Add usbguard role + refactor apk packages

README.md

@@ -42,7 +42,7 @@ This is an Ansible playbook to deploy my system configurations for desktop usage
 vagrant up
 
 # ssh into the VM (OpenSSH is required)
-# Alternatively run 'vagrant ssh-config' to get the machine IP address
+# Alternatively run 'vagrant ssh-config' to get the machine's IP address
 # and manually ssh into it, e.g. 'dbclient -y vagrant@<ip_address>'
 vagrant ssh
 

Vagrantfile

@@ -6,6 +6,7 @@ mkdir -pv /vagrant/host_vars
 echo \"vault_password: \'123456\'\" > /vagrant/host_vars/localhost.yml
 SCRIPT
 
+ENV['VAGRANT_DEFAULT_PROVIDER'] = 'libvirt'
 Vagrant.configure("2") do |config|
   config.vm.define :sysconfig do |sysconfig|
     sysconfig.vm.box = "generic/alpine315"
@@ -20,8 +21,8 @@ Vagrant.configure("2") do |config|
     end
 
     sysconfig.vm.provision "shell", inline: $provision_script
-  end
 
-  config.vm.synced_folder ".", "/vagrant", type: "rsync",
-    rsync__exclude: [".git/", "Vagrantfile", ".gitignore"]
+    sysconfig.vm.synced_folder ".", "/vagrant", type: "rsync",
+      rsync__exclude: [".git/", "Vagrantfile", ".gitignore"]
+  end
 end

roles/acpi/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
+# elogind also handles acpi events
 - block:
-    # elogind also handles acpi events
     - name: acpi | Do not run acpid service
       service:
         name: acpid

roles/apparmor/tasks/main.yml

@@ -1,4 +1,9 @@
 ---
+- name: apparmor | Install apparmor
+  apk:
+    name: apparmor, apparmor-profiles
+    state: present
+
 - name: apparmor | Enable writing cache and faster DFA transition table compression
   lineinfile:
     path: /etc/apparmor/parser.conf

roles/cron/files/fstrim

@@ -1,5 +1,6 @@
 #!/bin/sh
 
-# This needs fstrim (which will be pulled by installing fish anyway)
-# For busybox's fstrim, using multiple 'fstrim /mount_point' is more feasible
+# This needs fstrim (which will be pulled by installing tlp anyway)
 /sbin/fstrim -a
+
+# For busybox's fstrim, using multiple 'fstrim /mount_point' is more feasible

roles/essential/tasks/main.yml

@@ -15,10 +15,7 @@
 
 - name: essential | Install common dependencies
   apk:
-    name: >-
-      doas, nftables, zstd, fish, dbus, terminus-font, apparmor-profiles,
-      apparmor, openresolv, libvirt-daemon, qemu-img, qemu-system-x86_64,
-      qemu-modules, shadow-login, unbound, dns-root-hints, eudev
+    name: zstd, dbus, terminus-font, shadow-login, eudev
     state: present
 
 - name: essential | Start services on runlevel 'default'

roles/libvirt/tasks/main.yml

@@ -1,4 +1,9 @@
 ---
+- name: libvirt | Install libvirt and qemu
+  apk:
+    name: libvirt-daemon, qemu-img, qemu-system-x86_64, qemu-modules
+    state: present
+
 - name: libvirt | Allow IPv6 RA passthrough for libvirt NAT
   lineinfile:
     path: /etc/sysctl.d/custom.conf

roles/nftables/tasks/main.yml

@@ -1,4 +1,9 @@
 ---
+- name: nftables | Install nftables
+  apk:
+    name: nftables
+    state: present
+
 - name: nftables | Copy firewall configuration
   copy:
     src: nftables.nft

roles/unbound/tasks/main.yml

@@ -1,4 +1,9 @@
 ---
+- name: unbound | Install unbound, openresolv and dns-root-hints
+  apk:
+    name: openresolv, unbound, dns-root-hints
+    state: present
+
 - name: unbound | Create /dev directory inside unbound chroot
   file:
     path: /etc/unbound/dev

roles/usbguard/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- name: usbguard | Install usbguard
+  apk:
+    name: usbguard
+    state: present
+
+- name: usbguard | Allow normal user to control policy via IPC
+  lineinfile:
+    path: /etc/usbguard/usbguard-daemon.conf
+    regexp: '^IPCAllowedUsers='
+    line: 'IPCAllowedUsers=root {{ username }}'
+    state: present
+    owner: root
+    group: root
+    mode: 0644
+
+- name: usbguard | Start usbguard service on runlevel 'default'
+  service:
+    name: usbguard
+    runlevel: default
+    enabled: yes
+    state: started

roles/user/tasks/main.yml

@@ -1,4 +1,9 @@
 ---
+- name: user | Install doas and fish
+  apk:
+    name: doas, fish
+    state: present
+
 - name: user | Create a normal user
   user:
     name: '{{ username }}'

setup.yml

@@ -41,6 +41,8 @@
       tags: [ laptop, tlp ]
     - role: unbound
       tags: unbound
+    - role: usbguard
+      tags: usbguard
     - role: zram
       tags: zram
     - role: user