Update kernel lockdown

common/etc/tmpfiles.d/common.conf

@@ -1 +0,0 @@
-w- /sys/kernel/security/lockdown - - - - confidentiality

ignition/home-gw.bu

@@ -33,3 +33,6 @@ passwd:
       ssh_authorized_keys:
         - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHSZEZAdsx64pSt+2uSHU25K6m3peo2nt2oQJW3jm6i6AAAABHNzaDo= mathieu@yubikey"
         - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIH33pRp93TOK5OyidgYVYtWBNKawKFzUilOA7Nb2NWzAAAABHNzaDo= mathieu@yubikey-c"
+kernel_arguments:
+  should_exist:
+    - lockdown=confidentiality

setup-gpu.sh

@@ -1,10 +1,10 @@
 #!/bin/bash
 set -euo pipefail
 cp -R desktop/* gpu/* /
-sh setup-desktop.sh
+bash setup-desktop.sh
+bash setup-ostree.sh
 rpm-ostree install --idempotent akmod-nvidia nvidia-container-toolkit rpmfusion-free-release rpmfusion-nonfree-release xorg-x11-drv-nvidia xorg-x11-drv-nvidia-cuda
 systemctl enable --now podman-auto-update.timer sshd
-systemctl disable auditd
 sed "s/SUB_UID_COUNT.*/SUB_UID_COUNT 16777216/" -i /etc/login.defs
 sed "s/SUB_GID_COUNT.*/SUB_GID_COUNT 16777216/" -i /etc/login.defs
 useradd -M containers || true

setup-home.sh

@@ -1,4 +1,4 @@
 #!/bin/bash
 set -euo pipefail
 cp -R home/* /
-sh setup-server.sh
+bash setup-server.sh

setup-infra.sh

@@ -1,4 +1,4 @@
 #!/bin/bash
 set -euo pipefail
 cp -R infra/* /
-sh setup-server.sh
+bash setup-server.sh

setup-laptop.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 set -euo pipefail
 cp -R desktop/* laptop/* /
-sh setup-desktop.sh
-systemctl disable auditd
+bash setup-desktop.sh
+bash setup-ostree.sh
 flatpak remote-add --if-not-exists flathub /usr/lib/fedora-third-party/conf.d/fedora-flathub.flatpakrepo
 flatpak install com.github.tchx84.Flatseal com.github.wwmm.easyeffects com.github.xournalpp.xournalpp com.moonlight_stream.Moonlight com.spotify.Client com.valvesoftware.Steam com.vscodium.codium com.yubico.yubioath im.riot.Riot io.mpv.Mpv net.lutris.Lutris org.chromium.Chromium org.gimp.GIMP org.gnome.Calculator org.gnome.Evince org.gnome.Evolution org.gnome.FileRoller org.gnome.Snapshot org.gnome.TextEditor org.libreoffice.LibreOffice org.mozilla.firefox org.remmina.Remmina org.torproject.torbrowser-launcher org.virt_manager.virt-manager

setup-ostree.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+set -euo pipefail
+rpm-ostree kargs --append-if-missing=lockdown=confidentiality
+systemctl disable auditd

setup-qubes-fedora.sh

@@ -7,6 +7,6 @@ dnf config-manager setopt rpmfusion-free.enabled=true
 dnf config-manager setopt rpmfusion-free-updates.enabled=true
 dnf install --allowerasing bash-color-prompt bash-completion borgbackup bind-utils butane default-fonts fcitx5-anthy fcitx5-autostart fedora-flathub-remote ffmpeg file-roller fuse-sshfs gcc gcc-gdb-plugin glibc-all-langpacks helm htop kubernetes-client nautilus netcat nodejs-npm pipx qubes-ctap ShellCheck toolbox wireguard-tools whois xdg-desktop-portal-gtk yt-dlp
 dnf remove cheese evolution-data-server firefox gnome-software gnome-weather PackageKit-command-not-found rpmfusion-nonfree-release thunderbird totem
-sh setup-desktop.sh
+bash setup-desktop.sh
 all_proxy=127.0.0.1:8082 flatpak remote-add --if-not-exists flathub /usr/lib/fedora-third-party/conf.d/fedora-flathub.flatpakrepo
 all_proxy=127.0.0.1:8082 flatpak install com.github.tchx84.Flatseal com.github.xournalpp.xournalpp com.moonlight_stream.Moonlight com.yubico.yubioath im.riot.Riot io.mpv.Mpv org.chromium.Chromium org.freedesktop.Platform.ffmpeg-full/x86_64/23.08 org.gimp.GIMP org.gnome.Evolution org.libreoffice.LibreOffice org.mozilla.firefox

setup-qubes.sh

@@ -7,3 +7,4 @@ qvm-features dom0 gui-default-secure-paste-sequence Ctrl-Mod4-v
 sudo qubes-dom0-update bash-completion kernel-latest-qubes-vm pipewire pipewire-pulseaudio qubes-ctap-dom0 qubes-screenshot-helper
 sudo dnf remove kernel-qubes-vm
 qvm-features sys-net ipv6 1
+qvm-prefs fedora-41 kernelopts "swiotlb=2048 lockdown=confidentiality"

setup-sandbox.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
 set -euo pipefail
 cp -R sandbox/* /
-sh setup-server.sh
+bash setup-server.sh
 systemctl enable --now podman.socket

setup-server.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 set -euo pipefail
 cp -R server/* /
-systemctl disable auditd
+bash setup-ostree.sh
 systemctl disable --now docker.socket rpm-ostree-countme.timer
 systemctl enable --now podman-auto-update.timer
 systemctl enable --global podman-auto-update.timer

setup-vps.sh

@@ -2,4 +2,4 @@
 set -euo pipefail
 cp -R vps/* /
 ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
-sh setup-server.sh
+bash setup-server.sh

setup.sh

@@ -6,29 +6,29 @@ if [ "$USER" != root ]; then
   exit 1
 fi
 if [ -f /etc/qubes-release ]; then
-  sh setup-qubes.sh
+  bash setup-qubes.sh
   exit
 fi
 if [ ! -f /etc/fedora-release ]; then
   exit
 fi
-sh setup-common.sh
+bash setup-common.sh
 if [ -f /usr/share/qubes/marker-vm ]; then
-  sh setup-qubes-fedora.sh
+  bash setup-qubes-fedora.sh
 elif [ -d /usr/lib/coreos ]; then
   if [ "$1" = vps ]; then
-    sh setup-vps.sh
+    bash setup-vps.sh
   elif [ "$1" = home ]; then
-    sh setup-home.sh
+    bash setup-home.sh
   elif [ "$1" = sandbox ]; then
-    sh setup-sandbox.sh
+    bash setup-sandbox.sh
   elif [ "$1" = infra ]; then
-    sh setup-infra.sh
+    bash setup-infra.sh
   fi
 elif [ -d /ostree ]; then
   if [ "$1" = laptop ]; then
-    sh setup-laptop.sh
+    bash setup-laptop.sh
   elif [ "$1" = gpu ]; then
-    sh setup-gpu.sh
+    bash setup-gpu.sh
   fi
 fi

sync-changes.sh

@@ -5,3 +5,4 @@ ssh infra "cd /var/lib/system-config; git pull; ./setup.sh infra"
 ssh home "cd /var/lib/system-config; git pull; ./setup.sh home"
 ssh sandbox "cd /var/lib/system-config; git pull; ./setup.sh sandbox"
 ssh vps "cd /var/lib/system-config; git pull; ./setup.sh vps"
+ssh gpu "cd /var/lib/system-config; git pull; ./setup.sh gpu"