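# Hardens a Fedora 41 GNOME template from inside the template itself
# (localhost, local connection). Every task below writes under /etc or
# drives dnf/systemd, so the play can only succeed as root; `become: true`
# states that explicitly instead of relying on `sudo` inside individual
# shell tasks. It is a no-op when the play is already invoked as root.
- name: Configure Fedora 41 Gnome Template
  hosts: 127.0.0.1
  connection: local
  become: true
  tasks: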
# debug-shell.service offers an unauthenticated root shell on a VT when
# started; masking (not merely disabling) keeps anything from pulling it
# in later.
- name: Kill debug-shell service
  ansible.builtin.systemd_service:
    masked: true
    name: 'debug-shell.service'
# kdump would save kernel crash dumps (raw memory contents) to disk;
# nothing in a template VM collects them, so mask it.
- name: Kill kdump service
  ansible.builtin.systemd_service:
    masked: true
    name: 'kdump.service'
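# login.defs UMASK is what login/useradd (and pam_umask, where enabled)
# use. lineinfile also adds the directive when it is absent, which the
# previous `replace` did not. A former `shell: umask 077` task was
# dropped: umask only affects the shell it runs in, so it never changed
# anything on the target.
- name: Set umask to 077 in login.defs
  ansible.builtin.lineinfile:
    path: /etc/login.defs
    regexp: '^UMASK\b'
    line: 'UMASK 077'
# With HOME_MODE unset, useradd falls back to UMASK for the mode of new
# home directories, i.e. 0700 after the task above.
- name: Let HOME_MODE in login.defs default to UMASK
  ansible.builtin.replace:
    path: /etc/login.defs
    regexp: '^HOME_MODE'
    replace: '#HOME_MODE'
# Fedora's /etc/bashrc and /etc/profile set `umask 002` for users whose
# primary group is their private group (the normal desktop user) and
# `umask 022` otherwise. Matching only `umask 022` left the interactive
# default for the real user at 002, so both spellings are rewritten.
- name: Set umask to 077 in shell startup files
  ansible.builtin.replace:
    path: '{{ item }}'
    regexp: 'umask 0[02]2'
    replace: 'umask 077'
  loop:
    - /etc/bashrc
    - /etc/profile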
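# ansible.builtin.file does not expand globs: a path of `/home/*` creates
# a directory literally named `*`, and `recurse: true` with 0700 would
# also strip group/other bits from (and set +x on) every regular file it
# reached. Enumerate the real home directories and fix only their top
# level; new homes get 0700 from UMASK once HOME_MODE is unset.
- name: Find existing home directories
  ansible.builtin.find:
    paths: /home
    file_type: directory
    recurse: false
  register: home_dirs
- name: Make existing home directories private
  ansible.builtin.file:
    path: '{{ item.path }}'
    state: directory
    mode: '0700'
  loop: '{{ home_dirs.files }}'
  loop_control:
    label: '{{ item.path }}'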
# Client-side settings only (ssh_config.d); openssh-server is removed
# further down, so there is no sshd config to harden in this template.
- name: Harden SSH
  ansible.builtin.copy:
    mode: '0644'
    dest: '/etc/ssh/ssh_config.d/10-custom.conf'
    src: '../qubes-config/etc/ssh/ssh_config.d/10-custom.conf'
# modprobe.d blacklist; it only affects modules loaded from now on,
# anything already loaded in this boot stays until reboot.
- name: Kernel blacklist
  ansible.builtin.copy:
    mode: '0644'
    dest: '/etc/modprobe.d/workstation-blacklist.conf'
    src: '../qubes-config/etc/modprobe.d/workstation-blacklist.conf'
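- name: Kernel hardening
  ansible.builtin.copy:
    src: ../qubes-config/etc/sysctl.d/99-workstation.conf
    dest: /etc/sysctl.d/99-workstation.conf
    mode: '0644'
# `sysctl -p` reloads /etc/sysctl.conf only; the file just written lives
# in /etc/sysctl.d, which is what `--system` walks. changed_when: false
# because the copy above is the task that reports the actual change.
- name: Reload sysctl
  ansible.builtin.command: sysctl --system
  changed_when: false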
# pam_limits drop-in; the file contents are in the source tree
# (presumably a `hard core 0` entry — not visible here).
- name: Disable coredump
  ansible.builtin.copy:
    mode: '0644'
    dest: /etc/security/limits.d/30-disable-coredump.conf
    src: ../qubes-config/etc/security/limits.d/30-disable-coredump.conf
# systemd-coredump drop-in, complementing the limits.d entry above: the
# limit caps cores for processes under PAM sessions, the drop-in governs
# what systemd-coredump does with cores the kernel hands to it.
- name: Create coredump.conf.d
  ansible.builtin.file:
    mode: '0755'
    state: directory
    path: /etc/systemd/coredump.conf.d
- name: Copy disable.conf
  ansible.builtin.copy:
    mode: '0644'
    dest: /etc/systemd/coredump.conf.d/disable.conf
    src: ../qubes-config/etc/systemd/coredump.conf.d/disable.conf
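# The directory must exist on the target before the lock files are copied
# (copy does not create parent directories). The previous path was
# relative to the playbook's working directory, so it created
# ../qubes-config/.../locks on the control side and left
# /etc/dconf/db/local.d/locks untouched.
- name: Make locks dir for dconf
  ansible.builtin.file:
    path: /etc/dconf/db/local.d/locks
    state: directory
    mode: '0755'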
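# The same six files as before, driven from one list; dest mirrors the
# path under ../qubes-config. The `locks/` entries are what make the
# privacy and automount settings mandatory rather than user-overridable.
- name: Copy dconf settings and locks
  ansible.builtin.copy:
    src: '../qubes-config/etc/dconf/db/local.d/{{ item }}'
    dest: '/etc/dconf/db/local.d/{{ item }}'
    mode: '0644'
  loop:
    - locks/automount-disable
    - locks/privacy
    - adw-gtk3-dark
    - automount-disable
    - prefer-dark
    - privacy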
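# Compiles local.d into the binary db. These settings reach users through
# the `system-db:local` line of the dconf profile; dconf's built-in
# default profile includes it — NOTE(review): confirm no
# /etc/dconf/profile/user in the template overrides that. `sudo` dropped:
# the play already runs as root (every task before this one needs it).
- name: Update dconf
  ansible.builtin.command: dconf update
  changed_when: false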
# Read by zram-generator as root during boot, so a root-only mode works
# here (0644 would be the conventional mode for a non-secret config).
- name: Setup ZRAM
  ansible.builtin.copy:
    mode: '0600'
    dest: /etc/systemd/zram-generator.conf
    src: ../qubes-config/etc/systemd/zram-generator.conf
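# Units under /etc/systemd/user are loaded by each user's own
# `systemd --user` instance, which runs unprivileged; a root-owned 0600
# file is unreadable there, so the timer would silently never be
# scheduled. World-readable is the normal mode for unit files.
- name: Flatpak update service and timer
  ansible.builtin.copy:
    src: '../qubes-config/etc/systemd/user/{{ item }}'
    dest: '/etc/systemd/user/{{ item }}'
    mode: '0644'
  loop:
    - update-user-flatpaks.service
    - update-user-flatpaks.timer
# NOTE(review): nothing in this play enables the timer for any user
# (`systemctl --user enable` or a wants symlink); confirm that happens
# elsewhere, e.g. in the unit's source tree or a preset.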
# Consumed by pam_env (running as root) at login; the variables live in
# the source file. NOTE(review): 0600 hides the file from unprivileged
# readers — fine for pam_env, but the file holds no secrets and 0644 is
# the distro default, so the tighter mode buys nothing.
- name: Set environment variables to disable GJS, WebkitGTK JIT, as well as fix GNOME env variable
  ansible.builtin.copy:
    mode: '0600'
    dest: /etc/environment
    src: ../qubes-config/etc/environment
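- name: Upgrade all packages
  ansible.builtin.dnf5:
    name: '*'
    state: latest
# `dnf mark user` records these as explicitly requested so that the
# `autoremove: true` removal below cannot drop them as orphaned
# dependencies. `sudo` dropped: the play already runs as root.
- name: Mark packages as manually installed to avoid removal
  ansible.builtin.command:
    argv:
      - dnf
      - mark
      - user
      - flatpak
      - gnome-menus
      - qubes-menus
      - '-y'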
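# Trims the template's attack surface: network services and clients,
# crash/telemetry tooling, input methods, and desktop apps. With
# `allowerasing: true` dnf will also erase anything depending on a listed
# package, and several entries are broad globs (`*perl*`, `*speech*`,
# `*cups`, `quota*`, `ppp*`) — NOTE(review): review the transaction once
# on a fresh template so a glob cannot pull out something Qubes tooling
# needs.
- name: Remove unnecessary stuff from the template
  ansible.builtin.dnf5:
    name:
      - '@Container Management'
      - '@Desktop Accessibility'
      - '@Firefox Web Browser'
      - '@Guest Desktop Agents'
      - '@Libreoffice'
      - '@Printing Support'
      - 'gnome-software'
      - 'httpd'
      - 'keepassxc'
      - 'thunderbird'
      - 'fedora-bookmarks'
      - 'fedora-chromium-config'
      - 'firefox'
      - 'mozilla-filesystem'
      - 'avahi'                 # mDNS responder, listens on the network
      - 'cifs*'
      - '*cups'
      - 'dmidecode'
      - 'dnsmasq'
      - 'geolite2*'
      - 'mtr'
      - 'net-snmp-libs'
      - 'net-tools'
      - 'nfs-utils'
      - 'nmap-ncat'
      - 'opensc'
      - 'openssh-server'        # no inbound SSH into a template
      - 'rsync'
      - 'rygel'                 # UPnP/DLNA media server
      - 'sgpio'
      - 'tcpdump'
      - 'teamd'
      - 'traceroute'
      - 'usb_modeswitch'
      - '*anthy*'
      - '*hangul*'
      - 'ibus-typing-booster'
      - '*m17n*'
      - '*pinyin*'
      - '*speech*'
      - 'texlive-libs'
      - 'words'                 # was ' words' (leading space) — matched nothing
      - '*zhuyin*'
      - 'openh264'
      - 'ImageMagick*'
      - 'sane*'
      - 'simple-scan'
      - 'sssd*'
      - 'realmd'
      - 'cyrus-sasl-gssapi'
      - 'quota*'
      - 'dos2unix'
      - 'kpartx'
      - 'sos'
      - 'samba-client'
      - 'gvfs-smb'
      - 'NetworkManager-pptp-gnome'
      - 'NetworkManager-ssh-gnome'
      - 'NetworkManager-openconnect-gnome'
      - 'NetworkManager-openvpn-gnome'
      - 'NetworkManager-vpnc-gnome'
      - 'ppp*'
      - 'ModemManager'
      - 'baobab'
      - 'chrome-gnome-shell'
      - 'eog'
      - 'gnome-boxes'
      - 'gnome-calculator'
      - 'gnome-calendar'
      - 'gnome-characters'
      - 'gnome-classic*'
      - 'gnome-clocks'
      - 'gnome-color-manager'
      - 'gnome-connections'
      - 'gnome-contacts'
      - 'gnome-disk-utility'
      - 'gnome-font-viewer'
      - 'gnome-logs'
      - 'gnome-maps'
      - 'gnome-photos'
      - 'gnome-remote-desktop'  # RDP/VNC server
      - 'gnome-screenshot'
      - 'gnome-shell-extension-apps-menu'
      - 'gnome-shell-extension-background-logo'
      - 'gnome-shell-extension-launch-new-instance'
      - 'gnome-shell-extension-places-menu'
      - 'gnome-shell-extension-window-list'
      - 'gnome-text-editor'
      - 'gnome-themes-extra'
      - 'gnome-tour'
      - 'gnome-user*'
      - 'gnome-weather'
      - 'loupe'
      - 'snapshot'
      - 'totem'
      - 'abrt*'                 # crash reporting/upload daemon
      - 'cheese'
      - 'evince'
      - 'file-roller*'
      - 'libreoffice*'
      - 'mediawriter'
      - 'rhythmbox'
      - 'yelp'
      - 'lvm2'
      - 'rng-tools'
      - 'thermald'
      - '*perl*'
    state: 'absent'
    allowerasing: true
    autoremove: true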
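# The openh264 repo is served by Cisco rather than the Fedora mirrors, and
# openh264 itself is removed above, so leaving it enabled only adds a
# third-party metadata fetch to every dnf run. This is the dnf5 spelling
# (`setopt`); the dnf4-era community.general.dnf_config_manager module
# does not apply here. `sudo` dropped: the play already runs as root.
- name: Disable openh264 repo
  ansible.builtin.command: dnf config-manager setopt fedora-cisco-openh264.enabled=0
  changed_when: false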
# Qubes split-GPG and CTAP agents, the GTK theme (presumably the one the
# adw-gtk3-dark dconf file above selects), ncurses, the shell itself and
# a terminal emulator.
- name: Install custom packages
  ansible.builtin.dnf5:
    state: 'present'
    name:
      - qubes-ctap
      - qubes-gpg-split
      - adw-gtk3-theme
      - ncurses
      - gnome-shell
      - ptyxis
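# hardened_malloc comes from a COPR, i.e. a third-party build. Enabling it
# imports that project's signing key and adds a repo that dnf treats like
# any other: it can ship newer versions of any package name, not only
# hardened_malloc, so this is a trust decision about the COPR owner.
# `creates` keeps the enable step idempotent — NOTE(review): confirm the
# repo filename dnf5's copr plugin writes on this release.
- name: Enable hardened_malloc COPR
  ansible.builtin.command:
    argv:
      - dnf
      - copr
      - enable
      - secureblue/hardened_malloc
      - '-y'
    creates: /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo
- name: Install hardened_malloc
  ansible.builtin.dnf5:
    name: hardened_malloc
    state: present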
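# /etc/ld.so.preload is honoured by the dynamic loader for every process,
# setuid ones included (unlike the LD_PRELOAD variable). A missing entry
# makes every exec print an ld.so warning, and a broken library affects
# the whole VM, so refuse to install the file unless the library exists.
# The path is taken from the flatpak override below — TODO confirm it
# matches the entry in ../qubes-config/etc/ld.so.preload.
- name: Check hardened_malloc library is installed
  ansible.builtin.stat:
    path: /usr/lib64/libhardened_malloc.so
  register: hardened_malloc_lib
- name: Refuse to preload a missing library
  ansible.builtin.assert:
    that: hardened_malloc_lib.stat.exists
    fail_msg: /usr/lib64/libhardened_malloc.so is missing; not installing /etc/ld.so.preload
- name: Enable hardened_malloc
  ansible.builtin.copy:
    src: ../qubes-config/etc/ld.so.preload
    dest: /etc/ld.so.preload
    mode: '0644'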
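# `--filesystem=host-os:ro` exposes the host's /usr read-only under
# /run/host inside every flatpak so the sandbox can reach the library; it
# also lets any flatpak read all host binaries and libraries, a
# deliberate trade against sandbox tightness. LD_PRELOAD applies to every
# app regardless of the runtime it ships; apps that misbehave need a
# per-app override. `sudo` dropped: the play already runs as root.
- name: Enable hardened_malloc for system wide flatpak
  ansible.builtin.command:
    argv:
      - flatpak
      - override
      - '--system'
      - '--filesystem=host-os:ro'
      - '--env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
  changed_when: false
# The per-user override must be written by the user it is for; run as
# root it lands in root's own ~/.local/share/flatpak/overrides instead.
# NOTE(review): `become: false` only helps when the play is invoked as
# that user and escalates per task; if the whole play is started as root
# this task still configures root.
- name: Enable hardened_malloc for user flatpak
  ansible.builtin.command:
    argv:
      - flatpak
      - override
      - '--user'
      - '--filesystem=host-os:ro'
      - '--env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
  become: false
  changed_when: false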
# NOTE(review): dnf.conf and the https-only metalink rewrite that follows
# are applied after the upgrade/removal/install tasks above, so the first
# run fetches everything under the stock repo configuration; consider
# moving this stretch ahead of 'Upgrade all packages'.
- name: Setup dnf repos
  ansible.builtin.copy:
    mode: '0644'
    dest: /etc/dnf/dnf.conf
    src: ../qubes-config/etc/dnf/dnf.conf
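# dnf only reads *.repo files from reposdir, so restrict to those. The
# unfiltered find also returned the `<name>.repo.<pid>.<time>~` backups
# that the lineinfile below (`backup: true`) leaves in the same
# directory, so every re-run edited and re-backed-up the previous run's
# backups as well. NOTE(review): that lineinfile still appends
# `&protocol=https` unconditionally — a second run on an already
# rewritten line yields `…&protocol=https&protocol=https`; its regexp
# should skip lines that already contain `protocol=https`.
- name: Get list of repo files
  ansible.builtin.find:
    paths: /etc/yum.repos.d/
    patterns: '*.repo'
    file_type: file
    recurse: true
  register: found_files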
- name: Replace text in those files
ansible.builtin.lineinfile:
backup: true
backrefs: true
path: '{{ item.path }}'
regexp: '^(metalink=.*)$'
line: '\1&protocol=https'
loop: '{{ found_files.files }}'