-rw-r--r--inventory.yaml.example1
-rw-r--r--main.yaml1
-rw-r--r--tasks/dnsmasq_setup.yaml57
-rw-r--r--tasks/pve_configure.yaml17
-rw-r--r--tasks/pve_setup.yaml13
-rw-r--r--templates/vmbr1.conf.j229
-rw-r--r--vars/main.yaml3
7 files changed, 103 insertions, 18 deletions
diff --git a/inventory.yaml.example b/inventory.yaml.example
index 69081ac..96a3d65 100644
--- a/inventory.yaml.example
+++ b/inventory.yaml.example
@@ -7,6 +7,7 @@ all:
hostname: proxmox
nat_subnet: 10.10.10.0/24
nat_bridge_ip: 10.10.10.1
+ enable_dnsmasq: false
wg_subnet: 10.13.37.0/24
wg_port: 31337
children:
diff --git a/main.yaml b/main.yaml
index 7c7e60f..0653698 100644
--- a/main.yaml
+++ b/main.yaml
@@ -7,5 +7,6 @@
- import_tasks: tasks/preflight.yaml
- import_tasks: tasks/pve_setup.yaml
- import_tasks: tasks/pve_configure.yaml
+ - import_tasks: tasks/dnsmasq_setup.yaml
- import_tasks: tasks/harden.yaml
- import_tasks: tasks/wg_setup.yaml
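Review bot: The new `- import_tasks: tasks/dnsmasq_setup.yaml` line runs before `tasks/harden.yaml`, yet dnsmasq_setup.yaml edits /etc/ufw/before.rules with blockinfile; if harden.yaml is where ufw is installed or its rule files are written, that edit would either fail on a missing file or be overwritten afterwards. harden.yaml is not visible here, so this is an ordering assumption to confirm rather than a certain defect. If the dependency is real, swapping the two imports (`- import_tasks: tasks/harden.yaml` first, then `- import_tasks: tasks/dnsmasq_setup.yaml`) keeps the firewall exception from being lost.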
diff --git a/tasks/dnsmasq_setup.yaml b/tasks/dnsmasq_setup.yaml
new file mode 100644
index 0000000..a5863ba
--- /dev/null
+++ b/tasks/dnsmasq_setup.yaml
@@ -0,0 +1,57 @@
+- name: configure and enable dnsmasq if enabled
+ when: enable_dnsmasq | bool
+ block:
+ - name: install dnsmasq
+ apt:
+ name: dnsmasq
+ state: present
+ update_cache: true
+
+ - name: remove existing /etc/dnsmasq.d directory and all contents
+ file:
+ path: /etc/dnsmasq.d
+ state: absent
+
+ - name: recreate empty /etc/dnsmasq.d directory
+ file:
+ path: /etc/dnsmasq.d
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+
+ - name: deploy dnsmasq config from template
+ template:
+ src: vmbr1.conf.j2
+ dest: /etc/dnsmasq.d/vmbr1.conf
+ owner: root
+ group: root
+ mode: '0644'
+
+ - name: ensure dnsmasq group exists
+ group:
+ name: dnsmasq
+ system: yes
+
+ - name: ensure dnsmasq user exists
+ user:
+ name: dnsmasq
+ group: dnsmasq
+ system: yes
+ create_home: no
+
+ - name: insert dhcp allow rules for vmbr1 into /etc/ufw/before.rules
+ blockinfile:
+ path: /etc/ufw/before.rules
+ block: |
+ -A ufw-before-input -i vmbr1 -p udp --dport 67 -j ACCEPT
+ -A ufw-before-output -o vmbr1 -p udp --sport 67 -j ACCEPT
+ marker: "# {mark} ANSIBLE MANAGED DHCP VMBR1 ALLOW RULES"
+ insertafter: '^# End required lines'
+
+ - name: enable and restart dnsmasq service
+ systemd:
+ name: dnsmasq
+ enabled: true
+ state: restarted
+ when: ansible_service_mgr == 'systemd'
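Review bot: The blockinfile task anchored on `insertafter: '^# End required lines'` falls back to end-of-file when the regex does not match, and in /etc/ufw/before.rules the end of file is after the `COMMIT` line, so the two DHCP rules would then sit outside the *filter table and make ufw reject the file on reload; nothing here reloads ufw either, so the rules do not take effect until something else does. Consider adding `validate` or a handler that runs `ufw reload` and a comment above the task, `# rules must land before COMMIT; insertafter falls back to EOF if the anchor is missing`. Two style points in the same file: `system: yes` / `create_home: no` should be `true` / `false` like `update_cache: true` above, and `state: restarted` restarts dnsmasq on every run; moving the restart into a handler notified by the template task keeps the play idempotent.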
diff --git a/tasks/pve_configure.yaml b/tasks/pve_configure.yaml
index bbc9abc..c19964a 100644
--- a/tasks/pve_configure.yaml
+++ b/tasks/pve_configure.yaml
@@ -132,20 +132,3 @@
- name: add user to admin group
command: pveum usermod {{ pve_admin_user }} -group {{ pve_admin_group }}
register: add_to_group
-
-- name: ensure /etc/pve/priv directory exists
- file:
- path: /etc/pve/priv
- state: directory
- mode: '0700'
- owner: root
- group: root
-
-- name: copy /root/.ssh/authorized_keys to /etc/pve/priv/authorized_keys
- copy:
- src: /root/.ssh/authorized_keys
- dest: /etc/pve/priv/authorized_keys
- owner: root
- group: root
- mode: '0600'
- remote_src: true
diff --git a/tasks/pve_setup.yaml b/tasks/pve_setup.yaml
index 9de9489..28fb8bc 100644
--- a/tasks/pve_setup.yaml
+++ b/tasks/pve_setup.yaml
@@ -97,6 +97,19 @@
register: grub_update
changed_when: "'Generating grub configuration file' in grub_update.stdout"
+- name: block all generic linux-image and linux-headers (non-pve)
+ copy:
+ dest: /etc/apt/preferences.d/no-debian-kernel
+ content: |
+ Package: linux-image-*
+ Pin: release *
+ Pin-Priority: -1
+
+ Package: linux-headers-*
+ Pin: release *
+ Pin-Priority: -1
+ mode: '0644'
+
- name: remove problematic apt packages for pve
apt:
name: "{{ apt_packages_to_remove }}"
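Review bot: The new task starting at `- name: block all generic linux-image and linux-headers (non-pve)` is glued directly onto the preceding `changed_when:` line with no separating blank line, while the task after it is separated by one; add the blank line for consistency. The pin itself is undocumented in the deployed file; apt preferences accept an `Explanation:` field, so a line such as `Explanation: keep Debian stock kernels out so the pve kernel remains the only one installed` inside the `content: |` block records the intent on the host. I cannot tell from here whether any package the pve setup depends on matches `linux-image-*` or `linux-headers-*`; if one does, a -1 priority would block it, so that is worth checking with `apt-cache policy` on a test host.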
diff --git a/templates/vmbr1.conf.j2 b/templates/vmbr1.conf.j2
new file mode 100644
index 0000000..7e00a2d
--- /dev/null
+++ b/templates/vmbr1.conf.j2
@@ -0,0 +1,29 @@
+# Serve DHCP only on vmbr1
+interface=vmbr1
+bind-interfaces
+
+# Disable DNS functionality entirely
+port=0
+
+# DHCP range with 12h lease time
+dhcp-range={{ nat_subnet_prefix }}.100,{{ nat_subnet_prefix }}.200,12h
+
+# Gateway and external DNS for clients
+dhcp-option=3,{{ nat_subnet_prefix }}.1 # Gateway
+dhcp-option=6,1.1.1.1,1.0.0.1 # DNS servers
+
+# Block dnsmasq from loading unrelated configs
+no-hosts
+no-resolv
+
+# Disable ping checks and extra interfaces
+no-ping
+no-dhcp-interface=
+
+# Drop privileges
+user=dnsmasq
+group=dnsmasq
+
+# Logging
+log-queries
+log-dhcp
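Review bot: The gateway handed to clients on the `dhcp-option=3,{{ nat_subnet_prefix }}.1` line is hard-wired to the `.1` host, while the inventory in this same commit carries the bridge address as `nat_bridge_ip`; using `dhcp-option=3,{{ nat_bridge_ip }}` keeps the two from drifting if the bridge address is ever changed. The bare `no-dhcp-interface=` with an empty value looks like a leftover; `bind-interfaces` plus `interface=vmbr1` already limits the listener, and an empty argument is at best a no-op and at worst a startup failure, so it should be dropped or checked with `dnsmasq --test`. The resolvers on the `dhcp-option=6,...` line are fixed public addresses; a variable would let an operator point clients at an internal resolver without editing the template.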
diff --git a/vars/main.yaml b/vars/main.yaml
index 759bcfb..bba2170 100644
--- a/vars/main.yaml
+++ b/vars/main.yaml
@@ -29,8 +29,9 @@ wireguard_packages:
- iproute2
fail2ban_jail_dir: /etc/fail2ban/jail.d
-random_hex: "{{ lookup('password', '/dev/null', length=8, chars='abcdefghijklmnopqrstuvwxyz0123456789') }}"
+random_hex: "{{ ((ansible_date_time.epoch | string) ~ inventory_hostname) | hash('md5') | truncate(8, end='') }}"
pve_hostname: "{{ hostname }}-{{ random_hex }}"
+nat_subnet_prefix: "{{ nat_subnet.split('.')[0:3] | join('.') }}"
wg_server_home: /etc/wireguard
wg_peers_home: "{{ wg_server_home }}/peers.d"
wg_ip_file: "{{ wg_server_home }}/ips.txt"
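Review bot: The new `nat_subnet_prefix` takes the first three octets of `nat_subnet` and so silently assumes a /24; with any other prefix length the derived `.100`–`.200` DHCP range in the template would fall outside or inside the wrong subnet. A guard such as `assert: { that: nat_subnet.endswith('/24') }` in preflight, or a comment `# assumes a /24; the dnsmasq template builds addresses from the first three octets`, would make the constraint explicit. Separately, `random_hex` is no longer random: it is an md5 of the epoch and inventory hostname, so the name now misleads, and `truncate(8, end='')` can be written as the plainer `[:8]` slice since the hex digest has no spaces for truncate's word handling to act on.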