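---
# Workstation hardening tasks: masks debug/kdump services, tightens the
# default umask, ships hardening drop-ins (SSH client, modprobe blacklist,
# sysctl, coredump, dconf), enables hardened_malloc and pins dnf metalinks
# to HTTPS.
#
# Variables expected from the caller: umask_changes, manage_network.
# Tasks that write under /etc already run with root privileges; where the
# original embedded `sudo` in a shell command, `become: true` is used instead.

- name: Mask debug-shell service
  ansible.builtin.systemd_service:
    name: debug-shell.service
    masked: true

- name: Mask kdump service
  ansible.builtin.systemd_service:
    name: kdump.service
    masked: true

# The former `shell: umask 077` task was removed: umask only affects the
# shell process it runs in and left nothing behind. The persistent umask is
# set through login.defs and bashrc below.

- name: Set UMASK to 077 in login.defs
  ansible.builtin.replace:
    path: /etc/login.defs
    regexp: '^UMASK.*'
    replace: 'UMASK 077'
  when: umask_changes | bool

- name: Comment out HOME_MODE in login.defs so new home dirs follow UMASK
  ansible.builtin.replace:
    path: /etc/login.defs
    regexp: '^HOME_MODE'
    replace: '#HOME_MODE'
  when: umask_changes | bool

- name: Set umask to 077 in bashrc
  ansible.builtin.replace:
    path: /etc/bashrc
    regexp: 'umask 022'
    replace: 'umask 077'
  when: umask_changes | bool

# ansible.builtin.file does not expand globs: `path: /home/*` would create a
# literal directory named "*" instead of touching the real home directories.
# Enumerate them on the managed host and tighten each one.
- name: Find home directories
  ansible.builtin.find:
    paths: /home
    file_type: directory
    recurse: false
  register: home_dirs
  when: umask_changes | bool

- name: Make home directories private
  ansible.builtin.file:
    path: '{{ item.path }}'
    state: directory
    # Kept from the original: 0700 is applied to everything beneath each home,
    # regular files included.
    recurse: true
    mode: '0700'
  loop: '{{ home_dirs.files | default([]) }}'
  loop_control:
    label: '{{ item.path }}'
  when: umask_changes | bool

- name: Harden SSH client, blacklist kernel modules, install sysctl hardening
  ansible.builtin.copy:
    src: '{{ item }}'
    dest: '/{{ item }}'
    mode: '0644'
  loop:
    - 'etc/ssh/ssh_config.d/10-custom.conf'
    - 'etc/modprobe.d/workstation-blacklist.conf'
    - 'etc/sysctl.d/99-workstation.conf'

# `sysctl -p` without a file reads only /etc/sysctl.conf, so the drop-in
# copied above was never applied; `--system` also loads /etc/sysctl.d/*.
- name: Reload sysctl settings
  ansible.builtin.command: sysctl --system
  changed_when: false

- name: Create drop-in directories for coredump, dconf locks and xdg portals
  ansible.builtin.file:
    path: '{{ item }}'
    state: directory
    mode: '0755'
  loop:
    - '/etc/systemd/coredump.conf.d'
    - '/etc/dconf/db/local.d/locks'
    # Nothing in this file copies into this directory; presumably populated
    # elsewhere — confirm.
    - '/etc/xdg-desktop-portal'

- name: Create NetworkManager service drop-in directory
  ansible.builtin.file:
    path: '/etc/systemd/system/NetworkManager.service.d'
    state: directory
    mode: '0755'
  when: manage_network | bool

- name: Install NetworkManager service drop-in
  ansible.builtin.copy:
    src: 'etc/systemd/system/NetworkManager.service.d/99-brace.conf'
    dest: '/etc/systemd/system/NetworkManager.service.d/99-brace.conf'
    mode: '0644'
  when: manage_network | bool

- name: Disable coredumps and install dconf privacy settings and locks
  ansible.builtin.copy:
    src: '{{ item }}'
    dest: '/{{ item }}'
    mode: '0644'
  loop:
    - 'etc/security/limits.d/30-disable-coredump.conf'
    - 'etc/systemd/coredump.conf.d/disable.conf'
    - 'etc/dconf/db/local.d/locks/privacy'
    - 'etc/dconf/db/local.d/privacy'

# Recompiles the system dconf database from /etc/dconf/db/local.d so the
# privacy settings and locks copied above take effect.
- name: Compile dconf databases
  ansible.builtin.command: dconf update
  become: true
  changed_when: false

- name: Setup ZRAM, user flatpak updater and environment (disables GJS + WebKitGTK JIT)
  ansible.builtin.copy:
    src: '{{ item }}'
    dest: '/{{ item }}'
    mode: '0644'
  loop:
    - 'etc/systemd/zram-generator.conf'
    - 'etc/systemd/user/update-user-flatpaks.service'
    - 'etc/systemd/user/update-user-flatpaks.timer'
    - 'etc/environment'

- name: Drop flathub script into /etc/skel for users of AppVMs based on this template
  ansible.builtin.copy:
    src: 'etc/skel/flathub.sh'
    dest: '/etc/skel/flathub.sh'
    mode: '0700'

- name: Upgrade all packages
  ansible.builtin.dnf5:
    name: '*'
    state: latest

- name: Mark packages as user-installed so autoremove keeps them
  ansible.builtin.command: dnf mark user flatpak gnome-menus qubes-menus -y
  become: true

- name: Enable hardened_malloc COPR
  ansible.builtin.command: dnf copr enable secureblue/hardened_malloc -y
  become: true

- name: Install hardened_malloc
  ansible.builtin.dnf5:
    name: 'hardened_malloc'
    state: 'present'

# Preloads hardened_malloc into every dynamically linked process on the host.
- name: Enable hardened_malloc system-wide via ld.so.preload
  ansible.builtin.copy:
    src: 'etc/ld.so.preload'
    dest: '/etc/ld.so.preload'
    mode: '0644'

# Flatpak sandboxes do not see /etc/ld.so.preload; expose the host library
# read-only and preload it through the environment instead.
- name: Enable hardened_malloc for system-wide flatpaks
  ansible.builtin.command: >-
    flatpak override --system --filesystem=host-os:ro
    --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
  become: true

# Writes the override for the user Ansible runs as; it has to be run inside
# each AppVM as the desktop user to take effect there.
- name: Enable hardened_malloc for user flatpaks
  ansible.builtin.command: >-
    flatpak override --user --filesystem=host-os:ro
    --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so

- name: Install dnf.conf
  ansible.builtin.copy:
    src: 'etc/dnf/dnf.conf'
    dest: '/etc/dnf/dnf.conf'
    mode: '0644'

# Only *.repo files are read by dnf; restricting the match keeps backups and
# stray files in the directory untouched.
- name: Find dnf repo files
  ansible.builtin.find:
    paths: /etc/yum.repos.d/
    patterns: '*.repo'
    recurse: true
  register: found_files

# Force HTTPS on metalink URLs. The negative lookahead makes this idempotent:
# the original '^(metalink=.*)$' also matched lines that already carried the
# suffix and appended a further '&protocol=https' on every run.
- name: Force HTTPS on repo metalinks
  ansible.builtin.lineinfile:
    backup: true
    backrefs: true
    path: '{{ item.path }}'
    regexp: '^(metalink=(?!.*protocol=https).*)$'
    line: '\1&protocol=https'
  loop: '{{ found_files.files }}'
  loop_control:
    label: '{{ item.path }}'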