From 5cb62c1ca3d26d2682751d535e72925ba6699b4b Mon Sep 17 00:00:00 2001 From: NaeiKinDus Date: Wed, 26 Feb 2025 00:00:00 +0000 Subject: [PATCH 01/10] fix(k3s): fixed invalid ip6 FW rule --- .../roles/k3s/templates/nftables.d/k3s_servers.nft.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible_collections/nullified/infrastructure/roles/k3s/templates/nftables.d/k3s_servers.nft.j2 b/ansible_collections/nullified/infrastructure/roles/k3s/templates/nftables.d/k3s_servers.nft.j2 index cf04da6..cfd6f2f 100644 --- a/ansible_collections/nullified/infrastructure/roles/k3s/templates/nftables.d/k3s_servers.nft.j2 +++ b/ansible_collections/nullified/infrastructure/roles/k3s/templates/nftables.d/k3s_servers.nft.j2 @@ -3,7 +3,7 @@ table inet filter { chain input { # operators access {%+ if k3s_nft_operators4 %}ip saddr { {{ k3s_nft_operators4 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%} - {%+ if k3s_nft_operators6 %}ip saddr { {{ k3s_nft_operators6 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%} + {%+ if k3s_nft_operators6 %}ip6 saddr { {{ k3s_nft_operators6 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%} # required only for HA with embedded etcd {%+ if k3s_nft_servers4 %}ip saddr { {{ k3s_nft_servers4 | join(',') }} } tcp dport { 2379, 2380 } accept{%- endif +%} From 4244571f9492b1183294ca477d437e32a720c844 Mon Sep 17 00:00:00 2001 From: NaeiKinDus Date: Wed, 26 Feb 2025 00:00:00 +0000 Subject: [PATCH 02/10] feat(workstation): added picom configuration --- .../nullified/infrastructure/roles/workstation/tasks/main.yml | 1 + .../roles/workstation/templates/.config/picom.conf | 1 + 2 files changed, 2 insertions(+) create mode 100644 ansible_collections/nullified/infrastructure/roles/workstation/templates/.config/picom.conf diff --git a/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml b/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml index 6830f3b..0f29306 100644 
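Review bot: The `ip6 saddr` correction covers only the operators rule, and the context line right below it still builds the etcd rule with `ip saddr` for `k3s_nft_servers4` — if the template has a `k3s_nft_servers6` counterpart further down (outside this hunk), confirm it did not inherit the same `ip` family selector. The original line was not a rule that quietly matched nothing: `nft -f` rejects a file it cannot parse as a whole, so the whole firewall load failed; a `validate: 'nft -c -f %s'` on the task that renders this template (not visible here) would surface that class of error at play time instead of at service restart. Minor: the operator rules use `join(', ')` while the server rule uses `join(',')` — nft accepts both, but one form is easier to grep for.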
--- a/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml +++ b/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml @@ -166,6 +166,7 @@ loop: - { src: "../templates/.config/terminator", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" } - { src: "../templates/.config/vlc", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" } + - { src: "../templates/.config/picom.conf", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config"} - name: '[authenticator] find if binary is already installed' ansible.builtin.file: diff --git a/ansible_collections/nullified/infrastructure/roles/workstation/templates/.config/picom.conf b/ansible_collections/nullified/infrastructure/roles/workstation/templates/.config/picom.conf new file mode 100644 index 0000000..f961da9 --- /dev/null +++ b/ansible_collections/nullified/infrastructure/roles/workstation/templates/.config/picom.conf @@ -0,0 +1 @@ +backend = "glx" From ed41e77b30223dee0deff4f2645eef13a0a67f69 Mon Sep 17 00:00:00 2001 From: NaeiKinDus Date: Wed, 26 Feb 2025 00:00:00 +0000 Subject: [PATCH 03/10] chore(inventory): updated sysctl configuration for unobtainium --- inventory/host_vars/unobtainium/vars.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/inventory/host_vars/unobtainium/vars.yml b/inventory/host_vars/unobtainium/vars.yml index fd18b30..13bd87c 100644 --- a/inventory/host_vars/unobtainium/vars.yml +++ b/inventory/host_vars/unobtainium/vars.yml @@ -15,6 +15,8 @@ common_install_fonts: true security_sysctl_configuration: 'fs.inotify.max_user_watches': 1048576 'vm.swappiness': 1 + 'vm.max_map_count': 524288 + 'vm.min_free_kbytes': 1048576 workstation_setup_xorg_enabled: true # security role security_firewall_filter_policy_output: accept From 93a3754ce4550f3884645e8821114726575c9056 Mon Sep 17 00:00:00 2001 
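Review bot: Whether `picom.conf` lands as `~/.config/picom.conf` depends on the module above this hunk: the two sibling entries (`terminator`, `vlc`) are directories dropped into `.config`, whereas this one is a single file given the same directory `dest`, so check that the module handles a file source with a directory destination the way intended. Style: the added mapping ends in `/.config"}` where the lines above use `/.config" }`; keep the flow-mapping spacing consistent, `- { src: "../templates/.config/picom.conf", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" }`. The task header (module name, `become`/ownership options) starts above the hunk.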
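Review bot: The two new sysctl values carry no rationale, and `vm.min_free_kbytes: 1048576` is not a harmless tuning knob — it makes the kernel keep 1 GiB of RAM permanently free, and the kernel's sysctl/vm documentation warns that setting it too high relative to total memory will OOM the machine; the host's RAM size is not visible here, so check the value against it. `vm.max_map_count: 524288` is the kind of limit raised for a specific mmap-heavy or large-heap workload, which a reader of the host vars cannot infer. A short comment above each would let the next person judge whether they still apply, e.g. `# vm.min_free_kbytes: keep 1 GiB free for the kernel's reserves; must stay well below total RAM` and `# vm.max_map_count: raised for <workload>`.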
From: NaeiKinDus Date: Wed, 26 Feb 2025 00:00:00 +0000 Subject: [PATCH 04/10] chore(tooling): cleanup of Taskfile --- Taskfile.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/Taskfile.yml b/Taskfile.yml index 2905361..45252d8 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -33,6 +33,7 @@ tasks: DOCKERFILE: '{{.ITEM}}' DOCKER_CONTEXT: images IMAGE_TAG: '{{.ITEM | splitList "/" | last | replace "Dockerfile-" ""}}' + docker:build:image: internal: true sources: @@ -42,13 +43,6 @@ tasks: status: - docker image ls --format '{{"{{"}} .Tag {{"}}"}}' | grep -E '^{{.IMAGE_TAG}}$' - docker:push: - desc: push locally built images - cmds: - - 'echo docker push $DOCKER_REPOSITORY:$IMAGE_TAG' - env: - IMAGE_TAG: - nosey: desc: start noseyparker to ensure no secrets or passwords are committed cmds: From 43d68e5cabc15c2798a2e435ae29c6602018814c Mon Sep 17 00:00:00 2001 From: NaeiKinDus Date: Sun, 2 Mar 2025 00:00:00 +0000 Subject: [PATCH 05/10] feat(tooling): added tasks to ease en/decrypt operations on vault files --- Taskfile.yml | 7 +++++++ scripts/pass_get_vault_id.sh | 6 ++++++ tasks/setup_linux.yml | 1 + tasks/utils.yml | 27 +++++++++++++++++++++++++++ 4 files changed, 41 insertions(+) create mode 100755 scripts/pass_get_vault_id.sh create mode 100644 tasks/utils.yml diff --git a/Taskfile.yml b/Taskfile.yml index 45252d8..1bdbf44 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -3,14 +3,20 @@ version: '3' includes: setup: ./tasks/setup_{{OS}}.yml test: ./tasks/tests.yml + utils: + taskfile: ./tasks/utils.yml + flatten: true env: DOCKER_REPOSITORY: pouncetech/molecule + ANSIBLE_VAULT_PASSWORD_FILE: ./scripts/pass_get_vault_id.sh vars: PYTHON_WRAPPER: '{{.ROOT_DIR}}/scripts/python_wrapper.sh' MOLECULE_DIR: '{{.ROOT_DIR}}/collections/ansible_collections/nullified/infrastructure/extensions' COLLECTIONS_DIR: '{{.ROOT_DIR}}/collections/ansible_collections' + ANSIBLE_PASS_PATH: ansible/vault-id + ANSIBLE_PASS_LENGTH: 50 tasks: setup: 
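Review bot: `ANSIBLE_PASS_PATH` is declared under `vars:`, which Task uses for templating but does not export to the processes it spawns, while `scripts/pass_get_vault_id.sh` reads `ANSIBLE_PASS_PATH` from the environment and otherwise falls back to its own literal `ansible/vault-id`; the two only agree because the same string was typed twice. Changing the var would move `vault:init` to a new `pass` entry while Ansible kept looking up the old one, so either add the key under `env:` as well (next to `ANSIBLE_VAULT_PASSWORD_FILE`), `ANSIBLE_PASS_PATH: ansible/vault-id`, or make the script the single owner of the default and reference it from the task. A one-line comment on the `env:` entry saying that the script's stdout becomes the vault password would also save the next reader a trip to `scripts/`. The hunk ends inside the `setup` task, whose list of sub-tasks continues below.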
@@ -20,6 +26,7 @@ tasks: - task: 'setup:venv' - task: 'setup:ansible' - task: 'setup:galaxy' + - task: 'vault:init' docker:build: desc: build docker images locally. diff --git a/scripts/pass_get_vault_id.sh b/scripts/pass_get_vault_id.sh new file mode 100755 index 0000000..e8205dc --- /dev/null +++ b/scripts/pass_get_vault_id.sh @@ -0,0 +1,6 @@ +#!/usr/bin/env bash + +PASSWORD_STORE_BIN=${PASSWORD_STORE_BIN:-"pass"} +ANSIBLE_PASS_PATH=${ANSIBLE_PASS_PATH:-"ansible/vault-id"} + +$PASSWORD_STORE_BIN show "${ANSIBLE_PASS_PATH}" diff --git a/tasks/setup_linux.yml b/tasks/setup_linux.yml index fedf2fb..1962986 100644 --- a/tasks/setup_linux.yml +++ b/tasks/setup_linux.yml @@ -11,6 +11,7 @@ tasks: build-essential \ coreutils \ curl \ + pass \ libcurl4-openssl-dev \ libtool \ python3-virtualenv \ diff --git a/tasks/utils.yml b/tasks/utils.yml new file mode 100644 index 0000000..62e59d4 --- /dev/null +++ b/tasks/utils.yml @@ -0,0 +1,27 @@ +version: '3' + +tasks: + encrypt: + desc: encrypt all vault.yml files using; requires creating a vault-id file in your home + vars: + VAULT_FILES: + sh: find . -type f -name vault.yml -and -not -path "./.venv/*" + cmds: + - for: { var: VAULT_FILES } + cmd: '{{.PYTHON_WRAPPER}} ansible-vault encrypt {{.ITEM | replace "\n" " " }} || true' + + decrypt: + desc: encrypt all vault.yml files using; requires creating a vault-id file in your home + vars: + VAULT_FILES: + sh: find . -type f -name vault.yml -and -not -path "./.venv/*" + cmds: + - for: { var: VAULT_FILES } + cmd: '{{.PYTHON_WRAPPER}} ansible-vault decrypt {{.ITEM | replace "\n" " " }} || true' + + vault:init: + desc: Create a vault id file in your home directory for encrypting/decrypting vault files + cmds: + - 'pass generate {{.ANSIBLE_PASS_PATH}} {{.ANSIBLE_PASS_LENGTH}} > /dev/null' + status: + - 'pass show {{.ANSIBLE_PASS_PATH}} &> /dev/null ' From 52487602687f3e9d972aaa7586cbfe7cbeadba32 Mon Sep 17 00:00:00 2001 
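Review bot: Adding `vault:init` to `setup` makes the whole bootstrap fail on a machine whose password store was never initialised: the task's `status:` check (`pass show …`) fails for a missing entry, so `pass generate` runs, and `pass generate` refuses to work until `pass init <gpg-id>` has been done — nothing in the setup chain does that (`setup_linux.yml` only installs the package). A `preconditions:` entry on `vault:init` turns that into a clear message: `sh: test -f "${PASSWORD_STORE_DIR:-$HOME/.password-store}/.gpg-id"` with `msg: "run 'pass init <gpg-id>' before task setup"`. It also runs last, after the venv and galaxy steps, so the failure surfaces only after the slow work; listing it first would fail fast. The `setup` task's header is above the hunk.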
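Review bot: Ansible takes the script's entire stdout (minus the trailing newline) as the vault password, and `pass show` prints the whole entry, so a `pass` entry that follows the tool's own convention of metadata lines under the password would make every encryption use a multi-line secret no other tool reproduces. Restrict the output to the first line and quote the binary: `set -o pipefail` followed by `"${PASSWORD_STORE_BIN}" show "${ANSIBLE_PASS_PATH}" | head -n 1`. Without `pipefail` a failing `pass show` (missing entry, locked key) would exit 0 with empty output, and Ansible may then carry on with an empty password rather than stopping.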
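Review bot: `|| true` on the `encrypt` command makes a failed encryption invisible: if `ansible-vault encrypt` fails on a file (wrong password source, locked GPG key, permission error) the plaintext `vault.yml` stays on disk and the task still reports success, which is the one outcome this tooling exists to prevent. The suffix is presumably there to tolerate files that are already encrypted (which `ansible-vault encrypt` rejects with a non-zero exit); test for the `$ANSIBLE_VAULT` header explicitly instead so every other failure propagates, and mirror the check (inverted) in `decrypt`. Separately, the `decrypt` task's `desc` is a copy of `encrypt`'s ("encrypt all vault.yml files using;") and both read as unfinished sentences — `desc: decrypt every vault.yml under the tree (needs the pass entry created by vault:init)` would do. The `replace "\n" " "` on `{{.ITEM}}` is a no-op, since `for: { var: … }` already splits the variable on whitespace (and would therefore break on a path containing spaces).
```yaml
  encrypt:
    desc: encrypt every vault.yml under the tree (needs the pass entry created by vault:init)
    # … unchanged: vars / VAULT_FILES …
    cmds:
      - for: { var: VAULT_FILES }
        cmd: |
          if head -n 1 '{{.ITEM}}' | grep -q '^\$ANSIBLE_VAULT;'; then
            echo 'already encrypted, skipping: {{.ITEM}}'
          else
            {{.PYTHON_WRAPPER}} ansible-vault encrypt '{{.ITEM}}'
          fi
  # … unchanged: decrypt (same shape, skip when the header is absent), vault:init …
```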
From: NaeiKinDus Date: Tue, 4 Mar 2025 00:00:00 +0000 Subject: [PATCH 06/10] fix(common): yq installation uses proper binary name --- .../nullified/infrastructure/roles/common/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml b/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml index 145abf5..860ac45 100644 --- a/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml +++ b/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml @@ -116,7 +116,7 @@ asset_type: release creates: /usr/local/bin/yq cmds: - - install --group=root --mode=755 --owner=root {asset_dirname}/{asset_filename} /usr/local/bin + - install --group=root --mode=755 --owner=root {asset_dirname}/{asset_filename} /usr/local/bin/yq - name: '[apt] install custom packages' become: true From 7342cf1c50d7bf5f7bae76d971226f6ec382b531 Mon Sep 17 00:00:00 2001 From: NaeiKinDus Date: Tue, 4 Mar 2025 00:00:00 +0000 Subject: [PATCH 07/10] fix(tooling): corrected custom collections path in Taskfile --- Taskfile.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Taskfile.yml b/Taskfile.yml index 1bdbf44..d6eaf95 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -14,7 +14,7 @@ env: vars: PYTHON_WRAPPER: '{{.ROOT_DIR}}/scripts/python_wrapper.sh' MOLECULE_DIR: '{{.ROOT_DIR}}/collections/ansible_collections/nullified/infrastructure/extensions' - COLLECTIONS_DIR: '{{.ROOT_DIR}}/collections/ansible_collections' + COLLECTIONS_DIR: '{{.ROOT_DIR}}/ansible_collections' ANSIBLE_PASS_PATH: ansible/vault-id ANSIBLE_PASS_LENGTH: 50 From 75f18e2ac7c9b9afa554896844d3b97ab1a9addd Mon Sep 17 00:00:00 2001 
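Review bot: Nothing in the hunk verifies what is being installed: a downloaded release asset is written root-owned with mode 755 into `/usr/local/bin` with no checksum or signature check visible, and the module and its other parameters sit above the hunk. If that module supports a checksum option (yq releases publish a `checksums` file next to the binaries), pin the expected hash there; otherwise add a verification step to `cmds` before the `install`, e.g. `- echo '<sha256>  {asset_dirname}/{asset_filename}' | sha256sum -c -`. The corrected target also likely fixes idempotence — unless the asset is already named `yq`, the old command dropped it into `/usr/local/bin` under its release name, so `creates: /usr/local/bin/yq` never matched and the download reran on every play. A comment naming the pinned yq version next to `creates` would help too, since `creates` alone means an outdated binary is never refreshed.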
From: NaeiKinDus Date: Fri, 7 Mar 2025 00:00:00 +0000 Subject: [PATCH 08/10] fix(tooling): added missing steps to virtd reset task --- Taskfile.yml | 5 +++-- scripts/reset_virtd.sh | 12 ++++++++++++ 2 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 scripts/reset_virtd.sh diff --git a/Taskfile.yml b/Taskfile.yml index d6eaf95..5be858a 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -70,12 +70,13 @@ tasks: vars: VIRSH_CONNECT: '{{.VIRSH_CONNECT | default "qemu:///system"}}' cmds: - - ./scripts/purge_virsh.sh + - ./scripts/reset_virtd.sh - task: 'molecule' vars: CLI_ARGS: 'destroy' - sudo systemctl restart nftables.service - - sudo systemctl restart libvirtd.service + - sudo systemctl restart libvirtd.service # reset libvirtd related nft rules + - sudo systemctl restart docker.service # reset docker related nft rules ansible:new:role:*: desc: create a new role for the specified collection diff --git a/scripts/reset_virtd.sh b/scripts/reset_virtd.sh new file mode 100644 index 0000000..f547e26 --- /dev/null +++ b/scripts/reset_virtd.sh @@ -0,0 +1,12 @@ +#!/usr/bin/env bash +VIRSH_CONNECT="${VIRSH_CONNECT:=qemu:///system}" +VIRSH_VOL_POOL="${VIRSH_VOL_POOL:=default}" + +for domain in $(virsh -c "${VIRSH_CONNECT}" list --name --all); do + virsh -c "${VIRSH_CONNECT}" destroy "${domain}" || true + virsh -c "${VIRSH_CONNECT}" undefine "${domain}" || true +done + +for volume in $(virsh -c "${VIRSH_CONNECT}" vol-list --pool "${VIRSH_VOL_POOL}" | tail -n +3 | sed -E 's/^\s*([^\s]+)\s+.*$/\1/'); do + virsh -c "${VIRSH_CONNECT}" vol-delete --pool "${VIRSH_VOL_POOL}" "${volume}" || true +done From b70a8301bbfa395d7507e21c452dd73dd2d28f4a Mon Sep 17 00:00:00 2001 From: NaeiKinDus Date: Fri, 7 Mar 2025 00:00:00 +0000 Subject: [PATCH 09/10] fix(tooling): corrected path in molecule task --- Taskfile.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Taskfile.yml b/Taskfile.yml index 5be858a..f66f6b7 100644 --- a/Taskfile.yml +++ b/Taskfile.yml 
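Review bot: `VIRSH_CONNECT` is declared under the task's `vars:`, but `scripts/reset_virtd.sh` reads it from the environment (`${VIRSH_CONNECT:=qemu:///system}`); Task exports `env:` to commands, not `vars:`, so the script always uses its own default and an override of `VIRSH_CONNECT` on this task never reaches it. Pass it explicitly, `- VIRSH_CONNECT='{{.VIRSH_CONNECT}}' ./scripts/reset_virtd.sh`, or move the value into a task-level `env:`. Note also that the script is added with mode 100644 (see the file header in this patch), so invoking it as `./scripts/reset_virtd.sh` fails with permission denied; either commit it with the exec bit, as `pass_get_vault_id.sh` was, or call it as `bash ./scripts/reset_virtd.sh`. The task's name and `desc` are above the hunk.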
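Review bot: The script destroys and undefines every domain and deletes every volume in the pool on the connection, and the default connection is `qemu:///system`, so a developer with other libvirt guests on the workstation loses them the first time the reset task runs; there is no name filter and no confirmation. If molecule's instances follow a recognisable naming scheme (not visible here), filter on it, e.g. `virsh -c "${VIRSH_CONNECT}" list --name --all | grep -E "${VIRSH_DOMAIN_FILTER:-^molecule-}"`, and apply the same filter to the volume list; otherwise at least print the targets and require an explicit `--yes`. `undefine` without `--nvram` fails for UEFI guests (depends on how molecule defines them), in which case `|| true` hides the failure and the domain survives. The `sed` pattern `[^\s]+` is also suspect: inside a POSIX bracket expression a backslash is literal, so on GNU sed this likely excludes the letter `s` rather than whitespace and a volume name containing an `s` would not be captured — `awk 'NR > 2 { print $1 }'` states the "first column after the two header lines" intent directly.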
@@ -13,7 +13,7 @@ env: vars: PYTHON_WRAPPER: '{{.ROOT_DIR}}/scripts/python_wrapper.sh' - MOLECULE_DIR: '{{.ROOT_DIR}}/collections/ansible_collections/nullified/infrastructure/extensions' + MOLECULE_DIR: '{{.ROOT_DIR}}/ansible_collections/nullified/infrastructure/extensions' COLLECTIONS_DIR: '{{.ROOT_DIR}}/ansible_collections' ANSIBLE_PASS_PATH: ansible/vault-id ANSIBLE_PASS_LENGTH: 50 From d0e4450645df97a411642fe253256d7bcb92334f Mon Sep 17 00:00:00 2001 From: NaeiKinDus Date: Fri, 7 Mar 2025 00:00:00 +0000 Subject: [PATCH 10/10] fix(tooling): fixed path to pass shellscript wrapper when running molecule commands --- Taskfile.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Taskfile.yml b/Taskfile.yml index f66f6b7..1a5f982 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -9,7 +9,7 @@ includes: env: DOCKER_REPOSITORY: pouncetech/molecule - ANSIBLE_VAULT_PASSWORD_FILE: ./scripts/pass_get_vault_id.sh + ANSIBLE_VAULT_PASSWORD_FILE: '{{.ROOT_DIR}}/scripts/pass_get_vault_id.sh' vars: PYTHON_WRAPPER: '{{.ROOT_DIR}}/scripts/python_wrapper.sh'
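Review bot: The password file now resolves from `ROOT_DIR`, which is right, but nothing records that Ansible only executes `ANSIBLE_VAULT_PASSWORD_FILE` when the file is executable — a non-executable file at that path is read verbatim as the vault password, so losing the exec bit (an archive export, a checkout on a filesystem without mode bits) would encrypt new files with the script's source text as the key while decryption of existing ones fails with an unhelpful wrong-password error. A comment on the line makes that explicit: `# executable (mode 755): ansible runs it and uses its stdout as the vault password; a non-executable file would be read as the literal password`. This is a global `env:` entry, so every task command, not only the molecule ones, inherits it.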