diff --git a/ansible/environments/home/host_vars/homeserver b/ansible/environments/home/host_vars/homeserver
index d13c4a6..efe2156 100644
--- a/ansible/environments/home/host_vars/homeserver
+++ b/ansible/environments/home/host_vars/homeserver
@@ -7,3 +7,6 @@ pf_config: "homeserver_pf.conf"
 pflog_conf:
   - name: 0
     dev: pflog0
+network_rc: "homeserver_network.conf"
+rc_conf: "homeserver_rc.conf"
+loader_conf: "homeserver_loader.conf"
diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml
index c91cc75..9205049 100644
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -6,6 +6,7 @@
     - users
     - zrepl
     - zsh
+    - network
     - sshd
     - base
     - firewall
diff --git a/ansible/roles/base/files/homeserver_loader.conf b/ansible/roles/base/files/homeserver_loader.conf
new file mode 100644
index 0000000..76d1466
--- /dev/null
+++ b/ansible/roles/base/files/homeserver_loader.conf
@@ -0,0 +1,5 @@
+security.bsd.allow_destructive_dtrace=0
+kern.geom.label.disk_ident.enable="0"
+kern.geom.label.gptid.enable="0"
+cryptodev_load="YES"
+zfs_load="YES"
diff --git a/ansible/roles/base/files/homeserver_rc.conf b/ansible/roles/base/files/homeserver_rc.conf
new file mode 100644
index 0000000..080e10b
--- /dev/null
+++ b/ansible/roles/base/files/homeserver_rc.conf
@@ -0,0 +1,10 @@
+clear_tmp_enable="YES"
+syslogd_flags="-ss"
+sendmail_enable="NONE"
+hostname="computer"
+local_unbound_enable="YES"
+sshd_enable="YES"
+ntpd_enable="YES"
+powerd_enable="YES"
+dumpdev="NO"
+zfs_enable="YES"
diff --git a/ansible/roles/base/files/login.conf b/ansible/roles/base/files/login.conf
new file mode 100644
index 0000000..6778ed4
--- /dev/null
+++ b/ansible/roles/base/files/login.conf
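Review bot: The quoting in homeserver_loader.conf is mixed — `security.bsd.allow_destructive_dtrace=0` is bare while the four lines after it quote their values; loader.conf accepts both forms, but one style reads better, e.g. `security.bsd.allow_destructive_dtrace="0"`. Disabling destructive DTrace at boot is a sensible hardening default for a server, and a one-line comment above it stating that intent would help, since nothing else in the file explains why it is there.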
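Review bot: `hostname="computer"` in homeserver_rc.conf does not match the host this file is selected for (the host_vars entry in this commit is `homeserver`), so it looks like a placeholder that was never filled in; if the box should answer to its inventory name, `hostname="homeserver"` or a templated value would be the fix. Because the base role copies this file over /etc/rc.conf wholesale, it is now the only place the hostname, sshd and ntpd settings live, which is worth a header comment such as `# Managed by ansible (roles/base) — local edits to /etc/rc.conf are overwritten` so nobody edits the live file and loses the change on the next run.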
@@ -0,0 +1,332 @@ +# login.conf - login class capabilities database. +# +# Remember to rebuild the database after each change to this file: +# +# cap_mkdb /etc/login.conf +# +# This file controls resource limits, accounting limits and +# default user environment settings. +# +# $FreeBSD$ +# + +# Default settings effectively disable resource limits, see the +# examples below for a starting point to enable them. + +# defaults +# These settings are used by login(1) by default for classless users +# Note that entries like "cputime" set both "cputime-cur" and "cputime-max" +# +# Note that since a colon ':' is used to separate capability entries, +# a \c escape sequence must be used to embed a literal colon in the +# value or name of a capability (see the ``CGETNUM AND CGETSTR SYNTAX +# AND SEMANTICS'' section of getcap(3) for more escape sequences). + +default:\ + :passwd_format=blf:\ + :copyright=/etc/COPYRIGHT:\ + :welcome=/var/run/motd:\ + :setenv=BLOCKSIZE=K:\ + :mail=/var/mail/$:\ + :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\ + :nologin=/var/run/nologin:\ + :cputime=unlimited:\ + :datasize=unlimited:\ + :stacksize=unlimited:\ + :memorylocked=64K:\ + :memoryuse=unlimited:\ + :filesize=unlimited:\ + :coredumpsize=unlimited:\ + :openfiles=unlimited:\ + :maxproc=unlimited:\ + :sbsize=unlimited:\ + :vmemoryuse=unlimited:\ + :swapuse=unlimited:\ + :pseudoterminals=unlimited:\ + :kqueues=unlimited:\ + :umtxp=unlimited:\ + :priority=0:\ + :ignoretime@:\ + :umask=022:\ + :charset=UTF-8:\ + :lang=en_US.UTF-8: + +# +# A collection of common class names - forward them all to 'default' +# (login would normally do this anyway, but having a class name +# here suppresses the diagnostic) +# +standard:\ + :tc=default: +xuser:\ + :tc=default: +staff:\ + :tc=default: + +# This PATH may be clobbered by individual applications. 
Notably, by default, +# rc(8), service(8), and cron(8) will all override it with a default PATH that +# may not include /usr/local/sbin and /usr/local/bin when starting services or +# jobs. +daemon:\ + :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin:\ + :mail@:\ + :memorylocked=128M:\ + :tc=default: +news:\ + :tc=default: +dialer:\ + :tc=default: + +# +# Root can always login +# +# N.B. login_getpwclass(3) will use this entry for the root account, +# in preference to 'default'. +root:\ + :ignorenologin:\ + :memorylocked=unlimited:\ + :tc=default: + +# +# Russian Users Accounts. Setup proper environment variables. +# +russian|Russian Users Accounts:\ + :charset=UTF-8:\ + :lang=ru_RU.UTF-8:\ + :tc=default: + + +###################################################################### +###################################################################### +## +## Example entries +## +###################################################################### +###################################################################### + +## Example defaults +## These settings are used by login(1) by default for classless users +## Note that entries like "cputime" set both "cputime-cur" and "cputime-max" +# +#default:\ +# :cputime=infinity:\ +# :datasize-cur=22M:\ +# :stacksize-cur=8M:\ +# :memorylocked-cur=10M:\ +# :memoryuse-cur=30M:\ +# :filesize=infinity:\ +# :coredumpsize=infinity:\ +# :maxproc-cur=64:\ +# :openfiles-cur=64:\ +# :priority=0:\ +# :requirehome@:\ +# :umask=022:\ +# :tc=auth-defaults: +# +# +## +## standard - standard user defaults +## +#standard:\ +# :copyright=/etc/COPYRIGHT:\ +# :welcome=/var/run/motd:\ +# :setenv=BLOCKSIZE=K:\ +# :mail=/var/mail/$:\ +# :path=~/bin /bin /usr/bin /usr/local/bin:\ +# :manpath=/usr/share/man /usr/local/man:\ +# :nologin=/var/run/nologin:\ +# :cputime=1h30m:\ +# :datasize=8M:\ +# :vmemoryuse=100M:\ +# :stacksize=2M:\ +# :memorylocked=4M:\ +# :memoryuse=8M:\ +# :filesize=8M:\ +# :coredumpsize=8M:\ +# 
:openfiles=24:\ +# :maxproc=32:\ +# :priority=0:\ +# :requirehome:\ +# :passwordtime=90d:\ +# :umask=002:\ +# :ignoretime@:\ +# :tc=default: +# +# +## +## users of X (needs more resources!) +## +#xuser:\ +# :manpath=/usr/share/man /usr/local/man:\ +# :cputime=4h:\ +# :datasize=12M:\ +# :vmemoryuse=infinity:\ +# :stacksize=4M:\ +# :filesize=8M:\ +# :memoryuse=16M:\ +# :openfiles=32:\ +# :maxproc=48:\ +# :tc=standard: +# +# +## +## Staff users - few restrictions and allow login anytime +## +#staff:\ +# :ignorenologin:\ +# :ignoretime:\ +# :requirehome@:\ +# :accounted@:\ +# :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\ +# :umask=022:\ +# :tc=standard: +# +# +## +## root - fallback for root logins +## +#root:\ +# :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\ +# :cputime=infinity:\ +# :datasize=infinity:\ +# :stacksize=infinity:\ +# :memorylocked=infinity:\ +# :memoryuse=infinity:\ +# :filesize=infinity:\ +# :coredumpsize=infinity:\ +# :openfiles=infinity:\ +# :maxproc=infinity:\ +# :memoryuse-cur=32M:\ +# :maxproc-cur=64:\ +# :openfiles-cur=1024:\ +# :priority=0:\ +# :requirehome@:\ +# :umask=022:\ +# :tc=auth-root-defaults: +# +# +## +## Settings used by /etc/rc +## +#daemon:\ +# :coredumpsize@:\ +# :coredumpsize-cur=0:\ +# :datasize=infinity:\ +# :datasize-cur@:\ +# :maxproc=512:\ +# :maxproc-cur@:\ +# :memoryuse-cur=64M:\ +# :memorylocked-cur=64M:\ +# :openfiles=1024:\ +# :openfiles-cur@:\ +# :stacksize=16M:\ +# :stacksize-cur@:\ +# :tc=default: +# +# +## +## Settings used by news subsystem +## +#news:\ +# :path=/usr/local/news/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\ +# :cputime=infinity:\ +# :filesize=128M:\ +# :datasize-cur=64M:\ +# :stacksize-cur=32M:\ +# :coredumpsize-cur=0:\ +# :maxmemorysize-cur=128M:\ +# :memorylocked=32M:\ +# :maxproc=128:\ +# :openfiles=256:\ +# :tc=default: +# +# +## +## The dialer class should be used for a dialup PPP account +## Welcome messages/news 
suppressed +## +#dialer:\ +# :hushlogin:\ +# :requirehome@:\ +# :cputime=unlimited:\ +# :filesize=2M:\ +# :datasize=2M:\ +# :stacksize=4M:\ +# :coredumpsize=0:\ +# :memoryuse=4M:\ +# :memorylocked=1M:\ +# :maxproc=16:\ +# :openfiles=32:\ +# :tc=standard: +# +# +## +## Site full-time 24/7 PPP connection +## - no time accounting, restricted to access via dialin lines +## +#site:\ +# :ignoretime:\ +# :passwordtime@:\ +# :refreshtime@:\ +# :refreshperiod@:\ +# :sessionlimit@:\ +# :autodelete@:\ +# :expireperiod@:\ +# :graceexpire@:\ +# :gracetime@:\ +# :warnexpire@:\ +# :warnpassword@:\ +# :idletime@:\ +# :sessiontime@:\ +# :daytime@:\ +# :weektime@:\ +# :monthtime@:\ +# :warntime@:\ +# :accounted@:\ +# :tc=dialer:\ +# :tc=staff: +# +# +## +## Example standard accounting entries for subscriber levels +## +# +#subscriber|Subscribers:\ +# :accounted:\ +# :refreshtime=180d:\ +# :refreshperiod@:\ +# :sessionlimit@:\ +# :autodelete=30d:\ +# :expireperiod=180d:\ +# :graceexpire=7d:\ +# :gracetime=10m:\ +# :warnexpire=7d:\ +# :warnpassword=7d:\ +# :idletime=30m:\ +# :sessiontime=4h:\ +# :daytime=6h:\ +# :weektime=40h:\ +# :monthtime=120h:\ +# :warntime=4h:\ +# :tc=standard: +# +# +## +## Subscriber accounts. These accounts have their login times +## accounted and have access limits applied. +## +#subppp|PPP Subscriber Accounts:\ +# :tc=dialer:\ +# :tc=subscriber: +# +# +#subshell|Shell Subscriber Accounts:\ +# :tc=subscriber: +# +## +## If you want some of the accounts to use traditional UNIX DES based +## password hashes. +## +#des_users:\ +# :passwd_format=des:\ +# :tc=default: diff --git a/ansible/roles/base/tasks/freebsd.yaml b/ansible/roles/base/tasks/freebsd.yaml index bea6e27..379f3be 100644 --- a/ansible/roles/base/tasks/freebsd.yaml +++ b/ansible/roles/base/tasks/freebsd.yaml 
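Review bot: This login.conf appears to be the stock FreeBSD file with a few local edits (at least `passwd_format=blf` and `lang=en_US.UTF-8` in the default class), but nothing records which lines deviate from the base-system copy, which makes the next merge after an OS upgrade a guessing game. A short header comment listing the deliberate deviations — e.g. `# Local changes vs. stock: passwd_format=blf, lang=en_US.UTF-8 in 'default'` — would fix that, and the `$FreeBSD$` keyword line can go since the file is no longer tracked by the base system. Note that `passwd_format` only affects hashes written when a password is next set; existing accounts keep their current hash type until then, so an explicit re-hash step is needed if the switch to blf is meant to be complete.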
@@ -34,3 +34,58 @@
 - name: Update cap_mkdb
   command: cap_mkdb /usr/share/misc/termcap
   when: wrote_alacritty_cap.changed
+
+- name: Install login.conf
+  copy:
+    src: login.conf
+    dest: /etc/login.conf
+    owner: root
+    group: wheel
+    mode: 0644
+  register: login_config
+
+- name: Update cap_mkdb
+  command: cap_mkdb /etc/login.conf
+  when: login_config.changed
+
+- name: Enable periodic scrub
+  community.general.sysrc:
+    name: daily_scrub_zfs_enable
+    value: "YES"
+    path: /etc/periodic.conf.local
+
+- name: Set scrub interval
+  community.general.sysrc:
+    name: daily_scrub_zfs_default_threshold
+    value: "7"
+    path: /etc/periodic.conf.local
+
+- name: Install loader.conf
+  copy:
+    src: "{{loader_conf}}"
+    dest: /boot/loader.conf
+    owner: root
+    group: wheel
+    mode: 0644
+  when: loader_conf is defined
+
+- name: Delete loader.conf
+  file:
+    path: /boot/loader.conf
+    state: absent
+  when: loader_conf is not defined
+
+- name: Install rc.conf
+  copy:
+    src: "{{rc_conf}}"
+    dest: /etc/rc.conf
+    mode: 0644
+    owner: root
+    group: wheel
+  when: rc_conf is defined
+
+- name: Delete rc.conf
+  file:
+    path: /etc/rc.conf
+    start: absent
+  when: rc_conf is not defined
diff --git a/ansible/roles/network/files/homeserver_network.conf b/ansible/roles/network/files/homeserver_network.conf
new file mode 100644
index 0000000..88469c6
--- /dev/null
+++ b/ansible/roles/network/files/homeserver_network.conf
@@ -0,0 +1,3 @@
+wlans_run0="wlan0"
+ifconfig_wlan0="WPA DHCP"
+ifconfig_wlan0_ipv6="inet6 accept_rtadv"
diff --git a/ansible/roles/network/tasks/common.yaml b/ansible/roles/network/tasks/common.yaml
new file mode 100644
index 0000000..d7c1735
--- /dev/null
+++ b/ansible/roles/network/tasks/common.yaml
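Review bot: `start: absent` in the "Delete rc.conf" task is a typo for `state: absent`; the file module rejects unknown parameters, so this task fails whenever `rc_conf` is undefined instead of removing the file. Beyond the typo, deleting /etc/rc.conf because a host variable is missing is a destructive default — a host without `rc_conf` loses its hostname, sshd_enable and the rest on the next run — so failing closed with an `assert`/`fail` task, or simply skipping, would be safer, and the same applies to the "Delete loader.conf" task. Copying the whole file also reverts anything another role sets in /etc/rc.conf via sysrc; I cannot see the firewall or sshd roles, but if they do that, the play will flip those keys on every run. Two tasks in this file are now named "Update cap_mkdb"; a distinct name such as `- name: Rebuild login.conf database` helps when reading the run log, and `"{{ loader_conf }}"` with spaces matches the style used in the network role.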
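Review bot: `ifconfig_wlan0="WPA DHCP"` makes the interface depend on /etc/wpa_supplicant.conf, and nothing in this commit installs or manages that file, so the wireless link only comes up if it was placed on the host by hand. If that is deliberate, a comment in homeserver_network.conf saying so (`# WPA credentials live in /etc/wpa_supplicant.conf, managed outside ansible`) saves the next reader a search; if not, the credentials belong in a vault-backed template rather than a plain file in the repository.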
@@ -0,0 +1,14 @@
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user
diff --git a/ansible/roles/network/tasks/freebsd.yaml b/ansible/roles/network/tasks/freebsd.yaml
new file mode 100644
index 0000000..6bc4e2e
--- /dev/null
+++ b/ansible/roles/network/tasks/freebsd.yaml
@@ -0,0 +1,37 @@
+- name: Install configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  when: network_rc is defined
+  loop:
+    - src: "{{ network_rc }}"
+      dest: /etc/rc.conf.d/network
+
+- name: Install configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  when: rtsold_rc is defined
+  loop:
+    - src: "{{ rtsold_rc }}"
+      dest: /etc/rc.conf.d/rtsold
+
+- name: Configure sysctls
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    sysctl_file: "/etc/sysctl.conf.local"
+  loop:
+    []
+    # - name: net.inet6.ip6.accept_rtadv # Enable stateless autoconfiguration (SLAAC)
+    #   value: "1"
+    # - name: net.inet6.ip6.use_tempaddr # Enable privacy addresses
+    #   value: "1"
+    # - name: net.inet6.ip6.prefer_tempaddr # Prefer privacy addresses
diff --git a/ansible/roles/network/tasks/linux.yaml b/ansible/roles/network/tasks/linux.yaml
new file mode 100644
index 0000000..e1835f0
--- /dev/null
+++ b/ansible/roles/network/tasks/linux.yaml
@@ -0,0 +1,6 @@
+# - name: Install packages
+#   pacman:
+#     name:
+#       - foo
+#     state: present
+#     update_cache: true
diff --git a/ansible/roles/network/tasks/main.yaml b/ansible/roles/network/tasks/main.yaml
new file mode 100644
index 0000000..c7a170c
--- /dev/null
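Review bot: `become: yes` under `apply` is the YAML 1.1 boolean spelling; Ansible accepts it, but yamllint's truthy rule flags it and the commented-out linux task in this same commit spells `update_cache: true`, so `become: true` keeps one style. The `loop` filter chain relies on `community.general.json_query`, which needs the jmespath library on the controller; that is a run-time requirement worth a comment above the loop or a line in the role's README so a fresh controller does not fail with an unhelpful filter error.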
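Review bot: Both copy tasks are named "Install configuration", so the run log cannot tell the network and rtsold installs apart; `- name: Install rc.conf.d/network` and `- name: Install rc.conf.d/rtsold` would do. Each also writes into /etc/rc.conf.d/ without ensuring the directory exists — copy does not create parent directories, so on a host where it is absent the task fails; a preceding `file` task with `path: /etc/rc.conf.d` and `state: directory` covers that. The sysctl task with `loop: []` is dead scaffolding: it is skipped on every run and carries three commented-out entries, so either drop it until there is a real entry or enable the entries, with a comment explaining the IPv6 privacy-address choice they encode.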
+++ b/ansible/roles/network/tasks/main.yaml
@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  when: foo is defined
diff --git a/ansible/roles/network/tasks/peruser.yaml b/ansible/roles/network/tasks/peruser.yaml
new file mode 100644
index 0000000..111e886
--- /dev/null
+++ b/ansible/roles/network/tasks/peruser.yaml
@@ -0,0 +1,29 @@
+- include_role:
+    name: per_user
+
+# - name: Create directories
+#   file:
+#     name: "{{ account_homedir.stdout }}/{{ item }}"
+#     state: directory
+#     mode: 0700
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - ".config/foo"
+
+# - name: Copy files
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+#     mode: 0600
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - src: foo.conf
+#       dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'
diff --git a/ansible/roles/network/tasks/peruser_freebsd.yaml b/ansible/roles/network/tasks/peruser_freebsd.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/network/tasks/peruser_linux.yaml b/ansible/roles/network/tasks/peruser_linux.yaml
new file mode 100644
index 0000000..e69de29
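Review bot: `when: foo is defined` on the import of tasks/common.yaml gates the entire network role on a placeholder variable that nothing in this diff defines, so the role the playbook now lists does nothing — including the rc.conf.d/network install that the new host_vars are set up for. If the gate is meant to keep the role switched off until it is finished, say so with a comment above it; otherwise replace it with the real condition, e.g. `when: network_rc is defined or rtsold_rc is defined`, or drop it, since the imported tasks already guard themselves. Either way the condition on an `import_tasks` is inherited by every imported task, which is worth a comment because it also silently skips the per-user include.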