diff --git a/.gitattributes b/.gitattributes
index 505af13..cf5db54 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,3 @@
 cargo_credentials.toml filter=git-crypt diff=git-crypt
 **/wireguard_configs/** filter=git-crypt diff=git-crypt
+*.key filter=git-crypt diff=git-crypt
diff --git a/ansible/environments/vm/host_vars/poudriereodo b/ansible/environments/vm/host_vars/poudriereodo
new file mode 100644
index 0000000..970eaa7
--- /dev/null
+++ b/ansible/environments/vm/host_vars/poudriereodo
@@ -0,0 +1,13 @@
+os_flavor: "freebsd"
+poudriere_builds:
+ - jail: 13amd64
+ ports: default
+ set: framework
+ version: 13.1-RELEASE
+ - jail: current
+ ports: default
+ set: framework
+ version: CURRENT
+ revision: af01b4722577903f91acc44f01bdcb8cdb2d65ad
+ kernel: CUSTOM
+ branch: main
diff --git a/ansible/environments/vm/hosts b/ansible/environments/vm/hosts
new file mode 100644
index 0000000..33382d9
--- /dev/null
+++ b/ansible/environments/vm/hosts
@@ -0,0 +1,2 @@
+[vm]
+poudriereodo ansible_user=builder ansible_host=10.213.177.12
diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml
index 26470e7..d14443e 100644
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -1,4 +1,4 @@
-- hosts: all:!jail
+- hosts: all:!jail:!vm
 vars:
 ansible_become: True
 roles:
@@ -36,9 +36,18 @@
 - google_cloud_sdk
 - ansible
 - wireguard
+ - portshaker
+ - poudriere
 - hosts: nat_dhcp:homeserver_nat_dhcp
 vars:
 ansible_become: True
 roles:
 - jail_nat_dhcp
+
+- hosts: poudriereodo
+ vars:
+ ansible_become: True
+ roles:
+ - portshaker
+ - poudriere
diff --git a/ansible/roles/ansible/tasks/linux.yaml b/ansible/roles/ansible/tasks/linux.yaml
index bfaf17e..dde105c 100644
--- a/ansible/roles/ansible/tasks/linux.yaml
+++ b/ansible/roles/ansible/tasks/linux.yaml
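Review bot: The `*.key` git-crypt rule lands in the same commit that adds `ansible/roles/poudriere/files/poudriere.key`, and git-crypt only encrypts a blob whose attribute was in effect when it was staged; confirm with `git-crypt status -e` (or check that `git show HEAD:ansible/roles/poudriere/files/poudriere.key | head -c 9` prints the `GITCRYPT` magic) that the committed blob is ciphertext. If the key was ever staged in clear, rewriting history is not enough: the pkg repository signing key has to be regenerated and the fingerprint redistributed to every consumer. The pattern also only covers the `.key` suffix, so a deploy key such as the `poudriere_deploy_ed25519` path already commented in the poudriere role would be committed unencrypted unless it gets its own rule, e.g. `*_ed25519 filter=git-crypt diff=git-crypt`.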
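Review bot: Excluding the VM from the first play with `all:!jail:!vm` means `poudriereodo` is managed only by `portshaker` and `poudriere`; whatever the `base`, `firewall`, `hosts` and `ansible` roles visible elsewhere in this diff apply to the other hosts is not applied to the build VM, which is the machine that runs third-party port builds and holds the repo signing key. If that is intended, say so on the new play, e.g. `# Build VM: only the build roles run here; base hardening is deliberately not applied`; otherwise add the base roles to the `poudriereodo` play. The explicit `- portshaker` entry in the new play is also redundant with `ansible/roles/poudriere/meta/main.yaml`, which already declares that dependency.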
@@ -13,16 +13,26 @@ # name: [] # state: present # update_cache: true - + - name: Install packages package: name: - ansible state: present +- name: Create directories + file: + name: "{{ item }}" + state: directory + mode: 0755 + owner: root + group: wheel + loop: + - /usr/share/ansible/plugins/connection_plugins + - name: Install sshjail plugin ansible.builtin.get_url: url: https://raw.githubusercontent.com/austinhyde/ansible-sshjail/e712c537ecdfc7a660f222fbac4172dd715fc130/sshjail.py dest: /usr/share/ansible/plugins/connection_plugins/sshjail.py - mode: '0555' + mode: "0555" checksum: sha512:730c887ae7bbf2de34da44fb10a45fdeff649e3f2447df821c93ef02a21ecbef7db2fd57f1fc85fcd0b5b86fa30aa2b9ef143865d1e5086620c7dbe0633207cd diff --git a/ansible/roles/base/files/cleanup_temporary_files b/ansible/roles/base/files/cleanup_temporary_files index 30e91db..43918b0 100644 --- a/ansible/roles/base/files/cleanup_temporary_files +++ b/ansible/roles/base/files/cleanup_temporary_files @@ -1,4 +1,4 @@ #!/usr/bin/env bash # # Delete temporary files on entire disk -find / -type f -name '*.orig' -delete -or -name '*~' -or -name '*.core' -delete -print +find / -type f '(' -name '*.orig' -or -name '*~' -or -name '*.core' ')' -delete -print 2>/dev/null diff --git a/ansible/roles/base/files/homeserver_rc.conf b/ansible/roles/base/files/homeserver_rc.conf index 4da2afc..f2e45da 100644 --- a/ansible/roles/base/files/homeserver_rc.conf +++ b/ansible/roles/base/files/homeserver_rc.conf @@ -2,7 +2,7 @@ clear_tmp_enable="YES" syslogd_flags="-ss" sendmail_enable="NONE" hostname="computer" -local_unbound_enable="YES" +local_unbound_enable="NO" sshd_enable="YES" # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable dumpdev="NO" diff --git a/ansible/roles/base/files/odofreebsd_rc.conf b/ansible/roles/base/files/odofreebsd_rc.conf index 476c16b..7c02282 100644 --- a/ansible/roles/base/files/odofreebsd_rc.conf +++ b/ansible/roles/base/files/odofreebsd_rc.conf 
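Review bot: `find / … -delete` still runs with no filesystem boundary, so with the precedence now fixed it will descend into every mounted dataset — jail roots, 9p/NFS shares, user home directories — and remove any `*~`, `*.orig` or `*.core` it finds there, while the new `2>/dev/null` hides the permission and I/O errors that would reveal it did. Add `-xdev` and keep stderr visible: `find / -xdev -type f '(' -name '*.orig' -or -name '*~' -or -name '*.core' ')' -delete -print`. If the redirect exists to silence one specific noisy path, name it in a comment instead of muting everything.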
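Review bot: `local_unbound_enable="NO"` turns off the host's validating, DoT-forwarding resolver, but nothing in this diff shows what `/etc/resolv.conf` points at afterwards; `service local_unbound setup`, which the network role's new comment says was run by hand, rewrites it to `nameserver 127.0.0.1`, so either resolution now fails or it has silently fallen back to plaintext DHCP-supplied resolvers. The dhcpd change in this commit hands guests `10.213.177.1` as their DNS server, presumably this host, so the same question applies to the VMs. Record the intended resolver path next to this line, e.g. `# local_unbound disabled, see network/files/local_unbound_rc.conf; resolv.conf is managed by <what>`, and verify the fallback is not unencrypted DNS to the upstream router.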
@@ -2,7 +2,6 @@ clear_tmp_enable="YES"
 syslogd_flags="-ss"
 sendmail_enable="NONE"
 hostname="odo"
-local_unbound_enable="YES"
 sshd_enable="YES"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="NO"
diff --git a/ansible/roles/bhyve/files/arch.conf b/ansible/roles/bhyve/files/arch.conf
index ef6ff6d..447049e 100644
--- a/ansible/roles/bhyve/files/arch.conf
+++ b/ansible/roles/bhyve/files/arch.conf
@@ -13,10 +13,25 @@ console="tmux"
 cpu=1
 memory=1024M
-disk0_type="virtio-blk"
+disk0_type="nvme"
 disk0_name="disk0"
 disk0_dev="sparse-zvol"
 virt_random="yes" # virtio-rnd
 # Creates a link to host_bridge1's link3 hook to the vmlink hook on a type socket
 bhyve_options="-s 2:0,virtio-net,netgraph,path=host_bridge1:,peerhook=link3"
+
+# Share a host directory to the guest via 9pfs.
+#
+# Inside the VM run:
+# mount -t virtfs -o trans=virtio sharename /some/vm/path
+# mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
+# mount -t 9p -o trans=virtio,cache=mmap,msize=512000 sharename /path/to/mountpoint
+# bhyve_options="-s 28,virtio-9p,sharename=/"
+
+# Enable Sound
+# bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
+
+# Lower the priority of the VM [-20 highest, 20 only run when system idle] default: 0
+#
+# priority="20"
diff --git a/ansible/roles/firewall/files/homeserver_pf.conf b/ansible/roles/firewall/files/homeserver_pf.conf
index a374e05..f33724e 100644
--- a/ansible/roles/firewall/files/homeserver_pf.conf
+++ b/ansible/roles/firewall/files/homeserver_pf.conf
@@ -44,4 +44,4 @@ pass quick on $ext_if proto udp from any port $dhcp to any port $dhcp
 pass in on host_uplink0 proto udp from any to any port { 53 51820 }
 pass out on host_uplink0 proto tcp from any to any port 8081
-pass in on host_uplink1
+pass on host_uplink1
diff --git a/ansible/roles/firewall/files/odofreebsd_pf.conf b/ansible/roles/firewall/files/odofreebsd_pf.conf
index 16c77e8..ecb4691 100644
--- a/ansible/roles/firewall/files/odofreebsd_pf.conf
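Review bot: `pass on host_uplink1` now permits traffic in both directions on that interface with no address, protocol or port restriction, while every other rule in the hunk is scoped by `proto` and `port`. If `host_uplink1` is the bridge the build VM and other guests hang off, any guest can now reach every listening service on the host and the host can initiate anything toward the guests, which is a larger surface than the old `pass in`. Scope it, e.g. `pass in on host_uplink1 from 10.213.177.0/24 to any` plus an explicit `pass out on host_uplink1 proto { tcp udp } from any to 10.213.177.0/24` if outbound was the actual problem, and add a comment naming the traffic the widening was needed for; the rest of the ruleset, including any default block, is outside this hunk.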
+++ b/ansible/roles/firewall/files/odofreebsd_pf.conf
@@ -42,4 +42,4 @@ pass quick on $ext_if proto udp from any port $dhcp to any port $dhcp
 pass in on host_uplink0 proto udp from any to any port { 53 51820 }
 pass out on host_uplink0 proto tcp from any to any port 8081
-pass in on host_uplink1
+pass on host_uplink1
diff --git a/ansible/roles/hosts/tasks/common.yaml b/ansible/roles/hosts/tasks/common.yaml
index 32cb8ba..654e56f 100644
--- a/ansible/roles/hosts/tasks/common.yaml
+++ b/ansible/roles/hosts/tasks/common.yaml
@@ -1,7 +1,7 @@
 - name: Set the /etc/hosts
 ansible.builtin.lineinfile:
 path: /etc/hosts
- regexp: '^{{ item.key | regex_escape() }}'
+ regexp: '^{{ item.key | regex_escape() }}\s+'
 line: "{{ item.key }} {{ item.value | join(' ') }}"
 loop: "{{ etc_hosts | dict2items }}"
diff --git a/ansible/roles/jail_nat_dhcp/files/dhcpd.conf b/ansible/roles/jail_nat_dhcp/files/dhcpd.conf
index 36d1f19..aa36935 100644
--- a/ansible/roles/jail_nat_dhcp/files/dhcpd.conf
+++ b/ansible/roles/jail_nat_dhcp/files/dhcpd.conf
@@ -9,4 +9,5 @@ subnet 10.213.177.0 netmask 255.255.255.0 {
 range 10.213.177.10 10.213.177.250;
 option broadcast-address 10.213.177.255;
 option routers 10.213.177.1;
+ option domain-name-servers 10.213.177.1;
 }
diff --git a/ansible/roles/network/files/local_unbound_rc.conf b/ansible/roles/network/files/local_unbound_rc.conf
new file mode 100644
index 0000000..c839dee
--- /dev/null
+++ b/ansible/roles/network/files/local_unbound_rc.conf
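Review bot: Same widening as in `homeserver_pf.conf`: `pass on host_uplink1` drops the direction and carries no address, protocol or port match, so if `host_uplink1` is the guest bridge every VM gains unrestricted access to all host services and vice versa. Restrict it to the guest subnet at least, e.g. `pass in on host_uplink1 from 10.213.177.0/24 to any`, with a separate `pass out` rule only if outbound traffic was what broke, and note in a comment why a bidirectional rule was required. The ruleset's default policy is outside this hunk, so I cannot tell what `pass on` overrides.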
@@ -0,0 +1,6 @@
+# For some unknown reason, enabling local unbound with DNS over TLS breaks network connectivity a couple minutes later
+local_unbound_enable="NO"
+local_unbound_tls="YES"
+local_unbound_forwarders="1.0.0.1@853#cloudflare-dns.com 1.1.1.1@853#cloudflare-dns.com 2606:4700:4700::1111@853#cloudflare-dns.com 2606:4700:4700::1001@853#cloudflare-dns.com"
+# local_unbound_forwarders="194.242.2.2@853#doh.mullvad.net"
+# local_unbound_forwarders="194.242.2.2@853#doh.mullvad.net 2a07:e340::2@853#doh.mullvad.net 1.0.0.1@853#cloudflare-dns.com 1.1.1.1@853#cloudflare-dns.com 2606:4700:4700::1111@853#cloudflare-dns.com 2606:4700:4700::1001@853#cloudflare-dns.com"
diff --git a/ansible/roles/network/files/mullvlad_dns_over_tls.conf b/ansible/roles/network/files/mullvlad_dns_over_tls.conf
new file mode 100644
index 0000000..81b18b5
--- /dev/null
+++ b/ansible/roles/network/files/mullvlad_dns_over_tls.conf
@@ -0,0 +1,3 @@
+[Resolve]
+DNS=194.242.2.2#doh.mullvad.net [2a07:e340::2]#doh.mullvad.net
+DNSOverTLS=yes
diff --git a/ansible/roles/network/tasks/freebsd.yaml b/ansible/roles/network/tasks/freebsd.yaml
index 6bc4e2e..49de8b2 100644
--- a/ansible/roles/network/tasks/freebsd.yaml
+++ b/ansible/roles/network/tasks/freebsd.yaml
@@ -1,3 +1,4 @@
+# MANUAL: I had to run `sudo service local_unbound setup`
 - name: Install configuration
 copy:
 src: "files/{{ item.src }}"
@@ -35,3 +36,13 @@
 # - name: net.inet6.ip6.use_tempaddr # Enable privacy addresses
 # value: "1"
 # - name: net.inet6.ip6.prefer_tempaddr # Prefer privacy addresses
+
+- name: Install service configuration
+ copy:
+ src: "files/{{ item }}_rc.conf"
+ dest: "/etc/rc.conf.d/{{ item }}"
+ mode: 0644
+ owner: root
+ group: wheel
+ loop:
+ - local_unbound
diff --git a/ansible/roles/network/tasks/linux.yaml b/ansible/roles/network/tasks/linux.yaml
index e1835f0..e8f1494 100644
--- a/ansible/roles/network/tasks/linux.yaml
+++ b/ansible/roles/network/tasks/linux.yaml
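Review bot: The drop-in sets global `DNS=` with `DNSOverTLS=yes` but no `Domains=~.`; systemd-resolved prefers per-link DNS servers learned from DHCP over the global list, so on a host that receives resolvers via DHCP lookups would still be routed to those servers, and in strict `DNSOverTLS=yes` mode they fail outright when the DHCP-provided server does not speak DoT. Add `Domains=~.` under `[Resolve]` so the Mullvad servers are used for every name. A short comment that the `#doh.mullvad.net` suffix is the certificate name validated for the DoT connection (not a DoH endpoint) would also save the next reader a trip to resolved.conf(5).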
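Review bot: `# MANUAL: I had to run sudo service local_unbound setup` records a step the play does not perform, so a fresh host converges to a different resolver state than the one this was tested on. Express it as a task ordered after the `rc.conf.d/local_unbound` file is installed (setup reads `local_unbound_forwarders` from there), e.g. `- name: Generate local_unbound configuration` / `command: service local_unbound setup` / `args: { creates: /var/unbound/unbound.conf }`, and keep the comment only to explain why the task exists. Note that with `local_unbound_enable="NO"` in the installed rc.conf.d file, `setup` will still point `/etc/resolv.conf` at 127.0.0.1 where nothing is listening, which is worth stating explicitly next to the task.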
@@ -1,6 +1,20 @@
-# - name: Install packages
-# pacman:
-# name:
-# - foo
-# state: present
-# update_cache: true
+- name: Create directories
+ file:
+ name: "{{ item }}"
+ state: directory
+ mode: 0755
+ owner: root
+ group: wheel
+ loop:
+ - /etc/systemd/resolved.conf.d
+
+- name: Copy files
+ copy:
+ src: "files/{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: 0600
+ owner: root
+ group: wheel
+ loop:
+ - src: mullvlad_dns_over_tls.conf
+ dest: /etc/systemd/resolved.conf.d/mullvlad_dns_over_tls.conf
diff --git a/ansible/roles/portshaker/files/freebsd b/ansible/roles/portshaker/files/freebsd
new file mode 100644
index 0000000..3602760
--- /dev/null
+++ b/ansible/roles/portshaker/files/freebsd
@@ -0,0 +1,10 @@
+#!/bin/sh
+. /usr/local/share/portshaker/portshaker.subr
+if [ "$1" != '--' ]; then
+ err 1 "Extra arguments"
+fi
+shift
+method="git"
+git_clone_uri="https://git.FreeBSD.org/ports.git"
+git_branch="main"
+run_portshaker_command $*
diff --git a/ansible/roles/portshaker/files/myrepo b/ansible/roles/portshaker/files/myrepo
new file mode 100644
index 0000000..cbfb281
--- /dev/null
+++ b/ansible/roles/portshaker/files/myrepo
@@ -0,0 +1,10 @@
+#!/bin/sh
+. /usr/local/share/portshaker/portshaker.subr
+if [ "$1" != '--' ]; then
+ err 1 "Extra arguments"
+fi
+shift
+method="git"
+git_clone_uri="https://code.fizz.buzz/talexander/ta_ports.git"
+git_branch="master"
+run_portshaker_command $*
diff --git a/ansible/roles/portshaker/files/portshaker.conf b/ansible/roles/portshaker/files/portshaker.conf
new file mode 100644
index 0000000..0f92d26
--- /dev/null
+++ b/ansible/roles/portshaker/files/portshaker.conf
@@ -0,0 +1,8 @@
+#---[ Base directory for mirrored Ports Trees ]---
+mirror_base_dir="/var/cache/portshaker"
+
+#---[ Directories where to merge ports ]---
+ports_trees="main"
+
+main_ports_tree="/usr/local/portshaker/trees/main"
+main_merge_from="freebsd myrepo"
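Review bot: The resolved drop-in is installed with `mode: 0600`, but systemd-resolved runs as the unprivileged `systemd-resolve` user (`User=` in its unit) and parses `resolved.conf.d` itself, so a root-only file is likely rejected with a permission error in the journal and the DoT settings never take effect; the file contains no secret, so `mode: 0644` is the right setting. The task also has no `notify` handler to restart `systemd-resolved`, so even a readable file is not picked up until the next reboot. `group: wheel` works on Arch but fails on distributions without that group; `root` is the portable choice for root-owned files.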
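Review bot: `git_branch="master"` of `https://code.fizz.buzz/talexander/ta_ports.git` is merged over the official tree with no commit pin and no signature verification, and `portshaker.conf` lists `myrepo` last in `main_merge_from`, so whatever is at that branch head when `portshaker -U` runs can replace any official port and is then built and packaged as root in the jails. The host_vars in this commit already pin the src tree with `revision:`; if portshaker's git method cannot check out a fixed ref, at least fetch over SSH with a known host key and add a comment in this script stating why the overlay is trusted. Separately, `run_portshaker_command $*` re-splits the already-parsed arguments; use `run_portshaker_command "$@"` in both scripts.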
diff --git a/ansible/roles/portshaker/tasks/common.yaml b/ansible/roles/portshaker/tasks/common.yaml new file mode 100644 index 0000000..fef1101 --- /dev/null +++ b/ansible/roles/portshaker/tasks/common.yaml @@ -0,0 +1,15 @@ +- import_tasks: tasks/freebsd.yaml + when: 'os_flavor == "freebsd"' + +- import_tasks: tasks/linux.yaml + when: 'os_flavor == "linux"' + +- include_tasks: + file: tasks/peruser.yaml + apply: + become: yes + become_user: "{{ initialize_user }}" + when: users is defined + loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}" + loop_control: + loop_var: initialize_user diff --git a/ansible/roles/portshaker/tasks/freebsd.yaml b/ansible/roles/portshaker/tasks/freebsd.yaml new file mode 100644 index 0000000..88d317c --- /dev/null +++ b/ansible/roles/portshaker/tasks/freebsd.yaml @@ -0,0 +1,51 @@ +# Update ports tree: +# portshaker -U +# portshaker -M +# +# Force build: +# poudriere bulk -J 4 -C -j current -p default -z testing sysutils/kubectx +# +# Test build with interactive shell +# poudriere testport -i -J 4 -j current -p default -z testing sysutils/kubectx +# optional add -w to save the work directory + +- name: Install packages + package: + name: + - portshaker + - git + state: present + +- name: Create directories + file: + name: "{{ item }}" + state: directory + mode: 0755 + owner: root + group: wheel + loop: + - /usr/local/portshaker/trees + +- name: Install Configuration + copy: + src: "files/{{ item.src }}" + dest: "{{ item.dest }}" + mode: 0644 + owner: root + group: wheel + loop: + - src: portshaker.conf + dest: /usr/local/etc/portshaker.conf + +- name: Install Scripts + copy: + src: "files/{{ item.src }}" + dest: "{{ item.dest }}" + mode: 0755 + owner: root + group: wheel + loop: + - src: freebsd + dest: /usr/local/etc/portshaker.d/freebsd + - src: myrepo + dest: /usr/local/etc/portshaker.d/myrepo 
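Review bot: The usage comments at the top of the role (`poudriere bulk -J 4 -C -j current -p default -z testing …` and the `testport` line) reference a set called `testing`, but the only set this commit configures in `host_vars/poudriereodo` is `framework`, so the documented commands do not match the deployed configuration. Either change the examples to `-z framework` or label them as illustrative, e.g. `# Examples below use placeholder jail/set names; see poudriere_builds in host_vars for the real ones`. Consider also noting next to the `Install Scripts` task that files in `/usr/local/etc/portshaker.d` are executed by root on every `portshaker -U`, which is why they are installed root-owned `0755` rather than writable by the builder account.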
diff --git a/ansible/roles/portshaker/tasks/linux.yaml b/ansible/roles/portshaker/tasks/linux.yaml new file mode 100644 index 0000000..429ad91 --- /dev/null +++ b/ansible/roles/portshaker/tasks/linux.yaml @@ -0,0 +1,21 @@ +# - name: Build aur packages +# register: buildaur +# become_user: "{{ build_user.name }}" +# command: "aurutils-sync --no-view {{ item }}" +# args: +# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*" +# loop: +# - foo + +# - name: Update cache +# when: buildaur.changed +# pacman: +# name: [] +# state: present +# update_cache: true + +# - name: Install packages +# package: +# name: +# - foo +# state: present diff --git a/ansible/roles/portshaker/tasks/main.yaml b/ansible/roles/portshaker/tasks/main.yaml new file mode 100644 index 0000000..87fe19a --- /dev/null +++ b/ansible/roles/portshaker/tasks/main.yaml @@ -0,0 +1,2 @@ +- import_tasks: tasks/common.yaml + when: poudriere_builds is defined and poudriere_builds diff --git a/ansible/roles/portshaker/tasks/peruser.yaml b/ansible/roles/portshaker/tasks/peruser.yaml new file mode 100644 index 0000000..111e886 --- /dev/null +++ b/ansible/roles/portshaker/tasks/peruser.yaml @@ -0,0 +1,29 @@ +- include_role: + name: per_user + +# - name: Create directories +# file: +# name: "{{ account_homedir.stdout }}/{{ item }}" +# state: directory +# mode: 0700 +# owner: "{{ account_name.stdout }}" +# group: "{{ group_name.stdout }}" +# loop: +# - ".config/foo" + +# - name: Copy files +# copy: +# src: "files/{{ item.src }}" +# dest: "{{ account_homedir.stdout }}/{{ item.dest }}" +# mode: 0600 +# owner: "{{ account_name.stdout }}" +# group: "{{ group_name.stdout }}" +# loop: +# - src: foo.conf +# dest: .config/foo/foo.conf + +- import_tasks: tasks/peruser_freebsd.yaml + when: 'os_flavor == "freebsd"' + +- import_tasks: tasks/peruser_linux.yaml + when: 'os_flavor == "linux"' 
diff --git a/ansible/roles/portshaker/tasks/peruser_freebsd.yaml b/ansible/roles/portshaker/tasks/peruser_freebsd.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/portshaker/tasks/peruser_linux.yaml b/ansible/roles/portshaker/tasks/peruser_linux.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/poudriere/defaults/main.yaml b/ansible/roles/poudriere/defaults/main.yaml
new file mode 100644
index 0000000..1e514af
--- /dev/null
+++ b/ansible/roles/poudriere/defaults/main.yaml
@@ -0,0 +1 @@
+poudriere_perf_flags: "-J 16"
diff --git a/ansible/roles/poudriere/files/poudboot b/ansible/roles/poudriere/files/poudboot
new file mode 100644
index 0000000..17070d7
--- /dev/null
+++ b/ansible/roles/poudriere/files/poudboot
@@ -0,0 +1,23 @@
+#!/bin/sh
+# /usr/local/etc/rc.d/poudboot
+#
+# REQUIRE: FILESYSTEM kld
+# PROVIDE: poudboot
+# AFTER: netif
+
+. /etc/rc.subr
+name=poudboot
+rcvar=${name}_enable
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+load_rc_config $name
+
+poudboot_start() {
+ /usr/local/bin/poudboot start
+}
+
+poudboot_stop() {
+ /usr/local/bin/poudboot stop
+}
+
+run_rc_command "$1"
diff --git a/ansible/roles/poudriere/files/poudboot.bash b/ansible/roles/poudriere/files/poudboot.bash
new file mode 100644
index 0000000..5645a38
--- /dev/null
+++ b/ansible/roles/poudriere/files/poudboot.bash
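Review bot: `poudboot_start` runs `/usr/local/bin/poudboot start` in the foreground, and that script (added in this same commit) runs `poudriere bulk` to completion, so with only `REQUIRE: FILESYSTEM kld` rcorder is free to place this before `sshd` and the rest of `LOGIN`; a multi-hour build would then stall the remainder of boot and leave the VM unreachable. Start it detached via daemon(8) with a pidfile and require `LOGIN NETWORKING` so sshd and the network needed for `make fetch` are up first; that also gives `stop` a process to signal, which the bash side currently leaves unimplemented.
```sh
# REQUIRE: LOGIN NETWORKING
# PROVIDE: poudboot
# … unchanged: . /etc/rc.subr, name, rcvar …
pidfile="/var/run/${name}.pid"
command="/usr/sbin/daemon"
command_args="-f -p ${pidfile} /usr/local/bin/poudboot start"
load_rc_config $name
run_rc_command "$1"
```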
@@ -0,0 +1,73 @@ +#!/usr/bin/env bash +# +# Run poudriere at system boot. Useful for virtual machines so launching the VM also kicks off a build. +set -euo pipefail +IFS=$'\n\t' +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +function main { + COMMAND="$1" + shift 1 + + if [ "$COMMAND" = "start" ]; then + cmd_start "${@}" + elif [ "$COMMAND" = "stop" ]; then + cmd_stop "${@}" + else + die 1 "Unrecognized command: $COMMAND" + fi +} + +function die { + exit_code="$1" + shift 1 + (>&2 echo "${@}") + exit "$exit_code" +} + +function abort_if_jobs_running { + if [[ $(sudo poudriere status) != *"No running builds"* ]]; then + echo "There is already a poudriere build in progress, exiting." + exit 0 + fi +} + +function build { + poudriere pkgclean -y "$@" + poudriere bulk -J "${POUDRIERE_JOBS:-1}" "$@" +} + +function cmd_start { + abort_if_jobs_running + + # Allow command failures without quitting the script because some + # package sets might fail whereas others may succeed based on which + # packages are in each set. + set +e + + for conf in /opt/poudriere/build_configs/*; do + ( + source "$conf" + build -j "$JAIL" -p "$PORTS" -z "$SET" -f /usr/local/etc/poudriere.d/$JAIL-$PORTS-$SET-pkglist + ) + done + + # Re-enable exiting on failed commands + set -e + + # Cleanup old unused dist files + for conf in /opt/poudriere/build_configs/*; do + ( + source "$conf" + poudriere distclean -y -p "$PORTS" -f /usr/local/etc/poudriere.d/$JAIL-$PORTS-$SET-pkglist + ) + done + + poudriere logclean -y 180 +} + +function cmd_stop { + echo "cmd_stop not implemented." +} + +main "${@}" diff --git a/ansible/roles/poudriere/files/poudriere.conf b/ansible/roles/poudriere/files/poudriere.conf new file mode 100644 index 0000000..8b0e368 --- /dev/null +++ b/ansible/roles/poudriere/files/poudriere.conf 
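Review bot: `abort_if_jobs_running` calls `sudo poudriere status` while every other poudriere invocation in the script runs directly; launched from the rc script this already runs as root, so `sudo` is at best a no-op and at worst an unexpected dependency (sudo absent on a minimal VM, or a requiretty/askpass failure at boot) that, under `set -e`, aborts before any build starts. Drop it: `if [[ $(poudriere status) != *"No running builds"* ]]; then`. The loop also `source`s every file matched by `/opt/poudriere/build_configs/*` as root, including editor backups such as `foo~`; a narrower glob like `*.conf` or an ownership check would make the intent explicit, and `cmd_stop` only prints a message, so `service poudboot stop` cannot interrupt a running build.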
@@ -0,0 +1,350 @@ + +# Poudriere can optionally use ZFS for its ports/jail storage. For +# ZFS define ZPOOL, otherwise set NO_ZFS=yes +# +#### ZFS +# The pool where poudriere will create all the filesystems it needs +# poudriere will use ${ZPOOL}/${ZROOTFS} as its root +# +# You need at least 7GB of free space in this pool to have a working +# poudriere. +# +#ZPOOL=zroot +ZPOOL=zroot + +### NO ZFS +# To not use ZFS, define NO_ZFS=yes +#NO_ZFS=yes + +# root of the poudriere zfs filesystem, by default /poudriere +# ZROOTFS=/poudriere +ZROOTFS=/poudriere + +# the host where to download sets for the jails setup +# You can specify here a host or an IP +# replace _PROTO_ by http or ftp +# replace _CHANGE_THIS_ by the hostname of the mirrors where you want to fetch +# by default: ftp://ftp.freebsd.org +# +# Also note that every protocols supported by fetch(1) are supported here, even +# file:/// +# Suggested: https://download.FreeBSD.org +FREEBSD_HOST=https://download.FreeBSD.org + +# By default the jails have no /etc/resolv.conf, you will need to set +# RESOLV_CONF to a file on your hosts system that will be copied has +# /etc/resolv.conf for the jail, except if you don't need it (using an http +# proxy for example) +RESOLV_CONF=/etc/resolv.conf + +# The directory where poudriere will store jails and ports +BASEFS=/usr/local/poudriere + +# The directory where the jail will store the packages and logs +# by default a zfs filesystem will be created and set to +# ${BASEFS}/data +# +#POUDRIERE_DATA=${BASEFS}/data + +# Use portlint to check ports sanity +USE_PORTLINT=no + +# When building packages, a memory device can be used to speedup the build. +# Only one of MFSSIZE or USE_TMPFS is supported. TMPFS is generally faster +# and will expand to the needed amount of RAM. MFS is a slower since it +# uses UFS and several abstraction layers. 
+ +# If set WRKDIRPREFIX will be mdmfs of the given size (mM or gG) +#MFSSIZE=4G + +# Use tmpfs(5) +# This can be a space-separated list of options: +# wrkdir - Use tmpfs(5) for port building WRKDIRPREFIX +# data - Use tmpfs(5) for poudriere cache/temp build data +# localbase - Use tmpfs(5) for LOCALBASE (installing ports for packaging/testing) +# all - Run the entire build in memory, including builder jails. +# yes - Enables tmpfs(5) for wrkdir and data +# no - Disable use of tmpfs(5) +# EXAMPLE: USE_TMPFS="wrkdir data" +USE_TMPFS=all +# USE_TMPFS=yes +# USE_TMPFS=no + +# How much memory to limit tmpfs size to for *each builder* in GiB +# (default: none) +#TMPFS_LIMIT=8 +TMPFS_LIMIT=16 + +# How much memory to limit jail processes to for *each builder* +# in GiB (default: none) +#MAX_MEMORY=8 + +# How many file descriptors to limit each jail process to (default: 1024) +# This can also be set per PKGBASE, such as MAX_FILES_RStudio=2048. +# Package names with hyphens (-) should be replaced with underscores (_). +#MAX_FILES=1024 + +# If set the given directory will be used for the distfiles +# This allows to share the distfiles between jails and ports tree +# If this is "no", poudriere must be supplied a ports tree that already has +# the required distfiles. 
+DISTFILES_CACHE=/usr/ports/distfiles + +# If set the ports tree marked to use git will use the defined +# mirror (default: git.FreeBSD.org/port.git) +# +# Example to use github mirror: +#GIT_BASEURL=https://github.com/freebsd/freebsd-src.git + +# If set the source tree marked to use git will use the defined +# mirror (default: git.FreeBSD.org/src.git) +# +# Example to use github mirror: +#GIT_PORTSURL=https://github.com/freebsd/freebsd-ports.git + +# If set the ports tree or source tree marked to use svn will use the defined +# mirror (default: svn.FreeBSD.org) +# The SSL fingerprints are published here: +# https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/svn.html#svn-mirrors +#SVN_HOST=svn.FreeBSD.org + +# Automatic OPTION change detection +# When bulk building packages, compare the options from kept packages to +# the current options to be built. If they differ, the existing package +# will be deleted and the port will be rebuilt. +# Valid options: yes, no, verbose +# verbose will display the old and new options +#CHECK_CHANGED_OPTIONS=verbose + +# Automatic Dependency change detection +# When bulk building packages, compare the dependencies from kept packages to +# the current dependencies for every port. If they differ, the existing package +# will be deleted and the port will be rebuilt. This helps catch changes such +# as DEFAULT_RUBY_VERSION, PERL_VERSION, WITHOUT_X11 that change dependencies +# for many ports. +# Valid options: yes, no +# Default: yes +#CHECK_CHANGED_DEPS=yes + +# Consider bad dependency lines on the wrong PKGNAME as fatal. +# For example: +# BUILD_DEPENDS= p5-List-MoreUtils>=0:lang/p5-List-MoreUtils +# If this port's PKGNAME were really "List-MoreUtils" then it would +# not be recorded into the resulting package. The next build with +# CHECK_CHANGED_DEPS enabled would consider it a "new dependency" +# since it is in the port but not in the package. 
This is usually +# a warning but can be made fatal instead by enabling this option. +# Default: no +#BAD_PKGNAME_DEPS_ARE_FATAL=yes + + +# Path to the RSA key to sign the PKG repo with. See pkg-repo(8) +#PKG_REPO_SIGNING_KEY=/etc/ssl/keys/repo.key +PKG_REPO_SIGNING_KEY=/usr/local/etc/poudriere.d/poudriere.key + +# Command to sign the PKG repo with. See pkg-repo(8) +# This produces a repo that supports SIGNATURE_TYPE=FINGERPRINTS +# Default: not set +#SIGNING_COMMAND=ssh signing-server sign.sh + +# Repo signing command execution context +# If SIGNING_COMMAND is set, run pkg-repo(8) on the host? +# no - Run in the jail +# yes - Run on the host +# Default: no +#PKG_REPO_FROM_HOST=yes + +# ccache support. Supply the path to your ccache cache directory. +# It will be mounted into the jail and be shared among all jails. +# It is recommended that extra ccache configuration be done with +# ccache -o rather than from the environment. +#CCACHE_DIR=/var/cache/ccache + +# Static ccache support from host. This uses the existing +# ccache from the host in the build jail. This is useful for +# using ccache+memcached which cannot easily be bootstrapped +# otherwise. The path to the PREFIX where ccache was installed +# must be used here, and ccache must have been built statically. +# Note also that ccache+memcached will require network access +# which is normally disabled. Separately setting RESTRICT_NETWORKING=no +# may be required for non-localhost memcached servers. +#CCACHE_STATIC_PREFIX=/usr/local + +# The jails normally only allow network access during the 'make fetch' +# phase. This is a security restriction to prevent random things +# ran during a build from accessing the network. Disabling this +# is not advised. ALLOW_NETWORKING_PACKAGES may be used to allow networking +# for a subset of packages only. +#RESTRICT_NETWORKING=yes +#ALLOW_NETWORKING_PACKAGES="npm-foo" + +# parallel build support. +# +# By default poudriere uses hw.ncpu to determine the number of builders. 
+# You can override this default by changing PARALLEL_JOBS here, or +# by specifying the -J flag to bulk/testport. +# +# Example to define PARALLEL_JOBS to one single job +# PARALLEL_JOBS=1 +PARALLEL_JOBS=1 + +# How many jobs should be used for preparing the build? These tend to +# be more IO bound and may be worth tweaking. Default: PARALLEL_JOBS * 1.25 +# PREPARE_PARALLEL_JOBS=1 + + +# If set, failed builds will save the WRKDIR to ${POUDRIERE_DATA}/wrkdirs +# SAVE_WRKDIR=yes + +# Choose the default format for the workdir packing: could be tar,tgz,tbz,txz +# default is tbz +# WRKDIR_ARCHIVE_FORMAT=tbz +WRKDIR_ARCHIVE_FORMAT=txz + +# Disable Linux support +# NOLINUX=yes + +# By default poudriere sets FORCE_PACKAGE +# To disable it (useful when building public packages): +# NO_FORCE_PACKAGE=yes + +# By default poudriere sets PACKAGE_BUILDING +# To disable it: +# NO_PACKAGE_BUILDING=yes + +# If you are using a proxy define it here: +# export HTTP_PROXY=bla +# export FTP_PROXY=bla +# +# Cleanout the restricted packages +# NO_RESTRICTED=yes + +# By default MAKE_JOBS is disabled to allow only one process per cpu +# Use the following to allow it anyway +# ALLOW_MAKE_JOBS=yes +ALLOW_MAKE_JOBS=yes + +# List of packages that will always be allowed to use MAKE_JOBS +# regardless of ALLOW_MAKE_JOBS. This is useful for allowing ports +# which holdup the rest of the queue to build more quickly. +#ALLOW_MAKE_JOBS_PACKAGES="pkg ccache py*" + +# Timestamp every line of build logs +# Default: no +#TIMESTAMP_LOGS=no + +# URL where your POUDRIERE_DATA/logs are hosted +# This will be used for giving URL hints to the HTML output when +# scheduling and starting builds +# URL_BASE=https://freebsdpkg.fizz.buzz/logs + + +# This defines the max time (in seconds) that a command may run for a build +# before it is killed for taking too long. 
Default: 86400 +#MAX_EXECUTION_TIME=86400 +# 2 days +MAX_EXECUTION_TIME=172800 + +# This defines the time (in seconds) before a command is considered to +# be in a runaway state for having no output on stdout. Default: 7200 +#NOHANG_TIME=7200 +NOHANG_TIME=14400 + + +# The repository is updated atomically if set yes. This leaves the +# repository untouched until the build completes. This involves using +# hardlinks and symlinks. The operations are fast, but can be intrusive +# for remote syncing or backups. +# Recommended to always keep on. +# Default: yes +#ATOMIC_PACKAGE_REPOSITORY=yes + +# When using ATOMIC_PACKAGE_REPOSITORY, commit the packages if some +# packages fail to build. Ignored ports are considered successful. +# This can be set to 'no' to only commit the packages once no failures +# are encountered. +# Default: yes +#COMMIT_PACKAGES_ON_FAILURE=yes +COMMIT_PACKAGES_ON_FAILURE=no + +# Keep older package repositories. This can be used to rollback a system +# or to bisect issues by changing the repository to one of the older +# versions and reinstalling everything with `pkg upgrade -f` +# ATOMIC_PACKAGE_REPOSITORY is required for this. +# Default: no +#KEEP_OLD_PACKAGES=no + +# How many old package repositories to keep with KEEP_OLD_PACKAGES +# Default: 5 +#KEEP_OLD_PACKAGES_COUNT=5 + +# Make testing errors fatal. +# If set to 'no', ports with test failure will be marked as failed but still +# packaged to permit testing dependent ports (useful for bulk -t -a) +# Default: yes +#PORTTESTING_FATAL=yes + +# Define the building jail hostname to be used when building the packages +# Some port/packages hardcode the hostname of the host during build time +# This is a necessary setup for reproducible builds. +#BUILDER_HOSTNAME=pkg.FreeBSD.org + +# Define to get a predictable timestamp on the ports tree +# This is a necessary setup for reproducible builds. 
+#PRESERVE_TIMESTAMP=yes + +# Define to yes to build and stage as a regular user +# Default: yes, unless CCACHE_DIR is set and CCACHE_DIR_NON_ROOT_SAFE is not +# set. Note that to use ccache with BUILD_AS_NON_ROOT you will need to +# use a non-shared CCACHE_DIR that is only built by PORTBUILD_USER and chowned +# to that user. Then set CCACHE_DIR_NON_ROOT_SAFE to yes. +#BUILD_AS_NON_ROOT=no + +# Define to the username to build as when BUILD_AS_NON_ROOT is yes. +# Default: nobody (uid PORTBUILD_UID) +#PORTBUILD_USER=nobody + +# Define to the uid to use for PORTBUILD_USER if the user does not +# already exist in the jail. +# Default: 65532 +#PORTBUILD_UID=65534 + +# Define pkgname globs to boost priority for +# Default: none +#PRIORITY_BOOST="pypy openoffice*" + +# Define format for buildnames +# Default: %Y-%m-%d_%Hh%Mm%Ss +# ISO8601: +#BUILDNAME_FORMAT="%FT%T%z" + +# Define format for build duration times +# Default: %H:%M:%S +#DURATION_FORMAT="%H:%M:%S" + +# Use colors when in a TTY +# Default: yes +#USE_COLORS=yes + +# Only build what is requested. Do not rebuild build deps if nothing requested +# depends on them. This can create an inconsistent repository if you often +# build one-off packages but expect the repository to stay consistent. +# Defaut: yes +#TRIM_ORPHANED_BUILD_DEPS=yes + +# A list of directories to exclude from leftover and filesystem violation +# mtree checks. Ccache is used here as an example but is already +# excluded by default. There is no need to add it here unless a +# special configuration is used where it is a problem. +# Default: none +#LOCAL_MTREE_EXCLUDES="/usr/obj /var/tmp/ccache" + +# Set to hosted to use the /data directory instead of inline style HTML +# Default: inline +#HTML_TYPE="hosted" +HTML_TYPE="hosted" + +# Set to track remaining ports in the HTML interface. This can slow down +# processing of the queue slightly, especially for bulk -a builds. +# Default: no +#HTML_TRACK_REMAINING=yes 
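Review bot: `PKG_REPO_SIGNING_KEY=/usr/local/etc/poudriere.d/poudriere.key` keeps the private repository signing key on the same VM that builds third-party ports as root, so a jail escape or a malicious port pulled in through the `myrepo` overlay can sign packages that every consumer of this repository trusts; the `SIGNING_COMMAND=ssh signing-server sign.sh` option commented just below exists precisely to keep the key off the builder, and `PKG_REPO_FROM_HOST=yes` then keeps signing out of the jail as well. Until that is done, acknowledge the trade-off above the line, e.g. `# NOTE: private signing key lives on the build host; rotate it and redistribute the fingerprint if this VM is ever compromised`. `RESOLV_CONF=/etc/resolv.conf` together with `local_unbound_enable="NO"` elsewhere in this commit also means the jails inherit whatever plaintext resolver the host ends up with during `make fetch`, which is worth a comment so it is not mistaken for a validated path.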
diff --git a/ansible/roles/poudriere/files/poudriere.d/13amd64-default-framework-make.conf b/ansible/roles/poudriere/files/poudriere.d/13amd64-default-framework-make.conf
new file mode 100644
index 0000000..38a4330
--- /dev/null
+++ b/ansible/roles/poudriere/files/poudriere.d/13amd64-default-framework-make.conf
@@ -0,0 +1,17 @@
+# Disable CPUTYPE optimizations when compiling gcc48 because tigerlake is not included in gcc4.8
+#
+# Disable CPUTYPE optimizations when compiling ripgrep because the build is failing https://github.com/BurntSushi/ripgrep/issues/1721
+#
+# Disable CPUTYPE optimizations for firefox due to failing build.
+#
+# Example from bottom of /usr/share/examples/etc/make.conf
+.if ${.CURDIR:N*/lang/gcc48*} && ${.CURDIR:N*/lang/gcc10*} && ${.CURDIR:N*/textproc/ripgrep*} && ${.CURDIR:N*/www/firefox*}
+# Disabling tigerlake optimizations because qemu's TCG does not support avx512
+#
+#CPUTYPE?=tigerlake
+CPUTYPE?=x86-64-v3
+.endif
+OPTIMIZED_CFLAGS=YES
+BUILD_OPTIMIZED=YES
+WITH_CPUFLAGS=YES
+BUILD_STATIC=YES
diff --git a/ansible/roles/poudriere/files/poudriere.key b/ansible/roles/poudriere/files/poudriere.key
new file mode 100644
index 0000000..7f11634
Binary files /dev/null and b/ansible/roles/poudriere/files/poudriere.key differ
diff --git a/ansible/roles/poudriere/meta/main.yaml b/ansible/roles/poudriere/meta/main.yaml
new file mode 100644
index 0000000..c762ec6
--- /dev/null
+++ b/ansible/roles/poudriere/meta/main.yaml
@@ -0,0 +1,2 @@
+dependencies:
+ - portshaker
diff --git a/ansible/roles/poudriere/tasks/common.yaml b/ansible/roles/poudriere/tasks/common.yaml
new file mode 100644
index 0000000..fef1101
--- /dev/null
+++ b/ansible/roles/poudriere/tasks/common.yaml
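Review bot: `CPUTYPE?=x86-64-v3` bakes AVX2/BMI/FMA into every package outside the four excluded ports, so any host that installs from this repository on a pre-Haswell/Zen CPU, or in a VM whose CPU model hides those flags (the qemu/TCG comment already hints at this), gets SIGILL at runtime rather than a pkg-time error; document that constraint at the top, e.g. `# NOTE: packages from this set require an x86-64-v3 (AVX2) CPU on every consumer host`. `BUILD_STATIC=YES` deserves its own line of rationale, since statically linked binaries only pick up a library's security fix when the dependent port is rebuilt, which changes how quickly this repository can ship fixes. `OPTIMIZED_CFLAGS`, `BUILD_OPTIMIZED` and `WITH_CPUFLAGS` appear to be per-port knobs honoured only by individual ports rather than framework settings; a one-line comment saying so would stop them being read as global guarantees.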
@@ -0,0 +1,15 @@
+- import_tasks: tasks/freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+ when: 'os_flavor == "linux"'
+
+- include_tasks:
+ file: tasks/peruser.yaml
+ apply:
+ become: yes
+ become_user: "{{ initialize_user }}"
+ when: users is defined
+ loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+ loop_control:
+ loop_var: initialize_user
diff --git a/ansible/roles/poudriere/tasks/freebsd.yaml b/ansible/roles/poudriere/tasks/freebsd.yaml
new file mode 100644
index 0000000..5675cc0
--- /dev/null
+++ b/ansible/roles/poudriere/tasks/freebsd.yaml
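Review bot: The `include_tasks` at the end of the hunk expands `loop` before `when` is evaluated, so on a host where `users` is undefined the `dict2items` template fails with an undefined-variable error rather than being skipped by `when: users is defined`. Make the loop expression total, e.g. `loop: "{{ users | default({}) | dict2items | ... }}"` with the rest of the filter chain unchanged, and keep the `when` as a readability hint. `community.general.json_query` also needs the jmespath package on the controller, which the role's dependencies (meta/main.yaml lists only portshaker) do not capture; a short comment above the task would save a confusing failure on a fresh machine.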
@@ -0,0 +1,140 @@
+#
+# Get CPU type:
+# sh -c "clang -v -fsyntax-only -march=native -x c /dev/null 2>&1 | grep -e '-target-cpu' | sed -e 's|.*-target-cpu \([[:alnum:]]*\) .*|\1|'"
+#
+# Check the CPU type:
+# make -C /usr/src CPUTYPE=broadwell -V MACHINE_CPU
+#
+# Generate options file for ports
+# poudriere options -j 12amd64 -p default -z stream -f /usr/local/etc/poudriere.d/12amd64-default-stream-pkglist
+#
+# Generate options file for specific ports
+# poudriere options -j 12amd64 -p default -z stream -c lang/gcc48
+#
+# Build the packages
+# poudriere bulk -j 12amd64 -p default -z stream -f /usr/local/etc/poudriere.d/12amd64-default-stream-pkglist
+#
+# List installed packages
+# pkg query -e '%a = 0' '%o' | sort
+#
+# Consider setting the following in the poudriere vm-bhyve config:
+# priority="20"
+
+- name: Install packages
+ package:
+ name:
+ - poudriere
+ - bash
+ - rsync
+ - flock
+ state: present
+
+- name: Create directories
+ file:
+ name: "{{ item }}"
+ state: directory
+ mode: 0755
+ owner: root
+ group: wheel
+ loop:
+ # - /usr/ports/distfiles
+ - /opt/poudriere/build_configs
+ - /usr/local/poudriere/data/logs/bulk
+
+- name: Install Configuration
+ copy:
+ src: "files/{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: 0600
+ owner: root
+ group: wheel
+ loop:
+ - src: poudriere.conf
+ dest: /usr/local/etc/poudriere.conf
+ - src: poudriere.key
+ dest: /usr/local/etc/poudriere.d/poudriere.key
+# - src: poudriere_deploy_ed25519
+# dest: /usr/local/etc/poudriere.d/poudriere_deploy_ed25519
+
+# - name: Install Configuration directory
+# copy:
+# src: "files/{{ item.src }}"
+# dest: "{{ item.dest }}"
+# owner: root
+# group: wheel
+# loop:
+# - src: poudriere.d
+# dest: /usr/local/etc/
+
+- name: Install scripts
+ copy:
+ src: "files/{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: 0755
+ owner: root
+ group: wheel
+ loop:
+ - src: poudboot.bash
+ dest: /usr/local/bin/poudboot
+
+- name: Install Configuration
+ template:
+ src: "build_config.j2"
+ dest: "/opt/poudriere/build_configs/{{ item.jail }}-{{ item.ports }}-{{ item.set }}"
+ owner: root
+ group: wheel
+ mode: 0600
+ loop: "{{ poudriere_builds }}"
+
+- name: Install rc script
+ copy:
+ src: "files/{{ item.src }}"
+ dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+ owner: root
+ group: wheel
+ mode: 0755
+ loop:
+ - src: poudboot
+
+- name: Get ports tree list
+ command: poudriere ports -ln
+ register: poudriere_ports_tree_list
+ changed_when: false
+ check_mode: no
+
+- name: Configure the ports tree
+ command: poudriere ports -c -m null -M /usr/local/portshaker/trees/main -p default
+ when: '"default" not in poudriere_ports_tree_list.stdout_lines'
+
+- name: Get jail list
+ command: poudriere jail -l -n -q
+ register: poudriere_jail_list
+ changed_when: false
+ check_mode: no
+
+- name: Create the jails
+ when: item.version != "CURRENT"
+ command: |-
+ poudriere jail {{poudriere_perf_flags}} -c -j {{ item.jail }} -v {{ item.version }}
+ args:
+ creates: "/usr/local/poudriere/jails/{{ item.jail }}"
+ loop: "{{ poudriere_builds }}"
+
+- name: Create the jails
+ when: item.version == "CURRENT"
+ # -D clones the entire history instead of just the most recent commit
+ command: |-
+ poudriere jail {{poudriere_perf_flags}} -c -j {{ item.jail }} -v {{ item.branch|default("main") }} -a amd64 -m git -D -U https://git.FreeBSD.org/src.git -K {{ item.kernel|default("GENERIC") }}
+ args:
+ creates: "/usr/local/poudriere/jails/{{ item.jail }}"
+ loop: "{{ poudriere_builds }}"
+
+# - name: Get current jail version
+# command: poudriere jail -i -j current
+# register: current_jail_version
+# changed_when: false
+# check_mode: no
+
+# - name: Set current jail version
+# command: "poudriere jail -u {{poudriere_perf_flags}} -j current -t {{ freebsd_version }}"
+# when: freebsd_version[:9] not in current_jail_version.stdout
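Review bot: The CURRENT jail task at the end of the hunk never reads `item.revision`, even though the host_vars added in this commit pin one, so the jail is built from whatever `main` points at when the task runs and a re-provision or a second host can end up with a different kernel than the one that was reviewed. Either drop the unused key from host_vars or check out the pinned commit after the clone; I have not verified whether poudriere's git method accepts a commit hash in `-v`, so that path needs a test before relying on it. `poudriere_jail_list` is registered in "Get jail list" but nothing reads it (both create tasks rely on `creates:`), and two tasks share the name "Install Configuration", which makes `--start-at-task` and log reading ambiguous — rename the template one, e.g. `- name: Install build configs`. `poudriere_perf_flags` is not defined anywhere in this diff; if it is not set elsewhere the play fails at templating.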
diff --git a/ansible/roles/poudriere/tasks/linux.yaml b/ansible/roles/poudriere/tasks/linux.yaml
new file mode 100644
index 0000000..429ad91
--- /dev/null
+++ b/ansible/roles/poudriere/tasks/linux.yaml
@@ -0,0 +1,21 @@
+# - name: Build aur packages
+# register: buildaur
+# become_user: "{{ build_user.name }}"
+# command: "aurutils-sync --no-view {{ item }}"
+# args:
+# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+# loop:
+# - foo
+
+# - name: Update cache
+# when: buildaur.changed
+# pacman:
+# name: []
+# state: present
+# update_cache: true
+
+# - name: Install packages
+# package:
+# name:
+# - foo
+# state: present
diff --git a/ansible/roles/poudriere/tasks/main.yaml b/ansible/roles/poudriere/tasks/main.yaml
new file mode 100644
index 0000000..87fe19a
--- /dev/null
+++ b/ansible/roles/poudriere/tasks/main.yaml
@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+ when: poudriere_builds is defined and poudriere_builds
diff --git a/ansible/roles/poudriere/tasks/peruser.yaml b/ansible/roles/poudriere/tasks/peruser.yaml
new file mode 100644
index 0000000..111e886
--- /dev/null
+++ b/ansible/roles/poudriere/tasks/peruser.yaml
@@ -0,0 +1,29 @@
+- include_role:
+ name: per_user
+
+# - name: Create directories
+# file:
+# name: "{{ account_homedir.stdout }}/{{ item }}"
+# state: directory
+# mode: 0700
+# owner: "{{ account_name.stdout }}"
+# group: "{{ group_name.stdout }}"
+# loop:
+# - ".config/foo"
+
+# - name: Copy files
+# copy:
+# src: "files/{{ item.src }}"
+# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+# mode: 0600
+# owner: "{{ account_name.stdout }}"
+# group: "{{ group_name.stdout }}"
+# loop:
+# - src: foo.conf
+# dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+ when: 'os_flavor == "linux"'
diff --git a/ansible/roles/poudriere/tasks/peruser_freebsd.yaml b/ansible/roles/poudriere/tasks/peruser_freebsd.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/poudriere/tasks/peruser_linux.yaml b/ansible/roles/poudriere/tasks/peruser_linux.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/poudriere/templates/build_config.j2 b/ansible/roles/poudriere/templates/build_config.j2
new file mode 100644
index 0000000..52ee8eb
--- /dev/null
+++ b/ansible/roles/poudriere/templates/build_config.j2
@@ -0,0 +1,3 @@
+JAIL={{ item.jail }}
+PORTS={{ item.ports }}
+SET={{ item.set }}
diff --git a/ansible/roles/sway/files/launch_sway_freebsd.bash b/ansible/roles/sway/files/launch_sway_freebsd.bash
index ba743c0..dfb1225 100644
--- a/ansible/roles/sway/files/launch_sway_freebsd.bash
+++ b/ansible/roles/sway/files/launch_sway_freebsd.bash
@@ -11,6 +11,8 @@ if [[ ! -v XDG_RUNTIME_DIR ]]; then
 fi
+export XDG_CURRENT_DESKTOP=sway
+
+# Enable wayland support for firefox
+export MOZ_ENABLE_WAYLAND=1
diff --git a/ansible/roles/sway/files/launch_sway_linux.bash b/ansible/roles/sway/files/launch_sway_linux.bash
index f7d9561..d1e10a3 100644
--- a/ansible/roles/sway/files/launch_sway_linux.bash
+++ b/ansible/roles/sway/files/launch_sway_linux.bash
@@ -5,4 +5,6 @@ set -euo pipefail IFS=$'\n\t' DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+export XDG_CURRENT_DESKTOP=sway
+
+exec sway -d &> $HOME/.config/swaylog
diff --git a/ansible/run.bash b/ansible/run.bash
index 2f37517..2d7eba8 100755
--- a/ansible/run.bash
+++ b/ansible/run.bash
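Review bot: The three assignments in build_config.j2 are written unquoted, and the file reads as a shell fragment meant to be sourced (presumably by the poudboot script, which is outside this diff), so a jail, ports or set name containing whitespace or shell metacharacters would change what the sourcing script executes rather than just mis-set a variable. The values come from host_vars, so the exposure today is low, but quoting costs nothing: `JAIL="{{ item.jail }}"`, `PORTS="{{ item.ports }}"`, `SET="{{ item.set }}"`.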
@@ -26,7 +26,8 @@ elif [ "$target" = "jail_nat_dhcp" ]; then
 ansible-playbook -v -i environments/jail playbook.yaml --diff --limit nat_dhcp "${@}"
 elif [ "$target" = "jail_homeserver_nat_dhcp" ]; then
 ansible-playbook -v -i environments/jail playbook.yaml --diff --limit homeserver_nat_dhcp "${@}"
- #
+elif [ "$target" = "vm_poudriereodo" ]; then
+ ansible-playbook -v -i environments/vm playbook.yaml --diff --limit poudriereodo "${@}"
 else
 die 1 "Unrecognized target"
 fi