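---
# Bootstrap playbook for a single Debian-family host: packages, an admin
# user, dotfiles, SSH CA material and the sshd configuration.  It targets
# localhost with privilege escalation, so every task below runs as root.
- hosts: localhost
  gather_facts: false
  become: true
  vars:
    username: "dwarf"
    # The home lives under /usr rather than /home; the rest of the play
    # builds on this path, so change it here only.
    user_home: "/usr/{{ username }}"
    user_shell: "/usr/bin/zsh"
    # Directories created under user_home before the dotfiles are stowed.
    home_skel:
      - .config
      - .local
      - .local/bin
      - .local/cache
      - .local/lib
      - .local/share
      - .local/src
      - .local/state
      - .local/state/zsh
      - .local/share/gpg
    install_pkgs:
      - bash
      - coreutils
      - curl
      - dnsutils
      - git
      - gnupg
      - gpg
      - python3-pexpect
      - secure-delete
      - stow
      - sudo
      - tmux
      - tree
      - unzip
      - vim
      - zsh
    remove_pkgs:
      - nano
      - telnet

  tasks:
    # The whole list goes to apt in one call (a single transaction, the form
    # the module documents; looping apt per package is warned against).
    # state=latest upgrades these packages on every run - if reproducible
    # runs matter, pin versions in install_pkgs instead.
    - name: "forge | install pkgs"
      ansible.builtin.apt:
        name: "{{ install_pkgs }}"
        state: latest

    - name: "forge | remove pkgs"
      ansible.builtin.apt:
        name: "{{ remove_pkgs }}"
        state: absent

    # uid 0 plus non_unique creates a second root-equivalent login: same
    # UID as root, its own name, shell and home.  Anything this user's
    # dotfiles can write is therefore root-writable - relevant to the clone
    # and stow tasks below.
    - name: "forge | add dwarf user"
      ansible.builtin.user:
        name: "{{ username }}"
        uid: 0
        group: root
        shell: "{{ user_shell }}"
        home: "{{ user_home }}"
        non_unique: true

    - name: "forge | create home skeleton directories"
      ansible.builtin.file:
        path: "{{ user_home }}/{{ item }}"
        state: directory
        owner: root
        group: root
        # Quoted: Ansible asks for octal modes as strings.  A bare 0755 is
        # read by YAML as an integer and can be misinterpreted, notably in
        # loops; the ssh_ca vars further down already use the quoted form.
        mode: "0755"
      loop: "{{ home_skel }}"

    # git:// is an unauthenticated, unencrypted transport: nothing verifies
    # who served the repository, and the checkout is stowed into a UID-0
    # home.  Prefer https:// or ssh:// with a known host key, and pin a
    # specific commit with `version: <commit-sha>` so the result is
    # reproducible.
    - name: "forge | clone dotfiles"
      ansible.builtin.git:
        repo: "git://git.pyratebeard.net/dotfiles.git"
        dest: "{{ user_home }}/.local/src/dotfiles"

    # remote_user is the connection login user; with become active the
    # command itself still runs as root.  NOTE(review): if stow is meant to
    # run as the dwarf user, become_user is the keyword for that - confirm
    # the intent.  The task reports "changed" on every run; a `creates:`
    # arg or changed_when would make it idempotent.
    - name: "forge | stow dotfiles"
      args:
        chdir: "{{ user_home }}/.local/src/dotfiles"
      remote_user: "{{ username }}"
      ansible.builtin.command: stow git gpg tmux vim zsh -t {{ user_home|quote }}

    # System-wide zshenv pointing zsh at the XDG config directory.
    - name: "forge | zdotdir"
      ansible.builtin.copy:
        dest: /etc/zsh/zshenv
        owner: root
        group: root
        mode: "0644"
        content: |
          export ZDOTDIR="$HOME"/.config/zsh

    # Same transport caveat as the dotfiles clone above.
    - name: "forge | clone scripts"
      ansible.builtin.git:
        repo: "git://git.pyratebeard.net/scripts.git"
        dest: "{{ user_home }}/.local/src/scripts"

    - name: "forge | stow scripts"
      args:
        chdir: "{{ user_home }}/.local/src/scripts"
      remote_user: "{{ username }}"
      ansible.builtin.command: stow bin fun -t {{ user_home|quote }}

    # Login-disabled accounts whose only purpose is tilde expansion
    # (~dot, ~src) to the corresponding directories.
    - name: "forge | add directory aliases"
      vars:
        users:
          dot:
            home: "{{ user_home }}/.local/src/dotfiles"
          src:
            home: "{{ user_home }}/.local/src"
      ansible.builtin.user:
        name: "{{ item.key }}"
        shell: /usr/bin/nologin
        home: "{{ item.value.home }}"
      loop: "{{ lookup('ansible.builtin.dict', users) }}"

    # hostname = the part of /etc/hostname before the first dot, domain =
    # the part after it.  If the file holds no dot, neither regex matches
    # and both facts fall back to the unmodified file content.
    - name: "forge | set hostname"
      ansible.builtin.set_fact:
        hostname: "{{ lookup('file', '/etc/hostname')|regex_replace('^(\\w+)\\..*', '\\1') }}"
      tags: hostname

    - name: "forge | set domain"
      ansible.builtin.set_fact:
        domain: "{{ lookup('file', '/etc/hostname')|regex_replace('^\\w+\\.(.*)', '\\1') }}"
      tags: hostname

    - name: "forge | show hostname and domain"
      ansible.builtin.debug:
        msg: "{{ hostname }} and {{ domain }}"
      tags: hostname

    # The hostca item is the CA *private* key.  Loop results echo the
    # current item - including item.value.key - in task output, so no_log
    # is needed on this task too, not only on the signing task below.  The
    # bitwarden lookup returns a list, hence key[0].
    - name: "forge | download ssh ca keys"
      vars:
        ssh_ca:
          userca_pub:
            key: "{{ lookup('community.general.bitwarden', 'userca.pub', field='notes') }}"
            dest: "userca.pub"
            mode: "0644"
          hostca:
            key: "{{ lookup('community.general.bitwarden', 'hostca-' + domain, field='notes') }}"
            dest: "hostca-{{ domain }}"
            mode: "0600"
      ansible.builtin.copy:
        content: "{{ item.value.key[0] }}"
        dest: "/etc/ssh/{{ item.value.dest }}"
        owner: root
        group: root
        mode: "{{ item.value.mode }}"
      loop: "{{ lookup('ansible.builtin.dict', ssh_ca) }}"
      no_log: true

    # Signs this host's ed25519 public key with the host CA written above.
    # no_log keeps the passphrase (and the expect transcript) out of output.
    - name: "forge | self-sign host key"
      vars:
        hostca_key_passphrase: "{{ lookup('community.general.bitwarden', 'hostca-' + domain + '-passphrase', field='password') }}"
      ansible.builtin.expect:
        command: ssh-keygen -s /etc/ssh/hostca-{{ domain }} -h -I {{ hostname }}@{{ domain }} -n {{ hostname }}.{{ domain }},{{ hostname }} /etc/ssh/ssh_host_ed25519_key.pub
        responses:
          Enter passphrase: "{{ hostca_key_passphrase }}"
      no_log: true

    # validate runs the rendered file through sshd's config check (%s is
    # the temporary path) before it replaces the live one, so a broken
    # template cannot take sshd down on the restart.  Adjust the binary
    # path if sshd is installed elsewhere.
    - name: "forge | deploy ssh config"
      ansible.builtin.template:
        src: sshd_config.j2
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: "0644"
        validate: /usr/sbin/sshd -t -f %s
      notify: reload sshd

    - name: "forge | delete motd"
      ansible.builtin.file:
        path: "{{ item }}"
        state: absent
      loop:
        - /etc/issue
        - /etc/issue.net
        - /etc/motd
        - /etc/update-motd.d/

  handlers:
    # Named "reload" but performs a full restart (state: restarted);
    # state: reloaded is the lighter option where the service supports it.
    - name: reload sshd
      ansible.builtin.service:
        name: sshd
        state: restarted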