1
0
mirror of https://github.com/tommytran732/Fedora-CoreOS-Ignition synced 2024-11-09 03:31:34 -05:00
Fedora-CoreOS-Ignition/Generic.yml

263 lines
11 KiB
YAML
Raw Normal View History

# Copyright (C) 2021-2024 Thien Tran
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy of
# the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under
# the License.
2021-11-02 22:32:22 -04:00
variant: fcos
version: 1.5.0
2021-11-02 22:32:22 -04:00
passwd:
users:
- name: tomster
ssh_authorized_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkTKkJS7Id1WCyA5Klu/moLG9mP5hTC+v2qYqypMF1u contact@tommytran.io
2021-11-02 22:32:22 -04:00
groups:
- wheel
- sudo
- name: unpriv
2021-11-02 22:32:22 -04:00
systemd:
units:
- name: postinst.service
enabled: true
contents: |
[Unit]
Description=Initial System Setup
# We run after `systemd-machine-id-commit.service` to ensure that
# `ConditionFirstBoot=true` services won't rerun on the next boot.
After=systemd-machine-id-commit.service
After=network-online.target
# We run before `zincati.service` to avoid conflicting rpm-ostree
# transactions.
Before=zincati.service
ConditionPathExists=!/var/lib/%N.stamp
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/rpm-ostree override remove bind-license bind-libs bind-utils cifs-utils containerd containers-common-extra crun-wasm crun dnsmasq e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 libwbclient samba-common-libs samba-common samba-client-libs libsmbclient moby-engine podman podman-plugins runc ssd-ipa sssd-common sssd-nfs-idmap sssd-ldap sssd-ad sssd-krb5 sssd-client sssd-common-pac sssd-krb5-common toolbox
ExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld qemu-guest-agent tuned unbound
ExecStart=/usr/bin/sed -i 's/nullok//g' /etc/pam.d/system-auth
ExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf
ExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf
ExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf
ExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf
ExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf
ExecStart=/usr/bin/systemctl disable systemd-resolved
ExecStart=/usr/bin/touch /var/lib/%N.stamp
ExecStart=/usr/bin/systemctl --no-block reboot
2021-11-02 22:32:22 -04:00
[Install]
WantedBy=multi-user.target
- name: postinst2.service
enabled: true
contents: |
[Unit]
Description=Initial System Setup Part 2
# We run this after the packages have been overlayed
After=network-online.target
ConditionPathExists=!/var/lib/%N.stamp
ConditionPathExists=/var/lib/postinst.stamp
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/systemctl enable --now firewalld
ExecStart=/usr/bin/firewall-cmd --lockdown-on
2021-11-02 22:32:22 -04:00
2022-04-11 19:11:38 -04:00
[Install]
WantedBy=multi-user.target
- name: setsebool.service
enabled: true
contents: |
[Service]
Type=oneshot
2022-04-11 19:11:38 -04:00
ExecStart=/usr/sbin/setsebool container_use_cephfs off
ExecStart=/usr/sbin/setsebool virt_use_nfs off
ExecStart=/usr/sbin/setsebool virt_use_samba off
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- name: gvisor-downloader.service
enabled: true
contents: |
[Unit]
Description=Download gVisor
Requires=network-online.target
Before=docker.service
[Service]
User=unpriv
WorkingDirectory=/var/home/unpriv
Type=oneshot
ExecStart=/usr/bin/sleep 5
ExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc
ExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512
ExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1
ExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512
[Install]
WantedBy=multi-user.target
- name: gvisor-updater.service
enabled: true
contents: |
[Unit]
Description=Copy gVisor to the correct location
After=gvisor-downloader.service
[Service]
WorkingDirectory=/var/home/unpriv
Type=oneshot
ExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512
ExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512
ExecStart=/usr/bin/chown root:root runsc containerd-shim-runsc-v1
ExecStart=/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1
ExecStart=/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin
ExecStart=/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc
[Install]
WantedBy=multi-user.target
- name: docker-compose-updater.service
enabled: false
contents: |
[Unit]
Description=Update containers with Docker-Compose
Requires=network-online.target
Requires=docker.service
[Service]
WorkingDirectory=/path/to/directory
Type=oneshot
#ExecStart=/usr/bin/git pull
ExecStart=/usr/bin/docker compose pull
ExecStart=/usr/bin/docker compose up -d
2021-11-02 22:32:22 -04:00
[Install]
WantedBy=multi-user.target
- name: docker.service
enabled: true
- name: fstrim.timer
enabled: true
- name: systemd-oomd.service
enabled: true
- name: rpm-ostree-countme.timer
enabled: false
mask: true
- name: sshd.service
enabled: false
- name: sshd.socket
enabled: true
2021-11-02 22:32:22 -04:00
storage:
files:
- path: /etc/zincati/config.d/51-rollout-wariness.toml
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/zincati/config.d/51-rollout-wariness.toml
2021-11-02 22:32:22 -04:00
- path: /etc/zincati/config.d/55-updates-strategy.toml
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/zincati/config.d/55-updates-strategy.toml
- path: /etc/yum.repos.d/docker-ce.repo
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/docker-ce.repo
- path: /etc/docker/daemon.json
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/docker/daemon.json
- path: /etc/chrony.conf
contents:
source: https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf
2021-11-02 22:32:22 -04:00
overwrite: true
- path: /etc/modprobe.d/30_security-misc.conf
contents:
source: https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf
- path: /etc/sysctl.d/990-security-misc.conf
contents:
source: https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf
- path: /etc/sysctl.d/30_silent-kernel-printk.conf
contents:
source: https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf
- path: /etc/sysctl.d/30_security-misc_kexec-disable.conf
contents:
source: https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
- path: /etc/systemd/system/NetworkManager.service.d/99-brace.conf
contents:
source: https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf
- path: /etc/systemd/system/irqbalance.service.d/99-brace.conf
contents:
source: https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf
- path: /etc/ssh/sshd_config.d/10-custom.conf
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf
- path: /etc/ssh/ssh_config.d/10-custom.conf
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf
- path: /etc/systemd/system/sshd.service.d/local.conf
contents:
source: https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf
- path: /etc/tuned/active_profile
2021-11-02 22:32:22 -04:00
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/tuned/active_profile
2021-11-02 22:32:22 -04:00
- path: /etc/tuned/profile_mode
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/tuned/profile_mode
2021-11-02 22:32:22 -04:00
- path: /etc/systemd/zram-generator.conf
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/systemd/zram-generator.conf
2021-11-02 22:32:22 -04:00
- path: /etc/security/limits.d/30-disable-coredump.conf
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/security/limits.d/30-disable-coredump.conf
- path: /etc/sysconfig/chronyd
overwrite: true
contents:
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd
- path: /etc/unbound/unbound.conf
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/unbound/unbound.conf
- path: /etc/systemd/system/unbound.service.d/override.conf
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/systemd/system/unbound.service.d/override.conf
2021-11-02 22:32:22 -04:00
links:
- path: /etc/localtime
target: ../usr/share/zoneinfo/America/Phoenix
- path: /etc/systemd/system/multi-user.target.wants/unbound.service
target: /usr/lib/systemd/system/unbound.service
2021-11-02 22:32:22 -04:00
- path: /etc/systemd/system/multi-user.target.wants/tuned.service
target: /usr/lib/systemd/system/tuned.service
- path: /etc/systemd/system/kdump.service
2021-11-02 22:32:22 -04:00
target: /dev/null
- path: /etc/systemd/system/debug-shell.service
target: /dev/null
2021-11-02 22:32:22 -04:00
kernel_arguments:
should_exist:
- mitigations=auto,nosmt
- spectre_v2=on
- spec_store_bypass_disable=on
- tsx=off
2021-11-02 22:32:22 -04:00
- kvm.nx_huge_pages=force
- nosmt=force
- l1d_flush=on
- spec_rstack_overflow=safe-ret
- random.trust_bootloader=off
- random.trust_cpu=off
- intel_iommu=on
- amd_iommu=force_isolation
- efi=disable_early_pci_dma
- iommu=force
- iommu.passthrough=0
- iommu.strict=1
- slab_nomerge
- init_on_alloc=1
- init_on_free=1
- pti=on
- vsyscall=none
- ia32_emulation=0
- page_alloc.shuffle=1
- randomize_kstack_offset=on
- extra_latent_entropy
- debugfs=off