feat: add baseline and arkenfox role

roles/arkenfox/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js

@@ -0,0 +1,55 @@
+//Look
+pref("browser.ctrlTab.recentlyUsedOrder", false);
+pref("browser.privatebrowsing.vpnpromourl", "");
+pref("browser.vpn_promo.enabled", false);
+pref("browser.tabs.drawInTitlebar", true);
+pref("devtools.netmonitor.persistlog", true);
+pref("devtools.webconsole.persistlog", true);
+pref("general.smoothScroll", false);
+pref("widget.allow-client-side-decoration", true);
+pref("mailnews.start_page.enabled", false);
+pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "{}"); //BRACE-KEEP_FOR_NOW
+pref("browser.library.activity-stream.enabled", false); //BRACE-UNCOMMENTED
+
+//Privacy
+pref("privacy.globalprivacycontrol.enabled", true);
+pref("browser.snippets.enabled", false);
+pref("browser.snippets.firstrunHomepage.enabled", false);
+pref("browser.snippets.syncPromo.enabled", false);
+pref("browser.snippets.updateUrl", "");
+pref("general.useragent.updates.enabled", false);
+pref("network.negotiate-auth.trusted-uris", "");
+pref("network.dns.native_https_query", true);
+pref("network.trr.uri", "https://dns.quad9.net/dns-query");
+pref("network.trr.custom_uri", "https://dns.quad9.net/dns-query");
+pref("plugin.expose_full_path", false);
+pref("extensions.enigmail.autoWkdLookup", 0);
+pref("messenger.status.reportIdle", false);
+pref("media.gmp-widevinecdm.visible", false); //BRACE-KEEP_FOR_NOW: proprietary
+pref("network.manage-offline-status", false);
+pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false);
+pref("browser.urlbar.suggest.quicksuggest.sponsored", false);
+pref("browser.urlbar.quicksuggest.dataCollection.enabled", false);
+pref("mailnews.headers.sendUserAgent", false);
+pref("mail.sanitize_date_header", true);
+pref("dom.private-attribution.submission.enabled", false);
+
+//Security
+pref("browser.gnome-search-provider.enabled", false);
+pref("fission.autostart", true); //MULL-COMMENT_ME
+pref("security.webauth.u2f", true); //MULL-COMMENT_ME
+pref("security.tls.enable_kyber", true);
+pref("network.http.http3.enable_kyber", true);
+pref("mail.phishing.detection.enabled", true);
+pref("mailnews.message_display.disable_remote_image", true);
+
+//Disable Pocket
+pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
+pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
+pref("extensions.pocket.enabled", false);
+
+//Disable Sync
+pref("identity.fxaccounts.enabled", false);
+
+//Fix IPv6 when using DoH
+pref("network.dns.preferIPv6", true); //BRACE-KEEP_FOR_NOW

roles/arkenfox/files/usr/lib64/firefox/browser/defaults/preferences/userjs-override.js

@@ -0,0 +1,11 @@
+pref("privacy.resistFingerprinting.letterboxing", false); // disable letterboxing because it's very annoying
+pref("javascript.options.wasm", true); // enable WASM because element and proton need it
+pref("general.smoothScroll", true); // why do I have this set?
+
+pref("browser.bookmarks.restore_default_bookmarks", false); // remove Fedora's default bookmarks because I never use them
+pref("browser.bookmarks.file", '');
+
+// override blank homepage
+pref("browser.startup.page", 1);
+pref("browser.startup.homepage", "about:home");
+pref("browser.newtabpage.enabled", true);

roles/arkenfox/files/usr/lib64/firefox/distribution/policies.json

@@ -0,0 +1,62 @@
+{
+	"policies": {
+		"Cookies": {
+			"Behavior": "reject-tracker-and-partition-foreign",
+			"BehaviorPrivateBrowsing": "reject-tracker-and-partition-foreign"
+		},
+		"DisableFirefoxAccounts": true,
+		"DisableFirefoxStudies": true,
+		"DisablePocket": true,
+		"DisableSecurityBypass": false,
+		"DisableTelemetry": true,
+		"EnableTrackingProtection": {
+			"Value": true,
+			"Locked": false,
+			"Cryptomining": true,
+			"Fingerprinting": true,
+			"EmailTracking": true
+		},
+		"DNSOverHTTPS": {
+			"Enabled": true,
+			"Locked": false,
+			"Fallback": false,
+			"ProviderURL": "https://dns.quad9.net/dns-query"
+		},
+		"Extensions": {
+			"Install": [
+				"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
+				]
+		},
+		"ExtensionSettings": {
+			},
+			"uBlock0@raymondhill.net": {
+				"installation_mode": "force_installed",
+				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/uBlock0@raymondhill.net/latest.xpi"
+
+		},
+		"FirefoxHome": {
+			"Search": true,
+			"TopSites": false,
+			"SponsoredTopSites": false,
+			"Highlights": false,
+			"Pocket": false,
+			"SponsoredPocket": false,
+			"Snippets": false,
+			"Locked": false
+		},
+		"FirefoxSuggest": {
+			"WebSuggestions": false,
+			"SponsoredSuggestions": false,
+			"ImproveSuggest": false,
+			"Locked": false
+		},
+		"NetworkPrediction": false,
+		"OverrideFirstRunPage": "about:home",
+		"UserMessaging": {
+			"WhatsNew": false,
+			"ExtensionRecommendations": false,
+			"FeatureRecommendations": false,
+			"SkipOnboarding": false
+		}
+	}
+}

roles/arkenfox/tasks/main.yaml

@@ -0,0 +1,23 @@
+- name: Copy arkenfox files
+  ansible.builtin.copy:
+    src: '{{ item }}'
+    dest: '/{{ item }}'
+    mode: '0644'
+  loop:
+    - 'usr/lib64/firefox/distribution/policies.json'
+- name: Copy arkenfox template
+  ansible.builtin.template:
+    src: 'userjs.j2' 
+    dest: '/usr/lib64/firefox/browser/defaults/preferences/user.js'
+    mode: '0644'
+
+- name: 'Remove default Fedora project homepage'
+  ansible.builtin.lineinfile:
+    path: '/usr/lib64/firefox/browser/defaults/preferences/firefox-redhat-default-prefs.js'
+    state: 'absent'
+    regexp: '/browser.newtabpage.pinned/'
+
+- name: 'Delete Fedora default settings'
+  ansible.builtin.file:
+    path: '/usr/lib64/firefox/browser/defaults/preferences/firefox-redhat-default-prefs.js'
+    state: 'absent'

