Merge branch 'colo'

ansible/environments/colo/host_vars/mrmanager

@@ -0,0 +1,29 @@
+os_flavor: "freebsd"
+zfs_snapshot_datasets:
+  - zroot/freebsd/main/be
+sshd_enabled: true
+loader_conf: "mrmanager_loader.conf"
+rc_conf: "mrmanager_rc.conf"
+network_rc: "mrmanager_network.conf"
+routing_rc: "mrmanager_routing.conf"
+pf_config: "mrmanager_pf.conf"
+pflog_conf:
+  - name: 0
+    dev: pflog0
+cputype: "amd"
+etc_hosts: {}
+wireguard_directory: mrmanager
+enabled_wireguard:
+  - colo
+jail_zfs_dataset: zdata/jail
+jail_zfs_dataset_mountpoint: /jail/main
+jail_canmount: "on"
+jail_list:
+  - name: nat_dhcp
+    enabled: true
+    conf:
+      src: nat_dhcp
+bhyve_dataset: zdata/vm
+bhyve_canmount: "on"
+# efi_dev: /dev/gpt/EFI
+devfs_rules: "mrmanager_devfs.rules"

ansible/environments/colo/hosts

@@ -0,0 +1,2 @@
+[server]
+mrmanager ansible_user=talexander ansible_host=10.217.2.1

ansible/environments/jail/host_vars/mrmanager_nat_dhcp

@@ -0,0 +1 @@
+os_flavor: "freebsd"

ansible/environments/jail/hosts

@@ -1,4 +1,5 @@
 [jail]
 nat_dhcp ansible_connection=jail
 homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@172.16.16.2 ansible_connection=sshjail
+mrmanager_nat_dhcp ansible_ssh_host=nat_dhcp@10.217.2.1 ansible_connection=sshjail
 nat_dhcp@172.16.16.2 ansible_connection=sshjail

ansible/environments/vm/host_vars/poudrieremrmanager

@@ -0,0 +1,13 @@
+os_flavor: "freebsd"
+poudriere_builds:
+  - jail: 13amd64
+    ports: default
+    set: framework
+    version: 13.2-RELEASE
+  # - jail: current
+  #   ports: default
+  #   set: framework
+  #   version: CURRENT
+  #   revision: af01b4722577903f91acc44f01bdcb8cdb2d65ad
+  #   kernel: CUSTOM
+  #   branch: main

ansible/environments/vm/hosts

@@ -1,2 +1,9 @@
 [vm]
 poudriereodo ansible_user=builder ansible_host=10.213.177.12
+poudrieremrmanager ansible_user=root ansible_host=poudriere
+#
+# Put in ~/.ssh/config
+#    Host poudriere
+#       ProxyJump talexander@mrmanager
+#       HostName 10.215.1.203
+#

ansible/playbook.yaml

@@ -1,4 +1,4 @@
-- hosts: all:!jail:!vm
+- hosts: all:!jail:!vm:!server
   vars:
     ansible_become: True
   roles:
@@ -49,15 +49,43 @@
     - docker
     - vscode
 
-- hosts: nat_dhcp:homeserver_nat_dhcp
+- hosts: nat_dhcp:homeserver_nat_dhcp:mrmanager_nat_dhcp
   vars:
     ansible_become: True
   roles:
     - jail_nat_dhcp
 
-- hosts: poudriereodo
+- hosts: poudriereodo:poudrieremrmanager
   vars:
     ansible_become: True
   roles:
+    - sudo # for poudboot script
+    - fstab
     - portshaker
     - poudriere
+    - poudrierenginx
+
+- hosts: mrmanager
+  vars:
+    ansible_become: True
+  roles:
+    - sudo
+    - doas
+    - users
+    - package_manager
+    - zfs
+    - zrepl
+    - zsh
+    - network
+    - sshd
+    - base
+    - firewall
+    - cpu
+    - ntp
+    - nvme
+    - hosts
+    - build
+    - devfs
+    - jail
+    - bhyve
+    - wireguard

ansible/roles/base/files/mrmanager_loader.conf

@@ -0,0 +1 @@
+zfs_load="YES"

ansible/roles/base/files/mrmanager_rc.conf

@@ -0,0 +1,2 @@
+hostname="mrmanager"
+zfs_enable="YES"

ansible/roles/base/meta/main.yaml

@@ -0,0 +1,2 @@
+dependencies:
+  - fstab

ansible/roles/base/tasks/freebsd.yaml

@@ -84,37 +84,6 @@
     state: absent
   when: rc_conf is not defined
 
-- name: Add fstab entries
-  mount:
-    name: "{{ item.dst }}"
-    src: "{{ item.src }}"
-    fstype: "{{ item.fstype }}"
-    opts: "{{ item.opts }}"
-    state: present
-  loop:
-    - dst: /tmp
-      src: tmpfs
-      fstype: tmpfs
-      opts: rw,mode=777
-    - dst: /var/run
-      src: tmpfs
-      fstype: tmpfs
-      opts: rw,mode=755
-
-- name: Add fstab entries
-  when: efi_dev is defined
-  mount:
-    name: "{{ item.dst }}"
-    src: "{{ item.src }}"
-    fstype: "{{ item.fstype }}"
-    opts: "{{ item.opts }}"
-    state: present
-  loop:
-    - dst: /boot/efi
-      src: "{{ efi_dev }}"
-      fstype: msdosfs
-      opts: rw
-
 - name: Install scripts
   copy:
     src: "files/{{ item.src }}"

ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash

@@ -15,19 +15,38 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # Enable Sound
 # bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
 
+# Example usage:
+#
+#   doas bhyve_netgraph_bridge create-disk zdata/vm/poudriere /vm/poudriere 10
+#   doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere jail_nat 10.215.1.1/24 /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso
+#   doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere jail_nat 10.215.1.1/24
+
+: ${CPU_CORES:="1"}
+: ${MEMORY:="1G"}
+: ${NETWORK:="NAT"} # or RAW
+: ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks
+: ${INTERFACE_NAME:="jail_nat"} # or the external interface like lagg0 for RAW networks
+: ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
+
 function main {
-    if [ "$1" = "create-disk" ]; then
+    cmd="$1"
     shift 1
+    if [ "$cmd" = "create-disk" ]; then
         create_disk "${@}"
-    elif [ "$1" = "start" ]; then
-        shift 1
+    elif [ "$cmd" = "start" ]; then
         start_vm "${@}"
     else
-        >&2 echo "Unrecognized command"
-        exit 1
+        die 1 "Unrecognized command $cmd"
     fi
 }
 
+function die {
+    local status_code="$1"
+    shift
+    (>&2 echo "${@}")
+    exit "$status_code"
+}
+
 function create_disk {
     zfs_path="$1"
     mount_path="$2"
@@ -35,8 +54,12 @@ function create_disk {
     zfs create -o "mountpoint=$mount_path" "$zfs_path"
     cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/"
     tee "${mount_path}/settings" <<EOF
-CPU_CORES=1
-MEMORY=1G
+CPU_CORES="$CPU_CORES"
+MEMORY="$MEMORY"
+NETWORK="$NETWORK"
+IP_RANGE="$IP_RANGE"
+BRIDGE_NAME="$BRIDGE_NAME"
+INTERFACE_NAME="$INTERFACE_NAME"
 EOF
     zfs create -s "-V${gigabytes}G" -o volmode=dev "$zfs_path/disk0"
 }
@@ -45,22 +68,29 @@ function start_vm {
     name="$1"
     zfs_path="$2"
     mount_path="$3"
-    host_interface_name="$4"
-    bridge_name="bridge_${host_interface_name}"
-    ip_range="$5"
-    mount_cd="${6:-}"
+    mount_cd="${4:-}"
 
-    mac_address=$(calculate_mac_address "$name")
-
-    assert_bridge "$host_interface_name" "$bridge_name" "$ip_range"
-    bridge_link_name=$(detect_available_link "${bridge_name}")
-
-
-    CPU_CORES=1
-    MEMORY=1G
     if [ -e "${mount_path}/settings" ]; then
         source "${mount_path}/settings"
     fi
+
+    host_interface_name="$INTERFACE_NAME" # for raw, external interface
+    bridge_name="$BRIDGE_NAME"
+    ip_range="$IP_RANGE" # for raw this value does not matter
+
+    mac_address=$(calculate_mac_address "$name")
+
+
+    if [ "$NETWORK" = "NAT" ]; then
+        assert_bridge "$host_interface_name" "$bridge_name" "$ip_range"
+    elif [ "$NETWORK" = "RAW" ]; then
+        assert_raw "$host_interface_name" "$bridge_name"
+    else
+        die 1 "Unrecognized NETWORK type $NETWORK"
+    fi
+    bridge_link_name=$(detect_available_link "${bridge_name}")
+
+
     # -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
          # -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
              # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
@@ -146,6 +176,30 @@ EOF
     fi
 }
 
+function assert_raw {
+    extif="$1"
+    bridge_name="$2"
+
+    kldload -n ng_bridge ng_eiface ng_ether
+
+    if ! ng_exists "${bridge_name}:"; then
+        ngctl -d -f - <<EOF
+# Create a bridge.
+mkpeer $extif: bridge lower link0
+# Assign a name to the bridge.
+name $extif:lower ${bridge_name}
+# Since the host is also using $extif, we need to connect the upper hook also. Otherwise we will lose connectivity.
+connect $extif: ${bridge_name}: upper link1
+
+# Enable promiscuous mode so the host ethernet adapter accepts packets for all addresses
+msg $extif: setpromisc 1
+
+# Do not overwrite source address on packets
+msg $extif: setautosrc 0
+EOF
+    fi
+}
+
 function ng_exists {
     ngctl status "${1}" >/dev/null 2>&1
 }

ansible/roles/bhyve/tasks/freebsd.yaml

@@ -31,18 +31,3 @@
       mountpoint: "{{ bhyve_mountpoint }}"
       canmount: "{{ bhyve_canmount|default('noauto') }}"
       "ta:bemount": "{{ bhyve_bemount|default('on') }}"
-
-- name: Enable bhyve
-  community.general.sysrc:
-    name: "{{ item.name }}"
-    value: "{{ item.value }}"
-    path: /etc/rc.conf.d/vm
-  loop:
-    - name: vm_enable
-      value: "YES"
-    - name: vm_dir
-      value: "zfs:{{ bhyve_dataset }}"
-    - name: vm_list
-      value: "{{ bhyve_list|community.general.json_query('[?enabled==`true`].name')|join(' ') }}"
-    - name: vm_delay
-      value: "5"

ansible/roles/cpu/files/amdtemp_loader.conf

@@ -0,0 +1,2 @@
+# Read CPU temperature on AMD CPUs.
+amdtemp_load="YES"

ansible/roles/cpu/tasks/freebsd_amd.yaml

@@ -0,0 +1,29 @@
+- name: Install loader.conf
+  copy:
+    src: "files/{{ item }}_loader.conf"
+    dest: "/boot/loader.conf.d/{{ item }}.conf"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - amdtemp
+
+- name: Install service configuration
+  copy:
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - power_profile
+
+- name: Install loader.conf
+  copy:
+    src: "files/{{ item }}_loader.conf"
+    dest: "/boot/loader.conf.d/{{ item }}.conf"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - aesni

ansible/roles/cpu/tasks/freebsd_intel.yaml

@@ -17,16 +17,15 @@
     - cpuctl
     - aesni
 
-- name: Install Configuration
+- name: Install service configuration
   copy:
-    src: "files/{{ item.src }}"
-    dest: "{{ item.dest }}"
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
     mode: 0644
     owner: root
     group: wheel
   loop:
-    - src: power_profile.conf
-      dest: /etc/rc.conf.d/power_profile
+    - power_profile
 
 - name: Install packages
   when: hwpstate is defined and not hwpstate

ansible/roles/devfs/files/mrmanager_devfs.rules

@@ -0,0 +1,5 @@
+[tajaildhcp=14]
+add include $devfsrules_hide_all
+add include $devfsrules_unhide_basic
+add include $devfsrules_unhide_login
+add path 'bpf*' unhide

ansible/roles/doas/tasks/common.yaml

@@ -9,13 +9,3 @@
 
 - import_tasks: tasks/linux.yaml
   when: 'os_flavor == "linux"'
-
-- include_tasks:
-    file: tasks/peruser.yaml
-    apply:
-      become: yes
-      become_user: "{{ initialize_user }}"
-  when: users is defined
-  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
-  loop_control:
-    loop_var: initialize_user

ansible/roles/firewall/files/mrmanager_pf.conf

@@ -0,0 +1,41 @@
+ext_if = "lagg0"
+not_ext_if = "{ !lagg0 }"
+jail_nat_v4 = "{ 10.215.1.0/24 }"
+not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
+
+dhcp = "{ bootpc, bootps }"
+allow = "{ colo }"
+
+tcp_pass_in = "{ 22 }"
+udp_pass_in = "{ 53 51820 51821 51822 }"
+
+# Rules must be in order: options, normalization, queueing, translation, filtering
+
+# options
+set skip on lo
+
+# redirections
+nat pass on lagg0 inet from $jail_nat_v4 to $not_jail_nat_v4 -> (lagg0)
+nat pass on $not_ext_if inet from $jail_nat_v4 to 10.215.1.1 port 53 -> ($ext_if)
+rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53
+
+# filtering
+block log all
+pass out on $ext_if
+
+pass in on jail_nat
+# Allow traffic from my machine to the jails/virtual machines
+pass out on jail_nat from $jail_nat_v4
+
+# We pass on the interfaces listed in allow rather than skipping on
+# them because changes to pass rules will update when running a
+# `service pf reload` but interfaces that we `skip` will not update (I
+# forget if its from adding, removing, or both. TODO: test to figure
+# it out). Also skipped interfaces are not subject to nat/rdr rules.
+pass quick on $allow
+
+pass on $ext_if proto icmp all
+pass on $ext_if proto icmp6 all
+
+pass in on $ext_if proto tcp to any port $tcp_pass_in
+pass in on $ext_if proto udp to any port $udp_pass_in

ansible/roles/fstab/tasks/common.yaml

@@ -0,0 +1,15 @@
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user

ansible/roles/fstab/tasks/freebsd.yaml

@@ -0,0 +1,31 @@
+- name: Add fstab entries
+  mount:
+    name: "{{ item.dst }}"
+    src: "{{ item.src }}"
+    fstype: "{{ item.fstype }}"
+    opts: "{{ item.opts }}"
+    state: present
+  loop:
+    - dst: /tmp
+      src: tmpfs
+      fstype: tmpfs
+      opts: rw,mode=777
+    - dst: /var/run
+      src: tmpfs
+      fstype: tmpfs
+      opts: rw,mode=755
+
+- name: Add fstab entries
+  when: efi_dev is defined
+  mount:
+    name: "{{ item.dst }}"
+    src: "{{ item.src }}"
+    fstype: "{{ item.fstype }}"
+    opts: "{{ item.opts }}"
+    state: present
+  loop:
+    - dst: /boot/efi
+      src: "{{ efi_dev }}"
+      fstype: msdosfs
+      opts: rw
+

ansible/roles/fstab/tasks/linux.yaml

@@ -0,0 +1,29 @@
+# - name: Build aur packages
+#   register: buildaur
+#   become_user: "{{ build_user.name }}"
+#   command: "aurutils-sync --no-view {{ item }}"
+#   args:
+#     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+#   loop:
+#     - foo
+
+# - name: Update cache
+#   when: buildaur.changed
+#   pacman:
+#     name: []
+#     state: present
+#     update_cache: true
+    
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present
+
+# - name: Enable services
+#   systemd:
+#     enabled: yes
+#     name: "{{ item }}"
+#     daemon_reload: yes
+#   loop:
+#     - foo.service

ansible/roles/fstab/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  # when: foo is defined

ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf

@@ -23,6 +23,11 @@
                         // unifi controller
                         "hw-address": "06:40:9f:d7:be:a6",
                         "ip-address": "10.215.1.202"
+                    },
+                    {
+                        // poudriere
+                        "hw-address": "06:8f:24:d6:21:24",
+                        "ip-address": "10.215.1.203"
                     }
                 ]
             }

ansible/roles/network/files/mrmanager_network.conf

@@ -0,0 +1,5 @@
+cloned_interfaces="lagg0"
+ifconfig_igb0="up"
+ifconfig_igb1="up"
+ifconfig_lagg0="up laggproto failover laggport igb0 laggport igb1"
+ifconfig_lagg0_alias0="inet 74.80.180.138 netmask 255.255.255.248"

ansible/roles/network/files/mrmanager_routing.conf

@@ -0,0 +1,3 @@
+defaultrouter="74.80.180.137"
+gateway_enable="YES"
+ipv6_gateway_enable="YES"

ansible/roles/network/tasks/freebsd.yaml

@@ -11,6 +11,18 @@
     - src: "{{ network_rc }}"
       dest: /etc/rc.conf.d/network
 
+- name: Install configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  when: routing_rc is defined
+  loop:
+    - src: "{{ routing_rc }}"
+      dest: /etc/rc.conf.d/routing
+
 - name: Install configuration
   copy:
     src: "files/{{ item.src }}"

ansible/roles/portshaker/files/portshaker.conf

@@ -5,4 +5,5 @@ mirror_base_dir="/var/cache/portshaker"
 ports_trees="main"
 
 main_ports_tree="/usr/local/portshaker/trees/main"
-main_merge_from="freebsd myrepo"
+# main_merge_from="freebsd myrepo"
+main_merge_from="freebsd"

ansible/roles/poudriere/files/poudriere.conf

@@ -10,15 +10,16 @@
 # poudriere.
 #
 #ZPOOL=zroot
-ZPOOL=zroot
+# ZPOOL=zroot
 
 ### NO ZFS
 # To not use ZFS, define NO_ZFS=yes
 #NO_ZFS=yes
+NO_ZFS=yes
 
 # root of the poudriere zfs filesystem, by default /poudriere
 # ZROOTFS=/poudriere
-ZROOTFS=/poudriere
+# ZROOTFS=/poudriere
 
 # the host where to download sets for the jails setup
 # You can specify here a host or an IP
@@ -73,7 +74,7 @@ USE_TMPFS=all
 # How much memory to limit tmpfs size to for *each builder* in GiB
 # (default: none)
 #TMPFS_LIMIT=8
-TMPFS_LIMIT=16
+TMPFS_LIMIT=32
 
 # How much memory to limit jail processes to for *each builder*
 # in GiB (default: none)
@@ -196,7 +197,7 @@ PARALLEL_JOBS=1
 # If set, failed builds will save the WRKDIR to ${POUDRIERE_DATA}/wrkdirs
 # SAVE_WRKDIR=yes
 
-# Choose the default format for the workdir packing: could be tar,tgz,tbz,txz
+# Choose the default format for the workdir packing: could be tar,tgz,tbz,txz,tzst
 # default is tbz
 # WRKDIR_ARCHIVE_FORMAT=tbz
 WRKDIR_ARCHIVE_FORMAT=txz

ansible/roles/poudriere/files/poudriere.d/13amd64-default-framework-make.conf

@@ -6,10 +6,8 @@
 #
 # Example from bottom of /usr/share/examples/etc/make.conf
 .if ${.CURDIR:N*/lang/gcc48*} && ${.CURDIR:N*/lang/gcc10*} && ${.CURDIR:N*/textproc/ripgrep*} && ${.CURDIR:N*/www/firefox*}
-# Disabling tigerlake optimizations because qemu's TCG does not support avx512
-#
-#CPUTYPE?=tigerlake
-CPUTYPE?=x86-64-v3
+CPUTYPE?=tigerlake
+#CPUTYPE?=x86-64-v3
 .endif
 OPTIMIZED_CFLAGS=YES
 BUILD_OPTIMIZED=YES

ansible/roles/poudriere/files/poudriere.d/13amd64-default-framework-pkglist

@@ -0,0 +1,131 @@
+archivers/unrar
+archivers/unzip
+archivers/zip
+audio/mixertui
+databases/sqlite3
+deskutils/xdg-desktop-portal
+devel/git
+devel/gmake
+devel/hs-ShellCheck
+devel/libccid
+devel/libnotify
+devel/py-black
+devel/py-isort
+devel/py-jmespath
+devel/py-ptvsd
+devel/py-yamllint
+devel/pyenv
+dns/coredns
+editors/emacs
+editors/mg
+ftp/wget
+graphics/drm-kmod
+graphics/evince
+graphics/gimp
+graphics/graphviz
+graphics/igt-gpu-tools
+graphics/imv
+graphics/inkscape
+graphics/qt5-wayland
+graphics/vulkan-loader
+graphics/vulkan-tools
+graphics/vulkan-validation-layers
+lang/python
+lang/rust-nightly
+math/gnuplot
+multimedia/libva-intel-driver
+multimedia/libva-intel-media-driver
+multimedia/libva-utils
+multimedia/libvdpau-va-gl
+multimedia/mpv
+multimedia/pwcview
+multimedia/v4l_compat
+multimedia/v4l-utils
+multimedia/vdpauinfo
+multimedia/webcamd
+multimedia/wf-recorder
+net-mgmt/arpscan
+net-mgmt/ipcalc
+net/google-cloud-sdk
+net/rsync
+net/tcpdump
+net/wireguard
+net/wlvncc
+ports-mgmt/pkg
+ports-mgmt/pkg-provides
+ports-mgmt/portshaker
+ports-mgmt/poudriere
+print/texlive-full
+security/doas
+security/git-crypt
+security/gnupg
+security/libfido2
+security/openvpn
+security/pcsc-tools
+security/pinentry
+security/pinentry-qt5
+security/sops
+security/sudo
+security/u2f-devd
+shells/bash
+shells/zsh
+sysutils/ansible
+sysutils/ansible-sshjail
+sysutils/bhyve-firmware
+sysutils/btop
+sysutils/ddrescue
+sysutils/dsbmd
+sysutils/exfat-utils
+sysutils/flock
+sysutils/fusefs-exfat
+sysutils/fusefs-simple-mtpfs
+sysutils/fusefs-sshfs
+sysutils/helm
+sysutils/htop
+sysutils/kubectl
+sysutils/lscpu
+sysutils/lsof
+sysutils/moreutils
+sysutils/ncdu
+sysutils/nvme-cli
+sysutils/powermon
+sysutils/pstree
+sysutils/pv
+sysutils/rust-coreutils
+sysutils/tmux
+sysutils/tree
+sysutils/zrepl
+textproc/aspell
+textproc/colordiff
+textproc/en-aspell
+textproc/gsed
+textproc/jq
+textproc/kdiff3
+textproc/py-pygments
+textproc/ripgrep
+www/firefox
+x11-fm/pcmanfm
+x11-fonts/cascadia-code
+x11-fonts/noto
+x11-fonts/noto-emoji
+x11-fonts/noto-extra
+x11-fonts/source-sans-ttf
+x11-fonts/sourcecodepro-ttf
+x11-wm/sway
+x11/alacritty
+x11/grim
+x11/kanshi
+x11/mako
+x11/slurp
+x11/swaybg
+x11/swayidle
+x11/swaylock
+x11/waybar
+x11/wev
+x11/wlogout
+x11/wofi
+x11/wtype
+x11/xauth
+x11/xdg-desktop-portal-wlr
+x11/xeyes
+x11/xhost

ansible/roles/poudriere/tasks/freebsd.yaml

@@ -37,7 +37,7 @@
     owner: root
     group: wheel
   loop:
-    # - /usr/ports/distfiles
+    - /usr/ports/distfiles
     - /opt/poudriere/build_configs
     - /usr/local/poudriere/data/logs/bulk
 
@@ -56,15 +56,15 @@
 #     - src: poudriere_deploy_ed25519
 #       dest: /usr/local/etc/poudriere.d/poudriere_deploy_ed25519
 
-# - name: Install Configuration directory
-#   copy:
-#     src: "files/{{ item.src }}"
-#     dest: "{{ item.dest }}"
-#     owner: root
-#     group: wheel
-#   loop:
-#     - src: poudriere.d
-#       dest: /usr/local/etc/
+- name: Install Configuration directory
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: wheel
+  loop:
+    - src: poudriere.d
+      dest: /usr/local/etc/
 
 - name: Install scripts
   copy:

ansible/roles/poudrierenginx/files/headers.include

@@ -0,0 +1,12 @@
+# Enable HTTP Strict Transport Security (HSTS) to force clients to
+# always connect via HTTPS (do not use if only testing)
+add_header Strict-Transport-Security "max-age=31536000;" always;
+# Enable cross-site filter (XSS) and tell browser to block detected
+# attacks
+add_header X-XSS-Protection "1; mode=block" always;
+# Prevent some browsers from MIME-sniffing a response away from the
+# declared Content-Type
+add_header X-Content-Type-Options "nosniff" always;
+# Disallow the site to be rendered within a frame (clickjacking
+# protection)
+add_header X-Frame-Options "DENY" always;

ansible/roles/poudrierenginx/files/newsyslog.conf

@@ -0,0 +1,2 @@
+# logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
+/var/log/nginx/*.log			640  5	   1000	@T00 GYC /var/run/nginx.pid SIGUSR1

ansible/roles/poudrierenginx/files/nginx.conf

@@ -0,0 +1,34 @@
+worker_processes  auto;
+user  www www;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    sendfile        on;
+    tcp_nopush     on;
+    tcp_nodelay    on;
+    gzip  on;
+
+    include conf.d/headers.include;
+
+    server {
+        listen 8080 default;
+        listen [::]:8080;
+        server_name freebsdpkg.fizz.buzz;
+        
+        location / {
+            root   /usr/local/share/poudriere/html;
+            index  index.html index.htm;
+        }
+        
+        location /data {
+            alias /usr/local/poudriere/data/logs/bulk;
+            autoindex on;
+        }
+    }
+}

ansible/roles/poudrierenginx/files/rc.conf

@@ -0,0 +1 @@
+nginx_enable="YES"

ansible/roles/poudrierenginx/meta/main.yaml

@@ -0,0 +1,2 @@
+dependencies:
+  - syslog

ansible/roles/poudrierenginx/tasks/common.yaml

@@ -0,0 +1,15 @@
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user

ansible/roles/poudrierenginx/tasks/freebsd.yaml

@@ -0,0 +1,54 @@
+- name: Create www group
+  group:
+    name: www
+
+- name: Create www user
+  user:
+    name: www
+    home: /srv/http
+    createhome: false
+    group: www
+
+- name: Install packages
+  package:
+    name:
+      - nginx
+    state: present
+
+- name: Create root directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - /srv
+    - /usr/local/etc/nginx/conf.d
+
+# validate fails because nginx config relies on a local mime.types
+- name: Install Configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - src: rc.conf
+      dest: /etc/rc.conf.d/nginx
+    - src: nginx.conf
+      dest: /usr/local/etc/nginx/nginx.conf
+    - src: headers.include
+      dest: /usr/local/etc/nginx/conf.d/headers.include
+
+- name: Install newsyslog configuration
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0600
+    owner: root
+    group: wheel
+  loop:
+    - src: newsyslog.conf
+      dest: /usr/local/etc/newsyslog.conf.d/nginx.conf

ansible/roles/poudrierenginx/tasks/linux.yaml

@@ -0,0 +1,29 @@
+# - name: Build aur packages
+#   register: buildaur
+#   become_user: "{{ build_user.name }}"
+#   command: "aurutils-sync --no-view {{ item }}"
+#   args:
+#     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+#   loop:
+#     - foo
+
+# - name: Update cache
+#   when: buildaur.changed
+#   pacman:
+#     name: []
+#     state: present
+#     update_cache: true
+    
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present
+
+# - name: Enable services
+#   systemd:
+#     enabled: yes
+#     name: "{{ item }}"
+#     daemon_reload: yes
+#   loop:
+#     - foo.service

ansible/roles/poudrierenginx/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  # when: foo is defined

ansible/roles/poudrierenginx/tasks/peruser.yaml

@@ -0,0 +1,29 @@
+- include_role:
+    name: per_user
+
+# - name: Create directories
+#   file:
+#     name: "{{ account_homedir.stdout }}/{{ item }}"
+#     state: directory
+#     mode: 0700
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - ".config/foo"
+
+# - name: Copy files
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+#     mode: 0600
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - src: foo.conf
+#       dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'

ansible/roles/syslog/files/syslogd_rc.conf

@@ -0,0 +1,5 @@
+# One -s disables connections from remote machines, two disables
+# network entirely which blocks logging to remote machines
+
+syslogd_enable="YES"
+syslogd_flags="-ss -v -v"

ansible/roles/syslog/tasks/common.yaml

@@ -0,0 +1,15 @@
+- import_tasks: tasks/freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+  when: 'os_flavor == "linux"'
+
+- include_tasks:
+    file: tasks/peruser.yaml
+    apply:
+      become: yes
+      become_user: "{{ initialize_user }}"
+  when: users is defined
+  loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+  loop_control:
+    loop_var: initialize_user

ansible/roles/syslog/tasks/freebsd.yaml

@@ -0,0 +1,19 @@
+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - /usr/local/etc/newsyslog.conf.d
+
+- name: Install service configuration
+  copy:
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - syslogd

ansible/roles/syslog/tasks/linux.yaml

@@ -0,0 +1,29 @@
+# - name: Build aur packages
+#   register: buildaur
+#   become_user: "{{ build_user.name }}"
+#   command: "aurutils-sync --no-view {{ item }}"
+#   args:
+#     creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+#   loop:
+#     - foo
+
+# - name: Update cache
+#   when: buildaur.changed
+#   pacman:
+#     name: []
+#     state: present
+#     update_cache: true
+    
+# - name: Install packages
+#   package:
+#     name:
+#       - foo
+#     state: present
+
+# - name: Enable services
+#   systemd:
+#     enabled: yes
+#     name: "{{ item }}"
+#     daemon_reload: yes
+#   loop:
+#     - foo.service

ansible/roles/syslog/tasks/main.yaml

@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+  # when: foo is defined

ansible/roles/syslog/tasks/peruser.yaml

@@ -0,0 +1,29 @@
+- include_role:
+    name: per_user
+
+# - name: Create directories
+#   file:
+#     name: "{{ account_homedir.stdout }}/{{ item }}"
+#     state: directory
+#     mode: 0700
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - ".config/foo"
+
+# - name: Copy files
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+#     mode: 0600
+#     owner: "{{ account_name.stdout }}"
+#     group: "{{ group_name.stdout }}"
+#   loop:
+#     - src: foo.conf
+#       dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+  when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+  when: 'os_flavor == "linux"'

ansible/roles/users/defaults/main.yaml

@@ -9,4 +9,3 @@ users:
       - yubikey
       - main_fido
       - backup_fido
-      - homeassistant

ansible/run.bash

@@ -28,6 +28,12 @@ elif [ "$target" = "jail_homeserver_nat_dhcp" ]; then
     ansible-playbook -v -i environments/jail playbook.yaml --diff --limit homeserver_nat_dhcp "${@}"
 elif [ "$target" = "vm_poudriereodo" ]; then
     ansible-playbook -v -i environments/vm playbook.yaml --diff --limit poudriereodo "${@}"
+elif [ "$target" = "vm_poudrieremrmanager" ]; then
+    ansible-playbook -v -i environments/vm playbook.yaml --diff --limit poudrieremrmanager "${@}"
+elif [ "$target" = "mrmanager" ]; then
+    ansible-playbook -v -i environments/colo playbook.yaml --diff --limit mrmanager "${@}"
+elif [ "$target" = "jail_mrmanager_nat_dhcp" ]; then
+    ansible-playbook -v -i environments/jail playbook.yaml --diff --limit mrmanager_nat_dhcp "${@}"
 else
     die 1 "Unrecognized target"
 fi