Merge pull request #10 from brabster/enhanced-chrome-security-settings

Update chrome-prefs.json
brabster · Mar 16, 2024 · ef8f8e6 · ef8f8e6
2 parents d65e442 + c418a49
commit ef8f8e6
Show file tree

Hide file tree

Showing 30 changed files with 101 additions and 83 deletions.
diff --git a/.github/workflows/test_install.yml b/.github/workflows/test_install.yml
@@ -34,7 +34,7 @@ jobs:
         run: |
           cd $GITHUB_WORKSPACE
           cp ${GITHUB_WORKSPACE}/.github/test_vars.yml ${GITHUB_WORKSPACE}/.vars.yml
-          ansible-playbook -e in_container=true workstation.yml 
+          ansible-playbook -e in_container=true -i inventory workstation.yml 
       - name: check
         shell: bash -l {0}
         run: |

diff --git a/bootstrap.sh b/bootstrap.sh
@@ -8,7 +8,6 @@ echo "=== Updating packages and installing git & ansible"
 sudo sh -c 'apt-get -y update && apt-get -y upgrade && apt-get -y install git ansible'
 
 echo "=== Running playbook"
-ansible-playbook workstation.yml
+ansible-playbook -i inventory workstation.yml
 
 echo "=== Log out and in again, no need to reboot."
-
diff --git a/inventory b/inventory
@@ -0,0 +1 @@
+localhost ansible_connection=local
diff --git a/roles/bin/tasks/main.yml b/roles/bin/tasks/main.yml
@@ -3,7 +3,7 @@
 - name: Create ~/bin directory
   become: yes
   become_user: '{{ username }}'
-  file:
+  ansible.builtin.file:
     path: '{{ user_home }}/.local/bin'
     state: directory
     mode: '0755'

diff --git a/roles/chrome-browser/README.md b/roles/chrome-browser/README.md
@@ -0,0 +1,2 @@
+https://support.google.com/chrome/a/answer/9027408?hl=en
+https://chromeenterprise.google/policies/
diff --git a/roles/chrome-browser/files/chrome-prefs.json b/roles/chrome-browser/files/chrome-prefs.json
@@ -2,8 +2,13 @@
     "AutoFillEnabled": false,
     "PasswordManagerEnabled": false,
     "DefaultBrowserSettingEnabled": false,
+    "HttpsOnlyMode": "force_enabled",
+    "AdvancedProtectionAllowed": true,
+    "DownloadRestrictions": 4,
+    "SafeBrowsingProtectionLevel": 2,
+    "DefaultJavaScriptJitSetting": 2,
     "ExtensionInstallForcelist": [
         "nngceckbapebfimnlniiiahkandclblb",
         "aeblfdkhhhdcdjpifhhbdiojplfjncoa"
     ]
-}
+}
diff --git a/roles/chrome-browser/tasks/main.yml b/roles/chrome-browser/tasks/main.yml
@@ -1,9 +1,10 @@
 ---
 # tasks file for chrome-browser
 - name: Check that chrome not already installed
-  stat:
+  ansible.builtin.stat:
     path: '/usr/bin/google-chrome'
   register: chrome
 
-- include: tasks.yml
+- name: Run Playbook
+  ansible.builtin.import_tasks: tasks.yml
   when: not chrome.stat.exists
diff --git a/roles/chrome-browser/tasks/tasks.yml b/roles/chrome-browser/tasks/tasks.yml
@@ -1,23 +1,23 @@
 ---
 # tasks file for chrome-browser
 - name: Fetch Chrome Browser
-  get_url:
+  ansible.builtin.get_url:
     url: https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
     dest: /tmp/google-chrome.deb
 
 - name: Install Chrome
-  apt:
+  ansible.builtin.apt:
     deb: /tmp/google-chrome.deb
 
 - name: Ensures Chrome policy dir exists
-  file:
-    path: /etc/opt/chrome/policies/managed
+  ansible.builtin.file:
+    path: /etc/opt/chrome/policies/recommended
     state: directory
 
 - name: Configure Chrome Browser
-  copy:
+  ansible.builtin.copy:
     src: chrome-prefs.json
-    dest: /etc/opt/chrome/policies/managed/prefs.json
+    dest: /etc/opt/chrome/policies/recommended/prefs.json
 
 
 
diff --git a/roles/clamav/tasks/main.yml b/roles/clamav/tasks/main.yml
@@ -1,14 +1,12 @@
 ---
 - name: Install clamav
-  package:
+  ansible.builtin.package:
     name:
       - clamav
       - clamav-daemon
     state: present
 
 - name: Note ClamAV version and sig versions when running updates
-  become: yes
-  become_user: '{{ username }}'
-  lineinfile:
-    path: '{{ user_update_script }}'
-    line: clamscan --version
+  ansible.builtin.lineinfile:
+    path: '{{ update_script }}'
+    line: freshclam && clamscan --version
diff --git a/roles/cleanup/tasks/main.yml b/roles/cleanup/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: Remove unneeded packages
-  package:
+  ansible.builtin.package:
     name:
       - thunderbird
     state: absent

diff --git a/roles/dev/tasks/main.yml b/roles/dev/tasks/main.yml
@@ -1,28 +1,28 @@
 ---
 # tasks file for dev
 - name: Configure file watchers for IDEs, build tooling
-  sysctl:
+  ansible.builtin.sysctl:
     name: fs.inotify.max_user_watches
     value: '528288'
     state: present
 
 - name: Create SSH dir
   become: yes
   become_user: '{{ username }}'
-  file:
+  ansible.builtin.file:
     path: "{{ user_home }}/.ssh"
     state: directory
     mode: '0700'
 
 - name: Generate SSH key
   become: yes
   become_user: '{{ username }}'
-  openssh_keypair:
+  ansible.builtin.openssh_keypair:
     path: "{{ user_home }}/.ssh/id_ssh"
     type: ed25519
 
 - name: Install general cli tools
-  package:
+  ansible.builtin.package:
     name:
       - jq
       - httpie

diff --git a/roles/docker-rootless/tasks/main.yml b/roles/docker-rootless/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 # tasks file for docker-rootless
 - name: Add docker GPG key and repo
-  shell: 
+  ansible.builtin.shell: 
     creates: /usr/share/keyrings/docker-archive-keyring.gpg
     cmd: |
       curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
@@ -10,7 +10,7 @@
       apt-get update
 
 - name: Install pre-reqs
-  package:
+  ansible.builtin.package:
     name:
       - uidmap
       - dbus-user-session
@@ -23,17 +23,17 @@
       - containerd.io
 
 - name: Disable system docker
-  shell: systemctl disable --now docker.service docker.socket
+  ansible.builtin.shell: systemctl disable --now docker.service docker.socket
   when: in_container is not defined
 
 - name: Find user UID
-  command: 'id -u {{ username }}'
+  ansible.builtin.command: 'id -u {{ username }}'
   register: the_user_uid
   check_mode: no
   changed_when: false
 
 - name: Determine XDG_RUNTIME_DIR
-  set_fact:
+  ansible.builtin.set_fact:
     xdg_runtime_dir: '/run/user/{{ the_user_uid.stdout }}'
   changed_when: false
 
@@ -42,15 +42,15 @@
   become_user: '{{ username }}'
   environment:
     XDG_RUNTIME_DIR: '{{ xdg_runtime_dir }}'
-  shell: |
+  ansible.builtin.shell: |
     dockerd-rootless-setuptool.sh install
     systemctl --user enable docker
   when: in_container is not defined
 
 - name: Set environment variables
   become: yes
   become_user: '{{ username }}'
-  blockinfile:
+  ansible.builtin.blockinfile:
     path: '{{ user_profile }}'
     marker: '# {mark} ANSIBLE_DOCKER'
     block: |

diff --git a/roles/expressvpn/tasks/main.yml b/roles/expressvpn/tasks/main.yml
@@ -1,10 +1,11 @@
 ---
 # tasks file for lastpass
 - name: Check that expressvpn not already installed
-  stat:
+  ansible.builtin.stat:
     path: '{{ user_home }}/.experessvpn_is_installed'
   register: expressvpn
 
-- include: tasks.yml
+- name: Run Playbook
+  ansible.builtin.import_tasks: tasks.yml
   when: not expressvpn.stat.exists
 
diff --git a/roles/expressvpn/tasks/tasks.yml b/roles/expressvpn/tasks/tasks.yml
@@ -1,25 +1,25 @@
 ---
 # tasks file for lastpass
 - name: Fetch download page
-  get_url:
+  ansible.builtin.get_url:
     url: https://vlycgtx.com/latest#linux
     dest: /tmp/expressvpn.html
 
 - name: "Figure out where the latest ExpressVPN .deb is"
-  shell: cat /tmp/expressvpn.html | sed -rn 's/^.*<option .+ value="(.*)">Ubuntu 64-bit.*$/\1/p'
+  ansible.builtin.shell: cat /tmp/expressvpn.html | sed -rn 's/^.*<option .+ value="(.*)">Ubuntu 64-bit.*$/\1/p'
   register: expressvpn_deb_url
 
 - name: "Fetch latest ExpressVPN Linux install"
-  get_url:
+  ansible.builtin.get_url:
     url: "{{ expressvpn_deb_url.stdout }}"
     dest: /tmp/expressvpn.deb
 
 - name: "Install VPN client"
-  apt:
+  ansible.builtin.apt:
     deb: /tmp/expressvpn.deb
 
