Feature/systemd

.editorconfig

@@ -0,0 +1,36 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 4
+
+[*.{yml,yaml}]
+indent_size = 2
+
+[*.json]
+indent_size = 2
+
+[*.md]
+trim_trailing_whitespace = false
+
+[*.sh]
+indent_size = 4
+
+[install-ansible]
+indent_size = 4
+
+[install-requirements]
+indent_size = 4
+
+[run-ansible]
+indent_size = 4
+
+[run-lint]
+indent_size = 4
+
+[nvidia/*]
+indent_size = 4

.github/workflows/ci.yml

@@ -0,0 +1,71 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  lint:
+    runs-on: ubuntu-24.04
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: |
+          ./install-requirements
+          ./install-ansible
+
+      - name: Run linters
+        run: ./run-lint --github-format
+
+      - name: Publish ansible-lint results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: /tmp/ansible-lint.sarif
+          category: ansible-lint
+
+
+      # - name: Run yamllint
+      #   uses: reviewdog/action-yamllint@v1
+      #   with:
+      #     github_token: ${{ secrets.GITHUB_TOKEN }}
+      #     reporter: github-pr-review
+      #     yamllint_flags: "."
+      #     workdir: ansible
+
+      # - name: Run ansible-lint
+      #   uses: reviewdog/action-ansiblelint@v1
+      #   with:
+      #     github_token: ${{ secrets.GITHUB_TOKEN }}
+      #     reporter: github-pr-review
+      #     workdir: ansible
+
+  # molecule:
+  #   runs-on: ubuntu-24.04
+
+  #   steps:
+  #     - uses: actions/checkout@v4
+
+  #     - uses: actions/setup-python@v5
+  #       with:
+  #         python-version: "3.12"
+
+  #     - name: Install dependencies
+  #       run: |
+  #         pip install ansible molecule molecule-plugins[podman]
+
+  #     - name: Install Podman
+  #       run: |
+  #         sudo apt update
+  #         sudo apt install -y podman
+
+  #     - name: Run molecule
+  #       run: molecule test

.vscode/tasks.json

@@ -1,6 +1,42 @@
 {
   "version": "2.0.0",
   "tasks": [
+    {
+      "label": "ansible: lint",
+      "type": "shell",
+      "command": "${workspaceFolder}/run-lint",
+      "problemMatcher": [
+        {
+          "owner": "yamllint",
+          "fileLocation": "absolute",
+          "severity": "error",
+          "pattern": {
+            "regexp": "^(.+):(\\d+):(\\d+): \\[(error|warning)\\] (.+)$",
+            "file": 1,
+            "line": 2,
+            "column": 3,
+            "severity": 4,
+            "message": 5
+          }
+        },
+        {
+          "owner": "ansible-lint",
+          "fileLocation": "absolute",
+          "pattern": [
+            {
+              "regexp": "^([\\w-]+(?:\\[[\\w-]+\\])?): (.+)$",
+              "message": 2
+            },
+            {
+              "regexp": "^(.+):(\\d+)(?::(\\d+))? Task/Handler:",
+              "file": 1,
+              "line": 2,
+              "column": 3
+            }
+          ]
+        }
+      ]
+    },
     {
       "label": "ansible: run all roles",
       "type": "shell",

ansible/ansible.cfg

@@ -1,12 +1,15 @@
 [defaults]
-inventory          = inventories/production/hosts.yml
-roles_path         = roles
-collections_path   = collections
-host_key_checking  = False
-retry_files_enabled  = False
-stdout_callback      = default
-INJECT_FACTS_AS_VARS = False
+inventory = inventories/production/hosts.yml
+roles_path = roles
+
+host_key_checking = False
+retry_files_enabled = False
+
+stdout_callback = ansible.builtin.default
+result_format = yaml
+
+inject_facts_as_vars = False
 
 [privilege_escalation]
-become       = True
+become = True
 become_method = sudo

ansible/playbooks/workstation.yml

@@ -6,6 +6,8 @@
   roles:
     - role: common
       tags: [common]
+    - role: systemd
+      tags: [systemd]
     - role: podman
       tags: [podman]
     - role: shell_config

ansible/roles/common/tasks/main.yml

@@ -14,8 +14,11 @@
   become: true
 
 - name: Dearmor NodeSource GPG key
-  ansible.builtin.command:
-    cmd: gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg /tmp/nodesource-repo.gpg.key
+  ansible.builtin.command: >
+    gpg --dearmor
+    -o /etc/apt/keyrings/nodesource.gpg
+    /tmp/nodesource-repo.gpg.key
+  args:
     creates: /etc/apt/keyrings/nodesource.gpg
   become: true
 

ansible/roles/git_config/tasks/main.yml

@@ -27,3 +27,4 @@
     block: |
       [include]
           path = {{ home_dir }}/.config/git/ansible_gitconfig
+    mode: "0644"

ansible/roles/podman/tasks/main.yml

@@ -51,7 +51,9 @@
       unix:///run/user/{{ ansible_facts['user_uid'] }}/podman/podman.sock
   register: podman_conn_result
   changed_when: podman_conn_result.rc == 0
-  failed_when: podman_conn_result.rc != 0 and 'already exists' not in podman_conn_result.stderr
+  failed_when:
+    - podman_conn_result.rc != 0
+    - "'already exists' not in podman_conn_result.stderr"
 
 - name: Ensure containers config directory exists
   ansible.builtin.file:

ansible/roles/shell_config/tasks/main.yml

@@ -116,18 +116,24 @@
     state: directory
     mode: "0755"
 
-- name: Download Hack Nerd Font
+- name: Download Nerd Font
+  vars:
+    nerd_font_url: >
+      https://github.com/ryanoasis/nerd-fonts/releases/latest/download/Hack.zip
   ansible.builtin.get_url:
-    url: https://github.com/ryanoasis/nerd-fonts/releases/latest/download/Hack.zip
+    url: "{{ nerd_font_url }}"
     dest: /tmp/Hack.zip
     mode: "0644"
 
 - name: Extract Hack Nerd Font
   ansible.builtin.unarchive:
     src: /tmp/Hack.zip
-    dest: "{{ home_dir }}/.local/share/fonts/NerdFonts"
+    dest: >
+      {{ home_dir }}/.local/share/fonts/NerdFonts
     remote_src: true
-    creates: "{{ home_dir }}/.local/share/fonts/NerdFonts/HackNerdFont-Regular.ttf"
+    creates: >
+      {{ home_dir }}/.local/share/fonts/NerdFonts/
+      HackNerdFont-Regular.ttf
 
 - name: Refresh font cache
   ansible.builtin.command:

ansible/roles/systemd/files/NetworkManager-dns.conf

@@ -0,0 +1,2 @@
+[main]
+dns=systemd-resolved

ansible/roles/systemd/files/resolved.conf

@@ -0,0 +1,44 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it under the
+#  terms of the GNU Lesser General Public License as published by the Free
+#  Software Foundation; either version 2.1 of the License, or (at your option)
+#  any later version.
+#
+# Entries in this file show the compile time defaults. Local configuration
+# should be created by either modifying this file (or a copy of it placed in
+# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in
+# the /etc/systemd/resolved.conf.d/ directory. The latter is generally
+# recommended. Defaults can be restored by simply deleting the main
+# configuration file and all drop-ins located in /etc/.
+#
+# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
+#
+# See resolved.conf(5) for details.
+
+[Resolve]
+# Use DNS from DHCP – do NOT hardcode here unless you want to override
+# DNS=192.168.178.1
+
+# Optional public DNS fallback if DHCP DNS is unavailable
+FallbackDNS=1.1.1.1 8.8.8.8
+
+# Allow resolving local *.fritz.box hostnames
+Domains=fritz.box
+
+# Enable Multicast DNS (for `.local` discovery)
+MulticastDNS=yes
+
+# Disable LLMNR (legacy, usually unnecessary)
+LLMNR=no
+
+# Enable local DNS cache
+Cache=yes
+
+# Enable stub listener on 127.0.0.53 (used by NetworkManager)
+DNSStubListener=yes
+
+# DO NOT expose DNS to LAN unless you're intentionally running a server
+#DNSStubListenerExtra=192.168.100.1
+
+ReadEtcHosts=yes

ansible/roles/systemd/handlers/main.yml

@@ -0,0 +1,12 @@
+---
+- name: Restart systemd-resolved
+  ansible.builtin.systemd:
+    name: systemd-resolved
+    state: restarted
+  become: true
+
+- name: Reload NetworkManager
+  ansible.builtin.systemd:
+    name: NetworkManager
+    state: reloaded
+  become: true

ansible/roles/systemd/tasks/main.yml

@@ -0,0 +1,53 @@
+---
+- name: Deploy systemd-resolved configuration
+  ansible.builtin.copy:
+    src: resolved.conf
+    dest: /etc/systemd/resolved.conf
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  notify: Restart systemd-resolved
+
+- name: Enable and start systemd-resolved
+  ansible.builtin.systemd:
+    name: systemd-resolved
+    enabled: true
+    state: started
+  become: true
+
+- name: Ensure /etc/resolv.conf points to systemd-resolved stub
+  ansible.builtin.file:
+    src: /run/systemd/resolve/stub-resolv.conf
+    dest: /etc/resolv.conf
+    state: link
+    force: true
+  become: true
+
+- name: Configure NetworkManager to use systemd-resolved
+  when: ansible_facts.services['NetworkManager.service'] is defined
+  block:
+    - name: Ensure NetworkManager conf.d directory exists
+      ansible.builtin.file:
+        path: /etc/NetworkManager/conf.d
+        state: directory
+        owner: root
+        group: root
+        mode: "0755"
+      become: true
+
+    - name: Deploy NetworkManager DNS config
+      ansible.builtin.copy:
+        src: NetworkManager-dns.conf
+        dest: /etc/NetworkManager/conf.d/dns.conf
+        owner: root
+        group: root
+        mode: "0644"
+      become: true
+      notify: Reload NetworkManager
+
+- name: Enable systemd linger for user
+  ansible.builtin.command:
+    cmd: loginctl enable-linger {{ ansible_user }}
+    creates: /var/lib/systemd/linger/{{ ansible_user }}
+  become: true

install-ansible

@@ -12,5 +12,13 @@ if ! grep -qF "${USER_BIN}" "${HOME}/.bashrc"; then
     echo "Added ${USER_BIN} to ~/.bashrc"
 fi
 
-pipx upgrade ansible-core 2>/dev/null || pipx install ansible-core
+PIPX_PACKAGES=(
+    ansible-core
+    ansible-lint
+    yamllint
+)
+
+for package in "${PIPX_PACKAGES[@]}"; do
+    pipx upgrade "${package}" 2>/dev/null || pipx install "${package}"
+done
 ansible-galaxy collection install -r "${SCRIPT_DIR}/requirements.yml" --upgrade

requirements.txt

@@ -1,2 +1,2 @@
-pipx==1.11.1
+pipx==1.12.0
 podman-compose==1.5.0