Add PAM config for base-session
c199f2b52e
Also:
- Use TOML as inventory format (to ditch YAML ^-^)
- Adjust TODO list:
- drop go-audit (unmaintained upstream)
- add turnstile (more interesting than pam-rundir)
- Drop waydroid role as upstream system config script is a mess
This commit is contained in:
parent
bc8bc72c98
commit
fb9c5ebaed
8
TODO.md
8
TODO.md
|
@ -7,18 +7,18 @@ Stuff that are planned to be changed.
|
|||
- [ ] /etc/security/access.conf (maybe?)
|
||||
- [ ] snapper / btrbk (rootfs=btrfs)
|
||||
- [ ] sanoid (rootfs=zfs)
|
||||
- [ ] auditd / go-audit
|
||||
- [ ] auditd
|
||||
- [ ] incron
|
||||
- [ ] bees
|
||||
- [ ] Option for other bootloaders (refind / efistub / limine / zfsbootmenu)
|
||||
- [ ] Refactor grub role
|
||||
- [ ] Option for other bootloaders (refind / efistub / limine / zfsbootmenu / gummiboot (a.k.a systemd-boot))
|
||||
- [ ] Option for other dhcp clients (kea)
|
||||
- [ ] Option for other initramfs generators (booster, dracut)
|
||||
- [ ] `i915.enable_guc=3` (/etc/modprobe.d/kms.conf)
|
||||
- [ ] turnstile as an alternative to pam-rundir/elogind
|
||||
|
||||
## Cosmetic
|
||||
|
||||
- [ ] Packer + Terraform / Pulumi (zfs + btrfs VMs) for testing
|
||||
- [ ] Self-built kernels (e.g. RT kernels)
|
||||
- [ ] ZFS on root
|
||||
- [ ] EFI secure boot (also sign fwupd efi binary)
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
[defaults]
|
||||
inventory = ./inventory
|
||||
inventory = ./inventory.toml
|
||||
gathering = explicit
|
||||
display_skipped_hosts = False
|
||||
host_key_checking = False
|
||||
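Review bot: `host_key_checking = False` stays in effect on the new side even though the inventory this config now points at (`./inventory.toml`) appears, from the new file later on this page, to define only `localhost` with `ansible_connection = "local"`, where host key checking never applies. The only effect the setting has is on any SSH-managed host that gets added later: its host key would be accepted without verification, which exposes the control connection to man-in-the-middle attacks. Suggest dropping the line, or setting `host_key_checking = True` and pre-seeding `known_hosts` when remote hosts are introduced. The rest of `[defaults]` is outside the hunk, so I cannot tell whether anything else depends on it.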
|
|
|
@ -28,8 +28,6 @@ acpid_daemon: busybox
|
|||
|
||||
device_manager: mdevd
|
||||
|
||||
audit_daemon: auditd
|
||||
|
||||
crond_provider: cronie
|
||||
|
||||
syslog_provider: busybox
|
||||
|
@ -130,11 +128,6 @@ earlyoom:
|
|||
mem_min_percent: 5,2
|
||||
swap_min_percent: 10,5
|
||||
|
||||
# Configure waydroid base image
|
||||
waydroid:
|
||||
rom_type: lineage # lineage, bliss
|
||||
system_type: VANILLA # FOSS, GAPPS, VANILLA
|
||||
|
||||
# Secrets encrypted with ansible-vault ────────────────────────────────────────
|
||||
|
||||
password: '{{ vault_password }}'
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
[local.hosts]
|
||||
localhost = { ansible_connection = "local" }
|
|
@ -3,6 +3,7 @@ bootloader:
|
|||
- grub
|
||||
- limine
|
||||
- efistub
|
||||
- gummiboot
|
||||
|
||||
initramfs_generator:
|
||||
- mkinitfs
|
||||
|
@ -49,10 +50,6 @@ dhcp_client:
|
|||
- connman
|
||||
- kea
|
||||
|
||||
audit_daemon:
|
||||
- auditd
|
||||
- go-audit
|
||||
|
||||
crond_provider:
|
||||
- busybox
|
||||
- cronie
|
||||
|
|
|
@ -41,3 +41,12 @@
|
|||
enabled: true
|
||||
state: started
|
||||
when: seat_manager == 'seatd'
|
||||
|
||||
# For XDG_RUNTIME_DIR env
|
||||
- name: Set "login" PAM to use to base-session instead of base-session-noninteractive
|
||||
community.general.pamd:
|
||||
name: login
|
||||
type: session
|
||||
control: include
|
||||
module_path: base-session-noninteractive
|
||||
new_module_path: base-session
|
||||
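Review bot: The new `community.general.pamd` task edits the `login` service stack on every host without a `backup` and without a `when` guard, unlike the seatd task directly above it that is gated on `seat_manager`; a mistaken rewrite of `/etc/pam.d/login` can lock out console logins with no easy recovery. Suggest adding `backup: true` to the module args, and, if the `XDG_RUNTIME_DIR` need only arises with a particular seat manager, a `when:` condition on `seat_manager` like the preceding task. Also note that after the first run the rule no longer matches `base-session-noninteractive`, so whether the module reports unchanged or fails on re-runs should be verified for idempotence. The earlier tasks in this file lie outside the hunk.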
|
|
|
@ -1,26 +0,0 @@
|
|||
---
|
||||
# TODO: work out nftables firewall rules (should be on upstream)
|
||||
- name: waydroid | Install waydroid
|
||||
community.general.apk:
|
||||
name: waydroid
|
||||
state: present
|
||||
|
||||
- name: waydroid | Download base image and initialize
|
||||
command:
|
||||
cmd: 'waydroid init -s {{ waydroid.system_type }} -r {{ waydroid.rom_type }}'
|
||||
creates: /var/lib/waydroid/image/system.img
|
||||
|
||||
- name: waydroid | Add apparmor rules
|
||||
blockinfile:
|
||||
block: |
|
||||
@{run}/waydroid-lxc/ r,
|
||||
@{run}/waydroid-lxc/* rw,
|
||||
marker: '# {mark} WAYDROID BLOCK'
|
||||
path: /etc/apparmor.d/local/usr.sbin.dnsmasq
|
||||
|
||||
- name: waydroid | Start container service on runlevel 'default'
|
||||
service:
|
||||
name: waydroid-container
|
||||
runlevel: default
|
||||
state: started
|
||||
enabled: true
|