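---
# Hardening and cleanup playbook for a Fedora 41 GNOME (Qubes) template.
# It runs against the local machine. There is no `become` anywhere, and the
# tasks write under /etc and drive dnf/flatpak, so the play as a whole must
# already be running as root; the `sudo` prefixes kept on a few commands are
# then redundant but harmless.
- name: Configure Fedora 41 Gnome Template
  hosts: 127.0.0.1
  connection: local
  tasks:
    # --- systemd units that must never be started ---------------------------
    - name: Mask debug-shell service
      ansible.builtin.systemd_service:
        name: debug-shell.service
        masked: true

    - name: Mask kdump service
      ansible.builtin.systemd_service:
        name: kdump.service
        masked: true

    # --- default umask ------------------------------------------------------
    # A former `shell: umask 077` task was dropped: umask only changes the
    # process that sets it, so it affected nothing beyond that one shell.
    # The persistent settings are the three file edits below.
    - name: Set umask to 077 in login.defs
      ansible.builtin.replace:
        path: /etc/login.defs
        regexp: '^UMASK.*'
        replace: 'UMASK 077'

    - name: Comment out HOME_MODE in login.defs
      # With HOME_MODE unset, useradd derives the mode of new home directories
      # from UMASK, so the 077 above also governs freshly created homes.
      ansible.builtin.replace:
        path: /etc/login.defs
        regexp: '^HOME_MODE'
        replace: '#HOME_MODE'

    - name: Set umask to 077 in bashrc
      # Fedora's /etc/bashrc normally sets `umask 002` for users whose primary
      # group is their private group and `umask 022` otherwise; matching only
      # `umask 022` left ordinary users at 002. Match any 0xx value instead.
      ansible.builtin.replace:
        path: /etc/bashrc
        regexp: 'umask 0[0-7]{2}'
        replace: 'umask 077'

    # --- home directories ---------------------------------------------------
    # ansible.builtin.file does not expand globs: the former `path: /home/*`
    # would have created a directory literally named "*". Enumerate instead.
    - name: Find user home directories
      ansible.builtin.find:
        paths: /home
        file_type: directory
        recurse: false
      register: home_dirs

    - name: Make home directories private
      ansible.builtin.file:
        path: '{{ item.path }}'
        state: directory
        recurse: true
        # `X` keeps the execute bit only on directories and on files that
        # already have it, so regular files become 0600 instead of 0700.
        mode: 'u=rwX,g=,o='
      loop: '{{ home_dirs.files }}'
      loop_control:
        label: '{{ item.path }}'

    # --- SSH client and kernel configuration --------------------------------
    - name: Harden SSH
      ansible.builtin.copy:
        src: ../qubes-config/etc/ssh/ssh_config.d/10-custom.conf
        dest: /etc/ssh/ssh_config.d/10-custom.conf
        mode: '0644'

    - name: Kernel blacklist
      ansible.builtin.copy:
        src: ../qubes-config/etc/modprobe.d/workstation-blacklist.conf
        dest: /etc/modprobe.d/workstation-blacklist.conf
        mode: '0644'

    - name: Kernel hardening
      ansible.builtin.copy:
        src: ../qubes-config/etc/sysctl.d/99-workstation.conf
        dest: /etc/sysctl.d/99-workstation.conf
        mode: '0644'

    - name: Reload sysctl
      # `sysctl -p` reads only /etc/sysctl.conf; `--system` also walks
      # /etc/sysctl.d, which is where the file above was placed.
      ansible.builtin.command: sysctl --system
      changed_when: false

    # --- core dumps ---------------------------------------------------------
    - name: Disable coredump
      ansible.builtin.copy:
        src: '../qubes-config/etc/security/limits.d/30-disable-coredump.conf'
        dest: '/etc/security/limits.d/30-disable-coredump.conf'
        mode: '0644'

    - name: Create coredump.conf.d
      ansible.builtin.file:
        path: '/etc/systemd/coredump.conf.d'
        state: directory
        mode: '0755'

    - name: Copy disable.conf
      ansible.builtin.copy:
        src: '../qubes-config/etc/systemd/coredump.conf.d/disable.conf'
        dest: '/etc/systemd/coredump.conf.d/disable.conf'
        mode: '0644'

    # --- dconf system database ----------------------------------------------
    # NOTE(review): these files only take effect if /etc/dconf/profile/user
    # lists `system-db:local`; the playbook does not check that — confirm.
    - name: Make locks dir for dconf
      ansible.builtin.file:
        # Target-side path; the former value pointed into the source tree
        # (../qubes-config/...), creating a directory next to the playbook.
        path: '/etc/dconf/db/local.d/locks'
        state: directory
        mode: '0755'

    - name: copy dconf file 1
      ansible.builtin.copy:
        src: '../qubes-config/etc/dconf/db/local.d/locks/automount-disable'
        dest: '/etc/dconf/db/local.d/locks/automount-disable'
        mode: '0644'

    - name: copy dconf file 2
      ansible.builtin.copy:
        src: '../qubes-config/etc/dconf/db/local.d/locks/privacy'
        dest: '/etc/dconf/db/local.d/locks/privacy'
        mode: '0644'

    - name: copy dconf file 3
      ansible.builtin.copy:
        src: '../qubes-config/etc/dconf/db/local.d/adw-gtk3-dark'
        dest: '/etc/dconf/db/local.d/adw-gtk3-dark'
        mode: '0644'

    - name: copy dconf file 4
      ansible.builtin.copy:
        src: '../qubes-config/etc/dconf/db/local.d/automount-disable'
        dest: '/etc/dconf/db/local.d/automount-disable'
        mode: '0644'

    - name: copy dconf file 5
      ansible.builtin.copy:
        src: '../qubes-config/etc/dconf/db/local.d/prefer-dark'
        dest: '/etc/dconf/db/local.d/prefer-dark'
        mode: '0644'

    - name: copy dconf file 6
      ansible.builtin.copy:
        src: '../qubes-config/etc/dconf/db/local.d/privacy'
        dest: '/etc/dconf/db/local.d/privacy'
        mode: '0644'

    - name: Update dconf
      # Rebuilds the compiled database from local.d; always a no-op in terms
      # of state, so do not report it as a change.
      ansible.builtin.command: sudo dconf update
      changed_when: false

    # --- systemd: zram and user-level flatpak updates -----------------------
    - name: Setup ZRAM
      ansible.builtin.copy:
        src: '../qubes-config/etc/systemd/zram-generator.conf'
        dest: '/etc/systemd/zram-generator.conf'
        mode: '0600'

    # Units under /etc/systemd/user are read by each user's own, unprivileged
    # systemd instance, so they must be world-readable; 0600 root-owned files
    # would silently never load for the template user.
    - name: Flatpak update service
      ansible.builtin.copy:
        src: '../qubes-config/etc/systemd/user/update-user-flatpaks.service'
        dest: '/etc/systemd/user/update-user-flatpaks.service'
        mode: '0644'

    - name: Flatpak update timer
      ansible.builtin.copy:
        src: '../qubes-config/etc/systemd/user/update-user-flatpaks.timer'
        dest: '/etc/systemd/user/update-user-flatpaks.timer'
        mode: '0644'

    - name: Set environment variables to disable GJS, WebkitGTK JIT, as well as fix GNOME env variable
      # NOTE(review): /etc/environment is conventionally 0644. pam_env reads it
      # as root so 0600 works for PAM logins, but anything that reads the file
      # as the user would be locked out — confirm before keeping 0600.
      ansible.builtin.copy:
        src: '../qubes-config/etc/environment'
        dest: '/etc/environment'
        mode: '0600'

    # --- packages -----------------------------------------------------------
    - name: Upgrade all packages
      ansible.builtin.dnf5:
        name: "*"
        state: latest

    - name: Mark packages as manually installed to avoid removal
      # Must run before the removal below, which uses autoremove.
      ansible.builtin.command: sudo dnf mark user flatpak gnome-menus qubes-menus -y

    - name: Remove unnecessary stuff from the template
      # allowerasing lets dnf remove anything that depends on these specs;
      # the broad globs (*perl*, *speech*, *cups, ...) deserve a look at the
      # transaction summary on a fresh template before trusting a run.
      ansible.builtin.dnf5:
        name:
          - '@Container Management'
          - '@Desktop Accessibility'
          - '@Firefox Web Browser'
          - '@Guest Desktop Agents'
          - '@Libreoffice'
          - '@Printing Support'
          - 'gnome-software'
          - 'httpd'
          - 'keepassxc'
          - 'thunderbird'
          - 'fedora-bookmarks'
          - 'fedora-chromium-config'
          - 'firefox'
          - 'mozilla-filesystem'
          - 'avahi'
          - 'cifs*'
          - '*cups'
          - 'dmidecode'
          - 'dnsmasq'
          - 'geolite2*'
          - 'mtr'
          - 'net-snmp-libs'
          - 'net-tools'
          - 'nfs-utils'
          - 'nmap-ncat'
          - 'opensc'
          - 'openssh-server'
          - 'rsync'
          - 'rygel'
          - 'sgpio'
          - 'tcpdump'
          - 'teamd'
          - 'traceroute'
          - 'usb_modeswitch'
          - '*anthy*'
          - '*hangul*'
          - 'ibus-typing-booster'
          - '*m17n*'
          - '*pinyin*'
          - '*speech*'
          - 'texlive-libs'
          - 'words'  # was ' words' (leading space), which matches no package
          - '*zhuyin*'
          - 'openh264'
          - 'ImageMagick*'
          - 'sane*'
          - 'simple-scan'
          - 'sssd*'
          - 'realmd'
          - 'cyrus-sasl-gssapi'
          - 'quota*'
          - 'dos2unix'
          - 'kpartx'
          - 'sos'
          - 'samba-client'
          - 'gvfs-smb'
          - 'NetworkManager-pptp-gnome'
          - 'NetworkManager-ssh-gnome'
          - 'NetworkManager-openconnect-gnome'
          - 'NetworkManager-openvpn-gnome'
          - 'NetworkManager-vpnc-gnome'
          - 'ppp*'
          - 'ModemManager'
          - 'baobab'
          - 'chrome-gnome-shell'
          - 'eog'
          - 'gnome-boxes'
          - 'gnome-calculator'
          - 'gnome-calendar'
          - 'gnome-characters'
          - 'gnome-classic*'
          - 'gnome-clocks'
          - 'gnome-color-manager'
          - 'gnome-connections'
          - 'gnome-contacts'
          - 'gnome-disk-utility'
          - 'gnome-font-viewer'
          - 'gnome-logs'
          - 'gnome-maps'
          - 'gnome-photos'
          - 'gnome-remote-desktop'
          - 'gnome-screenshot'
          - 'gnome-shell-extension-apps-menu'
          - 'gnome-shell-extension-background-logo'
          - 'gnome-shell-extension-launch-new-instance'
          - 'gnome-shell-extension-places-menu'
          - 'gnome-shell-extension-window-list'
          - 'gnome-text-editor'
          - 'gnome-themes-extra'
          - 'gnome-tour'
          - 'gnome-user*'
          - 'gnome-weather'
          - 'loupe'
          - 'snapshot'
          - 'totem'
          - 'abrt*'
          - 'cheese'
          - 'evince'
          - 'file-roller*'
          - 'libreoffice*'
          - 'mediawriter'
          - 'rhythmbox'
          - 'yelp'
          - 'lvm2'
          - 'rng-tools'
          - 'thermald'
          - '*perl*'
        state: absent
        allowerasing: true
        autoremove: true

    - name: Disable openh264 repo (y tho?)
      ansible.builtin.command: sudo dnf config-manager setopt fedora-cisco-openh264.enabled=0
      # Native alternative if community.general is available:
      # community.general.dnf_config_manager:
      #   name: 'fedora-cisco-openh264'
      #   state: disabled

    - name: Install custom packages
      ansible.builtin.dnf5:
        name:
          - 'qubes-ctap'
          - 'qubes-gpg-split'
          - 'adw-gtk3-theme'
          - 'ncurses'
          - 'gnome-shell'
          - 'ptyxis'
        state: present

    # --- hardened_malloc ----------------------------------------------------
    - name: Enable hardened_malloc COPR
      ansible.builtin.command: sudo dnf copr enable secureblue/hardened_malloc -y
      # Native alternative if community.general is available:
      # community.general.copr:
      #   name: 'secureblue/hardened_malloc'
      #   state: 'enabled'

    - name: Install hardened_malloc
      ansible.builtin.dnf5:
        name: 'hardened_malloc'
        state: present

    - name: Enable hardened_malloc
      # ld.so.preload is read by the dynamic loader in every process, so it
      # must stay world-readable.
      ansible.builtin.copy:
        src: '../qubes-config/etc/ld.so.preload'
        dest: '/etc/ld.so.preload'
        mode: '0644'

    - name: Enable hardened_malloc for system wide flatpak
      ansible.builtin.command: sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so

    - name: Enable hardened_malloc for user flatpak
      # NOTE(review): `--user` writes to the flatpak config of whoever runs
      # the play; if that is root, the template user gets no override — confirm.
      ansible.builtin.command: flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so

    # --- dnf configuration and repositories ---------------------------------
    - name: Setup dnf repos
      ansible.builtin.copy:
        src: '../qubes-config/etc/dnf/dnf.conf'
        dest: '/etc/dnf/dnf.conf'
        mode: '0644'

    - name: Get list of repo files
      ansible.builtin.find:
        paths: /etc/yum.repos.d/
        # Only real repo definitions; without this the backups written by the
        # next task (*.repo.<ts>~) would be picked up and edited on re-runs.
        patterns: '*.repo'
        recurse: true
      register: found_files

    - name: Force HTTPS for metalink URLs in repo files
      ansible.builtin.lineinfile:
        backup: true
        backrefs: true
        path: '{{ item.path }}'
        # The negative lookahead makes this idempotent; the former pattern
        # appended another `&protocol=https` on every run.
        regexp: '^(metalink=(?!.*protocol=https).*)$'
        line: '\1&protocol=https'
      loop: '{{ found_files.files }}'
      loop_control:
        label: '{{ item.path }}'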