mirror of
https://github.com/tommytran732/Fedora-CoreOS-Ignition
synced 2024-11-22 09:21:32 -05:00
Compare commits
7 Commits
c8611cf3dd
...
e5f1e9d988
| Author | SHA1 | Date | |
|---|---|---|---|
e5f1e9d988
|
|||
|
0ed3ff3b7f
|
|||
|
a6f5adde00
|
|||
|
3f9d70c9f1
|
|||
|
bb9719eff6
|
|||
|
472dd72cc6
|
|||
|
baf5ca9334
|
@ -143,7 +143,7 @@
|
||||
{
|
||||
"path": "/etc/security/limits.d/30-disable-coredump.conf",
|
||||
"contents": {
|
||||
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/security/limits.d/30-disable-coredump.conf"
|
||||
"source": "https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf"
|
||||
}
|
||||
},
|
||||
{
|
||||
@ -164,6 +164,20 @@
|
||||
"contents": {
|
||||
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/systemd/system/unbound.service.d/override.conf"
|
||||
}
|
||||
},
|
||||
{
|
||||
"overwrite": true,
|
||||
"path": "/etc/issue",
|
||||
"contents": {
|
||||
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/issue"
|
||||
}
|
||||
},
|
||||
{
|
||||
"overwrite": true,
|
||||
"path": "/etc/issue.net",
|
||||
"contents": {
|
||||
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/issue"
|
||||
}
|
||||
}
|
||||
],
|
||||
"links": [
|
||||
@ -192,7 +206,7 @@
|
||||
"systemd": {
|
||||
"units": [
|
||||
{
|
||||
"contents": "[Unit]\nDescription=Initial System Setup\n# We run after `systemd-machine-id-commit.service` to ensure that\n# `ConditionFirstBoot=true` services won't rerun on the next boot.\nAfter=systemd-machine-id-commit.service\nAfter=network-online.target\n# We run before `zincati.service` to avoid conflicting rpm-ostree\n# transactions.\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/rpm-ostree install firewalld qemu-guest-agent tuned unbound\nExecStart=/usr/bin/rpm-ostree override remove bind-license bind-libs bind-utils cifs-utils containerd containers-common-extra crun-wasm crun dnsmasq e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 libwbclient samba-common-libs samba-common samba-client-libs libsmbclient moby-engine podman podman-plugins runc sssd-ipa sssd-common sssd-nfs-idmap sssd-ldap sssd-ad sssd-krb5 sssd-client sssd-common-pac sssd-krb5-common toolbox\nExecStart=/usr/bin/sed -i 's/nullok//g' /etc/pam.d/system-auth\nExecStart=/usr/bin/sed -i '$ a\\allow 10.0.2.2/32' /etc/chrony.conf\nExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/systemctl disable systemd-resolved\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n",
|
||||
"contents": "[Unit]\nDescription=Initial System Setup\n# We run after `systemd-machine-id-commit.service` to ensure that\n# `ConditionFirstBoot=true` services won't rerun on the next boot.\nAfter=systemd-machine-id-commit.service\nAfter=network-online.target\n# We run before `zincati.service` to avoid conflicting rpm-ostree\n# transactions.\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/rpm-ostree install firewalld qemu-guest-agent tuned unbound\nExecStart=/usr/bin/rpm-ostree override bind-license bind-utils bind-libs brcmfmac-firmware intel-gpu-firmware mt7xxx-firmware atheros-firmware amd-ucode-firmware linux-firmware amd-gpu-firmware realtek-firmware btrfs-progs cifs-utils clevis clevis-dracut clevis-luks clevis-systemd containerd containers-common-extra crun crun-wasm cryptsetup dnsmasq e2fsprogs-libs e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 fwupd google-compute-engine-guest-configs-udev iptables-legacy iptables-legacy-libs kexec-tools libnvme lvm2 lvm2-libs mdadm moby-engine nvme-cli podman podman-plugins rsync runc samba-client-libs samba-common libwbclient libsmbclient samba-common-libs socat sssd-client sssd-ldap sssd-common sssd-krb5-common sssd-nfs-idmap sssd-ad sssd-krb5 sssd-ipa sssd-common-pac systemd-resolved toolbox tpm2-tools tpm2-tss-fapi vim-data vim-minimal wireguard-tools\nExecStart=/usr/bin/sed -i 's/\\s+nullok//g' /etc/pam.d/system-auth\nExecStart=/usr/bin/sed -i '$ a\\allow 10.0.2.2/32' /etc/chrony.conf\nExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/systemctl disable systemd-resolved\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n",
|
||||
"enabled": true,
|
||||
"name": "postinst.service"
|
||||
},
|
||||
|
||||
@ -42,8 +42,8 @@ systemd:
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/bin/rpm-ostree install firewalld qemu-guest-agent tuned unbound
|
||||
ExecStart=/usr/bin/rpm-ostree override remove bind-license bind-libs bind-utils cifs-utils containerd containers-common-extra crun-wasm crun dnsmasq e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 libwbclient samba-common-libs samba-common samba-client-libs libsmbclient moby-engine podman podman-plugins runc sssd-ipa sssd-common sssd-nfs-idmap sssd-ldap sssd-ad sssd-krb5 sssd-client sssd-common-pac sssd-krb5-common toolbox
|
||||
