Commit 7997f69d authored by bbguimaraes's avatar bbguimaraes

ansible: add work configuration

parent 8dfb8df4
......@@ -69,6 +69,13 @@ For personal systems:
$ ansible-playbook ansible/install/personal.yaml
For work:
$ ansible-playbook --user root ansible/install/work.yaml
$ ansible-playbook ansible/install/work_user.yaml
Enable Kerberos in Firefox: https://wiki.archlinux.org/title/Kerberos#Firefox.
Conclusion
----------
......
- hosts: work
vars:
certificates:
- - https://password.corp.redhat.com/legacy.crt
- legacy.crt
- Red Hat IS CA
- - https://password.corp.redhat.com/RH-IT-Root-CA.crt
- RH-IT-Root-CA.crt
- Red Hat IT Root CA
pkgs:
- >-
krb5 openvpn
tasks:
- name: install packages
package:
name: '{{ (pkgs|join(" ")).split(" ") }}'
- name: create configuration directories
file:
state: directory
path: "{{ item }}"
loop:
- /etc/krb5.conf.d
- name: initialize Kerberos configuration file
copy:
content: |
includedir /etc/krb5.conf.d
dest: /etc/krb5.conf
- name: copy configuration files
copy:
src: "{{ item }}"
dest: "{{ item }}"
mode: preserve
loop:
- /etc/krb5.conf.d/redhat.conf
- /etc/openvpn/RH-IT-Root-CA.crt
- name: copy OpenVPN configuration file
copy:
src: ../work/openvpn.conf
dest: /etc/openvpn/client/redhat_brq.conf
mode: preserve
- name: copy VPN sudoer script
copy:
src: ../work/openvpn.sh
dest: /usr/local/bin/openvpn.sh
mode: preserve
- name: allow wheel to start a VPN connection without a password
copy:
dest: /etc/sudoers.d/openvpn
owner: root
group: root
mode: 0440
validate: visudo -cf %s
content: |
%wheel ALL=(ALL) NOPASSWD: /usr/local/bin/openvpn.sh *
- name: list trusted certificates
command:
argv:
- trust
- list
register: trust
changed_when: false
- name: download certificates
get_url:
url: "{{ item.0 }}"
dest: /tmp/{{ item.1 }}
when: "item.2 not in trust.stdout"
loop: "{{ certificates }}"
- name: trust certificates
command:
argv:
- trust
- anchor
- /tmp/{{ item.1 }}
when: "item.2 not in trust.stdout"
loop: "{{ certificates }}"
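Review bot: The `download certificates` task fetches the two root CA files with `get_url` but no `checksum:`, and the `trust certificates` task then runs `trust anchor` on whatever landed in `/tmp`, so a wrong or tampered download becomes a system-wide trust anchor for the host. Pin the expected digest, `checksum: "sha256:<expected digest placeholder>"`, and write the file under a root-owned directory rather than the world-writable `/tmp`, quoting the templated path as `dest: "/tmp/{{ item.1 }}"` either way. The `when: "item.2 not in trust.stdout"` guard is a substring match on the `trust list` output, so a label that is a prefix of another entry would be skipped; that looks fine for these two names but deserves a comment. The sudoers rule in `allow wheel to start a VPN connection without a password` grants `openvpn.sh *` for any argument and relies on the script's `basename` to stay inside `/etc/openvpn/client`; naming the one config this commit installs, `NOPASSWD: /usr/local/bin/openvpn.sh redhat_brq.conf`, would not depend on the script for that.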
- hosts: work
vars:
home: '{{ ansible_env.HOME }}'
src_dir: '{{ home }}/src'
tasks:
- name: setup dotfile symlinks
file:
state: link
src: '{{ src_dir }}/dotfiles/{{ item.0 }}'
dest: '{{ home }}/{{ item.1 }}'
loop:
- ['mutt/muttrc_redhat', '.mutt/muttrc_redhat']
- ['offlineimap/redhat', '.config/offlineimap/redhat']
- name: setup other symlinks
file:
state: link
src: '{{ home }}/{{ item.0 }}'
dest: '{{ home }}/{{ item.1 }}'
loop:
- ['n/comp/scripts/dev.sh', '.local/bin/d']
- ['n/archive/work/redhat', 'rh']
- ['rh/scripts/gotestsum.sh', '.local/bin/gotestsum']
- ['rh/scripts/redhat.sh', '.local/bin/rh']
- name: enable and start services
systemd:
enabled: true
state: started
name: '{{ item }}'
scope: user
daemon_reload: true
loop:
- offlineimap@redhat
- name: make scripts in Nextcloud executable
file:
state: file
path: "{{ home }}/{{ item }}"
mode: "0755"
loop:
- n/comp/scripts/dev.sh
- rh/scripts/gotestsum.sh
- rh/scripts/redhat.sh
- hosts: desktops:&work:&arch
name: aur pkgs
tags: aur
tasks:
- import_tasks: aur.yaml
vars: {"pkg": "gotags"}
- import_tasks: aur.yaml
vars: {"pkg": "golangci-lint"}
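Review bot: The `setup dotfile symlinks` task links into `.mutt/` and `.config/offlineimap/`, but nothing in this play creates those parent directories, and as far as I recall `file` with `state: link` does not create them, so the play would fail on a fresh home; a preceding `file: state: directory` loop over the two parents, like the one in the root play, would make it work from scratch. The `make scripts in Nextcloud executable` task uses `state: file`, which errors if the path does not exist yet, so it silently assumes the Nextcloud sync has already run; a `when` guard on a `stat` result or a comment stating that ordering would help the next reader. As a point of style, `vars: {"pkg": "gotags"}` in the aur play is JSON-style flow with quoted keys while the rest of the file uses block mappings; `vars:` with `pkg: gotags` on the next line reads consistently.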
remote ovpn-brq.redhat.com 443 udp
pull
auth-user-pass
tls-client
persist-key
ping 30
nobind
persist-tun
dev tun
auth-nocache
cipher AES-256-CBC
verify-x509-name ovpn.redhat.com name
reneg-sec 0
ping-exit 120
topology subnet
route-delay 5
ca /etc/openvpn/RH-IT-Root-CA.crt
# DNS
# https://wiki.archlinux.org/title/OpenVPN#DNS
script-security 2
up /usr/share/openvpn/contrib/pull-resolv-conf/client.up
plugin /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so "/usr/share/openvpn/contrib/pull-resolv-conf/client.down tun0"
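Review bot: The client config pins the server name with `verify-x509-name ovpn.redhat.com name` but has no `remote-cert-tls server`, so any certificate the CA has issued with that name would be accepted regardless of its key usage; adding `remote-cert-tls server` makes the client also require the server extended-key-usage. `cipher AES-256-CBC` is the legacy single-cipher option; recent OpenVPN clients warn about it and negotiate through `data-ciphers`, so `data-ciphers AES-256-GCM:AES-256-CBC` keeps the current cipher as a fallback while preferring an AEAD mode, provided the server offers it. The `script-security 2`, `up` and `plugin` lines are what the DNS handling needs, as the comment says; a note that the `tun0` argument to the down plugin has to match the device `dev tun` actually gets would save a reader a guess.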
#!/bin/sh
set -eu
[ "$#" -eq 1 ] || { echo >&2 Usage: $0 name; exit 1; }
f=$(basename "$1")
exec openvpn --daemon --config "/etc/openvpn/client/$f"
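Review bot: This script is the target of a NOPASSWD sudo rule, so it is the only check between a wheel user and a root OpenVPN process; `basename` keeps the path inside `/etc/openvpn/client`, but an empty or nonexistent name still reaches `exec openvpn` and fails with an unclear error. A guard before the exec, `[ -f "/etc/openvpn/client/$f" ] || { echo >&2 "$0: no such config: $f"; exit 1; }`, rejects those early with a clear message. The usage line leaves `$0` unquoted, so `echo >&2 "Usage: $0 name"` avoids word-splitting if the script path ever contains spaces.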
......@@ -15,20 +15,21 @@ main() {
tmux split-window -t "$target.0" -l 1000 journalctl -f
tmux split-window -t "$target.1" -l 1000 ikhal
tmux split-window -t "$target.2" -l 1000 d todo
if [[ "$HOSTNAME" != wamozart ]]; then
tmux split-window -t "$target.3" -l 1000 d mutt proton
tmux split-window -t "$target.4" -l 1000 d mutt gmail
tmux split-window -t "$target.5" -l 1000 d weechat
tmux split-window -t "$target.6" -l 1000
tmux select-layout -t "$target" tiled
else
case "$HOSTNAME" in
rh*)
tmux split-window -t "$target.3" -l 1000 d mutt redhat
tmux split-window -t "$target.4" -l 1000 \
ssh -t file.emea.redhat.com screen -dR
tmux split-window -t "$target.5" -l 1000
tmux select-layout -t "$target" tiled
tmux new-window -t "$SESSION:1" d weechat
fi
tmux new-window -t "$SESSION:1" d weechat;;
*)
tmux split-window -t "$target.3" -l 1000 d mutt proton
tmux split-window -t "$target.4" -l 1000 d mutt gmail
tmux split-window -t "$target.5" -l 1000 d weechat
tmux split-window -t "$target.6" -l 1000
tmux select-layout -t "$target" tiled;;
esac
attach
}
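Review bot: In the new `case`, the `;;` terminators are appended to the last command of each arm (`d weechat;;`, `tiled;;`), which makes the arm boundary easy to miss next to the multi-line `tmux` invocations; putting `;;` on its own line at the arm's indent is the usual shape. The `rh*` hostname glob introduced here is the same test the other script in this commit uses for `work`; if the work-host check changes again, a single shared predicate would avoid updating both. `main()` starts before the hunk.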
......
......@@ -11,7 +11,7 @@ main() {
complete) cmd_complete;;
keyboard) keyboard;;
services) services;;
wamozart) wamozart;;
work) work;;
*) usage;;
esac
}
......@@ -26,7 +26,7 @@ Commands:
complete
keyboard
services
wamozart
work
EOF
return 1
}
......@@ -41,21 +41,20 @@ cmd_complete() {
}
cmd_all() {
if [[ "$HOSTNAME" == wamozart ]]; then
wamozart
else
pass show test > /dev/null
fi
case "$HOSTNAME" in
rh*) work;;
*) pass show test > /dev/null;;
esac
command d cal
command d mail
[[ "$HOSTNAME" == rh* ]] && command d mail
init_temp
keyboard
services
}
wamozart() {
if ! nmcli connection show --active | grep -q brq_vpn; then
command d office vpn
work() {
if ! ip link show tun0 > /dev/null ; then
sudo /usr/local/bin/openvpn.sh redhat_brq.conf
fi
if ! klist > /dev/null; then
tmux split-window sh -c 'kinit bbarcaro'
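Review bot: `if ! klist > /dev/null; then` in the new `work()` still lets klist write its no-credentials message to stderr on every run; klist has a silent status mode for exactly this test, so `if ! klist -s; then` gives the same exit-code check without the noise. Likewise `ip link show tun0 > /dev/null ; then` prints a device-not-found error to stderr whenever the VPN is down, which is the expected state right before the sudo call; `if ! ip link show tun0 > /dev/null 2>&1; then` keeps it quiet and drops the stray space before `;`. `work()` continues past the end of the hunk.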
......