Hoang Nguyen
149a69d85a
networking: add IPv6 stable privacy address
Also move 'iwd' service to runlevel 'default', so that sysctl settings
are applied correctly before it starts.
2023-04-22 00:00:00 +07:00
Hoang Nguyen
1b13b408a0
Move IPv6 privacy extension settings to 'networking' role
Also set privacy extension to 'preferred' in connman.
2023-04-22 00:00:00 +07:00
Hoang Nguyen
9ec9793663
fcron: remove fcron-pam package
Removed from the repository.
2023-04-15 00:00:00 +07:00
Hoang Nguyen
fde3e055c9
ntpsec: lower maxclock by 1
To align with recommendation from the ntpsec docs.
2023-04-07 00:00:00 +07:00
Hoang Nguyen
d288c9ecfa
auditd: filter out ntp time adjust event
2023-04-06 00:00:00 +07:00
Hoang Nguyen
9e12ff1ffb
ntpd: fix ntpsec config
ntpsec daemon didn't run, since minsane was greater than the default
minclock (4 > 3).
Also calculate maxclock option of ntpsec more effectively, and rename
terminus-font package.
2023-04-06 00:00:00 +07:00
Hoang Nguyen
ec72f75587
Add 'ntpd' and 'auditd' roles
More changes:
- Remove 'grub' role. We shouldn't touch anything related to the
bootloader here, as it's dangerous. I'll write docs for myself on
this.
- Fix linting here and there, so ansible-lint won't complain
- Refactor group_vars/all.yml to be more readable
2023-04-06 00:00:00 +07:00
Hoang Nguyen
fb9c5ebaed
Add PAM config for base-session
c199f2b52e.
Also:
- Use TOML as inventory format (to disgust YAML ^-^)
- Adjust TODO list:
- drop go-audit (unmaintained upstream)
- add turnstile (more interesting than pam-rundir)
- Drop waydroid role as upstream system config script is a mess
2023-04-01 00:00:00 +07:00
Hoang Nguyen
bc8bc72c98
connman: supervise-daemon
2023-02-25 11:00:00 +07:00
Hoang Nguyen
c5b2d1c5d8
networking: forgot connman-resolvconf service and --nodnsproxy
2023-02-19 01:10:33 +07:00
Hoang Nguyen
df578407df
networking: add connman as an option for DHCP
Also:
- refactor /etc/network/interfaces
- remove Vagrantfile (not used regularly and doesn't work anymore)
2023-02-19 00:58:13 +07:00
Hoang Nguyen
fe6807553c
Expose user groups as configurable variable
2023-02-18 18:00:35 +07:00
Hoang Nguyen
45e6591322
user: remove setting up realtime group
pipewire 0.3.66 now ships /etc/security/limits.d/25-pw-rlimits.conf
which does the same thing. Also the Alpine package has a post-install hook
to create "pipewire" group.
The task will fail if pipewire is not installed though :(
2023-02-18 17:49:56 +07:00
Hoang Nguyen
2ead123781
Minor adjustments
- Add seedrng service to 'boot' runlevel
- Move nftables, iwd services to 'boot' runlevel (`before net`)
- Change APK mirror
- Remove custom pam_rundir entry (it is present in the linux-pam package now)
2023-01-24 23:29:06 +07:00
Hoang Nguyen
3a9e64f503
iwd: clean up config
Also add network address randomization
2022-12-13 19:43:02 +07:00
Hoang Nguyen
6e8d994bc3
community.general.packaging.* is deprecated
2022-11-26 23:09:24 +07:00
Hoang Nguyen
330418490d
networking: support both iwd and eiwd
2022-11-20 19:05:41 +07:00
Hoang Nguyen
72f10a2bdc
cron: fix things (mostly about fcron)
Document PATH behavior for each crond implementation.
2022-11-18 22:53:50 +07:00
Hoang Nguyen
583f8ee265
nftables: fix jinja2 indent
2022-11-14 08:57:36 +07:00
Hoang Nguyen
385332e312
nftables: do some fancy stuff with sets
- Fix the incorrect use of rate limit on ICMP rule ('over' keyword
matched over the rate limit)
- Use dynamic sets to limit connections on opened ports
- Naively whitelist all libvirt bridges. This includes the whole
192.168.0.0/16 subnet, so it probably will clash with the internal LAN
network. I control my own router :) so I don't mind (just use
a different private IPv4 address space).
2022-11-05 11:21:19 +07:00
Hoang Nguyen
4d1dd6cd7a
cron: add other implementations of crond
Supports cronie, fcron and busybox's crond.
