Merge pull request 'refactor_for_fedora42' (#1) from refactor_for_fedora42 into main

Reviewed-on: #1
2025-09-19 03:57:21 +02:00 · 2025-09-19 03:57:21 +02:00 · 39f6e78dcb
commit 39f6e78dcb
parent ca0faf03c9 8d7c206cbb
79 changed files with 1732 additions and 1073 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -0,0 +1,3 @@
 [submodule "roles/devtools/files/dotfiles"]
 	path = roles/devtools/files/dotfiles
 	url = https://forgejoever.homelab0ne.xyz/mustard/dotfiles
--- a/README.md
+++ b/README.md
@ -1,3 +1,18 @@
 # Ansible playbooks
 Intended to make homelab management easier.
 Git clone this repo to the Fedora 42 GNOME template.
 Ensure prequisite packages are installed:
 ```
 sudo dnf install ansible
 ```
 Execute the playbook:
 ```
 sudo ansible-playbook fedora-42-gnome.yaml 
 ```
--- a/config/id_ed25519.pub
+++ b/config/id_ed25519.pub
@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJITevx5+lKqH9UdQiGoe08+ld3XIWGXxQ3sa2XL4PeN user@homelab-mgmt
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArO9Yty0QuX7jZhDeL6MrZwH+6dbbcidYWWo0qawivb user@homelab-mgmt
--- a/development.yaml
+++ b/development.yaml
@ -1,85 +0,0 @@
 - name: Configure Fedora 42 Gnome Template for development
  hosts: 127.0.0.1
  connection: local
  tasks:
    - name: 'Baseline hardening'
      ansible.builtin.include_role:
        name: 'baseline'
      vars:
        umask_changes: false
        manage_network: true
    - name: 'Gnome package stuff'
      ansible.builtin.include_role:
        name: gnome
 #   - name: 'Setup dom0 prompt for sudo'
 #     ansible.builtin.include_role:
 #       name: sudo-dom0-prompt
    - name: 'Install trivalent'
      ansible.builtin.include_role:
        name: trivalent
 #    - name: 'Setup arkenfox'
 #      ansible.builtin.include_role:
 #        name: arkenfox
    - name: 'Import VSCodium repo key'
      ansible.builtin.rpm_key:
        state: 'present'
        key: 'https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/-/raw/master/pub.gpg'
    - name: 'Import VSCodium repo'
      ansible.builtin.copy:
        src: 'etc/yum.repos.d/vscodium.repo'
        dest:  '/etc/yum.repos.d/vscodium.repo'
    - name: 'Setup docker repo'
      shell: 'sudo dnf config-manager addrepo --from-repofile=https://download.docker.com/linux/fedora/docker-ce.repo -y'
    - name: 'Install vscode and docker'
      ansible.builtin.dnf5:
        name:
          - codium
  #        - docker-ce
  #        - docker-buildx-plugin
  #        - docker-compose-plugin
        state: 'present'
 #   - name: 'Enable docker service'
 #     ansible.builtin.systemd:
 #       name: 'docker'
 #       enabled: true
 #       state: 'started'
 #    - name: Add user to Docker group
 #      user:
 #        name: user
 #        group: docker
 #        append: yes
    - name: Create Qubes bind dirs directory
      file:
        path: /etc/qubes-bind-dirs.d
        state: directory
        mode: '0755'
    - name: Configure Qubes bind dirs
      lineinfile:
        path: /etc/qubes-bind-dirs.d/50_user.conf
        line: 'binds+=( "/var/lib/docker" )'
        state: present
        create: yes
    - name: 'Install wireguard-tools'
      ansible.builtin.dnf5:
        name:
          - wireguard-tools
          - make
          - ccache
          - binwalk
          - qemu-system-mipsel
          - hx
          - neovim
        state: 'present'
--- a/fedora-42-dev.yaml
+++ b/fedora-42-dev.yaml
@ -0,0 +1,42 @@
 - name: Configure Fedora 42 Gnome Template
  hosts: 127.0.0.1
  connection: local
  tasks:
    - name: 'Baseline hardening'
      ansible.builtin.include_role:
        name: 'baseline'
      vars:
        umask_changes: true
        manage_network: true
        allow_ptrace: true
        use_hardened_malloc: true
    - name: 'Gnome package stuff'
      ansible.builtin.include_role:
        name: gnome
    - name: 'Install trivalent'
      ansible.builtin.include_role:
        name: trivalent
    - name: 'Setup arkenfox'
      ansible.builtin.include_role:
        name: arkenfox
      vars:
        enable_webgl: false
    - name: 'Install wireguard-tools and neovim and gdb and podman and other devtools'
      ansible.builtin.dnf5:
        name:
          - wireguard-tools
          - neovim
          - gdb
          - podman
          - glibc-devel
          - opentofu
        state: 'present'
    - name: 'Handle SUID binaries'
      ansible.builtin.script:
        cmd: ./remove_suid.sh
--- a/fedora-42-gnome.yaml
+++ b/fedora-42-gnome.yaml
@ -8,15 +8,13 @@
      vars:
        umask_changes: true
        manage_network: true
-
+        allow_ptrace: false 
        use_hardened_malloc: true
    - name: 'Gnome package stuff'
      ansible.builtin.include_role:
        name: gnome
 #    - name: 'Setup dom0 prompt for sudo'
 #      ansible.builtin.include_role:
 #        name: sudo-dom0-prompt
    - name: 'Install trivalent'
      ansible.builtin.include_role:
        name: trivalent
@ -24,9 +22,16 @@
    - name: 'Setup arkenfox'
      ansible.builtin.include_role:
        name: arkenfox
      vars:
        enable_webgl: false
-    - name: 'Install wireguard-tools'
+    - name: 'Install wireguard-tools and neovim'
      ansible.builtin.dnf5:
        name:
          - wireguard-tools
          - neovim
        state: 'present'
    - name: 'Handle SUID binaries'
      ansible.builtin.script:
        cmd: ./remove_suid.sh
--- a/fedora-42-media.yaml
+++ b/fedora-42-media.yaml
@ -0,0 +1,39 @@
 - name: Configure Fedora 42 Gnome Template
  hosts: 127.0.0.1
  connection: local
  tasks:
    - name: 'Baseline hardening'
      ansible.builtin.include_role:
        name: 'baseline'
      vars:
        umask_changes: true
        manage_network: true
        allow_ptrace: false 
        use_hardened_malloc: false
    - name: 'Gnome package stuff'
      ansible.builtin.include_role:
        name: gnome
    - name: 'Install trivalent'
      ansible.builtin.include_role:
        name: trivalent
    - name: 'Setup arkenfox'
      ansible.builtin.include_role:
        name: arkenfox
      vars:
        enable_webgl: true
    - name: 'Install wireguard-tools and neovim and mpv'
      ansible.builtin.dnf5:
        name:
          - wireguard-tools
          - neovim
          - mpv
        state: 'present'
    - name: 'Handle SUID binaries'
      ansible.builtin.script:
        cmd: ./remove_suid.sh
--- a/remove_suid.sh
+++ b/remove_suid.sh
@ -0,0 +1,116 @@
 #!/usr/bin/env bash
 # Copied from The Secureblue Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software distributed under the License is
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and limitations under the License.
