fix: remove use of sudo to allow running from root shell for repeat runs

roles/baseline/tasks/main.yaml

@@ -100,7 +100,7 @@
   - 'etc/dconf/db/local.d/privacy'
 
 - name: Update dconf
-  shell: sudo dconf update
+  shell: 'dconf update'
 
 - name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT
   ansible.builtin.copy:
@@ -125,10 +125,10 @@
     state: latest
 
 - name: Mark packages as manually installed to avoid removal
-  shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
+  shell: 'dnf mark user flatpak gnome-menus qubes-menus -y'
 
 - name: Enable hardened_malloc COPR
-  shell: 'sudo dnf copr enable secureblue/hardened_malloc -y'
+  shell: 'dnf copr enable secureblue/hardened_malloc -y'
 
 - name: Install hardened_malloc
   ansible.builtin.dnf5:
@@ -153,7 +153,7 @@
   when: use_hardened_malloc == true
 
 - name: Enable hardened_malloc for system wide flatpak
-  shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
+  shell: 'flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
   when: use_hardened_malloc == true
 
 - name: Enable hardened_malloc for user flatpak # has to be run per APP VM

roles/baseline/templates/etc/sysctl.d/99-workstation.conf.j2

@@ -44,7 +44,7 @@ kernel.unprivileged_userns_clone = 1
 
 # Disable ptrace. Not needed on workstations.
 {% if allow_ptrace %}
-kernel.yama.ptrace_scope = 2
+kernel.yama.ptrace_scope = 1
 {% else %}
 kernel.yama.ptrace_scope = 3
 {% endif %}

roles/gnome/tasks/main.yaml

@@ -9,7 +9,7 @@
     state: latest
 
 - name: Mark packages as manually installed to avoid removal
-  shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
+  shell: 'dnf mark user flatpak gnome-menus qubes-menus -y'
 
 - name: Remove unnecessary stuff from the template
   ansible.builtin.dnf5:

roles/trivalent/tasks/main.yaml

@@ -12,10 +12,10 @@
     mode: '0644'
 
 - name: Enable codecs and stuff
-  shell: 'sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1'
+  shell: 'dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1'
 
 - name: Update codecs
-  shell: 'sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'
+  shell: 'dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'
 
 - name: Update all
   ansible.builtin.dnf5: