setup

personal system configuration scripts
git clone git://git.pyratebeard.net/setup.git
Log | Files | Refs | README

playbook.yml (4716B)


      1 ---
      2 #
      3 
      4 - hosts: localhost
      5   gather_facts: false
      6   become: true
      7   vars:
      8     username: "dwarf"
      9     user_home: "/usr/{{ username }}"
     10     user_shell: "/usr/bin/zsh"
     11     home_skel:
     12       - .config
     13       - .local
     14       - .local/bin
     15       - .local/cache
     16       - .local/lib
     17       - .local/share
     18       - .local/src
     19       - .local/state
     20       - .local/state/zsh
     21       - .local/share/gpg
     22     install_pkgs:
     23       - bash
     24       - coreutils
     25       - curl
     26       - dnsutils
     27       - git
     28       - gnupg
     29       - gpg
     30       - python3-pexpect
     31       - secure-delete
     32       - stow
     33       - sudo
     34       - tmux
     35       - tree
     36       - unzip
     37       - vim
     38       - zsh
     39     remove_pkgs:
     40       - nano
     41       - telnet
     42 
     43   tasks:
     44     - name: "forge | install pkgs"
     45       ansible.builtin.apt:
     46         name: "{{ item }}"
     47         state: latest
     48       with_items: "{{ install_pkgs }}"
     49 
     50     - name: "forge | remove pkgs"
     51       ansible.builtin.apt:
     52         name: "{{ item }}"
     53         state: absent
     54       with_items: "{{ remove_pkgs }}"
     55 
     56     - name: "forge | add dwarf user"
     57       ansible.builtin.user:
     58         name: "{{ username }}"
     59         uid: 0
     60         group: root
     61         shell: "{{ user_shell }}"
     62         home: "{{ user_home }}"
     63         non_unique: true
     64 
     65     - name: "forge | create home skeleton directories"
     66       ansible.builtin.file:
     67         name: "{{ user_home }}/{{ item }}"
     68         state: directory
     69         owner: root
     70         group: root
     71         mode: 0755
     72       with_items: "{{ home_skel }}"
     73 
     74     - name: "forge | clone dotfiles"
     75       ansible.builtin.git:
     76         repo: "git://git.pyratebeard.net/dotfiles.git"
     77         dest: "{{ user_home }}/.local/src/dotfiles"
     78 
     79     - name: "forge | stow dotfiles"
     80       args:
     81         chdir: "{{ user_home }}/.local/src/dotfiles"
     82       remote_user: "{{ username }}"
     83       ansible.builtin.command: stow git gpg tmux vim zsh -t {{ user_home|quote }}
     84 
     85     - name: "forge | clone scripts"
     86       ansible.builtin.git:
     87         repo: "git://git.pyratebeard.net/scripts.git"
     88         dest: "{{ user_home }}/.local/src/scripts"
     89 
     90     - name: "forge | stow scripts"
     91       args:
     92         chdir: "{{ user_home }}/.local/src/scripts"
     93       remote_user: "{{ username }}"
     94       ansible.builtin.command: stow bin fun -t {{ user_home|quote }}
     95 
     96     - name: "forge | add directory aliases"
     97       vars:
     98         users:
     99           dot:
    100             home: "{{ user_home }}/.local/src/dotfiles"
    101           src:
    102             home: "{{ user_home }}/.local/src/scripts"
    103       ansible.builtin.user:
    104         name: "{{ item.key }}"
    105         shell: /usr/bin/nologin
    106         home: "{{ item.value.home }}"
    107       loop: "{{ lookup('ansible.builtin.dict', users) }}"
    108 
    109     - name: "forge | set hostname"
    110       set_fact:
    111         hostname: "{{ lookup('file', '/etc/hostname')|regex_replace('^(\\w+)\\..*', '\\1') }}"
    112       tags: hostname
    113 
    114     - name: "forge | set domain"
    115       set_fact:
    116         domain: "{{ lookup('file', '/etc/hostname')|regex_replace('^\\w+\\.(.*)', '\\1') }}"
    117       tags: hostname
    118 
    119     - debug:
    120         msg: "{{ hostname }} and {{ domain }}"
    121       tags: hostname
    122 
    123     - name: "forge | download ssh ca keys"
    124       vars:
    125         ssh_ca:
    126           userca_pub:
    127             key: "{{ lookup('community.general.bitwarden', 'userca.pub', field='notes') }}"
    128             dest: "userca.pub"
    129             mode: "0644"
    130           hostca:
    131             key: "{{ lookup('community.general.bitwarden', 'hostca-' + domain, field='notes') }}"
    132             dest: "hostca-{{ domain }}"
    133             mode: "0600"
    134       ansible.builtin.copy:
    135         content: "{{ item.value.key[0] }}"
    136         dest: "/etc/ssh/{{ item.value.dest }}"
    137         mode: "{{ item.value.mode }}"
    138       loop: "{{ lookup('ansible.builtin.dict', ssh_ca) }}"
    139 
    140     - name: "forge | self-sign host key"
    141       vars:
    142         hostca_key_passphrase: "{{ lookup('community.general.bitwarden', 'hostca-' + domain + '-passphrase', field='password') }}"
    143       ansible.builtin.expect:
    144         command: ssh-keygen -s /etc/ssh/hostca-{{ domain }} -h -I {{ hostname }}@{{ domain }} -n {{ hostname }}.{{ domain }},{{ hostname }} /etc/ssh/ssh_host_ed25519_key.pub
    145         responses:
    146           Enter passphrase: "{{ hostca_key_passphrase }}"
    147       no_log: true
    148 
    149     - name: "forge | deploy ssh config"
    150       ansible.builtin.template:
    151         src: sshd_config.j2
    152         dest: /etc/ssh/sshd_config
    153         owner: root
    154         group: root
    155         mode: 0644
    156       notify: reload sshd
    157 
    158     - name: "forge | delete motd"
    159       ansible.builtin.file:
    160         path: "{{ item }}"
    161         state: absent
    162       with_items:
    163         - /etc/issue
    164         - /etc/issue.net
    165         - /etc/motd
    166         - /etc/update-motd.d/
    167 
    168   handlers:
    169     - name: reload sshd
    170       ansible.builtin.service:
    171         name: sshd
    172         state: restarted