Layout refactor

Also included provisioning for htpc host

default.yml

@@ -0,0 +1,40 @@
+- name: Arch Linux provisioning
+  gather_facts: true
+  hosts: all
+  roles:
+    - common
+  tasks:
+    - name: Generic provisioning
+      ansible.builtin.import_tasks: 'tasks/setup.yml'
+      tags: setup
+
+    # TODO: provision ssh client config with modern cyphers
+    - name: Network provisioning
+      ansible.builtin.import_tasks: 'tasks/network/main.yml'
+      tags: network
+
+    # - name: Network host specific provisioning
+    #   ansible.builtin.import_tasks: 'tasks/network/{{ ansible_hostname }}.yml'
+    #   tags: network-specific
+
+    - name: Systemd provisioning
+      ansible.builtin.import_tasks: 'tasks/systemd.yml'
+      tags: systemd
+
+    - name: Systemd timer provisioning
+      ansible.builtin.import_tasks: 'tasks/timer.yml'
+      tags: timers
+
+    # Note: Disable DoH in Firefox to fallback to system's default DNS 
+    # resolver, see
+    # https://support.mozilla.org/en-US/kb/dns-over-https#w_configure-doh-protection-settings
+    - name: MPV provisioning
+      ansible.builtin.import_tasks: 'tasks/mpv.yml'
+      tags: mpv
+
+  handlers:
+    - name: Import default handlers
+      ansible.builtin.import_tasks: 'handlers.yml'
+
+    - name: Import common role handlers
+      ansible.builtin.import_tasks: 'roles/common/handlers/user.yml'

desktop.yml

@@ -0,0 +1,34 @@
+- name: Include default playbook
+  ansible.builtin.import_playbook: default.yml
+
+- name: Arch Linux provisioning
+  hosts: desktop
+  gather_facts: true
+  tasks:
+    - name: Wireguard provisioning
+      ansible.builtin.import_tasks: 'tasks/wireguard.yml'
+      tags: wireguard
+
+    - name: Wireguard media provisioning
+      ansible.builtin.import_tasks: 'tasks/wireguard-media.yml'
+      tags: wireguard-media
+
+    - name: MPD provisioning
+      ansible.builtin.import_tasks: 'tasks/mpd.yml'
+      tags: mpd
+
+    - name: Syncthing provisioning
+      ansible.builtin.import_tasks: 'tasks/syncthing.yml'
+      tags: syncthing
+
+    # TODO: provision current macvlan setup
+    - name: Desktop provisioning
+      ansible.builtin.import_tasks: 'tasks/desktop.yml'
+      tags: desktop
+
+  handlers:
+    - name: Import default handlers
+      ansible.builtin.import_tasks: handlers.yml
+
+    - name: Import common role handlers
+      ansible.builtin.import_tasks: 'roles/common/handlers/user.yml'

