---
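# debug-shell.service provides an unauthenticated root shell on a VT for
# early-boot debugging. Masking only blocks future starts; "state: stopped"
# also terminates an instance that is already running when this task runs.
- name: Kill debug-shell service
  ansible.builtin.systemd_service:
    name: debug-shell.service
    state: stopped
    masked: true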
# Crash-dump capture is not wanted in a workstation template; mask the unit
# so nothing can start it. Note that a mask does not stop an instance that
# is already active at the time this runs.
- name: Kill kdump service
  ansible.builtin.systemd_service:
    name: "kdump.service"
    masked: true
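# Umask hardening (077: new files are private to their owner), applied only
# when umask_changes is set. "| bool" accepts both a YAML boolean and the
# string "true" that -e passes in; "== true" matched only the former.
#
# The former "shell: umask 077" task was dropped: umask is per-process, so
# setting it in the transient shell Ansible spawns for that task changed
# nothing on the target.
- name: Set umask to 077 in login.defs
  ansible.builtin.lineinfile:
    path: /etc/login.defs
    regexp: '^UMASK\s'
    line: 'UMASK 077'
  when: umask_changes | bool

# When HOME_MODE is unset, login.defs derives the mode of new home
# directories from UMASK, so commenting it out keeps a single source of truth.
- name: Comment out HOME_MODE in login.defs
  ansible.builtin.replace:
    path: /etc/login.defs
    regexp: '^HOME_MODE'
    replace: '#HOME_MODE'
  when: umask_changes | bool

# Fedora's /etc/bashrc and /etc/profile pick "umask 002" for users whose
# primary group matches their user name (the default, UID >= 200) and
# "umask 022" otherwise. Matching only "022" left ordinary users at 002, so
# both values are rewritten, in both startup files.
- name: Set umask to 077 in shell startup files
  ansible.builtin.replace:
    path: "{{ item }}"
    regexp: 'umask 0[02]2'
    replace: 'umask 077'
  loop:
    - /etc/bashrc
    - /etc/profile
  when: umask_changes | bool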
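# The file module does not expand globs: "path: /home/*" created a literal
# directory named "*" instead of touching the users' homes. Enumerate /home
# first and chmod each entry. The mode is applied to the home directory
# itself only; a recursive 0700 would also set the execute bit on every
# regular file inside.
- name: Find home directories
  ansible.builtin.find:
    paths: /home
    file_type: directory
    recurse: false
  register: home_dirs
  when: umask_changes | bool

- name: Make home directory private
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: directory
    mode: "0700"
  loop: "{{ home_dirs.files | default([]) }}"
  loop_control:
    label: "{{ item.path }}"
  when: umask_changes | bool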
# Static hardening files shipped with the role, installed at the same
# relative path under / and world-readable.
- name: Harden SSH, add kernel blacklist and hardening
  ansible.builtin.copy:
    src: "{{ conf_file }}"
    dest: "/{{ conf_file }}"
    mode: "0644"
  loop:
    - etc/ssh/ssh_config.d/10-custom.conf
    - etc/modprobe.d/workstation-blacklist.conf
    # NOTE(review): files under /etc/crypto-policies/back-ends/ are
    # regenerated by update-crypto-policies; confirm this copy survives a
    # policy refresh, or express the settings as a policy module instead.
    - etc/crypto-policies/back-ends/openssh.config
    - etc/sysctl.d/100-vm-zram-parameters.conf
  loop_control:
    loop_var: conf_file
# procps-ng provides sysctl(8), used further down to apply the kernel
# settings; flatpak backs the per-user application layer.
- name: Install sysctl and flatpak
  ansible.builtin.dnf5:
    name:
      - flatpak
      - procps-ng
    state: present
# Packages that let a qube based on this template act as sys-net, sys-usb
# or sys-firewall, plus the NetworkManager stack, a small desktop layer and
# common network diagnostic tools.
- name: Install various packages allowing for template to manage sys-net, sys-usb, and sys-firewall. Also, basic debug tools
  ansible.builtin.dnf5:
    name:
      # Qubes agents and proxies
      - qubes-core-agent-networking
      - qubes-core-agent-dom0-updates
      - qubes-core-agent-network-manager
      - qubes-usb-proxy
      - qubes-input-proxy-sender
      - qubes-core-agent-nautilus
      # networking stack and diagnostics
      - NetworkManager-wifi
      - network-manager-applet
      - iproute
      - dnsutils
      - iputils
      - traceroute
      - nmap
      # desktop support
      - notification-daemon
      - gnome-keyring
      - polkit
      - nautilus
      - '@fonts'
      - '@hardware-support'
      # debugging convenience
      - tree
    state: present
# Render the kernel hardening sysctl drop-in from the role's Jinja template.
- name: Kernel sysctl config
  ansible.builtin.template:
    src: etc/sysctl.d/99-workstation.conf.j2
    dest: /etc/sysctl.d/99-workstation.conf
    mode: "0644"
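# "sysctl -p" reads only /etc/sysctl.conf, so the drop-ins written to
# /etc/sysctl.d above were never applied. "--system" walks /etc/sysctl.d,
# /run/sysctl.d, /usr/lib/sysctl.d and /etc/sysctl.conf. No shell features
# are needed, so use command; re-applying persisted settings is idempotent.
- name: Reload sysctl
  ansible.builtin.command:
    cmd: sysctl --system
  changed_when: false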
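# Drop-in directories that the copy tasks below populate. One loop keeps the
# three consistent (state, mode) instead of three near-identical tasks.
- name: Create configuration drop-in directories
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: "0755"
  loop:
    - /etc/systemd/coredump.conf.d
    - /etc/dconf/db/local.d/locks
    - /etc/xdg-desktop-portal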
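# Drop-in directory for the NetworkManager unit override. "| bool" accepts
# a YAML boolean as well as the string form -e passes in; "== true" only
# matched a real boolean.
- name: Create /etc/systemd/system/NetworkManager.service.d
  ansible.builtin.file:
    path: /etc/systemd/system/NetworkManager.service.d
    state: directory
    mode: "0755"
  when: manage_network | bool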
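# Unit override for NetworkManager (sandboxing directives live in the
# shipped 99-brace.conf). "| bool" accepts both boolean and string forms of
# manage_network; "== true" only matched a real boolean.
- name: Harden Network manager using brace config
  ansible.builtin.copy:
    src: etc/systemd/system/NetworkManager.service.d/99-brace.conf
    dest: /etc/systemd/system/NetworkManager.service.d/99-brace.conf
    mode: "0644"
  when: manage_network | bool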
# Core dumps are disabled at both the PAM limits and systemd-coredump
# layers; the dconf files set GNOME privacy keys and lock them so users
# cannot flip them back. Each file lands at the same relative path under /.
- name: Disable coredump + GNOME telemetry
  ansible.builtin.copy:
    src: "{{ conf_file }}"
    dest: "/{{ conf_file }}"
    mode: "0644"
  loop:
    - etc/security/limits.d/30-disable-coredump.conf
    - etc/systemd/coredump.conf.d/disable.conf
    - etc/dconf/db/local.d/locks/privacy
    - etc/dconf/db/local.d/privacy
  loop_control:
    loop_var: conf_file
# Normalize the mode of the top-level /etc/dconf directory only (not
# recursive) before the database is compiled.
- name: Fix dconf perms
  ansible.builtin.file:
    path: /etc/dconf
    state: directory
    mode: "0755"
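# Compile the system dconf database from /etc/dconf/db so the privacy keys
# and locks installed above take effect. No shell features are needed, so
# use command; recompiling is safe to repeat, hence changed_when: false.
- name: Update dconf
  ansible.builtin.command:
    cmd: dconf update
  changed_when: false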
# zram-generator config, a user-level systemd timer/service pair that keeps
# flatpaks updated, and /etc/environment (replaced wholesale) carrying the
# variables that turn off GJS and WebKitGTK JIT.
- name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT
  ansible.builtin.copy:
    src: "{{ conf_file }}"
    dest: "/{{ conf_file }}"
    mode: "0644"
  loop:
    - etc/systemd/zram-generator.conf
    - etc/systemd/user/update-user-flatpaks.service
    - etc/systemd/user/update-user-flatpaks.timer
    - etc/environment
  loop_control:
    loop_var: conf_file
# Staged in /etc/skel so it is copied into newly created home directories;
# executable by the owner only.
- name: Drop flathub script to homedir for any new appvms created based on this template
  ansible.builtin.copy:
    src: etc/skel/flathub.sh
    dest: /etc/skel/flathub.sh
    mode: "0700"
# Bring every installed package to its latest available version.
- name: Upgrade all packages
  ansible.builtin.dnf5:
    name: '*'
    state: latest
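# Mark flatpak as user-installed so "dnf autoremove" never drops it.
# The former "&& source /etc/environment" was removed: sourcing a file into
# the transient shell Ansible spawns has no lasting effect, and any line in
# /etc/environment that is not valid shell would have failed this task.
- name: Mark packages as manually installed to avoid removal
  ansible.builtin.command:
    cmd: dnf mark user flatpak -y
  changed_when: false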
# Qubes integration helpers (FIDO/CTAP, split GPG, video companion) and
# the GTK desktop portal. flatpak is restated here; that is harmless since
# the module only ensures presence.
- name: Install custom packages
  ansible.builtin.dnf5:
    name:
      - qubes-ctap
      - qubes-gpg-split
      - qubes-video-companion
      - xdg-desktop-portal-gtk
      - flatpak
      - ncurses
    state: present
# Despite the task name this installs /etc/dnf/dnf.conf (global dnf
# options), not repository definitions under /etc/yum.repos.d.
- name: Setup dnf repos
  ansible.builtin.copy:
    src: etc/dnf/dnf.conf
    dest: /etc/dnf/dnf.conf
    mode: "0644"
# Disabled: would append "&protocol=https" to every "metalink=" line under
# /etc/yum.repos.d/ so metalink fetches are forced over HTTPS. Kept for
# reference; re-enable by uncommenting both tasks together.
#- name: Get list of files
#  ansible.builtin.find:
#    paths: /etc/yum.repos.d/
#    recurse: true
#  register: found_files
#
#- name: Replace text in those files
#  ansible.builtin.lineinfile:
#    backup: true
#    backrefs: true
#    path: '{{ item.path }}'
#    regexp: '^(metalink=.*)$'
#    line: '\1&protocol=https'
#  loop: '{{ found_files.files }}'
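# swapoff exits non-zero when the device is not currently active as swap,
# which made an unconditional call fail on every re-run. Read the kernel's
# swap table first and only call swapoff when the device is listed.
# The device defaults to /dev/xvdc1 (under Qubes, the swap partition of the
# volatile volume); override with non_zram_swap_device where it differs.
- name: Read active swap devices
  ansible.builtin.slurp:
    src: /proc/swaps
  register: proc_swaps

- name: 'Disable non zram swap'
  vars:
    swap_device: "{{ non_zram_swap_device | default('/dev/xvdc1') }}"
  ansible.builtin.command:
    argv:
      - swapoff
      - "{{ swap_device }}"
  when: swap_device in (proc_swaps.content | b64decode)
  changed_when: true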
- name: 'Install zram'
|
|
ansible.builtin.dnf5:
|
|
name:
|
|
- zram-generator
|
|
- zram-generator-defaults
|