Bye Ansible!
Flake Check / flake-check (pull_request) Successful in 57s
Flake Check / flake-check (push) Successful in 44s

pull/71/head
Tudor Roman 2024-03-12 13:27:15 +01:00
parent 9e932104a6
commit 7ba385f5dc
Signed by: tudor
SSH Key Fingerprint: SHA256:3CwS9plgXBecpXImPGxDIaSktUXBejbV/zerZMqzzBk
22 changed files with 5 additions and 315 deletions


@ -26,8 +26,11 @@ Remote server:
### Any other Linux distro for sane people
1. Provision a machine with a "normal" Linux distro (my personal choice is Fedora).
For this, [I prepared Ansible roles and playbooks](./ansible).
The companion distro for this config is [My Build of Fedora Silverblue](https://github.com/tudurom/my-os).
It is made with [BlueBuild](https://blue-build.org). The desktop-oriented configs in this repo
are meant to be used with this Fedora build only.
1. Provision a system with the [ISO](https://github.com/tudurom/my-os/releases/tag/auto-iso).
2. Install Nix (my installer of choice is [nix-installer][nix-installer]).
3. Clone this repo somewhere on the machine
4. `nix run .#home-manager -- switch --flake .#tudor`
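Review bot: The heading `### Any other Linux distro for sane people` no longer matches the text under it, which now says the desktop-oriented configs are meant for the `my-os` Fedora Silverblue build only; either rename the heading to name that build or keep a short note for genuinely other distros. Step 2 uses the reference-style link `[nix-installer][nix-installer]`, so make sure that reference is still defined elsewhere in the README. Since step 1 now has the reader boot an ISO fetched from a GitHub release, one sentence on how to check that image before installing it (if the release publishes a checksum or signature, where to find it and how to verify it) would be worth adding.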


@ -1,5 +0,0 @@
[defaults]
playbooks_path = ./ansible/playbooks
roles_path = ./ansible/roles
inventory = ./ansible/hosts.yml
pipelining = true

ansible/.gitignore vendored

@ -1 +0,0 @@
.direnv


@ -1,75 +0,0 @@
Ansible roles and playbooks
===========================
While I very much love Nix and NixOS, I think NixOS is not suitable
for a developer's day-to-day-use machine.
On my personal machine, which is now just a laptop, I want to be able
to quickly change settings and run random scripts and programs without
first adapting them, whereas on a server and/or a VM
(either a server VM, or just some tiny one for development and testing)
I do prefer having the rigurousness that NixOS provides.
For this reason, I prefer running Nix with Home Manager on top of Fedora
on my laptop. I actually use [Fedora Silverblue][fedora-silverblue], which also gives me
a very nice system base that I can version and roll-back if needed, with the advantage
of looking very much like a "normal" Linux distro. I even have automatic updates
that are applied transparently on next reboot!
[fedora-silverblue]: https://fedoraproject.org/silverblue/
I would, however, like to also manage the underlying OS in a declarative way.
I am using Ansible to achieve this.
Setup
-----
First and foremost, as a desktop user, I'd like to have some niceties like
hardware accelerated codecs and compatibility with various peripherals.
Luckily, the [Universal Blue][universal-blue] project provides
ready-made Silverblue-based OSTree images with neat additions for desktop users.
**This setup assumes that you already installed the [Universal Blue `silverblue-main`][silverblue-main] image!
Applying it on top of stock Fedora Silverblue should also work just fine!**
[universal-blue]: https://universal-blue.org/
[silverblue-main]: https://universal-blue.org/images/main/
Because I don't want to litter my Silverblue install with Ansible and Python stuff,
I am running it from a container (with either [Toolbx][toolbx] or [Distrobox][distrobox]).
To make that work, I enabled the SSH daemon, added my own SSH key to `authorized_keys`,
and configured the daemon to only allow pubkey authentication.
[toolbx]: https://containertoolbx.org/
[distrobox]: https://distrobox.it/
To prepare the environment:
```sh
distrobox create ansible-box [--image whatever]
distrobox enter ansible-box
```
TODO: setup l10n properly. This is currently done at OS install time.
I have very funny l10n choices:
* Language: British English
* Measurements, time, date etc: Dutch (Netherlands)
* Keyboard: "Romanian", XKB `ro`, on Windows it's called "Romanian (Programmers)".
It's IMO the best if you write primarily English but you also want to be able
to write accents and funny symbols, it has a nice selection of deadkeys that are
not annoying to use either (looking at you, Windows "English (International)").
Running
-------
```sh
distrobox enter ansible-box
ansible-playbook playbooks/a_playbook.yml -K # the -K is short for --ask-become-pass
# or even shorter
distrobox enter ansible-box -- ansible-playbook playbooks/a_playbook.yml -K
```
To lint, run `ansible-lint` (installation left as an exercise to the reader), or:
```sh
nix flake check # this builds EVERYTHING, it will take a while
```
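Review bot: Deleting this README also deletes the only description of the setup assumptions: the Universal Blue `silverblue-main` base image, an SSH daemon enabled with the user's key in `authorized_keys` and pubkey-only authentication, and the Toolbx/Distrobox container the playbooks were run from. The new top-level README section does not carry any of this over. If the laptop keeps the SSH daemon enabled, state where its configuration now lives (the `my-os` image or Home Manager); if it was enabled only so Ansible could reach the host, a follow-up that disables it would close the loop.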


@ -1,4 +0,0 @@
---
collections:
- name: community.general
version: '>=8.0.0,<9.0.0'


@ -1,5 +0,0 @@
---
ungrouped:
hosts:
pepper:
ansible_host: localhost


@ -1,13 +0,0 @@
---
- name: Setup my laptop
hosts: pepper
roles:
- sshd_no_passwords
- auto_updates
- langpacks
- nix_installer
- distrobox
- tailscale
- one_password
- sway_fixes
- flatpaks


@ -1,6 +0,0 @@
---
- name: Reload rpm-ostree
become: true
changed_when: true
ansible.builtin.command:
cmd: /usr/bin/rpm-ostree reload


@ -1,16 +0,0 @@
---
- name: Enable rpm-ostree automatic update staging
become: true
ansible.builtin.lineinfile:
path: /etc/rpm-ostreed.conf
regexp: '^#?AutomaticUpdatePolicy='
line: 'AutomaticUpdatePolicy=stage'
register: auto_updates_policy_conf
notify: Reload rpm-ostree
- name: Enable and start rpm-ostreed-automatic timer
become: true
ansible.builtin.systemd_service:
name: rpm-ostreed-automatic.timer
state: started
enabled: true
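Review bot: This removes the task that set `AutomaticUpdatePolicy=stage` in `/etc/rpm-ostreed.conf` and the one that enabled `rpm-ostreed-automatic.timer`, and nothing else in the diff replaces them. Confirm that the `my-os` image ships the same policy and timer; otherwise unattended update staging stops silently on the next provision, and the only symptom is a system that quietly stops receiving updates.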


@ -1,12 +0,0 @@
---
- name: Gather package facts
ansible.builtin.package_facts:
- name: Install distrobox
become: true
# in case we use Universal Blue, this should already be
# installed in the image, we don't want to layer it
when: '"distrobox" not in ansible_facts.packages'
community.general.rpm_ostree_pkg:
name: distrobox
state: present


@ -1,46 +0,0 @@
---
- name: Setup user flathub flatpak repo
community.general.flatpak_remote:
method: user
enabled: true
name: flathub
state: present
flatpakrepo_url: 'https://dl.flathub.org/repo/flathub.flatpakrepo'
- name: Setup user fedora flatpak repo
community.general.flatpak_remote:
method: user
enabled: true
name: fedora
state: present
flatpakrepo_url: 'oci+https://registry.fedoraproject.org'
- name: Install various apps from flathub
community.general.flatpak:
method: user
state: present
remote: flathub
name:
- com.raggesilver.BlackBox
- org.telegram.desktop
- com.discordapp.Discord
- org.videolan.VLC
- io.github.flattool.Warehouse
- com.spotify.Client
- com.google.Chrome # for work...
- org.gnome.Solanum
- org.signal.Signal
- name: Install various apps from fedora flatpak repo
community.general.flatpak:
method: user
state: present
remote: fedora
name:
- com.github.tchx84.Flatseal
- org.gimp.GIMP
- ca.desrt.dconf-editor
- org.mozilla.Thunderbird
- org.gnome.NautilusPreviewer
- org.pulseaudio.pavucontrol
- org.libreoffice.LibreOffice


@ -1,10 +0,0 @@
---
- name: Install langpacks
become: true
community.general.rpm_ostree_pkg:
name:
- langpacks-en # lingua franca
- langpacks-en_GB # Queen's English
- langpacks-nl # the Nether
- langpacks-ro # the OG
state: present


@ -1,19 +0,0 @@
---
- name: Check if nix is installer
ansible.builtin.stat:
path: /nix
register: nix_installer_nix_stat
- name: Install Nix
when: 'not nix_installer_nix_stat.stat.exists'
block:
- name: Download Nix installer
ansible.builtin.get_url:
url: 'https://install.determinate.systems/nix/nix-installer-{{ ansible_architecture }}-linux'
dest: '/tmp/nix-installer'
mode: '0755'
- name: Run Nix installer
become: true
changed_when: true
ansible.builtin.command:
cmd: '/tmp/nix-installer install --explain --no-confirm'
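Review bot: Removing this role is an improvement in itself: `get_url` fetched the installer binary into `/tmp/nix-installer` as the unprivileged user with no `checksum:` option, and the next task executed that file with `become: true`, so integrity rested on TLS alone and on nothing touching the file between the two tasks. The first task name also has a typo (`Check if nix is installer`). Since the new top-level README still points to the same installer in step 2, now run by hand, a line there about checking the downloaded installer before running it would preserve the intent.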


@ -1,7 +0,0 @@
[1password]
name="1Password Stable Channel"
baseurl=https://downloads.1password.com/linux/rpm/stable/$basearch
enabled=1
gpgcheck=1
#repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/1password.asc
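Review bot: `repo_gpgcheck=1` is commented out while `gpgcheck=1` stays on, so only the packages were signature-checked and the repository metadata was not. That is a common default for third-party repos, but if a 1Password repo file is recreated elsewhere (for example in the image build), decide explicitly whether metadata signing should be required rather than inheriting this comment.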


@ -1,23 +0,0 @@
---
- name: Get package facts
ansible.builtin.package_facts:
- name: Download 1password repo key
become: true
ansible.builtin.get_url:
url: 'https://downloads.1password.com/linux/keys/1password.asc'
dest: '/etc/pki/rpm-gpg/1password.asc'
mode: '0644'
- name: Install 1password repo
become: true
ansible.builtin.copy:
src: '1password.repo'
dest: /etc/yum.repos.d/1password.repo
mode: '0644'
- name: Install 1Password
become: true
community.general.rpm_ostree_pkg:
name: '1password'
state: present


@ -1,2 +0,0 @@
---
one_password_rpm_url: 'https://downloads.1password.com/linux/rpm/stable/x86_64/1password-latest.rpm'
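Review bot: `one_password_rpm_url` was never referenced by the role's tasks, which installed `1password` through `community.general.rpm_ostree_pkg` from the repo file instead, and it hard-codes `x86_64` where the nix_installer role used `{{ ansible_architecture }}`. Dropping it together with the role is correct; nothing needs to replace it.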


@ -1,5 +0,0 @@
---
- name: Reload SSHD
ansible.builtin.systemd_service:
name: sshd.service
state: reloaded


@ -1,9 +0,0 @@
---
- name: Disable SSHD password authentication
become: true
ansible.builtin.copy:
dest: /etc/ssh/sshd_config.d/80-no-passwords.conf
mode: '0600'
content: >
PasswordAuthentication no
notify: Reload SSHD
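Review bot: This drop-in was the only place `PasswordAuthentication no` was enforced. If the SSH daemon stays enabled on the laptop (the deleted ansible README says it was enabled so the Distrobox container could reach the host), password authentication reverts to the distribution default unless the `my-os` image ships an equivalent `sshd_config.d` snippet; confirm that, or disable `sshd.service` if it is no longer needed.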


@ -1,24 +0,0 @@
---
- name: Install packages
become: true
community.general.rpm_ostree_pkg:
name:
- swaylock # for PAM config to be installed
- polkit-gnome
state: present
- name: Install sway Wayland session
block:
- name: Create wayland-sessions dir
become: true
ansible.builtin.file:
path: /usr/local/share/wayland-sessions
state: directory
mode: "0755"
- name: Copy session file
become: true
ansible.builtin.template:
src: sway.desktop.j2
dest: /usr/local/share/wayland-sessions/sway.desktop
mode: "0444"


@ -1,5 +0,0 @@
[Desktop Entry]
Name=sway
Exec=/home/{{ lookup('env', 'USER') }}/.nix-profile/bin/sway
Type=Application
DesktopNames=sway
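Review bot: `lookup('env', 'USER')` is evaluated on the control node, not on the target. With `ansible_host: localhost` in the deleted inventory the two coincide, which is why this worked, but the template would embed the wrong home directory for any remote host; the `ansible_user_id` fact or a role variable would have been the portable choice. Moot with the role gone, but worth remembering if the session file is recreated in the image build.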


@ -1,20 +0,0 @@
---
- name: Add tailscale repo
become: true
ansible.builtin.get_url:
url: 'https://pkgs.tailscale.com/stable/fedora/tailscale.repo'
dest: '/etc/yum.repos.d/tailscale.repo'
mode: '0644'
- name: Install tailscale
become: true
community.general.rpm_ostree_pkg:
name: tailscale
state: present
- name: Start and enable systemd service
become: true
ansible.builtin.systemd_service:
name: tailscaled.service
enabled: true
state: started


@ -238,12 +238,6 @@
alejandra.enable = true;
statix.enable = true;
deadnix.enable = true;
ansible-lint = {
enable = true;
};
};
settings.ansible-lint = {
subdir = "ansible";
};
};
};
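Review bot: With the `ansible-lint` hook and its `settings.ansible-lint.subdir = "ansible"` block gone, check that `flake.nix` does not still reference the `ansible` directory or `ansible-lint` anywhere else (a devShell package or a `checks` entry), since the 22-file list above contains no other `flake.nix` hunk. The Flake Check runs at the top of the page passed, so the remaining hooks at least evaluate.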