32 changed files with 134 additions and 258 deletions
--- a/group_vars/desktops/vars
+++ b/group_vars/desktops/vars
@ -3,7 +3,6 @@ ssh_server_sign_host_keys: false
 ssh_server_auth_password_authentication: "yes"
 flatpak_apps:
  - com.brave.Browser
  - "com.chatterino.chatterino/{{ ansible_architecture }}/stable"
  - com.discordapp.Discord
  - com.spotify.Client
@ -14,102 +13,3 @@ flatpak_apps:
  - org.telegram.desktop
  # - org.x.Warpinator
  - org.flameshot.Flameshot
 editor_vscode_extensions:
  # C/C++
  - bazelbuild.vscode-bazel
  - ms-vscode.cmake-tools
  - ms-vscode.cpptools
  - ms-vscode.cpptools-extension-pack
  - ms-vscode.cpptools-themes
  - twxs.cmake
  # C#
  - ms-dotnettools.csdevkit
  - ms-dotnettools.csharp
  - ms-dotnettools.vscode-dotnet-runtime
  - ms-dotnettools.vscodeintellicode-csharp
  # Deno
  - denoland.vscode-deno
  # Go
  - golang.go
  # Hare
  - adotinthevoid.hare-highlighting
  # Java
  - redhat.java
  - vscjava.vscode-gradle
  - vscjava.vscode-java-debug
  - vscjava.vscode-java-dependency
  - vscjava.vscode-java-pack
  - vscjava.vscode-java-test
  - vscjava.vscode-maven
  # Kotlin
  - mathiasfrohlich.kotlin
  # Python
  - charliermarsh.ruff
  - ms-python.debugpy
  - ms-python.python
  - ms-python.vscode-pylance
  - ms-toolsai.jupyter
  - ms-toolsai.jupyter-keymap
  - ms-toolsai.jupyter-renderers
  - ms-toolsai.vscode-jupyter-cell-tags
  - ms-toolsai.vscode-jupyter-slideshow
  # Rust
  - rust-lang.rust-analyzer
  # Swift
  - sswg.swift-lang
  - vadimcn.vscode-lldb
  # Zig
  - ziglang.vscode-zig
  # Git
  - eamodio.gitlens
  # Themes
  - akamud.vscode-theme-onedark
  - akamud.vscode-theme-onelight
  - alexandernanberg.horizon-theme-vscode
  - atomiks.moonlight
  - avidworks.vampiro
  - catppuccin.catppuccin-vsc
  - ddiu8081.moegi-theme
  - dracula-theme.theme-dracula
  - enkia.tokyo-night
  - fabiospampinato.vscode-monokai-night
  - github.github-vscode-theme
  - gnhuy91.theme-oceanicnext-sublime
  - ibmlover.oxocarbon
  - keifererikson.nightfox
  - liviuschera.noctis
  - mcagampan.dark-horizon
  - ms-vscode.theme-tomorrowkit
  - mvllow.rose-pine
  - sdras.night-owl
  - teabyii.ayu
  - tomphilbin.gruvbox-themes
  - vincentfiestada.cold-horizon-vscode
  - zhuangtongfa.material-theme
  # Misc
  - asciidoctor.asciidoctor-vscode
  - cs50.vscode-presentation-mode
  - danielgjackson.auto-dark-mode-windows
  - editorconfig.editorconfig
  - ms-vscode-remote.remote-containers
  - tamasfe.even-better-toml
  - unifiedjs.vscode-mdx
  - vscodevim.vim
  # Where does this come from?
  - visualstudioexptteam.intellicode-api-usage-examples
  - visualstudioexptteam.vscodeintellicode
--- a/group_vars/servers/vars
+++ b/group_vars/servers/vars
@ -1,8 +1,5 @@
 certbot_email: "{{ vault_certbot_email }}"
 cockpit_2fa: true
 cockpit_has_reverse_proxy: true
 host_fqdn: "{{ vault_host_fqdn }}"
 porkbun_apikey: "{{ vault_porkbun_apikey }}"
--- a/playbooks/bootstrap.yml
+++ b/playbooks/bootstrap.yml
@ -10,11 +10,7 @@
    - role: os_el
      become: true
-      when: ansible_distribution in [ "AlmaLinux", "CentOS", "Rocky" ]
+      when: ansible_distribution in [ "AlmaLinux", "CentOS" ]
    - role: os_deb
      become: true
      when: ansible_distribution in [ "Debian", "Ubuntu" ]
    # Upgrade all packages and install the basic-bitch ones
    - role: base_system
--- a/roles/base_system/tasks/upgrade.yml
+++ b/roles/base_system/tasks/upgrade.yml
@ -4,16 +4,16 @@
    name: "*"
    state: latest
    update_cache: true
-  when: ansible_facts.pkg_mgr == "apt"
+  when: ansible_distribution in [ "Debian", "Ubuntu" ]
 - name: Upgrade all packages with ‹dnf›
  ansible.builtin.dnf:
    name: "*"
    state: latest
-  when: ansible_facts.pkg_mgr.startswith("dnf")
+  when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora" ]
 - name: Upgrade all packages with ‹zypper›
  community.general.zypper:
    name: "*"
    state: latest
-  when: ansible_facts.pkg_mgr == "zypper"
+  when: "'openSUSE' in ansible_distribution"
--- a/roles/cockpit/defaults/main.yml
+++ b/roles/cockpit/defaults/main.yml
@ -3,9 +3,3 @@
 # reverse proxy (adjusts the origin, so that the Cockpit doesn't drop sessions,
 # and checks for SSL/TLS connections)
 cockpit_has_reverse_proxy: false
 # Boolean variable that denotes whether to install dependencies for 2FA auth
 # to Cockpit (Google Authenticator and QR encoding utilities for enrolling the
 # OTP), also installs the rule to the ‹pam.d› so that the 2FA is required for
 # logging in to the Cockpit.
 cockpit_2fa: false
--- a/roles/cockpit/tasks/install.yml
+++ b/roles/cockpit/tasks/install.yml
@ -3,11 +3,3 @@
  ansible.builtin.package:
    name: cockpit
    state: present
 - name: Install deps for 2FA in Cockpit
  ansible.builtin.package:
    name:
      - google-authenticator
      - qrencode-libs
    state: present
  when: cockpit_2fa
--- a/roles/cockpit/tasks/main.yml
+++ b/roles/cockpit/tasks/main.yml
@ -12,16 +12,6 @@
    group: root
  when: cockpit_has_reverse_proxy
 - name: Require 2FA for logging into the Cockpit
  ansible.builtin.lineinfile:
    line: auth required pam_google_authenticator.so nullok
    path: /etc/pam.d/cockpit
    create: true
    mode: 0644
    owner: root
    group: root
  when: cockpit_2fa
 - name: Enable cockpit
  ansible.builtin.service:
    name: "cockpit.socket"
--- a/roles/editor_helix/tasks/install_Rocky.yml
+++ b/roles/editor_helix/tasks/install_Rocky.yml
@ -1 +0,0 @@
 install_fedora-family.yml
--- a/roles/editor_helix/tasks/install_Ubuntu.yml
+++ b/roles/editor_helix/tasks/install_Ubuntu.yml
@ -1 +0,0 @@
 install_Debian.yml
--- a/roles/editor_helix/tasks/install_Ubuntu.yml
+++ b/roles/editor_helix/tasks/install_Ubuntu.yml
@ -0,0 +1,12 @@
 ---
 - name: Enable the PPA for Helix
  ansible.builtin.apt_repository:
    repo: ppa:maveonair/helix-editor
    state: present
  become: true
 - name: Install the Helix
  ansible.builtin.package:
    name: helix
    state: present
  become: true
--- a/roles/editor_helix/tasks/install_fedora-family.yml
+++ b/roles/editor_helix/tasks/install_fedora-family.yml
@ -1,4 +1,11 @@
 ---
 - name: Enable the Copr
  community.general.copr:
    name: varlad/helix
    state: enabled
  when: ansible_distribution not in ("AlmaLinux")
  become: true
 - name: Install the Helix
  ansible.builtin.package:
    name: helix
--- a/roles/editor_vscode/defaults/main.yml
+++ b/roles/editor_vscode/defaults/main.yml
@ -1,3 +0,0 @@
 ---
 # List of VSCode extensions to be installed with the VSCode
 editor_vscode_extensions: []
--- a/roles/editor_vscode/files/code-url-handler.desktop
+++ b/roles/editor_vscode/files/code-url-handler.desktop
@ -0,0 +1,12 @@
 [Desktop Entry]
 Name=Visual Studio Code - URL Handler
 Comment=Code Editing. Redefined.
 GenericName=Text Editor
 Exec=/opt/VSCode-linux-x64/bin/code-insiders --no-sandbox --open-url %U
 Icon=/opt/VSCode-linux-x64/resources/app/resources/linux/code.png
 Type=Application
 NoDisplay=true
 StartupNotify=true
 Categories=Utility;TextEditor;Development;IDE;
 MimeType=x-scheme-handler/vscode-insiders;
 Keywords=vscode;
--- a/roles/editor_vscode/files/code.desktop
+++ b/roles/editor_vscode/files/code.desktop
@ -0,0 +1,18 @@
 [Desktop Entry]
 Name=Visual Studio Code Insiders
 Comment=Code Editing. Refined.
 GenericName=Text Editor
 Exec=/opt/VSCode-linux-x64/bin/code-insiders --no-sandbox --unity-launch %F
 Icon=/opt/VSCode-linux-x64/resources/app/resources/linux/code.png
 Type=Application
 StartupNotify=false
 StartupWMClass=code - insiders
 Categories=Utility;TextEditor;Development;IDE;
 MimeType=text/plain;inode/directory;
 Actions=new-empty-window;
 Keywords=vscode;
 [Desktop Action new-empty-window]
 Name=New Empty Window
 Exec=/opt/VSCode-linux-x64/bin/code-insiders --no-sandbox --new-window %F
 Icon=/opt/VSCode-linux-x64/resources/app/resources/linux/code.png
--- a/roles/editor_vscode/files/update.sh
+++ b/roles/editor_vscode/files/update.sh
@ -0,0 +1,31 @@
 #!/bin/bash
 # for upstream
 URL='https://code.visualstudio.com/sha/download?build=insider&os=linux-x64'
 # for local
 # URL='https://maxwell.mfocko.xyz/code-insiders.tar.gz'
 # for local over VPN (also use --no-check-certificate)
 # URL='https://172.16.0.2/code-insiders.tar.gz'
 echo ">>> Downloading";
 wget $URL -O /tmp/code.tar.gz
 echo ">>> Removing and extracting";
 rm -rf /opt/VSCode-linux-x64
 tar xvaf /tmp/code.tar.gz -C /opt/
 # Check for binaries
 if ! [ -x /usr/local/bin/code-insiders ]; then
 	echo ">>> Linking binaries";
 	ln -s /opt/VSCode-linux-x64/bin/code-insiders /usr/local/bin/
 	ln -s /opt/VSCode-linux-x64/bin/code-insiders /usr/local/bin/code
 fi
 # Check for *.desktop
 if ! ls /usr/share/applications | grep visual-studio-code; then
 	echo ">>> Installing desktop files";
 	PATH_TO_APPS=/home/mfocko/.local/share/visual-studio-code-insiders
 	sudo cp $PATH_TO_APPS{,-url-handler}.desktop /usr/share/applications/;
 fi
--- a/roles/editor_vscode/tasks/install_apt.yml
+++ b/roles/editor_vscode/tasks/install_apt.yml
@ -1,11 +0,0 @@
 ---
 - name: Resolve URL to the VSCode deb package
  ansible.builtin.uri:
    url: https://code.visualstudio.com/sha/download?build=insider&os=linux-deb-x64
  register: _vscode_deb_response
 - name: Install VSCode via deb package
  ansible.builtin.apt:
    deb: "{{ _vscode_deb_response.url }}"
    state: present
  become: true
--- a/roles/editor_vscode/tasks/install_dnf.yml
+++ b/roles/editor_vscode/tasks/install_dnf.yml
@ -1 +0,0 @@
 install_rpm.yml
--- a/roles/editor_vscode/tasks/install_dnf5.yml
+++ b/roles/editor_vscode/tasks/install_dnf5.yml
@ -1 +0,0 @@
 install_rpm.yml
--- a/roles/editor_vscode/tasks/install_rpm.yml
+++ b/roles/editor_vscode/tasks/install_rpm.yml
@ -1,21 +0,0 @@
 ---
 - name: Resolve URL to the VSCode RPM
  ansible.builtin.uri:
    url: https://code.visualstudio.com/sha/download?build=insider&os=linux-rpm-x64
  register: _vscode_rpm_response
 - name: Install VSCode via dnf
  ansible.builtin.dnf:
    name: "{{ _vscode_rpm_response.url }}"
    disable_gpg_check: true
    state: present
  become: true
  when: ansible_facts.pkg_mgr.startswith("dnf")
 - name: Install VSCode via zypper
  community.general.zypper:
    name: "{{ _vscode_rpm_response.url }}"
    disable_gpg_check: true
    state: present
  become: true
  when: ansible_facts.pkg_mgr == "zypper"
--- a/roles/editor_vscode/tasks/install_zypper.yml
+++ b/roles/editor_vscode/tasks/install_zypper.yml
@ -1 +0,0 @@
 install_rpm.yml
