diff --git a/roles/baseline/tasks/main.yaml b/roles/baseline/tasks/main.yaml index 14d7daf..7874d7c 100644 --- a/roles/baseline/tasks/main.yaml +++ b/roles/baseline/tasks/main.yaml 
@@ -1,163 +1,162 @@ -- name: Baseline hardening for all templates - tasks: - - name: Kill debug-shell service - ansible.builtin.systemd_service: - name: debug-shell.service - masked: true - - name: Kill kdump service - ansible.builtin.systemd_service: - name: kdump.service - masked: true +tasks: + - name: Kill debug-shell service + ansible.builtin.systemd_service: + name: debug-shell.service + masked: true + - name: Kill kdump service + ansible.builtin.systemd_service: + name: kdump.service + masked: true - - name: Set umask to 077 - shell: umask 077 - - name: Set umask to 077 in login.defs - ansible.builtin.replace: - path: /etc/login.defs - regexp: '^UMASK.*' - replace: 'UMASK 077' - when: umask_changes == true + - name: Set umask to 077 + shell: umask 077 + - name: Set umask to 077 in login.defs + ansible.builtin.replace: + path: /etc/login.defs + regexp: '^UMASK.*' + replace: 'UMASK 077' + when: umask_changes == true - - name: Set umask to 077 in logins.defs - ansible.builtin.replace: - path: /etc/login.defs - regexp: '^HOME_MODE' - replace: '#HOME_MODE' - when: umask_changes == true + - name: Set umask to 077 in logins.defs + ansible.builtin.replace: + path: /etc/login.defs + regexp: '^HOME_MODE' + replace: '#HOME_MODE' + when: umask_changes == true - - name: Set umask to 077 in bashrc - ansible.builtin.replace: - path: /etc/bashrc - regexp: 'umask 022' - replace: 'umask 077' - when: umask_changes == true + - name: Set umask to 077 in bashrc + ansible.builtin.replace: + path: /etc/bashrc + regexp: 'umask 022' + replace: 'umask 077' + when: umask_changes == true - - name: Make home directory private - ansible.builtin.file: - path: /home/* - state: directory - recurse: true - mode: '0700' - when: umask_changes == true - - - name: Harden SSH, add kernel blacklist and hardening - ansible.builtin.copy: - src: '{{ item }}' - dest: '/{{ item }}' - mode: '0644' - loop: - - 'etc/ssh/ssh_config.d/10-custom.conf' - - 'etc/modprobe.d/workstation-blacklist.conf' - - 
'etc/sysctl.d/99-workstation.conf' - - - - name: Reload sysctl - shell: 'sysctl -p' - - - name: Create coredump.conf.d - ansible.builtin.file: - path: '/etc/systemd/coredump.conf.d' - state: 'directory' - mode: '0755' - - name: Make locks dir for dconf - ansible.builtin.file: - path: '/etc/dconf/db/local.d/locks' - state: 'directory' - mode: '0755' - - name: Create XDG portals directory - ansible.builtin.file: - path: '/etc/xdg-desktop-portal' - state: 'directory' - mode: '0755' - - - name: Create /etc/systemd/system/NetworkManager.service.d - ansible.builtin.file: - path: '/etc/systemd/system/NetworkManager.service.d' - state: 'directory' - mode: '0755' - when: manage_network == true - - - name: Copy dconf files + xdg-desktop-portals fix + Network manager - ansible.builtin.copy: - src: 'etc/systemd/system/NetworkManager.service.d/99-brace.conf' - dest: '/etc/systemd/system/NetworkManager.service.d/99-brace.conf' - mode: '0644' - when: manage_network == true - - - name: Copy dconf files + xdg-desktop-portals fix + Network manager - ansible.builtin.copy: - src: '{{ item }}' - dest: '/{{ item }}' - mode: '0644' - loop: - - 'etc/security/limits.d/30-disable-coredump.conf' - - 'etc/systemd/coredump.conf.d/disable.conf' - - 'etc/dconf/db/local.d/locks/privacy' - - 'etc/dconf/db/local.d/privacy' - - - name: Update dconf - shell: sudo dconf update - - - name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT - ansible.builtin.copy: - src: '{{ item }}' - dest: '/{{ item }}' - mode: '0644' - loop: - - 'etc/systemd/zram-generator.conf' - - 'etc/systemd/user/update-user-flatpaks.service' - - 'etc/systemd/user/update-user-flatpaks.timer' - - 'etc/environment' - - - name: Drop flathub script to homedir for any new appvms created based on this template - ansible.builtin.copy: - src: 'etc/skel/flathub.sh' - dest: '/etc/skel/flathub.sh' + - name: Make home directory private + ansible.builtin.file: + path: /home/* + state: directory + recurse: 
true mode: '0700' + when: umask_changes == true - - name: Upgrade all packages - ansible.builtin.dnf5: - name: "*" - state: latest + - name: Harden SSH, add kernel blacklist and hardening + ansible.builtin.copy: + src: '{{ item }}' + dest: '/{{ item }}' + mode: '0644' + loop: + - 'etc/ssh/ssh_config.d/10-custom.conf' + - 'etc/modprobe.d/workstation-blacklist.conf' + - 'etc/sysctl.d/99-workstation.conf' - - name: Mark packages as manually installed to avoid removal - shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y' - - name: Enable hardened_malloc COPR - shell: 'sudo dnf copr enable secureblue/hardened_malloc -y' + - name: Reload sysctl + shell: 'sysctl -p' - - name: Install hardened_malloc - ansible.builtin.dnf5: - name: 'hardened_malloc' - state: 'present' + - name: Create coredump.conf.d + ansible.builtin.file: + path: '/etc/systemd/coredump.conf.d' + state: 'directory' + mode: '0755' + - name: Make locks dir for dconf + ansible.builtin.file: + path: '/etc/dconf/db/local.d/locks' + state: 'directory' + mode: '0755' + - name: Create XDG portals directory + ansible.builtin.file: + path: '/etc/xdg-desktop-portal' + state: 'directory' + mode: '0755' - - name: Enable hardened_malloc - ansible.builtin.copy: - src: 'etc/ld.so.preload' - dest: '/etc/ld.so.preload' - mode: '0644' - - name: Enable hardened_malloc for system wide flatpak - shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so' - - name: Enable hardened_malloc for user flatpak # has to be run per APP VM - shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so' - - name: Setup dnf repos - ansible.builtin.copy: - src: 'etc/dnf/dnf.conf' - dest: '/etc/dnf/dnf.conf' - mode: '0644' + - name: Create /etc/systemd/system/NetworkManager.service.d + ansible.builtin.file: + path: '/etc/systemd/system/NetworkManager.service.d' + state: 'directory' + mode: '0755' + when: 
manage_network == true - - name: Get list of files - ansible.builtin.find: - paths: /etc/yum.repos.d/ - recurse: true - register: found_files + - name: Copy dconf files + xdg-desktop-portals fix + Network manager + ansible.builtin.copy: + src: 'etc/systemd/system/NetworkManager.service.d/99-brace.conf' + dest: '/etc/systemd/system/NetworkManager.service.d/99-brace.conf' + mode: '0644' + when: manage_network == true - - name: Replace text in those files - ansible.builtin.lineinfile: - backup: true - backrefs: true - path: '{{ item.path }}' - regexp: '^(metalink=.*)$' - line: '\1&protocol=https' - loop: '{{ found_files.files }}' \ No newline at end of file + - name: Copy dconf files + xdg-desktop-portals fix + Network manager + ansible.builtin.copy: + src: '{{ item }}' + dest: '/{{ item }}' + mode: '0644' + loop: + - 'etc/security/limits.d/30-disable-coredump.conf' + - 'etc/systemd/coredump.conf.d/disable.conf' + - 'etc/dconf/db/local.d/locks/privacy' + - 'etc/dconf/db/local.d/privacy' + + - name: Update dconf + shell: sudo dconf update + + - name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT + ansible.builtin.copy: + src: '{{ item }}' + dest: '/{{ item }}' + mode: '0644' + loop: + - 'etc/systemd/zram-generator.conf' + - 'etc/systemd/user/update-user-flatpaks.service' + - 'etc/systemd/user/update-user-flatpaks.timer' + - 'etc/environment' + + - name: Drop flathub script to homedir for any new appvms created based on this template + ansible.builtin.copy: + src: 'etc/skel/flathub.sh' + dest: '/etc/skel/flathub.sh' + mode: '0700' + + - name: Upgrade all packages + ansible.builtin.dnf5: + name: "*" + state: latest + + - name: Mark packages as manually installed to avoid removal + shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y' + + - name: Enable hardened_malloc COPR + shell: 'sudo dnf copr enable secureblue/hardened_malloc -y' + + - name: Install hardened_malloc + ansible.builtin.dnf5: + name: 'hardened_malloc' + 
state: 'present' + + - name: Enable hardened_malloc + ansible.builtin.copy: + src: 'etc/ld.so.preload' + dest: '/etc/ld.so.preload' + mode: '0644' + - name: Enable hardened_malloc for system wide flatpak + shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so' + - name: Enable hardened_malloc for user flatpak # has to be run per APP VM + shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so' + - name: Setup dnf repos + ansible.builtin.copy: + src: 'etc/dnf/dnf.conf' + dest: '/etc/dnf/dnf.conf' + mode: '0644' + + - name: Get list of files + ansible.builtin.find: + paths: /etc/yum.repos.d/ + recurse: true + register: found_files + + - name: Replace text in those files + ansible.builtin.lineinfile: + backup: true + backrefs: true + path: '{{ item.path }}' + regexp: '^(metalink=.*)$' + line: '\1&protocol=https' + loop: '{{ found_files.files }}' \ No newline at end of file diff --git a/roles/gnome/tasks/main.yaml b/roles/gnome/tasks/main.yaml index 8424f35..8669767 100644 --- a/roles/gnome/tasks/main.yaml +++ b/roles/gnome/tasks/main.yaml 
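Review bot: `sysctl -p` in the Reload sysctl task only reads /etc/sysctl.conf, so the 99-workstation.conf dropped into /etc/sysctl.d two tasks earlier is not applied until the next boot; use `ansible.builtin.command: sysctl --system` instead. The `path: /home/*` in "Make home directory private" is not glob-expanded by ansible.builtin.file (it would create a directory literally named `*`), and `recurse: true` with `mode: '0700'` would also make every regular file under a home executable — enumerate the home directories with `ansible.builtin.find` (`file_type: directory`) and loop a non-recursive file task over them. In the final lineinfile task, `regexp: '^(metalink=.*)$'` changes only the last matching line per repo file and still matches after the first run, so every run appends another `&protocol=https`; `ansible.builtin.replace` with `regexp: '^(metalink=(?!.*protocol=https).*)$'` and `replace: '\1&protocol=https'` rewrites all sections exactly once. The `shell: umask 077` task only affects that one short-lived shell process and can be dropped, since the login.defs and bashrc edits already carry the intent.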
@@ -1,91 +1,90 @@ -- name: Configure Fedora 41 Gnome Template - tasks: - - name: Fix GNOME environment variable - ansible.builtin.lineinfile: - dest: '/etc/environment' - line: 'XDG_CURRENT_DESKTOP=GNOME' - - name: Upgrade all packages - ansible.builtin.dnf5: - name: "*" - state: latest +tasks: + - name: Fix GNOME environment variable + ansible.builtin.lineinfile: + dest: '/etc/environment' + line: 'XDG_CURRENT_DESKTOP=GNOME' + - name: Upgrade all packages + ansible.builtin.dnf5: + name: "*" + state: latest - - name: Mark packages as manually installed to avoid removal - shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y' + - name: Mark packages as manually installed to avoid removal + shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y' - - name: Remove unnecessary stuff from the template - ansible.builtin.dnf5: - name: - - '@Container Management' - - '@Desktop Accessibility' - - '@Guest Desktop Agents' - - '@Printing Support' - - 'gnome-software' - - 'httpd' - - 'keepassxc' - - 'thunderbird' - - 'fedora-bookmarks' - - 'fedora-chromium-config' - - 'samba-client' - - 'gvfs-smb' - - 'NetworkManager-pptp-gnome' - - 'NetworkManager-ssh-gnome' - - 'NetworkManager-openconnect-gnome' - - 'NetworkManager-openvpn-gnome' - - 'NetworkManager-vpnc-gnome' - - 'ppp*' - - 'ModemManager' - - 'baobab' - - 'chrome-gnome-shell' - - 'eog' - - 'gnome-boxes' - - 'gnome-calculator' - - 'gnome-calendar' - - 'gnome-characters' - - 'gnome-classic*' - - 'gnome-clocks' - - 'gnome-color-manager' - - 'gnome-connections' - - 'gnome-contacts' - - 'gnome-disk-utility' - - 'gnome-font-viewer' - - 'gnome-logs' - - 'gnome-maps' - - 'gnome-photos' - - 'gnome-remote-desktop' - - 'gnome-screenshot' - - 'gnome-shell-extension-apps-menu' - - 'gnome-shell-extension-background-logo' - - 'gnome-shell-extension-launch-new-instance' - - 'gnome-shell-extension-places-menu' - - 'gnome-shell-extension-window-list' - - 'gnome-text-editor' - - 'gnome-themes-extra' - - 'gnome-tour' - - 
'gnome-user*' - - 'gnome-weather' - - 'loupe' - - 'snapshot' - - 'totem' - - 'cheese' - - 'evince' - - 'file-roller*' - - 'libreoffice*' - - 'mediawriter' - - 'rhythmbox' - - 'yelp' - - 'lvm2' - - 'rng-tools' - - 'thermald' - state: 'absent' - allowerasing: true - autoremove: true + - name: Remove unnecessary stuff from the template + ansible.builtin.dnf5: + name: + - '@Container Management' + - '@Desktop Accessibility' + - '@Guest Desktop Agents' + - '@Printing Support' + - 'gnome-software' + - 'httpd' + - 'keepassxc' + - 'thunderbird' + - 'fedora-bookmarks' + - 'fedora-chromium-config' + - 'samba-client' + - 'gvfs-smb' + - 'NetworkManager-pptp-gnome' + - 'NetworkManager-ssh-gnome' + - 'NetworkManager-openconnect-gnome' + - 'NetworkManager-openvpn-gnome' + - 'NetworkManager-vpnc-gnome' + - 'ppp*' + - 'ModemManager' + - 'baobab' + - 'chrome-gnome-shell' + - 'eog' + - 'gnome-boxes' + - 'gnome-calculator' + - 'gnome-calendar' + - 'gnome-characters' + - 'gnome-classic*' + - 'gnome-clocks' + - 'gnome-color-manager' + - 'gnome-connections' + - 'gnome-contacts' + - 'gnome-disk-utility' + - 'gnome-font-viewer' + - 'gnome-logs' + - 'gnome-maps' + - 'gnome-photos' + - 'gnome-remote-desktop' + - 'gnome-screenshot' + - 'gnome-shell-extension-apps-menu' + - 'gnome-shell-extension-background-logo' + - 'gnome-shell-extension-launch-new-instance' + - 'gnome-shell-extension-places-menu' + - 'gnome-shell-extension-window-list' + - 'gnome-text-editor' + - 'gnome-themes-extra' + - 'gnome-tour' + - 'gnome-user*' + - 'gnome-weather' + - 'loupe' + - 'snapshot' + - 'totem' + - 'cheese' + - 'evince' + - 'file-roller*' + - 'libreoffice*' + - 'mediawriter' + - 'rhythmbox' + - 'yelp' + - 'lvm2' + - 'rng-tools' + - 'thermald' + state: 'absent' + allowerasing: true + autoremove: true - - name: Install custom packages - ansible.builtin.dnf5: - name: - - 'qubes-ctap' - - 'qubes-gpg-split' - - 'ncurses' - # - 'gnome-shell' - - 'ptyxis' - state: 'present' \ No newline at end of file + - name: 
Install custom packages + ansible.builtin.dnf5: + name: + - 'qubes-ctap' + - 'qubes-gpg-split' + - 'ncurses' +# - 'gnome-shell' + - 'ptyxis' + state: 'present' \ No newline at end of file diff --git a/roles/sudo-dom0-prompt/tasks/main.yaml b/roles/sudo-dom0-prompt/tasks/main.yaml index f08520f..f51c5d8 100644 --- a/roles/sudo-dom0-prompt/tasks/main.yaml +++ b/roles/sudo-dom0-prompt/tasks/main.yaml 
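Review bot: The new top-level `tasks:` key turns roles/gnome/tasks/main.yaml into a mapping, but a role's tasks/main.yaml is loaded as a bare list of tasks, so this file (and the other three role task files in this commit) will presumably be rejected at load time; drop the `tasks:` line and dedent the list so it begins with `- name: Fix GNOME environment variable` at column 0. Because the removal task sets both `allowerasing: true` and `autoremove: true`, dnf may erase dependents of listed items such as `@Guest Desktop Agents` and `lvm2`; the preceding `dnf mark user` protects only flatpak, gnome-menus and qubes-menus, so it is worth confirming that no other qubes-* agent package ends up in the erase set. `shell: 'sudo dnf mark user ...'` calls `sudo` inline instead of using `become: true` and has no `changed_when`, so it reports changed on every run.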
@@ -1,49 +1,48 @@ -- name: Setup passwordless sudo - tasks: - - name: Check that the sudo-dom0-prompt exists - stat: - path: '/etc/authselect/custom/sudo-dom0-prompt' - register: stat_result +tasks: + - name: Check that the sudo-dom0-prompt exists + stat: + path: '/etc/authselect/custom/sudo-dom0-prompt' + register: stat_result - - name: Create authselect profile - shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam - when: not stat_result.stat.exists - - name: Copy authselect file - ansible.builtin.copy: - src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth' - dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside' - mode: '0644' + - name: Create authselect profile + shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam + when: not stat_result.stat.exists + - name: Copy authselect file + ansible.builtin.copy: + src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth' + dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside' + mode: '0644' - - name: Copy authselect folder - ansible.builtin.copy: - src: '/etc/authselect/system-auth' - dest: '/etc/authselect/custom/sudo-dom0-prompt' - mode: '0755' + - name: Copy authselect folder + ansible.builtin.copy: + src: '/etc/authselect/system-auth' + dest: '/etc/authselect/custom/sudo-dom0-prompt' + mode: '0755' - - name: Copy authselect file - ansible.builtin.copy: - src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth' - dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth' - mode: '0644' + - name: Copy authselect file + ansible.builtin.copy: + src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth' + dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth' + mode: '0644' - - name: Select authselect profile - shell: authselect select custom/sudo-dom0-prompt + - name: Select authselect profile + shell: authselect select custom/sudo-dom0-prompt - - name: Fix sudoers.d - 
ansible.builtin.copy: - src: 'etc/sudoers.d/qubes' - dest: '/etc/sudoers.d/qubes' - mode: '0440' + - name: Fix sudoers.d + ansible.builtin.copy: + src: 'etc/sudoers.d/qubes' + dest: '/etc/sudoers.d/qubes' + mode: '0440' - - name: Check that allow all rule doesn't exist - stat: - path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules' - register: allow_all_result - - - name: Delete allow all rule - ansible.builtin.file: + - name: Check that allow all rule doesn't exist + stat: path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules' - state: 'absent' - when: allow_all_result.stat.exists + register: allow_all_result + + - name: Delete allow all rule + ansible.builtin.file: + path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules' + state: 'absent' + when: allow_all_result.stat.exists diff --git a/roles/trivalent/tasks/main.yaml b/roles/trivalent/tasks/main.yaml index d2050db..33f4f51 100644 --- a/roles/trivalent/tasks/main.yaml +++ b/roles/trivalent/tasks/main.yaml 
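Review bot: The two "Copy authselect" tasks with absolute `src` paths (`/etc/authselect/custom/sudo-dom0-prompt/system-auth` and `/etc/authselect/system-auth`) read from the control node, not the target, because `remote_src` is not set; unless this role is only ever run over a local connection, add `remote_src: true` to both, since this is the backup of the PAM system-auth stack that the following task overwrites. The backup task also runs unconditionally, so on a second run `system-auth.original_aside` is replaced with the already-modified file; guard it with the same `when: not stat_result.stat.exists` as the create-profile task. The stat/when pair around the polkit rule deletion is redundant — `ansible.builtin.file` with `state: absent` is already a no-op when the path is missing. The `authselect create-profile` and `authselect select` shell tasks carry no `changed_when`, so the play reports changed every run.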
@@ -1,17 +1,16 @@ -- name: Install trivalent browser - tasks: - - name: Enable hardened_malloc COPR - shell: 'sudo dnf copr enable secureblue/trivalent -y' +tasks: + - name: Enable hardened_malloc COPR + shell: 'sudo dnf copr enable secureblue/trivalent -y' - - name: Enable codecs and stuff - shell: 'sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1' + - name: Enable codecs and stuff + shell: 'sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1' - - name: Update codecs - shell: 'sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin' + - name: Update codecs + shell: 'sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin' - - name: Install hardened_malloc - ansible.builtin.dnf5: - name: - - ffmpeg - - trivalent - state: 'present' \ No newline at end of file + - name: Install hardened_malloc + ansible.builtin.dnf5: + name: + - ffmpeg + - trivalent + state: 'present' \ No newline at end of file
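Review bot: The "Update codecs" shell task runs `sudo dnf update @multimedia ...` without `-y`, so in a non-interactive run dnf aborts at the confirmation prompt and the task fails (unless the dnf.conf dropped in by the baseline role sets assumeyes, which this hunk cannot confirm); add `-y` as the neighbouring `dnf copr enable` task does. The task names were carried over from the hardened_malloc role and are now misleading — `Enable hardened_malloc COPR` enables `secureblue/trivalent` and `Install hardened_malloc` installs ffmpeg and trivalent — rename them to `Enable trivalent COPR` and `Install trivalent and ffmpeg`. The three shell tasks invoke `sudo` inline rather than `become: true` and have no `changed_when`, so they always report changed; `dnf config-manager setopt` also assumes the rpmfusion repo files already exist, which nothing in this role installs.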