fix permissions

Dockerfile

@@ -1,9 +1,9 @@
 FROM fedora
 RUN dnf update -y && dnf install -y \
   ansible
-RUN useradd -m -s /bin/bash -d /home/alice alice
 COPY . /opt/setup
 RUN ansible-playbook /opt/setup/playbooks/image.yml
 RUN mkdir /workspace && chown alice:alice /workspace
-USER dev
-WORKDIR /workspace
+USER alice
+VOLUME /home/alice/workspace
+WORKDIR /home/alice/Projects

playbooks/roles/base_info/tasks/main.yml

@@ -2,7 +2,7 @@
   tags: always
   ansible.builtin.set_fact:
     username: alice
-    home: "{{ ansible_env.HOME }}"
+    home: "/home/alice"
     use_become: true
     mac_os: "{{ ansible_distribution == 'MacOSX' }}"
 
@@ -11,3 +11,4 @@
   when: mac_os
   ansible.builtin.set_fact:
     install_with_root: false
+    home: "/Users/alice"

playbooks/roles/base_system/tasks/main.yml

@@ -15,3 +15,11 @@
     update_password: "on_create"
     create_home: yes
     group: "{{ username }}"
+
+- name: Ensure home
+  tags: always
+  become: true
+  ansible.builtin.file:
+    path: "{{ home }}"
+    state: directory
+    owner: "{{ username }}"

playbooks/roles/base_terminal/meta/main.yml

@@ -1,3 +1,4 @@
 ---
 dependencies:
   - role: base_info
+  - role: base_system

playbooks/roles/base_terminal/tasks/config.yml

@@ -5,6 +5,7 @@
   ansible.builtin.file:
     mode: "{{ item.mode }}"
     path: "{{ home }}/{{ item.path }}"
+    owner: "{{ username }}"
     state: directory
   with_community.general.filetree:
     - ../files/
@@ -19,6 +20,7 @@
     src: "{{ item.src }}"
     dest: "{{ home }}/{{ item.path }}"
     mode: "{{ item.mode }}"
+    owner: "{{ username }}"
   with_community.general.filetree:
     - ../files
   loop_control:

playbooks/roles/server_ssh/tasks/main.yml

@@ -6,6 +6,7 @@
     mode: "{{ item.mode }}"
     path: "{{ home }}/{{ item.path }}"
     state: directory
+    owner: "{{ username }}"
   with_community.general.filetree:
     - ../files
   loop_control:
@@ -19,6 +20,7 @@
     src: "{{ item.src }}"
     dest: "{{ home }}/{{ item.path | regex_replace('\\.j2$', '') }}"
     mode: "{{ item.mode }}"
+    owner: "{{ username }}"
   with_community.general.filetree:
     - ../templates
   loop_control:
@@ -32,6 +34,7 @@
     src: "{{ item.src }}"
     dest: "{{ home }}/{{ item.path }}"
     mode: "{{ item.mode }}"
+    owner: "{{ username }}"
   with_community.general.filetree:
     - ../files
   loop_control:

playbooks/roles/software_atuin/tasks/main.yml

@@ -24,6 +24,7 @@
   ansible.builtin.file:
     path: "{{ home }}/.local/bin"
     mode: "0755"
+    owner: "{{ username }}"
     state: directory
 
 - name: Move bin
@@ -46,6 +47,7 @@
   ansible.builtin.file:
     mode: "{{ item.mode }}"
     path: "{{ home }}/{{ item.path }}"
+    owner: "{{ username }}"
     state: directory
   with_community.general.filetree:
     - ../files
@@ -60,6 +62,7 @@
     src: "{{ item.src }}"
     dest: "{{ home }}/{{ item.path }}"
     mode: "{{ item.mode }}"
+    owner: "{{ username }}"
   with_community.general.filetree:
     - ../files
   loop_control:

playbooks/roles/software_git/tasks/main.yml

@@ -16,6 +16,7 @@
   ansible.builtin.file:
     mode: "{{ item.mode }}"
     path: "{{ home }}/{{ item.path }}"
+    owner: "{{ username }}"
     state: directory
   with_community.general.filetree:
     - ../files
@@ -30,6 +31,7 @@
   ansible.builtin.copy:
     src: "{{ item.src }}"
     dest: "{{ home }}/{{ item.path }}"
+    owner: "{{ username }}"
     mode: "{{ item.mode }}"
   with_community.general.filetree:
     - ../files
@@ -44,6 +46,7 @@
   ansible.builtin.template:
     src: "../templates/gitconfig.j2"
     dest: "{{ home }}/.gitconfig"
+    owner: "{{ username }}"
     mode: "644"
 
 - name: Setup contexts

playbooks/roles/software_git/tasks/setup-context.yml

@@ -5,12 +5,23 @@
   ansible.builtin.template:
     src: "../templates/gitconfig.context.j2"
     dest: "{{ context.path }}/.gitconfig"
+    owner: "{{ username }}"
     mode: "644"
   vars:
     git: "{{ context.git }}"
     name: "{{ name }}"
   when: "'git' in context"
 
+- name: Ensure dir
+  tags:
+    - git
+    - config
+  ansible.builtin.file:
+    path: "{{ context.path }}"
+    state: directory
+    owner: "{{ username }}"
+    mode: "0700"
+
 - name: Setup context ssh config
   tags:
     - git
@@ -18,6 +29,7 @@
   ansible.builtin.template:
     src: "../templates/sshconfig.context.j2"
     dest: "{{ home }}/.ssh/config.d/git-{{ name }}"
+    owner: "{{ username }}"
     mode: "644"
   vars:
     name: "{{ name }}"
@@ -30,6 +42,7 @@
   ansible.builtin.file:
     path: "{{ home }}/.ssh/keys"
     state: directory
+    owner: "{{ username }}"
     mode: "0700"
 
 - name: Setup context public key
@@ -39,5 +52,6 @@
   ansible.builtin.copy:
     content: "{{ context.git.signing_key }}"
     dest: "{{ home }}/.ssh/keys/github-{{ name }}.pub"
+    owner: "{{ username }}"
     mode: "0644"
   when: "'git' in context and 'signing_key' in context.git"

playbooks/roles/software_nvim/nvim.yml

@@ -1,22 +0,0 @@
----
-- name: Configure neovim
-  tags:
-    - config
-    - nvim
-  ansible.builtin.git:
-    repo: https://github.com/morten-olsen/nvim
-    dest: "{{ home }}/.config/nvim"
-    accept_newhostkey: true
-    clone: true
-    update: true
-    force: true
-
-- name: Prepare neovim
-  tags:
-    - config
-    - nvim
-  register: nviminstall
-  changed_when: nviminstall.stdout != ''
-  ansible.builtin.shell: nvim --headless +q
-  args:
-    executable: /bin/bash

playbooks/roles/software_nvim/tasks/main.yml

@@ -14,6 +14,7 @@
   ansible.builtin.file:
     mode: "{{ item.mode }}"
     path: "{{ home }}/{{ item.path }}"
+    owner: "{{ username }}"
     state: directory
   with_community.general.filetree:
     - ../files
@@ -21,7 +22,7 @@
     label: "{{ item.path }}"
   when: item.state == 'directory'
 
-- name: Copy config {{ context }}
+- name: Copy config
   tags:
     - nvim
     - config
@@ -29,6 +30,7 @@
     src: "{{ item.src }}"
     dest: "{{ home }}/{{ item.path }}"
     mode: "{{ item.mode }}"
+    owner: "{{ username }}"
   with_community.general.filetree:
     - ../files
   loop_control:
@@ -39,6 +41,8 @@
   tags:
     - config
     - nvim
+  become: true
+  become_user: "{{ username }}"
   ansible.builtin.git:
     repo: https://github.com/morten-olsen/nvim
     dest: "{{ home }}/Projects/private/nvim"
@@ -53,6 +57,7 @@
     - nvim
   ansible.builtin.file:
     path: "{{ home }}/.config"
+    owner: "{{ username }}"
     state: directory
     mode: "0755"
 
@@ -63,12 +68,15 @@
   ansible.builtin.file:
     src: "{{ home }}/Projects/private/nvim"
     dest: "{{ home }}/.config/nvim"
+    owner: "{{ username }}"
     state: link
 
