From daf383d981a79be1a673d22d8d0adad14c8876d6 Mon Sep 17 00:00:00 2001
From: mustard
Date: Sat, 13 Sep 2025 20:09:40 +0200
Subject: [PATCH 1/2] fix: swap out SSH key
---
 config/id_ed25519.pub | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/id_ed25519.pub b/config/id_ed25519.pub
index 460a4af..dd21536 100644
--- a/config/id_ed25519.pub
+++ b/config/id_ed25519.pub
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJITevx5+lKqH9UdQiGoe08+ld3XIWGXxQ3sa2XL4PeN user@homelab-mgmt
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArO9Yty0QuX7jZhDeL6MrZwH+6dbbcidYWWo0qawivb user@homelab-mgmt
From d01bbd1aa31bf9a410c5b6923a66c15a9705cffc Mon Sep 17 00:00:00 2001
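Review bot: Replacing the key in `config/id_ed25519.pub` does not by itself retire the key it supersedes; if a task elsewhere in the repo (not visible in this patch) installs this file into `authorized_keys`, hosts provisioned before this change keep trusting the previous `user@homelab-mgmt` key until it is explicitly removed. Pair the swap with an `ansible.posix.authorized_key` task using `state: absent` for the old key, or state in the commit message that affected hosts are reprovisioned from scratch. The subject says only "swap out SSH key"; one line on why it was swapped (routine rotation versus a private key that may have been exposed) tells a later reader whether the old key needs prompt revocation.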
From: mustard Date: Mon, 15 Sep 2025 19:06:19 +0200 Subject: [PATCH 2/2] wip: fixing baseline role --- fedora-42-gnome.yaml | 20 +- roles/baseline/defaults/main.yaml | 3 +- .../crypto-policies/back-ends/openssh.config | 8 + .../files/etc/dconf/db/local.d/adw-gtk3-dark | 2 - .../files/etc/dconf/db/local.d/prefer-dark | 2 - .../etc/modprobe.d/workstation-blacklist.conf | 4 +- roles/baseline/tasks/main.yaml | 19 +- .../etc/sysctl.d/99-workstation.conf.j2} | 7 +- roles/gnome/tasks/main.yaml | 5 +- .../custom/sudo-dom0-prompt/system-auth | 20 -- .../files/etc/dconf/db/local.d/adw-gtk3-dark | 2 - .../etc/dconf/db/local.d/automount-disable | 4 - .../dconf/db/local.d/locks/automount-disable | 3 - .../files/etc/dconf/db/local.d/locks/privacy | 14 - .../files/etc/dconf/db/local.d/prefer-dark | 2 - .../tasks/files/etc/dconf/db/local.d/privacy | 16 - .../tasks/files/etc/dnf/dnf.conf | 11 - .../tasks/files/etc/environment | 3 - .../tasks/files/etc/ld.so.preload | 1 - .../etc/modprobe.d/workstation-blacklist.conf | 114 ------- .../limits.d/30-disable-coredump.conf | 1 - .../tasks/files/etc/skel/flathub.sh | 2 - .../files/etc/ssh/ssh_config.d/10-custom.conf | 2 - .../tasks/files/etc/sudoers.d/qubes | 4 - .../files/etc/sysctl.d/99-workstation.conf | 119 -------- .../etc/systemd/coredump.conf.d/disable.conf | 2 - .../NetworkManager.service.d/99-brace.conf | 28 -- .../systemd/user/update-user-flatpaks.service | 6 - .../systemd/user/update-user-flatpaks.timer | 9 - .../files/etc/systemd/zram-generator.conf | 4 - .../files/etc/xdg-desktop-portal/portals.conf | 2 - .../defaults/preferences/userjs-arkenfox.js | 0 .../defaults/preferences/userjs-brace.js | 0 roles/qubes-f41-gnome/tasks/main.yaml | 285 ------------------ roles/qubes-f41-gnome/vars/main.yaml | 1 - .../custom/sudo-dom0-prompt/system-auth | 20 -- .../files/etc/dconf/db/local.d/adw-gtk3-dark | 2 - .../etc/dconf/db/local.d/automount-disable | 4 - .../dconf/db/local.d/locks/automount-disable | 3 - 
.../files/etc/dconf/db/local.d/locks/privacy | 14 - .../files/etc/dconf/db/local.d/prefer-dark | 2 - .../files/etc/dconf/db/local.d/privacy | 16 - roles/sudo-dom0-prompt/files/etc/dnf/dnf.conf | 11 - roles/sudo-dom0-prompt/files/etc/environment | 3 - .../sudo-dom0-prompt/files/etc/ld.so.preload | 1 - .../etc/modprobe.d/workstation-blacklist.conf | 114 ------- .../limits.d/30-disable-coredump.conf | 1 - .../files/etc/skel/flathub.sh | 2 - .../files/etc/ssh/ssh_config.d/10-custom.conf | 2 - .../files/etc/sudoers.d/qubes | 4 - .../etc/systemd/coredump.conf.d/disable.conf | 2 - .../NetworkManager.service.d/99-brace.conf | 28 -- .../systemd/user/update-user-flatpaks.service | 6 - .../systemd/user/update-user-flatpaks.timer | 9 - .../files/etc/systemd/zram-generator.conf | 4 - .../files/etc/xdg-desktop-portal/portals.conf | 2 - .../defaults/preferences/userjs-arkenfox.js | 0 .../defaults/preferences/userjs-brace.js | 0 roles/sudo-dom0-prompt/tasks/main.yaml | 49 --- roles/suid_role/tasks/main.yaml | 7 + roles/trivalent/tasks/main.yaml | 1 + 61 files changed, 58 insertions(+), 974 deletions(-) create mode 100644 roles/baseline/files/etc/crypto-policies/back-ends/openssh.config delete mode 100644 roles/baseline/files/etc/dconf/db/local.d/adw-gtk3-dark delete mode 100644 roles/baseline/files/etc/dconf/db/local.d/prefer-dark rename roles/{sudo-dom0-prompt/files/etc/sysctl.d/99-workstation.conf => baseline/templates/etc/sysctl.d/99-workstation.conf.j2} (96%) delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/authselect/custom/sudo-dom0-prompt/system-auth delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/adw-gtk3-dark delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/automount-disable delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/locks/automount-disable delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/locks/privacy delete mode 100644 
roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/prefer-dark delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/privacy delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/dnf/dnf.conf delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/environment delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/ld.so.preload delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/modprobe.d/workstation-blacklist.conf delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/security/limits.d/30-disable-coredump.conf delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/skel/flathub.sh delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/ssh/ssh_config.d/10-custom.conf delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/sudoers.d/qubes delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/sysctl.d/99-workstation.conf delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/systemd/coredump.conf.d/disable.conf delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/systemd/user/update-user-flatpaks.service delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/systemd/user/update-user-flatpaks.timer delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/systemd/zram-generator.conf delete mode 100644 roles/qubes-f41-gnome/tasks/files/etc/xdg-desktop-portal/portals.conf delete mode 100644 roles/qubes-f41-gnome/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js delete mode 100644 roles/qubes-f41-gnome/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js delete mode 100644 roles/qubes-f41-gnome/tasks/main.yaml delete mode 100644 roles/qubes-f41-gnome/vars/main.yaml delete mode 100644 roles/sudo-dom0-prompt/files/etc/authselect/custom/sudo-dom0-prompt/system-auth delete mode 100644 roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/adw-gtk3-dark delete mode 100644 
roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/automount-disable delete mode 100644 roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/automount-disable delete mode 100644 roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/privacy delete mode 100644 roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/prefer-dark delete mode 100644 roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/privacy delete mode 100644 roles/sudo-dom0-prompt/files/etc/dnf/dnf.conf delete mode 100644 roles/sudo-dom0-prompt/files/etc/environment delete mode 100644 roles/sudo-dom0-prompt/files/etc/ld.so.preload delete mode 100644 roles/sudo-dom0-prompt/files/etc/modprobe.d/workstation-blacklist.conf delete mode 100644 roles/sudo-dom0-prompt/files/etc/security/limits.d/30-disable-coredump.conf delete mode 100644 roles/sudo-dom0-prompt/files/etc/skel/flathub.sh delete mode 100644 roles/sudo-dom0-prompt/files/etc/ssh/ssh_config.d/10-custom.conf delete mode 100644 roles/sudo-dom0-prompt/files/etc/sudoers.d/qubes delete mode 100644 roles/sudo-dom0-prompt/files/etc/systemd/coredump.conf.d/disable.conf delete mode 100644 roles/sudo-dom0-prompt/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf delete mode 100644 roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.service delete mode 100644 roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.timer delete mode 100644 roles/sudo-dom0-prompt/files/etc/systemd/zram-generator.conf delete mode 100644 roles/sudo-dom0-prompt/files/etc/xdg-desktop-portal/portals.conf delete mode 100644 roles/sudo-dom0-prompt/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js delete mode 100644 roles/sudo-dom0-prompt/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js delete mode 100644 roles/sudo-dom0-prompt/tasks/main.yaml create mode 100644 roles/suid_role/tasks/main.yaml diff --git a/fedora-42-gnome.yaml b/fedora-42-gnome.yaml index 344ff68..1f65559 100644 --- a/fedora-42-gnome.yaml 
+++ b/fedora-42-gnome.yaml @@ -8,15 +8,12 @@ vars: umask_changes: true manage_network: true + allow_ptrace: false # turn off for gvisor - name: 'Gnome package stuff' ansible.builtin.include_role: name: gnome -# - name: 'Setup dom0 prompt for sudo' -# ansible.builtin.include_role: -# name: sudo-dom0-prompt - - name: 'Install trivalent' ansible.builtin.include_role: name: trivalent @@ -25,8 +22,21 @@ ansible.builtin.include_role: name: arkenfox - - name: 'Install wireguard-tools' + - name: 'Install wireguard-tools and neovim' ansible.builtin.dnf5: name: - wireguard-tools + - neovim state: 'present' + + - name: 'Install devtools' + ansible.builtin.include_role: + name: devtools + + - name: 'Handle SUID binaries' + ansible.builtin.include_role: + name: suid_role + vars: + allow_run0: true + + diff --git a/roles/baseline/defaults/main.yaml b/roles/baseline/defaults/main.yaml index f2b9512..719815a 100644 --- a/roles/baseline/defaults/main.yaml +++ b/roles/baseline/defaults/main.yaml @@ -1,2 +1,3 @@ umask_changes: false -manage_network: true \ No newline at end of file +manage_network: true +allow_ptrace: false diff --git a/roles/baseline/files/etc/crypto-policies/back-ends/openssh.config b/roles/baseline/files/etc/crypto-policies/back-ends/openssh.config new file mode 100644 index 0000000..e155e68 --- /dev/null +++ b/roles/baseline/files/etc/crypto-policies/back-ends/openssh.config 
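Review bot: The inline comment `# turn off for gvisor` on the new `allow_ptrace: false` var can be read either way — "set this false when running gVisor" or "this restriction must be turned off for gVisor" — and the two are opposites, since `allow_ptrace: false` is what removes ptrace and gVisor's ptrace platform depends on it; if the latter is meant, say so: `allow_ptrace: false  # set true on hosts running gVisor's ptrace platform`. The second hunk ends the play with two trailing blank lines after `allow_run0: true`; yamllint flags that, so keep a single final newline. `allow_run0` is passed into `suid_role`, whose tasks file this commit creates but which is outside this chunk, so whether the role declares a default for it cannot be checked here.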
@@ -0,0 +1,8 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048
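Review bot: The new `openssh.config` keeps `hmac-sha1-etm@openssh.com` and `hmac-sha1` in the `MACs` line, the weakest algorithm family in the file; for a baseline that is meant to harden, drop both so the list is SHA-2/UMAC only: `MACs hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,hmac-sha2-512`. Separately, on Fedora `/etc/crypto-policies/back-ends/openssh.config` is normally a symlink regenerated by `update-crypto-policies`, so copying a file over it (which is what adding it to the baseline role's copy loop does) is likely to be undone by the next policy update; the supported way to carry these overrides is a policy module under `/etc/crypto-policies/policies/modules/` or a drop-in under `/etc/crypto-policies/local.d/` — confirm against the crypto-policies version on the target. This file governs only the ssh client; sshd reads `opensshserver.config`, which this commit does not touch.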
diff --git a/roles/baseline/files/etc/dconf/db/local.d/adw-gtk3-dark b/roles/baseline/files/etc/dconf/db/local.d/adw-gtk3-dark deleted file mode 100644 index c6a1e1f..0000000 --- a/roles/baseline/files/etc/dconf/db/local.d/adw-gtk3-dark +++ /dev/null @@ -1,2 +0,0 @@ -[org/gnome/desktop/interface] -gtk-theme='adw-gtk3-dark' \ No newline at end of file diff --git a/roles/baseline/files/etc/dconf/db/local.d/prefer-dark b/roles/baseline/files/etc/dconf/db/local.d/prefer-dark deleted file mode 100644 index ba1d69f..0000000 --- a/roles/baseline/files/etc/dconf/db/local.d/prefer-dark +++ /dev/null @@ -1,2 +0,0 @@ -[org/gnome/desktop/interface] -color-scheme='prefer-dark' \ No newline at end of file diff --git a/roles/baseline/files/etc/modprobe.d/workstation-blacklist.conf b/roles/baseline/files/etc/modprobe.d/workstation-blacklist.conf index 6eaef74..eb04e55 100644 --- a/roles/baseline/files/etc/modprobe.d/workstation-blacklist.conf +++ b/roles/baseline/files/etc/modprobe.d/workstation-blacklist.conf @@ -39,8 +39,8 @@ install cramfs /bin/false install freevxfs /bin/false install jffs2 /bin/false # I think blacklisting hfs or hfsplus breaks USBs, but not sure -install hfs /bin/false -install hfsplus /bin/false +# install hfs /bin/false +# install hfsplus /bin/false install squashfs /bin/false install udf /bin/false install cifs /bin/false diff --git a/roles/baseline/tasks/main.yaml b/roles/baseline/tasks/main.yaml index 6d66c89..2ec89cc 100644 --- a/roles/baseline/tasks/main.yaml +++ b/roles/baseline/tasks/main.yaml @@ -31,7 +31,6 @@ replace: 'umask 077' when: umask_changes == true - - name: Make home directory private ansible.builtin.file: path: /home/* 
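Review bot: Commenting out `install hfs /bin/false` and `install hfsplus /bin/false` on the strength of "I think ... but not sure" relaxes the filesystem-module blacklist without a confirmed cause; ordinary USB mass-storage media is handled by `usb-storage` plus vfat/exfat/ntfs, and only macOS-formatted media needs `hfsplus`, so the breakage is more plausibly elsewhere. Reproduce the failure and read `journalctl -k` before dropping the two lines, and if the relaxation stays, replace the guess in the comment with the observed error so the next reader knows what was actually broken, e.g. `# hfs/hfsplus re-enabled: <observed failure and date>`.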
@@ -48,8 +47,13 @@ loop: - 'etc/ssh/ssh_config.d/10-custom.conf' - 'etc/modprobe.d/workstation-blacklist.conf' - - 'etc/sysctl.d/99-workstation.conf' + - 'etc/crypto-policies/back-ends/openssh.config' +- name: Kernel sysctl config + ansible.builtin.template: + src: 'etc/sysctl.d/99-workstation.conf' + dest: '/etc/sysctl.d/99-workstation.conf' + mode: '0644' - name: Reload sysctl shell: 'sysctl -p' @@ -131,6 +135,15 @@ name: 'hardened_malloc' state: 'present' +- name: Install custom packages + ansible.builtin.dnf5: + name: + - 'qubes-ctap' + - 'qubes-gpg-split' + - 'flatpak' + - 'ncurses' + - 'xdg-desktop-portal-gtk' + - name: Enable hardened_malloc ansible.builtin.copy: src: 'etc/ld.so.preload' @@ -159,4 +172,4 @@ path: '{{ item.path }}' regexp: '^(metalink=.*)$' line: '\1&protocol=https' - loop: '{{ found_files.files }}' \ No newline at end of file + loop: '{{ found_files.files }}' diff --git a/roles/sudo-dom0-prompt/files/etc/sysctl.d/99-workstation.conf b/roles/baseline/templates/etc/sysctl.d/99-workstation.conf.j2 similarity index 96% rename from roles/sudo-dom0-prompt/files/etc/sysctl.d/99-workstation.conf rename to roles/baseline/templates/etc/sysctl.d/99-workstation.conf.j2 index bcd6bca..c75e83f 100644 --- a/roles/sudo-dom0-prompt/files/etc/sysctl.d/99-workstation.conf +++ b/roles/baseline/templates/etc/sysctl.d/99-workstation.conf.j2 
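Review bot: The new `Kernel sysctl config` task points `ansible.builtin.template` at `src: 'etc/sysctl.d/99-workstation.conf'`, but the file this commit renames lives at `roles/baseline/templates/etc/sysctl.d/99-workstation.conf.j2`; the template module does not append `.j2` on its own, so the task will fail with a missing-file error — change it to `src: 'etc/sysctl.d/99-workstation.conf.j2'`. The `Reload sysctl` task that follows still runs `sysctl -p`, which reads only `/etc/sysctl.conf`, so the rendered `/etc/sysctl.d/99-workstation.conf` would not take effect until reboot; `sysctl --system` loads the drop-in directories. The `@@ -131,6 +135,15 @@` hunk's new `Install custom packages` list repeats `qubes-ctap`, `qubes-gpg-split`, `ncurses` and `xdg-desktop-portal-gtk`, which the gnome role's task of the same name (`roles/gnome/tasks/main.yaml`, also in this commit) installs; keep the list in one role.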
@@ -43,12 +43,15 @@ net.core.bpf_jit_harden = 2 kernel.unprivileged_userns_clone = 1 # Disable ptrace. Not needed on workstations. +{% if allow_ptrace %} +kernel.yama.ptrace_scope = 2 +{% else %} kernel.yama.ptrace_scope = 3 - +{% endif %} # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl # Restrict performance events from unprivileged users as much as possible. # We are using 4 here, since Ubuntu supports such a level. -# Official Linux kernel documentation only says >= so it probably will work. +# Official/ Linux kernel documentation only says >= so it probably will work. kernel.perf_event_paranoid = 4 # Disable io_uring diff --git a/roles/gnome/tasks/main.yaml b/roles/gnome/tasks/main.yaml index 16c41e7..879ed01 100644 --- a/roles/gnome/tasks/main.yaml +++ b/roles/gnome/tasks/main.yaml @@ -21,7 +21,6 @@ - 'gnome-software' - 'httpd' - 'keepassxc' - - 'thunderbird' - 'fedora-bookmarks' - 'fedora-chromium-config' - 'samba-client' @@ -82,9 +81,9 @@ - name: Install custom packages ansible.builtin.dnf5: name: -# - 'qubes-ctap' + - 'qubes-ctap' - 'qubes-gpg-split' - 'ncurses' -# - 'gnome-shell' + - 'xdg-desktop-portal-gtk' - 'ptyxis' state: 'present' diff --git a/roles/qubes-f41-gnome/tasks/files/etc/authselect/custom/sudo-dom0-prompt/system-auth b/roles/qubes-f41-gnome/tasks/files/etc/authselect/custom/sudo-dom0-prompt/system-auth deleted file mode 100644 index 3b1195e..0000000 --- a/roles/qubes-f41-gnome/tasks/files/etc/authselect/custom/sudo-dom0-prompt/system-auth +++ /dev/null 
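Review bot: With `allow_ptrace` true the template renders `kernel.yama.ptrace_scope = 2`, which still limits ptrace to processes holding `CAP_SYS_PTRACE`, yet the unchanged comment above the branch says only "Disable ptrace. Not needed on workstations."; update it to cover both outcomes, e.g. `# ptrace_scope 3 disables ptrace entirely and cannot be lowered until reboot; allow_ptrace selects 2 (CAP_SYS_PTRACE only).` The edit to the `perf_event_paranoid` comment introduces a stray slash (`# Official/ Linux kernel documentation`) and should be reverted. `{% if allow_ptrace %}` has no Jinja default, so it relies on `roles/baseline/defaults/main.yaml` supplying `allow_ptrace: false`; `{% if allow_ptrace | default(false) %}` keeps the template renderable if it is ever used outside the role.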
@@ -1,20 +0,0 @@ -# Generated by authselect -# Do not modify this file manually, use authselect instead. Any user changes will be overwritten. -# You can stop authselect from managing your configuration by calling 'authselect opt-out'. -# See authselect(8) for more details. - - -auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$ -auth requisite pam_deny.so -auth required pam_permit.so -account required pam_unix.so - -password requisite pam_pwquality.so -password sufficient pam_unix.so yescrypt shadow nullok use_authtok -password required pam_deny.so - -session optional pam_keyinit.so revoke -session required pam_limits.so --session optional pam_systemd.so -session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -session required pam_unix.so diff --git a/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/adw-gtk3-dark b/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/adw-gtk3-dark deleted file mode 100644 index c6a1e1f..0000000 --- a/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/adw-gtk3-dark +++ /dev/null @@ -1,2 +0,0 @@ -[org/gnome/desktop/interface] -gtk-theme='adw-gtk3-dark' \ No newline at end of file diff --git a/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/automount-disable b/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/automount-disable deleted file mode 100644 index a0d778c..0000000 --- a/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/automount-disable +++ /dev/null @@ -1,4 +0,0 @@ -[org/gnome/desktop/media-handling] -automount=false -automount-open=false -autorun-never=true \ No newline at end of file diff --git a/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/locks/automount-disable b/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/locks/automount-disable deleted file mode 100644 index 345c536..0000000 --- a/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/locks/automount-disable +++ /dev/null 
@@ -1,3 +0,0 @@ -org/gnome/desktop/media-handling/automount -org/gnome/desktop/media-handling/automount-open -/org/gnome/desktop/media-handling/autorun-never \ No newline at end of file diff --git a/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/locks/privacy b/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/locks/privacy deleted file mode 100644 index f342bad..0000000 --- a/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/locks/privacy +++ /dev/null @@ -1,14 +0,0 @@ -/org/gnome/system/location/enabled - -/org/gnome/desktop/privacy/remember-recent-files -/org/gnome/desktop/privacy/remove-old-trash-files -/org/gnome/desktop/privacy/remove-old-temp-files -/org/gnome/desktop/privacy/report-technical-problems -/org/gnome/desktop/privacy/send-software-usage-stats -/org/gnome/desktop/privacy/remember-app-usage - -/org/gnome/online-accounts/whitelisted-providers - -/org/gnome/desktop/remote-desktop/rdp/enable - -/org/gnome/desktop/remote-desktop/vnc/enable \ No newline at end of file diff --git a/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/prefer-dark b/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/prefer-dark deleted file mode 100644 index ba1d69f..0000000 --- a/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/prefer-dark +++ /dev/null @@ -1,2 +0,0 @@ -[org/gnome/desktop/interface] -color-scheme='prefer-dark' \ No newline at end of file diff --git a/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/privacy b/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/privacy deleted file mode 100644 index 131e18b..0000000 --- a/roles/qubes-f41-gnome/tasks/files/etc/dconf/db/local.d/privacy +++ /dev/null 
@@ -1,16 +0,0 @@ -[org/gnome/system/location] -enabled=false - -[org/gnome/desktop/privacy] -remember-recent-files=false -remove-old-trash-files=true -remove-old-temp-files=true -report-technical-problems=false -send-software-usage-stats=false -remember-app-usage=false - -[org/gnome/desktop/remote-desktop/rdp] -enable=false - -[org/gnome/desktop/remote-desktop/vnc] -enable=false \ No newline at end of file diff --git a/roles/qubes-f41-gnome/tasks/files/etc/dnf/dnf.conf b/roles/qubes-f41-gnome/tasks/files/etc/dnf/dnf.conf deleted file mode 100644 index b1ebaf6..0000000 --- a/roles/qubes-f41-gnome/tasks/files/etc/dnf/dnf.conf +++ /dev/null @@ -1,11 +0,0 @@ -[main] -gpgcheck=True -installonly_limit=3 -clean_requirements_on_remove=True -best=False -skip_if_unavailable=True -max_parallel_downloads=10 -deltarpm=False -defaultyes=True -install_weak_deps=False -countme=False diff --git a/roles/qubes-f41-gnome/tasks/files/etc/environment b/roles/qubes-f41-gnome/tasks/files/etc/environment deleted file mode 100644 index a7fd553..0000000 --- a/roles/qubes-f41-gnome/tasks/files/etc/environment +++ /dev/null @@ -1,3 +0,0 @@ -JavaScriptCoreUseJIT=0 -GJS_DISABLE_JIT=1 -XDG_CURRENT_DESKTOP=GNOME \ No newline at end of file diff --git a/roles/qubes-f41-gnome/tasks/files/etc/ld.so.preload b/roles/qubes-f41-gnome/tasks/files/etc/ld.so.preload deleted file mode 100644 index 96c875c..0000000 --- a/roles/qubes-f41-gnome/tasks/files/etc/ld.so.preload +++ /dev/null @@ -1 +0,0 @@ -libhardened_malloc.so \ No newline at end of file diff --git a/roles/qubes-f41-gnome/tasks/files/etc/modprobe.d/workstation-blacklist.conf b/roles/qubes-f41-gnome/tasks/files/etc/modprobe.d/workstation-blacklist.conf deleted file mode 100644 index 8004687..0000000 --- a/roles/qubes-f41-gnome/tasks/files/etc/modprobe.d/workstation-blacklist.conf +++ /dev/null 
@@ -1,114 +0,0 @@ -# unused network protocols -install dccp /bin/false -install sctp /bin/false -install rds /bin/false -install tipc /bin/false -install n-hdlc /bin/false -install ax25 /bin/false -install netrom /bin/false -install x25 /bin/false -install rose /bin/false -install decnet /bin/false -install econet /bin/false -install af_802154 /bin/false -install ipx /bin/false -install appletalk /bin/false -install psnap /bin/false -install p8023 /bin/false -install p8022 /bin/false -install can /bin/false -install atm /bin/false - -# firewire and thunderbolt -install firewire-core /bin/false -install firewire_core /bin/false -install firewire-ohci /bin/false -install firewire_ohci /bin/false -install firewire_sbp2 /bin/false -install firewire-sbp2 /bin/false -install firewire-net /bin/false -install thunderbolt /bin/false -install ohci1394 /bin/false -install sbp2 /bin/false -install dv1394 /bin/false -install raw1394 /bin/false -install video1394 /bin/false - -# unused filesystems -install cramfs /bin/false -install freevxfs /bin/false -install jffs2 /bin/false -install hfs /bin/false -install hfsplus /bin/false -install squashfs /bin/false -install udf /bin/false -install cifs /bin/false -install nfs /bin/false -install nfsv3 /bin/false -install nfsv4 /bin/false -install ksmbd /bin/false -install gfs2 /bin/false -install reiserfs /bin/false -install kafs /bin/false -install orangefs /bin/false -install 9p /bin/false -install adfs /bin/false -install affs /bin/false -install afs /bin/false -install befs /bin/false -install ceph /bin/false -install coda /bin/false -install ecryptfs /bin/false -install erofs /bin/false -install jfs /bin/false -install minix /bin/false -install netfs /bin/false -install nilfs2 /bin/false -install ocfs2 /bin/false -install romfs /bin/false -install ubifs /bin/false -install zonefs /bin/false -install sysv /bin/false -install ufs /bin/false - -# disable vivid -install vivid /bin/false - -# disable GNSS -install gnss /bin/false 
-install gnss-mtk /bin/false -install gnss-serial /bin/false -install gnss-sirf /bin/false -install gnss-usb /bin/false -install gnss-ubx /bin/false - -# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -install bluetooth /bin/false -install btusb /bin/false - -# blacklist ath_pci -blacklist ath_pci - -# blacklist cdrom -blacklist cdrom -blacklist sr_mod - -# blacklist framebuffer drivers -# source, ubuntu: https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf -blacklist cyber2000fb -blacklist cyblafb -blacklist gx1fb -blacklist hgafb -blacklist kyrofb -blacklist lxfb -blacklist matroxfb_base -blacklist neofb -blacklist nvidiafb -blacklist pm2fb -blacklist s1d13xxxfb -blacklist sisfb -blacklist tdfxfb -blacklist vesafb -blacklist vfb -blacklist vt8623fb -blacklist udlfb diff --git a/roles/qubes-f41-gnome/tasks/files/etc/security/limits.d/30-disable-coredump.conf b/roles/qubes-f41-gnome/tasks/files/etc/security/limits.d/30-disable-coredump.conf deleted file mode 100644 index 527b136..0000000 --- a/roles/qubes-f41-gnome/tasks/files/etc/security/limits.d/30-disable-coredump.conf +++ /dev/null @@ -1 +0,0 @@ -* hard core 0 \ No newline at end of file diff --git a/roles/qubes-f41-gnome/tasks/files/etc/skel/flathub.sh b/roles/qubes-f41-gnome/tasks/files/etc/skel/flathub.sh deleted file mode 100644 index bffb01a..0000000 --- a/roles/qubes-f41-gnome/tasks/files/etc/skel/flathub.sh +++ /dev/null @@ -1,2 +0,0 @@ -flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo -systemctl enable --user --now update-user-flatpaks.timer \ No newline at end of file diff --git a/roles/qubes-f41-gnome/tasks/files/etc/ssh/ssh_config.d/10-custom.conf b/roles/qubes-f41-gnome/tasks/files/etc/ssh/ssh_config.d/10-custom.conf deleted file mode 100644 index 440ccda..0000000 --- a/roles/qubes-f41-gnome/tasks/files/etc/ssh/ssh_config.d/10-custom.conf +++ /dev/null 
@@ -1,2 +0,0 @@ -GSSAPIAuthentication no -VerifyHostKeyDNS yes diff --git a/roles/qubes-f41-gnome/tasks/files/etc/sudoers.d/qubes b/roles/qubes-f41-gnome/tasks/files/etc/sudoers.d/qubes deleted file mode 100644 index 1359f03..0000000 --- a/roles/qubes-f41-gnome/tasks/files/etc/sudoers.d/qubes +++ /dev/null @@ -1,4 +0,0 @@ -Defaults !requiretty -user ALL=(ALL) ALL - -# vim: ft=sudoers \ No newline at end of file diff --git a/roles/qubes-f41-gnome/tasks/files/etc/sysctl.d/99-workstation.conf b/roles/qubes-f41-gnome/tasks/files/etc/sysctl.d/99-workstation.conf deleted file mode 100644 index bcd6bca..0000000 --- a/roles/qubes-f41-gnome/tasks/files/etc/sysctl.d/99-workstation.conf +++ /dev/null 
@@ -1,119 +0,0 @@ - -# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl -dev.tty.ldisc_autoload = 0 - -# https://access.redhat.com/solutions/1985633 -# Seems dangerous. -# Roseta need this though, so if you use it change it to 1. -fs.binfmt_misc.status = 0 - -# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace -# Enable fs.protected sysctls. -fs.protected_regular = 2 -fs.protected_fifos = 2 -fs.protected_symlinks = 1 -fs.protected_hardlinks = 1 - -# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps -# Disable coredumps. -# For additional safety, disable coredumps using ulimit and systemd too. -kernel.core_pattern=|/bin/false -fs.suid_dumpable = 0 - -# Restrict dmesg to CAP_SYS_LOG. -# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt -kernel.dmesg_restrict = 1 - -# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt -# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel -# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak -# Restrict access to /proc. -kernel.kptr_restrict = 2 - -# Not needed, I don't do livepatching and reboot regularly. -# On a workstation, this shouldn't be used at all. Don't live patch, just reboot. -kernel.kexec_load_disabled = 1 - -# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl -# Basically, restrict eBPF to CAP_BPF. -kernel.unprivileged_bpf_disabled = 1 -net.core.bpf_jit_harden = 2 - -# Needed for Flatpak and Bubblewrap. -kernel.unprivileged_userns_clone = 1 - -# Disable ptrace. Not needed on workstations. -kernel.yama.ptrace_scope = 3 - -# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl -# Restrict performance events from unprivileged users as much as possible. -# We are using 4 here, since Ubuntu supports such a level. -# Official Linux kernel documentation only says >= so it probably will work. 
-kernel.perf_event_paranoid = 4 - -# Disable io_uring -# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled -# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html -# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out -# on a Proxmox node. -kernel.io_uring_disabled = 2 - -# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel -# Disable sysrq. -kernel.sysrq = 0 - -# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911 -# Not running a router here, so no redirects. -net.ipv4.conf.*.send_redirects = 0 -net.ipv4.conf.*.accept_redirects = 0 -net.ipv6.conf.*.accept_redirects = 0 - -# Check if the source of the IP address is reachable through the same interface it came in -# Basic IP spoofing mitigation. -net.ipv4.conf.*.rp_filter = 1 - -# Do not respond to ICMP. -net.ipv4.icmp_echo_ignore_all = 1 -net.ipv6.icmp.echo_ignore_all = 1 - -# Ignore Bogus ICMP responses. -net.ipv4.icmp_ignore_bogus_error_responses = 1 - -# Enable IP Forwarding. -# Needed for VM networking and whatnot. -net.ipv4.ip_forward = 1 -net.ipv6.conf.all.forwarding = 1 - -# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537 -# Ignore bogus icmp response. -net.ipv4.icmp_ignore_bogus_error_responses = 1 - -# Protection against time-wait assasination attacks. -net.ipv4.tcp_rfc1337 = 1 - -# Enable SYN cookies. -# Basic SYN flood mitigation. -net.ipv4.tcp_syncookies = 1 - -# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf -# Make sure TCP timestamp is enabled. -net.ipv4.tcp_timestamps = 1 - -# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf -# Disable TCP SACK. -# We have good networking :) -net.ipv4.tcp_sack = 0 - -# No SACK, therefore no Duplicated SACK. 
-net.ipv4.tcp_dsack = 0 - -# Improve ALSR effectiveness for mmap. -vm.mmap_rnd_bits = 32 -vm.mmap_rnd_compat_bits = 16 - -# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel -# Restrict userfaultfd to CAP_SYS_PTRACE. -# https://bugs.archlinux.org/task/62780 -# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is -# probably not used in the real world at all. -vm.unprivileged_userfaultfd = 0 diff --git a/roles/qubes-f41-gnome/tasks/files/etc/systemd/coredump.conf.d/disable.conf b/roles/qubes-f41-gnome/tasks/files/etc/systemd/coredump.conf.d/disable.conf deleted file mode 100644 index 4cfe0f8..0000000 --- a/roles/qubes-f41-gnome/tasks/files/etc/systemd/coredump.conf.d/disable.conf +++ /dev/null @@ -1,2 +0,0 @@ -[Coredump] -Storage=none \ No newline at end of file diff --git a/roles/qubes-f41-gnome/tasks/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf b/roles/qubes-f41-gnome/tasks/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf deleted file mode 100644 index d3ad4a4..0000000 --- a/roles/qubes-f41-gnome/tasks/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf +++ /dev/null 
@@ -1,28 +0,0 @@
-[Service]
-# Hardening
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
-LockPersonality=true
-MemoryDenyWriteExecute=true
-#PrivateDevices=true #breaks tun usage
-#ProtectProc=invisible
-PrivateTmp=yes
-ProtectClock=true
-ProtectControlGroups=true
-ProtectHome=read-only
-ProtectKernelLogs=true
-#ProtectKernelModules=true
-#ProtectSystem=strict
-#ReadOnlyPaths=/etc/NetworkManager
-ReadOnlyPaths=-/home
-#ReadWritePaths=-/etc/NetworkManager/system-connections
-ReadWritePaths=-/etc/sysconfig/network-scripts
-ReadWritePaths=/var/lib/NetworkManager
-ReadWritePaths=-/var/run/NetworkManager
-ReadWritePaths=-/run/NetworkManager
-RemoveIPC=true
-RestrictNamespaces=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-UMask=0077
diff --git a/roles/qubes-f41-gnome/tasks/files/etc/systemd/user/update-user-flatpaks.service b/roles/qubes-f41-gnome/tasks/files/etc/systemd/user/update-user-flatpaks.service
deleted file mode 100644
index dc97615..0000000
--- a/roles/qubes-f41-gnome/tasks/files/etc/systemd/user/update-user-flatpaks.service
+++ /dev/null
@@ -1,6 +0,0 @@
-[Unit]
-Description=Update user Flatpaks
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/flatpak --user update -y
\ No newline at end of file
diff --git a/roles/qubes-f41-gnome/tasks/files/etc/systemd/user/update-user-flatpaks.timer b/roles/qubes-f41-gnome/tasks/files/etc/systemd/user/update-user-flatpaks.timer
deleted file mode 100644
index d530fe7..0000000
--- a/roles/qubes-f41-gnome/tasks/files/etc/systemd/user/update-user-flatpaks.timer
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Update user Flatpaks daily
-
-[Timer]
-OnCalendar=daily
-Persistent=true
-
-[Install]
-WantedBy=timers.target
\ No newline at end of file
diff --git a/roles/qubes-f41-gnome/tasks/files/etc/systemd/zram-generator.conf b/roles/qubes-f41-gnome/tasks/files/etc/systemd/zram-generator.conf
deleted file mode 100644
index f41f8ca..0000000
--- a/roles/qubes-f41-gnome/tasks/files/etc/systemd/zram-generator.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-[zram0]
-zram-fraction = 1
-max-zram-size = 8192
-compression-algorithm = zstd
\ No newline at end of file
diff --git a/roles/qubes-f41-gnome/tasks/files/etc/xdg-desktop-portal/portals.conf b/roles/qubes-f41-gnome/tasks/files/etc/xdg-desktop-portal/portals.conf
deleted file mode 100644
index e7ae6e3..0000000
--- a/roles/qubes-f41-gnome/tasks/files/etc/xdg-desktop-portal/portals.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[preferred]
-default=gtk;
diff --git a/roles/qubes-f41-gnome/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js b/roles/qubes-f41-gnome/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js
deleted file mode 100644
index e69de29..0000000
diff --git a/roles/qubes-f41-gnome/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js b/roles/qubes-f41-gnome/tasks/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js
deleted file mode 100644
index e69de29..0000000
diff --git a/roles/qubes-f41-gnome/tasks/main.yaml b/roles/qubes-f41-gnome/tasks/main.yaml
deleted file mode 100644
index cfcb6c1..0000000
--- a/roles/qubes-f41-gnome/tasks/main.yaml
+++ /dev/null
@@ -1,285 +0,0 @@
-- name: Configure Fedora 41 Gnome Template
- hosts: 127.0.0.1
- connection: local
- tasks:
- - name: Kill debug-shell service
- ansible.builtin.systemd_service:
- name: debug-shell.service
- masked: true
- - name: Kill kdump service
- ansible.builtin.systemd_service:
- name: kdump.service
- masked: true
-
- - name: Set umask to 077
- shell: umask 077
- - name: Set umask to 077 in login.defs
- ansible.builtin.replace:
- path: /etc/login.defs
- regexp: '^UMASK.*'
- replace: 'UMASK 077'
-
- - name: Set umask to 077 in logins.defs
- ansible.builtin.replace:
- path: /etc/login.defs
- regexp: '^HOME_MODE'
- replace: '#HOME_MODE'
-
- - name: Set umask to 077 in bashrc
- ansible.builtin.replace:
- path: /etc/bashrc
- regexp: 'umask 022'
- replace: 'umask 077'
-
- - name: Make home directory private
- ansible.builtin.file:
- path: /home/*
- state: directory
- recurse: true
- mode: '0700'
-
- - name: Harden SSH, add kernel blacklist and hardening
- ansible.builtin.copy:
- src: '{{ item }}'
- dest: '/{{ item }}'
- mode: '0644'
- loop:
- - 'etc/ssh/ssh_config.d/10-custom.conf'
- - 'etc/modprobe.d/workstation-blacklist.conf'
- - 'etc/sysctl.d/99-workstation.conf'
-
-
- - name: Reload sysctl
- shell: 'sysctl -p'
-
- - name: Create coredump.conf.d
- ansible.builtin.file:
- path: '/etc/systemd/coredump.conf.d'
- state: 'directory'
- mode: '0755'
- - name: Make locks dir for dconf
- ansible.builtin.file:
- path: '/etc/dconf/db/local.d/locks'
- state: 'directory'
- mode: '0755'
- - name: Create XDG portals directory
- ansible.builtin.file:
- path: '/etc/xdg-desktop-portal'
- state: 'directory'
- mode: '0755'
-
- - name: Create /etc/systemd/system/NetworkManager.service.d
- ansible.builtin.file:
- path: '/etc/systemd/system/NetworkManager.service.d'
- state: 'directory'
- mode: '0755'
- - name: Copy dconf files + xdg-desktop-portals fix + Network manager
- ansible.builtin.copy:
- src: '{{ item }}'
- dest: '/{{ item }}'
- mode: '0644'
- loop:
- - 'etc/security/limits.d/30-disable-coredump.conf'
- - 'etc/systemd/coredump.conf.d/disable.conf'
- - 'etc/dconf/db/local.d/locks/automount-disable'
- - 'etc/dconf/db/local.d/locks/privacy'
- - 'etc/dconf/db/local.d/adw-gtk3-dark'
- - 'etc/dconf/db/local.d/automount-disable'
- - 'etc/dconf/db/local.d/prefer-dark'
- - 'etc/dconf/db/local.d/privacy'
- - 'etc/xdg-desktop-portal/portals.conf'
- - 'etc/systemd/system/NetworkManager.service.d/99-brace.conf'
-
- - name: Update dconf
- shell: sudo dconf update
-
- - name: Setup ZRAM, flatpak updater and environment variables to disable GJS, WebkitGTK JIT, and fix GNOME env variable
- ansible.builtin.copy:
- src: '{{ item }}'
- dest: '/{{ item }}'
- mode: '0600'
- loop:
- - 'etc/systemd/zram-generator.conf'
- - 'etc/systemd/user/update-user-flatpaks.service'
- - 'etc/systemd/user/update-user-flatpaks.timer'
- - 'etc/environment'
-
- - name: Upgrade all packages
- ansible.builtin.dnf5:
- name: "*"
- state: latest
-
- - name: Mark packages as manually installed to avoid removal
- shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
-
- - name: Remove unnecessary stuff from the template
- ansible.builtin.dnf5:
- name:
- - '@Container Management'
- - '@Desktop Accessibility'
- - '@Guest Desktop Agents'
- - '@Printing Support'
- - 'gnome-software'
- - 'httpd'
- - 'keepassxc'
- - 'thunderbird'
- - 'fedora-bookmarks'
- - 'fedora-chromium-config'
- - 'samba-client'
- - 'gvfs-smb'
- - 'NetworkManager-pptp-gnome'
- - 'NetworkManager-ssh-gnome'
- - 'NetworkManager-openconnect-gnome'
- - 'NetworkManager-openvpn-gnome'
- - 'NetworkManager-vpnc-gnome'
- - 'ppp*'
- - 'ModemManager'
- - 'baobab'
- - 'chrome-gnome-shell'
- - 'eog'
- - 'gnome-boxes'
- - 'gnome-calculator'
- - 'gnome-calendar'
- - 'gnome-characters'
- - 'gnome-classic*'
- - 'gnome-clocks'
- - 'gnome-color-manager'
- - 'gnome-connections'
- - 'gnome-contacts'
- - 'gnome-disk-utility'
- - 'gnome-font-viewer'
- - 'gnome-logs'
- - 'gnome-maps'
- - 'gnome-photos'
- - 'gnome-remote-desktop'
- - 'gnome-screenshot'
- - 'gnome-shell-extension-apps-menu'
- - 'gnome-shell-extension-background-logo'
- - 'gnome-shell-extension-launch-new-instance'
- - 'gnome-shell-extension-places-menu'
- - 'gnome-shell-extension-window-list'
- - 'gnome-text-editor'
- - 'gnome-themes-extra'
- - 'gnome-tour'
- - 'gnome-user*'
- - 'gnome-weather'
- - 'loupe'
- - 'snapshot'
- - 'totem'
- - 'cheese'
- - 'evince'
- - 'file-roller*'
- - 'libreoffice*'
- - 'mediawriter'
- - 'rhythmbox'
- - 'yelp'
- - 'lvm2'
- - 'rng-tools'
- - 'thermald'
- state: 'absent'
- allowerasing: true
- autoremove: true
-
- - name: Install custom packages
- ansible.builtin.dnf5:
- name:
- - 'qubes-ctap'
- - 'qubes-gpg-split'
- - 'adw-gtk3-theme'
- - 'ncurses'
- - 'gnome-shell'
- - 'ptyxis'
- state: 'present'
- - name: Enable hardened_malloc COPR
- shell: 'sudo dnf copr enable secureblue/hardened_malloc -y'
-
- - name: Install hardened_malloc
- ansible.builtin.dnf5:
- name: 'hardened_malloc'
- state: 'present'
-
- - name: Enable hardened_malloc
- ansible.builtin.copy:
- src: 'etc/ld.so.preload'
- dest: '/etc/ld.so.preload'
- mode: '0644'
- - name: Enable hardened_malloc for system wide flatpak
- shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
- - name: Enable hardened_malloc for user flatpak # has to be run per APP VM
- shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
- - name: Setup dnf repos
- ansible.builtin.copy:
- src: 'etc/dnf/dnf.conf'
- dest: '/etc/dnf/dnf.conf'
- mode: '0644'
-
- - name: Get list of files
- ansible.builtin.find:
- paths: /etc/yum.repos.d/
- recurse: true
- register: found_files
-
- - name: Replace text in those files
- ansible.builtin.lineinfile:
- backup: true
- backrefs: true
- path: '{{ item.path }}'
- regexp: '^(metalink=.*)$'
- line: '\1&protocol=https'
- loop: '{{ found_files.files }}'
-
- - name: Check that the sudo-dom0-prompt exists
- stat:
- path: '/etc/authselect/custom/sudo-dom0-prompt'
- register: stat_result
-
- - name: Create authselect profile
- shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam
- when: not stat_result.stat.exists
- - name: Copy authselect file
- ansible.builtin.copy:
- src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
- dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside'
- mode: '0644'
-
-
- - name: Copy authselect folder
- ansible.builtin.copy:
- src: '/etc/authselect/system-auth'
- dest: '/etc/authselect/custom/sudo-dom0-prompt'
- mode: '0755'
-
- - name: Copy authselect file
- ansible.builtin.copy:
- src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth'
- dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
- mode: '0644'
-
-
- - name: Select authselect profile
- shell: authselect select custom/sudo-dom0-prompt
-
- - name: Fix sudoers.d
- ansible.builtin.copy:
- src: 'etc/sudoers.d/qubes'
- dest: '/etc/sudoers.d/qubes'
- mode: '0440'
-
- - name: Check that allow all rule doesn't exist
- stat:
- path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
- register: allow_all_result
-
- - name: Delete allow all rule
- ansible.builtin.file:
- path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
- state: 'absent'
- when: allow_all_result.stat.exists
-
-
-
- - name: Drop flathub script to homedir for any new appvms created based on this template
- ansible.builtin.copy:
- src: 'etc/skel/flathub.sh'
- dest: '/etc/skel/flathub.sh'
- mode: '0700'
\ No newline at end of file
diff --git a/roles/qubes-f41-gnome/vars/main.yaml b/roles/qubes-f41-gnome/vars/main.yaml
deleted file mode 100644
index e353fb5..0000000
--- a/roles/qubes-f41-gnome/vars/main.yaml
+++ /dev/null
@@ -1 +0,0 @@
-packages_to_remove:
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/authselect/custom/sudo-dom0-prompt/system-auth b/roles/sudo-dom0-prompt/files/etc/authselect/custom/sudo-dom0-prompt/system-auth
deleted file mode 100644
index 3b1195e..0000000
--- a/roles/sudo-dom0-prompt/files/etc/authselect/custom/sudo-dom0-prompt/system-auth
+++ /dev/null
@@ -1,20 +0,0 @@
-# Generated by authselect
-# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
-# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
-# See authselect(8) for more details.
-
-
-auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
-auth requisite pam_deny.so
-auth required pam_permit.so
-account required pam_unix.so
-
-password requisite pam_pwquality.so
-password sufficient pam_unix.so yescrypt shadow nullok use_authtok
-password required pam_deny.so
-
-session optional pam_keyinit.so revoke
-session required pam_limits.so
--session optional pam_systemd.so
-session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-session required pam_unix.so
diff --git a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/adw-gtk3-dark b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/adw-gtk3-dark
deleted file mode 100644
index c6a1e1f..0000000
--- a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/adw-gtk3-dark
+++ /dev/null
@@ -1,2 +0,0 @@
-[org/gnome/desktop/interface]
-gtk-theme='adw-gtk3-dark'
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/automount-disable b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/automount-disable
deleted file mode 100644
index a0d778c..0000000
--- a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/automount-disable
+++ /dev/null
@@ -1,4 +0,0 @@
-[org/gnome/desktop/media-handling]
-automount=false
-automount-open=false
-autorun-never=true
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/automount-disable b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/automount-disable
deleted file mode 100644
index 345c536..0000000
--- a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/automount-disable
+++ /dev/null
@@ -1,3 +0,0 @@
-org/gnome/desktop/media-handling/automount
-org/gnome/desktop/media-handling/automount-open
-/org/gnome/desktop/media-handling/autorun-never
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/privacy b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/privacy
deleted file mode 100644
index f342bad..0000000
--- a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/locks/privacy
+++ /dev/null
@@ -1,14 +0,0 @@
-/org/gnome/system/location/enabled
-
-/org/gnome/desktop/privacy/remember-recent-files
-/org/gnome/desktop/privacy/remove-old-trash-files
-/org/gnome/desktop/privacy/remove-old-temp-files
-/org/gnome/desktop/privacy/report-technical-problems
-/org/gnome/desktop/privacy/send-software-usage-stats
-/org/gnome/desktop/privacy/remember-app-usage
-
-/org/gnome/online-accounts/whitelisted-providers
-
-/org/gnome/desktop/remote-desktop/rdp/enable
-
-/org/gnome/desktop/remote-desktop/vnc/enable
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/prefer-dark b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/prefer-dark
deleted file mode 100644
index ba1d69f..0000000
--- a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/prefer-dark
+++ /dev/null
@@ -1,2 +0,0 @@
-[org/gnome/desktop/interface]
-color-scheme='prefer-dark'
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/privacy b/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/privacy
deleted file mode 100644
index 131e18b..0000000
--- a/roles/sudo-dom0-prompt/files/etc/dconf/db/local.d/privacy
+++ /dev/null
@@ -1,16 +0,0 @@
-[org/gnome/system/location]
-enabled=false
-
-[org/gnome/desktop/privacy]
-remember-recent-files=false
-remove-old-trash-files=true
-remove-old-temp-files=true
-report-technical-problems=false
-send-software-usage-stats=false
-remember-app-usage=false
-
-[org/gnome/desktop/remote-desktop/rdp]
-enable=false
-
-[org/gnome/desktop/remote-desktop/vnc]
-enable=false
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/dnf/dnf.conf b/roles/sudo-dom0-prompt/files/etc/dnf/dnf.conf
deleted file mode 100644
index b1ebaf6..0000000
--- a/roles/sudo-dom0-prompt/files/etc/dnf/dnf.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-[main]
-gpgcheck=True
-installonly_limit=3
-clean_requirements_on_remove=True
-best=False
-skip_if_unavailable=True
-max_parallel_downloads=10
-deltarpm=False
-defaultyes=True
-install_weak_deps=False
-countme=False
diff --git a/roles/sudo-dom0-prompt/files/etc/environment b/roles/sudo-dom0-prompt/files/etc/environment
deleted file mode 100644
index a7fd553..0000000
--- a/roles/sudo-dom0-prompt/files/etc/environment
+++ /dev/null
@@ -1,3 +0,0 @@
-JavaScriptCoreUseJIT=0
-GJS_DISABLE_JIT=1
-XDG_CURRENT_DESKTOP=GNOME
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/ld.so.preload b/roles/sudo-dom0-prompt/files/etc/ld.so.preload
deleted file mode 100644
index 96c875c..0000000
--- a/roles/sudo-dom0-prompt/files/etc/ld.so.preload
+++ /dev/null
@@ -1 +0,0 @@
-libhardened_malloc.so
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/modprobe.d/workstation-blacklist.conf b/roles/sudo-dom0-prompt/files/etc/modprobe.d/workstation-blacklist.conf
deleted file mode 100644
index 8004687..0000000
--- a/roles/sudo-dom0-prompt/files/etc/modprobe.d/workstation-blacklist.conf
+++ /dev/null
@@ -1,114 +0,0 @@
-# unused network protocols
-install dccp /bin/false
-install sctp /bin/false
-install rds /bin/false
-install tipc /bin/false
-install n-hdlc /bin/false
-install ax25 /bin/false
-install netrom /bin/false
-install x25 /bin/false
-install rose /bin/false
-install decnet /bin/false
-install econet /bin/false
-install af_802154 /bin/false
-install ipx /bin/false
-install appletalk /bin/false
-install psnap /bin/false
-install p8023 /bin/false
-install p8022 /bin/false
-install can /bin/false
-install atm /bin/false
-
-# firewire and thunderbolt
-install firewire-core /bin/false
-install firewire_core /bin/false
-install firewire-ohci /bin/false
-install firewire_ohci /bin/false
-install firewire_sbp2 /bin/false
-install firewire-sbp2 /bin/false
-install firewire-net /bin/false
-install thunderbolt /bin/false
-install ohci1394 /bin/false
-install sbp2 /bin/false
-install dv1394 /bin/false
-install raw1394 /bin/false
-install video1394 /bin/false
-
-# unused filesystems
-install cramfs /bin/false
-install freevxfs /bin/false
-install jffs2 /bin/false
-install hfs /bin/false
-install hfsplus /bin/false
-install squashfs /bin/false
-install udf /bin/false
-install cifs /bin/false
-install nfs /bin/false
-install nfsv3 /bin/false
-install nfsv4 /bin/false
-install ksmbd /bin/false
-install gfs2 /bin/false
-install reiserfs /bin/false
-install kafs /bin/false
-install orangefs /bin/false
-install 9p /bin/false
-install adfs /bin/false
-install affs /bin/false
-install afs /bin/false
-install befs /bin/false
-install ceph /bin/false
-install coda /bin/false
-install ecryptfs /bin/false
-install erofs /bin/false
-install jfs /bin/false
-install minix /bin/false
-install netfs /bin/false
-install nilfs2 /bin/false
-install ocfs2 /bin/false
-install romfs /bin/false
-install ubifs /bin/false
-install zonefs /bin/false
-install sysv /bin/false
-install ufs /bin/false
-
-# disable vivid
-install vivid /bin/false
-
-# disable GNSS
-install gnss /bin/false
-install gnss-mtk /bin/false
-install gnss-serial /bin/false
-install gnss-sirf /bin/false
-install gnss-usb /bin/false
-install gnss-ubx /bin/false
-
-# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
-install bluetooth /bin/false
-install btusb /bin/false
-
-# blacklist ath_pci
-blacklist ath_pci
-
-# blacklist cdrom
-blacklist cdrom
-blacklist sr_mod
-
-# blacklist framebuffer drivers
-# source, ubuntu: https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf
-blacklist cyber2000fb
-blacklist cyblafb
-blacklist gx1fb
-blacklist hgafb
-blacklist kyrofb
-blacklist lxfb
-blacklist matroxfb_base
-blacklist neofb
-blacklist nvidiafb
-blacklist pm2fb
-blacklist s1d13xxxfb
-blacklist sisfb
-blacklist tdfxfb
-blacklist vesafb
-blacklist vfb
-blacklist vt8623fb
-blacklist udlfb
diff --git a/roles/sudo-dom0-prompt/files/etc/security/limits.d/30-disable-coredump.conf b/roles/sudo-dom0-prompt/files/etc/security/limits.d/30-disable-coredump.conf
deleted file mode 100644
index 527b136..0000000
--- a/roles/sudo-dom0-prompt/files/etc/security/limits.d/30-disable-coredump.conf
+++ /dev/null
@@ -1 +0,0 @@
-* hard core 0
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/skel/flathub.sh b/roles/sudo-dom0-prompt/files/etc/skel/flathub.sh
deleted file mode 100644
index bffb01a..0000000
--- a/roles/sudo-dom0-prompt/files/etc/skel/flathub.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo
-systemctl enable --user --now update-user-flatpaks.timer
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/ssh/ssh_config.d/10-custom.conf b/roles/sudo-dom0-prompt/files/etc/ssh/ssh_config.d/10-custom.conf
deleted file mode 100644
index 440ccda..0000000
--- a/roles/sudo-dom0-prompt/files/etc/ssh/ssh_config.d/10-custom.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-GSSAPIAuthentication no
-VerifyHostKeyDNS yes
diff --git a/roles/sudo-dom0-prompt/files/etc/sudoers.d/qubes b/roles/sudo-dom0-prompt/files/etc/sudoers.d/qubes
deleted file mode 100644
index 1359f03..0000000
--- a/roles/sudo-dom0-prompt/files/etc/sudoers.d/qubes
+++ /dev/null
@@ -1,4 +0,0 @@
-Defaults !requiretty
-user ALL=(ALL) ALL
-
-# vim: ft=sudoers
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/systemd/coredump.conf.d/disable.conf b/roles/sudo-dom0-prompt/files/etc/systemd/coredump.conf.d/disable.conf
deleted file mode 100644
index 4cfe0f8..0000000
--- a/roles/sudo-dom0-prompt/files/etc/systemd/coredump.conf.d/disable.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[Coredump]
-Storage=none
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf b/roles/sudo-dom0-prompt/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf
deleted file mode 100644
index d3ad4a4..0000000
--- a/roles/sudo-dom0-prompt/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-[Service]
-# Hardening
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
-LockPersonality=true
-MemoryDenyWriteExecute=true
-#PrivateDevices=true #breaks tun usage
-#ProtectProc=invisible
-PrivateTmp=yes
-ProtectClock=true
-ProtectControlGroups=true
-ProtectHome=read-only
-ProtectKernelLogs=true
-#ProtectKernelModules=true
-#ProtectSystem=strict
-#ReadOnlyPaths=/etc/NetworkManager
-ReadOnlyPaths=-/home
-#ReadWritePaths=-/etc/NetworkManager/system-connections
-ReadWritePaths=-/etc/sysconfig/network-scripts
-ReadWritePaths=/var/lib/NetworkManager
-ReadWritePaths=-/var/run/NetworkManager
-ReadWritePaths=-/run/NetworkManager
-RemoveIPC=true
-RestrictNamespaces=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-UMask=0077
diff --git a/roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.service b/roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.service
deleted file mode 100644
index dc97615..0000000
--- a/roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.service
+++ /dev/null
@@ -1,6 +0,0 @@
-[Unit]
-Description=Update user Flatpaks
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/flatpak --user update -y
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.timer b/roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.timer
deleted file mode 100644
index d530fe7..0000000
--- a/roles/sudo-dom0-prompt/files/etc/systemd/user/update-user-flatpaks.timer
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Update user Flatpaks daily
-
-[Timer]
-OnCalendar=daily
-Persistent=true
-
-[Install]
-WantedBy=timers.target
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/systemd/zram-generator.conf b/roles/sudo-dom0-prompt/files/etc/systemd/zram-generator.conf
deleted file mode 100644
index f41f8ca..0000000
--- a/roles/sudo-dom0-prompt/files/etc/systemd/zram-generator.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-[zram0]
-zram-fraction = 1
-max-zram-size = 8192
-compression-algorithm = zstd
\ No newline at end of file
diff --git a/roles/sudo-dom0-prompt/files/etc/xdg-desktop-portal/portals.conf b/roles/sudo-dom0-prompt/files/etc/xdg-desktop-portal/portals.conf
deleted file mode 100644
index e7ae6e3..0000000
--- a/roles/sudo-dom0-prompt/files/etc/xdg-desktop-portal/portals.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[preferred]
-default=gtk;
diff --git a/roles/sudo-dom0-prompt/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js b/roles/sudo-dom0-prompt/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js
deleted file mode 100644
index e69de29..0000000
diff --git a/roles/sudo-dom0-prompt/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js b/roles/sudo-dom0-prompt/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js
deleted file mode 100644
index e69de29..0000000
diff --git a/roles/sudo-dom0-prompt/tasks/main.yaml b/roles/sudo-dom0-prompt/tasks/main.yaml
deleted file mode 100644
index 1c5e670..0000000
--- a/roles/sudo-dom0-prompt/tasks/main.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
----
-- name: Check that the sudo-dom0-prompt exists
- stat:
- path: '/etc/authselect/custom/sudo-dom0-prompt'
- register: stat_result
-
-- name: Create authselect profile
- shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam
- when: not stat_result.stat.exists
-
-- name: Copy authselect file
- ansible.builtin.copy:
- src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
- dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside'
- mode: '0644'
-
-- name: Copy authselect folder
- ansible.builtin.copy:
- src: '/etc/authselect/system-auth'
- dest: '/etc/authselect/custom/sudo-dom0-prompt'
- mode: '0755'
-
-- name: Copy authselect file
- ansible.builtin.copy:
- src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth'
- dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
- mode: '0644'
-
-
-- name: Select authselect profile
- shell: authselect select custom/sudo-dom0-prompt
-
-- name: Fix sudoers.d
- ansible.builtin.copy:
- src: 'etc/sudoers.d/qubes'
- dest: '/etc/sudoers.d/qubes'
- mode: '0440'
-
-- name: Check that allow all rule doesn't exist
- stat:
- path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
- register: allow_all_result
-
-- name: Delete allow all rule
- ansible.builtin.file:
- path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
- state: 'absent'
- when: allow_all_result.stat.exists
-
diff --git a/roles/suid_role/tasks/main.yaml b/roles/suid_role/tasks/main.yaml
new file mode 100644
index 0000000..fc0990b
--- /dev/null
+++ b/roles/suid_role/tasks/main.yaml
@@ -0,0 +1,7 @@
+---
+- name: Check that the sudo-dom0-prompt exists
+ stat:
+ path: '/etc/authselect/custom/sudo-dom0-prompt'
+ register: stat_result
+
+
diff --git a/roles/trivalent/tasks/main.yaml b/roles/trivalent/tasks/main.yaml
index 2d0771f..29b1894 100644
--- a/roles/trivalent/tasks/main.yaml
+++ b/roles/trivalent/tasks/main.yaml
@@ -22,6 +22,7 @@ name: - '*' state: 'latest' + - name: Install trivalent/ffmpeg packages ansible.builtin.dnf5: name:
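Review bot: `register: stat_result` in the new roles/suid_role/tasks/main.yaml is never consumed, and the tasks that used it in the deleted roles/sudo-dom0-prompt/tasks/main.yaml (creating and selecting the authselect profile, installing the etc/sudoers.d/qubes drop-in, removing /etc/polkit-1/rules.d/00-qubes-allow-all.rules) do not reappear in any hunk visible here, so that sudo/polkit hardening appears to be dropped rather than moved. If the port is still pending, a comment above the task such as `# TODO: port the authselect/sudoers/polkit tasks from the removed sudo-dom0-prompt role` would make the gap explicit instead of leaving a role that only stats a path. The module is written as bare `stat:` while the other tasks in this diff use fully qualified names; `ansible.builtin.stat:` keeps it consistent, and the two trailing blank lines at the end of the file can be dropped.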