Compare commits
4 commits
d9acf4ff93
...
256a08f1a7
Author | SHA1 | Date | |
---|---|---|---|
Geoffrey Frogeye | 256a08f1a7 | ||
Geoffrey Frogeye | 48031d8df7 | ||
Geoffrey Frogeye | 121f629bdb | ||
Geoffrey Frogeye | 647fd78ae2 |
3
.gitmodules
vendored
3
.gitmodules
vendored
|
@ -4,3 +4,6 @@
|
||||||
[submodule "config/automatrop/plugins/modules/aur"]
|
[submodule "config/automatrop/plugins/modules/aur"]
|
||||||
path = config/automatrop/plugins/modules/aur
|
path = config/automatrop/plugins/modules/aur
|
||||||
url = https://github.com/kewlfft/ansible-aur.git
|
url = https://github.com/kewlfft/ansible-aur.git
|
||||||
|
[submodule "config/automatrop/plugins/modules/gpg_key"]
|
||||||
|
path = config/automatrop/plugins/modules/gpg_key
|
||||||
|
url = https://github.com/netson/ansible-gpg-key.git
|
||||||
|
|
|
@ -6,3 +6,4 @@ library=plugins/modules
|
||||||
|
|
||||||
[ssh_connection]
|
[ssh_connection]
|
||||||
pipelining = True # does not work with requiretty in /etc/sudoers
|
pipelining = True # does not work with requiretty in /etc/sudoers
|
||||||
|
ssh_args=-o ForwardAgent=yes # no need for installing/configuring/unlocking SSH/GPG keys on the host to be able to git clone extensions
|
||||||
|
|
|
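Review bot: `ssh_args=-o ForwardAgent=yes` forwards the controller's SSH agent to every managed host on every play, and since these playbooks escalate with `become: yes`, root on the target can use the forwarded socket to authenticate as the operator for the length of the session. Setting `ssh_args` also replaces Ansible's default value `-C -o ControlMaster=auto -o ControlPersist=60s`, so connection multiplexing is silently lost; if forwarding must stay global, keep the defaults: `ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes`. A narrower alternative is `ansible_ssh_extra_args: -o ForwardAgent=yes` on only the inventory hosts that clone extensions, or a read-only deploy key on those hosts.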
@ -16,6 +16,8 @@
|
||||||
when: encrypt_home_stacked_fs
|
when: encrypt_home_stacked_fs
|
||||||
- role: dotfiles
|
- role: dotfiles
|
||||||
tags: dotfiles
|
tags: dotfiles
|
||||||
|
- role: gnupg
|
||||||
|
tags: gnupg
|
||||||
- role: mnussbaum.base16-builder-ansible # Required for desktop_environment
|
- role: mnussbaum.base16-builder-ansible # Required for desktop_environment
|
||||||
tags:
|
tags:
|
||||||
- color
|
- color
|
||||||
|
|
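--- /dev/null
+++ b/config/automatrop/plugins/modules/gpg_key
@@ -0,0 +1 @@
+Subproject commit 435f8e6aea0ba9be482c4409db380868a23fea9c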
@ -1,2 +1,3 @@
|
||||||
- name: install dotfiles
|
- name: install dotfiles
|
||||||
command: "{{ ansible_user_dir }}/.dotfiles/config/scripts/dotfiles install"
|
command: "{{ ansible_user_dir }}/.dotfiles/config/scripts/dotfiles install"
|
||||||
|
# TODO A python module to do that, so without an handler
|
||||||
|
|
|
@ -16,6 +16,7 @@
|
||||||
dest: "{{ ansible_user_dir }}/.dotfiles"
|
dest: "{{ ansible_user_dir }}/.dotfiles"
|
||||||
update: "{{ not has_forge_access }}"
|
update: "{{ not has_forge_access }}"
|
||||||
notify: install dotfiles
|
notify: install dotfiles
|
||||||
|
# TODO Put actual dotfiles in a subdirectory of the repo, so we don't have to put everything in config
|
||||||
|
|
||||||
- name: Register as Ansible collection
|
- name: Register as Ansible collection
|
||||||
file:
|
file:
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
- include_role:
|
- name: Load extensions
|
||||||
|
include_role:
|
||||||
name: "geoffreyfrogeye.{{ item }}automatrop.entry"
|
name: "geoffreyfrogeye.{{ item }}automatrop.entry"
|
||||||
loop: "{{ extensions }}"
|
loop: "{{ extensions }}"
|
||||||
|
tags: always
|
||||||
|
|
||||||
- name: Configure extensions rc sourcing
|
- name: Configure extensions rc sourcing
|
||||||
template:
|
template:
|
||||||
|
|
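Review bot: `tags: always` on this `include_role` applies to the include task only; because `include_role` is dynamic, the tasks inside each extension role are still filtered by their own tags, so a run with `--tags gnupg` loads every extension but executes only their gnupg-tagged tasks. That is probably the intent, but the line reads as if the whole extension ran unconditionally, so a comment would help: `# always: the include itself must survive any tag filter so extension tasks can be selected by their own tags`. If the extensions' tasks really should run under every tag filter, that needs `apply: {tags: always}` on the include instead.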
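--- /dev/null
+++ b/config/automatrop/roles/gnupg/tasks/main.yml
@@ -0,0 +1,52 @@
+- name: Create GnuPG directory
+  file:
+    path: "{{ gnupghome }}"
+    state: directory
+    mode: "u=rwx"
+
+- name: Create GnuPG configuration files
+  file:
+    path: "{{ gnupghome }}/{{ item }}"
+    state: file
+    mode: "u=rw,g=r,o=r"
+  loop:
+    - gpg-agent.conf
+    - gpg.conf
+
+- name: Configure GnuPG
+  lineinfile:
+    path: "{{ gnupghome }}/gpg.conf"
+    regex: "^#?\\s*{{ item.key }}\\s"
+    line: "{{ item.key }}{% if item.value is defined %} {{ item.value }}{% endif %}"
+  loop:
+    # Remove fluff
+    - key: no-greeting
+    - key: no-emit-version
+    - key: no-comments
+    # Output format that I prefer
+    - key: keyid-format
+      value: 0xlong
+    # Show fingerprints
+    - key: with-fingerprint
+    # Make sure to show if key is invalid
+    # (should be default on most platform,
+    # but just to be sure)
+    - key: list-options
+      value: show-uid-validity
+    - key: verify-options
+      value: show-uid-validity
+    # Stronger algorithm (https://wiki.archlinux.org/title/GnuPG#Different_algorithm)
+    - key: personal-digest-preferences
+      value: SHA512
+    - key: cert-digest-algo
+      value: SHA512
+    - key: default-preference-list
+      value: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
+    - key: personal-cipher-preferences
+      value: TWOFISH CAMELLIA256 AES 3DES
+    # TODO Set default-key in extensions depending on which ones are available
+    # TODO Add enable-ssh-support to gpg-agent.conf in extensions to signal shenv that we should not use the SSH agent
+
+- name: Install Geoffrey Frogeye's key
+  gpg_key:
+    fpr: 4FBA930D314A03215E2CDB0A8312C8CAC1BAC289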
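Review bot: The `file` module with `state: file` does not create a missing file (it only reports on or adjusts an existing one), so "Create GnuPG configuration files" fails on a fresh `{{ gnupghome }}` where gpg-agent.conf and gpg.conf do not exist yet, and the play stops before the `lineinfile` task; `state: touch` together with `modification_time: preserve` and `access_time: preserve` creates them while staying idempotent on later runs. Separately, the cipher preferences contradict each other: `default-preference-list` advertises AES256 first, while `personal-cipher-preferences` prefers TWOFISH and still lists 3DES, which is weak (and bare `AES` is AES-128, not AES256), so `value: AES256 AES192 AES` would keep what this key advertises and what it chooses aligned. Note that this rendering drops indentation, so the YAML nesting above is reconstructed rather than shown.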
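--- /dev/null
+++ b/config/automatrop/roles/gnupg/vars/main.yml
@@ -0,0 +1 @@
+gnupghome: "{{ ansible_user_dir }}/.config/gnupg"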
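Review bot: `gnupghome` is declared in `vars/main.yml`, whose precedence is above inventory and play vars, so neither a host nor an extension can point the role at a different directory; `defaults/main.yml` is the conventional place for a path like this. The shell hook in this same commit greps `$GNUPGHOME/gpg-agent.conf`, so the environment must export `GNUPGHOME` to this same `~/.config/gnupg` path for the `enable-ssh-support` detection to work — that export is not visible here, so a comment is warranted: `# Must match the GNUPGHOME exported by the shell environment (gpg itself defaults to ~/.gnupg)`.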
@ -1,5 +1,5 @@
|
||||||
etckeeper
|
etckeeper
|
||||||
{% if has_batttery %}
|
{% if has_battery %}
|
||||||
tlp
|
tlp
|
||||||
{% endif %}
|
{% endif %}
|
||||||
dhcpcd
|
dhcpcd
|
||||||
|
@ -8,3 +8,9 @@ chrony
|
||||||
{% if encrypt_home_stacked_fs %}
|
{% if encrypt_home_stacked_fs %}
|
||||||
ecryptfs-utils
|
ecryptfs-utils
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
kexec-tools
|
||||||
|
openvpn
|
||||||
|
{% if arch_based %}
|
||||||
|
openvpn-update-resolv-conf-git
|
||||||
|
{# TODO Other distributions #}
|
||||||
|
{% endif %}
|
||||||
|
|
|
@ -3,6 +3,7 @@ man
|
||||||
visidata
|
visidata
|
||||||
insect
|
insect
|
||||||
translate-shell
|
translate-shell
|
||||||
|
gnupg
|
||||||
{# Editor #}
|
{# Editor #}
|
||||||
{% if termux %}
|
{% if termux %}
|
||||||
nvim
|
nvim
|
||||||
|
|
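--- /dev/null
+++ b/config/automatrop/roles/system/files/openvpn-client.service
@@ -0,0 +1,11 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf --script-security 2 --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf
+# The part before --script-security 2 might need upgrading from
+# /usr/lib/systemd/system/openvpn-client@.service if it was upgraded
+Restart=on-failure
+User=
+AmbiantCapabilities=
+# It's not pretty, but other script only work with systemd or call resolvconf with -p,
+# which doesn't work without a local DNS resolver
+# TODO Local DNS resolver sounds nice anyway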
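Review bot: `AmbiantCapabilities=` is misspelled (the directive is `AmbientCapabilities=`), so systemd ignores the line with an "unknown key" warning and whatever ambient set the packaged unit declares stays in effect instead of being reset; with `User=` also reset to root the ambient set no longer matters, so either fix the spelling or drop the line so the override says what it does. Reverting the service to root is the real cost of this override: `--script-security 2` runs the `--up`/`--down` hook with the service's full privileges, so anything that can alter `/etc/openvpn/update-resolv-conf` — on Arch an unpinned `-git` AUR package per the package-list hunk — executes as root on every tunnel change, and keeping the packaged unprivileged `User=` while granting only what the hook needs (`CAP_NET_ADMIN`, write access to `/etc/resolv.conf`) would be a tighter follow-up. The header comment should also state what the override copies from upstream, e.g. `# ExecStart mirrors openvpn-client@.service plus the resolvconf hooks; re-check after an openvpn upgrade`.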
@ -65,6 +65,27 @@
|
||||||
become: yes
|
become: yes
|
||||||
when: extlinux.stat.exists
|
when: extlinux.stat.exists
|
||||||
|
|
||||||
|
- name: Remove bootsplash packages (Arch based)
|
||||||
|
pacman:
|
||||||
|
name:
|
||||||
|
- bootsplash-systemd
|
||||||
|
- bootsplash-theme-manjaro
|
||||||
|
state: absent
|
||||||
|
become: yes
|
||||||
|
when: arch_based
|
||||||
|
|
||||||
|
|
||||||
|
# Display Manager
|
||||||
|
|
||||||
|
- name: Remove display manager packages (Arch based)
|
||||||
|
pacman:
|
||||||
|
name:
|
||||||
|
- sddm
|
||||||
|
- sddm-breath2-theme
|
||||||
|
state: absent
|
||||||
|
become: yes
|
||||||
|
when: arch_based
|
||||||
|
|
||||||
# Xorg configuration
|
# Xorg configuration
|
||||||
|
|
||||||
- name: Check if there is nvidia-xrun is installed
|
- name: Check if there is nvidia-xrun is installed
|
||||||
|
@ -262,6 +283,15 @@
|
||||||
notify:
|
notify:
|
||||||
- wifi setup changed
|
- wifi setup changed
|
||||||
|
|
||||||
|
- name: Mask systemd-networkd
|
||||||
|
systemd:
|
||||||
|
name: systemd-networkd
|
||||||
|
state: stopped
|
||||||
|
enabled: no
|
||||||
|
masked: yes
|
||||||
|
become: yes
|
||||||
|
notify: etc changed
|
||||||
|
|
||||||
# Time synchronisation
|
# Time synchronisation
|
||||||
|
|
||||||
- name: Mask systemd-timesyncd
|
- name: Mask systemd-timesyncd
|
||||||
|
@ -272,7 +302,6 @@
|
||||||
masked: yes
|
masked: yes
|
||||||
become: yes
|
become: yes
|
||||||
notify: etc changed
|
notify: etc changed
|
||||||
when: arch_based
|
|
||||||
|
|
||||||
- name: Configure chrony
|
- name: Configure chrony
|
||||||
copy:
|
copy:
|
||||||
|
@ -309,8 +338,28 @@
|
||||||
notify:
|
notify:
|
||||||
- etc changed
|
- etc changed
|
||||||
|
|
||||||
|
# VPN configuration
|
||||||
|
|
||||||
|
- name: Prepare directory for openvpn-client service override
|
||||||
|
file:
|
||||||
|
path: /etc/systemd/system/openvpn-client@.service.d
|
||||||
|
state: directory
|
||||||
|
mode: "u=rwx,g=rx,o=rx"
|
||||||
|
become: yes
|
||||||
|
|
||||||
|
- name: Make openvpn use hooks for resolvconf
|
||||||
|
copy:
|
||||||
|
src: openvpn-client.service
|
||||||
|
dest: /etc/systemd/system/openvpn-client@.service.d/override.conf
|
||||||
|
become: yes
|
||||||
|
notify:
|
||||||
|
- etc changed
|
||||||
|
- systemd changed
|
||||||
|
|
||||||
# TODO Hibernation, if that's relevant
|
# TODO Hibernation, if that's relevant
|
||||||
# $ sudo blkid | grep 'TYPE="swap"'
|
# $ sudo blkid | grep 'TYPE="swap"'
|
||||||
# $ sudoedit /etc/default/grub
|
# $ sudoedit /etc/default/grub
|
||||||
# Add resume=UUID=<UUID-of-swap-partition> to GRUB_CMDLINE_LINUX_DEFAULT
|
# Add resume=UUID=<UUID-of-swap-partition> to GRUB_CMDLINE_LINUX_DEFAULT
|
||||||
# $ sudo grub-mkconfig -o /boot/grub/grub.cfg
|
# $ sudo grub-mkconfig -o /boot/grub/grub.cfg
|
||||||
|
|
||||||
|
# TODO udevil
|
||||||
|
|
|
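Review bot: "Make openvpn use hooks for resolvconf" installs an override whose `ExecStart` calls `/etc/openvpn/update-resolv-conf`, but the package providing that script is only added to the package list `{% if arch_based %}` (see the template hunk earlier on this page), while this task and the preceding directory task carry no `when: arch_based`; on any other distribution `openvpn-client@*.service` would fail at start with a missing `--up` script unless it is provided some other way. Either gate both tasks with `when: arch_based` until `{# TODO Other distributions #}` is resolved, or make the package unconditional. The `copy` also sets no `mode:`, so the override's permissions depend on the target's umask; `mode: "u=rw,g=r,o=r"` matches the symbolic modes used elsewhere in this commit.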
@ -108,6 +108,7 @@ prependpath "$HOME/.config/scripts"
|
||||||
|
|
||||||
# SSH Agent
|
# SSH Agent
|
||||||
|
|
||||||
|
|
||||||
# If GPG agent is configured for SSH
|
# If GPG agent is configured for SSH
|
||||||
if grep -q ^enable-ssh-support$ $GNUPGHOME/gpg-agent.conf 2> /dev/null
|
if grep -q ^enable-ssh-support$ $GNUPGHOME/gpg-agent.conf 2> /dev/null
|
||||||
then
|
then
|
||||||
|
@ -138,3 +139,6 @@ else
|
||||||
start_agent
|
start_agent
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# TODO Service sytem that works without systemd,
|
||||||
|
# and can stop processes on logout
|
||||||
|
|
|
@ -101,7 +101,10 @@ unset _i_prefer
|
||||||
# Needed because xterm/urxvt won't use the last color, needed for vim
|
# Needed because xterm/urxvt won't use the last color, needed for vim
|
||||||
|
|
||||||
## GPG
|
## GPG
|
||||||
# Update TTY
|
# Makes the last open terminal the ones that receives the pinentry message (if
|
||||||
|
# not run from a terminal with DESKTOP)
|
||||||
|
# TODO Only run if gpg-agent is started?
|
||||||
|
# TODO Make a command out of this for easy management (and maybe remove the below)
|
||||||
export GPG_TTY=$(tty)
|
export GPG_TTY=$(tty)
|
||||||
gpg-connect-agent updatestartuptty /bye >/dev/null
|
gpg-connect-agent updatestartuptty /bye >/dev/null
|
||||||
|
|
||||||
|
|
|
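Review bot: The TODO "Only run if gpg-agent is started?" has a direct answer: `gpg-connect-agent` autostarts the agent by default, which is why this line spawns one in every new shell; `gpg-connect-agent --no-autostart updatestartuptty /bye >/dev/null 2>&1` only updates an already-running agent and exits quietly otherwise. `$(tty)` also prints the literal `not a tty` in non-interactive shells, so `GPG_TTY` ends up holding that string; wrapping both lines in `if [ -t 0 ]; then … fi` keeps them to interactive sessions. The enclosing section continues outside the hunk.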
@ -19,6 +19,7 @@ call plug#begin('~/.cache/vim/plugged')
|
||||||
Plug 'chriskempson/base16-vim'
|
Plug 'chriskempson/base16-vim'
|
||||||
Plug 'tpope/vim-surround'
|
Plug 'tpope/vim-surround'
|
||||||
Plug 'tpope/vim-fugitive'
|
Plug 'tpope/vim-fugitive'
|
||||||
|
Plug 'shumphrey/fugitive-gitlab.vim'
|
||||||
" Plug 'tpope/vim-repeat'
|
" Plug 'tpope/vim-repeat'
|
||||||
|
|
||||||
" Regex for words, with case in mind
|
" Regex for words, with case in mind
|
||||||
|
|