Add PAM config for base-session

c199f2b52e.

Also:
- Use TOML as inventory format (to disgust YAML ^-^)
- Adjust TODO list:
  - drop go-audit (unmaintained upstream)
  - add turnstile (more interesting than pam-rundir)
- Drop waydroid role as upstream system config script is a mess

TODO.md

@@ -7,18 +7,18 @@ Stuff that are planned to be changed.
 - [ ] /etc/security/access.conf (maybe?)
 - [ ] snapper / btrbk (rootfs=btrfs)
 - [ ] sanoid (rootfs=zfs)
-- [ ] auditd / go-audit
+- [ ] auditd
 - [ ] incron
 - [ ] bees
-- [ ] Option for other bootloaders (refind / efistub / limine / zfsbootmenu)
-  - [ ] Refactor grub role
+- [ ] Option for other bootloaders (refind / efistub / limine / zfsbootmenu / gummiboot (a.k.a systemd-boot))
 - [ ] Option for other dhcp clients (kea)
 - [ ] Option for other initramfs generators (booster, dracut)
+- [ ] `i915.enable_guc=3` (/etc/modprobe.d/kms.conf)
+- [ ] turnstile as an alternative to pam-rundir/elogind
 
 ## Cosmetic
 
 - [ ] Packer + Terraform / Pulumi (zfs + btrfs VMs) for testing
-- [ ] Self-built kernels (e.g. RT kernels)
 - [ ] ZFS on root
 - [ ] EFI secure boot (also sign fwupd efi binary)
 

ansible.cfg

@@ -1,5 +1,5 @@
 [defaults]
-inventory = ./inventory
+inventory = ./inventory.toml
 gathering = explicit
 display_skipped_hosts = False
 host_key_checking = False

group_vars/all.yml

@@ -28,8 +28,6 @@ acpid_daemon: busybox
 
 device_manager: mdevd
 
-audit_daemon: auditd
-
 crond_provider: cronie
 
 syslog_provider: busybox
@@ -130,11 +128,6 @@ earlyoom:
   mem_min_percent: 5,2
   swap_min_percent: 10,5
 
-# Configure waydroid base image
-waydroid:
-  rom_type: lineage # lineage, bliss
-  system_type: VANILLA # FOSS, GAPPS, VANILLA
-
 # Secrets encrypted with ansible-vault ────────────────────────────────────────
 
 password: '{{ vault_password }}'

inventory

@@ -1,5 +0,0 @@
----
-local:
-  hosts:
-    localhost:
-      ansible_connection: local

inventory.toml

@@ -0,0 +1,2 @@
+[local.hosts]
+localhost = { ansible_connection = "local" }

requirements/accepted_variables.yml

@@ -3,6 +3,7 @@ bootloader:
   - grub
   - limine
   - efistub
+  - gummiboot
 
 initramfs_generator:
   - mkinitfs
@@ -49,10 +50,6 @@ dhcp_client:
   - connman
   - kea
 
-audit_daemon:
-  - auditd
-  - go-audit
-
 crond_provider:
   - busybox
   - cronie

roles/seat/tasks/main.yml

@@ -41,3 +41,12 @@
         enabled: true
         state: started
   when: seat_manager == 'seatd'
+
+# For XDG_RUNTIME_DIR env
+- name: Set "login" PAM to use to base-session instead of base-session-noninteractive
+  community.general.pamd:
+    name: login
+    type: session
+    control: include
+    module_path: base-session-noninteractive
+    new_module_path: base-session

roles/waydroid/tasks/main.yml

@@ -1,26 +0,0 @@
----
-# TODO: work out nftables firewall rules (should be on upstream)
-- name: waydroid | Install waydroid
-  community.general.apk:
-    name: waydroid
-    state: present
-
-- name: waydroid | Download base image and initialize
-  command:
-    cmd: 'waydroid init -s {{ waydroid.system_type }} -r {{ waydroid.rom_type }}'
-    creates: /var/lib/waydroid/image/system.img
-
-- name: waydroid | Add apparmor rules
-  blockinfile:
-    block: |
-      @{run}/waydroid-lxc/ r,
-      @{run}/waydroid-lxc/* rw,
-    marker: '# {mark} WAYDROID BLOCK'
-    path: /etc/apparmor.d/local/usr.sbin.dnsmasq
-
-- name: waydroid | Start container service on runlevel 'default'
-  service:
-    name: waydroid-container
-    runlevel: default
-    state: started
-    enabled: true

setup.yml

@@ -64,5 +64,3 @@
       tags: earlyoom
     - role: user
       tags: user
-    - role: waydroid
-      tags: [waydroid, never]