files/personal/all/gpg/gpg_key

@@ -1,264 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-34663932363439393536333037386165353635363461356133643930373232633664343737396263
-6332613133646434333332356135336164346237383237360a643035653161363964333136346533
-37353332656361653662623137643735326532393234366165316234323364656261343132393831
-3034626136656162350a333362643166383138306136646331373439623232373532633130313262
-36356134386565343333353136616263623265623438653663336435376134346563663365373930
-30616435316364613139666661343633363436343635666661646635393661373739653765373363
-30343434396537666234306561353636323365666165333131623365383535396634623539626565
-39363138323638323234326433333066393933373839623834663632373438613339613963383333
-38333866386466303634363362323964653663613966333032633130613336366363326561363433
-30633737316535303366396563333532313036623236376430613234376637336131323666373762
-61383338303536316462616332613562636263343236616635656238653532336561623334356533
-30313662353662376530353933656464383039336664333935653834303833313230323838373838
-63643766303462306130386130333066336466313862366538383230366661373666306638353137
-62643466306435343739363138313433656336643538333133343764326238336137333939636336
-65613238396437623866616330393166363462666532373731613232393966323835346566306333
-32646432623833653761363839323237633863383666373862363761346665306265623366363635
-65326237363361353233646661646330386630653961363862363463326339633532346130396134
-31313730613134633133633362393464623663313031623862373937313763653838343935366335
-35626466346666633961363132343933393066303539353239653662373432623432336662343661
-31343434313461326263373264613538653937336336613031313637633564316134323335653638
-66353733386662616162303032363361393661653935633237323131613331613364333264353232
-30626637663366363630343764303863353035653535343931346636633636643365373237383030
-35393734663661323334373436323437393830636637383566366434663666366531323434653535
-38353064373038336362623735386532396433353063616337326636383065633035386134326533
-37323761393465303563306661646433646532643935323665636265323133623265383437336131
-31316366643932356538393932343238353165303565643663396363636135313561626132353635
-37613737356136623061353734353561653332363031613738636362363061646330303432326436
-62633334393066353835653430363561396131646534653138333263646436633038303135383564
-62386639663833346565356362633662626139666431323830323134613633343062626565653837
-37666366643631666639303131656264613665636631333335316462326431393866626131613962
-31393330663537356438623564313164316439313136333033666663303662633763363264346363
-32663634303131303939333639386536363835346539623835326530303334353463316261393665
-35613365316337363664623739323632333062393662336662323330363162636333623031323166
-37626166653166333136643764663161386434393838633566633835616235656666346464313733
-63636333666432666137373366313261656566646338626264633764633164376235326433646163
-35333935666563366631376366626335653261383033633031393631363435346233323230373266
-62333538616339333532353039343932636633363838376230336465303963663932396265613064
-30323034316232343562386261303264353238346262366639366561303931633563666134393632
-63376330663534346466363439393864373536643230316564373463356231393632666161626432
-61636330356330646432663636383764363431376364626331326664666361326636613031323161
-39633965373763326337646436653739643831376661353562663438333562306238613562326136
-64363231616362653965363039356463363735363231396566336562373762333534646430626534
-36643335663037643066656266636237636161336163326237613964393664666339333833393264
-34323235636431316537303964306165613636656465636131373037353530386136343864306466
-33386662613564646332343866313534316534303738366431626662376562346662663231383039
-30636363373336356438656636363966663563353734643230666233343539643838373065313361
-35336338303631333332646266303162383064626237623335663766613931363233366161663438
-64306236366432383663346639626162353365626137353239356531323662613163643635663262
-37666363393331336531653433323038626537336634326164356632373635303236613935643538
-31313064646136373862366535396266633430313338303533383463373933313836633066666535
-64643034316366656534393163633732323339356337616632383036646366656633303435386664
-65663831356432616538336565343639653062623937663766613361623566336463303165313832
-32353466373430386662343165306264333833656339623639383938663330333464616338343230
-34636433333130306635666633383961363366393036373465396432386534653065643231366166
-30643064353638653762363864313931616336386630356630623838373934346633356364386634
-61643632626636313461363862653532636634623563666237616632396233303338356162326536
-33376264383438376364306530653839303062313264366238343834343063363066383534373365
-61633863343939303433396461353963663331326363316333393339633637343933306563663034
-39356665663435336238326230633135383337306662393935353433623437343836376436613864
-31373136633434623130383436383737396232643033633638356536613932663166633461376633
-62623064623064396638343866663931323061383036313961316632636435653435346263323233
-66396465366266363462303165376133656262663664383963386438326635313161643861306237
-32346531303237343161333261323536386366666135386364316233643361366138363633333566
-37333838333433633336343639333134386233383738373563346536323138383733623831613635
-38663237303363386664373236373033623238373933313236383439346564363538613863633466
-33343166653136653264643130346438393238366637376337653835386539656133356361666430
-32373162363134326631333965646562353132623064623430366334616666636632623039623639
-64373334356334646561313031643331643463306566383163393534303936656532303064666235
-30373262373138383438316361653665393833653164346465323438396430343165393735316561
-62653034653565343239663838646362376538653033343863643339356532646238393362346133
-64613330653565623166636264373663623138313362393833353932653361363138623538343164
-38646666323065363034376536656431613936303133396232383166386534326339323061376337
-61396661313030376536363939346365343235616465633264643731316535313863303562353030
-32303530303762303466303262643537326531376264343634646534333932333136636238623138
-34616663643430303865353963633735333762356562373762333265616438313434393938323938
-66336235656530633838653331663263643432323763393963313661323731343365396364616361
-62346335353133383630613963323838323361333166346132323066616239633261613039666532
-32663365356330383438623863626334313962356431333730353264623337643239653465653037
-35316131336565393063656564353132313136366364376535613761326632396162633166313763
-63306562363061376261323064313465346231336539656430643165376337363434393163663238
-34613132316465663561623265313833643964323430376239646262653833633462396134343565
-31613837323362356464633739613464663435613734653432373566353461633366343836623233
-32346432363234343934653432383732346230323932373635643362633530333837313332383165
-37616231346163363734633030333464616438626138616163663161373362623961626362353234
-39353262323664663861663637386634623463626433386538386531653537616633326533323734
-66326530393537363538306337383738353164326161383736653465346265393837633831643732
-63623764393737653062623462626563363561386531386630336639316230633663356235653036
-30363439376637373364373331306564343135633864393934373365376361623937613133613435
-36373036313838373362656134323138346264303333326237356562313164353636396334316237
-31376136323037326139373930663635313864323061656132356239623763623233646562393939
-64636661666139633331343131633731336365623335353633313363346231396336346339346438
-62353266396566386539306132373636646134363962646131313938356135373632383437333865
-32373163616461373464613661623232623162643334646364333535373437333437666665623065
-33326366646338626662636134653965303866646463366630653939623031316564303664623862
-33393661316638663661646434393934313534623465313766643638373134383764333634376333
-30313263613539333638653439303038383835646137653435636338623165386539633463323663
-62323933653733346566666234333930343466613563653365386237373963636536666636393838
-31636266396236633336383434323131626464393061386566316132303064636434623838643039
-62303136373234623961333336323764643034613664653963366336356332393761633233646534
-66623464626165356432303633653338636264386462343233653139626431633466316330356538
-66393035623035653163343231316230316661666337643461633136306663663231313237643038
-65633366643238323162336166613662313536623866616262663965343565646237393861353263
-62653634653131303433353635656239666436623663306464396133656664383430323832336632
-33363066376237323661353330646233633865666439313964396462373733336465326434626336
-32363362393536356463666233633664306235633732626434623033633632636330663463336365
-66363631303836613332643566333930643333333536356234323666353130396230353630376263
-30353530303865636461356634336534633362363763353961383631343061656435623261616363
-36326132386432653065666163373430623435336666653366333065343334643832643730336331
-61386434326434323761323433343838306238643534376238623730613463396337323862303264
-33373966353033623064353562666639343732353965653366623533373034656135633065343463
-37616332663232613865333062383539633531613735653436323337643063653463333937353632
-62303364366134643830303363303633386266343137633134653537356633383832303932643863
-66356662306434346338333536623061333864376539663135383938323238393638656639623436
-39663930356363616138643736303062306136626239626434303062393035333762373933313638
-39646331626464626339663232326430613163663763316232663837633363343432633662393531
-38313462313830653863376637393765366239393734356334323765396632346138303038313834
-32353637343038363039643164646362313866376562633161343763316164393736663565393166
-66653462633936653364636530383333323636313230323030323131383736643262383561333938
-35393934333361383562373935363465373436356662396331633233633566346231323863346637
-38636631656364376335336638666563333466386437366533613564366132316430646562646232
-64393533333933626439313935373335643332326564333932366634316463343039633630616265
-65363162366634613763653061366138616663643630336430386661616564616264636263383932
-32343766373839356539663432643230386263343630326162633363326262663937646564343365
-61316564333365373230313463383731653337326263303935633438643934623135623763616564
-34376363393531353162303163653265386566396135313161393836336439393139646530623438
-31376631316233333234396533653061663461666632313839653531643432343530353132646132
-36373738643465643634316637373763666338666633623263666134346634373836313266613732
-35326539383534353437613962343732646533326139643263343236396462306666316165663665
-37643961623662663836383837303939613864373163303734623663646632376162356564663031
-31626334316565656464326537323163373938316562386166666137356632316363343237346531
-37656166343639343565653433616136353533353531336561633330313861326237343739316165
-39313232663630396136386137633039313561373930386233663862643734373532313632373538
-63353938663434653630633038323665333462663731646537353765323361353762653637613331
-35663331323831313865306664313131336633636264313061316164303137353836366266366261
-32626165646363623663613263633131396264623531386561336563393539363839393433393563
-64633762393838636338353566373864363364646538353536346332623662353034326638633038
-36336566626636666138353334363437363265653331343130653836636335663736653634313662
-38633135623732336166366136316531306565326435346235643563633932383637393236636666
-66616562393564623165646261646533313238346362353431306135653938636663663232323830
-62393333326135396636646662333332303434396235343639633939396664356463333533333430
-66383231616339353932613836666632303064393136366632663439353062356565343634386364
-64303736376639363762386237336630653132633063656363333136303631386430353662316463
-65363666666434346364333937636137343734636163303166653062396330343835616165386663
-35663563353134623336386363356632643138626135366137636563623532373764633966346437
-61353861326535663431623235653665633030626365333134383434626330313930343462353662
-32353965623662353637326562613266633866616334333563646430613763383739333637363034
-35616263393066383138336366353061386364613666633131646262383230393766393864393735
-64643633336136376132303065353630326465366336646435396663616364663036616639393637
-35386633303433616337396262336330376536356366653536363861616539343936323539373766
-65396638353163636664666333663139343762623335646366336564393036353932323561353931
-38373636636464373035663163356562636230616633636565353166663563616365363037656364
-64623861353164323262343532626232646264626164373536653531333938663734323866653636
-30326364333561353966323463623936333266663831383736386233633964613066356461303965
-33343730623936613036333266313533666530313261303765646536346134346331643935376463
-33326630313436653839303663336636373239633232353865366531663138666466306638653265
-34393664646636636366346438313133393961373231333561313366396538363634333264613166
-38353562663732613064396461346231633464626333663736356431323361616236343430613830
-66356361333135363236636434326534323466636531356539613462306533353336373363353330
-37633661303738363436366234633439383138363030323561333564616133306432383336646431
-37653364316165653666633539316539336465643832356133653736313239626466643162363939
-36323562383865633134393232343439353836306364646632636661363339393139386639356661
-63306232326431343532373737626233363036333763343933633832653766376432376235623534
-36323765666133353238393435376262343233633162633964363038643834636537396562333736
-38363935633134326461376530373630343937323036326563626364316335313839626665393837
-38313435323761343139386530346662326265626666353239356462326333333538346161313438
-36313430386332623365393835343862613338343666633930663634336263306361333861636337
-34313334613761386533636337306664613665643334396661316137376135613161353035383633
-31333664396638316465306635656139616265353639333164656666383733373433333762363435
-37666432326462393135616338633330343332383065356265653563346465343234383036316336
-39653438353839386337396530366364323235393463633464313239356333333163656561376330
-35613137636131306630363335343031633161613733376262636336313638326131343165383231
-64326566393536363937623539386235373561323935646366353165616463376237633964633464
-33353732376337323338316166643236303336393034356639623861333766303034353963396236
-38356338643634363765313664643862323061376331376232366165633830626263303163643433
-65626634343339303031653432663531366639613362613039653638383465353434333639333865
-64383030623538646465363363393161633762313135616432386130663164353033343466393132
-35633763636261616434313531663039363662653962333139303138623838363163653866613539
-36323031633230376632376533613435616239323231613635396435373833353064623834653863
-65663163393933323934323364366535383935303233323639373531646165663535356634393464
-34623532333831306563326237373933383832643637326464656666373339303237363232313938
-63373936393563386530646565346563373337383262616338383531396262626134376136303163
-31653839316339616439366135346337366231363630366264373936356538316564636330373766
-33373961636233383231333464663962666136396437373361666538343065366662623364323237
-64666237663236326661313866306336323564666263373334303266306562343239383866666365
-34313665633465353865333362666564336532663766393134363764653736653237653133313833
-63306463326161373639363362333538373263393564303065656236323363663939366638323762
-36663763313537643066623161313035616462343631336264656664643861643232383561636664
-36633836353435373161666662633838623336366161643365363136386466323937646633313731
-64373739623335353966333833316563386237373031633132353638663435646234666263633435
-34663365313863633236343936633865356166366430383339303138646163383237396239663132
-62353465623566613564333039653466666366396436386461326335373662343262386263356264
-30616538666665393561333630383037656131646239336437393737623862333532356463656435
-63623766373934393264613237653363636261333265613438373762353230393835313235633164
-62323335636333376236306261643931616230666465366666373230393438633365323135666233
-39653332643336313537396463623639646364356136303533623764376538353439303037316535
-61643961353364373638366232363461336238343363636230373834346464376261646630393866
-39376633393735646662613834626263333163383534366463333161396165343666626639326639
-32643064366565333432353430636235336238353836363331646166396533313966663664666666
-61626462653134643266353039653033383431626538346430356564353664633439356434383930
-66353736343839383165383064663039333061643363363265383030396333393762393763616638
-31386535653432323661656132343363646661656637313130353137313362373439373032613731
-65333463623961613138396633353837353061353166383837656333643836343635623363613366
-63346336636165326661363533306139643930393437666332386337373965373761393034616631
-63366632306539623633623731313233333966633735626665643562623639396537343434633835
-33383638613031356631643235326138383664376430623463323062663635623732326639396636
-38336331353336663831346530336439376634396338633664616562363135326430666238653261
-64653132613533383738663832316561613232366339316662633630366164393334356332386162
-64393965393534316136653234396162313631646332653539623362353662333337336634383736
-65616335656663393239643533623466656435383732333666396661663662306635313034306362
-38623137653464376431393731636463613866313166643165636630316364326433326132396161
-61343335336664366536656639653238313736633565343533643034646361653430396132616439
-64373231393232346163643262396233613231373561663835333065363461343263356565336530
-35333535646632303039636664306364623839306139343265666632383638333735613837316561
-33323733353937393831383565363436303638353362323432653963326562333532653864616634
-35616632646234343862643531613236636236616534623231643663393633363831663661626138
-35633763366530363339346132643163613739653532626263336565626261646264303334393834
-31663231326562663964643633316438363161653535396435646362383036656363356137663636
-31336163303766633236333465653864663539353633386664303038646663366363646566336466
-33303435393739636131636166656237323436636237353863646365326639636166363739333439
-64373139626465656264313837363233653334393033343663396563666530373538613036653064
-39396231393662396565313066616164353031613833396331666131653031623261663038336563
-36653835333538386561643033623865383338366463646465666431383833633939376565616230
-62643063333631643439643333316563303465383563393130303634333130303330663134363436
-66386132663065656464323034306132613531343037396561626234626438333063393433316633
-63636264306163636631653732396166643934643866393064353364316264333662646665636663
-66393265636230303536656535623962643934316138393532663262653966626536323233623737
-38353730343538323231623531336436333133326334343238616630656531613538316130623761
-34646233613139343231366232636565316232356365643164653933643132356432613761613636
-34363831353935656437633034333232653938613365613066333361393164623864373339313730
-62373537366466356162343663626561316530373365386437656264396433303433623134616464
-36616530363438366238393136663239623362326533636363353435653261386137616361346164
-38653636373063663932336435626361613934393432646139353833306436346662356539333131
-62326361366635643830356639326234656662316435383031343039653830393664373033653735
-61616233313138663438376632336162656139346430326562363231333430626166363031336435
-62333338623339613633313061656332613630383338306534623034316135393233616539376434
-38326234353963616234623232643839373038643933383631636635613538393262303431373364
-63376463656263313230653832626262363537363735336237306636373435616566613832316338
-64393361393064346432666539643364313433336361333262383934633066363535646562383262
-33383334376238653339323362316330303863653762306636373931633534303731336234636532
-34356361346436323363333430313231643732623461366236306338636431303632373264616139
-36376630323265623831636265633866366136316631396239646266666564313062646637636262
-35353165643464346564323937636463643832616331623036396636383133643731613033393432
-61393833656430333537653332313931663435663838646633303435626139306336623762636462
-32313934306531643662343163323630646562363134303266366530323766353138643266396633
-35396662303566343235653131613830323538363263643939666362656665313135306362363037
-36303238616634363337613935373435303931313866333565666638383835656637366464396136
-64303237646138373339376161666265303632626136353261383438386637616564616436306336
-33613164323037303530373431333565643734313636613838373638326234343531613136356566
-30636337393463396436303530653330323639386438353439613761643831316533353166333539
-30393161646239663935393438646334666530363565333964366364353530353861666633646563
-65626262643666656166306633326463363666633731363431626463616433643732353962633464
-39666533396232616130666131613232643762623562383662346366316466333339313836393737
-33353635396536333464663836366262356164666266663039623334666334343939313638346464
-63383664346635633365633962376238653365656331313362313536663138663464666436613132
-62656638396261613136393330623437383561386163653938323831373932353764623865306664
-35393130323464653266353563383663336233313361323133313435643564663063336335626266
-39396239643031666133656461393535663661643036326666663330656130313038636537386562
-39346439613333363061633364316166643135353832386432616362643337373363313931383135
-64613366373464363062386231303736336130613164366661363434346464383936646366613737
-38313730376436306165663466623335646533666138623564363466633938393139323836643865
-37373636653937343937303462663235353238656439353837663264663366396664386466646638
-34653266313135326130613531386239336538666364356234663164353662396565626361323238
-656463383063623064336666333062386432

