WoodSmellParticle/ansible-infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor!: switch hosts variables to a flat layout

Browse source
This commit is contained in:
NaeiKinDus 2024-01-21 00:00:00 +00:00
parent f669dea62a
commit 779f2766f2
Signed by: WoodSmellParticle
GPG key ID: 8E52ADFF7CA8AE56
33 changed files with 270 additions and 322 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/converge.yml
View file

@ -24,6 +24,10 @@
- include_vars: ../../../../../../../inventory/group_vars/all/vars.yml - include_vars: ../../../../../../../inventory/group_vars/all/vars.yml
- include_vars: ../../../../../../../inventory/group_vars/all/vault.yml - include_vars: ../../../../../../../inventory/group_vars/all/vault.yml
- include_vars: ./platform_vars.yml - include_vars: ./platform_vars.yml
- name: Platform hostvars
ansible.builtin.debug:
msg: "{{ hostvars[inventory_hostname] }}"
verbosity: 1
- name: Enable guest console access - name: Enable guest console access
become: true become: true
ansible.builtin.systemd_service: ansible.builtin.systemd_service:

3
collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/molecule.yml
View file

@ -33,6 +33,9 @@ platforms:
- molecule - molecule
provisioner: provisioner:
name: ansible name: ansible
config_options:
defaults:
vault_password_file: ${HOME}/.config/ansible/vault-id
inventory: inventory:
group_vars: group_vars:
molecule: molecule:

10
collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/platform_vars.yml
View file

@ -1,8 +1,4 @@
custom_base_user_account: 'vagrant' custom_base_user_account: 'vagrant'
custom_security: security_firewall_mangle_drop_privatenets: false
firewall: common_configure_resolve_conf: true
mangle: global_ip_dualstack: false
drop_privatenets: false
custom_common:
configure_resolv_conf: true
ip_dualstack: false

1
collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/requirements.yml
View file

@ -1,2 +1,3 @@
collections: collections:
- community.docker - community.docker
- ansible.netcommon

32
collections/ansible_collections/nullified/infrastructure/roles/common/defaults/main.yml
View file

@ -1,20 +1,14 @@
--- ---
common: common_apt_packages: []
apt: common_apt_source_components: ["contrib", "non-free", "non-free-firmware"]
source_components: ['contrib', 'non-free', 'non-free-firmware'] common_apt_use_deb822_format: false
packages: [] common_configure_resolve_conf: false
deb822_format: false common_git_email: ""
git: common_git_enabled: false
enable: false common_git_force_sign: false
username: "" common_git_signing_key: ""
email: "" common_git_username: ""
force_sign: false common_github_token: "{{ custom_github_token | default('') }}"
signing_key: "" common_install_fonts: false
github_token: "{{ custom_github_token | default('') }}" common_sysctl_configuration: {}
install_fonts: false common_user_account: "{{ custom_base_user_account }}"
sysctl: {}
user_account: "{{ custom_base_user_account | default('root') }}"
configure_resolv_conf: false
custom_common: {}
recursive_combine: true

16
collections/ansible_collections/nullified/infrastructure/roles/common/tasks/home_setup.yml
View file

@ -2,16 +2,16 @@
- name: '[home] get user account information' - name: '[home] get user account information'
ansible.builtin.getent: ansible.builtin.getent:
database: passwd database: passwd
key: "{{ common.user_account }}" key: "{{ common_user_account }}"
split: ":" split: ":"
changed_when: false changed_when: false
when: ansible_facts['getent_passwd'] is undefined or common.user_account not in ansible_facts['getent_passwd'] when: ansible_facts['getent_passwd'] is undefined or common_user_account not in ansible_facts['getent_passwd']
- name: '[home] create common directories' - name: '[home] create common directories'
become: true become: true
become_user: "{{ common.user_account }}" become_user: "{{ common_user_account }}"
ansible.builtin.file: ansible.builtin.file:
path: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/{{ item }}" path: "{{ ansible_facts['getent_passwd'][common_user_account][4] }}/{{ item }}"
state: directory state: directory
mode: '0750' mode: '0750'
loop: loop:
@ -22,19 +22,19 @@
- name: '[home] setup home files' - name: '[home] setup home files'
become: true become: true
become_user: "{{ common.user_account }}" become_user: "{{ common_user_account }}"
block: block:
- name: '[home] git configuration' - name: '[home] git configuration'
ansible.builtin.template: ansible.builtin.template:
src: ../templates/home/.gitconfig.j2 src: ../templates/home/.gitconfig.j2
dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/.gitconfig" dest: "{{ ansible_facts['getent_passwd'][common_user_account][4] }}/.gitconfig"
mode: '0640' mode: '0640'
when: common.git.enable is truthy when: common_git_enabled is truthy
- name: '[home] basic files' - name: '[home] basic files'
ansible.builtin.copy: ansible.builtin.copy:
src: "../templates/home/{{ item.name }}" src: "../templates/home/{{ item.name }}"
dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/{{ item.name }}" dest: "{{ ansible_facts['getent_passwd'][common_user_account][4] }}/{{ item.name }}"
mode: "{{ item.mode | default('0640') }}" mode: "{{ item.mode | default('0640') }}"
loop: loop:
- { name: ".lessfilter", mode: '0750' } - { name: ".lessfilter", mode: '0750' }

26
collections/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml
View file

@ -1,9 +1,4 @@
--- ---
- name: '[setup] merge with custom vars'
ansible.builtin.set_fact:
common: "{{ common | combine(custom_common, recursive=recursive_combine) }}"
changed_when: false
- name: '[system] setup DNS server' - name: '[system] setup DNS server'
block: block:
- name: disable resolv.conf updates from dhclient - name: disable resolv.conf updates from dhclient
@ -25,7 +20,7 @@
owner: root owner: root
group: root group: root
become: true become: true
when: common.configure_resolv_conf is truthy when: common_configure_resolve_conf is truthy
- name: '[system] re-allow DHCP client to setup DNS resolvers' - name: '[system] re-allow DHCP client to setup DNS resolvers'
become: true become: true
@ -33,7 +28,7 @@
path: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate path: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
state: absent state: absent
failed_when: false failed_when: false
when : common.configure_resolv_conf is falsy when : common_configure_resolve_conf is falsy
- name: '[apt] verify components of default sources' - name: '[apt] verify components of default sources'
become: true become: true
@ -43,15 +38,15 @@
path: '/etc/apt/sources.list' path: '/etc/apt/sources.list'
regexp: '^(deb((?!{{ item }}).)+)$' regexp: '^(deb((?!{{ item }}).)+)$'
replace: '\1 {{ item }}' replace: '\1 {{ item }}'
when: not common.apt.deb822_format | bool loop: '{{ common_apt_source_components }}'
loop: '{{ common.apt.source_components }}' when: common_apt_use_deb822_format is falsy
- name: '[apt] default deb822 debian.sources' - name: '[apt] default deb822 debian.sources'
ansible.builtin.replace: ansible.builtin.replace:
path: '/etc/apt/sources.list.d/debian.sources' path: '/etc/apt/sources.list.d/debian.sources'
regexp: '^(Components: ((?!{{ item }}).)+)$' regexp: '^(Components: ((?!{{ item }}).)+)$'
replace: '\1 {{ item }}' replace: '\1 {{ item }}'
loop: '{{ common.apt.source_components }}' loop: '{{ common_apt_source_components }}'
when: common.apt.deb822_format | bool when: common_apt_use_deb822_format is truthy
- name: '[apt] install dependencies and tools' - name: '[apt] install dependencies and tools'
become: true become: true
@ -98,7 +93,7 @@
asset_type: "{{ item.asset_type }}" asset_type: "{{ item.asset_type }}"
cmds: "{{ item.cmds | default([]) }}" cmds: "{{ item.cmds | default([]) }}"
creates: "{{ item.creates | default('') }}" creates: "{{ item.creates | default('') }}"
github_token: "{{ common.github_token }}" github_token: "{{ common_github_token }}"
repository: "{{ item.repository }}" repository: "{{ item.repository }}"
version: "{{ item.version | default('') }}" version: "{{ item.version | default('') }}"
loop: loop:
@ -144,9 +139,9 @@
src: ../templates/system/sysctld.local.conf.j2 src: ../templates/system/sysctld.local.conf.j2
dest: /etc/sysctl.d/local.conf dest: /etc/sysctl.d/local.conf
mode: '0644' mode: '0644'
when: common.sysctl is truthy when: common_sysctl_configuration is truthy
vars: vars:
sysctl_values: "{{ common.sysctl }}" sysctl_values: "{{ common_sysctl_configuration }}"
notify: notify:
- 'common : [system] reload sysctl configuration' - 'common : [system] reload sysctl configuration'
@ -156,8 +151,7 @@
update_cache: true update_cache: true
force_apt_get: true force_apt_get: true
cache_valid_time: 3600 cache_valid_time: 3600
pkg: pkg: "{{ common_apt_packages }}"
"{{ common.apt.packages }}"
- include_tasks: home_setup.yml - include_tasks: home_setup.yml

24
collections/ansible_collections/nullified/infrastructure/roles/common/tasks/shell_customization.yml
View file

@ -2,10 +2,10 @@
- name: '[home] get user account information' - name: '[home] get user account information'
ansible.builtin.getent: ansible.builtin.getent:
database: passwd database: passwd
key: "{{ common.user_account }}" key: "{{ common_user_account }}"
split: ":" split: ":"
changed_when: false changed_when: false
when: ansible_facts['getent_passwd'] is undefined or common.user_account not in ansible_facts['getent_passwd'] when: ansible_facts['getent_passwd'] is undefined or common_user_account not in ansible_facts['getent_passwd']
- name: '[shell] install ZSH and dependencies' - name: '[shell] install ZSH and dependencies'
become: true become: true
@ -20,7 +20,7 @@
- name: '[shell] install custom fonts' - name: '[shell] install custom fonts'
become: true become: true
become_user: "{{ common.user_account }}" become_user: "{{ common_user_account }}"
block: block:
- name: '[fonts] add fonts tooling' - name: '[fonts] add fonts tooling'
become_user: root become_user: root
@ -34,18 +34,18 @@
- name: '[fonts] adding fonts' - name: '[fonts] adding fonts'
ansible.builtin.copy: ansible.builtin.copy:
src: ../assets/fonts/ src: ../assets/fonts/
dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/.local/share/fonts" dest: "{{ ansible_facts['getent_passwd'][common_user_account][4] }}/.local/share/fonts"
mode: '0640' mode: '0640'
- name: '[fonts] refresh fonts cache' - name: '[fonts] refresh fonts cache'
ansible.builtin.command: ansible.builtin.command:
cmd: fc-cache cmd: fc-cache
changed_when: false changed_when: false
when: common.install_fonts is truthy when: common_install_fonts is truthy
- name: '[shell] install Oh-My-ZSH' - name: '[shell] install Oh-My-ZSH'
become: true become: true
become_user: "{{ common.user_account }}" become_user: "{{ common_user_account }}"
block: block:
- name: '[omz] get install script' - name: '[omz] get install script'
ansible.builtin.get_url: ansible.builtin.get_url:
@ -56,22 +56,22 @@
- name: '[omz] install OMZ' - name: '[omz] install OMZ'
ansible.builtin.command: ansible.builtin.command:
cmd: sh /tmp/zsh-install.sh --unattended cmd: sh /tmp/zsh-install.sh --unattended
creates: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/.oh-my-zsh" creates: "{{ ansible_facts['getent_passwd'][common_user_account][4] }}/.oh-my-zsh"
- name: '[shell] install powerlevel10k customization for OMZ' - name: '[shell] install powerlevel10k customization for OMZ'
become: true become: true
become_user: "{{ common.user_account }}" become_user: "{{ common_user_account }}"
ansible.builtin.git: ansible.builtin.git:
repo: https://github.com/romkatv/powerlevel10k.git repo: https://github.com/romkatv/powerlevel10k.git
dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/.oh-my-zsh/custom/themes/powerlevel10k" dest: "{{ ansible_facts['getent_passwd'][common_user_account][4] }}/.oh-my-zsh/custom/themes/powerlevel10k"
depth: 1 depth: 1
- name: '[home] copy zsh files' - name: '[home] copy zsh files'
become: true become: true
become_user: "{{ common.user_account }}" become_user: "{{ common_user_account }}"
ansible.builtin.copy: ansible.builtin.copy:
src: "../templates/home/{{ item }}" src: "../templates/home/{{ item }}"
dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/{{ item }}" dest: "{{ ansible_facts['getent_passwd'][common_user_account][4] }}/{{ item }}"
mode: '0640' mode: '0640'
loop: loop:
- .p10k.zsh - .p10k.zsh
@ -84,6 +84,6 @@
- name: '[shell] update user shell to ZSH' - name: '[shell] update user shell to ZSH'
become: true become: true
ansible.builtin.user: ansible.builtin.user:
name: "{{ common.user_account }}" name: "{{ common_user_account }}"
shell: "/usr/bin/zsh" shell: "/usr/bin/zsh"
state: present state: present

24
collections/ansible_collections/nullified/infrastructure/roles/common/templates/home/.gitconfig.j2
View file

@ -1,22 +1,22 @@
[user] [user]
name = {{ common.git.username }} name = {{ common_git_username }}
email = {{ common.git.email }} email = {{ common_git_email }}
{% if common.git.force_sign and common.git.signing_key %} {%- if common_git_force_sign and common_git_signing_key +%}
signingkey = {{ common.git.signing_key }} signingkey = {{ common_git_signing_key }}
{% endif %} {%- endif +%}
[commit] [commit]
{% if common.git.force_sign %} {% if common_git_force_sign -%}
gpgsign = true gpgsign = true
{% else %} {%- else -%}
gpgsign = false gpgsign = false
{% endif %} {%- endif +%}
[tag] [tag]
{% if common.git.force_sign %} {% if common_git_force_sign -%}
gpgsign = true gpgsign = true
{% else %} {%- else -%}
gpgsign = false gpgsign = false
{% endif -%} {%- endif +%}
{% raw %} {%- raw %}
[alias] [alias]
br = "branch" br = "branch"
ci = "commit" ci = "commit"

10
collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/resolv.conf.j2
View file

@ -1,10 +1,12 @@
{% if dns[dns.type].dns4 is defined and dns[dns.type].dns4 | length > 0 -%} {% set dns4_servers = hostvars[inventory_hostname]["global_dns_{}_dns4".format(global_dns_type)] | default([]) %}
{% for server in dns[dns.type].dns4 -%} {% set dns6_servers = hostvars[inventory_hostname]["global_dns_{}_dns6".format(global_dns_type)] | default([]) %}
{% if dns4_servers is defined and dns4_servers | length > 0 -%}
{% for server in dns4_servers -%}
nameserver {{ server }} nameserver {{ server }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if ip_dualstack | default(false) and dns[dns.type].dns6 is defined and dns[dns.type].dns6 | length > 0 -%} {% if global_ip_dualstack | default(false) and dns6_servers is defined and dns6_servers | length > 0 -%}
{% for server in dns[dns.type].dns6 -%} {% for server in dns6_servers -%}
nameserver {{ server }} nameserver {{ server }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

4
collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/sysctld.local.conf.j2
View file

@ -1,3 +1,3 @@
{% for item in sysctl_values.keys() -%} {% for item in common_sysctl_configuration.keys() -%}
{{ item }} = {{ sysctl_values[item] }} {{ item }} = {{ common_sysctl_configuration[item] }}
{% endfor %} {% endfor %}

22
collections/ansible_collections/nullified/infrastructure/roles/development/defaults/main.yml
View file

@ -1,15 +1,9 @@
--- ---
development: development_user_account: "{{ custom_base_user_account }}"
docker: development_github_token: "{{ custom_github_token | default('') }}"
userns: true development_virtualbox_version: "7.0"
remap_user: "{{ custom_base_user_account }}" development_docker_userns: true
remap_group: "{{ custom_base_user_account }}" development_rust_enabled: true
systemd_slice: docker.slice development_docker_remap_user: "{{ development_user_account }}"
github_token: "{{ custom_github_token | default('') }}" development_docker_remap_group: "{{ development_user_account }}"
rust: development_docker_systemd_slice: docker.slice
enable: true
user_account: "{{ custom_base_user_account }}"
virtualbox_version: "7.0"
custom_development: {}
recursive_combine: true

37
collections/ansible_collections/nullified/infrastructure/roles/development/tasks/main.yml
View file

@ -7,18 +7,13 @@
- kernel - kernel
- virtualization_type - virtualization_type
- name: '[setup] merge with custom vars'
ansible.builtin.set_fact:
development: "{{ development | combine(custom_development, recursive=recursive_combine) }}"
changed_when: false
- name: '[home] get user account information' - name: '[home] get user account information'
ansible.builtin.getent: ansible.builtin.getent:
database: passwd database: passwd
key: "{{ development.user_account }}" key: "{{ development_user_account }}"
split: ":" split: ":"
changed_when: false changed_when: false
when: ansible_facts['getent_passwd'] is undefined or development.user_account not in ansible_facts['getent_passwd'] when: ansible_facts['getent_passwd'] is undefined or development_user_account not in ansible_facts['getent_passwd']
- name: '[apt] install dependencies and tools' - name: '[apt] install dependencies and tools'
become: true become: true
@ -82,7 +77,7 @@
- name: '[github] install tools' - name: '[github] install tools'
become: true become: true
nullified.infrastructure.github_artifact: nullified.infrastructure.github_artifact:
github_token: '{{ development.github_token }}' github_token: '{{ development_github_token }}'
asset_name: "{{ item.asset_name | default('') }}" asset_name: "{{ item.asset_name | default('') }}"
asset_type: "{{ item.asset_type }}" asset_type: "{{ item.asset_type }}"
cmds: "{{ item.cmds | default([]) }}" cmds: "{{ item.cmds | default([]) }}"
@ -248,7 +243,7 @@
force_apt_get: true force_apt_get: true
cache_valid_time: 3600 cache_valid_time: 3600
pkg: pkg:
- "virtualbox-{{ development.virtualbox_version }}" - "virtualbox-{{ development_virtualbox_version }}"
state: present state: present
- name: '[custom] install Docker CE repository' - name: '[custom] install Docker CE repository'
@ -283,7 +278,7 @@
src: ../templates/docker-ce/daemon.json.j2 src: ../templates/docker-ce/daemon.json.j2
dest: /etc/docker/daemon.json dest: /etc/docker/daemon.json
mode: '0644' mode: '0644'
when: development.docker.userns is truthy when: development_docker_userns is truthy
notify: notify:
- 'development : [docker] restart service' - 'development : [docker] restart service'
notify: notify:
@ -291,21 +286,21 @@
- name: '[python] install tools' - name: '[python] install tools'
become: true become: true
become_user: "{{ development.user_account }}" become_user: "{{ development_user_account }}"
ansible.builtin.command: ansible.builtin.command:
cmd: "pipx install {{ item.cmd }}" cmd: "pipx install {{ item.cmd }}"
creates: "{{ ansible_facts['getent_passwd'][development.user_account][4] }}/.local/bin/{{ item.creates }}" creates: "{{ ansible_facts['getent_passwd'][development_user_account][4] }}/.local/bin/{{ item.creates }}"
loop: loop:
- { "cmd": "black", "creates": "black" } - { "cmd": "black", "creates": "black" }
- { "cmd": "flake8", "creates": "flake8" } - { "cmd": "flake8", "creates": "flake8" }
- name: '[python] install pipx packages dependencies' - name: '[python] install pipx packages dependencies'
become: true become: true
become_user: "{{ development.user_account }}" become_user: "{{ development_user_account }}"
ansible.builtin.command: ansible.builtin.command:
cmd: "pipx inject {{ item.venv }} {{ item.extension }}" cmd: "pipx inject {{ item.venv }} {{ item.extension }}"
creates: creates:
"{{ ansible_facts['getent_passwd'][development.user_account][4] }}/.local/pipx/venvs/{{ item.venv }}/lib/python3.11/site-packages/{{ item.creates }}" "{{ ansible_facts['getent_passwd'][development_user_account][4] }}/.local/pipx/venvs/{{ item.venv }}/lib/python3.11/site-packages/{{ item.creates }}"
loop: loop:
- venv: "flake8" - venv: "flake8"
extension: "flake8-annotations-complexity" extension: "flake8-annotations-complexity"
@ -367,33 +362,33 @@
- name: '[rust] check if rust is already installed' - name: '[rust] check if rust is already installed'
ansible.builtin.file: ansible.builtin.file:
path: "{{ ansible_facts['getent_passwd'][development.user_account][4] }}/.cargo/bin/rustc" path: "{{ ansible_facts['getent_passwd'][development_user_account][4] }}/.cargo/bin/rustc"
register: rustc_stat register: rustc_stat
changed_when: false changed_when: false
failed_when: false failed_when: false
when: development.rust.enable is truthy when: development_rust_enabled is truthy
- name: '[rust] rust' - name: '[rust] rust'
become: true become: true
when: development.rust.enable is truthy and rustc_stat.state is match("absent") when: development_rust_enabled is truthy and rustc_stat.state is match("absent")
block: block:
- name: '[rust] download installer' - name: '[rust] download installer'
ansible.builtin.get_url: ansible.builtin.get_url:
url: https://sh.rustup.rs url: https://sh.rustup.rs
dest: /tmp/rustup.sh dest: /tmp/rustup.sh
mode: '0750' mode: '0750'
owner: "{{ development.user_account }}" owner: "{{ development_user_account }}"
group: "{{ development.user_account }}" group: "{{ development_user_account }}"
- name: '[rust] install rust toolchain' - name: '[rust] install rust toolchain'
become_user: "{{ development.user_account }}" become_user: "{{ development_user_account }}"
ansible.builtin.command: ansible.builtin.command:
cmd: /tmp/rustup.sh -qy cmd: /tmp/rustup.sh -qy
- name: '[user] add default user to groups' - name: '[user] add default user to groups'
become: true become: true
ansible.builtin.user: ansible.builtin.user:
name: "{{ development.user_account }}" name: "{{ development_user_account }}"
append: true append: true
groups: groups:
- docker - docker

4
collections/ansible_collections/nullified/infrastructure/roles/development/templates/docker-ce/daemon.json.j2
View file

@ -1,4 +1,4 @@
{ {
"userns-remap": "{{ development.docker.remap_user }}:{{ development.docker.remap_group }}", "userns-remap": "{{ development_docker_remap_user }}:{{ development_docker_remap_group }}",
"cgroup-parent": "{{ development.docker.systemd_slice }}" "cgroup-parent": "{{ development_docker_systemd_slice }}"
} }

7
collections/ansible_collections/nullified/infrastructure/roles/gaming/defaults/main.yml
View file

@ -1,6 +1,3 @@
--- ---
gaming: gaming_user_account: "{{ custom_base_user_account }}"
github_token: "{{ custom_github_token | default('') }}" gaming_github_token: "{{ custom_github_token | default('') }}"
custom_gaming: {}
recursive_combine: true

7
collections/ansible_collections/nullified/infrastructure/roles/gaming/tasks/main.yml
View file

@ -1,9 +1,4 @@
--- ---
- name: '[setup] merge with custom vars'
ansible.builtin.set_fact:
gaming: "{{ gaming | combine(custom_gaming, recursive=recursive_combine) }}"
changed_when: false
- name: '[games] install Steam' - name: '[games] install Steam'
become: true become: true
block: block:
@ -52,7 +47,7 @@
block: block:
- name: '[hgl] fetch assets from github' - name: '[hgl] fetch assets from github'
nullified.infrastructure.github_artifact: nullified.infrastructure.github_artifact:
github_token: '{{ gaming.github_token }}' github_token: '{{ gaming_github_token }}'
asset_name: heroic_{version}_amd64.deb asset_name: heroic_{version}_amd64.deb
asset_type: release asset_type: release
repository: Heroic-Games-Launcher/HeroicGamesLauncher repository: Heroic-Games-Launcher/HeroicGamesLauncher

46
collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
View file

@ -1,30 +1,18 @@
--- ---
security: security_apt_force_https: true
apt: security_apt_https_ignore_list: []
force_https: true security_clamav_version: 1.2.1
https_ignore_list: [] security_firewall_enabled: true
clamav: security_firewall_filter_policy_forward: drop
version: 1.2.1 security_firewall_filter_policy_input: drop
firewall: security_firewall_filter_policy_output: drop
enable: true security_firewall_mangle_drop_privatenets: true
nat: security_firewall_mangle_policy_forward: drop
policy: security_firewall_mangle_policy_output: accept
prerouting: accept security_firewall_mangle_policy_postrouting: accept
input: accept security_firewall_mangle_policy_prerouting: accept
output: accept security_firewall_nat_policy_input: accept
postrouting: accept security_firewall_nat_policy_output: accept
mangle: security_firewall_nat_policy_postrouting: accept
drop_privatenets: true security_firewall_nat_policy_prerouting: accept
policy: security_ssh_port: 22
prerouting: accept
output: accept
forward: drop
postrouting: accept
filter:
policy:
input: drop
output: drop
forward: drop
custom_security: {}
recursive_combine: true

13
collections/ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml
View file

@ -8,16 +8,17 @@
- name: get supervisor IP address - name: get supervisor IP address
ansible.builtin.shell: "echo $SSH_CLIENT | tr -s '[:blank:]' ' ' | cut -d ' ' -f 1" ansible.builtin.shell: "echo $SSH_CLIENT | tr -s '[:blank:]' ' ' | cut -d ' ' -f 1"
register: ssh_client register: ssh_client
when: ansible_connection is not match("local")
changed_when: false changed_when: false
failed_when: ssh_client.stdout is falsy failed_when: ssh_client.stdout is falsy
- name: set fact - name: set fact
ansible.builtin.set_fact: ansible.builtin.set_fact:
supervisor_ip: "{{ ssh_client.stdout }}" security_firewall_supervisor_ip: "{{ ssh_client.get('stdout', None) }}"
changed_when: false changed_when: false
- name: install and configure nftables - name: install and configure nftables
when: security.firewall.enable is truthy when: security_firewall_enabled is truthy
become: true become: true
notify: notify:
- 'security : [firewall] restart service' - 'security : [firewall] restart service'
@ -39,6 +40,12 @@
mode: '0700' mode: '0700'
state: directory state: directory
- name: set firewall templates facts
ansible.builtin.set_fact:
security_firewall_dns4_servers: "{{ hostvars[inventory_hostname]['global_dns_{}_dns4'.format(global_dns_type)] | default(ansible_facts.dns.nameservers | ansible.utils.ipv4, true) }}"
security_firewall_dns6_servers: "{{ hostvars[inventory_hostname]['global_dns_{}_dns6'.format(global_dns_type)] | default(ansible_facts.dns.nameservers | ansible.utils.ipv6, true) }}"
security_firewall_supervisor_has_ip6: "{{ true if security_firewall_supervisor_ip is defined and security_firewall_supervisor_ip and security_firewall_supervisor_ip | ansible.utils.ipv6 else false }}"
- name: base config file - name: base config file
ansible.builtin.template: ansible.builtin.template:
src: "../templates/system/{{ ansible_facts['distribution'] | lower }}/nftables.conf.j2" src: "../templates/system/{{ ansible_facts['distribution'] | lower }}/nftables.conf.j2"
@ -50,8 +57,6 @@
src: "../templates/system/nftables/{{ item }}.table.j2" src: "../templates/system/nftables/{{ item }}.table.j2"
dest: "/etc/nftables.d/{{ item }}.table" dest: "/etc/nftables.d/{{ item }}.table"
mode: '0600' mode: '0600'
vars:
firewall: "{{ security.firewall }}"
loop: loop:
- 01-nat - 01-nat
- 02-mangle - 02-mangle

11
collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
View file

@ -4,16 +4,11 @@
gather_subset: gather_subset:
- distribution - distribution
- name: '[setup] merge with custom vars'
ansible.builtin.set_fact:
security: "{{ security | combine(custom_security, recursive=recursive_combine) }}"
changed_when: false
- include_tasks: firewall.yml - include_tasks: firewall.yml
- name: '[apt] force HTTPS sources' - name: '[apt] force HTTPS sources'
become: true become: true
when: security.apt.force_https is truthy when: security_apt_force_https is truthy
block: block:
- name: '[apt] fetch apt information' - name: '[apt] fetch apt information'
ansible.builtin.command: ansible.builtin.command:
@ -25,7 +20,7 @@
path: "{{ item }}" path: "{{ item }}"
regexp: 'http://' regexp: 'http://'
replace: 'https://' replace: 'https://'
loop: "{{ apt_source_files.stdout_lines | difference(security.apt.https_ignore_list) }}" loop: "{{ apt_source_files.stdout_lines | difference(security_apt_https_ignore_list) }}"
notify: notify:
- 'security : [apt] update sources' - 'security : [apt] update sources'
@ -98,7 +93,7 @@
block: block:
- name: '[clamav] retrieve and install clamav package' - name: '[clamav] retrieve and install clamav package'
ansible.builtin.apt: ansible.builtin.apt:
deb: https://www.clamav.net/downloads/production/clamav-{{ security.clamav.version }}.linux.x86_64.deb deb: https://www.clamav.net/downloads/production/clamav-{{ security_clamav_version }}.linux.x86_64.deb
force_apt_get: true force_apt_get: true
state: present state: present
- name: '[clamav] add clamav group' - name: '[clamav] add clamav group'

15
collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2
View file

@ -2,14 +2,19 @@
flush ruleset flush ruleset
define ansible_controller_ip = {{ supervisor_ip | default('127.0.0.1', true) }} {% if security_firewall_supervisor_ip -%}
define ansible_controller_ip6 = {{ supervisor_ip6 | default('fe80::', true) }} define ansible_controller_ip = {{ security_firewall_supervisor_ip }}
{% endif -%}
{% if security_firewall_dns4_servers -%}
define dns_servers = { define dns_servers = {
{{ dns[dns.type].dns4 | default(["9.9.9.9", "149.112.112.112"], true) | join(", ") | wordwrap(40, wrapstring="\n\t") }} {{ security_firewall_dns4_servers | join(", ") | wordwrap(40, wrapstring="\n\t") }}
} }
{% endif -%}
{% if security_firewall_dns6_servers -%}
define dns_servers6 = { define dns_servers6 = {
{{ dns[dns.type].dns6 | default(["2620:fe::fe", "2620:fe::9"], true) | join(", ") | wordwrap(40, wrapstring="\n\t") }} {{ security_firewall_dns6_servers | join(", ") | wordwrap(40, wrapstring="\n\t") }}
} }
{% endif -%}
define private_nets = { define private_nets = {
10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12,
192.0.0.0/24, 192.168.0.0/16, 198.18.0.0/15 192.0.0.0/24, 192.168.0.0/16, 198.18.0.0/15
@ -19,7 +24,7 @@ define reserved_nets = {
192.88.99.0/24, 198.51.100.0/24, 203.0.113.0/24, 192.88.99.0/24, 198.51.100.0/24, 203.0.113.0/24,
224.0.0.0/4, 233.252.0.0/24, 240.0.0.0/4 224.0.0.0/4, 233.252.0.0/24, 240.0.0.0/4
} }
define ssh_localport = {{ ssh_localport | default(22, true) }} define ssh_localport = {{ security_ssh_port }}
include "/etc/nftables.d/01-nat.table" include "/etc/nftables.d/01-nat.table"
include "/etc/nftables.d/02-mangle.table" include "/etc/nftables.d/02-mangle.table"

8
collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/01-nat.table.j2
View file

@ -1,18 +1,18 @@
# Setup # Setup
table inet nat { table inet nat {
chain prerouting { chain prerouting {
type nat hook prerouting priority -100; policy {{ firewall.nat.policy.prerouting }}; type nat hook prerouting priority -100; policy {{ security_firewall_nat_policy_prerouting }};
} }
chain input { chain input {
type nat hook input priority 100; policy {{ firewall.nat.policy.input }}; type nat hook input priority 100; policy {{ security_firewall_nat_policy_input }};
} }
chain output { chain output {
type nat hook output priority -100; policy {{ firewall.nat.policy.output }}; type nat hook output priority -100; policy {{ security_firewall_nat_policy_output }};
} }
chain postrouting { chain postrouting {
type nat hook postrouting priority 100; policy {{ firewall.nat.policy.postrouting }}; type nat hook postrouting priority 100; policy {{ security_firewall_nat_policy_postrouting }};
} }
} }

29
collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2
View file

@ -1,7 +1,7 @@
# Setup # Setup
table inet mangle { table inet mangle {
chain prerouting { chain prerouting {
type filter hook prerouting priority -150; policy {{ firewall.mangle.policy.prerouting }}; type filter hook prerouting priority -150; policy {{ security_firewall_mangle_policy_prerouting }};
ip protocol icmp accept ip protocol icmp accept
ip frag-off & 0x1fff != 0 counter drop ip frag-off & 0x1fff != 0 counter drop
ct state invalid counter drop ct state invalid counter drop
@ -22,12 +22,17 @@ table inet mangle {
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|psh|urg counter drop tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|psh|urg counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack|urg counter drop tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack|urg counter drop
{% if security_firewall_supervisor_ip -%}
{% if security_firewall_supervisor_has_ip6 -%}
ip6 saddr $ansible_controller_ip tcp dport $ssh_localport accept
ip6 daddr $ansible_controller_ip tcp sport $ssh_localport accept
{% else -%}
ip saddr $ansible_controller_ip tcp dport $ssh_localport accept ip saddr $ansible_controller_ip tcp dport $ssh_localport accept
ip6 saddr $ansible_controller_ip6 tcp dport $ssh_localport accept
ip daddr $ansible_controller_ip tcp sport $ssh_localport accept ip daddr $ansible_controller_ip tcp sport $ssh_localport accept
ip6 daddr $ansible_controller_ip6 tcp sport $ssh_localport accept {%- endif +%}
{% endif -%}
{% if firewall.mangle.drop_privatenets -%} {% if security_firewall_mangle_drop_privatenets -%}
ip saddr $private_nets counter drop ip saddr $private_nets counter drop
{% endif -%} {% endif -%}
ip saddr $reserved_nets counter drop ip saddr $reserved_nets counter drop
@ -35,18 +40,24 @@ table inet mangle {
} }
chain output { chain output {
type route hook output priority -150; policy {{ firewall.mangle.policy.output }}; type route hook output priority -150; policy {{ security_firewall_mangle_policy_output }};
} }
chain forward { chain forward {
type filter hook forward priority -150; policy {{ firewall.mangle.policy.forward }}; type filter hook forward priority -150; policy {{ security_firewall_mangle_policy_forward }};
} }
chain postrouting { chain postrouting {
type filter hook postrouting priority -150; policy {{ firewall.mangle.policy.postrouting }}; type filter hook postrouting priority -150; policy {{ security_firewall_mangle_policy_postrouting }};
{% if security_firewall_supervisor_ip -%}
{% if security_firewall_supervisor_has_ip6 -%}
ip6 saddr $ansible_controller_ip tcp dport $ssh_localport accept
ip6 daddr $ansible_controller_ip tcp sport $ssh_localport accept
{%- else -%}
ip saddr $ansible_controller_ip tcp dport $ssh_localport accept ip saddr $ansible_controller_ip tcp dport $ssh_localport accept
ip6 saddr $ansible_controller_ip6 tcp dport $ssh_localport accept
ip daddr $ansible_controller_ip tcp sport $ssh_localport accept ip daddr $ansible_controller_ip tcp sport $ssh_localport accept
ip6 daddr $ansible_controller_ip6 tcp sport $ssh_localport accept {%- endif +%}
{% endif -%}
} }
} }

25
collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/03-filter.table.j2
View file

@ -1,9 +1,15 @@
# Setup # Setup
table inet filter { table inet filter {
chain input { chain input {
type filter hook input priority 0; policy {{ firewall.filter.policy.input }}; type filter hook input priority 0; policy {{ security_firewall_filter_policy_input }};
{% if security_firewall_supervisor_ip -%}
{% if security_firewall_supervisor_has_ip6 -%}
ip6 saddr $ansible_controller_ip tcp dport $ssh_localport accept
{%- else -%}
ip saddr $ansible_controller_ip tcp dport $ssh_localport accept ip saddr $ansible_controller_ip tcp dport $ssh_localport accept
ip6 saddr $ansible_controller_ip6 tcp dport $ssh_localport accept {%- endif +%}
{% endif -%}
iifname "lo" counter accept iifname "lo" counter accept
ct state related,established counter accept ct state related,established counter accept
@ -11,20 +17,29 @@ table inet filter {
} }
chain output { chain output {
type filter hook output priority 0; policy {{ firewall.filter.policy.output }}; type filter hook output priority 0; policy {{ security_firewall_filter_policy_output }};
{% if security_firewall_supervisor_ip -%}
{% if security_firewall_supervisor_has_ip6 -%}
ip6 daddr $ansible_controller_ip tcp sport $ssh_localport accept
{%- else -%}
ip daddr $ansible_controller_ip tcp sport $ssh_localport accept ip daddr $ansible_controller_ip tcp sport $ssh_localport accept
ip6 daddr $ansible_controller_ip6 tcp sport $ssh_localport accept {%- endif +%}
{% endif -%}
oifname "lo" counter accept oifname "lo" counter accept
ct state related,established counter accept ct state related,established counter accept
tcp sport $ssh_localport counter accept tcp sport $ssh_localport counter accept
# Allow DNS queries using UDP, DoT and DoH # Allow DNS queries using UDP, DoT and DoH
{% if security_firewall_dns4_servers -%}
ip daddr $dns_servers meta l4proto { tcp, udp } th dport { 53, 443, 953 } accept ip daddr $dns_servers meta l4proto { tcp, udp } th dport { 53, 443, 953 } accept
{%- endif +%}
{% if security_firewall_dns6_servers -%}
ip6 daddr $dns_servers6 meta l4proto { tcp, udp } th dport { 53, 443, 953 } accept ip6 daddr $dns_servers6 meta l4proto { tcp, udp } th dport { 53, 443, 953 } accept
{%- endif +%}
} }
chain forward { chain forward {
type filter hook forward priority 0; policy {{ firewall.filter.policy.forward }}; type filter hook forward priority 0; policy {{ security_firewall_filter_policy_forward }};
} }
} }

8
collections/ansible_collections/nullified/infrastructure/roles/workstation/defaults/main.yml
View file

@ -1,7 +1,3 @@
--- ---
workstation: workstation_user_account: "{{ custom_base_user_account }}"
github_token: "{{ custom_github_token | default('') }}" workstation_github_token: "{{ custom_github_token | default('') }}"
user_account: "{{ custom_base_user_account | default('root') }}"
custom_workstation: {}
recursive_combine: true

61
collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml
View file

@ -1,24 +1,19 @@
--- ---
- name: '[setup] merge with custom vars'
ansible.builtin.set_fact:
workstation: "{{ workstation | combine(custom_workstation, recursive=recursive_combine) }}"
changed_when: false
- name: '[home] get user account information' - name: '[home] get user account information'
ansible.builtin.getent: ansible.builtin.getent:
database: passwd database: passwd
key: "{{ workstation.user_account }}" key: "{{ workstation_user_account }}"
split: ":" split: ":"
changed_when: false changed_when: false
when: ansible_facts['getent_passwd'] is undefined or workstation.user_account not in ansible_facts['getent_passwd'] when: ansible_facts['getent_passwd'] is undefined or workstation_user_account not in ansible_facts['getent_passwd']
- name: '[setup] ensure expected home directories exist' - name: '[setup] ensure expected home directories exist'
become: true become: true
ansible.builtin.file: ansible.builtin.file:
path: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/{{ item }}" path: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/{{ item }}"
state: directory state: directory
owner: "{{ workstation.user_account }}" owner: "{{ workstation_user_account }}"
group: "{{ workstation.user_account }}" group: "{{ workstation_user_account }}"
mode: '0750' mode: '0750'
loop: loop:
- .local/bin - .local/bin
@ -78,14 +73,14 @@
- name: '[setup] add user to sudo group' - name: '[setup] add user to sudo group'
become: true become: true
ansible.builtin.user: ansible.builtin.user:
name: "{{ workstation.user_account }}" name: "{{ workstation_user_account }}"
groups: groups:
- sudo - sudo
append: true append: true
- name: '[setup] setup Flatpak' - name: '[setup] setup Flatpak'
become: true become: true
become_user: "{{ workstation.user_account }}" become_user: "{{ workstation_user_account }}"
block: block:
- name: '[flatpak] add flatpak repos' - name: '[flatpak] add flatpak repos'
ansible.builtin.command: ansible.builtin.command:
@ -104,7 +99,7 @@
- name: '[github] install tools' - name: '[github] install tools'
become: true become: true
nullified.infrastructure.github_artifact: nullified.infrastructure.github_artifact:
github_token: '{{ workstation.github_token }}' github_token: '{{ workstation_github_token }}'
asset_name: "{{ item.asset_name | default('') }}" asset_name: "{{ item.asset_name | default('') }}"
asset_type: "{{ item.asset_type }}" asset_type: "{{ item.asset_type }}"
cmds: "{{ item.cmds | default([]) }}" cmds: "{{ item.cmds | default([]) }}"
@ -142,8 +137,8 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ item.path }}" path: "{{ item.path }}"
mode: "{{ item.mode | default('0750') }}" mode: "{{ item.mode | default('0750') }}"
owner: "{{ item.owner | default(workstation.user_account) }}" owner: "{{ item.owner | default(workstation_user_account) }}"
group: "{{ item.group | default(workstation.user_account) }}" group: "{{ item.group | default(workstation_user_account) }}"
state: directory state: directory
loop: loop:
- { path: '/opt/git/foss' } - { path: '/opt/git/foss' }
@ -153,22 +148,22 @@
- name: '[emacs] fetch emacs configuration files' - name: '[emacs] fetch emacs configuration files'
become: true become: true
become_user: "{{ workstation.user_account }}" become_user: "{{ workstation_user_account }}"
ansible.builtin.git: ansible.builtin.git:
repo: "https://gitlab.0x2a.ninja/naeikindus/emacsd.git" repo: "https://gitlab.0x2a.ninja/naeikindus/emacsd.git"
dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.emacs.d" dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.emacs.d"
force: false force: false
- name: '[config] set tools configuration' - name: '[config] set tools configuration'
become: true become: true
become_user: "{{ workstation.user_account }}" become_user: "{{ workstation_user_account }}"
ansible.builtin.copy: ansible.builtin.copy:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
mode: "{{ item.mode | default('0640') }}" mode: "{{ item.mode | default('0640') }}"
loop: loop:
- { src: "../templates/.config/terminator", dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.config" } - { src: "../templates/.config/terminator", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" }
- { src: "../templates/.config/vlc", dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.config" } - { src: "../templates/.config/vlc", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" }
- name: '[authenticator] find if binary is already installed' - name: '[authenticator] find if binary is already installed'
ansible.builtin.file: ansible.builtin.file:
@ -184,8 +179,8 @@
- name: '[yubico] prepare target directory' - name: '[yubico] prepare target directory'
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
owner: "{{ workstation.user_account }}" owner: "{{ workstation_user_account }}"
group: "{{ workstation.user_account }}" group: "{{ workstation_user_account }}"
mode: '0750' mode: '0750'
state: directory state: directory
loop: loop:
@ -197,8 +192,8 @@
src: https://developers.yubico.com/yubioath-flutter/Releases/yubico-authenticator-latest-linux.tar.gz src: https://developers.yubico.com/yubioath-flutter/Releases/yubico-authenticator-latest-linux.tar.gz
remote_src: true remote_src: true
dest: /tmp/yubico-unarchive dest: /tmp/yubico-unarchive
owner: "{{ workstation.user_account }}" owner: "{{ workstation_user_account }}"
group: "{{ workstation.user_account }}" group: "{{ workstation_user_account }}"
- name: '[yubico] find extracted directory' - name: '[yubico] find extracted directory'
ansible.builtin.command: ansible.builtin.command:
@ -211,8 +206,8 @@
remote_src: true remote_src: true
src: "{{ yubico_extract_path.stdout }}/" src: "{{ yubico_extract_path.stdout }}/"
dest: /opt/yubico-authenticator dest: /opt/yubico-authenticator
owner: "{{ workstation.user_account }}" owner: "{{ workstation_user_account }}"
group: "{{ workstation.user_account }}" group: "{{ workstation_user_account }}"
- name: '[yubico] cleanup' - name: '[yubico] cleanup'
ansible.builtin.file: ansible.builtin.file:
@ -222,24 +217,24 @@
- name: '[yubico] create shell wrapper' - name: '[yubico] create shell wrapper'
ansible.builtin.template: ansible.builtin.template:
src: ../templates/bin_wrapper.sh.j2 src: ../templates/bin_wrapper.sh.j2
dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.local/bin/authenticator" dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.local/bin/authenticator"
mode: '0750' mode: '0750'
owner: "{{ workstation.user_account }}" owner: "{{ workstation_user_account }}"
group: "{{ workstation.user_account }}" group: "{{ workstation_user_account }}"
vars: vars:
application: "/opt/yubico-authenticator/authenticator" application: "/opt/yubico-authenticator/authenticator"
- name: '[yubico] create desktop entry' - name: '[yubico] create desktop entry'
ansible.builtin.template: ansible.builtin.template:
src: ../templates/desktop_app.j2 src: ../templates/desktop_app.j2
dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.local/share/applications/authenticator.desktop" dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.local/share/applications/authenticator.desktop"
mode: '0600' mode: '0600'
owner: "{{ workstation.user_account }}" owner: "{{ workstation_user_account }}"
group: "{{ workstation.user_account }}" group: "{{ workstation_user_account }}"
vars: vars:
application: application:
nodisplay: false nodisplay: false
exec_cmd: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.local/bin/authenticator" exec_cmd: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.local/bin/authenticator"
name: "Authenticator" name: "Authenticator"
- include_tasks: window_manager.yml - include_tasks: window_manager.yml

18
collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/window_manager.yml
View file

@ -2,10 +2,10 @@
- name: '[home] get user account information' - name: '[home] get user account information'
ansible.builtin.getent: ansible.builtin.getent:
database: passwd database: passwd
key: "{{ workstation.user_account }}" key: "{{ workstation_user_account }}"
split: ":" split: ":"
changed_when: false changed_when: false
when: ansible_facts['getent_passwd'] is undefined or workstation.user_account not in ansible_facts['getent_passwd'] when: ansible_facts['getent_passwd'] is undefined or workstation_user_account not in ansible_facts['getent_passwd']
- name: '[awesomewm] install dependencies' - name: '[awesomewm] install dependencies'
become: true become: true
@ -61,7 +61,7 @@
block: block:
- name: '[lua-lgi] fetch source' - name: '[lua-lgi] fetch source'
become: true become: true
become_user: "{{ workstation.user_account }}" become_user: "{{ workstation_user_account }}"
ansible.builtin.git: ansible.builtin.git:
repo: https://github.com/lgi-devs/lgi.git repo: https://github.com/lgi-devs/lgi.git
dest: /opt/git/foss/lua-lgi dest: /opt/git/foss/lua-lgi
@ -96,7 +96,7 @@
block: block:
- name: '[awesomewm] fetch source' - name: '[awesomewm] fetch source'
become: true become: true
become_user: "{{ workstation.user_account }}" become_user: "{{ workstation_user_account }}"
ansible.builtin.git: ansible.builtin.git:
repo: https://github.com/awesomeWM/awesome.git repo: https://github.com/awesomeWM/awesome.git
dest: /opt/git/foss/awesomeWM dest: /opt/git/foss/awesomeWM
@ -108,7 +108,7 @@
- name: '[awesomewm] building project' - name: '[awesomewm] building project'
become: true become: true
become_user: "{{ workstation.user_account }}" become_user: "{{ workstation_user_account }}"
ansible.builtin.command: ansible.builtin.command:
chdir: /opt/git/foss/awesomeWM chdir: /opt/git/foss/awesomeWM
cmd: 'make' cmd: 'make'
@ -125,19 +125,19 @@
- name: '[awesomewm] setup configuration' - name: '[awesomewm] setup configuration'
become: true become: true
become_user: "{{ workstation.user_account }}" become_user: "{{ workstation_user_account }}"
block: block:
- name: '[awesomewm] fetch copycats base' - name: '[awesomewm] fetch copycats base'
ansible.builtin.git: ansible.builtin.git:
repo: https://github.com/lcpz/awesome-copycats.git repo: https://github.com/lcpz/awesome-copycats.git
dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.config/awesome" dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config/awesome"
depth: 1 depth: 1
recursive: true recursive: true
force: false force: false
- name: '[awesomewm] copy customization' - name: '[awesomewm] copy customization'
ansible.builtin.copy: ansible.builtin.copy:
src: ../templates/.config/awesome/ src: ../templates/.config/awesome/
dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.config/awesome" dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config/awesome"
mode: '0640' mode: '0640'
- name: '[home] copy X related configuration' - name: '[home] copy X related configuration'
@ -151,4 +151,4 @@
- name: '[x11] user .xsession' - name: '[x11] user .xsession'
ansible.builtin.copy: ansible.builtin.copy:
src: ../templates/.xsession src: ../templates/.xsession
dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.xsession" dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.xsession"

