#!/usr/local/bin/bash
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
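#######################################
# Create and configure an iocage jail for the diyit deployment.
#
# Usage:
#   <this script> JAIL JAILHOSTNAME JAILDOMAIN JAILIP JAILUSER JAILUSERID JAILUSERVNC
#
#   JAIL         - iocage jail name
#   JAILHOSTNAME - host label; host_hostname becomes JAILHOSTNAME.JAILDOMAIN
#   JAILDOMAIN   - DNS search domain, also the domain of the jail-root@ mailbox
#   JAILIP       - last octet of the jail address (appended to I4NW and I6NW)
#   JAILUSER     - unprivileged login to create, or X for none
#   JAILUSERID   - numeric uid for JAILUSER (eg. 1000 for p OR 2002 for r)
#   JAILUSERVNC  - true to also install a VNC desktop for JAILUSER, else false
#
# Runs on the jail host; every step inside the jail goes through
# `iocage exec`, which hands the string to a shell in the jail (the
# original relied on that for `>>`, `;` and `&&`). Jail creation, mounts,
# pkg bootstrap and user creation abort the script on failure; the
# remaining steps stay best effort, as in the original run book.
#######################################

# Unset variables are a bug here (every value is assigned below), but keep
# the friendly ":?" messages for missing positional parameters by defaulting
# them to empty first.
set -u

JAIL=${1-}
JAILHOSTNAME=${2-}
JAILDOMAIN=${3-}
JAILIP=${4-}
JAILUSER=${5-}
JAILUSERID=${6-}
JAILUSERVNC=${7-}

# user p and r are diyit deployment specific

# there are cases where you may only want an IPv4 jail
readonly I6CONFIG=true

# these IP spaces are diyit deployment specific
readonly I4NW="192.168.0"
readonly I6NW="2603:3024:3f6:e1"
readonly I4GW="192.168.0.5"
readonly I6GW="2603:3024:3f6:e1::5"
readonly I4NS="192.168.0.5"
readonly I6NS="2603:3024:3f6:e1::5"

readonly RELEASE="12.2-RELEASE"
readonly TIMEZONE="America/Los_Angeles"
# host-side directory holding per-jail config (<dir>/<JAIL>) and the shared "common" set
readonly CONFIG_ROOT="/root/FreeBSD/jails/config"

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# True when the jail gets IPv6 configuration.
#######################################
ipv6_enabled() {
  [[ "$I6CONFIG" == true ]]
}

#######################################
# Run a command line inside the jail.
# Arguments: $1 - the command line, interpreted by the jail's shell
#######################################
in_jail() {
  iocage exec "$JAIL" "$@"
}

#######################################
# Copy a config file into the jail: the per-jail copy under /mnt/config
# wins, otherwise the shared one under /mnt/common is used.
# Arguments: $1 - file name relative to /mnt/config and /mnt/common
#            $2 - destination inside the jail (directory/ or full path)
#######################################
jail_cfg() {
  in_jail "if [ -f /mnt/config/$1 ]; then cp /mnt/config/$1 $2; else cp /mnt/common/$1 $2; fi"
}

#######################################
# nullfs-mount a host directory into the jail (mountpoint created first,
# since the jail is already running when fstab -a mounts it).
# Arguments: $1 - host path, $2 - path inside the jail, $3 - ro|rw
#######################################
jail_mount() {
  in_jail "mkdir -p $2"
  iocage fstab -a "$JAIL" "$1" "$2" nullfs "$3" 0 0 || die "cannot mount $1 at $2 in jail $JAIL"
}

#######################################
# Check the seven parameters. Besides presence, each value is spliced into
# command lines that run inside the jail (some inside single quotes), so
# restrict them to characters that cannot alter that quoting.
#######################################
validate_args() {
  : "${JAIL:?Need to specify JAIL - first parameter}"
  : "${JAILHOSTNAME:?Need to specify JAILHOSTNAME - second parameter}"
  : "${JAILDOMAIN:?Need to specify JAILDOMAIN - third parameter}"
  : "${JAILIP:?Need to specify JAILIP - fourth parameter}"
  : "${JAILUSER:?Need to specify JAILUSER - fifth parameter - set to X if none required}"
  : "${JAILUSERID:?Need to specify JAILUSERID - sixth parameter - eg. set to 1000 for p OR 2002 for r}"
  : "${JAILUSERVNC:?Need to specify JAILUSERVNC - seventh parameter - set to true to add vnc for jailuser}"

  [[ "$JAIL" =~ ^[A-Za-z0-9][A-Za-z0-9_.-]*$ ]] \
    || die "JAIL may only contain letters, digits, _ . - : $JAIL"
  [[ "$JAILHOSTNAME" =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$ ]] \
    || die "JAILHOSTNAME must be a single host label: $JAILHOSTNAME"
  [[ "$JAILDOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] \
    || die "JAILDOMAIN must be a DNS name: $JAILDOMAIN"
  # only the last octet is taken; it is appended to both I4NW and I6NW
  [[ "$JAILIP" =~ ^[0-9]{1,3}$ ]] \
    || die "JAILIP must be the last octet of the jail address (digits only): $JAILIP"
  (( 10#$JAILIP >= 1 && 10#$JAILIP <= 254 )) \
    || die "JAILIP out of range (1-254): $JAILIP"
  [[ "$JAILUSER" =~ ^[A-Za-z_][A-Za-z0-9_.-]*$ ]] \
    || die "JAILUSER must be a login name or X: $JAILUSER"
  [[ "$JAILUSERID" =~ ^[0-9]+$ ]] \
    || die "JAILUSERID must be numeric: $JAILUSERID"
  # the original ran "$JAILUSERVNC" as a command; only accept the two literals
  [[ "$JAILUSERVNC" == true || "$JAILUSERVNC" == false ]] \
    || die "JAILUSERVNC must be true or false: $JAILUSERVNC"
}

#######################################
# Create the jail with static addressing and, when enabled, the rc.conf
# bits for IPv6 SLAAC temporary addresses.
#######################################
create_jail() {
  # cant install packages during jail creation because ipfw blocks all network traffic
  #echo '{"pkgs":["bash","bash-completion","nano"]}' > /tmp/pkg-$JAIL.json
  #iocage create -n "$JAIL" -p /tmp/pkg-$JAIL.json ...
  #rm /tmp/pkg-$JAIL.json

  local -a props=(vnet=on "ip4_addr=vnet0|$I4NW.$JAILIP/24")
  if ipv6_enabled; then
    props+=("ip6_addr=vnet0|$I6NW::$JAILIP/64")
  fi
  props+=("defaultrouter=$I4GW")
  if ipv6_enabled; then
    props+=("defaultrouter6=$I6GW")
    props+=("resolver=nameserver $I4NS;nameserver $I6NS;search $JAILDOMAIN")
  else
    props+=("resolver=nameserver $I4NS;search $JAILDOMAIN")
  fi
  props+=(
    interfaces=vnet0:bridge1
    allow_raw_sockets=1
    "exec_prestop=ifconfig epair0b -vnet ioc-$JAIL"
    boot=on
    "host_hostname=$JAILHOSTNAME.$JAILDOMAIN"
  )
  # iocage cannot set static IP AND enable SLAAC temporary properly, so
  # "vnet0|accept_rtadv" is not added to ip6_addr; rtadv is switched on below.
  iocage create -n "$JAIL" -r "$RELEASE" "${props[@]}" \
    || die "iocage create failed for jail $JAIL"

  if ipv6_enabled; then
    in_jail 'sysrc ifconfig_epair0b_ipv6="inet6 auto_linklocal accept_rtadv"'
    in_jail "sysrc rtsold_enable=YES"
    in_jail "echo 'net.inet6.ip6.accept_rtadv=1' >> /etc/sysctl.conf"
    in_jail "echo 'net.inet6.ip6.use_tempaddr=1' >> /etc/sysctl.conf"
    in_jail "echo 'net.inet6.ip6.prefer_tempaddr=1' >> /etc/sysctl.conf"
  fi
}

#######################################
# Enable ipfw in the jail. firewall_type=open passes all traffic; the
# ruleset only provides logging here.
#######################################
configure_firewall() {
  in_jail "sysrc firewall_enable=YES"
  in_jail "sysrc firewall_type=open"
  in_jail "sysrc firewall_logif=YES"
  in_jail "service ipfw restart"
}

#######################################
# Apply the IPv6 settings to the running jail, write /etc/hosts and
# resolvconf.conf.
#######################################
configure_network() {
  if ipv6_enabled; then
    # jail is already up at this point so configure IPv6 manually for this run
    in_jail "ifconfig epair0b inet6 accept_rtadv; sysctl net.inet6.ip6.accept_rtadv=1; sysctl net.inet6.ip6.use_tempaddr=1; sysctl net.inet6.ip6.prefer_tempaddr=1; service rtsold start"
  fi

  in_jail "echo '$I4NW.$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
  if ipv6_enabled; then
    in_jail "echo '$I6NW::$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
  fi

  # create resolvconf.conf - IPv6 SLAAC on freebsd removes all ipv4 configuraton from resolv.conf
  in_jail "echo 'export search_domains=$JAILDOMAIN' > /etc/resolvconf.conf"
  if ipv6_enabled; then
    in_jail "echo 'export name_servers=\"$I4NS $I6NS\"' >> /etc/resolvconf.conf"
  else
    in_jail "echo 'export name_servers=\"$I4NS\"' >> /etc/resolvconf.conf"
  fi
  in_jail "resolvconf -u"
}

#######################################
# Mount certificates, per-jail config, the shared config set and the
# host's freebsd-update cache into the jail.
#######################################
mount_shares() {
  jail_mount /mnt/ship/certs /mnt/certs ro
  jail_mount "$CONFIG_ROOT/$JAIL" /mnt/config rw
  jail_mount /var/db/freebsd-update/files /var/db/freebsd-update/files rw
  jail_mount "$CONFIG_ROOT/common" /mnt/common ro
}

#######################################
# Point pkg and freebsd-update at the deployment's config, then install
# the base package set.
#######################################
install_base_pkgs() {
  in_jail "mkdir -p /usr/local/etc/pkg/repos"
  jail_cfg pkgp.conf /usr/local/etc/pkg/repos/
  jail_cfg freebsd-update.conf /etc/

  in_jail "env ASSUME_ALWAYS_YES=YES pkg bootstrap" || die "pkg bootstrap failed in jail $JAIL"
  in_jail "pkg update -f"
  in_jail "pkg upgrade -y"
  # root's shell is switched to bash below; abort rather than point root at a missing shell
  in_jail "pkg install -y bash bash-completion nano" || die "pkg install of base packages failed in jail $JAIL"

  jail_cfg nanorc /usr/local/etc/
  in_jail "cp -r /mnt/common/nano /usr/local/etc/"
}

#######################################
# Root account: lock toor (FreeBSD's alternate uid-0 login), give root bash
# and the deployment's dotfiles and authorized_keys.
#######################################
configure_root() {
  #iocage exec $JAIL "passwd root"
  in_jail "chsh -s /usr/sbin/nologin toor"
  in_jail "pw usermod -n root -s /usr/local/bin/bash -c jail-$JAIL"

  jail_cfg .bash_profile /root/
  jail_cfg .dir_colors /root/

  in_jail "mkdir -p /root/.ssh && chmod 700 /root/.ssh"
  jail_cfg authorized_keys /root/.ssh/
  in_jail "chmod 600 /root/.ssh/authorized_keys"
}

#######################################
# Install the deployment's sshd_config and start sshd.
#######################################
configure_ssh() {
  jail_cfg sshd_config /etc/ssh/
  in_jail "sysrc sshd_enable=YES"
  in_jail "/etc/rc.d/sshd start"
  in_jail "service sshd restart"
}

#######################################
# Submission-only sendmail: no listening daemon, mail for root goes to
# jail-root@JAILDOMAIN.
#######################################
configure_mail() {
  in_jail "cd /etc/mail ; make"
  in_jail "bash /mnt/common/snip-sendmail.sh"
  in_jail "sysrc sendmail_enable=NO"
  in_jail "sysrc sendmail_outbound_enable=NO"
  in_jail "sysrc sendmail_submit_enable=YES"
  in_jail "sysrc sendmail_msp_queue_enable=YES"
  in_jail "cd /etc/mail ; make all install"
  in_jail "echo 'root: jail-root@$JAILDOMAIN' >> /etc/mail/aliases"
  in_jail "/usr/bin/newaliases"
  in_jail "service sendmail start"
  in_jail "service sendmail restart"
}

#######################################
# Work around the ntp leap-second file fetch (see bug). Note that
# --no-verify-peer turns off certificate verification for that download.
#######################################
configure_ntp() {
  # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213448
  in_jail 'sysrc ntp_leapfile_fetch_opts="--no-verify-peer -mq"'
}

#######################################
# Create JAILUSER with sudo, dotfiles and authorized_keys, then prompt
# for its password.
#######################################
add_jail_user() {
  local -r home="/home/$JAILUSER"

  in_jail "pkg install -y sudo"
  in_jail "pw useradd $JAILUSER -u $JAILUSERID -G wheel -m -d $home -s /usr/local/bin/bash" \
    || die "pw useradd $JAILUSER failed in jail $JAIL"

  jail_cfg .bash_profile "$home/"
  in_jail "chown $JAILUSER $home/.bash_profile"
  jail_cfg .dir_colors "$home/"
  in_jail "chown $JAILUSER $home/.dir_colors"

  in_jail "mkdir -p $home/.ssh && chmod 700 $home/.ssh"
  jail_cfg authorized_keys "$home/.ssh/"
  in_jail "chmod 600 $home/.ssh/authorized_keys"
  in_jail "chown -R $JAILUSER $home/.ssh"

  # every wheel member gets passwordless sudo in this jail; visudo validates the append
  in_jail "echo '%wheel ALL=(ALL) NOPASSWD: ALL' | EDITOR='tee -a' visudo"

  printf '%s\n' "set ssh password for $JAILUSER"
  in_jail "passwd $JAILUSER"
}

#######################################
# Install a TigerVNC desktop for JAILUSER using the deployment's
# passwd/xstartup files and rc script.
#######################################
add_vnc() {
  local -r home="/home/$JAILUSER"

  in_jail "pkg install -y tigervnc-server perl5 xauth fluxbox xorg-fonts-truetype xterm dbus"
  #firefox and other X apps require dbus
  in_jail "sysrc dbus_enable=YES"
  in_jail "service dbus start"

  in_jail "mkdir -p $home/.vnc"
  jail_cfg secret/passwd "$home/.vnc/"
  jail_cfg xstartup "$home/.vnc/"
  # the VNC password file is a credential; owner-only like authorized_keys
  in_jail "chmod 600 $home/.vnc/passwd"
  in_jail "chown -R $JAILUSER $home"

  jail_cfg vncserver /usr/local/etc/rc.d/vncserver
  in_jail "chmod 555 /usr/local/etc/rc.d/vncserver"
  in_jail "sysrc vncserver_enable=YES"
  in_jail "service vncserver start"
}

#######################################
# Final housekeeping and the creation notice mail.
#######################################
finish() {
  in_jail "pkg clean -y"
  in_jail "tzsetup $TIMEZONE"

  # iocage fstab -r $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
  # iocage exec $JAIL "rmdir /mnt/common"

  in_jail "echo 'Subject: created new jail: $JAIL with $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC' | sendmail -v -t jail-root@$JAILDOMAIN"
  # reverse dns should already be configured for the mail server to accept this email
}

main() {
  validate_args
  printf '%s\n' "$JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC"

  create_jail
  configure_firewall
  configure_network
  mount_shares
  install_base_pkgs
  configure_root
  configure_ssh
  configure_mail
  configure_ntp

  if [[ "$JAILUSER" != "X" ]]; then
    add_jail_user
    if [[ "$JAILUSERVNC" == true ]]; then
      add_vnc
    fi
  fi

  finish
}

main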
|