From fb94b38a57d6e0b0dcc362a9f1c2b4a671c36705 Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Sat, 14 Dec 2024 14:31:39 +0100 Subject: [PATCH 01/27] feat: add Rocky to possible targets Signed-off-by: Matej Focko <me@mfocko.xyz> --- playbooks/bootstrap.yml | 2 +- roles/editor_helix/tasks/install_Rocky.yml | 1 + roles/secrets_hcv/tasks/install_Rocky.yml | 1 + roles/secrets_hcv/tasks/main.yml | 2 +- roles/shell_zsh/tasks/install.yml | 2 +- roles/yubikey_pam/tasks/install.yml | 2 +- 6 files changed, 6 insertions(+), 4 deletions(-) create mode 120000 roles/editor_helix/tasks/install_Rocky.yml create mode 120000 roles/secrets_hcv/tasks/install_Rocky.yml diff --git a/playbooks/bootstrap.yml b/playbooks/bootstrap.yml index be32fb8..288b61e 100644 --- a/playbooks/bootstrap.yml +++ b/playbooks/bootstrap.yml @@ -10,7 +10,7 @@ - role: os_el become: true - when: ansible_distribution in [ "AlmaLinux", "CentOS" ] + when: ansible_distribution in [ "AlmaLinux", "CentOS", "Rocky" ] # Upgrade all packages and install the basic-bitch ones - role: base_system diff --git a/roles/editor_helix/tasks/install_Rocky.yml b/roles/editor_helix/tasks/install_Rocky.yml new file mode 120000 index 0000000..5819c74 --- /dev/null +++ b/roles/editor_helix/tasks/install_Rocky.yml @@ -0,0 +1 @@ +install_fedora-family.yml \ No newline at end of file diff --git a/roles/secrets_hcv/tasks/install_Rocky.yml b/roles/secrets_hcv/tasks/install_Rocky.yml new file mode 120000 index 0000000..bbd6a23 --- /dev/null +++ b/roles/secrets_hcv/tasks/install_Rocky.yml @@ -0,0 +1 @@ +install_el.yml \ No newline at end of file diff --git a/roles/secrets_hcv/tasks/main.yml b/roles/secrets_hcv/tasks/main.yml index 4d6ed32..43c8b75 100644 --- a/roles/secrets_hcv/tasks/main.yml +++ b/roles/secrets_hcv/tasks/main.yml 
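Review bot: The `when` on `os_el` now enumerates `[ "AlmaLinux", "CentOS", "Rocky" ]`, and the same list is extended by hand in `roles/secrets_hcv/tasks/main.yml`, `roles/shell_zsh/tasks/install.yml` and `roles/yubikey_pam/tasks/install.yml` in this patch, so every further EL rebuild means another edit in each of these places. A family-level condition states the intent once, e.g. `when: ansible_facts.os_family == "RedHat" and ansible_facts.distribution != "Fedora"` for the EL-only role, with the Fedora exclusion dropped where Fedora is meant to be covered. Later patches in this series already move `base_system` and `editor_vscode` to `ansible_facts.pkg_mgr`, so this would bring the remaining conditions in line with that direction.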
@@ -1,6 +1,6 @@ --- - name: Install HC Vault via package manager - when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora", "Ubuntu"] + when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora", "Rocky", "Ubuntu"] tags: install block: - name: Enable repository diff --git a/roles/shell_zsh/tasks/install.yml b/roles/shell_zsh/tasks/install.yml index 6635a8b..8132187 100644 --- a/roles/shell_zsh/tasks/install.yml +++ b/roles/shell_zsh/tasks/install.yml @@ -34,4 +34,4 @@ name: yad state: present become: true - when: 'ansible_distribution not in [ "AlmaLinux" ] and "openSUSE" not in ansible_distribution' + when: 'ansible_distribution not in [ "AlmaLinux", "Rocky" ] and "openSUSE" not in ansible_distribution' diff --git a/roles/yubikey_pam/tasks/install.yml b/roles/yubikey_pam/tasks/install.yml index fc7923b..e7dfcea 100644 --- a/roles/yubikey_pam/tasks/install.yml +++ b/roles/yubikey_pam/tasks/install.yml @@ -3,7 +3,7 @@ ansible.builtin.package: name: pam_yubico state: present - when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora" ] + when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora", "Rocky" ] - name: Enable PPA on Ubuntu ansible.builtin.apt_repository: From a79bfb555129b711be5fb5f720499f6170bc4dd2 Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Sat, 14 Dec 2024 20:33:04 +0100 Subject: [PATCH 02/27] fix(ssh_server): use correctly named variable Signed-off-by: Matej Focko <me@mfocko.xyz> --- roles/ssh_server/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ssh_server/tasks/main.yml b/roles/ssh_server/tasks/main.yml index 19b7b73..78cc507 100644 --- a/roles/ssh_server/tasks/main.yml +++ b/roles/ssh_server/tasks/main.yml @@ -55,4 +55,4 @@ - name: Set trusted CA ansible.builtin.include_tasks: trusted_ca.yml - when: sshd_auth_trusted_ca + when: ssh_server_auth_trusted_ca From 4ca89d7641af92819ae772572270674079af76b0 Mon Sep 17 00:00:00 2001 
From: Matej Focko <me@mfocko.xyz> Date: Sat, 14 Dec 2024 20:33:31 +0100 Subject: [PATCH 03/27] fix(base_system): improve the system-wide upgrade MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When upgrading packages to their latest version, decide which Ansible module to use based on the ‹pkg_mgr› Ansible fact instead of the distribution. This approach is more robust, and more correct, as the package managers are shared between some of the distributions. Signed-off-by: Matej Focko <me@mfocko.xyz> --- roles/base_system/tasks/upgrade.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/base_system/tasks/upgrade.yml b/roles/base_system/tasks/upgrade.yml index ca5e602..34c8659 100644 --- a/roles/base_system/tasks/upgrade.yml +++ b/roles/base_system/tasks/upgrade.yml @@ -4,16 +4,16 @@ name: "*" state: latest update_cache: true - when: ansible_distribution in [ "Debian", "Ubuntu" ] + when: ansible_facts.pkg_mgr == "apt" - name: Upgrade all packages with ‹dnf› ansible.builtin.dnf: name: "*" state: latest - when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora" ] + when: ansible_facts.pkg_mgr == "dnf" - name: Upgrade all packages with ‹zypper› community.general.zypper: name: "*" state: latest - when: "'openSUSE' in ansible_distribution" + when: ansible_facts.pkg_mgr == "zypper" From f5335e0f0cd2365f705c20ee65cac29b0123cf9f Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Sat, 14 Dec 2024 20:37:52 +0100 Subject: [PATCH 04/27] fix(editor_helix): remove Copr Helix is included in the default repositories (Fedora and EPEL for EL derivates), therefore there is no need to use the Copr repository. 
Signed-off-by: Matej Focko <me@mfocko.xyz> # Please enter the commit message for your changes. Lines starting # with '#' will be ignored, and an empty message aborts the commit. # # On branch main # Your branch is ahead of 'origin/main' by 3 commits. # (use "git push" to publish your local commits) # # Changes to be committed: # modified: roles/editor_helix/tasks/install_fedora-family.yml # # Changes not staged for commit: # modified: group_vars/servers/vars # modified: inventory # modified: playbooks/playground.yml # modified: roles/cockpit/defaults/main.yml # modified: roles/cockpit/tasks/install.yml # modified: roles/cockpit/tasks/main.yml # # Untracked files: # ansible-navigator.log # playbooks/print_facts.yml # tasks/ # --- roles/editor_helix/tasks/install_fedora-family.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/roles/editor_helix/tasks/install_fedora-family.yml b/roles/editor_helix/tasks/install_fedora-family.yml index 82ac82a..30e655c 100644 --- a/roles/editor_helix/tasks/install_fedora-family.yml +++ b/roles/editor_helix/tasks/install_fedora-family.yml @@ -1,11 +1,4 @@ --- -- name: Enable the Copr - community.general.copr: - name: varlad/helix - state: enabled - when: ansible_distribution not in ("AlmaLinux") - become: true - - name: Install the Helix ansible.builtin.package: name: helix From 7d8d187e977ab2ecf98d2ba216d9f3e1006dbf7d Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Sat, 14 Dec 2024 20:53:24 +0100 Subject: [PATCH 05/27] feat(cockpit): allow 2FA auth Fixes #60 Signed-off-by: Matej Focko <me@mfocko.xyz> --- group_vars/servers/vars | 3 +++ roles/cockpit/defaults/main.yml | 6 ++++++ roles/cockpit/tasks/install.yml | 8 ++++++++ roles/cockpit/tasks/main.yml | 10 ++++++++++ 4 files changed, 27 insertions(+) diff --git a/group_vars/servers/vars b/group_vars/servers/vars index e238648..036ff6c 100644 --- a/group_vars/servers/vars +++ b/group_vars/servers/vars 
@@ -1,5 +1,8 @@ certbot_email: "{{ vault_certbot_email }}" +cockpit_2fa: true +cockpit_has_reverse_proxy: true + host_fqdn: "{{ vault_host_fqdn }}" porkbun_apikey: "{{ vault_porkbun_apikey }}" diff --git a/roles/cockpit/defaults/main.yml b/roles/cockpit/defaults/main.yml index 7acd7c3..4f4c341 100644 --- a/roles/cockpit/defaults/main.yml +++ b/roles/cockpit/defaults/main.yml @@ -3,3 +3,9 @@ # reverse proxy (adjusts the origin, so that the Cockpit doesn't drop sessions, # and checks for SSL/TLS connections) cockpit_has_reverse_proxy: false + +# Boolean variable that denotes whether to install dependencies for 2FA auth +# to Cockpit (Google Authenticator and QR encoding utilities for enrolling the +# OTP), also installs the rule to the ‹pam.d› so that the 2FA is required for +# logging in to the Cockpit. +cockpit_2fa: false diff --git a/roles/cockpit/tasks/install.yml b/roles/cockpit/tasks/install.yml index 50e675e..e1ba3e7 100644 --- a/roles/cockpit/tasks/install.yml +++ b/roles/cockpit/tasks/install.yml @@ -3,3 +3,11 @@ ansible.builtin.package: name: cockpit state: present + +- name: Install deps for 2FA in Cockpit + ansible.builtin.package: + name: + - google-authenticator + - qrencode-libs + state: present + when: cockpit_2fa diff --git a/roles/cockpit/tasks/main.yml b/roles/cockpit/tasks/main.yml index 12022dc..86bea32 100644 --- a/roles/cockpit/tasks/main.yml +++ b/roles/cockpit/tasks/main.yml @@ -12,6 +12,16 @@ group: root when: cockpit_has_reverse_proxy +- name: Require 2FA for logging into the Cockpit + ansible.builtin.lineinfile: + line: auth required pam_google_authenticator.so nullok + path: /etc/pam.d/cockpit + create: true + mode: 0644 + owner: root + group: root + when: cockpit_2fa + - name: Enable cockpit ansible.builtin.service: name: "cockpit.socket" From ab83e7c30c66fc8af971a5e3cc127c4a95420827 Mon Sep 17 00:00:00 2001 
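Review bot: The PAM rule added to `/etc/pam.d/cockpit` carries `nullok`, so an account with no enrolled OTP secret is still admitted with just a password; the task name "Require 2FA" and the `cockpit_2fa` doc comment overstate what is enforced until every Cockpit user has run `google-authenticator`. I would say so next to the variable in `roles/cockpit/defaults/main.yml`, e.g. `# NOTE: the PAM rule is added with nullok, so users without an enrolled secret are not challenged; drop nullok once enrolment is complete`, or gate `nullok` behind a second variable so it can be removed without editing the role. Separately, `create: true` means that on a host where the package did not ship `/etc/pam.d/cockpit`, the task quietly creates a stack consisting of this single line with no password module in front of it; removing `create: true` turns that case into a visible failure instead. `lineinfile` without `insertafter` appends at the end of the existing file, which presumably lands after the distribution's primary auth modules — acceptable, but an explicit `insertafter` anchor would make the intended ordering part of the task rather than an accident of file layout.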
From: Matej Focko <me@mfocko.xyz> Date: Sun, 22 Dec 2024 20:27:33 +0100 Subject: [PATCH 06/27] fix(base_system): correctly check for the dnf MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ‹dnf5› presents itself as ‹dnf5› Signed-off-by: Matej Focko <me@mfocko.xyz> --- roles/base_system/tasks/upgrade.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/base_system/tasks/upgrade.yml b/roles/base_system/tasks/upgrade.yml index 34c8659..eac6d50 100644 --- a/roles/base_system/tasks/upgrade.yml +++ b/roles/base_system/tasks/upgrade.yml @@ -10,7 +10,7 @@ ansible.builtin.dnf: name: "*" state: latest - when: ansible_facts.pkg_mgr == "dnf" + when: ansible_facts.pkg_mgr.startswith("dnf") - name: Upgrade all packages with ‹zypper› community.general.zypper: From da9662533a8c0f961a0e2a0c190b06c6c2e5417b Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Sun, 22 Dec 2024 20:29:09 +0100 Subject: [PATCH 07/27] fix(editor_vscode): use the packaged version of VSCode 
Signed-off-by: Matej Focko <me@mfocko.xyz> --- .../files/code-url-handler.desktop | 12 ------- roles/editor_vscode/files/code.desktop | 18 ---------- roles/editor_vscode/files/update.sh | 31 ----------------- .../editor_vscode/tasks/install_AlmaLinux.yml | 1 + roles/editor_vscode/tasks/install_CentOS.yml | 1 + roles/editor_vscode/tasks/install_Fedora.yml | 1 + roles/editor_vscode/tasks/install_Rocky.yml | 1 + roles/editor_vscode/tasks/install_rhel.yml | 12 +++++++ roles/editor_vscode/tasks/main.yml | 33 +++---------------- 9 files changed, 21 insertions(+), 89 deletions(-) delete mode 100644 roles/editor_vscode/files/code-url-handler.desktop delete mode 100644 roles/editor_vscode/files/code.desktop delete mode 100644 roles/editor_vscode/files/update.sh create mode 120000 roles/editor_vscode/tasks/install_AlmaLinux.yml create mode 120000 roles/editor_vscode/tasks/install_CentOS.yml create mode 120000 roles/editor_vscode/tasks/install_Fedora.yml create mode 120000 roles/editor_vscode/tasks/install_Rocky.yml create mode 100644 roles/editor_vscode/tasks/install_rhel.yml diff --git a/roles/editor_vscode/files/code-url-handler.desktop b/roles/editor_vscode/files/code-url-handler.desktop deleted file mode 100644 index c750536..0000000 --- a/roles/editor_vscode/files/code-url-handler.desktop +++ /dev/null @@ -1,12 +0,0 @@ -[Desktop Entry] -Name=Visual Studio Code - URL Handler -Comment=Code Editing. Redefined. -GenericName=Text Editor -Exec=/opt/VSCode-linux-x64/bin/code-insiders --no-sandbox --open-url %U -Icon=/opt/VSCode-linux-x64/resources/app/resources/linux/code.png -Type=Application -NoDisplay=true -StartupNotify=true -Categories=Utility;TextEditor;Development;IDE; -MimeType=x-scheme-handler/vscode-insiders; -Keywords=vscode; diff --git a/roles/editor_vscode/files/code.desktop b/roles/editor_vscode/files/code.desktop deleted file mode 100644 index d4cf29e..0000000 --- a/roles/editor_vscode/files/code.desktop +++ /dev/null 
@@ -1,18 +0,0 @@ -[Desktop Entry] -Name=Visual Studio Code Insiders -Comment=Code Editing. Refined. -GenericName=Text Editor -Exec=/opt/VSCode-linux-x64/bin/code-insiders --no-sandbox --unity-launch %F -Icon=/opt/VSCode-linux-x64/resources/app/resources/linux/code.png -Type=Application -StartupNotify=false -StartupWMClass=code - insiders -Categories=Utility;TextEditor;Development;IDE; -MimeType=text/plain;inode/directory; -Actions=new-empty-window; -Keywords=vscode; - -[Desktop Action new-empty-window] -Name=New Empty Window -Exec=/opt/VSCode-linux-x64/bin/code-insiders --no-sandbox --new-window %F -Icon=/opt/VSCode-linux-x64/resources/app/resources/linux/code.png diff --git a/roles/editor_vscode/files/update.sh b/roles/editor_vscode/files/update.sh deleted file mode 100644 index dba9dee..0000000 --- a/roles/editor_vscode/files/update.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/bash - -# for upstream -URL='https://code.visualstudio.com/sha/download?build=insider&os=linux-x64' - -# for local -# URL='https://maxwell.mfocko.xyz/code-insiders.tar.gz' - -# for local over VPN (also use --no-check-certificate) -# URL='https://172.16.0.2/code-insiders.tar.gz' - -echo ">>> Downloading"; -wget $URL -O /tmp/code.tar.gz - -echo ">>> Removing and extracting"; -rm -rf /opt/VSCode-linux-x64 -tar xvaf /tmp/code.tar.gz -C /opt/ - -# Check for binaries -if ! [ -x /usr/local/bin/code-insiders ]; then - echo ">>> Linking binaries"; - ln -s /opt/VSCode-linux-x64/bin/code-insiders /usr/local/bin/ - ln -s /opt/VSCode-linux-x64/bin/code-insiders /usr/local/bin/code -fi - -# Check for *.desktop -if ! ls /usr/share/applications | grep visual-studio-code; then - echo ">>> Installing desktop files"; - PATH_TO_APPS=/home/mfocko/.local/share/visual-studio-code-insiders - sudo cp $PATH_TO_APPS{,-url-handler}.desktop /usr/share/applications/; -fi diff --git a/roles/editor_vscode/tasks/install_AlmaLinux.yml b/roles/editor_vscode/tasks/install_AlmaLinux.yml new file mode 120000 index 0000000..c10604b 
--- /dev/null +++ b/roles/editor_vscode/tasks/install_AlmaLinux.yml @@ -0,0 +1 @@ +install_rhel.yml \ No newline at end of file diff --git a/roles/editor_vscode/tasks/install_CentOS.yml b/roles/editor_vscode/tasks/install_CentOS.yml new file mode 120000 index 0000000..c10604b --- /dev/null +++ b/roles/editor_vscode/tasks/install_CentOS.yml @@ -0,0 +1 @@ +install_rhel.yml \ No newline at end of file diff --git a/roles/editor_vscode/tasks/install_Fedora.yml b/roles/editor_vscode/tasks/install_Fedora.yml new file mode 120000 index 0000000..c10604b --- /dev/null +++ b/roles/editor_vscode/tasks/install_Fedora.yml @@ -0,0 +1 @@ +install_rhel.yml \ No newline at end of file diff --git a/roles/editor_vscode/tasks/install_Rocky.yml b/roles/editor_vscode/tasks/install_Rocky.yml new file mode 120000 index 0000000..c10604b --- /dev/null +++ b/roles/editor_vscode/tasks/install_Rocky.yml @@ -0,0 +1 @@ +install_rhel.yml \ No newline at end of file diff --git a/roles/editor_vscode/tasks/install_rhel.yml b/roles/editor_vscode/tasks/install_rhel.yml new file mode 100644 index 0000000..ddd8085 --- /dev/null +++ b/roles/editor_vscode/tasks/install_rhel.yml @@ -0,0 +1,12 @@ +--- +- name: Resolve URL to the VSCode RPM + ansible.builtin.uri: + url: https://code.visualstudio.com/sha/download?build=insider&os=linux-rpm-x64 + register: _vscode_rpm_response + +- name: Install VSCode via RPM + ansible.builtin.dnf: + name: "{{ _vscode_rpm_response.url }}" + disable_gpg_check: true + state: present + become: true diff --git a/roles/editor_vscode/tasks/main.yml b/roles/editor_vscode/tasks/main.yml index a2a50d1..efb2aed 100644 --- a/roles/editor_vscode/tasks/main.yml +++ b/roles/editor_vscode/tasks/main.yml 
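Review bot: `Install VSCode via RPM` sets `disable_gpg_check: true` while installing from whatever `_vscode_rpm_response.url` resolved to, so the only integrity control on the installed editor is the TLS session to the redirect target; the vendor's RPMs are signed, so importing its packaging key with `ansible.builtin.rpm_key` (`key: <VENDOR_KEY_URL placeholder>`, `state: present`) before the `dnf` task and dropping `disable_gpg_check` restores signature verification. The same flag is carried over into `install_rpm.yml` in patch 15 (both the `dnf` and the `zypper` task), and `install_deb.yml` in patch 12 installs through `apt` with `deb:`, which hands the file to dpkg without a signature check — there the vendor's apt repository added via `deb822_repository` with `signed_by`, or `ansible.builtin.get_url` with a pinned `checksum:`, gives equivalent assurance. A smaller point: `ansible.builtin.uri` issues a GET by default, so the task downloads the whole package only to read the final `url`; `method: HEAD` should yield the same `url` without the body, assuming the download endpoint answers HEAD. A one-line comment above the first task, `# Resolve the redirect target; the package is installed directly from that URL`, would make the two-step shape obvious to the next reader.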
@@ -1,28 +1,13 @@ --- +- name: Install VSCode + ansible.builtin.include_tasks: "install_{{ ansible_distribution }}.yml" + tags: install + - name: Create directories for VSCode ansible.builtin.file: - path: "{{ item }}" + path: "$HOME/.config/Code - Insiders/User" state: directory mode: 0740 - loop: - - ~/.local/bin - - ~/.local/share - - "$HOME/.config/Code - Insiders/User" - -- name: Install VSCode script - ansible.builtin.copy: - src: files/update.sh - dest: ~/.local/bin/code-update.sh - mode: 0640 - -- name: Create app info for VSCode - ansible.builtin.copy: - src: files/code{{ item }}.desktop - dest: ~/.local/share/applications/visual-studio-code-insiders{{ item }}.desktop - mode: 0640 - loop: - - "" - - "-url-handler" - name: Install VSCode configuration ansible.builtin.copy: @@ -32,11 +17,3 @@ loop: - settings - keybindings - -- name: Install VSCode - ansible.builtin.command: - cmd: bash /home/{{ target_user }}/.local/bin/code-update.sh - creates: /opt/VSCode-linux-x64 - become: true - when: false - tags: install From 496006855550c720ead4f03c230239ed85831cfe Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Sun, 22 Dec 2024 20:30:55 +0100 Subject: [PATCH 08/27] fix(wg): correctly template facts When setting facts to outputs of some other tasks or variables, they need to be correctly templated and quoted, otherwise they're taken as is, i.e., as text. Signed-off-by: Matej Focko <me@mfocko.xyz> --- roles/wg/tasks/generate_keypair.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/wg/tasks/generate_keypair.yml b/roles/wg/tasks/generate_keypair.yml index 8103f16..ef409f2 100644 --- a/roles/wg/tasks/generate_keypair.yml +++ b/roles/wg/tasks/generate_keypair.yml 
@@ -16,5 +16,5 @@ - name: Set key/pair facts ansible.builtin.set_fact: - wg_private_key: _generated_private_key.stdout - wg_public_key: _derived_public_key.stdout + wg_private_key: "{{ _generated_private_key.stdout }}" + wg_public_key: "{{ _derived_public_key.stdout }}" From ab5c3749901a6f4ec43df0ac0edffa791bc207d9 Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Sun, 22 Dec 2024 20:32:28 +0100 Subject: [PATCH 09/27] fix(wg): correct check for existing private key MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Registering output of ‹ansible.builtin.stat› generates an object containing ‹stat› member itself. Signed-off-by: Matej Focko <me@mfocko.xyz> --- roles/wg/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/wg/tasks/main.yml b/roles/wg/tasks/main.yml index 1443325..f356d99 100644 --- a/roles/wg/tasks/main.yml +++ b/roles/wg/tasks/main.yml @@ -6,11 +6,11 @@ - name: Check for existence of private key ansible.builtin.stat: path: /etc/wireguard/private.key - register: _private_key_stat + register: _private_key - name: Generate keypair ansible.builtin.include_tasks: tasks/generate_keypair.yml - when: not _private_key_stat.exists + when: not _private_key.stat.exists - name: Save private key ansible.builtin.template: @@ -21,7 +21,7 @@ mode: 0700 vars: key: "{{ wg_private_key }}" - when: not _private_key_stat.exists + when: not _private_key.stat.exists - name: Save public key ansible.builtin.template: @@ -32,7 +32,7 @@ mode: 0700 vars: key: "{{ wg_public_key }}" - when: not _private_key_stat.exists + when: not _private_key.stat.exists - name: Set dns_command for co-openSUSE ansible.builtin.set_fact: From 2d008e1eca089a310720f6e1d990babd82a04e75 Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Thu, 26 Dec 2024 15:40:31 +0100 Subject: [PATCH 10/27] feat(flatpak): add Brave 
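Review bot: `wg_private_key` is now correctly templated from `_generated_private_key.stdout`, but nothing in `Set key/pair facts` hides the value: `set_fact` reports the facts it sets in the task result, so the WireGuard private key shows up in `-v` output and in whatever callback or log forwarder is attached unless the task carries `no_log: true`. The same presumably applies to the task that registers `_generated_private_key`, which is outside this hunk — if it does not already set `no_log: true`, the key is printed there as well. Suggested change: add `no_log: true` to `Set key/pair facts` (and to the generating task if it lacks it).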
Signed-off-by: Matej Focko <me@mfocko.xyz> --- group_vars/desktops/vars | 1 + 1 file changed, 1 insertion(+) diff --git a/group_vars/desktops/vars b/group_vars/desktops/vars index 673bf4e..aa6ee17 100644 --- a/group_vars/desktops/vars +++ b/group_vars/desktops/vars @@ -3,6 +3,7 @@ ssh_server_sign_host_keys: false ssh_server_auth_password_authentication: "yes" flatpak_apps: + - com.brave.Browser - "com.chatterino.chatterino/{{ ansible_architecture }}/stable" - com.discordapp.Discord - com.spotify.Client From 7e1d9a7fc3f38cc971fa06e6b12a806e32d46a91 Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Thu, 26 Dec 2024 15:42:04 +0100 Subject: [PATCH 11/27] feat(os_deb): create role for setting apt repos Signed-off-by: Matej Focko <me@mfocko.xyz> --- playbooks/bootstrap.yml | 4 ++++ roles/os_deb/tasks/main.yml | 4 ++++ roles/os_deb/tasks/repositories.yml | 18 ++++++++++++++++++ 3 files changed, 26 insertions(+) create mode 100644 roles/os_deb/tasks/main.yml create mode 100644 roles/os_deb/tasks/repositories.yml diff --git a/playbooks/bootstrap.yml b/playbooks/bootstrap.yml index 288b61e..0ad6098 100644 --- a/playbooks/bootstrap.yml +++ b/playbooks/bootstrap.yml @@ -12,6 +12,10 @@ become: true when: ansible_distribution in [ "AlmaLinux", "CentOS", "Rocky" ] + - role: os_deb + become: true + when: ansible_distribution in [ "Debian", "Ubuntu" ] + # Upgrade all packages and install the basic-bitch ones - role: base_system become: true diff --git a/roles/os_deb/tasks/main.yml b/roles/os_deb/tasks/main.yml new file mode 100644 index 0000000..60dd0af --- /dev/null +++ b/roles/os_deb/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- name: Enable all Debian repos + ansible.builtin.include_tasks: repositories.yml + when: ansible_facts.distribution == "Debian" diff --git a/roles/os_deb/tasks/repositories.yml b/roles/os_deb/tasks/repositories.yml new file mode 100644 index 0000000..545ae2b --- /dev/null +++ b/roles/os_deb/tasks/repositories.yml 
@@ -0,0 +1,18 @@ +--- +- name: Disable installation DVD as a source + ansible.builtin.lineinfile: + path: /etc/apt/sources.list + regexp: "^deb cdrom:" + state: absent + +- name: Enable additional repository + ansible.builtin.apt_repository: + repo: "{{ item }}" + state: present + loop: + - deb http://ftp.sk.debian.org/debian/ {{ ansible_facts.distribution_release }} contrib non-free + - deb-src http://ftp.sk.debian.org/debian/ {{ ansible_facts.distribution_release }} contrib non-free + - deb http://security.debian.org/debian-security {{ ansible_facts.distribution_release }}-security contrib non-free + - deb-src http://security.debian.org/debian-security {{ ansible_facts.distribution_release }}-security contrib non-free + - deb http://ftp.sk.debian.org/debian/ {{ ansible_facts.distribution_release }}-updates contrib non-free + - deb-src http://ftp.sk.debian.org/debian/ {{ ansible_facts.distribution_release }}-updates contrib non-free From d354caf1aafa091cf2aed291b6c10beb3d5cec8c Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Thu, 26 Dec 2024 15:43:07 +0100 Subject: [PATCH 12/27] feat(editor_vscode): handle deb package install Signed-off-by: Matej Focko <me@mfocko.xyz> --- roles/editor_vscode/tasks/install_Debian.yml | 1 + roles/editor_vscode/tasks/install_Ubuntu.yml | 1 + roles/editor_vscode/tasks/install_deb.yml | 11 +++++++++++ 3 files changed, 13 insertions(+) create mode 120000 roles/editor_vscode/tasks/install_Debian.yml create mode 120000 roles/editor_vscode/tasks/install_Ubuntu.yml create mode 100644 roles/editor_vscode/tasks/install_deb.yml diff --git a/roles/editor_vscode/tasks/install_Debian.yml b/roles/editor_vscode/tasks/install_Debian.yml new file mode 120000 index 0000000..38e6c00 --- /dev/null +++ b/roles/editor_vscode/tasks/install_Debian.yml @@ -0,0 +1 @@ +install_deb.yml \ No newline at end of file 
diff --git a/roles/editor_vscode/tasks/install_Ubuntu.yml b/roles/editor_vscode/tasks/install_Ubuntu.yml new file mode 120000 index 0000000..38e6c00 --- /dev/null +++ b/roles/editor_vscode/tasks/install_Ubuntu.yml @@ -0,0 +1 @@ +install_deb.yml \ No newline at end of file diff --git a/roles/editor_vscode/tasks/install_deb.yml b/roles/editor_vscode/tasks/install_deb.yml new file mode 100644 index 0000000..be7a3fd --- /dev/null +++ b/roles/editor_vscode/tasks/install_deb.yml @@ -0,0 +1,11 @@ +--- +- name: Resolve URL to the VSCode RPM + ansible.builtin.uri: + url: https://code.visualstudio.com/sha/download?build=insider&os=linux-deb-x64 + register: _vscode_deb_response + +- name: Install VSCode via DEB package + ansible.builtin.apt: + deb: "{{ _vscode_deb_response.url }}" + state: present + become: true From ae0917a566b89b2c560c7ebddd66679941896a02 Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Sun, 29 Dec 2024 17:43:01 +0100 Subject: [PATCH 13/27] fix(editor_helix): install from flatpak on Ubuntu Signed-off-by: Matej Focko <me@mfocko.xyz> --- roles/editor_helix/tasks/install_Ubuntu.yml | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) mode change 100644 => 120000 roles/editor_helix/tasks/install_Ubuntu.yml diff --git a/roles/editor_helix/tasks/install_Ubuntu.yml b/roles/editor_helix/tasks/install_Ubuntu.yml deleted file mode 100644 index c921dda..0000000 --- a/roles/editor_helix/tasks/install_Ubuntu.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: Enable the PPA for Helix - ansible.builtin.apt_repository: - repo: ppa:maveonair/helix-editor - state: present - become: true - -- name: Install the Helix - ansible.builtin.package: - name: helix - state: present - become: true diff --git a/roles/editor_helix/tasks/install_Ubuntu.yml b/roles/editor_helix/tasks/install_Ubuntu.yml new file mode 120000 index 0000000..a346047 --- /dev/null +++ b/roles/editor_helix/tasks/install_Ubuntu.yml 
@@ -0,0 +1 @@ +install_Debian.yml \ No newline at end of file From 314ce8700cfa0a6a458473b4b56ddd0299251644 Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Sun, 29 Dec 2024 17:44:46 +0100 Subject: [PATCH 14/27] style(editor_vscode): adjust task names Signed-off-by: Matej Focko <me@mfocko.xyz> --- roles/editor_vscode/tasks/install_deb.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/editor_vscode/tasks/install_deb.yml b/roles/editor_vscode/tasks/install_deb.yml index be7a3fd..31e054f 100644 --- a/roles/editor_vscode/tasks/install_deb.yml +++ b/roles/editor_vscode/tasks/install_deb.yml @@ -1,10 +1,10 @@ --- -- name: Resolve URL to the VSCode RPM +- name: Resolve URL to the VSCode deb package ansible.builtin.uri: url: https://code.visualstudio.com/sha/download?build=insider&os=linux-deb-x64 register: _vscode_deb_response -- name: Install VSCode via DEB package +- name: Install VSCode via deb package ansible.builtin.apt: deb: "{{ _vscode_deb_response.url }}" state: present From 14576e842ecbb7baf2798820254ab37e558fa1e9 Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Sun, 29 Dec 2024 17:48:16 +0100 Subject: [PATCH 15/27] fix(editor_vscode): branch by package manager When installing VSCode via RPM or DEB package, branch by the package manager rather than the distribution. 
Signed-off-by: Matej Focko <me@mfocko.xyz> --- roles/editor_vscode/tasks/install_AlmaLinux.yml | 1 - roles/editor_vscode/tasks/install_CentOS.yml | 1 - roles/editor_vscode/tasks/install_Debian.yml | 1 - roles/editor_vscode/tasks/install_Fedora.yml | 1 - roles/editor_vscode/tasks/install_Rocky.yml | 1 - roles/editor_vscode/tasks/install_Ubuntu.yml | 1 - .../tasks/{install_deb.yml => install_apt.yml} | 0 roles/editor_vscode/tasks/install_dnf.yml | 1 + roles/editor_vscode/tasks/install_dnf5.yml | 1 + .../tasks/{install_rhel.yml => install_rpm.yml} | 11 ++++++++++- roles/editor_vscode/tasks/install_zypper.yml | 1 + roles/editor_vscode/tasks/main.yml | 2 +- 12 files changed, 14 insertions(+), 8 deletions(-) delete mode 120000 roles/editor_vscode/tasks/install_AlmaLinux.yml delete mode 120000 roles/editor_vscode/tasks/install_CentOS.yml delete mode 120000 roles/editor_vscode/tasks/install_Debian.yml delete mode 120000 roles/editor_vscode/tasks/install_Fedora.yml delete mode 120000 roles/editor_vscode/tasks/install_Rocky.yml delete mode 120000 roles/editor_vscode/tasks/install_Ubuntu.yml rename roles/editor_vscode/tasks/{install_deb.yml => install_apt.yml} (100%) create mode 120000 roles/editor_vscode/tasks/install_dnf.yml create mode 120000 roles/editor_vscode/tasks/install_dnf5.yml rename roles/editor_vscode/tasks/{install_rhel.yml => install_rpm.yml} (51%) create mode 120000 roles/editor_vscode/tasks/install_zypper.yml diff --git a/roles/editor_vscode/tasks/install_AlmaLinux.yml b/roles/editor_vscode/tasks/install_AlmaLinux.yml deleted file mode 120000 index c10604b..0000000 --- a/roles/editor_vscode/tasks/install_AlmaLinux.yml +++ /dev/null @@ -1 +0,0 @@ -install_rhel.yml \ No newline at end of file diff --git a/roles/editor_vscode/tasks/install_CentOS.yml b/roles/editor_vscode/tasks/install_CentOS.yml deleted file mode 120000 index c10604b..0000000 --- a/roles/editor_vscode/tasks/install_CentOS.yml +++ /dev/null 
@@ -1 +0,0 @@ -install_rhel.yml \ No newline at end of file diff --git a/roles/editor_vscode/tasks/install_Debian.yml b/roles/editor_vscode/tasks/install_Debian.yml deleted file mode 120000 index 38e6c00..0000000 --- a/roles/editor_vscode/tasks/install_Debian.yml +++ /dev/null @@ -1 +0,0 @@ -install_deb.yml \ No newline at end of file diff --git a/roles/editor_vscode/tasks/install_Fedora.yml b/roles/editor_vscode/tasks/install_Fedora.yml deleted file mode 120000 index c10604b..0000000 --- a/roles/editor_vscode/tasks/install_Fedora.yml +++ /dev/null @@ -1 +0,0 @@ -install_rhel.yml \ No newline at end of file diff --git a/roles/editor_vscode/tasks/install_Rocky.yml b/roles/editor_vscode/tasks/install_Rocky.yml deleted file mode 120000 index c10604b..0000000 --- a/roles/editor_vscode/tasks/install_Rocky.yml +++ /dev/null @@ -1 +0,0 @@ -install_rhel.yml \ No newline at end of file diff --git a/roles/editor_vscode/tasks/install_Ubuntu.yml b/roles/editor_vscode/tasks/install_Ubuntu.yml deleted file mode 120000 index 38e6c00..0000000 --- a/roles/editor_vscode/tasks/install_Ubuntu.yml +++ /dev/null @@ -1 +0,0 @@ -install_deb.yml \ No newline at end of file diff --git a/roles/editor_vscode/tasks/install_deb.yml b/roles/editor_vscode/tasks/install_apt.yml similarity index 100% rename from roles/editor_vscode/tasks/install_deb.yml rename to roles/editor_vscode/tasks/install_apt.yml diff --git a/roles/editor_vscode/tasks/install_dnf.yml b/roles/editor_vscode/tasks/install_dnf.yml new file mode 120000 index 0000000..463b6d3 --- /dev/null +++ b/roles/editor_vscode/tasks/install_dnf.yml @@ -0,0 +1 @@ +install_rpm.yml \ No newline at end of file diff --git a/roles/editor_vscode/tasks/install_dnf5.yml b/roles/editor_vscode/tasks/install_dnf5.yml new file mode 120000 index 0000000..463b6d3 --- /dev/null +++ b/roles/editor_vscode/tasks/install_dnf5.yml @@ -0,0 +1 @@ +install_rpm.yml \ No newline at end of file 
diff --git a/roles/editor_vscode/tasks/install_rhel.yml b/roles/editor_vscode/tasks/install_rpm.yml similarity index 51% rename from roles/editor_vscode/tasks/install_rhel.yml rename to roles/editor_vscode/tasks/install_rpm.yml index ddd8085..113447d 100644 --- a/roles/editor_vscode/tasks/install_rhel.yml +++ b/roles/editor_vscode/tasks/install_rpm.yml @@ -4,9 +4,18 @@ url: https://code.visualstudio.com/sha/download?build=insider&os=linux-rpm-x64 register: _vscode_rpm_response -- name: Install VSCode via RPM +- name: Install VSCode via dnf ansible.builtin.dnf: name: "{{ _vscode_rpm_response.url }}" disable_gpg_check: true state: present become: true + when: ansible_facts.pkg_mgr.startswith("dnf") + +- name: Install VSCode via zypper + community.general.zypper: + name: "{{ _vscode_rpm_response.url }}" + disable_gpg_check: true + state: present + become: true + when: ansible_facts.pkg_mgr == "zypper" diff --git a/roles/editor_vscode/tasks/install_zypper.yml b/roles/editor_vscode/tasks/install_zypper.yml new file mode 120000 index 0000000..463b6d3 --- /dev/null +++ b/roles/editor_vscode/tasks/install_zypper.yml @@ -0,0 +1 @@ +install_rpm.yml \ No newline at end of file diff --git a/roles/editor_vscode/tasks/main.yml b/roles/editor_vscode/tasks/main.yml index efb2aed..4a1f134 100644 --- a/roles/editor_vscode/tasks/main.yml +++ b/roles/editor_vscode/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Install VSCode - ansible.builtin.include_tasks: "install_{{ ansible_distribution }}.yml" + ansible.builtin.include_tasks: "install_{{ ansible_facts.pkg_mgr }}.yml" tags: install - name: Create directories for VSCode From 61617ad70e5cc09000f7ee3085f82c4d30b68fb3 Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Sun, 29 Dec 2024 17:50:31 +0100 Subject: [PATCH 16/27] fix(os_deb): install additional repos in new format 
Signed-off-by: Matej Focko <me@mfocko.xyz> --- roles/os_deb/tasks/repositories.yml | 42 ++++++++++++++++++++++------- 1 file changed, 33 insertions(+), 9 deletions(-) diff --git a/roles/os_deb/tasks/repositories.yml b/roles/os_deb/tasks/repositories.yml index 545ae2b..9827d81 100644 --- a/roles/os_deb/tasks/repositories.yml +++ b/roles/os_deb/tasks/repositories.yml 
@@ -5,14 +5,38 @@ regexp: "^deb cdrom:" state: absent -- name: Enable additional repository - ansible.builtin.apt_repository: - repo: "{{ item }}" +- name: Enable additional Debian repos + ansible.builtin.deb822_repository: + name: "{{ item.name }}" + types: "{{ item.types }}" + uris: "{{ item.uris }}" + suites: "{{ item.suites }}" + components: + - contrib + - non-free state: present loop: - - deb http://ftp.sk.debian.org/debian/ {{ ansible_facts.distribution_release }} contrib non-free - - deb-src http://ftp.sk.debian.org/debian/ {{ ansible_facts.distribution_release }} contrib non-free - - deb http://security.debian.org/debian-security {{ ansible_facts.distribution_release }}-security contrib non-free - - deb-src http://security.debian.org/debian-security {{ ansible_facts.distribution_release }}-security contrib non-free - - deb http://ftp.sk.debian.org/debian/ {{ ansible_facts.distribution_release }}-updates contrib non-free - - deb-src http://ftp.sk.debian.org/debian/ {{ ansible_facts.distribution_release }}-updates contrib non-free + - name: deb-contrib-non_free + types: deb + uris: http://ftp.sk.debian.org/debian/ + suites: "{{ ansible_facts.distribution_release }}" + - name: deb_src-contrib-non_free + types: deb-src + uris: http://ftp.sk.debian.org/debian/ + suites: "{{ ansible_facts.distribution_release }}" + - name: deb-security-contrib-non_free + types: deb + uris: http://security.debian.org/debian-security + suites: "{{ ansible_facts.distribution_release }}-security" + - name: deb_src-security-contrib-non_free + types: deb-src + uris: http://security.debian.org/debian-security + suites: "{{ ansible_facts.distribution_release }}-security" + - name: deb-updates-contrib-non_free + types: deb + uris: http://ftp.sk.debian.org/debian/ + suites: "{{ ansible_facts.distribution_release }}-updates" + - name: deb_src-updates-contrib-non_free + types: deb-src + uris: http://ftp.sk.debian.org/debian/ + suites: "{{ ansible_facts.distribution_release }}-updates" 
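Review bot: The `components` list (`contrib`, `non-free`) omits `non-free-firmware`, the component Debian 12 split out of `non-free`; on bookworm or newer hosts, firmware packages are not reachable through these entries, and the simplified rewrite of the same task in PATCH 19 keeps the same list. If the targets are bookworm or later, add `- non-free-firmware` under `components`. The mirror URIs are plain `http://`; apt's InRelease signature verification still protects package integrity, so this is an observability rather than a tampering concern, but `https://` is preferable where the mirror offers it.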
From c4e3bcde6230809077e8a025e19190588d91fa6a Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Sun, 29 Dec 2024 17:51:21 +0100 Subject: [PATCH 17/27] fix(secrets_hcv): fix DEB package install * Install HC Vault on both Debian and Ubuntu in the same way * Fix the branching for userspace install vs package manager install Signed-off-by: Matej Focko <me@mfocko.xyz> --- roles/secrets_hcv/tasks/install_Debian.yml | 1 + roles/secrets_hcv/tasks/install_Ubuntu.yml | 14 +------------- roles/secrets_hcv/tasks/install_deb.yml | 12 ++++++++++++ roles/secrets_hcv/tasks/main.yml | 4 ++-- 4 files changed, 16 insertions(+), 15 deletions(-) create mode 120000 roles/secrets_hcv/tasks/install_Debian.yml mode change 100644 => 120000 roles/secrets_hcv/tasks/install_Ubuntu.yml create mode 100644 roles/secrets_hcv/tasks/install_deb.yml diff --git a/roles/secrets_hcv/tasks/install_Debian.yml b/roles/secrets_hcv/tasks/install_Debian.yml new file mode 120000 index 0000000..38e6c00 --- /dev/null +++ b/roles/secrets_hcv/tasks/install_Debian.yml @@ -0,0 +1 @@ +install_deb.yml \ No newline at end of file diff --git a/roles/secrets_hcv/tasks/install_Ubuntu.yml b/roles/secrets_hcv/tasks/install_Ubuntu.yml deleted file mode 100644 index 951d4f0..0000000 --- a/roles/secrets_hcv/tasks/install_Ubuntu.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- name: Add HashiCorp GPG Key - ansible.builtin.get_url: - url: https://apt.releases.hashicorp.com/gpg - dest: /etc/apt/keyrings/hashicorp.asc - mode: 0640 - become: true - -- name: Add HashiCorp repository - ansible.builtin.apt_repository: - repo: "deb [signed-by=/etc/apt/keyrings/hashicorp.gpg] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main" - state: present - become: true diff --git a/roles/secrets_hcv/tasks/install_Ubuntu.yml b/roles/secrets_hcv/tasks/install_Ubuntu.yml new file mode 120000 index 0000000..38e6c00 --- /dev/null +++ b/roles/secrets_hcv/tasks/install_Ubuntu.yml 
@@ -0,0 +1 @@ +install_deb.yml \ No newline at end of file diff --git a/roles/secrets_hcv/tasks/install_deb.yml b/roles/secrets_hcv/tasks/install_deb.yml new file mode 100644 index 0000000..44fd050 --- /dev/null +++ b/roles/secrets_hcv/tasks/install_deb.yml @@ -0,0 +1,12 @@ +--- +- name: Add HashiCorp repository + ansible.builtin.deb822_repository: + name: hashicorp + types: deb + uris: https://apt.releases.hashicorp.com + suites: "{{ ansible_distribution_release }}" + components: + - main + signed_by: https://apt.releases.hashicorp.com/gpg + state: present + become: true diff --git a/roles/secrets_hcv/tasks/main.yml b/roles/secrets_hcv/tasks/main.yml index 43c8b75..9250c7d 100644 --- a/roles/secrets_hcv/tasks/main.yml +++ b/roles/secrets_hcv/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Install HC Vault via package manager - when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora", "Rocky", "Ubuntu"] + when: ansible_distribution in [ "AlmaLinux", "CentOS", "Debian", "Fedora", "Rocky", "Ubuntu" ] tags: install block: - name: Enable repository @@ -14,7 +14,7 @@ - name: Install HC Vault to userspace ansible.builtin.include_tasks: install_user.yml - when: ansible_distribution not in [ "AlmaLinux", "CentOS", "Fedora", "Ubuntu"] + when: ansible_distribution not in [ "AlmaLinux", "CentOS", "Debian", "Fedora", "Rocky", "Ubuntu" ] tags: install - name: Install ‹vssh› script From a6d99338d68546806c04d117bb5c1670d8bae864 Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Sun, 29 Dec 2024 17:55:29 +0100 Subject: [PATCH 18/27] fix(shell_zsh): enable eza repository on apt-based Signed-off-by: Matej Focko <me@mfocko.xyz> --- roles/shell_zsh/tasks/install.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/roles/shell_zsh/tasks/install.yml b/roles/shell_zsh/tasks/install.yml index 8132187..6d462c0 100644 --- a/roles/shell_zsh/tasks/install.yml +++ b/roles/shell_zsh/tasks/install.yml 
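Review bot: `signed_by: https://apt.releases.hashicorp.com/gpg` fetches the key that authenticates the repository from the repository's own origin at provisioning time, so the trust anchor is whatever that URL serves on the day the host is bootstrapped and changes silently if the published key changes; the eza repository added in PATCH 18 (`shell_zsh/tasks/install.yml`, key from a `main` branch raw URL) has the same weakness. Pin the anchor instead: vendor the armored key into the role's `files/` and pass its content to `signed_by` (the module accepts an ASCII-armored key block inline), or at least record the expected fingerprint in a comment next to the URL so a change is noticeable in review.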
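Review bot: The two distribution lists in `secrets_hcv/tasks/main.yml` are maintained by hand in two `when:` conditions that must stay exact negations of each other, which is precisely the drift this commit repairs (the second list previously lacked Rocky). Factor the list into one variable, e.g. `_secrets_hcv_pkg_distros: [AlmaLinux, CentOS, Debian, Fedora, Rocky, Ubuntu]` in the role defaults, and use `when: ansible_distribution in _secrets_hcv_pkg_distros` on the block and `when: ansible_distribution not in _secrets_hcv_pkg_distros` on the userspace task. The second hunk of that file starts mid-block; the task preceding `Install HC Vault to userspace` is not visible here.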
@@ -7,6 +7,19 @@ state: present become: true +- name: Enable ‹eza› apt repository + ansible.builtin.deb822_repository: + name: eza + types: deb + uris: http://deb.gierens.de + suites: stable + components: + - main + signed_by: https://raw.githubusercontent.com/eza-community/eza/main/deb.asc + state: present + become: true + when: ansible_distribution in [ "Debian", "Ubuntu" ] + - name: Install eza and bat ansible.builtin.package: name: From e5623735e374052b0621194e337feabbabd552d7 Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Mon, 30 Dec 2024 12:03:28 +0100 Subject: [PATCH 19/27] fix(os_deb): simplify additional Debian repos Signed-off-by: Matej Focko <me@mfocko.xyz> --- roles/os_deb/tasks/repositories.yml | 25 ++++++------------------- 1 file changed, 6 insertions(+), 19 deletions(-) diff --git a/roles/os_deb/tasks/repositories.yml b/roles/os_deb/tasks/repositories.yml index 9827d81..f6b84b7 100644 --- a/roles/os_deb/tasks/repositories.yml +++ b/roles/os_deb/tasks/repositories.yml @@ -8,7 +8,9 @@ - name: Enable additional Debian repos ansible.builtin.deb822_repository: name: "{{ item.name }}" - types: "{{ item.types }}" + types: + - deb + - deb-src uris: "{{ item.uris }}" suites: "{{ item.suites }}" components: 
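Review bot: The new task is gated with `when: ansible_distribution in [ "Debian", "Ubuntu" ]`, while the `editor_vscode` role in this series was just moved to `ansible_facts.pkg_mgr`; keying on the package manager, `when: ansible_facts.pkg_mgr == "apt"`, is the consistent form here and also covers apt-based derivatives that report a different `ansible_distribution`. The repository URI is plain `http://`, which apt's signature verification makes acceptable for integrity, but that relies on the `signed_by` key being trustworthy (see the note on the HashiCorp repository hunk).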
@@ -16,27 +18,12 @@ - non-free state: present loop: - - name: deb-contrib-non_free - types: deb + - name: contrib-non_free uris: http://ftp.sk.debian.org/debian/ suites: "{{ ansible_facts.distribution_release }}" - - name: deb_src-contrib-non_free - types: deb-src - uris: http://ftp.sk.debian.org/debian/ - suites: "{{ ansible_facts.distribution_release }}" - - name: deb-security-contrib-non_free - types: deb + - name: security-contrib-non_free uris: http://security.debian.org/debian-security suites: "{{ ansible_facts.distribution_release }}-security" - - name: deb_src-security-contrib-non_free - types: deb-src - uris: http://security.debian.org/debian-security - suites: "{{ ansible_facts.distribution_release }}-security" - - name: deb-updates-contrib-non_free - types: deb - uris: http://ftp.sk.debian.org/debian/ - suites: "{{ ansible_facts.distribution_release }}-updates" - - name: deb_src-updates-contrib-non_free - types: deb-src + - name: updates-contrib-non_free uris: http://ftp.sk.debian.org/debian/ suites: "{{ ansible_facts.distribution_release }}-updates" From c6ea1ed4dc090ae5dd1bc858bf77b8a96292404a Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Mon, 30 Dec 2024 12:39:50 +0100 Subject: [PATCH 20/27] feat(editor_vscode): install extensions Fixes #63 Signed-off-by: Matej Focko <me@mfocko.xyz> --- group_vars/desktops/vars | 99 +++++++++++++++++++++++++++ roles/editor_vscode/defaults/main.yml | 3 + roles/editor_vscode/tasks/main.yml | 8 +++ 3 files changed, 110 insertions(+) create mode 100644 roles/editor_vscode/defaults/main.yml diff --git a/group_vars/desktops/vars b/group_vars/desktops/vars index aa6ee17..1d44153 100644 --- a/group_vars/desktops/vars +++ b/group_vars/desktops/vars 
@@ -14,3 +14,102 @@ flatpak_apps: - org.telegram.desktop # - org.x.Warpinator - org.flameshot.Flameshot + +editor_vscode_extensions: + # C/C++ + - bazelbuild.vscode-bazel + - ms-vscode.cmake-tools + - ms-vscode.cpptools + - ms-vscode.cpptools-extension-pack + - ms-vscode.cpptools-themes + - twxs.cmake + + # C# + - ms-dotnettools.csdevkit + - ms-dotnettools.csharp + - ms-dotnettools.vscode-dotnet-runtime + - ms-dotnettools.vscodeintellicode-csharp + + # Deno + - denoland.vscode-deno + + # Go + - golang.go + + # Hare + - adotinthevoid.hare-highlighting + + # Java + - redhat.java + - vscjava.vscode-gradle + - vscjava.vscode-java-debug + - vscjava.vscode-java-dependency + - vscjava.vscode-java-pack + - vscjava.vscode-java-test + - vscjava.vscode-maven + + # Kotlin + - mathiasfrohlich.kotlin + + # Python + - charliermarsh.ruff + - ms-python.debugpy + - ms-python.python + - ms-python.vscode-pylance + - ms-toolsai.jupyter + - ms-toolsai.jupyter-keymap + - ms-toolsai.jupyter-renderers + - ms-toolsai.vscode-jupyter-cell-tags + - ms-toolsai.vscode-jupyter-slideshow + + # Rust + - rust-lang.rust-analyzer + + # Swift + - sswg.swift-lang + - vadimcn.vscode-lldb + + # Zig + - ziglang.vscode-zig + + # Git + - eamodio.gitlens + + # Themes + - akamud.vscode-theme-onedark + - akamud.vscode-theme-onelight + - alexandernanberg.horizon-theme-vscode + - atomiks.moonlight + - avidworks.vampiro + - catppuccin.catppuccin-vsc + - ddiu8081.moegi-theme + - dracula-theme.theme-dracula + - enkia.tokyo-night + - fabiospampinato.vscode-monokai-night + - github.github-vscode-theme + - gnhuy91.theme-oceanicnext-sublime + - ibmlover.oxocarbon + - keifererikson.nightfox + - liviuschera.noctis + - mcagampan.dark-horizon + - ms-vscode.theme-tomorrowkit + - mvllow.rose-pine + - sdras.night-owl + - teabyii.ayu + - tomphilbin.gruvbox-themes + - vincentfiestada.cold-horizon-vscode + - zhuangtongfa.material-theme + + # Misc + - asciidoctor.asciidoctor-vscode + - cs50.vscode-presentation-mode + - 
danielgjackson.auto-dark-mode-windows + - editorconfig.editorconfig + - ms-vscode-remote.remote-containers + - tamasfe.even-better-toml + - unifiedjs.vscode-mdx + - vscodevim.vim + + # Where does this come from? + - visualstudioexptteam.intellicode-api-usage-examples + - visualstudioexptteam.vscodeintellicode diff --git a/roles/editor_vscode/defaults/main.yml b/roles/editor_vscode/defaults/main.yml new file mode 100644 index 0000000..8d0b477 --- /dev/null +++ b/roles/editor_vscode/defaults/main.yml @@ -0,0 +1,3 @@ +--- +# List of VSCode extensions to be installed with the VSCode +editor_vscode_extensions: [] diff --git a/roles/editor_vscode/tasks/main.yml b/roles/editor_vscode/tasks/main.yml index 4a1f134..607f083 100644 --- a/roles/editor_vscode/tasks/main.yml +++ b/roles/editor_vscode/tasks/main.yml @@ -17,3 +17,11 @@ loop: - settings - keybindings + +- name: Install extensions + ansible.builtin.command: + cmd: code-insiders --install-extension {{ item }} + register: _editor_vscode_installation_result + changed_when: '"was successfully installed." in _editor_vscode_installation_result.stdout' + failed_when: '"Error while installing extensions" in _editor_vscode_installation_result.stderr' + loop: "{{ editor_vscode_extensions }}" From 2a1bc2820561d25b5f80a109e5efcc6050106088 Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Fri, 28 Feb 2025 09:02:16 +0100 Subject: [PATCH 21/27] chore(forgejo): bump to the next version Signed-off-by: Matej Focko <me@mfocko.xyz> --- roles/forgejo/templates/forgejo.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/forgejo/templates/forgejo.container b/roles/forgejo/templates/forgejo.container index 08a08e8..f376bd3 100644 --- a/roles/forgejo/templates/forgejo.container +++ b/roles/forgejo/templates/forgejo.container 
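Review bot: `failed_when` replaces the default non-zero-exit check, so a `code-insiders` run that exits non-zero for any reason other than the matched phrase (unknown extension id, marketplace unreachable, CLI not on PATH) is reported as ok; use `failed_when: _editor_vscode_installation_result.rc != 0 or "Error while installing extensions" in _editor_vscode_installation_result.stderr`. Prefer `argv:` over a `cmd:` string so the extension id is passed as one argument without word splitting: `argv: [code-insiders, --install-extension, "{{ item }}"]`. The ids are unpinned, so each run installs whatever the marketplace currently serves under that id; the CLI accepts `id@version` if a reproducible set is wanted. `changed_when` likewise depends on one exact phrase, so a reworded CLI message would silently make the task always report unchanged.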
@@ -7,7 +7,7 @@ Requires=postgresql.service [Container] ContainerName=forgejo -Image=codeberg.org/forgejo/forgejo:9 +Image=codeberg.org/forgejo/forgejo:10 AutoUpdate=registry Environment=USER_UID=1000 From 929ba2a26da892020e8d31d9d57f24d58b20928f Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Fri, 28 Feb 2025 09:03:43 +0100 Subject: [PATCH 22/27] fix(forgejo,vaultwarden): restart with postgresql MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As it has been discovered, regular update of postgresql cause issues when the database gets restarted, cause the containers can no longer correctly resolve the hostname and reconnect, therefore use ‹PartOf› to truly¹ force a restart of the container once the database gets restarted. ¹ Tried to fix a similar issue once already in 737acfd, based on the observations, I have failed… Signed-off-by: Matej Focko <me@mfocko.xyz> --- roles/forgejo/templates/forgejo.container | 1 + roles/vaultwarden/templates/vaultwarden.container | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/forgejo/templates/forgejo.container b/roles/forgejo/templates/forgejo.container index f376bd3..7e78d75 100644 --- a/roles/forgejo/templates/forgejo.container +++ b/roles/forgejo/templates/forgejo.container @@ -4,6 +4,7 @@ Description=Forgejo After=postgresql.service Requires=postgresql.service +PartOf=postgresql.service [Container] ContainerName=forgejo diff --git a/roles/vaultwarden/templates/vaultwarden.container b/roles/vaultwarden/templates/vaultwarden.container index 0b7bd17..aa604d5 100644 --- a/roles/vaultwarden/templates/vaultwarden.container +++ b/roles/vaultwarden/templates/vaultwarden.container @@ -4,6 +4,7 @@ Description=Vaultwarden After=postgresql.service Requires=postgresql.service +PartOf=postgresql.service [Container] ContainerName=vaultwarden From f2d7db26b9093f5c475d01335d06e2ff955593ac Mon Sep 17 00:00:00 2001 
From: Matej Focko <me@mfocko.xyz> Date: Mon, 21 Apr 2025 12:02:40 +0200 Subject: [PATCH 23/27] fix(forgejo): factor out version and bump to 11 Signed-off-by: Matej Focko <me@mfocko.xyz> --- roles/forgejo/defaults/main.yml | 3 +++ roles/forgejo/templates/forgejo.container | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/forgejo/defaults/main.yml b/roles/forgejo/defaults/main.yml index 40285e9..b1d9909 100644 --- a/roles/forgejo/defaults/main.yml +++ b/roles/forgejo/defaults/main.yml @@ -11,3 +11,6 @@ forgejo_http_port: 3000 # SSH port that's exposed from the container forgejo_ssh_port: 2222 + +# Version of the Forgejo to be pulled; for available see image tags +forgejo_version: 11 diff --git a/roles/forgejo/templates/forgejo.container b/roles/forgejo/templates/forgejo.container index 7e78d75..6632983 100644 --- a/roles/forgejo/templates/forgejo.container +++ b/roles/forgejo/templates/forgejo.container @@ -8,7 +8,7 @@ PartOf=postgresql.service [Container] ContainerName=forgejo -Image=codeberg.org/forgejo/forgejo:10 +Image=codeberg.org/forgejo/forgejo:{{ forgejo_version }} AutoUpdate=registry Environment=USER_UID=1000 From a763442128a027a98c504477ad64007768f94b42 Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Mon, 21 Apr 2025 12:04:22 +0200 Subject: [PATCH 24/27] fix(deb,repos): refresh after adding new repos MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When setting deb repositories it is necessary to manually refresh, if there were some changes made since the metadata from mirrors don't get pulled in automatically “on change”. Therefore do the refresh “on change” manually. Signed-off-by: Matej Focko <me@mfocko.xyz> --- roles/os_deb/tasks/repositories.yml | 6 +++++ roles/secrets_hcv/tasks/install_deb.yml | 7 ++++++ roles/shell_zsh/tasks/install.yml | 29 ++++++++++++++++--------- 3 files changed, 32 insertions(+), 10 deletions(-) 
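Review bot: `forgejo_version: 11` is an unquoted integer; the moment someone pins a minor tag such as `11.10`, YAML parses it as the float `11.1` and the rendered image tag is wrong, so quote it: `forgejo_version: "11"`. Because the container file keeps `AutoUpdate=registry`, a major-only tag means every image published under `11` is pulled automatically, which is worth stating in the comment, e.g. `# Image tag to pull, as a quoted string ("11", "11.0", ...); with AutoUpdate=registry, newer images under this tag are pulled automatically`.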
diff --git a/roles/os_deb/tasks/repositories.yml b/roles/os_deb/tasks/repositories.yml index f6b84b7..b554b64 100644 --- a/roles/os_deb/tasks/repositories.yml +++ b/roles/os_deb/tasks/repositories.yml @@ -27,3 +27,9 @@ - name: updates-contrib-non_free uris: http://ftp.sk.debian.org/debian/ suites: "{{ ansible_facts.distribution_release }}-updates" + register: _deb_repo + +- name: Refresh the cache, if any of the repos has changed + ansible.builtin.apt: + update_cache: true + when: _deb_repo.changed diff --git a/roles/secrets_hcv/tasks/install_deb.yml b/roles/secrets_hcv/tasks/install_deb.yml index 44fd050..8d3388a 100644 --- a/roles/secrets_hcv/tasks/install_deb.yml +++ b/roles/secrets_hcv/tasks/install_deb.yml @@ -10,3 +10,10 @@ signed_by: https://apt.releases.hashicorp.com/gpg state: present become: true + register: _deb_repo + +- name: Refresh the cache if HashiCorp repo has been changed + ansible.builtin.apt: + update_cache: true + become: true + when: _deb_repo.changed diff --git a/roles/shell_zsh/tasks/install.yml b/roles/shell_zsh/tasks/install.yml index 6d462c0..617d357 100644 --- a/roles/shell_zsh/tasks/install.yml +++ b/roles/shell_zsh/tasks/install.yml 
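Review bot: The refresh task added to `os_deb/tasks/repositories.yml` has no `become: true`, while the equivalent task added to `secrets_hcv/tasks/install_deb.yml` in the same commit does; unless `os_deb` runs under play- or role-level become (not visible here), `apt-get update` runs unprivileged and fails. `register: _deb_repo` on a looped task works because Ansible sets a top-level `changed` when any item changed, but since the same variable name is reused in three roles in this commit, a comment such as `# top-level .changed is true if any loop item changed` above the `when:` spares the next reader from re-deriving that.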
@@ -8,16 +8,25 @@ become: true - name: Enable ‹eza› apt repository - ansible.builtin.deb822_repository: - name: eza - types: deb - uris: http://deb.gierens.de - suites: stable - components: - - main - signed_by: https://raw.githubusercontent.com/eza-community/eza/main/deb.asc - state: present - become: true + block: + - name: Enable the repository + ansible.builtin.deb822_repository: + name: eza + types: deb + uris: http://deb.gierens.de + suites: stable + components: + - main + signed_by: https://raw.githubusercontent.com/eza-community/eza/main/deb.asc + state: present + become: true + register: _deb_repo + + - name: Refresh the cache after adding the repo + ansible.builtin.apt: + update_cache: true + become: true + when: _deb_repo.changed when: ansible_distribution in [ "Debian", "Ubuntu" ] - name: Install eza and bat From 86b076565893550ee11a1666eed7f8e2479c945e Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Mon, 21 Apr 2025 12:09:14 +0200 Subject: [PATCH 25/27] =?UTF-8?q?feat(git,fzf):=20add=20aliases=20for=20?= =?UTF-8?q?=E2=80=B9git=20log=E2=80=BA=20=C3=97=20=E2=80=B9fzf=E2=80=BA?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Inspired-by: https://mastodon.gamedev.place/@javier_salcedo/114359547238783477 Signed-off-by: Matej Focko <me@mfocko.xyz> --- roles/git/templates/gitconfig | 1 + roles/shell_zsh/templates/zshrc | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/git/templates/gitconfig b/roles/git/templates/gitconfig index 807b0e8..c07e223 100644 --- a/roles/git/templates/gitconfig +++ b/roles/git/templates/gitconfig @@ -1,6 +1,7 @@ [alias] scommit = commit --signoff graph = log --oneline --decorate --graph --all + lg = log --color=always --date=format:'%Y-%m-%d' --format='%C(red)%ad %C(green)%h %C(blue)(%aL): %Creset%s%C(Yellow)%d' [commit] gpgsign = true diff --git a/roles/shell_zsh/templates/zshrc b/roles/shell_zsh/templates/zshrc index 2b8dbe9..245cc03 100644 
--- a/roles/shell_zsh/templates/zshrc +++ b/roles/shell_zsh/templates/zshrc @@ -29,6 +29,7 @@ alias kittyconf="$EDITOR ~/.config/kitty/kitty.conf" export GIT_EDITOR=$EDITOR alias gcs="git commit --gpg-sign --signoff --verbose" alias gcsp="git commit --gpg-sign --signoff --verbose --patch" +alias glgf="git lg | fzf --ansi" ### tokens ### source ~/.tokens From 4b80dac4777e2b77d7cc44eec85192de811850c0 Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Mon, 21 Apr 2025 12:17:41 +0200 Subject: [PATCH 26/27] feat: allow plain-text diff of Ansible Vault MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • ‹.gitattributes› · use custom “diff algorithm” with text conversion · also merge as binary files to avoid corrupting the encrypted content • ‹ansible.cfg› — pass path to an executable script for getting vault password; this will run the script to get the password • ‹gitconfig› — add the custom “diff algorithm” • ‹get_vault_pass.sh› — use Bitwarden CLI to get the Ansible Vault pass Signed-off-by: Matej Focko <me@mfocko.xyz> --- .gitattributes | 1 + ansible.cfg | 1 + roles/git/templates/gitconfig | 3 +++ scripts/get_vault_pass.sh | 3 +++ 4 files changed, 8 insertions(+) create mode 100644 .gitattributes create mode 100755 scripts/get_vault_pass.sh diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..c1ecd56 --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +**/vault diff=ansible-vault merge=binary diff --git a/ansible.cfg b/ansible.cfg index b9656f8..0702058 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,3 +1,4 @@ [defaults] inventory = ./inventory roles_path = roles/ +vault_password_file = scripts/get_vault_pass.sh diff --git a/roles/git/templates/gitconfig b/roles/git/templates/gitconfig index c07e223..585d9bf 100644 --- a/roles/git/templates/gitconfig +++ b/roles/git/templates/gitconfig 
@@ -33,6 +33,9 @@ [difftool "vscode-difftool"] cmd = code --wait --diff $LOCAL $REMOTE +[diff "ansible-vault"] + textconv = ansible-vault view + [gpg] # format = ssh program = gpg2 diff --git a/scripts/get_vault_pass.sh b/scripts/get_vault_pass.sh new file mode 100755 index 0000000..2f40c57 --- /dev/null +++ b/scripts/get_vault_pass.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +bw get password "git.mfocko.xyz:mfocko/dotfiles.git" From c42646ddd459a4184b3c6e6a9465226267459b27 Mon Sep 17 00:00:00 2001 From: Matej Focko <me@mfocko.xyz> Date: Wed, 23 Apr 2025 12:34:55 +0200 Subject: [PATCH 27/27] =?UTF-8?q?fix(wg):=20switch=20to=20=E2=80=B9Network?= =?UTF-8?q?Manager=E2=80=BA?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes #65 Signed-off-by: Matej Focko <me@mfocko.xyz> --- defaults/main.yml | 26 ++++- group_vars/all/vars | 3 +- group_vars/all/vault | 107 +++++++++++++----- host_vars/ampere/vault | 24 +++- host_vars/hertz/vault | 24 +++- host_vars/mountainside/vault | 47 +++++--- playbooks/bootstrap.yml | 3 + roles/wg/defaults/main.yml | 12 +- roles/wg/tasks/main.yml | 73 ++++-------- .../templates/wireguard-config.nmconnection | 32 ++++++ 10 files changed, 240 insertions(+), 111 deletions(-) create mode 100644 roles/wg/templates/wireguard-config.nmconnection diff --git a/defaults/main.yml b/defaults/main.yml index 688651f..13cae0b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
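Review bot: `textconv = ansible-vault view` decrypts every `**/vault` file for any git command that applies diff drivers, so `git log -p`, `git show` and IDE diff views now print the secrets to the terminal, the pager and any file their output is redirected to; keep `diff.ansible-vault.cachetextconv` unset (it defaults to false), because enabling it would persist the plaintext in git notes under `.git`. The helper script has no session check: without `BW_SESSION`, `bw get password` fails or blocks on a prompt inside the textconv with no hint of the cause, so add `[ -n "$BW_SESSION" ] || { echo "get_vault_pass: unlock Bitwarden and export BW_SESSION" >&2; exit 1; }` before the `bw` call. A comment on the gitconfig stanza, `# decrypts vault files for diff display only; never enable cachetextconv`, would record the intent.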
@@ -38,14 +38,34 @@ yubikey_token_id: None # Client IP for the ‹wg-admin› VPN wg_admin_ip: None +# Dictionary containing the IP addresses of the hosts on Wireguard interfaces +# Keys represent interface name, values IP address with a mask. +# +# Convenience variable for easier deduplication of common values that are used +# across all the hosts. +wg_addresses: None + +# Dictionary containing the private keys for the Wireguard hosts. Keys represent +# interface name, values private key. +# +# Convenience variable to maintain better idempotency and reproducibility of the +# Ansible deployments/bootstraps. +wg_private_keys: None + # Wireguard connections # List of connections to set up, example: # # - ifname: ‹interface name› +# autoconnect: "true/false" # needs to be a string +# +# private_key: ‹private key for the VPN connection, if not generated› # generate_keypair: true/false -# domain: ‹domain, adjust DNS resolution, if set› -# gateway: ‹part of the DNS resolution setup› +# # address: ‹assigned address on the VPN› +# gateway: ‹part of the DNS resolution setup› +# dns: ‹IP of the DNS server on the VPN› +# domain: ‹domain, adjust DNS resolution, if set› +# # peers: -# - { note, public_key, allowed_ips, endpoint, keepalive } +# - { note, endpoint, public_key, allowed_ips, keepalive } wg_connections: [] diff --git a/group_vars/all/vars b/group_vars/all/vars index a1add04..2f456b3 100644 --- a/group_vars/all/vars +++ b/group_vars/all/vars @@ -8,5 +8,6 @@ gpg_signingkey: "7C47D46246790496" hashicorp_vault_address: "{{ vault_hashicorp_vault_address }}" vaultwarden_address: "{{ vault_vaultwarden_address }}" -wg_admin_ip: "{{ vault_wg_admin_ip }}" +wg_addresses: "{{ vault_wg_addresses }}" +wg_private_keys: "{{ vault_wg_private_keys }}" wg_connections: "{{ vault_wg_connections }}" diff --git a/group_vars/all/vault b/group_vars/all/vault index d27f9c4..fcff7e2 100644 --- a/group_vars/all/vault +++ b/group_vars/all/vault 
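Review bot: `wg_admin_ip` is still declared in `defaults/main.yml` (the context line above this hunk) but its mapping to `vault_wg_admin_ip` is removed from `group_vars/all/vars`, so any remaining reference to `wg_admin_ip` now resolves to the literal string `None` rather than an address; either drop the default as well or confirm no consumer is left. The new `wg_addresses: None` and `wg_private_keys: None` follow the file's existing convention, but YAML reads `None` as a string, not as null, so `is none` and `default` tests do not fire on them; `null` is the canonical form if the convention is ever revisited. Since the comment block states that `wg_private_keys` holds raw private keys per interface, a line such as `# sensitive: define only in vault-encrypted vars and set no_log on the tasks that consume it` would make the handling requirement explicit (the consuming tasks are outside this hunk).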
@@ -1,28 +1,81 @@ $ANSIBLE_VAULT;1.1;AES256 -63376231613461376465633862633737343864636662306262303530303165623730613833323961 -6233383266366236326435656134656437356539326533390a636631613339373366346338666436 -38633938316237626662666363343230663533633565643838323137306434376539353439306339 -3435623631323865630a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a346261336530396536613131386564 +64666433663036396331626163636163643035323830343637386532343434356132386162366361 +3938303166643334330a633065663064393833646563323133393330353634333665663332613732 +36346535653836383735313561316366633437383237663766366433643139663663623231666166 +33306332316464623733393338363065613437306433653663623564313332653136363235626336 +30643464613630363331623665623563633266336236663665613864313831356236373066626633 +36363130326233383163616161353830366139313930653330653837666535666237613237373362 +38363665393536643237393338623466353435633635653634323631353265363462333431653235 +38383730383634633861393932373662303339626433303162393533303164653830373566373936 +65303735336531656163613139353965363732646161623961663439393832356638663761396134 +32303466613265366461303137663831323036303362613464666362386363303836333239313834 +64653961383865383638343937623532616165633138303839393832356364653736313039336133 +31623263323365373064666236363163363539633931633635643539323163343335656338653535 +37623166656333373538393230613533666632363035366565666330663065396265346262383139 +66646464386263386535363930636364303338353330616538613836343238303665363939363930 +37333361633532613430396531616261343666656238373364383465343462363261613031663239 +31393930336333333364663839373231336638666533316231643834316439366431363435396132 +31396237313765316334643931346164316261656138346134616233646335646365623665646632 +61316630316565333664653532663232316432393432383233636564646432343737373161663963 +62376536336537353538633366613431646537663966306533623037363361316134393463396438 
+64636566326632313333333033396334323065613962376539396633353661366235313436376132 +35353339623765393135646264356436373832633232383762343933663436386531346364336336 +61616164613265623061653933353438666632643164313839303065393438636137653632336163 +61376436616564343139356165323162383238316264646536646138396635633234323862613135 +35363838666630303666623638363137623964336663396462343266336264336635666631363563 +65396465393563616431373563663738343161393238396132313536643433346237376134313031 +37633431353437636638656661323762383333616562623364353731303137393637313135356338 +38643238393663313966323233303037623838383934663263623461363863653536303132346337 +34623535633233306133666665353339663836323336343561343537326261323633333761336631 +65623133383633616463643462336630643363346561316162346433386137313431306131656162 +34343137633239666535346431663663363634643936643132343436616266353532633434663939 +38336130343062393964366230643633656561663939653030653064623532306663363731616566 +30393361636133303231643138633766613461633665663566633862363533366233326365653430 +33633761396236663738326561616433303934663936306334323465346334666464346333376266 +39633438383064303338396337613835383039313861376363323563336333663263303465316534 +36343132393035633165623864623937636235633965326566373730303430613562376365663364 +38643665346530376430316164616538313462373633653630316330326638303466333836623730 +33643237663666383235363736313335306636346263623032356262326666666134623862653265 +32666630383134633037643138323432656633343565656461336534386566613162323736373166 +36666536303639303064373035313130636438653331613262613365643166383036623630656434 +38363431336566626238343830393561666230383464613036306236346237346132316565373932 +35346361373535373838323566313166666233623761653663376636666539393438353436306232 +61343762333939366664333366356132303738316464393030613863383434656639376136623661 +65373338356263613738626463646337343939663735623432616138373665633163373334616139 
+35353833303738396666363561643537323730373031373137386361626664623936626333303337 +37636562353863336531336134636139346538383839626365356532393735333834653638383438 +65653736366437373838613330643431336632623432623264346530646535623635363834623931 +62616166373435623161313438656631323137366538386235323766633363653062373565353436 +39346236613137373662316265396536383334353636323065383730386436356635666138643264 +37626438633430353934623136633230623737326632323933646132656163343833643230336564 +64643030623932366337356666393162333732656164616235623736613036393134383535303936 +30336131323263643165623663646661306166616530623338333266303831653834653431363033 +39646365333065306536316161366635363361386366393834333261363437656266306132333230 +30303836396136373963643131383565383239643561363665306336393536643039623736323333 +37643835376437616563316363636166356466396165366238306334386466353630366462366463 +39356366346561366661323131343331363935653064373137366233316633313833623662383366 +30313561356164613038386130303031623534636163613863356438333766633835326331373934 +61633136393466666238396264366464363632616532336332376265383761363936396635633961 +65393235326364326164626563626163643265633235656330616437643865356636376432613936 +66303065373665623536653562393933633564303634376435373135393235353065366661666137 +61373864383437376131363634333237656162313739363134323039323935623632343338613061 +38633161616262393138356130386266643261313539646137326237643262363061326633646664 +30643931373061323864656534626563653735636335616631626134663838663261383064336465 +62313762313362326634353334376632643536643161326262653637623232353534336465366639 +66656532643236336235306566343761376131633639346332623266313139333235326464333334 +30633961616531343535646632663665653365333961343038636439366664323463653335333363 +38333135343363323631373533316561383732643231383862653132383531323266303534663665 +31633038353065373865306333346437643265623262323036656439663664653337653131373865 
+39353635613333643933656636643166346539373838353738373864313839636138333763613033 +30383937613463616434626561346436393734653039373563613361333835396361333663366534 +31376166643263633437353435646536363034316165653334613430393037656136393532306137 +31343165353661383835306664623064633333666639306334336464333836376535336237623232 +61666530663162373934326465383865613936323739323739383966353631623433643231343535 +62333065333036393330353230323265653264333762326431363937643131326131613663306532 +61363430316464663762633336313265373064343731386261376133663463616135646432373062 +37633861316332616639633234313938353230646237343934393735396232613662306131666438 +39613139643132633564633431636365656165313531373262393030366236343836653436656338 +34646533656164313836343930383535633038643437616165303432323865653836343064343261 +36636262613338366530 diff --git a/host_vars/ampere/vault b/host_vars/ampere/vault index 4b95343..32bf0fb 100644 --- a/host_vars/ampere/vault +++ b/host_vars/ampere/vault @@ -1,6 +1,20 @@ $ANSIBLE_VAULT;1.1;AES256 -37346330376565653933653934653564643163356637666632393964366632363336353463323432 -3765303739303338326463396635653834396361316331340a326239666464363739363562613233 -30353039313564353866663838626366663064633332313662656238323262393131626462373064 -6566376239356530300a303362633534636565386636393764396362653263323362306264383461 -31363065383436313062336338303762316164663036393533376130643138646237 +37313763643432623939616435323639326235653062376332346163653338366638393531313864 +6362383739393765383762323437326337643534356339380a396436306566393638666362383037 +32336462646362363066626230303433386137353263623535376233306634366530373439376464 +3363303734363266620a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diff --git a/host_vars/hertz/vault b/host_vars/hertz/vault index 5c42073..fb8d025 100644 --- a/host_vars/hertz/vault +++ b/host_vars/hertz/vault 
@@ -1,6 +1,20 @@ $ANSIBLE_VAULT;1.1;AES256 -61353931363939383464363938643136373433643736333361646566393863663136336162643962 -3038666635616462623231656565663764643666663536390a316232623638396239636234376330 -64663638363766343536373236366434356135366435336661393935396161393161626361313662 -6664343835393263310a623439323739666362356335653538646331316331613165393263343039 -34363335393961363265646263653138346563633339653039613831366565326638 +62313235373263656238613263613564626638333563616630373638316163653734363431663333 +3134616263323961613261653131653662343333666334370a373465623863313538376236336562 +61666661613332363732336466383238623635323534393461306433343635343165633130333832 +6265366230353732390a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diff --git a/host_vars/mountainside/vault b/host_vars/mountainside/vault index d3268fc..856846b 100644 --- a/host_vars/mountainside/vault +++ b/host_vars/mountainside/vault @@ -1,18 +1,31 @@ $ANSIBLE_VAULT;1.1;AES256 -36636438356436373332646664346661373963643733333236363633643064623636663239383965 -3635646338663966303232306532393934336261646537300a363838643037656339393937366633 -66303139376663626136353838353961626533623031316565393639363538636666633633656532 -6533643435663638380a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a343262393062646336616361396463 +64306161616432363638646133376333316462353361623331383532326135383838383861653662 +3062343730383336300a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diff --git a/playbooks/bootstrap.yml b/playbooks/bootstrap.yml index 0ad6098..0264031 100644 --- a/playbooks/bootstrap.yml +++ b/playbooks/bootstrap.yml @@ -112,7 +112,10 @@ with_items: "{{ wg_connections }}" vars: wg_ifname: "{{ item.ifname }}" + wg_autoconnect: "{{ item.autoconnect }}" wg_generate_keypair: "{{ item.generate_keypair }}" + wg_private_key: "{{ item.private_key }}" + wg_dns: "{{ item.dns }}" wg_domain: "{{ item.domain }}" wg_gateway: "{{ item.gateway }}" wg_address: "{{ item.address }}" 
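Review bot: Every entry of `wg_connections` must now carry `autoconnect`, `private_key` and `dns`, because `wg_private_key: "{{ item.private_key }}"` and its two new siblings read the item keys directly; an entry without one of them aborts the loop with an undefined-variable error instead of falling back to the role's own defaults. If that fallback is intended, `wg_private_key: "{{ item.private_key | default('') }}"` (and analogous `default()` filters on `dns` and `autoconnect`) keeps existing inventories working. Passing the private key through a `with_items` loop also means each item, key included, is echoed in the play output per iteration unless the enclosing task sets `no_log: true` or `loop_control: label: "{{ item.ifname }}"`; that task's header lies outside the hunk, so I cannot tell whether it already does.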
diff --git a/roles/wg/defaults/main.yml b/roles/wg/defaults/main.yml index 86df952..02cecdf 100644 --- a/roles/wg/defaults/main.yml +++ b/roles/wg/defaults/main.yml @@ -2,6 +2,9 @@ # IP address assigned to the wireguard peer wg_address: "192.168.0.2/32" +# IP address of the DNS server on the VPN +wg_dns: "192.168.0.1" + # Domain that is used with local DNS on the VPN wg_domain: "localdomain" @@ -14,12 +17,19 @@ wg_ifname: "wg-something" # Peers of the VPN, list of objects with the following format: # # - note: ‹comment that gets put above the peer› +# endpoint: localhost:51820 # public_key: ‹public key of the peer› # allowed_ips: 192.168.0.0/24 -# endpoint: localhost:51820 # # if bool(keepalive) → gets included in the config # keepalive: 20 wg_peers: [] +# Whether to autoconnect; needs to be string to be properly templated for the +# NetworkManager connection file +wg_autoconnect: "true" + # By default don't generate the keypair and reuse the existing one wg_generate_keypair: false + +# Private key, in case it is not to be generated during the runtime +wg_private_key: "" diff --git a/roles/wg/tasks/main.yml b/roles/wg/tasks/main.yml index f356d99..5cc33e6 100644 --- a/roles/wg/tasks/main.yml +++ b/roles/wg/tasks/main.yml 
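Review bot: `wg_private_key: ""` gives the private key a silent empty default even though the role now templates it straight into the connection file, so a host that never sets the variable ends up with an unusable connection rather than a clear failure. The comment above it should state that the value is mandatory until key generation returns and where it is expected to come from, e.g. `# Private key of this peer; required (key generation is not implemented yet). Supply it from an encrypted vault file, not from defaults.` Leaving the key out of `defaults/main.yml` altogether would make Ansible stop on the undefined variable instead of writing an empty `private-key=`. The `wg_autoconnect: "true"` comment could also mention that the value is consumed with `| bool` in the tasks as well as templated, so nobody replaces it with a bare boolean.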
@@ -3,67 +3,36 @@ ansible.builtin.include_tasks: install.yml tags: install -- name: Check for existence of private key - ansible.builtin.stat: - path: /etc/wireguard/private.key - register: _private_key - -- name: Generate keypair - ansible.builtin.include_tasks: tasks/generate_keypair.yml - when: not _private_key.stat.exists - -- name: Save private key - ansible.builtin.template: - src: templates/keyfile.j2 - dest: /etc/wireguard/private.key - owner: root - group: root - mode: 0700 - vars: - key: "{{ wg_private_key }}" - when: not _private_key.stat.exists - -- name: Save public key - ansible.builtin.template: - src: templates/keyfile.j2 - dest: /etc/wireguard/public.key - owner: root - group: root - mode: 0700 - vars: - key: "{{ wg_public_key }}" - when: not _private_key.stat.exists - -- name: Set dns_command for co-openSUSE - ansible.builtin.set_fact: - wg_dns_command: "resolvectl dns %i {{ wg_gateway }}; resolvectl domain %i ~{{ wg_domain }}" - when: '"openSUSE" not in ansible_distribution' - -- name: Set dns_command for openSUSE - ansible.builtin.set_fact: - wg_dns_command: "nmcli con mod %i ipv4.dns {{ wg_gateway }}; nmcli con mod %i ipv4.dns-search ~{{ wg_domain }}" - when: '"openSUSE" in ansible_distribution' +# [TODO] Handle autogeneration of the keys - name: Create the config vars: + ifname: "{{ wg_ifname }}" + autoconnect: "{{ wg_autoconnect }}" + address: "{{ wg_address }}" - dns_command: "{{ wg_dns_command }}" + dns: "{{ wg_dns }}" domain: "{{ wg_domain }}" - gateway: "{{ wg_gateway }}" + + private_key: "{{ wg_private_key }}" + peers: "{{ wg_peers }}" ansible.builtin.template: - src: "templates/wg.conf" - dest: "/etc/wireguard/{{ wg_ifname }}.conf" + src: "templates/wireguard-config.nmconnection" + dest: "/etc/NetworkManager/system-connections/{{ wg_ifname }}.nmconnection" owner: root group: root mode: "0600" -- name: Set up the DNS on AlmaLinux - ansible.builtin.include_tasks: "dns_{{ ansible_distribution }}.yml" - when: wg_domain and 
ansible_distribution == "AlmaLinux" +- name: Load the added connection + ansible.builtin.command: + cmd: nmcli connection load /etc/NetworkManager/system-connections/{{ wg_ifname }}.nmconnection + changed_when: false + become: true -- name: Enable and start the wireguard connection - ansible.builtin.service: - name: "wg-quick@{{ wg_ifname }}" - enabled: yes - state: started +- name: Up the connection + community.general.nmcli: + conn_name: "{{ wg_ifname }}" + state: up + become: true + when: wg_autoconnect | bool diff --git a/roles/wg/templates/wireguard-config.nmconnection b/roles/wg/templates/wireguard-config.nmconnection new file mode 100644 index 0000000..78cead3 --- /dev/null +++ b/roles/wg/templates/wireguard-config.nmconnection @@ -0,0 +1,32 @@ +# {{ ansible_managed }} + +[connection] +id={{ ifname }} +uuid={{ ansible_facts.hostname | to_uuid(namespace=ifname | to_uuid) }} +type=wireguard +autoconnect={{ autoconnect }} +interface-name={{ ifname }} + +[ipv4] +method=manual +never-default=true +address1={{ address }} +dns={{ dns }} +dns-search={{ domain }} + +[ipv6] +method=ignore +addr-gen-mode=stable-privacy + +[wireguard] +private-key={{ private_key }} +{% for peer in peers %} + +# {{ peer.note }} +[wireguard-peer.{{ peer.public_key }}] +endpoint={{ peer.endpoint }} +allowed-ips={{ peer.allowed_ips }} +{% if peer.keepalive %} +persistent-keepalive={{ peer.keepalive }} +{% endif %} +{% endfor %}
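Review bot: The `Create the config` task renders `private_key` into the connection file without `no_log: true` or `diff: false`, so a run with `--diff` prints the WireGuard private key into the play output and whatever collects it; the removed keyfile tasks had the same exposure, but this rewrite is where the key now flows through a plain `vars:` block, so it is the place to fix it. Adding `no_log: true` (or at least `diff: false`) to that task keeps the secret out of logs, while the existing `mode: "0600"` with root ownership already protects it on disk. Since the `[TODO]` comment drops key generation and the role's `wg_private_key` can be empty, an unset key silently yields a connection with an empty `private-key=`; an `ansible.builtin.assert` with `that: wg_private_key | length > 0` placed before `Create the config` would fail fast with a readable message. The `nmcli connection load` task runs with `become: true` while the template task writing to `/etc/NetworkManager/system-connections` does not; if the play is not already escalated, the file write fails first, so the two should be made consistent.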
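Review bot: `# {{ peer.note }}` and `endpoint={{ peer.endpoint }}` make `note` and `endpoint` hard requirements for every peer while only `keepalive` is guarded; a peer lacking either (an endpoint is typically absent for a peer that only accepts incoming connections) aborts the whole template with an undefined-variable error. Guarding them the same way as keepalive, `{% if peer.endpoint is defined %}endpoint={{ peer.endpoint }}{% endif %}` and `# {{ peer.note | default('') }}`, keeps the rendered file valid for those peers. Likewise `private-key={{ private_key }}` is written even when the variable is empty, producing a connection NetworkManager cannot bring up; rendering that line only for a non-empty key, or failing earlier in the role, would surface the misconfiguration instead of hiding it in the file.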