authorLars Wirzenius <liw@liw.fi>2022-08-20 18:18:41 +0300
committerLars Wirzenius <liw@liw.fi>2022-08-20 18:18:41 +0300
commit24575c898d276c1bb43a418b3fcf84701cddc634 (patch)
tree2ae5f1721a269695bf13c333fd2b57ea621d5a45
parent703290795909c767344147970f6305ed5bf5d763 (diff)
downloadpuomi-24575c898d276c1bb43a418b3fcf84701cddc634.tar.gz
feat: add a role "puomi"
This can be used more easily from custom playbooks. The old "puomi-playbook.yml" had to be edited, and that would be hard to maintain. Sponsored-by: author
-rw-r--r--roles/puomi/defaults/main.yml11
-rw-r--r--roles/puomi/tasks/main.yml109
2 files changed, 120 insertions, 0 deletions
diff --git a/roles/puomi/defaults/main.yml b/roles/puomi/defaults/main.yml
new file mode 100644
index 0000000..a4e353e
--- /dev/null
+++ b/roles/puomi/defaults/main.yml
@@ -0,0 +1,11 @@
+puomi_version: 1
+
+puomi_lan_ip: 10.2.2.1
+puomi_dhcp_start: 10.2.2.10
+puomi_dhcp_end: 10.2.2.250
+puomi_dhcp_netmask: 255.255.255.0
+puomi_dhcp_lease: 1h
+puomi_essid: Valkama3
+puomi_wifi_country_code: FI
+puomi_wifi_passphrase: Oomam2ah
+
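Review bot: `puomi_wifi_passphrase: Oomam2ah` together with `puomi_essid: Valkama3` ships a concrete WPA passphrase as a role default, so any deployment that does not override the variable gets a credential that is now recorded in version control. A role default should not be a usable secret: leave it empty and have the role fail when it is unset, e.g. `puomi_wifi_passphrase: ""`, and treat the committed value as one to rotate. The other defaults are unquoted plain scalars; the IP addresses and `1h` happen to parse as strings today, but quoting them (`puomi_dhcp_lease: "1h"`) protects against later edits that look numeric.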
diff --git a/roles/puomi/tasks/main.yml b/roles/puomi/tasks/main.yml
new file mode 100644
index 0000000..90356c5
--- /dev/null
+++ b/roles/puomi/tasks/main.yml
@@ -0,0 +1,109 @@
+# Ansible role for installing a Puomi router.
+
+- name: "check puomi role version"
+ shell: |
+ [ "{{ puomi_version }}" = "1" ] || \
+ (echo "Unexpected version {{ puomi_version }}" 1>&2; exit 1)
+
+- name: "puomi: add contrib and non-free to APT sources, for firmware"
+ apt_repository:
+ repo: "deb http://deb.debian.org/debian bullseye contrib non-free"
+
+- name: "puomi: install necessary software"
+ apt:
+ name:
+ - bind9-dnsutils
+ - bridge-utils
+ - dnsmasq
+ - ferm
+ - firmware-iwlwifi
+ - haveged
+ - hostapd
+ - locales-all
+ - man
+
+- name: "puomi: configure dnsmasq for .d support"
+ lineinfile:
+ path: /etc/dnsmasq.conf
+ regexp: ^conf-dir
+ line: "conf-dir=/etc/dnsmasq.d/,*.conf"
+
+- name: "puomi: configure dnsmasq for router"
+ copy:
+ content: |
+ dhcp-range={{ puomi_dhcp_start }},{{ puomi_dhcp_end }},{{ puomi_dhcp_netmask }},{{ puomi_dhcp_lease }}
+ host-record={{ inventory_hostname }},{{ puomi_lan_ip }}
+ interface=br0
+ interface=lo
+ max-cache-ttl=30
+ neg-ttl=10
+ dest: /etc/dnsmasq.d/router.conf
+
+- name: "puomi: configure hostapd"
+ copy:
+ content: |
+ interface=wlan0
+ bridge=br0
+ driver=nl80211
+ ssid={{ puomi_essid }}
+ country_code={{ puomi_wifi_country_code }}
+ hw_mode=g
+ ieee80211n=1
+ channel=2
+ macaddr_acl=0
+ auth_algs=1
+ ignore_broadcast_ssid=0
+ wmm_enabled=1
+ wpa=2
+ wpa_passphrase={{ puomi_wifi_passphrase }}
+ wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
+ wpa_pairwise=TKIP
+ rsn_pairwise=CCMP
+ dest: /etc/hostapd/hostapd.conf
+
+- name: "puomi: configure ferm firewall"
+ copy:
+ content: |
+ table filter {
+ chain INPUT policy ACCEPT;
+ chain OUTPUT policy ACCEPT;
+ chain FORWARD {
+ policy ACCEPT;
+ }
+ }
+
+ table nat {
+ chain POSTROUTING MASQUERADE;
+ }
+ dest: /etc/ferm/ferm.conf
+
+- name: "puomi: configure bridge device br0"
+ copy:
+ content: |
+ [NetDev]
+ Name=br0
+ Kind=bridge
+ dest: /etc/systemd/network/br0.netdev
+
+- name: "puomi: add LAN devices to br0"
+ copy:
+ content: |
+ [Match]
+ Name=eth[^0]*
+
+ [Network]
+ Bridge=br0
+ dest: /etc/systemd/network/wired.network
+
+- name: "puomi: configure bridge to provide DHCP and NAT"
+ copy:
+ content: |
+ [Match]
+ Name=br0
+
+ [Network]
+ Address={{ puomi_lan_ip }}/24
+ DHCPServer=false
+ IPMasquerade=true
+ ConfigureWithoutCarrier=true
+ dest: /etc/systemd/network/br0.network
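Review bot: The `copy` task for `/etc/hostapd/hostapd.conf` writes `wpa_passphrase={{ puomi_wifi_passphrase }}` but sets no `mode`, so the file is created with default permissions and the WPA passphrase is likely readable by every local user; add `mode: "0600"` plus `owner: root` and `group: root` to that task. None of the `copy` tasks carry a `notify:`, and the diffstat shows no handlers file, so a changed dnsmasq, hostapd, ferm or systemd-networkd configuration is not reloaded or enabled by this role; each task needs a handler or an explicit service task. The br0.network stanza hard-codes `Address={{ puomi_lan_ip }}/24` while the defaults expose `puomi_dhcp_netmask`, so overriding the netmask silently leaves the bridge address out of step with the DHCP range. The version check could be `assert: { that: puomi_version | int == 1 }` rather than a `shell` task, which avoids a shell invocation and still runs in check mode.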