authorLars Wirzenius <liw@liw.fi>2022-07-31 07:05:50 +0300
committerLars Wirzenius <liw@liw.fi>2022-07-31 07:05:50 +0300
commit1bda8fd4d04cd1b4b5f4ab8bba32e939ba2ec940 (patch)
treea4e0eb7c713763044d14a4e903ca8b46cd26b46c
parenta7c1ffe70a8316f3e8990f25d438bf42478c6463 (diff)
downloadpuomi-1bda8fd4d04cd1b4b5f4ab8bba32e939ba2ec940.tar.gz
add initial, generic puomi playbook
Sponsored-by: author
-rw-r--r--puomi-playbook.yml126
1 files changed, 126 insertions, 0 deletions
diff --git a/puomi-playbook.yml b/puomi-playbook.yml
new file mode 100644
index 0000000..5c0b31d
--- /dev/null
+++ b/puomi-playbook.yml
@@ -0,0 +1,126 @@
+# Ansible playbook for installing a router.
+
+- hosts: puomi
+ tasks:
+ - name: "add contrib and non-free to APT sources, for firmware"
+ apt_repository:
+ repo: "deb http://deb.debian.org/debian bullseye contrib non-free"
+
+ - name: "install software"
+ apt:
+ name:
+ - hostapd
+ - firmware-iwlwifi
+ - haveged
+ - bridge-utils
+ - man
+ - ferm
+ - dnsmasq
+ - bind9-dnsutils
+ - locales-all
+
+ - name: "configure dnsmasq for .d support"
+ lineinfile:
+ path: /etc/dnsmasq.conf
+ regexp: ^conf-dir
+ line: "conf-dir=/etc/dnsmasq.d/,*.conf"
+
+ - name: "configure dnsmasq for router"
+ copy:
+ content: |
+ dhcp-range=10.1.1.10,10.1.1.250,255.255.255.0,1h
+ host-record=puomi,10.1.1.1
+ interface=br0
+ interface=lo
+ max-cache-ttl=30
+ neg-ttl=10
+ dest: /etc/dnsmasq.d/router.conf
+
+ - name: "configure hostapd"
+ copy:
+ content: |
+ interface=wlan0
+ bridge=br0
+ driver=nl80211
+ ssid={{ wifi_essid }}
+ country_code={{ wifi_country_code }}
+ hw_mode=g
+ ieee80211n=1
+ channel=2
+ macaddr_acl=0
+ auth_algs=1
+ ignore_broadcast_ssid=0
+ wmm_enabled=1
+ wpa=2
+ wpa_passphrase={{ wifi_passphrase }}
+ wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
+ wpa_pairwise=TKIP
+ rsn_pairwise=CCMP
+ dest: /etc/hostapd/hostapd.conf
+
+ - name: "configure ferm firewall"
+ copy:
+ content: |
+ table filter {
+ chain INPUT policy ACCEPT;
+ chain OUTPUT policy ACCEPT;
+ chain FORWARD {
+ policy ACCEPT;
+
+ # Printer
+ saddr 10.0.0.73 proto tcp DROP;
+ saddr 10.0.0.73 proto udp DROP;
+ }
+ }
+
+ table nat {
+ chain POSTROUTING MASQUERADE;
+ }
+ dest: /etc/ferm/ferm.conf
+
+ - name: "configure bridge device br0"
+ copy:
+ content: |
+ [NetDev]
+ Name=br0
+ Kind=bridge
+ dest: /etc/systemd/network/br0.netdev
+
+ - name: "add wired devices to br0"
+ copy:
+ content: |
+ [Match]
+ Name=eth[^0]*
+
+ [Network]
+ Bridge=br0
+ dest: /etc/systemd/network/wired.network
+
+ - name: "configure br0 to provide DHCP and NAT"
+ copy:
+ content: |
+ [Match]
+ Name=br0
+
+ [Network]
+ Address=10.1.1.1/24
+ DHCPServer=false
+ IPMasquerade=true
+ ConfigureWithoutCarrier=true
+ dest: /etc/systemd/network/br0.network
+
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_codename: bullseye
+ sane_debian_system_timezone: Europe/Helsinki
+ sane_debian_system_sources_lists:
+ - repo: |
+ deb http://deb.debian.org/debian bullseye contrib non-free
+
+ unix_users_version: 2
+
+ wifi_essid: Valkama2
+ wifi_country_code: FI
+ wifi_passphrase: Oomam2ah
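Review bot: The Wi-Fi PSK is committed in cleartext at `wifi_passphrase: Oomam2ah` (alongside the SSID and country code above it), so anyone with read access to this repository or its history can join the network; the value should come from an Ansible Vault-encrypted vars file or a vars file kept outside the repo, e.g. `wifi_passphrase: "{{ vault_wifi_passphrase }}"`, and the current passphrase should be rotated once this is pushed. The same secret is rendered into /etc/hostapd/hostapd.conf by the "configure hostapd" copy task without a `mode:`, so the file lands with the default (typically world-readable) permissions; adding `mode: "0600"` next to `dest: /etc/hostapd/hostapd.conf` keeps it private. The ferm config uses `chain INPUT policy ACCEPT;` and a FORWARD chain with `policy ACCEPT;`, which leaves every listening service (dnsmasq, sshd) reachable from whichever interface faces upstream — presumably eth0, given the `Name=eth[^0]*` bridge match — so a default-DROP INPUT with explicit accepts on br0 and lo would better fit a router role. Minor: with `wpa=2` the `wpa_pairwise=TKIP` line is inert (it only governs WPA1), so dropping it or adding `# ignored under wpa=2; CCMP via rsn_pairwise is what applies` avoids the impression that TKIP is enabled.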