arch: implement LVM-on-LUKS, begin filesystems

Loads the gnupg_agent-skript in the ~/.bashrc, which exports
the needed variables (SSH_AUTH_SOCK, SSH_AGENT_PID, GPG_AGENT_INFO).

Also downloads the pubkey of the user and sets ownertrust on the key.

Fixes #3

README.md

@@ -0,0 +1,9 @@
+# .dotfiles - Bootstrap me!
+
+## Requirements
+
+Clone this repository with `git clone --recursive https://git.finallycoffee.eu/transcaffeine/dotfiles.git` into `~/git/dotfiles`.
+
+Have your pubkey in a git-repo at `https://git.finallycoffee.eu/$USER/about` at the top-level as `pubkey.asc`, then run `ansible-playbook -i local.yml bootstrap.yml`.
+
+Reboot and then run `ansible-playbook -i local.yml all.yml`.

bootstrap.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Bootstrap arch linux install
+  hosts: all
+  roles:
+    - name: arch
+      become: yes
+  vars:
+    arch_device: /dev/sdg
+  

i3.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Template i3 config
+  hosts: all
+  become: true
+  roles:
+    - i3
+

local.yml

@@ -2,30 +2,30 @@
 
 all:
   hosts:
-    xenon:
+    local:
-      ansible_host: xenon.int.finallycoffee.eu
+      ansible_host: localhost
       ansible_connection: local
   vars:
     ansible_user: transcaffeine
-    ansible_become_user: transcaffeine
+    ansible_become_user: root
-    ansible_become: true
+    ansible_become_method: sudo
 
 gnupg:
   hosts:
-    xenon:
+    local:
 
 redshift:
   hosts:
-    xenon:
+    local:
 
 tmux:
   hosts:
-    xenon:
+    local:
 
 vim:
   hosts:
-    xenon:
+    local:
 
 git:
   hosts:
-    xenon:
+    local:

roles/arch/README.md

@@ -0,0 +1,14 @@
+# ArchLinux role
+
+Bootstraps an arch linux install to a given device. The whole block device is wiped in the process!
+
+## Requirements:
+
+`pacman -Syu parted cryptsetup wipefs lsblk blkid mkfs.[fat|ext4|...]`
+
+Collections:
+
+- `community.general`
+- `community.crypto`
+- `community.posix`
+

roles/arch/defaults/main.yml

@@ -0,0 +1,30 @@
+---
+
+arch_device: ~
+arch_hostname: cookie
+
+arch_part_label_base: "{{ arch_hostname }}"
+arch_part_efi_size: "512MiB"
+arch_part_root_size: "95%"
+
+arch_luks_device: "{{ arch_device }}2"
+arch_luks_passphrase: "super_secure!"
+arch_luks_container_name: "{{ arch_hostname }}"
+
+arch_lvm_name: "{{ arch_part_label_base }}"
+arch_lvm_volumes:
+  - name: "swap"
+    size: "16G"
+    fstype: swap
+  - name: "home"
+    size: "40G"
+    fstype: ext4
+    mountpoint: "/home"
+  - name: "cache"
+    size: "20G"
+    fstype: ext4
+    mountpoint: "/var/cache"
+  - name: "root"
+    size: "+90%FREE"
+    fstype: ext4
+    mountpoint: "/"

roles/arch/tasks/filesystems.yml

@@ -0,0 +1,107 @@
+---
+
+- name: Warn user that the blockdevice will be wiped
+  debug:
+    msg: "Warning! Continueing will wipe {{ arch_device }}!"
+
+- name: Give user the ability to abort
+  pause:
+    prompt: "You can safely abort now if you want, or continue and wipe {{ arch_device }}"
+
+- name: Create empty GPT
+  community.general.parted:
+    device: "{{ arch_device }}"
+    label: gpt
+    name: "{{ arch_part_label_base }}"
+
+- name: Create EFI system partition
+  community.general.parted:
+    device: "{{ arch_device }}"
+    state: present
+    part_start: "0%"
+    part_end: "{{ arch_part_efi_size }}"
+    number: 1
+    label: gpt
+    name: "{{ arch_part_label_base }}-efi"
+    fs_type: fat32
+
+- name: Create partition for luks
+  community.general.parted:
+    device: "{{ arch_device }}"
+    state: present
+    part_start: "{{ arch_part_efi_size }}"
+    part_end: "{{ arch_part_root_size }}"
+    number: 2
+    label: gpt
+    name: "{{ arch_part_label_base }}-main"
+
+- name: Create luks device on main partition
+  community.crypto.luks_device:
+    device: "{{ arch_luks_device }}"
+    passphrase: "{{ arch_luks_passphrase }}"
+    state: present
+
+- name: Open luks device
+  community.crypto.luks_device:
+    device: "{{ arch_luks_device }}"
+    passphrase: "{{ arch_luks_passphrase }}"
+    state: "opened"
+    name: "{{ arch_luks_container_name }}"
+
+- name: Wipe volume group if it existed
+  community.general.lvg:
+    vg: "{{ arch_lvm_name }}"
+    force: yes
+    state: absent
+
+- name: Create volume group
+  community.general.lvg:
+    vg: "{{ arch_lvm_name }}"
+    pvs: "/dev/mapper/{{ arch_luks_container_name }}"
+    pvresize: yes
+
+- name: Create logical volume for swap and root filesystem
+  community.general.lvol:
+    vg: "{{ arch_lvm_name }}"
+    lv: "{{ item.name }}"
+    size: "{{ item.size }}"
+  loop: "{{ arch_lvm_volumes }}"
+
+- name: Create filesystem on efi system partition
+  community.general.filesystem:
+    dev: "{{ arch_device }}1"
+    force: yes
+    fstype: vfat
+    opts: -F32
+
+- name: Create filesystems on the volumes
+  community.general.filesystem:
+    dev: "/dev/mapper/{{ arch_lvm_name }}-{{ item.name }}"
+    fstype: "{{ item.fstype }}"
+  loop: "{{ arch_lvm_volumes }}"
+
+- name: Create mountpoint
+  file:
+    path: "/mnt-{{ arch_luks_container_name }}"
+    state: directory
+
+- name: Mount root partition
+  command:
+    cmd: "mount /dev/mapper/{{ arch_lvm_name }}-{{ item.name }} /mnt-{{ arch_luks_container_name }}"
+  loop: "{{ arch_lvm_volumes | selectattr('mountpoint', 'defined') | selectattr('mountpoint', 'equalto', '/') }}"
+
+- name: Create mountpoints in root partition
+  file:
+    path: "/mnt-{{ arch_luks_container_name }}{{ item.mountpoint }}"
+    state: directory
+    recurse: yes
+  loop: "{{ arch_lvm_volumes | selectattr('mountpoint', 'defined') | selectattr('mountpoint', 'ne', '/') + [ { \"mountpoint\": \"/boot\" } ] }}"
+
+- name: Mount efi system partition
+  command:
+    cmd: "mount {{ arch_device }}1 /mnt-{{ arch_luks_container_name }}/boot"
+
+- name: Mount additional partitions
+  command:
+    cmd: "mount /dev/mapper/{{ arch_lvm_name }}-{{ item.name }} /mnt-{{ arch_luks_container_name }}{{ item.mountpoint }}"
+  loop: "{{ arch_lvm_volumes | selectattr('mountpoint', 'defined') | selectattr('mountpoint', 'ne', '/') | list }}"

