vincent 2022-02-13 09:40:15 +01:00
parent a7b16cb3bc
commit 20a93c9fcb
12 changed files with 111 additions and 104 deletions


@ -6,12 +6,12 @@
command: localectl set-keymap {{ arch_base_keymap }}
- name: Update_pacman_repos
become: yes
pacman: update_cache=yes
become: true
pacman: update_cache=true
- name: Restart sshd
service: name=sshd state=restarted
become: yes
become: true
- name: restart_sysctl
service: name=systemd-sysctl state=restarted
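Review bot: The handlers `pacman: update_cache=true` and `service: name=sshd state=restarted` (and `service: name=systemd-sysctl state=restarted`) still pass module arguments as free-form `key=value` strings, while the same commit converts the `copy` and `lineinfile` tasks in the locale file to block-style mappings; newer ansible-lint flags the free-form style (`no-free-form`). Writing them as `pacman:` / `  update_cache: true` and `service:` / `  name: sshd` / `  state: restarted` keeps the files consistent. The `replace:` tasks in the pacman.conf file (`replace: dest=/etc/pacman.conf regexp=...`) have the same shape. The first handler's `- name:` line is outside the hunk.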


@ -1,29 +1,30 @@
- name: install base-devel package
pacman:
state: present # not required. choices: absent;latest;present. Desired state of the package.
name: ['base-devel'] # not required. Name or list of names of the packages to install, upgrade, or remove.
update_cache: yes
become: yes
name: ["base-devel"] # not required. Name or list of names of the packages to install, upgrade, or remove.
update_cache: true
become: true
- name: Create aur_builder user
user:
name: aur_builder
group: wheel
become: yes
become: true
- name: Allow aur_builder to run pacman as root
lineinfile:
path: /etc/sudoers.d/11-install-aur_builder
line: 'aur_builder ALL=(ALL) NOPASSWD: /usr/bin/pacman'
create: yes
validate: 'visudo -cf %s'
become: yes
line: "aur_builder ALL=(ALL) NOPASSWD: /usr/bin/pacman"
create: true
validate: "visudo -cf %s"
mode: 0600
become: true
- name: install yay
aur:
state: present
name: yay
use: makepkg
skip_pgp_check: yes
become: yes
skip_pgp_check: true
become: true
become_user: aur_builder
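Review bot: `mode: 0600` on the sudoers drop-in is an unquoted octal literal; Ansible's YAML 1.1 loader reads it as the integer 384, which the module maps back to 0600, but ansible-lint flags the pattern (`risky-octal`) and a value written without the leading zero would silently become a different mode, so write `mode: "0600"`. The `mode: 0644` values added to the keymap and locale tasks in the vconsole/locale file, and the pre-existing `0600`/`0700` modes in the ssh tasks, have the same issue. The NOPASSWD rule on `/usr/bin/pacman` is effectively root for `aur_builder` (pacman installs arbitrary packages), so the `visudo -cf %s` validation and the tight mode on this file are what keep it safe and deserve a one-line comment saying so. `skip_pgp_check: true` on the yay install is inherited from the old line but still disables source-signature verification for the build; a comment such as `# skip_pgp_check: AUR source sigs not verified — TODO revisit` records that this is accepted deliberately.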


@ -1,19 +1,19 @@
- name: upgrade arch-keyring
pacman:
state: latest # not required. choices: absent;latest;present. Desired state of the package.
state: latest # noqa package-latest
name: archlinux-keyring
force: true # not required. When removing package - force remove package, without any checks. When update_cache - force redownload repo databases.
force: true
update_cache: false
become: yes
become: true
when: system_upgrade and ansible_facts['os_family'] == "Archlinux"
- name: upgrade system
pacman:
state: latest # not required. choices: absent;latest;present. Desired state of the package.
upgrade: true # not required. Whether or not to upgrade whole system.
force: true # not required. When removing package - force remove package, without any checks. When update_cache - force redownload repo databases.
state: latest # noqa package-latest
upgrade: true
force: true
update_cache: false
become: yes
become: true
when: system_upgrade and ansible_facts['os_family'] == "Archlinux"
register: upgrade
@ -21,33 +21,34 @@
reboot:
reboot_timeout: 3600
when: upgrade.changed and "linux" in upgrade.packages and system_upgrade and ansible_facts['os_family'] == "Archlinux"
become: yes
become: true
- name: launch arch base install software
pacman:
state: present # not required. choices: absent;latest;present. Desired state of the package.
name: "{{system_base_softwares_arch}}"
become: yes
state: present
name: "{{ system_base_softwares_arch }}"
become: true
when: ansible_facts['os_family'] == "Archlinux"
- name: install aur workstation soft
aur:
name: "{{ system_base_aur_soft }}"
state: present
become: yes
become: true
become_user: aur_builder
when: ansible_facts['os_family'] == "Archlinux" and system_base_aur_soft
- name: launch debian base install software
apt:
state: present # not required. choices: absent;latest;present. Desired state of the package.
name: "{{system_base_softwares_debian}}"
update_cache: yes
become: yes
state: present
name: "{{ system_base_softwares_debian }}"
update_cache: true
become: true
when: ansible_facts['os_family'] == "Debian"
- name: GITHUB | Get current version of bat
shell: >
set -o pipefail
warn=False
curl --silent https://github.com/sharkdp/bat/releases/latest |
grep 'tag' |
@ -66,12 +67,12 @@
- name: DEBIAN | Install deb from github
become: true
apt:
deb: "{{debian_url}}"
deb: "{{ debian_url }}"
when: ansible_facts['os_family'] == "Debian"
- name: pass user shell to zsh
user:
name: "{{user.name}}" # required. Name of the user to create, remove or modify.
shell: /bin/zsh # not required. Optionally set the user's shell.,On macOS, before version 2.5, the default shell for non-system users was /usr/bin/false. Since 2.5, the default shell for non-system users on macOS is /bin/bash.
state: present # not required. choices: absent;present. Whether the account should exist or not, taking action if the state is different from what is stated.
become: yes
name: "{{ user.name }}"
shell: /bin/zsh
state: present
become: true
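Review bot: In the `GITHUB | Get current version of bat` task, `shell: >` is a folded block scalar, so lines at the same indent (`set -o pipefail`, `warn=False`, `curl --silent ...`) are joined with spaces into a single command line, and `warn=False` sits inside the script text rather than being the module's `warn` argument in either case; the rest of the script is outside the hunk. Using `shell: |` (or `set -o pipefail && curl ...`) keeps each line a separate command, and `warn=False` should be dropped or moved under `args:`. The `DEBIAN | Install deb from github` task then hands `{{ debian_url }}` to `apt: deb:`; if that is a remote URL, apt performs no signature check on a standalone .deb, so fetching it with `get_url` and a `checksum:` first would pin what gets installed.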


@ -1,6 +1,6 @@
- name: add repo main contrib
apt_repository:
repo: deb http://ftp.fr.debian.org/debian/ stable main contrib non-free
state: present # not required. choices: absent;present. A source string state.
update_cache: yes # not required. Run the equivalent of C(apt-get update) when a change occurs. Cache updates are run after making changes.
become: yes
state: present
update_cache: true
become: true
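Review bot: `repo: deb http://ftp.fr.debian.org/debian/ stable main contrib non-free` tracks the `stable` alias rather than a release codename, so the host changes major Debian release on the first `update_cache: true` run after `stable` is re-pointed. Pinning the codename makes that jump a deliberate change; if the alias is intended, a comment such as `# tracks the stable alias on purpose; release jumps happen automatically` records it. The plain `http://` mirror is workable because apt verifies the signed Release file, but that reasoning is worth the same one-line comment.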


@ -1,6 +1,5 @@
- name: Ensure hostname set
hostname:
name: "{{ inventory_hostname }}"
use: systemd
become: yes
become: true


@ -1,22 +1,30 @@
---
- name: Set keymap
copy: content="KEYMAP={{ arch_base_keymap }}\n" dest=/etc/vconsole.conf
copy:
content: "KEYMAP={{ arch_base_keymap }}\n"
dest: /etc/vconsole.conf
mode: 0644
notify: Update keymap
become: yes
become: true
- name: Generate locales
locale_gen:
name: "{{ item }}"
state: present
with_items: "{{ arch_base_locales }}"
become: yes
become: true
- name: Set locale
lineinfile: dest=/etc/locale.conf line="LANG={{ arch_base_locale }}" regexp="^LANG=" create=yes
become: yes
lineinfile:
dest: /etc/locale.conf
line: "LANG={{ arch_base_locale }}"
regexp: "^LANG="
create: true
mode: 0644
become: true
- name: Set timezone
become: yes
become: true
command: timedatectl set-timezone {{ arch_base_timezone }}
args:
creates: /etc/localtime
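Review bot: The `Set timezone` task guards `command: timedatectl set-timezone {{ arch_base_timezone }}` with `creates: /etc/localtime`, so once that file exists a later change to `arch_base_timezone` is never applied; the `timezone` module that this same commit touches in the time tasks (`timezone:` / `  name: ...`) compares against the current value and would apply it. If the command stays, quote the interpolation as `command: timedatectl set-timezone "{{ arch_base_timezone }}"` so a value containing spaces stays one argument — `command` does not run through a shell, so this is an argument-splitting concern rather than an injection one.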


@ -1,4 +1,4 @@
#- include_tasks: hostname.yml
- include_tasks: hostname.yml
- include_tasks: hosts.yml
- include_tasks: tasks.sysctl.yml
- include_tasks: dhcpcd.yml


@ -1,23 +1,23 @@
---
- name: Configure pacman color
replace: dest=/etc/pacman.conf regexp="^#(Color)" replace="\1"
become: yes
become: true
- name: Configure more pacman visuals
replace: dest=/etc/pacman.conf regexp="#(VerbosePkgLists)" replace="\1\nILoveCandy"
become: yes
become: true
- name: Configure pacman multilib repo
become: yes
become: true
replace: dest=/etc/pacman.conf regexp="^#(\[multilib\])\n^#(.*)$" replace="\1\n\2"
notify: Update_pacman_repos
when: ansible_architecture == "x86_64"
- name: add local repo to mirrorlist
become: yes
become: true
lineinfile:
path: /etc/pacman.d/mirrorlist
line: "Server= {{system_arch_local_mirror}}/$repo/os/$arch"
line: "Server= {{ system_arch_local_mirror }}/$repo/os/$arch"
state: present
insertbefore: BOF
when: system_arch_local_mirror is defined
@ -27,8 +27,7 @@
path: "/etc/ssl/certs/ca-certificates.crt" # required. The full path of the file/object to get the facts of.
register: cacertificates
- name: reinstall certificate for old system
command: "pacman -Sy ca-certificates-utils openssl --noconfirm"
become: yes
become: true
when: not cacertificates.stat.exists
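Review bot: `command: "pacman -Sy ca-certificates-utils openssl --noconfirm"` in `reinstall certificate for old system` refreshes the sync databases and installs without `-u`, which on Arch is a partial upgrade that can leave installed packages linked against libraries newer than their dependencies expect; `pacman -Syu ca-certificates-utils openssl --noconfirm`, or the `pacman` module with `update_cache: true`, avoids that. The task also has no `changed_when`, though the `when: not cacertificates.stat.exists` guard limits it to the first run. The `stat` task that registers `cacertificates` starts outside the hunk.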


@ -1,15 +1,15 @@
- name: copy ssh config for user
become: yes
become: true
copy:
dest: /home/{{item}}/.ssh/ # required. Remote absolute path where the file should be copied to. If I(src) is a directory, this must be a directory too. If I(dest) is a nonexistent path and if either I(dest) ends with "/" or I(src) is a directory, I(dest) is created. If I(src) and I(dest) are files, the parent directory of I(dest) isn't created: the task fails if it doesn't already exist.
src: "ssh/config" # not required. Local path to a file to copy to the remote server; can be absolute or relative. If path is a directory, it is copied recursively. In this case, if path ends with "/", only inside contents of that directory are copied to destination. Otherwise, if it does not end with "/", the directory itself with all contents is copied. This behavior is similar to Rsync.
force: yes # not required. the default is C(yes), which will replace the remote file when contents are different than the source. If C(no), the file will only be transferred if the destination does not exist.
remote_src: no # not required. If C(no), it will search for I(src) at originating/master machine.,If C(yes) it will go to the remote/target machine for the I(src). Default is C(no).,Currently I(remote_src) does not support recursive copying.,I(remote_src) only works with C(mode=preserve) as of version 2.6.
mode: "600" # not required. Mode the file or directory should be. For those used to I(/usr/bin/chmod) remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like C(0644) or C(01777)) or quote it (like C('644') or C('1777')) so Ansible receives a string and can do its own conversion from string into number. Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results. As of version 1.8, the mode may be specified as a symbolic mode (for example, C(u+rwx) or C(u=rw,g=r,o=r)). As of version 2.3, the mode may also be the special string C(preserve). C(preserve) means that the file will be given the same permissions as the source file.
selevel: s0 # not required. Level part of the SELinux file context. This is the MLS/MCS attribute, sometimes known as the C(range). C(_default) feature works as for I(seuser).
owner: "{{item}}" # not required. Name of the user that should own the file/directory, as would be fed to I(chown).
dest: /home/{{ item }}/.ssh/
src: "ssh/config"
force: true
remote_src: false
mode: "600"
selevel: s0
owner: "{{ item }}"
with_items:
- "{{user.name}}"
- "{{ user.name }}"
- name: ensure root ssh directory exist
become: true
file:
@ -19,44 +19,44 @@
mode: 0700
- name: copy ssh config for root
become: yes
become: true
copy:
dest: /root/.ssh/ # required. Remote absolute path where the file should be copied to. If I(src) is a directory, this must be a directory too. If I(dest) is a nonexistent path and if either I(dest) ends with "/" or I(src) is a directory, I(dest) is created. If I(src) and I(dest) are files, the parent directory of I(dest) isn't created: the task fails if it doesn't already exist.
src: "ssh/config" # not required. Local path to a file to copy to the remote server; can be absolute or relative. If path is a directory, it is copied recursively. In this case, if path ends with "/", only inside contents of that directory are copied to destination. Otherwise, if it does not end with "/", the directory itself with all contents is copied. This behavior is similar to Rsync.
force: yes # not required. the default is C(yes), which will replace the remote file when contents are different than the source. If C(no), the file will only be transferred if the destination does not exist.
remote_src: no # not required. If C(no), it will search for I(src) at originating/master machine.,If C(yes) it will go to the remote/target machine for the I(src). Default is C(no).,Currently I(remote_src) does not support recursive copying.,I(remote_src) only works with C(mode=preserve) as of version 2.6.
mode: "600" # not required. Mode the file or directory should be. For those used to I(/usr/bin/chmod) remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like C(0644) or C(01777)) or quote it (like C('644') or C('1777')) so Ansible receives a string and can do its own conversion from string into number. Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results. As of version 1.8, the mode may be specified as a symbolic mode (for example, C(u+rwx) or C(u=rw,g=r,o=r)). As of version 2.3, the mode may also be the special string C(preserve). C(preserve) means that the file will be given the same permissions as the source file.
selevel: s0 # not required. Level part of the SELinux file context. This is the MLS/MCS attribute, sometimes known as the C(range). C(_default) feature works as for I(seuser).
owner: "root" # not required. Name of the user that should own the file/directory, as would be fed to I(chown).
dest: /root/.ssh/
src: "ssh/config"
force: true
remote_src: false
mode: "600"
selevel: s0
owner: "root"
- name: ensure key directory exist
become: true
file:
state: directory
path: "{{ item.keyfile | dirname }}"
owner: "{{item.user}}"
owner: "{{ item.user }}"
mode: 0700
with_items: "{{privatekeytodeploy}}"
with_items: "{{ privatekeytodeploy }}"
- name: Install ssh private key
become: yes
become: true
copy:
content: "{{ item.privatekey }}"
dest: "{{ item.keyfile }}"
mode: 0600
owner: "{{item.user}}"
with_items: "{{privatekeytodeploy}}"
owner: "{{ item.user }}"
with_items: "{{ privatekeytodeploy }}"
- name: Deploy SSH-Keys to remote host
authorized_key:
user: "{{item.user}}"
key: "{{item.sshkey}}"
exclusive: no
with_items: "{{keystodeploy}}"
become: yes
user: "{{ item.user }}"
key: "{{ item.sshkey }}"
exclusive: false
with_items: "{{ keystodeploy }}"
become: true
- name: les connexions par mot de passe sont désactivées
become: yes
become: true
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^#?PasswordAuthentication"
@ -65,7 +65,7 @@
notify: Restart sshd
- name: Remove root SSH access
become: yes
become: true
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^PermitRootLogin"
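Review bot: `Install ssh private key` copies `content: "{{ item.privatekey }}"` in a `with_items` loop with no `no_log: true`, so the loop item — which carries the private key — is printed in the task result for every changed or failed iteration and ends up in the Ansible log or CI output; add `no_log: true` to that task. `ensure key directory exist` loops over the same `{{ privatekeytodeploy }}` list, so if its entries hold the key it exposes the item the same way and needs the same line. The `Remove root SSH access` task continues outside the hunk.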


@ -7,4 +7,4 @@
group: root
mode: 0644
notify: restart_sysctl
become: True
become: true


@ -1,12 +1,12 @@
---
- name: Enable timesync
command: timedatectl set-ntp true
become: yes
become: true
args:
creates: /etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service
- name: Set timezone and hardware clock
timezone:
hwclock: '{{ time.hwclock }}'
name: '{{ time.timezone }}'
become: yes
hwclock: "{{ time.hwclock }}"
name: "{{ time.timezone }}"
become: true


@ -1,16 +1,15 @@
---
- name: create system user
become: yes
become: true
user:
name: "{{item.name}}"
system: yes
name: "{{ item.name }}"
system: true
home: "{{ item.home | default('/') }}"
shell: "{{ item.shell |default('/usr/bin/nologin') }}"
with_items: "{{system_user}}"
with_items: "{{ system_user }}"
- name: create system group
group:
name: "{{item.name}}"
with_items: "{{system_group}}"
become: yes
name: "{{ item.name }}"
with_items: "{{ system_group }}"
become: true