Switch network management to systemd-networkd and iwd

- Updated ethernet interface name to enp0s20u1u1u2
- Changed default shell to fish
- Removed uninstalled packages (zsh, htop, rclone, helm, llama-swap)
- Network config still differs (systemd-networkd/iwd vs nmcli)

ansible/CLAUDE.md

@@ -0,0 +1,123 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Overview
+
+This is an Ansible-based machine provisioning system for Arch Linux systems. It automates the setup of a new machine including hostname, networking (WiFi/Ethernet), user accounts, SSH configuration, and package installation from multiple sources (pacman, AUR, Flatpak, AppImage).
+
+## Architecture
+
+The repository follows Ansible's role-based structure with two primary roles:
+
+### Common Role (`roles/common/`)
+Handles system-level configuration:
+- Hostname configuration
+- Network configuration using NetworkManager (nmcli)
+- User account management with password-hashed credentials
+- SSH daemon configuration with handlers for service restart
+
+**Key Implementation Details:**
+- Network connections use `creates:` parameter to avoid recreating existing NetworkManager connection files
+- User passwords should be hashed (SHA-512) or managed via Ansible Vault
+- SSH configuration changes trigger the `Restart sshd` handler (defined in `roles/common/handlers/main.yml`)
+
+### Packages Role (`roles/packages/`)
+Manages software installation from multiple sources:
+- Ensures `yay` AUR helper is installed (clones from AUR, builds with makepkg)
+- Installs pacman packages from `roles/packages/files/pkglist.txt`
+- Installs AUR packages from `roles/packages/files/aur_pkglist.txt` using yay
+- Installs Flatpak packages from `roles/packages/files/flatpak_pkglist.txt`
+- Downloads AppImages from URLs in `roles/packages/files/appimage_pkglist.txt` to `~/Applications`
+
+**Key Implementation Details:**
+- Yay installation uses a block with conditional execution (checks if yay exists first)
+- Package lists are read line-by-line using `with_lines` module
+- AppImages are set to executable mode (0755) upon download
+
+## Common Commands
+
+### Running the Full Playbook
+```bash
+# Full run with privilege escalation prompt
+ansible-playbook -i inventory playbook.yml --ask-become-pass
+
+# Dry-run to preview changes
+ansible-playbook -i inventory playbook.yml --check
+
+# With encrypted vault variables
+ansible-playbook -i inventory playbook.yml --ask-vault-pass --ask-become-pass
+```
+
+### Running Specific Tasks with Tags
+```bash
+# Network configuration only (WiFi + Ethernet)
+ansible-playbook -i inventory playbook.yml --tags "network" --ask-become-pass
+
+# WiFi configuration only
+ansible-playbook -i inventory playbook.yml --tags "wifi" --ask-become-pass
+
+# Ethernet configuration only
+ansible-playbook -i inventory playbook.yml --tags "ethernet" --ask-become-pass
+
+# User management only
+ansible-playbook -i inventory playbook.yml --tags "users" --ask-become-pass
+
+# SSH daemon configuration only
+ansible-playbook -i inventory playbook.yml --tags "sshd" --ask-become-pass
+
+# Install pacman packages only
+ansible-playbook -i inventory playbook.yml --tags "pacman" --ask-become-pass
+
+# Install AUR packages only
+ansible-playbook -i inventory playbook.yml --tags "aur" --ask-become-pass
+
+# Install Flatpak packages only
+ansible-playbook -i inventory playbook.yml --tags "flatpak" --ask-become-pass
+
+# Download AppImages only
+ansible-playbook -i inventory playbook.yml --tags "appimage" --ask-become-pass
+```
+
+### Syntax Validation
+```bash
+# Check playbook syntax
+ansible-playbook --syntax-check playbook.yml
+
+# Lint all playbooks and roles
+ansible-lint playbook.yml
+```
+
+## Configuration Files
+
+- **`ansible.cfg`**: Sets default inventory location
+- **`inventory`**: Defines target hosts (currently configured for `[new_machine]` group)
+- **`playbook.yml`**: Main orchestration playbook applying both roles
+- **`roles/common/defaults/main.yml`**: Default variables for hostname, network, users, SSH (contains sensitive data)
+- **`roles/packages/defaults/main.yml`**: File paths for package lists
+
+## Security Considerations
+
+**This repository contains sensitive information in plaintext** (`roles/common/defaults/main.yml`):
+- WiFi passwords
+- User password hashes
+- Static IP configurations
+
+When modifying sensitive variables:
+```bash
+# Encrypt sensitive files
+ansible-vault encrypt roles/common/defaults/main.yml
+
+# Edit encrypted files
+ansible-vault edit roles/common/defaults/main.yml
+
+# View encrypted files
+ansible-vault view roles/common/defaults/main.yml
+```
+
+## Target System Requirements
+
+- **OS**: Arch Linux (uses pacman, AUR, systemd)
+- **Network**: NetworkManager for network configuration
+- **Python**: Python 3 interpreter at `/usr/bin/python3`
+- **SSH**: SSH access with sudo privileges

ansible/roles/common/defaults/main.yml

@@ -10,7 +10,7 @@ common_wifi_password: "04251992#04291962#"
 common_wifi_connection_name: "theden"
 
 # Ethernet Configuration
-common_ethernet_ifname: "eth0"
+common_ethernet_ifname: "enp0s20u1u1u2"
 common_ethernet_con_name: "Ethernet"
 common_ethernet_ipv4_address: "192.168.153.117/24"
 common_ethernet_ipv4_gateway: "192.168.153.1"
@@ -18,6 +18,7 @@ common_ethernet_ipv4_dns: "8.8.8.8,1.1.1.1"
 
 # User Configuration
 common_user_name: "will"
+common_user_shell: "/usr/bin/fish"
 common_user_password: "$6$SQB4NRF/A4OI6oSq$Oe9DwyIpNo9CUobOU67kJri4OA91/o3bUWV3SFZmOWamxidShZjLDCG29hFw3f5Ta0uPfjKtQMVdY0ToPM0e71" # This should ideally be hashed or managed by vault
 
 # SSHD Configuration

ansible/roles/common/files/20-ethernet.network

@@ -0,0 +1,26 @@
+[Match]
+# Matching with "Type=ether" causes issues with containers because it also matches virtual Ethernet interfaces (veth*).
+# See https://bugs.archlinux.org/task/70892
+# Instead match by globbing the network interface name.
+Name=en*
+Name=eth*
+
+[Link]
+RequiredForOnline=routable
+
+[Network]
+DHCP=yes
+MulticastDNS=yes
+
+# systemd-networkd does not set per-interface-type default route metrics
+# https://github.com/systemd/systemd/issues/17698
+# Explicitly set route metric, so that Ethernet is preferred over Wi-Fi and Wi-Fi is preferred over mobile broadband.
+# Use values from NetworkManager. From nm_device_get_route_metric_default in
+# https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/main/src/core/devices/nm-device.c
+[DHCPv4]
+UseDNS=no
+RouteMetric=100
+
+[IPv6AcceptRA]
+UseDNS=no
+RouteMetric=100

ansible/roles/common/handlers/main.yml

@@ -1,6 +1,11 @@
 ---
 # Handlers for the 'common' role
 
+- name: Restart systemd-networkd
+  ansible.builtin.service:
+    name: systemd-networkd
+    state: restarted
+
 - name: Restart sshd
   ansible.builtin.service:
     name: sshd

ansible/roles/common/tasks/main.yml

@@ -6,32 +6,39 @@
     name: "{{ common_hostname }}"
   tags: [ 'common', 'hostname' ]
 
-- name: Configure WiFi connection '{{ common_wifi_connection_name }}'
-  become: true
-  ansible.builtin.command:
-    cmd: >
-      nmcli dev wifi connect "{{ common_wifi_ssid }}"
-      password "{{ common_wifi_password }}"
-      name "{{ common_wifi_connection_name }}"
-  args:
-    creates: "/etc/NetworkManager/system-connections/{{ common_wifi_connection_name }}.nmconnection"
-  ignore_errors: true
+- name: Ensure systemd-networkd is enabled and running
+  ansible.builtin.service:
+    name: systemd-networkd
+    enabled: yes
+    state: started
+  tags: [ 'common', 'network' ]
+
+- name: Ensure iwd is enabled and running
+  ansible.builtin.service:
+    name: iwd
+    enabled: yes
+    state: started
   tags: [ 'common', 'network', 'wifi' ]
 
-- name: Configure ethernet connection '{{ common_ethernet_con_name }}' with static IP, gateway, and DNS
-  become: true
-  ansible.builtin.command:
-    cmd: >
-      nmcli con add type ethernet ifname {{ common_ethernet_ifname }} con-name "{{ common_ethernet_con_name }}" ipv4.method manual ipv4.addresses {{ common_ethernet_ipv4_address }} ipv4.gateway {{ common_ethernet_ipv4_gateway }} ipv4.dns "{{ common_ethernet_ipv4_dns }}"
-  args:
-    creates: "/etc/NetworkManager/system-connections/{{ common_ethernet_con_name }}.nmconnection"
-  ignore_errors: true
+- name: Deploy ethernet network configuration
+  ansible.builtin.copy:
+    src: files/20-ethernet.network
+    dest: /etc/systemd/network/20-ethernet.network
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart systemd-networkd
   tags: [ 'common', 'network', 'ethernet' ]
+
+- name: Configure WiFi (requires manual interaction or pre-seeded iwd config)
+  debug:
+    msg: "WiFi configuration via Ansible for iwd is complex. Ensure /var/lib/iwd/ contains correct .psk files."
+  tags: [ 'common', 'network', 'wifi' ]
 - name: Ensure user '{{ common_user_name }}' exists with specified password
   ansible.builtin.user:
     name: "{{ common_user_name }}"
     password: "{{ common_user_password }}"
-    shell: /bin/bash
+    shell: "{{ common_user_shell | default('/bin/bash') }}"
     state: present
     create_home: yes
   tags: [ 'common', 'users' ]

ansible/roles/packages/files/aur_pkglist.txt

@@ -8,7 +8,6 @@ gtk
 k0s-bin
 k0sctl-bin
 kubecolor
-llama-swap
 nautilus-bluetooth
 newelle
 orchis-theme-git

ansible/roles/packages/files/pkglist.txt

@@ -112,8 +112,6 @@ gvfs-nfs
 gvfs-onedrive
 gvfs-smb
 gvfs-wsdd
-helm
-htop
 inetutils
 inkscape
 inotify-tools
@@ -142,7 +140,6 @@ nano
 nautilus
 netctl
 network-manager-applet
-networkmanager
 nfs-utils
 npm
 open-iscsi
@@ -159,7 +156,6 @@ python-standard-cgi
 python-standard-chunk
 python-uv
 qpdf
-rclone
 rdfind
 restic
 rustup
@@ -257,8 +253,3 @@ zenity
 zig
 zip
 zoom
-zsh
-zsh-autosuggestions
-zsh-completions
-zsh-history-substring-search
-zsh-syntax-highlighting