Add p14 configuration

files/wireguard-media/p14/fudiggity.key

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+62383632316662393635373862653635366263643162386136363131396333666635663536336131
+3962386137336239373061623338653765633162613438650a313365393637623962663438343238
+37396534373532626162613139313262663861326262653062663030343637366630323562386332
+3862636465636336390a373461326132386464303466623761336331623039353934306466663063
+62303535356638303436633263333238616361363335323661383934393763343763323835646362
+3032656435316638343163643031636661383962653832313335

files/wireguard-media/p14/fudiggity.pub

@@ -0,0 +1 @@
+znOvNe+KL6R/mE1OkjuTRcGDpgU8JLWBe5bNc027nWE=

files/wireguard-media/p14/preshared.psk

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+30383461643234633265353634386530333731646264363262386364363436383134643636613136
+3464313033356563623636393532613063323563396666360a626436356439363165643763353533
+30376639333663313139343739326230633165616238323962636564616235386461313932393233
+3761633236363062310a623232333036666130626263626361663964356436656435313837663466
+37376431656239666333663534373736383762653037386162656430346234623931643036633162
+3035373639303734666130633736303837396333646437383130

files/wireguard/p14/fudiggity.key

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+61643332623666376265346263613135363631353337316461373165353434373762313865366562
+6130373464626431303630653865376335626661653530360a333937653530316434303330613366
+64666333333263663863386333336564373765303565646566326663666530346239386435626364
+6330623633653736620a646161353835376437366438633333306535653333346336623735363334
+35623836623663653864666461393661636537656634323839356665626137303132643366343734
+3738626562383334363435393364633432376235333763666438

files/wireguard/p14/fudiggity.pub

@@ -0,0 +1 @@
+MOdt0GmrJWOAsL78TcHRNrBMF2jC9mviJrP5gqFzKxo=

files/wireguard/p14/preshared.psk

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+38323838303233616162383362383264623765666565666561333535636533373837616234656638
+6139346633386431356137666665376430636532346134660a303062353231653437626261323366
+62626532616165336466353638653532633663613266623966393563346639306362653335396266
+6430326363363934620a633465393138663436623337393938643061623132316666313433363164
+63383536323134626231646130633762393136303866643134356236613363653661346363306339
+6639663331633639646134323966346635323766343164643836

host_vars/desktop/network.yml

@@ -9,7 +9,7 @@ local_network_gateway: 192.168.2.254
 
 hostname: desktop
 
-wireguard:
+wireguard_default:
   ip: 10.0.0.3
 wireguard_media:
   ip: 10.0.1.3

host_vars/p14/network.yml

@@ -0,0 +1,11 @@
+wireless_interface: wlan0
+lan_interface: enp1s0
+
+default_network_dns: 9.9.9.9 149.112.112.112
+
+hostname: p14
+
+wireguard_default:
+  ip: 10.0.0.5
+wireguard_media:
+  ip: 10.0.1.9

host_vars/p14/system.yml

@@ -0,0 +1,51 @@
+---
+packages:
+  - nftables
+  - tmux
+  - unrar
+  - vim
+  - git
+  - openssl
+  - iproute2
+  - curl
+  - reflector
+  - ttf-ibm-plex
+  - systemd-ukify
+  - efibootmgr
+  - git-delta
+
+  # custom host packages
+  - keepassxc
+  - gimp
+  - firefox
+  - mpv
+  - yt-dlp
+  - syncthing
+  - mpd
+  - wireguard-tools
+  - okular
+  - postgresql
+  - plasma-meta
+  - wezterm
+  - thunderbird
+  - pipewire
+  - pipewire-pulse
+  - pipewire-alsa
+  - aspell-nl
+  - aspell-en
+  - iwd
+
+mkinitcpio_templates:
+  - src: "templates/p14/mkinitcpio/1-modules.conf.j2"
+    dest: "/etc/mkinitcpio.conf.d/1-modules.conf"
+
+  - src: "templates/p14/mkinitcpio/2-hooks.conf.j2"
+    dest: "/etc/mkinitcpio.conf.d/2-hooks.conf"
+
+  - src: "templates/p14/mkinitcpio/linux.preset.j2"
+    dest: "/etc/mkinitcpio.d/linux.preset"
+
+  - src: "templates/p14/mkinitcpio/linux-lts.preset.j2"
+    dest: "/etc/mkinitcpio.d/linux-lts.preset"
+
+wezterm_font_size: 11

host_vars/xps/network.yml

@@ -15,7 +15,7 @@ default_network_dns: 9.9.9.9 149.112.112.112
 
 hostname: xps
 
-wireguard:
+wireguard_default:
   ip: 10.0.0.2
-wireguard_media: # TODO: add missing credentials
+wireguard_media:
   ip: 10.0.1.2

