-rw-r--r-- | playbooks/workstation.yml | 9 | ||||
-rw-r--r-- | roles/workstation/defaults/main.yml | 48 | ||||
-rw-r--r-- | roles/workstation/tasks/doas.yml | 34 | ||||
-rw-r--r-- | roles/workstation/tasks/main.yml | 19 | ||||
-rw-r--r-- | roles/workstation/tasks/os_archlinux.yml | 35 | ||||
-rw-r--r-- | roles/workstation/tasks/os_openbsd.yml | 72 | ||||
-rw-r--r-- | roles/workstation/tasks/pkgs.yml | 7 | ||||
-rw-r--r-- | roles/workstation/tasks/shell.yml | 8 | ||||
-rw-r--r-- | roles/workstation/tasks/smartcard.yml | 5 | ||||
-rw-r--r-- | roles/workstation/tasks/tlp.yml | 10 | ||||
-rwxr-xr-x | roles/workstation/templates/apm-hibernate | 5 | ||||
-rwxr-xr-x | roles/workstation/templates/apm-resume | 16 | ||||
-rwxr-xr-x | roles/workstation/templates/apm-suspend | 5 | ||||
-rw-r--r-- | roles/workstation/templates/xorg-intel.conf | 9 |
14 files changed, 282 insertions, 0 deletions
diff --git a/playbooks/workstation.yml b/playbooks/workstation.yml
new file mode 100644
index 0000000..9510b2b
--- /dev/null
+++ b/playbooks/workstation.yml
@@ -0,0 +1,9 @@
+- hosts: localhost
+
+ pre_tasks:
+ - name: verify running as root
+ fail:
+ when: ansible_user_id != "root"
+
+ roles:
+ - role: workstation
diff --git a/roles/workstation/defaults/main.yml b/roles/workstation/defaults/main.yml
new file mode 100644
index 0000000..aff0a65
--- /dev/null
+++ b/roles/workstation/defaults/main.yml
@@ -0,0 +1,48 @@
+workstation_user: qwd
+
+workstation_pkgs:
+ common:
+ - dmenu
+ - feh
+ - fzf
+ - git
+ - gnupg
+ - htop
+ - ipmitool
+ - mpv
+ - neovim
+ - qutebrowser
+ - rtorrent
+ - syncthing
+ - tor
+ - unzip
+ - wget
+ - zip
+ - zsh
+
+ archlinux:
+ - acpi
+ - ansible
+ - ansible-lint
+ - base-devel
+ - docker
+ - docker-compose
+ - gopass
+ - opendoas
+ - pamixer
+ - pcsc-tools
+ - pipewire
+ - pipewire-pulse
+ - python-poetry
+ - tar
+ - torbrowser-launcher
+ - wireguard-tools
+ - xf86-input-synaptics
+ - xorg-xwayland
+
+ openbsd:
+ - tor-browser
+ - pcsc-lite
+ - pcsc-tools
+ - py3-pip
+ - wireguard-tools
diff --git a/roles/workstation/tasks/doas.yml b/roles/workstation/tasks/doas.yml
new file mode 100644
index 0000000..bc72d7f
--- /dev/null
+++ b/roles/workstation/tasks/doas.yml
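Review bot: The `fail:` task in `pre_tasks` of playbooks/workstation.yml has no `msg`, so a non-root run stops with the module's generic failure text instead of saying why. Adding `msg: "this playbook must be run as root"` under `fail:` would make the guard self-explanatory. The check also depends on `ansible_user_id`, which is only populated while fact gathering stays enabled for the play, so a later `gather_facts: false` would break the guard rather than bypass it quietly; a short comment saying so would help.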
@@ -0,0 +1,34 @@
+- name: generate doas configuration
+ lineinfile:
+ path: /etc/doas.conf
+ regexp: "^permit persist keepenv {{ workstation_user }} as root"
+ line: "permit persist keepenv {{ workstation_user }} as root"
+ create: true
+ mode: 0644
+ owner: 0
+ group: 0
+
+- name: allow reboot/shutdown/hibernate with doas
+ lineinfile:
+ path: /etc/doas.conf
+ regexp: "^permit nopass {{ workstation_user }} as root cmd {{ item }}"
+ line: "permit nopass {{ workstation_user }} as root cmd {{ item }}"
+ loop:
+ - ZZZ
+ - mount
+ - reboot
+ - shutdown
+ - zzz
+
+- name: check sudo binary path # noqa no-changed-when
+ command: command -v sudo
+ register: result
+ failed_when: false
+
+- name: uninstall sudo binary
+ package:
+ name: sudo
+ state: absent
+ when: result.rc == 0
+ register: sudo
+ ignore_errors: true
diff --git a/roles/workstation/tasks/main.yml b/roles/workstation/tasks/main.yml
new file mode 100644
index 0000000..f981545
--- /dev/null
+++ b/roles/workstation/tasks/main.yml
@@ -0,0 +1,19 @@
+- name: include packages
+ include_tasks: pkgs.yml
+ tags: task_pkgs
+
+- name: include operating system setup
+ include_tasks: "os_{{ ansible_distribution | lower }}.yml"
+ tags: task_system
+
+- name: include shell setup
+ include_tasks: shell.yml
+ tags: task_shell
+
+- name: include doas setup
+ include_tasks: doas.yml
+ tags: task_doas
+
+- name: include smartcard setup
+ include_tasks: smartcard.yml
+ tags: task_smartcard
diff --git a/roles/workstation/tasks/os_archlinux.yml b/roles/workstation/tasks/os_archlinux.yml
new file mode 100644
index 0000000..40b264b
--- /dev/null
+++ b/roles/workstation/tasks/os_archlinux.yml
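Review bot: The `nopass` loop in doas.yml includes `mount` with no `args` restriction, so `{{ workstation_user }}` can mount any filesystem as root without a password, a far wider grant than the reboot and suspend commands beside it; I would drop `mount` from the loop or give it its own rule with a fixed argument list. The first rule's `keepenv` also carries the user's whole environment into root commands, whereas doas resets the environment by default, so a `setenv { ... }` list limited to what is needed is the narrower choice. Neither `lineinfile` task validates the result, and a malformed `/etc/doas.conf` removes the only escalation path once sudo is uninstalled further down; `validate: 'doas -C %s'` on both tasks would catch that. The sudo removal runs under `ignore_errors: true` and its registered `sudo` variable is never read in this hunk, so a failed removal leaves sudo installed with no signal.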
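Review bot: The `tags:` on each `include_tasks` in tasks/main.yml apply only to the include statement, not to the tasks in the included file, so a run limited with `--tags task_doas` evaluates the include and then skips every task in `doas.yml`. If the tags are meant to select part of the setup, pass them down with the module's `apply:` option (the `file: doas.yml` form with `apply: {tags: [task_doas]}`), keeping the outer `tags:` as is. Separately, `os_{{ ansible_distribution | lower }}.yml` fails with a missing-file error on any distribution other than the two shipped in this commit; an explicit supported-OS assertion ahead of the include would give a clearer failure.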
@@ -0,0 +1,35 @@
+- name: append current user to system groups
+ user:
+ name: "{{ workstation_user }}"
+ groups: "{{ item }}"
+ append: true
+ loop:
+ - docker
+ - wheel
+ - video
+ - audio
+
+- name: enable and start pipewire
+ systemd:
+ name: "{{ item }}"
+ scope: user
+ enabled: true
+ state: started
+ become: true
+ become_method: su
+ become_user: "{{ workstation_user }}"
+ loop:
+ - pipewire
+ - pipewire-pulse
+ - pipewire-media-session
+ when: ansible_service_mgr == "systemd"
+
+- name: ensure that dhcpcd is started
+ service:
+ name: dhcpcd
+ state: started
+ enabled: true
+
+- name: enable battery optimization
+ include_tasks: tlp.yml
+ when: ansible_form_factor in ["Laptop", "Notebook"]
diff --git a/roles/workstation/tasks/os_openbsd.yml b/roles/workstation/tasks/os_openbsd.yml
new file mode 100644
index 0000000..d007263
--- /dev/null
+++ b/roles/workstation/tasks/os_openbsd.yml
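Review bot: Adding `{{ workstation_user }}` to the `docker` group in the first task of os_archlinux.yml gives that account root-equivalent access through the Docker daemon socket with no password prompt, which sidesteps the `persist` password rule that doas.yml sets up. If the trade-off is intended it deserves a comment such as `# docker group is root-equivalent; accepted for a single-user workstation`; otherwise drop `docker` from the loop and use rootless Docker or run the client through doas. The pipewire task also enables `pipewire-media-session`, which is not among the packages listed in `defaults/main.yml`, so it may fail on a fresh install unless another package pulls it in.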
@@ -0,0 +1,72 @@
+- name: ensure wsconsctl config file exists
+ file:
+ path: /etc/wsconsctl.conf
+ state: touch
+ owner: 0
+ group: 0
+ mode: 0644
+
+- name: append configuration to wsconsctl
+ lineinfile:
+ path: /etc/wsconsctl.conf
+ regexp: "^{{ item[0] }}"
+ line: "{{ item[0] }}={{ item[1] }}"
+ create: true
+ owner: 0
+ group: 0
+ mode: 0644
+ loop:
+ - [screen.brightness, 80]
+ - [keyboard.repeat.del1, 180]
+ - [keyboard.repeat.deln, 50]
+ - [keyboard.bell.volume, 0]
+ - [mouse.tp.tapping, 1]
+
+- name: ensure Xorg subdirectory for configuration exists
+ file:
+ path: /etc/X11/xorg.conf.d
+ owner: 0
+ group: 0
+ mode: 0644
+ state: directory
+
+- name: generate system wide configurations
+ template:
+ src: "{{ item[0] }}"
+ dest: "{{ item[1] }}"
+ mode: preserve
+ loop:
+ - [xorg-intel.conf, /etc/X11/xorg.conf.d]
+ - [apm-hibernate, /etc/apm/hibernate]
+ - [apm-suspend, /etc/apm/suspend]
+ - [apm-resume, /etc/apm/resume]
+
+- name: ensure sysctl configuration file exists
+ file:
+ path: /etc/sysctl.conf
+ owner: root
+ mode: 0644
+
+- name: ensure sysctl memory optimizations
+ blockinfile:
+ path: /etc/sysctl.conf
+ block: |
+ kern.shminfo.shmall=3145728
+ kern.shminfo.shmmax=1073741823
+ kern.shminfo.shmmni=1024
+ kern.shminfo.shmseg=1024
+ kern.seminfo.semmns=4096
+ kern.seminfo.semmni=1024
+ marker: "# memory {mark} - managed by Ansible"
+
+- name: ensure sysctl process optimizations
+ blockinfile:
+ path: /etc/sysctl.conf
+ block: |
+ kern.maxfiles=102400
+ kern.maxproc=32768
+ kern.maxfiles=65535
+ kern.bufcachepercent=90
+ kern.maxvnodes=262144
+ kern.somaxconn=2048
+ marker: "# process - {mark} managed by Ansible"
diff --git a/roles/workstation/tasks/pkgs.yml b/roles/workstation/tasks/pkgs.yml
new file mode 100644
index 0000000..fd8a65a
--- /dev/null
+++ b/roles/workstation/tasks/pkgs.yml
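Review bot: `/etc/X11/xorg.conf.d` in os_openbsd.yml is created with `mode: 0644`, which leaves the directory without any search (execute) bit, so non-root processes cannot reach the files inside it; a directory needs `mode: "0755"`. The process block sets `kern.maxfiles` twice (`102400`, then `65535`), so the effective limit depends on which line is applied last, and one of the two should go. The `file` task on `/etc/sysctl.conf` has no `state`, and the default `state: file` does not create a missing file even though the task name says it ensures existence; `state: touch`, or `create: true` on the two `blockinfile` tasks, would match the intent. The other `mode: 0644` values are unquoted integers, which are safer written as `"0644"` so the YAML parser cannot retype them.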
@@ -0,0 +1,7 @@
+- name: install distribution packages
+ package:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - "{{ workstation_pkgs['common'] }}"
+ - "{{ workstation_pkgs[ansible_distribution | lower] }}"
diff --git a/roles/workstation/tasks/shell.yml b/roles/workstation/tasks/shell.yml
new file mode 100644
index 0000000..42b134c
--- /dev/null
+++ b/roles/workstation/tasks/shell.yml
@@ -0,0 +1,8 @@
+- name: retrieve zsh path # noqa no-changed-when command-instead-of-shell
+ shell: command -v zsh
+ register: zsh_path
+
+- name: ensure zsh is used for workstation user
+ user:
+ name: "{{ workstation_user }}"
+ shell: "{{ zsh_path.stdout_lines[0] }}"
diff --git a/roles/workstation/tasks/smartcard.yml b/roles/workstation/tasks/smartcard.yml
new file mode 100644
index 0000000..ed79c92
--- /dev/null
+++ b/roles/workstation/tasks/smartcard.yml
@@ -0,0 +1,5 @@
+- name: start and enable pcscd service
+ service:
+ name: pcscd
+ state: started
+ enabled: true
diff --git a/roles/workstation/tasks/tlp.yml b/roles/workstation/tasks/tlp.yml
new file mode 100644
index 0000000..788f523
--- /dev/null
+++ b/roles/workstation/tasks/tlp.yml
@@ -0,0 +1,10 @@
+- name: install tlp
+ package:
+ name: tlp
+ state: present
+
+- name: enable and start tlp
+ service:
+ name: tlp
+ state: started
+ enabled: true
diff --git a/roles/workstation/templates/apm-hibernate b/roles/workstation/templates/apm-hibernate
new file mode 100755
index 0000000..ef90fed
--- /dev/null
+++ b/roles/workstation/templates/apm-hibernate
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -x -e
+
+pkill -USR1 xidle
diff --git a/roles/workstation/templates/apm-resume b/roles/workstation/templates/apm-resume
new file mode 100755
index 0000000..18397b4
--- /dev/null
+++ b/roles/workstation/templates/apm-resume
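Review bot: `pkill -USR1 xidle` is the only action in apm-hibernate, presumably there to make xidle lock the session before the machine sleeps, and when xidle is not running it simply exits non-zero and nothing is locked. If the session must always be locked before hibernate, check the result and fall back to invoking the locker directly, or at least log the failure so it is visible. `pkill -x -USR1 xidle` would also stop the signal reaching other processes whose names merely contain `xidle`. The identical apm-suspend script added later in this commit has the same gap.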
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -x -e
+
+sleep 3
+
+sh /etc/netstart iwn0
+
+wg_interfaces=$(find /etc/wireguard -type f | sed 's/\.conf$//g')
+for wg_interface in ${wg_interfaces}; do
+ wg_interface=$(basename "${wg_interface}")
+ wg-quick down "${wg_interface}"
+ wg-quick up "${wg_interface}"
+done
+
+rcctl -d restart pcscd
diff --git a/roles/workstation/templates/apm-suspend b/roles/workstation/templates/apm-suspend
new file mode 100755
index 0000000..ef90fed
--- /dev/null
+++ b/roles/workstation/templates/apm-suspend
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -x -e
+
+pkill -USR1 xidle
diff --git a/roles/workstation/templates/xorg-intel.conf b/roles/workstation/templates/xorg-intel.conf
new file mode 100644
index 0000000..5d73c65
--- /dev/null
+++ b/roles/workstation/templates/xorg-intel.conf
@@ -0,0 +1,9 @@
+
+# disable tearscreen for Xenocara on OpenBSD
+# managed by Ansible
+
+Section "Device"
+ Identifier "drm"
+ Driver "intel"
+ Option "TearFree" "true"
+EndSection |
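Review bot: With `set -e` in effect in apm-resume, a failing `wg-quick down` for an interface that is not currently up aborts the script before `wg-quick up` runs, so the tunnels can stay down after resume while `iwn0` is already back up and carrying traffic. Tolerating the teardown failure with `wg-quick down "${wg_interface}" || true` keeps the bring-up and the later `rcctl -d restart pcscd` reachable. `find /etc/wireguard -type f` also returns every regular file in that directory, not only configs, so any key files stored there would be handed to `wg-quick` as interface names; adding `-name '*.conf'` avoids that. The hard-coded `iwn0` ties the template to one wireless driver and could be a role variable.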