Compare commits


5 commits

7d8d187e97
feat(cockpit): allow 2FA auth
Fixes #60

Signed-off-by: Matej Focko <me@mfocko.xyz>
2024-12-14 20:53:24 +01:00
f5335e0f0c
fix(editor_helix): remove Copr
Helix is included in the default repositories (Fedora and EPEL for EL
derivatives), therefore there is no need to use the Copr repository.

Signed-off-by: Matej Focko <me@mfocko.xyz>

# Please enter the commit message for your changes. Lines starting
# with '#' will be ignored, and an empty message aborts the commit.
#
# On branch main
# Your branch is ahead of 'origin/main' by 3 commits.
#   (use "git push" to publish your local commits)
#
# Changes to be committed:
#	modified:   roles/editor_helix/tasks/install_fedora-family.yml
#
# Changes not staged for commit:
#	modified:   group_vars/servers/vars
#	modified:   inventory
#	modified:   playbooks/playground.yml
#	modified:   roles/cockpit/defaults/main.yml
#	modified:   roles/cockpit/tasks/install.yml
#	modified:   roles/cockpit/tasks/main.yml
#
# Untracked files:
#	ansible-navigator.log
#	playbooks/print_facts.yml
#	tasks/
#
2024-12-14 20:37:52 +01:00
4ca89d7641
fix(base_system): improve the system-wide upgrade
When upgrading packages to their latest version, decide which Ansible
module to use based on the ‹pkg_mgr› Ansible fact instead of the
distribution.

This approach is more robust, and more correct, as the package managers
are shared between some of the distributions.

Signed-off-by: Matej Focko <me@mfocko.xyz>
2024-12-14 20:35:25 +01:00
a79bfb5551
fix(ssh_server): use correctly named variable
Signed-off-by: Matej Focko <me@mfocko.xyz>
2024-12-14 20:33:04 +01:00
fb94b38a57
feat: add Rocky to possible targets
Signed-off-by: Matej Focko <me@mfocko.xyz>
2024-12-14 14:31:39 +01:00
13 changed files with 37 additions and 15 deletions


@ -1,5 +1,8 @@
certbot_email: "{{ vault_certbot_email }}"
cockpit_2fa: true
cockpit_has_reverse_proxy: true
host_fqdn: "{{ vault_host_fqdn }}"
porkbun_apikey: "{{ vault_porkbun_apikey }}"


@ -10,7 +10,7 @@
- role: os_el
become: true
when: ansible_distribution in [ "AlmaLinux", "CentOS" ]
when: ansible_distribution in [ "AlmaLinux", "CentOS", "Rocky" ]
# Upgrade all packages and install the basic-bitch ones
- role: base_system
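Review bot: The EL distribution list is hand-maintained in four places in this range — the `os_el` condition here, the HC Vault task (`@ -1,6 +1,6 @@`), the yad task (`@ -34,4 +34,4 @@`) and the pam_yubico task (`@ -3,7 +3,7 @@`) — and adding Rocky meant editing every one of them, so the next EL rebuild will very likely be missed in at least one. The base_system fix in the same range already moved from distribution names to a fact; the same idea fits here, e.g. `when: ansible_facts.os_family == "RedHat" and ansible_facts.distribution != "Fedora"` for an EL-only role, or one group var such as `el_distributions` (constructed name) that every `when:` references, so the list lives in a single place. The `- role: os_el` item's other keys and the rest of the play are outside the hunk.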


@ -4,16 +4,16 @@
name: "*"
state: latest
update_cache: true
when: ansible_distribution in [ "Debian", "Ubuntu" ]
when: ansible_facts.pkg_mgr == "apt"
- name: Upgrade all packages with dnf
ansible.builtin.dnf:
name: "*"
state: latest
when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora" ]
when: ansible_facts.pkg_mgr == "dnf"
- name: Upgrade all packages with zypper
community.general.zypper:
name: "*"
state: latest
when: "'openSUSE' in ansible_distribution"
when: ansible_facts.pkg_mgr == "zypper"
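Review bot: A host whose `ansible_facts.pkg_mgr` is none of `apt`, `dnf` or `zypper` now skips all three upgrade tasks without any message, and the exact `== "dnf"` match in the middle task is the likeliest gap — a host where the fact reports `yum` or, on recent Fedora with newer ansible-core, `dnf5` would silently receive no upgrade. The old distribution-based conditions had the same silent-skip shape, so this is not a regression, but a trailing task that fails on an unhandled package manager turns the omission into a visible error (it also helps if the dnf condition is widened to whatever values the module actually supports in your ansible-core version). The apt task's `name:` line sits just before the hunk.
```yaml
# … unchanged: apt / dnf / zypper upgrade tasks …
- name: Refuse to continue on a package manager without an upgrade task
  ansible.builtin.fail:
    msg: "No upgrade task for pkg_mgr={{ ansible_facts.pkg_mgr }}"
  when: ansible_facts.pkg_mgr not in ["apt", "dnf", "zypper"]
```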


@ -3,3 +3,9 @@
# reverse proxy (adjusts the origin, so that the Cockpit doesn't drop sessions,
# and checks for SSL/TLS connections)
cockpit_has_reverse_proxy: false
# Boolean variable that denotes whether to install dependencies for 2FA auth
# to Cockpit (Google Authenticator and QR encoding utilities for enrolling the
# OTP), also installs the rule to the pam.d so that the 2FA is required for
# logging in to the Cockpit.
cockpit_2fa: false
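Review bot: The new comment says the PAM rule makes 2FA "required" for Cockpit logins, but the rule the role adds carries `nullok`, which lets a user who has not yet enrolled a token log in with only their password; someone enabling this for hardening will assume more than they get. Suggest extending the comment with two lines: `# Note: the PAM rule is added with 'nullok', so users who have not yet run` and `# google-authenticator can still log in with only their password.` It would also help to name the file the rule lands in (`/etc/pam.d/cockpit`) so the variable's effect is greppable from the defaults.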


@ -3,3 +3,11 @@
ansible.builtin.package:
name: cockpit
state: present
- name: Install deps for 2FA in Cockpit
ansible.builtin.package:
name:
- google-authenticator
- qrencode-libs
state: present
when: cockpit_2fa
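Review bot: `google-authenticator` and `qrencode-libs` are Fedora/EL package names, while the task uses the distro-agnostic `ansible.builtin.package` and the base_system change in this same range shows the playbooks also run on apt hosts; on Debian/Ubuntu the equivalents are named differently (the PAM module ships as `libpam-google-authenticator`), so with `cockpit_2fa: true` this task would fail there. If the role is meant for Fedora/EL only, make that explicit, e.g. `when: cockpit_2fa and ansible_facts.os_family == "RedHat"`; otherwise move the names into a per-family variable (`name: "{{ cockpit_2fa_packages }}"`, constructed name) populated from `vars/<os_family>.yml`. The `Install Cockpit` task's name line is just before the hunk.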


@ -12,6 +12,16 @@
group: root
when: cockpit_has_reverse_proxy
- name: Require 2FA for logging into the Cockpit
ansible.builtin.lineinfile:
line: auth required pam_google_authenticator.so nullok
path: /etc/pam.d/cockpit
create: true
mode: 0644
owner: root
group: root
when: cockpit_2fa
- name: Enable cockpit
ansible.builtin.service:
name: "cockpit.socket"
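Review bot: `mode: 0644` is an unquoted octal literal — a YAML parser hands Ansible the integer 420 (YAML 1.1) or 644 (YAML 1.2), and Ansible's own guidance is to quote modes — so write `mode: "0644"`. `create: true` on `/etc/pam.d/cockpit` also deserves a second look: if, as on Fedora/EL, the cockpit packages installed earlier in the role ship that service file, a missing file means something is wrong, and a file holding only this one line is not a working PAM service, so dropping `create: true` lets the task fail loudly instead of quietly writing a broken stack. Because of `nullok` the task enforces the second factor only for users who have already enrolled, so the name `Require 2FA` is aspirational; consider making the option conditional, e.g. `line: "auth required pam_google_authenticator.so{{ ' nullok' if cockpit_2fa_allow_unenrolled else '' }}"` with a default of `true` (constructed variable name). Note as well that setting `cockpit_2fa: false` later leaves the line in place; a `state: absent` counterpart would be needed to back it out. The task is complete within the hunk; the reverse-proxy task before it and the service task after it are cut.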


@ -0,0 +1 @@
install_fedora-family.yml


@ -1,11 +1,4 @@
---
- name: Enable the Copr
community.general.copr:
name: varlad/helix
state: enabled
when: ansible_distribution not in ("AlmaLinux")
become: true
- name: Install the Helix
ansible.builtin.package:
name: helix


@ -0,0 +1 @@
install_el.yml


@ -1,6 +1,6 @@
---
- name: Install HC Vault via package manager
when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora", "Ubuntu"]
when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora", "Rocky", "Ubuntu"]
tags: install
block:
- name: Enable repository


@ -34,4 +34,4 @@
name: yad
state: present
become: true
when: 'ansible_distribution not in [ "AlmaLinux" ] and "openSUSE" not in ansible_distribution'
when: 'ansible_distribution not in [ "AlmaLinux", "Rocky" ] and "openSUSE" not in ansible_distribution'


@ -55,4 +55,4 @@
- name: Set trusted CA
ansible.builtin.include_tasks: trusted_ca.yml
when: sshd_auth_trusted_ca
when: ssh_server_auth_trusted_ca


@ -3,7 +3,7 @@
ansible.builtin.package:
name: pam_yubico
state: present
when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora" ]
when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora", "Rocky" ]
- name: Enable PPA on Ubuntu
ansible.builtin.apt_repository: