fix: Add Bitwarden and change Flatpak apps to system-wide installation

Derek · Derek · commit 57c7be2d1706 · 2025-12-31T15:05:22.000+11:00
- Add Bitwarden GUI (Flatpak/Homebrew) and CLI (binary/Homebrew)
- Change all Flatpak apps to method: system (Slack, Remmina, Freelens)
- Remove user-level Flathub repository setup
diff --git a/ansible/roles/dfe_developer/tasks/k8s.yml b/ansible/roles/dfe_developer/tasks/k8s.yml
@@ -152,14 +152,11 @@
 
 # Freelens - Flatpak (GUI only)
 
-- name: Install Freelens
+- name: Install Freelens (system-wide)
   community.general.flatpak:
     name: app.freelens.Freelens
     state: present
-    method: user
-  become: false
-  environment:
-    FLATPAK_TTY_PROGRESS: "0"
+    method: system
   when:
     - ansible_distribution in ['Fedora', 'Ubuntu']
     - dfe_has_gnome | default(false)
diff --git a/ansible/roles/dfe_developer/tasks/utilities.yml b/ansible/roles/dfe_developer/tasks/utilities.yml
@@ -23,17 +23,6 @@
     method: system
   when: ansible_distribution in ['Fedora', 'Ubuntu']
 
-# Configure Flathub for user-level installations (for apps like Freelens, Slack)
-- name: Add Flathub repository (user-level)
-  community.general.flatpak_remote:
-    name: flathub
-    state: present
-    flatpakrepo_url: https://flathub.org/repo/flathub.flatpakrepo
-    method: user
-  become: false
-  when:
-    - ansible_distribution in ['Fedora', 'Ubuntu']
-    - dfe_has_gnome | default(false)
 
 # Common development utilities
 - name: Install development utilities (Fedora)
@@ -176,14 +165,11 @@
 # Remmina - Remote Desktop Client (Linux GUI only)
 # Using Flatpak for latest version (PPA discontinued as of 2025)
 # Flatpak provides better updates and cross-distro compatibility
-- name: Install Remmina via Flatpak (user-specific)
+- name: Install Remmina via Flatpak (system-wide)
   community.general.flatpak:
     name: org.remmina.Remmina
     state: present
-    method: user
-  become: false
-  environment:
-    FLATPAK_TTY_PROGRESS: "0"
+    method: system
   when:
     - ansible_distribution in ['Fedora', 'Ubuntu']
     - dfe_has_gnome | default(false)
diff --git a/ansible/roles/dfe_developer_core/tasks/bitwarden.yml b/ansible/roles/dfe_developer_core/tasks/bitwarden.yml
@@ -0,0 +1,73 @@
+---
+# Bitwarden password manager installation (GUI + CLI)
+# GUI: Flatpak for Linux, Homebrew Cask for macOS
+# CLI: Binary download for Linux, Homebrew for macOS
+
+# ============================================================================
+# LINUX - GUI via Flatpak (system-wide)
+# ============================================================================
+
+- name: Install Bitwarden GUI via Flatpak (system-wide)
+  community.general.flatpak:
+    name: com.bitwarden.desktop
+    state: present
+    method: system
+  when:
+    - ansible_distribution in ['Fedora', 'Ubuntu']
+    - dfe_has_gnome
+
+# ============================================================================
+# LINUX - CLI via binary download from GitHub releases
+# ============================================================================
+
+- name: Install Bitwarden CLI (Linux)
+  block:
+    - name: Get latest Bitwarden CLI version from GitHub API
+      ansible.builtin.uri:
+        url: https://api.github.com/repos/bitwarden/clients/releases
+        return_content: true
+      register: bw_releases
+
+    - name: Set Bitwarden CLI version fact
+      ansible.builtin.set_fact:
+        bw_cli_version: "{{ bw_releases.json | selectattr('tag_name', 'match', '^cli-v') | map(attribute='tag_name') | first | regex_replace('^cli-v', '') }}"
+
+    - name: Download Bitwarden CLI binary
+      ansible.builtin.get_url:
+        url: "https://github.com/bitwarden/clients/releases/download/cli-v{{ bw_cli_version }}/bw-linux-{{ bw_cli_version }}.zip"
+        dest: /tmp/bw-linux.zip
+        mode: '0644'
+
+    - name: Extract Bitwarden CLI binary
+      ansible.builtin.unarchive:
+        src: /tmp/bw-linux.zip
+        dest: /usr/local/bin
+        remote_src: true
+        mode: '0755'
+
+    - name: Remove Bitwarden CLI installation file
+      ansible.builtin.file:
+        path: /tmp/bw-linux.zip
+        state: absent
+
+  when: ansible_distribution in ['Fedora', 'Ubuntu']
+
+# ============================================================================
+# MACOS - GUI via Homebrew Cask, CLI via Homebrew
+# ============================================================================
+
+- name: Install Bitwarden GUI (macOS)
+  community.general.homebrew_cask:
+    name: bitwarden
+    state: present
+  become: false
+  environment: "{{ homebrew_cask_env }}"
+  when: ansible_distribution == 'MacOSX'
+
+- name: Install Bitwarden CLI (macOS)
+  community.general.homebrew:
+    name: bitwarden-cli
+    state: present
+  become: false
+  environment: "{{ homebrew_env }}"
+  when: ansible_distribution == 'MacOSX'
diff --git a/ansible/roles/dfe_developer_core/tasks/main.yml b/ansible/roles/dfe_developer_core/tasks/main.yml
@@ -44,6 +44,11 @@
   tags: ['betterbird', 'email']
   when: ansible_distribution in ['Fedora', 'Ubuntu']
 
+- name: Install Bitwarden
+  ansible.builtin.include_tasks:
+    file: bitwarden.yml
+  tags: ['bitwarden', 'security']
+
 - name: Install OpenVPN 3
   ansible.builtin.include_tasks:
     file: openvpn.yml
diff --git a/ansible/roles/dfe_developer_core/tasks/slack.yml b/ansible/roles/dfe_developer_core/tasks/slack.yml
@@ -3,13 +3,11 @@
 
 # Linux (Fedora/Ubuntu) - via Flatpak
 
-- name: Install Slack via Flatpak (user-specific)
+- name: Install Slack via Flatpak (system-wide)
   community.general.flatpak:
     name: com.slack.Slack
     state: present
-    method: user
-  become: false
-  become_user: "{{ dfe_actual_user }}"
+    method: system
   when:
     - ansible_distribution in ['Fedora', 'Ubuntu']
     - dfe_has_gnome
