sysconfig/roles/fstab/tasks/main.yml

---
# pyenv, doom (cli of Doom Emacs), ... need exec inside /tmp
- name: fstab | Harden mount options for /tmp
  lineinfile:
    path: /etc/fstab
    state: present
    regexp: '^tmpfs[ \t]+/tmp[ \t]+tmpfs'
    line: tmpfs    /tmp    tmpfs    rw,nosuid,nodev,size=4G,mode=1777    0    0
    owner: root
    group: root
    mode: 0644

# /run is mounted with exec by default
- name: fstab | Harden mount options for /run
  lineinfile:
    path: /etc/fstab
    state: present
    regexp: '^tmpfs[ \t]+/run[ \t]+tmpfs'
    line: tmpfs    /run    tmpfs    rw,nosuid,nodev,noexec,size=1G,mode=0755    0    0
    owner: root
    group: root
    mode: 0644

# polkit daemon obviously needs access to /proc to work
# Note: Add the normal user to polkitd group afterward
- block:
    # Busybox's mount doesn't interpret group name in GID, so check it
    # wheel group on Alpine by default has GID=10
    - name: fstab | Check GID of group {{ proc_group }}
      shell: getent group {{ proc_group }} | awk -F':' '{print $3}'
      register: proc_gid

    - name: fstab | Restrict read access on /proc for {{ proc_group }} group
      lineinfile:
        path: /etc/fstab
        state: present
        regexp: '^proc[ \t]+/proc[ \t]+proc'
        line: 'proc    /proc    proc    rw,nosuid,nodev,noexec,hidepid=2,gid={{ proc_gid.stdout }}    0    0'
        owner: root
        group: root
        mode: 0644
  vars:
    proc_group: '{{ use_polkit | ternary("polkitd", "wheel") }}'
Big chunk of changes - essential: - make polkit optional - move /etc/hosts file to unbound role - libvirt: - make libvirt daemons configurable - delete the firewall patch. Hardcode the rules by default (for now) so that the playbook is compatible with `ansible-core` - user: add pam_limits file (moved from dotfiles repository) - sysctl: role deleted. The task was moved to essential role - fstab: new role for /run, /tmp, /proc mounts - add seatd as a 'seat_manager' option - cron: use find command to restraint deleted files in /var/tmp 2022-02-11 18:39:35 +01:00			`---`
			`# pyenv, doom (cli of Doom Emacs), ... need exec inside /tmp`
			`- name: fstab \| Harden mount options for /tmp`
			`lineinfile:`
			`path: /etc/fstab`
			`state: present`
			`regexp: '^tmpfs[ \t]+/tmp[ \t]+tmpfs'`
fstab: remove noatime option The default value is 'relatime' flatpak errors out (permission denied mounting proc on /newroot/proc) 2022-02-11 19:26:23 +01:00			`line: tmpfs /tmp tmpfs rw,nosuid,nodev,size=4G,mode=1777 0 0`
Big chunk of changes - essential: - make polkit optional - move /etc/hosts file to unbound role - libvirt: - make libvirt daemons configurable - delete the firewall patch. Hardcode the rules by default (for now) so that the playbook is compatible with `ansible-core` - user: add pam_limits file (moved from dotfiles repository) - sysctl: role deleted. The task was moved to essential role - fstab: new role for /run, /tmp, /proc mounts - add seatd as a 'seat_manager' option - cron: use find command to restraint deleted files in /var/tmp 2022-02-11 18:39:35 +01:00			`owner: root`
			`group: root`
			`mode: 0644`

			`# /run is mounted with exec by default`
			`- name: fstab \| Harden mount options for /run`
			`lineinfile:`
			`path: /etc/fstab`
			`state: present`
			`regexp: '^tmpfs[ \t]+/run[ \t]+tmpfs'`
fstab: remove noatime option The default value is 'relatime' flatpak errors out (permission denied mounting proc on /newroot/proc) 2022-02-11 19:26:23 +01:00			`line: tmpfs /run tmpfs rw,nosuid,nodev,noexec,size=1G,mode=0755 0 0`
Big chunk of changes - essential: - make polkit optional - move /etc/hosts file to unbound role - libvirt: - make libvirt daemons configurable - delete the firewall patch. Hardcode the rules by default (for now) so that the playbook is compatible with `ansible-core` - user: add pam_limits file (moved from dotfiles repository) - sysctl: role deleted. The task was moved to essential role - fstab: new role for /run, /tmp, /proc mounts - add seatd as a 'seat_manager' option - cron: use find command to restraint deleted files in /var/tmp 2022-02-11 18:39:35 +01:00			`owner: root`
			`group: root`
			`mode: 0644`

			`# polkit daemon obviously needs access to /proc to work`
			`# Note: Add the normal user to polkitd group afterward`
			`- block:`
			`# Busybox's mount doesn't interpret group name in GID, so check it`
			`# wheel group on Alpine by default has GID=10`
			`- name: fstab \| Check GID of group {{ proc_group }}`
			`shell: getent group {{ proc_group }} \| awk -F':' '{print $3}'`
			`register: proc_gid`

			`- name: fstab \| Restrict read access on /proc for {{ proc_group }} group`
			`lineinfile:`
			`path: /etc/fstab`
			`state: present`
			`regexp: '^proc[ \t]+/proc[ \t]+proc'`
fstab: remove noatime option The default value is 'relatime' flatpak errors out (permission denied mounting proc on /newroot/proc) 2022-02-11 19:26:23 +01:00			`line: 'proc /proc proc rw,nosuid,nodev,noexec,hidepid=2,gid={{ proc_gid.stdout }} 0 0'`
Big chunk of changes - essential: - make polkit optional - move /etc/hosts file to unbound role - libvirt: - make libvirt daemons configurable - delete the firewall patch. Hardcode the rules by default (for now) so that the playbook is compatible with `ansible-core` - user: add pam_limits file (moved from dotfiles repository) - sysctl: role deleted. The task was moved to essential role - fstab: new role for /run, /tmp, /proc mounts - add seatd as a 'seat_manager' option - cron: use find command to restraint deleted files in /var/tmp 2022-02-11 18:39:35 +01:00			`owner: root`
			`group: root`
			`mode: 0644`
			`vars:`
			`proc_group: '{{ use_polkit \| ternary("polkitd", "wheel") }}'`