consolidating fedora setup

roles/fedora_setup/tasks/main.yml

@@ -0,0 +1,197 @@
+---
+# Packages and Updates
+- name: Start dnf5-makecache timer
+  systemd:
+    name: dnf5-makecache.timer
+    enabled: true
+    state: started
+  tags:
+    - packages
+
+- name: Enable COPR repositories
+  command:
+    cmd: dnf5 copr enable -y {{ item }}
+    creates: "/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:{{ item | replace('/', ':') }}.repo"
+  loop: "{{ copr_repos }}"
+  tags:
+    - packages
+
+- name: Add LibreWolf repository
+  get_url:
+    url: https://repo.librewolf.net/librewolf.repo
+    dest: /etc/yum.repos.d/librewolf.repo
+    mode: '0644'
+  tags:
+    - packages
+
+- name: Upgrade all packages
+  dnf5:
+    name: "*"
+    state: latest
+  tags:
+    - packages
+
+- name: Install packages
+  package:
+    name: "{{ item }}"
+    state: present
+  loop: "{{ packages }}"
+  tags:
+    - packages
+
+- name: Setup Flatpak and install packages
+  block:
+    - name: Add Flathub repository
+      flatpak_remote:
+        name: flathub
+        state: present
+        flatpakrepo_url: "https://flathub.org/repo/flathub.flatpakrepo"
+
+    - name: Install Flatpak packages
+      flatpak:
+        name: "{{ item }}"
+        state: present
+      loop: "{{ flatpak_packages }}"
+  tags:
+    - packages
+
+# Base System Setup
+- name: Create groups
+  group:
+    name: "{{ item }}"
+    state: present
+  loop: "{{ init_groups }}"
+  tags:
+    - base
+
+- name: Ensure Users are Configured Correctly
+  user:
+    name: "{{ item.value.name }}"
+    group: "{{ item.value.group }}"
+    groups: "{{ item.value.groups }}"
+    state: "{{ item.value.state }}"
+    create_home: "{{ item.value.create_home }}"
+    shell: "{{ item.value.shell }}"
+  loop: "{{ init_users | dict2items }}"
+  tags:
+    - base
+
+- name: Create or ensure presence of custom home directories
+  file:
+    path: /home/opal/{{ item }}
+    state: directory
+    mode: '0755'
+    owner: opal
+    group: opal
+  loop: "{{ create_directories }}"
+  tags:
+    - base
+
+- name: Remove default home directories if present
+  file:
+    path: /home/opal/{{ item }}
+    state: absent
+  loop: "{{ remove_directories }}"
+  tags:
+    - base
+
+- name: Create/Ensure ~/.ssh directories
+  file:
+    path: "/home/{{ item.value.name }}/.ssh"
+    state: directory
+    mode: '0700'
+    owner: "{{ item.value.name }}"
+    group: "{{ item.value.group }}"
+  loop: "{{ init_users | dict2items }}"
+  tags:
+    - base
+
+# Security Setup
+- name: Set default firewalld zone to home
+  firewalld:
+    zone: home
+    state: enabled
+    permanent: true
+  tags:
+    - security
+
+- name: Bind primary network interface to home zone
+  firewalld:
+    interface: "{{ network_interface }}"
+    zone: home
+    state: enabled
+    permanent: true
+    immediate: true
+  tags:
+    - security
+
+- name: Bind WireGuard interface to trusted zone
+  firewalld:
+    interface: wg0
+    zone: trusted
+    state: enabled
+    permanent: true
+    immediate: true
+  tags:
+    - security
+
+- name: Allow essential services in home zone
+  firewalld:
+    service: "{{ item }}"
+    zone: home
+    state: enabled
+    permanent: true
+    immediate: true
+  loop: "{{ allowed_services }}"
+  tags:
+    - security
+
+- name: Enable logging of denied packets
+  command:
+    cmd: firewall-cmd --set-log-denied=all
+  tags:
+    - security
+
+- name: Ensure SELinux is enabled and configured persistently
+  selinux:
+    policy: targeted
+    state: enforcing
+    configfile: /etc/selinux/config
+  tags:
+    - security
+
+# DNF Automatic Security Updates
+- name: Install dnf-automatic for automatic security updates
+  package:
+    name: dnf-automatic
+    state: present
+  tags:
+    - updates
+
+- name: Configure dnf-automatic
+  template:
+    src: dnf-automatic.conf.j2
+    dest: /etc/dnf/automatic.conf
+    owner: root
+    group: root
+    mode: '0644'
+  tags:
+    - updates
+
+- name: Enable and start dnf-automatic timer
+  systemd:
+    name: dnf-automatic.timer
+    enabled: true
+    state: started
+  tags:
+    - updates
+
+# Git Config
+- name: Set global Git configuration
+  git_config:
+    name: "{{ item.name }}"
+    scope: global
+    value: "{{ item.value }}"
+  loop: "{{ git_global_config }}"
+  tags:
+    - base