 - name: Prepare neovim
   tags:
     - config
     - nvim
+  become: true
+  become_user: "{{ username }}"
   register: nviminstall
   changed_when: nviminstall.stdout != ''
   ansible.builtin.shell: nvim --headless +q

playbooks/roles/software_nvm/tasks/main.yml

@@ -7,6 +7,8 @@
 - name: Clone nvm
   tags:
     - install
+  become_user: "{{ username }}"
+  become: true
   ansible.builtin.git:
     accept_newhostkey: true
     clone: true
@@ -18,6 +20,7 @@
 - name: Install node and set version
   tags:
     - config
+  become_user: "{{ username }}"
   register: nodeinstall
   ansible.builtin.shell: source {{ home }}/.nvm/nvm.sh && nvm install 22
   changed_when: "'is already installed' not in nodeinstall.stderr"
@@ -30,6 +33,7 @@
   ansible.builtin.file:
     mode: "{{ item.mode }}"
     path: "{{ home }}/{{ item.path }}"
+    owner: "{{ username }}"
     state: directory
   with_community.general.filetree:
     - ../files
@@ -44,6 +48,7 @@
     src: "{{ item.src }}"
     dest: "{{ home }}/{{ item.path }}"
     mode: "{{ item.mode }}"
+    owner: "{{ username }}"
   with_community.general.filetree:
     - ../files
   loop_control:

playbooks/roles/software_ssh/tasks/main.yml

@@ -5,6 +5,7 @@
   ansible.builtin.file:
     mode: "{{ item.mode }}"
     path: "{{ home }}/{{ item.path }}"
+    owner: "{{ username }}"
     state: directory
   with_community.general.filetree:
     - ../files
@@ -20,6 +21,7 @@
     src: "{{ item.src }}"
     dest: "{{ home }}/{{ item.path }}"
     mode: "{{ item.mode }}"
+    owner: "{{ username }}"
   with_community.general.filetree:
     - ../files
   loop_control:

playbooks/roles/software_starship/tasks/main.yml

@@ -22,7 +22,8 @@
   tags: always
   ansible.builtin.file:
     mode: "0755"
-    path: "{{ home }}/.scripts"
+    path: "{{ home }}/.local/bin"
+    owner: "{{ username }}"
     state: directory
 
 - name: Move bin
@@ -30,5 +31,6 @@
   ansible.builtin.copy:
     remote_src: true
     mode: "0755"
+    owner: "{{ username }}"
     src: "{{ software_starship_unpack_file }}"
     dest: "{{ home }}/.local/bin/starship"

playbooks/roles/software_tmux/tasks/main.yml

@@ -5,6 +5,7 @@
   ansible.builtin.file:
     mode: "{{ item.mode }}"
     path: "{{ home }}/{{ item.path }}"
+    owner: "{{ username }}"
     state: directory
   with_community.general.filetree:
     - ../files
@@ -19,6 +20,7 @@
     src: "{{ item.src }}"
     dest: "{{ home }}/{{ item.path | regex_replace('\\.j2$', '') }}"
     mode: "{{ item.mode }}"
+    owner: "{{ username }}"
   with_community.general.filetree:
     - ../templates
   loop_control:
@@ -32,6 +34,7 @@
     src: "{{ item.src }}"
     dest: "{{ home }}/{{ item.path }}"
     mode: "{{ item.mode }}"
+    owner: "{{ username }}"
   with_community.general.filetree:
     - ../files
   loop_control:

playbooks/roles/software_zsh/tasks/main.yml

@@ -20,6 +20,7 @@
   ansible.builtin.file:
     mode: "{{ item.mode }}"
     path: "{{ home }}/{{ item.path }}"
+    owner: "{{ username }}"
     state: directory
   with_community.general.filetree:
     - ../files
@@ -34,6 +35,7 @@
     src: "{{ item.src }}"
     dest: "{{ home }}/{{ item.path | regex_replace('\\.j2$', '') }}"
     mode: "{{ item.mode }}"
+    owner: "{{ username }}"
   with_community.general.filetree:
     - ../templates
   loop_control:
@@ -47,6 +49,7 @@
     src: "{{ item.src }}"
     dest: "{{ home }}/{{ item.path }}"
     mode: "{{ item.mode }}"
+    owner: "{{ username }}"
   with_community.general.filetree:
     - ../files
   loop_control: