jail.conf
# Global parameters
# Everything above the first "name { ... }" block is inherited by every jail
# defined below; a jail overrides a key by redefining it (see immich).
# Start/stop the jailed system through its stock rc scripts.
exec.start = "/bin/sh /etc/rc";
# Legacy non-VNET addressing (alias on the epair + default route). Kept
# commented because vnet is enabled below; presumably the address is now set
# by the jail's own rc.conf — TODO confirm.
#exec.start += "/sbin/ifconfig lo0 127.0.0.1 up";
#exec.start += "/sbin/ifconfig epair${nid}b 192.168.123.${nid}/24 up";
#exec.start += "/sbin/route add default 192.168.123.1";
exec.stop = "/bin/sh /etc/rc.shutdown";
# Run the exec.* commands with a cleaned environment (jail(8)), so host
# environment variables do not leak into the jail's init.
exec.clean;
mount.devfs;
mount.procfs;
# Per-jail fstab; ${name} is expanded by jail(8) to the jail's name.
mount.fstab = "/mnt/ssd/jail/${name}/etc/fstab";
# devfs ruleset applied to the jail's /dev. In the stock
# /etc/defaults/devfs.rules of recent FreeBSD, ruleset 5 is
# devfsrules_jail_vnet — TODO confirm against this host's devfs.rules, since a
# wrong ruleset can expose host device nodes to jailed root.
devfs_ruleset = 5;
# Privileges granted to EVERY jail. Each one widens what jailed root can do;
# consider moving the ones only a single jail needs into that jail's block.
# Raw sockets: needed for ping/traceroute inside the jail, but also lets
# jailed root craft arbitrary IP packets on its VNET interface.
allow.raw_sockets;
# Legacy flag for SysV IPC access; per jail(8) the sysvmsg/sysvsem/sysvshm
# parameters set to "new" give each jail its own IPC namespace instead —
# NOTE(review): confirm which jail actually needs this.
allow.sysvipc;
# Jailed root may mount the listed filesystem types (needs enforce_statfs < 2).
allow.mount;
allow.mount.fusefs;
allow.mount.devfs;
allow.mount.procfs;
# 1: a jail only sees mounts below its own root (0 would reveal all host
# mounts; 2 would show only the root mount and disable allow.mount).
enforce_statfs = 1;
# VNET-specific parameters
# Each jail gets its own network stack; the "b" end of its epair is moved in.
vnet;
vnet.interface = "epair${nid}b";
# Host side: create the epair, bring the "a" end up and attach it to bridge1
# (the jail network bridge on the host).
exec.prestart = "ifconfig epair${nid} create up";
exec.prestart += "ifconfig epair${nid}a up";
exec.prestart += "ifconfig bridge1 addm epair${nid}a";
# Destroying one end of an epair removes both ends.
exec.poststop = "ifconfig epair${nid}a destroy";
# Path parameters
path = "/mnt/ssd/jail/${name}";
host.hostname = "${name}.jail";
# $nid is a per-jail variable numbering the epair (and, in the commented
# legacy lines above, the last octet of the jail address). Keep the values
# unique: two jails with the same $nid would try to create the same epair.
# NIDs 3 and 4 are currently free.
navidrome {
$nid = 17;
}
ntfy {
$nid = 16;
}
seafile {
$nid = 15;
}
immich {
# This is a Linux jail: the FreeBSD rc scripts are replaced by its own
# init/shutdown wrappers (what swinit/swshutdown do is not visible here;
# presumably they come with the jail's image — confirm).
$nid = 14;
# No FreeBSD procfs; a Linux userland would normally get linprocfs from
# the jail's fstab — TODO confirm it is mounted there.
mount.procfs = 0;
exec.start = "/bin/sh /sbin/swinit";
exec.stop = "/bin/sh /sbin/swshutdown";
}
kanboard {
$nid = 13;
}
authelia {
$nid = 12;
}
freshrss {
$nid = 11;
}
nextcloud {
$nid = 10;
}
games {
$nid = 9;
}
mastodon {
$nid = 8;
}
matrix {
$nid = 7;
}
ircbots {
$nid = 6;
}
peertube {
$nid = 5;
}
# Placeholders for the free NIDs; fill in a name before uncommenting.
# {
# $nid = 4;
#}
# {
# $nid = 3;
#}
thelounge {
$nid = 2;
}
forgejo {
$nid = 1;
}
opengist {
$nid = 0;
}
pf.conf
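ext_if = "em0"
jail_net = "192.168.123.0/24"

# Filled at runtime (persist keeps the entries across ruleset reloads);
# nothing in this file populates them, so an external tool is expected to.
table <crowdsec-blacklists> persist
table <crowdsec6-blacklists> persist

set skip on lo

# NAT so jails can access internet
nat on $ext_if from $jail_net to any -> ($ext_if)

# Forward Luanti ports to its jail.
# Deliberately no "pass" modifier: "rdr pass" hands matching packets to the
# target without evaluating the filter rules, so the CrowdSec blocks below
# would never apply to the game ports. Without it the translated packets fall
# through to the block/pass rules like everything else.
# TODO(review): confirm 192.168.123.11 is the Luanti jail; in jail.conf the
# games jail has nid 9 and freshrss nid 11, if addresses follow 192.168.123.${nid}.
rdr on $ext_if proto udp from any to any port 30000:40000 -> 192.168.123.11 port 30000:40000

# CrowdSec decisions: drop early, before anything is passed (v4 and v6 tables).
block drop in quick from <crowdsec-blacklists> to any
block drop in quick from <crowdsec6-blacklists> to any

# Default allow in both directions: every service on the host is reachable
# from $ext_if, and the tables above are the only inbound control. If that is
# not intended, switch to "block in" plus explicit pass rules per service.
pass in all
pass out all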
rc.conf
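## SYSTEM PROPERTIES ##
hostname="oreo"
dumpdev="AUTO"
moused_nondefault_enable="NO"
clear_tmp_enable="YES"
# -ss: syslogd opens no network socket at all (neither receives nor sends).
syslogd_flags="-ss"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
smartd_enable="NO"
powerd_enable="NO"
# Linux binary compatibility; needed by the Linux jail (immich) in jail.conf.
linux_enable="YES"
zfs_enable="YES"
# Load ZFS encryption keys at boot so encrypted datasets mount unattended.
zfskeys_enable="YES"

## REMOTE ACCESS ##
# Webmin is a full-privilege admin UI; with pf passing all inbound traffic,
# make sure it only listens on a trusted interface/VPN address — confirm.
webmin_enable="YES"
sshd_enable="YES"
nginx_enable="YES"

## ETHERNET ##
#ifconfig_em0="DHCP"
ifconfig_em0="inet 10.0.0.86 netmask 255.255.255.0 up"
# Accepts router advertisements on em0; ipv6_gateway_enable is not set, so
# IPv6 forwarding stays off and the host is an IPv6 end node only.
ifconfig_em0_ipv6="inet6 accept_rtadv up"
# Also gives bridge1 and the jail epairs link-local IPv6 addresses — verify
# that is intended.
ipv6_activate_all_interfaces="YES"
rtsold_enable="YES"
defaultrouter="10.0.0.1"

## VPN ##
wireguard_enable="YES"
wireguard_interfaces="wg0"

## VMS AND CONTAINERS ##
jail_enable="YES"

vm_enable="YES"
vm_dir="/mnt/ssd/vm"
vm_list="haos"

## JAIL NETWORKING ##
# IPv4 forwarding between em0 and the jail bridge (NAT is done in pf.conf).
# Set once here; the earlier duplicate assignment was redundant.
gateway_enable="YES"

cloned_interfaces="bridge1"
ifconfig_bridge1="inet 192.168.123.1/24 description jailnet up"

pf_enable="YES"
pf_rules="/etc/pf.conf"

## LOCAL SERVICES ##
# Site-local service; its rc script is not part of this page.
bootstrapsona_enable="YES"

## TO CATEGORIZE ##
postgresql_enable="YES"
valkey_enable="YES"
# Intel graphics KMS driver.
kld_list="i915kms"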