chore: move out system roles

Signed-off-by: Matej Focko <me@mfocko.xyz>
Matej Focko 2024-07-12 21:19:42 +02:00
parent 6a732703f7
commit 281b95d824
Signed by: mfocko
SSH key fingerprint: SHA256:icm0fIOSJUpy5+1x23sfr+hLtF9UhY8VpMC7H4WFJP8
19 changed files with 27 additions and 27 deletions


@ -7,11 +7,11 @@ desktops:
ohm:
vars:
system_sshd_port: 22
system_sshd_sign_host_keys: false
system_sshd_auth_password_authentication: "yes"
sshd_port: 22
sshd_sign_host_keys: false
sshd_auth_password_authentication: "yes"
system_flatpak_apps:
flatpak_apps:
- "com.chatterino.chatterino/{{ ansible_architecture }}/stable"
- com.discordapp.Discord
- com.spotify.Client
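Review bot: The ohm override keeps `sshd_auth_password_authentication: "yes"` together with `sshd_port: 22`, which reverses both hardening defaults the sshd role ships (`"no"` and 10022 in its defaults file), and after the rename nothing in this file records why. A comment above the block, e.g. `# password auth and port 22 are deliberate on this host: <reason>`, would keep the exception visible the next time these variables are renamed or audited. The enclosing `desktops:` mapping starts before the hunk, so I cannot see whether other hosts carry the same override.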


@ -17,22 +17,22 @@
become: true
# Enable Cockpit
- role: system/cockpit
- role: cockpit
become: true
tags: cockpit
# Enable Flathub repository and install configured flatpaks
- role: system/flatpak
- role: flatpak
when: ansible_distribution != "Ubuntu"
tags: flatpak
# Install Podman and configure UIDs/GIDs for rootless usage
- role: system/podman
- role: podman
become: true
tags: podman
# Install and configure SSH server
- role: system/sshd
- role: sshd
become: true
tags: sshd


@ -2,4 +2,4 @@
# Boolean variable that adjust the Cockpit config when it's being served via
# reverse proxy (adjusts the origin, so that the Cockpit doesn't drop sessions,
# and checks for SSL/TLS connections)
system_cockpit_has_reverse_proxy: false
cockpit_has_reverse_proxy: false


@ -10,7 +10,7 @@
mode: 0644
owner: root
group: root
when: system_cockpit_has_reverse_proxy
when: cockpit_has_reverse_proxy
- name: Enable cockpit
ansible.builtin.service:
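Review bot: The context line `mode: 0644` at the top of this hunk is an unquoted leading-zero integer; PyYAML reads it as octal 420 here, which happens to equal 0644, but ansible-lint's risky-octal rule flags it because the same form silently breaks once someone drops the leading zero. Writing it as `mode: "0644"` makes the intent explicit and lint-clean. The `Enable cockpit` task that begins on the last line continues outside the hunk.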


@ -1,3 +1,3 @@
---
# List of the flatpak apps to be installed
system_flatpak_apps: []
flatpak_apps: []


@ -11,6 +11,6 @@
community.general.flatpak:
name: "{{ item }}"
state: present
loop: "{{ system_flatpak_apps }}"
loop: "{{ flatpak_apps }}"
become: true
when: system_flatpak_apps
when: flatpak_apps


@ -1,15 +1,15 @@
---
# Whether to accept password auth; yes or no
system_sshd_auth_password_authentication: "no"
sshd_auth_password_authentication: "no"
# Whether to allow root login; yes or no
system_sshd_auth_permit_root_login: "no"
sshd_auth_permit_root_login: "no"
# Whether to setup trusted CA (against the HashiCorp Vault instance)
system_sshd_auth_trusted_ca: true
sshd_auth_trusted_ca: true
# Default port where the SSH daemon runs; also adjusts the SELinux policy
system_sshd_port: 10022
sshd_port: 10022
# [TODO]: Whether to sign the host keys (against the HashiCorp Vault instance)
system_sshd_sign_host_keys: true
sshd_sign_host_keys: true


@ -29,7 +29,7 @@
- name: Notify SELinux about new port
community.general.seport:
ports: "{{ system_sshd_port }}"
ports: "{{ sshd_port }}"
proto: "tcp"
setype: "ssh_port_t"
state: "present"
@ -37,7 +37,7 @@
- name: Enable the new SSH port on firewall
ansible.posix.firewalld:
port: "{{ system_sshd_port }}/tcp"
port: "{{ sshd_port }}/tcp"
immediate: true
permanent: true
state: enabled
@ -53,4 +53,4 @@
- name: Set trusted CA
ansible.builtin.include_tasks: trusted_ca.yml
when: system_sshd_auth_trusted_ca
when: sshd_auth_trusted_ca
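Review bot: The firewalld task in the second hunk opens `{{ sshd_port }}/tcp`, but nothing visible disables the previous port or the zone's stock `ssh` service, so changing `sshd_port` later leaves the old port reachable; this predates the rename, but the rename is a good moment to fix it. If that cleanup is not elsewhere in the tasks file (the file continues outside these hunks), a follow-up `ansible.posix.firewalld` task with `service: ssh`, `state: disabled`, `permanent: true`, `immediate: true` and `when: sshd_port != 22` would close the gap. The seport task in the first hunk similarly only adds the new port to `ssh_port_t`, which is harmless but worth a comment so readers do not expect it to remove the old label.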


@ -0,0 +1,6 @@
# Port
Port {{ sshd_port }}
# Auth
PermitRootLogin {{ sshd_auth_permit_root_login }}
PasswordAuthentication {{ sshd_auth_password_authentication }}
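Review bot: The template writes `sshd_auth_permit_root_login` and `sshd_auth_password_authentication` verbatim, so a caller that sets either to a YAML boolean (the sibling `sshd_auth_trusted_ca` default is already a boolean, so the mix invites it) renders `True`/`False`, which sshd rejects as a bad yes/no argument and can leave the daemon unable to restart. Normalising in the template, `PasswordAuthentication {{ 'yes' if sshd_auth_password_authentication | bool else 'no' }}`, accepts both spellings; for `PermitRootLogin` the same trick would drop the valid `prohibit-password` setting, so a value check in the role's tasks may be the better place for that one. If the task that renders this file does not already pass `validate: '/usr/sbin/sshd -t -f %s'`, adding it would catch a bad render before it is installed; that task is outside this hunk. The hunk header counts six lines and five are visible, so the remainder is presumably a trailing blank line.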


@ -1,6 +0,0 @@
# Port
Port {{ system_sshd_port }}
# Auth
PermitRootLogin {{ system_sshd_auth_permit_root_login }}
PasswordAuthentication {{ system_sshd_auth_password_authentication }}