This commit is contained in:
vincent 2022-02-13 09:40:15 +01:00
parent a7b16cb3bc
commit 20a93c9fcb
12 changed files with 111 additions and 104 deletions

View File

@ -6,12 +6,12 @@
command: localectl set-keymap {{ arch_base_keymap }} command: localectl set-keymap {{ arch_base_keymap }}
- name: Update_pacman_repos - name: Update_pacman_repos
become: yes become: true
pacman: update_cache=yes pacman: update_cache=true
- name: Restart sshd - name: Restart sshd
service: name=sshd state=restarted service: name=sshd state=restarted
become: yes become: true
- name: restart_sysctl - name: restart_sysctl
service: name=systemd-sysctl state=restarted service: name=systemd-sysctl state=restarted

View File

@ -1,29 +1,30 @@
- name: install base-devel package - name: install base-devel package
pacman: pacman:
state: present # not required. choices: absent;latest;present. Desired state of the package. state: present # not required. choices: absent;latest;present. Desired state of the package.
name: ['base-devel'] # not required. Name or list of names of the packages to install, upgrade, or remove. name: ["base-devel"] # not required. Name or list of names of the packages to install, upgrade, or remove.
update_cache: yes update_cache: true
become: yes become: true
- name: Create aur_builder user - name: Create aur_builder user
user: user:
name: aur_builder name: aur_builder
group: wheel group: wheel
become: yes become: true
- name: Allow aur_builder to run pacman as root - name: Allow aur_builder to run pacman as root
lineinfile: lineinfile:
path: /etc/sudoers.d/11-install-aur_builder path: /etc/sudoers.d/11-install-aur_builder
line: 'aur_builder ALL=(ALL) NOPASSWD: /usr/bin/pacman' line: "aur_builder ALL=(ALL) NOPASSWD: /usr/bin/pacman"
create: yes create: true
validate: 'visudo -cf %s' validate: "visudo -cf %s"
become: yes mode: 0600
become: true
- name: install yay - name: install yay
aur: aur:
state: present state: present
name: yay name: yay
use: makepkg use: makepkg
skip_pgp_check: yes skip_pgp_check: true
become: yes become: true
become_user: aur_builder become_user: aur_builder

View File

@ -1,19 +1,19 @@
- name: upgrade arch-keyring - name: upgrade arch-keyring
pacman: pacman:
state: latest # not required. choices: absent;latest;present. Desired state of the package. state: latest # noqa package-latest
name: archlinux-keyring name: archlinux-keyring
force: true # not required. When removing package - force remove package, without any checks. When update_cache - force redownload repo databases. force: true
update_cache: false update_cache: false
become: yes become: true
when: system_upgrade and ansible_facts['os_family'] == "Archlinux" when: system_upgrade and ansible_facts['os_family'] == "Archlinux"
- name: upgrade system - name: upgrade system
pacman: pacman:
state: latest # not required. choices: absent;latest;present. Desired state of the package. state: latest # noqa package-latest
upgrade: true # not required. Whether or not to upgrade whole system. upgrade: true
force: true # not required. When removing package - force remove package, without any checks. When update_cache - force redownload repo databases. force: true
update_cache: false update_cache: false
become: yes become: true
when: system_upgrade and ansible_facts['os_family'] == "Archlinux" when: system_upgrade and ansible_facts['os_family'] == "Archlinux"
register: upgrade register: upgrade
@ -21,33 +21,34 @@
reboot: reboot:
reboot_timeout: 3600 reboot_timeout: 3600
when: upgrade.changed and "linux" in upgrade.packages and system_upgrade and ansible_facts['os_family'] == "Archlinux" when: upgrade.changed and "linux" in upgrade.packages and system_upgrade and ansible_facts['os_family'] == "Archlinux"
become: yes become: true
- name: launch arch base install software - name: launch arch base install software
pacman: pacman:
state: present # not required. choices: absent;latest;present. Desired state of the package. state: present
name: "{{system_base_softwares_arch}}" name: "{{ system_base_softwares_arch }}"
become: yes become: true
when: ansible_facts['os_family'] == "Archlinux" when: ansible_facts['os_family'] == "Archlinux"
- name: install aur workstation soft - name: install aur workstation soft
aur: aur:
name: "{{ system_base_aur_soft }}" name: "{{ system_base_aur_soft }}"
state: present state: present
become: yes become: true
become_user: aur_builder become_user: aur_builder
when: ansible_facts['os_family'] == "Archlinux" and system_base_aur_soft when: ansible_facts['os_family'] == "Archlinux" and system_base_aur_soft
- name: launch debian base install software - name: launch debian base install software
apt: apt:
state: present # not required. choices: absent;latest;present. Desired state of the package. state: present
name: "{{system_base_softwares_debian}}" name: "{{ system_base_softwares_debian }}"
update_cache: yes update_cache: true
become: yes become: true
when: ansible_facts['os_family'] == "Debian" when: ansible_facts['os_family'] == "Debian"
- name: GITHUB | Get current version of bat - name: GITHUB | Get current version of bat
shell: > shell: >
set -o pipefail
warn=False warn=False
curl --silent https://github.com/sharkdp/bat/releases/latest | curl --silent https://github.com/sharkdp/bat/releases/latest |
grep 'tag' | grep 'tag' |
@ -66,12 +67,12 @@
- name: DEBIAN | Install deb from github - name: DEBIAN | Install deb from github
become: true become: true
apt: apt:
deb: "{{debian_url}}" deb: "{{ debian_url }}"
when: ansible_facts['os_family'] == "Debian" when: ansible_facts['os_family'] == "Debian"
- name: pass user shell to zsh - name: pass user shell to zsh
user: user:
name: "{{user.name}}" # required. Name of the user to create, remove or modify. name: "{{ user.name }}"
shell: /bin/zsh # not required. Optionally set the user's shell.,On macOS, before version 2.5, the default shell for non-system users was /usr/bin/false. Since 2.5, the default shell for non-system users on macOS is /bin/bash. shell: /bin/zsh
state: present # not required. choices: absent;present. Whether the account should exist or not, taking action if the state is different from what is stated. state: present
become: yes become: true

