This project contains the Ansible and Terraform code to manage a freshly installed Arch Linux laptop and a separate Digital Ocean droplet.
- YOLO laptop (i.e. a laptop that doesn't really matter and can get wiped at any time)
- Digital Ocean account
- Cloudflare account (optional, but helpful)
- Hashicorp Vault (for storing sensitive data)
- Access credentials/tokens in environment variables for Terraform and Ansible
- Run the `main.tf` Terraform file to create the Digital Ocean droplet and the Cloudflare DNS record
- Run the `wireguard_svc.yml` playbook to configure the Wireguard VPN server
- Install Arch on the YOLO laptop (encrypting the drives if desired), and install/configure the SSH server
- Update the `inventory.ini` file with the IP address/username for the YOLO laptop
- Run the `main.yml` playbook (with `--ask-become-pass` if needed)
- ???
- Profit
.
├── ansible # Ansible Code
│ ├── inventory.ini # Inventory file for yolonix and vpn
│ ├── wg_clients # Yolonix config folder
│ │ ├── main.yml # Playbook to configure Wireguard client and basic programs
│ │ └── templates
│ │ └── wg0_peers.conf.j2 # Template for Wireguard client config
│ ├── wg_server # VPN config folder
│ │ ├── templates
│ │ │ └── wg0_server.conf.j2 # Template for Wireguard server config
│ │ └── wireguard_svc.yml # Playbook to configure Wireguard server
│ └── wg_server_vars.yml # Variables for Wireguard server (generated by wg_server playbook)
├── config.yml # Project Config file (used by Terraform and Ansible)
├── main.tf # Terraform code to create Digital Ocean droplet
└── README.md # This file
My YOLO laptop is a Lenovo u430 Touch, a 10-year-old laptop. It comes with a standard SATA drive (upgraded to a Samsung SSD), but there's an undocumented m.2 SATA slot that fits a 2242 drive. I've installed Arch on both, encrypted with a 30+ character passphrase and a secondary decryption key derived from a Yubikey challenge/response slot. One drive is for security conferences, the other is for travel usage.
Depending on which OS is booted, I wanted to be able to provision a different software configuration. To achieve this, I placed a flag file `~/.keyid` with the contents either `airport` or `conference` to indicate which OS is booted. This file is used by the `wg_clients` `main.yml` playbook to determine what to do.

If you don't have a similar layout, feel free to make appropriate changes to `main.yml`.
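The following play is an added illustration of the `~/.keyid` branching described above; it is not the project's own `wg_clients/main.yml`. It reads the flag file on the target, refuses to continue if the file is missing or holds anything other than `airport` or `conference`, installs one package common to both installs, and then includes a per-variant task file. The task file names (`tasks/airport.yml`, `tasks/conference.yml`) and the package split are assumptions for the example; the host name `yolonix` comes from the inventory comment in the tree above.

```yaml
# Added example, not the project's wg_clients/main.yml.
# Reads ~/.keyid on the YOLO laptop and branches on its value.
- name: Provision the YOLO laptop according to its ~/.keyid flag
  hosts: yolonix
  # No play-level become: ansible_env.HOME must be the login user's home,
  # not root's, so that ~/.keyid resolves to the right file.
  vars:
    keyid_path: "{{ ansible_env.HOME }}/.keyid"
    allowed_keyids:
      - airport
      - conference
  tasks:
    - name: Check whether the flag file exists
      ansible.builtin.stat:
        path: "{{ keyid_path }}"
      register: keyid_stat

    - name: Refuse to provision without a flag file
      ansible.builtin.fail:
        msg: >-
          {{ keyid_path }} is missing; create it containing
          'airport' or 'conference' before running this playbook.
      when: not keyid_stat.stat.exists

    - name: Read the flag file (slurp returns base64)
      ansible.builtin.slurp:
        src: "{{ keyid_path }}"
      register: keyid_raw

    - name: Decode and strip the trailing newline most editors add
      ansible.builtin.set_fact:
        keyid: "{{ keyid_raw.content | b64decode | trim }}"

    - name: Refuse unknown flag values rather than guessing a default
      ansible.builtin.fail:
        msg: >-
          Unexpected ~/.keyid value '{{ keyid }}'; expected one of
          {{ allowed_keyids | join(', ') }}.
      when: keyid not in allowed_keyids

    - name: Install packages needed on both installs (Wireguard client)
      become: true
      community.general.pacman:
        name:
          - wireguard-tools
        state: present
        update_cache: true

    # Assumed layout: one task file per flag value next to this playbook.
    - name: Run the tasks specific to this install
      ansible.builtin.include_tasks: "tasks/{{ keyid }}.yml"
```

Because the value is checked against an allow-list before it is interpolated into the `include_tasks` path, a stray or tampered `~/.keyid` cannot make the play include an arbitrary file; it fails loudly instead, which is what you want on a machine that may be wiped and rebuilt often.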
- Various Hashicorp packages (Vault, Terraform, Vagrant, etc.)
- Virtualization tools (podman, virtualbox)
- Yubikey tools and helpers
- Developer tools and libraries
- Network tools, including VPN clients
- Obsidian notes