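---
# Packages and Updates

- name: Start dnf5-makecache timer
  systemd:
    name: dnf5-makecache.timer
    enabled: true
    state: started
  tags:
    - packages

- name: Enable COPR repositories
  # `creates` keeps this idempotent: the command is skipped once the repo file exists.
  command:
    cmd: dnf5 copr enable -y {{ item }}
    creates: "/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:{{ item | replace('/', ':') }}.repo"
  loop: "{{ copr_repos }}"
  tags:
    - packages

- name: Add LibreWolf repository
  # NOTE(review): the repo definition is fetched with no `checksum:`; pinning one
  # (e.g. checksum: "sha256:<expected-digest>", placeholder) would detect a changed
  # or tampered file instead of silently installing whatever the server returns.
  get_url:
    url: https://repo.librewolf.net/librewolf.repo
    dest: /etc/yum.repos.d/librewolf.repo
    mode: '0644'
  tags:
    - packages

- name: Upgrade all packages
  dnf5:
    name: "*"
    state: latest
  tags:
    - packages

- name: Install packages
  package:
    name: "{{ item }}"
    state: present
  loop: "{{ packages }}"
  tags:
    - packages

- name: Setup Flatpak and install packages
  # Block-level tags apply to both tasks inside the block.
  block:
    - name: Add Flathub repository
      flatpak_remote:
        name: flathub
        state: present
        flatpakrepo_url: "https://flathub.org/repo/flathub.flatpakrepo"

    - name: Install Flatpak packages
      flatpak:
        name: "{{ item }}"
        state: present
      loop: "{{ flatpak_packages }}"
  tags:
    - packages

# Base System Setup

- name: Create groups
  group:
    name: "{{ item }}"
    state: present
  loop: "{{ init_groups }}"
  tags:
    - base

- name: Ensure Users are Configured Correctly
  # NOTE(review): no `append:` is given, so `groups` is presumably treated as the
  # full supplementary-group list (existing memberships replaced) — confirm intended.
  user:
    name: "{{ item.value.name }}"
    group: "{{ item.value.group }}"
    groups: "{{ item.value.groups }}"
    state: "{{ item.value.state }}"
    create_home: "{{ item.value.create_home }}"
    shell: "{{ item.value.shell }}"
  loop: "{{ init_users | dict2items }}"
  tags:
    - base

- name: Create or ensure presence of custom home directories
  # NOTE(review): the user `opal` is hard-coded here and in the next task, while the
  # other user-related tasks loop over `init_users`.
  file:
    path: /home/opal/{{ item }}
    state: directory
    mode: '0755'
    owner: opal
    group: opal
  loop: "{{ create_directories }}"
  tags:
    - base

- name: Remove default home directories if present
  file:
    path: /home/opal/{{ item }}
    state: absent
  loop: "{{ remove_directories }}"
  tags:
    - base

- name: Create/Ensure ~/.ssh directories
  # Skip users declared absent: their home and owner account do not exist, so
  # creating the directory with that owner would fail the play.
  file:
    path: "/home/{{ item.value.name }}/.ssh"
    state: directory
    mode: '0700'
    owner: "{{ item.value.name }}"
    group: "{{ item.value.group }}"
  loop: "{{ init_users | dict2items }}"
  when: item.value.state != 'absent'
  tags:
    - base

# Security Setup

- name: Read current default firewalld zone
  command: firewall-cmd --get-default-zone
  register: firewalld_default_zone
  changed_when: false
  tags:
    - security

- name: Set default firewalld zone to home
  # The firewalld module call this replaced (zone: home, state: enabled) only
  # ensures the zone exists; it does not change the default zone. `--set-default-zone`
  # applies to both the runtime and permanent configuration. The `when` keeps the
  # task idempotent.
  command: firewall-cmd --set-default-zone=home
  when: firewalld_default_zone.stdout != 'home'
  tags:
    - security

- name: Bind primary network interface to home zone
  firewalld:
    interface: "{{ network_interface }}"
    zone: home
    state: enabled
    permanent: true
    immediate: true
  tags:
    - security

- name: Bind WireGuard interface to trusted zone
  # `trusted` accepts all traffic on wg0; only peers that hold valid WireGuard keys
  # can reach this interface.
  firewalld:
    interface: wg0
    zone: trusted
    state: enabled
    permanent: true
    immediate: true
  tags:
    - security

- name: Allow essential services in home zone
  firewalld:
    service: "{{ item }}"
    zone: home
    state: enabled
    permanent: true
    immediate: true
  loop: "{{ allowed_services }}"
  tags:
    - security

- name: Read current firewalld log-denied setting
  command: firewall-cmd --get-log-denied
  register: firewalld_log_denied
  changed_when: false
  tags:
    - security

- name: Enable logging of denied packets
  # Guarded by the value read above so the task is idempotent instead of
  # reporting "changed" on every run.
  command: firewall-cmd --set-log-denied=all
  when: firewalld_log_denied.stdout != 'all'
  tags:
    - security

- name: Ensure SELinux is enabled and configured persistently
  selinux:
    policy: targeted
    state: enforcing
    configfile: /etc/selinux/config
  tags:
    - security

# DNF Automatic Security Updates

- name: Install dnf-automatic for automatic security updates
  package:
    name: dnf-automatic
    state: present
  tags:
    - updates

- name: Configure dnf-automatic
  template:
    src: dnf-automatic.conf.j2
    dest: /etc/dnf/automatic.conf
    owner: root
    group: root
    mode: '0644'
  tags:
    - updates

- name: Enable and start dnf-automatic timer
  systemd:
    name: dnf-automatic.timer
    enabled: true
    state: started
  tags:
    - updates

# Git Config

- name: Set global Git configuration
  git_config:
    name: "{{ item.name }}"
    scope: global
    value: "{{ item.value }}"
  loop: "{{ git_global_config }}"
  tags:
    - base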