1
0
mirror of https://github.com/tommytran732/Fedora-CoreOS-Ignition synced 2024-11-09 11:41:34 -05:00

Firewalld lockdown mode

Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2023-12-12 07:40:17 -07:00
parent fdb0e8aac1
commit 1a4336a20f
No known key found for this signature in database
GPG Key ID: D30DEC268D3FEB17
6 changed files with 46 additions and 1 deletions

View File

@ -201,6 +201,11 @@
"enabled": true, "enabled": true,
"name": "postinst.service" "name": "postinst.service"
}, },
{
"contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/firewall-cmd --lockdown-on\n\n[Install]\nWantedBy=multi-user.target\n",
"enabled": true,
"name": "postinst2.service"
},
{ {
"contents": "[Service]\nType=oneshot\nExecStart=/usr/sbin/setsebool container_use_cephfs off\nExecStart=/usr/sbin/setsebool virt_use_nfs off\nExecStart=/usr/sbin/setsebool virt_use_samba off\nRemainAfterExit=yes\n[Install]\nWantedBy=multi-user.target\n", "contents": "[Service]\nType=oneshot\nExecStart=/usr/sbin/setsebool container_use_cephfs off\nExecStart=/usr/sbin/setsebool virt_use_nfs off\nExecStart=/usr/sbin/setsebool virt_use_samba off\nRemainAfterExit=yes\n[Install]\nWantedBy=multi-user.target\n",
"enabled": true, "enabled": true,

View File

@ -66,6 +66,23 @@ systemd:
ExecStart=/usr/bin/touch /var/lib/%N.stamp ExecStart=/usr/bin/touch /var/lib/%N.stamp
ExecStart=/usr/bin/systemctl --no-block reboot ExecStart=/usr/bin/systemctl --no-block reboot
[Install]
WantedBy=multi-user.target
- name: postinst2.service
enabled: true
contents: |
[Unit]
Description=Initial System Setup Part 2
# We run this after the packages have been overlayed
After=network-online.target
ConditionPathExists=!/var/lib/%N.stamp
ConditionPathExists=/var/lib/postinst.stamp
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/firewall-cmd --lockdown-on
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
- name: setsebool.service - name: setsebool.service

View File

@ -195,7 +195,7 @@
"name": "postinst.service" "name": "postinst.service"
}, },
{ {
"contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped --runtime=runc -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule \"0 15 0 * * 0\"\nExecStart=/bin/touch /var/lib/%N.stamp\n\n[Install]\nWantedBy=multi-user.target\n", "contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/firewall-cmd --lockdown-on\nExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped --runtime=runc -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule \"0 15 0 * * 0\"\nExecStart=/bin/touch /var/lib/%N.stamp\n\n[Install]\nWantedBy=multi-user.target\n",
"enabled": true, "enabled": true,
"name": "postinst2.service" "name": "postinst2.service"
}, },

View File

@ -81,6 +81,7 @@ systemd:
[Service] [Service]
Type=oneshot Type=oneshot
RemainAfterExit=yes RemainAfterExit=yes
ExecStart=/usr/bin/firewall-cmd --lockdown-on
ExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped --runtime=runc -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule "0 15 0 * * 0" ExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped --runtime=runc -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule "0 15 0 * * 0"
ExecStart=/bin/touch /var/lib/%N.stamp ExecStart=/bin/touch /var/lib/%N.stamp

View File

@ -180,6 +180,11 @@
"enabled": true, "enabled": true,
"name": "postinst.service" "name": "postinst.service"
}, },
{
"contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/firewall-cmd --lockdown-on\n\n[Install]\nWantedBy=multi-user.target\n",
"enabled": true,
"name": "postinst2.service"
},
{ {
"contents": "[Service]\nType=oneshot\nExecStart=/usr/sbin/setsebool container_use_cephfs off\nExecStart=/usr/sbin/setsebool virt_use_nfs off\nExecStart=/usr/sbin/setsebool virt_use_samba off\nRemainAfterExit=yes\n[Install]\nWantedBy=multi-user.target\n", "contents": "[Service]\nType=oneshot\nExecStart=/usr/sbin/setsebool container_use_cephfs off\nExecStart=/usr/sbin/setsebool virt_use_nfs off\nExecStart=/usr/sbin/setsebool virt_use_samba off\nRemainAfterExit=yes\n[Install]\nWantedBy=multi-user.target\n",
"enabled": true, "enabled": true,

17
UTM.yml
View File

@ -67,6 +67,23 @@ systemd:
ExecStart=/usr/bin/touch /var/lib/%N.stamp ExecStart=/usr/bin/touch /var/lib/%N.stamp
ExecStart=/usr/bin/systemctl --no-block reboot ExecStart=/usr/bin/systemctl --no-block reboot
[Install]
WantedBy=multi-user.target
- name: postinst2.service
enabled: true
contents: |
[Unit]
Description=Initial System Setup Part 2
# We run this after the packages have been overlayed
After=network-online.target
ConditionPathExists=!/var/lib/%N.stamp
ConditionPathExists=/var/lib/postinst.stamp
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/firewall-cmd --lockdown-on
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
- name: setsebool.service - name: setsebool.service