mustard/ansible-playbooks
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request 'refactor_for_fedora42' (#1) from refactor_for_fedora42 into main

Browse source 
Reviewed-on: #1
This commit is contained in:
mustard 2025-09-19 03:57:21 +02:00
commit 39f6e78dcb
79 changed files with 1732 additions and 1073 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.gitmodules vendored Normal file
View file

@ -0,0 +1,3 @@
[submodule "roles/devtools/files/dotfiles"]
path = roles/devtools/files/dotfiles
url = https://forgejoever.homelab0ne.xyz/mustard/dotfiles

15
README.md
View file

@ -1,3 +1,18 @@
# Ansible playbooks
Intended to make homelab management easier.
Git clone this repo to the Fedora 42 GNOME template.
Ensure prequisite packages are installed:
```
sudo dnf install ansible
```
Execute the playbook:
```
sudo ansible-playbook fedora-42-gnome.yaml
```

2
config/id_ed25519.pub
View file

@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJITevx5+lKqH9UdQiGoe08+ld3XIWGXxQ3sa2XL4PeN user@homelab-mgmt
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArO9Yty0QuX7jZhDeL6MrZwH+6dbbcidYWWo0qawivb user@homelab-mgmt

85
development.yaml
View file

@ -1,85 +0,0 @@
- name: Configure Fedora 42 Gnome Template for development
hosts: 127.0.0.1
connection: local
tasks:
- name: 'Baseline hardening'
ansible.builtin.include_role:
name: 'baseline'
vars:
umask_changes: false
manage_network: true
- name: 'Gnome package stuff'
ansible.builtin.include_role:
name: gnome
# - name: 'Setup dom0 prompt for sudo'
# ansible.builtin.include_role:
# name: sudo-dom0-prompt
- name: 'Install trivalent'
ansible.builtin.include_role:
name: trivalent
# - name: 'Setup arkenfox'
# ansible.builtin.include_role:
# name: arkenfox
- name: 'Import VSCodium repo key'
ansible.builtin.rpm_key:
state: 'present'
key: 'https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/-/raw/master/pub.gpg'
- name: 'Import VSCodium repo'
ansible.builtin.copy:
src: 'etc/yum.repos.d/vscodium.repo'
dest: '/etc/yum.repos.d/vscodium.repo'
- name: 'Setup docker repo'
shell: 'sudo dnf config-manager addrepo --from-repofile=https://download.docker.com/linux/fedora/docker-ce.repo -y'
- name: 'Install vscode and docker'
ansible.builtin.dnf5:
name:
- codium
# - docker-ce
# - docker-buildx-plugin
# - docker-compose-plugin
state: 'present'
# - name: 'Enable docker service'
# ansible.builtin.systemd:
# name: 'docker'
# enabled: true
# state: 'started'
# - name: Add user to Docker group
# user:
# name: user
# group: docker
# append: yes
- name: Create Qubes bind dirs directory
file:
path: /etc/qubes-bind-dirs.d
state: directory
mode: '0755'
- name: Configure Qubes bind dirs
lineinfile:
path: /etc/qubes-bind-dirs.d/50_user.conf
line: 'binds+=( "/var/lib/docker" )'
state: present
create: yes
- name: 'Install wireguard-tools'
ansible.builtin.dnf5:
name:
- wireguard-tools
- make
- ccache
- binwalk
- qemu-system-mipsel
- hx
- neovim
state: 'present'

42
fedora-42-dev.yaml Normal file
View file

@ -0,0 +1,42 @@
- name: Configure Fedora 42 Gnome Template
hosts: 127.0.0.1
connection: local
tasks:
- name: 'Baseline hardening'
ansible.builtin.include_role:
name: 'baseline'
vars:
umask_changes: true
manage_network: true
allow_ptrace: true
use_hardened_malloc: true
- name: 'Gnome package stuff'
ansible.builtin.include_role:
name: gnome
- name: 'Install trivalent'
ansible.builtin.include_role:
name: trivalent
- name: 'Setup arkenfox'
ansible.builtin.include_role:
name: arkenfox
vars:
enable_webgl: false
- name: 'Install wireguard-tools and neovim and gdb and podman and other devtools'
ansible.builtin.dnf5:
name:
- wireguard-tools
- neovim
- gdb
- podman
- glibc-devel
- opentofu
state: 'present'
- name: 'Handle SUID binaries'
ansible.builtin.script:
cmd: ./remove_suid.sh

17
fedora-42-gnome.yaml
View file

@ -8,15 +8,13 @@
vars:
umask_changes: true
manage_network: true
allow_ptrace: false
use_hardened_malloc: true
- name: 'Gnome package stuff'
ansible.builtin.include_role:
name: gnome
# - name: 'Setup dom0 prompt for sudo'
# ansible.builtin.include_role:
# name: sudo-dom0-prompt
- name: 'Install trivalent'
ansible.builtin.include_role:
name: trivalent
@ -24,9 +22,16 @@
- name: 'Setup arkenfox'
ansible.builtin.include_role:
name: arkenfox
vars:
enable_webgl: false
- name: 'Install wireguard-tools'
- name: 'Install wireguard-tools and neovim'
ansible.builtin.dnf5:
name:
- wireguard-tools
- neovim
state: 'present'
- name: 'Handle SUID binaries'
ansible.builtin.script:
cmd: ./remove_suid.sh

39
fedora-42-media.yaml Normal file
View file

@ -0,0 +1,39 @@
- name: Configure Fedora 42 Gnome Template
hosts: 127.0.0.1
connection: local
tasks:
- name: 'Baseline hardening'
ansible.builtin.include_role:
name: 'baseline'
vars:
umask_changes: true
manage_network: true
allow_ptrace: false
use_hardened_malloc: false
- name: 'Gnome package stuff'
ansible.builtin.include_role:
name: gnome
- name: 'Install trivalent'
ansible.builtin.include_role:
name: trivalent
- name: 'Setup arkenfox'
ansible.builtin.include_role:
name: arkenfox
vars:
enable_webgl: true
- name: 'Install wireguard-tools and neovim and mpv'
ansible.builtin.dnf5:
name:
- wireguard-tools
- neovim
- mpv
state: 'present'
- name: 'Handle SUID binaries'
ansible.builtin.script:
cmd: ./remove_suid.sh

