Update kernel lockdown

Mathieu Strypsteen 2025-01-21 11:41:56 +01:00
parent 65cd162537
commit 5e947beb2a
Signed by: mathieu
GPG key ID: 782A42E461BC6824
14 changed files with 28 additions and 20 deletions


@ -1 +0,0 @@
w- /sys/kernel/security/lockdown - - - - confidentiality


@ -33,3 +33,6 @@ passwd:
ssh_authorized_keys: ssh_authorized_keys:
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHSZEZAdsx64pSt+2uSHU25K6m3peo2nt2oQJW3jm6i6AAAABHNzaDo= mathieu@yubikey" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHSZEZAdsx64pSt+2uSHU25K6m3peo2nt2oQJW3jm6i6AAAABHNzaDo= mathieu@yubikey"
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIH33pRp93TOK5OyidgYVYtWBNKawKFzUilOA7Nb2NWzAAAABHNzaDo= mathieu@yubikey-c" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIH33pRp93TOK5OyidgYVYtWBNKawKFzUilOA7Nb2NWzAAAABHNzaDo= mathieu@yubikey-c"
kernel_arguments:
should_exist:
- lockdown=confidentiality


@ -1,10 +1,10 @@
#!/bin/bash #!/bin/bash
set -euo pipefail set -euo pipefail
cp -R desktop/* gpu/* / cp -R desktop/* gpu/* /
sh setup-desktop.sh bash setup-desktop.sh
bash setup-ostree.sh
rpm-ostree install --idempotent akmod-nvidia nvidia-container-toolkit rpmfusion-free-release rpmfusion-nonfree-release xorg-x11-drv-nvidia xorg-x11-drv-nvidia-cuda rpm-ostree install --idempotent akmod-nvidia nvidia-container-toolkit rpmfusion-free-release rpmfusion-nonfree-release xorg-x11-drv-nvidia xorg-x11-drv-nvidia-cuda
systemctl enable --now podman-auto-update.timer sshd systemctl enable --now podman-auto-update.timer sshd
systemctl disable auditd
sed "s/SUB_UID_COUNT.*/SUB_UID_COUNT 16777216/" -i /etc/login.defs sed "s/SUB_UID_COUNT.*/SUB_UID_COUNT 16777216/" -i /etc/login.defs
sed "s/SUB_GID_COUNT.*/SUB_GID_COUNT 16777216/" -i /etc/login.defs sed "s/SUB_GID_COUNT.*/SUB_GID_COUNT 16777216/" -i /etc/login.defs
useradd -M containers || true useradd -M containers || true
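Review bot: The new `bash setup-ostree.sh` call stages `lockdown=confidentiality` on this host, and kernel lockdown (already at integrity level) enforces module signatures, so the modules that `akmod-nvidia` on the next line builds locally will be refused at load time unless akmods has a signing key that is enrolled in the firmware (MOK); nothing in this script sets that up, so either add the key generation and `mokutil --import` step before the install, or leave the lockdown argument off this GPU host. The karg and the driver both only become active on the next boot, which the script does not tell the operator. The removal of `systemctl disable auditd` here is only a move into setup-ostree.sh, so no audit behaviour changes on this host.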


@ -1,4 +1,4 @@
#!/bin/bash #!/bin/bash
set -euo pipefail set -euo pipefail
cp -R home/* / cp -R home/* /
sh setup-server.sh bash setup-server.sh


@ -1,4 +1,4 @@
#!/bin/bash #!/bin/bash
set -euo pipefail set -euo pipefail
cp -R infra/* / cp -R infra/* /
sh setup-server.sh bash setup-server.sh


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
set -euo pipefail set -euo pipefail
cp -R desktop/* laptop/* / cp -R desktop/* laptop/* /
sh setup-desktop.sh bash setup-desktop.sh
systemctl disable auditd bash setup-ostree.sh
flatpak remote-add --if-not-exists flathub /usr/lib/fedora-third-party/conf.d/fedora-flathub.flatpakrepo flatpak remote-add --if-not-exists flathub /usr/lib/fedora-third-party/conf.d/fedora-flathub.flatpakrepo
flatpak install com.github.tchx84.Flatseal com.github.wwmm.easyeffects com.github.xournalpp.xournalpp com.moonlight_stream.Moonlight com.spotify.Client com.valvesoftware.Steam com.vscodium.codium com.yubico.yubioath im.riot.Riot io.mpv.Mpv net.lutris.Lutris org.chromium.Chromium org.gimp.GIMP org.gnome.Calculator org.gnome.Evince org.gnome.Evolution org.gnome.FileRoller org.gnome.Snapshot org.gnome.TextEditor org.libreoffice.LibreOffice org.mozilla.firefox org.remmina.Remmina org.torproject.torbrowser-launcher org.virt_manager.virt-manager flatpak install com.github.tchx84.Flatseal com.github.wwmm.easyeffects com.github.xournalpp.xournalpp com.moonlight_stream.Moonlight com.spotify.Client com.valvesoftware.Steam com.vscodium.codium com.yubico.yubioath im.riot.Riot io.mpv.Mpv net.lutris.Lutris org.chromium.Chromium org.gimp.GIMP org.gnome.Calculator org.gnome.Evince org.gnome.Evolution org.gnome.FileRoller org.gnome.Snapshot org.gnome.TextEditor org.libreoffice.LibreOffice org.mozilla.firefox org.remmina.Remmina org.torproject.torbrowser-launcher org.virt_manager.virt-manager

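--- /dev/null
+++ b/setup-ostree.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -euo pipefail
+rpm-ostree kargs --append-if-missing=lockdown=confidentiality
+systemctl disable auditd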
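Review bot: `rpm-ostree kargs --append-if-missing` only stages the argument into a new deployment, so after this script runs the current boot is still not locked down, and the tmpfiles.d `w- /sys/kernel/security/lockdown` entry that used to raise the level at runtime is removed in this same commit; the script should at least say so, e.g. `grep -qw lockdown=confidentiality /proc/cmdline || echo "lockdown karg staged; reboot to apply" >&2` after the kargs line, or check `/sys/kernel/security/lockdown` on the next run. `systemctl disable auditd` on a host that is being hardened deserves a why-comment (`# auditd is disabled because …`), because it drops the audit trail on the same box whose kernel is being locked down and a reader cannot tell whether that is intentional. A one-line header comment naming what `confidentiality` blocks for these hosts (unsigned modules, /dev/mem, kexec, hibernation, kernel-memory-reading BPF) would also help whoever next wonders why a tool stopped working.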


@ -7,6 +7,6 @@ dnf config-manager setopt rpmfusion-free.enabled=true
dnf config-manager setopt rpmfusion-free-updates.enabled=true dnf config-manager setopt rpmfusion-free-updates.enabled=true
dnf install --allowerasing bash-color-prompt bash-completion borgbackup bind-utils butane default-fonts fcitx5-anthy fcitx5-autostart fedora-flathub-remote ffmpeg file-roller fuse-sshfs gcc gcc-gdb-plugin glibc-all-langpacks helm htop kubernetes-client nautilus netcat nodejs-npm pipx qubes-ctap ShellCheck toolbox wireguard-tools whois xdg-desktop-portal-gtk yt-dlp dnf install --allowerasing bash-color-prompt bash-completion borgbackup bind-utils butane default-fonts fcitx5-anthy fcitx5-autostart fedora-flathub-remote ffmpeg file-roller fuse-sshfs gcc gcc-gdb-plugin glibc-all-langpacks helm htop kubernetes-client nautilus netcat nodejs-npm pipx qubes-ctap ShellCheck toolbox wireguard-tools whois xdg-desktop-portal-gtk yt-dlp
dnf remove cheese evolution-data-server firefox gnome-software gnome-weather PackageKit-command-not-found rpmfusion-nonfree-release thunderbird totem dnf remove cheese evolution-data-server firefox gnome-software gnome-weather PackageKit-command-not-found rpmfusion-nonfree-release thunderbird totem
sh setup-desktop.sh bash setup-desktop.sh
all_proxy=127.0.0.1:8082 flatpak remote-add --if-not-exists flathub /usr/lib/fedora-third-party/conf.d/fedora-flathub.flatpakrepo all_proxy=127.0.0.1:8082 flatpak remote-add --if-not-exists flathub /usr/lib/fedora-third-party/conf.d/fedora-flathub.flatpakrepo
all_proxy=127.0.0.1:8082 flatpak install com.github.tchx84.Flatseal com.github.xournalpp.xournalpp com.moonlight_stream.Moonlight com.yubico.yubioath im.riot.Riot io.mpv.Mpv org.chromium.Chromium org.freedesktop.Platform.ffmpeg-full/x86_64/23.08 org.gimp.GIMP org.gnome.Evolution org.libreoffice.LibreOffice org.mozilla.firefox all_proxy=127.0.0.1:8082 flatpak install com.github.tchx84.Flatseal com.github.xournalpp.xournalpp com.moonlight_stream.Moonlight com.yubico.yubioath im.riot.Riot io.mpv.Mpv org.chromium.Chromium org.freedesktop.Platform.ffmpeg-full/x86_64/23.08 org.gimp.GIMP org.gnome.Evolution org.libreoffice.LibreOffice org.mozilla.firefox


@ -7,3 +7,4 @@ qvm-features dom0 gui-default-secure-paste-sequence Ctrl-Mod4-v
sudo qubes-dom0-update bash-completion kernel-latest-qubes-vm pipewire pipewire-pulseaudio qubes-ctap-dom0 qubes-screenshot-helper sudo qubes-dom0-update bash-completion kernel-latest-qubes-vm pipewire pipewire-pulseaudio qubes-ctap-dom0 qubes-screenshot-helper
sudo dnf remove kernel-qubes-vm sudo dnf remove kernel-qubes-vm
qvm-features sys-net ipv6 1 qvm-features sys-net ipv6 1
qvm-prefs fedora-41 kernelopts "swiotlb=2048 lockdown=confidentiality"
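Review bot: The template name `fedora-41` is hard-coded on the new `qvm-prefs` line, so on a dom0 whose template is a different release the command errors out (aborting the rest of the script) or configures a template that is not the one in use; `template=$(qubes-prefs default_template)` followed by `qvm-prefs "$template" kernelopts "swiotlb=2048 lockdown=confidentiality"` would track the actual default, if that is the intended target. `kernelopts` appears to be a per-qube property rather than something AppVMs take from their template — confirm; if so, qubes based on this template still boot without the lockdown argument and need the same setting. The assignment also replaces the whole kernelopts string, so any other argument previously set on that template is dropped. The enclosing script starts before this hunk.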


@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
set -euo pipefail set -euo pipefail
cp -R sandbox/* / cp -R sandbox/* /
sh setup-server.sh bash setup-server.sh
systemctl enable --now podman.socket systemctl enable --now podman.socket


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
set -euo pipefail set -euo pipefail
cp -R server/* / cp -R server/* /
systemctl disable auditd bash setup-ostree.sh
systemctl disable --now docker.socket rpm-ostree-countme.timer systemctl disable --now docker.socket rpm-ostree-countme.timer
systemctl enable --now podman-auto-update.timer systemctl enable --now podman-auto-update.timer
systemctl enable --global podman-auto-update.timer systemctl enable --global podman-auto-update.timer


@ -2,4 +2,4 @@
set -euo pipefail set -euo pipefail
cp -R vps/* / cp -R vps/* /
ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
sh setup-server.sh bash setup-server.sh


@ -6,29 +6,29 @@ if [ "$USER" != root ]; then
exit 1 exit 1
fi fi
if [ -f /etc/qubes-release ]; then if [ -f /etc/qubes-release ]; then
sh setup-qubes.sh bash setup-qubes.sh
exit exit
fi fi
if [ ! -f /etc/fedora-release ]; then if [ ! -f /etc/fedora-release ]; then
exit exit
fi fi
sh setup-common.sh bash setup-common.sh
if [ -f /usr/share/qubes/marker-vm ]; then if [ -f /usr/share/qubes/marker-vm ]; then
sh setup-qubes-fedora.sh bash setup-qubes-fedora.sh
elif [ -d /usr/lib/coreos ]; then elif [ -d /usr/lib/coreos ]; then
if [ "$1" = vps ]; then if [ "$1" = vps ]; then
sh setup-vps.sh bash setup-vps.sh
elif [ "$1" = home ]; then elif [ "$1" = home ]; then
sh setup-home.sh bash setup-home.sh
elif [ "$1" = sandbox ]; then elif [ "$1" = sandbox ]; then
sh setup-sandbox.sh bash setup-sandbox.sh
elif [ "$1" = infra ]; then elif [ "$1" = infra ]; then
sh setup-infra.sh bash setup-infra.sh
fi fi
elif [ -d /ostree ]; then elif [ -d /ostree ]; then
if [ "$1" = laptop ]; then if [ "$1" = laptop ]; then
sh setup-laptop.sh bash setup-laptop.sh
elif [ "$1" = gpu ]; then elif [ "$1" = gpu ]; then
sh setup-gpu.sh bash setup-gpu.sh
fi fi
fi fi


@ -5,3 +5,4 @@ ssh infra "cd /var/lib/system-config; git pull; ./setup.sh infra"
ssh home "cd /var/lib/system-config; git pull; ./setup.sh home" ssh home "cd /var/lib/system-config; git pull; ./setup.sh home"
ssh sandbox "cd /var/lib/system-config; git pull; ./setup.sh sandbox" ssh sandbox "cd /var/lib/system-config; git pull; ./setup.sh sandbox"
ssh vps "cd /var/lib/system-config; git pull; ./setup.sh vps" ssh vps "cd /var/lib/system-config; git pull; ./setup.sh vps"
ssh gpu "cd /var/lib/system-config; git pull; ./setup.sh gpu"
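Review bot: On the new `ssh gpu …` line (as on the existing ones) the remote commands are chained with `;`, so `./setup.sh gpu` still runs, presumably as root, against whatever is checked out when the `cd` or the `git pull` fails, and `git pull` merges whatever the remote serves without checking the GPG signatures this repository's commits carry. Suggest `ssh gpu "cd /var/lib/system-config && git pull --verify-signatures && ./setup.sh gpu"`, which requires the signing key to be in that host's gpg keyring. Since setup-ostree.sh only stages the lockdown kernel argument, the gpu host also needs a reboot after this deploy before the setting is live, and this script does not trigger or mention one. The enclosing script starts before this hunk.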