ExecStart=/usr/bin/sed -i 's/nullok//g' /etc/pam.d/system-auth
|
||||
ExecStart=/usr/bin/rpm-ostree override bind-license bind-utils bind-libs brcmfmac-firmware intel-gpu-firmware mt7xxx-firmware atheros-firmware amd-ucode-firmware linux-firmware amd-gpu-firmware realtek-firmware btrfs-progs cifs-utils clevis clevis-dracut clevis-luks clevis-systemd containerd containers-common-extra crun crun-wasm cryptsetup dnsmasq e2fsprogs-libs e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 fwupd google-compute-engine-guest-configs-udev iptables-legacy iptables-legacy-libs kexec-tools libnvme lvm2 lvm2-libs mdadm moby-engine nvme-cli podman podman-plugins rsync runc samba-client-libs samba-common libwbclient libsmbclient samba-common-libs socat sssd-client sssd-ldap sssd-common sssd-krb5-common sssd-nfs-idmap sssd-ad sssd-krb5 sssd-ipa sssd-common-pac systemd-resolved toolbox tpm2-tools tpm2-tss-fapi vim-data vim-minimal wireguard-tools
|
||||
ExecStart=/usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
|
||||
ExecStart=/usr/bin/sed -i '$ a\allow 10.0.2.2/32' /etc/chrony.conf
|
||||
ExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf
|
||||
ExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf
|
||||
@ -152,7 +152,7 @@ storage:
|
||||
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/systemd/zram-generator.conf
|
||||
- path: /etc/security/limits.d/30-disable-coredump.conf
|
||||
contents:
|
||||
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/security/limits.d/30-disable-coredump.conf
|
||||
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf
|
||||
- path: /etc/sysconfig/chronyd
|
||||
overwrite: true
|
||||
contents:
|
||||
@ -163,6 +163,14 @@ storage:
|
||||
- path: /etc/systemd/system/unbound.service.d/override.conf
|
||||
contents:
|
||||
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/systemd/system/unbound.service.d/override.conf
|
||||
- path: /etc/issue
|
||||
overwrite: true
|
||||
contents:
|
||||
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/issue
|
||||
- path: /etc/issue.net
|
||||
overwrite: true
|
||||
contents:
|
||||
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/issue
|
||||
links:
|
||||
- path: /etc/localtime
|
||||
target: ../usr/share/zoneinfo/America/Phoenix
|
||||
|
||||
5
etc/issue
Normal file
5
etc/issue
Normal file
@ -0,0 +1,5 @@
|
||||
You are accessing Thien Tran's information system that is provided for authorized uses only.
|
||||
|
||||
ALL ACTIVITY MAY BE MONITORED AND REPORTED. UNAUTHORIZED USES SHALL BE PROSECUTED TO THE FULLEST EXTENT OF THE LAW.
|
||||
|
||||
To report a potential security concern, please contact contact@tommytran.io.
|
||||
@ -1 +0,0 @@
|
||||
* hard core 0
|
||||
@ -5,6 +5,6 @@ strategy = "periodic"
|
||||
time_zone = "localtime"
|
||||
|
||||
[[updates.periodic.window]]
|
||||
days = [ "Sun" ]
|
||||
days = [ "Fri" ]
|
||||
start_time = "0:00"
|
||||
length_minutes = 60
|
||||
@ -157,7 +157,7 @@
|
||||
{
|
||||
"path": "/etc/security/limits.d/30-disable-coredump.conf",
|
||||
"contents": {
|
||||
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/security/limits.d/30-disable-coredump.conf"
|
||||
"source": "https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf"
|
||||
}
|
||||
},
|
||||
{
|
||||
@ -178,6 +178,20 @@
|
||||
"contents": {
|
||||
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/systemd/system/unbound.service.d/override.conf"
|
||||
}
|
||||
},
|
||||
{
|
||||
"overwrite": true,
|
||||
"path": "/etc/issue",
|
||||
"contents": {
|
||||
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/issue"
|
||||
}
|
||||
},
|
||||
{
|
||||
"overwrite": true,
|
||||
"path": "/etc/issue.net",
|
||||
"contents": {
|
||||
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/issue"
|
||||
}
|
||||
}
|
||||
],
|
||||
"links": [
|
||||
@ -206,7 +220,7 @@
|
||||
"systemd": {
|
||||
"units": [
|
||||
{
|
||||
"contents": "[Unit]\nDescription=Initial System Setup\n# We run after `systemd-machine-id-commit.service` to ensure that\n# `ConditionFirstBoot=true` services won't rerun on the next boot.\nAfter=systemd-machine-id-commit.service\nAfter=network-online.target\n# We run before `zincati.service` to avoid conflicting rpm-ostree\n# transactions.\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/rpm-ostree override remove bind-license bind-libs bind-utils cifs-utils containerd containers-common-extra crun-wasm crun dnsmasq e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 libwbclient samba-common-libs samba-common samba-client-libs libsmbclient moby-engine podman podman-plugins runc sssd-ipa sssd-common sssd-nfs-idmap sssd-ldap sssd-ad sssd-krb5 sssd-client sssd-common-pac sssd-krb5-common toolbox\nExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld qemu-guest-agent tuned unbound\nExecStart=/usr/bin/sed -i 's/nullok//g' /etc/pam.d/system-auth\nExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/systemctl disable systemd-resolved\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n",
