mustard/ansible-playbooks
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Role debugging

Browse source
This commit is contained in:
mustard 2025-03-04 00:36:34 +01:00
parent d19581319e
commit 49952e4195
4 changed files with 288 additions and 292 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

299
roles/baseline/tasks/main.yaml
View file

@ -1,163 +1,162 @@
- name: Baseline hardening for all templates
tasks:
- name: Kill debug-shell service
ansible.builtin.systemd_service:
name: debug-shell.service
masked: true
- name: Kill kdump service
ansible.builtin.systemd_service:
name: kdump.service
masked: true
tasks:
- name: Kill debug-shell service
ansible.builtin.systemd_service:
name: debug-shell.service
masked: true
- name: Kill kdump service
ansible.builtin.systemd_service:
name: kdump.service
masked: true
- name: Set umask to 077
shell: umask 077
- name: Set umask to 077 in login.defs
ansible.builtin.replace:
path: /etc/login.defs
regexp: '^UMASK.*'
replace: 'UMASK 077'
when: umask_changes == true
- name: Set umask to 077
shell: umask 077
- name: Set umask to 077 in login.defs
ansible.builtin.replace:
path: /etc/login.defs
regexp: '^UMASK.*'
replace: 'UMASK 077'
when: umask_changes == true
- name: Set umask to 077 in logins.defs
ansible.builtin.replace:
path: /etc/login.defs
regexp: '^HOME_MODE'
replace: '#HOME_MODE'
when: umask_changes == true
- name: Set umask to 077 in logins.defs
ansible.builtin.replace:
path: /etc/login.defs
regexp: '^HOME_MODE'
replace: '#HOME_MODE'
when: umask_changes == true
- name: Set umask to 077 in bashrc
ansible.builtin.replace:
path: /etc/bashrc
regexp: 'umask 022'
replace: 'umask 077'
when: umask_changes == true
- name: Set umask to 077 in bashrc
ansible.builtin.replace:
path: /etc/bashrc
regexp: 'umask 022'
replace: 'umask 077'
when: umask_changes == true
- name: Make home directory private
ansible.builtin.file:
path: /home/*
state: directory
recurse: true
mode: '0700'
when: umask_changes == true
- name: Harden SSH, add kernel blacklist and hardening
ansible.builtin.copy:
src: '{{ item }}'
dest: '/{{ item }}'
mode: '0644'
loop:
- 'etc/ssh/ssh_config.d/10-custom.conf'
- 'etc/modprobe.d/workstation-blacklist.conf'
- 'etc/sysctl.d/99-workstation.conf'
- name: Reload sysctl
shell: 'sysctl -p'
- name: Create coredump.conf.d
ansible.builtin.file:
path: '/etc/systemd/coredump.conf.d'
state: 'directory'
mode: '0755'
- name: Make locks dir for dconf
ansible.builtin.file:
path: '/etc/dconf/db/local.d/locks'
state: 'directory'
mode: '0755'
- name: Create XDG portals directory
ansible.builtin.file:
path: '/etc/xdg-desktop-portal'
state: 'directory'
mode: '0755'
- name: Create /etc/systemd/system/NetworkManager.service.d
ansible.builtin.file:
path: '/etc/systemd/system/NetworkManager.service.d'
state: 'directory'
mode: '0755'
when: manage_network == true
- name: Copy dconf files + xdg-desktop-portals fix + Network manager
ansible.builtin.copy:
src: 'etc/systemd/system/NetworkManager.service.d/99-brace.conf'
dest: '/etc/systemd/system/NetworkManager.service.d/99-brace.conf'
mode: '0644'
when: manage_network == true
- name: Copy dconf files + xdg-desktop-portals fix + Network manager
ansible.builtin.copy:
src: '{{ item }}'
dest: '/{{ item }}'
mode: '0644'
loop:
- 'etc/security/limits.d/30-disable-coredump.conf'
- 'etc/systemd/coredump.conf.d/disable.conf'
- 'etc/dconf/db/local.d/locks/privacy'
- 'etc/dconf/db/local.d/privacy'
- name: Update dconf
shell: sudo dconf update
- name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT
ansible.builtin.copy:
src: '{{ item }}'
dest: '/{{ item }}'
mode: '0644'
loop:
- 'etc/systemd/zram-generator.conf'
- 'etc/systemd/user/update-user-flatpaks.service'
- 'etc/systemd/user/update-user-flatpaks.timer'
- 'etc/environment'
- name: Drop flathub script to homedir for any new appvms created based on this template
ansible.builtin.copy:
src: 'etc/skel/flathub.sh'
dest: '/etc/skel/flathub.sh'
- name: Make home directory private
ansible.builtin.file:
path: /home/*
state: directory
recurse: true
mode: '0700'
when: umask_changes == true
- name: Upgrade all packages
ansible.builtin.dnf5:
name: "*"
state: latest
- name: Harden SSH, add kernel blacklist and hardening
ansible.builtin.copy:
src: '{{ item }}'
dest: '/{{ item }}'
mode: '0644'
loop:
- 'etc/ssh/ssh_config.d/10-custom.conf'
- 'etc/modprobe.d/workstation-blacklist.conf'
- 'etc/sysctl.d/99-workstation.conf'
- name: Mark packages as manually installed to avoid removal
shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
- name: Enable hardened_malloc COPR
shell: 'sudo dnf copr enable secureblue/hardened_malloc -y'
- name: Reload sysctl
shell: 'sysctl -p'
- name: Install hardened_malloc
ansible.builtin.dnf5:
name: 'hardened_malloc'
state: 'present'
- name: Create coredump.conf.d
ansible.builtin.file:
path: '/etc/systemd/coredump.conf.d'
state: 'directory'
mode: '0755'
- name: Make locks dir for dconf
ansible.builtin.file:
path: '/etc/dconf/db/local.d/locks'
state: 'directory'
mode: '0755'
- name: Create XDG portals directory
ansible.builtin.file:
path: '/etc/xdg-desktop-portal'
state: 'directory'
mode: '0755'
- name: Enable hardened_malloc
ansible.builtin.copy:
src: 'etc/ld.so.preload'
dest: '/etc/ld.so.preload'
mode: '0644'
- name: Enable hardened_malloc for system wide flatpak
shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
- name: Enable hardened_malloc for user flatpak # has to be run per APP VM
shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
- name: Setup dnf repos
ansible.builtin.copy:
src: 'etc/dnf/dnf.conf'
dest: '/etc/dnf/dnf.conf'
mode: '0644'
- name: Create /etc/systemd/system/NetworkManager.service.d
ansible.builtin.file:
path: '/etc/systemd/system/NetworkManager.service.d'
state: 'directory'
mode: '0755'
when: manage_network == true
- name: Get list of files
ansible.builtin.find:
paths: /etc/yum.repos.d/
recurse: true
register: found_files
- name: Copy dconf files + xdg-desktop-portals fix + Network manager
ansible.builtin.copy:
src: 'etc/systemd/system/NetworkManager.service.d/99-brace.conf'
dest: '/etc/systemd/system/NetworkManager.service.d/99-brace.conf'
mode: '0644'
when: manage_network == true
- name: Replace text in those files
ansible.builtin.lineinfile:
backup: true
backrefs: true
path: '{{ item.path }}'
regexp: '^(metalink=.*)$'
line: '\1&protocol=https'
loop: '{{ found_files.files }}'
- name: Copy dconf files + xdg-desktop-portals fix + Network manager
ansible.builtin.copy:
src: '{{ item }}'
dest: '/{{ item }}'
mode: '0644'
loop:
- 'etc/security/limits.d/30-disable-coredump.conf'
- 'etc/systemd/coredump.conf.d/disable.conf'
- 'etc/dconf/db/local.d/locks/privacy'
- 'etc/dconf/db/local.d/privacy'
- name: Update dconf
shell: sudo dconf update
- name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT
ansible.builtin.copy:
src: '{{ item }}'
dest: '/{{ item }}'
mode: '0644'
loop:
- 'etc/systemd/zram-generator.conf'
- 'etc/systemd/user/update-user-flatpaks.service'
- 'etc/systemd/user/update-user-flatpaks.timer'
- 'etc/environment'
- name: Drop flathub script to homedir for any new appvms created based on this template
ansible.builtin.copy:
src: 'etc/skel/flathub.sh'
dest: '/etc/skel/flathub.sh'
mode: '0700'
- name: Upgrade all packages
ansible.builtin.dnf5:
name: "*"
state: latest
- name: Mark packages as manually installed to avoid removal
shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
- name: Enable hardened_malloc COPR
shell: 'sudo dnf copr enable secureblue/hardened_malloc -y'
- name: Install hardened_malloc
ansible.builtin.dnf5:
name: 'hardened_malloc'
state: 'present'
- name: Enable hardened_malloc
ansible.builtin.copy:
src: 'etc/ld.so.preload'
dest: '/etc/ld.so.preload'
mode: '0644'
- name: Enable hardened_malloc for system wide flatpak
shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
- name: Enable hardened_malloc for user flatpak # has to be run per APP VM
shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
- name: Setup dnf repos
ansible.builtin.copy:
src: 'etc/dnf/dnf.conf'
dest: '/etc/dnf/dnf.conf'
mode: '0644'
- name: Get list of files
ansible.builtin.find:
paths: /etc/yum.repos.d/
recurse: true
register: found_files
- name: Replace text in those files
ansible.builtin.lineinfile:
backup: true
backrefs: true
path: '{{ item.path }}'
regexp: '^(metalink=.*)$'
line: '\1&protocol=https'
loop: '{{ found_files.files }}'

175
roles/gnome/tasks/main.yaml
View file

@ -1,91 +1,90 @@
- name: Configure Fedora 41 Gnome Template
tasks:
- name: Fix GNOME environment variable
ansible.builtin.lineinfile:
dest: '/etc/environment'
line: 'XDG_CURRENT_DESKTOP=GNOME'
- name: Upgrade all packages
ansible.builtin.dnf5:
name: "*"
state: latest
tasks:
- name: Fix GNOME environment variable
ansible.builtin.lineinfile:
dest: '/etc/environment'
line: 'XDG_CURRENT_DESKTOP=GNOME'
- name: Upgrade all packages
ansible.builtin.dnf5:
name: "*"
state: latest
- name: Mark packages as manually installed to avoid removal
shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
- name: Mark packages as manually installed to avoid removal
shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
- name: Remove unnecessary stuff from the template
ansible.builtin.dnf5:
name:
- '@Container Management'
- '@Desktop Accessibility'
- '@Guest Desktop Agents'
- '@Printing Support'
- 'gnome-software'
- 'httpd'
- 'keepassxc'
- 'thunderbird'
- 'fedora-bookmarks'
- 'fedora-chromium-config'
- 'samba-client'
- 'gvfs-smb'
- 'NetworkManager-pptp-gnome'
- 'NetworkManager-ssh-gnome'
- 'NetworkManager-openconnect-gnome'
- 'NetworkManager-openvpn-gnome'
- 'NetworkManager-vpnc-gnome'
- 'ppp*'
- 'ModemManager'
- 'baobab'
- 'chrome-gnome-shell'
- 'eog'
- 'gnome-boxes'
- 'gnome-calculator'
- 'gnome-calendar'
- 'gnome-characters'
- 'gnome-classic*'
- 'gnome-clocks'
- 'gnome-color-manager'
- 'gnome-connections'
- 'gnome-contacts'
- 'gnome-disk-utility'
- 'gnome-font-viewer'
- 'gnome-logs'
- 'gnome-maps'
- 'gnome-photos'
- 'gnome-remote-desktop'
- 'gnome-screenshot'
- 'gnome-shell-extension-apps-menu'
- 'gnome-shell-extension-background-logo'
- 'gnome-shell-extension-launch-new-instance'
- 'gnome-shell-extension-places-menu'
- 'gnome-shell-extension-window-list'
- 'gnome-text-editor'
- 'gnome-themes-extra'
- 'gnome-tour'
- 'gnome-user*'
- 'gnome-weather'
- 'loupe'
- 'snapshot'
- 'totem'
- 'cheese'
- 'evince'
- 'file-roller*'
- 'libreoffice*'
- 'mediawriter'
- 'rhythmbox'
- 'yelp'
- 'lvm2'
- 'rng-tools'
- 'thermald'
state: 'absent'
allowerasing: true
autoremove: true
- name: Remove unnecessary stuff from the template
ansible.builtin.dnf5:
name:
- '@Container Management'
- '@Desktop Accessibility'
- '@Guest Desktop Agents'
- '@Printing Support'
- 'gnome-software'
- 'httpd'
- 'keepassxc'
- 'thunderbird'
- 'fedora-bookmarks'
- 'fedora-chromium-config'
- 'samba-client'
- 'gvfs-smb'
- 'NetworkManager-pptp-gnome'
- 'NetworkManager-ssh-gnome'
- 'NetworkManager-openconnect-gnome'
- 'NetworkManager-openvpn-gnome'
- 'NetworkManager-vpnc-gnome'
- 'ppp*'
- 'ModemManager'
- 'baobab'
- 'chrome-gnome-shell'
- 'eog'
- 'gnome-boxes'
- 'gnome-calculator'
- 'gnome-calendar'
- 'gnome-characters'
- 'gnome-classic*'
- 'gnome-clocks'
- 'gnome-color-manager'
- 'gnome-connections'
- 'gnome-contacts'
- 'gnome-disk-utility'
- 'gnome-font-viewer'
- 'gnome-logs'
- 'gnome-maps'
- 'gnome-photos'
- 'gnome-remote-desktop'
- 'gnome-screenshot'
- 'gnome-shell-extension-apps-menu'
- 'gnome-shell-extension-background-logo'
- 'gnome-shell-extension-launch-new-instance'
- 'gnome-shell-extension-places-menu'
- 'gnome-shell-extension-window-list'
- 'gnome-text-editor'
- 'gnome-themes-extra'
- 'gnome-tour'
- 'gnome-user*'
- 'gnome-weather'
- 'loupe'
- 'snapshot'
- 'totem'
- 'cheese'
- 'evince'
- 'file-roller*'
- 'libreoffice*'
- 'mediawriter'
- 'rhythmbox'
- 'yelp'
- 'lvm2'
- 'rng-tools'
- 'thermald'
state: 'absent'
allowerasing: true
autoremove: true
- name: Install custom packages
ansible.builtin.dnf5:
name:
- 'qubes-ctap'
- 'qubes-gpg-split'
- 'ncurses'
# - 'gnome-shell'
- 'ptyxis'
state: 'present'
- name: Install custom packages
ansible.builtin.dnf5:
name:
- 'qubes-ctap'
- 'qubes-gpg-split'
- 'ncurses'
# - 'gnome-shell'
- 'ptyxis'
state: 'present'

79
roles/sudo-dom0-prompt/tasks/main.yaml
View file

@ -1,49 +1,48 @@
- name: Setup passwordless sudo
tasks:
- name: Check that the sudo-dom0-prompt exists
stat:
path: '/etc/authselect/custom/sudo-dom0-prompt'
register: stat_result
tasks:
- name: Check that the sudo-dom0-prompt exists
stat:
path: '/etc/authselect/custom/sudo-dom0-prompt'
register: stat_result
- name: Create authselect profile
shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam
when: not stat_result.stat.exists
- name: Copy authselect file
ansible.builtin.copy:
src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside'
mode: '0644'
- name: Create authselect profile
shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam
when: not stat_result.stat.exists
- name: Copy authselect file
ansible.builtin.copy:
src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside'
mode: '0644'
- name: Copy authselect folder
ansible.builtin.copy:
src: '/etc/authselect/system-auth'
dest: '/etc/authselect/custom/sudo-dom0-prompt'
mode: '0755'
- name: Copy authselect folder
ansible.builtin.copy:
src: '/etc/authselect/system-auth'
dest: '/etc/authselect/custom/sudo-dom0-prompt'
mode: '0755'
- name: Copy authselect file
ansible.builtin.copy:
src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth'
dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
mode: '0644'
- name: Copy authselect file
ansible.builtin.copy:
src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth'
dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
mode: '0644'
- name: Select authselect profile
shell: authselect select custom/sudo-dom0-prompt
- name: Select authselect profile
shell: authselect select custom/sudo-dom0-prompt
- name: Fix sudoers.d
ansible.builtin.copy:
src: 'etc/sudoers.d/qubes'
dest: '/etc/sudoers.d/qubes'
mode: '0440'
- name: Fix sudoers.d
ansible.builtin.copy:
src: 'etc/sudoers.d/qubes'
dest: '/etc/sudoers.d/qubes'
mode: '0440'
- name: Check that allow all rule doesn't exist
stat:
path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
register: allow_all_result
- name: Delete allow all rule
ansible.builtin.file:
- name: Check that allow all rule doesn't exist
stat:
path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
state: 'absent'
when: allow_all_result.stat.exists
register: allow_all_result
- name: Delete allow all rule
ansible.builtin.file:
path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
state: 'absent'
when: allow_all_result.stat.exists

27
roles/trivalent/tasks/main.yaml
View file

@ -1,17 +1,16 @@
- name: Install trivalent browser
tasks:
- name: Enable hardened_malloc COPR
shell: 'sudo dnf copr enable secureblue/trivalent -y'
tasks:
- name: Enable hardened_malloc COPR
shell: 'sudo dnf copr enable secureblue/trivalent -y'
- name: Enable codecs and stuff
shell: 'sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1'
- name: Enable codecs and stuff
shell: 'sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1'
- name: Update codecs
shell: 'sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'
- name: Update codecs
shell: 'sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'
- name: Install hardened_malloc
ansible.builtin.dnf5:
name:
- ffmpeg
- trivalent
state: 'present'
- name: Install hardened_malloc
ansible.builtin.dnf5:
name:
- ffmpeg
- trivalent
state: 'present'