diff --git a/Taskfile.yml b/Taskfile.yml
index 1a5f982..2905361 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -3,20 +3,14 @@ version: '3'
 includes:
 setup: ./tasks/setup_{{OS}}.yml
 test: ./tasks/tests.yml
- utils:
- taskfile: ./tasks/utils.yml
- flatten: true
 
 env:
 DOCKER_REPOSITORY: pouncetech/molecule
- ANSIBLE_VAULT_PASSWORD_FILE: '{{.ROOT_DIR}}/scripts/pass_get_vault_id.sh'
 
 vars:
 PYTHON_WRAPPER: '{{.ROOT_DIR}}/scripts/python_wrapper.sh'
- MOLECULE_DIR: '{{.ROOT_DIR}}/ansible_collections/nullified/infrastructure/extensions'
- COLLECTIONS_DIR: '{{.ROOT_DIR}}/ansible_collections'
- ANSIBLE_PASS_PATH: ansible/vault-id
- ANSIBLE_PASS_LENGTH: 50
+ MOLECULE_DIR: '{{.ROOT_DIR}}/collections/ansible_collections/nullified/infrastructure/extensions'
+ COLLECTIONS_DIR: '{{.ROOT_DIR}}/collections/ansible_collections'
 
 tasks:
 setup:
@@ -26,7 +20,6 @@ tasks:
 - task: 'setup:venv'
 - task: 'setup:ansible'
 - task: 'setup:galaxy'
- - task: 'vault:init'
 
 docker:build:
 desc: build docker images locally.
@@ -40,7 +33,6 @@ tasks:
 DOCKERFILE: '{{.ITEM}}'
 DOCKER_CONTEXT: images
 IMAGE_TAG: '{{.ITEM | splitList "/" | last | replace "Dockerfile-" ""}}'
-
 docker:build:image:
 internal: true
 sources:
@@ -50,6 +42,13 @@ tasks:
 status:
 - docker image ls --format '{{"{{"}} .Tag {{"}}"}}' | grep -E '^{{.IMAGE_TAG}}$'
 
+ docker:push:
+ desc: push locally built images
+ cmds:
+ - 'echo docker push $DOCKER_REPOSITORY:$IMAGE_TAG'
+ env:
+ IMAGE_TAG:
+
 nosey:
 desc: start noseyparker to ensure no secrets or passwords are committed
 cmds:
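Review bot: Removing `ANSIBLE_VAULT_PASSWORD_FILE` from the top-level `env` leaves `ansible-vault` with no password source wired in, and nothing on the new side of this hunk replaces it. If any `vault.yml` under the collections is still vault-encrypted, playbooks and the molecule task will stop at the first encrypted file; if those files were decrypted as part of this move, the secrets now sit in plaintext in the tree and should come from an environment variable or a secret-store-backed script instead (keep `ANSIBLE_VAULT_PASSWORD_FILE` pointing at such a script, or document the `--vault-id` invocation). I cannot see the vault files from this diff, so this is a check rather than a finding. A short comment above `env:` stating how vault material is supplied now, e.g. `# vault password: see docs/secrets.md (ANSIBLE_VAULT_PASSWORD_FILE is set per developer)`, would save the next reader from guessing, and the `nosey` task should be run before this lands.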
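Review bot: In the new `docker:push` task the bare `IMAGE_TAG:` under `env` parses as YAML null, so whenever the caller forgets to set it the command expands to `echo docker push pouncetech/molecule:` and the error surfaces only at the registry, if at all; the `echo` prefix also means the task never pushes as written, which reads like a leftover dry-run. Fail fast on a missing tag and let Task interpolate it so the value shows up in `--dry` output: replace the `env:` block with `requires:` / `  vars: [IMAGE_TAG]` and the command with `- 'docker push "$DOCKER_REPOSITORY:{{.IMAGE_TAG}}"'` (if the `echo` is deliberate, say so in `desc`). `requires` needs a reasonably recent Task release; the `for:` loops used elsewhere in this repo suggest one is already in use. Since the tag is mutable, consider having the task print the pushed digest (`docker image inspect --format '{{index .RepoDigests 0}}'`) so the molecule tests can pin an immutable reference.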
@@ -70,13 +69,12 @@ tasks:
 vars:
 VIRSH_CONNECT: '{{.VIRSH_CONNECT | default "qemu:///system"}}'
 cmds:
- - ./scripts/reset_virtd.sh
+ - ./scripts/purge_virsh.sh
 - task: 'molecule'
 vars:
 CLI_ARGS: 'destroy'
 - sudo systemctl restart nftables.service
- - sudo systemctl restart libvirtd.service # reset libvirtd related nft rules
- - sudo systemctl restart docker.service # reset docker related nft rules
+ - sudo systemctl restart libvirtd.service
 
 ansible:new:role:*:
 desc: create a new role for the specified collection
diff --git a/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml b/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml
index 860ac45..145abf5 100644
--- a/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml
+++ b/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml
@@ -116,7 +116,7 @@
 asset_type: release
 creates: /usr/local/bin/yq
 cmds:
- - install --group=root --mode=755 --owner=root {asset_dirname}/{asset_filename} /usr/local/bin/yq
+ - install --group=root --mode=755 --owner=root {asset_dirname}/{asset_filename} /usr/local/bin
 
 - name: '[apt] install custom packages'
 become: true
diff --git a/ansible_collections/nullified/infrastructure/roles/k3s/templates/nftables.d/k3s_servers.nft.j2 b/ansible_collections/nullified/infrastructure/roles/k3s/templates/nftables.d/k3s_servers.nft.j2
index cfd6f2f..cf04da6 100644
--- a/ansible_collections/nullified/infrastructure/roles/k3s/templates/nftables.d/k3s_servers.nft.j2
+++ b/ansible_collections/nullified/infrastructure/roles/k3s/templates/nftables.d/k3s_servers.nft.j2
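Review bot: The new command list restarts `nftables.service` and then only `libvirtd.service`, but the deleted lines carried the explanation that `docker.service` also had to be restarted to recreate Docker's nft rules after the ruleset reload. If that still holds (it depends on whether the host's nftables configuration flushes the ruleset on restart), molecule's Docker containers on this host run without Docker's NAT/forward chains until the daemon is restarted, and the why-comment that documented the ordering is gone with it. Either keep `- sudo systemctl restart docker.service  # recreate docker's nft chains after the ruleset reload` or add a comment stating why it is no longer needed. Separately, `./scripts/purge_virsh.sh` is referenced here but not added by this diff; confirm it exists and is executable, since the `reset_virtd.sh` it replaces was committed with mode 100644 yet invoked directly.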
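Review bot: The `install` destination is now the directory `/usr/local/bin`, so the binary lands as `/usr/local/bin/{asset_filename}`, while `creates: /usr/local/bin/yq` two lines above is unchanged. Unless the release asset is literally named `yq`, the `creates` guard never matches, the download and install re-run on every play, and nothing named `yq` ends up on `PATH`. Either keep the explicit target, `install --group=root --mode=755 --owner=root {asset_dirname}/{asset_filename} /usr/local/bin/yq`, or change `creates` to the new file name so the two agree. The enclosing task starts before this hunk, so I cannot see what `asset_filename` resolves to.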
@@ -3,7 +3,7 @@ table inet filter {
 chain input {
 # operators access
 {%+ if k3s_nft_operators4 %}ip saddr { {{ k3s_nft_operators4 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%}
- {%+ if k3s_nft_operators6 %}ip6 saddr { {{ k3s_nft_operators6 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%}
+ {%+ if k3s_nft_operators6 %}ip saddr { {{ k3s_nft_operators6 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%}
 
 # required only for HA with embedded etcd
 {%+ if k3s_nft_servers4 %}ip saddr { {{ k3s_nft_servers4 | join(',') }} } tcp dport { 2379, 2380 } accept{%- endif +%}
diff --git a/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml b/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml
index 0f29306..6830f3b 100644
--- a/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml
+++ b/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml
@@ -166,7 +166,6 @@
 loop:
 - { src: "../templates/.config/terminator", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" }
 - { src: "../templates/.config/vlc", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" }
- - { src: "../templates/.config/picom.conf", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config"}
 
 - name: '[authenticator] find if binary is already installed'
 ansible.builtin.file:
diff --git a/ansible_collections/nullified/infrastructure/roles/workstation/templates/.config/picom.conf b/ansible_collections/nullified/infrastructure/roles/workstation/templates/.config/picom.conf
deleted file mode 100644
index f961da9..0000000
--- a/ansible_collections/nullified/infrastructure/roles/workstation/templates/.config/picom.conf
+++ /dev/null
@@ -1 +0,0 @@
-backend = "glx"
diff --git a/inventory/host_vars/unobtainium/vars.yml b/inventory/host_vars/unobtainium/vars.yml
index 13bd87c..fd18b30 100644
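Review bot: The changed line now matches the IPv6 operator list with `ip saddr`, which selects the IPv4 header; with IPv6 literals in `k3s_nft_operators6` nft should reject the rule as an address-family mismatch, and depending on how the role loads the rendered file either the whole k3s ruleset fails to apply or the 6443 allowlist for IPv6 operators silently disappears. The `k3s_nft_servers4` rule below still pairs `ip saddr` with a v4 list, so this looks like an accidental edit rather than a deliberate selector change. Restore `ip6 saddr { {{ k3s_nft_operators6 | join(', ') }} }` on that line, or delete the line if IPv6 operator access is meant to go away, and add an `nft -c -f` check to the molecule verify step so a template that does not parse is caught before it reaches a server. The `chain input` body continues past the hunk.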
--- a/inventory/host_vars/unobtainium/vars.yml
+++ b/inventory/host_vars/unobtainium/vars.yml
@@ -15,8 +15,6 @@ common_install_fonts: true
 security_sysctl_configuration:
 'fs.inotify.max_user_watches': 1048576
 'vm.swappiness': 1
- 'vm.max_map_count': 524288
- 'vm.min_free_kbytes': 1048576
 workstation_setup_xorg_enabled: true
 # security role
 security_firewall_filter_policy_output: accept
diff --git a/scripts/pass_get_vault_id.sh b/scripts/pass_get_vault_id.sh
deleted file mode 100755
index e8205dc..0000000
--- a/scripts/pass_get_vault_id.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/usr/bin/env bash
-
-PASSWORD_STORE_BIN=${PASSWORD_STORE_BIN:-"pass"}
-ANSIBLE_PASS_PATH=${ANSIBLE_PASS_PATH:-"ansible/vault-id"}
-
-$PASSWORD_STORE_BIN show "${ANSIBLE_PASS_PATH}"
diff --git a/scripts/reset_virtd.sh b/scripts/reset_virtd.sh
deleted file mode 100644
index f547e26..0000000
--- a/scripts/reset_virtd.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/usr/bin/env bash
-VIRSH_CONNECT="${VIRSH_CONNECT:=qemu:///system}"
-VIRSH_VOL_POOL="${VIRSH_VOL_POOL:=default}"
-
-for domain in $(virsh -c "${VIRSH_CONNECT}" list --name --all); do
- virsh -c "${VIRSH_CONNECT}" destroy "${domain}" || true
- virsh -c "${VIRSH_CONNECT}" undefine "${domain}" || true
-done
-
-for volume in $(virsh -c "${VIRSH_CONNECT}" vol-list --pool "${VIRSH_VOL_POOL}" | tail -n +3 | sed -E 's/^\s*([^\s]+)\s+.*$/\1/'); do
- virsh -c "${VIRSH_CONNECT}" vol-delete --pool "${VIRSH_VOL_POOL}" "${volume}" || true
-done
diff --git a/tasks/setup_linux.yml b/tasks/setup_linux.yml
index 1962986..fedf2fb 100644
--- a/tasks/setup_linux.yml
+++ b/tasks/setup_linux.yml
@@ -11,7 +11,6 @@ tasks:
 build-essential \
 coreutils \
 curl \
- pass \
 libcurl4-openssl-dev \
 libtool \
 python3-virtualenv \
diff --git a/tasks/utils.yml b/tasks/utils.yml
deleted file mode 100644
index 62e59d4..0000000
--- a/tasks/utils.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-version: '3'
-
-tasks:
- encrypt:
- desc: encrypt all vault.yml files using; requires creating a vault-id file in your home
- vars:
- VAULT_FILES:
- sh: find . -type f -name vault.yml -and -not -path "./.venv/*"
- cmds:
- - for: { var: VAULT_FILES }
- cmd: '{{.PYTHON_WRAPPER}} ansible-vault encrypt {{.ITEM | replace "\n" " " }} || true'
-
- decrypt:
- desc: encrypt all vault.yml files using; requires creating a vault-id file in your home
- vars:
- VAULT_FILES:
- sh: find . -type f -name vault.yml -and -not -path "./.venv/*"
- cmds:
- - for: { var: VAULT_FILES }
- cmd: '{{.PYTHON_WRAPPER}} ansible-vault decrypt {{.ITEM | replace "\n" " " }} || true'
-
- vault:init:
- desc: Create a vault id file in your home directory for encrypting/decrypting vault files
- cmds:
- - 'pass generate {{.ANSIBLE_PASS_PATH}} {{.ANSIBLE_PASS_LENGTH}} > /dev/null'
- status:
- - 'pass show {{.ANSIBLE_PASS_PATH}} &> /dev/null '