Add PAM config for base-session
c199f2b52e
Also:
- Use TOML as inventory format (to avoid YAML ^-^)
- Adjust TODO list:
- drop go-audit (unmaintained upstream)
- add turnstile (more interesting than pam-rundir)
- Drop waydroid role as upstream system config script is a mess
8
TODO.md
8
TODO.md
|
@ -7,18 +7,18 @@ Stuff that are planned to be changed.
|
||||||
- [ ] /etc/security/access.conf (maybe?)
|
- [ ] /etc/security/access.conf (maybe?)
|
||||||
- [ ] snapper / btrbk (rootfs=btrfs)
|
- [ ] snapper / btrbk (rootfs=btrfs)
|
||||||
- [ ] sanoid (rootfs=zfs)
|
- [ ] sanoid (rootfs=zfs)
|
||||||
- [ ] auditd / go-audit
|
- [ ] auditd
|
||||||
- [ ] incron
|
- [ ] incron
|
||||||
- [ ] bees
|
- [ ] bees
|
||||||
- [ ] Option for other bootloaders (refind / efistub / limine / zfsbootmenu)
|
- [ ] Option for other bootloaders (refind / efistub / limine / zfsbootmenu / gummiboot (a.k.a systemd-boot))
|
||||||
- [ ] Refactor grub role
|
|
||||||
- [ ] Option for other dhcp clients (kea)
|
- [ ] Option for other dhcp clients (kea)
|
||||||
- [ ] Option for other initramfs generators (booster, dracut)
|
- [ ] Option for other initramfs generators (booster, dracut)
|
||||||
|
- [ ] `i915.enable_guc=3` (/etc/modprobe.d/kms.conf)
|
||||||
|
- [ ] turnstile as an alternative to pam-rundir/elogind
|
||||||
|
|
||||||
## Cosmetic
|
## Cosmetic
|
||||||
|
|
||||||
- [ ] Packer + Terraform / Pulumi (zfs + btrfs VMs) for testing
|
- [ ] Packer + Terraform / Pulumi (zfs + btrfs VMs) for testing
|
||||||
- [ ] Self-built kernels (e.g. RT kernels)
|
|
||||||
- [ ] ZFS on root
|
- [ ] ZFS on root
|
||||||
- [ ] EFI secure boot (also sign fwupd efi binary)
|
- [ ] EFI secure boot (also sign fwupd efi binary)
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
[defaults]
|
[defaults]
|
||||||
inventory = ./inventory
|
inventory = ./inventory.toml
|
||||||
gathering = explicit
|
gathering = explicit
|
||||||
display_skipped_hosts = False
|
display_skipped_hosts = False
|
||||||
host_key_checking = False
|
host_key_checking = False
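Review bot: The new `inventory = ./inventory.toml` line hands inventory parsing to the `toml` inventory plugin, which unlike the ini and yaml plugins needs a TOML parser on the controller: `tomllib` on Python 3.11+, otherwise the `tomli` or `toml` package has to be installed separately. As far as I recall, a source that no enabled plugin can parse only produces a warning and is skipped, so a controller without that library would run with an empty inventory rather than fail up front. I would record the requirement above the setting, `# toml inventory plugin: needs tomllib (py>=3.11) or the tomli/toml package`, or pin it in the project's controller requirements.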
|
||||||
|
|
|
@ -28,8 +28,6 @@ acpid_daemon: busybox
|
||||||
|
|
||||||
device_manager: mdevd
|
device_manager: mdevd
|
||||||
|
|
||||||
audit_daemon: auditd
|
|
||||||
|
|
||||||
crond_provider: cronie
|
crond_provider: cronie
|
||||||
|
|
||||||
syslog_provider: busybox
|
syslog_provider: busybox
|
||||||
|
@ -130,11 +128,6 @@ earlyoom:
|
||||||
mem_min_percent: 5,2
|
mem_min_percent: 5,2
|
||||||
swap_min_percent: 10,5
|
swap_min_percent: 10,5
|
||||||
|
|
||||||
# Configure waydroid base image
|
|
||||||
waydroid:
|
|
||||||
rom_type: lineage # lineage, bliss
|
|
||||||
system_type: VANILLA # FOSS, GAPPS, VANILLA
|
|
||||||
|
|
||||||
# Secrets encrypted with ansible-vault ────────────────────────────────────────
|
# Secrets encrypted with ansible-vault ────────────────────────────────────────
|
||||||
|
|
||||||
password: '{{ vault_password }}'
|
password: '{{ vault_password }}'
|
||||||
|
|
|
@ -0,0 +1,2 @@
|
||||||
|
[local.hosts]
|
||||||
|
localhost = { ansible_connection = "local" }
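Review bot: The only host in the new file is `localhost` with `ansible_connection = "local"`, so the `host_key_checking = False` that ansible.cfg keeps has no effect today, but it will silently turn off SSH host-key verification for any remote host that is later added to this TOML inventory. Since this file is now where hosts get added, a comment on the host keeps that coupling visible: `# local-only inventory; re-enable host_key_checking in ansible.cfg before adding remote hosts`.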
|
|
@ -3,6 +3,7 @@ bootloader:
|
||||||
- grub
|
- grub
|
||||||
- limine
|
- limine
|
||||||
- efistub
|
- efistub
|
||||||
|
- gummiboot
|
||||||
|
|
||||||
initramfs_generator:
|
initramfs_generator:
|
||||||
- mkinitfs
|
- mkinitfs
|
||||||
|
@ -49,10 +50,6 @@ dhcp_client:
|
||||||
- connman
|
- connman
|
||||||
- kea
|
- kea
|
||||||
|
|
||||||
audit_daemon:
|
|
||||||
- auditd
|
|
||||||
- go-audit
|
|
||||||
|
|
||||||
crond_provider:
|
crond_provider:
|
||||||
- busybox
|
- busybox
|
||||||
- cronie
|
- cronie
|
||||||
|
|
|
@ -41,3 +41,12 @@
|
||||||
enabled: true
|
enabled: true
|
||||||
state: started
|
state: started
|
||||||
when: seat_manager == 'seatd'
|
when: seat_manager == 'seatd'
|
||||||
|
|
||||||
|
# For XDG_RUNTIME_DIR env
|
||||||
|
- name: Set "login" PAM to use to base-session instead of base-session-noninteractive
|
||||||
|
community.general.pamd:
|
||||||
|
name: login
|
||||||
|
type: session
|
||||||
|
control: include
|
||||||
|
module_path: base-session-noninteractive
|
||||||
|
new_module_path: base-session
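Review bot: The `community.general.pamd` task rewrites `/etc/pam.d/login` in place with no backup, and a wrong edit to that stack locks every console login out of the box being configured, so I would add `backup: true` under `community.general.pamd:` so the previous file is kept with a timestamp. The module also reports ok without touching anything when no `session include base-session-noninteractive` rule exists in the file, so the XDG_RUNTIME_DIR goal stated in the comment can be missed silently; registering the result and asserting on it, or at least extending the comment to say the rule is expected from the distro's stock login stack, would make that visible. Unlike the preceding seatd task (which begins outside the hunk) this one has no `when:`, presumably on purpose because the runtime dir is wanted regardless of seat manager, but it is worth confirming against what base-session actually pulls in on this system. Minor: the task name reads `Set "login" PAM to use to base-session`, i.e. a doubled `to`.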
|
||||||
|
|
|
@ -1,26 +0,0 @@
|
||||||
---
|
|
||||||
# TODO: work out nftables firewall rules (should be on upstream)
|
|
||||||
- name: waydroid | Install waydroid
|
|
||||||
community.general.apk:
|
|
||||||
name: waydroid
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: waydroid | Download base image and initialize
|
|
||||||
command:
|
|
||||||
cmd: 'waydroid init -s {{ waydroid.system_type }} -r {{ waydroid.rom_type }}'
|
|
||||||
creates: /var/lib/waydroid/image/system.img
|
|
||||||
|
|
||||||
- name: waydroid | Add apparmor rules
|
|
||||||
blockinfile:
|
|
||||||
block: |
|
|
||||||
@{run}/waydroid-lxc/ r,
|
|
||||||
@{run}/waydroid-lxc/* rw,
|
|
||||||
marker: '# {mark} WAYDROID BLOCK'
|
|
||||||
path: /etc/apparmor.d/local/usr.sbin.dnsmasq
|
|
||||||
|
|
||||||
- name: waydroid | Start container service on runlevel 'default'
|
|
||||||
service:
|
|
||||||
name: waydroid-container
|
|
||||||
runlevel: default
|
|
||||||
state: started
|
|
||||||
enabled: true
|
|