7 Commits
67b777c432
...
0363a462a0
0363a462a0 | ||
|
f09844c03c | ||
|
2042719a3c | ||
|
9dc43479aa | ||
|
62e70554be | ||
|
bc29fd5428 | ||
|
b9620382a7 |
@ -21,7 +21,7 @@ wireguard_directory: mrmanager
|
||||
enabled_wireguard:
|
||||
- colo
|
||||
jail_zfs_dataset: zdata/jail
|
||||
jail_zfs_dataset_mountpoint: /jail/main
|
||||
jail_zfs_dataset_mountpoint: /jail
|
||||
jail_canmount: "on"
|
||||
jail_list:
|
||||
- name: nat_dhcp
|
||||
|
@ -31,12 +31,11 @@ pflog_conf:
|
||||
network_rc: "homeserver_network.conf"
|
||||
rc_conf: "homeserver_rc.conf"
|
||||
loader_conf: "homeserver_loader.conf"
|
||||
netgraph_config: "setup_netgraph_homeserver"
|
||||
cputype: "intel"
|
||||
hwpstate: false
|
||||
devfs_rules: "homeserver_devfs.rules"
|
||||
jail_zfs_dataset: zmass/encrypted/jails
|
||||
jail_zfs_dataset_mountpoint: /jail/main
|
||||
jail_zfs_dataset_mountpoint: /jail
|
||||
jail_canmount: "on"
|
||||
jail_bemount: "on"
|
||||
jail_list:
|
||||
@ -51,12 +50,18 @@ jail_list:
|
||||
- name: dagger
|
||||
conf:
|
||||
src: dagger
|
||||
- name: mumble
|
||||
- name: olddagger
|
||||
conf:
|
||||
src: mumble
|
||||
persist:
|
||||
- name: mumbledb
|
||||
mount: /var/db/murmur
|
||||
src: olddagger
|
||||
- name: sftp
|
||||
conf:
|
||||
src: sftp
|
||||
# - name: mumble
|
||||
# conf:
|
||||
# src: mumble
|
||||
# persist:
|
||||
# - name: mumbledb
|
||||
# mount: /var/db/murmur
|
||||
bhyve_dataset: zmass/encrypted/vm
|
||||
bhyve_list: []
|
||||
bhyve_canmount: "on"
|
||||
|
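Review bot: The new `- name: olddagger` entry in jail_list carries no `persist:` block, while the mumble entry it replaces mounted the `mumbledb` dataset at `/var/db/murmur`; with that block now commented out, the `persistent/mumble/mumbledb` dataset created by the jail role is mounted into no jail, so whatever murmur database olddagger uses lives on its root dataset and is lost if the jail is rebuilt. If this is deliberate, say so next to the entry, e.g. `# olddagger: no persist entry on purpose; persistent/mumble/mumbledb is kept only for rollback`; otherwise move the `persist:` block under olddagger. The jail_list key opens in the previous hunk of this file.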
@ -39,7 +39,7 @@ users:
|
||||
gitconfig: "gitconfig_home"
|
||||
devfs_rules: "odo_devfs.rules"
|
||||
jail_zfs_dataset: zroot/freebsd/current/jails
|
||||
jail_zfs_dataset_mountpoint: /jail/main
|
||||
jail_zfs_dataset_mountpoint: /jail
|
||||
jail_list:
|
||||
- name: nat_dhcp
|
||||
enabled: true
|
||||
@ -47,7 +47,8 @@ jail_list:
|
||||
src: nat_dhcp
|
||||
bhyve_dataset: zroot/freebsd/current/vm
|
||||
bhyve_list: []
|
||||
efi_dev: /dev/gpt/EFI
|
||||
# efi_dev: /dev/gpt/EFI
|
||||
efi_dev: /dev/diskid/DISK-SJB7N717610407Q0Hp1
|
||||
sway_conf_files:
|
||||
- launch_gpg
|
||||
wireguard_directory: odo
|
||||
|
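Review bot: `efi_dev` now pins the EFI partition to one drive's serial (`/dev/diskid/DISK-...p1`), but the only explanation lives in the loader.conf comment elsewhere in this commit (gpt labels are not populated while `kern.geom.label.disk_ident.enable` is on); a replaced or reordered drive leaves this value silently stale. Add the reason beside it, `# diskid path: /dev/gpt/EFI is unavailable while kern.geom.label.disk_ident.enable=1 (see loader.conf); update on disk replacement`, so the commented-out gpt line is not mistaken for the preferred form.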
@ -25,5 +25,5 @@ poudriere_builds:
|
||||
set: computer
|
||||
version: CURRENT
|
||||
kernel: GENERIC
|
||||
branch: releng/14.0
|
||||
branch: releng/14.1
|
||||
srcconf: 14broadwell_src.conf
|
||||
|
@ -3,10 +3,10 @@ kern.geom.label.disk_ident.enable="1"
|
||||
|
||||
|
||||
|
||||
# Populates /dev/gpt
|
||||
# Populates /dev/gpt but only if kern.geom.label.disk_ident.enable is disabled.
|
||||
#
|
||||
# This uses gpt partition labels which you can set with:
|
||||
#
|
||||
# gpart modify -l EFI -i 1 nvd0
|
||||
|
||||
kern.geom.label.gptid.enable="1"
|
||||
# kern.geom.label.gptid.enable="1"
|
||||
|
@ -1,4 +1,4 @@
|
||||
set-option -g mouse on
|
||||
# set-option -g mouse on
|
||||
set-option -g history-limit 20000
|
||||
# set -g @plugin 'tmux-plugins/tmux-yank'
|
||||
# Emacs style
|
||||
|
@ -25,9 +25,14 @@ rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1
|
||||
nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (wlan0)
|
||||
rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 1.1.1.1 port 53
|
||||
|
||||
# cloak -> dagger
|
||||
rdr pass on $ext_if inet proto tcp from $not_restricted_nat_v4 to any port 8081 -> 10.215.2.2 port 8081
|
||||
nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8081 -> 10.215.2.1
|
||||
|
||||
# cloak -> olddagger
|
||||
rdr pass on $ext_if inet proto tcp from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082
|
||||
nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1
|
||||
|
||||
# Forward ports for unifi controller
|
||||
# rdr pass on $ext_if inet proto tcp from any to any port 65022 -> 10.213.177.8 port 22
|
||||
rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202
|
||||
|
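Review bot: The new `# cloak -> olddagger` pair opens a second externally reachable port (8082 on `$ext_if` from `$not_restricted_nat_v4`) to a jail whose name marks it as a retired instance, so the comment should record why it stays exposed and when it is removed, e.g. `# cloak -> olddagger (legacy instance kept during migration; drop together with olddagger.conf)`. The rule is a copy of the 8081 line with only the port changed and the same 10.215.2.2 target, so if cloak is not actually listening on 8082 the rdr forwards to a closed port — worth confirming on the cloak side. As with the 8081 pair, the rdr is tcp-only while the matching nat covers `{tcp, udp}`; a one-line comment on why udp is natted but never redirected would save the next reader the question.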
@ -1,5 +1,5 @@
|
||||
admin_git {
|
||||
path = "/jail/main/jails/${name}";
|
||||
path = "/jail/${name}";
|
||||
vnet;
|
||||
exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
|
||||
exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
|
||||
|
@ -1,7 +1,10 @@
|
||||
cloak {
|
||||
path = "/jail/main/jails/${name}";
|
||||
path = "/jail/${name}";
|
||||
vnet;
|
||||
exec.prestart += "/usr/local/bin/jail_netgraph_bridge start restricted_nat jail${name} 10.215.2.1/24";
|
||||
# Create a dummy interface that is never used, just to create the cloak bridge that is used by children.
|
||||
exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak dummy${name} 192.168.1.0/24";
|
||||
exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop cloak dummy{name}";
|
||||
exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop restricted_nat jail${name}";
|
||||
vnet.interface += "jail${name}";
|
||||
vnet.interface += "cloak";
|
||||
|
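Review bot: The poststop line `exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop cloak dummy{name}";` is missing the `$` before `{name}`, so jail.conf passes the literal string `dummy{name}` instead of `dummycloak`, and the dummy interface created by the matching prestart (`start cloak dummy${name} ...`) is never torn down; it should read `exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop cloak dummy${name}";`. What the helper does with an unknown interface name is not visible here, so this may also surface as a failed poststop. The comment above the dummy prestart is useful; consider extending it with the fact that the cloak bridge must outlive the jail's own restricted_nat link, which is why the two poststop lines are ordered dummy-first.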
@ -1,8 +1,11 @@
|
||||
dagger {
|
||||
path = "/jail/main/jails/${name}";
|
||||
path = "/jail/${name}";
|
||||
vnet;
|
||||
vnet.interface += "dagger";
|
||||
|
||||
exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24";
|
||||
exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop cloak ${name}";
|
||||
|
||||
exec.start += "/bin/sh /etc/rc";
|
||||
exec.stop = "/bin/sh /etc/rc.shutdown jail";
|
||||
exec.consolelog = "/var/log/jail_${name}_console.log";
|
||||
|
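Review bot: The added `exec.start += "/bin/sh /etc/rc";` boots the full rc system inside dagger, yet this file declares neither `mount.devfs` nor a `devfs_ruleset` (compare sftp.conf in this commit, which sets `devfs_ruleset = 14; mount.devfs;`); unless a global jail.conf section supplies them — not visible here — the jail either runs with no /dev, which breaks most rc services, or with whatever devfs a global `mount.devfs` gives it unrestricted. Either state the inherited defaults in a comment or add `devfs_ruleset = 4;` and `mount.devfs;` explicitly. Note also that `exec.start` is appended with `+=` while `exec.stop` is assigned with `=`; if a global section already defines exec.start, both commands run.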
@ -1,5 +1,5 @@
|
||||
cloak {
|
||||
path = "/jail/main/jails/mumble";
|
||||
path = "/jail/mumble";
|
||||
vnet;
|
||||
vnet.interface += "host_link3";
|
||||
|
||||
|
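Review bot: This block is named `cloak` but its path is the hard-coded mumble root (`path = "/jail/mumble";`) and it attaches `host_link3` rather than a netgraph bridge like every other conf in this commit, so it reads as a leftover from before the mumble → olddagger rename rather than a live definition. If this file is still installed next to cloak.conf it defines a second jail called `cloak`, and as far as I know jail.conf merges repeated definitions of the same name, so its parameters would leak into the real cloak jail. Either rename the block to match the jail it describes and use `path = "/jail/${name}";` like the others, or delete the file; the filename is not visible here, so whether it is still deployed is a guess.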
@ -1,5 +1,5 @@
|
||||
nat_dhcp {
|
||||
path = "/jail/main/jails/${name}";
|
||||
path = "/jail/${name}";
|
||||
vnet;
|
||||
exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
|
||||
exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
|
||||
|
12
ansible/roles/jail/files/jails/olddagger.conf
Normal file
12
ansible/roles/jail/files/jails/olddagger.conf
Normal file
@ -0,0 +1,12 @@
|
||||
olddagger {
|
||||
path = "/jail/${name}";
|
||||
vnet;
|
||||
vnet.interface += "olddagger";
|
||||
|
||||
exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24";
|
||||
exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop cloak ${name}";
|
||||
|
||||
exec.start += "/bin/sh /etc/rc";
|
||||
exec.stop = "/bin/sh /etc/rc.shutdown jail";
|
||||
exec.consolelog = "/var/log/jail_${name}_console.log";
|
||||
}
|
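Review bot: olddagger.conf is a copy of dagger.conf with only the name changed, and nothing in the file says why a second dagger exists or when it is retired; a header comment such as `# Previous dagger instance kept reachable on port 8082 during migration; remove with the pf.conf rule` would stop it outliving its purpose. Like dagger.conf, it boots `/etc/rc` without declaring `mount.devfs` or a `devfs_ruleset`, so it depends on global jail.conf defaults that are not shown here — if none exist, add `devfs_ruleset = 4;` and `mount.devfs;`.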
@ -1,5 +1,5 @@
|
||||
public_dns {
|
||||
path = "/jail/main/jails/${name}";
|
||||
path = "/jail/${name}";
|
||||
vnet;
|
||||
exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
|
||||
exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
|
||||
|
@ -1,5 +1,5 @@
|
||||
sample {
|
||||
path = "/jail/main/jails/${name}";
|
||||
path = "/jail/${name}";
|
||||
vnet;
|
||||
exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
|
||||
exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
|
||||
|
14
ansible/roles/jail/files/jails/sftp.conf
Normal file
14
ansible/roles/jail/files/jails/sftp.conf
Normal file
@ -0,0 +1,14 @@
|
||||
sftp {
|
||||
path = "/jail/${name}";
|
||||
vnet;
|
||||
exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
|
||||
exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
|
||||
vnet.interface += "jail${name}";
|
||||
|
||||
devfs_ruleset = 14;
|
||||
mount.devfs;
|
||||
|
||||
exec.start += "/bin/sh /etc/rc";
|
||||
exec.stop = "/bin/sh /etc/rc.shutdown jail";
|
||||
exec.consolelog = "/var/log/jail_${name}_console.log";
|
||||
}
|
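Review bot: `devfs_ruleset = 14;` references a non-stock ruleset (the stock jail ruleset is 4, `devfsrules_jail`), and nothing here shows it defined; if `homeserver_devfs.rules` does not contain a `[...=14]` section, applying an empty ruleset hides nothing, so `mount.devfs;` would give the sftp jail an unrestricted /dev — confirm the ruleset exists on every host that installs this conf. A comment stating what 14 exposes beyond ruleset 4, e.g. `# devfs ruleset 14: see homeserver_devfs.rules (jail defaults plus what sftp needs)`, belongs next to the line. The `vnet.interface += "jail${name}";` line sits after the poststop hook whereas cloak.conf puts it last too; fine, but keeping the prestart/poststop pair adjacent to the interface declaration reads better.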
@ -1,23 +0,0 @@
|
||||
#!/usr/local/bin/bash
|
||||
|
||||
cleanup() {
|
||||
/usr/local/bin/jail_netgraph_bridge stop cloak dagger
|
||||
}
|
||||
|
||||
setup_netgraph_start() {
|
||||
cleanup
|
||||
|
||||
/usr/local/bin/jail_netgraph_bridge start cloak dagger 192.168.1.0/24
|
||||
}
|
||||
|
||||
setup_netgraph_stop() {
|
||||
cleanup
|
||||
}
|
||||
|
||||
if [ "$1" = "start" ]; then
|
||||
setup_netgraph_start
|
||||
elif [ "$1" = "stop" ]; then
|
||||
setup_netgraph_stop
|
||||
else
|
||||
>&2 echo "Unrecognized command"
|
||||
fi
|
@ -10,7 +10,7 @@
|
||||
zfs:
|
||||
name: "{{ item.dataset|default(jail_zfs_dataset) }}/jails/{{ item.name }}"
|
||||
state: present
|
||||
extra_zfs_properties: '{{ {''mountpoint'': item.dataset_mountpoint|default(jail_zfs_dataset_mountpoint) + "/jails/" + item.name}|combine({''canmount'': jail_canmount|default(''noauto''), ''ta:bemount'': jail_bemount|default(''on'')})|combine(item.properties|default({})) }}'
|
||||
extra_zfs_properties: '{{ {''mountpoint'': item.dataset_mountpoint|default(jail_zfs_dataset_mountpoint) + "/" + item.name}|combine({''canmount'': jail_canmount|default(''noauto'')})|combine(item.properties|default({})) }}'
|
||||
|
||||
loop: "{{ jail_list }}"
|
||||
|
||||
@ -27,7 +27,7 @@
|
||||
zfs:
|
||||
name: "{{ item.0.dataset|default(jail_zfs_dataset) }}/persistent/{{ item.0.name }}/{{ item.1.name }}"
|
||||
state: present
|
||||
extra_zfs_properties: '{{ {''mountpoint'': item.0.dataset_mountpoint|default(jail_zfs_dataset_mountpoint) + "/jails/" + item.0.name + item.1.mount }|combine({''canmount'': jail_canmount|default(''noauto''), ''ta:bemount'': jail_bemount|default(''on'')})|combine(item.1.properties|default({})) }}'
|
||||
extra_zfs_properties: '{{ {''mountpoint'': item.0.dataset_mountpoint|default(jail_zfs_dataset_mountpoint) + "/" + item.0.name + item.1.mount }|combine({''canmount'': jail_canmount|default(''noauto'')})|combine(item.1.properties|default({})) }}'
|
||||
loop: "{{ jail_list|subelements('persist', skip_missing=True) }}"
|
||||
|
||||
- name: Install scripts
|
||||
|
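Review bot: In the persistent-dataset `extra_zfs_properties` expression, `item.1.mount` is concatenated raw after the jail name, so a value without a leading `/` produces a mountpoint like `/jail/daggervar/db/murmur`, outside that jail's root; normalise it, e.g. `+ "/" + (item.1.mount|regex_replace('^/+', ''))`, or add an assert task that every persist mount starts with `/`. The dataset names keep the `/jails/` and `/persistent/` subtrees while the mountpoints no longer have a `/jails` segment, so the ZFS hierarchy and the filesystem layout now diverge — worth a comment stating that is intentional. Both zfs tasks start above their hunks; their `- name:` lines are not shown.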
@ -5,7 +5,7 @@ set -euo pipefail
|
||||
IFS=$'\n\t'
|
||||
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
|
||||
|
||||
: ${JAIL_MOUNTPOINT:="{{ jail_zfs_dataset_mountpoint }}/jails"}
|
||||
: ${JAIL_MOUNTPOINT:="{{ jail_zfs_dataset_mountpoint }}"}
|
||||
|
||||
function die {
|
||||
echo >&2 "$@"
|
||||
@ -22,6 +22,7 @@ function by_src {
|
||||
make -j 16 buildworld
|
||||
make installworld DESTDIR=$DESTDIR
|
||||
make distribution DESTDIR=$DESTDIR
|
||||
switch_to_latest_packages
|
||||
}
|
||||
|
||||
function by_bin {
|
||||
@ -29,12 +30,48 @@ function by_bin {
|
||||
DESTARCH=`uname -m`
|
||||
SOURCEURL=http://ftp.freebsd.org/pub/FreeBSD/releases/$DESTARCH/$DESTRELEASE/
|
||||
for component in base ports; do fetch $SOURCEURL/$component.txz -o - | tar -xf - -C "$DESTDIR" ; done
|
||||
switch_to_latest_packages
|
||||
}
|
||||
|
||||
function by_pkg {
|
||||
# current https://pkg.freebsd.org/FreeBSD:15:amd64/base_latest
|
||||
# 14/stable https://pkg.freebsd.org/FreeBSD:14:amd64/base_latest
|
||||
# 14.1 https://pkg.freebsd.org/FreeBSD:14:amd64/base_release_1
|
||||
local config
|
||||
config=$(cat <<EOF
|
||||
base: {
|
||||
url: "https://pkg.freebsd.org/FreeBSD:14:amd64/base_release_1",
|
||||
mirror_type: "none",
|
||||
enabled: yes,
|
||||
priority: 100
|
||||
}
|
||||
EOF
|
||||
)
|
||||
IGNORE_OSVERSION=yes pkg --rootdir "$DESTDIR" --config <(cat <<<"$config") install --repository base --yes --glob 'FreeBSD-*'
|
||||
switch_to_latest_packages
|
||||
cat > "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$config"
|
||||
# Post-install remove extra packages
|
||||
# pkg remove --glob 'FreeBSD-*-lib32*' 'FreeBSD-*-dbg*' FreeBSD-src
|
||||
}
|
||||
|
||||
function switch_to_latest_packages {
|
||||
local latest_pkg
|
||||
latest_pkg=$(cat <<EOF
|
||||
FreeBSD: {
|
||||
url: "pkg+http://pkg.FreeBSD.org/\${ABI}/latest"
|
||||
}
|
||||
EOF
|
||||
)
|
||||
mkdir -p "$DESTDIR/usr/local/etc/pkg/repos"
|
||||
cat > "$DESTDIR/usr/local/etc/pkg/repos/FreeBSD.conf" <<<"$latest_pkg"
|
||||
}
|
||||
|
||||
if [ "$1" = "src" ]; then
|
||||
by_src
|
||||
elif [ "$1" = "bin" ]; then
|
||||
by_bin
|
||||
elif [ "$1" = "pkg" ]; then
|
||||
by_pkg
|
||||
else
|
||||
die "First argument must be either 'src' or 'bin', got $1"
|
||||
fi
|
||||
|
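Review bot: The `base` repository defined in `config` inside by_pkg sets no `signature_type`, and pkg's default for an unspecified signature_type is none, so `pkg --rootdir "$DESTDIR" ... install --glob 'FreeBSD-*'` installs the entire base system without a signature check; the same text is then written to `$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf`, so later base upgrades in that root are unverified too. Add `signature_type: "fingerprints",` and `fingerprints: "/usr/share/keys/pkg",` to the `base: { ... }` block, and verify that with `--rootdir` the fingerprints path resolves against the host rather than the still-empty $DESTDIR. The dispatcher's error message was not updated for the new mode: `die "First argument must be one of 'src', 'bin' or 'pkg', got $1"`. by_bin's `fetch` over plain http with no checksum against the release MANIFEST is pre-existing but sits in the same hunk; by_bin itself starts above the second hunk.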
@ -1,7 +1,3 @@
|
||||
FreeBSD: {
|
||||
url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
|
||||
mirror_type: "srv",
|
||||
signature_type: "fingerprints",
|
||||
fingerprints: "/usr/share/keys/pkg",
|
||||
enabled: yes
|
||||
url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
|
||||
}
|
||||
|
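Review bot: The trimmed `FreeBSD` definition keeps only `url`, so it stays signature-checked only because pkg, as far as I recall, merges same-named repository entries field by field with the stock /etc/pkg/FreeBSD.conf, which still carries `signature_type: "fingerprints"` — confirm with `pkg -vv`. A comment in the file, `# Overrides only url; signature_type/fingerprints are inherited from /etc/pkg/FreeBSD.conf`, would keep someone from copying this minimal shape for a new repository name where nothing is inherited, which is exactly what the `base` repo in the jail bootstrap script does. Dropping `mirror_type: "srv"` is harmless since the `pkg+http://` scheme implies SRV lookup.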
@ -1,19 +1,20 @@
|
||||
audio/mixertui
|
||||
devel/git
|
||||
devel/libccid
|
||||
devel/pyenv
|
||||
devel/py-jmespath
|
||||
devel/py-yamllint
|
||||
devel/pyenv
|
||||
editors/emacs@nox
|
||||
editors/mg
|
||||
ftp/wget
|
||||
graphics/ImageMagick7
|
||||
lang/python
|
||||
misc/terminfo-db
|
||||
multimedia/ffmpeg
|
||||
multimedia/v4l-utils
|
||||
multimedia/webcamd
|
||||
net/google-cloud-sdk
|
||||
net-mgmt/ipcalc
|
||||
net/google-cloud-sdk
|
||||
net/rsync
|
||||
net/tcpdump
|
||||
net/wireguard-tools
|
||||
|
@ -106,7 +106,6 @@ KbdInteractiveAuthentication no
|
||||
#PermitTunnel no
|
||||
#ChrootDirectory none
|
||||
#UseBlacklist no
|
||||
#VersionAddendum FreeBSD-20231004
|
||||
|
||||
# no default banner path
|
||||
#Banner none
|
||||
|