Merge branch 'tweaks' into 'main'

feat: wifi access point, ferm firewall See merge request larswirzenius/puomi!7
author: Lars Wirzenius <liw@liw.fi> 2022-01-21 16:03:26 +0000
committer: Lars Wirzenius <liw@liw.fi> 2022-01-21 16:03:26 +0000
commit: ae190f24738cc550ed8be06c077100433da3087a (patch)
tree: 59efac753f2bf4bbd0b1a833202a007a87ea719f
parent: d9c891fbb50242ccbe84782b6095f00d6f6c91dc (diff)
parent: 8137a580584c6c8a5eeed9b475332132b5a2258e (diff)
download: puomi-ae190f24738cc550ed8be06c077100433da3087a.tar.gz
1 files changed, 80 insertions, 2 deletions
diff --git a/puomi-installer-playbook.yml b/puomi-installer-playbook.yml
index 0c0863c..8bd5522 100644
--- a/puomi-installer-playbook.yml
+++ b/puomi-installer-playbook.yml
@@ -2,13 +2,87 @@
 
 - hosts: image
   pre_tasks:
-    - name: "configure networking for LAN adapter"
+    - name: "add contrib and non-free to APT sources"
+      apt_repository:
+        repo: "deb http://deb.debian.org/debian bullseye contrib non-free"
+
+    - name: "install software"
+      apt:
+        name:
+          - hostapd
+          - firmware-iwlwifi
+          - haveged
+          - bridge-utils
+          - man
+          - ferm
+
+    - name: "configure hostapd"
+      copy:
+        content: |
+          interface=wlan0
+          bridge=br0
+          driver=nl80211
+          ssid={{ wifi_essid }}
+          country_code={{ wifi_country_code }}
+          hw_mode=g
+          ieee80211n=1
+          channel=2
+          macaddr_acl=0
+          auth_algs=1
+          ignore_broadcast_ssid=0
+          wmm_enabled=1
+          wpa=2
+          wpa_passphrase={{ wifi_passphrase }}
+          wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
+          wpa_pairwise=TKIP
+          rsn_pairwise=CCMP
+        dest: /etc/hostapd/hostapd.conf
+
+    - name: "configure ferm"
+      copy:
+        content: |
+          table filter {
+              chain INPUT policy ACCEPT;
+              chain OUTPUT policy ACCEPT;
+              chain FORWARD {
+                  policy ACCEPT;
+
+                  # Printer
+                  saddr 10.0.0.73  proto tcp DROP;
+                  saddr 10.0.0.73  proto udp DROP;
+              }
+          }
+
+          table nat {
+             chain POSTROUTING MASQUERADE;
+          }
+        dest: /etc/ferm/ferm.conf
+
+    - name: "configure bridge device br0"
+      copy:
+        content: |
+          [NetDev]
+          Name=br0
+          Kind=bridge
+        dest: /etc/systemd/network/br0.netdev
+
+    - name: "add wired devices to br0"
       copy:
         content: |
           [Match]
           Name=eth[^0]*
 
           [Network]
+          Bridge=br0
+        dest: /etc/systemd/network/wired.network
+
+    - name: "configure br0 to provide DHCP and NAT"
+      copy:
+        content: |
+          [Match]
+          Name=br0
+
+          [Network]
           Address=10.1.1.1/24
           DHCPServer=true
           IPMasquerade=true
@@ -18,7 +92,7 @@
           PoolOffset=100
           PoolSize=50
           EmitDNS=yes
-        dest: /etc/systemd/network/lan0.network
+        dest: /etc/systemd/network/br0.network
 
   vars:
     ansible_python_interpreter: /usr/bin/python3
@@ -31,3 +105,7 @@
           deb http://deb.debian.org/debian bullseye contrib non-free
 
     unix_users_version: 2
+
+    wifi_essid: Valkama2
+    wifi_country_code: FI
+    wifi_passphrase: Oomam2ah
author	Lars Wirzenius <liw@liw.fi>	2022-01-21 16:03:26 +0000
committer	Lars Wirzenius <liw@liw.fi>	2022-01-21 16:03:26 +0000
commit	ae190f24738cc550ed8be06c077100433da3087a (patch)
tree	59efac753f2bf4bbd0b1a833202a007a87ea719f
parent	d9c891fbb50242ccbe84782b6095f00d6f6c91dc (diff)
parent	8137a580584c6c8a5eeed9b475332132b5a2258e (diff)
download	puomi-ae190f24738cc550ed8be06c077100433da3087a.tar.gz