From 3cb92532c184689d16f4f5766b763064acc9aa46 Mon Sep 17 00:00:00 2001
From: "Glenn K. Lockwood"
Date: Sat, 27 Oct 2018 17:35:35 -0700
Subject: [PATCH 01/19] convert to local config
---
hosts | 4 +---
local.yml | 7 +++++++
site.yml | 4 ----
3 files changed, 8 insertions(+), 7 deletions(-)
create mode 100644 local.yml
delete mode 100644 site.yml
diff --git a/hosts b/hosts
index 48e148f..533c237 100644
--- a/hosts
+++ b/hosts
@@ -1,3 +1 @@
-cloverfield ansible_host=192.168.1.153
-clovermine ansible_host=192.168.1.154
-clovermill ansible_host=192.168.1.149
+localhost ansible_connection=local
diff --git a/local.yml b/local.yml
new file mode 100644
index 0000000..a44eb5e
--- /dev/null
+++ b/local.yml
@@ -0,0 +1,7 @@
+---
+- name: Raspberry Pi self configuration
+ hosts: localhost
+ user: root
+ connection: local
+ roles:
+ - common
diff --git a/site.yml b/site.yml
deleted file mode 100644
index 48485e3..0000000
--- a/site.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- hosts: all
- roles:
- - role: common
From c2c4b4cb1eee4d3ed842601b2b5966d2ca66ddce Mon Sep 17 00:00:00 2001
From: "Glenn K. Lockwood"
Date: Sat, 27 Oct 2018 19:44:25 -0700
Subject: [PATCH 02/19] break out logic into separate files; improve data structure that maps localhost to system-specific settings
---
roles/common/tasks/main.yml | 99 ++++++---------------------------
roles/common/tasks/software.yml | 31 +++++++++++
roles/common/tasks/users.yml | 41 ++++++++++++++
roles/common/vars/main.yml | 9 ++-
4 files changed, 94 insertions(+), 86 deletions(-)
create mode 100644 roles/common/tasks/software.yml
create mode 100644 roles/common/tasks/users.yml
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 436204d..9f1e4c9 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
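Review bot: In local.yml, `user: root` together with `connection: local` does not make the play run as root, because a local connection performs no login and the tasks run as whichever account invokes ansible-playbook. The common role writes /etc/hosts and manages user accounts, so an unprivileged run would fail at the first task that writes. If root is required, state it with `become: true` in place of `user: root`. `connection: local` also repeats `ansible_connection=local` from the hosts file, so one of the two can go.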
@@ -1,27 +1,25 @@ --- -### Switch to non-default user as soon as possible if possible -#- name: does primary login user exist? -# local_action: "command ssh -q -o ConnectTimeout=3 -l {{ create_users[0].name }} {{ inventory_hostname }} /bin/true" -# register: user_exists -# ignore_errors: true -# changed_when: false -# -#- name: switch remote_user if possible -# remote_user: "{{ user_exists | success | ternary(omit, create_users[0].name) }}" -# command: "/bin/true" -# changed_when: false -### Set hostname +# Basic hostname setup + +- name: Get MAC address + debug: msg="{{ hostvars[inventory_hostname].ansible_default_ipv4.macaddress }}" + +- name: store MAC address + set_fact: + my_macaddr: "{{ hostvars[inventory_hostname].ansible_default_ipv4.macaddress }}" + - name: set hostname - hostname: name={{ inventory_hostname }} - when: inventory_hostname is defined and ansible_nodename is defined + hostname: name={{ macaddrs[my_macaddr].hostname }} + when: my_macaddr in macaddrs - name: update /etc/hosts with new hostname lineinfile: dest=/etc/hosts regexp="^{{ ansible_default_ipv4.address }}" - line="{{ ansible_default_ipv4.address }}{{'\t'}}{{ inventory_hostname }}.local{{'\t'}}{{ inventory_hostname }}" + line="{{ ansible_default_ipv4.address }}{{'\t'}}{{ macaddrs[my_macaddr].hostname }}.local{{'\t'}}{{ macaddrs[my_macaddr].hostname }}" state=present + when: my_macaddr in macaddrs - name: get rid of default 127.0.1.1 binding lineinfile: @@ -29,16 +27,8 @@ regexp="^127.0.1.1" state=absent -### Configure /etc/hosts -- name: ensure that all local hosts are in /etc/hosts - lineinfile: - dest=/etc/hosts - line="{{ item.ip }}{{'\t'}}{{ item.name }}.local{{'\t'}}{{ item.name }}" - state=present - with_items: "{{etc_hosts_contents}}" - -### Set timezone -- name: set /etc/timezone to America/Los_Angeles +# Set timezone +- name: set /etc/timezone copy: src=etc/timezone dest=/etc/timezone owner=root 
@@ -48,59 +38,6 @@ notify: - changed timezone -### Uninstall Raspbian bloat -- name: remove raspbian bloat - apt: - name="{{ item }}" - state=absent - with_items: - - wolfram-engine - - libreoffice* - - scratch - - minecraft-pi - - python-minecraftpi - - python3-minecraftpi - - sonic-pi - - dillo - - gpiciew - - penguinspuzzle - -### Install required software -- name: install basic software environment - apt: - name="{{ item }}" - state=present - update_cache=yes - with_items: - - vim - - git - - python-pip - -### Create user accounts -- name: create users - user: name="{{ item.name }}" - comment="{{ item.comment }}" - group="{{ item.group }}" - groups="{{ item.groups }}" - uid="{{ item.uid }}" - state=present - shell=/bin/bash - with_items: "{{ create_users }}" - tags: [ 'users' ] - -- name: install ssh pubkeys for new users - authorized_key: user="{{ item.name }}" - key="{{ item.pubkey }}" - state=present - with_items: "{{ create_users }}" - tags: [ 'users' ] - -### disable the 'pi' user's ability to login in with password -### if you enable this, you may lock yourself out--you must make sure another -### user has been added with both sudo privileges and a password by which -### sudo can be authenticated -#- name: disable 'pi' user -# user: name="pi" -# password="*" -# state=present -# tags: [ 'users' ] +# Other tasks +- include: software.yml +- include: users.yml diff --git a/roles/common/tasks/software.yml b/roles/common/tasks/software.yml new file mode 100644 index 0000000..193ad11 --- /dev/null +++ b/roles/common/tasks/software.yml 
@@ -0,0 +1,31 @@
+---
+
+### Uninstall Raspbian bloat
+- name: remove raspbian bloat
+ apt:
+ name="{{ packages }}"
+ state=absent
+ vars:
+ packages:
+ - wolfram-engine
+ - libreoffice*
+ - scratch
+ - minecraft-pi
+ - python-minecraftpi
+ - python3-minecraftpi
+ - sonic-pi
+ - dillo
+ - gpiciew
+ - penguinspuzzle
+
+### Install required software
+- name: install basic software environment
+ apt:
+ name="{{ packages }}"
+ state=present
+ update_cache=yes
+ vars:
+ packages:
+ - vim
+ - git
+ - python-pip
diff --git a/roles/common/tasks/users.yml b/roles/common/tasks/users.yml
new file mode 100644
index 0000000..8f5ad0f
--- /dev/null
+++ b/roles/common/tasks/users.yml
@@ -0,0 +1,41 @@
+---
+### Switch to non-default user as soon as possible if possible
+#- name: does primary login user exist?
+# local_action: "command ssh -q -o ConnectTimeout=3 -l {{ create_users[0].name }} {{ inventory_hostname }} /bin/true"
+# register: user_exists
+# ignore_errors: true
+# changed_when: false
+#
+#- name: switch remote_user if possible
+# remote_user: "{{ user_exists | success | ternary(omit, create_users[0].name) }}"
+# command: "/bin/true"
+# changed_when: false
+
+### Create user accounts
+- name: create users
+ user: name="{{ item.name }}"
+ comment="{{ item.comment }}"
+ group="{{ item.group }}"
+ groups="{{ item.groups }}"
+ uid="{{ item.uid }}"
+ state=present
+ shell=/bin/bash
+ with_items: "{{ create_users }}"
+ tags: [ 'users' ]
+
+- name: install ssh pubkeys for new users
+ authorized_key: user="{{ item.name }}"
+ key="{{ item.pubkey }}"
+ state=present
+ with_items: "{{ create_users }}"
+ tags: [ 'users' ]
+
+### disable the 'pi' user's ability to login in with password
+### if you enable this, you may lock yourself out--you must make sure another
+### user has been added with both sudo privileges and a password by which
+### sudo can be authenticated
+#- name: disable 'pi' user
+# user: name="pi"
+# password="*"
+# state=present
+# tags: [ 'users' ]
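Review bot: `gpiciew` in the `remove raspbian bloat` list of software.yml looks like a misspelling of `gpicview`, so that package is presumably never removed. The list was carried over unchanged from main.yml, which makes this move a good moment to correct the entry to `- gpicview`. Removing a name that apt does not know tends to pass quietly, so the typo is unlikely to surface as a failed task.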
diff --git a/roles/common/vars/main.yml b/roles/common/vars/main.yml index 2dc79f2..66fa321 100644 --- a/roles/common/vars/main.yml +++ b/roles/common/vars/main.yml @@ -1,9 +1,8 @@ --- -### Hosts that must be present in /etc/hosts -etc_hosts_contents: - - { name: 'clovermill', ip: '192.168.1.149' } - - { name: 'cloverfield', ip: '192.168.1.153' } - - { name: 'clovermine', ip: '192.168.1.154' } +macaddrs: + b8:27:eb:39:d7:57: + hostname: "clovermine" + ip: "192.168.1.154" ### Users that must be present on the system create_users: From 8b859b877c67b79bb829ed3f5f144d5319694c6b Mon Sep 17 00:00:00 2001 From: "Glenn K. Lockwood" Date: Sat, 27 Oct 2018 19:54:12 -0700 Subject: [PATCH 03/19] enable uart (but not necessarily the console) --- roles/common/tasks/hardware.yml | 8 ++++++++ roles/common/tasks/main.yml | 1 + 2 files changed, 9 insertions(+) create mode 100644 roles/common/tasks/hardware.yml diff --git a/roles/common/tasks/hardware.yml b/roles/common/tasks/hardware.yml new file mode 100644 index 0000000..badf0b0 --- /dev/null +++ b/roles/common/tasks/hardware.yml @@ -0,0 +1,8 @@ +--- + +- name: enable uart on boot + lineinfile: + dest=/boot/config.txt + regexp="^enable_uart=" + line="enable_uart=1" + state=present diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 9f1e4c9..6a5a111 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -41,3 +41,4 @@ # Other tasks - include: software.yml - include: users.yml +- include: hardware.yml From 99915605fae6cb806b271d13dd078887ab6b279c Mon Sep 17 00:00:00 2001 From: "Glenn K. Lockwood" Date: Sun, 28 Oct 2018 08:54:24 -0700 Subject: [PATCH 04/19] added cloverleaf --- roles/common/vars/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/common/vars/main.yml b/roles/common/vars/main.yml index 66fa321..a671efd 100644 --- a/roles/common/vars/main.yml +++ b/roles/common/vars/main.yml 
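Review bot: The MAC address key under `macaddrs` in roles/common/vars/main.yml is an unquoted plain scalar, and it is read as a string only because it contains letters. An address made up of digits and colons alone would be loaded as a base-60 integer by a YAML 1.1 parser and would never equal `ansible_default_ipv4.macaddress`, so the `when: my_macaddr in macaddrs` tasks would skip that host without any error. Quote the keys, `'b8:27:eb:39:d7:57':`, and keep them lower-case to match the fact. The `cloverleaf` entry added in PATCH 04 needs the same treatment.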
@@ -3,6 +3,8 @@ macaddrs: b8:27:eb:39:d7:57: hostname: "clovermine" ip: "192.168.1.154" + b8:27:eb:ff:35:c7: + hostname: "cloverleaf" ### Users that must be present on the system create_users: From 4181ca6030a0c8ba13941991687f5862eb262177 Mon Sep 17 00:00:00 2001 From: "Glenn K. Lockwood" Date: Sun, 28 Oct 2018 18:49:08 +0000 Subject: [PATCH 05/19] use raspi-config to collect facts --- .gitignore | 2 +- roles/common/handlers/main.yml | 3 - roles/common/tasks/linux-facts.yml | 9 ++ roles/common/tasks/main.yml | 39 ++++++--- roles/common/tasks/raspi-facts.yml | 135 +++++++++++++++++++++++++++++ roles/common/vars/main.yml | 7 +- 6 files changed, 177 insertions(+), 18 deletions(-) delete mode 100644 roles/common/handlers/main.yml create mode 100644 roles/common/tasks/linux-facts.yml create mode 100644 roles/common/tasks/raspi-facts.yml diff --git a/.gitignore b/.gitignore index d939922..c192331 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -site.retry +local.retry diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml deleted file mode 100644 index 7d98a99..0000000 --- a/roles/common/handlers/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- name: changed timezone - command: dpkg-reconfigure --frontend noninteractive tzdata diff --git a/roles/common/tasks/linux-facts.yml b/roles/common/tasks/linux-facts.yml new file mode 100644 index 0000000..43c4712 --- /dev/null +++ b/roles/common/tasks/linux-facts.yml @@ -0,0 +1,9 @@ +--- +- name: get timezone via timedatectl + shell: timedatectl | grep "Time zone" | cut -d: -f2 | cut -d'(' -f1 | sed -Ee 's/(^ *| *$)//g' + register: linux_tz + changed_when: False + +- name: set linux-config facts + set_fact: + linux_tz: linux_tz.stdout diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 6a5a111..37a6296 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -1,7 +1,10 @@ --- -# Basic hostname setup +# Gather facts specific to the Raspberry Pi platform +- include: raspi-facts.yml +- include: linux-facts.yml +# Basic hostname setup - name: Get MAC address debug: msg="{{ hostvars[inventory_hostname].ansible_default_ipv4.macaddress }}" @@ -10,14 +13,14 @@ my_macaddr: "{{ hostvars[inventory_hostname].ansible_default_ipv4.macaddress }}" - name: set hostname - hostname: name={{ macaddrs[my_macaddr].hostname }} - when: my_macaddr in macaddrs + shell: "raspi-config nonint do_hostname {{ macaddrs[my_macaddr].hostname }}" + when: raspi_hostname != macaddrs[my_macaddr].hostname - name: update /etc/hosts with new hostname lineinfile: dest=/etc/hosts regexp="^{{ ansible_default_ipv4.address }}" - line="{{ ansible_default_ipv4.address }}{{'\t'}}{{ macaddrs[my_macaddr].hostname }}.local{{'\t'}}{{ macaddrs[my_macaddr].hostname }}" + line="{{ ansible_default_ipv4.address }}{{'\t'}}{{ macaddrs[my_macaddr].hostname }}.{{ macaddrs[my_macaddr].domain }}{{'\t'}}{{ macaddrs[my_macaddr].hostname }}" state=present when: my_macaddr in macaddrs @@ -28,15 +31,25 @@ state=absent # Set timezone -- name: set /etc/timezone - copy: src=etc/timezone - dest=/etc/timezone - owner=root - group=root - mode=0644 - backup=yes - notify: - - changed timezone +- name: set timezone + shell: "timedatectl set-timezone {{ macaddrs[my_macaddr].timezone }}" + when: linux_tz != macaddrs[my_macaddr].timezone + +# Set locale +- name: set locale + shell: "raspi-config nonint do_change_locale {{ macaddrs[my_macaddr].locale }}" + when: raspi_locale != macaddrs[my_macaddr].locale + +# Enable sshd +- name: forbid login via 'pi' user via ssh + lineinfile: + dest=/etc/ssh/sshd_config + line="DenyUsers pi" + state=present + +- name: enable SSH + shell: "raspi-config nonint do_ssh 0" + when: raspi_ssh_disabled != '0' # Other tasks - include: software.yml 
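Review bot: The new `when: raspi_hostname != macaddrs[my_macaddr].hostname` on `set hostname` drops the `my_macaddr in macaddrs` guard that the following `update /etc/hosts` task still carries, so on a board whose MAC is not listed the play stops with an undefined-variable error instead of skipping. The `set timezone` and `set locale` tasks in the next hunk of this file have the same gap. Suggest `when: my_macaddr in macaddrs and raspi_hostname != macaddrs[my_macaddr].hostname` and the equivalent on the other two. `command:` would also do in place of `shell:` here, since none of these lines uses shell features.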
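Review bot: The `DenyUsers pi` line is written to /etc/ssh/sshd_config but nothing reloads sshd afterwards, and this same commit deletes roles/common/handlers/main.yml, so a daemon that is already running keeps accepting `pi` logins until its next restart. Add a `notify:` on the lineinfile task pointing at a handler that reloads the ssh service, and add `validate='/usr/sbin/sshd -t -f %s'` so a file that sshd cannot parse is never put in place. DenyUsers covers SSH only; console and serial logins for `pi` are unaffected, which is what the commented-out `disable 'pi' user` task in users.yml would address.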
diff --git a/roles/common/tasks/raspi-facts.yml b/roles/common/tasks/raspi-facts.yml
new file mode 100644
index 0000000..074601a
--- /dev/null
+++ b/roles/common/tasks/raspi-facts.yml
@@ -0,0 +1,135 @@
+---
+- name: get Raspberry Pi model type
+ shell: "raspi-config nonint get_pi_type"
+ register: raspi_type
+ changed_when: False
+
+- name: get hostname via raspi-config
+ shell: "raspi-config nonint get_hostname"
+ register: raspi_hostname
+ changed_when: False
+
+- name: get boot-to-gui setting
+ shell: "raspi-config nonint get_boot_cli" # 0 == "boot to cli"; 1 == "boot to gui"
+ register: raspi_boot_gui
+ changed_when: False
+
+- name: get autologin setting
+ shell: "raspi-config nonint get_autologin" # 0 == "enable autologin"; 1 == "disable autologin"
+ register: raspi_noautologin
+ changed_when: False
+
+- name: get wait-for-network-on-boot setting
+ shell: "raspi-config nonint get_boot_wait" # 0 == "wait"; 1 == "don't wait"
+ register: raspi_boot_nowait
+ changed_when: False
+
+- name: get wifi country
+ shell: "raspi-config nonint get_wifi_country"
+ register: raspi_wifi_country
+ changed_when: False
+
+- name: get camera status
+ shell: "raspi-config nonint get_camera" # 0 == "camera enabled"; 1 == "camera disabled"
+ register: raspi_camera_disabled
+ changed_when: False
+
+- name: get ssh enabled status
+ shell: "raspi-config nonint get_ssh"
+ register: raspi_ssh_disabled
+ changed_when: False
+
+- name: get VNC enabled status
+ shell: "raspi-config nonint get_vnc"
+ register: raspi_vnc_disabled
+ changed_when: False
+
+- name: get SPI enabled status
+ shell: "raspi-config nonint get_spi"
+ register: raspi_spi_disabled
+ changed_when: False
+
+- name: get I2C enabled status
+ shell: "raspi-config nonint get_i2c"
+ register: raspi_i2c_disabled
+ changed_when: False
+
+- name: get serial enabled status
+ shell: "raspi-config nonint get_serial"
+ register: raspi_serial_disabled
+ changed_when: False
+
+- name: get hardware serial enabled status
+ shell: "raspi-config nonint get_serial_hw"
+ register: raspi_serial_hw_disabled
+ changed_when: False
+
+- name: get onewire enabled status
+ shell: "raspi-config nonint get_onewire"
+ register: raspi_onewire_disabled
+ changed_when: False
+
+- name: get remote gpio enabled status
+ shell: "raspi-config nonint get_rgpio"
+ register: raspi_rgpio_disabled
+ changed_when: False
+
+- name: get overclock state
+ shell: "raspi-config nonint get_config_var arm_freq /boot/config.txt"
+ register: raspi_overclock
+ changed_when: False
+
+- name: get fs expandability
+ shell: "raspi-config nonint get_can_expand"
+ register: raspi_fs_unexpandable
+ changed_when: False
+
+- name: get overscan setting
+ shell: "raspi-config nonint get_overscan"
+ register: raspi_overscan
+ changed_when: False
+
+- name: get GPU memory split
+ shell: "raspi-config nonint get_config_var gpu_mem /boot/config.txt"
+ register: raspi_gpu_mem
+ changed_when: False
+
+- name: get GPU memory split 256
+ shell: "raspi-config nonint get_config_var gpu_mem_256 /boot/config.txt"
+ register: raspi_gpu_mem_256
+ changed_when: False
+
+- name: get GPU memory split 512
+ shell: "raspi-config nonint get_config_var gpu_mem_512 /boot/config.txt"
+ register: raspi_gpu_mem_512
+ changed_when: False
+
+- name: get GPU memory split 1024
+ shell: "raspi-config nonint get_config_var gpu_mem_1024 /boot/config.txt"
+ register: raspi_gpu_mem_1024
+ changed_when: False
+
+- name: set raspi-config facts
+ set_fact:
+ raspi_type: raspi_type.stdout
+ raspi_hostname: raspi_hostname.stdout
+ raspi_boot_gui: raspi_boot_gui.stdout
+ raspi_noautologin: raspi_noautologin.stdout
+ raspi_boot_nowait: raspi_boot_nowait.stdout
+ raspi_wifi_country: raspi_wifi_country.stdout
+ raspi_camera_disabled: raspi_camera_disabled.stdout
+ raspi_ssh_disabled: raspi_ssh_disabled.stdout
+ raspi_vnc_disabled: raspi_vnc_disabled.stdout
+ raspi_spi_disabled: raspi_spi_disabled.stdout
+ raspi_i2c_disabled: raspi_i2c_disabled.stdout
+ raspi_serial_disabled: raspi_serial_disabled.stdout
+ raspi_serial_hw_disabled: raspi_serial_hw_disabled.stdout
+ raspi_onewire_disabled: raspi_onewire_disabled.stdout
+ raspi_rpgio_disabled:
raspi_rpgio_disabled.stdout + raspi_overclock: raspi_overclock.stdout + raspi_fs_unexpandable: raspi_fs_unexpandable.stdout + raspi_overscan: raspi_overscan.stdout + raspi_gpu_mem: raspi_gpu_mem.stdout + raspi_gpu_mem_256: raspi_gpu_mem_256.stdout + raspi_gpu_mem_512: raspi_gpu_mem_512.stdout + raspi_gpu_mem_1024: raspi_gpu_mem_1024.stdout diff --git a/roles/common/vars/main.yml b/roles/common/vars/main.yml index a671efd..1b70667 100644 --- a/roles/common/vars/main.yml +++ b/roles/common/vars/main.yml @@ -2,9 +2,14 @@ macaddrs: b8:27:eb:39:d7:57: hostname: "clovermine" - ip: "192.168.1.154" + domain: "local" + locale: "en_US.UTF-8" + timezone: "America/Los_Angeles" b8:27:eb:ff:35:c7: hostname: "cloverleaf" + domain: "local" + locale: "en_US.UTF-8" + timezone: "America/Los_Angeles" ### Users that must be present on the system create_users: From 429829f28f59c6529ca6e8d0eb7c9e90d495e340 Mon Sep 17 00:00:00 2001 From: "Glenn K. Lockwood" Date: Sun, 28 Oct 2018 12:11:13 -0700 Subject: [PATCH 06/19] bugfixes from previous commit --- roles/common/tasks/linux-facts.yml | 11 ++++++-- roles/common/tasks/main.yml | 9 ++++-- roles/common/tasks/raspi-facts.yml | 44 +++++++++++++++--------------- 3 files changed, 38 insertions(+), 26 deletions(-) diff --git a/roles/common/tasks/linux-facts.yml b/roles/common/tasks/linux-facts.yml index 43c4712..413720d 100644 --- a/roles/common/tasks/linux-facts.yml +++ b/roles/common/tasks/linux-facts.yml 
@@ -1,9 +1,16 @@ --- - name: get timezone via timedatectl - shell: timedatectl | grep "Time zone" | cut -d: -f2 | cut -d'(' -f1 | sed -Ee 's/(^ *| *$)//g' + shell: "timedatectl | grep 'Time zone' | cut -d':' -f2 | cut -d'(' -f1 | sed -Ee 's/(^ *| *$)//g'" register: linux_tz changed_when: False +- name: get locale + shell: "locale | grep ^LANG | cut -d= -f2" + register: linux_locale + changed_when: False + + - name: set linux-config facts set_fact: - linux_tz: linux_tz.stdout + linux_tz: "{{ linux_tz.stdout }}" + linux_locale: "{{ linux_locale.stdout }}" diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 37a6296..5877197 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -6,12 +6,17 @@ # Basic hostname setup - name: Get MAC address - debug: msg="{{ hostvars[inventory_hostname].ansible_default_ipv4.macaddress }}" + debug: + msg: "{{ hostvars[inventory_hostname].ansible_default_ipv4.macaddress }}" - name: store MAC address set_fact: my_macaddr: "{{ hostvars[inventory_hostname].ansible_default_ipv4.macaddress }}" +- name: print configured hostname + debug: + msg: "raspi-config hostname: {{ raspi_hostname }} vs. intended: {{ macaddrs[my_macaddr].hostname }}" + - name: set hostname shell: "raspi-config nonint do_hostname {{ macaddrs[my_macaddr].hostname }}" when: raspi_hostname != macaddrs[my_macaddr].hostname @@ -38,7 +43,7 @@ # Set locale - name: set locale shell: "raspi-config nonint do_change_locale {{ macaddrs[my_macaddr].locale }}" - when: raspi_locale != macaddrs[my_macaddr].locale + when: linux_locale != macaddrs[my_macaddr].locale # Enable sshd - name: forbid login via 'pi' user via ssh diff --git a/roles/common/tasks/raspi-facts.yml b/roles/common/tasks/raspi-facts.yml index 074601a..e3c3809 100644 --- a/roles/common/tasks/raspi-facts.yml +++ b/roles/common/tasks/raspi-facts.yml 
@@ -111,25 +111,25 @@ - name: set raspi-config facts set_fact: - raspi_type: raspi_type.stdout - raspi_hostname: raspi_hostname.stdout - raspi_boot_gui: raspi_boot_gui.stdout - raspi_noautologin: raspi_noautologin.stdout - raspi_boot_nowait: raspi_boot_nowait.stdout - raspi_wifi_country: raspi_wifi_country.stdout - raspi_camera_disabled: raspi_camera_disabled.stdout - raspi_ssh_disabled: raspi_ssh_disabled.stdout - raspi_vnc_disabled: raspi_vnc_disabled.stdout - raspi_spi_disabled: raspi_spi_disabled.stdout - raspi_i2c_disabled: raspi_i2c_disabled.stdout - raspi_serial_disabled: raspi_serial_disabled.stdout - raspi_serial_hw_disabled: raspi_serial_hw_disabled.stdout - raspi_onewire_disabled: raspi_onewire_disabled.stdout - raspi_rpgio_disabled: raspi_rpgio_disabled.stdout - raspi_overclock: raspi_overclock.stdout - raspi_fs_unexpandable: raspi_fs_unexpandable.stdout - raspi_overscan: raspi_overscan.stdout - raspi_gpu_mem: raspi_gpu_mem.stdout - raspi_gpu_mem_256: raspi_gpu_mem_256.stdout - raspi_gpu_mem_512: raspi_gpu_mem_512.stdout - raspi_gpu_mem_1024: raspi_gpu_mem_1024.stdout + raspi_type: "{{ raspi_type.stdout }}" + raspi_hostname: "{{ raspi_hostname.stdout }}" + raspi_boot_gui: "{{ raspi_boot_gui.stdout }}" + raspi_noautologin: "{{ raspi_noautologin.stdout }}" + raspi_boot_nowait: "{{ raspi_boot_nowait.stdout }}" + raspi_wifi_country: "{{ raspi_wifi_country.stdout }}" + raspi_camera_disabled: "{{ raspi_camera_disabled.stdout }}" + raspi_ssh_disabled: "{{ raspi_ssh_disabled.stdout }}" + raspi_vnc_disabled: "{{ raspi_vnc_disabled.stdout }}" + raspi_spi_disabled: "{{ raspi_spi_disabled.stdout }}" + raspi_i2c_disabled: "{{ raspi_i2c_disabled.stdout }}" + raspi_serial_disabled: "{{ raspi_serial_disabled.stdout }}" + raspi_serial_hw_disabled: "{{ raspi_serial_hw_disabled.stdout }}" + raspi_onewire_disabled: "{{ raspi_onewire_disabled.stdout }}" + raspi_rgpio_disabled: "{{ raspi_rgpio_disabled.stdout }}" + raspi_overclock: "{{ raspi_overclock.stdout }}" + 
raspi_fs_unexpandable: "{{ raspi_fs_unexpandable.stdout }}"
+ raspi_overscan: "{{ raspi_overscan.stdout }}"
+ raspi_gpu_mem: "{{ raspi_gpu_mem.stdout }}"
+ raspi_gpu_mem_256: "{{ raspi_gpu_mem_256.stdout }}"
+ raspi_gpu_mem_512: "{{ raspi_gpu_mem_512.stdout }}"
+ raspi_gpu_mem_1024: "{{ raspi_gpu_mem_1024.stdout }}"
From da6a1d4aa6a37cfc9e42d9f02dea36fabfabad73 Mon Sep 17 00:00:00 2001
From: "Glenn K. Lockwood"
Date: Sun, 28 Oct 2018 13:03:30 -0700
Subject: [PATCH 07/19] straighten out configuration nomenclature
---
roles/common/tasks/raspi-config.yml | 22 ++++++++++++++++++++++
roles/common/tasks/raspi-facts.yml | 24 ++++++++++++------------
roles/common/vars/main.yml | 12 ++++++++++++
3 files changed, 46 insertions(+), 12 deletions(-)
create mode 100644 roles/common/tasks/raspi-config.yml
diff --git a/roles/common/tasks/raspi-config.yml b/roles/common/tasks/raspi-config.yml
new file mode 100644
index 0000000..2963cba
--- /dev/null
+++ b/roles/common/tasks/raspi-config.yml
@@ -0,0 +1,22 @@
+---
+
+# Handle boot and autologin settings
+- name: enable cli only
+ command: "raspi-config nonint do_boot_behaviour B1"
+ when: not macaddrs[my_macaddr].enable_gui and not macaddrs[my_macaddr].enable_autologin and (raspi_gui_enabled or raspi_autologin_enabled)
+
+- name: enable cli with autologin
+ command: "raspi-config nonint do_boot_behaviour B2"
+ when: not macaddrs[my_macaddr].enable_gui and macaddrs[my_macaddr].enable_autologin and (raspi_gui_enabled or not raspi_autologin_enabled)
+
+- name: enable desktop gui
+ command: "raspi-config nonint do_boot_behaviour B3"
+ when: macaddrs[my_macaddr].enable_gui and not macaddrs[my_macaddr].enable_autologin and (not raspi_gui_enabled or raspi_autologin_enabled)
+
+- name: enable desktop gui with autologin
+ command: "raspi-config nonint do_boot_behaviour B4"
+ when: macaddrs[my_macaddr].enable_gui and macaddrs[my_macaddr].enable_autologin and (not raspi_gui_enabled or raspi_autologin_enabled)
+
+#- name: set bootwait option
+# command: "raspi-config nonint do_boot_wait {{ not macaddrs[my_macaddr].raspi_bootwait }}"
+#when: macaddrs[my_macaddr].raspi_boot_nowait
diff --git a/roles/common/tasks/raspi-facts.yml b/roles/common/tasks/raspi-facts.yml
index e3c3809..ba13716 100644
--- a/roles/common/tasks/raspi-facts.yml
+++ b/roles/common/tasks/raspi-facts.yml
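Review bot: The `when:` on `enable desktop gui with autologin` in raspi-config.yml ends in `(not raspi_gui_enabled or raspi_autologin_enabled)`, which is the clause of the B3 task above it copied unchanged. With that test B4 is applied again on every run once the board is already in GUI-with-autologin mode, and it is skipped when the GUI is on but autologin is off, a case it should handle. The last term needs negating, as in the B2 task: `(not raspi_gui_enabled or not raspi_autologin_enabled)`.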
@@ -113,19 +113,19 @@ set_fact: raspi_type: "{{ raspi_type.stdout }}" raspi_hostname: "{{ raspi_hostname.stdout }}" - raspi_boot_gui: "{{ raspi_boot_gui.stdout }}" - raspi_noautologin: "{{ raspi_noautologin.stdout }}" - raspi_boot_nowait: "{{ raspi_boot_nowait.stdout }}" raspi_wifi_country: "{{ raspi_wifi_country.stdout }}" - raspi_camera_disabled: "{{ raspi_camera_disabled.stdout }}" - raspi_ssh_disabled: "{{ raspi_ssh_disabled.stdout }}" - raspi_vnc_disabled: "{{ raspi_vnc_disabled.stdout }}" - raspi_spi_disabled: "{{ raspi_spi_disabled.stdout }}" - raspi_i2c_disabled: "{{ raspi_i2c_disabled.stdout }}" - raspi_serial_disabled: "{{ raspi_serial_disabled.stdout }}" - raspi_serial_hw_disabled: "{{ raspi_serial_hw_disabled.stdout }}" - raspi_onewire_disabled: "{{ raspi_onewire_disabled.stdout }}" - raspi_rgpio_disabled: "{{ raspi_rgpio_disabled.stdout }}" + raspi_gui_enabled: "{{ raspi_boot_gui.stdout != '0' }}" + raspi_autologin_enabled: "{{ raspi_noautologin.stdout == '0' }}" + raspi_bootwait_enabled: "{{ raspi_boot_nowait.stdout == '0' }}" + raspi_camera_enabled: "{{ raspi_camera_disabled.stdout == '0' }}" + raspi_ssh_enabled: "{{ raspi_ssh_disabled.stdout == '0' }}" + raspi_vnc_enabled: "{{ raspi_vnc_disabled.stdout == '0' }}" + raspi_spi_enabled: "{{ raspi_spi_disabled.stdout == '0' }}" + raspi_i2c_enabled: "{{ raspi_i2c_disabled.stdout == '0' }}" + raspi_serial_enabled: "{{ raspi_serial_disabled.stdout == '0' }}" + raspi_serial_hw_enabled: "{{ raspi_serial_hw_disabled.stdout == '0' }}" + raspi_onewire_enabled: "{{ raspi_onewire_disabled.stdout == '0' }}" + raspi_rgpio_enabled: "{{ raspi_rgpio_disabled.stdout == '0' }}" raspi_overclock: "{{ raspi_overclock.stdout }}" raspi_fs_unexpandable: "{{ raspi_fs_unexpandable.stdout }}" raspi_overscan: "{{ raspi_overscan.stdout }}" diff --git a/roles/common/vars/main.yml b/roles/common/vars/main.yml index 1b70667..ef9b8ed 100644 --- a/roles/common/vars/main.yml +++ b/roles/common/vars/main.yml 
@@ -5,6 +5,18 @@ macaddrs: domain: "local" locale: "en_US.UTF-8" timezone: "America/Los_Angeles" + enable_gui: True + enable_autologin: False + enable_bootwait: True + enable_camera: False + enable_vnc: False + enable_spi: False + enable_i2c: False + enable_serial: True + enable_serial_hw: True + enable_onewire: False + enable_rgpio: False + expand_fs: True b8:27:eb:ff:35:c7: hostname: "cloverleaf" domain: "local" From c9155a967cd4d61c9bff009d08803ebe88765df6 Mon Sep 17 00:00:00 2001 From: "Glenn K. Lockwood" Date: Sun, 28 Oct 2018 13:40:59 -0700 Subject: [PATCH 08/19] incremental improvements; support the 'raspi' tag --- roles/common/tasks/hardware.yml | 8 ---- roles/common/tasks/linux-facts.yml | 4 +- roles/common/tasks/main.yml | 20 ++++---- roles/common/tasks/raspi-config.yml | 22 +++++++-- roles/common/tasks/raspi-facts.yml | 71 ++++++++++++++++++++++++++++- roles/common/tasks/software.yml | 4 ++ roles/common/vars/main.yml | 14 +++++- 7 files changed, 120 insertions(+), 23 deletions(-) delete mode 100644 roles/common/tasks/hardware.yml diff --git a/roles/common/tasks/hardware.yml b/roles/common/tasks/hardware.yml deleted file mode 100644 index badf0b0..0000000 --- a/roles/common/tasks/hardware.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -- name: enable uart on boot - lineinfile: - dest=/boot/config.txt - regexp="^enable_uart=" - line="enable_uart=1" - state=present diff --git a/roles/common/tasks/linux-facts.yml b/roles/common/tasks/linux-facts.yml index 413720d..71754e0 100644 --- a/roles/common/tasks/linux-facts.yml +++ b/roles/common/tasks/linux-facts.yml 
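Review bot: Only the first `macaddrs` entry in vars/main.yml gains the `enable_*` and `expand_fs` keys; the `cloverleaf` entry that follows as context gets none, and the diffstat's 12 additions are all accounted for in this hunk. Every `when:` in raspi-config.yml that reads `macaddrs[my_macaddr].enable_gui` or `.enable_autologin` would therefore fail as undefined on that host. Add the same keys to the second entry, or read them with a default such as `macaddrs[my_macaddr].enable_gui | default(false)`.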
@@ -3,14 +3,16 @@ shell: "timedatectl | grep 'Time zone' | cut -d':' -f2 | cut -d'(' -f1 | sed -Ee 's/(^ *| *$)//g'" register: linux_tz changed_when: False + check_mode: no - name: get locale shell: "locale | grep ^LANG | cut -d= -f2" register: linux_locale changed_when: False - + check_mode: no - name: set linux-config facts set_fact: linux_tz: "{{ linux_tz.stdout }}" linux_locale: "{{ linux_locale.stdout }}" + check_mode: no diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 5877197..5e83b60 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -8,14 +8,14 @@ - name: Get MAC address debug: msg: "{{ hostvars[inventory_hostname].ansible_default_ipv4.macaddress }}" + tags: + - raspi - name: store MAC address set_fact: my_macaddr: "{{ hostvars[inventory_hostname].ansible_default_ipv4.macaddress }}" - -- name: print configured hostname - debug: - msg: "raspi-config hostname: {{ raspi_hostname }} vs. intended: {{ macaddrs[my_macaddr].hostname }}" + tags: + - raspi - name: set hostname shell: "raspi-config nonint do_hostname {{ macaddrs[my_macaddr].hostname }}" @@ -46,17 +46,21 @@ when: linux_locale != macaddrs[my_macaddr].locale # Enable sshd -- name: forbid login via 'pi' user via ssh +- name: disable ssh login for user pi lineinfile: dest=/etc/ssh/sshd_config line="DenyUsers pi" state=present + tags: + - raspi -- name: enable SSH +- name: enable SSH via raspi-config shell: "raspi-config nonint do_ssh 0" - when: raspi_ssh_disabled != '0' + when: not raspi_ssh_enabled + tags: + - raspi # Other tasks - include: software.yml - include: users.yml -- include: hardware.yml +- include: raspi-config.yml diff --git a/roles/common/tasks/raspi-config.yml b/roles/common/tasks/raspi-config.yml index 2963cba..f5eeb67 100644 --- a/roles/common/tasks/raspi-config.yml +++ b/roles/common/tasks/raspi-config.yml 
@@ -4,19 +4,35 @@ - name: enable cli only command: "raspi-config nonint do_boot_behaviour B1" when: not macaddrs[my_macaddr].enable_gui and not macaddrs[my_macaddr].enable_autologin and (raspi_gui_enabled or raspi_autologin_enabled) + tags: + - raspi - name: enable cli with autologin command: "raspi-config nonint do_boot_behaviour B2" when: not macaddrs[my_macaddr].enable_gui and macaddrs[my_macaddr].enable_autologin and (raspi_gui_enabled or not raspi_autologin_enabled) + tags: + - raspi - name: enable desktop gui command: "raspi-config nonint do_boot_behaviour B3" when: macaddrs[my_macaddr].enable_gui and not macaddrs[my_macaddr].enable_autologin and (not raspi_gui_enabled or raspi_autologin_enabled) + tags: + - raspi - name: enable desktop gui with autologin command: "raspi-config nonint do_boot_behaviour B4" when: macaddrs[my_macaddr].enable_gui and macaddrs[my_macaddr].enable_autologin and (not raspi_gui_enabled or raspi_autologin_enabled) + tags: + - raspi -#- name: set bootwait option -# command: "raspi-config nonint do_boot_wait {{ not macaddrs[my_macaddr].raspi_bootwait }}" -#when: macaddrs[my_macaddr].raspi_boot_nowait +- name: set bootwait option + command: "raspi-config nonint do_boot_wait {{ 1 if not macaddrs[my_macaddr].enable_bootwait else 0 }}" + when: macaddrs[my_macaddr].enable_bootwait != raspi_bootwait_enabled + tags: + - raspi + +- name: expand file system + command: "raspi-config nonint do_expand_rootfs" + when: raspi_fs_expandable + tags: + - raspi diff --git a/roles/common/tasks/raspi-facts.yml b/roles/common/tasks/raspi-facts.yml index ba13716..3c7d213 100644 --- a/roles/common/tasks/raspi-facts.yml +++ b/roles/common/tasks/raspi-facts.yml 
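Review bot: `expand file system` in raspi-config.yml is gated only on `raspi_fs_expandable`, so the per-host `expand_fs` setting added to vars/main.yml in PATCH 07 is never consulted and the root filesystem is resized on any board that reports it can be. Suggest `when: macaddrs[my_macaddr].expand_fs and raspi_fs_expandable`. The fact is also named `raspi_fs_unexpandable` in the last set_fact visible on this page; the raspi-facts.yml hunk of this commit is cut off here, so it may be renamed there, but it is worth confirming that the name and its sense (0 from `get_can_expand` presumably meaning "can expand") match this condition.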
@@ -3,111 +3,177 @@ shell: "raspi-config nonint get_pi_type" register: raspi_type changed_when: False + check_mode: no + tags: + - raspi - name: get hostname via raspi-config shell: "raspi-config nonint get_hostname" register: raspi_hostname changed_when: False + check_mode: no + tags: + - raspi - name: get boot-to-gui setting shell: "raspi-config nonint get_boot_cli" # 0 == "boot to cli"; 1 == "boot to gui" register: raspi_boot_gui changed_when: False + check_mode: no + tags: + - raspi - name: get autologin setting shell: "raspi-config nonint get_autologin" # 0 == "enable autologin"; 1 == "disable autologin" register: raspi_noautologin changed_when: False + check_mode: no + tags: + - raspi - name: get wait-for-network-on-boot setting shell: "raspi-config nonint get_boot_wait" # 0 == "wait"; 1 == "don't wait" register: raspi_boot_nowait changed_when: False + check_mode: no + tags: + - raspi - name: get wifi country shell: "raspi-config nonint get_wifi_country" register: raspi_wifi_country changed_when: False + check_mode: no + tags: + - raspi - name: get camera status shell: "raspi-config nonint get_camera" # 0 == "camera enabled"; 1 == "camera disabled" register: raspi_camera_disabled changed_when: False + check_mode: no + tags: + - raspi - name: get ssh enabled status shell: "raspi-config nonint get_ssh" register: raspi_ssh_disabled changed_when: False + check_mode: no + tags: + - raspi - name: get VNC enabled status shell: "raspi-config nonint get_vnc" register: raspi_vnc_disabled changed_when: False + check_mode: no + tags: + - raspi - name: get SPI enabled status shell: "raspi-config nonint get_spi" register: raspi_spi_disabled changed_when: False + check_mode: no + tags: + - raspi - name: get I2C enabled status shell: "raspi-config nonint get_i2c" register: raspi_i2c_disabled changed_when: False + check_mode: no + tags: + - raspi - name: get serial enabled status shell: "raspi-config nonint get_serial" register: raspi_serial_disabled changed_when: False + 
check_mode: no + tags: + - raspi - name: get hardware serial enabled status shell: "raspi-config nonint get_serial_hw" register: raspi_serial_hw_disabled changed_when: False + check_mode: no + tags: + - raspi - name: get onewire enabled status shell: "raspi-config nonint get_onewire" register: raspi_onewire_disabled changed_when: False + check_mode: no + tags: + - raspi - name: get remote gpio enabled status shell: "raspi-config nonint get_rgpio" register: raspi_rgpio_disabled changed_when: False + check_mode: no + tags: + - raspi - name: get overclock state shell: "raspi-config nonint get_config_var arm_freq /boot/config.txt" register: raspi_overclock changed_when: False + check_mode: no + tags: + - raspi - name: get fs expandability shell: "raspi-config nonint get_can_expand" register: raspi_fs_unexpandable changed_when: False + check_mode: no + tags: + - raspi - name: get overscan setting shell: "raspi-config nonint get_overscan" register: raspi_overscan changed_when: False + check_mode: no + tags: + - raspi - name: get GPU memory split shell: "raspi-config nonint get_config_var gpu_mem /boot/config.txt" register: raspi_gpu_mem changed_when: False + check_mode: no + tags: + - raspi - name: get GPU memory split 256 shell: "raspi-config nonint get_config_var gpu_mem_256 /boot/config.txt" register: raspi_gpu_mem_256 changed_when: False + check_mode: no + tags: + - raspi - name: get GPU memory split 512 shell: "raspi-config nonint get_config_var gpu_mem_512 /boot/config.txt" register: raspi_gpu_mem_512 changed_when: False + check_mode: no + tags: + - raspi - name: get GPU memory split 1024 shell: "raspi-config nonint get_config_var gpu_mem_1024 /boot/config.txt" register: raspi_gpu_mem_1024 changed_when: False + check_mode: no + tags: + - raspi - name: set raspi-config facts set_fact: 
@@ -127,9 +193,12 @@ raspi_onewire_enabled: "{{ raspi_onewire_disabled.stdout == '0' }}" raspi_rgpio_enabled: "{{ raspi_rgpio_disabled.stdout == '0' }}" raspi_overclock: "{{ raspi_overclock.stdout }}" - raspi_fs_unexpandable: "{{ raspi_fs_unexpandable.stdout }}" + raspi_fs_expandable: "{{ raspi_fs_unexpandable.stdout == '0' }}" raspi_overscan: "{{ raspi_overscan.stdout }}" raspi_gpu_mem: "{{ raspi_gpu_mem.stdout }}" raspi_gpu_mem_256: "{{ raspi_gpu_mem_256.stdout }}" raspi_gpu_mem_512: "{{ raspi_gpu_mem_512.stdout }}" raspi_gpu_mem_1024: "{{ raspi_gpu_mem_1024.stdout }}" + check_mode: no + tags: + - raspi diff --git a/roles/common/tasks/software.yml b/roles/common/tasks/software.yml index 193ad11..816ec2b 100644 --- a/roles/common/tasks/software.yml +++ b/roles/common/tasks/software.yml @@ -17,6 +17,8 @@ - dillo - gpiciew - penguinspuzzle + tags: + - sw ### Install required software - name: install basic software environment @@ -29,3 +31,5 @@ - vim - git - python-pip + tags: + - sw diff --git a/roles/common/vars/main.yml b/roles/common/vars/main.yml index ef9b8ed..681068f 100644 --- a/roles/common/vars/main.yml +++ b/roles/common/vars/main.yml @@ -7,7 +7,7 @@ macaddrs: timezone: "America/Los_Angeles" enable_gui: True enable_autologin: False - enable_bootwait: True + enable_bootwait: False enable_camera: False enable_vnc: False enable_spi: False @@ -16,12 +16,22 @@ macaddrs: enable_serial_hw: True enable_onewire: False enable_rgpio: False - expand_fs: True b8:27:eb:ff:35:c7: hostname: "cloverleaf" domain: "local" locale: "en_US.UTF-8" timezone: "America/Los_Angeles" + enable_gui: False + enable_autologin: False + enable_bootwait: True + enable_camera: False + enable_vnc: False + enable_spi: False + enable_i2c: False + enable_serial: True + enable_serial_hw: True + enable_onewire: False + enable_rgpio: False ### Users that must be present on the system create_users: From 8a50e960cc56c8b65bd0b5fadb440115b13579ba Mon Sep 17 00:00:00 2001 
From: "Glenn K. Lockwood" Date: Sun, 28 Oct 2018 13:49:57 -0700 Subject: [PATCH 09/19] working bootsplash and bootwait options --- roles/common/tasks/raspi-config.yml | 8 +++++++- roles/common/tasks/raspi-facts.yml | 9 +++++++++ roles/common/vars/main.yml | 2 ++ 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/roles/common/tasks/raspi-config.yml b/roles/common/tasks/raspi-config.yml index f5eeb67..185d9d5 100644 --- a/roles/common/tasks/raspi-config.yml +++ b/roles/common/tasks/raspi-config.yml @@ -27,7 +27,13 @@ - name: set bootwait option command: "raspi-config nonint do_boot_wait {{ 1 if not macaddrs[my_macaddr].enable_bootwait else 0 }}" - when: macaddrs[my_macaddr].enable_bootwait != raspi_bootwait_enabled + when: "'enable_bootwait' in macaddrs[my_macaddr] and macaddrs[my_macaddr].enable_bootwait != raspi_bootwait_enabled" + tags: + - raspi + +- name: set boot splash option + command: "raspi-config nonint do_boot_splash {{ 1 if not macaddrs[my_macaddr].enable_bootsplash else 0 }}" + when: "'enable_bootsplash' in macaddrs[my_macaddr] and macaddrs[my_macaddr].enable_bootsplash != raspi_bootsplash_enabled" tags: - raspi diff --git a/roles/common/tasks/raspi-facts.yml b/roles/common/tasks/raspi-facts.yml index 3c7d213..973b915 100644 --- a/roles/common/tasks/raspi-facts.yml +++ b/roles/common/tasks/raspi-facts.yml @@ -39,6 +39,14 @@ tags: - raspi +- name: get splash screen setting + shell: "raspi-config nonint get_boot_splash" # 0 == "wait"; 1 == "don't wait" + register: raspi_boot_splash + changed_when: False + check_mode: no + tags: + - raspi + - name: get wifi country shell: "raspi-config nonint get_wifi_country" register: raspi_wifi_country 
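Review bot: The inline comment on the new `get splash screen setting` task, `# 0 == "wait"; 1 == "don't wait"`, was copied from the boot-wait task and does not describe `get_boot_splash`. Judging by the fact added in the same commit (`raspi_bootsplash_enabled` is true when stdout is `'0'`), it should read `# 0 == "splash enabled"; 1 == "splash disabled"`. The register name `raspi_boot_splash` carries no polarity either, so the comment is the only place a reader learns which value means what.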
@@ -183,6 +191,7 @@ raspi_gui_enabled: "{{ raspi_boot_gui.stdout != '0' }}" raspi_autologin_enabled: "{{ raspi_noautologin.stdout == '0' }}" raspi_bootwait_enabled: "{{ raspi_boot_nowait.stdout == '0' }}" + raspi_bootsplash_enabled: "{{ raspi_boot_splash.stdout == '0' }}" raspi_camera_enabled: "{{ raspi_camera_disabled.stdout == '0' }}" raspi_ssh_enabled: "{{ raspi_ssh_disabled.stdout == '0' }}" raspi_vnc_enabled: "{{ raspi_vnc_disabled.stdout == '0' }}" diff --git a/roles/common/vars/main.yml b/roles/common/vars/main.yml index 681068f..34eddfb 100644 --- a/roles/common/vars/main.yml +++ b/roles/common/vars/main.yml @@ -8,6 +8,7 @@ macaddrs: enable_gui: True enable_autologin: False enable_bootwait: False + enable_bootsplash: False enable_camera: False enable_vnc: False enable_spi: False @@ -24,6 +25,7 @@ macaddrs: enable_gui: False enable_autologin: False enable_bootwait: True + enable_bootsplash: False enable_camera: False enable_vnc: False enable_spi: False From 815eaf938472c59d34074583f365a482f06fc8db Mon Sep 17 00:00:00 2001 From: "Glenn K. Lockwood" Date: Sun, 28 Oct 2018 14:13:15 -0700 Subject: [PATCH 10/19] enable setting of most raspi-config options --- roles/common/tasks/linux-facts.yml | 7 +++ roles/common/tasks/main.yml | 31 +++++++++---- roles/common/tasks/raspi-config.yml | 70 +++++++++++++++++++++++++---- roles/common/vars/main.yml | 3 ++ 4 files changed, 95 insertions(+), 16 deletions(-) diff --git a/roles/common/tasks/linux-facts.yml b/roles/common/tasks/linux-facts.yml index 71754e0..59c3602 100644 --- a/roles/common/tasks/linux-facts.yml +++ b/roles/common/tasks/linux-facts.yml 
@@ -11,8 +11,15 @@ changed_when: False check_mode: no +- name: get x keyboard layout + shell: "localectl | awk '/X11 Layout/ {print $3}'" + register: linux_xkblayout + changed_when: False + check_mode: no + - name: set linux-config facts set_fact: linux_tz: "{{ linux_tz.stdout }}" linux_locale: "{{ linux_locale.stdout }}" + linux_xkblayout: "{{ linux_xkblayout }}" check_mode: no diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 5e83b60..7d08d84 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -17,17 +17,22 @@ tags: - raspi +- name: store system configuration + set_fact: + myconfig: "{{ macaddrs[my_macaddr] }}" + tags: + - raspi + - name: set hostname - shell: "raspi-config nonint do_hostname {{ macaddrs[my_macaddr].hostname }}" - when: raspi_hostname != macaddrs[my_macaddr].hostname + shell: "raspi-config nonint do_hostname {{ myconfig.hostname }}" + when: raspi_hostname != myconfig.hostname - name: update /etc/hosts with new hostname lineinfile: dest=/etc/hosts regexp="^{{ ansible_default_ipv4.address }}" - line="{{ ansible_default_ipv4.address }}{{'\t'}}{{ macaddrs[my_macaddr].hostname }}.{{ macaddrs[my_macaddr].domain }}{{'\t'}}{{ macaddrs[my_macaddr].hostname }}" + line="{{ ansible_default_ipv4.address }}{{'\t'}}{{ myconfig.hostname }}.{{ myconfig.domain }}{{'\t'}}{{ myconfig.hostname }}" state=present - when: my_macaddr in macaddrs - name: get rid of default 127.0.1.1 binding lineinfile: 
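Review bot: The `set hostname` task still templates `myconfig.hostname` into a `shell:` line, although the command uses no pipes or redirects and the timezone and locale tasks in the next hunk of this commit are moved to `command:`. With `shell:`, any metacharacter that ends up in the vars file is interpreted rather than passed as an argument. The line can become `command: "raspi-config nonint do_hostname {{ myconfig.hostname | quote }}"`, which keeps the value a single argument and matches the rest of the file.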
@@ -37,13 +42,23 @@ # Set timezone - name: set timezone - shell: "timedatectl set-timezone {{ macaddrs[my_macaddr].timezone }}" - when: linux_tz != macaddrs[my_macaddr].timezone + command: "timedatectl set-timezone {{ myconfig.timezone }}" + when: linux_tz != myconfig.timezone # Set locale - name: set locale - shell: "raspi-config nonint do_change_locale {{ macaddrs[my_macaddr].locale }}" - when: linux_locale != macaddrs[my_macaddr].locale + command: "raspi-config nonint do_change_locale {{ myconfig.locale }}" + when: "'locale' in myconfig and linux_locale != myconfig.locale" + +# Set X keyboard layout +- name: set X11 keyboard layout + command: "raspi-config nonint do_configure_keyboard {{ myconfig.xkblayout }}" + when: "'xkblayout' in myconfig and myconfig.xkblayout != linux_xkblayout" + +# Set wifi country +- name: set wifi country + command: "raspiconfig nonint do_wifi_country {{ myconfig.wifi_country }}" + when: "'wifi_country' in myconfig and myconfig.wifi_country != raspi_wifi_country" # Enable sshd - name: disable ssh login for user pi diff --git a/roles/common/tasks/raspi-config.yml b/roles/common/tasks/raspi-config.yml index 185d9d5..dfde754 100644 --- a/roles/common/tasks/raspi-config.yml +++ b/roles/common/tasks/raspi-config.yml 
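Review bot: The `set wifi country` task calls `raspiconfig`, while every other task in this file calls `raspi-config`; as written it will fail with a missing executable on any host whose config sets `wifi_country`. The line should be `command: "raspi-config nonint do_wifi_country {{ myconfig.wifi_country }}"`. The `when:` also compares against `raspi_wifi_country`, which is the name registered in raspi-facts.yml. Whether the set_fact block flattens it to `.stdout` is outside the visible lines, so that comparison is worth confirming before relying on it for idempotence.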
@@ -3,37 +3,91 @@ # Handle boot and autologin settings - name: enable cli only command: "raspi-config nonint do_boot_behaviour B1" - when: not macaddrs[my_macaddr].enable_gui and not macaddrs[my_macaddr].enable_autologin and (raspi_gui_enabled or raspi_autologin_enabled) + when: not myconfig.enable_gui and not myconfig.enable_autologin and (raspi_gui_enabled or raspi_autologin_enabled) tags: - raspi - name: enable cli with autologin command: "raspi-config nonint do_boot_behaviour B2" - when: not macaddrs[my_macaddr].enable_gui and macaddrs[my_macaddr].enable_autologin and (raspi_gui_enabled or not raspi_autologin_enabled) + when: not myconfig.enable_gui and myconfig.enable_autologin and (raspi_gui_enabled or not raspi_autologin_enabled) tags: - raspi - name: enable desktop gui command: "raspi-config nonint do_boot_behaviour B3" - when: macaddrs[my_macaddr].enable_gui and not macaddrs[my_macaddr].enable_autologin and (not raspi_gui_enabled or raspi_autologin_enabled) + when: myconfig.enable_gui and not myconfig.enable_autologin and (not raspi_gui_enabled or raspi_autologin_enabled) tags: - raspi - name: enable desktop gui with autologin command: "raspi-config nonint do_boot_behaviour B4" - when: macaddrs[my_macaddr].enable_gui and macaddrs[my_macaddr].enable_autologin and (not raspi_gui_enabled or raspi_autologin_enabled) + when: myconfig.enable_gui and myconfig.enable_autologin and (not raspi_gui_enabled or raspi_autologin_enabled) tags: - raspi - name: set bootwait option - command: "raspi-config nonint do_boot_wait {{ 1 if not macaddrs[my_macaddr].enable_bootwait else 0 }}" - when: "'enable_bootwait' in macaddrs[my_macaddr] and macaddrs[my_macaddr].enable_bootwait != raspi_bootwait_enabled" + command: "raspi-config nonint do_boot_wait {{ 0 if myconfig.enable_bootwait else 1 }}" + when: "'enable_bootwait' in myconfig and myconfig.enable_bootwait != raspi_bootwait_enabled" tags: - raspi - name: set boot splash option - command: "raspi-config nonint do_boot_splash 
{{ 1 if not macaddrs[my_macaddr].enable_bootsplash else 0 }}" - when: "'enable_bootsplash' in macaddrs[my_macaddr] and macaddrs[my_macaddr].enable_bootsplash != raspi_bootsplash_enabled" + command: "raspi-config nonint do_boot_splash {{ 0 if myconfig.enable_bootsplash else 1 }}" + when: "'enable_bootsplash' in myconfig and myconfig.enable_bootsplash != raspi_bootsplash_enabled" + tags: + - raspi + +- name: enable/disable camera + command: "raspi-config nonint do_camera {{ 0 if myconfig.enable_camera else 1 }}" + when: "'enable_camera' in myconfig and myconfig.enable_camera != raspi_camera_enabled" + tags: + - raspi + +- name: enable/disable VNC server + command: "raspi-config nonint do_vnc {{ 0 if myconfig.enable_vnc else 1 }}" + when: "'enable_vnc' in myconfig and myconfig.enable_vnc != raspi_vnc_enabled" + tags: + - raspi + +- name: enable/disable SPI + command: "raspi-config nonint do_spi {{ 0 if myconfig.enable_spi else 1 }}" + when: "'enable_spi' in myconfig and myconfig.enable_spi != raspi_spi_enabled" + tags: + - raspi + +- name: enable/disable I2C + command: "raspi-config nonint do_i2c {{ 0 if myconfig.enable_i2c else 1 }}" + when: "'enable_i2c' in myconfig and myconfig.enable_i2c != raspi_i2c_enabled" + tags: + - raspi + +- name: enable/disable serial + command: "raspi-config nonint do_serial {{ 0 if myconfig.enable_serial else 1 }}" + when: "'enable_serial' in myconfig and myconfig.enable_serial != raspi_serial_enabled" + tags: + - raspi + +- name: enable/disable hardware serial + command: "raspi-config nonint do_serial_hw {{ 0 if myconfig.enable_serial_hw else 1 }}" + when: "'enable_serial_hw' in myconfig and myconfig.enable_serial_hw != raspi_serial_hw_enabled" + tags: + - raspi + +- name: enable/disable onewire + command: "raspi-config nonint do_onewire {{ 0 if myconfig.enable_onewire else 1 }}" + when: "'enable_onewire' in myconfig and myconfig.enable_onewire != raspi_onewire_enabled" + tags: + - raspi + +- name: enable/disable remote GPIO + command: 
"raspi-config nonint do_rgpio {{ 0 if myconfig.enable_rgpio else 1 }}" + when: "'enable_rgpio' in myconfig and myconfig.enable_rgpio != raspi_rgpio_enabled" + tags: + - raspi + +- name: enable/disable HDMI overscan + command: "raspi-config nonint do_overscan {{ 0 if myconfig.enable_overscan else 1 }}" + when: "'enable_overscan' in myconfig and myconfig.enable_overscan != raspi_overscan_enabled" tags: - raspi diff --git a/roles/common/vars/main.yml b/roles/common/vars/main.yml index 34eddfb..7c3d1eb 100644 --- a/roles/common/vars/main.yml +++ b/roles/common/vars/main.yml @@ -5,6 +5,8 @@ macaddrs: domain: "local" locale: "en_US.UTF-8" timezone: "America/Los_Angeles" + xkblayout: "us" + wifi_country: "US" enable_gui: True enable_autologin: False enable_bootwait: False @@ -22,6 +24,7 @@ macaddrs: domain: "local" locale: "en_US.UTF-8" timezone: "America/Los_Angeles" + xkblayout: "us" enable_gui: False enable_autologin: False enable_bootwait: True From a1fd2bd75a34e7136d571c8b112e2bf44e482887 Mon Sep 17 00:00:00 2001 From: "Glenn K. Lockwood" Date: Sun, 28 Oct 2018 14:22:12 -0700 Subject: [PATCH 11/19] update documentation --- README.md | 54 ++++++++++++++++++++++++------------------------------ 1 file changed, 24 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index 317b2dc..e70cd7f 100644 --- a/README.md +++ b/README.md 
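Review bot: The `enable/disable HDMI overscan` task tests `raspi_overscan_enabled`, but the raspi-facts.yml lines visible in this series only set `raspi_overscan` to the raw stdout and never define an `_enabled` fact. The task is harmless while no host sets `enable_overscan`, and will stop the play with an undefined-variable error as soon as one does. Either add a matching fact to the set_fact block, for example `raspi_overscan_enabled: "{{ raspi_overscan.stdout == '0' }}"` once the polarity of `get_overscan` has been confirmed, or compare against `raspi_overscan` directly. The four boot-behaviour tasks at the top of the hunk also read `myconfig.enable_gui` and `myconfig.enable_autologin` without the `'key' in myconfig` guard that the new tasks use.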
@@ -1,52 +1,46 @@ # Raspberry Pi Ansible -Glenn K. Lockwood, August 2017 +Glenn K. Lockwood, October 2018 ## Introduction This is an Ansible configuration that configures a fresh Raspbian installation -on Raspberry Pi. This is very much a work in progress and not intended to be -used by anyone but me. +on Raspberry Pi. It is intended to be run in local (pull) mode, where ansible +is running on the same Raspberry Pi to be configured. ## Bootstrapping on Raspbian -If you want to use these playbooks to make a Raspberry Pi self-configure, -install Ansible by doing the following: +You will need ansible installed on the Raspberry Pi being configured. - $ pip install --user ansible - $ ssh-keygen - $ ssh-copy-id localhost + $ sudo apt-get install ansible -If not bootstrapping from the Raspberry Pi itself, you can instead do +## Configuration - $ ssh-copy-id pi@raspberrypi +The `macaddrs` structure in _roles/common/vars/main.yml_ maps the MAC address of +a Raspberry Pi to its intended configuration state. Add your Raspberry Pi's MAC +address to that structure and set its configuration accordingly. -and authenticate using the default `raspberry` password. This will enable -key-based authentication to the remote Raspberry Pi to be configured. +## Running the playbook -You can ensure that Ansible is able to configure using the following: - - $ ansible -i hosts all -m ping - -You can also ensure that authentication also works. +Then run the playbook: - $ ansible -i hosts -u pi --sudo-user root all -a "/usr/bin/id -u" + $ sudo ansible-playbook local.yml -## Running the Playbook +The playbook will self-discover its settings, then idempotently configure the +Raspberry Pi. -This playbook will deactivate password authentication for the `pi` user since -it assumes that you have key-based authentication configured _before_ the -playbook is executed. Be sure that is the case or you may be locked out of -your Raspberry Pi altogether. 
+## After running the playbook -Then run the playbook: +This playbook purposely requires a few manual steps _after_ running the playbook +to ensure that it does not lock you out of your Raspberry Pi. - $ ansible-playbook --inventory-file hosts --limit cloverfield --user pi --sudo site.yml +1. While logged in as pi, `sudo passwd glock` (or whatever username you created) + to set a password for that user. This is _not_ required to log in as that + user, but it _is_ required to `sudo` as that user. You may also choose to + set a password for the pi and/or root users. -or +2. `usermod --lock pi` to ensure that the default user is completely disabled. - $ ansible-playbook -i hosts -l clovermine -u pi -s site.yml +## Acknowledgment -Raspbian should allow the `pi` user to sudo without a password. If not, run -using `--ask-become-pass` (or `-K`) and enter the sudo password (default would -be `raspberry`) for the remote user (`pi`). +I stole a lot of knowledge from https://github.com/giuaig/ansible-raspi-config/. From e9829272671c592fc6fbea8da436c04101539b08 Mon Sep 17 00:00:00 2001 From: "Glenn K. Lockwood" Date: Sun, 28 Oct 2018 15:03:56 -0700 Subject: [PATCH 12/19] bone up VNC status checking --- roles/common/tasks/raspi-facts.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/roles/common/tasks/raspi-facts.yml b/roles/common/tasks/raspi-facts.yml index 973b915..f33fa1a 100644 --- a/roles/common/tasks/raspi-facts.yml +++ b/roles/common/tasks/raspi-facts.yml @@ -79,6 +79,15 @@ tags: - raspi +- name: get VNC installed status + command: systemctl status vncserver-x11-serviced + register: systemctl_vnc_status + failed_when: "not systemctl_vnc_status.stdout and 'failed' not in systemctl_vnc_status.stderr and 'found' not in systemctl_vnc_status.stderr" + changed_when: False + check_mode: no + tags: + - raspi + - name: get SPI enabled status shell: "raspi-config nonint get_spi" register: raspi_spi_disabled 
@@ -194,7 +203,7 @@ raspi_bootsplash_enabled: "{{ raspi_boot_splash.stdout == '0' }}" raspi_camera_enabled: "{{ raspi_camera_disabled.stdout == '0' }}" raspi_ssh_enabled: "{{ raspi_ssh_disabled.stdout == '0' }}" - raspi_vnc_enabled: "{{ raspi_vnc_disabled.stdout == '0' }}" + raspi_vnc_enabled: "{{ raspi_vnc_disabled.stdout == '0' or (systemctl_vnc_status|failed and ('find' in systemctl_vnc_status.stderr or 'found' in systemctl_vnc_status.stderr)) }}" raspi_spi_enabled: "{{ raspi_spi_disabled.stdout == '0' }}" raspi_i2c_enabled: "{{ raspi_i2c_disabled.stdout == '0' }}" raspi_serial_enabled: "{{ raspi_serial_disabled.stdout == '0' }}" From 76197fefda9a431a94922f580154477434bf233e Mon Sep 17 00:00:00 2001 From: "Glenn K. Lockwood" Date: Sun, 28 Oct 2018 21:27:28 -0700 Subject: [PATCH 13/19] fix detection of vnc server --- roles/common/tasks/raspi-facts.yml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/roles/common/tasks/raspi-facts.yml b/roles/common/tasks/raspi-facts.yml index f33fa1a..f32d309 100644 --- a/roles/common/tasks/raspi-facts.yml +++ b/roles/common/tasks/raspi-facts.yml @@ -79,15 +79,6 @@ tags: - raspi -- name: get VNC installed status - command: systemctl status vncserver-x11-serviced - register: systemctl_vnc_status - failed_when: "not systemctl_vnc_status.stdout and 'failed' not in systemctl_vnc_status.stderr and 'found' not in systemctl_vnc_status.stderr" - changed_when: False - check_mode: no - tags: - - raspi - - name: get SPI enabled status shell: "raspi-config nonint get_spi" register: raspi_spi_disabled 
@@ -203,7 +194,7 @@ raspi_bootsplash_enabled: "{{ raspi_boot_splash.stdout == '0' }}" raspi_camera_enabled: "{{ raspi_camera_disabled.stdout == '0' }}" raspi_ssh_enabled: "{{ raspi_ssh_disabled.stdout == '0' }}" - raspi_vnc_enabled: "{{ raspi_vnc_disabled.stdout == '0' or (systemctl_vnc_status|failed and ('find' in systemctl_vnc_status.stderr or 'found' in systemctl_vnc_status.stderr)) }}" + raspi_vnc_enabled: "{{ raspi_vnc_disabled.stdout == '0' and 'find' not in raspi_vnc_disabled.stderr and 'found' not in raspi_vnc_disabled.stderr }}" raspi_spi_enabled: "{{ raspi_spi_disabled.stdout == '0' }}" raspi_i2c_enabled: "{{ raspi_i2c_disabled.stdout == '0' }}" raspi_serial_enabled: "{{ raspi_serial_disabled.stdout == '0' }}" From 94dcac94aaae02531e7a7420dde8a3aa441e57b2 Mon Sep 17 00:00:00 2001 From: "Glenn K. Lockwood" Date: Sun, 28 Oct 2018 21:42:37 -0700 Subject: [PATCH 14/19] check to see if the fs is already expanded --- roles/common/tasks/raspi-facts.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/roles/common/tasks/raspi-facts.yml b/roles/common/tasks/raspi-facts.yml index f32d309..40d9ac4 100644 --- a/roles/common/tasks/raspi-facts.yml +++ b/roles/common/tasks/raspi-facts.yml @@ -183,6 +183,14 @@ tags: - raspi +- name: determine last allocated disk sector + shell: "parted /dev/mmcblk0 -ms unit s p | tail -n1 | awk -F':' '{ print $3 + 0 }'" + register: raspi_last_alloced_sector + changed_when: False + check_mode: no + tags: + - raspi + - name: set raspi-config facts set_fact: raspi_type: "{{ raspi_type.stdout }}" 
@@ -202,7 +210,7 @@ raspi_onewire_enabled: "{{ raspi_onewire_disabled.stdout == '0' }}" raspi_rgpio_enabled: "{{ raspi_rgpio_disabled.stdout == '0' }}" raspi_overclock: "{{ raspi_overclock.stdout }}" - raspi_fs_expandable: "{{ raspi_fs_unexpandable.stdout == '0' }}" + raspi_fs_expandable: "{{ raspi_fs_unexpandable.stdout == '0' and (raspi_last_alloced_sector.stdout + 1) < ansible_devices.mmcblk0.sectors }}" raspi_overscan: "{{ raspi_overscan.stdout }}" raspi_gpu_mem: "{{ raspi_gpu_mem.stdout }}" raspi_gpu_mem_256: "{{ raspi_gpu_mem_256.stdout }}" From d62408a9aae0c1f6f05f10ca64daed7a36cc7f68 Mon Sep 17 00:00:00 2001 From: "Glenn K. Lockwood" Date: Sun, 28 Oct 2018 21:50:32 -0700 Subject: [PATCH 15/19] updated the debug test instead of the production one, whoops --- roles/common/tasks/raspi-facts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/common/tasks/raspi-facts.yml b/roles/common/tasks/raspi-facts.yml index 40d9ac4..09ba2b0 100644 --- a/roles/common/tasks/raspi-facts.yml +++ b/roles/common/tasks/raspi-facts.yml @@ -210,7 +210,7 @@ raspi_onewire_enabled: "{{ raspi_onewire_disabled.stdout == '0' }}" raspi_rgpio_enabled: "{{ raspi_rgpio_disabled.stdout == '0' }}" raspi_overclock: "{{ raspi_overclock.stdout }}" - raspi_fs_expandable: "{{ raspi_fs_unexpandable.stdout == '0' and (raspi_last_alloced_sector.stdout + 1) < ansible_devices.mmcblk0.sectors }}" + raspi_fs_expandable: "{{ raspi_fs_unexpandable.stdout == '0' and (raspi_last_alloced_sector.stdout|int + 1) < ansible_devices.mmcblk0.sectors|int }}" raspi_overscan: "{{ raspi_overscan.stdout }}" raspi_gpu_mem: "{{ raspi_gpu_mem.stdout }}" raspi_gpu_mem_256: "{{ raspi_gpu_mem_256.stdout }}" From bd52fd5733c34a85981a61a917a8812af80a3e2e Mon Sep 17 00:00:00 2001 
From: "Glenn K. Lockwood" Date: Sun, 28 Oct 2018 22:18:51 -0700 Subject: [PATCH 16/19] add firewall configuration --- roles/common/tasks/main.yml | 23 +++++++++++++++++++++++ roles/common/tasks/software.yml | 1 + 2 files changed, 24 insertions(+) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 7d08d84..49e2c96 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -79,3 +79,26 @@ - include: software.yml - include: users.yml - include: raspi-config.yml + +# Configure firewall +- name: allow SSH through UFW + ufw: + rule: allow + port: ssh + proto: tcp + log: yes + +- name: set default incoming UFW policy to deny + ufw: + direction: incoming + policy: deny + +- name: set default outgoing UFW policy to deny + ufw: + direction: outgoing + policy: allow + +- name: enable UFW + ufw: + state: enabled + logging: yes diff --git a/roles/common/tasks/software.yml b/roles/common/tasks/software.yml index 816ec2b..077387a 100644 --- a/roles/common/tasks/software.yml +++ b/roles/common/tasks/software.yml @@ -31,5 +31,6 @@ - vim - git - python-pip + - ufw tags: - sw From 943e8e5228231b41475c82f0ec73e9640e645823 Mon Sep 17 00:00:00 2001 From: "Glenn K. Lockwood" Date: Sun, 28 Oct 2018 22:19:01 -0700 Subject: [PATCH 17/19] fix bug in x11 keyboard layout --- roles/common/tasks/linux-facts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/common/tasks/linux-facts.yml b/roles/common/tasks/linux-facts.yml index 59c3602..7075d5a 100644 --- a/roles/common/tasks/linux-facts.yml +++ b/roles/common/tasks/linux-facts.yml @@ -21,5 +21,5 @@ set_fact: linux_tz: "{{ linux_tz.stdout }}" linux_locale: "{{ linux_locale.stdout }}" - linux_xkblayout: "{{ linux_xkblayout }}" + linux_xkblayout: "{{ linux_xkblayout.stdout }}" check_mode: no From 59764fee10c8065d4b99408e901abbd93a2b5e2d Mon Sep 17 00:00:00 2001 
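Review bot: The task named `set default outgoing UFW policy to deny` sets `policy: allow`, so the name and the rule disagree, and a reader auditing the play output will believe egress is filtered when it is not. If allowing outbound traffic is what is intended, rename it to `- name: set default outgoing UFW policy to allow`; if egress filtering was the goal, the policy needs to change and the required outbound ports (DNS, NTP, apt) need explicit rules first. For the SSH rule, `rule: limit` instead of `rule: allow` would add ufw's connection rate limiting on the one port left open.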
From: "Glenn K. Lockwood" Date: Sun, 28 Oct 2018 22:25:11 -0700 Subject: [PATCH 18/19] enable system-specific software installation --- roles/common/tasks/software.yml | 13 +++++++++++-- roles/common/vars/main.yml | 2 ++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/roles/common/tasks/software.yml b/roles/common/tasks/software.yml index 077387a..d42c892 100644 --- a/roles/common/tasks/software.yml +++ b/roles/common/tasks/software.yml @@ -1,6 +1,6 @@ --- -### Uninstall Raspbian bloat +# Uninstall Raspbian bloat - name: remove raspbian bloat apt: name="{{ packages }}" @@ -20,7 +20,7 @@ tags: - sw -### Install required software +# Install required software - name: install basic software environment apt: name="{{ packages }}" @@ -34,3 +34,12 @@ - ufw tags: - sw + +- name: install additional software + apt: + name="{{ myconfig.extra_software }}" + state=present + update_cache=yes + when: "'extra_software' in myconfig" + tags: + - sw diff --git a/roles/common/vars/main.yml b/roles/common/vars/main.yml index 7c3d1eb..b9e521b 100644 --- a/roles/common/vars/main.yml +++ b/roles/common/vars/main.yml @@ -37,6 +37,8 @@ macaddrs: enable_serial_hw: True enable_onewire: False enable_rgpio: False + extra_software: + - w3m ### Users that must be present on the system create_users: From aea19fbaad67338de91bcaa4496391f26147dd8d Mon Sep 17 00:00:00 2001 From: "Glenn K. Lockwood" Date: Mon, 29 Oct 2018 00:30:05 -0700 Subject: [PATCH 19/19] update software for cloverleaf --- roles/common/tasks/main.yml | 3 +++ roles/common/vars/main.yml | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 49e2c96..342eb00 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -10,18 +10,21 @@ msg: "{{ hostvars[inventory_hostname].ansible_default_ipv4.macaddress }}" tags: - raspi + - sw - name: store MAC address set_fact: my_macaddr: "{{ hostvars[inventory_hostname].ansible_default_ipv4.macaddress }}" tags: - raspi + - sw - name: store system configuration set_fact: myconfig: "{{ macaddrs[my_macaddr] }}" tags: - raspi + - sw - name: set hostname shell: "raspi-config nonint do_hostname {{ myconfig.hostname }}" diff --git a/roles/common/vars/main.yml b/roles/common/vars/main.yml index b9e521b..0c19be7 100644 --- a/roles/common/vars/main.yml +++ b/roles/common/vars/main.yml @@ -38,7 +38,9 @@ macaddrs: enable_onewire: False enable_rgpio: False extra_software: - - w3m + - "w3m" + - "irssi" + - "screen" ### Users that must be present on the system create_users: