Group/host variable refactor

ansible.cfg

@@ -1,5 +1,6 @@
 [defaults]
 roles_path = ./roles
+inventory = inventory.yml
 ask_vault_pass = true
 
 [privilege_escalation]

files/desktop/wireguard/media/desktop.key

@@ -1,7 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-62383364643761623739623632633261343735343465336235386336333234656631363432623535
-6562623634363937356137616131396264633161363461340a343432363362346664646161656563
-35623334326238326135646261666330666531633831656564396139666261623937626338386632
-3233333039623039640a383931633539363238326164643365316236326435643537303866373835
-66393465663364303134376566623736636664353031336537663036636462613766343739336331
-6438643538326533313433616438386165626537373162393430

files/desktop/wireguard/media/desktop.pub

@@ -1 +0,0 @@
-YDH5lZcxUHM4AU2ZxQrFqjDIV2Z7PSUQKMcYXLExV0E=

files/desktop/wireguard/media/preshared.psk

@@ -1,7 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-34303432393930626266313563613636343439623631633163656532363631313039386231623936
-3336636666626237316532346230303961323263613161320a383436636634376162353863386161
-36663064366461333335613633316630633335666335613464333863656536623230383262623733
-3065363835666231630a616362333233643637613762313437626366363365313831363661313336
-66373966656534646462653833343935623466613662333932666666366430663061366261396330
-3064636536643933613738356461313135363033633366396130

files/laptop/wireguard/media/laptop.key

@@ -1,7 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-64663539393065396333623165623833636539633932306437363365656532343565643866616532
-6562373233633237623761376234336331373637393431380a386261306438393837633037383464
-64623965376138313665393239346138383230383565626264393635303835396537663865313237
-6431313635333030390a646466303961663932353830366235643762393039396531316465333837
-61613264356263616332633334386532303761353536663033373639626634396164623335626566
-3632373266313435646338343738656663356635623138623939

files/laptop/wireguard/media/laptop.pub

@@ -1 +0,0 @@
-hI4rqlv2afs4RJkt5xR+dYxQODSd6lR0OqWJRlnQdjM=

files/laptop/wireguard/media/preshared.psk

@@ -1,7 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-63643763346434313734663761386539393032613366626230373862643431613963633664353264
-6466616235653963643861643439633537656439363735330a366439356537386662353431643163
-33363830646433336366353363623835373639383663633837313030393162643931353331633133
-6534363438303261320a333364313534336465616336386337383935353631646361623866326232
-64373139636633393236303335396138326638333635663839663734346463303739646431353437
-3838653361383663633632363862306565643531353066623336

files/tmux_start

@@ -1,16 +1,8 @@
 #!/bin/bash
 
 MAIN="main"
-DEVELOPMENT="development"
 
 tmux start-server
 tmux new-session -ds $MAIN
 tmux new-window
-tmux new-window
-tmux select-window -t 0
-
-tmux new-session -ds $DEVELOPMENT
-tmux new-window
-tmux new-window
-tmux new-window
 tmux select-window -t 0

group_vars/all/main.yml

@@ -1,21 +1,13 @@
-xdg_config_dir: '{{ ansible_env.HOME }}/.config'
+ansible_become_method: community.general.run0
-xdg_script_dir: '{{ ansible_env.HOME }}/.local/bin'
-
-register_uefi_entries: false
 
 packages:
   - firefox
-  - mpv
-  - youtube-dl
   - keepassxc
   - gimp
   - nftables
-  - mpd
-  - nfs-utils
   - okular
   - postgresql
   - plasma-meta
-  - syncthing
   - wezterm
   - tmux
   - unrar
@@ -26,13 +18,11 @@ packages:
   - iproute2
   - curl
   - reflector
-  - laptop-detect
   - pipewire
   - pipewire-pulse
   - pipewire-alsa
   - merkuro
   - kmail
-  - wireguard-tools
   - otf-monaspace-nerd
   - systemd-ukify
   - efibootmgr
@@ -40,14 +30,16 @@ packages:
   - aspell-nl
   - aspell-en
 
-platform_packages: []
+xdg_config_dir: '{{ ansible_env.HOME }}/.config'
+xdg_script_dir: '{{ ansible_env.HOME }}/.local/bin'
+
 modprobe_templates: []
 mkinitcpio_templates: []
 
 boot_configuration:
 
-vpn_config_dir: '/etc/wireguard'
-
 server_domain: fudiggity.nl
 
+register_uefi_entries: false
+
 wezterm_font_size: 12

group_vars/personal/system.yml

@@ -0,0 +1,39 @@
+packages:
+  - keepassxc
+  - gimp
+  - nftables
+  - okular
+  - postgresql
+  - plasma-meta
+  - wezterm
+  - tmux
+  - unrar
+  - vim
+  - git
+  - openssl
+  - kmail
+  - iproute2
+  - curl
+  - reflector
+  - pipewire
+  - pipewire-pulse
+  - pipewire-alsa
+  - merkuro
+  - kmail
+  - otf-monaspace-nerd
+  - systemd-ukify
+  - efibootmgr
+  - git-delta
+  - aspell-nl
+  - aspell-en
+
+  # custom packages
+  - firefox
+  - mpv
+  - youtube-dl
+  - nfs-utils
+  - syncthing
+  - mpd
+  - wireguard-tools
+
+vpn_config_dir: '/etc/wireguard'

handlers.yml

@@ -57,7 +57,6 @@
     name: iwd
     state: restarted
     enabled: true
-  when: platform == "laptop"
 
 - name: stop mpd service
   systemd:

host_vars/desktop/system.yml

@@ -1,17 +1,15 @@
-platform_packages: []
-
 modprobe_templates:
-  - src: 'templates/desktop/modprobe/99-amdgpu.conf.j2'
+  - src: 'templates/personal/desktop/modprobe/99-amdgpu.conf.j2'
     dest: '/etc/modprobe.d/99-amdgpu.conf'
 
 mkinitcpio_templates:
-  - src: 'templates/desktop/mkinitcpio/1-modules.conf.j2'
+  - src: 'templates/personal/desktop/mkinitcpio/1-modules.conf.j2'
     dest: '/etc/mkinitcpio.conf.d/1-amdgpu.conf'
 
-  - src: 'templates/desktop/mkinitcpio/linux.preset.j2'
+  - src: 'templates/personal/desktop/mkinitcpio/linux.preset.j2'
     dest: '/etc/mkinitcpio.d/linux.preset'
 
-  - src: 'templates/desktop/mkinitcpio/linux-lts.preset.j2'
+  - src: 'templates/personal/desktop/mkinitcpio/linux-lts.preset.j2'
     dest: '/etc/mkinitcpio.d/linux-lts.preset'
 
 boot_configuration:

host_vars/desktop/vpn.yml

@@ -24,7 +24,7 @@ vpn_default:
       endpoint: '{{ server_domain }}:51902'
       public_key: 'CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo='
       preshared_key_path: '{{ vpn_config_dir }}/keys/private/default/preshared-zeus.psk'
-      preshared_key_source_path: 'files/desktop/wireguard/default/preshared.psk'
+      preshared_key_source_path: 'files/personal/desktop/wireguard/default/preshared.psk'
 
 vpn_media:
   ip: '10.0.1.3'
@@ -36,7 +36,7 @@ vpn_media:
 
   public_key_path: '{{ vpn_config_dir }}/keys/public/media/desktop.pub'
   private_key_path: '{{ vpn_config_dir }}/keys/private/media/desktop.key'
-  private_key_source_path: 'files/desktop/wireguard/media/desktop.key'
+  private_key_source_path: 'files/personal/desktop/wireguard/media/desktop.key'
 
   peers:
     - name: 'zeus-media'
@@ -46,4 +46,4 @@ vpn_media:
       endpoint: '{{ server_domain }}.nl:51903'
       public_key: 'EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg='
       preshared_key_path: '{{ vpn_config_dir }}/keys/private/media/preshared-zeus.psk'
-      preshared_key_source_path: 'files/desktop/wireguard/media/preshared.psk'
+      preshared_key_source_path: 'files/personal/desktop/wireguard/media/preshared.psk'

host_vars/xps/system.yml

@@ -0,0 +1,61 @@
+packages:
+  - keepassxc
+  - gimp
+  - nftables
+  - okular
+  - postgresql
+  - plasma-meta
+  - wezterm
+  - tmux
+  - unrar
+  - vim
+  - git
+  - openssl
+  - kmail
+  - iproute2
+  - curl
+  - reflector
+  - pipewire
+  - pipewire-pulse
+  - pipewire-alsa
+  - merkuro
+  - kmail
+  - otf-monaspace-nerd
+  - systemd-ukify
+  - efibootmgr
+  - git-delta
+  - aspell-nl
+  - aspell-en
+
+  # custom packages
+  - firefox
+  - mpv
+  - youtube-dl
+  - nfs-utils
+  - syncthing
+  - mpd
+  - wireguard-tools
+
+  # custom host packages
+  - iwd
+  - nvidia
+  - nvidia-prime
+  - nvidia-utils
+  - lib32-nvidia-utils
+
+boot_configuration:
+  disk: /dev/nvme0n1
+  partition: 1
+
+mkinitcpio_templates:
+  - src: 'templates/personal/xps/mkinitcpio/1-modules.conf.j2'
+    dest: '/etc/mkinitcpio.conf.d/1-modules.conf'
+
+  - src: 'templates/personal/xps/mkinitcpio/2-hooks.conf.j2'
+    dest: '/etc/mkinitcpio.conf.d/2-hooks.conf'
+
+  - src: 'templates/personal/xps/mkinitcpio/linux.preset.j2'
+    dest: '/etc/mkinitcpio.d/linux.preset'
+
+  - src: 'templates/personal/xps/mkinitcpio/linux-lts.preset.j2'
+    dest: '/etc/mkinitcpio.d/linux-lts.preset'

host_vars/xps/vpn.yml

@@ -23,7 +23,7 @@ vpn_default:
       endpoint: '{{ server_domain }}:51902'
       public_key: 'CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo='
       preshared_key_path: '{{ vpn_config_dir }}/keys/private/default/preshared-zeus.psk'
-      preshared_key_source_path: 'files/laptop/wireguard/default/preshared.psk'
+      preshared_key_source_path: 'files/personal/xps/wireguard/default/preshared.psk'
 
 vpn_media:
   ip: '10.0.1.2'
@@ -44,4 +44,4 @@ vpn_media:
       endpoint: '{{ server_domain }}:51903'
       public_key: 'EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg='
       preshared_key_path: '{{ vpn_config_dir }}/keys/private/media/preshared-zeus.psk'
-      preshared_key_source_path: 'files/laptop/wireguard/media/preshared.psk'
+      preshared_key_source_path: 'files/personal/xps/wireguard/media/preshared.psk'

inventory.yml

@@ -0,0 +1,6 @@
+personal:
+  hosts: 
+    xps:
+      ansible_connection: local
+    desktop:
+      ansible_connection: local

playbook.yml

@@ -1,61 +1,21 @@
 - name: Arch Linux provisioning
-  hosts: localhost
+  hosts:
-  pre_tasks:
+    - xps
-    - name: Install shared packages
+    - desktop
-      become: true
+  gather_facts: true
-      community.general.pacman:
-        name: '{{ packages }}'
-
-    - name: Platform vars
-      tags: platform_vars
-      block:
-        - name: Detect platform
-          ansible.builtin.command: laptop-detect
-          register: is_laptop
-          failed_when: is_laptop.rc == 2
-
-        - name: Set platform (desktop)
-          ansible.builtin.set_fact:
-            platform: desktop
-          when: is_laptop.rc == 1
-
-        - name: Set platform (laptop)
-          ansible.builtin.set_fact:
-            platform: laptop
-          when: is_laptop.rc == 0
-
-        - name: Load desktop specific vars
-          ansible.builtin.include_vars:
-            dir: vars/desktop
-          when: platform == 'desktop'
-
-        - name: Load laptop specific vars
-          ansible.builtin.include_vars:
-            dir: vars/laptop
-          when: platform == 'laptop'
-
-    - name: Install platform specific packages
-      become: true
-      community.general.pacman:
-        name: '{{ platform_packages }}'
-      when: platform_packages | length > 0
   roles:
     - common
   tasks:
+    - name: Verifying that a limit is set
+      ansible.builtin.fail:
+        msg: 'This playbook cannot be run with no limit'
+      run_once: true
+      when: ansible_limit is not defined
+
     - name: Generic provisioning
       ansible.builtin.import_tasks: 'tasks/setup.yml'
       tags: setup
 
-    - name: Desktop provisioning
-      ansible.builtin.import_tasks: 'tasks/setup-desktop.yml'
-      when: platform == 'desktop'
-      tags: laptop
-
-    - name: Laptop provisioning
-      ansible.builtin.import_tasks: 'tasks/setup-laptop.yml'
-      when: platform == 'laptop'
-      tags: laptop
-
     - name: Network provisioning
       ansible.builtin.import_tasks: 'tasks/network.yml'
       tags: network
@@ -64,33 +24,46 @@
       ansible.builtin.import_tasks: 'tasks/systemd.yml'
       tags: systemd
 
+    # TODO: move to development playbook
     - name: Git provisioning
       ansible.builtin.import_tasks: 'tasks/git.yml'
       tags: git
 
-    - name: MPV provisioning
-      ansible.builtin.import_tasks: 'tasks/mpv.yml'
-      tags: mpv
-
-    - name: MPD provisioning
-      ansible.builtin.import_tasks: 'tasks/mpd.yml'
-      tags: mpd
-
-    - name: Syncthing provisioning
-      ansible.builtin.import_tasks: 'tasks/syncthing.yml'
-      tags: syncthing
-
     - name: Systemd timer provisioning
       ansible.builtin.import_tasks: 'tasks/timer.yml'
       tags: timers
 
+    - name: Personal provisiong
+      when: "'personal' in group_names"
+      block:
+        - name: Wireguard provisioning
+          ansible.builtin.import_tasks: 'tasks/personal/wireguard.yml'
+          tags: wireguard
+
+        - name: MPV provisioning
+          ansible.builtin.import_tasks: 'tasks/personal/mpv.yml'
+          tags: mpv
+
+        - name: MPD provisioning
+          ansible.builtin.import_tasks: 'tasks/personal/mpd.yml'
+          tags: mpd
+
+        - name: Syncthing provisioning
+          ansible.builtin.import_tasks: 'tasks/personal/syncthing.yml'
+          tags: syncthing
+
+        - name: Desktop provisioning
+          ansible.builtin.import_tasks: 'tasks/personal/desktop.yml'
+          when: ansible_hostname == 'desktop'
+          tags: desktop
+
+        - name: XPS provisioning
+          ansible.builtin.import_tasks: 'tasks/personal/xps.yml'
+          when: ansible_hostname == 'xps'
+          tags: xps
   handlers:
     - name: Import default handlers
       ansible.builtin.import_tasks: 'handlers.yml'
 
     - name: Import common role handlers
       ansible.builtin.import_tasks: 'roles/common/handlers/user.yml'
-  vars_files:
-    - 'vars/main.yml'
-    - 'vars/gpg.yml'
-    - 'vars/mpd.yml'

tasks/git.yml

@@ -1,24 +1,28 @@
-- name: copy git configuration
+- name: Copy git configuration
-  template:
+  ansible.builtin.template:
     src: 'templates/gitconfig.j2'
     dest: '{{ ansible_env.HOME }}/.gitconfig'
+    mode: '0755'
 
-- name: copy keys
+- name: Copy keys
-  copy:
+  ansible.builtin.copy:
     src: '{{ item.src }}'
     dest: '{{ item.dest }}'
+    mode: '0755'
   loop:
-    - { src: 'files/gpg_key', dest: '{{ ansible_env.HOME }}/gpg.key' }
+    - src: 'files/personal/gpg/gpg_key'
-    - { src: 'files/gpg_pub', dest: '{{ ansible_env.HOME }}/gpg.pub' }
+      dest: '{{ ansible_env.HOME }}/gpg.key'
+    - src: 'files/personal/gpg/gpg_pub'
+      dest: '{{ ansible_env.HOME }}/gpg.pub'
 
-- name: import secret key
+- name: Import secret key
-  command: 'gpg --passphrase {{ gpg_passphrase }} --import ~/gpg.key'
+  ansible.builtin.command: 'gpg --passphrase {{ gpg_passphrase }} --import ~/gpg.key'
 
-- name: import public key
+- name: Import public key
-  command: 'gpg --import ~/gpg.pub'
+  ansible.builtin.command: 'gpg --import ~/gpg.pub'
 
-- name: remove temp keys
+- name: Remove temp keys
-  file:
+  ansible.builtin.file:
     path: '{{ item }}'
     state: absent
   loop:

tasks/mpv.yml

@@ -1,20 +0,0 @@
-- name: create configuration directory
-  file:
-    path: '{{ ansible_env.HOME }}/.config/mpv'
-    state: directory
-    mode: '0700'
-
-- name: copy configuration files
-  template:
-    src: '{{ item.src }}'
-    dest: '{{ item.dest }}'
-    mode: '0644'
-  loop:
-    - {
-        src: 'templates/mpv/input.j2',
-        dest: '{{ ansible_env.HOME }}/.config/mpv/input.conf',
-      }
-    - {
-        src: 'templates/mpv/config.j2',
-        dest: '{{ ansible_env.HOME }}/.config/mpv/mpv.conf',
-      }

tasks/network.yml

@@ -3,67 +3,25 @@
 # using `wg set wg0 peer izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4= endpoint <NEW-IP>:<PORT>`
 # for example.
 
-- name: Create Wireguard directories
+- name: Copy firewall template
   become: true
-  ansible.builtin.file:
+  ansible.builtin.template:
-    path: '{{ item }}'
+    src: "{{ lookup('ansible.builtin.first_found', paths) }}"
+    dest: '/etc/nftables.conf'
     owner: root
-    group: systemd-network
+    group: root
-    mode: '0750'
+    mode: '0600'
-    state: directory
+  vars:
-    recurse: true
+    paths:
-  loop:
+      - 'templates/{{ ansible_hostname }}/nftables.j2'
-    - '{{ vpn_config_dir }}'
+      - 'templates/{{ group_names[0] }}/{{ ansible_hostname }}/nftables.j2'
-    - '{{ vpn_default.private_key_path | dirname }}'
+  notify: restart nftables
-    - '{{ vpn_default.public_key_path | dirname }}'
-    - '{{ vpn_media.private_key_path | dirname }}'
-    - '{{ vpn_media.public_key_path | dirname }}'
-  notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
-
-- name: Copy Wireguard credentials
-  become: true
-  ansible.builtin.copy:
-    src: '{{ item.src }}'
-    dest: '{{ item.dest }}'
-    owner: root
-    group: systemd-network
-    mode: '0640'
-  loop:
-    - dest: '{{ vpn_default.public_key_path }}'
-      src: 'files/{{ platform }}/wireguard/default/{{ platform }}.pub'
-
-    - dest: '{{ vpn_default.private_key_path }}'
-      src: 'files/{{ platform }}/wireguard/default/{{ platform }}.key'
-
-    - dest: '{{ vpn_media.public_key_path }}'
-      src: 'files/{{ platform }}/wireguard/media/{{ platform }}.pub'
-
-    - dest: '{{ vpn_media.private_key_path }}'
-      src: 'files/{{ platform }}/wireguard/media/{{ platform }}.key'
-  notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
-
-- name: Copy Wireguard preshared keys
-  become: true
-  ansible.builtin.copy:
-    src: '{{ item.preshared_key_source_path }}'
-    dest: '{{ item.preshared_key_path }}'
-    owner: root
-    group: systemd-network
-    mode: '0640'
-  loop: '{{ vpn_default.peers + vpn_media.peers }}'
-  notify:
-    - restart systemd-networkd
-    - restart systemd-resolved
 
 - name: Desktop configuration
   notify:
     - restart systemd-networkd
     - restart systemd-resolved
-  when: platform == "desktop"
+  when: ansible_hostname == 'desktop'
   block:
     - name: Setup network configuration
       become: true
@@ -74,21 +32,9 @@
         group: systemd-network
         mode: '0640'
       loop:
-        - src: 'templates/desktop/network/enp.network.j2'
+        - src: 'templates/personal/desktop/network/enp.network.j2'
           dest: '/etc/systemd/network/20-wired.network'
 
-        - src: 'templates/desktop/network/wg0.network.j2'
-          dest: '/etc/systemd/network/40-wg0.network'
-
-        - src: 'templates/desktop/network/wg0.netdev.j2'
-          dest: '/etc/systemd/network/40-wg0.netdev'
-
-        - src: 'templates/desktop/network/wg1.network.j2'
-          dest: '/etc/systemd/network/40-wg1.network'
-
-        - src: 'templates/desktop/network/wg1.netdev.j2'
-          dest: '/etc/systemd/network/40-wg1.netdev'
-
     - name: Remove leftover configuration files
       become: true
       ansible.builtin.file:
@@ -98,12 +44,12 @@
         - '/etc/systemd/network/30-vmbr0.network'
         - '/etc/systemd/network/30-vmbr0.netdev'
 
