From 0aef41951f260d03b01b14417a8cdc1abb1bd65f Mon Sep 17 00:00:00 2001
From: Anthony Perkins
Date: Wed, 11 Nov 2020 10:20:43 +0000
Subject: [PATCH] Add openSUSE playbooks
---
 admin-cli.yml | 3 ++
 admin-gui.yml | 3 ++
 .../files/70-solokeys-access.rules | 19 ++++++++++++
 roles/opensuse-leap/tasks/main.yml | 7 +++++
 roles/opensuse-leap/tasks/modules.yml | 13 ++++++++
 roles/opensuse-leap/tasks/packages-cli.yml | 31 +++++++++++++++++++
 roles/opensuse-leap/tasks/packages-gui.yml | 15 +++++++++
 roles/opensuse-leap/tasks/solokeys.yml | 15 +++++++++
 roles/opensuse-leap/tasks/ssh.yml | 29 +++++++++++++++++
 9 files changed, 135 insertions(+)
 create mode 100644 roles/opensuse-leap/files/70-solokeys-access.rules
 create mode 100644 roles/opensuse-leap/tasks/main.yml
 create mode 100644 roles/opensuse-leap/tasks/modules.yml
 create mode 100644 roles/opensuse-leap/tasks/packages-cli.yml
 create mode 100644 roles/opensuse-leap/tasks/packages-gui.yml
 create mode 100644 roles/opensuse-leap/tasks/solokeys.yml
 create mode 100644 roles/opensuse-leap/tasks/ssh.yml
diff --git a/admin-cli.yml b/admin-cli.yml
index fb94d05..3c11c1e 100755
--- a/admin-cli.yml
+++ b/admin-cli.yml
@@ -14,6 +14,9 @@
 - include_role:
 name: fedora
 when: ansible_distribution == 'Fedora'
+ - include_role:
+ name: opensuse-leap
+ when: ansible_distribution == 'openSUSE Leap'
 - include_role:
 name: freebsd
 when: ansible_distribution == 'FreeBSD'
diff --git a/admin-gui.yml b/admin-gui.yml
index 4671404..d7bfdb4 100755
--- a/admin-gui.yml
+++ b/admin-gui.yml
@@ -14,6 +14,9 @@
 - include_role:
 name: fedora
 when: ansible_distribution == 'Fedora'
+ - include_role:
+ name: opensuse-leap
+ when: ansible_distribution == 'openSUSE Leap'
 - include_role:
 name: freebsd
 when: ansible_distribution == 'FreeBSD'
diff --git a/roles/opensuse-leap/files/70-solokeys-access.rules b/roles/opensuse-leap/files/70-solokeys-access.rules
new file mode 100644
index 0000000..0243401
--- /dev/null
+++ b/roles/opensuse-leap/files/70-solokeys-access.rules
@@ -0,0 +1,19 @@
+# Notify ModemManager this device should be ignored
+ACTION!="add|change|move", GOTO="mm_usb_device_blacklist_end"
+SUBSYSTEM!="usb", GOTO="mm_usb_device_blacklist_end"
+ENV{DEVTYPE}!="usb_device", GOTO="mm_usb_device_blacklist_end"
+
+ATTRS{idVendor}=="0483", ATTRS{idProduct}=="a2ca", ENV{ID_MM_DEVICE_IGNORE}="1"
+
+LABEL="mm_usb_device_blacklist_end"
+
+
+# Solo bootloader + firmware access
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="a2ca", TAG+="uaccess"
+SUBSYSTEM=="tty", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="a2ca", TAG+="uaccess"
+
+# ST DFU access
+SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", TAG+="uaccess"
+
+# U2F Zero
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="8acf", TAG+="uaccess"
diff --git a/roles/opensuse-leap/tasks/main.yml b/roles/opensuse-leap/tasks/main.yml
new file mode 100644
index 0000000..7a4d7a9
--- /dev/null
+++ b/roles/opensuse-leap/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- include: packages-cli.yml
+- include: packages-gui.yml
+ when: gui == true
+- include: modules.yml
+- include: ssh.yml
+- include: solokeys.yml
diff --git a/roles/opensuse-leap/tasks/modules.yml b/roles/opensuse-leap/tasks/modules.yml
new file mode 100644
index 0000000..c3e93e4
--- /dev/null
+++ b/roles/opensuse-leap/tasks/modules.yml
@@ -0,0 +1,13 @@
+---
+- name: Blacklist pcspkr module
+ become: true
+ lineinfile:
+ path: /etc/modprobe.d/blacklist.conf
+ line: blacklist pcspkr
+ create: yes
+- name: Blacklist dvb_usb_rtl28xxu module
+ become: true
+ lineinfile:
+ path: /etc/modprobe.d/blacklist.conf
+ line: blacklist dvb_usb_rtl28xxu
+ create: yes
diff --git a/roles/opensuse-leap/tasks/packages-cli.yml b/roles/opensuse-leap/tasks/packages-cli.yml
new file mode 100644
index 0000000..114a378
--- /dev/null
+++ b/roles/opensuse-leap/tasks/packages-cli.yml
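Review bot: The `# ST DFU access` rule in 70-solokeys-access.rules matches `0483:df11`, which as far as I know is the generic STMicroelectronics DFU bootloader ID rather than a Solo-specific one, so `TAG+="uaccess"` gives the logged-in seat user raw access to any STM32 device that enumerates in DFU mode. If key firmware is never updated from these machines, that rule can be dropped; otherwise keep it and say why in a comment. The file also records no provenance; a header line such as `# Copied from <upstream source and revision>; do not edit locally` would let a later reader compare it against upstream.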
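Review bot: In roles/opensuse-leap/tasks/main.yml the bare `include:` is the deprecated spelling; `include_tasks:` (or `import_tasks:` for static inclusion) keeps the role working on newer Ansible releases. The condition `when: gui == true` also raises an undefined-variable error in any play that does not set `gui`; whether both playbooks define it is not visible in this patch, so `when: gui | default(false) | bool` is the safer form.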
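Review bot: Both `lineinfile` tasks in roles/opensuse-leap/tasks/modules.yml use `create: yes` without `owner`, `group` or `mode`, so when /etc/modprobe.d/blacklist.conf does not exist yet its permissions are left to the become user's umask. Adding `owner: root`, `group: root` and `mode: '0644'` pins the result. The `copy` task in roles/opensuse-leap/tasks/solokeys.yml, which installs a udev rule that is evaluated as root, has the same gap and should get the same three keys.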
@@ -0,0 +1,31 @@
+---
+# The zypper module requires python-xml on openSUSE.
+- name: Install CLI packages
+ become: true
+ zypper:
+ name: '{{ packages }}'
+ state: present
+ vars:
+ packages:
+ - ansible
+ - aspell-en
+ - bc
+ - bind-utils
+ - clang
+ - git
+ - gpg2
+ - lldb
+ - mc
+ - nmap
+ - nodejs10
+ - onedrive
+ - openssh
+ - python-xml
+ - python3
+ - python3-psutil
+ - ruby2.5-rubygem-asciidoctor
+ - sqlite3
+ - sudo
+ - tmux
+ - vim
+ - zsh
diff --git a/roles/opensuse-leap/tasks/packages-gui.yml b/roles/opensuse-leap/tasks/packages-gui.yml
new file mode 100644
index 0000000..31d780a
--- /dev/null
+++ b/roles/opensuse-leap/tasks/packages-gui.yml
@@ -0,0 +1,15 @@
+---
+# The zypper module requires python-xml on openSUSE.
+- name: Install GUI packages
+ become: true
+ zypper:
+ name: '{{ packages }}'
+ state: present
+ vars:
+ packages:
+ - emacs-x11
+ - galculator
+ - git-gui
+ - gvim
+ - liberation-fonts
+ - remmina
diff --git a/roles/opensuse-leap/tasks/solokeys.yml b/roles/opensuse-leap/tasks/solokeys.yml
new file mode 100644
index 0000000..bea6284
--- /dev/null
+++ b/roles/opensuse-leap/tasks/solokeys.yml
@@ -0,0 +1,15 @@
+---
+- name: Install solokeys udev rule
+ become: true
+ copy:
+ src: 70-solokeys-access.rules
+ dest: /etc/udev/rules.d/70-solokeys-access.rules
+ register: solokeys_copy
+- name: Reload udevadm rules
+ become: true
+ command: udevadm control --reload-rules
+ when: solokeys_copy.changed
+- name: Trigger udevadm
+ become: true
+ command: udevadm trigger
+ when: solokeys_copy.changed
diff --git a/roles/opensuse-leap/tasks/ssh.yml b/roles/opensuse-leap/tasks/ssh.yml
new file mode 100644
index 0000000..81d098e
--- /dev/null
+++ b/roles/opensuse-leap/tasks/ssh.yml
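Review bot: The comment at the top of packages-cli.yml says the zypper module needs python-xml, yet python-xml is installed only by that same `zypper` task, so on a host that lacks it the first run would presumably fail before any package is installed. A bootstrap task ahead of it, for example `raw: zypper --non-interactive install python-xml` with `become: true`, breaks the cycle; if the base image is known to ship python-xml, the comment should say that instead. Separately, `nodejs10` pins a Node.js release line that reached upstream end of life in 2021, so it will stop receiving security fixes unless the distribution backports them; a comment naming the intended successor package would help.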
@@ -0,0 +1,29 @@
+---
+- name: Disable SSH passwords
+ become: true
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#?\w*PasswordAuthentication (yes|no)'
+ line: 'PasswordAuthentication no'
+ register: changed_ssh_config
+- name: Enable SSH
+ become: true
+ systemd:
+ name: sshd.service
+ enabled: yes
+ state: started
+- name: Restart SSH
+ become: true
+ systemd:
+ name: sshd.service
+ state: restarted
+ when: changed_ssh_config.changed == true
+- name: Allow SSH through firewall
+ become: true
+ firewalld:
+ service: ssh
+ permanent: yes
+ state: enabled
+ immediate: yes
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
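Review bot: The `regexp` in the "Disable SSH passwords" task of ssh.yml uses `\w*` where `\s*` looks intended, so an indented line or `# PasswordAuthentication yes` is not matched and `lineinfile` instead appends `PasswordAuthentication no` at the end of sshd_config. sshd keeps the first value it reads for a keyword, and an appended line can fall inside a trailing `Match` block, so an earlier active `PasswordAuthentication yes` would stay in force while the play reports success. I would change it to `regexp: '^\s*#?\s*PasswordAuthentication\s+(yes|no)'` and add `validate: '/usr/sbin/sshd -t -f %s'` so a broken file is never written ahead of the restart. If `UsePAM` is enabled on these hosts, keyboard-interactive authentication can still prompt for a password, so `ChallengeResponseAuthentication no` should be enforced by a similar task.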