ilia/ansible
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
ansible/roles/base/tasks/main.yml
ilia c3e6caf9e8
All checks were successful
CI / skip-ci-check (push) Successful in 1m18s
Details
CI / lint-and-test (push) Successful in 1m23s
Details
CI / ansible-validation (push) Successful in 3m2s
Details
CI / secret-scanning (push) Successful in 1m19s
Details
CI / dependency-scan (push) Successful in 1m24s
Details
CI / sast-scan (push) Successful in 2m32s
Details
CI / license-check (push) Successful in 1m23s
Details
CI / vault-check (push) Successful in 2m22s
Details
CI / playbook-test (push) Successful in 2m25s
Details
CI / container-scan (push) Successful in 1m51s
Details
CI / sonar-analysis (push) Successful in 2m32s
Details
CI / workflow-summary (push) Successful in 1m17s
Details
refactor-servers-workstations-shell-monitoring (#4) 
### Summary

This PR refactors the playbook layout to reduce duplication and make host intent clearer (servers vs workstations), splits monitoring by host type, and restores full Zsh setup for developers while keeping servers aliases-only.

### Key changes

- **New playbooks**
  - `playbooks/servers.yml`: baseline for server-class hosts (no desktop apps)
  - `playbooks/workstations.yml`: baseline for dev/desktop/local + **desktop apps only on `desktop` group**

- **Monitoring split**
  - `roles/monitoring_server`: server monitoring + intrusion prevention (includes `fail2ban`, sysstat)
  - `roles/monitoring_desktop`: desktop-oriented monitoring tooling
  - Updated playbooks to use the correct monitoring role per host type

- **Shell role: server-safe + developer-friendly**
  - `roles/shell` now supports two modes:
    - `shell_mode: minimal` (default): aliases-only, does not overwrite `.zshrc`
    - `shell_mode: full`: installs Oh My Zsh + Powerlevel10k + plugins and deploys a managed `.zshrc`
  - `playbooks/development.yml` and `playbooks/workstations.yml` use `shell_mode: full`
  - `playbooks/servers.yml` remains **aliases-only**

- **Applications**
  - Applications role runs only on `desktop` group (via `workstations.yml`)
  - Removed Brave installs/repo management
  - Added **CopyQ** to desktop apps (`applications_desktop_packages`)

- **Docs + architecture**
  - Added canonical doc tree under `project-docs/` (overview/architecture/standards/workflow/decisions)
  - Consolidated architecture docs: `docs/reference/architecture.md` is now a pointer to `project-docs/architecture.md`
  - Fixed broken doc links by adding the missing referenced pages under `docs/`

### Behavior changes (important)

- Desktop GUI apps install **only** on the `desktop` inventory group (not on servers, not on dev VMs unless they are in `desktop`).
- Dev/workstation Zsh is now provisioned in **full mode** (managed `.zshrc` + p10k).

### How to test (local CI parity)

```bash
make test
npm test
```

Optional dry runs (interactive sudo may be required):

```bash
make check
make check-local
```

### Rollout guidance

- Apply to a single host first:
  - Workstations: `make workstations HOST=<devhost>`
  - Servers: `make servers HOST=<serverhost>`
- Then expand to group runs.

Reviewed-on: #4
2026-01-01 22:11:24 -05:00

95 lines
2.3 KiB
YAML
Raw Blame History

---
- name: Update apt cache (shared baseline)
ansible.builtin.apt:
update_cache: true
cache_valid_time: "{{ apt_cache_valid_time | default(3600) }}"
when: ansible_os_family == "Debian"
- name: Ensure Ansible remote_tmp directory exists with correct permissions
ansible.builtin.file:
path: /root/.ansible/tmp
state: directory
mode: '0755'
owner: root
group: root
become: true
- name: Install base system packages
ansible.builtin.apt:
name:
# Base utilities
- curl
- wget
- unzip
- xclip
- tree
- copyq
# Network and admin tools
- net-tools
- ufw
- mailutils
# Modern CLI tools
- jq
- ripgrep
- fd-find
# Power management (TLP for laptops)
- tlp
- tlp-rdw
state: present
- name: Install yq YAML processor
ansible.builtin.apt:
name: yq
state: present
update_cache: false
failed_when: false
register: yq_apt_install
- name: Install yq from binary if apt fails
when: yq_apt_install.failed or yq_apt_install is not succeeded
block:
- name: Download yq binary
ansible.builtin.get_url:
url: https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
dest: /usr/local/bin/yq
mode: '0755'
register: yq_download
- name: Verify yq installation
ansible.builtin.command: yq --version
changed_when: false
- name: Create fd symlink (Ubuntu uses fd-find)
ansible.builtin.file:
src: /usr/bin/fdfind
dest: /usr/local/bin/fd
state: link
when: ansible_distribution == "Ubuntu"
# fail2ban configuration moved to monitoring role
# UFW enablement moved to ssh role to avoid lockout
- name: Set timezone
community.general.timezone:
name: "{{ timezone | default('UTC') }}"
- name: Configure locale
community.general.locale_gen:
name: "{{ locale | default('en_US.UTF-8') }}"
state: present
- name: Gather package facts to check for TLP
ansible.builtin.package_facts:
manager: apt
when: ansible_facts.packages is not defined
- name: Enable and start TLP service
ansible.builtin.systemd:
name: tlp
enabled: true
state: started
daemon_reload: true
become: true
when: ansible_facts.packages is defined and 'tlp' in ansible_facts.packages
Reference in New Issue View Git Blame Copy Permalink