This commit is contained in:
Matthieu Bessat 2025-09-22 14:20:35 +02:00
parent 98448e56ff
commit 79b7ff8241
12 changed files with 318 additions and 205 deletions


@ -8,3 +8,7 @@
- Add public key `lambdacov_perso_generic_ed25519` key to forge.lefuturiste.fr
- Populate vars.yaml, choose the profile
- run ansible playbook
## Manual cmds to do on target hosts
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 8A74EAAF89C17944


@ -113,3 +113,6 @@ You need to keep updated the known hosts in your profiles to not have this info
- https://github.com/id101010/ansible-archlinux
- https://github.com/kewlfft/ansible-aur
## triage
The master ssh key is used by the controller to authenticate to the ssh server of the target device.


@ -21,3 +21,4 @@
- `sudo usermod -a -G wireshark mbess`
- [x] packages: add `texlive-langfrench`, `texlive-binextra`


@ -16,15 +16,9 @@ common:
- name: pacman-contrib
desc: Include pactree
tty:
- name: aur/physlock
desc: Session password-lock at the TTY level
tty: {}
libs:
- protobuf
- libosmium
- name: expat
desc: XML parser lib
- wlroots0.19
hardware:
printing:
@ -66,20 +60,11 @@ common:
utils:
_:
- bat
- git-delta
- plantuml
- desc: Env loader, export env variables from dotenv file in shell scripts
name: aur/zenv
- desc: Load system to make it heat and sweat
name: stress
- name: aur/scc
desc: Count source lines of a project
keyboard:
- name: ttyper
desc: Typing speed test.
backup:
- borg
- name: aur/zenv
desc: Env loader, export env variables from dotenv file in shell scripts
keyboard: {}
backup: {}
docs:
- man-pages
- man-db
@ -131,11 +116,6 @@ common:
- s-nail
- name: isync
desc: IMAP synchronization program. Also called mbsync, can be configured using `.mbsyncrc` file.
fun:
- figlet
- cowsay
- aur/boxes
- fortune-mod
archives:
- unzip
- zip
@ -146,15 +126,15 @@ common:
desc: general purpose document converter
- name: typst
desc: an alternative to latex
- name: aur/marp-cli-bin
desc: create presentation from markdown
- mkdocs
- mkdocs-material
- mkdocs-autorefs
- mkdocs-get-deps
- graphviz
- glow
- name: visidata
desc: Data explorer (Spreadsheet, CSV, Sqlite)
pdf:
- aur/ocrmypdf
- aur/wkhtmltopdf-static
- name: pdftk
desc: Utils to manipulate PDF pages (extract, merge, rotate, unpack)
latex:
@ -168,28 +148,19 @@ common:
math:
- name: libqalculate
desc: Provide Qalc
gis: # SIG
_:
- gdal
- aur/tippecanoe
osm:
- aur/osmium-tool
- osm2pgsql
gis: {}
vcs:
git:
- git
- tig
- pre-commit
- aur/gitwatch-git
fossil:
- fossil
network:
address:
- name: ipcalc
- name: aur/sipcalc
description: |
Validate, compute and visualize IP ranges.
Support CIDR notation (Classless Inter-Domain Routing).
Eg. compute the start and the end of a range.
Compute and visualize IP ranges (start and end)
bandwidth:
- name: iperf3
description: TCP, UDP benchmark (speed test)
@ -212,14 +183,7 @@ common:
desc: Download whole website for offline use
dns:
- bind
- aur/python-dnsrecon
kafka:
- name: aur/kcat-cli
desc: Kafka cat
- aur/avro-c
encoding:
avro:
- aur/avro-tools
encoding: {}
_:
- name: net-tools
desc: Core tools for configuration tools for Linux networking
@ -239,8 +203,6 @@ common:
- name: binwalk
desc: Inspect a binary to search for embeded files and binaries
url: https://www.kali.org/tools/binwalk/
- name: aur/libtree
desc: Inspect a binary and output of tree of system libraries
fs:
- lsof
- name: ncdu
@ -258,8 +220,6 @@ common:
browser:
- w3m
- lynx
- name: aur/browsh
desc: Terminal browser, headless chromium running on a remote server that translate to text over Mosh.
files:
- lf
security:
@ -280,15 +240,11 @@ common:
- name: aur/apache-tools
desc: provide htpasswd
- argon2
colors:
- name: pastel
desc: Manipulate colors
colors: {}
multimedia:
audio:
- opus-tools
communication:
- name: aur/sigtop-git
desc: Messages and attahcments backup program for Signal Desktop
communication: {}
cli_frontends:
forges:
@ -323,23 +279,12 @@ common:
- gopass
- pass
virtualization:
- qemu-base
- name: guestfs-tools
desc: include the very useful virt-customize
- name: libguestfs
desc: include virt-install
- name: cloud-init
desc: Cloud-init utils, used to validate config
virtualization: {}
docker:
- docker
- docker-buildx
- kubectl
- name: aur/hadolint-bin
desc: Linter for Dockerfile, with all haskell dependencies
- name: trivy
desc: Container image security scanner
programming:
_:
@ -377,12 +322,7 @@ common:
lsp:
- gopls
- rust-analyzer
- aur/typst-lsp
- vscode-css-languageserver
- pyright
- typescript-language-server
- svelte-language-server
- lua-language-server
rust:
- cargo-watch
# - rustup
@ -470,7 +410,7 @@ common:
- name: gammastep
desc: Automatic red shift at night
color_picker:
- aur/hyprpicker
- hyprpicker
emojis_picker:
- name: aur/jome
desc: Emoji picker
@ -488,14 +428,9 @@ common:
GUI:
files:
- nautilus
- cheese
browser:
# - aur/librewolf-bin
# - aur/librewof
- aur/librewolf-bin
- aur/ungoogled-chromium-bin
# - thorium-browser-bin
- qutebrowser
- torbrowser-launcher
terminal_emulator:
- alacritty
mail:
@ -503,9 +438,10 @@ common:
communication:
_:
- signal-desktop
irc:
- name: polari
desc: GNOME 3 GUI IRC client
irc: {}
xmpp:
- name: dino
desc: Simple GTK XMPP client
matrix:
- name: fractal
desc: Matrix client that seem to work in Rust
@ -528,32 +464,18 @@ common:
- vimiv
creation:
image:
- gimp
- krita
- inkscape
audio:
- tenacity
- songrec
- aur/clementine
audio: {}
video:
- cheese
- celluloid
- vlc
- obs-studio
3d:
- openscad
- blender
3d: {}
bureautique:
- libreoffice-still
geo:
- aur/mepo
- qgis
vcs:
git:
- giggle
git: {}
db:
- name: dbeaver
tags: ['heavy-gui']
- name: sqlitebrowser
desc: Light QT GUI to navigate sqlite
remote_access:
@ -578,19 +500,3 @@ common:
- name: noto-fonts-emoji
desc: Google emoji fonts, required for fractal
proprietary_vpns:
- openfortivpn
# Extra non-free networks for work packages
# non-free:
microsoft_azure:
- azure-cli
- aur/azure-kubelogin
hashicorp:
- name: vault
alias: hvault
extra_video:
- name: kdenlive
desc: video editor
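Review bot: The `network.address` entries for `aur/sipcalc` and `iperf3` in the `@ -168,28 +148,19 @@` hunk use a `description:` key while every other annotated package in the file uses `desc:` (`libqalculate` a few lines above in the same hunk, for example). If `parse_arch_packages.py` only reads `name`, the extra key is harmless, but the hunk rewrites the sipcalc text anyway, so this is the moment to rename it: `desc: Compute and visualize IP ranges (start and end)` and `desc: TCP, UDP benchmark (speed test)`. I cannot see the parser from here, so whether `description:` is silently ignored or carried through is inferred.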


@ -0,0 +1,5 @@
common:
- pipdeptree
- copyparty
- lesspass
- pylint


@ -0,0 +1,224 @@
---
common:
tty:
- name: aur/physlock
desc: Session password-lock at the TTY level
libs:
- protobuf
- libosmium
- name: expat
desc: XML parser lib
hardware: {}
network: {}
keymap: {}
bluetooth: {}
utils:
_:
- plantuml
- name: stress
desc: Load system to make it heat and sweat
- desc: Count source lines of a project
name: aur/scc
keyboard:
- name: ttyper
desc: Typing speed test.
backup:
- borg
docs:
- arch-wiki-docs
language: {}
mail: {}
fun:
- figlet
- cowsay
- aur/boxes
- fortune-mod
bureautique:
- name: aur/marp-cli-bin
desc: create presentation from markdown
pdf:
- aur/ocrmypdf
- aur/wkhtmltopdf-static
gis: # SIG
_:
- gdal
- aur/tippecanoe
osm:
- aur/osmium-tool
- osm2pgsql
vcs:
git: {}
fossil:
- fossil
network:
http: {}
dns:
- aur/python-dnsrecon
kafka:
- name: aur/kcat-cli
desc: Kafka cat
- aur/avro-c
encoding:
avro:
- aur/avro-tools
_: {}
inspection:
- name: aur/libtree
desc: Inspect a binary and output of tree of system libraries
fs: {}
disk: {}
tui:
browser:
- name: aur/browsh
desc: Terminal browser, headless chromium running on a remote server that translate to text over Mosh.
files: {}
security:
- siege
monitoring: {}
android: {}
random_gen: {}
hashing: {}
colors:
- name: pastel
desc: Manipulate colors
multimedia:
audio: {}
communication:
- name: aur/sigtop-git
desc: Messages and attahcments backup program for Signal Desktop
cli_frontends:
forges: {}
multimedia:
youtube: {}
player: {}
book: {}
exif: {}
_: {}
password: {}
virtualization:
- qemu-base
- name: guestfs-tools
desc: include the very useful virt-customize
- name: libguestfs
desc: include virt-install
- name: cloud-init
desc: Cloud-init utils, used to validate config
docker:
- name: aur/hadolint-bin
desc: Linter for Dockerfile, with all haskell dependencies
- name: trivy
desc: Container image security scanner
programming:
_: {}
html: {}
sqlite: {}
editor: {}
c: {}
node: {}
lsp:
- typescript-language-server
- svelte-language-server
- aur/typst-lsp
- lua-language-server
- vscode-css-languageserver
rust: {}
dbs: {}
python:
_: {}
lint: {}
lib: {}
lua: {}
web: {}
static: {}
ci: {}
shell: {}
audio:
control: {}
desktop:
wayland:
# https://github.com/natpen/awesome-wayland
_: {}
display: {}
color_picker: {}
emojis_picker: {}
notification: {}
screenshot: {}
desktop_utils: {}
GUI:
files: {}
browser:
- aur/thorium-browser-bin
- qutebrowser
- torbrowser-launcher
terminal_emulator: {}
mail: {}
communication:
_: {}
irc: {}
matrix: {}
document:
viewer: {}
editor: {}
images:
viewer: {}
creation:
image:
- gimp
- krita
audio:
- tenacity
- songrec
- aur/clementine
video:
- celluloid
- vlc
- obs-studio
- name: kdenlive
desc: video editor
3d:
- openscad
- blender
bureautique: {}
geo:
- qgis
vcs:
git:
- giggle
db:
- name: dbeaver
remote_access: {}
_: {}
inspection: {}
editor: {}
fonts: {}
proprietary_vpns:
- openfortivpn
# Extra non-free networks for work packages
# non-free:
microsoft_azure:
- azure-cli
- aur/azure-kubelogin
hashicorp:
- name: vault
alias: hvault
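Review bot: Two `desc:` strings in the new file carry typos that will show up wherever the descriptions are rendered: `aur/sigtop-git` reads `attahcments` and should be `desc: Messages and attachments backup program for Signal Desktop`, and `aur/browsh` reads `that translate to text` and should be `that translates to text`. The page shows the file truncated (224 added lines, fewer visible), so there may be further entries I could not check.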


@ -0,0 +1,7 @@
common:
multimedia:
- linkchecker
- imagehash
- yewtube
- azlyrics2
- epy-reader


@ -1,14 +0,0 @@
base:
- mkdocs
- pipdeptree
- copyparty
- lesspass
- yewtube
- lesspass
- mkdocs
- linkchecker
- imagehash
- pylint
multimedia:
- azlyrics2
- epy-reader


@ -24,25 +24,29 @@
owner: "{{ user }}"
mode: u=rw,g=,o=
- name: Create temporary build directory
- delegate_to: localhost
ansible.builtin.tempfile:
state: directory
suffix: ssh_known_hosts
register: tempdir_known_hosts
- name: Load known hosts from profiles
delegate_to: localhost
template:
# load from controller host
src: "{{ home }}/.dots/profiles/{{ item.name }}/configs/ssh/known_hosts"
# load from controller host, from the work profile repository
src: "{{ profiles_paths[item.name] }}/configs/ssh/known_hosts"
dest: "{{ tempdir_known_hosts.path }}/{{ item.name }}"
with_items: "{{ enabled_profiles }}"
# - name: Execute a command
# ansible.builtin.command: "sleep infinity"
- name: Concat known hosts
template:
src: ssh/known_hosts
dest: "{{ home }}/.ssh/known_hosts"
vars:
tempdir_known_hosts: "{{ tempdir_known_hosts }}"
origin_dir: "{{ tempdir_known_hosts.path }}"
- name: Ensure ssh config profiles dir exists
file:
@ -51,7 +55,7 @@
- name: Load ssh config of profiles
template:
src: "{{ home }}/.dots/profiles/{{ item.name }}/configs/ssh/config"
src: "{{ profiles_paths[item.name] }}/configs/ssh/config"
dest: "{{ home }}/.ssh/profiles/{{ item.name }}"
mode: u=rw,g=,o=
with_items: "{{ enabled_profiles }}"
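Review bot: The commented-out debugging task `# - name: Execute a command` / `# ansible.builtin.command: "sleep infinity"` is left between the "Load known hosts from profiles" and "Concat known hosts" tasks; drop it rather than ship it. The directory created by `ansible.builtin.tempfile` and registered as `tempdir_known_hosts` is also never removed within this hunk, so every run leaves a copy of each profile's known_hosts under the controller's temp directory; unless a cleanup exists further down the play, add a final `ansible.builtin.file` task with `path: "{{ tempdir_known_hosts.path }}"`, `state: absent` and `delegate_to: localhost` after the concat step. Note that the tempfile task now runs on the controller but the concat task still templates into `{{ home }}/.ssh/known_hosts` on the target, which is the intended split as far as the hunk shows.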


@ -14,7 +14,7 @@ rm $base/vm_files
ln -s $workdir $base/vm_files
ansible-playbook $base/workstation.yaml \
-v \
-vvvvv \
--ask-become-pass \
-i "inventory.yaml" \
--ssh-extra-args "-o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 22 -i ./master_sshkey" \
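Review bot: Replacing `-v` with `-vvvvv` turns on connection-level debugging for every run of this script, not just the one being debugged: at that level Ansible echoes the ssh command lines and each task's result with its module arguments, so templated values such as the concatenated known_hosts content and git/ssh destinations end up in whatever captures stdout. If the extra verbosity was only needed while working on this change, revert to `-v`, or make it overridable with a script variable that defaults to `-v`, e.g. `verbosity="${VERBOSITY:--v}"` (constructed name) and `"$verbosity" \` in the argument list. The `UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no` options on the context line are pre-existing and acceptable for a throwaway VM, but they are another reason to keep this script's settings from being copied into the non-VM invocation.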


@ -27,7 +27,7 @@ codeberg.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTY
# ==============================
# Profile: {{ enabled_profile.name }}
# ==============================
{{ lookup('file', tempdir_known_hosts.path + '/' + enabled_profile.name) }}
{{ lookup('file', origin_dir + '/' + enabled_profile.name) }}
{% endfor %}


@ -5,38 +5,17 @@
systemd_services:
system: []
user:
- from: "mount_sshfs"
name: "mount_sshfs_srv06_warmd_mbess"
enabled: true
params:
ssh_uri: "mbess@srv06.mbess.net:/warmd/mbess"
mount_path: "{{ home }}/.mnt/srv06/warmd/mbess"
profile: perso
- from: "mount_sshfs"
name: "mount_sshfs_srv06_warmd_etb"
enabled: true
params:
ssh_uri: "mbess@srv06.mbess.net:/warmd/etoiledebethleem"
mount_path: "{{ home }}/.mnt/srv06/warmd/etb"
profile: perso
- name: "popequer_gitwatch@"
profile: all
- name: "hourly_remainder"
enabled: true
timer: true
profile: all
- name: "cliphist"
enabled: true
profile: all
- name: "kanshi"
enabled: true
profile: all
- name: "gammastep"
enabled: true
profile: all
- name: "swaybg"
enabled: true
profile: all
config_files:
- dir: fish
name: config.fish
@ -74,6 +53,7 @@
dest: "{{ home }}/.monakhos"
- name: Change hostname
become: true
hostname:
name: "{{ device_name }}"
@ -121,11 +101,6 @@
- shell: "rm -rf /etc/pacman.d/gnupg && pacman-key --init && pacman-key --populate archlinux"
- shell: "mkdir -p {{ home }}/.cache/monakhos; echo -n $(date --iso-8601=d) > {{ home }}/.cache/monakhos/pacman_key_state"
- name: Install global tools (Python packages)
include_role:
name: uv_tools
with_items: "{{ lookup('pipe', 'cat python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}"
# AUR SETUP
- name: Create the aur_builder user
become: yes
@ -155,24 +130,30 @@
path: "{{ home }}/.stub"
state: touch
# INSTALL normal packages from YAML
- name: Install non-AUR packages
# INSTALL essentials packages from YAML
- name: Install essentials non-AUR packages
become: true
community.general.pacman:
name: "{{ lookup('pipe', ('cat arch_packages.yaml | python3 parse_arch_packages.py ' + item)) | from_json }}"
name: "{{ lookup('pipe', ('cat packages/essentials/arch_packages.yaml | python3 parse_arch_packages.py ' + item)) | from_json }}"
with_items: "{{ packages_categories }}"
- name: Install AUR packages
- name: Install essentials AUR packages
include_role:
name: aur
vars:
packages: "{{ lookup('pipe', ('cat arch_packages.yaml | python3 parse_arch_packages.py --aur ' + item)) | from_json }}"
packages: "{{ lookup('pipe', ('cat packages/essentials/arch_packages.yaml | python3 parse_arch_packages.py --aur ' + item)) | from_json }}"
with_items: "{{ packages_categories }}"
- name: Install sway
include_role:
name: sway
# Install essentials tools with UV
- name: Install essentials global tools (Python packages)
include_role:
name: uv_tools
with_items: "{{ lookup('pipe', 'cat packages/essentials/python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}"
# DOTS
- name: Clone dots file
git:
@ -180,11 +161,6 @@
repo: "git@forge.lefuturiste.fr:mbess/dots.git"
dest: "{{ home }}/.dots"
- name: Install requirements in dots
pip:
virtualenv: "{{ home }}/.dots/venv"
requirements: "{{ home }}/.dots/requirements.txt"
- name: Setup DNS and unbound
include_role:
name: dns
@ -241,7 +217,7 @@
- name: Setup user units
loop: "{{ systemd_services.user }}"
when: "item.from is not defined and (item.profile == 'all' or item.profile in enabled_profiles)"
when: "item.from is not defined"
template:
src: "systemd/user/{{ item.name }}.service"
dest: "{{ home }}/.config/systemd/user/{{ item.name }}.service"
@ -250,7 +226,7 @@
- name: Setup user unit with from
loop: "{{ systemd_services.user }}"
when: "item.from is defined and (item.profile == 'all' or item.profile in enabled_profiles)"
when: "item.from is defined"
template:
src: "systemd/user/{{ item.from }}.service"
dest: "{{ home }}/.config/systemd/user/{{ item.name }}.service"
@ -259,7 +235,7 @@
- name: Setup user timers
loop: "{{ systemd_services.user }}"
when: "item.timer is defined and item.timer and (item.profile == 'all' or item.profile in enabled_profiles)"
when: "item.timer is defined and item.timer"
template:
src: "systemd/user/{{ item.name }}.timer"
dest: "{{ home }}/.config/systemd/user/{{ item.name }}.timer"
@ -275,7 +251,7 @@
enabled: true
- name: Enable some systemd user timers
when: "item.timer is defined and item.timer and (item.profile == 'all' or item.profile in enabled_profiles)"
when: "item.timer is defined and item.timer"
loop: "{{ systemd_services.user }}"
systemd_service:
scope: user
@ -284,16 +260,6 @@
enabled: true
# OTHERS
- name: Setup mount point folders
file:
path: "{{ home }}/.mnt/{{ item }}"
state: directory
recurse: true
when: "'perso' in enabled_profiles"
loop:
- srv06/warmd/mbess
- srv06/coldd/mbess
- srv06/warmd/etb
- name: Setup triage folder
file:
path: "{{ home }}/triage"
@ -345,10 +311,6 @@
state: directory
recurse: true
- name: Setup main popequer notebook
include_role:
name: popequer_notebook
- name: Enable bluetooth service
become: true
ansible.builtin.systemd_service:
@ -363,11 +325,6 @@
dest: "/usr/bin/rofi"
state: link
- name: Setup OpenFortiVPN
when: '"pro" in enabled_profiles'
include_role:
name: openfortivpn
- name: Setup apps dir
file:
path: "{{ home }}/.apps"
@ -392,11 +349,6 @@
name: wayland_fixer
# Initialize Workspaces
- name: Clone books sources
ansible.builtin.git:
repo: "git@forge.lefuturiste.fr:mbess/books-sources.git"
dest: /home/mbess/workspace/books_sources
when: "'perso' in enabled_profiles"
- name: Clone general programming snippets
ansible.builtin.git:
repo: "git@forge.lefuturiste.fr:mbess/snippets.git"
@ -405,3 +357,24 @@
ansible.builtin.git:
repo: "git@forge.lefuturiste.fr:mbess/monakhos.git"
dest: /home/mbess/workspace/monakhos
# INSTALL extra packages from YAML
- name: Install extra non-AUR packages
become: true
community.general.pacman:
name: "{{ lookup('pipe', ('cat packages/extra/arch_packages.yaml | python3 parse_arch_packages.py ' + item)) | from_json }}"
with_items: "{{ packages_categories }}"
- name: Install extra AUR packages
include_role:
name: aur
vars:
packages: "{{ lookup('pipe', ('cat packages/extra/arch_packages.yaml | python3 parse_arch_packages.py --aur ' + item)) | from_json }}"
with_items: "{{ packages_categories }}"
- name: Install extra global tools (Python packages)
include_role:
name: uv_tools
with_items: "{{ lookup('pipe', 'cat packages/essentials/python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}"
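Review bot: The new `Install extra global tools (Python packages)` task at the end of the section still reads `packages/essentials/python_packages.yaml`, so the extra Python tools are never installed and the essentials set is simply installed a second time; the two extra pacman/AUR tasks directly above it already switched to `packages/extra/arch_packages.yaml`. The `with_items` line should presumably point at the extra file: `with_items: "{{ lookup('pipe', 'cat packages/extra/python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}"` — the path is inferred from the arch counterpart, since the new python package file's location is not shown on the page. Relatedly, the essentials Python task in the `@ -155,24 +130,30 @@` hunk and this one both build a shell pipeline via `lookup('pipe', ...)`; that pattern is pre-existing and `packages_categories` is controller-side data, so it is fine as long as category names stay plain identifiers.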