roles/fedora_setup/templates/dnf-automatic.conf.j2

@@ -0,0 +1,101 @@
+> cat /etc/dnf/automatic.conf
+[commands]
+#  What kind of upgrade to perform:
+# default                            = all available upgrades
+# security                           = only the security upgrades
+upgrade_type = security
+random_sleep = 0
+
+# Maximum time in seconds to wait until the system is on-line and able to
+# connect to remote repositories.
+network_online_timeout = 60
+
+# To just receive updates use dnf-automatic-notifyonly.timer
+
+# Whether updates should be downloaded when they are available, by
+# dnf-automatic.timer. notifyonly.timer, download.timer and
+# install.timer override this setting.
+download_updates = yes
+
+# Whether updates should be applied when they are available, by
+# dnf-automatic.timer. notifyonly.timer, download.timer and
+# install.timer override this setting.
+apply_updates = yes
+
+# When the system should reboot following upgrades:
+# never                              = don't reboot after upgrades
+# when-changed                       = reboot after any changes
+# when-needed                        = reboot when necessary to apply changes
+reboot = never
+
+# The command that is run to trigger a system reboot.
+reboot_command = "shutdown -r +5 'Rebooting after applying package updates'"
+
+
+[emitters]
+# Name to use for this system in messages that are emitted.  Default is the
+# hostname.
+# system_name = my-host
+
+# How to send messages.  Valid options are stdio, email and motd.  If
+# emit_via includes stdio, messages will be sent to stdout; this is useful
+# to have cron send the messages.  If emit_via includes email, this
+# program will send email itself according to the configured options.
+# If emit_via includes motd, /etc/motd file will have the messages. if
+# emit_via includes command_email, then messages will be send via a shell
+# command compatible with sendmail.
+# Default is email,stdio.
+# If emit_via is None or left blank, no messages will be sent.
+emit_via = stdio
+
+
+[email]
+# The address to send email messages from.
+email_from = root@example.com
+
+# List of addresses to send messages to.
+email_to = root
+
+# Name of the host to connect to to send email messages.
+email_host = localhost
+
+# Port number to connect to at the email host.
+email_port = 25
+
+# Use TLS or STARTTLS to connect to the email host.
+email_tls = no
+
+
+[command]
+# The shell command to execute. This is a Python format string, as used in
+# str.format(). The format function will pass a shell-quoted argument called
+# `body`.
+# command_format = "cat"
+
+# The contents of stdin to pass to the command. It is a format string with the
+# same arguments as `command_format`.
+# stdin_format = "{body}"
+
+
+[command_email]
+# The shell command to use to send email. This is a Python format string,
+# as used in str.format(). The format function will pass shell-quoted arguments
+# called body, subject, email_from, email_to.
+# command_format = "mail -Ssendwait -s {subject} -r {email_from} {email_to}"
+
+# The contents of stdin to pass to the command. It is a format string with the
+# same arguments as `command_format`.
+# stdin_format = "{body}"
+
+# The address to send email messages from.
+email_from = root@example.com
+
+# List of addresses to send messages to.
+email_to = root
+
+
+[base]
+# This section overrides dnf.conf
+
+# Use this to filter DNF core messages
+debuglevel = 1

roles/fedora_setup/vars/main.yml

@@ -0,0 +1,119 @@
+---
+copr_repos:
+  - swayfx/swayfx
+
+packages:
+  - swayfx
+  - swayidle
+  - swaylock
+  - swaybg
+  - feh
+  - alacritty
+  - dunst
+  - pipewire
+  - grim
+  - grimshot
+  - brightnessctl
+  - wlsunset
+  - wlogout
+  - xwayland-run
+  - wdisplays
+  - bemenu
+  - wtype
+  - papirus-icon-theme
+  - breeze-cursor-theme
+  - google-noto-color-emoji-fonts
+  - google-noto-sans-cjk-fonts
+  - google-noto-emoji-fonts
+  - google-noto-sans-brahmi-fonts
+  - syncthing
+  - gopass
+  - cups
+  - keychain
+  - tldr
+  - gnupg2
+  - trash-cli
+  - htop
+  - mpv
+  - udiskie
+  - pavucontrol
+  - flatpak
+  - bluez
+  - bluez-tools
+  - blueman
+  - beets
+  - unrar-free
+  - unzip
+  - lf
+  - playerctl
+  - screen
+  - wireguard-tools
+  - dnf-automatic
+  - translate-shell
+  - newsboat
+  - mpd
+  - ncmpcpp
+  - asunder
+  - qutebrowser
+  - librewolf
+  - nicotine
+
+flatpak_packages:
+  - net.ankiweb.Anki
+  - org.torproject.torbrowser-launcher
+  - org.signal.Signal
+  - com.brave.Browser
+  - io.mpv.Mpv
+
+init_groups:
+  - wheel
+
+remove_directories:
+  - Templates
+  - Videos
+  - Documents
+  - Music
+  - Downloads
+  - Pictures
+  - Public
+  - Desktop
+
+create_directories:
+  - docs
+  - docs/todo
+  - music
+  - dls
+  - pics
+  - code
+  - code/src
+  - .config
+  - .local
+  - .local/share
+  - .local/bin
+
+init_users:
+  opal:
+    name: opal
+    group: opal
+    groups: 
+      - wheel
+    state: present
+    shell: /bin/yash
+    create_home: true
+
+network_interface: "{{ ansible_default_ipv4.interface }}"
+
+allowed_services:
+  - ssh
+  - dhcpv6-client
+  - mdns
+
+git_global_config:
+  - name: user.name
+    value: "Ryan"
+  - name: user.email
+    value: "ry.orlando@proton.me"
+  - name: init.defaultBranch
+    value: "master"
+  - name: pull.rebase
+    value: "true"