fix: Add RDP role, GNOME defaults, package lock protection, and CI workflow

- Replace dfe_rdp_optimizer with streamlined dfe_rdp role
- Add system-wide GNOME dconf defaults (dark theme, fonts, dock)
- Stop automatic updates during playbook to prevent lock conflicts
- Re-enable automatic updates in cleanup role
- Add APT/DNF lock wait protection to cleanup tasks
- Add semantic-release GitHub Actions workflow for automated versioning
- Add remmina RDP client via Flatpak

Author: Derek

.github/workflows/semantic-release.yml

@@ -0,0 +1,70 @@
+# Project:      DFE Developer
+# File:         .github/workflows/semantic-release.yml
+# Purpose:      Create version tags using semantic-release
+# License:      MIT
+# Copyright:    (c) 2025 HyperSec Pty Ltd
+
+name: Semantic Release
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
+jobs:
+  release:
+    name: Create Version and Tag
+    runs-on: ${{ vars.GH_RUNNER_DEFAULT || 'ubuntu-latest' }}
+
+    steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      - name: Install semantic-release
+        run: |
+          npm install -g \
+            semantic-release@latest \
+            @semantic-release/changelog@latest \
+            @semantic-release/commit-analyzer@latest \
+            @semantic-release/release-notes-generator@latest \
+            @semantic-release/exec@latest \
+            @semantic-release/git@latest \
+            @semantic-release/github@latest \
+            conventional-changelog-conventionalcommits@latest
+
+      - name: Run semantic-release
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          semantic-release
+
+          # Check if a version was created
+          if [ -f VERSION ]; then
+            VERSION=$(cat VERSION)
+            echo "Released version: ${VERSION}"
+          else
+            echo "No version created (no releasable commits)"
+          fi

ansible/playbooks/main.yml

@@ -21,6 +21,74 @@
           Python: {{ ansible_python_version }}
       tags: ['always']
 
+    # Wait for package manager locks (handles automatic updates in progress)
+    - name: Wait for APT lock to be released (Ubuntu)
+      ansible.builtin.shell: |
+        while fuser /var/lib/dpkg/lock-frontend >/dev/null 2>&1 || fuser /var/lib/apt/lists/lock >/dev/null 2>&1; do
+          echo "Waiting for APT lock..."
+          sleep 5
+        done
+        echo "APT lock released"
+      args:
+        executable: /bin/bash
+      register: apt_lock_wait
+      changed_when: false
+      when: ansible_distribution == 'Ubuntu'
+      retries: 30
+      delay: 10
+      until: apt_lock_wait.rc == 0
+      tags: ['always']
+
+    - name: Wait for DNF lock to be released (Fedora)
+      ansible.builtin.shell: |
+        while pgrep -x dnf >/dev/null 2>&1 || [ -f /var/run/dnf.pid ]; do
+          echo "Waiting for DNF lock..."
+          sleep 5
+        done
+        echo "DNF lock released"
+      args:
+        executable: /bin/bash
+      register: dnf_lock_wait
+      changed_when: false
+      when: ansible_distribution == 'Fedora'
+      retries: 30
+      delay: 10
+      until: dnf_lock_wait.rc == 0
+      tags: ['always']
+
+    # Stop automatic updates during playbook to prevent lock conflicts
+    - name: Stop unattended-upgrades service (Ubuntu)
+      ansible.builtin.systemd:
+        name: unattended-upgrades
+        state: stopped
+      when: ansible_distribution == 'Ubuntu'
+      become: true
+      failed_when: false
+      tags: ['always']
+
+    - name: Stop apt-daily services (Ubuntu)
+      ansible.builtin.systemd:
+        name: "{{ item }}"
+        state: stopped
+      loop:
+        - apt-daily.service
+        - apt-daily-upgrade.service
+        - apt-daily.timer
+        - apt-daily-upgrade.timer
+      when: ansible_distribution == 'Ubuntu'
+      become: true
+      failed_when: false
+      tags: ['always']
+
+    - name: Stop dnf-automatic timer (Fedora)
+      ansible.builtin.systemd:
+        name: dnf-automatic.timer
+        state: stopped
+      when: ansible_distribution == 'Fedora'
+      become: true
+      failed_when: false
+      tags: ['always']
+
     - name: Validate supported operating system
       ansible.builtin.fail:
         msg: "Unsupported OS: {{ ansible_distribution }} {{ ansible_distribution_version }}. Supported: Fedora 42+, Ubuntu 24.04+, macOS"
@@ -90,9 +158,9 @@
       become: "{{ ansible_distribution != 'MacOSX' }}"
       tags: ['vm', 'optimizer']
 
-    - role: dfe_rdp_optimizer
+    - role: dfe_rdp
       become: "{{ ansible_distribution != 'MacOSX' }}"
-      tags: ['rdp', 'optimizer']
+      tags: ['rdp']
 
     - role: dfe_system_cleanup
       become: "{{ ansible_distribution != 'MacOSX' }}"

ansible/roles/dfe_developer/defaults/main.yml

@@ -17,6 +17,10 @@ dfe_min_ubuntu_version: "24.04"
 # Ghostty installation
 dfe_install_ghostty: true
 
+# GNOME Shell customizations (Dash to Panel, system monitor, dark theme, etc.)
+# Set to false to keep vanilla Ubuntu/Fedora GNOME experience
+dfe_customize_gnome_shell: true
+
 # Docker configuration
 dfe_docker_users:
   - "{{ ansible_user_id }}"