chore: add TODOs for the not finished roles

Signed-off-by: Matej Focko <me@mfocko.xyz>

defaults/main.yml

@@ -27,10 +27,13 @@ hashicorp_vault_address: None
 # Address of the Vaultwarden instance
 vaultwarden_address: None
 
-# Porkbun ‹apikey› and ‹secretapikey› that are used by Certbot (SSL/TLS renewal)
+# Used for Certbot and DDNS
-# and DDNS (updating DNS records)
+# Certbot: used for DNS verification of the domain during renewal
-porkbun_apikey: None
+# DDNS: used to update the DNS records of the public IP
-porkbun_secretapikey: None
+cloudflare_token: None
+
+# Cloudflare zone, the domain
+cloudflare_zone: None
 
 # Public ID tied to the Yubikey OTP
 yubikey_token_id: None

playbooks/bootstrap.yml

@@ -72,11 +72,6 @@
     - role: terminals/kitty
       tags: kitty
 
-    # Install Ptyxis terminal
-    - role: terminals/ptyxis
-      when: ansible_distribution != "Ubuntu"
-      tags: ptyxis
-
     # Install fonts
     - role: fonts
       tags: fonts

roles/base/desktop/tasks/scripts.yml

@@ -1,8 +1,8 @@
 ---
-- name: Install script for toolbox/distrobox name retrieval
+- name: Install script for toolbox name retrieval
   ansible.builtin.copy:
-    src: files/boxname.sh
+    src: files/toolbox_name.sh
-    dest: ~/.local/bin/boxname
+    dest: ~/.local/bin/toolbox_name
     mode: 0700
 
 - name: Install script for paste.sr.ht

roles/base/desktop/tasks/structure.yml

@@ -9,7 +9,6 @@
   loop:
     - ~/.local/bin
     - ~/.local/share
-    - ~/.local/share/applications
     - ~/.ssh
 
 - name: Create empty file for tokens

roles/certbot/defaults/main.yml

@@ -1,13 +0,0 @@
----
-# List of domains to be certified by Certbot
-certbot_domains: []
-
-# Email to be used when requesting the Let's Encrypt certificate
-certbot_email: None
-
-# Defines the frequency of running the Certbot renewal, follow ‹OnCalendar› docs
-# in the systemd for syntax
-certbot_frequency: weekly
-
-# Delay for propagating of the TXT DNS records when renewing the certificates
-certbot_propagation_delay: 60

roles/certbot/tasks/install.yml

@@ -3,4 +3,5 @@
   ansible.builtin.package:
     name:
       - certbot
+      - python3-certbot-dns-cloudflare
     state: present

roles/certbot/tasks/main.yml

@@ -3,39 +3,10 @@
   ansible.builtin.include_tasks: install.yml
   tags: install
 
-- name: Install the CLI configuration for Certbot
+- name: Install the Cloudflare secrets
   ansible.builtin.template:
-    src: templates/cli.ini
+    src: templates/cloudflare.ini
-    dest: /etc/letsencrypt/cli.ini
+    dest: /root/.secrets/cloudflare.ini
     mode: 0600
     owner: root
     group: root
-
-- name: Create the file with Porkbun secrets
-  ansible.builtin.template:
-    src: templates/porkbun.ini
-    dest: /etc/porkbun.ini
-    mode: 0600
-
-- name: Install the Porkbun Certbot container definition (quadlet)
-  ansible.builtin.template:
-    src: templates/certbot.container
-    dest: /etc/containers/systemd/certbot.container
-    mode: 0644
-    owner: root
-    group: root
-
-- name: Install the timer for the Certbot quadlet
-  ansible.builtin.template:
-    src: templates/certbot.timer
-    dest: /etc/systemd/system/certbot.timer
-    mode: 0644
-    owner: root
-    group: root
-
-- name: Enable the timer
-  ansible.builtin.systemd_service:
-    daemon_reload: true
-    enabled: true
-    name: certbot.timer
-    state: "started"

roles/certbot/templates/certbot.container

@@ -1,12 +0,0 @@
-[Unit]
-Description=Certbot renewal
-
-[Container]
-Image=docker.io/infinityofspace/certbot_dns_porkbun:latest
-Volume=/etc/letsencrypt:/etc/letsencrypt:z
-Volume=/var/log/letsencrypt:/var/log/letsencrypt:z
-Volume=/etc/porkbun.ini:/conf/porkbun.ini:z
-Exec=certonly -d "{{ ','.join(certbot_domains) }}"
-
-[Service]
-Restart=on-failure

roles/certbot/templates/certbot.timer

@@ -1,11 +0,0 @@
-[Unit]
-Description=Run certbot once a week
-
-[Timer]
-OnCalendar={{ certbot_frequency }}
-AccuracySec=1h
-Persistent=true
-RandomizedDelaySec=100min
-
-[Install]
-WantedBy=timers.target

roles/certbot/templates/cli.ini

@@ -1,10 +0,0 @@
-email = {{ certbot_email }}
-
-agree-tos = true
-non-interactive = true
-
-preferred-challenges = dns
-authenticator = dns-porkbun
-
-dns-porkbun-credentials = /conf/porkbun.ini
-dns-porkbun-propagation-seconds = {{ certbot_propagation_delay }}

roles/certbot/templates/cloudflare.ini

@@ -0,0 +1 @@
+dns_cloudflare_api_token = {{ cloudflare_token }}

roles/certbot/templates/porkbun.ini

@@ -1,2 +0,0 @@
-dns_porkbun_key={{ porkbun_apikey }}
-dns_porkbun_secret={{ porkbun_secretapikey }}

roles/cups/tasks/main.yml

@@ -15,7 +15,6 @@
     immediate: true
     permanent: true
     state: enabled
-  when: ansible_facts.services['firewalld'] is defined
   tags: firewall
 
 - name: Enable cups

roles/ddns/defaults/main.yml

@@ -1,6 +0,0 @@
----
-# Domain for which the DDNS manages DDNS entries
-ddns_domain: None
-
-# List of all subdomains on the said domain for which the IP should be set
-ddns_subdomains: []

roles/ddns/files/ddns.service

@@ -0,0 +1,7 @@
+[Unit]
+Description=Run inadyn in a container to update DNS
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=podman run --rm -v "/etc/inadyn.conf:/etc/inadyn.conf" -v "/var/cache/inadyn:/var/cache/inadyn" docker.io/troglobit/inadyn:latest -1 --cache-dir=/var/cache/inadyn

roles/ddns/files/ddns.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Run inadyn every 15 minutes
+
+[Timer]
+OnCalendar=*:00,15,30,45:00
+RandomizedDelaySec=1h
+Persistent=true
+
+[Install]
+WantedBy=timers.target

roles/ddns/tasks/main.yml

@@ -1,23 +1,34 @@
 ---
-- name: Install the config file for DDNS
+- name: Install the config file
   ansible.builtin.template:
-    src: templates/ddns.ini
+    src: templates/inadyn.conf
-    dest: /etc/ddns.ini
+    dest: /etc/inadyn.conf
     mode: 0600
     owner: root
     group: root
 
-- name: Install the DDNS quadlet
+- name: Create the cache directory
-  ansible.builtin.template:
+  ansible.builtin.file:
-    src: templates/ddns.container
+    path: /var/cache/inadyn
-    dest: /etc/containers/systemd/ddns.container
+    state: directory
-    mode: 0644
+    mode: 0700
     owner: root
     group: root
 
