first commit

etc/NetworkManager/conf.d/00-macrandomize.conf

@@ -0,0 +1,6 @@
+[device]
+wifi.scan-rand-mac-address=yes
+[connection]
+wifi.cloned-mac-address=random
+ethernet.cloned-mac-address=random
+connection.stable-id=${CONNECTION}/${BOOT}

etc/NetworkManager/conf.d/01-transient-hostname.conf

@@ -0,0 +1,2 @@
+[main]
+hostname-mode=none

etc/apt/apt.conf.d/99sane-upgrades

@@ -0,0 +1,6 @@
+Update-Manager::Always-Include-Phased-Updates "true";
+APT::Get::Always-Include-Phased-Updates "true";
+APT::Get::Upgrade-Allow-New "true";
+APT::Install-Recommends "false";
+APT::Install-Suggests "false";
+APT::Get::AutomaticRemove "true";

etc/apt/sources.list.d/docker.sources

@@ -0,0 +1,5 @@
+Types: deb
+URIs: https://download.docker.com/linux/ubuntu
+Suites: noble
+Components: stable
+Signed-By: /usr/share/keyrings/docker.asc

etc/apt/sources.list.d/element-io.sources

@@ -0,0 +1,5 @@
+Types: deb
+URIs: https://packages.element.io/debian/
+Suites: default
+Components: main
+Signed-By: /usr/share/keyrings/element-io-archive-keyring.gpg

etc/apt/sources.list.d/mariadb.sources

@@ -0,0 +1,21 @@
+Types: deb
+URIs: https://dlm.mariadb.com/repo/mariadb-server/11.4/repo/ubuntu
+Suites: noble
+Components: main
+Signed-By: /usr/share/keyrings/mariadb-keyring-2019.gpg
+Architectures: amd64 arm64
+
+# The jammy part is not a typo. They just haven't released it for noble yet.
+Types: deb
+URIs: https://dlm.mariadb.com/repo/maxscale/latest/apt
+Suites: jammy
+Components: main
+Signed-By: /usr/share/keyrings/mariadb-keyring-2019.gpg
+Architectures: amd64 arm64
+
+Types: deb
+URIs: http://downloads.mariadb.com/Tools/ubuntu
+Suites: noble
+Components: main
+Signed-By: /usr/share/keyrings/mariadb-keyring-2019.gpg
+Architectures: amd64

etc/apt/sources.list.d/microsoft-edge.sources

@@ -0,0 +1,6 @@
+Types: deb
+URIs: https://packages.microsoft.com/repos/edge
+Suites: stable
+Components: main
+Signed-By: /usr/share/keyrings/microsoft.gpg
+Architectures: amd64

etc/apt/sources.list.d/nginx.sources

@@ -0,0 +1,5 @@
+Types: deb
+URIs: http://nginx.org/packages/mainline/ubuntu
+Suites: noble
+Components: nginx
+Signed-By: /usr/share/keyrings/nginx-archive-keyring.gpg

etc/apt/sources.list.d/rosetta.sources

@@ -0,0 +1,27 @@
+Types: deb
+URIs: http://ports.ubuntu.com/ubuntu-ports/
+Suites: noble noble-updates noble-backports
+Components: main restricted universe multiverse
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
+Architectures: arm64
+
+Types: deb
+URIs: http://ports.ubuntu.com/ubuntu-ports/
+Suites: noble-security
+Components: main restricted universe multiverse
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
+Architectures: arm64
+
+Types: deb
+URIs: http://archive.ubuntu.com/ubuntu/
+Suites: noble noble-updates noble-backports
+Components: main restricted universe multiverse
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
+Architectures: amd64
+
+Types: deb
+URIs: http://archive.ubuntu.com/ubuntu/
+Suites: noble-security
+Components: main restricted universe multiverse
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
+Architectures: amd64

etc/apt/sources.list.d/vscode.sources

@@ -0,0 +1,5 @@
+Types: deb
+URIs: https://packages.microsoft.com/repos/code
+Suites: stable
+Components: main
+Signed-By: /usr/share/keyrings/microsoft.gpg

etc/dconf/db/local.d/adw-gtk3-dark

@@ -0,0 +1,2 @@
+[org/gnome/desktop/interface]
+gtk-theme='adw-gtk3-dark'

etc/dconf/db/local.d/apport-disable

@@ -0,0 +1,2 @@
+[com/ubuntu/update-notifier]
+show-apport-crashes=false

etc/dconf/db/local.d/automount-disable

@@ -0,0 +1,4 @@
+[org/gnome/desktop/media-handling]
+automount=false
+automount-open=false
+autorun-never=true

etc/dconf/db/local.d/button-layout

@@ -0,0 +1,2 @@
+[org/gnome/desktop/wm/preferences]
+button-layout='appmenu:minimize,maximize,close'

etc/dconf/db/local.d/locks/apport-disable

@@ -0,0 +1 @@
+com/ubuntu/update-notifier/show-apport-crashes

etc/dconf/db/local.d/locks/automount-disable

@@ -0,0 +1,3 @@
+org/gnome/desktop/media-handling/automount
+org/gnome/desktop/media-handling/automount-open
+/org/gnome/desktop/media-handling/autorun-never

etc/dconf/db/local.d/locks/privacy

@@ -0,0 +1,14 @@
+/org/gnome/system/location/enabled
+
+/org/gnome/desktop/privacy/remember-recent-files
+/org/gnome/desktop/privacy/remove-old-trash-files
+/org/gnome/desktop/privacy/remove-old-temp-files
+/org/gnome/desktop/privacy/report-technical-problems
+/org/gnome/desktop/privacy/send-software-usage-stats
+/org/gnome/desktop/privacy/remember-app-usage
+
+/org/gnome/online-accounts/whitelisted-providers
+
+/org/gnome/desktop/remote-desktop/rdp/enable
+
+/org/gnome/desktop/remote-desktop/vnc/enable

etc/dconf/db/local.d/prefer-dark

@@ -0,0 +1,2 @@
+[org/gnome/desktop/interface]
+color-scheme='prefer-dark'

etc/dconf/db/local.d/privacy

@@ -0,0 +1,16 @@
+[org/gnome/system/location]
+enabled=false
+
+[org/gnome/desktop/privacy]
+remember-recent-files=false
+remove-old-trash-files=true
+remove-old-temp-files=true
+report-technical-problems=false
+send-software-usage-stats=false
+remember-app-usage=false
+
+[org/gnome/desktop/remote-desktop/rdp]
+enable=false
+
+[org/gnome/desktop/remote-desktop/vnc]
+enable=false

etc/dconf/db/local.d/touchpad

@@ -0,0 +1,5 @@
+[org/gnome/desktop/peripherals/touchpad]
+click-method='areas'
+disable-while-typing=false
+tap-to-click=true
+to-finger-scrolling-enabled=false

etc/dnf/dnf.conf

@@ -0,0 +1,11 @@
+[main]
+gpgcheck=True
+installonly_limit=3
+clean_requirements_on_remove=True
+best=False
+skip_if_unavailable=True
+max_parallel_downloads=10
+deltarpm=False
+defaultyes=True
+install_weak_deps=False
+countme=False

etc/environment

@@ -0,0 +1,2 @@
+JavaScriptCoreUseJIT=0
+GJS_DISABLE_JIT=1

etc/issue

@@ -0,0 +1,6 @@
+You are accessing Lukas Raub's information system that is provided for authorized uses only.
+
+ALL ACTIVITY MAY BE MONITORED AND REPORTED. UNAUTHORIZED USES SHALL BE PROSECUTED TO THE FULLEST EXTENT OF THE LAW.
+
+To report a potential security concern, please contact titanz@pm.me.
+

etc/security/limits.d/30-disable-coredump.conf

@@ -0,0 +1 @@
+* hard core 0

etc/ssh/ssh_config.d/10-custom.conf

@@ -0,0 +1,2 @@
+GSSAPIAuthentication no
+VerifyHostKeyDNS yes

etc/ssh/sshd_config.d/10-custom.conf

@@ -0,0 +1,43 @@
+# Encryption hardening
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKeyAlgorithms ssh-ed25519
+KexAlgorithms sntrup761x25519-sha512@openssh.com
+PubkeyAcceptedKeyTypes ssh-ed25519
+Ciphers aes256-gcm@openssh.com
+MACs -*
+
+# Security hardening
+AuthenticationMethods publickey
+AuthorizedKeysFile .ssh/authorized_keys
+Compression no
+DisableForwarding yes
+LoginGraceTime 15s
+MaxAuthTries 1
+PermitUserEnvironment no
+PermitUserRC no
+StrictModes yes
+UseDNS no
+
+# Use KeepAlive over SSH instead of with TCP to prevent spoofing
+TCPKeepAlive no
+ClientAliveInterval 15
+ClientAliveCountMax 4
+
+## Use PAM for session checks here but authentication is disabled below
+## Also, this prevents running sshd as non-root
+UsePAM yes
+
+# Disabling unused authentication methods
+ChallengeResponseAuthentication no
+GSSAPIAuthentication no
+HostbasedAuthentication no
+PasswordAuthentication no
+PermitRootLogin no
+PermitEmptyPasswords no
+KbdInteractiveAuthentication no
+KerberosAuthentication no
+
+# Displaying info
+Banner /etc/issue.net
+PrintLastLog yes
+PrintMotd yes

etc/sysconfig/chronyd

@@ -0,0 +1,2 @@
+# Command-line options for chronyd
+OPTIONS="-F 1"

etc/sysctl.d/99-server.conf

@@ -0,0 +1,115 @@
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+dev.tty.ldisc_autoload = 0
+
+# https://access.redhat.com/solutions/1985633
+# Seems dangerous.
+fs.binfmt_misc.status = 0
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
+# Enable fs.protected sysctls.
+fs.protected_regular = 2
+fs.protected_fifos = 2
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
+# Disable coredumps.
+# For additional safety, disable coredumps using ulimit and systemd too.
+kernel.core_pattern=|/bin/false
+fs.suid_dumpable = 0
+
+# Restrict dmesg to CAP_SYS_LOG.
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+kernel.dmesg_restrict = 1
+
+# Disable io_uring
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
+# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
+# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
+# on a Proxmox node.
+kernel.io_uring_disabled = 2
+
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
+# Restrict access to /proc.
+kernel.kptr_restrict = 2
+
+# Not needed, I don't do livepatching and reboot regularly.
+# On Ubuntu LTS just sed this to be 0 if you use livepatch.
+kernel.kexec_load_disabled = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Basically, restrict eBPF to CAP_BPF.
+kernel.unprivileged_bpf_disabled = 1
+net.core.bpf_jit_harden = 2
+
+# Docker running as root do not require unpriv user ns, which is dangerous, so we disabe it.
+kernel.unprivileged_userns_clone = 0
+
+# Needed for gVisor, which is used on almost all of my servers.
+kernel.yama.ptrace_scope = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Restrict performance events from unprivileged users as much as possible.
+# We are using 4 here, since Ubuntu supports such a level.
+# Official Linux kernel documentation only says >= so it probably will work.
+kernel.perf_event_paranoid = 4
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Disable sysrq.
+kernel.sysrq = 0
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
+# Not running a router here, so no redirects.
+net.ipv4.conf.*.send_redirects = 0
+net.ipv4.conf.*.accept_redirects = 0
+net.ipv6.conf.*.accept_redirects = 0
+
+# Check if the source of the IP address is reachable through the same interface it came in.
+# Basic IP spoofing mitigation.
+net.ipv4.conf.*.rp_filter = 1
+
+# Respond to ICMP
+net.ipv4.icmp_echo_ignore_all = 0
+net.ipv6.icmp.echo_ignore_all = 0
+
+# Enable IP Forwarding.
+# Almost all of my servers run Docker anyways, and Docker absolutely requires this.
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
+# Ignore bogus icmp response.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Protection against time-wait assasination attacks.
+net.ipv4.tcp_rfc1337 = 1
+
+# Enable SYN cookies.
+# Basic SYN flood mitigation.
+net.ipv4.tcp_syncookies = 1 
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Make sure TCP timestamp is enabled.
+net.ipv4.tcp_timestamps = 1
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Disable TCP SACK.
+# We have good networking :)
+net.ipv4.tcp_sack = 0
+
+# No SACK, therefore no Duplicated SACK.
+net.ipv4.tcp_dsack = 0
+
+# Improve ALSR effectiveness for mmap.
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Restrict userfaultfd to CAP_SYS_PTRACE.
+# https://bugs.archlinux.org/task/62780
+# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
+# probably not used in the real world at all.
+vm.unprivileged_userfaultfd = 0

etc/sysctl.d/99-workstation.conf

@@ -0,0 +1,116 @@
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+dev.tty.ldisc_autoload = 0
+
+# https://access.redhat.com/solutions/1985633
+# Seems dangerous.
+# Roseta need this though, so if you use it change it to 1.
+fs.binfmt_misc.status = 0
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
+# Enable fs.protected sysctls.
+fs.protected_regular = 2
+fs.protected_fifos = 2
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
+# Disable coredumps.
+# For additional safety, disable coredumps using ulimit and systemd too.
+kernel.core_pattern=|/bin/false
+fs.suid_dumpable = 0
+
+# Restrict dmesg to CAP_SYS_LOG.
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+kernel.dmesg_restrict = 1
+
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
+# Restrict access to /proc.
+kernel.kptr_restrict = 2
+
+# Not needed, I don't do livepatching and reboot regularly.
+# On a workstation, this shouldn't be used at all. Don't live patch, just reboot.
+kernel.kexec_load_disabled = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Basically, restrict eBPF to CAP_BPF.
+kernel.unprivileged_bpf_disabled = 1
+net.core.bpf_jit_harden = 2
+
+# Needed for Flatpak and Bubblewrap.
+kernel.unprivileged_userns_clone = 1
+
+# Disable ptrace. Not needed on workstations.
+kernel.yama.ptrace_scope = 3
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Restrict performance events from unprivileged users as much as possible.
+# We are using 4 here, since Ubuntu supports such a level.
+# Official Linux kernel documentation only says >= so it probably will work.
+kernel.perf_event_paranoid = 4
+
+# Disable io_uring
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
+# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
+# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
+# on a Proxmox node.
+kernel.io_uring_disabled = 2
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Disable sysrq.
+kernel.sysrq = 0
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
+# Not running a router here, so no redirects.
+net.ipv4.conf.*.send_redirects = 0
+net.ipv4.conf.*.accept_redirects = 0
+net.ipv6.conf.*.accept_redirects = 0
+
+# Check if the source of the IP address is reachable through the same interface it came in
+# Basic IP spoofing mitigation.
+net.ipv4.conf.*.rp_filter = 1
+
+# Do not respond to ICMP.
+net.ipv4.icmp_echo_ignore_all = 1
+net.ipv6.icmp.echo_ignore_all = 1
+
+# Enable IP Forwarding.
+# Needed for VM networking and whatnot.
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
+# Ignore bogus icmp response.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Protection against time-wait assasination attacks.
+net.ipv4.tcp_rfc1337 = 1
+
+# Enable SYN cookies.
+# Basic SYN flood mitigation.
+net.ipv4.tcp_syncookies = 1 
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Make sure TCP timestamp is enabled.
+net.ipv4.tcp_timestamps = 1
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Disable TCP SACK.
+# We have good networking :)
+net.ipv4.tcp_sack = 0
+
+# No SACK, therefore no Duplicated SACK.
+net.ipv4.tcp_dsack = 0
+
+# Improve ALSR effectiveness for mmap.
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Restrict userfaultfd to CAP_SYS_PTRACE.
+# https://bugs.archlinux.org/task/62780
+# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
+# probably not used in the real world at all.
+vm.unprivileged_userfaultfd = 0

etc/systemd/coredump.conf.d/disable.conf

@@ -0,0 +1,2 @@
+[Coredump]
+Storage=none

etc/systemd/system/fwupd-refresh.service.d/override.conf

@@ -0,0 +1,2 @@
+[Service]
+ExecStart=/usr/bin/fwupdmgr update

etc/systemd/system/unbound.service.d/override-chroot.conf

@@ -0,0 +1,35 @@
+[Service]
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+# This breaks using socket options like 'so-rcvbuf'.
+ProtectKernelTunables=true
+ProtectProc=invisible
+# ProtectSystem with strict does not work - need further testing.
+ProtectSystem=full
+#RuntimeDirectory=unbound
+#ConfigurationDirectory=unbound
+#StateDirectory=unbound
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes
+ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
+
+# Below rules are needed when chroot is enabled (usually it's enabled by default).
+# If chroot is disabled like chroot: "" then they may be safely removed.
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
+BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
+BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
+BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log

etc/systemd/system/unbound.service.d/override.conf

@@ -0,0 +1,26 @@
+[Service]
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_DAC_OVERRIDE
+MemoryDenyWriteExecute=true
+#NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+# This breaks using socket options like 'so-rcvbuf'.
+ProtectKernelTunables=true
+ProtectProc=invisible
+# ProtectSystem with strict does not work - need further testing.
+ProtectSystem=full
+#RuntimeDirectory=unbound
+#ConfigurationDirectory=unbound
+#StateDirectory=unbound
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes

etc/systemd/user/org.gnome.Shell@wayland.service.d/override.conf

@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/gnome-shell --no-x11

etc/systemd/zram-generator.conf

@@ -0,0 +1,4 @@
+[zram0]
+zram-fraction = 1
+max-zram-size = 8192
+compression-algorithm = zstd

etc/yum.repos.d/nginx.repo

@@ -0,0 +1,15 @@
+[nginx-stable]
+name=nginx stable repo
+baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
+gpgcheck=1
+enabled=0
+gpgkey=https://nginx.org/keys/nginx_signing.key
+module_hotfixes=true
+
+[nginx-mainline]
+name=nginx mainline repo
+baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
+gpgcheck=1
+enabled=1
+gpgkey=https://nginx.org/keys/nginx_signing.key
+module_hotfixes=true