Compare commits


No commits in common. "f79017fd3ee0d58f6b97fe57c3552e55d5ddd94c" and "fa060e74d86cc7407d83e29bb6982980ddb0c6ce" have entirely different histories.

16 changed files with 750 additions and 219 deletions


@ -2,7 +2,8 @@
Ignition configurations for Fedora CoreOS<br /> Ignition configurations for Fedora CoreOS<br />
# Notes # Notes
These configurations are tailored for Metropolis.nexus environment: 1. These are the configs I personally use on my systems. You **MUST** edit the files before you use them. At the very least, you should add your SSH keys or password hash.<br />
- Firewalling is handled by Proxmox (not the individual VMs) 2. Only ED25519 SSH keys are accepted with the SSHD hardening configuration. If you do not use ED25519 keys, you will need to adjust the `/etc/ssh/sshd_config.d/10-custom.conf` file accordingly.
- DNSSEC validation is done by either OPNsense or a central VM dedicated to running the DNS resolver 3. If you create a passwordless user that requires administrative privileges, ensure that it is part of the `sudo` group (CoreOS allows this group to use sudo without a password) as the configs will disable empty password system authentication.
- Podman will be used for deployment, not Docker 4. These configurations are made with a VPS in mind. You should adapt it for a bare metal deployment if that is what you are using (adding additional kernel parameters, configuring drive encryption, configuring storage, etc). You should also change the tuned profile from `virtual-guest` appropriately.
5. The docker-compose-updater@.timer can be enabled to have automatic updates for your containers created by Docker Compose.


@ -0,0 +1,20 @@
{
"default-runtime": "runsc-systrap",
"runtimes": {
"runsc-systrap": {
"path": "/usr/local/bin/runsc",
"runtimeArgs": [
"--platform=systrap",
"--network=host"
]
},
"runsc-systrap --host-uds=open": {
"path": "/usr/local/bin/runsc",
"runtimeArgs": [
"--platform=systrap",
"--network=host",
"--host-uds=open"
]
}
}
}
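Review bot: Both runtimes pass `--network=host`, which makes runsc use the host kernel's network stack (gVisor's hostinet mode) instead of its own netstack, so the container's network syscalls are no longer interposed by the sandbox; JSON has no comment syntax, so the reason for accepting that trade-off belongs in the README next to the other notes. The second runtime additionally adds `--host-uds=open`, which lets sandboxed workloads open host Unix sockets, and it is worth naming which workloads need that. Its key `runsc-systrap --host-uds=open` contains spaces, which presumably works but is awkward to pass on the command line and in compose files; a name such as `runsc-systrap-host-uds` would be clearer. The same runtime block appears in the second daemon.json section below (the one that also adds `default-address-pools`).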


@ -0,0 +1,24 @@
{
"default-runtime": "runsc-systrap",
"runtimes": {
"runsc-systrap": {
"path": "/usr/local/bin/runsc",
"runtimeArgs": [
"--platform=systrap",
"--network=host"
]
},
"runsc-systrap --host-uds=open": {
"path": "/usr/local/bin/runsc",
"runtimeArgs": [
"--platform=systrap",
"--network=host",
"--host-uds=open"
]
}
},
"default-address-pools": [
{ "base": "242.242.0.0/16", "size": 24 }
],
"dns" : [ "242.242.0.1" ]
}
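Review bot: `default-address-pools` and `dns` use 242.242.0.0/16, which sits inside the reserved 240.0.0.0/4 block rather than RFC 1918 space; Linux treats it as ordinary unicast, but some container images and tooling still reject 240/4 addresses, so if this was chosen deliberately to avoid colliding with upstream networks it deserves a sentence in the README. The value is also duplicated by hand in etc/unbound/unbound.conf (`interface: 242.242.0.1` and `access-control: 242.242.0.0/16 allow`), so the two files must be changed together if the pool ever moves.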

1
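--- /dev/null
+++ b/etc/tuned/active_profile
@@ -0,0 +1 @@
+virtual-guest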

1
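--- /dev/null
+++ b/etc/tuned/profile_mode
@@ -0,0 +1 @@
+manual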

45
etc/unbound/unbound.conf Normal file

@ -0,0 +1,45 @@
server:
chroot: ""
auto-trust-anchor-file: "/var/lib/unbound/root.key"
trust-anchor-signaling: yes
root-key-sentinel: yes
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
tls-ciphers: "PROFILE=SYSTEM"
hide-http-user-agent: yes
hide-identity: yes
hide-trustanchor: yes
hide-version: yes
deny-any: yes
harden-algo-downgrade: yes
harden-large-queries: yes
harden-referral-path: yes
harden-short-bufsize: yes
ignore-cd-flag: yes
max-udp-size: 3072
module-config: "validator iterator"
qname-minimisation-strict: yes
unwanted-reply-threshold: 10000000
use-caps-for-id: yes
outgoing-port-permit: 1024-65535
prefetch: yes
prefetch-key: yes
ip-transparent: yes
interface: 127.0.0.1
interface: ::1
interface: 242.242.0.1
access-control: 242.242.0.0/16 allow
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com
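Review bot: `chroot: ""` at the top of the `server:` block switches off unbound's own chroot and nothing in the file says why; if the intent is that confinement comes from the systemd drop-in at etc/systemd/system/unbound.service.d/override.conf that x86-unbound.yml pulls in, a comment such as `# chroot disabled on purpose: sandboxing is provided by the unbound.service.d override` would make that dependency explicit. Likewise `interface: 242.242.0.1` only works at boot because `ip-transparent: yes` lets the daemon bind an address that does not yet exist on docker0; that coupling is worth a one-line comment so nobody removes `ip-transparent` as an unneeded option. The hunk header announces 45 lines while 37 are shown, which looks like the renderer dropped blank lines rather than missing content.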


@ -0,0 +1,10 @@
[copr:copr.fedorainfracloud.org:secureblue:hardened_malloc]
name=Copr repo for hardened_malloc owned by secureblue
baseurl=https://download.copr.fedorainfracloud.org/results/secureblue/hardened_malloc/fedora-$releasever-$basearch/
type=rpm-md
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://download.copr.fedorainfracloud.org/results/secureblue/hardened_malloc/pubkey.gpg
repo_gpgcheck=0
enabled=1
enabled_metadata=1
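Review bot: `repo_gpgcheck=0` leaves the repository metadata unauthenticated (only the packages are covered by `gpgcheck=1`), and the trust anchor itself, `gpgkey=https://download.copr.fedorainfracloud.org/.../pubkey.gpg`, is fetched from the same host that serves the packages, so the effective root of trust is that host's TLS certificate rather than a key you control. Shipping the public key in the Ignition config (a `storage.files` entry with inline contents and `gpgkey=file:///etc/pki/rpm-gpg/<KEY-FILE-PLACEHOLDER>`) would pin it independently of the download host, at the cost of updating it by hand when the COPR key rotates. The docker-ce.repo section below uses the same same-origin `gpgkey=https://download.docker.com/linux/fedora/gpg` pattern in all nine of its repo stanzas.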


@ -0,0 +1,62 @@
[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://download.docker.com/linux/fedora/$releasever/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
[docker-ce-stable-debuginfo]
name=Docker CE Stable - Debuginfo $basearch
baseurl=https://download.docker.com/linux/fedora/$releasever/debug-$basearch/stable
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
[docker-ce-stable-source]
name=Docker CE Stable - Sources
baseurl=https://download.docker.com/linux/fedora/$releasever/source/stable
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
[docker-ce-test]
name=Docker CE Test - $basearch
baseurl=https://download.docker.com/linux/fedora/$releasever/$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
[docker-ce-test-debuginfo]
name=Docker CE Test - Debuginfo $basearch
baseurl=https://download.docker.com/linux/fedora/$releasever/debug-$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
[docker-ce-test-source]
name=Docker CE Test - Sources
baseurl=https://download.docker.com/linux/fedora/$releasever/source/test
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
[docker-ce-nightly]
name=Docker CE Nightly - $basearch
baseurl=https://download.docker.com/linux/fedora/$releasever/$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
[docker-ce-nightly-debuginfo]
name=Docker CE Nightly - Debuginfo $basearch
baseurl=https://download.docker.com/linux/fedora/$releasever/debug-$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
[docker-ce-nightly-source]
name=Docker CE Nightly - Sources
baseurl=https://download.docker.com/linux/fedora/$releasever/source/nightly
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg


@ -0,0 +1,2 @@
[identity]
rollout_wariness = 0


@ -0,0 +1,10 @@
[updates]
strategy = "periodic"
[updates.periodic]
time_zone = "localtime"
[[updates.periodic.window]]
days = [ "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun" ]
start_time = "3:00"
length_minutes = 60

1
x86-metropolis-nexus.ign Normal file

File diff suppressed because one or more lines are too long

269
x86-metropolis-nexus.yml Normal file

@ -0,0 +1,269 @@
# Copyright (C) 2021-2025 Thien Tran
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy of
# the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under
# the License.
variant: fcos
version: 1.6.0
passwd:
users:
- name: tomster
ssh_authorized_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkTKkJS7Id1WCyA5Klu/moLG9mP5hTC+v2qYqypMF1u contact@tommytran.io
groups:
- wheel
- sudo
- name: unpriv
systemd:
units:
- name: postinst.service
enabled: true
contents: |
[Unit]
Description=Initial System Setup
# We run after `systemd-machine-id-commit.service` to ensure that
# `ConditionFirstBoot=true` services won't rerun on the next boot.
After=systemd-machine-id-commit.service
After=network-online.target
# We run before `zincati.service` to avoid conflicting rpm-ostree
# transactions.
Before=zincati.service
ConditionPathExists=!/var/lib/%N.stamp
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/restorecon -R /var
ExecStart=/usr/sbin/setsebool -P container_use_cephfs off
ExecStart=/usr/sbin/setsebool -P virt_use_nfs off
ExecStart=/usr/sbin/setsebool -P virt_use_samba off
ExecStart=/usr/bin/rpm-ostree override remove containerd docker-cli dnsmasq google-compute-engine-guest-configs-udev iptables-legacy iptables-legacy-libs moby-engine runc systemd-resolved
ExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin hardened_malloc qemu-guest-agent tuned
ExecStart=/usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
ExecStart=/usr/bin/systemctl disable systemd-resolved
ExecStart=/usr/bin/rm /etc/resolv.conf
ExecStart=/usr/bin/touch /var/lib/%N.stamp
ExecStart=/usr/bin/echo 'libhardened_malloc.so' > /etc/ld.so.preload
ExecStart=/usr/bin/systemctl --no-block reboot
[Install]
WantedBy=multi-user.target
- name: gvisor-updater.service
enabled: true
contents: |
[Unit]
Description=Update gVisor
Requires=network-online.target
After=network-online.target
Before=docker.service
[Service]
Type=oneshot
RuntimeDirectory=gvisor-updater
WorkingDirectory=/run/gvisor-updater
ExecStart=/usr/bin/sleep 5
ExecStart=curl -sS --remote-name-all 'https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc' 'https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512' 'https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1' 'https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512'
ExecStart=sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512
ExecStart=+chown root:root runsc containerd-shim-runsc-v1
ExecStart=+chmod a+rx runsc containerd-shim-runsc-v1
ExecStart=+mv -Z runsc containerd-shim-runsc-v1 /usr/local/bin/
DynamicUser=true
CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateIPC=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
RuntimeDirectoryMode=700
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@obsolete
[Install]
WantedBy=multi-user.target
- name: docker-compose-updater@.service
enabled: false
contents: |
[Unit]
Description=Docker Compose Updater for /srv/%I
Requires=network-online.target
Requisite=docker.service
After=network-online.target
After=docker.service
[Service]
Type=oneshot
User=root
Group=root
WorkingDirectory=/srv/%i
ExecStart=/usr/bin/docker image prune -f -a --filter 'until=240h'
#ExecStart=/usr/bin/git pull
ExecStart=/usr/bin/docker compose pull
ExecStart=/usr/bin/docker compose up -d
- name: docker-compose-updater@.timer
enabled: false
contents: |
[Unit]
Description=Run docker-compose-updater for /srv/%I daily, 15 mintues after OS updates
[Timer]
OnCalendar=*-*-* 03:15
Persistent=true
[Install]
WantedBy=timers.target
- name: docker.service
enabled: true
- name: fstrim.timer
enabled: true
- name: systemd-oomd.service
enabled: true
- name: rpm-ostree-countme.timer
enabled: false
mask: true
- name: sshd.service
enabled: false
- name: sshd.socket
enabled: true
- name: kdump.service
enabled: false
mask: true
- name: debug-shell.service
enabled: false
mask: true
storage:
files:
- path: /etc/zincati/config.d/51-rollout-wariness.toml
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/zincati/config.d/51-rollout-wariness.toml
- path: /etc/zincati/config.d/55-updates-strategy.toml
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/zincati/config.d/55-updates-strategy.toml
- path: /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo
- path: /etc/yum.repos.d/docker-ce.repo
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/docker-ce.repo
- path: /etc/docker/daemon.json
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/docker/daemon-metropolis-nexus.json
- path: /etc/chrony.conf
contents:
source: https://raw.githubusercontent.com/GrapheneOS/infrastructure/refs/heads/main/etc/chrony.conf
overwrite: true
- path: /etc/modprobe.d/server-blacklist.conf
contents:
source: https://raw.githubusercontent.com/secureblue/secureblue/refs/heads/live/files/system/etc/modprobe.d/blacklist.conf
- path: /etc/sysctl.d/99-server.conf
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf
- path: /etc/systemd/system/NetworkManager.service.d/99-brace.conf
contents:
source: https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf
- path: /etc/systemd/system/irqbalance.service.d/99-brace.conf
contents:
source: https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf
- path: /etc/ssh/sshd_config.d/10-custom.conf
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf
- path: /etc/ssh/ssh_config.d/10-custom.conf
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf
- path: /etc/systemd/system/sshd.service.d/override.conf
contents:
source: https://raw.githubusercontent.com/GrapheneOS/infrastructure/refs/heads/main/etc/systemd/system/sshd.service.d/override.conf
- path: /etc/tuned/active_profile
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/tuned/active_profile
- path: /etc/tuned/profile_mode
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/tuned/profile_mode
- path: /etc/systemd/zram-generator.conf
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/zram-generator.conf
- path: /etc/security/limits.d/30-disable-coredump.conf
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf
- path: /etc/systemd/coredump.conf.d
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf
- path: /etc/sysconfig/chronyd
overwrite: true
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd
- path: /etc/issue
overwrite: true
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue
- path: /etc/issue.net
overwrite: true
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue
links:
- path: /etc/localtime
target: ../usr/share/zoneinfo/Etc/UTC
- path: /etc/systemd/system/multi-user.target.wants/tuned.service
target: /usr/lib/systemd/system/tuned.service
kernel_arguments:
should_exist:
- mitigations=auto,nosmt
- spectre_v2=on
- spectre_bhi=on
- spec_store_bypass_disable=on
- tsx=off
- kvm.nx_huge_pages=force
- nosmt=force
- l1d_flush=on
- l1tf=full,force
- kvm-intel.vmentry_l1d_flush=always
- spec_rstack_overflow=safe-ret
- gather_data_sampling=force
- reg_file_data_sampling=on
- random.trust_bootloader=off
- random.trust_cpu=off
- intel_iommu=on
- amd_iommu=force_isolation
- efi=disable_early_pci_dma
- iommu=force
- iommu.passthrough=0
- iommu.strict=1
- slab_nomerge
- init_on_alloc=1
- init_on_free=1
- pti=on
- vsyscall=none
- ia32_emulation=0
- page_alloc.shuffle=1
- randomize_kstack_offset=on
- debugfs=off
- lockdown=confidentiality
- module.sig_enforce=1
- console=tty0
- console=ttyS0,115200
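Review bot: `ExecStart=/usr/bin/echo 'libhardened_malloc.so' > /etc/ld.so.preload` in postinst.service never writes the file: systemd does not run ExecStart through a shell, so `>` and the path are handed to echo as plain arguments and land in the journal, leaving hardened_malloc silently unpreloaded. Either wrap it, `ExecStart=/bin/sh -c "echo libhardened_malloc.so > /etc/ld.so.preload"`, or drop the line and let Ignition write the file with a `storage.files` entry whose `contents.inline` is `libhardened_malloc.so`. The `sed -i 's/\s+nullok//g'` line a few lines above has a related problem: in sed's default BRE syntax `+` is a literal character, so the pattern only matches a `+nullok` token and `nullok` stays in system-auth, which the README's point 3 relies on; `sed -E -i 's/\s+nullok//g'` (or `\s\+`) matches as intended. In gvisor-updater.service the `.sha512` files come from the same origin as the binaries, so `sha512sum -c` only re-checks what TLS already guarantees in transit and does not authenticate the release before the `+`-prefixed steps install it into /usr/local/bin as root. The echo and sed lines appear again in x86-unbound.yml (in postinst2.service and postinst.service respectively) with the same defects.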

1
x86-unbound.ign Normal file

File diff suppressed because one or more lines are too long

299
x86-unbound.yml Normal file

@ -0,0 +1,299 @@
# Copyright (C) 2021-2025 Thien Tran
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy of
# the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under
# the License.
variant: fcos
version: 1.6.0
passwd:
users:
- name: tomster
ssh_authorized_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkTKkJS7Id1WCyA5Klu/moLG9mP5hTC+v2qYqypMF1u contact@tommytran.io
groups:
- wheel
- sudo
- name: unpriv
systemd:
units:
- name: postinst.service
enabled: true
contents: |
[Unit]
Description=Initial System Setup
# We run after `systemd-machine-id-commit.service` to ensure that
# `ConditionFirstBoot=true` services won't rerun on the next boot.
After=systemd-machine-id-commit.service
After=network-online.target
# We run before `zincati.service` to avoid conflicting rpm-ostree
# transactions.
Before=zincati.service
ConditionPathExists=!/var/lib/%N.stamp
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/restorecon -R /var
ExecStart=/usr/sbin/setsebool -P container_use_cephfs off
ExecStart=/usr/sbin/setsebool -P virt_use_nfs off
ExecStart=/usr/sbin/setsebool -P virt_use_samba off
ExecStart=/usr/bin/rpm-ostree override remove containerd docker-cli dnsmasq google-compute-engine-guest-configs-udev iptables-legacy iptables-legacy-libs moby-engine runc systemd-resolved
ExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld hardened_malloc qemu-guest-agent tuned unbound
ExecStart=/usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
ExecStart=/usr/bin/systemctl disable systemd-resolved
ExecStart=/usr/bin/rm /etc/resolv.conf
ExecStart=/usr/bin/touch /var/lib/%N.stamp
ExecStart=/usr/bin/systemctl --no-block reboot
[Install]
WantedBy=multi-user.target
- name: postinst2.service
enabled: true
contents: |
[Unit]
Description=Initial System Setup Part 2
# We run this after the packages have been overlayed
After=network-online.target
ConditionPathExists=!/var/lib/%N.stamp
ConditionPathExists=/var/lib/postinst.stamp
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/echo 'libhardened_malloc.so' > /etc/ld.so.preload
ExecStart=/usr/bin/systemctl enable --now firewalld
ExecStart=/usr/bin/firewall-cmd --lockdown-on
ExecStart=/usr/bin/firewall-cmd --permanent --remove-service=mds
ExecStart=/usr/bin/rm /etc/unbound/unbound_control.key
ExecStart=/usr/bin/touch /var/lib/%N.stamp
ExecStart=/usr/bin/systemctl --no-block reboot
[Install]
WantedBy=multi-user.target
- name: gvisor-updater.service
enabled: true
contents: |
[Unit]
Description=Update gVisor
Requires=network-online.target
After=network-online.target
Before=docker.service
[Service]
Type=oneshot
RuntimeDirectory=gvisor-updater
WorkingDirectory=/run/gvisor-updater
ExecStart=/usr/bin/sleep 5
ExecStart=curl -sS --remote-name-all 'https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc' 'https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512' 'https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1' 'https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512'
ExecStart=sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512
ExecStart=+chown root:root runsc containerd-shim-runsc-v1
ExecStart=+chmod a+rx runsc containerd-shim-runsc-v1
ExecStart=+mv -Z runsc containerd-shim-runsc-v1 /usr/local/bin/
DynamicUser=true
CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateIPC=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
RuntimeDirectoryMode=700
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@obsolete
[Install]
WantedBy=multi-user.target
- name: docker-compose-updater@.service
enabled: false
contents: |
[Unit]
Description=Docker Compose Updater for /srv/%I
Requires=network-online.target
Requisite=docker.service
After=network-online.target
After=docker.service
[Service]
Type=oneshot
User=root
Group=root
WorkingDirectory=/srv/%i
ExecStart=/usr/bin/docker image prune -f -a --filter 'until=240h'
#ExecStart=/usr/bin/git pull
ExecStart=/usr/bin/docker compose pull
ExecStart=/usr/bin/docker compose up -d
- name: docker-compose-updater@.timer
enabled: false
contents: |
[Unit]
Description=Run docker-compose-updater for /srv/%I daily, 15 mintues after OS updates
[Timer]
OnCalendar=*-*-* 03:15
Persistent=true
[Install]
WantedBy=timers.target
- name: docker.service
enabled: true
- name: fstrim.timer
enabled: true
- name: systemd-oomd.service
enabled: true
- name: rpm-ostree-countme.timer
enabled: false
mask: true
- name: sshd.service
enabled: false
- name: sshd.socket
enabled: true
- name: kdump.service
enabled: false
mask: true
- name: debug-shell.service
enabled: false
mask: true
storage:
files:
- path: /etc/zincati/config.d/51-rollout-wariness.toml
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/zincati/config.d/51-rollout-wariness.toml
- path: /etc/zincati/config.d/55-updates-strategy.toml
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/zincati/config.d/55-updates-strategy.toml
- path: /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo
- path: /etc/yum.repos.d/docker-ce.repo
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/docker-ce.repo
- path: /etc/docker/daemon.json
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/docker/daemon-unbound.json
- path: /etc/chrony.conf
contents:
source: https://raw.githubusercontent.com/GrapheneOS/infrastructure/refs/heads/main/etc/chrony.conf
overwrite: true
- path: /etc/modprobe.d/server-blacklist.conf
contents:
source: https://raw.githubusercontent.com/secureblue/secureblue/refs/heads/live/files/system/etc/modprobe.d/blacklist.conf
- path: /etc/sysctl.d/99-server.conf
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf
- path: /etc/systemd/system/NetworkManager.service.d/99-brace.conf
contents:
source: https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf
- path: /etc/systemd/system/irqbalance.service.d/99-brace.conf
contents:
source: https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf
- path: /etc/ssh/sshd_config.d/10-custom.conf
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf
- path: /etc/ssh/ssh_config.d/10-custom.conf
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf
- path: /etc/systemd/system/sshd.service.d/override.conf
contents:
source: https://raw.githubusercontent.com/GrapheneOS/infrastructure/refs/heads/main/etc/systemd/system/sshd.service.d/override.conf
- path: /etc/tuned/active_profile
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/tuned/active_profile
- path: /etc/tuned/profile_mode
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/tuned/profile_mode
- path: /etc/systemd/zram-generator.conf
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/zram-generator.conf
- path: /etc/security/limits.d/30-disable-coredump.conf
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf
- path: /etc/systemd/coredump.conf.d
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf
- path: /etc/sysconfig/chronyd
overwrite: true
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd
- path: /etc/unbound/unbound.conf
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/unbound/unbound.conf
- path: /etc/systemd/system/unbound.service.d/override.conf
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/unbound.service.d/override.conf
- path: /etc/issue
overwrite: true
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue
- path: /etc/issue.net
overwrite: true
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue
links:
- path: /etc/localtime
target: ../usr/share/zoneinfo/Etc/UTC
- path: /etc/systemd/system/multi-user.target.wants/unbound.service
target: /usr/lib/systemd/system/unbound.service
- path: /etc/systemd/system/multi-user.target.wants/tuned.service
target: /usr/lib/systemd/system/tuned.service
kernel_arguments:
should_exist:
- mitigations=auto,nosmt
- spectre_v2=on
- spectre_bhi=on
- spec_store_bypass_disable=on
- tsx=off
- kvm.nx_huge_pages=force
- nosmt=force
- l1d_flush=on
- l1tf=full,force
- kvm-intel.vmentry_l1d_flush=always
- spec_rstack_overflow=safe-ret
- gather_data_sampling=force
- reg_file_data_sampling=on
- random.trust_bootloader=off
- random.trust_cpu=off
- intel_iommu=on
- amd_iommu=force_isolation
- efi=disable_early_pci_dma
- iommu=force
- iommu.passthrough=0
- iommu.strict=1
- slab_nomerge
- init_on_alloc=1
- init_on_free=1
- pti=on
- vsyscall=none
- ia32_emulation=0
- page_alloc.shuffle=1
- randomize_kstack_offset=on
- debugfs=off
- lockdown=confidentiality
- module.sig_enforce=1
- console=tty0
- console=ttyS0,115200
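Review bot: In postinst2.service, `ExecStart=/usr/bin/firewall-cmd --permanent --remove-service=mds` names a service `mds`; firewalld ships an `mdns` definition and I cannot find one called `mds`, so if this is a typo the command fails with an invalid-service error, the oneshot unit stops at that line, and the stamp file, the `unbound_control.key` removal and the reboot never happen, after which `ConditionPathExists=!/var/lib/%N.stamp` keeps the unit re-running and failing on every boot. Check the name against `firewall-cmd --get-services` on a target host. The permanent change is also issued after `firewall-cmd --lockdown-on`; root is presumably on the default lockdown whitelist, but running `--remove-service` first and `--lockdown-on` last removes the dependency on that whitelist. The `echo ... > /etc/ld.so.preload` redirection in this unit and the `sed 's/\s+nullok//g'` pattern in postinst.service have the same defects noted on x86-metropolis-nexus.yml.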

File diff suppressed because one or more lines are too long

214
x86.yml

@ -1,214 +0,0 @@
# Copyright (C) 2021-2025 Thien Tran
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy of
# the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under
# the License.
variant: fcos
version: 1.6.0
passwd:
users:
- name: tomster
ssh_authorized_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkTKkJS7Id1WCyA5Klu/moLG9mP5hTC+v2qYqypMF1u contact@tommytran.io
groups:
- wheel
- sudo
systemd:
units:
- name: postinst.service
enabled: true
contents: |
[Unit]
Description=Initial System Setup
# We run after `systemd-machine-id-commit.service` to ensure that
# `ConditionFirstBoot=true` services won't rerun on the next boot.
After=systemd-machine-id-commit.service
After=network-online.target
# We run before `zincati.service` to avoid conflicting rpm-ostree
# transactions.
Before=zincati.service
ConditionPathExists=!/var/lib/%N.stamp
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/restorecon -R /var
ExecStart=/usr/sbin/setsebool -P container_use_cephfs off
ExecStart=/usr/sbin/setsebool -P virt_use_nfs off
ExecStart=/usr/sbin/setsebool -P virt_use_samba off
ExecStart=/usr/bin/rpm-ostree install hardened_malloc qemu-guest-agent tuned
ExecStart=/usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
ExecStart=/usr/bin/systemctl disable systemd-resolved
ExecStart=/usr/bin/rm /etc/resolv.conf
ExecStart=/usr/bin/touch /var/lib/%N.stamp
ExecStart=/usr/bin/echo 'libhardened_malloc.so' > /etc/ld.so.preload
ExecStart=/usr/bin/systemctl --no-block reboot
[Install]
WantedBy=multi-user.target
- name: debug-shell.service
enabled: false
mask: true
- name: docker.service
enabled: false
- name: rpm-ostree-countme.timer
enabled: false
mask: true
- name: irqbalance.service
enabled: false
mask: true
- name: kdump.service
enabled: false
mask: true
storage:
files:
- path: /etc/chrony.conf
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/chrony.conf
overwrite: true
- path: /etc/sysconfig/chronyd
overwrite: true
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/sysconfig/chronyd
- path: /etc/containers/containers.conf
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/containers/containers.conf
- path: /etc/docker/daemon.json
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/docker/daemon.json
- path: /etc/issue
overwrite: true
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/issue
- path: /etc/issue.net
overwrite: true
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/issue
- path: /etc/modprobe.d/server-blacklist.conf
contents:
source: https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/etc/modprobe.d/blacklist.conf
- path: /etc/security/limits.d/30-disable-coredump.conf
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/security/limits.d/30-disable-coredump.conf
- path: /etc/ssh/sshd_config.d/10-custom.conf
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/ssh/sshd_config.d/10-custom.conf
- path: /etc/ssh/ssh_config.d/10-custom.conf
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/ssh/ssh_config.d/10-custom.conf
- path: /etc/systemd/system/sshd.service.d/override.conf
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/systemd/system/sshd.service.d/override.conf
- path: /etc/sysctl.d/99-server.conf
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/sysctl.d/99-server.conf
- path: /etc/systemd/coredump.conf.d
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/systemd/coredump.conf.d/disable.conf
- path: /etc/systemd/system/gvisor-updater.service
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/systemd/system/gvisor-updater.service
# Annoying AGPL3 license
- path: /etc/systemd/system/NetworkManager.service.d/99-brace.conf
contents:
source: https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf
- path: /etc/systemd/zram-generator.conf
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/systemd/zram-generator.conf
- path: /etc/tuned/active_profile
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/tuned/active_profile
- path: /etc/tuned/profile_mode
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/tuned/profile_mode
- path: /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo
overwrite: true
- path: /etc/zincati/config.d/51-rollout-wariness.toml
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/zincati/config.d/51-rollout-wariness.toml
- path: /etc/zincati/config.d/55-updates-strategy.toml
contents:
source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/zincati/config.d/55-updates-strategy.toml
links:
- path: /etc/systemd/system/multi-user.target.wants/gvisor-updater.service
target: /etc/systemd/system/gvisor-updater.service
- path: /etc/systemd/system/multi-user.target.wants/tuned.service
target: /usr/lib/systemd/system/tuned.service
kernel_arguments:
should_exist:
# CPU vulnerabilities
- mitigations=auto,nosmt
- nosmt=force
- spectre_v2=on
- spectre_bhi=on
- spec_store_bypass_disable=on
- tsx=off
- l1d_flush=on
- l1tf=full,force
- kvm-intel.vmentry_l1d_flush=always
- spec_rstack_overflow=safe-ret
- gather_data_sampling=force
- reg_file_data_sampling=on
- kvm.nx_huge_pages=force
# DMA protection
- amd_iommu=force_isolation
- intel_iommu=on
- iommu=force
- iommu.strict=1
- iommu.passthrough=0
- efi=disable_early_pci_dma
# Memory protection
- slab_nomerge
- init_on_alloc=1
- init_on_free=1
- page_alloc.shuffle=1
- pti=on
- randomize_kstack_offset=on
# ASR
- lockdown=confidentiality
- module.sig_enforce=1
- oops=panic
- vsyscall=none
- ia32_emulation=0
- debugfs=off
# Entropy
- random.trust_bootloader=off
- random.trust_cpu=off
# Serial support for Proxmox
- console=tty0
- console=ttyS0,115200