diff --git a/ansible/environments/colo/host_vars/mrmanager b/ansible/environments/colo/host_vars/mrmanager
new file mode 100644
index 0000000..ed468c3
--- /dev/null
+++ b/ansible/environments/colo/host_vars/mrmanager
@@ -0,0 +1,29 @@
+os_flavor: "freebsd"
+zfs_snapshot_datasets:
+  - zroot/freebsd/main/be
+sshd_enabled: true
+loader_conf: "mrmanager_loader.conf"
+rc_conf: "mrmanager_rc.conf"
+network_rc: "mrmanager_network.conf"
+routing_rc: "mrmanager_routing.conf"
+pf_config: "mrmanager_pf.conf"
+pflog_conf:
+  - name: 0
+    dev: pflog0
+cputype: "amd"
+etc_hosts: {}
+wireguard_directory: mrmanager
+enabled_wireguard:
+  - colo
+jail_zfs_dataset: zdata/jail
+jail_zfs_dataset_mountpoint: /jail/main
+jail_canmount: "on"
+jail_list:
+  - name: nat_dhcp
+    enabled: true
+    conf:
+      src: nat_dhcp
+bhyve_dataset: zdata/vm
+bhyve_canmount: "on"
+# efi_dev: /dev/gpt/EFI
+devfs_rules: "mrmanager_devfs.rules"
diff --git a/ansible/environments/colo/hosts b/ansible/environments/colo/hosts
new file mode 100644
index 0000000..67310e4
--- /dev/null
+++ b/ansible/environments/colo/hosts
@@ -0,0 +1,2 @@
+[server]
+mrmanager ansible_user=talexander ansible_host=10.217.2.1
diff --git a/ansible/environments/jail/host_vars/mrmanager_nat_dhcp b/ansible/environments/jail/host_vars/mrmanager_nat_dhcp
new file mode 100644
index 0000000..1d0b6d9
--- /dev/null
+++ b/ansible/environments/jail/host_vars/mrmanager_nat_dhcp
@@ -0,0 +1 @@
+os_flavor: "freebsd"
diff --git a/ansible/environments/jail/hosts b/ansible/environments/jail/hosts
index 8e6ff96..065fb4c 100644
--- a/ansible/environments/jail/hosts
+++ b/ansible/environments/jail/hosts
@@ -1,4 +1,5 @@
 [jail]
 nat_dhcp ansible_connection=jail
 homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@172.16.16.2 ansible_connection=sshjail
+mrmanager_nat_dhcp ansible_ssh_host=nat_dhcp@10.217.2.1 ansible_connection=sshjail
 nat_dhcp@172.16.16.2 ansible_connection=sshjail
diff --git a/ansible/environments/vm/host_vars/poudrieremrmanager b/ansible/environments/vm/host_vars/poudrieremrmanager
new file mode 100644
index 0000000..348014b
--- /dev/null
+++ b/ansible/environments/vm/host_vars/poudrieremrmanager
@@ -0,0 +1,13 @@
+os_flavor: "freebsd"
+poudriere_builds:
+  - jail: 13amd64
+    ports: default
+    set: framework
+    version: 13.2-RELEASE
+  # - jail: current
+  #   ports: default
+  #   set: framework
+  #   version: CURRENT
+  #   revision: af01b4722577903f91acc44f01bdcb8cdb2d65ad
+  #   kernel: CUSTOM
+  #   branch: main
diff --git a/ansible/environments/vm/hosts b/ansible/environments/vm/hosts
index 33382d9..afaa022 100644
--- a/ansible/environments/vm/hosts
+++ b/ansible/environments/vm/hosts
@@ -1,2 +1,9 @@
 [vm]
 poudriereodo ansible_user=builder ansible_host=10.213.177.12
+poudrieremrmanager ansible_user=root ansible_host=poudriere
+#
+# Put in ~/.ssh/config
+# Host poudriere
+#   ProxyJump talexander@mrmanager
+#   HostName 10.215.1.203
+#
diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml
index 4a1e174..74c3694 100644
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -1,4 +1,4 @@
-- hosts: all:!jail:!vm
+- hosts: all:!jail:!vm:!server
   vars:
     ansible_become: True
   roles:
@@ -49,15 +49,43 @@
     - docker
     - vscode
 
-- hosts: nat_dhcp:homeserver_nat_dhcp
+- hosts: nat_dhcp:homeserver_nat_dhcp:mrmanager_nat_dhcp
   vars:
     ansible_become: True
   roles:
     - jail_nat_dhcp
 
-- hosts: poudriereodo
+- hosts: poudriereodo:poudrieremrmanager
   vars:
     ansible_become: True
   roles:
+    - sudo # for poudboot script
+    - fstab
     - portshaker
     - poudriere
+    - poudrierenginx
+
+- hosts: mrmanager
+  vars:
+    ansible_become: True
+  roles:
+    - sudo
+    - doas
+    - users
+    - package_manager
+    - zfs
+    - zrepl
+    - zsh
+    - network
+    - sshd
+    - base
+    - firewall
+    - cpu
+    - ntp
+    - nvme
+    - hosts
+    - build
+    - devfs
+    - jail
+    - bhyve
+    - wireguard
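Review bot: `poudrieremrmanager ansible_user=root ansible_host=poudriere` makes Ansible log into the new VM as root over SSH, which requires `PermitRootLogin` on the guest's sshd and differs from the sibling entry `poudriereodo ansible_user=builder`. The play that targets this host already sets `ansible_become: True` and now installs the `sudo` role, so an unprivileged account works once it exists: `poudrieremrmanager ansible_user=builder ansible_host=poudriere`. If root was chosen only to bootstrap before a builder user is created (the `users` role is not in this play, so I cannot tell), record that in the inventory comment so root login is not left enabled permanently.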
diff --git a/ansible/roles/base/files/mrmanager_loader.conf b/ansible/roles/base/files/mrmanager_loader.conf new file mode 100644 index 0000000..6129b89 --- /dev/null +++ b/ansible/roles/base/files/mrmanager_loader.conf @@ -0,0 +1 @@ +zfs_load="YES" diff --git a/ansible/roles/base/files/mrmanager_rc.conf b/ansible/roles/base/files/mrmanager_rc.conf new file mode 100644 index 0000000..c6216ad --- /dev/null +++ b/ansible/roles/base/files/mrmanager_rc.conf @@ -0,0 +1,2 @@ +hostname="mrmanager" +zfs_enable="YES" diff --git a/ansible/roles/base/meta/main.yaml b/ansible/roles/base/meta/main.yaml new file mode 100644 index 0000000..44e74e2 --- /dev/null +++ b/ansible/roles/base/meta/main.yaml @@ -0,0 +1,2 @@ +dependencies: + - fstab diff --git a/ansible/roles/base/tasks/freebsd.yaml b/ansible/roles/base/tasks/freebsd.yaml index 5edd441..c0a464e 100644 --- a/ansible/roles/base/tasks/freebsd.yaml +++ b/ansible/roles/base/tasks/freebsd.yaml @@ -84,37 +84,6 @@ state: absent when: rc_conf is not defined -- name: Add fstab entries - mount: - name: "{{ item.dst }}" - src: "{{ item.src }}" - fstype: "{{ item.fstype }}" - opts: "{{ item.opts }}" - state: present - loop: - - dst: /tmp - src: tmpfs - fstype: tmpfs - opts: rw,mode=777 - - dst: /var/run - src: tmpfs - fstype: tmpfs - opts: rw,mode=755 - -- name: Add fstab entries - when: efi_dev is defined - mount: - name: "{{ item.dst }}" - src: "{{ item.src }}" - fstype: "{{ item.fstype }}" - opts: "{{ item.opts }}" - state: present - loop: - - dst: /boot/efi - src: "{{ efi_dev }}" - fstype: msdosfs - opts: rw - - name: Install scripts copy: src: "files/{{ item.src }}" diff --git a/ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash b/ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash index e6985cd..c009737 100644 --- a/ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash +++ b/ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash 
@@ -15,19 +15,38 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" # Enable Sound # bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp" +# Example usage: +# +# doas bhyve_netgraph_bridge create-disk zdata/vm/poudriere /vm/poudriere 10 +# doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere jail_nat 10.215.1.1/24 /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso +# doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere jail_nat 10.215.1.1/24 + +: ${CPU_CORES:="1"} +: ${MEMORY:="1G"} +: ${NETWORK:="NAT"} # or RAW +: ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks +: ${INTERFACE_NAME:="jail_nat"} # or the external interface like lagg0 for RAW networks +: ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks + function main { - if [ "$1" = "create-disk" ]; then - shift 1 + cmd="$1" + shift 1 + if [ "$cmd" = "create-disk" ]; then create_disk "${@}" - elif [ "$1" = "start" ]; then - shift 1 + elif [ "$cmd" = "start" ]; then start_vm "${@}" else - >&2 echo "Unrecognized command" - exit 1 + die 1 "Unrecognized command $cmd" fi } +function die { + local status_code="$1" + shift + (>&2 echo "${@}") + exit "$status_code" +} + function create_disk { zfs_path="$1" mount_path="$2" @@ -35,8 +54,12 @@ function create_disk { zfs create -o "mountpoint=$mount_path" "$zfs_path" cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/" tee "${mount_path}/settings" </dev/null 2>&1 } diff --git a/ansible/roles/bhyve/tasks/freebsd.yaml b/ansible/roles/bhyve/tasks/freebsd.yaml index 96ba2ba..363475c 100644 --- a/ansible/roles/bhyve/tasks/freebsd.yaml +++ b/ansible/roles/bhyve/tasks/freebsd.yaml 
@@ -31,18 +31,3 @@ mountpoint: "{{ bhyve_mountpoint }}" canmount: "{{ bhyve_canmount|default('noauto') }}" "ta:bemount": "{{ bhyve_bemount|default('on') }}" - -- name: Enable bhyve - community.general.sysrc: - name: "{{ item.name }}" - value: "{{ item.value }}" - path: /etc/rc.conf.d/vm - loop: - - name: vm_enable - value: "YES" - - name: vm_dir - value: "zfs:{{ bhyve_dataset }}" - - name: vm_list - value: "{{ bhyve_list|community.general.json_query('[?enabled==`true`].name')|join(' ') }}" - - name: vm_delay - value: "5" diff --git a/ansible/roles/cpu/files/amdtemp_loader.conf b/ansible/roles/cpu/files/amdtemp_loader.conf new file mode 100644 index 0000000..ccafa06 --- /dev/null +++ b/ansible/roles/cpu/files/amdtemp_loader.conf @@ -0,0 +1,2 @@ +# Read CPU temperature on AMD CPUs. +amdtemp_load="YES" diff --git a/ansible/roles/cpu/files/power_profile.conf b/ansible/roles/cpu/files/power_profile_rc.conf similarity index 100% rename from ansible/roles/cpu/files/power_profile.conf rename to ansible/roles/cpu/files/power_profile_rc.conf diff --git a/ansible/roles/cpu/tasks/freebsd_amd.yaml b/ansible/roles/cpu/tasks/freebsd_amd.yaml new file mode 100644 index 0000000..e48a76e --- /dev/null +++ b/ansible/roles/cpu/tasks/freebsd_amd.yaml @@ -0,0 +1,29 @@ +- name: Install loader.conf + copy: + src: "files/{{ item }}_loader.conf" + dest: "/boot/loader.conf.d/{{ item }}.conf" + mode: 0644 + owner: root + group: wheel + loop: + - amdtemp + +- name: Install service configuration + copy: + src: "files/{{ item }}_rc.conf" + dest: "/etc/rc.conf.d/{{ item }}" + mode: 0644 + owner: root + group: wheel + loop: + - power_profile + +- name: Install loader.conf + copy: + src: "files/{{ item }}_loader.conf" + dest: "/boot/loader.conf.d/{{ item }}.conf" + mode: 0644 + owner: root + group: wheel + loop: + - aesni diff --git a/ansible/roles/cpu/tasks/freebsd_intel.yaml b/ansible/roles/cpu/tasks/freebsd_intel.yaml index 6f88399..adadda8 100644 --- a/ansible/roles/cpu/tasks/freebsd_intel.yaml 
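Review bot: `freebsd_amd.yaml` defines two tasks both named `Install loader.conf` that run the same `copy` with one-item loops (`amdtemp`, `aesni`); this yields duplicate task names in play output and diverges from `freebsd_intel.yaml`, where the equivalent loop lists `cpuctl` and `aesni` in a single task. Merge them into one task with `loop:` / `  - amdtemp` / `  - aesni`. `aesni_loader.conf` is not added by this diff, so it is presumably already present in `files/` for the Intel path; confirm before merging.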
+++ b/ansible/roles/cpu/tasks/freebsd_intel.yaml @@ -17,16 +17,15 @@ - cpuctl - aesni -- name: Install Configuration +- name: Install service configuration copy: - src: "files/{{ item.src }}" - dest: "{{ item.dest }}" + src: "files/{{ item }}_rc.conf" + dest: "/etc/rc.conf.d/{{ item }}" mode: 0644 owner: root group: wheel loop: - - src: power_profile.conf - dest: /etc/rc.conf.d/power_profile + - power_profile - name: Install packages when: hwpstate is defined and not hwpstate diff --git a/ansible/roles/devfs/files/mrmanager_devfs.rules b/ansible/roles/devfs/files/mrmanager_devfs.rules new file mode 100644 index 0000000..adeaa53 --- /dev/null +++ b/ansible/roles/devfs/files/mrmanager_devfs.rules @@ -0,0 +1,5 @@ +[tajaildhcp=14] +add include $devfsrules_hide_all +add include $devfsrules_unhide_basic +add include $devfsrules_unhide_login +add path 'bpf*' unhide diff --git a/ansible/roles/doas/tasks/common.yaml b/ansible/roles/doas/tasks/common.yaml index 9f00756..265f543 100644 --- a/ansible/roles/doas/tasks/common.yaml +++ b/ansible/roles/doas/tasks/common.yaml @@ -9,13 +9,3 @@ - import_tasks: tasks/linux.yaml when: 'os_flavor == "linux"' - -- include_tasks: - file: tasks/peruser.yaml - apply: - become: yes - become_user: "{{ initialize_user }}" - when: users is defined - loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}" - loop_control: - loop_var: initialize_user diff --git a/ansible/roles/firewall/files/mrmanager_pf.conf b/ansible/roles/firewall/files/mrmanager_pf.conf new file mode 100644 index 0000000..c8a9680 --- /dev/null +++ b/ansible/roles/firewall/files/mrmanager_pf.conf 
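Review bot: `add path 'bpf*' unhide` in ruleset `[tajaildhcp=14]` gives the DHCP jail raw frame capture and injection through bpf(4); unless the jail is a VNET jail, bpf inside a jail is not scoped to the jail's own addresses, so the jail could sniff and inject on every host interface including the public lagg0. Kea only needs bpf for the interface it serves, so either run this jail as VNET (bpf then only sees the jail's interfaces) or document why that is acceptable with a comment such as `# bpf required by kea-dhcp4 raw sockets; jail must be VNET so bpf is limited to its own interface`. Whether the nat_dhcp jail is configured with vnet is not visible in this diff.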
@@ -0,0 +1,41 @@
+ext_if = "lagg0"
+not_ext_if = "{ !lagg0 }"
+jail_nat_v4 = "{ 10.215.1.0/24 }"
+not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
+
+dhcp = "{ bootpc, bootps }"
+allow = "{ colo }"
+
+tcp_pass_in = "{ 22 }"
+udp_pass_in = "{ 53 51820 51821 51822 }"
+
+# Rules must be in order: options, normalization, queueing, translation, filtering
+
+# options
+set skip on lo
+
+# redirections
+nat pass on lagg0 inet from $jail_nat_v4 to $not_jail_nat_v4 -> (lagg0)
+nat pass on $not_ext_if inet from $jail_nat_v4 to 10.215.1.1 port 53 -> ($ext_if)
+rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53
+
+# filtering
+block log all
+pass out on $ext_if
+
+pass in on jail_nat
+# Allow traffic from my machine to the jails/virtual machines
+pass out on jail_nat from $jail_nat_v4
+
+# We pass on the interfaces listed in allow rather than skipping on
+# them because changes to pass rules will update when running a
+# `service pf reload` but interfaces that we `skip` will not update (I
+# forget if its from adding, removing, or both. TODO: test to figure
+# it out). Also skipped interfaces are not subject to nat/rdr rules.
+pass quick on $allow
+
+pass on $ext_if proto icmp all
+pass on $ext_if proto icmp6 all
+
+pass in on $ext_if proto tcp to any port $tcp_pass_in
+pass in on $ext_if proto udp to any port $udp_pass_in
diff --git a/ansible/roles/fstab/tasks/common.yaml b/ansible/roles/fstab/tasks/common.yaml
new file mode 100644
index 0000000..fef1101
--- /dev/null
+++ b/ansible/roles/fstab/tasks/common.yaml
@@ -0,0 +1,15 @@
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user
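Review bot: `pass in on $ext_if proto tcp to any port $tcp_pass_in` opens sshd on the public lagg0 address to the entire Internet with no connection-rate limit, even though the host also has a WireGuard interface (`colo`) that `pass quick on $allow` already admits unconditionally. If public SSH is needed as a break-glass path, add a brute-force limiter: `table <bruteforce> persist` / `block in quick from <bruteforce>` / `pass in on $ext_if proto tcp to any port $tcp_pass_in keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)`; otherwise drop 22 from `tcp_pass_in` and reach the host through the tunnel. The same question applies to `53` in `udp_pass_in`: nothing in this change shows a resolver bound on lagg0 (jail DNS is rdr'd to 1.1.1.1 on the internal side), so if one does listen there this is an open resolver on a public IP and should be limited to `$jail_nat_v4` and the WireGuard peers, and if none does the port should be removed. `$dhcp` is defined but never referenced.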
diff --git a/ansible/roles/fstab/tasks/freebsd.yaml b/ansible/roles/fstab/tasks/freebsd.yaml new file mode 100644 index 0000000..9b5cc70 --- /dev/null +++ b/ansible/roles/fstab/tasks/freebsd.yaml @@ -0,0 +1,31 @@ +- name: Add fstab entries + mount: + name: "{{ item.dst }}" + src: "{{ item.src }}" + fstype: "{{ item.fstype }}" + opts: "{{ item.opts }}" + state: present + loop: + - dst: /tmp + src: tmpfs + fstype: tmpfs + opts: rw,mode=777 + - dst: /var/run + src: tmpfs + fstype: tmpfs + opts: rw,mode=755 + +- name: Add fstab entries + when: efi_dev is defined + mount: + name: "{{ item.dst }}" + src: "{{ item.src }}" + fstype: "{{ item.fstype }}" + opts: "{{ item.opts }}" + state: present + loop: + - dst: /boot/efi + src: "{{ efi_dev }}" + fstype: msdosfs + opts: rw + diff --git a/ansible/roles/fstab/tasks/linux.yaml b/ansible/roles/fstab/tasks/linux.yaml new file mode 100644 index 0000000..43ba876 --- /dev/null +++ b/ansible/roles/fstab/tasks/linux.yaml @@ -0,0 +1,29 @@ +# - name: Build aur packages +# register: buildaur +# become_user: "{{ build_user.name }}" +# command: "aurutils-sync --no-view {{ item }}" +# args: +# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*" +# loop: +# - foo + +# - name: Update cache +# when: buildaur.changed +# pacman: +# name: [] +# state: present +# update_cache: true + +# - name: Install packages +# package: +# name: +# - foo +# state: present + +# - name: Enable services +# systemd: +# enabled: yes +# name: "{{ item }}" +# daemon_reload: yes +# loop: +# - foo.service diff --git a/ansible/roles/fstab/tasks/main.yaml b/ansible/roles/fstab/tasks/main.yaml new file mode 100644 index 0000000..6805b9d --- /dev/null +++ b/ansible/roles/fstab/tasks/main.yaml @@ -0,0 +1,2 @@ +- import_tasks: tasks/common.yaml + # when: foo is defined 
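Review bot: `opts: rw,mode=777` for the `/tmp` tmpfs creates a world-writable directory without the sticky bit, so any local user can delete or rename other users' files in /tmp (root's included) and symlink-race attacks on predictable temp file names become easier; FreeBSD's tmpfs example for /tmp uses `mode=1777` for exactly this reason. Change the entry to `opts: rw,mode=1777`. This task is a move from the base role, so the flaw predates this commit, but the new fstab role is the right place to correct it.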
diff --git a/ansible/roles/doas/tasks/peruser.yaml b/ansible/roles/fstab/tasks/peruser.yaml similarity index 100% rename from ansible/roles/doas/tasks/peruser.yaml rename to ansible/roles/fstab/tasks/peruser.yaml diff --git a/ansible/roles/doas/tasks/peruser_freebsd.yaml b/ansible/roles/fstab/tasks/peruser_freebsd.yaml similarity index 100% rename from ansible/roles/doas/tasks/peruser_freebsd.yaml rename to ansible/roles/fstab/tasks/peruser_freebsd.yaml diff --git a/ansible/roles/doas/tasks/peruser_linux.yaml b/ansible/roles/fstab/tasks/peruser_linux.yaml similarity index 100% rename from ansible/roles/doas/tasks/peruser_linux.yaml rename to ansible/roles/fstab/tasks/peruser_linux.yaml diff --git a/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf b/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf index d39ed58..5706e53 100644 --- a/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf +++ b/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf @@ -23,6 +23,11 @@ // unifi controller "hw-address": "06:40:9f:d7:be:a6", "ip-address": "10.215.1.202" + }, + { + // poudriere + "hw-address": "06:8f:24:d6:21:24", + "ip-address": "10.215.1.203" } ] } diff --git a/ansible/roles/network/files/mrmanager_network.conf b/ansible/roles/network/files/mrmanager_network.conf new file mode 100644 index 0000000..4d2ae08 --- /dev/null +++ b/ansible/roles/network/files/mrmanager_network.conf @@ -0,0 +1,5 @@ +cloned_interfaces="lagg0" +ifconfig_igb0="up" +ifconfig_igb1="up" +ifconfig_lagg0="up laggproto failover laggport igb0 laggport igb1" +ifconfig_lagg0_alias0="inet 74.80.180.138 netmask 255.255.255.248" diff --git a/ansible/roles/network/files/mrmanager_routing.conf b/ansible/roles/network/files/mrmanager_routing.conf new file mode 100644 index 0000000..45a1d23 --- /dev/null +++ b/ansible/roles/network/files/mrmanager_routing.conf @@ -0,0 +1,3 @@ +defaultrouter="74.80.180.137" +gateway_enable="YES" +ipv6_gateway_enable="YES" 
diff --git a/ansible/roles/network/tasks/freebsd.yaml b/ansible/roles/network/tasks/freebsd.yaml index 49de8b2..b7c0996 100644 --- a/ansible/roles/network/tasks/freebsd.yaml +++ b/ansible/roles/network/tasks/freebsd.yaml @@ -11,6 +11,18 @@ - src: "{{ network_rc }}" dest: /etc/rc.conf.d/network +- name: Install configuration + copy: + src: "files/{{ item.src }}" + dest: "{{ item.dest }}" + mode: 0644 + owner: root + group: wheel + when: routing_rc is defined + loop: + - src: "{{ routing_rc }}" + dest: /etc/rc.conf.d/routing + - name: Install configuration copy: src: "files/{{ item.src }}" diff --git a/ansible/roles/portshaker/files/portshaker.conf b/ansible/roles/portshaker/files/portshaker.conf index 0f92d26..7b7f1b8 100644 --- a/ansible/roles/portshaker/files/portshaker.conf +++ b/ansible/roles/portshaker/files/portshaker.conf @@ -5,4 +5,5 @@ mirror_base_dir="/var/cache/portshaker" ports_trees="main" main_ports_tree="/usr/local/portshaker/trees/main" -main_merge_from="freebsd myrepo" +# main_merge_from="freebsd myrepo" +main_merge_from="freebsd" diff --git a/ansible/roles/poudriere/files/poudriere.conf b/ansible/roles/poudriere/files/poudriere.conf index 8b0e368..9d3f4bb 100644 --- a/ansible/roles/poudriere/files/poudriere.conf +++ b/ansible/roles/poudriere/files/poudriere.conf @@ -10,15 +10,16 @@ # poudriere. # #ZPOOL=zroot -ZPOOL=zroot +# ZPOOL=zroot ### NO ZFS # To not use ZFS, define NO_ZFS=yes #NO_ZFS=yes +NO_ZFS=yes # root of the poudriere zfs filesystem, by default /poudriere # ZROOTFS=/poudriere -ZROOTFS=/poudriere +# ZROOTFS=/poudriere # the host where to download sets for the jails setup # You can specify here a host or an IP @@ -73,7 +74,7 @@ USE_TMPFS=all # How much memory to limit tmpfs size to for *each builder* in GiB # (default: none) #TMPFS_LIMIT=8 -TMPFS_LIMIT=16 +TMPFS_LIMIT=32 # How much memory to limit jail processes to for *each builder* # in GiB (default: none) 
@@ -196,7 +197,7 @@ PARALLEL_JOBS=1 # If set, failed builds will save the WRKDIR to ${POUDRIERE_DATA}/wrkdirs # SAVE_WRKDIR=yes -# Choose the default format for the workdir packing: could be tar,tgz,tbz,txz +# Choose the default format for the workdir packing: could be tar,tgz,tbz,txz,tzst # default is tbz # WRKDIR_ARCHIVE_FORMAT=tbz WRKDIR_ARCHIVE_FORMAT=txz diff --git a/ansible/roles/poudriere/files/poudriere.d/13amd64-default-framework-make.conf b/ansible/roles/poudriere/files/poudriere.d/13amd64-default-framework-make.conf index 38a4330..770e0ce 100644 --- a/ansible/roles/poudriere/files/poudriere.d/13amd64-default-framework-make.conf +++ b/ansible/roles/poudriere/files/poudriere.d/13amd64-default-framework-make.conf @@ -6,10 +6,8 @@ # # Example from bottom of /usr/share/examples/etc/make.conf .if ${.CURDIR:N*/lang/gcc48*} && ${.CURDIR:N*/lang/gcc10*} && ${.CURDIR:N*/textproc/ripgrep*} && ${.CURDIR:N*/www/firefox*} -# Disabling tigerlake optimizations because qemu's TCG does not support avx512 -# -#CPUTYPE?=tigerlake -CPUTYPE?=x86-64-v3 +CPUTYPE?=tigerlake +#CPUTYPE?=x86-64-v3 .endif OPTIMIZED_CFLAGS=YES BUILD_OPTIMIZED=YES diff --git a/ansible/roles/poudriere/files/poudriere.d/13amd64-default-framework-pkglist b/ansible/roles/poudriere/files/poudriere.d/13amd64-default-framework-pkglist new file mode 100644 index 0000000..78ee554 --- /dev/null +++ b/ansible/roles/poudriere/files/poudriere.d/13amd64-default-framework-pkglist 
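Review bot: re-enabling `CPUTYPE?=tigerlake` compiles every port with `-march=tigerlake`, which is only safe if the builder (a bhyve VM on `mrmanager`, whose host_vars declare `cputype: "amd"`) can actually execute those instructions, because many ports run freshly built helpers and test suites during the build and those will SIGILL on a CPU without AVX-512. The removed comment explained why x86-64-v3 was chosen under qemu; replace it with the new rationale rather than leaving the alternative commented out silently, e.g. `# tigerlake needs an AVX-512 capable build host; x86-64-v3 is the portable fallback`. I cannot see the VM's CPU exposure from this diff, so check `dmesg | grep AVX512F` inside the builder before relying on this.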
@@ -0,0 +1,131 @@ +archivers/unrar +archivers/unzip +archivers/zip +audio/mixertui +databases/sqlite3 +deskutils/xdg-desktop-portal +devel/git +devel/gmake +devel/hs-ShellCheck +devel/libccid +devel/libnotify +devel/py-black +devel/py-isort +devel/py-jmespath +devel/py-ptvsd +devel/py-yamllint +devel/pyenv +dns/coredns +editors/emacs +editors/mg +ftp/wget +graphics/drm-kmod +graphics/evince +graphics/gimp +graphics/graphviz +graphics/igt-gpu-tools +graphics/imv +graphics/inkscape +graphics/qt5-wayland +graphics/vulkan-loader +graphics/vulkan-tools +graphics/vulkan-validation-layers +lang/python +lang/rust-nightly +math/gnuplot +multimedia/libva-intel-driver +multimedia/libva-intel-media-driver +multimedia/libva-utils +multimedia/libvdpau-va-gl +multimedia/mpv +multimedia/pwcview +multimedia/v4l_compat +multimedia/v4l-utils +multimedia/vdpauinfo +multimedia/webcamd +multimedia/wf-recorder +net-mgmt/arpscan +net-mgmt/ipcalc +net/google-cloud-sdk +net/rsync +net/tcpdump +net/wireguard +net/wlvncc +ports-mgmt/pkg +ports-mgmt/pkg-provides +ports-mgmt/portshaker +ports-mgmt/poudriere +print/texlive-full +security/doas +security/git-crypt +security/gnupg +security/libfido2 +security/openvpn +security/pcsc-tools +security/pinentry +security/pinentry-qt5 +security/sops +security/sudo +security/u2f-devd +shells/bash +shells/zsh +sysutils/ansible +sysutils/ansible-sshjail +sysutils/bhyve-firmware +sysutils/btop +sysutils/ddrescue +sysutils/dsbmd +sysutils/exfat-utils +sysutils/flock +sysutils/fusefs-exfat +sysutils/fusefs-simple-mtpfs +sysutils/fusefs-sshfs +sysutils/helm +sysutils/htop +sysutils/kubectl +sysutils/lscpu +sysutils/lsof +sysutils/moreutils +sysutils/ncdu +sysutils/nvme-cli +sysutils/powermon +sysutils/pstree +sysutils/pv +sysutils/rust-coreutils +sysutils/tmux +sysutils/tree +sysutils/zrepl +textproc/aspell +textproc/colordiff +textproc/en-aspell +textproc/gsed +textproc/jq +textproc/kdiff3 +textproc/py-pygments +textproc/ripgrep +www/firefox +x11-fm/pcmanfm 
+x11-fonts/cascadia-code +x11-fonts/noto +x11-fonts/noto-emoji +x11-fonts/noto-extra +x11-fonts/source-sans-ttf +x11-fonts/sourcecodepro-ttf +x11-wm/sway +x11/alacritty +x11/grim +x11/kanshi +x11/mako +x11/slurp +x11/swaybg +x11/swayidle +x11/swaylock +x11/waybar +x11/wev +x11/wlogout +x11/wofi +x11/wtype +x11/xauth +x11/xdg-desktop-portal-wlr +x11/xeyes +x11/xhost diff --git a/ansible/roles/poudriere/tasks/freebsd.yaml b/ansible/roles/poudriere/tasks/freebsd.yaml index 5675cc0..2a83c36 100644 --- a/ansible/roles/poudriere/tasks/freebsd.yaml +++ b/ansible/roles/poudriere/tasks/freebsd.yaml @@ -37,7 +37,7 @@ owner: root group: wheel loop: - # - /usr/ports/distfiles + - /usr/ports/distfiles - /opt/poudriere/build_configs - /usr/local/poudriere/data/logs/bulk @@ -56,15 +56,15 @@ # - src: poudriere_deploy_ed25519 # dest: /usr/local/etc/poudriere.d/poudriere_deploy_ed25519 -# - name: Install Configuration directory -# copy: -# src: "files/{{ item.src }}" -# dest: "{{ item.dest }}" -# owner: root -# group: wheel -# loop: -# - src: poudriere.d -# dest: /usr/local/etc/ +- name: Install Configuration directory + copy: + src: "files/{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + group: wheel + loop: + - src: poudriere.d + dest: /usr/local/etc/ - name: Install scripts copy: diff --git a/ansible/roles/poudrierenginx/files/headers.include b/ansible/roles/poudrierenginx/files/headers.include new file mode 100644 index 0000000..ffb49b9 --- /dev/null +++ b/ansible/roles/poudrierenginx/files/headers.include 
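Review bot: the re-enabled `Install Configuration directory` task copies `files/poudriere.d` recursively into `/usr/local/etc/` without `mode` or `directory_mode`, so every file in it is created with permissions derived from the controller's copy rather than an explicit value. That matters because the commented-out task just above targets `poudriere.d/poudriere_deploy_ed25519`, i.e. a signing key is intended to live in this directory; set `mode: 0644` and `directory_mode: 0755` on the directory copy and install any key in its own task with `mode: 0600`. Whether a key currently exists under `files/poudriere.d` is not visible from this diff.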
@@ -0,0 +1,12 @@
+# Enable HTTP Strict Transport Security (HSTS) to force clients to
+# always connect via HTTPS (do not use if only testing)
+add_header Strict-Transport-Security "max-age=31536000;" always;
+# Enable cross-site filter (XSS) and tell browser to block detected
+# attacks
+add_header X-XSS-Protection "1; mode=block" always;
+# Prevent some browsers from MIME-sniffing a response away from the
+# declared Content-Type
+add_header X-Content-Type-Options "nosniff" always;
+# Disallow the site to be rendered within a frame (clickjacking
+# protection)
+add_header X-Frame-Options "DENY" always;
diff --git a/ansible/roles/poudrierenginx/files/newsyslog.conf b/ansible/roles/poudrierenginx/files/newsyslog.conf
new file mode 100644
index 0000000..78a612b
--- /dev/null
+++ b/ansible/roles/poudrierenginx/files/newsyslog.conf
@@ -0,0 +1,2 @@
+# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
+/var/log/nginx/*.log 640 5 1000 @T00 GYC /var/run/nginx.pid SIGUSR1
diff --git a/ansible/roles/poudrierenginx/files/nginx.conf b/ansible/roles/poudrierenginx/files/nginx.conf
new file mode 100644
index 0000000..68d7568
--- /dev/null
+++ b/ansible/roles/poudrierenginx/files/nginx.conf
@@ -0,0 +1,34 @@
+worker_processes auto;
+user www www;
+
+events {
+  worker_connections 1024;
+}
+
+http {
+  include mime.types;
+  default_type application/octet-stream;
+
+  sendfile on;
+  tcp_nopush on;
+  tcp_nodelay on;
+  gzip on;
+
+  include conf.d/headers.include;
+
+  server {
+    listen 8080 default;
+    listen [::]:8080;
+    server_name freebsdpkg.fizz.buzz;
+
+    location / {
+      root /usr/local/share/poudriere/html;
+      index index.html index.htm;
+    }
+
+    location /data {
+      alias /usr/local/poudriere/data/logs/bulk;
+      autoindex on;
+    }
+  }
+}
diff --git a/ansible/roles/poudrierenginx/files/rc.conf b/ansible/roles/poudrierenginx/files/rc.conf
new file mode 100644
index 0000000..c104d8b
--- /dev/null
+++ b/ansible/roles/poudrierenginx/files/rc.conf
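Review bot: `add_header Strict-Transport-Security "max-age=31536000;" always;` is emitted by a server that, in the accompanying nginx.conf, listens only on plain `8080` with no `ssl` directive; browsers ignore HSTS received over HTTP (RFC 6797 §8.1), so here the header is a no-op, and if a reverse proxy terminates TLS in front of this host it is that proxy that must send HSTS. `X-XSS-Protection` is deprecated and ignored by current browsers; keep it if you like but mark it `# legacy header; modern browsers ignore it`. Also worth a comment: `add_header` lines in the `http` block are inherited only by `location` blocks that declare no `add_header` of their own, so adding one later silently drops all of these.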
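Review bot: `location /data` together with `alias /usr/local/poudriere/data/logs/bulk` (no trailing slash on either) is the classic nginx alias path-traversal misconfiguration: nginx substitutes the matched prefix with the alias, so a request for `/data../` maps to `/usr/local/poudriere/data/logs/bulk../`, i.e. `/usr/local/poudriere/data/logs/`, and `/data../../` climbs further; with `autoindex on` those parent directories are listable and every readable file under them is served. Fix by terminating both with a slash: `location /data/ {` and `alias /usr/local/poudriere/data/logs/bulk/;`. Separately, because the server speaks only plain HTTP on 8080, pkg(8) clients depend entirely on repository signing for integrity; that is acceptable for a signed repo but should be stated in a comment next to the `listen` lines.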
@@ -0,0 +1 @@ +nginx_enable="YES" diff --git a/ansible/roles/poudrierenginx/meta/main.yaml b/ansible/roles/poudrierenginx/meta/main.yaml new file mode 100644 index 0000000..ecea872 --- /dev/null +++ b/ansible/roles/poudrierenginx/meta/main.yaml @@ -0,0 +1,2 @@ +dependencies: + - syslog diff --git a/ansible/roles/poudrierenginx/tasks/common.yaml b/ansible/roles/poudrierenginx/tasks/common.yaml new file mode 100644 index 0000000..fef1101 --- /dev/null +++ b/ansible/roles/poudrierenginx/tasks/common.yaml @@ -0,0 +1,15 @@ +- import_tasks: tasks/freebsd.yaml + when: 'os_flavor == "freebsd"' + +- import_tasks: tasks/linux.yaml + when: 'os_flavor == "linux"' + +- include_tasks: + file: tasks/peruser.yaml + apply: + become: yes + become_user: "{{ initialize_user }}" + when: users is defined + loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}" + loop_control: + loop_var: initialize_user diff --git a/ansible/roles/poudrierenginx/tasks/freebsd.yaml b/ansible/roles/poudrierenginx/tasks/freebsd.yaml new file mode 100644 index 0000000..4777d27 --- /dev/null +++ b/ansible/roles/poudrierenginx/tasks/freebsd.yaml 
@@ -0,0 +1,54 @@ +- name: Create www group + group: + name: www + +- name: Create www user + user: + name: www + home: /srv/http + createhome: false + group: www + +- name: Install packages + package: + name: + - nginx + state: present + +- name: Create root directories + file: + name: "{{ item }}" + state: directory + mode: 0755 + owner: root + group: wheel + loop: + - /srv + - /usr/local/etc/nginx/conf.d + +# validate fails because nginx config relies on a local mime.types +- name: Install Configuration + copy: + src: "files/{{ item.src }}" + dest: "{{ item.dest }}" + mode: 0644 + owner: root + group: wheel + loop: + - src: rc.conf + dest: /etc/rc.conf.d/nginx + - src: nginx.conf + dest: /usr/local/etc/nginx/nginx.conf + - src: headers.include + dest: /usr/local/etc/nginx/conf.d/headers.include + +- name: Install newsyslog configuration + copy: + src: "files/{{ item.src }}" + dest: "{{ item.dest }}" + mode: 0600 + owner: root + group: wheel + loop: + - src: newsyslog.conf + dest: /usr/local/etc/newsyslog.conf.d/nginx.conf diff --git a/ansible/roles/poudrierenginx/tasks/linux.yaml b/ansible/roles/poudrierenginx/tasks/linux.yaml new file mode 100644 index 0000000..43ba876 --- /dev/null +++ b/ansible/roles/poudrierenginx/tasks/linux.yaml @@ -0,0 +1,29 @@ +# - name: Build aur packages +# register: buildaur +# become_user: "{{ build_user.name }}" +# command: "aurutils-sync --no-view {{ item }}" +# args: +# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*" +# loop: +# - foo + +# - name: Update cache +# when: buildaur.changed +# pacman: +# name: [] +# state: present +# update_cache: true + +# - name: Install packages +# package: +# name: +# - foo +# state: present + +# - name: Enable services +# systemd: +# enabled: yes +# name: "{{ item }}" +# daemon_reload: yes +# loop: +# - foo.service diff --git a/ansible/roles/poudrierenginx/tasks/main.yaml b/ansible/roles/poudrierenginx/tasks/main.yaml new file mode 100644 index 0000000..6805b9d --- /dev/null 
+++ b/ansible/roles/poudrierenginx/tasks/main.yaml @@ -0,0 +1,2 @@ +- import_tasks: tasks/common.yaml + # when: foo is defined diff --git a/ansible/roles/poudrierenginx/tasks/peruser.yaml b/ansible/roles/poudrierenginx/tasks/peruser.yaml new file mode 100644 index 0000000..111e886 --- /dev/null +++ b/ansible/roles/poudrierenginx/tasks/peruser.yaml @@ -0,0 +1,29 @@ +- include_role: + name: per_user + +# - name: Create directories +# file: +# name: "{{ account_homedir.stdout }}/{{ item }}" +# state: directory +# mode: 0700 +# owner: "{{ account_name.stdout }}" +# group: "{{ group_name.stdout }}" +# loop: +# - ".config/foo" + +# - name: Copy files +# copy: +# src: "files/{{ item.src }}" +# dest: "{{ account_homedir.stdout }}/{{ item.dest }}" +# mode: 0600 +# owner: "{{ account_name.stdout }}" +# group: "{{ group_name.stdout }}" +# loop: +# - src: foo.conf +# dest: .config/foo/foo.conf + +- import_tasks: tasks/peruser_freebsd.yaml + when: 'os_flavor == "freebsd"' + +- import_tasks: tasks/peruser_linux.yaml + when: 'os_flavor == "linux"' diff --git a/ansible/roles/poudrierenginx/tasks/peruser_freebsd.yaml b/ansible/roles/poudrierenginx/tasks/peruser_freebsd.yaml new file mode 100644 index 0000000..e69de29 diff --git a/ansible/roles/poudrierenginx/tasks/peruser_linux.yaml b/ansible/roles/poudrierenginx/tasks/peruser_linux.yaml new file mode 100644 index 0000000..e69de29 diff --git a/ansible/roles/syslog/files/syslogd_rc.conf b/ansible/roles/syslog/files/syslogd_rc.conf new file mode 100644 index 0000000..7376416 --- /dev/null +++ b/ansible/roles/syslog/files/syslogd_rc.conf @@ -0,0 +1,5 @@ +# One -s disables connections from remote machines, two disables +# network entirely which blocks logging to remote machines + +syslogd_enable="YES" +syslogd_flags="-ss -v -v" diff --git a/ansible/roles/syslog/tasks/common.yaml b/ansible/roles/syslog/tasks/common.yaml new file mode 100644 index 0000000..fef1101 --- /dev/null +++ b/ansible/roles/syslog/tasks/common.yaml 
@@ -0,0 +1,15 @@ +- import_tasks: tasks/freebsd.yaml + when: 'os_flavor == "freebsd"' + +- import_tasks: tasks/linux.yaml + when: 'os_flavor == "linux"' + +- include_tasks: + file: tasks/peruser.yaml + apply: + become: yes + become_user: "{{ initialize_user }}" + when: users is defined + loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}" + loop_control: + loop_var: initialize_user diff --git a/ansible/roles/syslog/tasks/freebsd.yaml b/ansible/roles/syslog/tasks/freebsd.yaml new file mode 100644 index 0000000..4c83ffc --- /dev/null +++ b/ansible/roles/syslog/tasks/freebsd.yaml @@ -0,0 +1,19 @@ +- name: Create directories + file: + name: "{{ item }}" + state: directory + mode: 0755 + owner: root + group: wheel + loop: + - /usr/local/etc/newsyslog.conf.d + +- name: Install service configuration + copy: + src: "files/{{ item }}_rc.conf" + dest: "/etc/rc.conf.d/{{ item }}" + mode: 0644 + owner: root + group: wheel + loop: + - syslogd diff --git a/ansible/roles/syslog/tasks/linux.yaml b/ansible/roles/syslog/tasks/linux.yaml new file mode 100644 index 0000000..43ba876 --- /dev/null +++ b/ansible/roles/syslog/tasks/linux.yaml @@ -0,0 +1,29 @@ +# - name: Build aur packages +# register: buildaur +# become_user: "{{ build_user.name }}" +# command: "aurutils-sync --no-view {{ item }}" +# args: +# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*" +# loop: +# - foo + +# - name: Update cache +# when: buildaur.changed +# pacman: +# name: [] +# state: present +# update_cache: true + +# - name: Install packages +# package: +# name: +# - foo +# state: present + +# - name: Enable services +# systemd: +# enabled: yes +# name: "{{ item }}" +# daemon_reload: yes +# loop: +# - foo.service diff --git a/ansible/roles/syslog/tasks/main.yaml b/ansible/roles/syslog/tasks/main.yaml new file mode 100644 index 0000000..6805b9d --- /dev/null +++ b/ansible/roles/syslog/tasks/main.yaml 
@@ -0,0 +1,2 @@ +- import_tasks: tasks/common.yaml + # when: foo is defined diff --git a/ansible/roles/syslog/tasks/peruser.yaml b/ansible/roles/syslog/tasks/peruser.yaml new file mode 100644 index 0000000..111e886 --- /dev/null +++ b/ansible/roles/syslog/tasks/peruser.yaml @@ -0,0 +1,29 @@ +- include_role: + name: per_user + +# - name: Create directories +# file: +# name: "{{ account_homedir.stdout }}/{{ item }}" +# state: directory +# mode: 0700 +# owner: "{{ account_name.stdout }}" +# group: "{{ group_name.stdout }}" +# loop: +# - ".config/foo" + +# - name: Copy files +# copy: +# src: "files/{{ item.src }}" +# dest: "{{ account_homedir.stdout }}/{{ item.dest }}" +# mode: 0600 +# owner: "{{ account_name.stdout }}" +# group: "{{ group_name.stdout }}" +# loop: +# - src: foo.conf +# dest: .config/foo/foo.conf + +- import_tasks: tasks/peruser_freebsd.yaml + when: 'os_flavor == "freebsd"' + +- import_tasks: tasks/peruser_linux.yaml + when: 'os_flavor == "linux"' diff --git a/ansible/roles/syslog/tasks/peruser_freebsd.yaml b/ansible/roles/syslog/tasks/peruser_freebsd.yaml new file mode 100644 index 0000000..e69de29 diff --git a/ansible/roles/syslog/tasks/peruser_linux.yaml b/ansible/roles/syslog/tasks/peruser_linux.yaml new file mode 100644 index 0000000..e69de29 diff --git a/ansible/roles/users/defaults/main.yaml b/ansible/roles/users/defaults/main.yaml index a4fa82f..8390d5c 100644 --- a/ansible/roles/users/defaults/main.yaml +++ b/ansible/roles/users/defaults/main.yaml @@ -9,4 +9,3 @@ users: - yubikey - main_fido - backup_fido - - homeassistant diff --git a/ansible/roles/wireguard/files/wireguard_configs/mrmanager/colo.conf b/ansible/roles/wireguard/files/wireguard_configs/mrmanager/colo.conf new file mode 100644 index 0000000..8ada5a6 Binary files /dev/null and b/ansible/roles/wireguard/files/wireguard_configs/mrmanager/colo.conf differ diff --git a/ansible/run.bash b/ansible/run.bash index 2d7eba8..0a80592 100755 --- a/ansible/run.bash +++ b/ansible/run.bash 
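Review bot: `wireguard_configs/mrmanager/colo.conf` is recorded as "Binary files differ"; a WireGuard config is plain text holding a `PrivateKey`, so this is presumably git-crypt encrypted (git-crypt is in the pkglist) rather than a genuine binary. Before pushing, confirm the path matches a `filter=git-crypt` pattern in `.gitattributes`, e.g. `git-crypt status ansible/roles/wireguard/files/wireguard_configs/mrmanager/colo.conf` should report it as encrypted; if it is not covered, the tunnel private key is in the history in clear and must be rotated, not just deleted. That check is outside what this diff shows.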
@@ -28,6 +28,12 @@ elif [ "$target" = "jail_homeserver_nat_dhcp" ]; then ansible-playbook -v -i environments/jail playbook.yaml --diff --limit homeserver_nat_dhcp "${@}" elif [ "$target" = "vm_poudriereodo" ]; then ansible-playbook -v -i environments/vm playbook.yaml --diff --limit poudriereodo "${@}" +elif [ "$target" = "vm_poudrieremrmanager" ]; then + ansible-playbook -v -i environments/vm playbook.yaml --diff --limit poudrieremrmanager "${@}" +elif [ "$target" = "mrmanager" ]; then + ansible-playbook -v -i environments/colo playbook.yaml --diff --limit mrmanager "${@}" +elif [ "$target" = "jail_mrmanager_nat_dhcp" ]; then + ansible-playbook -v -i environments/jail playbook.yaml --diff --limit mrmanager_nat_dhcp "${@}" else die 1 "Unrecognized target" fi