 - name: Mark installed
-  file:
+  ansible.builtin.file:
     path: '{{ user_home }}/.experessvpn_is_installed'
     state: touch
 
diff --git a/roles/firefox/tasks/main.yml b/roles/firefox/tasks/main.yml
@@ -1,11 +1,11 @@
 ---
 # tasks file for firefox
 - name: Ensure policy directory exists
-  file:
+  ansible.builtin.file:
     path: /etc/firefox/policies
     state: directory
 
 - name: Setup default preferences
-  copy:
+  ansible.builtin.copy:
     src: policies.json
     dest: /etc/firefox/policies/policies.json
diff --git a/roles/gcloud/tasks/main.yml b/roles/gcloud/tasks/main.yml
@@ -1,8 +1,5 @@
 ---
-# tasks file for gcloud
 - name: Install gcloud
-  snap:
-    name: google-cloud-sdk
-    classic: yes
+  ansible.builtin.command: snap install google-cloud-sdk --classic
   when: in_container is not defined
 
diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml
@@ -2,12 +2,12 @@
 - name: Setup git username and email
   become: yes
   become_user: '{{ username }}'
-  template:
+  ansible.builtin.template:
     src: files/.gitconfig.j2
     dest: '{{ user_home }}/.gitconfig'
 
 - name: Enable cli completion
-  blockinfile:
+  ansible.builtin.blockinfile:
     path: '{{ user_bashrc }}'
     marker: '# {mark} ANSIBLE_GIT'
     block: |
@@ -16,7 +16,7 @@
 - name: Setup bash aliases
   become: yes
   become_user: '{{ username }}'
-  blockinfile:
+  ansible.builtin.blockinfile:
     path: '{{ user_bashrc }}'
     marker: '# {mark} GIT_ALIAS'
     block: |

diff --git a/roles/lastpass/tasks/main.yml b/roles/lastpass/tasks/main.yml
@@ -1,9 +1,10 @@
 ---
 # tasks file for lastpass
 - name: Check that lastpass not already installed
-  stat:
+  ansible.builtin.stat:
     path: '{{ user_home }}/.lastpass_is_installed'
   register: lastpass
 
-- include: tasks.yml
+- name: Run Playbook
+  import_tasks: tasks.yml
   when: not lastpass.stat.exists
diff --git a/roles/lastpass/tasks/tasks.yml b/roles/lastpass/tasks/tasks.yml
@@ -1,26 +1,26 @@
 ---
 # tasks file for lastpass
-- name: "Fetch latest LastPass Linux install"
-  get_url:
+- name: Fetch latest LastPass Linux install
+  ansible.builtin.get_url:
     url: https://download.cloud.lastpass.com/linux/lplinux.tar.bz2
     dest: /tmp/lplinux.tar.bz2
 
 - name: Create LastPass extract dir
-  file:
+  ansible.builtin.file:
     path: /tmp/lplinux
     state: directory
 
 - name: Decompress LastPass archive
-  unarchive:
+  ansible.builtin.unarchive:
     src: /tmp/lplinux.tar.bz2
     dest: /tmp/lplinux
 
 - name: Install LastPass plugins
-  command: ./install_lastpass.sh
+  ansible.builtin.command: ./install_lastpass.sh
   args:
     chdir: /tmp/lplinux
 
 - name: Mark installed
-  file:
+  ansible.builtin.file:
     path: '{{ user_home }}/.lastpass_is_installed'
     state: touch
diff --git a/roles/obs/tasks/main.yml b/roles/obs/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Setup OBS Repository
+  ansible.builtin.apt_repository:
+    repo: ppa:obsproject/obs-studio
+
+- name: Install OBS
+  ansible.builtin.package:
+    name:
+      - obs-studio
diff --git a/roles/pipenv/tasks/main.yml b/roles/pipenv/tasks/main.yml
@@ -2,14 +2,14 @@
 - name: pipenv install
   become: yes
   become_user: '{{ username }}'
-  shell: |
+  ansible.builtin.shell: |
     . {{ user_profile }}
     pipx install pipenv
 
 - name: Setup environment
   become: yes
   become_user: '{{ username }}'
-  blockinfile:
+  ansible.builtin.blockinfile:
     path: '{{ user_profile }}'
     marker: '# {mark} ANSIBLE_PIPENV'
     block: |

diff --git a/roles/pipx/tasks/main.yml b/roles/pipx/tasks/main.yml
@@ -2,14 +2,14 @@
 - name: pipx install
   become: yes
   become_user: '{{ username }}'
-  shell: |
+  ansible.builtin.shell: |
     . {{ user_profile }}
     pip install --user pipx
 
 - name: pipx update
   become: yes
   become_user: '{{ username }}'
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: '{{ user_update_script }}'
     line: pipx upgrade-all