116
remove_suid.sh Executable file
View file

@ -0,0 +1,116 @@
#!/usr/bin/env bash
# Copied from The Secureblue Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and limitations under the License.
set -oue pipefail
# Reference: https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#usrbinchage
whitelist=(
# Need to allowlist qrexec binaries to ensure qubes templates (hopefully) don't break, not sure why they're duplicated in /usr/bin and /usr/sbin
"/usr/bin/qfile-unpacker"
"/usr/sbin/qfile-unpacker"
"/usr/lib/qubes/qfile-unpacker"
"/usr/bin/qrexec-client-vm"
"/usr/sbin/qrexec-client-vm"
"/usr/bin/qrexec-fork-server"
"/usr/sbin/qrexec-fork-server"
"/usr/bin/qrexec-legacy-convert"
"/usr/sbin/qrexec-legacy-convert"
"/usr/bin/qrexec-policy"
"/usr/sbin/qrexec-policy"
"/usr/bin/qrexec-policy-agent"
"/usr/sbin/qrexec-policy-agent"
"/usr/bin/qrexec-policy-daemon"
"/usr/sbin/qrexec-policy-daemon"
"/usr/bin/qrexec-policy-exec"
"/usr/sbin/qrexec-policy-exec"
"/usr/bin/qrexec-policy-graph"
"/usr/sbin/qrexec-policy-graph"
"/usr/bin/qrexec-policy-restore"
"/usr/sbin/qrexec-policy-restore"
# Required for nvidia closed driver images
"/usr/bin/nvidia-modprobe"
# https://gitlab.freedesktop.org/polkit/polkit/-/issues/168
"/usr/lib/polkit-1/polkit-agent-helper-1"
# https://github.com/secureblue/secureblue/issues/119
# Required for hardened_malloc to be used by suid-root processes
"/usr/lib64/libhardened_malloc-light.so"
"/usr/lib64/libhardened_malloc-pkey.so"
"/usr/lib64/libhardened_malloc.so"
"/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-light.so"
"/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-pkey.so"
"/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc.so"
"/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-light.so"
"/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-pkey.so"
"/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc.so"
"/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-light.so"
"/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-pkey.so"
"/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so"
"/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-light.so"
"/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-pkey.so"
"/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc.so"
)
is_in_whitelist() {
local binary="$1"
for allowed_binary in "${whitelist[@]}"; do
if [ "$binary" = "$allowed_binary" ]; then
return 0
fi
done
return 1
}
passwd -l root
dnf remove sudo-python-plugin
find /usr -type f -perm /4000 |
while IFS= read -r binary; do
if ! is_in_whitelist "$binary"; then
echo "Removing SUID bit from $binary"
chmod u-s "$binary"
echo "Removed SUID bit from $binary"
fi
done
find /usr -type f -perm /2000 |
while IFS= read -r binary; do
if ! is_in_whitelist "$binary"; then
echo "Removing SGID bit from $binary"
chmod g-s "$binary"
echo "Removed SGID bit from $binary"
fi
done
rm -f /usr/bin/chsh
rm -f /usr/bin/chfn
rm -f /usr/bin/pkexec
rm -f /usr/bin/sudo
rm -f /usr/bin/su
rm -f /usr/bin/run0
set_caps_if_present() {
local caps="$1"
local binary_path="$2"
if [ -f "$binary_path" ]; then
echo "Setting caps $caps on $binary_path"
setcap "$caps" "$binary_path"
echo "Set caps $caps on $binary_path"
fi
}
set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/bin/chage"
set_caps_if_present "cap_sys_admin=ep" "/usr/bin/fusermount3"
set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/sbin/unix_chkpwd"

1
roles/arkenfox/files/usr/lib64/firefox/distribution/policies.json
View file

@ -1,6 +1,5 @@
{
"policies": {
"CaptivePortal": false,
"Cookies": {
"Behavior": "reject-tracker-and-partition-foreign",
"BehaviorPrivateBrowsing": "reject-tracker-and-partition-foreign"

16
roles/arkenfox/tasks/main.yaml
View file

@ -4,7 +4,15 @@
dest: '/{{ item }}'
mode: '0644'
loop:
- 'usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js'
- 'usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js'
- 'usr/lib64/firefox/browser/defaults/preferences/userjs-override.js'
- 'usr/lib64/firefox/distribution/policies.json'
- 'usr/lib64/firefox/distribution/policies.json'
- name: Copy arkenfox template
ansible.builtin.template:
src: 'userjs.j2'
dest: '/usr/lib64/firefox/browser/defaults/preferences/user.js'
mode: '0644'
- name: 'Remove default Fedora project homepage'
ansible.builtin.lineinfile:
path: '/usr/lib64/firefox/browser/defaults/preferences/firefox-redhat-default-prefs.js'
state: 'absent'
regexp: '/browser.newtabpage.pinned/'

1309
roles/arkenfox/templates/userjs-arkenfox.js.j2 Normal file
View file

File diff suppressed because it is too large Load diff

55
roles/arkenfox/templates/userjs-brace.js.j2 Normal file
View file

@ -0,0 +1,55 @@
//Look
pref("browser.ctrlTab.recentlyUsedOrder", false);
pref("browser.privatebrowsing.vpnpromourl", "");
pref("browser.vpn_promo.enabled", false);
pref("browser.tabs.drawInTitlebar", true);
pref("devtools.netmonitor.persistlog", true);
pref("devtools.webconsole.persistlog", true);
pref("general.smoothScroll", false);
pref("widget.allow-client-side-decoration", true);
pref("mailnews.start_page.enabled", false);
pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "{}"); //BRACE-KEEP_FOR_NOW
pref("browser.library.activity-stream.enabled", false); //BRACE-UNCOMMENTED
//Privacy
pref("privacy.globalprivacycontrol.enabled", true);
pref("browser.snippets.enabled", false);
pref("browser.snippets.firstrunHomepage.enabled", false);
pref("browser.snippets.syncPromo.enabled", false);
pref("browser.snippets.updateUrl", "");
pref("general.useragent.updates.enabled", false);
pref("network.negotiate-auth.trusted-uris", "");
pref("network.dns.native_https_query", true);
pref("network.trr.uri", "https://dns.quad9.net/dns-query");
pref("network.trr.custom_uri", "https://dns.quad9.net/dns-query");
pref("plugin.expose_full_path", false);
pref("extensions.enigmail.autoWkdLookup", 0);
pref("messenger.status.reportIdle", false);
pref("media.gmp-widevinecdm.visible", false); //BRACE-KEEP_FOR_NOW: proprietary
pref("network.manage-offline-status", false);
pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false);
pref("browser.urlbar.suggest.quicksuggest.sponsored", false);
pref("browser.urlbar.quicksuggest.dataCollection.enabled", false);
pref("mailnews.headers.sendUserAgent", false);
pref("mail.sanitize_date_header", true);
pref("dom.private-attribution.submission.enabled", false);
//Security
pref("browser.gnome-search-provider.enabled", false);
pref("fission.autostart", true); //MULL-COMMENT_ME
pref("security.webauth.u2f", true); //MULL-COMMENT_ME
pref("security.tls.enable_kyber", true);
pref("network.http.http3.enable_kyber", true);
pref("mail.phishing.detection.enabled", true);
pref("mailnews.message_display.disable_remote_image", true);
//Disable Pocket
pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
pref("extensions.pocket.enabled", false);
//Disable Sync
pref("identity.fxaccounts.enabled", false);
//Fix IPv6 when using DoH
pref("network.dns.preferIPv6", true); //BRACE-KEEP_FOR_NOW

