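---
# main.yaml
#
# Host-side tasks for ezjail-managed FreeBSD jails: run jail.yaml once per
# jail, then set the host-wide jail sysctls and securelevel. The base-system
# tasks (ZFS, ezjail install, basejail) are kept commented out as found.
###- name: "Enable ZFS in sysrc"
###  sysrc: name=zfs_enable value=YES
###
###- name: "Install ezjail"
###  pkgng: name=ezjail state=present
###
###- name: "Enable ezjail in sysrc"
###  sysrc: name=ezjail_enable value=YES
###
###- name: "Create ZFS dataset for jails"
###  zfs: name={{ ezjail_jailzfs }} state=present mountpoint=/usr/jails
###
###- name: "Jail the jailed ZFS endpoints"
###  command: "zfs set jailed=on {{ item }}"
###  with_items: "{{ jailed_zfs_endpoint }}"
###
###- name: "Configure ezjail to use ZFS"
###  sysrc: name={{ item.name }} value="{{item.value}}" dest=/usr/local/etc/ezjail.conf
###  with_items:
###    - { name: 'ezjail_use_zfs', value: 'YES' }
###    - { name: 'ezjail_use_zfs_for_jails', value: 'YES' }
###    - { name: 'ezjail_jailzfs', value: "{{ ezjail_jailzfs }}" }
###
###- name: "Check if the base jail is already present"
###  stat: path=/usr/jails/basejail/
###  register: basejail_present
###
###- name: "Create the base jail"
###  command: ezjail-admin install
###  when: basejail_present.stat.exists == False

###- name: "Setup variables"
###  debug:
###    msg: "List of jails (2):{{ jail_list }}"

# One pass of jail.yaml per host in the inventory group named by this
# host's `jail_group` variable; each jail's settings come from hostvars.
- include_tasks: jail.yaml
  vars:
    jail: "{{ item }}"
  with_items: "{{ groups[hostvars[inventory_hostname].jail_group] }}"

# Host-wide jail policy: these sysctls apply to every jail on this host,
# not per jail. allow_raw_sockets widens what jails may do (raw IP sockets);
# socket_unixiproute_only limits jails to UNIX, IP and routing sockets.
# Values are quoted so they stay strings for the module.
- name: "Allow jails to use raw sockets"
  sysctl:
    name: security.jail.allow_raw_sockets
    value: "1"
    reload: true

- name: "Prevent jails from using unknown network protocols"
  sysctl:
    name: security.jail.socket_unixiproute_only
    value: "1"
    reload: true

# Quoted "YES": a bare YES is a YAML 1.1 boolean and would reach sysrc as
# "True" instead of the rc.conf value.
- name: "Enable securelevel"
  sysrc:
    name: kern_securelevel_enable
    value: "YES"

##
##- name: "record list of all existing jails"
##  shell: ezjail-admin list | egrep '^Z' | awk '{print $4}'
##  register: ezjail_output

- name: "record list of all existing jails"
  command: ezjail-admin list
  register: ezjail_output

##- name: "Show Output from ezjail"
##  debug:
##    msg: "ezjail_output.stdout_lines list result: {{ ezjail_output.stdout_lines }}"

##- name: "print list of existing jails"
##  vars:
##    re_existing_jails: '^Z\w\s+\S+\s+[0-9a-f.:]+\s+(\w+)\s+.*'
##    existing_jails:
##      "{{ ezjail_output.stdout('\n') | regex_search(re_existing_jails, '\\1') }}"
##  debug:
##    msg: "ezjail-admin list result: {{ ezjail_output.stdout }}"

- name: "print list of existing jails"
  vars:
    re_existing_jails: '^Z\w\s+\S+\s+[0-9a-f.:]+\s+(\w+)\s+.*'
    # Block scalar so the group reference reaches Jinja as the two characters
    # `\1`. Inside a double-quoted YAML scalar, "\\1" is collapsed to "\1" by
    # YAML first, and Jinja then decodes '\1' as an escape, not a backreference,
    # which regex_search rejects.
    # NOTE(review): regex_search returns the first match only and `^` is
    # anchored to the start of stdout here; confirm that regex_findall with
    # the multiline flag was not what was intended.
    existing_jails: >-
      {{ ezjail_output.stdout | regex_search(re_existing_jails, '\\1') }}
  debug:
    msg: "ezjail-admin list result: {{ existing_jails }}"
####"{{ ezjail_output.stdout | regex_search('^Z\\w\\s+\\S+\\s+[0-9a-f.:]+\\s+(\\w+)\\s+.*', '\\1') }}"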
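---
# jail.yaml
#
# Per-jail tasks, included once per jail from main.yaml with `jail` set to
# the jail's inventory hostname; everything about the jail is read from
# hostvars[jail] (name, ip_address, parameters, zfs_datasets, started_after,
# start_ssh).

- name: "Show jail (1)"
  debug:
    msg: "Jail: {{ jail }}"

- name: "List jail name"
  debug:
    ##vars['hostvars']['bh5']['vars']
    msg: "Jail name: {{ vars.hostvars[jail].name }}"

- name: "List jails IP addresses"
  debug:
    msg: "Jail IP addresses: {{ hostvars[jail].ip_address }}"

# Existence probe: only the exit status of `ezjail-admin config` is used,
# through the `failed` flag of the registered result.
- name: "Check if jail already exists"
  command: ezjail-admin config -r test {{ hostvars[jail].name }}
  ignore_errors: true
  register: jail_exists

# `|failed` was a filter removed in Ansible 2.9; the `is failed` test is its
# replacement with the same meaning.
- name: "Create the jail"
  command: ezjail-admin create {{ hostvars[jail].name }} {{ hostvars[jail].ip_address }}
  when: jail_exists is failed

##- name: "Optionally enable ACL on the ZFS dataset"
##  zfs:
##    name: "{{ ezjail_jailzfs }}/{{ hostvars[jail].name }}"
##    state: present
##    aclinherit: passthrough
##    aclmode: passthrough
##  when: hostvars[jail].enable_zfs_acls is defined and hostvars[jail].enable_zfs_acls
##

- name: "Check if resolv.conf already exists"
  stat:
    path: "/usr/jails/{{ hostvars[jail].name }}/etc/resolv.conf"
  register: resolv_conf_present

# Seed the jail's resolver from the host copy; skipped once the jail has
# its own file, so a jail-local resolv.conf is not overwritten on reruns.
- name: "Copy resolv.conf to jail"
  copy:
    remote_src: true
    src: /etc/resolv.conf
    dest: "/usr/jails/{{ hostvars[jail].name }}/etc/resolv.conf"
  when: not resolv_conf_present.stat.exists

###- name: "Set the jail devfs ruleset. Setting it to '4' instead of the same ruleset's name allow hierachical jails."
###  lineinfile:
###    dest: "/usr/local/etc/ezjail/{{ hostvars[jail].name }}"
###    regexp: ^export jail_{{ hostvars[jail].name }}_devfs_ruleset
###    line: export jail_{{ hostvars[jail].name }}_devfs_ruleset="4"

# Each jail setting is one `export jail_<name>_<key>=...` line in the
# per-jail ezjail config, matched on its prefix so reruns replace the line
# instead of appending a second one.
- name: "Set the jail parameters"
  lineinfile:
    dest: "/usr/local/etc/ezjail/{{ hostvars[jail].name }}"
    regexp: ^export jail_{{ hostvars[jail].name }}_parameters
    line: export jail_{{ hostvars[jail].name }}_parameters={{ hostvars[jail].parameters|to_json }}
  when: hostvars[jail].parameters is defined

- name: "Set the jail ZFS datasets"
  lineinfile:
    dest: "/usr/local/etc/ezjail/{{ hostvars[jail].name }}"
    regexp: ^export jail_{{ hostvars[jail].name }}_zfs_datasets
    line: export jail_{{ hostvars[jail].name }}_zfs_datasets={{ hostvars[jail].zfs_datasets|to_json }}
  when: hostvars[jail].zfs_datasets is defined

##- name: "Set the jail stop command"
##  lineinfile:
##    dest: "/usr/local/etc/ezjail/{{ hostvars[jail].name }}"
##    regexp: ^export jail_{{ hostvars[jail].name }}_exec_stop
##    line: export jail_{{ hostvars[jail].name }}_exec_stop="{{ hostvars[jail].exec_stop }}"
##  when: hostvars[jail].exec_stop is defined

# rcorder header lines: PROVIDE names this jail, REQUIRE lists the jails
# in started_after so they are ordered before it.
- name: "Configure the rcorder of the jail 1/2"
  lineinfile:
    dest: "/usr/local/etc/ezjail/{{ hostvars[jail].name }}"
    regexp: '^# PROVIDE:'
    line: '# PROVIDE: ezjail_jail_{{ hostvars[jail].name }}'

- name: "Configure the rcorder of the jail 2/2"
  lineinfile:
    dest: "/usr/local/etc/ezjail/{{ hostvars[jail].name }}"
    regexp: '^# REQUIRE:'
    line: '# REQUIRE: {% for j in hostvars[jail].started_after %} ezjail_jail_{{j}} {% endfor %}'
  when: hostvars[jail].started_after is defined

##
##- name: "Ensure sshd is enabled in the jail"
##  sysrc: name=sshd_enable value=YES dest=/usr/jails/{{ hostvars[jail].name }}/etc/rc.conf
##  when: hostvars[jail].started and hostvars[jail].start_ssh
##
##- name: "Ensure sshd is only listening on the jail address"
##  lineinfile:
##    dest: /usr/jails/{{ hostvars[jail].name }}/etc/ssh/sshd_config
##    regexp: '^ListenAddress '
##    line: ListenAddress {{ hostvars[jail].ip_address.split(",")[0] }}
##  when: hostvars[jail].start_ssh

##- name: "Ensure the ssh folder of user ansible is present"
##  file:
##    path: /usr/jails/{{ hostvars[jail].name }}/home/ansible/.ssh
##    state: directory
##    mode: 0755
##    owner: root
##    group: wheel
##
##- name: "Ensure the authorized_keys of user ansible is present"
##  copy:
##    dest: /usr/jails/{{ hostvars[jail].name }}/home/ansible/.ssh/authorized_keys
##    content: "{{ lookup('file', ansible_ssh_private_key_file+'.pub') }}"
##    force: no
##    mode: 0644
##    owner: root
##    group: wheel
##  when: hostvars[jail].start_ssh

# `jls -j <name>` exits 0 when the jail is running; its rc drives the two
# tasks that follow.
- name: "Check if the jail is already running"
  command: jls -j {{ hostvars[jail].name }}
  ignore_errors: true
  register: jail_is_running

# Quoted "YES": a bare YES is a YAML 1.1 boolean and would reach sysrc as
# "True" instead of the rc.conf value.
- name: "Ensure sshd is enabled in the jail"
  sysrc:
    name: sshd_enable
    value: "YES"
    dest: "/usr/jails/{{ hostvars[jail].name }}/etc/rc.conf"
  when: jail_is_running.rc == 0 and hostvars[jail].start_ssh is defined and hostvars[jail].start_ssh

##- name: "Ensure the ssh folder of user ansible is present"
##  file:
##    path: /usr/jails/{{ hostvars[jail].name }}/home/ansible/.ssh
##    state: directory
##    mode: 0755
##    owner: root
##    group: wheel
##
##- name: "Ensure the authorized_keys of user ansible is present"
##  copy:
##    dest: /usr/jails/{{ hostvars[jail].name }}/home/ansible/.ssh/authorized_keys
##    content: "{{ lookup('file', ansible_ssh_private_key_file+'.pub') }}"
##    force: no
##    mode: 0644
##    owner: root
##    group: wheel
##  when: hostvars[jail].start_ssh

# NOTE(review): only rc 1 from jls triggers a start; any other non-zero rc
# leaves the jail untouched. Confirm that is intended rather than `rc != 0`.
- name: "Ensure the jail is started"
  command: ezjail-admin start {{ hostvars[jail].name }}
  when: jail_is_running.rc == 1

#- name: "Ensure the jail is stopped"
#  command: ezjail-admin stop {{ hostvars[jail].name }}
#  when: jail_is_running.rc == 0

##- name: Make sure pkg is installed in the jail
##  command: env ASSUME_ALWAYS_YES=YES pkg -j {{ hostvars[jail].name }} install pkg
##  when: jail_is_running.rc == 0
##
##- name: "Make sure python is installed in the jail"
##  command: env ASSUME_ALWAYS_YES=YES pkg -j {{ hostvars[jail].name }} install {{ python_package }}
##  when: jail_is_running.rc == 0

##- name: "Check if the ansible user exists in the jail"
##  command: ezjail-admin console -e "getent passwd ansible" {{ hostvars[jail].name }}
##  ignore_errors: yes
##  when: hostvars[jail].started
##  register: ansible_user_exists_in_jail
##
##- name: "Ensure the ansible user exists in the jail"
##  command: ezjail-admin console -e "pw useradd -m -G wheel -s /bin/sh -n ansible" {{ hostvars[jail].name }}
##  when: hostvars[jail].started and ansible_user_exists_in_hostvars[jail].rc != 0

##- name: "Install sudo in the jail"
##  command: env ASSUME_ALWAYS_YES=YES pkg -j {{ hostvars[jail].name }} install sudo
##  when: hostvars[jail].started and hostvars[jail].use_sudo
##
##- name: "Allow wheel to sudo what they want"
##  lineinfile:
##    dest: /usr/jails/{{ hostvars[jail].name }}/usr/local/etc/sudoers
##    state: present
##    regexp: '^%wheel'
##    line: '%wheel ALL=(ALL) NOPASSWD: ALL'
##  when: hostvars[jail].use_sudo
##
##- name: "Allow ansible to sudo what it wants"
##  lineinfile:
##    dest: /usr/jails/{{ hostvars[jail].name }}/usr/local/etc/sudoers
##    state: present
##    regexp: '^ansible '
##    line: 'ansible ALL=(ALL) NOPASSWD: ALL'
##  when: hostvars[jail].use_sudo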