From 4de79354695ed0e429de48cf2d53afbd916a6a18 Mon Sep 17 00:00:00 2001 
From: mustard Date: Tue, 4 Mar 2025 00:28:10 +0100 Subject: [PATCH] Fixing up roles --- development.yaml | 8 + fedora-41-gnome.yaml | 17 ++ .../tasks/main.yaml} | 0 roles/baseline/defaults/main.yaml | 2 + .../files/etc/dconf/db/local.d/adw-gtk3-dark | 0 .../etc/dconf/db/local.d/automount-disable | 0 .../dconf/db/local.d/locks/automount-disable | 0 .../files/etc/dconf/db/local.d/locks/privacy | 0 .../files/etc/dconf/db/local.d/prefer-dark | 0 .../files/etc/dconf/db/local.d/privacy | 0 .../{tasks => }/files/etc/dnf/dnf.conf | 0 roles/baseline/files/etc/environment | 2 + .../{tasks => }/files/etc/ld.so.preload | 0 .../etc/modprobe.d/workstation-blacklist.conf | 115 +++++++++++ .../limits.d/30-disable-coredump.conf | 0 .../{tasks => }/files/etc/skel/flathub.sh | 0 .../files/etc/ssh/ssh_config.d/10-custom.conf | 0 .../files/etc/sysctl.d/99-workstation.conf | 0 .../etc/systemd/coredump.conf.d/disable.conf | 0 .../NetworkManager.service.d/99-brace.conf | 0 .../systemd/user/update-user-flatpaks.service | 0 .../systemd/user/update-user-flatpaks.timer | 0 .../files/etc/systemd/zram-generator.conf | 0 .../files/etc/xdg-desktop-portal/portals.conf | 0 roles/baseline/tasks/main.yaml | 185 +++--------------- .../custom/sudo-dom0-prompt/system-auth | 0 .../files/etc/dconf/db/local.d/adw-gtk3-dark | 0 .../etc/dconf/db/local.d/automount-disable | 0 .../dconf/db/local.d/locks/automount-disable | 0 .../files/etc/dconf/db/local.d/locks/privacy | 0 .../files/etc/dconf/db/local.d/prefer-dark | 0 .../tasks/files/etc/dconf/db/local.d/privacy | 0 .../tasks/files/etc/dnf/dnf.conf | 0 .../tasks/files/etc/environment | 0 .../tasks/files/etc/ld.so.preload | 0 .../etc/modprobe.d/workstation-blacklist.conf | 0 .../limits.d/30-disable-coredump.conf | 0 .../tasks/files/etc/skel/flathub.sh | 0 .../files/etc/ssh/ssh_config.d/10-custom.conf | 0 .../tasks/files/etc/sudoers.d/qubes | 0 .../files/etc/sysctl.d/99-workstation.conf | 0 .../etc/systemd/coredump.conf.d/disable.conf | 0 
.../NetworkManager.service.d/99-brace.conf | 0 .../systemd/user/update-user-flatpaks.service | 0 .../systemd/user/update-user-flatpaks.timer | 0 .../files/etc/systemd/zram-generator.conf | 0 .../files/etc/xdg-desktop-portal/portals.conf | 0 .../defaults/preferences/userjs-arkenfox.js | 0 .../defaults/preferences/userjs-brace.js | 0 roles/gnome/tasks/main.yaml | 91 +++++++++ roles/gnome/vars/main.yaml | 1 + roles/qubes-f41-gnome/tasks/main.yaml | 1 + .../custom/sudo-dom0-prompt/system-auth | 0 .../files/etc/dconf/db/local.d/adw-gtk3-dark | 2 + .../etc/dconf/db/local.d/automount-disable | 4 + .../dconf/db/local.d/locks/automount-disable | 3 + .../files/etc/dconf/db/local.d/locks/privacy | 14 ++ .../files/etc/dconf/db/local.d/prefer-dark | 2 + .../files/etc/dconf/db/local.d/privacy | 16 ++ roles/sudo-dom0-prompt/files/etc/dnf/dnf.conf | 11 ++ .../{tasks => }/files/etc/environment | 0 .../sudo-dom0-prompt/files/etc/ld.so.preload | 1 + .../etc/modprobe.d/workstation-blacklist.conf | 0 .../limits.d/30-disable-coredump.conf | 1 + .../files/etc/skel/flathub.sh | 2 + .../files/etc/ssh/ssh_config.d/10-custom.conf | 2 + .../{tasks => }/files/etc/sudoers.d/qubes | 0 .../files/etc/sysctl.d/99-workstation.conf | 119 +++++++++++ .../etc/systemd/coredump.conf.d/disable.conf | 2 + .../NetworkManager.service.d/99-brace.conf | 28 +++ .../systemd/user/update-user-flatpaks.service | 6 + .../systemd/user/update-user-flatpaks.timer | 9 + .../files/etc/systemd/zram-generator.conf | 4 + .../files/etc/xdg-desktop-portal/portals.conf | 2 + .../defaults/preferences/userjs-arkenfox.js} | 0 .../defaults/preferences/userjs-brace.js | 0 roles/sudo-dom0-prompt/tasks/main.yaml | 2 - roles/trivalent/tasks/main.yaml | 17 ++ 78 files changed, 514 insertions(+), 155 deletions(-) create mode 100644 development.yaml create mode 100644 fedora-41-gnome.yaml rename roles/{baseline/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js => arkenfox/tasks/main.yaml} (100%) create mode 
100644 roles/baseline/defaults/main.yaml rename roles/baseline/{tasks => }/files/etc/dconf/db/local.d/adw-gtk3-dark (100%) rename roles/baseline/{tasks => }/files/etc/dconf/db/local.d/automount-disable (100%) rename roles/baseline/{tasks => }/files/etc/dconf/db/local.d/locks/automount-disable (100%) rename roles/baseline/{tasks => }/files/etc/dconf/db/local.d/locks/privacy (100%) rename roles/baseline/{tasks => }/files/etc/dconf/db/local.d/prefer-dark (100%) rename roles/baseline/{tasks => }/files/etc/dconf/db/local.d/privacy (100%) rename roles/baseline/{tasks => }/files/etc/dnf/dnf.conf (100%) create mode 100644 roles/baseline/files/etc/environment rename roles/baseline/{tasks => }/files/etc/ld.so.preload (100%) create mode 100644 roles/baseline/files/etc/modprobe.d/workstation-blacklist.conf rename roles/baseline/{tasks => }/files/etc/security/limits.d/30-disable-coredump.conf (100%) rename roles/baseline/{tasks => }/files/etc/skel/flathub.sh (100%) rename roles/baseline/{tasks => }/files/etc/ssh/ssh_config.d/10-custom.conf (100%) rename roles/baseline/{tasks => }/files/etc/sysctl.d/99-workstation.conf (100%) rename roles/baseline/{tasks => }/files/etc/systemd/coredump.conf.d/disable.conf (100%) rename roles/baseline/{tasks => }/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf (100%) rename roles/baseline/{tasks => }/files/etc/systemd/user/update-user-flatpaks.service (100%) rename roles/baseline/{tasks => }/files/etc/systemd/user/update-user-flatpaks.timer (100%) rename roles/baseline/{tasks => }/files/etc/systemd/zram-generator.conf (100%) rename roles/baseline/{tasks => }/files/etc/xdg-desktop-portal/portals.conf (100%) rename roles/{baseline => gnome}/tasks/files/etc/authselect/custom/sudo-dom0-prompt/system-auth (100%) rename roles/{sudo-dom0-prompt => gnome}/tasks/files/etc/dconf/db/local.d/adw-gtk3-dark (100%) rename roles/{sudo-dom0-prompt => gnome}/tasks/files/etc/dconf/db/local.d/automount-disable (100%) rename roles/{sudo-dom0-prompt => 
gnome}/tasks/files/etc/dconf/db/local.d/locks/automount-disable (100%) rename roles/{sudo-dom0-prompt => gnome}/tasks/files/etc/dconf/db/local.d/locks/privacy (100%) rename roles/{sudo-dom0-prompt => gnome}/tasks/files/etc/dconf/db/local.d/prefer-dark (100%) rename roles/{sudo-dom0-prompt => gnome}/tasks/files/etc/dconf/db/local.d/privacy (100%) rename roles/{sudo-dom0-prompt => gnome}/tasks/files/etc/dnf/dnf.conf (100%) rename roles/{baseline => gnome}/tasks/files/etc/environment (100%) rename roles/{sudo-dom0-prompt => gnome}/tasks/files/etc/ld.so.preload (100%) rename roles/{baseline => gnome}/tasks/files/etc/modprobe.d/workstation-blacklist.conf (100%) rename roles/{sudo-dom0-prompt => gnome}/tasks/files/etc/security/limits.d/30-disable-coredump.conf (100%) rename roles/{sudo-dom0-prompt => gnome}/tasks/files/etc/skel/flathub.sh (100%) rename roles/{sudo-dom0-prompt => gnome}/tasks/files/etc/ssh/ssh_config.d/10-custom.conf (100%) rename roles/{baseline => gnome}/tasks/files/etc/sudoers.d/qubes (100%) rename roles/{sudo-dom0-prompt => gnome}/tasks/files/etc/sysctl.d/99-workstation.conf (100%) rename roles/{sudo-dom0-prompt => gnome}/tasks/files/etc/systemd/coredump.conf.d/disable.conf (100%) rename roles/{sudo-dom0-prompt => gnome}/tasks/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf (100%) rename roles/{sudo-dom0-prompt => gnome}/tasks/files/etc/systemd/user/update-user-flatpaks.service (100%) rename roles/{sudo-dom0-prompt => gnome}/tasks/files/etc/systemd/user/update-user-flatpaks.timer (100%) rename roles/{sudo-dom0-prompt => gnome}/tasks/files/etc/systemd/zram-generator.conf (100%) rename roles/{sudo-dom0-prompt => gnome}/tasks/files/etc/xdg-desktop-portal/portals.conf (100%) rename roles/{sudo-dom0-prompt => gnome}/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js (100%) rename roles/{baseline => gnome}/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js (100%) create mode 100644 
roles/gnome/tasks/main.yaml create mode 100644 roles/gnome/vars/main.yaml rename roles/sudo-dom0-prompt/{tasks => }/files/etc/authselect/custom/sudo-dom0-prompt/system-auth (100%) create mode 100644 roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/adw-gtk3-dark create mode 100644 roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/automount-disable create mode 100644 roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/automount-disable create mode 100644 roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/privacy create mode 100644 roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/prefer-dark create mode 100644 roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/privacy create mode 100644 roles/sudo-dom0-prompt/files/etc/dnf/dnf.conf rename roles/sudo-dom0-prompt/{tasks => }/files/etc/environment (100%) create mode 100644 roles/sudo-dom0-prompt/files/etc/ld.so.preload rename roles/sudo-dom0-prompt/{tasks => }/files/etc/modprobe.d/workstation-blacklist.conf (100%) create mode 100644 roles/sudo-dom0-prompt/files/etc/security/limits.d/30-disable-coredump.conf create mode 100644 roles/sudo-dom0-prompt/files/etc/skel/flathub.sh create mode 100644 roles/sudo-dom0-prompt/files/etc/ssh/ssh_config.d/10-custom.conf rename roles/sudo-dom0-prompt/{tasks => }/files/etc/sudoers.d/qubes (100%) create mode 100644 roles/sudo-dom0-prompt/files/etc/sysctl.d/99-workstation.conf create mode 100644 roles/sudo-dom0-prompt/files/etc/systemd/coredump.conf.d/disable.conf create mode 100644 roles/sudo-dom0-prompt/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf create mode 100644 roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.service create mode 100644 roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.timer create mode 100644 roles/sudo-dom0-prompt/files/etc/systemd/zram-generator.conf create mode 100644 roles/sudo-dom0-prompt/files/etc/xdg-desktop-portal/portals.conf rename 
roles/sudo-dom0-prompt/{tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js => files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js} (100%)
create mode 100644 roles/sudo-dom0-prompt/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js
create mode 100644 roles/trivalent/tasks/main.yaml
diff --git a/development.yaml b/development.yaml
new file mode 100644
index 0000000..cb51c54
--- /dev/null
+++ b/development.yaml
@@ -0,0 +1,8 @@
+- name: Configure Fedora 41 Gnome Template
+ hosts: 127.0.0.1
+ connection: local
+ tasks:
+ - ansible.builtin.include_role:
+ name: 'baseline'
+ vars:
+ umask_changes: 'false'
\ No newline at end of file
diff --git a/fedora-41-gnome.yaml b/fedora-41-gnome.yaml
new file mode 100644
index 0000000..51f5136
--- /dev/null
+++ b/fedora-41-gnome.yaml
@@ -0,0 +1,17 @@
+- name: Configure Fedora 41 Gnome Template
+ hosts: 127.0.0.1
+ connection: local
+ tasks:
+ - ansible.builtin.include_role:
+ name: 'baseline'
+ vars:
+ umask_changes: false
+ manage_network: true
+ - ansible.builtin.include_role:
+ name: gnome
+ - ansible.builtin.include_role:
+ name: sudo-dom0-prompt
+ - ansible.builtin.include-role:
+ name: trivalent
+ - ansible.builtin.include-role:
+ name: arkenfox
\ No newline at end of file
diff --git a/roles/baseline/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js b/roles/arkenfox/tasks/main.yaml
similarity index 100%
rename from roles/baseline/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js
rename to roles/arkenfox/tasks/main.yaml
diff --git a/roles/baseline/defaults/main.yaml b/roles/baseline/defaults/main.yaml
new file mode 100644
index 0000000..f2b9512
--- /dev/null
+++ b/roles/baseline/defaults/main.yaml
@@ -0,0 +1,2 @@
+umask_changes: false
+manage_network: true
\ No newline at end of file
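Review bot: `umask_changes: 'false'` on the last added line of development.yaml is a quoted string, while roles/baseline/defaults/main.yaml in this same commit declares the variable as the boolean `false` and the baseline tasks gate on `when: umask_changes == true`; the string `'false'` happens to compare unequal to `true`, but so would the string `'true'`, so the umask tasks could never be switched on from this playbook. Drop the quotes, `umask_changes: false`, to match fedora-41-gnome.yaml, and consider making the role-side tests tolerant of either form with `when: umask_changes | bool`. The play name `Configure Fedora 41 Gnome Template` is copied verbatim from fedora-41-gnome.yaml; a name that says this is the development variant would make `ansible-playbook` output distinguishable.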
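Review bot: The last two role includes in fedora-41-gnome.yaml use `ansible.builtin.include-role` (hyphen), which is not a module name; the first three correctly use `ansible.builtin.include_role`, so the play fails at parse time with an unresolved-module error before any role runs. Change both lines to `- ansible.builtin.include_role:`. Separately, the `arkenfox` role included here gets its `roles/arkenfox/tasks/main.yaml` from a 100% rename of `userjs-arkenfox.js` (the rename header right after this hunk), so that tasks file currently holds Firefox preference JavaScript rather than a task list; the user.js presumably belongs under `roles/arkenfox/files/...` with a copy task in a real `tasks/main.yaml`. The preamble also shows `userjs-brace.js` renamed to `userjs-arkenfox.js` inside roles/sudo-dom0-prompt, so that file's content is worth re-checking against its name.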
diff --git a/roles/baseline/tasks/files/etc/dconf/db/local.d/adw-gtk3-dark b/roles/baseline/files/etc/dconf/db/local.d/adw-gtk3-dark similarity index 100% rename from roles/baseline/tasks/files/etc/dconf/db/local.d/adw-gtk3-dark rename to roles/baseline/files/etc/dconf/db/local.d/adw-gtk3-dark diff --git a/roles/baseline/tasks/files/etc/dconf/db/local.d/automount-disable b/roles/baseline/files/etc/dconf/db/local.d/automount-disable similarity index 100% rename from roles/baseline/tasks/files/etc/dconf/db/local.d/automount-disable rename to roles/baseline/files/etc/dconf/db/local.d/automount-disable diff --git a/roles/baseline/tasks/files/etc/dconf/db/local.d/locks/automount-disable b/roles/baseline/files/etc/dconf/db/local.d/locks/automount-disable similarity index 100% rename from roles/baseline/tasks/files/etc/dconf/db/local.d/locks/automount-disable rename to roles/baseline/files/etc/dconf/db/local.d/locks/automount-disable diff --git a/roles/baseline/tasks/files/etc/dconf/db/local.d/locks/privacy b/roles/baseline/files/etc/dconf/db/local.d/locks/privacy similarity index 100% rename from roles/baseline/tasks/files/etc/dconf/db/local.d/locks/privacy rename to roles/baseline/files/etc/dconf/db/local.d/locks/privacy diff --git a/roles/baseline/tasks/files/etc/dconf/db/local.d/prefer-dark b/roles/baseline/files/etc/dconf/db/local.d/prefer-dark similarity index 100% rename from roles/baseline/tasks/files/etc/dconf/db/local.d/prefer-dark rename to roles/baseline/files/etc/dconf/db/local.d/prefer-dark diff --git a/roles/baseline/tasks/files/etc/dconf/db/local.d/privacy b/roles/baseline/files/etc/dconf/db/local.d/privacy similarity index 100% rename from roles/baseline/tasks/files/etc/dconf/db/local.d/privacy rename to roles/baseline/files/etc/dconf/db/local.d/privacy 
diff --git a/roles/baseline/tasks/files/etc/dnf/dnf.conf b/roles/baseline/files/etc/dnf/dnf.conf
similarity index 100%
rename from roles/baseline/tasks/files/etc/dnf/dnf.conf
rename to roles/baseline/files/etc/dnf/dnf.conf
diff --git a/roles/baseline/files/etc/environment b/roles/baseline/files/etc/environment
new file mode 100644
index 0000000..22eebdc
--- /dev/null
+++ b/roles/baseline/files/etc/environment
@@ -0,0 +1,2 @@
+JavaScriptCoreUseJIT=0
+GJS_DISABLE_JIT=1
\ No newline at end of file
diff --git a/roles/baseline/tasks/files/etc/ld.so.preload b/roles/baseline/files/etc/ld.so.preload
similarity index 100%
rename from roles/baseline/tasks/files/etc/ld.so.preload
rename to roles/baseline/files/etc/ld.so.preload
diff --git a/roles/baseline/files/etc/modprobe.d/workstation-blacklist.conf b/roles/baseline/files/etc/modprobe.d/workstation-blacklist.conf
new file mode 100644
index 0000000..6eaef74
--- /dev/null
+++ b/roles/baseline/files/etc/modprobe.d/workstation-blacklist.conf
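Review bot: This file is installed whole by the baseline `ansible.builtin.copy` loop that still lists `etc/environment` (hunk @@ -80,28 of roles/baseline/tasks/main.yaml), and the new gnome role then appends `XDG_CURRENT_DESKTOP=GNOME` to the same `/etc/environment` with `lineinfile`. On every later run baseline's copy replaces the file and drops the GNOME line, gnome re-adds it, so both tasks report `changed` each time and the run is never idempotent. Have baseline manage its two JIT variables with `lineinfile` as well (e.g. `line: 'GJS_DISABLE_JIT=1'`), or let one role own the file entirely. The old `roles/baseline/tasks/files/etc/environment` was moved to `roles/gnome/tasks/files/etc/environment`, but nothing in the new gnome tasks references it.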
@@ -0,0 +1,115 @@
+# unused network protocols
+install dccp /bin/false
+install sctp /bin/false
+install rds /bin/false
+install tipc /bin/false
+install n-hdlc /bin/false
+install ax25 /bin/false
+install netrom /bin/false
+install x25 /bin/false
+install rose /bin/false
+install decnet /bin/false
+install econet /bin/false
+install af_802154 /bin/false
+install ipx /bin/false
+install appletalk /bin/false
+install psnap /bin/false
+install p8023 /bin/false
+install p8022 /bin/false
+install can /bin/false
+install atm /bin/false
+
+# firewire and thunderbolt
+install firewire-core /bin/false
+install firewire_core /bin/false
+install firewire-ohci /bin/false
+install firewire_ohci /bin/false
+install firewire_sbp2 /bin/false
+install firewire-sbp2 /bin/false
+install firewire-net /bin/false
+install thunderbolt /bin/false
+install ohci1394 /bin/false
+install sbp2 /bin/false
+install dv1394 /bin/false
+install raw1394 /bin/false
+install video1394 /bin/false
+
+# unused filesystems
+install cramfs /bin/false
+install freevxfs /bin/false
+install jffs2 /bin/false
+# I think blacklisting hfs or hfsplus breaks USBs, but not sure
+install hfs /bin/false
+install hfsplus /bin/false
+install squashfs /bin/false
+install udf /bin/false
+install cifs /bin/false
+install nfs /bin/false
+install nfsv3 /bin/false
+install nfsv4 /bin/false
+install ksmbd /bin/false
+install gfs2 /bin/false
+install reiserfs /bin/false
+install kafs /bin/false
+install orangefs /bin/false
+install 9p /bin/false
+install adfs /bin/false
+install affs /bin/false
+install afs /bin/false
+install befs /bin/false
+install ceph /bin/false
+install coda /bin/false
+install ecryptfs /bin/false
+install erofs /bin/false
+install jfs /bin/false
+install minix /bin/false
+install netfs /bin/false
+install nilfs2 /bin/false
+install ocfs2 /bin/false
+install romfs /bin/false
+install ubifs /bin/false
+install zonefs /bin/false
+install sysv /bin/false
+install ufs /bin/false
+
+# disable vivid
+install vivid /bin/false
+
+# disable GNSS
+install gnss /bin/false
+install gnss-mtk /bin/false
+install gnss-serial /bin/false
+install gnss-sirf /bin/false
+install gnss-usb /bin/false
+install gnss-ubx /bin/false
+
+# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
+install bluetooth /bin/false
+install btusb /bin/false
+
+# blacklist ath_pci
+blacklist ath_pci
+
+# blacklist cdrom
+blacklist cdrom
+blacklist sr_mod
+
+# blacklist framebuffer drivers
+# source, ubuntu: https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf
+blacklist cyber2000fb
+blacklist cyblafb
+blacklist gx1fb
+blacklist hgafb
+blacklist kyrofb
+blacklist lxfb
+blacklist matroxfb_base
+blacklist neofb
+blacklist nvidiafb
+blacklist pm2fb
+blacklist s1d13xxxfb
+blacklist sisfb
+blacklist tdfxfb
+blacklist vesafb
+blacklist vfb
+blacklist vt8623fb
+blacklist udlfb
diff --git a/roles/baseline/tasks/files/etc/security/limits.d/30-disable-coredump.conf b/roles/baseline/files/etc/security/limits.d/30-disable-coredump.conf
similarity index 100%
rename from roles/baseline/tasks/files/etc/security/limits.d/30-disable-coredump.conf
rename to roles/baseline/files/etc/security/limits.d/30-disable-coredump.conf
diff --git a/roles/baseline/tasks/files/etc/skel/flathub.sh b/roles/baseline/files/etc/skel/flathub.sh
similarity index 100%
rename from roles/baseline/tasks/files/etc/skel/flathub.sh
rename to roles/baseline/files/etc/skel/flathub.sh
diff --git a/roles/baseline/tasks/files/etc/ssh/ssh_config.d/10-custom.conf b/roles/baseline/files/etc/ssh/ssh_config.d/10-custom.conf
similarity index 100%
rename from roles/baseline/tasks/files/etc/ssh/ssh_config.d/10-custom.conf
rename to roles/baseline/files/etc/ssh/ssh_config.d/10-custom.conf
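Review bot: The file mixes two mechanisms of different strength: the `install <module> /bin/false` lines make every load attempt fail, whereas the `blacklist` lines for `ath_pci`, `cdrom`, `sr_mod` and the framebuffer drivers only suppress alias-based autoloading, so those modules still load on an explicit request or as a dependency of another module. If cdrom/sr_mod are meant to be disabled like the rest, use `install cdrom /bin/false` and `install sr_mod /bin/false`; if the softer form is deliberate for the Ubuntu-derived framebuffer list, a comment saying so would stop the next reader from "fixing" it. modprobe treats `-` and `_` as the same character in module names, so the `firewire-core`/`firewire_core`, `firewire-ohci`/`firewire_ohci` and `firewire_sbp2`/`firewire-sbp2` pairs are redundant, and the hedged `I think blacklisting hfs or hfsplus breaks USBs, but not sure` comment should be resolved before this ships as a baseline. The same blacklist now also lives under `roles/gnome/tasks/files/` and `roles/sudo-dom0-prompt/files/` (renames in the preamble), which invites silent drift between three copies.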
diff --git a/roles/baseline/tasks/files/etc/sysctl.d/99-workstation.conf b/roles/baseline/files/etc/sysctl.d/99-workstation.conf similarity index 100% rename from roles/baseline/tasks/files/etc/sysctl.d/99-workstation.conf rename to roles/baseline/files/etc/sysctl.d/99-workstation.conf diff --git a/roles/baseline/tasks/files/etc/systemd/coredump.conf.d/disable.conf b/roles/baseline/files/etc/systemd/coredump.conf.d/disable.conf similarity index 100% rename from roles/baseline/tasks/files/etc/systemd/coredump.conf.d/disable.conf rename to roles/baseline/files/etc/systemd/coredump.conf.d/disable.conf diff --git a/roles/baseline/tasks/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf b/roles/baseline/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf similarity index 100% rename from roles/baseline/tasks/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf rename to roles/baseline/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf diff --git a/roles/baseline/tasks/files/etc/systemd/user/update-user-flatpaks.service b/roles/baseline/files/etc/systemd/user/update-user-flatpaks.service similarity index 100% rename from roles/baseline/tasks/files/etc/systemd/user/update-user-flatpaks.service rename to roles/baseline/files/etc/systemd/user/update-user-flatpaks.service diff --git a/roles/baseline/tasks/files/etc/systemd/user/update-user-flatpaks.timer b/roles/baseline/files/etc/systemd/user/update-user-flatpaks.timer similarity index 100% rename from roles/baseline/tasks/files/etc/systemd/user/update-user-flatpaks.timer rename to roles/baseline/files/etc/systemd/user/update-user-flatpaks.timer diff --git a/roles/baseline/tasks/files/etc/systemd/zram-generator.conf b/roles/baseline/files/etc/systemd/zram-generator.conf similarity index 100% rename from roles/baseline/tasks/files/etc/systemd/zram-generator.conf rename to roles/baseline/files/etc/systemd/zram-generator.conf 
diff --git a/roles/baseline/tasks/files/etc/xdg-desktop-portal/portals.conf b/roles/baseline/files/etc/xdg-desktop-portal/portals.conf similarity index 100% rename from roles/baseline/tasks/files/etc/xdg-desktop-portal/portals.conf rename to roles/baseline/files/etc/xdg-desktop-portal/portals.conf diff --git a/roles/baseline/tasks/main.yaml b/roles/baseline/tasks/main.yaml index 47eea0d..14d7daf 100644 --- a/roles/baseline/tasks/main.yaml +++ b/roles/baseline/tasks/main.yaml @@ -1,6 +1,4 @@ -- name: Configure Fedora 41 Gnome Template - hosts: 127.0.0.1 - connection: local +- name: Baseline hardening for all templates tasks: - name: Kill debug-shell service ansible.builtin.systemd_service: @@ -10,25 +8,30 @@ ansible.builtin.systemd_service: name: kdump.service masked: true + - name: Set umask to 077 shell: umask 077 - name: Set umask to 077 in login.defs ansible.builtin.replace: - path: /etc/login.defs - regexp: '^UMASK.*' - replace: 'UMASK 077' + path: /etc/login.defs + regexp: '^UMASK.*' + replace: 'UMASK 077' + when: umask_changes == true - name: Set umask to 077 in logins.defs ansible.builtin.replace: - path: /etc/login.defs - regexp: '^HOME_MODE' - replace: '#HOME_MODE' + path: /etc/login.defs + regexp: '^HOME_MODE' + replace: '#HOME_MODE' + when: umask_changes == true - name: Set umask to 077 in bashrc ansible.builtin.replace: path: /etc/bashrc regexp: 'umask 022' replace: 'umask 077' + when: umask_changes == true + - name: Make home directory private ansible.builtin.file: @@ -36,6 +39,7 @@ state: directory recurse: true mode: '0700' + when: umask_changes == true - name: Harden SSH, add kernel blacklist and hardening ansible.builtin.copy: 
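Review bot: `roles/baseline/tasks/main.yaml` is a role tasks file and must be a flat list of tasks, but the new first hunk keeps `- name: Baseline hardening for all templates` with a nested `tasks:` key, which makes the whole file one task with an unknown attribute; Ansible rejects it with `'tasks' is not a valid attribute for a Task` as soon as `include_role` loads it. Remove the wrapper (the `- name:` and `tasks:` lines) and dedent every task one level; the `hosts`/`connection` context now comes from fedora-41-gnome.yaml and development.yaml. The new `roles/gnome/tasks/main.yaml` (@@ -0,0 +1,91) has the same shape, and `roles/qubes-f41-gnome/tasks/main.yaml` shares pre-image blob 47eea0d with this file, so it presumably still carries the old play header too.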
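Review bot: In the @@ -10,25 hunk every umask task gained `when: umask_changes == true` except `shell: umask 077`, which now runs unconditionally; it is also a no-op, since `umask` only changes the mask of the shell Ansible spawns for that task, so the task can simply be dropped. The `== true` comparisons here, in @@ -36,6 and for `manage_network` in @@ -72,6 break against the quoted `'false'` that development.yaml passes; `when: umask_changes | bool` and `when: manage_network | bool` accept both forms. The two login.defs tasks still share near-identical names (`Set umask to 077 in login.defs` / `... in logins.defs`), which makes log reading and `--start-at-task` ambiguous.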
@@ -72,6 +76,15 @@ path: '/etc/systemd/system/NetworkManager.service.d' state: 'directory' mode: '0755' + when: manage_network == true + + - name: Copy dconf files + xdg-desktop-portals fix + Network manager + ansible.builtin.copy: + src: 'etc/systemd/system/NetworkManager.service.d/99-brace.conf' + dest: '/etc/systemd/system/NetworkManager.service.d/99-brace.conf' + mode: '0644' + when: manage_network == true + - name: Copy dconf files + xdg-desktop-portals fix + Network manager ansible.builtin.copy: src: '{{ item }}' @@ -80,28 +93,28 @@ loop: - 'etc/security/limits.d/30-disable-coredump.conf' - 'etc/systemd/coredump.conf.d/disable.conf' - - 'etc/dconf/db/local.d/locks/automount-disable' - 'etc/dconf/db/local.d/locks/privacy' - - 'etc/dconf/db/local.d/adw-gtk3-dark' - - 'etc/dconf/db/local.d/automount-disable' - - 'etc/dconf/db/local.d/prefer-dark' - 'etc/dconf/db/local.d/privacy' - - 'etc/xdg-desktop-portal/portals.conf' - - 'etc/systemd/system/NetworkManager.service.d/99-brace.conf' - name: Update dconf shell: sudo dconf update - - name: Setup ZRAM, flatpak updater and environment variables to disable GJS, WebkitGTK JIT, and fix GNOME env variable + - name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT ansible.builtin.copy: src: '{{ item }}' dest: '/{{ item }}' - mode: '0600' + mode: '0644' loop: - 'etc/systemd/zram-generator.conf' - 'etc/systemd/user/update-user-flatpaks.service' - 'etc/systemd/user/update-user-flatpaks.timer' - - 'etc/environment' + - 'etc/environment' + + - name: Drop flathub script to homedir for any new appvms created based on this template + ansible.builtin.copy: + src: 'etc/skel/flathub.sh' + dest: '/etc/skel/flathub.sh' + mode: '0700' - name: Upgrade all packages ansible.builtin.dnf5: 
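Review bot: The new NetworkManager drop-in task in @@ -72,6 reuses the name `Copy dconf files + xdg-desktop-portals fix + Network manager` of the loop task right after it, so two consecutive tasks print the same name although one copies `99-brace.conf` and the other coredump/dconf files; rename it, e.g. `- name: Install NetworkManager service drop-in`, and drop `+ Network manager` from the loop task's name now that the drop-in left its loop. The `mode: '0600'` to `'0644'` change in @@ -80,28 is correct for `/etc/environment` and the `/etc/systemd/user/*` units, which unprivileged sessions must be able to read. The dconf entries `adw-gtk3-dark`, `automount-disable`, `locks/automount-disable` and `prefer-dark` were removed from the loop while their files were moved into `roles/baseline/files/` and are now unused; if they are meant for the gnome role, nothing in the new gnome tasks copies them yet.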
@@ -111,84 +124,6 @@ - name: Mark packages as manually installed to avoid removal shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y' - - name: Remove unnecessary stuff from the template - ansible.builtin.dnf5: - name: - - '@Container Management' - - '@Desktop Accessibility' - - '@Guest Desktop Agents' - - '@Printing Support' - - 'gnome-software' - - 'httpd' - - 'keepassxc' - - 'thunderbird' - - 'fedora-bookmarks' - - 'fedora-chromium-config' - - 'samba-client' - - 'gvfs-smb' - - 'NetworkManager-pptp-gnome' - - 'NetworkManager-ssh-gnome' - - 'NetworkManager-openconnect-gnome' - - 'NetworkManager-openvpn-gnome' - - 'NetworkManager-vpnc-gnome' - - 'ppp*' - - 'ModemManager' - - 'baobab' - - 'chrome-gnome-shell' - - 'eog' - - 'gnome-boxes' - - 'gnome-calculator' - - 'gnome-calendar' - - 'gnome-characters' - - 'gnome-classic*' - - 'gnome-clocks' - - 'gnome-color-manager' - - 'gnome-connections' - - 'gnome-contacts' - - 'gnome-disk-utility' - - 'gnome-font-viewer' - - 'gnome-logs' - - 'gnome-maps' - - 'gnome-photos' - - 'gnome-remote-desktop' - - 'gnome-screenshot' - - 'gnome-shell-extension-apps-menu' - - 'gnome-shell-extension-background-logo' - - 'gnome-shell-extension-launch-new-instance' - - 'gnome-shell-extension-places-menu' - - 'gnome-shell-extension-window-list' - - 'gnome-text-editor' - - 'gnome-themes-extra' - - 'gnome-tour' - - 'gnome-user*' - - 'gnome-weather' - - 'loupe' - - 'snapshot' - - 'totem' - - 'cheese' - - 'evince' - - 'file-roller*' - - 'libreoffice*' - - 'mediawriter' - - 'rhythmbox' - - 'yelp' - - 'lvm2' - - 'rng-tools' - - 'thermald' - state: 'absent' - allowerasing: true - autoremove: true - - - name: Install custom packages - ansible.builtin.dnf5: - name: - - 'qubes-ctap' - - 'qubes-gpg-split' - - 'adw-gtk3-theme' - - 'ncurses' - - 'gnome-shell' - - 'ptyxis' - state: 'present' - name: Enable hardened_malloc COPR shell: 'sudo dnf copr enable secureblue/hardened_malloc -y' 
@@ -225,60 +160,4 @@ path: '{{ item.path }}' regexp: '^(metalink=.*)$' line: '\1&protocol=https' - loop: '{{ found_files.files }}' - - - name: Check that the sudo-dom0-prompt exists - stat: - path: '/etc/authselect/custom/sudo-dom0-prompt' - register: stat_result - - - name: Create authselect profile - shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam - when: not stat_result.stat.exists - - name: Copy authselect file - ansible.builtin.copy: - src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth' - dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside' - mode: '0644' - - - - name: Copy authselect folder - ansible.builtin.copy: - src: '/etc/authselect/system-auth' - dest: '/etc/authselect/custom/sudo-dom0-prompt' - mode: '0755' - - - name: Copy authselect file - ansible.builtin.copy: - src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth' - dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth' - mode: '0644' - - - - name: Select authselect profile - shell: authselect select custom/sudo-dom0-prompt - - - name: Fix sudoers.d - ansible.builtin.copy: - src: 'etc/sudoers.d/qubes' - dest: '/etc/sudoers.d/qubes' - mode: '0440' - - - name: Check that allow all rule doesn't exist - stat: - path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules' - register: allow_all_result - - - name: Delete allow all rule - ansible.builtin.file: - path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules' - state: 'absent' - when: allow_all_result.stat.exists - - - - - name: Drop flathub script to homedir for any new appvms created based on this template - ansible.builtin.copy: - src: 'etc/skel/flathub.sh' - dest: '/etc/skel/flathub.sh' - mode: '0700' \ No newline at end of file + loop: '{{ found_files.files }}' \ No newline at end of file 
diff --git a/roles/baseline/tasks/files/etc/authselect/custom/sudo-dom0-prompt/system-auth b/roles/gnome/tasks/files/etc/authselect/custom/sudo-dom0-prompt/system-auth similarity index 100% rename from roles/baseline/tasks/files/etc/authselect/custom/sudo-dom0-prompt/system-auth rename to roles/gnome/tasks/files/etc/authselect/custom/sudo-dom0-prompt/system-auth diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/dconf/db/local.d/adw-gtk3-dark b/roles/gnome/tasks/files/etc/dconf/db/local.d/adw-gtk3-dark similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/etc/dconf/db/local.d/adw-gtk3-dark rename to roles/gnome/tasks/files/etc/dconf/db/local.d/adw-gtk3-dark diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/dconf/db/local.d/automount-disable b/roles/gnome/tasks/files/etc/dconf/db/local.d/automount-disable similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/etc/dconf/db/local.d/automount-disable rename to roles/gnome/tasks/files/etc/dconf/db/local.d/automount-disable diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/dconf/db/local.d/locks/automount-disable b/roles/gnome/tasks/files/etc/dconf/db/local.d/locks/automount-disable similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/etc/dconf/db/local.d/locks/automount-disable rename to roles/gnome/tasks/files/etc/dconf/db/local.d/locks/automount-disable diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/dconf/db/local.d/locks/privacy b/roles/gnome/tasks/files/etc/dconf/db/local.d/locks/privacy similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/etc/dconf/db/local.d/locks/privacy rename to roles/gnome/tasks/files/etc/dconf/db/local.d/locks/privacy diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/dconf/db/local.d/prefer-dark b/roles/gnome/tasks/files/etc/dconf/db/local.d/prefer-dark similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/etc/dconf/db/local.d/prefer-dark rename to roles/gnome/tasks/files/etc/dconf/db/local.d/prefer-dark 
diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/dconf/db/local.d/privacy b/roles/gnome/tasks/files/etc/dconf/db/local.d/privacy similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/etc/dconf/db/local.d/privacy rename to roles/gnome/tasks/files/etc/dconf/db/local.d/privacy diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/dnf/dnf.conf b/roles/gnome/tasks/files/etc/dnf/dnf.conf similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/etc/dnf/dnf.conf rename to roles/gnome/tasks/files/etc/dnf/dnf.conf diff --git a/roles/baseline/tasks/files/etc/environment b/roles/gnome/tasks/files/etc/environment similarity index 100% rename from roles/baseline/tasks/files/etc/environment rename to roles/gnome/tasks/files/etc/environment diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/ld.so.preload b/roles/gnome/tasks/files/etc/ld.so.preload similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/etc/ld.so.preload rename to roles/gnome/tasks/files/etc/ld.so.preload diff --git a/roles/baseline/tasks/files/etc/modprobe.d/workstation-blacklist.conf b/roles/gnome/tasks/files/etc/modprobe.d/workstation-blacklist.conf similarity index 100% rename from roles/baseline/tasks/files/etc/modprobe.d/workstation-blacklist.conf rename to roles/gnome/tasks/files/etc/modprobe.d/workstation-blacklist.conf diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/security/limits.d/30-disable-coredump.conf b/roles/gnome/tasks/files/etc/security/limits.d/30-disable-coredump.conf similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/etc/security/limits.d/30-disable-coredump.conf rename to roles/gnome/tasks/files/etc/security/limits.d/30-disable-coredump.conf diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/skel/flathub.sh b/roles/gnome/tasks/files/etc/skel/flathub.sh similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/etc/skel/flathub.sh rename to roles/gnome/tasks/files/etc/skel/flathub.sh 
diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/ssh/ssh_config.d/10-custom.conf b/roles/gnome/tasks/files/etc/ssh/ssh_config.d/10-custom.conf similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/etc/ssh/ssh_config.d/10-custom.conf rename to roles/gnome/tasks/files/etc/ssh/ssh_config.d/10-custom.conf diff --git a/roles/baseline/tasks/files/etc/sudoers.d/qubes b/roles/gnome/tasks/files/etc/sudoers.d/qubes similarity index 100% rename from roles/baseline/tasks/files/etc/sudoers.d/qubes rename to roles/gnome/tasks/files/etc/sudoers.d/qubes diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/sysctl.d/99-workstation.conf b/roles/gnome/tasks/files/etc/sysctl.d/99-workstation.conf similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/etc/sysctl.d/99-workstation.conf rename to roles/gnome/tasks/files/etc/sysctl.d/99-workstation.conf diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/systemd/coredump.conf.d/disable.conf b/roles/gnome/tasks/files/etc/systemd/coredump.conf.d/disable.conf similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/etc/systemd/coredump.conf.d/disable.conf rename to roles/gnome/tasks/files/etc/systemd/coredump.conf.d/disable.conf diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf b/roles/gnome/tasks/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf rename to roles/gnome/tasks/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/systemd/user/update-user-flatpaks.service b/roles/gnome/tasks/files/etc/systemd/user/update-user-flatpaks.service similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/etc/systemd/user/update-user-flatpaks.service rename to roles/gnome/tasks/files/etc/systemd/user/update-user-flatpaks.service 
diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/systemd/user/update-user-flatpaks.timer b/roles/gnome/tasks/files/etc/systemd/user/update-user-flatpaks.timer similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/etc/systemd/user/update-user-flatpaks.timer rename to roles/gnome/tasks/files/etc/systemd/user/update-user-flatpaks.timer diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/systemd/zram-generator.conf b/roles/gnome/tasks/files/etc/systemd/zram-generator.conf similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/etc/systemd/zram-generator.conf rename to roles/gnome/tasks/files/etc/systemd/zram-generator.conf diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/xdg-desktop-portal/portals.conf b/roles/gnome/tasks/files/etc/xdg-desktop-portal/portals.conf similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/etc/xdg-desktop-portal/portals.conf rename to roles/gnome/tasks/files/etc/xdg-desktop-portal/portals.conf diff --git a/roles/sudo-dom0-prompt/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js b/roles/gnome/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js similarity index 100% rename from roles/sudo-dom0-prompt/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js rename to roles/gnome/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js diff --git a/roles/baseline/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js b/roles/gnome/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js similarity index 100% rename from roles/baseline/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js rename to roles/gnome/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js diff --git a/roles/gnome/tasks/main.yaml b/roles/gnome/tasks/main.yaml new file mode 100644 index 0000000..8424f35 --- /dev/null +++ b/roles/gnome/tasks/main.yaml 
@@ -0,0 +1,91 @@
+- name: Configure Fedora 41 Gnome Template
+ tasks:
+ - name: Fix GNOME environment variable
+ ansible.builtin.lineinfile:
+ dest: '/etc/environment'
+ line: 'XDG_CURRENT_DESKTOP=GNOME'
+ - name: Upgrade all packages
+ ansible.builtin.dnf5:
+ name: "*"
+ state: latest
+
+ - name: Mark packages as manually installed to avoid removal
+ shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
+
+ - name: Remove unnecessary stuff from the template
+ ansible.builtin.dnf5:
+ name:
+ - '@Container Management'
+ - '@Desktop Accessibility'
+ - '@Guest Desktop Agents'
+ - '@Printing Support'
+ - 'gnome-software'
+ - 'httpd'
+ - 'keepassxc'
+ - 'thunderbird'
+ - 'fedora-bookmarks'
+ - 'fedora-chromium-config'
+ - 'samba-client'
+ - 'gvfs-smb'
+ - 'NetworkManager-pptp-gnome'
+ - 'NetworkManager-ssh-gnome'
+ - 'NetworkManager-openconnect-gnome'
+ - 'NetworkManager-openvpn-gnome'
+ - 'NetworkManager-vpnc-gnome'
+ - 'ppp*'
+ - 'ModemManager'
+ - 'baobab'
+ - 'chrome-gnome-shell'
+ - 'eog'
+ - 'gnome-boxes'
+ - 'gnome-calculator'
+ - 'gnome-calendar'
+ - 'gnome-characters'
+ - 'gnome-classic*'
+ - 'gnome-clocks'
+ - 'gnome-color-manager'
+ - 'gnome-connections'
+ - 'gnome-contacts'
+ - 'gnome-disk-utility'
+ - 'gnome-font-viewer'
+ - 'gnome-logs'
+ - 'gnome-maps'
+ - 'gnome-photos'
+ - 'gnome-remote-desktop'
+ - 'gnome-screenshot'
+ - 'gnome-shell-extension-apps-menu'
+ - 'gnome-shell-extension-background-logo'
+ - 'gnome-shell-extension-launch-new-instance'
+ - 'gnome-shell-extension-places-menu'
+ - 'gnome-shell-extension-window-list'
+ - 'gnome-text-editor'
+ - 'gnome-themes-extra'
+ - 'gnome-tour'
+ - 'gnome-user*'
+ - 'gnome-weather'
+ - 'loupe'
+ - 'snapshot'
+ - 'totem'
+ - 'cheese'
+ - 'evince'
+ - 'file-roller*'
+ - 'libreoffice*'
+ - 'mediawriter'
+ - 'rhythmbox'
+ - 'yelp'
+ - 'lvm2'
+ - 'rng-tools'
+ - 'thermald'
+ state: 'absent'
+ allowerasing: true
+ autoremove: true
+
+ - name: Install custom packages
+ ansible.builtin.dnf5:
+ name:
+ - 'qubes-ctap'
+ - 'qubes-gpg-split'
+ - 'ncurses'
+ # - 'gnome-shell'
+ - 'ptyxis'
+ state: 'present'
\ No newline at end of file
diff --git a/roles/gnome/vars/main.yaml b/roles/gnome/vars/main.yaml
new file mode 100644
index 0000000..e353fb5
--- /dev/null
+++ b/roles/gnome/vars/main.yaml
@@ -0,0 +1 @@
+packages_to_remove:
\ No newline at end of file
diff --git a/roles/qubes-f41-gnome/tasks/main.yaml b/roles/qubes-f41-gnome/tasks/main.yaml
index 47eea0d..cfcb6c1 100644
--- a/roles/qubes-f41-gnome/tasks/main.yaml
+++ b/roles/qubes-f41-gnome/tasks/main.yaml
@@ -10,6 +10,7 @@ ansible.builtin.systemd_service: name: kdump.service masked: true + - name: Set umask to 077 shell: umask 077 - name: Set umask to 077 in login.defs
diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/authselect/custom/sudo-dom0-prompt/system-auth b/roles/sudo-dom0-prompt/files/etc/authselect/custom/sudo-dom0-prompt/system-auth
similarity index 100%
rename from roles/sudo-dom0-prompt/tasks/files/etc/authselect/custom/sudo-dom0-prompt/system-auth
rename to roles/sudo-dom0-prompt/files/etc/authselect/custom/sudo-dom0-prompt/system-auth
diff --git a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/adw-gtk3-dark b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/adw-gtk3-dark
new file mode 100644
index 0000000..c6a1e1f
--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/adw-gtk3-dark
@@ -0,0 +1,2 @@
+[org/gnome/desktop/interface]
+gtk-theme='adw-gtk3-dark'
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/automount-disable b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/automount-disable
new file mode 100644
index 0000000..a0d778c
--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/automount-disable
@@ -0,0 +1,4 @@
+[org/gnome/desktop/media-handling]
+automount=false
+automount-open=false
+autorun-never=true
\ No newline at end of file
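Review bot: `roles/gnome/tasks/main.yaml` is written as a play (an outer `- name: Configure Fedora 41 Gnome Template` with a nested `tasks:` list), but a role's `tasks/main.yaml` is loaded as a flat task list in which `tasks` is not a task keyword, so unless these files are consumed via `import_playbook` Ansible should reject them; flattening to the bare task list (drop the wrapper and dedent) is the fix. The same shape is in `roles/trivalent/tasks/main.yaml` and remains in `roles/sudo-dom0-prompt/tasks/main.yaml` after its `hosts`/`connection` lines are removed. `Mark packages as manually installed` shells out to `sudo dnf mark ...` instead of `become: true`, which sidesteps Ansible's privilege escalation and its check mode; `ansible.builtin.command` with `become` keeps the same effect. `roles/gnome/vars/main.yaml` adds an empty `packages_to_remove:` that this task list never references — either move the removal list into it or drop the file.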
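Review bot: The task being labelled here, `shell: umask 077`, has no lasting effect: umask is per-process, so it only changes the mask of the shell Ansible spawns for that one task and leaves nothing behind on the host. The persistent change is the next task, `Set umask to 077 in login.defs`, so this one can simply be removed rather than named. The enclosing task list continues outside the hunk.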
diff --git a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/automount-disable b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/automount-disable
new file mode 100644
index 0000000..345c536
--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/automount-disable
@@ -0,0 +1,3 @@
+org/gnome/desktop/media-handling/automount
+org/gnome/desktop/media-handling/automount-open
+/org/gnome/desktop/media-handling/autorun-never
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/privacy b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/privacy
new file mode 100644
index 0000000..f342bad
--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/privacy
@@ -0,0 +1,14 @@
+/org/gnome/system/location/enabled
+
+/org/gnome/desktop/privacy/remember-recent-files
+/org/gnome/desktop/privacy/remove-old-trash-files
+/org/gnome/desktop/privacy/remove-old-temp-files
+/org/gnome/desktop/privacy/report-technical-problems
+/org/gnome/desktop/privacy/send-software-usage-stats
+/org/gnome/desktop/privacy/remember-app-usage
+
+/org/gnome/online-accounts/whitelisted-providers
+
+/org/gnome/desktop/remote-desktop/rdp/enable
+
+/org/gnome/desktop/remote-desktop/vnc/enable
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/prefer-dark b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/prefer-dark
new file mode 100644
index 0000000..ba1d69f
--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/prefer-dark
@@ -0,0 +1,2 @@
+[org/gnome/desktop/interface]
+color-scheme='prefer-dark'
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/privacy b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/privacy
new file mode 100644
index 0000000..131e18b
--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/privacy
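Review bot: In `locks/automount-disable` the first two entries, `org/gnome/desktop/media-handling/automount` and `org/gnome/desktop/media-handling/automount-open`, lack the leading `/` that the third entry and every key in `locks/privacy` carry. dconf lock files take absolute key paths, so these two are likely to be rejected or ignored by `dconf update`, leaving only `autorun-never` locked while `automount` and `automount-open` stay user-overridable — which defeats the point of a lock on removable-media handling. Change them to `/org/gnome/desktop/media-handling/automount` and `/org/gnome/desktop/media-handling/automount-open`, and verify with `dconf update` that no warning is emitted.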
@@ -0,0 +1,16 @@
+[org/gnome/system/location]
+enabled=false
+
+[org/gnome/desktop/privacy]
+remember-recent-files=false
+remove-old-trash-files=true
+remove-old-temp-files=true
+report-technical-problems=false
+send-software-usage-stats=false
+remember-app-usage=false
+
+[org/gnome/desktop/remote-desktop/rdp]
+enable=false
+
+[org/gnome/desktop/remote-desktop/vnc]
+enable=false
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/dnf/dnf.conf b/roles/sudo-dom0-prompt/files/etc/dnf/dnf.conf
new file mode 100644
index 0000000..b1ebaf6
--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/dnf/dnf.conf
@@ -0,0 +1,11 @@
+[main]
+gpgcheck=True
+installonly_limit=3
+clean_requirements_on_remove=True
+best=False
+skip_if_unavailable=True
+max_parallel_downloads=10
+deltarpm=False
+defaultyes=True
+install_weak_deps=False
+countme=False
diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/environment b/roles/sudo-dom0-prompt/files/etc/environment
similarity index 100%
rename from roles/sudo-dom0-prompt/tasks/files/etc/environment
rename to roles/sudo-dom0-prompt/files/etc/environment
diff --git a/roles/sudo-dom0-prompt/files/etc/ld.so.preload b/roles/sudo-dom0-prompt/files/etc/ld.so.preload
new file mode 100644
index 0000000..96c875c
--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/ld.so.preload
@@ -0,0 +1 @@
+libhardened_malloc.so
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/modprobe.d/workstation-blacklist.conf b/roles/sudo-dom0-prompt/files/etc/modprobe.d/workstation-blacklist.conf
similarity index 100%
rename from roles/sudo-dom0-prompt/tasks/files/etc/modprobe.d/workstation-blacklist.conf
rename to roles/sudo-dom0-prompt/files/etc/modprobe.d/workstation-blacklist.conf
diff --git a/roles/sudo-dom0-prompt/files/etc/security/limits.d/30-disable-coredump.conf b/roles/sudo-dom0-prompt/files/etc/security/limits.d/30-disable-coredump.conf
new file mode 100644
index 0000000..527b136
--- /dev/null
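Review bot: `gpgcheck=True` only covers packages coming from repositories; with `best=False` and `skip_if_unavailable=True` set globally, a repository that fails to answer is silently skipped and a non-best candidate is accepted, so the `Upgrade all packages` task elsewhere in this commit can "succeed" while leaving the template on an older package with no signal in the play output. Consider adding `localpkg_gpgcheck=True` so locally supplied RPMs (third-party release packages, for instance) are signature-checked as well, and scoping `skip_if_unavailable` to the specific optional repositories rather than `[main]`.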
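Review bot: `/etc/ld.so.preload` is honoured by every dynamically linked process on the system, so this file should be deployed only after the package that ships `libhardened_malloc.so` is installed; until then every exec logs an ld.so "cannot be preloaded" error. Nothing in this commit installs that library — the `trivalent` role's task named `Install hardened_malloc` installs `trivalent` and `ffmpeg` — so the ordering looks unenforced; either install the package in the same role before copying this file or guard the copy with a `stat` on the library path. A one-line comment is not possible in this file format, so the dependency belongs in the role's task that copies it.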
+++ b/roles/sudo-dom0-prompt/files/etc/security/limits.d/30-disable-coredump.conf
@@ -0,0 +1 @@
+* hard core 0
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/skel/flathub.sh b/roles/sudo-dom0-prompt/files/etc/skel/flathub.sh
new file mode 100644
index 0000000..bffb01a
--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/skel/flathub.sh
@@ -0,0 +1,2 @@
+flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo
+systemctl enable --user --now update-user-flatpaks.timer
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/ssh/ssh_config.d/10-custom.conf b/roles/sudo-dom0-prompt/files/etc/ssh/ssh_config.d/10-custom.conf
new file mode 100644
index 0000000..440ccda
--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/ssh/ssh_config.d/10-custom.conf
@@ -0,0 +1,2 @@
+GSSAPIAuthentication no
+VerifyHostKeyDNS yes
diff --git a/roles/sudo-dom0-prompt/tasks/files/etc/sudoers.d/qubes b/roles/sudo-dom0-prompt/files/etc/sudoers.d/qubes
similarity index 100%
rename from roles/sudo-dom0-prompt/tasks/files/etc/sudoers.d/qubes
rename to roles/sudo-dom0-prompt/files/etc/sudoers.d/qubes
diff --git a/roles/sudo-dom0-prompt/files/etc/sysctl.d/99-workstation.conf b/roles/sudo-dom0-prompt/files/etc/sysctl.d/99-workstation.conf
new file mode 100644
index 0000000..bcd6bca
--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/sysctl.d/99-workstation.conf
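Review bot: `VerifyHostKeyDNS yes` makes ssh silently accept a host key when the matching SSHFP record arrives marked DNSSEC-validated; the client does not validate DNSSEC itself, so it is trusting whichever resolver the VM is configured with to set that bit honestly, and with a non-validating resolver the option degrades to `ask` behaviour. That trust dependency should be stated next to the directive, e.g. `# Auto-accepts SSHFP-matched keys only from a DNSSEC-validating (AD bit) resolver; otherwise behaves like 'ask'`, or the value should be `ask` if the resolver path is not one you control.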
@@ -0,0 +1,119 @@
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+dev.tty.ldisc_autoload = 0
+
+# https://access.redhat.com/solutions/1985633
+# Seems dangerous.
+# Roseta need this though, so if you use it change it to 1.
+fs.binfmt_misc.status = 0
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
+# Enable fs.protected sysctls.
+fs.protected_regular = 2
+fs.protected_fifos = 2
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
+# Disable coredumps.
+# For additional safety, disable coredumps using ulimit and systemd too.
+kernel.core_pattern=|/bin/false
+fs.suid_dumpable = 0
+
+# Restrict dmesg to CAP_SYS_LOG.
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+kernel.dmesg_restrict = 1
+
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
+# Restrict access to /proc.
+kernel.kptr_restrict = 2
+
+# Not needed, I don't do livepatching and reboot regularly.
+# On a workstation, this shouldn't be used at all. Don't live patch, just reboot.
+kernel.kexec_load_disabled = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Basically, restrict eBPF to CAP_BPF.
+kernel.unprivileged_bpf_disabled = 1
+net.core.bpf_jit_harden = 2
+
+# Needed for Flatpak and Bubblewrap.
+kernel.unprivileged_userns_clone = 1
+
+# Disable ptrace. Not needed on workstations.
+kernel.yama.ptrace_scope = 3
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Restrict performance events from unprivileged users as much as possible.
+# We are using 4 here, since Ubuntu supports such a level.
+# Official Linux kernel documentation only says >= so it probably will work.
+kernel.perf_event_paranoid = 4
+
+# Disable io_uring
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
+# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
+# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
+# on a Proxmox node.
+kernel.io_uring_disabled = 2
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Disable sysrq.
+kernel.sysrq = 0
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
+# Not running a router here, so no redirects.
+net.ipv4.conf.*.send_redirects = 0
+net.ipv4.conf.*.accept_redirects = 0
+net.ipv6.conf.*.accept_redirects = 0
+
+# Check if the source of the IP address is reachable through the same interface it came in
+# Basic IP spoofing mitigation.
+net.ipv4.conf.*.rp_filter = 1
+
+# Do not respond to ICMP.
+net.ipv4.icmp_echo_ignore_all = 1
+net.ipv6.icmp.echo_ignore_all = 1
+
+# Ignore Bogus ICMP responses.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Enable IP Forwarding.
+# Needed for VM networking and whatnot.
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
+# Ignore bogus icmp response.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Protection against time-wait assasination attacks.
+net.ipv4.tcp_rfc1337 = 1
+
+# Enable SYN cookies.
+# Basic SYN flood mitigation.
+net.ipv4.tcp_syncookies = 1
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Make sure TCP timestamp is enabled.
+net.ipv4.tcp_timestamps = 1
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Disable TCP SACK.
+# We have good networking :)
+net.ipv4.tcp_sack = 0
+
+# No SACK, therefore no Duplicated SACK.
+net.ipv4.tcp_dsack = 0
+
+# Improve ALSR effectiveness for mmap.
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Restrict userfaultfd to CAP_SYS_PTRACE.
+# https://bugs.archlinux.org/task/62780
+# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
+# probably not used in the real world at all.
+vm.unprivileged_userfaultfd = 0
diff --git a/roles/sudo-dom0-prompt/files/etc/systemd/coredump.conf.d/disable.conf b/roles/sudo-dom0-prompt/files/etc/systemd/coredump.conf.d/disable.conf
new file mode 100644
index 0000000..4cfe0f8
--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/systemd/coredump.conf.d/disable.conf
@@ -0,0 +1,2 @@
+[Coredump]
+Storage=none
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf b/roles/sudo-dom0-prompt/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf
new file mode 100644
index 0000000..d3ad4a4
--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf
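Review bot: `net.ipv4.icmp_ignore_bogus_error_responses = 1` is set twice in this file (under "Ignore Bogus ICMP responses" and again under the V-38537 reference); keep one so the two cannot drift apart. `kernel.unprivileged_userns_clone` is, as far as I know, a sysctl provided by the Debian/Arch kernel patch rather than mainline, so on a Fedora kernel systemd-sysctl will most likely log an error for that key at every boot — verify on the target and drop it if it is absent (the "Needed for Flatpak and Bubblewrap" comment would then be misleading). `kernel.yama.ptrace_scope = 3` is a one-way setting that cannot be lowered again without a reboot, which its comment should say, e.g. `# Irreversible until reboot; debuggers will not work at all`. Minor, comments only: `ALSR` → `ASLR` and `assasination` → `assassination`.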
@@ -0,0 +1,28 @@
+[Service]
+# Hardening
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+LockPersonality=true
+MemoryDenyWriteExecute=true
+#PrivateDevices=true #breaks tun usage
+#ProtectProc=invisible
+PrivateTmp=yes
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=read-only
+ProtectKernelLogs=true
+#ProtectKernelModules=true
+#ProtectSystem=strict
+#ReadOnlyPaths=/etc/NetworkManager
+ReadOnlyPaths=-/home
+#ReadWritePaths=-/etc/NetworkManager/system-connections
+ReadWritePaths=-/etc/sysconfig/network-scripts
+ReadWritePaths=/var/lib/NetworkManager
+ReadWritePaths=-/var/run/NetworkManager
+ReadWritePaths=-/run/NetworkManager
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+UMask=0077
diff --git a/roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.service b/roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.service
new file mode 100644
index 0000000..dc97615
--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Update user Flatpaks
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/flatpak --user update -y
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.timer b/roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.timer
new file mode 100644
index 0000000..d530fe7
--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Update user Flatpaks daily
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target
\ No newline at end of file
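Review bot: `SystemCallFilter=@system-service` does not include the `@module` group, yet `CapabilityBoundingSet` keeps `CAP_SYS_MODULE` and `ProtectKernelModules=true` is left commented out; the capability is therefore retained but any module load attempted from the service (including a `modprobe` it execs, which inherits the filter) would be terminated with SIGSYS rather than fail cleanly, since no `SystemCallErrorNumber=` is set. Decide which is intended: if NetworkManager must not load modules, drop `CAP_SYS_MODULE` and enable `ProtectKernelModules=true`; if it must (the `#PrivateDevices=true #breaks tun usage` comment hints at tun), add `@module` to the filter and say why in a comment. `ReadOnlyPaths=-/home` is redundant with `ProtectHome=read-only` on the line above it. `CAP_DAC_OVERRIDE` is broad for this unit; if it was added for one specific path, a comment naming that path would help the next reviewer decide whether a `ReadWritePaths=` entry could replace it.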
diff --git a/roles/sudo-dom0-prompt/files/etc/systemd/zram-generator.conf b/roles/sudo-dom0-prompt/files/etc/systemd/zram-generator.conf
new file mode 100644
index 0000000..f41f8ca
--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/systemd/zram-generator.conf
@@ -0,0 +1,4 @@
+[zram0]
+zram-fraction = 1
+max-zram-size = 8192
+compression-algorithm = zstd
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/xdg-desktop-portal/portals.conf b/roles/sudo-dom0-prompt/files/etc/xdg-desktop-portal/portals.conf
new file mode 100644
index 0000000..e7ae6e3
--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/xdg-desktop-portal/portals.conf
@@ -0,0 +1,2 @@
+[preferred]
+default=gtk;
diff --git a/roles/sudo-dom0-prompt/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js b/roles/sudo-dom0-prompt/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js
similarity index 100%
rename from roles/sudo-dom0-prompt/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js
rename to roles/sudo-dom0-prompt/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js
diff --git a/roles/sudo-dom0-prompt/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js b/roles/sudo-dom0-prompt/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js
new file mode 100644
index 0000000..e69de29
diff --git a/roles/sudo-dom0-prompt/tasks/main.yaml b/roles/sudo-dom0-prompt/tasks/main.yaml
index cd7c7dc..f08520f 100644
--- a/roles/sudo-dom0-prompt/tasks/main.yaml
+++ b/roles/sudo-dom0-prompt/tasks/main.yaml
@@ -1,6 +1,4 @@ - name: Setup passwordless sudo - hosts: 127.0.0.1 - connection: local tasks: - name: Check that the sudo-dom0-prompt exists stat:
diff --git a/roles/trivalent/tasks/main.yaml b/roles/trivalent/tasks/main.yaml
new file mode 100644
index 0000000..d2050db
--- /dev/null
+++ b/roles/trivalent/tasks/main.yaml
@@ -0,0 +1,17 @@
+- name: Install trivalent browser
+ tasks:
+ - name: Enable hardened_malloc COPR
+ shell: 'sudo dnf copr enable secureblue/trivalent -y'
+
+ - name: Enable codecs and stuff
+ shell: 'sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1'
+
+ - name: Update codecs
+ shell: 'sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'
+
+ - name: Install hardened_malloc
+ ansible.builtin.dnf5:
+ name:
+ - ffmpeg
+ - trivalent
+ state: 'present'
\ No newline at end of file
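Review bot: The task names do not describe the tasks: `Enable hardened_malloc COPR` enables `secureblue/trivalent`, and `Install hardened_malloc` installs `ffmpeg` and `trivalent`, so either rename them (`Enable trivalent COPR`, `Install trivalent and ffmpeg`) or, if hardened_malloc was meant to be installed here to back the `ld.so.preload` entry added elsewhere in this commit, add it to the `name:` list. `Update codecs` runs `dnf update @multimedia ...` without `-y` while the neighbouring shell tasks pass it; under Ansible's non-interactive stdin the confirmation prompt is likely to abort the task. `Enable codecs and stuff` switches on the rpmfusion repositories with `config-manager setopt`, which presumes their release packages are already installed — nothing visible in this commit installs them, so that prerequisite should be a task here or stated in a comment.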