Small changes here and there

- container: role removed - ansible: - use FQDN module path community.general.packaging.os.apk - use "true, false" instead of "yes, no" (stop being annoying, yamllint)
2022-10-16 17:31:57 +07:00 · 2022-10-16 17:31:57 +07:00 · 39f736f34c
parent 8e61893c93
commit 39f736f34c
33 changed files with 93 additions and 135 deletions
--- a/TODO.md
+++ b/TODO.md
@ -14,7 +14,6 @@ Stuff that are planned to be changed.
  - [ ] Refactor grub role
 - [ ] Option for other dhcp clients (connman / networkmanager)
 - [ ] Option for other initramfs generators (booster)
- [ ] docker rootless (no zfs support)

 ## Cosmetic

--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -6,6 +6,8 @@ repository: https://mirror.math.princeton.edu/pub/alpinelinux

 rootfs: btrfs

+snapshot_tool: btrbk
+
 bootloader: grub

 initramfs_generator: mkinitfs
@ -29,8 +31,6 @@ crond_provider: cronie

 syslog_provider: busybox

-rootless_container_cli: podman
-
 # Additional kernel command-line parameters (added to the bootloader)
 additional_kernel_parameters:
  - init_on_free=1
--- a/requirements/accepted_variables.yml
+++ b/requirements/accepted_variables.yml
@ -10,6 +10,10 @@ initramfs_generator:
  - dracut
  - booster

+snapshot_tool: '{{ ["sanoid", "zrepl"] if rootfs == "zfs"
+  else ["snapper", "btrbk"] if rootfs == "btrfs"
+  else ["lvm"] }}'
+
 usershell:
  - ash
  - bash
--- a/roles/acpi/tasks/acpid.yml
+++ b/roles/acpi/tasks/acpid.yml
@ -1,10 +1,10 @@
 ---
- name: acpi | Install acpid and acpi-utils
-  apk:
+- name: acpid | Install acpid and acpi-utils
+  community.general.packaging.os.apk:
    name: acpid, acpi-utils
    state: present

- name: acpi | Copy acpid event handler script
+- name: acpid | Copy acpid event handler script
  copy:
    src: handler.sh
    dest: /etc/acpi/handler.sh
@ -12,7 +12,7 @@
    owner: root
    group: root

- name: acpi | Use process supervisor for acpid service
+- name: acpid | Use process supervisor for acpid service
  lineinfile:
    path: /etc/conf.d/acpid
    search_string: supervisor=
--- a/roles/acpi/tasks/busybox.yml
+++ b/roles/acpi/tasks/busybox.yml
@ -1,5 +1,5 @@
 ---
- name: acpi | Create directory for Lid Close event
+- name: busybox's acpid | Create directory for Lid Close event
  file:
    path: /etc/acpi/LID
    state: directory
@ -7,7 +7,7 @@
    owner: root
    group: root

- name: acpi | Copy event handler for Lid Close
+- name: busybox's acpid | Copy event handler for Lid Close
  copy:
    src: acpid_lid_close
    dest: /etc/acpi/LID/00000080
--- a/roles/acpi/tasks/elogind.yml
+++ b/roles/acpi/tasks/elogind.yml
@ -1,12 +1,12 @@
 ---
- name: acpi | Do not run acpid service
+- name: elogind | Do not run acpid service
  service:
    name: acpid
-    enabled: no
+    enabled: false
    state: stopped

 - block:
-    - name: acpi | Create custom config directory for logind.conf
+    - name: elogind | Create custom config directory for logind.conf
      file:
        path: /etc/elogind/logind.conf.d
        state: directory
@ -14,7 +14,7 @@
        owner: root
        group: root

-    - name: acpi | Copy logind.conf
+    - name: elogind | Copy logind.conf
      copy:
        src: logind.conf
        dest: /etc/elogind/logind.conf.d/custom.conf
--- a/roles/acpi/tasks/main.yml
+++ b/roles/acpi/tasks/main.yml
@ -18,6 +18,6 @@
      service:
        name: acpid
        runlevel: default
-        enabled: yes
+        enabled: true
        state: started
  when: seat_manager != 'elogind'
--- a/roles/apparmor/handlers/main.yml
+++ b/roles/apparmor/handlers/main.yml
@ -1,3 +1,7 @@
 ---
 - name: Update grub config
  command: /usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg
+
+- name: Notify apparmor kernel parameters
+  debug:
+    msg: Please add "apparmor=1 security=apparmor" to current kernel parameters for apparmor to work
--- a/roles/apparmor/tasks/grub.yml
+++ b/roles/apparmor/tasks/grub.yml
@ -1,17 +1,17 @@
 ---
 - name: apparmor | Check whether apparmor kernel parameters is presented
  lineinfile:
-    backup: yes
+    backup: true
    path: /etc/default/grub
    regexp: '^GRUB_CMDLINE_LINUX_DEFAULT=".*apparmor=.*'
    state: absent
-  check_mode: yes
+  check_mode: true
  register: apparmor_cmdline_check
-  changed_when: no
+  changed_when: false

 - name: apparmor | Add apparmor to grub boot command if missing
  lineinfile:
-    backrefs: yes
+    backrefs: true
    path: /etc/default/grub
    regexp: '^(GRUB_CMDLINE_LINUX_DEFAULT=".*)"$'
    line: '\1 apparmor=1 security=apparmor"'
--- a/roles/apparmor/tasks/main.yml
+++ b/roles/apparmor/tasks/main.yml
@ -1,6 +1,6 @@
 ---
 - name: apparmor | Install apparmor and default profiles
-  apk:
+  community.general.packaging.os.apk:
    name: apparmor, apparmor-profiles
    state: present

@ -22,8 +22,15 @@
  service:
    name: apparmor
    runlevel: boot
-    enabled: yes
+    enabled: true

 - name: apparmor | Configure kernel parameters in GRUB config file
  import_tasks: grub.yml
  when: bootloader == 'grub'
+
+# TODO: handle limine and efistub better
+- name: apparmor | Notify about kernel parameters update
+  debug:
+    msg: Notify about kernel parameters update for apparmor
+  notify: Notify apparmor kernel parameters
+  when: bootloader != 'grub'
--- a/roles/container/tasks/main.yml
+++ b/roles/container/tasks/main.yml
@ -1,20 +0,0 @@
---
- name: container | Install {{ rootless_container_cli }}
-  apk:
-    name: '{{ rootless_container_cli }}'
-    state: present
-
-# https://rootlesscontaine.rs/getting-started/common/
- name: container | Enable user namespaces for rootless usage
-  template:
-    src: subid.j2
-    dest: '/etc/{{ item }}'
-    owner: root
-    group: root
-    mode: 0644
-  loop:
-    - subgid
-    - subuid
-
- name: container | Configure {{ rootless_container_cli }} system-wide
-  include_tasks: '{{ rootless_container_cli }}.yml'
--- a/roles/container/tasks/nerdctl.yml
+++ b/roles/container/tasks/nerdctl.yml
@ -1,14 +0,0 @@
---
-# FIX: still requires manual setup for rootless containerd daemon
-# https://github.com/containerd/nerdctl/blob/master/docs/rootless.md
- name: container | Set containerd snapshotter backend to {{ rootfs }}
-  lineinfile:
-    backrefs: yes
-    path: /etc/containerd/config.toml
-    regexp: '^(\s*snapshotter =) ".*$'
-    line: '\1 "{{ rootfs }}"'
-    state: present
-    owner: root
-    group: root
-    mode: 0644
-  when: rootfs in ['btrfs', 'zfs']
--- a/roles/container/tasks/podman.yml
+++ b/roles/container/tasks/podman.yml
@ -1,11 +0,0 @@
---
- name: container | Set podman storage driver to {{ rootfs }}
-  lineinfile:
-    path: /etc/containers/storage.conf
-    search_string: driver =
-    line: driver = "{{ rootfs }}"
-    state: present
-    owner: root
-    group: root
-    mode: 0644
-  when: rootfs in ['btrfs', 'zfs']
--- a/roles/container/templates/subid.j2
+++ b/roles/container/templates/subid.j2
@ -1 +0,0 @@
-{{ username }}:100000:65536
--- a/roles/cron/tasks/main.yml
+++ b/roles/cron/tasks/main.yml
@ -26,7 +26,7 @@
  when: rootfs == 'btrfs'

 - name: cron | Install logrotate and cpulimit
-  apk:
+  community.general.packaging.os.apk:
    name: logrotate, cpulimit
    state: present

@ -34,5 +34,5 @@
  service:
    name: crond
    runlevel: default
-    enabled: yes
+    enabled: true
    state: started
--- a/roles/devd/tasks/main.yml
+++ b/roles/devd/tasks/main.yml
@ -3,7 +3,7 @@
 - name: devd | Specific tasks for non-udev device manager
  block:
    - name: devd | Install libudev-zero
-      apk:
+      community.general.packaging.os.apk:
        name: libudev-zero
        state: present

@ -11,14 +11,14 @@
      service:
        name: hwdrivers
        runlevel: sysinit
-        enabled: yes
+        enabled: true
  when: device_manager != 'udev'

 - name: devd | udev doesn't need hwdrivers service
  service:
    name: hwdrivers
    runlevel: sysinit
-    enabled: no
+    enabled: false
  when: device_manager == 'udev'

 # https://github.com/illiliti/libudev-zero/blob/master/contrib/mdev.conf
@ -26,7 +26,7 @@
 - name: devd | Specific tasks for busybox's mdev
  block:
    - name: mdev | Install libudev-zero-helper
-      apk:
+      community.general.packaging.os.apk:
        name: libudev-zero-helper
        state: present

@ -47,4 +47,4 @@
  command:
    cmd: '/sbin/setup-devd -C {{ device_manager }}'
    creates: '/etc/runlevels/sysinit/{{ device_manager }}'
-  failed_when: no
+  failed_when: false
--- a/roles/dns/tasks/dnscrypt-proxy.yml
+++ b/roles/dns/tasks/dnscrypt-proxy.yml
@ -75,7 +75,7 @@
        cmd: /usr/bin/python3 generate-domains-blocklist.py -i -a /dev/null -r /dev/null -c domains-blocklist.conf -o /etc/dnscrypt-proxy/blocked-names.txt
        chdir: /etc/dnscrypt-proxy/adblock
        creates: /etc/dnscrypt-proxy/blocked-names.txt
-      failed_when: no
+      failed_when: false

    - name: dnscrypt-proxy | Ensure proper permission on blocked-names.txt file
      file:
@ -106,6 +106,6 @@
 - name: dnscrypt-proxy | Start dnscrypt-proxy service on runlevel 'default'
  service:
    name: dnscrypt-proxy
-    enabled: yes
+    enabled: true
    state: started
    runlevel: default
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@ -1,6 +1,6 @@
 ---
 - name: dns | Install openresolv and {{ dns_resolver }}
-  apk:
+  community.general.packaging.os.apk:
    name: openresolv, {{ dns_resolver }}
    state: present

--- a/roles/dns/tasks/unbound.yml
+++ b/roles/dns/tasks/unbound.yml
@ -1,6 +1,6 @@
 ---
 - name: unbound | Install dns-root-hints
-  apk:
+  community.general.packaging.os.apk:
    name: dns-root-hints
    state: present

@ -34,7 +34,7 @@
  command:
    cmd: /usr/sbin/unbound-anchor -a /etc/unbound/var/trusted-key.key
    creates: /etc/unbound/var/trusted-key.key
-  failed_when: no
+  failed_when: false

 - name: unbound | Ensure proper permissions on trusted anchor file
  file:
@ -52,13 +52,13 @@
 # dns-root-hints package comes with a monthly crontab
 - name: unbound | Check the current DNS root zone version
  lineinfile:
-    backup: yes
+    backup: true
    path: /usr/share/dns-root-hints/named.root
    regexp: '^;[ \t]+related version of root zone:[ \t]+{{ ansible_facts.packages["dns-root-hints"][0].version }}$'
    state: absent
-  check_mode: yes
+  check_mode: true
  register: root_hints_check
-  changed_when: no
+  changed_when: false

 - name: unbound | Get the latest DNS root hints
  command:
@ -106,5 +106,5 @@
  service:
    name: unbound
    runlevel: default
-    enabled: yes
+    enabled: true
    state: started
--- a/roles/earlyoom/tasks/main.yml
+++ b/roles/earlyoom/tasks/main.yml
@ -16,5 +16,5 @@
  service:
    name: earlyoom
    runlevel: default
-    enabled: yes
+    enabled: true
    state: started
--- a/roles/essential/tasks/main.yml
+++ b/roles/essential/tasks/main.yml
@ -8,13 +8,13 @@
    mode: 0644

 - name: essential | Update repository cache and the system
-  apk:
-    available: yes
-    upgrade: yes
-    update_cache: yes
+  community.general.packaging.os.apk:
+    available: true
+    upgrade: true
+    update_cache: true

 - name: essential | Install common dependencies
-  apk:
+  community.general.packaging.os.apk:
    name: zstd, dbus, terminus-font, shadow-login
    state: present

@ -77,14 +77,14 @@
    name: kernel.core_pattern
    value: /var/tmp/core-%e.%p.%h.%t
    state: present
-    reload: no
+    reload: false

 - name: essential | Set privacy extension for IPv6
  sysctl:
    name: net.ipv6.conf.{{ item.name }}.use_tempaddr
    value: '2'
    state: present
-    reload: no
+    reload: false
  loop: '{{ network_interfaces + [{"name": "default"}, {"name": "all"}] }}'

 - name: essential | Change the tty font to {{ console_font }}
@ -101,7 +101,7 @@
  service:
    name: '{{ item }}'
    runlevel: boot
-    enabled: yes
+    enabled: true
    state: started
  loop:
    - consolefont
@ -111,6 +111,6 @@
  service:
    name: '{{ item }}'
    runlevel: default
-    enabled: yes
+    enabled: true
    state: started
  loop: ['dbus', 'ntpd', 'cgroups']
--- a/roles/fstab/tasks/main.yml
+++ b/roles/fstab/tasks/main.yml
@ -26,7 +26,7 @@
    - name: fstab | Check GID of group {{ proc_group }}
      shell: /usr/bin/getent group {{ proc_group }} | awk -F':' '{print $3}'
      register: proc_gid
-      changed_when: no
+      changed_when: false

    - name: fstab | Restrict read access on /proc for {{ proc_group }} group
      mount:
--- a/roles/grub/tasks/main.yml
+++ b/roles/grub/tasks/main.yml
@ -53,18 +53,18 @@

 - name: grub | Check whether additional kernel parameters is presented
  lineinfile:
-    backup: yes
+    backup: true
    path: /etc/default/grub
    regexp: '^GRUB_CMDLINE_LINUX_DEFAULT=".*{{ item | regex_replace("=.*", "=") }}.*'
    state: absent
-  check_mode: yes
+  check_mode: true
  register: grub_cmdline_check
-  changed_when: no
+  changed_when: false
  loop: '{{ additional_kernel_parameters }}'

 - name: apparmor | Add defined kernel parameters to grub boot command-line
  lineinfile:
-    backrefs: yes
+    backrefs: true
    path: /etc/default/grub
    regexp: '^(GRUB_CMDLINE_LINUX_DEFAULT=".*)"$'
    line: '\1 {{ item.item }}"'
--- a/roles/libvirt/tasks/main.yml
+++ b/roles/libvirt/tasks/main.yml
@ -1,17 +1,9 @@
 ---
 - name: libvirt | Install libvirt and qemu
-  apk:
+  community.general.packaging.os.apk:
    name: libvirt-daemon, qemu-img, qemu-system-x86_64, qemu-modules
    state: present

- name: libvirt | Allow IPv6 RA passthrough for libvirt NAT
-  sysctl:
-    name: 'net.ipv6.conf.{{ item.name }}.accept_ra'
-    value: '2'
-    state: present
-    reload: no
-  loop: '{{ network_interfaces }}'
-
 # This is for PulseAudio
 - name: libvirt | Allow the normal user to interact with qemu system instance
  lineinfile:
@ -37,6 +29,6 @@
  service:
    name: '{{ item }}'
    runlevel: default
-    enabled: yes
+    enabled: true
    state: started
  loop: '{{ libvirt_daemons + ["virtlogd", "virtlockd"] }}'
--- a/roles/networking/tasks/iwd.yml
+++ b/roles/networking/tasks/iwd.yml
@ -1,6 +1,6 @@
 ---
 - name: networking | Install iwd package
-  apk:
+  community.general.packaging.os.apk:
    name: iwd
    state: present

@ -16,5 +16,5 @@
  service:
    name: iwd
    runlevel: default
-    enabled: yes
+    enabled: true
    state: started
--- a/roles/nftables/tasks/main.yml
+++ b/roles/nftables/tasks/main.yml
@ -1,6 +1,6 @@
 ---
 - name: nftables | Install nftables
-  apk:
+  community.general.packaging.os.apk:
    name: nftables
    state: present

@ -16,4 +16,4 @@
  service:
    name: nftables
    runlevel: default
-    enabled: yes
+    enabled: true
--- a/roles/seat/tasks/main.yml
+++ b/roles/seat/tasks/main.yml
@ -1,7 +1,7 @@
 ---
 - block:
    - name: seat | Install elogind and polkit-elogind
-      apk:
+      community.general.packaging.os.apk:
        name: elogind, polkit-elogind
        state: present

@ -11,13 +11,13 @@
      service:
        name: elogind
        runlevel: default
-        enabled: yes
+        enabled: true
        state: started
  when: seat_manager == 'elogind'

 - block:
    - name: seat | Install pam-rundir
-      apk:
+      community.general.packaging.os.apk:
        name: pam-rundir
        state: present

@ -33,7 +33,7 @@
        state: after

    - name: seat | Install polkit
-      apk:
+      community.general.packaging.os.apk:
        name: polkit
        state: present
      when: use_polkit
@ -41,7 +41,7 @@

 - block:
    - name: seat | Install seatd
-      apk:
+      community.general.packaging.os.apk:
        name: seatd
        state: present

@ -49,6 +49,6 @@
      service:
        name: seatd
        runlevel: default
-        enabled: yes
+        enabled: true
        state: started
  when: seat_manager == 'seatd'
--- a/roles/tlp/tasks/main.yml
+++ b/roles/tlp/tasks/main.yml
@ -1,12 +1,12 @@
 ---
 - name: tlp | Install tlp package
-  apk:
+  community.general.packaging.os.apk:
    name: tlp
    state: present

 # I have a ThinkPad laptop :)
 - name: tlp | Install acpi_call kernel module
-  apk:
+  community.general.packaging.os.apk:
    name: acpi_call-src
    state: present
  when: ansible_hostname == 'alpine-tp'
@ -22,6 +22,6 @@
 - name: tlp | Add tlp service to runlevel 'default'
  service:
    name: tlp
-    enabled: yes
+    enabled: true
    state: started
    runlevel: default
--- a/roles/usbguard/tasks/main.yml
+++ b/roles/usbguard/tasks/main.yml
@ -1,6 +1,6 @@
 ---
 - name: usbguard | Install usbguard
-  apk:
+  community.general.packaging.os.apk:
    name: usbguard
    state: present

@ -18,7 +18,7 @@
  service:
    name: usbguard
    runlevel: default
-    enabled: yes
+    enabled: true
    state: started

 - name: usbguard | Check whether there are defined policies
--- a/roles/user/tasks/main.yml
+++ b/roles/user/tasks/main.yml
@ -1,11 +1,11 @@
 ---
 - name: user | Install doas
-  apk:
+  community.general.packaging.os.apk:
    name: doas
    state: present

 - name: user | Install {{ usershell }}
-  apk:
+  community.general.packaging.os.apk:
    name: '{{ usershell }}'
    state: present
  when: usershell not in ['ash', 'sh']
@ -13,7 +13,7 @@
 - name: user | Create {{ realtime_group }} group
  group:
    name: '{{ realtime_group }}'
-    system: yes
+    system: true
    state: present

 - name: user | Create a normal user
@ -21,7 +21,7 @@
    name: '{{ username }}'
    password: '{{ password | password_hash("sha512") }}'
    update_password: on_create
-    append: yes
+    append: true
    groups:
      - wheel
      - input
@ -30,7 +30,7 @@
      - libvirt
      - users
      - '{{ realtime_group }}'
-    create_home: yes
+    create_home: true
    home: '/home/{{ username }}'
    shell: '{{ shell_mappings[usershell] }}'
    state: present
@ -45,7 +45,7 @@
 - name: user | Add the user to polkitd group
  user:
    name: '{{ username }}'
-    append: yes
+    append: true
    groups:
      - polkitd
  when: use_polkit
@ -53,7 +53,7 @@
 - name: user | Add the user to seat group
  user:
    name: '{{ username }}'
-    append: yes
+    append: true
    groups:
      - seat
  when: seat_manager == 'seatd'
--- a/roles/waydroid/tasks/main.yml
+++ b/roles/waydroid/tasks/main.yml
@ -1,7 +1,7 @@
 ---
 # TODO: work out nftables firewall rules (should be on upstream)
 - name: waydroid | Install waydroid
-  apk:
+  community.general.packaging.os.apk:
    name: waydroid
    state: present

@ -27,4 +27,4 @@
    name: waydroid-container
    runlevel: default
    state: started
-    enabled: yes
+    enabled: true
--- a/roles/zram/tasks/main.yml
+++ b/roles/zram/tasks/main.yml
@ -27,5 +27,5 @@
  service:
    name: local
    runlevel: default
-    enabled: yes
+    enabled: true
    state: started
--- a/setup.yml
+++ b/setup.yml
@ -1,7 +1,7 @@
 ---
 - name: Gathering facts
  hosts: all
-  gather_facts: yes
+  gather_facts: true
  tags: always

 - name: Sanity checks
@ -64,7 +64,5 @@
      tags: earlyoom
    - role: user
      tags: user
-    - role: container
-      tags: container
    - role: waydroid
      tags: [waydroid, never]