playbook refactor

2026-05-23 10:38:29 -04:00
parent 8811a92e1f
commit e00551b1ac
70 changed files with 1103 additions and 914 deletions
-6
@@ -1,6 +0,0 @@
- name: set selinux to permissive
hosts: all
selinux:
policy: targeted
state: permissive
become: yes
+39
@@ -0,0 +1,39 @@
# Homelab Ansible playbooks
Managed for use with [ansibleTUI](https://github.com/). Layout follows Ansible roles + thin entry playbooks.
## Layout
| Path | Purpose |
|------|---------|
| `site.yml` | Full workstation bootstrap |
| `passwordless.yml` | Sudo only |
| `services/` | Pi-hole, Kubernetes (nested; visible in ansibleTUI) |
| `security/` | SELinux, IPv6 |
| `playbooks/` | VM-specific (e.g. Xen guest tools) |
| `roles/` | Reusable role implementations |
| `group_vars/` | Shared variables |
| `host_vars/` | Per-host overrides |
## Setup
```bash
ansible-galaxy collection install -r requirements.yml
```
## Common runs
Run from this directory (or use ansibleTUI, which sets `ANSIBLE_CONFIG` and cwd automatically):
```bash
cd ~/.ansibletui/playbooks
ansible-playbook -i ../inventory site.yml --limit plex
ansible-playbook -i ../inventory services/pi-hole.yml --limit dns-host
ansible-playbook -i ../inventory security/ipv6-disable.yml --limit pvr
```
**Check mode:** `site.yml` skips git clone / stow / font download tasks during `--check` (they require packages already installed or a live run). System tasks (packages, sudo, cockpit) still report drift.
## OS support
Roles load `vars/Debian.yml` or `vars/RedHat.yml` automatically via `include_vars` / Ansible OS mapping.
+8
@@ -0,0 +1,8 @@
[defaults]
roles_path = roles
inventory = ../inventory
host_key_checking = False
deprecation_warnings = True
[privilege_escalation]
become = False
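Review bot: `host_key_checking = False` in `[defaults]` turns off SSH host-key verification for every play run from this directory, so a host whose key has changed, or another machine answering on the same address, is connected to silently and receives the become password and every task. Leave the setting at its default (`host_key_checking = True`) and pre-populate `known_hosts` for the inventory, or relax it only for a one-off first-contact run through the environment rather than committing it for all runs.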
-57
@@ -1,57 +0,0 @@
---
- hosts: all
become: yes
become_user: root
become_method: sudo
tasks:
- name: Install EPEL repo.
become: yes
ignore_errors: yes
when: ansible_distribution == "Rocky" or ansible_distribution == 'CentOS'
yum:
name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm
state: present
- name: Import EPEL GPG key.
become: yes
ignore_errors: yes
when: ansible_distribution == "Rocky" or ansible_distribution == 'CentOS'
rpm_key:
key: /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}
state: present
- name: Install required packages
package:
name:
- git
- vim-enhanced
- vim
- powerline-fonts
- btop
- tmux
- bat
- snapd
- zsh
- neofetch
- util-linux-user
- unzip
- stow
state: present
become: yes
#ignore_errors: yes
tags:
- install_packages
- name: Start service snapd, if not started
ansible.builtin.service:
name: snapd
state: started
- name: Install lsd
become: yes
community.general.snap:
name: lsd
#state: present
-107
@@ -1,107 +0,0 @@
---
- hosts: all
become: true
become_user: root
tasks:
- name: Install cockpit
package:
name:
- cockpit
state: present
become: yes
- name: Install nala
package:
name:
- nala
state: present
become: yes
- name: Install git
package:
name:
- git
state: present
become: yes
- name: Install vim
package:
name:
- vim
state: present
become: yes
# - name: Install powerline-fonts
# package:
# name:
# - powerline-fonts
# state: present
# become: yes
- name: Install btop
package:
name:
- btop
state: present
become: yes
- name: Install bat
package:
name:
- bat
state: present
become: yes
- name: Install snap
package:
name:
- snapd
state: present
become: yes
- name: Install zsh
package:
name:
- zsh
state: present
become: yes
- name: Install neofetch
package:
name:
- neofetch
state: present
become: yes
# - name: Install util-linux-user
# package:
# name:
# - util-linux-user
# state: present
# become: yes
- name: Install unzip
package:
name:
- unzip
state: present
become: yes
- name: Install stow
package:
name:
- stow
state: present
become: yes
- name: Start service snapd, if not started
ansible.builtin.service:
name: snapd
state: started
- name: Install lsd
become: yes
community.general.snap:
name: lsd
state: present
-24
@@ -1,24 +0,0 @@
---
- hosts: all
become: true
become_user: root
tasks:
- name: Install cockpit
package:
name:
- cockpit
state: present
become: yes
- name: Enable Cockpit
ansible.builtin.systemd_service:
name: cockpit.socket
state: started
- name: Enable interfaces
shell:
"sed -i 's/managed=false/managed=true/g' /etc/NetworkManager/NetworkManager.conf"
become: yes
-17
@@ -1,17 +0,0 @@
---
- hosts: all
tasks:
- name: Creates dotfile dir
ansible.builtin.file:
path: ~/dotfiles
state: directory
- name: User Config Files
git:
repo: https://gitea.gotmylab.com/GotMyLab/config-files.git
dest: "~/dotfiles"
- name: Init stow
command: chdir=~/dotfiles stow .
-30
@@ -1,30 +0,0 @@
---
- hosts: all
become: true
become_user: root
tasks:
- name: Install required packages
package:
name:
- nala
- git
- curl
- vim
- btop
- bat
- snapd
- neofetch
- unzip
- stow
- lsd
state: present
become: yes
#ignore_errors: yes
tags:
- install_packages
- name: Start service snapd, if not started
ansible.builtin.service:
name: snapd
state: started
-30
@@ -1,30 +0,0 @@
---
- hosts: all
become: true
become_user: root
tasks:
- name: Install cockpit
package:
name:
- cockpit
state: present
become: yes
- name: Enable Cockpit
ansible.builtin.systemd_service:
name: cockpit.socket
state: started
- name: Enable interfaces
shell: "{{ item }}"
with_items:
- sed -i 's/managed=false/managed=true/g' /etc/NetworkManager/NetworkManager.conf
- sed -i 's/^/#/' /etc/network/interfaces
- service NetworkManager restart
# tasks:
# - command: "sed -i 's/managed=false/managed=true/g' /etc/NetworkManager/NetworkManager.conf"
# - command: "sed -i 's/^/#/' /etc/network/interfaces"
become: yes
-20
@@ -1,20 +0,0 @@
---
- hosts: all
tasks:
- name: Creates dotfile dir
ansible.builtin.file:
path: ~/dotfiles
state: directory
- name: User Config Files
git:
repo: https://gitea.gotmylab.com/GotMyLab/config-files.git
dest: "~/dotfiles"
- name: Init stow
command: chdir=~/dotfiles stow .
- name: Update bat for Debian
command: "sed -i s/cat=bat/cat=batcat/g {{ ansible_env.HOME }}/.zshrc"
-8
@@ -1,8 +0,0 @@
- import_playbook: passwordless.yml
# - import_playbook: xcp-ng-guest-utilities.yml
- import_playbook: apps.yml
- import_playbook: setup_terminal.yml
- import_playbook: cockpit.yml
# - import_playbook: ipv6-disable.yml
- import_playbook: vim_config.yml
- import_playbook: config_files.yml
-16
@@ -1,16 +0,0 @@
- name: "Getting xe-guest-utilities info"
loop: "{{ xe_guest_utils_latest.json.assets }}"
when: "item.name.endswith('_amd64.deb')"
set_fact:
filename: "{{ item.name }}"
url: "{{ item.browser_download_url }}"
- name: "Downloading {{ xe_guest_utils_latest.json.tag_name }}"
get_url:
url: "{{ url }}"
dest: "{{ ansible_env.HOME }}"
- name: Install xe-guest-utilities
package:
deb: "{{ ansible_env.HOME }}/{{ filename }}"
become: yes
-56
@@ -1,56 +0,0 @@
---
- hosts: all
become: true
become_user: root
tasks:
## either disable
- name: Disable IPv6 with sysctl
sysctl: name={{ item }} value=1 state=present reload=yes
with_items:
- net.ipv6.conf.all.disable_ipv6
- net.ipv6.conf.default.disable_ipv6
- net.ipv6.conf.lo.disable_ipv6
- name: Debian | blacklist ipv6 in modprobe
lineinfile:
dest: /etc/modprobe.d/blacklist.conf
line: 'blacklist ipv6'
mode: '0644'
create: yes
notify:
- rmmodipv6
when: ansible_os_family == 'Debian'
- name: RedHat | placeholder true for ipv6 in modprobe
lineinfile:
dest: /etc/modprobe.conf
line: 'install ipv6 /bin/true'
mode: '0644'
create: yes
notify:
- rmmodipv6
when: ansible_os_family == 'RedHat'
- name: RedHat | disable ipv6 in sysconfig/network
lineinfile:
dest: /etc/sysconfig/network
regexp: "^{{ item.regexp }}"
line: "{{ item.line }}"
mode: '0644'
backup: yes
create: yes
with_items:
- { regexp: 'NETWORKING_IPV6=.*', line: 'NETWORKING_IPV6=NO' }
- { regexp: 'IPV6INIT=.*', line: 'IPV6INIT=no' }
notify:
- restart NetworkManager
#- restart network
when: ansible_os_family == 'RedHat'
## either control router sollicitation/advertisement to avoid malicious rerouting of IPv6
## Monitor?
## https://thc.org/thc-ipv6/
## http://www.si6networks.com/tools/ipv6toolkit/
## Filter?
## State: http://6lab.cisco.com/stats/
-24
@@ -1,24 +0,0 @@
- name: passwordless sudo
hosts: all
become: yes
become_user: root
tasks:
- name: Creating user sudoers file
copy:
dest: "/etc/sudoers.d/95-sudo-group"
content: |
# Gives sudo access to the admin group
%sudo ALL=(ALL) NOPASSWD: ALL
mode: 0440
# tasks:
# - name: get the username running the deploy
# become: false
# local_action: command whoami
# register: username
# - name: Give sudo access to user
# blockinfile:
# path: /etc/sudoers
# insertafter: 'root ALL=(ALL) ALL'
# block: |
# # Gives sudo access to the admin group
# %sudo ALL=(ALL) NOPASSWD: ALL
-70
@@ -1,70 +0,0 @@
---
- hosts: all
become: yes
become_user: root
vars:
ansible_ssh_private_key_file: "/root/.ssh/id_ecdsa_sudouser"
tasks:
- name: Register current user (workaround to change default shell)
become: false
shell: whoami
register: current_user
- name: Install zsh
package:
name:
- zsh
state: present
become: yes
- name: ensure fonts directory
file:
path: "{{ lookup('env', 'HOME') }}/.fonts"
state: directory
- name: Hack exists
shell: "ls {{ lookup('env', 'HOME') }}/.fonts/Hack*Nerd*Font*Complete*"
register: hack_exists
ignore_errors: yes
- name: Change default shell to zsh
become: true
shell: "chsh -s $(which zsh) {{ current_user.stdout }}"
- name: Install Oh My Zsh # noqa: latest
become: false
ansible.builtin.git:
repo: https://github.com/ohmyzsh/ohmyzsh.git
dest: ~/.oh-my-zsh
depth: 1
- name: Install zsh-autosuggestions plugin # noqa: latest
become: false
ansible.builtin.git:
repo: https://github.com/zsh-users/zsh-autosuggestions
dest: ~/.oh-my-zsh/custom/plugins/zsh-autosuggestions
depth: 1
- name: Install zsh-completions plugin # noqa: latest
become: false
ansible.builtin.git:
repo: https://github.com/zsh-users/zsh-completions
dest: ~/.oh-my-zsh/custom/plugins/zsh-completions
depth: 1
- name: Install zsh-syntax-highlighting plugin # noqa: latest
become: false
ansible.builtin.git:
repo: https://github.com/zsh-users/zsh-syntax-highlighting.git
dest: ~/.oh-my-zsh/custom/plugins/zsh-syntax-highlighting
depth: 1
- name: Download Hack
when: hack_exists is failed
ansible.builtin.unarchive:
src: https://github.com/ryanoasis/nerd-fonts/releases/latest/download/Hack.zip
dest: "{{ lookup('env', 'HOME') }}/.fonts/"
remote_src: yes
-42
@@ -1,42 +0,0 @@
---
- hosts: all
gather_facts: yes
become: no
vars:
vim_dir: "{{ ansible_env.HOME }}/.vim"
vimrc: "{{ ansible_env.HOME }}/.vimrc"
tasks:
- name: Ensure .vim/{autoload,bundle} directory exists
file:
path: "{{ item }}"
state: directory
recurse: no
mode: 0750
loop:
- "{{ vim_dir }}"
- "{{ vim_dir }}/autoload"
- "{{ vim_dir }}/bundle"
- name: Deploy plugins
git:
dest: "{{ vim_dir }}/bundle/{{ item.name }}"
repo: "{{ item.url }}"
clone: yes
update: yes
recursive: no
loop:
- name: lightline
url: https://github.com/itchyny/lightline.vim.git
- name: nerdtree
url: https://github.com/preservim/nerdtree
- name: Add user and host to prompt
become: no
lineinfile:
path: ~/.oh-my-zsh/themes/eastwood.zsh-theme
regexp: '^PROMPT=(.*)$'
line: "PROMPT='$USER@%{$fg[yellow]%}%m $(git_custom_status)%{$fg[cyan]%}[%~% ]%{$reset_color%}%B$%b '"
backrefs: yes
-31
@@ -1,31 +0,0 @@
---
- hosts: all
become: yes
become_user: root
become_method: sudo
tasks:
- name: collect facts about system services
service_facts:
register: servieces
- name: check latest xe-guest-utilities
uri:
url: https://api.github.com/repos/xenserver/xe-guest-utilities/releases/latest
return_content: true
register: xe_guest_utils_latest
- name: "Getting xe-guest-utilities info"
loop: "{{ xe_guest_utils_latest.json.assets }}"
when: "item.name.endswith('_amd64.deb')"
set_fact:
filename: "{{ item.name }}"
url: "{{ item.browser_download_url }}"
- include_tasks: download-guest-utils.yml
when: "'xe-linux-distribution' not in services"
- name: "Removing install package if exists"
file:
path: "{{ filename }}"
state: absent
+3
@@ -0,0 +1,3 @@
---
dotfiles_repo: https://gitea.gotmylab.com/GotMyLab/config-files.git
dotfiles_dest: "{{ ansible_facts['user_dir'] }}/dotfiles"
+4
@@ -0,0 +1,4 @@
---
# Applied when inventory group 'debian' exists; role vars also cover OS via include_vars.
sudo_admin_group: sudo
bat_binary_name: batcat
+3
@@ -0,0 +1,3 @@
---
sudo_admin_group: wheel
bat_binary_name: bat
+2
@@ -0,0 +1,2 @@
---
ansible_python_interpreter: /usr/bin/python3
-56
@@ -1,56 +0,0 @@
---
- hosts: all
become: true
become_user: root
tasks:
## either disable
- name: Disable IPv6 with sysctl
sysctl: name={{ item }} value=1 state=present reload=yes
with_items:
- net.ipv6.conf.all.disable_ipv6
- net.ipv6.conf.default.disable_ipv6
- net.ipv6.conf.lo.disable_ipv6
- name: Debian | blacklist ipv6 in modprobe
lineinfile:
dest: /etc/modprobe.d/blacklist.conf
line: 'blacklist ipv6'
mode: '0644'
create: yes
notify:
- rmmodipv6
when: ansible_os_family == 'Debian'
- name: RedHat | placeholder true for ipv6 in modprobe
lineinfile:
dest: /etc/modprobe.conf
line: 'install ipv6 /bin/true'
mode: '0644'
create: yes
notify:
- rmmodipv6
when: ansible_os_family == 'RedHat'
- name: RedHat | disable ipv6 in sysconfig/network
lineinfile:
dest: /etc/sysconfig/network
regexp: "^{{ item.regexp }}"
line: "{{ item.line }}"
mode: '0644'
backup: yes
create: yes
with_items:
- { regexp: 'NETWORKING_IPV6=.*', line: 'NETWORKING_IPV6=NO' }
- { regexp: 'IPV6INIT=.*', line: 'IPV6INIT=no' }
notify:
- restart NetworkManager
#- restart network
when: ansible_os_family == 'RedHat'
## either control router sollicitation/advertisement to avoid malicious rerouting of IPv6
## Monitor?
## https://thc.org/thc-ipv6/
## http://www.si6networks.com/tools/ipv6toolkit/
## Filter?
## State: http://6lab.cisco.com/stats/
-76
@@ -1,76 +0,0 @@
---
- hosts: "masters, workers"
remote_user: frank
become: yes
become_method: sudo
become_user: root
gather_facts: yes
connection: ssh
tasks:
- name: create containerd configuration file
file:
path: "/etc/modules-load.d/containerd.conf"
state: "touch"
- name: set up containerd prerequisites
blockinfile:
path: "/etc/modules-load.d/containerd.conf"
block: |
overlay
br_netfilter
- name: load modules
shell: |
sudo modprobe overlay
sudo modprobe br_netfilter
- name: create network settings configuration file
file:
path: "/etc/sysctl.d/99-kubernetes-cri.conf"
state: "touch"
- name: set up containerd networking
blockinfile:
path: "/etc/sysctl.d/99-kubernetes-cri.conf"
block: |
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
- name: apply settings
command: sudo sysctl --system
- name: add docker repository
shell: |
sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo dnf makecache
sudo dnf install -y containerd.io
sudo mkdir -p /etc/containerd
sudo containerd config default | sudo tee /etc/containerd/config.toml
sudo systemctl restart containerd
- name: create k8s repo file
file:
path: "/etc/yum.repos.d/kubernetes.repo"
state: "touch"
- name: write repository information in the kube repo file
blockinfile:
path: "/etc/yum.repos.d/kubernetes.repo"
block: |
[kubernetes]
name=Kubernetes
baseurl=https://pkgs.k8s.io/core:/stable:/v1.30/rpm/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://pkgs.k8s.io/core:/stable:/v1.30/rpm/repodata/repomd.xml.key
- name: install kubernetes
shell: |
sudo dnf install -y kubelet kubeadm kubectl
- name: disable swap
shell: |
sudo swapoff -a
sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
+4 -10
@@ -1,12 +1,6 @@
- name: passwordless sudo
---
- name: Passwordless sudo
hosts: all
become: true
become_method: sudo
tasks:
- name: Give sudo access to user
blockinfile:
path: /etc/sudoers
insertafter: 'root ALL=(ALL) ALL'
block: |
# Gives sudo access to the admin group
%wheel ALL=(ALL) NOPASSWD: ALL
roles:
- passwordless_sudo
-80
@@ -1,80 +0,0 @@
---
- hosts: all
become: true
become_user: root
tasks:
# tasks file for unbound
#
- name: Install Unbound
apt:
name: unbound
become: yes
tags: unbound
- name: Download root-hints
get_url:
url: https://www.internic.net/domain/named.root
dest: /var/lib/unbound/root.hints
become: yes
tags: unbound
- name: Adjust configuration
template:
src: pi-hole.conf.j2
dest: /etc/unbound/unbound.conf.d/pi-hole.conf
become: yes
tags: unbound
- name: Restart Unbound
service:
name: unbound
state: restarted
become: yes
tags: unbound
# tasks file for pihole
#
- name: Create Pi-hole group
group:
name: pihole
state: present
become: yes
tags: pihole
- name: Create Pi-hole user
user:
name: pihole
group: pihole
groups: pihole,www-data
uid: 999
become: yes
tags: pihole
- name: Create /etc/pihole directory
file:
path: /etc/pihole
state: directory
owner: pihole
group: pihole
become: yes
tags: pihole
- name: Copy Pi-hole setupVars.conf into /etc/pihole
template:
src: pi-hole-vars.conf.j2
dest: /etc/pihole/setupVars.conf
become: yes
tags: pihole
- name: Download Pi-hole installer
get_url:
url: https://install.pi-hole.net
dest: /tmp/install-pihole.sh
mode: 0740
tags: pihole
- name: Install Pi-hole
shell: "/tmp/install-pihole.sh --unattended"
become: yes
tags: pihole
+6
@@ -0,0 +1,6 @@
---
- name: Install Xen guest utilities
hosts: all
become: true
roles:
- xcp_guest_tools
+6
@@ -0,0 +1,6 @@
---
collections:
- name: ansible.posix
version: ">=1.5.0"
- name: community.general
version: ">=8.0.0"
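Review bot: The `version: ">=1.5.0"` and `version: ">=8.0.0"` ranges only set a floor, so each `ansible-galaxy collection install -r requirements.yml` resolves to whatever the newest release is at that moment, and two machines bootstrapped on different days can run different collection code. For a reproducible and reviewable supply chain, pin exact versions (e.g. `version: "1.5.0"` for `ansible.posix`) and bump them deliberately, or at least add an upper bound to each range.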
+66
@@ -0,0 +1,66 @@
---
- name: Load OS-specific package variables
ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}"
vars:
params:
files:
- "{{ ansible_facts['distribution'] }}.yml"
- "{{ ansible_facts['os_family'] }}.yml"
paths:
- "{{ role_path }}/vars"
- name: Install EPEL repository
when: base_packages_install_epel | default(false)
ansible.builtin.dnf:
name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_facts['distribution_major_version'] }}.noarch.rpm"
state: present
disable_gpg_check: true
become: true
- name: Import EPEL GPG key
when: base_packages_install_epel | default(false)
ansible.builtin.rpm_key:
key: "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-{{ ansible_facts['distribution_major_version'] }}"
state: present
become: true
- name: Install required packages
ansible.builtin.package:
name: "{{ base_packages }}"
state: present
become: true
register: base_packages_install
tags:
- install_packages
- name: Collect service facts after package validation
ansible.builtin.service_facts:
when: "'snapd' in base_packages"
- name: Report snapd service would be enabled after package install
ansible.builtin.debug:
msg: "snapd would be enabled and started after the snapd package is installed."
changed_when: true
when:
- "'snapd' in base_packages"
- ansible_check_mode | default(false) | bool
- "'snapd.service' not in ansible_facts.services"
- name: Start snapd
ansible.builtin.service:
name: snapd
state: started
enabled: true
become: true
when:
- "'snapd' in base_packages"
- "'snapd.service' in ansible_facts.services"
- name: Install lsd via snap
community.general.snap:
name: lsd
state: present
become: true
when:
- base_packages_use_snap_lsd | default(false)
- not ansible_check_mode | default(false) | bool
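Review bot: `disable_gpg_check: true` on the `Install EPEL repository` task installs an RPM fetched from dl.fedoraproject.org without any signature verification, and the `Import EPEL GPG key` task that follows only adds the key after the unverified package is already on the system, so the check protects nothing for this install. Recent Rocky and CentOS releases ship `epel-release` in their own signed extras repository; `ansible.builtin.dnf` with `name: epel-release` and GPG checking left on avoids the unverified download entirely. If the URL form must stay, import the key before the install and remove `disable_gpg_check: true`.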
+13
@@ -0,0 +1,13 @@
---
base_packages:
- git
- vim
- btop
- bat
- snapd
- zsh
- neofetch
- unzip
- stow
- curl
base_packages_use_snap_lsd: true
+17
@@ -0,0 +1,17 @@
---
base_packages:
- git
- vim-enhanced
- vim
- powerline-fonts
- btop
- tmux
- bat
- snapd
- zsh
- neofetch
- util-linux-user
- unzip
- stow
base_packages_use_snap_lsd: true
base_packages_install_epel: true
+13
@@ -0,0 +1,13 @@
---
base_packages:
- git
- vim
- btop
- bat
- snapd
- zsh
- neofetch
- unzip
- stow
- curl
base_packages_use_snap_lsd: true
+13
@@ -0,0 +1,13 @@
---
cockpit_manage_netplan_renderer: false
cockpit_manage_unmanaged_devices: false
cockpit_networkmanager_manage_device_regex: '^(en|eth)'
cockpit_networkmanager_ignore_device_regex: '^(lo|docker|br-|veth|virbr|wg|tailscale)'
cockpit_packages_by_os_family:
Debian:
- cockpit
- cockpit-networkmanager
- network-manager
RedHat:
- cockpit
- NetworkManager
+6
@@ -0,0 +1,6 @@
---
- name: Restart NetworkManager
ansible.builtin.service:
name: NetworkManager
state: restarted
become: true
+171
@@ -0,0 +1,171 @@
---
- name: Set Cockpit package list
ansible.builtin.set_fact:
cockpit_packages: "{{ cockpit_packages_by_os_family[ansible_facts['os_family']] | default(['cockpit']) }}"
- name: Install Cockpit packages
ansible.builtin.package:
name: "{{ cockpit_packages }}"
state: present
become: true
- name: Ensure NetworkManager is enabled and running
ansible.builtin.systemd:
name: NetworkManager
state: started
enabled: true
become: true
when: ansible_facts['os_family'] in ['Debian', 'RedHat']
- name: Enable and start Cockpit socket
ansible.builtin.systemd:
name: cockpit.socket
state: started
enabled: true
become: true
- name: Check Debian interfaces file
ansible.builtin.stat:
path: /etc/network/interfaces
register: cockpit_interfaces_file
when: ansible_facts['os_family'] == 'Debian'
- name: Check NetworkManager configuration
ansible.builtin.stat:
path: /etc/NetworkManager/NetworkManager.conf
register: cockpit_networkmanager_conf
when: ansible_facts['os_family'] == 'Debian'
- name: Let NetworkManager manage ifupdown interfaces
ansible.builtin.replace:
path: /etc/NetworkManager/NetworkManager.conf
regexp: '^managed=false$'
replace: 'managed=true'
become: true
when:
- ansible_facts['os_family'] == 'Debian'
- cockpit_networkmanager_conf.stat.exists
- cockpit_interfaces_file.stat.exists
notify: Restart NetworkManager
- name: Comment out legacy interfaces file entries
when:
- ansible_facts['os_family'] == 'Debian'
- cockpit_interfaces_file.stat.exists
ansible.builtin.replace:
path: /etc/network/interfaces
regexp: '^([^#].*)$'
replace: '#\1'
become: true
- name: Find Netplan files
ansible.builtin.find:
paths: /etc/netplan
patterns:
- "*.yaml"
- "*.yml"
file_type: file
register: cockpit_netplan_files
become: true
when: ansible_facts['os_family'] == 'Debian'
- name: Restrict Netplan file permissions
ansible.builtin.file:
path: "{{ item.path }}"
mode: "0600"
loop: "{{ cockpit_netplan_files.files | default([]) }}"
loop_control:
label: "{{ item.path }}"
become: true
when: ansible_facts['os_family'] == 'Debian'
- name: Check Netplan renderer
ansible.builtin.command: netplan get network.renderer
register: cockpit_netplan_renderer
changed_when: false
failed_when: false
check_mode: false
become: true
when: ansible_facts['os_family'] == 'Debian'
- name: Report Netplan renderer migration needed
ansible.builtin.debug:
msg: "Netplan renderer is '{{ cockpit_netplan_renderer.stdout | default('unset') | trim }}'; Cockpit networking needs NetworkManager. Set cockpit_manage_netplan_renderer: true to install /etc/netplan/99-ansible-networkmanager.yaml and apply it."
changed_when: true
when:
- ansible_facts['os_family'] == 'Debian'
- cockpit_netplan_renderer.stdout | default('') | trim != 'NetworkManager'
- not cockpit_manage_netplan_renderer | default(false) | bool
- name: Configure Netplan to use NetworkManager
ansible.builtin.copy:
dest: /etc/netplan/99-ansible-networkmanager.yaml
mode: "0600"
backup: true
content: |
network:
version: 2
renderer: NetworkManager
register: cockpit_netplan_networkmanager
become: true
when:
- ansible_facts['os_family'] == 'Debian'
- cockpit_manage_netplan_renderer | default(false) | bool
- name: Validate Netplan configuration
ansible.builtin.command: netplan generate
changed_when: false
check_mode: false
become: true
when:
- ansible_facts['os_family'] == 'Debian'
- cockpit_manage_netplan_renderer | default(false) | bool
- name: Apply Netplan NetworkManager renderer
ansible.builtin.command: netplan apply
become: true
when:
- ansible_facts['os_family'] == 'Debian'
- cockpit_manage_netplan_renderer | default(false) | bool
- cockpit_netplan_networkmanager.changed
- name: Read NetworkManager device status
ansible.builtin.command: nmcli -t -f DEVICE,TYPE,STATE,CONNECTION device status
register: cockpit_nmcli_devices
changed_when: false
check_mode: false
become: true
when: ansible_facts['os_family'] in ['Debian', 'RedHat']
- name: Report unmanaged NetworkManager ethernet devices
ansible.builtin.debug:
msg: "NetworkManager reports {{ item.split(':')[0] }} as unmanaged. Set cockpit_manage_unmanaged_devices: true to run nmcli device set {{ item.split(':')[0] }} managed yes."
loop: "{{ cockpit_nmcli_devices.stdout_lines | default([]) }}"
loop_control:
label: "{{ item.split(':')[0] }}"
changed_when: true
when:
- item is regex('^[^:]+:ethernet:unmanaged:')
- item.split(':')[0] is regex(cockpit_networkmanager_manage_device_regex)
- not (item.split(':')[0] is regex(cockpit_networkmanager_ignore_device_regex))
- not cockpit_manage_unmanaged_devices | default(false) | bool
- name: Mark unmanaged ethernet devices as managed by NetworkManager
ansible.builtin.command:
argv:
- nmcli
- device
- set
- "{{ item.split(':')[0] }}"
- managed
- "yes"
loop: "{{ cockpit_nmcli_devices.stdout_lines | default([]) }}"
loop_control:
label: "{{ item.split(':')[0] }}"
become: true
when:
- item is regex('^[^:]+:ethernet:unmanaged:')
- item.split(':')[0] is regex(cockpit_networkmanager_manage_device_regex)
- not (item.split(':')[0] is regex(cockpit_networkmanager_ignore_device_regex))
- cockpit_manage_unmanaged_devices | default(false) | bool
- not ansible_check_mode | default(false) | bool
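Review bot: `Report Netplan renderer migration needed` fires on every run for any Debian-family host where netplan is not installed: `netplan get network.renderer` then fails (absorbed by `failed_when: false`), `stdout` is empty, the message reports the renderer as 'unset', and `changed_when: true` records drift that does not exist. Add a guard such as `- cockpit_netplan_renderer.rc | default(1) == 0` to that `when` list (or `stat` `/etc/netplan` first), and put the same guard on `Configure Netplan to use NetworkManager`, since writing `/etc/netplan/99-ansible-networkmanager.yaml` on such a host does nothing useful and the following `netplan generate` / `netplan apply` tasks will then fail. Separately, `nmcli device set <dev> managed yes` is, as far as I know, a runtime-only setting, so the `Mark unmanaged ethernet devices` task may need repeating after every NetworkManager restart; a comment stating that limitation on the task would save the next reader a surprise.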
+2
@@ -0,0 +1,2 @@
---
dotfiles_manage_packages: false
+95
@@ -0,0 +1,95 @@
---
- name: Ensure dotfile prerequisites are installed
ansible.builtin.package:
name:
- git
- stow
state: present
become: true
when: dotfiles_manage_packages | default(false) | bool
tags:
- dotfiles
- dotfiles_packages
- name: Create dotfiles directory
ansible.builtin.file:
path: "{{ dotfiles_dest }}"
state: directory
mode: "0755"
tags:
- dotfiles
- dotfiles_config
- name: Clone dotfiles repository
ansible.builtin.git:
repo: "{{ dotfiles_repo }}"
dest: "{{ dotfiles_dest }}"
update: true
when: not ansible_check_mode | default(false) | bool
tags:
- dotfiles
- dotfiles_config
- name: Check dotfiles checkout
ansible.builtin.stat:
path: "{{ dotfiles_dest }}/.git"
register: dotfiles_checkout
tags:
- dotfiles
- dotfiles_stow
- name: Report missing dotfiles checkout
ansible.builtin.debug:
msg: "{{ dotfiles_repo }} would be cloned to {{ dotfiles_dest }}"
changed_when: true
when:
- ansible_check_mode | default(false) | bool
- not dotfiles_checkout.stat.exists
tags:
- dotfiles
- dotfiles_config
- name: Simulate stow dotfiles
ansible.builtin.command:
cmd: stow --simulate --verbose=1 .
chdir: "{{ dotfiles_dest }}"
register: dotfiles_stow_check
check_mode: false
changed_when: dotfiles_stow_check.stdout | trim != ""
when:
- ansible_check_mode | default(false) | bool
- dotfiles_checkout.stat.exists
tags:
- dotfiles
- dotfiles_stow
- name: Apply stow dotfiles
ansible.builtin.command:
cmd: stow --verbose=1 .
chdir: "{{ dotfiles_dest }}"
register: dotfiles_stow
changed_when: dotfiles_stow.stdout | trim != ""
when: not ansible_check_mode | default(false) | bool
tags:
- dotfiles
- dotfiles_stow
- name: Check zshrc
ansible.builtin.stat:
path: "{{ ansible_facts['user_dir'] }}/.zshrc"
register: dotfiles_zshrc
tags:
- dotfiles
- dotfiles_config
- name: Use batcat alias on Debian
when:
- ansible_facts['os_family'] == 'Debian'
- dotfiles_zshrc.stat.exists
ansible.builtin.replace:
path: "{{ ansible_facts['user_dir'] }}/.zshrc"
regexp: 'cat=bat\b'
replace: 'cat=batcat'
tags:
- dotfiles
- dotfiles_config
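Review bot: `changed_when: dotfiles_stow_check.stdout | trim != ""` on `Simulate stow dotfiles`, and the matching `dotfiles_stow.stdout` test on `Apply stow dotfiles`, will never be true, because GNU Stow sends its `--verbose` log to standard error rather than standard output; both tasks therefore always report `ok`, and the check-mode simulation never shows pending links. Test the other stream instead, `changed_when: dotfiles_stow.stderr | trim != ""` (and likewise for the simulate task), or compare the link set before and after. Also worth noting: `Clone dotfiles repository` follows the remote HEAD with no `version:`, so each run applies whatever last landed upstream; pin a branch or tag if reproducible bootstraps matter.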
+13
@@ -0,0 +1,13 @@
---
- name: Rmmod ipv6
community.general.modprobe:
name: ipv6
state: absent
become: true
failed_when: false
- name: Restart NetworkManager
ansible.builtin.service:
name: NetworkManager
state: restarted
become: true
+47
@@ -0,0 +1,47 @@
---
- name: Disable IPv6 with sysctl
ansible.posix.sysctl:
name: "{{ item }}"
value: "1"
state: present
reload: true
loop:
- net.ipv6.conf.all.disable_ipv6
- net.ipv6.conf.default.disable_ipv6
- net.ipv6.conf.lo.disable_ipv6
become: true
- name: Blacklist ipv6 in modprobe (Debian)
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
line: "blacklist ipv6"
mode: "0644"
create: true
become: true
when: ansible_facts['os_family'] == 'Debian'
notify: Rmmod ipv6
- name: Disable ipv6 via modprobe alias (RedHat)
ansible.builtin.lineinfile:
path: /etc/modprobe.d/ipv6.conf
line: "install ipv6 /bin/true"
mode: "0644"
create: true
become: true
when: ansible_facts['os_family'] == 'RedHat'
notify: Rmmod ipv6
- name: Disable IPv6 in sysconfig/network (RedHat)
ansible.builtin.lineinfile:
path: /etc/sysconfig/network
regexp: "^{{ item.regexp }}"
line: "{{ item.line }}"
mode: "0644"
backup: true
create: true
loop:
- { regexp: "NETWORKING_IPV6=.*", line: "NETWORKING_IPV6=NO" }
- { regexp: "IPV6INIT=.*", line: "IPV6INIT=no" }
become: true
when: ansible_facts['os_family'] == 'RedHat'
notify: Restart NetworkManager
+99
@@ -0,0 +1,99 @@
---
- name: Load kernel modules for containerd
community.general.modprobe:
name: "{{ item }}"
state: present
loop:
- overlay
- br_netfilter
become: true
- name: Persist kernel modules for containerd
ansible.builtin.copy:
dest: /etc/modules-load.d/containerd.conf
mode: "0644"
content: |
overlay
br_netfilter
become: true
- name: Configure Kubernetes sysctl settings
ansible.posix.sysctl:
name: "{{ item.key }}"
value: "{{ item.value }}"
state: present
reload: true
sysctl_file: /etc/sysctl.d/99-kubernetes-cri.conf
loop:
- { key: net.bridge.bridge-nf-call-iptables, value: "1" }
- { key: net.ipv4.ip_forward, value: "1" }
- { key: net.bridge.bridge-nf-call-ip6tables, value: "1" }
become: true
- name: Add Docker CE repository
ansible.builtin.yum_repository:
name: docker-ce
description: Docker CE Stable
baseurl: https://download.docker.com/linux/centos/$releasever/$basearch/stable
gpgcheck: true
gpgkey: https://download.docker.com/linux/centos/gpg
enabled: true
become: true
- name: Install containerd.io
ansible.builtin.package:
name: containerd.io
state: present
become: true
- name: Ensure containerd config directory exists
ansible.builtin.file:
path: /etc/containerd
state: directory
mode: "0755"
become: true
- name: Generate default containerd config
ansible.builtin.shell: containerd config default > /etc/containerd/config.toml
args:
creates: /etc/containerd/config.toml
become: true
- name: Restart containerd
ansible.builtin.systemd:
name: containerd
state: restarted
enabled: true
become: true
- name: Configure Kubernetes yum repository
ansible.builtin.yum_repository:
name: kubernetes
description: Kubernetes
baseurl: https://pkgs.k8s.io/core:/stable:/v1.30/rpm/
enabled: true
gpgcheck: true
repo_gpgcheck: true
gpgkey: https://pkgs.k8s.io/core:/stable:/v1.30/rpm/repodata/repomd.xml.key
become: true
- name: Install Kubernetes packages
ansible.builtin.package:
name:
- kubelet
- kubeadm
- kubectl
state: present
become: true
- name: Disable swap immediately
ansible.builtin.command: swapoff -a
become: true
changed_when: false
- name: Disable swap in fstab
ansible.builtin.replace:
path: /etc/fstab
regexp: '^([^#].*?\sswap\s+)'
replace: '# \1'
become: true
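Review bot: `Restart containerd` runs unconditionally, so every play restarts the container runtime on all masters and workers even when nothing changed, which disrupts running pods and makes the role report `changed` on each run. Move the restart into a handler and `notify` it from `Generate default containerd config` (and from `Install containerd.io`), leaving a `state: started` plus `enabled: true` `ansible.builtin.systemd` task in the task list so a fresh host still gets the service up. The `Add Docker CE repository` task keeps `gpgcheck: true` with the vendor key, which is the right default for a repository that feeds the runtime; keep that when the repo task is touched again.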
+20
@@ -0,0 +1,20 @@
---
- name: Load OS-specific sudo variables
ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}"
vars:
params:
files:
- "{{ ansible_facts['distribution'] }}.yml"
- "{{ ansible_facts['os_family'] }}.yml"
paths:
- "{{ role_path }}/vars"
- name: Install passwordless sudo for admin group
ansible.builtin.copy:
dest: "/etc/sudoers.d/95-ansible-admin"
content: |
# Managed by Ansible
%{{ sudo_admin_group }} ALL=(ALL) NOPASSWD: ALL
mode: "0440"
validate: "visudo -cf %s"
become: true
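Review bot: `Load OS-specific sudo variables` uses `include_vars`, whose precedence sits above group_vars and host_vars, so the `sudo_admin_group` values in the `group_vars` files added earlier in this commit (`sudo_admin_group: sudo` / `sudo_admin_group: wheel`) and any `host_vars` override are silently replaced by the role's own `vars/*.yml` and cannot select a different group. Either guard the include with `when: sudo_admin_group is not defined`, or have the vars files set a role-private name (e.g. a constructed `passwordless_sudo_default_group`) and reference `sudo_admin_group | default(passwordless_sudo_default_group)` in the copy task. The `validate: "visudo -cf %s"` step and `mode: "0440"` are exactly what a sudoers drop-in needs; keep them, since a syntax error in that file would otherwise disable sudo on the host.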
+2
@@ -0,0 +1,2 @@
---
sudo_admin_group: sudo
+2
@@ -0,0 +1,2 @@
---
sudo_admin_group: wheel
+2
@@ -0,0 +1,2 @@
---
sudo_admin_group: sudo
+6
@@ -0,0 +1,6 @@
---
- name: Restart Unbound
ansible.builtin.service:
name: unbound
state: restarted
become: true
+64
@@ -0,0 +1,64 @@
---
- name: Install Unbound
ansible.builtin.apt:
name: unbound
state: present
become: true
- name: Download root hints
ansible.builtin.get_url:
url: https://www.internic.net/domain/named.root
dest: /var/lib/unbound/root.hints
mode: "0644"
become: true
- name: Configure Unbound for Pi-hole
ansible.builtin.template:
src: pi-hole.conf.j2
dest: /etc/unbound/unbound.conf.d/pi-hole.conf
mode: "0644"
become: true
notify: Restart Unbound
- name: Create Pi-hole group
ansible.builtin.group:
name: pihole
state: present
become: true
- name: Create Pi-hole user
ansible.builtin.user:
name: pihole
group: pihole
groups: pihole,www-data
uid: 999
become: true
- name: Create /etc/pihole directory
ansible.builtin.file:
path: /etc/pihole
state: directory
owner: pihole
group: pihole
mode: "0755"
become: true
- name: Deploy Pi-hole setupVars.conf
ansible.builtin.template:
src: pi-hole-vars.conf.j2
dest: /etc/pihole/setupVars.conf
mode: "0644"
become: true
- name: Download Pi-hole installer
ansible.builtin.get_url:
url: https://install.pi-hole.net
dest: /tmp/install-pihole.sh
mode: "0740"
become: true
- name: Install Pi-hole unattended
ansible.builtin.command: /tmp/install-pihole.sh --unattended
args:
creates: /usr/local/bin/pihole
become: true
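Review bot: The installer is fetched into the world-writable `/tmp` at a predictable path and then executed with `become: true`; between `get_url` and `command` another local user can replace `/tmp/install-pihole.sh`, and `get_url` will not re-download when the file already exists. Keep the script in a root-owned location, e.g. `dest: /usr/local/src/install-pihole.sh` with `owner: root` and `mode: "0700"`, and point `ansible.builtin.command` at that path. `uid: 999` for the `pihole` user is hard-coded; on Debian that value sits in the system-account range and may already be taken, so the `user` task can collide — consider `system: true` and letting the system allocate the uid unless the fixed value is required. Likewise `get_url` for `root.hints` never refreshes an existing file (default `force: false`), so the hints downloaded on the first run are kept indefinitely.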
@@ -3,8 +3,8 @@ WEBPASSWORD=
ADMIN_EMAIL=
WEBUIBOXEDLAYOUT=boxed
WEBTHEME=default-dark
PIHOLE_INTERFACE=wlan0
IPV4_ADDRESS="{{ ansible_host }}"/24
PIHOLE_INTERFACE={{ pihole_interface | default(ansible_facts['default_ipv4']['interface'] | default('eth0')) }}
IPV4_ADDRESS="{{ ansible_host }}"/24
IPV6_ADDRESS=
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
@@ -17,4 +17,4 @@ DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSSEC=false
REV_SERVER=false
BLOCKING_ENABLED=true
BLOCKING_ENABLED=true
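Review bot: `IPV4_ADDRESS="{{ ansible_host }}"/24` still hard-codes the prefix length and uses the inventory connection address, which may be a hostname or alias rather than the IP of the interface now selected from `default_ipv4`; the quoting also wraps only the address, producing `"x.x.x.x"/24`. When `pihole_interface` is left at its default the address can come from the same facts: `IPV4_ADDRESS={{ ansible_facts['default_ipv4']['address'] }}/{{ ansible_facts['default_ipv4']['prefix'] | default('24') }}` (the `prefix` key is present in recent Ansible network facts; verify on the target version). The context line `WEBPASSWORD=` shows the web admin password still empty, so the unattended install leaves the admin UI without a password; source it from a vaulted variable before this template is used on a reachable interface.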
+23
@@ -0,0 +1,23 @@
server:
logfile: "/var/log/unbound/unbound.log"
verbosity: 1
interface: 127.0.0.1
port: 5353
do-ip4: yes
do-udp: yes
do-tcp: yes
do-ip6: no
root-hints: "/var/lib/unbound/root.hints"
harden-glue: yes
harden-dnssec-stripped: yes
use-caps-for-id: no
edns-buffer-size: 1472
prefetch: yes
num-threads: 1
so-rcvbuf: 1m
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
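Review bot: The move to a `.j2` template dropped every explanatory comment the previous static config carried (why `use-caps-for-id: no`, the `edns-buffer-size` rationale, the `root-hints` precondition), so the new file no longer says why each hardening option is set; restore those lines as `#` comments since they are the only documentation of these choices. The template contains no Jinja expressions, so it could also stay a plain file delivered with `ansible.builtin.copy` if templating is not planned. `harden-dnssec-stripped: yes` assumes a trust anchor is configured elsewhere (`auto-trust-anchor-file`), which this file does not set; on Debian that typically comes from the package's own `unbound.conf.d` snippet, so a comment noting the dependency would stop someone removing it.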
+7
@@ -0,0 +1,7 @@
---
- name: Set SELinux to permissive
ansible.posix.selinux:
policy: targeted
state: permissive
become: true
when: ansible_facts['os_family'] == 'RedHat'
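Review bot: Setting `state: permissive` lowers enforcement on every RedHat-family host the site playbook touches, and nothing in the role records why; a comment above the task such as `# Permissive (not disabled) so denials are still logged; needed by <service, placeholder>` keeps the downgrade deliberate. The `when` guard covers OS family but not hosts where SELinux is disabled in the kernel (`ansible_facts['selinux']['status'] == 'disabled'`), where `ansible.posix.selinux` may fail rather than skip; add that condition if such hosts exist in the inventory. `ansible.posix.selinux` is a collection module, so `requirements.yml` should list `ansible.posix`.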
+10
@@ -0,0 +1,10 @@
---
terminal_manage_packages: false
terminal_zsh_path: /usr/bin/zsh
terminal_zsh_plugins:
- name: zsh-autosuggestions
repo: https://github.com/zsh-users/zsh-autosuggestions
- name: zsh-completions
repo: https://github.com/zsh-users/zsh-completions
- name: zsh-syntax-highlighting
repo: https://github.com/zsh-users/zsh-syntax-highlighting.git
+43
@@ -0,0 +1,43 @@
---
- name: Set user home directory
ansible.builtin.set_fact:
user_home: "{{ ansible_facts['user_dir'] }}"
- name: Ensure fonts directory exists
ansible.builtin.file:
path: "{{ user_home }}/.fonts"
state: directory
mode: "0755"
- name: Check fonts directory
ansible.builtin.stat:
path: "{{ user_home }}/.fonts"
register: terminal_fonts_dir
- name: Check for Hack Nerd Font
ansible.builtin.find:
paths: "{{ user_home }}/.fonts"
patterns: "Hack*Nerd*Font*Complete*"
register: terminal_hack_fonts
when:
- terminal_fonts_dir.stat.exists
- terminal_fonts_dir.stat.isdir
- name: Download Hack Nerd Font
when:
- not terminal_fonts_dir.stat.exists or terminal_hack_fonts.matched | default(0) == 0
- not ansible_check_mode | default(false) | bool
ansible.builtin.unarchive:
src: https://github.com/ryanoasis/nerd-fonts/releases/latest/download/Hack.zip
dest: "{{ user_home }}/.fonts/"
remote_src: true
- name: Report missing Hack Nerd Font
ansible.builtin.debug:
msg: "Hack Nerd Font would be downloaded to {{ user_home }}/.fonts/"
changed_when: true
when:
- ansible_check_mode | default(false) | bool
- terminal_fonts_dir.stat.exists
- terminal_fonts_dir.stat.isdir
- terminal_hack_fonts.matched | default(0) == 0
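Review bot: `patterns: "Hack*Nerd*Font*Complete*"` no longer matches what `Hack.zip` from the latest nerd-fonts release contains — since v3.0.0 the files are named like `HackNerdFont-Regular.ttf`, without `Complete` — so `terminal_hack_fonts.matched` stays 0 and the archive is re-downloaded and re-extracted on every run. Use `patterns: "Hack*Nerd*Font*"`, or drop the stat/find pair and give `unarchive` a `creates:` argument pointing at one extracted file. The `not terminal_fonts_dir.stat.exists` half of the download condition is always false outside check mode because the `file` task just created the directory. The download also pulls `releases/latest` with no checksum; pinning a release tag in a role variable makes the fonts reproducible and lets `get_url`/`unarchive` verify a known archive.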
+25
@@ -0,0 +1,25 @@
---
- name: Install terminal packages
ansible.builtin.import_tasks: packages.yml
when: terminal_manage_packages | default(false) | bool
tags:
- terminal
- terminal_packages
- name: Configure zsh
ansible.builtin.import_tasks: zsh.yml
tags:
- terminal
- terminal_config
- name: Install terminal fonts
ansible.builtin.import_tasks: fonts.yml
tags:
- terminal
- terminal_fonts
- name: Install zsh plugins
ansible.builtin.import_tasks: plugins.yml
tags:
- terminal
- terminal_plugins
+9
@@ -0,0 +1,9 @@
---
- name: Ensure terminal packages are installed
ansible.builtin.package:
name:
- git
- zsh
- unzip
state: present
become: true
+53
@@ -0,0 +1,53 @@
---
- name: Set user home directory
ansible.builtin.set_fact:
user_home: "{{ ansible_facts['user_dir'] }}"
- name: Check Oh My Zsh checkout
ansible.builtin.stat:
path: "{{ user_home }}/.oh-my-zsh/.git"
register: terminal_ohmyzsh_checkout
- name: Report missing Oh My Zsh checkout
ansible.builtin.debug:
msg: "Oh My Zsh would be cloned to {{ user_home }}/.oh-my-zsh"
changed_when: true
when:
- ansible_check_mode | default(false) | bool
- not terminal_ohmyzsh_checkout.stat.exists
- name: Install Oh My Zsh
ansible.builtin.git:
repo: https://github.com/ohmyzsh/ohmyzsh.git
dest: "{{ user_home }}/.oh-my-zsh"
depth: 1
when: not ansible_check_mode | default(false) | bool
- name: Check zsh plugin checkouts
ansible.builtin.stat:
path: "{{ user_home }}/.oh-my-zsh/custom/plugins/{{ item.name }}/.git"
loop: "{{ terminal_zsh_plugins }}"
loop_control:
label: "{{ item.name }}"
register: terminal_zsh_plugin_checkouts
- name: Report missing zsh plugin checkouts
ansible.builtin.debug:
msg: "{{ item.item.name }} would be cloned to {{ user_home }}/.oh-my-zsh/custom/plugins/{{ item.item.name }}"
loop: "{{ terminal_zsh_plugin_checkouts.results }}"
loop_control:
label: "{{ item.item.name }}"
changed_when: true
when:
- ansible_check_mode | default(false) | bool
- not item.stat.exists
- name: Install zsh plugins
ansible.builtin.git:
repo: "{{ item.repo }}"
dest: "{{ user_home }}/.oh-my-zsh/custom/plugins/{{ item.name }}"
depth: 1
loop: "{{ terminal_zsh_plugins }}"
loop_control:
label: "{{ item.name }}"
when: not ansible_check_mode | default(false) | bool
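Review bot: `ansible.builtin.git` is given no `version`, so each plugin clone tracks whatever the remote's default branch points at when the task runs; these repositories are sourced into every interactive shell, so pin them by adding `version: "{{ item.version | default('HEAD') }}"` to the task and a `version:` (tag or commit) per entry in `terminal_zsh_plugins`. The same applies to the Oh My Zsh clone above and to the Vim plugin task in the vim role's `plugins.yml`, where `update: true` additionally pulls new commits on every run. With `depth: 1`, `version` may need to be a branch or tag rather than an arbitrary commit unless the remote allows fetching by SHA.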
+12
@@ -0,0 +1,12 @@
---
- name: Check zsh binary
ansible.builtin.stat:
path: "{{ terminal_zsh_path | default('/usr/bin/zsh') }}"
register: terminal_zsh_binary
- name: Set default shell to zsh
ansible.builtin.user:
name: "{{ ansible_user_id }}"
shell: "{{ terminal_zsh_path | default('/usr/bin/zsh') }}"
become: true
when: terminal_zsh_binary.stat.exists
+7
@@ -0,0 +1,7 @@
---
vim_manage_packages: false
vim_plugins:
- name: lightline
repo: https://github.com/itchyny/lightline.vim.git
- name: nerdtree
repo: https://github.com/preservim/nerdtree
+14
@@ -0,0 +1,14 @@
---
- name: Set Vim paths
ansible.builtin.set_fact:
vim_dir: "{{ ansible_facts['user_dir'] }}/.vim"
- name: Ensure .vim directories exist
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0750"
loop:
- "{{ vim_dir }}"
- "{{ vim_dir }}/autoload"
- "{{ vim_dir }}/bundle"
+25
@@ -0,0 +1,25 @@
---
- name: Install Vim packages
ansible.builtin.import_tasks: packages.yml
when: vim_manage_packages | default(false) | bool
tags:
- vim
- vim_packages
- name: Create Vim directories
ansible.builtin.import_tasks: directories.yml
tags:
- vim
- vim_config
- name: Install Vim plugins
ansible.builtin.import_tasks: plugins.yml
tags:
- vim
- vim_plugins
- name: Configure Vim-adjacent shell theme
ansible.builtin.import_tasks: theme.yml
tags:
- vim
- vim_theme
+8
@@ -0,0 +1,8 @@
---
- name: Ensure Vim package dependencies are installed
ansible.builtin.package:
name:
- git
- vim
state: present
become: true
+34
@@ -0,0 +1,34 @@
---
- name: Set Vim paths
ansible.builtin.set_fact:
vim_dir: "{{ ansible_facts['user_dir'] }}/.vim"
- name: Check Vim plugin checkouts
ansible.builtin.stat:
path: "{{ vim_dir }}/bundle/{{ item.name }}/.git"
loop: "{{ vim_plugins }}"
loop_control:
label: "{{ item.name }}"
register: vim_plugin_checkouts
- name: Report missing Vim plugin checkouts
ansible.builtin.debug:
msg: "{{ item.item.name }} would be cloned to {{ vim_dir }}/bundle/{{ item.item.name }}"
loop: "{{ vim_plugin_checkouts.results }}"
loop_control:
label: "{{ item.item.name }}"
changed_when: true
when:
- ansible_check_mode | default(false) | bool
- not item.stat.exists
- name: Deploy Vim plugins
ansible.builtin.git:
dest: "{{ vim_dir }}/bundle/{{ item.name }}"
repo: "{{ item.repo }}"
clone: true
update: true
loop: "{{ vim_plugins }}"
loop_control:
label: "{{ item.name }}"
when: not ansible_check_mode | default(false) | bool
+13
@@ -0,0 +1,13 @@
---
- name: Check Oh My Zsh eastwood theme
ansible.builtin.stat:
path: "{{ ansible_facts['user_dir'] }}/.oh-my-zsh/themes/eastwood.zsh-theme"
register: vim_eastwood_theme
- name: Customize Oh My Zsh eastwood theme prompt
ansible.builtin.lineinfile:
path: "{{ ansible_facts['user_dir'] }}/.oh-my-zsh/themes/eastwood.zsh-theme"
regexp: '^PROMPT=(.*)$'
line: "PROMPT='$USER@%{$fg[yellow]%}%m $(git_custom_status)%{$fg[cyan]%}[%~% ]%{$reset_color%}%B$%b '"
backrefs: true
when: vim_eastwood_theme.stat.exists
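Review bot: `lineinfile` edits `themes/eastwood.zsh-theme` inside the Oh My Zsh git checkout that the terminal role maintains with `ansible.builtin.git` (default `update: true`, `force: false`); once this tracked file is modified, that git task is expected to refuse to update the working tree because of local modifications, so the second run of the site playbook breaks in the terminal role. Keep the customised prompt out of the tracked tree by copying the theme into `custom/themes/` and editing that copy (Oh My Zsh loads `$ZSH_CUSTOM/themes/<name>.zsh-theme` in preference to the bundled one). `backrefs: true` is also unnecessary since `line` uses no `\1` group. Because the task configures the zsh prompt, it belongs in the terminal role rather than vim.
```yaml
- name: Copy eastwood theme into the custom themes directory
  ansible.builtin.copy:
    src: "{{ ansible_facts['user_dir'] }}/.oh-my-zsh/themes/eastwood.zsh-theme"
    dest: "{{ ansible_facts['user_dir'] }}/.oh-my-zsh/custom/themes/eastwood.zsh-theme"
    remote_src: true
    force: false
    mode: "0644"
  when: vim_eastwood_theme.stat.exists

- name: Customize Oh My Zsh eastwood theme prompt
  ansible.builtin.lineinfile:
    path: "{{ ansible_facts['user_dir'] }}/.oh-my-zsh/custom/themes/eastwood.zsh-theme"
    regexp: '^PROMPT=(.*)$'
    # … unchanged: line: PROMPT=… value …
  when: vim_eastwood_theme.stat.exists
```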
+40
@@ -0,0 +1,40 @@
---
- name: Collect service facts
ansible.builtin.service_facts:
- name: Fetch latest xe-guest-utilities release
ansible.builtin.uri:
url: https://api.github.com/repos/xenserver/xe-guest-utilities/releases/latest
return_content: true
register: xcp_guest_utils_latest
- name: Select amd64 deb asset
ansible.builtin.set_fact:
xcp_guest_asset: "{{ xcp_guest_utils_latest.json.assets | selectattr('name', 'search', '_amd64\\.deb$') | list | first }}"
- name: Set download facts
ansible.builtin.set_fact:
xcp_guest_filename: "{{ xcp_guest_asset.name }}"
xcp_guest_url: "{{ xcp_guest_asset.browser_download_url }}"
when: xcp_guest_asset is defined
- name: Download xe-guest-utilities package
when: "'xe-linux-distribution.service' not in ansible_facts.services"
ansible.builtin.get_url:
url: "{{ xcp_guest_url }}"
dest: "/tmp/{{ xcp_guest_filename }}"
mode: "0644"
become: true
- name: Install xe-guest-utilities
when: "'xe-linux-distribution.service' not in ansible_facts.services"
ansible.builtin.apt:
deb: "/tmp/{{ xcp_guest_filename }}"
become: true
- name: Remove downloaded package
ansible.builtin.file:
path: "/tmp/{{ xcp_guest_filename }}"
state: absent
become: true
when: xcp_guest_filename is defined
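Review bot: The `.deb` is taken from `releases/latest` and installed as root with no pinning or integrity check, and the selection step runs even when the package is already present: `first` on an empty list raises, so `when: xcp_guest_asset is defined` on `Set download facts` can never be false, and the download/install tasks reference `xcp_guest_url` without checking it was set. Gate the `uri` and both `set_fact` tasks on the same `when: "'xe-linux-distribution.service' not in ansible_facts.services"` as the download, pin the release through a variable (e.g. `xcp_guest_version`) in the URL instead of `latest`, and if the release API response carries a digest for the asset (newer GitHub responses include one — verify) pass it to `get_url` as `checksum:`. As with the other downloads in this commit, writing the package to `/tmp` before a privileged `apt` install is better done under a root-owned directory.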
+6
@@ -0,0 +1,6 @@
---
- name: Disable IPv6
hosts: all
become: true
roles:
- ipv6_disable
+6
@@ -0,0 +1,6 @@
---
- name: Set SELinux permissive
hosts: all
become: true
roles:
- selinux
+6
@@ -0,0 +1,6 @@
---
- name: Kubernetes node prerequisites
hosts: masters:workers
become: true
roles:
- kubernetes
+6
@@ -0,0 +1,6 @@
---
- name: Pi-hole and Unbound
hosts: all
become: true
roles:
- pihole
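Review bot: `hosts: all` for a service playbook means a run without `--limit` installs Pi-hole and Unbound on every inventory host, while the intended target is a single DNS host; the Kubernetes playbook in this commit already scopes itself to `masters:workers`. Target a dedicated inventory group instead, e.g. `hosts: pihole  # group name is a suggestion`, so the blast radius is bounded by inventory rather than by what the operator remembers to type.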
+2
@@ -0,0 +1,2 @@
---
- ansible.builtin.import_playbook: site.yml
-61
@@ -1,61 +0,0 @@
---
- hosts: all
vars:
ansible_ssh_private_key_file: "/root/.ssh/id_ecdsa_sudouser"
tasks:
- name: Register current user (workaround to change default shell)
become: false
shell: whoami
register: current_user
- name: ensure fonts directory
file:
path: "{{ lookup('env', 'HOME') }}/.fonts"
state: directory
- name: Hack exists
shell: "ls {{ lookup('env', 'HOME') }}/.fonts/Hack*Nerd*Font*Complete*"
register: hack_exists
ignore_errors: yes
- name: Change default shell to zsh
become: true
shell: "chsh -s $(which zsh) {{ current_user.stdout }}"
- name: Install Oh My Zsh # noqa: latest
become: false
ansible.builtin.git:
repo: https://github.com/ohmyzsh/ohmyzsh.git
dest: ~/.oh-my-zsh
depth: 1
- name: Install zsh-autosuggestions plugin # noqa: latest
become: false
ansible.builtin.git:
repo: https://github.com/zsh-users/zsh-autosuggestions
dest: ~/.oh-my-zsh/custom/plugins/zsh-autosuggestions
depth: 1
- name: Install zsh-completions plugin # noqa: latest
become: false
ansible.builtin.git:
repo: https://github.com/zsh-users/zsh-completions
dest: ~/.oh-my-zsh/custom/plugins/zsh-completions
depth: 1
- name: Install zsh-syntax-highlighting plugin # noqa: latest
become: false
ansible.builtin.git:
repo: https://github.com/zsh-users/zsh-syntax-highlighting.git
dest: ~/.oh-my-zsh/custom/plugins/zsh-syntax-highlighting
depth: 1
- name: Download Hack
when: hack_exists is failed
ansible.builtin.unarchive:
src: https://github.com/ryanoasis/nerd-fonts/releases/latest/download/Hack.zip
dest: "{{ lookup('env', 'HOME') }}/.fonts/"
remote_src: yes
+25
@@ -0,0 +1,25 @@
---
- name: System configuration
hosts: all
become: true
roles:
- role: passwordless_sudo
tags: [sudo, security, bootstrap]
- role: base_packages
tags: [packages, bootstrap]
- role: cockpit
tags: [cockpit, bootstrap]
- role: ipv6_disable
tags: [ipv6, security, bootstrap]
- role: selinux
tags: [selinux, security, bootstrap]
- name: User configuration
hosts: all
roles:
- role: terminal
tags: [terminal, bootstrap]
- role: vim
tags: [vim, bootstrap]
- role: dotfiles
tags: [dotfiles, bootstrap]
-48
@@ -1,48 +0,0 @@
server:
# If no logfile is specified, syslog is used
logfile: "/var/log/unbound/unbound.log"
verbosity: 1
interface: 127.0.0.1
port: 5353
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# Use this only when you downloaded the list of primary root servers!
root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the servers authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
-42
@@ -1,42 +0,0 @@
---
- hosts: all
gather_facts: yes
become: no
vars:
vim_dir: "{{ ansible_env.HOME }}/.vim"
vimrc: "{{ ansible_env.HOME }}/.vimrc"
tasks:
- name: Ensure .vim/{autoload,bundle} directory exists
file:
path: "{{ item }}"
state: directory
recurse: no
mode: 0750
loop:
- "{{ vim_dir }}"
- "{{ vim_dir }}/autoload"
- "{{ vim_dir }}/bundle"
- name: Deploy plugins
git:
dest: "{{ vim_dir }}/bundle/{{ item.name }}"
repo: "{{ item.url }}"
clone: yes
update: yes
recursive: no
loop:
- name: lightline
url: https://github.com/itchyny/lightline.vim.git
- name: nerdtree
url: https://github.com/preservim/nerdtree
- name: Add user and host to prompt
become: no
lineinfile:
path: ~/.oh-my-zsh/themes/eastwood.zsh-theme
regexp: '^PROMPT=(.*)$'
line: "PROMPT='$USER@%{$fg[yellow]%}%m $(git_custom_status)%{$fg[cyan]%}[%~% ]%{$reset_color%}%B$%b '"
backrefs: yes