Split out configs

Signed-off-by: Tommy <contact@tommytran.io>

etc/docker/daemon.json

@@ -0,0 +1,55 @@
+{
+    "default-runtime": "runsc-systrap",
+    "runtimes": {
+        "runsc-kvm": {
+            "path": "/usr/local/bin/runsc",
+            "runtimeArgs": [
+                "--platform=kvm",
+                "--network=host"
+            ]
+        },
+        "runsc-systrap": {
+            "path": "/usr/local/bin/runsc",
+            "runtimeArgs": [
+                "--platform=systrap",
+                "--network=host"
+            ]
+        },
+        "runsc-kvm --host-uds=open": {
+            "path": "/usr/local/bin/runsc",
+            "runtimeArgs": [
+                "--platform=kvm",
+                "--network=host",
+                "--host-uds=open"
+            ]
+        },
+        "runsc-systrap --host-uds=open": {
+            "path": "/usr/local/bin/runsc",
+            "runtimeArgs": [
+                "--platform=systrap",
+                "--network=host",
+                "--host-uds=open"
+            ]
+        },
+        "runsc-kvm-debug": {
+            "path": "/usr/local/bin/runsc",
+            "runtimeArgs": [
+                "--platform=kvm",
+                "--network=host",
+                "--debug-log=/tmp/runsc-kvm/",
+                "--debug",
+                "--strace"
+            ]
+        },
+        "runsc-systrap-debug": {
+            "path": "/usr/local/bin/runsc",
+            "runtimeArgs": [
+                "--platform=systrap",
+                "--network=host",
+                "--debug-log=/tmp/runsc-systrap/",
+                "--debug",
+                "--strace"
+            ]
+        }
+    }
+}

etc/security/limits.d/30-disable-coredump.conf

@@ -0,0 +1 @@
+* hard core 0

etc/systemd/system/unbound.service.d/override.conf

@@ -0,0 +1,19 @@
+[Service]
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
+ProtectKernelTunables=true
+ProtectProc=invisible
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes

etc/systemd/zram-generator.conf

@@ -0,0 +1,4 @@
+[zram0]
+zram-fraction = 1
+max-zram-size = 8192
+compression-algorithm = zstd

etc/tuned/active_profile

@@ -0,0 +1 @@
+virtual-guest

etc/tuned/profile_mode

@@ -0,0 +1 @@
+manual

etc/unbound/unbound.conf

@@ -0,0 +1,39 @@
+server:
+  chroot: ""
+
+  auto-trust-anchor-file: "/var/lib/unbound/root.key"
+  trust-anchor-signaling: yes
+  root-key-sentinel: yes
+
+  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+  tls-ciphers: "PROFILE=SYSTEM"
+
+  hide-http-user-agent: yes
+  hide-identity: yes
+  hide-trustanchor: yes
+  hide-version: yes
+
+  deny-any: yes
+  harden-algo-downgrade: yes
+  harden-large-queries: yes
+  harden-referral-path: yes
+  harden-short-bufsize: yes
+  ignore-cd-flag: yes
+  max-udp-size: 3072
+  module-config: "validator iterator"
+  qname-minimisation-strict: yes
+  unwanted-reply-threshold: 10000000
+  use-caps-for-id: yes
+
+  outgoing-port-permit: 1024-65535
+
+  prefetch: yes
+  prefetch-key: yes
+
+forward-zone:
+  name: "."
+  forward-tls-upstream: yes
+  forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
+  forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
+  forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
+  forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com

etc/yum.repos.d/docker-ce.repo

@@ -0,0 +1,62 @@
+[docker-ce-stable]
+name=Docker CE Stable - $basearch
+baseurl=https://download.docker.com/linux/fedora/$releasever/$basearch/stable
+enabled=1
+gpgcheck=1
+gpgkey=https://download.docker.com/linux/fedora/gpg
+
+[docker-ce-stable-debuginfo]
+name=Docker CE Stable - Debuginfo $basearch
+baseurl=https://download.docker.com/linux/fedora/$releasever/debug-$basearch/stable
+enabled=0
+gpgcheck=1
+gpgkey=https://download.docker.com/linux/fedora/gpg
+
+[docker-ce-stable-source]
+name=Docker CE Stable - Sources
+baseurl=https://download.docker.com/linux/fedora/$releasever/source/stable
+enabled=0
+gpgcheck=1
+gpgkey=https://download.docker.com/linux/fedora/gpg
+
+[docker-ce-test]
+name=Docker CE Test - $basearch
+baseurl=https://download.docker.com/linux/fedora/$releasever/$basearch/test
+enabled=0
+gpgcheck=1
+gpgkey=https://download.docker.com/linux/fedora/gpg
+
+[docker-ce-test-debuginfo]
+name=Docker CE Test - Debuginfo $basearch
+baseurl=https://download.docker.com/linux/fedora/$releasever/debug-$basearch/test
+enabled=0
+gpgcheck=1
+gpgkey=https://download.docker.com/linux/fedora/gpg
+
+[docker-ce-test-source]
+name=Docker CE Test - Sources
+baseurl=https://download.docker.com/linux/fedora/$releasever/source/test
+enabled=0
+gpgcheck=1
+gpgkey=https://download.docker.com/linux/fedora/gpg
+
+[docker-ce-nightly]
+name=Docker CE Nightly - $basearch
+baseurl=https://download.docker.com/linux/fedora/$releasever/$basearch/nightly
+enabled=0
+gpgcheck=1
+gpgkey=https://download.docker.com/linux/fedora/gpg
+
+[docker-ce-nightly-debuginfo]
+name=Docker CE Nightly - Debuginfo $basearch
+baseurl=https://download.docker.com/linux/fedora/$releasever/debug-$basearch/nightly
+enabled=0
+gpgcheck=1
+gpgkey=https://download.docker.com/linux/fedora/gpg
+
+[docker-ce-nightly-source]
+name=Docker CE Nightly - Sources
+baseurl=https://download.docker.com/linux/fedora/$releasever/source/nightly
+enabled=0
+gpgcheck=1
+gpgkey=https://download.docker.com/linux/fedora/gpg

etc/zincati/config.d/51-rollout-wariness.toml

@@ -0,0 +1,2 @@
+[identity]
+rollout_wariness = 0

etc/zincati/config.d/55-updates-strategy.toml

@@ -0,0 +1,8 @@
+[updates]
+strategy = "periodic"
+[updates.periodic]
+time_zone = "localtime"
+[[updates.periodic.window]]
+days = [ "Sun" ]
+start_time = "0:00"
+length_minutes = 60