Add initial structure for workstation role

skylab/core/playbooks/configure.yaml

@@ -38,3 +38,10 @@
   roles:
     - role: skylab.core.dashboard
       dashboard_hostname: "{{ skylab_dashboard }}"
+
+
+- name: Configure workstations
+  hosts: workstation
+  gather_facts: false
+  roles:
+    - role: skylab.core.workstation

skylab/core/playbooks/files/global.sh

@@ -5,8 +5,9 @@ function _parse_git_branch() {
 export PS1="\[\e[0;97m\]\[\e[37m\e[1m\]\u\[\e[1;94m\]@\[\e[94m\]\H\[\e[37m\]:\w\[\e[33m\]\[\e[0;33m\]\$(_parse_git_branch) \[\e[37m\]\[\e[0;97m\]$\[\e[0m\] "
 export rc=/home/$USERNAME/.bashrc
 export VIRTUALENV_DIR=/home/$USERNAME/.venvs
+export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt
 
-random() {
+function random() {
      if [[ $# -eq 0 ]]; then
           num=32
      else
@@ -19,9 +20,10 @@ function up() { cd $(eval printf '../'%.0s {1..$1}); }
 
 function pipin() { pip freeze | grep $1; }
 
+function continuous () { while true; do ${@}; sleep 3; done; }
+
 alias bk='cd -'
 alias fuck='sudo $(history -p \!\!)'
-alias ls='ls -lshF --color --group-directories-first --time-style=long-iso'
 alias version='uname -orp && lsb_release -a | grep Description'
 alias activate='source ./bin/activate'
 alias cls='clear'
@@ -32,3 +34,4 @@ alias whatismyip='curl https://icanhazip.com/'
 alias uuid="python3 -c 'import uuid; print(uuid.uuid4());'"
 alias epoch="python3 -c 'import time; print(time.time());'"
 alias uptime="command uptime --pretty"
+alias unmount="umount"

skylab/core/playbooks/tasks/meta/bootstrap-remote-env.yaml

@@ -1,10 +1,12 @@
 ---
 - name: Install CentOS 8 python bindings
-  when: ansible_distribution == "Rocky"
+  when: ansible_distribution == "Rocky" or ansible_distribution == "Fedora"
   become: true
   ansible.builtin.dnf:
     state: present
     name:
+      - libffi-devel
+      - python3-devel
       - python3-libselinux
       - python3-policycoreutils
       - python3-firewall

skylab/core/playbooks/tasks/meta/runtime-group-determination.yaml

@@ -6,7 +6,7 @@
     key: edgeos
 
 - name: Group supported Linux hosts
-  when: ansible_distribution == "Rocky"
+  when: ansible_distribution == "Rocky" or ansible_distribution == "Fedora"
   changed_when: false
   group_by:
     key: linux

skylab/core/playbooks/templates/docker-compose/meta.yaml.j2

@@ -76,3 +76,24 @@ services:
       restart_policy:
         condition: any
         delay: 24h
+
+  backup:
+    image: rockylinux:latest
+    hostname: backup
+    command: bash /datastore/backup/mkbkup.sh /datastore/
+    networks:
+      - meta
+    volumes:
+      - type: volume
+        source: meta-backup
+        target: /datastore/backup
+        read_only: false
+      - type: volume
+        source: meta-appdata
+        target: /datastore/appdata
+        read_only: true
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: 24h

skylab/core/playbooks/templates/docker-compose/photoprism.yaml.j2

@@ -0,0 +1,113 @@
+---
+version: '3.7'
+
+volumes:
+  photoprism-database:
+    name: datastore/appdata/photoprism/database
+    driver: glusterfs
+  photoprism-metadata:
+    name: datastore/appdata/photoprism/metadata
+  photoprism-originals:
+    name: datastore/media/photoprism
+    driver: glusterfs
+  photoprism-import:
+    name: datastore/media/upload
+    driver: glusterfs
+
+networks:
+  photoprism:
+    internal: true
+    name: photoprism
+    driver: overlay
+    ipam:
+      driver: default
+      config:
+        - subnet: 192.168.109.0/24
+
+services:
+  app:
+    image: photoprism/photoprism:latest
+    hostname: app
+    depends_on:
+      - database
+    networks:
+      - photoprism
+    ports:
+      - published: 2342
+        target: 2342
+        protocol: tcp
+        mode: ingress
+    environment:
+      PHOTOPRISM_ADMIN_PASSWORD: "gm2auW34GNawZ8Dqiub8W8vOlvsHCnfj"
+      PHOTOPRISM_SITE_URL: "http://cluster.skylab.enp.one:2342/"
+      PHOTOPRISM_ORIGINALS_LIMIT: 5000
+      PHOTOPRISM_HTTP_COMPRESSION: "gzip"
+      PHOTOPRISM_DEBUG: "false"
+      PHOTOPRISM_PUBLIC: "false"
+      PHOTOPRISM_READONLY: "false"
+      PHOTOPRISM_EXPERIMENTAL: "false"
+      PHOTOPRISM_DISABLE_CHOWN: "false"
+      PHOTOPRISM_DISABLE_WEBDAV: "false"
+      PHOTOPRISM_DISABLE_SETTINGS: "false"
+      PHOTOPRISM_DISABLE_TENSORFLOW: "false"
+      PHOTOPRISM_DISABLE_FACES: "false"
+      PHOTOPRISM_DISABLE_CLASSIFICATION: "false"
+      PHOTOPRISM_DARKTABLE_PRESETS: "false"
+      PHOTOPRISM_DETECT_NSFW: "false"
+      PHOTOPRISM_UPLOAD_NSFW: "true"
+      PHOTOPRISM_DATABASE_DRIVER: "mysql"
+      PHOTOPRISM_DATABASE_SERVER: "database:3306"
+      PHOTOPRISM_DATABASE_NAME: "photoprism"
+      PHOTOPRISM_DATABASE_USER: "photoprism"
+      PHOTOPRISM_DATABASE_PASSWORD: "KcIKhME9OwWKVz4tGyqI4VXzyDBs33Xp"       # MariaDB or MySQL database user password
+      PHOTOPRISM_SITE_TITLE: "Skylab Images"
+      PHOTOPRISM_SITE_CAPTION: "Browse Your Life"
+      PHOTOPRISM_SITE_DESCRIPTION: ""
+      PHOTOPRISM_SITE_AUTHOR: "EN Paul"
+      HOME: "/photoprism"
+      PHOTOPRISM_UID: 1408
+      PHOTOPRISM_GID: 1408
+      ## Hardware video transcoding config (optional)
+      # PHOTOPRISM_FFMPEG_BUFFERS: "64"              # FFmpeg capture buffers (default: 32)
+      # PHOTOPRISM_FFMPEG_BITRATE: "32"              # FFmpeg encoding bitrate limit in Mbit/s (default: 50)
+      # PHOTOPRISM_FFMPEG_ENCODER: "h264_v4l2m2m"    # Use Video4Linux for AVC transcoding (default: libx264)
+      # PHOTOPRISM_FFMPEG_ENCODER: "h264_qsv"        # Use Intel Quick Sync Video for AVC transcoding (default: libx264)
+      # PHOTOPRISM_INIT: "intel-graphics tensorflow-amd64-avx2" # Enable TensorFlow AVX2 & Intel Graphics support
+      ## Enable TensorFlow AVX2 support for modern Intel CPUs (requires starting the container as root)
+      # PHOTOPRISM_INIT: "tensorflow-amd64-avx2"
+    user: "1408:1408"
+    working_dir: "/photoprism"
+    volumes:
+      - type: volume
+        source: photoprism-originals
+        target: /photoprism/originals
+        read_only: false
+      - type: volume
+        source: photoprism-metadata
+        target: /photoprism/storage
+        read_only: false
+      - type: volume
+        source: photoprism-import
+        target: /photoprism/import
+        read_only: true
+    deploy:
+      replicas: 1
+
+  database:
+    image: mariadb:10.6
+    hostname: database
+    command: mysqld --innodb-buffer-pool-size=128M --transaction-isolation=READ-COMMITTED --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --max-connections=512 --innodb-rollback-on-timeout=OFF --innodb-lock-wait-timeout=120
+    networks:
+      - photoprism
+    volumes:
+      - type: volume
+        source: photoprism-database
+        target: /var/lib/mysql
+        read_only: false
+    environment:
+      MYSQL_ROOT_PASSWORD: insecure
+      MYSQL_DATABASE: photoprism
+      MYSQL_USER: photoprism
+      MYSQL_PASSWORD: KcIKhME9OwWKVz4tGyqI4VXzyDBs33Xp
+    deploy:
+      replicas: 1

skylab/core/playbooks/templates/stack-nginx.conf.j2

@@ -0,0 +1,34 @@
+# Ansible managed file - do not manually edit
+#
+server {
+    server_name  {{ app.publish.domain }};
+    root         /usr/share/nginx/html;
+
+    location / {
+        proxy_pass        http://dockerloopback:{{ app.publish.http }}/;
+        proxy_set_header  Host $host;
+    }
+
+    listen 443           ssl;
+    ssl_certificate      /etc/letsencrypt/live/{{ app.publish.domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ app.publish.domain }}/privkey.pem;
+    include              /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam          /etc/letsencrypt/ssl-dhparams.pem;
+}
+
+server {
+    listen	 80;
+    listen	 [::]:80;
+    server_name  {{ app.publish.domain }};
+
+    location ^~ /.well-known/acme-challenge/ {
+        proxy_pass        http://dockerloopback:8088/.well-known/acme-challenge/;
+        proxy_set_header  Host $host;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# EOF

skylab/core/playbooks/update.yaml

@@ -24,7 +24,7 @@
     - vars/packages.yaml
   tasks:
     - name: Update system packages via DNF
-      when: ansible_distribution == "Rocky"
+      when: ansible_distribution == "Rocky" or ansible_distribution == "Fedora"
       become: true
       ansible.builtin.dnf:
         name: "*"
@@ -39,7 +39,7 @@
         group: "{{ ansible_user }}"
         mode: 0644
 
-    - name: Install universal packages
+    - name: Install universal packages on Rocky
       when: ansible_distribution == "Rocky"
       become: true
       ansible.builtin.dnf:
@@ -47,6 +47,14 @@
         state: present
         update_cache: true
 
+    - name: Install universal packages on Fedora
+      when: ansible_distribution == "Fedora"
+      become: true
+      ansible.builtin.dnf:
+        name: "{{ skylab_packages_global + skylab_packages_fedora }}"
+        state: present
+        update_cache: true
+
 
 - name: Update unix accounts
   hosts: linux
@@ -132,7 +140,7 @@
       ansible.builtin.set_fact:
         _determined_member_groups: "{{ _determined_member_groups | default({}) | combine({item.name: [
           skylab_group.name,
-          'wheel' if (item.admin | default(false) and ansible_distribution == 'Rocky') else '',
+          'wheel' if (item.admin | default(false) and ansible_os_family == 'RedHat') else '',
           'sudo' if (item.admin | default(false) and ansible_os_family == 'Debian') else '',
           skylab_group_admin.name if item.admin | default(false) else '',
           skylab_group_automation.name if item.service | default(false) else '',
@@ -151,7 +159,11 @@
         groups: "{{ _determined_member_groups[item.name] }}"
         comment: "{{ item.fullname | default('') }}"
         system: "{{ item.service | default(false) }}"
-        generate_ssh_key: false
+        generate_ssh_key: true
+        ssh_key_bits: 4096
+        ssh_key_passphrase: "{{ item.password }}"
+        ssh_key_comment: "{{ item.name }}@{{ inventory_hostname }}"
+        ssh_key_type: ed25519
         password: "{{ item.password }}"
       loop: "{{ _active_accounts }}"
       loop_control:

skylab/core/playbooks/vars/access.yaml

@@ -3,13 +3,13 @@ skylab_accounts:
   - name: enpaul
     uid: 1300
     fullname: Ethan N. Paul
-    targets: [network, datastore, cluster, cloud]
+    targets: [network, datastore, cluster, cloud, workstation]
     admin: true
     password: $6$H7jZEL2Ey93zfMTD$CzUlZkXDudPHgUMU/OFUn8/Yhzo8nBxoSI8thD15toIFlWN.iUfq/Jp5z3KpDCGTxyv.IbRTvE8dOVWjoRfgJ.
 
   - name: ansible
     uid: 1400
-    targets: [network, datastore, cluster, cloud]
+    targets: [network, datastore, cluster, cloud, workstation]
     admin: true
     service: true
     password: $6$qNKmYg4y9YS4f5Gr$m0mAqEVbymPguj.1cS.pfclt33Okfmn1KhFC0r1iQ3eVvz/OIZY3x0qGmPnJ1zOXDWyKKs5hnlGTAeZgCh49C.

skylab/core/playbooks/vars/packages.yaml

@@ -27,3 +27,9 @@ skylab_packages_rocky:
   - python3-virtualenv
   - systemd-networkd
   - wget
+
+skylab_packages_fedora:
+  - bind-utils
+  - nc
+  - nfs-utils
+  - wget

skylab/core/roles/workstation/files/00-disable-user-list

@@ -0,0 +1,2 @@
+[org/gnome/login-screen]
+disable-user-list=true

skylab/core/roles/workstation/files/00-enable-fractional-scaling

@@ -0,0 +1,2 @@
+[org/gnome/mutter]
+experimental-features=['scale-monitor-framebuffer']

skylab/core/roles/workstation/files/bashrc.sh

@@ -0,0 +1,44 @@
+if [ -f `which powerline-daemon` ]; then
+        powerline-daemon -q
+        POWERLINE_BASH_CONTINUATION=1
+        POWERLINE_BASH_SELECT=1
+        . /usr/share/powerline/bash/powerline.sh
+fi
+
+export NVM_DIR="$HOME/.nvm"
+
+function gg() {
+  cd ~/Git/$1;
+  if [ -f ~/Git/$1/pyproject.toml ]; then
+    poetry shell;
+  fi
+}
+
+mpw() {
+    _copy() {
+	if hash pbcopy 2>/dev/null; then
+            pbcopy
+        elif hash xclip 2>/dev/null; then
+            xclip -selection clip
+        else
+            cat; echo 2>/dev/null
+            return
+        fi
+	echo >&2 "Copied!"
+    }
+
+    # Empty the clipboard
+    :| _copy 2>/dev/null
+
+    # Ask for the user's name and password if not yet known.
+    MPW_FULLNAME="Ethan Paul"
+
+    # Start Master Password and copy the output.
+    printf %s "$(MPW_FULLNAME=$MPW_FULLNAME command mpw "$@")" | _copy
+}
+
+alias explorer='nautilus'
+alias doc='cd ~/Documents'
+alias dn='cd ~/Downloads'
+alias prun="poetry run"
+alias psync="poetry install --remove-untracked"

skylab/core/roles/workstation/files/gdm-system

@@ -0,0 +1,3 @@
+user-db:user
+system-db:gdm
+file-db:/usr/share/gdm/greeter-dconf-defaults

skylab/core/roles/workstation/files/gdm-user

@@ -0,0 +1,2 @@
+user-db:user
+system-db:local

skylab/core/roles/workstation/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: dconf-update
+  become: true
+  changed_when: true
+  ansible.builtin.command:
+    cmd: dconf update

skylab/core/roles/workstation/tasks/environment.yml

@@ -0,0 +1,110 @@
+---
+- name: Install user bashrc
+  become: true
+  ansible.builtin.copy:
+    src: bashrc.sh
+    dest: ~{{ item }}/.bashrc_ansible
+    owner: "{{ ansible_user }}"
+    group: "{{ item }}"
+    mode: 0644
+  loop: "{{ _local_human_users }}"
+
+- name: Configure user bashrc loading
+  become: true
+  ansible.builtin.lineinfile:
+    path: ~{{ item }}/.bashrc
+    line: source ~/.bashrc_ansible
+    state: present
+  loop: "{{ _local_human_users }}"
+
+- name: Enforce ownership of the SSH keys
+  become: true
+  ansible.builtin.file:
+    path: ~{{ item.0 }}/.ssh/id_ed25519{{ item.1 }}
+    state: file
+    owner: "{{ item.0 }}"
+    group: "{{ item.0 }}"
+  loop: "{{ _local_human_users | product(['', '.pub']) }}"
+
+- name: Configure dconf setting
+  become: true
+  block:
+    - name: Create dconf config directories
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: directory
+        owner: root
+        group: "{{ ansible_user }}"
+        mode: 0755
+      loop:
+        - /etc/dconf/profile
+        - /etc/dconf/db/gdm.d
+
+    - name: Create global dconf config
+      ansible.builtin.copy:
+        src: gdm-system
+        dest: /etc/dconf/profile/gdm
+        owner: root
+        group: "{{ ansible_user }}"
+        mode: 0644
+      notify:
+        - dconf-update
+
+    - name: Create user dconf config
+      ansible.builtin.copy:
+        src: gdm-user
+        dest: /etc/dconf/profile/user
+        owner: root
+        group: "{{ ansible_user }}"
+        mode: 0644
+      notify:
+        - dconf-update
+
+    - name: Disable user list
+      ansible.builtin.copy:
+        src: 00-disable-user-list
+        dest: /etc/dconf/db/gdm.d/00-disable-user-list
+        owner: root
+        group: "{{ ansible_user }}"
+        mode: 0644
+      notify:
+        - dconf-update
+
+    - name: Enable fractional scaling
+      ansible.builtin.copy:
+        src: 00-enable-fractional-scaling
+        dest: /etc/dconf/db/local.d/00-enable-fractional-scaling
+        owner: root
+        group: "{{ ansible_user }}"
+        mode: 0644
+      notify:
+        - dconf-update
+
+- name: Install themes
+  become: true
+  block:
+    - name: Create local themes directory
+      ansible.builtin.file:
+        path: ~{{ item }}/.themes
+        state: directory
+        owner: "{{ item }}"
+        group: "{{ item }}"
+        mode: 0750
+      loop: "{{ _local_human_users }}"
+
+    - name: Unarchive LightningBug into local directory
+      ansible.builtin.unarchive:
+        src: lightningbug-dark.tar.gz
+        dest: ~{{ item }}/.themes
+        owner: "{{ item }}"
+        group: "{{ item }}"
+      loop: "{{ _local_human_users }}"
+
+- name: Install wallpaper
+  become: true
+  ansible.builtin.copy:
+    src: "{{ inventory_hostname }}-wallpaper.jpg"
+    dest: ~{{ item }}/Pictures/wallpaper.jpg
+    owner: "{{ item }}"
+    group: "{{ item }}"
+  loop: "{{ _local_human_users }}"

skylab/core/roles/workstation/tasks/install_mpw.yml

@@ -0,0 +1,59 @@
+---
+- name: Check for MPW binary
+  ansible.builtin.stat:
+    path: /usr/local/bin/mpw
+  register: _mpw_binary_stat
+
+- name: Install MPW
+  when: (not _mpw_binary_stat.stat.exists) or (force_reinstall | default(false))
+  block:
+    - name: Install build dependencies on Fedora
+      when: ansible_distribution == "Fedora"
+      become: true
+      ansible.builtin.dnf:
+        name:
+          - libsodium-devel
+        state: present
+
+    - name: Create temporary build directory
+      ansible.builtin.tempfile:
+        prefix: ansible.build.mpw
+        state: directory
+      register: _mpw_build_dir
+
+    - name: Download MPW source
+      ansible.builtin.git:
+        repo: https://gitlab.com/MasterPassword/MasterPassword.git
+        version: 344771db
+        recursive: false  # does *not* clone submodules
+        dest: "{{ _mpw_build_dir.path }}"
+
+    # God I hate this
+    - name: Patch .gitmodules to use HTTPS
+      ansible.builtin.replace:
+        path: "{{ _mpw_build_dir.path }}/.gitmodules"
+        regexp: "url = git://"
+        replace: "url = https://"
+
+    - name: Initialize submodules
+      ansible.builtin.command:
+        cmd: git submodule update --init
+        chdir: "{{ _mpw_build_dir.path }}"
+
+    - name: Build MasterPassword binary
+      ansible.builtin.command:
+        cmd: bash build
+        chdir: "{{ _mpw_build_dir.path }}/platform-independent/cli-c/"
+
+    - name: Copy binary to system path
+      become: true
+      ansible.builtin.copy:
+        remote_src: true
+        src: "{{ _mpw_build_dir.path }}/platform-independent/cli-c/mpw"
+        dest: "/usr/local/bin"
+        mode: 0755
+  always:
+    - name: Remove temporary directory
+      ansible.builtin.file:
+        path: "{{ _mpw_build_dir.path }}"
+        state: absent

