48 changed files with 242 additions and 532 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -1 +0,0 @@
 **/vault diff=ansible-vault merge=binary
--- a/ansible.cfg
+++ b/ansible.cfg
@ -1,4 +1,3 @@
 [defaults]
 inventory     = ./inventory
 roles_path    = roles/
 vault_password_file = scripts/get_vault_pass.sh
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -38,34 +38,14 @@ yubikey_token_id: None
 # Client IP for the ‹wg-admin› VPN
 wg_admin_ip: None
 # Dictionary containing the IP addresses of the hosts on Wireguard interfaces
 # Keys represent interface name, values IP address with a mask.
 #
 # Convenience variable for easier deduplication of common values that are used
 # across all the hosts.
 wg_addresses: None
 # Dictionary containing the private keys for the Wireguard hosts. Keys represent
 # interface name, values private key.
 #
 # Convenience variable to maintain better idempotency and reproducibility of the
 # Ansible deployments/bootstraps.
 wg_private_keys: None
 # Wireguard connections
 # List of connections to set up, example:
 #
 #     - ifname: ‹interface name›
 #       autoconnect: "true/false"  # needs to be a string
 #
 #       private_key: ‹private key for the VPN connection, if not generated›
 #       generate_keypair: true/false
 #
 #       address: ‹assigned address on the VPN›
 #       gateway: ‹part of the DNS resolution setup›
 #       dns: ‹IP of the DNS server on the VPN›
 #       domain: ‹domain, adjust DNS resolution, if set›
-#
+#       gateway: ‹part of the DNS resolution setup›
 #       address: ‹assigned address on the VPN›
 #       peers:
-#         - { note, endpoint, public_key, allowed_ips, keepalive }
+#         - { note, public_key, allowed_ips, endpoint, keepalive }
 wg_connections: []
--- a/group_vars/all/vars
+++ b/group_vars/all/vars
@ -8,6 +8,5 @@ gpg_signingkey: "7C47D46246790496"
 hashicorp_vault_address: "{{ vault_hashicorp_vault_address }}"
 vaultwarden_address: "{{ vault_vaultwarden_address }}"
-wg_addresses: "{{ vault_wg_addresses }}"
+wg_admin_ip: "{{ vault_wg_admin_ip }}"
 wg_private_keys: "{{ vault_wg_private_keys }}"
 wg_connections: "{{ vault_wg_connections }}"
--- a/group_vars/all/vault
+++ b/group_vars/all/vault
@ -1,81 +1,28 @@
 $ANSIBLE_VAULT;1.1;AES256
-32646438633661393232633832623432636435386330393264326530373731633932626364656562
+63376231613461376465633862633737343864636662306262303530303165623730613833323961
-3265333062393538363536393037383433663564613231340a346261336530396536613131386564
+6233383266366236326435656134656437356539326533390a636631613339373366346338666436
-64666433663036396331626163636163643035323830343637386532343434356132386162366361
+38633938316237626662666363343230663533633565643838323137306434376539353439306339
-3938303166643334330a633065663064393833646563323133393330353634333665663332613732
+3435623631323865630a333834343066363837643061313063666632383962396435326530633239
-36346535653836383735313561316366633437383237663766366433643139663663623231666166
+30396561643634396632386433633263323830646463643835626639313139663332653638353862
-33306332316464623733393338363065613437306433653663623564313332653136363235626336
+33616434363635396462343533656234393662373533666662623763633363636233626436663931
-30643464613630363331623665623563633266336236663665613864313831356236373066626633
+33633439323531663634613834396330653636353733366336303836646230373165663833363134
-36363130326233383163616161353830366139313930653330653837666535666237613237373362
+39623339353436373862333736353133353331623239663961313835666166323233643964646138
-38363665393536643237393338623466353435633635653634323631353265363462333431653235
+34656332663534626636323531333563653263366330346665663739373335356631386562353531
-38383730383634633861393932373662303339626433303162393533303164653830373566373936
+32613765316661303034616366656462376561363432396663646565353230316238366336376466
-65303735336531656163613139353965363732646161623961663439393832356638663761396134
+32663264313531393136363832393364616538646131653561653762366430396437396361376132
-32303466613265366461303137663831323036303362613464666362386363303836333239313834
+66633035663334323762396361326538343032356432333766346538653864313530653162653131
-64653961383865383638343937623532616165633138303839393832356364653736313039336133
+66383461383036306137343638373831633265303638643366393837373332623538326364643739
-31623263323365373064666236363163363539633931633635643539323163343335656338653535
+32316464376535643933363935383336663438373132643233346133383232653363373337323634
-37623166656333373538393230613533666632363035366565666330663065396265346262383139
+36356531623838306262333733306639336538323630656438383836323437373938373139396131
-66646464386263386535363930636364303338353330616538613836343238303665363939363930
+33643361326362643638306162336132626135393362373431306137383261643335626534353730
-37333361633532613430396531616261343666656238373364383465343462363261613031663239
+32626630633135656432313737326238343264333465313434633961383166313162656666626639
-31393930336333333364663839373231336638666533316231643834316439366431363435396132
+34336438353838376530306630326635633262616631653436313739393438663162313265626431
-31396237313765316334643931346164316261656138346134616233646335646365623665646632
+35333033396265356166356162646462376532616431663530653664323838343833663464653035
-61316630316565333664653532663232316432393432383233636564646432343737373161663963
+31336436316631616135326233363235303032346161393366323930623430376333636661623737
-62376536336537353538633366613431646537663966306533623037363361316134393463396438
+39613464653165366230383539366464336639383666636437323337666566613836376537656466
-64636566326632313333333033396334323065613962376539396633353661366235313436376132
+32346161386163363665373633663961333435613636376165386634366331393835306537323033
-35353339623765393135646264356436373832633232383762343933663436386531346364336336
+39353963633061616466323636396536643338356361353865313139396135663836636162343165
-61616164613265623061653933353438666632643164313839303065393438636137653632336163
+65386162343539336437643630323631353230396566616563613865613261383835353862313134
-61376436616564343139356165323162383238316264646536646138396635633234323862613135
+37336236393862656636376665646466623862633732663833616535373737613538626437303935
-35363838666630303666623638363137623964336663396462343266336264336635666631363563
+65633539663834333564386638626432316166616630653333326431643231626331666634383236
-65396465393563616431373563663738343161393238396132313536643433346237376134313031
+393965363664366531313766383735323335
 37633431353437636638656661323762383333616562623364353731303137393637313135356338
 38643238393663313966323233303037623838383934663263623461363863653536303132346337
 34623535633233306133666665353339663836323336343561343537326261323633333761336631
 65623133383633616463643462336630643363346561316162346433386137313431306131656162
 34343137633239666535346431663663363634643936643132343436616266353532633434663939
 38336130343062393964366230643633656561663939653030653064623532306663363731616566
 30393361636133303231643138633766613461633665663566633862363533366233326365653430
 33633761396236663738326561616433303934663936306334323465346334666464346333376266
 39633438383064303338396337613835383039313861376363323563336333663263303465316534
 36343132393035633165623864623937636235633965326566373730303430613562376365663364
 38643665346530376430316164616538313462373633653630316330326638303466333836623730
 33643237663666383235363736313335306636346263623032356262326666666134623862653265
 32666630383134633037643138323432656633343565656461336534386566613162323736373166
 36666536303639303064373035313130636438653331613262613365643166383036623630656434
 38363431336566626238343830393561666230383464613036306236346237346132316565373932
 35346361373535373838323566313166666233623761653663376636666539393438353436306232
 61343762333939366664333366356132303738316464393030613863383434656639376136623661
 65373338356263613738626463646337343939663735623432616138373665633163373334616139
 35353833303738396666363561643537323730373031373137386361626664623936626333303337
 37636562353863336531336134636139346538383839626365356532393735333834653638383438
 65653736366437373838613330643431336632623432623264346530646535623635363834623931
 62616166373435623161313438656631323137366538386235323766633363653062373565353436
 39346236613137373662316265396536383334353636323065383730386436356635666138643264
 37626438633430353934623136633230623737326632323933646132656163343833643230336564
 64643030623932366337356666393162333732656164616235623736613036393134383535303936
 30336131323263643165623663646661306166616530623338333266303831653834653431363033
 39646365333065306536316161366635363361386366393834333261363437656266306132333230
 30303836396136373963643131383565383239643561363665306336393536643039623736323333
 37643835376437616563316363636166356466396165366238306334386466353630366462366463
 39356366346561366661323131343331363935653064373137366233316633313833623662383366
 30313561356164613038386130303031623534636163613863356438333766633835326331373934
 61633136393466666238396264366464363632616532336332376265383761363936396635633961
 65393235326364326164626563626163643265633235656330616437643865356636376432613936
 66303065373665623536653562393933633564303634376435373135393235353065366661666137
 61373864383437376131363634333237656162313739363134323039323935623632343338613061
 38633161616262393138356130386266643261313539646137326237643262363061326633646664
 30643931373061323864656534626563653735636335616631626134663838663261383064336465
 62313762313362326634353334376632643536643161326262653637623232353534336465366639
 66656532643236336235306566343761376131633639346332623266313139333235326464333334
 30633961616531343535646632663665653365333961343038636439366664323463653335333363
 38333135343363323631373533316561383732643231383862653132383531323266303534663665
 31633038353065373865306333346437643265623262323036656439663664653337653131373865
 39353635613333643933656636643166346539373838353738373864313839636138333763613033
 30383937613463616434626561346436393734653039373563613361333835396361333663366534
 31376166643263633437353435646536363034316165653334613430393037656136393532306137
 31343165353661383835306664623064633333666639306334336464333836376535336237623232
 61666530663162373934326465383865613936323739323739383966353631623433643231343535
 62333065333036393330353230323265653264333762326431363937643131326131613663306532
 61363430316464663762633336313265373064343731386261376133663463616135646432373062
 37633861316332616639633234313938353230646237343934393735396232613662306131666438
 39613139643132633564633431636365656165313531373262393030366236343836653436656338
 34646533656164313836343930383535633038643437616165303432323865653836343064343261
 36636262613338366530
--- a/group_vars/desktops/vars
+++ b/group_vars/desktops/vars
@ -3,7 +3,6 @@ ssh_server_sign_host_keys: false
 ssh_server_auth_password_authentication: "yes"
 flatpak_apps:
  - com.brave.Browser
  - "com.chatterino.chatterino/{{ ansible_architecture }}/stable"
  - com.discordapp.Discord
  - com.spotify.Client
@ -14,102 +13,3 @@ flatpak_apps:
  - org.telegram.desktop
  # - org.x.Warpinator
  - org.flameshot.Flameshot
 editor_vscode_extensions:
