1
0
mirror of https://github.com/tommytran732/Fedora-CoreOS-Ignition synced 2024-11-08 11:21:33 -05:00
Fedora-CoreOS-Ignition/Generic.yml
2022-04-11 19:11:38 -04:00

173 lines
6.3 KiB
YAML

variant: fcos
version: 1.4.0
passwd:
users:
- name: tomster
ssh_authorized_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcmfm4RKkVC02QrF6ajGVVlbO3+AiVVyfoO4jbUjNbBNarVNgOHNC2lyxo3DJG33uKg74/e6fwj2mr2qW7Bq/yefmMqZrwY6ZyBDOOnkmsaMjX3Q5dJVRvHaYDShseJEBVtALVZFPyYQhdCdCEI/pO1Oeh+bDgLFinWoKAx6Fau8ArjbCsU4WfmgTUQae8AkE5e+uj+2T7Nq195CgfWEnAcKTKEYTr+6Y5a8L/w6ugto41bXvbwWhgogMT7epkcsfSF14M5hi0kBTawmzSi6HsqnAs4PWadaN0IMtfZJ/ZdpNw2QjdDKReGc3AcvEUQU9840RgVmXLp0JT5kdHJZabYcpPaDRwTw3A/oNIEZCzOKve8j4aFrf003etUn7Vq5wchyqyRrk2KRnK61v8BOtF7REs5jw/hQ1PdbsGewhxmGQy3gJ670BS1apQDvrZVHUqIsl3SGcykBBQvLu0F5erZ3ENPAk0wb++ygBtqsoF0wV9rv+L/VEh7233/TUQbH6K2ggZg5SvQnjUA4JqnBcSPf8kMlEGCU+8yeGSF086vL3gpVF6VpvUa34Sh+RbLGtNPVcoTSa2yLwSHdU0NmA9Lj/0M3+ty+uK4pBU86zIIAmyB9NBN/TcpeR7PVi3J991EbVLZgwzAK7S/LAmE6vWLG1IoQbDDN7QCB9XWiFiaQ==
groups:
- wheel
- sudo
systemd:
units:
- name: postinst.service
enabled: true
contents: |
[Unit]
Description=Initial System Setup
# We run after `systemd-machine-id-commit.service` to ensure that
# `ConditionFirstBoot=true` services won't rerun on the next boot.
After=systemd-machine-id-commit.service
After=network-online.target
# We run before `zincati.service` to avoid conflicting rpm-ostree
# transactions.
Before=zincati.service
ConditionPathExists=!/var/lib/%N.stamp
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/rpm-ostree install fail2ban firewalld prelockd tuned qemu-guest-agent
ExecStart=/bin/touch /var/lib/%N.stamp
ExecStart=/usr/bin/sed 's/nullok//g' /etc/pam.d/system-auth
ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
ExecStart=/bin/systemctl --no-block reboot
[Install]
WantedBy=multi-user.target
- name: postinst2.service
enabled: true
contents: |
[Unit]
Description=Initial System Setup Part 2
# We run this after the packages have been overlayed
After=network-online.target
ConditionPathExists=!/var/lib/%N.stamp
ConditionPathExists=/var/lib/postinst.stamp
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/docker run --detach --privileged --name watchtower --restart unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v /etc/localtime:/etc/localtime:ro containrrr/watchtower --schedule "0 5 0 * * 1"
ExecStart=/bin/touch /var/lib/%N.stamp
[Install]
WantedBy=multi-user.target
- name: setsebool.service
enabled: true
contents: |
[Service]
Type=oneshot
ExecStart=/usr/sbin/setsebool container_use_cephfs off
ExecStart=/usr/sbin/setsebool virt_use_nfs off
ExecStart=/usr/sbin/setsebool virt_use_samba off
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- name: docker.service
enabled: true
- name: fstrim.timer
enabled: true
- name: systemd-oomd.service
enabled: true
- name: rpm-ostree-countme.timer
enabled: false
mask: true
storage:
files:
- path: /etc/zincati/config.d/51-rollout-wariness.toml
contents:
inline: |
[identity]
rollout_wariness = 1
- path: /etc/zincati/config.d/55-updates-strategy.toml
contents:
inline: |
[updates]
strategy = "periodic"
[updates.periodic]
time_zone = "localtime"
[[updates.periodic.window]]
days = [ "Sun" ]
start_time = "0:00"
length_minutes = 60
- path: /etc/fail2ban/jail.local
contents:
inline: |
[DEFAULT]
# Maximum 3 failures:
maxentry = 3
# Ban hosts for one hour:
bantime = 3600
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport
[sshd]
enabled = true
- path: /etc/tuned/active_profile
overwrite: true
contents:
inline: |
virtual-guest
- path: /etc/tuned/profile_mode
overwrite: true
contents:
inline: |
manual
- path: /etc/systemd/zram-generator.conf
overwrite: true
contents:
inline: |
# This config file enables a /dev/zram0 device with the default settings
[zram0]
zram-fraction = 1
max-zram-size = 8192
- path: /etc/security/limits.d/30-disable-coredump.conf
overwrite: true
contents:
inline: |
* hard core 0
- path: /etc/ssh/ssh_config.d/60-disable-GSSAPI.conf
overwrite: true
contents:
inline: |
GSSAPIAuthentication no
- path: /etc/sysctl.d/20-silence-audit.conf
contents:
inline: |
# Raise console message logging level from DEBUG (7) to WARNING (4)
# so that audit messages don't get interspersed on the console that
# may frustrate a user trying to interactively log in.
kernel.printk=4
links:
- path: /etc/localtime
target: ../usr/share/zoneinfo/America/New_York
- path: /etc/systemd/system/multi-user.target.wants/tuned.service
target: /usr/lib/systemd/system/tuned.service
- path: /etc/systemd/system/multi-user.target.wants/prelockd.service
target: /usr/lib/systemd/system/prelockd.service
- path: /etc/systemd/system/multi-user.target.wants/fail2ban.service
target: /usr/lib/systemd/system/fail2ban.service
- path: /etc/systemd/system/kdump.service.target
target: /dev/null
kernel_arguments:
should_exist:
- kvm.nx_huge_pages=force
- random.trust_cpu=off
- kernel.dmesg_restrict=1
- fs.protected_fifos=2
- fs.protected_regular=2
- fs.protected_symlinks=1
- fs.protected_hardlinks=1
- net.core.bpf_jit_harden=2
- kernel.kexec_load_disabled=1
- kernel.kptr_restrict=2
- vm.mmap_rnd_bits=32
- vm.mmap_rnd_compat_bits=16
- kernel.yama.ptrace_scope=2
- fs.suid_dumpable=0
- net.ipv4.tcp_rfc1337=1
- kernel.perf_event_paranoid=3
- kernel.randomize_va_space=2
- net.ipv4.icmp_ignore_bogus_error_responses=1
- net.ipv4.conf.all.log_martians=1