diff --git a/files/wireguard-media/p14/fudiggity.key b/files/wireguard-media/p14/fudiggity.key
new file mode 100644
index 0000000..6eea9ba
--- /dev/null
+++ b/files/wireguard-media/p14/fudiggity.key
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+62383632316662393635373862653635366263643162386136363131396333666635663536336131
+3962386137336239373061623338653765633162613438650a313365393637623962663438343238
+37396534373532626162613139313262663861326262653062663030343637366630323562386332
+3862636465636336390a373461326132386464303466623761336331623039353934306466663063
+62303535356638303436633263333238616361363335323661383934393763343763323835646362
+3032656435316638343163643031636661383962653832313335
diff --git a/files/wireguard-media/p14/fudiggity.pub b/files/wireguard-media/p14/fudiggity.pub
new file mode 100644
index 0000000..c495992
--- /dev/null
+++ b/files/wireguard-media/p14/fudiggity.pub
@@ -0,0 +1 @@
+znOvNe+KL6R/mE1OkjuTRcGDpgU8JLWBe5bNc027nWE=
diff --git a/files/wireguard-media/p14/preshared.psk b/files/wireguard-media/p14/preshared.psk
new file mode 100644
index 0000000..ada4f0b
--- /dev/null
+++ b/files/wireguard-media/p14/preshared.psk
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+30383461643234633265353634386530333731646264363262386364363436383134643636613136
+3464313033356563623636393532613063323563396666360a626436356439363165643763353533
+30376639333663313139343739326230633165616238323962636564616235386461313932393233
+3761633236363062310a623232333036666130626263626361663964356436656435313837663466
+37376431656239666333663534373736383762653037386162656430346234623931643036633162
+3035373639303734666130633736303837396333646437383130
diff --git a/files/wireguard/p14/fudiggity.key b/files/wireguard/p14/fudiggity.key
new file mode 100644
index 0000000..6887ef9
--- /dev/null
+++ b/files/wireguard/p14/fudiggity.key
@@ -0,0 +1,7 @@ +$ANSIBLE_VAULT;1.1;AES256 +61643332623666376265346263613135363631353337316461373165353434373762313865366562 +6130373464626431303630653865376335626661653530360a333937653530316434303330613366 +64666333333263663863386333336564373765303565646566326663666530346239386435626364 +6330623633653736620a646161353835376437366438633333306535653333346336623735363334 +35623836623663653864666461393661636537656634323839356665626137303132643366343734 +3738626562383334363435393364633432376235333763666438 diff --git a/files/wireguard/p14/fudiggity.pub b/files/wireguard/p14/fudiggity.pub new file mode 100644 index 0000000..161ddd6 --- /dev/null +++ b/files/wireguard/p14/fudiggity.pub @@ -0,0 +1 @@ +MOdt0GmrJWOAsL78TcHRNrBMF2jC9mviJrP5gqFzKxo= diff --git a/files/wireguard/p14/preshared.psk b/files/wireguard/p14/preshared.psk new file mode 100644 index 0000000..752de69 --- /dev/null +++ b/files/wireguard/p14/preshared.psk @@ -0,0 +1,7 @@ +$ANSIBLE_VAULT;1.1;AES256 +38323838303233616162383362383264623765666565666561333535636533373837616234656638 +6139346633386431356137666665376430636532346134660a303062353231653437626261323366 +62626532616165336466353638653532633663613266623966393563346639306362653335396266 +6430326363363934620a633465393138663436623337393938643061623132316666313433363164 +63383536323134626231646130633762393136303866643134356236613363653661346363306339 +6639663331633639646134323966346635323766343164643836 diff --git a/host_vars/desktop/network.yml b/host_vars/desktop/network.yml index f906953..bf47fb1 100644 --- a/host_vars/desktop/network.yml +++ b/host_vars/desktop/network.yml @@ -9,7 +9,7 @@ local_network_gateway: 192.168.2.254 hostname: desktop -wireguard: +wireguard_default: ip: 10.0.0.3 wireguard_media: ip: 10.0.1.3 diff --git a/host_vars/p14/network.yml b/host_vars/p14/network.yml new file mode 100644 index 0000000..925f94d --- /dev/null +++ b/host_vars/p14/network.yml 
@@ -0,0 +1,11 @@ +wireless_interface: wlan0 +lan_interface: enp1s0 + +default_network_dns: 9.9.9.9 149.112.112.112 + +hostname: p14 + +wireguard_default: + ip: 10.0.0.5 +wireguard_media: + ip: 10.0.1.9 diff --git a/host_vars/p14/system.yml b/host_vars/p14/system.yml new file mode 100644 index 0000000..c125a8c --- /dev/null +++ b/host_vars/p14/system.yml @@ -0,0 +1,51 @@ +--- +packages: + - nftables + - tmux + - unrar + - vim + - git + - openssl + - iproute2 + - curl + - reflector + - ttf-ibm-plex + - systemd-ukify + - efibootmgr + - git-delta + + # custom host packages + - keepassxc + - gimp + - firefox + - mpv + - yt-dlp + - syncthing + - mpd + - wireguard-tools + - okular + - postgresql + - plasma-meta + - wezterm + - thunderbird + - pipewire + - pipewire-pulse + - pipewire-alsa + - aspell-nl + - aspell-en + - iwd + +mkinitcpio_templates: + - src: "templates/p14/mkinitcpio/1-modules.conf.j2" + dest: "/etc/mkinitcpio.conf.d/1-modules.conf" + + - src: "templates/p14/mkinitcpio/2-hooks.conf.j2" + dest: "/etc/mkinitcpio.conf.d/2-hooks.conf" + + - src: "templates/p14/mkinitcpio/linux.preset.j2" + dest: "/etc/mkinitcpio.d/linux.preset" + + - src: "templates/p14/mkinitcpio/linux-lts.preset.j2" + dest: "/etc/mkinitcpio.d/linux-lts.preset" + +wezterm_font_size: 11 diff --git a/host_vars/xps/network.yml b/host_vars/xps/network.yml index f0eccca..252a1fc 100644 --- a/host_vars/xps/network.yml +++ b/host_vars/xps/network.yml @@ -15,7 +15,7 @@ default_network_dns: 9.9.9.9 149.112.112.112 hostname: xps -wireguard: +wireguard_default: ip: 10.0.0.2 -wireguard_media: # TODO: add missing credentials +wireguard_media: ip: 10.0.1.2 diff --git a/inventory.yml b/inventory.yml index d0c95b4..9f13a71 100644 --- a/inventory.yml +++ b/inventory.yml @@ -10,3 +10,5 @@ all: htpc: ansible_connection: local ansible_become_method: community.general.run0 + p14: + ansible_connection: local diff --git a/p14.yml b/p14.yml new file mode 100644 index 0000000..2c09049 --- /dev/null +++ b/p14.yml 
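Review bot: host_vars/p14/network.yml has no `---` document-start marker, while host_vars/p14/system.yml added in the same commit opens with one; yamllint's document-start rule flags the inconsistency, so I would add `---` as the first line. Whether the existing desktop and xps network.yml files carry it cannot be seen from these hunks, which start at lines 9 and 15.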
@@ -0,0 +1,24 @@ +--- +- name: Include default playbook + ansible.builtin.import_playbook: default.yml + vars: + hostname: p14 + +- name: Arch Linux provisioning + hosts: p14 + gather_facts: true + tasks: + - name: Wireguard provisioning + ansible.builtin.import_tasks: "tasks/wireguard.yml" + tags: wireguard + + - name: Wireguard media provisioning + ansible.builtin.import_tasks: "tasks/wireguard-media.yml" + tags: wireguard-media + + handlers: + - name: Import default handlers + ansible.builtin.import_tasks: handlers.yml + + - name: Import common role handlers + ansible.builtin.import_tasks: "roles/common/handlers/user.yml" diff --git a/tasks/network/main.yml b/tasks/network/main.yml index 7e95b03..4971c32 100644 --- a/tasks/network/main.yml +++ b/tasks/network/main.yml @@ -26,4 +26,4 @@ owner: root group: root mode: "0600" - notify: restart nftables + notify: Restart nftables diff --git a/tasks/network/p14.yml b/tasks/network/p14.yml new file mode 100644 index 0000000..311dd15 --- /dev/null +++ b/tasks/network/p14.yml @@ -0,0 +1,31 @@ +--- +- name: Setup network configuration + become: true + ansible.builtin.template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + group: systemd-network + mode: "0640" + loop: + - src: "templates/p14/network/wlan0.network.j2" + dest: "/etc/systemd/network/20-wireless.network" + notify: + - Restart systemd-networkd + - Restart systemd-resolved + +- name: Create iwd directory + become: true + ansible.builtin.file: + path: /etc/iwd + mode: "0644" + owner: root + +- name: Provision iwd configuration + become: true + ansible.builtin.template: + src: templates/p14/iwd.j2 + dest: /etc/iwd/main.config + mode: "0755" + owner: root + notify: Restart iwd diff --git a/tasks/setup.yml b/tasks/setup.yml index ae829b2..6a4fad8 100644 --- a/tasks/setup.yml +++ b/tasks/setup.yml 
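Review bot: The `Create iwd directory` task in tasks/network/p14.yml never sets `state: directory`, so ansible.builtin.file uses its default `state: file`, which does not create a missing path and fails on it instead; its `mode: "0644"` also gives the directory no execute bit, while the config file written by `Provision iwd configuration` gets `mode: "0755"`, so the two modes look swapped — add `state: directory` with `mode: "0755"` to the first task and use `mode: "0644"` in the second. iwd reads its main configuration from `/etc/iwd/main.conf` (iwd.config(5)), so the template rendered to `/etc/iwd/main.config` would be ignored; change the dest to `dest: /etc/iwd/main.conf`. The same `mode: "0644"` on a directory appears in the new `Create pacman hooks directory` task in tasks/setup.yml, where `"0755"` is the conventional value even though root is not blocked by the missing execute bit.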
@@ -51,6 +51,15 @@ state: touch mode: "0644" +- name: Create pacman hooks directory + become: true + ansible.builtin.file: + path: "/etc/pacman.d/hooks" + owner: root + group: root + mode: "0644" + state: directory + - name: Copy systemd-boot pacman hook become: true ansible.builtin.template: diff --git a/tasks/systemd.yml b/tasks/systemd.yml index 673526b..d79cfa8 100644 --- a/tasks/systemd.yml +++ b/tasks/systemd.yml @@ -18,8 +18,8 @@ dest: "{{ xdg_config_dir }}/systemd/user/tmux.service" mode: "0644" notify: - - user daemon-reload - - restart tmux service + - User daemon-reload + - Restart tmux service - name: Copy tmux startup script ansible.builtin.copy: diff --git a/tasks/timer.yml b/tasks/timer.yml index f68a50a..6b1ab4f 100644 --- a/tasks/timer.yml +++ b/tasks/timer.yml @@ -10,8 +10,8 @@ - { src: "templates/timer/daily_timer.j2", dest: "/etc/systemd/system/daily.timer" } - { src: "templates/timer/weekly_timer.j2", dest: "/etc/systemd/system/weekly.timer" } notify: - - enable daily timer - - enable weekly timer + - Enable daily timer + - Enable weekly timer - name: Copy target files become: true diff --git a/tasks/wireguard.yml b/tasks/wireguard.yml index f53d2ce..ac0c3bb 100644 --- a/tasks/wireguard.yml +++ b/tasks/wireguard.yml @@ -30,7 +30,7 @@ mode: "0640" loop: - dest: "{{ wireguard_defaults.public_key_path }}" - src: "files/wireguard/{ ansible_hostname }}/fudiggity.pub" + src: "files/wireguard/{{ ansible_hostname }}/fudiggity.pub" - dest: "{{ wireguard_defaults.private_key_path }}" src: "files/wireguard/{{ ansible_hostname }}/fudiggity.key" @@ -69,4 +69,4 @@ - Restart systemd-networkd - Restart systemd-resolved vars: - wireguard: "{{ wireguard | ansible.builtin.combine(wireguard_defaults) }}" + wireguard: "{{ wireguard_default | ansible.builtin.combine(wireguard_defaults) }}" diff --git a/templates/mpv/config.j2 b/templates/mpv/config.j2 index cb9323b..d9bc854 100644 --- a/templates/mpv/config.j2 +++ b/templates/mpv/config.j2 
@@ -1,9 +1,5 @@ # {{ ansible_managed }} # -gpu-api=opengl -vo=gpu -hwdec=vaapi - audio-samplerate=128000 audio-format=s64 volume=100 diff --git a/templates/p14/cmdline.j2 b/templates/p14/cmdline.j2 new file mode 100644 index 0000000..15c124a --- /dev/null +++ b/templates/p14/cmdline.j2 @@ -0,0 +1 @@ +rd.luks.name=e02bb19c-8b7b-4537-a001-7dd9698674b2=cryptlvm root=/dev/VolumeGroup/root rw resume=/dev/VolumeGroup/swap diff --git a/templates/p14/iwd.j2 b/templates/p14/iwd.j2 new file mode 100644 index 0000000..ece78b8 --- /dev/null +++ b/templates/p14/iwd.j2 @@ -0,0 +1,4 @@ +# {{ ansible_managed }} + +[General] +AddressRandomization=network diff --git a/templates/p14/mkinitcpio/1-modules.conf.j2 b/templates/p14/mkinitcpio/1-modules.conf.j2 new file mode 100644 index 0000000..82581fb --- /dev/null +++ b/templates/p14/mkinitcpio/1-modules.conf.j2 @@ -0,0 +1,3 @@ +# {{ ansible_managed }} + +MODULES=(amdgpu) diff --git a/templates/p14/mkinitcpio/2-hooks.conf.j2 b/templates/p14/mkinitcpio/2-hooks.conf.j2 new file mode 100644 index 0000000..5311fc5 --- /dev/null +++ b/templates/p14/mkinitcpio/2-hooks.conf.j2 @@ -0,0 +1,4 @@ +# {{ ansible_managed }} +# + +HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt lvm2 filesystems fsck) diff --git a/templates/p14/mkinitcpio/linux-lts.preset.j2 b/templates/p14/mkinitcpio/linux-lts.preset.j2 new file mode 100644 index 0000000..71d2550 --- /dev/null +++ b/templates/p14/mkinitcpio/linux-lts.preset.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} +# +# mkinitcpio preset file for the 'linux' package + +PRESETS=('default') + +default_uki="/boot/EFI/Linux/linux-lts.efi" +default_kver="/boot/vmlinuz-linux-lts" diff --git a/templates/p14/mkinitcpio/linux.preset.j2 b/templates/p14/mkinitcpio/linux.preset.j2 new file mode 100644 index 0000000..22097bb --- /dev/null +++ b/templates/p14/mkinitcpio/linux.preset.j2 
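Review bot: The header comment in templates/p14/mkinitcpio/linux-lts.preset.j2 says `# mkinitcpio preset file for the 'linux' package`, but the preset builds `/boot/vmlinuz-linux-lts` into `linux-lts.efi`; it was evidently copied from linux.preset.j2 and should read `# mkinitcpio preset file for the 'linux-lts' package`.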
@@ -0,0 +1,8 @@ +# {{ ansible_managed }} +# +# mkinitcpio preset file for the 'linux' package + +PRESETS=('default') + +default_uki="/boot/EFI/Linux/linux.efi" +default_kver="/boot/vmlinuz-linux" diff --git a/templates/p14/network/lan.network.j2 b/templates/p14/network/lan.network.j2 new file mode 100644 index 0000000..f514701 --- /dev/null +++ b/templates/p14/network/lan.network.j2 @@ -0,0 +1,11 @@ +[Match] +Name={{ lan_interface }} + +[Network] +DHCP=yes +DNS={{ default_network_dns }} +MulticastDNS=yes +DNSOverTLS=yes + +[Link] +RequiredForOnline=routable diff --git a/templates/p14/network/wg0.netdev.j2 b/templates/p14/network/wg0.netdev.j2 new file mode 100644 index 0000000..85ba97e --- /dev/null +++ b/templates/p14/network/wg0.netdev.j2 @@ -0,0 +1,25 @@ +# {{ ansible_managed }} + +[NetDev] +Name={{ wireguard.interface }} +Kind=wireguard +Description=WireGuard tunnel {{ wireguard.interface }} + +[WireGuard] +PrivateKeyFile={{ wireguard.private_key_path }} +RouteTable=main + +{% for peer in wireguard.peers %} +[WireGuardPeer] +PublicKey={{ peer.public_key }} +PresharedKeyFile={{ peer.preshared_key_path }} +{% for ip in peer.allowed_ips %} +AllowedIPs={{ ip }} +{% endfor %} +{% if peer.endpoint %} +Endpoint={{ peer.endpoint }} +{% endif %} +{% if not loop.last %} + +{% endif %} +{% endfor %} diff --git a/templates/p14/network/wg0.network.j2 b/templates/p14/network/wg0.network.j2 new file mode 100644 index 0000000..b508654 --- /dev/null +++ b/templates/p14/network/wg0.network.j2 @@ -0,0 +1,10 @@ +# {{ ansible_managed }} + +[Match] +Name={{ wireguard.interface }} + +[Network] +Address={{ wireguard.ip }}/{{ wireguard.prefix }} +DNS={{ wireguard.dns }} +Domains={{ wireguard.domains | join(' ') }} +BindCarrier={{ lan_interface }} {{ wireless_interface }} diff --git a/templates/p14/network/wg1.netdev.j2 b/templates/p14/network/wg1.netdev.j2 new file mode 100644 index 0000000..85ba97e --- /dev/null +++ b/templates/p14/network/wg1.netdev.j2 
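Review bot: templates/p14/network/lan.network.j2 enables `DNSOverTLS=yes` but not `DNSSEC=yes`, whereas wlan0.network.j2 in this commit sets both; if the difference is intended a comment would save the next reader a question, otherwise add `DNSSEC=yes` under `[Network]`. It also lacks the `# {{ ansible_managed }}` header that the wg*.j2 and iwd.j2 templates carry. As far as this diff shows nothing installs it — the loop in tasks/network/p14.yml lists only wlan0.network.j2 — so it may be dead until a task references it.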
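Review bot: templates/p14/network/wg0.netdev.j2 and wg1.netdev.j2 are byte-identical (both index lines show blob 85ba97e), as are wg0.network.j2 and wg1.network.j2 (b508654); every value in them comes from the `wireguard` variable, including `Name={{ wireguard.interface }}`, so a single netdev template and a single network template rendered twice with different `wireguard` vars would do the same job and keep the two tunnels from drifting apart. If the copies are kept on purpose, a header comment in each naming the tunnel it serves and stating that it must mirror its twin would at least make the duplication deliberate.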
@@ -0,0 +1,25 @@ +# {{ ansible_managed }} + +[NetDev] +Name={{ wireguard.interface }} +Kind=wireguard +Description=WireGuard tunnel {{ wireguard.interface }} + +[WireGuard] +PrivateKeyFile={{ wireguard.private_key_path }} +RouteTable=main + +{% for peer in wireguard.peers %} +[WireGuardPeer] +PublicKey={{ peer.public_key }} +PresharedKeyFile={{ peer.preshared_key_path }} +{% for ip in peer.allowed_ips %} +AllowedIPs={{ ip }} +{% endfor %} +{% if peer.endpoint %} +Endpoint={{ peer.endpoint }} +{% endif %} +{% if not loop.last %} + +{% endif %} +{% endfor %} diff --git a/templates/p14/network/wg1.network.j2 b/templates/p14/network/wg1.network.j2 new file mode 100644 index 0000000..b508654 --- /dev/null +++ b/templates/p14/network/wg1.network.j2 @@ -0,0 +1,10 @@ +# {{ ansible_managed }} + +[Match] +Name={{ wireguard.interface }} + +[Network] +Address={{ wireguard.ip }}/{{ wireguard.prefix }} +DNS={{ wireguard.dns }} +Domains={{ wireguard.domains | join(' ') }} +BindCarrier={{ lan_interface }} {{ wireless_interface }} diff --git a/templates/p14/network/wlan0.network.j2 b/templates/p14/network/wlan0.network.j2 new file mode 100644 index 0000000..30d588b --- /dev/null +++ b/templates/p14/network/wlan0.network.j2 @@ -0,0 +1,12 @@ +[Match] +Name={{ wireless_interface }} + +[Network] +DNS={{ default_network_dns }} +DNSOverTLS=yes +DNSSEC=yes +DHCP=yes +IgnoreCarrierLoss=3s + +[Link] +RequiredForOnline=routable diff --git a/templates/p14/nftables.j2 b/templates/p14/nftables.j2 new file mode 100644 index 0000000..ce3be1e --- /dev/null +++ b/templates/p14/nftables.j2 
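Review bot: templates/p14/network/wlan0.network.j2 sets `DNSSEC=yes`, which is systemd-resolved's strict mode: on a Wi-Fi interface that roams between networks, name resolution fails outright behind resolvers or captive portals that break DNSSEC validation, with no fallback. If that strictness is deliberate, a comment above the line should say so; otherwise `DNSSEC=allow-downgrade` is the documented alternative that validates when the upstream supports it. The template also lacks the `# {{ ansible_managed }}` header the wg*.j2 templates carry, as does lan.network.j2.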
@@ -0,0 +1,43 @@ +#!/usr/bin/nft -f +# vim:set ts=2 sw=2 et: + +flush ruleset + +table inet filter { + chain input { + type filter hook input priority 0; policy drop; + + # allow established/related connections + ct state { established, related } accept + + # early drop of invalid connections + ct state invalid drop + + # allow from loopback + iifname lo accept + + # allow icmp + ip protocol icmp accept + ip6 nexthdr icmpv6 accept + + # allow mDNS + udp dport 5353 accept + + # allow ssh + tcp dport ssh accept + } + + chain forward { + type filter hook forward priority security; policy drop; + + ct state { established, related } accept; + + mark 1 accept + } +} + +table ip filter { + chain DOCKER-USER { + mark set 1 + } +}
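Review bot: In templates/p14/nftables.j2 the forward chain's `policy drop` is effectively bypassed for Docker traffic: the hook-less `DOCKER-USER` chain in `table ip filter` marks every packet that reaches it (`mark set 1`) — presumably via the jump Docker's iptables-nft rules insert from FORWARD — and `mark 1 accept` in `inet filter forward` then passes it with no further filtering, so the file should state that this is intentional, e.g. `# Docker's FORWARD jumps into DOCKER-USER; mark there and accept here so Docker keeps control of forwarding policy`. `ip6 nexthdr icmpv6 accept` only matches when ICMPv6 is the header immediately after the IPv6 header and misses packets carrying extension headers; `meta l4proto ipv6-icmp accept` is the form nftables documents for this. `tcp dport ssh accept` and `udp dport 5353 accept` carry no interface qualifier, so on a laptop they are open on every network it joins, including the WireGuard tunnels; an `iifname` restriction would limit that exposure if it is not wanted. `flush ruleset` also removes Docker's own tables on every reload, so Docker has to be restarted afterwards to recreate them.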