WoodSmellParticle/ansible-infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix!: fixed molecule tests, rewrote how custom variables are handled for hosts overrides; fixed invalid services names for clamav handlers

Browse source
This commit is contained in:
NaeiKinDus 2023-11-29 00:00:00 +00:00
parent 6026cfd195
commit dafa3fbc54
Signed by: WoodSmellParticle
GPG key ID: 8E52ADFF7CA8AE56
23 changed files with 238 additions and 159 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/create.yml
View file

@ -23,7 +23,7 @@
type: tmpfs type: tmpfs
- target: /run/lock - target: /run/lock
type: tmpfs type: tmpfs
- target: /tmp - target: /tmp:exec
type: tmpfs type: tmpfs
register: result register: result
loop: "{{ molecule_yml.platforms }}" loop: "{{ molecule_yml.platforms }}"
@ -52,7 +52,8 @@
"{{ item.name }}": "{{ item.name }}":
ansible_connection: community.docker.docker ansible_connection: community.docker.docker
custom_common: custom_common:
deb822_format: true apt:
deb822_format: true
ansible.builtin.set_fact: ansible.builtin.set_fact:
molecule_inventory: > molecule_inventory: >
{{ molecule_inventory | combine(inventory_partial_yaml | from_yaml) }} {{ molecule_inventory | combine(inventory_partial_yaml | from_yaml) }}

28
collections/ansible_collections/nullified/infrastructure/roles/common/defaults/main.yml
View file

@ -1,13 +1,19 @@
--- ---
custom_github_token: ""
common_user_account: "{{ custom_base_user_account | lower }}"
common_gitconfig_enable: false
common_gitconfig_username: ""
common_gitconfig_email: ""
common_gitconfig_force_sign: false
common_gitconfig_signingkey: ""
common_apt_packages: []
common_install_fonts: false
common: common:
apt_components: ['contrib', 'non-free', 'non-free-firmware'] apt:
deb822_format: false source_components: ['contrib', 'non-free', 'non-free-firmware']
packages: []
deb822_format: false
git:
enable: false
username: ""
email: ""
force_sign: false
signing_key: ""
github_token: "{{ custom_github_token | default('') }}"
install_fonts: false
sysctl: {}
user_account: "{{ custom_base_user_account | default('root') }}"
custom_common: {}
recursive_combine: true

16
collections/ansible_collections/nullified/infrastructure/roles/common/tasks/home_setup.yml
View file

@ -2,16 +2,16 @@
- name: '[home] get user account information' - name: '[home] get user account information'
ansible.builtin.getent: ansible.builtin.getent:
database: passwd database: passwd
key: "{{ common_user_account }}" key: "{{ common.user_account }}"
split: ":" split: ":"
changed_when: false changed_when: false
when: getent_passwd is undefined or common_user_account not in getent_passwd when: getent_passwd is undefined or common.user_account not in getent_passwd
- name: '[home] create common directories' - name: '[home] create common directories'
become: true become: true
become_user: "{{ common_user_account }}" become_user: "{{ common.user_account }}"
ansible.builtin.file: ansible.builtin.file:
path: "{{ getent_passwd[common_user_account][4] }}/{{ item }}" path: "{{ getent_passwd[common.user_account][4] }}/{{ item }}"
state: directory state: directory
mode: '0750' mode: '0750'
loop: loop:
@ -22,19 +22,19 @@
- name: '[home] setup home files' - name: '[home] setup home files'
become: true become: true
become_user: "{{ common_user_account }}" become_user: "{{ common.user_account }}"
block: block:
- name: '[home] git configuration' - name: '[home] git configuration'
ansible.builtin.template: ansible.builtin.template:
src: ../templates/home/.gitconfig.j2 src: ../templates/home/.gitconfig.j2
dest: "{{ getent_passwd[common_user_account][4] }}/.gitconfig" dest: "{{ getent_passwd[common.user_account][4] }}/.gitconfig"
mode: '0640' mode: '0640'
when: common_gitconfig_enable | bool when: common.git.enable is truthy
- name: '[home] basic files' - name: '[home] basic files'
ansible.builtin.copy: ansible.builtin.copy:
src: "../templates/home/{{ item.name }}" src: "../templates/home/{{ item.name }}"
dest: "{{ getent_passwd[common_user_account][4] }}/{{ item.name }}" dest: "{{ getent_passwd[common.user_account][4] }}/{{ item.name }}"
mode: "{{ item.mode | default('0640') }}" mode: "{{ item.mode | default('0640') }}"
loop: loop:
- { name: ".lessfilter", mode: '0750' } - { name: ".lessfilter", mode: '0750' }

