Default variable details

Some of debops-contrib.firejail default variables have more extensive configuration than simple strings or lists, here you can find documentation and examples for them.


The firejail__program_sandboxes and similar dictionaries allow you to configure program sandboxes using Firejail profiles (firejail-profile(5)). The dictionary key is the program name, the value is a dictionary with the following supported keys:


Optional, string. Should the program be sandboxed with firejail for all users of the system by creating a symlink under /usr/local/bin/{{ item.key }} with the firejail program binary file path as target. The directory path where the symlink is being created/removed (/usr/local/bin/) can be changed via firejail__system_local_bin_path. This option relies on the feature of firejail to be called via a different file path which causes firejail to act as a wrapper around the real program.

These options are supported:

The sandbox should be present system wide.
The sandbox should be present system wide but only if the program is installed (is found in PATH) on role run. This can be used to not make it look like the program is installed (by creating a symlink with the name in the PATH) and to avoid the case where a user tries to run the program and firejail complaining with "Error: cannot find the program in the path". If the program is not found, then the system wide sandbox will be made absent.
The sandbox should be absent system wide.

Defaults to firejail__global_profiles_system_wide_sandboxed. Refer to firejail(1) under "Desktop Integration" or Firejail 0.9.38 Release Announcement under "Symlink invocation".

Optional, dictionary. Use a provided profile by copying it from the Ansible controller into the firejail__config_path directory of the remote system using the Ansible copy module. profile is basically just passed to the module. Refer to it’s documentation for details with the exception that the state parameter is handled properly. state defaults to present but can be set to absent which will cause the profile on the remote systems to become absent. Refer to Examples for providing additional profiles for how this can be used.

Examples for sandboxing additional programs

Sandbox the given programs on all hosts even if Firejail does not yet ship with a profile for them:

  jq: {}
    system_wide_sandboxed: 'present'

The symlink for jq will only be created if jq is installed. The symlink for my_cool_program will be created regardless whether it has been found in the PATH.

Example to exclude a program from being sandboxed

Depending on the value of firejail__global_profiles_system_wide_sandboxed, the role might sandbox all programs which are installed and for which security profiles are defined. Check out the following example in case you want to exclude programs from being sandboxed system wide:

    # Less can’t possibly have an issue with parsing untrusted input (TM).
    # I know what I am doing! Don’t sandbox it!
    system_wide_sandboxed: 'absent'

Examples for providing additional profiles

Copy Firejail security profiles from the Ansible controller to all remote systems:

      src: '/home/user/.config/firejail/smplayer.profile'

      ## `content` can be used alternatively to `src` to provide the profile inlined
      ## (supports Jinja templating as usual):
      # content: |
      #   # {{ ansible_managed }}
      #   # smplyer security profile.
      #   noblacklist ${HOME}/.config/smplayer
      #   # And so on.

      ## `state` can be used to make the profile absent:
      # state: 'absent'

This will create /etc/firejail/smplayer.profile on all remote systems.