fix(tooling): fixed path to pass shellscript wrapper when running molecule commands

Taskfile.yml

@@ -3,14 +3,20 @@ version: '3'
 includes:
   setup: ./tasks/setup_{{OS}}.yml
   test: ./tasks/tests.yml
+  utils:
+    taskfile: ./tasks/utils.yml
+    flatten: true
 
 env:
   DOCKER_REPOSITORY: pouncetech/molecule
+  ANSIBLE_VAULT_PASSWORD_FILE: '{{.ROOT_DIR}}/scripts/pass_get_vault_id.sh'
 
 vars:
   PYTHON_WRAPPER: '{{.ROOT_DIR}}/scripts/python_wrapper.sh'
-  MOLECULE_DIR: '{{.ROOT_DIR}}/collections/ansible_collections/nullified/infrastructure/extensions'
+  MOLECULE_DIR: '{{.ROOT_DIR}}/ansible_collections/nullified/infrastructure/extensions'
-  COLLECTIONS_DIR: '{{.ROOT_DIR}}/collections/ansible_collections'
+  COLLECTIONS_DIR: '{{.ROOT_DIR}}/ansible_collections'
+  ANSIBLE_PASS_PATH: ansible/vault-id
+  ANSIBLE_PASS_LENGTH: 50
 
 tasks:
   setup:
@@ -20,6 +26,7 @@ tasks:
       - task: 'setup:venv'
       - task: 'setup:ansible'
       - task: 'setup:galaxy'
+      - task: 'vault:init'
 
   docker:build:
     desc: build docker images locally.
@@ -33,6 +40,7 @@ tasks:
           DOCKERFILE: '{{.ITEM}}'
           DOCKER_CONTEXT: images
           IMAGE_TAG: '{{.ITEM | splitList "/" | last | replace "Dockerfile-" ""}}'
+
   docker:build:image:
     internal: true
     sources:
@@ -42,13 +50,6 @@ tasks:
     status:
       - docker image ls --format '{{"{{"}} .Tag {{"}}"}}' | grep -E '^{{.IMAGE_TAG}}$'
 
-  docker:push:
-    desc: push locally built images
-    cmds:
-      - 'echo docker push $DOCKER_REPOSITORY:$IMAGE_TAG'
-    env:
-      IMAGE_TAG:
-
   nosey:
     desc: start noseyparker to ensure no secrets or passwords are committed
     cmds:
@@ -69,12 +70,13 @@ tasks:
     vars:
       VIRSH_CONNECT: '{{.VIRSH_CONNECT | default "qemu:///system"}}'
     cmds:
-      - ./scripts/purge_virsh.sh
+      - ./scripts/reset_virtd.sh
       - task: 'molecule'
         vars:
           CLI_ARGS: 'destroy'
       - sudo systemctl restart nftables.service
-      - sudo systemctl restart libvirtd.service
+      - sudo systemctl restart libvirtd.service # reset libvirtd related nft rules
+      - sudo systemctl restart docker.service # reset docker related nft rules
 
   ansible:new:role:*:
     desc: create a new role for the specified collection

ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml

@@ -116,7 +116,7 @@
         asset_type: release
         creates: /usr/local/bin/yq
         cmds:
-          - install --group=root --mode=755 --owner=root {asset_dirname}/{asset_filename} /usr/local/bin
+          - install --group=root --mode=755 --owner=root {asset_dirname}/{asset_filename} /usr/local/bin/yq
 
 - name: '[apt] install custom packages'
   become: true

ansible_collections/nullified/infrastructure/roles/k3s/templates/nftables.d/k3s_servers.nft.j2

@@ -3,7 +3,7 @@ table inet filter {
     chain input {
         # operators access
         {%+ if k3s_nft_operators4 %}ip saddr { {{ k3s_nft_operators4 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%}
-        {%+ if k3s_nft_operators6 %}ip saddr { {{ k3s_nft_operators6 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%}
+        {%+ if k3s_nft_operators6 %}ip6 saddr { {{ k3s_nft_operators6 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%}
 
