


Tom Alexander
6c7265d1d3
Uncomment playbook. 2023-07-01 16:42:20 -04:00
Tom Alexander
b17a5f352d
Sanitize network interface names in jail_netgraph_bridge.bash script. 2023-07-01 16:41:41 -04:00
Tom Alexander
db17b87cb8
Enable NTP on Linux. 2023-07-01 16:41:40 -04:00
Tom Alexander
f667f50f84
Only put VM disk metadata into the ARC.
The guest VMs should have their own filesystem cache so I see no need to pollute the host's cache.
2023-07-01 16:41:40 -04:00
Tom Alexander
8346065c6f
Add a NFS server jail for persistent volumes. 2023-07-01 16:41:40 -04:00
Tom Alexander
ab48b1e01f
Re-enable the vulkan renderer on linux.
It is no longer crashing on linux.
2023-07-01 16:41:40 -04:00
Tom Alexander
eb547bf1bf
Add an endless loop to poudboot to rebuild at intervals. 2023-07-01 16:41:40 -04:00
Tom Alexander
9d16e1d42e
Add locking to poudboot. 2023-07-01 16:41:40 -04:00
Tom Alexander
0e86dac2ac
Add support for custom repos in FreeBSD. 2023-07-01 16:41:40 -04:00
Tom Alexander
edfdb203a0
Only NAT internal DNS requests. 2023-06-20 13:05:31 -04:00
13 changed files with 208 additions and 89 deletions


@ -1,4 +1,5 @@
os_flavor: "freebsd"
custom_repo: 13amd64-default-framework
zfs_snapshot_datasets:
- zroot/freebsd/release/be/default
sshd_enabled: true


@ -5,49 +5,49 @@
- sudo
- doas
- users
# - package_manager
# - zfs
# - zrepl
# - zsh
# - network
# - sshd
# - base
# - firewall
# - cpu
# - ntp
# - nvme
# - hosts
# - build
# - sound
# - graphics
# - gpg
# - fonts
# - alacritty
# - sway
# - emacs
# - firefox
# - devfs
# - ssh_client
# - sshfs
# - jail
# - fuse
# - autofs
# - exfat
# - bhyve
# - bluetooth
# - media
# - kubernetes
# - google_cloud_sdk
# - ansible
# - wireguard
# - portshaker
# - poudriere
# - android
# - latex
# - pyenv
# - webcam
# - docker
# - vscode
- package_manager
- zfs
- zrepl
- zsh
- network
- sshd
- base
- firewall
- cpu
- ntp
- nvme
- hosts
- build
- sound
- graphics
- gpg
- fonts
- alacritty
- sway
- emacs
- firefox
- devfs
- ssh_client
- sshfs
- jail
- fuse
- autofs
- exfat
- bhyve
- bluetooth
- media
- kubernetes
- google_cloud_sdk
- ansible
- wireguard
- portshaker
- poudriere
- android
- latex
- pyenv
- webcam
- docker
- vscode
- javascript
- hosts: nat_dhcp:homeserver_nat_dhcp:mrmanager_nat_dhcp


@ -68,7 +68,7 @@ IP_RANGE="$IP_RANGE"
BRIDGE_NAME="$BRIDGE_NAME"
INTERFACE_NAME="$INTERFACE_NAME"
EOF
zfs create -s "-V${gigabytes}G" -o volmode=dev "$zfs_path/disk0"
zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none "$zfs_path/disk0"
}
function start_vm {


@ -30,9 +30,9 @@ rdr pass on jail_nat inet proto tcp from $jail_nat_v4 to $not_jail_nat_v4 port 6
# nat pass on $not_ext_if proto {tcp, udp} from $not_jail_nat_v4 to 10.215.1.210 port 65099 -> (jail_nat)
# nat pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.210 port 65099 -> (lagg0)
rdr pass inet proto {tcp, udp} from any to ($ext_if) port 53 -> 10.215.1.211 port 53
nat pass on jail_nat proto {tcp, udp} from { 10.215.1.0/24, !10.215.1.1 } to 10.215.1.211 -> (jail_nat)
rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 53 -> 10.215.1.211 port 53
rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 53 tag REDIRINTERNAL -> 10.215.1.211 port 53
nat pass proto {tcp, udp} tagged REDIRINTERNAL -> (jail_nat)
# filtering
block log all
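Review bot: The first new `rdr pass` rule still redirects port 53 for every source matched by `$not_jail_nat_v4`, and because `rdr pass` bypasses the filter section, `block log all` never sees those packets; if `$not_jail_nat_v4` is the plain complement of the jail network (its definition is outside this hunk) that includes sources arriving on `$ext_if` from the Internet, and 10.215.1.211 becomes an open resolver. Restrict the rule to where the redirect is meant to apply, either with an `on` clause naming the internal interface or by replacing `from $not_jail_nat_v4` with the internal prefixes, or drop `pass` so an explicit filter rule decides. The two commented-out `nat pass` lines above are now stale and should be removed rather than left as a second, contradictory version of the rule.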


@ -20,7 +20,7 @@ function main {
function start_jail {
host_interface_name="$1"
bridge_name="bridge_${host_interface_name}"
jail_interface_name="$2"
jail_interface_name=$(sanitize_interface_name "$2")
ip_range="$3"
assert_bridge "$host_interface_name" "$bridge_name" "$ip_range"
@ -36,7 +36,7 @@ EOF
function stop_jail {
host_interface_name="$1"
bridge_name="bridge_${host_interface_name}"
jail_interface_name="$2"
jail_interface_name=$(sanitize_interface_name "$2")
if ng_exists "${jail_interface_name}:"; then
wait_for_interface_to_exist "${jail_interface_name}" 120
@ -117,4 +117,8 @@ function wait_for_interface_to_exist {
done
}
function sanitize_interface_name {
echo "${1:0:15}"
}
main "${@}"
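Review bot: `sanitize_interface_name` only truncates to 15 characters; it does not reject characters that are meaningless in an interface name or significant to ngctl, and the result is later used as a netgraph path (`ng_exists "${jail_interface_name}:"`), so a `:` or `.` in the jail's interface argument changes which node the path addresses. Truncation also maps two names that share their first 15 characters onto the same interface, silently attaching both jails to one hook with no error. A stricter version keeps the length limit but fails closed on anything outside `[A-Za-z0-9_-]`; both callers already assign through `$(...)`, so the non-zero return aborts them if the script runs under `set -e` (its header is outside this hunk).
```shell
function sanitize_interface_name {
  local name="${1:0:15}"
  if [[ ! "$name" =~ ^[A-Za-z0-9_-]+$ ]]; then
    echo "Refusing unsafe interface name: $1" >&2
    return 1
  fi
  echo "$name"
}
```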


@ -1,6 +1,6 @@
# - name: Install packages
# pacman:
# name:
# - foo
# state: present
# update_cache: true
- name: Start ntp service
systemd:
state: started
name: systemd-timesyncd
daemon_reload: yes
enabled: yes
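Review bot: `daemon_reload: yes` reloads the systemd manager on every play even though this task installs no unit file, which costs a reload per run for nothing; drop it, or keep it only on a task that actually writes a unit. The task also relies on the distribution defaults for which servers `systemd-timesyncd` talks to, so a short comment such as `# Uses the distro default NTP pool; timesyncd does not authenticate time sources` would record that choice for whoever later hardens the host.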


@ -0,0 +1,3 @@
FreeBSD: {
enabled: no
}


@ -0,0 +1,14 @@
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv/0Hh9ace1/nH+QnlPPx
XFbSAcp1soEypMuSGgEc+ZNXIkQT11rkzXkTI5vyYIgVYLEE4iMTzXCGhMkb8M1Y
zsXRB8l4+Dimcrtqj/+Fvsk+WVeadXwugZ3LWOIb6V7hLMyGxvbouZHC9gduMaLh
xGoBup3kgOxSuVXVAlCGBZgmdGNmbpZNYl6BcJtK8bnlxFOmBPQsompSzLzIAItO
7r0Rf3xXFOwaCpB1QkFMBGrIDSXkhpXTl1/k5LU2kpM81Ec4EvZwXQJuj3+J3q+n
tMeTY2ARb3e4vBaieTww7obfHqLgx6jyL07gl/pW8WXrx4aLGvMkdpVnTFg0K0X1
3xoZKGWJdjSznHFtJo+IICLPGMbOxz52lwXDCrRV2yCUMH29hQiCIK9j5q4q1JAD
rV4p5ccabfzUduc4yT9kx0+hAXLxVs5mtIianDnJAEBE4yXucWbM6FaE+jYaN9L3
dXU6vESTdS6+o8Tz/lo/a0MLyj99URvAxKFsYKg4PnbUcSs+qFuUI0yMpcNIMImy
+7gY54t3Izma5pCS7WXtl38SdM8d/gfl/d5xD88BYWIS82gCXoh9G37PFxzCZaNx
OKclQq1dZ1mXLDD2yHymDCLBXqfEfTBp4tb5A8JBRKBeqkDCOYZNmp+06VzgdPiO
PYwdK2INLfUnBKGN02hgPosCAwEAAQ==
-----END PUBLIC KEY-----


@ -16,6 +16,18 @@
state: present
- name: Install Configuration
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
owner: root
group: wheel
loop:
- src: pkg.conf
dest: /usr/local/etc/pkg.conf
- name: Install Configuration
when: custom_repo is not defined
register: changed_config
copy:
src: "files/{{ item.src }}"
@ -26,8 +38,32 @@
loop:
- src: FreeBSD.conf
dest: /usr/local/etc/pkg/repos/FreeBSD.conf
- src: pkg.conf
dest: /usr/local/etc/pkg.conf
- name: Install Configuration
when: custom_repo is defined
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
owner: root
group: wheel
loop:
- src: disable_freebsd_upstream.conf
dest: /usr/local/etc/pkg/repos/FreeBSD.conf
- src: poudriere.pub
dest: /usr/local/etc/pkg/poudriere.pub
- name: Install Configuration
when: custom_repo is defined
register: changed_config
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: wheel
mode: 0644
loop:
- { src: custom.conf.j2, dest: /usr/local/etc/pkg/repos/custom.conf }
# - name: Replace all packages with packages from new repo
# command: pkg upgrade -f -y
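Review bot: The two tasks that `register: changed_config` run under mutually exclusive `when` conditions, but Ansible records a result for a skipped task as well, so on a host without `custom_repo` the later template task's skipped result overwrites the copy task's result and `changed_config.changed` is never true there; register them under distinct names, e.g. `changed_upstream_config` and `changed_custom_config`, and have the consumer (not visible in this hunk) test either. Four tasks now share the name `Install Configuration`, which makes a failure report ambiguous about which branch ran; name them by what they install (`Install pkg.conf`, `Install upstream FreeBSD repo config`, `Install poudriere signing key and disable upstream repo`, `Install custom repo config`). The copy of `poudriere.pub` is not registered at all, so a key rotation would not count as a configuration change even though it invalidates the cached catalogue, and the `pkg upgrade -f -y` that would replace upstream packages after switching repos is still commented out.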


@ -0,0 +1,8 @@
custom: {
# url: "file:///opt/pkgrepo/packages/current-default-framework"
url: "https://freebsdpkg.fizz.buzz/repo/{{ custom_repo }}",
enabled: yes,
signature_type: "pubkey",
pubkey: "/usr/local/etc/pkg/poudriere.pub",
priority: 100
}


@ -5,26 +5,59 @@ set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: ${LOCKFILE:="/var/run/poudboot.lock"}
: ${INFO_DIR:="/opt/poudriere/run_info"}
: ${PORT_UPDATE_SECONDS:="86400"}
: ${BUILD_SECONDS:="7200"}
############## Setup #########################
# function cleanup {
# for f in "${folders[@]}"; do
# log "Deleting $f"
# rm -rf "$f"
# done
# }
# folders=()
# for sig in EXIT INT QUIT HUP TERM; do
# trap "set +e; cleanup" "$sig"
# done
function die {
local status_code="$1"
shift
(>&2 echo "${@}")
exit "$status_code"
}
function log {
(>&2 echo "${@}")
}
function run_locked {
if [ "${RUN_LOCKED:-}" != "RUN" ]; then
exec env RUN_LOCKED=RUN flock --nonblock $LOCKFILE $0 $@
fi
}
############## Program #########################
function main {
COMMAND="$1"
shift 1
local COMMAND="$1"
if [ "$COMMAND" = "start" ]; then
run_locked "${@}"
shift 1
cmd_start "${@}"
elif [ "$COMMAND" = "stop" ]; then
shift 1
cmd_stop "${@}"
else
die 1 "Unrecognized command: $COMMAND"
fi
}
function die {
exit_code="$1"
shift 1
(>&2 echo "${@}")
exit "$exit_code"
}
function abort_if_jobs_running {
if [[ $(sudo poudriere status) != *"No running builds"* ]]; then
echo "There is already a poudriere build in progress, exiting."
@ -40,30 +73,47 @@ function build {
function cmd_start {
abort_if_jobs_running
while true; do
for conf in /opt/poudriere/build_configs/*; do
(
# Allow command failures without quitting the script because some
# package sets might fail whereas others may succeed based on which
# packages are in each set.
set +e
for conf in /opt/poudriere/build_configs/*; do
(
source "$conf"
local RUN_DIR="$INFO_DIR/$JAIL-$PORTS-$SET"
local TIMES_FILE="$RUN_DIR/times"
mkdir -p "$RUN_DIR"
local PORTUPDATE=0
local LASTBUILD=0
if [ -e "$TIMES_FILE" ]; then
source "$TIMES_FILE"
fi
local now=$(date +%s)
if [ $((now - PORTUPDATE)) -gt "$PORT_UPDATE_SECONDS" ]; then
log "Updating ports for $JAIL-$PORTS-$SET"
portshaker -U
portshaker -M
PORTUPDATE=$(date +%s)
fi
if [ $((now - LASTBUILD)) -gt "$BUILD_SECONDS" ]; then
log "Building ports for $JAIL-$PORTS-$SET"
build -j "$JAIL" -p "$PORTS" -z "$SET" -f /usr/local/etc/poudriere.d/$JAIL-$PORTS-$SET-pkglist
)
done
# Re-enable exiting on failed commands
set -e
LASTBUILD=$(date +%s)
# Cleanup old unused dist files
for conf in /opt/poudriere/build_configs/*; do
(
source "$conf"
poudriere distclean -y -p "$PORTS" -f /usr/local/etc/poudriere.d/$JAIL-$PORTS-$SET-pkglist
poudriere logclean -y 180
fi
cat > "$TIMES_FILE" <<EOF
PORTUPDATE=$PORTUPDATE
LASTBUILD=$LASTBUILD
EOF
)
done
poudriere logclean -y 180
sleep 300
done
}
function cmd_stop {
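Review bot: In `cmd_start` the timestamps are advanced unconditionally: `PORTUPDATE=$(date +%s)` follows `portshaker -U`/`portshaker -M` and `LASTBUILD=$(date +%s)` follows `build`, and since the loop is written to tolerate command failures, a transient failure is recorded as a successful run and not retried until `PORT_UPDATE_SECONDS` or `BUILD_SECONDS` elapse again; gate them on success with `portshaker -U && portshaker -M && PORTUPDATE=$(date +%s)` and `build ... && LASTBUILD=$(date +%s)`. The state is read back with `source "$TIMES_FILE"`, which executes whatever is under `$INFO_DIR` as shell in the context of the user that runs the builds (who has sudo rights, given `sudo poudriere status`); if that directory is writable by anyone else it is a code-execution path, so create it restrictively (`mkdir -p -m 0700 "$RUN_DIR"`) or read the two integers with `read` instead of sourcing. In `run_locked`, `$LOCKFILE $0 $@` are unquoted and a held lock makes `flock --nonblock` exit silently with no message; use `exec env RUN_LOCKED=RUN flock --nonblock "$LOCKFILE" "$0" "$@"` and log before the exec that the lock is being taken so a silent exit can be diagnosed.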


@ -67,3 +67,6 @@ _carddavs._tcp IN SRV 0 1 443 carddav.fastmail.com
_caldav._tcp IN SRV 0 0 0 .
_caldavs._tcp IN SRV 0 1 443 caldav.fastmail.com
home IN A 68.197.252.22
opstunnel IN CNAME home.fizz.buzz.


@ -6,6 +6,6 @@ IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
export XDG_CURRENT_DESKTOP=sway
#export WLR_RENDERER=vulkan
export WLR_RENDERER=vulkan
exec sway -d &> $HOME/.config/swaylog
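Review bot: `$HOME` in the redirect `&> $HOME/.config/swaylog` is unquoted; the `IFS=$'\n\t'` above keeps spaces from splitting it but not a tab or newline, and ShellCheck flags it, so write `exec sway -d &> "$HOME/.config/swaylog"`. `sway -d` also writes debug-level output for the whole session with no size bound or rotation; if it is still wanted now that the vulkan renderer is re-enabled, say so in a comment next to the `export`, otherwise drop `-d`.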