From cdcd86a7c38049006b0d18a5b281992a55f5d0a9 Mon Sep 17 00:00:00 2001 From: Sonny Bakker Date: Thu, 26 Nov 2020 21:48:14 +0100 Subject: [PATCH] Add laptop network configuration --- roles/arch/tasks/main.yml | 9 +--- roles/arch/tasks/network.yml | 26 +++++++++- roles/arch/tasks/timer.yml | 8 +++ roles/arch/templates/laptop/network.j2 | 7 +++ roles/arch/templates/laptop/nftables.j2 | 66 +++++++++++++++++++++++++ roles/arch/vars/laptop.yml | 3 +- 6 files changed, 109 insertions(+), 10 deletions(-) create mode 100644 roles/arch/templates/laptop/network.j2 create mode 100644 roles/arch/templates/laptop/nftables.j2 diff --git a/roles/arch/tasks/main.yml b/roles/arch/tasks/main.yml index db691d1..064bb9e 100644 --- a/roles/arch/tasks/main.yml +++ b/roles/arch/tasks/main.yml @@ -35,16 +35,9 @@ group: root mode: "0600" -- name: add reflector to weekly timer - become: yes - file: - src: "/usr/lib/systemd/system/reflector.service" - path: "/etc/systemd/system/weekly.target.wants/reflector.service" - state: link - # TODO -# - network setup (laptop) # - pacman setup depending on platform (see include section for common options) +# - laptop power saving configuration - include_tasks: network.yml - include_tasks: mpv.yml # TODO diff --git a/roles/arch/tasks/network.yml b/roles/arch/tasks/network.yml index 65bad0e..e0804ab 100644 --- a/roles/arch/tasks/network.yml +++ b/roles/arch/tasks/network.yml 
@@ -9,4 +9,28 @@ notify: restart systemd-networkd when: platform == "desktop" -# TODO add laptop setup +- name: setup laptop systemd networkd + become: yes + template: + src: "laptop/network.j2" + dest: "/etc/systemd/network/20-wireless.network" + owner: root + group: root + mode: "0644" + notify: restart systemd-networkd + when: platform == "laptop" + +- name: start systemd-resolved service + become: yes + systemd: + name: systemd-resolved + state: started + enabled: yes + +- name: start iwd service + become: yes + systemd: + name: iwd + state: started + enabled: yes + when: platform == "laptop" diff --git a/roles/arch/tasks/timer.yml b/roles/arch/tasks/timer.yml index e0f352b..3e167e0 100644 --- a/roles/arch/tasks/timer.yml +++ b/roles/arch/tasks/timer.yml @@ -45,3 +45,11 @@ loop: - "/etc/systemd/system/daily.target.wants" - "/etc/systemd/system/weekly.target.wants" + +- name: add reflector to weekly timer + become: yes + file: + src: "/usr/lib/systemd/system/reflector.service" + path: "/etc/systemd/system/weekly.target.wants/reflector.service" + state: link + diff --git a/roles/arch/templates/laptop/network.j2 b/roles/arch/templates/laptop/network.j2 new file mode 100644 index 0000000..894c5db --- /dev/null +++ b/roles/arch/templates/laptop/network.j2 @@ -0,0 +1,7 @@ +# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }} + +[Match] +Name=wlan0 + +[Network] +DHCP=ipv4 diff --git a/roles/arch/templates/laptop/nftables.j2 b/roles/arch/templates/laptop/nftables.j2 new file mode 100644 index 0000000..8d6dcf3 --- /dev/null +++ b/roles/arch/templates/laptop/nftables.j2 
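Review bot: Nothing in this patch deploys the new `roles/arch/templates/laptop/nftables.j2` — the tasks added here render only `laptop/network.j2` and start systemd-resolved and iwd, so unless an existing task outside the hunk (network.yml lines 1–8 are not shown) renders `{{ platform }}/nftables.j2`, the laptop never receives the ruleset or an enabled `nftables.service`, and the input policy-drop protection that template defines is absent on exactly the roaming host it targets. The `start systemd-resolved service` task is also the only one in the hunk without a `when: platform == ...` guard; if it is intended for every platform, a one-line comment saying so would stop it reading as an omission, and the resolver only takes effect when `/etc/resolv.conf` points at the stub resolver, which nothing here manages — presumably handled elsewhere, worth confirming. Closing the first gap needs a template task plus a service task like the ones below, `nftables` added to `platform_packages` next to `iwd`, and a `notify:` to a reload handler if one exists in the role's handlers (outside this patch).
```yaml
# … unchanged: laptop networkd template, systemd-resolved and iwd tasks …

- name: setup laptop nftables ruleset
  become: yes
  template:
    src: "laptop/nftables.j2"
    dest: "/etc/nftables.conf"  # path read by nftables.service on Arch — confirm
    owner: root
    group: root
    mode: "0600"
  when: platform == "laptop"

- name: start nftables service
  become: yes
  systemd:
    name: nftables
    state: started
    enabled: yes
  when: platform == "laptop"
```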
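Review bot: `Name=wlan0` in the [Match] section hard-codes the kernel interface name; on a host where predictable naming produces a `wlp*` name this unit silently matches nothing and the laptop gets no DHCP lease, with no error from networkd. `Type=wlan` (or the glob `Name=wl*`) matches the wireless adapter whatever it is called. The nftables template hard-codes `"wlan0"` in the same way, so if the match is changed here the `iifname`/`oifname` rules there need the same treatment; if the adapter is known to be `wlan0`, a one-line comment stating that assumption would help the next reader.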
@@ -0,0 +1,66 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#
+#!/usr/bin/nft -f
+# vim:set ts=2 sw=2 et:
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+
+ # allow established/related connections
+ ct state { established, related } accept
+
+ # early drop of invalid connections
+ ct state invalid drop
+
+ # allow from loopback
+ iifname lo accept
+
+ # allow icmp
+ ip protocol icmp accept
+ ip6 nexthdr icmpv6 accept
+
+ # allow ssh
+ tcp dport ssh accept
+
+ # syncthing
+ ip saddr 10.8.1.1 tcp dport 22000 accept
+
+ # allow dhcp requests for bridged connections
+ iifname "vmbr0" udp dport { 53, 67 } accept
+ }
+
+ chain forward {
+ type filter hook forward priority security; policy drop;
+
+ ct state { established, related } accept;
+
+ mark 1 accept
+
+ iifname "vmbr0" oifname "wlan0" accept
+ iifname "wlan0" oifname "vmbr0" accept
+ }
+}
+
+table ip filter {
+ chain DOCKER-USER {
+ mark set 1
+ }
+}
+
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority 0; policy accept;
+
+ # iifname "wlan0" tcp dport { http } dnat to 10.4.0.243
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 0; policy accept;
+
+ oifname "wlan0" masquerade
+ }
+}
+
diff --git a/roles/arch/vars/laptop.yml b/roles/arch/vars/laptop.yml
index 28d4ccb..0f95ed3 100644
--- a/roles/arch/vars/laptop.yml
+++ b/roles/arch/vars/laptop.yml
@@ -1 +1,2 @@
-platform_packages: []
+platform_packages:
+ - iwd
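Review bot: `ip6 nexthdr icmpv6 accept` in the input chain only matches when ICMPv6 is the first next header, so ICMPv6 carried behind an extension header (MLD reports with a Hop-by-Hop option, for instance) falls through to the chain's drop policy; matching the transport protocol avoids this, replacing the two icmp lines with `meta l4proto { icmp, ipv6-icmp } accept`. `tcp dport ssh accept` opens SSH on every interface, including wlan0 on whatever network the laptop joins, whereas the syncthing rule is limited to `ip saddr 10.8.1.1`; an `iifname` or source restriction, or at least rate-limiting new SSH connections, fits the drop-by-default posture of the rest of the chain. `mark 1 accept` in the forward chain trusts any packet marked by `DOCKER-USER` in `table ip filter`; if that chain is reached for every forwarded packet (the iptables FORWARD chain jumps to it first) and runs at filter priority ahead of this chain's `priority security`, the forward drop policy is bypassed for all forwarded traffic rather than only container traffic, which is worth checking against the rendered ruleset with Docker running. The comment above `iifname "vmbr0" udp dport { 53, 67 } accept` mentions only DHCP while port 53 is DNS; `# allow dns and dhcp requests from bridged connections` describes the rule.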