mirror of
https://github.com/tommytran732/Fedora-CoreOS-Ignition
synced 2024-12-22 14:42:16 -05:00
Firewalld lockdown mode
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
fdb0e8aac1
commit
1a4336a20f
@ -201,6 +201,11 @@
|
||||
"enabled": true,
|
||||
"name": "postinst.service"
|
||||
},
|
||||
{
|
||||
"contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/firewall-cmd --lockdown-on\n\n[Install]\nWantedBy=multi-user.target\n",
|
||||
"enabled": true,
|
||||
"name": "postinst2.service"
|
||||
},
|
||||
{
|
||||
"contents": "[Service]\nType=oneshot\nExecStart=/usr/sbin/setsebool container_use_cephfs off\nExecStart=/usr/sbin/setsebool virt_use_nfs off\nExecStart=/usr/sbin/setsebool virt_use_samba off\nRemainAfterExit=yes\n[Install]\nWantedBy=multi-user.target\n",
|
||||
"enabled": true,
|
||||
|
@ -66,6 +66,23 @@ systemd:
|
||||
ExecStart=/usr/bin/touch /var/lib/%N.stamp
|
||||
ExecStart=/usr/bin/systemctl --no-block reboot
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
- name: postinst2.service
|
||||
enabled: true
|
||||
contents: |
|
||||
[Unit]
|
||||
Description=Initial System Setup Part 2
|
||||
# We run this after the packages have been overlayed
|
||||
After=network-online.target
|
||||
ConditionPathExists=!/var/lib/%N.stamp
|
||||
ConditionPathExists=/var/lib/postinst.stamp
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/bin/firewall-cmd --lockdown-on
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
- name: setsebool.service
|
||||
|
@ -195,7 +195,7 @@
|
||||
"name": "postinst.service"
|
||||
},
|
||||
{
|
||||
"contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped --runtime=runc -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule \"0 15 0 * * 0\"\nExecStart=/bin/touch /var/lib/%N.stamp\n\n[Install]\nWantedBy=multi-user.target\n",
|
||||
"contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/firewall-cmd --lockdown-on\nExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped --runtime=runc -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule \"0 15 0 * * 0\"\nExecStart=/bin/touch /var/lib/%N.stamp\n\n[Install]\nWantedBy=multi-user.target\n",
|
||||
"enabled": true,
|
||||
"name": "postinst2.service"
|
||||
},
|
||||
|
@ -81,6 +81,7 @@ systemd:
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/bin/firewall-cmd --lockdown-on
|
||||
ExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped --runtime=runc -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule "0 15 0 * * 0"
|
||||
ExecStart=/bin/touch /var/lib/%N.stamp
|
||||
|
||||
|
5
UTM.ign
5
UTM.ign
@ -180,6 +180,11 @@
|
||||
"enabled": true,
|
||||
"name": "postinst.service"
|
||||
},
|
||||
{
|
||||
"contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/firewall-cmd --lockdown-on\n\n[Install]\nWantedBy=multi-user.target\n",
|
||||
"enabled": true,
|
||||
"name": "postinst2.service"
|
||||
},
|
||||
{
|
||||
"contents": "[Service]\nType=oneshot\nExecStart=/usr/sbin/setsebool container_use_cephfs off\nExecStart=/usr/sbin/setsebool virt_use_nfs off\nExecStart=/usr/sbin/setsebool virt_use_samba off\nRemainAfterExit=yes\n[Install]\nWantedBy=multi-user.target\n",
|
||||
"enabled": true,
|
||||
|
17
UTM.yml
17
UTM.yml
@ -67,6 +67,23 @@ systemd:
|
||||
ExecStart=/usr/bin/touch /var/lib/%N.stamp
|
||||
ExecStart=/usr/bin/systemctl --no-block reboot
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
- name: postinst2.service
|
||||
enabled: true
|
||||
contents: |
|
||||
[Unit]
|
||||
Description=Initial System Setup Part 2
|
||||
# We run this after the packages have been overlayed
|
||||
After=network-online.target
|
||||
ConditionPathExists=!/var/lib/%N.stamp
|
||||
ConditionPathExists=/var/lib/postinst.stamp
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/bin/firewall-cmd --lockdown-on
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
- name: setsebool.service
|
||||
|
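Review bot: The new `postinst2.service` guards itself with `ConditionPathExists=!/var/lib/%N.stamp` but never creates that stamp — unlike `postinst.service` just above it, which ends with `ExecStart=/usr/bin/touch /var/lib/%N.stamp` — so the condition is inert and `firewall-cmd --lockdown-on` re-runs on every boot; either append `ExecStart=/usr/bin/touch /var/lib/%N.stamp` after the firewall-cmd line or drop the condition and comment that re-running each boot is intentional. The unit also orders only `After=network-online.target`, yet `firewall-cmd` needs a running firewalld daemon, so a boot where firewalld is not yet up (or was not enabled by the package overlay) makes this oneshot fail; adding `Requires=firewalld.service` and `After=firewalld.service` to the `[Unit]` section closes that gap. The same two points apply to the identical hunk at `@ -66,6 +66,23 @@` earlier on this page, and the dependency point to the `@ -81,6 +81,7 @@` hunk, where a non-zero exit from the inserted firewall-cmd line would also abort the watchtower `docker run` and the stamp touch that follow it in the same oneshot. A one-line comment above the firewall-cmd line stating which lockdown whitelist the host relies on would help future readers, since a whitelist that does not admit the unit's own caller would lock this and every later firewall-cmd invocation out.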