ilia
c3e6caf9e8
All checks were successful
CI / skip-ci-check (push) Successful in 1m18s
CI / lint-and-test (push) Successful in 1m23s
CI / ansible-validation (push) Successful in 3m2s
CI / secret-scanning (push) Successful in 1m19s
CI / dependency-scan (push) Successful in 1m24s
CI / sast-scan (push) Successful in 2m32s
CI / license-check (push) Successful in 1m23s
CI / vault-check (push) Successful in 2m22s
CI / playbook-test (push) Successful in 2m25s
CI / container-scan (push) Successful in 1m51s
CI / sonar-analysis (push) Successful in 2m32s
CI / workflow-summary (push) Successful in 1m17s
### Summary
This PR refactors the playbook layout to reduce duplication and make host intent clearer (servers vs workstations), splits monitoring by host type, and restores full Zsh setup for developers while keeping servers aliases-only.
### Key changes
- **New playbooks**
- `playbooks/servers.yml`: baseline for server-class hosts (no desktop apps)
- `playbooks/workstations.yml`: baseline for dev/desktop/local + **desktop apps only on `desktop` group**
- **Monitoring split**
- `roles/monitoring_server`: server monitoring + intrusion prevention (includes `fail2ban`, sysstat)
- `roles/monitoring_desktop`: desktop-oriented monitoring tooling
- Updated playbooks to use the correct monitoring role per host type
- **Shell role: server-safe + developer-friendly**
- `roles/shell` now supports two modes:
- `shell_mode: minimal` (default): aliases-only, does not overwrite `.zshrc`
- `shell_mode: full`: installs Oh My Zsh + Powerlevel10k + plugins and deploys a managed `.zshrc`
- `playbooks/development.yml` and `playbooks/workstations.yml` use `shell_mode: full`
- `playbooks/servers.yml` remains **aliases-only**
- **Applications**
- Applications role runs only on `desktop` group (via `workstations.yml`)
- Removed Brave installs/repo management
- Added **CopyQ** to desktop apps (`applications_desktop_packages`)
- **Docs + architecture**
- Added canonical doc tree under `project-docs/` (overview/architecture/standards/workflow/decisions)
- Consolidated architecture docs: `docs/reference/architecture.md` is now a pointer to `project-docs/architecture.md`
- Fixed broken doc links by adding the missing referenced pages under `docs/`
### Behavior changes (important)
- Desktop GUI apps install **only** on the `desktop` inventory group (not on servers, not on dev VMs unless they are in `desktop`).
- Dev/workstation Zsh is now provisioned in **full mode** (managed `.zshrc` + p10k).
### How to test (local CI parity)
```bash
make test
npm test
```
Optional dry runs (interactive sudo may be required):
```bash
make check
make check-local
```
### Rollout guidance
- Apply to a single host first:
- Workstations: `make workstations HOST=<devhost>`
- Servers: `make servers HOST=<serverhost>`
- Then expand to group runs.
Reviewed-on: #4
148 lines
5.1 KiB
YAML
148 lines
5.1 KiB
YAML
---
|
|
# Configure shell for a single user
|
|
# Variable: current_user - the username to configure
|
|
|
|
- name: "Get user information: {{ current_user }}"
|
|
ansible.builtin.getent:
|
|
database: passwd
|
|
key: "{{ current_user }}"
|
|
register: user_info
|
|
failed_when: false
|
|
|
|
- name: "Set user home directory: {{ current_user }}"
|
|
ansible.builtin.set_fact:
|
|
user_home: "{{ user_info.ansible_facts.getent_passwd[current_user][4] }}"
|
|
when: user_info.ansible_facts.getent_passwd[current_user] is defined
|
|
|
|
- name: Skip if user not found
|
|
ansible.builtin.debug:
|
|
msg: "User {{ current_user }} not found, skipping shell configuration"
|
|
when: user_info.ansible_facts.getent_passwd[current_user] is not defined
|
|
|
|
- name: Configure shell environment
|
|
when: user_info.ansible_facts.getent_passwd[current_user] is defined
|
|
block:
|
|
- name: "Optionally set zsh as default shell: {{ current_user }}"
|
|
ansible.builtin.user:
|
|
name: "{{ current_user }}"
|
|
shell: /usr/bin/zsh
|
|
become: true
|
|
when: shell_set_default_shell | bool
|
|
|
|
- name: "Install managed zsh aliases file: {{ current_user }}"
|
|
ansible.builtin.copy:
|
|
src: files/ansible_aliases.zsh
|
|
dest: "{{ user_home }}/{{ shell_aliases_filename }}"
|
|
owner: "{{ current_user }}"
|
|
group: "{{ current_user }}"
|
|
mode: "0644"
|
|
become: true
|
|
|
|
- name: "Ensure ~/.zshrc exists (do not overwrite): {{ current_user }}"
|
|
ansible.builtin.file:
|
|
path: "{{ user_home }}/.zshrc"
|
|
state: touch
|
|
owner: "{{ current_user }}"
|
|
group: "{{ current_user }}"
|
|
mode: "0644"
|
|
become: true
|
|
when: not (shell_deploy_managed_zshrc | bool)
|
|
|
|
- name: "Ensure ~/.zshrc sources managed aliases: {{ current_user }}"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ user_home }}/.zshrc"
|
|
line: "{{ shell_zshrc_source_line }}"
|
|
state: present
|
|
insertafter: EOF
|
|
become: true
|
|
when: not (shell_deploy_managed_zshrc | bool)
|
|
|
|
- name: "Install Oh My Zsh: {{ current_user }}"
|
|
become: true
|
|
become_user: "{{ current_user }}"
|
|
ansible.builtin.shell: sh -c "$(wget https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh -O -)" "" --unattended
|
|
args:
|
|
creates: "{{ user_home }}/.oh-my-zsh"
|
|
changed_when: false
|
|
when: shell_install_oh_my_zsh | bool
|
|
|
|
- name: "Clone Powerlevel10k theme: {{ current_user }}"
|
|
ansible.builtin.git:
|
|
repo: https://github.com/romkatv/powerlevel10k.git
|
|
dest: "{{ user_home }}/.oh-my-zsh/custom/themes/powerlevel10k"
|
|
version: master
|
|
depth: 1
|
|
update: false
|
|
become: true
|
|
become_user: "{{ current_user }}"
|
|
when:
|
|
- shell_install_powerlevel10k | bool
|
|
- shell_install_oh_my_zsh | bool
|
|
|
|
- name: "Install zsh plugins: {{ current_user }}"
|
|
ansible.builtin.git:
|
|
repo: "{{ item.repo }}"
|
|
dest: "{{ user_home }}/.oh-my-zsh/custom/plugins/{{ item.name }}"
|
|
version: master
|
|
depth: 1
|
|
update: false
|
|
become: true
|
|
become_user: "{{ current_user }}"
|
|
loop: "{{ zsh_plugins }}"
|
|
when:
|
|
- shell_install_plugins | bool
|
|
- shell_install_oh_my_zsh | bool
|
|
|
|
- name: "Deploy managed .zshrc (full mode): {{ current_user }}"
|
|
ansible.builtin.copy:
|
|
src: files/zshrc.full
|
|
dest: "{{ user_home }}/.zshrc"
|
|
owner: "{{ current_user }}"
|
|
group: "{{ current_user }}"
|
|
mode: "0644"
|
|
backup: true
|
|
become: true
|
|
when: shell_deploy_managed_zshrc | bool
|
|
|
|
- name: "Deploy Powerlevel10k config (full mode): {{ current_user }}"
|
|
ansible.builtin.copy:
|
|
src: files/p10k.zsh
|
|
dest: "{{ user_home }}/.p10k.zsh"
|
|
owner: "{{ current_user }}"
|
|
group: "{{ current_user }}"
|
|
mode: "0644"
|
|
backup: true
|
|
become: true
|
|
when:
|
|
- shell_install_powerlevel10k | bool
|
|
- shell_deploy_managed_zshrc | bool
|
|
|
|
- name: "Ensure .local/bin directory exists: {{ current_user }}"
|
|
ansible.builtin.file:
|
|
path: "{{ user_home }}/.local/bin"
|
|
state: directory
|
|
owner: "{{ current_user }}"
|
|
group: "{{ current_user }}"
|
|
mode: '0755'
|
|
become: true
|
|
|
|
- name: "Deploy showapps script: {{ current_user }}"
|
|
ansible.builtin.copy:
|
|
src: files/showapps.sh
|
|
dest: "{{ user_home }}/.local/bin/showapps"
|
|
owner: "{{ current_user }}"
|
|
group: "{{ current_user }}"
|
|
mode: '0755'
|
|
become: true
|
|
|
|
- name: "Display post-installation instructions: {{ current_user }}"
|
|
ansible.builtin.debug:
|
|
msg:
|
|
- "=== Shell Configuration Complete for {{ current_user }} ==="
|
|
- "Aliases installed: {{ user_home }}/{{ shell_aliases_filename }}"
|
|
- >-
|
|
Mode: {{ shell_mode | default('minimal') }} ({{ 'managed ~/.zshrc deployed' if (shell_deploy_managed_zshrc | bool) else 'aliases-only appended to ~/.zshrc' }})
|
|
- "If you want zsh as default login shell, set: shell_set_default_shell=true"
|
|
- "If zsh was set as the default shell, log out/in or run: exec zsh"
|
|
- "=========================================="
|