|
||||
"contents": "[Unit]\nDescription=Initial System Setup\n# We run after `systemd-machine-id-commit.service` to ensure that\n# `ConditionFirstBoot=true` services won't rerun on the next boot.\nAfter=systemd-machine-id-commit.service\nAfter=network-online.target\n# We run before `zincati.service` to avoid conflicting rpm-ostree\n# transactions.\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/rpm-ostree override remove bind-license bind-utils bind-libs brcmfmac-firmware intel-gpu-firmware mt7xxx-firmware atheros-firmware amd-ucode-firmware linux-firmware amd-gpu-firmware realtek-firmware btrfs-progs cifs-utils clevis clevis-dracut clevis-luks clevis-systemd containerd containers-common-extra crun crun-wasm cryptsetup dnsmasq e2fsprogs-libs e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 fwupd google-compute-engine-guest-configs-udev iptables-legacy iptables-legacy-libs kexec-tools libnvme lvm2 lvm2-libs mdadm moby-engine nvme-cli podman podman-plugins rsync runc samba-client-libs samba-common libwbclient libsmbclient samba-common-libs socat sssd-client sssd-ldap sssd-common sssd-krb5-common sssd-nfs-idmap sssd-ad sssd-krb5 sssd-ipa sssd-common-pac systemd-resolved toolbox tpm2-tools tpm2-tss-fapi vim-data vim-minimal wireguard-tools\nExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld qemu-guest-agent tuned unbound\nExecStart=/usr/bin/sed -i 's/\\s+nullok//g' /etc/pam.d/system-auth\nExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/systemctl disable systemd-resolved\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n",
|
||||
"enabled": true,
|
||||
"name": "postinst.service"
|
||||
},
|
||||
@ -42,9 +42,9 @@ systemd:
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/bin/rpm-ostree override remove bind-license bind-libs bind-utils cifs-utils containerd containers-common-extra crun-wasm crun dnsmasq e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 libwbclient samba-common-libs samba-common samba-client-libs libsmbclient moby-engine podman podman-plugins runc sssd-ipa sssd-common sssd-nfs-idmap sssd-ldap sssd-ad sssd-krb5 sssd-client sssd-common-pac sssd-krb5-common toolbox
|
||||
ExecStart=/usr/bin/rpm-ostree override remove bind-license bind-utils bind-libs brcmfmac-firmware intel-gpu-firmware mt7xxx-firmware atheros-firmware amd-ucode-firmware linux-firmware amd-gpu-firmware realtek-firmware btrfs-progs cifs-utils clevis clevis-dracut clevis-luks clevis-systemd containerd containers-common-extra crun crun-wasm cryptsetup dnsmasq e2fsprogs-libs e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 fwupd google-compute-engine-guest-configs-udev iptables-legacy iptables-legacy-libs kexec-tools libnvme lvm2 lvm2-libs mdadm moby-engine nvme-cli podman podman-plugins rsync runc samba-client-libs samba-common libwbclient libsmbclient samba-common-libs socat sssd-client sssd-ldap sssd-common sssd-krb5-common sssd-nfs-idmap sssd-ad sssd-krb5 sssd-ipa sssd-common-pac systemd-resolved toolbox tpm2-tools tpm2-tss-fapi vim-data vim-minimal wireguard-tools
|
||||
ExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld qemu-guest-agent tuned unbound
|
||||
ExecStart=/usr/bin/sed -i 's/nullok//g' /etc/pam.d/system-auth
|
||||
ExecStart=/usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
|
||||
ExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf
|
||||
ExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf
|
||||
ExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf
|
||||
@ -210,7 +210,7 @@ storage:
|
||||
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/systemd/zram-generator.conf
|
||||
- path: /etc/security/limits.d/30-disable-coredump.conf
|
||||
contents:
|
||||
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/security/limits.d/30-disable-coredump.conf
|
||||
source: https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf
|
||||
- path: /etc/sysconfig/chronyd
|
||||
overwrite: true
|
||||
contents:
|
||||
@ -221,6 +221,14 @@ storage:
|
||||
- path: /etc/systemd/system/unbound.service.d/override.conf
|
||||
contents:
|
||||
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/systemd/system/unbound.service.d/override.conf
|
||||
- path: /etc/issue
|
||||
overwrite: true
|
||||
contents:
|
||||
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/issue
|
||||
- path: /etc/issue.net
|
||||
overwrite: true
|
||||
contents:
|
||||
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/issue
|
||||
links:
|
||||
- path: /etc/localtime
|
||||
target: ../usr/share/zoneinfo/America/Phoenix
|
||||
Loading…
Reference in New Issue
Block a user