This project is currently broken … sorry for any inconvenience

Warning

It seems there are issues with version 2.1 of Ansible regarding how variables are resolved for roles and their dependend roles. Until those are resolved the only supported version of Ansible for the roles mentioned in this demo is 2.0.1.

FreeBSD iocage Ansible

How to use Ansible and iocage to set up a FreeBSD jail server.

Goals

• Ansible playbook that creates a FreeBSD server which hosts multiple jails.
• Travis is used to run/test the playbook.
• No service on the host is exposed externally.
• All external connections terminate within a jail.
• Roles can be reused using Ansible Galaxy.
• Combine any of those roles to create FreeBSD server, which perfectly suits you.

Requirements

1. Vagrant >= 1.8.1
2. Ansible == 2.0.1
3. VirtualBox
4. AWS account, with allows you to create and destroy EC2 instances (if you want to use Vagrant's aws provider)

Ansible Roles

The following roles are also available.

1. freebsd-build-server - Creates a FreeBSD poudriere build server
2. freebsd-jail-host - FreeBSD Jail host
3. freebsd-jailed - Provides a jail
4. freebsd-jailed-nginx - Provides a jailed nginx server
5. freebsd-jailed-php-fpm - Creates a php-fpm pool and a ZFS dataset which is used as web root by php-fpm
6. freebsd-jailed-sftp - Installs a SFTP server
7. freebsd-jailed-sshd - Provides a jailed sshd server.
8. freebsd-jailed-syslogd - Provides a jailed syslogd
9. freebsd-jailed-btsync - Provides a jailed btsync instance server
10. freebsd-jailed-joomla - Installs Joomla
11. freebsd-jailed-mariadb - Provides a jailed MariaDB server
12. freebsd-jailed-wordpress - Provides a jailed Wordpress server.

Notes

The box file metadata.json provides a box for VirtualBox and AWS. The AMI ids are preconfigured. The only thing you have to do is to choose a region aws.region.

FreeBSD AWS Box

Thanks to FreeBSD on EC2 nowadays it is very easy to use FreeBSD on EC2.

In order to provision those AMI's with ansible a few things need to be done first. During the initial boot of an instance, the following steps are execute using cloud-init:

• activate pf firewall
• add a pass all keep state rule to pf to keep track of connection states, which in turn allows you to reload the pf service without losing the connection
• install the following packages:
  • sudo
  • bash
  • python27
• allow passwordless sudo for user ec2-user

Howto

The following machines are configured (replace MACHINE with one of those names):

• btsync

Start machines using VirtualBox

git clone https://github.com/JoergFiedler/freebsd-ansible-demo.git
cd freebsd-ansible-demo
for provider in aws virtualbox; do \
  vagrant box add https://rawgit.com/JoergFiedler/freebsd-box/master/metadata.json  --provider $provider; \
done
vagrant up MACHINE_NAME

Start machines using EC2

AWS_ACCESS_KEY_ID={YOUR_KEY} AWS_SECRET_ACCESS_KEY={YOUR_SECRET_KEY} \
vagrant up MACHINE_NAME --provider =aws

Note: Make sure your default security group allows incoming traffic to the following ports:

• http
• https
• TCP 20202 (btsync)
• UDP 10202 (btsync)

Login

Login into the jail host.

vagrant ssh

Next Steps

1. Create other jail roles (web, dns, mail)
2. Role which uses Tarsnap to backup jail's user data.
3. Role which uses datadog for server monitoring.
4. The AMI's used come from here. I would prefer to use a more stripped down FreeBSD installation. That's why I like to create an AMI that only contains a minimal FreeBSD installation plus the packages required to run Ansible playbooks.

Useful Links

1. FreeBSD on EC2
2. EC2 Instance IP Addressing
3. EC2 Device Mapping
4. unix domain socket too long
5. Encrypted Variables
6. Strong SSL Security On nginx
7. ZFS Performance
8. FreeBSD Network Tuning

Powered By

1. FreeBSD
2. iocage
3. VirtualBox
4. Ansible
5. Vagrant