Diffstat (limited to 'openbsd-laptop.yml')
| -rw-r--r-- | openbsd-laptop.yml | 48 |
1 files changed, 47 insertions, 1 deletions
diff --git a/openbsd-laptop.yml b/openbsd-laptop.yml
index 81d739b..7f8f733 100644
--- a/openbsd-laptop.yml
+++ b/openbsd-laptop.yml
@@ -12,6 +12,8 @@
     regexp: ^kern.maxfiles
   - line: kern.bufcachepercent=40
     regexp: ^kern.bufcachepercent
+  - line: kern.audio.record=1
+    regexp: ^kern.audio.record
 openbsd_doas: |
   permit nopass :wheel as root
 openbsd_packages:
@@ -19,7 +21,13 @@
   - ansible
   - vim
   - firefox
-  - thunderbird
+  - evolution
+  - seahorse
+  - claws-mail
+  - gnome-keyring
+  - libgnome-keyring
+  - tango-icon-theme
+  - tango-icon-theme-extras
   - i3
   - xfce
   - i3
@@ -48,6 +56,35 @@
   - tree
   - noto-emoji
   - ncdu
+  - jq
+  - pidgin
+  # Deve stuff
+  - gmake
+  # pidgin plugins
+  - gettext-tools
+openbsd_pf_conf: |
+  # $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
+  #
+  # See pf.conf(5) and /etc/examples/pf.conf
+
+  dns_server="100.64.1.2"
+
+  set skip on lo
+
+  # For vm nat
+  match out on egress from 100.64.0.0/10 to any nat-to (egress)
+  pass out from 100.64.0.0/10
+  pass in proto { udp tcp } from 100.64.0.0/10 to any port domain
+
+  block return # block stateless traffic
+  pass # establish keep-state
+
+  # By default, do not permit remote connections to X11
+  block return in on ! lo0 proto tcp to port 6000:6010
+
+  # Port build user does not need network
+  block return out log proto {tcp udp} user _pbuild
+
 tasks:
   # TODO: login.conf staff group bumped limits
   - name: Enable apmd
@@ -59,6 +96,8 @@
       openbsd_pkg:
         name: '{{openbsd_packages}}'
         state: present
+      tags:
+        - packages
   - name: Add specified users to staff
     shell: |
       #!/bin/sh
@@ -69,12 +108,19 @@
       copy:
         content: '{{openbsd_doas}}'
         dest: /etc/doas.conf
+  - name: Write pf configuration
+    copy:
+      content: '{{openbsd_pf_conf}}'
+      dest: /etc/pf.conf
+      mode: '0600'
   - name: Tune sysctls
     lineinfile:
       dest: /etc/sysctl.conf
       regexp: '{{item.regexp}}'
       line: '{{item.line}}'
     loop: '{{openbsd_sysctls}}'
+    tags:
+      - sysctls
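Review bot: The new `kern.audio.record=1` entry in the first hunk re-enables microphone capture system-wide (OpenBSD ships it at 0 so no process can record audio by default), but nothing in the hunk records why the laptop needs that; a comment above the item such as `# kern.audio.record: allow microphone capture (default 0 disables all recording); needed for <app>` would document the trade-off for the next reader. The sysctl is only written to /etc/sysctl.conf by the later lineinfile task, so it presumably takes effect at the next boot rather than immediately — worth stating in the same comment if that is intended. The `openbsd_sysctls` list this item belongs to starts before the hunk.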
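Review bot: In the new `openbsd_pf_conf` block the `dns_server="100.64.1.2"` macro is defined but never referenced: the rule `pass in proto { udp tcp } from 100.64.0.0/10 to any port domain` allows DNS to any destination, and the unconditional `pass` a few lines further down already matches that traffic, so the VM-specific rules do less than they appear to. Either use the macro, `pass in proto { udp tcp } from 100.64.0.0/10 to $dns_server port domain`, or delete it so the ruleset does not advertise a restriction it does not enforce. The bare `pass` also admits inbound connections on every interface except the X11 port range; if the laptop is meant to accept no unsolicited inbound traffic, a `block in` / `pass out` baseline with explicit `pass in` exceptions would state that, though the current policy may be deliberate since it mirrors the stock /etc/examples/pf.conf. The `# Deve stuff` comment earlier in the same hunk looks like a typo for `# Dev stuff`.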
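Review bot: The new "Write pf configuration" task in the last hunk installs /etc/pf.conf but never loads it, so the rules only take effect at the next boot and a syntax error in the block would surface then, possibly leaving the machine without a usable ruleset. Add `validate: 'pfctl -nf %s'` to the copy task so an invalid file is rejected before it replaces the good one, and a `notify: reload pf` entry backed by a handler that runs `pfctl -f /etc/pf.conf` (the handlers section is not in this diff, so it would need to be added) so the change is applied in the same run. The task sets `mode: '0600'` but no `owner`/`group`; under become the file will presumably end up root-owned anyway, but `owner: root` and `group: wheel` make the intent explicit.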
