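---
#
# Bootstrap a single Debian-style host from localhost: packages, the
# operator account, dotfiles/scripts, SSH CA material and sshd config.
# Runs entirely with privilege (become: true), so every task below
# executes as root unless stated otherwise.
- hosts: localhost
  gather_facts: false
  become: true
  vars:
    username: "dwarf"
    user_home: "/usr/{{ username }}"
    user_shell: "/usr/bin/zsh"
    # Directories created under user_home before dotfiles are stowed.
    home_skel:
      - .config
      - .local
      - .local/bin
      - .local/cache
      - .local/lib
      - .local/share
      - .local/src
      - .local/state
      - .local/state/zsh
      - .local/share/gpg
    # python3-pexpect is required by ansible.builtin.expect (host key signing).
    install_pkgs:
      - bash
      - coreutils
      - curl
      - dnsutils
      - git
      - gnupg
      - gpg
      - python3-pexpect
      - secure-delete
      - stow
      - sudo
      - tmux
      - tree
      - unzip
      - vim
      - zsh
    remove_pkgs:
      - nano
      - telnet

  tasks:
    - name: "forge | install pkgs"
      # Passing the whole list runs a single apt transaction instead of
      # one per package.  state=latest upgrades these on every run; pin
      # versions here if a reproducible image is required.
      ansible.builtin.apt:
        name: "{{ install_pkgs }}"
        state: latest

    - name: "forge | remove pkgs"
      ansible.builtin.apt:
        name: "{{ remove_pkgs }}"
        state: absent

    - name: "forge | add dwarf user"
      # uid 0 + non_unique creates a second root-equivalent account
      # (intended here).  Anything that audits for extra uid-0 users
      # (CIS checks, login monitoring) must allow-list this name.
      ansible.builtin.user:
        name: "{{ username }}"
        uid: 0
        group: root
        shell: "{{ user_shell }}"
        home: "{{ user_home }}"
        non_unique: true

    - name: "forge | create home skeleton directories"
      ansible.builtin.file:
        name: "{{ user_home }}/{{ item }}"
        state: directory
        owner: root
        group: root
        # Quoted so YAML does not reinterpret the leading-zero octal.
        mode: "0755"
      loop: "{{ home_skel }}"

    - name: "forge | clone dotfiles"
      # git:// is unauthenticated and unencrypted: the clone can be
      # tampered with in transit, and the result is sourced by root's
      # shell (zsh config below).  Prefer https:// or ssh:// and pin a
      # tag/commit via `version:` once the server offers them.
      ansible.builtin.git:
        repo: "git://git.pyratebeard.net/dotfiles.git"
        dest: "{{ user_home }}/.local/src/dotfiles"

    - name: "forge | stow dotfiles"
      args:
        chdir: "{{ user_home }}/.local/src/dotfiles"
      # NOTE(review): with become: true at play level this command still
      # runs as root; remote_user only affects the connection account —
      # confirm that is intended (the target tree is root-owned anyway).
      remote_user: "{{ username }}"
      ansible.builtin.command: stow git gpg tmux vim zsh -t {{ user_home|quote }}

    - name: "forge | clone scripts"
      # Same transport caveat as the dotfiles clone above.
      ansible.builtin.git:
        repo: "git://git.pyratebeard.net/scripts.git"
        dest: "{{ user_home }}/.local/src/scripts"

    - name: "forge | stow scripts"
      args:
        chdir: "{{ user_home }}/.local/src/scripts"
      remote_user: "{{ username }}"
      ansible.builtin.command: stow bin fun -t {{ user_home|quote }}

    - name: "forge | add directory aliases"
      # Pseudo-users whose home directories make `~dot` and `~src`
      # resolve to the dotfiles and source trees.  They cannot log in.
      vars:
        users:
          dot:
            home: "{{ user_home }}/.local/src/dotfiles"
          src:
            home: "{{ user_home }}/.local/src"
      ansible.builtin.user:
        name: "{{ item.key }}"
        # NOTE(review): Debian/Ubuntu ship nologin as /usr/sbin/nologin;
        # confirm this path exists on the target or the shell field will
        # point at a missing binary.
        shell: /usr/bin/nologin
        home: "{{ item.value.home }}"
      loop: "{{ lookup('ansible.builtin.dict', users) }}"

    - name: "forge | set hostname"
      # Short host name: everything before the first dot of /etc/hostname.
      ansible.builtin.set_fact:
        hostname: "{{ lookup('file', '/etc/hostname')|regex_replace('^(\\w+)\\..*', '\\1') }}"
      tags: hostname

    - name: "forge | set domain"
      # Domain part after the first dot.  If /etc/hostname holds no dot
      # the pattern does not match and `domain` silently equals the whole
      # hostname, which then feeds the bitwarden item names below.
      ansible.builtin.set_fact:
        domain: "{{ lookup('file', '/etc/hostname')|regex_replace('^\\w+\\.(.*)', '\\1') }}"
      tags: hostname

    - name: "forge | show hostname and domain"
      ansible.builtin.debug:
        msg: "{{ hostname }} and {{ domain }}"
      tags: hostname

    - name: "forge | download ssh ca keys"
      # hostca is a CA *private* key and userca.pub the user-CA public key.
      # The bitwarden lookup returns a list, hence key[0].
      vars:
        ssh_ca:
          userca_pub:
            key: "{{ lookup('community.general.bitwarden', 'userca.pub', field='notes') }}"
            dest: "userca.pub"
            mode: "0644"
          hostca:
            key: "{{ lookup('community.general.bitwarden', 'hostca-' + domain, field='notes') }}"
            dest: "hostca-{{ domain }}"
            mode: "0600"
      ansible.builtin.copy:
        content: "{{ item.value.key[0] }}"
        dest: "/etc/ssh/{{ item.value.dest }}"
        mode: "{{ item.value.mode }}"
      loop: "{{ lookup('ansible.builtin.dict', ssh_ca) }}"
      # Keep the private CA key out of task output, diff mode and logs.
      no_log: true

    - name: "forge | self-sign host key"
      # Signs the host's ed25519 key with the host CA fetched above.  The
      # CA private key stays at /etc/ssh/hostca-<domain> afterwards; a
      # compromise of this host then compromises every host trusting the
      # CA.  Consider signing off-host or removing the key once signed.
      vars:
        hostca_key_passphrase: "{{ lookup('community.general.bitwarden', 'hostca-' + domain + '-passphrase', field='password') }}"
      ansible.builtin.expect:
        command: ssh-keygen -s /etc/ssh/hostca-{{ domain }} -h -I {{ hostname }}@{{ domain }} -n {{ hostname }}.{{ domain }},{{ hostname }} /etc/ssh/ssh_host_ed25519_key.pub
        responses:
          Enter passphrase: "{{ hostca_key_passphrase }}"
      no_log: true

    - name: "forge | deploy ssh config"
      ansible.builtin.template:
        src: sshd_config.j2
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: "0644"
        # Syntax-check the rendered file before it replaces the live
        # config, so a bad template cannot lock us out on the restart.
        validate: /usr/sbin/sshd -t -f %s
      notify: reload sshd

    - name: "forge | delete motd"
      ansible.builtin.file:
        path: "{{ item }}"
        state: absent
      loop:
        - /etc/issue
        - /etc/issue.net
        - /etc/motd
        - /etc/update-motd.d/

  handlers:
    # Named "reload" but performs a full restart so every option in the
    # new sshd_config takes effect.
    - name: reload sshd
      ansible.builtin.service:
        name: sshd
        state: restarted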