Working on qubes playbook
							parent
							
								
									ae63be1df6
								
							
						
					
					
						commit
						ed68d23c6c
					
				
					 7 changed files with 558 additions and 13 deletions
				
			
		|  | @ -3,3 +3,23 @@ myhosts: | |||
|     golden-image: | ||||
|       ansible_host: 10.0.1.11 | ||||
|       ansible_user: root | ||||
|     forgejo: | ||||
|       ansible_host: 10.0.1.5 | ||||
|       ansible_user: root | ||||
|     office: | ||||
|       ansible_host: 10.0.1.3 | ||||
|       ansible_user: root | ||||
|     synapse: | ||||
|       ansible_host: 10.0.1.2 | ||||
|       ansible_user: root | ||||
| remotehosts: | ||||
|   hosts: | ||||
|     VPS: | ||||
|       ansible_host: 31.220.42.40 | ||||
|       ansible_user: root | ||||
| 
 | ||||
| inferencehosts: | ||||
|   hosts: | ||||
|     laptop: | ||||
|       ansible_host: 10.20.40.2 | ||||
|       ansible_user: root | ||||
|  |  | |||
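Review bot: Every host added in this hunk (forgejo, office, synapse, VPS, laptop) sets `ansible_user: root`, so every play runs as root over SSH with no `become` step and no per-user audit trail on the target; prefer a dedicated unprivileged account plus `become: true` in the plays, which would also line up with the `joyeuse` account the commit installs an authorized key for elsewhere. The `VPS` entry commits a public address to the repository; if that is not intended, keep it in host_vars or an encrypted vault rather than the inventory file. The enclosing `myhosts` group starts before the hunk.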
							
								
								
									
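--- a/qubes-config/etc/modprobe.d/workstation-blacklist.conf
+++ b/qubes-config/etc/modprobe.d/workstation-blacklist.conf
@@ -0,0 +1,114 @@
+# unused network protocols
+install dccp /bin/false
+install sctp /bin/false
+install rds /bin/false
+install tipc /bin/false
+install n-hdlc /bin/false
+install ax25 /bin/false
+install netrom /bin/false
+install x25 /bin/false
+install rose /bin/false
+install decnet /bin/false
+install econet /bin/false
+install af_802154 /bin/false
+install ipx /bin/false
+install appletalk /bin/false
+install psnap /bin/false
+install p8023 /bin/false
+install p8022 /bin/false
+install can /bin/false
+install atm /bin/false
+
+# firewire and thunderbolt
+install firewire-core /bin/false
+install firewire_core /bin/false
+install firewire-ohci /bin/false
+install firewire_ohci /bin/false
+install firewire_sbp2 /bin/false
+install firewire-sbp2 /bin/false
+install firewire-net /bin/false
+install thunderbolt /bin/false
+install ohci1394 /bin/false
+install sbp2 /bin/false
+install dv1394 /bin/false
+install raw1394 /bin/false
+install video1394 /bin/false
+
+# unused filesystems
+install cramfs /bin/false
+install freevxfs /bin/false
+install jffs2 /bin/false
+install hfs /bin/false
+install hfsplus /bin/false
+install squashfs /bin/false
+install udf /bin/false
+install cifs /bin/false
+install nfs /bin/false
+install nfsv3 /bin/false
+install nfsv4 /bin/false
+install ksmbd /bin/false
+install gfs2 /bin/false
+install reiserfs /bin/false
+install kafs /bin/false
+install orangefs /bin/false
+install 9p /bin/false
+install adfs /bin/false
+install affs /bin/false
+install afs /bin/false
+install befs /bin/false
+install ceph /bin/false
+install coda /bin/false
+install ecryptfs /bin/false
+install erofs /bin/false
+install jfs /bin/false
+install minix /bin/false
+install netfs /bin/false
+install nilfs2 /bin/false
+install ocfs2 /bin/false
+install romfs /bin/false
+install ubifs /bin/false
+install zonefs /bin/false
+install sysv /bin/false
+install ufs /bin/false
+
+# disable vivid
+install vivid /bin/false
+
+# disable GNSS
+install gnss /bin/false
+install gnss-mtk /bin/false
+install gnss-serial /bin/false
+install gnss-sirf /bin/false
+install gnss-usb /bin/false
+install gnss-ubx /bin/false
+
+# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
+install bluetooth /bin/false
+install btusb /bin/false
+
+# blacklist ath_pci
+blacklist ath_pci
+
+# blacklist cdrom
+blacklist cdrom
+blacklist sr_mod
+
+# blacklist framebuffer drivers
+# source, ubuntu: https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf
+blacklist cyber2000fb
+blacklist cyblafb
+blacklist gx1fb
+blacklist hgafb
+blacklist kyrofb
+blacklist lxfb
+blacklist matroxfb_base
+blacklist neofb
+blacklist nvidiafb
+blacklist pm2fb
+blacklist s1d13xxxfb
+blacklist sisfb
+blacklist tdfxfb
+blacklist vesafb
+blacklist vfb
+blacklist vt8623fb
+blacklist udlfb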
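Review bot: The `blacklist` entries at the end of the file (`ath_pci`, `cdrom`, `sr_mod` and the framebuffer drivers) only suppress alias-based autoloading; the module can still be pulled in as a dependency or by an explicit `modprobe`, unlike the `install … /bin/false` entries above them. If the intent for the cdrom/sr_mod pair is the same as for the rest of the file, write `install cdrom /bin/false` and `install sr_mod /bin/false` and reserve `blacklist` for the framebuffer list, where only autoload suppression is wanted. Both directives act only on loadable modules, so anything the Qubes-supplied VM kernel builds in is unaffected; a one-line header such as `# install/blacklist only affect loadable modules; built-in code is not covered` would stop readers assuming this file is the whole story.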
							
								
								
									
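--- a/qubes-config/etc/ssh/ssh_config.d/10-custom.conf
+++ b/qubes-config/etc/ssh/ssh_config.d/10-custom.conf
@@ -0,0 +1,2 @@
+GSSAPIAuthentication no
+VerifyHostKeyDNS yes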
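Review bot: `VerifyHostKeyDNS yes` lets ssh accept an unknown host key without a prompt whenever a matching SSHFP record comes back flagged as DNSSEC-validated, which turns first-contact host-key trust into trust in the VM's resolver path. In a Qubes AppVM there is normally no local validating resolver, so today this mostly degrades to the usual prompt, but the safer setting that still shows a DNS match is `VerifyHostKeyDNS ask`. Worth a comment on that line recording the choice, e.g. `# ask, not yes: an SSHFP record alone should never add a key to known_hosts`.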
							
								
								
									
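--- a/qubes-config/etc/sysctl.d/99-workstation.conf
+++ b/qubes-config/etc/sysctl.d/99-workstation.conf
@@ -0,0 +1,119 @@
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+dev.tty.ldisc_autoload = 0
+
+# https://access.redhat.com/solutions/1985633
+# Seems dangerous.
+# Roseta need this though, so if you use it change it to 1.
+fs.binfmt_misc.status = 0
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
+# Enable fs.protected sysctls.
+fs.protected_regular = 2
+fs.protected_fifos = 2
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
+# Disable coredumps.
+# For additional safety, disable coredumps using ulimit and systemd too.
+kernel.core_pattern=|/bin/false
+fs.suid_dumpable = 0
+
+# Restrict dmesg to CAP_SYS_LOG.
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+kernel.dmesg_restrict = 1
+
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
+# Restrict access to /proc.
+kernel.kptr_restrict = 2
+
+# Not needed, I don't do livepatching and reboot regularly.
+# On a workstation, this shouldn't be used at all. Don't live patch, just reboot.
+kernel.kexec_load_disabled = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Basically, restrict eBPF to CAP_BPF.
+kernel.unprivileged_bpf_disabled = 1
+net.core.bpf_jit_harden = 2
+
+# Needed for Flatpak and Bubblewrap.
+kernel.unprivileged_userns_clone = 1
+
+# Disable ptrace. Not needed on workstations.
+kernel.yama.ptrace_scope = 3
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Restrict performance events from unprivileged users as much as possible.
+# We are using 4 here, since Ubuntu supports such a level.
+# Official Linux kernel documentation only says >= so it probably will work.
+kernel.perf_event_paranoid = 4
+
+# Disable io_uring
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
+# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
+# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
+# on a Proxmox node.
+kernel.io_uring_disabled = 2
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Disable sysrq.
+kernel.sysrq = 0
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
+# Not running a router here, so no redirects.
+net.ipv4.conf.*.send_redirects = 0
+net.ipv4.conf.*.accept_redirects = 0
+net.ipv6.conf.*.accept_redirects = 0
+
+# Check if the source of the IP address is reachable through the same interface it came in
+# Basic IP spoofing mitigation.
+net.ipv4.conf.*.rp_filter = 1
+
+# Do not respond to ICMP.
+net.ipv4.icmp_echo_ignore_all = 1
+net.ipv6.icmp.echo_ignore_all = 1
+
+# Ignore Bogus ICMP responses.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Enable IP Forwarding.
+# Needed for VM networking and whatnot.
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
+# Ignore bogus icmp response.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Protection against time-wait assasination attacks.
+net.ipv4.tcp_rfc1337 = 1
+
+# Enable SYN cookies.
+# Basic SYN flood mitigation.
+net.ipv4.tcp_syncookies = 1 
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Make sure TCP timestamp is enabled.
+net.ipv4.tcp_timestamps = 1
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Disable TCP SACK.
+# We have good networking :)
+net.ipv4.tcp_sack = 0
+
+# No SACK, therefore no Duplicated SACK.
+net.ipv4.tcp_dsack = 0
+
+# Improve ALSR effectiveness for mmap.
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Restrict userfaultfd to CAP_SYS_PTRACE.
+# https://bugs.archlinux.org/task/62780
+# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
+# probably not used in the real world at all.
+vm.unprivileged_userfaultfd = 0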
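Review bot: The redirect and `rp_filter` keys use the `net.ipv4.conf.*.` interface glob, which a loader expands only against the interfaces present at the moment it runs (systemd re-applies per new interface via its udev rule, procps `sysctl` does not), so a tunnel or veth created later can come up with the kernel's `default` values; the portable form is `net.ipv4.conf.all.rp_filter = 1` plus `net.ipv4.conf.default.rp_filter = 1`, and the same `all`/`default` pair for the three redirect keys. `net.ipv4.ip_forward = 1` and `net.ipv6.conf.all.forwarding = 1` contradict the comment a few lines up ("Not running a router here") and make every AppVM built from this template a router, with IPv6 forwarding additionally disabling router-advertisement acceptance; unless this template backs sys-net/sys-firewall, both should be 0. `net.ipv4.icmp_ignore_bogus_error_responses` appears twice (harmless, but drop one), and `kernel.unprivileged_userns_clone` is a Debian-patch sysctl that does not exist on a Fedora kernel, so `sysctl --system` will log an error for that line on the target this playbook is written for.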
							
								
								
									
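--- a/tasks/fedora-41-template.yaml
+++ b/tasks/fedora-41-template.yaml
@@ -0,0 +1,293 @@
+- name: Configure Fedora 41 Gnome Template
+  hosts: 127.0.0.1
+  connection: local
+  tasks:
+   - name: Kill debug-shell service
+     ansible.builtin.systemd_service:
+       name: debug-shell.service
+       masked: true
+   - name: Kill kdump service
+     ansible.builtin.systemd_service:
+       name: kdump.service
+       masked: true
+
+   - name: Set umask to 077
+     shell: umask 077
+   - name: Set umask to 077 in login.defs
+     ansible.builtin.replace:
+      path: /etc/login.defs
+      regexp: '^UMASK.*'
+      replace: 'UMASK 077'
+
+   - name: Set umask to 077 in logins.defs
+     ansible.builtin.replace:
+      path: /etc/login.defs
+      regexp: '^HOME_MODE'
+      replace: '#HOME_MODE'
+
+   - name: Set umask to 077 in bashrc
+     ansible.builtin.replace:
+       path: /etc/bashrc
+       regexp: 'umask 022'
+       replace: 'umask 077'
+
+   - name: Make home directory private
+     ansible.builtin.file:
+       path: /home
+       state: directory
+       recurse: true
+       mode: '0700'
+
+   - name: Harden SSH
+     ansible.builtin.copy:
+       src: ../qubes-config/etc/ssh/ssh_config.d/10-custom.conf
+       dest: /etc/ssh/ssh_config.d/10-custom.conf
+       mode: '0644'
+
+   - name: Kernel blacklist
+     ansible.builtin.copy:
+       src: ../qubes-config/etc/modprobe.d/workstation-blacklist.conf
+       dest: /etc/modprobe.d/workstation-blacklist.conf
+       mode: '0644'
+
+   - name: Kernel hardening
+     ansible.builtin.copy:
+       src: ../qubes-config/etc/sysctl.d/99-workstation.conf
+       dest: /etc/sysctl.d/99-workstation.conf
+       mode: '0644'
+
+   - name: Reload sysctl
+     shell: 'sysctl -p'
+
+   - name: Disable coredump
+     ansible.builtin.copy:
+       src: '/etc/security/limits.d/30-disable-coredump.conf'
+       dest: '/etc/security/limits.d/30-disable-coredump.conf'
+       mode: '0644'
+   - name: Create coredump.conf.d  
+     ansible.builtin.file:
+       path: '/etc/systemd/coredump.conf.d'
+       state: 'directory'
+       mode: '0755'
+   - name: Copy disable.conf
+     ansible.builtin.copy:
+       src: '/etc/systemd/coredump.conf.d/disable.conf'
+       dest: '/etc/systemd/coredump.conf.d/disable.conf'
+       mode: '0644'
+   - name: Make locks dir for dconf
+     ansible.builtin.file:
+       path: '/etc/dconf/db/local.d/locks'
+       state: 'directory'
+       mode: '0755'
+   - name: copy dconf file 1
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/dconf/db/local.d/locks/automount-disable'
+       dest: '/etc/dconf/db/local.d/locks/automount-disable'
+       mode: '0644'
+   - name: copy dconf file 2
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/dconf/db/local.d/locks/privacy'
+       dest: '/etc/dconf/db/local.d/locks/privacy'
+       mode: '0644'
+   - name: copy dconf file 3
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/dconf/db/local.d/adw-gtk3-dark'
+       dest: '/etc/dconf/db/local.d/adw-gtk3-dark'
+       mode: '0644'
+   - name: copy dconf file 4
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/dconf/db/local.d/automount-disable'
+       dest: '/etc/dconf/db/local.d/automount-disable'
+       mode: '0644'
+   - name: copy dconf file 5
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/dconf/db/local.d/prefer-dark'
+       dest: '/etc/dconf/db/local.d/prefer-dark'
+       mode: '0644'
+   - name: copy dconf file 6
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/dconf/db/local.d/privacy'
+       dest: '/etc/dconf/db/local.d/privacy'
+       mode: '0644'
+   - name: Update dconf
+     shell: sudo dconf update
+
+   - name: Setup ZRAM
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/systemd/zram-generator.conf'
+       dest: '/etc/systemd/zram-generator.conf'
+       mode: '0600'
+
+
+   - name: Flatpak update service
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/systemd/user/update-user-flatpaks.service'
+       dest: '/etc/systemd/user/update-user-flatpaks.service'
+       mode: '0600'
+   - name: Flatpak update timer
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/systemd/user/update-user-flatpaks.timer'
+       dest: '/etc/systemd/user/update-user-flatpaks.timer'
+       mode: '0600'
+
+   - name: Set environment variables to disable GJS, WebkitGTK JIT, as well as fix GNOME env variable
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/environment'
+       dest: '/etc/environment'
+       mode: '0600'
+
+   - name: Mark packages as manually installed to avoid removal
+     shell: 'sudo dnf mark install flatpak gnome-menus qubes-menus'
+
+   - name: Remove unwanted groups as well as unnecessary stuff from the template
+     ansible.builtin.dnf:
+       name:
+         - '@Container Management'
+         - '@Desktop Accessibility'
+         - '@Firefox Web Browser'
+         - 'gnome-software'
+         - 'httpd'
+         - 'keepassxc'
+         - 'thunderbird'
+         - 'fedora-bookmarks'
+         - 'fedora-chromium-config'
+         - 'firefox'
+         - 'mozilla-filesystem'
+         - 'avahi'
+         - 'cifs*'
+         - '*cups'
+         - 'dmidecode'
+         - 'dnsmasq'
+         - 'geolite2*'
+         - 'mtr'
+         - 'net-snmp-libs'
+         - 'net-tools'
+         - 'nfs-utils'
+         - 'nmap-ncat'
+         - 'opensc'
+         - 'openssh-server'
+         - 'rsync'
+         - 'rygel'
+         - 'sgpio'
+         - 'tcpdump'
+         - 'teamd'
+         - 'traceroute'
+         - 'usb_modeswitch'
+         -  '*anthy*'
+         - '*hangul*'
+         - 'ibus-typing-booster'
+         - '*m17n*'
+         - '*pinyin*'
+         - '*speech*'
+         - 'texlive-libs'
+         - ' words'
+         - '*zhuyin*'
+         - 'openh264'
+         - 'ImageMagick*'
+         - 'sane*'
+         - 'simple-scan'
+         -  'sssd*'
+         - 'realmd'
+         - 'cyrus-sasl-gssapi'
+         - 'quota*'
+         - 'dos2unix'
+         - 'kpartx'
+         - 'sos'
+         - 'samba-client'
+         - 'gvfs-smb'
+         - 'NetworkManager-pptp-gnome'
+         - 'NetworkManager-ssh-gnome'
+         - 'NetworkManager-openconnect-gnome'
+         - 'NetworkManager-openvpn-gnome'
+         - 'NetworkManager-vpnc-gnome'
+         - 'ppp*'
+         - 'ModemManager'
+         - 'baobab'
+         - 'chrome-gnome-shell'
+         - 'eog'
+         - 'gnome-boxes'
+         - 'gnome-calculator'
+         - 'gnome-calendar'
+         - 'gnome-characters'
+         - 'gnome-classic*'
+         - 'gnome-clocks'
+         - 'gnome-color-manager'
+         - 'gnome-connections'
+         - 'gnome-contacts'
+         - 'gnome-disk-utility'
+         - 'gnome-font-viewer'
+         - 'gnome-logs'
+         - 'gnome-maps'
+         - 'gnome-photos'
+         - 'gnome-remote-desktop'
+         - 'gnome-screenshot'
+         - 'gnome-shell-extension-apps-menu'
+         - 'gnome-shell-extension-background-logo'
+         - 'gnome-shell-extension-launch-new-instance'
+         - 'gnome-shell-extension-places-menu'
+         - 'gnome-shell-extension-window-list'
+         - 'gnome-text-editor'
+         - 'gnome-themes-extra'
+         - 'gnome-tour'
+         - 'gnome-user*'
+         - 'gnome-weather'
+         - 'loupe'
+         - 'snapshot'
+         - 'totem'
+         - 'abrt*'
+         - 'cheese'
+         - 'evince'
+         - 'file-roller*'
+         - 'libreoffice*'
+         - 'mediawriter'
+         - 'rhythmbox'
+         - 'yelp'
+         - 'lvm2'
+         - 'rng-tools'
+         - 'thermald'
+         - '*perl*'
+
+
+       state: 'absent'
+       autoremove: true
+
+   - name: Disable openh264 repo (y tho?)
+     community.general.dnf_config_manager:
+     name: 'fedora-cisco-openh264'
+     state: disabled
+
+   - name: Install custom packages
+     ansible.builtin.dnf:
+     name:
+       - 'qubes-ctap'
+       - 'qubes-gpg-split'
+       - 'adw-gtk3-theme'
+       - 'ncurses'
+       - 'gnome-shell'
+       - 'ptyxis'
+     state: 'present'
+   - Enable hardened_malloc COPR
+     community.general.copr:
+       name: 'secureblue/hardened_malloc'
+       state: 'enabled'
+   - name: Install hardened_malloc
+     ansible.builtin.dnf:
+     name: 'hardened_malloc'
+     state: 'present'
+
+   - name: Enable hardened_malloc
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/ld.so.preload'
+       dest: '/etc/ld.so.preload'
+       mode: '0644'
+   - name: Enable hardened_malloc for system wide flatpak
+     shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
+   - name: Enable hardened_malloc for user flatpak
+     shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
+   - name: Setup dnf repos
+     ansible.builtin.copy:
+       src: '../qubes-config/etc/dnf/dnf.conf'
+       dest: '/etc/dnf/dnf.conf'
+       mode: '0644'
+
+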
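Review bot: The play cannot load as written: the item `- Enable hardened_malloc COPR` is a bare string with a more-indented mapping under it (a YAML parse error, and it lacks `name:`), and in the `Disable openh264 repo`, `Install custom packages` and `Install hardened_malloc` tasks the `name:`/`state:` keys sit at task level instead of under the module, so `state` is rejected as a task attribute once the YAML is fixed. The `Disable coredump` and `Copy disable.conf` tasks use the destination path as `src`, so on this `connection: local` play they either fail or copy a file onto itself and the repository's coredump settings are never applied; they should read from `../qubes-config/...` like the other copies. `shell: 'sysctl -p'` loads only /etc/sysctl.conf, not the `99-workstation.conf` just placed in /etc/sysctl.d, so it should be `sysctl --system`, and `shell: umask 077` is a no-op in its own subshell and can be dropped. `mode: '0700'` with `recurse: true` on /home also grants execute on every regular file; `mode: 'u=rwX,go='` keeps files at 0600 and directories at 0700.
```yaml
   - name: Make home directory private
     ansible.builtin.file:
       path: /home
       state: directory
       recurse: true
       mode: 'u=rwX,go='
   # … unchanged: SSH / modprobe / sysctl copies …
   - name: Reload sysctl
     shell: 'sysctl --system'

   - name: Disable coredump
     ansible.builtin.copy:
       src: '../qubes-config/etc/security/limits.d/30-disable-coredump.conf'
       dest: '/etc/security/limits.d/30-disable-coredump.conf'
       mode: '0644'
   # … unchanged: Create coredump.conf.d …
   - name: Copy disable.conf
     ansible.builtin.copy:
       src: '../qubes-config/etc/systemd/coredump.conf.d/disable.conf'
       dest: '/etc/systemd/coredump.conf.d/disable.conf'
       mode: '0644'
   # … unchanged: dconf, zram, flatpak, environment, package removal …
   - name: Disable openh264 repo (y tho?)
     community.general.dnf_config_manager:
       name: 'fedora-cisco-openh264'
       state: disabled

   - name: Install custom packages
     ansible.builtin.dnf:
       name:
         - 'qubes-ctap'
         - 'qubes-gpg-split'
         - 'adw-gtk3-theme'
         - 'ncurses'
         - 'gnome-shell'
         - 'ptyxis'
       state: 'present'
   - name: Enable hardened_malloc COPR
     community.general.copr:
       name: 'secureblue/hardened_malloc'
       state: 'enabled'
   - name: Install hardened_malloc
     ansible.builtin.dnf:
       name: 'hardened_malloc'
       state: 'present'
   # … unchanged: ld.so.preload, flatpak overrides, dnf.conf …
```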
|  | @ -26,6 +26,11 @@ | |||
|          - wireguard-tools | ||||
|          - qemu-guest-agent | ||||
|        state: latest | ||||
|    - name: Uninstall cockpit | ||||
|      ansible.builtin.dnf: | ||||
|        name: cockpit | ||||
|        state: absent | ||||
|        autoremove: yes | ||||
|    - name: Enable QEMU guest agent service | ||||
|      ansible.builtin.systemd_service: | ||||
|        name: qemu-guest-agent | ||||
|  |  | |||
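Review bot: `autoremove: yes` on the new `Uninstall cockpit` task relies on YAML 1.1 truthy parsing; Ansible accepts it, but yamllint's `truthy` rule flags it and the rest of this commit's playbooks write `true`, so use `autoremove: true`. Removing cockpit from a template that also keeps `qemu-guest-agent` is a reasonable attack-surface reduction; a short comment such as `# cockpit exposes a web console on 9090; not wanted on this image` would record why. The enclosing play starts before the hunk.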
|  | @ -1,21 +1,13 @@ | |||
| - name: My first play | ||||
|   hosts: myhosts | ||||
| - name: Configure SSH | ||||
|   hosts: inferencehosts | ||||
|   tasks: | ||||
| #   - name: Ping my hosts | ||||
| #     ansible.builtin.ping: | ||||
| #   - name: Reboot machine | ||||
| #     ansible.builtin.reboot: | ||||
| #       msg: "Rebooting machine..." | ||||
| #   - name: Print message | ||||
| #     ansible.builtin.debug: | ||||
| #       msg: Hello world | ||||
|    - name: Set authorized key taken from file | ||||
|      ansible.posix.authorized_key: | ||||
|        user: root | ||||
|        key: "{{  lookup('file', './config/id_ed25519.pub')  }}" | ||||
|        user: joyeuse | ||||
|        key: "{{  lookup('file', '../config/id_ed25519.pub')  }}" | ||||
|    - name: Copy over SSHD config file | ||||
|      ansible.builtin.copy: | ||||
|        src: ./config/sshd_config | ||||
|        src: ../config/sshd_config | ||||
|        dest: /etc/ssh/sshd_config | ||||
|        owner: root | ||||
|        group: root | ||||
|  |  | |||
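Review bot: The `Copy over SSHD config file` task has no `validate` and nothing reloads sshd afterwards, so a mistake in `../config/sshd_config` is only discovered at the next sshd restart, possibly after the root login the play itself depends on has been disabled; add `validate: '/usr/sbin/sshd -t -f %s'` to the copy and a `notify` for a handler that reloads `sshd`. The authorized key is now installed for `joyeuse`, while the inventory in this commit presumably still connects to `inferencehosts` as root, so either confirm the new sshd_config keeps root login allowed or switch `ansible_user` to `joyeuse` with `become: true` before this play is re-run. The copy task may continue past the hunk.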
	 mustard
						mustard