Role debugging

This commit is contained in:
mustard 2025-03-04 00:36:34 +01:00
parent d19581319e
commit 49952e4195
4 changed files with 288 additions and 292 deletions


@ -1,163 +1,162 @@
- name: Baseline hardening for all templates tasks:
tasks: - name: Kill debug-shell service
- name: Kill debug-shell service ansible.builtin.systemd_service:
ansible.builtin.systemd_service: name: debug-shell.service
name: debug-shell.service masked: true
masked: true - name: Kill kdump service
- name: Kill kdump service ansible.builtin.systemd_service:
ansible.builtin.systemd_service: name: kdump.service
name: kdump.service masked: true
masked: true
- name: Set umask to 077 - name: Set umask to 077
shell: umask 077 shell: umask 077
- name: Set umask to 077 in login.defs - name: Set umask to 077 in login.defs
ansible.builtin.replace: ansible.builtin.replace:
path: /etc/login.defs path: /etc/login.defs
regexp: '^UMASK.*' regexp: '^UMASK.*'
replace: 'UMASK 077' replace: 'UMASK 077'
when: umask_changes == true when: umask_changes == true
- name: Set umask to 077 in logins.defs - name: Set umask to 077 in logins.defs
ansible.builtin.replace: ansible.builtin.replace:
path: /etc/login.defs path: /etc/login.defs
regexp: '^HOME_MODE' regexp: '^HOME_MODE'
replace: '#HOME_MODE' replace: '#HOME_MODE'
when: umask_changes == true when: umask_changes == true
- name: Set umask to 077 in bashrc - name: Set umask to 077 in bashrc
ansible.builtin.replace: ansible.builtin.replace:
path: /etc/bashrc path: /etc/bashrc
regexp: 'umask 022' regexp: 'umask 022'
replace: 'umask 077' replace: 'umask 077'
when: umask_changes == true when: umask_changes == true
- name: Make home directory private - name: Make home directory private
ansible.builtin.file: ansible.builtin.file:
path: /home/* path: /home/*
state: directory state: directory
recurse: true recurse: true
mode: '0700'
when: umask_changes == true
- name: Harden SSH, add kernel blacklist and hardening
ansible.builtin.copy:
src: '{{ item }}'
dest: '/{{ item }}'
mode: '0644'
loop:
- 'etc/ssh/ssh_config.d/10-custom.conf'
- 'etc/modprobe.d/workstation-blacklist.conf'
- 'etc/sysctl.d/99-workstation.conf'
- name: Reload sysctl
shell: 'sysctl -p'
- name: Create coredump.conf.d
ansible.builtin.file:
path: '/etc/systemd/coredump.conf.d'
state: 'directory'
mode: '0755'
- name: Make locks dir for dconf
ansible.builtin.file:
path: '/etc/dconf/db/local.d/locks'
state: 'directory'
mode: '0755'
- name: Create XDG portals directory
ansible.builtin.file:
path: '/etc/xdg-desktop-portal'
state: 'directory'
mode: '0755'
- name: Create /etc/systemd/system/NetworkManager.service.d
ansible.builtin.file:
path: '/etc/systemd/system/NetworkManager.service.d'
state: 'directory'
mode: '0755'
when: manage_network == true
- name: Copy dconf files + xdg-desktop-portals fix + Network manager
ansible.builtin.copy:
src: 'etc/systemd/system/NetworkManager.service.d/99-brace.conf'
dest: '/etc/systemd/system/NetworkManager.service.d/99-brace.conf'
mode: '0644'
when: manage_network == true
- name: Copy dconf files + xdg-desktop-portals fix + Network manager
ansible.builtin.copy:
src: '{{ item }}'
dest: '/{{ item }}'
mode: '0644'
loop:
- 'etc/security/limits.d/30-disable-coredump.conf'
- 'etc/systemd/coredump.conf.d/disable.conf'
- 'etc/dconf/db/local.d/locks/privacy'
- 'etc/dconf/db/local.d/privacy'
- name: Update dconf
shell: sudo dconf update
- name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT
ansible.builtin.copy:
src: '{{ item }}'
dest: '/{{ item }}'
mode: '0644'
loop:
- 'etc/systemd/zram-generator.conf'
- 'etc/systemd/user/update-user-flatpaks.service'
- 'etc/systemd/user/update-user-flatpaks.timer'
- 'etc/environment'
- name: Drop flathub script to homedir for any new appvms created based on this template
ansible.builtin.copy:
src: 'etc/skel/flathub.sh'
dest: '/etc/skel/flathub.sh'
mode: '0700' mode: '0700'
when: umask_changes == true
- name: Upgrade all packages - name: Harden SSH, add kernel blacklist and hardening
ansible.builtin.dnf5: ansible.builtin.copy:
name: "*" src: '{{ item }}'
state: latest dest: '/{{ item }}'
mode: '0644'
loop:
- 'etc/ssh/ssh_config.d/10-custom.conf'
- 'etc/modprobe.d/workstation-blacklist.conf'
- 'etc/sysctl.d/99-workstation.conf'
- name: Mark packages as manually installed to avoid removal
shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
- name: Enable hardened_malloc COPR - name: Reload sysctl
shell: 'sudo dnf copr enable secureblue/hardened_malloc -y' shell: 'sysctl -p'
- name: Install hardened_malloc - name: Create coredump.conf.d
ansible.builtin.dnf5: ansible.builtin.file:
name: 'hardened_malloc' path: '/etc/systemd/coredump.conf.d'
state: 'present' state: 'directory'
mode: '0755'
- name: Make locks dir for dconf
ansible.builtin.file:
path: '/etc/dconf/db/local.d/locks'
state: 'directory'
mode: '0755'
- name: Create XDG portals directory
ansible.builtin.file:
path: '/etc/xdg-desktop-portal'
state: 'directory'
mode: '0755'
- name: Enable hardened_malloc - name: Create /etc/systemd/system/NetworkManager.service.d
ansible.builtin.copy: ansible.builtin.file:
src: 'etc/ld.so.preload' path: '/etc/systemd/system/NetworkManager.service.d'
dest: '/etc/ld.so.preload' state: 'directory'
mode: '0644' mode: '0755'
- name: Enable hardened_malloc for system wide flatpak when: manage_network == true
shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
- name: Enable hardened_malloc for user flatpak # has to be run per APP VM
shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
- name: Setup dnf repos
ansible.builtin.copy:
src: 'etc/dnf/dnf.conf'
dest: '/etc/dnf/dnf.conf'
mode: '0644'
- name: Get list of files - name: Copy dconf files + xdg-desktop-portals fix + Network manager
ansible.builtin.find: ansible.builtin.copy:
paths: /etc/yum.repos.d/ src: 'etc/systemd/system/NetworkManager.service.d/99-brace.conf'
recurse: true dest: '/etc/systemd/system/NetworkManager.service.d/99-brace.conf'
register: found_files mode: '0644'
when: manage_network == true
- name: Replace text in those files - name: Copy dconf files + xdg-desktop-portals fix + Network manager
ansible.builtin.lineinfile: ansible.builtin.copy:
backup: true src: '{{ item }}'
backrefs: true dest: '/{{ item }}'
path: '{{ item.path }}' mode: '0644'
regexp: '^(metalink=.*)$' loop:
line: '\1&protocol=https' - 'etc/security/limits.d/30-disable-coredump.conf'
loop: '{{ found_files.files }}' - 'etc/systemd/coredump.conf.d/disable.conf'
- 'etc/dconf/db/local.d/locks/privacy'
- 'etc/dconf/db/local.d/privacy'
- name: Update dconf
shell: sudo dconf update
- name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT
ansible.builtin.copy:
src: '{{ item }}'
dest: '/{{ item }}'
mode: '0644'
loop:
- 'etc/systemd/zram-generator.conf'
- 'etc/systemd/user/update-user-flatpaks.service'
- 'etc/systemd/user/update-user-flatpaks.timer'
- 'etc/environment'
- name: Drop flathub script to homedir for any new appvms created based on this template
ansible.builtin.copy:
src: 'etc/skel/flathub.sh'
dest: '/etc/skel/flathub.sh'
mode: '0700'
- name: Upgrade all packages
ansible.builtin.dnf5:
name: "*"
state: latest
- name: Mark packages as manually installed to avoid removal
shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
- name: Enable hardened_malloc COPR
shell: 'sudo dnf copr enable secureblue/hardened_malloc -y'
- name: Install hardened_malloc
ansible.builtin.dnf5:
name: 'hardened_malloc'
state: 'present'
- name: Enable hardened_malloc
ansible.builtin.copy:
src: 'etc/ld.so.preload'
dest: '/etc/ld.so.preload'
mode: '0644'
- name: Enable hardened_malloc for system wide flatpak
shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
- name: Enable hardened_malloc for user flatpak # has to be run per APP VM
shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
- name: Setup dnf repos
ansible.builtin.copy:
src: 'etc/dnf/dnf.conf'
dest: '/etc/dnf/dnf.conf'
mode: '0644'
- name: Get list of files
ansible.builtin.find:
paths: /etc/yum.repos.d/
recurse: true
register: found_files
- name: Replace text in those files
ansible.builtin.lineinfile:
backup: true
backrefs: true
path: '{{ item.path }}'
regexp: '^(metalink=.*)$'
line: '\1&protocol=https'
loop: '{{ found_files.files }}'
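Review bot: The `Reload sysctl` task runs `sysctl -p`, which re-reads only /etc/sysctl.conf, so the `etc/sysctl.d/99-workstation.conf` copied a few tasks earlier is not applied until the next boot; change it to `shell: 'sysctl --system'`, which loads /etc/sysctl.d as well. The `Make home directory private` task passes `path: /home/*` to `ansible.builtin.file`, which does not expand globs — with `state: directory` it creates a directory literally named `/home/*` and leaves the real home directories world-readable, so the directories have to be enumerated with `ansible.builtin.find` and looped over, as sketched below. The metalink rewrite is not idempotent: `regexp: '^(metalink=.*)$'` also matches a line that already ends in `&protocol=https`, so every run appends another copy; `regexp: '^(metalink=(?!.*protocol=https).*)$'` limits it to one. Finally, `shell: umask 077` only changes the umask of its own short-lived shell and always reports changed; the login.defs and bashrc edits are what actually take effect, so that task can be dropped.
```yaml
# … unchanged: umask and login.defs tasks above …
- name: Enumerate home directories
  ansible.builtin.find:
    paths: /home
    file_type: directory
    recurse: false
  register: home_dirs
  when: umask_changes == true
- name: Make home directories private
  ansible.builtin.file:
    path: '{{ item.path }}'
    state: directory
    recurse: true
    mode: '0700'
  loop: '{{ home_dirs.files | default([]) }}'
  when: umask_changes == true
# … unchanged: SSH / modprobe / sysctl.d copy task …
- name: Reload sysctl
  shell: 'sysctl --system'
# … unchanged: remaining tasks …
```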


@ -1,91 +1,90 @@
- name: Configure Fedora 41 Gnome Template tasks:
tasks: - name: Fix GNOME environment variable
- name: Fix GNOME environment variable ansible.builtin.lineinfile:
ansible.builtin.lineinfile: dest: '/etc/environment'
dest: '/etc/environment' line: 'XDG_CURRENT_DESKTOP=GNOME'
line: 'XDG_CURRENT_DESKTOP=GNOME' - name: Upgrade all packages
- name: Upgrade all packages ansible.builtin.dnf5:
ansible.builtin.dnf5: name: "*"
name: "*" state: latest
state: latest
- name: Mark packages as manually installed to avoid removal - name: Mark packages as manually installed to avoid removal
shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y' shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
- name: Remove unnecessary stuff from the template - name: Remove unnecessary stuff from the template
ansible.builtin.dnf5: ansible.builtin.dnf5:
name: name:
- '@Container Management' - '@Container Management'
- '@Desktop Accessibility' - '@Desktop Accessibility'
- '@Guest Desktop Agents' - '@Guest Desktop Agents'
- '@Printing Support' - '@Printing Support'
- 'gnome-software' - 'gnome-software'
- 'httpd' - 'httpd'
- 'keepassxc' - 'keepassxc'
- 'thunderbird' - 'thunderbird'
- 'fedora-bookmarks' - 'fedora-bookmarks'
- 'fedora-chromium-config' - 'fedora-chromium-config'
- 'samba-client' - 'samba-client'
- 'gvfs-smb' - 'gvfs-smb'
- 'NetworkManager-pptp-gnome' - 'NetworkManager-pptp-gnome'
- 'NetworkManager-ssh-gnome' - 'NetworkManager-ssh-gnome'
- 'NetworkManager-openconnect-gnome' - 'NetworkManager-openconnect-gnome'
- 'NetworkManager-openvpn-gnome' - 'NetworkManager-openvpn-gnome'
- 'NetworkManager-vpnc-gnome' - 'NetworkManager-vpnc-gnome'
- 'ppp*' - 'ppp*'
- 'ModemManager' - 'ModemManager'
- 'baobab' - 'baobab'
- 'chrome-gnome-shell' - 'chrome-gnome-shell'
- 'eog' - 'eog'
- 'gnome-boxes' - 'gnome-boxes'
- 'gnome-calculator' - 'gnome-calculator'
- 'gnome-calendar' - 'gnome-calendar'
- 'gnome-characters' - 'gnome-characters'
- 'gnome-classic*' - 'gnome-classic*'
- 'gnome-clocks' - 'gnome-clocks'
- 'gnome-color-manager' - 'gnome-color-manager'
- 'gnome-connections' - 'gnome-connections'
- 'gnome-contacts' - 'gnome-contacts'
- 'gnome-disk-utility' - 'gnome-disk-utility'
- 'gnome-font-viewer' - 'gnome-font-viewer'
- 'gnome-logs' - 'gnome-logs'
- 'gnome-maps' - 'gnome-maps'
- 'gnome-photos' - 'gnome-photos'
- 'gnome-remote-desktop' - 'gnome-remote-desktop'
- 'gnome-screenshot' - 'gnome-screenshot'
- 'gnome-shell-extension-apps-menu' - 'gnome-shell-extension-apps-menu'
- 'gnome-shell-extension-background-logo' - 'gnome-shell-extension-background-logo'
- 'gnome-shell-extension-launch-new-instance' - 'gnome-shell-extension-launch-new-instance'
- 'gnome-shell-extension-places-menu' - 'gnome-shell-extension-places-menu'
- 'gnome-shell-extension-window-list' - 'gnome-shell-extension-window-list'
- 'gnome-text-editor' - 'gnome-text-editor'
- 'gnome-themes-extra' - 'gnome-themes-extra'
- 'gnome-tour' - 'gnome-tour'
- 'gnome-user*' - 'gnome-user*'
- 'gnome-weather' - 'gnome-weather'
- 'loupe' - 'loupe'
- 'snapshot' - 'snapshot'
- 'totem' - 'totem'
- 'cheese' - 'cheese'
- 'evince' - 'evince'
- 'file-roller*' - 'file-roller*'
- 'libreoffice*' - 'libreoffice*'
- 'mediawriter' - 'mediawriter'
- 'rhythmbox' - 'rhythmbox'
- 'yelp' - 'yelp'
- 'lvm2' - 'lvm2'
- 'rng-tools' - 'rng-tools'
- 'thermald' - 'thermald'
state: 'absent' state: 'absent'
allowerasing: true allowerasing: true
autoremove: true autoremove: true
- name: Install custom packages - name: Install custom packages
ansible.builtin.dnf5: ansible.builtin.dnf5:
name: name:
- 'qubes-ctap' - 'qubes-ctap'
- 'qubes-gpg-split' - 'qubes-gpg-split'
- 'ncurses' - 'ncurses'
# - 'gnome-shell' # - 'gnome-shell'
- 'ptyxis' - 'ptyxis'
state: 'present' state: 'present'
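Review bot: The new side of this file still begins with a top-level `tasks:` key followed by the task list; a role's `tasks/main.yml` must be a bare list of tasks and a playbook must be a list of plays, so Ansible rejects the file either way, and this looks like the likely cause of the role-loading failure the commit title is chasing. Unless something other than Ansible consumes these files, delete the `tasks:` line and dedent the list by one level (the same pattern appears in the other three files). Separately, the removal task combines wildcards such as `gnome-user*` and `ppp*` with `allowerasing: true` and `autoremove: true`, which lets dnf erase dependent packages nobody listed; either spell out the package names or drop `allowerasing` so a removal that would pull in dependents fails loudly instead of silently shrinking the template.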


@ -1,49 +1,48 @@
- name: Setup passwordless sudo tasks:
tasks: - name: Check that the sudo-dom0-prompt exists
- name: Check that the sudo-dom0-prompt exists stat:
stat: path: '/etc/authselect/custom/sudo-dom0-prompt'
path: '/etc/authselect/custom/sudo-dom0-prompt' register: stat_result
register: stat_result
- name: Create authselect profile - name: Create authselect profile
shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam
when: not stat_result.stat.exists when: not stat_result.stat.exists
- name: Copy authselect file - name: Copy authselect file
ansible.builtin.copy: ansible.builtin.copy:
src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth' src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside' dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside'
mode: '0644' mode: '0644'
- name: Copy authselect folder - name: Copy authselect folder
ansible.builtin.copy: ansible.builtin.copy:
src: '/etc/authselect/system-auth' src: '/etc/authselect/system-auth'
dest: '/etc/authselect/custom/sudo-dom0-prompt' dest: '/etc/authselect/custom/sudo-dom0-prompt'
mode: '0755' mode: '0755'
- name: Copy authselect file - name: Copy authselect file
ansible.builtin.copy: ansible.builtin.copy:
src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth' src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth'
dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth' dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
mode: '0644' mode: '0644'
- name: Select authselect profile - name: Select authselect profile
shell: authselect select custom/sudo-dom0-prompt shell: authselect select custom/sudo-dom0-prompt
- name: Fix sudoers.d - name: Fix sudoers.d
ansible.builtin.copy: ansible.builtin.copy:
src: 'etc/sudoers.d/qubes' src: 'etc/sudoers.d/qubes'
dest: '/etc/sudoers.d/qubes' dest: '/etc/sudoers.d/qubes'
mode: '0440' mode: '0440'
- name: Check that allow all rule doesn't exist - name: Check that allow all rule doesn't exist
stat: stat:
path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
register: allow_all_result
- name: Delete allow all rule
ansible.builtin.file:
path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules' path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
state: 'absent' register: allow_all_result
when: allow_all_result.stat.exists
- name: Delete allow all rule
ansible.builtin.file:
path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
state: 'absent'
when: allow_all_result.stat.exists
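Review bot: The `Fix sudoers.d` task copies `etc/sudoers.d/qubes` into place without syntax validation, and a malformed sudoers fragment disables sudo for every account on the template; add `validate: '/usr/sbin/visudo -cf %s'` to that copy task so a bad file is rejected before it lands. The backup copy to `system-auth.original_aside` also runs on every play, so after the first run it overwrites the pristine file with the already-customised one; guard it with `when: not stat_result.stat.exists` (the `stat` task at the top already registers that) or add `force: false`. The copy tasks whose `src:` is an absolute path under `/etc/authselect` read from the controller, not the target, unless `remote_src: true` is set — harmless if this runs with a local connection inside the template, otherwise they install the wrong machine's PAM configuration.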


@ -1,17 +1,16 @@
- name: Install trivalent browser tasks:
tasks: - name: Enable hardened_malloc COPR
- name: Enable hardened_malloc COPR shell: 'sudo dnf copr enable secureblue/trivalent -y'
shell: 'sudo dnf copr enable secureblue/trivalent -y'
- name: Enable codecs and stuff - name: Enable codecs and stuff
shell: 'sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1' shell: 'sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1'
- name: Update codecs - name: Update codecs
shell: 'sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin' shell: 'sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'
- name: Install hardened_malloc - name: Install hardened_malloc
ansible.builtin.dnf5: ansible.builtin.dnf5:
name: name:
- ffmpeg - ffmpeg
- trivalent - trivalent
state: 'present' state: 'present'
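Review bot: Two task names here are copy-paste leftovers that misdescribe security-relevant actions: `Enable hardened_malloc COPR` actually enables the `secureblue/trivalent` COPR, and `Install hardened_malloc` installs `ffmpeg` and `trivalent`; rename them to `Enable trivalent COPR` and `Install trivalent and ffmpeg` so the play log shows which third-party repositories were trusted. The `Enable codecs and stuff` task switches on five additional repositories (RPM Fusion free/nonfree and Cisco openh264) with a bare `sudo` inside a `shell` command; the role should rely on `become: true` rather than an embedded `sudo`, and the task deserves a comment stating that it deliberately widens the package trust set. Both `shell` tasks also lack `changed_when`, so they report a change on every run.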