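---
# Ansible play for the workstation "solace" (Debian bullseye).
#
# The play logs in directly as root over SSH (remote_user: root), so no
# privilege escalation is needed and `become` is left off.  Every secret
# used here (SSH host key, SMTP relay password, Yubikey challenge-response
# secret) is pulled at run time from `pass` via the pipe lookup; nothing
# sensitive is stored in this file.
- hosts: solace
  remote_user: root
  become: false
  roles:
    - role: sane_debian_system
    - role: sshd
    - role: ssd
    - role: comfortable-debian-system
    - role: chaoskey-host
    - role: version-controller
    - role: emacs
    - role: gnupg-workstation
    - role: gnome-system
    - role: ansible
    - role: vmhost
    - role: smarthost-client
    - role: mail-client
    - role: annexed
    - role: riot-host
    - role: liw-usual
    # - role: writing-dev-env
    # - role: journal-workstation
    # - role: debian-dev-env
    # - role: subplot-dev-env
    # - role: obnam-dev-env
    # - role: tex-dev-env
    # - role: python-dev-env
    - role: unix_users
    - role: rust-rustup
      tags: [rustup]

  tasks:
    # - shell: |
    #     sed -i 's/NOPASSWD://' /etc/sudoers.d/liw
    #   args:
    #     warn: false

    # Remove ping to force it be reinstalled so that the right
    # capabilities are set.  It is listed again in the big apt task below.
    - apt:
        name: iputils-ping
        state: absent

    - apt:
        name:
          - black
          - build-essential
          - cachedir
          - capnproto
          - clang
          - daemonize
          - debhelper
          - dh-cargo
          - expect
          - extrautils
          - fio
          - firmware-misc-nonfree
          - fling
          - gimp
          - graphviz
          - inkscape
          - iputils-ping
          - isync
          - jq
          - jt
          - libclang-dev
          - librsvg2-bin
          - libsqlite3-dev
          - libssl-dev
          - libvirt-dev
          - linux-perf
          - liw-automation
          - llvm
          - lmodern
          - nettle-dev
          - nfs-common
          - obnam
          - obnam-benchmark
          - openpgp-ca
          - pandoc
          - pandoc-citeproc
          - pandoc-filter-diagram
          - pavucontrol
          - pkg-config
          - plantuml
          - printer-driver-ptouch
          - python3
          - python3-requests
          - qemu-user-static
          - sequoia-chameleon-gnupg
          - shellcheck
          - sq-liw
          - sqlite3
          - sshca
          - subplot
          - summain
          - texlive-fonts-recommended
          - texlive-latex-base
          - texlive-latex-extra
          - texlive-latex-recommended
          - texlive-plain-generic
          - usbutils
          - uuid
          - validns
          - vlc
          - vobcopy
          - vmdb2
          - xpdf
          - zerofree

    # Force GDM to use Xorg rather than Wayland.  The regexp also matches a
    # commented-out "#WaylandEnable=" line, so that line gets replaced too.
    - lineinfile:
        path: /etc/gdm3/daemon.conf
        regexp: WaylandEnable=
        line: WaylandEnable=false

    # - lineinfile:
    #     path: /etc/xdg/autostart/gnome-keyring-ssh.desktop
    #     line: Hidden=true
    # - lineinfile:
    #     path: /etc/X11/Xsession.options
    #     line: use-ssh-agent
    #     state: absent
    # - file:
    #     state: directory
    #     path: /home/liw/.config/autostart
    #     owner: liw
    #     group: liw
    # - copy:
    #     content: |
    #       [Desktop Entry]
    #       Type=Application
    #       Name=gpg-agent
    #       Comment=gpg-agent
    #       Exec=/usr/bin/gpg-agent --daemon
    #       OnlyShowIn=GNOME;Unity;MATE;
    #       X-GNOME-Autostart-Phase=PreDisplayServer
    #       X-GNOME-AutoRestart=false
    #       X-GNOME-Autostart-Notify=true
    #       X-GNOME-Bugzilla-Bugzilla=GNOME
    #       X-GNOME-Bugzilla-Product=gnome-keyring
    #       X-GNOME-Bugzilla-Component=general
    #       X-GNOME-Bugzilla-Version=3.20.0
    #     dest: /home/liw/.config/autostart/gpg-agent.desktop
    #     owner: liw
    #     group: liw

    # Yubikey-backed LUKS unlock: the key script is wired into crypttab for
    # the "pv0" volume and the initramfs is rebuilt so it picks the change up.
    - name: "install necessary packages to use a Yubikey with LUKS"
      apt:
        name:
          - yubikey-luks
          - usbutils

    - name: "configure crypttab to use yubikey-luks key script"
      crypttab:
        name: pv0
        opts: keyscript=/usr/share/yubikey-luks/ykluks-keyscript
        state: opts_present

    # No shell features are used, so `command` is enough.  This runs (and
    # reports "changed") on every play run, which is intentional: it keeps
    # the initramfs consistent with the crypttab change above.
    - name: "update initramfs"
      command: update-initramfs -u

    # PAM module for Yubikey challenge-response login.  The PAM line that
    # would enable it is still commented out below, so for now the package
    # is only installed, not active.
    - apt:
        name:
          - libpam-yubico

    # disabled until I don't need Y4 anymore.
    # - lineinfile:
    #     path: /etc/pam.d/common-auth
    #     regex: pam_yubico.so
    #     line: "auth required pam_yubico.so mode=challenge-response chalresp_path=/etc/yubikey_chalresp"

    # File modes are quoted so YAML does not turn the octal literal into
    # the integer 448/384.
    - file:
        state: directory
        path: /etc/yubikey_chalresp
        mode: "0700"

    # The challenge-response secret is written straight from `pass`.
    # no_log keeps it out of the task output and --diff display.
    - copy:
        content: |
          {{ lookup('pipe', 'pass libpam-yubico/liw/y6.chalresp') }}
        dest: "/etc/yubikey_chalresp/liw-{{ lookup('pipe', 'pass libpam-yubico/liw/y6.serial') }}"
        mode: "0600"
      no_log: true

  vars:
    ansible_python_interpreter: /usr/bin/python3

    sane_debian_system_version: 2
    sane_debian_system_hostname: solace
    sane_debian_system_codename: bullseye
    sane_debian_system_timezone: Europe/Helsinki
    sane_debian_system_sources_lists:
      - repo: |
          deb http://deb.debian.org/debian bullseye contrib non-free
      - repo: |
          deb-src http://deb.debian.org/debian bullseye main contrib non-free
      - repo: |
          deb http://security.debian.org/debian-security bullseye-security main contrib non-free
      - repo: |
          deb http://code.liw.fi/debian unstable main
        signing_key: "{{ code_liw_fi_signing_key }}"
      - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
        signing_key: "{{ ci_prod_signing_key }}"
      - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable main
        signing_key: "{{ ci_prod_signing_key }}"

    unix_users_version: 2
    unix_users:
      - username: liw
        comment: Lars Wirzenius
        sudo: true
        groups:
          - audio
          - bluetooth
          - cdrom
          - dialout
          - dip
          - floppy
          - libvirt
          - netdev
          - plugdev
          - scanner
          - video
        authorized_keys: |
          {{ liw_personal_ssh_pub }}

    # Outgoing mail goes through an authenticated smarthost; the relay
    # password is fetched from `pass` at run time.
    mailname: "{{ sane_debian_system_hostname }}.liw.fi"
    hostname: "{{ sane_debian_system_hostname }}"
    relayhost: "pieni.net:587"
    smarthost: pieni.net
    smarthost_user: pienirelay
    smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"

    # Passed to the rust-rustup role as one multi-line shell argument list;
    # the trailing backslashes are part of the value, so keep them.
    rustup_cargo_install: |
      cargo-audit \
      cargo-deny \
      cargo-deps \
      bandwhich \
      bat \
      cargo-edit \
      cargo-geiger \
      cargo-outdated \
      flamegraph \
      hyperfine \
      ripgrep \
      starship \
      tokei \
      zoxide \
      ytop

    # Host key and certificate come from `pass` / the sshca tool; users are
    # authenticated against the liw.fi user CA public key.
    sshd_version: 1
    sshd_host_key: "{{ lookup('pipe', 'pass ssh/host/solace') }}"
    sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v3 solace') }}"
    sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"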