skylab/core/roles/workstation/tasks/install_multimc.yml

@@ -0,0 +1,79 @@
+---
+- name: Check whether binary exists
+  become: true
+  ansible.builtin.stat:
+    path: "~{{ local_username }}/.local/bin/MultiMC"
+  register: _multimc_stat
+
+- name: Install MultiMC
+  when: (not _multimc_stat.stat.exists) or (force_reinstall | default(false))
+  block:
+    - name: Create temp dir
+      ansible.builtin.tempfile:
+        state: directory
+      register: _multimc_tempdir
+
+    - name: Download and unpack distribution archive
+      ansible.builtin.unarchive:
+        src: https://files.multimc.org/downloads/mmc-stable-lin64.tar.gz
+        remote_src: true
+        dest: "{{ _multimc_tempdir.path }}"
+
+    - name: Ensure ~/.local/share/ exists
+      become: true
+      ansible.builtin.file:
+        path: ~{{ local_username }}/.local/share
+        state: directory
+        owner: "{{ local_username }}"
+        group: "{{ local_username }}"
+        mode: 0700
+
+    - name: Ensure ~/.local/bin/ exists
+      become: true
+      ansible.builtin.file:
+        path: ~{{ local_username }}/.local/bin
+        state: directory
+        owner: "{{ local_username }}"
+        group: "{{ local_username }}"
+        mode: 0700
+
+    - name: Copy MMC distribution to ~/.local/share/
+      become: true
+      ansible.builtin.copy:
+        remote_src: true
+        src: "{{ _multimc_tempdir.path }}/MultiMC/"
+        dest: "~{{ local_username }}/.local/share/multimc"
+        owner: "{{ local_username }}"
+        group: "{{ local_username }}"
+        mode: 0700
+
+    - name: Link MMC binary into ~/.local/bin/
+      become: true
+      ansible.builtin.file:
+        state: link
+        src: ~{{ local_username }}/.local/share/multimc/MultiMC
+        path: ~{{ local_username }}/.local/bin/MultiMC
+
+    - name: Copy application icon
+      become: true
+      ansible.builtin.copy:
+        src: multimc.png
+        dest: ~{{ local_username }}/.local/share/icons/multimc.png
+        owner: "{{ local_username }}"
+        group: "{{ local_username }}"
+        mode: 0755
+
+    - name: Template application desktop entry
+      become: true
+      ansible.builtin.template:
+        src: multimc.desktop.j2
+        dest: ~{{ local_username }}/.local/share/applications/multimc.desktop
+        owner: "{{ local_username }}"
+        group: "{{ local_username }}"
+        mode: 0755
+
+  always:
+    - name: Delete temp dir
+      ansible.builtin.file:
+        path: "{{ _multimc_tempdir.path }}"
+        state: absent

skylab/core/roles/workstation/tasks/install_pipx.yml

@@ -0,0 +1,27 @@
+---
+- name: Create install directory
+  become: true
+  ansible.builtin.file:
+    path: /opt/pipx
+    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ skylab_group_admin.name }}"
+    mode: 0755
+
+- name: Create install venv
+  ansible.builtin.command:
+    cmd: python3 -m venv /opt/pipx
+    creates: /opt/pipx/bin/python
+
+- name: Install pipx
+  ansible.builtin.pip:
+    name:
+      - pipx
+    executable: /opt/pipx/bin/pip
+
+- name: Link pipx binary into system path
+  become: true
+  ansible.builtin.file:
+    state: link
+    src: /opt/pipx/bin/pipx
+    path: /usr/local/bin/pipx

skylab/core/roles/workstation/tasks/install_poetry.yml

@@ -0,0 +1 @@
+---

skylab/core/roles/workstation/tasks/install_tor_browser.yml

@@ -0,0 +1,53 @@
+---
+- name: Check whether Tor Browser is already installed
+  become: true
+  ansible.builtin.stat:
+    path: "~{{ local_username }}/.local/share/tor-browser/start-tor-browser.desktop"
+  register: _torbrowser_stat
+
+- name: Install Tor Browser
+  when: not _torbrowser_stat.stat.exists
+  block:
+    - name: Create temp dir
+      ansible.builtin.tempfile:
+        state: directory
+      register: _torbrowser_tempdir
+
+    - name: Download and unpack distribution archive
+      ansible.builtin.unarchive:
+        src: https://dist.torproject.org/torbrowser/11.0.10/tor-browser-linux64-11.0.10_en-US.tar.xz
+        remote_src: true
+        dest: "{{ _torbrowser_tempdir.path }}"
+
+    - name: Ensure ~/.local/share/ exists
+      become: true
+      ansible.builtin.file:
+        path: ~{{ local_username }}/.local/share
+        state: directory
+        owner: "{{ local_username }}"
+        group: "{{ local_username }}"
+        mode: 0700
+
+    - name: Copy Tor Browser distribution to ~/.local/share/
+      become: true
+      ansible.builtin.copy:
+        remote_src: true
+        src: "{{ _torbrowser_tempdir.path }}/tor-browser_en-US/"
+        dest: "~{{ local_username }}/.local/share/tor-browser"
+        owner: "{{ local_username }}"
+        group: "{{ local_username }}"
+        mode: 0700
+
+    - name: Register application
+      become: true
+      become_user: "{{ local_username }}"
+      changed_when: true
+      ansible.builtin.command:
+        cmd: ./start-tor-browser.desktop
+        chdir: ~{{ local_username }}/.local/share/tor-browser
+
+  always:
+    - name: Delete temp dir
+      ansible.builtin.file:
+        path: "{{ _torbrowser_tempdir.path }}"
+        state: absent

skylab/core/roles/workstation/tasks/main.yml

@@ -0,0 +1,40 @@
+---
+- name: Include access vars
+  ansible.builtin.include_vars:
+    file: vars/access.yaml
+
+- name: Determine local user accounts
+  when: skylab_targets | intersect(item.targets | default([]))
+  vars:
+    _local_users: []
+  ansible.builtin.set_fact:
+    _local_users: "{{ _local_users + [item] }}"
+  loop: "{{ skylab_accounts }}"
+  loop_control:
+    label: "{{ item.name }},{{ item.uid }}"
+
+- name: Determine local human user accounts
+  when: not (item.service | default(false))
+  vars:
+    _local_human_users: []
+  ansible.builtin.set_fact:
+    _local_human_users: "{{ _local_human_users + [item.name] }}"
+  loop: "{{ _local_users }}"
+  loop_control:
+    label: "{{ item.name }},{{ item.uid }}"
+
+- name: Determine local admin user accounts
+  when: item.admin | default(false)
+  vars:
+    _local_admin_users: []
+  ansible.builtin.set_fact:
+    _local_admin_users: "{{ _local_admin_users + [item.name] }}"
+  loop: "{{ _local_users }}"
+  loop_control:
+    label: "{{ item.name }},{{ item.uid }}"
+
+- name: Install software
+  ansible.builtin.import_tasks: software.yml
+
+- name: Configure environment
+  ansible.builtin.import_tasks: environment.yml