  # C/C++
  - bazelbuild.vscode-bazel
  - ms-vscode.cmake-tools
  - ms-vscode.cpptools
  - ms-vscode.cpptools-extension-pack
  - ms-vscode.cpptools-themes
  - twxs.cmake
  # C#
  - ms-dotnettools.csdevkit
  - ms-dotnettools.csharp
  - ms-dotnettools.vscode-dotnet-runtime
  - ms-dotnettools.vscodeintellicode-csharp
  # Deno
  - denoland.vscode-deno
  # Go
  - golang.go
  # Hare
  - adotinthevoid.hare-highlighting
  # Java
  - redhat.java
  - vscjava.vscode-gradle
  - vscjava.vscode-java-debug
  - vscjava.vscode-java-dependency
  - vscjava.vscode-java-pack
  - vscjava.vscode-java-test
  - vscjava.vscode-maven
  # Kotlin
  - mathiasfrohlich.kotlin
  # Python
  - charliermarsh.ruff
  - ms-python.debugpy
  - ms-python.python
  - ms-python.vscode-pylance
  - ms-toolsai.jupyter
  - ms-toolsai.jupyter-keymap
  - ms-toolsai.jupyter-renderers
  - ms-toolsai.vscode-jupyter-cell-tags
  - ms-toolsai.vscode-jupyter-slideshow
  # Rust
  - rust-lang.rust-analyzer
  # Swift
  - sswg.swift-lang
  - vadimcn.vscode-lldb
  # Zig
  - ziglang.vscode-zig
  # Git
  - eamodio.gitlens
  # Themes
  - akamud.vscode-theme-onedark
  - akamud.vscode-theme-onelight
  - alexandernanberg.horizon-theme-vscode
  - atomiks.moonlight
  - avidworks.vampiro
  - catppuccin.catppuccin-vsc
  - ddiu8081.moegi-theme
  - dracula-theme.theme-dracula
  - enkia.tokyo-night
  - fabiospampinato.vscode-monokai-night
  - github.github-vscode-theme
  - gnhuy91.theme-oceanicnext-sublime
  - ibmlover.oxocarbon
  - keifererikson.nightfox
  - liviuschera.noctis
  - mcagampan.dark-horizon
  - ms-vscode.theme-tomorrowkit
  - mvllow.rose-pine
  - sdras.night-owl
  - teabyii.ayu
  - tomphilbin.gruvbox-themes
  - vincentfiestada.cold-horizon-vscode
  - zhuangtongfa.material-theme
  # Misc
  - asciidoctor.asciidoctor-vscode
  - cs50.vscode-presentation-mode
  - danielgjackson.auto-dark-mode-windows
  - editorconfig.editorconfig
  - ms-vscode-remote.remote-containers
  - tamasfe.even-better-toml
  - unifiedjs.vscode-mdx
  - vscodevim.vim
  # Where does this come from?
  - visualstudioexptteam.intellicode-api-usage-examples
  - visualstudioexptteam.vscodeintellicode
--- a/group_vars/servers/vars
+++ b/group_vars/servers/vars
@ -1,8 +1,5 @@
 certbot_email: "{{ vault_certbot_email }}"
 cockpit_2fa: true
 cockpit_has_reverse_proxy: true
 host_fqdn: "{{ vault_host_fqdn }}"
 porkbun_apikey: "{{ vault_porkbun_apikey }}"
--- a/host_vars/ampere/vault
+++ b/host_vars/ampere/vault
@ -1,20 +1,6 @@
 $ANSIBLE_VAULT;1.1;AES256
-37313763643432623939616435323639326235653062376332346163653338366638393531313864
+37346330376565653933653934653564643163356637666632393964366632363336353463323432
-6362383739393765383762323437326337643534356339380a396436306566393638666362383037
+3765303739303338326463396635653834396361316331340a326239666464363739363562613233
-32336462646362363066626230303433386137353263623535376233306634366530373439376464
+30353039313564353866663838626366663064633332313662656238323262393131626462373064
-3363303734363266620a623861373831616338303662613862643361356339303466346664363330
+6566376239356530300a303362633534636565386636393764396362653263323362306264383461
-37313961373535393339386539356638383239656465636135613338646132353264373737623362
+31363065383436313062336338303762316164663036393533376130643138646237
 33323334656564306136656564653261646230613232633161623234636362643363633235363032
 38633461373230326536393734383162656161366533373135353162313334313833666637313134
 38366332383666623036366439343265353232633032666436363164613464623534613264346531
 31663366663430313637306135353930386330333932383864333264313265616337333530396562
 32636136333261366231653933383131306161393033623666396234633363613766643562393366
 61613130353465356334313637353231366535363339623631306535383634643731303363613461
 66363738646464333038633961623363386533626363336536653330626266646431633531373033
 64636162326465326632666235356437636338303030353839316231356165616166393963333761
 64393630666635306632633530363738656139623939313533316336636139626434346139373262
 39306331346434643639626232366536666234653830386533373035353762313437363932636439
 33346639363733623761326239616236383763393235343130633964373330373736386533663537
 38396133376132633934656362653563613333323735386137393162373238366464333966663862
 65613937363863323264376662326434343966366161316134653138653066646331336637303839
 653336356139313536663533636632383766
--- a/host_vars/hertz/vault
+++ b/host_vars/hertz/vault
@ -1,20 +1,6 @@
 $ANSIBLE_VAULT;1.1;AES256
-62313235373263656238613263613564626638333563616630373638316163653734363431663333
+61353931363939383464363938643136373433643736333361646566393863663136336162643962
-3134616263323961613261653131653662343333666334370a373465623863313538376236336562
+3038666635616462623231656565663764643666663536390a316232623638396239636234376330
-61666661613332363732336466383238623635323534393461306433343635343165633130333832
+64663638363766343536373236366434356135366435336661393935396161393161626361313662
-6265366230353732390a373236666238386638333365316137623461626664623830626438353538
+6664343835393263310a623439323739666362356335653538646331316331613165393263343039
-61373163663138303336316231343461376538326261653631306434373566393939353862393561
+34363335393961363265646263653138346563633339653039613831366565326638
 30353064356533646361386330313738323233373466636234646463363035353565306263353361
 30646661383561343630353733663163313937386332333133613566376334636561653062666464
 64623465303930376433346565343364373565373530336133653537623766326264336165303833
 38633362373231636266316461336461663735386632386537666431353232616331323362333831
 66303633353830353330333033383562613863346661393566663965616530623432316134306664
 62666132666234653363636535663163643631316431373265343939376263393739313831316463
 34633334303938643939313266306565343765666239393638623333353931613831336239353533
 39633635356134613035633866363764366135626166376364623938313066636335623233633639