24
collections/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml
View file

@ -1,7 +1,7 @@
--- ---
- name: '[common] merge with custom vars' - name: '[setup] merge with custom vars'
set_fact: ansible.builtin.set_fact:
common: "{{ common|combine(custom_common) }}" common: "{{ common | combine(custom_common, recursive=recursive_combine) }}"
changed_when: false changed_when: false
- name: '[apt] verify components of default sources' - name: '[apt] verify components of default sources'
@ -11,15 +11,15 @@
path: '/etc/apt/sources.list' path: '/etc/apt/sources.list'
regexp: '^(deb((?!{{ item }}).)+)$' regexp: '^(deb((?!{{ item }}).)+)$'
replace: '\1 {{ item }}' replace: '\1 {{ item }}'
when: not common.deb822_format | bool when: not common.apt.deb822_format | bool
loop: '{{ common.apt_components }}' loop: '{{ common.apt.source_components }}'
- name: '[apt] default deb822 debian.sources' - name: '[apt] default deb822 debian.sources'
ansible.builtin.replace: ansible.builtin.replace:
path: '/etc/apt/sources.list.d/debian.sources' path: '/etc/apt/sources.list.d/debian.sources'
regexp: '^(Components: ((?!{{ item }}).)+)$' regexp: '^(Components: ((?!{{ item }}).)+)$'
replace: '\1 {{ item }}' replace: '\1 {{ item }}'
loop: '{{ common.apt_components }}' loop: '{{ common.apt.source_components }}'
when: common.deb822_format | bool when: common.apt.deb822_format | bool
- name: '[apt] install dependencies and tools' - name: '[apt] install dependencies and tools'
become: true become: true
@ -57,14 +57,14 @@
- yq - yq
state: present state: present
- name: '[GitHub] install tools' - name: '[github] install tools'
become: true become: true
nullified.infrastructure.github_artifact: nullified.infrastructure.github_artifact:
asset_name: "{{ item.asset_name | default('') }}" asset_name: "{{ item.asset_name | default('') }}"
asset_type: "{{ item.asset_type }}" asset_type: "{{ item.asset_type }}"
cmds: "{{ item.cmds | default([]) }}" cmds: "{{ item.cmds | default([]) }}"
creates: "{{ item.creates | default('') }}" creates: "{{ item.creates | default('') }}"
github_token: "{{ custom_github_token }}" github_token: "{{ common.github_token }}"
repository: "{{ item.repository }}" repository: "{{ item.repository }}"
version: "{{ item.version | default('') }}" version: "{{ item.version | default('') }}"
loop: loop:
@ -110,7 +110,9 @@
src: ../templates/system/sysctld.local.conf.j2 src: ../templates/system/sysctld.local.conf.j2
dest: /etc/sysctl.d/local.conf dest: /etc/sysctl.d/local.conf
mode: '0644' mode: '0644'
when: custom_sysctl is defined when: common.sysctl is truthy
vars:
sysctl_values: "{{ common.sysctl }}"
notify: notify:
- 'common : [system] reload sysctl configuration' - 'common : [system] reload sysctl configuration'
@ -121,7 +123,7 @@
force_apt_get: true force_apt_get: true
cache_valid_time: 3600 cache_valid_time: 3600
pkg: pkg:
"{{ common_apt_packages }}" "{{ common.apt.packages }}"
- include_tasks: home_setup.yml - include_tasks: home_setup.yml

24
collections/ansible_collections/nullified/infrastructure/roles/common/tasks/shell_customization.yml
View file

@ -2,10 +2,10 @@
- name: '[home] get user account information' - name: '[home] get user account information'
ansible.builtin.getent: ansible.builtin.getent:
database: passwd database: passwd
key: "{{ common_user_account }}" key: "{{ common.user_account }}"
split: ":" split: ":"
changed_when: false changed_when: false
when: getent_passwd is undefined or common_user_account not in getent_passwd when: getent_passwd is undefined or common.user_account not in getent_passwd
- name: '[shell] install ZSH and dependencies' - name: '[shell] install ZSH and dependencies'
become: true become: true
@ -20,7 +20,7 @@
- name: '[shell] install custom fonts' - name: '[shell] install custom fonts'
become: true become: true
become_user: "{{ common_user_account }}" become_user: "{{ common.user_account }}"
block: block:
- name: '[fonts] add fonts tooling' - name: '[fonts] add fonts tooling'
become_user: root become_user: root
@ -34,18 +34,18 @@
- name: '[fonts] adding fonts' - name: '[fonts] adding fonts'
ansible.builtin.copy: ansible.builtin.copy:
src: ../assets/fonts/ src: ../assets/fonts/
dest: "{{ getent_passwd[common_user_account][4] }}/.local/share/fonts" dest: "{{ getent_passwd[common.user_account][4] }}/.local/share/fonts"
mode: '0640' mode: '0640'
- name: '[fonts] refresh fonts cache' - name: '[fonts] refresh fonts cache'
ansible.builtin.command: ansible.builtin.command:
cmd: fc-cache cmd: fc-cache
changed_when: false changed_when: false
when: common_install_fonts | bool when: common.install_fonts is truthy
- name: '[shell] install Oh-My-ZSH' - name: '[shell] install Oh-My-ZSH'
become: true become: true
become_user: "{{ common_user_account }}" become_user: "{{ common.user_account }}"
block: block:
- name: '[omz] get install script' - name: '[omz] get install script'
ansible.builtin.get_url: ansible.builtin.get_url:
@ -56,22 +56,22 @@
- name: '[omz] install OMZ' - name: '[omz] install OMZ'
ansible.builtin.command: ansible.builtin.command:
cmd: sh /tmp/zsh-install.sh --unattended cmd: sh /tmp/zsh-install.sh --unattended
creates: "{{ getent_passwd[common_user_account][4] }}/.oh-my-zsh" creates: "{{ getent_passwd[common.user_account][4] }}/.oh-my-zsh"
- name: '[shell] install powerlevel10k customization for OMZ' - name: '[shell] install powerlevel10k customization for OMZ'
become: true become: true
become_user: "{{ common_user_account }}" become_user: "{{ common.user_account }}"
ansible.builtin.git: ansible.builtin.git:
repo: https://github.com/romkatv/powerlevel10k.git repo: https://github.com/romkatv/powerlevel10k.git
dest: "{{ getent_passwd[common_user_account][4] }}/.oh-my-zsh/custom/themes/powerlevel10k" dest: "{{ getent_passwd[common.user_account][4] }}/.oh-my-zsh/custom/themes/powerlevel10k"
depth: 1 depth: 1
- name: '[home] copy zsh files' - name: '[home] copy zsh files'
become: true become: true
become_user: "{{ common_user_account }}" become_user: "{{ common.user_account }}"
ansible.builtin.copy: ansible.builtin.copy:
src: "../templates/home/{{ item }}" src: "../templates/home/{{ item }}"
dest: "{{ getent_passwd[common_user_account][4] }}/{{ item }}" dest: "{{ getent_passwd[common.user_account][4] }}/{{ item }}"
mode: '0640' mode: '0640'
loop: loop:
- .p10k.zsh - .p10k.zsh
@ -84,6 +84,6 @@
- name: '[shell] update user shell to ZSH' - name: '[shell] update user shell to ZSH'
become: true become: true
ansible.builtin.user: ansible.builtin.user:
name: "{{ common_user_account }}" name: "{{ common.user_account }}"
shell: "/usr/bin/zsh" shell: "/usr/bin/zsh"
state: present state: present

14
collections/ansible_collections/nullified/infrastructure/roles/common/templates/home/.gitconfig.j2
View file

@ -1,17 +1,17 @@
[user] [user]
name = {{ common_gitconfig_username }} name = {{ common.git.username }}
email = {{ common_gitconfig_email }} email = {{ common.git.email }}
{% if common_gitconfig_force_sign and common_gitconfig_signingkey %} {% if common.git.force_sign and common.git.signing_key %}
signingkey = {{ common_gitconfig_signingkey }} signingkey = {{ common.git.signing_key }}
{% endif %} {% endif %}
[commit] [commit]
{% if common_gitconfig_force_sign %} {% if common.git.force_sign %}
gpgsign = true gpgsign = true
{% else %} {% else %}
gpgsign = false gpgsign = false
{% endif %} {% endif %}
[tag] [tag]
{% if common_gitconfig_force_sign %} {% if common.git.force_sign %}
gpgsign = true gpgsign = true
{% else %} {% else %}
gpgsign = false gpgsign = false
@ -104,4 +104,4 @@
statusUoption = false statusUoption = false
submoduleAlternateErrorStrategyDie = false submoduleAlternateErrorStrategyDie = false
waitingForEditor = false waitingForEditor = false
{% endraw %} {% endraw %}

4
collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/sysctld.local.conf.j2
View file

@ -1,3 +1,3 @@
{% for item in custom_sysctl.keys() -%} {% for item in sysctl_values.keys() -%}
{{ item }} = {{ custom_sysctl[item] }} {{ item }} = {{ sysctl_values[item] }}
{% endfor %} {% endfor %}

17
collections/ansible_collections/nullified/infrastructure/roles/development/defaults/main.yml
View file

@ -1,5 +1,14 @@
--- ---
custom_github_token: "" development:
development_docker_remap_user: "{{ custom_base_user_account }}" docker:
development_docker_remap_group: "{{ custom_base_user_account }}" userns: true
development_install_rust: false remap_user: "{{ custom_base_user_account | default('root') }}"
remap_group: "{{ custom_base_user_account | default('root') }}"
systemd_slice: docker.slice
github_token: "{{ custom_github_token | default('') }}"
rust:
enable: true
user_account: "{{ custom_base_user_account | default('root') }}"
custom_development: {}
recursive_combine: true

1
collections/ansible_collections/nullified/infrastructure/roles/development/handlers/main.yml
View file

@ -5,3 +5,4 @@
name: docker name: docker
enabled: true enabled: true
state: restarted state: restarted
when: ansible_virtualization_type is not match("docker")

39
collections/ansible_collections/nullified/infrastructure/roles/development/tasks/main.yml
View file

@ -1,17 +1,23 @@
--- ---
- name: '[setup] gather facts if not already done' - name: '[setup] gather facts if not already done'
setup: ansible.builtin.setup:
gather_subset: gather_subset:
- distribution - distribution
- distribution_release - distribution_release
- virtualization_type
- name: '[setup] merge with custom vars'
ansible.builtin.set_fact:
development: "{{ development | combine(custom_development, recursive=recursive_combine) }}"
changed_when: false
- name: '[home] get user account information' - name: '[home] get user account information'
ansible.builtin.getent: ansible.builtin.getent:
database: passwd database: passwd
key: "{{ custom_base_user_account }}" key: "{{ development.user_account }}"
split: ":" split: ":"
changed_when: false changed_when: false
when: getent_passwd is undefined or custom_base_user_account not in getent_passwd when: getent_passwd is undefined or development.user_account not in getent_passwd
- name: '[apt] install dependencies and tools' - name: '[apt] install dependencies and tools'
become: true become: true
@ -63,7 +69,7 @@
- name: '[github] install tools' - name: '[github] install tools'
become: true become: true
nullified.infrastructure.github_artifact: nullified.infrastructure.github_artifact:
github_token: '{{ custom_github_token }}' github_token: '{{ development.github_token }}'
asset_name: "{{ item.asset_name | default('') }}" asset_name: "{{ item.asset_name | default('') }}"
asset_type: "{{ item.asset_type }}" asset_type: "{{ item.asset_type }}"
cmds: "{{ item.cmds | default([]) }}" cmds: "{{ item.cmds | default([]) }}"
@ -240,12 +246,13 @@
src: ../templates/docker-ce/daemon.json.j2 src: ../templates/docker-ce/daemon.json.j2
dest: /etc/docker/daemon.json dest: /etc/docker/daemon.json
mode: '0644' mode: '0644'
when: development.docker.userns is truthy
notify: notify:
- 'development : [docker] restart service' - 'development : [docker] restart service'
- name: '[docker] add default user to docker group' - name: '[docker] add default user to docker group'
ansible.builtin.user: ansible.builtin.user:
name: "{{ development_docker_remap_user }}" name: "{{ development.user_account }}"
append: true append: true
groups: docker groups: docker
state: present state: present
@ -254,21 +261,21 @@
- name: '[python] install tools' - name: '[python] install tools'
become: true become: true
become_user: "{{ custom_base_user_account }}" become_user: "{{ development.user_account }}"
ansible.builtin.command: ansible.builtin.command:
cmd: "pipx install {{ item.cmd }}" cmd: "pipx install {{ item.cmd }}"
creates: "{{ getent_passwd[custom_base_user_account][4] }}/.local/bin/{{ item.creates }}" creates: "{{ getent_passwd[development.user_account][4] }}/.local/bin/{{ item.creates }}"
loop: loop:
- { "cmd": "black", "creates": "black" } - { "cmd": "black", "creates": "black" }
- { "cmd": "flake8", "creates": "flake8" } - { "cmd": "flake8", "creates": "flake8" }
- name: '[python] install pipx packages dependencies' - name: '[python] install pipx packages dependencies'
become: true become: true
become_user: "{{ custom_base_user_account }}" become_user: "{{ development.user_account }}"
ansible.builtin.command: ansible.builtin.command:
cmd: "pipx inject {{ item.venv }} {{ item.extension }}" cmd: "pipx inject {{ item.venv }} {{ item.extension }}"
creates: creates:
"{{ getent_passwd[custom_base_user_account][4] }}/.local/pipx/venvs/{{ item.venv }}/lib/python3.11/site-packages/{{ item.creates }}" "{{ getent_passwd[development.user_account][4] }}/.local/pipx/venvs/{{ item.venv }}/lib/python3.11/site-packages/{{ item.creates }}"
loop: loop:
- venv: "flake8" - venv: "flake8"
extension: "flake8-annotations-complexity" extension: "flake8-annotations-complexity"
@ -330,26 +337,26 @@
- name: '[rust] check if rust is already installed' - name: '[rust] check if rust is already installed'
ansible.builtin.file: ansible.builtin.file:
path: "{{ getent_passwd[custom_base_user_account][4] }}/.cargo/bin/rustc" path: "{{ getent_passwd[development.user_account][4] }}/.cargo/bin/rustc"
register: rustc_stat register: rustc_stat
changed_when: false changed_when: false
failed_when: false failed_when: false
when: development_install_rust | bool when: development.rust.enable is truthy
- name: '[rust] rust' - name: '[rust] rust'
become: true become: true
when: development_install_rust | bool and rustc_stat.state is match("absent") when: development.rust.enable is truthy and rustc_stat.state is match("absent")
block: block:
- name: '[rust] download installer' - name: '[rust] download installer'
ansible.builtin.get_url: ansible.builtin.get_url:
url: https://sh.rustup.rs url: https://sh.rustup.rs
dest: /tmp/rustup.sh dest: /tmp/rustup.sh
mode: '0750' mode: '0750'
owner: "{{ custom_base_user_account }}" owner: "{{ development.user_account }}"
group: "{{ custom_base_user_account }}" group: "{{ development.user_account }}"
- name: '[rust] install rust toolchain' - name: '[rust] install rust toolchain'
become_user: "{{ custom_base_user_account }}" become_user: "{{ development.user_account }}"
script: script:
cmd: /tmp/rustup.sh -qy cmd: /tmp/rustup.sh -qy
creates: "{{ getent_passwd[custom_base_user_account][4] }}/.cargo/bin/rustc" creates: "{{ getent_passwd[development.user_account][4] }}/.cargo/bin/rustc"

4
collections/ansible_collections/nullified/infrastructure/roles/development/templates/docker-ce/daemon.json.j2
View file

@ -1,4 +1,4 @@
{ {
"userns-remap": "{{ development_docker_remap_user }}:{{ development_docker_remap_group }}", "userns-remap": "{{ development.docker.remap_user }}:{{ development.docker.remap_group }}",
"cgroup-parent": "{{ development_docker_systemd_slice }}" "cgroup-parent": "{{ development.docker.systemd_slice }}"
} }

1
collections/ansible_collections/nullified/infrastructure/roles/development/vars/main.yml
View file

@ -1,2 +1 @@
--- ---
development_docker_systemd_slice: docker.slice

6
collections/ansible_collections/nullified/infrastructure/roles/gaming/defaults/main.yml
View file

@ -1,2 +1,6 @@
--- ---
custom_github_token: "" gaming:
github_token: "{{ custom_github_token | default('') }}"
custom_gaming: {}
recursive_combine: true

9
collections/ansible_collections/nullified/infrastructure/roles/gaming/tasks/main.yml
View file

@ -1,4 +1,9 @@
--- ---
- name: '[setup] merge with custom vars'
ansible.builtin.set_fact:
gaming: "{{ gaming | combine(custom_gaming, recursive=recursive_combine) }}"
changed_when: false
- name: '[games] install Steam' - name: '[games] install Steam'
become: true become: true
block: block:
@ -21,7 +26,7 @@
mode: '0644' mode: '0644'
- name: '[apt key] add source' - name: '[apt key] add source'
apt_repository: ansible.builtin.apt_repository:
repo: "{{ item }} [arch=amd64,i386 signed-by=/usr/share/keyrings/steam.gpg] https://repo.steampowered.com/steam/ stable steam" repo: "{{ item }} [arch=amd64,i386 signed-by=/usr/share/keyrings/steam.gpg] https://repo.steampowered.com/steam/ stable steam"
state: present state: present
filename: steam filename: steam
@ -47,7 +52,7 @@
block: block:
- name: '[hgl] fetch assets from github' - name: '[hgl] fetch assets from github'
nullified.infrastructure.github_artifact: nullified.infrastructure.github_artifact:
github_token: '{{ custom_github_token }}' github_token: '{{ gaming.github_token }}'
asset_name: heroic_{version}_amd64.deb asset_name: heroic_{version}_amd64.deb
asset_type: release asset_type: release
repository: Heroic-Games-Launcher/HeroicGamesLauncher repository: Heroic-Games-Launcher/HeroicGamesLauncher

7
collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
View file

@ -1,2 +1,7 @@
--- ---
security_clamav_version: 1.2.1 security:
clamav:
version: 1.2.1
custom_security: {}
recursive_combine: true

4
collections/ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml
View file

@ -14,7 +14,7 @@
- name: '[freshclam] restart service' - name: '[freshclam] restart service'
become: true become: true
ansible.builtin.systemd_service: ansible.builtin.systemd_service:
name: sshd.service name: clamav-freshclam.service
enabled: true enabled: true
state: restarted state: restarted
@ -28,6 +28,6 @@
- name: '[clamd] restart service' - name: '[clamd] restart service'
become: true become: true
ansible.builtin.systemd_service: ansible.builtin.systemd_service:
name: sshd.service name: clamav-clamd.service
enabled: true enabled: true
state: restarted state: restarted

12
collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
View file

@ -4,6 +4,11 @@
gather_subset: gather_subset:
- distribution - distribution
- name: '[setup] merge with custom vars'
ansible.builtin.set_fact:
security: "{{ security | combine(custom_security, recursive=recursive_combine) }}"
changed_when: false
- name: '[ssh] hardening sshd' - name: '[ssh] hardening sshd'
become: true become: true
block: block:
@ -12,6 +17,11 @@
src: ../templates/openssh-server/sshd_config.j2 src: ../templates/openssh-server/sshd_config.j2
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
mode: '0644' mode: '0644'
- name: '[ssh] ensure directories exist'
ansible.builtin.file:
path: /etc/ssh/sshd_config.d
state: directory
mode: '0755'
- name: '[ssh] setup sshd_config.d' - name: '[ssh] setup sshd_config.d'
ansible.builtin.template: ansible.builtin.template:
src: ../templates/openssh-server/sshd_config.d/encryption.conf.j2 src: ../templates/openssh-server/sshd_config.d/encryption.conf.j2
@ -68,7 +78,7 @@
block: block:
- name: '[clamav] retrieve and install clamav package' - name: '[clamav] retrieve and install clamav package'
ansible.builtin.apt: ansible.builtin.apt:
deb: https://www.clamav.net/downloads/production/clamav-{{ security_clamav_version }}.linux.x86_64.deb deb: https://www.clamav.net/downloads/production/clamav-{{ security.clamav.version }}.linux.x86_64.deb
force_apt_get: true force_apt_get: true
state: present state: present
- name: '[clamav] add clamav group' - name: '[clamav] add clamav group'

1
collections/ansible_collections/nullified/infrastructure/roles/server/defaults/main.yml
View file

@ -1,2 +1 @@
--- ---
# defaults file for tooling

9
collections/ansible_collections/nullified/infrastructure/roles/workstation/defaults/main.yml
View file

@ -1,4 +1,7 @@
--- ---
workstation_user_account: "{{ custom_base_user_account }}" workstation:
custom_github_token: "" github_token: "{{ custom_github_token | default('') }}"
custom_sysctl: {} user_account: "{{ custom_base_user_account | default('root') }}"
custom_workstation: {}
recursive_combine: true

80
collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml
View file

@ -1,11 +1,28 @@
--- ---
- name: '[setup] merge with custom vars'
ansible.builtin.set_fact:
workstation: "{{ workstation | combine(custom_workstation, recursive=recursive_combine) }}"
changed_when: false
- name: '[home] get user account information' - name: '[home] get user account information'
ansible.builtin.getent: ansible.builtin.getent:
database: passwd database: passwd
key: "{{ workstation_user_account }}" key: "{{ workstation.user_account }}"
split: ":" split: ":"
changed_when: false changed_when: false
when: getent_passwd is undefined or workstation_user_account not in getent_passwd when: getent_passwd is undefined or workstation.user_account not in getent_passwd
- name: '[setup] ensure expected home directories exist'
become: true
ansible.builtin.file:
path: "{{ getent_passwd[workstation.user_account][4] }}/{{ item }}"
state: directory
owner: "{{ workstation.user_account }}"
group: "{{ workstation.user_account }}"
mode: '0750'
loop:
- .local/bin
- .local/share/applications
- name: '[apt] install dependencies and tools' - name: '[apt] install dependencies and tools'
become: true become: true
@ -40,6 +57,7 @@
- python3-pip - python3-pip
- python3-psutil # terminator - python3-psutil # terminator
- ruby - ruby
- ruby-dev
- scrot - scrot
- smbclient - smbclient
- socat - socat
@ -57,23 +75,23 @@
- name: '[setup] add user to sudo group' - name: '[setup] add user to sudo group'
become: true become: true
ansible.builtin.user: ansible.builtin.user:
name: "{{ workstation_user_account }}" name: "{{ workstation.user_account }}"
groups: groups:
- sudo - sudo
append: true append: true
- name: '[setup] setup Flatpak' - name: '[setup] setup Flatpak'
become: true become: true
become_user: "{{ workstation_user_account }}" become_user: "{{ workstation.user_account }}"
block: block:
- name: '[flatpak] add flatpak repos' - name: '[flatpak] add flatpak repos'
command: ansible.builtin.command:
cmd: flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo cmd: flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
changed_when: false changed_when: false
- name: '[flatpak] install flatpak apps' - name: '[flatpak] install flatpak apps'
command: ansible.builtin.command:
cmd: "flatpak install --noninteractive {{ item.repo }} {{ item.app }}" cmd: "flatpak install --noninteractive {{ item.repo }} {{ item.app }}"
creates: "{{ getent_passwd[workstation_user_account][4] }}/.var/app/{{ item.app }}" creates: "/var/lib/flatpak/app/{{ item.app }}"
loop: loop:
- repo: flathub - repo: flathub
app: com.discordapp.Discord app: com.discordapp.Discord
@ -83,7 +101,7 @@
- name: '[github] install tools' - name: '[github] install tools'
become: true become: true
nullified.infrastructure.github_artifact: nullified.infrastructure.github_artifact:
github_token: '{{ custom_github_token }}' github_token: '{{ workstation.github_token }}'
asset_name: "{{ item.asset_name | default('') }}" asset_name: "{{ item.asset_name | default('') }}"
asset_type: "{{ item.asset_type }}" asset_type: "{{ item.asset_type }}"
cmds: "{{ item.cmds | default([]) }}" cmds: "{{ item.cmds | default([]) }}"
@ -114,8 +132,8 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ item.path }}" path: "{{ item.path }}"
mode: "{{ item.mode | default('0750') }}" mode: "{{ item.mode | default('0750') }}"
owner: "{{ item.owner | default(workstation_user_account) }}" owner: "{{ item.owner | default(workstation.user_account) }}"
group: "{{ item.group | default(workstation_user_account) }}" group: "{{ item.group | default(workstation.user_account) }}"
state: directory state: directory
loop: loop:
- { path: '/opt/git/foss' } - { path: '/opt/git/foss' }
@ -125,22 +143,22 @@
- name: '[emacs] fetch emacs configuration files' - name: '[emacs] fetch emacs configuration files'
become: true become: true
become_user: "{{ workstation_user_account }}" become_user: "{{ workstation.user_account }}"
ansible.builtin.git: ansible.builtin.git:
repo: "ssh://git@gitlab.0x2a.ninja:4222/naeikindus/emacsd.git" repo: "https://gitlab.0x2a.ninja/naeikindus/emacsd.git"
dest: "{{ getent_passwd[workstation_user_account][4] }}/.emacs.d" dest: "{{ getent_passwd[workstation.user_account][4] }}/.emacs.d"
force: false force: false
- name: '[config] set tools configuration' - name: '[config] set tools configuration'
become: true become: true
become_user: "{{ workstation_user_account }}" become_user: "{{ workstation.user_account }}"
ansible.builtin.copy: ansible.builtin.copy:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
mode: "{{ item.mode | default('0640') }}" mode: "{{ item.mode | default('0640') }}"
loop: loop:
- { src: "../templates/.config/terminator", dest: "{{ getent_passwd[workstation_user_account][4] }}/.config" } - { src: "../templates/.config/terminator", dest: "{{ getent_passwd[workstation.user_account][4] }}/.config" }
- { src: "../templates/.config/vlc", dest: "{{ getent_passwd[workstation_user_account][4] }}/.config" } - { src: "../templates/.config/vlc", dest: "{{ getent_passwd[workstation.user_account][4] }}/.config" }
- name: '[authenticator] find if binary is already installed' - name: '[authenticator] find if binary is already installed'
ansible.builtin.file: ansible.builtin.file:
@ -156,8 +174,8 @@
- name: '[yubico] prepare target directory' - name: '[yubico] prepare target directory'
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
owner: "{{ workstation_user_account }}" owner: "{{ workstation.user_account }}"
group: "{{ workstation_user_account }}" group: "{{ workstation.user_account }}"
mode: '0750' mode: '0750'
state: directory state: directory
loop: loop:
@ -169,8 +187,8 @@
src: https://developers.yubico.com/yubioath-flutter/Releases/yubico-authenticator-latest-linux.tar.gz src: https://developers.yubico.com/yubioath-flutter/Releases/yubico-authenticator-latest-linux.tar.gz
remote_src: true remote_src: true
dest: /tmp/yubico-unarchive dest: /tmp/yubico-unarchive
owner: "{{ workstation_user_account }}" owner: "{{ workstation.user_account }}"
group: "{{ workstation_user_account }}" group: "{{ workstation.user_account }}"
- name: '[yubico] find extracted directory' - name: '[yubico] find extracted directory'
ansible.builtin.command: ansible.builtin.command:
@ -179,12 +197,12 @@
changed_when: false changed_when: false
- name: '[yubico] move extracted data to final dir' - name: '[yubico] move extracted data to final dir'
copy: ansible.builtin.copy:
remote_src: true remote_src: true
src: "{{ yubico_extract_path.stdout }}/" src: "{{ yubico_extract_path.stdout }}/"
dest: /opt/yubico-authenticator dest: /opt/yubico-authenticator
owner: "{{ workstation_user_account }}" owner: "{{ workstation.user_account }}"
group: "{{ workstation_user_account }}" group: "{{ workstation.user_account }}"
- name: '[yubico] cleanup' - name: '[yubico] cleanup'
ansible.builtin.file: ansible.builtin.file:
@ -194,24 +212,24 @@
- name: '[yubico] create shell wrapper' - name: '[yubico] create shell wrapper'
ansible.builtin.template: ansible.builtin.template:
src: ../templates/bin_wrapper.sh.j2 src: ../templates/bin_wrapper.sh.j2
dest: "{{ getent_passwd[workstation_user_account][4] }}/.local/bin/authenticator" dest: "{{ getent_passwd[workstation.user_account][4] }}/.local/bin/authenticator"
mode: '0750' mode: '0750'
owner: "{{ workstation_user_account }}" owner: "{{ workstation.user_account }}"
group: "{{ workstation_user_account }}" group: "{{ workstation.user_account }}"
vars: vars:
application: "/opt/yubico-authenticator/authenticator" application: "/opt/yubico-authenticator/authenticator"
- name: '[yubico] create desktop entry' - name: '[yubico] create desktop entry'
template: ansible.builtin.template:
src: ../templates/desktop_app.j2 src: ../templates/desktop_app.j2
dest: "{{ getent_passwd[workstation_user_account][4] }}/.local/share/applications/authenticator.desktop" dest: "{{ getent_passwd[workstation.user_account][4] }}/.local/share/applications/authenticator.desktop"
mode: '0600' mode: '0600'
owner: "{{ workstation_user_account }}" owner: "{{ workstation.user_account }}"
group: "{{ workstation_user_account }}" group: "{{ workstation.user_account }}"
vars: vars:
application: application:
nodisplay: false nodisplay: false
exec_cmd: "{{ getent_passwd[workstation_user_account][4] }}/.local/bin/authenticator" exec_cmd: "{{ getent_passwd[workstation.user_account][4] }}/.local/bin/authenticator"
name: "Authenticator" name: "Authenticator"
- include_tasks: window_manager.yml - include_tasks: window_manager.yml

