btrbk will be next \^*^/
Also:
- detect the root filesystem in play with `ansible_mounts` instead
of specifying it manually.
- dnscrypt: hardcode some privacy settings
More changes:
- Remove 'grub' role. We shouldn't touch anything related to the
bootloader here, as it's dangerous. I'll write docs for myself on
this.
- Fix linting here and there, so ansible-lint won't complain
- Refactor group_vars/all.yml to be more readable
c199f2b52e.
Also:
- Use TOML as inventory format (to disgust YAML ^-^)
- Adjust TODO list:
- drop go-audit (unmaintained upstream)
- add turnstile (more interesting than pam-rundir)
- Drop waydroid role as upstream system config script is a mess
pipewire 0.3.66 now ships /etc/security/limits.d/25-pw-rlimits.conf
which does the same thing. Also the Alpine package has post-install hook
to create "pipewire" group.
The task will fail if pipewire is not installed though :(
- Fix the incorrect use of rate limit on ICMP rule ('over' keyword
matched over the rate limit)
- Use dynamic sets to limit connections on opened ports
- Naively whitelist all libvirt bridges. This includes the whole
192.168.0.0/16 subnet, so it probably will clash with the internal LAN
network. I control my own router :) so I don't mind (just use
a different private IPv4 address space).
- container: role removed
- ansible:
- use FQDN module path community.general.packaging.os.apk
- use "true, false" instead of "yes, no" (stop being annoying, yamllint)
group_vars/ should be used for changeable variables.
Also rename `kernel_parameters` variable to `additional_kernel_parameters`
(expect other bootloaders configuration to come :v)
DETAILS:
- consolefont: moved to essential role
- unbound: copy the config only after everything is set up correctly
(or else the validation will complain trusted-key.key and the root
hints are not in the chroot)
- essential: start dbus service before handling seat management (elogind
and seatd services depend on dbus)
- use full-path for commands (avoid potential polluted PATH attack)
- apk: use '>-' for the package list. See NOTES
NOTES:
- '|' (literal) interprets new lines with a line break
- '>' (folded) produces a single line with a '\n' at the end
- '>-' (folded_strip) creates a single line without a line break in the
end
- '>' (folded scalars) joins all the lines with a space (doesn't
preserve numeric, boolean and other non-string types)
Check https://adminswerk.de/multi-line-string-yaml-ansible-II/ for some
problems on using multiple lines variables
- essential:
- make polkit optional
- move /etc/hosts file to unbound role
- libvirt:
- make libvirt daemons configurable
- delete the firewall patch. Hardcode the rules by default (for now)
so that the playbook is compatible with `ansible-core`
- user: add pam_limits file (moved from dotfiles repository)
- sysctl: role deleted. The task was moved to essential role
- fstab: new role for /run, /tmp, /proc mounts
- add seatd as a 'seat_manager' option
- cron: use find command to restraint deleted files in /var/tmp
Hoang Nguyen