         # required only for HA with embedded etcd
         {%+ if k3s_nft_servers4 %}ip saddr { {{ k3s_nft_servers4 | join(',') }} } tcp dport { 2379, 2380 } accept{%- endif +%}

ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml

@@ -166,6 +166,7 @@
   loop:
     - { src: "../templates/.config/terminator", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" }
     - { src: "../templates/.config/vlc", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" }
+    - { src: "../templates/.config/picom.conf", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config"}
 
 - name: '[authenticator] find if binary is already installed'
   ansible.builtin.file:

ansible_collections/nullified/infrastructure/roles/workstation/templates/.config/picom.conf

@@ -0,0 +1 @@
+backend = "glx"

inventory/host_vars/unobtainium/vars.yml

@@ -15,6 +15,8 @@ common_install_fonts: true
 security_sysctl_configuration:
   'fs.inotify.max_user_watches': 1048576
   'vm.swappiness': 1
+  'vm.max_map_count': 524288
+  'vm.min_free_kbytes': 1048576
 workstation_setup_xorg_enabled: true
 # security role
 security_firewall_filter_policy_output: accept

scripts/pass_get_vault_id.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+PASSWORD_STORE_BIN=${PASSWORD_STORE_BIN:-"pass"}
+ANSIBLE_PASS_PATH=${ANSIBLE_PASS_PATH:-"ansible/vault-id"}
+
+$PASSWORD_STORE_BIN show "${ANSIBLE_PASS_PATH}"

scripts/reset_virtd.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+VIRSH_CONNECT="${VIRSH_CONNECT:=qemu:///system}"
+VIRSH_VOL_POOL="${VIRSH_VOL_POOL:=default}"
+
+for domain in $(virsh -c "${VIRSH_CONNECT}" list --name --all); do
+  virsh -c "${VIRSH_CONNECT}" destroy "${domain}" || true
+  virsh -c "${VIRSH_CONNECT}" undefine "${domain}" || true
+done
+
+for volume in $(virsh -c "${VIRSH_CONNECT}" vol-list --pool "${VIRSH_VOL_POOL}" | tail -n +3 | sed -E 's/^\s*([^\s]+)\s+.*$/\1/'); do
+  virsh -c "${VIRSH_CONNECT}" vol-delete --pool "${VIRSH_VOL_POOL}" "${volume}" || true
+done

tasks/setup_linux.yml

@@ -11,6 +11,7 @@ tasks:
           build-essential \
           coreutils \
           curl \
+          pass \
           libcurl4-openssl-dev \
           libtool \
           python3-virtualenv \

tasks/utils.yml

@@ -0,0 +1,27 @@
+version: '3'
+
+tasks:
+  encrypt:
+    desc: encrypt all vault.yml files using; requires creating a vault-id file in your home
+    vars:
+      VAULT_FILES:
+        sh: find . -type f -name vault.yml -and -not -path "./.venv/*"
+    cmds:
+      - for: { var: VAULT_FILES }
+        cmd: '{{.PYTHON_WRAPPER}} ansible-vault encrypt {{.ITEM | replace "\n" " " }} || true'
+
+  decrypt:
+    desc: encrypt all vault.yml files using; requires creating a vault-id file in your home
+    vars:
+      VAULT_FILES:
+        sh: find . -type f -name vault.yml -and -not -path "./.venv/*"
+    cmds:
+      - for: { var: VAULT_FILES }
+        cmd: '{{.PYTHON_WRAPPER}} ansible-vault decrypt {{.ITEM | replace "\n" " " }} || true'
+
+  vault:init:
+    desc: Create a vault id file in your home directory for encrypting/decrypting vault files
+    cmds:
+      - 'pass generate {{.ANSIBLE_PASS_PATH}} {{.ANSIBLE_PASS_LENGTH}} > /dev/null'
+    status:
+      - 'pass show {{.ANSIBLE_PASS_PATH}} &> /dev/null '