diff --git a/Taskfile.yml b/Taskfile.yml
index 2905361..1a5f982 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -3,14 +3,20 @@ version: '3'
includes:
setup: ./tasks/setup_{{OS}}.yml
test: ./tasks/tests.yml
+ utils:
+ taskfile: ./tasks/utils.yml
+ flatten: true
env:
DOCKER_REPOSITORY: pouncetech/molecule
+ ANSIBLE_VAULT_PASSWORD_FILE: '{{.ROOT_DIR}}/scripts/pass_get_vault_id.sh'
vars:
PYTHON_WRAPPER: '{{.ROOT_DIR}}/scripts/python_wrapper.sh'
- MOLECULE_DIR: '{{.ROOT_DIR}}/collections/ansible_collections/nullified/infrastructure/extensions'
- COLLECTIONS_DIR: '{{.ROOT_DIR}}/collections/ansible_collections'
+ MOLECULE_DIR: '{{.ROOT_DIR}}/ansible_collections/nullified/infrastructure/extensions'
+ COLLECTIONS_DIR: '{{.ROOT_DIR}}/ansible_collections'
+ ANSIBLE_PASS_PATH: ansible/vault-id
+ ANSIBLE_PASS_LENGTH: 50
tasks:
setup:
@@ -20,6 +26,7 @@ tasks:
- task: 'setup:venv'
- task: 'setup:ansible'
- task: 'setup:galaxy'
+ - task: 'vault:init'
docker:build:
desc: build docker images locally.
@@ -33,6 +40,7 @@ tasks:
DOCKERFILE: '{{.ITEM}}'
DOCKER_CONTEXT: images
IMAGE_TAG: '{{.ITEM | splitList "/" | last | replace "Dockerfile-" ""}}'
+
docker:build:image:
internal: true
sources:
@@ -42,13 +50,6 @@ tasks:
status:
- docker image ls --format '{{"{{"}} .Tag {{"}}"}}' | grep -E '^{{.IMAGE_TAG}}$'
- docker:push:
- desc: push locally built images
- cmds:
- - 'echo docker push $DOCKER_REPOSITORY:$IMAGE_TAG'
- env:
- IMAGE_TAG:
-
nosey:
desc: start noseyparker to ensure no secrets or passwords are committed
cmds:
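Review bot: `ANSIBLE_PASS_PATH` is declared under `vars:`, but the script it is meant to parametrise, `scripts/pass_get_vault_id.sh`, reads `ANSIBLE_PASS_PATH` from the process environment, and as far as I can tell Taskfile `vars` are template values that are not exported to child processes. Today both sides happen to default to `ansible/vault-id`, so `ansible-vault` and `vault:init` agree only by coincidence; anyone overriding the var will have `vault:init` generate the secret under one pass path while the password script keeps reading another. Add the entry under `env:` next to `ANSIBLE_VAULT_PASSWORD_FILE` as well (`ANSIBLE_PASS_PATH: ansible/vault-id`), or have the script receive it explicitly, so a single value reaches both the templates and the script. The `vault:init` task that consumes the var lives in tasks/utils.yml, outside this hunk.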
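Review bot: `vault:init` is now part of `setup`, but `pass generate` only works once a password store has been initialised with a GPG key (`pass init <gpg-id>`), and nothing in the setup chain visible in this diff does that (tasks/setup_linux.yml only installs the `pass` package). On a fresh workstation the new step will therefore abort `setup` after the venv, ansible and galaxy steps have already run, with a pass error rather than an actionable message. Add a precondition that names the missing prerequisite, e.g. `preconditions: - sh: test -f "${PASSWORD_STORE_DIR:-$HOME/.password-store}/.gpg-id"` with a `msg` telling the user to run `pass init`, or document the manual step in the task `desc`. The `vault:init` definition itself is in tasks/utils.yml, outside this hunk.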
@@ -69,12 +70,13 @@ tasks:
vars:
VIRSH_CONNECT: '{{.VIRSH_CONNECT | default "qemu:///system"}}'
cmds:
- - ./scripts/purge_virsh.sh
+ - ./scripts/reset_virtd.sh
- task: 'molecule'
vars:
CLI_ARGS: 'destroy'
- sudo systemctl restart nftables.service
- - sudo systemctl restart libvirtd.service
+ - sudo systemctl restart libvirtd.service # reset libvirtd related nft rules
+ - sudo systemctl restart docker.service # reset docker related nft rules
ansible:new:role:*:
desc: create a new role for the specified collection
diff --git a/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml b/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml
index 145abf5..860ac45 100644
--- a/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml
+++ b/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml
@@ -116,7 +116,7 @@ asset_type: release
creates: /usr/local/bin/yq
cmds:
- - install --group=root --mode=755 --owner=root {asset_dirname}/{asset_filename} /usr/local/bin
+ - install --group=root --mode=755 --owner=root {asset_dirname}/{asset_filename} /usr/local/bin/yq
- name: '[apt] install custom packages'
become: true
diff --git a/ansible_collections/nullified/infrastructure/roles/k3s/templates/nftables.d/k3s_servers.nft.j2 b/ansible_collections/nullified/infrastructure/roles/k3s/templates/nftables.d/k3s_servers.nft.j2
index cf04da6..cfd6f2f 100644
--- a/ansible_collections/nullified/infrastructure/roles/k3s/templates/nftables.d/k3s_servers.nft.j2
+++ b/ansible_collections/nullified/infrastructure/roles/k3s/templates/nftables.d/k3s_servers.nft.j2
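Review bot: `./scripts/reset_virtd.sh` is executed directly here, but the same commit adds that file with `new file mode 100644` (compare `100755` for scripts/pass_get_vault_id.sh), so on a fresh checkout this command fails with a permission-denied error before the molecule destroy and the service restarts run. Either commit the script with the executable bit set or invoke it as `bash ./scripts/reset_virtd.sh`. The script also destroys and undefines every domain on the connection and deletes every volume in the pool, which is a much wider blast radius than the old `purge_virsh.sh` name suggests, so the task `desc` (outside this hunk) should state that plainly; with `VIRSH_CONNECT` defaulting to `qemu:///system` that is every VM on the host.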
@@ -3,7 +3,7 @@ table inet filter {
chain input {
# operators access
{%+ if k3s_nft_operators4 %}ip saddr { {{ k3s_nft_operators4 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%}
- {%+ if k3s_nft_operators6 %}ip saddr { {{ k3s_nft_operators6 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%}
+ {%+ if k3s_nft_operators6 %}ip6 saddr { {{ k3s_nft_operators6 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%}
# required only for HA with embedded etcd
{%+ if k3s_nft_servers4 %}ip saddr { {{ k3s_nft_servers4 | join(',') }} } tcp dport { 2379, 2380 } accept{%- endif +%}
diff --git a/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml b/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml
index 6830f3b..0f29306 100644
--- a/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml
+++ b/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml
@@ -166,6 +166,7 @@ loop:
- { src: "../templates/.config/terminator", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" }
- { src: "../templates/.config/vlc", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" }
+ - { src: "../templates/.config/picom.conf", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config"}
- name: '[authenticator] find if binary is already installed'
ansible.builtin.file:
diff --git a/ansible_collections/nullified/infrastructure/roles/workstation/templates/.config/picom.conf b/ansible_collections/nullified/infrastructure/roles/workstation/templates/.config/picom.conf
new file mode 100644
index 0000000..f961da9
--- /dev/null
+++ b/ansible_collections/nullified/infrastructure/roles/workstation/templates/.config/picom.conf
@@ -0,0 +1 @@
+backend = "glx"
diff --git a/inventory/host_vars/unobtainium/vars.yml b/inventory/host_vars/unobtainium/vars.yml
index fd18b30..13bd87c 100644
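Review bot: The defect this line fixes, an IPv6 address set behind `ip saddr` in an `inet` table, is something nft rejects when loading the file, and nothing in this role visibly checks the rendered output before it lands in nftables.d, so the operator allow-rule could stay broken until nftables.service next reloads. The task that renders this template is outside the hunk, but it should validate the result, e.g. `validate: 'nft -c -f %s'` (or a syntax-only check if this fragment relies on the base chain being defined in another file), so a bad operator list fails the play rather than the firewall. Note also that the etcd rule below this change exists only for `k3s_nft_servers4`; if servers ever peer over IPv6 a matching `ip6 saddr` line for ports 2379/2380 is still missing.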
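Review bot: The added `picom.conf` entry drops the space before the closing brace (`.config"}`) that the two sibling entries keep (`.config" }`); keep the flow mapping formatted like its neighbours so the list stays uniform and future diffs stay one-line. Suggested line: `- { src: "../templates/.config/picom.conf", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" }`. The `loop:` this entry belongs to starts before the hunk, so the task name and module are not visible here.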
--- a/inventory/host_vars/unobtainium/vars.yml
+++ b/inventory/host_vars/unobtainium/vars.yml
@@ -15,6 +15,8 @@ common_install_fonts: true
security_sysctl_configuration:
'fs.inotify.max_user_watches': 1048576
'vm.swappiness': 1
+ 'vm.max_map_count': 524288
+ 'vm.min_free_kbytes': 1048576
workstation_setup_xorg_enabled: true
# security role
security_firewall_filter_policy_output: accept
diff --git a/scripts/pass_get_vault_id.sh b/scripts/pass_get_vault_id.sh
new file mode 100755
index 0000000..e8205dc
--- /dev/null
+++ b/scripts/pass_get_vault_id.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+PASSWORD_STORE_BIN=${PASSWORD_STORE_BIN:-"pass"}
+ANSIBLE_PASS_PATH=${ANSIBLE_PASS_PATH:-"ansible/vault-id"}
+
+$PASSWORD_STORE_BIN show "${ANSIBLE_PASS_PATH}"
diff --git a/scripts/reset_virtd.sh b/scripts/reset_virtd.sh
new file mode 100644
index 0000000..f547e26
--- /dev/null
+++ b/scripts/reset_virtd.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+VIRSH_CONNECT="${VIRSH_CONNECT:=qemu:///system}"
+VIRSH_VOL_POOL="${VIRSH_VOL_POOL:=default}"
+
+for domain in $(virsh -c "${VIRSH_CONNECT}" list --name --all); do
+ virsh -c "${VIRSH_CONNECT}" destroy "${domain}" || true
+ virsh -c "${VIRSH_CONNECT}" undefine "${domain}" || true
+done
+
+for volume in $(virsh -c "${VIRSH_CONNECT}" vol-list --pool "${VIRSH_VOL_POOL}" | tail -n +3 | sed -E 's/^\s*([^\s]+)\s+.*$/\1/'); do
+ virsh -c "${VIRSH_CONNECT}" vol-delete --pool "${VIRSH_VOL_POOL}" "${volume}" || true
+done
diff --git a/tasks/setup_linux.yml b/tasks/setup_linux.yml
index fedf2fb..1962986 100644
--- a/tasks/setup_linux.yml
+++ b/tasks/setup_linux.yml
@@ -11,6 +11,7 @@ tasks:
build-essential \
coreutils \
curl \
+ pass \
libcurl4-openssl-dev \
libtool \
python3-virtualenv \
diff --git a/tasks/utils.yml b/tasks/utils.yml
new file mode 100644
index 0000000..62e59d4
--- /dev/null
+++ b/tasks/utils.yml
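Review bot: `vm.min_free_kbytes` is set to 1048576 (1 GiB) with nothing recording why; the kernel keeps that much memory permanently unavailable to userspace, and the kernel's own sysctl documentation warns that setting it too high can push the host into OOM, so the motivation and the host's RAM size belong next to the value. Suggested inline comments, with the placeholders filled in from whatever workload drove the change (it is not visible in the diff): `'vm.max_map_count': 524288  # raised for <workload>` and `'vm.min_free_kbytes': 1048576  # 1 GiB reserve; host has <N> GiB RAM`. Since this is a host_vars file the reason is per-host and will otherwise be lost the next time someone tunes the box.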
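Review bot: `pass show` prints the whole entry, and as far as I recall Ansible's script-based vault secret uses the script's entire stdout (minus the trailing newline) as the password, so the moment this entry gains a second line (pass's usual place for a URL or username) every vault operation fails with a wrong password and no obvious cause. Emit only the first line and make a failing `pass` (locked GPG agent, missing entry) still exit non-zero rather than hand Ansible an empty string: `set -o pipefail` near the top and `$PASSWORD_STORE_BIN show "${ANSIBLE_PASS_PATH}" | head -n 1` as the last line. The unquoted `$PASSWORD_STORE_BIN` looks deliberate (it allows a multi-word wrapper command); a one-line comment saying so, `# intentionally unquoted so a wrapper such as "flatpak run ..." works`, will keep the next linter pass from "fixing" it.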
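Review bot: The volume-name extraction relies on `[^\s]` inside a bracket expression, which in POSIX/GNU ERE means "not a backslash and not the letter s", not "non-whitespace"; any volume whose name contains an `s` makes the regex fail, sed then echoes the whole `name  path` line, and the unquoted `$(...)` word-splits it into two `vol-delete` calls that only succeed because virsh also accepts a path. Replace `tail -n +3 | sed -E 's/^\s*([^\s]+)\s+.*$/\1/'` with `awk 'NR > 2 && NF { print $1 }'`, which takes the first column without the escape ambiguity and also skips the trailing blank line virsh prints. Separately, the script destroys every domain on `VIRSH_CONNECT` and deletes every volume in `VIRSH_VOL_POOL` with no confirmation and no name filter, defaulting to the system connection; a header comment stating that, and ideally a molecule-specific name prefix or dedicated pool, would keep an accidental `task molecule:reset` from wiping unrelated VMs.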
@@ -0,0 +1,27 @@
+version: '3'
+
+tasks:
+ encrypt:
+ desc: encrypt all vault.yml files using; requires creating a vault-id file in your home
+ vars:
+ VAULT_FILES:
+ sh: find . -type f -name vault.yml -and -not -path "./.venv/*"
+ cmds:
+ - for: { var: VAULT_FILES }
+ cmd: '{{.PYTHON_WRAPPER}} ansible-vault encrypt {{.ITEM | replace "\n" " " }} || true'
+
+ decrypt:
+ desc: encrypt all vault.yml files using; requires creating a vault-id file in your home
+ vars:
+ VAULT_FILES:
+ sh: find . -type f -name vault.yml -and -not -path "./.venv/*"
+ cmds:
+ - for: { var: VAULT_FILES }
+ cmd: '{{.PYTHON_WRAPPER}} ansible-vault decrypt {{.ITEM | replace "\n" " " }} || true'
+
+ vault:init:
+ desc: Create a vault id file in your home directory for encrypting/decrypting vault files
+ cmds:
+ - 'pass generate {{.ANSIBLE_PASS_PATH}} {{.ANSIBLE_PASS_LENGTH}} > /dev/null'
+ status:
+ - 'pass show {{.ANSIBLE_PASS_PATH}} &> /dev/null '
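Review bot: Both `encrypt` and `decrypt` end in `|| true`, so a vault.yml that fails to re-encrypt (missing pass entry, locked GPG agent) is silently left in cleartext in the working tree, and the only thing standing between that and a commit is the separate noseyparker task. The `|| true` is presumably there so already-encrypted files do not make `ansible-vault encrypt` fail; select the right files instead and let real errors surface, e.g. for encrypt `sh: find . -type f -name vault.yml -not -path "./.venv/*" -exec grep -L '^\$ANSIBLE_VAULT;' {} +` (and `grep -l` for decrypt) with the `cmd` reduced to `'{{.PYTHON_WRAPPER}} ansible-vault encrypt {{.ITEM | replace "\n" " " }}'`. The `desc` strings are also copy-pasted and wrong: `decrypt` still says "encrypt all vault.yml files using;" (truncated mid-sentence), and `vault:init` claims to create "a vault id file in your home directory" while the command creates a `pass` entry; suggested texts are `desc: decrypt all vault.yml files in place using the vault-id stored in pass` and `desc: generate the ansible vault-id secret in pass at {{.ANSIBLE_PASS_PATH}} (requires an initialised password store)`.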