diff --git a/README.md b/README.md
index 8706c88..0331270 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@ ansible-galaxy collection install -r requirements.yml
 ## Usage
 
 ```sh
-ansible-playbook -i inventory.yml playbook.yml --ask-become-pass
+ansible-playbook -i inventory/hosts.yml playbook.yml --ask-become-pass
 ```
 
 ## Target devices configuration
diff --git a/roles/archlinux/defaults/main.yml b/roles/archlinux/defaults/main.yml
index 6aa5c9e..697e324 100644
--- a/roles/archlinux/defaults/main.yml
+++ b/roles/archlinux/defaults/main.yml
@@ -1,5 +1,6 @@
 arch_locale: en_US.UTF-8
 yay_src_path: /opt/yay
 yay_git_repo: https://aur.archlinux.org/yay.git
+paru_git_repo: Morganamilo/paru
 paru_src_path: /opt/paru
-paru_git_repo: https://aur.archlinux.org/paru.git
+os_arch: x86_64 # or aarch64
diff --git a/roles/archlinux/tasks/paru.yml b/roles/archlinux/tasks/paru.yml
index 0ea6fb5..e44689b 100644
--- a/roles/archlinux/tasks/paru.yml
+++ b/roles/archlinux/tasks/paru.yml
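Review bot: `paru_git_repo: Morganamilo/paru` now holds a GitHub `owner/repo` slug rather than a git URL, while `yay_git_repo` on the line above still holds a clone URL, so the variable name no longer describes its value and the two read as parallel when they are not. A name such as `paru_github_repo: Morganamilo/paru` would make the API-slug contract explicit (keep the old key as an alias if other roles still reference it — I can't see that from here). `os_arch: x86_64 # or aarch64` could default to the gathered fact instead, `os_arch: "{{ ansible_architecture }}"`, so a mixed x86_64/aarch64 inventory does not silently fetch the wrong release asset; `paru_src_path` no longer appears to be used by the download-based install, though it may be referenced elsewhere in the role.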
@@ -6,55 +6,100 @@ - name: Install paru block: - - name: Install build dependencies - package: - name: - - base-devel - - git - state: present + - name: Get the last github release + ansible.builtin.uri: + url: "https://api.github.com/repos/{{ paru_git_repo }}/releases/latest" + return_content: true + register: paru_release - - name: Disable sudo password prompt (makepkg sudoers hack) - lineinfile: - dest: /etc/sudoers - state: present - regexp: "^#?%wheel" - line: "%wheel ALL=(ALL) NOPASSWD: ALL" - validate: /usr/sbin/visudo -cf %s + - name: Extract tag_name + set_fact: + paru_version: "{{ (paru_release.json.tag_name | regex_replace('^v', '')) }}" - - command: - cmd: whoami - no_log: true - become: false - register: main_user + - name: Get the binary URL ({{ os_arch }}) + set_fact: + paru_url: "{{ item.browser_download_url }}" + loop: "{{ paru_release.json.assets }}" + when: "'{{ os_arch }}.tar.zst' in item.name" - - set_fact: - main_user: "{{ main_user.stdout }}" - no_log: true + - name: Download + ansible.builtin.get_url: + url: "{{ paru_url }}" + dest: "/tmp/paru-{{ os_arch }}.tar.zst" + mode: "0644" - - name: Create paru sources dir - file: - path: "{{ paru_src_path }}" - state: directory - owner: "{{ main_user }}" + - name: Extract paru + ansible.builtin.command: + cmd: "tar -xf /tmp/paru-{{ os_arch }}.tar.zst paru -C /tmp" - - name: Clone git sources - become: false - git: - repo: "{{ paru_git_repo }}" - dest: "{{ paru_src_path }}" + - name: Install paru binary + ansible.builtin.command: + cmd: "mv /tmp/paru /usr/bin/paru" - # note: this only works because SUDOERS password prompt is disabled - - name: Build and install - become: false - command: - chdir: "{{ paru_src_path }}" - cmd: "makepkg -si -f --noconfirm" + - name: Ensure permissions + ansible.builtin.file: + path: /usr/bin/paru + mode: "0755" - - name: Restore sudo with password prompt - lineinfile: - dest: /etc/sudoers - state: present - regexp: "^#?%wheel" - line: "%wheel ALL=(ALL:ALL) ALL" - 
validate: /usr/sbin/visudo -cf %s + - name: Cleanup + ansible.builtin.file: + path: "/tmp/paru-{{ os_arch }}.tar.zst" + state: absent when: not paru.stat.exists +## +## Deprecated version with compilation +## +# - name: Install paru +# block: +# - name: Install build dependencies +# package: +# name: +# - base-devel +# - git +# state: present + +# - name: Disable sudo password prompt (makepkg sudoers hack) +# lineinfile: +# dest: /etc/sudoers +# state: present +# regexp: "^#?%wheel" +# line: "%wheel ALL=(ALL) NOPASSWD: ALL" +# validate: /usr/sbin/visudo -cf %s + +# - command: +# cmd: whoami +# no_log: true +# become: false +# register: main_user + +# - set_fact: +# main_user: "{{ main_user.stdout }}" +# no_log: true + +# - name: Create paru sources dir +# file: +# path: "{{ paru_src_path }}" +# state: directory +# owner: "{{ main_user }}" + +# - name: Clone git sources +# become: false +# git: +# repo: "{{ paru_git_repo }}" +# dest: "{{ paru_src_path }}" + +# # note: this only works because SUDOERS password prompt is disabled +# - name: Build and install +# become: false +# command: +# chdir: "{{ paru_src_path }}" +# cmd: "makepkg -si -f --noconfirm" + +# - name: Restore sudo with password prompt +# lineinfile: +# dest: /etc/sudoers +# state: present +# regexp: "^#?%wheel" +# line: "%wheel ALL=(ALL:ALL) ALL" +# validate: /usr/sbin/visudo -cf %s +# when: not paru.stat.exists diff --git a/roles/net-config/templates/etc-interfaces.j2 b/roles/net-config/templates/etc-interfaces.j2 deleted file mode 100644 index 0566ea6..0000000 --- a/roles/net-config/templates/etc-interfaces.j2 +++ /dev/null @@ -1,9 +0,0 @@ -# This file describes the network interfaces available on your system -# and how to activate them. For more information, see interfaces(5). - -# The primary network interface -allow-hotplug {{ interface.name }} -iface {{ interface.name }} inet dhcp - -# This is an autoconfigured IPv6 interface -iface {{ interface.name }} inet6 auto 
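Review bot: The new install path fetches an unverified binary and stages it in the world-writable `/tmp` before moving it into `/usr/bin` as root: `ansible.builtin.get_url` has no `checksum:`, and `tar -xf … -C /tmp` followed by `mv /tmp/paru /usr/bin/paru` installs whatever another local user pre-placed or swapped at `/tmp/paru` between those two tasks. Stage in a private directory from `ansible.builtin.tempfile`, pin a per-release digest (a `paru_sha256` default, or the release's checksum asset if upstream publishes one — I can't confirm that from here), and install with `copy`/`remote_src` so owner and mode are set in the same step rather than by the trailing `file` task. Two smaller points in the same hunk: `when: "'{{ os_arch }}.tar.zst' in item.name"` embeds Jinja delimiters in a conditional, which Ansible warns about, and should be `when: (os_arch ~ '.tar.zst') in item.name`; and if no asset matches, `paru_url` is never set and the download fails with an undefined-variable error, so an `ansible.builtin.assert` with `that: paru_url is defined` and a `fail_msg` naming `os_arch` would give a clear failure. `paru_version` is computed but not consumed in this hunk; it may be used elsewhere in the role.

```yaml
    # … unchanged: release lookup (uri), tag_name extraction, paru_url set_fact …

    - name: Create private staging directory
      ansible.builtin.tempfile:
        state: directory
        suffix: paru
      register: paru_tmp

    - name: Download
      ansible.builtin.get_url:
        url: "{{ paru_url }}"
        dest: "{{ paru_tmp.path }}/paru-{{ os_arch }}.tar.zst"
        mode: "0644"
        checksum: "sha256:{{ paru_sha256 }}"  # pinned per release; update with the tag

    - name: Extract paru
      ansible.builtin.command:
        cmd: "tar -xf {{ paru_tmp.path }}/paru-{{ os_arch }}.tar.zst -C {{ paru_tmp.path }} paru"

    - name: Install paru binary
      ansible.builtin.copy:
        src: "{{ paru_tmp.path }}/paru"
        dest: /usr/bin/paru
        remote_src: true
        owner: root
        group: root
        mode: "0755"

    - name: Cleanup
      ansible.builtin.file:
        path: "{{ paru_tmp.path }}"
        state: absent
```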
diff --git a/roles/net-config/templates/systemd.network.j2 b/roles/net-config/templates/systemd.network.j2 index 071eec4..1a26fc2 100644 --- a/roles/net-config/templates/systemd.network.j2 +++ b/roles/net-config/templates/systemd.network.j2 @@ -1,9 +1,24 @@ +# {{ ansible_managed }} +# systemd.network(5) + [Match] Name={{ interface.name }} -[Network] +[Address] Address={{ interface.ipv4.address }} -Gateway={{ interface.ipv4.gateway }} +{% if interface.ipv4.metric is defined %} +RouteMetric={{ interface.ipv4.metric }} +{% endif %} + +[Network] {% for dns in interface.ipv4.nameservers %} DNS={{ dns }} {% endfor %} + +{% if interface.ipv4.gateway is defined %} +[Route] +Gateway={{ interface.ipv4.gateway }} +{% if interface.ipv4.metric is defined %} +Metric={{ interface.ipv4.metric }} +{% endif %} +{% endif %} diff --git a/roles/net-persist/tasks/main.yml b/roles/net-persist/tasks/main.yml index 66d45d3..1211d9a 100644 --- a/roles/net-persist/tasks/main.yml +++ b/roles/net-persist/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: Check if the interface is already named as expected +- name: "Check {{ interface.name }} ({{ interface.mac_address }}) rule" set_fact: interface_original_name: "{{ ansible_facts.interfaces | select('in', ansible_facts) diff --git a/roles/networking/tasks/main.yml b/roles/networking/tasks/main.yml index 16de57e..29498e1 100644 --- a/roles/networking/tasks/main.yml +++ b/roles/networking/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: "Setup persistent network interface(s)" +- name: Setup persistent network interface(s) include_role: name: net-persist public: yes @@ -7,7 +7,7 @@ interface: "{{ item }}" loop: "{{ hostvars[inventory_hostname].network_interfaces | default([]) }}" -- name: "Configure network interface(s)" +- name: Configure network interface(s) include_role: name: net-config public: yes diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index 5440d40..1fd4c98 100644 --- a/roles/sshd/tasks/main.yml 
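Review bot: `{% for dns in interface.ipv4.nameservers %}` under `[Network]` is the one optional-looking key this template reads without an `is defined` guard, while `gateway` and `metric` in the same file are both guarded, so a host entry that omits nameservers aborts the whole play at render time; `{% for dns in interface.ipv4.nameservers | default([]) %}` makes the three keys consistent. `RouteMetric=` under `[Address]` and the `[Route]` section with `Gateway=`/`Metric=` look correct against systemd.network(5) as far as I can tell, but nothing checks that `interface.ipv4.address` carries a prefix length, and to my knowledge networkd assumes /32 when it is omitted — a short comment above `Address=` stating the expected `a.b.c.d/nn` form would save a confusing routing failure. The `# {{ ansible_managed }}` header is a good addition.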
+++ b/roles/sshd/tasks/main.yml @@ -19,7 +19,7 @@ name: "{{ ssh_service_name }}" enabled: yes -- name: Allow SSH incoming connection on local network +- name: Allow local network incoming connection ufw: rule: allow port: "{{ ssh_port }}" @@ -27,7 +27,7 @@ from: "{{ ssh_allowed_network }}" direction: in -- name: Allow SSH incoming connection on vpn network +- name: Allow SSH VPN incoming connection ufw: rule: allow port: "{{ ssh_port }}" diff --git a/roles/sshd/templates/sshd_banner.j2 b/roles/sshd/templates/sshd_banner.j2 index bb08a2f..6df452f 100644 --- a/roles/sshd/templates/sshd_banner.j2 +++ b/roles/sshd/templates/sshd_banner.j2 @@ -15,6 +15,9 @@ ⢸⣿⡇⠈⠙⠛⢛⣿⣿⣤⣤⣿⣿⡛⠛⠋⠁⢸⣿⡇ ⣤⣼⣿⣧⣤⡀ ⠙⠛⠛⠛⠛⠛⠛⠋ ⢀⣤⣼⣿⣧⣤ ⠛⠛⠛⠛⠛⠁ ⠈⠛⠛⠛⠛⠛ +******************************************* + Beep beep-wooOOoo! Brrrp! Zzt zzt-whirl! +******************************************* {% elif ansible_host == 'omega' %} ⣀⣤⣴⣶⣾⣿⣿⣿⣿⣷⡶⠦ ⢀⣴⣾⣿⣿⠿⠿⢿⣿⣿⣿⣿⣿⣿⣿⣿⣧⣤⡄ @@ -29,6 +32,29 @@ ⠹⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠏ ⠈⠻⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣤⡄ ⠉⠛⠻⠿⢿⣿⣿⣿⣿⠟⠉⠉⠉⠉ +{% elif ansible_host == 'pinwheel' %} + ⢀⣠⣄⣀⣀⣀ ⣀⣤⣴⣶⡾⠿⠿⠿⠿⢷⣶⣦⣤⣀⡀ +⢰⣿⡟⠛⠛⠛⠻⠿⠿⢿⣶⣶⣦⣤⣤⣀⣀⡀⣀⣴⣾⡿⠟⠋⠉ ⠉⠙⠻⢿⣷⣦⣀ ⢀⣀⣀⣀⣀⣀⣀⣀⡀ + ⠻⣿⣦⡀ ⠉⠓⠶⢦⣄⣀⠉⠉⠛⠛⠻⠿⠟⠋⠁ ⣤⡀ ⢠ ⣠ ⠈⠙⠻⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠟⠛⠛⢻⣿ + ⠈⠻⣿⣦ ⠈⠙⠻⢷⣶⣤⡀ ⢀⣀⡀ ⠙⢷⡀⠸⡇ ⣰⠇ ⢀⣀⣀ ⣀⣠⣤⣤⣶⡶⠶⠶⠒⠂ ⣠⣾⠟ + ⠈⢿⣷⡀ ⠈⢻⣿⡄⣠⣴⣿⣯⣭⣽⣷⣆ ⠁ ⢠⣾⣿⣿⣿⣿⣦⡀ ⣠⣾⠟⠋⠁ ⣠⣾⡟⠁ + ⠈⢻⣷⣄ ⣿⡗⢻⣿⣧⣽⣿⣿⣿⣧ ⣀⣀ ⢠⣿⣧⣼⣿⣿⣿⣿⠗⠰⣿⠃ ⣠⣾⡿⠋ + ⠙⢿⣶⣄⡀ ⠸⠃⠈⠻⣿⣿⣿⣿⣿⡿⠃⠾⣥⡬⠗⠸⣿⣿⣿⣿⣿⡿⠛ ⢀⡟ ⣀⣠⣾⡿⠋ + ⠉⠛⠿⣷⣶⣤⣤⣄⣰⣄ ⠉⠉⠉⠁ ⢀⣀⣠⣄⣀⡀ ⠉⠉⠉ ⢀⣠⣾⣥⣤⣤⣤⣶⣶⡿⠿⠛⠉ + ⠈⠉⢻⣿⠛⢿⣷⣦⣤⣴⣶⣶⣦⣤⣤⣤⣤⣬⣥⡴⠶⠾⠿⠿⠿⠿⠛⢛⣿⣿⣿⣯⡉⠁ + ⠈⣿⣧⡀⠈⠉ ⠈⠁⣾⠛⠉⠉ ⣀⣴⣿⠟⠉⣹⣿⣇ + ⢀⣸⣿⣿⣦⣀ ⢻⡀ ⢀⣠⣤⣶⣿⠋⣿⠛⠃ ⣈⣿⣿ + ⣿⡿⢿⡀⠈⢹⡿⠶⣶⣼⡇ ⢀⣀⣀⣤⣴⣾⠟⠋⣡⣿⡟ ⢻⣶⠶⣿⣿⠛⢯ + ⠘⣿⣷⡈⢿⣦⣸⠇⢀⡿⠿⠿⡿⠿⠿⣿⠛⠋⠁ ⣴⠟⣿⣧⡀⠈⢁⣰⣿⠏ ⠏⡆ + ⢸⣿⢻⣦⣈⣽⣀⣾⠃ ⢸⡇ ⢸⡇ ⢀⣠⡾⠋⢰⣿⣿⣿⣿⡿⠟⠋ + ⠘⠿⢿⣿⣿⡟⠛⠃ ⣾ ⢸⡇⠐⠿⠋ ⣿⢻⣿⣿ + ⢸⣿⠁⢀⡴⠋ ⣿ ⢸⠇ ⠁⢸⣿⣿ + ⢀⣿⡿⠟⠋ ⣿ ⣸ ⢸⣿⣿ + ⢸⣿⣁⣀ ⣿⡀ ⣿ ⢀⣈⣿⣿ + ⠘⠛⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠟⠛⠋ +****************************************************************** + May the shell be with you +****************************************************************** {% else %} ACCESS DENIED - UNKNOWN STAR SYSTEM {% endif %} 
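Review bot: The new `{% elif ansible_host == 'pinwheel' %}` branch keys on `ansible_host`, which is the connection address taken from the inventory and may be an IP or FQDN rather than the short name, so like its sibling branches it can silently fall through to the `ACCESS DENIED - UNKNOWN STAR SYSTEM` default; `{% elif inventory_hostname == 'pinwheel' %}` is the stable inventory key. Separately, if this template is installed as the sshd `Banner` (as the role name suggests), it is sent before authentication, so the per-host art already tells an unauthenticated client which machine it reached — pre-existing, but worth a one-line comment at the top of the template noting that everything in it is visible pre-auth.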
@@ -39,9 +65,5 @@ will result in tracking and possible Force action. {% if ansible_hostname is defined %}
-Server: {{ ansible_hostname }}
+{{ group_names | first }}: {{ ansible_hostname }}
 {% endif %}
-
-*******************************************
- Beep beep-wooOOoo! Brrrp! Zzt zzt-whirl!
-*******************************************
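Review bot: `{{ group_names | first }}: {{ ansible_hostname }}` prints an inventory group name in a banner that, if wired to sshd `Banner` as the role suggests, is shown to clients before they authenticate, so anyone who can reach the port learns not only the hostname but how the host is grouped in your automation. The old `Server:` line already disclosed the hostname; adding the group widens that. If the label is wanted, gate it on an explicit switch, e.g. `{% if sshd_banner_show_group | default(false) %}`, or keep `Server: {{ ansible_hostname }}` and leave grouping out of pre-auth output. `group_names | first` is also only as stable as the group ordering — to my recollection Ansible sorts it alphabetically — so the label silently changes when a host joins a group that sorts earlier.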