opal/ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

consolidating fedora setup

Browse Source
This commit is contained in:
Opal
2025-04-25 21:36:45 -07:00
parent d043599b60
commit 2c80d8d35f
16 changed files with 362 additions and 322 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
roles/fedora_base/handlers/main.yml
View File

@@ -1,5 +0,0 @@
---
- name: Restart NetworkManager
service:
name: NetworkManager
state: restarted

55
roles/fedora_base/tasks/main.yml
View File

@@ -1,55 +0,0 @@
---
- name: Create groups
group:
name: "{{ item }}"
state: present
loop: "{{ init_groups }}"
- name: Ensure Users are Configured Correctly
user:
name: "{{ item.value.name }}"
group: "{{ item.value.group }}"
groups: "{{ item.value.groups }}"
state: "{{ item.value.state }}"
create_home: "{{ item.value.create_home }}"
shell: "{{ item.value.shell }}"
loop: "{{ init_users | dict2items }}"
- name: Create or ensure presence of custom home directories
file:
path: /home/opal/{{ item }}
state: directory
mode: '0755'
owner: opal
group: opal
loop: "{{ create_directories }}"
- name: Remove default home directories if present
file:
path: /home/opal/{{ item }}
state: absent
loop: "{{ remove_directories }}"
# SSH Initial Setup
- name: Create/Ensure ~/.ssh directories
file:
path: "/home/{{ item.value.name }}/.ssh"
state: directory
mode: 0700
owner: "{{ item.value.name }}"
group: "{{ item.value.group }}"
loop: "{{ init_users | dict2items }}"
- name: Ensure systemd-timesyncd is enabled
systemd:
name: systemd-timesyncd
enabled: yes
- name: Ensure systemd-timesyncd is started
systemd:
name: systemd-timesyncd
state: started
- name: Set RTC to UTC
command:
cmd: timedatectl set-local-rtc 0

6
roles/fedora_base/templates/NetworkManager.conf.j2
View File

@@ -1,6 +0,0 @@
# MANAGED BY ANSIBLE #
[main]
plugins=ifupdown,keyfile
[ifupdown]
managed=true

4
roles/fedora_base/templates/resolv.conf.j2
View File

@@ -1,4 +0,0 @@
# This file is managed by Ansible #
nameserver 1.1.1.2
nameserver 1.0.0.2
nameserver 2606:4700:4700:0:0:0:0:1112

33
roles/fedora_base/vars/main.yml
View File

@@ -1,33 +0,0 @@
---
init_groups:
- wheel
remove_directories:
- Templates
- Videos
- Documents
- Music
- Downloads
- Pictures
- Public
- Desktop
create_directories:
- documents
- music
- downloads
- pictures
- scripts
- projects
- src
- .config
init_users:
opal:
name: opal
group: opal
groups:
- wheel
state: present
shell: /bin/bash
create_home: true

16
roles/fedora_git/tasks/main.yml
View File

@@ -1,16 +0,0 @@
---
- name: doom emacs repo
become: yes
become_user: opal
git:
repo: "{{ doom_emacs_repo }}"
dest: "{{ doom_emacs_dest }}"
update: no
- name: et-book font repo
become: yes
become_user: opal
git:
repo: "{{ etbook_repo }}"
dest: "{{ etbook_dest }}"
update: no

6
roles/fedora_git/vars/main.yml
View File

@@ -1,6 +0,0 @@
---
doom_emacs_repo: https://github.com/doomemacs/doomemacs
doom_emacs_dest: ~/.config/emacs
etbook_repo: https://github.com/edwardtufte/et-book
etbook_dest: ~/.local/share/fonts

48
roles/fedora_pkg/tasks/main.yml
View File

@@ -1,48 +0,0 @@
---
- name: Upgrade all packages
dnf5:
name: "*"
state: latest
- name: Enable guix repo for extra guile packages
community.general.copr:
host: copr.fedorainfracloud.org
state: enabled
name: "{{ item }}"
loop: "{{ copr_repos }}"
- name: Install window manager packages
package:
name: "{{ item }}"
state: present
loop: "{{ wm_packages }}"
- name: Install UI/Font packages
dnf5:
name: "{{ item }}"
state: present
loop: "{{ ui_packages }}"
- name: Install general packages
package:
name: "{{ item }}"
state: present
loop: "{{ general_packages }}"
- name: Install Doom Emacs dependency packages
dnf5:
name: "{{ item }}"
state: present
loop: "{{ doom_dep_packages }}"
- name: Add Flathub repository
flatpak_remote:
name: flathub
state: present
flatpakrepo_url: "https://flathub.org/repo/flathub.flatpakrepo"
- name: Install Flatpak packages
flatpak:
name: "{{ item }}"
state: present
loop: "{{ flatpak_packages }}"

82
roles/fedora_pkg/vars/main.yml
View File

@@ -1,82 +0,0 @@
---
copr_repos:
- swayfx/swayfx
wm_packages:
- swayfx
- swayidle
- swaylock
- alacritty
- waybar
- dunst
- pipewire
- polkit-kde-agent-1
- grim
- grimshot
- brightnessctl
- wlsunset
- wlogout
- xwayland-run
- wdisplays
- bemenu
- wtype
ui_packages:
- papirus-icon-theme
- arc-kde
- breeze-cursor-theme
- qt5ct
- qt6ct
- fontawesome-fonts-all
- google-noto-sans-cjk-fonts
- google-noto-color-emoji-fonts
- google-noto-emoji-fonts
- google-noto-sans-brahmi-fonts
- terminus-fonts
general_packages:
- emacs
- syncthing
- gopass
- cups
- keychain
- tldr
- exa
- gnupg2
- trash-cli
- htop
- mpv
- udiskie
- pavucontrol
- flatpak
- blueman
- beets
- unrar-free
- unzip
- lximage-qt
- screen
- playerctl # for waybar music notification
- simple-scan
- wireguard-tools
- dnf-automatic
- translate-shell
- mpv
flatpak_packages:
- net.ankiweb.Anki
- org.torproject.torbrowser-launcher
doom_dep_packages:
- fd-find
- ripgrep
- libtool # Needed to compile vterm in Doom Emacs
- cmake # Needed to compile vterm in Doom Emacs
- discount # Markdown Compiler
- ShellCheck # Shell linter for Doom Emacs
- python3-pyflakes
- python3-isort
- micropipenv
- python3-nose2
- python3-nose
- python3-pytest
- python3-lsp-black

5
roles/fedora_security/handlers/main.yml
View File

@@ -1,5 +0,0 @@
---
- name: Restart clamd
systemd:
name: clamd@scan
state: restarted

56
roles/fedora_security/tasks/main.yml
View File

@@ -1,56 +0,0 @@
---
- name: Set default firewalld zone to home
command:
cmd: firewall-cmd --set-default-zone=home
- name: Change interface to home zone
command:
cmd: firewall-cmd --zone=home --change-interface={{ network_interface }}
- name: Add allowed services to home zone
firewalld:
service: "{{ item }}"
zone: home
permanent: yes
state: enabled
loop: "{{ allowed_services }}"
- name: Enable logging for denied packets
command:
cmd: firewall-cmd --set-log-denied=all
- name: Reload firewalld
systemd:
name: firewalld
state: reloaded
- name: Ensure SELinux is enabled and in enforcing mode
selinux:
policy: targeted
state: enforcing
- name: Set SELinux to enforcing in config file
replace:
path: /etc/selinux/config
regexp: '^SELINUX=.*'
replace: 'SELINUX=enforcing'
- name: Install dnf-automatic for automatic security updates
package:
name: dnf-automatic
state: present
- name: Configure dnf-automatic
template:
src: dnf-automatic.conf.j2
dest: /etc/dnf/automatic.conf
owner: root
group: root
mode: '0644'
- name: Enable and start dnf-automatic timer
systemd:
name: dnf-automatic.timer
enabled: true
state: started