-- name: Laptop configuration
+- name: XPS configuration
   notify:
     - restart systemd-networkd
     - restart systemd-resolved
     - restart iwd
-  when: platform == "laptop"
+  when: ansible_hostname == 'xps'
   block:
     - name: Setup network configuration
       become: true
@@ -114,21 +60,9 @@
         group: systemd-network
         mode: '0640'
       loop:
-        - src: 'templates/laptop/network/wireless.network.j2'
+        - src: 'templates/personal/xps/network/wireless.network.j2'
           dest: '/etc/systemd/network/20-wireless.network'
 
-        - src: 'templates/laptop/network/wg0.network.j2'
-          dest: '/etc/systemd/network/40-wg0.network'
-
-        - src: 'templates/laptop/network/wg0.netdev.j2'
-          dest: '/etc/systemd/network/40-wg0.netdev'
-
-        - src: 'templates/laptop/network/wg1.network.j2'
-          dest: '/etc/systemd/network/40-wg1.network'
-
-        - src: 'templates/laptop/network/wg1.netdev.j2'
-          dest: '/etc/systemd/network/40-wg1.netdev'
-
     - name: Remove leftover configuration files
       become: true
       ansible.builtin.file:
@@ -137,13 +71,3 @@
       loop:
         - '/etc/systemd/network/30-vmbr0.network'
         - '/etc/systemd/network/30-vmbr0.netdev'
-
-- name: Copy firewall template
-  become: true
-  ansible.builtin.template:
-    src: 'templates/{{ platform }}/nftables.j2'
-    dest: '/etc/nftables.conf'
-    owner: root
-    group: root
-    mode: '0600'
-  notify: restart nftables

tasks/personal/desktop.yml

@@ -1,10 +1,12 @@
 - name: Create xdg-desktop-portal.service.d directory
-  file:
+  ansible.builtin.file:
     path: '{{ xdg_config_dir }}/systemd/user/xdg-desktop-portal.service.d'
     state: directory
+    mode: '0755'
 
 - name: Copy xdg-desktop-portal.service drop-in
-  template:
+  ansible.builtin.template:
-    src: templates/desktop/xdg-desktop-portal.service.j2
+    src: templates/personal/desktop/xdg-desktop-portal.service.j2
     dest: '{{ xdg_config_dir }}/systemd/user/xdg-desktop-portal.service.d/override.conf'
+    mode: '0755'
   notify: user daemon-reload

tasks/personal/mpd.yml

@@ -4,10 +4,10 @@
     dest: '{{ item.dest }}'
     mode: '0644'
   loop:
-    - src: 'templates/mpd/service.j2'
+    - src: 'templates/personal/mpd/service.j2'
       dest: '{{ xdg_config_dir }}/systemd/user/mpd.service'
 
-    - src: 'templates/mpd/socket.j2'
+    - src: 'templates/personal/mpd/socket.j2'
       dest: '{{ xdg_config_dir }}/systemd/user/mpd.socket'
   notify:
     - stop mpd service
@@ -34,6 +34,7 @@
   ansible.builtin.file:
     path: '{{ item.path }}'
     state: '{{ item.state }}'
+    mode: '0755'
   loop:
     - path: '{{ mpd_configuration_dir }}/log'
       state: 'absent'
@@ -50,11 +51,11 @@
     dest: '{{ item.dest }}'
     mode: '0755'
   loop:
-    - src: 'templates/mpd/mpd.conf.j2'
+    - src: 'templates/personal/mpd/mpd.conf.j2'
       dest: '{{ mpd_configuration_dir }}/mpd.conf'
-    - src: 'templates/mpd/ncmpcpp/config.j2'
+    - src: 'templates/personal/mpd/ncmpcpp/config.j2'
       dest: '{{ ncmpcpp_configuration_dir }}/config'
-    - src: 'templates/mpd/ncmpcpp/bindings.j2'
+    - src: 'templates/personal/mpd/ncmpcpp/bindings.j2'
       dest: '{{ ncmpcpp_configuration_dir }}/bindings'
   notify:
     - stop mpd service

tasks/personal/mpv.yml

@@ -0,0 +1,16 @@
+- name: Create configuration directory
+  ansible.builtin.file:
+    path: '{{ ansible_env.HOME }}/.config/mpv'
+    state: directory
+    mode: '0700'
+
+- name: Copy configuration files
+  ansible.builtin.template:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    mode: '0644'
+  loop:
+    - src: 'templates/personal/mpv/input.j2'
+      dest: '{{ ansible_env.HOME }}/.config/mpv/input.conf'
+    - src: 'templates/personal/mpv/config.j2'
+      dest: '{{ ansible_env.HOME }}/.config/mpv/mpv.conf'

tasks/personal/wireguard.yml

@@ -0,0 +1,112 @@
+# Note: Only compatible with personal group
+
+- name: Create Wireguard directories
+  become: true
+  ansible.builtin.file:
+    path: '{{ item }}'
+    owner: root
+    group: systemd-network
+    mode: '0750'
+    state: directory
+    recurse: true
+  loop:
+    - '{{ vpn_config_dir }}'
+    - '{{ vpn_default.private_key_path | dirname }}'
+    - '{{ vpn_default.public_key_path | dirname }}'
+    - '{{ vpn_media.private_key_path | dirname }}'
+    - '{{ vpn_media.public_key_path | dirname }}'
+  notify:
+    - restart systemd-networkd
+    - restart systemd-resolved
+
+- name: Copy Wireguard credentials
+  become: true
+  ansible.builtin.copy:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+  loop:
+    - dest: '{{ vpn_default.public_key_path }}'
+      src: 'files/personal/{{ ansible_hostname }}/wireguard/default/{{ ansible_hostname }}.pub'
+
+    - dest: '{{ vpn_default.private_key_path }}'
+      src: 'files/personal/{{ ansible_hostname }}/wireguard/default/{{ ansible_hostname }}.key'
+
+    - dest: '{{ vpn_media.public_key_path }}'
+      src: 'files/personal/{{ ansible_hostname }}/wireguard/media/{{ ansible_hostname }}.pub'
+
+    - dest: '{{ vpn_media.private_key_path }}'
+      src: 'files/personal/{{ ansible_hostname }}/wireguard/media/{{ ansible_hostname }}.key'
+  notify:
+    - restart systemd-networkd
+    - restart systemd-resolved
+
+- name: Copy Wireguard preshared keys
+  become: true
+  ansible.builtin.copy:
+    src: '{{ item.preshared_key_source_path }}'
+    dest: '{{ item.preshared_key_path }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+  loop: '{{ vpn_default.peers + vpn_media.peers }}'
+  notify:
+    - restart systemd-networkd
+    - restart systemd-resolved
+
+- name: Desktop configuration
+  notify:
+    - restart systemd-networkd
+    - restart systemd-resolved
+  when: ansible_hostname == 'desktop'
+  block:
+    - name: Setup network configuration
+      become: true
+      ansible.builtin.template:
+        src: '{{ item.src }}'
+        dest: '{{ item.dest }}'
+        owner: root
+        group: systemd-network
+        mode: '0640'
+      loop:
+        - src: 'templates/personal/desktop/network/wg0.network.j2'
+          dest: '/etc/systemd/network/40-wg0.network'
+
+        - src: 'templates/personal/desktop/network/wg0.netdev.j2'
+          dest: '/etc/systemd/network/40-wg0.netdev'
+
+        - src: 'templates/personal/desktop/network/wg1.network.j2'
+          dest: '/etc/systemd/network/40-wg1.network'
+
+        - src: 'templates/personal/desktop/network/wg1.netdev.j2'
+          dest: '/etc/systemd/network/40-wg1.netdev'
+
+- name: XPS configuration
+  notify:
+    - restart systemd-networkd
+    - restart systemd-resolved
+    - restart iwd
+  when: ansible_hostname == 'xps'
+  block:
+    - name: Setup network configuration
+      become: true
+      ansible.builtin.template:
+        src: '{{ item.src }}'
+        dest: '{{ item.dest }}'
+        owner: root
+        group: systemd-network
+        mode: '0640'
+      loop:
+        - src: 'templates/personal/xps/network/wg0.network.j2'
+          dest: '/etc/systemd/network/40-wg0.network'
+
+        - src: 'templates/personal/xps/network/wg0.netdev.j2'
+          dest: '/etc/systemd/network/40-wg0.netdev'
+
+        - src: 'templates/personal/xps/network/wg1.network.j2'
+          dest: '/etc/systemd/network/40-wg1.network'
+
+        - src: 'templates/personal/xps/network/wg1.netdev.j2'
+          dest: '/etc/systemd/network/40-wg1.netdev'

tasks/personal/xps.yml

@@ -1,7 +1,7 @@
 - name: Provision powertop systemd service
   become: true
   ansible.builtin.template:
-    src: 'templates/laptop/powertop.service.j2'
+    src: 'templates/personal/xps/powertop.service.j2'
     dest: '/etc/systemd/system/powertop.service'
     owner: root
     group: root

tasks/setup.yml

@@ -1,166 +1,183 @@
-- name: copy reflector configuration
+- name: Provision pollkit administrator configuration
   become: true
-  template:
+  ansible.builtin.template:
+    src: 'templates/polkit.j2'
+    dest: '/etc/polkit-1/rules.d/49-nopasswd_global.rules'
+    mode: '0755'
+
+- name: Install shared packages
+  become: true
+  community.general.pacman:
+    name: '{{ packages }}'
+
+- name: Copy reflector configuration
+  become: true
+  ansible.builtin.template:
     src: 'templates/reflector.j2'
     dest: '/etc/xdg/reflector/reflector.conf'
-    owner: root
-    group: root
     mode: '0600'
 
 # started by weekly timer
-- name: disable reflector
+- name: Disable reflector
   become: true
-  systemd:
+  ansible.builtin.systemd:
     name: reflector
     state: stopped
     enabled: false
 
-- name: copy pacman configuration
+- name: Copy pacman configuration
   become: true
-  template:
+  ansible.builtin.template:
     src: 'templates/pacman.j2'
     dest: '/etc/pacman.conf'
     owner: root
     group: root
     mode: '0644'
 
-- name: create extra conf
+- name: Create extra conf
   become: true
-  file:
+  ansible.builtin.file:
     path: '/etc/pacman.d/extra.conf'
     owner: root
     group: root
     state: touch
     mode: '0644'
 
-- name: create wezterm configuration dir
+- name: Create wezterm configuration dir
-  file:
+  ansible.builtin.file:
     path: '{{ xdg_config_dir }}/wezterm/includes'
     state: directory
+    mode: '0755'
 
-- name: copy wezterm configuration files
+- name: Copy wezterm configuration files
-  template:
+  ansible.builtin.template:
     src: '{{ item.src }}'
     dest: '{{ item.dest }}'
+    mode: '0755'
   loop:
-    - {
+    - src: 'templates/wezterm/wezterm.lua.j2'
-        src: 'templates/wezterm/wezterm.lua.j2',
+      dest: '{{ xdg_config_dir }}/wezterm/wezterm.lua'
-        dest: '{{ xdg_config_dir }}/wezterm/wezterm.lua'
-    }
-    - {
-        src: 'templates/wezterm/includes/colors.lua.j2',
-        dest: '{{ xdg_config_dir }}/wezterm/includes/colors.lua'
-    }
-    - {
-        src: 'templates/wezterm/includes/fonts.lua.j2',
-        dest: '{{ xdg_config_dir }}/wezterm/includes/fonts.lua'
-    }
-    - {
-        src: 'templates/wezterm/includes/window.lua.j2',
-        dest: '{{ xdg_config_dir }}/wezterm/includes/window.lua'
-    }
 
-- name: enable fstrim timer
+    - src: 'templates/wezterm/includes/colors.lua.j2'
+      dest: '{{ xdg_config_dir }}/wezterm/includes/colors.lua'
+
+    - src: 'templates/wezterm/includes/fonts.lua.j2'
+      dest: '{{ xdg_config_dir }}/wezterm/includes/fonts.lua'
+
+    - src: 'templates/wezterm/includes/window.lua.j2'
+      dest: '{{ xdg_config_dir }}/wezterm/includes/window.lua'
+
+- name: Enable fstrim timer
   become: true
-  systemd:
+  ansible.builtin.systemd:
     name: fstrim.timer
     enabled: true
 
-- name: remove the sysctl.d directory
+- name: Remove the sysctl.d directory
   become: true
-  file:
+  ansible.builtin.file:
     path: /etc/sysctl.d
     state: absent
 
-- name: recreate the sysctl.d directory
+- name: Recreate the sysctl.d directory
   become: true
-  file:
+  ansible.builtin.file:
     path: /etc/sysctl.d
     state: directory
-    mode: 755
+    mode: '0755'
 
-- name: copy sysctl files
+- name: Copy sysctl files
   become: true
-  template:
+  when: "'personal' not in group_names"
+  ansible.builtin.template:
     src: '{{ item.src }}'
     dest: '{{ item.dest }}'
+    mode: '0755'
   loop:
-    - {
+    - src: 'templates/sysctl/99-sysrq.conf.j2'
-        src: 'templates/{{ platform }}/sysctl/99-sysrq.conf.j2',
+      dest: '/etc/sysctl.d/99-sysrq.conf'
-        dest: '/etc/sysctl.d/99-sysrq.conf'
+    - src: 'templates/sysctl/98-forward.conf.j2'
-    }
+      dest: '/etc/sysctl.d/98-foward.conf'
-    - {
-        src: 'templates/{{ platform }}/sysctl/98-forward.conf.j2',
-        dest: '/etc/sysctl.d/98-foward.conf'
-    }
   notify: reload sysctl configuration
 
-- name: remove the modprobe.d directory
+- name: Remove the modprobe.d directory
   become: true
-  file:
+  ansible.builtin.file:
     path: /etc/modprobe.d
     state: absent
 
-- name: recreate the modprobe.d directory
+- name: Recreate the modprobe.d directory
   become: true
-  file:
+  ansible.builtin.file:
     path: /etc/modprobe.d
     state: directory
-    mode: 755
+    mode: '0755'
 
-- name: copy modprobe configuration files
+- name: Copy modprobe configuration files
   become: true
-  template:
+  ansible.builtin.template:
     src: '{{ item.src }}'
     dest: '{{ item.dest }}'
+    mode: '0755'
   loop: '{{ modprobe_templates }}'
   when: modprobe_templates
 
-- name: copy kernel parameters template
+- name: Copy kernel parameters template
   become: true
-  template:
+  when: "'personal' not in group_names"
-    src: 'templates/{{ platform }}/cmdline.j2'
+  ansible.builtin.template:
+    src: 'templates/{{ ansible_hostname }}/cmdline.j2'
     dest: '/etc/kernel/cmdline'
+    mode: '0755'
 
-- name: remove the mkinitcpio directories
+- name: Copy kernel parameters template for personal group
   become: true
-  file:
+  when: "'personal' in group_names"
+  ansible.builtin.template:
+    src: 'templates/personal/{{ ansible_hostname }}/cmdline.j2'
+    dest: '/etc/kernel/cmdline'
+    mode: '0755'
+
+- name: Remove the mkinitcpio directories
+  become: true
+  ansible.builtin.file:
     path: '{{ item }}'
     state: absent
   loop:
     - /etc/mkinitcpio.conf.d
     - /etc/mkinitcpio.d
 
-- name: recreate the mkinitcpio directories
+- name: Recreate the mkinitcpio directories
   become: true
-  file:
+  ansible.builtin.file:
     path: '{{ item }}'
     state: directory
-    mode: 755
+    mode: '0755'
   loop:
     - /etc/mkinitcpio.conf.d
     - /etc/mkinitcpio.d
 
-- name: copy mkinitcpio configuration files
+- name: Copy mkinitcpio configuration files
   become: true
-  template:
+  ansible.builtin.template:
     src: '{{ item.src }}'
     dest: '{{ item.dest }}'
+    mode: '0755'
   loop: '{{ mkinitcpio_templates }}'
   when: mkinitcpio_templates
 
-- name: regenerate initramfs images
+- name: Regenerate initramfs images
   become: true
-  command: 'mkinitcpio --allpresets'
+  ansible.builtin.command: 'mkinitcpio --allpresets'
   register: mkinitcpio_stats
 
-- name: log mkinitcpio stdout
+- name: Log mkinitcpio stdout
-  debug:
+  ansible.builtin.debug:
     var: mkinitcpio_stats.stdout_lines
 
-- name: create a Linux UEFI boot entry
+- name: Create a Linux UEFI boot entry
   become: true
-  command: efibootmgr \
+  ansible.builtin.command: efibootmgr \
     --create \
     --disk '{{ boot_configuration.disk }}' \
     --part '{{ boot_configuration.partition }}' \
@@ -171,14 +188,14 @@
   register: efi_linux_stats
   when: register_uefi_entries
 
-- name: log efibootmgr stdout
+- name: Log efibootmgr stdout
-  debug:
+  ansible.builtin.debug:
     var: efi_linux_stats.stdout_lines
   when: register_uefi_entries
 
-- name: create a Linux LTS UEFI boot entry
+- name: Create a Linux LTS UEFI boot entry
   become: true
-  command: efibootmgr \
+  ansible.builtin.command: efibootmgr \
     --create \
     --disk '{{ boot_configuration.disk }}' \
     --part '{{ boot_configuration.partition }}' \
@@ -189,7 +206,7 @@
   register: efi_linux_lts_stats
   when: register_uefi_entries
 
-- name: log efibootmgr LTS stdout
+- name: Log efibootmgr LTS stdout
-  debug:
+  ansible.builtin.debug:
     var: efi_linux_lts_stats.stdout_lines
   when: register_uefi_entries

tasks/systemd.yml

@@ -1,18 +1,18 @@
-- name: setup systemd user service folder
+- name: Setup systemd user service folder
-  file:
+  ansible.builtin.file:
     path: '{{ xdg_config_dir }}/systemd/user'
     state: directory
     mode: '0755'
 
-- name: add ssh-agent service
+- name: Add ssh-agent service
-  template:
+  ansible.builtin.template:
     src: 'templates/ssh-agent.j2'
     dest: '{{ xdg_config_dir }}/systemd/user/ssh-agent.service'
     mode: '0644'
   notify: restart user ssh-agent
 
-- name: copy tmux service
+- name: Copy tmux service
-  template:
+  ansible.builtin.template:
     src: 'templates/tmux.j2'
     dest: '{{ xdg_config_dir }}/systemd/user/tmux.service'
     mode: '0644'
@@ -20,8 +20,8 @@
     - user daemon-reload
     - restart tmux service
 
-- name: copy tmux startup script
+- name: Copy tmux startup script
-  copy:
+  ansible.builtin.copy:
     src: 'files/tmux_start'
     dest: '{{ ansible_env.HOME }}/.local/bin/tmux_start'
     mode: '0740'

templates/laptop/sysctl/98-forward.conf.j2

@@ -1,2 +0,0 @@
-# {{ ansible_managed }}
-net.ipv4.ip_forward = 1

templates/laptop/sysctl/99-sysrq.conf.j2

@@ -1,2 +0,0 @@
-# {{ ansible_managed }}
-kernel.sysrq = 1

templates/polkit.j2

@@ -0,0 +1,11 @@
+/* {{ ansible_managed }}
+ *
+ * Allow members of the wheel group to execute any actions
+ * without password authentication, similar to "sudo NOPASSWD:"
+ * without password authentication, similar to "sudo NOPASSWD:"
+ */
+polkit.addRule(function(action, subject) {
+    if (subject.isInGroup("wheel")) {
+        return polkit.Result.YES;
+    }
+});

vars/laptop/system.yml

@@ -1,23 +0,0 @@
-platform_packages:
-  - iwd
-  - nvidia
-  - nvidia-prime
-  - nvidia-utils
-  - lib32-nvidia-utils
-
-boot_configuration:
-  disk: /dev/nvme0n1
-  partition: 1
-
-mkinitcpio_templates:
-  - src: 'templates/laptop/mkinitcpio/1-modules.conf.j2'
-    dest: '/etc/mkinitcpio.conf.d/1-modules.conf'
-
-  - src: 'templates/laptop/mkinitcpio/2-hooks.conf.j2'
-    dest: '/etc/mkinitcpio.conf.d/2-hooks.conf'
-
-  - src: 'templates/laptop/mkinitcpio/linux.preset.j2'
-    dest: '/etc/mkinitcpio.d/linux.preset'
-
-  - src: 'templates/laptop/mkinitcpio/linux-lts.preset.j2'
-    dest: '/etc/mkinitcpio.d/linux-lts.preset'