Compare commits
3 Commits
9e107d4a75
...
63a966947b
| Author | SHA1 | Date | |
|---|---|---|---|
|
63a966947b
|
||
|
|
fb679924bc
|
||
|
|
fb90c63d84
|
@ -11,7 +11,7 @@ poudriere_builds:
|
||||
set: framework
|
||||
version: CURRENT
|
||||
# revision: 66d37dbedfbf2dc94ccf49e6983c3652d5909b91
|
||||
kernel: GENERIC-NODEBUG
|
||||
kernel: CUSTOM
|
||||
branch: main
|
||||
srcconf: currentznver4_src.conf
|
||||
# - jail: 14broadwell
|
||||
@ -24,6 +24,6 @@ poudriere_builds:
|
||||
ports: default
|
||||
set: computer
|
||||
version: CURRENT
|
||||
kernel: GENERIC
|
||||
kernel: CUSTOM
|
||||
branch: releng/14.1
|
||||
srcconf: 14broadwell_src.conf
|
||||
|
||||
@ -10,3 +10,6 @@ add_header X-Content-Type-Options "nosniff" always;
|
||||
# Disallow the site to be rendered within a frame (clickjacking
|
||||
# protection)
|
||||
add_header X-Frame-Options "DENY" always;
|
||||
|
||||
# Indicate that we are serving http3 on port 443
|
||||
add_header Alt-Svc 'h3=":443"; ma=864000';
|
||||
|
||||
@ -26,6 +26,8 @@ http {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 quic reuseport;
|
||||
listen [::]:443 quic reuseport;
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
|
||||
@ -5,3 +5,5 @@ proxy_set_header X-Forwarded-Proto $scheme;
|
||||
# Settings for keepalive module for upstreams
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Connection "";
|
||||
# Requests sent with early data are subject to replay attacks so the application needs to protect against that by using the Early-Data header.
|
||||
# proxy_set_header Early-Data $ssl_early_data;
|
||||
|
||||
@ -1,5 +1,4 @@
|
||||
[Network]
|
||||
EnableIPv6=true
|
||||
# NameResolvingService=resolvconf
|
||||
NameResolvingService=systemd
|
||||
|
||||
|
||||
@ -42,12 +42,12 @@
|
||||
state: present
|
||||
sysctl_file: "/etc/sysctl.conf.local"
|
||||
loop:
|
||||
[]
|
||||
# - name: net.inet6.ip6.accept_rtadv # Enable stateless autoconfiguration (SLAAC)
|
||||
# value: "1"
|
||||
# - name: net.inet6.ip6.use_tempaddr # Enable privacy addresses
|
||||
# value: "1"
|
||||
# - name: net.inet6.ip6.prefer_tempaddr # Prefer privacy addresses
|
||||
- name: net.inet6.ip6.accept_rtadv # Enable stateless autoconfiguration (SLAAC)
|
||||
value: "1"
|
||||
- name: net.inet6.ip6.use_tempaddr # Enable privacy addresses
|
||||
value: "1"
|
||||
- name: net.inet6.ip6.prefer_tempaddr # Prefer privacy addresses
|
||||
value: "1"
|
||||
|
||||
- name: Install service configuration
|
||||
copy:
|
||||
|
||||
@ -29,6 +29,26 @@
|
||||
- src: 10-wired.network
|
||||
dest: /etc/systemd/network/10-wired.network
|
||||
|
||||
- name: Configure sysctls
|
||||
sysctl:
|
||||
name: "{{ item.name }}"
|
||||
value: "{{ item.value }}"
|
||||
state: present
|
||||
sysctl_file: /etc/sysctl.d/{{ item.file }}
|
||||
loop:
|
||||
# Enable IPv6 Privacy Extensions
|
||||
- name: net.ipv6.conf.all.use_tempaddr
|
||||
value: 2
|
||||
file: 40-ipv6.conf
|
||||
# Enable IPv6 Privacy Extensions
|
||||
- name: net.ipv6.conf.default.use_tempaddr
|
||||
value: 2
|
||||
file: 40-ipv6.conf
|
||||
# Enable IPv6 Privacy Extensions
|
||||
# - name: net.ipv6.conf.nic.use_tempaddr
|
||||
# value: 2
|
||||
# file: 40-ipv6.conf
|
||||
|
||||
- name: Enable services
|
||||
systemd:
|
||||
enabled: yes
|
||||
|
||||
8
ansible/roles/package_manager/files/pkgbase_diff.bash
Normal file
8
ansible/roles/package_manager/files/pkgbase_diff.bash
Normal file
@ -0,0 +1,8 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# Show the diff to have local pkgbase become matching to the remote pkgbase
|
||||
set -euo pipefail
|
||||
IFS=$'\n\t'
|
||||
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
|
||||
|
||||
diff --color=always <(doas pkg info --glob 'FreeBSD-*' | sed 's/-[0-9]*.snap[0-9]*//g') <(doas pkg search -q --glob 'FreeBSD-*' | sed 's/-[0-9]*.snap[0-9]*//g')
|
||||
@ -75,6 +75,18 @@
|
||||
mode: 0644
|
||||
loop:
|
||||
- { src: pkgbase.conf.j2, dest: /usr/local/etc/pkg/repos/pkgbase.conf }
|
||||
|
||||
# - name: Replace all packages with packages from new repo
|
||||
# command: pkg upgrade -f -y
|
||||
# when: changed_config.changed
|
||||
|
||||
- name: Install scripts
|
||||
copy:
|
||||
src: "files/{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: 0755
|
||||
owner: root
|
||||
group: wheel
|
||||
loop:
|
||||
- src: pkgbase_diff.bash
|
||||
dest: /usr/local/bin/pkgbase_diff
|
||||
|
||||
@ -3,28 +3,37 @@ WITH_MALLOC_PRODUCTION=YES
|
||||
WITHOUT_LLVM_ASSERTIONS=YES
|
||||
WITH_REPRODUCIBLE_BUILD=YES
|
||||
|
||||
WITHOUT_DEBUG_FILES=YES
|
||||
WITHOUT_ASSERT_DEBUG=YES
|
||||
WITHOUT_LLVM_TARGET_ALL=YES
|
||||
WITHOUT_LIB32=YES
|
||||
WITHOUT_HTML=YES
|
||||
|
||||
WITHOUT_OFED=YES # OpenFabrics Enterprise Distributio
|
||||
WITHOUT_FLOPPY=YES
|
||||
WITHOUT_IPFILTER=YES
|
||||
WITHOUT_GAMES=YES
|
||||
WITH_SORT_THREADS=YES
|
||||
WITHOUT_TESTS=YES
|
||||
WITHOUT_USB_GADGET_EXAMPLES=YES
|
||||
WITHOUT_HYPERV=YES
|
||||
WITHOUT_LEGACY_CONSOLE=YES
|
||||
|
||||
# Would be fun to experiment with:
|
||||
# WITHOUT_SOURCELESS=YES
|
||||
# WITHOUT_GAMES=YES
|
||||
# WITHOUT_KERBEROS=YES
|
||||
# WITHOUT_LEGACY_CONSOLE=YES
|
||||
# WITHOUT_LIB32=YES
|
||||
# WITHOUT_LOADER_GELI=YES
|
||||
# WITHOUT_MLX5TOOL=YES
|
||||
# WITHOUT_NDIS=YES
|
||||
# WITHOUT_OFED=YES
|
||||
# WITHOUT_PPP=YES
|
||||
# WITH_SORT_THREADS=YES
|
||||
# WITHOUT_TALK=YES
|
||||
# WITHOUT_TCSH=YES
|
||||
|
||||
|
||||
# Questionable Optimizations
|
||||
WITHOUT_FLOPPY=YES
|
||||
WITHOUT_HTML=YES
|
||||
WITHOUT_IPFW=YES
|
||||
WITHOUT_IPFILTER=YES
|
||||
WITHOUT_LLVM_TARGET_ALL=YES
|
||||
# WITHOUT_KERNEL_SYMBOLS=YES
|
||||
|
||||
# Commented out because maybe I want email alerts for failing disks
|
||||
# WITHOUT_MAIL=YES
|
||||
|
||||
# Some ports like curl depend on kerberos by default. I figure I'd rather just have kerberos built into the base system than depend on a port.
|
||||
# WITHOUT_KERBEROS=YES
|
||||
|
||||
# Need to enable IPFW for dummynet
|
||||
# WITHOUT_IPFW=YES
|
||||
|
||||
@ -11,7 +11,6 @@ WITHOUT_HTML=YES
|
||||
|
||||
WITHOUT_OFED=YES # OpenFabrics Enterprise Distributio
|
||||
WITHOUT_FLOPPY=YES
|
||||
WITHOUT_IPFW=YES
|
||||
WITHOUT_IPFILTER=YES
|
||||
WITHOUT_GAMES=YES
|
||||
WITH_SORT_THREADS=YES
|
||||
@ -35,3 +34,6 @@ WITHOUT_LEGACY_CONSOLE=YES
|
||||
|
||||
# Some ports like curl depend on kerberos by default. I figure I'd rather just have kerberos built into the base system than depend on a port.
|
||||
# WITHOUT_KERBEROS=YES
|
||||
|
||||
# Need to enable IPFW for dummynet
|
||||
# WITHOUT_IPFW=YES
|
||||
|
||||
@ -12,5 +12,7 @@ if ! grep -q "${jail_name}" <<<"$jail_list"; then
|
||||
fi
|
||||
|
||||
poudriere jail -d -j "$jail_name" -C all
|
||||
rm -rf /usr/local/poudriere/data/images/${jail_name}-repo \
|
||||
/usr/obj/usr/local/poudriere/jails/${jail_name}
|
||||
|
||||
echo "Deleted jail $jail_name"
|
||||
|
||||
@ -123,6 +123,7 @@
|
||||
|
||||
- name: Create the jails
|
||||
when: item.version != "CURRENT"
|
||||
check_mode: false
|
||||
command: |-
|
||||
echo poudriere jail {{poudriere_perf_flags}} -c -j {{ item.jail }} -v {{ item.version }} -a amd64 -K {{ item.kernel|default("GENERIC") }} -B -b
|
||||
args:
|
||||
@ -131,6 +132,7 @@
|
||||
|
||||
- name: Create the jails
|
||||
when: item.version == "CURRENT"
|
||||
check_mode: false
|
||||
# -D clones the entire history instead of just the most recent commit
|
||||
# -B to build the pkgbase packages
|
||||
# -b to build the jail OS from source
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user