Refactor Ansible roles into tiered profiles (developer/core + add-ons) #5
Open
catinspace-au wants to merge 47 commits into main from
…imits The xrandr refresh rate cap never worked on Wayland (mutter only generates 60Hz modes for virtual displays, xrandr --rate silently fails). Remove the broken display.yml, refresh rate script, and autostart entry. Add FreeRDP apt pin (ubuntu0.4 confirmed stable, ubuntu0.3 had heap corruption), PAM nice limits so the handover daemon can run at Nice=-10, and remove dangerous auto-restart of gnome-remote-desktop.service which crashes active RDP sessions.
Deploy gnome-remote-desktop 49.0-0ubuntu1.1hyperi1 which adds a max-framerate gsettings key to cap PipeWire screencast framerate. Stock GRD 49 hardcodes 60fps — this halves software encoding load on virtio-gpu VMs without hardware video encoding.
- Add grd_patched.yml task to deploy and pin the patched deb
- Set max-framerate=30 via system dconf profile
- Add grd_patched_version default variable
- Verified on desktop-derek: PipeWire stream shows maxFramerate 30/1
Adds Rust build optimisation tools to the developer_core Ansible role:
- sccache: shared compilation cache across projects
- cargo-sweep: build artifact cleanup
- mold: fast linker for native x86_64 builds (5-10x faster linking)
- Global ~/.cargo/config.toml with sccache wrapper, mold linker, jobs=8
All tools support Ubuntu, Fedora, and macOS. macOS config omits mold linker flags (uses default linker) but still gets sccache and jobs=8.
Introduces named profiles (rust, iac, openvpn, gui_extras) composed additively on a lean BASE, with opt-out vars for user-facing apps, WireGuard as default VPN, and an audit pass on version pins and upstream URLs during execution.
Splits base into two tiers: developer (OSS-safe, for external contributors on DFE/ESH) and core (Hyperi internals, layered on developer). WireGuard moves to core, lazygit added to gui_extras, GitHub Desktop dropped.
Clarifies invocation edge cases (--profile openvpn alone is a hard error, --profile all defaults to developer tier, --tags developer_core has no alias), fixes stray **Verify** marker, adds automated OSS-safe assertion to the testing plan.
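The commits above describe the `--profile` rules (core implies developer, `--profile openvpn` alone is a hard error, `--profile all` defaults to the developer tier, legacy `--core`/`--all` are aliases with a deprecation warning). The shell below is an added illustration of those rules, not the project's install.sh: the function names, the assumed set of add-on names, and the expansion of `all` into every add-on are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added illustration of the --profile resolution rules described in the PR.
# Not the project's install.sh: function names, tag names and the expansion of
# "all" into every add-on are assumptions made for this example.
#
# Rules mirrored from the PR text:
#   developer                    OSS-safe tier, always part of the result
#   core                         Hyperi internal tier, implies developer
#   rust/iac/gui_extras/openvpn  add-ons layered on a tier
#   openvpn on its own           hard error (it is an add-on, not a tier)
#   all                          every add-on, defaulting to the developer tier
#   --core / --all               legacy aliases, accepted with a deprecation warning

ADDON_PROFILES="rust iac gui_extras openvpn"   # assumed add-on set

# resolve_profiles "<comma-separated profiles>"
# Prints the resolved tag list (space-separated) on stdout; returns 1 on error.
resolve_profiles() {
  local input="$1" want_dev=0 want_core=0 addons="" resolved="" p old_ifs
  # resolved is initialised to "" up front so `set -u` can never trip on it
  # (the same class of bug the install.sh RESOLVED_TAGS fix addressed).

  old_ifs=$IFS; IFS=','
  for p in $input; do
    case "$p" in
      developer) want_dev=1 ;;
      core)      want_core=1 ;;
      all)       addons="$ADDON_PROFILES" ;;
      rust|iac|gui_extras|openvpn)
        case " $addons " in
          *" $p "*) ;;                              # already selected
          *) addons="${addons:+$addons }$p" ;;
        esac ;;
      *) IFS=$old_ifs; echo "unknown profile: $p" >&2; return 1 ;;
    esac
  done
  IFS=$old_ifs

  # openvpn without a tier (and without any other selection) is a hard error.
  if [ "$addons" = "openvpn" ] && [ "$want_dev" -eq 0 ] && [ "$want_core" -eq 0 ]; then
    echo "--profile openvpn needs a tier: use --profile core,openvpn" >&2
    return 1
  fi

  # core implies developer; any other selection defaults to the developer tier.
  if [ "$want_core" -eq 1 ]; then
    resolved="developer core"
  else
    resolved="developer"
  fi
  if [ -n "$addons" ]; then
    resolved="$resolved $addons"
  fi
  printf '%s\n' "$resolved"
}

# legacy_flag_to_profile "--core" | "--all"
# Maps a deprecated flag to its --profile equivalent, warning on stderr.
legacy_flag_to_profile() {
  case "$1" in
    --core) echo "warning: --core is deprecated, use --profile core" >&2; echo core ;;
    --all)  echo "warning: --all is deprecated, use --profile all" >&2;  echo all ;;
    *)      echo "not a legacy flag: $1" >&2; return 1 ;;
  esac
}

# Stand-alone demo: resolve whatever was passed on the command line.
if [ "$#" -gt 0 ]; then
  resolve_profiles "$1"
fi
```

Run it as `./resolve.sh core,openvpn` to see the tag list; the error paths go to stderr with a non-zero exit so a wrapper script under `set -e` stops rather than silently installing the wrong tier.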
Five-chunk plan (scaffolding + install.sh, profile role extraction, two-tier split, audit + VM tests, docs + release). Incorporates plan reviewer recommendations (correct wallpaper/avatar source paths, office.yml reconciliation, telemetry.yml relocation, Python-based audit script, corrected OSS-safe assertion paths) and notes the proxmox.tyrell.com.au one-week outage with VM-smoke-test alternatives.
Replaces tyrell-proxmox VM with devex.hyperi.io template clone workflow (VMID 9010 as Ubuntu 24.04 base, qm clone/rollback/destroy). Fedora smoke testing deferred until a Fedora template exists on devex.
rclone added to core tier alongside JFrog / Slack / Linear. Generated rclone.yml comment genericised to "multi-backend cloud storage sync CLI" so the emitted Ansible file doesn't carry internal infra hostnames.
- install.sh: initialise RESOLVED_TAGS="" so DFE_PROFILE_TEST=1 with --tags doesn't hit `set -u` unbound-var.
- install.sh: update stale file-header OPTIONS block to mention --profile and flag --core/--all as deprecated (show_help() was already updated).
- test.sh: matrix loop passes through -i "$INVENTORY" and $LIMIT to recursive calls so `./test.sh --matrix --limit ubuntu` actually targets the intended host.
… role Reviewer caught that after Chunk 2 moved these tools to the iac role, their verify tasks were still in developer/tasks/verify.yml with failed_when: rc != 0 — so --profile developer would fail when the tools aren't installed. Verify tasks now live alongside the installs in iac/tasks/verify.yml, gated on the iac tag.
…nding from old roles
- Move slack.yml, linear.yml, jfrog.yml, wallpaper.yml from developer_core → core
- Move avatar.yml from developer → core
- Move branding/{background,avatar}.svg from developer/files → core/files
- Create rclone.yml (multi-backend cloud CLI)
- Create wireguard.yml (default Hyperi VPN, peer config opt-in)
- Replace core/tasks/main.yml skeleton with real includes (opt-out where
appropriate: slack, linear)
- Create core/defaults/main.yml with branding_enabled, avatar_file,
background_file (migrated from developer/defaults); update wallpaper.yml
to use branding/background.svg path
- Remove avatar include block from developer/tasks/main.yml (core owns it now)
…/nodejs/office/...)
- git mv c_tools, nodejs, bitwarden, claude, gitleaks, act, telemetry
from developer_core/tasks → developer/tasks
- Reconcile office.yml: split Mailspring into developer/tasks/mailspring.yml
(Option A from plan — drop the Flatpak OnlyOffice fallback; onlyoffice.yml
handles native apt/dnf installs on both Fedora 42+ and Ubuntu 24.04+)
- Move managed-settings.json (claude config) to developer/files/
- Merge verify blocks:
- JFrog + Linear verifications → new core/tasks/verify.yml
- Azure, gcloud, Node.js, semantic-release, Claude, Gitleaks, act
→ appended to developer/tasks/verify.yml
- Add include_vars macos.yml stanza + core/vars/macos.yml for macOS paths
- Add opt-out includes to developer/tasks/main.yml
(mailspring + bitwarden use install_X | default(true) gates)
- Reduce developer_core/tasks/main.yml to a deprecation stub
…ore/rust/iac/openvpn)
- Remove ansible/roles/developer_core/ directory
- Update tests/proxmox/test_all.yml: swap developer_core → core
…issioned) The upstream apt repo at https://usebruno.jfrog.io/artifactory/bruno-apt has been decommissioned and its GPG key URL returns 404, causing installs to fail on Ubuntu. Switch to the official snap (https://snapcraft.io/bruno). Fedora continues to use the flathub flatpak. This mirrors the Podman Desktop approach (flathub-only) and keeps the role idempotent.
…policies Chrome/Brave managed-policy JSON in the developer tier was hardcoding hyperi.io / hypersec.io into CookiesAllowedForUrls, ThirdPartyCookiesAllowedForUrls, and BraveShieldsDisabledForUrls. That would have landed on external DFE/ESH contributors' machines under --profile developer, whitelisting cookies for a company they don't work for.
- developer role: generic allowlists only (private RFC1918, google.com, microsoft.com, github.com). Three empty-default list vars gate any org-specific entries.
- core role: populates browser_org_* vars with hyperi.io / hypersec.io entries; Chromium merges them at policy-load time.
- Policy filename renamed hyperi.json -> dfe.json on disk, _comment strings updated.
- oss_safe.sh gains regression asserts: managed Chrome/Brave JSONs must not contain hyperi.io/hypersec.io after --profile developer.
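The commit above adds a regression assertion to oss_safe.sh: after a developer-tier run, the managed Chrome/Brave policy JSON must not contain the org domains. The shell below is an added illustration of that kind of check and is not the project's oss_safe.sh; the function names, the dfe.json sample content, and the temp-directory layout are constructed for this example.

```shell
#!/usr/bin/env bash
# Added illustration of an OSS-safe regression assertion of the kind the commit
# above adds to oss_safe.sh: after a developer-tier render, managed Chrome/Brave
# policy JSON must not mention the org domains. Not the project's script; the
# function names, file names and sample JSON below are constructed for this example.

# Org domains that must not leak into the OSS-safe (developer) tier.
OSS_SAFE_DENYLIST="hyperi.io hypersec.io"

# oss_safe_check <policy-dir>
# Scans every *.json under <policy-dir> for each denylisted domain.
# Prints file:line:content for every hit; returns 1 if anything matched.
oss_safe_check() {
  local dir="$1" domain out hits=0
  for domain in $OSS_SAFE_DENYLIST; do
    # -F literal match, -n line numbers, -r recurse, restricted to JSON files
    if out=$(grep -rnF --include='*.json' -- "$domain" "$dir"); then
      printf '%s\n' "$out"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -eq 0 ]
}

# write_sample_policies <dir> developer|core
# Writes constructed managed-policy JSON the way the two tiers are described:
# the developer tier carries only generic allowlists, the core tier adds the
# org entries on top of them.
write_sample_policies() {
  local dir="$1" tier="$2" org=""
  mkdir -p "$dir"
  if [ "$tier" = "core" ]; then
    org=', "[*.]hyperi.io", "[*.]hypersec.io"'
  fi
  cat > "$dir/dfe.json" <<EOF
{
  "_comment": "constructed sample, $tier tier",
  "CookiesAllowedForUrls": ["[*.]google.com", "[*.]microsoft.com", "[*.]github.com"$org],
  "ThirdPartyCookiesAllowedForUrls": ["[*.]google.com", "[*.]microsoft.com", "[*.]github.com"$org]
}
EOF
}

# Stand-alone demo: render both tiers into a temp dir and check each one.
demo_oss_safe() {
  local tmp
  tmp=$(mktemp -d)
  write_sample_policies "$tmp/developer" developer
  write_sample_policies "$tmp/core" core
  oss_safe_check "$tmp/developer" && echo "developer tier: OSS-safe"
  oss_safe_check "$tmp/core" >/dev/null || echo "core tier: org domains present (expected)"
  rm -rf "$tmp"
}
```

The check is deliberately a literal, case-sensitive string match on the rendered files rather than on the Ansible variables: it catches a leak however it got there (a stray default, a template typo, a merge that re-added the entry), which is what a regression assertion after `--profile developer` needs to prove.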
Per user direction: 'core is for employees', anything hyperi-specific belongs in the core tier only. Managed Chrome/Brave policies override user preferences, so even the generic hardening should be opt-in via --profile core, not forced on external DFE/ESH contributors.
- Moved ansible/roles/developer/tasks/browser_policies.yml -> ansible/roles/core/tasks/browser_policies.yml
- developer/tasks/main.yml: removed the browser_policies include
- core/tasks/main.yml: added the include (gated on has_gnome)
- developer/defaults/main.yml: removed the now-unused browser_org_* vars and added a note pointing at core
- core still owns the allowlist vars (core/defaults/main.yml)
…itiative Scope: full internal refactor, upstream GitHub repo rename with install.sh tarball URL update, removal of legacy /fedora directory, and update of dfe-infra auto-desktop-build pipelines to point at the new repo URL. Start after PR #5 merges to avoid conflicting large PRs on the same surface.
Dropped entirely per user direction — no longer used. Removes:
- ansible/roles/developer/tasks/mailspring.yml
- developer/tasks/main.yml include block
- install_mailspring opt-out variable in group_vars/all.yml
- Mailspring subsection + opt-out-table row in docs/TOOLS.md
- install_mailspring mention in CHANGELOG [Added] block
Adds a CHANGELOG [Removed] entry. Historical CHANGELOG mention of Mailspring replacing Betterbird left untouched (history).
Summary
Implements Track 1 of the April 2026 DFE refresh per docs/plans/2026-04-18-role-structure-refactor-design.md.
- `developer` (OSS-safe) + `core` (Hyperi internal, implies developer)
- `rust`, `iac`, `gui_extras`, `openvpn`
- `--profile` invocation replaces ad-hoc `--tags` (legacy `--core`/`--all` aliased with deprecation warning)
- `group_vars/all.yml` … `core`; OpenVPN now transitional opt-in
- `wl-clipboard`, `kcat`, `rclone`, Bruno, Podman Desktop, DBeaver, Freelens, lazygit
- `developer_core` role deleted; contents redistributed into `developer`, `core`, `rust`, `iac`, `openvpn`
Test plan
Automated (passing)
- `bats tests/bats/install_profile.bats` — 13/13
- `ansible-playbook --syntax-check` passes
- `tests/audit/urls_and_pins.py`
- `tests/assertions/oss_safe.sh` — `bash -n` clean
Parked (deferred for follow-up)
- `--profile developer` VM smoke test on Ubuntu 24.04 + OSS-safe assertion
- `--profile core,all` VM smoke test on Ubuntu 24.04
- `--profile core,openvpn` VM smoke test (transition path)
VM smoke tests deferred because a clean Ubuntu 24.04 test VM is not currently available in the user's environment. The check-mode matrix passes; real-VM regression run is tracked in TODO.md and docs/plans/2026-04-18-audit-findings.md.
Known limitations
- … `snap` — upstream apt repo was decommissioned. Fedora uses flatpak.
- … `failed_when: false` as safety.
- … `docs/plans/2026-04-18-audit-findings.md`.
Follow-ups