Working on qubes playbook

inventory.yaml

@@ -3,3 +3,23 @@ myhosts:
     golden-image:
       ansible_host: 10.0.1.11
       ansible_user: root
+    forgejo:
+      ansible_host: 10.0.1.5
+      ansible_user: root
+    office:
+      ansible_host: 10.0.1.3
+      ansible_user: root
+    synapse:
+      ansible_host: 10.0.1.2
+      ansible_user: root
+remotehosts:
+  hosts:
+    VPS:
+      ansible_host: 31.220.42.40
+      ansible_user: root
+
+inferencehosts:
+  hosts:
+    laptop:
+      ansible_host: 10.20.40.2
+      ansible_user: root

qubes-config/etc/modprobe.d/workstation-blacklist.conf

@@ -0,0 +1,114 @@
+# unused network protocols
+install dccp /bin/false
+install sctp /bin/false
+install rds /bin/false
+install tipc /bin/false
+install n-hdlc /bin/false
+install ax25 /bin/false
+install netrom /bin/false
+install x25 /bin/false
+install rose /bin/false
+install decnet /bin/false
+install econet /bin/false
+install af_802154 /bin/false
+install ipx /bin/false
+install appletalk /bin/false
+install psnap /bin/false
+install p8023 /bin/false
+install p8022 /bin/false
+install can /bin/false
+install atm /bin/false
+
+# firewire and thunderbolt
+install firewire-core /bin/false
+install firewire_core /bin/false
+install firewire-ohci /bin/false
+install firewire_ohci /bin/false
+install firewire_sbp2 /bin/false
+install firewire-sbp2 /bin/false
+install firewire-net /bin/false
+install thunderbolt /bin/false
+install ohci1394 /bin/false
+install sbp2 /bin/false
+install dv1394 /bin/false
+install raw1394 /bin/false
+install video1394 /bin/false
+
+# unused filesystems
+install cramfs /bin/false
+install freevxfs /bin/false
+install jffs2 /bin/false
+install hfs /bin/false
+install hfsplus /bin/false
+install squashfs /bin/false
+install udf /bin/false
+install cifs /bin/false
+install nfs /bin/false
+install nfsv3 /bin/false
+install nfsv4 /bin/false
+install ksmbd /bin/false
+install gfs2 /bin/false
+install reiserfs /bin/false
+install kafs /bin/false
+install orangefs /bin/false
+install 9p /bin/false
+install adfs /bin/false
+install affs /bin/false
+install afs /bin/false
+install befs /bin/false
+install ceph /bin/false
+install coda /bin/false
+install ecryptfs /bin/false
+install erofs /bin/false
+install jfs /bin/false
+install minix /bin/false
+install netfs /bin/false
+install nilfs2 /bin/false
+install ocfs2 /bin/false
+install romfs /bin/false
+install ubifs /bin/false
+install zonefs /bin/false
+install sysv /bin/false
+install ufs /bin/false
+
+# disable vivid
+install vivid /bin/false
+
+# disable GNSS
+install gnss /bin/false
+install gnss-mtk /bin/false
+install gnss-serial /bin/false
+install gnss-sirf /bin/false
+install gnss-usb /bin/false
+install gnss-ubx /bin/false
+
+# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
+install bluetooth /bin/false
+install btusb /bin/false
+
+# blacklist ath_pci
+blacklist ath_pci
+
+# blacklist cdrom
+blacklist cdrom
+blacklist sr_mod
+
+# blacklist framebuffer drivers
+# source, ubuntu: https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf
+blacklist cyber2000fb
+blacklist cyblafb
+blacklist gx1fb
+blacklist hgafb
+blacklist kyrofb
+blacklist lxfb
+blacklist matroxfb_base
+blacklist neofb
+blacklist nvidiafb
+blacklist pm2fb
+blacklist s1d13xxxfb
+blacklist sisfb
+blacklist tdfxfb
+blacklist vesafb
+blacklist vfb
+blacklist vt8623fb
+blacklist udlfb