25
inventory/group_vars/all/vars.yml
View file

@ -1,9 +1,16 @@
custom_base_user_account: '{{ vault_custom_base_user_account }}' ---
custom_github_token: '{{ vault_custom_github_token }}' # global parameters
dns: custom_base_user_account: "{{ vault_custom_base_user_account }}"
type: "dot" custom_github_token: "{{ vault_custom_github_token | default('') }}"
udp: '{{ vault_groups.defaults.udp }}'
dot: '{{ vault_groups.defaults.dot }}' # global (hosts' system parameters)
doh: '{{ vault_groups.defaults.doh }}' ## TODO: move to a CMDB
network: "external" global_dns_type: "dot"
ip_dualstack: true # empty values for dns{4,6} servers mean that servers will be retrieved dynamically from /etc/resolv.conf
global_dns_udp_dns4: "{{ vault_global_dns_udp_dns4 }}"
global_dns_udp_dns6: "{{ vault_global_dns_udp_dns6 }}"
global_dns_dot_dns4: "{{ vault_global_dns_dot_dns4 }}"
global_dns_dot_dns6: "{{ vault_global_dns_dot_dns6 }}"
global_dns_doh_dns4: "{{ vault_global_dns_doh_dns4 }}"
global_dns_doh_dns6: "{{ vault_global_dns_doh_dns6 }}"
global_ip_dualstack: true

8
inventory/group_vars/internal/vars.yml Normal file
View file

@ -0,0 +1,8 @@
# global
global_dns_type: "udp"
global_dns_udp_dns4: "" # force usage of DHCP provided values
global_dns_udp_dns6: "" # force usage of DHCP provided values
global_ip_dualstack: false
# security role
security_firewall_mangle_drop_privatenets: false

13
inventory/host_vars/actinium/vars.yml
View file

@ -2,14 +2,5 @@ ansible_become_password: "{{ vault_root_pass }}"
ansible_host: "{{ vault_ansible_host }}" ansible_host: "{{ vault_ansible_host }}"
ansible_user: "{{ vault_ssh_user }}" ansible_user: "{{ vault_ssh_user }}"
custom_security: security_firewall_mangle_drop_privatenets: false
firewall: security_firewall_mangle_policy_forward: accept
mangle:
drop_privatenets: false
policy:
forward: accept
dns:
type: "udp"
udp: "{{ vault_groups.network.internal }}"
network: "internal"
ip_dualstack: false

2
inventory/host_vars/lithium/vars.yml
View file

@ -1,5 +1,3 @@
ansible_become_password: "{{ vault_root_pass }}" ansible_become_password: "{{ vault_root_pass }}"
ansible_host: "{{ vault_ansible_host }}" ansible_host: "{{ vault_ansible_host }}"
ansible_user: "{{ vault_ssh_user }}" ansible_user: "{{ vault_ssh_user }}"
network: "external"
ip_dualstack: true

23
inventory/host_vars/localhost/vars.yml
View file

@ -1,23 +0,0 @@
ansible_become_password: "{{ vault_root_pass }}"
ansible_host: "{{ vault_ansible_host }}"
ansible_connection: local
custom_development:
rust:
enable: true
custom_common:
sysctl:
'fs.inotify.max_user_watches': 1048576
'vm.swappiness': 1
packages:
- pcscd
- pinentry-curses
- radeontop
git:
enable: true
username: "{{ vault_common_gitconfig_username }}"
email: "{{ vault_common_gitconfig_email }}"
force_sign: true
signing_key: "{{ vault_common_gitconfig_signingkey }}"
install_fonts: true

55
inventory/host_vars/unobtainium/vars.yml
View file

@ -2,41 +2,22 @@ ansible_become_password: "{{ vault_root_pass }}"
ansible_host: "{{ vault_ansible_host }}" ansible_host: "{{ vault_ansible_host }}"
ansible_connection: local ansible_connection: local
custom_development: # common role
rust: common_apt_packages:
enable: true - pcscd
- pinentry-curses
- radeontop
common_git_enabled: true
common_git_username: "{{ vault_common_gitconfig_username }}"
common_git_email: "{{ vault_common_gitconfig_email }}"
common_git_force_sign: true
common_git_signing_key: "{{ vault_common_gitconfig_signingkey }}"
common_install_fonts: true
common_sysctl_configuration:
'fs.inotify.max_user_watches': 1048576
'vm.swappiness': 1
custom_common: # security role
sysctl: security_firewall_filter_policy_output: accept
'fs.inotify.max_user_watches': 1048576 security_firewall_filter_policy_forward: accept
'vm.swappiness': 1 security_firewall_mangle_policy_forward: accept
packages:
- pcscd
- pinentry-curses
- radeontop
git:
enable: true
username: "{{ vault_common_gitconfig_username }}"
email: "{{ vault_common_gitconfig_email }}"
force_sign: true
signing_key: "{{ vault_common_gitconfig_signingkey }}"
install_fonts: true
custom_security:
firewall:
filter:
policy:
output: accept
forward: accept
mangle:
drop_privatenets: false
policy:
forward: accept
dns:
type: "udp"
udp:
dns4: "{{ vault_groups.network.internal.dns4 }}"
dns6: "{{ vault_groups.network.internal.dns6 }}"
network: "internal"
ip_dualstack: false

1
requirements.txt
View file

@ -7,6 +7,7 @@ Jinja2==3.1.2
jsonschema==4.19.0 jsonschema==4.19.0
molecule==6.0.1 molecule==6.0.1
molecule-plugins==23.5.0 molecule-plugins==23.5.0
netaddr==0.10.1
paramiko==3.3.1 paramiko==3.3.1
pycurl==7.45.2 pycurl==7.45.2
pylint==2.17.5 pylint==2.17.5