diff --git a/bundles/arch-with-gui/metadata.py b/bundles/arch-with-gui/metadata.py index bae5136..4cbcc13 100644 --- a/bundles/arch-with-gui/metadata.py +++ b/bundles/arch-with-gui/metadata.py @@ -52,6 +52,7 @@ defaults = { # all them apps 'firefox': {}, + 'tlp': {}, }, }, } diff --git a/nodes/fkusei-locutus.py b/nodes/fkusei-locutus.py new file mode 100644 index 0000000..6e4a19e --- /dev/null +++ b/nodes/fkusei-locutus.py 
@@ -0,0 +1,204 @@
+nodes['fkusei-locutus'] = {
+ 'hostname': '172.19.138.96',
+ 'bundles': {
+ 'arch-with-gui',
+ 'bird',
+ 'lldp',
+ 'lm-sensors',
+ 'nfs-client',
+ 'systemd-boot',
+ 'telegraf-battery-usage',
+ 'wireguard',
+ 'zfs',
+ },
+ 'groups': {
+ 'arch',
+ },
+ 'metadata': {
+ 'arch-with-gui': {
+ 'autologin': {
+ 'username': 'fkunsmann',
+ 'session': 'i3.desktop',
+ },
+ 'i3pystatus': {
+ 'deps': {
+ 'colour',
+ 'netifaces',
+ 'basiciw',
+ },
+ },
+ },
+ 'bird': {
+ 'bgp_neighbors': {
+ 'smedia': {
+ 'local_as': 4200128002,
+ 'local_ip': '10.200.128.2',
+ 'neighbor_as': 64900,
+ 'neighbor_ip': '10.200.128.1',
+ },
+ },
+ },
+ 'firewall': {
+ 'port_rules': {
+ # obs websocket thingie - just allow all RFC1918 ips here
+ #'4444': {
+ # '10.0.0.0/8',
+ # '172.16.0.0/12',
+ # '192.168.0.0/16',
+ #},
+ # For the occasional file-share using `python -m http.server`
+ '8000': {'*'},
+ },
+ },
+ 'icinga_options': {
+ 'exclude_from_monitoring': True,
+ },
+ 'interfaces': {
+ 'enp0s31f6': {
+ 'dhcp': True,
+ 'ips': {
+ '172.19.138.96', # for static dhcp lease
+ },
+ 'mac': 'e8:6a:64:ef:cc:5c',
+ },
+ # there is also wlp2s0, but that's managed by netctl
+ },
+ 'location': 'home', # not actually true, but needed for static dhcp lease
+ 'nfs-client': {
+ 'mounts': {
+ 'nas-storage': {
+ 'mountpoint': '/mnt/nas',
+ 'serverpath': '172.19.138.20:/storage/nas',
+ 'mount_options': {
+ 'retry=0',
+ 'ro',
+ },
+ },
+ },
+ },
+ 'openssh': {
+ 'restrict-to': {
+ 'rfc1918',
+ 'ipv6',
+ },
+ },
+ 'pacman': {
+ 'linux-lts': True,
+ 'packages': {
+ # video drivers
+ 'xf86-video-intel': {},
+
+ # for i3pystatus
+ 'iw': {},
+ 'wireless_tools': {},
+
+ # all that other random stuff one needs
+ 'apachedirectorystudio': {},
+ 'browserpass': {},
+ 'browserpass-firefox': {},
+ 'direnv': {},
+ 'dunst': {},
+ 'libnotify': {}, # provides notify-send
+ 'maim': {},
+ 'mosquitto': {},
+ 'mpv': {},
+ 'pass': {},
+ 'pass-otp': {},
+ 'pdftk': {},
+ 'pwgen': {},
+ 'qpdfview': {},
+ 'the_silver_searcher': {},
+ 'thermald': {},
+ 'virt-manager': {},
+ 'xclip': {}, # for pass -c
+ 'xdotool': {},
+ },
+ },
+ 'systemd-boot': {
+ 'default': 'arch-lts',
+ 'entries': {
+ 'arch-lts': {
+ 'title': 'Arch Linux (LTS kernel)',
+ 'linux': '/vmlinuz-linux-lts',
+ 'initrd': [
+ '/intel-ucode.img',
+ '/initramfs-linux-lts.img',
+ ],
+ 'options': {
+ 'zfs=zroot/system/root',
+ 'rw',
+ },
+ },
+ 'arch-lts-fallback': {
+ 'title': 'Arch Linux (LTS kernel, no ucode, fallback initramfs)',
+ 'linux': '/vmlinuz-linux-lts',
+ 'initrd': [
+ '/initramfs-linux-lts-fallback.img',
+ ],
+ 'options': {
+ 'zfs=zroot/system/root',
+ 'rw',
+ },
+ },
+ },
+ },
+ 'systemd-networkd': {
+ 'enable-resolved': True,
+ },
+ 'timezone': 'Europe/Berlin',
+ 'users': {
+ 'fkunsmann': {
+ 'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='),
+ 'shell': '/usr/bin/fish',
+ 'sudo_commands': {
+ 'ALL',
+ },
+ },
+ 'sophie': {
+ 'delete': True,
+ },
+ },
+ 'wireguard': {
+ 'privatekey': vault.decrypt('smedia$NotViaThisRepository'),
+ 'peers': {
+ 'smedia': {
+ 'my_ip': '10.200.128.2/20',
+ 'my_port': 51820,
+ 'endpoint': '185.122.180.82:51820',
+ 'psk': vault.decrypt('smedia$NotViaThisRepository'),
+ 'pubkey': vault.decrypt('smedia$NotViaThisRepository'),
+ },
+ },
+ },
+ 'zfs': {
+ 'datasets': {
+ # this is not a complete list, but we can't create that
+ # structure using bundlewrap anyway, so there's no point
+ # in adding it here.
+ 'zroot/system/journal': {
+ 'mountpoint': '/var/log/journal',
+ 'acltype': 'posix',
+ },
+ 'zroot/system/root': {
+ 'canmount': 'noauto',
+ 'mountpoint': '/',
+ },
+ 'zroot/user/fkunsmann': {
+ 'mountpoint': '/home/fkunsmann',
+ },
+ },
+ 'snapshots': {
+ 'retain_per_dataset': {
+ 'zroot/user/fkunsmann': {
+ # juuuuuuuust to be sure
+ 'hourly': 100,
+ },
+ },
+ 'snapshot_never': {
+ 'zroot/system/journal',
+ },
+ },
+ },
+ },
+ 'os': 'arch',
+}
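Review bot: The `'8000': {'*'}` entry under `firewall` / `port_rules` leaves port 8000 reachable from every source address, and the `python -m http.server` it is meant for serves the working directory without authentication; the `wlp2s0` comment suggests this machine also joins networks this file does not describe. The commented-out 4444 rule just above it and the `openssh` `restrict-to` block both scope access to private ranges, and the same scoping here would read `'8000': {'10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'},`. If the open rule is deliberate, a comment such as `# intentionally open to any source, only bound while a share is running` would record that. Separately, `privatekey`, `psk` and `pubkey` under `wireguard` all pass the same `smedia$NotViaThisRepository` string to `vault.decrypt`, which looks like a placeholder and presumably will not decrypt at apply time, so a short comment on how the real values are supplied would help.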
diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py
index b874da7..4f8c4d6 100644
--- a/nodes/kunsi-p14s.py
+++ b/nodes/kunsi-p14s.py
@@ -121,7 +121,6 @@ nodes['kunsi-p14s'] = {
 'pwgen': {},
 'qpdfview': {},
 'the_silver_searcher': {},
- 'tlp': {}, # so we can stop charging the battery at 90%
 'virt-manager': {},
 'xclip': {}, # for pass -c
 'xdotool': {},