19
roles/arkenfox/templates/userjs-override.js.j2 Normal file
View file

@ -0,0 +1,19 @@
pref("privacy.resistFingerprinting.letterboxing", false); // disable letterboxing because it's very annoying
pref("javascript.options.wasm", true); // enable WASM because element and proton need it
pref("general.smoothScroll", true); // why do I have this set?
pref("browser.bookmarks.restore_default_bookmarks", false); // remove Fedora's default bookmarks because I never use them
pref("browser.bookmarks.file", '');
// override blank homepage
pref("browser.startup.page", 1);
pref("browser.startup.homepage", "about:home");
pref("browser.newtabpage.enabled", true);
{% if enable_webgl %}
pref("webgl.disabled", false);
{% else %}
pref("webgl.disabled", true);
{% endif %}

3
roles/arkenfox/templates/userjs.j2 Normal file
View file

@ -0,0 +1,3 @@
{% include './userjs-arkenfox.js.j2' %}
{% include './userjs-brace.js.j2' %}
{% include './userjs-override.js.j2' %}

3
roles/baseline/defaults/main.yaml
View file

@ -1,2 +1,3 @@
umask_changes: false
manage_network: true
manage_network: true
allow_ptrace: false

8
roles/baseline/files/etc/crypto-policies/back-ends/openssh.config Normal file
View file

@ -0,0 +1,8 @@
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
RequiredRSASize 2048

2
roles/baseline/files/etc/dconf/db/local.d/adw-gtk3-dark
View file

@ -1,2 +0,0 @@
[org/gnome/desktop/interface]
gtk-theme='adw-gtk3-dark'

2
roles/baseline/files/etc/dconf/db/local.d/prefer-dark
View file

@ -1,2 +0,0 @@
[org/gnome/desktop/interface]
color-scheme='prefer-dark'

4
roles/baseline/files/etc/modprobe.d/workstation-blacklist.conf
View file

@ -39,8 +39,8 @@ install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
# I think blacklisting hfs or hfsplus breaks USBs, but not sure
install hfs /bin/false
install hfsplus /bin/false
# install hfs /bin/false
# install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false
install cifs /bin/false

34
roles/baseline/tasks/main.yaml
View file

@ -31,7 +31,6 @@
replace: 'umask 077'
when: umask_changes == true
- name: Make home directory private
ansible.builtin.file:
path: /home/*
@ -48,8 +47,13 @@
loop:
- 'etc/ssh/ssh_config.d/10-custom.conf'
- 'etc/modprobe.d/workstation-blacklist.conf'
- 'etc/sysctl.d/99-workstation.conf'
- 'etc/crypto-policies/back-ends/openssh.config'
- name: Kernel sysctl config
ansible.builtin.template:
src: 'etc/sysctl.d/99-workstation.conf.j2'
dest: '/etc/sysctl.d/99-workstation.conf'
mode: '0644'
- name: Reload sysctl
shell: 'sysctl -p'
@ -96,7 +100,7 @@
- 'etc/dconf/db/local.d/privacy'
- name: Update dconf
shell: sudo dconf update
shell: 'dconf update'
- name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT
ansible.builtin.copy:
@ -121,25 +125,41 @@
state: latest
- name: Mark packages as manually installed to avoid removal
shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
shell: 'dnf mark user flatpak gnome-menus qubes-menus -y'
- name: Enable hardened_malloc COPR
shell: 'sudo dnf copr enable secureblue/hardened_malloc -y'
shell: 'dnf copr enable secureblue/hardened_malloc -y'
- name: Install hardened_malloc
ansible.builtin.dnf5:
name: 'hardened_malloc'
state: 'present'
when: use_hardened_malloc == true
- name: Install custom packages
ansible.builtin.dnf5:
name:
- 'qubes-ctap'
- 'qubes-gpg-split'
- 'flatpak'
- 'ncurses'
- 'xdg-desktop-portal-gtk'
- 'qubes-video-companion'
- name: Enable hardened_malloc
ansible.builtin.copy:
src: 'etc/ld.so.preload'
dest: '/etc/ld.so.preload'
mode: '0644'
when: use_hardened_malloc == true
- name: Enable hardened_malloc for system wide flatpak
shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
shell: 'flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
when: use_hardened_malloc == true
- name: Enable hardened_malloc for user flatpak # has to be run per APP VM
shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
when: use_hardened_malloc == true
- name: Setup dnf repos
ansible.builtin.copy:
src: 'etc/dnf/dnf.conf'
@ -159,4 +179,4 @@
path: '{{ item.path }}'
regexp: '^(metalink=.*)$'
line: '\1&protocol=https'
loop: '{{ found_files.files }}'
loop: '{{ found_files.files }}'

7
roles/sudo-dom0-prompt/files/etc/sysctl.d/99-workstation.conf → roles/baseline/templates/etc/sysctl.d/99-workstation.conf.j2
View file

@ -43,12 +43,15 @@ net.core.bpf_jit_harden = 2
kernel.unprivileged_userns_clone = 1
# Disable ptrace. Not needed on workstations.
{% if allow_ptrace %}
kernel.yama.ptrace_scope = 1
{% else %}
kernel.yama.ptrace_scope = 3
{% endif %}
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
# Restrict performance events from unprivileged users as much as possible.
# We are using 4 here, since Ubuntu supports such a level.
# Official Linux kernel documentation only says >= so it probably will work.
# Official/ Linux kernel documentation only says >= so it probably will work.
kernel.perf_event_paranoid = 4
# Disable io_uring

1
roles/devtools/files/dotfiles Submodule

@ -0,0 +1 @@
Subproject commit 8cb281f4362ef3d473d787557a1d11ff134829e0

7
roles/gnome/tasks/main.yaml
View file

@ -9,7 +9,7 @@
state: latest
- name: Mark packages as manually installed to avoid removal
shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
shell: 'dnf mark user flatpak gnome-menus qubes-menus -y'
- name: Remove unnecessary stuff from the template
ansible.builtin.dnf5:
@ -21,7 +21,6 @@
- 'gnome-software'
- 'httpd'
- 'keepassxc'
- 'thunderbird'
- 'fedora-bookmarks'
- 'fedora-chromium-config'
- 'samba-client'
@ -82,9 +81,9 @@
- name: Install custom packages
ansible.builtin.dnf5:
name:
# - 'qubes-ctap'
- 'qubes-ctap'
- 'qubes-gpg-split'
- 'ncurses'
# - 'gnome-shell'
- 'xdg-desktop-portal-gtk'
- 'ptyxis'
state: 'present'

20
roles/qubes-f41-gnome/tasks/files/etc/authselect/custom/sudo-dom0-prompt/system-auth
View file

@ -1,20 +0,0 @@
# Generated by authselect
# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
# See authselect(8) for more details.
auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
auth requisite pam_deny.so
auth required pam_permit.so
account required pam_unix.so
password requisite pam_pwquality.so
password sufficient pam_unix.so yescrypt shadow nullok use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

2
roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/adw-gtk3-dark
View file

@ -1,2 +0,0 @@
[org/gnome/desktop/interface]
gtk-theme='adw-gtk3-dark'

4
roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/automount-disable
View file

@ -1,4 +0,0 @@
[org/gnome/desktop/media-handling]
automount=false
automount-open=false
autorun-never=true

3
roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/locks/automount-disable
View file

@ -1,3 +0,0 @@
org/gnome/desktop/media-handling/automount
org/gnome/desktop/media-handling/automount-open
/org/gnome/desktop/media-handling/autorun-never

14
roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/locks/privacy
View file

@ -1,14 +0,0 @@
/org/gnome/system/location/enabled
/org/gnome/desktop/privacy/remember-recent-files
/org/gnome/desktop/privacy/remove-old-trash-files
/org/gnome/desktop/privacy/remove-old-temp-files
/org/gnome/desktop/privacy/report-technical-problems
/org/gnome/desktop/privacy/send-software-usage-stats
/org/gnome/desktop/privacy/remember-app-usage
/org/gnome/online-accounts/whitelisted-providers
/org/gnome/desktop/remote-desktop/rdp/enable
/org/gnome/desktop/remote-desktop/vnc/enable

2
roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/prefer-dark
View file

@ -1,2 +0,0 @@
[org/gnome/desktop/interface]
color-scheme='prefer-dark'

16
roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/privacy
View file

@ -1,16 +0,0 @@
[org/gnome/system/location]
enabled=false
[org/gnome/desktop/privacy]
remember-recent-files=false
remove-old-trash-files=true
remove-old-temp-files=true
report-technical-problems=false
send-software-usage-stats=false
remember-app-usage=false
[org/gnome/desktop/remote-desktop/rdp]
enable=false
[org/gnome/desktop/remote-desktop/vnc]
enable=false

11
roles/qubes-f41-gnome/tasks/files/etc/dnf/dnf.conf
View file

@ -1,11 +0,0 @@
[main]
gpgcheck=True
installonly_limit=3
clean_requirements_on_remove=True
best=False
skip_if_unavailable=True
max_parallel_downloads=10
deltarpm=False
defaultyes=True
install_weak_deps=False
countme=False

3
roles/qubes-f41-gnome/tasks/files/etc/environment
View file

@ -1,3 +0,0 @@
JavaScriptCoreUseJIT=0
GJS_DISABLE_JIT=1
XDG_CURRENT_DESKTOP=GNOME

1
roles/qubes-f41-gnome/tasks/files/etc/ld.so.preload
View file

@ -1 +0,0 @@
libhardened_malloc.so

114
roles/qubes-f41-gnome/tasks/files/etc/modprobe.d/workstation-blacklist.conf
View file

@ -1,114 +0,0 @@
# unused network protocols
install dccp /bin/false
install sctp /bin/false
install rds /bin/false
install tipc /bin/false
install n-hdlc /bin/false
install ax25 /bin/false
install netrom /bin/false
install x25 /bin/false
install rose /bin/false
install decnet /bin/false
install econet /bin/false
install af_802154 /bin/false
install ipx /bin/false
install appletalk /bin/false
install psnap /bin/false
install p8023 /bin/false
install p8022 /bin/false
install can /bin/false
install atm /bin/false
# firewire and thunderbolt
install firewire-core /bin/false
install firewire_core /bin/false
install firewire-ohci /bin/false
install firewire_ohci /bin/false
install firewire_sbp2 /bin/false
install firewire-sbp2 /bin/false
install firewire-net /bin/false
install thunderbolt /bin/false
install ohci1394 /bin/false
install sbp2 /bin/false
install dv1394 /bin/false
install raw1394 /bin/false
install video1394 /bin/false
# unused filesystems
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false
install cifs /bin/false
install nfs /bin/false
install nfsv3 /bin/false
install nfsv4 /bin/false
install ksmbd /bin/false
install gfs2 /bin/false
install reiserfs /bin/false
install kafs /bin/false
install orangefs /bin/false
install 9p /bin/false
install adfs /bin/false
install affs /bin/false
install afs /bin/false
install befs /bin/false
install ceph /bin/false
install coda /bin/false
install ecryptfs /bin/false
install erofs /bin/false
install jfs /bin/false
install minix /bin/false
install netfs /bin/false
install nilfs2 /bin/false
install ocfs2 /bin/false
install romfs /bin/false
install ubifs /bin/false
install zonefs /bin/false
install sysv /bin/false
install ufs /bin/false
# disable vivid
install vivid /bin/false
# disable GNSS
install gnss /bin/false
install gnss-mtk /bin/false
install gnss-serial /bin/false
install gnss-sirf /bin/false
install gnss-usb /bin/false
install gnss-ubx /bin/false
# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
install bluetooth /bin/false
install btusb /bin/false
# blacklist ath_pci
blacklist ath_pci
# blacklist cdrom
blacklist cdrom
blacklist sr_mod
# blacklist framebuffer drivers
# source, ubuntu: https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf
blacklist cyber2000fb
blacklist cyblafb
blacklist gx1fb
blacklist hgafb
blacklist kyrofb
blacklist lxfb
blacklist matroxfb_base
blacklist neofb
blacklist nvidiafb
blacklist pm2fb
blacklist s1d13xxxfb
blacklist sisfb
blacklist tdfxfb
blacklist vesafb
blacklist vfb
blacklist vt8623fb
blacklist udlfb

1
roles/qubes-f41-gnome/tasks/files/etc/security/limits.d/30-disable-coredump.conf
View file

@ -1 +0,0 @@
* hard core 0

2
roles/qubes-f41-gnome/tasks/files/etc/skel/flathub.sh
View file

@ -1,2 +0,0 @@
flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo
systemctl enable --user --now update-user-flatpaks.timer

