diff --git a/inventory.yaml b/inventory.yaml index b1f9eb9..c2866a0 100644 --- a/inventory.yaml +++ b/inventory.yaml @@ -3,3 +3,23 @@ myhosts: golden-image: ansible_host: 10.0.1.11 ansible_user: root + forgejo: + ansible_host: 10.0.1.5 + ansible_user: root + office: + ansible_host: 10.0.1.3 + ansible_user: root + synapse: + ansible_host: 10.0.1.2 + ansible_user: root +remotehosts: + hosts: + VPS: + ansible_host: 31.220.42.40 + ansible_user: root + +inferencehosts: + hosts: + laptop: + ansible_host: 10.20.40.2 + ansible_user: root diff --git a/qubes-config/etc/modprobe.d/workstation-blacklist.conf b/qubes-config/etc/modprobe.d/workstation-blacklist.conf new file mode 100644 index 0000000..8004687 --- /dev/null +++ b/qubes-config/etc/modprobe.d/workstation-blacklist.conf 
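Review bot: Every host added in this hunk, including the public `VPS` entry, is reached as `ansible_user: root`, so the control machine's key is a direct root login on each target. A dedicated unprivileged account plus `become: true` in the plays keeps root logins off sshd entirely; note that the `tasks/ssh_config.yaml` hunk in this same commit installs the authorized key for `joyeuse` on `inferencehosts`, which disagrees with `ansible_user: root` on `laptop` here. The `myhosts` mapping these entries extend starts outside the hunk.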
@@ -0,0 +1,114 @@
+# unused network protocols
+install dccp /bin/false
+install sctp /bin/false
+install rds /bin/false
+install tipc /bin/false
+install n-hdlc /bin/false
+install ax25 /bin/false
+install netrom /bin/false
+install x25 /bin/false
+install rose /bin/false
+install decnet /bin/false
+install econet /bin/false
+install af_802154 /bin/false
+install ipx /bin/false
+install appletalk /bin/false
+install psnap /bin/false
+install p8023 /bin/false
+install p8022 /bin/false
+install can /bin/false
+install atm /bin/false
+
+# firewire and thunderbolt
+install firewire-core /bin/false
+install firewire_core /bin/false
+install firewire-ohci /bin/false
+install firewire_ohci /bin/false
+install firewire_sbp2 /bin/false
+install firewire-sbp2 /bin/false
+install firewire-net /bin/false
+install thunderbolt /bin/false
+install ohci1394 /bin/false
+install sbp2 /bin/false
+install dv1394 /bin/false
+install raw1394 /bin/false
+install video1394 /bin/false
+
+# unused filesystems
+install cramfs /bin/false
+install freevxfs /bin/false
+install jffs2 /bin/false
+install hfs /bin/false
+install hfsplus /bin/false
+install squashfs /bin/false
+install udf /bin/false
+install cifs /bin/false
+install nfs /bin/false
+install nfsv3 /bin/false
+install nfsv4 /bin/false
+install ksmbd /bin/false
+install gfs2 /bin/false
+install reiserfs /bin/false
+install kafs /bin/false
+install orangefs /bin/false
+install 9p /bin/false
+install adfs /bin/false
+install affs /bin/false
+install afs /bin/false
+install befs /bin/false
+install ceph /bin/false
+install coda /bin/false
+install ecryptfs /bin/false
+install erofs /bin/false
+install jfs /bin/false
+install minix /bin/false
+install netfs /bin/false
+install nilfs2 /bin/false
+install ocfs2 /bin/false
+install romfs /bin/false
+install ubifs /bin/false
+install zonefs /bin/false
+install sysv /bin/false
+install ufs /bin/false
+
+# disable vivid
+install vivid /bin/false
+
+# disable GNSS
+install gnss /bin/false
+install gnss-mtk /bin/false
+install gnss-serial /bin/false
+install gnss-sirf /bin/false
+install gnss-usb /bin/false
+install gnss-ubx /bin/false
+
+# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
+install bluetooth /bin/false
+install btusb /bin/false
+
+# blacklist ath_pci
+blacklist ath_pci
+
+# blacklist cdrom
+blacklist cdrom
+blacklist sr_mod
+
+# blacklist framebuffer drivers
+# source, ubuntu: https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf
+blacklist cyber2000fb
+blacklist cyblafb
+blacklist gx1fb
+blacklist hgafb
+blacklist kyrofb
+blacklist lxfb
+blacklist matroxfb_base
+blacklist neofb
+blacklist nvidiafb
+blacklist pm2fb
+blacklist s1d13xxxfb
+blacklist sisfb
+blacklist tdfxfb
+blacklist vesafb
+blacklist vfb
+blacklist vt8623fb
+blacklist udlfb
diff --git a/qubes-config/etc/ssh/ssh_config.d/10-custom.conf b/qubes-config/etc/ssh/ssh_config.d/10-custom.conf
new file mode 100644
index 0000000..440ccda
--- /dev/null
+++ b/qubes-config/etc/ssh/ssh_config.d/10-custom.conf
@@ -0,0 +1,2 @@
+GSSAPIAuthentication no
+VerifyHostKeyDNS yes
diff --git a/qubes-config/etc/sysctl.d/99-workstation.conf b/qubes-config/etc/sysctl.d/99-workstation.conf
new file mode 100644
index 0000000..bcd6bca
--- /dev/null
+++ b/qubes-config/etc/sysctl.d/99-workstation.conf
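Review bot: The trailing `blacklist` entries (`ath_pci`, `cdrom`, `sr_mod` and the framebuffer drivers) are a weaker control than the `install … /bin/false` lines above them: `blacklist` only stops alias-based autoloading, and the module still loads on an explicit `modprobe` or as a dependency of another module. If the intent is to keep them out entirely, as for the protocol and filesystem modules, write them the same way, e.g. `install cdrom /bin/false` and `install sr_mod /bin/false`, or add a comment stating that only autoload suppression is wanted for these. The `firewire-core`/`firewire_core` style pairs are redundant, since modprobe treats `-` and `_` in module names as equivalent; one spelling per module shortens the file without changing its effect.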
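Review bot: `VerifyHostKeyDNS yes` makes ssh accept a host key that matches an SSHFP record without prompting whenever the resolver flags the answer as DNSSEC-validated, so the trust decision moves to whatever resolver the VM happens to use, which in a template VM is probably not a locally validating one. Unless a validating resolver is guaranteed, `VerifyHostKeyDNS ask` keeps the DNS fingerprint as a hint but still requires confirmation; `GSSAPIAuthentication no` is fine as is. A one-line comment recording the assumption would help, e.g. `# yes relies on a DNSSEC-validating resolver; otherwise use ask`.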
@@ -0,0 +1,119 @@
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+dev.tty.ldisc_autoload = 0
+
+# https://access.redhat.com/solutions/1985633
+# Seems dangerous.
+# Roseta need this though, so if you use it change it to 1.
+fs.binfmt_misc.status = 0
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
+# Enable fs.protected sysctls.
+fs.protected_regular = 2
+fs.protected_fifos = 2
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
+# Disable coredumps.
+# For additional safety, disable coredumps using ulimit and systemd too.
+kernel.core_pattern=|/bin/false
+fs.suid_dumpable = 0
+
+# Restrict dmesg to CAP_SYS_LOG.
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+kernel.dmesg_restrict = 1
+
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
+# Restrict access to /proc.
+kernel.kptr_restrict = 2
+
+# Not needed, I don't do livepatching and reboot regularly.
+# On a workstation, this shouldn't be used at all. Don't live patch, just reboot.
+kernel.kexec_load_disabled = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Basically, restrict eBPF to CAP_BPF.
+kernel.unprivileged_bpf_disabled = 1
+net.core.bpf_jit_harden = 2
+
+# Needed for Flatpak and Bubblewrap.
+kernel.unprivileged_userns_clone = 1
+
+# Disable ptrace. Not needed on workstations.
+kernel.yama.ptrace_scope = 3
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Restrict performance events from unprivileged users as much as possible.
+# We are using 4 here, since Ubuntu supports such a level.
+# Official Linux kernel documentation only says >= so it probably will work.
+kernel.perf_event_paranoid = 4
+
+# Disable io_uring
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
+# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
+# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
+# on a Proxmox node.
+kernel.io_uring_disabled = 2
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Disable sysrq.
+kernel.sysrq = 0
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
+# Not running a router here, so no redirects.
+net.ipv4.conf.*.send_redirects = 0
+net.ipv4.conf.*.accept_redirects = 0
+net.ipv6.conf.*.accept_redirects = 0
+
+# Check if the source of the IP address is reachable through the same interface it came in
+# Basic IP spoofing mitigation.
+net.ipv4.conf.*.rp_filter = 1
+
+# Do not respond to ICMP.
+net.ipv4.icmp_echo_ignore_all = 1
+net.ipv6.icmp.echo_ignore_all = 1
+
+# Ignore Bogus ICMP responses.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Enable IP Forwarding.
+# Needed for VM networking and whatnot.
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
+# Ignore bogus icmp response.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Protection against time-wait assasination attacks.
+net.ipv4.tcp_rfc1337 = 1
+
+# Enable SYN cookies.
+# Basic SYN flood mitigation.
+net.ipv4.tcp_syncookies = 1
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Make sure TCP timestamp is enabled.
+net.ipv4.tcp_timestamps = 1
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Disable TCP SACK.
+# We have good networking :)
+net.ipv4.tcp_sack = 0
+
+# No SACK, therefore no Duplicated SACK.
+net.ipv4.tcp_dsack = 0
+
+# Improve ALSR effectiveness for mmap.
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Restrict userfaultfd to CAP_SYS_PTRACE.
+# https://bugs.archlinux.org/task/62780
+# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
+# probably not used in the real world at all.
+vm.unprivileged_userfaultfd = 0
diff --git a/tasks/fedora-41-template.yaml b/tasks/fedora-41-template.yaml
new file mode 100644
index 0000000..2ef6cf3
--- /dev/null
+++ b/tasks/fedora-41-template.yaml
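Review bot: `kernel.unprivileged_userns_clone` is a Debian/Ubuntu kernel patch and, as far as I know, does not exist on the Fedora kernels this file is deployed to by `tasks/fedora-41-template.yaml`, so systemd-sysctl will log a failure for that key on every boot and the "Needed for Flatpak and Bubblewrap" note is moot there (Fedora gates user namespaces with `user.max_user_namespaces`). `net.ipv4.icmp_ignore_bogus_error_responses = 1` appears twice, once under "Ignore Bogus ICMP responses" and again under the STIG link; drop one. The `net.ipv4.ip_forward = 1` / `net.ipv6.conf.all.forwarding = 1` block contradicts the "Not running a router here" comment above it and turns every VM built from the template into a forwarder; if only the networking VMs need it, say so in the comment or move those two keys to a file applied only there. `kernel.yama.ptrace_scope = 3` also cannot be lowered again without a reboot, which deserves a comment next to it.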
@@ -0,0 +1,293 @@
+- name: Configure Fedora 41 Gnome Template
+ hosts: 127.0.0.1
+ connection: local
+ tasks:
+ - name: Kill debug-shell service
+ ansible.builtin.systemd_service:
+ name: debug-shell.service
+ masked: true
+ - name: Kill kdump service
+ ansible.builtin.systemd_service:
+ name: kdump.service
+ masked: true
+
+ - name: Set umask to 077
+ shell: umask 077
+ - name: Set umask to 077 in login.defs
+ ansible.builtin.replace:
+ path: /etc/login.defs
+ regexp: '^UMASK.*'
+ replace: 'UMASK 077'
+
+ - name: Set umask to 077 in logins.defs
+ ansible.builtin.replace:
+ path: /etc/login.defs
+ regexp: '^HOME_MODE'
+ replace: '#HOME_MODE'
+
+ - name: Set umask to 077 in bashrc
+ ansible.builtin.replace:
+ path: /etc/bashrc
+ regexp: 'umask 022'
+ replace: 'umask 077'
+
+ - name: Make home directory private
+ ansible.builtin.file:
+ path: /home
+ state: directory
+ recurse: true
+ mode: '0700'
+
+ - name: Harden SSH
+ ansible.builtin.copy:
+ src: ../qubes-config/etc/ssh/ssh_config.d/10-custom.conf
+ dest: /etc/ssh/ssh_config.d/10-custom.conf
+ mode: '0644'
+
+ - name: Kernel blacklist
+ ansible.builtin.copy:
+ src: ../qubes-config/etc/modprobe.d/workstation-blacklist.conf
+ dest: /etc/modprobe.d/workstation-blacklist.conf
+ mode: '0644'
+
+ - name: Kernel hardening
+ ansible.builtin.copy:
+ src: ../qubes-config/etc/sysctl.d/99-workstation.conf
+ dest: /etc/sysctl.d/99-workstation.conf
+ mode: '0644'
+
+ - name: Reload sysctl
+ shell: 'sysctl -p'
+
+ - name: Disable coredump
+ ansible.builtin.copy:
+ src: '/etc/security/limits.d/30-disable-coredump.conf'
+ dest: '/etc/security/limits.d/30-disable-coredump.conf'
+ mode: '0644'
+ - name: Create coredump.conf.d
+ ansible.builtin.file:
+ path: '/etc/systemd/coredump.conf.d'
+ state: 'directory'
+ mode: '0755'
+ - name: Copy disable.conf
+ ansible.builtin.copy:
+ src: '/etc/systemd/coredump.conf.d/disable.conf'
+ dest: '/etc/systemd/coredump.conf.d/disable.conf'
+ mode: '0644'
+ - name: Make locks dir for dconf
+ ansible.builtin.file:
+ path: '/etc/dconf/db/local.d/locks'
+ state: 'directory'
+ mode: '0755'
+ - name: copy dconf file 1
+ ansible.builtin.copy:
+ src: '../qubes-config/etc/dconf/db/local.d/locks/automount-disable'
+ dest: '/etc/dconf/db/local.d/locks/automount-disable'
+ mode: '0644'
+ - name: copy dconf file 2
+ ansible.builtin.copy:
+ src: '../qubes-config/etc/dconf/db/local.d/locks/privacy'
+ dest: '/etc/dconf/db/local.d/locks/privacy'
+ mode: '0644'
+ - name: copy dconf file 3
+ ansible.builtin.copy:
+ src: '../qubes-config/etc/dconf/db/local.d/adw-gtk3-dark'
+ dest: '/etc/dconf/db/local.d/adw-gtk3-dark'
+ mode: '0644'
+ - name: copy dconf file 4
+ ansible.builtin.copy:
+ src: '../qubes-config/etc/dconf/db/local.d/automount-disable'
+ dest: '/etc/dconf/db/local.d/automount-disable'
+ mode: '0644'
+ - name: copy dconf file 5
+ ansible.builtin.copy:
+ src: '../qubes-config/etc/dconf/db/local.d/prefer-dark'
+ dest: '/etc/dconf/db/local.d/prefer-dark'
+ mode: '0644'
+ - name: copy dconf file 6
+ ansible.builtin.copy:
+ src: '../qubes-config/etc/dconf/db/local.d/privacy'
+ dest: '/etc/dconf/db/local.d/privacy'
+ mode: '0644'
+ - name: Update dconf
+ shell: sudo dconf update
+
+ - name: Setup ZRAM
+ ansible.builtin.copy:
+ src: '../qubes-config/etc/systemd/zram-generator.conf'
+ dest: '/etc/systemd/zram-generator.conf'
+ mode: '0600'
+
+
+ - name: Flatpak update service
+ ansible.builtin.copy:
+ src: '../qubes-config/etc/systemd/user/update-user-flatpaks.service'
+ dest: '/etc/systemd/user/update-user-flatpaks.service'
+ mode: '0600'
+ - name: Flatpak update timer
+ ansible.builtin.copy:
+ src: '../qubes-config/etc/systemd/user/update-user-flatpaks.timer'
+ dest: '/etc/systemd/user/update-user-flatpaks.timer'
+ mode: '0600'
+
+ - name: Set environment variables to disable GJS, WebkitGTK JIT, as well as fix GNOME env variable
+ ansible.builtin.copy:
+ src: '../qubes-config/etc/environment'
+ dest: '/etc/environment'
+ mode: '0600'
+
+ - name: Mark packages as manually installed to avoid removal
+ shell: 'sudo dnf mark install flatpak gnome-menus qubes-menus'
+
+ - name: Remove unwanted groups as well as unnecessary stuff from the template
+ ansible.builtin.dnf:
+ name:
+ - '@Container Management'
+ - '@Desktop Accessibility'
+ - '@Firefox Web Browser'
+ - 'gnome-software'
+ - 'httpd'
+ - 'keepassxc'
+ - 'thunderbird'
+ - 'fedora-bookmarks'
+ - 'fedora-chromium-config'
+ - 'firefox'
+ - 'mozilla-filesystem'
+ - 'avahi'
+ - 'cifs*'
+ - '*cups'
+ - 'dmidecode'
+ - 'dnsmasq'
+ - 'geolite2*'
+ - 'mtr'
+ - 'net-snmp-libs'
+ - 'net-tools'
+ - 'nfs-utils'
+ - 'nmap-ncat'
+ - 'opensc'
+ - 'openssh-server'
+ - 'rsync'
+ - 'rygel'
+ - 'sgpio'
+ - 'tcpdump'
+ - 'teamd'
+ - 'traceroute'
+ - 'usb_modeswitch'
+ - '*anthy*'
+ - '*hangul*'
+ - 'ibus-typing-booster'
+ - '*m17n*'
+ - '*pinyin*'
+ - '*speech*'
+ - 'texlive-libs'
+ - ' words'
+ - '*zhuyin*'
+ - 'openh264'
+ - 'ImageMagick*'
+ - 'sane*'
+ - 'simple-scan'
+ - 'sssd*'
+ - 'realmd'
+ - 'cyrus-sasl-gssapi'
+ - 'quota*'
+ - 'dos2unix'
+ - 'kpartx'
+ - 'sos'
+ - 'samba-client'
+ - 'gvfs-smb'
+ - 'NetworkManager-pptp-gnome'
+ - 'NetworkManager-ssh-gnome'
+ - 'NetworkManager-openconnect-gnome'
+ - 'NetworkManager-openvpn-gnome'
+ - 'NetworkManager-vpnc-gnome'
+ - 'ppp*'
+ - 'ModemManager'
+ - 'baobab'
+ - 'chrome-gnome-shell'
+ - 'eog'
+ - 'gnome-boxes'
+ - 'gnome-calculator'
+ - 'gnome-calendar'
+ - 'gnome-characters'
+ - 'gnome-classic*'
+ - 'gnome-clocks'
+ - 'gnome-color-manager'
+ - 'gnome-connections'
+ - 'gnome-contacts'
+ - 'gnome-disk-utility'
+ - 'gnome-font-viewer'
+ - 'gnome-logs'
+ - 'gnome-maps'
+ - 'gnome-photos'
+ - 'gnome-remote-desktop'
+ - 'gnome-screenshot'
+ - 'gnome-shell-extension-apps-menu'
+ - 'gnome-shell-extension-background-logo'
+ - 'gnome-shell-extension-launch-new-instance'
+ - 'gnome-shell-extension-places-menu'
+ - 'gnome-shell-extension-window-list'
+ - 'gnome-text-editor'
+ - 'gnome-themes-extra'
+ - 'gnome-tour'
+ - 'gnome-user*'
+ - 
'gnome-weather' + - 'loupe' + - 'snapshot' + - 'totem' + - 'abrt*' + - 'cheese' + - 'evince' + - 'file-roller*' + - 'libreoffice*' + - 'mediawriter' + - 'rhythmbox' + - 'yelp' + - 'lvm2' + - 'rng-tools' + - 'thermald' + - '*perl*' + + + state: 'absent' + autoremove: true + + - name: Disable openh264 repo (y tho?) + community.general.dnf_config_manager: + name: 'fedora-cisco-openh264' + state: disabled + + - name: Install custom packages + ansible.builtin.dnf: + name: + - 'qubes-ctap' + - 'qubes-gpg-split' + - 'adw-gtk3-theme' + - 'ncurses' + - 'gnome-shell' + - 'ptyxis' + state: 'present' + - Enable hardened_malloc COPR + community.general.copr: + name: 'secureblue/hardened_malloc' + state: 'enabled' + - name: Install hardened_malloc + ansible.builtin.dnf: + name: 'hardened_malloc' + state: 'present' + + - name: Enable hardened_malloc + ansible.builtin.copy: + src: '../qubes-config/etc/ld.so.preload' + dest: '/etc/ld.so.preload' + mode: '0644' + - name: Enable hardened_malloc for system wide flatpak + shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so' + - name: Enable hardened_malloc for user flatpak + shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so' + - name: Setup dnf repos + ansible.builtin.copy: + src: '../qubes-config/etc/dnf/dnf.conf' + dest: '/etc/dnf/dnf.conf' + mode: '0644' + + diff --git a/tasks/golden_image.yaml b/tasks/golden_image.yaml index e9d142a..02ea3e3 100644 --- a/tasks/golden_image.yaml +++ b/tasks/golden_image.yaml @@ -26,6 +26,11 @@ - wireguard-tools - qemu-guest-agent state: latest + - name: Uninstall cockpit + ansible.builtin.dnf: + name: cockpit + state: absent + autoremove: yes - name: Enable QEMU guest agent service ansible.builtin.systemd_service: name: qemu-guest-agent diff --git a/tasks/ssh_config.yaml b/tasks/ssh_config.yaml index b4c9f13..80b4335 100644 --- a/tasks/ssh_config.yaml 
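Review bot: The list item `- Enable hardened_malloc COPR` (just before `Install hardened_malloc`) is a bare string rather than a task mapping, so Ansible rejects the whole play at parse time; it should read `- name: Enable hardened_malloc COPR` with the `community.general.copr` block nested under it. `shell: 'sysctl -p'` only reads `/etc/sysctl.conf`, so the `99-workstation.conf` copied just above it is not applied until reboot; `sysctl --system` (or `ansible.posix.sysctl`) loads `/etc/sysctl.d/`. The two coredump tasks copy `/etc/security/limits.d/30-disable-coredump.conf` and `/etc/systemd/coredump.conf.d/disable.conf` onto themselves (`src` equals `dest`, and neither is under `../qubes-config/` like every other source here), which looks like a path typo. The user units under `/etc/systemd/user/` are installed with `mode: '0600'`, which `systemd --user` running as the unprivileged user cannot read, so the flatpak update timer never fires; `'0644'` is the usual mode. Finally, `shell: umask 077` only affects the shell spawned for that task and is a no-op, and `recurse: true` with `mode: '0700'` on `/home` rewrites the mode of every file below it, not just the directories; `mode: 'u=rwX,go='` or limiting the task to the top-level home directories preserves the intent.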
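Review bot: `autoremove: yes` in the new `Uninstall cockpit` task is a YAML 1.1 boolean spelled differently from the `masked: true`/`autoremove: true` style used in `tasks/fedora-41-template.yaml` in this same commit; `autoremove: true` keeps the files consistent and avoids yamllint's truthy warning. The `state: latest` task the hunk's context lines belong to begins outside the hunk.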
+++ b/tasks/ssh_config.yaml @@ -1,21 +1,13 @@ -- name: My first play - hosts: myhosts +- name: Configure SSH + hosts: inferencehosts tasks: -# - name: Ping my hosts -# ansible.builtin.ping: -# - name: Reboot machine -# ansible.builtin.reboot: -# msg: "Rebooting machine..." -# - name: Print message -# ansible.builtin.debug: -# msg: Hello world - name: Set authorized key taken from file ansible.posix.authorized_key: - user: root - key: "{{ lookup('file', './config/id_ed25519.pub') }}" + user: joyeuse + key: "{{ lookup('file', '../config/id_ed25519.pub') }}" - name: Copy over SSHD config file ansible.builtin.copy: - src: ./config/sshd_config + src: ../config/sshd_config dest: /etc/ssh/sshd_config owner: root group: root
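Review bot: The `Copy over SSHD config file` task replaces `/etc/ssh/sshd_config` on `inferencehosts` without `validate:`, so a syntax error in `../config/sshd_config` only surfaces when sshd is restarted, at which point the host may be unreachable; add `validate: '/usr/sbin/sshd -t -f %s'` to the copy, unless it already appears in the lines after `group: root`, which the hunk does not show. The play now installs the authorized key for `joyeuse`, while the `inventory.yaml` hunk sets `ansible_user: root` for `laptop`, so the inventory and this play disagree about which account Ansible uses; pick one, and a non-root `joyeuse` with `become: true` is the safer choice. Narrowing `hosts:` from `myhosts` to `inferencehosts` also means `VPS` and the `myhosts` entries no longer receive this sshd config; if that is intentional, a comment on the play saying so would help the next reader.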