Reorganise

flock.yml

@@ -1,6 +1,58 @@
 ---
-- name: Provision Guest
+- hosts: all
-  ansible.builtin.import_playbook: ./plays/provision-guest.yml
+  vars:
+    resolv_nameservers:
+      - 9.9.9.9
+      - 149.112.112.112
+    chezmoi_init_url: https://git.fern.garden/fern/dots
+  roles:
+    - debian
+    - lifeofguenter.resolvconf
+    - hifis.toolkit.unattended_upgrades
+    - hussainweb.chezmoi
 
-- name: Install Software
+- hosts: vm
-  ansible.builtin.import_playbook: ./plays/install-software.yml
+  roles:
+    - vm
+
+- hosts: docker
+  vars:
+    docker_users:
+      - fern
+  roles:
+    - geerlingguy.docker
+
+- hosts: nfs-server
+  vars:
+    nfs_exports: [
+      "/export/film 10.0.1.0/24(rw,subtree_check,insecure,no_root_squash,anonuid=100,anongid=100)",
+      "/export/tv 10.0.1.0/24(rw,subtree_check,insecure,no_root_squash,anonuid=100,anongid=100)",
+      "/export/misc 10.0.1.0/24(rw,subtree_check,insecure,no_root_squash,anonuid=100,anongid=100)"
+    ]
+  roles:
+    - nfs-server
+    - geerlingguy.nfs
+
+- hosts: nfs-client
+  roles:
+    - nfs-client
+
+- hosts: jellyfin.local
+  roles:
+    - tomhesse.jellyfin
+
+- hosts: weebill.local
+  tasks:
+    - name: Install Webone dependencies
+      ansible.builtin.apt:
+        deb: https://packages.microsoft.com/config/debian/12/packages-microsoft-prod.deb
+    - name: Install Webone
+      ansible.builtin.apt:
+        update_cache: yes
+        deb: https://github.com/atauenis/webone/releases/download/v0.17.4/webone.0.17.4.linux-arm64.deb
+
+- hosts: all
+  tags:
+    - ssh
+  roles:
+    - sshd

inventory/hosts.yml

@@ -1,29 +1,30 @@
 ---
-ungrouped:
+egret:
   hosts:
-    technitium.local:
-    immich.local:
     monitoring.local:
-    administration.local:
+
+spoonbill:
+  hosts:
     fern-garden.local:
     ferngarden-net.local:
-    minecraft.local:
+    ff-syncserver.local:
-    weebill.local:
-
-lxc:
-  hosts:
-    jellyfin.local:
-    technitium.local:
     immich.local:
-    monitoring.local:
+    jellyfin.local:
-    administration.local:
+    mailcow.local:
+    minecraft.local:
+    nfs-share.local:
+    technitium.local:
+
+weebill:
+  hosts:
+    weebill.local:
 
 vm:
   hosts:
-    #media-share.local:
     fern-garden.local:
     ferngarden-net.local:
     minecraft.local:
+    nfs-share.local:
 
 docker:
   hosts:
@@ -40,4 +41,4 @@ nfs-client:
 
 nfs-server:
   hosts:
-    #media-share:
+    nfs-share.local:

plays/files/quitcd.fish

@@ -1,36 +0,0 @@
-# Rename this file to match the name of the function
-# e.g. ~/.config/fish/functions/n.fish
-# or, add the lines to the 'config.fish' file.
-
-function n --wraps nnn --description 'support nnn quit and change directory'
-    # Block nesting of nnn in subshells
-    if test -n "$NNNLVL" -a "$NNNLVL" -ge 1
-        echo "nnn is already running"
-        return
-    end
-
-    # The behaviour is set to cd on quit (nnn checks if NNN_TMPFILE is set)
-    # If NNN_TMPFILE is set to a custom path, it must be exported for nnn to
-    # see. To cd on quit only on ^G, remove the "-x" from both lines below,
-    # without changing the paths.
-    if test -n "$XDG_CONFIG_HOME"
-        set -x NNN_TMPFILE "$XDG_CONFIG_HOME/nnn/.lastd"
-    else
-        set -x NNN_TMPFILE "$HOME/.config/nnn/.lastd"
-    end
-
-    # Unmask ^Q (, ^V etc.) (if required, see `stty -a`) to Quit nnn
-    # stty start undef
-    # stty stop undef
-    # stty lwrap undef
-    # stty lnext undef
-
-    # The command function allows one to alias this function to `nnn` without
-    # making an infinitely recursive alias
-    command nnn $argv
-
-    if test -e $NNN_TMPFILE
-        source $NNN_TMPFILE
-        rm -- $NNN_TMPFILE
-    end
-end

plays/install-software.yml

@@ -1,26 +0,0 @@
----
-- hosts: jellyfin.local
-  become: true
-  roles:
-    - tomhesse.jellyfin
-
-- hosts: all
-  become: true
-  vars:
-    neovim_prefix_dir: "/usr/local"
-    neovim_src_dir: "{{ neovim_prefix_dir }}/src/neovim"
-    neovim_binary_dir: "{{ neovim_prefix_dir }}/bin"
-  tasks:
-    - name: Build neovim
-      import_tasks: ./tasks/software/neovim.yml
-
-- hosts: weebill.local
-  become: true
-  tasks:
-    - name: Install Webone dependencies
-      ansible.builtin.apt:
-        deb: https://packages.microsoft.com/config/debian/12/packages-microsoft-prod.deb
-    - name: Install Webone
-      ansible.builtin.apt:
-        update_cache: yes
-        deb: https://github.com/atauenis/webone/releases/download/v0.17.4/webone.0.17.4.linux-arm64.deb

plays/provision-guest.yml

@@ -1,66 +0,0 @@
----
-- hosts: all
-  become: true
-  vars:
-    treesitter: false
-    chezmoi_init_url: ssh://git@10.0.1.116:222/fern/dots.git
-    resolv_nameservers:
-      - 10.0.1.1
-  roles:
-    - lifeofguenter.resolvconf
-    - hifis.toolkit.unattended_upgrades
-    - hussainweb.chezmoi
-    - gikeymarcia.neovim
-  tasks:
-    - import_tasks: ./tasks/provisioning/debian.yml
-
-- hosts: vm
-  become: true
-  tasks:
-    - import_tasks: ./tasks/provisioning/vm.yml
-
-- hosts: lxc
-  become: true
-  tasks:
-    - import_tasks: ./tasks/provisioning/lxc.yml
-
-- hosts: docker
-  become: true
-  vars:
-    docker_users:
-      - fern
-  roles:
-    - geerlingguy.docker
-
-- hosts: nfs-server
-  become: true
-  tasks:
-    - import_tasks: ./tasks/provisioning/mount-hdds.yml
-
-- hosts: nfs-server
-  become: true
-  vars:
-    nfs_exports: [
-      "/export/film 10.0.1.0/24(rw,subtree_check,insecure,no_root_squash,anonuid=100,anongid=100)",
-      "/export/tv 10.0.1.0/24(rw,subtree_check,insecure,no_root_squash,anonuid=100,anongid=100)",
-      "/export/misc 10.0.1.0/24(rw,subtree_check,insecure,no_root_squash,anonuid=100,anongid=100)"
-    ]
-  roles:
-    - geerlingguy.nfs
-
-- hosts: nfs-client
-  become: true
-  tasks:
-    - import_tasks: ./tasks/provisioning/nfs-client.yml
-
-- hosts: all
-  become: true
-  vars:
-    sshd_config_file: /etc/ssh/sshd_config
-  tasks:
-    - import_tasks: ./tasks/provisioning/post-install.yml
-  handlers:
-  - name: restart sshd
-    service:
-      name: sshd
-      state: restarted

plays/tasks/provisioning/debian.yml

@@ -1,47 +0,0 @@
-- name: Set a hostname
-  ansible.builtin.hostname:
-    name: '{{ inventory_hostname.split(".")[0] | lower }}'
-    use: debian
-
-- name: Set the timezone
-  community.general.timezone:
-    name: Australia/Perth
-
-- name: Add AARNet bookworm repository
-  apt_repository:
-    repo: deb https://mirror.aarnet.edu.au/debian bookworm main contrib
-    state: present
-
-- name: Add AARNet bookworm-updates repository
-  apt_repository:
-    repo: deb https://mirror.aarnet.edu.au/debian bookworm-updates main contrib
-    state: present
-
-- name: Add AARNet bookworm-security repository
-  apt_repository:
-    repo: deb https://mirror.aarnet.edu.au/debian-security bookworm-security main contrib
-    state: present
-
-- name: Install some standard packages
-  apt:
-    pkg:
-    - avahi-daemon
-    - curl
-    - fish
-    - git
-    - libnss-mdns
-    - nnn
-    - rsync
-    - sudo
-    - trash-cli
-    - tmux
-
-- name: Make sure avahi-daemon is running
-  systemd_service:
-    state: started
-    name: avahi-daemon
-
-- name: Add 'fern' user
-  user:
-    name: fern
-    shell: /usr/bin/fish

plays/tasks/provisioning/lxc.yml

@@ -1,11 +0,0 @@
-- name: Add SSH Key
-  ansible.posix.authorized_key:
-    user: fern
-    state: present
-    key: "{{ lookup('file', '/home/fern/.ssh/id_ed25519.pub') }}"
-
-- name: Set sudo rules
-  community.general.sudoers:
-    name: sudo
-    commands: ALL
-    user: fern

plays/tasks/provisioning/post-install.yml

@@ -1,7 +0,0 @@
-- name: Disable root login
-  lineinfile:
-    path: "{{ sshd_config_file }}"
-    regexp: "^PermitRootLogin"
-    line: "PermitRootLogin no"
-    backup: yes
-  notify: restart sshd

plays/tasks/provisioning/vm.yml

@@ -1,9 +0,0 @@
-- name: Install package
-  apt:
-    pkg:
-    - qemu-guest-agent
-
-- name: Make sure service is running
-  systemd_service:
-    state: started
-    name: qemu-guest-agent

plays/tasks/software/neovim.yml

@@ -1,33 +0,0 @@
-- name: Install dependencies
-  apt:
-    pkg:
-      - ninja-build
-      - gettext
-      - cmake
-      - unzip
-      - curl
-
-- name: Clone neovim repository
-  ansible.builtin.git:
-    repo: "https://github.com/neovim/neovim"
-    dest: "{{ neovim_src_dir }}"
-    version: stable
-    clone: yes
-    update: yes
-    force: yes
-
-- name: Check if recently built
-  ansible.builtin.find:
-    paths: "{{ neovim_binary_dir }}"
-    patterns: nvim
-    age: 1d
-  register: days
-
-- name: Build neovim
-  when: days.matched != '0'
-  community.general.make:
-    chdir: "{{ neovim_src_dir }}"
-    params:
-      CMAKE_BUILD_TYPE: Release
-      CMAKE_INSTALL_PREFIX: "{{ neovim_prefix_dir }}"
-    target: install

requirements.yml

@@ -1,7 +1,6 @@
 roles:
   - name: lifeofguenter.resolvconf
   - name: hussainweb.chezmoi
-  - name: gikeymarcia.neovim
   - name: geerlingguy.docker
   - name: tomhesse.jellyfin
   - name: geerlingguy.nfs

roles/debian/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Restart avahi
+  service:
+    name: avahi-daemon
+    state: restarted

roles/debian/tasks/main.yml

@@ -0,0 +1,39 @@
+- name: Set a hostname
+  become: true
+  ansible.builtin.hostname:
+    name: '{{ inventory_hostname.split(".")[0] | lower }}'
+    use: debian
+
+- name: Set the timezone
+  become: true
+  community.general.timezone:
+    name: Australia/Perth
+
+- name: Install some standard packages
+  become: true
+  apt:
+    update_cache: yes
+    pkg:
+    - avahi-daemon
+    - curl
+    - fish
+    - git
+    - libnss-mdns
+    - nnn
+    - rsync
+    - sudo
+    - tmux
+    - trash-cli
+
+- name: Add 'fern' user
+  become: true
+  user:
+    name: fern
+    shell: /usr/bin/fish
+
+- name: Set sudo rules
+  become: true
+  community.general.sudoers:
+    name: sudo
+    commands: ALL
+    user: fern

roles/nfs-client/tasks/main.yml

@@ -1,9 +1,11 @@
 - name: Install nfs-common
+  become: true
   apt:
     pkg:
     - nfs-common
 
 - name: Mount /media/tv
+  become: true
   ansible.posix.mount:
     src: 10.0.1.101:/export/tv
     path: /media/tv
@@ -12,6 +14,7 @@
     fstype: nfs
 
 - name: Mount /media/film
+  become: true
   ansible.posix.mount:
     src: 10.0.1.101:/export/film
     path: /media/film
@@ -20,6 +23,7 @@
     fstype: nfs
 
 - name: Mount /media/misc
+  become: true
   ansible.posix.mount:
     src: 10.0.1.101:/export/misc
     path: /media/misc

roles/nfs-server/tasks/main.yml

@@ -1,4 +1,5 @@
 - name: Mount /export/tv
+  become: true
   ansible.posix.mount:
     src: UUID=fcee0188-8ca1-4fda-81b7-f5920c79ab48
     path: /export/tv
@@ -6,6 +7,7 @@
     fstype: ext4
 
 - name: Mount /export/film
+  become: true
   ansible.posix.mount:
     src: UUID=5d9dd538-79e4-4168-be91-e0b040155cb3
     path: /export/film
@@ -13,6 +15,7 @@
     fstype: ext4
 
 - name: Mount /export/misc
+  become: true
   ansible.posix.mount:
     src: UUID=5a43b7dc-3e28-459e-824a-ad45b5475361
     path: /export/misc

roles/sshd/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Restart SSHD
+  service:
+    name: sshd
+    state: restarted

roles/sshd/tasks/main.yml

@@ -0,0 +1,26 @@
+- name: Add SSH Key - fern@muskduck
+  ansible.posix.authorized_key:
+    user: fern
+    state: present
+    key: "{{ lookup('file', '/home/fern/.ssh/id_ed25519.pub') }}"
+
+- name: Add SSH Key - YubiKey
+  ansible.posix.authorized_key:
+    user: fern
+    state: present
+    key: "{{ lookup('file', '/home/fern/.ssh/id_ed25519_sk.pub') }}"
+
+- name: Add SSH Key - fairywren
+  ansible.posix.authorized_key:
+    user: fern
+    state: present
+    key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8W3zggrj6ml/VZWem9l21SWK3yffgw5RkdgF6fG6jo u0_a336@localhostsk-ssh-ed25519@openssh.com"
+
+- name: Disable root login
+  become: true
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^PermitRootLogin"
+    line: "PermitRootLogin no"
+    backup: yes
+  notify: restart sshd

roles/vm/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Restart qemu-guest-agent
+  service:
+    name: qemu-guest-agent
+    state: restarted

roles/vm/tasks/main.yml

@@ -0,0 +1,5 @@
+- name: Install qemu-guest-agent package
+  become: true
+  apt:
+    pkg:
+    - qemu-guest-agent