first commit

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Le Garage Numérique
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,34 @@
+# Debian 13 Ansible workstation installation
+
+Collection of ansible roles to provision a debian 13 workstation locally
+
+## Configuration
+
+```bash
+sudo apt install ansible
+```
+
+## Utilisation
+
+- Test with vagrant:
+> Create a trixi vagrant box [here](https://git.legaragenumerique.fr/GARAGENUM/packer-box-deb13)
+
+- Install all:
+```bash
+ansible-playbook playbooks/install.yml --ask-become-pass
+```
+
+- Install only one role:
+```bash
+ansible-playbook playbooks/install.yml --ask-become-pass --tags ollama
+```
+
+## To add
+
+- [ ] hugo (extended)
+
+## To test
+
+- [x] ollama
+- [x] steam
+- [ ] virtualbox

Vagrantfile

@@ -0,0 +1,29 @@
+require 'yaml'
+
+settings = YAML.load_file('settings.yml')
+
+VAGRANTFILE_API_VERSION = "2"
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+  config.ssh.insert_key = false
+  config.vm.synced_folder ".", "/vagrant", disabled: true
+
+  # Box configuration (globale)
+  config.vm.box = settings['box']['name']
+#  config.vm.box_url = settings['box']['url']
+
+  settings['vms'].each do |vm|
+    config.vm.define vm['name'] do |node|
+      node.vm.hostname = vm['hostname']
+      node.vm.network :private_network, ip: vm['ip']
+      # provider
+      config.vm.provider settings['provider']['type'].to_sym do |v|
+        v.memory = vm['memory']
+
+    # Provisioning configuration for Ansible.
+    config.vm.provision "ansible" do |ansible|
+      ansible.playbook = "playbooks/install.yml"
+        end
+      end
+    end
+  end
+end

ansible.cfg

@@ -0,0 +1,5 @@
+[defaults]
+inventory = inventory.ini
+roles_path = roles
+host_key_checking = False
+retry_files_enabled = False

files/sources.list

@@ -0,0 +1,14 @@
+deb https://deb.debian.org/debian/ trixie contrib main non-free non-free-firmware
+# deb-src https://deb.debian.org/debian/ trixie contrib main non-free non-free-firmware
+
+deb https://deb.debian.org/debian/ trixie-updates contrib main non-free non-free-firmware
+# deb-src https://deb.debian.org/debian/ trixie-updates contrib main non-free non-free-firmware
+
+deb https://deb.debian.org/debian/ trixie-proposed-updates contrib main non-free non-free-firmware
+# deb-src https://deb.debian.org/debian/ trixie-proposed-updates contrib main non-free non-free-firmware
+
+deb https://deb.debian.org/debian/ trixie-backports contrib main non-free non-free-firmware
+# deb-src https://deb.debian.org/debian/ trixie-backports contrib main non-free non-free-firmware
+
+deb https://security.debian.org/debian-security/ trixie-security contrib main non-free non-free-firmware
+# deb-src https://security.debian.org/debian-security/ trixie-security contrib main non-free non-free-firmware

group_vars/all.yml

@@ -0,0 +1,37 @@
+---
+ansible_become: true
+
+timezone: Europe/Paris
+ansible_user: "{{ lookup('env', 'USER') }}"
+
+common:
+  apt_update_cache: true
+  apt_upgrade: true
+
+devtools:
+  tabby_version: "1.0.215"
+  tabby_deb_url: "https://github.com/Eugeny/tabby/releases/download/v{{ tabby_version }}/tabby-{{ tabby_version }}-linux-x64.deb"
+  go_version: "1.22.1"
+  go_arch: "amd64"
+  go_tarball: "go{{ go_version }}.linux-{{ go_arch }}.tar.gz"
+  go_url: "https://go.dev/dl/{{ go_tarball }}"
+  go_install_dir: /usr/local
+
+element:
+  element_version: "1.11.73"
+  element_deb_url: "https://packages.element.io/debian/pool/main/e/element-desktop/element-desktop_{{ element_version }}_amd64.deb"
+
+ollama:
+  ollama_install_script: https://ollama.com/install.sh
+  ollama_service_name: ollama
+  ollama_user: ollama
+  ollama_bin: /usr/local/bin/ollama
+  ollama_models:
+    - llama3.2:3b
+
+wine:
+  winehq_repo_url: https://dl.winehq.org/wine-builds/debian/dists/trixie/winehq-trixie.sources
+  winehq_key_url: https://dl.winehq.org/wine-builds/winehq.key
+  winehq_keyring: /etc/apt/keyrings/winehq-archive.key
+  winehq_packages:
+    - winehq-stable

inventory.ini

@@ -0,0 +1,6 @@
+[debian]
+# Execute on local machine
+localhost ansible_connection=local
+
+# Exexcute on distant server
+# 123.456.78.90 ansible_user=user ansible_port=22

playbooks/install.yml

@@ -0,0 +1,18 @@
+---
+- name: Installation Debian 13 complète
+  hosts: all
+  become: yes
+
+  roles:
+    - common
+    - devtools
+    - docker
+    - ollama
+    - discord
+    - element
+    - wine
+    - steam
+    - brave
+    - freetube
+    - virtualbox
+    - vlc

roles/brave/tasks/main.yml

@@ -0,0 +1,33 @@
+---
+- name: Vérifier que le système est Debian
+  ansible.builtin.assert:
+    that:
+      - ansible_facts['distribution'] == "Debian"
+    fail_msg: "Ce rôle est prévu uniquement pour Debian"
+  tags: brave
+
+- name: Installer curl
+  ansible.builtin.apt:
+    name: curl
+    state: present
+  tags: brave
+
+- name: Télécharger la clé GPG de Brave
+  ansible.builtin.get_url:
+    url: https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
+    dest: /usr/share/keyrings/brave-browser-archive-keyring.gpg
+    mode: '0644'
+  tags: brave
+
+- name: Ajouter le dépôt Brave
+  ansible.builtin.apt_repository:
+    repo: "deb [arch=amd64 signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main"
+    state: present
+    filename: brave-browser-release
+  tags: brave
+  
+- name: Installer Brave
+  ansible.builtin.apt:
+    name: brave-browser
+    state: present
+  tags: brave

roles/common/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+apt_update_cache: true
+apt_upgrade: true

roles/common/files/sources.list

@@ -0,0 +1,14 @@
+deb https://deb.debian.org/debian/ trixie contrib main non-free non-free-firmware
+# deb-src https://deb.debian.org/debian/ trixie contrib main non-free non-free-firmware
+
+deb https://deb.debian.org/debian/ trixie-updates contrib main non-free non-free-firmware
+# deb-src https://deb.debian.org/debian/ trixie-updates contrib main non-free non-free-firmware
+
+deb https://deb.debian.org/debian/ trixie-proposed-updates contrib main non-free non-free-firmware
+# deb-src https://deb.debian.org/debian/ trixie-proposed-updates contrib main non-free non-free-firmware
+
+deb https://deb.debian.org/debian/ trixie-backports contrib main non-free non-free-firmware
+# deb-src https://deb.debian.org/debian/ trixie-backports contrib main non-free non-free-firmware
+
+deb https://security.debian.org/debian-security/ trixie-security contrib main non-free non-free-firmware
+# deb-src https://security.debian.org/debian-security/ trixie-security contrib main non-free non-free-firmware

roles/common/tasks/main.yml

@@ -0,0 +1,54 @@
+---
+- name: Mise à jour APT
+  ansible.builtin.apt:
+    update_cache: true
+    cache_valid_time: 3600
+  tags: common
+
+- name: Déployer /etc/apt/sources.list
+  ansible.builtin.copy:
+    src: files/sources.list
+    dest: /etc/apt/sources.list
+    owner: root
+    group: root
+    mode: '0644'
+    backup: yes
+  tags: common
+
+- name: Attendre que le verrou APT soit libéré
+  ansible.builtin.shell: while fuser /var/lib/apt/lists/lock /var/lib/dpkg/lock /var/lib/dpkg/lock-frontend > /dev/null 2>&1; do sleep 1; done
+  changed_when: false
+  tags: common
+
+- name: Mettre à jour le cache APT
+  ansible.builtin.shell:
+    cmd: apt-get update
+  become: yes
+  changed_when: false
+  tags: common
+
+- name: Mettre à jour tous les paquets
+  ansible.builtin.apt:
+    upgrade: dist
+  when: apt_upgrade
+  tags: common
+
+- name: Paquets de base
+  ansible.builtin.apt:
+    name:
+      - rsyslog
+      - ca-certificates
+      - curl
+      - wget
+      - gnupg
+      - git
+      - vim
+      - htop
+      - btop
+      - fail2ban
+      - net-tools
+      - resolvconf
+      - wireguard
+      - python3-venv
+    state: present
+  tags: common

