feat: initial commit

.ansible-lint

@@ -0,0 +1,22 @@
+---
+
+exclude_paths:
+  - ".gitlab/*"
+  - ".gitlab-ci.yml"
+  - "meta/main.yaml"
+  - "vars/*"
+
+kinds:
+  - playbook: "**/*.{yml,yaml}"
+
+skip_list:
+  - "command-shell"
+  - "experimental"
+  - "git-latest"
+  - "no-changed-when"
+  - "no-handler"
+  - "name[casing]"
+  - "name[template]"
+  - "risky-file-permissions"
+  - "schema[playbook]"
+  - "var-naming[no-role-prefix]"

.gitignore

@@ -0,0 +1 @@
+.ansible

.gitlab-ci.yml

@@ -0,0 +1,16 @@
+---
+
+# gitLab ci stages
+stages:
+
+  # deployment
+  - "linting"
+  - "deployment"
+
+
+# include jobs
+include:
+
+  # deployment
+  - local: ".gitlab/linting.yaml"
+  - local: ".gitlab/deployment.yaml"

.gitlab/deployment.yaml

@@ -0,0 +1,31 @@
+---
+# deploy ansible/roles/common code
+deployment:
+  stage: "deployment"
+  image:
+    name: "cr.simoncor.net/siempie/ssh-client:latest"
+    entrypoint: ["/bin/sh", "-c"]
+  rules:
+
+    # run only on push to default branch
+    - if:
+        '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH ==
+        $CI_DEFAULT_BRANCH'
+    - when: "never"
+
+  # prepare ssh
+  before_script:
+    # prepare ssh
+    - |
+      # prepare ssh
+      mkdir -p ~/.ssh
+      chmod 700 ~/.ssh
+      echo "$SSH_CONFIG" > ~/.ssh/config
+      echo "$SSH_DEPLOYMENT_KEY" > ~/.ssh/id_ed25519
+      chmod 600 ~/.ssh/id_ed25519
+
+  # deployment commands
+  script:
+    - |
+      # install ansible roles dependancies
+      ssh $SSH_DEPLOYMENT_USER@$ANSIBLE_SERVER "sudo /usr/local/bin/ansible-galaxy install -r /etc/ansible/roles/requirements.yaml --force"

.gitlab/linting.yaml

@@ -0,0 +1,17 @@
+---
+
+# linting
+linting:
+  stage: "linting"
+  image:
+    name: "cr.simoncor.net/siempie/ansible-deployment:latest"
+    entrypoint: ["/bin/sh", "-c"]
+  rules:
+
+    # run only on push to default branch
+    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+    - when: "never"
+
+  # start linting
+  script:
+    - "ansible-lint -c .ansible-lint ."

.yamllint

@@ -0,0 +1,30 @@
+---
+extends: 'default'
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    forbid: true
+  comments:
+    min-spaces-from-content: 1
+  comments-indentation: false
+  empty-lines:
+    max: 2
+  indentation:
+    spaces: 2
+    check-multi-line-strings: true
+  line-length:
+    max: 130
+    allow-non-breakable-words: true
+    allow-non-breakable-inline-mappings: true
+  new-line-at-end-of-file: 'enable'
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
+  truthy:
+    allowed-values:
+      - 'true'
+      - 'false'
+  quoted-strings:
+    quote-type: 'any'
+    required: true

defaults/main.yaml

@@ -0,0 +1,4 @@
+---
+
+# renovate: datasource=github-releases depName=atuinsh/atuin versioning=pep440
+atuin_version: "18.4.0"

handlers/main.yaml

@@ -0,0 +1,16 @@
+---
+
+# atuin
+- name: "restart atuin"
+  ansible.builtin.systemd:
+    name: "atuin.service"
+    state: "restarted"
+    daemon_reload: true
+    enabled: true
+
+# sysusers
+- name: "restart sysusers"
+  ansible.builtin.systemd:
+    name: "systemd-sysusers.service"
+    state: "restarted"
+    enabled: true

meta/main.yaml

@@ -0,0 +1,24 @@
+---
+galaxy_info:
+  role_name: "template"
+  author: "siempie"
+  description: ""
+  license: "MIT"
+  min_ansible_version: 2.9
+  platforms:
+
+    # debian
+    - name: "Debian"
+      versions:
+        - "bookworm"
+
+    # ubuntu
+    - name: "Ubuntu"
+      versions:
+        - "jammy"
+        - "noble"
+
+  galaxy_tags:
+    - "template"
+
+dependencies: []

readme.md

@@ -0,0 +1,10 @@
+# Overview
+This role configures [Atuin](https://atuin.sh/) server, for reasons.
+
+# Supported Operating Systems
+| Operating System | Version |
+| --- | ----- |
+| Debian | 12 |
+
+# Tags
+This role has no tags.

