major refactoring

group_vars/silverblue.yml

@@ -1,15 +1,9 @@
-flatpak_remotes:
+services_flatpak_remotes:
-  flathub:
-    state: present
-    url: https://flathub.org/repo/flathub.flatpakrepo
   flathub-beta:
     state: present
     url: https://flathub.org/beta-repo/flathub-beta.flatpakrepo
-  fedora:
-    state: present
-    url: oci+https://registry.fedoraproject.org
 
-flatpak_flatpaks:
+services_flatpak_packages:
   com.belmoussaoui.Obfuscate:
     state: present
     remote: flathub
@@ -109,9 +103,6 @@ flatpak_flatpaks:
   org.libreoffice.LibreOffice:
     state: present
     remote: flathub
-  org.mozilla.firefox:
-    state: present
-    remote: flathub
   org.remmina.Remmina:
     state: absent
     remote: flathub
@@ -183,7 +174,7 @@ flatpak_flatpaks:
     state: present
     remote: fedora
 
-rpm_ostree_base_packages:
+rpm_ostree_basePackages:
   firefox:
     state: absent
   gnome-software-rpm-ostree:
@@ -195,7 +186,7 @@ rpm_ostree_kargs:
   'rd.luks.options=discard':
     state: absent
 
-rpm_ostree_layered_packages:
+rpm_ostree_layeredPackages:
   ansible:
     state: present
   atool:
@@ -254,10 +245,6 @@ rpm_ostree_layered_packages:
     state: present
   tmux:
     state: present
-  virt-manager:
-    state: present
-  libvirt-client:
-    state: present
   wl-clipboard:
     state: present
   youtube-dl:
@@ -265,42 +252,6 @@ rpm_ostree_layered_packages:
   zsh:
     state: present
 
-etc_firewalld:
+config_users:
-  syncthing:
-    zone: FedoraWorkstation
-    state: enabled
-
-etc_sysctl_params:
-  kernel.unprivileged_bpf_disabled:
-    value: 1
-    state: present
-  fs.inotify.max_user_watches:
-    value: 524288
-    state: present
-
-etc_fstab_entries:
-  root:
-    path: /
-    fstype: btrfs
-    opts: noatime,subvol=root,compress=zstd:1,x-systemd.device-timeout=0
-    passno: 0
-    dump: 0
-    state: present
-  home:
-    path: /home
-    fstype: btrfs
-    opts: subvol=home,compress=zstd:1,x-systemd.device-timeout=0
-    passno: 0
-    dump: 0
-    state: present
-  docker:
-    path: /var/lib/docker
-    fstype: btrfs
-    opts: subvol=docker,compress=zstd:1,x-systemd.device-timeout=0
-    passno: 0
-    dump: 0
-    state: mounted
-
-users:
   flexo:
     shell: /bin/zsh

host_vars/chapek9.yml

@@ -1,7 +1,7 @@
 ---
-etc_hostname: chapek9
+config_hostname: chapek9
 
-etc_fstab_entries_overwrite:
+config_fstab_entries_overrides:
   root:
     src: UUID=254d6a53-398a-4a53-93d1-c45e61263791
   home:
@@ -9,7 +9,7 @@ etc_fstab_entries_overwrite:
   docker:
     src: UUID=254d6a53-398a-4a53-93d1-c45e61263791
 
-rpm_ostree_kargs_overwrite:
+rpm_ostree_kargs_overrides:
   'i915.enable_psr=0':
     state: present
   'mem_sleep_default=deep':

host_vars/ice9.yml

@@ -1,7 +1,7 @@
 ---
-etc_hostname: ice9
+config_hostname: ice9
 
-etc_fstab_entries_overwrite:
+config_fstab_entries_overrides:
   root:
     src: UUID=aa63fb86-3fc9-42d1-82ca-7d47d0238765
   home:
@@ -9,7 +9,7 @@ etc_fstab_entries_overwrite:
   docker:
     src: UUID=aa63fb86-3fc9-42d1-82ca-7d47d0238765
 
-flatpak_flatpaks_overwrite:
+services_flatpak_packages_overrides:
   com.github.Bleuzen.FFaudioConverter:
     state: present
     remote: flathub
@@ -35,6 +35,6 @@ flatpak_flatpaks_overwrite:
     state: present
     remote: flathub
 
-rpm_ostree_layered_packages_overwrite:
+rpm_ostree_layeredPackages_overrides:
   radeontop:
     state: present

host_vars/vinci.yml

@@ -1,7 +1,7 @@
 ---
-etc_hostname: vinci
+config_hostname: vinci
 
-etc_fstab_entries_overwrite:
+config_fstab_entries_overrides:
   root:
     src: UUID=9296ebbe-a288-48e4-a9cd-0a80374c7c46
   home:
@@ -9,7 +9,7 @@ etc_fstab_entries_overwrite:
   docker:
     src: UUID=9296ebbe-a288-48e4-a9cd-0a80374c7c46
 
-flatpak_flatpaks_overwrite:
+services_flatpak_packages_overrides:
   com.discordapp.Discord:
     state: absent
     remote: flathub
@@ -38,13 +38,13 @@ flatpak_flatpaks_overwrite:
     state: present
     remote: flathub
 
-rpm_ostree_layered_packages_overwrite:
+rpm_ostree_layeredPackages_overrides:
   iftop:
     state: present
   nethogs:
     state: present
 
-rpm_ostree_kargs_overwrite:
+rpm_ostree_kargs_overrides:
   'i915.enable_psr=0':
     state: absent
   'mem_sleep_default=deep':

roles/config/defaults/main.yml

@@ -0,0 +1,51 @@
+---
+config_hostname: fedora
+
+config_users_enable: true
+config_users:
+  morbo:
+    shell: /bin/zsh
+
+config_grub_enable: true
+
+config_firewalld_enable: true
+config_firewalld_services:
+  syncthing:
+    zone: FedoraWorkstation
+    state: enabled
+
+config_sysctl_enable: true
+config_sysctl_params:
+  kernel.unprivileged_bpf_disabled:
+    value: 1
+    state: present
+  fs.inotify.max_user_watches:
+    value: 524288
+    state: present
+
+config_btrfs_enable: false
+config_btrfsmaintenance_enable: false
+
+config_fstab_enable: true
+config_fstab_entries:
+  root:
+    path: /
+    fstype: btrfs
+    opts: noatime,subvol=root,compress=zstd:1,x-systemd.device-timeout=0
+    passno: 0
+    dump: 0
+    state: present
+  home:
+    path: /home
+    fstype: btrfs
+    opts: subvol=home,compress=zstd:1,x-systemd.device-timeout=0
+    passno: 0
+    dump: 0
+    state: present
+  docker:
+    path: /var/lib/docker
+    fstype: btrfs
+    opts: subvol=docker,compress=zstd:1,x-systemd.device-timeout=0
+    passno: 0
+    dump: 0
+    state: mounted

roles/config/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+- name: "config: Apply rpm-ostree changes live"
+  ansible.builtin.command:
+    cmd: rpm-ostree ex apply-live
+  become: yes
+  ignore_errors: yes
+  when: config_rpm_ostree_applyLive | bool

roles/config/tasks/btrfs.yml

@@ -0,0 +1,7 @@
+---
+- name: "btrfs: Install btrfsmaintenance"
+  community.general.rpm_ostree_pkg:
+    name: btrfsmaintenance
+    state: "present"
+  become: yes
+  when: config_btrfsmaintenance_enable | bool

roles/config/tasks/fstab.yml

@@ -1,15 +1,15 @@
 ---
-- name: Configure fstab
+- name: "fstab: Configure mountpoints"
   block:
-    - name: Merge variables
+    - name: "fstab: Merge variables"
       set_fact:
-        etc_fstab_entries: '{{ etc_fstab_entries | combine(etc_fstab_entries_overwrite, recursive=True) }}'
+        config_fstab_entries: '{{ config_fstab_entries | combine(config_fstab_entries_overrides, recursive=True) }}'
       when:
-        - etc_fstab_entries_overwrite | default()
+        - config_fstab_entries_overrides | default()
 
     #- name: Mount btrfs root
     #  ansible.posix.mount:
-    #    src: "'/dev/mapper/luks-' + {{ etc_fstab_btrfs_root }}"
+    #    src: "'/dev/mapper/luks-' + {{ config_fstab_btrfs_root }}"
     #    path: "/mnt"
     #  become: yes
 
@@ -19,11 +19,11 @@
     #    #cmd: "btrfs subvolume create {{ item }}"
     #    msg: "{{ item }}"
     #  become: yes
-    #  loop: "{{ lookup('dict', etc_fstab_entries, wantlist=True) }}"
+    #  loop: "{{ lookup('dict', config_fstab_entries, wantlist=True) }}"
     #  when:
     #    "item.value.path != '/' and item.value.path != '/home'"
 
-    - name: Write fstab entries
+    - name: "fstab: Write entries"
       ansible.posix.mount:
         src: "{{ item.value.src }}"
         path: "{{ item.value.path }}"
@@ -33,4 +33,4 @@
         dump: "{{ item.value.dump }}"
         state: "{{ item.value.state }}"
       become: yes
-      loop: "{{ lookup('dict', etc_fstab_entries, wantlist=True) }}"
+      loop: "{{ lookup('dict', config_fstab_entries, wantlist=True) }}"

roles/config/tasks/grub.yml

@@ -1,5 +1,5 @@
 ---
-- name: Check if BootLoaderSpec is enabled
+- name: "grub: Check if BootLoaderSpec is enabled"
   ansible.builtin.lineinfile:
     path: /etc/default/grub
     line: 'GRUB_ENABLE_BLSCFG=true'
@@ -8,7 +8,7 @@
   check_mode: yes
   register: conf
 