roles/arkenfox/templates/userjs-brace.js.j2

@@ -0,0 +1,55 @@
+//Look
+pref("browser.ctrlTab.recentlyUsedOrder", false);
+pref("browser.privatebrowsing.vpnpromourl", "");
+pref("browser.vpn_promo.enabled", false);
+pref("browser.tabs.drawInTitlebar", true);
+pref("devtools.netmonitor.persistlog", true);
+pref("devtools.webconsole.persistlog", true);
+pref("general.smoothScroll", false);
+pref("widget.allow-client-side-decoration", true);
+pref("mailnews.start_page.enabled", false);
+pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "{}"); //BRACE-KEEP_FOR_NOW
+pref("browser.library.activity-stream.enabled", false); //BRACE-UNCOMMENTED
+
+//Privacy
+pref("privacy.globalprivacycontrol.enabled", true);
+pref("browser.snippets.enabled", false);
+pref("browser.snippets.firstrunHomepage.enabled", false);
+pref("browser.snippets.syncPromo.enabled", false);
+pref("browser.snippets.updateUrl", "");
+pref("general.useragent.updates.enabled", false);
+pref("network.negotiate-auth.trusted-uris", "");
+pref("network.dns.native_https_query", true);
+pref("network.trr.uri", "https://dns.quad9.net/dns-query");
+pref("network.trr.custom_uri", "https://dns.quad9.net/dns-query");
+pref("plugin.expose_full_path", false);
+pref("extensions.enigmail.autoWkdLookup", 0);
+pref("messenger.status.reportIdle", false);
+pref("media.gmp-widevinecdm.visible", false); //BRACE-KEEP_FOR_NOW: proprietary
+pref("network.manage-offline-status", false);
+pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false);
+pref("browser.urlbar.suggest.quicksuggest.sponsored", false);
+pref("browser.urlbar.quicksuggest.dataCollection.enabled", false);
+pref("mailnews.headers.sendUserAgent", false);
+pref("mail.sanitize_date_header", true);
+pref("dom.private-attribution.submission.enabled", false);
+
+//Security
+pref("browser.gnome-search-provider.enabled", false);
+pref("fission.autostart", true); //MULL-COMMENT_ME
+pref("security.webauth.u2f", true); //MULL-COMMENT_ME
+pref("security.tls.enable_kyber", true);
+pref("network.http.http3.enable_kyber", true);
+pref("mail.phishing.detection.enabled", true);
+pref("mailnews.message_display.disable_remote_image", true);
+
+//Disable Pocket
+pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
+pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
+pref("extensions.pocket.enabled", false);
+
+//Disable Sync
+pref("identity.fxaccounts.enabled", false);
+
+//Fix IPv6 when using DoH
+pref("network.dns.preferIPv6", true); //BRACE-KEEP_FOR_NOW

roles/arkenfox/templates/userjs-override.js.j2

@@ -0,0 +1,19 @@
+pref("privacy.resistFingerprinting.letterboxing", false); // disable letterboxing because it's very annoying
+pref("javascript.options.wasm", true); // enable WASM because element and proton need it
+pref("general.smoothScroll", true); // why do I have this set?
+
+pref("browser.bookmarks.restore_default_bookmarks", false); // remove Fedora's default bookmarks because I never use them
+pref("browser.bookmarks.file", '');
+
+// override blank homepage
+pref("browser.startup.page", 1);
+pref("browser.startup.homepage", "about:home");
+pref("browser.newtabpage.enabled", true);
+
+{% if enable_webgl %}
+pref("webgl.disabled", false);
+{% else %}
+pref("webgl.disabled", true);
+{% endif %}
+
+

roles/arkenfox/templates/userjs.j2

@@ -0,0 +1,3 @@
+{% include './userjs-arkenfox.js.j2' %}
+{% include './userjs-brace.js.j2' %}   
+{% include './userjs-override.js.j2' %}

roles/baseline/defaults/main.yaml

@@ -0,0 +1,3 @@
+umask_changes: false
+manage_network: true
+allow_ptrace: false

roles/baseline/files/etc/crypto-policies/back-ends/openssh.config

@@ -0,0 +1,8 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048

roles/baseline/files/etc/dconf/db/local.d/automount-disable

@@ -0,0 +1,4 @@
+[org/gnome/desktop/media-handling]
+automount=false
+automount-open=false
+autorun-never=true

roles/baseline/files/etc/dconf/db/local.d/locks/automount-disable

@@ -0,0 +1,3 @@
+org/gnome/desktop/media-handling/automount
+org/gnome/desktop/media-handling/automount-open
+/org/gnome/desktop/media-handling/autorun-never

roles/baseline/files/etc/dconf/db/local.d/locks/privacy

@@ -0,0 +1,14 @@
+/org/gnome/system/location/enabled
+
+/org/gnome/desktop/privacy/remember-recent-files
+/org/gnome/desktop/privacy/remove-old-trash-files
+/org/gnome/desktop/privacy/remove-old-temp-files
+/org/gnome/desktop/privacy/report-technical-problems
+/org/gnome/desktop/privacy/send-software-usage-stats
+/org/gnome/desktop/privacy/remember-app-usage
+
+/org/gnome/online-accounts/whitelisted-providers
+
+/org/gnome/desktop/remote-desktop/rdp/enable
+
+/org/gnome/desktop/remote-desktop/vnc/enable

roles/baseline/files/etc/dconf/db/local.d/privacy

@@ -0,0 +1,16 @@
+[org/gnome/system/location]
+enabled=false
+
+[org/gnome/desktop/privacy]
+remember-recent-files=false
+remove-old-trash-files=true
+remove-old-temp-files=true
+report-technical-problems=false
+send-software-usage-stats=false
+remember-app-usage=false
+
+[org/gnome/desktop/remote-desktop/rdp]
+enable=false
+
+[org/gnome/desktop/remote-desktop/vnc]
+enable=false

roles/baseline/files/etc/dnf/dnf.conf

@@ -0,0 +1,11 @@
+[main]
+gpgcheck=True
+installonly_limit=3
+clean_requirements_on_remove=True
+best=False
+skip_if_unavailable=True
+max_parallel_downloads=10
+deltarpm=False
+defaultyes=True
+install_weak_deps=False
+countme=False

roles/baseline/files/etc/environment

@@ -0,0 +1,2 @@
+JavaScriptCoreUseJIT=0
+GJS_DISABLE_JIT=1

roles/baseline/files/etc/ld.so.preload

@@ -0,0 +1 @@
+libhardened_malloc.so

roles/baseline/files/etc/modprobe.d/workstation-blacklist.conf

@@ -0,0 +1,115 @@
+# unused network protocols
+install dccp /bin/false
+install sctp /bin/false
+install rds /bin/false
+install tipc /bin/false
+install n-hdlc /bin/false
+install ax25 /bin/false
+install netrom /bin/false
+install x25 /bin/false
+install rose /bin/false
+install decnet /bin/false
+install econet /bin/false
+install af_802154 /bin/false
+install ipx /bin/false
+install appletalk /bin/false
+install psnap /bin/false
+install p8023 /bin/false
+install p8022 /bin/false
+install can /bin/false
+install atm /bin/false
+
+# firewire and thunderbolt
+install firewire-core /bin/false
+install firewire_core /bin/false
+install firewire-ohci /bin/false
+install firewire_ohci /bin/false
+install firewire_sbp2 /bin/false
+install firewire-sbp2 /bin/false
+install firewire-net /bin/false
+install thunderbolt /bin/false
+install ohci1394 /bin/false
+install sbp2 /bin/false
+install dv1394 /bin/false
+install raw1394 /bin/false
+install video1394 /bin/false
+
+# unused filesystems
+install cramfs /bin/false
+install freevxfs /bin/false
+install jffs2 /bin/false
+# I think blacklisting hfs or hfsplus breaks USBs, but not sure
+# install hfs /bin/false
+# install hfsplus /bin/false
+install squashfs /bin/false
+install udf /bin/false
+install cifs /bin/false
+install nfs /bin/false
+install nfsv3 /bin/false
+install nfsv4 /bin/false
+install ksmbd /bin/false
+install gfs2 /bin/false
+install reiserfs /bin/false
+install kafs /bin/false
+install orangefs /bin/false
+install 9p /bin/false
+install adfs /bin/false
+install affs /bin/false
+install afs /bin/false
+install befs /bin/false
+install ceph /bin/false
+install coda /bin/false
+install ecryptfs /bin/false
+install erofs /bin/false
+install jfs /bin/false
+install minix /bin/false
+install netfs /bin/false
+install nilfs2 /bin/false
+install ocfs2 /bin/false
+install romfs /bin/false
+install ubifs /bin/false
+install zonefs /bin/false
+install sysv /bin/false
+install ufs /bin/false
+
+# disable vivid
+install vivid /bin/false
+
+# disable GNSS
+install gnss /bin/false
+install gnss-mtk /bin/false
+install gnss-serial /bin/false
+install gnss-sirf /bin/false
+install gnss-usb /bin/false
+install gnss-ubx /bin/false
+
+# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
+install bluetooth /bin/false
+install btusb /bin/false
+
+# blacklist ath_pci
+blacklist ath_pci
+
+# blacklist cdrom
+blacklist cdrom
+blacklist sr_mod
+
+# blacklist framebuffer drivers
+# source, ubuntu: https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf
+blacklist cyber2000fb
+blacklist cyblafb
+blacklist gx1fb
+blacklist hgafb
+blacklist kyrofb
+blacklist lxfb
+blacklist matroxfb_base
+blacklist neofb
+blacklist nvidiafb
+blacklist pm2fb
+blacklist s1d13xxxfb
+blacklist sisfb
+blacklist tdfxfb
+blacklist vesafb
+blacklist vfb
+blacklist vt8623fb
+blacklist udlfb

roles/baseline/files/etc/security/limits.d/30-disable-coredump.conf

@@ -0,0 +1 @@
+* hard core 0

roles/baseline/files/etc/skel/flathub.sh

@@ -0,0 +1,2 @@
+flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo
+systemctl enable --user --now update-user-flatpaks.timer

roles/baseline/files/etc/ssh/ssh_config.d/10-custom.conf

@@ -0,0 +1,2 @@
+GSSAPIAuthentication no
+VerifyHostKeyDNS yes

roles/baseline/files/etc/sysctl.d/99-workstation.conf

@@ -0,0 +1,119 @@
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+dev.tty.ldisc_autoload = 0
+
+# https://access.redhat.com/solutions/1985633
+# Seems dangerous.
+# Roseta need this though, so if you use it change it to 1.
+fs.binfmt_misc.status = 0
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
+# Enable fs.protected sysctls.
+fs.protected_regular = 2
+fs.protected_fifos = 2
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
+# Disable coredumps.
+# For additional safety, disable coredumps using ulimit and systemd too.
+kernel.core_pattern=|/bin/false
+fs.suid_dumpable = 0
+
+# Restrict dmesg to CAP_SYS_LOG.
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+kernel.dmesg_restrict = 1
+
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
+# Restrict access to /proc.
+kernel.kptr_restrict = 2
+
+# Not needed, I don't do livepatching and reboot regularly.
+# On a workstation, this shouldn't be used at all. Don't live patch, just reboot.
+kernel.kexec_load_disabled = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Basically, restrict eBPF to CAP_BPF.
+kernel.unprivileged_bpf_disabled = 1
+net.core.bpf_jit_harden = 2
+
+# Needed for Flatpak and Bubblewrap.
+kernel.unprivileged_userns_clone = 1
+
+# Disable ptrace. Not needed on workstations.
+kernel.yama.ptrace_scope = 3
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Restrict performance events from unprivileged users as much as possible.
+# We are using 4 here, since Ubuntu supports such a level.
+# Official Linux kernel documentation only says >= so it probably will work.
+kernel.perf_event_paranoid = 4
+
+# Disable io_uring
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
+# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
+# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
+# on a Proxmox node.
+kernel.io_uring_disabled = 2
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Disable sysrq.
+kernel.sysrq = 0
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
+# Not running a router here, so no redirects.
+net.ipv4.conf.*.send_redirects = 0
+net.ipv4.conf.*.accept_redirects = 0
+net.ipv6.conf.*.accept_redirects = 0
+
+# Check if the source of the IP address is reachable through the same interface it came in
+# Basic IP spoofing mitigation.
+net.ipv4.conf.*.rp_filter = 1
+
+# Do not respond to ICMP.
+net.ipv4.icmp_echo_ignore_all = 1
+net.ipv6.icmp.echo_ignore_all = 1
+
+# Ignore Bogus ICMP responses.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Enable IP Forwarding.
+# Needed for VM networking and whatnot.
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
+# Ignore bogus icmp response.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Protection against time-wait assasination attacks.
+net.ipv4.tcp_rfc1337 = 1
+
+# Enable SYN cookies.
+# Basic SYN flood mitigation.
+net.ipv4.tcp_syncookies = 1 
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Make sure TCP timestamp is enabled.
+net.ipv4.tcp_timestamps = 1
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Disable TCP SACK.
+# We have good networking :)
+net.ipv4.tcp_sack = 0
+
+# No SACK, therefore no Duplicated SACK.
+net.ipv4.tcp_dsack = 0
+
+# Improve ALSR effectiveness for mmap.
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Restrict userfaultfd to CAP_SYS_PTRACE.
+# https://bugs.archlinux.org/task/62780
+# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
+# probably not used in the real world at all.
+vm.unprivileged_userfaultfd = 0

roles/baseline/files/etc/systemd/coredump.conf.d/disable.conf

@@ -0,0 +1,2 @@
+[Coredump]
+Storage=none

roles/baseline/files/etc/systemd/system/NetworkManager.service.d/99-brace.conf

@@ -0,0 +1,28 @@
+[Service]
+# Hardening
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+LockPersonality=true
+MemoryDenyWriteExecute=true
+#PrivateDevices=true #breaks tun usage
+#ProtectProc=invisible
+PrivateTmp=yes
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=read-only
+ProtectKernelLogs=true
+#ProtectKernelModules=true
+#ProtectSystem=strict
+#ReadOnlyPaths=/etc/NetworkManager
+ReadOnlyPaths=-/home
+#ReadWritePaths=-/etc/NetworkManager/system-connections
+ReadWritePaths=-/etc/sysconfig/network-scripts
+ReadWritePaths=/var/lib/NetworkManager
+ReadWritePaths=-/var/run/NetworkManager
+ReadWritePaths=-/run/NetworkManager
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+UMask=0077

roles/baseline/files/etc/systemd/user/update-user-flatpaks.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Update user Flatpaks
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/flatpak --user update -y

roles/baseline/files/etc/systemd/user/update-user-flatpaks.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Update user Flatpaks daily
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target

roles/baseline/files/etc/systemd/zram-generator.conf

@@ -0,0 +1,4 @@
+[zram0]
+zram-fraction = 1
+max-zram-size = 8192
+compression-algorithm = zstd

roles/baseline/files/etc/xdg-desktop-portal/portals.conf

@@ -0,0 +1,2 @@
+[preferred]
+default=gtk;

roles/baseline/tasks/main.yaml

@@ -0,0 +1,194 @@
+---
+- name: Kill debug-shell service
+  ansible.builtin.systemd_service:
+    name: debug-shell.service
+    masked: true
+- name: Kill kdump service
+  ansible.builtin.systemd_service:
+    name: kdump.service
+    masked: true
+
+- name: Set umask to 077
+  shell: umask 077
+- name: Set umask to 077 in login.defs
+  ansible.builtin.replace:
+    path: /etc/login.defs
+    regexp: '^UMASK.*'
+    replace: 'UMASK 077'
+  when: umask_changes == true
+
+- name: Set umask to 077 in logins.defs
+  ansible.builtin.replace:
+    path: /etc/login.defs
+    regexp: '^HOME_MODE'
+    replace: '#HOME_MODE'
+  when: umask_changes == true
+
+- name: Set umask to 077 in bashrc
+  ansible.builtin.replace:
+    path: /etc/bashrc
+    regexp: 'umask 022'
+    replace: 'umask 077'
+  when: umask_changes == true
+
+- name: Make home directory private
+  ansible.builtin.file:
+    path: /home/*
+    state: directory
+    recurse: true
+    mode: '0700'
+  when: umask_changes == true
+
+- name: Harden SSH, add kernel blacklist and hardening
+  ansible.builtin.copy:
+    src: '{{ item }}'
+    dest: '/{{ item }}'
+    mode: '0644'
+  loop:
+  - 'etc/ssh/ssh_config.d/10-custom.conf'
+  - 'etc/modprobe.d/workstation-blacklist.conf'
+  - 'etc/crypto-policies/back-ends/openssh.config'
+
+- name: Kernel sysctl config
+  ansible.builtin.template:
+    src: 'etc/sysctl.d/99-workstation.conf.j2' 
+    dest: '/etc/sysctl.d/99-workstation.conf'
+    mode: '0644'
+
+- name: Reload sysctl
+  shell: 'sysctl -p'
+
+- name: Create coredump.conf.d
+  ansible.builtin.file:
+    path: '/etc/systemd/coredump.conf.d'
+    state: 'directory'
+    mode: '0755'
+- name: Make locks dir for dconf
+  ansible.builtin.file:
+    path: '/etc/dconf/db/local.d/locks'
+    state: 'directory'
+    mode: '0755'
+- name: Create XDG portals directory
+  ansible.builtin.file:
+    path: '/etc/xdg-desktop-portal'
+    state: 'directory'
+    mode: '0755'
+
+- name: Create /etc/systemd/system/NetworkManager.service.d
+  ansible.builtin.file:
+    path: '/etc/systemd/system/NetworkManager.service.d'
+    state: 'directory'
+    mode: '0755'
+  when: manage_network == true
+
+- name: Harden Network manager using brace config
+  ansible.builtin.copy:
+    src: 'etc/systemd/system/NetworkManager.service.d/99-brace.conf'
+    dest: '/etc/systemd/system/NetworkManager.service.d/99-brace.conf'
+    mode: '0644'
+  when: manage_network == true
+
+- name: Disable coredump + GNOME telemetry
+  ansible.builtin.copy:
+    src: '{{ item }}'
+    dest: '/{{ item }}'
+    mode: '0644'
+  loop:
+  - 'etc/security/limits.d/30-disable-coredump.conf'
+  - 'etc/systemd/coredump.conf.d/disable.conf'
+  - 'etc/dconf/db/local.d/locks/privacy'
+  - 'etc/dconf/db/local.d/privacy'
+
+- name: Fix dconf perms
+  ansible.builtin.file:
+    path: '/etc/dconf'
+    state: 'directory'
+    mode: '0755'
+
+- name: Update dconf
+  shell: 'dconf update'
+
+- name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT
+  ansible.builtin.copy:
+    src: '{{ item }}'
+    dest: '/{{ item }}'
+    mode: '0644'
+  loop:
+  - 'etc/systemd/zram-generator.conf'
+  - 'etc/systemd/user/update-user-flatpaks.service'
+  - 'etc/systemd/user/update-user-flatpaks.timer'
+  - 'etc/environment' 
+
+- name: Drop flathub script to homedir for any new appvms created based on this template
+  ansible.builtin.copy:
+    src: 'etc/skel/flathub.sh'
+    dest: '/etc/skel/flathub.sh'
+    mode: '0700'
+
+- name: Upgrade all packages
+  ansible.builtin.dnf5:
+    name: "*"
+    state: latest
+
+- name: Mark packages as manually installed to avoid removal
+  shell: 'dnf mark user flatpak gnome-menus qubes-menus -y'
+
+- name: Enable hardened_malloc COPR
+  shell: 'dnf copr enable secureblue/hardened_malloc -y'
+
+- name: Install hardened_malloc
+  ansible.builtin.dnf5:
+    name: 'hardened_malloc'
+    state: 'present'
+  when: use_hardened_malloc == true
+- name: Install custom packages
+  ansible.builtin.dnf5:
+    name:
+      - 'qubes-ctap'
+      - 'qubes-gpg-split'
+      - 'flatpak'
+      - 'ncurses'
+      - 'xdg-desktop-portal-gtk'
+      - 'qubes-video-companion'
+
+- name: Enable hardened_malloc
+  ansible.builtin.copy:
+    src: 'etc/ld.so.preload'
+    dest: '/etc/ld.so.preload'
+    mode: '0644'
+  when: use_hardened_malloc == true
+
+- name: Enable hardened_malloc for system wide flatpak
+  shell: 'flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
+  when: use_hardened_malloc == true
+
+- name: Enable hardened_malloc for user flatpak # has to be run per APP VM
+  shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
+  when: use_hardened_malloc == true
+
+- name: Setup dnf repos
+  ansible.builtin.copy:
+    src: 'etc/dnf/dnf.conf'
+    dest: '/etc/dnf/dnf.conf'
+    mode: '0644'
+
+- name: Get list of files
+  ansible.builtin.find:
+    paths: /etc/yum.repos.d/
+    recurse: true
+  register: found_files
+
+- name: Replace text in those files
+  ansible.builtin.lineinfile:
+    backup: true
+    backrefs: true
+    path: '{{ item.path }}'
+    regexp: '^(metalink=.*)$'
+    line: '\1&protocol=https'
+  loop: '{{ found_files.files }}'
+
+- name: 'Install zram'
+  ansible.builtin.dnf5:
+    name:
+      - zram-generator
+      - zram-generator-defaults

roles/baseline/templates/etc/sysctl.d/99-workstation.conf.j2

@@ -0,0 +1,122 @@
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+dev.tty.ldisc_autoload = 0
+
+# https://access.redhat.com/solutions/1985633
+# Seems dangerous.
+# Roseta need this though, so if you use it change it to 1.
+fs.binfmt_misc.status = 0
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
+# Enable fs.protected sysctls.
+fs.protected_regular = 2
+fs.protected_fifos = 2
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
+# Disable coredumps.
+# For additional safety, disable coredumps using ulimit and systemd too.
+kernel.core_pattern=|/bin/false
+fs.suid_dumpable = 0
+
+# Restrict dmesg to CAP_SYS_LOG.
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+kernel.dmesg_restrict = 1
+
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
+# Restrict access to /proc.
+kernel.kptr_restrict = 2
+
+# Not needed, I don't do livepatching and reboot regularly.
+# On a workstation, this shouldn't be used at all. Don't live patch, just reboot.
+kernel.kexec_load_disabled = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Basically, restrict eBPF to CAP_BPF.
+kernel.unprivileged_bpf_disabled = 1
+net.core.bpf_jit_harden = 2
+
+# Needed for Flatpak and Bubblewrap.
+kernel.unprivileged_userns_clone = 1
+
+# Disable ptrace. Not needed on workstations.
+{% if allow_ptrace %}
+kernel.yama.ptrace_scope = 1
+{% else %}
+kernel.yama.ptrace_scope = 3
+{% endif %}
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Restrict performance events from unprivileged users as much as possible.
+# We are using 4 here, since Ubuntu supports such a level.
+# Official/ Linux kernel documentation only says >= so it probably will work.
+kernel.perf_event_paranoid = 4
+
+# Disable io_uring
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
+# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
+# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
+# on a Proxmox node.
+kernel.io_uring_disabled = 2
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Disable sysrq.
+kernel.sysrq = 0
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
+# Not running a router here, so no redirects.
+net.ipv4.conf.*.send_redirects = 0
+net.ipv4.conf.*.accept_redirects = 0
+net.ipv6.conf.*.accept_redirects = 0
+
+# Check if the source of the IP address is reachable through the same interface it came in
+# Basic IP spoofing mitigation.
+net.ipv4.conf.*.rp_filter = 1
+
+# Do not respond to ICMP.
+net.ipv4.icmp_echo_ignore_all = 1
+net.ipv6.icmp.echo_ignore_all = 1
+
+# Ignore Bogus ICMP responses.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Enable IP Forwarding.
+# Needed for VM networking and whatnot.
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
+# Ignore bogus icmp response.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Protection against time-wait assasination attacks.
+net.ipv4.tcp_rfc1337 = 1
+
+# Enable SYN cookies.
+# Basic SYN flood mitigation.
+net.ipv4.tcp_syncookies = 1 
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Make sure TCP timestamp is enabled.
+net.ipv4.tcp_timestamps = 1
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Disable TCP SACK.
+# We have good networking :)
+net.ipv4.tcp_sack = 0
+
+# No SACK, therefore no Duplicated SACK.
+net.ipv4.tcp_dsack = 0
+
+# Improve ALSR effectiveness for mmap.
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Restrict userfaultfd to CAP_SYS_PTRACE.
+# https://bugs.archlinux.org/task/62780
+# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
+# probably not used in the real world at all.
+vm.unprivileged_userfaultfd = 0