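---
# Provision a single-user OpenBSD laptop. The play runs against the local
# machine and writes under /etc, so it has to be executed with root
# privileges (for example `doas ansible-playbook openbsd-laptop.yml`).
- name: Setup OpenBSD Laptop
  hosts: localhost
  vars:
    ansible_connection: local

    # Login names to put into the staff group. See the "Add specified users
    # to staff" task for the create-if-missing behaviour of the user module.
    openbsd_staff:
      - mitch

    # Lines merged into /etc/sysctl.conf. rc(8) applies that file at boot;
    # the "Tune sysctls" task does not call sysctl(8), so edits here take
    # effect on the next reboot unless applied by hand.
    openbsd_sysctls:
      - line: kern.maxproc=32768
        regexp: '^kern\.maxproc'
      - line: kern.maxfiles=65535
        regexp: '^kern\.maxfiles'
      - line: kern.bufcachepercent=40
        regexp: '^kern\.bufcachepercent'
      # Privacy trade-off: OpenBSD ships with kern.audio.record=0 so no
      # process can capture microphone input. Setting it to 1 allows every
      # process with access to the audio device to record, not just the
      # application you have in mind.
      - line: kern.audio.record=1
        regexp: '^kern\.audio\.record'

    # Contents of /etc/doas.conf. `nopass` means every member of wheel gets
    # root without ever being asked for a password; if you want a prompt
    # that is cached for a while, use `permit persist :wheel as root`
    # instead (see doas.conf(5)).
    openbsd_doas: |
      permit nopass :wheel as root

    openbsd_packages:
      - git
      - ansible
      - vim
      - firefox
      - evolution
      - seahorse
      - claws-mail
      - gnome-keyring
      - libgnome-keyring
      - tango-icon-theme
      - tango-icon-theme-extras
      - i3
      - xfce
      - dmenu
      - password-store
      - pass-otp
      - gpa
      - htop
      - slock
      - bash
      - feh
      - rsync
      - go
      - xfce4-screenshooter
      - okular
      - shellcheck
      - redshift
      - postgresql-server
      - vlc
      - rtorrent
      - mktorrent
      - wget
      - pwgen
      - xdotool
      - runit
      - tree
      - noto-emoji
      - ncdu
      - jq
      - pidgin
      # Dev stuff
      - gmake
      # pidgin plugins
      - gettext-tools

    # Contents of /etc/pf.conf. Two things to be aware of before editing:
    #  * pf uses last-match-wins, and the bare `pass` below has no direction,
    #    so inbound connections to any listening service are allowed except
    #    for the X11 ports blocked after it. For a laptop that travels, a
    #    `block return in` default with explicit `pass out` is the tighter
    #    policy; the current ruleset is kept as the author wrote it.
    #  * the dns_server macro is defined but never referenced.
    openbsd_pf_conf: |
      #	$OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
      #
      # See pf.conf(5) and /etc/examples/pf.conf

      dns_server="100.64.1.2"

      set skip on lo

      # For vm nat
      match out on egress from 100.64.0.0/10 to any nat-to (egress)
      pass out from 100.64.0.0/10
      pass in proto { udp tcp } from 100.64.0.0/10 to any port domain

      block return	# block stateless traffic
      pass		# establish keep-state

      # By default, do not permit remote connections to X11
      block return in on ! lo0 proto tcp to port 6000:6010

      # Port build user does not need network
      block return out log proto {tcp udp} user _pbuild

  tasks:
    # TODO: login.conf staff group bumped limits
    - name: Enable apmd
      lineinfile:
        path: /etc/rc.conf.local
        # rc.conf.local is absent on a fresh install; lineinfile fails on a
        # missing file unless told to create it.
        create: true
        line: apmd_flags=-A
        regexp: '^apmd_flags='

    - name: Install packages
      openbsd_pkg:
        name: "{{ openbsd_packages }}"
        state: present
      tags:
        - packages

    # Idempotent replacement for a `usermod -G staff` shell loop. `append`
    # is essential: without it the user module sets the full secondary group
    # list, which would drop the account from wheel and with it the doas
    # rule above. Note that the module creates the account if it does not
    # exist, where usermod would have failed.
    - name: Add specified users to staff
      user:
        name: "{{ item }}"
        groups: staff
        append: true
      loop: "{{ openbsd_staff }}"

    - name: Write doas configuration
      copy:
        content: "{{ openbsd_doas }}"
        dest: /etc/doas.conf
        owner: root
        group: wheel
        mode: '0600'
        # doas -C parses the candidate file and exits non-zero on a syntax
        # error, so a broken rule set never replaces the live one and doas
        # keeps working.
        validate: doas -C %s

    - name: Write pf configuration
      copy:
        content: "{{ openbsd_pf_conf }}"
        dest: /etc/pf.conf
        owner: root
        group: wheel
        mode: '0600'
        # pfctl -n parses without loading; a ruleset that does not parse is
        # rejected before it is installed.
        validate: pfctl -nf %s
      notify: Reload pf

    - name: Tune sysctls
      lineinfile:
        path: /etc/sysctl.conf
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      loop: "{{ openbsd_sysctls }}"
      tags:
        - sysctls

  handlers:
    # Activate the validated ruleset now instead of at the next boot. The
    # play uses a local connection, so reloading pf cannot cut the session.
    - name: Reload pf
      command: pfctl -f /etc/pf.conf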