qubes-config/etc/ssh/ssh_config.d/10-custom.conf

@@ -0,0 +1,2 @@
+GSSAPIAuthentication no
+VerifyHostKeyDNS yes

qubes-config/etc/sysctl.d/99-workstation.conf

@@ -0,0 +1,119 @@
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+dev.tty.ldisc_autoload = 0
+
+# https://access.redhat.com/solutions/1985633
+# Seems dangerous.
+# Roseta need this though, so if you use it change it to 1.
+fs.binfmt_misc.status = 0
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
+# Enable fs.protected sysctls.
+fs.protected_regular = 2
+fs.protected_fifos = 2
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
+# Disable coredumps.
+# For additional safety, disable coredumps using ulimit and systemd too.
+kernel.core_pattern=|/bin/false
+fs.suid_dumpable = 0
+
+# Restrict dmesg to CAP_SYS_LOG.
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+kernel.dmesg_restrict = 1
+
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
+# Restrict access to /proc.
+kernel.kptr_restrict = 2
+
+# Not needed, I don't do livepatching and reboot regularly.
+# On a workstation, this shouldn't be used at all. Don't live patch, just reboot.
+kernel.kexec_load_disabled = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Basically, restrict eBPF to CAP_BPF.
+kernel.unprivileged_bpf_disabled = 1
+net.core.bpf_jit_harden = 2
+
+# Needed for Flatpak and Bubblewrap.
+kernel.unprivileged_userns_clone = 1
+
+# Disable ptrace. Not needed on workstations.
+kernel.yama.ptrace_scope = 3
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Restrict performance events from unprivileged users as much as possible.
+# We are using 4 here, since Ubuntu supports such a level.
+# Official Linux kernel documentation only says >= so it probably will work.
+kernel.perf_event_paranoid = 4
+
+# Disable io_uring
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
+# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
+# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
+# on a Proxmox node.
+kernel.io_uring_disabled = 2
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Disable sysrq.
+kernel.sysrq = 0
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
+# Not running a router here, so no redirects.
+net.ipv4.conf.*.send_redirects = 0
+net.ipv4.conf.*.accept_redirects = 0
+net.ipv6.conf.*.accept_redirects = 0
+
+# Check if the source of the IP address is reachable through the same interface it came in
+# Basic IP spoofing mitigation.
+net.ipv4.conf.*.rp_filter = 1
+
+# Do not respond to ICMP.
+net.ipv4.icmp_echo_ignore_all = 1
+net.ipv6.icmp.echo_ignore_all = 1
+
+# Ignore Bogus ICMP responses.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Enable IP Forwarding.
+# Needed for VM networking and whatnot.
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
+# Ignore bogus icmp response.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Protection against time-wait assasination attacks.
+net.ipv4.tcp_rfc1337 = 1
+
+# Enable SYN cookies.
+# Basic SYN flood mitigation.
+net.ipv4.tcp_syncookies = 1 
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Make sure TCP timestamp is enabled.
+net.ipv4.tcp_timestamps = 1
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Disable TCP SACK.
+# We have good networking :)
+net.ipv4.tcp_sack = 0
+
+# No SACK, therefore no Duplicated SACK.
+net.ipv4.tcp_dsack = 0
+
+# Improve ALSR effectiveness for mmap.
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Restrict userfaultfd to CAP_SYS_PTRACE.
+# https://bugs.archlinux.org/task/62780
+# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
+# probably not used in the real world at all.
+vm.unprivileged_userfaultfd = 0

tasks/fedora-41-template.yaml

@@ -0,0 +1,293 @@
+- name: Configure Fedora 41 Gnome Template
+  hosts: 127.0.0.1
+  connection: local
+  tasks:
+   - name: Kill debug-shell service
+     ansible.builtin.systemd_service:
+       name: debug-shell.service
+       masked: true
+   - name: Kill kdump service
+     ansible.builtin.systemd_service:
+       name: kdump.service
+       masked: true
+
+   - name: Set umask to 077
+     shell: umask 077
+   - name: Set umask to 077 in login.defs
+     ansible.builtin.replace:
+      path: /etc/login.defs
+      regexp: '^UMASK.*'
+      replace: 'UMASK 077'
+
+   - name: Set umask to 077 in logins.defs
+     ansible.builtin.replace:
+      path: /etc/login.defs
+      regexp: '^HOME_MODE'
+      replace: '#HOME_MODE'
+
+   - name: Set umask to 077 in bashrc
+     ansible.builtin.replace:
+       path: /etc/bashrc
+       regexp: 'umask 022'
+       replace: 'umask 077'
+
+   - name: Make home directory private
+     ansible.builtin.file:
+       path: /home
+       state: directory
+       recurse: true
+       mode: '0700'
+
+   - name: Harden SSH
+     ansible.builtin.copy:
+       src: ../qubes-config/etc/ssh/ssh_config.d/10-custom.conf
+       dest: /etc/ssh/ssh_config.d/10-custom.conf
+       mode: '0644'
+
+   - name: Kernel blacklist
+     ansible.builtin.copy:
+       src: ../qubes-config/etc/modprobe.d/workstation-blacklist.conf
+       dest: /etc/modprobe.d/workstation-blacklist.conf
+       mode: '0644'
+
+   - name: Kernel hardening
+     ansible.builtin.copy:
+       src: ../qubes-config/etc/sysctl.d/99-workstation.conf
+       dest: /etc/sysctl.d/99-workstation.conf
+       mode: '0644'
+
+   - name: Reload sysctl
+     shell: 'sysctl -p'
+
+   - name: Disable coredump
+     ansible.builtin.copy:
+       src: '/etc/security/limits.d/30-disable-coredump.conf'
+       dest: '/etc/security/limits.d/30-disable-coredump.conf'
+       mode: '0644'
+   - name: Create coredump.conf.d  
+     ansible.builtin.file:
+       path: '/etc/systemd/coredump.conf.d'
+       state: 'directory'
+       mode: '0755'
+   - name: Copy disable.conf
+     ansible.builtin.copy:
+       src: '/etc/systemd/coredump.conf.d/disable.conf'
+       dest: '/etc/systemd/coredump.conf.d/disable.conf'
+       mode: '0644'
+   - name: Make locks dir for dconf
+     ansible.builtin.file:
+       path: '/etc/dconf/db/local.d/locks'
+       state: 'directory'
+       mode: '0755'
+   - name: copy dconf file 1
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/dconf/db/local.d/locks/automount-disable'
+       dest: '/etc/dconf/db/local.d/locks/automount-disable'
+       mode: '0644'
+   - name: copy dconf file 2
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/dconf/db/local.d/locks/privacy'
+       dest: '/etc/dconf/db/local.d/locks/privacy'
+       mode: '0644'
+   - name: copy dconf file 3
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/dconf/db/local.d/adw-gtk3-dark'
+       dest: '/etc/dconf/db/local.d/adw-gtk3-dark'
+       mode: '0644'
+   - name: copy dconf file 4
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/dconf/db/local.d/automount-disable'
+       dest: '/etc/dconf/db/local.d/automount-disable'
+       mode: '0644'
+   - name: copy dconf file 5
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/dconf/db/local.d/prefer-dark'
+       dest: '/etc/dconf/db/local.d/prefer-dark'
+       mode: '0644'
+   - name: copy dconf file 6
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/dconf/db/local.d/privacy'
+       dest: '/etc/dconf/db/local.d/privacy'
+       mode: '0644'
+   - name: Update dconf
+     shell: sudo dconf update
+
+   - name: Setup ZRAM
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/systemd/zram-generator.conf'
+       dest: '/etc/systemd/zram-generator.conf'
+       mode: '0600'
+
+
+   - name: Flatpak update service
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/systemd/user/update-user-flatpaks.service'
+       dest: '/etc/systemd/user/update-user-flatpaks.service'
+       mode: '0600'
+   - name: Flatpak update timer
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/systemd/user/update-user-flatpaks.timer'
+       dest: '/etc/systemd/user/update-user-flatpaks.timer'
+       mode: '0600'
+
+   - name: Set environment variables to disable GJS, WebkitGTK JIT, as well as fix GNOME env variable
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/environment'
+       dest: '/etc/environment'
+       mode: '0600'
+
+   - name: Mark packages as manually installed to avoid removal
+     shell: 'sudo dnf mark install flatpak gnome-menus qubes-menus'
+
+   - name: Remove unwanted groups as well as unnecessary stuff from the template
+     ansible.builtin.dnf:
+       name:
+         - '@Container Management'
+         - '@Desktop Accessibility'
+         - '@Firefox Web Browser'
+         - 'gnome-software'
+         - 'httpd'
+         - 'keepassxc'
+         - 'thunderbird'
+         - 'fedora-bookmarks'
+         - 'fedora-chromium-config'
+         - 'firefox'
+         - 'mozilla-filesystem'
+         - 'avahi'
+         - 'cifs*'
+         - '*cups'
+         - 'dmidecode'
+         - 'dnsmasq'
+         - 'geolite2*'
+         - 'mtr'
+         - 'net-snmp-libs'
+         - 'net-tools'
+         - 'nfs-utils'
+         - 'nmap-ncat'
+         - 'opensc'
+         - 'openssh-server'
+         - 'rsync'
+         - 'rygel'
+         - 'sgpio'
+         - 'tcpdump'
+         - 'teamd'
+         - 'traceroute'
+         - 'usb_modeswitch'
+         -  '*anthy*'
+         - '*hangul*'
+         - 'ibus-typing-booster'
+         - '*m17n*'
+         - '*pinyin*'
+         - '*speech*'
+         - 'texlive-libs'
+         - ' words'
+         - '*zhuyin*'
+         - 'openh264'
+         - 'ImageMagick*'
+         - 'sane*'
+         - 'simple-scan'
+         -  'sssd*'
+         - 'realmd'
+         - 'cyrus-sasl-gssapi'
+         - 'quota*'
+         - 'dos2unix'
+         - 'kpartx'
+         - 'sos'
+         - 'samba-client'
+         - 'gvfs-smb'
+         - 'NetworkManager-pptp-gnome'
+         - 'NetworkManager-ssh-gnome'
+         - 'NetworkManager-openconnect-gnome'
+         - 'NetworkManager-openvpn-gnome'
+         - 'NetworkManager-vpnc-gnome'
+         - 'ppp*'
+         - 'ModemManager'
+         - 'baobab'
+         - 'chrome-gnome-shell'
+         - 'eog'
+         - 'gnome-boxes'
+         - 'gnome-calculator'
+         - 'gnome-calendar'
+         - 'gnome-characters'
+         - 'gnome-classic*'
+         - 'gnome-clocks'
+         - 'gnome-color-manager'
+         - 'gnome-connections'
+         - 'gnome-contacts'
+         - 'gnome-disk-utility'
+         - 'gnome-font-viewer'
+         - 'gnome-logs'
+         - 'gnome-maps'
+         - 'gnome-photos'
+         - 'gnome-remote-desktop'
+         - 'gnome-screenshot'
+         - 'gnome-shell-extension-apps-menu'
+         - 'gnome-shell-extension-background-logo'
+         - 'gnome-shell-extension-launch-new-instance'
+         - 'gnome-shell-extension-places-menu'
+         - 'gnome-shell-extension-window-list'
+         - 'gnome-text-editor'
+         - 'gnome-themes-extra'
+         - 'gnome-tour'
+         - 'gnome-user*'
+         - 'gnome-weather'
+         - 'loupe'
+         - 'snapshot'
+         - 'totem'
+         - 'abrt*'
+         - 'cheese'
+         - 'evince'
+         - 'file-roller*'
+         - 'libreoffice*'
+         - 'mediawriter'
+         - 'rhythmbox'
+         - 'yelp'
+         - 'lvm2'
+         - 'rng-tools'
+         - 'thermald'
+         - '*perl*'
+
+
+       state: 'absent'
+       autoremove: true
+
+   - name: Disable openh264 repo (y tho?)
+     community.general.dnf_config_manager:
+     name: 'fedora-cisco-openh264'
+     state: disabled
+
+   - name: Install custom packages
+     ansible.builtin.dnf:
+     name:
+       - 'qubes-ctap'
+       - 'qubes-gpg-split'
+       - 'adw-gtk3-theme'
+       - 'ncurses'
+       - 'gnome-shell'
+       - 'ptyxis'
+     state: 'present'
+   - Enable hardened_malloc COPR
+     community.general.copr:
+       name: 'secureblue/hardened_malloc'
+       state: 'enabled'
+   - name: Install hardened_malloc
+     ansible.builtin.dnf:
+     name: 'hardened_malloc'
+     state: 'present'
+
+   - name: Enable hardened_malloc
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/ld.so.preload'
+       dest: '/etc/ld.so.preload'
+       mode: '0644'
+   - name: Enable hardened_malloc for system wide flatpak
+     shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
+   - name: Enable hardened_malloc for user flatpak
+     shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
+   - name: Setup dnf repos
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/dnf/dnf.conf'
+       dest: '/etc/dnf/dnf.conf'
+       mode: '0644'
+
+

tasks/golden_image.yaml

@@ -26,6 +26,11 @@
          - wireguard-tools
          - qemu-guest-agent
        state: latest
+   - name: Uninstall cockpit
+     ansible.builtin.dnf:
+       name: cockpit
+       state: absent
+       autoremove: yes
    - name: Enable QEMU guest agent service
      ansible.builtin.systemd_service:
        name: qemu-guest-agent

tasks/ssh_config.yaml

@@ -1,21 +1,13 @@
-- name: My first play
+- name: Configure SSH
-  hosts: myhosts
+  hosts: inferencehosts
   tasks:
-#   - name: Ping my hosts
-#     ansible.builtin.ping:
-#   - name: Reboot machine
-#     ansible.builtin.reboot:
-#       msg: "Rebooting machine..."
-#   - name: Print message
-#     ansible.builtin.debug:
-#       msg: Hello world
    - name: Set authorized key taken from file
      ansible.posix.authorized_key:
-       user: root
+       user: joyeuse
-       key: "{{  lookup('file', './config/id_ed25519.pub')  }}"
+       key: "{{  lookup('file', '../config/id_ed25519.pub')  }}"
    - name: Copy over SSHD config file
      ansible.builtin.copy:
-       src: ./config/sshd_config
+       src: ../config/sshd_config
        dest: /etc/ssh/sshd_config
        owner: root
        group: root