Compare commits


9 commits

ab5c374990
fix(wg): correct check for existing private key
Registering output of ‹ansible.builtin.stat› generates an object
containing ‹stat› member itself.

Signed-off-by: Matej Focko <me@mfocko.xyz>
2024-12-22 20:36:04 +01:00
4960068555
fix(wg): correctly template facts
When setting facts to outputs of some other tasks or variables, they need
to be correctly templated and quoted, otherwise they're taken as is,
i.e., as text.

Signed-off-by: Matej Focko <me@mfocko.xyz>
2024-12-22 20:35:23 +01:00
da9662533a
fix(editor_vscode): use the packaged version of VSCode
Signed-off-by: Matej Focko <me@mfocko.xyz>
2024-12-22 20:34:52 +01:00
ab83e7c30c
fix(base_system): correctly check for the dnf
‹dnf5› presents itself as ‹dnf5›

Signed-off-by: Matej Focko <me@mfocko.xyz>
2024-12-22 20:34:21 +01:00
7d8d187e97
feat(cockpit): allow 2FA auth
Fixes #60

Signed-off-by: Matej Focko <me@mfocko.xyz>
2024-12-14 20:53:24 +01:00
f5335e0f0c
fix(editor_helix): remove Copr
Helix is included in the default repositories (Fedora and EPEL for EL
derivatives), therefore there is no need to use the Copr repository.

Signed-off-by: Matej Focko <me@mfocko.xyz>

# Please enter the commit message for your changes. Lines starting
# with '#' will be ignored, and an empty message aborts the commit.
#
# On branch main
# Your branch is ahead of 'origin/main' by 3 commits.
#   (use "git push" to publish your local commits)
#
# Changes to be committed:
#	modified:   roles/editor_helix/tasks/install_fedora-family.yml
#
# Changes not staged for commit:
#	modified:   group_vars/servers/vars
#	modified:   inventory
#	modified:   playbooks/playground.yml
#	modified:   roles/cockpit/defaults/main.yml
#	modified:   roles/cockpit/tasks/install.yml
#	modified:   roles/cockpit/tasks/main.yml
#
# Untracked files:
#	ansible-navigator.log
#	playbooks/print_facts.yml
#	tasks/
#
2024-12-14 20:37:52 +01:00
4ca89d7641
fix(base_system): improve the system-wide upgrade
When upgrading packages to their latest version, decide which Ansible
module to use based on the ‹pkg_mgr› Ansible fact instead of the
distribution.

This approach is more robust, and more correct, as the package managers
are shared between some of the distributions.

Signed-off-by: Matej Focko <me@mfocko.xyz>
2024-12-14 20:35:25 +01:00
a79bfb5551
fix(ssh_server): use correctly named variable
Signed-off-by: Matej Focko <me@mfocko.xyz>
2024-12-14 20:33:04 +01:00
fb94b38a57
feat: add Rocky to possible targets
Signed-off-by: Matej Focko <me@mfocko.xyz>
2024-12-14 14:31:39 +01:00
24 changed files with 64 additions and 110 deletions


@ -1,5 +1,8 @@
certbot_email: "{{ vault_certbot_email }}" certbot_email: "{{ vault_certbot_email }}"
cockpit_2fa: true
cockpit_has_reverse_proxy: true
host_fqdn: "{{ vault_host_fqdn }}" host_fqdn: "{{ vault_host_fqdn }}"
porkbun_apikey: "{{ vault_porkbun_apikey }}" porkbun_apikey: "{{ vault_porkbun_apikey }}"


@ -10,7 +10,7 @@
- role: os_el - role: os_el
become: true become: true
when: ansible_distribution in [ "AlmaLinux", "CentOS" ] when: ansible_distribution in [ "AlmaLinux", "CentOS", "Rocky" ]
# Upgrade all packages and install the basic-bitch ones # Upgrade all packages and install the basic-bitch ones
- role: base_system - role: base_system
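Review bot: `"Rocky"` is appended to a hand-maintained distribution list here, and the same one-token edit is repeated in the HC Vault, yad and pam_yubico sections further down this page, so the next EL derivative will again need four separate changes. Where the intent is "any EL-family host", a single source of truth is safer, e.g. a list variable in group_vars, or `ansible_facts.os_family == "RedHat"` together with `ansible_facts.distribution_major_version` (note that `os_family` is also `RedHat` for Fedora, so keep an explicit check where Fedora must be excluded). The `os_el` role entry starts above this hunk, so I cannot tell whether such a variable already exists.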


@ -4,16 +4,16 @@
name: "*" name: "*"
state: latest state: latest
update_cache: true update_cache: true
when: ansible_distribution in [ "Debian", "Ubuntu" ] when: ansible_facts.pkg_mgr == "apt"
- name: Upgrade all packages with dnf - name: Upgrade all packages with dnf
ansible.builtin.dnf: ansible.builtin.dnf:
name: "*" name: "*"
state: latest state: latest
when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora" ] when: ansible_facts.pkg_mgr.startswith("dnf")
- name: Upgrade all packages with zypper - name: Upgrade all packages with zypper
community.general.zypper: community.general.zypper:
name: "*" name: "*"
state: latest state: latest
when: "'openSUSE' in ansible_distribution" when: ansible_facts.pkg_mgr == "zypper"
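Review bot: The new `when: ansible_facts.pkg_mgr.startswith("dnf")` sends dnf5 hosts to `ansible.builtin.dnf` as well; confirm that module works against the dnf5 backend on those targets, otherwise `ansible.builtin.package` (already used elsewhere in this tree) is the simpler choice because it dispatches on `pkg_mgr` itself. `ansible_facts.pkg_mgr` only exists when facts are gathered, so a play running this role with `gather_facts: false` now fails with an undefined variable instead of skipping; the task list starts outside the hunk. A short comment above the first task would save the next reader a lookup: `# Dispatch on the detected package manager, not the distribution: Fedora/EL share dnf (dnf5 on newer Fedora), Debian/Ubuntu share apt.`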


@ -3,3 +3,9 @@
# reverse proxy (adjusts the origin, so that the Cockpit doesn't drop sessions, # reverse proxy (adjusts the origin, so that the Cockpit doesn't drop sessions,
# and checks for SSL/TLS connections) # and checks for SSL/TLS connections)
cockpit_has_reverse_proxy: false cockpit_has_reverse_proxy: false
# Boolean variable that denotes whether to install dependencies for 2FA auth
# to Cockpit (Google Authenticator and QR encoding utilities for enrolling the
# OTP), also installs the rule to the pam.d so that the 2FA is required for
# logging in to the Cockpit.
cockpit_2fa: false
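Review bot: The new comment says 2FA "is required" for Cockpit logins, but the PAM line this variable enables (in the role's `tasks/main.yml`, also on this page) carries `nullok`, under which a user with no enrolled token still authenticates with the password alone. Suggest saying so here, since this is the file operators read when flipping the switch, e.g. `# Note: the PAM rule uses nullok, so the OTP is only enforced for users who have enrolled (a ~/.google_authenticator file exists); un-enrolled users log in with password only.`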


@ -3,3 +3,11 @@
ansible.builtin.package: ansible.builtin.package:
name: cockpit name: cockpit
state: present state: present
- name: Install deps for 2FA in Cockpit
ansible.builtin.package:
name:
- google-authenticator
- qrencode-libs
state: present
when: cockpit_2fa
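Review bot: `google-authenticator` and `qrencode-libs` are Fedora/EL package names; on a Debian-family host `ansible.builtin.package` would look for the same names and fail (the Debian package is `libpam-google-authenticator`). If this role is meant to stay EL/Fedora-only, a comment above `name:` saying so, or a `when:` on the OS family next to `cockpit_2fa`, would make that explicit; otherwise the names belong in per-distribution vars. Whether this task runs with `become: true` cannot be seen in the hunk.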


@ -12,6 +12,16 @@
group: root group: root
when: cockpit_has_reverse_proxy when: cockpit_has_reverse_proxy
- name: Require 2FA for logging into the Cockpit
ansible.builtin.lineinfile:
line: auth required pam_google_authenticator.so nullok
path: /etc/pam.d/cockpit
create: true
mode: 0644
owner: root
group: root
when: cockpit_2fa
- name: Enable cockpit - name: Enable cockpit
ansible.builtin.service: ansible.builtin.service:
name: "cockpit.socket" name: "cockpit.socket"
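Review bot: `create: true` on `/etc/pam.d/cockpit` means that if the packaged PAM file is missing, the task silently writes a stack consisting only of `auth required pam_google_authenticator.so nullok` — and with `nullok`, an un-enrolled user would then pass the auth phase with no password check at all. Prefer `create: false` so a missing Cockpit PAM configuration fails loudly, and decide deliberately whether `nullok` stays: it is what allows login before enrolment, but it also means the "Require" in the task name only holds for enrolled users, which deserves a `# why` comment on the `line:`. Also quote the mode, `mode: "0644"`: an unquoted `0644` is an octal integer to YAML 1.1 and Ansible's documentation recommends quoting modes for consistent results (the same form appears as `mode: 0740` in the VSCode `main.yml` section below and as `mode: 0700` in the WireGuard tasks).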


@ -0,0 +1 @@
install_fedora-family.yml


@ -1,11 +1,4 @@
--- ---
- name: Enable the Copr
community.general.copr:
name: varlad/helix
state: enabled
when: ansible_distribution not in ("AlmaLinux")
become: true
- name: Install the Helix - name: Install the Helix
ansible.builtin.package: ansible.builtin.package:
name: helix name: helix


@ -1,12 +0,0 @@
[Desktop Entry]
Name=Visual Studio Code - URL Handler
Comment=Code Editing. Redefined.
GenericName=Text Editor
Exec=/opt/VSCode-linux-x64/bin/code-insiders --no-sandbox --open-url %U
Icon=/opt/VSCode-linux-x64/resources/app/resources/linux/code.png
Type=Application
NoDisplay=true
StartupNotify=true
Categories=Utility;TextEditor;Development;IDE;
MimeType=x-scheme-handler/vscode-insiders;
Keywords=vscode;


@ -1,18 +0,0 @@
[Desktop Entry]
Name=Visual Studio Code Insiders
Comment=Code Editing. Refined.
GenericName=Text Editor
Exec=/opt/VSCode-linux-x64/bin/code-insiders --no-sandbox --unity-launch %F
Icon=/opt/VSCode-linux-x64/resources/app/resources/linux/code.png
Type=Application
StartupNotify=false
StartupWMClass=code - insiders
Categories=Utility;TextEditor;Development;IDE;
MimeType=text/plain;inode/directory;
Actions=new-empty-window;
Keywords=vscode;
[Desktop Action new-empty-window]
Name=New Empty Window
Exec=/opt/VSCode-linux-x64/bin/code-insiders --no-sandbox --new-window %F
Icon=/opt/VSCode-linux-x64/resources/app/resources/linux/code.png


@ -1,31 +0,0 @@
#!/bin/bash
# for upstream
URL='https://code.visualstudio.com/sha/download?build=insider&os=linux-x64'
# for local
# URL='https://maxwell.mfocko.xyz/code-insiders.tar.gz'
# for local over VPN (also use --no-check-certificate)
# URL='https://172.16.0.2/code-insiders.tar.gz'
echo ">>> Downloading";
wget $URL -O /tmp/code.tar.gz
echo ">>> Removing and extracting";
rm -rf /opt/VSCode-linux-x64
tar xvaf /tmp/code.tar.gz -C /opt/
# Check for binaries
if ! [ -x /usr/local/bin/code-insiders ]; then
echo ">>> Linking binaries";
ln -s /opt/VSCode-linux-x64/bin/code-insiders /usr/local/bin/
ln -s /opt/VSCode-linux-x64/bin/code-insiders /usr/local/bin/code
fi
# Check for *.desktop
if ! ls /usr/share/applications | grep visual-studio-code; then
echo ">>> Installing desktop files";
PATH_TO_APPS=/home/mfocko/.local/share/visual-studio-code-insiders
sudo cp $PATH_TO_APPS{,-url-handler}.desktop /usr/share/applications/;
fi


@ -0,0 +1 @@
install_rhel.yml


@ -0,0 +1 @@
install_rhel.yml


@ -0,0 +1 @@
install_rhel.yml


@ -0,0 +1 @@
install_rhel.yml


@ -0,0 +1,12 @@
---
- name: Resolve URL to the VSCode RPM
ansible.builtin.uri:
url: https://code.visualstudio.com/sha/download?build=insider&os=linux-rpm-x64
register: _vscode_rpm_response
- name: Install VSCode via RPM
ansible.builtin.dnf:
name: "{{ _vscode_rpm_response.url }}"
disable_gpg_check: true
state: present
become: true
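Review bot: `disable_gpg_check: true` installs an RPM fetched from a redirect target without any signature verification, so the only protection left is the TLS connection to code.visualstudio.com and whatever CDN it redirects to. Microsoft signs these RPMs; importing their key once with `ansible.builtin.rpm_key` (optionally pinned with `fingerprint:`, value taken from Microsoft's documentation) lets the check stay enabled. Separately, the `uri` task uses the default GET and so downloads the whole package just to learn the final URL; `method: HEAD` would return the same `url` field for a fraction of the transfer, provided the download endpoint answers HEAD — worth confirming.
```yaml
- name: Import the Microsoft RPM signing key
  ansible.builtin.rpm_key:
    key: https://packages.microsoft.com/keys/microsoft.asc
    state: present
  become: true

# … unchanged: Resolve URL to the VSCode RPM …

- name: Install VSCode via RPM
  ansible.builtin.dnf:
    name: "{{ _vscode_rpm_response.url }}"
    state: present
  become: true
```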


@ -1,28 +1,13 @@
--- ---
- name: Install VSCode
ansible.builtin.include_tasks: "install_{{ ansible_distribution }}.yml"
tags: install
- name: Create directories for VSCode - name: Create directories for VSCode
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "$HOME/.config/Code - Insiders/User"
state: directory state: directory
mode: 0740 mode: 0740
loop:
- ~/.local/bin
- ~/.local/share
- "$HOME/.config/Code - Insiders/User"
- name: Install VSCode script
ansible.builtin.copy:
src: files/update.sh
dest: ~/.local/bin/code-update.sh
mode: 0640
- name: Create app info for VSCode
ansible.builtin.copy:
src: files/code{{ item }}.desktop
dest: ~/.local/share/applications/visual-studio-code-insiders{{ item }}.desktop
mode: 0640
loop:
- ""
- "-url-handler"
- name: Install VSCode configuration - name: Install VSCode configuration
ansible.builtin.copy: ansible.builtin.copy:
@ -32,11 +17,3 @@
loop: loop:
- settings - settings
- keybindings - keybindings
- name: Install VSCode
ansible.builtin.command:
cmd: bash /home/{{ target_user }}/.local/bin/code-update.sh
creates: /opt/VSCode-linux-x64
become: true
when: false
tags: install
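Review bot: `tags: install` on the new `include_tasks` applies to the include statement only, not to the tasks inside `install_{{ ansible_distribution }}.yml`, so a run with `--tags install` would evaluate the include and then skip the actual install tasks (the removed task at the bottom of this section tagged the install itself). Pass the tag through with `apply:`; `import_tasks` is not an option here because the file name depends on a host fact. The name is built from `ansible_distribution`, so a distribution without a matching `install_*.yml` (or symlink) fails with a file-not-found rather than a clear message; an `ansible.builtin.assert` on the supported list, or `lookup('first_found', ...)`, would make that explicit.
```yaml
- name: Install VSCode
  ansible.builtin.include_tasks:
    file: "install_{{ ansible_distribution }}.yml"
    apply:
      tags: install
  tags: install
```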


@ -0,0 +1 @@
install_el.yml


@ -1,6 +1,6 @@
--- ---
- name: Install HC Vault via package manager - name: Install HC Vault via package manager
when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora", "Ubuntu"] when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora", "Rocky", "Ubuntu"]
tags: install tags: install
block: block:
- name: Enable repository - name: Enable repository


@ -34,4 +34,4 @@
name: yad name: yad
state: present state: present
become: true become: true
when: 'ansible_distribution not in [ "AlmaLinux" ] and "openSUSE" not in ansible_distribution' when: 'ansible_distribution not in [ "AlmaLinux", "Rocky" ] and "openSUSE" not in ansible_distribution'


@ -55,4 +55,4 @@
- name: Set trusted CA - name: Set trusted CA
ansible.builtin.include_tasks: trusted_ca.yml ansible.builtin.include_tasks: trusted_ca.yml
when: sshd_auth_trusted_ca when: ssh_server_auth_trusted_ca


@ -16,5 +16,5 @@
- name: Set key/pair facts - name: Set key/pair facts
ansible.builtin.set_fact: ansible.builtin.set_fact:
wg_private_key: _generated_private_key.stdout wg_private_key: "{{ _generated_private_key.stdout }}"
wg_public_key: _derived_public_key.stdout wg_public_key: "{{ _derived_public_key.stdout }}"
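Review bot: `wg_private_key` now holds real secret material (the templated stdout of the key-generation command), and `set_fact` results show up in `-v` output and in the fact cache if `cacheable` is ever enabled. Confirm that the task registering `_generated_private_key` (outside this hunk) runs with `no_log: true`, and consider adding `no_log: true` to this `set_fact` as well so the private key never reaches the controller log.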


@ -6,11 +6,11 @@
- name: Check for existence of private key - name: Check for existence of private key
ansible.builtin.stat: ansible.builtin.stat:
path: /etc/wireguard/private.key path: /etc/wireguard/private.key
register: _private_key_stat register: _private_key
- name: Generate keypair - name: Generate keypair
ansible.builtin.include_tasks: tasks/generate_keypair.yml ansible.builtin.include_tasks: tasks/generate_keypair.yml
when: not _private_key_stat.exists when: not _private_key.stat.exists
- name: Save private key - name: Save private key
ansible.builtin.template: ansible.builtin.template:
@ -21,7 +21,7 @@
mode: 0700 mode: 0700
vars: vars:
key: "{{ wg_private_key }}" key: "{{ wg_private_key }}"
when: not _private_key_stat.exists when: not _private_key.stat.exists
- name: Save public key - name: Save public key
ansible.builtin.template: ansible.builtin.template:
@ -32,7 +32,7 @@
mode: 0700 mode: 0700
vars: vars:
key: "{{ wg_public_key }}" key: "{{ wg_public_key }}"
when: not _private_key_stat.exists when: not _private_key.stat.exists
- name: Set dns_command for co-openSUSE - name: Set dns_command for co-openSUSE
ansible.builtin.set_fact: ansible.builtin.set_fact:
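Review bot: The three tasks now repeat `when: not _private_key.stat.exists`; grouping "Generate keypair", "Save private key" and "Save public key" under one `block:` with a single `when:` keeps the condition in one place (the `include_tasks` can live inside the block). Note also that when `private.key` exists but the public key file is missing, nothing regenerates it — probably acceptable, but a comment above "Save public key" stating that assumption would help. `mode: 0700` on both templates should be quoted, `mode: "0700"`: unquoted it is an octal integer to YAML 1.1 and Ansible recommends quoting modes for consistent results.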


@ -3,7 +3,7 @@
ansible.builtin.package: ansible.builtin.package:
name: pam_yubico name: pam_yubico
state: present state: present
when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora" ] when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora", "Rocky" ]
- name: Enable PPA on Ubuntu - name: Enable PPA on Ubuntu
ansible.builtin.apt_repository: ansible.builtin.apt_repository: