Add usbguard role + refactor apk packages
This commit is contained in:
parent
74bad76431
commit
d1bc71e7f7
12 changed files with 59 additions and 11 deletions
@ -42,7 +42,7 @@ This is an Ansible playbook to deploy my system configurations for desktop usage
vagrant up
# ssh into the VM (OpenSSH is required)
# Alternatively run 'vagrant ssh-config' to get the machine IP address
# Alternatively run 'vagrant ssh-config' to get the machine's IP address
# and manually ssh into it, e.g. 'dbclient -y vagrant@<ip_address>'
vagrant ssh
7
Vagrantfile
vendored
@ -6,6 +6,7 @@ mkdir -pv /vagrant/host_vars
echo \"vault_password: \'123456\'\" > /vagrant/host_vars/localhost.yml
SCRIPT
ENV['VAGRANT_DEFAULT_PROVIDER'] = 'libvirt'
Vagrant.configure("2") do |config|
config.vm.define :sysconfig do |sysconfig|
sysconfig.vm.box = "generic/alpine315"
@ -20,8 +21,8 @@ Vagrant.configure("2") do |config|
end
sysconfig.vm.provision "shell", inline: $provision_script
end
config.vm.synced_folder ".", "/vagrant", type: "rsync",
rsync__exclude: [".git/", "Vagrantfile", ".gitignore"]
sysconfig.vm.synced_folder ".", "/vagrant", type: "rsync",
rsync__exclude: [".git/", "Vagrantfile", ".gitignore"]
end
end
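Review bot: `ENV['VAGRANT_DEFAULT_PROVIDER'] = 'libvirt'`, the first added line of this section, assigns unconditionally, so a user who exports a different provider before running `vagrant up` is silently overridden. `ENV['VAGRANT_DEFAULT_PROVIDER'] ||= 'libvirt'` keeps libvirt as the default while still honouring the environment, which is the usual intent of a "default" provider setting in a Vagrantfile.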
@ -1,6 +1,6 @@
---
# elogind also handles acpi events
- block:
# elogind also handles acpi events
- name: acpi | Do not run acpid service
service:
name: acpid
@ -1,4 +1,9 @@
---
- name: apparmor | Install apparmor
apk:
name: apparmor, apparmor-profiles
state: present
- name: apparmor | Enable writing cache and faster DFA transition table compression
lineinfile:
path: /etc/apparmor/parser.conf
@ -1,5 +1,6 @@
#!/bin/sh
# This needs fstrim (which will be pulled by installing fish anyway)
# For busybox's fstrim, using multiple 'fstrim /mount_point' is more feasible
# This needs fstrim (which will be pulled by installing tlp anyway)
/sbin/fstrim -a
# For busybox's fstrim, using multiple 'fstrim /mount_point' is more feasible
@ -15,10 +15,7 @@
- name: essential | Install common dependencies
apk:
name: >-
doas, nftables, zstd, fish, dbus, terminus-font, apparmor-profiles,
apparmor, openresolv, libvirt-daemon, qemu-img, qemu-system-x86_64,
qemu-modules, shadow-login, unbound, dns-root-hints, eudev
name: zstd, dbus, terminus-font, shadow-login, eudev
state: present
- name: essential | Start services on runlevel 'default'
@ -1,4 +1,9 @@
---
- name: libvirt | Install libvirt and qemu
apk:
name: libvirt-daemon, qemu-img, qemu-system-x86_64, qemu-modules
state: present
- name: libvirt | Allow IPv6 RA passthrough for libvirt NAT
lineinfile:
path: /etc/sysctl.d/custom.conf
@ -1,4 +1,9 @@
---
- name: nftables | Install nftables
apk:
name: nftables
state: present
- name: nftables | Copy firewall configuration
copy:
src: nftables.nft
@ -1,4 +1,9 @@
---
- name: unbound | Install unbound, openresolv and dns-root-hints
apk:
name: openresolv, unbound, dns-root-hints
state: present
- name: unbound | Create /dev directory inside unbound chroot
file:
path: /etc/unbound/dev
22
roles/usbguard/tasks/main.yml
Normal file
@ -0,0 +1,22 @@
---
- name: usbguard | Install usbguard
apk:
name: usbguard
state: present
- name: usbguard | Allow normal user to control policy via IPC
lineinfile:
path: /etc/usbguard/usbguard-daemon.conf
regexp: '^IPCAllowedUsers='
line: 'IPCAllowedUsers=root {{ username }}'
state: present
owner: root
group: root
mode: 0644
- name: usbguard | Start usbguard service on runlevel 'default'
service:
name: usbguard
runlevel: default
enabled: yes
state: started
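Review bot: The final service task starts usbguard-daemon without ensuring a rule file exists; if the packaged daemon.conf keeps upstream's default of `ImplicitPolicyTarget=block` (not visible on this page, so worth checking on the Alpine package), an absent or empty `/etc/usbguard/rules.conf` means every device not explicitly allowed, including an attached keyboard or mouse, is blocked the moment the service comes up, which is why the usbguard documentation recommends seeding the policy with `usbguard generate-policy` before enabling the daemon. A task guarded by `creates:` between the install and service tasks, as below, does that once and never overwrites a policy the user has since edited. Separately, the `IPCAllowedUsers=root {{ username }}` line hands the unprivileged account full authority to allow, block and permanently rewrite the policy; if only per-device allow/block decisions are intended, usbguard's `IPCAccessControlFiles` mechanism can scope that user to the specific sections and privileges needed. Finally, `mode: 0644` is safer written as the string `mode: '0644'` so the YAML parser cannot misread the leading zero.
```yaml
- name: usbguard | Generate an initial policy allowing currently present devices
  shell: usbguard generate-policy > /etc/usbguard/rules.conf
  args:
    creates: /etc/usbguard/rules.conf
```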
@ -1,4 +1,9 @@
---
- name: user | Install doas and fish
apk:
name: doas, fish
state: present
- name: user | Create a normal user
user:
name: '{{ username }}'
@ -41,6 +41,8 @@
tags: [ laptop, tlp ]
- role: unbound
tags: unbound
- role: usbguard
tags: usbguard
- role: zram
tags: zram
- role: user
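Review bot: The new `- role: usbguard` entry is listed before `- role: user`, so on a fresh host the usbguard role writes `IPCAllowedUsers=root {{ username }}` and starts the daemon before the user role has created that account. I cannot tell from this page whether usbguard-daemon rejects or merely ignores an unknown name in that setting, so either confirm that behaviour or move the entry below `- role: user`; the role list continues outside this hunk.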