millironx/nix-dotfiles
1
0
Fork 0
Code Issues Pull requests Releases Packages Activity Actions

Compare commits

base: millironx:bdd59ab5fe82341524b2d79495fb1c5f1d8c0365
Branches Tags
millironx:master
millironx:feat/mcentire-crowdsec
..
compare: millironx:ea4e1300c7d71fea171e52fabacd4e471a28fc13
Branches Tags
millironx:master
millironx:feat/mcentire-crowdsec

No commits in common. "bdd59ab5fe82341524b2d79495fb1c5f1d8c0365" and "ea4e1300c7d71fea171e52fabacd4e471a28fc13" have entirely different histories.
bdd59ab5fe ... ea4e1300c7

8 changed files with 363 additions and 380 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.ansible-lint-ignore
View file

@ -1,2 +0,0 @@
# This file contains ignores rule violations for ansible-lint
playbook.yaml name[play]

5
inventory.yaml
View file

@ -20,3 +20,8 @@ fedora:
hosts: hosts:
harmony: harmony:
odyssey: odyssey:
desktop:
hosts:
harmony:
odyssey:

361
playbook.yaml
View file

@ -1,5 +1,358 @@
--- ---
- import_playbook: playbooks/nix.yaml # Asahi Linux comes with its own strange version of RPMFusion installed, so
- import_playbook: playbooks/repos.yaml # RPMFusion is installed only on amd64 systems. In addition, VeraCrypt and
- import_playbook: playbooks/packages.yaml # Zotero *are* available via COPR, but from different repos than their amd64
- import_playbook: playbooks/config.yaml # counterparts.
# Also, Asahi has its own version string, so we have to manually specify the
# chroot for COPR repos added via Ansible. This is handled automatically when
# using `dnf copr enable ...`, but not via Ansible.
- name: Configure Asahi Linux-specific repos and packages
hosts: asahi
become: true
tasks:
- name: Install Zotero COPR repository
community.general.copr:
name: "isaksamsten/Zotero"
chroot: "fedora-{{ ansible_distribution_major_version }}-aarch64"
- name: Install VeraCrypt COPR repository
community.general.copr:
name: "architektapx/veracrypt"
chroot: "fedora-{{ ansible_distribution_major_version }}-aarch64"
- name: Install aarch64-specific packages
ansible.builtin.dnf:
name:
- veracrypt
# These are repos and packages that are useless or unavailable on Asahi Linux.
- name: Configure amd64 specific repos and packages
hosts: amd64
become: true
tasks:
- name: Install RPM Fusion free repository
ansible.builtin.dnf:
name: "https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-{{ ansible_distribution_major_version }}.noarch.rpm"
state: present
disable_gpg_check: false
- name: Install RPM Fusion nonfree repository
ansible.builtin.dnf:
name: "https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-{{ ansible_distribution_major_version }}.noarch.rpm"
state: present
disable_gpg_check: false
- name: Install RPM Fusion free-tainted repository
ansible.builtin.dnf:
name: rpmfusion-free-release-tainted
state: present
- name: Install Zotero COPR repository
community.general.copr:
name: "mozes/zotero7"
- name: Install x86-specific packages
ansible.builtin.dnf:
name:
- libdvdcss
- mkvtoolnix
- mpv
- x264
- x264-libs
state: present
- name: Install VeraCrypt
ansible.builtin.dnf:
name: https://launchpad.net/veracrypt/trunk/1.26.20/+download/veracrypt-1.26.20-Fedora-40-x86_64.rpm
state: present
disable_gpg_check: true
# I no longer have any machines that are Fedora but not workstations (bosephus
# is now NixOS), so this section is around for more historical reasons, I guess.
# Regardless, Tailscale and zsh are pretty essential for any machine before
# starting anything on them, so it warrants its own play in my mind.
- name: Configure common (all arch, headless and workstation) repos and packages
hosts: fedora
become: true
tasks:
- name: Install Tailscale repo
ansible.builtin.yum_repository:
name: tailscale-stable
description: Tailscale stable repo
baseurl: https://pkgs.tailscale.com/stable/fedora/$basearch
enabled: true
gpgcheck: true
gpgkey: https://pkgs.tailscale.com/stable/fedora/repo.gpg
- name: Install common Linux packages
ansible.builtin.dnf:
name:
- tailscale
- zsh
state: present
# The Determinate Nix installer is the most stable way to install Nix on
# non-NixOS systems I've found.
# 1. It handles SELinux rule creation
# 2. It enables flakes and the `nix` command *by default*
# I use a rule that would *probably* fail on regular Nix systems to detect if
# Nix was installed via the Determinate installer.
# IMPORTANT: I am installing regular Nix via the Determinate Systems installer.
# I **DO NOT** want to install their "determinate nix," as I want to be only
# reliant on nixpkgs, and not their binary cache.
- name: Install Nix via determinate systems
hosts: fedora
become: true
tasks:
- name: Determine if Nix is installed
ansible.builtin.shell: |
/nix/var/nix/profiles/default/bin/nix --version
register: nix_check
ignore_errors: true
changed_when: false
- name: Download Determinate Nix installer
ansible.builtin.get_url:
url: https://install.determinate.systems/nix
dest: /tmp/nix-installer
mode: 755
when: nix_check.rc != 0
- name: Install Nix via Determinate Nix installer
ansible.builtin.shell: |
sh /tmp/nix-installer install linux --verbose --no-confirm
when: nix_check.rc != 0
register: nix_install
changed_when: nix_install.rc == 0
# Install packages with a GUI that would be useless on a headless server, or
# otherwise have no use outside of a workstation environment
- name: Configure desktop/workstation packages
hosts: desktop
become: true
tasks:
# I love the Zed editor, but I hate the way it is installed by default. The
# recommended way to install via a package manager is by using Terra repos.
# Problem 1: Terra doesn't have a single .repo file to plop in using
# ansible.builtin.yum_repository (like Tailscale or FirefoxPWA) nor a
# package that installs the correct repo files with ansible.builtin.dnf
# (like RPMFusion). Instead Terra uses the `--repofrompath` option to
# bootstrap itself as its source of truth - a feature Ansible doesn't
# support. This is the one case where I use ansible.builtin.shell to execute
# a dnf install because of that.
# Problem 2: Terra leads to chaos as it specifies many of the same packages
# from the Fedora and/or RPMFusion repositories. The solution is to
# configure Terra repos with a low priority, see:
# https://discussion.fedoraproject.org/t/zed-editor-this-is-too-much/151269/2
# community.general.dnf_config_manager *only* supports enabling/disabling
# repos, and not seeing/specifying other options, so I use some ugly
# pipelines to determine if the priority is already set right, and adjust
# appropriately.
- name: Determine if Terra is installed
ansible.builtin.stat:
path: /etc/yum.repos.d/terra.repo
register: terra_installed
- name: Install Terra repository
ansible.builtin.shell: |
dnf install --assumeyes --nogpgcheck --repofrompath terra,https://repos.fyralabs.com/terra{{ ansible_distribution_major_version }} terra-release
when: not terra_installed.stat.exists
register: terra_install
changed_when: terra_install.rc == 0
- name: Determine Terra repository priority
ansible.builtin.shell:
cmd: set -o pipefail && dnf --dump-repo-config=terra | grep 'priority = 100' || echo "false"
executable: /bin/bash
register: terra_check
changed_when: false
- name: Set Terra repository priority to low
ansible.builtin.shell: dnf config-manager setopt terra\*.priority=100
when: "'false' in terra_check.stdout"
register: terra_priority
changed_when: terra_priority.rc != 0
# FirefoxPWA and RStudio are actually both compatible with all arches! Yay!
# Note that I still have to specify the chroot b/c of Asahi
- name: Install FirefoxPWA repository
ansible.builtin.yum_repository:
name: firefoxpwa
description: FirefoxPWA repository
baseurl: https://packagecloud.io/filips/FirefoxPWA/fedora/$releasever/$basearch
gpgcheck: true
gpgkey: https://packagecloud.io/filips/FirefoxPWA/gpgkey
enabled: true
- name: Install RStudio copr repository
community.general.copr:
name: "iucar/rstudio"
chroot: "fedora-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}"
# The main package list - the primary goal of this entire playbook, finally
- name: Install common desktop environment packages
ansible.builtin.dnf:
name:
- chromium
- firefoxpwa
- ghostty
- inkscape
- kate
- kdenlive
- kdiff3
- krita
- musescore
- nextcloud-client
- nextcloud-client-dolphin
- obs-studio
- onedrive
- protontricks
- qownnotes
- qt
- rssguard
- rstudio-desktop
- steam
- thunderbird
- vlc
- vorta
- yakuake
- zed
- zotero
- R
state: present
# MS Core fonts aren't needed on anything without a GUI
- name: Install Microsoft Core Fonts
ansible.builtin.dnf:
name: https://downloads.sourceforge.net/project/mscorefonts2/rpms/msttcore-fonts-installer-2.6-1.noarch.rpm
state: present
disable_gpg_check: true
# Allows me to run the playbook as a way to upgrade the system packages
# This is a violation of ansible-lint's rules, but one of the key reasons I
# wrote this playbook in the first place
- name: Upgrade all packages
ansible.builtin.dnf:
name: "*"
state: latest # noqa: package-latest
# Install a policy file to force Firefox to use encrypted DNS
- name: Create Firefox policy directory
ansible.builtin.file:
path: /etc/firefox/policies
state: directory
mode: "755"
- name: Create Firefox DNS policy
ansible.builtin.template:
src: templates/policies.json
dest: /etc/firefox/policies/policies.json
mode: "644"
# Configure custom DNS - we can't use stubby or network manager because
# network manager requires setting DNS resolvers for each network. That
# means that I have to have the DNS onfigs for each and every network I
# connect to (home, school, etc.) written here, and I could miss one.
- name: Configure systemwide DNS
ansible.builtin.shell: |
sh -c "$(curl -sSL https://147.185.34.1/dl)" -s {{ dns_auth_code }} forced
register: ctrld_config
changed_when: ctrld_config.rc != 0
# Generally speaking, I try to install Flatpak applications at the user level
# b/c that really gives more credence to the whole sandboxing idea (concept of
# least privilege). Flatpaks are configured differently per-arch, so we go back
# to different configs for each group
- name: Configure common Flatpaks
hosts: desktop
become: false
tasks:
- name: Add Flathub remote
community.general.flatpak_remote:
name: flathub
state: present
flatpakrepo_url: https://dl.flathub.org/repo/flathub.flatpakrepo
method: user
- name: Install common Flatpaks
community.general.flatpak:
name:
- com.github.tchx84.Flatseal
- com.logseq.Logseq
- io.freetubeapp.FreeTube
- io.github.alainm23.planify
- io.github.dweymouth.supersonic
- io.openrct2.OpenRCT2
- org.zulip.Zulip
- net.ankiweb.Anki
state: latest
method: user
remote: flathub
- name: Configure amd64 Flatpaks
hosts: amd64
become: false
tasks:
- name: Install amd64 Flatpaks
community.general.flatpak:
name:
- com.bitwarden.desktop
- com.slack.Slack
- dev.deedles.Trayscale
- org.signal.Signal
state: latest
method: user
remote: flathub
# Pull the latest home-manager configuration
- name: Ensure home-manager configuration is up-to-date
hosts: fedora
become: false
tasks:
# First, determine if the repo is in place and clone it if not. The odds of
# the repo *not* being present are pretty slim, considering that is where
# I will be deploying this playbook from, but still document the process.
# IMPORTANT: The playbook will not have access to SSH/GPG keys (because they
# can't be generated without home-manager's dotfiles), so it clones a copy
# of via https. **THIS MUST BE CHANGED TO THE ssh REMOTE AFTER CONFIGURATION
# IS COMPLETE!**
- name: Determine if the home-manager repo is present
ansible.builtin.stat:
path: "{{ ansible_env.HOME }}/.config/home-manager"
register: home_manager_repo
- name: Clone the home-manager repo
ansible.builtin.git:
repo: "https://code.millironx.com/millironx/nix-dotfiles.git" # noqa: latest
dest: "{{ ansible_env.HOME }}/.config/home-manager"
when: not home_manager_repo.stat.exists
register: home_manager_clone
changed_when: home_manager_clone.rc == 0
# Only run an ssh clone/pull if home-manager was present from the very
# beginning of the playbook. They need to be part of the same play,
# otherwise the hash is lost downstream. These steps assume that SSH access
# to the git repo has been established - something that cannot possibly have
# happened during the first run.
- name: Update the home-manager config repo
ansible.builtin.git:
repo: git@code.millironx.com:millironx/nix-dotfiles.git # noqa: latest
dest: "{{ ansible_env.HOME }}/.config/home-manager"
clone: true
update: true
register: home_manager_pull
when: home_manager_repo.stat.exists
# Install home-manager for the first time
# home-manager bootstraps itself via the nix command. If the home-manager
# command is not available, then it will need to bootstrap itself
- name: Determine if home-manager is installed
ansible.builtin.stat:
path: "{{ ansible_env.HOME }}/.nix-profile/bin/home-manager"
register: home_manager_exists
- name: Init home-manager
ansible.builtin.shell: |
/nix/var/nix/profiles/default/bin/nix run home-manager -- switch --flake ~/.config/home-manager#{{ ansible_user_id }}@{{ ansible_hostname }}
when: not home_manager_exists.stat.exists
register: home_manager_init
changed_when: home_manager_init.rc == 0
# There are machines with a working home-manager config without a hash file.
# Make sure that those machines have a working hash file for future use.
- name: Safety check for home-manager hash file
ansible.builtin.file:
path: "{{ ansible_env.HOME }}/.cache/hm-git-hash"
state: touch
mode: "644"
# So now we're at the part where we're assuming that the home-manager repo
# is in place, and also that home-manager has already been bootstrapped.
# We'll use the activation script from our home-manager config that records
# the hash of the repo at the time of derivation and compare that against
# the hash found by Ansible's git pull. We will skip running the derivation
# if the hashes match
- name: Find home-manager's latest commit hash
ansible.builtin.slurp:
src: "{{ ansible_env.HOME }}/.cache/hm-git-hash"
register: home_manager_hash
- name: Update home-manager derivation
ansible.builtin.shell: |
$HOME/.nix-profile/bin/home-manager switch --flake ~/.config/home-manager#{{ ansible_user_id }}@{{ ansible_hostname }}
register: home_manager_derivation
changed_when: home_manager_derivation.rc == 0
when: |
home_manager_exists.stat.exists and (home_manager_hash.content | b64decode | trim) != home_manager_pull.after

30
playbooks/config.yaml
View file

@ -1,30 +0,0 @@
---
- name: Configure Firefox DNS policy
hosts: fedora
become: true
tasks:
# Install a policy file to force Firefox to use encrypted DNS
- name: Create Firefox policy directory
ansible.builtin.file:
path: /etc/firefox/policies
state: directory
mode: "755"
- name: Create Firefox DNS policy
ansible.builtin.template:
src: templates/policies.json
dest: /etc/firefox/policies/policies.json
mode: "644"
- name: Configure systemwide DNS policy
hosts: fedora
become: true
tasks:
# Configure custom DNS - we can't use stubby or network manager because
# network manager requires setting DNS resolvers for each network. That
# means that I have to have the DNS onfigs for each and every network I
# connect to (home, school, etc.) written here, and I could miss one.
- name: Configure systemwide DNS
ansible.builtin.shell: |
sh -c "$(curl -sSL https://147.185.34.1/dl)" -s {{ dns_auth_code }} forced
register: ctrld_config
changed_when: ctrld_config.rc != 0

108
playbooks/nix.yaml
View file

@ -1,108 +0,0 @@
---
# The Determinate Nix installer is the most stable way to install Nix on
# non-NixOS systems I've found.
# 1. It handles SELinux rule creation
# 2. It enables flakes and the `nix` command *by default*
# I use a rule that would *probably* fail on regular Nix systems to detect if
# Nix was installed via the Determinate installer.
# IMPORTANT: I am installing regular Nix via the Determinate Systems installer.
# I **DO NOT** want to install their "determinate nix," as I want to be only
# reliant on nixpkgs, and not their binary cache.
- name: Install Nix via determinate systems
hosts: fedora
become: true
tasks:
- name: Determine if Nix is installed
ansible.builtin.shell: |
/nix/var/nix/profiles/default/bin/nix --version
register: nix_check
ignore_errors: true
changed_when: false
- name: Download Determinate Nix installer
ansible.builtin.get_url:
url: https://install.determinate.systems/nix
dest: /tmp/nix-installer
mode: 755
when: nix_check.rc != 0
- name: Install Nix via Determinate Nix installer
ansible.builtin.shell: |
sh /tmp/nix-installer install linux --verbose --no-confirm
when: nix_check.rc != 0
register: nix_install
changed_when: nix_install.rc == 0
# Pull the latest home-manager configuration
- name: Ensure home-manager configuration is up-to-date
hosts: fedora
become: false
tasks:
# First, determine if the repo is in place and clone it if not. The odds of
# the repo *not* being present are pretty slim, considering that is where
# I will be deploying this playbook from, but still document the process.
# IMPORTANT: The playbook will not have access to SSH/GPG keys (because they
# can't be generated without home-manager's dotfiles), so it clones a copy
# of via https. **THIS MUST BE CHANGED TO THE ssh REMOTE AFTER CONFIGURATION
# IS COMPLETE!**
- name: Determine if the home-manager repo is present
ansible.builtin.stat:
path: "{{ ansible_env.HOME }}/.config/home-manager"
register: home_manager_repo
- name: Clone the home-manager repo
ansible.builtin.git:
repo: "https://code.millironx.com/millironx/nix-dotfiles.git" # noqa: latest
dest: "{{ ansible_env.HOME }}/.config/home-manager"
when: not home_manager_repo.stat.exists
register: home_manager_clone
changed_when: home_manager_clone.rc == 0
# Only run an ssh clone/pull if home-manager was present from the very
# beginning of the playbook. They need to be part of the same play,
# otherwise the hash is lost downstream. These steps assume that SSH access
# to the git repo has been established - something that cannot possibly have
# happened during the first run.
- name: Update the home-manager config repo
ansible.builtin.git:
repo: git@code.millironx.com:millironx/nix-dotfiles.git # noqa: latest
dest: "{{ ansible_env.HOME }}/.config/home-manager"
clone: true
update: true
register: home_manager_pull
when: home_manager_repo.stat.exists
# Install home-manager for the first time
# home-manager bootstraps itself via the nix command. If the home-manager
# command is not available, then it will need to bootstrap itself
- name: Determine if home-manager is installed
ansible.builtin.stat:
path: "{{ ansible_env.HOME }}/.nix-profile/bin/home-manager"
register: home_manager_exists
- name: Init home-manager
ansible.builtin.shell: |
/nix/var/nix/profiles/default/bin/nix run home-manager -- switch --flake ~/.config/home-manager#{{ ansible_user_id }}@{{ ansible_hostname }}
when: not home_manager_exists.stat.exists
register: home_manager_init
changed_when: home_manager_init.rc == 0
# There are machines with a working home-manager config without a hash file.
# Make sure that those machines have a working hash file for future use.
- name: Safety check for home-manager hash file
ansible.builtin.file:
path: "{{ ansible_env.HOME }}/.cache/hm-git-hash"
state: touch
mode: "644"
# So now we're at the part where we're assuming that the home-manager repo
# is in place, and also that home-manager has already been bootstrapped.
# We'll use the activation script from our home-manager config that records
# the hash of the repo at the time of derivation and compare that against
# the hash found by Ansible's git pull. We will skip running the derivation
# if the hashes match
- name: Find home-manager's latest commit hash
ansible.builtin.slurp:
src: "{{ ansible_env.HOME }}/.cache/hm-git-hash"
register: home_manager_hash
- name: Update home-manager derivation
ansible.builtin.shell: |
$HOME/.nix-profile/bin/home-manager switch --flake ~/.config/home-manager#{{ ansible_user_id }}@{{ ansible_hostname }}
register: home_manager_derivation
changed_when: home_manager_derivation.rc == 0
when: |
home_manager_exists.stat.exists and (home_manager_hash.content | b64decode | trim) != home_manager_pull.after

113
playbooks/packages.yaml
View file

@ -1,113 +0,0 @@
---
# These are repos and packages that are useless or unavailable on Asahi Linux,
# or have completely separate install procedures.
- name: Configure amd64-specific dnf packages
hosts: amd64
become: true
tasks:
- name: Install x86-specific dnf packages
ansible.builtin.dnf:
name:
- libdvdcss
- mkvtoolnix
- mpv
- x264
- x264-libs
state: present
- name: Install VeraCrypt
ansible.builtin.dnf:
name: https://launchpad.net/veracrypt/trunk/1.26.20/+download/veracrypt-1.26.20-Fedora-40-x86_64.rpm
state: present
disable_gpg_check: true
- name: Configure amd64-specific Flatpaks
hosts: amd64
become: false
tasks:
- name: Install x86-specific Flatpaks
community.general.flatpak:
name:
- com.bitwarden.desktop
- com.slack.Slack
- dev.deedles.Trayscale
- org.signal.Signal
state: latest
method: user
remote: flathub
- name: Configure Asahi Linux-specific dnf packages
hosts: asahi
become: true
tasks:
- name: Install aarch64-specific dnf packages
ansible.builtin.dnf:
name:
- veracrypt
- name: Configure common (all arch) dnf packages
hosts: fedora
become: true
tasks:
- name: Install common (all arch) dnf packages
ansible.builtin.dnf:
name:
- chromium
- firefoxpwa
- ghostty
- inkscape
- kate
- kdenlive
- kdiff3
- krita
- musescore
- nextcloud-client
- nextcloud-client-dolphin
- obs-studio
- onedrive
- protontricks
- qownnotes
- qt
- rssguard
- rstudio-desktop
- steam
- tailscale
- thunderbird
- vlc
- vorta
- yakuake
- zed
- zsh
- zotero
- R
state: present
- name: Install Microsoft Core Fonts
ansible.builtin.dnf:
name: https://downloads.sourceforge.net/project/mscorefonts2/rpms/msttcore-fonts-installer-2.6-1.noarch.rpm
state: present
disable_gpg_check: true
# Allows me to run the playbook as a way to upgrade the system packages
# This is a violation of ansible-lint's rules, but one of the key reasons I
# wrote this playbook in the first place
- name: Upgrade all packages
ansible.builtin.dnf:
name: "*"
state: latest # noqa: package-latest
- name: Configure common (all arch) Flatpaks
hosts: fedora
become: false
tasks:
- name: Install common (all arch) Flatpaks
community.general.flatpak:
name:
- com.github.tchx84.Flatseal
- com.logseq.Logseq
- io.freetubeapp.FreeTube
- io.github.alainm23.planify
- io.github.dweymouth.supersonic
- io.openrct2.OpenRCT2
- org.zulip.Zulip
- net.ankiweb.Anki
state: latest
method: user
remote: flathub

122
playbooks/repos.yaml
View file

@ -1,122 +0,0 @@
---
- name: Configure amd64-specific package repositories
hosts: amd64
become: true
tasks:
- name: Install RPM Fusion free repository
ansible.builtin.dnf:
name: "https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-{{ ansible_distribution_major_version }}.noarch.rpm"
state: present
disable_gpg_check: false
- name: Install RPM Fusion nonfree repository
ansible.builtin.dnf:
name: "https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-{{ ansible_distribution_major_version }}.noarch.rpm"
state: present
disable_gpg_check: false
- name: Install RPM Fusion free-tainted repository
ansible.builtin.dnf:
name: rpmfusion-free-release-tainted
state: present
- name: Install Zotero COPR repository
community.general.copr:
name: "mozes/zotero7"
# Asahi Linux comes with its own strange version of RPMFusion installed, so
# RPMFusion is installed only on amd64 systems. In addition, VeraCrypt and
# Zotero *are* available via COPR, but from different repos than their amd64
# counterparts.
# Also, Asahi has its own version string, so we have to manually specify the
# chroot for COPR repos added via Ansible. This is handled automatically when
# using `dnf copr enable ...`, but not via Ansible.
- name: Configure Asahi Linux-specific package repositories
hosts: asahi
become: true
tasks:
- name: Install Zotero COPR repository
community.general.copr:
name: "isaksamsten/Zotero"
chroot: "fedora-{{ ansible_distribution_major_version }}-aarch64"
- name: Install VeraCrypt COPR repository
community.general.copr:
name: "architektapx/veracrypt"
chroot: "fedora-{{ ansible_distribution_major_version }}-aarch64"
- name: Configure common (all arch) package repositories
hosts: fedora
become: true
tasks:
- name: Install Tailscale repo
ansible.builtin.yum_repository:
name: tailscale-stable
description: Tailscale stable repo
baseurl: https://pkgs.tailscale.com/stable/fedora/$basearch
enabled: true
gpgcheck: true
gpgkey: https://pkgs.tailscale.com/stable/fedora/repo.gpg
- name: Install FirefoxPWA repository
ansible.builtin.yum_repository:
name: firefoxpwa
description: FirefoxPWA repository
baseurl: https://packagecloud.io/filips/FirefoxPWA/fedora/$releasever/$basearch
gpgcheck: true
gpgkey: https://packagecloud.io/filips/FirefoxPWA/gpgkey
enabled: true
# Note that I still have to specify the chroot for COPR repos b/c of Asahi
- name: Install RStudio copr repository
community.general.copr:
name: "iucar/rstudio"
chroot: "fedora-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}"
- name: Configure Terra package repositories
hosts: fedora
become: true
tasks:
# I love the Zed editor, but I hate the way it is installed by default. The
# recommended way to install via a package manager is by using Terra repos.
# Problem 1: Terra doesn't have a single .repo file to plop in using
# ansible.builtin.yum_repository (like Tailscale or FirefoxPWA) nor a
# package that installs the correct repo files with ansible.builtin.dnf
# (like RPMFusion). Instead Terra uses the `--repofrompath` option to
# bootstrap itself as its source of truth - a feature Ansible doesn't
# support. This is the one case where I use ansible.builtin.shell to execute
# a dnf install because of that.
# Problem 2: Terra leads to chaos as it specifies many of the same packages
# from the Fedora and/or RPMFusion repositories. The solution is to
# configure Terra repos with a low priority, see:
# https://discussion.fedoraproject.org/t/zed-editor-this-is-too-much/151269/2
# community.general.dnf_config_manager *only* supports enabling/disabling
# repos, and not seeing/specifying other options, so I use some ugly
# pipelines to determine if the priority is already set right, and adjust
# appropriately.
- name: Determine if Terra is installed
ansible.builtin.stat:
path: /etc/yum.repos.d/terra.repo
register: terra_installed
- name: Install Terra repository
ansible.builtin.shell: |
dnf install --assumeyes --nogpgcheck --repofrompath terra,https://repos.fyralabs.com/terra{{ ansible_distribution_major_version }} terra-release
when: not terra_installed.stat.exists
register: terra_install
changed_when: terra_install.rc == 0
- name: Determine Terra repository priority
ansible.builtin.shell:
cmd: set -o pipefail && dnf --dump-repo-config=terra | grep 'priority = 100' || echo "false"
executable: /bin/bash
register: terra_check
changed_when: false
- name: Set Terra repository priority to low
ansible.builtin.shell: dnf config-manager setopt terra\*.priority=100
when: "'false' in terra_check.stdout"
register: terra_priority
changed_when: terra_priority.rc != 0
- name: Configure Flathub remote
hosts: fedora
become: false
tasks:
- name: Add Flathub remote
community.general.flatpak_remote:
name: flathub
state: present
flatpakrepo_url: https://dl.flathub.org/repo/flathub.flatpakrepo
method: user

2
systems/darwin/corianne.nix
View file

@ -67,7 +67,7 @@
(chromeApp "Messages") (chromeApp "Messages")
(sysApp "Signal") (sysApp "Signal")
(sysApp "Thunderbird") (sysApp "Thunderbird")
(localApp "Immich") (sysApp "Immich")
(sysApp "Logseq") (sysApp "Logseq")
(sysApp "Zed") (sysApp "Zed")
(sysApp "Steam") (sysApp "Steam")