From 1f5171e221a1f3bd77cc0f20dbdba36b7f3384d0 Mon Sep 17 00:00:00 2001
From: Freezed <2160318-free_zed@users.noreply.gitlab.com>
Date: Thu, 16 Jun 2022 20:29:50 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=9A=A7=20WIP:=20merge=20user=20&=20apt=20?=
 =?UTF-8?q?branches?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

TODO: improve the APT & user tasks so they run in a restricted environment,
e.g. when sudo is limited
---
 tasks/user_cfg/apt.yml                        | 23 ++++++++++
 tasks/{apt.yml => user_cfg/apt_restriced.yml} | 27 ++----------
 tasks/user_cfg/main.yml                       | 10 +++--
 tasks/user_cfg/my_user.yml                    | 17 +++-----
 tasks/user_cfg/root.yml                       | 43 +++++++++++--------
 5 files changed, 65 insertions(+), 55 deletions(-)
 create mode 100644 tasks/user_cfg/apt.yml
 rename tasks/{apt.yml => user_cfg/apt_restriced.yml} (70%)

diff --git a/tasks/user_cfg/apt.yml b/tasks/user_cfg/apt.yml
new file mode 100644
index 0000000..e76e8ba
--- /dev/null
+++ b/tasks/user_cfg/apt.yml
@@ -0,0 +1,23 @@
+---
+- remote_user: root
+
+  tasks:
+    - name: Remove snap packages
+      when: snap_uninstall_pkg is defined
+      community.general.snap:
+        name: "{{ snap_uninstall_pkg }}"
+        state: absent
+
+    - name: SIGNAL | add key to keyring
+      when: inventory_hostname in groups.station
+      ansible.builtin.apt_key:
+        url: https://updates.signal.org/desktop/apt/keys.asc
+        keyring: /usr/share/keyrings/signal-desktop-keyring.gpg
+        state: present
+
+    - name: SIGNAL | add apt repository
+      when: inventory_hostname in groups.station
+      ansible.builtin.apt_repository:
+        filename: signal-desktop
+        repo: deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main
+        state: present
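Review bot: `tasks:` is not a task keyword, so `ansible.builtin.import_tasks: apt.yml` in main.yml will fail to load this file: it is laid out as a play fragment (`- remote_user: root` with a nested `tasks:`) where `import_tasks` expects a bare list of tasks. The same play-shaped layout is introduced in root.yml and apt_restriced.yml by this patch. Either drop the wrapper and list the tasks at the top level with `become: true` on each task that needs root, or keep these files as plays and reference them from main.yml with `ansible.builtin.import_playbook` instead.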
diff --git a/tasks/apt.yml b/tasks/user_cfg/apt_restriced.yml
similarity index 70%
rename from tasks/apt.yml
rename to tasks/user_cfg/apt_restriced.yml
index db31801..4522c55 100644
--- a/tasks/apt.yml
+++ b/tasks/user_cfg/apt_restriced.yml
@@ -1,9 +1,8 @@
----
-- hosts: "{{ host_list }}"
-  remote_user: root
+- remote_user: "{{ my_user }}"
+  become_user: root
+  become_method: sudo
 
   tasks:
-
     - name: INCLUDE_VARS | base
       ansible.builtin.include_vars: "main.yml"
 
@@ -18,12 +17,6 @@
       when: "'mate' in group_names"
       ansible.builtin.include_vars: "Mate.yml"
 
-    - name: Remove snap packages
-      when: snap_uninstall_pkg is defined
-      community.general.snap:
-        name: "{{ snap_uninstall_pkg }}"
-        state: absent
-
     - name: APT | install base & os packages
       ansible.builtin.apt:
         cache_valid_time: 3600
@@ -32,20 +25,6 @@
         state: present
         update_cache: true
 
-    - name: SIGNAL | add key to keyring
-      when: inventory_hostname in groups.station
-      ansible.builtin.apt_key:
-        url: https://updates.signal.org/desktop/apt/keys.asc
-        keyring: /usr/share/keyrings/signal-desktop-keyring.gpg
-        state: present
-
-    - name: SIGNAL | add apt repository
-      when: inventory_hostname in groups.station
-      ansible.builtin.apt_repository:
-        filename: signal-desktop
-        repo: deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main
-        state: present
-
     - name: APT | install workstation packages
       when: inventory_hostname in groups.station
       ansible.builtin.apt:
diff --git a/tasks/user_cfg/main.yml b/tasks/user_cfg/main.yml
index f3f9265..b11fbb8 100644
--- a/tasks/user_cfg/main.yml
+++ b/tasks/user_cfg/main.yml
@@ -1,12 +1,16 @@
 ---
 - hosts: "{{ host_list }}"
-  become_user: "{{ my_user }}"
-  become_method: su
-  remote_user: root
 
   tasks:
+  - name: IMPORT_TASKS | APT_RESTRICTED
+    ansible.builtin.import_tasks: apt_restricted.yml
+
+  - name: IMPORT_TASKS | APT
+    ansible.builtin.import_tasks: apt.yml
+    when: inventory_hostname not in groups.restricted
 
   - name: "IMPORT_TASKS | root"
+    when: inventory_hostname not in groups.restricted
     ansible.builtin.import_tasks: root.yml
 
   - name: "IMPORT_TASKS | {{ my_user }}"
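Review bot: `when: inventory_hostname not in groups.restricted` on the two new conditions raises an undefined-attribute error on any inventory that defines no `restricted` group; write it as `when: inventory_hostname not in groups.get('restricted', [])` so the playbook still runs there. With `remote_user: root` and the `become_*` keys removed from the play, every task that my_user.yml imports (which also loses its per-task `become: yes` in this patch) now runs as whatever connection user the inventory supplies, and nothing documents that expectation; add a comment above `- hosts:` such as `# connection user must be {{ my_user }} (or root): home-dir tasks run without escalation`. The imported apt.yml and root.yml are written as play fragments, which `import_tasks` does not accept, so these imports will fail until those files are flattened to task lists.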
diff --git a/tasks/user_cfg/my_user.yml b/tasks/user_cfg/my_user.yml
index 3e0354b..1df3ea3 100644
--- a/tasks/user_cfg/my_user.yml
+++ b/tasks/user_cfg/my_user.yml
@@ -1,30 +1,32 @@
 ---
 
 - name: MY USER | dotfiles
-  become: yes
   ansible.builtin.copy:
     src: "{{ item }}"
     dest: "/home/{{ my_user }}/.{{ item | basename }}"
     mode: 0640
     owner: "{{ my_user }}"
-    group: "{{ my_user }}"
   with_fileglob:
     files/dotfiles/*
   loop_control:
     label: "{{ item | basename }}"
 
 - name: MY USER | ssh config
-  become: yes
   ansible.builtin.template:
     dest: "/home/{{ my_user }}/.ssh/config"
     src: templates/ssh_config.j2
     mode: 0640
 
+- name: "MY USER  | Local public key is present for {{ my_user }}"
+  ansible.builtin.authorized_key:
+    comment: "Managed by Ansible"
+    key: https://gitlab.com/free_zed.keys
+    state: present
+    user: "{{ my_user }}"
+
 - name: MY USER | git directory presence
-  become: yes
   when: inventory_hostname in groups.station
   ansible.builtin.file:
-    group: "{{ my_user }}"
     mode: '0750'
     owner: "{{ my_user }}"
     path: "/home/{{ my_user }}/git"
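Review bot: The new `MY USER  | Local public key` task installs whatever `https://gitlab.com/free_zed.keys` serves at run time, so control of that GitLab account (or any key added to it) becomes SSH access to every managed host as `{{ my_user }}`; root.yml installs the same URL for root. Prefer vendoring the public key into the repository so the trust anchor is reviewed code, e.g. `key: "{{ lookup('file', 'files/PUBKEY_FILE.pub') }}"` (placeholder path), and consider `exclusive: true` if no other keys are expected, since otherwise keys removed from the account linger in authorized_keys. Dropping `group: "{{ my_user }}"` from the copy/file tasks presumably leaves newly created files in the connection user's primary group, which is only correct if that user is `{{ my_user }}`; a comment on the first task stating that assumption would help.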
@@ -35,7 +37,6 @@
   ansible.builtin.include_vars: "vars/git.yml"
 
 - name: MY USER | clone git repos
-  become: yes
   when: inventory_hostname in groups.station
   ansible.builtin.git:
     dest: "/home/{{ my_user }}/git/{{ item.local_name }}"
@@ -48,21 +49,17 @@
     label: "{{ item.local_name }}"
 
 - name: MY USER | osm cache dir presence
-  become: yes
   when: inventory_hostname in groups.station
   ansible.builtin.file:
-    group: "{{ my_user }}"
     mode: '0750'
     owner: "{{ my_user }}"
     path: "/home/{{ my_user }}/.osm-tiles/"
     state: directory
 
 - name: MY USER | gps prune config
-  become: yes
   when: inventory_hostname in groups.station
   ansible.builtin.template:
     src: templates/pruneconfig.j2
     dest: "/home/{{ my_user }}/.pruneconfig"
     owner: "{{ my_user }}"
-    group: "{{ my_user }}"
     mode: '0640'
diff --git a/tasks/user_cfg/root.yml b/tasks/user_cfg/root.yml
index d55dca4..eb830f9 100644
--- a/tasks/user_cfg/root.yml
+++ b/tasks/user_cfg/root.yml
@@ -1,21 +1,28 @@
 ---
+- remote_user: root
 
-- name: ROOT | dotfiles
-  become: no
-  ansible.builtin.copy:
-    src: "{{ item }}"
-    dest: "/root/.{{ item | basename }}"
-    mode: 0640
-    owner: root
-    group: root
-  with_fileglob:
-    files/dotfiles/*
-  loop_control:
-    label: "{{ item | basename }}"
+  tasks:
+  -  name: ROOT | dotfiles
+     ansible.builtin.copy:
+       src: "{{ item }}"
+       dest: "/root/.{{ item | basename }}"
+       mode: 0640
+       owner: root
+       group: root
+     with_fileglob:
+       files/dotfiles/*
+     loop_control:
+       label: "{{ item | basename }}"
 
-- name: ROOT | set zsh for shell
-  become: no
-  ansible.builtin.user:
-    name: root
-    shell: /bin/zsh
-    state: present
+-  - name: ROOT | set zsh for shell
+     ansible.builtin.user:
+       name: root
+       shell: /bin/zsh
+       state: present
+
+    - name: "ROOT | Local public key is present for root"
+      ansible.builtin.authorized_key:
+        comment: "Managed by Ansible"
+        key: https://gitlab.com/free_zed.keys
+        state: present
+        user: root
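Review bot: The list under `tasks:` is malformed: `-  - name: ROOT | set zsh for shell` at column 0 opens a new top-level sequence entry (a list inside a list) rather than a second task, and the following `    - name: "ROOT | Local public key is present for root"` sits at a column that matches neither the dotfiles task nor that inner list, so the file will either fail to parse or leave the zsh and authorized_key tasks outside `tasks:`. Put all three tasks at one indentation under `tasks:`, e.g. `    - name: ROOT | dotfiles`, `    - name: ROOT | set zsh for shell`, `    - name: "ROOT | Local public key is present for root"`, each with its module keys two spaces further in. While re-indenting, quote the octal mode as `mode: "0640"` to match the `'0750'` style used in my_user.yml and avoid the leading-zero integer trap. Note also that the `- remote_user: root` / `tasks:` wrapper is a play, not a task list, and main.yml loads this file with `import_tasks: root.yml`.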
-- 
GitLab