Merge branch 'template_linfi'

ansible/environments/home/host_vars/homeserver

@@ -77,8 +77,17 @@ jail_list:
   #     - name: mumbledb
   #       mount: /var/db/murmur
 bhyve_dataset: zmass/encrypted/vm
-bhyve_canmount: "on"
+# Disable mounting bhyve dataset so it doesn't hide the unencrypted linfi vm
+bhyve_canmount: "off"
+bhyve_mountpoint: "none"
 bhyve_bemount: "on"
 wireguard_directory: homeserver
 enabled_wireguard:
   - wgh
+linfi:
+  enabled: true
+  zfs_dataset: zmass/unencrypted/vm/linfi
+  zfs_mountpoint: /vm/linfi
+  driver_blocklist: "ath if_ath if_ath_pci ath_hal"
+  pci_blocklist: "6/0/0"
+  amd: false

ansible/environments/home/hosts

@@ -1,2 +1,2 @@
 [headless]
-homeserver ansible_user=talexander ansible_host=10.216.1.1
+homeserver ansible_user=talexander ansible_host=homeserver

ansible/environments/laptop/host_vars/odofreebsd

@@ -59,3 +59,10 @@ enabled_wireguard:
   - wgh
   - drmario
   - colo
+linfi:
+  enabled: true
+  zfs_dataset: zroot/freebsd/current/vm/linfi
+  zfs_mountpoint: /vm/linfi
+  driver_blocklist: "if_iwm if_iwlwifi"
+  pci_blocklist: "1/0/0"
+  amd: true

ansible/playbook.yaml

@@ -133,6 +133,7 @@
   vars:
     ansible_become: True
   roles:
+    - linfi
     - homeserver
 
 - hosts: odowork

ansible/roles/docker/tasks/linux.yaml

@@ -3,6 +3,7 @@
     name:
       - docker
       - docker-compose
+      - docker-buildx
     state: present
 
 - name: Create docker zfs dataset

ansible/roles/firewall/files/homeserver_pf.conf

@@ -1,5 +1,5 @@
-ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
+ext_if = "{ igb0 igb1 ix0 ix1 linfi_host }"
-not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"
+not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !linfi_host }"
 jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
 restricted_nat_v4 = "{ 10.215.2.0/24 }"
@@ -19,17 +19,17 @@ unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }"
 set skip on lo
 
 # queueing
-# altq on wlan0 cbq queue { def, stuff }
+# altq on linfi_host cbq queue { def, stuff }
 # queue def cbq(default borrow)
 # queue stuff bandwidth	8Mb cbq { dagger }
 # queue dagger cbq(borrow)
 
 # redirections
-nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0)
+nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (linfi_host)
 rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53
 
 # cloak
-nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (wlan0)
+nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (linfi_host)
 rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 172.16.0.1 port 53
 
 # bastion

ansible/roles/framework_laptop/files/wifi_us_modprobe.conf

@@ -0,0 +1 @@
+options cfg80211 ieee80211_regdom=US

ansible/roles/framework_laptop/tasks/linux.yaml

@@ -30,6 +30,7 @@
     - iwlwifi
     - snd_hda_intel
     - disable_sp5100_watchdog
+    - wifi_us
 
 - name: Configure kernel command line
   zfs:

ansible/roles/kubernetes/files/k8s_remove_finalizers_pipeline_runs

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+kubectl get pipelinerun --all-namespaces -o go-template='{{range .items}}{{.metadata.namespace}}/{{.metadata.name}}{{"\n"}}{{end}}' | while read p; do namespace=$(cut -d '/' -f 1 <<<"$p"); name=$(cut -d '/' -f 2 <<<"$p"); kubectl patch pipelinerun -n "$namespace" "$name" -p '{"metadata":{"finalizers":null}}' --type=merge; done

ansible/roles/linfi/defaults/main.yaml

@@ -0,0 +1,7 @@
+# linfi:
+#   enabled: true
+#   zfs_dataset: zroot/freebsd/current/vm/linfi
+#   zfs_mountpoint: /vm/linfi
+#   driver_blocklist: "if_iwm if_iwlwifi"
+#   pci_blocklist: "1/0/0"
+#   amd: true

ansible/roles/linfi/files/devmatch_rc.conf

@@ -1,2 +0,0 @@
-devmatch_enable="YES"
-devmatch_blocklist="if_iwm if_iwlwifi"

ansible/roles/linfi/files/launch_linfi.bash

@@ -32,6 +32,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 : ${VNC_LISTEN:="127.0.0.1:5900"}
 : ${VNC_WIDTH:="1920"}
 : ${VNC_HEIGHT:="1080"}
+: ${PASSTHROUGH:="1/0/0"}
 
 if [ "$VERBOSE" = "YES" ]; then
     set -x
@@ -142,7 +143,7 @@ function start_vm {
             -s 0,hostbridge \
             -s "4,nvme,/dev/zvol/${zfs_path}/disk0" \
             -S \
-            -s 7,passthru,1/0/0 \
+            -s "7,passthru,${PASSTHROUGH}" \
             -s 30,xhci,tablet \
             -s 31,lpc -l com1,stdio \
             -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd" \

ansible/roles/linfi/files/linfi_loader.conf

@@ -1,3 +0,0 @@
-vmm_load="YES"
-pptdevs="1/0/0"
-hw.vmm.amdvi.enable="1"

ansible/roles/linfi/tasks/freebsd.yaml

@@ -1,6 +1,6 @@
 - name: Install loader.conf
-  copy:
+  template:
-    src: "files/{{ item }}_loader.conf"
+    src: "templates/{{ item }}_loader.conf.j2"
     dest: "/boot/loader.conf.d/{{ item }}.conf"
     mode: 0644
     owner: root
@@ -20,8 +20,8 @@
       dest: /usr/local/bin/launch_linfi
 
 - name: Install rc script
-  copy:
+  template:
-    src: "files/{{ item.src }}"
+    src: "templates/{{ item.src }}.j2"
     dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
     owner: root
     group: wheel
@@ -38,4 +38,13 @@
     group: wheel
   loop:
     - linfi
+
+- name: Install service configuration
+  template:
+    src: "templates/{{ item }}_rc.conf.j2"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
     - devmatch

ansible/roles/linfi/tasks/main.yaml

@@ -1,2 +1,2 @@
 - import_tasks: tasks/common.yaml
-  # when: foo is defined
+  when: linfi is defined and linfi.enabled

ansible/roles/linfi/templates/devmatch_rc.conf.j2

@@ -0,0 +1,2 @@
+devmatch_enable="YES"
+devmatch_blocklist="{{ linfi.driver_blocklist }}"

ansible/roles/linfi/templates/linfi.j2

@@ -14,7 +14,7 @@ load_rc_config $name
 tmux_name="linfi"
 
 linfi_start() {
-    /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=YES VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /usr/local/bin/launch_linfi start linfi zroot/freebsd/current/vm/linfi /vm/linfi"
+    /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env PASSTHROUGH='{{ linfi.pci_blocklist }}' /usr/local/bin/bash /usr/local/bin/launch_linfi start linfi {{ linfi.zfs_dataset }} {{ linfi.zfs_mountpoint }}"
     # /vm/.iso/alpine-extended-3.20.3-x86_64.iso
 }
 

ansible/roles/linfi/templates/linfi_loader.conf.j2

@@ -0,0 +1,5 @@
+vmm_load="YES"
+pptdevs="{{ linfi.pci_blocklist }}"
+{% if linfi.amd %}
+hw.vmm.amdvi.enable="1"
+{% endif %}

ansible/roles/network/files/homeserver_network.conf

@@ -1,4 +1,4 @@
-wlans_ath0="wlan0"
+# wlans_ath0="wlan0"
-ifconfig_wlan0="WPA DHCP"
+# ifconfig_wlan0="WPA DHCP"
-ifconfig_wlan0_ipv6="inet6 accept_rtadv"
+# ifconfig_wlan0_ipv6="inet6 accept_rtadv"
-ipv6_cpe_wanif="wlan0"
+# ipv6_cpe_wanif="wlan0"