first commit

roles/base/l10n.packages

@@ -0,0 +1,4 @@
+L10N_MAP_PKGS=(
+  "firefox-esr::firefox-esr-l10n"
+  "libreoffice::libreoffice-l10n"
+)

roles/base/packages.list

@@ -0,0 +1,11 @@
+ROLE_PACKAGES=(
+  "ca-certificates"
+  "curl"
+  "git"
+  "gnupg"
+  "htop"
+  "rsync"
+  "tree"
+  "ufw"
+  "wget"
+)

roles/base/repo.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+# Configure les dépôts Debian de base
+source "$PROJECT_DIR/lib.sh"
+enable_strict_mode
+
+cat <<'EOM'
+
+=> Base APT configuration
+
+EOM
+
+KEY_URL="https://ftp-master.debian.org/keys/archive-key-12.asc"
+KEYRING="/usr/share/keyrings/debian-archive-keyring.pgp"
+SOURCES="/etc/apt/sources.list.d/debian.sources"
+
+read -r -d '' CONTENT <<EOM || true
+Types: deb
+URIs: https://deb.debian.org/debian
+Suites: trixie trixie-updates
+Components: main non-free-firmware contrib
+Signed-By: $KEYRING
+
+Types: deb
+URIs: https://security.debian.org/debian-security
+Suites: trixie-security
+Components: main non-free-firmware contrib
+Signed-By: $KEYRING
+EOM
+
+[[ -f /etc/apt/sources.list ]] && rm -f /etc/apt/sources.list && echo "Old /etc/apt/sources.list removed."
+
+if [[ ! -f "$KEYRING" ]]; then
+	if ! add_apt_key_from_url "$KEY_URL" "$KEYRING"; then
+		echo "Warning: failed to add key from $KEY_URL" >&2
+	fi
+fi
+
+if [[ ! -f "$SOURCES" ]] || ! printf '%s\n' "$CONTENT" | cmp -s - "$SOURCES"; then
+	add_apt_sources_file "$CONTENT" "$SOURCES" || {
+		echo "Failed to write $SOURCES" >&2
+		exit 1
+	}
+	apt-get update
+	echo "File $SOURCES written"
+else
+	echo "File $SOURCES unchanged"
+fi

roles/codium/config.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+source "$PROJECT_DIR/lib.sh"
+enable_strict_mode
+
+cat <<'EOM'
+
+=> Codium configuration
+
+EOM
+
+install_code_extensions codium \
+  junstyle.php-cs-fixer \
+  mkhl.shfmt \
+  sibiraj-s.vscode-scss-formatter \
+  asispts.vscode-symfony-twig || true
+
+TARGET_USER="$(get_target_user 2>/dev/null || true)"
+if [[ -n "$TARGET_USER" ]]; then
+  copy_config "codium/settings.json" "/home/${TARGET_USER}/.config/VSCodium/User"
+else
+  echo 'No regular target user detected for VSCodium settings; skipping user settings copy.' >&2
+fi

roles/codium/packages.list

@@ -0,0 +1,3 @@
+ROLE_PACKAGES=(
+  "codium"
+)

roles/codium/repo.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+source "$PROJECT_DIR/lib.sh"
+enable_strict_mode
+
+cat <<'EOM'
+
+=> VSCodium
+
+EOM
+
+KEYRING_DIR="/etc/apt/keyrings"
+KEYRING="$KEYRING_DIR/vscodium-archive-keyring.gpg"
+KEY_URL="https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/-/raw/master/pub.gpg"
+SRC_FILE="/etc/apt/sources.list.d/vscodium.sources"
+VSCODIUM_URI="https://download.vscodium.com/debs"
+ARCH_CUR=$(dpkg --print-architecture 2>/dev/null || true)
+ARCH_CUR=${ARCH_CUR:-amd64}
+
+read -r -d '' VSCODIUM_SOURCES_CONTENT <<EOM || true
+Types: deb
+URIs: $VSCODIUM_URI
+Suites: vscodium
+Components: main
+Architectures: $ARCH_CUR
+Signed-By: $KEYRING
+EOM
+
+install_apt_repo "$KEY_URL" "$KEYRING" "$VSCODIUM_SOURCES_CONTENT" "$SRC_FILE" codium

roles/desktop/config.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+# Configuration du rôle desktop
+source "$PROJECT_DIR/lib.sh"
+enable_strict_mode
+
+cat <<'EOM'
+
+=> Desktop configuration
+
+EOM
+
+ensure_grub_cmdline
+remove_primary_network_section
+copy_config "firefox/policies.json" "/etc/firefox/policies"

roles/desktop/packages.list

@@ -0,0 +1,14 @@
+ROLE_PACKAGES=(
+  "gimp"
+  "gnome-core"
+  "gnome-music"
+  "gnome-shell-extension-caffeine"
+  "gnome-tweaks"
+  "gufw"
+  "libreoffice"
+  "keepassxc-minimal"
+  "papirus-icon-theme"
+  "qbittorrent"
+  "firefox-esr"
+  "torbrowser-launcher"
+)

roles/devel/config.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+source "$PROJECT_DIR/lib.sh"
+enable_strict_mode
+
+cat <<'EOM'
+
+=> Developer environment
+
+EOM
+
+configure_php_no_jit
+log_ok "PHP developer configuration applied"
+echo 'Developer profile ready.'

