Diffstat (limited to 'ansible/solace.yml')
-rw-r--r-- | ansible/solace.yml | 300 |
1 files changed, 24 insertions, 276 deletions
diff --git a/ansible/solace.yml b/ansible/solace.yml
index f978757..38f46d0 100644
--- a/ansible/solace.yml
+++ b/ansible/solace.yml
@@ -6,331 +6,79 @@ - role: sshd - role: ssd - role: comfortable-debian-system - - role: chaoskey-host - role: version-controller - - role: emacs - - role: gnupg-workstation - - role: gnome-system - - role: ansible - role: vmhost - - role: smarthost-client - role: mail-client - - role: annexed - - role: riot-host -# # - role: writing-dev-env -# # - role: journal-workstation -# # - role: debian-dev-env -# # - role: subplot-dev-env -# # - role: obnam-dev-env -# # - role: tex-dev-env -# # - role: python-dev-env - role: unix_users - role: rust-rustup - tags: [rustup] + - role: liw + - role: self-updating-system tasks: - # - shell: | - # sed -i 's/NOPASSWD://' /etc/sudoers.d/liw - # args: - # warn: false - # Remove ping to force it be reinstalled so that the right # capabilities are set. - apt: name: iputils-ping state: absent - - apt: - name: - - bash-completion - - black - - build-essential - - cachedir - - capnproto - - clang - - daemonize - - debhelper - - dh-cargo - - expect - - extrautils - - fio - - firmware-misc-nonfree - - fling - - gimp - - graphviz - - inkscape - - iputils-ping - - isync - - jq - - jt - - libclang-dev - - librsvg2-bin - - libsqlite3-dev - - libssl-dev - - libvirt-dev - - linux-perf - - liw-automation - - llvm - - lmodern - - nettle-dev - - nfs-common - - obnam - - obnam-benchmark - - openpgp-ca - - pandoc - - pandoc-citeproc - - pandoc-filter-diagram - - pavucontrol - - pkg-config - - plantuml - - printer-driver-ptouch - - python3 - - python3-requests - - qemu-user-static - - sequoia-chameleon-gnupg - - shellcheck - - sq-liw - - sqlite3 - - sshca - - subplot - - summain - - texlive-fonts-recommended - - texlive-latex-base - - texlive-latex-extra - - texlive-latex-recommended - - texlive-plain-generic - - usbutils - - uuid - - validns - - vlc - - vobcopy - - vmdb2 - - xpdf - - zerofree - - name: install command line utilities apt: name: + - build-essential + - firmware-misc-nonfree + - firmware-realtek + - iputils-ping - locales-all - - psmisc 
- - mosh + - memtest86+ + - python3 - rsync - - vim - - screen - - tmux - - strace - - gddrescue - - pv - - moreutils - - bind9-host - - dnsutils - - lshw - - curl - # - extrautils - # - liw-automation - # - copyright-statement-lint - - bc - - yaml-mode - - ikiwiki - - taskwarrior - - zip - # - cachedir - - debmirror - - git-annex - - iftop - - info - # - jt - - kpartx - - lftp - - mediainfo - - mmv - - mtr - - num-utils - - parted-doc - - trickle - - units - - w3m - - youtube-dl - - signing-party - - sshfs - - dict - - dictd - - dict-foldoc - - dict-gcide - - dict-jargon - - dict-vera - - dict-wn - - gnuplot - - acpi - - nmap - - nethogs - time - - restic - - apt-file - - whois - - oathtool - - htop - - smartmontools - - bonnie++ - - mdadm - - hddtemp - - parted - - lvm2 - - cryptsetup - - - name: configure dict - copy: - content: | - server localhost - dest: /etc/dictd/dict.conf - - - lineinfile: - path: /etc/gdm3/daemon.conf - regexp: WaylandEnable= - line: WaylandEnable=false - - # - lineinfile: - # path: /etc/xdg/autostart/gnome-keyring-ssh.desktop - # line: Hidden=true - - # - lineinfile: - # path: /etc/X11/Xsession.options - # line: use-ssh-agent - # state: absent - - # - file: - # state: directory - # path: /home/liw/.config/autostart - # owner: liw - # group: liw - - # - copy: - # content: | - # [Desktop Entry] - # Type=Application - # Name=gpg-agent - # Comment=gpg-agent - # Exec=/usr/bin/gpg-agent --daemon - # OnlyShowIn=GNOME;Unity;MATE; - # X-GNOME-Autostart-Phase=PreDisplayServer - # X-GNOME-AutoRestart=false - # X-GNOME-Autostart-Notify=true - # X-GNOME-Bugzilla-Bugzilla=GNOME - # X-GNOME-Bugzilla-Product=gnome-keyring - # X-GNOME-Bugzilla-Component=general - # X-GNOME-Bugzilla-Version=3.20.0 - # dest: /home/liw/.config/autostart/gpg-agent.desktop - # owner: liw - # group: liw - - - name: "install necessary packages to use a Yubikey with LUKS" - apt: - name: - - yubikey-luks - - usbutils + - vim + - wireless-regdb - - name: "configure crypttab to use 
yubikey-luks key script" - crypttab: - name: pv0 - opts: keyscript=/usr/share/yubikey-luks/ykluks-keyscript - state: opts_present + - name: "configure GRUB to wait a little before booting" + lineinfile: + path: /etc/default/grub + regexp: GRUB_TIMEOUT + line: "GRUB_TIMEOUT=5" - - name: "update initramfs" + - name: "update grub" shell: | - update-initramfs -u - - - apt: - name: - - libpam-yubico - # disabled until I don't need Y4 anymore. - # - lineinfile: - # path: /etc/pam.d/common-auth - # regex: pam_yubico.so - # line: "auth required pam_yubico.so mode=challenge-response chalresp_path=/etc/yubikey_chalresp" - - file: - state: directory - path: /etc/yubikey_chalresp - mode: 0700 - - copy: - content: | - {{ lookup('pipe', 'pass libpam-yubico/liw/y6.chalresp') }} - dest: "/etc/yubikey_chalresp/liw-{{ lookup('pipe', 'pass libpam-yubico/liw/y6.serial') }}" - mode: 0600 - + update-grub vars: ansible_python_interpreter: /usr/bin/python3 sane_debian_system_version: 2 - sane_debian_system_hostname: solace - sane_debian_system_codename: bullseye + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm sane_debian_system_timezone: Europe/Helsinki sane_debian_system_sources_lists: - repo: | - deb http://deb.debian.org/debian bullseye contrib non-free - - - repo: | - deb-src http://deb.debian.org/debian bullseye main contrib non-free + deb http://deb.debian.org/debian bookworm contrib non-free non-free-firmware - repo: | - deb http://security.debian.org/debian-security bullseye-security main contrib non-free - - - repo: | - deb http://code.liw.fi/debian unstable main - signing_key: "{{ code_liw_fi_signing_key }}" - - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" + deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable main - signing_key: "{{ 
ci_prod_signing_key }}" + - repo: deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" unix_users_version: 2 unix_users: - username: liw comment: Lars Wirzenius - sudo: yes groups: - - audio - - bluetooth - - cdrom - - dialout - - dip - - floppy - libvirt - - netdev - - plugdev - - scanner - - video - authorized_keys: | - {{ liw_personal_ssh_pub }} mailname: "{{ sane_debian_system_hostname }}.liw.fi" - hostname: "{{ sane_debian_system_hostname }}" relayhost: pieni.net:587 smarthost: pieni.net smarthost_user: pienirelay smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}" rustup_cargo_install: | - cargo-audit \ - cargo-deny \ - cargo-deps \ - bandwhich \ - bat \ - cargo-edit \ - cargo-geiger \ - cargo-outdated \ - flamegraph \ - hyperfine \ - ripgrep \ starship \ - tokei \ - zoxide \ - ytop + bottom sshd_version: 1 - sshd_host_key: "{{ lookup('pipe', 'sshca host private-key solace') }}" - sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v5 solace') }}" - sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}" |
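Review bot: The new "configure GRUB to wait a little before booting" task uses an unanchored `regexp: GRUB_TIMEOUT`, which can also match a `GRUB_TIMEOUT_STYLE=...` line or a commented `#GRUB_TIMEOUT=` line in /etc/default/grub; because `lineinfile` rewrites the last match, that can clobber the wrong line and leave the real timeout untouched, so anchor it as `regexp: '^GRUB_TIMEOUT='`. The following "update grub" task is a bare `shell: update-grub` with no `changed_when`, so it reports changed and regenerates grub.cfg on every play run; it belongs in a handler fired by `notify: update grub` from the lineinfile task (or at least `command: update-grub` rather than `shell`). Separately, this revision drops `sudo: yes`, the `authorized_keys` entry and the `sshd_host_key`/`sshd_host_cert`/`sshd_user_ca_pub` vars, so whether liw still has an SSH login path and whether the host key is still CA-signed now depends entirely on what the new `liw` role and the `sshd` role defaults provide — worth confirming on a fresh deploy before the old config is gone. The hunk's indentation is flattened in this view, so the task/vars nesting above is inferred.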