diff --git a/etc/pki/rpm-gpg/RPM-GPG-KEY-divested b/etc/pki/rpm-gpg/RPM-GPG-KEY-divested new file mode 100644 index 0000000..6e009f4 --- /dev/null +++ b/etc/pki/rpm-gpg/RPM-GPG-KEY-divested @@ -0,0 +1,28 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF/La4cBEADGUgoiPUJcEs0DRpWgmmpnMtgRxOiqT4b2R1d9cwtWpMOqQ3eN +OJqSBdzmN+aNwt61XWi4MUAseN5O3L3C+UXIk8HptOmalNySSHcGXk6Kn250Tmy5 +O+ZGHlPng1zqOMBBZs1kNYw9aXuxQFCRk1rfFcePreyF+rHuBx0K2EGJPQ7udEf0 +znq8gRZ29wFz3TzqGmKVv5cWkdGSUUkQc9ecZX89yBMfuqRXUG/ucojD0gLaQyTy +cjfS/0RE+Bje8Mpe8wswR+hg2qZDO+n9uMY/7dmdctKGU/kdxEBPqe0dak1sJ16M +0bawI+Rq/5RqPYwgEcfTg4VQotvpENUN/uAqi1b0IRLcPE46kXGpY9HIukFkzRKD +N1WMz8D6sVNimV99KucKvXzD/1VvyawChPWJsGCow4OoYrvHTU5f8J7PHStLQ61O +pVjWRbRonpjGBvz3hP0vkwCgy21AkYnRWaSKztwSkIJ36NCqsU24WIH1XgWzxsrf +kniQdXP6+sMCAxV+u6ig671BdtqYqaIGxb15j/wPXuju92myrTGa4rk0uUTur+VV +v0ethh3S8c9yisuRjkV+K/xpoJjGv7MsZf6hkcyIT826cv4Jr8LbtSMVD/pQB93i +olhizs8U0ph+RMnNPC4ZiroPgjDhYDZcIPuWw8WETHrUQDaEj6XgYm8P2QARAQAB +tEhEaXZlc3RlZCBSZWxlYXNlIFNpZ25pbmcgKDIwMjAgIzEpIDxzdXBwb3J0K3Jl +bGVhc2VzaWduaW5nQGRpdmVzdGVkLmRldj6JAk4EEwEIADgWIQRjlfyZEe3NYVhx +Lfe638q92/W2lAUCX8trhwIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC6 +38q92/W2lH49D/9F4f1pGf5ZWZjs7LiW4BQgAOx0NiKsvFTXBAhhUSJwTseB3vnK +ZGx3qoUCI0pk+4Z/YHhY91QTopJHcg/QW8tj/shjtRbzmfBB6dwFQkZtOHofXHMV +DowoY2MXZRd9dRIBhwLRvktZA9yKO1iH0M0vSqxuh8ALkvUlDgfzy0QBsAHjsUTB +FoxGemxT+70zDNx+xL0PusRA25AOn7EXzrjk6E1653KL1sRojqGZ/XzWWw+6dZyM +4Aap3CGrS7+YrXhJTMokOC/OfariDaN02YtlRizztWYEhkJ5SB0kIIlzgrGmY659 +b0ENjjHAVK16LfRoDprb1PpC3du2QAVFtBRDqD2zwXBmELjyOpAnSYDuJVPgv4T8 +Oty5be+U84lKVIgG5N60VrJzkwi5J+FSx2hTJl0C5BZyKChDXXvlnJI2Y4Qrwjyz +7mx5gjFLZra/yKrVKnfxp5AJ7DxHxNOYn0dcceWBBVC1L5sniim9z4Q5fNRErJT8 +ayf77gecLuCVt+LhCH1rFejeIZrl0QEw+udrTYrPt3BWUK2OOIzF8PqLHfyUF+7W +ZuLgMxj0nGLMqOlPSszrQ6RxmL//GmXkmE3CeDNXV+7SpmMYe07pHzycg8+d/tNq +EajUfLQJqUYj3m51MnKW2r+QUKjkIYsn4iFfk+2aeY5HX1RalWJ7d4NHJQ== +=qpX+ \ No newline at end of file diff --git a/etc/yum.repos.d/divested-release.repo b/etc/yum.repos.d/divested-release.repo new file mode 100644 index 0000000..bfe0c84 --- /dev/null +++ b/etc/yum.repos.d/divested-release.repo @@ -0,0 +1,12 @@ +[divested] +name=Divested RPM Repository +#baseurl=https://divested.dev/rpm/fedora +metalink=https://divested.dev/rpm/fedora/metalink.metalink +enabled=1 +metadata_expire=7d +repo_gpgcheck=1 +type=rpm +gpgcheck=1 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-divested +skip_if_unavailable=True +includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc \ No newline at end of file diff --git a/x86-QEMU-Docker.ign b/x86-v3-QEMU-Docker.ign similarity index 87% rename from x86-QEMU-Docker.ign rename to x86-v3-QEMU-Docker.ign index 4df8e0f..2f69fb6 100644 --- a/x86-QEMU-Docker.ign +++ b/x86-v3-QEMU-Docker.ign @@ -74,6 +74,18 @@ "source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/docker/daemon.json" } }, + { + "path": "/etc/yum.repos.d/divested-release.repo", + "contents": { + "source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/divested-release.repo" + } + }, + { + "path": "/etc/pki/rpm-gpg/RPM-GPG-KEY-divested", + "contents": { + "source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/pki/rpm-gpg/RPM-GPG-KEY-divested" + } + }, { "overwrite": true, "path": "/etc/chrony.conf", @@ -219,12 +231,12 @@ "systemd": { "units": [ { - "contents": "[Unit]\nDescription=Initial System Setup\n# We run after `systemd-machine-id-commit.service` to ensure that\n# `ConditionFirstBoot=true` services won't rerun on the next boot.