roles/devel/packages.list

@@ -0,0 +1,9 @@
+ROLE_PACKAGES=(
+  "php-cli"
+  "composer"
+  "sqlite3"
+  "php-sqlite3"
+  "npm"
+  "shfmt"
+  "php-xdebug"
+)

roles/docker/packages.list

@@ -0,0 +1,7 @@
+ROLE_PACKAGES=(
+  "docker-ce"
+  "docker-ce-cli"
+  "containerd.io"
+  "docker-buildx-plugin"
+  "docker-compose-plugin"
+)

roles/docker/repo.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+source "$PROJECT_DIR/lib.sh"
+enable_strict_mode
+
+cat <<'EOM'
+
+=> Docker
+
+EOM
+
+KEYRING_DIR="/etc/apt/keyrings"
+KEYRING="$KEYRING_DIR/docker.gpg"
+KEY_URL="https://download.docker.com/linux/debian/gpg"
+SRC_FILE="/etc/apt/sources.list.d/docker.sources"
+CODENAME=$(source /etc/os-release && echo "$VERSION_CODENAME")
+DOCKER_URI="https://download.docker.com/linux/debian"
+ARCH_CUR=$(dpkg --print-architecture 2>/dev/null || true)
+ARCH_CUR=${ARCH_CUR:-amd64}
+
+read -r -d '' DOCKER_SOURCES_CONTENT <<EOM || true
+Types: deb
+URIs: $DOCKER_URI
+Suites: $CODENAME
+Components: stable
+Architectures: $ARCH_CUR
+Signed-By: $KEYRING
+EOM
+
+install_apt_repo "$KEY_URL" "$KEYRING" "$DOCKER_SOURCES_CONTENT" "$SRC_FILE" docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

roles/firewall/config.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+# Declarative firewall configuration with common + profile-specific rules
+source "$PROJECT_DIR/lib.sh"
+enable_strict_mode
+
+cat <<'EOM'
+
+=> Firewall configuration
+
+EOM
+
+ufw_initialize
+
+COMMON_RULES_FILE="$ROLE_DIR/firewall/rules.common.list"
+PROFILE_RULES_FILE="$ROLE_DIR/firewall/rules.${profile:-}.list"
+
+apply_ufw_rules_file "$COMMON_RULES_FILE"
+apply_ufw_rules_file "$PROFILE_RULES_FILE"
+
+ufw reload
+log_ok "Firewall rules applied"

roles/firewall/rules.common.list

@@ -0,0 +1 @@
+# Common firewall rules

roles/firewall/rules.desktop.list

@@ -0,0 +1 @@
+# Desktop-specific firewall rules

roles/firewall/rules.devel.list

@@ -0,0 +1,2 @@
+# Development-specific firewall rules
+# 3000/tcp

roles/firewall/rules.server.list

@@ -0,0 +1,8 @@
+# Server-specific firewall rules
+ssh
+http
+https
+imap
+imaps
+smtp
+submissions

roles/server/config.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+# Configuration du rôle server
+source "$PROJECT_DIR/lib.sh"
+enable_strict_mode
+
+cat <<'EOM'
+
+=> Server configuration
+
+EOM
+
+ensure_grub_cmdline
+
+SSH_DIR="/etc/ssh/sshd_config.d"
+mkdir -p "$SSH_DIR"
+SSH_CONF="${SSH_DIR}/custom.conf"
+
+read -r -d '' SSH_CONF_CONTENT <<'EOM' || true
+# SSH keys only
+PasswordAuthentication no
+PubkeyAuthentication yes
+PermitEmptyPasswords no
+EOM
+
+if write_text_file_if_changed "$SSH_CONF_CONTENT" "$SSH_CONF" >/dev/null; then
+	restart_service_if_present ssh
+	restart_service_if_present sshd
+fi

roles/server/packages.list

@@ -0,0 +1,3 @@
+ROLE_PACKAGES=(
+  # add server-specific packages here, e.g. "nginx" "postgresql" "fail2ban"
+)

roles/zram/config.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+source "${PROJECT_DIR:?}/lib.sh"
+enable_strict_mode
+
+cat <<'EOM'
+
+=> ZRAM
+
+EOM
+
+ZFILE="/etc/default/zramswap"
+
+if [[ ! -f "$ZFILE" ]]; then
+	write_text_file_if_changed $'# Configuration minimale pour zramswap\nALGO=zstd\nPERCENT=50\n' "$ZFILE" >/dev/null || true
+fi
+
+if grep -q '^ALGO=lz4' "$ZFILE" 2>/dev/null; then
+	sed -i 's/^ALGO=lz4/ALGO=zstd/' "$ZFILE"
+elif ! grep -q '^ALGO=' "$ZFILE" 2>/dev/null; then
+	echo 'ALGO=zstd' >>"$ZFILE"
+fi
+
+if ! grep -q '^PERCENT=' "$ZFILE" 2>/dev/null; then
+	echo 'PERCENT=50' >>"$ZFILE"
+fi
+
+restart_service_if_present zramswap
+if ! systemctl is-active --quiet zramswap.service; then
+	echo 'Warning: zramswap.service not active' >&2
+fi

roles/zram/packages.list

@@ -0,0 +1,3 @@
+ROLE_PACKAGES=(
+  "zram-tools"
+)