Layout refactor

Also included provisioning for htpc host

templates/desktop/network/wg0.netdev.j2

@@ -1,15 +1,15 @@
 # {{ ansible_managed }}
 
 [NetDev]
-Name={{ vpn_default.interface }}
+Name={{ wireguard.interface }}
 Kind=wireguard
-Description=WireGuard tunnel {{ vpn_default.interface }}
+Description=WireGuard tunnel {{ wireguard.interface }}
 
 [WireGuard]
-PrivateKeyFile={{ vpn_default.private_key_path }}
+PrivateKeyFile={{ wireguard.private_key_path }}
 RouteTable=main
 
-{% for peer in vpn_default.peers %}
+{% for peer in wireguard.peers %}
 [WireGuardPeer]
 PublicKey={{ peer.public_key }}
 PresharedKeyFile={{ peer.preshared_key_path }}

templates/desktop/network/wg0.network.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ wireguard.interface }}
+
+[Network]
+Address={{ wireguard.ip }}/{{ wireguard.prefix }}
+DNS={{ wireguard.dns }}
+Domains={{ wireguard.domains | join(' ') }}
+BindCarrier={{ lan_interface }}

templates/desktop/network/wg1.netdev.j2

@@ -1,15 +1,15 @@
 # {{ ansible_managed }}
 
 [NetDev]
-Name={{ vpn_media.interface }}
+Name={{ wireguard.interface }}
 Kind=wireguard
-Description=WireGuard tunnel {{ vpn_media.interface }}
+Description=WireGuard tunnel {{ wireguard.interface }}
 
 [WireGuard]
-PrivateKeyFile={{ vpn_media.private_key_path }}
+PrivateKeyFile={{ wireguard.private_key_path }}
 RouteTable=main
 
-{% for peer in vpn_media.peers %}
+{% for peer in wireguard.peers %}
 [WireGuardPeer]
 PublicKey={{ peer.public_key }}
 PresharedKeyFile={{ peer.preshared_key_path }}

templates/desktop/network/wg1.network.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ wireguard.interface }}
+
+[Network]
+Address={{ wireguard.ip }}/{{ wireguard.prefix }}
+DNS={{ wireguard.dns }}
+Domains={{ wireguard.domains | join(' ') }}
+BindCarrier={{ lan_interface }}

templates/htpc/cmdline.j2

@@ -0,0 +1 @@
+rd.luks.name=d6272853-f41c-47a3-aa27-31ca9b559087=cryptlvm root=/dev/VolumeGroup/root rw resume=/dev/VolumeGroup/swap

templates/htpc/mkinitcpio/1-modules.conf.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+MODULES=(amdgpu)

templates/htpc/network/enp1s0.link.j2

@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+[Match]
+MACAddress={{ lan_interface_mac }}
+
+[Link]
+Name={{ lan_interface }}

templates/htpc/network/enp1s0.network.j2

@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ lan_interface }}
+
+[Network]
+Address={{ local_network_address }}
+Gateway={{ local_network_gateway }}
+DNS={{ local_network_dns }}
+MulticastDNS=yes
+DNSOverTLS=yes
+DNSSEC=yes
+DHCP=no
+LinkLocalAddressing=no
+IPv6AcceptRA=no
+IPv6SendRA=no
+RequiredForOnline=routable

templates/htpc/network/wg1.netdev.j2

@@ -1,15 +1,15 @@
 # {{ ansible_managed }}
 
 [NetDev]
-Name={{ vpn_media.interface }}
+Name={{ wireguard.interface }}
 Kind=wireguard
-Description=WireGuard tunnel {{ vpn_media.interface }}
+Description=WireGuard tunnel {{ wireguard.interface }}
 
 [WireGuard]
-PrivateKeyFile={{ vpn_media.private_key_path }}
+PrivateKeyFile={{ wireguard.private_key_path }}
 RouteTable=main
 
-{% for peer in vpn_media.peers %}
+{% for peer in wireguard.peers %}
 [WireGuardPeer]
 PublicKey={{ peer.public_key }}
 PresharedKeyFile={{ peer.preshared_key_path }}

templates/htpc/network/wg1.network.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ wireguard.interface }}
+
+[Network]
+Address={{ wireguard.ip }}/{{ wireguard.prefix }}
+DNS={{ wireguard.dns }}
+Domains={{ wireguard.domains | join(' ') }}
+BindCarrier={{ lan_interface }}

templates/htpc/nftables.j2

@@ -0,0 +1,29 @@
+#!/usr/bin/nft -f
+# vim:set ts=2 sw=2 et:
+
+flush ruleset
+
+table inet filter {
+  chain input {
+    type filter hook input priority 0; policy drop;
+
+    # allow established/related connections
+    ct state { established, related } accept
+
+    # early drop of invalid connections
+    ct state invalid drop
+
+    # allow from loopback
+    iifname lo accept
+
+    # allow icmp
+    ip protocol icmp accept
+    ip6 nexthdr icmpv6 accept
+
+    # allow mDNS
+    udp dport 5353 accept
+
+    # allow ssh
+    tcp dport ssh accept
+  }
+}

templates/personal/desktop/network/wg0.network.j2

@@ -1,10 +0,0 @@
-# {{ ansible_managed }}
-
-[Match]
-Name={{ vpn_default.interface }}
-
-[Network]
-Address={{ vpn_default.ip }}/{{ vpn_default.prefix }}
-DNS={{ vpn_default.dns }}
-Domains={{ vpn_default.domains | join(' ') }}
-BindCarrier={{ lan_interface }}

templates/personal/desktop/network/wg1.network.j2

@@ -1,10 +0,0 @@
-# {{ ansible_managed }}
-
-[Match]
-Name={{ vpn_media.interface }}
-
-[Network]
-Address={{ vpn_media.ip }}/{{ vpn_media.prefix }}
-DNS={{ vpn_media.dns }}
-Domains={{ vpn_media.domains | join(' ') }}
-BindCarrier={{ lan_interface }}

templates/personal/xps/network/wg0.network.j2

@@ -1,10 +0,0 @@
-# {{ ansible_managed }}
-
-[Match]
-Name={{ vpn_default.interface }}
-
-[Network]
-Address={{ vpn_default.ip }}/{{ vpn_default.prefix }}
-DNS={{ vpn_default.dns }}
-Domains={{ vpn_default.domains | join(' ') }}
-BindCarrier={{ wireless_interface }}

templates/personal/xps/network/wg1.network.j2

@@ -1,10 +0,0 @@
-# {{ ansible_managed }}
-
-[Match]
-Name={{ vpn_media.interface }}
-
-[Network]
-Address={{ vpn_media.ip }}/{{ vpn_media.prefix }}
-DNS={{ vpn_media.dns }}
-Domains={{ vpn_media.domains | join(' ') }}
-BindCarrier={{ wireless_interface }}

templates/xps/mkinitcpio/linux-lts.preset.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+#
+# mkinitcpio preset file for the 'linux' package
+
+PRESETS=('default')
+
+default_uki="/boot/EFI/Linux/linux-lts.efi"
+default_kver="/boot/vmlinuz-linux-lts"

templates/xps/mkinitcpio/linux.preset.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+#
+# mkinitcpio preset file for the 'linux' package
+
+PRESETS=('default')
+
+default_uki="/boot/EFI/Linux/linux.efi"
+default_kver="/boot/vmlinuz-linux"

templates/xps/network/wg0.netdev.j2

@@ -1,15 +1,15 @@
 # {{ ansible_managed }}
 
 [NetDev]
-Name={{ vpn_default.interface }}
+Name={{ wireguard.interface }}
 Kind=wireguard
-Description=WireGuard tunnel {{ vpn_default.interface }}
+Description=WireGuard tunnel {{ wireguard.interface }}
 
 [WireGuard]
-PrivateKeyFile={{ vpn_default.private_key_path }}
+PrivateKeyFile={{ wireguard.private_key_path }}
 RouteTable=main
 
-{% for peer in vpn_default.peers %}
+{% for peer in wireguard.peers %}
 [WireGuardPeer]
 PublicKey={{ peer.public_key }}
 PresharedKeyFile={{ peer.preshared_key_path }}

templates/xps/network/wg0.network.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ wireguard.interface }}
+
+[Network]
+Address={{ wireguard.ip }}/{{ wireguard.prefix }}
+DNS={{ wireguard.dns }}
+Domains={{ wireguard.domains | join(' ') }}
+BindCarrier={{ wireless_interface }}

templates/xps/network/wg1.netdev.j2

@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+
+[NetDev]
+Name={{ wireguard.interface }}
+Kind=wireguard
+Description=WireGuard tunnel {{ wireguard.interface }}
+
+[WireGuard]
+PrivateKeyFile={{ wireguard.private_key_path }}
+RouteTable=main
+
+{% for peer in wireguard.peers %}
+[WireGuardPeer]
+PublicKey={{ peer.public_key }}
+PresharedKeyFile={{ peer.preshared_key_path }}
+{% for ip in peer.allowed_ips %}
+AllowedIPs={{ ip }}
+{% endfor %}
+{% if peer.endpoint %}
+Endpoint={{ peer.endpoint }}
+{% endif %}
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}

templates/xps/network/wg1.network.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ wireguard.interface }}
+
+[Network]
+Address={{ wireguard.ip }}/{{ wireguard.prefix }}
+DNS={{ wireguard.dns }}
+Domains={{ wireguard.domains | join(' ') }}
+BindCarrier={{ wireless_interface }}