group_vars/desktops/vars

@@ -3,7 +3,6 @@ ssh_server_sign_host_keys: false
 ssh_server_auth_password_authentication: "yes"
 
 flatpak_apps:
-  - com.brave.Browser
   - "com.chatterino.chatterino/{{ ansible_architecture }}/stable"
   - com.discordapp.Discord
   - com.spotify.Client
@@ -14,102 +13,3 @@ flatpak_apps:
   - org.telegram.desktop
   # - org.x.Warpinator
   - org.flameshot.Flameshot
-
-editor_vscode_extensions:
-  # C/C++
-  - bazelbuild.vscode-bazel
-  - ms-vscode.cmake-tools
-  - ms-vscode.cpptools
-  - ms-vscode.cpptools-extension-pack
-  - ms-vscode.cpptools-themes
-  - twxs.cmake
-
-  # C#
-  - ms-dotnettools.csdevkit
-  - ms-dotnettools.csharp
-  - ms-dotnettools.vscode-dotnet-runtime
-  - ms-dotnettools.vscodeintellicode-csharp
-
-  # Deno
-  - denoland.vscode-deno
-
-  # Go
-  - golang.go
-
-  # Hare
-  - adotinthevoid.hare-highlighting
-
-  # Java
-  - redhat.java
-  - vscjava.vscode-gradle
-  - vscjava.vscode-java-debug
-  - vscjava.vscode-java-dependency
-  - vscjava.vscode-java-pack
-  - vscjava.vscode-java-test
-  - vscjava.vscode-maven
-
-  # Kotlin
-  - mathiasfrohlich.kotlin
-
-  # Python
-  - charliermarsh.ruff
-  - ms-python.debugpy
-  - ms-python.python
-  - ms-python.vscode-pylance
-  - ms-toolsai.jupyter
-  - ms-toolsai.jupyter-keymap
-  - ms-toolsai.jupyter-renderers
-  - ms-toolsai.vscode-jupyter-cell-tags
-  - ms-toolsai.vscode-jupyter-slideshow
-
-  # Rust
-  - rust-lang.rust-analyzer
-
-  # Swift
-  - sswg.swift-lang
-  - vadimcn.vscode-lldb
-
-  # Zig
-  - ziglang.vscode-zig
-
-  # Git
-  - eamodio.gitlens
-
-  # Themes
-  - akamud.vscode-theme-onedark
-  - akamud.vscode-theme-onelight
-  - alexandernanberg.horizon-theme-vscode
-  - atomiks.moonlight
-  - avidworks.vampiro
-  - catppuccin.catppuccin-vsc
-  - ddiu8081.moegi-theme
-  - dracula-theme.theme-dracula
-  - enkia.tokyo-night
-  - fabiospampinato.vscode-monokai-night
-  - github.github-vscode-theme
-  - gnhuy91.theme-oceanicnext-sublime
-  - ibmlover.oxocarbon
-  - keifererikson.nightfox
-  - liviuschera.noctis
-  - mcagampan.dark-horizon
-  - ms-vscode.theme-tomorrowkit
-  - mvllow.rose-pine
-  - sdras.night-owl
-  - teabyii.ayu
-  - tomphilbin.gruvbox-themes
-  - vincentfiestada.cold-horizon-vscode
-  - zhuangtongfa.material-theme
-
-  # Misc
-  - asciidoctor.asciidoctor-vscode
-  - cs50.vscode-presentation-mode
-  - danielgjackson.auto-dark-mode-windows
-  - editorconfig.editorconfig
-  - ms-vscode-remote.remote-containers
-  - tamasfe.even-better-toml
-  - unifiedjs.vscode-mdx
-  - vscodevim.vim
-
-  # Where does this come from?
-  - visualstudioexptteam.intellicode-api-usage-examples
-  - visualstudioexptteam.vscodeintellicode

group_vars/servers/vars

@@ -1,8 +1,5 @@
 certbot_email: "{{ vault_certbot_email }}"
 
-cockpit_2fa: true
-cockpit_has_reverse_proxy: true
-
 host_fqdn: "{{ vault_host_fqdn }}"
 
 porkbun_apikey: "{{ vault_porkbun_apikey }}"

playbooks/bootstrap.yml

@@ -10,11 +10,7 @@
 
     - role: os_el
       become: true
-      when: ansible_distribution in [ "AlmaLinux", "CentOS", "Rocky" ]
-
-    - role: os_deb
-      become: true
-      when: ansible_distribution in [ "Debian", "Ubuntu" ]
+      when: ansible_distribution in [ "AlmaLinux", "CentOS" ]
 
     # Upgrade all packages and install the basic-bitch ones
     - role: base_system

roles/base_system/tasks/upgrade.yml

@@ -4,16 +4,16 @@
     name: "*"
     state: latest
     update_cache: true
-  when: ansible_facts.pkg_mgr == "apt"
+  when: ansible_distribution in [ "Debian", "Ubuntu" ]
 
 - name: Upgrade all packages with ‹dnf›
   ansible.builtin.dnf:
     name: "*"
     state: latest
-  when: ansible_facts.pkg_mgr.startswith("dnf")
+  when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora" ]
 
 - name: Upgrade all packages with ‹zypper›
   community.general.zypper:
     name: "*"
     state: latest
-  when: ansible_facts.pkg_mgr == "zypper"
+  when: "'openSUSE' in ansible_distribution"

roles/cockpit/defaults/main.yml

@@ -3,9 +3,3 @@
 # reverse proxy (adjusts the origin, so that the Cockpit doesn't drop sessions,
 # and checks for SSL/TLS connections)
 cockpit_has_reverse_proxy: false
-
-# Boolean variable that denotes whether to install dependencies for 2FA auth
-# to Cockpit (Google Authenticator and QR encoding utilities for enrolling the
-# OTP), also installs the rule to the ‹pam.d› so that the 2FA is required for
-# logging in to the Cockpit.
-cockpit_2fa: false

roles/cockpit/tasks/install.yml

@@ -3,11 +3,3 @@
   ansible.builtin.package:
     name: cockpit
     state: present
-
-- name: Install deps for 2FA in Cockpit
-  ansible.builtin.package:
-    name:
-      - google-authenticator
-      - qrencode-libs
-    state: present
-  when: cockpit_2fa

roles/cockpit/tasks/main.yml

@@ -12,16 +12,6 @@
     group: root
   when: cockpit_has_reverse_proxy
 
-- name: Require 2FA for logging into the Cockpit
-  ansible.builtin.lineinfile:
-    line: auth required pam_google_authenticator.so nullok
-    path: /etc/pam.d/cockpit
-    create: true
-    mode: 0644
-    owner: root
-    group: root
-  when: cockpit_2fa
-
 - name: Enable cockpit
   ansible.builtin.service:
     name: "cockpit.socket"

roles/editor_helix/tasks/install_Rocky.yml

@@ -1 +0,0 @@
-install_fedora-family.yml

roles/editor_helix/tasks/install_Ubuntu.yml

@@ -1 +0,0 @@
-install_Debian.yml

roles/editor_helix/tasks/install_Ubuntu.yml

@@ -0,0 +1,12 @@
+---
+- name: Enable the PPA for Helix
+  ansible.builtin.apt_repository:
+    repo: ppa:maveonair/helix-editor
+    state: present
+  become: true
+
+- name: Install the Helix
+  ansible.builtin.package:
+    name: helix
+    state: present
+  become: true

roles/editor_helix/tasks/install_fedora-family.yml

@@ -1,4 +1,11 @@
 ---
+- name: Enable the Copr
+  community.general.copr:
+    name: varlad/helix
+    state: enabled
+  when: ansible_distribution not in ("AlmaLinux")
+  become: true
+
 - name: Install the Helix
   ansible.builtin.package:
     name: helix

roles/editor_vscode/defaults/main.yml

@@ -1,3 +0,0 @@
----
-# List of VSCode extensions to be installed with the VSCode
-editor_vscode_extensions: []

roles/editor_vscode/files/code-url-handler.desktop

@@ -0,0 +1,12 @@
+[Desktop Entry]
+Name=Visual Studio Code - URL Handler
+Comment=Code Editing. Redefined.
+GenericName=Text Editor
+Exec=/opt/VSCode-linux-x64/bin/code-insiders --no-sandbox --open-url %U
+Icon=/opt/VSCode-linux-x64/resources/app/resources/linux/code.png
+Type=Application
+NoDisplay=true
+StartupNotify=true
+Categories=Utility;TextEditor;Development;IDE;
+MimeType=x-scheme-handler/vscode-insiders;
+Keywords=vscode;

