rhel8-workstation.yml

---
- name: RHEL8 Workstation / Server w/ GUI Setup / Laptop / Whatever
  hosts: localhost
  vars:
    non_root_user: admiller
    desktop_environment: gnome
  tasks:
    - name: Package Install - RHEL8
      yum:
        state: installed
        name: "{{ packages_rhel8 }}"

    - name: Package Install - Common
      yum:
        state: installed
        name: "{{ packages_common }}"

    - name: Package Install - RHEL8 - GNOME
      yum:
        state: installed
        name: 
          - vinagre
          - gnome-tweaks
          - gnome-shell-extension-windowsNavigator
      when: desktop_environment == "gnome"

    - name: Package Install - RHEL8 - KDE
      yum:
        state: installed
        name:
          - "@base-x"
      when: desktop_environment == "kde"

    # NOTE: Requires `ansible-galaxy install geerlingguy.repo-epel
    - name: Install EPEL8
      import_role:
        name: 'geerlingguy.repo-epel'

    - name: Package Install - EPEL8 - Common
      yum:
        state: installed
        name: "{{ packages_epel8_common }}"

    - name: Package Install - EPEL8 - GNOME
      yum:
        state: installed
        name:
          - gnome-shell-extension-system-monitor-applet
          - NetworkManager-openvpn-gnome
      when: desktop_environment == "gnome"

    - name: Package Install - EPEL8 - KDE
      yum:
        state: installed
        name:
          - "@kde-desktop-environment"
          - okular
          - ark
          - sddm
          - terminus-fonts
      when: desktop_environment == "kde"

    - name: Setup CSB Repo
      template:
        src: templates/rhel8-csb.repo.j2
        dest: /etc/yum.repos.d/rhel8-csb.repo

    - name: Package Install - CSB RHEL8
      yum:
        state: installed
        name:
          - oneplay-gstreamer-codecs-pack
          - ffmpeg-libs
          - redhat-internal-openvpn-profiles
          - redhat-internal-NetworkManager-openvpn-profiles
          - redhat-internal-NetworkManager-openvpn-profiles-non-gnome
          - redhat-internal-wireless-config
          - redhat-internal-cert-install

    - name: Ensure SELinux Enforcing
      selinux:
        policy: targeted
        state: enforcing

    - name: Enable container_manage_cgroup for running systemd in podman containers
      seboolean:
        name: container_manage_cgroup
        state: true
        persistent: true

    - name: Check crypto policies
      shell: update-crypto-policies --show
      changed_when: false
      register: crypto_policies

    # should upgrade to FUTURE, but then RHN doesn't work because metadata
    # checksum is too weak
    - name: Set crypto policies to DEFAULT
      shell: update-crypto-policies --set DEFAULT
      when: "crypto_policies['stdout'] != 'DEFAULT'"

    - name: Set powersave when configuring a laptop
      when: ansible_form_factor in mobile_form_factors
      block:
        - name: Create powertop2tuned tuned profile
          shell: powertop2tuned --enable powertop2tuned
          args:
            creates: /etc/tuned/powertop2tuned/tuned.conf

        - name: Get tuned profile
          slurp:
            src: /etc/tuned/active_profile
          register: tuned_active_profile

        - debug:
            msg: "{{ tuned_active_profile['content'] | b64decode | trim }}"

        - name: tuned-adm set powertop2tuned
          shell: /usr/sbin/tuned-adm profile powertop2tuned
          when: "tuned_active_profile['content'] | b64decode | trim != 'powertop2tuned'"

    - name: Apply iwlwifi settings
      copy:
        src: files/iwlwifi.conf
        dest: /etc/modprobe.d/iwlwifi.conf

    - name: Set container registry settings
      copy:
        src: files/registries.conf
        dest: /etc/containers/registries.conf

    - name: force Xorg, Wayland still has a ways to go :(
      copy:
        src: files/etc_gdm_custom.conf
        dest: /etc/gdm/custom.conf

    - name: Disable ssh and rpcbind because reasons
      systemd:
        name: "{{ item }}"
        state: stopped
        masked: true
        enabled: false
      loop:
        - sshd
        - rpcbind

    - name: Ensure various ports are not open
      firewalld:
        service: "{{ item }}"
        permanent: yes
        immediate: yes
        state: disabled
      loop:
        - cockpit
        - ssh

    - name: Make sure non_root_user user is in mock
      user:
        name: "{{ non_root_user }}" 
        groups: mock
        append: yes

    - name: Allow non-root user access to libvirt via polkit
      template:
        src: templates/non_root_user_libvirt_polkit.j2
        dest: /etc/polkit-1/rules.d/50-org.libvirt.unix.manage.rules
      notify:
        - reload polkit

    - name: Allow non-root user access to NetworkManager
      template:
        src: templates/network_manager_polkit.j2
        dest: /etc/polkit-1/rules.d/10-network-manager.pkla
      notify:
        - reload polkit

    - name: enable journald persistent storage
      file:
        path: /var/log/journal
        state: directory

    - name: Set /usr/bin/python to /usr/bin/python3 via alternatives
      alternatives:
        name: python
        path: /usr/bin/python3

    - name: Start/enable earlyoom
      service:
        name: earlyoom
        state: started
        enabled: yes

#   - name: setup BOINC client for world community grid when it's not a laptop
#     import_role:
#       name: worldcommunitygrid
#     when: ansible_form_factor not in mobile_form_factors

    - name: switch to SDDM
      when: desktop_environment == "kde"
      block:
        - name: disable gdm
          systemd:
            name: gdm
            enabled: false
        - name: enable sddm
          systemd:
            name: sddm
            enabled: true

    - name: import common flatpak app install set
      import_tasks: include_tasks/flatpak_common.yml

    - name: GNOME Flatpaks
      import_tasks: include_tasks/flatpak_gnome.yml
      when: desktop_environment == "gnome"

    - name: import kde flatpak app install set
      import_tasks: include_tasks/flatpak_kde.yml
      when: desktop_environment == "kde"

  handlers:
    - name: reload polkit
      service:
        name: polkit
        state: restarted

- name: RHEL8 Workstation / Server w/ GUI Setup / Laptop / Whatever - User Stuff
  hosts: localhost
  become_user: admiller
  become: yes
  tasks:
    - name: import user dev stuff
      import_tasks: include_tasks/user_stuff.yml

    - name: GNOME user stuff
      when: desktop_environment == "gnome"
      block:
        - name: unset GNOME Shell app switching
          shell: gsettings set org.gnome.desktop.wm.keybindings switch-applications '[]'
          changed_when: no
        - name: change GNOME Shell window switching to alt+tab
          shell: gsettings set org.gnome.desktop.wm.keybindings switch-windows '["<Alt>Tab"]'
          changed_when: no