first commit

etc/systemd/coredump.conf.d/disable.conf

@@ -0,0 +1,2 @@
+[Coredump]
+Storage=none

etc/systemd/system/fwupd-refresh.service.d/override.conf

@@ -0,0 +1,2 @@
+[Service]
+ExecStart=/usr/bin/fwupdmgr update

etc/systemd/system/unbound.service.d/override-chroot.conf

@@ -0,0 +1,35 @@
+[Service]
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+# This breaks using socket options like 'so-rcvbuf'.
+ProtectKernelTunables=true
+ProtectProc=invisible
+# ProtectSystem with strict does not work - need further testing.
+ProtectSystem=full
+#RuntimeDirectory=unbound
+#ConfigurationDirectory=unbound
+#StateDirectory=unbound
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes
+ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
+
+# Below rules are needed when chroot is enabled (usually it's enabled by default).
+# If chroot is disabled like chroot: "" then they may be safely removed.
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
+BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
+BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
+BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log

etc/systemd/system/unbound.service.d/override.conf

@@ -0,0 +1,26 @@
+[Service]
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_DAC_OVERRIDE
+MemoryDenyWriteExecute=true
+#NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+# This breaks using socket options like 'so-rcvbuf'.
+ProtectKernelTunables=true
+ProtectProc=invisible
+# ProtectSystem with strict does not work - need further testing.
+ProtectSystem=full
+#RuntimeDirectory=unbound
+#ConfigurationDirectory=unbound
+#StateDirectory=unbound
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes

etc/systemd/user/org.gnome.Shell@wayland.service.d/override.conf

@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/gnome-shell --no-x11

etc/systemd/zram-generator.conf

@@ -0,0 +1,4 @@
+[zram0]
+zram-fraction = 1
+max-zram-size = 8192
+compression-algorithm = zstd