- nftables: don't masquerade on IPv6 addresses as SNAT doesn't exist in
  IPv6 realm (yet?)
- use `pamd`, `sysctl`, `kernel_blacklist`, `pam_limits`, `mount` Ansible
  modules instead of copying files to the right places
- zram: use loops to dynamically configure zram devices

Some regressions from the previous commit. I missed these files.
'echo' is a shell built-in, so leave it be.

Also:
- doas: only allow the user instead of the wheel group (there is only me on
  my machine anyway)

DETAILS:
- consolefont: moved to essential role
- unbound: copy the config only after everything is set up correctly
  (or else the validation will complain that trusted-key.key and the root
  hints are not in the chroot)
- essential: start dbus service before handling seat management (elogind
  and seatd services depend on dbus)
- use full paths for commands (avoid a potential polluted-PATH attack)
- apk: use '>-' for the package list. See NOTES

NOTES:
- '|' (literal) interprets new lines with a line break
- '>' (folded) produces a single line with a '\n' at the end
- '>-' (folded_strip) creates a single line without a line break at the
  end
- '>' (folded scalars) joins all the lines with a space (doesn't
  preserve numeric, boolean and other non-string types)
Check https://adminswerk.de/multi-line-string-yaml-ansible-II/ for some
problems with using multi-line variables
- essential:
  - make polkit optional
  - move /etc/hosts file to unbound role
- libvirt:
  - make libvirt daemons configurable
  - delete the firewall patch. Hardcode the rules by default (for now)
    so that the playbook is compatible with `ansible-core`
- user: add pam_limits file (moved from dotfiles repository)
- sysctl: role deleted. The task was moved to essential role
- fstab: new role for /run, /tmp, /proc mounts
- add seatd as a 'seat_manager' option
- cron: use find command to restrict deleted files in /var/tmp
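The NOTES above describe how '|', '>' and '>-' block scalars differ, and why the apk package list was switched to '>-'. The following is an added example, not code from the commit log or from the playbook: a small, self-contained parser that reproduces those block-scalar rules (literal vs. folded, with the strip/clip/keep chomping indicators) and a minimal plain-scalar resolver that shows why a folded block can never yield a number or boolean. It deliberately handles only the common case where every content line shares one indentation level (no "more-indented" lines), and the resolver covers only a subset of the YAML core schema; Ansible's loader (PyYAML, YAML 1.1) additionally treats spellings like yes/no/on/off as booleans. The package names in the sample block are constructed.

```python
import re

# Added example, not part of the playbook: a restricted YAML block-scalar
# parser.  Assumption: all content lines share a single indentation level.


def parse_block_scalar(block: str) -> str:
    """Parse 'HEADER\\n  line\\n  line...' where HEADER is |, |-, |+, >, >- or >+.

    Returns the string value a YAML loader would produce for that block.
    """
    lines = block.split("\n")
    header = lines[0].strip()
    if not header or header[0] not in "|>":
        raise ValueError("block scalar must start with '|' or '>'")
    style, chomp = header[0], header[1:]
    if chomp not in ("", "-", "+"):
        raise ValueError(f"unknown chomping indicator {chomp!r}")
    body = lines[1:]

    # Indentation is taken from the first non-empty content line.
    indent = next((len(l) - len(l.lstrip(" ")) for l in body if l.strip()), None)
    if indent is None:
        return ""
    content = [l[indent:] if l.strip() else "" for l in body]  # blank lines -> ''

    # Split off the trailing line breaks; the chomping indicator decides
    # how many of them survive.
    end = len(content)
    while end and content[end - 1] == "":
        end -= 1
    content, trailing = content[:end], len(content) - end

    if style == "|":
        # Literal: every line break inside the block is kept verbatim.
        text = "\n".join(content)
    else:
        # Folded: a single break between two text lines becomes a space;
        # k empty lines between two text lines become k newlines.
        text, pending = "", 0
        for line in content:
            if line == "":
                pending += 1
                continue
            if pending:
                text += "\n" * pending
            elif text:
                text += " "
            text += line
            pending = 0

    if chomp == "-":                            # strip: no trailing newline
        return text
    if chomp == "+":                            # keep: all trailing breaks survive
        return text + "\n" * trailing
    return text + ("\n" if trailing else "")    # clip: at most one newline


def plain_scalar(token: str):
    """Resolve an unquoted scalar like a (subset of the) YAML core schema.

    Block scalars never go through this step, which is why '>' and '|' always
    produce strings even when the text looks like a number or boolean.
    """
    if token in ("true", "True", "TRUE"):
        return True
    if token in ("false", "False", "FALSE"):
        return False
    if token in ("", "~", "null", "Null", "NULL"):
        return None
    if re.fullmatch(r"[-+]?[0-9]+", token):
        return int(token)
    if re.fullmatch(r"[-+]?(\.[0-9]+|[0-9]+(\.[0-9]*)?)([eE][-+]?[0-9]+)?", token):
        return float(token)
    return token


# Constructed sample: a package list written with '>-' as the commit describes.
PACKAGES_BLOCK = ">-\n  openssh\n  unbound\n  nftables\n"


def package_list() -> list:
    """The folded_strip block is one space-joined line; split it into names."""
    return parse_block_scalar(PACKAGES_BLOCK).split()


if __name__ == "__main__":
    for header in ("|", "|-", "|+", ">", ">-"):
        sample = header + "\n  a\n  b\n\n"
        print(f"{header:<2} -> {parse_block_scalar(sample)!r}")
    print("packages:", package_list())
    print("block '>-' 42 ->", repr(parse_block_scalar(">-\n  42")),
          "| plain 42 ->", repr(plain_scalar("42")))
```

Running the block prints the five headers side by side on the same two lines of input, which makes the difference between "a\nb\n", "a b\n" and "a b" visible at a glance; the last line shows the same digits coming back as the string '42' from a block scalar but as the int 42 from a plain scalar.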