roles/devtools/tasks/main.yml

@@ -0,0 +1,89 @@
+---
+- name: Installer outils développeur
+  ansible.builtin.apt:
+    name:
+      - build-essential
+      - python3
+      - python3-pip
+      - python3-venv
+      - linuxlogo
+      - lolcat
+      - vagrant
+      - kew
+    state: present
+  tags: devtools
+
+# VScodium
+- name: Ajouter la clé GPG VSCodium
+  ansible.builtin.get_url:
+    url: https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/raw/master/pub.gpg
+    dest: /usr/share/keyrings/vscodium.gpg
+    mode: '0644'
+  tags: devtools
+
+- name: Ajouter le dépôt VSCodium
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by=/usr/share/keyrings/vscodium.gpg] https://download.vscodium.com/debs vscodium main"
+    filename: vscodium
+    state: present
+  tags: devtools
+
+- name: Installer VSCodium
+  ansible.builtin.apt:
+    name: codium
+    update_cache: true
+    state: present
+  tags: devtools
+
+
+# Tabby.sh
+- name: Télécharger Tabby
+  ansible.builtin.get_url:
+    url: "{{ tabby_deb_url }}"
+    dest: /tmp/tabby.deb
+    mode: '0644'
+  tags: devtools
+
+- name: Installer Tabby
+  ansible.builtin.apt:
+    deb: /tmp/tabby.deb
+    state: present
+  tags: devtools
+
+- name: Vérifier si Go est déjà installé
+  ansible.builtin.stat:
+    path: "{{ go_install_dir }}/go/bin/go"
+  register: go_installed
+  tags: devtools
+
+# Go 
+- name: Télécharger Go {{ go_version }}
+  ansible.builtin.get_url:
+    url: "{{ go_url }}"
+    dest: "/tmp/{{ go_tarball }}"
+    mode: '0644'
+  when: not go_installed.stat.exists
+  tags: devtools
+
+- name: Supprimer ancienne installation Go
+  ansible.builtin.file:
+    path: "{{ go_install_dir }}/go"
+    state: absent
+  when: not go_installed.stat.exists
+  tags: devtools
+
+- name: Installer Go {{ go_version }}
+  ansible.builtin.unarchive:
+    src: "/tmp/{{ go_tarball }}"
+    dest: "{{ go_install_dir }}"
+    remote_src: true
+  when: not go_installed.stat.exists
+  tags: devtools
+
+- name: Ajouter Go au PATH global
+  ansible.builtin.copy:
+    dest: /etc/profile.d/go.sh
+    mode: '0755'
+    content: |
+      export PATH=$PATH:/usr/local/go/bin
+  tags: devtools

roles/devtools/vars/main.yml

@@ -0,0 +1,9 @@
+---
+tabby_version: "1.0.215"
+tabby_deb_url: "https://github.com/Eugeny/tabby/releases/download/v{{ tabby_version }}/tabby-{{ tabby_version }}-linux-x64.deb"
+
+go_version: "1.22.1"
+go_arch: "amd64"
+go_tarball: "go{{ go_version }}.linux-{{ go_arch }}.tar.gz"
+go_url: "https://go.dev/dl/{{ go_tarball }}"
+go_install_dir: /usr/local

roles/docker/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+- name: Installer Docker
+  ansible.builtin.apt:
+    name:
+      - docker.io
+      - docker-compose
+    state: present
+
+- name: Activer Docker
+  ansible.builtin.service:
+    name: docker
+    state: started
+    enabled: true
+
+- name: Ajouter l'utilisateur au groupe docker
+  ansible.builtin.user:
+    name: "{{ ansible_user }}"
+    groups: docker
+    append: true

roles/element/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+- name: Télécharger Element Desktop
+  ansible.builtin.get_url:
+    url: "{{ element_deb_url }}"
+    dest: /tmp/element-desktop.deb
+    mode: '0644'
+  tags: element
+
+- name: Installer Element Desktop
+  ansible.builtin.apt:
+    deb: /tmp/element-desktop.deb
+    state: present
+  tags: element

roles/element/vars/main.yml

@@ -0,0 +1,3 @@
+---
+element_version: "1.11.73"
+element_deb_url: "https://packages.element.io/debian/pool/main/e/element-desktop/element-desktop_{{ element_version }}_amd64.deb"

