initial commit

LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2023 Ava Chaney
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

ansible.cfg

@@ -0,0 +1,9 @@
+[defaults]
+inventory=inventory.yml
+remote_user=ava
+
+[privilege_escalation]
+become=True
+become_method=sudo
+become_user=root
+become_ask_pass=False

ensure-vault-encrypted.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+#
+# Called by "git commit" with no arguments.  The hook should
+# exit with non-zero status after issuing an appropriate message if
+# it wants to stop the commit.
+
+# Unset variables produce errors
+set -u
+
+if git rev-parse --verify HEAD >/dev/null 2>&1
+then
+	against=HEAD
+else
+	# Initial commit: diff against an empty tree object
+	against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
+fi
+
+# Redirect output to stderr.
+exec 1>&2
+
+EXIT_STATUS=0
+
+# Check that all changed *.vault files are encrypted
+# read: -r do not allow backslashes to escape characters; -d delimiter
+while IFS= read -r -d $'\0' file; do
+	[[ "$file" != *vault* ]] && continue
+	[[ "$file" == "ensure-vault-encrypted.sh" ]] && continue
+	# cut gets symbols 1-2
+	file_status=$(git status --porcelain -- "$file" 2>&1 | cut -c1-2)
+	file_status_index=${file_status:0:1}
+	file_status_worktree=${file_status:1:1}
+	[[ "$file_status_worktree" != ' ' ]] && {
+		echo "ERROR: vault file is modified in worktree but not added to the index: $file"
+		echo "Can not check if it is properly encrypted. Use git add or git stash to fix this."
+		EXIT_STATUS=1
+	}
+	# check is neither required nor possible for deleted files
+	[[ "$file_status_index" = 'D' ]] && continue
+	head -1 "$file" | grep --quiet '^\$ANSIBLE_VAULT;' || {
+		echo "ERROR: non-encrypted vault file: $file"
+		EXIT_STATUS=1
+	}
+done < <(git diff --cached --name-only -z "$against")
+
+exit $EXIT_STATUS

group_vars/all.yml

@@ -0,0 +1,12 @@
+base_packages_apt:
+  - nano
+  - git
+  - neofetch
+  - htop
+  - curl
+  - wget
+  - unzip
+  - zip
+  - zsh
+  - toilet
+  - figlet

group_vars/nas.yml

@@ -0,0 +1 @@
+nas_pool_mount: /mnt/pool

install-git-hook.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+mkdir -p .git/hooks
+cp ensure-vault-encrypted.sh .git/hooks/pre-commit
+chmod +x .git/hooks/pre-commit

inventory.yml

@@ -0,0 +1,45 @@
+---
+all:
+  children:
+    hypervisor:
+      hosts:
+        krile:
+    nas:
+      hosts:
+        krile:
+          disks:
+            # Parity disks
+            - name: parity01
+              device: /dev/disk/by-id/ata-WDC_WD120EDAZ-11F3RA0_5PJH7D5F-part1
+              encrypted: true
+              pooled: false
+              fs_type: ext4
+            # Data disks
+            - name: disk01
+              device: /dev/disk/by-id/ata-WDC_WD120EDAZ-11F3RA0_5PJKM7UD-part1
+              encrypted: true
+              pooled: true
+              fs_type: xfs
+            - name: disk02
+              device: /dev/disk/by-id/ata-WDC_WD80EZAZ-11TDBA0_7HK35ARN-part1
+              encrypted: true
+              pooled: true
+              fs_type: xfs
+            - name: disk03
+              device: /dev/disk/by-id/ata-WDC_WD80EFAX-68LHPN0_7SGME4GC-part1
+              encrypted: true
+              pooled: true
+              fs_type: xfs
+            - name: disk04
+              device: /dev/disk/by-id/ata-WDC_WD40EFRX-68N32N0_WD-WCC7K7TKRX73-part1
+              encrypted: true
+              pooled: true
+              fs_type: xfs
+            # Separate disk for CCTV footage
+            - name: cctv
+              device: /dev/disk/by-id/ata-WDC_WD20EZRX-22D8PB0_WD-WCC4M2YYYY5Y-part1
+              encrypted: true
+              pooled: false
+              fs_type: xfs
+  vars:
+    ansible_python_interpreter: /usr/bin/python3

local-deps.yml

@@ -0,0 +1,11 @@
+- name: Ensure local dependencies are installed
+  become: false
+  hosts:
+    - localhost
+  tasks:
+    - name: Install Terraform (macOS)
+      community.general.homebrew:
+        name: terraform
+        state: present
+        update_homebrew: false
+      when: ansible_os_family == 'Darwin'

roles/common/tasks/main.yml

@@ -0,0 +1,5 @@
+- name: Install base packages on Debian
+  when: ansible_os_family == 'Debian'
+  package:
+    name: '{{ base_packages_apt }}'
+    state: present