From 1a4336a20ffb2e10a7106dfb3a5a0a20d6bc5bf8 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Tue, 12 Dec 2023 07:40:17 -0700
Subject: [PATCH] Firewalld lockdown mode
Signed-off-by: Tommy
---
Docker-Compose.ign | 5 +++++
Docker-Compose.yml | 17 +++++++++++++++++
Generic.ign | 2 +-
Generic.yml | 1 +
UTM.ign | 5 +++++
UTM.yml | 17 +++++++++++++++++
6 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/Docker-Compose.ign b/Docker-Compose.ign
index bc64517..e7c7c18 100644
--- a/Docker-Compose.ign
+++ b/Docker-Compose.ign
@@ -201,6 +201,11 @@
"enabled": true,
"name": "postinst.service"
},
+ {
+ "contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/firewall-cmd --lockdown-on\n\n[Install]\nWantedBy=multi-user.target\n",
+ "enabled": true,
+ "name": "postinst2.service"
+ },
{
"contents": "[Service]\nType=oneshot\nExecStart=/usr/sbin/setsebool container_use_cephfs off\nExecStart=/usr/sbin/setsebool virt_use_nfs off\nExecStart=/usr/sbin/setsebool virt_use_samba off\nRemainAfterExit=yes\n[Install]\nWantedBy=multi-user.target\n",
"enabled": true,
diff --git a/Docker-Compose.yml b/Docker-Compose.yml
index ef8ad99..caa6ab7 100644
--- a/Docker-Compose.yml
+++ b/Docker-Compose.yml
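Review bot: The added postinst2.service `contents` string orders the unit only with `After=network-online.target`, and nothing pulls in or sequences firewalld.service ahead of the `ExecStart=/usr/bin/firewall-cmd --lockdown-on` call; firewall-cmd is a D-Bus client of the firewalld daemon and exits non-zero when the daemon is not running yet, which fails this `Type=oneshot` unit. Because the unit never writes `/var/lib/%N.stamp`, its `ConditionPathExists=!/var/lib/%N.stamp` guard never trips and the attempt simply repeats on the next boot, so a start-order race would surface as intermittently missing lockdown rather than a hard error. I would change the `[Unit]` text to `After=network-online.target firewalld.service\nWants=firewalld.service\n` so firewalld is started and ordered before the call, and make the same edit in the Docker-Compose.yml source this .ign appears to be generated from.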
@@ -66,6 +66,23 @@ systemd:
ExecStart=/usr/bin/touch /var/lib/%N.stamp
ExecStart=/usr/bin/systemctl --no-block reboot
+ [Install]
+ WantedBy=multi-user.target
+ - name: postinst2.service
+ enabled: true
+ contents: |
+ [Unit]
+ Description=Initial System Setup Part 2
+ # We run this after the packages have been overlayed
+ After=network-online.target
+ ConditionPathExists=!/var/lib/%N.stamp
+ ConditionPathExists=/var/lib/postinst.stamp
+
+ [Service]
+ Type=oneshot
+ RemainAfterExit=yes
+ ExecStart=/usr/bin/firewall-cmd --lockdown-on
+ [Install]
+ WantedBy=multi-user.target
- name: setsebool.service
diff --git a/Generic.ign b/Generic.ign
index 169fc65..c893c85 100644
--- a/Generic.ign
+++ b/Generic.ign
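Review bot: Turning on lockdown via the new `ExecStart=/usr/bin/firewall-cmd --lockdown-on` line only restricts firewall changes to the callers listed in `/etc/firewalld/lockdown-whitelist.xml`, and this patch ships no whitelist of its own. On Fedora-family images the stock whitelist normally contains `<user id="0"/>` (confirm on the target image); if so, every root process — the container runtime, NetworkManager, any root shell — can still alter the ruleset, and the control mainly blocks unprivileged or differently-labelled D-Bus callers. If tighter containment is the intent, add a `storage.files` entry for a whitelist that lists only the SELinux contexts or binaries that legitimately manage the firewall; otherwise record the assumption next to the call, e.g. `# lockdown only limits callers outside /etc/firewalld/lockdown-whitelist.xml; the stock list still admits uid 0`. Separately, the unit guards on `ConditionPathExists=!/var/lib/%N.stamp` but never creates that stamp, unlike the Generic.yml postinst2 unit in this same patch, so it re-runs on every boot; that is harmless because `--lockdown-on` is a runtime-and-permanent change per firewall-cmd(1), but either drop the condition or add `ExecStart=/bin/touch /var/lib/%N.stamp` so the guard means something.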
@@ -195,7 +195,7 @@
"name": "postinst.service"
},
{
- "contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped --runtime=runc -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule \"0 15 0 * * 0\"\nExecStart=/bin/touch /var/lib/%N.stamp\n\n[Install]\nWantedBy=multi-user.target\n",
+ "contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/firewall-cmd --lockdown-on\nExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped --runtime=runc -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule \"0 15 0 * * 0\"\nExecStart=/bin/touch /var/lib/%N.stamp\n\n[Install]\nWantedBy=multi-user.target\n",
"enabled": true,
"name": "postinst2.service"
},
diff --git a/Generic.yml b/Generic.yml
index 6dfb743..475a1c6 100644
--- a/Generic.yml
+++ b/Generic.yml
@@ -81,6 +81,7 @@ systemd:
[Service]
Type=oneshot
RemainAfterExit=yes
+ ExecStart=/usr/bin/firewall-cmd --lockdown-on
ExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped --runtime=runc -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule "0 15 0 * * 0"
ExecStart=/bin/touch /var/lib/%N.stamp
diff --git a/UTM.ign b/UTM.ign
index 332a9d0..956fab0 100644
--- a/UTM.ign
+++ b/UTM.ign
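Review bot: The new `ExecStart=/usr/bin/firewall-cmd --lockdown-on` is inserted as the first ExecStart of a `Type=oneshot` unit whose later lines start the watchtower container and write `/var/lib/%N.stamp`; systemd runs oneshot ExecStart lines in order and aborts at the first non-zero exit, so a failed lockdown call — likely when firewalld is not yet running, since the unit still orders only on `After=network-online.target` — now also prevents watchtower from being started, and because the stamp is then never written the whole sequence, `docker run --name watchtower` included, is retried on every boot. If enabling lockdown and starting the container are meant to be independent, move the call into its own unit; at minimum order this one with `After=network-online.target firewalld.service` and `Wants=firewalld.service` in the `[Unit]` text. I believe dockerd also registers its bridge with firewalld over D-Bus when firewalld is active (confirm for the Docker version in use); with the stock whitelist that still works because dockerd runs as uid 0, but if the lockdown whitelist is tightened later that registration would be refused, which deserves a one-line comment in the unit so the coupling is not forgotten.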
@@ -180,6 +180,11 @@
"enabled": true,
"name": "postinst.service"
},
+ {
+ "contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/firewall-cmd --lockdown-on\n\n[Install]\nWantedBy=multi-user.target\n",
+ "enabled": true,
+ "name": "postinst2.service"
+ },
{
"contents": "[Service]\nType=oneshot\nExecStart=/usr/sbin/setsebool container_use_cephfs off\nExecStart=/usr/sbin/setsebool virt_use_nfs off\nExecStart=/usr/sbin/setsebool virt_use_samba off\nRemainAfterExit=yes\n[Install]\nWantedBy=multi-user.target\n",
"enabled": true,
diff --git a/UTM.yml b/UTM.yml
index d5575a3..369c9f3 100644
--- a/UTM.yml
+++ b/UTM.yml
@@ -67,6 +67,23 @@ systemd:
ExecStart=/usr/bin/touch /var/lib/%N.stamp
ExecStart=/usr/bin/systemctl --no-block reboot
+ [Install]
+ WantedBy=multi-user.target
+ - name: postinst2.service
+ enabled: true
+ contents: |
+ [Unit]
+ Description=Initial System Setup Part 2
+ # We run this after the packages have been overlayed
+ After=network-online.target
+ ConditionPathExists=!/var/lib/%N.stamp
+ ConditionPathExists=/var/lib/postinst.stamp
+
+ [Service]
+ Type=oneshot
+ RemainAfterExit=yes
+ ExecStart=/usr/bin/firewall-cmd --lockdown-on
+ [Install]
+ WantedBy=multi-user.target
- name: setsebool.service
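Review bot: The unit text added in both UTM hunks reuses `Description=Initial System Setup Part 2` and the `# We run this after the packages have been overlayed` comment from the Generic variant, but here the unit's only action is `firewall-cmd --lockdown-on`, so neither line tells an operator looking at `systemctl status` what the unit does or why it is gated on `ConditionPathExists=/var/lib/postinst.stamp`. I would replace them with `Description=Enable firewalld lockdown mode` and a comment along the lines of `# Runs once postinst.service has written its stamp and rebooted; lockdown limits firewall changes to callers in /etc/firewalld/lockdown-whitelist.xml`. Separately, the unit orders only on `After=network-online.target`, so firewall-cmd can run before firewalld.service is up and fail the oneshot; add `After=firewalld.service` and `Wants=firewalld.service` unless firewalld is guaranteed active by then (the postinst.service body that creates the stamp lies outside this hunk, so its ordering cannot be checked here).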