diff --git a/ansible/environments/home/host_vars/homeserver b/ansible/environments/home/host_vars/homeserver index 785b6b1..e23f546 100644 --- a/ansible/environments/home/host_vars/homeserver +++ b/ansible/environments/home/host_vars/homeserver @@ -77,8 +77,17 @@ jail_list: # - name: mumbledb # mount: /var/db/murmur bhyve_dataset: zmass/encrypted/vm -bhyve_canmount: "on" +# Disable mounting bhyve dataset so it doesn't hide the unencrypted linfi vm +bhyve_canmount: "off" +bhyve_mountpoint: "none" bhyve_bemount: "on" wireguard_directory: homeserver enabled_wireguard: - wgh +linfi: + enabled: true + zfs_dataset: zmass/unencrypted/vm/linfi + zfs_mountpoint: /vm/linfi + driver_blocklist: "ath if_ath if_ath_pci ath_hal" + pci_blocklist: "6/0/0" + amd: false diff --git a/ansible/environments/home/hosts b/ansible/environments/home/hosts index 6fd0c33..5c22779 100644 --- a/ansible/environments/home/hosts +++ b/ansible/environments/home/hosts @@ -1,2 +1,2 @@ [headless] -homeserver ansible_user=talexander ansible_host=10.216.1.1 +homeserver ansible_user=talexander ansible_host=homeserver diff --git a/ansible/environments/laptop/host_vars/odofreebsd b/ansible/environments/laptop/host_vars/odofreebsd index 9112ecf..c2f530a 100644 --- a/ansible/environments/laptop/host_vars/odofreebsd +++ b/ansible/environments/laptop/host_vars/odofreebsd @@ -59,3 +59,10 @@ enabled_wireguard: - wgh - drmario - colo +linfi: + enabled: true + zfs_dataset: zroot/freebsd/current/vm/linfi + zfs_mountpoint: /vm/linfi + driver_blocklist: "if_iwm if_iwlwifi" + pci_blocklist: "1/0/0" + amd: true diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml index bb7c89b..ffbfea3 100644 --- a/ansible/playbook.yaml +++ b/ansible/playbook.yaml @@ -133,6 +133,7 @@ vars: ansible_become: True roles: + - linfi - homeserver - hosts: odowork diff --git a/ansible/roles/docker/tasks/linux.yaml b/ansible/roles/docker/tasks/linux.yaml index 3f5c2cf..3b852c2 100644 --- a/ansible/roles/docker/tasks/linux.yaml +++ b/ansible/roles/docker/tasks/linux.yaml @@ -3,6 +3,7 @@ name: - docker - docker-compose + - docker-buildx state: present - name: Create docker zfs dataset diff --git a/ansible/roles/firewall/files/homeserver_pf.conf b/ansible/roles/firewall/files/homeserver_pf.conf index 2e1dddf..1a9db62 100644 --- a/ansible/roles/firewall/files/homeserver_pf.conf +++ b/ansible/roles/firewall/files/homeserver_pf.conf @@ -1,5 +1,5 @@ -ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }" -not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }" +ext_if = "{ igb0 igb1 ix0 ix1 linfi_host }" +not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !linfi_host }" jail_nat_v4 = "{ 10.215.1.0/24 }" not_jail_nat_v4 = "{ any, !10.215.1.0/24 }" restricted_nat_v4 = "{ 10.215.2.0/24 }" @@ -19,17 +19,17 @@ unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }" set skip on lo # queueing -# altq on wlan0 cbq queue { def, stuff } +# altq on linfi_host cbq queue { def, stuff } # queue def cbq(default borrow) # queue stuff bandwidth 8Mb cbq { dagger } # queue dagger cbq(borrow) # redirections -nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0) +nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (linfi_host) rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53 # cloak -nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (wlan0) +nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (linfi_host) rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 172.16.0.1 port 53 # bastion diff --git a/ansible/roles/firewall/files/rc.conf b/ansible/roles/firewall/files/rc.conf index 8d13069..a070d9b 100644 --- a/ansible/roles/firewall/files/rc.conf +++ b/ansible/roles/firewall/files/rc.conf @@ -1,2 +1,2 @@ -pf_enable="NO" +pf_enable="YES" pf_rules="/etc/pf.conf" diff --git a/ansible/roles/linfi/defaults/main.yaml b/ansible/roles/linfi/defaults/main.yaml new file mode 100644 index 0000000..67825a6 --- /dev/null +++ b/ansible/roles/linfi/defaults/main.yaml @@ -0,0 +1,7 @@ +# linfi: +# enabled: true +# zfs_dataset: zroot/freebsd/current/vm/linfi +# zfs_mountpoint: /vm/linfi +# driver_blocklist: "if_iwm if_iwlwifi" +# pci_blocklist: "1/0/0" +# amd: true diff --git a/ansible/roles/linfi/files/devmatch_rc.conf b/ansible/roles/linfi/files/devmatch_rc.conf deleted file mode 100644 index 8a6799a..0000000 --- a/ansible/roles/linfi/files/devmatch_rc.conf +++ /dev/null @@ -1,2 +0,0 @@ -devmatch_enable="YES" -devmatch_blocklist="if_iwm if_iwlwifi" diff --git a/ansible/roles/linfi/files/launch_linfi.bash b/ansible/roles/linfi/files/launch_linfi.bash index 5f01478..3b5d8e9 100644 --- a/ansible/roles/linfi/files/launch_linfi.bash +++ b/ansible/roles/linfi/files/launch_linfi.bash @@ -32,6 +32,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" : ${VNC_LISTEN:="127.0.0.1:5900"} : ${VNC_WIDTH:="1920"} : ${VNC_HEIGHT:="1080"} +: ${PASSTHROUGH:="1/0/0"} if [ "$VERBOSE" = "YES" ]; then set -x @@ -142,7 +143,7 @@ function start_vm { -s 0,hostbridge \ -s "4,nvme,/dev/zvol/${zfs_path}/disk0" \ -S \ - -s 7,passthru,1/0/0 \ + -s "7,passthru,${PASSTHROUGH}" \ -s 30,xhci,tablet \ -s 31,lpc -l com1,stdio \ -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd" \ diff --git a/ansible/roles/linfi/files/linfi_loader.conf b/ansible/roles/linfi/files/linfi_loader.conf deleted file mode 100644 index a736ddd..0000000 --- a/ansible/roles/linfi/files/linfi_loader.conf +++ /dev/null @@ -1,3 +0,0 @@ -vmm_load="YES" -pptdevs="1/0/0" -hw.vmm.amdvi.enable="1" diff --git a/ansible/roles/linfi/tasks/freebsd.yaml b/ansible/roles/linfi/tasks/freebsd.yaml index 29748fb..aec1ef1 100644 --- a/ansible/roles/linfi/tasks/freebsd.yaml +++ b/ansible/roles/linfi/tasks/freebsd.yaml @@ -1,6 +1,6 @@ - name: Install loader.conf - copy: - src: "files/{{ item }}_loader.conf" + template: + src: "templates/{{ item }}_loader.conf.j2" dest: "/boot/loader.conf.d/{{ item }}.conf" mode: 0644 owner: root @@ -20,8 +20,8 @@ dest: /usr/local/bin/launch_linfi - name: Install rc script - copy: - src: "files/{{ item.src }}" + template: + src: "templates/{{ item.src }}.j2" dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}" owner: root group: wheel @@ -38,4 +38,13 @@ group: wheel loop: - linfi + +- name: Install service configuration + template: + src: "templates/{{ item }}_rc.conf.j2" + dest: "/etc/rc.conf.d/{{ item }}" + mode: 0644 + owner: root + group: wheel + loop: - devmatch diff --git a/ansible/roles/linfi/tasks/main.yaml b/ansible/roles/linfi/tasks/main.yaml index 6805b9d..9d71469 100644 --- a/ansible/roles/linfi/tasks/main.yaml +++ b/ansible/roles/linfi/tasks/main.yaml @@ -1,2 +1,2 @@ - import_tasks: tasks/common.yaml - # when: foo is defined + when: linfi is defined and linfi.enabled diff --git a/ansible/roles/linfi/templates/devmatch_rc.conf.j2 b/ansible/roles/linfi/templates/devmatch_rc.conf.j2 new file mode 100644 index 0000000..6b158a6 --- /dev/null +++ b/ansible/roles/linfi/templates/devmatch_rc.conf.j2 @@ -0,0 +1,2 @@ +devmatch_enable="YES" +devmatch_blocklist="{{ linfi.driver_blocklist }}" diff --git a/ansible/roles/linfi/files/linfi b/ansible/roles/linfi/templates/linfi.j2 similarity index 86% rename from ansible/roles/linfi/files/linfi rename to ansible/roles/linfi/templates/linfi.j2 index 44e1eba..3d8cc3a 100644 --- a/ansible/roles/linfi/files/linfi +++ b/ansible/roles/linfi/templates/linfi.j2 @@ -14,7 +14,7 @@ load_rc_config $name tmux_name="linfi" linfi_start() { - /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env VNC_ENABLE=YES VNC_LISTEN=0.0.0.0:5900 /usr/local/bin/bash /usr/local/bin/launch_linfi start linfi zroot/freebsd/current/vm/linfi /vm/linfi" + /usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env PASSTHROUGH='{{ linfi.pci_blocklist }}' /usr/local/bin/bash /usr/local/bin/launch_linfi start linfi {{ linfi.zfs_dataset }} {{ linfi.zfs_mountpoint }}" # /vm/.iso/alpine-extended-3.20.3-x86_64.iso } diff --git a/ansible/roles/linfi/templates/linfi_loader.conf.j2 b/ansible/roles/linfi/templates/linfi_loader.conf.j2 new file mode 100644 index 0000000..ffbabb5 --- /dev/null +++ b/ansible/roles/linfi/templates/linfi_loader.conf.j2 @@ -0,0 +1,5 @@ +vmm_load="YES" +pptdevs="{{ linfi.pci_blocklist }}" +{% if linfi.amd %} +hw.vmm.amdvi.enable="1" +{% endif %} diff --git a/ansible/roles/network/files/homeserver_network.conf b/ansible/roles/network/files/homeserver_network.conf index 9124ea6..69e68f1 100644 --- a/ansible/roles/network/files/homeserver_network.conf +++ b/ansible/roles/network/files/homeserver_network.conf @@ -1,4 +1,4 @@ -wlans_ath0="wlan0" -ifconfig_wlan0="WPA DHCP" -ifconfig_wlan0_ipv6="inet6 accept_rtadv" -ipv6_cpe_wanif="wlan0" +# wlans_ath0="wlan0" +# ifconfig_wlan0="WPA DHCP" +# ifconfig_wlan0_ipv6="inet6 accept_rtadv" +# ipv6_cpe_wanif="wlan0"