mustard/ansible-playbooks
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Working on qubes playbook

Browse source
This commit is contained in:
mustard 2024-12-22 17:55:26 +01:00
parent ae63be1df6
commit ed68d23c6c
7 changed files with 558 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

293
tasks/fedora-41-template.yaml Normal file
View file

@ -0,0 +1,293 @@
- name: Configure Fedora 41 Gnome Template
hosts: 127.0.0.1
connection: local
tasks:
- name: Kill debug-shell service
ansible.builtin.systemd_service:
name: debug-shell.service
masked: true
- name: Kill kdump service
ansible.builtin.systemd_service:
name: kdump.service
masked: true
- name: Set umask to 077
shell: umask 077
- name: Set umask to 077 in login.defs
ansible.builtin.replace:
path: /etc/login.defs
regexp: '^UMASK.*'
replace: 'UMASK 077'
- name: Set umask to 077 in logins.defs
ansible.builtin.replace:
path: /etc/login.defs
regexp: '^HOME_MODE'
replace: '#HOME_MODE'
- name: Set umask to 077 in bashrc
ansible.builtin.replace:
path: /etc/bashrc
regexp: 'umask 022'
replace: 'umask 077'
- name: Make home directory private
ansible.builtin.file:
path: /home
state: directory
recurse: true
mode: '0700'
- name: Harden SSH
ansible.builtin.copy:
src: ../qubes-config/etc/ssh/ssh_config.d/10-custom.conf
dest: /etc/ssh/ssh_config.d/10-custom.conf
mode: '0644'
- name: Kernel blacklist
ansible.builtin.copy:
src: ../qubes-config/etc/modprobe.d/workstation-blacklist.conf
dest: /etc/modprobe.d/workstation-blacklist.conf
mode: '0644'
- name: Kernel hardening
ansible.builtin.copy:
src: ../qubes-config/etc/sysctl.d/99-workstation.conf
dest: /etc/sysctl.d/99-workstation.conf
mode: '0644'
- name: Reload sysctl
shell: 'sysctl -p'
- name: Disable coredump
ansible.builtin.copy:
src: '/etc/security/limits.d/30-disable-coredump.conf'
dest: '/etc/security/limits.d/30-disable-coredump.conf'
mode: '0644'
- name: Create coredump.conf.d
ansible.builtin.file:
path: '/etc/systemd/coredump.conf.d'
state: 'directory'
mode: '0755'
- name: Copy disable.conf
ansible.builtin.copy:
src: '/etc/systemd/coredump.conf.d/disable.conf'
dest: '/etc/systemd/coredump.conf.d/disable.conf'
mode: '0644'
- name: Make locks dir for dconf
ansible.builtin.file:
path: '/etc/dconf/db/local.d/locks'
state: 'directory'
mode: '0755'
- name: copy dconf file 1
ansible.builtin.copy:
src: '../qubes-config/etc/dconf/db/local.d/locks/automount-disable'
dest: '/etc/dconf/db/local.d/locks/automount-disable'
mode: '0644'
- name: copy dconf file 2
ansible.builtin.copy:
src: '../qubes-config/etc/dconf/db/local.d/locks/privacy'
dest: '/etc/dconf/db/local.d/locks/privacy'
mode: '0644'
- name: copy dconf file 3
ansible.builtin.copy:
src: '../qubes-config/etc/dconf/db/local.d/adw-gtk3-dark'
dest: '/etc/dconf/db/local.d/adw-gtk3-dark'
mode: '0644'
- name: copy dconf file 4
ansible.builtin.copy:
src: '../qubes-config/etc/dconf/db/local.d/automount-disable'
dest: '/etc/dconf/db/local.d/automount-disable'
mode: '0644'
- name: copy dconf file 5
ansible.builtin.copy:
src: '../qubes-config/etc/dconf/db/local.d/prefer-dark'
dest: '/etc/dconf/db/local.d/prefer-dark'
mode: '0644'
- name: copy dconf file 6
ansible.builtin.copy:
src: '../qubes-config/etc/dconf/db/local.d/privacy'
dest: '/etc/dconf/db/local.d/privacy'
mode: '0644'
- name: Update dconf
shell: sudo dconf update
- name: Setup ZRAM
ansible.builtin.copy:
src: '../qubes-config/etc/systemd/zram-generator.conf'
dest: '/etc/systemd/zram-generator.conf'
mode: '0600'
- name: Flatpak update service
ansible.builtin.copy:
src: '../qubes-config/etc/systemd/user/update-user-flatpaks.service'
dest: '/etc/systemd/user/update-user-flatpaks.service'
mode: '0600'
- name: Flatpak update timer
ansible.builtin.copy:
src: '../qubes-config/etc/systemd/user/update-user-flatpaks.timer'
dest: '/etc/systemd/user/update-user-flatpaks.timer'
mode: '0600'
- name: Set environment variables to disable GJS, WebkitGTK JIT, as well as fix GNOME env variable
ansible.builtin.copy:
src: '../qubes-config/etc/environment'
dest: '/etc/environment'
mode: '0600'
- name: Mark packages as manually installed to avoid removal
shell: 'sudo dnf mark install flatpak gnome-menus qubes-menus'
- name: Remove unwanted groups as well as unnecessary stuff from the template
ansible.builtin.dnf:
name:
- '@Container Management'
- '@Desktop Accessibility'
- '@Firefox Web Browser'
- 'gnome-software'
- 'httpd'
- 'keepassxc'
- 'thunderbird'
- 'fedora-bookmarks'
- 'fedora-chromium-config'
- 'firefox'
- 'mozilla-filesystem'
- 'avahi'
- 'cifs*'
- '*cups'
- 'dmidecode'
- 'dnsmasq'
- 'geolite2*'
- 'mtr'
- 'net-snmp-libs'
- 'net-tools'
- 'nfs-utils'
- 'nmap-ncat'
- 'opensc'
- 'openssh-server'
- 'rsync'
- 'rygel'
- 'sgpio'
- 'tcpdump'
- 'teamd'
- 'traceroute'
- 'usb_modeswitch'
- '*anthy*'
- '*hangul*'
- 'ibus-typing-booster'
- '*m17n*'
- '*pinyin*'
- '*speech*'
- 'texlive-libs'
- ' words'
- '*zhuyin*'
- 'openh264'
- 'ImageMagick*'
- 'sane*'
- 'simple-scan'
- 'sssd*'
- 'realmd'
- 'cyrus-sasl-gssapi'
- 'quota*'
- 'dos2unix'
- 'kpartx'
- 'sos'
- 'samba-client'
- 'gvfs-smb'
- 'NetworkManager-pptp-gnome'
- 'NetworkManager-ssh-gnome'
- 'NetworkManager-openconnect-gnome'
- 'NetworkManager-openvpn-gnome'
- 'NetworkManager-vpnc-gnome'
- 'ppp*'
- 'ModemManager'
- 'baobab'
- 'chrome-gnome-shell'
- 'eog'
- 'gnome-boxes'
- 'gnome-calculator'
- 'gnome-calendar'
- 'gnome-characters'
- 'gnome-classic*'
- 'gnome-clocks'
- 'gnome-color-manager'
- 'gnome-connections'
- 'gnome-contacts'
- 'gnome-disk-utility'
- 'gnome-font-viewer'
- 'gnome-logs'
- 'gnome-maps'
- 'gnome-photos'
- 'gnome-remote-desktop'
- 'gnome-screenshot'
- 'gnome-shell-extension-apps-menu'
- 'gnome-shell-extension-background-logo'
- 'gnome-shell-extension-launch-new-instance'
- 'gnome-shell-extension-places-menu'
- 'gnome-shell-extension-window-list'
- 'gnome-text-editor'
- 'gnome-themes-extra'
- 'gnome-tour'
- 'gnome-user*'
- 'gnome-weather'
- 'loupe'
- 'snapshot'
- 'totem'
- 'abrt*'
- 'cheese'
- 'evince'
- 'file-roller*'
- 'libreoffice*'
- 'mediawriter'
- 'rhythmbox'
- 'yelp'
- 'lvm2'
- 'rng-tools'
- 'thermald'
- '*perl*'
state: 'absent'
autoremove: true
- name: Disable openh264 repo (y tho?)
community.general.dnf_config_manager:
name: 'fedora-cisco-openh264'
state: disabled
- name: Install custom packages
ansible.builtin.dnf:
name:
- 'qubes-ctap'
- 'qubes-gpg-split'
- 'adw-gtk3-theme'
- 'ncurses'
- 'gnome-shell'
- 'ptyxis'
state: 'present'
- Enable hardened_malloc COPR
community.general.copr:
name: 'secureblue/hardened_malloc'
state: 'enabled'
- name: Install hardened_malloc
ansible.builtin.dnf:
name: 'hardened_malloc'
state: 'present'
- name: Enable hardened_malloc
ansible.builtin.copy:
src: '../qubes-config/etc/ld.so.preload'
dest: '/etc/ld.so.preload'
mode: '0644'
- name: Enable hardened_malloc for system wide flatpak
shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
- name: Enable hardened_malloc for user flatpak
shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
- name: Setup dnf repos
ansible.builtin.copy:
src: '../qubes-config/etc/dnf/dnf.conf'
dest: '/etc/dnf/dnf.conf'
mode: '0644'

5
tasks/golden_image.yaml
View file

@ -26,6 +26,11 @@
- wireguard-tools
- qemu-guest-agent
state: latest
- name: Uninstall cockpit
ansible.builtin.dnf:
name: cockpit
state: absent
autoremove: yes
- name: Enable QEMU guest agent service
ansible.builtin.systemd_service:
name: qemu-guest-agent

18
tasks/ssh_config.yaml
View file

@ -1,21 +1,13 @@
- name: My first play
hosts: myhosts
- name: Configure SSH
hosts: inferencehosts
tasks:
# - name: Ping my hosts
# ansible.builtin.ping:
# - name: Reboot machine
# ansible.builtin.reboot:
# msg: "Rebooting machine..."
# - name: Print message
# ansible.builtin.debug:
# msg: Hello world
- name: Set authorized key taken from file
ansible.posix.authorized_key:
user: root
key: "{{ lookup('file', './config/id_ed25519.pub') }}"
user: joyeuse
key: "{{ lookup('file', '../config/id_ed25519.pub') }}"
- name: Copy over SSHD config file
ansible.builtin.copy:
src: ./config/sshd_config
src: ../config/sshd_config
dest: /etc/ssh/sshd_config
owner: root
group: root