Firewalld lockdown mode
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
fdb0e8aac1
commit
1a4336a20f
@ -201,6 +201,11 @@
|
|||||||
"enabled": true,
|
"enabled": true,
|
||||||
"name": "postinst.service"
|
"name": "postinst.service"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/firewall-cmd --lockdown-on\n\n[Install]\nWantedBy=multi-user.target\n",
|
||||||
|
"enabled": true,
|
||||||
|
"name": "postinst2.service"
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"contents": "[Service]\nType=oneshot\nExecStart=/usr/sbin/setsebool container_use_cephfs off\nExecStart=/usr/sbin/setsebool virt_use_nfs off\nExecStart=/usr/sbin/setsebool virt_use_samba off\nRemainAfterExit=yes\n[Install]\nWantedBy=multi-user.target\n",
|
"contents": "[Service]\nType=oneshot\nExecStart=/usr/sbin/setsebool container_use_cephfs off\nExecStart=/usr/sbin/setsebool virt_use_nfs off\nExecStart=/usr/sbin/setsebool virt_use_samba off\nRemainAfterExit=yes\n[Install]\nWantedBy=multi-user.target\n",
|
||||||
"enabled": true,
|
"enabled": true,
|
||||||
|
@ -66,6 +66,23 @@ systemd:
|
|||||||
ExecStart=/usr/bin/touch /var/lib/%N.stamp
|
ExecStart=/usr/bin/touch /var/lib/%N.stamp
|
||||||
ExecStart=/usr/bin/systemctl --no-block reboot
|
ExecStart=/usr/bin/systemctl --no-block reboot
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
- name: postinst2.service
|
||||||
|
enabled: true
|
||||||
|
contents: |
|
||||||
|
[Unit]
|
||||||
|
Description=Initial System Setup Part 2
|
||||||
|
# We run this after the packages have been overlayed
|
||||||
|
After=network-online.target
|
||||||
|
ConditionPathExists=!/var/lib/%N.stamp
|
||||||
|
ConditionPathExists=/var/lib/postinst.stamp
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
|
ExecStart=/usr/bin/firewall-cmd --lockdown-on
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
- name: setsebool.service
|
- name: setsebool.service
|
||||||
|
@ -195,7 +195,7 @@
|
|||||||
"name": "postinst.service"
|
"name": "postinst.service"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped --runtime=runc -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule \"0 15 0 * * 0\"\nExecStart=/bin/touch /var/lib/%N.stamp\n\n[Install]\nWantedBy=multi-user.target\n",
|
"contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/firewall-cmd --lockdown-on\nExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped --runtime=runc -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule \"0 15 0 * * 0\"\nExecStart=/bin/touch /var/lib/%N.stamp\n\n[Install]\nWantedBy=multi-user.target\n",
|
||||||
"enabled": true,
|
"enabled": true,
|
||||||
"name": "postinst2.service"
|
"name": "postinst2.service"
|
||||||
},
|
},
|
||||||
|
@ -81,6 +81,7 @@ systemd:
|
|||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
RemainAfterExit=yes
|
RemainAfterExit=yes
|
||||||
|
ExecStart=/usr/bin/firewall-cmd --lockdown-on
|
||||||
ExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped --runtime=runc -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule "0 15 0 * * 0"
|
ExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped --runtime=runc -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule "0 15 0 * * 0"
|
||||||
ExecStart=/bin/touch /var/lib/%N.stamp
|
ExecStart=/bin/touch /var/lib/%N.stamp
|
||||||
|
|
||||||
|
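Review bot: Placing `ExecStart=/usr/bin/firewall-cmd --lockdown-on` ahead of the existing `docker run` line gives no containment for that container: lockdown only restricts callers of firewalld's own D-Bus configuration API, while the Docker daemon programs its own iptables/nftables chains outside firewalld unless it has been configured not to, so published ports are still opened with lockdown on. The ordering also has an operational side effect: both ExecStart lines run in one oneshot, so if firewall-cmd fails — for example because firewalld is not yet up, and nothing visible here orders this unit after it — watchtower is not started and the stamp is not written until the next boot. The [Unit] section of this service starts outside the hunk; I would add `Requires=firewalld.service` and `After=firewalld.service network-online.target` there, plus a one-line comment stating that lockdown does not govern rules Docker installs itself, so a maintainer does not read the new line as sandboxing the privileged container that follows it.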
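--- a/UTM.ign
+++ b/UTM.ign
@@ -180,6 +180,11 @@
 "enabled": true,
 "name": "postinst.service"
 },
+{
+"contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/firewall-cmd --lockdown-on\n\n[Install]\nWantedBy=multi-user.target\n",
+"enabled": true,
+"name": "postinst2.service"
+},
 {
 "contents": "[Service]\nType=oneshot\nExecStart=/usr/sbin/setsebool container_use_cephfs off\nExecStart=/usr/sbin/setsebool virt_use_nfs off\nExecStart=/usr/sbin/setsebool virt_use_samba off\nRemainAfterExit=yes\n[Install]\nWantedBy=multi-user.target\n",
 "enabled": true,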
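Review bot: The embedded unit on the new contents line turns on firewalld lockdown without documenting what it does and does not protect, and the guarantee is narrower than the commit title suggests: lockdown only gates changes made through firewalld's D-Bus interface against /etc/firewalld/lockdown-whitelist.xml, which on Fedora whitelists uid 0 by default, and it has no effect on programs that write iptables/nftables rules directly — so it is not a hardening of the rule set and does not stop root-run tooling from altering it. The only comment in the unit, `# We run this after the packages have been overlayed`, explains ordering but not purpose; I would add a line such as `# Lockdown restricts non-whitelisted callers of the firewalld D-Bus API only; root stays whitelisted by default and direct nft/iptables writers are unaffected` next to it. Since this file appears to be the Butane-generated form of UTM.yml, the comment belongs in the .yml with the .ign regenerated, rather than being edited by hand here.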
17
UTM.yml
17
UTM.yml
@ -67,6 +67,23 @@ systemd:
|
|||||||
ExecStart=/usr/bin/touch /var/lib/%N.stamp
|
ExecStart=/usr/bin/touch /var/lib/%N.stamp
|
||||||
ExecStart=/usr/bin/systemctl --no-block reboot
|
ExecStart=/usr/bin/systemctl --no-block reboot
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
- name: postinst2.service
|
||||||
|
enabled: true
|
||||||
|
contents: |
|
||||||
|
[Unit]
|
||||||
|
Description=Initial System Setup Part 2
|
||||||
|
# We run this after the packages have been overlayed
|
||||||
|
After=network-online.target
|
||||||
|
ConditionPathExists=!/var/lib/%N.stamp
|
||||||
|
ConditionPathExists=/var/lib/postinst.stamp
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
|
ExecStart=/usr/bin/firewall-cmd --lockdown-on
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
- name: setsebool.service
|
- name: setsebool.service
|
||||||
|
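Review bot: The new postinst2.service declares no ordering against firewalld, yet `ExecStart=/usr/bin/firewall-cmd --lockdown-on` is a D-Bus client that fails when the daemon is not running; `After=network-online.target` does not imply that firewalld.service has started, so on a slow boot the unit can fail and the lockdown is never applied. Add `Wants=firewalld.service` and `After=firewalld.service network-online.target` to the [Unit] section. Separately, the unit guards itself with `ConditionPathExists=!/var/lib/%N.stamp` but, unlike postinst.service's `ExecStart=/usr/bin/touch /var/lib/%N.stamp` shown above it, never creates that stamp, so the condition never trips and the unit re-runs on every boot; that is harmless because lockdown is persisted by firewalld, but either append `ExecStart=/usr/bin/touch /var/lib/%N.stamp` as the last step or drop the condition so the intended run-once semantics are actually enforced.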