host_vars/desktop/vpn.yml

@@ -1,47 +1,49 @@
 # TODO: scope variables to their destination file
 vpn_default:
-  ip: 10.0.0.3
-  prefix: 24
-  interface: wg0
-  dns: 10.0.0.1
+  ip: '10.0.0.3'
+  prefix: '24'
+  interface: 'wg0'
+  dns: '10.0.0.1'
   domains:
-    - '~vpn.{{ server_domain }}'
-    - '~transmission.{{ server_domain }}'
-    - '~syncthing.{{ server_domain }}'
-    - '~radicale.{{ server_domain }}'
+    - ~vpn.{{ server_domain }}
+    - ~transmission.{{ server_domain }}
+    - ~syncthing.{{ server_domain }}
 
   public_key_path: '{{ vpn_config_dir }}/keys/public/default/desktop.pub'
   private_key_path: '{{ vpn_config_dir }}/keys/private/default/desktop.key'
 
   peers:
-    - name: fudiggity
+    - name: 'fudiggity'
       allowed_ips:
-        - 10.0.0.0/24
-        - 172.16.238.0/24
-        - 172.32.238.0/24
-        - 172.64.238.0/24
+        - address: '10.0.0.0/24'
+          create_route: false
+        - address: '172.16.238.0/24'
+          create_route: true
+        - address: '172.32.238.0/24'
+          create_route: true
       endpoint: '{{ server_domain }}:51902'
-      public_key: CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo=
+      public_key: 'CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo='
       preshared_key_path: '{{ vpn_config_dir }}/keys/private/default/preshared-zeus.psk'
-      preshared_key_source_path: files/personal/desktop/wireguard/default/preshared.psk
+      preshared_key_source_path: 'files/personal/desktop/wireguard/default/preshared.psk'
 
 vpn_media:
-  ip: 10.0.1.3
-  prefix: 24
-  interface: wg1
-  dns: 10.0.1.1
+  ip: '10.0.1.3'
+  prefix: '24'
+  interface: 'wg1'
+  dns: '10.0.1.1'
   domains:
     - '~media-vpn.{{ server_domain }}'
 
   public_key_path: '{{ vpn_config_dir }}/keys/public/media/desktop.pub'
   private_key_path: '{{ vpn_config_dir }}/keys/private/media/desktop.key'
-  private_key_source_path: files/personal/desktop/wireguard/media/desktop.key
+  private_key_source_path: 'files/personal/desktop/wireguard/media/desktop.key'
 
   peers:
-    - name: zeus-media
+    - name: 'zeus-media'
       allowed_ips:
-        - 10.0.1.0/24
+        - address: '10.0.1.0/24'
+          create_route: false
       endpoint: '{{ server_domain }}:51903'
-      public_key: EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg=
+      public_key: 'EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg='
       preshared_key_path: '{{ vpn_config_dir }}/keys/private/media/preshared-zeus.psk'
-      preshared_key_source_path: files/personal/desktop/wireguard/media/preshared.psk
+      preshared_key_source_path: 'files/personal/desktop/wireguard/media/preshared.psk'

host_vars/xps/vpn.yml

@@ -1,37 +1,35 @@
-pa_dlna_version: 0.16
-pa_dlna_systemd_version: 0.0.9
-
 vpn_default:
-  ip: 10.0.0.2
-  prefix: 24
-  interface: wg0
-  dns: 10.0.0.1
+  ip: '10.0.0.2'
+  prefix: '24'
+  interface: 'wg0'
+  dns: '10.0.0.1'
   domains:
     - '~vpn.{{ server_domain }}'
     - '~transmission.{{ server_domain }}'
     - '~syncthing.{{ server_domain }}'
-    - '~radicale.{{ server_domain }}'
 
   public_key_path: '{{ vpn_config_dir }}/keys/public/default/laptop.pub'
   private_key_path: '{{ vpn_config_dir }}/keys/private/default/laptop.key'
 
   peers:
-    - name: fudiggity
+    - name: 'fudiggity'
       allowed_ips:
-        - 10.0.0.0/24
-        - 172.16.238.0/24
-        - 172.32.238.0/24
-        - 172.64.238.0/24
+        - address: '10.0.0.0/24'
+          create_route: false
+        - address: '172.16.238.0/24'
+          create_route: true
+        - address: '172.32.238.0/24'
+          create_route: true
       endpoint: '{{ server_domain }}:51902'
       public_key: 'CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo='
       preshared_key_path: '{{ vpn_config_dir }}/keys/private/default/preshared-zeus.psk'
-      preshared_key_source_path: files/personal/xps/wireguard/default/preshared.psk
+      preshared_key_source_path: 'files/personal/xps/wireguard/default/preshared.psk'
 
 vpn_media:
-  ip: 10.0.1.2
-  prefix: 24
-  interface: wg1
-  dns: 10.0.1.1
+  ip: '10.0.1.2'
+  prefix: '24'
+  interface: 'wg1'
+  dns: '10.0.1.1'
   domains:
     - '~media-vpn.{{ server_domain }}'
 
@@ -39,10 +37,11 @@ vpn_media:
   private_key_path: '{{ vpn_config_dir }}/keys/private/media/laptop.key'
 
   peers:
-    - name: fudiggity-media
+    - name: 'fudiggity-media'
       allowed_ips:
-        - 10.0.1.0/24
+        - address: '10.0.1.0/24'
+          create_route: false
       endpoint: '{{ server_domain }}:51903'
-      public_key: EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg=
+      public_key: 'EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg='
       preshared_key_path: '{{ vpn_config_dir }}/keys/private/media/preshared-zeus.psk'
-      preshared_key_source_path: files/personal/xps/wireguard/media/preshared.psk
+      preshared_key_source_path: 'files/personal/xps/wireguard/media/preshared.psk'

tasks/personal/xps.yml

@@ -1,50 +1,9 @@
 - name: Provision powertop systemd service
   become: true
   ansible.builtin.template:
-    src: templates/personal/xps/powertop.service.j2
-    dest: /etc/systemd/system/powertop.service
+    src: 'templates/personal/xps/powertop.service.j2'
+    dest: '/etc/systemd/system/powertop.service'
     owner: root
     group: root
     mode: '0644'
   notify: restart powertop
-
-- name: Provision python pa-dlna
-  block:
-    - name: Create configuration directory
-      ansible.builtin.file:
-        path: '{{ xdg_config_dir }}/pa-dlna'
-        state: directory
-        mode: '0755'
-
-    - name: Copy configuration file
-      ansible.builtin.template:
-        src: templates/personal/xps/pa-dlna/config.j2
-        dest: '{{ xdg_config_dir }}/pa-dlna/pa-dlna.conf'
-        mode: '0755'
-
-    - name: Copy systemd service
-      ansible.builtin.template:
-        src: templates/personal/xps/pa-dlna/service.j2
-        dest: '{{ xdg_config_dir }}/systemd/user/pa-dlna.service'
-        mode: '0755'
-
-    - name: Create virtualenv directory
-      become: true
-      ansible.builtin.file:
-        path: /opt/virtualenv/pa-dlna
-        state: directory
-        owner: sonny
-        group: sonny
-        mode: '0755'
-
-    - name: Install pa-dlna
-      ansible.builtin.pip:
-        name: 'pa-dlna=={{ pa_dlna_version }}'
-        virtualenv: /opt/virtualenv/pa-dlna
-        virtualenv_command: python3.13 -m venv
-
-    - name: Install python-systemd
-      ansible.builtin.pip:
-        name: 'python-systemd=={{ pa_dlna_systemd_version }}'
-        virtualenv: /opt/virtualenv/pa-dlna
-        virtualenv_command: python3.13 -m venv

templates/personal/desktop/network/wg0.netdev.j2

@@ -7,14 +7,13 @@ Description=WireGuard tunnel {{ vpn_default.interface }}
 
 [WireGuard]
 PrivateKeyFile={{ vpn_default.private_key_path }}
-RouteTable=main
 
 {% for peer in vpn_default.peers %}
 [WireGuardPeer]
 PublicKey={{ peer.public_key }}
 PresharedKeyFile={{ peer.preshared_key_path }}
 {% for ip in peer.allowed_ips %}
-AllowedIPs={{ ip }}
+AllowedIPs={{ ip.address }}
 {% endfor %}
 {% if peer.endpoint %}
 Endpoint={{ peer.endpoint }}

templates/personal/desktop/network/wg0.network.j2

@@ -7,3 +7,13 @@ Name={{ vpn_default.interface }}
 Address={{ vpn_default.ip }}/{{ vpn_default.prefix }}
 DNS={{ vpn_default.dns }}
 Domains={{ vpn_default.domains | join(' ') }}
+
+{% for peer in vpn_default.peers %}
+{% for ip in peer.allowed_ips %}
+{% if ip.create_route %}
+[Route]
+Destination={{ ip.address }}
+Scope=link
+{% endif %}
+{% endfor %}
+{% endfor %}

templates/personal/desktop/network/wg1.netdev.j2

@@ -7,14 +7,13 @@ Description=WireGuard tunnel {{ vpn_media.interface }}
 
 [WireGuard]
 PrivateKeyFile={{ vpn_media.private_key_path }}
-RouteTable=main
 
 {% for peer in vpn_media.peers %}
 [WireGuardPeer]
 PublicKey={{ peer.public_key }}
 PresharedKeyFile={{ peer.preshared_key_path }}
 {% for ip in peer.allowed_ips %}
-AllowedIPs={{ ip }}
+AllowedIPs={{ ip.address }}
 {% endfor %}
 {% if peer.endpoint %}
 Endpoint={{ peer.endpoint }}

templates/personal/xps/network/wg0.netdev.j2

@@ -7,14 +7,13 @@ Description=WireGuard tunnel {{ vpn_default.interface }}
 
 [WireGuard]
 PrivateKeyFile={{ vpn_default.private_key_path }}
-RouteTable=main
 
 {% for peer in vpn_default.peers %}
 [WireGuardPeer]
 PublicKey={{ peer.public_key }}
 PresharedKeyFile={{ peer.preshared_key_path }}
 {% for ip in peer.allowed_ips %}
-AllowedIPs={{ ip }}
+AllowedIPs={{ ip.address }}
 {% endfor %}
 {% if peer.endpoint %}
 Endpoint={{ peer.endpoint }}

templates/personal/xps/network/wg0.network.j2

@@ -7,3 +7,13 @@ Name={{ vpn_default.interface }}
 Address={{ vpn_default.ip }}/{{ vpn_default.prefix }}
 DNS={{ vpn_default.dns }}
 Domains={{ vpn_default.domains | join(' ') }}
+
+{% for peer in vpn_default.peers %}
+{% for ip in peer.allowed_ips %}
+{% if ip.create_route %}
+[Route]
+Destination={{ ip.address }}
+Scope=link
+{% endif %}
+{% endfor %}
+{% endfor %}

templates/personal/xps/network/wg1.netdev.j2

@@ -7,14 +7,13 @@ Description=WireGuard tunnel {{ vpn_media.interface }}
 
 [WireGuard]
 PrivateKeyFile={{ vpn_media.private_key_path }}
-RouteTable=main
 
 {% for peer in vpn_media.peers %}
 [WireGuardPeer]
 PublicKey={{ peer.public_key }}
 PresharedKeyFile={{ peer.preshared_key_path }}
 {% for ip in peer.allowed_ips %}
-AllowedIPs={{ ip }}
+AllowedIPs={{ ip.address }}
 {% endfor %}
 {% if peer.endpoint %}
 Endpoint={{ peer.endpoint }}

templates/personal/xps/nftables.j2

@@ -23,9 +23,6 @@ table inet filter {
     # allow ssh
     tcp dport ssh accept
 
-    ip saddr 192.168.2.11 tcp dport 8080 accept comment "HTTP pa-dlna server"
-    ip saddr 192.168.2.11 udp dport 1900 accept comment "UPnP"
-
     # syncthing
     ip saddr 10.0.0.1 tcp dport 22000 accept
   }

templates/personal/xps/pa-dlna/config.j2

@@ -1,26 +0,0 @@
-# {{ ansible_managed }}
-#
-# This is the built-in pa-dlna configuration written as text. It can be
-# parsed by a Python Configuration parser and consists of sections, each led
-# by a [section] header, followed by option/value entries separated by
-# '='. See https://docs.python.org/3/library/configparser.html.
-#
-# The 'selection' option is written as a multi-line in which case all the
-# lines after the first line start with a white space.
-#
-# The default value of 'selection' lists the encoders in this order:
-#     - mp3 encoders first as mp3 is the most common encoding
-#     - lossless encoders
-#     - then lossy encoders
-# See https://trac.ffmpeg.org/wiki/Encode/HighQualityAudio.
-
-[DEFAULT]
-selection =
-    FFMpegFlacEncoder,
-    FFMpegOpusEncoder,
-sample_format = s24be
-rate = 96000
-channels = 2
-track_metadata = yes
-soap_minimum_interval = 5
-args = None

templates/personal/xps/pa-dlna/service.j2

@@ -1,40 +0,0 @@
-# {{ ansible_managed }}
-#
-# When enabled, the pa-dlna service unit is started automatically after the
-# pulseaudio or pipewire service unit is started. It will also stop when the
-# pulseaudio or pipewire service unit stops. However it will stop when the
-# pulseaudio or pipewire service unit is restarted but it will not start.
-#
-# Both pa-dlna and pulseaudio service units are of 'Type=notify'. This means
-# that pa-dlna will only start after pulseaudio has notified systemd that it
-# is ready and pa-dlna may connect successfully to libpulse.
-#
-# However the pipewire service unit is of 'Type=simple'. In that case and if
-# pa-dlna fails to start with the error:
-#       LibPulseStateError(('PA_CONTEXT_FAILED', 'Connection refused'))
-# add a delay to the pa-dlna start up sequence with the directive:
-#       ExecStartPre=/bin/sleep 1
-#
-# Any pa-dlna option may be added to the 'ExecStart' directive, for example to
-# restrict the allowed NICs or IP addresses (recommended) or to change the
-# log level.
-# The '--systemd' option is required.
-#
-# The 'python-systemd' package is required.
-
-[Unit]
-Description=Pa-dlna Service
-Documentation=https://pa-dlna.readthedocs.io/en/stable/
-
-After=pipewire-session-manager.service
-
-[Service]
-Type=simple
-ExecStart=/opt/virtualenv/pa-dlna/bin/pa-dlna
-Slice=session.slice
-
-NoNewPrivileges=yes
-UMask=0077
-
-[Install]
-WantedBy=pipewire-session-manager.service