Fix some regressions + tasks revision

DETAILS:
- consolefont: moved to essential role
- unbound: copy the config only after everything is set up correctly
  (or else the validation will complain trusted-key.key and the root
  hints are not in the chroot)
- essential: start dbus service before handling seat management (elogind
  and seatd services depend on dbus)
- use full-path for commands (avoid potential polluted PATH attack)
- apk: use '>-' for the package list. See NOTES

NOTES:
- '|' (literal) interprets new lines with a line break
- '>' (folded) produces a single line with a '\n' at the end
- '>-' (folded_strip) creates a single line without a line break in the
  end
- '>' (folded scalars) joins all the lines with a space (doesn't
  preserve numeric, boolean and other non-string types)

Check https://adminswerk.de/multi-line-string-yaml-ansible-II/ for some
problems on using multiple lines variables

group_vars/all.yml

@@ -28,7 +28,8 @@ libvirt_daemons:
   - virtqemud
   - virtstoraged
 
-# Secrets encrypted with ansible-vault
+# Secrets encrypted with ansible-vault ────────────────────────────────────────
+
 password: '{{ vault_password }}'
 
 

roles/apparmor/handlers/main.yml

@@ -1,3 +1,3 @@
 ---
 - name: Update grub config
-  command: grub-mkconfig -o /boot/grub/grub.cfg
+  command: /usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg

roles/apparmor/tasks/main.yml

@@ -19,7 +19,7 @@
     runlevel: boot
     enabled: yes
 
-- name: apparmor | Check whether apparmor is presented in grub boot command
+- name: apparmor | Check whether apparmor kernel parameters is presented in grub
   lineinfile:
     backup: yes
     path: /etc/default/grub

roles/consolefont/tasks/main.yml

@@ -1,17 +0,0 @@
----
-- name: consolefont | Change the console font to ter-h22b
-  lineinfile:
-    path: /etc/conf.d/consolefont
-    state: present
-    regexp: '^consolefont='
-    line: 'consolefont="ter-h22b.psf.gz"'
-    owner: root
-    group: root
-    mode: 0644
-
-- name: consolefont | Start consolefont service on runlevel 'boot'
-  service:
-    name: consolefont
-    runlevel: boot
-    enabled: yes
-    state: started

roles/cron/files/btrfs-scrub

@@ -1,3 +1,3 @@
 #!/bin/sh
 
-btrfs scrub start /
+/sbin/btrfs scrub start /

roles/cron/files/empty-tmp

@@ -1,4 +1,4 @@
 #!/bin/sh
 
-find /var/tmp -type d -mindepth 1 -ctime +7 -exec rm -rf {} \;
-find /var/tmp -mindepth 1 -ctime +7 -exec rm -rf {} \;
+/usr/bin/find /var/tmp -type d -mindepth 1 -ctime +7 -exec rm -rf {} \;
+/usr/bin/find /var/tmp -mindepth 1 -ctime +7 -exec rm -rf {} \;

roles/essential/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Regenerate initramfs
-  command: 'mkinitfs -c /etc/mkinitfs/mkinitfs.conf {{ ansible_kernel }}'
+  command: '/sbin/mkinitfs -c /etc/mkinitfs/mkinitfs.conf {{ ansible_kernel }}'
 
 - name: Load custom sysctl settings
-  command: sysctl -p /etc/sysctl.d/custom.conf
+  command: /sbin/sysctl -p /etc/sysctl.d/custom.conf

roles/essential/tasks/main.yml

@@ -9,7 +9,7 @@
 
 - name: essential | Install common dependencies
   apk:
-    name: >
+    name: >-
       doas, nftables, zstd, fish, dbus, terminus-font, apparmor-profiles,
       apparmor, openresolv, libvirt-daemon, qemu-img, qemu-system-x86_64,
       qemu-modules, shadow-login, unbound, dns-root-hints
@@ -17,6 +17,14 @@
     update_cache: yes
     state: present
 
+- name: essential | Start some services on runlevel 'default'
+  service:
+    name: '{{ item }}'
+    runlevel: default
+    enabled: yes
+    state: started
+  loop: [ dbus, ntpd, cgroups ]
+
 - block:
     - name: essential | Install elogind and polkit-elogind
       apk:
@@ -84,17 +92,9 @@
         state: started
   when: seat_manager == 'seatd'
 
-- name: essential | Start other services on runlevel 'default'
-  service:
-    name: '{{ item }}'
-    runlevel: default
-    enabled: yes
-    state: started
-  loop: [ dbus, ntpd, cgroups ]
-
 - name: essential | Setup eudev
   command:
-    cmd: setup-udev
+    cmd: /sbin/setup-udev
     creates: /etc/runlevels/sysinit/udev
 
 - name: essential | Change the default motd
@@ -137,7 +137,7 @@
     group: root
     mode: 0644
 
-- name: sysctl | Create a custom sysctl file
+- name: essential | Create a custom sysctl file
   copy:
     src: custom.conf
     dest: /etc/sysctl.d/custom.conf
@@ -145,3 +145,20 @@
     group: root
     mode: 0644
   notify: Load custom sysctl settings
+
+- name: essential | Change the console font to ter-h22b
+  lineinfile:
+    path: /etc/conf.d/consolefont
+    state: present
+    regexp: '^consolefont='
+    line: 'consolefont="ter-h22b.psf.gz"'
+    owner: root
+    group: root
+    mode: 0644
+
+- name: essential | Start consolefont service on runlevel 'boot'
+  service:
+    name: consolefont
+    runlevel: boot
+    enabled: yes
+    state: started

roles/fstab/tasks/main.yml

@@ -27,7 +27,7 @@
     # Busybox's mount doesn't interpret group name in GID, so check it
     # wheel group on Alpine by default has GID=10
     - name: fstab | Check GID of group {{ proc_group }}
-      shell: getent group {{ proc_group }} | awk -F':' '{print $3}'
+      shell: /usr/bin/getent group {{ proc_group }} | awk -F':' '{print $3}'
       register: proc_gid
 
     - name: fstab | Restrict read access on /proc for {{ proc_group }} group

roles/libvirt/tasks/main.yml

@@ -1,5 +1,5 @@
 ---
-- name: libvirt | Allow IPv6 RA passthrough to libvirt NAT
+- name: libvirt | Allow IPv6 RA passthrough for libvirt NAT
   lineinfile:
     path: /etc/sysctl.d/custom.conf
     owner: root

roles/unbound/tasks/main.yml

@@ -1,13 +1,4 @@
 ---
-- name: unbound | Copy unbound config
-  template:
-    src: unbound.j2
-    dest: /etc/unbound/unbound.conf
-    owner: root
-    group: root
-    mode: 0644
-    validate: unbound-checkconf %s
-
 - name: unbound | Create /dev directory inside unbound chroot
   file:
     path: /etc/unbound/dev
@@ -20,7 +11,7 @@
 # copy module doesn't seem to work
 - name: unbound | Copy needed devices to unbound chroot
   command:
-    cmd: cp -a /dev/random /dev/urandom /dev/null /etc/unbound/dev/
+    cmd: /bin/cp -a /dev/random /dev/urandom /dev/null /etc/unbound/dev/
     creates: /etc/unbound/dev/random
 
 # unbound user needs write permission to the anchor file, and also for the
@@ -48,7 +39,7 @@
     group: unbound
     mode: 0644
 
-- name: unbound | Check package facts
+- name: unbound | Gather package facts
   package_facts:
     manager: 'apk'
 
@@ -77,7 +68,7 @@
     group: root
     mode: 0644
 
-- name: unbound | Inject cp command to dns-root-hints cron job
+- name: unbound | Let dns-root-hints cron job copy root hints to unbound chroot
   blockinfile:
     path: /etc/periodic/monthly/dns-root-hints
     block: |
@@ -94,6 +85,15 @@
     group: root
     mode: 0755
 
+- name: unbound | Copy unbound config
+  template:
+    src: unbound.j2
+    dest: /etc/unbound/unbound.conf
+    owner: root
+    group: root
+    mode: 0644
+    validate: /usr/sbin/unbound-checkconf %s
+
 - name: unbound | Add unbound service to runlevel 'default'
   service:
     name: unbound

roles/user/tasks/main.yml

@@ -72,7 +72,7 @@
     owner: root
     group: root
     mode: 0600
-    validate: doas -C %s
+    validate: /usr/bin/doas -C %s
 
 - name: user | Add pam_limits rules for audio group for running realtime processes
   copy:

setup.yml

@@ -25,8 +25,6 @@
       tags: nftables
     - role: apparmor
       tags: apparmor
-    - role: consolefont
-      tags: consolefont
     - role: cron
       tags: cron
     - role: grub