feat: borgserver jail

2025-12-15 21:06:13 +01:00 · 2022-08-15 01:17:10 +02:00
parent 3949753751
commit 11731d4eb9
7 changed files with 129 additions and 7 deletions
--- a/ansible/roles/truenas/files/scripts/borgserver.bash
+++ b/ansible/roles/truenas/files/scripts/borgserver.bash
--- a/ansible/roles/truenas/files/borgserver/sshd_config
+++ b/ansible/roles/truenas/files/borgserver/sshd_config
@@ -0,0 +1,5 @@
+HostKey /keys/host/ssh_host_rsa_key
+HostKey /keys/host/ssh_host_ed25519_key
+AuthorizedKeysFile    .ssh/authorized_keys
+Subsystem    sftp    /usr/libexec/sftp-server
+PermitRootLogin yes
--- a/ansible/roles/truenas/tasks/jails/borgserver-init.yml
+++ b/ansible/roles/truenas/tasks/jails/borgserver-init.yml
@@ -0,0 +1,112 @@
+---
+- name: jail-borgserver | get jail ip
+  ansible.builtin.shell:
+    cmd: iocage exec borgserver ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
+  changed_when: false
+  register: borgserver_jail_ip
+  become: true
+
+- block:
+    - name: jail-borgserver | create zfs pools
+      community.general.zfs:
+        name: "{{ item }}"
+        state: present
+      loop:
+        - "{{ pool_name }}/jail-mounts"
+        - "{{ pool_name }}/jail-mounts/borgserver"
+        - "{{ pool_name }}/jail-mounts/borgserver/backups"
+        - "{{ pool_name }}/jail-mounts/borgserver/keys"
+
+    - name: jail-borgserver | create empty dirs
+      ansible.builtin.shell:
+        cmd: iocage exec borgserver mkdir -p /{{ item }}
+      loop:
+        - backups
+        - keys
+
+    - name: jail-borgserver | mount dirs
+      ansible.builtin.shell:
+        cmd: iocage fstab -a borgserver /mnt/{{ pool_name }}/jail-mounts/borgserver/{{ item }} /{{ item }} nullfs rw 0 0
+      loop:
+        - backups
+        - keys
+  become: true
+
+- block:
+    - name: jail-borgserver | packages
+      community.general.pkgng:
+        name:
+          #- py39-borgbackup
+          - sshguard
+        state: present
+
+    - name: jail-borgserver | download borg cli
+      ansible.builtin.get_url:
+        url: https://github.com/borgbackup/borg/releases/download/1.2.1/borg-freebsd64
+        dest: /usr/local/bin/borg
+        mode: 0755
+
+    - name: jail-borgserver | user borg
+      ansible.builtin.user:
+        name: borg
+        uid: 1000
+        state: present
+
+    - name: jail-borgserver | create directories
+      ansible.builtin.file:
+        path: /home/borg/.ssh
+        owner: 1000
+        group: 1000
+        state: directory
+
+    - name: jail-borgserver | authorized_keys
+      ansible.builtin.file:
+        path: /home/borg/.ssh/authorized_keys
+        owner: 1000
+        group: 1000
+        state: touch
+
+    - name: jail-borgserver | change folders mod
+      ansible.builtin.file:
+        path: "{{ item }}"
+        owner: 1000
+        group: 1000
+      loop:
+        - /backups
+        - /keys
+
+    - name: jail-borgserver | copy sshd_config
+      ansible.builtin.copy:
+        src: borgserver/sshd_config
+        dest: /etc/ssh/sshd_config'
+        mode: 0644
+
+    - name: jail-borgserver | copy borgserver rc.d
+      ansible.builtin.copy:
+        src: borgserver/rc.d
+        dest: /etc/rc.d/borgserver
+        mode: 0755
+
+    - name: jail-borgserver | configure sshguard
+      community.general.sysrc:
+        name: "{{ item.name }}"
+        value: "{{ item.value }}"
+        state: present
+      loop:
+        - { name: "sshguard_enable", value: "YES" }
+        - { name: "sshguard_danger_thresh", value: "30" }
+        - { name: "sshguard_release_interval", value: "600" }
+        - { name: "sshguard_reset_interval", value: "7200" }
+
+    - name: jail-borgserver | start sshguard service
+      ansible.builtin.service:
+        name: sshguard
+        state: started
+
+    - name: jail-borgserver | restart sshd service
+      ansible.builtin.service:
+        name: sshd
+        state: restarted
+
+  delegate_to: "{{ borgserver_jail_ip.stdout }}"
+  remote_user: root
--- a/ansible/roles/truenas/tasks/jails/init.yml
+++ b/ansible/roles/truenas/tasks/jails/init.yml
@@ -1,9 +1,4 @@
 ---
- name: jail-prepare | {{ outside_item.item }} | start jail
-  ansible.builtin.shell:
-    cmd: iocage start {{ outside_item.item }}
-  become: true
-
 - name: jail-prepare | {{ outside_item.item }} | create .ssh directory
  ansible.builtin.shell:
    cmd: iocage exec {{ outside_item.item }} 'mkdir -p /root/.ssh; echo "" > /root/.ssh/authorized_keys; chmod 700 /root/.ssh; chmod 600 /root/.ssh/authorized_keys'
--- a/ansible/roles/truenas/tasks/jails/postgres-conf.yml
+++ b/ansible/roles/truenas/tasks/jails/postgres-conf.yml
@@ -8,7 +8,7 @@

 - name: jail-postgres | copy letsencrypt certificate
  ansible.builtin.copy:
-    src: /mnt/storage/home/homelab/letsencrypt/xpander.ovh/{{ item.src }}
+    src: /mnt/storage/home/homelab/letsencrypt/{{ secret_domain }}/{{ item.src }}
    remote_src: true
    dest: /mnt/storage/jail-mounts/postgres/data{{ postgres_version }}/{{ item.dest }}
    owner: 770
--- a/ansible/roles/truenas/tasks/jails/postgres-init.yml
+++ b/ansible/roles/truenas/tasks/jails/postgres-init.yml
@@ -52,7 +52,7 @@
        state: present

    - name: jail-postgres | pip packages
-      ansible.builtint.pip:
+      ansible.builtin.pip:
        name: psycopg2
        state: present

--- a/ansible/roles/truenas/tasks/main.yml
+++ b/ansible/roles/truenas/tasks/main.yml
@@ -23,4 +23,14 @@

    - ansible.builtin.include_tasks: jails/postgres-conf.yml

+    - ansible.builtin.shell:
+        cmd: test -f /mnt/storage/jail-mounts/borgserver/keys/host/ssh_host_ed25519_key
+      register: borgserver_data_exists
+      become: true
+      changed_when: false
+      failed_when: borgserver_data_exists.rc != 0 and borgserver_data_exists.rc != 1
+
+    - ansible.builtin.include_tasks: jails/borgserver-init.yml
+      when: borgserver_data_exists.rc == 1
+
  when: "main_nas"