alexandre.pires 59b2c10c43 Add Linux development station role with systemd services for code-server and OpenCode
- Implemented handlers for restarting code-server and OpenCode services.
- Created main tasks for setting up a Linux development station, including user management, package installation, and configuration.
- Added validation for OpenCode server credentials and code-server password.
- Introduced tool package management for npm, uv, and go installers.
- Developed templates for systemd service units for code-server and OpenCode.
- Included scripts for starting code-server and OpenCode with SSH agent support.
- Updated inventory and Terraform configuration to include new development host.
2026-07-10 15:44:18 +02:00
2026-07-05 18:36:41 +02:00
2026-07-05 18:36:41 +02:00

Legal Notice

This is part of A13Labs project, any unauthorized copy is no allowed. If you got access to this code DELETE immediately. We have been warned.

Updating Nextcloud

# Enable maintenance
/bin/occ maintenance:mode --on
# Update config.tf
# Apply
# Run maintenance operations
./bin/occ upgrade
./bin/occ db:add-missing-columns
./bin/occ db:add-missing-indices
./bin/occ db:add-missing-primary-keys
# Disable maintenance
./bin/occ maintenance:mode --off

Contabo CLI

Download latest version from here.

Setup:

sectool exec cntb get instances --oauth2-clientid="$CONTABO_CLIENT_ID" --oauth2-client-secret="$CONTABO_CLIENT_SECRET" --oauth2-user="$CONTABO_API_USER" --oauth2-password="$CONTABO_API_PASSWORD"

Windows

Create a Dedicated “Ansible” User (One-Time Setup) — Linux

# Create the provision user (Debian/Ubuntu)
sudo useradd -m -s /bin/bash -G sudo provision
sudo passwd provision

# OR (RHEL/CentOS/Fedora)
sudo useradd -m -s /bin/bash -G wheel provision
sudo passwd provision
# Allow passwordless sudo for the provision user (recommended for Ansible)
echo 'provision ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/provision
sudo chmod 440 /etc/sudoers.d/provision

# Or edit safely:
sudo visudo -f /etc/sudoers.d/provision
# and add:
# provision ALL=(ALL) NOPASSWD:ALL
# Install SSH authorized key for the provision user (recommended over passwords)
sudo -u provision mkdir -p /home/provision/.ssh
sudo -u provision chmod 700 /home/provision/.ssh
echo "<your_public_key_here>" | sudo -u provision tee /home/provision/.ssh/authorized_keys
sudo -u provision chmod 600 /home/provision/.ssh/authorized_keys

Notes:

  • Replace <your_public_key_here> with the actual public key.
  • Use a strong password if you must set one; prefer SSH keys.
  • For tighter security, restrict the sudoers entry to only the commands Ansible requires instead of ALL.
  • Validate sudoers syntax with visudo to avoid lockout.

Configure windows to allow Ansible to connect via WinRM

Copy the script located in scripts "ConfigureRemotingForAnsible.ps1" and run it on the target machine.

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
.\ConfigureRemotingForAnsible.ps1

Using MSYS2

Upgrade your system:

pacman -Syu

Install the following packages:

mingw-w64-ucrt-x86_64-go
mingw-w64-ucrt-x86_64-make
mingw-w64-ucrt-x86_64-python
ucrt-w64-ucrt-x86_64-gcc
mingw-w64-ucrt-x86_64-python-cryptography
mingw-w64-ucrt-x86_64-python-paramiko
mingw-w64-ucrt-x86_64-python-rpds-py
python-lxml
mingw-w64-ucrt-x86_64-python-ruamel-yaml
mingw-w64-ucrt-x86_64-python-sspilib
unzip

Create a python environment use:

python -m venv .venv  --system-site-packages 

macOS Dev Station

Use the repository hybrid flow: bootstrap once with shell script, then manage day-2 changes with Ansible.

1) Bootstrap prerequisites on the Mac

./scripts/setup-dev-station.sh

This installs only prerequisites (Homebrew, base tools, Ansible) and avoids persistent shell side effects.

2) Configure the Mac with Ansible

  1. Add or adjust the host in inventory/hosts under [darwin_dev].
  2. Configure host vars in ansible/host_vars/mac-01.lab.alexpires.me.yml.
  3. Run:
cd ansible
sectool exec ansible-playbook playbook_macos_dev_station.yml --limit darwin_dev

The macOS role configures tools, tmux, code-server and opencode as system launchd daemons running under a dedicated service user. This allows services to start at boot without requiring an interactive login.

OpenCode server auth is injected from environment variables. Ensure OPENCODE_SERVER_USERNAME and OPENCODE_SERVER_PASSWORD are available through ansible/sectool.env values before running the playbook. code-server password auth is also env-backed. Ensure CODE_SERVER_PASSWORD is available through ansible/sectool.env values before running the playbook. Hard mode (system daemons + dedicated service user) also requires sudo rights. Use passwordless sudo for your ansible user or set ANSIBLE_BECOME_PASSWORD through ansible/sectool.env values before running the playbook.

3) Optional DNS entry in dev-01 CoreDNS

From terraform/apps/dev-01, you can inject an optional DNS record for the Mac dev station:

export TF_VAR_mac_dev_station_dns_name="mac-mini"
export TF_VAR_mac_dev_station_dns_type="A"
export TF_VAR_mac_dev_station_dns_target="10.19.4.250"

sectool -f ../../../sectool.json exec tofu validate
sectool -f ../../../sectool.json exec tofu plan
sectool -f ../../../sectool.json exec tofu apply -auto-approve

Use CNAME + hostname target instead of A when you want an alias.

S
Description
No description provided
Readme 21 MiB
Languages
HCL 44.6%
Python 31.6%
Jinja 9.9%
Shell 8.2%
PowerShell 3%
Other 2.7%