From b85991f285a2b542a400d8ee531177b2c04dc0e7 Mon Sep 17 00:00:00 2001
From: Marco
Date: Sun, 12 Sep 2021 11:47:34 +0200
Subject: [PATCH] Adding etc, flatpak and rpm-ostree role
---
 roles/etc/defaults/main.yml | 12 ++++++
 roles/etc/handlers/main.yml | 6 +++
 roles/etc/tasks/blscfg.yml | 16 ++++++++
 roles/etc/tasks/firewalld.yml | 10 +++++
 roles/etc/tasks/main.yml | 27 +++++++++++++
 roles/etc/tasks/nts.yml | 7 ++++
 roles/etc/tasks/sysctl.yml | 10 +++++
 roles/etc/tasks/users.yml | 7 ++++
 roles/etc/templates/chrony.conf.j2 | 50 ++++++++++++++++++++++++
 roles/flatpak/defaults/main.yml | 13 ++++++
 roles/flatpak/tasks/main.yml | 17 ++++++++
 roles/rpm-ostree/defaults/main.yml | 5 +++
 roles/rpm-ostree/handlers/main.yml | 15 +++++++
 roles/rpm-ostree/tasks/main.yml | 63 ++++++++++++++++++++++++++++++
 14 files changed, 258 insertions(+)
 create mode 100644 roles/etc/defaults/main.yml
 create mode 100644 roles/etc/handlers/main.yml
 create mode 100644 roles/etc/tasks/blscfg.yml
 create mode 100644 roles/etc/tasks/firewalld.yml
 create mode 100644 roles/etc/tasks/main.yml
 create mode 100644 roles/etc/tasks/nts.yml
 create mode 100644 roles/etc/tasks/sysctl.yml
 create mode 100644 roles/etc/tasks/users.yml
 create mode 100644 roles/etc/templates/chrony.conf.j2
 create mode 100644 roles/flatpak/defaults/main.yml
 create mode 100644 roles/flatpak/tasks/main.yml
 create mode 100644 roles/rpm-ostree/defaults/main.yml
 create mode 100644 roles/rpm-ostree/handlers/main.yml
 create mode 100644 roles/rpm-ostree/tasks/main.yml
diff --git a/roles/etc/defaults/main.yml b/roles/etc/defaults/main.yml
new file mode 100644
index 0000000..09c2f1f
--- /dev/null
+++ b/roles/etc/defaults/main.yml
@@ -0,0 +1,12 @@
+---
+etc_set_hostname: true
+etc_enable_BLSCFG: true
+etc_update_users: true
+etc_enable_NTS: true
+etc_configure_firewalld: true
+etc_configure_sysctl: true
+
+etc_sysctl_params:
+ kernel.unprivileged_bpf_disabled:
+ value: 1
+ state: present
\ No newline at end of file
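Review bot: Every `etc_*` toggle defaults to `true`, but `etc_hostname`, `etc_users` and `etc_firewalld`, which the gated tasks read, get no default here, so applying the role without overriding all three fails on an undefined variable instead of skipping the step. Either default the dependent toggles to `false` or add empty defaults (`etc_users: {}`, `etc_firewalld: {}`) so the dict lookups iterate nothing. A separate caveat on `kernel.unprivileged_bpf_disabled: 1`: once written, 1 cannot be cleared from the running kernel, whereas 2 (on kernels that support it) also blocks unprivileged bpf() but can still be changed back by an admin; a comment above the key such as `# 1 = unprivileged bpf() disabled and locked until reboot; use 2 if runtime re-enable must stay possible` makes the choice deliberate.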
diff --git a/roles/etc/handlers/main.yml b/roles/etc/handlers/main.yml
new file mode 100644
index 0000000..b261470
--- /dev/null
+++ b/roles/etc/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: Restart chronyd
+ ansible.builtin.systemd:
+ name: chronyd
+ state: restarted
+ enabled: yes
+ become: yes
\ No newline at end of file
diff --git a/roles/etc/tasks/blscfg.yml b/roles/etc/tasks/blscfg.yml
new file mode 100644
index 0000000..e2fe304
--- /dev/null
+++ b/roles/etc/tasks/blscfg.yml
@@ -0,0 +1,16 @@
+---
+- name: Check if BootLoaderSpec is enabled
+ ansible.builtin.lineinfile:
+ path: /etc/default/grub
+ line: 'GRUB_ENABLE_BLSCFG=true'
+ #regexp: '^GRUB_ENABLE_BLSCFG=[tT]rue'
+ state: present
+ check_mode: yes
+ register: conf
+
+- name: Enable BootLoaderSpec
+ ansible.builtin.command:
+ cmd: grub2-switch-to-blscfg
+ become: yes
+ when:
+ - conf.changed != false
\ No newline at end of file
diff --git a/roles/etc/tasks/firewalld.yml b/roles/etc/tasks/firewalld.yml
new file mode 100644
index 0000000..d93b9d8
--- /dev/null
+++ b/roles/etc/tasks/firewalld.yml
@@ -0,0 +1,10 @@
+---
+- name: Configure firewalld
+ ansible.posix.firewalld:
+ service: "{{ item.key }}"
+ zone: "{{ item.value.zone }}"
+ state: "{{ item.value.state }}"
+ immediate: yes
+ permanent: yes
+ become: yes
+ loop: "{{ lookup('dict', etc_firewalld, wantlist=True) }}"
\ No newline at end of file
diff --git a/roles/etc/tasks/main.yml b/roles/etc/tasks/main.yml
new file mode 100644
index 0000000..aa7b7d4
--- /dev/null
+++ b/roles/etc/tasks/main.yml
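Review bot: With the `regexp` line commented out, the check task in blscfg.yml only recognises the exact literal `GRUB_ENABLE_BLSCFG=true`, so a host that already has the setting in another accepted spelling (for example a quoted value) is reported as changed and `grub2-switch-to-blscfg` is re-run with `become` on every play, touching the boot configuration each time. Restoring a regexp — `regexp: '^GRUB_ENABLE_BLSCFG='` is the safer form, since it also flips an explicit `false` — makes the check idempotent, and `when: conf.changed` reads better than `conf.changed != false`. The check task also carries no `become`, so it silently depends on `/etc/default/grub` being readable by the connecting user; adding `become: yes` there keeps the pair consistent.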
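Review bot: In firewalld.yml `state: "{{ item.value.state }}"` is passed straight through, but for a `service` rule `ansible.posix.firewalld` expects `enabled`/`disabled`, while the sibling roles use `present`/`absent` in their dicts, so a copy-pasted `state: present` is likely to be rejected rather than open the service. Because `etc_firewalld` has no default, the expected shape should be documented above the task, e.g. `# etc_firewalld: {ssh: {zone: public, state: enabled}} -- state is enabled/disabled for service rules`. `zone` is also mandatory per entry as written; `zone: "{{ item.value.zone | default(omit) }}"` would let the module fall back to firewalld's default zone for entries that do not name one.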
@@ -0,0 +1,27 @@
+---
+- name: Set hostname
+ ansible.builtin.hostname:
+ name: "{{ etc_hostname }}"
+ use: systemd
+ become: yes
+ when: etc_set_hostname | bool
+
+- name: Include users.yml
+ ansible.builtin.include: users.yml
+ when: etc_update_users | bool
+
+- name: Include blscfg.yml
+ ansible.builtin.include: blscfg.yml
+ when: etc_enable_BLSCFG | bool
+
+- name: Include nts.yml
+ ansible.builtin.include: nts.yml
+ when: etc_enable_NTS | bool
+
+- name: Include firewalld.yml
+ ansible.builtin.include: firewalld.yml
+ when: etc_configure_firewalld | bool
+
+- name: Include sysctl.yml
+ ansible.builtin.include: sysctl.yml
+ when: etc_configure_sysctl | bool
diff --git a/roles/etc/tasks/nts.yml b/roles/etc/tasks/nts.yml
new file mode 100644
index 0000000..b86d11f
--- /dev/null
+++ b/roles/etc/tasks/nts.yml
@@ -0,0 +1,7 @@
+---
+- name: Enable NTS
+ ansible.builtin.template:
+ src: chrony.conf.j2
+ dest: /etc/chrony.conf
+ become: yes
+ notify: Restart chronyd
\ No newline at end of file
diff --git a/roles/etc/tasks/sysctl.yml b/roles/etc/tasks/sysctl.yml
new file mode 100644
index 0000000..885e800
--- /dev/null
+++ b/roles/etc/tasks/sysctl.yml
@@ -0,0 +1,10 @@
+---
+- name: Configure sysctl
+ ansible.posix.sysctl:
+ name: "{{ item.key }}"
+ value: "{{ item.value.value }}"
+ state: "{{ item.value.state }}"
+ sysctl_file: "/etc/sysctl.d/100-custom.conf"
+ sysctl_set: yes
+ become: yes
+ loop: "{{ lookup('dict', etc_sysctl_params, wantlist=True) }}"
\ No newline at end of file
diff --git a/roles/etc/tasks/users.yml b/roles/etc/tasks/users.yml
new file mode 100644
index 0000000..768aaac
--- /dev/null
+++ b/roles/etc/tasks/users.yml
@@ -0,0 +1,7 @@
+---
+- name: Update users
+ ansible.builtin.user:
+ name: "{{ item.key }}"
+ shell: "{{ item.value.shell }}"
+ become: yes
+ loop: "{{ lookup('dict', etc_users, wantlist=True) }}"
\ No newline at end of file
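Review bot: `ansible.builtin.include` is deprecated and no longer shipped in newer ansible-core releases, so the five include tasks in tasks/main.yml should use `ansible.builtin.include_tasks` (dynamic, so the `when` gating works as written) or `ansible.builtin.import_tasks`. The hostname task also reads `etc_hostname`, which no defaults file in this patch sets; a one-line comment above it, `# etc_hostname must be supplied by the caller when etc_set_hostname is true`, saves a failed first run.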
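Review bot: The template task in nts.yml writes `/etc/chrony.conf` with no `owner`, `group` or `mode`, so for a newly created file the permissions come from the remote user's umask rather than being pinned; add `owner: root`, `group: root` and `mode: "0644"` to the task. A `backup: true` would also make the handler-triggered restart recoverable if chronyd rejects the rendered file.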
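Review bot: In sysctl.yml `value: "{{ item.value.value }}"` is dereferenced even for entries with `state: absent`, where no value is needed, so an entry written as `{state: absent}` fails on the missing key; `value: "{{ item.value.value | default(omit) }}"` keeps the absent form usable. Since `sysctl_set: yes` applies each key to the running kernel immediately, a short comment above the task noting that some keys (the default `kernel.unprivileged_bpf_disabled=1`) cannot be reverted without a reboot would help whoever edits `etc_sysctl_params`.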
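Review bot: `ansible.builtin.user` defaults to `state: present`, so `Update users` in users.yml silently creates a new local account for any key in `etc_users` that does not already exist — a typo in vars becomes an extra login on the host. If the intent is only to change shells of existing users, guard the task (e.g. gather `ansible.builtin.getent` with `database: passwd` first and add `when: item.key in getent_passwd`), or at minimum state the behaviour in a comment: `# NOTE: creates the account if it does not exist; keys are expected to be existing users`. Making `shell` optional with `"{{ item.value.shell | default(omit) }}"` would also avoid a hard failure for entries that only assert presence.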
diff --git a/roles/etc/templates/chrony.conf.j2 b/roles/etc/templates/chrony.conf.j2
new file mode 100644
index 0000000..4866232
--- /dev/null
+++ b/roles/etc/templates/chrony.conf.j2
@@ -0,0 +1,50 @@
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (https://www.pool.ntp.org/join.html).
+server time.cloudflare.com iburst nts
+
+# Use NTP servers from DHCP.
+#sourcedir /run/chrony-dhcp
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Enable hardware timestamping on all interfaces that support it.
+#hwtimestamp *
+
+# Increase the minimum number of selectable sources required to adjust
+# the system clock.
+#minsources 2
+
+# Allow NTP client access from local network.
+#allow 192.168.0.0/16
+
+# Serve time even if not synchronized to a time source.
+#local stratum 10
+
+# Require authentication (nts or key option) for all NTP sources.
+#authselectmode require
+
+# Specify file containing keys for NTP authentication.
+keyfile /etc/chrony.keys
+
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
+# Insert/delete leap seconds by slewing instead of stepping.
+#leapsecmode slew
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+leapsectz right/UTC
+
+# Specify directory for log files.
+logdir /var/log/chrony
+
+# Select which information is logged.
+#log measurements statistics tracking
\ No newline at end of file
diff --git a/roles/flatpak/defaults/main.yml b/roles/flatpak/defaults/main.yml
new file mode 100644
index 0000000..3099c05
--- /dev/null
+++ b/roles/flatpak/defaults/main.yml
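Review bot: The template contains no Jinja expressions, hard-codes a single NTS source (`server time.cloudflare.com iburst nts`) and keeps the stock comment about pool.ntp.org above it, which no longer describes that line. Render the server list from a role variable (e.g. `etc_nts_servers`, defaulting to this host) and replace the two comment lines with `# NTS-authenticated time sources; set etc_nts_servers to override`. For an NTS-focused configuration `authselectmode require` deserves to be uncommented so that an unauthenticated source added later (for instance by re-enabling `sourcedir /run/chrony-dhcp`) can never be selected, and a second NTS source would avoid one provider being a single point of failure for the clock.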
@@ -0,0 +1,13 @@
+---
+flatpak_configure_remotes: true
+flatpak_alter_flatpaks: true
+
+flatpak_remotes:
+ flathub:
+ state: present
+ url: https://flathub.org/repo/flathub.flatpakrepo
+
+flatpak_flatpaks:
+ com.github.tchx84.Flatseal:
+ state: present
+ remote: flathub
\ No newline at end of file
diff --git a/roles/flatpak/tasks/main.yml b/roles/flatpak/tasks/main.yml
new file mode 100644
index 0000000..ba97feb
--- /dev/null
+++ b/roles/flatpak/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- name: Add/remove Flatpak remotes
+ community.general.flatpak_remote:
+ name: "{{ item.key }}"
+ state: "{{ item.value.state }}"
+ flatpakrepo_url: "{{ item.value.url }}"
+ become: true
+ loop: "{{ lookup('dict', flatpak_remotes ) }}"
+ when: flatpak_configure_remotes | bool
+
+- name: Add/remove Flatpaks
+ community.general.flatpak:
+ name: "{{ item.key }}"
+ state: "{{ item.value.state }}"
+ remote: "{{ item.value.remote }}"
+ loop: "{{ lookup('dict', flatpak_flatpaks) }}"
+ when: flatpak_alter_flatpaks | bool
\ No newline at end of file
diff --git a/roles/rpm-ostree/defaults/main.yml b/roles/rpm-ostree/defaults/main.yml
new file mode 100644
index 0000000..4811e41
--- /dev/null
+++ b/roles/rpm-ostree/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+rpm_ostree_alter_base_packages: true
+rpm_ostree_alter_layered_packages: true
+rpm_ostree_configure_kargs: true
+rpm_ostree_enable_autoupdates: true
\ No newline at end of file
diff --git a/roles/rpm-ostree/handlers/main.yml b/roles/rpm-ostree/handlers/main.yml
new file mode 100644
index 0000000..ec12919
--- /dev/null
+++ b/roles/rpm-ostree/handlers/main.yml
@@ -0,0 +1,15 @@
+---
+- name: Reload rpm-ostree configuration
+ ansible.builtin.command:
+ cmd: rpm-ostree reload
+ become: yes
+
+- name: Enable rpm-ostree-automatic
+ ansible.builtin.systemd:
+ name: rpm-ostreed-automatic.timer
+ state: started
+ enabled: yes
+
+- name: Reload systemd units
+ ansible.builtin.systemd:
+ daemon_reload: yes
\ No newline at end of file
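Review bot: In flatpak/tasks/main.yml `Add/remove Flatpak remotes` runs with `become: true`, i.e. against the system installation, but `Add/remove Flatpaks` has no `become`, so it installs as the connecting user while the module still defaults to the system installation, which needs root or a polkit grant and may fail or hang on a prompt. Make the two tasks agree — add `become: true` to the second task, or set `method: user` on both if per-user installs are intended — and pass `wantlist=True` to these `lookup('dict', …)` calls as the other roles do (the stray space in `flatpak_remotes )` can go at the same time).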
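Review bot: All four rpm-ostree toggles default to `true`, but `rpm_ostree_base_packages`, `rpm_ostree_kargs` and `rpm_ostree_layered_packages`, which the gated tasks loop over, are not defined in this defaults file, so the role fails with an undefined-variable error unless the caller supplies all three. Add empty defaults (`rpm_ostree_base_packages: {}`, `rpm_ostree_kargs: {}`, `rpm_ostree_layered_packages: {}`) so the loops are no-ops out of the box, and document the expected `{name: {state: present|absent}}` shape in a comment above them.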
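Review bot: `Enable rpm-ostree-automatic` and `Reload systemd units` in rpm-ostree/handlers/main.yml act on system units but carry no `become`, unlike `Reload rpm-ostree configuration` directly above, so enabling the timer as an unprivileged connecting user fails at handler time, after the config change has already been made. Add `become: yes` to both handlers. `Reload systemd units` is also not notified by any task in this patch; either wire it up or drop it.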
diff --git a/roles/rpm-ostree/tasks/main.yml b/roles/rpm-ostree/tasks/main.yml
new file mode 100644
index 0000000..e0ac051
--- /dev/null
+++ b/roles/rpm-ostree/tasks/main.yml
@@ -0,0 +1,63 @@
+---
+- name: Remove base packages
+ ansible.builtin.shell:
+ cmd: rpm-ostree override remove "{{ item.key }}" || /bin/true
+ register: result
+ become: yes
+ changed_when: '"Run \"systemctl reboot\" to start a reboot" in result.stdout'
+ loop: "{{ lookup('dict', rpm_ostree_base_packages) }}"
+ when:
+ - item.value.state == 'absent'
+ - rpm_ostree_alter_base_packages | bool
+
+- name: Reset base packages
+ ansible.builtin.shell:
+ cmd: rpm-ostree override reset "{{ item.key }}" || /bin/true
+ register: result
+ become: yes
+ changed_when: '"Run \"systemctl reboot\" to start a reboot" in result.stdout'
+ loop: "{{ lookup('dict', rpm_ostree_base_packages) }}"
+ when:
+ - item.value.state == 'present'
+ - rpm_ostree_alter_base_packages | bool
+
+- name: Set kernel parameters
+ ansible.builtin.command:
+ cmd: rpm-ostree kargs --append-if-missing="{{ item.key }}"
+ register: result
+ become: yes
+ changed_when: '"Kernel arguments updated" in result.stdout'
+ loop: "{{ lookup('dict', rpm_ostree_kargs) }}"
+ when:
+ - item.value.state == 'present'
+ - rpm_ostree_configure_kargs | bool
+
+- name: Remove kernel parameters
+ ansible.builtin.command:
+ cmd: rpm-ostree kargs --delete-if-present="{{ item.key }}"
+ register: result
+ become: yes
+ changed_when: '"Kernel arguments updated" in result.stdout'
+ loop: "{{ lookup('dict', rpm_ostree_kargs) }}"
+ when:
+ - item.value.state == 'absent'
+ - rpm_ostree_configure_kargs | bool
+
+- name: Enable autostaging and autoupdates
+ ansible.builtin.replace:
+ path: /etc/rpm-ostreed.conf
+ regexp: '^#AutomaticUpdatePolicy=none'
+ replace: 'AutomaticUpdatePolicy=stage'
+ become: yes
+ notify:
+ - Reload rpm-ostree configuration
+ - Enable rpm-ostree-automatic
+ when: rpm_ostree_enable_autoupdates | bool
+
+- name: Add/remove layered packages
+ community.general.rpm_ostree_pkg:
+ name: "{{ item.key }}"
+ state: "{{ item.value.state }}"
+ become: yes
+ loop: "{{ lookup('dict', rpm_ostree_layered_packages, wantlist=True) 
}}"
+ when: rpm_ostree_alter_layered_packages | bool
\ No newline at end of file
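Review bot: `Remove base packages` and `Reset base packages` build a shell line from `item.key` and append `|| /bin/true`, so a package name carrying shell metacharacters from vars is handed to `/bin/sh` as code, and every failure (unreachable remote, unknown package, a genuine rpm-ostree error) is hidden behind rc 0 with `changed_when` as the only signal. Using `ansible.builtin.command` with `argv` removes the shell entirely, and an explicit `failed_when` keeps rc and stderr in the registered result so the swallow is visible and can later be narrowed to the specific already-removed error once its text is confirmed. Separately, `Enable autostaging and autoupdates` only rewrites the shipped commented default `#AutomaticUpdatePolicy=none`; a host whose policy is already set to another value is left untouched, so `ansible.builtin.lineinfile` with `regexp: '^#?AutomaticUpdatePolicy='` and `line: 'AutomaticUpdatePolicy=stage'` is needed to actually enforce `stage`. The last task is also the only one here passing `wantlist=True` to `lookup('dict', …)`; the other loops should match.
```yaml
- name: Remove base packages
  ansible.builtin.command:
    argv:
      - rpm-ostree
      - override
      - remove
      - "{{ item.key }}"
  register: result
  become: yes
  # Best-effort like the original "|| /bin/true", but rc/stderr stay in `result`;
  # TODO narrow to the specific "already removed" error once its wording is confirmed.
  failed_when: false
  changed_when: '"Run \"systemctl reboot\" to start a reboot" in result.stdout'
  loop: "{{ lookup('dict', rpm_ostree_base_packages, wantlist=True) }}"
  when:
    - item.value.state == 'absent'
    - rpm_ostree_alter_base_packages | bool

# … unchanged: Reset base packages (same argv form with "reset"), kernel parameter tasks …

- name: Enable autostaging and autoupdates
  ansible.builtin.lineinfile:
    path: /etc/rpm-ostreed.conf
    regexp: '^#?AutomaticUpdatePolicy='
    line: 'AutomaticUpdatePolicy=stage'
  # … unchanged: become, notify, when …
```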