
12 commits

Matthieu Bessat
aacfa6f922 fead: ability to change ansible repo path 2025-10-08 01:25:56 +02:00
Matthieu Bessat
6357bc6c21 fix(dns): internalize Unbound config 2025-10-08 01:18:53 +02:00
Matthieu Bessat
85f1f01fb7 feat(desktop): systemd user scope service and timers setup 2025-10-07 12:46:18 +02:00
Matthieu Bessat
ca6d364df7 refactor: rename setup low-level desktop workstation playbook 2025-10-07 12:23:20 +02:00
Matthieu Bessat
4d605bde39 WIP: dotsfiles 2025-10-07 12:22:32 +02:00
Matthieu Bessat
338b168026 WIP: dotsfiles 2025-10-03 18:20:55 +02:00
d26137b908 feat: add keyd setup 2025-10-02 13:41:34 +02:00
7a5da023ac docs: update TODO 2025-10-02 13:14:04 +02:00
0ad249ad4a feat(package): add os-prober 2025-10-02 13:13:49 +02:00
c4112b56bb feat: copy static configs from dotsfiles repo 2025-10-02 13:05:15 +02:00
79b7ff8241 WIP 2025-09-22 14:20:35 +02:00
98448e56ff fix(packages): repair some packages path 2025-09-19 15:54:52 +02:00
28 changed files with 1006 additions and 433 deletions


@ -8,3 +8,7 @@
- Add public key `lambdacov_perso_generic_ed25519` key to forge.lefuturiste.fr
- Populate vars.yaml, choose the profile
- run ansible playbook
## Manual cmds to do on target hosts
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 8A74EAAF89C17944


@ -113,3 +113,13 @@ You need to keep updated the known hosts in your profiles to not have this info
- https://github.com/id101010/ansible-archlinux
- https://github.com/kewlfft/ansible-aur
## triage
The master ssh key is used by the controller to authenticate to the ssh server of the target device.
## architecture
- Monakhos base
- Monakhos profile perso/pro
- Dots base
- Dots desktop

26
TODO.md

@ -1,23 +1,29 @@
# TODO
- add packages
- add configure of i2c dccutil to control external monitor screen brightness
## base work
- Run monakhos base on a podman arch container
- goal: having a container with a workable environment
## others
- add configure of i2c dccutil to control external monitor screen brightness
- add email client setup
- add gopass config
- add python pool
- add cargo global packages, like `pads`
- [ ] configure kanshi
- [ ] battery notify https://github.com/cdown/battery-notify
- configure password management
- [ ] Put some customized patched docker daemon config in /etc/docker/daemon.json with bigger address pool
- `sudo usermod -a -G wireshark mbess`
- [x] packages: add `texlive-langfrench`, `texlive-binextra`
- Find a replacement software for mepo
- Mepo is hard to install because it depend on zig, zig build breaks often
- Either fix the AUR package (byinstallBT
- Possible issues:
- dependency on aur.archlinux.org, can give 503 sometimes
- add package: spice server for Qemu and client
- `qemu-chardev-spice`
- `spice-vdagent`
- `spice-gtk` => provide the `spicy` GUI app


@ -0,0 +1,380 @@
- hosts: workstation
gather_facts: True
vars:
home: /home/{{ user }}
systemd_services:
system: []
user:
- name: "hourly_remainder"
enabled: true
timer: true
- name: "cliphist"
enabled: true
- name: "kanshi"
enabled: true
- name: "gammastep"
enabled: true
- name: "swaybg"
enabled: true
config_files:
- dir: fish
name: config.fish
- dir: tmux
name: tmux.conf
- dir: alacritty
name: alacritty.toml
- dir: wofi
name: style.css
- dir: kanshi
name: config
- dir: sway
name: config
- dir: helix
name: config.toml
- dir: i3status-rust
name: config.toml
- dir: git
name: config
- dir: nvim
name: init.lua
- dir: nvim
name: lua # lua dir
# for desktop notifications
- dir: dunst
name: dunstrc
tasks:
- name: Init arch
block:
- file:
path: /home/mbess/.monakhos
state: touch
- copy:
content: "{\"monakhos\": {\"date\": \"{{ ansible_date_time.iso8601 }}\", \"device_name\":\"{{ device_name }}\", \"enabled_profiles\":{{ enabled_profiles | to_json }} }}\n"
dest: "{{ home }}/.monakhos"
- name: Change hostname
become: true
hostname:
name: "{{ device_name }}"
- name: Update pacman repo
become: true
community.general.pacman:
update_cache: true
upgrade: true
- name: Install some basic packages
become: true
community.general.pacman:
name:
- archlinux-keyring
- git
- openssh
- name: "Configure to auto load some kernel modules at boot"
become: true
copy:
content: "# managed by monakhos\ni2c-dev\n"
dest: "/etc/modules-load.d/auto.conf"
- name: Setup SSH client
include_role:
name: ssh
- name: Init pacman keyring
become: true
# complicated shit follow, to run or not this part depending on if we need to update the pacman key (expiration date)
block:
- stat:
path: "{{ home }}/.cache/monakhos/pacman_key_state"
register: pacman_key_state_stat
- when: pacman_key_state_stat.stat.exists
slurp:
src: "{{ home }}/.cache/monakhos/pacman_key_state"
register: pacman_key_state
- when: pacman_key_state.content is defined
name: "pacman key state debug 1"
debug:
msg: "{{ pacman_key_state.content | b64decode | to_datetime('%Y-%m-%d') }}"
- when: not pacman_key_state_stat.stat.exists
block:
- shell: "rm -rf /etc/pacman.d/gnupg && pacman-key --init && pacman-key --populate archlinux"
- shell: "mkdir -p {{ home }}/.cache/monakhos; echo -n $(date --iso-8601=d) > {{ home }}/.cache/monakhos/pacman_key_state"
# AUR SETUP
- name: Create the aur_builder user
become: yes
ansible.builtin.user:
name: aur_builder
create_home: yes
group: wheel
- name: Allow the `aur_builder` user to run `sudo pacman` without a password
become: yes
ansible.builtin.lineinfile:
path: /etc/sudoers.d/11-install-aur_builder
line: 'aur_builder ALL=(ALL) NOPASSWD: /usr/bin/pacman'
create: yes
mode: 0644
validate: 'visudo -cf %s'
- name: Install yay
include_role:
name: aur
vars:
packages:
- yay-bin
- name: Stub
file:
path: "{{ home }}/.stub"
state: touch
# INSTALL essentials packages from YAML
- name: Install essentials non-AUR packages
become: true
community.general.pacman:
name: "{{ lookup('pipe', ('cat packages/essentials/arch_packages.yaml | python3 parse_arch_packages.py ' + item)) | from_json }}"
with_items: "{{ packages_categories }}"
- name: Install essentials AUR packages
include_role:
name: aur
vars:
packages: "{{ lookup('pipe', ('cat packages/essentials/arch_packages.yaml | python3 parse_arch_packages.py --aur ' + item)) | from_json }}"
with_items: "{{ packages_categories }}"
- name: Install sway
include_role:
name: sway
# Install essentials tools with UV
- name: Install essentials global tools (Python packages)
include_role:
name: uv_tools
with_items: "{{ lookup('pipe', 'cat packages/essentials/python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}"
# DOTS
- name: Clone dots file
git:
key_file: "{{ home }}/.ssh/{{ device_name }}_perso_generic_ed25519"
repo: "git@forge.lefuturiste.fr:mbess/dots.git"
dest: "{{ home }}/.dots"
- name: Setup DNS and unbound
include_role:
name: dns
- name: Symbolic link to user .profile
file:
src: "{{ home }}/.profile"
dest: "{{ home }}/.dots/config/.profile"
state: link
force: true
- name: Setup config directories
file:
path: "{{ home }}/.config/{{ item.dir }}"
state: directory
recurse: true
loop: "{{ config_files }}"
- name: Setup symbolic links to config files
file:
src: "{{ home }}/.dots/config/{{ item.dir }}/{{ item.name }}"
dest: "{{ home }}/.config/{{ item.dir }}/{{ item.name }}"
state: link
force: true
loop: "{{ config_files }}"
- name: Set default shell
become: true
user:
name: "{{ user }}"
shell: /usr/bin/fish
- name: Add user to useful group (docker)
become: true
user:
name: "{{ user }}"
groups: ["docker"]
- name: Create machine.fish
template:
src: fish/machine.fish
dest: "{{ home }}/.config/fish/machine.fish"
- name: Setup xremap
include_role:
name: xremap
# SYSTEMD user services
- name: Setup systemd user services folder
file:
path: "{{ home }}/.config/systemd/user"
state: directory
recurse: true
- name: Setup user units
loop: "{{ systemd_services.user }}"
when: "item.from is not defined"
template:
src: "systemd/user/{{ item.name }}.service"
dest: "{{ home }}/.config/systemd/user/{{ item.name }}.service"
vars:
service_params: "{{ item.params }}"
- name: Setup user unit with from
loop: "{{ systemd_services.user }}"
when: "item.from is defined"
template:
src: "systemd/user/{{ item.from }}.service"
dest: "{{ home }}/.config/systemd/user/{{ item.name }}.service"
vars:
service_params: "{{ item.params }}"
- name: Setup user timers
loop: "{{ systemd_services.user }}"
when: "item.timer is defined and item.timer"
template:
src: "systemd/user/{{ item.name }}.timer"
dest: "{{ home }}/.config/systemd/user/{{ item.name }}.timer"
- name: Enable some systemd user services
when: "item.enabled is defined and item.enabled"
loop: "{{ systemd_services.user }}"
systemd_service:
daemon_reload: true
scope: user
name: "{{ item.name }}"
state: started
enabled: true
- name: Enable some systemd user timers
when: "item.timer is defined and item.timer"
loop: "{{ systemd_services.user }}"
systemd_service:
scope: user
name: "{{ item.name }}.timer"
state: started
enabled: true
# OTHERS
- name: Setup triage folder
file:
path: "{{ home }}/triage"
state: directory
recurse: true
- name: Setup quick notes folder
file:
path: "{{ home }}/quick/notes"
state: directory
recurse: true
- name: Setup quick docs folder
file:
path: "{{ home }}/quick/docs"
state: directory
recurse: true
- name: Setup quick screenshot folder
file:
path: "{{ home }}/quick/screenshots"
state: directory
recurse: true
- name: Setup long-term local secrets
file:
path: "{{ home }}/.local/secrets"
state: directory
recurse: true
- name: Setup directory to contains local root CA
file:
path: "{{ home }}/.local/secrets/root_ca"
state: directory
recurse: true
- name: Setup temporary secrets folder
file:
path: "{{ home }}/.cache/secrets"
state: directory
recurse: true
- name: Setup vaults dir gpg home
file:
path: "{{ home }}/.vaults/gpg-homes"
state: directory
recurse: true
- name: Setup vaults dir store unixpass
file:
path: "{{ home }}/.vaults/pass"
state: directory
recurse: true
- name: Setup workspace folder
file:
path: "{{ home }}/workspace"
state: directory
recurse: true
- name: Enable bluetooth service
become: true
ansible.builtin.systemd_service:
name: bluetooth
state: started
enabled: true
- name: Setup wofi link
become: true
file:
src: "/usr/bin/wofi"
dest: "/usr/bin/rofi"
state: link
- name: Setup apps dir
file:
path: "{{ home }}/.apps"
state: directory
recurse: true
- name: Setup default browser link
file:
src: /usr/bin/librewolf
dest: "{{ home }}/.apps/browser"
state: link
force: true
- name: Set default browser
include_role:
name: xdg_browser
vars:
default_browser: librewolf
- name: Patch desktop entries for wayland
include_role:
name: wayland_fixer
# Initialize Workspaces
- name: Clone general programming snippets
ansible.builtin.git:
repo: "git@forge.lefuturiste.fr:mbess/snippets.git"
dest: /home/mbess/workspace/snippets
- name: Clone monakhos
ansible.builtin.git:
repo: "git@forge.lefuturiste.fr:mbess/monakhos.git"
dest: /home/mbess/workspace/monakhos
# INSTALL extra packages from YAML
- name: Install extra non-AUR packages
become: true
community.general.pacman:
name: "{{ lookup('pipe', ('cat packages/extra/arch_packages.yaml | python3 parse_arch_packages.py ' + item)) | from_json }}"
with_items: "{{ packages_categories }}"
- name: Install extra AUR packages
include_role:
name: aur
vars:
packages: "{{ lookup('pipe', ('cat packages/extra/arch_packages.yaml | python3 parse_arch_packages.py --aur ' + item)) | from_json }}"
with_items: "{{ packages_categories }}"
- name: Install extra global tools (Python packages)
include_role:
name: uv_tools
with_items: "{{ lookup('pipe', 'cat packages/essentials/python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}"
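Review bot: The `Setup long-term local secrets`, `Setup directory to contains local root CA` and `Setup temporary secrets folder` tasks create directories intended for private key material with no `mode`, so they inherit the remote umask and under the usual 022 end up readable and traversable by every local account; add `mode: "0700"` to each of those `file:` tasks (the `recurse: true` on them does nothing useful since the directories start empty). `Add user to useful group (docker)` sets `groups: ["docker"]` without `append: true`, which the `user` module treats as the complete supplementary-group list and therefore strips the user from every other group (TODO.md mentions adding this user to `wireshark`, which this task would undo on the next run); add `append: true`, and a comment that `docker` group membership is root-equivalent on the host belongs next to it. `Symbolic link to user .profile` also has `src` and `dest` the opposite way round from the `Setup symbolic links to config files` task below it, so with `force: true` it replaces the checked-out `~/.dots/config/.profile` with a link back to `~/.profile` instead of pointing `~/.profile` at the repo copy.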


@ -9,6 +9,7 @@ common:
- screen
- openssh
- base-devel
- os-prober
- name: mosh
desc: The best to connect to remote server!
deps:
@ -16,15 +17,9 @@ common:
- name: pacman-contrib
desc: Include pactree
tty:
- name: physlock
desc: Session password-lock at the TTY level
tty: {}
libs:
- protobuf
- libosmium
- name: expat
desc: XML parser lib
- wlroots0.19
hardware:
printing:
@ -66,20 +61,11 @@ common:
utils:
_:
- bat
- git-delta
- plantuml
- desc: Env loader, export env variables from dotenv file in shell scripts
name: aur/zenv
- desc: Load system to make it heat and sweat
name: stress
- name: aur/scc
desc: Count source lines of a project
keyboard:
- name: ttyper
desc: Typing speed test.
backup:
- borg
- name: aur/zenv
desc: Env loader, export env variables from dotenv file in shell scripts
keyboard: {}
backup: {}
docs:
- man-pages
- man-db
@ -131,11 +117,6 @@ common:
- s-nail
- name: isync
desc: IMAP synchronization program. Also called mbsync, can be configured using `.mbsyncrc` file.
fun:
- figlet
- cowsay
- aur/boxes
- fortune-mod
archives:
- unzip
- zip
@ -146,15 +127,15 @@ common:
desc: general purpose document converter
- name: typst
desc: an alternative to latex
- name: aur/marp-cli-bin
desc: create presentation from markdown
- mkdocs
- mkdocs-material
- mkdocs-autorefs
- mkdocs-get-deps
- graphviz
- glow
- name: visidata
desc: Data explorer (Spreadsheet, CSV, Sqlite)
pdf:
- aur/ocrmypdf
- aur/wkhtmltopdf-static
- name: pdftk
desc: Utils to manipulate PDF pages (extract, merge, rotate, unpack)
latex:
@ -168,28 +149,19 @@ common:
math:
- name: libqalculate
desc: Provide Qalc
gis: # SIG
_:
- gdal
- aur/tippecanoe
osm:
- aur/osmium-tool
- osm2pgsql
gis: {}
vcs:
git:
- git
- tig
- pre-commit
- aur/gitwatch-git
fossil:
- fossil
network:
address:
- name: ipcalc
- name: aur/sipcalc
description: |
Validate, compute and visualize IP ranges.
Support CIDR notation (Classless Inter-Domain Routing).
Eg. compute the start and the end of a range.
Compute and visualize IP ranges (start and end)
bandwidth:
- name: iperf3
description: TCP, UDP benchmark (speed test)
@ -212,19 +184,12 @@ common:
desc: Download whole website for offline use
dns:
- bind
- aur/python-dnsrecon
kafka:
- name: aur/kcat-cli
desc: Kafka cat
- aur/avro-c
encoding:
avro:
- aur/avro-tools
encoding: {}
_:
- name: net-tools
desc: Core tools for configuration tools for Linux networking
- nmap
- gnu-netcat
- openbsd-netcat
- wireguard-tools
- tcpdump
- name: socat
@ -239,8 +204,6 @@ common:
- name: binwalk
desc: Inspect a binary to search for embeded files and binaries
url: https://www.kali.org/tools/binwalk/
- name: aur/libtree
desc: Inspect a binary and output of tree of system libraries
fs:
- lsof
- name: ncdu
@ -258,8 +221,6 @@ common:
browser:
- w3m
- lynx
- name: aur/browsh
desc: Terminal browser, headless chromium running on a remote server that translate to text over Mosh.
files:
- lf
security:
@ -280,15 +241,11 @@ common:
- name: aur/apache-tools
desc: provide htpasswd
- argon2
colors:
- name: pastel
desc: Manipulate colors
colors: {}
multimedia:
audio:
- opus-tools
communication:
- name: aur/sigtop-git
desc: Messages and attahcments backup program for Signal Desktop
communication: {}
cli_frontends:
forges:
@ -323,23 +280,12 @@ common:
- gopass
- pass
virtualization:
- qemu-base
- name: guestfs-tools
desc: include the very useful virt-customize
- name: libguestfs
desc: include virt-install
- name: cloud-init
desc: Cloud-init utils, used to validate config
virtualization: {}
docker:
- docker
- docker-buildx
- kubectl
- name: aur/hadolint-bin
desc: Linter for Dockerfile, with all haskell dependencies
- name: trivy
desc: Container image security scanner
programming:
_:
@ -377,12 +323,7 @@ common:
lsp:
- gopls
- rust-analyzer
- typst-lsp
- vscode-css-languageserver
- pyright
- typescript-language-server
- svelte-language-server
- lua-language-server
rust:
- cargo-watch
# - rustup
@ -470,7 +411,7 @@ common:
- name: gammastep
desc: Automatic red shift at night
color_picker:
- aur/hyprpicker
- hyprpicker
emojis_picker:
- name: aur/jome
desc: Emoji picker
@ -488,24 +429,23 @@ common:
GUI:
files:
- nautilus
- cheese
browser:
# - aur/librewolf-bin
# - aur/librewof
- dillo
- aur/librewolf-bin
- aur/ungoogled-chromium-bin
# - thorium-browser-bin
- qutebrowser
- torbrowser-launcher
terminal_emulator:
- alacritty
- name: lsix
description: Command to show image in the terminal
mail:
- thunderbird
communication:
_:
- signal-desktop
irc:
- name: polari
desc: GNOME 3 GUI IRC client
irc: {}
xmpp:
- name: dino
desc: Simple GTK XMPP client
matrix:
- name: fractal
desc: Matrix client that seem to work in Rust
@ -528,32 +468,17 @@ common:
- vimiv
creation:
image:
- gimp
- krita
- inkscape
audio:
- tenacity
- songrec
- aur/clementine
audio: {}
video:
- cheese
- celluloid
- vlc
- obs-studio
3d:
- openscad
- blender
3d: {}
bureautique:
- libreoffice-still
geo:
- aur/mepo
- qgis
geo: {}
vcs:
git:
- giggle
git: {}
db:
- name: dbeaver
tags: ['heavy-gui']
- name: sqlitebrowser
desc: Light QT GUI to navigate sqlite
remote_access:
@ -561,7 +486,7 @@ common:
- aur/remmina-plugin-rdesktop
_:
- name: aur/screen-message
description: Utility to write in big on the screen
description: Utility to write big text on the screen
inspection:
- wireshark-qt
editor:
@ -578,19 +503,3 @@ common:
- name: noto-fonts-emoji
desc: Google emoji fonts, required for fractal
proprietary_vpns:
- openfortivpn
# Extra non-free networks for work packages
# non-free:
microsoft_azure:
- azure-cli
- aur/azure-kubelogin
hashicorp:
- name: vault
alias: hvault
extra_video:
- name: kdenlive
desc: video editor


@ -0,0 +1,5 @@
common:
- pipdeptree
- copyparty
- lesspass
- pylint


@ -0,0 +1,224 @@
---
common:
tty:
- name: aur/physlock
desc: Session password-lock at the TTY level
libs:
- protobuf
- libosmium
- name: expat
desc: XML parser lib
hardware: {}
network: {}
keymap: {}
bluetooth: {}
utils:
_:
- plantuml
- name: stress
desc: Load system to make it heat and sweat
- desc: Count source lines of a project
name: aur/scc
keyboard:
- name: ttyper
desc: Typing speed test.
backup:
- borg
docs:
- arch-wiki-docs
language: {}
mail: {}
fun:
- figlet
- cowsay
- aur/boxes
- fortune-mod
bureautique:
- name: aur/marp-cli-bin
desc: create presentation from markdown
pdf:
- aur/ocrmypdf
- aur/wkhtmltopdf-static
gis: # SIG
_:
- gdal
- aur/tippecanoe
osm:
- aur/osmium-tool
- osm2pgsql
vcs:
git: {}
fossil:
- fossil
network:
http: {}
dns:
- aur/python-dnsrecon
kafka:
- name: aur/kcat-cli
desc: Kafka cat
- aur/avro-c
encoding:
avro:
- aur/avro-tools
_: {}
inspection:
- name: aur/libtree
desc: Inspect a binary and output of tree of system libraries
fs: {}
disk: {}
tui:
browser:
- name: aur/browsh
desc: Terminal browser, headless chromium running on a remote server that translate to text over Mosh.
files: {}
security:
- siege
monitoring: {}
android: {}
random_gen: {}
hashing: {}
colors:
- name: pastel
desc: Manipulate colors
multimedia:
audio: {}
communication:
- name: aur/sigtop-git
desc: Messages and attahcments backup program for Signal Desktop
cli_frontends:
forges: {}
multimedia:
youtube: {}
player: {}
book: {}
exif: {}
_: {}
password: {}
virtualization:
- qemu-base
- name: guestfs-tools
desc: include the very useful virt-customize
- name: libguestfs
desc: include virt-install
- name: cloud-init
desc: Cloud-init utils, used to validate config
docker:
- name: aur/hadolint-bin
desc: Linter for Dockerfile, with all haskell dependencies
- name: trivy
desc: Container image security scanner
programming:
_: {}
html: {}
sqlite: {}
editor: {}
c: {}
node: {}
lsp:
- typescript-language-server
- svelte-language-server
- aur/typst-lsp
- lua-language-server
- vscode-css-languageserver
rust: {}
dbs: {}
python:
_: {}
lint: {}
lib: {}
lua: {}
web: {}
static: {}
ci: {}
shell: {}
audio:
control: {}
desktop:
wayland:
# https://github.com/natpen/awesome-wayland
_: {}
display: {}
color_picker: {}
emojis_picker: {}
notification: {}
screenshot: {}
desktop_utils: {}
GUI:
files: {}
browser:
- aur/thorium-browser-bin
- qutebrowser
- torbrowser-launcher
terminal_emulator: {}
mail: {}
communication:
_: {}
irc: {}
matrix: {}
document:
viewer: {}
editor: {}
images:
viewer: {}
creation:
image:
- gimp
- krita
audio:
- tenacity
- songrec
- aur/clementine
video:
- celluloid
- vlc
- obs-studio
- name: kdenlive
desc: video editor
3d:
- openscad
- blender
bureautique: {}
geo:
- qgis
vcs:
git:
- giggle
db:
- name: dbeaver
remote_access: {}
_: {}
inspection: {}
editor: {}
fonts: {}
proprietary_vpns:
- openfortivpn
# Extra non-free networks for work packages
# non-free:
microsoft_azure:
- azure-cli
- aur/azure-kubelogin
hashicorp:
- name: vault
alias: hvault


@ -0,0 +1,7 @@
common:
multimedia:
- linkchecker
- imagehash
- yewtube
- azlyrics2
- epy-reader


@ -1,14 +0,0 @@
base:
- mkdocs
- pipdeptree
- copyparty
- lesspass
- yewtube
- lesspass
- mkdocs
- linkchecker
- imagehash
- pylint
multimedia:
- azlyrics2
- epy-reader


@ -0,0 +1 @@


@ -0,0 +1,5 @@
- name: Install ddcutil
community.general.pacman:
name: ddcutil
state: present
- name: Install ddcsetup program
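Review bot: The final task `Install ddcsetup program` has a name but no module, so this task file fails to load with `no module/action detected in task` as committed; either finish it or leave it out until the module is known. `Install ddcutil` also calls `community.general.pacman` without `become: true`, unlike the equivalent task in the keyd role, so it fails for any non-root connection user; add `become: true` to the task. The low-level desktop playbook that includes this role says in its header that it requires become but does not set it at play level either, so the role cannot rely on inheriting it.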


@ -1,7 +1,7 @@
- name: Setup unbound config
become: true
copy:
src: "{{ home }}/.dots/config/unbound/unbound.conf"
template:
src: "unbound.conf"
dest: "/etc/unbound/unbound.conf"
owner: unbound
mode: "u=rwX,g=rX,o="
@ -32,15 +32,16 @@
enabled: true
- name: Create unbound configs dir
become: true
file:
state: directory
path: "/etc/unbound/config.d"
# copy from dots file to the /etc/unbound/config.d the additonal config enabled
- name: Setup additonal profile config
when: organization is defined and "unbound" in organization_customize
become: true
copy:
src: "{{ home }}/.dots/profiles/{{ organization }}/configs/unbound.conf"
dest: "/etc/unbound/config.d/{{ organization }}.conf"
# # copy from dots file to the /etc/unbound/config.d the additonal config enabled
# - name: Setup additonal profile config
# when: organization is defined and "unbound" in organization_customize
# become: true
# copy:
# src: "{{ home }}/.dots/profiles/{{ organization }}/configs/unbound.conf"
# dest: "/etc/unbound/config.d/{{ organization }}.conf"
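Review bot: `Setup unbound config` keeps `owner: unbound` on `/etc/unbound/unbound.conf`, which leaves the daemon's own configuration writable by the account it runs as; the least-privilege layout is `owner: root`, `group: unbound`, `mode: "0640"` so a compromised unbound process cannot rewrite its config (the `X` in `u=rwX,g=rX,o=` is a no-op on a regular file with no exec bits anyway). The second hunk comments out the profile-config task instead of deleting it, leaving dead YAML in the role that git history already preserves; remove the block. The `include: /etc/unbound/config.d/*` line in the new template still depends on `Create unbound configs dir` staying in place, so that task must not go with it.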


@ -0,0 +1,48 @@
server:
interface: 0.0.0.0
interface: ::0
interface-automatic: yes
# Also listen on docker to allow docker container to reach unbound
#interface: 172.17.0.1
access-control: 172.0.0.0/8 allow
access-control: 172.31.0.0/16 allow
trust-anchor-file: "/etc/unbound/trusted-key.key"
cache-max-ttl: 86400
cache-min-ttl: 7200
hide-identity: yes
hide-version: yes
qname-minimisation: yes
aggressive-nsec: yes
prefetch: yes
serve-expired: yes
serve-expired-ttl: 86400
#tls-upstream: yes
#tls-cert-bundle: /etc/ca-certificates/extracted/tls-ca-bundle.pem
#verbosity: 1
#log-queries: yes
# use journalctl to see the logs
# e.g : journalctl --since 2023-01-01 -f -u unbound
local-data: "my-resolver.internal TXT local unbound"
local-zone: "custom.verify" redirect
local-data: "custom.verify A 42.42.42.42"
local-zone: "jpp.jpp" redirect
local-data: "jpp.jpp A 1.1.1.1"
local-zone: "e.e" redirect
local-data: "e.e A 42.42.42.42"
remote-control:
control-enable: yes
control-interface: 127.0.0.1
# Include others namespace/domains configs
include: /etc/unbound/config.d/*
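Review bot: `access-control: 172.0.0.0/8 allow` together with `interface: 0.0.0.0` / `interface: ::0` makes this an open resolver for any client whose source address is 172.x.x.x, and 172.0.0.0/8 is almost entirely public space; the private range Docker allocates from is 172.16.0.0/12 (default bridge 172.17.0.0/16, and the separately allowed 172.31.0.0/16 already sits inside it). On a workstation that roams onto untrusted networks this exposes the cache to poisoning attempts and to amplification abuse from anyone on the same 172.16/12 LAN, so the allow rule should be narrowed to `access-control: 172.16.0.0/12 allow` and, where possible, the bind limited to loopback plus the bridge address as below (binding to the bridge address requires it to exist when unbound starts, or `ip-freebind: yes`, which is presumably why 0.0.0.0 was chosen; if that is the constraint, keep the wide bind but still tighten the allow rule). `trust-anchor-file` is a static anchor that will not follow the next root KSK rollover; `auto-trust-anchor-file` (RFC 5011, as primed by `unbound-anchor`) is the maintained form, provided the key file is writable by the unbound user. `interface-automatic: yes` should go with the narrower bind, since it reopens listening on every address.

```conf
server:
    interface: 127.0.0.1
    interface: ::1
    # Docker default bridge; containers reach the resolver through this address
    interface: 172.17.0.1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    # RFC 1918 block Docker allocates from; covers 172.17/16 and 172.31/16
    access-control: 172.16.0.0/12 allow
    auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
    # … unchanged: cache, privacy, local-data and remote-control settings …
```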


@ -0,0 +1,15 @@
- name: Debug configuration file infos
ansible.builtin.debug:
var: "config"
- name: Create directory
ansible.builtin.file:
path: "{{ (home + '/' + config['dest']) | dirname }}"
state: directory
recurse: true
- name: Copy files
ansible.builtin.copy:
src: "{{ dotsfiles_repo_path.stdout }}/confs/src/{{ config['src'] }}"
remote_src: true
dest: "{{ home }}/{{ config['dest'] }}"
force: true
mode: u=rw,g=r,o=


@ -0,0 +1,6 @@
- name: Copy single file
ansible.builtin.include_tasks:
file: copy_config_file.yaml
with_items: "{{ config_map.static_files_copy }}"
loop_control:
loop_var: config


@ -0,0 +1,14 @@
- name: Init glue_scripts bin directory
ansible.builtin.file:
path: "{{ home }}/.local/share/glue_scripts/bin"
state: directory
- name: Copy glue script
ansible.builtin.copy:
src: "{{ dotsfiles_repo_path.stdout }}/glue_scripts/src/{{ glue_script['src'] }}"
remote_src: true
dest: "{{ home }}/.local/share/glue_scripts/bin/{{ glue_script['src'] }}"
force: true
mode: u=rwx,g=r,o=
with_items: "{{ config.static_executable_copy }}"
loop_control:
loop_var: glue_script


@ -0,0 +1,30 @@
- name: Setup repo directory
file:
path: "{{ home }}/.dotsfiles"
state: directory
recurse: false
- name: echo dotsfiles path
command: "echo {{ home }}/.dotsfiles/{{ dotsfiles_repo_name }}"
register: dotsfiles_repo_path
- name: Clone dotsfiles repo
ansible.builtin.git:
repo: "{{ dotsfiles_repo_url }}"
dest: "{{ dotsfiles_repo_path.stdout }}"
- name: Read config map
ansible.builtin.slurp:
src: "{{ dotsfiles_repo_path.stdout }}/confs/config_map.yaml"
register: dotsfiles_map_yaml
- name: Install configs from config map
ansible.builtin.include_tasks:
file: install_configs.yaml
vars:
config_map: "{{ (dotsfiles_map_yaml.content | b64decode | from_yaml).config_map }}"
- name: Read glue scripts config
ansible.builtin.slurp:
src: "{{ dotsfiles_repo_path.stdout }}/glue_scripts/config.yaml"
register: glue_scripts_config_yaml
- name: Install glue scripts
ansible.builtin.include_tasks:
file: install_glue_scripts.yaml
vars:
config: "{{ (glue_scripts_config_yaml.content | b64decode | from_yaml) }}"
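Review bot: `echo dotsfiles path` executes a command on every host only to build a string, which reports `changed` on each run and is exactly what ansible-lint flags as `no-changed-when`/`command-instead-of-module`; `ansible.builtin.set_fact: dotsfiles_repo_dir: "{{ home }}/.dotsfiles/{{ dotsfiles_repo_name }}"` yields the same value with no remote execution, with the `dotsfiles_repo_path.stdout` references in copy_config_file.yaml and install_glue_scripts.yaml pointed at the new fact. `Clone dotsfiles repo` checks out `dotsfiles_repo_url` with no `version:`, and the files it pulls are then installed as executables under `~/.local/share/glue_scripts/bin` and as shell configuration, so whatever sits at the remote HEAD runs on the workstation; pin `version:` to a tag or commit, or at least document in a comment that the remote HEAD is trusted, so a provisioning run is reproducible and a compromised forge cannot push arbitrary scripts onto every host at the next run. `recurse: false` on `Setup repo directory` is the module default and can be dropped.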


@ -0,0 +1,8 @@
[ids]
*
[main]
capslock = esc
# Ascii grave back tick and Ascii tilde
esc = grave


@ -0,0 +1,26 @@
# install and configure keyd
# (low-level key remapping daemon for linux)
- name: Install keyd package
become: true
community.general.pacman:
name: keyd
- name: Create keyd config dir
become: true
ansible.builtin.file:
path: /etc/keyd
state: directory
recurse: false
- name: Copy keyd config
become: true
ansible.builtin.copy:
src: keyd_default.conf
dest: /etc/keyd/default.conf
- name: Enable systemd service
become: true
ansible.builtin.systemd_service:
name: "keyd"
state: "started"
enabled: true
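Review bot: `Copy keyd config` writes `/etc/keyd/default.conf`, but nothing reacts when that file changes: `Enable systemd service` only ensures `started`, and keyd reads its configuration at startup (or on an explicit `keyd reload`), so on a host where the service is already running a changed remap is silently not applied until the next restart. Register the copy result and restart the service only when the file changed, as below, and give the config an explicit mode so it does not depend on the connection user's umask. `recurse: false` on `Create keyd config dir` is the module default and can be removed.

```yaml
- name: Copy keyd config
  become: true
  ansible.builtin.copy:
    src: keyd_default.conf
    dest: /etc/keyd/default.conf
    mode: "0644"
  register: keyd_config
- name: Enable systemd service
  become: true
  ansible.builtin.systemd_service:
    name: keyd
    # keyd only re-reads its config on start/reload, so restart when it changed
    state: "{{ 'restarted' if keyd_config.changed else 'started' }}"
    enabled: true
```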


@ -24,25 +24,29 @@
owner: "{{ user }}"
mode: u=rw,g=,o=
- name: Create temporary build directory
- delegate_to: localhost
ansible.builtin.tempfile:
state: directory
suffix: ssh_known_hosts
register: tempdir_known_hosts
- name: Load known hosts from profiles
delegate_to: localhost
template:
# load from controller host
src: "{{ home }}/.dots/profiles/{{ item.name }}/configs/ssh/known_hosts"
# load from controller host, from the work profile repository
src: "{{ profiles_paths[item.name] }}/configs/ssh/known_hosts"
dest: "{{ tempdir_known_hosts.path }}/{{ item.name }}"
with_items: "{{ enabled_profiles }}"
# - name: Execute a command
# ansible.builtin.command: "sleep infinity"
- name: Concat known hosts
template:
src: ssh/known_hosts
dest: "{{ home }}/.ssh/known_hosts"
vars:
tempdir_known_hosts: "{{ tempdir_known_hosts }}"
origin_dir: "{{ tempdir_known_hosts.path }}"
- name: Ensure ssh config profiles dir exists
file:
@ -51,7 +55,7 @@
- name: Load ssh config of profiles
template:
src: "{{ home }}/.dots/profiles/{{ item.name }}/configs/ssh/config"
src: "{{ profiles_paths[item.name] }}/configs/ssh/config"
dest: "{{ home }}/.ssh/profiles/{{ item.name }}"
mode: u=rw,g=,o=
with_items: "{{ enabled_profiles }}"
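Review bot: The `delegate_to: localhost` on `Create temporary build directory` appears to be a line this hunk changes (the rendered diff has lost its marker, so I cannot tell whether it was added or removed); whichever way it went, that task must run on the controller, because `Load known hosts from profiles` writes into `tempdir_known_hosts.path` under `delegate_to: localhost` and the `known_hosts` template reads it back via `lookup('file', origin_dir + ...)`, which also evaluates on the controller, so a tempdir created on the remote would leave both consumers looking at a path that does not exist locally. The temporary directory is also never removed, so every run leaves a copy of the merged known_hosts under the controller's temp directory; add a final `ansible.builtin.file: { path: "{{ tempdir_known_hosts.path }}", state: absent }` with `delegate_to: localhost`. The commented-out `sleep infinity` debugging task should be deleted rather than kept.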


@ -0,0 +1,51 @@
# Main task of the role to setup systemd user scope services and timer
# Expected var "user_systemd_services" and "template_dir"
- name: Setup systemd user services folder
file:
path: "{{ home }}/.config/systemd/user"
state: directory
recurse: true
- name: Setup user units file
template:
src: "{{ template_dir }}/{{ unit.name }}.service"
dest: "{{ home }}/.config/systemd/user/{{ unit.name }}.service"
loop_control:
loop_var: unit
with_items: "{{ user_systemd_services }}"
- name: Setup user timers
with_items: "{{ systemd_services.user }}"
loop_control:
loop_var: unit
when: "unit.timer is defined and unit.timer"
template:
src: "{{ template_dir }}/{{ unit.name }}.timer"
dest: "{{ home }}/.config/systemd/user/{{ unit.name }}.timer"
- name: Enable user services
with_items: "{{ user_systemd_services }}"
loop_control:
loop_var: unit
systemd_service:
daemon_reload: true
scope: user
name: "{{ unit.name }}"
state: started
enabled: true
- name: Enable user timers
with_items: "{{ systemd_services.user }}"
loop_control:
loop_var: unit
when: "unit.timer is defined and unit.timer"
systemd_service:
scope: user
name: "{{ unit.name }}.timer"
state: started
enabled: true
- name: Reload user daemon
systemd_service:
scope: user
daemon_reload: true
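Review bot: `Setup user timers` and `Enable user timers` iterate `systemd_services.user`, but the header comment and the other three tasks use `user_systemd_services`, and the desktop playbook that includes this role only passes `user_systemd_services` and `template_dir`, so both timer tasks abort on an undefined variable the moment the role runs; change both to `with_items: "{{ user_systemd_services }}"`. `Enable user services` also ignores the per-unit `enabled` flag that callers set, starting and enabling every listed unit; a `when: unit.enabled | default(true)` would make the flag meaningful. The trailing `Reload user daemon` task duplicates the `daemon_reload: true` already passed in `Enable user services`, which is harmless but redundant.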


@ -13,7 +13,12 @@ export ANSIBLE_LOG_PATH=ansible_run.log
rm $base/vm_files
ln -s $workdir $base/vm_files
ansible-playbook $base/workstation.yaml \
export ANSIBLE_PLAYBOOK="${ANSIBLE_PLAYBOOK:-workstation.yaml}"
export ANSIBLE_REPO="${ANSIBLE_REPO:-$base}"
playbookPath="$ANSIBLE_REPO/$ANSIBLE_PLAYBOOK"
ansible-playbook $playbookPath \
-v \
--ask-become-pass \
-i "inventory.yaml" \
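Review bot: `ansible-playbook $playbookPath` expands the new variable unquoted, so an `ANSIBLE_REPO` containing spaces is split into several arguments; write `ansible-playbook "$playbookPath"`. The inventory on the following line is still `-i "inventory.yaml"`, resolved against the current directory rather than `$ANSIBLE_REPO`, which makes the repo-path override only half effective if the inventory lives alongside the playbook; `-i "$ANSIBLE_REPO/inventory.yaml"` would keep the two consistent (presumably the intent, confirm where the inventory is kept). Neither `ANSIBLE_PLAYBOOK` nor `ANSIBLE_REPO` needs `export`, since only this script reads them; plain assignment avoids leaking them into ansible's environment. The script continues outside the hunk.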


@ -0,0 +1,36 @@
# Desktop workstation non-root setup playbook
# This playbook contains user setup for the graphical Sway desktop environment
# that doesn't require root
- hosts: workstation
gather_facts: True
vars:
home: /home/{{ user }}
tasks:
- name: "Setup systemd user services and timers"
include_role:
name: systemd_user
vars:
user_systemd_services:
- name: "cliphist"
enabled: true
- name: "kanshi"
enabled: true
- name: "gammastep"
enabled: true
- name: "swaybg"
enabled: true
# - name: "hourly_remainder"
# enabled: true
# timer: true
template_dir: "systemd/user"
- name: Read glue scripts config
ansible.builtin.slurp:
src: "glue_scripts/config.yaml"
register: glue_scripts_config_yaml
- name: Install glue scripts
ansible.builtin.include_tasks:
file: install_glue_scripts.yaml
vars:
config: "{{ (glue_scripts_config_yaml.content | b64decode | from_yaml) }}"
glue_scripts_config_yaml: "{{ lookup('file', 'desktop_glue_scripts/config.yaml') }}"
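Review bot: `Install glue scripts` is not runnable as written: its `vars` both consume `glue_scripts_config_yaml.content` from the preceding `slurp` and redefine `glue_scripts_config_yaml` with `lookup('file', ...)`, which yields the file text as a plain string, so `.content` is undefined at include time; drop the lookup override, or replace both with `config: "{{ lookup('file', 'desktop_glue_scripts/config.yaml') | from_yaml }}"` and remove the slurp. The slurp also reads `glue_scripts/config.yaml` relative to the remote working directory while the lookup reads `desktop_glue_scripts/config.yaml` on the controller, so the two tasks do not even agree on which file is meant. The only `install_glue_scripts.yaml` in this change (in the dotsfiles role) additionally expects `dotsfiles_repo_path.stdout`, which this play never defines; if a separate desktop copy of that task file is intended it is not in the diff, and it needs its own source-path variable.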


@ -0,0 +1,15 @@
- hosts: workstation
gather_facts: False
vars:
home: /home/{{ user }}
tasks:
- name: Setup dotsfile (copy)
include_role:
name: dotsfiles
vars:
dotsfiles_repo_name: "{{ dotsfiles_repo.name }}"
dotsfiles_repo_url: "{{ dotsfiles_repo.repo_url }}"
with_items: "{{ dotsfiles_repos }}"
loop_control:
loop_var: dotsfiles_repo


@ -0,0 +1,14 @@
# Low-level Desktop workstation playbook (require become)
# This playbook is used to setup low-level settings (like Human Interface devices and screen)
- hosts: workstation
gather_facts: True
vars:
home: /home/{{ user }}
tasks:
- name: Configure low-level keyboard device
include_role:
name: keyboard
- name: Configure low-level display interface
include_role:
name: display


@ -27,7 +27,7 @@ codeberg.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTY
# ==============================
# Profile: {{ enabled_profile.name }}
# ==============================
{{ lookup('file', tempdir_known_hosts.path + '/' + enabled_profile.name) }}
{{ lookup('file', origin_dir + '/' + enabled_profile.name) }}
{% endfor %}


@ -2,67 +2,6 @@
gather_facts: True
vars:
home: /home/{{ user }}
systemd_services:
system: []
user:
- from: "mount_sshfs"
name: "mount_sshfs_srv06_warmd_mbess"
enabled: true
params:
ssh_uri: "mbess@srv06.mbess.net:/warmd/mbess"
mount_path: "{{ home }}/.mnt/srv06/warmd/mbess"
profile: perso
- from: "mount_sshfs"
name: "mount_sshfs_srv06_warmd_etb"
enabled: true
params:
ssh_uri: "mbess@srv06.mbess.net:/warmd/etoiledebethleem"
mount_path: "{{ home }}/.mnt/srv06/warmd/etb"
profile: perso
- name: "popequer_gitwatch@"
profile: all
- name: "hourly_remainder"
enabled: true
timer: true
profile: all
- name: "cliphist"
enabled: true
profile: all
- name: "kanshi"
enabled: true
profile: all
- name: "gammastep"
enabled: true
profile: all
- name: "swaybg"
enabled: true
profile: all
config_files:
- dir: fish
name: config.fish
- dir: tmux
name: tmux.conf
- dir: alacritty
name: alacritty.toml
- dir: wofi
name: style.css
- dir: kanshi
name: config
- dir: sway
name: config
- dir: helix
name: config.toml
- dir: i3status-rust
name: config.toml
- dir: git
name: config
- dir: nvim
name: init.lua
- dir: nvim
name: lua # lua dir
# for desktop notifications
- dir: dunst
name: dunstrc
tasks:
- name: Init arch
block:
@ -74,6 +13,7 @@
dest: "{{ home }}/.monakhos"
- name: Change hostname
become: true
hostname:
name: "{{ device_name }}"
@ -121,11 +61,6 @@
- shell: "rm -rf /etc/pacman.d/gnupg && pacman-key --init && pacman-key --populate archlinux"
- shell: "mkdir -p {{ home }}/.cache/monakhos; echo -n $(date --iso-8601=d) > {{ home }}/.cache/monakhos/pacman_key_state"
- name: Install global tools (Python packages)
include_role:
name: uv_tools
with_items: "{{ lookup('pipe', 'cat python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}"
# AUR SETUP
- name: Create the aur_builder user
become: yes
@ -155,61 +90,29 @@
path: "{{ home }}/.stub"
state: touch
# INSTALL normal packages from YAML
- name: Install non-AUR packages
# INSTALL essentials packages from YAML
- name: Install essentials non-AUR packages
become: true
community.general.pacman:
name: "{{ lookup('pipe', ('cat arch_packages.yaml | python3 parse_arch_packages.py ' + item)) | from_json }}"
name: "{{ lookup('pipe', ('cat packages/essentials/arch_packages.yaml | python3 parse_arch_packages.py ' + item)) | from_json }}"
with_items: "{{ packages_categories }}"
- name: Install AUR packages
- name: Install essentials AUR packages
include_role:
name: aur
vars:
packages: "{{ lookup('pipe', ('cat arch_packages.yaml | python3 parse_arch_packages.py --aur ' + item)) | from_json }}"
packages: "{{ lookup('pipe', ('cat packages/essentials/arch_packages.yaml | python3 parse_arch_packages.py --aur ' + item)) | from_json }}"
with_items: "{{ packages_categories }}"
- name: Install sway
include_role:
name: sway
# DOTS
- name: Clone dots file
git:
key_file: "{{ home }}/.ssh/{{ device_name }}_perso_generic_ed25519"
repo: "git@forge.lefuturiste.fr:mbess/dots.git"
dest: "{{ home }}/.dots"
- name: Install requirements in dots
pip:
virtualenv: "{{ home }}/.dots/venv"
requirements: "{{ home }}/.dots/requirements.txt"
- name: Setup DNS and unbound
# Install essentials tools with UV
- name: Install essentials global tools (Python packages)
include_role:
name: dns
- name: Symbolic link to user .profile
file:
src: "{{ home }}/.profile"
dest: "{{ home }}/.dots/config/.profile"
state: link
force: true
- name: Setup config directories
file:
path: "{{ home }}/.config/{{ item.dir }}"
state: directory
recurse: true
loop: "{{ config_files }}"
- name: Setup symbolic links to config files
file:
src: "{{ home }}/.dots/config/{{ item.dir }}/{{ item.name }}"
dest: "{{ home }}/.config/{{ item.dir }}/{{ item.name }}"
state: link
force: true
loop: "{{ config_files }}"
name: uv_tools
with_items: "{{ lookup('pipe', 'cat packages/essentials/python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}"
- name: Set default shell
become: true
@ -223,151 +126,6 @@
name: "{{ user }}"
groups: ["docker"]
- name: Create machine.fish
template:
src: fish/machine.fish
dest: "{{ home }}/.config/fish/machine.fish"
- name: Setup xremap
include_role:
name: xremap
# SYSTEMD user services
- name: Setup systemd user services folder
file:
path: "{{ home }}/.config/systemd/user"
state: directory
recurse: true
- name: Setup user units
loop: "{{ systemd_services.user }}"
when: "item.from is not defined and (item.profile == 'all' or item.profile in enabled_profiles)"
template:
src: "systemd/user/{{ item.name }}.service"
dest: "{{ home }}/.config/systemd/user/{{ item.name }}.service"
vars:
service_params: "{{ item.params }}"
- name: Setup user unit with from
loop: "{{ systemd_services.user }}"
when: "item.from is defined and (item.profile == 'all' or item.profile in enabled_profiles)"
template:
src: "systemd/user/{{ item.from }}.service"
dest: "{{ home }}/.config/systemd/user/{{ item.name }}.service"
vars:
service_params: "{{ item.params }}"
- name: Setup user timers
loop: "{{ systemd_services.user }}"
when: "item.timer is defined and item.timer and (item.profile == 'all' or item.profile in enabled_profiles)"
template:
src: "systemd/user/{{ item.name }}.timer"
dest: "{{ home }}/.config/systemd/user/{{ item.name }}.timer"
- name: Enable some systemd user services
when: "item.enabled is defined and item.enabled"
loop: "{{ systemd_services.user }}"
systemd_service:
daemon_reload: true
scope: user
name: "{{ item.name }}"
state: started
enabled: true
- name: Enable some systemd user timers
when: "item.timer is defined and item.timer and (item.profile == 'all' or item.profile in enabled_profiles)"
loop: "{{ systemd_services.user }}"
systemd_service:
scope: user
name: "{{ item.name }}.timer"
state: started
enabled: true
# OTHERS
- name: Setup mount point folders
file:
path: "{{ home }}/.mnt/{{ item }}"
state: directory
recurse: true
when: "'perso' in enabled_profiles"
loop:
- srv06/warmd/mbess
- srv06/coldd/mbess
- srv06/warmd/etb
- name: Setup triage folder
file:
path: "{{ home }}/triage"
state: directory
recurse: true
- name: Setup quick notes folder
file:
path: "{{ home }}/quick/notes"
state: directory
recurse: true
- name: Setup quick docs folder
file:
path: "{{ home }}/quick/docs"
state: directory
recurse: true
- name: Setup quick screenshot folder
file:
path: "{{ home }}/quick/screenshots"
state: directory
recurse: true
- name: Setup long-term local secrets
file:
path: "{{ home }}/.local/secrets"
state: directory
recurse: true
- name: Setup directory to contains local root CA
file:
path: "{{ home }}/.local/secrets/root_ca"
state: directory
recurse: true
- name: Setup temporary secrets folder
file:
path: "{{ home }}/.cache/secrets"
state: directory
recurse: true
- name: Setup vaults dir gpg home
file:
path: "{{ home }}/.vaults/gpg-homes"
state: directory
recurse: true
- name: Setup vaults dir store unixpass
file:
path: "{{ home }}/.vaults/pass"
state: directory
recurse: true
- name: Setup workspace folder
file:
path: "{{ home }}/workspace"
state: directory
recurse: true
- name: Setup main popequer notebook
include_role:
name: popequer_notebook
- name: Enable bluetooth service
become: true
ansible.builtin.systemd_service:
name: bluetooth
state: started
enabled: true
- name: Setup wofi link
become: true
file:
src: "/usr/bin/wofi"
dest: "/usr/bin/rofi"
state: link
- name: Setup OpenFortiVPN
when: '"pro" in enabled_profiles'
include_role:
name: openfortivpn
- name: Setup apps dir
file:
path: "{{ home }}/.apps"
@ -387,21 +145,25 @@
vars:
default_browser: librewolf
- name: Patch desktop entries for wayland
include_role:
name: wayland_fixer
# INSTALL extra packages from YAML
- name: Install extra non-AUR packages
become: true
community.general.pacman:
name: "{{ lookup('pipe', ('cat packages/extra/arch_packages.yaml | python3 parse_arch_packages.py ' + item)) | from_json }}"
with_items: "{{ packages_categories }}"
# Initialize Workspaces
- name: Clone books sources
ansible.builtin.git:
repo: "git@forge.lefuturiste.fr:mbess/books-sources.git"
dest: /home/mbess/workspace/books_sources
when: "'perso' in enabled_profiles"
- name: Clone general programming snippets
ansible.builtin.git:
repo: "git@forge.lefuturiste.fr:mbess/snippets.git"
dest: /home/mbess/workspace/snippets
- name: Clone monakhos
ansible.builtin.git:
repo: "git@forge.lefuturiste.fr:mbess/monakhos.git"
dest: /home/mbess/workspace/monakhos
- name: Install extra AUR packages
include_role:
name: aur
vars:
packages: "{{ lookup('pipe', ('cat packages/extra/arch_packages.yaml | python3 parse_arch_packages.py --aur ' + item)) | from_json }}"
with_items: "{{ packages_categories }}"
- name: Install extra global tools (Python packages)
include_role:
name: uv_tools
with_items: "{{ lookup('pipe', 'cat packages/essentials/python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}"
- name: Setup DNS forwarding (with Unbound)
include_role:
name: dns
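Review bot: The new `Install extra global tools (Python packages)` task at the end of the last hunk reads `packages/essentials/python_packages.yaml`, while the two sibling "extra" tasks in the same hunk read `packages/extra/...`; this looks like a copy-paste slip that reinstalls the essentials list a second time and never the extra one, so the line should be `with_items: "{{ lookup('pipe', 'cat packages/extra/python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}"`, assuming that file exists alongside the extra `arch_packages.yaml`. Separately, in this hunk and in the `Install essentials ...` tasks of the earlier hunk, `item` from `packages_categories` is concatenated straight into the `pipe` lookup's shell string, which runs on the controller, so a category value containing shell metacharacters would be executed there; passing it through the quote filter, `... + (item | quote)`, keeps the category a single argument. The play header and several tasks of this playbook lie outside the visible hunks.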

1
main.yaml Normal file

@ -0,0 +1 @@