Compare commits


49 Commits

e8b29bb8e8 added systemd unit for setting iptables rules using added script, added DSNet systemd unit 2026-06-19 19:22:21 -04:00
aa8d61aa09 added attribute to reboot task to ignore errors; included variables file for configuring VPN, i.e. DSNet, service configuration 2026-06-19 19:21:09 -04:00
2d6dcd3dab added attribute to reboot task to ignore errors; included variables file needed for VPN, i.e. DSNet, service configuration 2026-06-19 19:18:54 -04:00
2c66c3bd43 removed tasks that were instead migrated to a role task included by a role handler 2026-06-19 19:17:24 -04:00
20d1cd21a3 removed an empty line 2026-06-19 19:16:29 -04:00
83fa171341 added task for grabbng software binary as software installation 2026-06-19 19:15:38 -04:00
240efbb713 changed hardlink or actual destnation paths for software binaries, and used relative path for fetched secrets 2026-06-19 19:10:39 -04:00
bcf9eaebc9 removed unnecessary copy task for a source file in managed node 2026-06-19 19:06:55 -04:00
125ec09c8f migrated DSNet tasks to own task file in role, as opposed to having it in relevant playbook 2026-06-19 19:04:54 -04:00
b784b781d3 added a DSNet handler including tasks for post-installation 2026-06-19 19:03:52 -04:00
909682d74e moved burp and rsync installations, and added a new package group for direct software binaries, with dsnet listed in it 2026-06-19 19:02:29 -04:00
bd3029b914 made sure that handlers run prior to hostname change as well as a reboot in which the server is rendered inaccessible 2026-06-18 19:20:56 -04:00
57a3e876b8 added task informing user of needed actions to take advantage of now-avaialble vim plugins 2026-06-18 19:19:23 -04:00
1ce6879abf fixed typo in a line substitution, added SystemD restart tasks for service to abide by configuration changes 2026-06-18 19:18:26 -04:00
9ea7fb37b0 fixed missing loop variable for headscale user registration task 2026-06-18 19:17:16 -04:00
7584027890 moved VIM and Crowdsec setup handler listener, former due to now being userspace package group installation, latter due to needing to precede headscale handler tasks 2026-06-18 19:16:26 -04:00
a78613920c moved vim to userspace package group, referenced crowdsec handler, added password hashing/encryption 2026-06-18 19:14:14 -04:00
0dd0633166 hard-coded dedicated SSH keys for staging to automatically populate ssh-agent, added a subcommand for listing SSH keys in use by SSH agent 2026-06-17 14:42:16 -04:00
9945330b82 added task block to prompt user for a fallback password if given root password is null 2026-06-17 14:40:35 -04:00
f4399a2c8a added task block to prompt user for a fallback password if given user password is null 2026-06-17 14:40:17 -04:00
596b828e6f changed SSH key queries to dedicated SSH keys, and automated password creation, for staging; removed token to be prompted instead 2026-06-17 14:39:10 -04:00
13ef8fa459 made ungrouped hosts be two machines for staging or more 2026-06-17 14:36:26 -04:00
52f98c1d57 removed some information from example files for users to fill on their own 2026-06-16 15:02:11 -04:00
c0d0203406 excluded some very specific vars files from version control due to potential sensitive information 2026-06-16 14:57:56 -04:00
889b06bf21 altered template variables for vim editor configuration file 2026-06-16 14:57:11 -04:00
5bfde90be9 altered template variables for flexget configuration file 2026-06-16 14:56:30 -04:00
f592a56c60 added/altered template variables for headscale configuration file 2026-06-16 14:55:56 -04:00
fc95904327 added a default handler that performs a default action for software installation if none needed, as looped installations nonetheless will attempt to notify one 2026-06-16 14:55:06 -04:00
f43e420f66 allowed for change of crowdsec ports from their defaults 2026-06-16 14:53:58 -04:00
a6fc067eb1 added configuration of template files as top-level variable files in vars directory, to be referenced in relevant playbooks 2026-06-16 14:53:01 -04:00
44c343dd7b added decision tree for how to retrieve and make use of output produced on remote machine for future purposes 2026-06-16 14:51:17 -04:00
8894bd8925 ensured backups and forced changes for confguration files; fixed issue with failing to look up path on remote machine for remote machine copying operations 2026-06-16 14:50:02 -04:00
7daf57da64 moved post-installation reboots to task blocks from each software's associated handler to reduce power cycle; fixed semantic errors with varables and fixed repository addition issues 2026-06-16 14:47:31 -04:00
dc8dbcc43e added handlers inclusive of tasks related to headscale, git, vim and tor, as well as those very tasks 2026-06-16 14:40:56 -04:00
a4c26fd9c3 created example files for the basic server groupings 2026-06-16 14:21:50 -04:00
cf7612365a finished new playbook 2026-06-16 14:20:57 -04:00
3343f7ad69 finished new playbook 2026-06-16 14:20:40 -04:00
7268245bb7 finished new playbook 2026-06-16 14:20:16 -04:00
555c7d0a6a replaced example file with original, native playbook file 2026-06-16 14:16:01 -04:00
5049210e25 added community.general to requirements, just in case 2026-06-16 14:14:26 -04:00
0d7b0f0c66 created a new host grouping naming sheme, including a hypothetical ungrouped host for staging purposes 2026-06-16 14:12:30 -04:00
691d85458e excluded old group_vars files from version control 2026-06-16 14:07:14 -04:00
8e1f5c6743 replacing with what is mainly a testing file 2026-06-16 14:06:25 -04:00
1fed9cf441 replaced with what is mainly a testing file 2026-06-16 14:04:30 -04:00
f5fa460e44 renamed bootstrap shell script 2026-06-16 14:03:07 -04:00
9d80fbb567 removed example file, for original file 2026-06-16 14:02:17 -04:00
3fe4d9d5a2 added new dictionary variable, that has groups of container engine images; removed two packages from package groups to prepare for containerization instead 2026-06-10 22:10:23 -04:00
17a921b551 included an ansible-galaxy collecton requirement for containers.podman 2026-06-10 22:09:09 -04:00
ac4af5de3d added task that creates two new networks for podman 2026-06-10 22:08:17 -04:00
48 changed files with 3631 additions and 688 deletions

.gitignore vendored

@@ -5,8 +5,14 @@
/hosts.yaml
/hosts.json
*.bak
/init@homeserver.yml
/administrate@homeserver.yml
/group_vars/armitage.yml
/group_vars/sukaato.yml
/group_vars/armitage.yml
/group_vars/sukaato.yml
/vars/aria_api.yml
/vars/vpn_server.yml
/vars/tail_net.yml
/vars/local_facts.yml
# Ansible runtime and backups
*.original

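--- a/administrate@homeserver.yml
+++ b/administrate@homeserver.yml
@@ -0,0 +1,148 @@
+- name: Initialize homeserver
+hosts: "{{ chosen_host | default('armitage') }}"
+remote_user: "{{ chosen_user | default('senpai') }}"
+vars_files:
+- vars/git_aliases.yml # REQUIRED
+- vars/sox_prox.yml # REQUIRED
+- vars/flexget_dls.yml # REQUIRED
+- vars/aria_api.yml # REQUIRED
+- vars/config@{{ inventory_hostname | default('homeserver') }}.yml
+tasks:
+- name: Installing requisite packages
+ansible.builtin.include_role:
+name: init-server
+tasks_from: userspace@install-pkgs
+handlers_from: userspace
+- name: Acquiring home of current user
+when: ansible_facts["system"] == "Linux"
+ansible.builtin.shell:
+cmd: "echo ~{{ ansible_user }}"
+register: ansible_user_home
+- name: Acquiring current user
+when: ansible_facts["system"] == "Linux"
+ansible.builtin.shell:
+cmd: "echo {{ ansible_user }}"
+register: current_user
+- name: Disabling root user shell login
+become: true
+ansible.builtin.user:
+name: root
+shell: /sbin/nologin
+tags:
+- disable_root_shell
+- name: Disable login for root user altogether
+become: true
+ansible.builtin.user:
+name: root
+password: "'*'"
+tags:
+- disable_root_login
+- name: Reorganizing userspace package groups into single list
+ansible.builtin.set_fact:
+all_userspace_pkgs: "{{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs') | map(attribute='pkgs') | list | map(attribute='userspace') | list | flatten }}"
+- name: Reorganizing core package groups into single list
+ansible.builtin.set_fact:
+all_core_pkgs: "{{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs') | map(attribute='pkgs') | list | map(attribute='core') | list | flatten }}"
+- name: Configuring aliases for using git
+when: "'git' in all_core_pkgs"
+community.general.git_config:
+name: "alias.{{ item[0] }}"
+scope: global
+value: "{{ item[1] }}"
+loop: "{{ git_aliases }}"
+- name: Checking presence of dependency for flexget
+when: "'uv' in all_core_pkgs"
+block:
+- name: Installing flexget
+become: true
+become_user: "{{ current_user.stdout }}"
+ansible.builtin.command:
+argv:
+- uv
+- tool
+- install
+- "flexget[locked,ftp,sftp]"
+- "--with"
+- pysocks
+- name: Creating requisite download paths
+ansible.builtin.file:
+path: "{{ ansible_user_home.stdout }}/downloads/flexget/vids/{{ item }}/torrents"
+recurse: true
+owner: "{{ ansible_user }}"
+group: "{{ ansible_user }}"
+state: directory
+mode: "755"
+loop:
+- series
+- name: Creating requisite download paths
+ansible.builtin.file:
+path: "{{ ansible_user_home.stdout }}/downloads/flexget/vids/torrents"
+recurse: true
+owner: "{{ ansible_user }}"
+group: "{{ ansible_user }}"
+state: directory
+mode: "755"
+- name: Creating requisite hidden download paths
+ansible.builtin.file:
+path: "{{ ansible_user_home.stdout }}/downloads/.xxx/flexget/vids/torrents"
+recurse: true
+owner: "{{ ansible_user }}"
+group: "{{ ansible_user }}"
+state: directory
+mode: "755"
+- name: Creating requisite hidden download paths
+ansible.builtin.file:
+path: "{{ ansible_user_home.stdout }}/downloads/media/vids/{{ item }}"
+recurse: true
+owner: "{{ ansible_user }}"
+group: "{{ ansible_user }}"
+state: directory
+mode: "755"
+loop:
+- series
+- features
+- name: Creating requisite hidden file for film torrent links
+ansible.builtin.file:
+path: "{{ ansible_user_home.stdout }}/media/vids/{{ item }}.csv"
+owner: "{{ ansible_user }}"
+group: "{{ ansible_user }}"
+state: touch
+mode: "644"
+loop:
+- features/.films
+- name: Creating requisite hidden download paths
+ansible.builtin.file:
+path: "{{ ansible_user_home.stdout }}/downloads/.xxx/media/vids"
+recurse: true
+owner: "{{ ansible_user }}"
+group: "{{ ansible_user }}"
+state: directory
+mode: "755"
+- name: Creating requisite hidden file for NSFW video torrent links
+ansible.builtin.file:
+path: "{{ ansible_user_home.stdout }}/.xxx/.{{ item }}.csv"
+owner: "{{ ansible_user }}"
+group: "{{ ansible_user }}"
+state: touch
+mode: "644"
+loop:
+- vids
+- name: Configuring flexget
+become: true
+become_user: "{{ current_user.stdout }}"
+ansible.builtin.template:
+src: user/flexget/config.yml.j2
+variable_start_string: "<<"
+variable_end_string: ">>"
+dest: "{{ ansible_user_home.stdout }}/.flexget/config.yml"
+owner: "{{ ansible_user }}"
+group: "{{ ansible_user }}"
+force: true
+backup: true
+- name: Creating a CRON job for flexget
+ansible.builtin.cron:
+name: Run flexget
+minute: "*/60"
+hour: "4-15"
+weekday: "1-5"
+job: "{{ ansible_user_home.stdout }}/.local/bin/flexget --cron execute"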
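Review bot: The "Disable login for root user altogether" task passes `password: "'*'"`, and because the outer double quotes are the YAML quoting, the value handed to `ansible.builtin.user` is the three-character string `'*'` with the single quotes included; that still is not a valid crypt hash, so password login stays disabled, but it is accidental rather than deliberate and lands verbatim in the shadow field. The module's documented way to express this intent is `password_lock: true` (with `password` dropped), or at minimum `password: "*"`; the same construct appears in the new administrate@vps.yml. Separately, the two `set_fact` tasks here use `map(attribute='userspace')` and `map(attribute='core')` without the `default=` that the vps playbook passes, so this play will most likely abort on an undefined attribute as soon as one package group omits either key; the vps form with `default=` plus `reject` is the more robust of the two and the files should agree.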


@@ -1,29 +0,0 @@
- name: Initialize homeserver
hosts: armitage
remote_user: senpai
tasks:
- name: Installing requisite packages
ansible.builtin.include_role:
name: init-server
tasks_from: userspace@install-pkgs
handlers_from: userspace
- name: Disable root user shell login
become: true
ansible.builtin.user:
name: root
shell: /sbin/nologin
tags:
- disable_root_shell
- name: Disable login for root user altogether
become: true
ansible.builtin.user:
name: root
password: "'*'"
tags:
- disable_root_login
- name: Configuring aliases for using git
community.general.git_config:
name: "alias.{{ item[0] }}"
scope: global
value: "{{ item[1] }}"
loop: []

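--- a/administrate@vps.yml
+++ b/administrate@vps.yml
@@ -0,0 +1,45 @@
+- name: Initialize VPS
+hosts: "{{ chosen_host | default('sukaato') }}"
+remote_user: "{{ chosen_user | default('senpai') }}"
+vars_files:
+- vars/git_aliases.yml # REQUIRED
+- vars/vim_settings.yml # REQUIRED
+- vars/config@{{ inventory_hostname | default('vps') }}.yml
+tasks:
+- name: Installing requisite packages
+ansible.builtin.include_role:
+name: init-server
+tasks_from: userspace@install-pkgs
+handlers_from: userspace
+- name: Disabling root user shell login
+become: true
+ansible.builtin.user:
+name: root
+shell: /sbin/nologin
+tags:
+- disable_root_shell
+- name: Disable login for root user altogether
+become: true
+ansible.builtin.user:
+name: root
+password: "'*'"
+tags:
+- disable_root_login
+# - name: Debugging
+# ansible.builtin.debug:
+# msg: "{{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs') | map(attribute='pkgs') | list | map(attribute='userspace', default='no_userspace') | list | flatten | reject('search', 'no_userspace') | list }}"
+# - name: Prematurely ending play
+# ansible.builtin.meta: end_play
+- name: Reorganizing userspace package groups into single list
+ansible.builtin.set_fact:
+all_userspace_pkgs: "{{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs') | map(attribute='pkgs') | list | map(attribute='userspace', default='no_userspace') | list | flatten | reject('search', 'no_userspace') | list }}"
+- name: Reorganizing core package groups into single list
+ansible.builtin.set_fact:
+all_core_pkgs: "{{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs') | map(attribute='pkgs') | list | map(attribute='core', default='no_core') | list | flatten | reject('search', 'no_core') | list }}"
+- name: Configuring aliases for using git
+when: "'git' in all_core_pkgs"
+community.general.git_config:
+name: "alias.{{ item[0] }}"
+scope: global
+value: "{{ item[1] }}"
+loop: "{{ git_aliases }}"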
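Review bot: The five commented-out lines between the root-lockout task and the first `set_fact` (`# - name: Debugging` through `# ansible.builtin.meta: end_play`) are leftover scaffolding committed into a brand-new file; the expression they print is byte-identical to the one the next task assigns, so they tell a reader nothing the live task does not. Drop them, or if the early exit is still useful keep it as a real `ansible.builtin.debug` task followed by the `meta: end_play`, both tagged `tags: [never, debug_pkgs]` so they run only when that tag is requested explicitly.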


@@ -1,5 +0,0 @@
#!/bin/bash
set -euo pipefail
sudo ansible-playbook --ask-pass --ask-become-pass -i hosts.yml init@homeserver.yml
ansible-playbook --ask-become-pass -i hosts.test.yml administrate@homeserver.yml


@@ -1,4 +1,8 @@
---
collections:
- name: community.general
version: "12.6.1"
- name: linode.cloud
version: "0.46.0"
- name: containers.podman
version: "1.20.1"


@@ -1,12 +1,6 @@
# @TODO create inventory group variables akin to structure of sukaato group's for homeserver
# <str<vault>> representing password for Linux root user account of VPS
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
32333335343939653231313938666134306338356633393035363039373465386165313666383262
6465313738316635633332623765336563626165336330370a616634393266366430363663333066
63373165346236386632393866316164623133373761303262643734356433646661636533666266
3834643765613937300a326365643961626236386261303933643965333565623836313231346537
3030
password: "{{ lookup('password', '../.tmp/armitage_test.pass', seed='armitage_test', encrypt='sha512_crypt') }}"
# <str> representing hostname for LAN server; same as host or group variable name
instance: armitage
# <str<enum>> representing Linux distro or OS image to be used for VPS
@@ -14,202 +8,25 @@ instance: armitage
operating_system: ~
# <list[<str>]> of control node or local SSH key basenames
ssh_keys:
- ed25519@sukaato.hikiki
- ecdsa@sukaato.hikiki
- ed25519@staging
- ecdsa@staging
# <list<dict>> list of administrative users (in Linux, users that can use "sudo")
admins:
- username: senpai # <str> arbitrary valid user name
services: ~ # <list[<str>]> if linux system user, assocated servce
# <list[<str>]> list of control node or local SSH key basenames for this user
ssh_keys:
- ecdsa-37851076-sk@sukaato.hikiki
- ecdsa-37851072-sk@sukaato.hikiki
# @TODO add secondary and teriary Yubikeys
- ecdsa-37851076-sk@staging
- ed25519-37851076-sk@staging
# <str<vault?>> hashed (and maybe salted) password
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
34636132613365646330653431653236303563623464316638643439373761366564663264613738
3033343264373264333362616434333465323439653134340a643066663832353965313434386639
38366263646638353632656431366638393939623537326233306132306436363338373161643433
3439653833333164390a303430616561356464393030353433303738383730643330323031373432
62386231653339616436383837383966643539353036353034363132633539643332386131613537
31356230383561663735363530393562363237343166323635666665386165633130653864646238
39323735386161646531323335393639353630376136663063393930326434346435343937623336
33336132663238326662323536326638333139313535373166636363336366663962373936383536
62303536363939316563646630633064306364366331623665646533633065336236
password: "{{ lookup('password', '../.tmp/senpai@armitage_test.pass', seed='senpai:armitage_test', encrypt='sha512_crypt') }}"
# <dict[<str>:<dict>]> package groups
pkgs:
# <dict[<str>:<dict>]> representing package groups installed by package manager via repositories
mngr:
# <list[<dict>]> representing system-level or essential packages
core:
- name: sudo
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: kitty-terminfo
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: whois
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: vim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
- name: vim-vimwiki
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: vim-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
# - name: flatpak
# uri: ~
# sources: ~
# sigkey: ~
# types: ~
# suites: ~
# comps: ~
- name: snapd
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
- name: git
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
- name: git-delta
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
- name: git-doc
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
- name: git-man
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
- name: fail2ban
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
- name: crowdsec
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
- name: glow
uri: ~
sigkey: "https://repo.charm.sh/apt/gpg.key"
sources: "https://repo.charm.sh/apt/"
types: deb
suites: "*"
comps: "*"
- name: pandoc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: tor
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: i2pd
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: curl
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: build-essential
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: fastfetch
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: gcc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: gcc-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: dpkg-dev
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: xz-utils
uri: ~
sigkey: ~
@@ -217,6 +34,183 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: wireguard
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: wireguard-tools
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: sudo
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: kitty-terminfo
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: whois
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: smartmontools
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: vim-vimwiki
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: vim-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: snapd
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: git
- name: git-delta
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git-doc
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git-man
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: fail2ban
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: crowdsec
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: crowdsec
- name: glow
uri: ~
sigkey: "https://repo.charm.sh/apt/gpg.key"
sources: "https://repo.charm.sh/apt/"
types: deb
suites: "*"
comps: "*"
handler: ~
- name: pandoc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: curl
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: build-essential
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: fastfetch
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gcc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: dpkg-dev
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: ufw
uri: ~
sigkey: ~
@@ -224,6 +218,15 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: avahi-daemon
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: avahi-utils
uri: ~
sigkey: ~
@@ -231,6 +234,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: libpam-google-authenticator
uri: ~
sigkey: ~
@@ -238,6 +242,31 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: cron
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cron-daemon-common
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: tor
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: tor
- name: libpam-u2f
uri: ~
sigkey: ~
@@ -245,6 +274,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: pamu2fcfg
uri: ~
sigkey: ~
@@ -252,6 +282,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: pcscd
uri: ~
sigkey: ~
@@ -259,6 +290,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: tftpd-hpa
uri: ~
sigkey: ~
@@ -266,20 +298,7 @@ pkgs:
types: ~
suites: ~
comps: ~
- name: apache2
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: apache2-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gocryptfs
uri: ~
sigkey: ~
@@ -287,6 +306,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: cryfs
uri: ~
sigkey: ~
@@ -294,6 +314,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: tmux
uri: ~
sigkey: ~
@@ -301,13 +322,7 @@ pkgs:
types: ~
suites: ~
comps: ~
- name: squid
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cpu-checker
uri: ~
sigkey: ~
@@ -315,13 +330,7 @@ pkgs:
types: ~
suites: ~
comps: ~
- name: asciidoc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libpam-doc
uri: ~
sigkey: ~
@@ -329,7 +338,32 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: gnupg
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gnupg-agent
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
userspace:
- name: vim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: vim
- name: neovim
uri: ~
sources: ~
@@ -337,6 +371,15 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: neovim
- name: sqlite3
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: podman
uri: ~
sigkey: ~
@@ -344,6 +387,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: podman-compose
uri: ~
sigkey: ~
@@ -351,6 +395,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: distrobox
uri: ~
sigkey: ~
@@ -358,6 +403,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-core
uri: ~
sigkey: ~
@@ -365,6 +411,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-doc
uri: ~
sigkey: ~
@@ -372,6 +419,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-crypto
uri: ~
sigkey: ~
@@ -379,6 +427,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-ldap
uri: ~
sigkey: ~
@@ -386,6 +435,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-sqlite
uri: ~
sigkey: ~
@@ -393,27 +443,7 @@ pkgs:
types: ~
suites: ~
comps: ~
- name: aria2
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: syncplay-server
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: caddy
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: erlang
uri: ~
sigkey: ~
@@ -421,6 +451,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: erlang-doc
uri: ~
sigkey: ~
@@ -428,6 +459,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: erlang-hex
uri: ~
sigkey: ~
@@ -435,6 +467,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: elixir
uri: ~
sigkey: ~
@@ -442,6 +475,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: python3.13
uri: ~
sigkey: ~
@@ -449,6 +483,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: python3-venv
uri: ~
sigkey: ~
@@ -456,6 +491,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: python3-pip
uri: ~
sigkey: ~
@@ -463,6 +499,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: python3-doc
uri: ~
sigkey: ~
@@ -470,6 +507,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: golang
uri: ~
sigkey: ~
@@ -477,6 +515,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: golang-doc
uri: ~
sigkey: ~
@@ -484,6 +523,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: hugo
uri: ~
sigkey: ~
@@ -491,6 +531,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: yt-dlp
uri: ~
sigkey: ~
@@ -498,6 +539,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: syncthing-discosrv
uri: ~
sigkey: ~
@@ -505,6 +547,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: syncthing-relaysrv
uri: ~
sigkey: ~
@@ -512,6 +555,71 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: syncthing-relaysrv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: burp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rsync
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rclone
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: aria2
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: mopidy
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: mopidy-mpd
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: minidlna
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
# <dict[<str>:<dict>]> representing package groups installed by shell scripts
script:
# <list[<dict>]> representing user-level or supplemental shell script installations
@@ -520,40 +628,47 @@ pkgs:
src: "https://radicle.dev/install"
pre: ~
post: ~
handler: radicle
- name: rustup
src: "https://sh.rustup.rs"
pre: ~
post: ~
handler: rustup
- name: julia
src: "https://install.julialang.org"
pre: ~
post: ~
handler: julia
- name: uv
src: "https://astral.sh/uv/install.sh"
pre: ~
post: ~
handler: uv
# <dict[<str>:<dict>]> representing package groups installed from source archives
archive:
# <list[<dict>]> representing user-level or supplemental source archives
userspace:
- name: surge
src: "https://github.com/SurgeDM/Surge/releases/download/v0.8.6/Surge_0.8.6_linux_amd64.tar.gz"
deploy: ~
pre: ~
post: ~
# - name: surge
# src: "https://github.com/SurgeDM/Surge/releases/download/v0.8.6/Surge_0.8.6_linux_amd64.tar.gz"
# deploy: ~
# pre: ~
# post: ~
# handler: surge
- name: nvm
src: "https://nodejs.org/dist/v24.16.0/node-v24.16.0-linux-x64.tar.xz"
deploy: ~
pre: ~
post: ~
handler: nvm
- name: difftastic
src: "https://github.com/Wilfred/difftastic/releases/download/0.69.0/difft-x86_64-unknown-linux-gnu.tar.gz"
deploy: ~
pre: ~
post: ~
handler: difftastic
# <dict[<str>:<dict>]> representing package groups installed from source git repositories
git_repos:
userspace:
# userspace:
# # @TODO use below to build Podman container instead, to deploy with podman-compose
# # @NOTE https://github.com/papis/papis and https://papis.readthedocs.io/en/latest/
# - name: papis
@@ -562,9 +677,11 @@ pkgs:
# deploy: ~
# pre: ~
# post: ~
# handler: false
- name: quartz
src: "https://github.com/jackyzha0/quartz.git"
branch: v5.0.0
deploy: ~
pre: ~
post: ~
post: ~
handler: quartz
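Review bot: The `password` values that replace the two `!vault` blocks in the first hunks (`lookup('password', '../.tmp/armitage_test.pass', seed='armitage_test', encrypt='sha512_crypt')` for root, and the `senpai@armitage_test` variant for the admin user) pass a fixed `seed`, and the password lookup documents that identical seeds yield identical passwords, so both credentials are reproducible by anyone who can read this now-unencrypted vars file. That may be an accepted trade-off for a staging host, but it should be written down next to the value, e.g. `# staging only: seeded lookup, password is derivable from this file; keep !vault for real hosts`, so the pattern is not copied into a production group_vars file. The lookup also persists the generated plaintext (the `encrypt` option hashes only the returned value) to `../.tmp/…`, which appears to resolve relative to the playbook directory rather than to this file; confirm that location sits outside the checkout or is ignored, since the .gitignore change in this compare does not cover it.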


@@ -1,104 +1,690 @@
# <str<vault>> representing password for Linux root user account of LAN server on PC
# @TODO create inventory group variables akin to structure of sukaato group's for homeserver
# <str<vault>> representing password for Linux root user account of VPS
password: ""
# <str<vault>> administrative API token or PXE server authentication key/password
token: ~
# <str> representing hostname for LAN server; same as host or group variable name
instance: ""
# <str<enum>> representing Linux distro or OS image to be used for VPS; can be PXE server URI/URL link
# Example-- operating_system: "tftp://hikiki.local:69/debian.iso"
operating_system: ~
instance: armitage
# <str<enum>> representing Linux distro or OS image to be used for VPS
# operating_system: "tftp://hikiki.local:69/debian.iso"
operating_system: ""
# <list[<str>]> of control node or local SSH key basenames
ssh_keys: []
# @TODO change 'key' attributes of package entres under 'mngr' section below to 'signkey'
# and edit 'roles/init-server/install-pks.yml' accordngly
ssh_keys: []
# <list<dict>> list of administrative users (in Linux, users that can use "sudo")
admins:
- username: senpai # <str> arbitrary valid user name
services: "" # <list[<str>]> if linux system user, assocated servce
# <list[<str>]> list of control node or local SSH key basenames for this user
ssh_keys: []
# <str<vault?>> hashed (and maybe salted) password
password: ""
# <dict[<str>:<dict>]> package groups
pkgs:
# <dict[<str>:<dict>]> representing package groups installed by package manager via repositories
mngr:
# <list[<dict>]> representing system-level or essential packages
core:
- name: ""
uri: ""
sigkey: ""
sources: ""
types: ""
suites: ""
comps: ""
# <list[<dict>]> representing user-level or supplemental packages
- name: xz-utils
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: wireguard
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: wireguard-tools
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: sudo
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: kitty-terminfo
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: whois
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: smartmontools
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: vim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: vim
- name: vim-vimwiki
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: vim-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
# - name: flatpak
# uri: ~
# sources: ~
# sigkey: ~
# types: ~
# suites: ~
# comps: ~
# handler: ~
- name: snapd
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: git
- name: git-delta
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git-doc
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git-man
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: fail2ban
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: crowdsec
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: glow
uri: ~
sigkey: "https://repo.charm.sh/apt/gpg.key"
sources: "https://repo.charm.sh/apt/"
types: deb
suites: "*"
comps: "*"
handler: ~
- name: pandoc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: curl
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: build-essential
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: fastfetch
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gcc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: dpkg-dev
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: ufw
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: avahi-daemon
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: avahi-utils
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libpam-google-authenticator
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cron
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cron-daemon-common
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: tor
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: tor
- name: libpam-u2f
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: pamu2fcfg
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: pcscd
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: tftpd-hpa
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gocryptfs
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cryfs
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: tmux
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cpu-checker
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libpam-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: burp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rsync
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gnupg
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gnupg-agent
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
userspace:
- name: ""
uri: ""
sigkey: ""
sources: ""
types: ""
suites: ""
comps: ""
- name: neovim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: neovim
- name: sqlite3
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: podman
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: podman-compose
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: distrobox
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-core
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-crypto
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-ldap
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-sqlite
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: erlang
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: erlang-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: erlang-hex
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: elixir
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: python3.13
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: python3-venv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: python3-pip
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: python3-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: golang
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: golang-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: hugo
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: yt-dlp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: syncthing-discosrv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: syncthing-relaysrv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: syncthing-relaysrv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rclone
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: aria2
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: mopidy
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: mopidy-mpd
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: minidlna
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
# <dict[<str>:<dict>]> representing package groups installed by shell scripts
script:
# <list[<dict>]> representing system-level or essential shell script software installations
core:
- name: "" # <str> arbitrary name, used by handler listener
src: "" # <str> URI/URL or path to software installation shell script
pre: "" # <str> URI/URL or path to shell script, or name of handler listener, for pre-installation actions
post: "" # <str> URI/URL or path to shell script, or name of handler listener, for post-installation actions
# <list[<dict>]> representing user-level or supplemental shell script software installations
# <list[<dict>]> representing user-level or supplemental shell script installations
userspace:
- name: ""
src: ""
pre: ""
post: ""
- name: radicle
src: "https://radicle.dev/install"
pre: ~
post: ~
handler: radicle
- name: rustup
src: "https://sh.rustup.rs"
pre: ~
post: ~
handler: rustup
- name: julia
src: "https://install.julialang.org"
pre: ~
post: ~
handler: julia
- name: uv
src: "https://astral.sh/uv/install.sh"
pre: ~
post: ~
handler: uv
# <dict[<str>:<dict>]> representing package groups installed from source archives
archive:
# <list[<dict>]> representing system-level or essential source archives
core:
- name: "" # <str> arbitrary name, used by handler listener
src: "" # <str> URI/URL or path of archive file for software build
deploy: "" # <str> URI/URL or path to shell script, or handler listener name, to build software from archive
pre: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take before software build
post: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take after software build
# <list[<dict>]> representing user-level or supplemental source archives
userspace:
- name: ""
src: ""
deploy: ""
pre: ""
post: ""
# - name: surge
# src: "https://github.com/SurgeDM/Surge/releases/download/v0.8.6/Surge_0.8.6_linux_amd64.tar.gz"
# deploy: ~
# pre: ~
# post: ~
# handler: surge
- name: nvm
src: "https://nodejs.org/dist/v24.16.0/node-v24.16.0-linux-x64.tar.xz"
deploy: ~
pre: ~
post: ~
handler: nvm
- name: difftastic
src: "https://github.com/Wilfred/difftastic/releases/download/0.69.0/difft-x86_64-unknown-linux-gnu.tar.gz"
deploy: ~
pre: ~
post: ~
handler: difftastic
# <dict[<str>:<dict>]> representing package groups installed from source git repositories
git_repos:
# <list[<dict>]> representing system-level or essential git repositories
core:
- name: "" # <str> arbitrary name, used by handler listener
src: "" # <str> URI/URL or path of git repository
src_path: "" # <str> path in which to place git repository clone
branch: "" # <str> specific branch to pull or otherwise to swtich into
deploy: "" # <str> URI/URL or path to shell script, or handler listener name, to build or run from source repository
pre: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take before building or running from source repository
post: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take after building or running from source repository
# <list[<dict>]> representing user-level or supplemental git repositories
userspace:
- name: "" # <str> arbitrary name, used by handler listener
src: "" # <str> URI/URL or path of git repository
src_path: "" # <str> path in which to place git repository clone
remote: "" # <str> the name of the remote source of the git repository
branch: "" # <str> specific branch to pull or otherwise to swtich into
deploy: "" # <str> URI/URL or path to shell script, or handler listener name, to build or run from source repository
pre: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take before building or running from source repository
post: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take after building or running from source repository
# <dict[<str>:<dict>]> representing package groups installed via container engine
containers:
# <list[<dict>]> representing system-level or essential container images
core: []
# <list[<dict>]> representing user-level or supplemental container images
userspace: []
# <dict[<str>:<dict>]> representing package groups installed via snap package
snaps:
# <list[<dict>]> representing system-level or essential packages
core: []
# <list[<dict>]> representing user-level or supplemental packages
userspace: []
# <dict[<str>:<dict>]> representing flatpak groups installed via flatpak package
flatpaks:
# <list[<dict>]> representing system-level or essential flatpaks
core: []
# <list[<dict>]> representing user-level or supplemental flatpaks
userspace: []
# userspace:
# # @TODO use below to build Podman container instead, to deploy with podman-compose
# # @NOTE https://github.com/papis/papis and https://papis.readthedocs.io/en/latest/
# - name: papis
# src: "https://github.com/papis/papis.git"
# branch: main
# deploy: ~
# pre: ~
# post: ~
# handler: false
- name: quartz
src: "https://github.com/jackyzha0/quartz.git"
branch: v5.0.0
deploy: ~
pre: ~
post: ~
handler: quartz


@@ -1,22 +1,7 @@
# <str<vault>> representing password for Linux root user account of VPS
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
66353462633933306537323461663665643234306166366663653163306436333037313032306338
3762653037396437633835356630656438623163656536310a306163663234383265386133396634
34363163343766623739646334643031373239373630663731376239333764346531396363636131
6163343335356337660a366337336632333236326532373032353332333636366638616265356562
66616534303035386134623535373935373065326539363065623230633034313433
password: "{{ lookup('password', './.tmp/sukaato_test.pass', seed='sukaato_test', encrypt='sha512_crypt') }}"
# <str<vault>> representing API token for VPS cloud service
token: !vault |
$ANSIBLE_VAULT;1.1;AES256
33333839333337323062326231626534616166646666343261343966636464346630363033653130
3035653864396363376633346362353239643939663462370a323935353061313563336435366331
30393463653661326539326234646438663133616634663439303932656137633839656533376433
3666643635613039390a323138393033623131326438616331386539666333613630316263613636
66663263373665343662393638623064356234646165343835623966643761333562323132396466
63363436333463653130323531343139316466316131313031343232343039396261616231376232
66383938333661363532303166306563396634663132396166646132663131373738396131626633
34393265343061356531
token: ~
# <str> representing name and hostname of VPS to be made in VPS cloud service
instance: sukaato
# <str<enum>> representing region options from or for given VPS cloud service
@@ -25,55 +10,153 @@ origin: us-east
operating_system: linode/debian13
# <list[<str>]> list of control node or local SSH key basenames for root user
ssh_keys:
- ed25519@sukaato.hikiki
- ecdsa@sukaato.hikiki
- ed25519@staging
- ecdsa@staging
# <list<dict>> list of administrative users (in Linux, users that can use "sudo")
admins:
- username: senpai # <str> arbitrary valid user name
services: ~ # <list[<str>]> if linux system user, assocated servce
# <list[<str>]> list of control node or local SSH key basenames for this user
ssh_keys:
- ecdsa-37851076-sk@sukaato.hikiki
- ecdsa-37851072-sk@sukaato.hikiki
# @TODO add secondary and teriary Yubikeys
- ecdsa-37851076-sk@staging
- ed25519-37851076-sk@staging
# <str<vault?>> hashed (and maybe salted) password
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
31663265653031323833373663653132653532646638316465393364613961643130653330393062
6165386239303965386261363565353137636164356130370a336465353931373564393339363561
37353162333331663833656631663165356134633961323337663439663733316231666334336539
6537373334326634610a623037613462663733343230306538386561363838316638623365636533
32313931666439363435663161663665346266653763343265376366383837376436643163376430
39393861613037333766386138376335653334363737626664383236303234653461313230383564
33393834636165386562383435666233313664656233326364616237636230303264363732376639
64396564366335366430303031323865333635306536346463386334303235386438663061343934
37376466373566396130366330383834323332626166316661336339346462343466
password: "{{ lookup('password', './.tmp/senpai@sukaato_test.pass', seed='senpai:sukaato_test', encrypt='sha512_crypt') }}"
# <dict[<str>:<dict>]> package groups
pkgs:
# <dict[<str>:<dict>]> representing package groups installed by package manager via repositories
mngr:
# <list[<dict>]> representing system-level or essential packages
core:
- name: neovim
- name: sudo
uri: ~
sources: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: flatpak
handler: ~
- name: xz-utils
uri: ~
sources: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: snapd
handler: ~
- name: wireguard
uri: ~
sources: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: wireguard-tools
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: vagrant
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: qemu-system
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cron
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cron-daemon-common
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: qemu-kvm
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: bridge-utils
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libvirt-clients
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libvirt-daemon-system
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gcc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git-delta
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: fastfetch
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git
uri: ~
sources: ~
@@ -81,6 +164,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: git
- name: fail2ban
uri: ~
sources: ~
@@ -88,6 +172,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: crowdsec
uri: ~
sources: ~
@@ -95,6 +180,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: crowdsec
- name: glow
uri: ~
sigkey: "https://repo.charm.sh/apt/gpg.key"
@@ -102,6 +188,7 @@ pkgs:
types: deb
suites: "*"
comps: "*"
handler: ~
- name: vim-vimwiki
uri: ~
sigkey: ~
@@ -109,13 +196,15 @@ pkgs:
types: ~
suites: ~
comps: ~
- name: pandoc
handler: ~
- name: vim-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: tor
uri: ~
sigkey: ~
@@ -123,6 +212,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: i2pd
uri: ~
sigkey: ~
@@ -130,21 +220,24 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: whois
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
# @TODO make sure to create handler inclusion of tasks in file under/at `tasks/contingent/pkg` for below
- name: ufw
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: avahi-utils
- name: iptables
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libpam-google-authenticator
uri: ~
sigkey: ~
@@ -152,42 +245,88 @@ pkgs:
types: ~
suites: ~
comps: ~
- name: libpam-u2f
handler: ~
- name: gnupg
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: pamu2fcfg
handler: ~
- name: gnupg-agent
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: pcscd
handler: ~
- name: gocryptfs
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cryfs
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: tmux
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cpu-checker
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libpam-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: headscale
uri: "https://github.com/juanfont/headscale/releases/download/v0.28.0/headscale_0.28.0_linux_amd64.deb"
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: headscale
userspace:
- name: podman
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: podman-compose
- name: vim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: vim
- name: neovim
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: neovim
- name: distrobox
uri: ~
sigkey: ~
@@ -195,6 +334,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-core
uri: ~
sigkey: ~
@@ -202,6 +342,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-doc
uri: ~
sigkey: ~
@@ -209,6 +350,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-crypto
uri: ~
sigkey: ~
@@ -216,6 +358,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-ldap
uri: ~
sigkey: ~
@@ -223,6 +366,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-sqlite
uri: ~
sigkey: ~
@@ -230,6 +374,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: aria2
uri: ~
sigkey: ~
@@ -237,20 +382,7 @@ pkgs:
types: ~
suites: ~
comps: ~
- name: syncplay-server
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
- name: caddy
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: erlang
uri: ~
sigkey: ~
@@ -258,6 +390,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: erlang-hex
uri: ~
sigkey: ~
@@ -265,6 +398,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: elixir
uri: ~
sigkey: ~
@@ -272,6 +406,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: python3.13
uri: ~
sigkey: ~
@@ -279,6 +414,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: python3-venv
uri: ~
sigkey: ~
@@ -286,6 +422,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: python3-pip
uri: ~
sigkey: ~
@@ -293,6 +430,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: golang
uri: ~
sigkey: ~
@@ -300,13 +438,7 @@ pkgs:
types: ~
suites: ~
comps: ~
- name: hugo
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: yt-dlp
uri: ~
sigkey: ~
@@ -314,6 +446,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: syncthing-discosrv
uri: ~
sigkey: ~
@@ -321,6 +454,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: syncthing-relaysrv
uri: ~
sigkey: ~
@@ -328,6 +462,31 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
- name: rclone
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: burp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rsync
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
# <dict[<str>:<dict>]> representing package groups installed by shell scripts
script:
# <list[<dict>]> representing user-level or supplemental shell script installations
@@ -336,18 +495,22 @@ pkgs:
src: "https://radicle.dev/install"
pre: ~
post: ~
handler: radicle
- name: rustup
src: "https://sh.rustup.rs"
pre: ~
post: ~
handler: rustup
- name: julia
src: "https://install.julialang.org"
pre: ~
post: ~
handler: julia
- name: uv
src: "https://astral.sh/uv/install.sh"
pre: ~
post: ~
handler: uv
# <dict[<str>:<dict>]> representing package groups installed from source archives
archive:
# <list[<dict>]> representing user-level or supplemental source archives
@@ -357,17 +520,31 @@ pkgs:
deploy: ~
pre: ~
post: ~
handler: surge
- name: nvm
src: "https://nodejs.org/dist/v24.16.0/node-v24.16.0-linux-x64.tar.xz"
deploy: ~
pre: ~
post: ~
# <dict[<str>:<dict>]> representing package groups installed from source git repositories
git_repos:
userspace:
- name: quartz
src: "https://github.com/jackyzha0/quartz.git"
branch: v5.0.0
handler: nvm
- name: difftastic
src: "https://github.com/Wilfred/difftastic/releases/download/0.69.0/difft-x86_64-unknown-linux-gnu.tar.gz"
deploy: ~
pre: ~
post: ~
post: ~
handler: difftastic
# <dict[<str>:<dict>]> representing package groups installed from source git repositories
git_repos:
# userspace:
# - name: quartz
# src: "https://github.com/jackyzha0/quartz.git"
# branch: v5.0.0
# deploy: ~
# pre: ~
# post: ~
# handler: ~
binaries:
core:
- name: dsnet
src: "https://github.com/naggie/dsnet/releases/download/v0.8.1/dsnet-linux-amd64"
handler: dsnet
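Review bot: The new `binaries.core` entry for dsnet fetches a bare executable from a release URL with nothing to pin its content — the schema has no integrity field, and the `headscale` `.deb` entry above it likewise carries `sigkey: ~`, so whatever task consumes `src`/`uri` can rely only on TLS to the download host. Add an integrity field per entry, e.g. `checksum: "sha256:<digest published with the v0.8.1 release>"` under `src`, and have the fetch task pass it to `get_url`'s `checksum:` so a swapped release asset fails the play instead of landing on the host as root. The same applies to the `archive` entries (node tarball, difftastic) and, where the project publishes a detached signature, to the `.deb`. Separately, the `lookup('password', …, seed='sukaato_test')` values at the top of this file are deterministic from a seed committed alongside them, which is acceptable only while this host stays a throwaway test instance.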


@@ -3,103 +3,538 @@ password: ""
# <str<vault>> representing API token for VPS cloud service
token: ""
# <str> representing name and hostname of VPS to be made in VPS cloud service
instance: ""
instance: sukaato
# <str<enum>> representing region options from or for given VPS cloud service
origin: ""
# <str<enum>> representing Linux distro or OS image available in VPS service to be used for VPS
operating_system: ~
# <list[<str>]> of control node or local SSH key basenames
ssh_keys: []
# @TODO change 'key' attributes of package entres under 'mngr' section below to 'signkey'
# and edit 'roles/init-server/install-pks.yml' accordngly
origin: us-east
# <str<enum>> representing Linux distro or OS image available in VPS service to be used for VPS
operating_system: linode/debian13
# <list[<str>]> list of control node or local SSH key basenames for root user
ssh_keys: []
# <list<dict>> list of administrative users (in Linux, users that can use "sudo")
admins:
- username: senpai # <str> arbitrary valid user name
services: ~ # <list[<str>]> if linux system user, assocated servce
# <list[<str>]> list of control node or local SSH key basenames for this user
ssh_keys: []
# <str<vault?>> hashed (and maybe salted) password
password: ""
# <dict[<str>:<dict>]> package groups
pkgs:
# <dict[<str>:<dict>]> representing package groups installed by package manager via repositories
mngr:
# <list[<dict>]> representing system-level or essential packages
core:
- name: ""
uri: ""
sigkey: ""
sources: ""
types: ""
suites: ""
comps: ""
# <list[<dict>]> representing user-level or supplemental packages
- name: sudo
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: xz-utils
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: wireguard
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: wireguard-tools
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: vagrant
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: qemu-system
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cron
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cron-daemon-common
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: qemu-kvm
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: bridge-utils
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libvirt-clients
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libvirt-daemon-system
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gcc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git-delta
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: fastfetch
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: vim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: vim
- name: git
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: git
- name: fail2ban
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: crowdsec
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: glow
uri: ~
sigkey: "https://repo.charm.sh/apt/gpg.key"
sources: "https://repo.charm.sh/apt/"
types: deb
suites: "*"
comps: "*"
handler: ~
- name: vim-vimwiki
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: vim-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: tor
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: i2pd
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: whois
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
# @TODO make sure to create handler inclusion of tasks in file under/at `tasks/contingent/pkg` for below
- name: iptables
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libpam-google-authenticator
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: burp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rsync
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gnupg
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gnupg-agent
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gocryptfs
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cryfs
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: tmux
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cpu-checker
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libpam-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: headscale
uri: "https://github.com/juanfont/headscale/releases/download/v0.28.0/headscale_0.28.0_linux_amd64.deb"
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: headscale
userspace:
- name: ""
uri: ""
sigkey: ""
sources: ""
types: ""
suites: ""
comps: ""
- name: neovim
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: neovim
- name: distrobox
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-core
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-crypto
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-ldap
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-sqlite
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: aria2
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: erlang
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: erlang-hex
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: elixir
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: python3.13
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: python3-venv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: python3-pip
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: golang
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: yt-dlp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: syncthing-discosrv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: syncthing-relaysrv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rclone
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
# <dict[<str>:<dict>]> representing package groups installed by shell scripts
script:
# <list[<dict>]> representing system-level or essential shell script software installations
core:
- name: "" # <str> arbitrary name, used by handler listener
src: "" # <str> URI/URL or path to software installation shell script
pre: "" # <str> URI/URL or path to shell script, or name of handler listener, for pre-installation actions
post: "" # <str> URI/URL or path to shell script, or name of handler listener, for post-installation actions
# <list[<dict>]> representing user-level or supplemental shell script software installations
# <list[<dict>]> representing user-level or supplemental shell script installations
userspace:
- name: ""
src: ""
pre: ""
post: ""
- name: radicle
src: "https://radicle.dev/install"
pre: ~
post: ~
handler: radicle
- name: rustup
src: "https://sh.rustup.rs"
pre: ~
post: ~
handler: rustup
- name: julia
src: "https://install.julialang.org"
pre: ~
post: ~
handler: julia
- name: uv
src: "https://astral.sh/uv/install.sh"
pre: ~
post: ~
handler: uv
# <dict[<str>:<dict>]> representing package groups installed from source archives
archive:
# <list[<dict>]> representing system-level or essential source archives
core:
- name: "" # <str> arbitrary name, used by handler listener
src: "" # <str> URI/URL or path of archive file for software build
deploy: "" # <str> URI/URL or path to shell script, or handler listener name, to build software from archive
pre: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take before software build
post: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take after software build
# <list[<dict>]> representing user-level or supplemental source archives
userspace:
- name: ""
src: ""
deploy: ""
pre: ""
post: ""
- name: surge
src: "https://github.com/SurgeDM/Surge/releases/download/v0.8.6/Surge_0.8.6_linux_amd64.tar.gz"
deploy: ~
pre: ~
post: ~
handler: surge
- name: nvm
src: "https://nodejs.org/dist/v24.16.0/node-v24.16.0-linux-x64.tar.xz"
deploy: ~
pre: ~
post: ~
handler: nvm
- name: difftastic
src: "https://github.com/Wilfred/difftastic/releases/download/0.69.0/difft-x86_64-unknown-linux-gnu.tar.gz"
deploy: ~
pre: ~
post: ~
handler: difftastic
# <dict[<str>:<dict>]> representing package groups installed from source git repositories
git_repos:
# <list[<dict>]> representing system-level or essential git repositories
core:
- name: "" # <str> arbitrary name, used by handler listener
src: "" # <str> URI/URL or path of git repository
src_path: "" # <str> path in which to place git repository clone
branch: "" # <str> specific branch to pull or otherwise to swtich into
deploy: "" # <str> URI/URL or path to shell script, or handler listener name, to build or run from source repository
pre: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take before building or running from source repository
post: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take after building or running from source repository
# <list[<dict>]> representing user-level or supplemental git repositories
userspace:
- name: "" # <str> arbitrary name, used by handler listener
src: "" # <str> URI/URL or path of git repository
src_path: "" # <str> path in which to place git repository clone
remote: "" # <str> the name of the remote source of the git repository
branch: "" # <str> specific branch to pull or otherwise to swtich into
deploy: "" # <str> URI/URL or path to shell script, or handler listener name, to build or run from source repository
pre: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take before building or running from source repository
post: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take after building or running from source repository
# <dict[<str>:<dict>]> representing container image groups installed via container engine
containers:
# <list[<dict>]> representing system-level or essential container images
core: []
# <list[<dict>]> representing user-level or supplemental container images
userspace: []
# <dict[<str>:<dict>]> representing package groups installed via snap package
snaps:
# <list[<dict>]> representing system-level or essential packages
core: []
# <list[<dict>]> representing user-level or supplemental packages
userspace: []
# <dict[<str>:<dict>]> representing flatpak groups installed via flatpak package
flatpaks:
# <list[<dict>]> representing system-level or essential flatpaks
core: []
# <list[<dict>]> representing user-level or supplemental flatpaks
userspace: []
# userspace:
# - name: quartz
# src: "https://github.com/jackyzha0/quartz.git"
# branch: v5.0.0
# deploy: ~
# pre: ~
# post: ~
# handler: ~
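Review bot: `iptables` is added to the core package list with `handler: ~` directly under a `@TODO` asking for a handler to include its rule tasks, and `ufw` no longer appears in this list, so applying this config installs a firewall package but nothing in the file wires up rule deployment or persistence. The commit message mentions a systemd unit for loading rules, but that unit is not referenced by this entry, so until the handler exists fail2ban and crowdsec may have no firewall backend to act on (inferred — depends on the role's handler tasks, which are outside this file). Either set `handler: iptables` now with a matching listener that installs the rule script and unit, or replace the `@TODO` with a comment such as `# rules are loaded by the dedicated systemd unit; no handler needed` so the `~` reads as deliberate. The `headscale` entry below is likewise a `.deb` pulled from a release URL with `sigkey: ~`, so nothing here verifies that package before dpkg installs it.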


@@ -1,11 +1,33 @@
# @TODO use hosts and host groupings that refer or point to VM or containerized servers for testing
ungrouped:
hosts: ~
hosts:
staging0:
ansible_host: ~
staging1:
ansible_host: ~
sukaato:
hosts: ~
sukaato_test:
hosts:
staging0:
armitage:
hosts: ~
armitage_test:
hosts:
staging1:
vps:
children: ~
children:
sukaato:
vps_test:
children:
sukaato_test:
homeserver:
children: ~
children:
armitage:
homeserver_test:
children:
armitage_test:
test:
children:
vps_test:
homeserver_test:


@@ -1,12 +1,17 @@
# @NOTE run 'ansible-playbook' command on this using 'sudo'
- name: Initialize homeserver
hosts: armitage
hosts: "{{ chosen_host | default('armitage') }}"
remote_user: root
vars:
harden: true
local_facts:
user_id: ~ # REQUIRED
user_dir: ~ # REQUIRED
vars_files:
- vars/local_facts.yml # REQUIRED
- vars/vim_settings.yml # REQUIRED
- vars/vpn_server.yml # REQUIRED
- vars/tail_net.yml
- vars/crowdsec.yml
- vars/users@{{ inventory_hostname | default('homeserver') }}.yml
- vars/config@{{ inventory_hostname | default('homeserver') }}.yml
tasks:
- name: Hardening SSH server
ansible.builtin.include_role:
@@ -22,10 +27,20 @@
name: init-server
tasks_from: core@install-pkgs
handlers_from: core
# - name: Reboot machine for shell environment change
# ansible.builtin.reboot:
# msg: Rebooting machine
- name: Initializing groups and users
ansible.builtin.include_role:
name: init-server
tasks_from: ssh-users
tasks_from: ssh-users
- name: Updating hostname
become: true
ansible.builtin.hostname:
name: "{{ inventory_hostname }}"
- name: Updating host icon name
become: true
ansible.builtin.command:
cmd: "hostnamectl set-icon-name computer-server"
- name: Rebooting machine for hostname change
become: true
ansible.builtin.reboot:
msg: "Rebooting machine"
ignore_errors: true
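Review bot: The hostname change at L3389 is not preceded by `ansible.builtin.meta: flush_handlers`, so handlers notified by the role includes above (L3378-3380) stay queued until the end of the play, i.e. after the reboot at L3397; the VPS play in this same commit adds exactly that task (`- name: Flush handlers` / `ansible.builtin.meta: flush_handlers`) before its hostname task, and this play should do the same. `hostnamectl set-icon-name computer-server` (L3396) runs through `ansible.builtin.command`, which reports `changed` on every run; add `changed_when: false`. `ignore_errors: true` on the reboot task (L3401) also hides failures unrelated to the expected connection loss (a refused shutdown, a host that never returns); if the intent is only to tolerate the lost connection, a comment saying so, or dropping the post-reboot check with `test_command: ~` as the VPS play does, would be clearer.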

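--- /dev/null
+++ b/init@vps.yml
@@ -0,0 +1,55 @@
+# @NOTE run 'ansible-playbook' command on this using 'sudo'
+- name: Initialize VPS
+# hosts: sukaato
+hosts: "{{ chosen_host | default('sukaato') }}"
+remote_user: root
+vars:
+harden: true
+vars_files:
+- vars/local_facts.yml # REQUIRED
+- vars/vpn_server.yml # REQUIRED
+- vars/tail_net.yml
+- vars/crowdsec.yml
+- vars/users@{{ inventory_hostname | default('vps') }}.yml
+- vars/config@{{ inventory_hostname | default('vps') }}.yml
+tasks:
+- name: Hardening SSH server
+ansible.builtin.include_role:
+name: init-server # required. The name of the role to be executed.
+# apply: # not required. Accepts a hash of task keywords (e.g. C(tags), C(become)) that will be applied to all tasks within the included role.
+tasks_from: harden # not required. File to load from a role's C(tasks/) directory.
+# vars_from: main # not required. File to load from a role's C(vars/) directory.
+# defaults_from: main # not required. File to load from a role's C(defaults/) directory.
+# allow_duplicates: True # not required. Overrides the role's metadata setting to allow using a role more than once with the same parameters.
+# handlers_from: main # not required. File to load from a role's C(handlers/) directory.
+- name: Installing requisite packages
+ansible.builtin.include_role:
+name: init-server
+tasks_from: core@install-pkgs
+handlers_from: core
+- name: Initializing groups and users
+ansible.builtin.include_role:
+name: init-server
+tasks_from: ssh-users
+- name: Flush handlers
+ansible.builtin.meta: flush_handlers
+- name: Update hostname
+become: true
+ansible.builtin.hostname:
+name: "{{ inventory_hostname }}"
+- name: Update host icon name
+become: true
+ansible.builtin.command:
+cmd: "hostnamectl set-icon-name computer-server"
+- name: Notifying user that all processes have finished
+ansible.builtin.debug:
+msg: All processes finished. Hit enter to reboot machine.
+- name: Ensuring user has read prior message regarding upcoming reboot
+ansible.builtin.pause:
+- name: Rebooting machine for hostname change
+become: true
+ansible.builtin.reboot:
+msg: "Rebooting machine.."
+connect_timeout: 0
+test_command: ~
+ignore_errors: true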
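Review bot: `hostnamectl set-icon-name computer-server` at L3450 runs through `ansible.builtin.command`, which reports `changed` on every run; add `changed_when: false` so the play stays idempotent. `ignore_errors: true` at L3462 covers the whole reboot task rather than the expected loss of connectivity, so a refused shutdown or a host that never comes back is still reported as success; since `test_command: ~` already disables the post-reboot check, a short comment stating which failure is being tolerated, or leaving the module's own timeout to decide, would be safer. The `# hosts: sukaato` line at L3410 is dead and already expressed by the `default('sukaato')` on L3411.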


@@ -0,0 +1,14 @@
[Unit]
Description=dsnet
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
ExecStart=/usr/bin/dsnet up
ExecStop=/usr/bin/dsnet down
RemainAfterExit=yes
ExecReload=/usr/bin/dsnet sync
[Install]
WantedBy=default.target
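Review bot: `WantedBy=default.target` at L3478 is the user-manager convention; this unit is copied to `/etc/systemd/system` by the dsnet task file in this commit, where a network service is normally anchored with `WantedBy=multi-user.target` — in the system manager `default.target` typically resolves to that anyway, so it works, but it reads as a user unit. `ExecReload=` at L3476 sits after `RemainAfterExit=`; grouping it with the other `Exec*=` lines makes the `[Service]` stanza easier to scan. A one-line comment such as `# oneshot + RemainAfterExit keeps the unit active so ExecStop runs 'dsnet down' on stop` would document why that pairing is needed.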


@@ -0,0 +1,14 @@
[Unit]
Description=thrunet
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/dsnet-forward.sh start
ExecStop=/usr/local/bin/dsnet-forward.sh stop
RemainAfterExit=yes
# ExecReload=/usr/bin/dsnet sync
[Install]
WantedBy=default.target
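Review bot: This unit installs iptables rules tied to the `dsnet` interface (via the script at L3489-3490) but declares no ordering or binding to `dsnet.service`, so at boot it is independent of the interface coming up and on `systemctl stop dsnet` the FORWARD and MASQUERADE rules stay in place; add `After=dsnet.service` and `BindsTo=dsnet.service` (or `Requires=`) under `[Unit]`, or fold the script into `dsnet.service` as `ExecStartPost=`/`ExecStopPost=`. The commented `# ExecReload=/usr/bin/dsnet sync` at L3492 was copied from the other unit and should be dropped here.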


@@ -0,0 +1,10 @@
#!/bin/bash
set -euo pipefail
if [[ "$1" == "start" ]]; then
/usr/sbin/iptables -A FORWARD -i dsnet -p tcp --sport {80,443,465,587,995,110,143,993} -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -o dsnet -j MASQUERADE
elif [[ "$1" == "stop" ]]; then
/usr/sbin/iptables -D FORWARD -i dsnet -p tcp --sport {80,443,465,587,995,110,143,993} -j ACCEPT
/usr/sbin/iptables -t nat -D POSTROUTING -o dsnet -j MASQUERADE
fi
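Review bot: The port list `{80,443,465,587,995,110,143,993}` on L3502 and L3505 is a bash brace expansion, not an iptables port set — the shell expands it into eight separate words, so iptables receives `--sport 80 443 465 …` and rejects the command, and under `set -e` the `start` action aborts before the MASQUERADE rule is added; iptables expects `-m multiport --sports 80,443,…` for a list. `$1` is read unguarded under `set -u` (L3501), so running the script with no argument dies with an unbound-variable error instead of a usage message, and any other argument silently does nothing. On `stop`, `-D` of a rule that was never inserted also fails under `set -e` and leaves the MASQUERADE rule behind. Whether source ports (`--sports`) or destination ports are meant for traffic entering from `dsnet` is not stated; a comment giving the traffic direction would help the next reader.
```shell
#!/bin/bash
set -euo pipefail
PORTS="80,443,465,587,995,110,143,993"
case "${1:-}" in
  start) action="-A" ;;
  stop)  action="-D" ;;
  *) echo "usage: $0 start|stop" >&2; exit 2 ;;
esac
/usr/sbin/iptables "$action" FORWARD -i dsnet -p tcp -m multiport --sports "$PORTS" -j ACCEPT
/usr/sbin/iptables -t nat "$action" POSTROUTING -o dsnet -j MASQUERADE
```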


@@ -1,11 +1,27 @@
# SPDX-License-Identifier: MIT-0
---
# handlers file for roles/init-vps
- name: Setting up Radicle
- name: Skipping to next installaton
ansible.builtin.debug:
msg: "No post-installaton or additional installation steps needed--continuing..."
listen: default
- name: Setting up Crowdsec
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/radicle.yml
listen: radicle
- name: Setting up ViM
file: tasks/contingent/pkg/crowdsec.yml
listen: crowdsec
- name: Setting up Headscale
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/vim.yml
listen: vim
file: tasks/contingent/pkg/headscale.yml
listen: headscale
- name: Setting up Git
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/git.yml
listen: git
- name: Setting up TOR
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/tor.yml
listen: tor
- name: Setting up DSNet
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/dsnet.yml
listen: dsnet
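Review bot: The `default` handler's name and user-facing message carry the typo "installaton" twice (L3516, L3518); `- name: Skipping to next installation` and `msg: "No post-installation or additional installation steps needed--continuing..."` fix both. The same two lines appear in the second handlers file of this commit (L3552, L3554). The header comment `# handlers file for roles/init-vps` (L3514) names a role the playbooks include as `init-server`; worth confirming and updating to the actual role path.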


@@ -1,6 +1,14 @@
# SPDX-License-Identifier: MIT-0
---
# handlers file for roles/init-vps
- name: Skipping to next installaton
ansible.builtin.debug:
msg: "No post-installaton or additional installation steps needed--continuing..."
listen: default
- name: Setting up ViM
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/vim.yml
listen: vim
- name: Settng up NeoViM
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/neovim.yml
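Review bot: The new `Settng up NeoViM` handler (L3560-3562) has no `listen:` key, unlike every other handler in these files, so it can only be triggered by its exact name; a package entry that notifies `neovim` through `handler: neovim` would fail the play with an unknown-handler error, and nothing would include `tasks/contingent/pkg/neovim.yml`. Add `listen: neovim` after L3562 and fix the name to `Setting up NeoViM`.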


@@ -0,0 +1,40 @@
- name: Restarting SystemD service
become: true
ansible.builtin.systemd_service:
name: crowdsec
scope: system
enabled: true
state: started
- name: Changing the address and port of the Crowdsec server
become: true
ansible.builtin.lineinfile:
path: /etc/crowdsec/config.yaml
regexp: "^ {4}listen_uri"
line: " listen_uri: localhost:{{ crowdsec.port }}"
owner: root
group: root
mode: "644"
- name: Changing the address of the Crowdsec Prometheus server
become: true
ansible.builtin.lineinfile:
path: /etc/crowdsec/config.yaml
regexp: "^ {2}listen_addr"
line: " listen_addr: localhost"
owner: root
group: root
mode: "644"
- name: Changing target or expected address for credentials of the Crowdsec local API
become: true
ansible.builtin.lineinfile:
path: /etc/crowdsec/local_api_credentials.yaml
regexp: "^url"
line: "url: http://localhost:{{ crowdsec.port }}"
owner: root
group: root
mode: "644"
- name: Restarting SystemD service
become: true
ansible.builtin.systemd_service:
name: crowdsec
scope: system
state: restarted
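Review bot: The task at L3592-3600 rewrites `/etc/crowdsec/local_api_credentials.yaml` — the file crowdsec uses to store its LAPI login and password — with `mode: "644"`, which makes those credentials readable by every local account on the managed node; drop the `mode`/`owner`/`group` keys so the package's permissions are kept, or set `mode: "0600"`. The first task (L3567-3573) is named `Restarting SystemD service` but does `enabled: true` / `state: started`, so the log shows two restarts; name it `Starting and enabling SystemD service`. The three `lineinfile` edits followed by an unconditional restart (L3601-3606) restart crowdsec on every run; registering the edits or notifying a restart handler keeps it idempotent. The regexes `^ {4}listen_uri` / `^ {2}listen_addr` depend on the exact indentation of the shipped config — a comment naming the config section each line lives in would help when the upstream layout changes.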


@@ -15,7 +15,7 @@
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/downloads/archives/released/difftastic/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- difft
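Review bot: The link targets move from `/usr/local/bin` into `/usr/bin` (L3615), a directory owned by the distribution's package manager where links can be clobbered by or conflict with packages, while FHS reserves `/usr/local` for locally installed software — the same move appears in the juliaup, node (including `/usr/include`, `/usr/lib`, `/usr/share/man` and `/usr/share/doc`), radicle, rustup, surge and uv task files and in `core@install-pkgs` (`dest: "/usr/bin/{{ item.name }}"`). None of these hunks removes the previous `/usr/local/...` links, so hosts provisioned with the earlier version keep a stale duplicate that is typically earlier in PATH; a `state: absent` task for the old paths should accompany the change. These links also put binaries that live under the unprivileged user's home directory on root's default PATH; if root ever runs them, that is a write-as-user/execute-as-root boundary worth a comment in the task file. The commented-out reboot tasks left at the end of the juliaup, node, radicle, rustup and uv files can be deleted now that the playbooks reboot once.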


@@ -0,0 +1,147 @@
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
register: current_user
- name: Initializing DSNet
become: true
ansible.builtin.command:
cmd: dsnet init
- name: Running DSNet VPN service interface
become: true
ansible.builtin.command:
cmd: dsnet up
- name: Creating a directory to house VPN service client configurations
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d"
recurse: true
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "755"
state: directory
- name: Adding peer device for DSNet VPN service interface
become: true
ansible.builtin.shell:
cmd: "dsnet add {{ item.name }}{{ idx }} --owner {{ current_user.stdout }} --description 'For {{ item.name }}--{{ item.desc }}' --confirm > {{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
creates: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ idx }}.conf"
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
- name: Changing ownership of consequent DSNet VPN service client configurations
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
state: file
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
- name: Pausing to inquire about how to proceed
ansible.builtin.pause:
prompt: "Type \"fetch\" to get the DSNet VPN service client configuration files, or \"show\" to see their contents for manual copying instead"
echo: true
register: data_method
- name: Presenting DSNet VPN service client configuration files to control node for copying
when: data_method.user_input == "show"
block:
- name: Acquiring contents of DSNet VPN service client configuration files
ansible.builtin.slurp:
src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
register: vpn_client_configs
- name: Presenting contents of DSNet VPN service client configurations to control node
ansible.builtin.debug:
msg: "Copy this client configuration of the DSNet VPN service:\n {{ item.content }}"
loop: "{{ vpn_client_configs.results }}"
- name: Giving opportunity to manually copy contents of DSNet VPN service client configuration files
ansible.builtin.pause:
- name: Providing DSNet VPN service client configuration files to control node machine
when: data_method.user_input == "fetch"
block:
- name: Dupliciating DSNet VPN service client configuration files to control node
ansible.builtin.fetch:
src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
dest: "./.tmp/{{ inventory_hostname }}-dsnet/wg/"
flat: true
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
- name: Informing control node of acquired files
ansible.builtin.debug:
msg: "The DSNet VPS service client configuration files have been duplicated to '/var/tmp/{{ inventory_hostname }}/wg/' at the control node."
- name: Giving control node user time to read the aforementiioned message
ansible.builtin.pause:
seconds: 30
- name: Ensuring IP forwarding is allowed
become: true
ansible.posix.sysctl:
name: "net.{{ item }}.ip_forward"
value: "1"
sysctl_set: true
state: present
loop:
- ipv4
# - ipv6
- name: Creating SystemD unit for placing up DSNet interface
become: true
ansible.builtin.copy:
src: systemd/system/dsnet.service
dest: /etc/systemd/system/dsnet.service
owner: root
group: root
force: true
backup: true
- name: Reloading SystemD and enabling DSNet interface
become: true
ansible.builtin.systemd_service:
name: dsnet
enabled: true
daemon_reload: true
- name: Copying script for DSNet iptables rules
become: true
ansible.builtin.copy:
src: usr/local/bin/dsnet-forward.sh
dest: /usr/local/bin/
owner: root
group: root
mode: "744"
force: true
backup: true
- name: Creating SystemD unit for DSNet iptables rules
become: true
ansible.builtin.copy:
src: systemd/system/thrunet.service
dest: /etc/systemd/system/thrunet.service
owner: root
group: root
force: true
backup: true
- name: Reloading SystemD and enabling iptables rules SystemD unit
become: true
ansible.builtin.systemd_service:
name: thrunet
enabled: true
daemon_reload: true
- name: Forwarding network traffic on certain ports to Wireguard VPS service interface
become: true
ansible.builtin.iptables:
chain: FORWARD
protocol: "{{ item[0][0] }}"
source_port: "{{ item[0][1] }}"
in_interface: "{{ item[1] }}"
jump: ACCEPT
loop: "{{ vpn_server.forwards | product([vpn_server.interface]) }}"
- name: Forwarding network traffic on certain ports to Wireguard VPS service interface
become: true
ansible.builtin.iptables:
table: nat
chain: POSTROUTING
out_interface: "{{ vpn_server.interface }}"
jump: MASQUERADE
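Review bot: The client configuration files written by the root shell redirect at L3652 get whatever mode root's umask yields, and their parent directory is created `mode: "755"` (L3647); peer configs produced by `dsnet add` typically contain the peer's private key, so set `mode: "0700"` on the directory task and add `mode: "0600"` to the ownership task at L3657-3662. `dsnet init` and `dsnet up` (L3633-3640) run through `ansible.builtin.command` with no `creates:` or `changed_when:`, so every run reports changes and a second `dsnet init` on an already-initialised host may refuse or overwrite the existing configuration — a `creates:` pointing at dsnet's configuration file would guard it. The message at L3700 names `/var/tmp/{{ inventory_hostname }}/wg/` while the fetch at L3693 writes to `./.tmp/{{ inventory_hostname }}-dsnet/wg/`; the Surge task file has the same mismatch (L4057 vs L4061). The two final iptables tasks share one name (L3754, L3763) and add the same rules that `thrunet.service` installs at boot, so a run after a reboot can leave duplicate FORWARD entries; naming the second `Masquerading ...` and keeping a single source for the rules would avoid that. The two `shell` lookups at L3623-3632 also lack `changed_when: false`.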


@@ -0,0 +1,39 @@
---
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
- name: Configuring Headscale
become: true
ansible.builtin.template:
src: headscale/config.yaml.j2
dest: /etc/headscale/config.yaml
owner: root
group: root
mode: "644"
force: true
backup: true
- name: Starting SystemD service
become: true
ansible.builtin.systemd_service:
name: headscale
scope: system
enabled: true
state: started
- name: Registering a headscale user
become: true
ansible.builtin.command:
# cmd: "headscale users create {{ item.username }} -d '{{ item.dname }}' -e '{{ item.email }}' -p '{{ pfp | default(default_pfp) }}'"
cmd: "headscale users create {{ item.username }} -d '{{ item.dname }}' -e '{{ item.email }}'"
# vars:
# default_pfp: ~
loop: "{{ tail.users }}"
register: headscale_registration
changed_when:
- "'User created' in headscale_registration.stdout"
- headscale_registration.rc == 0
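Review bot: The `Acquiring current user` task at L3780-3783 runs a shell command but has no `register:`, so its output is discarded — the sibling dsnet task file registers the same command as `current_user`; either add `register: current_user` or drop the task. `headscale users create` (L3805) is not idempotent: on a second run against an existing user the command presumably exits non-zero and fails the task, so a `failed_when` that tolerates the already-exists case (or a preceding `headscale users list` check) is needed. The two `shell` lookups also lack `changed_when: false`, and the commented `pfp` variant at L3804 and L3806-3807 is dead code.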


@@ -19,7 +19,7 @@
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.juliaup/bin/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
owner: root
group: root
state: link
@@ -27,6 +27,6 @@
- julia
- julialauncher
- juliaup
- name: Reboot machine for shell environment change
ansible.builtin.reboot:
msg: Rebooting machine
# - name: Reboot machine for shell environment change
# ansible.builtin.reboot:
# msg: Rebooting machine


@@ -8,15 +8,7 @@
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
- name: Copy system ViM configuration to home directory
become: true
ansible.builtin.copy:
remote_src: /root/.vimrc
dest: "{{ ansible_user_home.stdout }}/.vimrc"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "644"
state: present
register: current_user
- name: Creating directory tree for NeoViM configuration files
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.config/nvim"
@@ -33,4 +25,5 @@
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "644"
state: present
force: true
backup: true


@@ -20,7 +20,7 @@
- name: Linking binaries to directories already in PATH environment variable
ansible.builtin.file:
src: "{{ item[0] }}/bin/{{ item[1] }}"
dest: "/usr/local/bin/{{ item[1] }}"
dest: "/usr/bin/{{ item[1] }}"
owner: root
group: root
state: link
@@ -28,7 +28,7 @@
- name: Linking binaries to directories already in PATH environment variable
ansible.builtin.file:
src: "{{ item[0] }}/lib/node_modules/corepack/dist/{{ item[1] }}.js"
dest: "/usr/local/bin/{{ item[1] }}"
dest: "/usr/bin/{{ item[1] }}"
owner: root
group: root
state: link
@@ -36,7 +36,7 @@
- name: Linking binaries to directories already in PATH environment variable
ansible.builtin.file:
src: "{{ item[0] }}/lib/node_modules/npm/bin/{{ item[1] }}-cli.js"
dest: "/usr/local/bin/{{ item[1] }}"
dest: "/usr/bin/{{ item[1] }}"
owner: root
group: root
state: link
@@ -44,7 +44,7 @@
- name: Link includes to directories already recognized by system
ansible.builtin.file:
src: "{{ item[0] }}/include/{{ item[1] }}"
dest: "/usr/local/include/{{ item[1] }}"
dest: "/usr/include/{{ item[1] }}"
owner: root
group: root
state: link
@@ -52,14 +52,14 @@
- name: Link requisite libraries to directories already recognized by system
ansible.builtin.file:
src: "{{ item[0] }}/lib/{{ item[1] }}"
dest: "/usr/local/lib/{{ item[1] }}"
dest: "/usr/lib/{{ item[1] }}"
owner: root
group: root
state: link
loop: "{{ prebuilt_nodepaths | product(['node_modules']) }}"
- name: Create man1 subdirectory for man pages
ansible.builtin.file:
path: /usr/local/share/man/man1
path: /usr/share/man/man1
recurse: true
owner: root
group: root
@@ -68,14 +68,14 @@
- name: Link shared resources to directories already recognized by system
ansible.builtin.file:
src: "{{ item[0] }}/share/man/man1/{{ item[1] }}.1"
dest: "/usr/local/share/man/man1/{{ item[1] }}.1"
dest: "/usr/share/man/man1/{{ item[1] }}.1"
owner: root
group: root
state: link
loop: "{{ prebuilt_nodepaths | product(['node']) }}"
- name: Create man1 subdirectory for man pages
ansible.builtin.file:
path: /usr/local/share/doc
path: /usr/share/doc
recurse: true
owner: root
group: root
@@ -84,12 +84,12 @@
- name: Link shared resources to directories already recognized by system
ansible.builtin.file:
src: "{{ item[0] }}/share/doc/{{ item[1] }}"
dest: "/usr/local/share/doc/{{ item[1] }}"
dest: "/usr/share/doc/{{ item[1] }}"
owner: root
group: root
state: link
loop: "{{ prebuilt_nodepaths | product(['node']) }}"
- name: Reboot machine for shell environment change
ansible.builtin.reboot:
msg: Rebooting machine
# - name: Reboot machine for shell environment change
# ansible.builtin.reboot:
# msg: Rebooting machine


@@ -21,7 +21,7 @@
- name: Linking binaries to directories already in PATH environment variable
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.radicle/bin/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- rad
@@ -29,7 +29,7 @@
- git-remote-rad
- name: Create man1 subdirectory for man pages
ansible.builtin.file:
path: /usr/local/share/man/man1
path: /usr/share/man/man1
recurse: true
owner: root
group: root
@@ -38,7 +38,7 @@
- name: Link manpages to Linux manpage directories
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.radicle/man/man1/{{ item }}.1"
dest: "/usr/local/share/man/man1/{{ item }}.1"
dest: "/usr/share/man/man1/{{ item }}.1"
state: link
loop:
- rad
@@ -46,6 +46,6 @@
- git-remote-rad
- rad-id
- rad-patch
- name: Reboot machine for shell environment change
ansible.builtin.reboot:
msg: Rebooting machine
# - name: Reboot machine for shell environment change
# ansible.builtin.reboot:
# msg: Rebooting machine


@@ -19,10 +19,10 @@
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.cargo/bin/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- rustup
- name: Reboot machine for shell environment change
ansible.builtin.reboot:
msg: Rebooting machine
# - name: Reboot machine for shell environment change
# ansible.builtin.reboot:
# msg: Rebooting machine


@@ -8,7 +8,7 @@
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/downloads/archives/released/surge/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- surge
@@ -19,8 +19,39 @@
ansible.builtin.command:
cmd: surge token
register: surge_token
- name: Presenting Surge API token to Control Node
ansible.builtin.debug:
msg: "Make sure to store the following API token for Surge:\n {{ surge_token.stdout }}"
- name: Pausing to ensure completion of manual act
- name: Pausing to inquire about how to proceed
ansible.builtin.pause:
prompt: "Type \"fetch\" to get the Surge API token, or \"show\" to see it for manual copying instead"
echo: true
register: data_method
- name: Choosing to present Surge API token to Control Node
when: data_method.user_input == "show"
block:
- name: Presenting Surge API token to Control Node
ansible.builtin.debug:
msg: "Make sure to store the following API token for Surge:\n {{ surge_token.stdout }}"
- name: Giving opportunity to manually copy Surge API token
ansible.builtin.pause:
- name: Choosing to provide file on control node containing Surge's API token
when: data_method.user_input == "fetch"
block:
- name: Creating temporary file on managed node that stores Surge API token
become: true
ansible.builtin.copy:
content: "{{ surge_token.stdout }}"
dest: /tmp/surge.token
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "644"
register: surge_token
- name: Placing Surge API token into file on control node
ansible.builtin.fetch:
src: "{{ surge_token.dest }}"
dest: "./.tmp/{{ inventory_hostname }}-surge/surge.secret"
flat: true
- name: Informing control node of acquired files
ansible.builtin.debug:
msg: "The Surge API token file have been duplicated to '/var/tmp/{{ inventory_hostname }}/surge.token' at the control node."
- name: Giving control node user time to read the aforementiioned message
ansible.builtin.pause:
seconds: 30
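Review bot: The Surge API token is written to `/tmp/surge.token` with `mode: "644"` (L4049-4052), world-readable in a shared directory, and nothing removes the file after the fetch at L4054-4058; use `mode: "0600"`, point `dest` at the user's home or an `ansible.builtin.tempfile` result, and add a `state: absent` task after the fetch (or skip the managed-node file entirely and write `surge_token.stdout` on the control node with `ansible.builtin.copy` under `delegate_to: localhost`). `register: surge_token` at L4053 overwrites the command result from L4024 with the copy result, which L4056 relies on but reads as a bug; a distinct name such as `surge_token_file` would make the intent clear. The registered command result holds the token and is printed under `-v`; `no_log: true` on the task at L4022-4024 and on L4045-4053 keeps it out of logs. The message at L4061 names `/var/tmp/{{ inventory_hostname }}/surge.token` while the fetch writes `./.tmp/{{ inventory_hostname }}-surge/surge.secret`.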


@@ -0,0 +1,8 @@
---
- name: Starting and enabling TOR daemon service
become: true
ansible.builtin.systemd_service:
name: tor
scope: system
enabled: true
state: started


@@ -19,11 +19,11 @@
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.local/bin/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- uv
- uvx
- name: Reboot machine for shell environment change
ansible.builtin.reboot:
msg: Rebooting machine
# - name: Reboot machine for shell environment change
# ansible.builtin.reboot:
# msg: Rebooting machine


@@ -19,6 +19,7 @@
recurse: true
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "755"
state: directory
loop:
- autoload
@@ -30,7 +31,7 @@
become_user: "{{ current_user.stdout }}"
ansible.builtin.uri:
url: "https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim"
dest: "{{ ansible_user_home.stdout }}/.vim/autoload/"
dest: "{{ ansible_user_home.stdout }}/.vim/autoload/plug.vim"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
force: true
@@ -40,32 +41,15 @@
become: true
become_user: "{{ current_user.stdout }}"
ansible.builtin.template:
src: vimrc.j2
src: user/vimrc.j2
dest: "{{ ansible_user_home.stdout }}/.vimrc"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
force: true
backup: true
vars:
vim_spatialize: true
vim_tabgap: 2
vim_blockedcursor: true
vim_historyspan: 500
vim_origami: true
vim_eddelimiters: true
vim_gitspice: true
vim_statusline: true
vim_fancycomment: true
vim_idelangs: true
vim_pathcompletion: true
vimignore:
- "*.docx"
- "*.jpg"
- "*.png"
- "*.gif"
- "*.pdf"
- "*.pyc"
- "*.exe"
- "*.flv"
- "*.img"
- "*.xlsx"
- name: Informing user of need to manually run PlugInstall in ViM
ansible.builtin.debug:
msg: "Make sure to run \":PlugInstall\" the first time you open/use ViM"
- name: Pausing to ensure user has read message about needed manual PlugInstall execution for ViM
ansible.builtin.pause:
seconds: 30
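Review bot: The plug.vim download at L4110-4112 pulls from the `master` branch of the upstream repository with no pinning and no integrity check, and the file is executed by Vim for this user; fetch a tagged commit instead and verify it, e.g. with `ansible.builtin.get_url` and `checksum: "sha256:<PLACEHOLDER-EXPECTED-DIGEST>"`, since `uri` has no checksum option. The download task also sets no `mode:`; `mode: "0644"` makes the resulting permissions explicit. The `vim_*` and `vimignore` settings removed from L4127-4149 now have to come from `vars/vim_settings.yml` (listed by the playbook); a comment on the template task noting that dependency would save the next reader a search.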


@@ -45,9 +45,55 @@
when: ansible_facts["os_family"] == "Debian"
become: true
block:
- name: Creating core OS repository sources for package manager
when: ansible_facts["os_family"] == "Debian"
ansible.builtin.deb822_repository:
name: "{{ item.name }}"
uris: "{{ item.sources }}"
types: "{{ item.types }}"
suites: "{{ item.suites }}"
components: "{{ item.comps }}"
signed_by: "{{ item.sigkey }}"
state: present
loop:
- name: debian-trixie
sources: "http://deb.debian.org/debian/"
sigkey: /usr/share/keyrings/debian-archive-keyring.gpg
types:
- deb-src
- deb
suites:
- trixie
- trixie-updates
comps:
- main
- non-free-firmware
- contrib
- name: debian-trixie-security
sources: "http://security.debian.org/debian-security"
sigkey: /usr/share/keyrings/debian-archive-keyring.gpg
types:
- deb-src
- deb
suites: trixie-security
comps:
- main
- non-free-firmware
- contrib
- name: Remove previous core OS repository sources for package manager
ansible.builtin.file:
path: /etc/apt/sources.list
state: absent
# @TODO uncomment below before continuing with testing previous task
# - name: Premature end of play
# ansible.builtin.meta: end_play
- name: Updating package cache
ansible.builtin.apt:
update_cache: true
- name: Updating package cache
ansible.builtin.apt:
upgrade: dist
autoremove: true
- name: Registering a package source
when: item.sources != None
ansible.builtin.deb822_repository:
@@ -59,24 +105,22 @@
signed_by: "{{ item.sigkey }}"
state: present
loop: "{{ ((pkgs.mngr.core | default([]))) }}"
- name: Updating package cache
ansible.builtin.apt:
update_cache: true
- name: Installing a local package in managed node
when: item.uri != None
ansible.builtin.apt:
deb: "{{ item.uri }}"
state: present
# @TODO add a default value for notify
# notify: "{{ item.name }}"
notify: "{{ item.handler | default('default') }}"
loop: "{{ (pkgs.mngr.core | default([])) | selectattr('uri', 'search', '\\.deb$') }}"
- name: Updating package cache
ansible.builtin.apt:
update_cache: true
- name: Installing a package
when: item.name != None and item.uri == None
ansible.builtin.package:
name: "{{ item.name }}"
state: latest
# @TODO add a default value for notify
# notify: "{{ item.name }}"
state: present
notify: "{{ item.handler | default('default') }}"
loop: "{{ ((pkgs.mngr.core | default([]))) | rejectattr('uri', 'search', '\\.deb$') }}"
tags:
- get_mngr_pkgs
@@ -94,12 +138,15 @@
group: "{{ ansible_user }}"
force: true
mode: "744"
# @TODO add a default value for notify
notify: "{{ ((pkgs.script.core | default([])))[idx].name }}"
notify: "{{ ((pkgs.script.core | default([])))[idx].handler | default('default') }}"
loop: "{{ (pkgs.script.core | default([])) }}"
loop_control:
index_var: idx
register: install_scripts
- name: Reboot machine for shell environment change
become: true
ansible.builtin.reboot:
msg: Rebooting machine
tags:
- get_script_pkgs
- name: Installing software by building it from source archives
@@ -131,16 +178,21 @@
loop_control:
index_var: idx
- name: Unarchiving software build archive
become: true
become_user: "{{ current_user.stdout }}"
when: item.dest != None and (((pkgs.script.core | default([]))) | length) > 0
ansible.builtin.unarchive:
src: "{{ item.dest }}"
remote_src: true
dest: "{{ ansible_user_home.stdout }}/downloads/archives/released/{{ ((pkgs.archive.core | default([])))[idx].name }}/"
# @TODO add a default value for notify
notify: "{{ ((pkgs.archive.core | default([])))[idx].name }}"
notify: "{{ ((pkgs.archive.core | default([])))[idx].handler | default('default') }}"
loop: "{{ archived_builds.results }}"
loop_control:
index_var: idx
- name: Reboot machine for shell environment change
become: true
ansible.builtin.reboot:
msg: Rebooting machine
tags:
- get_archive_pkgs
- name: Installing software from source git repositories
@@ -155,9 +207,27 @@
version: "{{ item.branch }}"
clone: true
single_branch: true
# @TODO add a default value for notify
notify: "{{ item.name }}"
notify: "{{ item.handler | default('default') }}"
loop: "{{ (pkgs.git_repos.core | default([])) }}"
register: installation_repos
- name: Reboot machine for shell environment change
become: true
ansible.builtin.reboot:
msg: Rebooting machine
tags:
- get_git_pkgs
- name: Installing software as pre-compiled binary
block:
- name: Grabbing software binary
become: true
ansible.builtin.get_url:
url: "{{ item.src }}"
dest: "/usr/bin/{{ item.name }}"
owner: root
group: root
mode: "744"
force: true
backup: true
notify: "{{ item.handler }}"
loop: "{{ (pkgs.binaries.core | default([])) }}"
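Review bot: The new `Grabbing software binary` task (L4305-4316) downloads an arbitrary URL straight into `/usr/bin` as root with mode 744 and no `checksum:`, so a tampered or substituted download is installed and run unverified; `ansible.builtin.get_url` supports `checksum: "{{ item.checksum }}"` — add a `checksum` field (e.g. `sha256:<PLACEHOLDER-EXPECTED-DIGEST>`) to the `pkgs.binaries` entries and pass it here. `notify: "{{ item.handler }}"` at L4315 lacks the `| default('default')` every other install loop in this file uses (L4229, L4242, L4252, L4277, L4294), so an entry without `handler` would fail the play. The block also has no `tags:` entry, unlike the sibling `get_*_pkgs` blocks. Earlier in this section two tasks share the name `Updating package cache` (L4205, L4208) although the second performs a dist-upgrade; `Upgrading all packages` would describe it.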


@@ -18,20 +18,41 @@
ansible.builtin.set_fact:
root_pubkeys: "{{ root_pubkeys | default([]) + [lookup('file', item)] }}"
loop: "{{ root_pubkey_paths }}"
- name: Ensuring password is defined for root user
when: prehashed_password is undefined or prehashed_password == None
block:
- name: Prompting for password for or of root user
when: password is undefined or password == None
ansible.builtin.pause:
prompt: "Provide a password for the root user"
echo: false
register: prompted_password
- name: Getting the inputted password for root user
when: prompted_password is defined or prompted_password != None
ansible.builtin.set_fact:
prehashed_password: "{{ prompted_password.user_input }}"
- name: Bootstrapping VPS
block:
- name: Ensuring token is available for VPS service API
when: token is undefined or token == None
ansible.builtin.pause:
prompt: "Provide the API token for the given VPS service"
echo: false
register: prompted_token
- name: Creating VPS via Linode VPS service API
block:
- name: Creating the VPS
linode.cloud.instance:
api_token: "{{ token }}"
api_token: "{{ token | prompted_token.user_input }}"
label: "{{ instance }}"
type: g6-standard-2
image: "{{ operating_system }}"
disk_encryption: enabled
region: "{{ origin }}"
private_ip: true
root_pass: "{{ password }}"
# @TODO find out if 'root_pass' attribute takes in hashed or plaintext password
# root_pass: "{{ password | default((prehashed_password | lookup('password_hash', hashtype='sha512'))) }}" # IF HASHED
root_pass: "{{ password | default(prehashed_password) }}" # IF PLAINTEXT
authorized_keys: "{{ root_pubkeys }}"
state: present
register: new_instance
@@ -43,7 +64,6 @@
timeout: 300
vars:
ansible_ssh_private_key_file: "{{ chosen_privkey | default(ssh_keypairs.files | rejectattr('path', 'search', '\\.pub$') | map(attribute='path') | list | random) }}" # @TODO define 'chosen_privkey'in playbook
ansible_user: root
loop: "{{ new_instance.instance[ip_pref] }}"
tags:
- linode
@@ -66,8 +86,6 @@
ansible.builtin.wait_for_connection:
delay: 20
timeout: 300
vars:
ansible_user: root
loop: "{{ groups[instance] | default(hostvars[instance]) }}"
- name: Checking if that server has required operating system
delegate_to: "{{ item }}"
@@ -76,8 +94,6 @@
when: ansible_facts["system"] != "Linux" and item is ansible.utils['ip_pref']
ansible.builtin.fail:
msg: Unsupported operating system found
vars:
ansible_user: root
loop: "{{ groups[instance] | default(hostvars[instance]) }}"
- name: Checking if that server has required Linux distro
delegate_to: "{{ item }}"
@@ -86,19 +102,16 @@
when: ansible_facts["system"] == "Linux" and ansible_facts["os_family"] != "Debian" and item is ansible.utils['ip_pref']
ansible.builtin.fail:
msg: Unsupported Linux distro found
vars:
ansible_user: root
loop: "{{ groups[instance] | default(hostvars[instance]) }}"
- name: Providing authorized keys for server root account
delegate_to: "{{ item[0] }}"
delegate_facts: true
become: true
remote_user: root
ansible.posix.authorized_key:
user: "{{ ansible_user }}"
key: "{{ lookup('file', item[1]) }}"
state: present
vars:
ansible_user: root
loop: "{{ (groups[instance] | default(hostvars[instance])) | product(root_pubkey_paths) }}"
tags:
- lan
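Review bot: `api_token: "{{ token | prompted_token.user_input }}"` at L4350 uses `|`, the Jinja filter operator, so Ansible looks for a filter named `prompted_token.user_input` and the task errors before the instance is created; the intended fallback is `api_token: "{{ token | default(prompted_token.user_input) }}"`, matching the `root_pass` form at L4360. `when: prompted_password is defined or prompted_password != None` at L4334 needs `and`, otherwise the second operand is evaluated on an undefined variable whenever the first is false. The prompted password and token end up in registered results and in a plain fact (`prehashed_password` at L4336 holds plaintext despite its name), which appear in verbose output and logs; add `no_log: true` to the `pause`/`set_fact` tasks at L4327-4336 and L4341-4344 and rename the fact to something like `prompted_root_password`. The `@TODO` at L4358 about whether `root_pass` expects a hash or plaintext is worth resolving before this lands.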


@@ -16,6 +16,27 @@
register: remote_group
tags:
- lan
- name: Managing passwords
when: prehashed_passwords is undefined or prehashed_passwords == None
block:
- name: Acquiring users lacking passwords
ansible.builtin.set_fact:
passwordless_admins: "{{ admins | selectattr('password', '==', 'null') | list }}"
- name: Pausing to acquire password for a user
when: item.password is undefined or item.password == None
ansible.builtin.pause:
prompt: "Provide a password for the administrative user, {{ item.username }}"
echo: false
loop: "{{ passwordless_admins }}"
register: prompted_passwords
- name: Processing inputted password per user
when: prompted_passwords is defined and prompted_passwords != None
ansible.builtin.set_fact:
prehashed_passwords: "{{ (prompted_passwords.results | default([])) | map(attribute='user_input') | list }}"
- name: Pairing inputted passwords with associated user
when: prehashed_passwords is defined or prehashed_passwords != None
ansible.builtin.set_fact:
prehashed_passwords: "{{ dict(passwordless_admins | map(attribute='username') | zip(prehashed_passwords) | list) }}"
- name: Creating an administrative user
become: true
ansible.builtin.user:
@@ -27,7 +48,7 @@
append: true
generate_ssh_key: true
create_home: true
password: "{{ item.password }}"
password: "{{ item.password | default((prehashed_passwords[item.username] | password_hash(hashtype='sha512'))) }}"
shell: "/bin/bash"
loop: "{{ admins }}"
register: admin_users
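Review bot: The `set_fact` tasks `Processing inputted password per user` and `Pairing inputted passwords with associated user` and the looped `Creating an administrative user` task all carry passwords without `no_log: true`, so the user task echoes each `item` (including `password`) in its result and a `-v` run shows the prompted values; add `no_log: true` to those three tasks. `when: prehashed_passwords is defined or prehashed_passwords != None` should use `and`, because the right operand is still evaluated, against an undefined variable, when the left one is false. `selectattr('password', '==', 'null')` compares with the string `'null'` rather than a YAML null, so admins declared with `password: null` are presumably not selected (I cannot see the `admins` schema); `selectattr('password', 'none')` matches what the neighbouring `== None` checks intend. `password_hash(hashtype='sha512')` with no fixed `salt` produces a new hash on every run, so the user task will report changed on each play. The `Creating an administrative user` task starts in the first hunk and its parameters continue into the second.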


@@ -46,9 +46,55 @@
when: ansible_facts["os_family"] == "Debian"
become: true
block:
- name: Creating core OS repository sources for package manager
when: ansible_facts["os_family"] == "Debian"
ansible.builtin.deb822_repository:
name: "{{ item.name }}"
uris: "{{ item.sources }}"
types: "{{ item.types }}"
suites: "{{ item.suites }}"
components: "{{ item.comps }}"
signed_by: "{{ item.sigkey }}"
state: present
loop:
- name: debian-trixie
sources: "http://deb.debian.org/debian/"
sigkey: /usr/share/keyrings/debian-archive-keyring.gpg
types:
- deb-src
- deb
suites:
- trixie
- trixie-updates
comps:
- main
- non-free-firmware
- contrib
- name: debian-trixie-security
sources: "http://security.debian.org/debian-security"
sigkey: /usr/share/keyrings/debian-archive-keyring.gpg
types:
- deb-src
- deb
suites: trixie-security
comps:
- main
- non-free-firmware
- contrib
- name: Remove previous core OS repository sources for package manager
ansible.builtin.file:
path: /etc/apt/sources.list
state: absent
# @TODO uncomment below before continuing with testing previous task
# - name: Premature end of play
# ansible.builtin.meta: end_play
- name: Updating package cache
ansible.builtin.apt:
update_cache: true
- name: Updating package cache
ansible.builtin.apt:
upgrade: dist
autoremove: true
- name: Registering a package source
when: item.sources != None
ansible.builtin.deb822_repository:
@@ -60,32 +106,30 @@
signed_by: "{{ item.sigkey }}"
state: present
loop: "{{ (pkgs.mngr.userspace | default([])) }}"
- name: Updating package cache
ansible.builtin.apt:
update_cache: true
- name: Installing a local package in managed node
when: item.uri != None
ansible.builtin.apt:
deb: "{{ item.uri }}"
state: present
# @TODO add a default value for notify
# notify: "{{ item.name }}"
notify: "{{ item.handler | default('default') }}"
loop: "{{ (pkgs.mngr.userspace | default([])) | selectattr('uri', 'search', '\\.deb$') }}"
- name: Updating package cache
ansible.builtin.apt:
update_cache: true
- name: Installing a package
when: item.name != None and item.uri == None
ansible.builtin.package:
name: "{{ item.name }}"
state: latest
# @TODO add a default value for notify
# notify: "{{ item.name }}" # @TODO create corresponding roles/init-vps handlers
notify: "{{ item.handler | default('default') }}" # @TODO create corresponding roles/init-vps handlers
loop: "{{ (pkgs.mngr.userspace | default([])) | rejectattr('uri', 'search', '\\.deb$') }}"
tags:
- get_mngr_pkgs
- name: Installing software by executing installation shell scripts
become: true
become_user: "{{ current_user.stdout }}"
block:
- name: Acquiring installation shell script
become_user: "{{ current_user.stdout }}"
when: item.src != None and ((pkgs.script.userspace | default([])) | length) > 0
ansible.builtin.uri:
url: "{{ item.src }}"
@@ -95,12 +139,14 @@
group: "{{ ansible_user }}"
force: true
mode: "744"
# @TODO add a default value for notify
notify: "{{ (pkgs.script.userspace | default([]))[idx].name }}"
notify: "{{ (pkgs.script.userspace | default([]))[idx].handler | default('default') }}"
loop: "{{ (pkgs.script.userspace | default([])) }}"
loop_control:
index_var: idx
register: install_scripts
- name: Reboot machine for shell environment change
ansible.builtin.reboot:
msg: Rebooting machine
tags:
- get_script_pkgs
- name: Installing software by building it from source archives
@@ -139,38 +185,48 @@
dest: "{{ ansible_user_home.stdout }}/downloads/archives/released/{{ (pkgs.archive.userspace | default([]))[idx].name }}/"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
# @TODO add a default value for notify
notify: "{{ (pkgs.archive.userspace | default([]))[idx].name }}"
notify: "{{ (pkgs.archive.userspace | default([]))[idx].handler | default('default') }}"
loop: "{{ archived_builds.results }}"
loop_control:
index_var: idx
- name: Reboot machine for shell environment change
become: true
ansible.builtin.reboot:
msg: Rebooting machine
tags:
- get_archive_pkgs
- name: Installing software from source git repositories
block:
- name: Clone git bare repository
when: item.src != None
become: true
become_user: "{{ current_user.stdout }}"
when: item.src != None
ansible.builtin.git:
repo: "{{ item.src }}"
dest: "{{ ansible_user_home.stdout }}/repos/.foreign/{{ item.name }}"
version: "{{ item.branch }}"
clone: true
single_branch: true
notify: "{{ item.handler | default('default') }}"
loop: "{{ (pkgs.git_repos.userspace | default([])) }}"
register: installation_repos
# - name: Changing ownership of specific repo subdirectory
# become: true
# become_user: "{{ current_user.stdout }}"
# ansible.builtin.file:
# path: "{{ ansible_user_home.stdout }}/repos/.foreign/{{ item.name }}"
# recurse: true
# owner: "{{ ansible_user }}"
# group: "{{ ansible_user }}"
# notify: "{{ item.name }}"
# loop: "{{ (pkgs.git_repos.userspace | default([])) }}"
- name: Reboot machine for shell environment change
become: true
ansible.builtin.reboot:
msg: Rebooting machine
tags:
- get_git_pkgs
# @TODO add a reboot either here or in any of the handlers potentially notified from here in
# order to update environment (unless found better solution)
- name: Installing software as pre-compiled binary
block:
- name: Grabbing software binary
become: true
ansible.builtin.get_url:
url: "{{ item.src }}"
dest: "/usr/bin/{{ item.name }}"
owner: root
group: root
mode: "744"
force: true
backup: true
notify: "{{ item.handler }}"
loop: "{{ (pkgs.binaries.userspace | default([])) }}"


@@ -0,0 +1,498 @@
---
# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order:
#
# - `/etc/headscale`
# - `~/.headscale`
# - current working directory
# The url clients will connect to.
# Typically this will be a domain like:
#
# https://myheadscale.example.com:443
#
server_url: {{ tail.scheme + '://' + tail.domain + tail.port }}
# Address to listen to / bind to on the server
#
# For production:
# listen_addr: 0.0.0.0:8080
listen_addr: {{ '0.0.0.0' + tail.port }}
# Address to listen to /metrics and /debug, you may want
# to keep this endpoint private to your internal network
# Use an empty value to disable the metrics listener.
metrics_listen_addr: 127.0.0.1:9090
# Address to listen for gRPC.
# gRPC is used for controlling a headscale server
# remotely with the CLI
# Note: Remote access _only_ works if you have
# valid certificates.
#
# For production:
# grpc_listen_addr: 0.0.0.0:50443
{% if tail.grpc.expose %}
grpc_listen_addr: {{ '0.0.0.0' + tail.grpc.port }}
{% else %}
grpc_listen_addr: 127.0.0.1:50443
{% endif %}
# Allow the gRPC admin interface to run in INSECURE
# mode. This is not recommended as the traffic will
# be unencrypted. Only enable if you know what you
# are doing.
{% if tail.grpc.secure %}
grpc_allow_insecure: false
{% else %}
grpc_allow_insecure: true
{% endif %}
# CIDR(s) of reverse proxies (e.g. 127.0.0.1/32) whose
# True-Client-IP, X-Real-IP and X-Forwarded-For headers should
# be honoured. Empty (default) ignores those headers; setting
# this without a proxy in front lets clients spoof their logged
# source IP.
trusted_proxies: []
# The Noise section includes specific configuration for the
# TS2021 Noise protocol
noise:
# The Noise private key is used to encrypt the traffic between headscale and
# Tailscale clients when using the new Noise-based protocol. A missing key
# will be automatically generated.
private_key_path: /var/lib/headscale/noise_private.key
# List of IP prefixes to allocate tailaddresses from.
# Each prefix consists of either an IPv4 or IPv6 address,
# and the associated prefix length, delimited by a slash.
#
# WARNING: These prefixes MUST be subsets of the standard Tailscale ranges:
# - IPv4: 100.64.0.0/10 (CGNAT range)
# - IPv6: fd7a:115c:a1e0::/48 (Tailscale ULA range)
#
# Using a SUBSET of these ranges is supported and useful if you want to
# limit IP allocation to a smaller block (e.g., 100.64.0.0/24).
#
# Using ranges OUTSIDE of CGNAT/ULA is NOT supported and will cause
# undefined behaviour. The Tailscale client has hard-coded assumptions
# about these ranges and will break in subtle, hard-to-debug ways.
#
# See:
# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
prefixes:
v4: 100.64.0.0/10
v6: fd7a:115c:a1e0::/48
# Strategy used for allocation of IPs to nodes, available options:
# - sequential (default): assigns the next free IP from the previous given
# IP. A best-effort approach is used and Headscale might leave holes in the
# IP range or fill up existing holes in the IP range.
# - random: assigns the next free IP from a pseudo-random IP generator (crypto/rand).
allocation: sequential
# DERP is a relay system that Tailscale uses when a direct
# connection cannot be established.
# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
#
# Headscale needs a list of DERP servers that can be presented to the clients.
derp:
server:
# If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
# The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
enabled: false
# Region ID to use for the embedded DERP server.
# The local DERP prevails if the region ID collides with other region ID coming from
# the regular DERP config.
region_id: 999
# Region code and name are displayed in the Tailscale UI to identify a DERP region
region_code: "headscale"
region_name: "Headscale Embedded DERP"
# Only allow clients associated with this server access
verify_clients: true
# Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
# When the embedded DERP server is enabled stun_listen_addr MUST be defined.
#
# For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
stun_listen_addr: "0.0.0.0:3478"
# Private key used to encrypt the traffic between headscale DERP and
# Tailscale clients. A missing key will be automatically generated.
private_key_path: /var/lib/headscale/derp_server_private.key
# This flag can be used, so the DERP map entry for the embedded DERP server is not written automatically,
# it enables the creation of your very own DERP map entry using a locally available file with the parameter DERP.paths
# If you enable the DERP server and set this to false, it is required to add the DERP server to the DERP map using DERP.paths
automatically_add_embedded_derp_region: true
# For better connection stability (especially when using an Exit-Node and DNS is not working),
# it is possible to optionally add the public IPv4 and IPv6 address to the Derp-Map using:
ipv4: 198.51.100.1
ipv6: 2001:db8::1
# List of externally available DERP maps encoded in JSON
urls:
- https://controlplane.tailscale.com/derpmap/default
# Locally available DERP map files encoded in YAML
#
# This option is mostly interesting for people hosting their own DERP servers:
# https://tailscale.com/docs/reference/derp-servers/custom-derp-servers
# https://headscale.net/stable/ref/derp/
#
# paths:
# - /etc/headscale/derp-example.yaml
paths: []
# If enabled, a worker will be set up to periodically
# refresh the given sources and update the derpmap
# will be set up.
auto_update_enabled: true
# How often should we check for DERP updates?
update_frequency: 3h
# Disables the automatic check for headscale updates on startup
disable_check_updates: false
# Node lifecycle configuration.
node:
# Default key expiry for non-tagged nodes, regardless of registration method
# (auth key, CLI, web auth). Tagged nodes are exempt and never expire.
#
# This is the base default. OIDC can override this via oidc.expiry.
# If a client explicitly requests a specific expiry, the client value is used.
#
# Setting the value to "0" means no default expiry (nodes never expire unless
# explicitly expired via `headscale nodes expire`).
#
# Tailscale SaaS uses 180d; set to a positive duration to match that behaviour.
#
# Default: 0 (no default expiry)
expiry: 0
ephemeral:
# Time before an inactive ephemeral node is deleted.
inactivity_timeout: 30m
# HA subnet router health probing.
#
# When HA routes exist (2+ nodes advertising the same prefix), headscale
# pings each HA node every probe_interval via the Noise channel. If a node
# fails to respond within probe_timeout it is marked unhealthy and the
# primary role moves to the next healthy node. A node that later responds
# is marked healthy again but does NOT reclaim primary (avoids flapping).
#
# Worst-case detection time is probe_interval + probe_timeout (15s default).
# No-op when no HA routes exist. Set probe_interval to 0 to disable.
routes:
ha:
# How often to ping HA subnet routers. Set to 0 to disable probing.
# Must be >= 2s when enabled.
probe_interval: 10s
# How long to wait for a ping response before marking a node unhealthy.
# Must be >= 1s and less than probe_interval.
probe_timeout: 5s
database:
# Database type. Available options: sqlite, postgres
# Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
# All new development, testing and optimisations are done with SQLite in mind.
type: sqlite
# Enable debug mode. This setting requires the log.level to be set to "debug" or "trace".
debug: false
# GORM configuration settings.
gorm:
# Enable prepared statements.
prepare_stmt: true
# Enable parameterized queries.
parameterized_queries: true
# Skip logging "record not found" errors.
skip_err_record_not_found: true
# Threshold for slow queries in milliseconds.
slow_threshold: 1000
# SQLite config
sqlite:
path: /var/lib/headscale/db.sqlite
# Enable WAL mode for SQLite. This is recommended for production environments.
# https://www.sqlite.org/wal.html
write_ahead_log: true
# Maximum number of WAL file frames before the WAL file is automatically checkpointed.
# https://www.sqlite.org/c3ref/wal_autocheckpoint.html
# Set to 0 to disable automatic checkpointing.
wal_autocheckpoint: 1000
# # Postgres config
# Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
# See database.type for more information.
# postgres:
# # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
# host: localhost
# port: 5432
# name: headscale
# user: foo
# pass: bar
# max_open_conns: 10
# max_idle_conns: 10
# conn_max_idle_time_secs: 3600
# # If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
# # in the 'ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
# ssl: false
### TLS configuration
#
## Let's encrypt / ACME
#
# headscale supports automatically requesting and setting up
# TLS for a domain with Let's Encrypt.
#
# URL to ACME directory
acme_url: https://acme-v02.api.letsencrypt.org/directory
# Email to register with ACME provider
acme_email: ""
# Domain name to request a TLS certificate for:
tls_letsencrypt_hostname: ""
# Path to store certificates and metadata needed by
# letsencrypt
# For production:
tls_letsencrypt_cache_dir: /var/lib/headscale/cache
# Type of ACME challenge to use, currently supported types:
# HTTP-01 or TLS-ALPN-01
# See: https://headscale.net/stable/ref/tls/
tls_letsencrypt_challenge_type: HTTP-01
# When HTTP-01 challenge is chosen, letsencrypt must set up a
# verification endpoint, and it will be listening on:
# :http = port 80
tls_letsencrypt_listen: ":http"
## Use already defined certificates:
tls_cert_path: ""
tls_key_path: ""
log:
# Valid log levels: panic, fatal, error, warn, info, debug, trace
level: info
# Output formatting for logs: text or json
format: text
## Policy
# Headscale supports a wide range of Tailscale policy features such as ACLs and
# Grants. Please have a look at their docs to better understand the concepts:
# ACLs: https://tailscale.com/docs/features/access-control/acls
# Grants: https://tailscale.com/docs/features/access-control/grants
policy:
# The mode can be "file" or "database" that defines
# where the policies are stored and read from.
mode: file
# If the mode is set to "file", the path to a HuJSON file containing policies.
path: ""
## DNS
#
# headscale supports Tailscale's DNS configuration and MagicDNS.
# Please have a look to their docs to better understand the concepts:
#
# - https://tailscale.com/docs/features/magicdns
# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns
#
# Please note that for the DNS configuration to have any effect,
# clients must have the `--accept-dns=true` option enabled. This is the
# default for the Tailscale client. This option is enabled by default
# in the Tailscale client.
#
# Setting _any_ of the configuration and `--accept-dns=true` on the
# clients will integrate with the DNS manager on the client or
# overwrite /etc/resolv.conf.
# https://tailscale.com/docs/reference/faq/dns-resolv-conf
#
# If you want stop Headscale from managing the DNS configuration
# all the fields under `dns` should be set to empty values.
dns:
# Whether to use MagicDNS
magic_dns: true
# Defines the base domain to create the hostnames for MagicDNS.
# This domain _must_ be different from the server_url domain.
# `base_domain` must be a FQDN, without the trailing dot.
# The FQDN of the hosts will be
# `hostname.base_domain` (e.g., _myhost.example.com_).
base_domain: {{ tail.magic_dns.domain }}
# Whether to use the local DNS settings of a node or override the local DNS
# settings (default) and force the use of Headscale's DNS configuration.
override_local_dns: true
# List of DNS servers to expose to clients.
nameservers:
global: {{ tail.magic_dns.nameservers }}
# NextDNS (see https://tailscale.com/docs/integrations/nextdns).
# "abc123" is example NextDNS ID, replace with yours.
# - https://dns.nextdns.io/abc123
# Split DNS (see https://tailscale.com/docs/reference/dns-in-tailscale#restricted-nameservers),
# a map of domains and which DNS server to use for each.
split: {}
# foo.bar.com:
# - 1.1.1.1
# darp.headscale.net:
# - 1.1.1.1
# - 8.8.8.8
# Set custom DNS search domains. With MagicDNS enabled,
# your tailnet base_domain is always the first search domain.
search_domains: []
# Extra DNS records
# so far only A and AAAA records are supported (on the tailscale side)
# See: https://headscale.net/stable/ref/dns/
extra_records: []
# - name: "grafana.myvpn.example.com"
# type: "A"
# value: "100.64.0.3"
#
# # you can also put it in one line
# - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
#
# Alternatively, extra DNS records can be loaded from a JSON file.
# Headscale processes this file on each change.
# extra_records_path: /var/lib/headscale/extra-records.json
# Unix socket used for the CLI to connect without authentication
# Note: for production you will want to set this to something like:
unix_socket: /var/run/headscale/headscale.sock
unix_socket_permission: "0770"
# OpenID Connect
# https://headscale.net/stable/ref/oidc/
# oidc:
# # Block startup until the identity provider is available and healthy.
# only_start_if_oidc_is_available: true
#
# # OpenID Connect Issuer URL from the identity provider
# issuer: "https://your-oidc.issuer.com/path"
#
# # Client ID from the identity provider
# client_id: "your-oidc-client-id"
#
# # Client secret generated by the identity provider
# # Note: client_secret and client_secret_path are mutually exclusive.
# client_secret: "your-oidc-client-secret"
# # Alternatively, set `client_secret_path` to read the secret from the file.
# # It resolves environment variables, making integration to systemd's
# # `LoadCredential` straightforward:
# client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
#
# # Use the expiry from the token received from OpenID when the user logged
# # in. This will typically lead to frequent need to reauthenticate and should
# # only be enabled if you know what you are doing.
# # Note: enabling this will cause `node.expiry` to be ignored for
# # OIDC-authenticated nodes.
# use_expiry_from_token: false
#
# # The OIDC scopes to use, defaults to "openid", "profile" and "email".
# # Custom scopes can be configured as needed, be sure to always include the
# # required "openid" scope.
# scope: ["openid", "profile", "email"]
#
# # Only verified email addresses are synchronized to the user profile by
# # default. Unverified emails may be allowed in case an identity provider
# # does not send the "email_verified: true" claim or email verification is
# # not required.
# email_verified_required: true
#
# # Provide custom key/value pairs which get sent to the identity provider's
# # authorization endpoint.
# extra_params:
# domain_hint: example.com
#
# # Only accept users whose email domain is part of the allowed_domains list.
# allowed_domains:
# - example.com
#
# # Only accept users whose email address is part of the allowed_users list.
# allowed_users:
# - alice@example.com
#
# # Only accept users which are members of at least one group in the
# # allowed_groups list.
# allowed_groups:
# - /headscale
#
# # Optional: PKCE (Proof Key for Code Exchange) configuration
# # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
# # by preventing authorization code interception attacks
# # See https://datatracker.ietf.org/doc/html/rfc7636
# pkce:
# # Enable or disable PKCE support (default: false)
# enabled: false
#
# # PKCE method to use:
# # - plain: Use plain code verifier
# # - S256: Use SHA256 hashed code verifier (default, recommended)
# method: S256
# Logtail configuration
# Logtail is Tailscales logging and auditing infrastructure, it allows the
# control panel to instruct tailscale nodes to log their activity to a remote
# server. To disable logging on the client side, please refer to:
# https://tailscale.com/docs/features/logging#opt-out-of-client-logging
logtail:
# Enable logtail for tailscale nodes of this Headscale instance.
# As there is currently no support for overriding the log server in Headscale, this is
# disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
enabled: false
# Taildrop configuration
# Taildrop is the file sharing feature of Tailscale, allowing nodes to
# send files to each other.
# https://tailscale.com/docs/features/taildrop
taildrop:
# Enable or disable Taildrop tailnet-wide. When disabled, headscale
# withholds `https://tailscale.com/cap/file-sharing` from every
# node's CapMap.
enabled: true
# Default node auto-update behaviour. When enabled, every node's
# CapMap carries `default-auto-update: [true]` so clients that have
# not made a local opt-in / opt-out choice run auto-updates by
# default. Setting it back to false flips the default for future
# clients; clients that already stored the value locally keep their
# choice.
auto_update:
enabled: false
# Advanced performance tuning parameters.
# The defaults are carefully chosen and should rarely need adjustment.
# Only modify these if you have identified a specific performance issue.
#
# tuning:
# # Maximum number of pending registration entries in the auth cache.
# # Oldest entries are evicted when the cap is reached.
# #
# # register_cache_max_entries: 1024
#
# # NodeStore write batching configuration.
# # The NodeStore batches write operations before rebuilding peer relationships,
# # which is computationally expensive. Batching reduces rebuild frequency.
# #
# # node_store_batch_size: 100
# # node_store_batch_timeout: 500ms
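Review bot: The `grpc_listen_addr` and `grpc_allow_insecure` blocks are templated independently, so `tail.grpc.expose: true` combined with `tail.grpc.secure: false` renders an unencrypted gRPC admin listener on `0.0.0.0`; either render `grpc_allow_insecure: false` whenever `expose` is set, or reject that combination with an `ansible.builtin.assert` on `not (tail.grpc.expose and not tail.grpc.secure)` before the template task. `global: {{ tail.magic_dns.nameservers }}` emits a Python list repr that only parses as YAML by accident; use `global: {{ tail.magic_dns.nameservers | to_json }}`. The templated scalars `server_url`, `listen_addr` and `base_domain` are unquoted, so an empty expansion becomes null and a value containing `: ` or ` #` breaks the document — quote them. `derp.server.ipv4`/`ipv6` hold documentation addresses (`198.51.100.1`, `2001:db8::1`), harmless while `enabled: false` but they should be templated before the embedded DERP server is ever turned on.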


@@ -0,0 +1,137 @@
templates:
limited_series:
configure_series:
from:
filesystem:
path:
- ~/media/vids/series
# - ~/media/vids/features
recursive: false
retrieve: dirs
settings:
identified_by: ep
path: '~/media/vids/series/{{ series_name }}'
target: 1080p
timeframe: 2 weeks
parse_only: true
exists_series:
path: '~/media/vids/series/{{ series_name }}'
allow_different_qualities: better
feature_films:
csv:
url: 'file://%7e/media/vids/features/.films.csv'
values:
title: 1
url: 2
list_add:
- entry_list: films
porn_vids:
csv:
url: 'file://%7e/.xxx/.vids.csv'
values:
title: 1
url: 2
list_add:
- entry_list: pornos
tasks:
# @NOTE uncommenting aria2 block requires commenting out download and proxy blocks
populate_folders:
{% if download_mode == 'direct' %}
proxy:
https: 'socks5://<< sox.hostname >>:<< sox.port >>'
{% endif %}
if:
- "'batch' in title.lower()": reject
discover:
what:
- next_series_episodes:
from_start: true
backfill: false
from:
- nyaa:
category: anime eng
filter: trusted only
- search_rss:
url: 'https://nyaa.si/?f=2&c=1_2&q={{ search_term }}'
link:
- magneturi
- link
all_entries: false
- eztv: true
interval: 1 week
limit: 80
template: limited_series
{% if flexget.download_mode == 'aria2' %}
aria2:
server: << aria.hostname >>
port: << aria.port >>
{% if aria.secret != None or aria.secret is defined %}
secret: << aria.secret >>
{% endif %}
{% if aria.credentials != None or aria.credentials is defined %}
username: << aria.credentials.username >>
password: << aria.credentials.password >>
{% endif %}
scheme: << aria.scheme >>
rpc_mode: json
rpc_path: jsonrpc
path: '~/downloads/media/vids/{{ series_name }}'
{% else %}
download:
temp: ~/.tmp
path: '~/downloads/flexget/vids/series/torrents/{{ series_name }}'
{% endif %}
# @NOTE uncommenting aria2 block requires commenting out download and proxy blocks
fap_queue:
{% if download_mode == 'direct' %}
proxy:
https: 'socks5://<< sox.hostname >>:<< sox.port >>'
{% endif %}
template: porn_vids
{% if flexget.download_mode == 'aria2' %}
aria2:
server: << aria.hostname >>
port: << aria.port >>
{% if aria.secret != None or aria.secret is defined %}
secret: << aria.secret >>
{% endif %}
{% if aria.credentials != None or aria.credentials is defined %}
username: << aria.credentials.username >>
password: << aria.credentials.password >>
{% endif %}
scheme: << aria.scheme >>
rpc_mode: json
rpc_path: jsonrpc
path: ~/downloads/.xxx/media/vids
{% elif flexget.download_mode == 'direct' %}
download:
temp: ~/.tmp
path: ~/downloads/.xxx/flexget/vids/torrents
{% endif %}
# @NOTE uncommenting aria2 block requires commenting out download and proxy blocks
film_queue:
{% if download_mode == 'direct' %}
proxy:
https: 'socks5://<< sox.hostname >>:<< sox.port >>'
{% endif %}
template: feature_films
{% if flexget.download_mode == 'aria2' %}
aria2:
server: << aria.hostname >>
port: << aria.port >>
{% if aria.secret != None or aria.secret is defined %}
secret: << aria.secret >>
{% endif %}
{% if aria.credentials != None or aria.credentials is defined %}
username: << aria.credentials.username >>
password: << aria.credentials.password >>
{% endif %}
scheme: << aria.scheme >>
rpc_mode: json
rpc_path: jsonrpc
path: ~/downloads/media/vids
{% elif flexget.download_mode == 'direct' %}
download:
temp: ~/.tmp
path: ~/downloads/flexget/vids/torrents
{% endif %}
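Review bot: The proxy guards in `populate_folders`, `fap_queue` and `film_queue` test a bare `download_mode` (`{% if download_mode == 'direct' %}`) while the download guards test `flexget.download_mode`, and the vars file only defines `flexget.download_mode`, so the proxy condition refers to an undefined name and the render presumably fails (or silently drops the SOCKS proxy under a non-strict Undefined). Change each to `{% if flexget.download_mode == 'direct' %}`. The `{% if aria.secret != None or aria.secret is defined %}` guards, and the matching `credentials` ones, check in the wrong order and with `or`: with `secret: ~` the value is defined but null, so `secret: None` is emitted; use `{% if aria.secret is defined and aria.secret != None %}`. The aria2 vars file also spells its key `credentals`, so `aria.credentials` is undefined in `aria2` mode.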


@@ -18,7 +18,7 @@ set number
" Jump to line by relative number
set relativenumber
{% if (vim_blockedcursor | default(True)) %}
{% if (vimrc.cursor.blocky | default(True)) %}
" Highlight cursor line underneath the cursor horizontally.
set cursorline
@@ -26,13 +26,13 @@ set cursorline
" Highlight cursor line underneath the cursor vertically.
set cursorcolumn
{% endif %}
{% if (vim_spatialize | default(True)) %}
{% if (vim.tabs.spatialize | default(True)) %}
" Use space characters instead of tabs.
set expandtab
" Set tab width to 4 columns.
set tabstop={{ vim_tabgap | default(2) }}
set tabstop={{ vimrc.tabs.gap | default(2) }}
{% endif %}
" While searching though a file incrementally highlight matching characters as you type.
@@ -48,19 +48,19 @@ set showmatch
set hlsearch
" Set the commands to save in history default number is 20.
set history={{ vim_historyspan | default(20) }}
{% if (vim_pathcompletion | default(True)) %}
set history={{ vimrc.history_span | default(20) }}
{% if (vimrc.typed_paths.autocomplete | default(True)) %}
" Enable auto completion menu after pressing TAB.
set wildmenu
" Make wildmenu behave like similar to Bash completion.
set wildmode=list:longest
{% if vimignore is defined or vimignore != None %}
{% if vimrc.typed_paths.ignore is defined or vimrc.typed_paths.ignore != None %}
" There are certain files that we would never want to edit with Vim.
" Wildmenu will ignore files with these extensions.
set wildignore={{ vimignore | join(',') }}
set wildignore={{ vimrc.typed_paths.ignore | join(',') }}
{% endif %}
{% endif %}
@@ -71,20 +71,20 @@ set wildignore={{ vimignore | join(',') }}
call plug#begin('~/.vim/plugged')
Plug 'flazz/vim-colorschemes'
{% if (vim_eddelimiters | default(True)) %}
{% if (vimrc.autodelimit | default(True)) %}
Plug 'tpope/vim-surround'
{% endif %}
{% if (vim_gitspice | default(True)) %}
{% if (vimrc.git_spice | default(True)) %}
Plug 'airblade/vim-gitgutter'
Plug 'tpope/vim-fugitive'
{% endif %}
{% if (vim_statusline | default(True)) %}
{% if (vimrc.status_line | default(True)) %}
Plug 'vim-airline/vim-airline'
{% endif %}
{% if (vim_fancycomment | default(True)) %}
{% if (vimrc.fancy_commenting | default(True)) %}
Plug 'scrooloose/nerdcommenter'
{% endif %}
{% if (vim_idelangs | default(True)) %}
{% if (vimrc.ide | default(True)) %}
Plug 'dense-analysis/ale'
{% endif %}
@@ -95,7 +95,7 @@ call plug#end()
" Mappings code goes here.
" VIMSCRIPT --------------------------------------------------------------
{% if (vim_origami | default(True)) %}
{% if (vimrc.origami | default(True)) %}
" This will enable code folding.
" Use the marker method of folding.

134
skato-ansible.sh Executable file

@@ -0,0 +1,134 @@
#!/bin/bash
set -euo pipefail
# @TODO long-term, turn this simple bash script into more complex Python Click project
SKANSIBLE_SCRIPT_PATH=$(dirname "$0")
SKANSIBLE_STAGE=1
SKANSIBLE_DEBUG=1
SKANSIBLE_UNIT_TEST=1
DEFAULT_USER=senpai
DEFAULT_SKANSIBLE_PLAY_HOST=vps
SKANSIBLE_SSH_KEY_COLLECTION=(~/.ssh/ed25519\@staging ~/.ssh/ecdsa\@staging ~/.ssh/ed25519-37851076-sk\@staging ~/.ssh/ecdsa-37851076-sk\@staging)
if [[ "$1" == "version" ]]; then
echo "0.0.0"
fi
if [[ "$1" == "show-defaults" ]]; then
source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
printf "User: %s\n" "$DEFAULT_USER"
printf "Expected hosts for playbook: %s\n" "$DEFAULT_SKANSIBLE_PLAY_HOST"
printf "Private SSH keys available throufh SSH agent: |\n%s\n" "$(ssh-add -l)"
fi
if [[ "$1" == "start-agent" ]]; then
source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
eval "$(ssh-agent -s)"
fi
if [[ "$1" == "populate-agent" ]]; then
shift 1
source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
if [[ "$1" == "all" ]]; then
for SKANSIBLE_SSH_KEY in ~/.ssh/*; do
case $SKANSIBLE_SSH_KEY in
*.pub);;
*.old);;
*.bak);;
*/config);;
*/authorized_keys);;
*_hosts);;
*/agent);;
*) ssh-add "${SKANSIBLE_SSH_KEY}";;
esac
done
elif [[ "$1" == "select" ]]; then
for key in "${SKANSIBLE_SSH_KEY_COLLECTION[@]}"; do
ssh-add "$key"
done
elif [[ -z "$1" ]]; then
# @TODO improve by adding fuzzy querying or file finding pror
ssh-add "$1"
fi
fi
if [[ "$1" == "list-agent" ]]; then
source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
ssh-add -l
fi
if [[ "$1" == "init" ]]; then
shift 1
source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
while getopts "hsdtu:p:n:" opt; do
case $opt in
h) Help "$1";;
s) SKANSIBLE_STAGE=0;;
d) SKANSIBLE_DEBUG=0;;
t) SKANSIBLE_UNIT_TEST=0;;
u) SKANSIBLE_CONN_USER="$OPTARG";;
n) SKANSIBLE_CONN_HOSTS="$OPTARG";;
p) SKANSIBLE_PLAY_HOSTS="$OPTARG";;
*) echo "Err: Invalid option set"; exit 1;;
esac
done
if [[ "$SKANSIBLE_STAGE" == 0 ]]; then
SKANSIBLE_CONN_HOSTS=${SKANSIBLE_CONN_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}_test
fi
if [[ "$SKANSIBLE_DEBUG" == 0 ]]; then
if [[ "$SKANSIBLE_UNIT_TEST" == 0 ]]; then
sudo ansible-playbook -vvvv --ask-pass --ask-become-pass -i hosts.yml --extra-vars "chosen_host=${SKANSIBLE_CONN_HOSTS}" --extra-vars "chosen_user=${SKANSIBLE_CONN_USER:-root}" "init@${SKANSIBLE_PLAY_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}.yml" --check
else
sudo ansible-playbook -vvvv --ask-pass --ask-become-pass -i hosts.yml --extra-vars "chosen_host=${SKANSIBLE_CONN_HOSTS}" --extra-vars "chosen_user=${SKANSIBLE_CONN_USER:-root}" "init@${SKANSIBLE_PLAY_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}.yml"
fi
else
if [[ "$SKANSIBLE_UNIT_TEST" == 0 ]]; then
sudo ansible-playbook --ask-pass --ask-become-pass -i hosts.yml --extra-vars "chosen_host=${SKANSIBLE_CONN_HOSTS}" --extra-vars "chosen_user=${SKANSIBLE_CONN_USER:-root}" "init@${SKANSIBLE_PLAY_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}.yml" --check
else
sudo ansible-playbook --ask-pass --ask-become-pass -i hosts.yml --extra-vars "chosen_host=${SKANSIBLE_CONN_HOSTS}" --extra-vars "chosen_user=${SKANSIBLE_CONN_USER:-root}" "init@${SKANSIBLE_PLAY_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}.yml"
fi
fi
fi
if [[ "$1" == "bootstrap" ]]; then
shift 1
source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
while getopts "hsdtu:p:n:" opt; do
case $opt in
h) Help "$1";;
s) SKANSIBLE_STAGE=0;;
d) SKANSIBLE_DEBUG=0;;
t) SKANSIBLE_UNIT_TEST=0;;
u) SKANSIBLE_CONN_USER="$OPTARG";;
n) SKANSIBLE_CONN_HOSTS="$OPTARG";;
p) SKANSIBLE_PLAY_HOSTS="$OPTARG";;
*) echo "Err: Invalid option set"; exit 1;;
esac
done
if [[ "$SKANSIBLE_STAGE" == 0 ]]; then
SKANSIBLE_CONN_HOSTS=${SKANSIBLE_CONN_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}_test
fi
if [[ "$SKANSIBLE_DEBUG" == 0 ]]; then
if [[ "$SKANSIBLE_UNIT_TEST" == 0 ]]; then
ansible-playbook -vvvv --ask-become-pass -i hosts.yml --extra-vars "chosen_host=${SKANSIBLE_CONN_HOSTS}" --extra-vars "chosen_user=${SKANSIBLE_CONN_USER:-${DEFAULT_USER}}" "administrate@${SKANSIBLE_PLAY_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}.yml" --check
else
ansible-playbook -vvvv --ask-become-pass -i hosts.yml --extra-vars "chosen_host=${SKANSIBLE_CONN_HOSTS}" --extra-vars "chosen_user=${SKANSIBLE_CONN_USER:-${DEFAULT_USER}}" "administrate@${SKANSIBLE_PLAY_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}.yml"
fi
else
if [[ "$SKANSIBLE_UNIT_TEST" == 0 ]]; then
ansible-playbook --ask-become-pass -i hosts.yml --extra-vars "chosen_host=${SKANSIBLE_CONN_HOSTS}" --extra-vars "chosen_user=${SKANSIBLE_CONN_USER:-${DEFAULT_USER}}" "administrate@${SKANSIBLE_PLAY_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}.yml" --check
else
ansible-playbook --ask-become-pass -i hosts.yml --extra-vars "chosen_host=${SKANSIBLE_CONN_HOSTS}" --extra-vars "chosen_user=${SKANSIBLE_CONN_USER:-${DEFAULT_USER}}" "administrate@${SKANSIBLE_PLAY_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}.yml"
fi
fi
fi
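Review bot: With `set -euo pipefail` at the top, every `[[ "$1" == ... ]]` test aborts with an unbound-variable error when the script is run without arguments, and the same happens after `shift 1` in `populate-agent`, `init` and `bootstrap` when no sub-argument follows; use `"${1:-}"` in those tests. The `elif [[ -z "$1" ]]; then ssh-add "$1"` branch in `populate-agent` is inverted — it calls `ssh-add` with an empty argument and never with a supplied key path — and should read `elif [[ -n "${1:-}" ]]; then`. `h) Help "$1";;` calls a `Help` function that is not defined anywhere in this file, and the `show-defaults` message misspells `throufh`. The `init` branch runs `ansible-playbook` under `sudo`, which presumably detaches it from the user's `SSH_AUTH_SOCK` and from the venv activated just above, whereas `bootstrap` does not; the difference deserves a comment.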


@@ -0,0 +1,6 @@
aria:
scheme: http
hostname: localhost
port: "6800"
secret: ~
credentals: ~
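Review bot: The key `credentals` on the last line looks like a typo for `credentials`; a vars file does not validate key names, so any template or task that reads `aria.credentials` would presumably hit an undefined-variable error (or silently take a `default()` fallback) rather than this value, so rename it: `credentials: ~`. Leaving both `secret` and `credentials` as `~` is fine for a committed default, but a comment stating where the real RPC secret is meant to come from (vault or extra-vars) would help, since an aria2 RPC listener configured with no secret accepts whatever reaches it on the port. A short comment above `secret:` such as `# set via vault/extra-vars; never commit the real value` would make that intent explicit.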

2
vars/crowdsec.yml Normal file

@@ -0,0 +1,2 @@
crowdsec:
port: 8181
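Review bot: `port: 8181` is an unquoted integer while the sibling var files in this commit quote their ports (`"6800"`, `"9050"`), so a template that concatenates this value into an address string needs a `| string` filter or the quoting should be made consistent: `port: "8181"`. Either form works for Ansible; the point is that a reader should not have to check the scalar type per file.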

2
vars/flexget_dls.yml Normal file

@@ -0,0 +1,2 @@
flexget:
download_mode: direct

57
vars/git_aliases.yml Normal file

@@ -0,0 +1,57 @@
git_aliases:
- [ckot, checkout]
- [chbr, checkout]
- [ch_br, checkout]
- [tch_br, "'checkout -b'"]
- [tchbr, "'checkout -b'"]
- [tchbr, "'checkout -b'"]
- [add_br, "'checkout -b'"]
- [addbr, "'checkout -b'"]
- [rm_br, "'branch -D'"]
- [rmbr, "'branch -D'"]
- [del_br, "'branch -D'"]
- [delbr, "'branch -D'"]
- [tch_rmt, "'remote add'"]
- [tchrmt, "'remote add'"]
- [add_rmt, "'remote add'"]
- [addrmt, "'remote add'"]
- [rm_rmt, "'remote remove'"]
- [rmrmt, "'remote remove'"]
- [del_rmt, "'remote remove'"]
- [delrmt, "'remote remove'"]
- [cfg, config]
- [psh, push]
- [snd, push]
- [send, push]
- [post, push]
- [pl, pull]
- [receive, pull]
- [get, pull]
- [fch, fetch]
- [hist, log]
- [scenes, log]
- [br, branch]
- [lsbr, "'branch -v'"]
- [ls_br, "'branch -v'"]
- [rmt, remote]
- [ls_rmt, "'remote -v'"]
- [lsrmt, "'remote -v'"]
- [cmmt, commit]
- [register, commit]
- [st, status]
- [stat, status]
- [state, status]
- [current, status]
- [restart, "reset --hard"]
- [undo, "'reset HEAD~1 --mixed'"]
- [unstage, "'reset HEAD --'"]
- [stage, add]
- [touch, add]
- [tch, add]
- [del, rm]
- [prev, "'log -1 HEAD'"]
- [last, "'log -1 HEAD'"]
- [finito, "'!git push origin HEAD'"]
- [chkpnt, "'!git add -A && git commit -m'"]
- [sgn, "'commit --amend --no-edit -S'"]
- [rvrt, revert]
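Review bot: The pair `- [tchbr, "'checkout -b'"]` appears twice (sixth and seventh entries); the second is redundant and should be dropped, since whatever loops over this list will apply it twice. The `restart` entry is also quoted differently from every other multi-word value: it is `"reset --hard"` while the rest are `"'checkout -b'"` with inner single quotes, so depending on how the consuming task passes the value to `git config` it may be interpreted differently — either `- [restart, "'reset --hard'"]` to match, or a comment explaining why the inner quotes are deliberately absent. Several aliases are destructive or have side effects (`restart` → `reset --hard`, `rm_br`/`del_br` → `branch -D`, `chkpnt` → `!git add -A && git commit -m`, `finito` pushes HEAD), so a one-line comment above the list noting that these are shell-level git aliases and which ones discard work would help whoever inherits this file.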


@@ -0,0 +1,3 @@
local_facts:
user_id: ""
user_dir: ""

3
vars/sox_prox.yml Normal file

@@ -0,0 +1,3 @@
sox:
hostname: localhost
port: "9050"

18
vars/tail_net.yml.example Normal file

@@ -0,0 +1,18 @@
tail:
users:
- username: ""
dname: ""
email: ""
pfp: ~
scheme: https
domain: localhost
port: ":8080"
grpc:
expose: false
secure: true
port: ":50443"
magic_dns:
domain: ""
nameservers:
- 9.9.9.9
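Review bot: As an `.example` file this is the only documentation a user gets for these keys, yet none of them is commented: `port` and `grpc.port` carry a leading colon (`":8080"`, `":50443"`) that the consuming template presumably expects as-is, and `grpc.expose` / `grpc.secure` have no stated meaning. Add a one-line comment above each non-obvious key, e.g. `# listen port including the leading colon; appended to the bind address unchanged` above `port:` and `# keep false unless the gRPC endpoint must be reachable from outside the host` above `expose:`, and confirm the exact semantics against the role that consumes `tail.grpc`. `domain: localhost` together with `scheme: https` is unlikely to match a real certificate, so a comment that the placeholder must be replaced by the served hostname would save a first-run failure.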

26
vars/vim_settings.yml Normal file

@@ -0,0 +1,26 @@
vimrc:
git_spice: true
status_line: true
autodelimit: true
origami: true
history_span: 500
typed_paths:
autocomplete: true
ignore:
- "*.docx"
- "*.jpg"
- "*.png"
- "*.gif"
- "*.pdf"
- "*.pyc"
- "*.exe"
- "*.flv"
- "*.img"
- "*.xlsx"
fancy_commenting: true
tabs:
spatialize: true
gap: 2
cursor:
blocky: true
ide: true


@@ -0,0 +1,17 @@
vpn_server:
driver:
name: dsnet
version: "v0.8.1"
interface: dsnet
forwards:
- [tcp,"80"] # HTTP
- [tcp,"443"] # HTTPS
- [tcp,"465"] # SMTP
- [tcp,"587"] # SMTP
- [tcp,"995"] # POP3
- [tcp,"110"] # POP3
- [tcp,"143"] # IMAP
- [tcp,"993"] # IMAP
clients:
- name: ""
desc: "my homelab server"
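Review bot: The inline comments on the `forwards` list are imprecise: `465` is SMTPS (implicit TLS) and `587` is the submission port, and `995`/`993` are the TLS variants while `110`/`143` are cleartext POP3/IMAP, yet all are labelled with the bare protocol name. Since this list documents which ports the VPN host forwards, label each pair by the actual service, e.g. `- [tcp, "465"] # SMTPS (implicit TLS)` and `- [tcp, "110"] # POP3 (cleartext)`, so a reader can see at a glance which cleartext services are intentionally exposed and decide whether they should be. The flow pairs also omit the space after the comma (`[tcp,"80"]`); `[tcp, "80"]` is the conventional form.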