diff --git a/qubes-config/etc/modprobe.d/workstation-blacklist.conf b/roles/qubes-f41-gnome/etc/modprobe.d/workstation-blacklist.conf
similarity index 100%
rename from qubes-config/etc/modprobe.d/workstation-blacklist.conf
rename to roles/qubes-f41-gnome/etc/modprobe.d/workstation-blacklist.conf
diff --git a/qubes-config/etc/ssh/ssh_config.d/10-custom.conf b/roles/qubes-f41-gnome/etc/ssh/ssh_config.d/10-custom.conf
similarity index 100%
rename from qubes-config/etc/ssh/ssh_config.d/10-custom.conf
rename to roles/qubes-f41-gnome/etc/ssh/ssh_config.d/10-custom.conf
diff --git a/qubes-config/etc/sysctl.d/99-workstation.conf b/roles/qubes-f41-gnome/etc/sysctl.d/99-workstation.conf
similarity index 100%
rename from qubes-config/etc/sysctl.d/99-workstation.conf
rename to roles/qubes-f41-gnome/etc/sysctl.d/99-workstation.conf
diff --git a/roles/qubes-f41-gnome/etc/systemd/system/NetworkManager.service.d/99-brace.conf b/roles/qubes-f41-gnome/etc/systemd/system/NetworkManager.service.d/99-brace.conf
new file mode 100644
index 0000000..d3ad4a4
--- /dev/null
+++ b/roles/qubes-f41-gnome/etc/systemd/system/NetworkManager.service.d/99-brace.conf
@@ -0,0 +1,28 @@
+[Service]
+# Hardening
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+LockPersonality=true
+MemoryDenyWriteExecute=true
+#PrivateDevices=true #breaks tun usage
+#ProtectProc=invisible
+PrivateTmp=yes
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=read-only
+ProtectKernelLogs=true
+#ProtectKernelModules=true
+#ProtectSystem=strict
+#ReadOnlyPaths=/etc/NetworkManager
+ReadOnlyPaths=-/home
+#ReadWritePaths=-/etc/NetworkManager/system-connections
+ReadWritePaths=-/etc/sysconfig/network-scripts
+ReadWritePaths=/var/lib/NetworkManager
+ReadWritePaths=-/var/run/NetworkManager
+ReadWritePaths=-/run/NetworkManager
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+UMask=0077
diff --git a/roles/qubes-f41-gnome/etc/xdg-desktop-portal/portals.conf b/roles/qubes-f41-gnome/etc/xdg-desktop-portal/portals.conf
new file mode 100644
index 0000000..e7ae6e3
--- /dev/null
+++ b/roles/qubes-f41-gnome/etc/xdg-desktop-portal/portals.conf
@@ -0,0 +1,2 @@
+[preferred]
+default=gtk;
diff --git a/roles/qubes-f41-gnome/tasks/main.yaml b/roles/qubes-f41-gnome/tasks/main.yaml
new file mode 100644
index 0000000..204da1a
--- /dev/null
+++ b/roles/qubes-f41-gnome/tasks/main.yaml
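Review bot: `CapabilityBoundingSet=` in a drop-in is merged (ORed) with any bounding set the main NetworkManager unit already declares, so this line cannot narrow the service's capabilities on its own; if narrowing is the intent, put an empty `CapabilityBoundingSet=` line immediately before it to reset the set first. CAP_SYS_MODULE is kept and `ProtectKernelModules=` left commented out, yet `SystemCallFilter=@system-service` excludes the `@module` group, so a module-loading syscall issued by the service itself would be denied (and, with no `SystemCallErrorNumber=`, the process is killed with SIGSYS) — either extend the filter to `SystemCallFilter=@system-service @module` or drop the capability, depending on what NetworkManager actually needs on this template. `ReadOnlyPaths=-/home` is redundant with `ProtectHome=read-only` a few lines above; one of the two can go. A short comment above the commented-out `ProtectSystem=`/`ProtectKernelModules=` lines stating why each was disabled, as was done for `PrivateDevices=`, would keep the next reviewer from re-enabling them.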
@@ -0,0 +1,162 @@ +- name: Configure Fedora 41 Gnome Template + hosts: 127.0.0.1 + connection: local + tasks: + - name: Kill debug-shell service + ansible.builtin.systemd_service: + name: debug-shell.service + masked: true + - name: Kill kdump service + ansible.builtin.systemd_service: + name: kdump.service + masked: true + - name: Set umask to 077 + shell: umask 077 + - name: Set umask to 077 in login.defs + ansible.builtin.replace: + path: /etc/login.defs + regexp: '^UMASK.*' + replace: 'UMASK 077' + + - name: Set umask to 077 in logins.defs + ansible.builtin.replace: + path: /etc/login.defs + regexp: '^HOME_MODE' + replace: '#HOME_MODE' + + - name: Set umask to 077 in bashrc + ansible.builtin.replace: + path: /etc/bashrc + regexp: 'umask 022' + replace: 'umask 077' + + - name: Make home directory private + ansible.builtin.file: + path: /home/* + state: directory + recurse: true + mode: '0700' + + - name: Harden SSH, add kernel blacklist and hardening + ansible.builtin.copy: + src: '..{{ item }}' + dest: '{{ item }}' + mode: '0644' + loop: + - '/etc/ssh/ssh_config.d/10-custom.conf' + - '/etc/modprobe.d/workstation-blacklist.conf' + - '/etc/sysctl.d/99-workstation.conf' + + + - name: Reload sysctl + shell: 'sysctl -p' + + - name: Create coredump.conf.d + ansible.builtin.file: + path: '/etc/systemd/coredump.conf.d' + state: 'directory' + mode: '0755' + - name: Make locks dir for dconf + ansible.builtin.file: + path: '../qubes-config/etc/dconf/db/local.d/locks' + state: 'directory' + mode: '0755' + - name: Fix XDG portals + ansible.builtin.file: + path: '../qubes-config/etc/xdg-desktop-portal' + state: 'directory' + mode: '0755' + + - name: Copy dconf files + xdg-desktop-portals fix + Network manager + ansible.builtin.copy: + src: '..{{ item }}' + dest: '{{ item }}' + mode: '0644' + loop: + - '/etc/security/limits.d/30-disable-coredump.conf' + - '/etc/systemd/coredump.conf.d/disable.conf' + - '/etc/dconf/db/local.d/locks/automount-disable' + - 
'/etc/dconf/db/local.d/locks/privacy' + - '/etc/dconf/db/local.d/adw-gtk3-dark' + - '/etc/dconf/db/local.d/automount-disable' + - '/etc/dconf/db/local.d/prefer-dark' + - '/etc/dconf/db/local.d/privacy' + - '/etc/xdg-desktop-portal/portals.conf' + - '/etc/systemd/system/NetworkManager.service.d/99-brace.conf' + + - name: Update dconf + shell: sudo dconf update + + - name: Setup ZRAM, flatpak updater and environment variables to disable GJS, WebkitGTK JIT, and fix GNOME env variable + ansible.builtin.copy: + src: '..{{ item }}' + dest: '{{ item }}' + mode: '0600' + loop: + - '/etc/systemd/zram-generator.conf' + - '/etc/systemd/user/update-user-flatpaks.service' + - '/etc/systemd/user/update-user-flatpaks.timer' + - '/etc/environment' + + - name: Upgrade all packages + ansible.builtin.dnf5: + name: "*" + state: latest + + - name: Mark packages as manually installed to avoid removal + shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y' + + - name: Remove unnecessary stuff from the template + ansible.builtin.dnf5: + name: {{ packages_to_remove }} + state: 'absent' + allowerasing: true + autoremove: true + + - name: Install custom packages + ansible.builtin.dnf5: + name: + - 'qubes-ctap' + - 'qubes-gpg-split' + - 'adw-gtk3-theme' + - 'ncurses' + - 'gnome-shell' + - 'ptyxis' + state: 'present' + - name: Enable hardened_malloc COPR + shell: 'sudo dnf copr enable secureblue/hardened_malloc -y' + + - name: Install hardened_malloc + ansible.builtin.dnf5: + name: 'hardened_malloc' + state: 'present' + + - name: Enable hardened_malloc + ansible.builtin.copy: + src: '../qubes-config/etc/ld.so.preload' + dest: '/etc/ld.so.preload' + mode: '0644' + - name: Enable hardened_malloc for system wide flatpak + shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so' + - name: Enable hardened_malloc for user flatpak # has to be run per APP VM + shell: 'flatpak override --user --filesystem=host-os:ro 
--env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so' + - name: Setup dnf repos + ansible.builtin.copy: + src: '../qubes-config/etc/dnf/dnf.conf' + dest: '/etc/dnf/dnf.conf' + mode: '0644' + + - name: Get list of files + ansible.builtin.find: + paths: /etc/yum.repos.d/ + recurse: true + register: found_files + + - name: Replace text in those files + ansible.builtin.lineinfile: + backup: true + backrefs: true + path: '{{ item.path }}' + regexp: '^(metalink=.*)$' + line: '\1&protocol=https' + loop: '{{ found_files.files }}' diff --git a/roles/qubes-f41-gnome/vars/main.yaml b/roles/qubes-f41-gnome/vars/main.yaml new file mode 100644 index 0000000..73bd1d6 --- /dev/null +++ b/roles/qubes-f41-gnome/vars/main.yaml 
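Review bot: `name: {{ packages_to_remove }}` in the `Remove unnecessary stuff from the template` task starts with an unquoted Jinja expression, which YAML parses as a flow mapping and Ansible rejects at load time; it needs `name: "{{ packages_to_remove }}"`. The file sits at roles/qubes-f41-gnome/tasks/main.yaml but is written as a play (`hosts:`, `connection:`, `tasks:`) rather than a task list, so it will not load as a role, and several `src`/`path` values still point at `../qubes-config/...` although this commit moves the config under `roles/qubes-f41-gnome/` — worth confirming those paths resolve after the rename. `path: /home/*` in `Make home directory private` is passed to `ansible.builtin.file`, which does not expand globs and will instead create a directory literally named `*` with mode 0700 under /home; enumerate home directories with `ansible.builtin.find` and loop over the results, as the yum.repos.d tasks at the end already do. `/etc/systemd/user/update-user-flatpaks.service` and `.timer` are copied with `mode: '0600'`, but user units are read by each user's own systemd instance, so root-only permissions make them invisible; those two need `'0644'`. `Replace text in those files` also re-matches `^(metalink=.*)$` on every run and appends a further `&protocol=https` each time; a negative lookahead such as `regexp: '^(metalink=(?!.*protocol=https).*)$'` keeps it idempotent.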
@@ -0,0 +1,102 @@
+packages_to_remove:
+ - '@Container Management'
+ - '@Desktop Accessibility'
+ - '@Guest Desktop Agents'
+ - '@Printing Support'
+ - 'gnome-software'
+ - 'httpd'
+ - 'keepassxc'
+ - 'thunderbird'
+ - 'fedora-bookmarks'
+ - 'fedora-chromium-config'
+ - 'avahi'
+ - 'cifs*'
+ - '*cups'
+ - 'dmidecode'
+ - 'dnsmasq'
+ - 'geolite2*'
+ - 'mtr'
+ - 'net-snmp-libs'
+ - 'net-tools'
+ - 'nfs-utils'
+ - 'nmap-ncat'
+ - 'opensc'
+ - 'openssh-server'
+ - 'rsync'
+ - 'rygel'
+ - 'sgpio'
+ - 'tcpdump'
+ - 'teamd'
+ - 'traceroute'
+ - 'usb_modeswitch'
+ - '*anthy*'
+ - '*hangul*'
+ - 'ibus-typing-booster'
+ - '*m17n*'
+ - '*pinyin*'
+ - '*speech*'
+ - ' words'
+ - '*zhuyin*'
+ - 'ImageMagick*'
+ - 'sane*'
+ - 'simple-scan'
+ - 'sssd*'
+ - 'realmd'
+ - 'cyrus-sasl-gssapi'
+ - 'quota*'
+ - 'dos2unix'
+ - 'kpartx'
+ - 'sos'
+ - 'samba-client'
+ - 'gvfs-smb'
+ - 'NetworkManager-pptp-gnome'
+ - 'NetworkManager-ssh-gnome'
+ - 'NetworkManager-openconnect-gnome'
+ - 'NetworkManager-openvpn-gnome'
+ - 'NetworkManager-vpnc-gnome'
+ - 'ppp*'
+ - 'ModemManager'
+ - 'baobab'
+ - 'chrome-gnome-shell'
+ - 'eog'
+ - 'gnome-boxes'
+ - 'gnome-calculator'
+ - 'gnome-calendar'
+ - 'gnome-characters'
+ - 'gnome-classic*'
+ - 'gnome-clocks'
+ - 'gnome-color-manager'
+ - 'gnome-connections'
+ - 'gnome-contacts'
+ - 'gnome-disk-utility'
+ - 'gnome-font-viewer'
+ - 'gnome-logs'
+ - 'gnome-maps'
+ - 'gnome-photos'
+ - 'gnome-remote-desktop'
+ - 'gnome-screenshot'
+ - 'gnome-shell-extension-apps-menu'
+ - 'gnome-shell-extension-background-logo'
+ - 'gnome-shell-extension-launch-new-instance'
+ - 'gnome-shell-extension-places-menu'
+ - 'gnome-shell-extension-window-list'
+ - 'gnome-text-editor'
+ - 'gnome-themes-extra'
+ - 'gnome-tour'
+ - 'gnome-user*'
+ - 'gnome-weather'
+ - 'loupe'
+ - 'snapshot'
+ - 'totem'
+ - 'abrt*'
+ - 'cheese'
+ - 'evince'
+ - 'file-roller*'
+ - 'libreoffice*'
+ - 'mediawriter'
+ - 'rhythmbox'
+ - 'yelp'
+ - 'lvm2'
+ - 'rng-tools'
+ - 'thermald'
+ - '*perl*'
\ No newline at end of file
diff --git a/tasks/dconf.yaml b/tasks/dconf.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/tasks/remove-packages.yaml b/tasks/remove-packages.yaml
new file mode 100644
index 0000000..e69de29
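Review bot: `' words'` in `packages_to_remove` carries a leading space, so the pattern can never match a package name and is silently ignored — presumably `'words'` was meant. The broad globs (`'*perl*'`, `'*speech*'`, `'*cups'`, `'sssd*'`, `'quota*'`) are consumed by a dnf5 task that sets `allowerasing: true` and `autoremove: true`, so anything depending on a matched package can be erased along with it (`*perl*` in particular is likely to match many `perl-*` libraries); running that task once in check mode before applying it, and a comment above this list stating that wide removals are intended, would make the blast radius explicit. The file also lacks a trailing newline.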