skylab/core/roles/workstation/tasks/software.yml

@@ -0,0 +1,120 @@
+---
+- name: Install repositories on Fedora
+  become: true
+  when: ansible_distribution == "Fedora"
+  block:
+    - name: Install RPMFusion repositories
+      ansible.builtin.dnf:
+        name:
+          - https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-{{ ansible_distribution_major_version }}.noarch.rpm
+          - https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-{{ ansible_distribution_major_version }}.noarch.rpm
+        state: present
+        disable_gpg_check: true
+
+    - name: Install Docker CE repository
+      ansible.builtin.yum_repository:
+        name: docker-ce-stable
+        description: Docker CE Stable - $basearch
+        baseurl: https://download.docker.com/linux/fedora/$releasever/$basearch/stable
+        enabled: true
+        gpgcheck: true
+        gpgkey: https://download.docker.com/linux/fedora/gpg
+
+    - name: Install VSCode repository
+      ansible.builtin.yum_repository:
+        name: vscode
+        description: Visual Studio Code
+        baseurl: https://packages.microsoft.com/yumrepos/vscode
+        enabled: true
+        gpgcheck: true
+        gpgkey: https://packages.microsoft.com/keys/microsoft.asc
+
+    - name: Enable Signal-Desktop COPR repository
+      community.general.copr:
+        name: luminoso/Signal-Desktop
+        state: enabled
+
+- name: Install packages on Fedora
+  become: true
+  when: ansible_distribution == "Fedora"
+  ansible.builtin.dnf:
+    name:
+      - cmake
+      - code  # visual studio code
+      - deluge
+      - docker-ce
+      - gcc
+      - gcc-c++
+      - gnome-tweaks
+      - gnome-shell-extension-material-shell
+      - gnome-shell-extension-openweather
+      - gnome-shell-extension-system-monitor-applet
+      - gnome-shell-extension-vertical-overview
+      - gnupg2
+      - guvcview
+      - java-17-openjdk
+      - jq
+      - libffi-devel
+      - libvirt
+      - libvirt-devel
+      - libxml2-devel
+      - mediawriter
+      - ncurses-devel
+      - NetworkManager-tui
+      - pinta
+      - powerline
+      - python27
+      - python36
+      - python37
+      - python38
+      - python39
+      - python310
+      - ShellCheck
+      - signal-desktop
+      - steam
+      - systemd-devel
+      - texlive-fontawesome5
+      - texlive-roboto
+      - texlive-scheme-tetex
+      - texlive-sourcesanspro
+      - virt-manager
+      - vlc
+      - xclip
+      - yarnpkg
+    state: present
+
+- name: Install unsigned packages on Fedora
+  when: ansible_distribution == "Fedora"
+  become: true
+  ansible.builtin.dnf:
+    name:
+      # draw.io/diagrams.net
+      - https://github.com/jgraph/drawio-desktop/releases/download/v17.4.2/drawio-x86_64-17.4.2.rpm
+      # zoom
+      - https://zoom.us/client/latest/zoom_x86_64.rpm
+    state: present
+    disable_gpg_check: true
+
+- ansible.builtin.import_tasks: install_mpw.yml
+- ansible.builtin.import_tasks: install_nvm.yml
+- ansible.builtin.import_tasks: install_pipx.yml
+- ansible.builtin.import_tasks: install_poetry.yml
+- ansible.builtin.import_tasks: install_postman.yml
+- ansible.builtin.import_tasks: install_rustup.yml
+- ansible.builtin.import_tasks: install_typora.yml
+
+# It is now day eight hundred and thirty nine of begging the ansible devs to let
+# me loop over blocks. pls bcoca i have a family
+- name: Install Tor Browser
+  ansible.builtin.include_tasks:
+    file: install_tor_browser.yml
+  loop: "{{ _local_human_users }}"
+  loop_control:
+    loop_var: local_username
+
+- name: Install MultiMC
+  ansible.builtin.include_tasks:
+    file: install_multimc.yml
+  loop: "{{ _local_human_users }}"
+  loop_control:
+    loop_var: local_username

skylab/core/roles/workstation/templates/multimc.desktop.j2

@@ -0,0 +1,9 @@
+[Desktop Entry]
+Name=MultiMC
+Comment=Minecraft environment manager
+Exec="/home/{{ local_username }}/.local/bin/MultiMC"
+Terminal=false
+Type=Application
+Icon="/home/{{ local_username }}/.local/share/icons/multimc.png"
+Categories=Gaming;Graphics;
+TryExec="/home/{{ local_username }}/.local/bin/MultiMC"