From bbd2e01bac4c61b3dbd0d117835b07161a5c775e Mon Sep 17 00:00:00 2001
From: mustard
Date: Thu, 18 Sep 2025 02:39:42 +0200
Subject: [PATCH] fix: remove use of sudo to allow running from root shell for repeat runs
---
 fedora-42-dev.yaml | 4 +++-
 remove_suid.sh | 4 ++--
 roles/baseline/tasks/main.yaml | 8 ++++----
 .../templates/etc/sysctl.d/99-workstation.conf.j2 | 2 +-
 roles/gnome/tasks/main.yaml | 2 +-
 roles/trivalent/tasks/main.yaml | 4 ++--
 6 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/fedora-42-dev.yaml b/fedora-42-dev.yaml
index 4005c96..b77c3a7 100644
--- a/fedora-42-dev.yaml
+++ b/fedora-42-dev.yaml
@@ -25,13 +25,15 @@
 vars:
 enable_webgl: false
- - name: 'Install wireguard-tools and neovim and gdb and podman'
+ - name: 'Install wireguard-tools and neovim and gdb and podman and other devtools'
 ansible.builtin.dnf5:
 name:
 - wireguard-tools
 - neovim
 - gdb
 - podman
+ - glibc-devel
+ - opentofu
 state: 'present'
 - name: 'Handle SUID binaries'
diff --git a/remove_suid.sh b/remove_suid.sh
index 82b6e0a..a10dc56 100755
--- a/remove_suid.sh
+++ b/remove_suid.sh
@@ -73,8 +73,8 @@ is_in_whitelist() {
 return 1
 }
-sudo passwd -l root
-sudo dnf remove sudo-python-plugin
+passwd -l root
+dnf remove sudo-python-plugin
 find /usr -type f -perm /4000 | while IFS= read -r binary; do
diff --git a/roles/baseline/tasks/main.yaml b/roles/baseline/tasks/main.yaml
index 3d4b265..b522c4b 100644
--- a/roles/baseline/tasks/main.yaml
+++ b/roles/baseline/tasks/main.yaml
@@ -100,7 +100,7 @@
 - 'etc/dconf/db/local.d/privacy'
 - name: Update dconf
- shell: sudo dconf update
+ shell: 'dconf update'
 - name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT
 ansible.builtin.copy:
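Review bot: The task name on the added `- name:` line is a hand-maintained package list that has already drifted into "and other devtools"; it will keep going stale as the `name:` list below grows, so give it a stable description such as `- name: 'Install developer tooling (VPN, editor, debugger, containers, toolchain)'` and let the package list be the single source of truth. Separately, `opentofu` is an infrastructure tool that presumably fetches providers from the network at runtime, and if it is not shipped in the stock Fedora 42 repositories this single `dnf5` task fails the whole play; confirm which repository supplies it before baking it into the template. The dnf5 task is complete within the hunk, the surrounding play is not visible.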
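Review bot: With `sudo` removed, nothing in the hunk verifies the script is actually running as root, so from a non-root shell `passwd -l root` and `dnf remove sudo-python-plugin` fail (and the `find ... -perm /4000` loop that follows presumably cannot change modes either) while execution carries on unless `set -e` is enabled above the hunk, which is not visible here. Add an explicit guard before the first privileged command: `[ "$(id -u)" -eq 0 ] || { echo "remove_suid.sh must run as root" >&2; exit 1; }`. `dnf remove sudo-python-plugin` is also still interactive; for the unattended repeat runs the commit targets it should be `dnf remove -y sudo-python-plugin`, and on a repeat run where the plugin is already gone dnf exits non-zero for the no-op, so that line needs to tolerate that outcome. Note too that `passwd -l root` locks the root password while this same commit makes the workflow depend on a root shell; that is only safe if the root shell is obtained without a password (as is typical in Qubes), which is worth stating in a comment. The `while` loop reading the `find` output starts in the hunk and continues past it.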
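Review bot: The rewritten `shell: 'dconf update'` line now depends entirely on the play's connection user being root, yet neither this task nor anything visible declares `become: true`, so an operator who runs the playbook as an unprivileged user gets a dconf permission error where they previously got a sudo prompt. Make the privilege requirement explicit with `become: true` on the task or play rather than implicit in how the playbook is invoked. Since no shell features are used, `ansible.builtin.command: dconf update` is the idiomatic module and avoids the command-instead-of-shell lint warning, and because the command reports `changed` on every run, add `changed_when: false` (or a real change detector) so repeat runs are clean. The task list continues outside the hunk.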
@@ -125,10 +125,10 @@
 state: latest
 - name: Mark packages as manually installed to avoid removal
- shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
+ shell: 'dnf mark user flatpak gnome-menus qubes-menus -y'
 - name: Enable hardened_malloc COPR
- shell: 'sudo dnf copr enable secureblue/hardened_malloc -y'
+ shell: 'dnf copr enable secureblue/hardened_malloc -y'
 - name: Install hardened_malloc
 ansible.builtin.dnf5:
@@ -153,7 +153,7 @@
 when: use_hardened_malloc == true
 - name: Enable hardened_malloc for system wide flatpak
- shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
+ shell: 'flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
 when: use_hardened_malloc == true
 - name: Enable hardened_malloc for user flatpak # has to be run per APP VM
diff --git a/roles/baseline/templates/etc/sysctl.d/99-workstation.conf.j2 b/roles/baseline/templates/etc/sysctl.d/99-workstation.conf.j2
index c75e83f..9f85134 100644
--- a/roles/baseline/templates/etc/sysctl.d/99-workstation.conf.j2
+++ b/roles/baseline/templates/etc/sysctl.d/99-workstation.conf.j2
@@ -44,7 +44,7 @@ kernel.unprivileged_userns_clone = 1
 # Disable ptrace. Not needed on workstations.
 {% if allow_ptrace %}
-kernel.yama.ptrace_scope = 2
+kernel.yama.ptrace_scope = 1
 {% else %}
 kernel.yama.ptrace_scope = 3
 {% endif %}
diff --git a/roles/gnome/tasks/main.yaml b/roles/gnome/tasks/main.yaml
index 879ed01..c9048a3 100644
--- a/roles/gnome/tasks/main.yaml
+++ b/roles/gnome/tasks/main.yaml
@@ -9,7 +9,7 @@
 state: latest
 - name: Mark packages as manually installed to avoid removal
- shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
+ shell: 'dnf mark user flatpak gnome-menus qubes-menus -y'
 - name: Remove unnecessary stuff from the template
 ansible.builtin.dnf5:
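Review bot: The added `dnf copr enable secureblue/hardened_malloc -y` line enables a third-party repository and accepts its configuration non-interactively on every run; that is a supply-chain trust decision that should be made idempotent and visible, e.g. `args: {creates: '/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo'}` (confirm the exact repo file name dnf5's copr plugin writes) so a repeat run is a no-op instead of rewriting the repo file. The `dnf mark user ... -y` task above it likewise reports `changed` on every run and would take `changed_when: false`. Neither command uses shell syntax, so `ansible.builtin.command` is the better module for both. The task list continues on both sides of the hunk.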
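Review bot: Changing the `allow_ptrace` branch from `kernel.yama.ptrace_scope = 2` to `1` is a genuine relaxation: scope 2 allowed only CAP_SYS_PTRACE holders to attach, while scope 1 lets any process trace its own descendants (and anything a target opts into via PR_SET_PTRACER), which is what an unprivileged `gdb ./prog` needs but is not mentioned in a commit titled "remove use of sudo". It deserves its own commit with that rationale, and the existing comment `# Disable ptrace. Not needed on workstations.` is now misleading for the true branch; replace it with something like `# ptrace: 3 disables it entirely (irreversible until reboot); with allow_ptrace, 1 permits a process to trace only its descendants, enough for gdb on dev templates.` The Jinja block is complete within the hunk.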
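Review bot: The rewritten `shell: 'dnf mark user flatpak gnome-menus qubes-menus -y'` task is byte-for-byte the same as the "Mark packages as manually installed to avoid removal" task changed in roles/baseline/tasks/main.yaml in this commit, so every future fix to it (`changed_when: false`, switching to `ansible.builtin.command`, adding `become: true`) has to be made twice. Move it into one shared task file pulled in with `ansible.builtin.include_tasks`, or drop the copy from whichever role always runs after the other. The task list continues outside the hunk.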
diff --git a/roles/trivalent/tasks/main.yaml b/roles/trivalent/tasks/main.yaml
index 6aa5136..dc28d77 100644
--- a/roles/trivalent/tasks/main.yaml
+++ b/roles/trivalent/tasks/main.yaml
@@ -12,10 +12,10 @@
 mode: '0644'
 - name: Enable codecs and stuff
- shell: 'sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1'
+ shell: 'dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1'
 - name: Update codecs
- shell: 'sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'
+ shell: 'dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'
 - name: Update all
 ansible.builtin.dnf5:
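Review bot: The rewritten `dnf update @multimedia ...` line has no `-y`, so when Ansible runs it without a TTY dnf's confirmation prompt presumably reads EOF and aborts the transaction with a non-zero exit, failing the play; it should be `shell: 'dnf -y update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'`. The `dnf config-manager setopt ...` line above it enables RPM Fusion free and nonfree plus the Cisco openh264 repository, a broad third-party trust expansion for a hardened template that should be named as such in the task (not "Enable codecs and stuff") and gated behind a variable the way `use_hardened_malloc` gates the baseline tasks. Both commands contain no shell syntax and always report `changed`; `ansible.builtin.command` with a `changed_when` based on output is the idiomatic form. The task list continues after the hunk.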