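---
# Packages and Updates
- name: Start dnf5-makecache timer
  # Keeps the dnf5 metadata cache refreshed in the background so the package
  # tasks below operate on current repository data.
  systemd:
    name: dnf5-makecache.timer
    enabled: true
    state: started
  tags:
    - packages

- name: Enable COPR repositories
  # `creates` makes the command idempotent: dnf5 writes one .repo file per COPR,
  # with the '/' in "owner/project" replaced by ':' in the file name.
  command:
    cmd: dnf5 copr enable -y {{ item }}
    creates: "/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:{{ item | replace('/', ':') }}.repo"
  loop: "{{ copr_repos }}"
  tags:
    - packages

- name: Add LibreWolf repository
  # Integrity of the fetched repo definition rests on TLS (get_url validates
  # certificates by default); no checksum is pinned here. Package signing is
  # governed by the gpg settings inside the downloaded .repo file.
  get_url:
    url: https://repo.librewolf.net/librewolf.repo
    dest: /etc/yum.repos.d/librewolf.repo
    mode: '0644'
  tags:
    - packages

- name: Upgrade all packages
  dnf5:
    name: "*"
    state: latest
  tags:
    - packages

- name: Install packages
  # Pass the whole list instead of looping: the package manager resolves and
  # installs everything in a single transaction rather than one per item.
  package:
    name: "{{ packages }}"
    state: present
  tags:
    - packages

- name: Setup Flatpak and install packages
  block:
    - name: Add Flathub repository
      flatpak_remote:
        name: flathub
        state: present
        flatpakrepo_url: "https://flathub.org/repo/flathub.flatpakrepo"
    - name: Install Flatpak packages
      flatpak:
        name: "{{ item }}"
        state: present
      loop: "{{ flatpak_packages }}"
  # Tags on a block apply to every task inside it.
  tags:
    - packages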
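# Base System Setup
- name: Create groups
  group:
    name: "{{ item }}"
    state: present
  loop: "{{ init_groups }}"
  tags:
    - base

- name: Ensure Users are Configured Correctly
  # `append` is left at its default (false), so `groups` is the user's complete
  # supplementary-group list: memberships not listed in init_users are removed.
  # init_users is a dict keyed by an arbitrary id; each value must carry
  # name, group, groups, state, create_home and shell.
  user:
    name: "{{ item.value.name }}"
    group: "{{ item.value.group }}"
    groups: "{{ item.value.groups }}"
    state: "{{ item.value.state }}"
    create_home: "{{ item.value.create_home }}"
    shell: "{{ item.value.shell }}"
  loop: "{{ init_users | dict2items }}"
  tags:
    - base

- name: Create or ensure presence of custom home directories
  # NOTE(review): owner, group and the /home/opal prefix are hard-coded here and
  # in the removal task below; they are not derived from init_users.
  file:
    path: /home/opal/{{ item }}
    state: directory
    mode: '0755'
    owner: opal
    group: opal
  loop: "{{ create_directories }}"
  tags:
    - base

- name: Remove default home directories if present
  file:
    path: /home/opal/{{ item }}
    state: absent
  loop: "{{ remove_directories }}"
  tags:
    - base

- name: Create/Ensure ~/.ssh directories
  # Restricted to users that exist with a home directory: init_users may contain
  # state=absent or create_home=false entries (the user task above honours both),
  # and creating /home/<name>/.ssh for those would most likely fail on chown of
  # an unknown user or leave a stray root-created home path behind.
  # Mode 0700 is what sshd's StrictModes expects for ~/.ssh.
  file:
    path: "/home/{{ item.value.name }}/.ssh"
    state: directory
    mode: '0700'
    owner: "{{ item.value.name }}"
    group: "{{ item.value.group }}"
  loop: "{{ init_users | dict2items }}"
  when:
    - item.value.state == 'present'
    - item.value.create_home | bool
  tags:
    - base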
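# Security Setup
- name: Check current default firewalld zone
  # NOTE(review): the firewalld module's `zone` parameter only selects which zone
  # the other settings apply to; it does not appear to expose the system default
  # zone (confirm against the installed ansible.posix version). The original
  # task therefore did not change the default, so the default is managed with
  # firewall-cmd, guarded by a read-only query to stay idempotent.
  command:
    cmd: firewall-cmd --get-default-zone
  register: firewalld_default_zone
  changed_when: false
  check_mode: false
  tags:
    - security

- name: Set default firewalld zone to home
  # --set-default-zone applies to both the runtime and permanent configuration.
  command:
    cmd: firewall-cmd --set-default-zone=home
  when: firewalld_default_zone.stdout != 'home'
  tags:
    - security

- name: Bind primary network interface to home zone
  # network_interface is expected to be the interface name (e.g. enp1s0);
  # binding it explicitly avoids relying on the default-zone assignment.
  firewalld:
    interface: "{{ network_interface }}"
    zone: home
    state: enabled
    permanent: true
    immediate: true
  tags:
    - security

- name: Bind WireGuard interface to trusted zone
  # The trusted zone accepts all incoming traffic, so every peer reachable over
  # wg0 is fully trusted by this host.
  firewalld:
    interface: wg0
    zone: trusted
    state: enabled
    permanent: true
    immediate: true
  tags:
    - security

- name: Allow essential services in home zone
  firewalld:
    service: "{{ item }}"
    zone: home
    state: enabled
    permanent: true
    immediate: true
  loop: "{{ allowed_services }}"
  tags:
    - security

- name: Check current firewalld log-denied setting
  # Read-only query so the set command below reports "changed" only when it
  # actually alters the setting (the original always reported changed).
  command:
    cmd: firewall-cmd --get-log-denied
  register: firewalld_log_denied
  changed_when: false
  check_mode: false
  tags:
    - security

- name: Enable logging of denied packets
  # Denied-packet log lines land in the kernel log / journal; useful for
  # spotting unexpected inbound traffic on the home zone.
  command:
    cmd: firewall-cmd --set-log-denied=all
  when: firewalld_log_denied.stdout != 'all'
  tags:
    - security

- name: Ensure SELinux is enabled and configured persistently
  # Writes /etc/selinux/config so the mode survives reboots. Moving from
  # "disabled" to "enforcing" needs a reboot (and a relabel) before it takes
  # full effect; the module signals this via reboot_required in its result.
  selinux:
    policy: targeted
    state: enforcing
    configfile: /etc/selinux/config
  tags:
    - security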
# DNF Automatic Security Updates
- name: Install dnf-automatic for automatic security updates
  ansible.builtin.package:
    name: dnf-automatic
    state: present
  tags:
    - updates

- name: Configure dnf-automatic
  # Renders the role's dnf-automatic.conf.j2; which update categories are
  # applied automatically is decided inside that template, not here.
  ansible.builtin.template:
    src: dnf-automatic.conf.j2
    dest: /etc/dnf/automatic.conf
    owner: root
    group: root
    mode: '0644'
  tags:
    - updates

- name: Enable and start dnf-automatic timer
  # NOTE(review): a config change above does not restart the timer; a handler
  # is not visible in this file — confirm whether one exists in the role.
  ansible.builtin.systemd:
    name: dnf-automatic.timer
    enabled: true
    state: started
  tags:
    - updates
# Git Config
- name: Set global Git configuration
  # `scope: global` writes the ~/.gitconfig of the account the task runs as;
  # with the privileged tasks above that is presumably root, not the opal user
  # whose home is managed earlier — verify against the play's become settings.
  # git_global_config is a list of {name, value} mappings.
  community.general.git_config:
    name: "{{ item.name }}"
    scope: global
    value: "{{ item.value }}"
  loop: "{{ git_global_config }}"
  tags:
    - base