-- name: Enable the DDNS quadlet
+- name: Install the unit files
+  ansible.builtin.copy:
+    src: files/{{ item }}
+    dest: /etc/systemd/system/{{ item }}
+    mode: 0644
+    owner: root
+    group: root
+  loop:
+    - ddns.service
+    - ddns.timer
+
+- name: Enable the timer
   ansible.builtin.systemd_service:
     daemon_reload: true
     enabled: true
-    name: ddns.service
+    name: ddns.timer
     state: "started"

roles/ddns/templates/ddns.container

@@ -1,12 +0,0 @@
-[Unit]
-Description=DDNS Update
-
-[Container]
-Image=docker.io/mietzen/porkbun-ddns:latest
-EnvironmentFile=/etc/ddns.ini
-
-[Service]
-Restart=always
-
-[Install]
-WantedBy=multi-user.target

roles/ddns/templates/ddns.ini

@@ -1,4 +0,0 @@
-DOMAIN={{ ddns_domain }}
-SUBDOMAINS={{ ','.join(ddns_subdomains) }}
-APIKEY={{ porkbun_apikey }}
-SECRETAPIKEY={{ porkbun_secretapikey }}

roles/ddns/templates/inadyn.conf

@@ -0,0 +1,15 @@
+period     = 300
+allow-ipv6 = true
+
+provider cloudflare.com:1 {
+    username = {{ cloudflare_zone }}
+    password = {{ cloudflare_token }}
+    hostname = {{ host_fqdn }}
+}
+
+provider cloudflare.com:2 {
+    username = {{ cloudflare_zone }}
+    password = {{ cloudflare_token }}
+    hostname = {{ host_fqdn }}
+    wildcard = true
+}

roles/editors/helix/tasks/install_Archlinux.yml

@@ -1 +0,0 @@
-install_generic.yml

roles/editors/helix/tasks/install_fedora-family.yml

@@ -3,7 +3,6 @@
   community.general.copr:
     name: varlad/helix
     state: enabled
-  when: ansible_distribution not in ("AlmaLinux")
   become: true
 
 - name: Install the Helix

roles/editors/helix/tasks/install_openSUSE Tumbleweed.yml

@@ -1 +1 @@
-install_generic.yml
+install_suse.yml

roles/editors/vscode/tasks/main.yml

@@ -38,5 +38,4 @@
     cmd: bash /home/{{ target_user }}/.local/bin/code-update.sh
     creates: /opt/VSCode-linux-x64
   become: true
-  when: false
   tags: install

roles/fail2ban/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+# TODO
+# Consider moving it to the firewall…

roles/flatpak/tasks/install.yml

@@ -1,6 +0,0 @@
----
-- name: Install the required packages
-  ansible.builtin.package:
-    name: flatpak
-    state: present
-  become: true

roles/flatpak/tasks/main.yml

@@ -1,8 +1,4 @@
 ---
-- name: Packages
-  ansible.builtin.include_tasks: install.yml
-  tags: install
-
 - name: Enable Flathub
   community.general.flatpak_remote:
     name: flathub

roles/lang/rust/tasks/main.yml

@@ -0,0 +1,2 @@
+---
+# TODO

roles/nginx/tasks/main.yml

@@ -80,7 +80,6 @@
   loop:
     - http
     - https
-  when: ansible_facts.services['firewalld'] is defined
   tags: firewall
 
 - name: Enable nginx

roles/os/el/files/google-chrome.repo

@@ -1,6 +0,0 @@
-[google-chrome]
-name=google-chrome
-baseurl=http://dl.google.com/linux/chrome/rpm/stable/x86_64
-enabled=1
-gpgcheck=1
-gpgkey=https://dl.google.com/linux/linux_signing_key.pub

