diff --git a/.ansible-lint-ignore b/.ansible-lint-ignore
deleted file mode 100644
index 00bf558..0000000
--- a/.ansible-lint-ignore
+++ /dev/null
@@ -1,2 +0,0 @@
-# This file contains ignores rule violations for ansible-lint
-playbook.yaml name[play]
diff --git a/inventory.yaml b/inventory.yaml
index ba53698..aa5572b 100644
--- a/inventory.yaml
+++ b/inventory.yaml
@@ -20,3 +20,8 @@ fedora:
 hosts:
 harmony:
 odyssey:
+
+desktop:
+ hosts:
+ harmony:
+ odyssey:
diff --git a/playbook.yaml b/playbook.yaml
index 0ff9974..cd47a15 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -1,5 +1,358 @@
 ---
-- import_playbook: playbooks/nix.yaml
-- import_playbook: playbooks/repos.yaml
-- import_playbook: playbooks/packages.yaml
-- import_playbook: playbooks/config.yaml
+# Asahi Linux comes with its own strange version of RPMFusion installed, so
+# RPMFusion is installed only on amd64 systems. In addition, VeraCrypt and
+# Zotero *are* available via COPR, but from different repos than their amd64
+# counterparts.
+# Also, Asahi has its own version string, so we have to manually specify the
+# chroot for COPR repos added via Ansible. This is handled automatically when
+# using `dnf copr enable ...`, but not via Ansible.
+- name: Configure Asahi Linux-specific repos and packages
+ hosts: asahi
+ become: true
+ tasks:
+ - name: Install Zotero COPR repository
+ community.general.copr:
+ name: "isaksamsten/Zotero"
+ chroot: "fedora-{{ ansible_distribution_major_version }}-aarch64"
+ - name: Install VeraCrypt COPR repository
+ community.general.copr:
+ name: "architektapx/veracrypt"
+ chroot: "fedora-{{ ansible_distribution_major_version }}-aarch64"
+ - name: Install aarch64-specific packages
+ ansible.builtin.dnf:
+ name:
+ - veracrypt
+
+# These are repos and packages that are useless or unavailable on Asahi Linux.
+- name: Configure amd64 specific repos and packages
+ hosts: amd64
+ become: true
+ tasks:
+ - name: Install RPM Fusion free repository
+ ansible.builtin.dnf:
+ name: "https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-{{ ansible_distribution_major_version }}.noarch.rpm"
+ state: present
+ disable_gpg_check: false
+ - name: Install RPM Fusion nonfree repository
+ ansible.builtin.dnf:
+ name: "https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-{{ ansible_distribution_major_version }}.noarch.rpm"
+ state: present
+ disable_gpg_check: false
+ - name: Install RPM Fusion free-tainted repository
+ ansible.builtin.dnf:
+ name: rpmfusion-free-release-tainted
+ state: present
+ - name: Install Zotero COPR repository
+ community.general.copr:
+ name: "mozes/zotero7"
+ - name: Install x86-specific packages
+ ansible.builtin.dnf:
+ name:
+ - libdvdcss
+ - mkvtoolnix
+ - mpv
+ - x264
+ - x264-libs
+ state: present
+ - name: Install VeraCrypt
+ ansible.builtin.dnf:
+ name: https://launchpad.net/veracrypt/trunk/1.26.20/+download/veracrypt-1.26.20-Fedora-40-x86_64.rpm
+ state: present
+ disable_gpg_check: true
+
+# I no longer have any machines that are Fedora but not workstations (bosephus
+# is now NixOS), so this section is around for more historical reasons, I guess.
+# Regardless, Tailscale and zsh are pretty essential for any machine before
+# starting anything on them, so it warrants its own play in my mind.
+- name: Configure common (all arch, headless and workstation) repos and packages
+ hosts: fedora
+ become: true
+ tasks:
+ - name: Install Tailscale repo
+ ansible.builtin.yum_repository:
+ name: tailscale-stable
+ description: Tailscale stable repo
+ baseurl: https://pkgs.tailscale.com/stable/fedora/$basearch
+ enabled: true
+ gpgcheck: true
+ gpgkey: https://pkgs.tailscale.com/stable/fedora/repo.gpg
+ - name: Install common Linux packages
+ ansible.builtin.dnf:
+ name:
+ - tailscale
+ - zsh
+ state: present
+
+# The Determinate Nix installer is the most stable way to install Nix on
+# non-NixOS systems I've found.
+# 1. It handles SELinux rule creation
+# 2. It enables flakes and the `nix` command *by default*
+# I use a rule that would *probably* fail on regular Nix systems to detect if
+# Nix was installed via the Determinate installer.
+# IMPORTANT: I am installing regular Nix via the Determinate Systems installer.
+# I **DO NOT** want to install their "determinate nix," as I want to be only
+# reliant on nixpkgs, and not their binary cache.
+- name: Install Nix via determinate systems
+ hosts: fedora
+ become: true
+ tasks:
+ - name: Determine if Nix is installed
+ ansible.builtin.shell: |
+ /nix/var/nix/profiles/default/bin/nix --version
+ register: nix_check
+ ignore_errors: true
+ changed_when: false
+ - name: Download Determinate Nix installer
+ ansible.builtin.get_url:
+ url: https://install.determinate.systems/nix
+ dest: /tmp/nix-installer
+ mode: 755
+ when: nix_check.rc != 0
+ - name: Install Nix via Determinate Nix installer
+ ansible.builtin.shell: |
+ sh /tmp/nix-installer install linux --verbose --no-confirm
+ when: nix_check.rc != 0
+ register: nix_install
+ changed_when: nix_install.rc == 0
+
+# Install packages with a GUI that would be useless on a headless server, or
+# otherwise have no use outside of a workstation environment
+- name: Configure desktop/workstation packages
+ hosts: desktop
+ become: true
+ tasks:
+ # I love the Zed editor, but I hate the way it is installed by default. The
+ # recommended way to install via a package manager is by using Terra repos.
+ # Problem 1: Terra doesn't have a single .repo file to plop in using
+ # ansible.builtin.yum_repository (like Tailscale or FirefoxPWA) nor a
+ # package that installs the correct repo files with ansible.builtin.dnf
+ # (like RPMFusion). Instead Terra uses the `--repofrompath` option to
+ # bootstrap itself as its source of truth - a feature Ansible doesn't
+ # support. This is the one case where I use ansible.builtin.shell to execute
+ # a dnf install because of that.
+ # Problem 2: Terra leads to chaos as it specifies many of the same packages
+ # from the Fedora and/or RPMFusion repositories. The solution is to
+ # configure Terra repos with a low priority, see:
+ # https://discussion.fedoraproject.org/t/zed-editor-this-is-too-much/151269/2
+ # community.general.dnf_config_manager *only* supports enabling/disabling
+ # repos, and not seeing/specifying other options, so I use some ugly
+ # pipelines to determine if the priority is already set right, and adjust
+ # appropriately.
+ - name: Determine if Terra is installed
+ ansible.builtin.stat:
+ path: /etc/yum.repos.d/terra.repo
+ register: terra_installed
+ - name: Install Terra repository
+ ansible.builtin.shell: |
+ dnf install --assumeyes --nogpgcheck --repofrompath terra,https://repos.fyralabs.com/terra{{ ansible_distribution_major_version }} terra-release
+ when: not terra_installed.stat.exists
+ register: terra_install
+ changed_when: terra_install.rc == 0
+ - name: Determine Terra repository priority
+ ansible.builtin.shell:
+ cmd: set -o pipefail && dnf --dump-repo-config=terra | grep 'priority = 100' || echo "false"
+ executable: /bin/bash
+ register: terra_check
+ changed_when: false
+ - name: Set Terra repository priority to low
+ ansible.builtin.shell: dnf config-manager setopt terra\*.priority=100
+ when: "'false' in terra_check.stdout"
+ register: terra_priority
+ changed_when: terra_priority.rc != 0
+ # FirefoxPWA and RStudio are actually both compatible with all arches! Yay!
+ # Note that I still have to specify the chroot b/c of Asahi
+ - name: Install FirefoxPWA repository
+ ansible.builtin.yum_repository:
+ name: firefoxpwa
+ description: FirefoxPWA repository
+ baseurl: https://packagecloud.io/filips/FirefoxPWA/fedora/$releasever/$basearch
+ gpgcheck: true
+ gpgkey: https://packagecloud.io/filips/FirefoxPWA/gpgkey
+ enabled: true
+ - name: Install RStudio copr repository
+ community.general.copr:
+ name: "iucar/rstudio"
+ chroot: "fedora-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}"
+ # The main package list - the primary goal of this entire playbook, finally
+ - name: Install common desktop environment packages
+ ansible.builtin.dnf:
+ name:
+ - chromium
+ - firefoxpwa
+ - ghostty
+ - inkscape
+ - kate
+ - kdenlive
+ - kdiff3
+ - krita
+ - musescore
+ - nextcloud-client
+ - nextcloud-client-dolphin
+ - obs-studio
+ - onedrive
+ - protontricks
+ - qownnotes
+ - qt
+ - rssguard
+ - rstudio-desktop
+ - steam
+ - thunderbird
+ - vlc
+ - vorta
+ - yakuake
+ - zed
+ - zotero
+ - R
+ state: present
+ # MS Core fonts aren't needed on anything without a GUI
+ - name: Install Microsoft Core Fonts
+ ansible.builtin.dnf:
+ name: https://downloads.sourceforge.net/project/mscorefonts2/rpms/msttcore-fonts-installer-2.6-1.noarch.rpm
+ state: present
+ disable_gpg_check: true
+ # Allows me to run the playbook as a way to upgrade the system packages
+ # This is a violation of ansible-lint's rules, but one of the key reasons I
+ # wrote this playbook in the first place
+ - name: Upgrade all packages
+ ansible.builtin.dnf:
+ name: "*"
+ state: latest # noqa: package-latest
+ # Install a policy file to force Firefox to use encrypted DNS
+ - name: Create Firefox policy directory
+ ansible.builtin.file:
+ path: /etc/firefox/policies
+ state: directory
+ mode: "755"
+ - name: Create Firefox DNS policy
+ ansible.builtin.template:
+ src: templates/policies.json
+ dest: /etc/firefox/policies/policies.json
+ mode: "644"
+ # Configure custom DNS - we can't use stubby or network manager because
+ # network manager requires setting DNS resolvers for each network. That
+ # means that I have to have the DNS onfigs for each and every network I
+ # connect to (home, school, etc.) written here, and I could miss one.
+ - name: Configure systemwide DNS
+ ansible.builtin.shell: |
+ sh -c "$(curl -sSL https://147.185.34.1/dl)" -s {{ dns_auth_code }} forced
+ register: ctrld_config
+ changed_when: ctrld_config.rc != 0
+
+# Generally speaking, I try to install Flatpak applications at the user level
+# b/c that really gives more credence to the whole sandboxing idea (concept of
+# least privilege). Flatpaks are configured differently per-arch, so we go back
+# to different configs for each group
+- name: Configure common Flatpaks
+ hosts: desktop
+ become: false
+ tasks:
+ - name: Add Flathub remote
+ community.general.flatpak_remote:
+ name: flathub
+ state: present
+ flatpakrepo_url: https://dl.flathub.org/repo/flathub.flatpakrepo
+ method: user
+ - name: Install common Flatpaks
+ community.general.flatpak:
+ name:
+ - com.github.tchx84.Flatseal
+ - com.logseq.Logseq
+ - io.freetubeapp.FreeTube
+ - io.github.alainm23.planify
+ - io.github.dweymouth.supersonic
+ - io.openrct2.OpenRCT2
+ - org.zulip.Zulip
+ - net.ankiweb.Anki
+ state: latest
+ method: user
+ remote: flathub
+- name: Configure amd64 Flatpaks
+ hosts: amd64
+ become: false
+ tasks:
+ - name: Install amd64 Flatpaks
+ community.general.flatpak:
+ name:
+ - com.bitwarden.desktop
+ - com.slack.Slack
+ - dev.deedles.Trayscale
+ - org.signal.Signal
+ state: latest
+ method: user
+ remote: flathub
+
+# Pull the latest home-manager configuration
+- name: Ensure home-manager configuration is up-to-date
+ hosts: fedora
+ become: false
+ tasks:
+ # First, determine if the repo is in place and clone it if not. The odds of
+ # the repo *not* being present are pretty slim, considering that is where
+ # I will be deploying this playbook from, but still document the process.
+ # IMPORTANT: The playbook will not have access to SSH/GPG keys (because they
+ # can't be generated without home-manager's dotfiles), so it clones a copy
+ # of via https. **THIS MUST BE CHANGED TO THE ssh REMOTE AFTER CONFIGURATION
+ # IS COMPLETE!**
+ - name: Determine if the home-manager repo is present
+ ansible.builtin.stat:
+ path: "{{ ansible_env.HOME }}/.config/home-manager"
+ register: home_manager_repo
+ - name: Clone the home-manager repo
+ ansible.builtin.git:
+ repo: "https://code.millironx.com/millironx/nix-dotfiles.git" # noqa: latest
+ dest: "{{ ansible_env.HOME }}/.config/home-manager"
+ when: not home_manager_repo.stat.exists
+ register: home_manager_clone
+ changed_when: home_manager_clone.rc == 0
+ # Only run an ssh clone/pull if home-manager was present from the very
+ # beginning of the playbook. They need to be part of the same play,
+ # otherwise the hash is lost downstream. These steps assume that SSH access
+ # to the git repo has been established - something that cannot possibly have
+ # happened during the first run.
+ - name: Update the home-manager config repo
+ ansible.builtin.git:
+ repo: git@code.millironx.com:millironx/nix-dotfiles.git # noqa: latest
+ dest: "{{ ansible_env.HOME }}/.config/home-manager"
+ clone: true
+ update: true
+ register: home_manager_pull
+ when: home_manager_repo.stat.exists
+
+ # Install home-manager for the first time
+ # home-manager bootstraps itself via the nix command. If the home-manager
+ # command is not available, then it will need to bootstrap itself
+ - name: Determine if home-manager is installed
+ ansible.builtin.stat:
+ path: "{{ ansible_env.HOME }}/.nix-profile/bin/home-manager"
+ register: home_manager_exists
+ - name: Init home-manager
+ ansible.builtin.shell: |
+ /nix/var/nix/profiles/default/bin/nix run home-manager -- switch --flake ~/.config/home-manager#{{ ansible_user_id }}@{{ ansible_hostname }}
+ when: not home_manager_exists.stat.exists
+ register: home_manager_init
+ changed_when: home_manager_init.rc == 0
+
+ # There are machines with a working home-manager config without a hash file.
+ # Make sure that those machines have a working hash file for future use.
+ - name: Safety check for home-manager hash file
+ ansible.builtin.file:
+ path: "{{ ansible_env.HOME }}/.cache/hm-git-hash"
+ state: touch
+ mode: "644"
+ # So now we're at the part where we're assuming that the home-manager repo
+ # is in place, and also that home-manager has already been bootstrapped.
+ # We'll use the activation script from our home-manager config that records
+ # the hash of the repo at the time of derivation and compare that against
+ # the hash found by Ansible's git pull. We will skip running the derivation
+ # if the hashes match
+ - name: Find home-manager's latest commit hash
+ ansible.builtin.slurp:
+ src: "{{ ansible_env.HOME }}/.cache/hm-git-hash"
+ register: home_manager_hash
+ - name: Update home-manager derivation
+ ansible.builtin.shell: |
+ $HOME/.nix-profile/bin/home-manager switch --flake ~/.config/home-manager#{{ ansible_user_id }}@{{ ansible_hostname }}
+ register: home_manager_derivation
+ changed_when: home_manager_derivation.rc == 0
+ when: |
+ home_manager_exists.stat.exists and (home_manager_hash.content | b64decode | trim) != home_manager_pull.after
diff --git a/playbooks/config.yaml b/playbooks/config.yaml
deleted file mode 100644
index b901e19..0000000
--- a/playbooks/config.yaml
+++ /dev/null
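Review bot: In "Configure systemwide DNS" (near the end of the desktop/workstation play), `sh -c "$(curl -sSL https://147.185.34.1/dl)"` executes whatever that address serves, as root, with no integrity check, and `{{ dns_auth_code }}` is passed on the command line where it shows up in process listings and in the task's registered output; fetch the script with `ansible.builtin.get_url` pinned by `checksum:`, then run the local copy under `no_log: true` (sketched below). The same task's `changed_when: ctrld_config.rc != 0`, like `changed_when: terra_priority.rc != 0` in "Set Terra repository priority to low", reports changed only when the command fails, while every other shell task here uses `rc == 0`. In "Download Determinate Nix installer", `mode: 755` is an unquoted integer that Ansible interprets as decimal rather than octal; write `mode: "755"` as the Firefox policy tasks already do. The VeraCrypt RPM, the Microsoft Core Fonts RPM and the Terra bootstrap (`--nogpgcheck`) are all installed with signature verification disabled, so a `get_url` with `checksum:` before each install would at least pin what gets installed as root. `changed_when: home_manager_clone.rc == 0` also looks suspect, since ansible.builtin.git does not appear to return an `rc` field; confirm against the module's documented return values.
```yaml
    # … unchanged: earlier tasks of the desktop/workstation play …
    - name: Download DNS configuration script
      ansible.builtin.get_url:
        url: https://147.185.34.1/dl
        dest: /root/ctrld-install.sh  # any root-only location (constructed example)
        mode: "700"
        checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"
    - name: Configure systemwide DNS
      ansible.builtin.shell: |
        sh /root/ctrld-install.sh -s {{ dns_auth_code }} forced
      no_log: true
      register: ctrld_config
      changed_when: ctrld_config.rc == 0
```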
@@ -1,30 +0,0 @@
----
-- name: Configure Firefox DNS policy
- hosts: fedora
- become: true
- tasks:
- # Install a policy file to force Firefox to use encrypted DNS
- - name: Create Firefox policy directory
- ansible.builtin.file:
- path: /etc/firefox/policies
- state: directory
- mode: "755"
- - name: Create Firefox DNS policy
- ansible.builtin.template:
- src: templates/policies.json
- dest: /etc/firefox/policies/policies.json
- mode: "644"
-
-- name: Configure systemwide DNS policy
- hosts: fedora
- become: true
- tasks:
- # Configure custom DNS - we can't use stubby or network manager because
- # network manager requires setting DNS resolvers for each network. That
- # means that I have to have the DNS onfigs for each and every network I
- # connect to (home, school, etc.) written here, and I could miss one.
- - name: Configure systemwide DNS
- ansible.builtin.shell: |
- sh -c "$(curl -sSL https://147.185.34.1/dl)" -s {{ dns_auth_code }} forced
- register: ctrld_config
- changed_when: ctrld_config.rc != 0
diff --git a/playbooks/nix.yaml b/playbooks/nix.yaml
deleted file mode 100644
index 69062d8..0000000
--- a/playbooks/nix.yaml
+++ /dev/null
@@ -1,108 +0,0 @@
----
-# The Determinate Nix installer is the most stable way to install Nix on
-# non-NixOS systems I've found.
-# 1. It handles SELinux rule creation
-# 2. It enables flakes and the `nix` command *by default*
-# I use a rule that would *probably* fail on regular Nix systems to detect if
-# Nix was installed via the Determinate installer.
-# IMPORTANT: I am installing regular Nix via the Determinate Systems installer.
-# I **DO NOT** want to install their "determinate nix," as I want to be only
-# reliant on nixpkgs, and not their binary cache.
-- name: Install Nix via determinate systems
- hosts: fedora
- become: true
- tasks:
- - name: Determine if Nix is installed
- ansible.builtin.shell: |
- /nix/var/nix/profiles/default/bin/nix --version
- register: nix_check
- ignore_errors: true
- changed_when: false
- - name: Download Determinate Nix installer
- ansible.builtin.get_url:
- url: https://install.determinate.systems/nix
- dest: /tmp/nix-installer
- mode: 755
- when: nix_check.rc != 0
- - name: Install Nix via Determinate Nix installer
- ansible.builtin.shell: |
- sh /tmp/nix-installer install linux --verbose --no-confirm
- when: nix_check.rc != 0
- register: nix_install
- changed_when: nix_install.rc == 0
-
-# Pull the latest home-manager configuration
-- name: Ensure home-manager configuration is up-to-date
- hosts: fedora
- become: false
- tasks:
- # First, determine if the repo is in place and clone it if not. The odds of
- # the repo *not* being present are pretty slim, considering that is where
- # I will be deploying this playbook from, but still document the process.
- # IMPORTANT: The playbook will not have access to SSH/GPG keys (because they
- # can't be generated without home-manager's dotfiles), so it clones a copy
- # of via https. **THIS MUST BE CHANGED TO THE ssh REMOTE AFTER CONFIGURATION
- # IS COMPLETE!**
- - name: Determine if the home-manager repo is present
- ansible.builtin.stat:
- path: "{{ ansible_env.HOME }}/.config/home-manager"
- register: home_manager_repo
- - name: Clone the home-manager repo
- ansible.builtin.git:
- repo: "https://code.millironx.com/millironx/nix-dotfiles.git" # noqa: latest
- dest: "{{ ansible_env.HOME }}/.config/home-manager"
- when: not home_manager_repo.stat.exists
- register: home_manager_clone
- changed_when: home_manager_clone.rc == 0
- # Only run an ssh clone/pull if home-manager was present from the very
- # beginning of the playbook. They need to be part of the same play,
- # otherwise the hash is lost downstream. These steps assume that SSH access
- # to the git repo has been established - something that cannot possibly have
- # happened during the first run.
- - name: Update the home-manager config repo
- ansible.builtin.git:
- repo: git@code.millironx.com:millironx/nix-dotfiles.git # noqa: latest
- dest: "{{ ansible_env.HOME }}/.config/home-manager"
- clone: true
- update: true
- register: home_manager_pull
- when: home_manager_repo.stat.exists
-
- # Install home-manager for the first time
- # home-manager bootstraps itself via the nix command. If the home-manager
- # command is not available, then it will need to bootstrap itself
- - name: Determine if home-manager is installed
- ansible.builtin.stat:
- path: "{{ ansible_env.HOME }}/.nix-profile/bin/home-manager"
- register: home_manager_exists
- - name: Init home-manager
- ansible.builtin.shell: |
- /nix/var/nix/profiles/default/bin/nix run home-manager -- switch --flake ~/.config/home-manager#{{ ansible_user_id }}@{{ ansible_hostname }}
- when: not home_manager_exists.stat.exists
- register: home_manager_init
- changed_when: home_manager_init.rc == 0
-
- # There are machines with a working home-manager config without a hash file.
- # Make sure that those machines have a working hash file for future use.
- - name: Safety check for home-manager hash file
- ansible.builtin.file:
- path: "{{ ansible_env.HOME }}/.cache/hm-git-hash"
- state: touch
- mode: "644"
- # So now we're at the part where we're assuming that the home-manager repo
- # is in place, and also that home-manager has already been bootstrapped.
- # We'll use the activation script from our home-manager config that records
- # the hash of the repo at the time of derivation and compare that against
- # the hash found by Ansible's git pull. We will skip running the derivation
- # if the hashes match
- - name: Find home-manager's latest commit hash
- ansible.builtin.slurp:
- src: "{{ ansible_env.HOME }}/.cache/hm-git-hash"
- register: home_manager_hash
- - name: Update home-manager derivation
- ansible.builtin.shell: |
- $HOME/.nix-profile/bin/home-manager switch --flake ~/.config/home-manager#{{ ansible_user_id }}@{{ ansible_hostname }}
- register: home_manager_derivation
- changed_when: home_manager_derivation.rc == 0
- when: |
- home_manager_exists.stat.exists and (home_manager_hash.content | b64decode | trim) != home_manager_pull.after
diff --git a/playbooks/packages.yaml b/playbooks/packages.yaml
deleted file mode 100644
index a5017dd..0000000
--- a/playbooks/packages.yaml
+++ /dev/null
@@ -1,113 +0,0 @@
----
-# These are repos and packages that are useless or unavailable on Asahi Linux,
-# or have completely separate install procedures.
-- name: Configure amd64-specific dnf packages
- hosts: amd64
- become: true
- tasks:
- - name: Install x86-specific dnf packages
- ansible.builtin.dnf:
- name:
- - libdvdcss
- - mkvtoolnix
- - mpv
- - x264
- - x264-libs
- state: present
- - name: Install VeraCrypt
- ansible.builtin.dnf:
- name: https://launchpad.net/veracrypt/trunk/1.26.20/+download/veracrypt-1.26.20-Fedora-40-x86_64.rpm
- state: present
- disable_gpg_check: true
-
-- name: Configure amd64-specific Flatpaks
- hosts: amd64
- become: false
- tasks:
- - name: Install x86-specific Flatpaks
- community.general.flatpak:
- name:
- - com.bitwarden.desktop
- - com.slack.Slack
- - dev.deedles.Trayscale
- - org.signal.Signal
- state: latest
- method: user
- remote: flathub
-
-- name: Configure Asahi Linux-specific dnf packages
- hosts: asahi
- become: true
- tasks:
- - name: Install aarch64-specific dnf packages
- ansible.builtin.dnf:
- name:
- - veracrypt
-
-- name: Configure common (all arch) dnf packages
- hosts: fedora
- become: true
- tasks:
- - name: Install common (all arch) dnf packages
- ansible.builtin.dnf:
- name:
- - chromium
- - firefoxpwa
- - ghostty
- - inkscape
- - kate
- - kdenlive
- - kdiff3
- - krita
- - musescore
- - nextcloud-client
- - nextcloud-client-dolphin
- - obs-studio
- - onedrive
- - protontricks
- - qownnotes
- - qt
- - rssguard
- - rstudio-desktop
- - steam
- - tailscale
- - thunderbird
- - vlc
- - vorta
- - yakuake
- - zed
- - zsh
- - zotero
- - R
- state: present
- - name: Install Microsoft Core Fonts
- ansible.builtin.dnf:
- name: https://downloads.sourceforge.net/project/mscorefonts2/rpms/msttcore-fonts-installer-2.6-1.noarch.rpm
- state: present
- disable_gpg_check: true
- # Allows me to run the playbook as a way to upgrade the system packages
- # This is a violation of ansible-lint's rules, but one of the key reasons I
- # wrote this playbook in the first place
- - name: Upgrade all packages
- ansible.builtin.dnf:
- name: "*"
- state: latest # noqa: package-latest
-
-- name: Configure common (all arch) Flatpaks
- hosts: fedora
- become: false
- tasks:
- - name: Install common (all arch) Flatpaks
- community.general.flatpak:
- name:
- - com.github.tchx84.Flatseal
- - com.logseq.Logseq
- - io.freetubeapp.FreeTube
- - io.github.alainm23.planify
- - io.github.dweymouth.supersonic
- - io.openrct2.OpenRCT2
- - org.zulip.Zulip
- - net.ankiweb.Anki
- state: latest
- method: user
- remote: flathub
diff --git a/playbooks/repos.yaml b/playbooks/repos.yaml
deleted file mode 100644
index b771518..0000000
--- a/playbooks/repos.yaml
+++ /dev/null
@@ -1,122 +0,0 @@
----
-- name: Configure amd64-specific package repositories
- hosts: amd64
- become: true
- tasks:
- - name: Install RPM Fusion free repository
- ansible.builtin.dnf:
- name: "https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-{{ ansible_distribution_major_version }}.noarch.rpm"
- state: present
- disable_gpg_check: false
- - name: Install RPM Fusion nonfree repository
- ansible.builtin.dnf:
- name: "https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-{{ ansible_distribution_major_version }}.noarch.rpm"
- state: present
- disable_gpg_check: false
- - name: Install RPM Fusion free-tainted repository
- ansible.builtin.dnf:
- name: rpmfusion-free-release-tainted
- state: present
- - name: Install Zotero COPR repository
- community.general.copr:
- name: "mozes/zotero7"
-
-# Asahi Linux comes with its own strange version of RPMFusion installed, so
-# RPMFusion is installed only on amd64 systems. In addition, VeraCrypt and
-# Zotero *are* available via COPR, but from different repos than their amd64
-# counterparts.
-# Also, Asahi has its own version string, so we have to manually specify the
-# chroot for COPR repos added via Ansible. This is handled automatically when
-# using `dnf copr enable ...`, but not via Ansible.
-- name: Configure Asahi Linux-specific package repositories
- hosts: asahi
- become: true
- tasks:
- - name: Install Zotero COPR repository
- community.general.copr:
- name: "isaksamsten/Zotero"
- chroot: "fedora-{{ ansible_distribution_major_version }}-aarch64"
- - name: Install VeraCrypt COPR repository
- community.general.copr:
- name: "architektapx/veracrypt"
- chroot: "fedora-{{ ansible_distribution_major_version }}-aarch64"
-
-- name: Configure common (all arch) package repositories
- hosts: fedora
- become: true
- tasks:
- - name: Install Tailscale repo
- ansible.builtin.yum_repository:
- name: tailscale-stable
- description: Tailscale stable repo
- baseurl: https://pkgs.tailscale.com/stable/fedora/$basearch
- enabled: true
- gpgcheck: true
- gpgkey: https://pkgs.tailscale.com/stable/fedora/repo.gpg
- - name: Install FirefoxPWA repository
- ansible.builtin.yum_repository:
- name: firefoxpwa
- description: FirefoxPWA repository
- baseurl: https://packagecloud.io/filips/FirefoxPWA/fedora/$releasever/$basearch
- gpgcheck: true
- gpgkey: https://packagecloud.io/filips/FirefoxPWA/gpgkey
- enabled: true
- # Note that I still have to specify the chroot for COPR repos b/c of Asahi
- - name: Install RStudio copr repository
- community.general.copr:
- name: "iucar/rstudio"
- chroot: "fedora-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}"
-
-- name: Configure Terra package repositories
- hosts: fedora
- become: true
- tasks:
- # I love the Zed editor, but I hate the way it is installed by default. The
- # recommended way to install via a package manager is by using Terra repos.
- # Problem 1: Terra doesn't have a single .repo file to plop in using
- # ansible.builtin.yum_repository (like Tailscale or FirefoxPWA) nor a
- # package that installs the correct repo files with ansible.builtin.dnf
- # (like RPMFusion). Instead Terra uses the `--repofrompath` option to
- # bootstrap itself as its source of truth - a feature Ansible doesn't
- # support. This is the one case where I use ansible.builtin.shell to execute
- # a dnf install because of that.
- # Problem 2: Terra leads to chaos as it specifies many of the same packages
- # from the Fedora and/or RPMFusion repositories. The solution is to
- # configure Terra repos with a low priority, see:
- # https://discussion.fedoraproject.org/t/zed-editor-this-is-too-much/151269/2
- # community.general.dnf_config_manager *only* supports enabling/disabling
- # repos, and not seeing/specifying other options, so I use some ugly
- # pipelines to determine if the priority is already set right, and adjust
- # appropriately.
- - name: Determine if Terra is installed
- ansible.builtin.stat:
- path: /etc/yum.repos.d/terra.repo
- register: terra_installed
- - name: Install Terra repository
- ansible.builtin.shell: |
- dnf install --assumeyes --nogpgcheck --repofrompath terra,https://repos.fyralabs.com/terra{{ ansible_distribution_major_version }} terra-release
- when: not terra_installed.stat.exists
- register: terra_install
- changed_when: terra_install.rc == 0
- - name: Determine Terra repository priority
- ansible.builtin.shell:
- cmd: set -o pipefail && dnf --dump-repo-config=terra | grep 'priority = 100' || echo "false"
- executable: /bin/bash
- register: terra_check
- changed_when: false
- - name: Set Terra repository priority to low
- ansible.builtin.shell: dnf config-manager setopt terra\*.priority=100
- when: "'false' in terra_check.stdout"
- register: terra_priority
- changed_when: terra_priority.rc != 0
-
-- name: Configure Flathub remote
- hosts: fedora
- become: false
- tasks:
- - name: Add Flathub remote
- community.general.flatpak_remote:
- name: flathub
- state: present
- flatpakrepo_url: https://dl.flathub.org/repo/flathub.flatpakrepo
- method: user
diff --git a/systems/darwin/corianne.nix b/systems/darwin/corianne.nix
index dff9085..f8067ce 100644
--- a/systems/darwin/corianne.nix
+++ b/systems/darwin/corianne.nix
@@ -67,7 +67,7 @@
 (chromeApp "Messages")
 (sysApp "Signal")
 (sysApp "Thunderbird")
-(localApp "Immich")
+(sysApp "Immich")
 (sysApp "Logseq")
 (sysApp "Zed")
 (sysApp "Steam")