--- a/roles/editor_vscode/tasks/main.yml
+++ b/roles/editor_vscode/tasks/main.yml
@ -1,13 +1,28 @@
 ---
 - name: Install VSCode
  ansible.builtin.include_tasks: "install_{{ ansible_facts.pkg_mgr }}.yml"
  tags: install
 - name: Create directories for VSCode
  ansible.builtin.file:
-    path: "$HOME/.config/Code - Insiders/User"
+    path: "{{ item }}"
    state: directory
    mode: 0740
  loop:
    - ~/.local/bin
    - ~/.local/share
    - "$HOME/.config/Code - Insiders/User"
 - name: Install VSCode script
  ansible.builtin.copy:
    src: files/update.sh
    dest: ~/.local/bin/code-update.sh
    mode: 0640
 - name: Create app info for VSCode
  ansible.builtin.copy:
    src: files/code{{ item }}.desktop
    dest: ~/.local/share/applications/visual-studio-code-insiders{{ item }}.desktop
    mode: 0640
  loop:
    - ""
    - "-url-handler"
 - name: Install VSCode configuration
  ansible.builtin.copy:
@ -18,10 +33,10 @@
    - settings
    - keybindings
- name: Install extensions
+- name: Install VSCode
  ansible.builtin.command:
-    cmd: code-insiders --install-extension {{ item }}
+    cmd: bash /home/{{ target_user }}/.local/bin/code-update.sh
-  register: _editor_vscode_installation_result
+    creates: /opt/VSCode-linux-x64
-  changed_when: '"was successfully installed." in _editor_vscode_installation_result.stdout'
+  become: true
-  failed_when: '"Error while installing extensions" in _editor_vscode_installation_result.stderr'
+  when: false
-  loop: "{{ editor_vscode_extensions }}"
+  tags: install
--- a/roles/os_deb/tasks/main.yml
+++ b/roles/os_deb/tasks/main.yml
@ -1,4 +0,0 @@
 ---
 - name: Enable all Debian repos
  ansible.builtin.include_tasks: repositories.yml
  when: ansible_facts.distribution == "Debian"
--- a/roles/os_deb/tasks/repositories.yml
+++ b/roles/os_deb/tasks/repositories.yml
@ -1,29 +0,0 @@
 ---
 - name: Disable installation DVD as a source
  ansible.builtin.lineinfile:
    path: /etc/apt/sources.list
    regexp: "^deb cdrom:"
    state: absent
 - name: Enable additional Debian repos
  ansible.builtin.deb822_repository:
    name: "{{ item.name }}"
    types:
      - deb
      - deb-src
    uris: "{{ item.uris }}"
    suites: "{{ item.suites }}"
    components:
      - contrib
      - non-free
    state: present
  loop:
    - name: contrib-non_free
      uris: http://ftp.sk.debian.org/debian/
      suites: "{{ ansible_facts.distribution_release }}"
    - name: security-contrib-non_free
      uris: http://security.debian.org/debian-security
      suites: "{{ ansible_facts.distribution_release }}-security"
    - name: updates-contrib-non_free
      uris: http://ftp.sk.debian.org/debian/
      suites: "{{ ansible_facts.distribution_release }}-updates"
--- a/roles/secrets_hcv/tasks/install_Debian.yml
+++ b/roles/secrets_hcv/tasks/install_Debian.yml
@ -1 +0,0 @@
 install_deb.yml
--- a/roles/secrets_hcv/tasks/install_Rocky.yml
+++ b/roles/secrets_hcv/tasks/install_Rocky.yml
@ -1 +0,0 @@
 install_el.yml
--- a/roles/secrets_hcv/tasks/install_Ubuntu.yml
+++ b/roles/secrets_hcv/tasks/install_Ubuntu.yml
@ -1 +0,0 @@
 install_deb.yml
--- a/roles/secrets_hcv/tasks/install_Ubuntu.yml
+++ b/roles/secrets_hcv/tasks/install_Ubuntu.yml
@ -0,0 +1,13 @@
 ---
 - name: Add HashiCorp GPG Key
  ansible.builtin.get_url:
    url: https://apt.releases.hashicorp.com/gpg
    dest: /etc/apt/keyrings/hashicorp.asc
    mode: 0640
  become: true
 - name: Add HashiCorp repository
  ansible.builtin.apt_repository:
    repo: "deb [signed-by=/etc/apt/keyrings/hashicorp.gpg] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main"
    state: present
  become: true
--- a/roles/secrets_hcv/tasks/install_deb.yml
+++ b/roles/secrets_hcv/tasks/install_deb.yml
@ -1,12 +0,0 @@
 ---
 - name: Add HashiCorp repository
  ansible.builtin.deb822_repository:
    name: hashicorp
    types: deb
    uris: https://apt.releases.hashicorp.com
    suites: "{{ ansible_distribution_release }}"
    components:
      - main
    signed_by: https://apt.releases.hashicorp.com/gpg
    state: present
  become: true
--- a/roles/secrets_hcv/tasks/main.yml
+++ b/roles/secrets_hcv/tasks/main.yml
@ -1,6 +1,6 @@
 ---
 - name: Install HC Vault via package manager
-  when: ansible_distribution in [ "AlmaLinux", "CentOS", "Debian", "Fedora", "Rocky", "Ubuntu" ]
+  when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora", "Ubuntu"]
  tags: install
  block:
    - name: Enable repository
@ -14,7 +14,7 @@
 - name: Install HC Vault to userspace
  ansible.builtin.include_tasks: install_user.yml
-  when: ansible_distribution not in [ "AlmaLinux", "CentOS", "Debian", "Fedora", "Rocky", "Ubuntu" ]
+  when: ansible_distribution not in [ "AlmaLinux", "CentOS", "Fedora", "Ubuntu"]
  tags: install
 - name: Install ‹vssh› script
--- a/roles/shell_zsh/tasks/install.yml
+++ b/roles/shell_zsh/tasks/install.yml
@ -7,19 +7,6 @@
    state: present
  become: true
 - name: Enable ‹eza› apt repository
  ansible.builtin.deb822_repository:
    name: eza
    types: deb
    uris: http://deb.gierens.de
    suites: stable
    components:
      - main
    signed_by: https://raw.githubusercontent.com/eza-community/eza/main/deb.asc
    state: present
  become: true
  when: ansible_distribution in [ "Debian", "Ubuntu" ]
 - name: Install eza and bat
  ansible.builtin.package:
    name:
@ -47,4 +34,4 @@
    name: yad
    state: present
  become: true
-  when: 'ansible_distribution not in [ "AlmaLinux", "Rocky" ] and "openSUSE" not in ansible_distribution'
+  when: 'ansible_distribution not in [ "AlmaLinux" ] and "openSUSE" not in ansible_distribution'
--- a/roles/ssh_server/tasks/main.yml
+++ b/roles/ssh_server/tasks/main.yml
@ -55,4 +55,4 @@
 - name: Set trusted CA
  ansible.builtin.include_tasks: trusted_ca.yml
-  when: ssh_server_auth_trusted_ca
+  when: sshd_auth_trusted_ca
--- a/roles/wg/tasks/generate_keypair.yml
+++ b/roles/wg/tasks/generate_keypair.yml
@ -16,5 +16,5 @@
 - name: Set key/pair facts
  ansible.builtin.set_fact:
-    wg_private_key: "{{ _generated_private_key.stdout }}"
+    wg_private_key: _generated_private_key.stdout
-    wg_public_key: "{{ _derived_public_key.stdout }}"
+    wg_public_key: _derived_public_key.stdout
--- a/roles/wg/tasks/main.yml
+++ b/roles/wg/tasks/main.yml
@ -6,11 +6,11 @@
 - name: Check for existence of private key
  ansible.builtin.stat:
    path: /etc/wireguard/private.key
-  register: _private_key
+  register: _private_key_stat
 - name: Generate keypair
  ansible.builtin.include_tasks: tasks/generate_keypair.yml
-  when: not _private_key.stat.exists
+  when: not _private_key_stat.exists
 - name: Save private key
  ansible.builtin.template:
@ -21,7 +21,7 @@
    mode: 0700
  vars:
    key: "{{ wg_private_key }}"
-  when: not _private_key.stat.exists
+  when: not _private_key_stat.exists
 - name: Save public key
  ansible.builtin.template:
@ -32,7 +32,7 @@
    mode: 0700
  vars:
    key: "{{ wg_public_key }}"
-  when: not _private_key.stat.exists
+  when: not _private_key_stat.exists
 - name: Set dns_command for co-openSUSE
  ansible.builtin.set_fact:
--- a/roles/yubikey_pam/tasks/install.yml
+++ b/roles/yubikey_pam/tasks/install.yml
@ -3,7 +3,7 @@
  ansible.builtin.package:
    name: pam_yubico
    state: present
-  when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora", "Rocky" ]
+  when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora" ]
 - name: Enable PPA on Ubuntu
  ansible.builtin.apt_repository: