From 1be3ba7e323e0f873c34a67a912a4c76ec488191 Mon Sep 17 00:00:00 2001 From: Patrick Fraley Date: Sat, 27 Dec 2025 11:25:06 +0100 Subject: [PATCH] Prepare Work --- CLAUDE.md | 115 +++++++++++++++++++++++++++++++++++++++++++++ files/.gitkeep | 0 inventory/.gitkeep | 0 playbooks/.gitkeep | 0 roles/.gitkeep | 0 templates/.gitkeep | 0 6 files changed, 115 insertions(+) create mode 100644 CLAUDE.md create mode 100644 files/.gitkeep create mode 100644 inventory/.gitkeep create mode 100644 playbooks/.gitkeep create mode 100644 roles/.gitkeep create mode 100644 templates/.gitkeep diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 0000000..93cce71 --- /dev/null +++ b/CLAUDE.md 
@@ -0,0 +1,115 @@ +# CLAUDE.md + +This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. + +## Repository Purpose + +Comprehensive Ansible configuration for managing Fedora Workstation laptops. Provides automated configuration management for system setup, package management, security hardening, and laptop-specific optimizations. + +## Common Commands + +### Running Playbooks +```bash +# Run main playbook against localhost +ansible-playbook -i inventory/hosts playbook.yml --ask-become-pass + +# Run specific tags +ansible-playbook -i inventory/hosts playbook.yml --tags "packages,security" --ask-become-pass + +# Dry run (check mode) +ansible-playbook -i inventory/hosts playbook.yml --check --diff + +# Run against specific host +ansible-playbook -i inventory/hosts playbook.yml --limit hostname + +# Use vault-encrypted variables +ansible-playbook -i inventory/hosts playbook.yml --ask-vault-pass +``` + +### Testing and Validation +```bash +# Syntax check +ansible-playbook playbook.yml --syntax-check + +# List all tasks that would be executed +ansible-playbook -i inventory/hosts playbook.yml --list-tasks + +# List all hosts +ansible-playbook -i inventory/hosts playbook.yml --list-hosts + +# Validate inventory +ansible-inventory -i inventory/hosts --list +``` + +### Vault Operations +```bash +# Create encrypted file +ansible-vault create group_vars/all/vault.yml + +# Edit encrypted file +ansible-vault edit group_vars/all/vault.yml + +# Encrypt existing file +ansible-vault encrypt secrets.yml + +# Decrypt file (temporary) +ansible-vault view group_vars/all/vault.yml + +# Rekey vault file +ansible-vault rekey group_vars/all/vault.yml +``` + +## Architecture + +### Standard Ansible Directory Structure +This repository follows standard Ansible best practices for a workstation management setup: + +- **inventory/** - Host definitions and group variables +- **roles/** - Reusable role modules (packages, security, dotfiles, etc.) 
+- **group_vars/** - Variables for host groups +- **host_vars/** - Variables for specific hosts +- **playbooks/** or root playbook.yml - Main orchestration +- **files/** - Static files to be copied to hosts +- **templates/** - Jinja2 templates for configuration files + +### Typical Role Organization +Roles should follow the structure: +``` +roles/role_name/ +├── tasks/main.yml # Main task list +├── handlers/main.yml # Handlers for service restarts, etc. +├── templates/ # Jinja2 templates +├── files/ # Static files +├── vars/main.yml # Role-specific variables +├── defaults/main.yml # Default variables (lowest precedence) +└── meta/main.yml # Role dependencies +``` + +### Workstation Management Patterns +For Fedora workstation management, typical role categories include: +- **Base system**: DNF configuration, repositories, system services +- **Packages**: Software installation and updates +- **Security**: Firewall, SELinux, user permissions +- **Laptop optimization**: Power management, suspend/hibernate, battery optimization +- **User configuration**: Dotfiles, shell setup, desktop environment +- **Development tools**: Programming languages, IDEs, containers + +## Security Considerations + +### Vault Usage +- All sensitive data (passwords, API keys, certificates) must be encrypted with ansible-vault +- Never commit unencrypted vault files (.gitignore already configured) +- Store vault password securely outside the repository + +### Privilege Escalation +- Use `become: true` only when necessary +- Prefer targeted `become` on specific tasks rather than entire playbooks +- Always use `--ask-become-pass` when running locally for security + +## Testing Approach + +For workstation configurations: +1. Test in check mode first (`--check --diff`) +2. Use tags to test individual components +3. Validate on a test VM or secondary system before production workstation +4. Keep playbooks idempotent - safe to run multiple times 
diff --git a/files/.gitkeep b/files/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/inventory/.gitkeep b/inventory/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/playbooks/.gitkeep b/playbooks/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/roles/.gitkeep b/roles/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/templates/.gitkeep b/templates/.gitkeep new file mode 100644 index 0000000..e69de29
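Review bot: The Vault Usage section of CLAUDE.md claims "Never commit unencrypted vault files (.gitignore already configured)", but this patch adds no .gitignore; the only files created are CLAUDE.md and five empty .gitkeep placeholders, so the guard the guidance relies on does not exist in this commit. Either add the .gitignore in the same change (covering at least the plaintext `secrets.yml` that the `ansible-vault encrypt secrets.yml` example produces before encryption, and any vault password file) or drop the parenthetical until it is true. Two smaller points in the same hunk: the comment `# Decrypt file (temporary)` over `ansible-vault view group_vars/all/vault.yml` is misleading, since `view` only displays the content and never writes plaintext to disk, so label it "View encrypted file" and reserve "decrypt" wording for `ansible-vault decrypt`; and the Architecture section lists `group_vars/` and `host_vars/` as part of the layout while the patch creates .gitkeep placeholders for every other listed directory but not those two, so add them for consistency or note that they are created later.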