\nAfter=systemd-machine-id-commit.service\nAfter=network-online.target\n# We run before `zincati.service` to avoid conflicting rpm-ostree\n# transactions.\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/rpm-ostree override remove bind-license bind-utils bind-libs brcmfmac-firmware intel-gpu-firmware mt7xxx-firmware atheros-firmware amd-ucode-firmware linux-firmware amd-gpu-firmware realtek-firmware btrfs-progs cifs-utils clevis clevis-dracut clevis-luks clevis-systemd containerd containers-common-extra crun crun-wasm cryptsetup dnsmasq e2fsprogs-libs e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 fwupd google-compute-engine-guest-configs-udev iptables-legacy iptables-legacy-libs kexec-tools libnvme lvm2 lvm2-libs mdadm moby-engine nvme-cli podman podman-plugins rsync runc samba-client-libs samba-common libwbclient libsmbclient samba-common-libs socat sssd-client sssd-ldap sssd-common sssd-krb5-common sssd-nfs-idmap sssd-ad sssd-krb5 sssd-ipa sssd-common-pac systemd-resolved toolbox tpm2-tools tpm2-tss-fapi vim-data vim-minimal wireguard-tools\nExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld qemu-guest-agent tuned unbound\nExecStart=/usr/bin/sed -i 's/\\s+nullok//g' /etc/pam.d/system-auth\nExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/systemctl disable systemd-resolved\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n", + "contents": "[Unit]\nDescription=Initial System Setup\n# We run after `systemd-machine-id-commit.service` to ensure that\n# `ConditionFirstBoot=true` services won't rerun on the next boot.\nAfter=systemd-machine-id-commit.service\nAfter=network-online.target\n# We run before `zincati.service` to avoid conflicting rpm-ostree\n# transactions.\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/rpm-ostree override remove bind-license bind-utils bind-libs brcmfmac-firmware intel-gpu-firmware mt7xxx-firmware atheros-firmware amd-ucode-firmware linux-firmware amd-gpu-firmware realtek-firmware btrfs-progs cifs-utils clevis clevis-dracut clevis-luks clevis-systemd containerd containers-common-extra crun crun-wasm cryptsetup dnsmasq e2fsprogs-libs e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 fwupd google-compute-engine-guest-configs-udev iptables-legacy iptables-legacy-libs kexec-tools libnvme lvm2 lvm2-libs mdadm moby-engine nvme-cli podman podman-plugins rsync runc samba-client-libs samba-common libwbclient libsmbclient samba-common-libs socat sssd-client sssd-ldap sssd-common sssd-krb5-common sssd-nfs-idmap sssd-ad sssd-krb5 sssd-ipa sssd-common-pac systemd-resolved toolbox tpm2-tools tpm2-tss-fapi vim-data vim-minimal wireguard-tools\nExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld hardened_malloc qemu-guest-agent tuned unbound\nExecStart=/usr/bin/sed -i 's/\\s+nullok//g' /etc/pam.d/system-auth\nExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/systemctl