Taskfile.yml

@@ -3,20 +3,14 @@ version: '3'
 includes:
   setup: ./tasks/setup_{{OS}}.yml
   test: ./tasks/tests.yml
-  utils:
-    taskfile: ./tasks/utils.yml
-    flatten: true
 
 env:
   DOCKER_REPOSITORY: pouncetech/molecule
-  ANSIBLE_VAULT_PASSWORD_FILE: '{{.ROOT_DIR}}/scripts/pass_get_vault_id.sh'
 
 vars:
   PYTHON_WRAPPER: '{{.ROOT_DIR}}/scripts/python_wrapper.sh'
-  MOLECULE_DIR: '{{.ROOT_DIR}}/ansible_collections/nullified/infrastructure/extensions'
-  COLLECTIONS_DIR: '{{.ROOT_DIR}}/ansible_collections'
-  ANSIBLE_PASS_PATH: ansible/vault-id
-  ANSIBLE_PASS_LENGTH: 50
+  MOLECULE_DIR: '{{.ROOT_DIR}}/collections/ansible_collections/nullified/infrastructure/extensions'
+  COLLECTIONS_DIR: '{{.ROOT_DIR}}/collections/ansible_collections'
 
 tasks:
   setup:
@@ -26,7 +20,6 @@ tasks:
       - task: 'setup:venv'
       - task: 'setup:ansible'
       - task: 'setup:galaxy'
-      - task: 'vault:init'
 
   docker:build:
     desc: build docker images locally.
@@ -40,7 +33,6 @@ tasks:
           DOCKERFILE: '{{.ITEM}}'
           DOCKER_CONTEXT: images
           IMAGE_TAG: '{{.ITEM | splitList "/" | last | replace "Dockerfile-" ""}}'
-
   docker:build:image:
     internal: true
     sources:
@@ -50,6 +42,13 @@ tasks:
     status:
       - docker image ls --format '{{"{{"}} .Tag {{"}}"}}' | grep -E '^{{.IMAGE_TAG}}$'
 
+  docker:push:
+    desc: push locally built images
+    cmds:
+      - 'echo docker push $DOCKER_REPOSITORY:$IMAGE_TAG'
+    env:
+      IMAGE_TAG:
+
   nosey:
     desc: start noseyparker to ensure no secrets or passwords are committed
     cmds:
@@ -70,13 +69,12 @@ tasks:
     vars:
       VIRSH_CONNECT: '{{.VIRSH_CONNECT | default "qemu:///system"}}'
     cmds:
-      - ./scripts/reset_virtd.sh
+      - ./scripts/purge_virsh.sh
       - task: 'molecule'
         vars:
           CLI_ARGS: 'destroy'
       - sudo systemctl restart nftables.service
-      - sudo systemctl restart libvirtd.service # reset libvirtd related nft rules
-      - sudo systemctl restart docker.service # reset docker related nft rules
+      - sudo systemctl restart libvirtd.service
 
   ansible:new:role:*:
     desc: create a new role for the specified collection

ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml

@@ -116,7 +116,7 @@
         asset_type: release
         creates: /usr/local/bin/yq
         cmds:
-          - install --group=root --mode=755 --owner=root {asset_dirname}/{asset_filename} /usr/local/bin/yq
+          - install --group=root --mode=755 --owner=root {asset_dirname}/{asset_filename} /usr/local/bin
 
 - name: '[apt] install custom packages'
   become: true

ansible_collections/nullified/infrastructure/roles/k3s/templates/nftables.d/k3s_servers.nft.j2

@@ -3,7 +3,7 @@ table inet filter {
     chain input {
         # operators access
         {%+ if k3s_nft_operators4 %}ip saddr { {{ k3s_nft_operators4 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%}
-        {%+ if k3s_nft_operators6 %}ip6 saddr { {{ k3s_nft_operators6 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%}
+        {%+ if k3s_nft_operators6 %}ip saddr { {{ k3s_nft_operators6 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%}
 
         # required only for HA with embedded etcd
         {%+ if k3s_nft_servers4 %}ip saddr { {{ k3s_nft_servers4 | join(',') }} } tcp dport { 2379, 2380 } accept{%- endif +%}

ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml

@@ -166,7 +166,6 @@
   loop:
     - { src: "../templates/.config/terminator", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" }
     - { src: "../templates/.config/vlc", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" }
-    - { src: "../templates/.config/picom.conf", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config"}
 
 - name: '[authenticator] find if binary is already installed'
   ansible.builtin.file:

ansible_collections/nullified/infrastructure/roles/workstation/templates/.config/picom.conf

@@ -1 +0,0 @@
-backend = "glx"

inventory/host_vars/unobtainium/vars.yml

@@ -15,8 +15,6 @@ common_install_fonts: true
 security_sysctl_configuration:
   'fs.inotify.max_user_watches': 1048576
   'vm.swappiness': 1
-  'vm.max_map_count': 524288
-  'vm.min_free_kbytes': 1048576
 workstation_setup_xorg_enabled: true
 # security role
 security_firewall_filter_policy_output: accept

scripts/pass_get_vault_id.sh

@@ -1,6 +0,0 @@
-#!/usr/bin/env bash
-
-PASSWORD_STORE_BIN=${PASSWORD_STORE_BIN:-"pass"}
-ANSIBLE_PASS_PATH=${ANSIBLE_PASS_PATH:-"ansible/vault-id"}
-
-$PASSWORD_STORE_BIN show "${ANSIBLE_PASS_PATH}"

scripts/reset_virtd.sh

@@ -1,12 +0,0 @@
-#!/usr/bin/env bash
-VIRSH_CONNECT="${VIRSH_CONNECT:=qemu:///system}"
-VIRSH_VOL_POOL="${VIRSH_VOL_POOL:=default}"
-
-for domain in $(virsh -c "${VIRSH_CONNECT}" list --name --all); do
-  virsh -c "${VIRSH_CONNECT}" destroy "${domain}" || true
-  virsh -c "${VIRSH_CONNECT}" undefine "${domain}" || true
-done
-
-for volume in $(virsh -c "${VIRSH_CONNECT}" vol-list --pool "${VIRSH_VOL_POOL}" | tail -n +3 | sed -E 's/^\s*([^\s]+)\s+.*$/\1/'); do
-  virsh -c "${VIRSH_CONNECT}" vol-delete --pool "${VIRSH_VOL_POOL}" "${volume}" || true
-done

tasks/setup_linux.yml

@@ -11,7 +11,6 @@ tasks:
           build-essential \
           coreutils \
           curl \
-          pass \
           libcurl4-openssl-dev \
           libtool \
           python3-virtualenv \

tasks/utils.yml

@@ -1,27 +0,0 @@
-version: '3'
-
-tasks:
-  encrypt:
-    desc: encrypt all vault.yml files using; requires creating a vault-id file in your home
-    vars:
-      VAULT_FILES:
-        sh: find . -type f -name vault.yml -and -not -path "./.venv/*"
-    cmds:
-      - for: { var: VAULT_FILES }
-        cmd: '{{.PYTHON_WRAPPER}} ansible-vault encrypt {{.ITEM | replace "\n" " " }} || true'
-
-  decrypt:
-    desc: encrypt all vault.yml files using; requires creating a vault-id file in your home
-    vars:
-      VAULT_FILES:
-        sh: find . -type f -name vault.yml -and -not -path "./.venv/*"
-    cmds:
-      - for: { var: VAULT_FILES }
-        cmd: '{{.PYTHON_WRAPPER}} ansible-vault decrypt {{.ITEM | replace "\n" " " }} || true'
-
-  vault:init:
-    desc: Create a vault id file in your home directory for encrypting/decrypting vault files
-    cmds:
-      - 'pass generate {{.ANSIBLE_PASS_PATH}} {{.ANSIBLE_PASS_LENGTH}} > /dev/null'
-    status:
-      - 'pass show {{.ANSIBLE_PASS_PATH}} &> /dev/null '