Compare commits

...

7 Commits

Author SHA1 Message Date
cb157a1bd4
arch: implement LVM-on-LUKS, begin filesystems 2020-11-23 15:46:42 +01:00
48e010a847
arch: begin bootstrapping role 2020-11-09 17:13:32 +01:00
8a0c0a6476
doc: hint at usage and requirements 2020-11-05 20:32:08 +01:00
c72e1bb34f
pass: configure passwordstore with remote 2020-11-05 20:25:27 +01:00
d2d2b2c845
bash: install autocompletion package 2020-11-05 20:23:35 +01:00
6f8ee3627d
gnupg: ensure ssh uses gnupg-agent
Loads the gnupg_agent-skript in the ~/.bashrc, which exports
the needed variables (SSH_AUTH_SOCK, SSH_AGENT_PID, GPG_AGENT_INFO).

Also downloads the pubkey of the user and sets ownertrust on the key.

Fixes #3
2020-11-05 19:55:47 +01:00
cc609ade26
i3: template config for xfce4+i3 2020-09-18 22:08:40 +02:00
15 changed files with 252 additions and 17 deletions

9
README.md Normal file
View File

@ -0,0 +1,9 @@
# .dotfiles - Bootstrap me!
## Requirements
Clone this repository with `git clone --recursive https://git.finallycoffee.eu/transcaffeine/dotfiles.git` into `~/git/dotfiles`.
Have your pubkey in a git-repo at `https://git.finallycoffee.eu/$USER/about` at the top-level as `pubkey.asc`, then run `ansible-playbook -i local.yml bootstrap.yml`.
Reboot and then run `ansible-playbook -i local.yml all.yml`.

10
bootstrap.yml Normal file
View File

@ -0,0 +1,10 @@
---
- name: Bootstrap arch linux install
hosts: all
roles:
- name: arch
become: yes
vars:
arch_device: /dev/sdg

8
i3.yml Normal file
View File

@ -0,0 +1,8 @@
---
- name: Template i3 config
hosts: all
become: true
roles:
- i3

View File

@ -2,30 +2,30 @@
all: all:
hosts: hosts:
xenon: local:
ansible_host: xenon.int.finallycoffee.eu ansible_host: localhost
ansible_connection: local ansible_connection: local
vars: vars:
ansible_user: transcaffeine ansible_user: transcaffeine
ansible_become_user: transcaffeine ansible_become_user: root
ansible_become: true ansible_become_method: sudo
gnupg: gnupg:
hosts: hosts:
xenon: local:
redshift: redshift:
hosts: hosts:
xenon: local:
tmux: tmux:
hosts: hosts:
xenon: local:
vim: vim:
hosts: hosts:
xenon: local:
git: git:
hosts: hosts:
xenon: local:

14
roles/arch/README.md Normal file
View File

@ -0,0 +1,14 @@
# ArchLinux role
Bootstraps an arch linux install to a given device. The whole block device is wiped in the process!
## Requirements:
`pacman -Syu parted cryptsetup wipefs lsblk blkid mkfs.[fat|ext4|...]`
Collections:
- `community.general`
- `community.crypto`
- `community.posix`

View File

@ -0,0 +1,30 @@
---
arch_device: ~
arch_hostname: cookie
arch_part_label_base: "{{ arch_hostname }}"
arch_part_efi_size: "512MiB"
arch_part_root_size: "95%"
arch_luks_device: "{{ arch_device }}2"
arch_luks_passphrase: "super_secure!"
arch_luks_container_name: "{{ arch_hostname }}"
arch_lvm_name: "{{ arch_part_label_base }}"
arch_lvm_volumes:
- name: "swap"
size: "16G"
fstype: swap
- name: "home"
size: "40G"
fstype: ext4
mountpoint: "/home"
- name: "cache"
size: "20G"
fstype: ext4
mountpoint: "/var/cache"
- name: "root"
size: "+90%FREE"
fstype: ext4
mountpoint: "/"

View File

@ -0,0 +1,107 @@
---
- name: Warn user that the blockdevice will be wiped
debug:
msg: "Warning! Continueing will wipe {{ arch_device }}!"
- name: Give user the ability to abort
pause:
prompt: "You can safely abort now if you want, or continue and wipe {{ arch_device }}"
- name: Create empty GPT
community.general.parted:
device: "{{ arch_device }}"
label: gpt
name: "{{ arch_part_label_base }}"
- name: Create EFI system partition
community.general.parted:
device: "{{ arch_device }}"
state: present
part_start: "0%"
part_end: "{{ arch_part_efi_size }}"
number: 1
label: gpt
name: "{{ arch_part_label_base }}-efi"
fs_type: fat32
- name: Create partition for luks
community.general.parted:
device: "{{ arch_device }}"
state: present
part_start: "{{ arch_part_efi_size }}"
part_end: "{{ arch_part_root_size }}"
number: 2
label: gpt
name: "{{ arch_part_label_base }}-main"
- name: Create luks device on main partition
community.crypto.luks_device:
device: "{{ arch_luks_device }}"
passphrase: "{{ arch_luks_passphrase }}"
state: present
- name: Open luks device
community.crypto.luks_device:
device: "{{ arch_luks_device }}"
passphrase: "{{ arch_luks_passphrase }}"
state: "opened"
name: "{{ arch_luks_container_name }}"
- name: Wipe volume group if it existed
community.general.lvg:
vg: "{{ arch_lvm_name }}"
force: yes
state: absent
- name: Create volume group
community.general.lvg:
vg: "{{ arch_lvm_name }}"
pvs: "/dev/mapper/{{ arch_luks_container_name }}"
pvresize: yes
- name: Create logical volume for swap and root filesystem
community.general.lvol:
vg: "{{ arch_lvm_name }}"
lv: "{{ item.name }}"
size: "{{ item.size }}"
loop: "{{ arch_lvm_volumes }}"
- name: Create filesystem on efi system partition
community.general.filesystem:
dev: "{{ arch_device }}1"
force: yes
fstype: vfat
opts: -F32
- name: Create filesystems on the volumes
community.general.filesystem:
dev: "/dev/mapper/{{ arch_lvm_name }}-{{ item.name }}"
fstype: "{{ item.fstype }}"
loop: "{{ arch_lvm_volumes }}"
- name: Create mountpoint
file:
path: "/mnt-{{ arch_luks_container_name }}"
state: directory
- name: Mount root partition
command:
cmd: "mount /dev/mapper/{{ arch_lvm_name }}-{{ item.name }} /mnt-{{ arch_luks_container_name }}"
loop: "{{ arch_lvm_volumes | selectattr('mountpoint', 'defined') | selectattr('mountpoint', 'equalto', '/') }}"
- name: Create mountpoints in root partition
file:
path: "/mnt-{{ arch_luks_container_name }}{{ item.mountpoint }}"
state: directory
recurse: yes
loop: "{{ arch_lvm_volumes | selectattr('mountpoint', 'defined') | selectattr('mountpoint', 'ne', '/') + [ { \"mountpoint\": \"/boot\" } ] }}"
- name: Mount efi system partition
command:
cmd: "mount {{ arch_device }}1 /mnt-{{ arch_luks_container_name }}/boot"
- name: Mount additional partitions
command:
cmd: "mount /dev/mapper/{{ arch_lvm_name }}-{{ item.name }} /mnt-{{ arch_luks_container_name }}{{ item.mountpoint }}"
loop: "{{ arch_lvm_volumes | selectattr('mountpoint', 'defined') | selectattr('mountpoint', 'ne', '/') | list }}"

10
roles/arch/tasks/main.yml Normal file
View File

@ -0,0 +1,10 @@
---
- name: Format disks and setup LVM on LUKS
import_tasks: filesystems.yml
#- name: Bootstrap all packages and configure system
# import_tasks: packages.yml
#- name: Configure systemd boot with EFI and LUKS
# import_tasks: bootloader.yml

View File

@ -0,0 +1,9 @@
---
- name: Install additional packages
package:
name: "{{ item }}"
state: present
loop:
- bash
- bash-completion

View File

@ -7,3 +7,4 @@ gpg_keygrips: []
gpg_folder: "~/.gnupg" gpg_folder: "~/.gnupg"
gpg_user: "{{ ansible_user }}"

View File

@ -38,8 +38,26 @@
dest: "{{ gpg_folder }}/gnupg_agent" dest: "{{ gpg_folder }}/gnupg_agent"
mode: 0700 mode: 0700
- name: Ensure gnupg_agent skript is included in .bashrc so SSH uses gpg-agent
blockinfile:
path: "~/.bashrc"
insertafter: "\[\[ \$- != \*i\* \]\] && return"
line: |
# load script telling SSH to use the gpg agent
source "{{ gpg_folder }}"/gnupg_agent
state: present
- name: Download own pubkey
get_url:
url: "https://git.finallycoffee.eu/{{ gpg_user }}/about/raw/branch/master/pubkey.asc"
dest: "~/{{ gpg_user }}.pub"
- name: Import own pubkey and set owner-trust
command:
cmd: |
gpg2 --no-tty --command-fd 0 --import ~/{{ gpg_user }}.pub << EOF
trust
5
quit
EOF

View File

@ -8,5 +8,4 @@ allow-freeform-uid
with-fingerprint with-fingerprint
keyid-format 0xlong keyid-format 0xlong
keyserver hkps://hkps.pool.sks-keyservers.net keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver-options ca-cert-file=/home/electron/.gnupg/sks-keyservers_ca.pem
keyserver-options no-honor-keyserver-url keyserver-options no-honor-keyserver-url

View File

@ -4,6 +4,7 @@
package: package:
name: i3 name: i3
state: present state: present
ignore_errors: yes
- name: Ensure folder for configuration exists - name: Ensure folder for configuration exists
file: file:
@ -16,7 +17,3 @@
src: config.j2 src: config.j2
dest: ~/.config/i3/config dest: ~/.config/i3/config
- name: Create autostart entry
template:
src: ""
dest: ~/.config/autostart/i3.desktop

View File

@ -32,7 +32,7 @@ bindsym $mod+Shift+q kill
bindsym $mod+d exec xfce4-popup-whiskermenu bindsym $mod+d exec xfce4-popup-whiskermenu
# Lock the screen # Lock the screen
bindsym $mod+l exec i3lock bindsym $mod+l exec xflock4
# There also is the (new) i3-dmenu-desktop which only displays applications # There also is the (new) i3-dmenu-desktop which only displays applications
# shipping a .desktop file. It is a wrapper around dmenu, so you need that # shipping a .desktop file. It is a wrapper around dmenu, so you need that

View File

@ -0,0 +1,23 @@
---
- name: Install package
package:
name: pass
state: present
- name: Initialise password store
command:
cmd: "pass init {{ passwordstore_id }}"
- name: Set password store git upstream
command:
cmd: "pass git remote set origin ssh://git@git.finallycoffee.eu:8022/{{ ansible_user }}/password-store.git"
- name: Fetch upstream password store
command:
cmd: "pass git fetch --all"
- name: Set master to upstream master
command:
cmd: "pass git checkout -B master origin/master"