2
roles/qubes-f41-gnome/tasks/files/etc/ssh/ssh_config.d/10-custom.conf
View file

@ -1,2 +0,0 @@
GSSAPIAuthentication no
VerifyHostKeyDNS yes

4
roles/qubes-f41-gnome/tasks/files/etc/sudoers.d/qubes
View file

@ -1,4 +0,0 @@
Defaults !requiretty
user ALL=(ALL) ALL
# vim: ft=sudoers

119
roles/qubes-f41-gnome/tasks/files/etc/sysctl.d/99-workstation.conf
View file

@ -1,119 +0,0 @@
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
dev.tty.ldisc_autoload = 0
# https://access.redhat.com/solutions/1985633
# Seems dangerous.
# Roseta need this though, so if you use it change it to 1.
fs.binfmt_misc.status = 0
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
# Enable fs.protected sysctls.
fs.protected_regular = 2
fs.protected_fifos = 2
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
# Disable coredumps.
# For additional safety, disable coredumps using ulimit and systemd too.
kernel.core_pattern=|/bin/false
fs.suid_dumpable = 0
# Restrict dmesg to CAP_SYS_LOG.
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
kernel.dmesg_restrict = 1
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
# Restrict access to /proc.
kernel.kptr_restrict = 2
# Not needed, I don't do livepatching and reboot regularly.
# On a workstation, this shouldn't be used at all. Don't live patch, just reboot.
kernel.kexec_load_disabled = 1
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
# Basically, restrict eBPF to CAP_BPF.
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
# Needed for Flatpak and Bubblewrap.
kernel.unprivileged_userns_clone = 1
# Disable ptrace. Not needed on workstations.
kernel.yama.ptrace_scope = 3
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
# Restrict performance events from unprivileged users as much as possible.
# We are using 4 here, since Ubuntu supports such a level.
# Official Linux kernel documentation only says >= so it probably will work.
kernel.perf_event_paranoid = 4
# Disable io_uring
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
# on a Proxmox node.
kernel.io_uring_disabled = 2
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# Disable sysrq.
kernel.sysrq = 0
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
# Not running a router here, so no redirects.
net.ipv4.conf.*.send_redirects = 0
net.ipv4.conf.*.accept_redirects = 0
net.ipv6.conf.*.accept_redirects = 0
# Check if the source of the IP address is reachable through the same interface it came in
# Basic IP spoofing mitigation.
net.ipv4.conf.*.rp_filter = 1
# Do not respond to ICMP.
net.ipv4.icmp_echo_ignore_all = 1
net.ipv6.icmp.echo_ignore_all = 1
# Ignore Bogus ICMP responses.
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable IP Forwarding.
# Needed for VM networking and whatnot.
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
# Ignore bogus icmp response.
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Protection against time-wait assasination attacks.
net.ipv4.tcp_rfc1337 = 1
# Enable SYN cookies.
# Basic SYN flood mitigation.
net.ipv4.tcp_syncookies = 1
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
# Make sure TCP timestamp is enabled.
net.ipv4.tcp_timestamps = 1
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
# Disable TCP SACK.
# We have good networking :)
net.ipv4.tcp_sack = 0
# No SACK, therefore no Duplicated SACK.
net.ipv4.tcp_dsack = 0
# Improve ALSR effectiveness for mmap.
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# Restrict userfaultfd to CAP_SYS_PTRACE.
# https://bugs.archlinux.org/task/62780
# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
# probably not used in the real world at all.
vm.unprivileged_userfaultfd = 0

2
roles/qubes-f41-gnome/tasks/files/etc/systemd/coredump.conf.d/disable.conf
View file

@ -1,2 +0,0 @@
[Coredump]
Storage=none

28
roles/qubes-f41-gnome/tasks/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf
View file

@ -1,28 +0,0 @@
[Service]
# Hardening
CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
LockPersonality=true
MemoryDenyWriteExecute=true
#PrivateDevices=true #breaks tun usage
#ProtectProc=invisible
PrivateTmp=yes
ProtectClock=true
ProtectControlGroups=true
ProtectHome=read-only
ProtectKernelLogs=true
#ProtectKernelModules=true
#ProtectSystem=strict
#ReadOnlyPaths=/etc/NetworkManager
ReadOnlyPaths=-/home
#ReadWritePaths=-/etc/NetworkManager/system-connections
ReadWritePaths=-/etc/sysconfig/network-scripts
ReadWritePaths=/var/lib/NetworkManager
ReadWritePaths=-/var/run/NetworkManager
ReadWritePaths=-/run/NetworkManager
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
UMask=0077

6
roles/qubes-f41-gnome/tasks/files/etc/systemd/user/update-user-flatpaks.service
View file

@ -1,6 +0,0 @@
[Unit]
Description=Update user Flatpaks
[Service]
Type=oneshot
ExecStart=/usr/bin/flatpak --user update -y

9
roles/qubes-f41-gnome/tasks/files/etc/systemd/user/update-user-flatpaks.timer
View file

@ -1,9 +0,0 @@
[Unit]
Description=Update user Flatpaks daily
[Timer]
OnCalendar=daily
Persistent=true
[Install]
WantedBy=timers.target

4
roles/qubes-f41-gnome/tasks/files/etc/systemd/zram-generator.conf
View file

@ -1,4 +0,0 @@
[zram0]
zram-fraction = 1
max-zram-size = 8192
compression-algorithm = zstd

2
roles/qubes-f41-gnome/tasks/files/etc/xdg-desktop-portal/portals.conf
View file

@ -1,2 +0,0 @@
[preferred]
default=gtk;

0
roles/qubes-f41-gnome/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js
View file

0
roles/qubes-f41-gnome/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js
View file

