Layout refactor

Also included provisioning for htpc host

templates/xps/cmdline.j2

@@ -0,0 +1 @@
+rd.luks.name=4483183a-4881-4bf6-b20c-3ba918642cc4=cryptlvm root=/dev/VolumeGroup/root rw resume=/dev/VolumeGroup/swap pcie_port_pm=off acpi_rev_override=1

templates/xps/iwd.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+[General]
+AddressRandomization=network

templates/xps/mkinitcpio/1-modules.conf.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+MODULES=(intel_agp i915 i8k)

templates/xps/mkinitcpio/2-hooks.conf.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+HOOKS=(base systemd autodetect modconf keyboard sd-vconsole sd-encrypt block lvm2 filesystems fsck)

templates/xps/mkinitcpio/linux-lts.preset.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+#
+# mkinitcpio preset file for the 'linux' package
+
+PRESETS=('default')
+
+default_uki="/boot/EFI/Linux/linux-lts.efi"
+default_kver="/boot/vmlinuz-linux-lts"

templates/xps/mkinitcpio/linux.preset.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+#
+# mkinitcpio preset file for the 'linux' package
+
+PRESETS=('default')
+
+default_uki="/boot/EFI/Linux/linux.efi"
+default_kver="/boot/vmlinuz-linux"

templates/xps/network/wg0.netdev.j2

@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+
+[NetDev]
+Name={{ wireguard.interface }}
+Kind=wireguard
+Description=WireGuard tunnel {{ wireguard.interface }}
+
+[WireGuard]
+PrivateKeyFile={{ wireguard.private_key_path }}
+RouteTable=main
+
+{% for peer in wireguard.peers %}
+[WireGuardPeer]
+PublicKey={{ peer.public_key }}
+PresharedKeyFile={{ peer.preshared_key_path }}
+{% for ip in peer.allowed_ips %}
+AllowedIPs={{ ip }}
+{% endfor %}
+{% if peer.endpoint %}
+Endpoint={{ peer.endpoint }}
+{% endif %}
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}

templates/xps/network/wg0.network.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ wireguard.interface }}
+
+[Network]
+Address={{ wireguard.ip }}/{{ wireguard.prefix }}
+DNS={{ wireguard.dns }}
+Domains={{ wireguard.domains | join(' ') }}
+BindCarrier={{ wireless_interface }}

templates/xps/network/wg1.netdev.j2

@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+
+[NetDev]
+Name={{ wireguard.interface }}
+Kind=wireguard
+Description=WireGuard tunnel {{ wireguard.interface }}
+
+[WireGuard]
+PrivateKeyFile={{ wireguard.private_key_path }}
+RouteTable=main
+
+{% for peer in wireguard.peers %}
+[WireGuardPeer]
+PublicKey={{ peer.public_key }}
+PresharedKeyFile={{ peer.preshared_key_path }}
+{% for ip in peer.allowed_ips %}
+AllowedIPs={{ ip }}
+{% endfor %}
+{% if peer.endpoint %}
+Endpoint={{ peer.endpoint }}
+{% endif %}
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}

templates/xps/network/wg1.network.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ wireguard.interface }}
+
+[Network]
+Address={{ wireguard.ip }}/{{ wireguard.prefix }}
+DNS={{ wireguard.dns }}
+Domains={{ wireguard.domains | join(' ') }}
+BindCarrier={{ wireless_interface }}

templates/xps/network/wlan0-frans.network.j2

@@ -0,0 +1,20 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ wireless_interface }}
+SSID={{ frans_network_ssid }}
+
+[Network]
+Address={{ frans_network_address }}
+Gateway={{ frans_network_gateway }}
+DNS={{ frans_network_dns }}
+MulticastDNS=yes
+DNSOverTLS=yes
+DNSSEC=yes
+DHCP=no
+LinkLocalAddressing=no
+IPv6AcceptRA=no
+IPv6SendRA=no
+
+[Link]
+RequiredForOnline=routable

templates/xps/network/wlan0-local.network.j2

@@ -0,0 +1,20 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ wireless_interface }}
+SSID={{ local_network_ssid }}
+
+[Network]
+Address={{ local_network_address }}
+Gateway={{ local_network_gateway }}
+DNS={{ local_network_dns }}
+MulticastDNS=yes
+DNSOverTLS=yes
+DNSSEC=yes
+DHCP=no
+LinkLocalAddressing=no
+IPv6AcceptRA=no
+IPv6SendRA=no
+
+[Link]
+RequiredForOnline=routable

templates/xps/network/wlan0.network.j2

@@ -0,0 +1,12 @@
+[Match]
+Name={{ wireless_interface }}
+
+[Network]
+DNS={{ default_network_dns }}
+DNSOverTLS=yes
+DNSSEC=yes
+DHCP=yes
+IgnoreCarrierLoss=3s
+
+[Link]
+RequiredForOnline=routable

templates/xps/nftables.j2

@@ -0,0 +1,49 @@
+#!/usr/bin/nft -f
+# vim:set ts=2 sw=2 et:
+
+flush ruleset
+
+table inet filter {
+  chain input {
+    type filter hook input priority 0; policy drop;
+
+    # allow established/related connections
+    ct state { established, related } accept
+
+    # early drop of invalid connections
+    ct state invalid drop
+
+    # allow from loopback
+    iifname lo accept
+
+    # allow icmp
+    ip protocol icmp accept
+    ip6 nexthdr icmpv6 accept
+
+    # allow mDNS
+    udp dport 5353 accept
+
+    # allow ssh
+    tcp dport ssh accept
+
+    ip saddr 192.168.2.11 tcp dport 8080 accept comment "HTTP pa-dlna server"
+    ip saddr 192.168.2.11 udp dport 1900 accept comment "UPnP"
+
+    # syncthing
+    ip saddr 10.0.0.1 tcp dport 22000 accept
+  }
+
+  chain forward {
+    type filter hook forward priority security; policy drop;
+
+    ct state { established, related } accept;
+
+		mark 1 accept
+  }
+}
+
+table ip filter {
+	chain DOCKER-USER {
+		mark set 1
+	}
+}

templates/xps/pa-dlna/config.j2

@@ -0,0 +1,26 @@
+# {{ ansible_managed }}
+#
+# This is the built-in pa-dlna configuration written as text. It can be
+# parsed by a Python Configuration parser and consists of sections, each led
+# by a [section] header, followed by option/value entries separated by
+# '='. See https://docs.python.org/3/library/configparser.html.
+#
+# The 'selection' option is written as a multi-line in which case all the
+# lines after the first line start with a white space.
+#
+# The default value of 'selection' lists the encoders in this order:
+#     - mp3 encoders first as mp3 is the most common encoding
+#     - lossless encoders
+#     - then lossy encoders
+# See https://trac.ffmpeg.org/wiki/Encode/HighQualityAudio.
+
+[DEFAULT]
+selection =
+    FFMpegFlacEncoder,
+    FFMpegOpusEncoder,
+sample_format = s24be
+rate = 96000
+channels = 2
+track_metadata = yes
+soap_minimum_interval = 5
+args = None

templates/xps/pa-dlna/service.j2

@@ -0,0 +1,40 @@
+# {{ ansible_managed }}
+#
+# When enabled, the pa-dlna service unit is started automatically after the
+# pulseaudio or pipewire service unit is started. It will also stop when the
+# pulseaudio or pipewire service unit stops. However it will stop when the
+# pulseaudio or pipewire service unit is restarted but it will not start.
+#
+# Both pa-dlna and pulseaudio service units are of 'Type=notify'. This means
+# that pa-dlna will only start after pulseaudio has notified systemd that it
+# is ready and pa-dlna may connect successfully to libpulse.
+#
+# However the pipewire service unit is of 'Type=simple'. In that case and if
+# pa-dlna fails to start with the error:
+#       LibPulseStateError(('PA_CONTEXT_FAILED', 'Connection refused'))
+# add a delay to the pa-dlna start up sequence with the directive:
+#       ExecStartPre=/bin/sleep 1
+#
+# Any pa-dlna option may be added to the 'ExecStart' directive, for example to
+# restrict the allowed NICs or IP addresses (recommended) or to change the
+# log level.
+# The '--systemd' option is required.
+#
+# The 'python-systemd' package is required.
+
+[Unit]
+Description=Pa-dlna Service
+Documentation=https://pa-dlna.readthedocs.io/en/stable/
+
+After=pipewire-session-manager.service
+
+[Service]
+Type=simple
+ExecStart=/opt/virtualenv/pa-dlna/bin/pa-dlna
+Slice=session.slice
+
+NoNewPrivileges=yes
+UMask=0077
+
+[Install]
+WantedBy=pipewire-session-manager.service