fix: remove use of sudo to allow running from root shell for repeat runs

fedora-42-dev.yaml

@@ -25,13 +25,15 @@
       vars:
         enable_webgl: false
 
-    - name: 'Install wireguard-tools and neovim and gdb and podman'
+    - name: 'Install wireguard-tools and neovim and gdb and podman and other devtools'
       ansible.builtin.dnf5:
         name:
           - wireguard-tools
           - neovim
           - gdb
           - podman
+          - glibc-devel
+          - opentofu
         state: 'present'
   
     - name: 'Handle SUID binaries'

remove_suid.sh

@@ -73,8 +73,8 @@ is_in_whitelist() {
     return 1
 }
 
-sudo passwd -l root
+passwd -l root
-sudo dnf remove sudo-python-plugin
+dnf remove sudo-python-plugin
 
 find /usr -type f -perm /4000 |
     while IFS= read -r binary; do

roles/baseline/tasks/main.yaml

@@ -100,7 +100,7 @@
   - 'etc/dconf/db/local.d/privacy'
 
 - name: Update dconf
-  shell: sudo dconf update
+  shell: 'dconf update'
 
 - name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT
   ansible.builtin.copy:
@@ -125,10 +125,10 @@
     state: latest
 
 - name: Mark packages as manually installed to avoid removal
-  shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
+  shell: 'dnf mark user flatpak gnome-menus qubes-menus -y'
 
 - name: Enable hardened_malloc COPR
-  shell: 'sudo dnf copr enable secureblue/hardened_malloc -y'
+  shell: 'dnf copr enable secureblue/hardened_malloc -y'
 
 - name: Install hardened_malloc
   ansible.builtin.dnf5:
@@ -153,7 +153,7 @@
   when: use_hardened_malloc == true
 
 - name: Enable hardened_malloc for system wide flatpak
-  shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
+  shell: 'flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
   when: use_hardened_malloc == true
 
 - name: Enable hardened_malloc for user flatpak # has to be run per APP VM

roles/baseline/templates/etc/sysctl.d/99-workstation.conf.j2

@@ -44,7 +44,7 @@ kernel.unprivileged_userns_clone = 1
 
 # Disable ptrace. Not needed on workstations.
 {% if allow_ptrace %}
-kernel.yama.ptrace_scope = 2
+kernel.yama.ptrace_scope = 1
 {% else %}
 kernel.yama.ptrace_scope = 3
 {% endif %}

roles/gnome/tasks/main.yaml

@@ -9,7 +9,7 @@
     state: latest
 
 - name: Mark packages as manually installed to avoid removal
-  shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
+  shell: 'dnf mark user flatpak gnome-menus qubes-menus -y'
 
 - name: Remove unnecessary stuff from the template
   ansible.builtin.dnf5:

roles/trivalent/tasks/main.yaml

@@ -12,10 +12,10 @@
     mode: '0644'
 
 - name: Enable codecs and stuff
-  shell: 'sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1'
+  shell: 'dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1'
 
 - name: Update codecs
-  shell: 'sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'
+  shell: 'dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'
 
 - name: Update all
   ansible.builtin.dnf5: