talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Update for pkgbase rebuild of homeserver.

Browse Source
This commit is contained in:
Tom Alexander
2026-04-11 12:49:59 -04:00
parent 88dfc73f3d
commit a8822d0bfb
69 changed files with 89 additions and 1284 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
ansible/environments/home/host_vars/homeserver
View File

@@ -1,6 +1,4 @@
os_flavor: "freebsd"
custom_repo: "https://freebsdpkg.fizz.buzz/repo/14broadwell-default-computer"
pkgbase_url: "https://freebsdpkg.fizz.buzz/pkgbase/14broadwell-repo/FreeBSD:14:amd64/latest"
zfs_snapshot_datasets:
- path: zroot/freebsd/computer/be
- path: zmass/encrypted/vm
@@ -26,7 +24,6 @@ users:
sshd_enabled: true
sshd_conf: "sshd_config"
prefer_ipv6: true
dummynet_config: "dnctl.conf"
pf_config: "homeserver_pf.conf"
pflog_conf:
- name: 0
@@ -53,9 +50,6 @@ jail_list:
- name: dagger
conf:
src: dagger
- name: olddagger
conf:
src: olddagger
- name: sftp
conf:
src: sftp
@@ -67,9 +61,6 @@ jail_list:
- name: certificate
conf:
src: certificate
- name: momlaptop
conf:
src: momlaptop
# - name: mumble
# conf:
# src: mumble
@@ -84,10 +75,3 @@ bhyve_bemount: "on"
wireguard_directory: homeserver
enabled_wireguard:
- wgh
linfi:
enabled: true
zfs_dataset: zmass/unencrypted/vm/linfi
zfs_mountpoint: /vm/linfi
driver_blocklist: "ath if_ath if_ath_pci ath_hal if_iwm if_iwlwifi"
pci_blocklist: "6/0/0"
amd: false

3
ansible/environments/home/hosts
View File

@@ -1,2 +1,3 @@
[headless]
homeserver ansible_user=talexander ansible_host=homeserver
#homeserver ansible_user=talexander ansible_host=homeserver
homeserver ansible_user=talexander ansible_host=172.16.16.32

1
ansible/environments/jail/host_vars/momlaptop
View File

@@ -1 +0,0 @@
os_flavor: freebsd

1
ansible/environments/jail/hosts
View File

@@ -8,4 +8,3 @@ public_dns ansible_ssh_host=public_dns@10.217.2.1 ansible_connection=sshjail
sftp ansible_ssh_host=sftp@homeserver ansible_connection=sshjail
bastion ansible_ssh_host=bastion@homeserver ansible_connection=sshjail
certificate ansible_ssh_host=certificate@homeserver ansible_connection=sshjail
momlaptop ansible_ssh_host=momlaptop@homeserver ansible_connection=sshjail

14
ansible/playbook.yaml
View File

@@ -127,16 +127,8 @@
vars:
ansible_become: True
roles:
- linfi
- framework_laptop
- hosts: homeserver
vars:
ansible_become: True
roles:
- linfi
- homeserver
- hosts: odowork
vars:
ansible_become: True
@@ -161,9 +153,3 @@
ansible_become: True
roles:
- jail_certificate
- hosts: momlaptop
vars:
ansible_become: True
roles:
- jail_momlaptop

1
ansible/roles/base/files/homeserver_loader.conf
View File

@@ -1,3 +1,4 @@
security.bsd.allow_destructive_dtrace=0
cryptodev_load="YES"
zfs_load="YES"
devmatch_blocklist="if_iwm"

3
ansible/roles/base/files/homeserver_rc.conf
View File

@@ -2,8 +2,7 @@ clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
hostname="computer"
local_unbound_enable="NO"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
zfs_enable="YES"
kld_list="${kld_list} if_iwlwifi"

2
ansible/roles/base/files/login.conf
View File

@@ -23,6 +23,7 @@
default:\
:passwd_format=blf:\
:copyright=/etc/COPYRIGHT:\
:welcome=/var/run/motd:\
:setenv=BLOCKSIZE=K:\
:mail=/var/mail/$:\
@@ -126,6 +127,7 @@ russian|Russian Users Accounts:\
## standard - standard user defaults
##
#standard:\
# :copyright=/etc/COPYRIGHT:\
# :welcome=/var/run/motd:\
# :setenv=BLOCKSIZE=K:\
# :mail=/var/mail/$:\

2
ansible/roles/dummynet/files/dnctl.conf
View File

@@ -1,2 +0,0 @@
pipe 1 config bw 100KByte/s
pipe 2 config

28
ansible/roles/dummynet/files/dummynet
View File

@@ -1,28 +0,0 @@
#!/bin/sh
#
#
# PROVIDE: dummynet
# BEFORE: pf ipfw
# KEYWORD: nojailvnet
. /etc/rc.subr
name="dummynet"
desc="Dummynet packet queuing and scheduling"
rcvar="${name}_enable"
load_rc_config $name
start_cmd="${name}_start"
required_files="$dummynet_rules"
required_modules="dummynet"
dummynet_start()
{
startmsg -n "Enabling ${name}"
cat "$dnctl_rules" | while read l; do
dnctl $l
done
startmsg '.'
}
run_rc_command $*

2
ansible/roles/dummynet/files/dummynet_rc.conf
View File

@@ -1,2 +0,0 @@
dummynet_enable="YES"
dummynet_rules="/etc/dnctl.conf"

55
ansible/roles/dummynet/tasks/common.yaml
View File

@@ -1,55 +0,0 @@
# - name: Create directories
# file:
# name: "{{ item }}"
# state: directory
# mode: 0755
# owner: root
# group: wheel
# loop:
# - /foo/bar
# - name: Install scripts
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ item.dest }}"
# mode: 0755
# owner: root
# group: wheel
# loop:
# - src: foo.bash
# dest: /usr/local/bin/foo
# - name: Install Configuration
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ item.dest }}"
# mode: 0600
# owner: root
# group: wheel
# loop:
# - src: foo.conf
# dest: /usr/local/etc/foo.conf
# - name: Clone Source
# git:
# repo: "https://foo.bar/baz.git"
# dest: /foo/bar
# version: "v1.0.2"
# force: true
# diff: false
- import_tasks: tasks/freebsd.yaml
when: 'os_flavor == "freebsd"'
- import_tasks: tasks/linux.yaml
when: 'os_flavor == "linux"'
- include_tasks:
file: tasks/peruser.yaml
apply:
become: yes
become_user: "{{ initialize_user }}"
when: users is defined
loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
loop_control:
loop_var: initialize_user

30
ansible/roles/dummynet/tasks/freebsd.yaml
View File

@@ -1,30 +0,0 @@
- name: Install Configuration
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0600
owner: root
group: wheel
loop:
- src: "{{ dummynet_config }}"
dest: /etc/dnctl.conf
- name: Install rc script
copy:
src: "files/{{ item.src }}"
dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
owner: root
group: wheel
mode: 0755
loop:
- src: dummynet
- name: Install service configuration
copy:
src: "files/{{ item }}_rc.conf"
dest: "/etc/rc.conf.d/{{ item }}"
mode: 0644
owner: root
group: wheel
loop:
- dummynet

29
ansible/roles/dummynet/tasks/linux.yaml
View File

@@ -1,29 +0,0 @@
# - name: Build aur packages
# register: buildaur
# become_user: "{{ build_user.name }}"
# command: "aurutils-sync --no-view {{ item }}"
# args:
# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
# loop:
# - foo
# - name: Update cache
# when: buildaur.changed
# pacman:
# name: []
# state: present
# update_cache: true
# - name: Install packages
# package:
# name:
# - foo
# state: present
# - name: Enable services
# systemd:
# enabled: yes
# name: "{{ item }}"
# daemon_reload: yes
# loop:
# - foo.service

2
ansible/roles/dummynet/tasks/main.yaml
View File

@@ -1,2 +0,0 @@
- import_tasks: tasks/common.yaml
when: (dummynet_config is defined and os_flavor == "freebsd") or (os_flavor == "linux")

29
ansible/roles/dummynet/tasks/peruser.yaml
View File

@@ -1,29 +0,0 @@
- include_role:
name: per_user
# - name: Create directories
# file:
# name: "{{ account_homedir.stdout }}/{{ item }}"
# state: directory
# mode: 0700
# owner: "{{ account_name.stdout }}"
# group: "{{ group_name.stdout }}"
# loop:
# - ".config/foo"
# - name: Copy files
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
# mode: 0600
# owner: "{{ account_name.stdout }}"
# group: "{{ group_name.stdout }}"
# loop:
# - src: foo.conf
# dest: .config/foo/foo.conf
- import_tasks: tasks/peruser_freebsd.yaml
when: 'os_flavor == "freebsd"'
- import_tasks: tasks/peruser_linux.yaml
when: 'os_flavor == "linux"'

0
ansible/roles/dummynet/tasks/peruser_freebsd.yaml
View File

0
ansible/roles/dummynet/tasks/peruser_linux.yaml
View File

95
ansible/roles/firewall/files/homeserver_pf.conf
View File

@@ -1,9 +1,20 @@
ext_if = "{ igb0 igb1 ix0 ix1 linfi_host }"
not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !linfi_host }"
jail_nat_v4 = "{ 10.215.1.0/24 }"
not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
restricted_nat_v4 = "{ 10.215.2.0/24 }"
not_restricted_nat_v4 = "{ any, !10.215.2.0/24 }"
# TODO: ipv6 RFC 6296 - Network Prefix Translation?
# match out on $ext_if inet6 from fd00:db8::/48 binat-to 2001:db8::/48
# TODO: Maybe ipv6 icmp rules from https://oneuptime.com/blog/post/2026-03-20-configure-ipv6-firewall-pf-freebsd/view
#
# restricted_nat 10.215.2.1/24
# jail_nat 10.215.1.1/24
#
#
# External connections -> 172.16.16.32:8081
# rdr to bastion 10.215.1.217
# snat to bridge?
#
ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
dhcp = "{ bootpc, bootps }"
@@ -11,69 +22,29 @@ allow = "{ wgh wgf }"
tcp_pass_in = "{ 22 }"
udp_pass_in = "{ 53 51820 }"
unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }"
# Rules must be in order: options, normalization, queueing, translation, filtering
# options
set skip on lo
# normalization
# queueing
# altq on linfi_host cbq queue { def, stuff }
# queue def cbq(default borrow)
# queue stuff bandwidth 8Mb cbq { dagger }
# queue dagger cbq(borrow)
# redirections
nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (linfi_host)
rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53
# translation
nat pass on $ext_if proto {tcp, udp} tagged NATOUT -> (wlan0)
nat pass on restricted_nat proto {tcp, udp} tagged NATRESTRICTED -> (restricted_nat)
nat pass on jail_nat proto {tcp, udp} tagged NATJAIL -> (jail_nat)
# cloak
nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (linfi_host)
rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 172.16.0.1 port 53
# bastion
rdr pass on $ext_if inet proto {tcp, udp} from { any, !10.215.1.0/24, !10.215.2.0/24 } to any port 8081 -> 10.215.1.217 port 443
nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.217 port 443 -> 10.215.1.1
nat pass on restricted_nat proto {tcp, udp} from 10.215.1.217/32 to 10.215.2.2 port 8081 -> 10.215.2.1
# cloak -> olddagger
rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082
nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1
# cloak -> dagger old
rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8083 -> 10.215.2.2 port 8083
nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8083 -> 10.215.2.1
# -> sftp
# TODO: Limit bandwidth for sftp
rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 22
nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.216 port 22 -> 10.215.1.1
# Forward ports for unifi controller
# rdr pass on $ext_if inet proto {tcp, udp} from any to any port 65022 -> 10.213.177.8 port 22
rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202
# -> momlaptop
rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8033 -> 10.215.1.218 port 443
nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.218 port 443 -> 10.215.1.1
# external -> bastion
rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8081 tag NATJAIL -> 10.215.1.217 port 443
# external -> sftp
rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8022 tag NATJAIL -> 10.215.1.216 port 22
# filtering
# match in on jail_nat from any to any dnpipe(1, 2)
# match in on restricted_nat from any to any dnpipe(1, 2)
block log all
pass out on $ext_if
pass in on jail_nat
# Allow traffic from my machine to the jails/virtual machines
pass out on jail_nat from $jail_nat_v4
pass out on jail_nat proto {udp, tcp} from any to 10.215.1.202 port $unifi_ports
pass out on restricted_nat proto {udp, tcp} from any to 10.215.2.2 port 8081
# TODO: limit bandwidth for dagger here
pass in on restricted_nat proto {udp, tcp} from any to any port { 53 51820 }
pass out on $ext_if from (wlan0)
# We pass on the interfaces listed in allow rather than skipping on
# them because changes to pass rules will update when running a
@@ -85,5 +56,11 @@ pass quick on $allow
pass on $ext_if proto icmp all
pass on $ext_if proto icmp6 all
pass in on $ext_if proto tcp to any port $tcp_pass_in
pass in on $ext_if proto udp to any port $udp_pass_in
pass in on $ext_if proto tcp to (wlan0) port $tcp_pass_in
pass in on $ext_if proto udp to (wlan0) port $udp_pass_in
# Allow DNS and wireguard from cloak
pass in on restricted_nat proto {udp, tcp} from 10.215.2.2 to any port { 53 51820 } tag NATOUT
# bastion -> cloak
pass in on jail_nat proto {udp, tcp} from 10.215.1.217 to 10.215.2.2 port 8081 tag NATRESTRICTED

2
ansible/roles/firewall/meta/main.yaml
View File

@@ -1,2 +0,0 @@
dependencies:
- dummynet

2
ansible/roles/gpg/tasks/freebsd.yaml
View File

@@ -3,7 +3,7 @@
name:
- gnupg
- pcsc-tools
- ccid
# - ccid
# - linux_libusb
- pinentry
state: present

10
ansible/roles/homeserver/files/decrypt_disks.bash
View File

@@ -1,10 +0,0 @@
#!/usr/bin/env bash
#
# Decrypt and mount the disks after a fresh reboot.
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
zfs load-key -r zmass/encrypted
zfs mount -a
service bemount start

55
ansible/roles/homeserver/tasks/common.yaml
View File

@@ -1,55 +0,0 @@
# - name: Create directories
# file:
# name: "{{ item }}"
# state: directory
# mode: 0755
# owner: root
# group: wheel
# loop:
# - /foo/bar
# - name: Install scripts
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ item.dest }}"
# mode: 0755
# owner: root
# group: wheel
# loop:
# - src: foo.bash
# dest: /usr/local/bin/foo
# - name: Install Configuration
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ item.dest }}"
# mode: 0600
# owner: root
# group: wheel
# loop:
# - src: foo.conf
# dest: /usr/local/etc/foo.conf
# - name: Clone Source
# git:
# repo: "https://foo.bar/baz.git"
# dest: /foo/bar
# version: "v1.0.2"
# force: true
# diff: false
- import_tasks: tasks/freebsd.yaml
when: 'os_flavor == "freebsd"'
- import_tasks: tasks/linux.yaml
when: 'os_flavor == "linux"'
- include_tasks:
file: tasks/peruser.yaml
apply:
become: yes
become_user: "{{ initialize_user }}"
when: users is defined
loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
loop_control:
loop_var: initialize_user

10
ansible/roles/homeserver/tasks/freebsd.yaml
View File

@@ -1,10 +0,0 @@
- name: Install scripts
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0755
owner: root
group: wheel
loop:
- src: decrypt_disks.bash
dest: /usr/local/bin/decrypt_disks

29
ansible/roles/homeserver/tasks/linux.yaml
View File

@@ -1,29 +0,0 @@
# - name: Build aur packages
# register: buildaur
# become_user: "{{ build_user.name }}"
# command: "aurutils-sync --no-view {{ item }}"
# args:
# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
# loop:
# - foo
# - name: Update cache
# when: buildaur.changed
# pacman:
# name: []
# state: present
# update_cache: true
# - name: Install packages
# package:
# name:
# - foo
# state: present
# - name: Enable services
# systemd:
# enabled: yes
# name: "{{ item }}"
# daemon_reload: yes
# loop:
# - foo.service

2
ansible/roles/homeserver/tasks/main.yaml
View File

@@ -1,2 +0,0 @@
- import_tasks: tasks/common.yaml
# when: foo is defined

29
ansible/roles/homeserver/tasks/peruser.yaml
View File

@@ -1,29 +0,0 @@
- include_role:
name: per_user
# - name: Create directories
# file:
# name: "{{ account_homedir.stdout }}/{{ item }}"
# state: directory
# mode: 0700
# owner: "{{ account_name.stdout }}"
# group: "{{ group_name.stdout }}"
# loop:
# - ".config/foo"
# - name: Copy files
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
# mode: 0600
# owner: "{{ account_name.stdout }}"
# group: "{{ group_name.stdout }}"
# loop:
# - src: foo.conf
# dest: .config/foo/foo.conf
- import_tasks: tasks/peruser_freebsd.yaml
when: 'os_flavor == "freebsd"'
- import_tasks: tasks/peruser_linux.yaml
when: 'os_flavor == "linux"'

0
ansible/roles/homeserver/tasks/peruser_freebsd.yaml
View File

0
ansible/roles/homeserver/tasks/peruser_linux.yaml
View File

2
ansible/roles/hosts/defaults/main.yaml
View File

@@ -1,5 +1,5 @@
etc_hosts:
10.216.1.1:
10.216.1.32:
- homeserver
10.216.1.6:
- media

2
ansible/roles/jail/files/jails/dagger.conf
View File

@@ -1,5 +1,7 @@
dagger {
path = "/jail/${name}";
allow.chflags = 1;
vnet;
vnet.interface += "dagger";

15
ansible/roles/jail/files/jails/momlaptop.conf
View File

@@ -1,15 +0,0 @@
momlaptop {
path = "/jail/${name}";
vnet;
exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
vnet.interface += "jail${name}";
devfs_ruleset = 14;
mount.devfs;
mount.fstab = "/etc/fstab.${name}";
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown jail";
exec.consolelog = "/var/log/jail_${name}_console.log";
}

14
ansible/roles/jail/files/jails/olddagger.conf
View File

@@ -1,14 +0,0 @@
olddagger {
path = "/jail/${name}";
vnet;
vnet.interface += "olddagger";
exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24";
exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop cloak ${name}";
mount.fstab = "/etc/fstab.${name}";
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown jail";
exec.consolelog = "/var/log/jail_${name}_console.log";
}

62
ansible/roles/jail/templates/new_jail.bash.j2
View File

@@ -26,7 +26,7 @@ function by_src {
}
function by_bin {
DESTRELEASE=14.3-RELEASE
DESTRELEASE=15.0-RELEASE
DESTARCH=`uname -m`
SOURCEURL=http://ftp.freebsd.org/pub/FreeBSD/releases/$DESTARCH/$DESTRELEASE/
for component in base ports; do fetch $SOURCEURL/$component.txz -o - | tar -xf - -C "$DESTDIR" ; done
@@ -34,34 +34,34 @@ function by_bin {
}
function by_pkg {
# current https://pkg.freebsd.org/FreeBSD:15:amd64/base_latest
# 14/stable https://pkg.freebsd.org/FreeBSD:14:amd64/base_latest
# 14.1 https://pkg.freebsd.org/FreeBSD:14:amd64/base_release_1
local config
config=$(cat <<EOF
base: {
url: "https://pkg.freebsd.org/FreeBSD:14:amd64/base_release_1",
mirror_type: "none",
enabled: yes,
priority: 100
}
EOF
)
IGNORE_OSVERSION=yes pkg --rootdir "$DESTDIR" --config <(cat <<<"$config") install --repository base --yes --glob 'FreeBSD-*'
TERM=xterm BSDINSTALL_CHROOT="$DESTDIR" bsdinstall pkgbase --jail
# local config
# config=$(cat <<EOF
# FreeBSD-base: {
# url: "https://pkg.FreeBSD.org/FreeBSD:15:amd64/base_release_0",
# mirror_type: "none",
# enabled: yes,
# priority: 100
# }
# EOF
# )
# IGNORE_OSVERSION=yes pkg --rootdir "$DESTDIR" --config <(cat <<<"$config") update --repository FreeBSD-base
# IGNORE_OSVERSION=yes pkg --rootdir "$DESTDIR" --config <(cat <<<"$config") install --repository FreeBSD-base --yes --glob 'FreeBSD-*'
switch_to_latest_packages
local in_jail_config
in_jail_config=$(cat <<EOF
base: {
url: "pkg+https://pkg.freebsd.org/\${ABI}/base_release_1",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/share/keys/pkg",
enabled: yes,
priority: 100
}
EOF
)
cat > "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$in_jail_config"
# local in_jail_config
# in_jail_config=$(cat <<EOF
# FreeBSD-base: {
# url: "pkg+https://pkg.FreeBSD.org/\${ABI}/base_release_\${VERSION_MINOR}",
# mirror_type: "srv",
# signature_type: "fingerprints",
# fingerprints: "/usr/share/keys/pkgbase-\${VERSION_MAJOR}",
# enabled: yes,
# priority: 100
# }
# EOF
# )
# cat > "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$in_jail_config"
# Post-install remove extra packages
# pkg remove --glob 'FreeBSD-*-lib32*' 'FreeBSD-*-dbg*' FreeBSD-src
}
@@ -69,13 +69,13 @@ EOF
function switch_to_latest_packages {
local latest_pkg
latest_pkg=$(cat <<EOF
FreeBSD: {
url: "pkg+http://pkg.FreeBSD.org/\${ABI}/latest"
FreeBSD-ports: {
url: "pkg+https://pkg.FreeBSD.org/\${ABI}/latest"
}
EOF
)
mkdir -p "$DESTDIR/usr/local/etc/pkg/repos"
cat > "$DESTDIR/usr/local/etc/pkg/repos/FreeBSD.conf" <<<"$latest_pkg"
cat > "$DESTDIR/usr/local/etc/pkg/repos/FreeBSD-ports.conf" <<<"$latest_pkg"
}
if [ "$1" = "src" ]; then

15
ansible/roles/jail_momlaptop/files/headers.include
View File

@@ -1,15 +0,0 @@
# Enable HTTP Strict Transport Security (HSTS) to force clients to
# always connect via HTTPS (do not use if only testing)
add_header Strict-Transport-Security "max-age=31536000;" always;
# Enable cross-site filter (XSS) and tell browser to block detected
# attacks
add_header X-XSS-Protection "1; mode=block" always;
# Prevent some browsers from MIME-sniffing a response away from the
# declared Content-Type
add_header X-Content-Type-Options "nosniff" always;
# Disallow the site to be rendered within a frame (clickjacking
# protection)
add_header X-Frame-Options "DENY" always;
# Indicate that we are serving http3 on port 443
add_header Alt-Svc 'h3=":8033"; ma=864000';

BIN
ansible/roles/jail_momlaptop/files/htpasswd
View File

Binary file not shown.

2
ansible/roles/jail_momlaptop/files/newsyslog.conf
View File

@@ -1,2 +0,0 @@
# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
/var/log/nginx/*.log 640 5 1000 @T00 GYC /var/run/nginx.pid SIGUSR1

48
ansible/roles/jail_momlaptop/files/nginx.conf
View File

@@ -1,48 +0,0 @@
worker_processes auto;
user www www;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
types {
text/plain log;
}
sendfile on;
tcp_nopush on;
tcp_nodelay on;
gzip on;
include conf.d/headers.include;
server {
listen 443 quic reuseport;
listen [::]:443 quic reuseport;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name momlaptop.fizz.buzz;
include conf.d/tls_settings.include;
# RSA
ssl_certificate /momlaptop.fizz.buzz/tls.crt;
ssl_certificate_key /momlaptop.fizz.buzz/tls.key;
# Nginx by default only allows file uploads up to 50M in size
client_max_body_size 50M;
location / {
auth_basic "Stuff";
auth_basic_user_file conf.d/htpasswd;
alias /srv/http/;
autoindex on;
}
}
}

1
ansible/roles/jail_momlaptop/files/nginx_rc.conf
View File

@@ -1 +0,0 @@
nginx_enable="YES"

9
ansible/roles/jail_momlaptop/files/proxy.include
View File

@@ -1,9 +0,0 @@
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
# Settings for keepalive module for upstreams
proxy_http_version 1.1;
proxy_set_header Connection "";
# Requests sent with early data are subject to replay attacks so the application needs to protect against that by using the Early-Data header.
# proxy_set_header Early-Data $ssl_early_data;

3
ansible/roles/jail_momlaptop/files/tls_settings.include
View File

@@ -1,3 +0,0 @@
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;

2
ansible/roles/jail_momlaptop/meta/main.yaml
View File

@@ -1,2 +0,0 @@
dependencies:
- syslog

55
ansible/roles/jail_momlaptop/tasks/common.yaml
View File

@@ -1,55 +0,0 @@
# - name: Create directories
# file:
# name: "{{ item }}"
# state: directory
# mode: 0755
# owner: root
# group: wheel
# loop:
# - /foo/bar
# - name: Install scripts
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ item.dest }}"
# mode: 0755
# owner: root
# group: wheel
# loop:
# - src: foo.bash
# dest: /usr/local/bin/foo
# - name: Install Configuration
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ item.dest }}"
# mode: 0600
# owner: root
# group: wheel
# loop:
# - src: foo.conf
# dest: /usr/local/etc/foo.conf
# - name: Clone Source
# git:
# repo: "https://foo.bar/baz.git"
# dest: /foo/bar
# version: "v1.0.2"
# force: true
# diff: false
- import_tasks: tasks/freebsd.yaml
when: 'os_flavor == "freebsd"'
- import_tasks: tasks/linux.yaml
when: 'os_flavor == "linux"'
# - include_tasks:
# file: tasks/peruser.yaml
# apply:
# become: yes
# become_user: "{{ initialize_user }}"
# when: users is defined
# loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
# loop_control:
# loop_var: initialize_user

81
ansible/roles/jail_momlaptop/tasks/freebsd.yaml
View File

@@ -1,81 +0,0 @@
- name: Create www group
group:
name: www
- name: Create www user
user:
name: www
home: /srv/http
createhome: false
group: www
- name: Create directories
file:
name: "{{ item }}"
state: directory
mode: 0755
owner: root
group: wheel
loop:
- /momlaptop.fizz.buzz
- /etc/rc.conf.d
- /usr/local/etc/nginx/conf.d
- name: Create directories
file:
name: "{{ item }}"
state: directory
mode: 0755
owner: www
group: www
loop:
- /srv/http
- name: Install packages
package:
name:
- nginx
state: present
# validate fails because nginx config relies on a local mime.types
- name: Install Configuration
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
owner: root
group: wheel
loop:
- src: nginx.conf
dest: /usr/local/etc/nginx/nginx.conf
- src: headers.include
dest: /usr/local/etc/nginx/conf.d/headers.include
- src: proxy.include
dest: /usr/local/etc/nginx/conf.d/proxy.include
- src: tls_settings.include
dest: /usr/local/etc/nginx/conf.d/tls_settings.include
# Generate htpasswd with `htpasswd -c files/htpasswd user1`
# or `printf "USER:$(openssl passwd)\n" >> files/htpasswd`
- src: htpasswd
dest: /usr/local/etc/nginx/conf.d/htpasswd
- name: Install newsyslog configuration
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0600
owner: root
group: wheel
loop:
- src: newsyslog.conf
dest: /usr/local/etc/newsyslog.conf.d/nginx.conf
- name: Install service configuration
copy:
src: "files/{{ item }}_rc.conf"
dest: "/etc/rc.conf.d/{{ item }}"
mode: 0644
owner: root
group: wheel
loop:
- nginx

29
ansible/roles/jail_momlaptop/tasks/linux.yaml
View File

@@ -1,29 +0,0 @@
# - name: Build aur packages
# register: buildaur
# become_user: "{{ build_user.name }}"
# command: "aurutils-sync --no-view {{ item }}"
# args:
# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
# loop:
# - foo
# - name: Update cache
# when: buildaur.changed
# pacman:
# name: []
# state: present
# update_cache: true
# - name: Install packages
# package:
# name:
# - foo
# state: present
# - name: Enable services
# systemd:
# enabled: yes
# name: "{{ item }}"
# daemon_reload: yes
# loop:
# - foo.service

2
ansible/roles/jail_momlaptop/tasks/main.yaml
View File

@@ -1,2 +0,0 @@
- import_tasks: tasks/common.yaml
# when: foo is defined

29
ansible/roles/jail_momlaptop/tasks/peruser.yaml
View File

@@ -1,29 +0,0 @@
- include_role:
name: per_user
# - name: Create directories
# file:
# name: "{{ account_homedir.stdout }}/{{ item }}"
# state: directory
# mode: 0700
# owner: "{{ account_name.stdout }}"
# group: "{{ group_name.stdout }}"
# loop:
# - ".config/foo"
# - name: Copy files
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
# mode: 0600
# owner: "{{ account_name.stdout }}"
# group: "{{ group_name.stdout }}"
# loop:
# - src: foo.conf
# dest: .config/foo/foo.conf
- import_tasks: tasks/peruser_freebsd.yaml
when: 'os_flavor == "freebsd"'
- import_tasks: tasks/peruser_linux.yaml
when: 'os_flavor == "linux"'

0
ansible/roles/jail_momlaptop/tasks/peruser_freebsd.yaml
View File

0
ansible/roles/jail_momlaptop/tasks/peruser_linux.yaml
View File

5
ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf
View File

@@ -90,11 +90,6 @@
"hw-address": "06:ca:1a:10:74:09",
"ip-address": "10.215.1.217"
},
{
// momlaptop - hard-coded in rc.conf, reproduced here to reserve ip
"hw-address": "06:85:69:c5:6a:d6",
"ip-address": "10.215.1.218"
},
{
// hydra
"hw-address": "06:84:36:68:03:77",

7
ansible/roles/linfi/defaults/main.yaml
View File

@@ -1,7 +0,0 @@
# linfi:
# enabled: true
# zfs_dataset: zroot/freebsd/current/vm/linfi
# zfs_mountpoint: /vm/linfi
# driver_blocklist: "if_iwm if_iwlwifi"
# pci_blocklist: "1/0/0"
# amd: true

239
ansible/roles/linfi/files/launch_linfi.bash
View File

@@ -1,239 +0,0 @@
#!/usr/local/bin/bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# Share a host directory to the guest via 9pfs.
#
# Inside the VM run:
# mount -t virtfs -o trans=virtio sharename /some/vm/path
# mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
# mount -t 9p -o trans=virtio,cache=mmap,msize=512000 sharename /path/to/mountpoint
# bhyve_options="-s 28,virtio-9p,sharename=/"
# Enable Sound
# bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
# Example usage:
#
# doas bhyve_netgraph_bridge create-disk zdata/vm/poudriere /vm/poudriere 10
# doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso
# doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere
: ${VERBOSE:="NO"} # or YES
: ${CPU_CORES:="1"}
: ${MEMORY:="1G"}
: ${NETWORK:="NAT"} # or RAW or BOTH
: ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks
: ${INTERFACE_NAME:="linfi_host"} # or the external interface like lagg0 for RAW networks
: ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
: ${VNC_ENABLE:="NO"}
: ${VNC_LISTEN:="127.0.0.1:5900"}
: ${VNC_WIDTH:="1920"}
: ${VNC_HEIGHT:="1080"}
: ${PASSTHROUGH:="1/0/0"}
if [ "$VERBOSE" = "YES" ]; then
set -x
fi
############## Setup #########################
function cleanup {
for vm in "${vms[@]}"; do
log "Destroying bhyve vm $vm"
bhyvectl "--vm=$vm" --destroy
log "Destroyed bhyve vm $vm"
done
}
vms=()
for sig in EXIT; do
trap "set +e; sleep 10; cleanup" "$sig"
done
function die {
local status_code="$1"
shift
(>&2 echo "${@}")
exit "$status_code"
}
function log {
(>&2 echo "${@}")
}
############## Program #########################
function main {
local cmd="$1"
shift 1
if [ "$cmd" = "create-disk" ]; then
create_disk "${@}"
elif [ "$cmd" = "start" ]; then
start_vm "${@}"
else
die 1 "Unrecognized command $cmd"
fi
}
function create_disk {
local zfs_path="$1"
local mount_path="$2"
local gigabytes="$3"
zfs create -o "mountpoint=$mount_path" "$zfs_path"
cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/"
tee "${mount_path}/settings" <<EOF
CPU_CORES="$CPU_CORES"
MEMORY="$MEMORY"
NETWORK="$NETWORK"
IP_RANGE="$IP_RANGE"
BRIDGE_NAME="$BRIDGE_NAME"
INTERFACE_NAME="$INTERFACE_NAME"
EOF
zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none -o volblocksize=64K "$zfs_path/disk0"
}
function start_vm {
local name="$1"
local zfs_path="$2"
local mount_path="$3"
local mount_cd="${4:-}"
if [ -e "${mount_path}/settings" ]; then
source "${mount_path}/settings"
fi
local additional_args=()
local host_interface_name="linfi_host"
local bridge_name="linfi_bridge"
assert_bridge "$host_interface_name" "$bridge_name"
local mac_address
mac_address=$(calculate_mac_address "$name")
local bridge_link_name
bridge_link_name=$(detect_available_link "${bridge_name}")
additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
# -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
# -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
# -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
# -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080 \
# TODO: Look into using nmdm instead of stdio for serial console
if [ -n "$mount_cd" ]; then
additional_args+=("-s" "5,ahci-cd,$mount_cd")
fi
if [ "$VNC_ENABLE" = "YES" ]; then
additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
fi
vms+=("$name")
while true; do
set -x
set +e
bhyve \
-D \
-c sockets=1,cores=1,threads=1 \
-m "$MEMORY" \
-H \
-w \
-o 'rtc.use_localtime=false' \
-s 0,hostbridge \
-s "4,nvme,/dev/zvol/${zfs_path}/disk0" \
-S \
-s "7,passthru,${PASSTHROUGH}" \
-s 30,xhci,tablet \
-s 31,lpc -l com1,stdio \
-l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd" \
-U '08421734-875e-11ef-a0f3-f426796942c7' \
"${additional_args[@]}" \
"$name"
local exit_code=$?
set -e
set +x
if [ $exit_code -eq 0 ]; then
echo "Rebooting."
sleep 5
elif [ $exit_code -eq 1 ]; then
echo "Powered off."
break
elif [ $exit_code -eq 2 ]; then
echo "Halted."
break
elif [ $exit_code -eq 3 ]; then
echo "Triple fault."
break
elif [ $exit_code -eq 4 ]; then
echo "Exited due to an error."
break
fi
done
}
function detect_available_link {
local bridge_name="$1"
local linknum=1
while true; do
local link_name="link${linknum}"
if ! ng_exists "${bridge_name}:${link_name}"; then
echo "$link_name"
return
fi
linknum=$((linknum + 1))
if [ "$linknum" -gt 90 ]; then
(>&2 echo "No available links on bridge $bridge_name")
exit 1
fi
done
}
function assert_bridge {
local host_interface_name="$1"
local bridge_name="$2"
if ! ng_exists "${bridge_name}:"; then
ngctl -d -f - <<EOF
mkpeer . eiface hook ether
name .:hook $host_interface_name
EOF
ngctl -d -f - <<EOF
mkpeer ${host_interface_name}: bridge ether link0
name ${host_interface_name}:ether $bridge_name
EOF
ifconfig $(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${host_interface_name}" 192.168.253.2/24 up
route add default 192.168.253.1
fi
}
function ng_exists {
ngctl status "${1}" >/dev/null 2>&1
}
function calculate_mac_address {
local name="$1"
local source
source=$(md5 -r -s "$name" | awk '{print $1}')
echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
}
function find_available_port {
local start_port="$1"
local port="$start_port"
while true; do
sockstat -P tcp -p 443
port=$((port + 1))
done
}
function ngctlcat {
if [ "$VERBOSE" = "YES" ]; then
tee /dev/tty | ngctl -d -f -
else
ngctl -d -f -
fi
}
main "${@}"

1
ansible/roles/linfi/files/linfi_rc.conf
View File

@@ -1 +0,0 @@
linfi_enable="YES"

3
ansible/roles/linfi/meta/main.yaml
View File

@@ -1,3 +0,0 @@
dependencies:
- role: bhyve
when: 'os_flavor == "freebsd"'

55
ansible/roles/linfi/tasks/common.yaml
View File

@@ -1,55 +0,0 @@
# - name: Create directories
# file:
# name: "{{ item }}"
# state: directory
# mode: 0755
# owner: root
# group: wheel
# loop:
# - /foo/bar
# - name: Install scripts
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ item.dest }}"
# mode: 0755
# owner: root
# group: wheel
# loop:
# - src: foo.bash
# dest: /usr/local/bin/foo
# - name: Install Configuration
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ item.dest }}"
# mode: 0600
# owner: root
# group: wheel
# loop:
# - src: foo.conf
# dest: /usr/local/etc/foo.conf
# - name: Clone Source
# git:
# repo: "https://foo.bar/baz.git"
# dest: /foo/bar
# version: "v1.0.2"
# force: true
# diff: false
- import_tasks: tasks/freebsd.yaml
when: 'os_flavor == "freebsd"'
- import_tasks: tasks/linux.yaml
when: 'os_flavor == "linux"'
- include_tasks:
file: tasks/peruser.yaml
apply:
become: yes
become_user: "{{ initialize_user }}"
when: users is defined
loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
loop_control:
loop_var: initialize_user

50
ansible/roles/linfi/tasks/freebsd.yaml
View File

@@ -1,50 +0,0 @@
- name: Install loader.conf
template:
src: "templates/{{ item }}_loader.conf.j2"
dest: "/boot/loader.conf.d/{{ item }}.conf"
mode: 0644
owner: root
group: wheel
loop:
- linfi
- name: Install scripts
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0755
owner: root
group: wheel
loop:
- src: launch_linfi.bash
dest: /usr/local/bin/launch_linfi
- name: Install rc script
template:
src: "templates/{{ item.src }}.j2"
dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
owner: root
group: wheel
mode: 0755
loop:
- src: linfi
- name: Install service configuration
copy:
src: "files/{{ item }}_rc.conf"
dest: "/etc/rc.conf.d/{{ item }}"
mode: 0644
owner: root
group: wheel
loop:
- linfi
- name: Install service configuration
template:
src: "templates/{{ item }}_rc.conf.j2"
dest: "/etc/rc.conf.d/{{ item }}"
mode: 0644
owner: root
group: wheel
loop:
- devmatch

29
ansible/roles/linfi/tasks/linux.yaml
View File

@@ -1,29 +0,0 @@
# - name: Build aur packages
# register: buildaur
# become_user: "{{ build_user.name }}"
# command: "aurutils-sync --no-view {{ item }}"
# args:
# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
# loop:
# - foo
# - name: Update cache
# when: buildaur.changed
# pacman:
# name: []
# state: present
# update_cache: true
# - name: Install packages
# package:
# name:
# - foo
# state: present
# - name: Enable services
# systemd:
# enabled: yes
# name: "{{ item }}"
# daemon_reload: yes
# loop:
# - foo.service

2
ansible/roles/linfi/tasks/main.yaml
View File

@@ -1,2 +0,0 @@
- import_tasks: tasks/common.yaml
when: linfi is defined and linfi.enabled

29
ansible/roles/linfi/tasks/peruser.yaml
View File

@@ -1,29 +0,0 @@
- include_role:
name: per_user
# - name: Create directories
# file:
# name: "{{ account_homedir.stdout }}/{{ item }}"
# state: directory
# mode: 0700
# owner: "{{ account_name.stdout }}"
# group: "{{ group_name.stdout }}"
# loop:
# - ".config/foo"
# - name: Copy files
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
# mode: 0600
# owner: "{{ account_name.stdout }}"
# group: "{{ group_name.stdout }}"
# loop:
# - src: foo.conf
# dest: .config/foo/foo.conf
- import_tasks: tasks/peruser_freebsd.yaml
when: 'os_flavor == "freebsd"'
- import_tasks: tasks/peruser_linux.yaml
when: 'os_flavor == "linux"'

0
ansible/roles/linfi/tasks/peruser_freebsd.yaml
View File

0
ansible/roles/linfi/tasks/peruser_linux.yaml
View File

2
ansible/roles/linfi/templates/devmatch_rc.conf.j2
View File

@@ -1,2 +0,0 @@
devmatch_enable="YES"
devmatch_blocklist="{{ linfi.driver_blocklist }}"

46
ansible/roles/linfi/templates/linfi.j2
View File

@@ -1,46 +0,0 @@
#!/bin/sh
#
# PROVIDE: linfi
# REQUIRE: LOGIN
# KEYWORD: shutdown nojail
. /etc/rc.subr
name=linfi
rcvar=${name}_enable
start_cmd="${name}_start"
stop_cmd="${name}_stop"
status_cmd="${name}_status"
load_rc_config $name
tmux_name="linfi"
linfi_start() {
/usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env PASSTHROUGH='{{ linfi.pci_blocklist }}' /usr/local/bin/bash /usr/local/bin/launch_linfi start linfi {{ linfi.zfs_dataset }} {{ linfi.zfs_mountpoint }}"
# /vm/.iso/alpine-extended-3.20.3-x86_64.iso
}
linfi_status() {
if /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null; then
echo "$tmux_name is running."
else
echo "$tmux_name is not running."
return 1
fi
}
linfi_stop() {
/usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null && (
/usr/local/bin/tmux kill-session -t $tmux_name
sleep 10
bhyvectl --vm=linfi --destroy
# kill `cat /var/run/linfi.pid`
)
linfi_wait_for_end
}
linfi_wait_for_end() {
while /usr/local/bin/tmux has-session -t $tmux_name 2>dev/null; do
sleep 1
done
}
run_rc_command "$1"

5
ansible/roles/linfi/templates/linfi_loader.conf.j2
View File

@@ -1,5 +0,0 @@
vmm_load="YES"
pptdevs="{{ linfi.pci_blocklist }}"
{% if linfi.amd %}
hw.vmm.amdvi.enable="1"
{% endif %}

8
ansible/roles/network/files/homeserver_network.conf
View File

@@ -1,4 +1,4 @@
# wlans_ath0="wlan0"
# ifconfig_wlan0="WPA DHCP"
# ifconfig_wlan0_ipv6="inet6 accept_rtadv"
# ipv6_cpe_wanif="wlan0"
wlans_iwlwifi0="wlan0"
ifconfig_wlan0="WPA DHCP"
ifconfig_wlan0_ipv6="inet6 accept_rtadv"
ipv6_cpe_wanif="wlan0"

54
ansible/roles/package_manager/tasks/freebsd.yaml
View File

@@ -26,60 +26,6 @@
- src: pkg.conf
dest: /usr/local/etc/pkg.conf
- name: Install Configuration
when: custom_repo is not defined
register: changed_config
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
owner: root
group: wheel
loop:
- src: FreeBSD-ports.conf
dest: /usr/local/etc/pkg/repos/FreeBSD-ports.conf
- name: Install Configuration
when: custom_repo is defined
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
owner: root
group: wheel
loop:
- src: disable_freebsd_upstream.conf
dest: /usr/local/etc/pkg/repos/FreeBSD.conf
- src: poudriere.pub
dest: /usr/local/etc/pkg/poudriere.pub
- name: Install Configuration
when: custom_repo is defined
register: changed_config
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: wheel
mode: 0644
loop:
- { src: custom.conf.j2, dest: /usr/local/etc/pkg/repos/custom.conf }
- name: Install Configuration
when: pkgbase_url is defined
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: wheel
mode: 0644
loop:
- { src: pkgbase.conf.j2, dest: /usr/local/etc/pkg/repos/pkgbase.conf }
# - name: Replace all packages with packages from new repo
# command: pkg upgrade -f -y
# when: changed_config.changed
- name: Install scripts
copy:
src: "files/{{ item.src }}"

1
ansible/roles/public_dns/files/master.db
View File

@@ -75,4 +75,3 @@ home IN A 68.197.252.22
opstunnel IN CNAME home.fizz.buzz.
stream IN CNAME home.fizz.buzz.
stuff IN CNAME home.fizz.buzz.
momlaptop IN CNAME home.fizz.buzz.

12
ansible/roles/sshd/files/sshd_config
View File

@@ -1,4 +1,4 @@
# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
# $OpenBSD: sshd_config,v 1.105 2024/12/03 14:12:47 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@@ -56,12 +56,15 @@ AuthorizedKeysFile .ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# Change to yes to enable built-in password authentication.
# Change to "yes" to enable built-in password authentication.
# Note that passwords may also be accepted via KbdInteractiveAuthentication.
#PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable PAM authentication
# Change to "no" to disable keyboard-interactive authentication. Depending on
# the system's configuration, this may involve passwords, challenge-response,
# one-time passwords or some combination of these and other methods.
# Keyboard interactive authentication is also used for PAM authentication.
#KbdInteractiveAuthentication yes
KbdInteractiveAuthentication no
@@ -105,7 +108,8 @@ KbdInteractiveAuthentication no
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#UseBlacklist no
#UseBlocklist no
#VersionAddendum FreeBSD-20250801
# no default banner path
#Banner none

2
ansible/run.bash
View File

@@ -34,8 +34,6 @@ elif [ "$target" = "certificate" ]; then
ansible-playbook -v -i environments/jail playbook.yaml --diff --limit certificate "${@}"
elif [ "$target" = "bastion" ]; then
ansible-playbook -v -i environments/jail playbook.yaml --diff --limit bastion "${@}"
elif [ "$target" = "momlaptop" ]; then
ansible-playbook -v -i environments/jail playbook.yaml --diff --limit momlaptop "${@}"
elif [ "$target" = "vm_poudriereodo" ]; then
ansible-playbook -v -i environments/vm playbook.yaml --diff --limit poudriereodo "${@}"
elif [ "$target" = "vm_poudrieremrmanager" ]; then