 set -oue pipefail
 # Reference: https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#usrbinchage
 whitelist=(
 # Need to allowlist qrexec binaries to ensure qubes templates (hopefully) don't break, not sure why they're duplicated in /usr/bin and /usr/sbin
    "/usr/bin/qfile-unpacker"
    "/usr/sbin/qfile-unpacker"
    "/usr/lib/qubes/qfile-unpacker"
    "/usr/bin/qrexec-client-vm"
    "/usr/sbin/qrexec-client-vm"
    "/usr/bin/qrexec-fork-server"
    "/usr/sbin/qrexec-fork-server"
    "/usr/bin/qrexec-legacy-convert"
    "/usr/sbin/qrexec-legacy-convert"
    "/usr/bin/qrexec-policy"
    "/usr/sbin/qrexec-policy"
    "/usr/bin/qrexec-policy-agent"
    "/usr/sbin/qrexec-policy-agent"
    "/usr/bin/qrexec-policy-daemon"
    "/usr/sbin/qrexec-policy-daemon"
    "/usr/bin/qrexec-policy-exec"
    "/usr/sbin/qrexec-policy-exec"
    "/usr/bin/qrexec-policy-graph"
    "/usr/sbin/qrexec-policy-graph"   
    "/usr/bin/qrexec-policy-restore"
    "/usr/sbin/qrexec-policy-restore"
    # Required for nvidia closed driver images
    "/usr/bin/nvidia-modprobe"
    # https://gitlab.freedesktop.org/polkit/polkit/-/issues/168
    "/usr/lib/polkit-1/polkit-agent-helper-1"
    # https://github.com/secureblue/secureblue/issues/119
    # Required for hardened_malloc to be used by suid-root processes
    "/usr/lib64/libhardened_malloc-light.so"
    "/usr/lib64/libhardened_malloc-pkey.so"
    "/usr/lib64/libhardened_malloc.so"
    "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-light.so"
    "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-pkey.so"
    "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc.so"
    "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-light.so"
    "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-pkey.so"
    "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc.so"
    "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-light.so"
    "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-pkey.so"
    "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so"
    "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-light.so"
    "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-pkey.so"
    "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc.so"
 )
 is_in_whitelist() {
    local binary="$1"
    for allowed_binary in "${whitelist[@]}"; do
        if [ "$binary" = "$allowed_binary" ]; then
            return 0
        fi
    done
    return 1
 }
 passwd -l root
 dnf remove sudo-python-plugin
 find /usr -type f -perm /4000 |
    while IFS= read -r binary; do
        if ! is_in_whitelist "$binary"; then
            echo "Removing SUID bit from $binary"
            chmod u-s "$binary"
            echo "Removed SUID bit from $binary"
        fi
    done
 find /usr -type f -perm /2000 |
    while IFS= read -r binary; do
        if ! is_in_whitelist "$binary"; then
            echo "Removing SGID bit from $binary"
            chmod g-s "$binary"
            echo "Removed SGID bit from $binary"
        fi
    done
 rm -f /usr/bin/chsh
 rm -f /usr/bin/chfn
 rm -f /usr/bin/pkexec
 rm -f /usr/bin/sudo
 rm -f /usr/bin/su
 rm -f /usr/bin/run0
 set_caps_if_present() {
    local caps="$1"
    local binary_path="$2"
    if [ -f "$binary_path" ]; then
        echo "Setting caps $caps on $binary_path"
        setcap "$caps" "$binary_path"
        echo "Set caps $caps on $binary_path"
    fi
 }
 set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/bin/chage"
 set_caps_if_present "cap_sys_admin=ep" "/usr/bin/fusermount3"
 set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/sbin/unix_chkpwd"
--- a/roles/arkenfox/files/usr/lib64/firefox/distribution/policies.json
+++ b/roles/arkenfox/files/usr/lib64/firefox/distribution/policies.json
@ -1,6 +1,5 @@
 {
 	"policies": {
 		"CaptivePortal": false,
 		"Cookies": {
 			"Behavior": "reject-tracker-and-partition-foreign",
 			"BehaviorPrivateBrowsing": "reject-tracker-and-partition-foreign"
--- a/roles/arkenfox/tasks/main.yaml
+++ b/roles/arkenfox/tasks/main.yaml
@ -4,7 +4,15 @@
    dest: '/{{ item }}'
    mode: '0644'
  loop:
-    - 'usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js'
+    - 'usr/lib64/firefox/distribution/policies.json'
-    - 'usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js'  
+- name: Copy arkenfox template
-    - 'usr/lib64/firefox/browser/defaults/preferences/userjs-override.js'
+  ansible.builtin.template:
-    - 'usr/lib64/firefox/distribution/policies.json'
+    src: 'userjs.j2' 
    dest: '/usr/lib64/firefox/browser/defaults/preferences/user.js'
    mode: '0644'
 - name: 'Remove default Fedora project homepage'
  ansible.builtin.lineinfile:
    path: '/usr/lib64/firefox/browser/defaults/preferences/firefox-redhat-default-prefs.js'
    state: 'absent'
    regexp: '/browser.newtabpage.pinned/'
--- a/roles/arkenfox/templates/userjs-arkenfox.js.j2
+++ b/roles/arkenfox/templates/userjs-arkenfox.js.j2
--- a/roles/arkenfox/templates/userjs-brace.js.j2
+++ b/roles/arkenfox/templates/userjs-brace.js.j2
@ -0,0 +1,55 @@
 //Look
 pref("browser.ctrlTab.recentlyUsedOrder", false);
 pref("browser.privatebrowsing.vpnpromourl", "");
 pref("browser.vpn_promo.enabled", false);
 pref("browser.tabs.drawInTitlebar", true);
 pref("devtools.netmonitor.persistlog", true);
 pref("devtools.webconsole.persistlog", true);
 pref("general.smoothScroll", false);
 pref("widget.allow-client-side-decoration", true);
 pref("mailnews.start_page.enabled", false);
 pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "{}"); //BRACE-KEEP_FOR_NOW
 pref("browser.library.activity-stream.enabled", false); //BRACE-UNCOMMENTED
 //Privacy
 pref("privacy.globalprivacycontrol.enabled", true);
 pref("browser.snippets.enabled", false);
 pref("browser.snippets.firstrunHomepage.enabled", false);
 pref("browser.snippets.syncPromo.enabled", false);
 pref("browser.snippets.updateUrl", "");
 pref("general.useragent.updates.enabled", false);
 pref("network.negotiate-auth.trusted-uris", "");
 pref("network.dns.native_https_query", true);
 pref("network.trr.uri", "https://dns.quad9.net/dns-query");
 pref("network.trr.custom_uri", "https://dns.quad9.net/dns-query");
 pref("plugin.expose_full_path", false);
 pref("extensions.enigmail.autoWkdLookup", 0);
 pref("messenger.status.reportIdle", false);
 pref("media.gmp-widevinecdm.visible", false); //BRACE-KEEP_FOR_NOW: proprietary
 pref("network.manage-offline-status", false);
 pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false);
 pref("browser.urlbar.suggest.quicksuggest.sponsored", false);
 pref("browser.urlbar.quicksuggest.dataCollection.enabled", false);
 pref("mailnews.headers.sendUserAgent", false);
 pref("mail.sanitize_date_header", true);
 pref("dom.private-attribution.submission.enabled", false);
 //Security
 pref("browser.gnome-search-provider.enabled", false);
 pref("fission.autostart", true); //MULL-COMMENT_ME
 pref("security.webauth.u2f", true); //MULL-COMMENT_ME
 pref("security.tls.enable_kyber", true);
 pref("network.http.http3.enable_kyber", true);
 pref("mail.phishing.detection.enabled", true);
 pref("mailnews.message_display.disable_remote_image", true);
 //Disable Pocket
 pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
 pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
 pref("extensions.pocket.enabled", false);
 //Disable Sync
 pref("identity.fxaccounts.enabled", false);
 //Fix IPv6 when using DoH
 pref("network.dns.preferIPv6", true); //BRACE-KEEP_FOR_NOW
--- a/roles/arkenfox/templates/userjs-override.js.j2
+++ b/roles/arkenfox/templates/userjs-override.js.j2
@ -0,0 +1,19 @@
 pref("privacy.resistFingerprinting.letterboxing", false); // disable letterboxing because it's very annoying
 pref("javascript.options.wasm", true); // enable WASM because element and proton need it
 pref("general.smoothScroll", true); // why do I have this set?
 pref("browser.bookmarks.restore_default_bookmarks", false); // remove Fedora's default bookmarks because I never use them
 pref("browser.bookmarks.file", '');
 // override blank homepage
 pref("browser.startup.page", 1);
 pref("browser.startup.homepage", "about:home");
 pref("browser.newtabpage.enabled", true);
 {% if enable_webgl %}
 pref("webgl.disabled", false);
 {% else %}
 pref("webgl.disabled", true);
 {% endif %}
--- a/roles/arkenfox/templates/userjs.j2
+++ b/roles/arkenfox/templates/userjs.j2
@ -0,0 +1,3 @@
 {% include './userjs-arkenfox.js.j2' %}
 {% include './userjs-brace.js.j2' %}   
 {% include './userjs-override.js.j2' %}
--- a/roles/baseline/defaults/main.yaml
+++ b/roles/baseline/defaults/main.yaml
@ -1,2 +1,3 @@
 umask_changes: false
-manage_network: true
+manage_network: true
 allow_ptrace: false
--- a/roles/baseline/files/etc/crypto-policies/back-ends/openssh.config
+++ b/roles/baseline/files/etc/crypto-policies/back-ends/openssh.config
@ -0,0 +1,8 @@
 Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
 MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
 GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
 KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
 PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
 HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
 CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
 RequiredRSASize 2048
--- a/roles/baseline/files/etc/dconf/db/local.d/adw-gtk3-dark
+++ b/roles/baseline/files/etc/dconf/db/local.d/adw-gtk3-dark
@ -1,2 +0,0 @@
 [org/gnome/desktop/interface]
 gtk-theme='adw-gtk3-dark'
--- a/roles/baseline/files/etc/dconf/db/local.d/prefer-dark
+++ b/roles/baseline/files/etc/dconf/db/local.d/prefer-dark
@ -1,2 +0,0 @@
 [org/gnome/desktop/interface]
 color-scheme='prefer-dark'
--- a/roles/baseline/files/etc/modprobe.d/workstation-blacklist.conf
+++ b/roles/baseline/files/etc/modprobe.d/workstation-blacklist.conf
@ -39,8 +39,8 @@ install cramfs /bin/false
 install freevxfs /bin/false
 install jffs2 /bin/false
 # I think blacklisting hfs or hfsplus breaks USBs, but not sure
-install hfs /bin/false
+# install hfs /bin/false
-install hfsplus /bin/false
+# install hfsplus /bin/false
 install squashfs /bin/false
 install udf /bin/false
 install cifs /bin/false
--- a/roles/baseline/tasks/main.yaml
+++ b/roles/baseline/tasks/main.yaml
@ -31,7 +31,6 @@
    replace: 'umask 077'
  when: umask_changes == true
 - name: Make home directory private
  ansible.builtin.file:
    path: /home/*
@ -48,8 +47,13 @@
  loop:
  - 'etc/ssh/ssh_config.d/10-custom.conf'
  - 'etc/modprobe.d/workstation-blacklist.conf'
-  - 'etc/sysctl.d/99-workstation.conf'
+  - 'etc/crypto-policies/back-ends/openssh.config'
 - name: Kernel sysctl config
  ansible.builtin.template:
    src: 'etc/sysctl.d/99-workstation.conf.j2' 
    dest: '/etc/sysctl.d/99-workstation.conf'
    mode: '0644'
 - name: Reload sysctl
  shell: 'sysctl -p'
@ -96,7 +100,7 @@
  - 'etc/dconf/db/local.d/privacy'
 - name: Update dconf
-  shell: sudo dconf update
+  shell: 'dconf update'
 - name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT
  ansible.builtin.copy:
@ -121,25 +125,41 @@
    state: latest
 - name: Mark packages as manually installed to avoid removal
-  shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
+  shell: 'dnf mark user flatpak gnome-menus qubes-menus -y'
 - name: Enable hardened_malloc COPR
-  shell: 'sudo dnf copr enable secureblue/hardened_malloc -y'
+  shell: 'dnf copr enable secureblue/hardened_malloc -y'
 - name: Install hardened_malloc
  ansible.builtin.dnf5:
    name: 'hardened_malloc'
    state: 'present'
  when: use_hardened_malloc == true
 - name: Install custom packages
  ansible.builtin.dnf5:
    name:
      - 'qubes-ctap'
      - 'qubes-gpg-split'
      - 'flatpak'
      - 'ncurses'
      - 'xdg-desktop-portal-gtk'
      - 'qubes-video-companion'
 - name: Enable hardened_malloc
  ansible.builtin.copy:
    src: 'etc/ld.so.preload'
    dest: '/etc/ld.so.preload'
    mode: '0644'
  when: use_hardened_malloc == true
 - name: Enable hardened_malloc for system wide flatpak
-  shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
+  shell: 'flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
  when: use_hardened_malloc == true
 - name: Enable hardened_malloc for user flatpak # has to be run per APP VM
  shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
  when: use_hardened_malloc == true
 - name: Setup dnf repos
  ansible.builtin.copy:
    src: 'etc/dnf/dnf.conf'
@ -159,4 +179,4 @@
    path: '{{ item.path }}'
    regexp: '^(metalink=.*)$'
    line: '\1&protocol=https'
-  loop: '{{ found_files.files }}'
+  loop: '{{ found_files.files }}'
--- a/roles/sudo-dom0-prompt/files/etc/sysctl.d/99-workstation.conf
+++ b/roles/sudo-dom0-prompt/files/etc/sysctl.d/99-workstation.conf
@ -43,12 +43,15 @@ net.core.bpf_jit_harden = 2
 kernel.unprivileged_userns_clone = 1
 # Disable ptrace. Not needed on workstations.
 {% if allow_ptrace %}
 kernel.yama.ptrace_scope = 1
 {% else %}
 kernel.yama.ptrace_scope = 3
-
+{% endif %}
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
 # Restrict performance events from unprivileged users as much as possible.
 # We are using 4 here, since Ubuntu supports such a level.
-# Official Linux kernel documentation only says >= so it probably will work.
+# Official/ Linux kernel documentation only says >= so it probably will work.
 kernel.perf_event_paranoid = 4
 # Disable io_uring
--- a/roles/devtools/files/dotfiles
+++ b/roles/devtools/files/dotfiles
@ -0,0 +1 @@
 Subproject commit 8cb281f4362ef3d473d787557a1d11ff134829e0
--- a/roles/gnome/tasks/main.yaml
+++ b/roles/gnome/tasks/main.yaml
@ -9,7 +9,7 @@
    state: latest
 - name: Mark packages as manually installed to avoid removal
-  shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
+  shell: 'dnf mark user flatpak gnome-menus qubes-menus -y'
 - name: Remove unnecessary stuff from the template
  ansible.builtin.dnf5:
@ -21,7 +21,6 @@
      - 'gnome-software'
      - 'httpd'
      - 'keepassxc'
      - 'thunderbird'
      - 'fedora-bookmarks'
      - 'fedora-chromium-config'
      - 'samba-client'
@ -82,9 +81,9 @@
 - name: Install custom packages
  ansible.builtin.dnf5:
    name:
-#      - 'qubes-ctap'
+      - 'qubes-ctap'
      - 'qubes-gpg-split'
      - 'ncurses'
-#         - 'gnome-shell'
+      - 'xdg-desktop-portal-gtk'
      - 'ptyxis'
    state: 'present'
--- a/roles/qubes-f41-gnome/tasks/files/etc/authselect/custom/sudo-dom0-prompt/system-auth
+++ b/roles/qubes-f41-gnome/tasks/files/etc/authselect/custom/sudo-dom0-prompt/system-auth
@ -1,20 +0,0 @@
 # Generated by authselect
 # Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
 # You can stop authselect from managing your configuration by calling 'authselect opt-out'.
 # See authselect(8) for more details.
 auth        [success=1 default=ignore]                   pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
 auth        requisite                                    pam_deny.so
 auth        required                                     pam_permit.so
 account     required                                     pam_unix.so
 password    requisite                                    pam_pwquality.so
 password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok
 password    required                                     pam_deny.so
 session     optional                                     pam_keyinit.so revoke
 session     required                                     pam_limits.so
 -session    optional                                     pam_systemd.so
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 session     required                                     pam_unix.so
--- a/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/adw-gtk3-dark
+++ b/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/adw-gtk3-dark
@ -1,2 +0,0 @@
 [org/gnome/desktop/interface]
 gtk-theme='adw-gtk3-dark'
--- a/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/automount-disable
+++ b/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/automount-disable
@ -1,4 +0,0 @@
 [org/gnome/desktop/media-handling]
 automount=false
 automount-open=false
 autorun-never=true
--- a/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/locks/automount-disable
+++ b/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/locks/automount-disable
@ -1,3 +0,0 @@
 org/gnome/desktop/media-handling/automount
 org/gnome/desktop/media-handling/automount-open
 /org/gnome/desktop/media-handling/autorun-never
--- a/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/locks/privacy
+++ b/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/locks/privacy
@ -1,14 +0,0 @@
 /org/gnome/system/location/enabled
 /org/gnome/desktop/privacy/remember-recent-files
 /org/gnome/desktop/privacy/remove-old-trash-files
 /org/gnome/desktop/privacy/remove-old-temp-files
 /org/gnome/desktop/privacy/report-technical-problems
 /org/gnome/desktop/privacy/send-software-usage-stats
 /org/gnome/desktop/privacy/remember-app-usage
 /org/gnome/online-accounts/whitelisted-providers
 /org/gnome/desktop/remote-desktop/rdp/enable
 /org/gnome/desktop/remote-desktop/vnc/enable
--- a/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/prefer-dark
+++ b/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/prefer-dark
@ -1,2 +0,0 @@
 [org/gnome/desktop/interface]
 color-scheme='prefer-dark'
--- a/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/privacy
+++ b/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/privacy
@ -1,16 +0,0 @@
 [org/gnome/system/location]
 enabled=false
 [org/gnome/desktop/privacy]
 remember-recent-files=false
 remove-old-trash-files=true
 remove-old-temp-files=true
 report-technical-problems=false
 send-software-usage-stats=false
 remember-app-usage=false
 [org/gnome/desktop/remote-desktop/rdp]
 enable=false
 [org/gnome/desktop/remote-desktop/vnc]
 enable=false
--- a/roles/qubes-f41-gnome/tasks/files/etc/dnf/dnf.conf
+++ b/roles/qubes-f41-gnome/tasks/files/etc/dnf/dnf.conf
@ -1,11 +0,0 @@
 [main]
 gpgcheck=True
 installonly_limit=3
 clean_requirements_on_remove=True
 best=False
 skip_if_unavailable=True
 max_parallel_downloads=10
 deltarpm=False
 defaultyes=True
 install_weak_deps=False
 countme=False
--- a/roles/qubes-f41-gnome/tasks/files/etc/environment
+++ b/roles/qubes-f41-gnome/tasks/files/etc/environment
@ -1,3 +0,0 @@
 JavaScriptCoreUseJIT=0
 GJS_DISABLE_JIT=1
 XDG_CURRENT_DESKTOP=GNOME
--- a/roles/qubes-f41-gnome/tasks/files/etc/ld.so.preload
+++ b/roles/qubes-f41-gnome/tasks/files/etc/ld.so.preload
@ -1 +0,0 @@
 libhardened_malloc.so
--- a/roles/qubes-f41-gnome/tasks/files/etc/modprobe.d/workstation-blacklist.conf
+++ b/roles/qubes-f41-gnome/tasks/files/etc/modprobe.d/workstation-blacklist.conf
@ -1,114 +0,0 @@
 # unused network protocols
 install dccp /bin/false
 install sctp /bin/false
 install rds /bin/false
 install tipc /bin/false
 install n-hdlc /bin/false
 install ax25 /bin/false
 install netrom /bin/false
 install x25 /bin/false
 install rose /bin/false
 install decnet /bin/false
 install econet /bin/false
 install af_802154 /bin/false
 install ipx /bin/false
 install appletalk /bin/false
 install psnap /bin/false
 install p8023 /bin/false
 install p8022 /bin/false
 install can /bin/false
 install atm /bin/false
 # firewire and thunderbolt
 install firewire-core /bin/false
 install firewire_core /bin/false
 install firewire-ohci /bin/false
 install firewire_ohci /bin/false
 install firewire_sbp2 /bin/false
 install firewire-sbp2 /bin/false
 install firewire-net /bin/false
 install thunderbolt /bin/false
 install ohci1394 /bin/false
 install sbp2 /bin/false
 install dv1394 /bin/false
 install raw1394 /bin/false
 install video1394 /bin/false
 # unused filesystems
 install cramfs /bin/false
 install freevxfs /bin/false
 install jffs2 /bin/false
 install hfs /bin/false
 install hfsplus /bin/false
 install squashfs /bin/false
 install udf /bin/false
 install cifs /bin/false
 install nfs /bin/false
 install nfsv3 /bin/false
 install nfsv4 /bin/false
 install ksmbd /bin/false
 install gfs2 /bin/false
 install reiserfs /bin/false
 install kafs /bin/false
 install orangefs /bin/false
 install 9p /bin/false
 install adfs /bin/false
 install affs /bin/false
 install afs /bin/false
 install befs /bin/false
 install ceph /bin/false
 install coda /bin/false
 install ecryptfs /bin/false
 install erofs /bin/false
 install jfs /bin/false
 install minix /bin/false
 install netfs /bin/false
 install nilfs2 /bin/false
 install ocfs2 /bin/false
 install romfs /bin/false
 install ubifs /bin/false
 install zonefs /bin/false
 install sysv /bin/false
 install ufs /bin/false
 # disable vivid
 install vivid /bin/false
 # disable GNSS
 install gnss /bin/false
 install gnss-mtk /bin/false
 install gnss-serial /bin/false
 install gnss-sirf /bin/false
 install gnss-usb /bin/false
 install gnss-ubx /bin/false
 # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
 install bluetooth /bin/false
 install btusb /bin/false
 # blacklist ath_pci
 blacklist ath_pci
 # blacklist cdrom
 blacklist cdrom
 blacklist sr_mod
 # blacklist framebuffer drivers
 # source, ubuntu: https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf
 blacklist cyber2000fb
 blacklist cyblafb
 blacklist gx1fb
 blacklist hgafb
 blacklist kyrofb
 blacklist lxfb
 blacklist matroxfb_base
 blacklist neofb
 blacklist nvidiafb
 blacklist pm2fb
 blacklist s1d13xxxfb
 blacklist sisfb
 blacklist tdfxfb
 blacklist vesafb
 blacklist vfb
 blacklist vt8623fb
 blacklist udlfb
--- a/roles/qubes-f41-gnome/tasks/files/etc/security/limits.d/30-disable-coredump.conf
+++ b/roles/qubes-f41-gnome/tasks/files/etc/security/limits.d/30-disable-coredump.conf
@ -1 +0,0 @@
 * hard core 0
--- a/roles/qubes-f41-gnome/tasks/files/etc/skel/flathub.sh
+++ b/roles/qubes-f41-gnome/tasks/files/etc/skel/flathub.sh
@ -1,2 +0,0 @@
 flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo
 systemctl enable --user --now update-user-flatpaks.timer
--- a/roles/qubes-f41-gnome/tasks/files/etc/ssh/ssh_config.d/10-custom.conf
+++ b/roles/qubes-f41-gnome/tasks/files/etc/ssh/ssh_config.d/10-custom.conf
@ -1,2 +0,0 @@
 GSSAPIAuthentication no
 VerifyHostKeyDNS yes
--- a/roles/qubes-f41-gnome/tasks/files/etc/sudoers.d/qubes
+++ b/roles/qubes-f41-gnome/tasks/files/etc/sudoers.d/qubes
@ -1,4 +0,0 @@
 Defaults !requiretty
 user ALL=(ALL) ALL
 # vim: ft=sudoers
--- a/roles/qubes-f41-gnome/tasks/files/etc/sysctl.d/99-workstation.conf
+++ b/roles/qubes-f41-gnome/tasks/files/etc/sysctl.d/99-workstation.conf
@ -1,119 +0,0 @@
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
 dev.tty.ldisc_autoload = 0
 # https://access.redhat.com/solutions/1985633
 # Seems dangerous.
 # Roseta need this though, so if you use it change it to 1.
 fs.binfmt_misc.status = 0
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
 # Enable fs.protected sysctls.
 fs.protected_regular = 2
 fs.protected_fifos = 2
 fs.protected_symlinks = 1
 fs.protected_hardlinks = 1
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
 # Disable coredumps.
 # For additional safety, disable coredumps using ulimit and systemd too.
 kernel.core_pattern=|/bin/false
 fs.suid_dumpable = 0
 # Restrict dmesg to CAP_SYS_LOG.
 # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
 kernel.dmesg_restrict = 1
 # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
 # https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
 # Restrict access to /proc.
 kernel.kptr_restrict = 2
 # Not needed, I don't do livepatching and reboot regularly.
 # On a workstation, this shouldn't be used at all. Don't live patch, just reboot.
 kernel.kexec_load_disabled = 1
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
 # Basically, restrict eBPF to CAP_BPF.
 kernel.unprivileged_bpf_disabled = 1
 net.core.bpf_jit_harden = 2
 # Needed for Flatpak and Bubblewrap.
 kernel.unprivileged_userns_clone = 1
 # Disable ptrace. Not needed on workstations.
 kernel.yama.ptrace_scope = 3
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
 # Restrict performance events from unprivileged users as much as possible.
 # We are using 4 here, since Ubuntu supports such a level.
 # Official Linux kernel documentation only says >= so it probably will work.
 kernel.perf_event_paranoid = 4
 # Disable io_uring
 # https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
 # https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
 # Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
 # on a Proxmox node.
 kernel.io_uring_disabled = 2
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
 # Disable sysrq.
 kernel.sysrq = 0
 # https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
 # Not running a router here, so no redirects.
 net.ipv4.conf.*.send_redirects = 0
 net.ipv4.conf.*.accept_redirects = 0
 net.ipv6.conf.*.accept_redirects = 0
 # Check if the source of the IP address is reachable through the same interface it came in
 # Basic IP spoofing mitigation.
 net.ipv4.conf.*.rp_filter = 1
 # Do not respond to ICMP.
 net.ipv4.icmp_echo_ignore_all = 1
 net.ipv6.icmp.echo_ignore_all = 1
 # Ignore Bogus ICMP responses.
 net.ipv4.icmp_ignore_bogus_error_responses = 1
 # Enable IP Forwarding.
 # Needed for VM networking and whatnot.
 net.ipv4.ip_forward = 1
 net.ipv6.conf.all.forwarding = 1
 # https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
 # Ignore bogus icmp response.
 net.ipv4.icmp_ignore_bogus_error_responses = 1
 # Protection against time-wait assasination attacks.
 net.ipv4.tcp_rfc1337 = 1
 # Enable SYN cookies.
 # Basic SYN flood mitigation.
 net.ipv4.tcp_syncookies = 1 
 # https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
 # Make sure TCP timestamp is enabled.
 net.ipv4.tcp_timestamps = 1
 # https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
 # Disable TCP SACK.
 # We have good networking :)
 net.ipv4.tcp_sack = 0
 # No SACK, therefore no Duplicated SACK.
 net.ipv4.tcp_dsack = 0
 # Improve ALSR effectiveness for mmap.
 vm.mmap_rnd_bits = 32
 vm.mmap_rnd_compat_bits = 16
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
 # Restrict userfaultfd to CAP_SYS_PTRACE.
 # https://bugs.archlinux.org/task/62780
 # Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
 # probably not used in the real world at all.
 vm.unprivileged_userfaultfd = 0
--- a/roles/qubes-f41-gnome/tasks/files/etc/systemd/coredump.conf.d/disable.conf
+++ b/roles/qubes-f41-gnome/tasks/files/etc/systemd/coredump.conf.d/disable.conf
@ -1,2 +0,0 @@
 [Coredump]
 Storage=none
--- a/roles/qubes-f41-gnome/tasks/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf
+++ b/roles/qubes-f41-gnome/tasks/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf
@ -1,28 +0,0 @@
 [Service]
 # Hardening
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
 LockPersonality=true
 MemoryDenyWriteExecute=true
 #PrivateDevices=true #breaks tun usage
 #ProtectProc=invisible
 PrivateTmp=yes
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=read-only
 ProtectKernelLogs=true
 #ProtectKernelModules=true
 #ProtectSystem=strict
 #ReadOnlyPaths=/etc/NetworkManager
 ReadOnlyPaths=-/home
 #ReadWritePaths=-/etc/NetworkManager/system-connections
 ReadWritePaths=-/etc/sysconfig/network-scripts
 ReadWritePaths=/var/lib/NetworkManager
 ReadWritePaths=-/var/run/NetworkManager
 ReadWritePaths=-/run/NetworkManager
 RemoveIPC=true
 RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 UMask=0077
--- a/roles/qubes-f41-gnome/tasks/files/etc/systemd/user/update-user-flatpaks.service
+++ b/roles/qubes-f41-gnome/tasks/files/etc/systemd/user/update-user-flatpaks.service
@ -1,6 +0,0 @@
 [Unit]
 Description=Update user Flatpaks
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/flatpak --user update -y
--- a/roles/qubes-f41-gnome/tasks/files/etc/systemd/user/update-user-flatpaks.timer
+++ b/roles/qubes-f41-gnome/tasks/files/etc/systemd/user/update-user-flatpaks.timer
@ -1,9 +0,0 @@
 [Unit]
 Description=Update user Flatpaks daily
 [Timer]
 OnCalendar=daily
 Persistent=true
 [Install]
 WantedBy=timers.target
--- a/roles/qubes-f41-gnome/tasks/files/etc/systemd/zram-generator.conf
+++ b/roles/qubes-f41-gnome/tasks/files/etc/systemd/zram-generator.conf
@ -1,4 +0,0 @@
 [zram0]
 zram-fraction = 1
 max-zram-size = 8192
 compression-algorithm = zstd
--- a/roles/qubes-f41-gnome/tasks/files/etc/xdg-desktop-portal/portals.conf
+++ b/roles/qubes-f41-gnome/tasks/files/etc/xdg-desktop-portal/portals.conf
@ -1,2 +0,0 @@
 [preferred]
 default=gtk;
--- a/roles/qubes-f41-gnome/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js
+++ b/roles/qubes-f41-gnome/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js
--- a/roles/qubes-f41-gnome/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js
+++ b/roles/qubes-f41-gnome/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js
--- a/roles/qubes-f41-gnome/tasks/main.yaml
+++ b/roles/qubes-f41-gnome/tasks/main.yaml
@ -1,285 +0,0 @@
 - name: Configure Fedora 41 Gnome Template
  hosts: 127.0.0.1
  connection: local
  tasks:
   - name: Kill debug-shell service
     ansible.builtin.systemd_service:
       name: debug-shell.service
       masked: true
   - name: Kill kdump service
     ansible.builtin.systemd_service:
       name: kdump.service
       masked: true
   - name: Set umask to 077
     shell: umask 077
   - name: Set umask to 077 in login.defs
     ansible.builtin.replace:
      path: /etc/login.defs
      regexp: '^UMASK.*'
      replace: 'UMASK 077'
   - name: Set umask to 077 in logins.defs
     ansible.builtin.replace:
      path: /etc/login.defs
      regexp: '^HOME_MODE'
      replace: '#HOME_MODE'
   - name: Set umask to 077 in bashrc
     ansible.builtin.replace:
       path: /etc/bashrc
       regexp: 'umask 022'
       replace: 'umask 077'
   - name: Make home directory private
     ansible.builtin.file:
       path: /home/*
       state: directory
       recurse: true
       mode: '0700'
   - name: Harden SSH, add kernel blacklist and hardening
     ansible.builtin.copy:
      src: '{{ item }}'
      dest: '/{{ item }}'
      mode: '0644'
     loop:
      - 'etc/ssh/ssh_config.d/10-custom.conf'
      - 'etc/modprobe.d/workstation-blacklist.conf'
      - 'etc/sysctl.d/99-workstation.conf'
   - name: Reload sysctl
     shell: 'sysctl -p'
   - name: Create coredump.conf.d
     ansible.builtin.file:
       path: '/etc/systemd/coredump.conf.d'
       state: 'directory'
       mode: '0755'
   - name: Make locks dir for dconf
     ansible.builtin.file:
       path: '/etc/dconf/db/local.d/locks'
       state: 'directory'
       mode: '0755'
   - name: Create XDG portals directory
     ansible.builtin.file:
       path: '/etc/xdg-desktop-portal'
       state: 'directory'
       mode: '0755'
   - name: Create /etc/systemd/system/NetworkManager.service.d
     ansible.builtin.file:
       path: '/etc/systemd/system/NetworkManager.service.d'
       state: 'directory'
       mode: '0755'
   - name: Copy dconf files + xdg-desktop-portals fix + Network manager
     ansible.builtin.copy:
      src: '{{ item }}'
      dest: '/{{ item }}'
      mode: '0644'
     loop:
      - 'etc/security/limits.d/30-disable-coredump.conf'
      - 'etc/systemd/coredump.conf.d/disable.conf'
      - 'etc/dconf/db/local.d/locks/automount-disable'
      - 'etc/dconf/db/local.d/locks/privacy'
      - 'etc/dconf/db/local.d/adw-gtk3-dark'
      - 'etc/dconf/db/local.d/automount-disable'
      - 'etc/dconf/db/local.d/prefer-dark'
      - 'etc/dconf/db/local.d/privacy'
      - 'etc/xdg-desktop-portal/portals.conf'
      - 'etc/systemd/system/NetworkManager.service.d/99-brace.conf'
   - name: Update dconf
     shell: sudo dconf update
   - name: Setup ZRAM, flatpak updater and environment variables to disable GJS, WebkitGTK JIT, and fix GNOME env variable
     ansible.builtin.copy:
      src: '{{ item }}'
      dest: '/{{ item }}'
      mode: '0600'
     loop:
      - 'etc/systemd/zram-generator.conf'
      - 'etc/systemd/user/update-user-flatpaks.service'
      - 'etc/systemd/user/update-user-flatpaks.timer'
      - 'etc/environment'
   - name: Upgrade all packages
     ansible.builtin.dnf5:
       name: "*"
       state: latest
   - name: Mark packages as manually installed to avoid removal
     shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
   - name: Remove unnecessary stuff from the template
     ansible.builtin.dnf5:
       name:
        - '@Container Management'
        - '@Desktop Accessibility'
        - '@Guest Desktop Agents'
        - '@Printing Support'
        - 'gnome-software'
        - 'httpd'
        - 'keepassxc'
        - 'thunderbird'
        - 'fedora-bookmarks'
        - 'fedora-chromium-config'
        - 'samba-client'
        - 'gvfs-smb'
        - 'NetworkManager-pptp-gnome'
        - 'NetworkManager-ssh-gnome'
        - 'NetworkManager-openconnect-gnome'
        - 'NetworkManager-openvpn-gnome'
        - 'NetworkManager-vpnc-gnome'
        - 'ppp*'
        - 'ModemManager'
        - 'baobab'
        - 'chrome-gnome-shell'
        - 'eog'
        - 'gnome-boxes'
        - 'gnome-calculator'
        - 'gnome-calendar'
        - 'gnome-characters'
        - 'gnome-classic*'
        - 'gnome-clocks'
        - 'gnome-color-manager'
        - 'gnome-connections'
        - 'gnome-contacts'
        - 'gnome-disk-utility'
        - 'gnome-font-viewer'
        - 'gnome-logs'
        - 'gnome-maps'
        - 'gnome-photos'
        - 'gnome-remote-desktop'
        - 'gnome-screenshot'
        - 'gnome-shell-extension-apps-menu'
        - 'gnome-shell-extension-background-logo'
        - 'gnome-shell-extension-launch-new-instance'
        - 'gnome-shell-extension-places-menu'
        - 'gnome-shell-extension-window-list'
        - 'gnome-text-editor'
        - 'gnome-themes-extra'
        - 'gnome-tour'
        - 'gnome-user*'
        - 'gnome-weather'
        - 'loupe'
        - 'snapshot'
        - 'totem'
        - 'cheese'
        - 'evince'
        - 'file-roller*'
        - 'libreoffice*'
        - 'mediawriter'
        - 'rhythmbox'
        - 'yelp'
        - 'lvm2'
        - 'rng-tools'
        - 'thermald'
       state: 'absent'
       allowerasing: true
       autoremove: true
   - name: Install custom packages
     ansible.builtin.dnf5:
       name:
         - 'qubes-ctap'
         - 'qubes-gpg-split'
         - 'adw-gtk3-theme'
         - 'ncurses'
         - 'gnome-shell'
         - 'ptyxis'
       state: 'present'
   - name: Enable hardened_malloc COPR
     shell: 'sudo dnf copr enable secureblue/hardened_malloc -y'
   - name: Install hardened_malloc
     ansible.builtin.dnf5:
       name: 'hardened_malloc'
       state: 'present'
   - name: Enable hardened_malloc
     ansible.builtin.copy:
       src: 'etc/ld.so.preload'
       dest: '/etc/ld.so.preload'
       mode: '0644'
   - name: Enable hardened_malloc for system wide flatpak
     shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
   - name: Enable hardened_malloc for user flatpak # has to be run per APP VM
     shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
   - name: Setup dnf repos
     ansible.builtin.copy:
       src: 'etc/dnf/dnf.conf'
       dest: '/etc/dnf/dnf.conf'
       mode: '0644'
   - name: Get list of files
     ansible.builtin.find:
       paths: /etc/yum.repos.d/
       recurse: true
     register: found_files
   - name: Replace text in those files
     ansible.builtin.lineinfile:
       backup: true
       backrefs: true
       path: '{{ item.path }}'
       regexp: '^(metalink=.*)$'
       line: '\1&protocol=https'
     loop: '{{ found_files.files }}'
   - name: Check that the sudo-dom0-prompt exists
     stat:
       path: '/etc/authselect/custom/sudo-dom0-prompt'
     register: stat_result
   - name: Create authselect profile
     shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam
     when: not stat_result.stat.exists
   - name: Copy authselect file
     ansible.builtin.copy:
      src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
      dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside'
      mode: '0644'
   - name: Copy authselect folder
     ansible.builtin.copy:
      src: '/etc/authselect/system-auth'
      dest: '/etc/authselect/custom/sudo-dom0-prompt'
      mode: '0755'
   - name: Copy authselect file
     ansible.builtin.copy:
      src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth'
      dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
      mode: '0644'
   - name: Select authselect profile
     shell: authselect select custom/sudo-dom0-prompt
   - name: Fix sudoers.d
     ansible.builtin.copy:
      src: 'etc/sudoers.d/qubes'
      dest: '/etc/sudoers.d/qubes'
      mode: '0440'
   - name: Check that allow all rule doesn't exist
     stat:
       path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
     register: allow_all_result
   - name: Delete allow all rule
     ansible.builtin.file:
      path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
      state: 'absent'
     when: allow_all_result.stat.exists
   - name: Drop flathub script to homedir for any new appvms created based on this template
     ansible.builtin.copy:
      src: 'etc/skel/flathub.sh'
      dest: '/etc/skel/flathub.sh'
      mode: '0700'
--- a/roles/qubes-f41-gnome/vars/main.yaml
+++ b/roles/qubes-f41-gnome/vars/main.yaml
@ -1 +0,0 @@
 packages_to_remove:
--- a/roles/sudo-dom0-prompt/files/etc/authselect/custom/sudo-dom0-prompt/system-auth
+++ b/roles/sudo-dom0-prompt/files/etc/authselect/custom/sudo-dom0-prompt/system-auth
@ -1,20 +0,0 @@
 # Generated by authselect
 # Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
 # You can stop authselect from managing your configuration by calling 'authselect opt-out'.
 # See authselect(8) for more details.
 auth        [success=1 default=ignore]                   pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
 auth        requisite                                    pam_deny.so
 auth        required                                     pam_permit.so
 account     required                                     pam_unix.so
 password    requisite                                    pam_pwquality.so
 password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok
 password    required                                     pam_deny.so
 session     optional                                     pam_keyinit.so revoke
 session     required                                     pam_limits.so
 -session    optional                                     pam_systemd.so
 session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 session     required                                     pam_unix.so
--- a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/adw-gtk3-dark
+++ b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/adw-gtk3-dark
@ -1,2 +0,0 @@
 [org/gnome/desktop/interface]
 gtk-theme='adw-gtk3-dark'
--- a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/automount-disable
+++ b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/automount-disable
@ -1,4 +0,0 @@
 [org/gnome/desktop/media-handling]
 automount=false
 automount-open=false
 autorun-never=true
--- a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/automount-disable
+++ b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/automount-disable
@ -1,3 +0,0 @@
 org/gnome/desktop/media-handling/automount
 org/gnome/desktop/media-handling/automount-open
 /org/gnome/desktop/media-handling/autorun-never
--- a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/privacy
+++ b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/privacy
@ -1,14 +0,0 @@
 /org/gnome/system/location/enabled
 /org/gnome/desktop/privacy/remember-recent-files
 /org/gnome/desktop/privacy/remove-old-trash-files
 /org/gnome/desktop/privacy/remove-old-temp-files
 /org/gnome/desktop/privacy/report-technical-problems
 /org/gnome/desktop/privacy/send-software-usage-stats
 /org/gnome/desktop/privacy/remember-app-usage
 /org/gnome/online-accounts/whitelisted-providers
 /org/gnome/desktop/remote-desktop/rdp/enable
 /org/gnome/desktop/remote-desktop/vnc/enable
--- a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/prefer-dark
+++ b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/prefer-dark
@ -1,2 +0,0 @@
 [org/gnome/desktop/interface]
 color-scheme='prefer-dark'
--- a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/privacy
+++ b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/privacy
@ -1,16 +0,0 @@
 [org/gnome/system/location]
 enabled=false
 [org/gnome/desktop/privacy]
 remember-recent-files=false
 remove-old-trash-files=true
 remove-old-temp-files=true
 report-technical-problems=false
 send-software-usage-stats=false
 remember-app-usage=false
 [org/gnome/desktop/remote-desktop/rdp]
 enable=false
 [org/gnome/desktop/remote-desktop/vnc]
 enable=false
--- a/roles/sudo-dom0-prompt/files/etc/dnf/dnf.conf
+++ b/roles/sudo-dom0-prompt/files/etc/dnf/dnf.conf
@ -1,11 +0,0 @@
 [main]
 gpgcheck=True
 installonly_limit=3
 clean_requirements_on_remove=True
 best=False
 skip_if_unavailable=True
 max_parallel_downloads=10
 deltarpm=False
 defaultyes=True
 install_weak_deps=False
 countme=False
--- a/roles/sudo-dom0-prompt/files/etc/environment
+++ b/roles/sudo-dom0-prompt/files/etc/environment
@ -1,3 +0,0 @@
 JavaScriptCoreUseJIT=0
 GJS_DISABLE_JIT=1
 XDG_CURRENT_DESKTOP=GNOME
--- a/roles/sudo-dom0-prompt/files/etc/ld.so.preload
+++ b/roles/sudo-dom0-prompt/files/etc/ld.so.preload
@ -1 +0,0 @@
 libhardened_malloc.so
--- a/roles/sudo-dom0-prompt/files/etc/modprobe.d/workstation-blacklist.conf
+++ b/roles/sudo-dom0-prompt/files/etc/modprobe.d/workstation-blacklist.conf
@ -1,114 +0,0 @@
 # unused network protocols
 install dccp /bin/false
 install sctp /bin/false
 install rds /bin/false
 install tipc /bin/false
 install n-hdlc /bin/false
 install ax25 /bin/false
 install netrom /bin/false
 install x25 /bin/false
 install rose /bin/false
 install decnet /bin/false
 install econet /bin/false
 install af_802154 /bin/false
 install ipx /bin/false
 install appletalk /bin/false
 install psnap /bin/false
 install p8023 /bin/false
 install p8022 /bin/false
 install can /bin/false
 install atm /bin/false
 # firewire and thunderbolt
 install firewire-core /bin/false
 install firewire_core /bin/false
 install firewire-ohci /bin/false
 install firewire_ohci /bin/false
 install firewire_sbp2 /bin/false
 install firewire-sbp2 /bin/false
 install firewire-net /bin/false
 install thunderbolt /bin/false
 install ohci1394 /bin/false
 install sbp2 /bin/false
 install dv1394 /bin/false
 install raw1394 /bin/false
 install video1394 /bin/false
 # unused filesystems
 install cramfs /bin/false
 install freevxfs /bin/false
 install jffs2 /bin/false
 install hfs /bin/false
 install hfsplus /bin/false
 install squashfs /bin/false
 install udf /bin/false
 install cifs /bin/false
 install nfs /bin/false
 install nfsv3 /bin/false
 install nfsv4 /bin/false
 install ksmbd /bin/false
 install gfs2 /bin/false
 install reiserfs /bin/false
 install kafs /bin/false
 install orangefs /bin/false
 install 9p /bin/false
 install adfs /bin/false
 install affs /bin/false
 install afs /bin/false
 install befs /bin/false
 install ceph /bin/false
 install coda /bin/false
 install ecryptfs /bin/false
 install erofs /bin/false
 install jfs /bin/false
 install minix /bin/false
 install netfs /bin/false
 install nilfs2 /bin/false
 install ocfs2 /bin/false
 install romfs /bin/false
 install ubifs /bin/false
 install zonefs /bin/false
 install sysv /bin/false
 install ufs /bin/false
 # disable vivid
 install vivid /bin/false
 # disable GNSS
 install gnss /bin/false
 install gnss-mtk /bin/false
 install gnss-serial /bin/false
 install gnss-sirf /bin/false
 install gnss-usb /bin/false
 install gnss-ubx /bin/false
 # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
 install bluetooth /bin/false
 install btusb /bin/false
 # blacklist ath_pci
 blacklist ath_pci
 # blacklist cdrom
 blacklist cdrom
 blacklist sr_mod
 # blacklist framebuffer drivers
 # source, ubuntu: https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf
 blacklist cyber2000fb
 blacklist cyblafb
 blacklist gx1fb
 blacklist hgafb
 blacklist kyrofb
 blacklist lxfb
 blacklist matroxfb_base
 blacklist neofb
 blacklist nvidiafb
 blacklist pm2fb
 blacklist s1d13xxxfb
 blacklist sisfb
 blacklist tdfxfb
 blacklist vesafb
 blacklist vfb
 blacklist vt8623fb
 blacklist udlfb
--- a/roles/sudo-dom0-prompt/files/etc/security/limits.d/30-disable-coredump.conf
+++ b/roles/sudo-dom0-prompt/files/etc/security/limits.d/30-disable-coredump.conf
@ -1 +0,0 @@
 * hard core 0
--- a/roles/sudo-dom0-prompt/files/etc/skel/flathub.sh
+++ b/roles/sudo-dom0-prompt/files/etc/skel/flathub.sh
@ -1,2 +0,0 @@
 flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo
 systemctl enable --user --now update-user-flatpaks.timer
--- a/roles/sudo-dom0-prompt/files/etc/ssh/ssh_config.d/10-custom.conf
+++ b/roles/sudo-dom0-prompt/files/etc/ssh/ssh_config.d/10-custom.conf
@ -1,2 +0,0 @@
 GSSAPIAuthentication no
 VerifyHostKeyDNS yes
--- a/roles/sudo-dom0-prompt/files/etc/sudoers.d/qubes
+++ b/roles/sudo-dom0-prompt/files/etc/sudoers.d/qubes
@ -1,4 +0,0 @@
 Defaults !requiretty
 user ALL=(ALL) ALL
 # vim: ft=sudoers
--- a/roles/sudo-dom0-prompt/files/etc/systemd/coredump.conf.d/disable.conf
+++ b/roles/sudo-dom0-prompt/files/etc/systemd/coredump.conf.d/disable.conf
@ -1,2 +0,0 @@
 [Coredump]
 Storage=none
--- a/roles/sudo-dom0-prompt/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf
+++ b/roles/sudo-dom0-prompt/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf
@ -1,28 +0,0 @@
 [Service]
 # Hardening
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
 LockPersonality=true
 MemoryDenyWriteExecute=true
 #PrivateDevices=true #breaks tun usage
 #ProtectProc=invisible
 PrivateTmp=yes
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=read-only
 ProtectKernelLogs=true
 #ProtectKernelModules=true
 #ProtectSystem=strict
 #ReadOnlyPaths=/etc/NetworkManager
 ReadOnlyPaths=-/home
 #ReadWritePaths=-/etc/NetworkManager/system-connections
 ReadWritePaths=-/etc/sysconfig/network-scripts
 ReadWritePaths=/var/lib/NetworkManager
 ReadWritePaths=-/var/run/NetworkManager
 ReadWritePaths=-/run/NetworkManager
 RemoveIPC=true
 RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 UMask=0077
--- a/roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.service
+++ b/roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.service
@ -1,6 +0,0 @@
 [Unit]
 Description=Update user Flatpaks
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/flatpak --user update -y
--- a/roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.timer
+++ b/roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.timer
@ -1,9 +0,0 @@
 [Unit]
 Description=Update user Flatpaks daily
 [Timer]
 OnCalendar=daily
 Persistent=true
 [Install]
 WantedBy=timers.target
--- a/roles/sudo-dom0-prompt/files/etc/systemd/zram-generator.conf
+++ b/roles/sudo-dom0-prompt/files/etc/systemd/zram-generator.conf
@ -1,4 +0,0 @@
 [zram0]
 zram-fraction = 1
 max-zram-size = 8192
 compression-algorithm = zstd
--- a/roles/sudo-dom0-prompt/files/etc/xdg-desktop-portal/portals.conf
+++ b/roles/sudo-dom0-prompt/files/etc/xdg-desktop-portal/portals.conf
@ -1,2 +0,0 @@
 [preferred]
 default=gtk;
--- a/roles/sudo-dom0-prompt/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js
+++ b/roles/sudo-dom0-prompt/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js
--- a/roles/sudo-dom0-prompt/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js
+++ b/roles/sudo-dom0-prompt/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js
--- a/roles/sudo-dom0-prompt/tasks/main.yaml
+++ b/roles/sudo-dom0-prompt/tasks/main.yaml
@ -1,49 +0,0 @@
 ---
 - name: Check that the sudo-dom0-prompt exists
  stat:
    path: '/etc/authselect/custom/sudo-dom0-prompt'
  register: stat_result
 - name: Create authselect profile
  shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam
  when: not stat_result.stat.exists
 - name: Copy authselect file
  ansible.builtin.copy:
    src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
    dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside'
    mode: '0644'
 - name: Copy authselect folder
  ansible.builtin.copy:
    src: '/etc/authselect/system-auth'
    dest: '/etc/authselect/custom/sudo-dom0-prompt'
    mode: '0755'
 - name: Copy authselect file
  ansible.builtin.copy:
    src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth'
    dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
    mode: '0644'
 - name: Select authselect profile
  shell: authselect select custom/sudo-dom0-prompt
 - name: Fix sudoers.d
  ansible.builtin.copy:
    src: 'etc/sudoers.d/qubes'
    dest: '/etc/sudoers.d/qubes'
    mode: '0440'
 - name: Check that allow all rule doesn't exist
  stat:
    path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
  register: allow_all_result
 - name: Delete allow all rule
  ansible.builtin.file:
    path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
    state: 'absent'
  when: allow_all_result.stat.exists
--- a/roles/suid_role/tasks/main.yaml
+++ b/roles/suid_role/tasks/main.yaml
@ -0,0 +1,7 @@
 ---
 - name: Check that the sudo-dom0-prompt exists
  stat:
    path: '/etc/authselect/custom/sudo-dom0-prompt'
  register: stat_result
--- a/roles/trivalent/files/etc/skel/trivalent.sh
+++ b/roles/trivalent/files/etc/skel/trivalent.sh
@ -0,0 +1 @@
 systemctl enable --now --user pactl.service
--- a/roles/trivalent/files/etc/systemd/system/pactl.service
+++ b/roles/trivalent/files/etc/systemd/system/pactl.service
@ -0,0 +1,12 @@
 [Unit]
 Description=Run pactl to work around edge audio bug
 After=pipewire-pulse.socket
 Requires=pipewire-pulse.socket
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/pactl info
 [Install]
 WantedBy=default.target
--- a/roles/trivalent/files/etc/systemd/user/pactl.service
+++ b/roles/trivalent/files/etc/systemd/user/pactl.service
@ -0,0 +1,12 @@
 [Unit]
 Description=Run pactl to work around edge audio bug
 After=pipewire-pulse.socket
 Requires=pipewire-pulse.socket
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/pactl info
 [Install]
 WantedBy=default.target
--- a/roles/trivalent/files/etc/trivalent/policies/managed/managed_policies.json
+++ b/roles/trivalent/files/etc/trivalent/policies/managed/managed_policies.json
@ -0,0 +1,9 @@
 {
  "ExtensionInstallForcelist": [
    "ddkjiahejlhfcafbddmgiahcphecmpfh"  
  ],
  "DefaultSearchProviderEnabled": true,
  "DefaultSearchProviderName": "No AI DuckDuckGo",
  "DefaultSearchProviderSearchURL": "https://noai.duckduckgo.com/?t=h_&q={searchTerms}&ia=web"
 }
--- a/roles/trivalent/tasks/main.yaml
+++ b/roles/trivalent/tasks/main.yaml
@ -12,16 +12,17 @@
    mode: '0644'
 - name: Enable codecs and stuff
-  shell: 'sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1'
+  shell: 'dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1'
 - name: Update codecs
-  shell: 'sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'
+  shell: 'dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'
 - name: Update all
  ansible.builtin.dnf5:
    name:
      - '*'
    state: 'latest'
 - name: Install trivalent/ffmpeg packages
  ansible.builtin.dnf5:
    name:
@ -29,3 +30,18 @@
      - trivalent
    state: 'present'
    allowerasing: true
 - name: Set trivalent enterprise policies
  ansible.builtin.copy:
    src: '{{ item }}'
    dest: '/{{ item }}'
    mode: '0644'
  loop:
  - 'etc/trivalent/policies/managed/managed_policies.json'
 - name: Drop flathub script to homedir for any new appvms created based on this template
  ansible.builtin.copy:   
    src: 'etc/skel/trivalent.sh'
    dest: '/etc/skel/trivalent.sh'
    mode: '0700'
`@ -1 +1 @@`
	`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJITevx5+lKqH9UdQiGoe08+ld3XIWGXxQ3sa2XL4PeN user@homelab-mgmt`	`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArO9Yty0QuX7jZhDeL6MrZwH+6dbbcidYWWo0qawivb user@homelab-mgmt`
		`@ -1,2 +0,0 @@`
			`[org/gnome/desktop/interface]`
			`gtk-theme='adw-gtk3-dark'`
		`@ -1,2 +0,0 @@`
			`[org/gnome/desktop/interface]`
			`color-scheme='prefer-dark'`
		`@ -0,0 +1 @@`
							`Subproject commit 8cb281f4362ef3d473d787557a1d11ff134829e0`
		`@ -1,2 +0,0 @@`
			`flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo`
			`systemctl enable --user --now update-user-flatpaks.timer`
		`@ -1,2 +0,0 @@`
			`GSSAPIAuthentication no`
			`VerifyHostKeyDNS yes`