From 1d097a5af35a626d2534a8dfce0e35f5aabe19e5 Mon Sep 17 00:00:00 2001
From: Knut Ahlers
Date: Wed, 28 Aug 2024 15:21:25 +0200
Subject: [PATCH] Add base-setup playbook

Signed-off-by: Knut Ahlers
---
 Makefile                                      | 14 +++++++++
 PKGBUILD                                      |  9 +++++-
 .../share/luzifer/base-setup/files/locale.gen | 25 ++++++++++++++++
 .../luzifer/base-setup/files/timesyncd.conf   | 14 +++++++++
 base/usr/share/luzifer/base-setup/inventory   |  2 ++
 .../share/luzifer/base-setup/playbook.yaml    |  9 ++++++
 .../luzifer/base-setup/tasks/locale.yaml      | 24 +++++++++++++++
 .../luzifer/base-setup/tasks/security.yaml    |  9 ++++++
 .../luzifer/base-setup/tasks/systemtime.yaml  | 26 ++++++++++++++++
 luzifer-base.install                          | 30 +++++--------------
 10 files changed, 139 insertions(+), 23 deletions(-)
 create mode 100644 Makefile
 create mode 100644 base/usr/share/luzifer/base-setup/files/locale.gen
 create mode 100644 base/usr/share/luzifer/base-setup/files/timesyncd.conf
 create mode 100644 base/usr/share/luzifer/base-setup/inventory
 create mode 100644 base/usr/share/luzifer/base-setup/playbook.yaml
 create mode 100644 base/usr/share/luzifer/base-setup/tasks/locale.yaml
 create mode 100644 base/usr/share/luzifer/base-setup/tasks/security.yaml
 create mode 100644 base/usr/share/luzifer/base-setup/tasks/systemtime.yaml

diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..8a9b693
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,14 @@
+default:
+
+apply-playbook:
+	ansible-playbook \
+		--diff \
+		--inventory base/usr/share/luzifer/base-setup/inventory \
+		base/usr/share/luzifer/base-setup/playbook.yaml
+
+test-playbook:
+	ansible-playbook \
+		--check \
+		--diff \
+		--inventory base/usr/share/luzifer/base-setup/inventory \
+		base/usr/share/luzifer/base-setup/playbook.yaml
diff --git a/PKGBUILD b/PKGBUILD
index f324dab..14d3ff3 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -7,7 +7,7 @@ pkgname=(
   luzifer-gui
   luzifer-lenovo-gui
 )
-pkgver=0.9.7
+pkgver=0.10.0
 pkgrel=1
 pkgdesc='System configuration for @luzifer systems'
 arch=(any)
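Review bot: Neither the `apply-playbook` recipe nor the playbook it invokes requests privilege escalation, yet every task in the playbook writes under /etc or manages systemd units, so `make apply-playbook` only succeeds when the whole make invocation runs as root. Add `--become` to the `ansible-playbook` call in `apply-playbook` (or `become: true` on the play) so the target is usable from an ordinary shell; `test-playbook` should probably carry it too, since `--check` against root-owned targets may otherwise report permission errors instead of the intended diff. A one-line comment above `apply-playbook` saying it modifies the local machine (the inventory is `ansible_connection=local`) would also spare someone running it by accident on a dev box.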
@@ -47,6 +47,7 @@ package_luzifer-base() {
 
   # Add system utils
   depends+=(
+    ansible-core
     bc
     curl
     ddrescue
@@ -70,6 +71,12 @@ package_luzifer-base() {
     wget
   )
 
+  # Add security utils
+  depends+=(
+    apparmor
+    audit
+  )
+
   # Add custom sytem utils
   depends+=(
     arch-update
diff --git a/base/usr/share/luzifer/base-setup/files/locale.gen b/base/usr/share/luzifer/base-setup/files/locale.gen
new file mode 100644
index 0000000..b8d022e
--- /dev/null
+++ b/base/usr/share/luzifer/base-setup/files/locale.gen
@@ -0,0 +1,25 @@
+# Configuration file for locale-gen
+#
+# lists of locales that are to be generated by the locale-gen command.
+#
+# Each line is of the form:
+#
+#
+# where is one of the locales given in /usr/share/i18n/locales
+# and is one of the character sets listed in /usr/share/i18n/charmaps
+#
+# Examples:
+# en_US ISO-8859-1
+# en_US.UTF-8 UTF-8
+# de_DE ISO-8859-1
+# de_DE@euro ISO-8859-15
+#
+# The locale-gen command will generate all the locales,
+# placing them in /usr/lib/locale.
+#
+# A list of supported locales is included in this file.
+# Uncomment the ones you need.
+
+en_US.UTF-8 UTF-8
+en_US ISO-8859-1
diff --git a/base/usr/share/luzifer/base-setup/files/timesyncd.conf b/base/usr/share/luzifer/base-setup/files/timesyncd.conf
new file mode 100644
index 0000000..3682129
--- /dev/null
+++ b/base/usr/share/luzifer/base-setup/files/timesyncd.conf
@@ -0,0 +1,14 @@
+# Ansible-Managed by base-setup
+
+# Entries in this file show the compile time defaults.
+# You can change settings by editing this file.
+# Defaults can be restored by simply deleting this file.
+#
+# See timesyncd.conf(5) for details.
+
+[Time]
+NTP=ptbtime1.ptb.de ptbtime2.ptb.de ptbtime3.ptb.de ntp1.lrz.de ntp3.lrz.de ntps1-0.cs.tu-berlin.de ntps1-1.cs.tu-berlin.de
+#FallbackNTP=0.arch.pool.ntp.org 1.arch.pool.ntp.org 2.arch.pool.ntp.org 3.arch.pool.ntp.org
+#RootDistanceMaxSec=5
+#PollIntervalMinSec=32
+#PollIntervalMaxSec=2048
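Review bot: The server list on the `NTP=` line is consumed by systemd-timesyncd, which is a plain SNTP client with no source authentication (no NTS, no symmetric keys), so an on-path attacker on any network these hosts join can step the clock; that in turn weakens TLS certificate-validity checks and the timestamps auditd writes, which this same change starts relying on. If that is an accepted risk it should be stated in the file header, e.g. `# NOTE: timesyncd does not authenticate replies; use chrony with NTS if clock integrity matters`. Leaving `#FallbackNTP=` commented keeps the compiled-in arch.pool fallback rather than disabling it, which is presumably intended but reads the opposite way; a short comment saying the fallback is deliberately left at its default would avoid the confusion.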
diff --git a/base/usr/share/luzifer/base-setup/inventory b/base/usr/share/luzifer/base-setup/inventory
new file mode 100644
index 0000000..c4e45d1
--- /dev/null
+++ b/base/usr/share/luzifer/base-setup/inventory
@@ -0,0 +1,2 @@
+[localhost]
+localhost01 ansible_connection=local
diff --git a/base/usr/share/luzifer/base-setup/playbook.yaml b/base/usr/share/luzifer/base-setup/playbook.yaml
new file mode 100644
index 0000000..f4860fb
--- /dev/null
+++ b/base/usr/share/luzifer/base-setup/playbook.yaml
@@ -0,0 +1,9 @@
+---
+
+- hosts: all
+  tasks:
+    - include_tasks: tasks/systemtime.yaml
+    - include_tasks: tasks/locale.yaml
+    - include_tasks: tasks/security.yaml
+
+...
diff --git a/base/usr/share/luzifer/base-setup/tasks/locale.yaml b/base/usr/share/luzifer/base-setup/tasks/locale.yaml
new file mode 100644
index 0000000..979601f
--- /dev/null
+++ b/base/usr/share/luzifer/base-setup/tasks/locale.yaml
@@ -0,0 +1,24 @@
+---
+
+- name: Configure locale.gen
+  copy:
+    src: files/locale.gen
+    dest: /etc/locale.gen
+    owner: root
+    mode: '0644'
+  register: etc_locale_gen
+
+- name: Generate locales
+  command:
+    cmd: locale-gen
+  when: etc_locale_gen.changed
+
+- name: Configure system locale
+  copy:
+    content: |
+      LANG=en_US.UTF-8
+    dest: /etc/locale.conf
+    owner: root
+    mode: '0644'
+
+...
diff --git a/base/usr/share/luzifer/base-setup/tasks/security.yaml b/base/usr/share/luzifer/base-setup/tasks/security.yaml
new file mode 100644
index 0000000..dae0158
--- /dev/null
+++ b/base/usr/share/luzifer/base-setup/tasks/security.yaml
@@ -0,0 +1,9 @@
+---
+
+- name: Enable auditd
+  systemd:
+    enabled: true
+    name: auditd.service
+    state: started
+
+...
diff --git a/base/usr/share/luzifer/base-setup/tasks/systemtime.yaml b/base/usr/share/luzifer/base-setup/tasks/systemtime.yaml
new file mode 100644
index 0000000..adf4617
--- /dev/null
+++ b/base/usr/share/luzifer/base-setup/tasks/systemtime.yaml
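Review bot: The `Enable auditd` task starts the daemon but nothing in this change installs audit rules, so with an empty rules directory auditd records little beyond the kernel's default events and the new `audit` dependency buys very little. Install a rules file and load it, following the same register-then-command pattern locale.yaml already uses for `locale-gen`; the file itself (`files/audit.rules`) would be a new addition to the commit. Processes started before auditd are only captured with `audit=1` on the kernel command line, which this playbook does not set — if that is intentional, a comment on the task saying so would help.
```yaml
# … unchanged: Enable auditd task …

- name: Install audit rules
  copy:
    src: files/audit.rules
    dest: /etc/audit/rules.d/base-setup.rules
    owner: root
    mode: '0640'
  register: etc_audit_rules

- name: Load audit rules
  command:
    cmd: augenrules --load
  when: etc_audit_rules.changed
```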
@@ -0,0 +1,26 @@
+---
+
+- name: Configure system timezone
+  file:
+    src: /usr/share/zoneinfo/Europe/Berlin
+    dest: /etc/localtime
+    force: true
+    state: link
+
+- name: Configure systemd-timesyncd
+  copy:
+    src: files/timesyncd.conf
+    dest: /etc/systemd/timesyncd.conf
+    owner: root
+    mode: '0644'
+  register: etc_systemd_timesyncd_conf
+
+- name: Restart systemd-timesyncd
+  systemd:
+    daemon_reload: true
+    enabled: true
+    name: systemd-timesyncd.service
+    state: restarted
+  when: etc_systemd_timesyncd_conf.changed
+
+...
diff --git a/luzifer-base.install b/luzifer-base.install
index 4e75283..67f3bb2 100644
--- a/luzifer-base.install
+++ b/luzifer-base.install
@@ -1,28 +1,14 @@
 post_install() {
-  post_upgrade
+  post_upgrade
 }
 
 post_upgrade() {
-  # Set NTP servers
-  local ntp_servers=(
-    ptbtime1.ptb.de
-    ptbtime2.ptb.de
-    ptbtime3.ptb.de
-    ntp1.lrz.de
-    ntp3.lrz.de
-    ntps1-0.cs.tu-berlin.de
-    ntps1-1.cs.tu-berlin.de
-  )
-  sed -i -E "s/^#?NTP=.*$/NTP=$(echo ${ntp_servers[@]})/" /etc/systemd/timesyncd.conf
+  # Enable auditd & AppArmor
+  systemctl enable auditd.service
 
-  # Enable timesync
-  systemctl enable --now systemd-timesyncd
-
-  # Set local time
-  ln -sf /usr/share/zoneinfo/Europe/Berlin "/etc/localtime"
-
-  # Enable en_US locale
-  echo "LANG=en_US.UTF-8" >/etc/locale.conf
-  sed 's/#en_US/en_US/' -i /etc/locale.gen
-  locale-gen
+  # Apply base-setup playbook
+  ansible-playbook \
+    --diff \
+    --inventory usr/share/luzifer/base-setup/inventory \
+    usr/share/luzifer/base-setup/playbook.yaml
 }
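Review bot: The `when: etc_systemd_timesyncd_conf.changed` on the `Restart systemd-timesyncd` task also gates `enabled: true` and the start, so on a host where the unit was disabled or stopped but the config file already matches, a rerun never brings it back — the scriptlet this replaces ran `systemctl enable --now systemd-timesyncd` unconditionally and was stronger here. Split it into an unconditional enable/start task and a restart task that keeps the `when:`. `daemon_reload: true` can go as well: /etc/systemd/timesyncd.conf is a daemon config, not a unit file, so reloading the manager does nothing for this change.
```yaml
# … unchanged: timezone and timesyncd.conf copy tasks …

- name: Enable systemd-timesyncd
  systemd:
    enabled: true
    name: systemd-timesyncd.service
    state: started

- name: Restart systemd-timesyncd
  systemd:
    name: systemd-timesyncd.service
    state: restarted
  when: etc_systemd_timesyncd_conf.changed
```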
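Review bot: The comment `# Enable auditd & AppArmor` overstates what follows: only `systemctl enable auditd.service` runs, which duplicates the `Enable auditd` task in tasks/security.yaml that the playbook call right below already applies, and nothing enables `apparmor.service` or sets the `lsm=` kernel parameter AppArmor needs on the stock Arch kernel, so the new `apparmor` dependency in PKGBUILD is inert as far as this commit goes. Either drop the duplicated line and change the comment to `# auditd is enabled by the playbook`, or add `systemctl enable apparmor.service` here with a note that the boot-time `lsm=…apparmor…` parameter is left to the bootloader configuration this package does not manage. The relative `usr/share/luzifer/base-setup/...` paths rely on pacman running scriptlets with the install root as working directory; stating that in a one-line comment, e.g. `# pacman runs scriptlets from the install root, so paths are relative to /`, would save the next reader a check.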