2022-10-30 00:35:50 +07:00
Hoang Nguyen
b9f11723de
waydroid: small simplification
2022-10-23 01:29:06 +07:00
Hoang Nguyen
39f736f34c
Small changes here and there
- container: role removed
- ansible:
- use FQDN module path community.general.packaging.os.apk
- use "true, false" instead of "yes, no" (stop being annoying, yamllint)
2022-10-16 17:41:04 +07:00
Hoang Nguyen
8e61893c93
Some beginning works for component customization
2022-10-01 21:15:29 +07:00
Hoang Nguyen
7bc355fef6
acpi: use the original way to suspend
zzz is not shipped with acpid package by default anymore
2022-09-14 22:27:52 +07:00
Hoang Nguyen
302b3d2946
TODO: take note on sanoid
A ZFS auto snapshotting tool
2022-09-03 23:19:56 +07:00
Hoang Nguyen
b2abb4cfd6
README: move TODO section out
2022-09-03 17:30:52 +07:00
Hoang Nguyen
4dcca81110
fstab: add switch to enable/disable efivarfs mount
Don't use noefi kernel parameter here as we want to switch on the fly
2022-08-21 15:48:37 +07:00
Hoang Nguyen
90ba790ee7
Move hardcoded variable use_polkit to main playbook
group_vars/ should be used for changeable variables.
Also rename `kernel_parameters` variable to `additional_kernel_parameters`
(expect other bootloaders' configuration to come :v)
2022-08-18 19:56:44 +07:00
Hoang Nguyen
b2c004e662
acpi: supervise normal acpid service
2022-08-08 11:44:59 +07:00
Hoang Nguyen
eababf0fa2
acpi: add normal acpid variant
Busybox's acpid doesn't support netlink
2022-08-07 16:33:21 +07:00
Hoang Nguyen
8d151d727f
earlyoom: remove earlyoom.enabled config
I forgot that --skip-tags exists.
2022-07-24 22:55:12 +07:00
Hoang Nguyen
b2f0cd6808
roles: add earlyoom role
2022-07-23 18:43:38 +07:00
Hoang Nguyen
b72db7e5fa
dns: add cloudflare
Sometimes cloudflare has better latency than quad9 (for me)
2022-07-19 22:36:13 +07:00
Hoang Nguyen
e85c23d954
dns: update resolvconf command path
Ref: 94fb0ed84b
2022-07-04 00:31:01 +07:00
Hoang Nguyen
0063c13a4d
cron: add logrotate (and cpulimit) package
2022-06-21 23:44:16 +07:00
Hoang Nguyen
0b9a54783e
Tons of cool things
- unbound: rename role to 'dns', add dnscrypt-proxy tasks
- devd: add sample udev rules
- apparmor: move kernel parameters to group_vars
2022-06-20 01:29:26 +07:00
Hoang Nguyen
dd644617f8
devd: fix tasks order
2022-05-22 17:55:52 +07:00
Hoang Nguyen
be19369633
roles: add devd role
Make device_manager configurable on setup (mdev, mdevd, udev) utilizing
the newly introduced 'setup-devd' script.
2022-05-20 23:56:47 +07:00
Hoang Nguyen
fbef64fdf8
user: make shell configurable, update new realtime config
2022-05-16 16:24:58 +07:00
Hoang Nguyen
40923b16ab
roles: add waydroid; nftables: refactor firewall rules
2022-05-10 23:18:19 +07:00
Hoang Nguyen
26a97d88d4
README: update link to dotfiles
2022-04-17 21:03:47 +07:00
Hoang Nguyen
68d4ac38eb
Yep yep
- nftables: don't masquerade on IPv6 addresses as SNAT doesn't exist in
IPv6 realm (yet?)
- use `pamd`, `sysctl`, `kernel_blacklist`, `pam_limits`, `mount` Ansible
modules instead of copying files to the right places
- zram: use loops to dynamically configure zram devices
2022-04-17 19:02:21 +07:00
Hoang Nguyen
3764a538ed
Convert networking stuff to templates
- unbound: add `network_interfaces` variable to control
/etc/network/interfaces (check interfaces(5))
- nftables: add `libvirt_bridges` and `opened_ports` to
dynamically generate firewall rules
2022-04-04 13:34:07 +07:00
Hoang Nguyen
f737a21719
roles: add 'container' role with podman/nerdctl option
Also enable cgroup v2 explicitly for openrc
2022-03-29 01:15:28 +07:00
Hoang Nguyen
f89d1e6d8b
usbguard: restart the service after applying policies
2022-03-28 22:36:44 +07:00
Hoang Nguyen
81c89d0ecb
usbguard: generate policy for connected devices
Also nftables: don't start the service right away (the nftables module
might not be loaded immediately)
2022-03-22 00:23:24 +07:00
Hoang Nguyen
a3595c7e21
unbound: delete 'trust-ad' option of resolv.conf
It is glibc specific.
2022-03-08 23:31:38 +07:00
Hoang Nguyen
de212d9c3e
user: remove the user from kvm group
Comply with the previous commit
2022-03-05 21:48:31 +07:00
Hoang Nguyen
fb1174d0bd
libvirt: allow normal user alone is enough
2022-03-05 16:46:57 +07:00