authorLars Wirzenius <liw@liw.fi>2022-09-04 14:16:37 +0300
committerLars Wirzenius <liw@liw.fi>2022-09-04 16:08:17 +0300
commit2b9afe51878f129b46f16434402cd88f867246f9 (patch)
treebf6cd260741d5753b6297af264acc0ddda8db016
parentb76a5c173fdf28c19b7a4881087a4d2c3475896f (diff)
downloadpuomi-2b9afe51878f129b46f16434402cd88f867246f9.tar.gz
add extra playbook to run by v-i when installing Puomi
The playbook tries to set up dnsmasq for the local network, to provide DHCP and DNS, but fails to actually work. I don't know why, yet. Sponsored-by: author
-rw-r--r--puomi-playbook.yml113
-rw-r--r--puomi-x220.yaml19
-rw-r--r--roles/puomi/tasks/main.yml98
3 files changed, 56 insertions, 174 deletions
diff --git a/puomi-playbook.yml b/puomi-playbook.yml
index 3a06be7..7e6e0ba 100644
--- a/puomi-playbook.yml
+++ b/puomi-playbook.yml
@@ -1,8 +1,14 @@
-# Ansible playbook for installing a router.
+# Ansible playbook for installing a Puomi Internet router.
-- hosts: puomi
- remote_user: root
+- hosts: image
tasks:
+
+ - name: "unset root password so that virtual console logins work"
+ shell: |
+ sed -i '/^root:[^:]*:/s//root::/' /etc/passwd /etc/shadow
+
+ # Install software we'll need for router functionality.
+
- name: "add contrib and non-free to APT sources, for firmware"
apt_repository:
repo: "deb http://deb.debian.org/debian bullseye contrib non-free"
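Review bot: The new "unset root password" task blanks root's password hash in both /etc/passwd and /etc/shadow, so after installation root logs in on any virtual console without authenticating; whether other PAM-backed services also accept the empty password depends on their `nullok` settings, which this playbook does not touch. Since the image is an Internet router, that choice deserves to be recorded next to the task, e.g. `# Deliberately leaves root with an empty password so console login works; set a password or restrict getty before exposing the image.` The sed expression is idempotent in effect (a second run rewrites `root::` to itself), but the `shell` step reports changed on every run, which a `changed_when:` condition could make honest. The play's task list continues in later hunks.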
@@ -13,73 +19,10 @@
- bind9-dnsutils
- bridge-utils
- dnsmasq
- - ferm
- - firmware-iwlwifi
- - haveged
- - hostapd
- - locales-all
- - man
-
- - name: "configure dnsmasq for .d support"
- lineinfile:
- path: /etc/dnsmasq.conf
- regexp: ^conf-dir
- line: "conf-dir=/etc/dnsmasq.d/,*.conf"
- - name: "configure dnsmasq for router"
- copy:
- content: |
- dhcp-range=10.1.1.10,10.1.1.250,255.255.255.0,1h
- host-record={{ inventory_hostname }},10.1.1.1
- interface=br0
- interface=lo
- max-cache-ttl=30
- neg-ttl=10
- dest: /etc/dnsmasq.d/router.conf
+ # Network configuration.
- - name: "configure hostapd"
- copy:
- content: |
- interface=wlan0
- bridge=br0
- driver=nl80211
- ssid={{ wifi_essid }}
- country_code={{ wifi_country_code }}
- hw_mode=g
- ieee80211n=1
- channel=2
- macaddr_acl=0
- auth_algs=1
- ignore_broadcast_ssid=0
- wmm_enabled=1
- wpa=2
- wpa_passphrase={{ wifi_passphrase }}
- wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
- wpa_pairwise=TKIP
- rsn_pairwise=CCMP
- dest: /etc/hostapd/hostapd.conf
-
- - name: "configure ferm firewall"
- copy:
- content: |
- table filter {
- chain INPUT policy ACCEPT;
- chain OUTPUT policy ACCEPT;
- chain FORWARD {
- policy ACCEPT;
-
- # Printer
- saddr 10.0.0.73 proto tcp DROP;
- saddr 10.0.0.73 proto udp DROP;
- }
- }
-
- table nat {
- chain POSTROUTING MASQUERADE;
- }
- dest: /etc/ferm/ferm.conf
-
- - name: "configure bridge device br0"
+ - name: "configure bridge device br0 for local network ports"
copy:
content: |
[NetDev]
@@ -87,7 +30,7 @@
Kind=bridge
dest: /etc/systemd/network/br0.netdev
- - name: "add LAN devices to br0"
+ - name: "add local network ports to br0"
copy:
content: |
[Match]
@@ -95,24 +38,44 @@
[Network]
Bridge=br0
- dest: /etc/systemd/network/wired.network
+ dest: /etc/systemd/network/local.network
- - name: "configure br0 to provide DHCP and NAT"
+ - name: "configure bridge br0"
copy:
content: |
[Match]
Name=br0
[Network]
- Address=10.1.1.1/24
+ Address={{ puomi_lan_ip }}/24
DHCPServer=false
+ IPForward=true
IPMasquerade=true
ConfigureWithoutCarrier=true
dest: /etc/systemd/network/br0.network
+ - name: "configure dnsmasq for configuration .d directory support"
+ lineinfile:
+ path: /etc/dnsmasq.conf
+ regexp: ^conf-dir
+ line: "conf-dir=/etc/dnsmasq.d/,*.conf"
+
+ - name: "configure dnsmasq for local bridge br0"
+ copy:
+ content: |
+ dhcp-range={{ puomi_dhcp_start }},{{ puomi_dhcp_end }},{{ puomi_dhcp_netmask }},{{ puomi_dhcp_lease }}
+ host-record={{ hostname }},{{ puomi_lan_ip }}
+ interface=br0
+ max-cache-ttl=30
+ neg-ttl=10
+ dest: /etc/dnsmasq.d/router.conf
+
vars:
ansible_python_interpreter: /usr/bin/python3
- wifi_essid: Valkama2
- wifi_country_code: FI
- wifi_passphrase: Oomam2ah
+ puomi_lan_ip: 10.1.1.1
+ puomi_dhcp_start: 10.1.1.10
+ puomi_dhcp_end: 10.1.1.250
+ puomi_dhcp_netmask: 255.255.255.0
+ puomi_dhcp_lease: 1h
+
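Review bot: `host-record={{ hostname }},{{ puomi_lan_ip }}` in the new dnsmasq task references `hostname`, which is not among the play's `vars` (the previous version used `inventory_hostname`); if v-i does not export the top-level `hostname` from puomi-x220.yaml as an Ansible variable, templating stops with an undefined-variable error, which would match the "fails to actually work" in the commit message and is worth confirming first. Separately, `Address={{ puomi_lan_ip }}/24` hard-codes the prefix length while `puomi_dhcp_netmask: 255.255.255.0` is an independent variable, so the two can drift apart; a comment on the vars block such as `# puomi_dhcp_netmask must match the /24 prefix in br0.network` would tie them together. With `IPForward=true` and `IPMasquerade=true` now set on br0 and no firewall configuration left in the play, the image forwards between the local network and the uplink with no packet filter; if that is intended for this stage, a comment on the "configure bridge br0" task saying so would spare the next reader the question.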
diff --git a/puomi-x220.yaml b/puomi-x220.yaml
index 4d11bef..8c5c01f 100644
--- a/puomi-x220.yaml
+++ b/puomi-x220.yaml
@@ -2,7 +2,20 @@
# X220 laptop.
drive: /dev/sda
-hostname: puomi-x220
+hostname: x220
+extra_playbooks:
+ - puomi-playbook.yml
ansible_vars:
- user_pub: |
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems
+ user_ca_pubkey: |
+ sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAnrswi6ZNElxSgt6ak5hjSNIkVte11ht7BG3qpBJU4hAAAABHNzaDo=
+ host_key: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+ QyNTUxOQAAACDgceidrQ/lwB1Qv6fAG6w72wDUuP+gPxdzPtUp77YmkwAAAIhrsL33a7C9
+ 9wAAAAtzc2gtZWQyNTUxOQAAACDgceidrQ/lwB1Qv6fAG6w72wDUuP+gPxdzPtUp77Ymkw
+ AAAEC7xtew61U18uYzwB4NxB1HSmmzhGxyy8Sc8s3/PwX+seBx6J2tD+XAHVC/p8AbrDvb
+ ANS4/6A/F3M+1SnvtiaTAAAAAAECAwQF
+ -----END OPENSSH PRIVATE KEY-----
+ host_cert: |
+ ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIH2RrP85+uGyhdxIE6vABe8/Skiphfk5TkgwV0pnBMYCAAAAIOBx6J2tD+XAHVC/p8AbrDvbANS4/6A/F3M+1SnvtiaTAAAAAAAAAAAAAAACAAAAGWNlcnRpZmljYXRlIGZvciBob3N0IHgyMjAAAAAIAAAABHgyMjAAAAAAYxRDzAAAAABjius5AAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACD7tWzrRUC8C8aZNM0tWvEBW/VJQ2zjjh9THBOYQ07ZxAAAAFMAAAALc3NoLWVkMjU1MTkAAABALO0Sz383jbwsEMWgGWYmMGbAjSQHaEZgVtxx+NDCqK1xgPJ9PVWyxQGGVPz/ibrLCjsLlHEu/tLWdNmxmzqjCA== /tmp/.tmphE2hGI/sub.pub
+
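Review bot: `host_key` on the new side embeds a complete OpenSSH private key in plaintext in a file committed to the repository, alongside a `host_cert` signed by the CA; anyone with read access to the repository can impersonate what the variable names indicate is the router's SSH host, and the certificate remains valid for that key until it expires. The key should be treated as exposed and regenerated, and its replacement kept in an encrypted store (ansible-vault, or a file outside the repository if v-i can read one) rather than in `ansible_vars`. A comment at the top of `ansible_vars` such as `# host_key is secret material: keep it out of version control` would mark the expectation for future edits. The `user_ca_pubkey` entry is public material and is fine to commit.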
diff --git a/roles/puomi/tasks/main.yml b/roles/puomi/tasks/main.yml
index 1114288..ff151bf 100644
--- a/roles/puomi/tasks/main.yml
+++ b/roles/puomi/tasks/main.yml
@@ -1,6 +1,6 @@
# Ansible role for installing a Puomi router.
-- name: "check puomi role version"
+- name: "puomi: check role version"
shell: |
[ "{{ puomi_version }}" = "1" ] || \
(echo "Unexpected version {{ puomi_version }}" 1>&2; exit 1)
@@ -9,107 +9,13 @@
apt_repository:
repo: "deb http://deb.debian.org/debian bullseye contrib non-free"
-- name: "puomi: install necessary software"
+- name: "puomi: install necessary or useful software for a router"
apt:
name:
- - bind9-dnsutils
- - bridge-utils
- - dnsmasq
- - ferm
- - firmware-iwlwifi
- - haveged
- - hostapd
- - locales-all
- man
- lshw
- pciutils
-- name: "puomi: configure dnsmasq for .d support"
- lineinfile:
- path: /etc/dnsmasq.conf
- regexp: ^conf-dir
- line: "conf-dir=/etc/dnsmasq.d/,*.conf"
-
-- name: "puomi: configure dnsmasq for router"
- copy:
- content: |
- dhcp-range={{ puomi_dhcp_start }},{{ puomi_dhcp_end }},{{ puomi_dhcp_netmask }},{{ puomi_dhcp_lease }}
- host-record={{ inventory_hostname }},{{ puomi_lan_ip }}
- interface=br0
- interface=lo
- max-cache-ttl=30
- neg-ttl=10
- dest: /etc/dnsmasq.d/router.conf
-
-- name: "puomi: configure hostapd"
- copy:
- content: |
- interface=wlan0
- bridge=br0
- driver=nl80211
- ssid={{ puomi_essid }}
- country_code={{ puomi_wifi_country_code }}
- hw_mode=g
- ieee80211n=1
- channel=2
- macaddr_acl=0
- auth_algs=1
- ignore_broadcast_ssid=0
- wmm_enabled=1
- wpa=2
- wpa_passphrase={{ puomi_wifi_passphrase }}
- wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
- wpa_pairwise=TKIP
- rsn_pairwise=CCMP
- dest: /etc/hostapd/hostapd.conf
-
-- name: "puomi: configure ferm firewall"
- copy:
- content: |
- table filter {
- chain INPUT policy ACCEPT;
- chain OUTPUT policy ACCEPT;
- chain FORWARD {
- policy ACCEPT;
- }
- }
-
- table nat {
- chain POSTROUTING MASQUERADE;
- }
- dest: /etc/ferm/ferm.conf
-
-- name: "puomi: configure bridge device br0"
- copy:
- content: |
- [NetDev]
- Name=br0
- Kind=bridge
- dest: /etc/systemd/network/br0.netdev
-
-- name: "puomi: add LAN devices to br0"
- copy:
- content: |
- [Match]
- Name=eth[^0]*
-
- [Network]
- Bridge=br0
- dest: /etc/systemd/network/wired.network
-
-- name: "puomi: configure bridge to provide DHCP and NAT"
- copy:
- content: |
- [Match]
- Name=br0
-
- [Network]
- Address={{ puomi_lan_ip }}/24
- DHCPServer=false
- IPMasquerade=true
- ConfigureWithoutCarrier=true
- dest: /etc/systemd/network/br0.network
-
- name: "puomi: install script to show current DHCP leases"
copy:
src: leases