Compare commits

..

10 Commits

Author SHA1 Message Date
Tom Alexander
6c7265d1d3
Uncomment playbook. 2023-07-01 16:42:20 -04:00
Tom Alexander
b17a5f352d
Sanitize network interface names in jail_netgraph_bridge.bash script. 2023-07-01 16:41:41 -04:00
Tom Alexander
db17b87cb8
Enable NTP on Linux. 2023-07-01 16:41:40 -04:00
Tom Alexander
f667f50f84
Only put VM disk metadata into the ARC.
The guest VMs should have their own filesystem cache so I see no need to pollute the host's cache.
2023-07-01 16:41:40 -04:00
Tom Alexander
8346065c6f
Add a NFS server jail for persistent volumes. 2023-07-01 16:41:40 -04:00
Tom Alexander
ab48b1e01f
Re-enable the vulkan renderer on linux.
It is no longer crashing on linux.
2023-07-01 16:41:40 -04:00
Tom Alexander
eb547bf1bf
Add an endless loop to poudboot to rebuild at intervals. 2023-07-01 16:41:40 -04:00
Tom Alexander
9d16e1d42e
Add locking to poudboot. 2023-07-01 16:41:40 -04:00
Tom Alexander
0e86dac2ac
Add support for custom repos in FreeBSD. 2023-07-01 16:41:40 -04:00
Tom Alexander
edfdb203a0
Only NAT internal DNS requests. 2023-06-20 13:05:31 -04:00
13 changed files with 208 additions and 89 deletions

View File

@ -1,4 +1,5 @@
os_flavor: "freebsd" os_flavor: "freebsd"
custom_repo: 13amd64-default-framework
zfs_snapshot_datasets: zfs_snapshot_datasets:
- zroot/freebsd/release/be/default - zroot/freebsd/release/be/default
sshd_enabled: true sshd_enabled: true

View File

@ -5,49 +5,49 @@
- sudo - sudo
- doas - doas
- users - users
# - package_manager - package_manager
# - zfs - zfs
# - zrepl - zrepl
# - zsh - zsh
# - network - network
# - sshd - sshd
# - base - base
# - firewall - firewall
# - cpu - cpu
# - ntp - ntp
# - nvme - nvme
# - hosts - hosts
# - build - build
# - sound - sound
# - graphics - graphics
# - gpg - gpg
# - fonts - fonts
# - alacritty - alacritty
# - sway - sway
# - emacs - emacs
# - firefox - firefox
# - devfs - devfs
# - ssh_client - ssh_client
# - sshfs - sshfs
# - jail - jail
# - fuse - fuse
# - autofs - autofs
# - exfat - exfat
# - bhyve - bhyve
# - bluetooth - bluetooth
# - media - media
# - kubernetes - kubernetes
# - google_cloud_sdk - google_cloud_sdk
# - ansible - ansible
# - wireguard - wireguard
# - portshaker - portshaker
# - poudriere - poudriere
# - android - android
# - latex - latex
# - pyenv - pyenv
# - webcam - webcam
# - docker - docker
# - vscode - vscode
- javascript - javascript
- hosts: nat_dhcp:homeserver_nat_dhcp:mrmanager_nat_dhcp - hosts: nat_dhcp:homeserver_nat_dhcp:mrmanager_nat_dhcp

View File

@ -68,7 +68,7 @@ IP_RANGE="$IP_RANGE"
BRIDGE_NAME="$BRIDGE_NAME" BRIDGE_NAME="$BRIDGE_NAME"
INTERFACE_NAME="$INTERFACE_NAME" INTERFACE_NAME="$INTERFACE_NAME"
EOF EOF
zfs create -s "-V${gigabytes}G" -o volmode=dev "$zfs_path/disk0" zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none "$zfs_path/disk0"
} }
function start_vm { function start_vm {

View File

@ -30,9 +30,9 @@ rdr pass on jail_nat inet proto tcp from $jail_nat_v4 to $not_jail_nat_v4 port 6
# nat pass on $not_ext_if proto {tcp, udp} from $not_jail_nat_v4 to 10.215.1.210 port 65099 -> (jail_nat) # nat pass on $not_ext_if proto {tcp, udp} from $not_jail_nat_v4 to 10.215.1.210 port 65099 -> (jail_nat)
# nat pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.210 port 65099 -> (lagg0) # nat pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.210 port 65099 -> (lagg0)
rdr pass inet proto {tcp, udp} from any to ($ext_if) port 53 -> 10.215.1.211 port 53 rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 53 -> 10.215.1.211 port 53
nat pass on jail_nat proto {tcp, udp} from { 10.215.1.0/24, !10.215.1.1 } to 10.215.1.211 -> (jail_nat) rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 53 tag REDIRINTERNAL -> 10.215.1.211 port 53
nat pass proto {tcp, udp} tagged REDIRINTERNAL -> (jail_nat)
# filtering # filtering
block log all block log all

