Spark is an Ansible playbook meant to provision a personal machine running Arch Linux. It is intended to run locally on a fresh Arch install (ie, taking the place of any post-installation), but due to Ansible's idempotent nature it may also be run on top of an already configured machine.
Spark assumes it will be run on a laptop and performs some configuration based
on this assumption. This behaviour may be changed by removing the laptop role
from the playbook or by skipping the laptop tag.
If Spark is run on either a ThinkPad or a Framework, it will detect this and execute platform-specific tasks.
First, sync mirrors and install Ansible:
$ pacman -Syy python-passlib ansible
Second, install and update the submodules:
$ git submodule init && git submodule update
Next, install the required Ansible collections as root.
# ansible-galaxy collection install -r requirements.yml
Run the playbook as root.
# ansible-playbook -i localhost playbook.yml
When run, Ansible will prompt for the user password. This only needs to be provided on the first run when the user is being created. On later runs, providing any password -- whether the current user password or a new one -- will have no effect.
By default, Ansible will attempt to install the private SSH key for the user. The
key should be available at the path specified in the ssh.user_key variable.
Removing this variable will cause the key installation task to be skipped.
If ssh.enable_sshd is set to True the systemd socket service will be
enabled. By default, sshd is configured but not enabled.
Ansible expects that the user wishes to clone dotfiles via the git repository
specified via the dotfiles.url variable and install them with rcm. The
destination to clone the repository to is defined by the dotfiles.destination
variable. This is relative the user's home directory.
These tasks will be skipped if the dotfiles variable is not defined.
All tasks are tagged with their role, allowing them to be skipped by tag in
addition to modifying playbook.yml.
All tasks involving the AUR are tagged aur. To provision an AUR-free
system, pass this tag to ansible's --skip-tag.
AUR packages are installed via the ansible-aur module. Note that while yay, an AUR helper, is installed by default, it will not be used during any of the provisioning.
Many applications are sandboxed with Firejail. This behavior should be largely invisible to the user.
Custom security profiles are provided for certain applications. These are
installed to /usr/local/etc/firejail. Firejail does not look in this
directory by default. To use the security profiles, they must either be
specified on the command-line or included in an appropriately named profile
located in ~/.config/firejail.
# Example 1:
# Launch Firefox using the custom profile by specifying the full path of the profile.
$ firejail --profile=/usr/local/etc/firejail/firefox.profile /usr/bin/firefox
# Example 2:
# Launch Firefox using the custom profile by specifying its directory.
$ firejail --profile-path=/usr/local/etc/firejail /usr/bin/firefox
# Example 3:
# Include the profile in ~./config/firejail
$ mkdir -p ~/.config/firejail
$ echo 'include /usr/local/etc/firejail/firefox.profile' > ~/.config/firejail/firefox.profile
$ firejail /usr/bin/firefox
The script profile-activate is provided to automatically include the profiles
when appropriate. For every profile located in /usr/local/etc/firejail, the
script looks for a profile with the same name in ~/.config/firejail. If one
is not found, it will create a profile that simply includes the system profile,
as in the third example above. It will not modify any existing user profiles.
The firejail.blacklist variable is used to populate
/etc/firejail/globals.local with a list of blacklisted files and directories.
This file is included by all security profiles, causing the specified locations
to be inaccessible to jailed programs.
The trusted network framework provided by nmtrust is leveraged to start certain systemd units when connected to trusted networks, and stop them elsewhere.
This helps to avoid leaking personal information on untrusted networks by ensuring that certain network tasks are not running in the background. Currently, this is used for mail syncing (see the section below on Syncing and Scheduling Mail), Tarsnap backups (see the section below on Scheduling Tarsnap), BitlBee (see the section below on BitlBee), and git-annex (see the section below on git-annex).
Trusted networks are defined using their NetworkManager UUIDs, configured in
the network.trusted_uuid list. NetworkManager UUIDs may be discovered using
nmcli con.