server/Workstation
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Remove old manjaro playbook

Browse Source 
Now that we've split into proper ansible roles, remove the old manjaro
playbook.
This commit is contained in:
ducoterra
2022-01-31 13:46:14 -05:00
parent 838dad0302
commit 7b0daef47d
1 changed files with 0 additions and 508 deletions
Download Patch File Download Diff File Expand all files Collapse all files

508
playbooks/manjaro.yaml
View File

@@ -1,508 +0,0 @@
- name: Setup Workstation
hosts: localhost
vars:
executable_temp_dir: /tmp
awscli_install_dir: /opt/aws-cli/
vault_version: 1.9.3
swap_file_path: /swap/swapfile
swap_file_size_mb: 4096
tasks:
# Sync and update Pacman
- name: Sync and update Pacman
community.general.pacman:
update_cache: yes
upgrade: yes
become: yes
# SSH
- name: Ensure openssh installed
community.general.pacman:
name: openssh
state: present
become: yes
- name: Curl SSH trusted CA
get_url:
url: https://vault.ducoterra.net/v1/ssh-client-signer/public_key
dest: /etc/ssh/trusted-user-ca-keys.pem
mode: '0660'
become: yes
- name: Create sshd_config file
copy:
dest: "/etc/ssh/sshd_config"
content: |
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
PrintMotd no # pam does that
Subsystem sftp /usr/lib/ssh/sftp-server
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
become: yes
- name: Ensure ssh service started
ansible.builtin.systemd:
name: sshd
state: restarted
daemon_reload: yes
enabled: yes
become: yes
# UFW
- name: Ensure UFW installed
community.general.pacman:
name: ufw
state: present
become: yes
- name: Enable UFW
community.general.ufw:
state: enabled
become: yes
- name: Allow SSH
community.general.ufw:
rule: allow
name: ssh
become: yes
# System Tools
- name: Ensure grub installed
community.general.pacman:
name: grub
state: present
become: yes
- name: Ensure bluez installed
community.general.pacman:
name:
- bluez
- bluez-utils
state: present
become: yes
- name: Ensure bluetooth service started
ansible.builtin.systemd:
name: bluetooth
state: started
enabled: yes
become: yes
- name: Ensure glances installed
community.general.pacman:
name: glances
state: present
become: yes
- name: Ensure htop installed
community.general.pacman:
name: htop
state: present
become: yes
- name: Ensure curl and wget
community.general.pacman:
name:
- curl
- wget
state: present
become: yes
- name: Ensure dconf-editor
community.general.pacman:
name: dconf-editor
state: present
become: yes
- name: Ensure yay installed
community.general.pacman:
name: yay
state: present
become: yes
# Install DNET CA
- name: Download DNET CA
get_url:
url: https://vault.ducoterra.net/v1/dnet/ca
dest: /etc/ca-certificates/trust-source/anchors/dnet_ca.crt
mode: '0660'
become: yes
- name: Update trust store
command: trust extract-compat
become: yes
# dconf settings
- name: Turn off palm rejection
command: dconf write /org/gnome/desktop/peripherals/touchpad/disable-while-typing false
- name: Set flat mouse acceleration profile
command: dconf write /org/gnome/desktop/peripherals/mouse/accel-profile "'flat'"
- name: Center new windows
command: dconf write /org/gnome/mutter/center-new-windows true
# Gnome extensions
- name: Enable gnome extensions
command: 'gnome-extensions enable {{ item }}'
loop:
- bluetooth-quick-connect@bjarosze.gmail.com
- clipboard-indicator@tudmotu.com
- freon@UshakovVasilii_Github.yahoo.com
- sound-output-device-chooser@kgshank.net
- tactile@lundal.io
# Daily Driver Tools
- name: Ensure vim installed
community.general.pacman:
name: vim
state: present
become: yes
- name: Ensure unzip installed
community.general.pacman:
name: unzip
state: present
become: yes
- name: Ensure chromium installed
community.general.pacman:
name: chromium
state: present
become: yes
- name: Ensure steam installed
community.general.pacman:
name: steam-manjaro
state: present
become: yes
- name: Ensure discord installed
community.general.pacman:
name: discord
state: present
become: yes
- name: Ensure geary installed
community.general.pacman:
name: geary
state: present
become: yes
- name: Ensure appimagelauncher installed
community.general.pacman:
name: appimagelauncher
state: present
become: yes
- name: Ensure Applications directory
file:
path: ~/Applications
state: directory
# Developer Tools
- name: Ensure wine installed
community.general.pacman:
name:
- wine
- winetricks
- wine-mono
- wine_gecko
state: present
become: yes
- name: Ensure wireguard installed
community.general.pacman:
name: wireguard-tools
state: present
become: yes
- name: Ensure ping installed
community.general.pacman:
name: iputils
state: present
become: yes
- name: Ensure nslookup installed
community.general.pacman:
name: dnsutils
state: present
become: yes
- name: Ensure iperf3 installed
community.general.pacman:
name: iperf3
state: present
become: yes
- name: Ensure remmina (RDP) installed
community.general.pacman:
name:
- remmina
- freerdp
state: present
become: yes
- name: Ensure docker installed
community.general.pacman:
name:
- docker
- docker-compose
state: present
become: yes
- name: Ensure ducoterra in the "docker" group
ansible.builtin.user:
name: ducoterra
groups: docker
append: yes
become: yes
- name: Ensure kubectl installed
community.general.pacman:
name: kubectl
state: present
become: yes
- name: Ensure python and pip instaled
community.general.pacman:
name:
- python
- python-pip
state: present
become: yes
- name: Install ansible
pip:
name: ansible
extra_args: --user
- name: Ensure qmk installed
community.general.pacman:
name: qmk
state: present
become: yes
- name: Run qmk setup
ansible.builtin.command: qmk setup -y
become: yes
- name: Copy qmk udev rules
ansible.builtin.copy:
src: ~/qmk_firmware/util/udev/50-qmk.rules
dest: /etc/udev/rules.d/50-qmk.rules
owner: ducoterra
group: root
mode: '0755'
become: yes
# AWS CLI
- name: Download awscli v2 installer - latest version
unarchive:
src: https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip
dest: '{{ executable_temp_dir }}'
remote_src: true
creates: '{{ executable_temp_dir }}/aws'
mode: 0755
when: awscli_version is not defined
tags: ["awscli", "awscliv2"]
- name: Download awscli v2 installer - specific version {{ awscli_version }}
unarchive:
src: 'https://awscli.amazonaws.com/awscli-exe-linux-x86_64-{{ awscli_version }}.zip'
dest: "{{ executable_temp_dir }}"
remote_src: true
creates: '{{ executable_temp_dir }}/aws'
mode: 0755
when: awscli_version is defined
tags: ["awscli", "awscliv2"]
- name: Run the installer for awscli v2
command:
args:
cmd: '{{ executable_temp_dir }}/aws/install -i {{ awscli_install_dir }} -b /usr/local/bin'
creates: /usr/local/bin/aws
become: yes
tags: ["awscli", "awscliv2"]
# Vault CLI
- name: Download vault binary
unarchive:
src: https://releases.hashicorp.com/vault/{{vault_version}}/vault_{{vault_version}}_linux_amd64.zip
dest: '{{ executable_temp_dir }}'
remote_src: true
creates: '{{ executable_temp_dir }}/vault'
mode: 0755
- name: Move vault binary to /usr/local/bin
ansible.builtin.copy:
src: '{{ executable_temp_dir }}/vault'
dest: /usr/local/bin/vault
owner: root
group: root
mode: '0755'
become: yes
# Snap Installs
- name: Ensure snap installed
community.general.pacman:
name: snapd
state: present
become: yes
- name: Ensure snapd service running
ansible.builtin.systemd:
name: snapd.socket
state: started
enabled: yes
become: yes
- name: Link /var/lib/snapd/snap /snap
ansible.builtin.file:
src: /var/lib/snapd/snap
dest: /snap
owner: root
group: root
state: link
become: yes
- name: Install snap-store
community.general.snap:
name: snap-store
state: present
become: yes
retries: 6
delay: 10
- name: Install vscode
community.general.snap:
name: code
state: present
classic: yes
become: yes
- name: Install spotify
community.general.snap:
name: spotify
state: present
become: yes
# Create swap
- name: Turn off swap
command: "swapoff --all"
become: yes
- name: Remove old swap file
file:
state: absent
path: "{{ swap_file_path }}"
become: yes
- name: Create swap file
command: truncate -s 0 "{{ swap_file_path }}"
creates="{{ swap_file_path }}"
become: yes
- name: Set swap compression
command: chattr +C "{{ swap_file_path }}"
become: yes
- name: Allocate swap space
command: fallocate -l "{{ swap_file_size_mb }}M" "{{ swap_file_path }}"
become: yes
- name: Change swap file permissions
file: path="{{ swap_file_path }}"
owner=root
group=root
mode=0600
become: yes
- name: "Check swap file type"
command: file {{ swap_file_path }}
register: swapfile
become: yes
- name: Make swap file
command: "mkswap {{ swap_file_path }}"
become: yes
- name: Write swap entry in fstab
mount: name=none
src={{ swap_file_path }}
fstype=swap
opts=sw
passno=0
dump=0
state=present
become: yes
- name: Mount swap
command: "swapon {{ swap_file_path }}"
become: yes
- name: Set swappiness
command: sysctl -w vm.swappiness=1
become: yes
- name: Make swappiness permanent
copy:
dest: "/etc/sysctl.d/99-swappiness.conf"
content: |
vm.swappiness=1
become: yes
# Minecraft
- name: Clone minecraft-launcher repo
ansible.builtin.git:
repo: 'https://aur.archlinux.org/minecraft-launcher.git'
dest: '{{ executable_temp_dir }}/minecraft-launcher'
- name: Install minecraft-launcher with makepkg
command: makepkg -si --noconfirm
args:
chdir: '{{ executable_temp_dir }}/minecraft-launcher'
# Citrix ICA Client (Citrix Receiver)
- name: Clone citrix-receiver repo
ansible.builtin.git:
repo: 'https://aur.archlinux.org/icaclient.git'
dest: '{{ executable_temp_dir }}/citrix-receiver'
- name: Install citrix-receiver with makepkg
command: makepkg -si --noconfirm
args:
chdir: '{{ executable_temp_dir }}/citrix-receiver'
- name: Create INI client dir for citrix receiver
file:
state: directory
path: '~/.ICAClient/cache'
- name: Copy INI Files to ICAClient so citrix receiver works
ansible.builtin.copy:
src: '/opt/Citrix/ICAClient/config/{{ item }}.ini'
dest: '~/.ICAClient/{{ item }}.ini'
loop:
- All_Regions
- Trusted_Region
- Unknown_Region
- canonicalization
- regions
# Backup
- name: Create backup mount directory
file:
state: directory
path: '/mnt/backup0'
become: yes
tags: backup
- name: Ensure backup0 device exists in crypttab
community.general.crypttab:
name: backup0
backing_device: UUID=1d7ce570-e695-47a0-9dda-5f14b5b20e21
password: /home/ducoterra/.lukskeys/backup0
opts: luks
state: present
become: yes
no_log: true
tags: backup
- name: Ensure backup0 mount exists in fstab
ansible.posix.mount:
path: /mnt/backup0
src: /dev/mapper/backup0
fstype: btrfs
opts: defaults,noatime,compress=zstd
state: present
become: yes
tags: backup
- name: Ensure /usr/local/scripts exists
file:
state: directory
path: '/usr/local/scripts'
become: yes
tags: backup
- name: Copy btrfs_backup.sh
ansible.builtin.copy:
src: scripts/btrfs_backup.sh
dest: /usr/local/scripts/btrfs_backup.sh
owner: root
group: root
mode: '0760'
become: yes
tags: backup
- name: Ensure hourly backups of /
ansible.builtin.cron:
name: "hourly backup of /"
minute: "0"
job: "export SOURCE_DIR=/; /usr/local/scripts/btrfs_backup.sh"
become: yes
tags: backup
- name: Ensure hourly backups of /home
ansible.builtin.cron:
name: "hourly backup of /home"
minute: "0"
job: "export SOURCE_DIR=/home; /usr/local/scripts/btrfs_backup.sh"
become: yes
tags: backup
- name: Ensure cronie service started
ansible.builtin.systemd:
name: cronie
state: restarted
daemon_reload: yes
enabled: yes
become: yes
tags: backup
# Secure Boot
# https://gist.github.com/umbernhard/d1f4a44430d6d21b3881652c7a7c9ae5
# Reboot
# - name: Unconditionally reboot the machine with all defaults
# reboot:
# become: yes