- Add user management and Oh My Zsh settings - Update service scripts to use Zsh - Include new packages and environment variables - Modify Terraform configuration for upstream services
Legal Notice
This is part of A13Labs project, any unauthorized copy is no allowed. If you got access to this code DELETE immediately. We have been warned.
Updating Nextcloud
# Enable maintenance
/bin/occ maintenance:mode --on
# Update config.tf
# Apply
# Run maintenance operations
./bin/occ upgrade
./bin/occ db:add-missing-columns
./bin/occ db:add-missing-indices
./bin/occ db:add-missing-primary-keys
# Disable maintenance
./bin/occ maintenance:mode --off
Contabo CLI
Download latest version from here.
Setup:
sectool exec cntb get instances --oauth2-clientid="$CONTABO_CLIENT_ID" --oauth2-client-secret="$CONTABO_CLIENT_SECRET" --oauth2-user="$CONTABO_API_USER" --oauth2-password="$CONTABO_API_PASSWORD"
Windows
Create a Dedicated “Ansible” User (One-Time Setup) — Linux
# Create the provision user (Debian/Ubuntu)
sudo useradd -m -s /bin/bash -G sudo provision
sudo passwd provision
# OR (RHEL/CentOS/Fedora)
sudo useradd -m -s /bin/bash -G wheel provision
sudo passwd provision
# Allow passwordless sudo for the provision user (recommended for Ansible)
echo 'provision ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/provision
sudo chmod 440 /etc/sudoers.d/provision
# Or edit safely:
sudo visudo -f /etc/sudoers.d/provision
# and add:
# provision ALL=(ALL) NOPASSWD:ALL
# Install SSH authorized key for the provision user (recommended over passwords)
sudo -u provision mkdir -p /home/provision/.ssh
sudo -u provision chmod 700 /home/provision/.ssh
echo "<your_public_key_here>" | sudo -u provision tee /home/provision/.ssh/authorized_keys
sudo -u provision chmod 600 /home/provision/.ssh/authorized_keys
Notes:
- Replace <your_public_key_here> with the actual public key.
- Use a strong password if you must set one; prefer SSH keys.
- For tighter security, restrict the sudoers entry to only the commands Ansible requires instead of ALL.
- Validate sudoers syntax with visudo to avoid lockout.
Configure windows to allow Ansible to connect via WinRM
Copy the script located in scripts "ConfigureRemotingForAnsible.ps1" and run it on the target machine.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
.\ConfigureRemotingForAnsible.ps1
Using MSYS2
Upgrade your system:
pacman -Syu
Install the following packages:
mingw-w64-ucrt-x86_64-go
mingw-w64-ucrt-x86_64-make
mingw-w64-ucrt-x86_64-python
ucrt-w64-ucrt-x86_64-gcc
mingw-w64-ucrt-x86_64-python-cryptography
mingw-w64-ucrt-x86_64-python-paramiko
mingw-w64-ucrt-x86_64-python-rpds-py
python-lxml
mingw-w64-ucrt-x86_64-python-ruamel-yaml
mingw-w64-ucrt-x86_64-python-sspilib
unzip
Create a python environment use:
python -m venv .venv --system-site-packages
macOS Dev Station
Use the repository hybrid flow: bootstrap once with shell script, then manage day-2 changes with Ansible.
1) Bootstrap prerequisites on the Mac
./scripts/setup-dev-station.sh
This installs only prerequisites (Homebrew, base tools, Ansible) and avoids persistent shell side effects.
2) Configure the Mac with Ansible
- Add or adjust the host in
inventory/hostsunder[darwin_dev]. - Configure host vars in
ansible/host_vars/mac-01.lab.alexpires.me.yml. - Run:
cd ansible
sectool exec ansible-playbook playbook_macos_dev_station.yml --limit darwin_dev
The macOS role configures tools, tmux, code-server and opencode as system launchd daemons running under a dedicated service user. This allows services to start at boot without requiring an interactive login.
OpenCode server auth is injected from environment variables. Ensure OPENCODE_SERVER_USERNAME and OPENCODE_SERVER_PASSWORD are available through ansible/sectool.env values before running the playbook.
code-server password auth is also env-backed. Ensure CODE_SERVER_PASSWORD is available through ansible/sectool.env values before running the playbook.
Hard mode (system daemons + dedicated service user) also requires sudo rights. Use passwordless sudo for your ansible user or set ANSIBLE_BECOME_PASSWORD through ansible/sectool.env values before running the playbook.
3) Optional DNS entry in dev-01 CoreDNS
From terraform/apps/dev-01, you can inject an optional DNS record for the Mac dev station:
export TF_VAR_mac_dev_station_dns_name="mac-mini"
export TF_VAR_mac_dev_station_dns_type="A"
export TF_VAR_mac_dev_station_dns_target="10.19.4.250"
sectool -f ../../../sectool.json exec tofu validate
sectool -f ../../../sectool.json exec tofu plan
sectool -f ../../../sectool.json exec tofu apply -auto-approve
Use CNAME + hostname target instead of A when you want an alias.