variant: fcos version: 1.4.0 passwd: users: - name: tomster ssh_authorized_keys: - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcmfm4RKkVC02QrF6ajGVVlbO3+AiVVyfoO4jbUjNbBNarVNgOHNC2lyxo3DJG33uKg74/e6fwj2mr2qW7Bq/yefmMqZrwY6ZyBDOOnkmsaMjX3Q5dJVRvHaYDShseJEBVtALVZFPyYQhdCdCEI/pO1Oeh+bDgLFinWoKAx6Fau8ArjbCsU4WfmgTUQae8AkE5e+uj+2T7Nq195CgfWEnAcKTKEYTr+6Y5a8L/w6ugto41bXvbwWhgogMT7epkcsfSF14M5hi0kBTawmzSi6HsqnAs4PWadaN0IMtfZJ/ZdpNw2QjdDKReGc3AcvEUQU9840RgVmXLp0JT5kdHJZabYcpPaDRwTw3A/oNIEZCzOKve8j4aFrf003etUn7Vq5wchyqyRrk2KRnK61v8BOtF7REs5jw/hQ1PdbsGewhxmGQy3gJ670BS1apQDvrZVHUqIsl3SGcykBBQvLu0F5erZ3ENPAk0wb++ygBtqsoF0wV9rv+L/VEh7233/TUQbH6K2ggZg5SvQnjUA4JqnBcSPf8kMlEGCU+8yeGSF086vL3gpVF6VpvUa34Sh+RbLGtNPVcoTSa2yLwSHdU0NmA9Lj/0M3+ty+uK4pBU86zIIAmyB9NBN/TcpeR7PVi3J991EbVLZgwzAK7S/LAmE6vWLG1IoQbDDN7QCB9XWiFiaQ== groups: - wheel - sudo systemd: units: - name: postinst.service enabled: true contents: | [Unit] Description=Initial System Setup # We run after `systemd-machine-id-commit.service` to ensure that # `ConditionFirstBoot=true` services won't rerun on the next boot. After=systemd-machine-id-commit.service After=network-online.target # We run before `zincati.service` to avoid conflicting rpm-ostree # transactions. Before=zincati.service ConditionPathExists=!/var/lib/%N.stamp [Service] Type=oneshot RemainAfterExit=yes ExecStart=/usr/bin/rpm-ostree install fail2ban firewalld prelockd tuned qemu-guest-agent ExecStart=/bin/touch /var/lib/%N.stamp ExecStart=/usr/bin/sed 's/nullok//g' /etc/pam.d/system-auth ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf ExecStart=/bin/systemctl --no-block reboot [Install] WantedBy=multi-user.target - name: postinst2.service enabled: true contents: | [Unit] Description=Initial System Setup Part 2 # We run this after the packages have been overlayed After=network-online.target ConditionPathExists=!/var/lib/%N.stamp ConditionPathExists=/var/lib/postinst.stamp [Service] Type=oneshot RemainAfterExit=yes ExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule "0 5 0 * * 1" ExecStart=/bin/touch /var/lib/%N.stamp [Install] WantedBy=multi-user.target - name: setsebool.service enabled: true contents: | [Service] Type=oneshot ExecStart=/usr/sbin/setsebool container_use_cephfs off ExecStart=/usr/sbin/setsebool virt_use_nfs off ExecStart=/usr/sbin/setsebool virt_use_samba off RemainAfterExit=yes [Install] WantedBy=multi-user.target - name: docker.service enabled: true - name: fstrim.timer enabled: true - name: systemd-oomd.service enabled: true - name: rpm-ostree-countme.timer enabled: false mask: true storage: files: - path: /etc/zincati/config.d/51-rollout-wariness.toml contents: inline: | [identity] rollout_wariness = 1 - path: /etc/zincati/config.d/55-updates-strategy.toml contents: inline: | [updates] strategy = "periodic" [updates.periodic] time_zone = "localtime" [[updates.periodic.window]] days = [ "Sun" ] start_time = "0:00" length_minutes = 60 - path: /etc/fail2ban/jail.local contents: inline: | [DEFAULT] # Maximum 3 failures: maxentry = 3 # Ban hosts for one hour: bantime = 3600 # Override /etc/fail2ban/jail.d/00-firewalld.conf: banaction = iptables-multiport [sshd] enabled = true - path: /etc/tuned/active_profile overwrite: true contents: inline: | virtual-guest - path: /etc/tuned/profile_mode overwrite: true contents: inline: | manual - path: /etc/systemd/zram-generator.conf overwrite: true contents: inline: | # This config file enables a /dev/zram0 device with the default settings [zram0] zram-fraction = 1 max-zram-size = 8192 - path: /etc/security/limits.d/30-disable-coredump.conf overwrite: true contents: inline: | * hard core 0 - path: /etc/ssh/ssh_config.d/60-disable-GSSAPI.conf overwrite: true contents: inline: | GSSAPIAuthentication no - path: /etc/sysctl.d/20-silence-audit.conf contents: inline: | # Raise console message logging level from DEBUG (7) to WARNING (4) # so that audit messages don't get interspersed on the console that # may frustrate a user trying to interactively log in. kernel.printk=4 links: - path: /etc/localtime target: ../usr/share/zoneinfo/America/New_York - path: /etc/systemd/system/multi-user.target.wants/tuned.service target: /usr/lib/systemd/system/tuned.service - path: /etc/systemd/system/multi-user.target.wants/prelockd.service target: /usr/lib/systemd/system/prelockd.service - path: /etc/systemd/system/multi-user.target.wants/fail2ban.service target: /usr/lib/systemd/system/fail2ban.service - path: /etc/systemd/system/kdump.service.target target: /dev/null kernel_arguments: should_exist: - kvm.nx_huge_pages=force - random.trust_cpu=off - kernel.dmesg_restrict=1 - fs.protected_fifos=2 - fs.protected_regular=2 - fs.protected_symlinks=1 - fs.protected_hardlinks=1 - net.core.bpf_jit_harden=2 - kernel.kexec_load_disabled=1 - kernel.kptr_restrict=2 - vm.mmap_rnd_bits=32 - vm.mmap_rnd_compat_bits=16 - kernel.yama.ptrace_scope=2 - fs.suid_dumpable=0 - net.ipv4.tcp_rfc1337=1 - kernel.perf_event_paranoid=3 - kernel.randomize_va_space=2 - net.ipv4.icmp_ignore_bogus_error_responses=1 - net.ipv4.conf.all.log_martians=1