chore: move out system roles

Signed-off-by: Matej Focko <me@mfocko.xyz>

inventory/desktops.yml

@@ -7,11 +7,11 @@ desktops:
     ohm:
 
   vars:
-    system_sshd_port: 22
-    system_sshd_sign_host_keys: false
-    system_sshd_auth_password_authentication: "yes"
+    sshd_port: 22
+    sshd_sign_host_keys: false
+    sshd_auth_password_authentication: "yes"
 
-    system_flatpak_apps:
+    flatpak_apps:
       - "com.chatterino.chatterino/{{ ansible_architecture }}/stable"
       - com.discordapp.Discord
       - com.spotify.Client

playbooks/bootstrap.yml

@@ -17,22 +17,22 @@
       become: true
 
     # Enable Cockpit
-    - role: system/cockpit
+    - role: cockpit
       become: true
       tags: cockpit
 
     # Enable Flathub repository and install configured flatpaks
-    - role: system/flatpak
+    - role: flatpak
       when: ansible_distribution != "Ubuntu"
       tags: flatpak
 
     # Install Podman and configure UIDs/GIDs for rootless usage
-    - role: system/podman
+    - role: podman
       become: true
       tags: podman
 
     # Install and configure SSH server
-    - role: system/sshd
+    - role: sshd
       become: true
       tags: sshd
 

roles/cockpit/defaults/main.yml

@@ -2,4 +2,4 @@
 # Boolean variable that adjust the Cockpit config when it's being served via
 # reverse proxy (adjusts the origin, so that the Cockpit doesn't drop sessions,
 # and checks for SSL/TLS connections)
-system_cockpit_has_reverse_proxy: false
+cockpit_has_reverse_proxy: false

roles/cockpit/tasks/main.yml

@@ -10,7 +10,7 @@
     mode: 0644
     owner: root
     group: root
-  when: system_cockpit_has_reverse_proxy
+  when: cockpit_has_reverse_proxy
 
 - name: Enable cockpit
   ansible.builtin.service:

roles/flatpak/defaults/main.yml

@@ -1,3 +1,3 @@
 ---
 # List of the flatpak apps to be installed
-system_flatpak_apps: []
+flatpak_apps: []

roles/flatpak/tasks/main.yml

@@ -11,6 +11,6 @@
   community.general.flatpak:
     name: "{{ item }}"
     state: present
-  loop: "{{ system_flatpak_apps }}"
+  loop: "{{ flatpak_apps }}"
   become: true
-  when: system_flatpak_apps
+  when: flatpak_apps

roles/sshd/defaults/main.yml

@@ -1,15 +1,15 @@
 ---
 # Whether to accept password auth; ‹yes› or ‹no›
-system_sshd_auth_password_authentication: "no"
+sshd_auth_password_authentication: "no"
 
 # Whether to allow ‹root› login; ‹yes› or ‹no›
-system_sshd_auth_permit_root_login: "no"
+sshd_auth_permit_root_login: "no"
 
 # Whether to setup trusted CA (against the HashiCorp Vault instance)
-system_sshd_auth_trusted_ca: true
+sshd_auth_trusted_ca: true
 
 # Default port where the SSH daemon runs; also adjusts the SELinux policy
-system_sshd_port: 10022
+sshd_port: 10022
 
 # [TODO]: Whether to sign the host keys (against the HashiCorp Vault instance)
-system_sshd_sign_host_keys: true
+sshd_sign_host_keys: true

roles/sshd/tasks/main.yml

@@ -29,7 +29,7 @@
 
 - name: Notify SELinux about new port
   community.general.seport:
-    ports: "{{ system_sshd_port }}"
+    ports: "{{ sshd_port }}"
     proto: "tcp"
     setype: "ssh_port_t"
     state: "present"
@@ -37,7 +37,7 @@
 
 - name: Enable the new SSH port on firewall
   ansible.posix.firewalld:
-    port: "{{ system_sshd_port }}/tcp"
+    port: "{{ sshd_port }}/tcp"
     immediate: true
     permanent: true
     state: enabled
@@ -53,4 +53,4 @@
 
 - name: Set trusted CA
   ansible.builtin.include_tasks: trusted_ca.yml
-  when: system_sshd_auth_trusted_ca
+  when: sshd_auth_trusted_ca

roles/sshd/templates/10-harden.conf

@@ -0,0 +1,6 @@
+# Port
+Port {{ sshd_port }}
+
+# Auth
+PermitRootLogin {{ sshd_auth_permit_root_login }}
+PasswordAuthentication {{ sshd_auth_password_authentication }}

roles/system/sshd/templates/10-harden.conf

@@ -1,6 +0,0 @@
-# Port
-Port {{ system_sshd_port }}
-
-# Auth
-PermitRootLogin {{ system_sshd_auth_permit_root_login }}
-PasswordAuthentication {{ system_sshd_auth_password_authentication }}