ilia
c3e6caf9e8
All checks were successful
CI / skip-ci-check (push) Successful in 1m18s
CI / lint-and-test (push) Successful in 1m23s
CI / ansible-validation (push) Successful in 3m2s
CI / secret-scanning (push) Successful in 1m19s
CI / dependency-scan (push) Successful in 1m24s
CI / sast-scan (push) Successful in 2m32s
CI / license-check (push) Successful in 1m23s
CI / vault-check (push) Successful in 2m22s
CI / playbook-test (push) Successful in 2m25s
CI / container-scan (push) Successful in 1m51s
CI / sonar-analysis (push) Successful in 2m32s
CI / workflow-summary (push) Successful in 1m17s
### Summary
This PR refactors the playbook layout to reduce duplication and make host intent clearer (servers vs workstations), splits monitoring by host type, and restores full Zsh setup for developers while keeping servers aliases-only.
### Key changes
- **New playbooks**
- `playbooks/servers.yml`: baseline for server-class hosts (no desktop apps)
- `playbooks/workstations.yml`: baseline for dev/desktop/local + **desktop apps only on `desktop` group**
- **Monitoring split**
- `roles/monitoring_server`: server monitoring + intrusion prevention (includes `fail2ban`, sysstat)
- `roles/monitoring_desktop`: desktop-oriented monitoring tooling
- Updated playbooks to use the correct monitoring role per host type
- **Shell role: server-safe + developer-friendly**
- `roles/shell` now supports two modes:
- `shell_mode: minimal` (default): aliases-only, does not overwrite `.zshrc`
- `shell_mode: full`: installs Oh My Zsh + Powerlevel10k + plugins and deploys a managed `.zshrc`
- `playbooks/development.yml` and `playbooks/workstations.yml` use `shell_mode: full`
- `playbooks/servers.yml` remains **aliases-only**
- **Applications**
- Applications role runs only on `desktop` group (via `workstations.yml`)
- Removed Brave installs/repo management
- Added **CopyQ** to desktop apps (`applications_desktop_packages`)
- **Docs + architecture**
- Added canonical doc tree under `project-docs/` (overview/architecture/standards/workflow/decisions)
- Consolidated architecture docs: `docs/reference/architecture.md` is now a pointer to `project-docs/architecture.md`
- Fixed broken doc links by adding the missing referenced pages under `docs/`
### Behavior changes (important)
- Desktop GUI apps install **only** on the `desktop` inventory group (not on servers, not on dev VMs unless they are in `desktop`).
- Dev/workstation Zsh is now provisioned in **full mode** (managed `.zshrc` + p10k).
### How to test (local CI parity)
```bash
make test
npm test
```
Optional dry runs (interactive sudo may be required):
```bash
make check
make check-local
```
### Rollout guidance
- Apply to a single host first:
- Workstations: `make workstations HOST=<devhost>`
- Servers: `make servers HOST=<serverhost>`
- Then expand to group runs.
Reviewed-on: #4
6.4 KiB
6.4 KiB
Installed Applications Reference
Complete inventory of applications and tools deployed by Ansible playbooks.
Application Categories
🔧 System Tools
| Package | Description | Source | Role |
|---|---|---|---|
| curl | Command line HTTP client | apt | base |
| wget | Network downloader | apt | base |
| unzip | Archive extraction | apt | base |
| xclip | Clipboard utility | apt | base |
| tree | Directory tree viewer | apt | base |
| net-tools | Network utilities | apt | base |
| jq | JSON processor | apt | base |
| yq | YAML processor | snap | base |
| ripgrep | Fast text search | apt | base |
| fd-find | Fast file finder | apt | base |
🔒 Security Tools
| Package | Description | Source | Role |
|---|---|---|---|
| ufw | Uncomplicated Firewall | apt | ssh |
| fail2ban | Intrusion prevention | apt | monitoring |
| openssh-server | SSH daemon | apt | ssh |
| mailutils | Mail utilities | apt | base |
| nmap | Network scanner | apt | monitoring |
| tcpdump | Packet analyzer | apt | monitoring |
| wireshark-common | Protocol analyzer | apt | monitoring |
💻 Development Tools
| Package | Description | Source | Role |
|---|---|---|---|
| git | Version control | apt | development |
| nodejs | JavaScript runtime | apt | development |
| npm | Node package manager | apt | development |
| build-essential | Compilation tools | apt | development |
| python3 | Python interpreter | apt | development |
| python3-pip | Python package manager | apt | development |
🐳 Container Platform
| Package | Description | Source | Role |
|---|---|---|---|
| docker-ce | Docker Community Edition | docker | docker |
| docker-ce-cli | Docker CLI | docker | docker |
| containerd.io | Container runtime | docker | docker |
| docker-buildx-plugin | Multi-platform builds | docker | docker |
| docker-compose-plugin | Multi-container apps | docker | docker |
🖥️ Shell Environment
| Package | Description | Source | Role |
|---|---|---|---|
| zsh | Z shell | apt | shell |
| tmux | Terminal multiplexer | apt | shell |
| fzf | Fuzzy finder | apt | shell |
| zsh aliases | Minimal alias set (sourced from ~/.zshrc) | file | shell |
📊 Monitoring Tools
| Package | Description | Source | Role |
|---|---|---|---|
| htop | Process viewer | apt | monitoring |
| btop | Modern system monitor | snap | monitoring |
| iotop | I/O monitor | apt | monitoring |
| nethogs | Network usage monitor | apt | monitoring |
| iftop | Bandwidth monitor | apt | monitoring |
| bandwhich | Network utilization | snap | monitoring |
| ncdu | Disk usage analyzer | apt | monitoring |
| dstat | System statistics | apt | monitoring |
| sysstat | Performance tools | apt | monitoring |
| atop | Advanced monitor | apt | monitoring |
| logwatch | Log analyzer | apt | monitoring |
🌐 Network Tools
| Package | Description | Source | Role |
|---|---|---|---|
| tailscale | Mesh VPN client | tailscale | tailscale |
| tailscaled | Tailscale daemon | tailscale | tailscale |
🖱️ Desktop Applications
| Package | Description | Source | Role |
|---|---|---|---|
| copyq | Clipboard manager (history/search) | apt | applications |
| evince | PDF viewer | apt | applications |
| redshift | Blue light filter | apt | applications |
Nice-to-have apps (not installed by default)
These are good add-ons depending on how you use your workstations. Keep them opt-in to avoid bloating baseline installs.
Desktop / UX
- flameshot: screenshots + annotation
- keepassxc: local password manager (or use your preferred)
- syncthing: peer-to-peer file sync (if you want self-hosted sync)
- remmina: RDP/VNC client
- mpv: lightweight media player
Developer workstation helpers
- direnv: per-project env var loading
- shellcheck: shell script linting
- jq / yq: JSON/YAML CLI tooling (already in base here, but listing for completeness)
- ripgrep / fd-find: fast search/find (already in base here)
Networking / diagnostics
- wireshark (GUI) or wireshark-common: packet analysis (only if you need it)
- iperf3: bandwidth testing
- dnsutils: dig/nslookup tools
Installation by Playbook
playbooks/development.yml
Installs all roles for development machines:
- All system tools
- Development environment
- Docker platform
- Shell configuration
- Monitoring tools
- Tailscale VPN
playbooks/local.yml
Installs for local machine management:
- Core system tools
- Shell environment
- Development basics
playbooks/workstations.yml
Installs baseline for dev:desktop:local, and installs desktop apps only for the desktop group:
- Workstation baseline (dev + desktop + local)
- Desktop applications (desktop group only)
playbooks/maintenance.yml
Maintains existing installations:
- System updates
- Package cleanup
- Security updates
Custom Scripts
System Information
/usr/local/bin/monitoring/sysinfo- System overview dashboard/usr/local/bin/monitoring/netinfo- Network information
Package Sources
| Source | Description | Configuration |
|---|---|---|
| apt | Debian/Ubuntu packages | System default |
| snap | Snap packages | snapd daemon |
| docker | Docker repository | Docker GPG key + repo |
| tailscale | Tailscale repository | Tailscale GPG key + repo |
| git | Git repositories | Direct clone |
Services Enabled
| Service | Description | Management |
|---|---|---|
| docker | Container runtime | systemctl |
| tailscaled | VPN daemon | systemctl |
| ufw | Firewall | systemctl |
| fail2ban | Intrusion prevention | systemctl |
| sshd | SSH server | systemctl |
| snapd | Snap daemon | systemctl |
| sysstat | System statistics | systemctl |
Version Management
Most packages are installed from distribution repositories and update with system updates. Exceptions:
- Docker: Tracks Docker CE stable channel
- Node.js: Latest LTS from NodeSource
- Tailscale: Latest stable from Tailscale repository
Total Count: 65+ Applications
- System & Security: 20+ tools
- Development: 6+ tools
- Shell Environment: 7+ components
- Monitoring: 15+ tools
- Container Platform: 5 components
- Desktop Applications: 6+ apps
- Network: 2+ tools
- Custom Scripts: 4+ scripts