feat: Disable telemetry and advertising for corporate deployments

Derek · Derek · commit 0a0c9ffb7d6f · 2025-12-10T12:53:12.000+11:00
Ubuntu:
- Disable apt ESM/Pro advertising hooks
- Disable MOTD news fetching (Canonical ads)
- Disable Apport crash reporting
- Stop Whoopsie error reporting service
- Opt out of Ubuntu Report telemetry

Fedora:
- Disable ABRT crash reporting services (5 services)

GNOME (both):
- Disable problem reporting
- Disable software usage stats

Also fixed include_tasks apply:tags for utilities.yml to ensure
child tasks run when --tags utilities is used.
diff --git a/ansible/roles/dfe_developer/tasks/main.yml b/ansible/roles/dfe_developer/tasks/main.yml
@@ -25,6 +25,8 @@
 - name: Install development utilities
   ansible.builtin.include_tasks:
     file: utilities.yml
+    apply:
+      tags: ['utilities']
   tags: ['utilities']
 
 - name: Install Python development tools
diff --git a/ansible/roles/dfe_developer/tasks/utilities.yml b/ansible/roles/dfe_developer/tasks/utilities.yml
@@ -171,12 +171,17 @@
     - dfe_has_gnome | default(false)
 
 # ============================================================================
-# DISABLE UBUNTU PRO/ESM ADVERTISING (Ubuntu only)
+# DISABLE TELEMETRY AND ADVERTISING (Corporate deployment)
 # ============================================================================
-# Removes promotional messages from apt output and MOTD
+# Removes promotional messages, crash reporting, and telemetry for privacy
+# and to prevent data leakage in corporate environments.
 
-- name: Disable Ubuntu Pro advertising
+# -----------------------------------------------------------------------------
+# UBUNTU: Disable Ubuntu Pro/ESM advertising and telemetry
+# -----------------------------------------------------------------------------
+- name: Disable Ubuntu advertising and telemetry
   block:
+    # --- Ubuntu Pro/ESM Advertising ---
     - name: Disable apt ESM hook (removes apt upgrade messages)
       ansible.builtin.file:
         path: /etc/apt/apt.conf.d/20apt-esm-hook.conf
@@ -194,8 +199,94 @@
       changed_when: "'Successfully' in pro_apt_news.stdout"
       failed_when: false
 
+    # --- MOTD Advertising (Canonical news/ads) ---
+    - name: Disable MOTD news fetching
+      ansible.builtin.lineinfile:
+        path: /etc/default/motd-news
+        regexp: '^ENABLED='
+        line: 'ENABLED=0'
+        create: true
+        mode: '0644'
+
+    # --- Apport (crash reporting to Canonical) ---
+    - name: Disable Apport crash reporting
+      ansible.builtin.lineinfile:
+        path: /etc/default/apport
+        regexp: '^enabled='
+        line: 'enabled=0'
+
+    - name: Stop and disable Apport service
+      ansible.builtin.systemd:
+        name: apport
+        state: stopped
+        enabled: false
+      failed_when: false
+
+    # --- Whoopsie (error reporting daemon) ---
+    - name: Stop and disable Whoopsie error reporting
+      ansible.builtin.systemd:
+        name: whoopsie
+        state: stopped
+        enabled: false
+      failed_when: false
+
+    # --- Ubuntu Report (first-run telemetry) ---
+    - name: Opt out of Ubuntu Report telemetry
+      ansible.builtin.command:
+        cmd: ubuntu-report send no
+      register: ubuntu_report
+      changed_when: ubuntu_report.rc == 0
+      failed_when: false
+
   when: ansible_distribution == 'Ubuntu'
 
+# -----------------------------------------------------------------------------
+# FEDORA: Disable ABRT and telemetry
+# -----------------------------------------------------------------------------
+- name: Disable Fedora telemetry
+  block:
+    # --- ABRT (crash reporting to Red Hat) ---
+    - name: Disable ABRT crash reporting services
+      ansible.builtin.systemd:
+        name: "{{ item }}"
+        state: stopped
+        enabled: false
+      loop:
+        - abrt-journal-core
+        - abrt-oops
+        - abrt-xorg
+        - abrt-vmcore
+        - abrt-pstoreoops
+      failed_when: false
+
+    # --- Fedora Third Party Repos (optional, keep enabled for Chrome etc) ---
+    # Not disabling fedora-third-party as it's useful for Chrome, Steam, etc.
+
+  when: ansible_distribution == 'Fedora'
+
+# -----------------------------------------------------------------------------
+# GNOME: Disable desktop telemetry (both distros)
+# -----------------------------------------------------------------------------
+- name: Disable GNOME telemetry
+  block:
+    - name: Disable GNOME problem reporting
+      community.general.dconf:
+        key: "/org/gnome/desktop/privacy/report-technical-problems"
+        value: "false"
+        state: present
+      become: false
+
+    - name: Disable GNOME software usage stats
+      community.general.dconf:
+        key: "/org/gnome/desktop/privacy/send-software-usage-stats"
+        value: "false"
+        state: present
+      become: false
+
+  when:
+    - ansible_distribution in ['Fedora', 'Ubuntu']
+    - dfe_has_gnome | default(false)
+
 # ============================================================================
 # DFE ADMIN TOOLS
 # ============================================================================
