Rebuild the kernel

docs changing
2025-09-06 12:03:38 +02:00 · 2017-03-02 20:34:45 +03:00 · 2017-03-02 20:34:45 +03:00 · 373465cb87
commit 373465cb87
parent 12536e76e9
3 changed files with 115 additions and 1 deletions
--- a/docs/FreeBSD.md
+++ b/docs/FreeBSD.md
@ -1,6 +1,6 @@
 # FreeBSD / HardenedBSD

-It is only possible to install Algo on existing systems only in order to avoid recompiling the kernel while deploying
+It is only possible to install Algo on existing systems only. We support only 11 version for now.

 ## Pre-paring the system

@ -19,6 +19,10 @@ device	crypto
 * ssh_tunneling
 * dns_adblocking

+## Additional variables
+
+* rebuild_kernel - set to `true` if you want to let Algo to rebuild your kernel if needed (Takes a lot of time)
+
 ## Installation

 `ansible-playbook deploy.yml -t local,vpn -e "server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$server_ip Store_CAKEY=N" --skip-tags cloud`
--- a/roles/common/tasks/freebsd.yml
+++ b/roles/common/tasks/freebsd.yml
@ -3,6 +3,7 @@
 - set_fact:
    tools:
      - git
+      - subversion
      - screen
      - coreutils
      - openssl
--- a/roles/vpn/tasks/freebsd.yml
+++ b/roles/vpn/tasks/freebsd.yml
@ -1,4 +1,113 @@
 ---

+- name: FreeBSD / HardenedBSD | Get the existing kernel parameters
+  command: sysctl -b kern.conftxt
+  register: kern_conftxt
+  when: rebuild_kernel is defined and rebuild_kernel == "true"
+
+- name: FreeBSD / HardenedBSD | Set the rebuild_needed fact
+  set_fact:
+    rebuild_needed: true
+  when: item not in kern_conftxt.stdout and rebuild_kernel is defined and rebuild_kernel == "true"
+  with_items:
+    - "IPSEC"
+    - "IPSEC_NAT_T"
+    - "crypto"
+
+- name: FreeBSD / HardenedBSD | Make the kernel config
+  shell: >
+    sysctl -b kern.conftxt > /tmp/IPSEC
+  when: rebuild_needed is defined and rebuild_needed == true
+
+- name: FreeBSD / HardenedBSD | Ensure the all options are enabled
+  lineinfile:
+    dest: /tmp/IPSEC
+    line: "{{ item }}"
+    insertbefore: BOF
+  with_items:
+    - "options	IPSEC"
+    - "options IPSEC_NAT_T"
+    - "device	crypto"
+  when: rebuild_needed is defined and rebuild_needed == true
+
+- name: HardenedBSD | Determine the sources
+  set_fact:
+    sources_repo: https://github.com/HardenedBSD/hardenedBSD.git
+    sources_version: "hardened/{{ ansible_distribution_release.split('.')[0] }}-stable/master"
+  when: "'Hardened' in ansible_distribution_version"
+
+- name: FreeBSD | Determine the sources
+  set_fact:
+    sources_repo: https://github.com/freebsd/freebsd.git
+    sources_version: "stable/{{ ansible_distribution_major_version }}"
+  when: "'Hardened' not in ansible_distribution_version"
+
+- name: FreeBSD / HardenedBSD | Increase the git postBuffer size
+  git_config:
+    name: http.postBuffer
+    scope: global
+    value: 1048576000
+
+- block:
+    - name: FreeBSD / HardenedBSD | Fetching the sources...
+      git:
+        repo: "{{ sources_repo }}"
+        dest: /usr/krnl_src
+        version: "{{ sources_version }}"
+        accept_hostkey: true
+      async: 1000
+      poll: 0
+      register: fetching_sources
+
+    - name: FreeBSD / HardenedBSD | Fetching the sources...
+      async_status: jid={{ fetching_sources.ansible_job_id }}
+      when: rebuild_needed is defined and rebuild_needed == true
+      register: result
+      until: result.finished
+      retries: 600
+      delay: 30
+  rescue:
+    - debug: var=fetching_sources
+
+    - fail:
+        msg: "Something went wrong. Check the debug output above."
+
+- block:
+    - name: FreeBSD / HardenedBSD | The kernel is being built...
+      shell: >
+          mv /tmp/IPSEC /usr/krnl_src/sys/{{ ansible_architecture }}/conf &&
+          make buildkernel KERNCONF=IPSEC &&
+          make installkernel KERNCONF=IPSEC
+      args:
+        chdir: /usr/krnl_src
+        executable: /usr/local/bin/bash
+      when: rebuild_needed is defined and rebuild_needed == true
+      async: 1000
+      poll: 0
+      register: building_kernel
+
+    - name: FreeBSD / HardenedBSD | The kernel is being built...
+      async_status: jid={{ building_kernel.ansible_job_id }}
+      when: rebuild_needed is defined and rebuild_needed == true
+      register: result
+      until: result.finished
+      retries: 600
+      delay: 30
+  rescue:
+    - debug: var=building_kernel
+
+    - fail:
+        msg: "Something went wrong. Check the debug output above."
+
+- name: FreeBSD / HardenedBSD | Reboot
+  shell: >
+    sleep 2 && shutdown -r now
+  args:
+    executable: /usr/local/bin/bash
+  when: rebuild_needed is defined and rebuild_needed == true
+  async: 1
+  poll: 0
+  ignore_errors: true
+
 - name: FreeBSD / HardenedBSD | Enable strongswan
  lineinfile: dest=/etc/rc.conf regexp=^strongswan_enable= line='strongswan_enable="YES"'