From faa918fc684023aa290f5cd1da4b32ef3609ae59 Mon Sep 17 00:00:00 2001
From: Mitch Riedstra
Date: Tue, 29 Sep 2020 22:02:46 -0400
Subject: Remove thunderbird, add claws, evolution. Allow audio recording. Add pf.conf and a few tags

---
 openbsd-laptop.yml | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)

diff --git a/openbsd-laptop.yml b/openbsd-laptop.yml
index 81d739b..7f8f733 100644
--- a/openbsd-laptop.yml
+++ b/openbsd-laptop.yml
@@ -12,6 +12,8 @@
 regexp: ^kern.maxfiles
 - line: kern.bufcachepercent=40
 regexp: ^kern.bufcachepercent
+ - line: kern.audio.record=1
+ regexp: ^kern.audio.record
 openbsd_doas: |
 permit nopass :wheel as root
 openbsd_packages:
@@ -19,7 +21,13 @@
 - ansible
 - vim
 - firefox
- - thunderbird
+ - evolution
+ - seahorse
+ - claws-mail
+ - gnome-keyring
+ - libgnome-keyring
+ - tango-icon-theme
+ - tango-icon-theme-extras
 - i3
 - xfce
 - i3
@@ -48,6 +56,35 @@
 - tree
 - noto-emoji
 - ncdu
+ - jq
+ - pidgin
+ # Deve stuff
+ - gmake
+ # pidgin plugins
+ - gettext-tools
+ openbsd_pf_conf: |
+ # $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
+ #
+ # See pf.conf(5) and /etc/examples/pf.conf
+ dns_server="100.64.1.2"
+ set skip on lo
+ # For vm nat
+ match out on egress from 100.64.0.0/10 to any nat-to (egress)
+ pass out from 100.64.0.0/10
+ pass in proto { udp tcp } from 100.64.0.0/10 to any port domain
+ block return # block stateless traffic
+ pass # establish keep-state
+ # By default, do not permit remote connections to X11
+ block return in on ! lo0 proto tcp to port 6000:6010
+ # Port build user does not need network
+ block return out log proto {tcp udp} user _pbuild
+
 tasks:
 # TODO: login.conf staff group bumped limits
 - name: Enable apmd
@@ -59,6 +96,8 @@
 openbsd_pkg:
 name: '{{openbsd_packages}}'
 state: present
+ tags:
+ - packages
 - name: Add specified users to staff
 shell: |
 #!/bin/sh
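Review bot: The new `kern.audio.record=1` entry in the first hunk carries no comment explaining why recording is being switched on, while the neighbouring entries are plain performance tuning knobs. OpenBSD's default for this sysctl is 0, which keeps audio(4) devices from delivering recorded samples to any process, so enabling it on a laptop is a deliberate privacy trade-off that should be stated next to the line, e.g. `# allow audio(4) recording (microphone); OpenBSD default is 0`. The openbsd_sysctls list this entry belongs to starts outside the hunk.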
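Review bot: In the new `openbsd_pf_conf` block of the third hunk the `dns_server` macro is defined but never referenced, and the `pass out from 100.64.0.0/10` and `pass in proto { udp tcp } from 100.64.0.0/10 to any port domain` rules are made redundant by the unqualified `pass` a few lines later, because pf applies the last matching rule unless one is marked quick. As written the ruleset admits all inbound traffic except the X11 port range, which is the stock example policy rather than one scoped to a laptop on untrusted networks. If the intent was to limit the VM subnet's DNS to one resolver, the rule should read `pass in proto { udp tcp } from 100.64.0.0/10 to $dns_server port domain` and the catch-all should become `block in` followed by `pass out`; otherwise the unused macro should be dropped so the file does not suggest a restriction it does not enforce. The `match out ... nat-to (egress)` rule is unaffected either way, since match rules apply independently of the final pass/block decision.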
@@ -69,12 +108,19 @@
 copy:
 content: '{{openbsd_doas}}'
 dest: /etc/doas.conf
+ - name: Write pf configuration
+ copy:
+ content: '{{openbsd_pf_conf}}'
+ dest: /etc/pf.conf
+ mode: '0600'
 - name: Tune sysctls
 lineinfile:
 dest: /etc/sysctl.conf
 regexp: '{{item.regexp}}'
 line: '{{item.line}}'
 loop: '{{openbsd_sysctls}}'
+ tags:
+ - sysctls
-- 
cgit v1.2.3
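Review bot: The new `Write pf configuration` task copies the ruleset into `/etc/pf.conf` without `validate:`, so a syntax error in `openbsd_pf_conf` is written to disk unchecked and only surfaces the next time pf loads the file at boot; adding `validate: /sbin/pfctl -nf %s` to the `copy` makes the play fail at the point of the mistake instead. Nothing reloads pf after the write either, so the running ruleset keeps diverging from the file until a reboot or a manual `pfctl -f /etc/pf.conf`; a `notify` to a handler running that command would close the gap, and a later `pfctl -nf` also covers the unused-macro and rule-ordering questions raised on the defining hunk. Three trailing context lines of this hunk appear to have been lost in the rendering, so its end is not fully visible here.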