roles/arch/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Format disks and setup LVM on LUKS
+  import_tasks: filesystems.yml
+
+#- name: Bootstrap all packages and configure system
+#  import_tasks: packages.yml
+
+#- name: Configure systemd boot with EFI and LUKS
+#  import_tasks: bootloader.yml

roles/bash/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Install additional packages
+  package:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - bash
+    - bash-completion

roles/gnupg/defaults/main.yml

@@ -7,3 +7,4 @@ gpg_keygrips: []
 
 gpg_folder: "~/.gnupg"
 
+gpg_user: "{{ ansible_user }}"

roles/gnupg/tasks/main.yml

@@ -38,8 +38,26 @@
     dest: "{{ gpg_folder }}/gnupg_agent"
     mode: 0700
 
+- name: Ensure gnupg_agent skript is included in .bashrc so SSH uses gpg-agent
+  blockinfile:
+    path: "~/.bashrc"
+    insertafter: "\[\[ \$- != \*i\* \]\] && return"
+    line: |
+      # load script telling SSH to use the gpg agent
+      source "{{ gpg_folder }}"/gnupg_agent
+    state: present
 
+- name: Download own pubkey
+  get_url:
+    url: "https://git.finallycoffee.eu/{{ gpg_user }}/about/raw/branch/master/pubkey.asc"
+    dest: "~/{{ gpg_user }}.pub"
 
-
+- name: Import own pubkey and set owner-trust
-
+  command:
+    cmd: |
+      gpg2 --no-tty --command-fd 0 --import ~/{{ gpg_user }}.pub << EOF
+      trust
+      5
+      quit
+      EOF
 

roles/gnupg/templates/gpg.conf.j2

@@ -8,5 +8,4 @@ allow-freeform-uid
 with-fingerprint
 keyid-format 0xlong
 keyserver hkps://hkps.pool.sks-keyservers.net
-#keyserver-options ca-cert-file=/home/electron/.gnupg/sks-keyservers_ca.pem
 keyserver-options no-honor-keyserver-url

roles/i3/tasks/main.yml

@@ -4,6 +4,7 @@
   package:
     name: i3
     state: present
+  ignore_errors: yes
 
 - name: Ensure folder for configuration exists
   file:
@@ -16,7 +17,3 @@
     src: config.j2
     dest: ~/.config/i3/config
 
-- name: Create autostart entry
-  template:
-    src: ""
-    dest: ~/.config/autostart/i3.desktop

roles/i3/templates/config.j2

@@ -32,7 +32,7 @@ bindsym $mod+Shift+q kill
 bindsym $mod+d exec xfce4-popup-whiskermenu
 
 # Lock the screen
-bindsym $mod+l exec i3lock
+bindsym $mod+l exec xflock4
 
 # There also is the (new) i3-dmenu-desktop which only displays applications
 # shipping a .desktop file. It is a wrapper around dmenu, so you need that

roles/passwordstore/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+
+- name: Install package
+  package:
+    name: pass
+    state: present
+
+- name: Initialise password store
+  command:
+    cmd: "pass init {{ passwordstore_id }}"
+
+- name: Set password store git upstream
+  command:
+    cmd: "pass git remote set origin ssh://git@git.finallycoffee.eu:8022/{{ ansible_user }}/password-store.git"
+
+- name: Fetch upstream password store
+  command:
+    cmd: "pass git fetch --all"
+
+- name: Set master to upstream master
+  command:
+    cmd: "pass git checkout -B master origin/master"
+