Ansible playbooks and roles for bootstrapping macOS and Linux workstations, and managing dotfiles. The playbooks are designed with no assumed prior knowledge of the system, and are meant to be run on a newly installed system. They are tested on the following system types:
- macOS systems
x86_64
,arm64
- Linux systems
x86_64
- Fedora Workstation edition (spins may work but are unsupported)
- Fedora Server edition
- Ubuntu Desktop LTS (flavors may work but are unsupported)
- Ubuntu Server LTS
- Linux Mint Debian Edition
-
On macOS, log in to the App Store prior to running bootstrap, in order to install apps via
mas
-
Create a GitHub fine-grained token with the following account permissions:
- Git SSH keys: Read and write
- SSH signing keys: Read and write
-
Create an inventory repository (see below)
-
Download and run the install script:
curl -sO https://dotfiles.franklybrad.com/install sh install [-b] [-g git_branch] -b Skip installing Homebrew on Linux (default: install) -g Specify the git branch of this repo to run (default: main)
Important
Do not pipe curl
into sh
as Ansible won't run in interactive mode and will skip setup prompts.
Upon completion:
- Record any secrets (e.g. Vault and SSH key passphrases)
- Perform a full reboot
- To install Logi Options+ for macOS, run
open -a "~/Downloads/logioptionsplus_installer.app"
-
Bootstrapping the OS: the
install
script installs the necessary packages to check out the repository and run Ansible; this includes Homebrew (excluding ARM systems), Python, and Git. This script requiressudo
access on Linux only. Once setup, the script also runs the subsequent Ansible playbooks. -
Install Ansible requirements: the
install_requirements
playbook installs the necessary Ansible collections and roles. -
Create localhost inventory: the
build_inventory
playbook generates a host_vars file (for non-sensitive variables) and a localhost inventory file (for encrypted secrets), based on answers to the playbook prompts. -
System bootstrap: runs the
site.yml
playbook to execute all roles. When run from theinstall
script, a temporaryvault
file is created and prompts only for the become password. -
Export to password manager: the
password_manager.yml
playbook imports encrypted secrets to a password manager (currently only 1Password is available).
You should create an inventory repository prior to running the playbooks. Hosts are assigned to groups based on the system type and distribution, giving flexibility to variable precedent. The group names are based on the Ansible facts system
and distribution
; the all
group is also available. See Splitting Out Host and Group Specific Data for more information.
The repository should match this layout:
files/
: static filesgroup_vars/
: configurations based on system type and distributionhost_vars/
: configurations for specific systemstemplates/
: dynamic files
The host_vars file created by the build_inventory
playbook is meant to be committed to the inventory repo. The inventory file assigns the host groups, along with containing vaulted secrets.
By default, these are the variables that are encrypted and saved to the inventory file:
- rsa SSH key passphrase
- ed25519 SSH key passphrase
- GitHub personal access token
Tasks that do not require sudo access are tagged with dotfiles
. Likewise, tasks that do require sudo access are tagged with become
. For convenience, Homebrew tasks are tagged install
. This allows playbook runs that don't need a become password. For example:
ansible-playbook -J playbooks/site.yml --tags dotfiles --skip-tags become,install