authorLars Wirzenius <liw@liw.fi>2022-08-20 15:37:19 +0000
committerLars Wirzenius <liw@liw.fi>2022-08-20 15:37:19 +0000
commit5865db8c2a0da062bd82b271e4e41b892913686a (patch)
tree2ae5f1721a269695bf13c333fd2b57ea621d5a45
parenta7c1ffe70a8316f3e8990f25d438bf42478c6463 (diff)
parent24575c898d276c1bb43a418b3fcf84701cddc634 (diff)
downloadpuomi-5865db8c2a0da062bd82b271e4e41b892913686a.tar.gz
Merge branch 'role' into 'main'
add playbook / role to install Puomi See merge request larswirzenius/puomi!9
-rw-r--r--hosts2
-rwxr-xr-xleases.sh13
-rw-r--r--puomi-playbook.yml118
-rw-r--r--puomi-qotom.yaml10
-rw-r--r--puomi-x220.yaml2
-rw-r--r--roles/puomi/defaults/main.yml11
-rw-r--r--roles/puomi/tasks/main.yml109
7 files changed, 263 insertions, 2 deletions
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..e95430f
--- /dev/null
+++ b/hosts
@@ -0,0 +1,2 @@
+[all]
+puomi
diff --git a/leases.sh b/leases.sh
new file mode 100755
index 0000000..513998a
--- /dev/null
+++ b/leases.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -euo pipefail
+
+awk '
+$4 == "*" { name=$2 }
+$4 != "*" { name=$4 }
+{ print name, $1, $3 }
+' /var/lib/misc/dnsmasq.leases |
+ sort |
+ while read name timestamp ip; do
+ printf '%s %-15s %s\n' "$(date -Imin --date "@$timestamp")" "$ip" "$name"
+ done
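Review bot: The `while read name timestamp ip` loop near the end of the hunk consumes hostnames that DHCP clients supply themselves, and without `-r` any backslash in such a name is interpreted by read instead of being printed; use `while read -r name timestamp ip; do`. As far as I know the first column of dnsmasq.leases is the lease expiry time, so the date printed is when the lease expires rather than when it was granted, and a comment such as `# prints: expiry-time ip hostname (MAC when the client sent no name)` above the awk call would save the next reader a lookup. If the lease file ever contains a non-lease line (dnsmasq writes a `duid` line when DHCPv6 is in use), `date --date "@$timestamp"` fails and `set -e` aborts the whole listing; that does not apply to the IPv4-only configuration in this merge, but is worth guarding if DHCPv6 is ever enabled.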
diff --git a/puomi-playbook.yml b/puomi-playbook.yml
new file mode 100644
index 0000000..3a06be7
--- /dev/null
+++ b/puomi-playbook.yml
@@ -0,0 +1,118 @@
+# Ansible playbook for installing a router.
+
+- hosts: puomi
+ remote_user: root
+ tasks:
+ - name: "add contrib and non-free to APT sources, for firmware"
+ apt_repository:
+ repo: "deb http://deb.debian.org/debian bullseye contrib non-free"
+
+ - name: "install software"
+ apt:
+ name:
+ - bind9-dnsutils
+ - bridge-utils
+ - dnsmasq
+ - ferm
+ - firmware-iwlwifi
+ - haveged
+ - hostapd
+ - locales-all
+ - man
+
+ - name: "configure dnsmasq for .d support"
+ lineinfile:
+ path: /etc/dnsmasq.conf
+ regexp: ^conf-dir
+ line: "conf-dir=/etc/dnsmasq.d/,*.conf"
+
+ - name: "configure dnsmasq for router"
+ copy:
+ content: |
+ dhcp-range=10.1.1.10,10.1.1.250,255.255.255.0,1h
+ host-record={{ inventory_hostname }},10.1.1.1
+ interface=br0
+ interface=lo
+ max-cache-ttl=30
+ neg-ttl=10
+ dest: /etc/dnsmasq.d/router.conf
+
+ - name: "configure hostapd"
+ copy:
+ content: |
+ interface=wlan0
+ bridge=br0
+ driver=nl80211
+ ssid={{ wifi_essid }}
+ country_code={{ wifi_country_code }}
+ hw_mode=g
+ ieee80211n=1
+ channel=2
+ macaddr_acl=0
+ auth_algs=1
+ ignore_broadcast_ssid=0
+ wmm_enabled=1
+ wpa=2
+ wpa_passphrase={{ wifi_passphrase }}
+ wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
+ wpa_pairwise=TKIP
+ rsn_pairwise=CCMP
+ dest: /etc/hostapd/hostapd.conf
+
+ - name: "configure ferm firewall"
+ copy:
+ content: |
+ table filter {
+ chain INPUT policy ACCEPT;
+ chain OUTPUT policy ACCEPT;
+ chain FORWARD {
+ policy ACCEPT;
+
+ # Printer
+ saddr 10.0.0.73 proto tcp DROP;
+ saddr 10.0.0.73 proto udp DROP;
+ }
+ }
+
+ table nat {
+ chain POSTROUTING MASQUERADE;
+ }
+ dest: /etc/ferm/ferm.conf
+
+ - name: "configure bridge device br0"
+ copy:
+ content: |
+ [NetDev]
+ Name=br0
+ Kind=bridge
+ dest: /etc/systemd/network/br0.netdev
+
+ - name: "add LAN devices to br0"
+ copy:
+ content: |
+ [Match]
+ Name=eth[^0]*
+
+ [Network]
+ Bridge=br0
+ dest: /etc/systemd/network/wired.network
+
+ - name: "configure br0 to provide DHCP and NAT"
+ copy:
+ content: |
+ [Match]
+ Name=br0
+
+ [Network]
+ Address=10.1.1.1/24
+ DHCPServer=false
+ IPMasquerade=true
+ ConfigureWithoutCarrier=true
+ dest: /etc/systemd/network/br0.network
+
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+
+ wifi_essid: Valkama2
+ wifi_country_code: FI
+ wifi_passphrase: Oomam2ah
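Review bot: The WiFi pre-shared key is committed in clear text at `wifi_passphrase: Oomam2ah` in the play's vars, and the hostapd task writes it to /etc/hostapd/hostapd.conf with `copy` and no `mode`, so the file gets the copy module's default permissions (typically 0644) and the PSK is readable by every local user. Move the passphrase out of the repository (an ansible-vault file or an unversioned vars file) and add `mode: "0600"` to the hostapd copy task. `wpa_pairwise=TKIP` only applies to WPA1 and is inert with `wpa=2`, so it can be dropped to avoid suggesting that TKIP is negotiated. The ferm config sets `chain INPUT policy ACCEPT` on a router that also masquerades, so every listening service is reachable from upstream; if eth0 is indeed the uplink (inferred from the `eth[^0]*` bridge match, not stated anywhere), a default-drop INPUT policy with explicit allows for br0 and lo would be the usual shape.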
diff --git a/puomi-qotom.yaml b/puomi-qotom.yaml
new file mode 100644
index 0000000..d770e21
--- /dev/null
+++ b/puomi-qotom.yaml
@@ -0,0 +1,10 @@
+# A target specification file for v-i for Puomi on a Lenovo Thinkpad
+# X220 laptop.
+
+drive: /dev/sda
+hostname: puomi
+extra_playbooks:
+ - puomi-installer-playbook.yml
+ansible_vars:
+ user_pub: |
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems
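Review bot: The header comment at the top of the hunk still says `Lenovo Thinkpad X220 laptop`, which contradicts the file name puomi-qotom.yaml and looks copied from puomi-x220.yaml unchanged. Replace the second half of the comment with the actual target, e.g. `# A target specification file for v-i for Puomi on a Qotom box.` (use the model name if a more specific one is known). `drive: /dev/sda` is the same value as in the X220 file; if the Qotom hardware enumerates its disk differently this is worth confirming before the installer wipes it.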
diff --git a/puomi-x220.yaml b/puomi-x220.yaml
index ac4a77d..4d11bef 100644
--- a/puomi-x220.yaml
+++ b/puomi-x220.yaml
@@ -3,8 +3,6 @@
drive: /dev/sda
hostname: puomi-x220
-extra_playbooks:
- - puomi-installer-playbook.yml
ansible_vars:
user_pub: |
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems
diff --git a/roles/puomi/defaults/main.yml b/roles/puomi/defaults/main.yml
new file mode 100644
index 0000000..a4e353e
--- /dev/null
+++ b/roles/puomi/defaults/main.yml
@@ -0,0 +1,11 @@
+puomi_version: 1
+
+puomi_lan_ip: 10.2.2.1
+puomi_dhcp_start: 10.2.2.10
+puomi_dhcp_end: 10.2.2.250
+puomi_dhcp_netmask: 255.255.255.0
+puomi_dhcp_lease: 1h
+puomi_essid: Valkama3
+puomi_wifi_country_code: FI
+puomi_wifi_passphrase: Oomam2ah
+
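Review bot: `puomi_wifi_passphrase: Oomam2ah` ships a real-looking WPA pre-shared key as a role default, which is the lowest-precedence variable level, so any host that does not override it silently brings up an access point protected by a key that lives in version control. A role default should not carry a secret: leave the key out of defaults, fail early in the tasks with `assert: { that: puomi_wifi_passphrase is defined }` or equivalent, and supply the value from an ansible-vault file. The same key also appears in the vars of puomi-playbook.yml in this merge, so both copies need to go.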
diff --git a/roles/puomi/tasks/main.yml b/roles/puomi/tasks/main.yml
new file mode 100644
index 0000000..90356c5
--- /dev/null
+++ b/roles/puomi/tasks/main.yml
@@ -0,0 +1,109 @@
+# Ansible role for installing a Puomi router.
+
+- name: "check puomi role version"
+ shell: |
+ [ "{{ puomi_version }}" = "1" ] || \
+ (echo "Unexpected version {{ puomi_version }}" 1>&2; exit 1)
+
+- name: "puomi: add contrib and non-free to APT sources, for firmware"
+ apt_repository:
+ repo: "deb http://deb.debian.org/debian bullseye contrib non-free"
+
+- name: "puomi: install necessary software"
+ apt:
+ name:
+ - bind9-dnsutils
+ - bridge-utils
+ - dnsmasq
+ - ferm
+ - firmware-iwlwifi
+ - haveged
+ - hostapd
+ - locales-all
+ - man
+
+- name: "puomi: configure dnsmasq for .d support"
+ lineinfile:
+ path: /etc/dnsmasq.conf
+ regexp: ^conf-dir
+ line: "conf-dir=/etc/dnsmasq.d/,*.conf"
+
+- name: "puomi: configure dnsmasq for router"
+ copy:
+ content: |
+ dhcp-range={{ puomi_dhcp_start }},{{ puomi_dhcp_end }},{{ puomi_dhcp_netmask }},{{ puomi_dhcp_lease }}
+ host-record={{ inventory_hostname }},{{ puomi_lan_ip }}
+ interface=br0
+ interface=lo
+ max-cache-ttl=30
+ neg-ttl=10
+ dest: /etc/dnsmasq.d/router.conf
+
+- name: "puomi: configure hostapd"
+ copy:
+ content: |
+ interface=wlan0
+ bridge=br0
+ driver=nl80211
+ ssid={{ puomi_essid }}
+ country_code={{ puomi_wifi_country_code }}
+ hw_mode=g
+ ieee80211n=1
+ channel=2
+ macaddr_acl=0
+ auth_algs=1
+ ignore_broadcast_ssid=0
+ wmm_enabled=1
+ wpa=2
+ wpa_passphrase={{ puomi_wifi_passphrase }}
+ wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
+ wpa_pairwise=TKIP
+ rsn_pairwise=CCMP
+ dest: /etc/hostapd/hostapd.conf
+
+- name: "puomi: configure ferm firewall"
+ copy:
+ content: |
+ table filter {
+ chain INPUT policy ACCEPT;
+ chain OUTPUT policy ACCEPT;
+ chain FORWARD {
+ policy ACCEPT;
+ }
+ }
+
+ table nat {
+ chain POSTROUTING MASQUERADE;
+ }
+ dest: /etc/ferm/ferm.conf
+
+- name: "puomi: configure bridge device br0"
+ copy:
+ content: |
+ [NetDev]
+ Name=br0
+ Kind=bridge
+ dest: /etc/systemd/network/br0.netdev
+
+- name: "puomi: add LAN devices to br0"
+ copy:
+ content: |
+ [Match]
+ Name=eth[^0]*
+
+ [Network]
+ Bridge=br0
+ dest: /etc/systemd/network/wired.network
+
+- name: "puomi: configure bridge to provide DHCP and NAT"
+ copy:
+ content: |
+ [Match]
+ Name=br0
+
+ [Network]
+ Address={{ puomi_lan_ip }}/24
+ DHCPServer=false
+ IPMasquerade=true
+ ConfigureWithoutCarrier=true
+ dest: /etc/systemd/network/br0.network
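Review bot: The version check at the top of the hunk is a `shell` task that interpolates `{{ puomi_version }}` into a command line, so it reports `changed` on every run (never idempotent) and would misbehave if the variable ever contained shell metacharacters; the Ansible idiom is the `assert` module, e.g. `- assert: { that: "puomi_version | string == '1'", fail_msg: "Unexpected version {{ puomi_version }}" }`. The hostapd task writes `wpa_passphrase={{ puomi_wifi_passphrase }}` via `copy` without a `mode`, so the PSK lands in a /etc/hostapd/hostapd.conf created with the module's default permissions; add `mode: "0600"` to that task. None of the copy tasks notify a handler, so a changed dnsmasq, hostapd, ferm or networkd file only takes effect after a reboot or a manual restart — acceptable if the role is only ever run from the installer, but worth stating in the comment at the top of the file.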