inventory.yml

@@ -10,3 +10,5 @@ all:
     htpc:
       ansible_connection: local
       ansible_become_method: community.general.run0
+    p14:
+      ansible_connection: local

p14.yml

@@ -0,0 +1,24 @@
+---
+- name: Include default playbook
+  ansible.builtin.import_playbook: default.yml
+  vars:
+    hostname: p14
+
+- name: Arch Linux provisioning
+  hosts: p14
+  gather_facts: true
+  tasks:
+    - name: Wireguard provisioning
+      ansible.builtin.import_tasks: "tasks/wireguard.yml"
+      tags: wireguard
+
+    - name: Wireguard media provisioning
+      ansible.builtin.import_tasks: "tasks/wireguard-media.yml"
+      tags: wireguard-media
+
+  handlers:
+    - name: Import default handlers
+      ansible.builtin.import_tasks: handlers.yml
+
+    - name: Import common role handlers
+      ansible.builtin.import_tasks: "roles/common/handlers/user.yml"

tasks/network/main.yml

@@ -26,4 +26,4 @@
     owner: root
     group: root
     mode: "0600"
-  notify: restart nftables
+  notify: Restart nftables

tasks/network/p14.yml

@@ -0,0 +1,31 @@
+---
+- name: Setup network configuration
+  become: true
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: systemd-network
+    mode: "0640"
+  loop:
+    - src: "templates/p14/network/wlan0.network.j2"
+      dest: "/etc/systemd/network/20-wireless.network"
+  notify:
+    - Restart systemd-networkd
+    - Restart systemd-resolved
+
+- name: Create iwd directory
+  become: true
+  ansible.builtin.file:
+    path: /etc/iwd
+    mode: "0644"
+    owner: root
+
+- name: Provision iwd configuration
+  become: true
+  ansible.builtin.template:
+    src: templates/p14/iwd.j2
+    dest: /etc/iwd/main.config
+    mode: "0755"
+    owner: root
+  notify: Restart iwd

tasks/setup.yml

@@ -51,6 +51,15 @@
     state: touch
     mode: "0644"
 
+- name: Create pacman hooks directory
+  become: true
+  ansible.builtin.file:
+    path: "/etc/pacman.d/hooks"
+    owner: root
+    group: root
+    mode: "0644"
+    state: directory
+
 - name: Copy systemd-boot pacman hook
   become: true
   ansible.builtin.template:

tasks/systemd.yml

@@ -18,8 +18,8 @@
     dest: "{{ xdg_config_dir }}/systemd/user/tmux.service"
     mode: "0644"
   notify:
-    - user daemon-reload
-    - restart tmux service
+    - User daemon-reload
+    - Restart tmux service
 
 - name: Copy tmux startup script
   ansible.builtin.copy:

tasks/timer.yml

@@ -10,8 +10,8 @@
     - { src: "templates/timer/daily_timer.j2", dest: "/etc/systemd/system/daily.timer" }
     - { src: "templates/timer/weekly_timer.j2", dest: "/etc/systemd/system/weekly.timer" }
   notify:
-    - enable daily timer
-    - enable weekly timer
+    - Enable daily timer
+    - Enable weekly timer
 
 - name: Copy target files
   become: true

tasks/wireguard.yml

@@ -30,7 +30,7 @@
     mode: "0640"
   loop:
     - dest: "{{ wireguard_defaults.public_key_path }}"
-      src: "files/wireguard/{ ansible_hostname }}/fudiggity.pub"
+      src: "files/wireguard/{{ ansible_hostname }}/fudiggity.pub"
 
     - dest: "{{ wireguard_defaults.private_key_path }}"
       src: "files/wireguard/{{ ansible_hostname }}/fudiggity.key"
@@ -69,4 +69,4 @@
     - Restart systemd-networkd
     - Restart systemd-resolved
   vars:
-    wireguard: "{{ wireguard | ansible.builtin.combine(wireguard_defaults) }}"
+    wireguard: "{{ wireguard_default | ansible.builtin.combine(wireguard_defaults) }}"

templates/mpv/config.j2

@@ -1,9 +1,5 @@
 # {{ ansible_managed }}
 #
-gpu-api=opengl
-vo=gpu
-hwdec=vaapi
-
 audio-samplerate=128000
 audio-format=s64
 volume=100

templates/p14/cmdline.j2

@@ -0,0 +1 @@
+rd.luks.name=e02bb19c-8b7b-4537-a001-7dd9698674b2=cryptlvm root=/dev/VolumeGroup/root rw resume=/dev/VolumeGroup/swap

templates/p14/iwd.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+[General]
+AddressRandomization=network

templates/p14/mkinitcpio/1-modules.conf.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+MODULES=(amdgpu)

templates/p14/mkinitcpio/2-hooks.conf.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+#
+
+HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt lvm2 filesystems fsck)

templates/p14/mkinitcpio/linux-lts.preset.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+#
+# mkinitcpio preset file for the 'linux' package
+
+PRESETS=('default')
+
+default_uki="/boot/EFI/Linux/linux-lts.efi"
+default_kver="/boot/vmlinuz-linux-lts"

templates/p14/mkinitcpio/linux.preset.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+#
+# mkinitcpio preset file for the 'linux' package
+
+PRESETS=('default')
+
+default_uki="/boot/EFI/Linux/linux.efi"
+default_kver="/boot/vmlinuz-linux"

templates/p14/network/lan.network.j2

@@ -0,0 +1,11 @@
+[Match]
+Name={{ lan_interface }}
+
+[Network]
+DHCP=yes
+DNS={{ default_network_dns }}
+MulticastDNS=yes
+DNSOverTLS=yes
+
+[Link]
+RequiredForOnline=routable

templates/p14/network/wg0.netdev.j2

@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+
+[NetDev]
+Name={{ wireguard.interface }}
+Kind=wireguard
+Description=WireGuard tunnel {{ wireguard.interface }}
+
+[WireGuard]
+PrivateKeyFile={{ wireguard.private_key_path }}
+RouteTable=main
+
+{% for peer in wireguard.peers %}
+[WireGuardPeer]
+PublicKey={{ peer.public_key }}
+PresharedKeyFile={{ peer.preshared_key_path }}
+{% for ip in peer.allowed_ips %}
+AllowedIPs={{ ip }}
+{% endfor %}
+{% if peer.endpoint %}
+Endpoint={{ peer.endpoint }}
+{% endif %}
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}

templates/p14/network/wg0.network.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ wireguard.interface }}
+
+[Network]
+Address={{ wireguard.ip }}/{{ wireguard.prefix }}
+DNS={{ wireguard.dns }}
+Domains={{ wireguard.domains | join(' ') }}
+BindCarrier={{ lan_interface }} {{ wireless_interface }}

templates/p14/network/wg1.netdev.j2

@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+
+[NetDev]
+Name={{ wireguard.interface }}
+Kind=wireguard
+Description=WireGuard tunnel {{ wireguard.interface }}
+
+[WireGuard]
+PrivateKeyFile={{ wireguard.private_key_path }}
+RouteTable=main
+
+{% for peer in wireguard.peers %}
+[WireGuardPeer]
+PublicKey={{ peer.public_key }}
+PresharedKeyFile={{ peer.preshared_key_path }}
+{% for ip in peer.allowed_ips %}
+AllowedIPs={{ ip }}
+{% endfor %}
+{% if peer.endpoint %}
+Endpoint={{ peer.endpoint }}
+{% endif %}
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}

templates/p14/network/wg1.network.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ wireguard.interface }}
+
+[Network]
+Address={{ wireguard.ip }}/{{ wireguard.prefix }}
+DNS={{ wireguard.dns }}
+Domains={{ wireguard.domains | join(' ') }}
+BindCarrier={{ lan_interface }} {{ wireless_interface }}

templates/p14/network/wlan0.network.j2

@@ -0,0 +1,12 @@
+[Match]
+Name={{ wireless_interface }}
+
+[Network]
+DNS={{ default_network_dns }}
+DNSOverTLS=yes
+DNSSEC=yes
+DHCP=yes
+IgnoreCarrierLoss=3s
+
+[Link]
+RequiredForOnline=routable

templates/p14/nftables.j2

@@ -0,0 +1,43 @@
+#!/usr/bin/nft -f
+# vim:set ts=2 sw=2 et:
+
+flush ruleset
+
+table inet filter {
+  chain input {
+    type filter hook input priority 0; policy drop;
+
+    # allow established/related connections
+    ct state { established, related } accept
+
+    # early drop of invalid connections
+    ct state invalid drop
+
+    # allow from loopback
+    iifname lo accept
+
+    # allow icmp
+    ip protocol icmp accept
+    ip6 nexthdr icmpv6 accept
+
+    # allow mDNS
+    udp dport 5353 accept
+
+    # allow ssh
+    tcp dport ssh accept
+  }
+
+  chain forward {
+    type filter hook forward priority security; policy drop;
+
+    ct state { established, related } accept;
+
+		mark 1 accept
+  }
+}
+
+table ip filter {
+	chain DOCKER-USER {
+		mark set 1
+	}
+}