KDE

roles/baseline/tasks/files/etc/systemd/coredump.conf.d/disable.conf

@@ -0,0 +1,2 @@
+[Coredump]
+Storage=none

roles/baseline/tasks/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf

@@ -0,0 +1,28 @@
+[Service]
+# Hardening
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+LockPersonality=true
+MemoryDenyWriteExecute=true
+#PrivateDevices=true #breaks tun usage
+#ProtectProc=invisible
+PrivateTmp=yes
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=read-only
+ProtectKernelLogs=true
+#ProtectKernelModules=true
+#ProtectSystem=strict
+#ReadOnlyPaths=/etc/NetworkManager
+ReadOnlyPaths=-/home
+#ReadWritePaths=-/etc/NetworkManager/system-connections
+ReadWritePaths=-/etc/sysconfig/network-scripts
+ReadWritePaths=/var/lib/NetworkManager
+ReadWritePaths=-/var/run/NetworkManager
+ReadWritePaths=-/run/NetworkManager
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+UMask=0077

roles/baseline/tasks/files/etc/systemd/user/update-user-flatpaks.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Update user Flatpaks
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/flatpak --user update -y

roles/baseline/tasks/files/etc/systemd/user/update-user-flatpaks.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Update user Flatpaks daily
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target

roles/baseline/tasks/files/etc/systemd/zram-generator.conf

@@ -0,0 +1,4 @@
+[zram0]
+zram-fraction = 1
+max-zram-size = 8192
+compression-algorithm = zstd