diff --git a/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/create.yml b/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/create.yml
index 3b91987..549dad1 100644
--- a/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/create.yml
+++ b/collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/create.yml
@@ -23,7 +23,7 @@
 type: tmpfs
 - target: /run/lock
 type: tmpfs
- - target: /tmp
+ - target: /tmp:exec
 type: tmpfs
 register: result
 loop: "{{ molecule_yml.platforms }}"
@@ -52,7 +52,8 @@
 "{{ item.name }}":
 ansible_connection: community.docker.docker
 custom_common:
- deb822_format: true
+ apt:
+ deb822_format: true
 ansible.builtin.set_fact:
 molecule_inventory: >
 {{ molecule_inventory | combine(inventory_partial_yaml | from_yaml) }}
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/common/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/common/defaults/main.yml
index b42ef36..cbda208 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/defaults/main.yml
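Review bot: `target: /tmp:exec` reads as an attempt to set the tmpfs `exec` flag, but inside the `mounts` list `target` is the mount path, so the container most likely gets a tmpfs at a directory literally named `/tmp:exec` while `/tmp` stays on the image layer, and the molecule run would not obviously fail on that. If an executable `/tmp` is really needed for the converge, the module's separate `tmpfs` parameter takes `docker run --tmpfs` style strings such as `/tmp:exec`, so the entry belongs there rather than in `mounts`; either way, confirm against the running container's mount table. The `custom_common.apt.deb822_format` nesting in the second hunk matches the new defaults layout.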
@@ -1,13 +1,19 @@
 ---
-custom_github_token: ""
-common_user_account: "{{ custom_base_user_account | lower }}"
-common_gitconfig_enable: false
-common_gitconfig_username: ""
-common_gitconfig_email: ""
-common_gitconfig_force_sign: false
-common_gitconfig_signingkey: ""
-common_apt_packages: []
-common_install_fonts: false
 common:
- apt_components: ['contrib', 'non-free', 'non-free-firmware']
- deb822_format: false
+ apt:
+ source_components: ['contrib', 'non-free', 'non-free-firmware']
+ packages: []
+ deb822_format: false
+ git:
+ enable: false
+ username: ""
+ email: ""
+ force_sign: false
+ signing_key: ""
+ github_token: "{{ custom_github_token | default('') }}"
+ install_fonts: false
+ sysctl: {}
+ user_account: "{{ custom_base_user_account | default('root') }}"
+
+custom_common: {}
+recursive_combine: true
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/home_setup.yml b/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/home_setup.yml
index 314679a..96b962f 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/home_setup.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/home_setup.yml
@@ -2,16 +2,16 @@
 - name: '[home] get user account information'
 ansible.builtin.getent:
 database: passwd
- key: "{{ common_user_account }}"
+ key: "{{ common.user_account }}"
 split: ":"
 changed_when: false
- when: getent_passwd is undefined or common_user_account not in getent_passwd
+ when: getent_passwd is undefined or common.user_account not in getent_passwd
 - name: '[home] create common directories'
 become: true
- become_user: "{{ common_user_account }}"
+ become_user: "{{ common.user_account }}"
 ansible.builtin.file:
- path: "{{ getent_passwd[common_user_account][4] }}/{{ item }}"
+ path: "{{ getent_passwd[common.user_account][4] }}/{{ item }}"
 state: directory
 mode: '0750'
 loop:
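Review bot: `user_account: "{{ custom_base_user_account | default('root') }}"` turns a missing inventory variable into a silent fallback to root, so every per-user task that follows (home directories, .gitconfig, shell setup) would quietly operate on /root instead of failing; the replaced default also applied `| lower`, which this drops. Prefer making the variable fail loudly, e.g. `user_account: "{{ custom_base_user_account | mandatory }}"`, or keep `| lower` if inventory values may differ in case. The same `default('root')` pattern appears in the development and workstation defaults further down in this diff. `recursive_combine: true` is declared under the same name in every role's defaults, so it acts as one global switch rather than a per-role one; if that is intended, a comment such as `# shared across roles: controls how custom_* overrides are merged` would make it explicit.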
@@ -22,19 +22,19 @@
 - name: '[home] setup home files'
 become: true
- become_user: "{{ common_user_account }}"
+ become_user: "{{ common.user_account }}"
 block:
 - name: '[home] git configuration'
 ansible.builtin.template:
 src: ../templates/home/.gitconfig.j2
- dest: "{{ getent_passwd[common_user_account][4] }}/.gitconfig"
+ dest: "{{ getent_passwd[common.user_account][4] }}/.gitconfig"
 mode: '0640'
- when: common_gitconfig_enable | bool
+ when: common.git.enable is truthy
 - name: '[home] basic files'
 ansible.builtin.copy:
 src: "../templates/home/{{ item.name }}"
- dest: "{{ getent_passwd[common_user_account][4] }}/{{ item.name }}"
+ dest: "{{ getent_passwd[common.user_account][4] }}/{{ item.name }}"
 mode: "{{ item.mode | default('0640') }}"
 loop:
 - { name: ".lessfilter", mode: '0750' }
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml
index a3fbf1b..b0b3200 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
-- name: '[common] merge with custom vars'
- set_fact:
- common: "{{ common|combine(custom_common) }}"
+- name: '[setup] merge with custom vars'
+ ansible.builtin.set_fact:
+ common: "{{ common | combine(custom_common, recursive=recursive_combine) }}"
 changed_when: false
 - name: '[apt] verify components of default sources'
@@ -11,15 +11,15 @@
 path: '/etc/apt/sources.list'
 regexp: '^(deb((?!{{ item }}).)+)$'
 replace: '\1 {{ item }}'
- when: not common.deb822_format | bool
- loop: '{{ common.apt_components }}'
+ when: not common.apt.deb822_format | bool
+ loop: '{{ common.apt.source_components }}'
 - name: '[apt] default deb822 debian.sources'
 ansible.builtin.replace:
 path: '/etc/apt/sources.list.d/debian.sources'
 regexp: '^(Components: ((?!{{ item }}).)+)$'
 replace: '\1 {{ item }}'
- loop: '{{ common.apt_components }}'
- when: common.deb822_format | bool
+ loop: '{{ common.apt.source_components }}'
+ when: common.apt.deb822_format | bool
 - name: '[apt] install dependencies and tools'
 become: true
@@ -57,14 +57,14 @@
 - yq
 state: present
-- name: '[GitHub] install tools'
+- name: '[github] install tools'
 become: true
 nullified.infrastructure.github_artifact:
 asset_name: "{{ item.asset_name | default('') }}"
 asset_type: "{{ item.asset_type }}"
 cmds: "{{ item.cmds | default([]) }}"
 creates: "{{ item.creates | default('') }}"
- github_token: "{{ custom_github_token }}"
+ github_token: "{{ common.github_token }}"
 repository: "{{ item.repository }}"
 version: "{{ item.version | default('') }}"
 loop:
@@ -110,7 +110,9 @@
 src: ../templates/system/sysctld.local.conf.j2
 dest: /etc/sysctl.d/local.conf
 mode: '0644'
- when: custom_sysctl is defined
+ when: common.sysctl is truthy
+ vars:
+ sysctl_values: "{{ common.sysctl }}"
 notify:
 - 'common : [system] reload sysctl configuration'
@@ -121,7 +123,7 @@
 force_apt_get: true
 cache_valid_time: 3600
 pkg:
- "{{ common_apt_packages }}"
+ "{{ common.apt.packages }}"
 - include_tasks: home_setup.yml
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/shell_customization.yml b/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/shell_customization.yml
index f5ac5e7..9cfddfd 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/shell_customization.yml
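Review bot: `github_token: "{{ common.github_token }}"` is handed to `nullified.infrastructure.github_artifact` inside a `loop` with no `no_log`, so unless the module's argument spec already marks that option `no_log`, the token is echoed in each loop item's result at higher verbosity and in any registered output; the same applies to the matching `github_token` hunks in the development, gaming and workstation task files. Adding `no_log: "{{ common.github_token | length > 0 }}"` to the task keeps the output readable when no token is configured and hides it when one is. If the module does declare `no_log` for that option, a one-line comment next to the task saying so would save the next reader the check.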
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/tasks/shell_customization.yml
@@ -2,10 +2,10 @@
 - name: '[home] get user account information'
 ansible.builtin.getent:
 database: passwd
- key: "{{ common_user_account }}"
+ key: "{{ common.user_account }}"
 split: ":"
 changed_when: false
- when: getent_passwd is undefined or common_user_account not in getent_passwd
+ when: getent_passwd is undefined or common.user_account not in getent_passwd
 - name: '[shell] install ZSH and dependencies'
 become: true
@@ -20,7 +20,7 @@
 - name: '[shell] install custom fonts'
 become: true
- become_user: "{{ common_user_account }}"
+ become_user: "{{ common.user_account }}"
 block:
 - name: '[fonts] add fonts tooling'
 become_user: root
@@ -34,18 +34,18 @@
 - name: '[fonts] adding fonts'
 ansible.builtin.copy:
 src: ../assets/fonts/
- dest: "{{ getent_passwd[common_user_account][4] }}/.local/share/fonts"
+ dest: "{{ getent_passwd[common.user_account][4] }}/.local/share/fonts"
 mode: '0640'
 - name: '[fonts] refresh fonts cache'
 ansible.builtin.command:
 cmd: fc-cache
 changed_when: false
- when: common_install_fonts | bool
+ when: common.install_fonts is truthy
 - name: '[shell] install Oh-My-ZSH'
 become: true
- become_user: "{{ common_user_account }}"
+ become_user: "{{ common.user_account }}"
 block:
 - name: '[omz] get install script'
 ansible.builtin.get_url:
@@ -56,22 +56,22 @@
 - name: '[omz] install OMZ'
 ansible.builtin.command:
 cmd: sh /tmp/zsh-install.sh --unattended
- creates: "{{ getent_passwd[common_user_account][4] }}/.oh-my-zsh"
+ creates: "{{ getent_passwd[common.user_account][4] }}/.oh-my-zsh"
 - name: '[shell] install powerlevel10k customization for OMZ'
 become: true
- become_user: "{{ common_user_account }}"
+ become_user: "{{ common.user_account }}"
 ansible.builtin.git:
 repo: https://github.com/romkatv/powerlevel10k.git
- dest: "{{ getent_passwd[common_user_account][4] }}/.oh-my-zsh/custom/themes/powerlevel10k"
+ dest: "{{ getent_passwd[common.user_account][4] }}/.oh-my-zsh/custom/themes/powerlevel10k"
 depth: 1
 - name: '[home] copy zsh files'
 become: true
- become_user: "{{ common_user_account }}"
+ become_user: "{{ common.user_account }}"
 ansible.builtin.copy:
 src: "../templates/home/{{ item }}"
- dest: "{{ getent_passwd[common_user_account][4] }}/{{ item }}"
+ dest: "{{ getent_passwd[common.user_account][4] }}/{{ item }}"
 mode: '0640'
 loop:
 - .p10k.zsh
@@ -84,6 +84,6 @@
 - name: '[shell] update user shell to ZSH'
 become: true
 ansible.builtin.user:
- name: "{{ common_user_account }}"
+ name: "{{ common.user_account }}"
 shell: "/usr/bin/zsh"
 state: present
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/common/templates/home/.gitconfig.j2 b/collections/ansible_collections/nullified/infrastructure/roles/common/templates/home/.gitconfig.j2
index 3fa4894..fcc402f 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/templates/home/.gitconfig.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/templates/home/.gitconfig.j2
@@ -1,17 +1,17 @@
 [user]
- name = {{ common_gitconfig_username }}
- email = {{ common_gitconfig_email }}
-{% if common_gitconfig_force_sign and common_gitconfig_signingkey %}
- signingkey = {{ common_gitconfig_signingkey }}
+ name = {{ common.git.username }}
+ email = {{ common.git.email }}
+{% if common.git.force_sign and common.git.signing_key %}
+ signingkey = {{ common.git.signing_key }}
 {% endif %}
 [commit]
-{% if common_gitconfig_force_sign %}
+{% if common.git.force_sign %}
 gpgsign = true
 {% else %}
 gpgsign = false
 {% endif %}
 [tag]
-{% if common_gitconfig_force_sign %}
+{% if common.git.force_sign %}
 gpgsign = true
 {% else %}
 gpgsign = false
@@ -104,4 +104,4 @@
 statusUoption = false
 submoduleAlternateErrorStrategyDie = false
 waitingForEditor = false
-{% endraw %}
\ No newline at end of file
+{% endraw %}
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/sysctld.local.conf.j2 b/collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/sysctld.local.conf.j2
index ef604d9..a7028fd 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/sysctld.local.conf.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/sysctld.local.conf.j2
@@ -1,3 +1,3 @@
-{% for item in custom_sysctl.keys() -%}
- {{ item }} = {{ custom_sysctl[item] }}
+{% for item in sysctl_values.keys() -%}
+ {{ item }} = {{ sysctl_values[item] }}
 {% endfor %}
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/development/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/development/defaults/main.yml
index f3a9088..4b4c9f2 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/development/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/development/defaults/main.yml
@@ -1,5 +1,14 @@
 ---
-custom_github_token: ""
-development_docker_remap_user: "{{ custom_base_user_account }}"
-development_docker_remap_group: "{{ custom_base_user_account }}"
-development_install_rust: false
+development:
+ docker:
+ userns: true
+ remap_user: "{{ custom_base_user_account | default('root') }}"
+ remap_group: "{{ custom_base_user_account | default('root') }}"
+ systemd_slice: docker.slice
+ github_token: "{{ custom_github_token | default('') }}"
+ rust:
+ enable: true
+ user_account: "{{ custom_base_user_account | default('root') }}"
+
+custom_development: {}
+recursive_combine: true
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/development/handlers/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/development/handlers/main.yml
index 5da424f..878378a 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/development/handlers/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/development/handlers/main.yml
@@ -5,3 +5,4 @@
 name: docker
 enabled: true
 state: restarted
+ when: ansible_virtualization_type is not match("docker")
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/development/tasks/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/development/tasks/main.yml
index 85d0ed7..5160d3c 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/development/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/development/tasks/main.yml
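Review bot: `enable: true` under `rust:` flips the replaced `development_install_rust: false` default, so every host applying the role now downloads and runs the rustup installer unless `custom_development.rust.enable` is set to false; the other feature switches in this diff (`git.enable`, `install_fonts`) stay opt-in, and the localhost host_vars in this same change opts in explicitly, which suggests the default was meant to remain `false`. The same consideration applies to `userns: true`, which changes how the Docker daemon is configured on first run. A short comment per switch stating the intended default, e.g. `# opt-in: fetches and runs the rustup installer as user_account`, would make the choice explicit.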
@@ -1,17 +1,23 @@
 ---
 - name: '[setup] gather facts if not already done'
- setup:
+ ansible.builtin.setup:
 gather_subset:
 - distribution
 - distribution_release
+ - virtualization_type
+
+- name: '[setup] merge with custom vars'
+ ansible.builtin.set_fact:
+ development: "{{ development | combine(custom_development, recursive=recursive_combine) }}"
+ changed_when: false
 - name: '[home] get user account information'
 ansible.builtin.getent:
 database: passwd
- key: "{{ custom_base_user_account }}"
+ key: "{{ development.user_account }}"
 split: ":"
 changed_when: false
- when: getent_passwd is undefined or custom_base_user_account not in getent_passwd
+ when: getent_passwd is undefined or development.user_account not in getent_passwd
 - name: '[apt] install dependencies and tools'
 become: true
@@ -63,7 +69,7 @@
 - name: '[github] install tools'
 become: true
 nullified.infrastructure.github_artifact:
- github_token: '{{ custom_github_token }}'
+ github_token: '{{ development.github_token }}'
 asset_name: "{{ item.asset_name | default('') }}"
 asset_type: "{{ item.asset_type }}"
 cmds: "{{ item.cmds | default([]) }}"
@@ -240,12 +246,13 @@
 src: ../templates/docker-ce/daemon.json.j2
 dest: /etc/docker/daemon.json
 mode: '0644'
+ when: development.docker.userns is truthy
 notify:
 - 'development : [docker] restart service'
 - name: '[docker] add default user to docker group'
 ansible.builtin.user:
- name: "{{ development_docker_remap_user }}"
+ name: "{{ development.user_account }}"
 append: true
 groups: docker
 state: present
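Review bot: `when: development.docker.userns is truthy` on the daemon.json template means that setting `userns` back to false after a previous run leaves the old `/etc/docker/daemon.json` (with its `userns-remap` entry) in place and never notifies the restart handler, so the new switch cannot actually turn remapping off. Rendering the template unconditionally and guarding only the `userns-remap` line inside `daemon.json.j2` with `{% if development.docker.userns %}` keeps the file managed in both states. Note also that `[docker] add default user to docker group` now uses `development.user_account` rather than the remap user; membership in `docker` is root-equivalent on the host when remapping is off, so the two settings deserve a shared comment stating that relationship. The enclosing task block for the template starts outside this hunk.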
@@ -254,21 +261,21 @@
 - name: '[python] install tools'
 become: true
- become_user: "{{ custom_base_user_account }}"
+ become_user: "{{ development.user_account }}"
 ansible.builtin.command:
 cmd: "pipx install {{ item.cmd }}"
- creates: "{{ getent_passwd[custom_base_user_account][4] }}/.local/bin/{{ item.creates }}"
+ creates: "{{ getent_passwd[development.user_account][4] }}/.local/bin/{{ item.creates }}"
 loop:
 - { "cmd": "black", "creates": "black" }
 - { "cmd": "flake8", "creates": "flake8" }
 - name: '[python] install pipx packages dependencies'
 become: true
- become_user: "{{ custom_base_user_account }}"
+ become_user: "{{ development.user_account }}"
 ansible.builtin.command:
 cmd: "pipx inject {{ item.venv }} {{ item.extension }}"
 creates:
- "{{ getent_passwd[custom_base_user_account][4] }}/.local/pipx/venvs/{{ item.venv }}/lib/python3.11/site-packages/{{ item.creates }}"
+ "{{ getent_passwd[development.user_account][4] }}/.local/pipx/venvs/{{ item.venv }}/lib/python3.11/site-packages/{{ item.creates }}"
 loop:
 - venv: "flake8"
 extension: "flake8-annotations-complexity"
@@ -330,26 +337,26 @@
 - name: '[rust] check if rust is already installed'
 ansible.builtin.file:
- path: "{{ getent_passwd[custom_base_user_account][4] }}/.cargo/bin/rustc"
+ path: "{{ getent_passwd[development.user_account][4] }}/.cargo/bin/rustc"
 register: rustc_stat
 changed_when: false
 failed_when: false
- when: development_install_rust | bool
+ when: development.rust.enable is truthy
 - name: '[rust] rust'
 become: true
- when: development_install_rust | bool and rustc_stat.state is match("absent")
+ when: development.rust.enable is truthy and rustc_stat.state is match("absent")
 block:
 - name: '[rust] download installer'
 ansible.builtin.get_url:
 url: https://sh.rustup.rs
 dest: /tmp/rustup.sh
 mode: '0750'
- owner: "{{ custom_base_user_account }}"
- group: "{{ custom_base_user_account }}"
+ owner: "{{ development.user_account }}"
+ group: "{{ development.user_account }}"
 - name: '[rust] install rust toolchain'
- become_user: "{{ custom_base_user_account }}"
+ become_user: "{{ development.user_account }}"
 script:
 cmd: /tmp/rustup.sh -qy
- creates: "{{ getent_passwd[custom_base_user_account][4] }}/.cargo/bin/rustc"
+ creates: "{{ getent_passwd[development.user_account][4] }}/.cargo/bin/rustc"
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/development/templates/docker-ce/daemon.json.j2 b/collections/ansible_collections/nullified/infrastructure/roles/development/templates/docker-ce/daemon.json.j2
index 760d97b..b22251e 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/development/templates/docker-ce/daemon.json.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/development/templates/docker-ce/daemon.json.j2
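Review bot: the `[rust] download installer` task writes the installer to the fixed path `/tmp/rustup.sh`, the new `owner`/`group` lines hand it to `development.user_account`, and the next task executes it as that user, with no `checksum:` on the `get_url` and no task removing the file afterwards; the `url` line is unchanged context, but the ownership change is where the download becomes runnable by that account. A per-run directory from `ansible.builtin.tempfile` (or the user's home) as `dest`, plus a cleanup task after the install, avoids depending on a shared predictable path, and if a pinned `checksum: sha256:<expected-hash>` (placeholder, taken from a verified copy) is operationally acceptable it is the only way to notice a changed installer; the `/tmp/zsh-install.sh` pattern in shell_customization.yml has the same shape. `rustc_stat.state is match("absent")` is only evaluated when `rust.enable` is truthy, so the register left undefined by the skipped check task is not a problem here.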
@@ -1,4 +1,4 @@
 {
- "userns-remap": "{{ development_docker_remap_user }}:{{ development_docker_remap_group }}",
- "cgroup-parent": "{{ development_docker_systemd_slice }}"
+ "userns-remap": "{{ development.docker.remap_user }}:{{ development.docker.remap_group }}",
+ "cgroup-parent": "{{ development.docker.systemd_slice }}"
 }
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/development/vars/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/development/vars/main.yml
index 2fe0594..ed97d53 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/development/vars/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/development/vars/main.yml
@@ -1,2 +1 @@
 ---
-development_docker_systemd_slice: docker.slice
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/gaming/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/gaming/defaults/main.yml
index c7895dc..403802a 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/gaming/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/gaming/defaults/main.yml
@@ -1,2 +1,6 @@
 ---
-custom_github_token: ""
+gaming:
+ github_token: "{{ custom_github_token | default('') }}"
+
+custom_gaming: {}
+recursive_combine: true
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/gaming/tasks/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/gaming/tasks/main.yml
index b4a9559..d78d07e 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/gaming/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/gaming/tasks/main.yml
@@ -1,4 +1,9 @@
 ---
+- name: '[setup] merge with custom vars'
+ ansible.builtin.set_fact:
+ gaming: "{{ gaming | combine(custom_gaming, recursive=recursive_combine) }}"
+ changed_when: false
+
 - name: '[games] install Steam'
 become: true
 block:
@@ -21,7 +26,7 @@
 mode: '0644'
 - name: '[apt key] add source'
- apt_repository:
+ ansible.builtin.apt_repository:
 repo: "{{ item }} [arch=amd64,i386 signed-by=/usr/share/keyrings/steam.gpg] https://repo.steampowered.com/steam/ stable steam"
 state: present
 filename: steam
@@ -47,7 +52,7 @@
 block:
 - name: '[hgl] fetch assets from github'
 nullified.infrastructure.github_artifact:
- github_token: '{{ custom_github_token }}'
+ github_token: '{{ gaming.github_token }}'
 asset_name: heroic_{version}_amd64.deb
 asset_type: release
 repository: Heroic-Games-Launcher/HeroicGamesLauncher
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
index 62aadf3..5fbd7e0 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
@@ -1,2 +1,7 @@
 ---
-security_clamav_version: 1.2.1
+security:
+ clamav:
+ version: 1.2.1
+
+custom_security: {}
+recursive_combine: true
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml
index 31efc18..988ebab 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml
@@ -14,7 +14,7 @@
 - name: '[freshclam] restart service'
 become: true
 ansible.builtin.systemd_service:
- name: sshd.service
+ name: clamav-freshclam.service
 enabled: true
 state: restarted
@@ -28,6 +28,6 @@
 - name: '[clamd] restart service'
 become: true
 ansible.builtin.systemd_service:
- name: sshd.service
+ name: clamav-clamd.service
 enabled: true
 state: restarted
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
index f5f672b..880d882 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
@@ -4,6 +4,11 @@
 gather_subset:
 - distribution
+- name: '[setup] merge with custom vars'
+ ansible.builtin.set_fact:
+ security: "{{ security | combine(custom_security, recursive=recursive_combine) }}"
+ changed_when: false
+
 - name: '[ssh] hardening sshd'
 become: true
 block:
@@ -12,6 +17,11 @@
 src: ../templates/openssh-server/sshd_config.j2
 dest: /etc/ssh/sshd_config
 mode: '0644'
+ - name: '[ssh] ensure directories exist'
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d
+ state: directory
+ mode: '0755'
 - name: '[ssh] setup sshd_config.d'
 ansible.builtin.template:
 src: ../templates/openssh-server/sshd_config.d/encryption.conf.j2
@@ -68,7 +78,7 @@
 block:
 - name: '[clamav] retrieve and install clamav package'
 ansible.builtin.apt:
- deb: https://www.clamav.net/downloads/production/clamav-{{ security_clamav_version }}.linux.x86_64.deb
+ deb: https://www.clamav.net/downloads/production/clamav-{{ security.clamav.version }}.linux.x86_64.deb
 force_apt_get: true
 state: present
 - name: '[clamav] add clamav group'
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/server/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/server/defaults/main.yml
index db03ad0..ed97d53 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/server/defaults/main.yml
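Review bot: `deb: https://www.clamav.net/downloads/production/clamav-{{ security.clamav.version }}.linux.x86_64.deb` has the apt module download and dpkg-install a package straight from the network with no checksum or signature check, so the version is pinned but the content is not, and this path bypasses the apt keyring verification the role's other package tasks get for free. Since the version now lives under `security.clamav`, a sibling `sha256` value can be carried next to it and enforced by fetching with `ansible.builtin.get_url` and `checksum: "sha256:{{ security.clamav.sha256 }}"` (value to be taken from the vendor's published hash) before pointing `deb:` at the local file. The enclosing `block` starts outside this hunk.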
+++ b/collections/ansible_collections/nullified/infrastructure/roles/server/defaults/main.yml
@@ -1,2 +1 @@
 ---
-# defaults file for tooling
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/workstation/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/workstation/defaults/main.yml
index 8a65997..5924b81 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/workstation/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/workstation/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
-workstation_user_account: "{{ custom_base_user_account }}"
-custom_github_token: ""
-custom_sysctl: {}
+workstation:
+ github_token: "{{ custom_github_token | default('') }}"
+ user_account: "{{ custom_base_user_account | default('root') }}"
+
+custom_workstation: {}
+recursive_combine: true
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml
index e804ad7..78a9bbc 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml
@@ -1,11 +1,28 @@
 ---
+- name: '[setup] merge with custom vars'
+ ansible.builtin.set_fact:
+ workstation: "{{ workstation | combine(custom_workstation, recursive=recursive_combine) }}"
+ changed_when: false
+
 - name: '[home] get user account information'
 ansible.builtin.getent:
 database: passwd
- key: "{{ workstation_user_account }}"
+ key: "{{ workstation.user_account }}"
 split: ":"
 changed_when: false
- when: getent_passwd is undefined or workstation_user_account not in getent_passwd
+ when: getent_passwd is undefined or workstation.user_account not in getent_passwd
+
+- name: '[setup] ensure expected home directories exist'
+ become: true
+ ansible.builtin.file:
+ path: "{{ getent_passwd[workstation.user_account][4] }}/{{ item }}"
+ state: directory
+ owner: "{{ workstation.user_account }}"
+ group: "{{ workstation.user_account }}"
+ mode: '0750'
+ loop:
+ - .local/bin
+ - .local/share/applications
 - name: '[apt] install dependencies and tools'
 become: true
@@ -40,6 +57,7 @@
 - python3-pip
 - python3-psutil # terminator
 - ruby
+ - ruby-dev
 - scrot
 - smbclient
 - socat
@@ -57,23 +75,23 @@
 - name: '[setup] add user to sudo group'
 become: true
 ansible.builtin.user:
- name: "{{ workstation_user_account }}"
+ name: "{{ workstation.user_account }}"
 groups:
 - sudo
 append: true
 - name: '[setup] setup Flatpak'
 become: true
- become_user: "{{ workstation_user_account }}"
+ become_user: "{{ workstation.user_account }}"
 block:
 - name: '[flatpak] add flatpak repos'
- command:
+ ansible.builtin.command:
 cmd: flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
 changed_when: false
 - name: '[flatpak] install flatpak apps'
- command:
+ ansible.builtin.command:
 cmd: "flatpak install --noninteractive {{ item.repo }} {{ item.app }}"
- creates: "{{ getent_passwd[workstation_user_account][4] }}/.var/app/{{ item.app }}"
+ creates: "/var/lib/flatpak/app/{{ item.app }}"
 loop:
 - repo: flathub
 app: com.discordapp.Discord
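Review bot: `creates: "/var/lib/flatpak/app/{{ item.app }}"` points at the system-wide installation, but the enclosing block still runs with `become_user: "{{ workstation.user_account }}"` and neither `flatpak` command carries `--user` or `--system`; as an unprivileged user a system install goes through polkit authorisation, which `--noninteractive` cannot supply, so on a fresh host the task is likely to fail, and if it instead ends up as a per-user install the `creates` check never matches and the install re-runs every play. Pick one scope explicitly: either drop `become_user` from the block so both commands run as root (keeping the `/var/lib/flatpak` path), or add `--user` to both commands and point `creates` at `{{ getent_passwd[workstation.user_account][4] }}/.local/share/flatpak/app/{{ item.app }}`. The `[setup] setup Flatpak` block's remaining loop items run past the end of this hunk.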
@@ -83,7 +101,7 @@
 - name: '[github] install tools'
 become: true
 nullified.infrastructure.github_artifact:
- github_token: '{{ custom_github_token }}'
+ github_token: '{{ workstation.github_token }}'
 asset_name: "{{ item.asset_name | default('') }}"
 asset_type: "{{ item.asset_type }}"
 cmds: "{{ item.cmds | default([]) }}"
@@ -114,8 +132,8 @@
 ansible.builtin.file:
 path: "{{ item.path }}"
 mode: "{{ item.mode | default('0750') }}"
- owner: "{{ item.owner | default(workstation_user_account) }}"
- group: "{{ item.group | default(workstation_user_account) }}"
+ owner: "{{ item.owner | default(workstation.user_account) }}"
+ group: "{{ item.group | default(workstation.user_account) }}"
 state: directory
 loop:
 - { path: '/opt/git/foss' }
@@ -125,22 +143,22 @@
 - name: '[emacs] fetch emacs configuration files'
 become: true
- become_user: "{{ workstation_user_account }}"
+ become_user: "{{ workstation.user_account }}"
 ansible.builtin.git:
- repo: "ssh://git@gitlab.0x2a.ninja:4222/naeikindus/emacsd.git"
- dest: "{{ getent_passwd[workstation_user_account][4] }}/.emacs.d"
+ repo: "https://gitlab.0x2a.ninja/naeikindus/emacsd.git"
+ dest: "{{ getent_passwd[workstation.user_account][4] }}/.emacs.d"
 force: false
 - name: '[config] set tools configuration'
 become: true
- become_user: "{{ workstation_user_account }}"
+ become_user: "{{ workstation.user_account }}"
 ansible.builtin.copy:
 src: "{{ item.src }}"
 dest: "{{ item.dest }}"
 mode: "{{ item.mode | default('0640') }}"
 loop:
- - { src: "../templates/.config/terminator", dest: "{{ getent_passwd[workstation_user_account][4] }}/.config" }
- - { src: "../templates/.config/vlc", dest: "{{ getent_passwd[workstation_user_account][4] }}/.config" }
+ - { src: "../templates/.config/terminator", dest: "{{ getent_passwd[workstation.user_account][4] }}/.config" }
+ - { src: "../templates/.config/vlc", dest: "{{ getent_passwd[workstation.user_account][4] }}/.config" }
 - name: '[authenticator] find if binary is already installed'
 ansible.builtin.file:
@@ -156,8 +174,8 @@
 - name: '[yubico] prepare target directory'
 ansible.builtin.file:
 path: "{{ item }}"
- owner: "{{ workstation_user_account }}"
- group: "{{ workstation_user_account }}"
+ owner: "{{ workstation.user_account }}"
+ group: "{{ workstation.user_account }}"
 mode: '0750'
 state: directory
 loop:
@@ -169,8 +187,8 @@
 src: https://developers.yubico.com/yubioath-flutter/Releases/yubico-authenticator-latest-linux.tar.gz
 remote_src: true
 dest: /tmp/yubico-unarchive
- owner: "{{ workstation_user_account }}"
- group: "{{ workstation_user_account }}"
+ owner: "{{ workstation.user_account }}"
+ group: "{{ workstation.user_account }}"
 - name: '[yubico] find extracted directory'
 ansible.builtin.command:
@@ -179,12 +197,12 @@
 changed_when: false
 - name: '[yubico] move extracted data to final dir'
- copy:
+ ansible.builtin.copy:
 remote_src: true
 src: "{{ yubico_extract_path.stdout }}/"
 dest: /opt/yubico-authenticator
- owner: "{{ workstation_user_account }}"
- group: "{{ workstation_user_account }}"
+ owner: "{{ workstation.user_account }}"
+ group: "{{ workstation.user_account }}"
 - name: '[yubico] cleanup'
 ansible.builtin.file:
@@ -194,24 +212,24 @@
 - name: '[yubico] create shell wrapper'
 ansible.builtin.template:
 src: ../templates/bin_wrapper.sh.j2
- dest: "{{ getent_passwd[workstation_user_account][4] }}/.local/bin/authenticator"
+ dest: "{{ getent_passwd[workstation.user_account][4] }}/.local/bin/authenticator"
 mode: '0750'
- owner: "{{ workstation_user_account }}"
- group: "{{ workstation_user_account }}"
+ owner: "{{ workstation.user_account }}"
+ group: "{{ workstation.user_account }}"
 vars:
 application: "/opt/yubico-authenticator/authenticator"
 - name: '[yubico] create desktop entry'
- template:
+ ansible.builtin.template:
 src: ../templates/desktop_app.j2
- dest: "{{ getent_passwd[workstation_user_account][4] }}/.local/share/applications/authenticator.desktop"
+ dest: "{{ getent_passwd[workstation.user_account][4] }}/.local/share/applications/authenticator.desktop"
 mode: '0600'
- owner: "{{ workstation_user_account }}"
- group: "{{ workstation_user_account }}"
+ owner: "{{ workstation.user_account }}"
+ group: "{{ workstation.user_account }}"
 vars:
 application:
 nodisplay: false
- exec_cmd: "{{ getent_passwd[workstation_user_account][4] }}/.local/bin/authenticator"
+ exec_cmd: "{{ getent_passwd[workstation.user_account][4] }}/.local/bin/authenticator"
 name: "Authenticator"
 - include_tasks: window_manager.yml
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/window_manager.yml b/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/window_manager.yml
index b9cdc26..e167e15 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/window_manager.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/window_manager.yml
@@ -2,10 +2,10 @@
 - name: '[home] get user account information'
 ansible.builtin.getent:
 database: passwd
- key: "{{ workstation_user_account }}"
+ key: "{{ workstation.user_account }}"
 split: ":"
 changed_when: false
- when: getent_passwd is undefined or workstation_user_account not in getent_passwd
+ when: getent_passwd is undefined or workstation.user_account not in getent_passwd
 - name: '[awesomewm] install dependencies'
 become: true
@@ -61,7 +61,7 @@
 block:
 - name: '[lua-lgi] fetch source'
 become: true
- become_user: "{{ workstation_user_account }}"
+ become_user: "{{ workstation.user_account }}"
 ansible.builtin.git:
 repo: https://github.com/lgi-devs/lgi.git
 dest: /opt/git/foss/lua-lgi
@@ -80,8 +80,10 @@
 - name: '[lua-lgi] building project'
 ansible.builtin.command:
 chdir: /opt/git/foss/lua-lgi
- cmd: LUA_CFLAGS="-I/usr/include/lua5.4" make all
+ cmd: make all
 creates: /opt/git/foss/lua-lgi/lgi/corelgilua51.so
+ environment:
+ LUA_CFLAGS: "-I/usr/include/lua5.4"
 - name: '[lua-lgi] compile and install'
 become: true
@@ -94,7 +96,7 @@
 block:
 - name: '[awesomewm] fetch source'
 become: true
- become_user: "{{ workstation_user_account }}"
+ become_user: "{{ workstation.user_account }}"
 ansible.builtin.git:
 repo: https://github.com/awesomeWM/awesome.git
 dest: /opt/git/foss/awesomeWM
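Review bot: moving `LUA_CFLAGS` from the command string into `environment:` is the right fix for the `command` module (which does not evaluate `VAR=value` prefixes), but make only honours an environment variable when the Makefile does not assign that name itself; if lgi's Makefile sets `LUA_CFLAGS` with `=` or `:=`, the value is ignored and the build silently uses whatever pkg-config returns. Passing it as a make argument instead, `cmd: make all LUA_CFLAGS=-I/usr/include/lua5.4`, overrides any in-Makefile assignment and removes the doubt; the same applies to `CMAKE_ARGS` in the awesomewm hunk below. Because both tasks carry `creates:`, a re-run on a host that already built once will not reveal whether the new form works, so this needs a fresh-checkout test.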
@@ -106,11 +108,13 @@
- name: '[awesomewm] building project'
become: true
- become_user: "{{ workstation_user_account }}"
+ become_user: "{{ workstation.user_account }}"
ansible.builtin.command:
chdir: /opt/git/foss/awesomeWM
- cmd: 'CMAKE_ARGS="-DWITH_DBUS=ON -DLUA_LIBRARY=/usr/lib/x86_64-linux-gnu/liblua5.4.so.0 -DLUA_INCLUDE_DIR=/usr/include/lua5.4" make'
+ cmd: 'make'
creates: /opt/git/foss/awesomeWM/build
+ environment:
+ CMAKE_ARGS: "-DWITH_DBUS=ON -DLUA_LIBRARY=/usr/lib/x86_64-linux-gnu/liblua5.4.so.0 -DLUA_INCLUDE_DIR=/usr/include/lua5.4"
- name: '[awesomewm] building project'
become: true
@@ -121,19 +125,19 @@
- name: '[awesomewm] setup configuration'
become: true
- become_user: "{{ workstation_user_account }}"
+ become_user: "{{ workstation.user_account }}"
block:
- name: '[awesomewm] fetch copycats base'
ansible.builtin.git:
repo: https://github.com/lcpz/awesome-copycats.git
- dest: "{{ getent_passwd[workstation_user_account][4] }}/.config/awesome"
+ dest: "{{ getent_passwd[workstation.user_account][4] }}/.config/awesome"
depth: 1
recursive: true
force: false
- name: '[awesomewm] copy customization'
ansible.builtin.copy:
src: ../templates/.config/awesome/
- dest: "{{ getent_passwd[workstation_user_account][4] }}/.config/awesome"
+ dest: "{{ getent_passwd[workstation.user_account][4] }}/.config/awesome"
mode: '0640'
- name: '[home] copy X related configuration'
@@ -147,4 +151,4 @@
- name: '[x11] user .xsession'
ansible.builtin.copy:
src: ../templates/.xsession
- dest: "{{ getent_passwd[workstation_user_account][4] }}/.xsession"
+ dest: "{{ getent_passwd[workstation.user_account][4] }}/.xsession"
diff --git a/inventory/host_vars/localhost/vars.yml b/inventory/host_vars/localhost/vars.yml
index 22cc91f..b6b6595 100644
--- a/inventory/host_vars/localhost/vars.yml
+++ b/inventory/host_vars/localhost/vars.yml
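Review bot: `creates: /opt/git/foss/awesomeWM/build` in `@@ -106,11 +108,13 @@` is a weak idempotence guard: the build directory exists as soon as the build starts, so a `make` that fails part-way leaves it behind and every later run skips the task although nothing was produced. Point `creates:` at an artifact that only exists after a successful build (a file inside `build/`, e.g. the produced binary — confirm the exact name from the project's Makefile) rather than at the directory. Two consecutive tasks in this hunk share the name `'[awesomewm] building project'`, which makes play output and `--start-at-task` ambiguous; give the second one a distinct name such as `'[awesomewm] install project'` if that is what it does. `-DLUA_LIBRARY=/usr/lib/x86_64-linux-gnu/liblua5.4.so.0` hard-codes the amd64 multiarch path; it was already there, but now that it lives in `environment:` it is a natural candidate for a variable.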
@@ -2,18 +2,22 @@
ansible_become_password: "{{ vault_root_pass }}"
ansible_host: "{{ vault_ansible_host }}"
ansible_connection: local
-custom_sysctl:
- 'fs.inotify.max_user_watches': 1048576
- 'vm.swappiness': 1
+custom_development:
+ rust:
+ enable: true
-common_apt_packages:
- - pcscd
- - pinentry-curses
- - radeontop
-
-common_gitconfig_enable: true
-common_gitconfig_username: "{{ vault_common_gitconfig_username }}"
-common_gitconfig_email: "{{ vault_common_gitconfig_email }}"
-common_gitconfig_force_sign: true
-common_gitconfig_signingkey: "{{ vault_common_gitconfig_signingkey }}"
-common_install_fonts: true
+custom_common:
+ sysctl:
+ 'fs.inotify.max_user_watches': 1048576
+ 'vm.swappiness': 1
+ packages:
+ - pcscd
+ - pinentry-curses
+ - radeontop
+ git:
+ enable: true
+ username: "{{ vault_common_gitconfig_username }}"
+ email: "{{ vault_common_gitconfig_email }}"
+ force_sign: true
+ signing_key: "{{ vault_common_gitconfig_signingkey }}"
+ install_fonts: true
diff --git a/inventory/host_vars/unobtainium/vars.yml b/inventory/host_vars/unobtainium/vars.yml
index d894036..b6b6595 100644
--- a/inventory/host_vars/unobtainium/vars.yml
+++ b/inventory/host_vars/unobtainium/vars.yml
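Review bot: `packages:` in `@@ -2,18 +2,22 @@` sits directly under `custom_common`, beside `git` and `sysctl`; if the common role's defaults nest the package list under an `apt` sub-mapping like the other apt settings, a recursive combine places this list at `common.packages`, where nothing reads it, and `pcscd`, `pinentry-curses` and `radeontop` silently stop being installed — confirm the key path against the role defaults and move the list to `custom_common.apt.packages` if so. The same layout appears in `@@ -2,20 +2,22 @@` of `inventory/host_vars/unobtainium/vars.yml`. Separately, `custom_development.rust.enable: true` is new for localhost, whose old vars carried no rust flag, so this host now gains a Rust toolchain install it did not request before; confirm that is intended rather than carried over from the unobtainium file.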
@@ -2,20 +2,22 @@
ansible_become_password: "{{ vault_root_pass }}"
ansible_host: "{{ vault_ansible_host }}"
ansible_connection: local
-custom_sysctl:
- 'fs.inotify.max_user_watches': 1048576
- 'vm.swappiness': 1
+custom_development:
+ rust:
+ enable: true
-common_apt_packages:
- - pcscd
- - pinentry-curses
- - radeontop
-
-common_gitconfig_enable: true
-common_gitconfig_username: "{{ vault_common_gitconfig_username }}"
-common_gitconfig_email: "{{ vault_common_gitconfig_email }}"
-common_gitconfig_force_sign: true
-common_gitconfig_signingkey: "{{ vault_common_gitconfig_signingkey }}"
-common_install_fonts: true
-
-development_install_rust: true
+custom_common:
+ sysctl:
+ 'fs.inotify.max_user_watches': 1048576
+ 'vm.swappiness': 1
+ packages:
+ - pcscd
+ - pinentry-curses
+ - radeontop
+ git:
+ enable: true
+ username: "{{ vault_common_gitconfig_username }}"
+ email: "{{ vault_common_gitconfig_email }}"
+ force_sign: true
+ signing_key: "{{ vault_common_gitconfig_signingkey }}"
+ install_fonts: true
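Review bot: After `@@ -2,20 +2,22 @@` the file `inventory/host_vars/unobtainium/vars.yml` and `inventory/host_vars/localhost/vars.yml` resolve to the same blob (`b6b6595` in both `index` lines), so the two host_vars files are now byte-identical, down to `ansible_host: "{{ vault_ansible_host }}"` and `ansible_connection: local`. Two copies of the same block mean the next edit to one of them drifts silently; move the shared content to a `group_vars` file for a group containing both hosts and keep only genuinely host-specific overrides per host. If both inventory names refer to the same machine, a single host entry is simpler still.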