also get rid fo avahi-daemon

brabster · brabster · commit 0445454ea3be · 2025-09-18T10:55:32.000Z
diff --git a/AGENTS.md b/AGENTS.md
@@ -24,11 +24,15 @@ Specific principles we prioritise:
 
 ## Role Modularity and Guards
 
+- All automation should use modular Ansible roles, with each role responsible for a distinct area of system configuration (e.g., `ufw`, `networking`, `clamav`).
+- Roles that require elevated privileges, interact with system-level services, or are known to fail in CI (GitHub Actions) must be guarded using `when: not is_gh_actions` in playbooks.
+- If there is any doubt about CI compatibility, attempt a CI run before excluding the role.
+- The guard pattern (`when: not is_gh_actions`) is the standard and should be used unless evidence suggests a different approach is required.
+- Always document the rationale for excluding a role from CI in both the changelog and code comments.
 
-### Example: cleanup_services role
 
-- The `cleanup_services` role demonstrates modular automation for disabling/removing unnecessary services (e.g., ModemManager) and uses the standard CI guard (`when: not is_gh_actions`). Rationale and compliance impacts are documented in the changelog and code comments.
 
+## Compliance Requirements
 
 - UK Cyber Essentials is the primary compliance framework for this project.
 - Automation and configuration choices (e.g., enabling firewalls by default) must be justified with reference to UK Cyber Essentials requirements where relevant.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,16 +4,16 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## [Disable and Remove ModemManager by Default](https://github.com/brabster/xubuntu-workstation/pull/45)
+## [Disable and remove unneeded services by default](https://github.com/brabster/xubuntu-workstation/pull/45)
 
 ### Added
 
-- **ModemManager Disabled and Removed**: The cleanup role now disables the ModemManager service and removes the modemmanager package by default. This ensures the service is not running after reboot and the package is not present unless explicitly required.
+- **Unnecessary services disabled and removed**: The cleanup role now disables the ModemManager and avahi-daemon services and removes the associated packages by default. This ensures the services are not running after reboot and the packages are not present unless explicitly required.
 
 ### Security
 
 - **Threat Model Assessment**: This change **reduces the attack surface and supports compliance with UK Cyber Essentials requirements**.
-    - **Rationale**: ModemManager is not required for most workstation use cases and represents an unnecessary service and software package. Disabling and removing it aligns with the principle of least functionality, as mandated by UK Cyber Essentials, and reduces the risk of exploitation via unused system components.
+    - **Rationale**: Services are not required for most workstation use cases and represents an unnecessary service and software package. Disabling and removing it aligns with the principle of least functionality, as mandated by UK Cyber Essentials, and reduces the risk of exploitation via unused system components.
     - **Benefit**: Ensures only necessary services are present and running, improving overall system security and regulatory compliance.
 
 ## [Enable UFW Firewall by Default](https://github.com/brabster/xubuntu-workstation/pull/44)
diff --git a/README.md b/README.md
@@ -88,13 +88,17 @@ This install uses **ClamAV** as its antivirus solution. [CHANGELOG](CHANGELOG.md
 
 
 ### Playbook
+- [sudo](roles/sudo) remove sudo timeout - you need to put your password in each time
+- [sudo](roles/sudo) restrict sudo commands to essential tasks
     - applying updates,
     - preparing installation media for the next update
     - temporarily starting and stopping rarely-needed services
+- [clamav](roles/clamav) install clamav and freshclam, add custom context menu to scan in Thunar file manager, notes versions and signature update version/date in update script
+- [updates](roles/updates)
     - update all known supply chains, incl. OS, firmware, snap, pip, clamav
     - apply system-level updates as root
     - su to user to apply user updates
- [cleanup_services](roles/cleanup_services): disables and removes unnecessary system services (e.g., ModemManager) to reduce attack surface and meet UK Cyber Essentials requirements. This role is excluded from CI by default using the standard guard pattern (`when: not is_gh_actions`).
+- [firefox](roles/firefox), [chrome](roles/chrome-browser) apply security settings by policy
 
 ## Testing
 
diff --git a/roles/cleanup_services/tasks/main.yml b/roles/cleanup_services/tasks/main.yml
@@ -19,3 +19,24 @@
     autoremove: true
     update_cache: true
   when: not is_gh_actions
+
+# Remove and disable avahi-daemon to reduce attack surface (UK Cyber Essentials: unnecessary services)
+- name: Stop avahi-daemon
+  ansible.builtin.systemd:
+    name: avahi-daemon
+    state: stopped
+  when: not is_gh_actions  # Guard: requires elevated privileges, not CI-compatible
+
+- name: Disable avahi-daemon
+  ansible.builtin.systemd:
+    name: avahi-daemon
+    enabled: false
+  when: not is_gh_actions
+
+- name: Remove avahi-daemon package
+  ansible.builtin.package:
+    name: avahi-daemon
+    state: absent
+    autoremove: true
+    update_cache: true
+  when: not is_gh_actions
