Feature/systemd

.editorconfig

@@ -0,0 +1,36 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 4
+
+[*.{yml,yaml}]
+indent_size = 2
+
+[*.json]
+indent_size = 2
+
+[*.md]
+trim_trailing_whitespace = false
+
+[*.sh]
+indent_size = 4
+
+[install-ansible]
+indent_size = 4
+
+[install-requirements]
+indent_size = 4
+
+[run-ansible]
+indent_size = 4
+
+[run-lint]
+indent_size = 4
+
+[nvidia/*]
+indent_size = 4

.github/workflows/ci.yml

@@ -0,0 +1,39 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  lint:
+    runs-on: ubuntu-24.04
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: |
+          ./install-requirements
+          ./install-ansible
+
+      - name: Run linters
+        run: ./run-lint --github-format
+
+      - name: Publish ansible-lint results
+        uses: github/codeql-action/upload-sarif@v4
+        if: >-
+          always() &&
+          !(github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork)
+        with:
+          sarif_file: ansible-lint.sarif
+          category: ansible-lint

.vscode/tasks.json

@@ -1,6 +1,52 @@
 {
   "version": "2.0.0",
   "tasks": [
+    {
+      "label": "ansible: install",
+      "type": "shell",
+      "command": "${workspaceFolder}/install-requirements && ${workspaceFolder}/install-ansible",
+      "presentation": {
+        "reveal": "always",
+        "panel": "dedicated",
+        "focus": true      },
+      "problemMatcher": []
+    },
+    {
+      "label": "ansible: lint",
+      "type": "shell",
+      "command": "${workspaceFolder}/run-lint",
+      "problemMatcher": [
+        {
+          "owner": "yamllint",
+          "fileLocation": "absolute",
+          "severity": "error",
+          "pattern": {
+            "regexp": "^(.+):(\\d+):(\\d+): \\[(error|warning)\\] (.+)$",
+            "file": 1,
+            "line": 2,
+            "column": 3,
+            "severity": 4,
+            "message": 5
+          }
+        },
+        {
+          "owner": "ansible-lint",
+          "fileLocation": "absolute",
+          "pattern": [
+            {
+              "regexp": "^([\\w-]+(?:\\[[\\w-]+\\])?): (.+)$",
+              "message": 2
+            },
+            {
+              "regexp": "^(.+):(\\d+)(?::(\\d+))? Task/Handler:",
+              "file": 1,
+              "line": 2,
+              "column": 3
+            }
+          ]
+        }
+      ]
+    },
     {
       "label": "ansible: run all roles",
       "type": "shell",

ansible/.yamllint.yml

@@ -0,0 +1,4 @@
+---
+rules:
+  line-length:
+    max: 120

ansible/ansible.cfg

@@ -1,12 +1,15 @@
 [defaults]
-inventory          = inventories/production/hosts.yml
-roles_path         = roles
-collections_path   = collections
-host_key_checking  = False
-retry_files_enabled  = False
-stdout_callback      = default
-INJECT_FACTS_AS_VARS = False
+inventory = inventories/production/hosts.yml
+roles_path = roles
+
+host_key_checking = False
+retry_files_enabled = False
+
+stdout_callback = ansible.builtin.default
+result_format = yaml
+
+inject_facts_as_vars = False
 
 [privilege_escalation]
-become       = True
+become = True
 become_method = sudo

ansible/playbooks/workstation.yml

@@ -6,6 +6,8 @@
   roles:
     - role: common
       tags: [common]
+    - role: systemd
+      tags: [systemd]
     - role: podman
       tags: [podman]
     - role: shell_config

ansible/roles/common/tasks/main.yml

@@ -14,8 +14,11 @@
   become: true
 
 - name: Dearmor NodeSource GPG key
-  ansible.builtin.command:
-    cmd: gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg /tmp/nodesource-repo.gpg.key
+  ansible.builtin.command: >
+    gpg --dearmor
+    -o /etc/apt/keyrings/nodesource.gpg
+    /tmp/nodesource-repo.gpg.key
+  args:
     creates: /etc/apt/keyrings/nodesource.gpg
   become: true
 

ansible/roles/git_config/tasks/main.yml

@@ -27,3 +27,4 @@
     block: |
       [include]
           path = {{ home_dir }}/.config/git/ansible_gitconfig
+    mode: "0644"

ansible/roles/podman/tasks/main.yml

@@ -13,7 +13,7 @@
     create: true
     mode: "0644"
   become: true
-  register: subuid_result
+  register: podman_subuid_result
 
 - name: Ensure subgid entry for rootless podman
   ansible.builtin.lineinfile:
@@ -23,7 +23,7 @@
     create: true
     mode: "0644"
   become: true
-  register: subgid_result
+  register: podman_subgid_result
 
 - name: Install podman-compose for user via pip
   ansible.builtin.pip:
@@ -49,9 +49,11 @@
     cmd: >
       podman system connection add --default podman-user
       unix:///run/user/{{ ansible_facts['user_uid'] }}/podman/podman.sock
-  register: podman_conn_result
-  changed_when: podman_conn_result.rc == 0
-  failed_when: podman_conn_result.rc != 0 and 'already exists' not in podman_conn_result.stderr
+  register: podman_connection_result
+  changed_when: podman_connection_result.rc == 0
+  failed_when:
+    - podman_connection_result.rc != 0
+    - "'already exists' not in podman_connection_result.stderr"
 
 - name: Ensure containers config directory exists
   ansible.builtin.file:
@@ -70,4 +72,5 @@
 - name: Migrate podman storage when subuid/subgid changed
   ansible.builtin.command:
     cmd: podman system migrate
-  when: subuid_result.changed or subgid_result.changed
+  changed_when: podman_subuid_result.changed or podman_subgid_result.changed
+  when: podman_subuid_result.changed or podman_subgid_result.changed

ansible/roles/shell_config/tasks/main.yml

@@ -105,9 +105,9 @@
 - name: Set fish as default shell for user (LDAP/SSSD compatible)
   ansible.builtin.command:
     cmd: chsh -s /usr/bin/fish
-  register: chsh_result
-  changed_when: chsh_result.rc == 0
-  failed_when: chsh_result.rc != 0
+  register: shell_config_chsh_result
+  changed_when: shell_config_chsh_result.rc == 0
+  failed_when: shell_config_chsh_result.rc != 0
   become: true
 
 - name: Ensure user fonts directory exists
@@ -116,9 +116,12 @@
     state: directory
     mode: "0755"
 
-- name: Download Hack Nerd Font
+- name: Download Nerd Font
+  vars:
+    nerd_font_url: >
+      https://github.com/ryanoasis/nerd-fonts/releases/latest/download/Hack.zip
   ansible.builtin.get_url:
-    url: https://github.com/ryanoasis/nerd-fonts/releases/latest/download/Hack.zip
+    url: "{{ nerd_font_url }}"
     dest: /tmp/Hack.zip
     mode: "0644"
 
@@ -137,10 +140,10 @@
 - name: Check if KDE Konsole is installed
   ansible.builtin.stat:
     path: /usr/bin/konsole
-  register: konsole_binary
+  register: shell_config_konsole_binary
 
 - name: Configure Konsole
-  when: konsole_binary.stat.exists
+  when: shell_config_konsole_binary.stat.exists
   block:
     - name: Ensure Konsole profiles directory exists
       ansible.builtin.file:

ansible/roles/systemd/files/NetworkManager-dns.conf

@@ -0,0 +1,2 @@
+[main]
+dns=systemd-resolved

ansible/roles/systemd/files/resolved.conf

@@ -0,0 +1,44 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it under the
+#  terms of the GNU Lesser General Public License as published by the Free
+#  Software Foundation; either version 2.1 of the License, or (at your option)
+#  any later version.
+#
+# Entries in this file show the compile time defaults. Local configuration
+# should be created by either modifying this file (or a copy of it placed in
+# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in
+# the /etc/systemd/resolved.conf.d/ directory. The latter is generally
+# recommended. Defaults can be restored by simply deleting the main
+# configuration file and all drop-ins located in /etc/.
+#
+# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
+#
+# See resolved.conf(5) for details.
+
+[Resolve]
+# Use DNS from DHCP – do NOT hardcode here unless you want to override
+#DNS=192.168.178.1
+
+# Optional public DNS fallback if DHCP DNS is unavailable
+FallbackDNS=1.1.1.1 8.8.8.8
+
+# Allow resolving local *.fritz.box hostnames
+Domains=fritz.box
+
+# Enable Multicast DNS (for `.local` discovery)
+MulticastDNS=yes
+
+# Disable LLMNR (legacy, usually unnecessary)
+LLMNR=no
+
+# Enable local DNS cache
+Cache=yes
+
+# Enable stub listener on 127.0.0.53 (used by NetworkManager)
+DNSStubListener=yes
+
+# DO NOT expose DNS to LAN unless you're intentionally running a server
+#DNSStubListenerExtra=192.168.100.1
+
+ReadEtcHosts=yes

ansible/roles/systemd/handlers/main.yml

@@ -0,0 +1,14 @@
+---
+- name: Restart NetworkManager
+  ansible.builtin.systemd:
+    name: NetworkManager
+    state: restarted
+  become: true
+  listen: Restart DNS services in order
+
+- name: Restart systemd-resolved
+  ansible.builtin.systemd:
+    name: systemd-resolved
+    state: restarted
+  become: true
+  listen: Restart DNS services in order

ansible/roles/systemd/tasks/main.yml

@@ -0,0 +1,53 @@
+---
+- name: Install systemd-resolved
+  ansible.builtin.apt:
+    name: systemd-resolved
+    state: present
+  become: true
+
+- name: Deploy systemd-resolved configuration
+  ansible.builtin.copy:
+    src: resolved.conf
+    dest: /etc/systemd/resolved.conf
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  notify: Restart DNS services in order
+
+- name: Enable and start systemd-resolved
+  ansible.builtin.systemd:
+    name: systemd-resolved
+    enabled: true
+    state: started
+  become: true
+
+- name: Ensure /etc/resolv.conf points to systemd-resolved stub
+  ansible.builtin.file:
+    src: /run/systemd/resolve/stub-resolv.conf
+    dest: /etc/resolv.conf
+    state: link
+    force: true
+  become: true
+
+- name: Configure NetworkManager to use systemd-resolved
+  when: ansible_facts.services['NetworkManager.service'] is defined
+  block:
+    - name: Ensure NetworkManager conf.d directory exists
+      ansible.builtin.file:
+        path: /etc/NetworkManager/conf.d
+        state: directory
+        owner: root
+        group: root
+        mode: "0755"
+      become: true
+
+    - name: Deploy NetworkManager DNS config
+      ansible.builtin.copy:
+        src: NetworkManager-dns.conf
+        dest: /etc/NetworkManager/conf.d/dns.conf
+        owner: root
+        group: root
+        mode: "0644"
+      become: true
+      notify: Restart DNS services in order