banananetwork
/
ansible
1
0
Fork 0
Code Issues Pull Requests Releases Activity

server/minecraft: Configured apparmor profile

Browse Source
dehydrated
Felix Stupp 5 years ago
parent b3648c9362
commit 8f35931033
Signed by: zocker
GPG Key ID: 93E1BD26F6B02FB7
5 changed files with 43 additions and 0 deletions
Show Stats Download Patch File Download Diff File

2
group_vars/all/vars.yml
Unescape Escape View File

@ -45,6 +45,8 @@ backend_imap_port: 12892
global_ansible_facts_directory: "/etc/ansible/facts.d"
global_apparmor_profiles_directory: "/etc/apparmor.d"
global_apt_sources_directory: "/etc/apt/sources.list.d"
global_ip_discover_server_name: "nvak.banananet.work"

1
roles/server/minecraft/defaults/main.yml
Unescape Escape View File

@ -10,6 +10,7 @@ mcrcon_directory: "{{ user_directory }}/mcrcon"
data_directory: "{{ user_directory }}/data"
remote_control_script: "{{ user_directory }}/cmd"
launch_script: "{{ user_directory }}/launch"
apparmor_profile: "{{ global_apparmor_profiles_directory }}/webservers_{{ domain }}"
# minecraft_version: "1.10" # for naming
minecraft_source_link_generator: "curl --silent https://mcversions.net | grep minecraft_server-{{ minecraft_version }}.jar | grep --only-matching --perl-regexp '(?<=\")https://launcher.mojang.com/[^\"]+(?=\")'"

3
roles/server/minecraft/handlers/main.yml
Unescape Escape View File

@ -1,5 +1,8 @@
---
- name: reload apparmor profile
command: "/usr/sbin/apparmor_parser -r {{ apparmor_profile }}"
- name: restart minecraft server
systemd:
state: restarted

11
roles/server/minecraft/tasks/main.yml
Unescape Escape View File

@ -82,6 +82,17 @@
- name: "control.sh"
path: "{{ remote_control_script }}"
- name: Configure apparmor profile
template:
src: "profile.apparmor"
dest: "{{ apparmor_profile }}"
owner: root
group: root
mode: "u=rw,g=r,o="
notify:
- reload apparmor profile
- restart minecraft server
- name: Configure minecraft server
template:
src: server.properties

26
roles/server/minecraft/templates/profile.apparmor
Unescape Escape View File

@ -0,0 +1,26 @@
#include <tunables/global>
/var/webservers/mc.wg.banananet.work/launch {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/nameservice>
#include <abstractions/ubuntu-browsers.d/java>
#include <abstractions/user-tmp>
/etc/timezone r,
/proc/*/net/if_inet6 r,
/proc/*/net/ipv6_route r,
/proc/sys/net/core/somaxconn r,
/proc/sys/net/ipv4/tcp_fastopen r,
/usr/bin/dash ix,
/usr/lib/jvm/java-11-openjdk-amd64/bin/java mrix,
/usr/lib/jvm/java-11-openjdk-amd64/lib/server/classes.jsa mr,
/usr/share/java/java-atk-wrapper.jar r,
/var/webservers/mc.wg.banananet.work/launch r,
owner /proc/*/coredump_filter rw,
owner /proc/*/mountinfo r,
owner /tmp/libnetty_transport_native_epoll_x86_*.so mrw,
owner /var/webservers/mc.wg.banananet.work/bin/server.*.jar r,
owner /var/webservers/mc.wg.banananet.work/data/** rw,
}
Write Preview
Loading…
Cancel
Save