-- name: Enable BootLoaderSpec
+- name: "grub: Enable BootLoaderSpec"
   ansible.builtin.command:
     cmd: grub2-switch-to-blscfg
   become: yes

roles/config/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+- name: Include users
+  ansible.builtin.include: users.yml
+  when: config_users_enable | bool
+
+- name: Include grub
+  ansible.builtin.include: grub.yml
+  when: config_grub_enable | bool
+
+- name: Include networking
+  ansible.builtin.include: networking.yml
+
+- name: Include sysctl
+  ansible.builtin.include: sysctl.yml
+  when: config_sysctl_enable | bool
+
+- name: Include btrfs
+  ansible.builtin.include: btrfs.yml
+  when: config_btrfs_enable | bool
+
+- name: Include fstab
+  ansible.builtin.include: fstab.yml
+  when: config_fstab_enable | bool

roles/config/tasks/networking.yml

@@ -0,0 +1,17 @@
+---
+- name: "config: Set hostname"
+  ansible.builtin.hostname:
+    name: "{{ config_hostname }}"
+    use: systemd
+  become: yes
+
+- name: "firewalld: Configure services"
+  ansible.posix.firewalld:
+    service: "{{ item.key }}"
+    zone: "{{ item.value.zone }}"
+    state: "{{ item.value.state }}"
+    immediate: yes
+    permanent: yes
+  become: yes
+  loop: "{{ lookup('dict', config_firewalld_services, wantlist=True) }}"
+  when: config_firewalld_enable | bool

roles/config/tasks/sysctl.yml

@@ -1,5 +1,5 @@
 ---
-- name: Configure sysctl
+- name: "sysctl: Change settings"
   ansible.posix.sysctl:
     name: "{{ item.key }}"
     value: "{{ item.value.value }}"
@@ -7,4 +7,4 @@
     sysctl_file: "/etc/sysctl.d/100-custom.conf"
     sysctl_set: yes
   become: yes
-  loop: "{{ lookup('dict', etc_sysctl_params, wantlist=True) }}"
+  loop: "{{ lookup('dict', config_sysctl_params, wantlist=True) }}"

roles/config/tasks/users.yml

@@ -1,7 +1,7 @@
 ---
-- name: Update users
+- name: "config: Update user shell"
   ansible.builtin.user:
     name: "{{ item.key }}"
     shell: "{{ item.value.shell }}"
   become: yes
-  loop: "{{ lookup('dict', users, wantlist=True) }}"
+  loop: "{{ lookup('dict', config_users, wantlist=True) }}"

roles/etc/defaults/main.yml

@@ -1,10 +0,0 @@
----
-etc_set_hostname: true
-etc_enable_BLSCFG: true
-etc_update_users: true
-etc_enable_NTS: true
-etc_enable_fwupd_refresh: true
-etc_configure_firewalld: true
-etc_configure_sysctl: true
-etc_configure_fstab: true
-etc_configure_btrfs: false

roles/etc/handlers/main.yml

@@ -1,6 +0,0 @@
-- name: Restart chronyd
-  ansible.builtin.systemd:
-    name: chronyd
-    state: restarted
-    enabled: yes
-  become: yes

roles/etc/tasks/btrfs.yml

@@ -1,2 +0,0 @@
----
-# TODO: snapper, btrfsmaintainance

roles/etc/tasks/firewalld.yml

@@ -1,10 +0,0 @@
----
-- name: Configure firewalld
-  ansible.posix.firewalld:
-    service: "{{ item.key }}"
-    zone: "{{ item.value.zone }}"
-    state: "{{ item.value.state }}"
-    immediate: yes
-    permanent: yes
-  become: yes
-  loop: "{{ lookup('dict', etc_firewalld, wantlist=True) }}"

roles/etc/tasks/main.yml

@@ -1,42 +0,0 @@
----
-- name: Set hostname
-  ansible.builtin.hostname:
-    name: "{{ etc_hostname }}"
-    use: systemd
-  become: yes
-  when: etc_set_hostname | bool
-
-- name: Enable fwupd-refresh timer
-  ansible.builtin.systemd:
-    name: fwupd-refresh.timer
-    state: started
-    enabled: yes
-  become: yes
-  when: etc_enable_fwupd_refresh | bool
-
-- name: Include users.yml
-  ansible.builtin.include: users.yml
-  when:  etc_update_users | bool
-
-- name: Include blscfg.yml
-  ansible.builtin.include: blscfg.yml
-  when: etc_enable_BLSCFG | bool
-
-- name: Include nts.yml
-  ansible.builtin.include: nts.yml
-  when: etc_enable_NTS | bool
-
-- name: Include firewalld.yml
-  ansible.builtin.include: firewalld.yml
-  when: etc_configure_firewalld | bool
-
-- name: Include sysctl.yml
-  ansible.builtin.include: sysctl.yml
-  when: etc_configure_sysctl | bool
-
-- name: Include btrfs.yml
-  ansible.builtin.include: btrfs.yml
-  when: etc_configure_btrfs | bool
-- name: Include fstab.yml
-  ansible.builtin.include: fstab.yml
-  when: etc_configure_fstab | bool

roles/etc/tasks/nts.yml

@@ -1,7 +0,0 @@
----
-- name: Enable NTS
-  ansible.builtin.template:
-    src: chrony.conf.j2
-    dest: /etc/chrony.conf
-  become: yes
-  notify: Restart chronyd

roles/etc/templates/chrony.conf.j2

@@ -1,54 +0,0 @@
-# {{ ansible_managed }}
-
-# These servers were defined in the installation:
-server time.cloudflare.com iburst nts
-
-# Use public servers from the pool.ntp.org project.
-# Please consider joining the pool (https://www.pool.ntp.org/join.html).
-
-# Use NTP servers from DHCP.
-#sourcedir /run/chrony-dhcp
-
-# Record the rate at which the system clock gains/losses time.
-driftfile /var/lib/chrony/drift
-
-# Allow the system clock to be stepped in the first three updates
-# if its offset is larger than 1 second.
-makestep 1.0 3
-
-# Enable kernel synchronization of the real-time clock (RTC).
-rtcsync
-
-# Enable hardware timestamping on all interfaces that support it.
-#hwtimestamp *
-
-# Increase the minimum number of selectable sources required to adjust
-# the system clock.
-#minsources 2
-
-# Allow NTP client access from local network.
-#allow 192.168.0.0/16
-
-# Serve time even if not synchronized to a time source.
-#local stratum 10
-
-# Require authentication (nts or key option) for all NTP sources.
-#authselectmode require
-
-# Specify file containing keys for NTP authentication.
-keyfile /etc/chrony.keys
-
-# Save NTS keys and cookies.
-ntsdumpdir /var/lib/chrony
-
-# Insert/delete leap seconds by slewing instead of stepping.
-#leapsecmode slew
-
-# Get TAI-UTC offset and leap seconds from the system tz database.
-leapsectz right/UTC
-
-# Specify directory for log files.
-logdir /var/log/chrony
-
-# Select which information is logged.
-#log measurements statistics tracking

roles/flatpak/defaults/main.yml

@@ -1,4 +0,0 @@
----
-flatpak_configure_remotes: true
-flatpak_alter_flatpaks: true
-flatpak_automatic_updates: true

roles/flatpak/tasks/flatpaks.yml

@@ -1,12 +0,0 @@
----
-- name: Merge Flatpaks and overwrites
-  set_fact:
-    flatpak_flatpaks: '{{ flatpak_flatpaks | combine(flatpak_flatpaks_overwrite) }}'
-  when: flatpak_flatpaks_overwrite | default()
-
-- name: Add/remove Flatpaks
-  community.general.flatpak:
-    name: "{{ item.key }}"
-    state: "{{ item.value.state }}"
-    remote: "{{ item.value.remote }}"
-  loop: "{{ lookup('dict', flatpak_flatpaks, wantlist=True) }}"

roles/flatpak/tasks/main.yml

@@ -1,58 +0,0 @@
----
-- name: Include remotes.yml
-  ansible.builtin.include: remotes.yml
-  when: flatpak_configure_remotes | bool
-
-- name: Include flatpaks.yml
-  ansible.builtin.include: flatpaks.yml
-  when: flatpak_alter_flatpaks | bool
-
-# https://github.com/flatpak/flatpak/issues/3847#issuecomment-818532856
-- name: Enable flatpak Automatic Update
-  block:
-    - name: Place systemd service and timer
-      ansible.builtin.template:
-        src: "{{ item }}"
-        dest: "/etc/systemd/system/{{ item | regex_replace('.j2', '') }}"
-        owner: root
-        group: root
-        mode: '0644'
-      become: yes
-      with_items:
-        - flatpak-automatic.service.j2
-        - flatpak-automatic.timer.j2
-      when: flatpak_automatic_updates | bool
-
-    - name: Enable systemd timer
-      ansible.builtin.systemd:
-        name: flatpak-automatic.timer
-        state: started
-        enabled: yes
-        daemon_reload: yes
-      become: yes
-      when: flatpak_automatic_updates | bool
-
-    - name: Update Flatpaks
-      ansible.builtin.command:
-        cmd: flatpak update -y
-      when: flatpak_automatic_updates | bool
-
-- name: Disable flatpak Automatic Update
-  block:
-    - name: Disable systemd timer
-      ansible.builtin.systemd:
-        name: flatpak-automatic.timer
-        state: stopped
-        enabled: no
-      become: yes
-      when: not flatpak_automatic_updates | bool
-
-    - name: Remove systemd service and timer
-      ansible.builtin.file:
-        path: "/etc/systemd/system/{{ item }}"
-        state: absent
-      become: yes
-      with_items:
-        - flatpak-automatic.service
-        - flatpak-automatic.timer
-      when: not flatpak_automatic_updates | bool

roles/flatpak/tasks/remotes.yml

@@ -1,13 +0,0 @@
----
-- name: Merge Flatpak remotes and overwrites
-  set_fact:
-    flatpak_remotes: '{{ flatpak_remotes | combine(flatpak_remotes_overwrite) }}'
-  when: flatpak_remotes_overwrite | default()
-
-- name: Add/remove Flatpak remotes
-  community.general.flatpak_remote:
-    name: "{{ item.key }}"
-    state: "{{ item.value.state }}"
-    flatpakrepo_url: "{{ item.value.url }}"
-  become: true
-  loop: "{{ lookup('dict', flatpak_remotes, wantlist=True) }}"

roles/rpm-ostree/defaults/main.yml

@@ -1,10 +1,21 @@
 ---
-rpm_ostree_base_packages_list: []  # don't delete this
+# these list are only for role internal tasks
-rpm_ostree_layered_packages_removal_list: []  # don't delete this
+# this is needed for constructing a package list
-rpm_ostree_layered_packages_install_list: []  # don't delete this
+# to vastly reduce installation time
+rpm_ostree_layeredPackages_removalList: []
+rpm_ostree_layeredPackages_installList: []
 
-rpm_ostree_alter_base_packages: true
+rpm_ostree_enable: true
-rpm_ostree_alter_layered_packages: true
+rpm_ostree_autoUpdate: true
-rpm_ostree_configure_kargs: true
+rpm_ostree_modifyBasePackages: true
-rpm_ostree_enable_autoupdates: true
+rpm_ostree_modifyLayeredPackages: true
-rpm_ostree_apply_live: false
+rpm_ostree_modifyKargs: true
+rpm_ostree_basePackages:
+  firefox:
+    state: absent
+rpm_ostree_layeredPackages:
+  ansible:
+    state: present
+rpm_ostree_kargs:
+  'rd.luks.options=discard':
+    state: present

roles/rpm-ostree/handlers/main.yml

@@ -1,17 +1,13 @@
 ---
-- name: Reload rpm-ostree configuration
+- name: "rpm-ostree: Reload rpm-ostree configuration"
   ansible.builtin.command:
     cmd: rpm-ostree reload
   become: yes
 
-- name: Enable rpm-ostree-automatic
+- name: "rpm-ostree: Enable timer"
   ansible.builtin.systemd:
     name: rpm-ostreed-automatic.timer
     state: started
     enabled: yes
-  become: yes
-
-- name: Reload systemd units
-  ansible.builtin.systemd:
     daemon_reload: yes
   become: yes

roles/rpm-ostree/tasks/main.yml

@@ -1,120 +1,4 @@
 ---
-#- name: Create base package list
+- name: Include rpm-ostree
-#  set_fact:
+  ansible.builtin.include: rpm-ostree.yml
-#    rpm_ostree_base_packages_list: "{{ rpm_ostree_base_packages_list + [item.key] }}"
+  when: rpm_ostree_enable | bool
-#  loop: "{{ lookup('dict', rpm_ostree_base_packages, wantlist=True) }}"
-#  when:
-#    - item.value.state == 'absent'
-#    - rpm_ostree_alter_base_packages | bool
-#
-#- name: Remove base packages
-#  ansible.builtin.shell:
-#    cmd: rpm-ostree override remove "{{ rpm_ostree_base_packages_list }}" || /bin/true
-#  register: result
-#  become: yes
-#  changed_when: '"Run \"systemctl reboot\" to start a reboot" in result.stdout'
-#  when:
-#    - rpm_ostree_alter_base_packages | bool
-
-- name: Remove base packages
-  ansible.builtin.shell:
-    cmd: rpm-ostree override remove "{{ item.key }}" || /bin/true
-  register: result
-  become: yes
-  changed_when: '"Run \"systemctl reboot\" to start a reboot" in result.stdout'
-  loop: "{{ lookup('dict', rpm_ostree_base_packages, wantlist=True) }}"
-  when:
-    - item.value.state == 'absent'
-    - rpm_ostree_alter_base_packages | bool
-
-- name: Reset base packages
-  ansible.builtin.shell:
-    cmd: rpm-ostree override reset "{{ item.key }}" || /bin/true
-  register: result
-  become: yes
-  changed_when: '"Run \"systemctl reboot\" to start a reboot" in result.stdout'
-  loop: "{{ lookup('dict', rpm_ostree_base_packages) }}"
-  when:
-    - item.value.state == 'present'
-    - rpm_ostree_alter_base_packages | bool
-
-- name: Merge kernel params and overwrites
-  set_fact:
-    rpm_ostree_kargs: '{{ rpm_ostree_kargs | combine(rpm_ostree_kargs_overwrite) }}'
-  when: rpm_ostree_kargs_overwrite | default()
-
-- name: Set kernel parameters
-  ansible.builtin.command:
-    cmd: rpm-ostree kargs --append-if-missing="{{ item.key }}"
-  register: result
-  become: yes
-  changed_when: '"Kernel arguments updated" in result.stdout'
-  loop: "{{ lookup('dict', rpm_ostree_kargs, wantlist=True) }}"
-  when:
-    - item.value.state == 'present'
-    - rpm_ostree_configure_kargs | bool
-
-- name: Remove kernel parameters
-  ansible.builtin.command:
-    cmd: rpm-ostree kargs --delete-if-present="{{ item.key }}"
-  register: result
-  become: yes
-  changed_when: '"Kernel arguments updated" in result.stdout'
-  loop: "{{ lookup('dict', rpm_ostree_kargs, wantlist=True) }}"
-  when:
-    - item.value.state == 'absent'
-    - rpm_ostree_configure_kargs | bool
-
-- name: Enable autostaging and autoupdates
-  ansible.builtin.replace:
-    path: /etc/rpm-ostreed.conf
-    regexp: '^#AutomaticUpdatePolicy=none'
-    replace: 'AutomaticUpdatePolicy=stage'
-  become: yes
-  notify:
-    - Reload rpm-ostree configuration
-    - Enable rpm-ostree-automatic
-  when: rpm_ostree_enable_autoupdates | bool
-
-- name: Merge layered packages and overwrites
-  set_fact:
-    rpm_ostree_layered_packages: '{{ rpm_ostree_layered_packages | combine(rpm_ostree_layered_packages_overwrite) }}'
-  when: rpm_ostree_layered_packages_overwrite | default()
-
-- name: Create layered package list for removal
-  set_fact:
-    rpm_ostree_layered_packages_removal_list: "{{ rpm_ostree_layered_packages_removal_list + [item.key] }}"
-  loop: "{{ lookup('dict', rpm_ostree_layered_packages, wantlist=True) }}"
-  when:
-    - item.value.state == 'absent'
-    - rpm_ostree_alter_layered_packages | bool
-
-- name: Remove layered packages
-  community.general.rpm_ostree_pkg:
-    name: "{{ rpm_ostree_layered_packages_removal_list }}"
-    state: "absent"
-  become: yes
-  ignore_errors: yes
-  when: rpm_ostree_alter_layered_packages | bool
-
-- name: Create layered package list for installation
-  set_fact:
-    rpm_ostree_layered_packages_install_list: "{{ rpm_ostree_layered_packages_install_list + [item.key] }}"
-  loop: "{{ lookup('dict', rpm_ostree_layered_packages, wantlist=True) }}"
-  when:
-    - item.value.state == 'present'
-    - rpm_ostree_alter_layered_packages | bool
-
-- name: Install layered packages
-  community.general.rpm_ostree_pkg:
-    name: "{{ rpm_ostree_layered_packages_install_list }}"
-    state: "present"
-  become: yes
-  ignore_errors: yes
-  when: rpm_ostree_alter_layered_packages | bool
-
-- name: Apply-live
-  ansible.builtin.command:
-    cmd: rpm-ostree ex apply-live
-  become: yes
-  when: rpm_ostree_apply_live | bool

roles/rpm-ostree/tasks/rpm-ostree.yml

@@ -0,0 +1,107 @@
+---
+- name: "rpm-ostree: Enable autoUpdate"
+  ansible.builtin.replace:
+    path: /etc/rpm-ostreed.conf
+    regexp: '^#AutomaticUpdatePolicy=none'
+    replace: 'AutomaticUpdatePolicy=stage'
+  become: yes
+  notify:
+    - "rpm-ostree: Reload rpm-ostree configuration"
+    - "rpm-ostree: Enable timer"
+  when: 
+    - rpm_ostree_autoUpdate | bool
+
+# kernel params
+- name: "rpm-ostree: Merge kargs with overrides"
+  set_fact:
+    rpm_ostree_kargs: '{{ rpm_ostree_kargs | combine(rpm_ostree_kargs_overrides) }}'
+  when:
+    - rpm_ostree_kargs_overrides | default()
+    - rpm_ostree_modifyKargs | bool
+
+- name: "rpm-ostree: Set kargs"
+  ansible.builtin.command:
+    cmd: rpm-ostree kargs --append-if-missing="{{ item.key }}"
+  register: result
+  become: yes
+  changed_when: '"Kernel arguments updated" in result.stdout'
+  loop: "{{ lookup('dict', rpm_ostree_kargs, wantlist=True) }}"
+  when:
+    - item.value.state == 'present'
+    - rpm_ostree_modifyKargs | bool
+
+- name: "rpm-ostree: Remove kargs"
+  ansible.builtin.command:
+    cmd: rpm-ostree kargs --delete-if-present="{{ item.key }}"
+  register: result
+  become: yes
+  changed_when: '"Kernel arguments updated" in result.stdout'
+  loop: "{{ lookup('dict', rpm_ostree_kargs, wantlist=True) }}"
+  when:
+    - item.value.state == 'absent'
+    - rpm_ostree_modifyKargs | bool
+
+# base packages
+- name: "rpm-ostree: Remove basePackages"
+  ansible.builtin.shell:
+    cmd: rpm-ostree overrides remove "{{ item.key }}" || /bin/true
+  register: result
+  become: yes
+  changed_when: '"Run \"systemctl reboot\" to start a reboot" in result.stdout'
+  loop: "{{ lookup('dict', rpm_ostree_basePackages, wantlist=True) }}"
+  when:
+    - item.value.state == 'absent'
+    - rpm_ostree_modifyBasePackages | bool
+
+- name: "rpm-ostree: Reset basePackages"
+  ansible.builtin.shell:
+    cmd: rpm-ostree overrides reset "{{ item.key }}" || /bin/true
+  register: result
+  become: yes
+  changed_when: '"Run \"systemctl reboot\" to start a reboot" in result.stdout'
+  loop: "{{ lookup('dict', rpm_ostree_basePackages) }}"
+  when:
+    - item.value.state == 'present'
+    - rpm_ostree_modifyBasePackages | bool
+
+# layered packages
+- name: "rpm-ostree: Merge layeredPackages with overrides"
+  set_fact:
+    rpm_ostree_layeredPackages: '{{ rpm_ostree_layeredPackages | combine(rpm_ostree_layeredPackages_overrides) }}'
+  when:
+    - rpm_ostree_layeredPackages_overrides | default()
+    - rpm_ostree_modifyLayeredPackages | bool
+
+- name: "rpm-ostree: Create removalList"
+  set_fact:
+    rpm_ostree_layeredPackages_removalList: "{{ rpm_ostree_layeredPackages_removalList + [item.key] }}"
+  loop: "{{ lookup('dict', rpm_ostree_layeredPackages, wantlist=True) }}"
+  when:
+    - item.value.state == 'absent'
+    - rpm_ostree_modifyLayeredPackages | bool
+
+- name: "rpm-ostree: Remove layeredPackages"
+  community.general.rpm_ostree_pkg:
+    name: "{{ rpm_ostree_layeredPackages_removalList }}"
+    state: "absent"
+  become: yes
+  ignore_errors: yes
+  when:
+    - rpm_ostree_modifyLayeredPackages | bool
+
+- name: "rpm-ostree: Create installList"
+  set_fact:
+    rpm_ostree_layeredPackages_installList: "{{ rpm_ostree_layeredPackages_installList + [item.key] }}"
+  loop: "{{ lookup('dict', rpm_ostree_layeredPackages, wantlist=True) }}"
+  when:
+    - item.value.state == 'present'
+    - rpm_ostree_modifyLayeredPackages | bool
+
+- name: "rpm-ostree: Install layeredPackages"
+  community.general.rpm_ostree_pkg:
+    name: "{{ rpm_ostree_layeredPackages_installList }}"
+    state: "present"
+  become: yes
+  ignore_errors: yes
+  when:
+    - rpm_ostree_modifyLayeredPackages | bool

roles/services/defaults/main.yml

@@ -0,0 +1,44 @@
+---
+# this is necessary for setting up everything in one run
+# otherwise the computers needs to be rebooted and the playbook
+# needs to be re-run
+services_rpm_ostree_applyLive: true
+
+services_libvirtd_enable: true
+services_libvirtd_packages:
+  - virt-manager
+  - libvirt-client
+
+services_chrony_enableNTS: true
+services_chrony_servers:
+  #- time.cloudflare.com
+  - nts.sth1.ntp.se
+  - nts.sth2.ntp.se
+
+services_snapper_enable: true
+services_snapper_configs:
+  home:
+    allow_users: ""
+    allow_groups: ""
+    keep_hourly: "120"
+    keep_daily: "30"
+    keep_weekly: "0"
+    keep_monthly: "0"
+    keep_yearly: "0"
+    subvolume: "/home"
+
+services_flatpak_enable: true
+services_flatpak_autoUpdate: true
+services_flatpak_setRemotes: true
+services_flatpak_installFlatpaks: true
+services_flatpak_remotes:
+  flathub:
+    state: present
+    url: https://flathub.org/repo/flathub.flatpakrepo
+  fedora:
+    state: present
+    url: oci+https://registry.fedoraproject.org
+services_flatpak_packages:
+  org.mozilla.firefox:
+    state: present
+    remote: flathub

roles/services/handlers/main.yml

@@ -0,0 +1,38 @@
+---
+- name: "services: Apply rpm-ostree changes live"
+  ansible.builtin.command:
+    cmd: rpm-ostree ex apply-live
+  become: yes
+  when: services_rpm_ostree_applyLive | bool
+
+- name: "chrony: Restart service"
+  ansible.builtin.systemd:
+    name: chronyd
+    state: restarted
+    enabled: yes
+  become: yes
+
+- name: "snapper: Enable timers"
+  ansible.builtin.systemd:
+    name: "{{ item }}"
+    state: started
+    enabled: yes
+  with_items:
+    - snapper-cleanup.timer
+    - snapper-timeline.timer
+  become: yes
+
+- name: "libvirtd: Enable service"
+  ansible.builtin.systemd:
+    name: libvirt.service
+    state: started
+    enabled: yes
+  become: yes
+
+- name: "flatpak: Enable timer"
+  ansible.builtin.systemd:
+    name: flatpak-automatic.timer
+    state: started
+    enabled: yes
+    daemon_reload: yes
+  become: yes

roles/services/tasks/chrony.yml

@@ -0,0 +1,8 @@
+---
+- name: "chrony: Enable NTS"
+  ansible.builtin.template:
+    src: chrony.conf.j2
+    dest: /etc/chrony.conf
+  loop: '{{ services_chrony_servers }}'
+  become: yes
+  notify: "chrony: Restart service"

roles/services/tasks/flatpak.yml

@@ -0,0 +1,48 @@
+---
+- name: "flatpak: Merge remotes with overrides"
+  set_fact:
+    services_flatpak_remotes: '{{ services_flatpak_remotes | combine(services_flatpak_remotes_overrides) }}'
+  when:
+    - services_flatpak_remotes_overrides | default()
+    - services_flatpak_setRemotes | bool
+  
+- name: "flatpak: Merge packages with overrides"
+  set_fact:
+    services_flatpak_packages: '{{ services_flatpak_packages | combine(services_flatpak_packages_overrides) }}'
+  when:
+    - services_flatpak_packages_overrides | default()
+    - services_flatpak_installFlatpaks | bool
+
+- name: "flatpak: Add/remove remotes"
+  community.general.flatpak_remote:
+    name: "{{ item.key }}"
+    state: "{{ item.value.state }}"
+    flatpakrepo_url: "{{ item.value.url }}"
+  become: true
+  loop: "{{ lookup('dict', services_flatpak_remotes, wantlist=True) }}"
+  when:
+    - services_flatpak_setRemotes | bool
+
+- name: "flatpak: Add/remove packages"
+  community.general.flatpak:
+    name: "{{ item.key }}"
+    state: "{{ item.value.state }}"
+    remote: "{{ item.value.remote }}"
+  loop: "{{ lookup('dict', services_flatpak_packages, wantlist=True) }}"
+  when:
+    - services_flatpak_installFlatpaks | bool
+
+# https://github.com/flatpak/flatpak/issues/3847#issuecomment-818532856
+- name: "flatpak: Enable autoUpdate"
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: "/etc/systemd/system/{{ item | regex_replace('.j2', '') }}"
+    owner: root
+    group: root
+    mode: '0644'
+  become: yes
+  with_items:
+    - flatpak-automatic.service.j2
+    - flatpak-automatic.timer.j2
+  when: services_flatpak_autoUpdate | bool
+  notify: "flatpak: Enable timer"

roles/services/tasks/libvirtd.yml

@@ -0,0 +1,9 @@
+---
+- name: "libvirtd: Install packages"
+  community.general.rpm_ostree_pkg:
+    name: "{{ services_libvirtd_packages }}"
+    state: "present"
+  become: yes
+  notify:
+    - "services: Apply rpm-ostree changes live"
+    - "libvirtd: Enable service"

roles/services/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+- name: Include snapper
+  ansible.builtin.include: snapper.yml
+  when: services_snapper_enable | bool
+
+- name: Include libvirtd
+  ansible.builtin.include: libvirtd.yml
+  when: services_libvirtd_enable | bool
+
+- name: Include chrony
+  ansible.builtin.include: chrony.yml
+  when: services_chrony_enableNTS | bool
+
+- name: Include flatpak
+  ansible.builtin.include: flatpak.yml
+  when: services_flatpak_enable | bool

roles/services/tasks/snapper.yml

@@ -0,0 +1,42 @@
+---
+- name: "snapper: Install package"
+  community.general.rpm_ostree_pkg:
+    name: snapper
+    state: "present"
+  become: yes
+  notify:
+    - "services: Apply rpm-ostree changes live"
+    - "snapper: Enable timers"
+
+- name: "snapper: Create subvolumes"
+  ansible.builtin.shell:
+    cmd: "if [[ ! -d {{ item.value.subvolume }}/.snapshots ]]; then \
+     btrfs subvol create {{ item.value.subvolume }}/.snapshots; fi"
+  with_dict: "{{ services_snapper_configs }}"
+  become: yes
+  notify:
+    - "services: Apply rpm-ostree changes live"
+    - "snapper: Enable timers"
+
+- name: "snapper: Create configuration folder"
+  ansible.builtin.file:
+    path: /etc/snapper/configs
+    state: directory
+    mode: '0755'
+  become: yes
+  notify:
+    - "services: Apply rpm-ostree changes live"
+    - "snapper: Enable timers"
+
+- name: "snapper: Place configurations"
+  ansible.builtin.template:
+    src: snapper-config.j2
+    dest: "/etc/snapper/configs/{{ item.key }}"
+    owner: root
+    group: root
+    mode: '0644'
+  with_dict: "{{ services_snapper_configs }}"
+  become: yes
+  notify:
+    - "services: Apply rpm-ostree changes live"
+    - "snapper: Enable timers"

roles/services/templates/chrony.conf.j2

@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+
+{% for server in services_chrony_servers %}
+server {{ server }} iburst nts
+{% endfor %}
+
+driftfile /var/lib/chrony/drift
+makestep 1.0 3
+rtcsync
+keyfile /etc/chrony.keys
+ntsdumpdir /var/lib/chrony
+leapsectz right/UTC
+logdir /var/log/chrony

roles/services/templates/snapper-config.j2

@@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+
+ALLOW_USERS='{{ item.value.allow_users }}'
+ALLOW_GROUPS='{{ item.value.allow_groups }}'
+TIMELINE_CREATE=yes
+TIMELINE_CLEANUP=yes
+TIMELINE_LIMIT_HOURLY="{{ item.value.keep_hourly }}"
+TIMELINE_LIMIT_DAILY="{{ item.value.keep_daily }}"
+TIMELINE_LIMIT_WEEKLY="{{ item.value.keep_weekly }}"
+TIMELINE_LIMIT_MONTHLY="{{ item.value.keep_monthly }}"
+TIMELINE_LIMIT_YEARLY="{{ item.value.keep_yearly }}"
+
+FSTYPE="btrfs"
+SUBVOLUME="{{ item.value.subvolume }}"

silverblue.yml

@@ -4,6 +4,6 @@
     - silverblue
   connection: "local"
   roles:
-    - flatpak
+    - config
-    - etc
+    - services
     - rpm-ostree