From 3ee9f7c9d12d54cf69994d74ac018983ba293f59 Mon Sep 17 00:00:00 2001
From: Thien Tran <contact@tommytran.io>
Date: Tue, 15 Aug 2023 18:23:38 -0700
Subject: [PATCH] Setup Chrony seccomp filter

Signed-off-by: Thien Tran <contact@tommytran.io>
---
 Docker-Compose.ign |  8 ++++++++
 Docker-Compose.yml |  6 ++++++
 Generic.ign        | 10 +++++++++-
 Generic.yml        |  8 +++++++-
 4 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/Docker-Compose.ign b/Docker-Compose.ign
index 09cd356..8ed672f 100644
--- a/Docker-Compose.ign
+++ b/Docker-Compose.ign
@@ -115,6 +115,14 @@
           "source": "data:;base64,H4sIAAAAAAAC/4yQsU78MAyHdz9Fpf/cyxNkuL8OIVaO6oaqQ0hMz2pqB8cB+vYM1QmBGNh+0vf5GzwOTDbBCWtUKkbC/thM1mAUu6GkYKhwfDFUnyQuqIeK+kYR4RFfGylWz2jvoksvnInxYEFntC/84wzG874mGCqqVxGDe5VW9nkRXYjnEylGE928K8GuzsTtoT7KWqSiSzcD/t19YDxbUPOuVXXPxG4m60rLGX5h30N/1Vrp+gRPW0EvjPUqBjA+cLWQ8wSXwIbp/+bXlo36VlFvn/gMAAD//9CerLZjAQAA"
         }
       },
+      {
+        "overwrite": true,
+        "path": "/etc/sysconfig/chronyd",
+        "contents": {
+          "compression": "",
+          "source": "data:,%23%20Command-line%20options%20for%20chronyd%0AOPTIONS%3D%22-F%201%22%0A"
+        }
+      },
       {
         "overwrite": true,
         "path": "/etc/unbound/unbound.conf",
diff --git a/Docker-Compose.yml b/Docker-Compose.yml
index 713eba9..1a094ca 100644
--- a/Docker-Compose.yml
+++ b/Docker-Compose.yml
@@ -173,6 +173,12 @@ storage:
 
           [Install]
           WantedBy=multi-user.target
+    - path: /etc/sysconfig/chronyd
+      overwrite: true
+      contents:
+        inline: |
+          # Command-line options for chronyd
+          OPTIONS="-F 1"
     - path: /etc/unbound/unbound.conf
       overwrite: true
       contents:
diff --git a/Generic.ign b/Generic.ign
index 610f23b..d04ff80 100644
--- a/Generic.ign
+++ b/Generic.ign
@@ -108,12 +108,20 @@
           "source": "data:,GSSAPIAuthentication%20no%0AVerifyHostKeyDNS%20yes%0A"
         }
       },
+      {
+        "overwrite": true,
+        "path": "/etc/sysconfig/chronyd",
+        "contents": {
+          "compression": "",
+          "source": "data:,%23%20Command-line%20options%20for%20chronyd%0AOPTIONS%3D%22-F%201%22%0A"
+        }
+      },
       {
         "overwrite": true,
         "path": "/etc/unbound/unbound.conf",
         "contents": {
           "compression": "gzip",
-          "source": "data:;base64,H4sIAAAAAAAC/6xSQWvcPBC9768Q/s5jezfZ5MNQ6CWFQktL00uPE2lsD5ElZzTa1Pn1RbtdlyyFQqkNxp4373ne0ySSA0m3McaOEqN2pqo2G2MwawSVnBQw2DEK9OypM1VzQGk8PzQ5PMQcXFNY9SMt1caYV4TEQ0DPYejMQmljTOmER1ogUVAO5E9A4fkElkThIQdXftOQ2iYl35RqaiweYe7ZolKqreiZxfNIkjpTff7y6d37D3dv7r/df737eDQxsiMYVWfIiQRwoKDnYY4YuzKJLq+KRxMnD6/qB5LEMaxDOwoLYPhFRnEUAP0QwcXnMAg6ugA9ykDwlEmY0gUm1JMIephRxwssjfGYTp/4ZdXkIUQhsA56j2vKE36H7GY4dV61t7tSjC57AhtDz0NnqgN6dqhRDCtJeSnH9xRwIpg48MQJlWOApMJ2DS2HZwxKDoRmv4COQmmM3nVm256u0pQILM4J+ijAbs0rZh0ihwHm4mUmmVgLcXcNN/v91b70zCUEtav983dZm59CfZRnFAcvMVDZ2zJzZ6q6GDhjZTPynFQIp7PUGUPnpDPbuty7t//vr/5LZLOwLrX1MbveoxC4kGobp9/w2rr9C97upr3prm/b9vTottvtPxBp2z+L/AgAAP//qRxiA+IDAAA="
+          "source": "data:;base64,H4sIAAAAAAAC/6xSQWvcPBC9768Q/s5jezfZ5MNQ6CWFQktL00uPE2lsD5ElZzTa1Pn1RbtdlyyFQqkNxp4373ne0ySSA0m3McaOEqN2pqo2G2MwawSVnBQw2DEK9OypM1VzQGk8PzQ5PMQcXFNY9SMt1caYV4TEQ0DPYejMQmljTOmER1ogUVAO5E9A4fkElkThIQdXftOQ2iYl35RqaiweYe7ZolKqreiZxfNIkjpTff7y6d37D3dv7r/df737eDQxsiMYVWfIiQRwoKDnYY4YuzKJLq+KRxMnD6/qB5LEMaxDOwoLYPhFRnEUAP0QwcXnMAg6ugA9ykDwlEmY0gUm1JMIephRxwssjfGYTp/4ZdXkIUQhsA56j2vKE36H7GY4dV61t7tSjC57AhtDz0NnqgN6dqhRDCtJeSnH9xRwIpg48MQJlWOApMJ2DS2HZwxKDoRmv4COQmmM3nVm256u0pQILM4J+ijAbs0rZh0ihwHm4mUmmVgLcXcNN/v91b70zCUEtav983dZm59CfZRnFAcvMVDZ2zJzZ6q6GDhjZTPynFQIp7PUGUPnpDPbuty7t//vr/5LZLOwLrX1MbveoxC4kGobp9/w2rr9C97upr3prm/b9vTottvtPxBp2z+K9P3mRwAAAP//CV2iuOQDAAA="
         }
       },
       {
diff --git a/Generic.yml b/Generic.yml
index e5db572..6de9af5 100644
--- a/Generic.yml
+++ b/Generic.yml
@@ -171,6 +171,12 @@ storage:
         inline: |
           GSSAPIAuthentication no
           VerifyHostKeyDNS yes
+    - path: /etc/sysconfig/chronyd
+      overwrite: true
+      contents:
+        inline: |
+          # Command-line options for chronyd
+          OPTIONS="-F 1"
     - path: /etc/unbound/unbound.conf
       overwrite: true
       contents:
@@ -213,7 +219,7 @@ storage:
             forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
             forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
             forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
-            forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com
+            forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.comff
     - path: /etc/systemd/system/unbound.service.d/override.conf
       contents:
         inline: |