files/personal/all/gpg/gpg_pub

@@ -1,40 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQGNBGAPMBMBDAC8AI3gYcB8R4psS4OLUTzt45sL8wimEmHCZNGBgLShtg7AfpES
-AuXArVLEQSsUH8rL9/ninRyfwTsRj1tSouxVVwprdxXGZdPkksE/l+TjlB5FlAyp
-nb/nCo7lrmw+xsPc/rjrlGoGJXrrxpVUYYbWLGciKcecUJ17sL0vS8KZQbSSw9pI
-W37DFNq5m3R9/6MSnxcPZPErmyqbcNe4FDxc8jToxdyzqADar1vb/JTIQGkzObCy
-a05sU8Q/G1adKt27lW+v4SWC8d4LQX5Z3nyvAvE87cWVFAGiz4mf1fTLotqwyXot
-vVv05kl66Z58shlE61q+1Qm+SD2OKyd3Cl2s+RpfyYOVoB3SRLDZvM7bppXr58PF
-3Lhmpl61/mpOMI0MNT5OFYCVKOsiNgP7FKlHvOZVk4Ldybfis1Y4TI1mg/OghjLQ
-vjm9Hxlpsr93hpWxlmU6BBpSWUOxggKr96WoR56sQGjn/KCxPBRl17PqwXJmMbi9
-ex9uV6K6iQDRDf0AEQEAAbQMU29ubnkgQmFra2VyiQHUBBMBCAA+FiEEgsIVUtcy
-xlwaT7NAA3ED8Dyly6EFAmAPMBMCGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwEC
-HgECF4AACgkQA3ED8Dyly6GUQAv/RGHTt0CQANUC/CQQaY23XDGiqYCbmFqmIwuT
-YIE/QHl7+Zg7p02KGsBKrSWOMylFToTphnWWvJCEPYxW74WO2L2vrRplPVC0zbRz
-ftx2s6IJopb4j5ftkg/b8V7NjQKO+EWXGgqZz+o9j0I3b1CLO4Fc/Sux/+khuG6x
-m7wLHIOQn3ab9yX2e7cL/LgaJSKkXKwhYnaFnwuWZJRX/Dcqev2zZD37a9s1c3Au
-cdvdp5d/cHi+osZ5D6HwT6LnkxVlAYtzKXyQbZNUMattHFK7L/UCYQmvcRPXy6FD
-1+T0bX7cOcsaBXSUEhIt+IKvYUa22ZsHl6Eq8gCxXmvaIDIIGpFLGA6boJBAPFHL
-WATZqonLmGYikumOwomv4730iXBVJKu+mCCPKSzSRAxTTowCF7NVdc6+X62mbvOp
-R4LM+E/bCxtndGfxDhHm1nF0JexgTDGwUwLJPg5aAYjjrAIhsUk729GyJhHPK3if
-0eocxv1PqKrGT8AUHosIOn2idnf5uQGNBGAPMBMBDAC1/f799inkL5w8KoysKrSp
-QRYFiVpIN2CpYCU/MrjpBDU1d4GJ4s1EhVhvaCrNfwUBWyqN1kZpT9f2e8MNVB5U
-nmwHBynCwiK/gHeJKIdwOENE09NcErDQnEbbK7tFl/LDbh0BYdzyAEoOo37XYt/G
-0DXj0Y6GLphmlXfG9a/wXcvXCRdln3q1xyn0BVHMC8fz5F6RsivOEYMXunCMQ4WW
-XFVgRe/jM+plWdQZQuP4RgRGv4kJ2ba9y9NQD8/GFXtnecWjv1ILlyzqyZtEa6ua
-Jq0FrgYvZ1YH0jDKCcanHb0nlMlEhrpQneJTW+qmMgjZAJ+2wA8yPeuU6a+T/05I
-tnbLUSlqgwjrzV71whp79l9p7FOG9kzwwKhhDAKxTqL3WshvXMlcnku6qlTyrymP
-CHF6ZJYCQJEWPLYrThwWx+/6Yssg+Mm87LsciHVYgeBtaZWrN49kZXN2K1Py/WUK
-Ev9+IjKlaFbqfq1W60xh4liiZ3AB9L5jTS6n98O+r8kAEQEAAYkBtgQYAQgAIBYh
-BILCFVLXMsZcGk+zQANxA/A8pcuhBQJgDzATAhsMAAoJEANxA/A8pcuh8PUL+wdi
-YYZpVqvbvnRbzWtYNEY6QYsn/qI0aS5jAURoMpCB3AFX6+aS6olAS8rWNx8sqWnL
-psfZf0vSd/FXl0ja2a5MLLeQaKlK7/cP3RZjGDa6/eMqL0UyKpe5/a4mkBaczo18
-Fa2BK1X1wIUaWYfhp53mBGB9JgwKItdbEPJTBqIyjZRPab/Q5OUb/xOWCLQP+VpU
-8p5c4rnONTdjKBfuyeEMWIlhG1QhobfIuZcbWaXZXj+HLiiugZCPxum8tFbMp05/
-FaPKmDS4TbeEk7wizsnBRDL3UjFCfySBsR/SOP+adut75t6h18pm0yeYRU73otZA
-TES5LVpW7i6TiJEK7qPDQ/Sv34vAtVF0c7ntnYbxiLzX7x0uJF16O4XLw0Uba4HM
-ZntDUsaxvlLfxcDeeDHR/24wOaJKRKKzX0b+wjRXfw26XEo4vHHBPyEB1DvGZu3P
-hVot85SDDFS5LzLqkyGDiCOkkE5RqJYLCzQ6+4DfrQvkg682zD587894j+VV6g==
-=KJ2a
------END PGP PUBLIC KEY BLOCK-----

files/wireguard-media/htpc/fudiggity.key

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+30313239376562613332383265336333613266663264383636666437643436623462663861333639
+3830623835333263353863363535376532623262323535610a663330316133376131303465326665
+35663564623737636136306338623531653162633237636361643764343030353262616139623735
+3532626238316664310a336335633564396638303236333838363264613861616637343833363665
+39366264306438643662313130396135363461656466626436663339313337613830623364646637
+3735323933323563646563393532306237336165633534353735

files/wireguard-media/htpc/fudiggity.pub

@@ -0,0 +1 @@
+XcWpmGrkSQJUEADrDTUmcA7/dm8HQffbdC03rQ/3fwg=

files/wireguard-media/htpc/preshared.psk

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+65363636336134323530333461393634666334383464356239613765396465373635353465323262
+3163343634336361323765623365633637663436616539340a376566313735316262366237366435
+33666634663966386434656363633136393565336134323465306264633630333131356539623862
+3666343633396634650a626263653632643333346564303065316634643763303036376332336333
+39323430306564346635393535313233363235316535656362363931323862303530363136663961
+6139326230353537643537346664623332383863323332633565

group_vars/all/main.yml

@@ -1,34 +1,17 @@
-ansible_become_method: community.general.run0
-
 packages:
-  - firefox
-  - keepassxc
-  - gimp
   - nftables
-  - okular
-  - postgresql
-  - plasma-meta
-  - wezterm
   - tmux
   - unrar
   - vim
   - git
   - openssl
-  - kmail
   - iproute2
   - curl
   - reflector
-  - pipewire
-  - pipewire-pulse
-  - pipewire-alsa
-  - merkuro
-  - kmail
   - otf-monaspace-nerd
   - systemd-ukify
   - efibootmgr
   - git-delta
-  - aspell-nl
-  - aspell-en
 
 xdg_config_dir: '{{ ansible_env.HOME }}/.config'
 xdg_script_dir: '{{ ansible_env.HOME }}/.local/bin'

group_vars/personal/gpg.yml

@@ -1,8 +0,0 @@
-gpg_pub_key: '82C21552D732C65C1A4FB340037103F03CA5CBA1'
-gpg_passphrase: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  61383265343062663836623033343538333562636433383735383862306465316439376333373563
-  6131336136653533323561633434633961393061623233640a366430396532326465326530356136
-  36616636363134386333616137656333353439633832633731373834336239393337316366626462
-  6164343331613663620a303363353064376630633939363831373339383961626137376361323438
-  3463

group_vars/personal/system.yml

@@ -1,39 +0,0 @@
-packages:
-  - keepassxc
-  - gimp
-  - nftables
-  - okular
-  - postgresql
-  - plasma-meta
-  - wezterm
-  - tmux
-  - unrar
-  - vim
-  - git
-  - openssl
-  - kmail
-  - iproute2
-  - curl
-  - reflector
-  - pipewire
-  - pipewire-pulse
-  - pipewire-alsa
-  - merkuro
-  - kmail
-  - otf-monaspace-nerd
-  - systemd-ukify
-  - efibootmgr
-  - git-delta
-  - aspell-nl
-  - aspell-en
-
-  # custom packages
-  - firefox
-  - mpv
-  - youtube-dl
-  - nfs-utils
-  - syncthing
-  - mpd
-  - wireguard-tools
-
-vpn_config_dir: '/etc/wireguard'

handlers.yml

@@ -44,7 +44,7 @@
     state: restarted
     enabled: true
 
-- name: start systemd-resolved service
+- name: restart systemd-resolved
   become: true
   systemd:
     name: systemd-resolved

host_vars/desktop/network.yml

@@ -6,3 +6,8 @@ local_network_dns: 9.9.9.9 149.112.112.112
 local_network_gateway: 192.168.2.254
 
 hostname: desktop
+
+wireguard:
+  ip: 10.0.0.3
+wireguard_media:
+  ip: 10.0.1.3

host_vars/desktop/system.yml

@@ -1,15 +1,53 @@
+packages:
+  - nftables
+  - tmux
+  - unrar
+  - vim
+  - git
+  - openssl
+  - iproute2
+  - curl
+  - reflector
+  - otf-monaspace-nerd
+  - systemd-ukify
+  - efibootmgr
+  - git-delta
+
+  # custom packages
+  - keepassxc
+  - gimp
+  - firefox
+  - mpv
+  - yt-dlp
+  - nfs-utils
+  - syncthing
+  - mpd
+  - wireguard-tools
+  - okular
+  - postgresql
+  - plasma-meta
+  - wezterm
+  - kmail
+  - pipewire
+  - pipewire-pulse
+  - pipewire-alsa
+  - merkuro
+  - kmail
+  - aspell-nl
+  - aspell-en
+
 modprobe_templates:
-  - src: 'templates/personal/desktop/modprobe/99-amdgpu.conf.j2'
+  - src: 'templates/desktop/modprobe/99-amdgpu.conf.j2'
     dest: '/etc/modprobe.d/99-amdgpu.conf'
 
 mkinitcpio_templates:
-  - src: 'templates/personal/desktop/mkinitcpio/1-modules.conf.j2'
+  - src: 'templates/desktop/mkinitcpio/1-modules.conf.j2'
     dest: '/etc/mkinitcpio.conf.d/1-amdgpu.conf'
 
-  - src: 'templates/personal/desktop/mkinitcpio/linux.preset.j2'
+  - src: 'templates/desktop/mkinitcpio/linux.preset.j2'
     dest: '/etc/mkinitcpio.d/linux.preset'
 
-  - src: 'templates/personal/desktop/mkinitcpio/linux-lts.preset.j2'
+  - src: 'templates/desktop/mkinitcpio/linux-lts.preset.j2'
     dest: '/etc/mkinitcpio.d/linux-lts.preset'
 
 boot_configuration:

host_vars/desktop/vpn.yml

@@ -1,51 +0,0 @@
-# TODO: scope variables to their destination file
-vpn_default:
-  ip: 10.0.0.3
-  prefix: 24
-  interface: wg0
-  dns: 10.0.0.1
-  domains:
-    - '~vpn.{{ server_domain }}'
-    - '~transmission.{{ server_domain }}'
-    - '~syncthing.{{ server_domain }}'
-    - '~radicale.{{ server_domain }}'
-    - '~mpd.{{ server_domain }}'
-
-  public_key_path: '{{ vpn_config_dir }}/keys/public/default/desktop.pub'
-  private_key_path: '{{ vpn_config_dir }}/keys/private/default/desktop.key'
-
-  peers:
-    - name: fudiggity
-      allowed_ips:
-        - 10.0.0.0/24
-        - 172.16.238.0/24
-        - 172.32.238.0/24
-        - 172.64.238.0/24
-        - 172.128.238.0/24
-      endpoint: '{{ server_domain }}:51902'
-      public_key: CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo=
-      preshared_key_path: '{{ vpn_config_dir }}/keys/private/default/preshared-zeus.psk'
-      preshared_key_source_path: files/personal/desktop/wireguard/default/preshared.psk
-
-vpn_media:
-  ip: 10.0.1.3
-  prefix: 24
-  interface: wg1
-  dns: 10.0.1.1
-  domains:
-    - '~media-vpn.{{ server_domain }}'
-    - '~jellyfin.{{ server_domain }}'
-
-  public_key_path: '{{ vpn_config_dir }}/keys/public/media/desktop.pub'
-  private_key_path: '{{ vpn_config_dir }}/keys/private/media/desktop.key'
-  private_key_source_path: files/personal/desktop/wireguard/media/desktop.key
-
-  peers:
-    - name: zeus-media
-      allowed_ips:
-        - 10.0.1.0/24
-        - 172.8.238.0/24
-      endpoint: '{{ server_domain }}:51903'
-      public_key: EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg=
-      preshared_key_path: '{{ vpn_config_dir }}/keys/private/media/preshared-zeus.psk'
-      preshared_key_source_path: files/personal/desktop/wireguard/media/preshared.psk

host_vars/htpc/network.yml

@@ -0,0 +1,11 @@
+lan_interface: enp1s0
+lan_interface_mac: bc:fc:e7:6e:73:53
+
+local_network_address: 192.168.2.30/24
+local_network_dns: 9.9.9.9 149.112.112.112
+local_network_gateway: 192.168.2.254
+
+hostname: htpc
+
+wireguard_media:
+  ip: 10.0.1.8

host_vars/htpc/system.yml

@@ -0,0 +1,44 @@
+packages:
+  - nftables
+  - tmux
+  - unrar
+  - vim
+  - git
+  - openssl
+  - iproute2
+  - curl
+  - reflector
+  - otf-monaspace-nerd
+  - systemd-ukify
+  - efibootmgr
+  - git-delta
+
+  # custom packages
+  - keepassxc
+  - firefox
+  - mpv
+  - yt-dlp
+  - wireguard-tools
+  - okular
+  - postgresql
+  - plasma-meta
+  - wezterm
+  - pipewire
+  - pipewire-pulse
+  - pipewire-alsa
+
+modprobe_templates: []
+
+mkinitcpio_templates:
+  - src: 'templates/htpc/mkinitcpio/1-modules.conf.j2'
+    dest: '/etc/mkinitcpio.conf.d/1-amdgpu.conf'
+
+  - src: 'templates/htpc/mkinitcpio/linux.preset.j2'
+    dest: '/etc/mkinitcpio.d/linux.preset'
+
+  - src: 'templates/htpc/mkinitcpio/linux-lts.preset.j2'
+    dest: '/etc/mkinitcpio.d/linux-lts.preset'
+
+boot_configuration:
+  disk: /dev/sda
+  partition: 1

host_vars/xps/main.yml

@@ -1 +0,0 @@
-wezterm_font_size: 10

host_vars/xps/network.yml

@@ -13,3 +13,8 @@ frans_network_gateway: 192.168.2.254
 default_network_dns: 9.9.9.9 149.112.112.112
 
 hostname: xps
+
+wireguard:
+  ip: 10.0.0.2
+wireguard_media: # TODO: add missing credentials
+  ip: 10.0.1.2

host_vars/xps/pa-dlna.yml

@@ -0,0 +1,2 @@
+pa_dlna_version: 0.16
+pa_dlna_systemd_version: 0.0.9

host_vars/xps/system.yml

@@ -1,41 +1,40 @@
 packages:
-  - keepassxc
-  - gimp
   - nftables
-  - okular
-  - postgresql
-  - plasma-meta
-  - wezterm
   - tmux
   - unrar
   - vim
   - git
   - openssl
-  - kmail
   - iproute2
   - curl
   - reflector
+  - otf-monaspace-nerd
+  - systemd-ukify
+  - efibootmgr
+  - git-delta
+
+  - keepassxc
+  - gimp
+  - firefox
+  - mpv
+  - yt-dlp
+  - nfs-utils
+  - syncthing
+  - mpd
+  - wireguard-tools
+  - okular
+  - postgresql
+  - plasma-meta
+  - wezterm
+  - kmail
   - pipewire
   - pipewire-pulse
   - pipewire-alsa
   - merkuro
   - kmail
-  - otf-monaspace-nerd
-  - systemd-ukify
-  - efibootmgr
-  - git-delta
   - aspell-nl
   - aspell-en
 
-  # custom packages
-  - firefox
-  - mpv
-  - youtube-dl
-  - nfs-utils
-  - syncthing
-  - mpd
-  - wireguard-tools
-
   # custom host packages
   - iwd
   - nvidia
@@ -48,14 +47,16 @@ boot_configuration:
   partition: 1
 
 mkinitcpio_templates:
-  - src: 'templates/personal/xps/mkinitcpio/1-modules.conf.j2'
+  - src: 'templates/xps/mkinitcpio/1-modules.conf.j2'
     dest: '/etc/mkinitcpio.conf.d/1-modules.conf'
 
-  - src: 'templates/personal/xps/mkinitcpio/2-hooks.conf.j2'
+  - src: 'templates/xps/mkinitcpio/2-hooks.conf.j2'
     dest: '/etc/mkinitcpio.conf.d/2-hooks.conf'
 
-  - src: 'templates/personal/xps/mkinitcpio/linux.preset.j2'
+  - src: 'templates/xps/mkinitcpio/linux.preset.j2'
     dest: '/etc/mkinitcpio.d/linux.preset'
 
-  - src: 'templates/personal/xps/mkinitcpio/linux-lts.preset.j2'
+  - src: 'templates/xps/mkinitcpio/linux-lts.preset.j2'
     dest: '/etc/mkinitcpio.d/linux-lts.preset'
+
+wezterm_font_size: 10

host_vars/xps/vpn.yml

@@ -1,52 +0,0 @@
-pa_dlna_version: 0.16
-pa_dlna_systemd_version: 0.0.9
-
-vpn_default:
-  ip: 10.0.0.2
-  prefix: 24
-  interface: wg0
-  dns: 10.0.0.1
-  domains:
-    - '~vpn.{{ server_domain }}'
-    - '~transmission.{{ server_domain }}'
-    - '~syncthing.{{ server_domain }}'
-    - '~radicale.{{ server_domain }}'
-    - '~mpd.{{ server_domain }}'
-
-  public_key_path: '{{ vpn_config_dir }}/keys/public/default/laptop.pub'
-  private_key_path: '{{ vpn_config_dir }}/keys/private/default/laptop.key'
-
-  peers:
-    - name: fudiggity
-      allowed_ips:
-        - 10.0.0.0/24
-        - 172.16.238.0/24
-        - 172.32.238.0/24
-        - 172.64.238.0/24
-        - 172.128.238.0/24
-      endpoint: '{{ server_domain }}:51902'
-      public_key: 'CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo='
-      preshared_key_path: '{{ vpn_config_dir }}/keys/private/default/preshared-zeus.psk'
-      preshared_key_source_path: files/personal/xps/wireguard/default/preshared.psk
-
-vpn_media:
-  ip: 10.0.1.2
-  prefix: 24
-  interface: wg1
-  dns: 10.0.1.1
-  domains:
-    - '~media-vpn.{{ server_domain }}'
-    - '~jellyfin.{{ server_domain }}'
-
-  public_key_path: '{{ vpn_config_dir }}/keys/public/media/laptop.pub'
-  private_key_path: '{{ vpn_config_dir }}/keys/private/media/laptop.key'
-
-  peers:
-    - name: fudiggity-media
-      allowed_ips:
-        - 10.0.1.0/24
-        - 172.8.238.0/24
-      endpoint: '{{ server_domain }}:51903'
-      public_key: EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg=
-      preshared_key_path: '{{ vpn_config_dir }}/keys/private/media/preshared-zeus.psk'
-      preshared_key_source_path: files/personal/xps/wireguard/media/preshared.psk

htpc.yml

@@ -0,0 +1,19 @@
+- hosts: htpc
+  gather_facts: true
+
+- name: Include default playbook
+  ansible.builtin.import_playbook: default.yml
+
+- name: Arch Linux provisioning
+  hosts: htpc
+  tasks:
+    - name: Wireguard media provisioning
+      ansible.builtin.import_tasks: 'tasks/wireguard-media.yml'
+      tags: wireguard-media
+
+  handlers:
+    - name: Import default handlers
+      ansible.builtin.import_tasks: handlers.yml
+
+    - name: Import common role handlers
+      ansible.builtin.import_tasks: 'roles/common/handlers/user.yml'

inventory.yml

@@ -1,6 +1,11 @@
-personal:
+all:
   hosts:
     xps:
       ansible_connection: local
+      ansible_become_method: community.general.run0
     desktop:
       ansible_connection: local
+      ansible_become_method: community.general.run0
+    htpc:
+      ansible_connection: local
+      ansible_become_method: community.general.run0

playbook.yml

@@ -1,67 +0,0 @@
-- name: Arch Linux provisioning
-  hosts: personal
-  gather_facts: true
-  roles:
-    - common
-  tasks:
-    - name: Verifying that a limit is set
-      ansible.builtin.fail:
-        msg: 'This playbook cannot be run with no limit'
-      run_once: true
-      when: ansible_limit is not defined
-
-    - name: Generic provisioning
-      ansible.builtin.import_tasks: 'tasks/setup.yml'
-      tags: setup
-
-    # TODO: provision ssh client config with modern cyphers
-    - name: Network provisioning
-      ansible.builtin.import_tasks: 'tasks/network.yml'
-      tags: network
-
-    - name: Systemd provisioning
-      ansible.builtin.import_tasks: 'tasks/systemd.yml'
-      tags: systemd
-
-    - name: Systemd timer provisioning
-      ansible.builtin.import_tasks: 'tasks/timer.yml'
-      tags: timers
-
-    - name: Personal provisiong
-      when: "'personal' in group_names"
-      block:
-        # Note: Disable DoH in Firefox to fallback to system's default DNS 
-        # resolver, see
-        # https://support.mozilla.org/en-US/kb/dns-over-https#w_configure-doh-protection-settings
-        - name: Wireguard provisioning
-          ansible.builtin.import_tasks: 'tasks/personal/all/wireguard.yml'
-          tags: wireguard
-
-        - name: MPV provisioning
-          ansible.builtin.import_tasks: 'tasks/personal/all/mpv.yml'
-          tags: mpv
-
-        - name: MPD provisioning
-          ansible.builtin.import_tasks: 'tasks/personal/all/mpd.yml'
-          tags: mpd
-
-        - name: Syncthing provisioning
-          ansible.builtin.import_tasks: 'tasks/personal/all/syncthing.yml'
-          tags: syncthing
-
-        # TODO: provision current macvlan setup
-        - name: Desktop provisioning
-          ansible.builtin.import_tasks: 'tasks/personal/desktop.yml'
-          when: ansible_hostname == 'desktop'
-          tags: desktop
-
-        - name: XPS provisioning
-          ansible.builtin.import_tasks: 'tasks/personal/xps.yml'
-          when: ansible_hostname == 'xps'
-          tags: xps
-  handlers:
-    - name: Import default handlers
-      ansible.builtin.import_tasks: 'handlers.yml'
-
-    - name: Import common role handlers
-      ansible.builtin.import_tasks: 'roles/common/handlers/user.yml'

tasks/desktop.yml

@@ -6,7 +6,7 @@
 
 - name: Copy xdg-desktop-portal.service drop-in
   ansible.builtin.template:
-    src: templates/personal/desktop/xdg-desktop-portal.service.j2
+    src: templates/desktop/xdg-desktop-portal.service.j2
     dest: '{{ xdg_config_dir }}/systemd/user/xdg-desktop-portal.service.d/override.conf'
     mode: '0755'
   notify: user daemon-reload

tasks/mpd.yaml

@@ -1,13 +1,17 @@
+- name: Include mpd defaults
+  ansible.builtin.include_vars:
+    file: vars/mpd.yml
+
 - name: Copy systemd configuration files
   ansible.builtin.template:
     src: '{{ item.src }}'
     dest: '{{ item.dest }}'
     mode: '0644'
   loop:
-    - src: 'templates/personal/all/mpd/service.j2'
+    - src: 'templates/mpd/service.j2'
       dest: '{{ xdg_config_dir }}/systemd/user/mpd.service'
 
-    - src: 'templates/personal/all/mpd/socket.j2'
+    - src: 'templates/mpd/socket.j2'
       dest: '{{ xdg_config_dir }}/systemd/user/mpd.socket'
   notify:
     - stop mpd service
@@ -51,11 +55,11 @@
     dest: '{{ item.dest }}'
     mode: '0755'
   loop:
-    - src: 'templates/personal/all/mpd/mpd.conf.j2'
+    - src: 'templates/mpd/mpd.conf.j2'
       dest: '{{ mpd_configuration_dir }}/mpd.conf'
-    - src: 'templates/personal/all/mpd/ncmpcpp/config.j2'
+    - src: 'templates/mpd/ncmpcpp/config.j2'
       dest: '{{ ncmpcpp_configuration_dir }}/config'
-    - src: 'templates/personal/all/mpd/ncmpcpp/bindings.j2'
+    - src: 'templates/mpd/ncmpcpp/bindings.j2'
       dest: '{{ ncmpcpp_configuration_dir }}/bindings'
   notify:
     - stop mpd service

tasks/mpv.yml

@@ -10,7 +10,7 @@
     dest: '{{ item.dest }}'
     mode: '0644'
   loop:
-    - src: 'templates/personal/all/mpv/input.j2'
+    - src: 'templates/mpv/input.j2'
       dest: '{{ ansible_env.HOME }}/.config/mpv/input.conf'
-    - src: 'templates/personal/all/mpv/config.j2'
+    - src: 'templates/mpv/config.j2'
       dest: '{{ ansible_env.HOME }}/.config/mpv/mpv.conf'

tasks/network.yml

@@ -1,112 +0,0 @@
-# Note that Wireguard does DNS resolution only once during connection.
-# When a client's IP changes, the server should be notified in some way,
-# using `wg set wg0 peer izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4= endpoint <NEW-IP>:<PORT>`
-# for example.
-
-- name: Set hostname
-  become: true
-  ansible.builtin.hostname:
-    name: '{{ hostname }}'
-    use: systemd
-
-- name: Copy hosts file
-  become: true
-  ansible.builtin.template:
-    src: templates/hosts.j2
-    dest: /etc/hosts
-    mode: '0644'
-    owner: root
-
-- name: Copy firewall template
-  become: true
-  ansible.builtin.template:
-    src: "{{ lookup('ansible.builtin.first_found', paths) }}"
-    dest: /etc/nftables.conf
-    owner: root
-    group: root
-    mode: '0600'
-  vars:
-    paths:
-      - 'templates/{{ ansible_hostname }}/nftables.j2'
-      - 'templates/{{ group_names[0] }}/{{ ansible_hostname }}/nftables.j2'
-  notify: restart nftables
-
-- name: Desktop configuration
-  notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
-  when: ansible_hostname == 'desktop'
-  block:
-    - name: Setup network configuration
-      become: true
-      ansible.builtin.template:
-        src: '{{ item.src }}'
-        dest: '{{ item.dest }}'
-        owner: root
-        group: systemd-network
-        mode: '0640'
-      loop:
-        - src: 'templates/personal/desktop/network/enp1s0.link.j2'
-          dest: '/etc/systemd/network/20-enp1s0.link'
-        - src: 'templates/personal/desktop/network/enp1s0.network.j2'
-          dest: '/etc/systemd/network/20-enp1s0.network'
-
-    - name: Remove leftover configuration files
-      become: true
-      ansible.builtin.file:
-        path: '{{ item }}'
-        state: absent
-      loop:
-        - '/etc/systemd/network/30-vmbr0.network'
-        - '/etc/systemd/network/30-vmbr0.netdev'
-
-- name: XPS configuration
-  notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
-    - restart iwd
-  when: ansible_hostname == 'xps'
-  block:
-    - name: Setup network configuration
-      become: true
-      ansible.builtin.template:
-        src: '{{ item.src }}'
-        dest: '{{ item.dest }}'
-        owner: root
-        group: systemd-network
-        mode: '0640'
-      loop:
-        - src: 'templates/personal/xps/network/wlan0-local.network.j2'
-          dest: '/etc/systemd/network/10-wireless.network'
-
-        - src: 'templates/personal/xps/network/wlan0-frans.network.j2'
-          dest: '/etc/systemd/network/11-wireless.network'
-
-        - src: 'templates/personal/xps/network/wlan0.network.j2'
-          dest: '/etc/systemd/network/20-wireless.network'
-
-    - name: Create iwd directory
-      become: true
-      ansible.builtin.template:
-        src: templates/personal/xps/iwd.j2
-        dest: /etc/iwd
-        mode: '0644'
-        owner: root
-
-    - name: Provision iwd configuration
-      become: true
-      ansible.builtin.template:
-        src: templates/personal/xps/iwd.j2
-        dest: /etc/iwd/main.config
-        mode: '0755'
-        owner: root
-
-    - name: Remove leftover configuration files
-      become: true
-      ansible.builtin.file:
-        path: '{{ item }}'
-        state: absent
-      loop:
-        - /etc/systemd/network/30-vmbr0.network
-        - /etc/systemd/network/30-vmbr0.netdev
-        - /etc/systemd/network/10-wlan0.link

tasks/network/desktop.yml

@@ -0,0 +1,27 @@
+- name: Desktop configuration
+  notify:
+    - restart systemd-networkd
+    - restart systemd-resolved
+  block:
+    - name: Setup network configuration
+      become: true
+      ansible.builtin.template:
+        src: '{{ item.src }}'
+        dest: '{{ item.dest }}'
+        owner: root
+        group: systemd-network
+        mode: '0640'
+      loop:
+        - src: 'templates/desktop/network/enp1s0.link.j2'
+          dest: '/etc/systemd/network/20-enp1s0.link'
+        - src: 'templates/desktop//network/enp1s0.network.j2'
+          dest: '/etc/systemd/network/20-enp1s0.network'
+
+    - name: Remove leftover configuration files
+      become: true
+      ansible.builtin.file:
+        path: '{{ item }}'
+        state: absent
+      loop:
+        - '/etc/systemd/network/30-vmbr0.network'
+        - '/etc/systemd/network/30-vmbr0.netdev'

tasks/network/main.yml

@@ -0,0 +1,28 @@
+# Note that Wireguard does DNS resolution only once during connection.
+# When a client's IP changes, the server should be notified in some way,
+# using `wg set wg0 peer izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4= endpoint <NEW-IP>:<PORT>`
+# for example.
+
+- name: Set hostname
+  become: true
+  ansible.builtin.hostname:
+    name: '{{ hostname }}'
+    use: systemd
+
+- name: Copy hosts file
+  become: true
+  ansible.builtin.template:
+    src: templates/hosts.j2
+    dest: /etc/hosts
+    mode: '0644'
+    owner: root
+
+- name: Copy firewall template
+  become: true
+  ansible.builtin.template:
+    src: 'templates/{{ ansible_hostname }}/nftables.j2'
+    dest: /etc/nftables.conf
+    owner: root
+    group: root
+    mode: '0600'
+  notify: restart nftables

tasks/network/xps.yml

@@ -0,0 +1,47 @@
+- name: Setup network configuration
+  become: true
+  ansible.builtin.template:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+  loop:
+    - src: 'templates/xps/network/wlan0-local.network.j2'
+      dest: '/etc/systemd/network/10-wireless.network'
+
+    - src: 'templates/xps/network/wlan0-frans.network.j2'
+      dest: '/etc/systemd/network/11-wireless.network'
+
+    - src: 'templates/xps/network/wlan0.network.j2'
+      dest: '/etc/systemd/network/20-wireless.network'
+  notify:
+    - restart systemd-networkd
+    - restart systemd-resolved
+
+- name: Create iwd directory
+  become: true
+  ansible.builtin.template:
+    src: templates/xps/iwd.j2
+    dest: /etc/iwd
+    mode: '0644'
+    owner: root
+
+- name: Provision iwd configuration
+  become: true
+  ansible.builtin.template:
+    src: templates/xps/iwd.j2
+    dest: /etc/iwd/main.config
+    mode: '0755'
+    owner: root
+  notify: restart iwd
+
+- name: Remove leftover configuration files
+  become: true
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: absent
+  loop:
+    - /etc/systemd/network/30-vmbr0.network
+    - /etc/systemd/network/30-vmbr0.netdev
+    - /etc/systemd/network/10-wlan0.link

tasks/personal/all/wireguard.yml

@@ -1,112 +0,0 @@
-# Note: Only compatible with personal group
-
-- name: Create Wireguard directories
-  become: true
-  ansible.builtin.file:
-    path: '{{ item }}'
-    owner: root
-    group: systemd-network
-    mode: '0750'
-    state: directory
-    recurse: true
-  loop:
-    - '{{ vpn_config_dir }}'
-    - '{{ vpn_default.private_key_path | dirname }}'
-    - '{{ vpn_default.public_key_path | dirname }}'
-    - '{{ vpn_media.private_key_path | dirname }}'
-    - '{{ vpn_media.public_key_path | dirname }}'
-  notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
-
-- name: Copy Wireguard credentials
-  become: true
-  ansible.builtin.copy:
-    src: '{{ item.src }}'
-    dest: '{{ item.dest }}'
-    owner: root
-    group: systemd-network
-    mode: '0640'
-  loop:
-    - dest: '{{ vpn_default.public_key_path }}'
-      src: 'files/personal/{{ ansible_hostname }}/wireguard/default/{{ ansible_hostname }}.pub'
-
-    - dest: '{{ vpn_default.private_key_path }}'
-      src: 'files/personal/{{ ansible_hostname }}/wireguard/default/{{ ansible_hostname }}.key'
-
-    - dest: '{{ vpn_media.public_key_path }}'
-      src: 'files/personal/{{ ansible_hostname }}/wireguard/media/{{ ansible_hostname }}.pub'
-
-    - dest: '{{ vpn_media.private_key_path }}'
-      src: 'files/personal/{{ ansible_hostname }}/wireguard/media/{{ ansible_hostname }}.key'
-  notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
-
-- name: Copy Wireguard preshared keys
-  become: true
-  ansible.builtin.copy:
-    src: '{{ item.preshared_key_source_path }}'
-    dest: '{{ item.preshared_key_path }}'
-    owner: root
-    group: systemd-network
-    mode: '0640'
-  loop: '{{ vpn_default.peers + vpn_media.peers }}'
-  notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
-
-- name: Desktop configuration
-  notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
-  when: ansible_hostname == 'desktop'
-  block:
-    - name: Setup network configuration
-      become: true
-      ansible.builtin.template:
-        src: '{{ item.src }}'
-        dest: '{{ item.dest }}'
-        owner: root
-        group: systemd-network
-        mode: '0640'
-      loop:
-        - src: 'templates/personal/desktop/network/wg0.network.j2'
-          dest: '/etc/systemd/network/40-wg0.network'
-
-        - src: 'templates/personal/desktop/network/wg0.netdev.j2'
-          dest: '/etc/systemd/network/40-wg0.netdev'
-
-        - src: 'templates/personal/desktop/network/wg1.network.j2'
-          dest: '/etc/systemd/network/40-wg1.network'
-
-        - src: 'templates/personal/desktop/network/wg1.netdev.j2'
-          dest: '/etc/systemd/network/40-wg1.netdev'
-
-- name: XPS configuration
-  notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
-    - restart iwd
-  when: ansible_hostname == 'xps'
-  block:
-    - name: Setup network configuration
-      become: true
-      ansible.builtin.template:
-        src: '{{ item.src }}'
-        dest: '{{ item.dest }}'
-        owner: root
-        group: systemd-network
-        mode: '0640'
-      loop:
-        - src: 'templates/personal/xps/network/wg0.network.j2'
-          dest: '/etc/systemd/network/40-wg0.network'
-
-        - src: 'templates/personal/xps/network/wg0.netdev.j2'
-          dest: '/etc/systemd/network/40-wg0.netdev'
-
-        - src: 'templates/personal/xps/network/wg1.network.j2'
-          dest: '/etc/systemd/network/40-wg1.network'
-
-        - src: 'templates/personal/xps/network/wg1.netdev.j2'
-          dest: '/etc/systemd/network/40-wg1.netdev'

tasks/setup.yml

@@ -43,29 +43,32 @@
     state: touch
     mode: '0644'
 
-- name: Create wezterm configuration dir
-  ansible.builtin.file:
-    path: '{{ xdg_config_dir }}/wezterm/includes'
-    state: directory
-    mode: '0755'
+- name: Setup Wezterm
+  when: "'wezterm' in packages"
+  block:
+  - name: Create wezterm configuration dir
+    ansible.builtin.file:
+      path: '{{ xdg_config_dir }}/wezterm/includes'
+      state: directory
+      mode: '0755'
 
-- name: Copy wezterm configuration files
-  ansible.builtin.template:
-    src: '{{ item.src }}'
-    dest: '{{ item.dest }}'
-    mode: '0755'
-  loop:
-    - src: 'templates/wezterm/wezterm.lua.j2'
-      dest: '{{ xdg_config_dir }}/wezterm/wezterm.lua'
+  - name: Copy wezterm configuration files
+    ansible.builtin.template:
+      src: '{{ item.src }}'
+      dest: '{{ item.dest }}'
+      mode: '0755'
+    loop:
+      - src: 'templates/wezterm/wezterm.lua.j2'
+        dest: '{{ xdg_config_dir }}/wezterm/wezterm.lua'
 
-    - src: 'templates/wezterm/includes/colors.lua.j2'
-      dest: '{{ xdg_config_dir }}/wezterm/includes/colors.lua'
+      - src: 'templates/wezterm/includes/colors.lua.j2'
+        dest: '{{ xdg_config_dir }}/wezterm/includes/colors.lua'
 
-    - src: 'templates/wezterm/includes/fonts.lua.j2'
-      dest: '{{ xdg_config_dir }}/wezterm/includes/fonts.lua'
+      - src: 'templates/wezterm/includes/fonts.lua.j2'
+        dest: '{{ xdg_config_dir }}/wezterm/includes/fonts.lua'
 
-    - src: 'templates/wezterm/includes/window.lua.j2'
-      dest: '{{ xdg_config_dir }}/wezterm/includes/window.lua'
+      - src: 'templates/wezterm/includes/window.lua.j2'
+        dest: '{{ xdg_config_dir }}/wezterm/includes/window.lua'
 
 - name: Enable fstrim timer
   become: true
@@ -88,7 +91,6 @@
 
 - name: Copy sysctl files
   become: true
-  when: "'personal' not in group_names"
   ansible.builtin.template:
     src: '{{ item.src }}'
     dest: '{{ item.dest }}'
@@ -124,20 +126,11 @@
 
 - name: Copy kernel parameters template
   become: true
-  when: "'personal' not in group_names"
   ansible.builtin.template:
     src: 'templates/{{ ansible_hostname }}/cmdline.j2'
     dest: '/etc/kernel/cmdline'
     mode: '0755'
 
-- name: Copy kernel parameters template for personal group
-  become: true
-  when: "'personal' in group_names"
-  ansible.builtin.template:
-    src: 'templates/personal/{{ ansible_hostname }}/cmdline.j2'
-    dest: '/etc/kernel/cmdline'
-    mode: '0755'
-
 - name: Remove the mkinitcpio directories
   become: true
   ansible.builtin.file:
@@ -164,7 +157,7 @@
     dest: '{{ item.dest }}'
     mode: '0755'
   loop: '{{ mkinitcpio_templates }}'
-  when: mkinitcpio_templates
+  when: '{{ mkinitcpio_templates | length > 0 }}'
 
 - name: Regenerate initramfs images
   become: true

tasks/syncthing.yml

@@ -12,7 +12,7 @@
 
 - name: Copy configuration file
   ansible.builtin.template:
-    src: 'templates/syncthing.j2'
+    src: 'templates/syncthing/config.j2'
     dest: '{{ xdg_config_dir }}/syncthing/config.xml'
     mode: '0640'
   notify: start syncthing

tasks/timer.yml

@@ -22,9 +22,9 @@
   loop:
     - { src: 'templates/timer/daily_target.j2', dest: '/etc/systemd/system/daily.target' }
     - {
-        src: 'templates/timer/weekly_target.j2',
-        dest: '/etc/systemd/system/weekly.target',
-      }
+      src: 'templates/timer/weekly_target.j2',
+      dest: '/etc/systemd/system/weekly.target',
+    }
 
 - name: create target directories
   become: true

tasks/wireguard-media.yml

@@ -0,0 +1,71 @@
+- name: Include wireguard media defaults
+  ansible.builtin.include_vars:
+    file: vars/wireguard-media.yml
+
+- name: Create Wireguard directories
+  become: true
+  ansible.builtin.file:
+    path: '{{ item }}'
+    owner: root
+    group: systemd-network
+    mode: '0750'
+    state: directory
+    recurse: true
+  loop:
+    - '{{ vpn_config_dir }}'
+    - '{{ wireguard_media_defaults.private_key_path | dirname }}'
+    - '{{ wireguard_media_defaults.public_key_path | dirname }}'
+  notify:
+    - restart systemd-networkd
+    - restart systemd-resolved
+
+- name: Copy Wireguard credentials
+  become: true
+  ansible.builtin.copy:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+  loop:
+    - dest: '{{ wireguard_media_defaults.public_key_path }}'
+      src: 'files/wireguard-media/{{ ansible_hostname }}/fudiggity.pub'
+
+    - dest: '{{ wireguard_media_defaults.private_key_path }}'
+      src: 'files/wireguard-media/{{ ansible_hostname }}/fudiggity.key'
+  notify:
+    - restart systemd-networkd
+    - restart systemd-resolved
+
+- name: Copy Wireguard preshared keys
+  become: true
+  ansible.builtin.copy:
+    src: '{{ item.preshared_key_source_path }}'
+    dest: '{{ item.preshared_key_path }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+  loop: '{{ wireguard_media_defaults.peers }}'
+  notify:
+    - restart systemd-networkd
+    - restart systemd-resolved
+
+- name: Setup network configuration
+  become: true
+  ansible.builtin.template:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+  loop:
+    - src: 'templates/{{ ansible_hostname }}/network/wg1.network.j2'
+      dest: '/etc/systemd/network/40-wg1.network'
+
+    - src: 'templates/{{ ansible_hostname }}/network/wg1.netdev.j2'
+      dest: '/etc/systemd/network/40-wg1.netdev'
+  notify:
+    - restart systemd-networkd
+    - restart systemd-resolved
+  vars:
+    wireguard: "{{ wireguard_media | ansible.builtin.combine(wireguard_media_defaults) }}"

tasks/wireguard.yml

@@ -0,0 +1,71 @@
+- name: Include wireguard defaults
+  ansible.builtin.include_vars:
+    file: vars/wireguard.yml
+
+- name: Create Wireguard directories
+  become: true
+  ansible.builtin.file:
+    path: '{{ item }}'
+    owner: root
+    group: systemd-network
+    mode: '0750'
+    state: directory
+    recurse: true
+  loop:
+    - '{{ vpn_config_dir }}'
+    - '{{ wireguard_defaults.private_key_path | dirname }}'
+    - '{{ wireguard_defaults.public_key_path | dirname }}'
+  notify:
+    - restart systemd-networkd
+    - restart systemd-resolved
+
+- name: Copy Wireguard credentials
+  become: true
+  ansible.builtin.copy:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+  loop:
+    - dest: '{{ wireguard_defaults.public_key_path }}'
+      src: 'files/wireguard/{ ansible_hostname }}/fudiggity.pub'
+
+    - dest: '{{ wireguard_defaults.private_key_path }}'
+      src: 'files/wireguard/{{ ansible_hostname }}/fudiggity.key'
+  notify:
+    - restart systemd-networkd
+    - restart systemd-resolved
+
+- name: Copy Wireguard preshared keys
+  become: true
+  ansible.builtin.copy:
+    src: '{{ item.preshared_key_source_path }}'
+    dest: '{{ item.preshared_key_path }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+  loop: '{{ wireguard_defaults.peers }}'
+  notify:
+    - restart systemd-networkd
+    - restart systemd-resolved
+
+- name: Setup network configuration
+  become: true
+  ansible.builtin.template:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+  loop:
+    - src: 'templates/{{ ansible_hostname }}/network/wg0.network.j2'
+      dest: '/etc/systemd/network/40-wg0.network'
+
+    - src: 'templates/{{ ansible_hostname }}/network/wg0.netdev.j2'
+      dest: '/etc/systemd/network/40-wg0.netdev'
+  notify:
+    - restart systemd-networkd
+    - restart systemd-resolved
+  vars:
+    wireguard: "{{ wireguard | ansible.builtin.combine(wireguard_defaults) }}"

tasks/xps.yml

@@ -14,13 +14,13 @@
 
     - name: Copy configuration file
       ansible.builtin.template:
-        src: templates/personal/xps/pa-dlna/config.j2
+        src: templates/xps/pa-dlna/config.j2
         dest: '{{ xdg_config_dir }}/pa-dlna/pa-dlna.conf'
         mode: '0755'
 
     - name: Copy systemd service
       ansible.builtin.template:
-        src: templates/personal/xps/pa-dlna/service.j2
+        src: templates/xps/pa-dlna/service.j2
         dest: '{{ xdg_config_dir }}/systemd/user/pa-dlna.service'
         mode: '0755'
 

templates/desktop/network/wg0.netdev.j2

@@ -1,15 +1,15 @@
 # {{ ansible_managed }}
 
 [NetDev]
-Name={{ vpn_default.interface }}
+Name={{ wireguard.interface }}
 Kind=wireguard
-Description=WireGuard tunnel {{ vpn_default.interface }}
+Description=WireGuard tunnel {{ wireguard.interface }}
 
 [WireGuard]
-PrivateKeyFile={{ vpn_default.private_key_path }}
+PrivateKeyFile={{ wireguard.private_key_path }}
 RouteTable=main
 
-{% for peer in vpn_default.peers %}
+{% for peer in wireguard.peers %}
 [WireGuardPeer]
 PublicKey={{ peer.public_key }}
 PresharedKeyFile={{ peer.preshared_key_path }}

templates/desktop/network/wg0.network.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ wireguard.interface }}
+
+[Network]
+Address={{ wireguard.ip }}/{{ wireguard.prefix }}
+DNS={{ wireguard.dns }}
+Domains={{ wireguard.domains | join(' ') }}
+BindCarrier={{ lan_interface }}

templates/desktop/network/wg1.netdev.j2

@@ -1,15 +1,15 @@
 # {{ ansible_managed }}
 
 [NetDev]
-Name={{ vpn_media.interface }}
+Name={{ wireguard.interface }}
 Kind=wireguard
-Description=WireGuard tunnel {{ vpn_media.interface }}
+Description=WireGuard tunnel {{ wireguard.interface }}
 
 [WireGuard]
-PrivateKeyFile={{ vpn_media.private_key_path }}
+PrivateKeyFile={{ wireguard.private_key_path }}
 RouteTable=main
 
-{% for peer in vpn_media.peers %}
+{% for peer in wireguard.peers %}
 [WireGuardPeer]
 PublicKey={{ peer.public_key }}
 PresharedKeyFile={{ peer.preshared_key_path }}

templates/desktop/network/wg1.network.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ wireguard.interface }}
+
+[Network]
+Address={{ wireguard.ip }}/{{ wireguard.prefix }}
+DNS={{ wireguard.dns }}
+Domains={{ wireguard.domains | join(' ') }}
+BindCarrier={{ lan_interface }}

templates/htpc/cmdline.j2

@@ -0,0 +1 @@
+rd.luks.name=d6272853-f41c-47a3-aa27-31ca9b559087=cryptlvm root=/dev/VolumeGroup/root rw resume=/dev/VolumeGroup/swap

templates/htpc/mkinitcpio/1-modules.conf.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+MODULES=(amdgpu)

templates/htpc/network/enp1s0.link.j2

@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+[Match]
+MACAddress={{ lan_interface_mac }}
+
+[Link]
+Name={{ lan_interface }}

templates/htpc/network/enp1s0.network.j2

@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ lan_interface }}
+
+[Network]
+Address={{ local_network_address }}
+Gateway={{ local_network_gateway }}
+DNS={{ local_network_dns }}
+MulticastDNS=yes
+DNSOverTLS=yes
+DNSSEC=yes
+DHCP=no
+LinkLocalAddressing=no
+IPv6AcceptRA=no
+IPv6SendRA=no
+RequiredForOnline=routable

templates/htpc/network/wg1.netdev.j2

@@ -1,15 +1,15 @@
 # {{ ansible_managed }}
 
 [NetDev]
-Name={{ vpn_media.interface }}
+Name={{ wireguard.interface }}
 Kind=wireguard
-Description=WireGuard tunnel {{ vpn_media.interface }}
+Description=WireGuard tunnel {{ wireguard.interface }}
 
 [WireGuard]
-PrivateKeyFile={{ vpn_media.private_key_path }}
+PrivateKeyFile={{ wireguard.private_key_path }}
 RouteTable=main
 
-{% for peer in vpn_media.peers %}
+{% for peer in wireguard.peers %}
 [WireGuardPeer]
 PublicKey={{ peer.public_key }}
 PresharedKeyFile={{ peer.preshared_key_path }}

templates/htpc/network/wg1.network.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ wireguard.interface }}
+
+[Network]
+Address={{ wireguard.ip }}/{{ wireguard.prefix }}
+DNS={{ wireguard.dns }}
+Domains={{ wireguard.domains | join(' ') }}
+BindCarrier={{ lan_interface }}

templates/htpc/nftables.j2

@@ -0,0 +1,29 @@
+#!/usr/bin/nft -f
+# vim:set ts=2 sw=2 et:
+
+flush ruleset
+
+table inet filter {
+  chain input {
+    type filter hook input priority 0; policy drop;
+
+    # allow established/related connections
+    ct state { established, related } accept
+
+    # early drop of invalid connections
+    ct state invalid drop
+
+    # allow from loopback
+    iifname lo accept
+
+    # allow icmp
+    ip protocol icmp accept
+    ip6 nexthdr icmpv6 accept
+
+    # allow mDNS
+    udp dport 5353 accept
+
+    # allow ssh
+    tcp dport ssh accept
+  }
+}

templates/personal/desktop/network/wg0.network.j2

@@ -1,10 +0,0 @@
-# {{ ansible_managed }}
-
-[Match]
-Name={{ vpn_default.interface }}
-
-[Network]
-Address={{ vpn_default.ip }}/{{ vpn_default.prefix }}
-DNS={{ vpn_default.dns }}
-Domains={{ vpn_default.domains | join(' ') }}
-BindCarrier={{ lan_interface }}

templates/personal/desktop/network/wg1.network.j2

@@ -1,10 +0,0 @@
-# {{ ansible_managed }}
-
-[Match]
-Name={{ vpn_media.interface }}
-
-[Network]
-Address={{ vpn_media.ip }}/{{ vpn_media.prefix }}
-DNS={{ vpn_media.dns }}
-Domains={{ vpn_media.domains | join(' ') }}
-BindCarrier={{ lan_interface }}

templates/personal/xps/network/wg0.network.j2

@@ -1,10 +0,0 @@
-# {{ ansible_managed }}
-
-[Match]
-Name={{ vpn_default.interface }}
-
-[Network]
-Address={{ vpn_default.ip }}/{{ vpn_default.prefix }}
-DNS={{ vpn_default.dns }}
-Domains={{ vpn_default.domains | join(' ') }}
-BindCarrier={{ wireless_interface }}

templates/personal/xps/network/wg1.network.j2

@@ -1,10 +0,0 @@
-# {{ ansible_managed }}
-
-[Match]
-Name={{ vpn_media.interface }}
-
-[Network]
-Address={{ vpn_media.ip }}/{{ vpn_media.prefix }}
-DNS={{ vpn_media.dns }}
-Domains={{ vpn_media.domains | join(' ') }}
-BindCarrier={{ wireless_interface }}

templates/xps/mkinitcpio/linux-lts.preset.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+#
+# mkinitcpio preset file for the 'linux' package
+
+PRESETS=('default')
+
+default_uki="/boot/EFI/Linux/linux-lts.efi"
+default_kver="/boot/vmlinuz-linux-lts"

templates/xps/mkinitcpio/linux.preset.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+#
+# mkinitcpio preset file for the 'linux' package
+
+PRESETS=('default')
+
+default_uki="/boot/EFI/Linux/linux.efi"
+default_kver="/boot/vmlinuz-linux"

templates/xps/network/wg0.netdev.j2

@@ -1,15 +1,15 @@
 # {{ ansible_managed }}
 
 [NetDev]
-Name={{ vpn_default.interface }}
+Name={{ wireguard.interface }}
 Kind=wireguard
-Description=WireGuard tunnel {{ vpn_default.interface }}
+Description=WireGuard tunnel {{ wireguard.interface }}
 
 [WireGuard]
-PrivateKeyFile={{ vpn_default.private_key_path }}
+PrivateKeyFile={{ wireguard.private_key_path }}
 RouteTable=main
 
-{% for peer in vpn_default.peers %}
+{% for peer in wireguard.peers %}
 [WireGuardPeer]
 PublicKey={{ peer.public_key }}
 PresharedKeyFile={{ peer.preshared_key_path }}

templates/xps/network/wg0.network.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ wireguard.interface }}
+
+[Network]
+Address={{ wireguard.ip }}/{{ wireguard.prefix }}
+DNS={{ wireguard.dns }}
+Domains={{ wireguard.domains | join(' ') }}
+BindCarrier={{ wireless_interface }}

templates/xps/network/wg1.netdev.j2

@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+
+[NetDev]
+Name={{ wireguard.interface }}
+Kind=wireguard
+Description=WireGuard tunnel {{ wireguard.interface }}
+
+[WireGuard]
+PrivateKeyFile={{ wireguard.private_key_path }}
+RouteTable=main
+
+{% for peer in wireguard.peers %}
+[WireGuardPeer]
+PublicKey={{ peer.public_key }}
+PresharedKeyFile={{ peer.preshared_key_path }}
+{% for ip in peer.allowed_ips %}
+AllowedIPs={{ ip }}
+{% endfor %}
+{% if peer.endpoint %}
+Endpoint={{ peer.endpoint }}
+{% endif %}
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}

templates/xps/network/wg1.network.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ wireguard.interface }}
+
+[Network]
+Address={{ wireguard.ip }}/{{ wireguard.prefix }}
+DNS={{ wireguard.dns }}
+Domains={{ wireguard.domains | join(' ') }}
+BindCarrier={{ wireless_interface }}