Add server templates and normalize role tags

2026-05-30 15:39:58 +00:00 · 2026-03-25 22:07:44 +01:00
parent fc67ba7d18
commit 980e984020
8 changed files with 881 additions and 0 deletions
--- a/ansible/inventory/group_vars/server.yml
+++ b/ansible/inventory/group_vars/server.yml
@@ -12,10 +12,21 @@ profile_packages:
  - rsync

 server_dotfiles:
+  - src: .gitignore_global
+    dest: .gitignore_global
+    mode: "0644"
+  - src: .themes.gitignore
+    dest: .themes.gitignore
+    mode: "0644"
  - src: duckdns/
    dest: duckdns/
    mode: preserve

+server_templates:
+  - src: server/.gitconfig.j2
+    dest: .gitconfig
+    mode: "0644"
+
 server_ufw_rules:
  - rule: allow
    name: OpenSSH
--- a/ansible/roles/dotfiles_common/tasks/main.yml
+++ b/ansible/roles/dotfiles_common/tasks/main.yml
@@ -1,10 +1,12 @@
 ---
 - name: Ensure bat package is installed
+  tags: [packages]
  ansible.builtin.package:
    name: bat
    state: present

 - name: Ensure XDG user directories exist
+  tags: [dotfiles, dotfiles:common]
  ansible.builtin.file:
    path: "{{ user_home }}/{{ item }}"
    state: directory
@@ -26,6 +28,7 @@
    label: "{{ item.dest }}"

 - name: Refresh bat cache
+  tags: [dotfiles, dotfiles:common]
  ansible.builtin.command:
    cmd: "{{ 'batcat' if ansible_facts.os_family == 'Debian' else 'bat' }} cache --build"
  become_user: "{{ username }}"
--- a/ansible/roles/profile_desktop_i3/tasks/main.yml
+++ b/ansible/roles/profile_desktop_i3/tasks/main.yml
@@ -64,6 +64,7 @@
  when: ansible_facts['hostname'] == 'nymph'

 - name: Enable gnome-keyring PAM auth hook
+  tags: [packages, gnome]
  ansible.builtin.lineinfile:
    path: /etc/pam.d/login
    insertafter: '^auth\s+include\s+system-local-login$'
@@ -71,6 +72,7 @@
    state: present

 - name: Enable gnome-keyring PAM session hook
+  tags: [packages, gnome]
  ansible.builtin.lineinfile:
    path: /etc/pam.d/login
    insertafter: '^session\s+include\s+system-local-login$'
@@ -78,6 +80,7 @@
    state: present

 - name: Enable gnome-keyring PAM password hook
+  tags: [packages, gnome]
  ansible.builtin.lineinfile:
    path: /etc/pam.d/login
    insertafter: '^password\s+include\s+system-local-login$'
@@ -199,6 +202,7 @@
    - "{{ user_home }}/Maildir/ProtonMailAccount"

 - name: Bootstrap iCloud keyring secret from Ansible vault
+  tags: [dotfiles, dotfiles:desktop, gnome]
  when: desktop_manage_icloud_keyring | default(false)
  block:
    - name: Store iCloud mail password in GNOME Keyring
@@ -308,6 +312,7 @@
        - icloud_keyring_store.rc | default(1) != 0

 - name: Clone st repository
+  tags: [packages]
  ansible.builtin.git:
    repo: https://codeberg.org/fscotto/st
    dest: "{{ user_home }}/.local/src/st"
@@ -318,23 +323,27 @@
  register: st_repo

 - name: Check whether st binary is installed
+  tags: [packages]
  ansible.builtin.stat:
    path: /usr/local/bin/st
  register: st_binary

 - name: Build and install st
+  tags: [packages]
  ansible.builtin.command:
    cmd: make clean install
    chdir: "{{ user_home }}/.local/src/st"
  when: st_repo.changed or not st_binary.stat.exists

 - name: Clean st build artifacts
+  tags: [packages]
  ansible.builtin.command:
    cmd: make clean
    chdir: "{{ user_home }}/.local/src/st"
  when: st_repo.changed or not st_binary.stat.exists

 - name: Ensure flathub remote is configured
+  tags: [packages]
  community.general.flatpak_remote:
    name: "{{ desktop_flatpak_remote_name | default('flathub') }}"
    state: present
@@ -342,6 +351,7 @@
  when: (desktop_flatpak_packages | default([])) | length > 0

 - name: Install desktop flatpak applications
+  tags: [packages]
  community.general.flatpak:
    name: "{{ desktop_flatpak_packages }}"
    state: present
@@ -350,6 +360,7 @@
  when: (desktop_flatpak_packages | default([])) | length > 0

 - name: Install Flatpak extensions
+  tags: [packages]
  community.general.flatpak:
    name: "{{ item }}"
    state: present
@@ -362,6 +373,7 @@
    - item | length > 0

 - name: Set desktop external tool release metadata
+  tags: [packages]
  ansible.builtin.set_fact:
    desktop_tools_tmp_dir: /tmp/desktop-tools
    gitmux_version: v0.11.5
@@ -380,27 +392,32 @@
      }}

 - name: Ensure architecture is supported for OpenCode binary
+  tags: [packages]
  ansible.builtin.fail:
    msg: "Unsupported architecture {{ ansible_facts['architecture'] }} for OpenCode release binary"
  when: opencode_asset_name == ''

 - name: Ensure architecture is supported for gitmux binary
+  tags: [packages]
  ansible.builtin.fail:
    msg: "Unsupported architecture {{ ansible_facts['architecture'] }} for gitmux release binary"
  when: gitmux_arch == ''

 - name: Ensure architecture is supported for bw binary
+  tags: [packages]
  ansible.builtin.fail:
    msg: "Unsupported architecture {{ ansible_facts['architecture'] }} for bw release binary"
  when: ansible_facts['architecture'] != 'x86_64'

 - name: Ensure temporary directory exists for external tools
+  tags: [packages]
  ansible.builtin.file:
    path: "{{ desktop_tools_tmp_dir }}"
    state: directory
    mode: "0755"

 - name: Fetch latest OpenCode release metadata
+  tags: [packages]
  ansible.builtin.uri:
    url: https://api.github.com/repos/anomalyco/opencode/releases/latest
    headers:
@@ -410,6 +427,7 @@
  changed_when: false

 - name: Set OpenCode release asset metadata
+  tags: [packages]
  ansible.builtin.set_fact:
    opencode_version: "{{ opencode_latest_release.json.tag_name }}"
    opencode_asset: >-
@@ -421,11 +439,13 @@
      }}

 - name: Ensure latest OpenCode asset metadata is available
+  tags: [packages]
  ansible.builtin.fail:
    msg: "Could not find OpenCode asset {{ opencode_asset_name }} in release {{ opencode_version }}"
  when: opencode_asset == {}

 - name: Download OpenCode release archive
+  tags: [packages]
  ansible.builtin.get_url:
    url: "{{ opencode_asset.browser_download_url }}"
    dest: "{{ desktop_tools_tmp_dir }}/{{ opencode_asset.name }}"
@@ -433,12 +453,14 @@
    mode: "0644"

 - name: Extract OpenCode release archive
+  tags: [packages]
  ansible.builtin.unarchive:
    src: "{{ desktop_tools_tmp_dir }}/{{ opencode_asset.name }}"
    dest: "{{ desktop_tools_tmp_dir }}"
    remote_src: true

 - name: Install OpenCode binary
+  tags: [packages]
  ansible.builtin.copy:
    src: "{{ desktop_tools_tmp_dir }}/opencode"
    dest: /usr/local/bin/opencode
@@ -448,10 +470,12 @@
    mode: "0755"

 - name: Set gitmux asset metadata
+  tags: [packages]
  ansible.builtin.set_fact:
    gitmux_asset: "gitmux_{{ gitmux_version }}_linux_{{ gitmux_arch }}.tar.gz"

 - name: Download gitmux release archive
+  tags: [packages]
  ansible.builtin.get_url:
    url: "https://github.com/arl/gitmux/releases/download/{{ gitmux_version }}/{{ gitmux_asset }}"
    dest: "{{ desktop_tools_tmp_dir }}/{{ gitmux_asset }}"
@@ -459,12 +483,14 @@
    mode: "0644"

 - name: Extract gitmux release archive
+  tags: [packages]
  ansible.builtin.unarchive:
    src: "{{ desktop_tools_tmp_dir }}/{{ gitmux_asset }}"
    dest: "{{ desktop_tools_tmp_dir }}"
    remote_src: true

 - name: Install gitmux binary
+  tags: [packages]
  ansible.builtin.copy:
    src: "{{ desktop_tools_tmp_dir }}/gitmux"
    dest: /usr/local/bin/gitmux
@@ -474,10 +500,12 @@
    mode: "0755"

 - name: Set bw asset metadata
+  tags: [packages]
  ansible.builtin.set_fact:
    bw_asset: "bw-linux-{{ bw_version }}.zip"

 - name: Download bw release archive
+  tags: [packages]
  ansible.builtin.get_url:
    url: "https://github.com/bitwarden/cli/releases/download/v{{ bw_version }}/{{ bw_asset }}"
    dest: "{{ desktop_tools_tmp_dir }}/{{ bw_asset }}"
@@ -485,12 +513,14 @@
    mode: "0644"

 - name: Extract bw release archive
+  tags: [packages]
  ansible.builtin.unarchive:
    src: "{{ desktop_tools_tmp_dir }}/{{ bw_asset }}"
    dest: "{{ desktop_tools_tmp_dir }}"
    remote_src: true

 - name: Install bw binary
+  tags: [packages]
  ansible.builtin.copy:
    src: "{{ desktop_tools_tmp_dir }}/bw"
    dest: /usr/local/bin/bw
--- a/ansible/roles/profile_server/tasks/main.yml
+++ b/ansible/roles/profile_server/tasks/main.yml
@@ -12,6 +12,18 @@
  loop_control:
    label: "{{ item.dest }}"

+- name: Render server templates
+  tags: [dotfiles, dotfiles:server]
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ user_home }}/{{ item.dest }}"
+    owner: "{{ username }}"
+    group: "{{ user_group }}"
+    mode: "{{ item.mode }}"
+  loop: "{{ server_templates | default([]) }}"
+  loop_control:
+    label: "{{ item.dest }}"
+
 - name: Apply server UFW rules
  tags: [services, packages]
  community.general.ufw:
--- a/ansible/roles/services_runit/tasks/main.yml
+++ b/ansible/roles/services_runit/tasks/main.yml
@@ -1,5 +1,6 @@
 ---
 - name: Enable base runit services
+  tags: [services, packages]
  ansible.builtin.file:
    src: "/etc/sv/{{ item }}"
    dest: "/var/service/{{ item }}"
@@ -7,6 +8,7 @@
  loop: "{{ enabled_services | default([]) }}"

 - name: Enable host runit services
+  tags: [services, packages]
  ansible.builtin.file:
    src: "/etc/sv/{{ item }}"
    dest: "/var/service/{{ item }}"
--- a/ansible/templates/server/.gitconfig.j2
+++ b/ansible/templates/server/.gitconfig.j2
@@ -0,0 +1,83 @@
+[init]
+  defaultBranch = main
+
+[core]
+  excludesfile = ~/.gitignore_global
+  pager = delta
+
+[user]
+  name = {{ vault_personal_full_name }}
+  email = {{ vault_git_email }}
+  signingkey = {{ vault_git_signing_key }}
+
+[fetch]
+  prune = true
+
+[remote "origin"]
+  prune = true
+
+[pull]
+  rebase = true
+
+[commit]
+  gpgsign = false
+
+[merge]
+  conflictstyle = diff3
+  tool = meld
+
+[mergetool]
+  prompt = false
+
+[diff]
+  tool = meld
+
+[color]
+  ui = always
+
+[color "status"]
+  branch = magenta
+  untracked = cyan
+  unmerged = yellow bold
+
+[color "diff"]
+  frag = magenta bold
+  old = red bold
+  new = green bold
+  whitespace = red reverse
+
+[color "diff-highlight"]
+  oldNormal = red bold
+  oldHighlight = red bold 52
+  newNormal = green bold
+  newHighlight = green bold 52
+
+[help]
+  autocorrect = 30
+
+[interactive]
+  diffFilter = delta --color-only
+
+[alias]
+  co = checkout
+  br = branch
+  ci = commit
+  st = status
+  ld = log -p
+  lg = log --graph --abbrev-commit --decorate --date=relative --format=format:'%C(bold blue)%h%C(reset) - %C(bold green)(%ar)%C(reset) %C(white)%s%C(reset) %C(dim white)- %an%C(reset)%C(bold yellow)%d%C(reset)%n' --all
+  glog = log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset'
+  onelinegraph = log --oneline --graph --decorate 
+  undo = reset --soft HEAD~1
+  stash-all = stash save --include-untracked
+  expireunreachablenow = reflog expire --expire-unreachable=now --all
+  gcunreachablenow = gc --prune=now 
+ 
+[include]
+  path = ~/.themes.gitignore
+
+[delta]
+  features = catppuccin-mocha navigate
+  true-color = always
+  colorMoved = default
+  tabs = 4
+  side-by-side = true