disable systemd-resolved\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n", "enabled": true, "name": "postinst.service" }, { - "contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/systemctl enable --now firewalld\nExecStart=/usr/bin/firewall-cmd --lockdown-on\n\n[Install]\nWantedBy=multi-user.target\n", + "contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/echo \"/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so\" | tee /etc/ld.so.preload\nExecStart=/usr/bin/systemctl enable --now firewalld\nExecStart=/usr/bin/firewall-cmd --lockdown-on\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n", "enabled": true, "name": "postinst2.service" }, diff --git a/x86-QEMU-Docker.yml b/x86-v3-QEMU-Docker.yml similarity index 95% rename from x86-QEMU-Docker.yml rename to x86-v3-QEMU-Docker.yml index 10d6db4..bf7a86a 100644 --- a/x86-QEMU-Docker.yml +++ b/x86-v3-QEMU-Docker.yml @@ -43,7 +43,7 @@ systemd: Type=oneshot RemainAfterExit=yes ExecStart=/usr/bin/rpm-ostree override remove bind-license bind-utils bind-libs brcmfmac-firmware intel-gpu-firmware mt7xxx-firmware atheros-firmware amd-ucode-firmware linux-firmware amd-gpu-firmware realtek-firmware btrfs-progs cifs-utils clevis clevis-dracut clevis-luks clevis-systemd containerd containers-common-extra crun crun-wasm cryptsetup dnsmasq e2fsprogs-libs e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 fwupd google-compute-engine-guest-configs-udev iptables-legacy iptables-legacy-libs kexec-tools libnvme lvm2 lvm2-libs mdadm moby-engine nvme-cli podman podman-plugins rsync runc samba-client-libs samba-common libwbclient libsmbclient samba-common-libs socat sssd-client sssd-ldap sssd-common sssd-krb5-common sssd-nfs-idmap sssd-ad sssd-krb5 sssd-ipa sssd-common-pac systemd-resolved toolbox tpm2-tools tpm2-tss-fapi vim-data vim-minimal wireguard-tools - ExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld qemu-guest-agent tuned unbound + ExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld hardened_malloc qemu-guest-agent tuned unbound ExecStart=/usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth ExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf ExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf @@ -69,8 +69,10 @@ systemd: [Service] Type=oneshot RemainAfterExit=yes + ExecStart=/usr/bin/echo "/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so" | tee /etc/ld.so.preload ExecStart=/usr/bin/systemctl enable --now firewalld ExecStart=/usr/bin/firewall-cmd --lockdown-on + ExecStart=/usr/bin/systemctl --no-block reboot [Install] WantedBy=multi-user.target @@ -168,6 +170,12 @@ storage: - path: /etc/docker/daemon.json contents: source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/docker/daemon.json + - path: /etc/yum.repos.d/divested-release.repo + contents: + source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/divested-release.repo + - path: /etc/pki/rpm-gpg/RPM-GPG-KEY-divested + contents: + source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/pki/rpm-gpg/RPM-GPG-KEY-divested - path: /etc/chrony.conf contents: source: https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf