Add usbguard role + refactor apk packages
This commit is contained in:
parent
74bad76431
commit
d1bc71e7f7
@ -42,7 +42,7 @@ This is an Ansible playbook to deploy my system configurations for desktop usage
|
||||||
vagrant up
|
vagrant up
|
||||||
|
|
||||||
# ssh into the VM (OpenSSH is required)
|
# ssh into the VM (OpenSSH is required)
|
||||||
# Alternatively run 'vagrant ssh-config' to get the machine IP address
|
# Alternatively run 'vagrant ssh-config' to get the machine's IP address
|
||||||
# and manually ssh into it, e.g. 'dbclient -y vagrant@<ip_address>'
|
# and manually ssh into it, e.g. 'dbclient -y vagrant@<ip_address>'
|
||||||
vagrant ssh
|
vagrant ssh
|
||||||
|
|
||||||
|
|
7
Vagrantfile
vendored
7
Vagrantfile
vendored
|
@ -6,6 +6,7 @@ mkdir -pv /vagrant/host_vars
|
||||||
echo \"vault_password: \'123456\'\" > /vagrant/host_vars/localhost.yml
|
echo \"vault_password: \'123456\'\" > /vagrant/host_vars/localhost.yml
|
||||||
SCRIPT
|
SCRIPT
|
||||||
|
|
||||||
|
ENV['VAGRANT_DEFAULT_PROVIDER'] = 'libvirt'
|
||||||
Vagrant.configure("2") do |config|
|
Vagrant.configure("2") do |config|
|
||||||
config.vm.define :sysconfig do |sysconfig|
|
config.vm.define :sysconfig do |sysconfig|
|
||||||
sysconfig.vm.box = "generic/alpine315"
|
sysconfig.vm.box = "generic/alpine315"
|
||||||
|
@ -20,8 +21,8 @@ Vagrant.configure("2") do |config|
|
||||||
end
|
end
|
||||||
|
|
||||||
sysconfig.vm.provision "shell", inline: $provision_script
|
sysconfig.vm.provision "shell", inline: $provision_script
|
||||||
end
|
|
||||||
|
|
||||||
config.vm.synced_folder ".", "/vagrant", type: "rsync",
|
sysconfig.vm.synced_folder ".", "/vagrant", type: "rsync",
|
||||||
rsync__exclude: [".git/", "Vagrantfile", ".gitignore"]
|
rsync__exclude: [".git/", "Vagrantfile", ".gitignore"]
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
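Review bot: `ENV['VAGRANT_DEFAULT_PROVIDER'] = 'libvirt'` in the first hunk overwrites a provider the invoking user may already have exported, so `VAGRANT_DEFAULT_PROVIDER=virtualbox vagrant up` is silently forced back to libvirt. `ENV['VAGRANT_DEFAULT_PROVIDER'] ||= 'libvirt'` keeps libvirt as the default while still honouring an explicit choice. The second hunk's move of `synced_folder` onto `sysconfig` only changes scope, not behaviour, as far as the visible lines show.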
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
|
# elogind also handles acpi events
|
||||||
- block:
|
- block:
|
||||||
# elogind also handles acpi events
|
|
||||||
- name: acpi | Do not run acpid service
|
- name: acpi | Do not run acpid service
|
||||||
service:
|
service:
|
||||||
name: acpid
|
name: acpid
|
||||||
|
|
|
@ -1,4 +1,9 @@
|
||||||
---
|
---
|
||||||
|
- name: apparmor | Install apparmor
|
||||||
|
apk:
|
||||||
|
name: apparmor, apparmor-profiles
|
||||||
|
state: present
|
||||||
|
|
||||||
- name: apparmor | Enable writing cache and faster DFA transition table compression
|
- name: apparmor | Enable writing cache and faster DFA transition table compression
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/apparmor/parser.conf
|
path: /etc/apparmor/parser.conf
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
# This needs fstrim (which will be pulled by installing fish anyway)
|
# This needs fstrim (which will be pulled by installing tlp anyway)
|
||||||
# For busybox's fstrim, using multiple 'fstrim /mount_point' is more feasible
|
|
||||||
/sbin/fstrim -a
|
/sbin/fstrim -a
|
||||||
|
|
||||||
|
# For busybox's fstrim, using multiple 'fstrim /mount_point' is more feasible
|
||||||
|
|
|
@ -15,10 +15,7 @@
|
||||||
|
|
||||||
- name: essential | Install common dependencies
|
- name: essential | Install common dependencies
|
||||||
apk:
|
apk:
|
||||||
name: >-
|
name: zstd, dbus, terminus-font, shadow-login, eudev
|
||||||
doas, nftables, zstd, fish, dbus, terminus-font, apparmor-profiles,
|
|
||||||
apparmor, openresolv, libvirt-daemon, qemu-img, qemu-system-x86_64,
|
|
||||||
qemu-modules, shadow-login, unbound, dns-root-hints, eudev
|
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: essential | Start services on runlevel 'default'
|
- name: essential | Start services on runlevel 'default'
|
||||||
|
|
|
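Review bot: The trimmed list at `name: zstd, dbus, terminus-font, shadow-login, eudev` drops nftables, unbound, libvirt and apparmor from this role, but the task that follows, `essential | Start services on runlevel 'default'`, continues outside the hunk; if it still enables any of those services it now runs before the package exists unless the play orders the new roles ahead of essential, which is worth confirming against the service list and role order. A one-line comment above the apk task, `# package-specific installs live in their own roles (nftables, unbound, libvirt, apparmor, usbguard, user)`, would make the split explicit for the next reader.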
@ -1,4 +1,9 @@
|
||||||
---
|
---
|
||||||
|
- name: libvirt | Install libvirt and qemu
|
||||||
|
apk:
|
||||||
|
name: libvirt-daemon, qemu-img, qemu-system-x86_64, qemu-modules
|
||||||
|
state: present
|
||||||
|
|
||||||
- name: libvirt | Allow IPv6 RA passthrough for libvirt NAT
|
- name: libvirt | Allow IPv6 RA passthrough for libvirt NAT
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/sysctl.d/custom.conf
|
path: /etc/sysctl.d/custom.conf
|
||||||
|
|
|
@ -1,4 +1,9 @@
|
||||||
---
|
---
|
||||||
|
- name: nftables | Install nftables
|
||||||
|
apk:
|
||||||
|
name: nftables
|
||||||
|
state: present
|
||||||
|
|
||||||
- name: nftables | Copy firewall configuration
|
- name: nftables | Copy firewall configuration
|
||||||
copy:
|
copy:
|
||||||
src: nftables.nft
|
src: nftables.nft
|
||||||
|
|
|
@ -1,4 +1,9 @@
|
||||||
---
|
---
|
||||||
|
- name: unbound | Install unbound, openresolv and dns-root-hints
|
||||||
|
apk:
|
||||||
|
name: openresolv, unbound, dns-root-hints
|
||||||
|
state: present
|
||||||
|
|
||||||
- name: unbound | Create /dev directory inside unbound chroot
|
- name: unbound | Create /dev directory inside unbound chroot
|
||||||
file:
|
file:
|
||||||
path: /etc/unbound/dev
|
path: /etc/unbound/dev
|
||||||
|
|
22
roles/usbguard/tasks/main.yml
Normal file
22
roles/usbguard/tasks/main.yml
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
---
|
||||||
|
- name: usbguard | Install usbguard
|
||||||
|
apk:
|
||||||
|
name: usbguard
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: usbguard | Allow normal user to control policy via IPC
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/usbguard/usbguard-daemon.conf
|
||||||
|
regexp: '^IPCAllowedUsers='
|
||||||
|
line: 'IPCAllowedUsers=root {{ username }}'
|
||||||
|
state: present
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
- name: usbguard | Start usbguard service on runlevel 'default'
|
||||||
|
service:
|
||||||
|
name: usbguard
|
||||||
|
runlevel: default
|
||||||
|
enabled: yes
|
||||||
|
state: started
|
|
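Review bot: `line: 'IPCAllowedUsers=root {{ username }}'` grants the unprivileged desktop user the full IPC interface, which includes editing the device policy itself (appending or removing rules) and not just allowing a single blocked device, so a compromise of that account is enough to persistently permit arbitrary USB devices. If the goal is only to let the user authorise a device, a narrower ACL through `IPCAccessControlFiles` (for example `usbguard add-user {{ username }} --devices=listen,list,modify --policy=list`) provides that without `Policy=modify`. The role also starts the service without provisioning `/etc/usbguard/rules.conf`; with the upstream defaults (`ImplicitPolicyTarget=block`, `PresentDevicePolicy=apply-policy`) an empty rules file blocks every device present at start-up, including input devices, so an initial policy step (a generated or copied rules file) should precede the service task — confirm the Alpine package's shipped defaults. Finally, `mode: 0644` on `usbguard-daemon.conf` should be compared with the permissions the package installs: the file governs IPC access and does not need to be world-readable, and `lineinfile` will widen it if the package ships it tighter.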
@ -1,4 +1,9 @@
|
||||||
---
|
---
|
||||||
|
- name: user | Install doas and fish
|
||||||
|
apk:
|
||||||
|
name: doas, fish
|
||||||
|
state: present
|
||||||
|
|
||||||
- name: user | Create a normal user
|
- name: user | Create a normal user
|
||||||
user:
|
user:
|
||||||
name: '{{ username }}'
|
name: '{{ username }}'
|
||||||
|
|