From 8137a580584c6c8a5eeed9b475332132b5a2258e Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Fri, 21 Jan 2022 16:21:10 +0200
Subject: feat: wifi access point, ferm firewall

Sponsored-by: author
---
 puomi-installer-playbook.yml | 82 ++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 80 insertions(+), 2 deletions(-)

diff --git a/puomi-installer-playbook.yml b/puomi-installer-playbook.yml
index 0c0863c..8bd5522 100644
--- a/puomi-installer-playbook.yml
+++ b/puomi-installer-playbook.yml
@@ -2,12 +2,86 @@
 - hosts: image
   pre_tasks:
-    - name: "configure networking for LAN adapter"
+    - name: "add contrib and non-free to APT sources"
+      apt_repository:
+        repo: "deb http://deb.debian.org/debian bullseye contrib non-free"
+
+    - name: "install software"
+      apt:
+        name:
+          - hostapd
+          - firmware-iwlwifi
+          - haveged
+          - bridge-utils
+          - man
+          - ferm
+
+    - name: "configure hostapd"
+      copy:
+        content: |
+          interface=wlan0
+          bridge=br0
+          driver=nl80211
+          ssid={{ wifi_essid }}
+          country_code={{ wifi_country_code }}
+          hw_mode=g
+          ieee80211n=1
+          channel=2
+          macaddr_acl=0
+          auth_algs=1
+          ignore_broadcast_ssid=0
+          wmm_enabled=1
+          wpa=2
+          wpa_passphrase={{ wifi_passphrase }}
+          wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
+          wpa_pairwise=TKIP
+          rsn_pairwise=CCMP
+        dest: /etc/hostapd/hostapd.conf
+
+    - name: "configure ferm"
+      copy:
+        content: |
+          table filter {
+            chain INPUT policy ACCEPT;
+            chain OUTPUT policy ACCEPT;
+            chain FORWARD {
+              policy ACCEPT;
+
+              # Printer
+              saddr 10.0.0.73 proto tcp DROP;
+              saddr 10.0.0.73 proto udp DROP;
+            }
+          }
+
+          table nat {
+            chain POSTROUTING MASQUERADE;
+          }
+        dest: /etc/ferm/ferm.conf
+
+    - name: "configure bridge device br0"
+      copy:
+        content: |
+          [NetDev]
+          Name=br0
+          Kind=bridge
+        dest: /etc/systemd/network/br0.netdev
+
+    - name: "add wired devices to br0"
       copy:
         content: |
           [Match]
           Name=eth[^0]*
+          [Network]
+          Bridge=br0
+        dest: /etc/systemd/network/wired.network
+
+    - name: "configure br0 to provide DHCP and NAT"
+      copy:
+        content: |
+          [Match]
+          Name=br0
+
+          [Network]
           Address=10.1.1.1/24
           DHCPServer=true
@@ -18,7 +92,7 @@
           PoolOffset=100
           PoolSize=50
           EmitDNS=yes
-        dest: /etc/systemd/network/lan0.network
+        dest: /etc/systemd/network/br0.network
 
   vars:
     ansible_python_interpreter: /usr/bin/python3
@@ -31,3 +105,7 @@
       deb http://deb.debian.org/debian bullseye contrib non-free
 
     unix_users_version: 2
+
+    wifi_essid: Valkama2
+    wifi_country_code: FI
+    wifi_passphrase: Oomam2ah
-- 
cgit v1.2.1
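Review bot: The "configure hostapd" task writes the templated `wpa_passphrase` into /etc/hostapd/hostapd.conf with a `copy` that sets no `mode`, so the file gets the module's default permissions and the Wi-Fi PSK is most likely readable by every local account; add `mode: "0600"` and `owner: root` next to `dest: /etc/hostapd/hostapd.conf`. In the same content block `wpa_pairwise=TKIP` only governs WPA1, which `wpa=2` already disables, so the line is dead but reads as though TKIP were accepted; drop it or set it to `CCMP` to match `rsn_pairwise`. The ferm config in the next task keeps `INPUT` and `FORWARD` at `policy ACCEPT` while `chain POSTROUTING MASQUERADE;` is applied with no `outerface`, so the router's own services and, as far as routing permits, the bridged 10.1.1.0/24 LAN are reachable from the upstream side; a conventional baseline is `chain INPUT { policy DROP; mod state state (ESTABLISHED RELATED) ACCEPT; interface (lo br0) ACCEPT; }` with the same shape for `FORWARD`, and `MASQUERADE` limited to the upstream interface. The `saddr 10.0.0.73` printer rule lies outside the range br0 serves, so it presumably concerns a host on the upstream network; a one-line comment such as `# Printer on the upstream LAN; never forward its traffic` would make the intent clear.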
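Review bot: `wifi_passphrase: Oomam2ah` commits the Wi-Fi PSK in clear text to the repository alongside the SSID it protects, and it will remain in git history even after a later removal; move it to an ansible-vault-encrypted vars file or an untracked host_vars file and rotate the passphrase. The new vars are also unquoted, and while `FI` is harmless, a country code such as `NO` or an SSID that looks like a number would be retyped by YAML before it reaches the hostapd template, so quote them (`wifi_country_code: "FI"`, `wifi_essid: "Valkama2"`). The `vars:` mapping this hunk extends starts outside the hunk.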