Update for rebuild of mrmanager.

2026-02-11 19:30:27 -05:00
parent 9bc3aed323
commit d9f6c8da31
19 changed files with 88 additions and 89 deletions
--- a/ansible/environments/colo/host_vars/mrmanager
+++ b/ansible/environments/colo/host_vars/mrmanager
@@ -6,7 +6,6 @@ zfs_snapshot_datasets:
    include: false
  - path: zdata/k8spersistent
 sshd_enabled: true
-loader_conf: "mrmanager_loader.conf"
 rc_conf: "mrmanager_rc.conf"
 network_rc: "mrmanager_network.conf"
 routing_rc: "mrmanager_routing.conf"
@@ -57,7 +56,3 @@ users:
      - yubikey
      - main_fido
      - backup_fido
-  mole:
-    initialize: true
-    authorized_keys:
-      - mole
--- a/ansible/environments/colo/hosts
+++ b/ansible/environments/colo/hosts
@@ -1,2 +1,3 @@
 [server]
-mrmanager ansible_user=talexander ansible_host=10.217.2.1
+#mrmanager ansible_user=talexander ansible_host=10.217.2.1 ansible_become_method=doas
+mrmanager ansible_user=talexander ansible_host=74.80.180.138 ansible_become_method=doas
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -82,7 +82,7 @@
  vars:
    ansible_become: True
  roles:
-    - sudo
+    # - sudo
    - doas
    - users
    - package_manager
--- a/ansible/roles/base/files/login.conf
+++ b/ansible/roles/base/files/login.conf
@@ -32,7 +32,7 @@ default:\
 	:cputime=unlimited:\
 	:datasize=unlimited:\
 	:stacksize=unlimited:\
-	:memorylocked=128M:\
+	:memorylocked=64K:\
 	:memoryuse=unlimited:\
 	:filesize=unlimited:\
 	:coredumpsize=unlimited:\
@@ -46,7 +46,6 @@ default:\
 	:umtxp=unlimited:\
 	:pipebuf=unlimited:\
 	:priority=0:\
-	:ignoretime@:\
 	:umask=022:\
 	:charset=UTF-8:\
 	:lang=en_US.UTF-8:
@@ -149,7 +148,6 @@ russian|Russian Users Accounts:\
 #	:requirehome:\
 #	:passwordtime=90d:\
 #	:umask=002:\
-#	:ignoretime@:\
 #	:tc=default:
 #
 #
@@ -174,7 +172,6 @@ russian|Russian Users Accounts:\
 ##
 #staff:\
 #	:ignorenologin:\
-#	:ignoretime:\
 #	:requirehome@:\
 #	:accounted@:\
 #	:path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
@@ -265,7 +262,6 @@ russian|Russian Users Accounts:\
 ## - no time accounting, restricted to access via dialin lines
 ##
 #site:\
-#	:ignoretime:\
 #	:passwordtime@:\
 #	:refreshtime@:\
 #	:refreshperiod@:\
--- a/ansible/roles/base/files/mrmanager_loader.conf
+++ b/ansible/roles/base/files/mrmanager_loader.conf
--- a/ansible/roles/base/meta/main.yaml
+++ b/ansible/roles/base/meta/main.yaml
@@ -1,3 +1,3 @@
 dependencies:
  - fstab
-  - termcap
+  # - termcap
--- a/ansible/roles/base/tasks/freebsd.yaml
+++ b/ansible/roles/base/tasks/freebsd.yaml
@@ -77,27 +77,27 @@
    owner: root
    group: wheel
  loop:
-    - src: bemount.bash
-      dest: /usr/local/bin/bemount
+    # - src: bemount.bash
+    #   dest: /usr/local/bin/bemount
    - src: watch_freebsd
      dest: /usr/local/bin/ww

- name: Install rc script
-  copy:
-    src: "files/{{ item.src }}"
-    dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
-    owner: root
-    group: wheel
-    mode: 0755
-  loop:
-    - src: bemount_rc.sh
-      dest: bemount
+# - name: Install rc script
+#   copy:
+#     src: "files/{{ item.src }}"
+#     dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
+#     owner: root
+#     group: wheel
+#     mode: 0755
+#   loop:
+#     - src: bemount_rc.sh
+#       dest: bemount

- name: Enable bemount
-  community.general.sysrc:
-    name: bemount_enable
-    value: "YES"
-    path: /etc/rc.conf.d/bemount
+# - name: Enable bemount
+#   community.general.sysrc:
+#     name: bemount_enable
+#     value: "YES"
+#     path: /etc/rc.conf.d/bemount

 - name: Install loader.conf
  copy:
@@ -107,6 +107,7 @@
    owner: root
    group: wheel
  loop:
+    - zfs
    - disk_labels

 - name: Configure sysctls
@@ -127,7 +128,7 @@
  blockinfile:
    path: "/etc/periodic.conf.local"
    marker: "# {mark} ANSIBLE MANAGED BLOCK log"
-    # create: true
+    create: true
    mode: 0644
    owner: root
    group: wheel
@@ -141,13 +142,13 @@
  blockinfile:
    path: "/etc/periodic.conf.local"
    marker: "# {mark} ANSIBLE MANAGED BLOCK zfs"
-    # create: true
+    create: true
    mode: 0644
    owner: root
    group: wheel
    block: |
      daily_scrub_zfs_enable="YES"
-      daily_scrub_zfs_default_threshold="7"
+      daily_scrub_zfs_default_threshold="14"

 # Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi.
 - name: Install loader.conf
--- a/ansible/roles/cpu/files/aesni_loader.conf
+++ b/ansible/roles/cpu/files/aesni_loader.conf
@@ -1 +0,0 @@
-aesni_load="YES"
--- a/ansible/roles/cpu/files/amd_microcode_rc.conf
+++ b/ansible/roles/cpu/files/amd_microcode_rc.conf
@@ -0,0 +1 @@
+microcode_update_enable="YES"
--- a/ansible/roles/cpu/files/cryptodev_loader.conf
+++ b/ansible/roles/cpu/files/cryptodev_loader.conf
@@ -0,0 +1 @@
+cryptodev_load="YES"
--- a/ansible/roles/cpu/tasks/freebsd_amd.yaml
+++ b/ansible/roles/cpu/tasks/freebsd_amd.yaml
@@ -1,3 +1,9 @@
+- name: Install packages
+  package:
+    name:
+      - cpu-microcode-amd
+    state: present
+
 - name: Install loader.conf
  copy:
    src: "files/{{ item }}_loader.conf"
@@ -17,16 +23,7 @@
    group: wheel
  loop:
    - power_profile
-
- name: Install loader.conf
-  copy:
-    src: "files/{{ item }}_loader.conf"
-    dest: "/boot/loader.conf.d/{{ item }}.conf"
-    mode: 0644
-    owner: root
-    group: wheel
-  loop:
-    - aesni
+    - amd_microcode

 - name: Install loader.conf
  when: hwpstate is defined and hwpstate
@@ -38,3 +35,4 @@
    group: wheel
  loop:
    - per_core_hwpstate
+    - cryptodev
--- a/ansible/roles/cpu/tasks/freebsd_intel.yaml
+++ b/ansible/roles/cpu/tasks/freebsd_intel.yaml
@@ -16,7 +16,6 @@
  loop:
    - coretemp
    - cpuctl
-    - aesni
    - intel_microcode

 - name: Install service configuration
@@ -79,3 +78,4 @@
    group: wheel
  loop:
    - per_core_hwpstate
+    - cryptodev
--- a/ansible/roles/firewall/files/mrmanager_pf.conf
+++ b/ansible/roles/firewall/files/mrmanager_pf.conf
@@ -3,7 +3,7 @@ not_ext_if = "{ !lagg0 }"
 jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
 # pub_k8s = "{ 74.80.180.136/29, !74.80.180.138 }"
-pub_k8s = "{ 74.80.180.137, 74.80.180.139, 74.80.180.140, 74.80.180.141, 74.80.180.142 }"
+pub_k8s = "{ 74.80.180.137, 74.80.180.139, 74.80.180.140, 74.80.180.141, 74.80.180.142, 2620:11f:7001:7:ffff:dddd::/112 }"

 dhcp = "{ bootpc, bootps }"
 allow = "{ colo }"
@@ -35,6 +35,7 @@ scrub in on $ext_if all fragment reassemble
 # redirections
 nat on $ext_if inet from ! ($ext_if) to ! ($ext_if) -> ($ext_if)
 rdr pass on jail_nat proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53
+rdr pass on jail_nat proto {tcp, udp} from any to 2620:11f:7001:7:ffff:ffff:0ad7:0101 port 53 tag REDIREXTERNAL -> 2606:4700:4700::1111 port 53

 rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
 rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
@@ -69,8 +70,10 @@ pass quick on $allow
 # Single interface kubernetes cluster is working with the following run on mrmanager:
 #   doas route add -host 74.80.180.139 -interface jail_nat
 #   doas route add -net 10.129.0.0/16 -interface jail_nat
-#   ? doas route -6 add -net '2620:11f:7001:7:ffff:ffff:0ad7:0100/120' -interface jail_nat
-#   ? doas ifconfig jail_nat inet6 2620:11f:7001:7:ffff:ffff:0ad7:0101/120
+#   doas route -6 add -net '2620:11f:7001:7:ffff:ffff:0ad7:0100/120' -interface jail_nat
+#   doas route -6 add -net '2620:11f:7001:7:ffff:eeee::/96' -interface jail_nat
+#   doas route -6 add -net '2620:11f:7001:7:ffff:dddd::/112' -interface jail_nat
+#   doas ifconfig jail_nat inet6 2620:11f:7001:7:ffff:ffff:0ad7:0101/120
 #   doas sysctl net.link.ether.inet.proxyall=1
 # Plus this in pf.conf:
 #   pass quick from any to 74.80.180.139
--- a/ansible/roles/ndproxy/files/ndproxy_rc.conf
+++ b/ansible/roles/ndproxy/files/ndproxy_rc.conf
@@ -0,0 +1,4 @@
+ndproxy_enable="YES"
+ndproxy_uplink_interface="lagg0"
+ndproxy_downlink_mac_address="3c:ec:ef:bf:41:be" # Mac address of lagg0
+ndproxy_uplink_ipv6_addresses="fe80::21c:73ff:fe9d:c083" # uplink router's address (ndp -na) <-- Link-Local address of vtnet0
--- a/ansible/roles/package_manager/files/FreeBSD-ports.conf
+++ b/ansible/roles/package_manager/files/FreeBSD-ports.conf
@@ -0,0 +1,3 @@
+FreeBSD-ports: {
+  url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest"
+}
--- a/ansible/roles/package_manager/files/FreeBSD.conf
+++ b/ansible/roles/package_manager/files/FreeBSD.conf
@@ -1,3 +0,0 @@
-FreeBSD: {
-  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
-}
--- a/ansible/roles/package_manager/files/pkg.conf
+++ b/ansible/roles/package_manager/files/pkg.conf
@@ -31,13 +31,12 @@
 #PKG_ENABLE_PLUGINS = true;
 #PLUGINS [
 #]
-PLUGINS [
-    "provides"
-]
+PLUGINS [ provides ];
 #DEBUG_SCRIPTS = false;
 #PLUGINS_CONF_DIR = "/usr/local/etc/pkg/";
 #PERMISSIVE = false;
 #REPO_AUTOUPDATE = true;
+#FORCE_CAN_REMOVE_VITAL = true;
 #NAMESERVER = "";
 #HTTP_USER_AGENT = "Custom_User_Manager";
 #EVENT_PIPE = "";
@@ -57,35 +56,37 @@ PLUGINS [
 #IP_VERSION = 0

 # Sample alias settings
-ALIAS              : {
-  all-depends: query %dn-%dv,
-  annotations: info -A,
-  build-depends: info -qd,
-  cinfo: info -Cx,
-  comment: query -i "%c",
-  csearch: search -Cx,
-  desc: query -i "%e",
-  download: fetch,
-  iinfo: info -ix,
-  isearch: search -ix,
-  prime-list: "query -e '%a = 0' '%n'",
-  prime-origins: "query -e '%a = 0' '%o'",
-  leaf: "query -e '%#r == 0' '%n-%v'",
-  list: info -ql,
-  noauto = "query -e '%a == 0' '%n-%v'",
-  options: query -i "%n - %Ok: %Ov",
-  origin: info -qo,
-  orphans: version -vRl\?,
-  provided-depends: info -qb,
-  rall-depends: rquery %dn-%dv,
-  raw: info -R,
-  rcomment: rquery -i "%c",
-  rdesc: rquery -i "%e",
-  required-depends: info -qr,
-  roptions: rquery -i "%n - %Ok: %Ov",
-  shared-depends: info -qB,
-  show: info -f -k,
-  size: info -sq,
-  unmaintained = "query -e '%m = \"ports@FreeBSD.org\"' '%o (%w)'",
-  runmaintained = "rquery -e '%m = \"ports@FreeBSD.org\"' '%o (%w)'",
-  }
+ALIAS {
+    all-depends = "query %dn-%dv";
+    annotations = "info -A";
+    build-depends = "info -qd";
+    cinfo = "info -Cx";
+    comment = "query -i \"%c\"";
+    csearch = "search -Cx";
+    desc = "query -i \"%e\"";
+    download = "fetch";
+    iinfo = "info -ix";
+    isearch = "search -ix";
+    prime-list = "query -e '%a = 0' '%n'";
+    prime-origins = "query -e '%a = 0' '%o'";
+    leaf = "query -e '%#r == 0' '%n-%v'";
+    list = "info -ql";
+    noauto = "query -e '%a == 0' '%n-%v'";
+    options = "query -i \"%n - %Ok: %Ov\"";
+    origin = "info -qo";
+    orphans = "version -vRl?";
+    provided-depends = "info -qb";
+    rall-depends = "rquery %dn-%dv";
+    raw = "info -R";
+    rcomment = "rquery -i \"%c\"";
+    rdesc = "rquery -i \"%e\"";
+    required-depends = "info -qr";
+    roptions = "rquery -i \"%n - %Ok: %Ov\"";
+    sets = "info -d -C -x '^FreeBSD-set-'";
+    shared-depends = "info -qB";
+    show = "info -f -k";
+    size = "info -sq";
+    unmaintained = "query -e '%m = \"ports@FreeBSD.org\"' '%o (%w)'";
+    runmaintained = "rquery -e '%m = \"ports@FreeBSD.org\"' '%o (%w)'";
+}
+BACKUP_LIBRARIES=yes
--- a/ansible/roles/package_manager/tasks/freebsd.yaml
+++ b/ansible/roles/package_manager/tasks/freebsd.yaml
@@ -36,8 +36,8 @@
    owner: root
    group: wheel
  loop:
-    - src: FreeBSD.conf
-      dest: /usr/local/etc/pkg/repos/FreeBSD.conf
+    - src: FreeBSD-ports.conf
+      dest: /usr/local/etc/pkg/repos/FreeBSD-ports.conf

 - name: Install Configuration
  when: custom_repo is defined
--- a/ansible/roles/sshd/files/keys/mole.pub
+++ b/ansible/roles/sshd/files/keys/mole.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINtEizWWTfTdWJ+f6F2ot27V0ktYAxSCVI6d/tpS6ARw mole@maxwell
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINtEizWWTfTdWJ+f6F2ot27V0ktYAxSCVI6d/tpS6ARw mole@maxwell`