Diffstat (limited to 'ansible/openbsd-laptop.yml')
-rw-r--r--ansible/openbsd-laptop.yml131
1 files changed, 131 insertions, 0 deletions
diff --git a/ansible/openbsd-laptop.yml b/ansible/openbsd-laptop.yml
new file mode 100644
index 0000000..bc19dc7
--- /dev/null
+++ b/ansible/openbsd-laptop.yml
@@ -0,0 +1,131 @@
+---
+- name: Setup OpenBSD Laptop
+ hosts: localhost
+ vars:
+ ansible_connection: local
+ openbsd_staff:
+ - mitch
+ openbsd_sysctls:
+ - line: hw.smt=1
+ regexp: ^hw.smt
+ - line: kern.maxproc=32768
+ regexp: ^kern.maxproc
+ - line: kern.maxfiles=65535
+ regexp: ^kern.maxfiles
+ - line: kern.bufcachepercent=40
+ regexp: ^kern.bufcachepercent
+ - line: kern.audio.record=1
+ regexp: ^kern.audio.record
+ openbsd_doas: |
+ permit nopass :wheel as root
+ openbsd_packages:
+ - git
+ - ansible
+ - vim
+ - firefox
+ - neofetch
+ - evolution
+ - seahorse
+ - claws-mail
+ - gnome-keyring
+ - libgnome-keyring
+ - tango-icon-theme
+ - tango-icon-theme-extras
+ - i3
+ - xfce
+ - i3
+ - dmenu
+ - password-store
+ - pass-otp
+ - gpa
+ - htop
+ - slock
+ - bash
+ - feh
+ - rsync
+ - go
+ - xfce4-screenshooter
+ - okular
+ - shellcheck
+ - redshift
+ - postgresql-server
+ - vlc
+ - rtorrent
+ - mktorrent
+ - wget
+ - pwgen
+ - xdotool
+ - runit
+ - tree
+ - noto-emoji
+ - ncdu
+ - jq
+ - arandr
+ # Deve stuff
+ - gmake
+ # pidgin plugins
+ - gettext-tools
+ openbsd_pf_conf: |
+ # $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
+ #
+ # See pf.conf(5) and /etc/examples/pf.conf
+
+ dns_server="100.64.1.2"
+
+ set skip on lo
+
+ # For vm nat
+ match out on egress from 100.64.0.0/10 to any nat-to (egress)
+ pass out from 100.64.0.0/10
+ pass in proto { udp tcp } from 100.64.0.0/10 to any port domain
+
+ block return # block stateless traffic
+ pass # establish keep-state
+
+ # By default, do not permit remote connections to X11
+ block return in on ! lo0 proto tcp to port 6000:6010
+
+ # Port build user does not need network
+ block return out log proto {tcp udp} user _pbuild
+
+ tasks:
+ # TODO: login.conf staff group bumped limits
+ - name: Enable apmd
+ lineinfile:
+ dest: /etc/rc.conf.local
+ line: apmd_flags=-A
+ regexp: '^apmd_flags='
+ - name: Install packages
+ openbsd_pkg:
+ name: '{{openbsd_packages}}'
+ state: present
+ tags:
+ - packages
+ - name: Add specified users to staff
+ shell: |
+ #!/bin/sh
+ {% for user in openbsd_staff %}
+ usermod -G staff {{user}}
+ {% endfor %}
+ - name: Write doas configuration
+ copy:
+ content: '{{openbsd_doas}}'
+ dest: /etc/doas.conf
+ - name: Write pf configuration
+ copy:
+ content: '{{openbsd_pf_conf}}'
+ dest: /etc/pf.conf
+ mode: '0600'
+ - name: Tune sysctls
+ lineinfile:
+ dest: /etc/sysctl.conf
+ regexp: '{{item.regexp}}'
+ line: '{{item.line}}'
+ loop: '{{openbsd_sysctls}}'
+ tags:
+ - sysctls
+
+
+
+
+
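Review bot: The `Write doas configuration` task copies `openbsd_doas` to `/etc/doas.conf` with no `validate`, `owner` or `mode`, so a syntax error in the variable leaves doas refusing to run and the file's permissions depend on the umask at play time; `validate: 'doas -C %s'` plus explicit `owner: root`, `group: wheel`, `mode: '0600'` would catch both. The `Write pf configuration` task has the same gap (`validate: 'pfctl -nf %s'`), and nothing in the hunk reloads the ruleset, so the new rules only apply after a `pfctl -f /etc/pf.conf` or reboot. In `openbsd_sysctls`, `hw.smt=1` re-enables SMT, which OpenBSD ships disabled as a speculative-execution side-channel mitigation; a comment such as `# re-enables SMT (disabled by default for side-channel mitigation) - deliberate trade-off` would record that this is intentional. `i3` appears twice in `openbsd_packages`, and the `Add specified users to staff` task uses `shell` with a Jinja loop, which is not idempotent and reports `changed` every run; the `user` module with `groups: staff` and `append: true` looped over `openbsd_staff` would be the idiomatic form. Indentation is flattened in this rendering, so the nesting above is inferred from key order.
```yaml
- name: Write doas configuration
  copy:
    content: '{{openbsd_doas}}'
    dest: /etc/doas.conf
    owner: root
    group: wheel
    mode: '0600'
    validate: 'doas -C %s'
- name: Write pf configuration
  copy:
    content: '{{openbsd_pf_conf}}'
    dest: /etc/pf.conf
    mode: '0600'
    validate: 'pfctl -nf %s'
# … unchanged: Tune sysctls task …
```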