roles/os/el/tasks/main.yml

@@ -29,23 +29,5 @@
   community.general.copr:
     name: mfocko/mfocko
     state: enabled
-    chroot: "epel-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}"
+    chroot: "epel-9-{{ ansible_architecture }}"
   become: true
-
-- name: Install RPMFusion RPMs with GPG keys
-  ansible.builtin.dnf:
-    name:
-      - "https://mirrors.rpmfusion.org/free/el/rpmfusion-free-release-{{ ansible_distribution_major_version }}.noarch.rpm"
-      - "https://mirrors.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-{{ ansible_distribution_major_version }}.noarch.rpm"
-    disable_gpg_check: true
-    state: present
-  tags: os-el-rpmfusion
-
-- name: Install Google Chrome repository
-  ansible.builtin.copy:
-    src: files/google-chrome.repo
-    dest: /etc/yum.repos.d/google-chrome.repo
-    mode: 0640
-    owner: root
-    group: root
-  tags: os-el-chrome

roles/postgresql/tasks/main.yml

@@ -0,0 +1,2 @@
+---
+# TODO

roles/shell/zsh/files/starship.toml

@@ -38,11 +38,18 @@ style = "cyan"
 [git_status]
 format = "[[(*$conflicted$untracked$modified$staged$renamed$deleted)](218) ($ahead_behind$stashed)]($style)"
 style = "cyan"
+conflicted = "​"
+untracked = "​"
+modified = "​"
+staged = "​"
+renamed = "​"
+deleted = "​"
+stashed = "≡"
 
 [custom.toolbox]
 when = "ls /run/.containerenv"
-symbol = "󰡨  "
+symbol = " "
-command = "~/.local/bin/boxname"
+command = "~/.local/bin/toolbox_name.sh"
 format = "in [$symbol($output )]($style)"
 style = "bold purple"
 

roles/sshd/tasks/install.yml

@@ -1,18 +1,13 @@
 ---
-- name: SSH family packages for co-Ubuntu
-  ansible.builtin.set_fact:
-    ssh_packages: [openssh, openssh-clients, openssh-server]
-  when: ansible_distribution not in ("Ubuntu", "Archlinux")
-
 - name: SSH family packages for Ubuntu
   ansible.builtin.set_fact:
     ssh_packages: [openssh-client, openssh-server]
   when: ansible_distribution == "Ubuntu"
 
-- name: SSH family package for archLinux
+- name: SSH family packages for co-Ubuntu
   ansible.builtin.set_fact:
-    ssh_packages: [openssh]
+    ssh_packages: [openssh, openssh-clients, openssh-server]
-  when: ansible_distribution == "Archlinux"
+  when: ansible_distribution != "Ubuntu"
 
 - name: Install the SSH family
   ansible.builtin.package:

roles/sshd/tasks/main.yml

@@ -41,7 +41,6 @@
     immediate: true
     permanent: true
     state: enabled
-  when: ansible_facts.services['firewalld'] is defined
   notify: "Restart SSH server"
   tags: firewall
 
@@ -50,7 +49,6 @@
     service: ssh
     permanent: true
     state: disabled
-  when: ansible_facts.services['firewalld'] is defined
   tags: firewall
 
 - name: Set trusted CA

roles/terminals/ptyxis/tasks/main.yml

@@ -1,6 +0,0 @@
----
-- name: Install Ptyxis
-  community.general.flatpak:
-    name: "https://nightly.gnome.org/repo/appstream/org.gnome.Ptyxis.Devel.flatpakref"
-    state: present
-  become: true

roles/wg/tasks/main.yml

@@ -41,7 +41,7 @@
     gateway: "{{ wg_gateway }}"
     peers: "{{ wg_peers }}"
   ansible.builtin.template:
-    src: "templates/wg.conf"
+    src: "{{ wg_ifname }}.conf"
     dest: "/etc/wireguard/{{ wg_ifname }}.conf"
     owner: root
     group: root
@@ -49,7 +49,7 @@
 
 - name: Set up the DNS on AlmaLinux
   ansible.builtin.include_tasks: "dns_{{ ansible_distribution }}.yml"
-  when: wg_domain and ansible_distribution == "AlmaLinux"
+  when: domain and ansible_distribution == "AlmaLinux"
 
 - name: Enable and start the wireguard connection
   ansible.builtin.service: