4 Commits

Author SHA1 Message Date
Tom Alexander
00806d4963 Fix firewall rules for certificate renewal. 2026-05-30 17:02:01 -04:00
Tom Alexander
a8822d0bfb Update for pkgbase rebuild of homeserver. 2026-04-14 15:39:22 -04:00
Tom Alexander
88dfc73f3d Remove rg jail and add ipv6 to wireguard. 2026-04-04 21:18:42 -04:00
Tom Alexander
d9f6c8da31 Update for rebuild of mrmanager. 2026-03-26 18:17:38 -04:00
88 changed files with 175 additions and 1390 deletions


@@ -6,7 +6,6 @@ zfs_snapshot_datasets:
include: false
- path: zdata/k8spersistent
sshd_enabled: true
loader_conf: "mrmanager_loader.conf"
rc_conf: "mrmanager_rc.conf"
network_rc: "mrmanager_network.conf"
routing_rc: "mrmanager_routing.conf"
@@ -38,10 +37,6 @@ jail_list:
enabled: true
conf:
src: public_dns
- name: rg
enabled: true
conf:
src: rg
bhyve_dataset: zdata/vm
bhyve_canmount: "on"
# efi_dev: /dev/gpt/EFI
@@ -57,7 +52,3 @@ users:
- yubikey
- main_fido
- backup_fido
mole:
initialize: true
authorized_keys:
- mole


@@ -1,2 +1,3 @@
[server]
mrmanager ansible_user=talexander ansible_host=10.217.2.1
#mrmanager ansible_user=talexander ansible_host=10.217.2.1 ansible_become_method=doas
mrmanager ansible_user=talexander ansible_host=74.80.180.138 ansible_become_method=doas


@@ -1,6 +1,4 @@
os_flavor: "freebsd"
custom_repo: "https://freebsdpkg.fizz.buzz/repo/14broadwell-default-computer"
pkgbase_url: "https://freebsdpkg.fizz.buzz/pkgbase/14broadwell-repo/FreeBSD:14:amd64/latest"
zfs_snapshot_datasets:
- path: zroot/freebsd/computer/be
- path: zmass/encrypted/vm
@@ -26,7 +24,6 @@ users:
sshd_enabled: true
sshd_conf: "sshd_config"
prefer_ipv6: true
dummynet_config: "dnctl.conf"
pf_config: "homeserver_pf.conf"
pflog_conf:
- name: 0
@@ -53,9 +50,6 @@ jail_list:
- name: dagger
conf:
src: dagger
- name: olddagger
conf:
src: olddagger
- name: sftp
conf:
src: sftp
@@ -67,9 +61,6 @@ jail_list:
- name: certificate
conf:
src: certificate
- name: momlaptop
conf:
src: momlaptop
# - name: mumble
# conf:
# src: mumble
@@ -84,10 +75,3 @@ bhyve_bemount: "on"
wireguard_directory: homeserver
enabled_wireguard:
- wgh
linfi:
enabled: true
zfs_dataset: zmass/unencrypted/vm/linfi
zfs_mountpoint: /vm/linfi
driver_blocklist: "ath if_ath if_ath_pci ath_hal if_iwm if_iwlwifi"
pci_blocklist: "6/0/0"
amd: false


@@ -1,2 +1,3 @@
[headless]
homeserver ansible_user=talexander ansible_host=homeserver
#homeserver ansible_user=talexander ansible_host=homeserver
homeserver ansible_user=talexander ansible_host=172.16.16.32


@@ -1 +0,0 @@
os_flavor: freebsd


@@ -8,4 +8,3 @@ public_dns ansible_ssh_host=public_dns@10.217.2.1 ansible_connection=sshjail
sftp ansible_ssh_host=sftp@homeserver ansible_connection=sshjail
bastion ansible_ssh_host=bastion@homeserver ansible_connection=sshjail
certificate ansible_ssh_host=certificate@homeserver ansible_connection=sshjail
momlaptop ansible_ssh_host=momlaptop@homeserver ansible_connection=sshjail


@@ -82,7 +82,7 @@
vars:
ansible_become: True
roles:
- sudo
# - sudo
- doas
- users
- package_manager
@@ -127,16 +127,8 @@
vars:
ansible_become: True
roles:
- linfi
- framework_laptop
- hosts: homeserver
vars:
ansible_become: True
roles:
- linfi
- homeserver
- hosts: odowork
vars:
ansible_become: True
@@ -161,9 +153,3 @@
ansible_become: True
roles:
- jail_certificate
- hosts: momlaptop
vars:
ansible_become: True
roles:
- jail_momlaptop
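Review bot: Commenting out `- sudo` at L129 while `ansible_become: True` is kept means privilege escalation for this play (its `hosts:` line is outside the hunk) now depends on `ansible_become_method` being set somewhere else, because Ansible's default become method is sudo. In this same commit the mrmanager inventory line carries `ansible_become_method=doas` but the homeserver line does not, so unless ansible.cfg or group_vars supplies it, a host that no longer gets the sudo role fails at its first privileged task. Either delete the line (git keeps the history) or replace it with a comment stating the expectation, e.g. `# sudo role retired: hosts must provide doas via ansible_become_method`. Note also that removing the role does not uninstall or de-configure sudo on hosts where earlier runs already applied it.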


@@ -1,3 +1,4 @@
security.bsd.allow_destructive_dtrace=0
cryptodev_load="YES"
zfs_load="YES"
devmatch_blocklist="if_iwm"


@@ -2,8 +2,7 @@ clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
hostname="computer"
local_unbound_enable="NO"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
zfs_enable="YES"
kld_list="${kld_list} if_iwlwifi"


@@ -32,7 +32,7 @@ default:\
:cputime=unlimited:\
:datasize=unlimited:\
:stacksize=unlimited:\
:memorylocked=128M:\
:memorylocked=64K:\
:memoryuse=unlimited:\
:filesize=unlimited:\
:coredumpsize=unlimited:\
@@ -46,7 +46,6 @@ default:\
:umtxp=unlimited:\
:pipebuf=unlimited:\
:priority=0:\
:ignoretime@:\
:umask=022:\
:charset=UTF-8:\
:lang=en_US.UTF-8:
@@ -149,7 +148,6 @@ russian|Russian Users Accounts:\
# :requirehome:\
# :passwordtime=90d:\
# :umask=002:\
# :ignoretime@:\
# :tc=default:
#
#
@@ -174,7 +172,6 @@ russian|Russian Users Accounts:\
##
#staff:\
# :ignorenologin:\
# :ignoretime:\
# :requirehome@:\
# :accounted@:\
# :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
@@ -265,7 +262,6 @@ russian|Russian Users Accounts:\
## - no time accounting, restricted to access via dialin lines
##
#site:\
# :ignoretime:\
# :passwordtime@:\
# :refreshtime@:\
# :refreshperiod@:\
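Review bot: The `default` class drops from `:memorylocked=128M:` to `:memorylocked=64K:` (L185-L186) and loses `:ignoretime@:` (L194), but login.conf is only consulted through its cap_mkdb(1) database; if the task that installs this file does not run `cap_mkdb /etc/login.conf` afterwards (not visible here), the old limits stay in effect until someone rebuilds the database by hand. A 2000x cut in the per-login mlock limit is also the kind of edit a future reader will suspect is a typo, so if these values were resynced with the stock base file, say so in a comment above the class, e.g. `# limits follow the stock login.conf shipped with the current base release`.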


@@ -1,3 +1,3 @@
dependencies:
- fstab
- termcap
# - termcap


@@ -77,27 +77,27 @@
owner: root
group: wheel
loop:
- src: bemount.bash
dest: /usr/local/bin/bemount
# - src: bemount.bash
# dest: /usr/local/bin/bemount
- src: watch_freebsd
dest: /usr/local/bin/ww
- name: Install rc script
copy:
src: "files/{{ item.src }}"
dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
owner: root
group: wheel
mode: 0755
loop:
- src: bemount_rc.sh
dest: bemount
# - name: Install rc script
# copy:
# src: "files/{{ item.src }}"
# dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
# owner: root
# group: wheel
# mode: 0755
# loop:
# - src: bemount_rc.sh
# dest: bemount
- name: Enable bemount
community.general.sysrc:
name: bemount_enable
value: "YES"
path: /etc/rc.conf.d/bemount
# - name: Enable bemount
# community.general.sysrc:
# name: bemount_enable
# value: "YES"
# path: /etc/rc.conf.d/bemount
- name: Install loader.conf
copy:
@@ -107,6 +107,7 @@
owner: root
group: wheel
loop:
- zfs
- disk_labels
- name: Configure sysctls
@@ -127,7 +128,7 @@
blockinfile:
path: "/etc/periodic.conf.local"
marker: "# {mark} ANSIBLE MANAGED BLOCK log"
# create: true
create: true
mode: 0644
owner: root
group: wheel
@@ -141,13 +142,13 @@
blockinfile:
path: "/etc/periodic.conf.local"
marker: "# {mark} ANSIBLE MANAGED BLOCK zfs"
# create: true
create: true
mode: 0644
owner: root
group: wheel
block: |
daily_scrub_zfs_enable="YES"
daily_scrub_zfs_default_threshold="7"
daily_scrub_zfs_default_threshold="14"
# Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi.
- name: Install loader.conf
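Review bot: Commenting out the bemount install and enable tasks (L239-L240, L253-L262, L268-L272) does not undo what earlier runs deployed: on any host that was not rebuilt, `/usr/local/bin/bemount`, the rc.d script and `bemount_enable="YES"` in `/etc/rc.conf.d/bemount` stay in place and the service keeps starting at boot. If retirement is the intent, replace the block with `file: state: absent` tasks for the two installed files and a sysrc task setting `value: "NO"`, then delete the commented lines since git keeps the history; if the tasks are only paused, a one-line comment saying why is enough. The threshold bump from `"7"` to `"14"` at L302-L303 also deserves a word in the adjacent comment, since it doubles the window between ZFS scrubs.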


@@ -1 +0,0 @@
aesni_load="YES"


@@ -0,0 +1 @@
microcode_update_enable="YES"


@@ -0,0 +1 @@
cryptodev_load="YES"


@@ -1,3 +1,9 @@
- name: Install packages
package:
name:
- cpu-microcode-amd
state: present
- name: Install loader.conf
copy:
src: "files/{{ item }}_loader.conf"
@@ -17,16 +23,7 @@
group: wheel
loop:
- power_profile
- name: Install loader.conf
copy:
src: "files/{{ item }}_loader.conf"
dest: "/boot/loader.conf.d/{{ item }}.conf"
mode: 0644
owner: root
group: wheel
loop:
- aesni
- amd_microcode
- name: Install loader.conf
when: hwpstate is defined and hwpstate
@@ -38,3 +35,4 @@
group: wheel
loop:
- per_core_hwpstate
- cryptodev
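Review bot: `- cryptodev` is appended at L353 to a loop that, judging by the line numbers, belongs to the `Install loader.conf` task gated by `when: hwpstate is defined and hwpstate` (L347-L348; the task body between the two hunks is not shown), so `cryptodev_load` would be skipped on hosts without hwpstate, whereas the aesni entry it replaces lived in a task with no visible `when:` (L337-L346). If the gating is unintended, move `- cryptodev` into the unconditional loop at L335-L336 next to `- power_profile`. The intel role change at L357-L368 has the same shape and should be checked together.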


@@ -16,7 +16,6 @@
loop:
- coretemp
- cpuctl
- aesni
- intel_microcode
- name: Install service configuration
@@ -79,3 +78,4 @@
group: wheel
loop:
- per_core_hwpstate
- cryptodev


@@ -1,2 +0,0 @@
pipe 1 config bw 100KByte/s
pipe 2 config


@@ -1,28 +0,0 @@
#!/bin/sh
#
#
# PROVIDE: dummynet
# BEFORE: pf ipfw
# KEYWORD: nojailvnet
. /etc/rc.subr
name="dummynet"
desc="Dummynet packet queuing and scheduling"
rcvar="${name}_enable"
load_rc_config $name
start_cmd="${name}_start"
required_files="$dummynet_rules"
required_modules="dummynet"
dummynet_start()
{
startmsg -n "Enabling ${name}"
cat "$dnctl_rules" | while read l; do
dnctl $l
done
startmsg '.'
}
run_rc_command $*


@@ -1,2 +0,0 @@
dummynet_enable="YES"
dummynet_rules="/etc/dnctl.conf"


@@ -1,55 +0,0 @@
# - name: Create directories
# file:
# name: "{{ item }}"
# state: directory
# mode: 0755
# owner: root
# group: wheel
# loop:
# - /foo/bar
# - name: Install scripts
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ item.dest }}"
# mode: 0755
# owner: root
# group: wheel
# loop:
# - src: foo.bash
# dest: /usr/local/bin/foo
# - name: Install Configuration
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ item.dest }}"
# mode: 0600
# owner: root
# group: wheel
# loop:
# - src: foo.conf
# dest: /usr/local/etc/foo.conf
# - name: Clone Source
# git:
# repo: "https://foo.bar/baz.git"
# dest: /foo/bar
# version: "v1.0.2"
# force: true
# diff: false
- import_tasks: tasks/freebsd.yaml
when: 'os_flavor == "freebsd"'
- import_tasks: tasks/linux.yaml
when: 'os_flavor == "linux"'
- include_tasks:
file: tasks/peruser.yaml
apply:
become: yes
become_user: "{{ initialize_user }}"
when: users is defined
loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
loop_control:
loop_var: initialize_user


@@ -1,30 +0,0 @@
- name: Install Configuration
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0600
owner: root
group: wheel
loop:
- src: "{{ dummynet_config }}"
dest: /etc/dnctl.conf
- name: Install rc script
copy:
src: "files/{{ item.src }}"
dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
owner: root
group: wheel
mode: 0755
loop:
- src: dummynet
- name: Install service configuration
copy:
src: "files/{{ item }}_rc.conf"
dest: "/etc/rc.conf.d/{{ item }}"
mode: 0644
owner: root
group: wheel
loop:
- dummynet


@@ -1,29 +0,0 @@
# - name: Build aur packages
# register: buildaur
# become_user: "{{ build_user.name }}"
# command: "aurutils-sync --no-view {{ item }}"
# args:
# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
# loop:
# - foo
# - name: Update cache
# when: buildaur.changed
# pacman:
# name: []
# state: present
# update_cache: true
# - name: Install packages
# package:
# name:
# - foo
# state: present
# - name: Enable services
# systemd:
# enabled: yes
# name: "{{ item }}"
# daemon_reload: yes
# loop:
# - foo.service


@@ -1,2 +0,0 @@
- import_tasks: tasks/common.yaml
when: (dummynet_config is defined and os_flavor == "freebsd") or (os_flavor == "linux")


@@ -1,29 +0,0 @@
- include_role:
name: per_user
# - name: Create directories
# file:
# name: "{{ account_homedir.stdout }}/{{ item }}"
# state: directory
# mode: 0700
# owner: "{{ account_name.stdout }}"
# group: "{{ group_name.stdout }}"
# loop:
# - ".config/foo"
# - name: Copy files
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
# mode: 0600
# owner: "{{ account_name.stdout }}"
# group: "{{ group_name.stdout }}"
# loop:
# - src: foo.conf
# dest: .config/foo/foo.conf
- import_tasks: tasks/peruser_freebsd.yaml
when: 'os_flavor == "freebsd"'
- import_tasks: tasks/peruser_linux.yaml
when: 'os_flavor == "linux"'


@@ -1,9 +1,20 @@
ext_if = "{ igb0 igb1 ix0 ix1 linfi_host }"
not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !linfi_host }"
jail_nat_v4 = "{ 10.215.1.0/24 }"
not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
restricted_nat_v4 = "{ 10.215.2.0/24 }"
not_restricted_nat_v4 = "{ any, !10.215.2.0/24 }"
# TODO: ipv6 RFC 6296 - Network Prefix Translation?
# match out on $ext_if inet6 from fd00:db8::/48 binat-to 2001:db8::/48
# TODO: Maybe ipv6 icmp rules from https://oneuptime.com/blog/post/2026-03-20-configure-ipv6-firewall-pf-freebsd/view
#
# restricted_nat 10.215.2.1/24
# jail_nat 10.215.1.1/24
#
#
# External connections -> 172.16.16.32:8081
# rdr to bastion 10.215.1.217
# snat to bridge?
#
ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
dhcp = "{ bootpc, bootps }"
@@ -11,69 +22,29 @@ allow = "{ wgh wgf }"
tcp_pass_in = "{ 22 }"
udp_pass_in = "{ 53 51820 }"
unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }"
# Rules must be in order: options, normalization, queueing, translation, filtering
# options
set skip on lo
# normalization
# queueing
# altq on linfi_host cbq queue { def, stuff }
# queue def cbq(default borrow)
# queue stuff bandwidth 8Mb cbq { dagger }
# queue dagger cbq(borrow)
# redirections
nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (linfi_host)
rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53
# translation
nat pass on $ext_if proto {tcp, udp} tagged NATOUT -> (wlan0)
nat pass on restricted_nat proto {tcp, udp} tagged NATRESTRICTED -> (restricted_nat)
nat pass on jail_nat proto {tcp, udp} tagged NATJAIL -> (jail_nat)
# cloak
nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (linfi_host)
rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 172.16.0.1 port 53
# bastion
rdr pass on $ext_if inet proto {tcp, udp} from { any, !10.215.1.0/24, !10.215.2.0/24 } to any port 8081 -> 10.215.1.217 port 443
nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.217 port 443 -> 10.215.1.1
nat pass on restricted_nat proto {tcp, udp} from 10.215.1.217/32 to 10.215.2.2 port 8081 -> 10.215.2.1
# cloak -> olddagger
rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082
nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1
# cloak -> dagger old
rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8083 -> 10.215.2.2 port 8083
nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8083 -> 10.215.2.1
# -> sftp
# TODO: Limit bandwidth for sftp
rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 22
nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.216 port 22 -> 10.215.1.1
# Forward ports for unifi controller
# rdr pass on $ext_if inet proto {tcp, udp} from any to any port 65022 -> 10.213.177.8 port 22
rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202
# -> momlaptop
rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8033 -> 10.215.1.218 port 443
nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.218 port 443 -> 10.215.1.1
# external -> bastion
rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8081 tag NATJAIL -> 10.215.1.217 port 443
# external -> sftp
rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8022 tag NATJAIL -> 10.215.1.216 port 22
# filtering
# match in on jail_nat from any to any dnpipe(1, 2)
# match in on restricted_nat from any to any dnpipe(1, 2)
block log all
pass out on $ext_if
pass in on jail_nat
# Allow traffic from my machine to the jails/virtual machines
pass out on jail_nat from $jail_nat_v4
pass out on jail_nat proto {udp, tcp} from any to 10.215.1.202 port $unifi_ports
pass out on restricted_nat proto {udp, tcp} from any to 10.215.2.2 port 8081
# TODO: limit bandwidth for dagger here
pass in on restricted_nat proto {udp, tcp} from any to any port { 53 51820 }
pass out on $ext_if from (wlan0)
# We pass on the interfaces listed in allow rather than skipping on
# them because changes to pass rules will update when running a
@@ -85,5 +56,13 @@ pass quick on $allow
pass on $ext_if proto icmp all
pass on $ext_if proto icmp6 all
pass in on $ext_if proto tcp to any port $tcp_pass_in
pass in on $ext_if proto udp to any port $udp_pass_in
pass in on $ext_if proto tcp to (wlan0) port $tcp_pass_in
pass in on $ext_if proto udp to (wlan0) port $udp_pass_in
# Allow DNS and wireguard from cloak
pass in on restricted_nat proto {udp, tcp} from 10.215.2.2 to any port { 53 51820 } tag NATOUT
# bastion -> cloak
pass in on jail_nat proto {udp, tcp} from 10.215.1.217 to 10.215.2.2 port 8081 tag NATRESTRICTED
# Allow outgoing connections from certificate
pass in on jail_nat proto {udp, tcp} from 10.215.1.220 to any port { 53 80 443 } tag NATOUT
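Review bot: The new translation and pass rules hard-code `(wlan0)` as the address (L601, L628, L630, L643, L651-L652) while `$ext_if` still expands to five interfaces (L580), so tagged jail traffic leaving on igb0 or ix0 would be rewritten to wlan0's address and the `pass in ... to (wlan0)` rules would not match the uplink actually in use; the mrmanager file in this same commit uses `-> ($ext_if)` (L672), which pfctl expands per interface, and the consistent form here would be `nat pass on $ext_if proto {tcp, udp} tagged NATOUT -> ($ext_if)`. Separately, the tagged NAT rules and the per-jail tagging rules that feed them (L654, L658) cover only `{tcp, udp}`, so ICMP from the certificate jail is neither tagged nor translated — acceptable if intended, but it breaks PMTUD and ping from inside the jail and should be stated in the `# translation` comment. Which of the untagged `pass in on jail_nat` / `pass out on $ext_if` lines (L635-L636) survive on the new side is not recoverable from this rendering; if `pass in on jail_nat` remains unqualified, jails still reach the host and each other freely and the tags only gate egress.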


@@ -3,7 +3,7 @@ not_ext_if = "{ !lagg0 }"
jail_nat_v4 = "{ 10.215.1.0/24 }"
not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
# pub_k8s = "{ 74.80.180.136/29, !74.80.180.138 }"
pub_k8s = "{ 74.80.180.137, 74.80.180.139, 74.80.180.140, 74.80.180.141, 74.80.180.142 }"
pub_k8s = "{ 74.80.180.137, 74.80.180.139, 74.80.180.140, 74.80.180.141, 74.80.180.142, 2620:11f:7001:7:ffff:dddd::/112 }"
dhcp = "{ bootpc, bootps }"
allow = "{ colo }"
@@ -35,6 +35,7 @@ scrub in on $ext_if all fragment reassemble
# redirections
nat on $ext_if inet from ! ($ext_if) to ! ($ext_if) -> ($ext_if)
rdr pass on jail_nat proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53
rdr pass on jail_nat proto {tcp, udp} from any to 2620:11f:7001:7:ffff:ffff:0ad7:0101 port 53 tag REDIREXTERNAL -> 2606:4700:4700::1111 port 53
rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
@@ -69,8 +70,10 @@ pass quick on $allow
# Single interface kubernetes cluster is working with the following run on mrmanager:
# doas route add -host 74.80.180.139 -interface jail_nat
# doas route add -net 10.129.0.0/16 -interface jail_nat
# ? doas route -6 add -net '2620:11f:7001:7:ffff:ffff:0ad7:0100/120' -interface jail_nat
# ? doas ifconfig jail_nat inet6 2620:11f:7001:7:ffff:ffff:0ad7:0101/120
# doas route -6 add -net '2620:11f:7001:7:ffff:ffff:0ad7:0100/120' -interface jail_nat
# doas route -6 add -net '2620:11f:7001:7:ffff:eeee::/96' -interface jail_nat
# doas route -6 add -net '2620:11f:7001:7:ffff:dddd::/112' -interface jail_nat
# doas ifconfig jail_nat inet6 2620:11f:7001:7:ffff:ffff:0ad7:0101/120
# doas sysctl net.link.ether.inet.proxyall=1
# Plus this in pf.conf:
# pass quick from any to 74.80.180.139
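Review bot: `pub_k8s` at L667 now mixes IPv4 hosts with an IPv6 `/112`; pfctl expands a macro per address family, so any rule consuming `$pub_k8s` that carries an explicit `inet` keyword (those rules are outside this hunk) will either be rejected with an address-family mismatch or silently yield no v6 rule. Check the rendered file with `pfctl -nf` and consider splitting the macro into `pub_k8s_v4` and `pub_k8s_v6` so each rule's family is explicit. The IPv6 DNS redirect at L674 mirrors the v4 rule at L673 and is consistent with it.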


@@ -1,2 +0,0 @@
dependencies:
- dummynet


@@ -3,7 +3,7 @@
name:
- gnupg
- pcsc-tools
- ccid
# - ccid
# - linux_libusb
- pinentry
state: present


@@ -1,10 +0,0 @@
#!/usr/bin/env bash
#
# Decrypt and mount the disks after a fresh reboot.
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
zfs load-key -r zmass/encrypted
zfs mount -a
service bemount start


@@ -1,55 +0,0 @@
# - name: Create directories
# file:
# name: "{{ item }}"
# state: directory
# mode: 0755
# owner: root
# group: wheel
# loop:
# - /foo/bar
# - name: Install scripts
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ item.dest }}"
# mode: 0755
# owner: root
# group: wheel
# loop:
# - src: foo.bash
# dest: /usr/local/bin/foo
# - name: Install Configuration
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ item.dest }}"
# mode: 0600
# owner: root
# group: wheel
# loop:
# - src: foo.conf
# dest: /usr/local/etc/foo.conf
# - name: Clone Source
# git:
# repo: "https://foo.bar/baz.git"
# dest: /foo/bar
# version: "v1.0.2"
# force: true
# diff: false
- import_tasks: tasks/freebsd.yaml
when: 'os_flavor == "freebsd"'
- import_tasks: tasks/linux.yaml
when: 'os_flavor == "linux"'
- include_tasks:
file: tasks/peruser.yaml
apply:
become: yes
become_user: "{{ initialize_user }}"
when: users is defined
loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
loop_control:
loop_var: initialize_user


@@ -1,10 +0,0 @@
- name: Install scripts
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0755
owner: root
group: wheel
loop:
- src: decrypt_disks.bash
dest: /usr/local/bin/decrypt_disks


@@ -1,29 +0,0 @@
# - name: Build aur packages
# register: buildaur
# become_user: "{{ build_user.name }}"
# command: "aurutils-sync --no-view {{ item }}"
# args:
# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
# loop:
# - foo
# - name: Update cache
# when: buildaur.changed
# pacman:
# name: []
# state: present
# update_cache: true
# - name: Install packages
# package:
# name:
# - foo
# state: present
# - name: Enable services
# systemd:
# enabled: yes
# name: "{{ item }}"
# daemon_reload: yes
# loop:
# - foo.service


@@ -1,2 +0,0 @@
- import_tasks: tasks/common.yaml
# when: foo is defined


@@ -1,29 +0,0 @@
- include_role:
name: per_user
# - name: Create directories
# file:
# name: "{{ account_homedir.stdout }}/{{ item }}"
# state: directory
# mode: 0700
# owner: "{{ account_name.stdout }}"
# group: "{{ group_name.stdout }}"
# loop:
# - ".config/foo"
# - name: Copy files
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
# mode: 0600
# owner: "{{ account_name.stdout }}"
# group: "{{ group_name.stdout }}"
# loop:
# - src: foo.conf
# dest: .config/foo/foo.conf
- import_tasks: tasks/peruser_freebsd.yaml
when: 'os_flavor == "freebsd"'
- import_tasks: tasks/peruser_linux.yaml
when: 'os_flavor == "linux"'


@@ -1,5 +1,5 @@
etc_hosts:
10.216.1.1:
10.216.1.32:
- homeserver
10.216.1.6:
- media


@@ -1,5 +1,7 @@
dagger {
path = "/jail/${name}";
allow.chflags = 1;
vnet;
vnet.interface += "dagger";


@@ -1,15 +0,0 @@
momlaptop {
path = "/jail/${name}";
vnet;
exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
vnet.interface += "jail${name}";
devfs_ruleset = 14;
mount.devfs;
mount.fstab = "/etc/fstab.${name}";
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown jail";
exec.consolelog = "/var/log/jail_${name}_console.log";
}


@@ -1,14 +0,0 @@
olddagger {
path = "/jail/${name}";
vnet;
vnet.interface += "olddagger";
exec.prestart += "/usr/local/bin/jail_netgraph_bridge start cloak ${name} 192.168.1.0/24";
exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop cloak ${name}";
mount.fstab = "/etc/fstab.${name}";
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown jail";
exec.consolelog = "/var/log/jail_${name}_console.log";
}


@@ -1,15 +0,0 @@
rg {
path = "/jail/${name}";
vnet;
exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
exec.poststop += "sleep 10; /usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
vnet.interface += "jail${name}";
devfs_ruleset = 14;
mount.devfs;
mount.fstab = "/etc/fstab.${name}";
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown jail";
exec.consolelog = "/var/log/jail_${name}_console.log";
}


@@ -26,7 +26,7 @@ function by_src {
}
function by_bin {
DESTRELEASE=14.3-RELEASE
DESTRELEASE=15.0-RELEASE
DESTARCH=`uname -m`
SOURCEURL=http://ftp.freebsd.org/pub/FreeBSD/releases/$DESTARCH/$DESTRELEASE/
for component in base ports; do fetch $SOURCEURL/$component.txz -o - | tar -xf - -C "$DESTDIR" ; done
@@ -34,34 +34,34 @@ function by_bin {
}
function by_pkg {
# current https://pkg.freebsd.org/FreeBSD:15:amd64/base_latest
# 14/stable https://pkg.freebsd.org/FreeBSD:14:amd64/base_latest
# 14.1 https://pkg.freebsd.org/FreeBSD:14:amd64/base_release_1
local config
config=$(cat <<EOF
base: {
url: "https://pkg.freebsd.org/FreeBSD:14:amd64/base_release_1",
mirror_type: "none",
enabled: yes,
priority: 100
}
EOF
)
IGNORE_OSVERSION=yes pkg --rootdir "$DESTDIR" --config <(cat <<<"$config") install --repository base --yes --glob 'FreeBSD-*'
TERM=xterm BSDINSTALL_CHROOT="$DESTDIR" bsdinstall pkgbase --jail
# local config
# config=$(cat <<EOF
# FreeBSD-base: {
# url: "https://pkg.FreeBSD.org/FreeBSD:15:amd64/base_release_0",
# mirror_type: "none",
# enabled: yes,
# priority: 100
# }
# EOF
# )
# IGNORE_OSVERSION=yes pkg --rootdir "$DESTDIR" --config <(cat <<<"$config") update --repository FreeBSD-base
# IGNORE_OSVERSION=yes pkg --rootdir "$DESTDIR" --config <(cat <<<"$config") install --repository FreeBSD-base --yes --glob 'FreeBSD-*'
switch_to_latest_packages
local in_jail_config
in_jail_config=$(cat <<EOF
base: {
url: "pkg+https://pkg.freebsd.org/\${ABI}/base_release_1",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/share/keys/pkg",
enabled: yes,
priority: 100
}
EOF
)
cat > "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$in_jail_config"
# local in_jail_config
# in_jail_config=$(cat <<EOF
# FreeBSD-base: {
# url: "pkg+https://pkg.FreeBSD.org/\${ABI}/base_release_\${VERSION_MINOR}",
# mirror_type: "srv",
# signature_type: "fingerprints",
# fingerprints: "/usr/share/keys/pkgbase-\${VERSION_MAJOR}",
# enabled: yes,
# priority: 100
# }
# EOF
# )
# cat > "$DESTDIR/usr/local/etc/pkg/repos/pkgbase.conf" <<<"$in_jail_config"
# Post-install remove extra packages
# pkg remove --glob 'FreeBSD-*-lib32*' 'FreeBSD-*-dbg*' FreeBSD-src
}
@@ -69,13 +69,13 @@ EOF
function switch_to_latest_packages {
local latest_pkg
latest_pkg=$(cat <<EOF
FreeBSD: {
url: "pkg+http://pkg.FreeBSD.org/\${ABI}/latest"
FreeBSD-ports: {
url: "pkg+https://pkg.FreeBSD.org/\${ABI}/latest"
}
EOF
)
mkdir -p "$DESTDIR/usr/local/etc/pkg/repos"
cat > "$DESTDIR/usr/local/etc/pkg/repos/FreeBSD.conf" <<<"$latest_pkg"
cat > "$DESTDIR/usr/local/etc/pkg/repos/FreeBSD-ports.conf" <<<"$latest_pkg"
}
if [ "$1" = "src" ]; then


@@ -1,15 +0,0 @@
# Enable HTTP Strict Transport Security (HSTS) to force clients to
# always connect via HTTPS (do not use if only testing)
add_header Strict-Transport-Security "max-age=31536000;" always;
# Enable cross-site filter (XSS) and tell browser to block detected
# attacks
add_header X-XSS-Protection "1; mode=block" always;
# Prevent some browsers from MIME-sniffing a response away from the
# declared Content-Type
add_header X-Content-Type-Options "nosniff" always;
# Disallow the site to be rendered within a frame (clickjacking
# protection)
add_header X-Frame-Options "DENY" always;
# Indicate that we are serving http3 on port 443
add_header Alt-Svc 'h3=":8033"; ma=864000';


@@ -1,2 +0,0 @@
# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
/var/log/nginx/*.log 640 5 1000 @T00 GYC /var/run/nginx.pid SIGUSR1


@@ -1,48 +0,0 @@
worker_processes auto;
user www www;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
types {
text/plain log;
}
sendfile on;
tcp_nopush on;
tcp_nodelay on;
gzip on;
include conf.d/headers.include;
server {
listen 443 quic reuseport;
listen [::]:443 quic reuseport;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name momlaptop.fizz.buzz;
include conf.d/tls_settings.include;
# RSA
ssl_certificate /momlaptop.fizz.buzz/tls.crt;
ssl_certificate_key /momlaptop.fizz.buzz/tls.key;
# Nginx by default only allows file uploads up to 50M in size
client_max_body_size 50M;
location / {
auth_basic "Stuff";
auth_basic_user_file conf.d/htpasswd;
alias /srv/http/;
autoindex on;
}
}
}


@@ -1 +0,0 @@
nginx_enable="YES"


@@ -1,9 +0,0 @@
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
# Settings for keepalive module for upstreams
proxy_http_version 1.1;
proxy_set_header Connection "";
# Requests sent with early data are subject to replay attacks so the application needs to protect against that by using the Early-Data header.
# proxy_set_header Early-Data $ssl_early_data;


@@ -1,3 +0,0 @@
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;


@@ -1,2 +0,0 @@
dependencies:
- syslog


@@ -1,55 +0,0 @@
# - name: Create directories
# file:
# name: "{{ item }}"
# state: directory
# mode: 0755
# owner: root
# group: wheel
# loop:
# - /foo/bar
# - name: Install scripts
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ item.dest }}"
# mode: 0755
# owner: root
# group: wheel
# loop:
# - src: foo.bash
# dest: /usr/local/bin/foo
# - name: Install Configuration
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ item.dest }}"
# mode: 0600
# owner: root
# group: wheel
# loop:
# - src: foo.conf
# dest: /usr/local/etc/foo.conf
# - name: Clone Source
# git:
# repo: "https://foo.bar/baz.git"
# dest: /foo/bar
# version: "v1.0.2"
# force: true
# diff: false
- import_tasks: tasks/freebsd.yaml
when: 'os_flavor == "freebsd"'
- import_tasks: tasks/linux.yaml
when: 'os_flavor == "linux"'
# - include_tasks:
# file: tasks/peruser.yaml
# apply:
# become: yes
# become_user: "{{ initialize_user }}"
# when: users is defined
# loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
# loop_control:
# loop_var: initialize_user


@@ -1,81 +0,0 @@
- name: Create www group
group:
name: www
- name: Create www user
user:
name: www
home: /srv/http
createhome: false
group: www
- name: Create directories
file:
name: "{{ item }}"
state: directory
mode: 0755
owner: root
group: wheel
loop:
- /momlaptop.fizz.buzz
- /etc/rc.conf.d
- /usr/local/etc/nginx/conf.d
- name: Create directories
file:
name: "{{ item }}"
state: directory
mode: 0755
owner: www
group: www
loop:
- /srv/http
- name: Install packages
package:
name:
- nginx
state: present
# validate fails because nginx config relies on a local mime.types
- name: Install Configuration
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
owner: root
group: wheel
loop:
- src: nginx.conf
dest: /usr/local/etc/nginx/nginx.conf
- src: headers.include
dest: /usr/local/etc/nginx/conf.d/headers.include
- src: proxy.include
dest: /usr/local/etc/nginx/conf.d/proxy.include
- src: tls_settings.include
dest: /usr/local/etc/nginx/conf.d/tls_settings.include
# Generate htpasswd with `htpasswd -c files/htpasswd user1`
# or `printf "USER:$(openssl passwd)\n" >> files/htpasswd`
- src: htpasswd
dest: /usr/local/etc/nginx/conf.d/htpasswd
- name: Install newsyslog configuration
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0600
owner: root
group: wheel
loop:
- src: newsyslog.conf
dest: /usr/local/etc/newsyslog.conf.d/nginx.conf
- name: Install service configuration
copy:
src: "files/{{ item }}_rc.conf"
dest: "/etc/rc.conf.d/{{ item }}"
mode: 0644
owner: root
group: wheel
loop:
- nginx


@@ -1,29 +0,0 @@
# - name: Build aur packages
# register: buildaur
# become_user: "{{ build_user.name }}"
# command: "aurutils-sync --no-view {{ item }}"
# args:
# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
# loop:
# - foo
# - name: Update cache
# when: buildaur.changed
# pacman:
# name: []
# state: present
# update_cache: true
# - name: Install packages
# package:
# name:
# - foo
# state: present
# - name: Enable services
# systemd:
# enabled: yes
# name: "{{ item }}"
# daemon_reload: yes
# loop:
# - foo.service


@@ -1,2 +0,0 @@
- import_tasks: tasks/common.yaml
# when: foo is defined


@@ -1,29 +0,0 @@
- include_role:
name: per_user
# - name: Create directories
# file:
# name: "{{ account_homedir.stdout }}/{{ item }}"
# state: directory
# mode: 0700
# owner: "{{ account_name.stdout }}"
# group: "{{ group_name.stdout }}"
# loop:
# - ".config/foo"
# - name: Copy files
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
# mode: 0600
# owner: "{{ account_name.stdout }}"
# group: "{{ group_name.stdout }}"
# loop:
# - src: foo.conf
# dest: .config/foo/foo.conf
- import_tasks: tasks/peruser_freebsd.yaml
when: 'os_flavor == "freebsd"'
- import_tasks: tasks/peruser_linux.yaml
when: 'os_flavor == "linux"'


@@ -90,11 +90,6 @@
"hw-address": "06:ca:1a:10:74:09",
"ip-address": "10.215.1.217"
},
{
// momlaptop - hard-coded in rc.conf, reproduced here to reserve ip
"hw-address": "06:85:69:c5:6a:d6",
"ip-address": "10.215.1.218"
},
{
// hydra
"hw-address": "06:84:36:68:03:77",


@@ -1,7 +0,0 @@
# linfi:
# enabled: true
# zfs_dataset: zroot/freebsd/current/vm/linfi
# zfs_mountpoint: /vm/linfi
# driver_blocklist: "if_iwm if_iwlwifi"
# pci_blocklist: "1/0/0"
# amd: true


@@ -1,239 +0,0 @@
#!/usr/local/bin/bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# Share a host directory to the guest via 9pfs.
#
# Inside the VM run:
# mount -t virtfs -o trans=virtio sharename /some/vm/path
# mount -t 9p -o cache=mmap -o msize=512000 sharename /mnt/9p
# mount -t 9p -o trans=virtio,cache=mmap,msize=512000 sharename /path/to/mountpoint
# bhyve_options="-s 28,virtio-9p,sharename=/"
# Enable Sound
# bhyve_options="-s 16,hda,play=/dev/dsp,rec=/dev/dsp"
# Example usage:
#
# doas bhyve_netgraph_bridge create-disk zdata/vm/poudriere /vm/poudriere 10
# doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere /vm/iso/FreeBSD-13.2-RELEASE-amd64-bootonly.iso
# doas bhyve_netgraph_bridge start poudriere zdata/vm/poudriere /vm/poudriere
: ${VERBOSE:="NO"} # or YES
: ${CPU_CORES:="1"}
: ${MEMORY:="1G"}
: ${NETWORK:="NAT"} # or RAW or BOTH
: ${IP_RANGE:="10.215.1.1/24"} # Ignored for RAW networks
: ${INTERFACE_NAME:="linfi_host"} # or the external interface like lagg0 for RAW networks
: ${BRIDGE_NAME:="bridge_$INTERFACE_NAME"} # or bridge_raw for RAW networks
: ${VNC_ENABLE:="NO"}
: ${VNC_LISTEN:="127.0.0.1:5900"}
: ${VNC_WIDTH:="1920"}
: ${VNC_HEIGHT:="1080"}
: ${PASSTHROUGH:="1/0/0"}
if [ "$VERBOSE" = "YES" ]; then
set -x
fi
############## Setup #########################
function cleanup {
for vm in "${vms[@]}"; do
log "Destroying bhyve vm $vm"
bhyvectl "--vm=$vm" --destroy
log "Destroyed bhyve vm $vm"
done
}
vms=()
for sig in EXIT; do
trap "set +e; sleep 10; cleanup" "$sig"
done
function die {
local status_code="$1"
shift
(>&2 echo "${@}")
exit "$status_code"
}
function log {
(>&2 echo "${@}")
}
############## Program #########################
function main {
local cmd="$1"
shift 1
if [ "$cmd" = "create-disk" ]; then
create_disk "${@}"
elif [ "$cmd" = "start" ]; then
start_vm "${@}"
else
die 1 "Unrecognized command $cmd"
fi
}
function create_disk {
local zfs_path="$1"
local mount_path="$2"
local gigabytes="$3"
zfs create -o "mountpoint=$mount_path" "$zfs_path"
cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/"
tee "${mount_path}/settings" <<EOF
CPU_CORES="$CPU_CORES"
MEMORY="$MEMORY"
NETWORK="$NETWORK"
IP_RANGE="$IP_RANGE"
BRIDGE_NAME="$BRIDGE_NAME"
INTERFACE_NAME="$INTERFACE_NAME"
EOF
zfs create -s "-V${gigabytes}G" -o volmode=dev -o primarycache=metadata -o secondarycache=none -o volblocksize=64K "$zfs_path/disk0"
}
function start_vm {
local name="$1"
local zfs_path="$2"
local mount_path="$3"
local mount_cd="${4:-}"
if [ -e "${mount_path}/settings" ]; then
source "${mount_path}/settings"
fi
local additional_args=()
local host_interface_name="linfi_host"
local bridge_name="linfi_bridge"
assert_bridge "$host_interface_name" "$bridge_name"
local mac_address
mac_address=$(calculate_mac_address "$name")
local bridge_link_name
bridge_link_name=$(detect_available_link "${bridge_name}")
additional_args+=("-s" "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name},mac=${mac_address}")
# -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
# -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
# -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
# -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080 \
# TODO: Look into using nmdm instead of stdio for serial console
if [ -n "$mount_cd" ]; then
additional_args+=("-s" "5,ahci-cd,$mount_cd")
fi
if [ "$VNC_ENABLE" = "YES" ]; then
additional_args+=("-s" "29,fbuf,tcp=$VNC_LISTEN,w=$VNC_WIDTH,h=$VNC_HEIGHT")
fi
vms+=("$name")
while true; do
set -x
set +e
bhyve \
-D \
-c sockets=1,cores=1,threads=1 \
-m "$MEMORY" \
-H \
-w \
-o 'rtc.use_localtime=false' \
-s 0,hostbridge \
-s "4,nvme,/dev/zvol/${zfs_path}/disk0" \
-S \
-s "7,passthru,${PASSTHROUGH}" \
-s 30,xhci,tablet \
-s 31,lpc -l com1,stdio \
-l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd" \
-U '08421734-875e-11ef-a0f3-f426796942c7' \
"${additional_args[@]}" \
"$name"
local exit_code=$?
set -e
set +x
if [ $exit_code -eq 0 ]; then
echo "Rebooting."
sleep 5
elif [ $exit_code -eq 1 ]; then
echo "Powered off."
break
elif [ $exit_code -eq 2 ]; then
echo "Halted."
break
elif [ $exit_code -eq 3 ]; then
echo "Triple fault."
break
elif [ $exit_code -eq 4 ]; then
echo "Exited due to an error."
break
fi
done
}
function detect_available_link {
local bridge_name="$1"
local linknum=1
while true; do
local link_name="link${linknum}"
if ! ng_exists "${bridge_name}:${link_name}"; then
echo "$link_name"
return
fi
linknum=$((linknum + 1))
if [ "$linknum" -gt 90 ]; then
(>&2 echo "No available links on bridge $bridge_name")
exit 1
fi
done
}
function assert_bridge {
local host_interface_name="$1"
local bridge_name="$2"
if ! ng_exists "${bridge_name}:"; then
ngctl -d -f - <<EOF
mkpeer . eiface hook ether
name .:hook $host_interface_name
EOF
ngctl -d -f - <<EOF
mkpeer ${host_interface_name}: bridge ether link0
name ${host_interface_name}:ether $bridge_name
EOF
ifconfig $(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${host_interface_name}" 192.168.253.2/24 up
route add default 192.168.253.1
fi
}
function ng_exists {
ngctl status "${1}" >/dev/null 2>&1
}
function calculate_mac_address {
local name="$1"
local source
source=$(md5 -r -s "$name" | awk '{print $1}')
echo "06:${source:0:2}:${source:2:2}:${source:4:2}:${source:6:2}:${source:8:2}"
}
function find_available_port {
local start_port="$1"
local port="$start_port"
while true; do
sockstat -P tcp -p 443
port=$((port + 1))
done
}
function ngctlcat {
if [ "$VERBOSE" = "YES" ]; then
tee /dev/tty | ngctl -d -f -
else
ngctl -d -f -
fi
}
main "${@}"


@@ -1 +0,0 @@
linfi_enable="YES"


@@ -1,3 +0,0 @@
dependencies:
- role: bhyve
when: 'os_flavor == "freebsd"'


@@ -1,55 +0,0 @@
# - name: Create directories
# file:
# name: "{{ item }}"
# state: directory
# mode: 0755
# owner: root
# group: wheel
# loop:
# - /foo/bar
# - name: Install scripts
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ item.dest }}"
# mode: 0755
# owner: root
# group: wheel
# loop:
# - src: foo.bash
# dest: /usr/local/bin/foo
# - name: Install Configuration
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ item.dest }}"
# mode: 0600
# owner: root
# group: wheel
# loop:
# - src: foo.conf
# dest: /usr/local/etc/foo.conf
# - name: Clone Source
# git:
# repo: "https://foo.bar/baz.git"
# dest: /foo/bar
# version: "v1.0.2"
# force: true
# diff: false
- import_tasks: tasks/freebsd.yaml
when: 'os_flavor == "freebsd"'
- import_tasks: tasks/linux.yaml
when: 'os_flavor == "linux"'
- include_tasks:
file: tasks/peruser.yaml
apply:
become: yes
become_user: "{{ initialize_user }}"
when: users is defined
loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
loop_control:
loop_var: initialize_user


@@ -1,50 +0,0 @@
- name: Install loader.conf
template:
src: "templates/{{ item }}_loader.conf.j2"
dest: "/boot/loader.conf.d/{{ item }}.conf"
mode: 0644
owner: root
group: wheel
loop:
- linfi
- name: Install scripts
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0755
owner: root
group: wheel
loop:
- src: launch_linfi.bash
dest: /usr/local/bin/launch_linfi
- name: Install rc script
template:
src: "templates/{{ item.src }}.j2"
dest: "/usr/local/etc/rc.d/{{ item.dest|default(item.src) }}"
owner: root
group: wheel
mode: 0755
loop:
- src: linfi
- name: Install service configuration
copy:
src: "files/{{ item }}_rc.conf"
dest: "/etc/rc.conf.d/{{ item }}"
mode: 0644
owner: root
group: wheel
loop:
- linfi
- name: Install service configuration
template:
src: "templates/{{ item }}_rc.conf.j2"
dest: "/etc/rc.conf.d/{{ item }}"
mode: 0644
owner: root
group: wheel
loop:
- devmatch


@@ -1,29 +0,0 @@
# - name: Build aur packages
# register: buildaur
# become_user: "{{ build_user.name }}"
# command: "aurutils-sync --no-view {{ item }}"
# args:
# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
# loop:
# - foo
# - name: Update cache
# when: buildaur.changed
# pacman:
# name: []
# state: present
# update_cache: true
# - name: Install packages
# package:
# name:
# - foo
# state: present
# - name: Enable services
# systemd:
# enabled: yes
# name: "{{ item }}"
# daemon_reload: yes
# loop:
# - foo.service


@@ -1,2 +0,0 @@
- import_tasks: tasks/common.yaml
when: linfi is defined and linfi.enabled


@@ -1,29 +0,0 @@
- include_role:
name: per_user
# - name: Create directories
# file:
# name: "{{ account_homedir.stdout }}/{{ item }}"
# state: directory
# mode: 0700
# owner: "{{ account_name.stdout }}"
# group: "{{ group_name.stdout }}"
# loop:
# - ".config/foo"
# - name: Copy files
# copy:
# src: "files/{{ item.src }}"
# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
# mode: 0600
# owner: "{{ account_name.stdout }}"
# group: "{{ group_name.stdout }}"
# loop:
# - src: foo.conf
# dest: .config/foo/foo.conf
- import_tasks: tasks/peruser_freebsd.yaml
when: 'os_flavor == "freebsd"'
- import_tasks: tasks/peruser_linux.yaml
when: 'os_flavor == "linux"'


@@ -1,2 +0,0 @@
devmatch_enable="YES"
devmatch_blocklist="{{ linfi.driver_blocklist }}"


@@ -1,46 +0,0 @@
#!/bin/sh
#
# PROVIDE: linfi
# REQUIRE: LOGIN
# KEYWORD: shutdown nojail
. /etc/rc.subr
name=linfi
rcvar=${name}_enable
start_cmd="${name}_start"
stop_cmd="${name}_stop"
status_cmd="${name}_status"
load_rc_config $name
tmux_name="linfi"
linfi_start() {
/usr/local/bin/tmux new-session -d -s "$tmux_name" "/usr/bin/env PASSTHROUGH='{{ linfi.pci_blocklist }}' /usr/local/bin/bash /usr/local/bin/launch_linfi start linfi {{ linfi.zfs_dataset }} {{ linfi.zfs_mountpoint }}"
# /vm/.iso/alpine-extended-3.20.3-x86_64.iso
}
linfi_status() {
if /usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null; then
echo "$tmux_name is running."
else
echo "$tmux_name is not running."
return 1
fi
}
linfi_stop() {
/usr/local/bin/tmux has-session -t $tmux_name 2>/dev/null && (
/usr/local/bin/tmux kill-session -t $tmux_name
sleep 10
bhyvectl --vm=linfi --destroy
# kill `cat /var/run/linfi.pid`
)
linfi_wait_for_end
}
linfi_wait_for_end() {
while /usr/local/bin/tmux has-session -t $tmux_name 2>dev/null; do
sleep 1
done
}
run_rc_command "$1"


@@ -1,5 +0,0 @@
vmm_load="YES"
pptdevs="{{ linfi.pci_blocklist }}"
{% if linfi.amd %}
hw.vmm.amdvi.enable="1"
{% endif %}


@@ -0,0 +1,4 @@
ndproxy_enable="YES"
ndproxy_uplink_interface="lagg0"
ndproxy_downlink_mac_address="3c:ec:ef:bf:41:be" # Mac address of lagg0
ndproxy_uplink_ipv6_addresses="fe80::21c:73ff:fe9d:c083" # uplink router's address (ndp -na) <-- Link-Local address of vtnet0
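Review bot: The inline comments on the third and fourth lines disagree about which interface these values were taken from: the downlink MAC is annotated as belonging to lagg0, while the upstream router's link-local address is annotated as seen from vtnet0, even though `ndproxy_uplink_interface` is set to `lagg0`. Someone rebuilding this host cannot tell from the file which interface to read each value on, so each comment should name the interface it was actually captured from, e.g. `# ether address of this host's lagg0` and `# link-local address of the upstream router as seen on lagg0 (ndp -na)`. Both values are host-specific link identifiers committed in a static file; if this rc.conf fragment is ever applied to a second host it would presumably need to move to host_vars and a template, but that is inferred from the surrounding role layout rather than visible here.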


@@ -1,4 +1,4 @@
# wlans_ath0="wlan0"
# ifconfig_wlan0="WPA DHCP"
# ifconfig_wlan0_ipv6="inet6 accept_rtadv"
# ipv6_cpe_wanif="wlan0"
wlans_iwlwifi0="wlan0"
ifconfig_wlan0="WPA DHCP"
ifconfig_wlan0_ipv6="inet6 accept_rtadv"
ipv6_cpe_wanif="wlan0"


@@ -0,0 +1,3 @@
FreeBSD-ports: {
url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest"
}
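Review bot: The new `FreeBSD-ports` repository definition sets only `url`; it has no `signature_type` or `fingerprints` entries, so unless a same-named definition elsewhere supplies them, pkg will use this repository without verifying package signatures. The stock FreeBSD repo definitions also set `mirror_type: "srv"` so the `${ABI}` URL is resolved through SRV records. Suggest adding `mirror_type: "srv"`, `signature_type: "fingerprints"` and `fingerprints: "/usr/share/keys/pkg"` inside the block. Moving from the deleted definition's `pkg+http` to `pkg+https` is an improvement, but the fingerprint check is what protects against a tampered mirror, and it is absent here.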


@@ -1,3 +0,0 @@
FreeBSD: {
url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
}


@@ -31,13 +31,12 @@
#PKG_ENABLE_PLUGINS = true;
#PLUGINS [
#]
PLUGINS [
"provides"
]
PLUGINS [ provides ];
#DEBUG_SCRIPTS = false;
#PLUGINS_CONF_DIR = "/usr/local/etc/pkg/";
#PERMISSIVE = false;
#REPO_AUTOUPDATE = true;
#FORCE_CAN_REMOVE_VITAL = true;
#NAMESERVER = "";
#HTTP_USER_AGENT = "Custom_User_Manager";
#EVENT_PIPE = "";
@@ -57,35 +56,37 @@ PLUGINS [
#IP_VERSION = 0
# Sample alias settings
ALIAS : {
all-depends: query %dn-%dv,
annotations: info -A,
build-depends: info -qd,
cinfo: info -Cx,
comment: query -i "%c",
csearch: search -Cx,
desc: query -i "%e",
download: fetch,
iinfo: info -ix,
isearch: search -ix,
prime-list: "query -e '%a = 0' '%n'",
prime-origins: "query -e '%a = 0' '%o'",
leaf: "query -e '%#r == 0' '%n-%v'",
list: info -ql,
noauto = "query -e '%a == 0' '%n-%v'",
options: query -i "%n - %Ok: %Ov",
origin: info -qo,
orphans: version -vRl\?,
provided-depends: info -qb,
rall-depends: rquery %dn-%dv,
raw: info -R,
rcomment: rquery -i "%c",
rdesc: rquery -i "%e",
required-depends: info -qr,
roptions: rquery -i "%n - %Ok: %Ov",
shared-depends: info -qB,
show: info -f -k,
size: info -sq,
unmaintained = "query -e '%m = \"ports@FreeBSD.org\"' '%o (%w)'",
runmaintained = "rquery -e '%m = \"ports@FreeBSD.org\"' '%o (%w)'",
}
ALIAS {
all-depends = "query %dn-%dv";
annotations = "info -A";
build-depends = "info -qd";
cinfo = "info -Cx";
comment = "query -i \"%c\"";
csearch = "search -Cx";
desc = "query -i \"%e\"";
download = "fetch";
iinfo = "info -ix";
isearch = "search -ix";
prime-list = "query -e '%a = 0' '%n'";
prime-origins = "query -e '%a = 0' '%o'";
leaf = "query -e '%#r == 0' '%n-%v'";
list = "info -ql";
noauto = "query -e '%a == 0' '%n-%v'";
options = "query -i \"%n - %Ok: %Ov\"";
origin = "info -qo";
orphans = "version -vRl?";
provided-depends = "info -qb";
rall-depends = "rquery %dn-%dv";
raw = "info -R";
rcomment = "rquery -i \"%c\"";
rdesc = "rquery -i \"%e\"";
required-depends = "info -qr";
roptions = "rquery -i \"%n - %Ok: %Ov\"";
sets = "info -d -C -x '^FreeBSD-set-'";
shared-depends = "info -qB";
show = "info -f -k";
size = "info -sq";
unmaintained = "query -e '%m = \"ports@FreeBSD.org\"' '%o (%w)'";
runmaintained = "rquery -e '%m = \"ports@FreeBSD.org\"' '%o (%w)'";
}
BACKUP_LIBRARIES=yes
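Review bot: `BACKUP_LIBRARIES=yes` on the last added line does not follow the `KEY = value;` form used everywhere else in this file, and the file otherwise writes booleans as `true`/`false` (see the commented `#PKG_ENABLE_PLUGINS = true;` in the first hunk); suggest `BACKUP_LIBRARIES = true;`. The `sets` alias is the only entry the rewritten ALIAS block adds beyond upstream's sample list, so a one-line comment above it stating what the `^FreeBSD-set-` packages it matches are would help the next reader tell it apart from the boilerplate aliases. The same terse style applies to `PLUGINS [ provides ];` in the first hunk, which is fine as written.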


@@ -26,60 +26,6 @@
- src: pkg.conf
dest: /usr/local/etc/pkg.conf
- name: Install Configuration
when: custom_repo is not defined
register: changed_config
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
owner: root
group: wheel
loop:
- src: FreeBSD.conf
dest: /usr/local/etc/pkg/repos/FreeBSD.conf
- name: Install Configuration
when: custom_repo is defined
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
owner: root
group: wheel
loop:
- src: disable_freebsd_upstream.conf
dest: /usr/local/etc/pkg/repos/FreeBSD.conf
- src: poudriere.pub
dest: /usr/local/etc/pkg/poudriere.pub
- name: Install Configuration
when: custom_repo is defined
register: changed_config
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: wheel
mode: 0644
loop:
- { src: custom.conf.j2, dest: /usr/local/etc/pkg/repos/custom.conf }
- name: Install Configuration
when: pkgbase_url is defined
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: wheel
mode: 0644
loop:
- { src: pkgbase.conf.j2, dest: /usr/local/etc/pkg/repos/pkgbase.conf }
# - name: Replace all packages with packages from new repo
# command: pkg upgrade -f -y
# when: changed_config.changed
- name: Install scripts
copy:
src: "files/{{ item.src }}"


@@ -75,4 +75,3 @@ home IN A 68.197.252.22
opstunnel IN CNAME home.fizz.buzz.
stream IN CNAME home.fizz.buzz.
stuff IN CNAME home.fizz.buzz.
momlaptop IN CNAME home.fizz.buzz.


@@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINtEizWWTfTdWJ+f6F2ot27V0ktYAxSCVI6d/tpS6ARw mole@maxwell


@@ -1,4 +1,4 @@
# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
# $OpenBSD: sshd_config,v 1.105 2024/12/03 14:12:47 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@@ -56,12 +56,15 @@ AuthorizedKeysFile .ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# Change to yes to enable built-in password authentication.
# Change to "yes" to enable built-in password authentication.
# Note that passwords may also be accepted via KbdInteractiveAuthentication.
#PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable PAM authentication
# Change to "no" to disable keyboard-interactive authentication. Depending on
# the system's configuration, this may involve passwords, challenge-response,
# one-time passwords or some combination of these and other methods.
# Keyboard interactive authentication is also used for PAM authentication.
#KbdInteractiveAuthentication yes
KbdInteractiveAuthentication no
@@ -105,7 +108,8 @@ KbdInteractiveAuthentication no
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#UseBlacklist no
#UseBlocklist no
#VersionAddendum FreeBSD-20250801
# no default banner path
#Banner none


@@ -34,8 +34,6 @@ elif [ "$target" = "certificate" ]; then
ansible-playbook -v -i environments/jail playbook.yaml --diff --limit certificate "${@}"
elif [ "$target" = "bastion" ]; then
ansible-playbook -v -i environments/jail playbook.yaml --diff --limit bastion "${@}"
elif [ "$target" = "momlaptop" ]; then
ansible-playbook -v -i environments/jail playbook.yaml --diff --limit momlaptop "${@}"
elif [ "$target" = "vm_poudriereodo" ]; then
ansible-playbook -v -i environments/vm playbook.yaml --diff --limit poudriereodo "${@}"
elif [ "$target" = "vm_poudrieremrmanager" ]; then