View File

@ -1,6 +1,6 @@
- name: add repo main contrib - name: add repo main contrib
apt_repository: apt_repository:
repo: deb http://ftp.fr.debian.org/debian/ stable main contrib non-free repo: deb http://ftp.fr.debian.org/debian/ stable main contrib non-free
state: present # not required. choices: absent;present. A source string state. state: present
update_cache: yes # not required. Run the equivalent of C(apt-get update) when a change occurs. Cache updates are run after making changes. update_cache: true
become: yes become: true

View File

@ -1,6 +1,5 @@
- name: Ensure hostname set - name: Ensure hostname set
hostname: hostname:
name: "{{ inventory_hostname }}" name: "{{ inventory_hostname }}"
use: systemd use: systemd
become: yes become: true

View File

@ -1,22 +1,30 @@
--- ---
- name: Set keymap - name: Set keymap
copy: content="KEYMAP={{ arch_base_keymap }}\n" dest=/etc/vconsole.conf copy:
content: "KEYMAP={{ arch_base_keymap }}\n"
dest: /etc/vconsole.conf
mode: 0644
notify: Update keymap notify: Update keymap
become: yes become: true
- name: Generate locales - name: Generate locales
locale_gen: locale_gen:
name: "{{ item }}" name: "{{ item }}"
state: present state: present
with_items: "{{ arch_base_locales }}" with_items: "{{ arch_base_locales }}"
become: yes become: true
- name: Set locale - name: Set locale
lineinfile: dest=/etc/locale.conf line="LANG={{ arch_base_locale }}" regexp="^LANG=" create=yes lineinfile:
become: yes dest: /etc/locale.conf
line: "LANG={{ arch_base_locale }}"
regexp: "^LANG="
create: true
mode: 0644
become: true
- name: Set timezone - name: Set timezone
become: yes become: true
command: timedatectl set-timezone {{ arch_base_timezone }} command: timedatectl set-timezone {{ arch_base_timezone }}
args: args:
creates: /etc/localtime creates: /etc/localtime

View File

@ -1,4 +1,4 @@
#- include_tasks: hostname.yml - include_tasks: hostname.yml
- include_tasks: hosts.yml - include_tasks: hosts.yml
- include_tasks: tasks.sysctl.yml - include_tasks: tasks.sysctl.yml
- include_tasks: dhcpcd.yml - include_tasks: dhcpcd.yml

