---
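- name: Autoupdate
  # Unattended daily `pacman --sysupgrade` driven by a systemd timer. The
  # script bails out early on low battery or a metered connection and refreshes
  # archlinux-keyring before upgrading so signature checks do not fail against
  # a stale keyring. Every task here writes under /usr/local or /etc or manages
  # a system unit, so privilege escalation is set once at block level.
  block:
    - name: Deploy autoupdate script
      # FQCN for consistency with the other copy tasks in this file.
      ansible.builtin.copy:
        owner: root
        group: root
        mode: "0755"
        dest: /usr/local/bin/pacman-autoupdate
        # Installed verbatim. Runs with --noconfirm, i.e. the package list is
        # never reviewed by a human before the upgrade is applied.
        content: |
          #!/usr/bin/env bash

          set -o errexit
          set -o nounset
          set -o pipefail

          # Prevent failures when not battery present
          shopt -s nullglob

          for battery in /sys/class/power_supply/*/capacity ; do
              capacity="$(< "$battery")"
              if (( "${capacity}" < 40 )) ; then
                  printf "Battery at %s%%, exiting\n" "${capacity}" >&2
                  exit 0
              fi
          done

          if nmcli --terse --fields GENERAL.METERED dev show 2>/dev/null | grep -q "yes" ; then
              printf "Detected metered connection, exiting\n" >&2
              exit 0
          fi

          # Make sure that keys are up to date, otherwise sig checks may fail
          pacman --sync --noprogressbar --noconfirm --refresh --needed archlinux-keyring

          pacman --sync --noprogressbar --noconfirm --sysupgrade

    - name: Install pacman autoupdate service
      ansible.builtin.copy:
        dest: /etc/systemd/system/pacman-autoupdate.service
        owner: root
        group: root
        mode: "0644"
        # No [Install] section: the service is not enabled on its own; the
        # timer of the same name below triggers it.
        content: |
          [Service]
          Type=oneshot
          ExecStart=/usr/local/bin/pacman-autoupdate

    - name: Install pacman autoupdate timer
      ansible.builtin.copy:
        dest: /etc/systemd/system/pacman-autoupdate.timer
        owner: root
        group: root
        mode: "0644"
        # Fires daily, 5 minutes after boot, and 120 minutes after the service
        # last went inactive. WantedBy=multi-user.target works; timers.target
        # is the conventional target for timer units.
        content: |
          [Timer]
          OnCalendar=daily
          OnBootSec=5min
          OnUnitInactiveSec=120min

          [Install]
          WantedBy=multi-user.target

    - name: Enable pacman autoupdate timer
      ansible.builtin.systemd:
        name: pacman-autoupdate.timer
        enabled: true
        state: started
        # Unit files were just written above; reload so systemd sees them.
        daemon_reload: true
  # Applies to every task in the block; per-task `become` would be redundant.
  become: true
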
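- name: User configuration
  # Creates the primary login account. Both tasks modify /etc/passwd,
  # /etc/group and /home, hence `become` on each.
  block:
    - name: Create user group
      ansible.builtin.group:
        name: "herta"
        state: present
      become: true

    - name: Create user
      ansible.builtin.user:
        name: "herta"
        state: present
        # Use the group created above as the primary group. Without an explicit
        # `group`, a pre-existing group of the same name is not adopted by the
        # user module and the account lands in the system default primary
        # group instead, leaving the group above unused.
        group: "herta"
        home: "/home/herta"
        create_home: true
        # Supplementary groups. `groups` without `append: true` is the complete
        # desired list: membership in any other group is removed on re-run.
        # Several of these grant elevated privilege: wheel and sudonopw (sudo;
        # sudonopw presumably the passwordless rule), docker (root-equivalent
        # per Docker's own documentation), libvirt/kvm (VM management and
        # /dev/kvm access), wireshark (packet capture).
        groups:
          - dotfiles
          - libvirt
          - wheel
          - wireshark
          - docker
          - sudonopw
          - games
          - kvm
          - video
        shell: /usr/bin/zsh
        # Do not copy any skeleton files into the new home directory.
        skeleton: /dev/null
      become: true
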
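- name: Display Manager
  # Enables sddm with autologin into Plasma, paired with an immediate screen
  # lock. Every task here writes under /etc or manages a system unit, so
  # privilege escalation is set once for the whole block (only the first task
  # carried `become` before; the file-writing tasks need it just as much).
  block:
    - name: Enable sddm
      ansible.builtin.systemd:
        name: sddm.service
        enabled: true
        daemon_reload: true

    - name: Create sddm config folder
      ansible.builtin.file:
        state: directory
        path: /etc/sddm.conf.d/
        owner: root
        group: root
        mode: "0755"

    - name: Enable autologin
      # Drop-in that logs `herta` straight into a Plasma session with no
      # password prompt at the greeter. The screen-locker setting in the next
      # task is what keeps the session from being exposed at boot, so the two
      # tasks belong together.
      ansible.builtin.copy:
        dest: /etc/sddm.conf.d/autologin.conf
        owner: root
        group: root
        mode: "0644"
        content: |
          [Autologin]
          User=herta
          Session=plasma

    - name: Lock on startup
      # System-wide kscreenlocker default: lock as soon as the session starts,
      # compensating for the autologin above.
      ansible.builtin.copy:
        dest: /etc/xdg/kscreenlockerrc
        owner: root
        group: root
        mode: "0644"
        content: |
          [Daemon]
          LockOnStart=true
  become: true
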
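- name: Backup
  # Daily restic backup of /home to a Backblaze B2 repository via a systemd
  # timer. Module names use the FQCN form to match the rest of the file.
  block:
    - name: create restic config directory
      ansible.builtin.file:
        path: /etc/restic
        state: directory
        owner: root
        group: root
        mode: "0755"
      become: true

    - name: create restic exclude file
      ansible.builtin.copy:
        dest: /etc/restic/exclude.lst
        content: |
          /home/*/.cache/**
          /home/*/.mozilla/firefox/*/Cache/**
        owner: root
        group: root
        # Plain data file read by restic; it must not be executable.
        mode: "0644"
      become: true

    - name: create restic cache directory
      ansible.builtin.file:
        path: /var/cache/restic
        state: directory
        owner: root
        group: root
        mode: "0700"
      become: true

    - name: create restic wrapper script
      # The wrapper sources /etc/restic/env (B2_ACCOUNT_ID, B2_ACCOUNT_KEY,
      # BUCKET_NAME) and reads /etc/restic/repopassword. Neither file is
      # managed by this playbook; they must be provisioned out of band and,
      # since they hold credentials and /etc/restic itself is 0755, kept
      # root-only (0600). The password file is passed both via
      # RESTIC_PASSWORD_FILE and --password-file; the two are redundant.
      ansible.builtin.copy:
        owner: root
        group: root
        mode: "0700"
        dest: /usr/local/bin/restic-cmd
        content: |
          #!/usr/bin/env bash
          source /etc/restic/env

          set -o nounset
          set -o errexit
          set -o pipefail

          export B2_ACCOUNT_ID
          export B2_ACCOUNT_KEY

          export RESTIC_PASSWORD_FILE=/etc/restic/repopassword

          restic \
              --cache-dir=/var/cache/restic/ \
              --repo="b2:${BUCKET_NAME}:hera" \
              --password-file=/etc/restic/repopassword \
              --verbose \
              "${@}"
      become: true

    - name: add backup script
      # Backs up /home/ using the exclude list above, then prunes snapshots to
      # 30 daily, 12 monthly and 3 yearly. Each step is wrapped in run() so the
      # journal shows UTC start/end timestamps per step.
      ansible.builtin.copy:
        owner: root
        group: root
        mode: "0700"
        dest: /usr/local/bin/restic-backup
        content: |
          #!/usr/bin/env bash

          set -o nounset
          set -o errexit
          set -o pipefail

          run() {
              name="${1}" ; shift
              printf '[%s] %s - start\n' "${name}" "$(date --utc --iso-8601=seconds)"
              "${@}"
              printf '[%s] %s - end\n' "${name}" "$(date --utc --iso-8601=seconds)"
          }

          run backup restic-cmd \
              backup \
              --exclude-file /etc/restic/exclude.lst \
              /home/

          run forget restic-cmd \
              forget \
              --prune \
              --keep-daily 30 \
              --keep-monthly 12 \
              --keep-yearly 3
      become: true

    - name: Install restic backup service
      ansible.builtin.copy:
        dest: /etc/systemd/system/restic-backup.service
        owner: root
        group: root
        mode: "0644"
        # systemd-inhibit holds an inhibitor lock for the duration of the run so
        # the machine is not suspended or shut down mid-backup.
        content: |
          [Service]
          Type=oneshot
          ExecStart=systemd-inhibit /usr/local/bin/restic-backup
      become: true

    - name: Install restic backup timer
      ansible.builtin.copy:
        dest: /etc/systemd/system/restic-backup.timer
        owner: root
        group: root
        mode: "0644"
        # Persistent=true catches up a daily run that was missed while the
        # machine was powered off.
        content: |
          [Timer]
          OnCalendar=daily
          Persistent=true

          [Install]
          WantedBy=multi-user.target
      become: true

    - name: Enable restic backup timer
      ansible.builtin.systemd:
        name: restic-backup.timer
        enabled: true
        state: started
        # Unit files were just written above; reload so systemd sees them.
        daemon_reload: true
      become: true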