From d1bc71e7f700cda419d5a93f500a2169c48ed4ed Mon Sep 17 00:00:00 2001 From: FollieHiyuki Date: Sun, 27 Feb 2022 23:00:01 +0700 Subject: [PATCH] Add usbguard role + refactor apk packages --- README.md | 2 +- Vagrantfile | 7 ++++--- roles/acpi/tasks/main.yml | 2 +- roles/apparmor/tasks/main.yml | 5 +++++ roles/cron/files/fstrim | 5 +++-- roles/essential/tasks/main.yml | 5 +---- roles/libvirt/tasks/main.yml | 5 +++++ roles/nftables/tasks/main.yml | 5 +++++ roles/unbound/tasks/main.yml | 5 +++++ roles/usbguard/tasks/main.yml | 22 ++++++++++++++++++++++ roles/user/tasks/main.yml | 5 +++++ setup.yml | 2 ++ 12 files changed, 59 insertions(+), 11 deletions(-) create mode 100644 roles/usbguard/tasks/main.yml diff --git a/README.md b/README.md index d186bae..e897589 100644 --- a/README.md +++ b/README.md @@ -42,7 +42,7 @@ This is an Ansible playbook to deploy my system configurations for desktop usage vagrant up # ssh into the VM (OpenSSH is required) -# Alternatively run 'vagrant ssh-config' to get the machine IP address +# Alternatively run 'vagrant ssh-config' to get the machine's IP address # and manually ssh into it, e.g. 'dbclient -y vagrant@' vagrant ssh diff --git a/Vagrantfile b/Vagrantfile index 2da2749..fbdfc80 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -6,6 +6,7 @@ mkdir -pv /vagrant/host_vars echo \"vault_password: \'123456\'\" > /vagrant/host_vars/localhost.yml SCRIPT +ENV['VAGRANT_DEFAULT_PROVIDER'] = 'libvirt' Vagrant.configure("2") do |config| config.vm.define :sysconfig do |sysconfig| sysconfig.vm.box = "generic/alpine315" @@ -20,8 +21,8 @@ Vagrant.configure("2") do |config| end sysconfig.vm.provision "shell", inline: $provision_script - end - config.vm.synced_folder ".", "/vagrant", type: "rsync", - rsync__exclude: [".git/", "Vagrantfile", ".gitignore"] + sysconfig.vm.synced_folder ".", "/vagrant", type: "rsync", + rsync__exclude: [".git/", "Vagrantfile", ".gitignore"] + end end 
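Review bot: `ENV['VAGRANT_DEFAULT_PROVIDER'] = 'libvirt'` in the Vagrantfile hunk unconditionally overwrites whatever provider the user exported in their shell, so an explicit `VAGRANT_DEFAULT_PROVIDER=virtualbox vagrant up` is silently ignored. Using `ENV['VAGRANT_DEFAULT_PROVIDER'] ||= 'libvirt'` keeps libvirt as the default for this repo while still honouring an override from the environment. Moving `synced_folder` inside the `sysconfig` define block looks correct, since the rsync exclude list only concerns that machine.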
diff --git a/roles/acpi/tasks/main.yml b/roles/acpi/tasks/main.yml index 5715879..9caabb8 100644 --- a/roles/acpi/tasks/main.yml +++ b/roles/acpi/tasks/main.yml @@ -1,6 +1,6 @@ --- +# elogind also handles acpi events - block: - # elogind also handles acpi events - name: acpi | Do not run acpid service service: name: acpid diff --git a/roles/apparmor/tasks/main.yml b/roles/apparmor/tasks/main.yml index 5101251..38d61d4 100644 --- a/roles/apparmor/tasks/main.yml +++ b/roles/apparmor/tasks/main.yml @@ -1,4 +1,9 @@ --- +- name: apparmor | Install apparmor + apk: + name: apparmor, apparmor-profiles + state: present + - name: apparmor | Enable writing cache and faster DFA transition table compression lineinfile: path: /etc/apparmor/parser.conf diff --git a/roles/cron/files/fstrim b/roles/cron/files/fstrim index 5c8f2b2..f84a807 100644 --- a/roles/cron/files/fstrim +++ b/roles/cron/files/fstrim @@ -1,5 +1,6 @@ #!/bin/sh -# This needs fstrim (which will be pulled by installing fish anyway) -# For busybox's fstrim, using multiple 'fstrim /mount_point' is more feasible +# This needs fstrim (which will be pulled by installing tlp anyway) /sbin/fstrim -a + +# For busybox's fstrim, using multiple 'fstrim /mount_point' is more feasible diff --git a/roles/essential/tasks/main.yml b/roles/essential/tasks/main.yml index 3031fe2..0d83211 100644 --- a/roles/essential/tasks/main.yml +++ b/roles/essential/tasks/main.yml @@ -15,10 +15,7 @@ - name: essential | Install common dependencies apk: - name: >- - doas, nftables, zstd, fish, dbus, terminus-font, apparmor-profiles, - apparmor, openresolv, libvirt-daemon, qemu-img, qemu-system-x86_64, - qemu-modules, shadow-login, unbound, dns-root-hints, eudev + name: zstd, dbus, terminus-font, shadow-login, eudev state: present - name: essential | Start services on runlevel 'default' diff --git a/roles/libvirt/tasks/main.yml b/roles/libvirt/tasks/main.yml index b7b4719..793d7d2 100644 --- a/roles/libvirt/tasks/main.yml 
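Review bot: The rewritten comment in the fstrim hunk now says fstrim is pulled in by tlp, but tlp is applied under the `laptop`/`tlp` tags in setup.yml (visible in the last hunk), so on a run that skips those tags `/sbin/fstrim -a` may not exist and the cron job fails on every invocation. A one-line guard before the call, `[ -x /sbin/fstrim ] || exit 0`, makes the script degrade quietly; alternatively the cron role could install the package that provides fstrim itself rather than relying on an unrelated role's dependency. The moved busybox remark would read better directly above the `/sbin/fstrim -a` line it explains.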
+++ b/roles/libvirt/tasks/main.yml @@ -1,4 +1,9 @@ --- +- name: libvirt | Install libvirt and qemu + apk: + name: libvirt-daemon, qemu-img, qemu-system-x86_64, qemu-modules + state: present + - name: libvirt | Allow IPv6 RA passthrough for libvirt NAT lineinfile: path: /etc/sysctl.d/custom.conf diff --git a/roles/nftables/tasks/main.yml b/roles/nftables/tasks/main.yml index 6223828..1d6209f 100644 --- a/roles/nftables/tasks/main.yml +++ b/roles/nftables/tasks/main.yml @@ -1,4 +1,9 @@ --- +- name: nftables | Install nftables + apk: + name: nftables + state: present + - name: nftables | Copy firewall configuration copy: src: nftables.nft diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 42c17b6..4b7926d 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -1,4 +1,9 @@ --- +- name: unbound | Install unbound, openresolv and dns-root-hints + apk: + name: openresolv, unbound, dns-root-hints + state: present + - name: unbound | Create /dev directory inside unbound chroot file: path: /etc/unbound/dev diff --git a/roles/usbguard/tasks/main.yml b/roles/usbguard/tasks/main.yml new file mode 100644 index 0000000..2fb6f94 --- /dev/null +++ b/roles/usbguard/tasks/main.yml @@ -0,0 +1,22 @@ +--- +- name: usbguard | Install usbguard + apk: + name: usbguard + state: present + +- name: usbguard | Allow normal user to control policy via IPC + lineinfile: + path: /etc/usbguard/usbguard-daemon.conf + regexp: '^IPCAllowedUsers=' + line: 'IPCAllowedUsers=root {{ username }}' + state: present + owner: root + group: root + mode: 0644 + +- name: usbguard | Start usbguard service on runlevel 'default' + service: + name: usbguard + runlevel: default + enabled: yes + state: started diff --git a/roles/user/tasks/main.yml b/roles/user/tasks/main.yml index 3fe7d0e..d3ab9b4 100644 --- a/roles/user/tasks/main.yml +++ b/roles/user/tasks/main.yml 
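Review bot: In the new roles/usbguard/tasks/main.yml the service is enabled and started without any rules file being provisioned; if Alpine ships the upstream defaults (`ImplicitPolicyTarget=block`, `PresentDevicePolicy=apply-policy`), every device attached at daemon start, including a USB keyboard, is blocked until someone writes a policy, which can lock the operator out of the machine being configured. Generating an initial policy from the currently attached devices, guarded with `creates:` so an existing policy is never overwritten, avoids that and is the upstream-recommended first step. Separately, `IPCAllowedUsers=root {{ username }}` lets that account allow-list devices permanently through the IPC interface, so the device policy is only as strong as that user's session; a short comment on the task stating that trade-off would help the next reader.
```yaml
# … unchanged: install task …

- name: usbguard | Generate an initial policy from currently attached devices
  shell: usbguard generate-policy > /etc/usbguard/rules.conf
  args:
    creates: /etc/usbguard/rules.conf

# … unchanged: IPC and service tasks …
```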
@@ -1,4 +1,9 @@ --- +- name: user | Install doas and fish + apk: + name: doas, fish + state: present + - name: user | Create a normal user user: name: '{{ username }}' diff --git a/setup.yml b/setup.yml index 679ea35..7f21b56 100644 --- a/setup.yml +++ b/setup.yml @@ -41,6 +41,8 @@ tags: [ laptop, tlp ] - role: unbound tags: unbound + - role: usbguard + tags: usbguard - role: zram tags: zram - role: user
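Review bot: In setup.yml the new `- role: usbguard` entry is placed before `- role: user`, yet the usbguard role writes `IPCAllowedUsers=root {{ username }}` and starts the daemon immediately; on a fresh host the account is only created later by the user role, so the daemon presumably starts with an unresolvable user in its IPC ACL and may warn or reject it until the next restart. Listing `- role: usbguard` / `tags: usbguard` after `- role: user` keeps account creation first without changing anything else in the play.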