View File

@ -20,7 +20,7 @@ function main {
function start_jail { function start_jail {
host_interface_name="$1" host_interface_name="$1"
bridge_name="bridge_${host_interface_name}" bridge_name="bridge_${host_interface_name}"
jail_interface_name="$2" jail_interface_name=$(sanitize_interface_name "$2")
ip_range="$3" ip_range="$3"
assert_bridge "$host_interface_name" "$bridge_name" "$ip_range" assert_bridge "$host_interface_name" "$bridge_name" "$ip_range"
@ -36,7 +36,7 @@ EOF
function stop_jail { function stop_jail {
host_interface_name="$1" host_interface_name="$1"
bridge_name="bridge_${host_interface_name}" bridge_name="bridge_${host_interface_name}"
jail_interface_name="$2" jail_interface_name=$(sanitize_interface_name "$2")
if ng_exists "${jail_interface_name}:"; then if ng_exists "${jail_interface_name}:"; then
wait_for_interface_to_exist "${jail_interface_name}" 120 wait_for_interface_to_exist "${jail_interface_name}" 120
@ -117,4 +117,8 @@ function wait_for_interface_to_exist {
done done
} }
function sanitize_interface_name {
echo "${1:0:15}"
}
main "${@}" main "${@}"

View File

@ -1,6 +1,6 @@
# - name: Install packages - name: Start ntp service
# pacman: systemd:
# name: state: started
# - foo name: systemd-timesyncd
# state: present daemon_reload: yes
# update_cache: true enabled: yes

View File

@ -0,0 +1,3 @@
FreeBSD: {
enabled: no
}

View File

@ -0,0 +1,14 @@
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv/0Hh9ace1/nH+QnlPPx
XFbSAcp1soEypMuSGgEc+ZNXIkQT11rkzXkTI5vyYIgVYLEE4iMTzXCGhMkb8M1Y
zsXRB8l4+Dimcrtqj/+Fvsk+WVeadXwugZ3LWOIb6V7hLMyGxvbouZHC9gduMaLh
xGoBup3kgOxSuVXVAlCGBZgmdGNmbpZNYl6BcJtK8bnlxFOmBPQsompSzLzIAItO
7r0Rf3xXFOwaCpB1QkFMBGrIDSXkhpXTl1/k5LU2kpM81Ec4EvZwXQJuj3+J3q+n
tMeTY2ARb3e4vBaieTww7obfHqLgx6jyL07gl/pW8WXrx4aLGvMkdpVnTFg0K0X1
3xoZKGWJdjSznHFtJo+IICLPGMbOxz52lwXDCrRV2yCUMH29hQiCIK9j5q4q1JAD
rV4p5ccabfzUduc4yT9kx0+hAXLxVs5mtIianDnJAEBE4yXucWbM6FaE+jYaN9L3
dXU6vESTdS6+o8Tz/lo/a0MLyj99URvAxKFsYKg4PnbUcSs+qFuUI0yMpcNIMImy
+7gY54t3Izma5pCS7WXtl38SdM8d/gfl/d5xD88BYWIS82gCXoh9G37PFxzCZaNx
OKclQq1dZ1mXLDD2yHymDCLBXqfEfTBp4tb5A8JBRKBeqkDCOYZNmp+06VzgdPiO
PYwdK2INLfUnBKGN02hgPosCAwEAAQ==
-----END PUBLIC KEY-----

View File

@ -16,6 +16,18 @@
state: present state: present
- name: Install Configuration - name: Install Configuration
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
owner: root
group: wheel
loop:
- src: pkg.conf
dest: /usr/local/etc/pkg.conf
- name: Install Configuration
when: custom_repo is not defined
register: changed_config register: changed_config
copy: copy:
src: "files/{{ item.src }}" src: "files/{{ item.src }}"
@ -26,8 +38,32 @@
loop: loop:
- src: FreeBSD.conf - src: FreeBSD.conf
dest: /usr/local/etc/pkg/repos/FreeBSD.conf dest: /usr/local/etc/pkg/repos/FreeBSD.conf
- src: pkg.conf
dest: /usr/local/etc/pkg.conf - name: Install Configuration
when: custom_repo is defined
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
owner: root
group: wheel
loop:
- src: disable_freebsd_upstream.conf
dest: /usr/local/etc/pkg/repos/FreeBSD.conf
- src: poudriere.pub
dest: /usr/local/etc/pkg/poudriere.pub
- name: Install Configuration
when: custom_repo is defined
register: changed_config
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: wheel
mode: 0644
loop:
- { src: custom.conf.j2, dest: /usr/local/etc/pkg/repos/custom.conf }
# - name: Replace all packages with packages from new repo # - name: Replace all packages with packages from new repo
# command: pkg upgrade -f -y # command: pkg upgrade -f -y

View File

@ -0,0 +1,8 @@
custom: {
# url: "file:///opt/pkgrepo/packages/current-default-framework"
url: "https://freebsdpkg.fizz.buzz/repo/{{ custom_repo }}",
enabled: yes,
signature_type: "pubkey",
pubkey: "/usr/local/etc/pkg/poudriere.pub",
priority: 100
}

View File

@ -5,26 +5,59 @@ set -euo pipefail
IFS=$'\n\t' IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: ${LOCKFILE:="/var/run/poudboot.lock"}
: ${INFO_DIR:="/opt/poudriere/run_info"}
: ${PORT_UPDATE_SECONDS:="86400"}
: ${BUILD_SECONDS:="7200"}
############## Setup #########################
# function cleanup {
# for f in "${folders[@]}"; do
# log "Deleting $f"
# rm -rf "$f"
# done
# }
# folders=()
# for sig in EXIT INT QUIT HUP TERM; do
# trap "set +e; cleanup" "$sig"
# done
function die {
local status_code="$1"
shift
(>&2 echo "${@}")
exit "$status_code"
}
function log {
(>&2 echo "${@}")
}
function run_locked {
if [ "${RUN_LOCKED:-}" != "RUN" ]; then
exec env RUN_LOCKED=RUN flock --nonblock $LOCKFILE $0 $@
fi
}
############## Program #########################
function main { function main {
COMMAND="$1" local COMMAND="$1"
shift 1
if [ "$COMMAND" = "start" ]; then if [ "$COMMAND" = "start" ]; then
run_locked "${@}"
shift 1
cmd_start "${@}" cmd_start "${@}"
elif [ "$COMMAND" = "stop" ]; then elif [ "$COMMAND" = "stop" ]; then
shift 1
cmd_stop "${@}" cmd_stop "${@}"
else else
die 1 "Unrecognized command: $COMMAND" die 1 "Unrecognized command: $COMMAND"
fi fi
} }
function die {
exit_code="$1"
shift 1
(>&2 echo "${@}")
exit "$exit_code"
}
function abort_if_jobs_running { function abort_if_jobs_running {
if [[ $(sudo poudriere status) != *"No running builds"* ]]; then if [[ $(sudo poudriere status) != *"No running builds"* ]]; then
echo "There is already a poudriere build in progress, exiting." echo "There is already a poudriere build in progress, exiting."
@ -40,30 +73,47 @@ function build {
function cmd_start { function cmd_start {
abort_if_jobs_running abort_if_jobs_running
# Allow command failures without quitting the script because some while true; do
# package sets might fail whereas others may succeed based on which for conf in /opt/poudriere/build_configs/*; do
# packages are in each set. (
set +e # Allow command failures without quitting the script because some
# package sets might fail whereas others may succeed based on which
# packages are in each set.
set +e
for conf in /opt/poudriere/build_configs/*; do source "$conf"
( local RUN_DIR="$INFO_DIR/$JAIL-$PORTS-$SET"
source "$conf" local TIMES_FILE="$RUN_DIR/times"
build -j "$JAIL" -p "$PORTS" -z "$SET" -f /usr/local/etc/poudriere.d/$JAIL-$PORTS-$SET-pkglist mkdir -p "$RUN_DIR"
) local PORTUPDATE=0
local LASTBUILD=0
if [ -e "$TIMES_FILE" ]; then
source "$TIMES_FILE"
fi
local now=$(date +%s)
if [ $((now - PORTUPDATE)) -gt "$PORT_UPDATE_SECONDS" ]; then
log "Updating ports for $JAIL-$PORTS-$SET"
portshaker -U
portshaker -M
PORTUPDATE=$(date +%s)
fi
if [ $((now - LASTBUILD)) -gt "$BUILD_SECONDS" ]; then
log "Building ports for $JAIL-$PORTS-$SET"
build -j "$JAIL" -p "$PORTS" -z "$SET" -f /usr/local/etc/poudriere.d/$JAIL-$PORTS-$SET-pkglist
LASTBUILD=$(date +%s)
# Cleanup old unused dist files
poudriere distclean -y -p "$PORTS" -f /usr/local/etc/poudriere.d/$JAIL-$PORTS-$SET-pkglist
poudriere logclean -y 180
fi
cat > "$TIMES_FILE" <<EOF
PORTUPDATE=$PORTUPDATE
LASTBUILD=$LASTBUILD
EOF
)
done
sleep 300
done done
# Re-enable exiting on failed commands
set -e
# Cleanup old unused dist files
for conf in /opt/poudriere/build_configs/*; do
(
source "$conf"
poudriere distclean -y -p "$PORTS" -f /usr/local/etc/poudriere.d/$JAIL-$PORTS-$SET-pkglist
)
done
poudriere logclean -y 180
} }
function cmd_stop { function cmd_stop {

View File

@ -67,3 +67,6 @@ _carddavs._tcp IN SRV 0 1 443 carddav.fastmail.com
_caldav._tcp IN SRV 0 0 0 . _caldav._tcp IN SRV 0 0 0 .
_caldavs._tcp IN SRV 0 1 443 caldav.fastmail.com _caldavs._tcp IN SRV 0 1 443 caldav.fastmail.com
home IN A 68.197.252.22
opstunnel IN CNAME home.fizz.buzz.

View File

@ -6,6 +6,6 @@ IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
export XDG_CURRENT_DESKTOP=sway export XDG_CURRENT_DESKTOP=sway
#export WLR_RENDERER=vulkan export WLR_RENDERER=vulkan
exec sway -d &> $HOME/.config/swaylog exec sway -d &> $HOME/.config/swaylog