From 98448e56fff3d043e82017894e89adc710d849c6 Mon Sep 17 00:00:00 2001 From: Matthieu Bessat Date: Fri, 19 Sep 2025 15:54:52 +0200 Subject: [PATCH 01/12] fix(packages): repair some packages path --- ansible/arch_packages.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible/arch_packages.yaml b/ansible/arch_packages.yaml index dbaad90..591a840 100644 --- a/ansible/arch_packages.yaml +++ b/ansible/arch_packages.yaml @@ -17,7 +17,7 @@ common: desc: Include pactree tty: - - name: physlock + - name: aur/physlock desc: Session password-lock at the TTY level libs: @@ -224,7 +224,7 @@ common: - name: net-tools desc: Core tools for configuration tools for Linux networking - nmap - - gnu-netcat + - openbsd-netcat - wireguard-tools - tcpdump - name: socat @@ -377,7 +377,7 @@ common: lsp: - gopls - rust-analyzer - - typst-lsp + - aur/typst-lsp - vscode-css-languageserver - pyright - typescript-language-server From 79b7ff82410f45bbc3abb8c8f741c0bbfc032916 Mon Sep 17 00:00:00 2001 From: Matthieu Bessat Date: Mon, 22 Sep 2025 14:20:35 +0200 Subject: [PATCH 02/12] WIP --- INSTALL.md | 4 + README.md | 3 + TODO.md | 1 + .../essentials}/arch_packages.yaml | 146 ++---------- .../packages/essentials/python_packages.yaml | 5 + ansible/packages/extra/arch_packages.yaml | 224 ++++++++++++++++++ ansible/packages/extra/python_packages.yaml | 7 + ansible/python_packages.yaml | 14 -- ansible/roles/ssh/tasks/main.yaml | 14 +- ansible/run_ansible_playbook.sh | 2 +- ansible/templates/ssh/known_hosts | 2 +- ansible/workstation.yaml | 101 +++----- 12 files changed, 318 insertions(+), 205 deletions(-) rename ansible/{ => packages/essentials}/arch_packages.yaml (76%) create mode 100644 ansible/packages/essentials/python_packages.yaml create mode 100644 ansible/packages/extra/arch_packages.yaml create mode 100644 ansible/packages/extra/python_packages.yaml delete mode 100644 ansible/python_packages.yaml diff --git a/INSTALL.md b/INSTALL.md index 2623667..5c42a0a 100644 
--- a/INSTALL.md +++ b/INSTALL.md @@ -8,3 +8,7 @@ - Add public key `lambdacov_perso_generic_ed25519` key to forge.lefuturiste.fr - Populate vars.yaml, choose the profile - run ansible playbook + +## Manual cmds to do on target hosts + + gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 8A74EAAF89C17944 diff --git a/README.md b/README.md index aa595a3..283ee22 100644 --- a/README.md +++ b/README.md @@ -113,3 +113,6 @@ You need to keep updated the known hosts in your profiles to not have this info - https://github.com/id101010/ansible-archlinux - https://github.com/kewlfft/ansible-aur +## triage + +The master ssh key is used by the controller to authenticate to the ssh server of the target device. diff --git a/TODO.md b/TODO.md index 3ff3375..dd2d54d 100644 --- a/TODO.md +++ b/TODO.md @@ -21,3 +21,4 @@ - `sudo usermod -a -G wireshark mbess` - [x] packages: add `texlive-langfrench`, `texlive-binextra` + diff --git a/ansible/arch_packages.yaml b/ansible/packages/essentials/arch_packages.yaml similarity index 76% rename from ansible/arch_packages.yaml rename to ansible/packages/essentials/arch_packages.yaml index 591a840..4a9b79c 100644 --- a/ansible/arch_packages.yaml +++ b/ansible/packages/essentials/arch_packages.yaml @@ -16,15 +16,9 @@ common: - name: pacman-contrib desc: Include pactree - tty: - - name: aur/physlock - desc: Session password-lock at the TTY level - + tty: {} libs: - - protobuf - - libosmium - - name: expat - desc: XML parser lib + - wlroots0.19 hardware: printing: 
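Review bot: In the `@@ -16,15 +16,9 @@` hunk of ansible/packages/essentials/arch_packages.yaml, `tty:` becomes an empty mapping, so the essentials set no longer installs any TTY session lock (`aur/physlock` moves to packages/extra in this same commit). If "essentials" is the baseline every host receives, a console lock reads like a baseline item rather than an extra; confirm the move is intended or keep `- name: aur/physlock` here. The same question applies to `trivy` and `aur/hadolint-bin`, which the `docker:` hunk further down in this file also moves to extra.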
@@ -66,20 +60,11 @@ common: utils: _: - - bat - - git-delta - plantuml - - desc: Env loader, export env variables from dotenv file in shell scripts - name: aur/zenv - - desc: Load system to make it heat and sweat - name: stress - - name: aur/scc - desc: Count source lines of a project - keyboard: - - name: ttyper - desc: Typing speed test. - backup: - - borg + - name: aur/zenv + desc: Env loader, export env variables from dotenv file in shell scripts + keyboard: {} + backup: {} docs: - man-pages - man-db @@ -131,11 +116,6 @@ common: - s-nail - name: isync desc: IMAP synchronization program. Also called mbsync, can be configured using `.mbsyncrc` file. - fun: - - figlet - - cowsay - - aur/boxes - - fortune-mod archives: - unzip - zip @@ -146,15 +126,15 @@ common: desc: general purpose document converter - name: typst desc: an alternative to latex - - name: aur/marp-cli-bin - desc: create presentation from markdown + - mkdocs + - mkdocs-material + - mkdocs-autorefs + - mkdocs-get-deps - graphviz - glow - name: visidata desc: Data explorer (Spreadsheet, CSV, Sqlite) pdf: - - aur/ocrmypdf - - aur/wkhtmltopdf-static - name: pdftk desc: Utils to manipulate PDF pages (extract, merge, rotate, unpack) latex: @@ -168,28 +148,19 @@ common: math: - name: libqalculate desc: Provide Qalc - gis: # SIG - _: - - gdal - - aur/tippecanoe - osm: - - aur/osmium-tool - - osm2pgsql + gis: {} vcs: git: - git - tig - pre-commit - aur/gitwatch-git - fossil: - - fossil network: address: - name: ipcalc + - name: aur/sipcalc description: | - Validate, compute and visualize IP ranges. - Support CIDR notation (Classless Inter-Domain Routing). - Eg. compute the start and the end of a range. + Compute and visualize IP ranges (start and end) bandwidth: - name: iperf3 description: TCP, UDP benchmark (speed test) 
@@ -212,14 +183,7 @@ common: desc: Download whole website for offline use dns: - bind - - aur/python-dnsrecon - kafka: - - name: aur/kcat-cli - desc: Kafka cat - - aur/avro-c - encoding: - avro: - - aur/avro-tools + encoding: {} _: - name: net-tools desc: Core tools for configuration tools for Linux networking @@ -239,8 +203,6 @@ common: - name: binwalk desc: Inspect a binary to search for embeded files and binaries url: https://www.kali.org/tools/binwalk/ - - name: aur/libtree - desc: Inspect a binary and output of tree of system libraries fs: - lsof - name: ncdu @@ -258,8 +220,6 @@ common: browser: - w3m - lynx - - name: aur/browsh - desc: Terminal browser, headless chromium running on a remote server that translate to text over Mosh. files: - lf security: @@ -280,15 +240,11 @@ common: - name: aur/apache-tools desc: provide htpasswd - argon2 - colors: - - name: pastel - desc: Manipulate colors + colors: {} multimedia: audio: - opus-tools - communication: - - name: aur/sigtop-git - desc: Messages and attahcments backup program for Signal Desktop + communication: {} cli_frontends: forges: @@ -323,23 +279,12 @@ common: - gopass - pass - virtualization: - - qemu-base - - name: guestfs-tools - desc: include the very useful virt-customize - - name: libguestfs - desc: include virt-install - - name: cloud-init - desc: Cloud-init utils, used to validate config + virtualization: {} docker: - docker - docker-buildx - kubectl - - name: aur/hadolint-bin - desc: Linter for Dockerfile, with all haskell dependencies - - name: trivy - desc: Container image security scanner programming: _: @@ -377,12 +322,7 @@ common: lsp: - gopls - rust-analyzer - - aur/typst-lsp - - vscode-css-languageserver - pyright - - typescript-language-server - - svelte-language-server - - lua-language-server rust: - cargo-watch # - rustup 
@@ -470,7 +410,7 @@ common: - name: gammastep desc: Automatic red shift at night color_picker: - - aur/hyprpicker + - hyprpicker emojis_picker: - name: aur/jome desc: Emoji picker @@ -488,14 +428,9 @@ common: GUI: files: - nautilus - - cheese browser: - # - aur/librewolf-bin - # - aur/librewof + - aur/librewolf-bin - aur/ungoogled-chromium-bin - # - thorium-browser-bin - - qutebrowser - - torbrowser-launcher terminal_emulator: - alacritty mail: @@ -503,9 +438,10 @@ common: communication: _: - signal-desktop - irc: - - name: polari - desc: GNOME 3 GUI IRC client + irc: {} + xmpp: + - name: dino + desc: Simple GTK XMPP client matrix: - name: fractal desc: Matrix client that seem to work in Rust @@ -528,32 +464,18 @@ common: - vimiv creation: image: - - gimp - - krita - inkscape - audio: - - tenacity - - songrec - - aur/clementine + audio: {} video: - cheese - - celluloid - - vlc - - obs-studio - 3d: - - openscad - - blender + 3d: {} bureautique: - libreoffice-still geo: - aur/mepo - - qgis vcs: - git: - - giggle + git: {} db: - - name: dbeaver - tags: ['heavy-gui'] - name: sqlitebrowser desc: Light QT GUI to navigate sqlite remote_access: @@ -578,19 +500,3 @@ common: - name: noto-fonts-emoji desc: Google emoji fonts, required for fractal -proprietary_vpns: - - openfortivpn - -# Extra non-free networks for work packages -# non-free: -microsoft_azure: - - azure-cli - - aur/azure-kubelogin - -hashicorp: - - name: vault - alias: hvault - -extra_video: - - name: kdenlive - desc: video editor diff --git a/ansible/packages/essentials/python_packages.yaml b/ansible/packages/essentials/python_packages.yaml new file mode 100644 index 0000000..d0e6dff --- /dev/null +++ b/ansible/packages/essentials/python_packages.yaml @@ -0,0 +1,5 @@ +common: + - pipdeptree + - copyparty + - lesspass + - pylint diff --git a/ansible/packages/extra/arch_packages.yaml b/ansible/packages/extra/arch_packages.yaml new file mode 100644 index 0000000..d97da93 --- /dev/null 
+++ b/ansible/packages/extra/arch_packages.yaml 
@@ -0,0 +1,224 @@ +--- +common: + tty: + - name: aur/physlock + desc: Session password-lock at the TTY level + + libs: + - protobuf + - libosmium + - name: expat + desc: XML parser lib + + hardware: {} + + network: {} + + keymap: {} + + bluetooth: {} + + utils: + _: + - plantuml + - name: stress + desc: Load system to make it heat and sweat + - desc: Count source lines of a project + name: aur/scc + keyboard: + - name: ttyper + desc: Typing speed test. + backup: + - borg + docs: + - arch-wiki-docs + language: {} + mail: {} + fun: + - figlet + - cowsay + - aur/boxes + - fortune-mod + bureautique: + - name: aur/marp-cli-bin + desc: create presentation from markdown + pdf: + - aur/ocrmypdf + - aur/wkhtmltopdf-static + gis: # SIG + _: + - gdal + - aur/tippecanoe + osm: + - aur/osmium-tool + - osm2pgsql + vcs: + git: {} + fossil: + - fossil + network: + http: {} + dns: + - aur/python-dnsrecon + kafka: + - name: aur/kcat-cli + desc: Kafka cat + - aur/avro-c + encoding: + avro: + - aur/avro-tools + _: {} + inspection: + - name: aur/libtree + desc: Inspect a binary and output of tree of system libraries + fs: {} + disk: {} + tui: + browser: + - name: aur/browsh + desc: Terminal browser, headless chromium running on a remote server that translate to text over Mosh. 
+ files: {} + security: + - siege + monitoring: {} + android: {} + random_gen: {} + hashing: {} + colors: + - name: pastel + desc: Manipulate colors + multimedia: + audio: {} + communication: + - name: aur/sigtop-git + desc: Messages and attahcments backup program for Signal Desktop + + cli_frontends: + forges: {} + + multimedia: + youtube: {} + player: {} + book: {} + exif: {} + _: {} + + password: {} + + virtualization: + - qemu-base + - name: guestfs-tools + desc: include the very useful virt-customize + - name: libguestfs + desc: include virt-install + - name: cloud-init + desc: Cloud-init utils, used to validate config + + docker: + - name: aur/hadolint-bin + desc: Linter for Dockerfile, with all haskell dependencies + - name: trivy + desc: Container image security scanner + + programming: + _: {} + html: {} + sqlite: {} + editor: {} + c: {} + node: {} + lsp: + - typescript-language-server + - svelte-language-server + - aur/typst-lsp + - lua-language-server + - vscode-css-languageserver + rust: {} + dbs: {} + python: + _: {} + lint: {} + lib: {} + lua: {} + web: {} + static: {} + ci: {} + + shell: {} + + audio: + control: {} + + desktop: + wayland: + # https://github.com/natpen/awesome-wayland + _: {} + display: {} + color_picker: {} + emojis_picker: {} + notification: {} + screenshot: {} + + desktop_utils: {} + + GUI: + files: {} + browser: + - aur/thorium-browser-bin + - qutebrowser + - torbrowser-launcher + terminal_emulator: {} + mail: {} + communication: + _: {} + irc: {} + matrix: {} + document: + viewer: {} + editor: {} + images: + viewer: {} + creation: + image: + - gimp + - krita + audio: + - tenacity + - songrec + - aur/clementine + video: + - celluloid + - vlc + - obs-studio + - name: kdenlive + desc: video editor + 3d: + - openscad + - blender + bureautique: {} + geo: + - qgis + vcs: + git: + - giggle + db: + - name: dbeaver + remote_access: {} + _: {} + inspection: {} + editor: {} + fonts: {} + +proprietary_vpns: + - openfortivpn + +# Extra 
non-free networks for work packages +# non-free: +microsoft_azure: + - azure-cli + - aur/azure-kubelogin + +hashicorp: + - name: vault + alias: hvault + diff --git a/ansible/packages/extra/python_packages.yaml b/ansible/packages/extra/python_packages.yaml new file mode 100644 index 0000000..d7936a8 --- /dev/null +++ b/ansible/packages/extra/python_packages.yaml @@ -0,0 +1,7 @@ +common: + multimedia: + - linkchecker + - imagehash + - yewtube + - azlyrics2 + - epy-reader diff --git a/ansible/python_packages.yaml b/ansible/python_packages.yaml deleted file mode 100644 index 9d98430..0000000 --- a/ansible/python_packages.yaml +++ /dev/null @@ -1,14 +0,0 @@ -base: - - mkdocs - - pipdeptree - - copyparty - - lesspass - - yewtube - - lesspass - - mkdocs - - linkchecker - - imagehash - - pylint -multimedia: - - azlyrics2 - - epy-reader diff --git a/ansible/roles/ssh/tasks/main.yaml b/ansible/roles/ssh/tasks/main.yaml index 0d18721..c233dfa 100644 --- a/ansible/roles/ssh/tasks/main.yaml +++ b/ansible/roles/ssh/tasks/main.yaml @@ -24,25 +24,29 @@ owner: "{{ user }}" mode: u=rw,g=,o= -- name: Create temporary build directory +- delegate_to: localhost ansible.builtin.tempfile: state: directory suffix: ssh_known_hosts register: tempdir_known_hosts - name: Load known hosts from profiles + delegate_to: localhost template: - # load from controller host - src: "{{ home }}/.dots/profiles/{{ item.name }}/configs/ssh/known_hosts" + # load from controller host, from the work profile repository + src: "{{ profiles_paths[item.name] }}/configs/ssh/known_hosts" dest: "{{ tempdir_known_hosts.path }}/{{ item.name }}" with_items: "{{ enabled_profiles }}" +# - name: Execute a command +# ansible.builtin.command: "sleep infinity" + - name: Concat known hosts template: src: ssh/known_hosts dest: "{{ home }}/.ssh/known_hosts" vars: - tempdir_known_hosts: "{{ tempdir_known_hosts }}" + origin_dir: "{{ tempdir_known_hosts.path }}" - name: Ensure ssh config profiles dir exists file: 
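Review bot: The new ansible/packages/extra/arch_packages.yaml has a `network: {}` entry near the top of `common:` and a second `network:` mapping (http/dns/kafka/encoding/`_`) further down; indentation cannot be recovered from this collapsed view, but if both sit at the same level the second silently replaces the first in most YAML loaders (yamllint's key-duplicates rule will say). The same check applies to the two `multimedia:` mappings in the file. Separately, the `aur/sigtop-git` entry has a typo in its description: `desc: Messages and attachments backup program for Signal Desktop`.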
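Review bot: In the ansible/roles/ssh/tasks/main.yaml hunk, the tempfile task lost its `name:` when `delegate_to: localhost` became its first key, so the play output now shows an anonymous `ansible.builtin.tempfile` step; restore it with `- name: Create temporary known_hosts dir on the controller` above `delegate_to`. The commented-out `sleep infinity` debug task should not land with the change. The directory registered as `tempdir_known_hosts` receives a copy of every enabled profile's known_hosts on the controller, and no task in this hunk removes it after `Concat known hosts`; if there is no cleanup elsewhere in the role, add a `file:` task with `state: absent` delegated to localhost at the end.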
@@ -51,7 +55,7 @@ - name: Load ssh config of profiles template: - src: "{{ home }}/.dots/profiles/{{ item.name }}/configs/ssh/config" + src: "{{ profiles_paths[item.name] }}/configs/ssh/config" dest: "{{ home }}/.ssh/profiles/{{ item.name }}" mode: u=rw,g=,o= with_items: "{{ enabled_profiles }}" diff --git a/ansible/run_ansible_playbook.sh b/ansible/run_ansible_playbook.sh index 4ca44cd..897b968 100755 --- a/ansible/run_ansible_playbook.sh +++ b/ansible/run_ansible_playbook.sh @@ -14,7 +14,7 @@ rm $base/vm_files ln -s $workdir $base/vm_files ansible-playbook $base/workstation.yaml \ - -v \ + -vvvvv \ --ask-become-pass \ -i "inventory.yaml" \ --ssh-extra-args "-o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 22 -i ./master_sshkey" \ diff --git a/ansible/templates/ssh/known_hosts b/ansible/templates/ssh/known_hosts index 0335d34..6d69ad0 100644 --- a/ansible/templates/ssh/known_hosts +++ b/ansible/templates/ssh/known_hosts @@ -27,7 +27,7 @@ codeberg.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTY # ============================== # Profile: {{ enabled_profile.name }} # ============================== -{{ lookup('file', tempdir_known_hosts.path + '/' + enabled_profile.name) }} +{{ lookup('file', origin_dir + '/' + enabled_profile.name) }} {% endfor %} diff --git a/ansible/workstation.yaml b/ansible/workstation.yaml index 6afb0bc..c24771f 100644 --- a/ansible/workstation.yaml +++ b/ansible/workstation.yaml 
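Review bot: The `-v` to `-vvvvv` change in ansible/run_ansible_playbook.sh turns on connection-level debugging, and the script already exports `ANSIBLE_LOG_PATH=ansible_run.log` (visible as hunk context in the patch-03 change to the same file), so full ssh invocations, module arguments and every templated value now land in a log file in the working directory on each run. If this is WIP debugging, revert to `-v` and raise verbosity per run through the `ANSIBLE_VERBOSITY` environment variable instead. Independently of this change, the `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no` extra args on the context line below disable host-key verification for the controller-to-target connection; that deserves a follow-up rather than a silent carry-over.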
@@ -5,38 +5,17 @@ systemd_services: system: [] user: - - from: "mount_sshfs" - name: "mount_sshfs_srv06_warmd_mbess" - enabled: true - params: - ssh_uri: "mbess@srv06.mbess.net:/warmd/mbess" - mount_path: "{{ home }}/.mnt/srv06/warmd/mbess" - profile: perso - - from: "mount_sshfs" - name: "mount_sshfs_srv06_warmd_etb" - enabled: true - params: - ssh_uri: "mbess@srv06.mbess.net:/warmd/etoiledebethleem" - mount_path: "{{ home }}/.mnt/srv06/warmd/etb" - profile: perso - - name: "popequer_gitwatch@" - profile: all - name: "hourly_remainder" enabled: true timer: true - profile: all - name: "cliphist" enabled: true - profile: all - name: "kanshi" enabled: true - profile: all - name: "gammastep" enabled: true - profile: all - name: "swaybg" enabled: true - profile: all config_files: - dir: fish name: config.fish @@ -74,6 +53,7 @@ dest: "{{ home }}/.monakhos" - name: Change hostname + become: true hostname: name: "{{ device_name }}" @@ -121,11 +101,6 @@ - shell: "rm -rf /etc/pacman.d/gnupg && pacman-key --init && pacman-key --populate archlinux" - shell: "mkdir -p {{ home }}/.cache/monakhos; echo -n $(date --iso-8601=d) > {{ home }}/.cache/monakhos/pacman_key_state" - - name: Install global tools (Python packages) - include_role: - name: uv_tools - with_items: "{{ lookup('pipe', 'cat python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}" - # AUR SETUP - name: Create the aur_builder user become: yes 
@@ -155,24 +130,30 @@ path: "{{ home }}/.stub" state: touch - # INSTALL normal packages from YAML - - name: Install non-AUR packages + # INSTALL essentials packages from YAML + - name: Install essentials non-AUR packages become: true community.general.pacman: - name: "{{ lookup('pipe', ('cat arch_packages.yaml | python3 parse_arch_packages.py ' + item)) | from_json }}" + name: "{{ lookup('pipe', ('cat packages/essentials/arch_packages.yaml | python3 parse_arch_packages.py ' + item)) | from_json }}" with_items: "{{ packages_categories }}" - - name: Install AUR packages + - name: Install essentials AUR packages include_role: name: aur vars: - packages: "{{ lookup('pipe', ('cat arch_packages.yaml | python3 parse_arch_packages.py --aur ' + item)) | from_json }}" + packages: "{{ lookup('pipe', ('cat packages/essentials/arch_packages.yaml | python3 parse_arch_packages.py --aur ' + item)) | from_json }}" with_items: "{{ packages_categories }}" - name: Install sway include_role: name: sway + # Install essentials tools with UV + - name: Install essentials global tools (Python packages) + include_role: + name: uv_tools + with_items: "{{ lookup('pipe', 'cat packages/essentials/python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}" + # DOTS - name: Clone dots file git: @@ -180,11 +161,6 @@ repo: "git@forge.lefuturiste.fr:mbess/dots.git" dest: "{{ home }}/.dots" - - name: Install requirements in dots - pip: - virtualenv: "{{ home }}/.dots/venv" - requirements: "{{ home }}/.dots/requirements.txt" - - name: Setup DNS and unbound include_role: name: dns @@ -241,7 +217,7 @@ - name: Setup user units loop: "{{ systemd_services.user }}" - when: "item.from is not defined and (item.profile == 'all' or item.profile in enabled_profiles)" + when: "item.from is not defined" template: src: "systemd/user/{{ item.name }}.service" dest: "{{ home }}/.config/systemd/user/{{ item.name }}.service" 
@@ -250,7 +226,7 @@ - name: Setup user unit with from loop: "{{ systemd_services.user }}" - when: "item.from is defined and (item.profile == 'all' or item.profile in enabled_profiles)" + when: "item.from is defined" template: src: "systemd/user/{{ item.from }}.service" dest: "{{ home }}/.config/systemd/user/{{ item.name }}.service" @@ -259,7 +235,7 @@ - name: Setup user timers loop: "{{ systemd_services.user }}" - when: "item.timer is defined and item.timer and (item.profile == 'all' or item.profile in enabled_profiles)" + when: "item.timer is defined and item.timer" template: src: "systemd/user/{{ item.name }}.timer" dest: "{{ home }}/.config/systemd/user/{{ item.name }}.timer" @@ -275,7 +251,7 @@ enabled: true - name: Enable some systemd user timers - when: "item.timer is defined and item.timer and (item.profile == 'all' or item.profile in enabled_profiles)" + when: "item.timer is defined and item.timer" loop: "{{ systemd_services.user }}" systemd_service: scope: user @@ -284,16 +260,6 @@ enabled: true # OTHERS - - name: Setup mount point folders - file: - path: "{{ home }}/.mnt/{{ item }}" - state: directory - recurse: true - when: "'perso' in enabled_profiles" - loop: - - srv06/warmd/mbess - - srv06/coldd/mbess - - srv06/warmd/etb - name: Setup triage folder file: path: "{{ home }}/triage" @@ -345,10 +311,6 @@ state: directory recurse: true - - name: Setup main popequer notebook - include_role: - name: popequer_notebook - - name: Enable bluetooth service become: true ansible.builtin.systemd_service: @@ -363,11 +325,6 @@ dest: "/usr/bin/rofi" state: link - - name: Setup OpenFortiVPN - when: '"pro" in enabled_profiles' - include_role: - name: openfortivpn - - name: Setup apps dir file: path: "{{ home }}/.apps" 
@@ -392,11 +349,6 @@ name: wayland_fixer # Initialize Workspaces - - name: Clone books sources - ansible.builtin.git: - repo: "git@forge.lefuturiste.fr:mbess/books-sources.git" - dest: /home/mbess/workspace/books_sources - when: "'perso' in enabled_profiles" - name: Clone general programming snippets ansible.builtin.git: repo: "git@forge.lefuturiste.fr:mbess/snippets.git" @@ -405,3 +357,24 @@ ansible.builtin.git: repo: "git@forge.lefuturiste.fr:mbess/monakhos.git" dest: /home/mbess/workspace/monakhos + + # INSTALL extra packages from YAML + - name: Install extra non-AUR packages + become: true + community.general.pacman: + name: "{{ lookup('pipe', ('cat packages/extra/arch_packages.yaml | python3 parse_arch_packages.py ' + item)) | from_json }}" + with_items: "{{ packages_categories }}" + + - name: Install extra AUR packages + include_role: + name: aur + vars: + packages: "{{ lookup('pipe', ('cat packages/extra/arch_packages.yaml | python3 parse_arch_packages.py --aur ' + item)) | from_json }}" + with_items: "{{ packages_categories }}" + + - name: Install extra global tools (Python packages) + include_role: + name: uv_tools + with_items: "{{ lookup('pipe', 'cat packages/essentials/python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}" + + From c4112b56bb4f78b7201b644b593a3fb95514e125 Mon Sep 17 00:00:00 2001 
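Review bot: In the `@@ -405,3 +357,24 @@` hunk of ansible/workstation.yaml, the new `Install extra global tools (Python packages)` task reads `packages/essentials/python_packages.yaml`, so it re-installs the essentials list and never consumes the `packages/extra/python_packages.yaml` created in this commit; the lookup should be `'cat packages/extra/python_packages.yaml | python3 parse_arch_packages.py all'`. The same copy-paste is carried verbatim into ansible/_saved_workstation.yaml in patch 03. Note also that the two files differ in shape — `common:` is a flat list in essentials and a mapping with a `multimedia:` list in extra — so confirm that parse_arch_packages.py, which is not in view, accepts both when called with `all`.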
From: Matthieu Bessat Date: Wed, 1 Oct 2025 10:17:47 +0200 Subject: [PATCH 03/12] feat: copy static configs from dotsfiles repo --- README.md | 7 + TODO.md | 5 + ansible/_saved_workstation.yaml | 380 ++++++++++++++++++ .../packages/essentials/arch_packages.yaml | 7 +- .../dotsfiles/tasks/copy_config_file.yaml | 13 + .../dotsfiles/tasks/install_configs.yaml | 6 + ansible/roles/dotsfiles/tasks/main.yaml | 21 + ansible/run_ansible_playbook.sh | 6 +- ansible/setup_dotsfiles.yaml | 13 + ansible/workstation.yaml | 214 ---------- 10 files changed, 454 insertions(+), 218 deletions(-) create mode 100644 ansible/_saved_workstation.yaml create mode 100644 ansible/roles/dotsfiles/tasks/copy_config_file.yaml create mode 100644 ansible/roles/dotsfiles/tasks/install_configs.yaml create mode 100644 ansible/roles/dotsfiles/tasks/main.yaml create mode 100644 ansible/setup_dotsfiles.yaml diff --git a/README.md b/README.md index 283ee22..a3c1c7e 100644 --- a/README.md +++ b/README.md @@ -116,3 +116,10 @@ You need to keep updated the known hosts in your profiles to not have this info ## triage The master ssh key is used by the controller to authenticate to the ssh server of the target device. + +## architecture + +- Monakhos base +- Monakhos profile perso/pro +- Dots base +- Dots desktop diff --git a/TODO.md b/TODO.md index dd2d54d..c7e5b71 100644 --- a/TODO.md +++ b/TODO.md @@ -22,3 +22,8 @@ - [x] packages: add `texlive-langfrench`, `texlive-binextra` +- Find a replacement software for mepo + - Mepo is hard to install because it depend on zig, zig build breaks often + - Either fix the AUR package (byinstallBT +- Possible issues: + - dependency on aur.archlinux.org, can give 503 sometimes diff --git a/ansible/_saved_workstation.yaml b/ansible/_saved_workstation.yaml new file mode 100644 index 0000000..c24771f --- /dev/null +++ b/ansible/_saved_workstation.yaml 
@@ -0,0 +1,380 @@ +- hosts: workstation + gather_facts: True + vars: + home: /home/{{ user }} + systemd_services: + system: [] + user: + - name: "hourly_remainder" + enabled: true + timer: true + - name: "cliphist" + enabled: true + - name: "kanshi" + enabled: true + - name: "gammastep" + enabled: true + - name: "swaybg" + enabled: true + config_files: + - dir: fish + name: config.fish + - dir: tmux + name: tmux.conf + - dir: alacritty + name: alacritty.toml + - dir: wofi + name: style.css + - dir: kanshi + name: config + - dir: sway + name: config + - dir: helix + name: config.toml + - dir: i3status-rust + name: config.toml + - dir: git + name: config + - dir: nvim + name: init.lua + - dir: nvim + name: lua # lua dir + # for desktop notifications + - dir: dunst + name: dunstrc + tasks: + - name: Init arch + block: + - file: + path: /home/mbess/.monakhos + state: touch + - copy: + content: "{\"monakhos\": {\"date\": \"{{ ansible_date_time.iso8601 }}\", \"device_name\":\"{{ device_name }}\", \"enabled_profiles\":{{ enabled_profiles | to_json }} }}\n" + dest: "{{ home }}/.monakhos" + + - name: Change hostname + become: true + hostname: + name: "{{ device_name }}" + + - name: Update pacman repo + become: true + community.general.pacman: + update_cache: true + upgrade: true + + - name: Install some basic packages + become: true + community.general.pacman: + name: + - archlinux-keyring + - git + - openssh + + - name: "Configure to auto load some kernel modules at boot" + become: true + copy: + content: "# managed by monakhos\ni2c-dev\n" + dest: "/etc/modules-load.d/auto.conf" + + - name: Setup SSH client + include_role: + name: ssh + + - name: Init pacman keyring + become: true + # complicated shit follow, to run or not this part depending on if we need to update the pacman key (expiration date) + block: + - stat: + path: "{{ home }}/.cache/monakhos/pacman_key_state" + register: pacman_key_state_stat + - when: pacman_key_state_stat.stat.exists + slurp: + src: "{{ home 
}}/.cache/monakhos/pacman_key_state" + register: pacman_key_state + - when: pacman_key_state.content is defined + name: "pacman key state debug 1" + debug: + msg: "{{ pacman_key_state.content | b64decode | to_datetime('%Y-%m-%d') }}" + - when: not pacman_key_state_stat.stat.exists + block: + - shell: "rm -rf /etc/pacman.d/gnupg && pacman-key --init && pacman-key --populate archlinux" + - shell: "mkdir -p {{ home }}/.cache/monakhos; echo -n $(date --iso-8601=d) > {{ home }}/.cache/monakhos/pacman_key_state" + + # AUR SETUP + - name: Create the aur_builder user + become: yes + ansible.builtin.user: + name: aur_builder + create_home: yes + group: wheel + + - name: Allow the `aur_builder` user to run `sudo pacman` without a password + become: yes + ansible.builtin.lineinfile: + path: /etc/sudoers.d/11-install-aur_builder + line: 'aur_builder ALL=(ALL) NOPASSWD: /usr/bin/pacman' + create: yes + mode: 0644 + validate: 'visudo -cf %s' + + - name: Install yay + include_role: + name: aur + vars: + packages: + - yay-bin + + - name: Stub + file: + path: "{{ home }}/.stub" + state: touch + + # INSTALL essentials packages from YAML + - name: Install essentials non-AUR packages + become: true + community.general.pacman: + name: "{{ lookup('pipe', ('cat packages/essentials/arch_packages.yaml | python3 parse_arch_packages.py ' + item)) | from_json }}" + with_items: "{{ packages_categories }}" + + - name: Install essentials AUR packages + include_role: + name: aur + vars: + packages: "{{ lookup('pipe', ('cat packages/essentials/arch_packages.yaml | python3 parse_arch_packages.py --aur ' + item)) | from_json }}" + with_items: "{{ packages_categories }}" + + - name: Install sway + include_role: + name: sway + + # Install essentials tools with UV + - name: Install essentials global tools (Python packages) + include_role: + name: uv_tools + with_items: "{{ lookup('pipe', 'cat packages/essentials/python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}" + + # DOTS + - 
name: Clone dots file + git: + key_file: "{{ home }}/.ssh/{{ device_name }}_perso_generic_ed25519" + repo: "git@forge.lefuturiste.fr:mbess/dots.git" + dest: "{{ home }}/.dots" + + - name: Setup DNS and unbound + include_role: + name: dns + + - name: Symbolic link to user .profile + file: + src: "{{ home }}/.profile" + dest: "{{ home }}/.dots/config/.profile" + state: link + force: true + + - name: Setup config directories + file: + path: "{{ home }}/.config/{{ item.dir }}" + state: directory + recurse: true + loop: "{{ config_files }}" + + - name: Setup symbolic links to config files + file: + src: "{{ home }}/.dots/config/{{ item.dir }}/{{ item.name }}" + dest: "{{ home }}/.config/{{ item.dir }}/{{ item.name }}" + state: link + force: true + loop: "{{ config_files }}" + + - name: Set default shell + become: true + user: + name: "{{ user }}" + shell: /usr/bin/fish + + - name: Add user to useful group (docker) + become: true + user: + name: "{{ user }}" + groups: ["docker"] + + - name: Create machine.fish + template: + src: fish/machine.fish + dest: "{{ home }}/.config/fish/machine.fish" + + - name: Setup xremap + include_role: + name: xremap + + # SYSTEMD user services + - name: Setup systemd user services folder + file: + path: "{{ home }}/.config/systemd/user" + state: directory + recurse: true + + - name: Setup user units + loop: "{{ systemd_services.user }}" + when: "item.from is not defined" + template: + src: "systemd/user/{{ item.name }}.service" + dest: "{{ home }}/.config/systemd/user/{{ item.name }}.service" + vars: + service_params: "{{ item.params }}" + + - name: Setup user unit with from + loop: "{{ systemd_services.user }}" + when: "item.from is defined" + template: + src: "systemd/user/{{ item.from }}.service" + dest: "{{ home }}/.config/systemd/user/{{ item.name }}.service" + vars: + service_params: "{{ item.params }}" + + - name: Setup user timers + loop: "{{ systemd_services.user }}" + when: "item.timer is defined and item.timer" + template: + 
src: "systemd/user/{{ item.name }}.timer" + dest: "{{ home }}/.config/systemd/user/{{ item.name }}.timer" + + - name: Enable some systemd user services + when: "item.enabled is defined and item.enabled" + loop: "{{ systemd_services.user }}" + systemd_service: + daemon_reload: true + scope: user + name: "{{ item.name }}" + state: started + enabled: true + + - name: Enable some systemd user timers + when: "item.timer is defined and item.timer" + loop: "{{ systemd_services.user }}" + systemd_service: + scope: user + name: "{{ item.name }}.timer" + state: started + enabled: true + + # OTHERS + - name: Setup triage folder + file: + path: "{{ home }}/triage" + state: directory + recurse: true + - name: Setup quick notes folder + file: + path: "{{ home }}/quick/notes" + state: directory + recurse: true + - name: Setup quick docs folder + file: + path: "{{ home }}/quick/docs" + state: directory + recurse: true + - name: Setup quick screenshot folder + file: + path: "{{ home }}/quick/screenshots" + state: directory + recurse: true + - name: Setup long-term local secrets + file: + path: "{{ home }}/.local/secrets" + state: directory + recurse: true + - name: Setup directory to contains local root CA + file: + path: "{{ home }}/.local/secrets/root_ca" + state: directory + recurse: true + - name: Setup temporary secrets folder + file: + path: "{{ home }}/.cache/secrets" + state: directory + recurse: true + - name: Setup vaults dir gpg home + file: + path: "{{ home }}/.vaults/gpg-homes" + state: directory + recurse: true + - name: Setup vaults dir store unixpass + file: + path: "{{ home }}/.vaults/pass" + state: directory + recurse: true + - name: Setup workspace folder + file: + path: "{{ home }}/workspace" + state: directory + recurse: true + + - name: Enable bluetooth service + become: true + ansible.builtin.systemd_service: + name: bluetooth + state: started + enabled: true + + - name: Setup wofi link + become: true + file: + src: "/usr/bin/wofi" + dest: "/usr/bin/rofi" + 
state: link + + - name: Setup apps dir + file: + path: "{{ home }}/.apps" + state: directory + recurse: true + + - name: Setup default browser link + file: + src: /usr/bin/librewolf + dest: "{{ home }}/.apps/browser" + state: link + force: true + + - name: Set default browser + include_role: + name: xdg_browser + vars: + default_browser: librewolf + + - name: Patch desktop entries for wayland + include_role: + name: wayland_fixer + + # Initialize Workspaces + - name: Clone general programming snippets + ansible.builtin.git: + repo: "git@forge.lefuturiste.fr:mbess/snippets.git" + dest: /home/mbess/workspace/snippets + - name: Clone monakhos + ansible.builtin.git: + repo: "git@forge.lefuturiste.fr:mbess/monakhos.git" + dest: /home/mbess/workspace/monakhos + + # INSTALL extra packages from YAML + - name: Install extra non-AUR packages + become: true + community.general.pacman: + name: "{{ lookup('pipe', ('cat packages/extra/arch_packages.yaml | python3 parse_arch_packages.py ' + item)) | from_json }}" + with_items: "{{ packages_categories }}" + + - name: Install extra AUR packages + include_role: + name: aur + vars: + packages: "{{ lookup('pipe', ('cat packages/extra/arch_packages.yaml | python3 parse_arch_packages.py --aur ' + item)) | from_json }}" + with_items: "{{ packages_categories }}" + + - name: Install extra global tools (Python packages) + include_role: + name: uv_tools + with_items: "{{ lookup('pipe', 'cat packages/essentials/python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}" + + diff --git a/ansible/packages/essentials/arch_packages.yaml b/ansible/packages/essentials/arch_packages.yaml index 4a9b79c..589c92f 100644 --- a/ansible/packages/essentials/arch_packages.yaml +++ b/ansible/packages/essentials/arch_packages.yaml @@ -433,6 +433,8 @@ common: - aur/ungoogled-chromium-bin terminal_emulator: - alacritty + - name: lsix + description: Command to show image in the terminal mail: - thunderbird communication: 
@@ -471,8 +473,7 @@ common: 3d: {} bureautique: - libreoffice-still - geo: - - aur/mepo + geo: {} vcs: git: {} db: @@ -483,7 +484,7 @@ common: - aur/remmina-plugin-rdesktop _: - name: aur/screen-message - description: Utility to write in big on the screen + description: Utility to write big text on the screen inspection: - wireshark-qt editor: diff --git a/ansible/roles/dotsfiles/tasks/copy_config_file.yaml b/ansible/roles/dotsfiles/tasks/copy_config_file.yaml new file mode 100644 index 0000000..fd8ec10 --- /dev/null +++ b/ansible/roles/dotsfiles/tasks/copy_config_file.yaml @@ -0,0 +1,13 @@ +- name: Debug configuration file infos + ansible.builtin.debug: + var: "config" +- name: Create directory + ansible.builtin.file: + path: "{{ (home + '/' + config['dest']) | dirname }}" + state: directory + recurse: true +- name: Copy files + ansible.builtin.copy: + src: "{{ dotsfiles_repo_path.stdout }}/confs/src/{{ config['src'] }}" + force: true + dest: "{{ home }}/{{ config['dest'] }}" diff --git a/ansible/roles/dotsfiles/tasks/install_configs.yaml b/ansible/roles/dotsfiles/tasks/install_configs.yaml new file mode 100644 index 0000000..005dfaa --- /dev/null +++ b/ansible/roles/dotsfiles/tasks/install_configs.yaml @@ -0,0 +1,6 @@ +- name: Copy single file + ansible.builtin.include_tasks: + file: copy_config_file.yaml + loop_control: + loop_var: config + with_items: "{{ config_map.static_files_copy }}" diff --git a/ansible/roles/dotsfiles/tasks/main.yaml b/ansible/roles/dotsfiles/tasks/main.yaml new file mode 100644 index 0000000..793137a --- /dev/null +++ b/ansible/roles/dotsfiles/tasks/main.yaml 
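Review bot: `Copy files` points `src` at `{{ dotsfiles_repo_path.stdout }}/confs/src/...`, a path on the managed host, but without `remote_src: true` `ansible.builtin.copy` looks for that file on the controller and fails on any workstation that is not also the machine running the playbook. Add `remote_src: true`, and set an explicit `mode:` (`u=rw,g=r,o=`) because dotfiles frequently carry tokens and the copy otherwise inherits the remote umask. `Debug configuration file infos` dumps every config entry on every run; gate it on verbosity or drop it once the role settles.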
@@ -0,0 +1,21 @@ +- name: Setup repo directory + file: + path: "{{ home }}/.dotsfiles" + state: directory + recurse: false +- name: echo dotsfiles path + command: "echo {{ home }}/.dotsfiles/{{ dotsfiles_repo_name }}" + register: dotsfiles_repo_path +- name: Clone dotsfiles repo + ansible.builtin.git: + repo: "{{ dotsfiles_repo_url }}" + dest: "{{ dotsfiles_repo_path.stdout }}" +- name: Read config map + ansible.builtin.slurp: + src: "{{ dotsfiles_repo_path.stdout }}/confs/config_map.yaml" + register: dotsfiles_map_yaml +- name: Install configs from config map + ansible.builtin.include_tasks: + file: install_configs.yaml + vars: + config_map: "{{ (dotsfiles_map_yaml.content | b64decode | from_yaml).config_map }}" diff --git a/ansible/run_ansible_playbook.sh b/ansible/run_ansible_playbook.sh index 897b968..2da4203 100755 --- a/ansible/run_ansible_playbook.sh +++ b/ansible/run_ansible_playbook.sh @@ -13,7 +13,11 @@ export ANSIBLE_LOG_PATH=ansible_run.log rm $base/vm_files ln -s $workdir $base/vm_files -ansible-playbook $base/workstation.yaml \ +export ANSIBLE_PLAYBOOK="${ANSIBLE_PLAYBOOK:-workstation.yaml}" + +playbookPath="$base/$ANSIBLE_PLAYBOOK" + +ansible-playbook $playbookPath \ -vvvvv \ --ask-become-pass \ -i "inventory.yaml" \ diff --git a/ansible/setup_dotsfiles.yaml b/ansible/setup_dotsfiles.yaml new file mode 100644 index 0000000..4133620 --- /dev/null +++ b/ansible/setup_dotsfiles.yaml @@ -0,0 +1,13 @@ +- hosts: workstation + gather_facts: False + vars: + home: /home/{{ user }} + tasks: + - name: Setup dotsfile (copy) + include_role: + name: dotsfiles + vars: + dotsfiles_repo_name: "{{ item.name }}" + dotsfiles_repo_url: "{{ item.repo_url }}" + with_items: "{{ dotsfiles_repos }}" + diff --git a/ansible/workstation.yaml b/ansible/workstation.yaml index c24771f..92d6c75 100644 --- a/ansible/workstation.yaml +++ b/ansible/workstation.yaml 
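Review bot: `Clone dotsfiles repo` has no `version:` pin, so each run checks out whatever the remote's default branch points at, and `install_configs.yaml` then copies those files straight into `~/.config`; a bad push or a compromised forge account is applied to every workstation on the next run. Add `version: "{{ dotsfiles_repo_version | default('main') }}"` and expose the pin (tag or commit) in the `dotsfiles_repos` entries. Separately, `echo dotsfiles path` spawns a process just to concatenate two strings and reports `changed` on every run; replace it with `ansible.builtin.set_fact: dotsfiles_repo_path: "{{ home }}/.dotsfiles/{{ dotsfiles_repo_name }}"` and drop the `.stdout` suffix at its use sites.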
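Review bot: `gather_facts: False` uses the YAML 1.1 capitalised boolean while every other flag in this series is written `true`/`false`; write `gather_facts: false` (yamllint's `truthy` rule flags the capitalised form). Note also that with facts disabled there is no `ansible_env.HOME` to fall back on, so `home: /home/{{ user }}` is the only source of the home path; a one-line comment saying so would save the next reader from "fixing" it.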
@@ -2,46 +2,6 @@ gather_facts: True vars: home: /home/{{ user }} - systemd_services: - system: [] - user: - - name: "hourly_remainder" - enabled: true - timer: true - - name: "cliphist" - enabled: true - - name: "kanshi" - enabled: true - - name: "gammastep" - enabled: true - - name: "swaybg" - enabled: true - config_files: - - dir: fish - name: config.fish - - dir: tmux - name: tmux.conf - - dir: alacritty - name: alacritty.toml - - dir: wofi - name: style.css - - dir: kanshi - name: config - - dir: sway - name: config - - dir: helix - name: config.toml - - dir: i3status-rust - name: config.toml - - dir: git - name: config - - dir: nvim - name: init.lua - - dir: nvim - name: lua # lua dir - # for desktop notifications - - dir: dunst - name: dunstrc tasks: - name: Init arch block: @@ -154,39 +114,6 @@ name: uv_tools with_items: "{{ lookup('pipe', 'cat packages/essentials/python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}" - # DOTS - - name: Clone dots file - git: - key_file: "{{ home }}/.ssh/{{ device_name }}_perso_generic_ed25519" - repo: "git@forge.lefuturiste.fr:mbess/dots.git" - dest: "{{ home }}/.dots" - - - name: Setup DNS and unbound - include_role: - name: dns - - - name: Symbolic link to user .profile - file: - src: "{{ home }}/.profile" - dest: "{{ home }}/.dots/config/.profile" - state: link - force: true - - - name: Setup config directories - file: - path: "{{ home }}/.config/{{ item.dir }}" - state: directory - recurse: true - loop: "{{ config_files }}" - - - name: Setup symbolic links to config files - file: - src: "{{ home }}/.dots/config/{{ item.dir }}/{{ item.name }}" - dest: "{{ home }}/.config/{{ item.dir }}/{{ item.name }}" - state: link - force: true - loop: "{{ config_files }}" - - name: Set default shell become: true user: 
@@ -199,132 +126,6 @@ name: "{{ user }}" groups: ["docker"] - - name: Create machine.fish - template: - src: fish/machine.fish - dest: "{{ home }}/.config/fish/machine.fish" - - - name: Setup xremap - include_role: - name: xremap - - # SYSTEMD user services - - name: Setup systemd user services folder - file: - path: "{{ home }}/.config/systemd/user" - state: directory - recurse: true - - - name: Setup user units - loop: "{{ systemd_services.user }}" - when: "item.from is not defined" - template: - src: "systemd/user/{{ item.name }}.service" - dest: "{{ home }}/.config/systemd/user/{{ item.name }}.service" - vars: - service_params: "{{ item.params }}" - - - name: Setup user unit with from - loop: "{{ systemd_services.user }}" - when: "item.from is defined" - template: - src: "systemd/user/{{ item.from }}.service" - dest: "{{ home }}/.config/systemd/user/{{ item.name }}.service" - vars: - service_params: "{{ item.params }}" - - - name: Setup user timers - loop: "{{ systemd_services.user }}" - when: "item.timer is defined and item.timer" - template: - src: "systemd/user/{{ item.name }}.timer" - dest: "{{ home }}/.config/systemd/user/{{ item.name }}.timer" - - - name: Enable some systemd user services - when: "item.enabled is defined and item.enabled" - loop: "{{ systemd_services.user }}" - systemd_service: - daemon_reload: true - scope: user - name: "{{ item.name }}" - state: started - enabled: true - - - name: Enable some systemd user timers - when: "item.timer is defined and item.timer" - loop: "{{ systemd_services.user }}" - systemd_service: - scope: user - name: "{{ item.name }}.timer" - state: started - enabled: true - - # OTHERS - - name: Setup triage folder - file: - path: "{{ home }}/triage" - state: directory - recurse: true - - name: Setup quick notes folder - file: - path: "{{ home }}/quick/notes" - state: directory - recurse: true - - name: Setup quick docs folder - file: - path: "{{ home }}/quick/docs" - state: directory - recurse: true - - name: Setup 
quick screenshot folder - file: - path: "{{ home }}/quick/screenshots" - state: directory - recurse: true - - name: Setup long-term local secrets - file: - path: "{{ home }}/.local/secrets" - state: directory - recurse: true - - name: Setup directory to contains local root CA - file: - path: "{{ home }}/.local/secrets/root_ca" - state: directory - recurse: true - - name: Setup temporary secrets folder - file: - path: "{{ home }}/.cache/secrets" - state: directory - recurse: true - - name: Setup vaults dir gpg home - file: - path: "{{ home }}/.vaults/gpg-homes" - state: directory - recurse: true - - name: Setup vaults dir store unixpass - file: - path: "{{ home }}/.vaults/pass" - state: directory - recurse: true - - name: Setup workspace folder - file: - path: "{{ home }}/workspace" - state: directory - recurse: true - - - name: Enable bluetooth service - become: true - ansible.builtin.systemd_service: - name: bluetooth - state: started - enabled: true - - - name: Setup wofi link - become: true - file: - src: "/usr/bin/wofi" - dest: "/usr/bin/rofi" - state: link - - name: Setup apps dir file: path: "{{ home }}/.apps" @@ -344,20 +145,6 @@ vars: default_browser: librewolf - - name: Patch desktop entries for wayland - include_role: - name: wayland_fixer - - # Initialize Workspaces - - name: Clone general programming snippets - ansible.builtin.git: - repo: "git@forge.lefuturiste.fr:mbess/snippets.git" - dest: /home/mbess/workspace/snippets - - name: Clone monakhos - ansible.builtin.git: - repo: "git@forge.lefuturiste.fr:mbess/monakhos.git" - dest: /home/mbess/workspace/monakhos - # INSTALL extra packages from YAML - name: Install extra non-AUR packages become: true @@ -377,4 +164,3 @@ name: uv_tools with_items: "{{ lookup('pipe', 'cat packages/essentials/python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}" - From 0ad249ad4a5b77a947db65ae033fc54f2cf79639 Mon Sep 17 00:00:00 2001 
From: Matthieu Bessat Date: Fri, 26 Sep 2025 11:05:34 +0200 Subject: [PATCH 04/12] feat(package): add os-prober --- ansible/packages/essentials/arch_packages.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/packages/essentials/arch_packages.yaml b/ansible/packages/essentials/arch_packages.yaml index 589c92f..a29bd4f 100644 --- a/ansible/packages/essentials/arch_packages.yaml +++ b/ansible/packages/essentials/arch_packages.yaml @@ -9,6 +9,7 @@ common: - screen - openssh - base-devel + - os-prober - name: mosh desc: The best to connect to remote server! deps: From 7a5da023ace35da8d4bf29a75ff72a45f6fae702 Mon Sep 17 00:00:00 2001 From: Matthieu Bessat Date: Thu, 2 Oct 2025 13:07:26 +0200 Subject: [PATCH 05/12] docs: update TODO --- TODO.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/TODO.md b/TODO.md index c7e5b71..c6ac0e2 100644 --- a/TODO.md +++ b/TODO.md 
@@ -1,29 +1,29 @@ # TODO -- add packages -- add configure of i2c dccutil to control external monitor screen brightness +## base work +- Run monakhos base on a podman arch container + - goal: having a container with a workable environment + +## others + +- add configure of i2c dccutil to control external monitor screen brightness - add email client setup - add gopass config - - add python pool - - add cargo global packages, like `pads` - - [ ] configure kanshi - - [ ] battery notify https://github.com/cdown/battery-notify - - configure password management - - [ ] Put some customized patched docker daemon config in /etc/docker/daemon.json with bigger address pool - - `sudo usermod -a -G wireshark mbess` - - [x] packages: add `texlive-langfrench`, `texlive-binextra` - - Find a replacement software for mepo - Mepo is hard to install because it depend on zig, zig build breaks often - Either fix the AUR package (byinstallBT - Possible issues: - dependency on aur.archlinux.org, can give 503 sometimes +- add package: spice server for Qemu and client + - `qemu-chardev-spice` + - `spice-vdagent` + - `spice-gtk` => provide the `spicy` GUI app From d26137b90812f462b6f801a6eca52394becca36d Mon Sep 17 00:00:00 2001 From: Matthieu Bessat Date: Thu, 2 Oct 2025 13:41:18 +0200 Subject: [PATCH 06/12] feat: add keyd setup --- ansible/low_level_desktop_workstation.yaml | 9 +++++++ .../roles/keyboard/files/keyd_default.conf | 8 ++++++ ansible/roles/keyboard/tasks/main.yaml | 26 +++++++++++++++++++ 3 files changed, 43 insertions(+) create mode 100644 ansible/low_level_desktop_workstation.yaml create mode 100644 ansible/roles/keyboard/files/keyd_default.conf create mode 100644 ansible/roles/keyboard/tasks/main.yaml diff --git a/ansible/low_level_desktop_workstation.yaml b/ansible/low_level_desktop_workstation.yaml new file mode 100644 index 0000000..7d046b5 --- /dev/null +++ b/ansible/low_level_desktop_workstation.yaml 
@@ -0,0 +1,9 @@
+# Desktop workstation playbook
+- hosts: workstation
+ gather_facts: True
+ vars:
+ home: /home/{{ user }}
+ tasks:
+ - name: Configure low-level keyboard device
+ include_role:
+ name: keyboard
diff --git a/ansible/roles/keyboard/files/keyd_default.conf b/ansible/roles/keyboard/files/keyd_default.conf
new file mode 100644
index 0000000..ac8be05
--- /dev/null
+++ b/ansible/roles/keyboard/files/keyd_default.conf
@@ -0,0 +1,8 @@
+[ids]
+*
+
+[main]
+capslock = esc
+# Ascii grave back tick and Ascii tilde
+esc = grave
+
diff --git a/ansible/roles/keyboard/tasks/main.yaml b/ansible/roles/keyboard/tasks/main.yaml
new file mode 100644
index 0000000..a14a7cf
--- /dev/null
+++ b/ansible/roles/keyboard/tasks/main.yaml
@@ -0,0 +1,26 @@
+# install and configure keyd
+# (low-level key remapping daemon for linux)
+- name: Install keyd package
+ become: true
+ community.general.pacman:
+ name: keyd
+
+- name: Create keyd config dir
+ become: true
+ ansible.builtin.file:
+ path: /etc/keyd
+ state: directory
+ recurse: false
+
+- name: Copy keyd config
+ become: true
+ ansible.builtin.copy:
+ src: keyd_default.conf
+ dest: /etc/keyd/default.conf
+
+- name: Enable systemd service
+ become: true
+ ansible.builtin.systemd_service:
+ name: "keyd"
+ state: "started"
+ enabled: true
From 338b168026e68364efb5360d890c299c724282ae Mon Sep 17 00:00:00 2001
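Review bot: `Copy keyd config` writes `/etc/keyd/default.conf` with no `owner`, `group` or `mode`, so the resulting permissions depend on the become user's umask; keyd runs as root and applies this file to every input device (`[ids] *`), so pin it with `owner: root`, `group: root`, `mode: "0644"`, and do the same on `Create keyd config dir`. The copy is also not tied to a restart: `state: "started"` on an already-running keyd leaves the previous mapping active until reboot, so add a handler (or `notify`) that runs `systemd_service: name: keyd state: restarted` when the copy reports a change.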
From: Matthieu Bessat Date: Fri, 3 Oct 2025 18:20:55 +0200 Subject: [PATCH 07/12] WIP: dotsfiles --- ansible/low_level_desktop_workstation.yaml | 4 ++++ ansible/packages/essentials/arch_packages.yaml | 1 + ansible/roles/display/tasks/main.yam. | 1 + ansible/roles/display/tasks/main.yaml | 5 +++++ ansible/roles/dotsfiles/tasks/copy_config_file.yaml | 4 +++- .../roles/dotsfiles/tasks/install_glue_scripts.yaml | 12 ++++++++++++ ansible/roles/dotsfiles/tasks/main.yaml | 9 +++++++++ ansible/run_ansible_playbook.sh | 2 +- main.yaml | 1 + 9 files changed, 37 insertions(+), 2 deletions(-) create mode 100644 ansible/roles/display/tasks/main.yam. create mode 100644 ansible/roles/display/tasks/main.yaml create mode 100644 ansible/roles/dotsfiles/tasks/install_glue_scripts.yaml create mode 100644 main.yaml diff --git a/ansible/low_level_desktop_workstation.yaml b/ansible/low_level_desktop_workstation.yaml index 7d046b5..0bb7e8e 100644 --- a/ansible/low_level_desktop_workstation.yaml +++ b/ansible/low_level_desktop_workstation.yaml @@ -7,3 +7,7 @@ - name: Configure low-level keyboard device include_role: name: keyboard + - name: Configure low-level display interface + include_role: + name: display + diff --git a/ansible/packages/essentials/arch_packages.yaml b/ansible/packages/essentials/arch_packages.yaml index a29bd4f..8e4b02c 100644 --- a/ansible/packages/essentials/arch_packages.yaml +++ b/ansible/packages/essentials/arch_packages.yaml @@ -430,6 +430,7 @@ common: files: - nautilus browser: + - dillo - aur/librewolf-bin - aur/ungoogled-chromium-bin terminal_emulator: diff --git a/ansible/roles/display/tasks/main.yam. b/ansible/roles/display/tasks/main.yam. new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/ansible/roles/display/tasks/main.yam. @@ -0,0 +1 @@ + diff --git a/ansible/roles/display/tasks/main.yaml b/ansible/roles/display/tasks/main.yaml new file mode 100644 index 0000000..12cccf0 --- /dev/null +++ b/ansible/roles/display/tasks/main.yaml 
@@ -0,0 +1,5 @@ +- name: Install ddcutil + community.general.pacman: + name: ddcutil + state: present +- name: Install ddcsetup program diff --git a/ansible/roles/dotsfiles/tasks/copy_config_file.yaml b/ansible/roles/dotsfiles/tasks/copy_config_file.yaml index fd8ec10..36b6550 100644 --- a/ansible/roles/dotsfiles/tasks/copy_config_file.yaml +++ b/ansible/roles/dotsfiles/tasks/copy_config_file.yaml @@ -9,5 +9,7 @@ - name: Copy files ansible.builtin.copy: src: "{{ dotsfiles_repo_path.stdout }}/confs/src/{{ config['src'] }}" - force: true + remote_src: true dest: "{{ home }}/{{ config['dest'] }}" + force: true + mode: u=rw,g=r,o= diff --git a/ansible/roles/dotsfiles/tasks/install_glue_scripts.yaml b/ansible/roles/dotsfiles/tasks/install_glue_scripts.yaml new file mode 100644 index 0000000..b692800 --- /dev/null +++ b/ansible/roles/dotsfiles/tasks/install_glue_scripts.yaml @@ -0,0 +1,12 @@ +- name: Init glue_scripts bin directory + ansible.builtin.file: + path: "{{ home }}/.local/share/glue_scripts/bin" + state: directory +- name: Copy glue script + ansible.builtin.copy: + src: "{{ dotsfiles_repo_path.stdout }}/glue_scripts/src/{{ item['src'] }}" + remote_src: true + dest: "{{ home }}/.local/share/glue_scripts/bin/{{ item['src'] }}" + force: true + mode: u=rwx,g=r,o= + with_items: "{{ config.static_executable_copy }}" diff --git a/ansible/roles/dotsfiles/tasks/main.yaml b/ansible/roles/dotsfiles/tasks/main.yaml index 793137a..5068178 100644 --- a/ansible/roles/dotsfiles/tasks/main.yaml +++ b/ansible/roles/dotsfiles/tasks/main.yaml 
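Review bot: `Install ddcsetup program` is a task with a `name` and no module, which Ansible rejects at parse time ("no module/action detected in task"), so the `display` role and the playbook that includes it fail before any task runs; remove the stub or give it a module. `Install ddcutil` also lacks `become: true`, unlike the pacman task in the sibling `keyboard` role, so it fails with a permission error on a non-root connection. The empty `roles/display/tasks/main.yam.` and the empty top-level `main.yaml` added by this patch look like stray files and should be deleted.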
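Review bot: `Copy glue script` builds `dest` from `item['src']`, a string taken from the cloned repository's `glue_scripts/config.yaml`, and installs it with the execute bit (`u=rwx`); a `src` such as `sub/../../x` or a nested path lands outside `bin/` or fails with a missing directory. Since only the file name is meaningful in `bin/`, use `dest: "{{ home }}/.local/share/glue_scripts/bin/{{ item['src'] | basename }}"`. `Init glue_scripts bin directory` should also carry `mode: "0700"` so other local users cannot read or replace scripts the session will execute.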
@@ -19,3 +19,12 @@ file: install_configs.yaml vars: config_map: "{{ (dotsfiles_map_yaml.content | b64decode | from_yaml).config_map }}" +- name: Read glue scripts config + ansible.builtin.slurp: + src: "{{ dotsfiles_repo_path.stdout }}/glue_scripts/config.yaml" + register: glue_scripts_config_yaml +- name: Install glue scripts + ansible.builtin.include_tasks: + file: install_glue_scripts.yaml + vars: + config: "{{ (glue_scripts_config_yaml.content | b64decode | from_yaml) }}" diff --git a/ansible/run_ansible_playbook.sh b/ansible/run_ansible_playbook.sh index 2da4203..909b168 100755 --- a/ansible/run_ansible_playbook.sh +++ b/ansible/run_ansible_playbook.sh @@ -18,7 +18,7 @@ export ANSIBLE_PLAYBOOK="${ANSIBLE_PLAYBOOK:-workstation.yaml}" playbookPath="$base/$ANSIBLE_PLAYBOOK" ansible-playbook $playbookPath \ - -vvvvv \ + -v \ --ask-become-pass \ -i "inventory.yaml" \ --ssh-extra-args "-o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 22 -i ./master_sshkey" \ diff --git a/main.yaml b/main.yaml new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/main.yaml @@ -0,0 +1 @@ + From 4d605bde39c77f5991a1a89a3d45c6bd5943fbbf Mon Sep 17 00:00:00 2001 From: Matthieu Bessat Date: Fri, 3 Oct 2025 18:20:55 +0200 Subject: [PATCH 08/12] WIP: dotsfiles --- ansible/roles/dotsfiles/tasks/install_configs.yaml | 2 +- ansible/roles/dotsfiles/tasks/install_glue_scripts.yaml | 6 ++++-- ansible/setup_dotsfiles.yaml | 6 ++++-- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/ansible/roles/dotsfiles/tasks/install_configs.yaml b/ansible/roles/dotsfiles/tasks/install_configs.yaml index 005dfaa..3ec1e4a 100644 --- a/ansible/roles/dotsfiles/tasks/install_configs.yaml +++ b/ansible/roles/dotsfiles/tasks/install_configs.yaml 
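Review bot: The ssh options this command still passes, `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`, disable host-key verification on every run, not only on first contact, while `--ask-become-pass` sends the sudo password through that session and `./master_sshkey` authenticates it; a spoofed host on the path obtains both. The PATCH 02 diffstat shows an `ansible/templates/ssh/known_hosts` already in the repository, so point `UserKnownHostsFile` at a pinned file and drop `StrictHostKeyChecking=no`, or at minimum use `-o StrictHostKeyChecking=accept-new` so only the first connection is trusted on faith. Lowering `-vvvvv` to `-v` is welcome given `ANSIBLE_LOG_PATH=ansible_run.log` earlier in the file was persisting module arguments at that verbosity.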
@@ -1,6 +1,6 @@ - name: Copy single file ansible.builtin.include_tasks: file: copy_config_file.yaml + with_items: "{{ config_map.static_files_copy }}" loop_control: loop_var: config - with_items: "{{ config_map.static_files_copy }}" diff --git a/ansible/roles/dotsfiles/tasks/install_glue_scripts.yaml b/ansible/roles/dotsfiles/tasks/install_glue_scripts.yaml index b692800..ad3bd97 100644 --- a/ansible/roles/dotsfiles/tasks/install_glue_scripts.yaml +++ b/ansible/roles/dotsfiles/tasks/install_glue_scripts.yaml @@ -4,9 +4,11 @@ state: directory - name: Copy glue script ansible.builtin.copy: - src: "{{ dotsfiles_repo_path.stdout }}/glue_scripts/src/{{ item['src'] }}" + src: "{{ dotsfiles_repo_path.stdout }}/glue_scripts/src/{{ glue_script['src'] }}" remote_src: true - dest: "{{ home }}/.local/share/glue_scripts/bin/{{ item['src'] }}" + dest: "{{ home }}/.local/share/glue_scripts/bin/{{ glue_script['src'] }}" force: true mode: u=rwx,g=r,o= with_items: "{{ config.static_executable_copy }}" + loop_control: + loop_var: glue_script diff --git a/ansible/setup_dotsfiles.yaml b/ansible/setup_dotsfiles.yaml index 4133620..ceeadb0 100644 --- a/ansible/setup_dotsfiles.yaml +++ b/ansible/setup_dotsfiles.yaml @@ -7,7 +7,9 @@ include_role: name: dotsfiles vars: - dotsfiles_repo_name: "{{ item.name }}" - dotsfiles_repo_url: "{{ item.repo_url }}" + dotsfiles_repo_name: "{{ dotsfiles_repo.name }}" + dotsfiles_repo_url: "{{ dotsfiles_repo.repo_url }}" with_items: "{{ dotsfiles_repos }}" + loop_control: + loop_var: dotsfiles_repo From ca6d364df708dcc05fbea5936d9130636962cec1 Mon Sep 17 00:00:00 2001 From: Matthieu Bessat Date: Tue, 7 Oct 2025 12:20:48 +0200 Subject: [PATCH 09/12] refactor: rename setup low-level desktop workstation playbook --- ...rkstation.yaml => setup_low-level_desktop_workstation.yaml} | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) rename ansible/{low_level_desktop_workstation.yaml => setup_low-level_desktop_workstation.yaml} (64%) 
diff --git a/ansible/low_level_desktop_workstation.yaml b/ansible/setup_low-level_desktop_workstation.yaml similarity index 64% rename from ansible/low_level_desktop_workstation.yaml rename to ansible/setup_low-level_desktop_workstation.yaml index 0bb7e8e..8e084bf 100644 --- a/ansible/low_level_desktop_workstation.yaml +++ b/ansible/setup_low-level_desktop_workstation.yaml @@ -1,4 +1,5 @@ -# Desktop workstation playbook +# Low-level Desktop workstation playbook (require become) +# This playbook is used to setup low-level settings (like Human Interface devices and screen) - hosts: workstation gather_facts: True vars: From 85f1f01fb75b897907b06457efa0cd17e4f65813 Mon Sep 17 00:00:00 2001 From: Matthieu Bessat Date: Tue, 7 Oct 2025 12:46:18 +0200 Subject: [PATCH 10/12] feat(desktop): systemd user scope service and timers setup --- ansible/roles/systemd_user/tasks/main.yaml | 51 ++++++++++++++++++++++ ansible/setup_desktop_workstation.yaml | 36 +++++++++++++++ 2 files changed, 87 insertions(+) create mode 100644 ansible/roles/systemd_user/tasks/main.yaml create mode 100644 ansible/setup_desktop_workstation.yaml diff --git a/ansible/roles/systemd_user/tasks/main.yaml b/ansible/roles/systemd_user/tasks/main.yaml new file mode 100644 index 0000000..1d964f1 --- /dev/null +++ b/ansible/roles/systemd_user/tasks/main.yaml 
@@ -0,0 +1,51 @@
+# Main task of the role to setup systemd user scope services and timer
+# Expected var "user_systemd_services" and "template_dir"
+- name: Setup systemd user services folder
+ file:
+ path: "{{ home }}/.config/systemd/user"
+ state: directory
+ recurse: true
+
+- name: Setup user units file
+ template:
+ src: "{{ template_dir }}/{{ unit.name }}.service"
+ dest: "{{ home }}/.config/systemd/user/{{ unit.name }}.service"
+ loop_control:
+ loop_var: unit
+ with_items: "{{ user_systemd_services }}"
+
+- name: Setup user timers
+ with_items: "{{ systemd_services.user }}"
+ loop_control:
+ loop_var: unit
+ when: "unit.timer is defined and unit.timer"
+ template:
+ src: "{{ template_dir }}/{{ unit.name }}.timer"
+ dest: "{{ home }}/.config/systemd/user/{{ unit.name }}.timer"
+
+- name: Enable user services
+ with_items: "{{ user_systemd_services }}"
+ loop_control:
+ loop_var: unit
+ systemd_service:
+ daemon_reload: true
+ scope: user
+ name: "{{ unit.name }}"
+ state: started
+ enabled: true
+
+- name: Enable user timers
+ with_items: "{{ systemd_services.user }}"
+ loop_control:
+ loop_var: unit
+ when: "unit.timer is defined and unit.timer"
+ systemd_service:
+ scope: user
+ name: "{{ unit.name }}.timer"
+ state: started
+ enabled: true
+
+- name: Reload user daemon
+ systemd_service:
+ scope: user
+ daemon_reload: true
diff --git a/ansible/setup_desktop_workstation.yaml b/ansible/setup_desktop_workstation.yaml
new file mode 100644
index 0000000..63c74f8
--- /dev/null
+++ b/ansible/setup_desktop_workstation.yaml
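Review bot: `Setup user timers` and `Enable user timers` loop over `systemd_services.user`, a variable this role never receives; the header comment says the role expects `user_systemd_services`, and `setup_desktop_workstation.yaml` passes exactly that, so the first timer task aborts with an undefined-variable error before anything is enabled. Change both to `with_items: "{{ user_systemd_services }}"`. `Enable user services` also drops the `when: "unit.enabled is defined and unit.enabled"` guard the removed workstation.yaml version had, so every listed unit is started regardless of its `enabled` flag; restore the guard or document that the flag is now ignored. The trailing `Reload user daemon` duplicates `daemon_reload: true` on the enable task and can go.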
@@ -0,0 +1,36 @@ +# Desktop workstation non-root setup playbook +# This playbook contains user setup for the graphical Sway desktop environment +# that doesn't require root +- hosts: workstation + gather_facts: True + vars: + home: /home/{{ user }} + tasks: + - name: "Setup systemd user services and timers" + include_role: + name: systemd_user + vars: + user_systemd_services: + - name: "cliphist" + enabled: true + - name: "kanshi" + enabled: true + - name: "gammastep" + enabled: true + - name: "swaybg" + enabled: true + # - name: "hourly_remainder" + # enabled: true + # timer: true + template_dir: "systemd/user" + + - name: Read glue scripts config + ansible.builtin.slurp: + src: "glue_scripts/config.yaml" + register: glue_scripts_config_yaml + - name: Install glue scripts + ansible.builtin.include_tasks: + file: install_glue_scripts.yaml + vars: + config: "{{ (glue_scripts_config_yaml.content | b64decode | from_yaml) }}" + glue_scripts_config_yaml: "{{ lookup('file', 'desktop_glue_scripts/config.yaml') }}" From 6357bc6c2156cb3a9186c9bab112efff49f59fa9 Mon Sep 17 00:00:00 2001 From: Matthieu Bessat Date: Wed, 8 Oct 2025 01:18:30 +0200 Subject: [PATCH 11/12] fix(dns): internalize Unbound config --- ansible/roles/dns/tasks/main.yaml | 19 +++++----- ansible/roles/dns/templates/unbound.conf | 48 ++++++++++++++++++++++++ ansible/workstation.yaml | 3 ++ 3 files changed, 61 insertions(+), 9 deletions(-) create mode 100644 ansible/roles/dns/templates/unbound.conf diff --git a/ansible/roles/dns/tasks/main.yaml b/ansible/roles/dns/tasks/main.yaml index 7d1babc..977716b 100644 --- a/ansible/roles/dns/tasks/main.yaml +++ b/ansible/roles/dns/tasks/main.yaml @@ -1,7 +1,7 @@ - name: Setup unbound config become: true - copy: - src: "{{ home }}/.dots/config/unbound/unbound.conf" + template: + src: "unbound.conf" dest: "/etc/unbound/unbound.conf" owner: unbound mode: "u=rwX,g=rX,o=" 
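Review bot: The `Read glue scripts config` / `Install glue scripts` pair cannot run as written: `slurp` executes on the workstation with the relative path `glue_scripts/config.yaml`; the include names `install_glue_scripts.yaml`, which lives under `roles/dotsfiles/tasks/` and is not resolvable from a playbook; that task file reads `dotsfiles_repo_path.stdout`, which nothing in this playbook sets; and the `glue_scripts_config_yaml: "{{ lookup('file', ...) }}"` override replaces the slurp result with a plain string, so `.content | b64decode` fails. If the intent is controller-side scripts under `desktop_glue_scripts/`, drop the slurp and the override, build `config` from `lookup('file', 'desktop_glue_scripts/config.yaml') | from_yaml`, and reach the copy step through `include_role: name: dotsfiles` with `tasks_from: install_glue_scripts`, passing the source directory as a variable instead of deriving it from `dotsfiles_repo_path`.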
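Review bot: The new `template` task installs `/etc/unbound/unbound.conf` as `owner: unbound` with `u=rwX`, so the service account can rewrite its own configuration, including the `include: /etc/unbound/config.d/*` and `remote-control` sections; use `owner: root`, `group: unbound` with the existing mode so the daemon can read but not modify it. Add `validate: unbound-checkconf %s` so a broken render is rejected before it replaces the live file, and a `notify` for an unbound restart, since nothing in the hunk applies a changed config to the running daemon. The rest of this task file continues past the hunk.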
@@ -32,15 +32,16 @@ enabled: true - name: Create unbound configs dir + become: true file: state: directory path: "/etc/unbound/config.d" -# copy from dots file to the /etc/unbound/config.d the additonal config enabled -- name: Setup additonal profile config - when: organization is defined and "unbound" in organization_customize - become: true - copy: - src: "{{ home }}/.dots/profiles/{{ organization }}/configs/unbound.conf" - dest: "/etc/unbound/config.d/{{ organization }}.conf" +# # copy from dots file to the /etc/unbound/config.d the additonal config enabled +# - name: Setup additonal profile config +# when: organization is defined and "unbound" in organization_customize +# become: true +# copy: +# src: "{{ home }}/.dots/profiles/{{ organization }}/configs/unbound.conf" +# dest: "/etc/unbound/config.d/{{ organization }}.conf" diff --git a/ansible/roles/dns/templates/unbound.conf b/ansible/roles/dns/templates/unbound.conf new file mode 100644 index 0000000..3d29817 --- /dev/null +++ b/ansible/roles/dns/templates/unbound.conf 
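Review bot: `Create unbound configs dir` now runs with `become: true` but sets no `owner`/`mode`, and everything in that directory is pulled into the resolver by `include: /etc/unbound/config.d/*` in the new template; whoever can write there controls name resolution for the workstation, so make the ownership explicit with `owner: root`, `group: root`, `mode: "0755"` rather than relying on root's umask. The commented-out profile task is dead code that still references `~/.dots`, which this series removed from workstation.yaml; delete it or rebuild it on the new `dotsfiles` role.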
@@ -0,0 +1,48 @@ +server: + interface: 0.0.0.0 + interface: ::0 + interface-automatic: yes + + # Also listen on docker to allow docker container to reach unbound + #interface: 172.17.0.1 + access-control: 172.0.0.0/8 allow + access-control: 172.31.0.0/16 allow + + trust-anchor-file: "/etc/unbound/trusted-key.key" + + cache-max-ttl: 86400 + cache-min-ttl: 7200 + + hide-identity: yes + hide-version: yes + + qname-minimisation: yes + + aggressive-nsec: yes + prefetch: yes + serve-expired: yes + serve-expired-ttl: 86400 + + #tls-upstream: yes + #tls-cert-bundle: /etc/ca-certificates/extracted/tls-ca-bundle.pem + + #verbosity: 1 + #log-queries: yes + # use journalctl to see the logs + # e.g : journalctl --since 2023-01-01 -f -u unbound + + local-data: "my-resolver.internal TXT local unbound" + local-zone: "custom.verify" redirect + local-data: "custom.verify A 42.42.42.42" + local-zone: "jpp.jpp" redirect + local-data: "jpp.jpp A 1.1.1.1" + local-zone: "e.e" redirect + local-data: "e.e A 42.42.42.42" + +remote-control: + control-enable: yes + control-interface: 127.0.0.1 + +# Include others namespace/domains configs +include: /etc/unbound/config.d/* + diff --git a/ansible/workstation.yaml b/ansible/workstation.yaml index 92d6c75..31deb41 100644 --- a/ansible/workstation.yaml +++ b/ansible/workstation.yaml @@ -164,3 +164,6 @@ name: uv_tools with_items: "{{ lookup('pipe', 'cat packages/essentials/python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}" + - name: Setup DNS forwarding (with Unbound) + include_role: + name: dns From aacfa6f9227b56c1bb20208335329d1cecc7734c Mon Sep 17 00:00:00 2001 From: Matthieu Bessat Date: Wed, 8 Oct 2025 01:25:51 +0200 Subject: [PATCH 12/12] fead: ability to change ansible repo path --- ansible/run_ansible_playbook.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ansible/run_ansible_playbook.sh b/ansible/run_ansible_playbook.sh index 909b168..90d4c1f 100755 --- a/ansible/run_ansible_playbook.sh 
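Review bot: `interface: 0.0.0.0` and `interface: ::0` bind the resolver on every address the workstation has, including whatever Wi-Fi or Ethernet network it is attached to, and `access-control: 172.0.0.0/8 allow` then grants recursion to a /8 that is mostly public address space (RFC 1918 is only 172.16.0.0/12, and `172.31.0.0/16` is already inside it), so any client on the local segment with a real or spoofed 172.x source gets full recursion while `serve-expired` and `cache-min-ttl: 7200` keep its answers around for hours. Bind explicitly — `interface: 127.0.0.1`, `interface: ::1`, `interface: 172.17.0.1` — and narrow the allow list to `access-control: 172.16.0.0/12 allow`, leaving the default refuse for everything else; if `docker0` is not guaranteed to exist when unbound starts, keeping the wildcard bind is acceptable only with the tightened `access-control`, which then becomes the sole barrier. The `local-data` test records (`custom.verify`, `jpp.jpp`, `e.e`) answering with `1.1.1.1` and `42.42.42.42` look like leftover debugging and belong in a commented block or a `config.d/` file.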
+++ b/ansible/run_ansible_playbook.sh @@ -14,8 +14,9 @@ rm $base/vm_files ln -s $workdir $base/vm_files export ANSIBLE_PLAYBOOK="${ANSIBLE_PLAYBOOK:-workstation.yaml}" +export ANSIBLE_REPO="${ANSIBLE_REPO:-$base}" -playbookPath="$base/$ANSIBLE_PLAYBOOK" +playbookPath="$ANSIBLE_REPO/$ANSIBLE_PLAYBOOK" ansible-playbook $playbookPath \ -v \
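Review bot: `playbookPath="$ANSIBLE_REPO/$ANSIBLE_PLAYBOOK"` is expanded unquoted on the `ansible-playbook $playbookPath \` line (as are `$base/vm_files` and `$workdir` in the `rm`/`ln` above), so a repository path containing a space splits into several arguments and a glob character is expanded; write `ansible-playbook "$playbookPath" \`. With the playbook now resolved through `ANSIBLE_REPO`, `-i "inventory.yaml"` and `-i ./master_sshkey` (visible in the earlier hunk of this file) are still resolved from the caller's current directory, so running against another repository silently picks up whichever inventory and key happen to sit there; anchor them to `$ANSIBLE_REPO` or state the cwd requirement in the script header.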