputime=unlimited:\
+#	:filesize=2M:\
+#	:datasize=2M:\
+#	:stacksize=4M:\
+#	:coredumpsize=0:\
+#	:memoryuse=4M:\
+#	:memorylocked=1M:\
+#	:maxproc=16:\
+#	:openfiles=32:\
+#	:tc=standard:
+#
+#
+##
+## Site full-time 24/7 PPP connection
+## - no time accounting, restricted to access via dialin lines
+##
+#site:\
+#	:ignoretime:\
+#	:passwordtime@:\
+#	:refreshtime@:\
+#	:refreshperiod@:\
+#	:sessionlimit@:\
+#	:autodelete@:\
+#	:expireperiod@:\
+#	:graceexpire@:\
+#	:gracetime@:\
+#	:warnexpire@:\
+#	:warnpassword@:\
+#	:idletime@:\
+#	:sessiontime@:\
+#	:daytime@:\
+#	:weektime@:\
+#	:monthtime@:\
+#	:warntime@:\
+#	:accounted@:\
+#	:tc=dialer:\
+#	:tc=staff:
+#
+#
+##
+## Example standard accounting entries for subscriber levels
+##
+#
+#subscriber|Subscribers:\
+#	:accounted:\
+#	:refreshtime=180d:\
+#	:refreshperiod@:\
+#	:sessionlimit@:\
+#	:autodelete=30d:\
+#	:expireperiod=180d:\
+#	:graceexpire=7d:\
+#	:gracetime=10m:\
+#	:warnexpire=7d:\
+#	:warnpassword=7d:\
+#	:idletime=30m:\
+#	:sessiontime=4h:\
+#	:daytime=6h:\
+#	:weektime=40h:\
+#	:monthtime=120h:\
+#	:warntime=4h:\
+#	:tc=standard:
+#
+#
+##
+## Subscriber accounts. These accounts have their login times
+## accounted and have access limits applied.
+##
+#subppp|PPP Subscriber Accounts:\
+#	:tc=dialer:\
+#	:tc=subscriber:
+#
+#
+#subshell|Shell Subscriber Accounts:\
+#	:tc=subscriber:
+#
+##
+## If you want some of the accounts to use traditional UNIX DES based
+## password hashes.
+##
+#des_users:\
+#	:passwd_format=des:\
+#	:tc=default:
--- a/ansible/roles/base/tasks/freebsd.yaml
+++ b/ansible/roles/base/tasks/freebsd.yaml
@ -34,3 +34,58 @@
 - name: Update cap_mkdb
  command: cap_mkdb /usr/share/misc/termcap
  when: wrote_alacritty_cap.changed
+
+- name: Install login.conf
+  copy:
+    src: login.conf
+    dest: /etc/login.conf
+    owner: root
+    group: wheel
+    mode: 0644
+  register: login_config
+
+- name: Update cap_mkdb
+  command: cap_mkdb /etc/login.conf
+  when: login_config.changed
+
+- name: Enable periodic scrub
+  community.general.sysrc:
+    name: daily_scrub_zfs_enable
+    value: "YES"
+    path: /etc/periodic.conf.local
+
+- name: Set scrub interval
+  community.general.sysrc:
+    name: daily_scrub_zfs_default_threshold
+    value: "7"
+    path: /etc/periodic.conf.local
+
+- name: Install loader.conf
+  copy:
+    src: "{{loader_conf}}"
+    dest: /boot/loader.conf
+    owner: root
+    group: wheel
+    mode: 0644
+  when: loader_conf is defined
+
+- name: Delete loader.conf
+  file:
+    path: /boot/loader.conf
+    state: absent
+  when: loader_conf is not defined
+
+- name: Install rc.conf
+  copy:
+    src: "{{rc_conf}}"
+    dest: /etc/rc.conf
+    mode: 0644
+    owner: root
+    group: wheel
+  when: rc_conf is defined
+
+- name: Delete rc.conf
+  file:
+    path: /etc/rc.conf
+    start: absent
+  when: rc_conf is not defined
--- a/ansible/roles/network/files/homeserver_network.conf
+++ b/ansible/roles/network/files/homeserver_network.conf
@ -0,0 +1,3 @@
+wlans_run0="wlan0"
+ifconfig_wlan0="WPA DHCP"
+ifconfig_wlan0_ipv6="inet6 accept_rtadv"
--- a/ansible/roles/network/tasks/common.yaml
+++ b/ansible/roles/network/tasks/common.yaml
@ -0,0 +1,14 @@
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user
--- a/ansible/roles/network/tasks/freebsd.yaml
+++ b/ansible/roles/network/tasks/freebsd.yaml
@ -0,0 +1,37 @@
+- name: Install configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  when: network_rc is defined
+  loop:
+    - src: "{{ network_rc }}"
+      dest: /etc/rc.conf.d/network
+
+- name: Install configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  when: rtsold_rc is defined
+  loop:
+    - src: "{{ rtsold_rc }}"
+      dest: /etc/rc.conf.d/rtsold
+
+- name: Configure sysctls
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    sysctl_file: "/etc/sysctl.conf.local"
+  loop:
+    []
+    # - name: net.inet6.ip6.accept_rtadv # Enable stateless autoconfiguration (SLAAC)
+    #   value: "1"
+    # - name: net.inet6.ip6.use_tempaddr # Enable privacy addresses
+    #   value: "1"
+    # - name: net.inet6.ip6.prefer_tempaddr # Prefer privacy addresses
--- a/ansible/roles/network/tasks/linux.yaml
+++ b/ansible/roles/network/tasks/linux.yaml
@ -0,0 +1,6 @@
+# - name: Install packages
+#   pacman:
+#     name:
+#       - foo
+#     state: present
+#     update_cache: true
--- a/ansible/roles/network/tasks/main.yaml
+++ b/ansible/roles/network/tasks/main.yaml
@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  when: foo is defined
--- a/ansible/roles/network/tasks/peruser.yaml
+++ b/ansible/roles/network/tasks/peruser.yaml
@ -0,0 +1,29 @@
+- include_role:
+    name: per_user
+
+# - name: Create directories
+#   file:
+#     name: "{{ account_homedir.stdout }}/{{ item }}"
+#     state: directory
+#     mode: 0700
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - ".config/foo"
+
+# - name: Copy files
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+#     mode: 0600
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - src: foo.conf
+#       dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'
--- a/ansible/roles/network/tasks/peruser_freebsd.yaml
+++ b/ansible/roles/network/tasks/peruser_freebsd.yaml
--- a/ansible/roles/network/tasks/peruser_linux.yaml
+++ b/ansible/roles/network/tasks/peruser_linux.yaml