285
roles/qubes-f41-gnome/tasks/main.yaml
View file

@ -1,285 +0,0 @@
- name: Configure Fedora 41 Gnome Template
hosts: 127.0.0.1
connection: local
tasks:
- name: Kill debug-shell service
ansible.builtin.systemd_service:
name: debug-shell.service
masked: true
- name: Kill kdump service
ansible.builtin.systemd_service:
name: kdump.service
masked: true
- name: Set umask to 077
shell: umask 077
- name: Set umask to 077 in login.defs
ansible.builtin.replace:
path: /etc/login.defs
regexp: '^UMASK.*'
replace: 'UMASK 077'
- name: Set umask to 077 in logins.defs
ansible.builtin.replace:
path: /etc/login.defs
regexp: '^HOME_MODE'
replace: '#HOME_MODE'
- name: Set umask to 077 in bashrc
ansible.builtin.replace:
path: /etc/bashrc
regexp: 'umask 022'
replace: 'umask 077'
- name: Make home directory private
ansible.builtin.file:
path: /home/*
state: directory
recurse: true
mode: '0700'
- name: Harden SSH, add kernel blacklist and hardening
ansible.builtin.copy:
src: '{{ item }}'
dest: '/{{ item }}'
mode: '0644'
loop:
- 'etc/ssh/ssh_config.d/10-custom.conf'
- 'etc/modprobe.d/workstation-blacklist.conf'
- 'etc/sysctl.d/99-workstation.conf'
- name: Reload sysctl
shell: 'sysctl -p'
- name: Create coredump.conf.d
ansible.builtin.file:
path: '/etc/systemd/coredump.conf.d'
state: 'directory'
mode: '0755'
- name: Make locks dir for dconf
ansible.builtin.file:
path: '/etc/dconf/db/local.d/locks'
state: 'directory'
mode: '0755'
- name: Create XDG portals directory
ansible.builtin.file:
path: '/etc/xdg-desktop-portal'
state: 'directory'
mode: '0755'
- name: Create /etc/systemd/system/NetworkManager.service.d
ansible.builtin.file:
path: '/etc/systemd/system/NetworkManager.service.d'
state: 'directory'
mode: '0755'
- name: Copy dconf files + xdg-desktop-portals fix + Network manager
ansible.builtin.copy:
src: '{{ item }}'
dest: '/{{ item }}'
mode: '0644'
loop:
- 'etc/security/limits.d/30-disable-coredump.conf'
- 'etc/systemd/coredump.conf.d/disable.conf'
- 'etc/dconf/db/local.d/locks/automount-disable'
- 'etc/dconf/db/local.d/locks/privacy'
- 'etc/dconf/db/local.d/adw-gtk3-dark'
- 'etc/dconf/db/local.d/automount-disable'
- 'etc/dconf/db/local.d/prefer-dark'
- 'etc/dconf/db/local.d/privacy'
- 'etc/xdg-desktop-portal/portals.conf'
- 'etc/systemd/system/NetworkManager.service.d/99-brace.conf'
- name: Update dconf
shell: sudo dconf update
- name: Setup ZRAM, flatpak updater and environment variables to disable GJS, WebkitGTK JIT, and fix GNOME env variable
ansible.builtin.copy:
src: '{{ item }}'
dest: '/{{ item }}'
mode: '0600'
loop:
- 'etc/systemd/zram-generator.conf'
- 'etc/systemd/user/update-user-flatpaks.service'
- 'etc/systemd/user/update-user-flatpaks.timer'
- 'etc/environment'
- name: Upgrade all packages
ansible.builtin.dnf5:
name: "*"
state: latest
- name: Mark packages as manually installed to avoid removal
shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
- name: Remove unnecessary stuff from the template
ansible.builtin.dnf5:
name:
- '@Container Management'
- '@Desktop Accessibility'
- '@Guest Desktop Agents'
- '@Printing Support'
- 'gnome-software'
- 'httpd'
- 'keepassxc'
- 'thunderbird'
- 'fedora-bookmarks'
- 'fedora-chromium-config'
- 'samba-client'
- 'gvfs-smb'
- 'NetworkManager-pptp-gnome'
- 'NetworkManager-ssh-gnome'
- 'NetworkManager-openconnect-gnome'
- 'NetworkManager-openvpn-gnome'
- 'NetworkManager-vpnc-gnome'
- 'ppp*'
- 'ModemManager'
- 'baobab'
- 'chrome-gnome-shell'
- 'eog'
- 'gnome-boxes'
- 'gnome-calculator'
- 'gnome-calendar'
- 'gnome-characters'
- 'gnome-classic*'
- 'gnome-clocks'
- 'gnome-color-manager'
- 'gnome-connections'
- 'gnome-contacts'
- 'gnome-disk-utility'
- 'gnome-font-viewer'
- 'gnome-logs'
- 'gnome-maps'
- 'gnome-photos'
- 'gnome-remote-desktop'
- 'gnome-screenshot'
- 'gnome-shell-extension-apps-menu'
- 'gnome-shell-extension-background-logo'
- 'gnome-shell-extension-launch-new-instance'
- 'gnome-shell-extension-places-menu'
- 'gnome-shell-extension-window-list'
- 'gnome-text-editor'
- 'gnome-themes-extra'
- 'gnome-tour'
- 'gnome-user*'
- 'gnome-weather'
- 'loupe'
- 'snapshot'
- 'totem'
- 'cheese'
- 'evince'
- 'file-roller*'
- 'libreoffice*'
- 'mediawriter'
- 'rhythmbox'
- 'yelp'
- 'lvm2'
- 'rng-tools'
- 'thermald'
state: 'absent'
allowerasing: true
autoremove: true
- name: Install custom packages
ansible.builtin.dnf5:
name:
- 'qubes-ctap'
- 'qubes-gpg-split'
- 'adw-gtk3-theme'
- 'ncurses'
- 'gnome-shell'
- 'ptyxis'
state: 'present'
- name: Enable hardened_malloc COPR
shell: 'sudo dnf copr enable secureblue/hardened_malloc -y'
- name: Install hardened_malloc
ansible.builtin.dnf5:
name: 'hardened_malloc'
state: 'present'
- name: Enable hardened_malloc
ansible.builtin.copy:
src: 'etc/ld.so.preload'
dest: '/etc/ld.so.preload'
mode: '0644'
- name: Enable hardened_malloc for system wide flatpak
shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
- name: Enable hardened_malloc for user flatpak # has to be run per APP VM
shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
- name: Setup dnf repos
ansible.builtin.copy:
src: 'etc/dnf/dnf.conf'
dest: '/etc/dnf/dnf.conf'
mode: '0644'
- name: Get list of files
ansible.builtin.find:
paths: /etc/yum.repos.d/
recurse: true
register: found_files
- name: Replace text in those files
ansible.builtin.lineinfile:
backup: true
backrefs: true
path: '{{ item.path }}'
regexp: '^(metalink=.*)$'
line: '\1&protocol=https'
loop: '{{ found_files.files }}'
- name: Check that the sudo-dom0-prompt exists
stat:
path: '/etc/authselect/custom/sudo-dom0-prompt'
register: stat_result
- name: Create authselect profile
shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam
when: not stat_result.stat.exists
- name: Copy authselect file
ansible.builtin.copy:
src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside'
mode: '0644'
- name: Copy authselect folder
ansible.builtin.copy:
src: '/etc/authselect/system-auth'
dest: '/etc/authselect/custom/sudo-dom0-prompt'
mode: '0755'
- name: Copy authselect file
ansible.builtin.copy:
src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth'
dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
mode: '0644'
- name: Select authselect profile
shell: authselect select custom/sudo-dom0-prompt
- name: Fix sudoers.d
ansible.builtin.copy:
src: 'etc/sudoers.d/qubes'
dest: '/etc/sudoers.d/qubes'
mode: '0440'
- name: Check that allow all rule doesn't exist
stat:
path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
register: allow_all_result
- name: Delete allow all rule
ansible.builtin.file:
path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
state: 'absent'
when: allow_all_result.stat.exists
- name: Drop flathub script to homedir for any new appvms created based on this template
ansible.builtin.copy:
src: 'etc/skel/flathub.sh'
dest: '/etc/skel/flathub.sh'
mode: '0700'