roles/editor_vscode/files/code.desktop

@@ -0,0 +1,18 @@
+[Desktop Entry]
+Name=Visual Studio Code Insiders
+Comment=Code Editing. Refined.
+GenericName=Text Editor
+Exec=/opt/VSCode-linux-x64/bin/code-insiders --no-sandbox --unity-launch %F
+Icon=/opt/VSCode-linux-x64/resources/app/resources/linux/code.png
+Type=Application
+StartupNotify=false
+StartupWMClass=code - insiders
+Categories=Utility;TextEditor;Development;IDE;
+MimeType=text/plain;inode/directory;
+Actions=new-empty-window;
+Keywords=vscode;
+
+[Desktop Action new-empty-window]
+Name=New Empty Window
+Exec=/opt/VSCode-linux-x64/bin/code-insiders --no-sandbox --new-window %F
+Icon=/opt/VSCode-linux-x64/resources/app/resources/linux/code.png

roles/editor_vscode/files/update.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# for upstream
+URL='https://code.visualstudio.com/sha/download?build=insider&os=linux-x64'
+
+# for local
+# URL='https://maxwell.mfocko.xyz/code-insiders.tar.gz'
+
+# for local over VPN (also use --no-check-certificate)
+# URL='https://172.16.0.2/code-insiders.tar.gz'
+
+echo ">>> Downloading";
+wget $URL -O /tmp/code.tar.gz
+
+echo ">>> Removing and extracting";
+rm -rf /opt/VSCode-linux-x64
+tar xvaf /tmp/code.tar.gz -C /opt/
+
+# Check for binaries
+if ! [ -x /usr/local/bin/code-insiders ]; then
+	echo ">>> Linking binaries";
+	ln -s /opt/VSCode-linux-x64/bin/code-insiders /usr/local/bin/
+	ln -s /opt/VSCode-linux-x64/bin/code-insiders /usr/local/bin/code
+fi
+
+# Check for *.desktop
+if ! ls /usr/share/applications | grep visual-studio-code; then
+	echo ">>> Installing desktop files";
+	PATH_TO_APPS=/home/mfocko/.local/share/visual-studio-code-insiders
+	sudo cp $PATH_TO_APPS{,-url-handler}.desktop /usr/share/applications/;
+fi

roles/editor_vscode/tasks/install_apt.yml

@@ -1,11 +0,0 @@
----
-- name: Resolve URL to the VSCode deb package
-  ansible.builtin.uri:
-    url: https://code.visualstudio.com/sha/download?build=insider&os=linux-deb-x64
-  register: _vscode_deb_response
-
-- name: Install VSCode via deb package
-  ansible.builtin.apt:
-    deb: "{{ _vscode_deb_response.url }}"
-    state: present
-  become: true

roles/editor_vscode/tasks/install_dnf.yml

@@ -1 +0,0 @@
-install_rpm.yml

roles/editor_vscode/tasks/install_dnf5.yml

@@ -1 +0,0 @@
-install_rpm.yml

roles/editor_vscode/tasks/install_rpm.yml

@@ -1,21 +0,0 @@
----
-- name: Resolve URL to the VSCode RPM
-  ansible.builtin.uri:
-    url: https://code.visualstudio.com/sha/download?build=insider&os=linux-rpm-x64
-  register: _vscode_rpm_response
-
-- name: Install VSCode via dnf
-  ansible.builtin.dnf:
-    name: "{{ _vscode_rpm_response.url }}"
-    disable_gpg_check: true
-    state: present
-  become: true
-  when: ansible_facts.pkg_mgr.startswith("dnf")
-
-- name: Install VSCode via zypper
-  community.general.zypper:
-    name: "{{ _vscode_rpm_response.url }}"
-    disable_gpg_check: true
-    state: present
-  become: true
-  when: ansible_facts.pkg_mgr == "zypper"

roles/editor_vscode/tasks/install_zypper.yml

@@ -1 +0,0 @@
-install_rpm.yml

roles/editor_vscode/tasks/main.yml

@@ -1,13 +1,28 @@
 ---
-- name: Install VSCode
-  ansible.builtin.include_tasks: "install_{{ ansible_facts.pkg_mgr }}.yml"
-  tags: install
-
 - name: Create directories for VSCode
   ansible.builtin.file:
-    path: "$HOME/.config/Code - Insiders/User"
+    path: "{{ item }}"
     state: directory
     mode: 0740
+  loop:
+    - ~/.local/bin
+    - ~/.local/share
+    - "$HOME/.config/Code - Insiders/User"
+
+- name: Install VSCode script
+  ansible.builtin.copy:
+    src: files/update.sh
+    dest: ~/.local/bin/code-update.sh
+    mode: 0640
+
+- name: Create app info for VSCode
+  ansible.builtin.copy:
+    src: files/code{{ item }}.desktop
+    dest: ~/.local/share/applications/visual-studio-code-insiders{{ item }}.desktop
+    mode: 0640
+  loop:
+    - ""
+    - "-url-handler"
 
 - name: Install VSCode configuration
   ansible.builtin.copy:
@@ -18,10 +33,10 @@
     - settings
     - keybindings
 
-- name: Install extensions
+- name: Install VSCode
   ansible.builtin.command:
-    cmd: code-insiders --install-extension {{ item }}
-  register: _editor_vscode_installation_result
-  changed_when: '"was successfully installed." in _editor_vscode_installation_result.stdout'
-  failed_when: '"Error while installing extensions" in _editor_vscode_installation_result.stderr'
-  loop: "{{ editor_vscode_extensions }}"
+    cmd: bash /home/{{ target_user }}/.local/bin/code-update.sh
+    creates: /opt/VSCode-linux-x64
+  become: true
+  when: false
+  tags: install

roles/forgejo/templates/forgejo.container

@@ -4,11 +4,10 @@
 Description=Forgejo
 After=postgresql.service
 Requires=postgresql.service
-PartOf=postgresql.service
 
 [Container]
 ContainerName=forgejo
-Image=codeberg.org/forgejo/forgejo:10
+Image=codeberg.org/forgejo/forgejo:9
 AutoUpdate=registry
 
 Environment=USER_UID=1000

roles/os_deb/tasks/main.yml

@@ -1,4 +0,0 @@
----
-- name: Enable all Debian repos
-  ansible.builtin.include_tasks: repositories.yml
-  when: ansible_facts.distribution == "Debian"

roles/os_deb/tasks/repositories.yml

@@ -1,29 +0,0 @@
----
-- name: Disable installation DVD as a source
-  ansible.builtin.lineinfile:
-    path: /etc/apt/sources.list
-    regexp: "^deb cdrom:"
-    state: absent
-
-- name: Enable additional Debian repos
-  ansible.builtin.deb822_repository:
-    name: "{{ item.name }}"
-    types:
-      - deb
-      - deb-src
-    uris: "{{ item.uris }}"
-    suites: "{{ item.suites }}"
-    components:
-      - contrib
-      - non-free
-    state: present
-  loop:
-    - name: contrib-non_free
-      uris: http://ftp.sk.debian.org/debian/
-      suites: "{{ ansible_facts.distribution_release }}"
-    - name: security-contrib-non_free
-      uris: http://security.debian.org/debian-security
-      suites: "{{ ansible_facts.distribution_release }}-security"
-    - name: updates-contrib-non_free
-      uris: http://ftp.sk.debian.org/debian/
-      suites: "{{ ansible_facts.distribution_release }}-updates"

roles/secrets_hcv/tasks/install_Debian.yml

@@ -1 +0,0 @@
-install_deb.yml

roles/secrets_hcv/tasks/install_Rocky.yml

@@ -1 +0,0 @@
-install_el.yml

roles/secrets_hcv/tasks/install_Ubuntu.yml

@@ -1 +0,0 @@
-install_deb.yml

roles/secrets_hcv/tasks/install_Ubuntu.yml

@@ -0,0 +1,13 @@
+---
+- name: Add HashiCorp GPG Key
+  ansible.builtin.get_url:
+    url: https://apt.releases.hashicorp.com/gpg
+    dest: /etc/apt/keyrings/hashicorp.asc
+    mode: 0640
+  become: true
+
+- name: Add HashiCorp repository
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by=/etc/apt/keyrings/hashicorp.gpg] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main"
+    state: present
+  become: true

roles/secrets_hcv/tasks/install_deb.yml

@@ -1,12 +0,0 @@
----
-- name: Add HashiCorp repository
-  ansible.builtin.deb822_repository:
-    name: hashicorp
-    types: deb
-    uris: https://apt.releases.hashicorp.com
-    suites: "{{ ansible_distribution_release }}"
-    components:
-      - main
-    signed_by: https://apt.releases.hashicorp.com/gpg
-    state: present
-  become: true

roles/secrets_hcv/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Install HC Vault via package manager
-  when: ansible_distribution in [ "AlmaLinux", "CentOS", "Debian", "Fedora", "Rocky", "Ubuntu" ]
+  when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora", "Ubuntu"]
   tags: install
   block:
     - name: Enable repository
@@ -14,7 +14,7 @@
 
 - name: Install HC Vault to userspace
   ansible.builtin.include_tasks: install_user.yml
-  when: ansible_distribution not in [ "AlmaLinux", "CentOS", "Debian", "Fedora", "Rocky", "Ubuntu" ]
+  when: ansible_distribution not in [ "AlmaLinux", "CentOS", "Fedora", "Ubuntu"]
   tags: install
 
 - name: Install ‹vssh› script

roles/shell_zsh/tasks/install.yml

@@ -7,19 +7,6 @@
     state: present
   become: true
 
-- name: Enable ‹eza› apt repository
-  ansible.builtin.deb822_repository:
-    name: eza
-    types: deb
-    uris: http://deb.gierens.de
-    suites: stable
-    components:
-      - main
-    signed_by: https://raw.githubusercontent.com/eza-community/eza/main/deb.asc
-    state: present
-  become: true
-  when: ansible_distribution in [ "Debian", "Ubuntu" ]
-
 - name: Install eza and bat
   ansible.builtin.package:
     name:
@@ -47,4 +34,4 @@
     name: yad
     state: present
   become: true
-  when: 'ansible_distribution not in [ "AlmaLinux", "Rocky" ] and "openSUSE" not in ansible_distribution'
+  when: 'ansible_distribution not in [ "AlmaLinux" ] and "openSUSE" not in ansible_distribution'

roles/ssh_server/tasks/main.yml

@@ -55,4 +55,4 @@
 
 - name: Set trusted CA
   ansible.builtin.include_tasks: trusted_ca.yml
-  when: ssh_server_auth_trusted_ca
+  when: sshd_auth_trusted_ca

roles/vaultwarden/templates/vaultwarden.container

@@ -4,7 +4,6 @@
 Description=Vaultwarden
 After=postgresql.service
 Requires=postgresql.service
-PartOf=postgresql.service
 
 [Container]
 ContainerName=vaultwarden

roles/wg/tasks/generate_keypair.yml

@@ -16,5 +16,5 @@
 
 - name: Set key/pair facts
   ansible.builtin.set_fact:
-    wg_private_key: "{{ _generated_private_key.stdout }}"
-    wg_public_key: "{{ _derived_public_key.stdout }}"
+    wg_private_key: _generated_private_key.stdout
+    wg_public_key: _derived_public_key.stdout

roles/wg/tasks/main.yml

@@ -6,11 +6,11 @@
 - name: Check for existence of private key
   ansible.builtin.stat:
     path: /etc/wireguard/private.key
-  register: _private_key
+  register: _private_key_stat
 
 - name: Generate keypair
   ansible.builtin.include_tasks: tasks/generate_keypair.yml
-  when: not _private_key.stat.exists
+  when: not _private_key_stat.exists
 
 - name: Save private key
   ansible.builtin.template:
@@ -21,7 +21,7 @@
     mode: 0700
   vars:
     key: "{{ wg_private_key }}"
-  when: not _private_key.stat.exists
+  when: not _private_key_stat.exists
 
 - name: Save public key
   ansible.builtin.template:
@@ -32,7 +32,7 @@
     mode: 0700
   vars:
     key: "{{ wg_public_key }}"
-  when: not _private_key.stat.exists
+  when: not _private_key_stat.exists
 
 - name: Set dns_command for co-openSUSE
   ansible.builtin.set_fact:

roles/yubikey_pam/tasks/install.yml

@@ -3,7 +3,7 @@
   ansible.builtin.package:
     name: pam_yubico
     state: present
-  when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora", "Rocky" ]
+  when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora" ]
 
 - name: Enable PPA on Ubuntu
   ansible.builtin.apt_repository: