From fb90c63d8470255083477322415f459813815fcc Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Thu, 4 Jul 2024 00:45:54 -0400
Subject: [PATCH] Enable quic and add CUSTOM kernel.

---
 ansible/environments/vm/host_vars/poudrieremrmanager | 4 ++--
 ansible/roles/jail_bastion/files/headers.include | 3 +++
 ansible/roles/jail_bastion/files/nginx.conf | 2 ++
 ansible/roles/jail_bastion/files/proxy.include | 2 ++
 ansible/roles/poudriere/files/poudriere_delete_jail.bash | 2 ++
 ansible/roles/poudriere/tasks/freebsd.yaml | 2 ++
 6 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/ansible/environments/vm/host_vars/poudrieremrmanager b/ansible/environments/vm/host_vars/poudrieremrmanager
index 7275327..0a16e12 100644
--- a/ansible/environments/vm/host_vars/poudrieremrmanager
+++ b/ansible/environments/vm/host_vars/poudrieremrmanager
@@ -11,7 +11,7 @@ poudriere_builds:
 set: framework
 version: CURRENT
 # revision: 66d37dbedfbf2dc94ccf49e6983c3652d5909b91
- kernel: GENERIC-NODEBUG
+ kernel: CUSTOM
 branch: main
 srcconf: currentznver4_src.conf
 # - jail: 14broadwell
@@ -24,6 +24,6 @@ poudriere_builds:
 ports: default
 set: computer
 version: CURRENT
- kernel: GENERIC
+ kernel: CUSTOM
 branch: releng/14.1
 srcconf: 14broadwell_src.conf
diff --git a/ansible/roles/jail_bastion/files/headers.include b/ansible/roles/jail_bastion/files/headers.include
index ffb49b9..56a59c4 100644
--- a/ansible/roles/jail_bastion/files/headers.include
+++ b/ansible/roles/jail_bastion/files/headers.include
@@ -10,3 +10,6 @@ add_header X-Content-Type-Options "nosniff" always;
 # Disallow the site to be rendered within a frame (clickjacking
 # protection)
 add_header X-Frame-Options "DENY" always;
+
+# Indicate that we are serving http3 on port 443
+add_header Alt-Svc 'h3=":443"; ma=864000';
diff --git a/ansible/roles/jail_bastion/files/nginx.conf b/ansible/roles/jail_bastion/files/nginx.conf
index 13eafd2..0a63994 100644
--- a/ansible/roles/jail_bastion/files/nginx.conf
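Review bot: The `CUSTOM` kernel config that the new `kernel:` values name is not added anywhere in this patch (the diffstat lists six files, none of them a kernel config), so the `-K CUSTOM` that the create task passes to `poudriere jail -c` will only resolve if that config already exists in the source tree checked out for each jail. If it is provisioned elsewhere, a short comment beside the value, `# CUSTOM is supplied outside this repo; see <where it lives>`, would save the next reader the search. The second hunk (the releng/14.1 jail) makes the same switch and needs the same confirmation.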
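Review bot: The new `add_header Alt-Svc` line omits the `always` flag that both other `add_header` directives in this file carry, so the h3 advertisement is only attached to responses in nginx's default success/redirect status set rather than to every response. If that is intended it deserves a comment; otherwise `add_header Alt-Svc 'h3=":443"; ma=864000' always;` keeps the file consistent. The comment could also spell out that `ma=864000` lets clients cache the hint for ten days, so UDP/443 has to stay reachable for that long once this ships, or clients will keep attempting h3 before falling back.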
+++ b/ansible/roles/jail_bastion/files/nginx.conf
@@ -26,6 +26,8 @@ http {
 }
 server {
+ listen 443 quic reuseport;
+ listen [::]:443 quic reuseport;
 listen 443 ssl;
 listen [::]:443 ssl;
 http2 on;
diff --git a/ansible/roles/jail_bastion/files/proxy.include b/ansible/roles/jail_bastion/files/proxy.include
index aa2a42a..3e54c14 100644
--- a/ansible/roles/jail_bastion/files/proxy.include
+++ b/ansible/roles/jail_bastion/files/proxy.include
@@ -5,3 +5,5 @@ proxy_set_header X-Forwarded-Proto $scheme;
 # Settings for keepalive module for upstreams
 proxy_http_version 1.1;
 proxy_set_header Connection "";
+# Requests sent with early data are subject to replay attacks so the application needs to protect against that by using the Early-Data header.
+# proxy_set_header Early-Data $ssl_early_data;
diff --git a/ansible/roles/poudriere/files/poudriere_delete_jail.bash b/ansible/roles/poudriere/files/poudriere_delete_jail.bash
index d764214..712e9bd 100644
--- a/ansible/roles/poudriere/files/poudriere_delete_jail.bash
+++ b/ansible/roles/poudriere/files/poudriere_delete_jail.bash
@@ -12,5 +12,7 @@ if ! grep -q "${jail_name}" <<<"$jail_list"; then
 fi
 poudriere jail -d -j "$jail_name" -C all
+rm -rf /usr/local/poudriere/data/images/${jail_name}-repo \
+ /usr/obj/usr/local/poudriere/jails/${jail_name}
 echo "Deleted jail $jail_name"
diff --git a/ansible/roles/poudriere/tasks/freebsd.yaml b/ansible/roles/poudriere/tasks/freebsd.yaml
index 68b7b89..43c8d2a 100644
--- a/ansible/roles/poudriere/tasks/freebsd.yaml
+++ b/ansible/roles/poudriere/tasks/freebsd.yaml
@@ -123,6 +123,7 @@
 - name: Create the jails
 when: item.version != "CURRENT"
+ check_mode: false
 command: |-
 echo poudriere jail {{poudriere_perf_flags}} -c -j {{ item.jail }} -v {{ item.version }} -a amd64 -K {{ item.kernel|default("GENERIC") }} -B -b
 args: 
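Review bot: The two new `quic` listeners bind UDP 443, whereas the existing `ssl` listeners are TCP, so the bastion's packet filter must also pass UDP/443; nothing in this patch touches firewall rules, so that is either handled elsewhere or missing, and it is worth verifying before the Alt-Svc header starts steering clients to h3. Consider adding `quic_retry on;` next to the new listen lines so nginx validates client addresses with Retry packets before allocating connection state, which bounds how much a spoofed-source QUIC handshake can make the server send. The enclosing `server` block continues outside the hunk.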
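Review bot: The added comment warns that early-data requests are replayable, but the `Early-Data` header that would let the upstream detect them stays commented out, and no `ssl_early_data on;` appears in this patch, so the hunk documents a risk without wiring its mitigation. If 0-RTT is currently off, say so explicitly, e.g. `# 0-RTT is not enabled; when ssl_early_data is turned on, enable this header so the upstream can reject or idempotency-check requests carrying Early-Data: 1`; if it is enabled in a file not shown here, the `proxy_set_header Early-Data $ssl_early_data;` line should be live rather than left as a reminder.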
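Review bot: `${jail_name}` is unquoted in both new `rm -rf` arguments, unlike the quoted `"$jail_name"` on the `poudriere jail -d` line just above, so a name containing whitespace or glob characters expands into extra paths. The guard visible in the hunk header is a substring `grep -q`, which an empty `jail_name` also passes (an empty pattern matches every line), and with an empty value the second argument collapses to the parent jails directory; how `jail_name` is set is outside the hunk, so this may already be prevented upstream. Quoting both paths, `rm -rf "/usr/local/poudriere/data/images/${jail_name}-repo" \` / `  "/usr/obj/usr/local/poudriere/jails/${jail_name}"`, and a `[ -n "$jail_name" ] || exit 1` before the removal would close both cases.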
@@ -131,6 +132,7 @@
 - name: Create the jails
 when: item.version == "CURRENT"
+ check_mode: false
 # -D clones the entire history instead of just the most recent commit
 # -B to build the pkgbase packages
 # -b to build the jail OS from source