ilia/ansible
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
ansible/roles/development/tasks/main.yml
ilia c3e6caf9e8
All checks were successful
CI / skip-ci-check (push) Successful in 1m18s
Details
CI / lint-and-test (push) Successful in 1m23s
Details
CI / ansible-validation (push) Successful in 3m2s
Details
CI / secret-scanning (push) Successful in 1m19s
Details
CI / dependency-scan (push) Successful in 1m24s
Details
CI / sast-scan (push) Successful in 2m32s
Details
CI / license-check (push) Successful in 1m23s
Details
CI / vault-check (push) Successful in 2m22s
Details
CI / playbook-test (push) Successful in 2m25s
Details
CI / container-scan (push) Successful in 1m51s
Details
CI / sonar-analysis (push) Successful in 2m32s
Details
CI / workflow-summary (push) Successful in 1m17s
Details
refactor-servers-workstations-shell-monitoring (#4) 
### Summary

This PR refactors the playbook layout to reduce duplication and make host intent clearer (servers vs workstations), splits monitoring by host type, and restores full Zsh setup for developers while keeping servers aliases-only.

### Key changes

- **New playbooks**
  - `playbooks/servers.yml`: baseline for server-class hosts (no desktop apps)
  - `playbooks/workstations.yml`: baseline for dev/desktop/local + **desktop apps only on `desktop` group**

- **Monitoring split**
  - `roles/monitoring_server`: server monitoring + intrusion prevention (includes `fail2ban`, sysstat)
  - `roles/monitoring_desktop`: desktop-oriented monitoring tooling
  - Updated playbooks to use the correct monitoring role per host type

- **Shell role: server-safe + developer-friendly**
  - `roles/shell` now supports two modes:
    - `shell_mode: minimal` (default): aliases-only, does not overwrite `.zshrc`
    - `shell_mode: full`: installs Oh My Zsh + Powerlevel10k + plugins and deploys a managed `.zshrc`
  - `playbooks/development.yml` and `playbooks/workstations.yml` use `shell_mode: full`
  - `playbooks/servers.yml` remains **aliases-only**

- **Applications**
  - Applications role runs only on `desktop` group (via `workstations.yml`)
  - Removed Brave installs/repo management
  - Added **CopyQ** to desktop apps (`applications_desktop_packages`)

- **Docs + architecture**
  - Added canonical doc tree under `project-docs/` (overview/architecture/standards/workflow/decisions)
  - Consolidated architecture docs: `docs/reference/architecture.md` is now a pointer to `project-docs/architecture.md`
  - Fixed broken doc links by adding the missing referenced pages under `docs/`

### Behavior changes (important)

- Desktop GUI apps install **only** on the `desktop` inventory group (not on servers, not on dev VMs unless they are in `desktop`).
- Dev/workstation Zsh is now provisioned in **full mode** (managed `.zshrc` + p10k).

### How to test (local CI parity)

```bash
make test
npm test
```

Optional dry runs (interactive sudo may be required):

```bash
make check
make check-local
```

### Rollout guidance

- Apply to a single host first:
  - Workstations: `make workstations HOST=<devhost>`
  - Servers: `make servers HOST=<serverhost>`
- Then expand to group runs.

Reviewed-on: #4
2026-01-01 22:11:24 -05:00

115 lines
3.9 KiB
YAML
Raw Permalink Blame History

---
- name: Install basic development packages
ansible.builtin.apt:
name: "{{ development_packages }}"
state: present
become: true
- name: Check if Node.js is installed
ansible.builtin.command: node --version
register: node_version_check
failed_when: false
changed_when: false
- name: Check NodeSource repository file presence
ansible.builtin.stat:
path: /etc/apt/sources.list.d/nodesource.list
register: nodesource_list_stat
when: node_version_check.rc != 0 or not node_version_check.stdout.startswith('v22')
- name: Read NodeSource repository file
ansible.builtin.slurp:
src: /etc/apt/sources.list.d/nodesource.list
register: nodesource_list_slurp
when:
- node_version_check.rc != 0 or not node_version_check.stdout.startswith('v22')
- nodesource_list_stat.stat.exists | default(false)
- name: Set NodeSource repository state
ansible.builtin.set_fact:
nodesource_repo_state: >-
{{
'not_exists'
if not (nodesource_list_stat.stat.exists | default(false))
else (
'correct_config'
if (
(nodesource_list_slurp.content | b64decode)
is search('^deb \\[signed-by=/etc/apt/keyrings/nodesource\\.gpg\\] https://deb\\.nodesource\\.com/node_22\\.x nodistro main', multiline=True)
)
else 'wrong_config'
)
}}
when: node_version_check.rc != 0 or not node_version_check.stdout.startswith('v22')
- name: Check NodeSource GPG key presence
ansible.builtin.stat:
path: /etc/apt/keyrings/nodesource.gpg
register: nodesource_key_stat
when: node_version_check.rc != 0 or not node_version_check.stdout.startswith('v22')
- name: Remove incorrect NodeSource repository
ansible.builtin.file:
path: /etc/apt/sources.list.d/nodesource.list
state: absent
become: true
when:
- node_version_check.rc != 0 or not node_version_check.stdout.startswith('v22')
- nodesource_repo_state == "wrong_config"
- name: Create keyrings directory
ansible.builtin.file:
path: /etc/apt/keyrings
state: directory
mode: '0755'
become: true
when:
- node_version_check.rc != 0 or not node_version_check.stdout.startswith('v22')
- not (nodesource_key_stat.stat.exists | default(false))
- name: Import NodeSource GPG key into apt keyring
ansible.builtin.shell: |
# Ensure keyrings directory exists
mkdir -p /etc/apt/keyrings
# Download and convert key to binary format for signed-by
curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
chmod 644 /etc/apt/keyrings/nodesource.gpg
# Verify the key file is valid
if ! file /etc/apt/keyrings/nodesource.gpg | grep -q "PGP"; then
echo "ERROR: Key file is not valid PGP format"
exit 1
fi
args:
creates: /etc/apt/keyrings/nodesource.gpg
become: true
when:
- node_version_check.rc != 0 or not node_version_check.stdout.startswith('v22')
- not (nodesource_key_stat.stat.exists | default(false))
- name: Add NodeSource repository only if needed
ansible.builtin.apt_repository:
repo: "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_22.x nodistro main"
state: present
update_cache: false
become: true
when:
- node_version_check.rc != 0 or not node_version_check.stdout.startswith('v22')
- nodesource_repo_state in ["not_exists", "wrong_config"]
- name: Install Node.js 22 from NodeSource
ansible.builtin.apt:
name: nodejs
state: present
become: true
when:
- (node_version_check.rc != 0 or not node_version_check.stdout.startswith('v22'))
- name: Verify Node.js installation
ansible.builtin.command: node --version
register: final_node_version
changed_when: false
- name: Display Node.js version
ansible.builtin.debug:
msg: "Node.js version installed: {{ final_node_version.stdout if final_node_version.stdout is defined else 'Not checked in dry-run mode' }}"
Reference in New Issue View Git Blame Copy Permalink