Fixing up roles
This commit is contained in:
		
							parent
							
								
									9975b95880
								
							
						
					
					
						commit
						4de7935469
					
				
					 78 changed files with 514 additions and 155 deletions
				
			
		
							
								
								
									
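--- /dev/null
+++ b/development.yaml
@@ -0,0 +1,8 @@
+- name: Configure Fedora 41 Gnome Template
+  hosts: 127.0.0.1
+  connection: local
+  tasks:
+    - ansible.builtin.include_role:
+      name: 'baseline'
+      vars:
+        umask_changes: 'false'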
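Review bot: The role name never reaches include_role: `name: 'baseline'` is indented to the same column as the `ansible.builtin.include_role:` key, so YAML makes it a sibling key (the task's display name) and the module is called with no `name` argument; fedora-41-gnome.yaml has the same layout in all of its include tasks. Indent the module argument one level deeper, `- ansible.builtin.include_role:` followed by `    name: 'baseline'`, and keep `vars:` at task level. `umask_changes: 'false'` is also a quoted string here, while roles/baseline/defaults/main.yaml and fedora-41-gnome.yaml use the boolean `false`; the baseline tasks test `umask_changes == true`, so the string happens to evaluate as not-enabled, but a quoted `'true'` would silently do the same, and the value should be the bare boolean. The play name is copied from the Fedora 41 template playbook and should describe the development template instead.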
							
								
								
									
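--- /dev/null
+++ b/fedora-41-gnome.yaml
@@ -0,0 +1,17 @@
+- name: Configure Fedora 41 Gnome Template
+  hosts: 127.0.0.1
+  connection: local
+  tasks:
+    - ansible.builtin.include_role:
+      name: 'baseline'
+      vars:
+        umask_changes: false
+        manage_network: true
+    - ansible.builtin.include_role:
+      name: gnome
+    - ansible.builtin.include_role:
+      name: sudo-dom0-prompt
+    - ansible.builtin.include-role:
+      name: trivalent
+    - ansible.builtin.include-role:
+      name: arkenfox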
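Review bot: The last two tasks use `ansible.builtin.include-role:` with a hyphen; there is no such module, so the play fails at parse time before any role runs. Change both to `ansible.builtin.include_role:` to match the first three tasks. Nothing in this playbook declares the trivalent and arkenfox roles, so they are expected to exist under roles/ (not visible in this view).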
							
								
								
									
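--- /dev/null
+++ b/roles/baseline/defaults/main.yaml
@@ -0,0 +1,2 @@
+umask_changes: false
+manage_network: true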
							
								
								
									
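--- /dev/null
+++ b/roles/baseline/files/etc/environment
@@ -0,0 +1,2 @@
+JavaScriptCoreUseJIT=0
+GJS_DISABLE_JIT=1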
							
								
								
									
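--- /dev/null
+++ b/roles/baseline/files/etc/modprobe.d/workstation-blacklist.conf
@@ -0,0 +1,115 @@
+# unused network protocols
+install dccp /bin/false
+install sctp /bin/false
+install rds /bin/false
+install tipc /bin/false
+install n-hdlc /bin/false
+install ax25 /bin/false
+install netrom /bin/false
+install x25 /bin/false
+install rose /bin/false
+install decnet /bin/false
+install econet /bin/false
+install af_802154 /bin/false
+install ipx /bin/false
+install appletalk /bin/false
+install psnap /bin/false
+install p8023 /bin/false
+install p8022 /bin/false
+install can /bin/false
+install atm /bin/false
+
+# firewire and thunderbolt
+install firewire-core /bin/false
+install firewire_core /bin/false
+install firewire-ohci /bin/false
+install firewire_ohci /bin/false
+install firewire_sbp2 /bin/false
+install firewire-sbp2 /bin/false
+install firewire-net /bin/false
+install thunderbolt /bin/false
+install ohci1394 /bin/false
+install sbp2 /bin/false
+install dv1394 /bin/false
+install raw1394 /bin/false
+install video1394 /bin/false
+
+# unused filesystems
+install cramfs /bin/false
+install freevxfs /bin/false
+install jffs2 /bin/false
+# I think blacklisting hfs or hfsplus breaks USBs, but not sure
+install hfs /bin/false
+install hfsplus /bin/false
+install squashfs /bin/false
+install udf /bin/false
+install cifs /bin/false
+install nfs /bin/false
+install nfsv3 /bin/false
+install nfsv4 /bin/false
+install ksmbd /bin/false
+install gfs2 /bin/false
+install reiserfs /bin/false
+install kafs /bin/false
+install orangefs /bin/false
+install 9p /bin/false
+install adfs /bin/false
+install affs /bin/false
+install afs /bin/false
+install befs /bin/false
+install ceph /bin/false
+install coda /bin/false
+install ecryptfs /bin/false
+install erofs /bin/false
+install jfs /bin/false
+install minix /bin/false
+install netfs /bin/false
+install nilfs2 /bin/false
+install ocfs2 /bin/false
+install romfs /bin/false
+install ubifs /bin/false
+install zonefs /bin/false
+install sysv /bin/false
+install ufs /bin/false
+
+# disable vivid
+install vivid /bin/false
+
+# disable GNSS
+install gnss /bin/false
+install gnss-mtk /bin/false
+install gnss-serial /bin/false
+install gnss-sirf /bin/false
+install gnss-usb /bin/false
+install gnss-ubx /bin/false
+
+# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
+install bluetooth /bin/false
+install btusb /bin/false
+
+# blacklist ath_pci
+blacklist ath_pci
+
+# blacklist cdrom
+blacklist cdrom
+blacklist sr_mod
+
+# blacklist framebuffer drivers
+# source, ubuntu: https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf
+blacklist cyber2000fb
+blacklist cyblafb
+blacklist gx1fb
+blacklist hgafb
+blacklist kyrofb
+blacklist lxfb
+blacklist matroxfb_base
+blacklist neofb
+blacklist nvidiafb
+blacklist pm2fb
+blacklist s1d13xxxfb
+blacklist sisfb
+blacklist tdfxfb
+blacklist vesafb
+blacklist vfb
+blacklist vt8623fb
+blacklist udlfb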
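Review bot: The `blacklist ath_pci`, `blacklist cdrom`, `blacklist sr_mod` and framebuffer entries are a weaker control than the `install … /bin/false` lines above them: `blacklist` only stops alias-based autoloading, and an explicit modprobe or a dependency pull still loads the module. If these modules are meant to be unloadable like the protocol and filesystem entries, write them as `install cdrom /bin/false`; if only boot-time autoload is intended, a comment saying so would stop the next reader from assuming they are blocked. The hyphen/underscore pairs (`firewire-core` / `firewire_core` and the sbp2/ohci pairs) are, as far as I know, the same module name to modprobe, so one of each pair could be dropped. The `# I think blacklisting hfs or hfsplus breaks USBs, but not sure` comment should be resolved or rewritten as a verified statement before this ships in a baseline role.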
|  | @ -1,6 +1,4 @@ | ||||||
| - name: Configure Fedora 41 Gnome Template | - name: Baseline hardening for all templates | ||||||
|   hosts: 127.0.0.1 |  | ||||||
|   connection: local |  | ||||||
|   tasks: |   tasks: | ||||||
|    - name: Kill debug-shell service |    - name: Kill debug-shell service | ||||||
|      ansible.builtin.systemd_service: |      ansible.builtin.systemd_service: | ||||||
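Review bot: The new side drops `hosts`/`connection` but keeps the play structure `- name: Baseline hardening for all templates` with a `tasks:` key; this section's file header is not shown on the page, but if this is now the baseline role's tasks/main.yaml (fedora-41-gnome.yaml includes a role named 'baseline'), a role tasks file must be a flat list of tasks and `tasks:` is a play keyword that include_role rejects. Remove the first two lines and dedent the tasks so that `- name: Kill debug-shell service` starts the list; roles/gnome/tasks/main.yaml has the same play-in-a-role layout. Later hunks of this section add `when: umask_changes == true` and `when: manage_network == true`; comparing against a literal boolean is discouraged by ansible-lint and breaks on quoted values such as the `'false'` that development.yaml passes, so `when: umask_changes | bool` is the safer form. The play continues outside this hunk.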
|  | @ -10,6 +8,7 @@ | ||||||
|      ansible.builtin.systemd_service: |      ansible.builtin.systemd_service: | ||||||
|        name: kdump.service |        name: kdump.service | ||||||
|        masked: true |        masked: true | ||||||
|  | 
 | ||||||
|    - name: Set umask to 077 |    - name: Set umask to 077 | ||||||
|      shell: umask 077 |      shell: umask 077 | ||||||
|    - name: Set umask to 077 in login.defs |    - name: Set umask to 077 in login.defs | ||||||
|  | @ -17,18 +16,22 @@ | ||||||
|        path: /etc/login.defs |        path: /etc/login.defs | ||||||
|        regexp: '^UMASK.*' |        regexp: '^UMASK.*' | ||||||
|        replace: 'UMASK 077' |        replace: 'UMASK 077' | ||||||
|  |      when: umask_changes == true | ||||||
| 
 | 
 | ||||||
|    - name: Set umask to 077 in logins.defs |    - name: Set umask to 077 in logins.defs | ||||||
|      ansible.builtin.replace: |      ansible.builtin.replace: | ||||||
|        path: /etc/login.defs |        path: /etc/login.defs | ||||||
|        regexp: '^HOME_MODE' |        regexp: '^HOME_MODE' | ||||||
|        replace: '#HOME_MODE' |        replace: '#HOME_MODE' | ||||||
|  |      when: umask_changes == true | ||||||
| 
 | 
 | ||||||
|    - name: Set umask to 077 in bashrc |    - name: Set umask to 077 in bashrc | ||||||
|      ansible.builtin.replace: |      ansible.builtin.replace: | ||||||
|        path: /etc/bashrc |        path: /etc/bashrc | ||||||
|        regexp: 'umask 022' |        regexp: 'umask 022' | ||||||
|        replace: 'umask 077' |        replace: 'umask 077' | ||||||
|  |      when: umask_changes == true | ||||||
|  | 
 | ||||||
| 
 | 
 | ||||||
|    - name: Make home directory private |    - name: Make home directory private | ||||||
|      ansible.builtin.file: |      ansible.builtin.file: | ||||||
|  | @ -36,6 +39,7 @@ | ||||||
|        state: directory |        state: directory | ||||||
|        recurse: true |        recurse: true | ||||||
|        mode: '0700' |        mode: '0700' | ||||||
|  |      when: umask_changes == true | ||||||
| 
 | 
 | ||||||
|    - name: Harden SSH, add kernel blacklist and hardening |    - name: Harden SSH, add kernel blacklist and hardening | ||||||
|      ansible.builtin.copy: |      ansible.builtin.copy: | ||||||
|  | @ -72,6 +76,15 @@ | ||||||
|        path: '/etc/systemd/system/NetworkManager.service.d' |        path: '/etc/systemd/system/NetworkManager.service.d' | ||||||
|        state: 'directory' |        state: 'directory' | ||||||
|        mode: '0755' |        mode: '0755' | ||||||
|  |      when: manage_network == true | ||||||
|  | 
 | ||||||
|  |    - name: Copy dconf files + xdg-desktop-portals fix + Network manager | ||||||
|  |      ansible.builtin.copy: | ||||||
|  |       src: 'etc/systemd/system/NetworkManager.service.d/99-brace.conf' | ||||||
|  |       dest: '/etc/systemd/system/NetworkManager.service.d/99-brace.conf' | ||||||
|  |       mode: '0644' | ||||||
|  |      when: manage_network == true | ||||||
|  | 
 | ||||||
|    - name: Copy dconf files + xdg-desktop-portals fix + Network manager |    - name: Copy dconf files + xdg-desktop-portals fix + Network manager | ||||||
|      ansible.builtin.copy: |      ansible.builtin.copy: | ||||||
|       src: '{{ item }}' |       src: '{{ item }}' | ||||||
|  | @ -80,29 +93,29 @@ | ||||||
|      loop: |      loop: | ||||||
|       - 'etc/security/limits.d/30-disable-coredump.conf' |       - 'etc/security/limits.d/30-disable-coredump.conf' | ||||||
|       - 'etc/systemd/coredump.conf.d/disable.conf' |       - 'etc/systemd/coredump.conf.d/disable.conf' | ||||||
|       - 'etc/dconf/db/local.d/locks/automount-disable' |  | ||||||
|       - 'etc/dconf/db/local.d/locks/privacy' |       - 'etc/dconf/db/local.d/locks/privacy' | ||||||
|       - 'etc/dconf/db/local.d/adw-gtk3-dark' |  | ||||||
|       - 'etc/dconf/db/local.d/automount-disable' |  | ||||||
|       - 'etc/dconf/db/local.d/prefer-dark' |  | ||||||
|       - 'etc/dconf/db/local.d/privacy' |       - 'etc/dconf/db/local.d/privacy' | ||||||
|       - 'etc/xdg-desktop-portal/portals.conf' |  | ||||||
|       - 'etc/systemd/system/NetworkManager.service.d/99-brace.conf' |  | ||||||
| 
 | 
 | ||||||
|    - name: Update dconf |    - name: Update dconf | ||||||
|      shell: sudo dconf update |      shell: sudo dconf update | ||||||
| 
 | 
 | ||||||
|    - name: Setup ZRAM, flatpak updater and environment variables to disable GJS, WebkitGTK JIT, and fix GNOME env variable |    - name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT | ||||||
|      ansible.builtin.copy: |      ansible.builtin.copy: | ||||||
|       src: '{{ item }}' |       src: '{{ item }}' | ||||||
|       dest: '/{{ item }}' |       dest: '/{{ item }}' | ||||||
|       mode: '0600' |       mode: '0644' | ||||||
|      loop: |      loop: | ||||||
|       - 'etc/systemd/zram-generator.conf' |       - 'etc/systemd/zram-generator.conf' | ||||||
|       - 'etc/systemd/user/update-user-flatpaks.service' |       - 'etc/systemd/user/update-user-flatpaks.service' | ||||||
|       - 'etc/systemd/user/update-user-flatpaks.timer' |       - 'etc/systemd/user/update-user-flatpaks.timer' | ||||||
|       - 'etc/environment'  |       - 'etc/environment'  | ||||||
| 
 | 
 | ||||||
|  |    - name: Drop flathub script to homedir for any new appvms created based on this template | ||||||
|  |      ansible.builtin.copy: | ||||||
|  |       src: 'etc/skel/flathub.sh' | ||||||
|  |       dest: '/etc/skel/flathub.sh' | ||||||
|  |       mode: '0700' | ||||||
|  | 
 | ||||||
|    - name: Upgrade all packages |    - name: Upgrade all packages | ||||||
|      ansible.builtin.dnf5: |      ansible.builtin.dnf5: | ||||||
|        name: "*" |        name: "*" | ||||||
|  | @ -111,84 +124,6 @@ | ||||||
|    - name: Mark packages as manually installed to avoid removal |    - name: Mark packages as manually installed to avoid removal | ||||||
|      shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y' |      shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y' | ||||||
| 
 | 
 | ||||||
|    - name: Remove unnecessary stuff from the template |  | ||||||
|      ansible.builtin.dnf5: |  | ||||||
|        name: |  | ||||||
|         - '@Container Management' |  | ||||||
|         - '@Desktop Accessibility' |  | ||||||
|         - '@Guest Desktop Agents' |  | ||||||
|         - '@Printing Support' |  | ||||||
|         - 'gnome-software' |  | ||||||
|         - 'httpd' |  | ||||||
|         - 'keepassxc' |  | ||||||
|         - 'thunderbird' |  | ||||||
|         - 'fedora-bookmarks' |  | ||||||
|         - 'fedora-chromium-config' |  | ||||||
|         - 'samba-client' |  | ||||||
|         - 'gvfs-smb' |  | ||||||
|         - 'NetworkManager-pptp-gnome' |  | ||||||
|         - 'NetworkManager-ssh-gnome' |  | ||||||
|         - 'NetworkManager-openconnect-gnome' |  | ||||||
|         - 'NetworkManager-openvpn-gnome' |  | ||||||
|         - 'NetworkManager-vpnc-gnome' |  | ||||||
|         - 'ppp*' |  | ||||||
|         - 'ModemManager' |  | ||||||
|         - 'baobab' |  | ||||||
|         - 'chrome-gnome-shell' |  | ||||||
|         - 'eog' |  | ||||||
|         - 'gnome-boxes' |  | ||||||
|         - 'gnome-calculator' |  | ||||||
|         - 'gnome-calendar' |  | ||||||
|         - 'gnome-characters' |  | ||||||
|         - 'gnome-classic*' |  | ||||||
|         - 'gnome-clocks' |  | ||||||
|         - 'gnome-color-manager' |  | ||||||
|         - 'gnome-connections' |  | ||||||
|         - 'gnome-contacts' |  | ||||||
|         - 'gnome-disk-utility' |  | ||||||
|         - 'gnome-font-viewer' |  | ||||||
|         - 'gnome-logs' |  | ||||||
|         - 'gnome-maps' |  | ||||||
|         - 'gnome-photos' |  | ||||||
|         - 'gnome-remote-desktop' |  | ||||||
|         - 'gnome-screenshot' |  | ||||||
|         - 'gnome-shell-extension-apps-menu' |  | ||||||
|         - 'gnome-shell-extension-background-logo' |  | ||||||
|         - 'gnome-shell-extension-launch-new-instance' |  | ||||||
|         - 'gnome-shell-extension-places-menu' |  | ||||||
|         - 'gnome-shell-extension-window-list' |  | ||||||
|         - 'gnome-text-editor' |  | ||||||
|         - 'gnome-themes-extra' |  | ||||||
|         - 'gnome-tour' |  | ||||||
|         - 'gnome-user*' |  | ||||||
|         - 'gnome-weather' |  | ||||||
|         - 'loupe' |  | ||||||
|         - 'snapshot' |  | ||||||
|         - 'totem' |  | ||||||
|         - 'cheese' |  | ||||||
|         - 'evince' |  | ||||||
|         - 'file-roller*' |  | ||||||
|         - 'libreoffice*' |  | ||||||
|         - 'mediawriter' |  | ||||||
|         - 'rhythmbox' |  | ||||||
|         - 'yelp' |  | ||||||
|         - 'lvm2' |  | ||||||
|         - 'rng-tools' |  | ||||||
|         - 'thermald' |  | ||||||
|        state: 'absent' |  | ||||||
|        allowerasing: true |  | ||||||
|        autoremove: true |  | ||||||
| 
 |  | ||||||
|    - name: Install custom packages |  | ||||||
|      ansible.builtin.dnf5: |  | ||||||
|        name: |  | ||||||
|          - 'qubes-ctap' |  | ||||||
|          - 'qubes-gpg-split' |  | ||||||
|          - 'adw-gtk3-theme' |  | ||||||
|          - 'ncurses' |  | ||||||
|          - 'gnome-shell' |  | ||||||
|          - 'ptyxis' |  | ||||||
|        state: 'present' |  | ||||||
|    - name: Enable hardened_malloc COPR |    - name: Enable hardened_malloc COPR | ||||||
|      shell: 'sudo dnf copr enable secureblue/hardened_malloc -y' |      shell: 'sudo dnf copr enable secureblue/hardened_malloc -y' | ||||||
| 
 | 
 | ||||||
|  | @ -226,59 +161,3 @@ | ||||||
|        regexp: '^(metalink=.*)$' |        regexp: '^(metalink=.*)$' | ||||||
|        line: '\1&protocol=https' |        line: '\1&protocol=https' | ||||||
|      loop: '{{ found_files.files }}' |      loop: '{{ found_files.files }}' | ||||||
| 
 |  | ||||||
|    - name: Check that the sudo-dom0-prompt exists |  | ||||||
|      stat: |  | ||||||
|        path: '/etc/authselect/custom/sudo-dom0-prompt' |  | ||||||
|      register: stat_result |  | ||||||
| 
 |  | ||||||
|    - name: Create authselect profile |  | ||||||
|      shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam |  | ||||||
|      when: not stat_result.stat.exists |  | ||||||
|    - name: Copy authselect file |  | ||||||
|      ansible.builtin.copy: |  | ||||||
|       src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth' |  | ||||||
|       dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside' |  | ||||||
|       mode: '0644' |  | ||||||
|       |  | ||||||
| 
 |  | ||||||
|    - name: Copy authselect folder |  | ||||||
|      ansible.builtin.copy: |  | ||||||
|       src: '/etc/authselect/system-auth' |  | ||||||
|       dest: '/etc/authselect/custom/sudo-dom0-prompt' |  | ||||||
|       mode: '0755' |  | ||||||
| 
 |  | ||||||
|    - name: Copy authselect file |  | ||||||
|      ansible.builtin.copy: |  | ||||||
|       src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth' |  | ||||||
|       dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth' |  | ||||||
|       mode: '0644' |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
|    - name: Select authselect profile |  | ||||||
|      shell: authselect select custom/sudo-dom0-prompt |  | ||||||
| 
 |  | ||||||
|    - name: Fix sudoers.d |  | ||||||
|      ansible.builtin.copy: |  | ||||||
|       src: 'etc/sudoers.d/qubes' |  | ||||||
|       dest: '/etc/sudoers.d/qubes' |  | ||||||
|       mode: '0440' |  | ||||||
| 
 |  | ||||||
|    - name: Check that allow all rule doesn't exist |  | ||||||
|      stat: |  | ||||||
|        path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules' |  | ||||||
|      register: allow_all_result |  | ||||||
| 
 |  | ||||||
|    - name: Delete allow all rule |  | ||||||
|      ansible.builtin.file: |  | ||||||
|       path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules' |  | ||||||
|       state: 'absent' |  | ||||||
|      when: allow_all_result.stat.exists |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
|    - name: Drop flathub script to homedir for any new appvms created based on this template |  | ||||||
|      ansible.builtin.copy: |  | ||||||
|       src: 'etc/skel/flathub.sh' |  | ||||||
|       dest: '/etc/skel/flathub.sh' |  | ||||||
|       mode: '0700' |  | ||||||
							
								
								
									
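--- /dev/null
+++ b/roles/gnome/tasks/main.yaml
@@ -0,0 +1,91 @@
+- name: Configure Fedora 41 Gnome Template
+  tasks:
+    - name: Fix GNOME environment variable
+      ansible.builtin.lineinfile:
+        dest: '/etc/environment'
+        line: 'XDG_CURRENT_DESKTOP=GNOME'
+    - name: Upgrade all packages
+      ansible.builtin.dnf5:
+        name: "*"
+        state: latest
+
+    - name: Mark packages as manually installed to avoid removal
+      shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
+
+    - name: Remove unnecessary stuff from the template
+      ansible.builtin.dnf5:
+        name:
+         - '@Container Management'
+         - '@Desktop Accessibility'
+         - '@Guest Desktop Agents'
+         - '@Printing Support'
+         - 'gnome-software'
+         - 'httpd'
+         - 'keepassxc'
+         - 'thunderbird'
+         - 'fedora-bookmarks'
+         - 'fedora-chromium-config'
+         - 'samba-client'
+         - 'gvfs-smb'
+         - 'NetworkManager-pptp-gnome'
+         - 'NetworkManager-ssh-gnome'
+         - 'NetworkManager-openconnect-gnome'
+         - 'NetworkManager-openvpn-gnome'
+         - 'NetworkManager-vpnc-gnome'
+         - 'ppp*'
+         - 'ModemManager'
+         - 'baobab'
+         - 'chrome-gnome-shell'
+         - 'eog'
+         - 'gnome-boxes'
+         - 'gnome-calculator'
+         - 'gnome-calendar'
+         - 'gnome-characters'
+         - 'gnome-classic*'
+         - 'gnome-clocks'
+         - 'gnome-color-manager'
+         - 'gnome-connections'
+         - 'gnome-contacts'
+         - 'gnome-disk-utility'
+         - 'gnome-font-viewer'
+         - 'gnome-logs'
+         - 'gnome-maps'
+         - 'gnome-photos'
+         - 'gnome-remote-desktop'
+         - 'gnome-screenshot'
+         - 'gnome-shell-extension-apps-menu'
+         - 'gnome-shell-extension-background-logo'
+         - 'gnome-shell-extension-launch-new-instance'
+         - 'gnome-shell-extension-places-menu'
+         - 'gnome-shell-extension-window-list'
+         - 'gnome-text-editor'
+         - 'gnome-themes-extra'
+         - 'gnome-tour'
+         - 'gnome-user*'
+         - 'gnome-weather'
+         - 'loupe'
+         - 'snapshot'
+         - 'totem'
+         - 'cheese'
+         - 'evince'
+         - 'file-roller*'
+         - 'libreoffice*'
+         - 'mediawriter'
+         - 'rhythmbox'
+         - 'yelp'
+         - 'lvm2'
+         - 'rng-tools'
+         - 'thermald'
+        state: 'absent'
+        allowerasing: true
+        autoremove: true
+
+    - name: Install custom packages
+      ansible.builtin.dnf5:
+        name:
+          - 'qubes-ctap'
+          - 'qubes-gpg-split'
+          - 'ncurses'
+ #         - 'gnome-shell'
+          - 'ptyxis'
+        state: 'present'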
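Review bot: The "Upgrade all packages" and "Mark packages as manually installed" tasks duplicate the identical tasks that remain in the baseline role, so a template that includes both roles runs a full upgrade twice; drop them here or move them to one role. The removal list is hard-coded even though roles/gnome/vars/main.yaml introduces `packages_to_remove`; using `name: '{{ packages_to_remove }}'` and filling the variable keeps the list in one place. The commented-out entry ` #         - 'gnome-shell'` starts at column 1 inside an indented sequence, which yamllint flags; align it with the other items, and the `shell: 'sudo dnf mark …'` task could use `become: true` instead of embedding sudo in the command.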
							
								
								
									
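--- /dev/null
+++ b/roles/gnome/vars/main.yaml
@@ -0,0 +1 @@
+packages_to_remove: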
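Review bot: `packages_to_remove:` with no value parses as null, and nothing in roles/gnome/tasks/main.yaml reads it, so the file is an unused placeholder. Either populate it with the removal list and reference it from the dnf5 task, or write `packages_to_remove: []` so the intended type is explicit. A `vars/` file also takes high precedence in Ansible; if callers are meant to override the list, `defaults/main.yaml` is the usual place.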
|  | @ -10,6 +10,7 @@ | ||||||
|      ansible.builtin.systemd_service: |      ansible.builtin.systemd_service: | ||||||
|        name: kdump.service |        name: kdump.service | ||||||
|        masked: true |        masked: true | ||||||
|  |         | ||||||
|    - name: Set umask to 077 |    - name: Set umask to 077 | ||||||
|      shell: umask 077 |      shell: umask 077 | ||||||
|    - name: Set umask to 077 in login.defs |    - name: Set umask to 077 in login.defs | ||||||
|  |  | ||||||
|  | @ -0,0 +1,2 @@ | ||||||
|  | [org/gnome/desktop/interface] | ||||||
|  | gtk-theme='adw-gtk3-dark' | ||||||
|  | @ -0,0 +1,4 @@ | ||||||
|  | [org/gnome/desktop/media-handling] | ||||||
|  | automount=false | ||||||
|  | automount-open=false | ||||||
|  | autorun-never=true | ||||||
|  | @ -0,0 +1,3 @@ | ||||||
|  | org/gnome/desktop/media-handling/automount | ||||||
|  | org/gnome/desktop/media-handling/automount-open | ||||||
|  | /org/gnome/desktop/media-handling/autorun-never | ||||||
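Review bot: Two of the three lock entries lack the leading slash: `org/gnome/desktop/media-handling/automount` and `org/gnome/desktop/media-handling/automount-open`, while the third is written `/org/gnome/desktop/media-handling/autorun-never`. dconf key paths are absolute, and as far as I know `dconf update` rejects or ignores a lock line that does not start with `/`, which would leave the automount keys unlocked for the user. Prefix both lines with `/` to match the third entry and the privacy lock file in the next hunk.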
|  | @ -0,0 +1,14 @@ | ||||||
|  | /org/gnome/system/location/enabled | ||||||
|  | 
 | ||||||
|  | /org/gnome/desktop/privacy/remember-recent-files | ||||||
|  | /org/gnome/desktop/privacy/remove-old-trash-files | ||||||
|  | /org/gnome/desktop/privacy/remove-old-temp-files | ||||||
|  | /org/gnome/desktop/privacy/report-technical-problems | ||||||
|  | /org/gnome/desktop/privacy/send-software-usage-stats | ||||||
|  | /org/gnome/desktop/privacy/remember-app-usage | ||||||
|  | 
 | ||||||
|  | /org/gnome/online-accounts/whitelisted-providers | ||||||
|  | 
 | ||||||
|  | /org/gnome/desktop/remote-desktop/rdp/enable | ||||||
|  | 
 | ||||||
|  | /org/gnome/desktop/remote-desktop/vnc/enable | ||||||
|  | @ -0,0 +1,2 @@ | ||||||
|  | [org/gnome/desktop/interface] | ||||||
|  | color-scheme='prefer-dark' | ||||||
							
								
								
									
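--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/privacy
@@ -0,0 +1,16 @@
+[org/gnome/system/location]
+enabled=false
+
+[org/gnome/desktop/privacy]
+remember-recent-files=false
+remove-old-trash-files=true
+remove-old-temp-files=true
+report-technical-problems=false
+send-software-usage-stats=false
+remember-app-usage=false
+
+[org/gnome/desktop/remote-desktop/rdp]
+enable=false
+
+[org/gnome/desktop/remote-desktop/vnc]
+enable=false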
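Review bot: This file, together with etc/dnf/dnf.conf, etc/ld.so.preload, etc/skel/flathub.sh and etc/sysctl.d/99-workstation.conf in the following sections, is added under roles/sudo-dom0-prompt/files/, but the tasks that copy `etc/dconf/db/local.d/privacy`, `etc/skel/flathub.sh` and the etc/systemd items are in the baseline role. Ansible resolves a relative `src` in copy against the calling role's own files/ directory, so those baseline copies will fail unless the same files also exist under roles/baseline/files/ (the commit touches 78 files, so they may, but it is not visible here). If the files are meant to live in one role, move them to roles/baseline/files/ or point the baseline copies at them explicitly; the sudo-dom0-prompt role name also gives no hint that it carries dconf and dnf configuration.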
							
								
								
									
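--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/dnf/dnf.conf
@@ -0,0 +1,11 @@
+[main]
+gpgcheck=True
+installonly_limit=3
+clean_requirements_on_remove=True
+best=False
+skip_if_unavailable=True
+max_parallel_downloads=10
+deltarpm=False
+defaultyes=True
+install_weak_deps=False
+countme=False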
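Review bot: `skip_if_unavailable=True` makes dnf treat an unreachable or broken repository as absent, so an "Upgrade all packages" run that cannot reach the updates repo reports success with no updates applied; on a hardening template that silently hides missing security updates. Consider `skip_if_unavailable=False` (the dnf default) so a failed repository fails the task, or document why the lenient setting is wanted here. `best=False` has a similar effect of accepting an older candidate when the newest cannot be installed, which is worth a comment either way.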
							
								
								
									
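--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/ld.so.preload
@@ -0,0 +1 @@
+libhardened_malloc.so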
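Review bot: /etc/ld.so.preload is applied to every dynamically linked process, including setuid ones, so the file must only land after the library is installed; the hunks visible here enable the hardened_malloc COPR (`shell: 'sudo dnf copr enable secureblue/hardened_malloc -y'`) but the package install and the task that copies this file are not in view, so I cannot confirm the ordering. If the library is missing, every exec prints an ld.so preload error and sudo/polkit helpers still run without the hardened allocator. A bare name also depends on the library being in the default search path; an absolute path (as installed by the package, e.g. a placeholder `/usr/lib64/<LIB_PATH>`) removes that dependency.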
|  | @ -0,0 +1 @@ | ||||||
|  | * hard core 0 | ||||||
							
								
								
									
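--- /dev/null
+++ b/roles/sudo-dom0-prompt/files/etc/skel/flathub.sh
@@ -0,0 +1,2 @@
+flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo
+systemctl enable --user --now update-user-flatpaks.timer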
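Review bot: The script is copied with mode 0700 but has no interpreter line, so it only runs when invoked through an explicit shell, and the second command runs even when the remote-add fails. Add `#!/bin/sh` and `set -eu` as the first two lines so a failed remote-add stops the script instead of enabling a timer that has nothing to update.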
|  | @ -0,0 +1,2 @@ | ||||||
|  | GSSAPIAuthentication no | ||||||
|  | VerifyHostKeyDNS yes | ||||||
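Review bot: `VerifyHostKeyDNS yes` makes ssh accept a first-connection host key without prompting whenever a matching SSHFP record is marked secure, and "secure" here is just the AD bit on the DNS answer; unless the template's resolver validates DNSSEC itself, that bit arrives over an unauthenticated path from whatever resolver is upstream. In a Qubes template the resolver is typically a forwarder in the network VM, so `VerifyHostKeyDNS ask` keeps the fingerprint visible to the user without trusting it outright. The file this hunk belongs to is not named on the page, so I am assuming it is an ssh_config drop-in.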
							
								
								
									
										119
									
								
								roles/sudo-dom0-prompt/files/etc/sysctl.d/99-workstation.conf
									
										
									
									
									
										Normal file
							|  | @ -0,0 +1,119 @@ | ||||||
|  | 
 | ||||||
|  | # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl | ||||||
|  | dev.tty.ldisc_autoload = 0 | ||||||
|  | 
 | ||||||
|  | # https://access.redhat.com/solutions/1985633 | ||||||
|  | # Seems dangerous. | ||||||
|  | # Roseta need this though, so if you use it change it to 1. | ||||||
|  | fs.binfmt_misc.status = 0 | ||||||
|  | 
 | ||||||
|  | # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace | ||||||
|  | # Enable fs.protected sysctls. | ||||||
|  | fs.protected_regular = 2 | ||||||
|  | fs.protected_fifos = 2 | ||||||
|  | fs.protected_symlinks = 1 | ||||||
|  | fs.protected_hardlinks = 1 | ||||||
|  | 
 | ||||||
|  | # https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps | ||||||
|  | # Disable coredumps. | ||||||
|  | # For additional safety, disable coredumps using ulimit and systemd too. | ||||||
|  | kernel.core_pattern=|/bin/false | ||||||
|  | fs.suid_dumpable = 0 | ||||||
|  | 
 | ||||||
|  | # Restrict dmesg to CAP_SYS_LOG. | ||||||
|  | # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt | ||||||
|  | kernel.dmesg_restrict = 1 | ||||||
|  | 
 | ||||||
|  | # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt | ||||||
|  | # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel | ||||||
|  | # https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak | ||||||
|  | # Restrict access to /proc. | ||||||
|  | kernel.kptr_restrict = 2 | ||||||
|  | 
 | ||||||
|  | # Not needed, I don't do livepatching and reboot regularly. | ||||||
|  | # On a workstation, this shouldn't be used at all. Don't live patch, just reboot. | ||||||
|  | kernel.kexec_load_disabled = 1 | ||||||
|  | 
 | ||||||
|  | # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl | ||||||
|  | # Basically, restrict eBPF to CAP_BPF. | ||||||
|  | kernel.unprivileged_bpf_disabled = 1 | ||||||
|  | net.core.bpf_jit_harden = 2 | ||||||
|  | 
 | ||||||
|  | # Needed for Flatpak and Bubblewrap. | ||||||
|  | kernel.unprivileged_userns_clone = 1 | ||||||
|  | 
 | ||||||
|  | # Disable ptrace. Not needed on workstations. | ||||||
|  | kernel.yama.ptrace_scope = 3 | ||||||
|  | 
 | ||||||
|  | # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl | ||||||
|  | # Restrict performance events from unprivileged users as much as possible. | ||||||
|  | # We are using 4 here, since Ubuntu supports such a level. | ||||||
|  | # Official Linux kernel documentation only says >= so it probably will work. | ||||||
|  | kernel.perf_event_paranoid = 4 | ||||||
|  | 
 | ||||||
|  | # Disable io_uring | ||||||
|  | # https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled | ||||||
|  | # https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html | ||||||
|  | # Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out | ||||||
|  | # on a Proxmox node. | ||||||
|  | kernel.io_uring_disabled = 2 | ||||||
|  | 
 | ||||||
|  | # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel | ||||||
|  | # Disable sysrq. | ||||||
|  | kernel.sysrq = 0 | ||||||
|  | 
 | ||||||
|  | # https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911 | ||||||
|  | # Not running a router here, so no redirects. | ||||||
|  | net.ipv4.conf.*.send_redirects = 0 | ||||||
|  | net.ipv4.conf.*.accept_redirects = 0 | ||||||
|  | net.ipv6.conf.*.accept_redirects = 0 | ||||||
|  | 
 | ||||||
|  | # Check if the source of the IP address is reachable through the same interface it came in | ||||||
|  | # Basic IP spoofing mitigation. | ||||||
|  | net.ipv4.conf.*.rp_filter = 1 | ||||||
|  | 
 | ||||||
|  | # Do not respond to ICMP. | ||||||
|  | net.ipv4.icmp_echo_ignore_all = 1 | ||||||
|  | net.ipv6.icmp.echo_ignore_all = 1 | ||||||
|  | 
 | ||||||
|  | # Ignore Bogus ICMP responses. | ||||||
|  | net.ipv4.icmp_ignore_bogus_error_responses = 1 | ||||||
|  | 
 | ||||||
|  | # Enable IP Forwarding. | ||||||
|  | # Needed for VM networking and whatnot. | ||||||
|  | net.ipv4.ip_forward = 1 | ||||||
|  | net.ipv6.conf.all.forwarding = 1 | ||||||
|  | 
 | ||||||
|  | # https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537 | ||||||
|  | # Ignore bogus icmp response. | ||||||
|  | net.ipv4.icmp_ignore_bogus_error_responses = 1 | ||||||
|  | 
 | ||||||
|  | # Protection against time-wait assasination attacks. | ||||||
|  | net.ipv4.tcp_rfc1337 = 1 | ||||||
|  | 
 | ||||||
|  | # Enable SYN cookies. | ||||||
|  | # Basic SYN flood mitigation. | ||||||
|  | net.ipv4.tcp_syncookies = 1  | ||||||
|  | 
 | ||||||
|  | # https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf | ||||||
|  | # Make sure TCP timestamp is enabled. | ||||||
|  | net.ipv4.tcp_timestamps = 1 | ||||||
|  | 
 | ||||||
|  | # https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf | ||||||
|  | # Disable TCP SACK. | ||||||
|  | # We have good networking :) | ||||||
|  | net.ipv4.tcp_sack = 0 | ||||||
|  | 
 | ||||||
|  | # No SACK, therefore no Duplicated SACK. | ||||||
|  | net.ipv4.tcp_dsack = 0 | ||||||
|  | 
 | ||||||
|  | # Improve ALSR effectiveness for mmap. | ||||||
|  | vm.mmap_rnd_bits = 32 | ||||||
|  | vm.mmap_rnd_compat_bits = 16 | ||||||
|  | 
 | ||||||
|  | # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel | ||||||
|  | # Restrict userfaultfd to CAP_SYS_PTRACE. | ||||||
|  | # https://bugs.archlinux.org/task/62780 | ||||||
|  | # Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is | ||||||
|  | # probably not used in the real world at all. | ||||||
|  | vm.unprivileged_userfaultfd = 0 | ||||||
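Review bot: `kernel.unprivileged_userns_clone` is a Debian/Ubuntu (and linux-hardened) kernel patch that does not exist on Fedora kernels, so on this Fedora 41 template the line only yields a systemd-sysctl "No such file or directory" warning and the comment "Needed for Flatpak and Bubblewrap" is misleading; Fedora gates unprivileged user namespaces with `user.max_user_namespaces`, which is non-zero by default, so either drop the line or replace it with `# Fedora: unprivileged userns is governed by user.max_user_namespaces (non-zero by default); nothing to set here.` `net.ipv4.icmp_ignore_bogus_error_responses = 1` is set twice (once under "Ignore Bogus ICMP responses", again under the V-38537 reference); keep one. Worth a comment next to `kernel.yama.ptrace_scope = 3`: once written it cannot be lowered again without a reboot, even by root, so gdb/strace on the development template stay broken for the session. Strict `rp_filter = 1` combined with `ip_forward = 1` can silently drop forwarded VM traffic on asymmetric paths; if that bites, `2` (loose) is the usual compromise.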
|  | @ -0,0 +1,2 @@ | ||||||
|  | [Coredump] | ||||||
|  | Storage=none | ||||||
|  | @ -0,0 +1,28 @@ | ||||||
|  | [Service] | ||||||
|  | # Hardening | ||||||
|  | CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT | ||||||
|  | LockPersonality=true | ||||||
|  | MemoryDenyWriteExecute=true | ||||||
|  | #PrivateDevices=true #breaks tun usage | ||||||
|  | #ProtectProc=invisible | ||||||
|  | PrivateTmp=yes | ||||||
|  | ProtectClock=true | ||||||
|  | ProtectControlGroups=true | ||||||
|  | ProtectHome=read-only | ||||||
|  | ProtectKernelLogs=true | ||||||
|  | #ProtectKernelModules=true | ||||||
|  | #ProtectSystem=strict | ||||||
|  | #ReadOnlyPaths=/etc/NetworkManager | ||||||
|  | ReadOnlyPaths=-/home | ||||||
|  | #ReadWritePaths=-/etc/NetworkManager/system-connections | ||||||
|  | ReadWritePaths=-/etc/sysconfig/network-scripts | ||||||
|  | ReadWritePaths=/var/lib/NetworkManager | ||||||
|  | ReadWritePaths=-/var/run/NetworkManager | ||||||
|  | ReadWritePaths=-/run/NetworkManager | ||||||
|  | RemoveIPC=true | ||||||
|  | RestrictNamespaces=true | ||||||
|  | RestrictRealtime=true | ||||||
|  | RestrictSUIDSGID=true | ||||||
|  | SystemCallArchitectures=native | ||||||
|  | SystemCallFilter=@system-service | ||||||
|  | UMask=0077 | ||||||
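Review bot: With `ProtectSystem=strict` left commented out, the `ReadWritePaths=` lines for /etc/sysconfig/network-scripts, /var/lib/NetworkManager and /run/NetworkManager are no-ops — they only carve writable exceptions out of a read-only view, and nothing in this drop-in makes the root tree read-only — so the unit reads stronger than it is. Either re-enable `ProtectSystem=strict` and add `ReadWritePaths=-/etc/NetworkManager/system-connections` so saved connection profiles can still be written, or delete the dead lines; `ReadOnlyPaths=-/home` likewise duplicates `ProtectHome=read-only`. Keeping `CAP_SYS_MODULE` in `CapabilityBoundingSet` while `ProtectKernelModules=true` is commented out leaves a compromised NetworkManager able to load arbitrary kernel modules; unless this NM instance is known to modprobe on its own (the kernel autoloads tun and rtnl-link modules on request without it), drop the capability and uncomment `ProtectKernelModules=true`. The commented-out `PrivateDevices` note about tun is fine, but it deserves the same treatment as a comment rather than dead config.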
|  | @ -0,0 +1,6 @@ | ||||||
|  | [Unit] | ||||||
|  | Description=Update user Flatpaks | ||||||
|  | 
 | ||||||
|  | [Service] | ||||||
|  | Type=oneshot | ||||||
|  | ExecStart=/usr/bin/flatpak --user update -y | ||||||
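Review bot: `flatpak --user update -y` runs fully unattended, and as far as I can tell `-y` also answers yes when an updated app requests wider sandbox permissions (new filesystem, device or D-Bus access), so a daily timer silently grants whatever permission widening a Flathub publisher ships. If that trade-off is intended for this template, record it in the unit with `# -y also auto-accepts new sandbox permissions requested by app updates; review with 'flatpak history' / 'flatpak info --show-permissions'`; if not, drop `-y` and keep the timer to metadata refresh, leaving the actual update interactive. The unit also runs without any ordering on the network; a `[Unit]` `After=network-online.target` (where the user session exposes it) avoids a failed Persistent= catch-up run right after login.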
|  | @ -0,0 +1,9 @@ | ||||||
|  | [Unit] | ||||||
|  | Description=Update user Flatpaks daily | ||||||
|  | 
 | ||||||
|  | [Timer] | ||||||
|  | OnCalendar=daily | ||||||
|  | Persistent=true | ||||||
|  | 
 | ||||||
|  | [Install] | ||||||
|  | WantedBy=timers.target | ||||||
|  | @ -0,0 +1,4 @@ | ||||||
|  | [zram0] | ||||||
|  | zram-fraction = 1 | ||||||
|  | max-zram-size = 8192 | ||||||
|  | compression-algorithm = zstd | ||||||
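Review bot: `zram-fraction` and `max-zram-size` are the legacy pre-1.0 zram-generator keys; current releases (including, as far as I can tell, what Fedora 41 ships) still honour them but log a deprecation warning, and the replacement is a single expression, `zram-size = min(ram, 8192)`. Switching now keeps the role working when the legacy keys are eventually removed. If the intent was really "all of RAM, capped at 8 GiB" that expression says so more plainly than fraction-plus-cap.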
|  | @ -0,0 +1,2 @@ | ||||||
|  | [preferred] | ||||||
|  | default=gtk; | ||||||
|  | @ -1,6 +1,4 @@ | ||||||
| - name: Setup passwordless sudo | - name: Setup passwordless sudo | ||||||
|   hosts: 127.0.0.1 |  | ||||||
|   connection: local |  | ||||||
|   tasks: |   tasks: | ||||||
|    - name: Check that the sudo-dom0-prompt exists |    - name: Check that the sudo-dom0-prompt exists | ||||||
|      stat: |      stat: | ||||||
|  |  | ||||||
							
								
								
									
										17
									
								
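--- /dev/null
+++ b/roles/trivalent/tasks/main.yaml
@@ -0,0 +1,17 @@
+- name: Install trivalent browser
+  tasks:
+    - name: Enable hardened_malloc COPR
+      shell: 'sudo dnf copr enable secureblue/trivalent -y'
+
+    - name: Enable codecs and stuff
+      shell: 'sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1'
+
+    - name: Update codecs
+      shell: 'sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'
+
+    - name: Install hardened_malloc
+      ansible.builtin.dnf5:
+        name: 
+          - ffmpeg
+          - trivalent
+        state: 'present'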
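Review bot: This file lives in roles/trivalent/tasks/, where Ansible expects a flat list of tasks, but it is written as a play (`- name: Install trivalent browser` followed by `tasks:`); the outer item has no action and `tasks` is not a task attribute, so the role fails to load before anything runs. Beyond that, the `shell` tasks invoke `sudo` themselves instead of using `become: true`, `dnf update @multimedia` has no `-y` so dnf aborts at its confirmation prompt under Ansible's non-interactive shell, and the names "Enable hardened_malloc COPR" / "Install hardened_malloc" belong to a different role — these tasks enable the secureblue/trivalent COPR and install ffmpeg and trivalent. Enabling a COPR is a supply-chain decision (the packages come from a third-party build account), so the task name should say which one is being trusted. The rewrite below is a plain task list; `dnf config-manager setopt` on the rpmfusion repo ids presumably requires the rpmfusion-*-release packages to be installed first, which this hunk does not show — confirm.

```yaml
- name: Enable the secureblue/trivalent COPR (third-party build account)
  ansible.builtin.command: dnf copr enable -y secureblue/trivalent
  become: true

- name: Enable openh264 and RPM Fusion repositories
  ansible.builtin.command: >-
    dnf config-manager setopt fedora-cisco-openh264.enabled=1
    rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1
    rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1
  become: true

- name: Update the multimedia package group
  ansible.builtin.command: >-
    dnf update -y @multimedia --setopt=install_weak_deps=False
    --exclude=PackageKit-gstreamer-plugin
  become: true

- name: Install ffmpeg and trivalent
  become: true
  ansible.builtin.dnf5:
    name:
      - ffmpeg
      - trivalent
    state: present
```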