renovate.json

@@ -0,0 +1,7 @@
+{ 
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [ "local>cicd/renovate" ],
+  "ansible": {
+    "fileMatch": [ "(.*).ya?ml$" ]
+  }
+}

tasks/config.yaml

@@ -0,0 +1,11 @@
+---
+
+# configure atuin
+- name: "config - atuin"
+  ansible.builtin.template:
+    src: "templates/atuin/server.toml.j2"
+    dest: "/etc/atuin/server.toml"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  notify: "restart atuin"

tasks/install.yaml

@@ -0,0 +1,54 @@
+---
+
+# check current atuin version
+- name: "check current version"
+  ansible.builtin.shell:
+    cmd: "/usr/local/bin/atuin -V"
+  changed_when: false
+  failed_when: false
+  register: "atuin_version_check"
+
+# download atuin
+- name: "download atuin"
+  ansible.builtin.get_url:
+    url:
+      "https://github.com/atuinsh/atuin/releases/download/\
+       v{{ atuin_version }}/atuin-x86_64-unknown-linux-gnu.tar.gz"
+    dest: "/tmp/"
+    checksum:
+      "sha256:https://github.com/atuinsh/atuin/releases/download/\
+       v{{ atuin_version }}/atuin-x86_64-unknown-linux-gnu.tar.gz.sha256"
+    owner: "root"
+    group: "root"
+    mode: "0775"
+  when: "atuin_version not in atuin_version_check.stdout"
+  register: "atuin_download"
+
+# install atuin
+- name: "install atuin"
+  ansible.builtin.unarchive:
+    src: "/tmp/atuin-x86_64-unknown-linux-gnu.tar.gz"
+    dest: "/usr/local/bin/"
+    include: "atuin"
+    owner: "root"
+    group: "root"
+    mode: "0755"
+    remote_src: true
+  when: "atuin_download.changed"
+
+# install systemd service
+- name: "install service"
+  ansible.builtin.template:
+    src: "templates/systemd/atuin.service.j2"
+    dest: "/etc/systemd/system/atuin.service"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  notify: "restart atuin"
+
+# cleanup atuin
+- name: "cleanup atuin installer"
+  ansible.builtin.file:
+    path: "/tmp/atuin-x86_64-unknown-linux-gnu.tar.gz"
+    state: "absent"
+  when: "atuin_download.changed"

tasks/main.yaml

@@ -0,0 +1,20 @@
+---
+
+# check os support
+- name: "check for os support"
+  ansible.builtin.import_tasks: "ossupport.yaml"
+
+# load os variables
+- name: "include os specific vars"
+  ansible.builtin.include_vars: "{{ ansible_os_family }}.yaml"
+  when: "os_support"
+
+# import install
+- name: "install"
+  ansible.builtin.import_tasks: "install.yaml"
+  when: "os_support"
+
+# import config
+- name: "config"
+  ansible.builtin.import_tasks: "config.yaml"
+  when: "os_support"

tasks/ossupport.yaml

@@ -0,0 +1,16 @@
+---
+
+# support debian 12
+- name: "check for os support"
+  ansible.builtin.set_fact:
+    os_support: true
+  when:
+    - 'ansible_distribution == "Debian"'
+    - 'ansible_distribution_major_version == "12"'
+
+# fail role when not supported
+- name: "unsupported role"
+  ansible.builtin.fail:
+    msg: "This role not supported on this Operating System."
+  when:
+    - "os_support is not defined"

templates/atuin/server.toml.j2

@@ -0,0 +1,4 @@
+host = "0.0.0.0"
+port = 8888
+open_registration = true
+db_uri="postgres://{{ atuin_db_user }}:{{ atuin_db_pass }}@{{ atuin_db_host }}/{{ atuin_db_name }}"

templates/systemd/atuin.service.j2

@@ -0,0 +1,29 @@
+[Unit]
+Description=Start the Atuin server syncing service
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+ExecStart=/usr/local/bin/atuin server start
+Restart=on-failure
+User=root
+Group=root
+
+Environment=ATUIN_CONFIG_DIR=/etc/atuin
+ReadWritePaths=/etc/atuin
+
+# Hardening options
+CapabilityBoundingSet=
+AmbientCapabilities=
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+PrivateTmp=true
+PrivateDevices=true
+LockPersonality=true
+
+[Install]
+WantedBy=multi-user.target

vars/Debian.yaml

@@ -0,0 +1,9 @@
+---
+
+# ansible
+ansible_remote_tmp: "/tmp"
+
+# atuin install url
+atuin_install_url:
+  "https://github.com/atuinsh/atuin/releases/download/\
+   v{{ atuin_version }}/atuin-x86_64-unknown-linux-gnu.tar.gz"