matt/cosmos_init
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
phermeys
2025-09-14 13:01:12 -07:00
commit d2c9c31105
12 changed files with 964 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
README.md Normal file
View File

@ -0,0 +1 @@
This is the main ansible role that sets up a debian base system for other ansible roles that I create

106
defaults/main.yaml Normal file
View File

@ -0,0 +1,106 @@
---
cosmos_terse_packages:
- sudo
- htop
- net-tools
- curl
- pigz
- jq
cosmos_base_packages:
- nmap
- lm-sensors
- speedtest-cli
- ethtool
- tidy
- lynx
- iotop
- iftop
- gnupg
- pwgen
- unzip
- iw
- lshw
- firmware-iwlwifi
- dnsutils
- git
- brightnessctl
- v4l-utils
- ffmpeg
- libpam-kwallet5
cosmos_amd64_only:
- thermald
- acpi
gather_facts_packages:
- lshw
- iw
- bind9-dnsutils
preboot_packages:
- openssh-server
- curl
- openvpn
- net-tools
- htop
- bsdmainutils
fprint_device_url: 'https://fprint.freedesktop.org/supported-devices.html'
# list of device IDs of things I own
# that are compatible with windows hello
howdy_webcams:
# Dell XPS Laptop
- "0bda:58c8"
# Cheapo USB Webcam
- "0408:7a10"
# default user accounts from various other OS builds
default_users:
- pi
deb_version: "trixie"
remove_default_vpn: true
terse_packages: false
install_packages: true
rename_host: false
realtek_present: false
install_nvidia: false
hyperv_client: false
cosmos_exists: true
no_vpn: false
smb_configured: false
gather_only: false
home_endpoint: false
plasma_present: false
public_deploy: false
save_pi_user: false
update_grub_timeout: true
add_domain: false
init_light: false
onboard_pi: false
rtl8821ce_present: false
...

37
tasks/configure_smb.yaml Normal file
View File

@ -0,0 +1,37 @@
---
- name: smb - Install samba & cifs-utils
apt:
name:
- samba
- cifs-utils
- smbclient
state: present
- name: smb - Create public share folder
file:
path: /media/share
state: directory
mode: '0777'
- name: smb - Copy smb.conf
template:
src: smb.conf.j2
dest: /etc/samba/smb.conf
owner: root
group: root
mode: 0644
- name: smb - create additional configs folder
file:
path: "/etc/samba/smb.conf.d"
state: directory
mode: '0755'
- name: smb - Restart smb
service:
name: smbd
state: restarted
enabled: yes
...

263
tasks/gather_facts.yaml Normal file
View File

@ -0,0 +1,263 @@
---
###############################################
# Gather Facts for Playbook
###############################################
###############################################
# Install Prereq Packages
###############################################
- name: Install Prereq Packages
apt:
name:
- "{{ gather_facts_packages_item }}"
state: present
loop: "{{ gather_facts_packages }}"
register: apt_result
loop_control:
loop_var: gather_facts_packages_item
- name: Apply permissions on /opt/cosmos
file:
path: /opt/cosmos
state: directory
mode: '0755'
###############################################
# Check System Architecture
###############################################
- name: Install Apps - Check CPU Arch
shell: "dpkg --print-architecture"
register: cpu_architecture_output
- name: Install Apps - Set cpu_architecture variable
set_fact:
cpu_architecture: "{{ cpu_architecture_output.stdout_lines[0] }}"
###############################################
# Check for GPU
###############################################
- name: GPU - Gather information
command:
cmd: lshw -C display
register: lshw_output
- name: GPU - Set install_nvidia variable
set_fact:
install_nvidia: "{{ 'NVIDIA' in lshw_output.stdout }}"
###############################################
# Check for wireless network
###############################################
- name: WiFi - Gather devices
command: iw dev
register: iw_dev_output
changed_when: false
- name: WiFi - Set wireless_present variable
set_fact:
wireless_present: "{{ iw_dev_output.stdout is search('Interface') }}"
###############################################
# Check for realtek interfaces
###############################################
- name: Realtek - Gather devices
command: lspci -d10ec::02xx
register: lspci_rltk_output
ignore_errors: true
- name: skip when lspci fails
when: lspci_rltk_output.failed
block:
- name: Realtek - Set realtek_adapters variable
set_fact:
realtek_adapters: "{{ lspci_rltk_output.stdout_lines }}"
- name: Realtek - Set realtek_present variable
set_fact:
realtek_present: "{{ lspci_rltk_output.stdout != '' }}"
- name: Realtek - Gather devices again but different
command: lspci
register: lspci_rltk_output
ignore_errors: true
- name: check for rtl8821ce
when: '"RTL8821CE" in lspci_rltk_output'
set_fact:
rtl8821ce_present: true
###############################################
# Check for supported fingerprint sensor
###############################################
- name: Fingerprint - Fetch supported device list
shell: "curl -s {{ fprint_device_url }}"
register: website_content
- name: Fingerprint - Parse Website for Device IDs
set_fact:
device_list: "{{ website_content.stdout_lines | map('trim') | regex_findall('([0-9a-fA-F]{4}:[0-9a-fA-F]{4})') }}"
- name: Fingerprint - get lsusb output
command: lsusb
register: lsusb_output
ignore_errors: yes
- name: Fingerprint - Parse lsusb output for Device IDs
set_fact:
lsusb_devices: "{{ lsusb_output.stdout_lines | map('trim') | regex_findall('([0-9a-fA-F]{4}:[0-9a-fA-F]{4})') }}"
when: lsusb_output is defined
- name: Fingerprint - set fprint_sensor
set_fact:
fprint_sensor: "{{ lsusb_devices | intersect(device_list) }}"
when: lsusb_output is defined
- name: Fingerprint - prime fprint_present variable
set_fact:
fprint_present: false
- name: Fingerprint - set fprint_present variable
set_fact:
fprint_present: true
when: lsusb_devices | intersect(device_list) | length > 0 and lsusb_output is defined
- name: Fingerprint - display fact statements
debug:
msg: "{{ 'Compatible fingerprint sensor detected' if fprint_present else 'No compatible fingerprint sensor detected' }}"
###############################################
# Check if webcam is present
###############################################
- name: ustreamer - check for webcam
shell: "ls /dev/vid*"
register: vid_output
ignore_errors: yes
- name: ustreamer - set webcam_present variable
set_fact:
webcam_present: "{{ vid_output.rc == 0 }}"
- name: ustreamer - display fact statements
debug:
msg: "{{ 'Webcam present' if webcam_present else 'No webcam present' }}"
###############################################
# Check for supported howdycam
###############################################
- name: howdycam - get lsusb output
command: lsusb
register: lsusb_output
ignore_errors: yes
- name: howdycam - Parse lsusb output for Device IDs
set_fact:
lsusb_devices: "{{ lsusb_output.stdout_lines | map('trim') | regex_findall('([0-9a-fA-F]{4}:[0-9a-fA-F]{4})') }}"
when: lsusb_output is defined
- name: howdycam - set howdycam_deviceID
set_fact:
howdycam_deviceID: "{{ lsusb_devices | intersect(howdy_webcams) }}"
when: lsusb_output is defined
- name: howdycam - prime howdycam_present variable
set_fact:
howdycam_present: false
- name: howdycam - set howdycam_present variable
set_fact:
howdycam_present: true
when: lsusb_devices | intersect(howdy_webcams) | length > 0 and lsusb_output is defined
- name: howdycam - display fact statements
debug:
msg: "{{ 'Compatible biometric webcam detected' if howdycam_present else 'No compatible biometric webcam detected' }}"
###############################################
# Check if smb is configured
###############################################
- name: Check smb.conf
shell: |
cat /etc/samba/smb.conf | grep "matt-cloud default"
ignore_errors: yes
register: smbconf_output
- name: Set SMB Conf'd var
set_fact:
smb_configured: true
when: '"matt-cloud default" in smbconf_output.stdout'
ignore_errors: yes
- name: SMB - display fact statements
debug:
msg: "{{ 'SMB configured' if smb_configured else 'SMB not yet configured' }}"
###############################################
# Check client located at home
###############################################
- name: Check ip ad
shell: ip ad
register: ip_ad_output
- name: Check for terra
shell: dig +short terra.home.cosmos
register: dig_terra_output
- name: Set home location var
set_fact:
home_endpoint: true
when: '"172.20.255.255" in ip_ad_output.stdout and "172.20.25.10" in dig_terra_output.stdout'
- name: location check - display fact statements
debug:
msg: "{{ 'Endpoint at home' if home_endpoint else 'Remote endpoint' }}"
###############################################
# Output debug summary
###############################################
- name: Fact Summary - Set fact statements
set_fact:
system_info:
- "{{ 'NVIDIA GPU is present' if install_nvidia else 'No NVIDIA GPU found' }}"
- "{{ 'Wireless card present' if wireless_present else 'No Wireless Card' }}"
- "{{ 'Webcam is present' if webcam_present else 'No webcam present' }}"
- "{{ 'Realtek network card detected' if realtek_present else 'No realtek network devices detected' }}"
- "{{ 'Special Realtek wifi found' if rtl8821ce_present else 'No special realtek wifi' }}"
- "{{ 'Compatible fingerprint sensor detected' if fprint_present else 'No compatible fingerprint sensor detected' }}"
- "{{ 'Compatible biometric webcam detected' if howdycam_present else 'No compatible biometric webcam detected' }}"
- "{{ 'smb already configred' if smb_configured else 'smb not yet configured, will perform' }}"
- "CPU Architecture: {{ cpu_architecture }}"
- "{{ 'Endpoint located at home' if home_endpoint else 'endpoint not home, skipping matt profile setup' }}"
- name: Fact Summary - Collect booleans for test
set_fact:
system_bools:
- "{{ install_nvidia }}"
- "{{ wireless_present }}"
- "{{ webcam_present }}"
- "{{ realtek_present }}"
- "{{ rtl8821ce_present }}"
- "{{ fprint_present }}"
- "{{ howdycam_present }}"
- "{{ smb_configured }}"
- "{{ cpu_architecture }}"
- "{{ home_endpoint }}"
- name: Fact Summary - Output Summary
debug:
msg: "{{ system_info_item }}"
loop: "{{ system_info }}"
loop_control:
loop_var: system_info_item
...

57
tasks/install_base_packages.yaml Normal file
View File

@ -0,0 +1,57 @@
---
- name: Check System Architecture if init_light
when: init_light | bool
block:
- name: Check CPU Arch
shell: "dpkg --print-architecture"
register: cpu_architecture_output
- name: Set cpu_architecture variable
set_fact:
cpu_architecture: "{{ cpu_architecture_output.stdout_lines[0] }}"
- name: Check for base file
shell: ls /opt/cosmos/base-packages-installed
ignore_errors: true
register: base_packages_installed
- name: Install Packages
when: base_packages_installed.failed
block:
- name: Install Terse Packages
apt:
name:
- "{{ cosmos_terse_packages_item }}"
state: present
loop: "{{ cosmos_terse_packages }}"
loop_control:
loop_var: cosmos_terse_packages_item
- name: Install Full Packages
apt:
name:
- "{{ cosmos_base_packages_item }}"
state: present
loop: "{{ cosmos_base_packages }}"
when: not terse_packages | bool
loop_control:
loop_var: cosmos_base_packages_item
- name: Install amd64 Packages
apt:
name:
- "{{ cosmos_amd64_only_item }}"
state: present
loop: "{{ cosmos_amd64_only }}"
when: '"amd64" in cpu_architecture'
loop_control:
loop_var: cosmos_amd64_only_item
- name: Create base-packages-installed
shell: touch /opt/cosmos/base-packages-installed
...

40
tasks/main.yaml Normal file
View File

@ -0,0 +1,40 @@
---
###############################################
# Cosmos Initialization Tasks
###############################################
- name: Preboot Re-Initialize
include_tasks: preboot_fix.yaml
when: not gather_only | bool
- name: Set Hostname
include_tasks: set_hostname.yaml
when: rename_host | bool and not gather_only | bool
- name: Gather Facts
include_tasks: gather_facts.yaml
when: not init_light | bool
- name: Skip when requested
when: not ( gather_only | bool or init_light | bool )
block:
- name: Install Base Packages
include_tasks: install_base_packages.yaml
when: install_packages | bool
- name: Configure SMB
include_tasks: configure_smb.yaml
when: not smb_configured | bool
- name: Realtek Firmware
include_tasks: realtek.yaml
when: realtek_present | bool
- name: Misc Tasks
include_tasks: misc.yaml
when: not gather_only | bool
...

174
tasks/misc.yaml Normal file
View File

@ -0,0 +1,174 @@
---
###############################################
# Miscelaneous pre-run tasks
###############################################
- name: Set timezone to America/Los Angeles
become: true
community.general.timezone:
name: America/Los_Angeles
- name: Update Grub
when: update_grub_timeout | bool
block:
- name: Check for /etc/default/grub
stat:
path: /etc/default/grub
register: grub_file
- name: Set Grub timeout 1s
when: grub_file.stat.exists
lineinfile:
path: /etc/default/grub
regexp: 'GRUB_TIMEOUT=5'
line: ' GRUB_TIMEOUT=1'
- name: Update GRUB
when: grub_file.stat.exists
shell: update-grub
become: yes
- name: Disable ssh host checking for root
copy:
content: |
Host *
StrictHostKeyChecking no
dest: /root/.ssh/config
owner: root
group: root
mode: '0600'
###############################################
# Update cosmos scripts
###############################################
- name: Preboot fix - Copy Files
block:
- name: update_issue.sh
copy:
src: /var/jenkins_home/ansible/roles/pxe_server/files/init/update_issue.sh
dest: /root/update_issue.sh
mode: 0755
- name: stat.sh
copy:
src: /var/jenkins_home/ansible/roles/pxe_server/files/init/stat.sh
dest: /root/stat.sh
mode: 0755
###############################################
# Passwordless SSH-ing for root
###############################################
- name: Save private key file
when: not public_deploy | bool
copy:
dest: /root/.ssh/id_rsa
owner: root
group: root
mode: '0600'
content: "{{ matt_private_key }}"
- name: Create ssh config in skel
file:
path: /etc/skel/.ssh/
state: directory
mode: '0700'
- name: Disable ssh host checking for everyone
copy:
content: |
Host *
StrictHostKeyChecking no
dest: /etc/skel/.ssh/config
mode: '0600'
###############################################
# MPV Stuff
###############################################
- name: Create mpv config in skel
when: not init_light | bool
file:
path: /etc/skel/.config/mpv
state: directory
mode: '0700'
- name: Enable mpv support for hardware acceleration
when: not init_light | bool
# https://wiki.debian.org/HardwareVideoAcceleration#:~:text=To%20enable%20it%2C%20use%20the,conf).
copy:
content: |
hwdec
dest: /etc/skel/.config/mpv/mpv.conf
mode: '0600'
###############################################
# Create admin_users group
###############################################
- name: Create admin_users group
block:
- name: Create group
group:
name: admin_users
state: present
- name: check sudoers.d path
file:
path: /etc/sudoers.d/
state: directory
mode: '0700'
- name: Make sure admin_users exists
shell: touch /etc/sudoers.d/admin_users
- name: Add admin_users group to sudoers
lineinfile:
path: /etc/sudoers.d/admin_users
state: present
regexp: '^%admin_users'
line: '%admin_users ALL=(ALL:ALL) ALL'
###############################################
# Final Miscelenea
###############################################
# This will allow all users access to install apps in the app store
- name: Allow app store access for all users
copy:
content: |
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.packagekit.package-install" ||
action.id == "org.freedesktop.packagekit.package-remove" ||
action.id == "org.freedesktop.packagekit.system-update") {
return polkit.Result.YES;
}
});
dest: /etc/polkit-1/rules.d/10-allow-kde-store.rules
owner: root
group: root
mode: '0644'
- name: Remove Default Users
when: not save_pi_user | bool
shell: "deluser {{ default_users_item }}"
loop: "{{ default_users }}"
ignore_errors: yes
loop_control:
loop_var: default_users_item
- name: remove default openvpn profile if hyperv or requested
shell: |
systemctl stop openvpn-client@cosmos-client.service
systemctl disable openvpn-client@cosmos-client.service
systemctl daemon-reload
when: "'Hyper-V' in ansible_facts.chassis_version or no_vpn is defined and no_vpn or remove_default_vpn"
...

144
tasks/preboot_fix.yaml Normal file
View File

@ -0,0 +1,144 @@
---
- name: Check for cosmos user
shell: "getent passwd | grep cosmos"
register: cosmos_info
ignore_errors: true
- name: Set cosmos_exists
set_fact:
cosmos_exists: "{{ not cosmos_info.failed | bool }}"
- name: Add the SSH public key to authorized_keys
authorized_key:
user: "root"
key: "{{ matt_public_key }}"
state: present
path: "/root/.ssh/authorized_keys"
###############################################
# Update sources.list file
# Do this first for the Pi's
###############################################
# check debian version
- name: Check for contrib non-free in current sources.list
shell: cat /etc/os-release | grep VERSION_CODENAME | cut -d '=' -f 2
register: debian_version_codename
# set deb_version fact
- name: set deb_version variable
set_fact:
deb_version: "{{ debian_version_codename.stdout_lines[0] }}"
# show deb_version
- name: show deb_version
debug:
msg: "Debian version codename: {{ deb_version }}"
# This should only ever be true immediately after imaging
- name: Check for contrib non-free in current sources.list
command: grep -q 'contrib non-free' /etc/apt/sources.list
register: contrib_non_free_present
ignore_errors: true
# Copy new file if needed
- name: Copy new sources.list if contrib non-free is not present or is ARM chip
template:
src: sources.list.j2
dest: /etc/apt/sources.list
when: contrib_non_free_present.failed or '"arm" in cpu_architecture'
- name: Update APT
apt:
update_cache: yes
- name: Upgrade packages
when: not init_light | bool
apt:
upgrade: dist
###############################################
# If the cosmos user doesn't exist, time to
# load up the prereqs
###############################################
- name: initialize preboot when not cosmos_exists
when: not cosmos_exists
block:
- name: Install Preboot Packages
when: not init_light | bool or '"arm" in cpu_architecture'
apt:
name:
- "{{ preboot_packages_item }}"
state: present
loop: "{{ preboot_packages }}"
loop_control:
loop_var: preboot_packages_item
- name: Preboot fix - create /opt/cosmos
file:
path: /opt/cosmos
state: directory
mode: '0755'
- name: Preboot fix - set root password
user:
name: "root"
password: "{{ cosmos_root_password | password_hash('sha512') }}"
- name: Preboot fix - Copy Files
block:
- name: update_issue.service
when: not init_light | bool and '"amd" in cpu_architecture' | bool
copy:
src: /var/jenkins_home/ansible/roles/pxe_server/files/init/update_issue.service
dest: /etc/systemd/system/update_issue.service
mode: 0644
- name: .bashrc
copy:
src: /var/jenkins_home/ansible/roles/pxe_server/files/init/.bashrc
dest: /root/.bashrc
mode: 0644
- name: create /root/.config/htop
file:
path: /root/.config/htop
state: directory
mode: '0755'
- name: htoprc
copy:
src: /var/jenkins_home/ansible/roles/pxe_server/files/init/htoprc
dest: /root/.config/htop/htoprc
mode: 0644
- name: 00-update-issue.conf
when: not init_light | bool and '"amd" in cpu_architecture' | bool
copy:
src: /var/jenkins_home/ansible/roles/pxe_server/files/init/00-update-issue.conf
dest: /etc/cron.d/update-issue
mode: 0644
- name: 00-root-allow.conf
copy:
src: /var/jenkins_home/ansible/roles/pxe_server/files/init/00-root-allow.conf
dest: /etc/ssh/sshd_config.d/00-root-allow-ssh.conf
mode: 0644
- name: enable update_issue.service
when: not init_light | bool and '"amd" in cpu_architecture' | bool
shell: |
systemctl daemon-reload
systemctl enable update_issue.service
systemctl start update_issue.service
- name: Preboot fix - create cosmos user
user:
name: "cosmos"
password: "{{ cosmos_password | password_hash('sha512') }}"
shell: /bin/bash
...

77
tasks/realtek.yaml Normal file
View File

@ -0,0 +1,77 @@
---
###############################################
# Pipeline to install realtek drivers
###############################################
- name: Realtek - Pre-install - Display lspci output
debug:
msg: "{{ realtek_adapters }}"
ignore_errors: true
- name: Realtek - Pre-install - get interfaces
shell: ip ad | grep def | grep -v -e dock -e veth -e lo -e tun | cut -d ":" -f 1-2
register: og_iface_list
- name: Realtek - Pre-install - Display interfaces
debug:
msg: "{{ og_iface_list.stdout_lines }}"
- name: Realtek - Pre-install - Check if already installed
command: dpkg -l firmware-realtek
register: realtek_installed
ignore_errors: true
- name: Realtek - Install Firmware Package
apt:
name:
- firmware-realtek
state: present
register: apt_result
when: realtek_installed.failed | bool
- name: Realtek - Reboot Endpoint if just installed
reboot:
msg: "Rebooting endpoint"
when: realtek_installed.failed | bool
- name: Realtek - Post-install - get interfaces
shell: ip ad | grep def | grep -v -e dock -e veth -e lo -e tun | cut -d ":" -f 1-2
register: rltk_iface_list
when: realtek_installed.failed | bool
- name: Realtek - Post-install - Display interfaces
debug:
msg: "{{ rltk_iface_list.stdout_lines }}"
when: realtek_installed.failed | bool
- name: Realtek - rtl8821ce install
when: rtl8821ce_present | bool
block:
- name: rtl8821ce - Install prereqs
apt:
name:
- bc
- module-assistant
- build-essential
- dkms
state: present
- name: rtl8821ce - clone the repo
shell: "git clone https://github.com/tomaspinho/rtl8821ce.git /opt/cosmos"
- name: rtl8821ce - make prepare and install
shell: |
touch /etc/modprobe.d/blacklist.conf
yes | m-a prepare
./dkms-install.sh
args:
chdir: /opt/cosmos/rtl8821ce
- name: rtl8821ce - blacklist the thing
lineinfile:
path: "/etc/modprobe.d/blacklist.conf"
regexp: '^blacklist rtw88_8821ce'
...

33
tasks/set_hostname.yaml Normal file
View File

@ -0,0 +1,33 @@
---
- name: Get Old Hostname
shell: hostname
register: old_hostname
- name: set prop_hostname
set_fact:
prop_hostname: "{{ new_hostname }}"
- name: Add domain
set_fact:
prop_hostname: "{{ new_hostname }}.home.cosmos"
when: add_domain | bool
- name: Display hostname info
debug:
msg:
- "Old hostname was {{ old_hostname.stdout_lines[0] }}"
- "New hostname will be {{ prop_hostname }}"
- name: Rename Endpoint
hostname:
name: "{{ prop_hostname }}"
- name: Add FQDN to hosts file
lineinfile:
path: /etc/hosts
regexp: '{{ old_hostname.stdout_lines[0] }}'
line: '127.0.0.1 {{ prop_hostname }}'
...

21
templates/smb.conf.j2 Normal file
View File

@ -0,0 +1,21 @@
# smb.conf
# matt-cloud default
[global]
workgroup = HOME
netbios name = HOME
guest account = nobody
security = user
map to guest = bad user
[share]
path = /media/share
writable = yes
read only = no
only guest = yes
public = yes
guest ok = yes
guest only = yes
guest account = nobody
browsable = yes

11
templates/sources.list.j2 Executable file
View File

@ -0,0 +1,11 @@
deb http://ftp.us.debian.org/debian {{ deb_version }} main non-free-firmware contrib non-free
deb-src http://ftp.us.debian.org/debian {{ deb_version }} main non-free-firmware contrib non-free
deb http://security.debian.org/debian-security {{ deb_version }}-security main non-free-firmware contrib non-free
deb-src http://security.debian.org/debian-security {{ deb_version }}-security main non-free-firmware contrib non-free
# {{ deb_version }}-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb http://ftp.us.debian.org/debian {{ deb_version }}-updates main non-free-firmware contrib non-free
deb-src http://ftp.us.debian.org/debian {{ deb_version }}-updates main non-free-firmware contrib non-free