roles/freetube/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: Vérifier que le système est Debian
+  ansible.builtin.assert:
+    that:
+      - ansible_facts['distribution'] == "Debian"
+    fail_msg: "Ce rôle est prévu uniquement pour Debian"
+  tags: freetube
+
+- name: Télécharger le paquet FreeTube
+  ansible.builtin.get_url:
+    url: https://github.com/FreeTubeApp/FreeTube/releases/download/v0.23.15-beta/freetube_0.23.15_beta_amd64.deb
+    dest: /tmp/freetube.deb
+    mode: '0644'
+  tags: freetube
+
+- name: Installer le paquet FreeTube
+  ansible.builtin.apt:
+    deb: /tmp/freetube.deb
+    state: present
+  tags: freetube

roles/ollama/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+ollama_install_script: https://ollama.com/install.sh
+ollama_models: []
+ollama_service_name: ollama
+ollama_bin: /usr/local/bin/ollama

roles/ollama/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart Ollama
+  ansible.builtin.systemd:
+    name: ollama
+    state: restarted

roles/ollama/tasks/install.yml

@@ -0,0 +1,41 @@
+---
+- name: Vérifier que le système est Linux
+  assert:
+    that:
+      - ansible_facts.system == "Linux"
+    fail_msg: "Ollama est uniquement supporté sur Linux"
+  tags: ollama
+
+- name: Vérifier si Ollama est déjà installé
+  ansible.builtin.stat:
+    path: "{{ ollama_bin }}"
+  register: ollama_bin_stat
+  tags: ollama
+
+- name: Installer curl (prérequis)
+  ansible.builtin.apt:
+    name: curl
+    state: present
+    update_cache: yes
+  tags: ollama
+
+- name: Télécharger le script d’installation Ollama
+  ansible.builtin.get_url:
+    url: "{{ ollama_install_script }}"
+    dest: /tmp/ollama_install.sh
+    mode: '0755'
+  when: not ollama_bin_stat.stat.exists
+  tags: ollama
+
+- name: Installer Ollama
+  ansible.builtin.command: /tmp/ollama_install.sh
+  when: not ollama_bin_stat.stat.exists
+  notify: Restart Ollama
+  tags: ollama
+
+- name: Activer et démarrer le service Ollama
+  ansible.builtin.systemd:
+    name: "{{ ollama_service_name }}"
+    enabled: yes
+    state: started
+  tags: ollama

roles/ollama/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- import_tasks: install.yml
+  tags: ollama
+
+- import_tasks: models.yml
+  tags: ollama

roles/ollama/tasks/models.yml

@@ -0,0 +1,6 @@
+- name: Pull ollama models
+  become: true
+  command: >
+    {{ ollama_bin }} pull {{ item.name }}
+  loop: "{{ ollama_models }}"
+  tags: ollama

roles/steam/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: Vérifier que le système est Debian
+  ansible.builtin.assert:
+    that:
+      - ansible_facts['distribution'] == "Debian"
+    fail_msg: "Ce rôle est prévu uniquement pour Debian"
+  tags: steam
+
+- name: Ajouter l’architecture i386
+  ansible.builtin.command: dpkg --add-architecture i386
+  register: add_i386
+  changed_when: add_i386.rc == 0
+  tags: steam
+
+- name: Mettre à jour le cache APT
+  ansible.builtin.apt:
+    update_cache: yes
+  tags: steam
+
+- name: Installer Steam
+  ansible.builtin.apt:
+    name: steam
+    state: present
+  tags: steam

roles/virtualbox/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+virtualbox_version: "7.0"
+virtualbox_package: "virtualbox-{{ virtualbox_version }}"
+virtualbox_repo_key_url: "https://www.virtualbox.org/download/oracle_vbox_2016.asc"
+virtualbox_repo_url: "deb [arch=amd64] https://download.virtualbox.org/virtualbox/debian trixie contrib"

roles/virtualbox/tasks/main.yml

@@ -0,0 +1,70 @@
+---
+- name: Install prerequisites
+  apt:
+    name:
+      - apt-transport-https
+      - ca-certificates
+      - gnupg
+      - lsb-release
+      - dkms
+      - build-essential
+    state: present
+    update_cache: yes
+
+- name: Disable KVM modules if present
+  block:
+    - name: Check if kvm modules are loaded
+      shell: |
+        lsmod | grep -E 'kvm_intel|kvm_amd|kvm' || true
+      register: kvm_modules
+      changed_when: false
+
+    - name: Blacklist KVM modules
+      copy:
+        dest: /etc/modprobe.d/disable-kvm.conf
+        content: |
+          # Disabled for VirtualBox compatibility
+          blacklist kvm
+          blacklist kvm_intel
+          blacklist kvm_amd
+      when: kvm_modules.stdout != ""
+
+    - name: Remove loaded KVM modules immediately
+      shell: |
+        rmmod kvm_intel || true
+        rmmod kvm_amd   || true
+        rmmod kvm       || true
+      when: kvm_modules.stdout != ""
+      ignore_errors: yes
+
+- name: Télécharger et convertir la clé GPG de VirtualBox
+  ansible.builtin.shell:
+    cmd: curl -fsSL {{ virtualbox_repo_key_url }} | gpg --dearmor -o /usr/share/keyrings/virtualbox.gpg
+    creates: /usr/share/keyrings/virtualbox.gpg
+
+- name: Add VirtualBox apt repository
+  ansible.builtin.apt_repository:
+    repo: "deb [arch=amd64 signed-by=/usr/share/keyrings/virtualbox.gpg] {{ virtualbox_repo_url }}"
+    state: present
+    filename: virtualbox
+    update_cache: no
+
+- name: Update apt cache
+  apt:
+    update_cache: yes
+
+- name: Install VirtualBox
+  apt:
+    name: "{{ virtualbox_package }}"
+    state: present
+
+- name: Ensure vboxdrv is loaded
+  command: /sbin/vboxconfig
+  register: vboxconfig
+  changed_when: "'done' in vboxconfig.stdout"
+
+- name: Add user to vboxusers group
+  user:
+    name: "{{ ansible_user }}"
+    groups: vboxusers
+    append: yes

roles/vlc/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+- name: Vérifier que le système est Debian
+  ansible.builtin.assert:
+    that:
+      - ansible_facts['distribution'] == "Debian"
+    fail_msg: "Ce rôle est prévu uniquement pour Debian"
+  tags: steam
+
+- name: Mettre à jour le cache APT
+  ansible.builtin.apt:
+    update_cache: yes
+  tags: vlc
+
+- name: Installer VLC
+  ansible.builtin.apt:
+    name: vlc
+    state: present
+  tags: vlc

roles/wine/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+winehq_repo_url: https://dl.winehq.org/wine-builds/debian/dists/trixie/winehq-trixie.sources
+winehq_key_url: https://dl.winehq.org/wine-builds/winehq.key
+winehq_keyring: /etc/apt/keyrings/winehq-archive.key
+winehq_packages:
+  - winehq-stable

roles/wine/tasks/main.yml

@@ -0,0 +1,55 @@
+---
+- name: Vérifier que le système est Debian
+  ansible.builtin.assert:
+    that:
+      - ansible_facts['distribution'] == "Debian"
+    fail_msg: "Ce rôle est prévu uniquement pour Debian"
+  tags: wine
+
+- name: Ajouter l’architecture i386
+  ansible.builtin.command: dpkg --add-architecture i386
+  register: add_i386
+  changed_when: add_i386.rc == 0
+  tags: wine
+
+- name: Créer le dossier keyrings
+  ansible.builtin.file:
+    path: /etc/apt/keyrings
+    state: directory
+    mode: '0755'
+  tags: wine
+
+- name: Télécharger et installer la clé WineHQ
+  ansible.builtin.get_url:
+    url: "{{ winehq_key_url }}"
+    dest: /tmp/winehq.key
+    mode: '0644'
+  tags: wine
+
+- name: Convertir la clé en keyring GPG
+  ansible.builtin.command: >
+    gpg --dearmor
+    -o {{ winehq_keyring }}
+    /tmp/winehq.key
+  args:
+    creates: "{{ winehq_keyring }}"
+  tags: wine
+
+- name: Ajouter le dépôt WineHQ
+  ansible.builtin.get_url:
+    url: "{{ winehq_repo_url }}"
+    dest: /etc/apt/sources.list.d/winehq-trixie.sources
+    mode: '0644'
+  tags: wine
+
+- name: Mettre à jour le cache APT
+  ansible.builtin.apt:
+    update_cache: yes
+  tags: wine
+
+- name: Installer WineHQ Stable (avec recommandations)
+  ansible.builtin.apt:
+    name: "{{ winehq_packages }}"
+    state: present
+    install_recommends: yes
+  tags: wine

settings.yml

@@ -0,0 +1,16 @@
+vms:
+  - name: "server-1"
+    hostname: "server-1"
+    ip: "192.168.60.2"
+    memory: 1024
+
+box:
+# via Vagrant cloud registry
+  name: "garagenum/debian-13"
+# Via garagenum registry
+#  url: "https://git.legaragenumerique.fr/GARAGENUM/vagrant-boxes/raw/main/debian-13/debian-13-3-3.box"
+
+
+provider:
+  type: "virtualbox"
+  # linked_clone: false