View File

@ -1,34 +1,33 @@
--- ---
- name: Configure pacman color - name: Configure pacman color
replace: dest=/etc/pacman.conf regexp="^#(Color)" replace="\1" replace: dest=/etc/pacman.conf regexp="^#(Color)" replace="\1"
become: yes become: true
- name: Configure more pacman visuals - name: Configure more pacman visuals
replace: dest=/etc/pacman.conf regexp="#(VerbosePkgLists)" replace="\1\nILoveCandy" replace: dest=/etc/pacman.conf regexp="#(VerbosePkgLists)" replace="\1\nILoveCandy"
become: yes become: true
- name: Configure pacman multilib repo - name: Configure pacman multilib repo
become: yes become: true
replace: dest=/etc/pacman.conf regexp="^#(\[multilib\])\n^#(.*)$" replace="\1\n\2" replace: dest=/etc/pacman.conf regexp="^#(\[multilib\])\n^#(.*)$" replace="\1\n\2"
notify: Update_pacman_repos notify: Update_pacman_repos
when: ansible_architecture == "x86_64" when: ansible_architecture == "x86_64"
- name: add local repo to mirrorlist - name: add local repo to mirrorlist
become: yes become: true
lineinfile: lineinfile:
path: /etc/pacman.d/mirrorlist path: /etc/pacman.d/mirrorlist
line: "Server= {{system_arch_local_mirror}}/$repo/os/$arch" line: "Server= {{ system_arch_local_mirror }}/$repo/os/$arch"
state: present state: present
insertbefore: BOF insertbefore: BOF
when: system_arch_local_mirror is defined when: system_arch_local_mirror is defined
- name: stat ca-certificates - name: stat ca-certificates
stat: stat:
path: "/etc/ssl/certs/ca-certificates.crt" # required. The full path of the file/object to get the facts of. path: "/etc/ssl/certs/ca-certificates.crt" # required. The full path of the file/object to get the facts of.
register: cacertificates register: cacertificates
- name: reinstall certificate for old system - name: reinstall certificate for old system
command: "pacman -Sy ca-certificates-utils openssl --noconfirm" command: "pacman -Sy ca-certificates-utils openssl --noconfirm"
become: yes become: true
when: not cacertificates.stat.exists when: not cacertificates.stat.exists

View File

@ -1,15 +1,15 @@
- name: copy ssh config for user - name: copy ssh config for user
become: yes become: true
copy: copy:
dest: /home/{{item}}/.ssh/ # required. Remote absolute path where the file should be copied to. If I(src) is a directory, this must be a directory too. If I(dest) is a nonexistent path and if either I(dest) ends with "/" or I(src) is a directory, I(dest) is created. If I(src) and I(dest) are files, the parent directory of I(dest) isn't created: the task fails if it doesn't already exist. dest: /home/{{ item }}/.ssh/
src: "ssh/config" # not required. Local path to a file to copy to the remote server; can be absolute or relative. If path is a directory, it is copied recursively. In this case, if path ends with "/", only inside contents of that directory are copied to destination. Otherwise, if it does not end with "/", the directory itself with all contents is copied. This behavior is similar to Rsync. src: "ssh/config"
force: yes # not required. the default is C(yes), which will replace the remote file when contents are different than the source. If C(no), the file will only be transferred if the destination does not exist. force: true
remote_src: no # not required. If C(no), it will search for I(src) at originating/master machine.,If C(yes) it will go to the remote/target machine for the I(src). Default is C(no).,Currently I(remote_src) does not support recursive copying.,I(remote_src) only works with C(mode=preserve) as of version 2.6. remote_src: false
mode: "600" # not required. Mode the file or directory should be. For those used to I(/usr/bin/chmod) remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like C(0644) or C(01777)) or quote it (like C('644') or C('1777')) so Ansible receives a string and can do its own conversion from string into number. Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results. As of version 1.8, the mode may be specified as a symbolic mode (for example, C(u+rwx) or C(u=rw,g=r,o=r)). As of version 2.3, the mode may also be the special string C(preserve). C(preserve) means that the file will be given the same permissions as the source file. mode: "600"
selevel: s0 # not required. Level part of the SELinux file context. This is the MLS/MCS attribute, sometimes known as the C(range). C(_default) feature works as for I(seuser). selevel: s0
owner: "{{item}}" # not required. Name of the user that should own the file/directory, as would be fed to I(chown). owner: "{{ item }}"
with_items: with_items:
- "{{user.name}}" - "{{ user.name }}"
- name: ensure root ssh directory exist - name: ensure root ssh directory exist
become: true become: true
file: file:
@ -19,44 +19,44 @@
mode: 0700 mode: 0700
- name: copy ssh config for root - name: copy ssh config for root
become: yes become: true
copy: copy:
dest: /root/.ssh/ # required. Remote absolute path where the file should be copied to. If I(src) is a directory, this must be a directory too. If I(dest) is a nonexistent path and if either I(dest) ends with "/" or I(src) is a directory, I(dest) is created. If I(src) and I(dest) are files, the parent directory of I(dest) isn't created: the task fails if it doesn't already exist. dest: /root/.ssh/
src: "ssh/config" # not required. Local path to a file to copy to the remote server; can be absolute or relative. If path is a directory, it is copied recursively. In this case, if path ends with "/", only inside contents of that directory are copied to destination. Otherwise, if it does not end with "/", the directory itself with all contents is copied. This behavior is similar to Rsync. src: "ssh/config"
force: yes # not required. the default is C(yes), which will replace the remote file when contents are different than the source. If C(no), the file will only be transferred if the destination does not exist. force: true
remote_src: no # not required. If C(no), it will search for I(src) at originating/master machine.,If C(yes) it will go to the remote/target machine for the I(src). Default is C(no).,Currently I(remote_src) does not support recursive copying.,I(remote_src) only works with C(mode=preserve) as of version 2.6. remote_src: false
mode: "600" # not required. Mode the file or directory should be. For those used to I(/usr/bin/chmod) remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like C(0644) or C(01777)) or quote it (like C('644') or C('1777')) so Ansible receives a string and can do its own conversion from string into number. Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results. As of version 1.8, the mode may be specified as a symbolic mode (for example, C(u+rwx) or C(u=rw,g=r,o=r)). As of version 2.3, the mode may also be the special string C(preserve). C(preserve) means that the file will be given the same permissions as the source file. mode: "600"
selevel: s0 # not required. Level part of the SELinux file context. This is the MLS/MCS attribute, sometimes known as the C(range). C(_default) feature works as for I(seuser). selevel: s0
owner: "root" # not required. Name of the user that should own the file/directory, as would be fed to I(chown). owner: "root"
- name: ensure key directory exist - name: ensure key directory exist
become: true become: true
file: file:
state: directory state: directory
path: "{{ item.keyfile | dirname }}" path: "{{ item.keyfile | dirname }}"
owner: "{{item.user}}" owner: "{{ item.user }}"
mode: 0700 mode: 0700
with_items: "{{privatekeytodeploy}}" with_items: "{{ privatekeytodeploy }}"
- name: Install ssh private key - name: Install ssh private key
become: yes become: true
copy: copy:
content: "{{ item.privatekey }}" content: "{{ item.privatekey }}"
dest: "{{ item.keyfile }}" dest: "{{ item.keyfile }}"
mode: 0600 mode: 0600
owner: "{{item.user}}" owner: "{{ item.user }}"
with_items: "{{privatekeytodeploy}}" with_items: "{{ privatekeytodeploy }}"
- name: Deploy SSH-Keys to remote host - name: Deploy SSH-Keys to remote host
authorized_key: authorized_key:
user: "{{item.user}}" user: "{{ item.user }}"
key: "{{item.sshkey}}" key: "{{ item.sshkey }}"
exclusive: no exclusive: false
with_items: "{{keystodeploy}}" with_items: "{{ keystodeploy }}"
become: yes become: true
- name: les connexions par mot de passe sont désactivées - name: les connexions par mot de passe sont désactivées
become: yes become: true
lineinfile: lineinfile:
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: "^#?PasswordAuthentication" regexp: "^#?PasswordAuthentication"
@ -65,7 +65,7 @@
notify: Restart sshd notify: Restart sshd
- name: Remove root SSH access - name: Remove root SSH access
become: yes become: true
lineinfile: lineinfile:
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: "^PermitRootLogin" regexp: "^PermitRootLogin"

View File

@ -7,4 +7,4 @@
group: root group: root
mode: 0644 mode: 0644
notify: restart_sysctl notify: restart_sysctl
become: True become: true

View File

@ -1,12 +1,12 @@
--- ---
- name: Enable timesync - name: Enable timesync
command: timedatectl set-ntp true command: timedatectl set-ntp true
become: yes become: true
args: args:
creates: /etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service creates: /etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service
- name: Set timezone and hardware clock - name: Set timezone and hardware clock
timezone: timezone:
hwclock: '{{ time.hwclock }}' hwclock: "{{ time.hwclock }}"
name: '{{ time.timezone }}' name: "{{ time.timezone }}"
become: yes become: true

View File

@ -1,16 +1,15 @@
--- ---
- name: create system user - name: create system user
become: yes become: true
user: user:
name: "{{item.name}}" name: "{{ item.name }}"
system: yes system: true
home: "{{ item.home | default('/') }}" home: "{{ item.home | default('/') }}"
shell: "{{ item.shell |default('/usr/bin/nologin') }}" shell: "{{ item.shell |default('/usr/bin/nologin') }}"
with_items: "{{system_user}}" with_items: "{{ system_user }}"
- name: create system group - name: create system group
group: group:
name: "{{item.name}}" name: "{{ item.name }}"
with_items: "{{system_group}}" with_items: "{{ system_group }}"
become: yes become: true