fscotto/infra
1
0
Fork 0
mirror of https://github.com/fscotto/infra.git synced 2026-05-31 15:59:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
18311d01f2d82b51c8ffdbcb52e02b6df09109f9
infra/ansible/roles/profile_desktop_i3/tasks/main.yml
Fabio Scotto di Santolo 4892251687 Template private desktop mail configs 
Render personal desktop configs from Ansible templates so public dotfiles no longer expose real identities or mail addresses. Update the bootstrap workflow to consume the rendered mail config and extend the encrypted vault schema for the new private values.
2026-03-18 15:00:56 +01:00

355 lines
12 KiB
YAML
Raw Blame History

---
- name: Ensure config directories exist
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: "{{ username }}"
group: "{{ user_group }}"
mode: "0755"
loop:
- "{{ user_home }}/.config"
- "{{ user_home }}/.config/i3"
- "{{ user_home }}/.config/i3blocks"
- "{{ user_home }}/.config/dunst"
- "{{ user_home }}/.config/alacritty"
- "{{ user_home }}/.config/Thunar"
- "{{ user_home }}/.config/rofi"
- name: Enable gnome-keyring PAM auth hook
ansible.builtin.lineinfile:
path: /etc/pam.d/login
insertafter: '^auth\s+include\s+system-local-login$'
line: "auth optional pam_gnome_keyring.so"
state: present
- name: Enable gnome-keyring PAM session hook
ansible.builtin.lineinfile:
path: /etc/pam.d/login
insertafter: '^session\s+include\s+system-local-login$'
line: "session optional pam_gnome_keyring.so auto_start"
state: present
- name: Enable gnome-keyring PAM password hook
ansible.builtin.lineinfile:
path: /etc/pam.d/login
insertafter: '^password\s+include\s+system-local-login$'
line: "password optional pam_gnome_keyring.so use_authtok"
state: present
- name: Copy desktop dotfiles
ansible.builtin.copy:
src: "{{ playbook_dir }}/../dotfiles/desktop/{{ item.src }}"
dest: "{{ user_home }}/{{ item.dest }}"
owner: "{{ username }}"
group: "{{ user_group }}"
mode: "{{ item.mode }}"
loop: "{{ desktop_dotfiles | default([]) }}"
loop_control:
label: "{{ item.dest }}"
- name: Render desktop templates with private values
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ user_home }}/{{ item.dest }}"
owner: "{{ username }}"
group: "{{ user_group }}"
mode: "{{ item.mode }}"
loop:
- src: desktop/.gitconfig.j2
dest: .gitconfig
mode: "0644"
- src: desktop/.mbsyncrc.j2
dest: .mbsyncrc
mode: "0600"
- src: desktop/.msmtprc.j2
dest: .msmtprc
mode: "0600"
- src: desktop/email.el.j2
dest: .emacs.d/lisp/misc/email.el
mode: "0644"
loop_control:
label: "{{ item.dest }}"
- name: Refresh user font cache
ansible.builtin.command: fc-cache -f
become_user: "{{ username }}"
environment:
HOME: "{{ user_home }}"
changed_when: false
- name: Ensure .gnupg directory exists
ansible.builtin.file:
path: "{{ user_home }}/.gnupg"
state: directory
owner: "{{ username }}"
group: "{{ user_group }}"
mode: "0700"
- name: Copy gpg-agent.conf
ansible.builtin.copy:
src: "{{ playbook_dir }}/../dotfiles/desktop/.gnupg/gpg-agent.conf"
dest: "{{ user_home }}/.gnupg/gpg-agent.conf"
owner: "{{ username }}"
group: "{{ user_group }}"
mode: "0600"
- name: Ensure local user directories exist
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
owner: "{{ username }}"
group: "{{ user_group }}"
mode: "{{ item.mode }}"
loop:
- path: "{{ user_home }}/.local"
mode: "0755"
- path: "{{ user_home }}/.local/share"
mode: "0755"
- path: "{{ user_home }}/.local/share/keyrings"
mode: "0700"
- path: "{{ user_home }}/.local/src"
mode: "0755"
- name: Ensure maildir directories exist
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: "{{ username }}"
group: "{{ user_group }}"
mode: "0700"
loop:
- "{{ user_home }}/Maildir"
- "{{ user_home }}/Maildir/iCloudAccount"
- "{{ user_home }}/Maildir/ProtonMailAccount"
- name: Bootstrap iCloud keyring secret from Ansible vault
when: desktop_manage_icloud_keyring | default(false)
block:
- name: Store iCloud mail password in GNOME Keyring
ansible.builtin.getent:
database: passwd
key: "{{ username }}"
- name: Set desktop user runtime UID
ansible.builtin.set_fact:
desktop_user_uid: "{{ ansible_facts.getent_passwd[username][1] }}"
- name: Check whether desktop user DBus session address file exists
ansible.builtin.stat:
path: "{{ user_home }}/.dbus-session-bus-address"
register: desktop_user_bus_address_file
- name: Read desktop user DBus session address
ansible.builtin.slurp:
src: "{{ user_home }}/.dbus-session-bus-address"
register: desktop_user_bus_address_raw
when:
- (vault_icloud_mail_password | default('')) | length > 0
- desktop_user_bus_address_file.stat.exists
- name: Set desktop user DBus session address
ansible.builtin.set_fact:
desktop_user_bus_address: >-
{{ desktop_user_bus_address_raw.content | b64decode | trim }}
when:
- (vault_icloud_mail_password | default('')) | length > 0
- desktop_user_bus_address_file.stat.exists
- name: Check whether GNOME Keyring default collection is available
ansible.builtin.command:
cmd: >-
gdbus call --session
--dest org.freedesktop.secrets
--object-path /org/freedesktop/secrets
--method org.freedesktop.Secret.Service.ReadAlias default
become: true
become_user: "{{ username }}"
environment:
HOME: "{{ user_home }}"
XDG_RUNTIME_DIR: "/run/user/{{ desktop_user_uid }}"
DBUS_SESSION_BUS_ADDRESS: "{{ desktop_user_bus_address }}"
register: icloud_keyring_default_alias
failed_when: false
changed_when: false
when:
- (vault_icloud_mail_password | default('')) | length > 0
- desktop_user_bus_address | default('') | length > 0
- name: Set GNOME Keyring default collection path
ansible.builtin.set_fact:
icloud_keyring_default_alias_path: >-
{{
(
icloud_keyring_default_alias.stdout
| default('')
| regex_findall("objectpath '([^']+)'")
| first
)
| default('')
}}
when:
- (vault_icloud_mail_password | default('')) | length > 0
- desktop_user_bus_address | default('') | length > 0
- icloud_keyring_default_alias.rc | default(1) == 0
- name: Store iCloud mail password in GNOME Keyring
ansible.builtin.command:
cmd: secret-tool store --label="iCloud Mail" icloud-mail icloud
stdin: "{{ vault_icloud_mail_password }}"
stdin_add_newline: false
become: true
become_user: "{{ username }}"
environment:
HOME: "{{ user_home }}"
XDG_RUNTIME_DIR: "/run/user/{{ desktop_user_uid }}"
DBUS_SESSION_BUS_ADDRESS: "{{ desktop_user_bus_address }}"
register: icloud_keyring_store
failed_when: false
changed_when: icloud_keyring_store.rc == 0
no_log: true
when:
- (vault_icloud_mail_password | default('')) | length > 0
- desktop_user_bus_address | default('') | length > 0
- icloud_keyring_default_alias.rc | default(1) == 0
- (icloud_keyring_default_alias_path | default('')) | length > 0
- (icloud_keyring_default_alias_path | default('')) != '/'
- name: Warn when iCloud keyring storage is skipped
ansible.builtin.debug:
msg: >-
Unable to store iCloud password in GNOME Keyring automatically.
{% if (desktop_user_bus_address | default('')) | length == 0 %}
No saved DBus session address was found in {{ user_home }}/.dbus-session-bus-address.
{% elif icloud_keyring_default_alias.rc | default(1) != 0 %}
The Secret Service default alias could not be queried for {{ username }}.
{% elif (icloud_keyring_default_alias_path | default('')) == '/' %}
The Secret Service default alias is unset, so the login keyring is not initialized.
{% endif %}
Ensure a graphical user session is active, the login keyring exists and is unlocked, then run:
secret-tool store --label="iCloud Mail" icloud-mail icloud
when:
- (vault_icloud_mail_password | default('')) | length > 0
- icloud_keyring_store.rc | default(1) != 0
- name: Clone st repository
ansible.builtin.git:
repo: https://codeberg.org/fscotto/st
dest: "{{ user_home }}/.local/src/st"
update: true
become_user: "{{ username }}"
environment:
HOME: "{{ user_home }}"
register: st_repo
- name: Check whether st binary is installed
ansible.builtin.stat:
path: /usr/local/bin/st
register: st_binary
- name: Build and install st
ansible.builtin.command:
cmd: make clean install
chdir: "{{ user_home }}/.local/src/st"
when: st_repo.changed or not st_binary.stat.exists
- name: Clean st build artifacts
ansible.builtin.command:
cmd: make clean
chdir: "{{ user_home }}/.local/src/st"
when: st_repo.changed or not st_binary.stat.exists
- name: Ensure flathub remote is configured
community.general.flatpak_remote:
name: "{{ desktop_flatpak_remote_name | default('flathub') }}"
state: present
flatpakrepo_url: "{{ desktop_flatpak_remote_url | default('https://dl.flathub.org/repo/flathub.flatpakrepo') }}"
when: (desktop_flatpak_packages | default([])) | length > 0
- name: Install desktop flatpak applications
community.general.flatpak:
name: "{{ desktop_flatpak_packages }}"
state: present
remote: "{{ desktop_flatpak_remote_name | default('flathub') }}"
method: system
when: (desktop_flatpak_packages | default([])) | length > 0
- name: Set desktop external tool release metadata
ansible.builtin.set_fact:
desktop_tools_tmp_dir: /tmp/desktop-tools
gitmux_version: v0.11.5
bw_version: 1.22.1
gitmux_arch: >-
{{
'amd64' if ansible_facts['architecture'] == 'x86_64'
else 'arm64' if ansible_facts['architecture'] in ['aarch64', 'arm64']
else ''
}}
- name: Ensure architecture is supported for gitmux binary
ansible.builtin.fail:
msg: "Unsupported architecture {{ ansible_facts['architecture'] }} for gitmux release binary"
when: gitmux_arch == ''
- name: Ensure architecture is supported for bw binary
ansible.builtin.fail:
msg: "Unsupported architecture {{ ansible_facts['architecture'] }} for bw release binary"
when: ansible_facts['architecture'] != 'x86_64'
- name: Ensure temporary directory exists for external tools
ansible.builtin.file:
path: "{{ desktop_tools_tmp_dir }}"
state: directory
mode: "0755"
- name: Set gitmux asset metadata
ansible.builtin.set_fact:
gitmux_asset: "gitmux_{{ gitmux_version }}_linux_{{ gitmux_arch }}.tar.gz"
- name: Download gitmux release archive
ansible.builtin.get_url:
url: "https://github.com/arl/gitmux/releases/download/{{ gitmux_version }}/{{ gitmux_asset }}"
dest: "{{ desktop_tools_tmp_dir }}/{{ gitmux_asset }}"
checksum: "sha256:https://github.com/arl/gitmux/releases/download/{{ gitmux_version }}/checksums.txt"
mode: "0644"
- name: Extract gitmux release archive
ansible.builtin.unarchive:
src: "{{ desktop_tools_tmp_dir }}/{{ gitmux_asset }}"
dest: "{{ desktop_tools_tmp_dir }}"
remote_src: true
- name: Install gitmux binary
ansible.builtin.copy:
src: "{{ desktop_tools_tmp_dir }}/gitmux"
dest: /usr/local/bin/gitmux
remote_src: true
owner: root
group: root
mode: "0755"
- name: Set bw asset metadata
ansible.builtin.set_fact:
bw_asset: "bw-linux-{{ bw_version }}.zip"
- name: Download bw release archive
ansible.builtin.get_url:
url: "https://github.com/bitwarden/cli/releases/download/v{{ bw_version }}/{{ bw_asset }}"
dest: "{{ desktop_tools_tmp_dir }}/{{ bw_asset }}"
checksum: "sha256:https://github.com/bitwarden/cli/releases/download/v{{ bw_version }}/bw-linux-sha256-{{ bw_version }}.txt"
mode: "0644"
- name: Extract bw release archive
ansible.builtin.unarchive:
src: "{{ desktop_tools_tmp_dir }}/{{ bw_asset }}"
dest: "{{ desktop_tools_tmp_dir }}"
remote_src: true
- name: Install bw binary
ansible.builtin.copy:
src: "{{ desktop_tools_tmp_dir }}/bw"
dest: /usr/local/bin/bw
remote_src: true
owner: root
group: root
mode: "0755"
Reference in New Issue View Git Blame Copy Permalink