make the firejail blacklist configurable

README.md

@@ -96,6 +96,13 @@ script looks for a profile with the same name in `~/.config/firejail`. If one
 is not found, it will create a profile that simply includes the system profile,
 as in the third example above. It will not modify any existing user profiles.
 
+### Blacklisting
+
+The `firejail.blacklist` variable is used to generate a list of blacklisted
+files and directories at `/usr/local/etc/firejail/disable-more.inc`. This file
+is included in most of the provided security profiles, causing those locations
+to be inaccessible to jailed programs.
+
 ## MAC Spoofing
 
 By default, the MAC address of all network interfaces is spoofed at boot,

group_vars/all

@@ -121,3 +121,16 @@ nameservers:
     - 74.82.42.42   # Hurricane Electric
 
 bluetooth: False
+
+firejail:
+    blacklist:
+        - ~/.calendars
+        - ~/.config/vdirsyncer
+        - ~/.contacts
+        - ~/.keys
+        - ~/.mbsyncrc
+        - ~/.offlineimap
+        - ~/.offlineimaprc
+        - ~/.password-store
+        - ~/.vdirsyncer
+        - ~/library/ledger

roles/firejail/tasks/main.yml

@@ -12,7 +12,7 @@
   file: path=/usr/local/etc/firejail state=directory
 
 - name: Push firejail blacklist include
-  copy: src=disable-more.inc dest=/usr/local/etc/firejail/disable-more.inc
+  template: src=disable-more.inc.j2 dest=/usr/local/etc/firejail/disable-more.inc
   tags:
     - firejail
 

roles/firejail/templates/disable-more.inc.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+{% for file in firejail.blacklist %}
+blacklist {{ file }}
+{% endfor %}