1
roles/qubes-f41-gnome/vars/main.yaml
View file

@ -1 +0,0 @@
packages_to_remove:

20
roles/sudo-dom0-prompt/files/etc/authselect/custom/sudo-dom0-prompt/system-auth
View file

@ -1,20 +0,0 @@
# Generated by authselect
# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
# See authselect(8) for more details.
auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
auth requisite pam_deny.so
auth required pam_permit.so
account required pam_unix.so
password requisite pam_pwquality.so
password sufficient pam_unix.so yescrypt shadow nullok use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

2
roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/adw-gtk3-dark
View file

@ -1,2 +0,0 @@
[org/gnome/desktop/interface]
gtk-theme='adw-gtk3-dark'

4
roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/automount-disable
View file

@ -1,4 +0,0 @@
[org/gnome/desktop/media-handling]
automount=false
automount-open=false
autorun-never=true

3
roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/automount-disable
View file

@ -1,3 +0,0 @@
org/gnome/desktop/media-handling/automount
org/gnome/desktop/media-handling/automount-open
/org/gnome/desktop/media-handling/autorun-never

14
roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/privacy
View file

@ -1,14 +0,0 @@
/org/gnome/system/location/enabled
/org/gnome/desktop/privacy/remember-recent-files
/org/gnome/desktop/privacy/remove-old-trash-files
/org/gnome/desktop/privacy/remove-old-temp-files
/org/gnome/desktop/privacy/report-technical-problems
/org/gnome/desktop/privacy/send-software-usage-stats
/org/gnome/desktop/privacy/remember-app-usage
/org/gnome/online-accounts/whitelisted-providers
/org/gnome/desktop/remote-desktop/rdp/enable
/org/gnome/desktop/remote-desktop/vnc/enable

2
roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/prefer-dark
View file

@ -1,2 +0,0 @@
[org/gnome/desktop/interface]
color-scheme='prefer-dark'

16
roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/privacy
View file

@ -1,16 +0,0 @@
[org/gnome/system/location]
enabled=false
[org/gnome/desktop/privacy]
remember-recent-files=false
remove-old-trash-files=true
remove-old-temp-files=true
report-technical-problems=false
send-software-usage-stats=false
remember-app-usage=false
[org/gnome/desktop/remote-desktop/rdp]
enable=false
[org/gnome/desktop/remote-desktop/vnc]
enable=false

11
roles/sudo-dom0-prompt/files/etc/dnf/dnf.conf
View file

@ -1,11 +0,0 @@
[main]
gpgcheck=True
installonly_limit=3
clean_requirements_on_remove=True
best=False
skip_if_unavailable=True
max_parallel_downloads=10
deltarpm=False
defaultyes=True
install_weak_deps=False
countme=False

3
roles/sudo-dom0-prompt/files/etc/environment
View file

@ -1,3 +0,0 @@
JavaScriptCoreUseJIT=0
GJS_DISABLE_JIT=1
XDG_CURRENT_DESKTOP=GNOME

1
roles/sudo-dom0-prompt/files/etc/ld.so.preload
View file

@ -1 +0,0 @@
libhardened_malloc.so

114
roles/sudo-dom0-prompt/files/etc/modprobe.d/workstation-blacklist.conf
View file

@ -1,114 +0,0 @@
# unused network protocols
install dccp /bin/false
install sctp /bin/false
install rds /bin/false
install tipc /bin/false
install n-hdlc /bin/false
install ax25 /bin/false
install netrom /bin/false
install x25 /bin/false
install rose /bin/false
install decnet /bin/false
install econet /bin/false
install af_802154 /bin/false
install ipx /bin/false
install appletalk /bin/false
install psnap /bin/false
install p8023 /bin/false
install p8022 /bin/false
install can /bin/false
install atm /bin/false
# firewire and thunderbolt
install firewire-core /bin/false
install firewire_core /bin/false
install firewire-ohci /bin/false
install firewire_ohci /bin/false
install firewire_sbp2 /bin/false
install firewire-sbp2 /bin/false
install firewire-net /bin/false
install thunderbolt /bin/false
install ohci1394 /bin/false
install sbp2 /bin/false
install dv1394 /bin/false
install raw1394 /bin/false
install video1394 /bin/false
# unused filesystems
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false
install cifs /bin/false
install nfs /bin/false
install nfsv3 /bin/false
install nfsv4 /bin/false
install ksmbd /bin/false
install gfs2 /bin/false
install reiserfs /bin/false
install kafs /bin/false
install orangefs /bin/false
install 9p /bin/false
install adfs /bin/false
install affs /bin/false
install afs /bin/false
install befs /bin/false
install ceph /bin/false
install coda /bin/false
install ecryptfs /bin/false
install erofs /bin/false
install jfs /bin/false
install minix /bin/false
install netfs /bin/false
install nilfs2 /bin/false
install ocfs2 /bin/false
install romfs /bin/false
install ubifs /bin/false
install zonefs /bin/false
install sysv /bin/false
install ufs /bin/false
# disable vivid
install vivid /bin/false
# disable GNSS
install gnss /bin/false
install gnss-mtk /bin/false
install gnss-serial /bin/false
install gnss-sirf /bin/false
install gnss-usb /bin/false
install gnss-ubx /bin/false
# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
install bluetooth /bin/false
install btusb /bin/false
# blacklist ath_pci
blacklist ath_pci
# blacklist cdrom
blacklist cdrom
blacklist sr_mod
# blacklist framebuffer drivers
# source, ubuntu: https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf
blacklist cyber2000fb
blacklist cyblafb
blacklist gx1fb
blacklist hgafb
blacklist kyrofb
blacklist lxfb
blacklist matroxfb_base
blacklist neofb
blacklist nvidiafb
blacklist pm2fb
blacklist s1d13xxxfb
blacklist sisfb
blacklist tdfxfb
blacklist vesafb
blacklist vfb
blacklist vt8623fb
blacklist udlfb

1
roles/sudo-dom0-prompt/files/etc/security/limits.d/30-disable-coredump.conf
View file

@ -1 +0,0 @@
* hard core 0

2
roles/sudo-dom0-prompt/files/etc/skel/flathub.sh
View file

@ -1,2 +0,0 @@
flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo
systemctl enable --user --now update-user-flatpaks.timer

2
roles/sudo-dom0-prompt/files/etc/ssh/ssh_config.d/10-custom.conf
View file

@ -1,2 +0,0 @@
GSSAPIAuthentication no
VerifyHostKeyDNS yes

4
roles/sudo-dom0-prompt/files/etc/sudoers.d/qubes
View file

@ -1,4 +0,0 @@
Defaults !requiretty
user ALL=(ALL) ALL
# vim: ft=sudoers

2
roles/sudo-dom0-prompt/files/etc/systemd/coredump.conf.d/disable.conf
View file

@ -1,2 +0,0 @@
[Coredump]
Storage=none

28
roles/sudo-dom0-prompt/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf
View file

@ -1,28 +0,0 @@
[Service]
# Hardening
CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
LockPersonality=true
MemoryDenyWriteExecute=true
#PrivateDevices=true #breaks tun usage
#ProtectProc=invisible
PrivateTmp=yes
ProtectClock=true
ProtectControlGroups=true
ProtectHome=read-only
ProtectKernelLogs=true
#ProtectKernelModules=true
#ProtectSystem=strict
#ReadOnlyPaths=/etc/NetworkManager
ReadOnlyPaths=-/home
#ReadWritePaths=-/etc/NetworkManager/system-connections
ReadWritePaths=-/etc/sysconfig/network-scripts
ReadWritePaths=/var/lib/NetworkManager
ReadWritePaths=-/var/run/NetworkManager
ReadWritePaths=-/run/NetworkManager
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
UMask=0077

6
roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.service
View file

@ -1,6 +0,0 @@
[Unit]
Description=Update user Flatpaks
[Service]
Type=oneshot
ExecStart=/usr/bin/flatpak --user update -y

9
roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.timer
View file

@ -1,9 +0,0 @@
[Unit]
Description=Update user Flatpaks daily
[Timer]
OnCalendar=daily
Persistent=true
[Install]
WantedBy=timers.target

4
roles/sudo-dom0-prompt/files/etc/systemd/zram-generator.conf
View file

@ -1,4 +0,0 @@
[zram0]
zram-fraction = 1
max-zram-size = 8192
compression-algorithm = zstd

2
roles/sudo-dom0-prompt/files/etc/xdg-desktop-portal/portals.conf
View file

@ -1,2 +0,0 @@
[preferred]
default=gtk;

0
roles/sudo-dom0-prompt/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js
View file

0
roles/sudo-dom0-prompt/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js
View file

49
roles/sudo-dom0-prompt/tasks/main.yaml
View file

@ -1,49 +0,0 @@
---
- name: Check that the sudo-dom0-prompt exists
stat:
path: '/etc/authselect/custom/sudo-dom0-prompt'
register: stat_result
- name: Create authselect profile
shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam
when: not stat_result.stat.exists
- name: Copy authselect file
ansible.builtin.copy:
src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside'
mode: '0644'
- name: Copy authselect folder
ansible.builtin.copy:
src: '/etc/authselect/system-auth'
dest: '/etc/authselect/custom/sudo-dom0-prompt'
mode: '0755'
- name: Copy authselect file
ansible.builtin.copy:
src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth'
dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
mode: '0644'
- name: Select authselect profile
shell: authselect select custom/sudo-dom0-prompt
- name: Fix sudoers.d
ansible.builtin.copy:
src: 'etc/sudoers.d/qubes'
dest: '/etc/sudoers.d/qubes'
mode: '0440'
- name: Check that allow all rule doesn't exist
stat:
path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
register: allow_all_result
- name: Delete allow all rule
ansible.builtin.file:
path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
state: 'absent'
when: allow_all_result.stat.exists

7
roles/suid_role/tasks/main.yaml Normal file
View file

@ -0,0 +1,7 @@
---
- name: Check that the sudo-dom0-prompt exists
stat:
path: '/etc/authselect/custom/sudo-dom0-prompt'
register: stat_result

1
roles/trivalent/files/etc/skel/trivalent.sh Normal file
View file

@ -0,0 +1 @@
systemctl enable --now --user pactl.service

12
roles/trivalent/files/etc/systemd/system/pactl.service Normal file
View file

@ -0,0 +1,12 @@
[Unit]
Description=Run pactl to work around edge audio bug
After=pipewire-pulse.socket
Requires=pipewire-pulse.socket
[Service]
Type=oneshot
ExecStart=/usr/bin/pactl info
[Install]
WantedBy=default.target

12
roles/trivalent/files/etc/systemd/user/pactl.service Normal file
View file

@ -0,0 +1,12 @@
[Unit]
Description=Run pactl to work around edge audio bug
After=pipewire-pulse.socket
Requires=pipewire-pulse.socket
[Service]
Type=oneshot
ExecStart=/usr/bin/pactl info
[Install]
WantedBy=default.target

9
roles/trivalent/files/etc/trivalent/policies/managed/managed_policies.json Normal file
View file

@ -0,0 +1,9 @@
{
"ExtensionInstallForcelist": [
"ddkjiahejlhfcafbddmgiahcphecmpfh"
],
"DefaultSearchProviderEnabled": true,
"DefaultSearchProviderName": "No AI DuckDuckGo",
"DefaultSearchProviderSearchURL": "https://noai.duckduckgo.com/?t=h_&q={searchTerms}&ia=web"
}

20
roles/trivalent/tasks/main.yaml
View file

@ -12,16 +12,17 @@
mode: '0644'
- name: Enable codecs and stuff
shell: 'sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1'
shell: 'dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1'
- name: Update codecs
shell: 'sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'
shell: 'dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'
- name: Update all
ansible.builtin.dnf5:
name:
- '*'
state: 'latest'
- name: Install trivalent/ffmpeg packages
ansible.builtin.dnf5:
name:
@ -29,3 +30,18 @@
- trivalent
state: 'present'
allowerasing: true
- name: Set trivalent enterprise policies
ansible.builtin.copy:
src: '{{ item }}'
dest: '/{{ item }}'
mode: '0644'
loop:
- 'etc/trivalent/policies/managed/managed_policies.json'
- name: Drop flathub script to homedir for any new appvms created based on this template
ansible.builtin.copy:
src: 'etc/skel/trivalent.sh'
dest: '/etc/skel/trivalent.sh'
mode: '0700'