It seems there are issues with version 2.1 of Ansible regarding how variables are resolved for roles and their dependend roles. Until those are resolved the only supported version of Ansible for the roles mentioned in this demo is 2.0.1.
How to use Ansible and iocage to set up a FreeBSD jail server.
- Ansible playbook that creates a FreeBSD server which hosts multiple jails.
- Travis is used to run/test the playbook.
- No service on the host is exposed externally.
- All external connections terminate within a jail.
- Roles can be reused using Ansible Galaxy.
- Combine any of those roles to create FreeBSD server, which perfectly suits you.
- Vagrant >= 1.8.1
- Ansible == 2.0.1
- VirtualBox
- AWS account, with allows you to create and destroy EC2 instances (if you want to use Vagrant's aws provider)
The following roles are also available.
- freebsd-build-server - Creates a FreeBSD poudriere build server
- freebsd-jail-host - FreeBSD Jail host
- freebsd-jailed - Provides a jail
- freebsd-jailed-nginx - Provides a jailed nginx server
- freebsd-jailed-php-fpm - Creates a php-fpm pool and a ZFS dataset which is used as web root by php-fpm
- freebsd-jailed-sftp - Installs a SFTP server
- freebsd-jailed-sshd - Provides a jailed sshd server.
- freebsd-jailed-syslogd - Provides a jailed syslogd
- freebsd-jailed-btsync - Provides a jailed btsync instance server
- freebsd-jailed-joomla - Installs Joomla
- freebsd-jailed-mariadb - Provides a jailed MariaDB server
- freebsd-jailed-wordpress - Provides a jailed Wordpress server.
The box file metadata.json provides a box for VirtualBox and AWS. The AMI ids are preconfigured. The only thing you have to do is to choose a region aws.region.
Thanks to FreeBSD on EC2 nowadays it is very easy to use FreeBSD on EC2.
In order to provision those AMI's with ansible a few things need to be done first. During the initial boot of an instance, the following steps are execute using cloud-init:
- activate pf firewall
- add a
pass all keep staterule to pf to keep track of connection states, which in turn allows you to reload the pf service without losing the connection - install the following packages:
- sudo
- bash
- python27
- allow passwordless sudo for user
ec2-user
The following machines are configured (replace MACHINE with one of those names):
- btsync
git clone https://github.com/JoergFiedler/freebsd-ansible-demo.git
cd freebsd-ansible-demo
for provider in aws virtualbox; do \
vagrant box add https://rawgit.com/JoergFiedler/freebsd-box/master/metadata.json --provider $provider; \
done
vagrant up MACHINE_NAME
AWS_ACCESS_KEY_ID={YOUR_KEY} AWS_SECRET_ACCESS_KEY={YOUR_SECRET_KEY} \
vagrant up MACHINE_NAME --provider =aws
Note: Make sure your default security group allows incoming traffic to the following ports:
- http
- https
- TCP 20202 (btsync)
- UDP 10202 (btsync)
Login into the jail host.
vagrant ssh
- Create other jail roles (
web, dns, mail) Role which uses Tarsnap to backup jail's user data.- Role which uses datadog for server monitoring.
- The AMI's used come from here. I would prefer to use a more stripped down FreeBSD installation. That's why I like to create an AMI that only contains a minimal FreeBSD installation plus the packages required to run Ansible playbooks.