diff --git a/doctor.jails.yml b/doctor.jails.yml
new file mode 100644
index 0000000..e2427d1
--- /dev/null
+++ b/doctor.jails.yml
@@ -0,0 +1,55 @@
+- name: Jails
+ hosts: all
+ vars_files:
+ - doctor.vars.yml
+
+ roles:
+ - criecm.iocage
+ tasks:
+ - name: fdescfs fstab
+ lineinfile:
+ line: 'fdesc /dev/fd fdescfs rw 0 0'
+ state: present
+ path: /etc/fstab
+
+ - name: Create bind9 jail
+ iocage:
+ name: bind9
+ state: present
+ properties: "{{ jails.bind9 }}"
+ register: jails_bind9_created
+
+ - name: Set bind9 properties
+ iocage:
+ name: bind9
+ state: set
+ properties: "{{ jails.bind9 }}"
+ register: jails_bind9_changed
+ when: not jails_bind9_created.changed
+
+ - name: Restart jails
+ iocage:
+ name: bind9
+ state: restarted
+ when: jails_bind9_changed.changed
+
+ - name: Create tor jail
+ iocage:
+ name: tor
+ state: present
+ properties: "{{ jails.tor }}"
+ register: jails_tor_created
+
+ - name: Set tor properties
+ iocage:
+ name: tor
+ state: set
+ properties: "{{ jails.tor }}"
+ register: jails_tor_changed
+ when: not jails_tor_created.changed
+
+ - name: Restart jails
+ iocage:
+ name: tor
+ state: restarted
+ when: jails_tor_changed.changed
diff --git a/doctor.services.yml b/doctor.services.yml
new file mode 100644
index 0000000..491dee8
--- /dev/null
+++ b/doctor.services.yml
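Review bot: The play is scoped to `hosts: all`, while doctor.yml, which pulls it in via `import_playbook`, is scoped to `hosts: doctor`; applied as-is it creates and boots the bind9 and tor jails on every host in the inventory, so narrow it to `hosts: doctor`. The play also carries no `become: yes`, unlike doctor.yml, so the iocage calls and the `/etc/fstab` edit presumably rely on the connection user already being root — confirm, or add `become: yes` next to `hosts`. Both restart tasks are named "Restart jails"; naming them `Restart bind9 jail` and `Restart tor jail` keeps the run log unambiguous.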
@@ -0,0 +1,75 @@
+- name: Install sshd-config
+ copy:
+ src: files/etc.ssh.sshd_config
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: wheel
+ mode: 0600
+ register: sshd
+
+- name: Install ssh-config
+ copy:
+ src: files/etc.ssh.ssh_config
+ dest: /etc/ssh/ssh_config
+ owner: root
+ group: wheel
+ mode: 0600
+
+- name: Restart sshd
+ service:
+ name: sshd
+ state: reloaded
+ when: sshd.changed
+
+- name: Install ntp.conf
+ copy:
+ src: files/etc.ntp.conf
+ dest: /etc/ntp.conf
+ owner: root
+ group: wheel
+ mode: 0640
+ register: ntpd
+
+- name: Enable ntp server
+ service:
+ name: ntpd
+ enabled: yes
+
+- name: Restart ntpd
+ service:
+ name: ntpd
+ state: restarted
+ when: ntpd.changed
+
+- name: Install isc-dhcp-server
+ package:
+ name: isc-dhcp43-server
+ state: present
+
+- name: Install dhcpd.conf
+ copy:
+ src: files/usr.local.etc.dhcpd.conf
+ dest: /usr/local/etc/dhcpd.conf
+ owner: root
+ group: wheel
+ mode: 0640
+ register: dhcpd
+
+- name: Configure rc.conf.d/dhcpd
+ copy:
+ src: files/etc.rc.conf.d.dhcpd
+ dest: /etc/rc.conf.d/dhcpd
+ owner: root
+ group: wheel
+ register: dhcpd
+
+- name: Enable dhcpd server
+ service:
+ name: isc-dhcpd
+ enabled: no
+
+- name: Restart dhcpd
+ service:
+ name: isc-dhcpd
+ state: restarted
+ when: dhcpd.changed
diff --git a/doctor.user.yml b/doctor.user.yml
new file mode 100644
index 0000000..285dc27
--- /dev/null
+++ b/doctor.user.yml 
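Review bot: `register: dhcpd` is assigned twice, by the dhcpd.conf copy and again by the rc.conf.d/dhcpd copy, so the second result overwrites the first and "Restart dhcpd" only fires when the rc.conf.d file changed, never when dhcpd.conf alone did; register the second task as `dhcpd_rc` and use `when: dhcpd.changed or dhcpd_rc.changed`. "Enable dhcpd server" sets `enabled: no` and is immediately followed by a restart, which yields a service that runs now but not after a reboot — if that is deliberate, say so in a comment, otherwise it should be `enabled: yes`. The sshd_config copy has no `validate:`; a syntax error in the pushed file is picked up by the reload and can lock you out of the host, so add `validate: '/usr/sbin/sshd -t -f %s'` to that task. The rc.conf.d copy is the only one without an explicit `mode`, and the octal modes should be quoted (`mode: '0600'`) so YAML cannot retype them.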
@@ -0,0 +1,102 @@ +- name: Adjust user + user: + name: "{{ user }}" + groups: ["{{ user }}", wheel] + shell: /usr/local/bin/bash + state: present + +- name: Adjust sudoers + copy: + src: "files/etc.sudoers.d.{{ user }}" + dest: "/usr/local/etc/sudoers.d/{{ user }}" + owner: root + group: wheel + mode: 0640 + +- name: Create ~/.ssh + file: + name: "/usr/home/{{ user }}/.ssh" + state: directory + owner: "{{ user }}" + group: "{{ user }}" + mode: 0750 + +- name: Install authorized_keys + copy: + src: "files/{{ user }}.ssh.authorized_keys" + dest: "/usr/home/{{ user }}/.ssh/authorized_keys" + owner: "{{ user }}" + group: "{{ user }}" + mode: 0600 + +- name: Install user ssh-config + copy: + src: "files/{{ user }}.ssh.config" + dest: "/usr/home/{{ user }}/.ssh/config" + owner: "{{ user }}" + group: "{{ user }}" + mode: 0600 + +- name: Install user known_hosts + copy: + src: "files/{{ user }}.ssh.known_hosts" + dest: "/usr/home/{{ user }}/.ssh/known_hosts" + owner: "{{ user }}" + group: "{{ user }}" + mode: 0600 + +- name: Create git dirs + file: + path: "/usr/home/{{ user }}/git/github.com" + state: directory + owner: "{{ user }}" + group: "{{ user }}" + register: git + +- name: Clone git-bash-prompt + git: + repo: https://github.com/magicmonty/bash-git-prompt.git + dest: "/usr/home/{{ user }}/git/github.com/bash-git-prompt" + version: "{{ git_bash_prompt_version }}" + register: git + +- name: Reset permissions git + file: + path: "/usr/home/{{ user }}/git" + state: directory + owner: "{{ user }}" + group: "{{ user }}" + recurse: yes + when: git.changed + +- name: Install user bashrc + copy: + src: "files/{{ user }}.bashrc" + dest: "/usr/home/{{ user }}/.bashrc" + owner: "{{ user }}" + group: "{{ user }}" + +- name: Install user vimrc + copy: + src: "files/{{ user }}.vimrc" + dest: "/usr/home/{{ user }}/.vimrc" + owner: "{{ user }}" + group: "{{ user }}" + +- name: Create ssh-keys + command: "ssh-keygen -t {{ item }} -b 4096 -N '' -f /usr/home/{{ user }}/.ssh/id_{{ item 
}}" + args: + creates: "/usr/home/{{ user }}/.ssh/id_{{ item }}" + with_items: + - rsa + - ed25519 + register: sshkeys + +- name: Reset permissions ssh + file: + path: "/usr/home/{{ user }}/.ssh" + state: directory + owner: "{{ user }}" + group: "{{ user }}" + recurse: yes + when: sshkeys.changed diff --git a/doctor.vars.yml b/doctor.vars.yml new file mode 100644 index 0000000..ffe7dc6 --- /dev/null +++ b/doctor.vars.yml @@ -0,0 +1,7 @@ +user: "who" +additional_groups: "wheel" +git_bash_prompt_version: 2.7.1 +iocage_zpool: zroot +jails: + bind9: "{ 'ip4_addr': '192.168.128.2', 'defaultrouter': '192.168.128.1', 'boot': 'on' }" + tor: "{ 'ip4_addr': '192.168.128.3', 'defaultrouter': '192.168.128.1', 'boot': 'on' }" diff --git a/doctor.yml b/doctor.yml index bd6bb9a..a89b184 100644 --- a/doctor.yml +++ b/doctor.yml @@ -1,30 +1,29 @@ -- hosts: +- hosts: doctor become: yes + + vars_files: + - doctor.vars.yml + tasks: - - name: Update package cache - command: pkg update - - name: Update ports - command: "portsnap fetch && portsnap update" + - name: Load vars + include_vars: + file: doctor.vars.yml + name: vars + - name: Install useful stuff package: name: [htop, sudo, tmux, vim-lite, bash] state: present - - name: Adjust user - user: - name: peter - groups: [peter, wheel] - shell: /usr/local/bin/bash - state: present + - name: Install extra stuff package: name: [git, gnupg] state: present - - name: Adjust sudoers - copy: - src: files/user.sudoers.d - dest: /usr/local/etc/sudoers.d/user - owner: root - group: wheel - mode: 0640 + + - import_tasks: doctor.services.yml + + - import_tasks: doctor.user.yml + +- import_playbook: doctor.jails.yml # vim: smartindent autoindent shiftwidth=2 tabstop=2 expandtab diff --git a/files/etc.ntp.conf b/files/etc.ntp.conf new file mode 100644 index 0000000..cd627ee --- /dev/null +++ b/files/etc.ntp.conf 
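Review bot: The sudoers drop-in copy has no `validate:`; a malformed file in `/usr/local/etc/sudoers.d` breaks sudo for every account on the host, so add `validate: '/usr/local/sbin/visudo -cf %s'` to "Adjust sudoers". "Create ssh-keys" generates passphrase-less private keys (`-N ''`) and leaves them in the user's home; if that is an accepted trade-off for this box it should be stated in a task comment, and note that `-b 4096` is ignored for ed25519. `register: git` is set by "Create git dirs" and then overwritten by the clone task, so "Reset permissions git" only reacts to the clone — drop the first `register` if that is intended. The home directory is hard-coded as `/usr/home/{{ user }}` in every task rather than taken from the user module's result; registering "Adjust user" and using its `.home` would survive a different home layout.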
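Review bot: `jails.bind9` and `jails.tor` are quoted strings holding a Python-style dict, so `properties: "{{ jails.bind9 }}"` reaches the iocage module as a dict only because Ansible's templater happens to re-evaluate literal-looking strings, which is fragile and changes under `jinja2_native`. Write them as native YAML mappings (`bind9:` / `ip4_addr: 192.168.128.2` / `defaultrouter: 192.168.128.1` / `boot: 'on'`), keeping `'on'` quoted since bare `on` is a YAML 1.1 boolean. `additional_groups: "wheel"` is defined but unused — the user task hard-codes `wheel` — and `git_bash_prompt_version: 2.7.1` pins a mutable tag; quote it and prefer a full commit hash for reproducibility.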
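Review bot: doctor.vars.yml is loaded twice, once through the play-level `vars_files` and again by the "Load vars" `include_vars` task under the `vars` namespace; nothing visible in this diff reads `vars.*`, so the task is redundant and one of the two should go. The removed `pkg update` and `portsnap` tasks mean `package: state: present` now installs from whatever catalogue is cached on the host; if current packages matter, add an explicit `pkgng: update_cache: yes` step rather than dropping the refresh entirely. Note that `hosts: doctor` and `become: yes` set here are not inherited by the play imported from doctor.jails.yml.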
@@ -0,0 +1,111 @@ +# +# $FreeBSD: releng/11.1/etc/ntp.conf 314531 2017-03-02 01:23:17Z ian $ +# +# Default NTP servers for the FreeBSD operating system. +# +# Don't forget to enable ntpd in /etc/rc.conf with: +# ntpd_enable="YES" +# +# The driftfile is by default /var/db/ntpd.drift, check +# /etc/defaults/rc.conf on how to change the location. +# + +# +# Set the target and limit for adding servers configured via pool statements +# or discovered dynamically via mechanisms such as broadcast and manycast. +# Ntpd automatically adds maxclock-1 servers from configured pools, and may +# add as many as maxclock*2 if necessary to ensure that at least minclock +# servers are providing good consistant time. +# +tos minclock 3 maxclock 6 + +# +# The following pool statement will give you a random set of NTP servers +# geographically close to you. A single pool statement adds multiple +# servers from the pool, according to the tos minclock/maxclock targets. +# See http://www.pool.ntp.org/ for details. Note, pool.ntp.org encourages +# users with a static IP and good upstream NTP servers to add a server +# to the pool. See http://www.pool.ntp.org/join.html if you are interested. +# +# The option `iburst' is used for faster initial synchronization. +# +#server ntp.inode.at iburst +#server ntp.favey.ch iburst +#server ntp.bcs2005.de iburst +#server time.nettel.cz iburst +#server domser.atomki.mta.hu iburst +pool 0.at.pool.ntp.org iburst + +# +# If you want to pick yourself which country's public NTP server +# you want to sync against, comment out the above pool, uncomment +# the next one, and replace CC with the country's abbreviation. +# Make sure that the hostname resolves to a proper IP address! +# +# pool 0.CC.pool.ntp.org iburst + +# +# To configure a specific server, such as an organization-wide local +# server, add lines similar to the following. One or more specific +# servers can be configured in addition to, or instead of, any server +# pools specified above. 
When both are configured, ntpd first adds all +# the specific servers, then adds servers from the pool until the tos +# minclock/maxclock targets are met. +# +#server time.my-internal.org iburst + +# +# Security: +# +# By default, only allow time queries and block all other requests +# from unauthenticated clients. +# +# The "restrict source" line allows peers to be mobilized when added by +# ntpd from a pool, but does not enable mobilizing a new peer association +# by other dynamic means (broadcast, manycast, ntpq commands, etc). +# +# See http://support.ntp.org/bin/view/Support/AccessRestrictions +# for more information. +# +restrict default limited kod nomodify notrap noquery nopeer +restrict -6 default limited kod nomodify notrap noquery nopeer +restrict source limited kod nomodify notrap noquery + +# +# Alternatively, the following rules would block all unauthorized access. +# +#restrict default ignore +#restrict -6 default ignore +# +# In this case, all remote NTP time servers also need to be explicitly +# allowed or they would not be able to exchange time information with +# this server. +# +# Please note that this example doesn't work for the servers in +# the pool.ntp.org domain since they return multiple A records. +# +#restrict 0.pool.ntp.org nomodify nopeer noquery notrap +#restrict 1.pool.ntp.org nomodify nopeer noquery notrap +#restrict 2.pool.ntp.org nomodify nopeer noquery notrap +# +# The following settings allow unrestricted access from the localhost +restrict 127.0.0.1 +restrict -6 ::1 + +# +# If a server loses sync with all upstream servers, NTP clients +# no longer follow that server. The local clock can be configured +# to provide a time source when this happens, but it should usually +# be configured on just one server on a network. For more details see +# http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock +# The use of Orphan Mode may be preferable. 
+# +#server 127.127.1.0 +#fudge 127.127.1.0 stratum 10 + +# See http://support.ntp.org/bin/view/Support/ConfiguringNTP#Section_6.14. +# for documentation regarding leapfile. Updates to the file can be obtained +# from ftp://time.nist.gov/pub/ or ftp://tycho.usno.navy.mil/pub/ntp/. +# Use either leapfile in /etc/ntp or weekly updated leapfile in /var/db. +#leapfile "/etc/ntp/leap-seconds" +leapfile "/var/db/ntpd.leap-seconds.list" diff --git a/files/etc.rc.conf.d.dhcpd b/files/etc.rc.conf.d.dhcpd new file mode 100644 index 0000000..b518d63 --- /dev/null +++ b/files/etc.rc.conf.d.dhcpd @@ -0,0 +1,11 @@ +dhcpd_flags="-q" +dhcpd_conf="/usr/local/etc/dhcpd.conf" +dhcpd_ifaces="em0" +dhcpd_withumask="022" +dhcpd_chuser_enable="YES" +dhcpd_withuser="dhcpd" +dhcpd_withgroup="dhcpd" +dhcpd_chroot_enable="YES" +dhcpd_devfs_enable="YES" +dhcpd_rootdir="/var/db/dhcpd" +dhcpd_includedir="" diff --git a/files/etc.ssh.ssh_config b/files/etc.ssh.ssh_config new file mode 100644 index 0000000..cbbcea3 --- /dev/null +++ b/files/etc.ssh.ssh_config 
@@ -0,0 +1,63 @@ +# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $ +# $FreeBSD: releng/11.1/crypto/openssh/ssh_config 311915 2017-01-11 05:56:40Z delphij $ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +# Host * +# ForwardAgent no +# ForwardX11 no +# RhostsRSAAuthentication no +# RSAAuthentication yes +# PasswordAuthentication yes +# HostbasedAuthentication no +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no +# BatchMode no +# CheckHostIP no +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity +# IdentityFile ~/.ssh/id_rsa +# IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 +# Port 22 +# Protocol 2 +# Cipher 3des +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 +# EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# VisualHostKey no +# ProxyCommand ssh -q -W %h:%p gateway.example.com +# RekeyLimit 1G 1h +# VerifyHostKeyDNS yes +# VersionAddendum FreeBSD-20161230 +HashKnownHosts yes +Host * + ConnectTimeout 30 + KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 + MACs 
hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + ServerAliveInterval 10 + ControlMaster auto + ControlPersist yes + ControlPath ~/.ssh/socket-%r@%h:%p diff --git a/files/etc.ssh.sshd_config b/files/etc.ssh.sshd_config new file mode 100644 index 0000000..adae0a9 --- /dev/null +++ b/files/etc.ssh.sshd_config 
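Review bot: `ControlPersist yes` keeps the multiplexing master alive indefinitely after the last session closes, so an already-authenticated channel to every host visited stays reusable by anything running as this user until the master is killed; a bounded value such as `ControlPersist 10m` limits that window. `ControlPath ~/.ssh/socket-%r@%h:%p` embeds user and hostname in the socket name and can exceed the UNIX socket path limit with long hostnames; `%C` (a hash of `%l%h%p%r`) avoids both, e.g. `ControlPath ~/.ssh/sockets/%C` with that directory created at mode 0700. `HashKnownHosts yes` sits above the `Host *` stanza, which works since it applies globally, but placing it with the other defaults reads clearer.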
@@ -0,0 +1,141 @@ +# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ +# $FreeBSD: releng/11.1/crypto/openssh/sshd_config 311915 2017-01-11 05:56:40Z delphij $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +# Note that some of FreeBSD's defaults differ from OpenBSD's, and +# FreeBSD has a few additional options. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +# The default requires explicit activation of protocol 1 +#Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Ciphers and keying +#RekeyLimit default none + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin no +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#RSAAuthentication yes +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# 
RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# Change to yes to enable built-in password authentication. +#PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to no to disable PAM authentication +#ChallengeResponseAuthentication yes + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'no' to disable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. 
+#UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation sandbox +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#UseBlacklist no +#VersionAddendum FreeBSD-20161230 + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/libexec/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server + +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com diff --git a/files/user.sudoers.d b/files/etc.sudoers.d.who similarity index 100% rename from files/user.sudoers.d rename to files/etc.sudoers.d.who diff --git a/files/usr.local.etc.dhcpd.conf b/files/usr.local.etc.dhcpd.conf new file mode 100644 index 0000000..381915d --- /dev/null +++ b/files/usr.local.etc.dhcpd.conf @@ -0,0 +1,17 @@ +default-lease-time 21600; +max-lease-time 86400; + +option domain-name "example.com"; +option domain-search "example.com"; + +authoritative; + +log-facility local7; + +subnet 192.168.128.0 netmask 255.255.255.0 { + range 192.168.128.100 192.168.1.200; + option domain-name-servers 192.168.128.2, 9.9.9.10; + option routers 192.168.128.1; + option time-servers 192.168.128.2; + ddns-domainname "vortex.local."; +} diff --git a/files/who.bashrc b/files/who.bashrc new file mode 100644 index 0000000..7178750 
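Review bot: Only host keys, the sftp subsystem and the KEX/Ciphers/MACs lists are set; everything that decides who may log in is left to FreeBSD's defaults. On FreeBSD `ChallengeResponseAuthentication` and `UsePAM` default to yes, so password logins via keyboard-interactive remain possible even though `PasswordAuthentication` defaults to no; since the playbook provisions authorized_keys, state the policy explicitly with `PasswordAuthentication no`, `ChallengeResponseAuthentication no` and `PermitRootLogin no`. `HostKeyAlgorithms` and `PubkeyAcceptedKeyTypes` are left at default while the transport algorithms are pinned; pin them too for consistency. Restricting logins to the provisioned account (`AllowUsers {{ user }}`, which would mean deploying this file with `template` instead of `copy`) would close the rest.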
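Review bot: `range 192.168.128.100 192.168.1.200;` ends outside the declared 192.168.128.0/24 subnet; isc-dhcpd refuses to start when a range is not on the subnet's network, so this is almost certainly meant to be `range 192.168.128.100 192.168.128.200;`. `ddns-domainname "vortex.local."` disagrees with `option domain-name "example.com"`, so one of them looks like a placeholder that was not updated. The secondary resolver 9.9.9.10 is, if I have Quad9's addressing right, their unfiltered/non-validating endpoint rather than 9.9.9.9 — confirm that is intended, since clients that fail over to it bypass whatever filtering the bind9 jail applies.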
--- /dev/null +++ b/files/who.bashrc @@ -0,0 +1,8 @@ +source ~/.shrc + +export LANG=C.UTF-8 +export EDITOR=/usr/local/bin/vim +alias ls="ls -G" +GIT_PROMPT_ONLY_IN_REPO=1 +GIT_PROMPT_THEME=Single_line +source ~/git/github.com/bash-git-prompt/gitprompt.sh diff --git a/files/who.ssh.authorized_keys b/files/who.ssh.authorized_keys new file mode 100644 index 0000000..c56ba66 --- /dev/null +++ b/files/who.ssh.authorized_keys @@ -0,0 +1,2 @@ +Host ludikovsky.name + Port 2222 diff --git a/files/who.ssh.config b/files/who.ssh.config new file mode 100644 index 0000000..e69de29 diff --git a/files/who.ssh.known_hosts b/files/who.ssh.known_hosts new file mode 100644 index 0000000..1bae52b --- /dev/null +++ b/files/who.ssh.known_hosts @@ -0,0 +1 @@ +github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== diff --git a/files/who.sudoers.d b/files/who.sudoers.d new file mode 100644 index 0000000..34d1c5e --- /dev/null +++ b/files/who.sudoers.d @@ -0,0 +1,3 @@ +Defaults passprompt="[sudo] Password for %p: " + +%wheel ALL=(ALL) ALL diff --git a/files/who.vimrc b/files/who.vimrc new file mode 100644 index 0000000..911d8b8 --- /dev/null +++ b/files/who.vimrc @@ -0,0 +1,4 @@ +set nocompatible bs=2 +set smartindent autoindent shiftwidth=2 tabstop=2 expandtab +set modeline +colorscheme desert
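Review bot: Every interactive shell `source`s `~/git/github.com/bash-git-prompt/gitprompt.sh`, third-party code cloned over HTTPS and pinned only to the tag `2.7.1`; tags are mutable, so whoever controls the upstream repository (or can move the tag) gets code execution in this user's login shell on the next playbook run. Pin `git_bash_prompt_version` to a full commit hash, or vendor the script into `files/` and deploy it like the other dotfiles. `source ~/.shrc` prints an error on every shell start if FreeBSD's skeleton file is absent; `[ -r ~/.shrc ] && . ~/.shrc` keeps it quiet.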
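Review bot: `files/who.ssh.authorized_keys` contains an ssh_config stanza (`Host ludikovsky.name` / `Port 2222`) rather than public keys, while `files/who.ssh.config` is added empty — the two files' contents appear to have been swapped. As committed, sshd finds no valid key in the user's `~/.ssh/authorized_keys` (it logs the unparsable lines), so public-key login for the provisioned account fails and, with FreeBSD's default `PasswordAuthentication no`, access depends on PAM keyboard-interactive still being enabled. Move the stanza to who.ssh.config and put the real `ssh-ed25519 AAAA... comment` lines here; the `Port 2222` entry only affects outbound connections and has no bearing on sshd.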
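Review bot: If I read the key material correctly, the pinned github.com entry is the RSA host key GitHub retired in March 2023 after its private key was exposed, so clients trusting this file now get a host-key mismatch against the current key; refresh it from GitHub's published fingerprints and add the ed25519 entry alongside. The playbook's own clone uses `https://`, so this file is not exercised by the `git` task and only matters for the user's interactive SSH use. Since `HashKnownHosts yes` is set system-wide, note that this pre-seeded entry stays unhashed (existing lines are not rewritten), which is fine but worth knowing.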
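Review bot: `files/who.sudoers.d` is not referenced by any task — "Adjust sudoers" copies `files/etc.sudoers.d.{{ user }}`, i.e. the renamed `files/etc.sudoers.d.who` whose contents are not shown in this diff — so this file is dead and the two can silently drift; delete one or point the task at it. `%wheel ALL=(ALL) ALL` grants every wheel member full root with a password prompt, which is the conservative form, but as the playbook adds `{{ user }}` to wheel it is effectively the per-account policy; a `who ALL=(ALL) ALL` line would keep the file name and its content aligned. The deploying task installs it at 0640; sudo accepts a root-owned file that is not group- or world-writable, but 0440 is the mode sudo itself uses, so consider matching it.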
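Review bot: `set modeline` turns on parsing of editor directives embedded in every file opened, including files pulled from remote hosts and the third-party repository this playbook clones; modelines have been an exploit vector before (CVE-2019-12735 escaped the sandbox through `:source!`), and the only modeline in this project is the harmless `vim:` line in doctor.yml. Prefer `set nomodeline` (or `set modelines=0`) on a host that edits untrusted content, and keep indentation defaults in the vimrc itself as line 2 already does. If modelines are genuinely wanted, a comment saying why would help the next reviewer.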