6
roles/fedora_security/vars/main.yml
View File

@@ -1,6 +0,0 @@
---
network_interface: wlp0s20f3
allowed_services:
- ssh
- dhcpv6-client
- mdns

197
roles/fedora_setup/tasks/main.yml Executable file
View File

@@ -0,0 +1,197 @@
---
# Packages and Updates
- name: Start dnf5-makecache timer
systemd:
name: dnf5-makecache.timer
enabled: true
state: started
tags:
- packages
- name: Enable COPR repositories
command:
cmd: dnf5 copr enable -y {{ item }}
creates: "/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:{{ item | replace('/', ':') }}.repo"
loop: "{{ copr_repos }}"
tags:
- packages
- name: Add LibreWolf repository
get_url:
url: https://repo.librewolf.net/librewolf.repo
dest: /etc/yum.repos.d/librewolf.repo
mode: '0644'
tags:
- packages
- name: Upgrade all packages
dnf5:
name: "*"
state: latest
tags:
- packages
- name: Install packages
package:
name: "{{ item }}"
state: present
loop: "{{ packages }}"
tags:
- packages
- name: Setup Flatpak and install packages
block:
- name: Add Flathub repository
flatpak_remote:
name: flathub
state: present
flatpakrepo_url: "https://flathub.org/repo/flathub.flatpakrepo"
- name: Install Flatpak packages
flatpak:
name: "{{ item }}"
state: present
loop: "{{ flatpak_packages }}"
tags:
- packages
# Base System Setup
- name: Create groups
group:
name: "{{ item }}"
state: present
loop: "{{ init_groups }}"
tags:
- base
- name: Ensure Users are Configured Correctly
user:
name: "{{ item.value.name }}"
group: "{{ item.value.group }}"
groups: "{{ item.value.groups }}"
state: "{{ item.value.state }}"
create_home: "{{ item.value.create_home }}"
shell: "{{ item.value.shell }}"
loop: "{{ init_users | dict2items }}"
tags:
- base
- name: Create or ensure presence of custom home directories
file:
path: /home/opal/{{ item }}
state: directory
mode: '0755'
owner: opal
group: opal
loop: "{{ create_directories }}"
tags:
- base
- name: Remove default home directories if present
file:
path: /home/opal/{{ item }}
state: absent
loop: "{{ remove_directories }}"
tags:
- base
- name: Create/Ensure ~/.ssh directories
file:
path: "/home/{{ item.value.name }}/.ssh"
state: directory
mode: '0700'
owner: "{{ item.value.name }}"
group: "{{ item.value.group }}"
loop: "{{ init_users | dict2items }}"
tags:
- base
# Security Setup
- name: Set default firewalld zone to home
firewalld:
zone: home
state: enabled
permanent: true
tags:
- security
- name: Bind primary network interface to home zone
firewalld:
interface: "{{ network_interface }}"
zone: home
state: enabled
permanent: true
immediate: true
tags:
- security
- name: Bind WireGuard interface to trusted zone
firewalld:
interface: wg0
zone: trusted
state: enabled
permanent: true
immediate: true
tags:
- security
- name: Allow essential services in home zone
firewalld:
service: "{{ item }}"
zone: home
state: enabled
permanent: true
immediate: true
loop: "{{ allowed_services }}"
tags:
- security
- name: Enable logging of denied packets
command:
cmd: firewall-cmd --set-log-denied=all
tags:
- security
- name: Ensure SELinux is enabled and configured persistently
selinux:
policy: targeted
state: enforcing
configfile: /etc/selinux/config
tags:
- security
# DNF Automatic Security Updates
- name: Install dnf-automatic for automatic security updates
package:
name: dnf-automatic
state: present
tags:
- updates
- name: Configure dnf-automatic
template:
src: dnf-automatic.conf.j2
dest: /etc/dnf/automatic.conf
owner: root
group: root
mode: '0644'
tags:
- updates
- name: Enable and start dnf-automatic timer
systemd:
name: dnf-automatic.timer
enabled: true
state: started
tags:
- updates
# Git Config
- name: Set global Git configuration
git_config:
name: "{{ item.name }}"
scope: global
value: "{{ item.value }}"
loop: "{{ git_global_config }}"
tags:
- base

0
roles/fedora_security/templates/dnf-automatic.conf.j2 → roles/fedora_setup/templates/dnf-automatic.conf.j2
View File

119
roles/fedora_setup/vars/main.yml Executable file
View File

@@ -0,0 +1,119 @@
---
copr_repos:
- swayfx/swayfx
packages:
- swayfx
- swayidle
- swaylock
- swaybg
- feh
- alacritty
- dunst
- pipewire
- grim
- grimshot
- brightnessctl
- wlsunset
- wlogout
- xwayland-run
- wdisplays
- bemenu
- wtype
- papirus-icon-theme
- breeze-cursor-theme
- google-noto-color-emoji-fonts
- google-noto-sans-cjk-fonts
- google-noto-emoji-fonts
- google-noto-sans-brahmi-fonts
- syncthing
- gopass
- cups
- keychain
- tldr
- gnupg2
- trash-cli
- htop
- mpv
- udiskie
- pavucontrol
- flatpak
- bluez
- bluez-tools
- blueman
- beets
- unrar-free
- unzip
- lf
- playerctl
- screen
- wireguard-tools
- dnf-automatic
- translate-shell
- newsboat
- mpd
- ncmpcpp
- asunder
- qutebrowser
- librewolf
- nicotine
flatpak_packages:
- net.ankiweb.Anki
- org.torproject.torbrowser-launcher
- org.signal.Signal
- com.brave.Browser
- io.mpv.Mpv
init_groups:
- wheel
remove_directories:
- Templates
- Videos
- Documents
- Music
- Downloads
- Pictures
- Public
- Desktop
create_directories:
- docs
- docs/todo
- music
- dls
- pics
- code
- code/src
- .config
- .local
- .local/share
- .local/bin
init_users:
opal:
name: opal
group: opal
groups:
- wheel
state: present
shell: /bin/yash
create_home: true
network_interface: "{{ ansible_default_ipv4.interface }}"
allowed_services:
- ssh
- dhcpv6-client
- mdns
git_global_config:
- name: user.name
value: "Ryan"
- name: user.email
value: "ry.orlando@proton.me"
- name: init.defaultBranch
value: "master"
- name: pull.rebase
value: "true"

46
scripts/fedora_postbootstrap.sh Executable file
View File

@@ -0,0 +1,46 @@
#!/bin/sh
# post_bootstrap.sh - Setup SSH, GPG, and pull private repositories after initial Ansible bootstrap.
set -e
echo "[*] Starting post-bootstrap setup..."
# Start ssh-agent and add your SSH key
if [ -f "$HOME/.ssh/id_ed25519" ]; then
echo "[*] Starting ssh-agent..."
eval "$(ssh-agent -s)"
ssh-add "$HOME/.ssh/id_ed25519"
else
echo "[!] No SSH private key found at ~/.ssh/id_ed25519. Skipping ssh-add."
fi
# Launch GPG agent
echo "[*] Launching gpg-agent..."
gpgconf --launch gpg-agent
# Clone gopass store if not already present
if [ ! -d "$HOME/.local/share/gopass/stores/root/.git" ]; then
echo "[*] Cloning gopass password store..."
mkdir -p "$HOME/.local/share/gopass/stores"
git clone git@yourgit:gopass-store.git "$HOME/.local/share/gopass/stores/root"
gopass fsck
gopass sync
else
echo "[*] Gopass store already exists. Skipping clone."
fi
# Clone bookmarks repo if not already present
if [ ! -d "$HOME/bookmarks/.git" ]; then
echo "[*] Cloning bookmarks repository..."
git clone git@yourgit:bookmarks.git "$HOME/bookmarks"
else
echo "[*] Bookmarks repo already exists. Skipping clone."
fi
# Git global config (safe to rerun, idempotent)
echo "[*] Setting git global defaults..."
git config --global init.defaultBranch master
git config --global pull.rebase false
echo "[*] Post-bootstrap setup complete."