- auditd: migrate rules using deprecated syntax (`-w`, `-p` and `-k`).
Also clean them up.
- nftables: remove the usage of nexthdr for matching ipv6 packets. Also
allow DHCP client traffic, IGMP and multicast DNS.
btrbk will be next \^*^/
Also:
- detect the root filesystem in play with `ansible_mounts` instead
of specifying it manually.
- dnscrypt: hardcode some privacy settings
More changes:
- Remove 'grub' role. We shouldn't touch anything related to the
bootloader here, as it's dangerous. I'll write docs for myself on
this.
- Fix linting here and there, so ansible-lint won't complain
- Refactor group_vars/all.yml to be more readable
c199f2b52e.
Also:
- Use TOML as inventory format (to disgust YAML ^-^)
- Adjust TODO list:
- drop go-audit (unmaintained upstream)
- add turnstile (more interesting than pam-rundir)
- Drop waydroid role as upstream system config script is a mess
- Fix the incorrect use of rate limit on ICMP rule ('over' keyword
matched over the rate limit)
- Use dynamic sets to limit connections on opened ports
- Naively whitelist all libvirt bridges. This includes the whole
192.168.0.0/16 subnet, so it probably will clash with the internal LAN
network. I control my own router :) so I don't mind (just use
a different private IPv4 address space).
- container: role removed
- ansible:
- use FQDN module path community.general.packaging.os.apk
- use "true, false" instead of "yes, no" (stop being annoying, yamllint)
Hoang Nguyen