Merge branch 'template_linfi'
This commit is contained in:
		
						commit
						c2f1a0db1c
					
				| @ -77,8 +77,17 @@ jail_list: | ||||
|   #     - name: mumbledb | ||||
|   #       mount: /var/db/murmur | ||||
| bhyve_dataset: zmass/encrypted/vm | ||||
| bhyve_canmount: "on" | ||||
| # Disable mounting bhyve dataset so it doesn't hide the unencrypted linfi vm | ||||
| bhyve_canmount: "off" | ||||
| bhyve_mountpoint: "none" | ||||
| bhyve_bemount: "on" | ||||
| wireguard_directory: homeserver | ||||
| enabled_wireguard: | ||||
|   - wgh | ||||
| linfi: | ||||
|   enabled: true | ||||
|   zfs_dataset: zmass/unencrypted/vm/linfi | ||||
|   zfs_mountpoint: /vm/linfi | ||||
|   driver_blocklist: "ath if_ath if_ath_pci ath_hal" | ||||
|   pci_blocklist: "6/0/0" | ||||
|   amd: false | ||||
|  | ||||
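Review bot: The linfi VM disk now lives on `zmass/unencrypted/vm/linfi` while the other bhyve data stays under `zmass/encrypted`, and the only comment explains the canmount toggle, not why the guest is deliberately unencrypted. Anything the guest stores (Wi-Fi credentials, logs) is therefore at rest in clear on this host; if the reason is that the VM has to come up before the encrypted pool is unlocked, record it next to the dataset line, e.g. `# linfi must boot before zmass/encrypted is unlocked, so its zvol lives on the unencrypted tree; keep secrets out of the guest`. The `linfi:` block on the second host (`zroot/freebsd/current/vm/linfi`) would take the same comment. I cannot tell from this page whether the old `bhyve_canmount: "on"` line is removed or only shadowed by the new `"off"` entry; a duplicate key in host_vars silently keeps the last value, so check the file carries only one.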
| @ -1,2 +1,2 @@ | ||||
| [headless] | ||||
| homeserver ansible_user=talexander ansible_host=10.216.1.1 | ||||
| homeserver ansible_user=talexander ansible_host=homeserver | ||||
|  | ||||
| @ -59,3 +59,10 @@ enabled_wireguard: | ||||
|   - wgh | ||||
|   - drmario | ||||
|   - colo | ||||
| linfi: | ||||
|   enabled: true | ||||
|   zfs_dataset: zroot/freebsd/current/vm/linfi | ||||
|   zfs_mountpoint: /vm/linfi | ||||
|   driver_blocklist: "if_iwm if_iwlwifi" | ||||
|   pci_blocklist: "1/0/0" | ||||
|   amd: true | ||||
|  | ||||
| @ -133,6 +133,7 @@ | ||||
|   vars: | ||||
|     ansible_become: True | ||||
|   roles: | ||||
|     - linfi | ||||
|     - homeserver | ||||
| 
 | ||||
| - hosts: odowork | ||||
|  | ||||
| @ -3,6 +3,7 @@ | ||||
|     name: | ||||
|       - docker | ||||
|       - docker-compose | ||||
|       - docker-buildx | ||||
|     state: present | ||||
| 
 | ||||
| - name: Create docker zfs dataset | ||||
|  | ||||
| @ -1,5 +1,5 @@ | ||||
| ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }" | ||||
| not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }" | ||||
| ext_if = "{ igb0 igb1 ix0 ix1 linfi_host }" | ||||
| not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !linfi_host }" | ||||
| jail_nat_v4 = "{ 10.215.1.0/24 }" | ||||
| not_jail_nat_v4 = "{ any, !10.215.1.0/24 }" | ||||
| restricted_nat_v4 = "{ 10.215.2.0/24 }" | ||||
| @ -19,17 +19,17 @@ unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }" | ||||
| set skip on lo | ||||
| 
 | ||||
| # queueing | ||||
| # altq on wlan0 cbq queue { def, stuff } | ||||
| # altq on linfi_host cbq queue { def, stuff } | ||||
| # queue def cbq(default borrow) | ||||
| # queue stuff bandwidth	8Mb cbq { dagger } | ||||
| # queue dagger cbq(borrow) | ||||
| 
 | ||||
| # redirections | ||||
| nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0) | ||||
| nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (linfi_host) | ||||
| rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53 | ||||
| 
 | ||||
| # cloak | ||||
| nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (wlan0) | ||||
| nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (linfi_host) | ||||
| rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 172.16.0.1 port 53 | ||||
| 
 | ||||
| # bastion | ||||
|  | ||||
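Review bot: `linfi_host` joins `ext_if` and becomes the NAT egress address in the `# redirections` and `# cloak` rules, so the linfi guest is now the host's upstream router, but nothing in the hunk marks it as a trust boundary. Every packet the host and jails send out now crosses a VM whose disk sits on an unencrypted dataset and which presumably drives the Wi-Fi card itself, so the inbound filter on `$ext_if` (outside this hunk) must treat `linfi_host` exactly like the physical uplinks. I would put `# linfi_host is the link to the linfi Wi-Fi VM: treat it as an untrusted WAN side, not a LAN side` above the `ext_if` macro so the next edit does not relax it. Worth confirming on the host whose host_vars say `amd: false` with a different PCI device that the interface name is the same there, since the macro is shared.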
| @ -0,0 +1 @@ | ||||
| options cfg80211 ieee80211_regdom=US | ||||
| @ -30,6 +30,7 @@ | ||||
|     - iwlwifi | ||||
|     - snd_hda_intel | ||||
|     - disable_sp5100_watchdog | ||||
|     - wifi_us | ||||
| 
 | ||||
| - name: Configure kernel command line | ||||
|   zfs: | ||||
|  | ||||
| @ -0,0 +1,7 @@ | ||||
| #!/usr/bin/env bash | ||||
| # | ||||
| set -euo pipefail | ||||
| IFS=$'\n\t' | ||||
| DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" | ||||
| 
 | ||||
| kubectl get pipelinerun --all-namespaces -o go-template='{{range .items}}{{.metadata.namespace}}/{{.metadata.name}}{{"\n"}}{{end}}' | while read p; do namespace=$(cut -d '/' -f 1 <<<"$p"); name=$(cut -d '/' -f 2 <<<"$p"); kubectl patch pipelinerun -n "$namespace" "$name" -p '{"metadata":{"finalizers":null}}' --type=merge; done | ||||
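Review bot: `while read p` on the last line reads without `-r` and the query carries no namespace filter, so the script strips finalizers from every PipelineRun in the cluster and a backslash in a name would be mangled; the header comment on line 2 is empty, so none of this is stated. Use `while IFS= read -r p; do` and fill the comment with what the script is for and when it is safe to run, e.g. `# Force-delete stuck Tekton PipelineRuns by clearing their finalizers in ALL namespaces; this skips the controller's own cleanup, so only run it when the controller is gone`. `DIR` is computed but never used and can go. With `set -e`, a single failing `kubectl patch` (an object deleted between the list and the patch) aborts the loop; if best-effort is intended, append `|| true` to the patch.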
							
								
								
									
									
								
							
							
						
						
									
										7
									
								
								ansible/roles/linfi/defaults/main.yaml
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,7 @@ | ||||
| # linfi: | ||||
| #   enabled: true | ||||
| #   zfs_dataset: zroot/freebsd/current/vm/linfi | ||||
| #   zfs_mountpoint: /vm/linfi | ||||
| #   driver_blocklist: "if_iwm if_iwlwifi" | ||||
| #   pci_blocklist: "1/0/0" | ||||
| #   amd: true | ||||
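Review bot: Every line of the new role defaults is commented out, so `linfi` is undefined unless a host sets it, and the `when: linfi is defined and linfi.enabled` guard in the role's main.yaml then skips the role silently instead of failing on a mistyped host_vars key. A live default of `linfi:` / `  enabled: false` (keeping the remaining keys as commented examples) lets the guard shrink to `when: linfi.enabled` and makes a misspelled `enabled:` in host_vars surface as an undefined-attribute error rather than a silent no-op. The example values duplicate one host's host_vars (`1/0/0`, `if_iwm if_iwlwifi`) and are hardware-specific; a comment saying they are examples, not sane defaults, would help the next host.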
| @ -1,2 +0,0 @@ | ||||
| devmatch_enable="YES" | ||||
| devmatch_blocklist="if_iwm if_iwlwifi" | ||||
| @ -32,6 +32,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" | ||||
| : ${VNC_LISTEN:="127.0.0.1:5900"} | ||||
| : ${VNC_WIDTH:="1920"} | ||||
| : ${VNC_HEIGHT:="1080"} | ||||
| : ${PASSTHROUGH:="1/0/0"} | ||||
| 
 | ||||
| if [ "$VERBOSE" = "YES" ]; then | ||||
|     set -x | ||||
| @ -142,7 +143,7 @@ function start_vm { | ||||
|             -s 0,hostbridge \ | ||||
|             -s "4,nvme,/dev/zvol/${zfs_path}/disk0" \ | ||||
|             -S \ | ||||
|             -s 7,passthru,1/0/0 \ | ||||
|             -s "7,passthru,${PASSTHROUGH}" \ | ||||
|             -s 30,xhci,tablet \ | ||||
|             -s 31,lpc -l com1,stdio \ | ||||
|             -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd" \ | ||||
|  | ||||
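Review bot: `: ${PASSTHROUGH:="1/0/0"}` keeps a host-specific bus/slot/function as the fallback, so running the script without the variable exported passes through whatever device sits at 1/0/0 on that machine and hands the guest control of it. Since the rc script now always exports `PASSTHROUGH`, a hard failure is safer than a guess: `: "${PASSTHROUGH:?set to the bus/slot/func of the pptdev reserved in loader.conf}"`. The value feeds straight into the bhyve command in `start_vm` (whose body starts and ends outside this hunk); a shape check such as `case "$PASSTHROUGH" in */*/*) ;; *) echo "bad PASSTHROUGH" >&2; exit 1;; esac` next to the defaults would catch a mis-templated value before bhyve does. Separately, the same value is called `pci_blocklist` in host_vars and the templates although it is the passthrough device, not a blocklist; a rename or at least a comment in host_vars would avoid confusion.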
| @ -1,3 +0,0 @@ | ||||
| vmm_load="YES" | ||||
| pptdevs="1/0/0" | ||||
| hw.vmm.amdvi.enable="1" | ||||
| @ -1,6 +1,6 @@ | ||||
| - name: Install loader.conf | ||||
|   copy: | ||||
|     src: "files/{{ item }}_loader.conf" | ||||
|   template: | ||||
|     src: "templates/{{ item }}_loader.conf.j2" | ||||
|     dest: "/boot/loader.conf.d/{{ item }}.conf" | ||||
|     mode: 0644 | ||||
|     owner: root | ||||
| @ -20,8 +20,8 @@ | ||||
|       dest: /usr/local/bin/launch_linfi | ||||
| 
 | ||||
| - name: Install rc script | ||||
|   copy: | ||||
|     src: "files/{{ item.src }}" | ||||
|   template: | ||||
|     src: "templates/{{ item.src }}.j2" | ||||
|     dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}" | ||||
|     owner: root | ||||
|     group: wheel | ||||
| @ -38,4 +38,13 @@ | ||||
|     group: wheel | ||||
|   loop: | ||||
|     - linfi | ||||
| 
 | ||||
| - name: Install service configuration | ||||
|   template: | ||||
|     src: "templates/{{ item }}_rc.conf.j2" | ||||
|     dest: "/etc/rc.conf.d/{{ item }}" | ||||
|     mode: 0644 | ||||
|     owner: root | ||||
|     group: wheel | ||||
|   loop: | ||||
|     - devmatch | ||||
|  | ||||
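Review bot: The new `Install service configuration` task writes `mode: 0644` as a bare YAML integer, as the loader.conf task above it already does; PyYAML reads that as octal 420 so it works today, but YAML 1.2 parsers read `0644` as decimal 644 and ansible-lint's `risky-octal` rule flags it. Quote it as `mode: "0644"` in the new task (and in the existing one while you are there). The `Install rc script` task that switched from `copy` to `template` keeps its `owner`/`group`, but no `mode` is visible for it in this hunk; if there is none, the rendered rc.d script inherits the remote umask, so an explicit `mode: "0755"` there would pin it.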
| @ -1,2 +1,2 @@ | ||||
| - import_tasks: tasks/common.yaml | ||||
|   # when: foo is defined | ||||
|   when: linfi is defined and linfi.enabled | ||||
|  | ||||
							
								
								
									
									
								
							
							
						
						
									
										2
									
								
								ansible/roles/linfi/templates/devmatch_rc.conf.j2
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,2 @@ | ||||
| devmatch_enable="YES" | ||||
| devmatch_blocklist="{{ linfi.driver_blocklist }}" | ||||
| @ -14,7 +14,7 @@ load_rc_config $name | ||||
| tmux_name="linfi" | ||||
| 
 | ||||
| linfi_start() { | ||||
|     /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=YES VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /usr/local/bin/launch_linfi start linfi zroot/freebsd/current/vm/linfi /vm/linfi" | ||||
|     /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env PASSTHROUGH='{{ linfi.pci_blocklist }}' /usr/local/bin/bash /usr/local/bin/launch_linfi start linfi {{ linfi.zfs_dataset }} {{ linfi.zfs_mountpoint }}" | ||||
|     # /vm/.iso/alpine-extended-3.20.3-x86_64.iso | ||||
| } | ||||
| 
 | ||||
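Review bot: `PASSTHROUGH='{{ linfi.pci_blocklist }}'` in `linfi_start` splices a host_vars value into a string that tmux hands to a shell, and `devmatch_rc.conf.j2` does the same inside double quotes in a file sourced by rc(8) at boot; neither template constrains the value. These come from operator-controlled host_vars, so the exposure is a typo rather than an attacker, but a stray quote or `$` breaks the service start in a way that is hard to diagnose from inside tmux. A cheap guard in the role's tasks, before templating, is `assert: { that: linfi.pci_blocklist is match('^[0-9]+/[0-9]+/[0-9]+$') }` plus a similar `match` on `driver_blocklist` allowing only module names and spaces. Dropping `VNC_LISTEN=0.0.0.0:5900` from the start line is the right call; a short comment there would keep it from being reintroduced for debugging.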
							
								
								
									
									
								
							
							
						
						
									
										5
									
								
								ansible/roles/linfi/templates/linfi_loader.conf.j2
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,5 @@ | ||||
| vmm_load="YES" | ||||
| pptdevs="{{ linfi.pci_blocklist }}" | ||||
| {% if linfi.amd %} | ||||
| hw.vmm.amdvi.enable="1" | ||||
| {% endif %} | ||||
| @ -1,4 +1,4 @@ | ||||
| wlans_ath0="wlan0" | ||||
| ifconfig_wlan0="WPA DHCP" | ||||
| ifconfig_wlan0_ipv6="inet6 accept_rtadv" | ||||
| ipv6_cpe_wanif="wlan0" | ||||
| # wlans_ath0="wlan0" | ||||
| # ifconfig_wlan0="WPA DHCP" | ||||
| # ifconfig_wlan0_ipv6="inet6 accept_rtadv" | ||||
| # ipv6_cpe_wanif="wlan0" | ||||
|  | ||||
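Review bot: The four `wlan0` lines are left in rc.conf as commented-out copies rather than deleted, and nothing says why the host no longer configures the radio. If, as the host_vars suggest, the ath driver is now devmatch-blocklisted and the card is passed through to the linfi guest, replace the four comments with one line recording that, e.g. `# wlan0 is no longer configured on the host: ath0 is devmatch-blocklisted and passed through to the linfi VM (see host_vars linfi.*)`. Without it the next reader is likely to uncomment them and fight the VM for the device.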
	 Tom Alexander
						Tom Alexander