 32656538626662626532323530656665376633353535353835643637313661613235616237386637
 36333531666232323431333264616161333038393239303239393038333234366235353335383365
 30646233666661336435656463663966353433323864633265636536616431333536666265666566
 35373937666132313134323436633334343834363732393732356636666136653263616538396132
 64383830356563333836383234323763313236346561353835383931653565333636613561303564
 613333623536616635323431613638343730
--- a/host_vars/mountainside/vault
+++ b/host_vars/mountainside/vault
@ -1,31 +1,18 @@
 $ANSIBLE_VAULT;1.1;AES256
-35303332646531393361626335626138653663373131323539393865333336366139343631623465
+36636438356436373332646664346661373963643733333236363633643064623636663239383965
-3464386461316466376636663339346266656363323435340a343262393062646336616361396463
+3635646338663966303232306532393934336261646537300a363838643037656339393937366633
-64306161616432363638646133376333316462353361623331383532326135383838383861653662
+66303139376663626136353838353961626533623031316565393639363538636666633633656532
-3062343730383336300a306461333039663937303335653032656362653863613333326239323834
+6533643435663638380a663565313230326166343431666266663737393032326334633537653763
-38356639313239353432366165363231646439343939303063616532316565383935646163643865
+39323464636231333931646430313539613332623435323833643763333637643438633431303166
-31323264383731653737613930383539323263373866366266386630393339323765303338383661
+38386434323565343266663331313664316333373032613238326139333038383134336134316666
-34373964663936613133326363623461333564303837636462613035353166326639666132366638
+62633364613830323935653839373235376566393863363565376463346263653837643534376333
-36306331383663633266383162333962363431303566356630356430386337633363373764633661
+32666233613036616366363263353030633966343066623731343763313537373433663266393362
-37343430343264336331376261306633383765393236383435656431656439313163626339303232
+32376636313465373932633435306363313262613161353234313063396362333732343864373964
-36303530653139646531633663383434343063623964623461323731313932373238363139653565
+37323333356235336530343761316335623366646536623233353062396439613834663963326230
-37303431306135656635323733323734666164303931343832376439646333396364313134613262
+33376235626165346530623931663832633363373139323237353664663562336235366538623538
-31333439366539366631323439366435633835383965373064653335336265313064613663623530
+39636230326639613637653431666564343831663438623738323635343237656463333637306563
-35343361353965373733636337626139636631626663353032636433343235363532316266373138
+36346131363737613633383763333032373635393730626435343565353065653265653563646562
-32363630613036613833353937656534656466613634363838643735613034356334346436626534
+38366630373166373266633030323066653866363238323738666137656435653133643336316463
-33623734656439373234636235343338306563336637396662613830626363343232356666383366
+63666236343534303636643630613838336466623530613436356362333732303666636239663665
-37633332336366636162646163663130326435356138663135653737336336646232626131326337
+38396166333837393737303138636133323933613932313030386664303865626130626661663337
-66656163616434323237643362313263346366393865356361323532623634386163386636306165
+35613532613062346435343330633232393038303862326632303033623031306433
 35323334626163623161646337626436373634653265353337343536653363373433643566316136
 37383039386130663836356263323564363436353433643464323164666639383561346563346430
 33636534333431383866333034353838333265316261643434386332333461313965366663366634
 65663336306664643337373233643333386638663762393437653861353634346239363333343239
 38383135393863393436613739393537396639646332343264333036376333353263363361313234
 65366261633139346566626231303765356535366565623533333865306435313763333061356536
 63303131666465633632666632383334326436663530363634316231313736616135623964626166
 65303032323562363136623266623136643039316231613633616539373234316439653663633835
 64333661333763313337663265623062316338643666613034613236396335663366326635623134
 30653762663436363332333436633534666136643165623364366331376337303830373438626366
 35343962626538666135393061333233313863643363396561363431383035316439353265306637
 37666637646564393762383364333966373663343539363932656434366530663830316236643739
 3531393539613265343135363838633661373633663430376133
--- a/playbooks/bootstrap.yml
+++ b/playbooks/bootstrap.yml
@ -10,11 +10,7 @@
    - role: os_el
      become: true
-      when: ansible_distribution in [ "AlmaLinux", "CentOS", "Rocky" ]
+      when: ansible_distribution in [ "AlmaLinux", "CentOS" ]
    - role: os_deb
      become: true
      when: ansible_distribution in [ "Debian", "Ubuntu" ]
    # Upgrade all packages and install the basic-bitch ones
    - role: base_system
@ -112,10 +108,7 @@
      with_items: "{{ wg_connections }}"
      vars:
        wg_ifname: "{{ item.ifname }}"
        wg_autoconnect: "{{ item.autoconnect }}"
        wg_generate_keypair: "{{ item.generate_keypair }}"
        wg_private_key: "{{ item.private_key }}"
        wg_dns: "{{ item.dns }}"
        wg_domain: "{{ item.domain }}"
        wg_gateway: "{{ item.gateway }}"
        wg_address: "{{ item.address }}"
--- a/roles/base_system/tasks/upgrade.yml
+++ b/roles/base_system/tasks/upgrade.yml
@ -4,16 +4,16 @@
    name: "*"
    state: latest
    update_cache: true
-  when: ansible_facts.pkg_mgr == "apt"
+  when: ansible_distribution in [ "Debian", "Ubuntu" ]
 - name: Upgrade all packages with ‹dnf›
  ansible.builtin.dnf:
    name: "*"
    state: latest
-  when: ansible_facts.pkg_mgr.startswith("dnf")
+  when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora" ]
 - name: Upgrade all packages with ‹zypper›
  community.general.zypper:
    name: "*"
    state: latest
-  when: ansible_facts.pkg_mgr == "zypper"
+  when: "'openSUSE' in ansible_distribution"
--- a/roles/cockpit/defaults/main.yml
+++ b/roles/cockpit/defaults/main.yml
@ -3,9 +3,3 @@
 # reverse proxy (adjusts the origin, so that the Cockpit doesn't drop sessions,
 # and checks for SSL/TLS connections)
 cockpit_has_reverse_proxy: false
 # Boolean variable that denotes whether to install dependencies for 2FA auth
 # to Cockpit (Google Authenticator and QR encoding utilities for enrolling the
 # OTP), also installs the rule to the ‹pam.d› so that the 2FA is required for
 # logging in to the Cockpit.
 cockpit_2fa: false
--- a/roles/cockpit/tasks/install.yml
+++ b/roles/cockpit/tasks/install.yml
@ -3,11 +3,3 @@
  ansible.builtin.package:
    name: cockpit
    state: present
 - name: Install deps for 2FA in Cockpit
  ansible.builtin.package:
    name:
      - google-authenticator
      - qrencode-libs
    state: present
  when: cockpit_2fa
--- a/roles/cockpit/tasks/main.yml
+++ b/roles/cockpit/tasks/main.yml
@ -12,16 +12,6 @@
    group: root
  when: cockpit_has_reverse_proxy
 - name: Require 2FA for logging into the Cockpit
  ansible.builtin.lineinfile:
    line: auth required pam_google_authenticator.so nullok
    path: /etc/pam.d/cockpit
    create: true
    mode: 0644
    owner: root
    group: root
  when: cockpit_2fa
 - name: Enable cockpit
  ansible.builtin.service:
    name: "cockpit.socket"
--- a/roles/editor_helix/tasks/install_Rocky.yml
+++ b/roles/editor_helix/tasks/install_Rocky.yml
@ -1 +0,0 @@
 install_fedora-family.yml
--- a/roles/editor_helix/tasks/install_Ubuntu.yml
+++ b/roles/editor_helix/tasks/install_Ubuntu.yml
@ -1 +0,0 @@
 install_Debian.yml
--- a/roles/editor_helix/tasks/install_Ubuntu.yml
+++ b/roles/editor_helix/tasks/install_Ubuntu.yml
@ -0,0 +1,12 @@
 ---
 - name: Enable the PPA for Helix
  ansible.builtin.apt_repository:
    repo: ppa:maveonair/helix-editor
    state: present
  become: true
 - name: Install the Helix
  ansible.builtin.package:
    name: helix
    state: present
  become: true
--- a/roles/editor_helix/tasks/install_fedora-family.yml
+++ b/roles/editor_helix/tasks/install_fedora-family.yml
@ -1,4 +1,11 @@
 ---
 - name: Enable the Copr
  community.general.copr:
    name: varlad/helix
    state: enabled
  when: ansible_distribution not in ("AlmaLinux")
  become: true
 - name: Install the Helix
  ansible.builtin.package:
    name: helix
--- a/roles/editor_vscode/defaults/main.yml
+++ b/roles/editor_vscode/defaults/main.yml
@ -1,3 +0,0 @@
 ---
 # List of VSCode extensions to be installed with the VSCode
 editor_vscode_extensions: []
--- a/roles/editor_vscode/files/code-url-handler.desktop
+++ b/roles/editor_vscode/files/code-url-handler.desktop
@ -0,0 +1,12 @@
 [Desktop Entry]
 Name=Visual Studio Code - URL Handler
 Comment=Code Editing. Redefined.
 GenericName=Text Editor
 Exec=/opt/VSCode-linux-x64/bin/code-insiders --no-sandbox --open-url %U
 Icon=/opt/VSCode-linux-x64/resources/app/resources/linux/code.png
 Type=Application
 NoDisplay=true
 StartupNotify=true
 Categories=Utility;TextEditor;Development;IDE;
 MimeType=x-scheme-handler/vscode-insiders;
 Keywords=vscode;
--- a/roles/editor_vscode/files/code.desktop
+++ b/roles/editor_vscode/files/code.desktop
@ -0,0 +1,18 @@
 [Desktop Entry]
 Name=Visual Studio Code Insiders
 Comment=Code Editing. Refined.
 GenericName=Text Editor
 Exec=/opt/VSCode-linux-x64/bin/code-insiders --no-sandbox --unity-launch %F
 Icon=/opt/VSCode-linux-x64/resources/app/resources/linux/code.png
 Type=Application
 StartupNotify=false
 StartupWMClass=code - insiders
 Categories=Utility;TextEditor;Development;IDE;
 MimeType=text/plain;inode/directory;
 Actions=new-empty-window;
 Keywords=vscode;
 [Desktop Action new-empty-window]
 Name=New Empty Window
 Exec=/opt/VSCode-linux-x64/bin/code-insiders --no-sandbox --new-window %F
 Icon=/opt/VSCode-linux-x64/resources/app/resources/linux/code.png
--- a/roles/editor_vscode/files/update.sh
+++ b/roles/editor_vscode/files/update.sh
@ -0,0 +1,31 @@
 #!/bin/bash
 # for upstream
 URL='https://code.visualstudio.com/sha/download?build=insider&os=linux-x64'
 # for local
 # URL='https://maxwell.mfocko.xyz/code-insiders.tar.gz'
 # for local over VPN (also use --no-check-certificate)
 # URL='https://172.16.0.2/code-insiders.tar.gz'
 echo ">>> Downloading";
 wget $URL -O /tmp/code.tar.gz
 echo ">>> Removing and extracting";
 rm -rf /opt/VSCode-linux-x64
 tar xvaf /tmp/code.tar.gz -C /opt/
 # Check for binaries
 if ! [ -x /usr/local/bin/code-insiders ]; then
 	echo ">>> Linking binaries";
 	ln -s /opt/VSCode-linux-x64/bin/code-insiders /usr/local/bin/
 	ln -s /opt/VSCode-linux-x64/bin/code-insiders /usr/local/bin/code
 fi
 # Check for *.desktop
 if ! ls /usr/share/applications | grep visual-studio-code; then
 	echo ">>> Installing desktop files";
 	PATH_TO_APPS=/home/mfocko/.local/share/visual-studio-code-insiders
 	sudo cp $PATH_TO_APPS{,-url-handler}.desktop /usr/share/applications/;
 fi
--- a/roles/editor_vscode/tasks/install_apt.yml
+++ b/roles/editor_vscode/tasks/install_apt.yml
@ -1,11 +0,0 @@
 ---
 - name: Resolve URL to the VSCode deb package
  ansible.builtin.uri:
    url: https://code.visualstudio.com/sha/download?build=insider&os=linux-deb-x64
  register: _vscode_deb_response
 - name: Install VSCode via deb package
  ansible.builtin.apt:
    deb: "{{ _vscode_deb_response.url }}"
    state: present
  become: true
--- a/roles/editor_vscode/tasks/install_dnf.yml
+++ b/roles/editor_vscode/tasks/install_dnf.yml
@ -1 +0,0 @@
 install_rpm.yml
--- a/roles/editor_vscode/tasks/install_dnf5.yml
+++ b/roles/editor_vscode/tasks/install_dnf5.yml
@ -1 +0,0 @@
 install_rpm.yml
--- a/roles/editor_vscode/tasks/install_rpm.yml
+++ b/roles/editor_vscode/tasks/install_rpm.yml
@ -1,21 +0,0 @@
 ---
 - name: Resolve URL to the VSCode RPM
  ansible.builtin.uri:
    url: https://code.visualstudio.com/sha/download?build=insider&os=linux-rpm-x64
  register: _vscode_rpm_response
 - name: Install VSCode via dnf
  ansible.builtin.dnf:
    name: "{{ _vscode_rpm_response.url }}"
    disable_gpg_check: true
    state: present
  become: true
  when: ansible_facts.pkg_mgr.startswith("dnf")
 - name: Install VSCode via zypper
  community.general.zypper:
    name: "{{ _vscode_rpm_response.url }}"
    disable_gpg_check: true
    state: present
  become: true
  when: ansible_facts.pkg_mgr == "zypper"
--- a/roles/editor_vscode/tasks/install_zypper.yml
+++ b/roles/editor_vscode/tasks/install_zypper.yml
@ -1 +0,0 @@
 install_rpm.yml
--- a/roles/editor_vscode/tasks/main.yml
+++ b/roles/editor_vscode/tasks/main.yml
@ -1,13 +1,28 @@
 ---
 - name: Install VSCode
  ansible.builtin.include_tasks: "install_{{ ansible_facts.pkg_mgr }}.yml"
  tags: install
 - name: Create directories for VSCode
  ansible.builtin.file:
-    path: "$HOME/.config/Code - Insiders/User"
+    path: "{{ item }}"
    state: directory
    mode: 0740
  loop:
    - ~/.local/bin
    - ~/.local/share
    - "$HOME/.config/Code - Insiders/User"
 - name: Install VSCode script
  ansible.builtin.copy:
    src: files/update.sh
    dest: ~/.local/bin/code-update.sh
    mode: 0640
 - name: Create app info for VSCode
  ansible.builtin.copy:
    src: files/code{{ item }}.desktop
    dest: ~/.local/share/applications/visual-studio-code-insiders{{ item }}.desktop
    mode: 0640
  loop:
    - ""
    - "-url-handler"
 - name: Install VSCode configuration
  ansible.builtin.copy:
@ -18,10 +33,10 @@
    - settings
    - keybindings
- name: Install extensions
+- name: Install VSCode
  ansible.builtin.command:
-    cmd: code-insiders --install-extension {{ item }}
+    cmd: bash /home/{{ target_user }}/.local/bin/code-update.sh
-  register: _editor_vscode_installation_result
+    creates: /opt/VSCode-linux-x64
-  changed_when: '"was successfully installed." in _editor_vscode_installation_result.stdout'
+  become: true
-  failed_when: '"Error while installing extensions" in _editor_vscode_installation_result.stderr'
+  when: false
-  loop: "{{ editor_vscode_extensions }}"
+  tags: install
--- a/roles/forgejo/defaults/main.yml
+++ b/roles/forgejo/defaults/main.yml
@ -11,6 +11,3 @@ forgejo_http_port: 3000
 # SSH port that's exposed from the container
 forgejo_ssh_port: 2222
 # Version of the Forgejo to be pulled; for available see image tags
 forgejo_version: 11
--- a/roles/forgejo/templates/forgejo.container
+++ b/roles/forgejo/templates/forgejo.container
@ -4,11 +4,10 @@
 Description=Forgejo
 After=postgresql.service
 Requires=postgresql.service
 PartOf=postgresql.service
 [Container]
 ContainerName=forgejo
-Image=codeberg.org/forgejo/forgejo:{{ forgejo_version }}
+Image=codeberg.org/forgejo/forgejo:9
 AutoUpdate=registry
 Environment=USER_UID=1000
--- a/roles/git/templates/gitconfig
+++ b/roles/git/templates/gitconfig
@ -1,7 +1,6 @@
 [alias]
    scommit = commit --signoff
    graph   = log --oneline --decorate --graph --all
    lg      = log --color=always --date=format:'%Y-%m-%d' --format='%C(red)%ad %C(green)%h %C(blue)(%aL): %Creset%s%C(Yellow)%d'
 [commit]
    gpgsign = true
@ -33,9 +32,6 @@
 [difftool "vscode-difftool"]
    cmd = code --wait --diff $LOCAL $REMOTE
 [diff "ansible-vault"]
    textconv = ansible-vault view
 [gpg]
    # format = ssh
    program = gpg2
--- a/roles/os_deb/tasks/main.yml
+++ b/roles/os_deb/tasks/main.yml
@ -1,4 +0,0 @@
 ---
 - name: Enable all Debian repos
  ansible.builtin.include_tasks: repositories.yml
  when: ansible_facts.distribution == "Debian"
--- a/roles/os_deb/tasks/repositories.yml
+++ b/roles/os_deb/tasks/repositories.yml
@ -1,35 +0,0 @@
 ---
 - name: Disable installation DVD as a source
  ansible.builtin.lineinfile:
    path: /etc/apt/sources.list
    regexp: "^deb cdrom:"
    state: absent
 - name: Enable additional Debian repos
  ansible.builtin.deb822_repository:
    name: "{{ item.name }}"
    types:
      - deb
      - deb-src
    uris: "{{ item.uris }}"
    suites: "{{ item.suites }}"
    components:
      - contrib
      - non-free
    state: present
  loop:
    - name: contrib-non_free
      uris: http://ftp.sk.debian.org/debian/
      suites: "{{ ansible_facts.distribution_release }}"
    - name: security-contrib-non_free
      uris: http://security.debian.org/debian-security
      suites: "{{ ansible_facts.distribution_release }}-security"
    - name: updates-contrib-non_free
      uris: http://ftp.sk.debian.org/debian/
      suites: "{{ ansible_facts.distribution_release }}-updates"
  register: _deb_repo
 - name: Refresh the cache, if any of the repos has changed
  ansible.builtin.apt:
    update_cache: true
  when: _deb_repo.changed
--- a/roles/secrets_hcv/tasks/install_Debian.yml
+++ b/roles/secrets_hcv/tasks/install_Debian.yml
@ -1 +0,0 @@
 install_deb.yml
--- a/roles/secrets_hcv/tasks/install_Rocky.yml
+++ b/roles/secrets_hcv/tasks/install_Rocky.yml
@ -1 +0,0 @@
 install_el.yml
--- a/roles/secrets_hcv/tasks/install_Ubuntu.yml
+++ b/roles/secrets_hcv/tasks/install_Ubuntu.yml
@ -1 +0,0 @@
 install_deb.yml
--- a/roles/secrets_hcv/tasks/install_Ubuntu.yml
+++ b/roles/secrets_hcv/tasks/install_Ubuntu.yml
@ -0,0 +1,13 @@
 ---
 - name: Add HashiCorp GPG Key
  ansible.builtin.get_url:
    url: https://apt.releases.hashicorp.com/gpg
    dest: /etc/apt/keyrings/hashicorp.asc
    mode: 0640
  become: true
 - name: Add HashiCorp repository
  ansible.builtin.apt_repository:
    repo: "deb [signed-by=/etc/apt/keyrings/hashicorp.gpg] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main"
    state: present
  become: true
--- a/roles/secrets_hcv/tasks/install_deb.yml
+++ b/roles/secrets_hcv/tasks/install_deb.yml
@ -1,19 +0,0 @@
 ---
 - name: Add HashiCorp repository
  ansible.builtin.deb822_repository:
    name: hashicorp
    types: deb
    uris: https://apt.releases.hashicorp.com
    suites: "{{ ansible_distribution_release }}"
    components:
      - main
    signed_by: https://apt.releases.hashicorp.com/gpg
    state: present
  become: true
  register: _deb_repo
 - name: Refresh the cache if HashiCorp repo has been changed
  ansible.builtin.apt:
    update_cache: true
  become: true
  when: _deb_repo.changed
--- a/roles/secrets_hcv/tasks/main.yml
+++ b/roles/secrets_hcv/tasks/main.yml
@ -1,6 +1,6 @@
 ---
 - name: Install HC Vault via package manager
-  when: ansible_distribution in [ "AlmaLinux", "CentOS", "Debian", "Fedora", "Rocky", "Ubuntu" ]
+  when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora", "Ubuntu"]
  tags: install
  block:
    - name: Enable repository
@ -14,7 +14,7 @@
 - name: Install HC Vault to userspace
  ansible.builtin.include_tasks: install_user.yml
-  when: ansible_distribution not in [ "AlmaLinux", "CentOS", "Debian", "Fedora", "Rocky", "Ubuntu" ]
+  when: ansible_distribution not in [ "AlmaLinux", "CentOS", "Fedora", "Ubuntu"]
  tags: install
 - name: Install ‹vssh› script
--- a/roles/shell_zsh/tasks/install.yml
+++ b/roles/shell_zsh/tasks/install.yml
@ -7,28 +7,6 @@
    state: present
  become: true
 - name: Enable ‹eza› apt repository
  block:
    - name: Enable the repository
      ansible.builtin.deb822_repository:
        name: eza
        types: deb
        uris: http://deb.gierens.de
        suites: stable
        components:
          - main
        signed_by: https://raw.githubusercontent.com/eza-community/eza/main/deb.asc
        state: present
      become: true
      register: _deb_repo
    - name: Refresh the cache after adding the repo
      ansible.builtin.apt:
        update_cache: true
      become: true
      when: _deb_repo.changed
  when: ansible_distribution in [ "Debian", "Ubuntu" ]
 - name: Install eza and bat
  ansible.builtin.package:
    name:
@ -56,4 +34,4 @@
    name: yad
    state: present
  become: true
-  when: 'ansible_distribution not in [ "AlmaLinux", "Rocky" ] and "openSUSE" not in ansible_distribution'
+  when: 'ansible_distribution not in [ "AlmaLinux" ] and "openSUSE" not in ansible_distribution'
--- a/roles/shell_zsh/templates/zshrc
+++ b/roles/shell_zsh/templates/zshrc
@ -29,7 +29,6 @@ alias kittyconf="$EDITOR ~/.config/kitty/kitty.conf"
 export GIT_EDITOR=$EDITOR
 alias gcs="git commit --gpg-sign --signoff --verbose"
 alias gcsp="git commit --gpg-sign --signoff --verbose --patch"
 alias glgf="git lg | fzf --ansi"
 ### tokens ###
 source ~/.tokens
--- a/roles/ssh_server/tasks/main.yml
+++ b/roles/ssh_server/tasks/main.yml
@ -55,4 +55,4 @@
 - name: Set trusted CA
  ansible.builtin.include_tasks: trusted_ca.yml
-  when: ssh_server_auth_trusted_ca
+  when: sshd_auth_trusted_ca
--- a/roles/vaultwarden/templates/vaultwarden.container
+++ b/roles/vaultwarden/templates/vaultwarden.container
@ -4,7 +4,6 @@
 Description=Vaultwarden
 After=postgresql.service
 Requires=postgresql.service
 PartOf=postgresql.service
 [Container]
 ContainerName=vaultwarden
--- a/roles/wg/defaults/main.yml
+++ b/roles/wg/defaults/main.yml
@ -2,9 +2,6 @@
 # IP address assigned to the wireguard peer
 wg_address: "192.168.0.2/32"
 # IP address of the DNS server on the VPN
 wg_dns: "192.168.0.1"
 # Domain that is used with local DNS on the VPN
 wg_domain: "localdomain"
@ -17,19 +14,12 @@ wg_ifname: "wg-something"
 # Peers of the VPN, list of objects with the following format:
 #
 #     - note: ‹comment that gets put above the peer›
 #       endpoint: localhost:51820
 #       public_key: ‹public key of the peer›
 #       allowed_ips: 192.168.0.0/24
 #       endpoint: localhost:51820
 #       # if bool(keepalive) → gets included in the config
 #       keepalive: 20
 wg_peers: []
 # Whether to autoconnect; needs to be string to be properly templated for the
 # NetworkManager connection file
 wg_autoconnect: "true"
 # By default don't generate the keypair and reuse the existing one
 wg_generate_keypair: false
 # Private key, in case it is not to be generated during the runtime
 wg_private_key: ""
--- a/roles/wg/tasks/generate_keypair.yml
+++ b/roles/wg/tasks/generate_keypair.yml
@ -16,5 +16,5 @@
 - name: Set key/pair facts
  ansible.builtin.set_fact:
-    wg_private_key: "{{ _generated_private_key.stdout }}"
+    wg_private_key: _generated_private_key.stdout
-    wg_public_key: "{{ _derived_public_key.stdout }}"
+    wg_public_key: _derived_public_key.stdout
--- a/roles/wg/tasks/main.yml
+++ b/roles/wg/tasks/main.yml
@ -3,36 +3,67 @@
  ansible.builtin.include_tasks: install.yml
  tags: install
-# [TODO] Handle autogeneration of the keys
+- name: Check for existence of private key
  ansible.builtin.stat:
    path: /etc/wireguard/private.key
  register: _private_key_stat
 - name: Generate keypair
  ansible.builtin.include_tasks: tasks/generate_keypair.yml
  when: not _private_key_stat.exists
 - name: Save private key
  ansible.builtin.template:
    src: templates/keyfile.j2
    dest: /etc/wireguard/private.key
    owner: root
    group: root
    mode: 0700
  vars:
    key: "{{ wg_private_key }}"
  when: not _private_key_stat.exists
 - name: Save public key
  ansible.builtin.template:
    src: templates/keyfile.j2
    dest: /etc/wireguard/public.key
    owner: root
    group: root
    mode: 0700
  vars:
    key: "{{ wg_public_key }}"
  when: not _private_key_stat.exists
 - name: Set dns_command for co-openSUSE
  ansible.builtin.set_fact:
    wg_dns_command: "resolvectl dns %i {{ wg_gateway }}; resolvectl domain %i ~{{ wg_domain }}"
  when: '"openSUSE" not in ansible_distribution'
 - name: Set dns_command for openSUSE
  ansible.builtin.set_fact:
    wg_dns_command: "nmcli con mod %i ipv4.dns {{ wg_gateway }}; nmcli con mod %i ipv4.dns-search ~{{ wg_domain }}"
  when: '"openSUSE" in ansible_distribution'
 - name: Create the config
  vars:
    ifname: "{{ wg_ifname }}"
    autoconnect: "{{ wg_autoconnect }}"
    address: "{{ wg_address }}"
-    dns: "{{ wg_dns }}"
+    dns_command: "{{ wg_dns_command }}"
    domain: "{{ wg_domain }}"
-
+    gateway: "{{ wg_gateway }}"
    private_key: "{{ wg_private_key }}"
    peers: "{{ wg_peers }}"
  ansible.builtin.template:
-    src: "templates/wireguard-config.nmconnection"
+    src: "templates/wg.conf"
-    dest: "/etc/NetworkManager/system-connections/{{ wg_ifname }}.nmconnection"
+    dest: "/etc/wireguard/{{ wg_ifname }}.conf"
    owner: root
    group: root
    mode: "0600"
- name: Load the added connection
+- name: Set up the DNS on AlmaLinux
-  ansible.builtin.command:
+  ansible.builtin.include_tasks: "dns_{{ ansible_distribution }}.yml"
-    cmd: nmcli connection load /etc/NetworkManager/system-connections/{{ wg_ifname }}.nmconnection
+  when: wg_domain and ansible_distribution == "AlmaLinux"
  changed_when: false
  become: true
- name: Up the connection
+- name: Enable and start the wireguard connection
-  community.general.nmcli:
+  ansible.builtin.service:
-    conn_name: "{{ wg_ifname }}"
+    name: "wg-quick@{{ wg_ifname }}"
-    state: up
+    enabled: yes
-  become: true
+    state: started
  when: wg_autoconnect | bool
--- a/roles/wg/templates/wireguard-config.nmconnection
+++ b/roles/wg/templates/wireguard-config.nmconnection
@ -1,32 +0,0 @@
 # {{ ansible_managed }}
 [connection]
 id={{ ifname }}
 uuid={{ ansible_facts.hostname | to_uuid(namespace=ifname | to_uuid) }}
 type=wireguard
 autoconnect={{ autoconnect }}
 interface-name={{ ifname }}
 [ipv4]
 method=manual
 never-default=true
 address1={{ address }}
 dns={{ dns }}
 dns-search={{ domain }}
 [ipv6]
 method=ignore
 addr-gen-mode=stable-privacy
 [wireguard]
 private-key={{ private_key }}
 {% for peer in peers %}
 # {{ peer.note }}
 [wireguard-peer.{{ peer.public_key }}]
 endpoint={{ peer.endpoint }}
 allowed-ips={{ peer.allowed_ips }}
 {% if peer.keepalive %}
 persistent-keepalive={{ peer.keepalive }}
 {% endif %}
 {% endfor %}
--- a/roles/yubikey_pam/tasks/install.yml
+++ b/roles/yubikey_pam/tasks/install.yml
@ -3,7 +3,7 @@
  ansible.builtin.package:
    name: pam_yubico
    state: present
-  when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora", "Rocky" ]
+  when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora" ]
 - name: Enable PPA on Ubuntu
  ansible.builtin.apt_repository:
--- a/scripts/get_vault_pass.sh
+++ b/scripts/get_vault_pass.sh
@ -1,3 +0,0 @@
 #!/bin/sh
 bw get password "git.mfocko.xyz:mfocko/dotfiles.git"
		`@ -1,3 +0,0 @@`
			`#!/bin/sh`

			`bw get password "git.mfocko.xyz:mfocko/dotfiles.git"`