Compare commits

...

9 Commits

Author SHA1 Message Date
Dustin 2b12ce769c remote-blackbox: Scrape Invoice Ninja 2025-07-28 18:28:30 -05:00
Dustin 3270011fee r/vmhost: Work around libvirt SELinux policy bug
With the transition to modular _libvirt_ daemons, the SELinux policy is
a bit more granular.  Unfortunately, the new policy has a funny [bug]: it
assumes directories named `storage` under `/run/libvirt` must be for
_virtstoraged_ and labels them as such, which prevents _virtnetworkd_
from managing a virtual network named `storage`.

To work around this, we need to give `/run/libvirt/network` a special
label so that its children do not match the file transition pattern for
_virtstoraged_ and thus keep their `virtnetworkd_var_run_t` label.

[bug]: https://bugzilla.redhat.com/show_bug.cgi?id=2362040
2025-07-28 18:23:24 -05:00
Dustin 2ee86f6344 r/vmhost: Retry vm-autostart if libvirt is down
If the _libvirt_ daemon has not fully started by the time `vm-autostart`
runs, we want it to fail and try again shortly.  To allow this, we first
attempt to connect to the _libvirt_ socket, and if that fails, stop
immediately and try again in a second.  This way, the first few VMs
don't get skipped with the assumption that they're missing, just because
the daemon wasn't ready yet.
2025-07-28 18:20:50 -05:00
Dustin 4df047cf76 r/vmhost: Disable DynamicUsers for vm-autostart
_libvirt_ has gone full Polkit, which doesn't work with systemd dynamic
users.  So, we have to run `vm-autostart` as root (with no special
OS-level privileges) in order for Polkit to authorize the connection to
the daemon socket.
2025-07-28 18:18:35 -05:00
Dustin a63ee2bff5 newvm: Use fedora-rawhide OS variant
Apparently, it's not guaranteed that _libosinfo_ always supports even
the version of Fedora it's installed on: there's no _fedora42_ in
_libosinfo-1.12.0-2.fc42_ 🤦🏻‍♂️.

Fortunately, it makes almost no difference what OS variant is selected
at install time, and we probably want the latest features anyway.  Thus,
we can just use _fedora-rawhide_ instead of any particular version and
not worry about it.
2025-07-28 18:15:45 -05:00
Dustin 4804b1357b newvm: Adjust min memory for Fedora 41+
The Anaconda runtime is _way_ bigger in Fedora 41, presumably
because of the new web UI.  Even though we use text-only automated
installs, we still need enough space for the whole thing to fit in RAM.
2025-07-28 18:14:02 -05:00
Dustin 0ef65e4e5d vm-hosts: Update vm_autostart list
I never remember to update this list when I add/remove VMs.

* _bw0_ has been decommissioned; Vaultwarden now runs in Kubernetes
* _unifi3_ has been replaced by _unifi-nuptials_
* _logs-dusk_ runs Victoria Logs, which will eventually replace Loki
* _node-refrain_ has been replaced by _node-direction_
* _k8s-ctrl0_ has been replaced by _ctrl-crave_ and _ctrl-sycamore_
2025-07-28 18:12:09 -05:00
Dustin e6ac6ae202 hosts: Decommission k8s-ctrl0
Just a few days before its third birthday 🎂

There are now three Kubernetes control plane nodes:

* _ctrl-2ed8d3.k8s.pyrocufflink.black_ Raspberry Pi CM4
* _ctrl-crave.k8s.pyrocufflink.black_ (virtual machine)
* _ctrl-sycamore.k8s.pyrocufflink.black_ (virtual machine)
2025-07-28 17:52:11 -05:00
Dustin e1c157ce87 raspberry-pi: Add collectd sensors, thermal plugins
All the Raspberry Pi machines should have the _sensors_ and _thermal_
plugins enabled so we can monitor their CPU etc. temperatures.
2025-07-28 17:50:39 -05:00
9 changed files with 51 additions and 9 deletions

View File

@ -0,0 +1,2 @@
collectd_plugins:
thermal: true
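Review bot: commit e1c157ce87 says both the _sensors_ and _thermal_ collectd plugins should be enabled on the Raspberry Pi hosts, but this new file only sets `thermal: true`. If `sensors` is not switched on by a default elsewhere, add `sensors: true` next to it; if it is, a one-line comment pointing at where that default lives would save the next reader the search.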

View File

@ -42,6 +42,7 @@ vmagent_scrape_configs:
- https://tabitha.biz/
- https://dustinandtabitha.com/
- https://hatchlearningcenter.org/
- https://invoiceninja.pyrocufflink.net/
relabel_configs:
- source_labels: [__address__]
target_label: __param_target

View File

@ -246,26 +246,27 @@ vm_autostart:
- dc-headphone
- delay 30s
- loki1
- logs-dusk
- delay 10s
- db0
- k8s-ctrl0
- ctrl-crave
- ctrl-sycamore
- delay 10s
- stor-alfalfa
- stor-rentable
- node-abreast
- node-direction
- node-gleaming
- node-hatbox
- node-refrain
- delay 15s
- web0
- file0
- cloud0
- bw0
- delay 5s
- smtp1
- delay 10s
- pxe0
- unifi3
- unifi-nuptials
promtail_dac_read_search: true
promtail_scrape_configs:
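Review bot: this list is a hand-maintained second copy of the inventory, and the commit message admits it drifts (k8s-ctrl0 is removed from `hosts` in this same change set). Consider generating `/etc/vm-autostart` from the inventory groups, or at least have the autostart script report an entry that does not match a defined domain instead of silently skipping it, so a stale or misspelled name (`ctrl-crave`, `ctrl-sycamore`, `node-direction`, `unifi-nuptials` are all new here) is noticed at the next boot rather than the next outage.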

6
hosts
View File

@ -97,7 +97,6 @@ file0.pyrocufflink.blue
burp-server
[k8s-controller]
k8s-ctrl0.pyrocufflink.blue
ctrl-2ed8d3.k8s.pyrocufflink.black
[k8s-iot-net-ctrl]
@ -185,7 +184,6 @@ dc-headphone.pyrocufflink.blue
file0.pyrocufflink.blue
git0.pyrocufflink.blue
haproxy0.pyrocufflink.blue
k8s-ctrl0.pyrocufflink.blue
loki1.pyrocufflink.blue
nut1.pyrocufflink.blue
nvr2.pyrocufflink.blue
@ -199,9 +197,13 @@ web0.pyrocufflink.blue
samba-dc
[raspberry-pi]
ctrl-2ed8d3.k8s.pyrocufflink.black
node-474c83.k8s.pyrocufflink.black
nut1.pyrocufflink.blue
[raspberry-pi:children]
cm4-k8s-node
[remote-blackbox]
vps-04485add.vps.ovh.us
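Review bot: the new `[raspberry-pi]` group lists `ctrl-2ed8d3` and `node-474c83` directly and also pulls in `cm4-k8s-node` through `[raspberry-pi:children]`; if either host is a member of `cm4-k8s-node` it is now listed twice, which Ansible tolerates but which makes later cleanups error-prone, so pick one mechanism. Separately, after the `k8s-ctrl0` removal only `ctrl-2ed8d3` is visible under `[k8s-controller]` in this hunk; commit e6ac6ae202 says there are three control-plane nodes, so confirm `ctrl-crave` and `ctrl-sycamore` are in that group outside the shown context.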

View File

@ -138,6 +138,11 @@ if [ -z "${LIBVIRT_DEFAULT_URI}" ]; then
exit 1
fi
if [ ${fedora} -gt 40 ] && [ ${memory} -lt 4096 ]; then
printf 'WARNING Fedora 41+ requires at least 4 GB memory to install\n' >&2
memory=4096
fi
if ${default_groups}; then
groups_xml="<group name=\"chrony\"/>${groups_xml}"
groups_xml="<group name=\"collectd\"/>${groups_xml}"
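Review bot: `[ ${fedora} -gt 40 ] && [ ${memory} -lt 4096 ]` leaves both variables unquoted, so if either is empty the test degrades to `[ -gt 40 ]` and `test` aborts with a syntax error instead of a clear message. Quote them and give a default, e.g. `if [ "${fedora:-0}" -gt 40 ] && [ "${memory:-0}" -lt 4096 ]; then`, so the check fails closed into the 4 GB bump rather than failing the script.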
@ -177,7 +182,7 @@ set -- \
--extra-args "${extra_args}" \
--disk pool=default,size=${disk_size},cache=none \
--network ${network} \
--os-variant fedora$(rpm -E %fedora) \
--os-variant fedora-rawhide \
--console pty,target.type=serial,log.file=/var/log/libvirt/console/${name}.log \
--sound none \
--redirdev none \
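Review bot: hard-coding `--os-variant fedora-rawhide` also discards correct metadata on hosts whose libosinfo does know the release. Recent virt-install accepts `--osinfo detect=on,name=fedora-rawhide`, which uses the release detected from the install media and only falls back to rawhide when detection fails; that keeps the workaround for the missing `fedora42` entry without pinning every guest to rawhide defaults.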

View File

@ -0,0 +1,3 @@
[Service]
ExecStartPre=+/bin/mkdir -p %t/libvirt/network
ExecStartPre=+/bin/chcon -t virtnetworkd_var_run_t %t/libvirt/network
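Review bot: `chcon` sets the label only until the next relabel; because it runs in `ExecStartPre` the fix is reapplied at each start of virtnetworkd, but a `restorecon -R /run/libvirt` (for example from `fixfiles` or a policy-update relabel) while the daemon is running reverts `%t/libvirt/network` to the buggy transition result until the next restart. Adding a local file-context rule, `semanage fcontext -a -t virtnetworkd_var_run_t '/run/libvirt/network(/.*)?'`, makes restorecon agree with the workaround and can live in the same role. The `+` prefix is appropriate here since both commands need root and the main process is unaffected.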

View File

@ -4,6 +4,8 @@ After=libvirt.service
After=network-online.target
Wants=network-online.target
RequiresMountsFor=/var/lib/libvirt/images
StartLimitInterval=1s
StartLimitBurst=1
[Service]
Type=oneshot
@ -11,9 +13,8 @@ RemainAfterExit=yes
Environment=LIBVIRT_DEFAULT_URI=qemu:///system
ExecStart=/usr/local/libexec/vm-autostart.sh
Restart=on-failure
RestartSec=1
DynamicUser=yes
SupplementaryGroups=libvirt
CapabilityBoundingSet=
DeviceAllow=
DevicePolicy=closed
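Review bot: `StartLimitInterval=1s` with `StartLimitBurst=1` and `RestartSec=1` puts every restart exactly on the rate-limit boundary, so whether the retry is accepted or rejected with "start request repeated too quickly" depends on timer granularity; if the intent is to retry until libvirt is up, `StartLimitIntervalSec=0` disables the limiter unambiguously (and is the current spelling; `StartLimitInterval=` is the legacy name). Also note that `Restart=on-failure` on a `Type=oneshot` unit is only accepted by systemd versions that allow restart for oneshot services, so verify the unit loads on the target release. With `DynamicUser=yes` gone the script now runs as real root; the empty `CapabilityBoundingSet=` keeps that unprivileged as the commit message says, and adding `NoNewPrivileges=yes` and `ProtectSystem=strict` would cost nothing for a script that only talks to the libvirt socket.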

View File

@ -5,6 +5,8 @@ if [ ! -r /etc/vm-autostart ]; then
exit 0
fi
virsh connect || exit
while read name args; do
if [ "${name}" = delay ]; then
sleep ${args}
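Review bot: `virsh connect || exit` relies on a bare `exit` inheriting the non-zero status of the failed `virsh`, which is what `Restart=on-failure` keys on, but it reads like an unconditional exit; `|| exit 1` states the intent and survives someone inserting an echo before it. While in this loop, `while read name args` should be `while read -r name args` so a backslash in `/etc/vm-autostart` is not interpreted as an escape.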

View File

@ -40,6 +40,31 @@
tags:
- log-dir
- name: ensure virtnetworkd.service drop-in directory exists
file:
path: /etc/systemd/system/virtnetworkd.service.d
owner: root
group: root
mode: u=rwx,go=rx
state: directory
tags:
- systemd
- virtnetworkd-selinux-bug
- 'rhbz#2362040'
- name: 'ensure virtnetworkd selinux bug work-around is in place (rhbz#2362040)'
copy:
src: fix-run-libvirt-network.conf
dest: /etc/systemd/system/virtnetworkd.service.d/
owner: root
group: root
mode: u=rw,go=r
notify:
- reload systemd
tags:
- systemd
- virtnetworkd-selinux-bug
- 'rhbz#2362040'
- name: ensure libvirtd starts at boot
service:
name: '{{ item }}'
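Review bot: notifying only `reload systemd` loads the new drop-in but does not run its `ExecStartPre`, which fires on the next start of virtnetworkd; on an already-running host `/run/libvirt/network` keeps the wrong label until a reboot or manual restart. Notify a `restart virtnetworkd` handler from the copy task as well (or add a one-shot `chcon` task guarded by a label check) so the play actually fixes the `storage` network on the hosts it touches.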