diff --git a/ansible/environments/home/host_vars/homeserver b/ansible/environments/home/host_vars/homeserver index 74d6b8f..1e8a27a 100644 --- a/ansible/environments/home/host_vars/homeserver +++ b/ansible/environments/home/host_vars/homeserver @@ -67,6 +67,9 @@ jail_list: - name: certificate conf: src: certificate + - name: momlaptop + conf: + src: momlaptop # - name: mumble # conf: # src: mumble diff --git a/ansible/environments/jail/host_vars/momlaptop b/ansible/environments/jail/host_vars/momlaptop new file mode 100644 index 0000000..466c910 --- /dev/null +++ b/ansible/environments/jail/host_vars/momlaptop @@ -0,0 +1 @@ +os_flavor: freebsd diff --git a/ansible/environments/jail/hosts b/ansible/environments/jail/hosts index 0e22aa2..6f9c45f 100644 --- a/ansible/environments/jail/hosts +++ b/ansible/environments/jail/hosts @@ -8,3 +8,4 @@ public_dns ansible_ssh_host=public_dns@10.217.2.1 ansible_connection=sshjail sftp ansible_ssh_host=sftp@homeserver ansible_connection=sshjail bastion ansible_ssh_host=bastion@homeserver ansible_connection=sshjail certificate ansible_ssh_host=certificate@homeserver ansible_connection=sshjail +momlaptop ansible_ssh_host=momlaptop@homeserver ansible_connection=sshjail diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml index 528189b..f8ec746 100644 --- a/ansible/playbook.yaml +++ b/ansible/playbook.yaml @@ -157,3 +157,9 @@ ansible_become: True roles: - jail_certificate + +- hosts: momlaptop + vars: + ansible_become: True + roles: + - jail_momlaptop diff --git a/ansible/roles/base/tasks/freebsd.yaml b/ansible/roles/base/tasks/freebsd.yaml index a6f7379..9f68150 100644 --- a/ansible/roles/base/tasks/freebsd.yaml +++ b/ansible/roles/base/tasks/freebsd.yaml @@ -13,6 +13,7 @@ - gsed - gmake - rust-coreutils + - shuf state: present - name: Install service configuration diff --git a/ansible/roles/firewall/files/homeserver_pf.conf b/ansible/roles/firewall/files/homeserver_pf.conf index 7ebcfb5..2e1dddf 100644 
--- a/ansible/roles/firewall/files/homeserver_pf.conf +++ b/ansible/roles/firewall/files/homeserver_pf.conf @@ -51,6 +51,10 @@ nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.216 port 22 -> 10.215 # rdr pass on $ext_if inet proto {tcp, udp} from any to any port 65022 -> 10.213.177.8 port 22 rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202 +# -> momlaptop +rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8033 -> 10.215.1.218 port 443 +nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.218 port 443 -> 10.215.1.1 + # filtering # match in on jail_nat from any to any dnpipe(1, 2) # match in on restricted_nat from any to any dnpipe(1, 2) diff --git a/ansible/roles/framework_laptop/files/disable_wifi_powersave_loader.conf b/ansible/roles/framework_laptop/files/disable_wifi_powersave_loader.conf new file mode 100644 index 0000000..df2b829 --- /dev/null +++ b/ansible/roles/framework_laptop/files/disable_wifi_powersave_loader.conf @@ -0,0 +1,3 @@ + # Disable power save for wifi card because power save caused video stuttering in google meet on Linux. Both of these are currently the default on FreeBSD but I'm saving it just in case that default changes. +compat.linuxkpi.iwlwifi_power_save="0" +compat.linuxkpi.iwlwifi_mvm_power_scheme="1" diff --git a/ansible/roles/framework_laptop/tasks/freebsd.yaml b/ansible/roles/framework_laptop/tasks/freebsd.yaml index b417174..fb5f5f5 100644 --- a/ansible/roles/framework_laptop/tasks/freebsd.yaml +++ b/ansible/roles/framework_laptop/tasks/freebsd.yaml @@ -1,5 +1,9 @@ -# - name: Install packages -# package: -# name: -# - foo -# state: present +- name: Install loader.conf + copy: + src: "files/{{ item }}_loader.conf" + dest: "/boot/loader.conf.d/{{ item }}.conf" + mode: 0644 + owner: root + group: wheel + loop: + - disable_wifi_powersave 
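Review bot: The added `nat pass on jail_nat ... to 10.215.1.218 port 443 -> 10.215.1.1` rewrites every forwarded client's source address to the bridge address, so nginx inside the momlaptop jail will record `10.215.1.1` for all external requests and failed `auth_basic` attempts cannot be attributed to, or rate-limited by, client address. This mirrors the existing bastion rule for port 22 and is presumably there so replies return through the host, so it may be deliberate. If source visibility matters for this web service, either drop the source NAT in favour of a `pass in on jail_nat` rule for the rdr'd traffic, or at least log the translation with `rdr pass log on $ext_if ...` so the host's pflog keeps the real peer.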
diff --git a/ansible/roles/jail/files/jails/momlaptop.conf b/ansible/roles/jail/files/jails/momlaptop.conf new file mode 100644 index 0000000..d9e551a --- /dev/null +++ b/ansible/roles/jail/files/jails/momlaptop.conf @@ -0,0 +1,15 @@ +momlaptop { + path = "/jail/${name}"; + vnet; + exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24"; + exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}"; + vnet.interface += "jail${name}"; + + devfs_ruleset = 14; + mount.devfs; + mount.fstab = "/etc/fstab.${name}"; + + exec.start += "/bin/sh /etc/rc"; + exec.stop = "/bin/sh /etc/rc.shutdown jail"; + exec.consolelog = "/var/log/jail_${name}_console.log"; +} diff --git a/ansible/roles/jail_momlaptop/files/headers.include b/ansible/roles/jail_momlaptop/files/headers.include new file mode 100644 index 0000000..47901d2 --- /dev/null +++ b/ansible/roles/jail_momlaptop/files/headers.include @@ -0,0 +1,15 @@ +# Enable HTTP Strict Transport Security (HSTS) to force clients to +# always connect via HTTPS (do not use if only testing) +add_header Strict-Transport-Security "max-age=31536000;" always; +# Enable cross-site filter (XSS) and tell browser to block detected +# attacks +add_header X-XSS-Protection "1; mode=block" always; +# Prevent some browsers from MIME-sniffing a response away from the +# declared Content-Type +add_header X-Content-Type-Options "nosniff" always; +# Disallow the site to be rendered within a frame (clickjacking +# protection) +add_header X-Frame-Options "DENY" always; + +# Indicate that we are serving http3 on port 443 +add_header Alt-Svc 'h3=":8033"; ma=864000'; diff --git a/ansible/roles/jail_momlaptop/files/htpasswd b/ansible/roles/jail_momlaptop/files/htpasswd new file mode 100644 index 0000000..bd2c49e Binary files /dev/null and b/ansible/roles/jail_momlaptop/files/htpasswd differ 
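Review bot: `mount.fstab = "/etc/fstab.${name}"` and the `/momlaptop.fizz.buzz` certificate directory that nginx.conf reads `tls.crt`/`tls.key` from both depend on an `/etc/fstab.momlaptop` that is not part of this commit; presumably it is produced elsewhere (the certificate jail's role?), but if it is missing the jail will not start or nginx will fail on the key. A comment on the `mount.fstab` line naming where that fstab is generated would make the dependency visible, e.g. `# fstab is written by [ROLE NAME HERE]; it must mount the cert dir at /momlaptop.fizz.buzz`.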
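Review bot: The comment `# Indicate that we are serving http3 on port 443` contradicts the header beneath it, which advertises `h3=":8033"`; 8033 is the external port that the pf rdr rule in this commit maps to this jail's 443, and the comment should say so: `# Advertise HTTP/3 on the externally forwarded port (pf rdr 8033 -> this jail's 443)`. Separately, `X-XSS-Protection "1; mode=block"` is ignored by current browsers and OWASP now recommends `0` or omitting it, so a `Content-Security-Policy` suited to a static directory listing would be the useful replacement. These `add_header` directives are inherited by the `server` block only because it declares no `add_header` of its own, which deserves a one-line comment at the top of the file since adding one header in `server` later would silently drop all of these.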
diff --git a/ansible/roles/jail_momlaptop/files/newsyslog.conf b/ansible/roles/jail_momlaptop/files/newsyslog.conf new file mode 100644 index 0000000..78a612b --- /dev/null +++ b/ansible/roles/jail_momlaptop/files/newsyslog.conf @@ -0,0 +1,2 @@ +# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num] +/var/log/nginx/*.log 640 5 1000 @T00 GYC /var/run/nginx.pid SIGUSR1 diff --git a/ansible/roles/jail_momlaptop/files/nginx.conf b/ansible/roles/jail_momlaptop/files/nginx.conf new file mode 100644 index 0000000..d5f226e --- /dev/null +++ b/ansible/roles/jail_momlaptop/files/nginx.conf @@ -0,0 +1,48 @@ +worker_processes auto; +user www www; + +events { + worker_connections 1024; +} + +http { + include mime.types; + default_type application/octet-stream; + + types { + text/plain log; + } + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + gzip on; + + include conf.d/headers.include; + + server { + listen 443 quic reuseport; + listen [::]:443 quic reuseport; + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + + server_name momlaptop.fizz.buzz; + + include conf.d/tls_settings.include; + # RSA + ssl_certificate /momlaptop.fizz.buzz/tls.crt; + ssl_certificate_key /momlaptop.fizz.buzz/tls.key; + + # Nginx by default only allows file uploads up to 50M in size + client_max_body_size 50M; + + location / { + auth_basic "Stuff"; + auth_basic_user_file conf.d/htpasswd; + + alias /srv/http/; + autoindex on; + } + } +} diff --git a/ansible/roles/jail_momlaptop/files/nginx_rc.conf b/ansible/roles/jail_momlaptop/files/nginx_rc.conf new file mode 100644 index 0000000..c104d8b --- /dev/null +++ b/ansible/roles/jail_momlaptop/files/nginx_rc.conf @@ -0,0 +1 @@ +nginx_enable="YES" diff --git a/ansible/roles/jail_momlaptop/files/proxy.include b/ansible/roles/jail_momlaptop/files/proxy.include new file mode 100644 index 0000000..3e54c14 --- /dev/null +++ b/ansible/roles/jail_momlaptop/files/proxy.include 
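Review bot: The comment `# Nginx by default only allows file uploads up to 50M in size` is wrong — nginx's default `client_max_body_size` is 1m — and the only location is a read-only `alias` with `autoindex`, so the directive has no effect here; either drop it or reword it to `# Raise the 1m default request-body limit (unused until an upload endpoint exists)`. `conf.d/proxy.include` is installed by the role but never included in this file, so it is dead configuration for now. With `auth_basic` as the sole access control and no `limit_req_zone`, password guessing is bounded only by TLS handshake cost; a zone keyed on `$binary_remote_addr` would help, but only if the pf source NAT added in this commit is changed to preserve client addresses.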
@@ -0,0 +1,9 @@
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+# Settings for keepalive module for upstreams
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+# Requests sent with early data are subject to replay attacks so the application needs to protect against that by using the Early-Data header.
+# proxy_set_header Early-Data $ssl_early_data;
diff --git a/ansible/roles/jail_momlaptop/files/tls_settings.include b/ansible/roles/jail_momlaptop/files/tls_settings.include
new file mode 100644
index 0000000..e26fde8
--- /dev/null
+++ b/ansible/roles/jail_momlaptop/files/tls_settings.include
@@ -0,0 +1,3 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;
diff --git a/ansible/roles/jail_momlaptop/meta/main.yaml b/ansible/roles/jail_momlaptop/meta/main.yaml
new file mode 100644
index 0000000..ecea872
--- /dev/null
+++ b/ansible/roles/jail_momlaptop/meta/main.yaml
@@ -0,0 +1,2 @@
+dependencies:
+ - syslog
diff --git a/ansible/roles/jail_momlaptop/tasks/common.yaml b/ansible/roles/jail_momlaptop/tasks/common.yaml
new file mode 100644
index 0000000..f146487
--- /dev/null
+++ b/ansible/roles/jail_momlaptop/tasks/common.yaml
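Review bot: The `ssl_ciphers` list ends with four CBC/HMAC suites (`ECDHE-*-AES256-SHA384`, `ECDHE-*-AES128-SHA256`) that are non-AEAD and no longer in the Mozilla intermediate profile; since the site also serves HTTP/3 (TLS 1.3 only), keeping only the AEAD suites for TLS 1.2 is safe: `ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';`. With an AEAD-only list, `ssl_prefer_server_ciphers on` can become `off` so clients pick the suite their hardware accelerates. Note that `ssl_ciphers` governs TLS 1.2 only; the TLS 1.3 suites are fixed by the TLS library, which a short comment above the directive should say.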
@@ -0,0 +1,55 @@ +# - name: Create directories +# file: +# name: "{{ item }}" +# state: directory +# mode: 0755 +# owner: root +# group: wheel +# loop: +# - /foo/bar + +# - name: Install scripts +# copy: +# src: "files/{{ item.src }}" +# dest: "{{ item.dest }}" +# mode: 0755 +# owner: root +# group: wheel +# loop: +# - src: foo.bash +# dest: /usr/local/bin/foo + +# - name: Install Configuration +# copy: +# src: "files/{{ item.src }}" +# dest: "{{ item.dest }}" +# mode: 0600 +# owner: root +# group: wheel +# loop: +# - src: foo.conf +# dest: /usr/local/etc/foo.conf + +# - name: Clone Source +# git: +# repo: "https://foo.bar/baz.git" +# dest: /foo/bar +# version: "v1.0.2" +# force: true +# diff: false + +- import_tasks: tasks/freebsd.yaml + when: 'os_flavor == "freebsd"' + +- import_tasks: tasks/linux.yaml + when: 'os_flavor == "linux"' + +# - include_tasks: +# file: tasks/peruser.yaml +# apply: +# become: yes +# become_user: "{{ initialize_user }}" +# when: users is defined +# loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}" +# loop_control: +# loop_var: initialize_user diff --git a/ansible/roles/jail_momlaptop/tasks/freebsd.yaml b/ansible/roles/jail_momlaptop/tasks/freebsd.yaml new file mode 100644 index 0000000..a80bae2 --- /dev/null +++ b/ansible/roles/jail_momlaptop/tasks/freebsd.yaml 
@@ -0,0 +1,81 @@ +- name: Create www group + group: + name: www + +- name: Create www user + user: + name: www + home: /srv/http + createhome: false + group: www + +- name: Create directories + file: + name: "{{ item }}" + state: directory + mode: 0755 + owner: root + group: wheel + loop: + - /momlaptop.fizz.buzz + - /etc/rc.conf.d + - /usr/local/etc/nginx/conf.d + +- name: Create directories + file: + name: "{{ item }}" + state: directory + mode: 0755 + owner: www + group: www + loop: + - /srv/http + +- name: Install packages + package: + name: + - nginx + state: present + +# validate fails because nginx config relies on a local mime.types +- name: Install Configuration + copy: + src: "files/{{ item.src }}" + dest: "{{ item.dest }}" + mode: 0644 + owner: root + group: wheel + loop: + - src: nginx.conf + dest: /usr/local/etc/nginx/nginx.conf + - src: headers.include + dest: /usr/local/etc/nginx/conf.d/headers.include + - src: proxy.include + dest: /usr/local/etc/nginx/conf.d/proxy.include + - src: tls_settings.include + dest: /usr/local/etc/nginx/conf.d/tls_settings.include + # Generate htpasswd with `htpasswd -c files/htpasswd user1` + # or `printf "USER:$(openssl passwd)\n" >> files/htpasswd` + - src: htpasswd + dest: /usr/local/etc/nginx/conf.d/htpasswd + +- name: Install newsyslog configuration + copy: + src: "files/{{ item.src }}" + dest: "{{ item.dest }}" + mode: 0600 + owner: root + group: wheel + loop: + - src: newsyslog.conf + dest: /usr/local/etc/newsyslog.conf.d/nginx.conf + +- name: Install service configuration + copy: + src: "files/{{ item }}_rc.conf" + dest: "/etc/rc.conf.d/{{ item }}" + mode: 0644 + owner: root + group: wheel + loop: + - nginx diff --git a/ansible/roles/jail_momlaptop/tasks/linux.yaml b/ansible/roles/jail_momlaptop/tasks/linux.yaml new file mode 100644 index 0000000..bbbb096 --- /dev/null +++ b/ansible/roles/jail_momlaptop/tasks/linux.yaml 
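Review bot: The `Install Configuration` loop installs `htpasswd` with `mode: 0644` and `owner: root`/`group: wheel`, which leaves the password hashes world-readable inside the jail; nginx's workers run as `www` (set by `user www www` in nginx.conf), so the file only needs `0640 root:www`. Splitting the credential file out of the generic loop also makes it straightforward to source it from a vaulted variable later instead of the committed `files/htpasswd` blob, which currently puts the hashes into git history. The comment's `openssl passwd` recipe should pin an algorithm (`openssl passwd -6`) rather than rely on the tool's default. A style point: two consecutive tasks are both named `Create directories`; distinct names make `--diff` output and failures easier to read.
```yaml
# … unchanged: Install Configuration loop, with the htpasswd entry removed …

# Generate htpasswd with `htpasswd -c files/htpasswd user1`
# or `printf "USER:$(openssl passwd -6)\n" >> files/htpasswd`
- name: Install basic-auth credentials
  copy:
    src: files/htpasswd
    dest: /usr/local/etc/nginx/conf.d/htpasswd
    mode: 0640   # root writes, nginx workers (group www) read, nobody else
    owner: root
    group: www
```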
@@ -0,0 +1,29 @@ +# - name: Build aur packages +# register: buildaur +# become_user: "{{ build_user.name }}" +# command: "aurutils-sync --no-view {{ item }}" +# args: +# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*" +# loop: +# - foo + +# - name: Update cache +# when: buildaur.changed +# pacman: +# name: [] +# state: present +# update_cache: true + +# - name: Install packages +# package: +# name: +# - foo +# state: present + +# - name: Enable services +# systemd: +# enabled: yes +# name: "{{ item }}" +# daemon_reload: yes +# loop: +# - foo.service diff --git a/ansible/roles/jail_momlaptop/tasks/main.yaml b/ansible/roles/jail_momlaptop/tasks/main.yaml new file mode 100644 index 0000000..6805b9d --- /dev/null +++ b/ansible/roles/jail_momlaptop/tasks/main.yaml @@ -0,0 +1,2 @@ +- import_tasks: tasks/common.yaml + # when: foo is defined diff --git a/ansible/roles/jail_momlaptop/tasks/peruser.yaml b/ansible/roles/jail_momlaptop/tasks/peruser.yaml new file mode 100644 index 0000000..111e886 --- /dev/null +++ b/ansible/roles/jail_momlaptop/tasks/peruser.yaml @@ -0,0 +1,29 @@ +- include_role: + name: per_user + +# - name: Create directories +# file: +# name: "{{ account_homedir.stdout }}/{{ item }}" +# state: directory +# mode: 0700 +# owner: "{{ account_name.stdout }}" +# group: "{{ group_name.stdout }}" +# loop: +# - ".config/foo" + +# - name: Copy files +# copy: +# src: "files/{{ item.src }}" +# dest: "{{ account_homedir.stdout }}/{{ item.dest }}" +# mode: 0600 +# owner: "{{ account_name.stdout }}" +# group: "{{ group_name.stdout }}" +# loop: +# - src: foo.conf +# dest: .config/foo/foo.conf + +- import_tasks: tasks/peruser_freebsd.yaml + when: 'os_flavor == "freebsd"' + +- import_tasks: tasks/peruser_linux.yaml + when: 'os_flavor == "linux"' diff --git a/ansible/roles/jail_momlaptop/tasks/peruser_freebsd.yaml b/ansible/roles/jail_momlaptop/tasks/peruser_freebsd.yaml new file mode 100644 index 0000000..e69de29 
diff --git a/ansible/roles/jail_momlaptop/tasks/peruser_linux.yaml b/ansible/roles/jail_momlaptop/tasks/peruser_linux.yaml new file mode 100644 index 0000000..e69de29 diff --git a/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf b/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf index e52d0d5..895df95 100644 --- a/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf +++ b/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf @@ -88,6 +88,11 @@ // bastion - hard-coded in rc.conf, reproduced here to reserve ip "hw-address": "06:ca:1a:10:74:09", "ip-address": "10.215.1.217" + }, + { + // momlaptop - hard-coded in rc.conf, reproduced here to reserve ip + "hw-address": "06:85:69:c5:6a:d6", + "ip-address": "10.215.1.218" } ] } diff --git a/ansible/roles/media/tasks/freebsd.yaml b/ansible/roles/media/tasks/freebsd.yaml index ad5690a..7d0a3e5 100644 --- a/ansible/roles/media/tasks/freebsd.yaml +++ b/ansible/roles/media/tasks/freebsd.yaml @@ -4,5 +4,18 @@ # Have to use yt-dlp instead of youtube_dl because of mpv # - youtube_dl - yt-dlp + state: present + +- name: Install packages + when: install_graphics + package: + name: - mkvtoolnix # for mkvmerge state: present + +- name: Install packages + when: not install_graphics + package: + name: + - mkvtoolnix-nogui # for mkvmerge + state: present diff --git a/ansible/roles/poudriere/files/poudriere.d/14broadwell-default-computer-pkglist b/ansible/roles/poudriere/files/poudriere.d/14broadwell-default-computer-pkglist index ee81594..f0b75cc 100644 --- a/ansible/roles/poudriere/files/poudriere.d/14broadwell-default-computer-pkglist +++ b/ansible/roles/poudriere/files/poudriere.d/14broadwell-default-computer-pkglist @@ -11,6 +11,7 @@ graphics/ImageMagick7 lang/python misc/terminfo-db multimedia/ffmpeg +multimedia/mkvtoolnix@nogui multimedia/v4l-utils multimedia/webcamd net-mgmt/ipcalc 
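Review bot: The two new `Install packages` tasks use `when: install_graphics` and `when: not install_graphics`, which Ansible rejects with "'install_graphics' is undefined" on any host that does not set the variable, whereas the task they replace installed `mkvtoolnix` unconditionally. Unless every host in the inventory defines it, guard with a default: `when: install_graphics | default(false)` and `when: not (install_graphics | default(false))`. The hunk's first lines (`- yt-dlp`, `state: present`) belong to the preceding package task, which starts before the hunk.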
@@ -39,6 +40,7 @@ sysutils/bhyve-firmware sysutils/btop sysutils/cpu-microcode sysutils/ddrescue +sysutils/dmidecode sysutils/exfat-utils sysutils/fusefs-exfat sysutils/fusefs-sshfs @@ -54,6 +56,7 @@ sysutils/powerdxx sysutils/powermon sysutils/pstree sysutils/rust-coreutils +sysutils/shuf sysutils/tmux sysutils/tree sysutils/zrepl diff --git a/ansible/roles/poudriere/files/poudriere.d/currentznver4-default-framework-pkglist b/ansible/roles/poudriere/files/poudriere.d/currentznver4-default-framework-pkglist index 42f67ee..ffbe419 100644 --- a/ansible/roles/poudriere/files/poudriere.d/currentznver4-default-framework-pkglist +++ b/ansible/roles/poudriere/files/poudriere.d/currentznver4-default-framework-pkglist @@ -101,6 +101,7 @@ sysutils/pstree sysutils/pv sysutils/radeontop sysutils/rust-coreutils +sysutils/shuf sysutils/terraform sysutils/tmux sysutils/tree diff --git a/ansible/roles/public_dns/files/master.db b/ansible/roles/public_dns/files/master.db index 5d2834a..0003a66 100644 --- a/ansible/roles/public_dns/files/master.db +++ b/ansible/roles/public_dns/files/master.db @@ -72,3 +72,4 @@ home IN A 68.197.252.22 opstunnel IN CNAME home.fizz.buzz. stream IN CNAME home.fizz.buzz. stuff IN CNAME home.fizz.buzz. +momlaptop IN CNAME home.fizz.buzz. diff --git a/ansible/run.bash b/ansible/run.bash index 9191007..631cd1b 100755 --- a/ansible/run.bash +++ b/ansible/run.bash @@ -34,6 +34,8 @@ elif [ "$target" = "certificate" ]; then ansible-playbook -v -i environments/jail playbook.yaml --diff --limit certificate "${@}" elif [ "$target" = "bastion" ]; then ansible-playbook -v -i environments/jail playbook.yaml --diff --limit bastion "${@}" +elif [ "$target" = "momlaptop" ]; then + ansible-playbook -v -i environments/jail playbook.yaml --diff --limit momlaptop "${@}" elif [ "$target" = "vm_poudriereodo" ]; then ansible-playbook -v -i environments/vm playbook.yaml --diff --limit poudriereodo "${@}" elif [ "$target" = "vm_poudrieremrmanager" ]; then