ansible-playbooks/roles/qubes-f41-gnome/tasks/main.yaml

- name: Configure Fedora 41 Gnome Template
  hosts: 127.0.0.1
  connection: local
  tasks:
   - name: Kill debug-shell service
     ansible.builtin.systemd_service:
       name: debug-shell.service
       masked: true
   - name: Kill kdump service
     ansible.builtin.systemd_service:
       name: kdump.service
       masked: true
   - name: Set umask to 077
     shell: umask 077
   - name: Set umask to 077 in login.defs
     ansible.builtin.replace:
      path: /etc/login.defs
      regexp: '^UMASK.*'
      replace: 'UMASK 077'

   - name: Set umask to 077 in logins.defs
     ansible.builtin.replace:
      path: /etc/login.defs
      regexp: '^HOME_MODE'
      replace: '#HOME_MODE'

   - name: Set umask to 077 in bashrc
     ansible.builtin.replace:
       path: /etc/bashrc
       regexp: 'umask 022'
       replace: 'umask 077'

   - name: Make home directory private
     ansible.builtin.file:
       path: /home/*
       state: directory
       recurse: true
       mode: '0700'

   - name: Harden SSH, add kernel blacklist and hardening
     ansible.builtin.copy:
      src: '..{{ item }}'
      dest: '{{ item }}'
      mode: '0644'
     loop:
      - '/etc/ssh/ssh_config.d/10-custom.conf'
      - '/etc/modprobe.d/workstation-blacklist.conf'
      - '/etc/sysctl.d/99-workstation.conf'
  

   - name: Reload sysctl
     shell: 'sysctl -p'

   - name: Create coredump.conf.d
     ansible.builtin.file:
       path: '/etc/systemd/coredump.conf.d'
       state: 'directory'
       mode: '0755'
   - name: Make locks dir for dconf
     ansible.builtin.file:
       path: '../qubes-config/etc/dconf/db/local.d/locks'
       state: 'directory'
       mode: '0755'
   - name: Fix XDG portals
     ansible.builtin.file:
       path: '../qubes-config/etc/xdg-desktop-portal'
       state: 'directory'
       mode: '0755'

   - name: Copy dconf files + xdg-desktop-portals fix + Network manager
     ansible.builtin.copy:
      src: '..{{ item }}'
      dest: '{{ item }}'
      mode: '0644'
     loop:
      - '/etc/security/limits.d/30-disable-coredump.conf'
      - '/etc/systemd/coredump.conf.d/disable.conf'
      - '/etc/dconf/db/local.d/locks/automount-disable'
      - '/etc/dconf/db/local.d/locks/privacy'
      - '/etc/dconf/db/local.d/adw-gtk3-dark'
      - '/etc/dconf/db/local.d/automount-disable'
      - '/etc/dconf/db/local.d/prefer-dark'
      - '/etc/dconf/db/local.d/privacy'
      - '/etc/xdg-desktop-portal/portals.conf'
      - '/etc/systemd/system/NetworkManager.service.d/99-brace.conf'

   - name: Update dconf
     shell: sudo dconf update

   - name: Setup ZRAM, flatpak updater and environment variables to disable GJS, WebkitGTK JIT, and fix GNOME env variable
     ansible.builtin.copy:
      src: '..{{ item }}'
      dest: '{{ item }}'
      mode: '0600'
     loop:
      - '/etc/systemd/zram-generator.conf'
      - '/etc/systemd/user/update-user-flatpaks.service'
      - '/etc/systemd/user/update-user-flatpaks.timer'
      - '/etc/environment'

   - name: Upgrade all packages
     ansible.builtin.dnf5:
       name: "*"
       state: latest

   - name: Mark packages as manually installed to avoid removal
     shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'

   - name: Remove unnecessary stuff from the template
     ansible.builtin.dnf5:
       name: {{ packages_to_remove }}
       state: 'absent'
       allowerasing: true
       autoremove: true

   - name: Install custom packages
     ansible.builtin.dnf5:
       name:
         - 'qubes-ctap'
         - 'qubes-gpg-split'
         - 'adw-gtk3-theme'
         - 'ncurses'
         - 'gnome-shell'
         - 'ptyxis'
       state: 'present'
   - name: Enable hardened_malloc COPR
     shell: 'sudo dnf copr enable secureblue/hardened_malloc -y'

   - name: Install hardened_malloc
     ansible.builtin.dnf5:
       name: 'hardened_malloc'
       state: 'present'

   - name: Enable hardened_malloc
     ansible.builtin.copy:
       src: '../qubes-config/etc/ld.so.preload'
       dest: '/etc/ld.so.preload'
       mode: '0644'
   - name: Enable hardened_malloc for system wide flatpak
     shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
   - name: Enable hardened_malloc for user flatpak # has to be run per APP VM
     shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
   - name: Setup dnf repos
     ansible.builtin.copy:
       src: '../qubes-config/etc/dnf/dnf.conf'
       dest: '/etc/dnf/dnf.conf'
       mode: '0644'

   - name: Get list of files
     ansible.builtin.find:
       paths: /etc/yum.repos.d/
       recurse: true
     register: found_files

   - name: Replace text in those files
     ansible.builtin.lineinfile:
       backup: true
       backrefs: true
       path: '{{ item.path }}'
       regexp: '^(metalink=.*)$'
       line: '\1&protocol=https'
     loop: '{{ found_files.files }}'