Add README

README.md

@@ -0,0 +1,86 @@
+# Archlinux provisioning
+
+This repository contains several playbooks created to provision specific hosts.
+A playbook can be ran as follows:
+
+```
+$ ansible-playbook --limit desktop desktop.yml
+```
+
+The `--limit` parameter is required to run the playbook only for the specified host(s)
+as the default playbook that is included uses `hosts: all`.
+
+## Using systemd-nspawn
+
+Hosts with wired network devices can configure a MACVLAN device to allow networking 
+between systemd-nspawn containers and the host (or vice-versa) aswell as between containers
+and the outside world (through the hosts network device).
+
+### Creating a debian container
+
+First bootstrap a directory containing the files required for the container:
+
+```
+$ debootstrap --include=dbus,libpam-systemd,libnss-systemd,systemd-resolved stable /var/lib/machines/foo
+```
+
+Afterwards a root password can be set:
+
+```
+$ systemd-nspawn --directory /var/lib/machines/foo
+# passwd
+```
+
+To configure networking for the container, a configuration file can be made 
+in `/etc/systemd-nspawn/foo.nspawn` on the host. It should contain the following options:
+
+```
+[Exec]
+# Invokes the init program (usually systemd) when the container starts
+Boot=yes 
+Hostname=foo
+
+[Network]
+MACVLAN=enp1s0
+
+# Used for communication between containers in the same zone 
+Zone=test 
+```
+
+This allows the container to be managed with `machinectl` with the configured options
+in the nspawn configuration file without specifying these through commandline options.
+It is possible through skip this step, which can come in handy whenever a throwaway
+container is to be made, and specify these options through the commandline:
+
+```
+$ systemd-nspawn \
+  --boot \
+  --network-macvlan enp1s0 \
+  --network-zone test \
+  --hostname foo \
+  --directory /var/lib/machines/foo
+```
+
+See `man systemd.nspawn` for more configurable options for the `.nspawn` file. 
+
+Inside the container create a network configuration file for the MACVLAN device 
+in `/etc/systemd/network/10-mv-ensp1s0.network`:
+
+```
+[Match]
+Name=mv-enp1s0
+
+[Link]
+RequiredForOnline=routable
+
+[Network]
+DHCP=yes
+```
+
+Note that the example above can be adjusted to your likings. Afterwards enable (and start) the
+`systemd-networkd` service and verify the configuration is correctly applied.
+
+To setup DNS resolution don't forget to enable the `systemd-resolved` service inside
+the container.
+
+See the [Archlinux wiki](https://wiki.archlinux.org/title/Systemd-nspawn) for more information.

default.yml

@@ -15,7 +15,7 @@
       tags: network
 
     - name: Network host specific provisioning
-      ansible.builtin.import_tasks: "tasks/network/{{ ansible_hostname }}.yml"
+      ansible.builtin.import_tasks: "tasks/network/{{ hostname }}.yml"
       tags: network-specific
 
     - name: Systemd provisioning

desktop.yml

@@ -1,10 +1,13 @@
 ---
-- name: Arch Linux provisioning
-  hosts: desktop
-  tasks:
 - name: Include default playbook
   ansible.builtin.import_playbook: default.yml
+  vars:
+    hostname: desktop
 
+- name: Arch Linux provisioning
+  hosts: desktop
+  gather_facts: true
+  tasks:
     - name: Wireguard provisioning
       ansible.builtin.import_tasks: "tasks/wireguard.yml"
       tags: wireguard
@@ -21,7 +24,6 @@
       ansible.builtin.import_tasks: "tasks/syncthing.yml"
       tags: syncthing
 
-    # TODO: provision current macvlan setup
     - name: Desktop provisioning
       ansible.builtin.import_tasks: "tasks/desktop.yml"
       tags: desktop

host_vars/desktop/network.yml

@@ -1,6 +1,7 @@
 ---
 lan_interface: enp1s0
 lan_interface_mac: 00:d8:61:9f:52:65
+macvlan_interface: mv-0
 
 local_network_address: 192.168.2.15/24
 local_network_dns: 9.9.9.9 149.112.112.112

htpc.yml

@@ -1,12 +1,12 @@
 ---
-- hosts: htpc
-  gather_facts: true
-
 - name: Include default playbook
   ansible.builtin.import_playbook: default.yml
+  vars:
+    hostname: htpc
 
 - name: Arch Linux provisioning
   hosts: htpc
+  gather_facts: true
   tasks:
     - name: Wireguard media provisioning
       ansible.builtin.import_tasks: "tasks/wireguard-media.yml"

tasks/mpd.yml

@@ -18,6 +18,7 @@
     - stop mpd service
     - restart mpd socket
 
+# TODO: replace ncmpcpp with rmpc
 - name: Create mpd files
   ansible.builtin.file:
     path: "{{ item.path }}"
@@ -64,7 +65,6 @@
       dest: "{{ ncmpcpp_configuration_dir }}/bindings"
   notify:
     - stop mpd service
-
 # TODO: install https://aur.archlinux.org/mpd-mpris-bin.git from AUR
 # Use mpc to control local mpd server.
 # Use $ mpc add http://{{ mpd_remote_address }}:{{ mpd_remote_stream_port }}

tasks/network/desktop.yml

@@ -1,8 +1,8 @@
 ---
 - name: Desktop configuration
   notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
+    - Restart systemd-networkd
+    - Restart systemd-resolved
   block:
     - name: Setup network configuration
       become: true
@@ -15,8 +15,12 @@
       loop:
         - src: "templates/desktop/network/enp1s0.link.j2"
           dest: "/etc/systemd/network/20-enp1s0.link"
-        - src: "templates/desktop//network/enp1s0.network.j2"
+        - src: "templates/desktop/network/enp1s0.network.j2"
           dest: "/etc/systemd/network/20-enp1s0.network"
+        - src: "templates/desktop/network/mv-0.netdev.j2"
+          dest: "/etc/systemd/network/10-mv-0.netdev.j2"
+        - src: "templates/desktop/network/mv-0.network.j2"
+          dest: "/etc/systemd/network/30-mv-0.network.j2"
 
     - name: Remove leftover configuration files
       become: true

tasks/network/xps.yml

@@ -17,8 +17,8 @@
     - src: "templates/xps/network/wlan0.network.j2"
       dest: "/etc/systemd/network/20-wireless.network"
   notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
+    - Restart systemd-networkd
+    - Restart systemd-resolved
 
 - name: Create iwd directory
   become: true

tasks/setup.yml

@@ -117,7 +117,7 @@
       dest: "/etc/sysctl.d/99-sysrq.conf"
     - src: "templates/sysctl/98-forward.conf.j2"
       dest: "/etc/sysctl.d/98-foward.conf"
-  notify: reload sysctl configuration
+  notify: Reload sysctl configuration
 
 - name: Remove the modprobe.d directory
   become: true
@@ -139,12 +139,12 @@
     dest: "{{ item.dest }}"
     mode: "0755"
   loop: "{{ modprobe_templates }}"
-  when: modprobe_templates
+  when: "modprobe_templates | length > 0"
 
 - name: Copy kernel parameters template
   become: true
   ansible.builtin.template:
-    src: "templates/{{ ansible_hostname }}/cmdline.j2"
+    src: "templates/{{ ansible_facts['hostname'] }}/cmdline.j2"
     dest: "/etc/kernel/cmdline"
     mode: "0755"
 

tasks/wireguard-media.yml

@@ -17,8 +17,8 @@
     - "{{ wireguard_media_defaults.private_key_path | dirname }}"
     - "{{ wireguard_media_defaults.public_key_path | dirname }}"
   notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
+    - Restart systemd-networkd
+    - Restart systemd-resolved
 
 - name: Copy Wireguard credentials
   become: true
@@ -35,8 +35,8 @@
     - dest: "{{ wireguard_media_defaults.private_key_path }}"
       src: "files/wireguard-media/{{ ansible_hostname }}/fudiggity.key"
   notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
+    - Restart systemd-networkd
+    - Restart systemd-resolved
 
 - name: Copy Wireguard preshared keys
   become: true
@@ -48,8 +48,8 @@
     mode: "0640"
   loop: "{{ wireguard_media_defaults.peers }}"
   notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
+    - Restart systemd-networkd
+    - Restart systemd-resolved
 
 - name: Setup network configuration
   become: true
@@ -66,7 +66,7 @@
     - src: "templates/{{ ansible_hostname }}/network/wg1.netdev.j2"
       dest: "/etc/systemd/network/40-wg1.netdev"
   notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
+    - Restart systemd-networkd
+    - Restart systemd-resolved
   vars:
     wireguard: "{{ wireguard_media | ansible.builtin.combine(wireguard_media_defaults) }}"

tasks/wireguard.yml

@@ -17,8 +17,8 @@
     - "{{ wireguard_defaults.private_key_path | dirname }}"
     - "{{ wireguard_defaults.public_key_path | dirname }}"
   notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
+    - Restart systemd-networkd
+    - Restart systemd-resolved
 
 - name: Copy Wireguard credentials
   become: true
@@ -35,8 +35,8 @@
     - dest: "{{ wireguard_defaults.private_key_path }}"
       src: "files/wireguard/{{ ansible_hostname }}/fudiggity.key"
   notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
+    - Restart systemd-networkd
+    - Restart systemd-resolved
 
 - name: Copy Wireguard preshared keys
   become: true
@@ -48,8 +48,8 @@
     mode: "0640"
   loop: "{{ wireguard_defaults.peers }}"
   notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
+    - Restart systemd-networkd
+    - Restart systemd-resolved
 
 - name: Setup network configuration
   become: true
@@ -66,7 +66,7 @@
     - src: "templates/{{ ansible_hostname }}/network/wg0.netdev.j2"
       dest: "/etc/systemd/network/40-wg0.netdev"
   notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
+    - Restart systemd-networkd
+    - Restart systemd-resolved
   vars:
     wireguard: "{{ wireguard | ansible.builtin.combine(wireguard_defaults) }}"

templates/desktop/network/mv-0.netdev.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+[NetDev]
+Name={{ macvlan_interface }}
+Kind=macvlan
+
+[MACVLAN]
+Mode=bridge

templates/desktop/network/mv-0.network.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ macvlan_interface }}
+
+[Network]
+DHCP=yes
+BindCarrier={{ lan_interface }}

templates/htpc/network/enp1s0.network.j2

@@ -15,3 +15,4 @@ LinkLocalAddressing=no
 IPv6AcceptRA=no
 IPv6SendRA=no
 RequiredForOnline=routable
+MACVLAN={{ macvlan_interface }}

xps.yml

@@ -1,6 +1,8 @@
 ---
 - name: Include default playbook
   ansible.builtin.import_playbook: default.yml
+  vars:
+    hostname: xps
 
 - name: Arch Linux provisioning
   hosts: xps