26
collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/window_manager.yml
View file

@ -2,10 +2,10 @@
- name: '[home] get user account information' - name: '[home] get user account information'
ansible.builtin.getent: ansible.builtin.getent:
database: passwd database: passwd
key: "{{ workstation_user_account }}" key: "{{ workstation.user_account }}"
split: ":" split: ":"
changed_when: false changed_when: false
when: getent_passwd is undefined or workstation_user_account not in getent_passwd when: getent_passwd is undefined or workstation.user_account not in getent_passwd
- name: '[awesomewm] install dependencies' - name: '[awesomewm] install dependencies'
become: true become: true
@ -61,7 +61,7 @@
block: block:
- name: '[lua-lgi] fetch source' - name: '[lua-lgi] fetch source'
become: true become: true
become_user: "{{ workstation_user_account }}" become_user: "{{ workstation.user_account }}"
ansible.builtin.git: ansible.builtin.git:
repo: https://github.com/lgi-devs/lgi.git repo: https://github.com/lgi-devs/lgi.git
dest: /opt/git/foss/lua-lgi dest: /opt/git/foss/lua-lgi
@ -80,8 +80,10 @@
- name: '[lua-lgi] building project' - name: '[lua-lgi] building project'
ansible.builtin.command: ansible.builtin.command:
chdir: /opt/git/foss/lua-lgi chdir: /opt/git/foss/lua-lgi
cmd: LUA_CFLAGS="-I/usr/include/lua5.4" make all cmd: make all
creates: /opt/git/foss/lua-lgi/lgi/corelgilua51.so creates: /opt/git/foss/lua-lgi/lgi/corelgilua51.so
environment:
LUA_CFLAGS: "-I/usr/include/lua5.4"
- name: '[lua-lgi] compile and install' - name: '[lua-lgi] compile and install'
become: true become: true
@ -94,7 +96,7 @@
block: block:
- name: '[awesomewm] fetch source' - name: '[awesomewm] fetch source'
become: true become: true
become_user: "{{ workstation_user_account }}" become_user: "{{ workstation.user_account }}"
ansible.builtin.git: ansible.builtin.git:
repo: https://github.com/awesomeWM/awesome.git repo: https://github.com/awesomeWM/awesome.git
dest: /opt/git/foss/awesomeWM dest: /opt/git/foss/awesomeWM
@ -106,11 +108,13 @@
- name: '[awesomewm] building project' - name: '[awesomewm] building project'
become: true become: true
become_user: "{{ workstation_user_account }}" become_user: "{{ workstation.user_account }}"
ansible.builtin.command: ansible.builtin.command:
chdir: /opt/git/foss/awesomeWM chdir: /opt/git/foss/awesomeWM
cmd: 'CMAKE_ARGS="-DWITH_DBUS=ON -DLUA_LIBRARY=/usr/lib/x86_64-linux-gnu/liblua5.4.so.0 -DLUA_INCLUDE_DIR=/usr/include/lua5.4" make' cmd: 'make'
creates: /opt/git/foss/awesomeWM/build creates: /opt/git/foss/awesomeWM/build
environment:
CMAKE_ARGS: "-DWITH_DBUS=ON -DLUA_LIBRARY=/usr/lib/x86_64-linux-gnu/liblua5.4.so.0 -DLUA_INCLUDE_DIR=/usr/include/lua5.4"
- name: '[awesomewm] building project' - name: '[awesomewm] building project'
become: true become: true
@ -121,19 +125,19 @@
- name: '[awesomewm] setup configuration' - name: '[awesomewm] setup configuration'
become: true become: true
become_user: "{{ workstation_user_account }}" become_user: "{{ workstation.user_account }}"
block: block:
- name: '[awesomewm] fetch copycats base' - name: '[awesomewm] fetch copycats base'
ansible.builtin.git: ansible.builtin.git:
repo: https://github.com/lcpz/awesome-copycats.git repo: https://github.com/lcpz/awesome-copycats.git
dest: "{{ getent_passwd[workstation_user_account][4] }}/.config/awesome" dest: "{{ getent_passwd[workstation.user_account][4] }}/.config/awesome"
depth: 1 depth: 1
recursive: true recursive: true
force: false force: false
- name: '[awesomewm] copy customization' - name: '[awesomewm] copy customization'
ansible.builtin.copy: ansible.builtin.copy:
src: ../templates/.config/awesome/ src: ../templates/.config/awesome/
dest: "{{ getent_passwd[workstation_user_account][4] }}/.config/awesome" dest: "{{ getent_passwd[workstation.user_account][4] }}/.config/awesome"
mode: '0640' mode: '0640'
- name: '[home] copy X related configuration' - name: '[home] copy X related configuration'
@ -147,4 +151,4 @@
- name: '[x11] user .xsession' - name: '[x11] user .xsession'
ansible.builtin.copy: ansible.builtin.copy:
src: ../templates/.xsession src: ../templates/.xsession
dest: "{{ getent_passwd[workstation_user_account][4] }}/.xsession" dest: "{{ getent_passwd[workstation.user_account][4] }}/.xsession"

32
inventory/host_vars/localhost/vars.yml
View file

@ -2,18 +2,22 @@ ansible_become_password: "{{ vault_root_pass }}"
ansible_host: "{{ vault_ansible_host }}" ansible_host: "{{ vault_ansible_host }}"
ansible_connection: local ansible_connection: local
custom_sysctl: custom_development:
'fs.inotify.max_user_watches': 1048576 rust:
'vm.swappiness': 1 enable: true
common_apt_packages: custom_common:
- pcscd sysctl:
- pinentry-curses 'fs.inotify.max_user_watches': 1048576
- radeontop 'vm.swappiness': 1
packages:
common_gitconfig_enable: true - pcscd
common_gitconfig_username: "{{ vault_common_gitconfig_username }}" - pinentry-curses
common_gitconfig_email: "{{ vault_common_gitconfig_email }}" - radeontop
common_gitconfig_force_sign: true git:
common_gitconfig_signingkey: "{{ vault_common_gitconfig_signingkey }}" enable: true
common_install_fonts: true username: "{{ vault_common_gitconfig_username }}"
email: "{{ vault_common_gitconfig_email }}"
force_sign: true
signing_key: "{{ vault_common_gitconfig_signingkey }}"
install_fonts: true

34
inventory/host_vars/unobtainium/vars.yml
View file

@ -2,20 +2,22 @@ ansible_become_password: "{{ vault_root_pass }}"
ansible_host: "{{ vault_ansible_host }}" ansible_host: "{{ vault_ansible_host }}"
ansible_connection: local ansible_connection: local
custom_sysctl: custom_development:
'fs.inotify.max_user_watches': 1048576 rust:
'vm.swappiness': 1 enable: true
common_apt_packages: custom_common:
- pcscd sysctl:
- pinentry-curses 'fs.inotify.max_user_watches': 1048576
- radeontop 'vm.swappiness': 1
packages:
common_gitconfig_enable: true - pcscd
common_gitconfig_username: "{{ vault_common_gitconfig_username }}" - pinentry-curses
common_gitconfig_email: "{{ vault_common_gitconfig_email }}" - radeontop
common_gitconfig_force_sign: true git:
common_gitconfig_signingkey: "{{ vault_common_gitconfig_signingkey }}" enable: true
common_install_fonts: true username: "{{ vault_common_gitconfig_username }}"
email: "{{ vault_common_gitconfig_email }}"
development_install_rust: true force_sign: true
signing_key: "{{ vault_common_gitconfig_signingkey }}"
install_fonts: true