From 0632591996893fe136a1f2fe44d9b9f404f41f3e Mon Sep 17 00:00:00 2001 
From: Harald Pfeiffer Date: Thu, 1 Nov 2018 13:30:58 +0100 Subject: Initial commit --- localfs/etc/NetworkManager/NetworkManager.conf | 52 +++++ localfs/etc/X11/xorg.conf.d/00-keyboard.conf | 9 + localfs/etc/X11/xorg.conf.d/20-displaylink.conf | 38 ++++ localfs/etc/X11/xorg.conf.d/20-intel.conf | 13 ++ localfs/etc/X11/xorg.conf.d/80-backlight.conf | 5 + localfs/etc/bashrc.delta | 3 + localfs/etc/crypttab | 2 + localfs/etc/default/grub | 18 ++ localfs/etc/dnf/dnf.conf | 7 + localfs/etc/dnf/protected.d/dnf.conf | 1 + localfs/etc/dnf/protected.d/rpm.conf | 1 + localfs/etc/dnf/protected.d/storage.conf | 3 + localfs/etc/firewalld/direct.xml | 8 + localfs/etc/firewalld/firewalld-server.conf | 57 ++++++ localfs/etc/firewalld/firewalld-standard.conf | 57 ++++++ localfs/etc/firewalld/firewalld-workstation.conf | 58 ++++++ localfs/etc/firewalld/firewalld.conf | 1 + localfs/etc/firewalld/lockdown-whitelist.xml | 7 + localfs/etc/firewalld/services/check_mk.xml | 9 + localfs/etc/firewalld/services/nfs.xml | 7 + localfs/etc/firewalld/zones/FedoraWorkstation.xml | 16 ++ .../etc/firewalld/zones/FedoraWorkstation.xml.old | 15 ++ localfs/etc/firewalld/zones/home.xml | 5 + localfs/etc/firewalld/zones/home.xml.old | 6 + localfs/etc/firewalld/zones/internal.xml | 5 + localfs/etc/firewalld/zones/internal.xml.old | 6 + localfs/etc/firewalld/zones/kvm.xml | 7 + localfs/etc/firewalld/zones/kvm.xml.old | 8 + localfs/etc/firewalld/zones/lokalhorst.xml | 8 + localfs/etc/firewalld/zones/lokalhorst.xml.old | 9 + localfs/etc/fstab | 25 +++ localfs/etc/httpd/conf.d/indexes | 1 + localfs/etc/httpd/conf.d/misc.conf | 7 + localfs/etc/httpd/conf.d/security.conf | 1 + localfs/etc/httpd/conf.d/security.d/csp.conf | 4 + localfs/etc/httpd/conf.d/security.d/hsts.conf | 4 + localfs/etc/httpd/conf.d/security.d/maxconns.conf | 1 + localfs/etc/httpd/conf.d/security.d/signature.conf | 3 + localfs/etc/httpd/conf.d/ssl.conf | 224 +++++++++++++++++++++ localfs/etc/httpd/conf.d/utf8.conf | 1 + 
localfs/etc/httpd/conf.d/vhosts.conf | 1 + localfs/etc/httpd/conf.d/vhosts.d/jango104.conf | 140 +++++++++++++ localfs/etc/httpd/conf.d/welcome.bak | 18 ++ localfs/etc/httpd/conf.modules.d/00-proxyhtml.conf | 3 + localfs/etc/httpd/conf.modules.d/10-geoip.conf | 1 + .../etc/httpd/conf.modules.d/10-limitipconn.conf | 15 ++ localfs/etc/httpd/run | 1 + localfs/etc/libvirt.key | 7 + localfs/etc/logrotate.d/clamav-update | 4 + localfs/etc/logrotate.d/httpd | 15 ++ localfs/etc/profile.d/netcatandquit.sh | 15 ++ localfs/etc/profile.d/shellhist.sh | 28 +++ localfs/etc/profile.d/taskd.sh | 1 + localfs/etc/samba/smb.conf | 33 +++ .../targeted/contexts/files/file_contexts.local | 15 ++ localfs/etc/ssh/sshd_config | 161 +++++++++++++++ localfs/etc/sssd/sssd.conf | 47 +++++ localfs/etc/sudoers.d/dnf | 1 + localfs/etc/sudoers.d/firewallcmd-completion | 2 + localfs/etc/sudoers.d/insults | 1 + localfs/etc/sudoers.d/inxi | 2 + localfs/etc/sudoers.d/network | 1 + localfs/etc/sudoers.d/shutdown | 1 + localfs/etc/sysconfig/network-scripts/.gitignore | 1 + .../sysconfig/network-scripts/ifcfg-CISCO-default | 20 ++ .../sysconfig/network-scripts/ifcfg-br0-default | 20 ++ .../sysconfig/network-scripts/ifcfg-br0-example1 | 20 ++ .../network-scripts/ifcfg-enp0s31f6-default | 9 + localfs/etc/sysconfig/network-scripts/ifcfg-lo | 9 + .../network-scripts/ifcfg-wlp1s0-Brueckengandalf | 12 ++ .../network-scripts/ifcfg-wlp1s0-dingeling | 19 ++ .../sysconfig/network-scripts/ifcfg-wlp1s0-hotspot | 19 ++ .../network-scripts/ifcfg-wlp1s0-peap-gtc | 23 +++ .../network-scripts/ifcfg-wlp1s0-peap-mschapv2 | 23 +++ .../network-scripts/ifcfg-wlp1s0-telekom-free | 18 ++ localfs/etc/sysctl.d/93-disable-ipv6.conf | 2 + localfs/etc/sysctl.d/94-bridgenotables.conf | 4 + localfs/etc/sysctl.d/95-forwarding.conf | 6 + localfs/etc/sysctl.d/96-noredir.conf | 4 + localfs/etc/sysctl.d/97-transmission.conf | 2 + localfs/etc/sysctl.d/99-sysctl.conf | 10 + .../etc/systemd/system/cluster-muromachi.target | 6 + 
localfs/etc/systemd/system/freshclam.service | 15 ++ localfs/etc/systemd/system/kvm-arch.service | 12 ++ localfs/etc/systemd/system/kvm-clustervm@.service | 31 +++ localfs/etc/systemd/system/kvm-debian.service | 12 ++ localfs/etc/systemd/system/kvm-firewall.service | 21 ++ localfs/etc/systemd/system/kvm-guestmount.service | 13 ++ localfs/etc/systemd/system/kvm-infravm@.service | 23 +++ localfs/etc/systemd/system/kvm-jango105.service | 12 ++ localfs/etc/systemd/system/kvm-opensuse.service | 12 ++ localfs/etc/yum.repos.d/_copr_gregw-i3desktop.repo | 10 + .../etc/yum.repos.d/_copr_markand-RetroArch.repo | 10 + .../yum.repos.d/_copr_plambri-desktop-apps.repo | 10 + localfs/etc/yum.repos.d/_copr_taw-Riot.repo | 10 + .../yum.repos.d/_copr_wyvie-compton-master.repo | 10 + localfs/etc/yum.repos.d/adobe-linux-x86_64.repo | 7 + localfs/etc/yum.repos.d/docker-ce-fallback.repo | 6 + localfs/etc/yum.repos.d/dotnetdev.repo | 6 + localfs/etc/yum.repos.d/home:zhonghuaren.repo | 7 + localfs/etc/yum.repos.d/keybase.repo | 7 + localfs/etc/yum.repos.d/skype-stable.repo | 6 + localfs/etc/yum.repos.d/telred-fedora-27.repo | 6 + .../etc/yum.repos.d/telred-fedora-27.repo.rpmsave | 6 + localfs/etc/yum.repos.d/telred-fedora-28.repo | 6 + localfs/etc/yum.repos.d/vivaldi.repo | 6 + 106 files changed, 1716 insertions(+) create mode 100644 localfs/etc/NetworkManager/NetworkManager.conf create mode 100644 localfs/etc/X11/xorg.conf.d/00-keyboard.conf create mode 100644 localfs/etc/X11/xorg.conf.d/20-displaylink.conf create mode 100644 localfs/etc/X11/xorg.conf.d/20-intel.conf create mode 100644 localfs/etc/X11/xorg.conf.d/80-backlight.conf create mode 100644 localfs/etc/bashrc.delta create mode 100644 localfs/etc/crypttab create mode 100644 localfs/etc/default/grub create mode 100644 localfs/etc/dnf/dnf.conf create mode 100644 localfs/etc/dnf/protected.d/dnf.conf create mode 100644 localfs/etc/dnf/protected.d/rpm.conf create mode 100644 localfs/etc/dnf/protected.d/storage.conf create mode 100644 
localfs/etc/firewalld/direct.xml create mode 100644 localfs/etc/firewalld/firewalld-server.conf create mode 100644 localfs/etc/firewalld/firewalld-standard.conf create mode 100644 localfs/etc/firewalld/firewalld-workstation.conf create mode 120000 localfs/etc/firewalld/firewalld.conf create mode 100644 localfs/etc/firewalld/lockdown-whitelist.xml create mode 100644 localfs/etc/firewalld/services/check_mk.xml create mode 100644 localfs/etc/firewalld/services/nfs.xml create mode 100644 localfs/etc/firewalld/zones/FedoraWorkstation.xml create mode 100644 localfs/etc/firewalld/zones/FedoraWorkstation.xml.old create mode 100644 localfs/etc/firewalld/zones/home.xml create mode 100644 localfs/etc/firewalld/zones/home.xml.old create mode 100644 localfs/etc/firewalld/zones/internal.xml create mode 100644 localfs/etc/firewalld/zones/internal.xml.old create mode 100644 localfs/etc/firewalld/zones/kvm.xml create mode 100644 localfs/etc/firewalld/zones/kvm.xml.old create mode 100644 localfs/etc/firewalld/zones/lokalhorst.xml create mode 100644 localfs/etc/firewalld/zones/lokalhorst.xml.old create mode 100644 localfs/etc/fstab create mode 100644 localfs/etc/httpd/conf.d/indexes create mode 100644 localfs/etc/httpd/conf.d/misc.conf create mode 100644 localfs/etc/httpd/conf.d/security.conf create mode 100644 localfs/etc/httpd/conf.d/security.d/csp.conf create mode 100644 localfs/etc/httpd/conf.d/security.d/hsts.conf create mode 100644 localfs/etc/httpd/conf.d/security.d/maxconns.conf create mode 100644 localfs/etc/httpd/conf.d/security.d/signature.conf create mode 100644 localfs/etc/httpd/conf.d/ssl.conf create mode 100644 localfs/etc/httpd/conf.d/utf8.conf create mode 100644 localfs/etc/httpd/conf.d/vhosts.conf create mode 100644 localfs/etc/httpd/conf.d/vhosts.d/jango104.conf create mode 100644 localfs/etc/httpd/conf.d/welcome.bak create mode 100644 localfs/etc/httpd/conf.modules.d/00-proxyhtml.conf create mode 100644 localfs/etc/httpd/conf.modules.d/10-geoip.conf create mode 
100644 localfs/etc/httpd/conf.modules.d/10-limitipconn.conf create mode 120000 localfs/etc/httpd/run create mode 100644 localfs/etc/libvirt.key create mode 100644 localfs/etc/logrotate.d/clamav-update create mode 100644 localfs/etc/logrotate.d/httpd create mode 100644 localfs/etc/profile.d/netcatandquit.sh create mode 100644 localfs/etc/profile.d/shellhist.sh create mode 100644 localfs/etc/profile.d/taskd.sh create mode 100644 localfs/etc/samba/smb.conf create mode 100644 localfs/etc/selinux/targeted/contexts/files/file_contexts.local create mode 100644 localfs/etc/ssh/sshd_config create mode 100644 localfs/etc/sssd/sssd.conf create mode 100644 localfs/etc/sudoers.d/dnf create mode 100644 localfs/etc/sudoers.d/firewallcmd-completion create mode 100644 localfs/etc/sudoers.d/insults create mode 100644 localfs/etc/sudoers.d/inxi create mode 100644 localfs/etc/sudoers.d/network create mode 100644 localfs/etc/sudoers.d/shutdown create mode 100644 localfs/etc/sysconfig/network-scripts/.gitignore create mode 100644 localfs/etc/sysconfig/network-scripts/ifcfg-CISCO-default create mode 100644 localfs/etc/sysconfig/network-scripts/ifcfg-br0-default create mode 100644 localfs/etc/sysconfig/network-scripts/ifcfg-br0-example1 create mode 100644 localfs/etc/sysconfig/network-scripts/ifcfg-enp0s31f6-default create mode 100644 localfs/etc/sysconfig/network-scripts/ifcfg-lo create mode 100644 localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-Brueckengandalf create mode 100644 localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-dingeling create mode 100644 localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-hotspot create mode 100644 localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-peap-gtc create mode 100644 localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-peap-mschapv2 create mode 100644 localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-telekom-free create mode 100644 localfs/etc/sysctl.d/93-disable-ipv6.conf create mode 100644 localfs/etc/sysctl.d/94-bridgenotables.conf 
create mode 100644 localfs/etc/sysctl.d/95-forwarding.conf create mode 100644 localfs/etc/sysctl.d/96-noredir.conf create mode 100644 localfs/etc/sysctl.d/97-transmission.conf create mode 100644 localfs/etc/sysctl.d/99-sysctl.conf create mode 100644 localfs/etc/systemd/system/cluster-muromachi.target create mode 100644 localfs/etc/systemd/system/freshclam.service create mode 100644 localfs/etc/systemd/system/kvm-arch.service create mode 100644 localfs/etc/systemd/system/kvm-clustervm@.service create mode 100644 localfs/etc/systemd/system/kvm-debian.service create mode 100644 localfs/etc/systemd/system/kvm-firewall.service create mode 100644 localfs/etc/systemd/system/kvm-guestmount.service create mode 100644 localfs/etc/systemd/system/kvm-infravm@.service create mode 100644 localfs/etc/systemd/system/kvm-jango105.service create mode 100644 localfs/etc/systemd/system/kvm-opensuse.service create mode 100644 localfs/etc/yum.repos.d/_copr_gregw-i3desktop.repo create mode 100644 localfs/etc/yum.repos.d/_copr_markand-RetroArch.repo create mode 100644 localfs/etc/yum.repos.d/_copr_plambri-desktop-apps.repo create mode 100644 localfs/etc/yum.repos.d/_copr_taw-Riot.repo create mode 100644 localfs/etc/yum.repos.d/_copr_wyvie-compton-master.repo create mode 100644 localfs/etc/yum.repos.d/adobe-linux-x86_64.repo create mode 100644 localfs/etc/yum.repos.d/docker-ce-fallback.repo create mode 100644 localfs/etc/yum.repos.d/dotnetdev.repo create mode 100644 localfs/etc/yum.repos.d/home:zhonghuaren.repo create mode 100644 localfs/etc/yum.repos.d/keybase.repo create mode 100644 localfs/etc/yum.repos.d/skype-stable.repo create mode 100644 localfs/etc/yum.repos.d/telred-fedora-27.repo create mode 100644 localfs/etc/yum.repos.d/telred-fedora-27.repo.rpmsave create mode 100644 localfs/etc/yum.repos.d/telred-fedora-28.repo create mode 100644 localfs/etc/yum.repos.d/vivaldi.repo (limited to 'localfs/etc') 
diff --git a/localfs/etc/NetworkManager/NetworkManager.conf b/localfs/etc/NetworkManager/NetworkManager.conf
new file mode 100644
index 0000000..3b05c7a
--- /dev/null
+++ b/localfs/etc/NetworkManager/NetworkManager.conf
@@ -0,0 +1,52 @@
+# Configuration file for NetworkManager.
+#
+# See "man 5 NetworkManager.conf" for details.
+#
+# The directories /usr/lib/NetworkManager/conf.d/ and /var/run/NetworkManager/conf.d/
+# can contain additional configuration snippets installed by packages. These files are
+# read before NetworkManager.conf and have thus lowest priority.
+# The directory /etc/NetworkManager/conf.d/ can contain additional configuration
+# snippets. Those snippets are merged last and overwrite the settings from this main
+# file.
+#
+# The files within one conf.d/ directory are read in asciibetical order.
+#
+# If /etc/NetworkManager/conf.d/ contains a file with the same name as
+# /usr/lib/NetworkManager/conf.d/, the latter file is shadowed and thus ignored.
+# Hence, to disable loading a file from /usr/lib/NetworkManager/conf.d/ you can
+# put an empty file to /etc with the same name. The same applies with respect
+# to the directory /var/run/NetworkManager/conf.d where files in /var/run shadow
+# /usr/lib and are themselves shadowed by files under /etc.
+#
+# If two files define the same key, the one that is read afterwards will overwrite
+# the previous one.
+
+[main]
+#plugins=ifcfg-rh,ibft
+#unmanaged-devices=interface-name:sosbr0;interface-name:clusbr0
+unmanaged-devices=interface-name:sosbr0-nic;interface-name:clusbr0
+
+
+[logging]
+# When debugging NetworkManager, enabling debug logging is of great help.
+#
+# Logfiles contain no passwords and little sensitive information. But please
+# check before posting the file online. You can also personally hand over the
+# logfile to a NM developer to treat it confidential. Meet us on #nm on freenode.
+# Please post full logfiles except minimal modifications of private data.
+#
+# You can also change the log-level at runtime via
+# $ nmcli general logging level TRACE domains ALL
+# However, usually it's cleaner to enable debug logging
+# in the configuration and restart NetworkManager so that
+# debug logging is enabled from the start.
+#
+# You will find the logfiles in syslog, for example via
+# $ journalctl -u NetworkManager
+#
+# Note that debug logging of NetworkManager can be quite verbose. Some messages
+# might be rate-limited by the logging daemon (see RateLimitIntervalSec, RateLimitBurst
+# in man journald.conf).
+#
+#level=TRACE
+#domains=ALL
diff --git a/localfs/etc/X11/xorg.conf.d/00-keyboard.conf b/localfs/etc/X11/xorg.conf.d/00-keyboard.conf
new file mode 100644
index 0000000..7e5c389
--- /dev/null
+++ b/localfs/etc/X11/xorg.conf.d/00-keyboard.conf
@@ -0,0 +1,9 @@
+# Written by systemd-localed(8), read by systemd-localed and Xorg. It's
+# probably wise not to edit this file manually. Use localectl(1) to
+# instruct systemd-localed to update it.
+Section "InputClass"
+ Identifier "system-keyboard"
+ MatchIsKeyboard "on"
+ Option "XkbLayout" "de,ie,bg,de"
+ Option "XkbVariant" ",,phonetic,ru"
+EndSection
diff --git a/localfs/etc/X11/xorg.conf.d/20-displaylink.conf b/localfs/etc/X11/xorg.conf.d/20-displaylink.conf
new file mode 100644
index 0000000..9d2cfa8
--- /dev/null
+++ b/localfs/etc/X11/xorg.conf.d/20-displaylink.conf
@@ -0,0 +1,38 @@
+Section "Device"
+ Identifier "intel"
+ Driver "modesetting"
+ Option "kmsdev" "/dev/dri/card0"
+ Option "PageFlip" "off"
+ Option "SWCursor" "on"
+ Option "ShadowFB" "true"
+EndSection
+
+Section "Device"
+ Identifier "USB3"
+ BusID "USB"
+ Driver "modesetting"
+ Option "kmsdev" "/dev/dri/card1"
+ Option "PageFlip" "off"
+ Option "SWCursor" "on"
+ Option "ShadowFB" "true"
+EndSection
+
+Section "Device"
+ Identifier "USB3"
+ BusID "USB"
+ Driver "modesetting"
+ Option "kmsdev" "/dev/dri/card2"
+ Option "PageFlip" "off"
+ Option "SWCursor" "on"
+ Option "ShadowFB" "true"
+EndSection
+
+Section "Device"
+ Identifier "USB3"
+ BusID "USB"
+ Driver "modesetting"
+ Option "kmsdev" "/dev/dri/card3"
+ Option "PageFlip" "off"
+ Option "SWCursor" "on"
+ Option "ShadowFB" "true"
+EndSection
diff --git a/localfs/etc/X11/xorg.conf.d/20-intel.conf b/localfs/etc/X11/xorg.conf.d/20-intel.conf
new file mode 100644
index 0000000..bbe28f3
--- /dev/null
+++ b/localfs/etc/X11/xorg.conf.d/20-intel.conf
@@ -0,0 +1,13 @@
+Section "Device"
+Identifier "Intel Graphics"
+Driver "Intel"
+Option "AccelMethod" "sna"
+Option "TearFree" "false"
+Option "TripleBuffer" "true"
+Option "MigrationHeuristic" "greedy"
+Option "Tiling" "true"
+Option "Pageflip" "true"
+Option "ExaNoComposite" "false"
+Option "Tiling" "true"
+Option "Pageflip" "true"
+EndSection
diff --git a/localfs/etc/X11/xorg.conf.d/80-backlight.conf b/localfs/etc/X11/xorg.conf.d/80-backlight.conf
new file mode 100644
index 0000000..0291612
--- /dev/null
+++ b/localfs/etc/X11/xorg.conf.d/80-backlight.conf
@@ -0,0 +1,5 @@
+Section "Device"
+ Identifier "Intel Graphics"
+ Driver "intel"
+ Option "Backlight" "/sys/class/backlight"
+EndSection
diff --git a/localfs/etc/bashrc.delta b/localfs/etc/bashrc.delta
new file mode 100644
index 0000000..be173ed
--- /dev/null
+++ b/localfs/etc/bashrc.delta
@@ -0,0 +1,3 @@
+# Add this line near the bottom:
+
+PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
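Review bot: The second, third and fourth `Section "Device"` blocks all declare `Identifier "USB3"`, so Xorg cannot tell them apart by name and will at best bind one of them; each needs a distinct identifier tied to the device it points at, e.g. `Identifier "USB3-card1"` for `/dev/dri/card1`, `"USB3-card2"` for `card2`, `"USB3-card3"` for `card3`. The first block's `Identifier "intel"` with `Driver "modesetting"` also competes with `Identifier "Intel Graphics"` / `Driver "intel"` in 20-intel.conf and 80-backlight.conf of the same commit for what is presumably the same GPU, and nothing says which file is meant to win when all three are present in xorg.conf.d. A header comment naming the intended precedence, or leaving only one of the two driver choices enabled, would make that reviewable.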
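Review bot: `Option "Tiling" "true"` and `Option "Pageflip" "true"` each appear twice in this Device section (lines 8-9 and 11-12 of the file); the second pair should be dropped. `Driver "Intel"` is capitalised here while 80-backlight.conf in the same commit writes `Driver "intel"` for a section with the identical `Identifier "Intel Graphics"`; the module on disk is `intel_drv.so`, so both files should use the lowercase `Driver "intel"`, and whether Xorg merges or rejects two Device sections sharing one Identifier across conf.d files should be checked rather than assumed. Unlike the other xorg snippets, this file has no indentation at all, which makes the duplicates easy to miss.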
diff --git a/localfs/etc/crypttab b/localfs/etc/crypttab
new file mode 100644
index 0000000..0a68703
--- /dev/null
+++ b/localfs/etc/crypttab
@@ -0,0 +1,2 @@
+luks- UUID= none
+libvirt UUID= /path/to/key luks
diff --git a/localfs/etc/default/grub b/localfs/etc/default/grub
new file mode 100644
index 0000000..b20578a
--- /dev/null
+++ b/localfs/etc/default/grub
@@ -0,0 +1,18 @@
+GRUB_TIMEOUT=5
+GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
+GRUB_DEFAULT=saved
+GRUB_DISABLE_SUBMENU=true
+#GRUB_TERMINAL_OUTPUT="console"
+## With plymouth:
+#GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-6e954a90-4449-4697-a452-f70abc6bc87e rd.lvm.lv=system/root rd.lvm.lv=system/swap rd.lvm.lv=system/usr rhgb quiet"
+## ...and without plymouth:
+#GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-6e954a90-4449-4697-a452-f70abc6bc87e rd.lvm.lv=system/root rd.lvm.lv=system/swap rd.lvm.lv=system/usr quiet systemd.show_status=1 acpi_backlight=vendor"
+# chipset is i915. if it doesn't do the trick, simply add nomodeset
+GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-6e954a90-4449-4697-a452-f70abc6bc87e rd.lvm.lv=system/root rd.lvm.lv=system/swap rd.lvm.lv=system/usr quiet rhgb acpi_backlight=vendor" #i915.modeset=0"
+GRUB_DISABLE_RECOVERY="true"
+#GRUB_GFXMODE=2560x1440x32,1920x1080x32,16801050x32,1280x900x32,1280x1024x32m1024x768x24,800x600x24
+GRUB_GFXMODE=1920x1080x24,16801050x24,1280x900x24,1280x1024x24m1024x768x24,800x600x24
+#GRUB_GFXPAYLOAD=1920x1080x24
+GRUB_GFXPAYLOAD_LINUX=keep
+GRUB_THEME="/boot/grub2/themes/elegant-grub2/theme.txt"
+#GRUB_THEME="/boot/grub2/themes/breeze/theme.txt"
diff --git a/localfs/etc/dnf/dnf.conf b/localfs/etc/dnf/dnf.conf
new file mode 100644
index 0000000..4d5402b
--- /dev/null
+++ b/localfs/etc/dnf/dnf.conf
@@ -0,0 +1,7 @@
+[main]
+gpgcheck=1
+# Number of kernels to be kept on the system:
+installonly_limit=2
+clean_requirements_on_remove=True
+
+fastestmirror=true
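Review bot: Both entries are unfilled templates: `UUID=` is empty on each line, the first mapping name `luks-` is truncated (the root volume's UUID from `GRUB_CMDLINE_LINUX` in the same commit would normally complete it), and the keyfile is `/path/to/key`, so this crypttab cannot be resolved at boot as committed. If it is deliberately a template, a leading comment should say so, e.g. `# TEMPLATE: fill in UUID=<volume-uuid> and the real keyfile path before deploying`. The `libvirt` volume is unlocked by keyfile and the diffstat shows the same commit adding `localfs/etc/libvirt.key`; if that file carries real key material it should be kept out of the repository (and purged from history), and the deployed copy needs root-only permissions, which git's `100644` mode does not express.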
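Review bot: `GRUB_GFXMODE` contains two typos that make those entries unparsable as modes: `16801050x24` is missing the `x` between width and height, and `1280x1024x24m1024x768x24` uses `m` where the `,` separator belongs; the line should read `GRUB_GFXMODE=1920x1080x24,1680x1050x24,1280x900x24,1280x1024x24,1024x768x24,800x600x24`. The commented-out `#GRUB_GFXMODE=` line above it carries the same two typos. The trailing `#i915.modeset=0"` after the closing quote of `GRUB_CMDLINE_LINUX` is harmless because the file is sourced as shell, but a stray quote inside a comment invites a broken edit later; a separate commented line for the alternative parameter would be clearer.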
diff --git a/localfs/etc/dnf/protected.d/dnf.conf b/localfs/etc/dnf/protected.d/dnf.conf new file mode 100644 index 0000000..6148f6c --- /dev/null +++ b/localfs/etc/dnf/protected.d/dnf.conf @@ -0,0 +1 @@ +dnf diff --git a/localfs/etc/dnf/protected.d/rpm.conf b/localfs/etc/dnf/protected.d/rpm.conf new file mode 100644 index 0000000..916f55d --- /dev/null +++ b/localfs/etc/dnf/protected.d/rpm.conf @@ -0,0 +1 @@ +rpm diff --git a/localfs/etc/dnf/protected.d/storage.conf b/localfs/etc/dnf/protected.d/storage.conf new file mode 100644 index 0000000..15d7117 --- /dev/null +++ b/localfs/etc/dnf/protected.d/storage.conf @@ -0,0 +1,3 @@ +device-mapper +lvm2 +cryptsetup diff --git a/localfs/etc/firewalld/direct.xml b/localfs/etc/firewalld/direct.xml new file mode 100644 index 0000000..dadd4df --- /dev/null +++ b/localfs/etc/firewalld/direct.xml @@ -0,0 +1,8 @@ + + + -m pkttype --pkt-type multicast -s 225.0.0.0/24 -d 225.0.0.0/24 -j ACCEPT + -I FORWARD -i br0 -j ACCEPT + -I FORWARD -o br0 -j ACCEPT + -I FORWARD -i sosbr0 -j ACCEPT + -I FORWARD -o sosbr0 -j ACCEPT + diff --git a/localfs/etc/firewalld/firewalld-server.conf b/localfs/etc/firewalld/firewalld-server.conf new file mode 100644 index 0000000..5a69506 --- /dev/null +++ b/localfs/etc/firewalld/firewalld-server.conf 
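Review bot: The four `-I FORWARD -i/-o br0|sosbr0 -j ACCEPT` rules accept every forwarded packet entering or leaving those bridges ahead of anything firewalld manages in FORWARD, so the host forwards unconditionally between the bridges and whatever else it routes for, independent of the zone the bridges are assigned to; if only guest traffic to a specific uplink is intended, the rules should carry matching `-o`/`-s`/`-d` constraints. The element tags did not survive extraction, so it is not visible whether these are `rule` or `passthrough` entries; `-I FORWARD` as an argument is only valid in a passthrough, which also bypasses firewalld's own rule ordering and is worth stating in a comment. A comment naming which VM network each bridge carries and why the `225.0.0.0/24` multicast accept is needed would make the intent reviewable.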
@@ -0,0 +1,57 @@
+# firewalld config file
+
+# default zone
+# The default zone used if an empty zone string is used.
+# Default: public
+DefaultZone=FedoraServer
+
+# Minimal mark
+# Marks up to this minimum are free for use for example in the direct
+# interface. If more free marks are needed, increase the minimum
+# Default: 100
+MinimalMark=100
+
+# Clean up on exit
+# If set to no or false the firewall configuration will not get cleaned up
+# on exit or stop of firewalld
+# Default: yes
+CleanupOnExit=yes
+
+# Lockdown
+# If set to enabled, firewall changes with the D-Bus interface will be limited
+# to applications that are listed in the lockdown whitelist.
+# The lockdown whitelist file is lockdown-whitelist.xml
+# Default: no
+Lockdown=no
+
+# IPv6_rpfilter
+# Performs a reverse path filter test on a packet for IPv6. If a reply to the
+# packet would be sent via the same interface that the packet arrived on, the
+# packet will match and be accepted, otherwise dropped.
+# The rp_filter for IPv4 is controlled using sysctl.
+# Default: yes
+IPv6_rpfilter=yes
+
+# IndividualCalls
+# Do not use combined -restore calls, but individual calls. This increases the
+# time that is needed to apply changes and to start the daemon, but is good for
+# debugging.
+# Default: no
+IndividualCalls=no
+
+# LogDenied
+# Add logging rules right before reject and drop rules in the INPUT, FORWARD
+# and OUTPUT chains for the default rules and also final reject and drop rules
+# in zones. Possible values are: all, unicast, broadcast, multicast and off.
+# Default: off
+LogDenied=off
+
+# AutomaticHelpers
+# For the secure use of iptables and connection tracking helpers it is
+# recommended to turn AutomaticHelpers off. But this might have side effects on
+# other services using the netfilter helpers as the sysctl setting in
+# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
+# With the system setting, the default value set in the kernel or with sysctl
+# will be used. Possible values are: yes, no and system.
+# Default: system
+AutomaticHelpers=system
diff --git a/localfs/etc/firewalld/firewalld-standard.conf b/localfs/etc/firewalld/firewalld-standard.conf
new file mode 100644
index 0000000..63df409
--- /dev/null
+++ b/localfs/etc/firewalld/firewalld-standard.conf
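Review bot: `Lockdown=no` leaves the firewall configuration changeable by any local D-Bus client that polkit lets through, while the same commit adds `lockdown-whitelist.xml`, which firewalld only consults when Lockdown is enabled; either set `Lockdown=yes` here or add a comment that the whitelist is prepared but inactive. The same applies to firewalld-standard.conf and firewalld-workstation.conf in this commit. `LogDenied=off` on the server profile against `LogDenied=all` on the workstation profile looks inverted, since denied-packet logging is most useful for detection on the exposed server; if intentional it deserves a one-line comment. `AutomaticHelpers=system` defers to the kernel default even though the comment directly above recommends turning the helpers off; `AutomaticHelpers=no` is the safer value unless a service is known to need a conntrack helper.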
@@ -0,0 +1,57 @@
+# firewalld config file
+
+# default zone
+# The default zone used if an empty zone string is used.
+# Default: public
+DefaultZone=public
+
+# Minimal mark
+# Marks up to this minimum are free for use for example in the direct
+# interface. If more free marks are needed, increase the minimum
+# Default: 100
+MinimalMark=100
+
+# Clean up on exit
+# If set to no or false the firewall configuration will not get cleaned up
+# on exit or stop of firewalld
+# Default: yes
+CleanupOnExit=yes
+
+# Lockdown
+# If set to enabled, firewall changes with the D-Bus interface will be limited
+# to applications that are listed in the lockdown whitelist.
+# The lockdown whitelist file is lockdown-whitelist.xml
+# Default: no
+Lockdown=no
+
+# IPv6_rpfilter
+# Performs a reverse path filter test on a packet for IPv6. If a reply to the
+# packet would be sent via the same interface that the packet arrived on, the
+# packet will match and be accepted, otherwise dropped.
+# The rp_filter for IPv4 is controlled using sysctl.
+# Default: yes
+IPv6_rpfilter=yes
+
+# IndividualCalls
+# Do not use combined -restore calls, but individual calls. This increases the
+# time that is needed to apply changes and to start the daemon, but is good for
+# debugging.
+# Default: no
+IndividualCalls=no
+
+# LogDenied
+# Add logging rules right before reject and drop rules in the INPUT, FORWARD
+# and OUTPUT chains for the default rules and also final reject and drop rules
+# in zones. Possible values are: all, unicast, broadcast, multicast and off.
+# Default: off
+LogDenied=off
+
+# AutomaticHelpers
+# For the secure use of iptables and connection tracking helpers it is
+# recommended to turn AutomaticHelpers off. But this might have side effects on
+# other services using the netfilter helpers as the sysctl setting in
+# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
+# With the system setting, the default value set in the kernel or with sysctl
+# will be used. Possible values are: yes, no and system.
+# Default: system
+AutomaticHelpers=system
diff --git a/localfs/etc/firewalld/firewalld-workstation.conf b/localfs/etc/firewalld/firewalld-workstation.conf
new file mode 100644
index 0000000..a162039
--- /dev/null
+++ b/localfs/etc/firewalld/firewalld-workstation.conf
@@ -0,0 +1,58 @@
+# firewalld config file
+
+# default zone
+# The default zone used if an empty zone string is used.
+# Default: public
+#DefaultZone=FedoraWorkstation
+DefaultZone=lokalhorst
+
+# Minimal mark
+# Marks up to this minimum are free for use for example in the direct
+# interface. If more free marks are needed, increase the minimum
+# Default: 100
+MinimalMark=100
+
+# Clean up on exit
+# If set to no or false the firewall configuration will not get cleaned up
+# on exit or stop of firewalld
+# Default: yes
+CleanupOnExit=yes
+
+# Lockdown
+# If set to enabled, firewall changes with the D-Bus interface will be limited
+# to applications that are listed in the lockdown whitelist.
+# The lockdown whitelist file is lockdown-whitelist.xml
+# Default: no
+Lockdown=no
+
+# IPv6_rpfilter
+# Performs a reverse path filter test on a packet for IPv6. If a reply to the
+# packet would be sent via the same interface that the packet arrived on, the
+# packet will match and be accepted, otherwise dropped.
+# The rp_filter for IPv4 is controlled using sysctl.
+# Default: yes
+IPv6_rpfilter=yes
+
+# IndividualCalls
+# Do not use combined -restore calls, but individual calls. This increases the
+# time that is needed to apply changes and to start the daemon, but is good for
+# debugging.
+# Default: no
+IndividualCalls=no
+
+# LogDenied
+# Add logging rules right before reject and drop rules in the INPUT, FORWARD
+# and OUTPUT chains for the default rules and also final reject and drop rules
+# in zones. Possible values are: all, unicast, broadcast, multicast and off.
+# Default: off
+LogDenied=all
+
+# AutomaticHelpers
+# For the secure use of iptables and connection tracking helpers it is
+# recommended to turn AutomaticHelpers off. But this might have side effects on
+# other services using the netfilter helpers as the sysctl setting in
+# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
+# With the system setting, the default value set in the kernel or with sysctl +# will be used. Possible values are: yes, no and system. +# Default: system +AutomaticHelpers=system diff --git a/localfs/etc/firewalld/firewalld.conf b/localfs/etc/firewalld/firewalld.conf new file mode 120000 index 0000000..3adf742 --- /dev/null +++ b/localfs/etc/firewalld/firewalld.conf @@ -0,0 +1 @@ +firewalld-workstation.conf \ No newline at end of file diff --git a/localfs/etc/firewalld/lockdown-whitelist.xml b/localfs/etc/firewalld/lockdown-whitelist.xml new file mode 100644 index 0000000..65c03c5 --- /dev/null +++ b/localfs/etc/firewalld/lockdown-whitelist.xml @@ -0,0 +1,7 @@ + + + + + + + diff --git a/localfs/etc/firewalld/services/check_mk.xml b/localfs/etc/firewalld/services/check_mk.xml new file mode 100644 index 0000000..8990c3b --- /dev/null +++ b/localfs/etc/firewalld/services/check_mk.xml @@ -0,0 +1,9 @@ + + + Check_MK + All ports required for Check_MK to work with us being a monitored node only. + + + + + diff --git a/localfs/etc/firewalld/services/nfs.xml b/localfs/etc/firewalld/services/nfs.xml new file mode 100644 index 0000000..9d1c4bf --- /dev/null +++ b/localfs/etc/firewalld/services/nfs.xml @@ -0,0 +1,7 @@ + + + NFS3 + The NFS3 + + + diff --git a/localfs/etc/firewalld/zones/FedoraWorkstation.xml b/localfs/etc/firewalld/zones/FedoraWorkstation.xml new file mode 100644 index 0000000..a39d7e8 --- /dev/null +++ b/localfs/etc/firewalld/zones/FedoraWorkstation.xml @@ -0,0 +1,16 @@ + + + Fedora Workstation + Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed. + + + + + + + + + + + + diff --git a/localfs/etc/firewalld/zones/FedoraWorkstation.xml.old b/localfs/etc/firewalld/zones/FedoraWorkstation.xml.old new file mode 100644 index 0000000..5d04d82 --- /dev/null 
+++ b/localfs/etc/firewalld/zones/FedoraWorkstation.xml.old @@ -0,0 +1,15 @@ + + + Fedora Workstation + Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed. + + + + + + + + + + + diff --git a/localfs/etc/firewalld/zones/home.xml b/localfs/etc/firewalld/zones/home.xml new file mode 100644 index 0000000..f913db4 --- /dev/null +++ b/localfs/etc/firewalld/zones/home.xml @@ -0,0 +1,5 @@ + + + Home + For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. + diff --git a/localfs/etc/firewalld/zones/home.xml.old b/localfs/etc/firewalld/zones/home.xml.old new file mode 100644 index 0000000..d5e38d3 --- /dev/null +++ b/localfs/etc/firewalld/zones/home.xml.old @@ -0,0 +1,6 @@ + + + Home + For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. + + diff --git a/localfs/etc/firewalld/zones/internal.xml b/localfs/etc/firewalld/zones/internal.xml new file mode 100644 index 0000000..2dff2d4 --- /dev/null +++ b/localfs/etc/firewalld/zones/internal.xml @@ -0,0 +1,5 @@ + + + Internal + For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted. + diff --git a/localfs/etc/firewalld/zones/internal.xml.old b/localfs/etc/firewalld/zones/internal.xml.old new file mode 100644 index 0000000..f9f3d37 --- /dev/null +++ b/localfs/etc/firewalld/zones/internal.xml.old @@ -0,0 +1,6 @@ + + + Internal + For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted. + + 
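Review bot: `FedoraWorkstation.xml.old`, `home.xml.old` and `internal.xml.old` (and `kvm.xml.old` and `lokalhorst.xml.old` in the following hunks) are editor backups committed next to the live zone definitions; firewalld loads only `*.xml` from this directory, so they are inert, but stale copies in `/etc/firewalld/zones` blur which definition is authoritative and will drift from the live files. Drop them from the tree and rely on git history, or list `*.old` in a `.gitignore` as the commit already does for `network-scripts`.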
diff --git a/localfs/etc/firewalld/zones/kvm.xml b/localfs/etc/firewalld/zones/kvm.xml new file mode 100644 index 0000000..f21de55 --- /dev/null +++ b/localfs/etc/firewalld/zones/kvm.xml @@ -0,0 +1,7 @@ + + + KVM + LOREM IPSUM HODOR + + + diff --git a/localfs/etc/firewalld/zones/kvm.xml.old b/localfs/etc/firewalld/zones/kvm.xml.old new file mode 100644 index 0000000..31c90e3 --- /dev/null +++ b/localfs/etc/firewalld/zones/kvm.xml.old @@ -0,0 +1,8 @@ + + + KVM + LOREM IPSUM HODOR + + + + diff --git a/localfs/etc/firewalld/zones/lokalhorst.xml b/localfs/etc/firewalld/zones/lokalhorst.xml new file mode 100644 index 0000000..d52a74c --- /dev/null +++ b/localfs/etc/firewalld/zones/lokalhorst.xml @@ -0,0 +1,8 @@ + + + lokalhorst + Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed. + + + + diff --git a/localfs/etc/firewalld/zones/lokalhorst.xml.old b/localfs/etc/firewalld/zones/lokalhorst.xml.old new file mode 100644 index 0000000..f948687 --- /dev/null +++ b/localfs/etc/firewalld/zones/lokalhorst.xml.old @@ -0,0 +1,9 @@ + + + lokalhorst + Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed. + + + + + diff --git a/localfs/etc/fstab b/localfs/etc/fstab new file mode 100644 index 0000000..8bd9c31 --- /dev/null +++ b/localfs/etc/fstab 
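Review bot: The `<description>` of the `lokalhorst` zone is copied verbatim from FedoraWorkstation ("Unsolicited incoming network packets are rejected from port 1 to 1024 ...") although this zone is the workstation profile's `DefaultZone` and, judging by the different line count, does not match FedoraWorkstation; the text should state what lokalhorst actually opens or changes, e.g. `<description>Default zone for this host: FedoraWorkstation plus the services listed below.</description>`. The service and port elements were lost in extraction, so what the zone exposes cannot be reviewed here; the `kvm` zone in the hunk above carries the placeholder description `LOREM IPSUM HODOR`, which should likewise be replaced before this goes live.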
@@ -0,0 +1,25 @@
+
+#
+# /etc/fstab
+# Created by anaconda on Fri Nov 24 11:18:27 2017
+#
+# Accessible filesystems, by reference, are maintained under '/dev/disk'
+# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
+#
+/dev/mapper/system-root / ext4 defaults,x-systemd.device-timeout=0 1 1
+UUID=6c8ae617-7f34-4bef-9fa6-3735571b9c5c /boot ext4 defaults 1 2
+UUID=E68B-F495 /boot/efi vfat umask=0077,shortname=winnt 0 2
+/dev/mapper/system-home /home ext4 defaults,x-systemd.device-timeout=0 1 2
+/dev/mapper/system-tmp /tmp ext4 defaults,x-systemd.device-timeout=0 1 2
+/dev/mapper/system-usr /usr ext4 defaults,x-systemd.device-timeout=0 1 2
+/dev/mapper/system-var /var ext4 defaults,x-systemd.device-timeout=0 1 2
+/dev/mapper/system-varlog /var/log ext4 defaults,x-systemd.device-timeout=0 1 2
+/dev/mapper/system-swap swap swap defaults,x-systemd.device-timeout=0,pri=666 0 0
+
+# USB GSCHWERDLS
+UUID=5118-E220 /usb/padlock auto noauto,defaults,user,nosuid,nodev,nofail,utf8,uid=1557802663,gid=1557802663,umask=027 0 0
+
+# HPE GSCHWERDLS
+UUID=1AE87ABEE87A9829 /elitebook/Windows\040RE\040tools auto defaults,ro 0 0
+UUID=E2EA33EEEA33BD9B /elitebook/Recovery\040Image auto defaults,ro 0 0
+UUID=748F-B31A /elitebook/HP_TOOLS auto defaults,ro 0 0
diff --git a/localfs/etc/httpd/conf.d/indexes b/localfs/etc/httpd/conf.d/indexes
new file mode 100644
index 0000000..19b122c
--- /dev/null
+++ b/localfs/etc/httpd/conf.d/indexes
@@ -0,0 +1 @@
+IndexOptions NameWidth=*
diff --git a/localfs/etc/httpd/conf.d/misc.conf b/localfs/etc/httpd/conf.d/misc.conf
new file mode 100644
index 0000000..70e4fe8
--- /dev/null
+++ b/localfs/etc/httpd/conf.d/misc.conf
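Review bot: The three `/elitebook/...` entries at the end of the fstab hunk are mounted `defaults,ro` without `nofail`, so if that disk is missing or re-partitioned the mount is treated as required and boot drops into emergency mode; the USB entry above already uses the right pattern (`nofail`). The separate `/tmp`, `/home` and `/var/log` volumes are mounted with plain `defaults`, which gives up the main reason for splitting them off — `nosuid,nodev` on all three (and `noexec` on `/tmp` if nothing on this host needs to execute from it) would make the `/tmp` line `/dev/mapper/system-tmp /tmp ext4 defaults,nosuid,nodev,noexec,x-systemd.device-timeout=0 1 2`. `umask=0077` on `/boot/efi` is the right call.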
@@ -0,0 +1,7 @@ + header set X-Clacks-Overhead "GNU Terry Pratchett" + header set X-Klingons "Well, let me guess. You're either lost, or desperately searching for a good tailor." +# header set X-XRDS-Location "http://openid.lirion.de/xrds/Lirion" + header set X-HANDSHAKE "Scissors cuts paper, paper covers rock, rock crushes lizard, lizard poisons Spock, Spock smashes scissors, scissors decapitates lizard, lizard eats paper, paper disproves Spock, Spock vaporizes rock, and as it always has, rock crushes scissors." + header set X-Disclaimer "All Your Base Are Belong To Us" + header unset Server + header set Server "Woschdsopp/6.66" diff --git a/localfs/etc/httpd/conf.d/security.conf b/localfs/etc/httpd/conf.d/security.conf new file mode 100644 index 0000000..60b7bec --- /dev/null +++ b/localfs/etc/httpd/conf.d/security.conf @@ -0,0 +1 @@ +IncludeOptional conf.d/security.d/*.conf diff --git a/localfs/etc/httpd/conf.d/security.d/csp.conf b/localfs/etc/httpd/conf.d/security.d/csp.conf new file mode 100644 index 0000000..f26dbc0 --- /dev/null +++ b/localfs/etc/httpd/conf.d/security.d/csp.conf @@ -0,0 +1,4 @@ +Header set Content-Security-Policy: "default-src 'self' 'unsafe-inline'; frame-ancestors 'self' jango104 jango104.domain.de; script-src 'self' jango104 jango104.domain.de 'unsafe-inline'; img-src 'self' jango104 jango104.domain.de; child-src 'self' jango104 jango104.domain.de; font-src 'self' jango104 jango104.domain.de; object-src 'self' jango104 jango104.domain.de; connect-src 'self' jango104 jango104.domain.de;" +#Header always set Content-Security-Policy: "default-src https:; frame-ancestors *.lirion.de;" +#SSLUseStapling On +#SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768) diff --git a/localfs/etc/httpd/conf.d/security.d/hsts.conf b/localfs/etc/httpd/conf.d/security.d/hsts.conf new file mode 100644 index 0000000..3276a70 --- /dev/null +++ b/localfs/etc/httpd/conf.d/security.d/hsts.conf 
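Review bot: `header unset Server` and `header set Server "Woschdsopp/6.66"` at the end of misc.conf do not change the response's Server header: httpd emits that header from the `ServerTokens` banner after mod_headers has run and, for non-proxied requests, discards any `Server` entry in the output table, which is presumably why `SecServerSignature` sits commented out in signature.conf. `ServerTokens Prod` in signature.conf is the supported way to trim it, so these two lines can be dropped rather than left looking effective. None of the seven lines is wrapped in `<IfModule mod_headers.c>`, so httpd refuses to start if mod_headers is ever disabled; a one-line comment stating that dependency, `# requires mod_headers (01-headers.conf)`, would help.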
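Review bot: The `Content-Security-Policy` on the first line of csp.conf allows `'unsafe-inline'` in both `default-src` and `script-src`, which gives up the policy's main protection (blocking injected inline script); moving inline scripts to nonces or hashes and removing `'unsafe-inline'` from `script-src` is the fix, and `base-uri 'self'; form-action 'self'` are cheap additions. The header name is written `Content-Security-Policy:` with a trailing colon — worth checking the served header with `curl -sI` to confirm mod_headers strips it on this httpd build rather than emitting a malformed name. Being a plain `Header set`, the policy is also absent from redirects and the custom 401/403/404 pages; `Header always set` applies it everywhere. The commented `SSLUseStapling`/`SSLStaplingCache` lines belong in ssl.conf's global context, not in a CSP file.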
@@ -0,0 +1,4 @@ +# Do not use header always set, it would push HSTS to non-HTTPS even though it's in this tree... + + Header set Strict-Transport-Security "max-age=31556926;includeSubDomains;preload" + diff --git a/localfs/etc/httpd/conf.d/security.d/maxconns.conf b/localfs/etc/httpd/conf.d/security.d/maxconns.conf new file mode 100644 index 0000000..c88ca84 --- /dev/null +++ b/localfs/etc/httpd/conf.d/security.d/maxconns.conf @@ -0,0 +1 @@ +#MaxConnection all 10 diff --git a/localfs/etc/httpd/conf.d/security.d/signature.conf b/localfs/etc/httpd/conf.d/security.d/signature.conf new file mode 100644 index 0000000..5c8bc12 --- /dev/null +++ b/localfs/etc/httpd/conf.d/security.d/signature.conf @@ -0,0 +1,3 @@ +#SecServerSignature "Woschdsopp/6.66 mod-banana" +ServerTokens Prod +TraceEnable Off diff --git a/localfs/etc/httpd/conf.d/ssl.conf b/localfs/etc/httpd/conf.d/ssl.conf new file mode 100644 index 0000000..9891aca --- /dev/null +++ b/localfs/etc/httpd/conf.d/ssl.conf 
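Review bot: `Header set Strict-Transport-Security ...` without `always` is only added to successful responses, so the HTTP→HTTPS redirects and the custom 401/403/404 pages served over TLS go out without HSTS. The concern in the comment (pushing HSTS onto plain-HTTP responses) is already handled by the enclosing container whose tag is lost in this rendering (presumably an `<If>` or the TLS virtual host), so `Header always set Strict-Transport-Security "max-age=31556926;includeSubDomains;preload"` is safe in that scope. `preload` together with `includeSubDomains` commits every subdomain of the served name to HTTPS for a year and is hard to revoke once submitted to the preload list — worth a comment confirming that is intended for all of jango104.domain.de's subdomains.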
@@ -0,0 +1,224 @@ +# +# When we also provide SSL we have to listen to the +# standard HTTPS port in addition. +# +Listen 443 https + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is a internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First the mechanism +# to use and second the expiring timeout (in seconds). +SSLSessionCache shmcb:/run/httpd/sslcache(512000) +SSLSessionCacheTimeout 300 + +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the +# SSL library. The seed data should be of good random quality. +# WARNING! On some platforms /dev/random blocks if not enough entropy +# is available. This means you then cannot use the /dev/random device +# because it would lead to very long connection times (as long as +# it requires to make more entropy available). But usually those +# platforms additionally provide a /dev/urandom device which doesn't +# block. So, if available, use this one instead. Read the mod_ssl User +# Manual for more details. +SSLRandomSeed startup file:/dev/urandom 256 +SSLRandomSeed connect builtin +#SSLRandomSeed startup file:/dev/random 512 +#SSLRandomSeed connect file:/dev/random 512 +#SSLRandomSeed connect file:/dev/urandom 512 + +# +# Use "SSLCryptoDevice" to enable any supported hardware +# accelerators. Use "openssl engine -v" to list supported +# engine names. NOTE: If you enable an accelerator and the +# server does not start, consult the error logs and ensure +# your accelerator is functioning properly. 
+# +SSLCryptoDevice builtin +#SSLCryptoDevice ubsec + +## +## SSL Virtual Host Context +## + + + +# General setup for the virtual host, inherited from global configuration +#DocumentRoot "/var/www/html" +#ServerName www.example.com:443 + +# Use separate log files for the SSL virtual host; note that LogLevel +# is not inherited from httpd.conf. +ErrorLog logs/ssl_error_log +TransferLog logs/ssl_access_log +LogLevel warn + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# List the protocol versions which clients are allowed to connect with. +# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be +# disabled as quickly as practical. By the end of 2016, only the TLSv1.2 +# protocol or later should remain in use. +#SSLProtocol all -SSLv3 +#SSLProxyProtocol all -SSLv3 +SSLProtocol -all +TLSv1.2 +SSLProxyProtocol -all +TLSv1.2 + +# User agents such as web browsers are not configured for the user's +# own preference of either security or performance, therefore this +# must be the prerogative of the web server administrator who manages +# cpu load versus confidentiality, so enforce the server's cipher order. +SSLHonorCipherOrder on + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. +# The OpenSSL system profile is configured by default. See +# update-crypto-policies(8) for more details. +#SSLCipherSuite PROFILE=SYSTEM +# Mozilla intermediate recommendation, 2016-09-06. 
After !DSS, some additional setup: +SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!AES128-SHA:!DES-CBC3-SHA:!AES256-SHA:!AES128-SHA256:!AES256-SHA256:!AES128-SHA256:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA +SSLProxyCipherSuite PROFILE=SYSTEM + +# Point SSLCertificateFile at a PEM encoded certificate. If +# the certificate is encrypted, then you will be prompted for a +# pass phrase. Note that restarting httpd will prompt again. Keep +# in mind that if you have both an RSA and a DSA certificate you +# can configure both in parallel (to also allow the use of DSA +# ciphers, etc.) +# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt) +# require an ECC certificate which can also be configured in +# parallel. +SSLCertificateFile /etc/pki/tls/certs/localhost.crt + +# Server Private Key: +# If the key is not combined with the certificate, use this +# directive to point at the key file. Keep in mind that if +# you've both a RSA and a DSA private key you can configure +# both in parallel (to also allow the use of DSA ciphers, etc.) 
+# ECC keys, when in use, can also be configured in parallel +SSLCertificateKeyFile /etc/pki/tls/private/localhost.key + +# Server Certificate Chain: +# Point SSLCertificateChainFile at a file containing the +# concatenation of PEM encoded CA certificates which form the +# certificate chain for the server certificate. Alternatively +# the referenced file can be the same as SSLCertificateFile +# when the CA certificates are directly appended to the server +# certificate for convenience. +#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt + +# Certificate Authority (CA): +# Set the CA certificate verification path where to find CA +# certificates for client authentication or alternatively one +# huge file containing all of them (file must be PEM encoded) +#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt + +# Client Authentication (Type): +# Client certificate verification type and depth. Types are +# none, optional, require and optional_no_ca. Depth is a +# number which specifies how deeply to verify the certificate +# issuer chain before deciding the certificate is not valid. +#SSLVerifyClient require +#SSLVerifyDepth 10 + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_ssl documentation +# for more details. +# +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +# + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. 
The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. +#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + +# SSL Protocol Adjustments: +# The safe and default but still SSL/TLS standard compliant shutdown +# approach is that mod_ssl sends the close notify alert but doesn't wait for +# the close notify alert from client. When you need a different shutdown +# approach you can use one of the following variables: +# o ssl-unclean-shutdown: +# This forces an unclean shutdown when the connection is closed, i.e. no +# SSL close notify alert is sent or allowed to be received. This violates +# the SSL/TLS standard but is needed for some brain-dead browsers. 
Use +# this when you receive I/O errors because of the standard approach where +# mod_ssl sends the close notify alert. +# o ssl-accurate-shutdown: +# This forces an accurate shutdown when the connection is closed, i.e. a +# SSL close notify alert is sent and mod_ssl waits for the close notify +# alert of the client. This is 100% SSL/TLS standard compliant, but in +# practice often causes hanging connections with brain-dead browsers. Use +# this only for browsers where you know that their SSL implementation +# works correctly. +# Notice: Most problems of broken clients are also related to the HTTP +# keep-alive facility, so you usually additionally want to disable +# keep-alive for those clients, too. Use variable "nokeepalive" for this. +# Similarly, one has to force some clients to use HTTP/1.0 to workaround +# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and +# "force-response-1.0" for this. +BrowserMatch "MSIE [2-5]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. +CustomLog logs/ssl_request_log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + + diff --git a/localfs/etc/httpd/conf.d/utf8.conf b/localfs/etc/httpd/conf.d/utf8.conf new file mode 100644 index 0000000..28ca6f8 --- /dev/null +++ b/localfs/etc/httpd/conf.d/utf8.conf @@ -0,0 +1 @@ +AddDefaultCharset UTF-8 diff --git a/localfs/etc/httpd/conf.d/vhosts.conf b/localfs/etc/httpd/conf.d/vhosts.conf new file mode 100644 index 0000000..ab7e544 --- /dev/null +++ b/localfs/etc/httpd/conf.d/vhosts.conf @@ -0,0 +1 @@ +IncludeOptional conf.d/vhosts.d/*.conf diff --git a/localfs/etc/httpd/conf.d/vhosts.d/jango104.conf b/localfs/etc/httpd/conf.d/vhosts.d/jango104.conf new file mode 100644 index 0000000..b3cade8 --- /dev/null +++ b/localfs/etc/httpd/conf.d/vhosts.d/jango104.conf 
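Review bot: The `SSLCipherSuite` list in what is presumably the `_default_:443` host excludes most 3DES and non-forward-secret suites via `!` entries, but `ECDHE-ECDSA-DES-CBC3-SHA` is listed positively and never negated, so 3DES (Sweet32) stays negotiable the moment an ECDSA certificate is installed here. The stale "Mozilla intermediate 2016-09-06" comment and the mix of positive entries and trailing `!` exclusions make the list hard to audit; `SSLCipherSuite PROFILE=SYSTEM`, already used for `SSLProxyCipherSuite` on the next line and in jango104.conf, would keep it under update-crypto-policies, or else trim to a short positive allow-list. This host serves the self-signed `localhost.crt`, which is what any client without a matching SNI name sees — fine for a catch-all, but worth a comment saying so. `SSLProtocol -all +TLSv1.2` and `SSLHonorCipherOrder on` are good; OCSP stapling (`SSLUseStapling`/`SSLStaplingCache`, commented out in csp.conf) belongs in this file's global context.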
@@ -0,0 +1,140 @@ +AddDefaultCharset UTF-8 + + ServerAdmin some.email@comain.de + DocumentRoot "/var/www/vhosts/jango104.domain.de" + ServerName jango104.domain.de + ServerAlias jango104.domain.world jango104.domain.de jango104 + ErrorLog "/var/log/httpd/jango104.domain.de-error.log" + CustomLog "/var/log/httpd/jango104.domain.de-access.log" common + RewriteEngine on + RewriteCond %{HTTPS} !=on + RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L] + + + ServerAdmin some.email@domain.de + DocumentRoot "/var/www/vhosts/jango104.domain.de" + ServerName jango104.domain.de + ServerAlias jango104.domain.world jango104.domain.de jango104 + Alias "/errors" "/var/www/errors" + ErrorLog "/var/log/httpd/jango104.domain.de-ssl-error.log" + CustomLog "/var/log/httpd/jango104.domain.de-ssl-access.log" common + ErrorDocument 401 "/errors/401.html" + ErrorDocument 403 "/errors/403.html" + ErrorDocument 404 "/errors/404.html" + + Options FollowSymLinks + AllowOverride none + + + Options -Indexes + AllowOverride None + + Require all granted + + + + Options Indexes FollowSymLinks MultiViews + IndexOptions +ShowForbidden +NameWidth=* + AllowOverride None + + Require all granted + + + + Options Indexes FollowSymlinks Multiviews + IndexOptions +ShowForbidden +Namewidth=* + AllowOverride all + + Require all granted + + + + Options Indexes FollowSymlinks Multiviews + IndexOptions +ShowForbidden +Namewidth=* + AllowOverride all + + Require all granted + + + + Options Indexes FollowSymlinks Multiviews + IndexOptions +ShowForbidden +Namewidth=* + AllowOverride all + + Require all granted + + + + Options Indexes FollowSymlinks Multiviews + IndexOptions +ShowForbidden +Namewidth=* + AllowOverride all + + Require all granted + + + + Options Indexes FollowSymlinks Multiviews + IndexOptions +ShowForbidden +Namewidth=* + AllowOverride all + + Require all granted + + + + Options Indexes FollowSymlinks Multiviews + IndexOptions +ShowForbidden +Namewidth=* + AllowOverride all + + Require all 
granted + + + + Options Indexes FollowSymlinks MultiViews + IndexOptions +NameWidth=* + AllowOverride None + AuthType Basic + AuthName "gibe login" + AuthBasicProvider file + AuthUserFile "/etc/httpd/htaccess.d/redhat" + + Require user company + Require valid-user + + + + Options Indexes FollowSymlinks MultiViews + IndexOptions +NameWidth=* + AllowOverride None + AuthType Basic + AuthName "gibe login" + AuthBasicProvider file + AuthUserFile "/etc/httpd/htaccess.d/redhat" + + Require user company + Require valid-user + + + SSLEngine on + SSLProtocol all -SSLv3 + SSLProxyProtocol all -SSLv3 + SSLHonorCipherOrder on + SSLCipherSuite PROFILE=SYSTEM + SSLProxyCipherSuite PROFILE=SYSTEM + + # Feck snakeoil. Root CA and Intermed CA from root server, cert is a) chained and b) set up with higher ciphers. + # (Although, admittedly, there's way worse snakeoils than on Fedora 27, but still it's snakeoil.) + SSLCertificateFile /etc/pki/tls/certs/jango104.crt + SSLCertificateKeyFile /etc/pki/tls/private/jango104.key + #SSLCertificateChainFile /etc/pki/tls/certs/jango104.crt + #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt + #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + BrowserMatch "MSIE [2-5]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + diff --git a/localfs/etc/httpd/conf.d/welcome.bak b/localfs/etc/httpd/conf.d/welcome.bak new file mode 100644 index 0000000..5d1e452 --- /dev/null +++ b/localfs/etc/httpd/conf.d/welcome.bak @@ -0,0 +1,18 @@ +# +# This configuration file enables the default "Welcome" page if there +# is no default index page present for the root URL. To disable the +# Welcome page, comment out all the lines below. +# +# NOTE: if this file is removed, it will be restored on upgrades. +# + + Options -Indexes + ErrorDocument 403 /.noindex.html + + + + AllowOverride None + Require all granted + + +Alias /.noindex.html /usr/share/httpd/noindex/index.html 
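Review bot: `ServerAdmin some.email@comain.de` in the port-80 host is a typo for `domain.de` as spelled in the TLS host. The TLS host sets `SSLProtocol all -SSLv3` / `SSLProxyProtocol all -SSLv3`, which re-enables TLS 1.0 and 1.1 for the real site even though ssl.conf pins the default host to `-all +TLSv1.2`; use `SSLProtocol -all +TLSv1.2` and `SSLProxyProtocol -all +TLSv1.2` here too. In the two Basic-auth directories, `Require user company` followed by `Require valid-user` — inside what is presumably a `<RequireAny>` whose tag is lost in this rendering — makes the user restriction moot, since any account in `/etc/httpd/htaccess.d/redhat` satisfies `valid-user`; keep one of the two or switch to `<RequireAll>`. Several directory blocks combine `Options Indexes FollowSymlinks` with `AllowOverride all`; if any of those trees holds user-writable content, a dropped `.htaccess` can reconfigure the server for that tree, so `AllowOverride None` (as the first two blocks already use) unless overrides are actually needed.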
diff --git a/localfs/etc/httpd/conf.modules.d/00-proxyhtml.conf b/localfs/etc/httpd/conf.modules.d/00-proxyhtml.conf new file mode 100644 index 0000000..9a9b107 --- /dev/null +++ b/localfs/etc/httpd/conf.modules.d/00-proxyhtml.conf @@ -0,0 +1,3 @@ +# This file configures mod_proxy_html and mod_xml2enc: +LoadModule xml2enc_module modules/mod_xml2enc.so +LoadModule proxy_html_module modules/mod_proxy_html.so diff --git a/localfs/etc/httpd/conf.modules.d/10-geoip.conf b/localfs/etc/httpd/conf.modules.d/10-geoip.conf new file mode 100644 index 0000000..1b70122 --- /dev/null +++ b/localfs/etc/httpd/conf.modules.d/10-geoip.conf @@ -0,0 +1 @@ +LoadModule geoip_module modules/mod_geoip.so diff --git a/localfs/etc/httpd/conf.modules.d/10-limitipconn.conf b/localfs/etc/httpd/conf.modules.d/10-limitipconn.conf new file mode 100644 index 0000000..545e9b2 --- /dev/null +++ b/localfs/etc/httpd/conf.modules.d/10-limitipconn.conf @@ -0,0 +1,15 @@ +# This module will not function unless mod_status is loaded and the +# "ExtendedStatus On" directive is set. So load only if mod_status is too. + + + # This is always needed + ExtendedStatus On + + # mod_limitipconn configuration + LoadModule limitipconn_module modules/mod_limitipconn.so + + # A global default configuration doesn't make much sense. See the README + # from the mod_limitipconn package for configuration examples. + + + diff --git a/localfs/etc/httpd/run b/localfs/etc/httpd/run new file mode 120000 index 0000000..ae7face --- /dev/null +++ b/localfs/etc/httpd/run @@ -0,0 +1 @@ +/run/httpd \ No newline at end of file diff --git a/localfs/etc/libvirt.key b/localfs/etc/libvirt.key new file mode 100644 index 0000000..838d666 --- /dev/null +++ b/localfs/etc/libvirt.key 
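Review bot: `10-limitipconn.conf` loads `mod_limitipconn` and forces `ExtendedStatus On`, but no `MaxConnPerIP` directive appears anywhere in this commit, so the module currently limits nothing while `ExtendedStatus` adds per-request bookkeeping; add a limit in the vhost or keep the file out until one is needed (the commented `#MaxConnection all 10` in maxconns.conf is not this module's syntax). With `ExtendedStatus On`, `/server-status` shows per-request client addresses and URLs if mod_status's handler is mapped; whether that location is access-restricted is not visible in this commit and is worth confirming.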
@@ -0,0 +1,7 @@
+This should be a file with sufficient urandom data to be added to the libvirt luks container. Result:
+the libvirt LVM PV is encrypted, but will automatically unlocked once the parent OS is unlocked.
+(Do NOT have the parent OS reside on an unencrypted drive, lel.)
+
+...
+
+Did you expect my luks key here? Better go to DXC for such disconcerting hurry-scurry ;)
diff --git a/localfs/etc/logrotate.d/clamav-update b/localfs/etc/logrotate.d/clamav-update
new file mode 100644
index 0000000..0de6062
--- /dev/null
+++ b/localfs/etc/logrotate.d/clamav-update
@@ -0,0 +1,4 @@
+/var/log/freshclam.log {
+ monthly
+ notifempty
+}
diff --git a/localfs/etc/logrotate.d/httpd b/localfs/etc/logrotate.d/httpd
new file mode 100644
index 0000000..90c024d
--- /dev/null
+++ b/localfs/etc/logrotate.d/httpd
@@ -0,0 +1,15 @@
+/var/log/httpd/*log {
+ daily
+ rotate 365
+ missingok
+ notifempty
+ sharedscripts
+ delaycompress
+ compresscmd /bin/xz
+ compressext .xz
+ dateext
+ dateformat -%Y-%m-%d
+ postrotate
+ /bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true
+ endscript
+}
diff --git a/localfs/etc/profile.d/netcatandquit.sh b/localfs/etc/profile.d/netcatandquit.sh
new file mode 100644
index 0000000..5410051
--- /dev/null
+++ b/localfs/etc/profile.d/netcatandquit.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# Harald Pfeiffer, 2017-04-17
+# Quick helper to have an ncat command available which, similarly to netcat -z,
+# terminates the ncat connection as soon as there's a successful establishment.
+#
+# tl;dr fek incomplete replacements 凸ಠ_ಠ)凸
+
+
+# Let's check whether "echo -e" outputs "echo -e", we then will quit
+# (no escape sequences mean no escape, lel.)
+echo -e "moo"|grep -- "-e moo" >/dev/null 2>&1
+[ "$?" -eq 0 ]&&exit 0
+
+alias ncquit='echo -ne "\e[3;12r\e[3H"|ncat'
diff --git a/localfs/etc/profile.d/shellhist.sh b/localfs/etc/profile.d/shellhist.sh
new file mode 100644
index 0000000..4e377fd
--- /dev/null
+++ b/localfs/etc/profile.d/shellhist.sh
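Review bot: `localfs/etc/libvirt.key` stakes out the path of a LUKS keyfile with placeholder text, but nothing stops the real key from being committed by a later `git add` at the same path; add it to a `.gitignore` the way `keys-*` is ignored under network-scripts in this commit. The placeholder is mode `100644`, which a deployment that copies `localfs/` verbatim would carry over — the real file needs `0600` and root ownership, so a one-line note in the placeholder, `# generate on the host from /dev/urandom, chmod 0600, never commit`, records the contract.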
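Review bot: `[ "$?" -eq 0 ]&&exit 0` in netcatandquit.sh terminates the login shell, not just this snippet: files in `/etc/profile.d` are sourced by `/etc/profile`, so on any shell whose `echo` prints `-e` literally (POSIX `sh`, dash) the user is logged out right after authenticating. Use `return 0` instead, which is valid at the top level of a sourced file in both bash and POSIX sh, or replace the check with `case "$(echo -e moo)" in *-e*) return 0;; esac`. The `alias` line itself relies on `echo -ne`, the same non-portability the check is guarding against, and the `#!/bin/sh` shebang is misleading for a file that is only ever sourced.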
@@ -0,0 +1,28 @@
+export HISTTIMEFORMAT="%F %T: "
+export HISTSIZE=5000
+if [ -z "$PROMPT_COMMAND" ]; then
+ case $TERM in
+ xterm*|vte*)
+ if [ -e /etc/sysconfig/bash-prompt-xterm ]; then
+ PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm
+ elif [ "${VTE_VERSION:-0}" -ge 3405 ]; then
+ PROMPT_COMMAND="__vte_prompt_command"
+ else
+ PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"'
+ fi
+ ;;
+ screen*)
+ if [ -e /etc/sysconfig/bash-prompt-xterm ]; then
+ PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm
+ else
+ PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"'
+ fi
+ ;;
+ *)
+ [ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default
+ ;;
+ esac
+fi
+# ...and now that we have the prompt, make sure history gets updated every time you fire away a command,
+# not only on GRACEFUL session ends.
+export PROMPT_COMMAND="history -a;history -c;history -r;$PROMPT_COMMAND"
diff --git a/localfs/etc/profile.d/taskd.sh b/localfs/etc/profile.d/taskd.sh
new file mode 100644
index 0000000..266737a
--- /dev/null
+++ b/localfs/etc/profile.d/taskd.sh
@@ -0,0 +1 @@
+export TASKDDATA=/var/taskd
diff --git a/localfs/etc/samba/smb.conf b/localfs/etc/samba/smb.conf
new file mode 100644
index 0000000..2b779c1
--- /dev/null
+++ b/localfs/etc/samba/smb.conf
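Review bot: `export PROMPT_COMMAND="history -a;history -c;history -r;$PROMPT_COMMAND"` on the last line writes every command to `~/.bash_history` immediately, which is good for forensics but also persists secrets passed on a command line (tokens, passwords as arguments) the moment they are typed; setting `export HISTCONTROL=ignorespace` next to `HISTTIMEFORMAT` gives users a deliberate opt-out for such commands. `HISTSIZE=5000` is set without `HISTFILESIZE`; bash copies HISTSIZE into HISTFILESIZE when the latter is unset, so this works, but a comment saying so avoids a future "why is the file capped" question. The file is also sourced by non-bash `sh` login shells (it is a `.sh` in profile.d); a `[ -n "$BASH_VERSION" ] || return` guard at the top keeps the bash-only settings out of them.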
@@ -0,0 +1,33 @@ +[global] + server string = jango104 + security = user + map to guest = bad user + workgroup = streichelz00 + ; Ist auf Fedora eh nobody. + ;guest account = nobody + load printers = no + browseable = yes + writeable = yes + enable core files = no +[hodenkobold] + comment = Ich bin de Maik und de Trainer + path = /srv/samba/public + available = yes + read only = yes + browseable = yes + public = yes + writeable = yes + guest ok = yes + inherit acls = yes + hosts allow = 10.0.0.0/8 +[isos] + comment = ISO-Normung is the shit + path = /srv/samba/isos + available = yes + read only = yes + browseable = yes + public = yes + writeable = no + guest ok = yes + inherit acls = yes + hosts allow = 10.0.0.0/8 diff --git a/localfs/etc/selinux/targeted/contexts/files/file_contexts.local b/localfs/etc/selinux/targeted/contexts/files/file_contexts.local new file mode 100644 index 0000000..62db84e --- /dev/null +++ b/localfs/etc/selinux/targeted/contexts/files/file_contexts.local @@ -0,0 +1,15 @@ +# This file is auto-generated by libsemanage +# Do not edit directly. + +/usr/lib/chromium-browser system_u:object_r:bin_t:s0 +/usr/lib/chromium-browser/chromium-browser.sh system_u:object_r:bin_t:s0 +/usr/lib/chrome-sandbox system_u:object_r:chrome_sandbox_exec_t:s0 +/www/docs/jango104.domain.de(/.*)? system_u:object_r:httpd_sys_content_t:s0 +/usr/share/dnfdaemon/dnfdaemon-system system_u:object_r:rpm_exec_t:s0 +/var/srv/samba(/.*)? system_u:object_r:samba_share_t:s0 +/var/lib/libvirt/isos(/.*)? system_u:object_r:public_content_t:s0 +/var/srv/samba/public(/.*)? system_u:object_r:public_content_t:s0 +/var/srv/nfs(/.*)? system_u:object_r:public_content_t:s0 +/var/lib/nfs(/.*)? system_u:object_r:nfsd_fs_t:s0 +/var/srv/samba/redhat(/.*)? system_u:object_r:public_content_t:s0 +/var/srv/common(/.*)? system_u:object_r:public_content_t:s0 diff --git a/localfs/etc/ssh/sshd_config b/localfs/etc/ssh/sshd_config new file mode 100644 index 0000000..084402b --- /dev/null 
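Review bot: In `[hodenkobold]` the share sets `read only = yes` and then `writeable = yes`; `writeable` is the inverted synonym of `read only`, and the later line wins, so the share is effectively writable — together with `guest ok = yes`, `public = yes` and `map to guest = bad user` in `[global]` that is anonymous write access to `/srv/samba/public` from anything in `10.0.0.0/8`. If read-only is intended (as `[isos]` does with `writeable = no`), drop the `writeable = yes` line; the `writeable = yes` in `[global]` also makes every future share writable by default and deserves a comment. No `server min protocol` is set; Samba releases current at this commit still allowed SMB1 (NT1) by default, so `server min protocol = SMB2` and `server signing = mandatory` in `[global]` would be cheap hardening for a guest-accessible server.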
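Review bot: `file_contexts.local` labels `/www/docs/jango104.domain.de(/.*)?` as `httpd_sys_content_t`, but the vhost in jango104.conf serves from `/var/www/vhosts/jango104.domain.de`, which already carries that type under the default policy; the `/www/docs` entry looks stale. The header states the file is generated by libsemanage and must not be edited directly, so committing it is fragile — recording the equivalent `semanage fcontext -a -t TYPE 'PATH(/.*)?'` commands (or a `semanage export` dump) in a script is the usual way to version these. The `/var/srv/samba...` entries versus smb.conf's `/srv/samba/...` paths presumably rely on the `/srv` → `/var/srv` equivalence in Fedora's policy; a one-line comment saying so would save the next reader the lookup.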
+++ b/localfs/etc/ssh/sshd_config 
@@ -0,0 +1,161 @@ +# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/bin:/usr/bin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +# If you want to change the port on a SELinux system, you have to tell +# SELinux about this change. +# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER +# +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# System-wide Crypto policy: +# If this system is following system-wide crypto policy, the changes to +# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any +# effect here. They will be overridden by command-line options passed on +# the server start up. +# To opt out, uncomment a line with redefinition of CRYPTO_POLICY= +# variable in /etc/sysconfig/sshd to overwrite the policy. +# For more information, see manual page for update-crypto-policies(8). 
+ +# Logging +#SyslogFacility AUTH +SyslogFacility AUTHPRIV +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin prohibit-password +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +#PermitEmptyPasswords no +PasswordAuthentication no + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no +#KerberosUseKuserok yes + +# GSSAPI options +GSSAPIAuthentication yes +GSSAPICleanupCredentials no +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no +#GSSAPIEnablek5users no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. 
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several +# problems. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#ShowPatchLevel no +#UseDNS no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# Accept locale-related environment variables +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE +AcceptEnv XMODIFIERS + +# override default of no subsystems +Subsystem sftp /usr/libexec/openssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server + +# okay, yoda won't come in here, but we want this secure :) +Compression delayed +#Compression no +#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr +# aes256-ctr for PuTTY :( +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com #,aes256-ctr +# hmac-sha2-256 for putty and Enterprise Linux :( +#MACs hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256 +MACs hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com +#KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 +#pubkeyacceptedkeytypes 
ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512 +pubkeyacceptedkeytypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 diff --git a/localfs/etc/sssd/sssd.conf b/localfs/etc/sssd/sssd.conf new file mode 100644 index 0000000..7e86c46 --- /dev/null +++ b/localfs/etc/sssd/sssd.conf @@ -0,0 +1,47 @@ +[sssd] +domains = whatever.de +config_file_version = 2 +services = nss, pam +default_domain_suffix = WHATEVER.DE + +[domain/whatever.de] +ad_domain = whatever.de +krb5_realm = WHATEVER.DE +realmd_tags = manages-system joined-with-adcli +cache_credentials = True +id_provider = ad +krb5_store_password_if_offline = True +default_shell = /bin/bash +ldap_id_mapping = True +use_fully_qualified_names = True +access_provider = simple +dyndns_update = false +dyndns_refresh_interval = 43200 +dyndns_update_ptr = false +dyndns_ttl = 300 +simple_allow_users = ad_user1, ad_user2, ad_user3, ad_user4, ad_user5 +fallback_homedir = /home/%d/%u +#full_name_format = %1$s@%2$s +full_name_format = %1$s +override_homedir = /home/%u +enumerate = False +# do this if your Windows Admins are too lazy to properly +# configure AD round robin. I was in an environment where +# this was the case :( --> +ad_server = server1 +ad_backup_server = server2 + +[nss] +filter_groups = root +filter_users = root +reconnection_retries = 1 +entry_cache_timeout = 300 +entry_cache_nowait_percentage = 75 + +[pam] +reconnection_retries = 2 +# adjust the expiration to a proper value in the likes of +# offline_time + remote_work + windows_admins_laziness + mtbf +offline_credentials_expiration = 21 +offline_failed_login_attempts = 3 +offline_failed_login_delay = 5 diff --git a/localfs/etc/sudoers.d/dnf b/localfs/etc/sudoers.d/dnf new file mode 100644 index 0000000..1167684 --- /dev/null +++ b/localfs/etc/sudoers.d/dnf 
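Review bot: `Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com #,aes256-ctr` carries an inline comment; the OpenSSH releases current at this commit do not accept trailing `#` comments in sshd_config, so `sshd -t` should report garbage at end of line and sshd would fail to start — move `#,aes256-ctr` onto its own comment line. The `MACs` line still lists `hmac-ripemd160-etm@openssh.com`, which was removed in OpenSSH 7.6 and is rejected as a bad MAC spec on newer servers. Both lines may be inert anyway: the file's own header says `Ciphers`, `MACs` and `KexAlgorithms` are overridden by the system-wide crypto policy unless `CRYPTO_POLICY=` is redefined in `/etc/sysconfig/sshd`, which this commit does not include, so a comment recording which of the two is in force would help. `X11Forwarding yes` is enabled for every account while `AllowTcpForwarding` stays at its default; `X11Forwarding no` globally with a `Match User` block for the accounts that need it is the usual shape. The ed25519-only `HostKey`/`pubkeyacceptedkeytypes`, `PasswordAuthentication no` and `PermitRootLogin prohibit-password` are good choices.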
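Review bot: `access_provider = simple` with a hand-maintained `simple_allow_users` list means, as far as I can tell, that AD account state (disabled, expired, locked) is not consulted at login — `access_provider = ad`, optionally with `ad_access_filter`, evaluates that and can still be combined with an allow-list. `cache_credentials = True` together with `krb5_store_password_if_offline = True` keeps a copy of the user's password in the kernel keyring for offline ticket renewal; reasonable for a laptop joined to AD, but worth a comment so it is not copied onto servers unchanged. `ad_server = server1` / `ad_backup_server = server2` disables DC discovery via DNS SRV records, as the comment above them already acknowledges.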
@@ -0,0 +1 @@
+%maint ALL=(ALL) NOPASSWD:/usr/bin/dnf needs-restarting -color true,/usr/bin/dnf needs-restarting -C --color true,/usr/bin/dnf --refresh -y upgrade --color true
diff --git a/localfs/etc/sudoers.d/firewallcmd-completion b/localfs/etc/sudoers.d/firewallcmd-completion
new file mode 100644
index 0000000..ecafb0d
--- /dev/null
+++ b/localfs/etc/sudoers.d/firewallcmd-completion
@@ -0,0 +1,2 @@
+%wheel ALL=(ALL) NOPASSWD:/usr/bin/firewall-cmd --state
+%wheel@implicit_files ALL=(ALL) NOPASSWD:/usr/bin/firewall-cmd --state
diff --git a/localfs/etc/sudoers.d/insults b/localfs/etc/sudoers.d/insults
new file mode 100644
index 0000000..8c445e5
--- /dev/null
+++ b/localfs/etc/sudoers.d/insults
@@ -0,0 +1 @@
+Defaults insults
diff --git a/localfs/etc/sudoers.d/inxi b/localfs/etc/sudoers.d/inxi
new file mode 100644
index 0000000..dfa1230
--- /dev/null
+++ b/localfs/etc/sudoers.d/inxi
@@ -0,0 +1,2 @@
+%wheel ALL=(ALL) NOPASSWD:/usr/bin/inxi -bmc24,/usr/bin/inxi -bmc7,/usr/bin/inxi -bmc12,/usr/bin/inxi -bmc5
+%wheel@implicit_files ALL=(ALL) NOPASSWD:/usr/bin/inxi -bmc24,/usr/bin/inxi -bmc7,/usr/bin/inxi -bmc12,/usr/bin/inxi -bmc5
diff --git a/localfs/etc/sudoers.d/network b/localfs/etc/sudoers.d/network
new file mode 100644
index 0000000..8f293a2
--- /dev/null
+++ b/localfs/etc/sudoers.d/network
@@ -0,0 +1 @@
+%wheel ALL=(ALL) NOPASSWD:/bin/systemctl restart network NetworkManager,/bin/systemctl restart network*,/bin/systemctl restart NetworkManager*
diff --git a/localfs/etc/sudoers.d/shutdown b/localfs/etc/sudoers.d/shutdown
new file mode 100644
index 0000000..4fbe5bd
--- /dev/null
+++ b/localfs/etc/sudoers.d/shutdown
@@ -0,0 +1 @@
+%wheel ALL=(ALL) NOPASSWD:/sbin/reboot,/sbin/poweroff,/bin/systemctl reboot,/bin/systemctl poweroff,/sbin/shutdown -r now,/sbin/shutdown -P now
diff --git a/localfs/etc/sysconfig/network-scripts/.gitignore b/localfs/etc/sysconfig/network-scripts/.gitignore
new file mode 100644
index 0000000..d238de3
--- /dev/null
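Review bot: The first command in the `%maint` entry is written as `needs-restarting -color true` with a single dash, so the only invocation sudo will accept is one that dnf would parse as `-c olor` (a config-file option) rather than a colour flag; it should read `/usr/bin/dnf needs-restarting --color true` like the other two entries. The third entry, `dnf --refresh -y upgrade`, is root-equivalent: rpm scriptlets from every enabled repository run as root, and several repositories added in this commit use plain-http baseurls or keys, so a passwordless upgrade for `%maint` is only as trustworthy as the weakest repo. Either require a password for the upgrade entry or add a comment stating that `%maint` is effectively root.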
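Review bot: The user spec `%wheel@implicit_files` on the second line is unexplained; it looks like the qualified group name SSSD's implicit files domain produces for local groups when `default_domain_suffix` is set, as sssd.conf in this commit does, but a reader cannot distinguish that from a typo. Add a comment above it such as `# sssd implicit_files domain: local groups resolve as wheel@implicit_files when default_domain_suffix is set`, and run `visudo -cf` on the file before deploying, because a parse error in any file under /etc/sudoers.d makes sudo refuse every command.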
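Review bot: `/bin/systemctl restart network*` and `/bin/systemctl restart NetworkManager*` are globbed, and sudoers matches command-line arguments as one concatenated string, so the `*` matches across word boundaries and `sudo systemctl restart network sshd.service` (or any other unit, or extra options) is accepted by the first pattern. Enumerate the exact units instead, e.g. `/bin/systemctl restart network, /bin/systemctl restart NetworkManager, /bin/systemctl restart NetworkManager.service`, and drop the globs. On Fedora `%wheel` normally already holds `ALL=(ALL) ALL`, so this entry only removes the password prompt; a comment saying so would make the intent clear.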
+++ b/localfs/etc/sysconfig/network-scripts/.gitignore
@@ -0,0 +1 @@
+keys-*
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-CISCO-default b/localfs/etc/sysconfig/network-scripts/ifcfg-CISCO-default
new file mode 100644
index 0000000..0db37f2
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-CISCO-default
@@ -0,0 +1,20 @@
+DEVICE=br0-cisco
+STP=yes
+BRIDGING_OPTS=priority=32768
+TYPE=Bridge
+PROXY_METHOD=none
+BROWSER_ONLY=no
+BOOTPROTO=none
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_FAILURE_FATAL=no
+IPV6_ADDR_GEN_MODE=stable-privacy
+NAME=br0-ciscodef
+UUID=f61c4b46-fe22-4137-8849-18bd3c76fbc8
+ONBOOT=no
+IPADDR=192.168.1.16
+PREFIX=24
+DELAY=9
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-br0-default b/localfs/etc/sysconfig/network-scripts/ifcfg-br0-default
new file mode 100644
index 0000000..2b2624c
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-br0-default
@@ -0,0 +1,20 @@
+TYPE=Bridge
+PROXY_METHOD=none
+BROWSER_ONLY=no
+BOOTPROTO=dhcp
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_FAILURE_FATAL=no
+IPV6_ADDR_GEN_MODE=stable-privacy
+NAME=br0-default
+UUID=af9c618a-4f14-4086-9c6e-aca123374161
+ONBOOT=yes
+AUTOCONNECT_PRIORITY=1
+DEVICE=br0
+NM_CONTROLLED=yes
+STP=yes
+BRIDGING_OPTS=priority=32768
+ZONE=lokalhorst
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-br0-example1 b/localfs/etc/sysconfig/network-scripts/ifcfg-br0-example1
new file mode 100644
index 0000000..352fbb3
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-br0-example1
@@ -0,0 +1,20 @@
+TYPE=Bridge
+PROXY_METHOD=none
+BROWSER_ONLY=no
+BOOTPROTO=dhcp
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_FAILURE_FATAL=no
+IPV6_ADDR_GEN_MODE=stable-privacy
+NAME=br0-example1
+UUID=56b3bc94-65f8-4688-8ba1-e6e0967137c5
+ONBOOT=no
+AUTOCONNECT_PRIORITY=1
+DEVICE=br0
+NM_CONTROLLED=yes
+STP=no
+DOMAIN="domain1.local domain2.de"
+ZONE=lokalhorst
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-enp0s31f6-default b/localfs/etc/sysconfig/network-scripts/ifcfg-enp0s31f6-default
new file mode 100644
index 0000000..147f3a5
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-enp0s31f6-default
@@ -0,0 +1,9 @@
+TYPE=Ethernet
+NAME=enp0s31f6-default
+UUID=b1823a65-9f5e-4bfa-a0ea-835072f74308
+DEVICE=enp0s31f6
+ONBOOT=yes
+BRIDGE_UUID=af9c618a-4f14-4086-9c6e-aca123374161
+BRIDGE=br0
+ZONE=FedoraWorkstation
+NM_CONTROLLED=yes
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-lo b/localfs/etc/sysconfig/network-scripts/ifcfg-lo
new file mode 100644
index 0000000..cb4f3f9
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-lo
@@ -0,0 +1,9 @@
+DEVICE=lo
+IPADDR=127.0.0.1
+NETMASK=255.0.0.0
+NETWORK=127.0.0.0
+# If you're having problems with gated making 127.0.0.0/8 a martian,
+# you can change this to something else (255.255.255.255, for example)
+BROADCAST=127.255.255.255
+ONBOOT=yes
+NAME=loopback
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-Brueckengandalf b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-Brueckengandalf
new file mode 100644
index 0000000..66fc6ee
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-Brueckengandalf
@@ -0,0 +1,12 @@
+ESSID=Gabbergandalf
+MODE=Managed
+KEY_MGMT=WPA-PSK
+MAC_ADDRESS_RANDOMIZATION=default
+TYPE=Wireless
+NAME=wlp1s0-Brueckengandalf
+UUID=7414be92-9eea-4d3a-ae6c-f8de93409467
+DEVICE=wlp1s0
+ONBOOT=yes
+BRIDGE=wbr0
+BRIDGE_UUID=e4452e33-d9d9-42dd-b43e-188d704e03e3
+ZONE=lokalhorst
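Review bot: This profile enslaves a station-mode Wi-Fi interface (`MODE=Managed`) to the bridge `wbr0`, and most access points drop frames whose source MAC is not the associated station's, so hosts behind the bridge normally cannot talk through it unless the interface runs in 4-address (WDS) mode or something rewrites MACs — the file shows neither. A comment stating which mechanism is relied on, e.g. `# bridged station: requires 4addr/WDS support on the AP side`, would save the next reader a debugging session. With `ONBOOT=yes` the laptop also auto-joins this network at boot, which is fine for a home SSID but worth stating, since the other wlp1s0 profiles in this commit use `ONBOOT=no`.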
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-dingeling b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-dingeling
new file mode 100644
index 0000000..62f28a7
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-dingeling
@@ -0,0 +1,19 @@
+ESSID=alivieskan-elaeimistoe
+MODE=Managed
+KEY_MGMT=WPA-PSK
+MAC_ADDRESS_RANDOMIZATION=default
+TYPE=Wireless
+PROXY_METHOD=none
+BROWSER_ONLY=no
+BOOTPROTO=dhcp
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_FAILURE_FATAL=no
+IPV6_ADDR_GEN_MODE=stable-privacy
+NAME=wlp1s0-dingeling
+UUID=3edf5aaa-3f2a-4abf-bd51-510fa885bc6b
+DEVICE=wlp1s0
+ONBOOT=no
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-hotspot b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-hotspot
new file mode 100644
index 0000000..bebf891
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-hotspot
@@ -0,0 +1,19 @@
+DEVICE=wlp1s0
+ESSID=adesch1337_gabbergandalf
+MODE=Ap
+KEY_MGMT=WPA-PSK
+WPA_ALLOW_WPA2=yes
+CIPHER_PAIRWISE=CCMP
+CIPHER_GROUP=CCMP
+SSID_HIDDEN=yes
+MAC_ADDRESS_RANDOMIZATION=default
+TYPE=Wireless
+PROXY_METHOD=none
+BROWSER_ONLY=no
+BOOTPROTO=shared
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=no
+NAME=wlp1s0-hotspot
+UUID=7c06c296-cb84-4794-a11b-0d2aded13039
+ONBOOT=no
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-peap-gtc b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-peap-gtc
new file mode 100644
index 0000000..68220ce
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-peap-gtc
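Review bot: `SSID_HIDDEN=yes` in the hotspot profile adds no confidentiality: the SSID is still sent in association frames, and every client configured for a hidden network actively probes for it wherever it goes, which leaks the name and makes those clients easier to track or to lure with an evil twin. Drop the line or mark it as cosmetic, e.g. `# hidden SSID is not a security control; clients will probe for it`. The WPA2/CCMP-only settings (`WPA_ALLOW_WPA2=yes`, `CIPHER_PAIRWISE=CCMP`, `CIPHER_GROUP=CCMP`) are the right choice, and the PSK lives in the gitignored `keys-*` file. Note that `BOOTPROTO=shared` makes NetworkManager enable forwarding and masquerading for this interface on its own, so the sysctl forwarding file in this commit is not the only thing turning this host into a router.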
@@ -0,0 +1,23 @@
+ESSID=hpeinternet
+MODE=Managed
+KEY_MGMT=WPA-EAP
+MAC_ADDRESS_RANDOMIZATION=default
+TYPE=Wireless
+IEEE_8021X_EAP_METHODS=PEAP
+IEEE_8021X_IDENTITY=some.address@hpe.com
+IEEE_8021X_INNER_AUTH_METHODS=GTC
+PROXY_METHOD=auto
+BROWSER_ONLY=no
+BOOTPROTO=dhcp
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_FAILURE_FATAL=no
+IPV6_PRIVACY=no
+IPV6_ADDR_GEN_MODE=stable-privacy
+NAME=wlp1s0-hpeinternet
+UUID=8a48a95b-d227-45f3-a62b-37eb6ae05d76
+DEVICE=wlp1s0
+ONBOOT=no
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-peap-mschapv2 b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-peap-mschapv2
new file mode 100644
index 0000000..496e90e
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-peap-mschapv2
@@ -0,0 +1,23 @@
+ESSID=MobD
+MODE=Managed
+KEY_MGMT=WPA-EAP
+MAC_ADDRESS_RANDOMIZATION=default
+TYPE=Wireless
+IEEE_8021X_EAP_METHODS=PEAP
+IEEE_8021X_IDENTITY=some.address@some.domain
+IEEE_8021X_INNER_AUTH_METHODS=MSCHAPV2
+PROXY_METHOD=auto
+BROWSER_ONLY=no
+BOOTPROTO=dhcp
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_FAILURE_FATAL=no
+IPV6_PRIVACY=no
+IPV6_ADDR_GEN_MODE=stable-privacy
+NAME=wlp1s0-mobd
+UUID=b437164d-fbeb-4b84-9c3c-7767696c0c0a
+DEVICE=wlp1s0
+ONBOOT=no
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-telekom-free b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-telekom-free
new file mode 100644
index 0000000..bc1a3b3
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-telekom-free
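Review bot: This PEAP profile does not pin the RADIUS server: there is no `IEEE_8021X_CA_CERT` and no subject or domain match, so the supplicant will build the TLS tunnel to whatever server answers for `hpeinternet`, and with `IEEE_8021X_INNER_AUTH_METHODS=GTC` the password is sent in cleartext inside that tunnel — an evil twin collects the credential directly. Add `IEEE_8021X_CA_CERT=/etc/pki/ca-trust/source/anchors/<corp-ca>.pem` and `IEEE_8021X_SUBJECT_MATCH=<radius server name>` (ifcfg-rh key names as I recall them; confirm against nm-settings-ifcfg-rh for the NM version in use), keeping only the password in the gitignored `keys-*` file. `PROXY_METHOD=auto` additionally appears to enable PAC/WPAD-style proxy discovery on this network, a separate trust decision that deserves a one-line comment.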
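Review bot: The `MobD` profile has the same gap as the other PEAP profile — no `IEEE_8021X_CA_CERT` or server-name match — so any AP announcing `MobD` can terminate the tunnel and harvest the MSCHAPv2 challenge/response, from which the NT hash can be recovered offline. Pin the CA and server with `IEEE_8021X_CA_CERT=/etc/pki/ca-trust/source/anchors/<corp-ca>.pem` and `IEEE_8021X_SUBJECT_MATCH=<radius server name>` (confirm the exact ifcfg-rh key names for your NM version). The enclosing file is complete in this hunk; nothing outside it supplies the certificate.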
@@ -0,0 +1,18 @@
+ESSID=Telekom_free
+MODE=Managed
+MAC_ADDRESS_RANDOMIZATION=default
+TYPE=Wireless
+PROXY_METHOD=none
+BROWSER_ONLY=no
+BOOTPROTO=dhcp
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_FAILURE_FATAL=no
+IPV6_ADDR_GEN_MODE=stable-privacy
+NAME=wlp1s0-telekom-free
+UUID=2141a44d-1697-4142-8d17-f45f5047d403
+DEVICE=wlp1s0
+ONBOOT=no
diff --git a/localfs/etc/sysctl.d/93-disable-ipv6.conf b/localfs/etc/sysctl.d/93-disable-ipv6.conf
new file mode 100644
index 0000000..30b2d9b
--- /dev/null
+++ b/localfs/etc/sysctl.d/93-disable-ipv6.conf
@@ -0,0 +1,2 @@
+net.ipv6.conf.all.disable_ipv6=1
+net.ipv6.conf.default.disable_ipv6=1
diff --git a/localfs/etc/sysctl.d/94-bridgenotables.conf b/localfs/etc/sysctl.d/94-bridgenotables.conf
new file mode 100644
index 0000000..7b81020
--- /dev/null
+++ b/localfs/etc/sysctl.d/94-bridgenotables.conf
@@ -0,0 +1,4 @@
+# Those don't exist anymore
+#net.bridge.bridge-nf-call-ip6tables=0
+#net.bridge.bridge-nf-call-iptables=0
+#net.bridge.bridge-nf-call-arptables=0
diff --git a/localfs/etc/sysctl.d/95-forwarding.conf b/localfs/etc/sysctl.d/95-forwarding.conf
new file mode 100644
index 0000000..d0d7f8d
--- /dev/null
+++ b/localfs/etc/sysctl.d/95-forwarding.conf
@@ -0,0 +1,6 @@
+net.ipv4.conf.all.forwarding=1
+net.ipv6.conf.all.forwarding=1
+net.ipv4.conf.all.mc_forwarding=1
+net.ipv6.conf.all.mc_forwarding=1
+# https://husse.in/uncategorized/setup-a-kvm-vps-host-lvm-on-software-raid1-and-a-virtual-pfsense-router/
+net.ipv4.tcp_ecn=0
diff --git a/localfs/etc/sysctl.d/96-noredir.conf b/localfs/etc/sysctl.d/96-noredir.conf
new file mode 100644
index 0000000..ba999b2
--- /dev/null
+++ b/localfs/etc/sysctl.d/96-noredir.conf
@@ -0,0 +1,4 @@
+net.ipv4.conf.br0.send_redirects=0
+net.ipv4.conf.sosbr0.send_redirects=0
+net.ipv4.conf.clusbr0.send_redirects=0
+net.ipv4.conf.all.send_redirects=0
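Review bot: `net.ipv4.conf.all.forwarding=1` and `net.ipv6.conf.all.forwarding=1` turn this machine into a router on every interface, including the Wi-Fi profiles in this commit that join corporate 802.1X networks and public hotspots; whether packets then actually cross between those and the KVM bridges depends entirely on firewalld's forward policy, which is not visible here. If forwarding is only needed for the virtualisation bridges, scope it per interface (`net.ipv4.conf.br0.forwarding=1`) or rely on libvirt and NetworkManager's shared mode to enable it, and say so in a comment. The two `mc_forwarding` lines are, as far as I recall, read-only sysctls that a multicast routing daemon sets, so they only produce an error at boot. Note also that 93-disable-ipv6.conf in the same commit disables IPv6 while this file enables IPv6 forwarding and every ifcfg file sets `IPV6INIT=yes`; the IPv6 intent is inconsistent, and the `tcp_ecn=0` line cites a blog post instead of a reason.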
diff --git a/localfs/etc/sysctl.d/97-transmission.conf b/localfs/etc/sysctl.d/97-transmission.conf
new file mode 100644
index 0000000..7862332
--- /dev/null
+++ b/localfs/etc/sysctl.d/97-transmission.conf
@@ -0,0 +1,2 @@
+net.core.wmem_max = 1048576
+net.core.rmem_max = 4194304
diff --git a/localfs/etc/sysctl.d/99-sysctl.conf b/localfs/etc/sysctl.d/99-sysctl.conf
new file mode 100644
index 0000000..41c0c41
--- /dev/null
+++ b/localfs/etc/sysctl.d/99-sysctl.conf
@@ -0,0 +1,10 @@
+# sysctl settings are defined through files in
+# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
+#
+# Vendors settings live in /usr/lib/sysctl.d/.
+# To override a whole file, create a new file with the same in
+# /etc/sysctl.d/ and put new settings there. To override
+# only specific settings, add a file with a lexically later
+# name in /etc/sysctl.d/ and put new settings there.
+#
+# For more information, see sysctl.conf(5) and sysctl.d(5).
diff --git a/localfs/etc/systemd/system/cluster-muromachi.target b/localfs/etc/systemd/system/cluster-muromachi.target
new file mode 100644
index 0000000..ec63edc
--- /dev/null
+++ b/localfs/etc/systemd/system/cluster-muromachi.target
@@ -0,0 +1,6 @@
+[Unit]
+Description=Cluster "muromachi_cl"
+BindsTo=kvm-clustervm@centoscl0.service kvm-clustervm@centoscl1.service kvm-clustervm@centoscl2.service
+
+[Install]
+WantedBy=multi-user.target
diff --git a/localfs/etc/systemd/system/freshclam.service b/localfs/etc/systemd/system/freshclam.service
new file mode 100644
index 0000000..a14de83
--- /dev/null
+++ b/localfs/etc/systemd/system/freshclam.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=ClamAV database updater (freshclam)
+Wants=network.target
+Requires=network.target
+After=network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/local/sbin/freshclamd start
+ExecStop=/usr/local/sbin/freshclamd stop
+TimeoutStartSec=10s
+TimeoutStopSec=30s
+
+[Install]
+WantedBy=multi-user.target
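Review bot: `Type=forking` without a `PIDFile=` leaves systemd to guess the main PID of whatever `/usr/local/sbin/freshclamd start` leaves behind, and `Requires=network.target` / `After=network.target` only order the unit after network setup has begun, not after an address is up, so the first signature download can fail on boot. Use `Wants=network-online.target` with `After=network-online.target`, and add `PIDFile=` pointing at the wrapper's pid file. If the distribution's own freshclam unit or timer is also installed, this custom unit duplicates it; a comment explaining why the `/usr/local/sbin` wrapper is used would help the next maintainer.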
diff --git a/localfs/etc/systemd/system/kvm-arch.service b/localfs/etc/systemd/system/kvm-arch.service
new file mode 100644
index 0000000..597548f
--- /dev/null
+++ b/localfs/etc/systemd/system/kvm-arch.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=virtual machine triskel05 (Arch)
+Requires=libvirtd.service libvirt-guests.service lvm2-lvmetad.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/virsh start arch
+ExecStop=/bin/virsh shutdown arch
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/localfs/etc/systemd/system/kvm-clustervm@.service b/localfs/etc/systemd/system/kvm-clustervm@.service
new file mode 100644
index 0000000..f21cbcd
--- /dev/null
+++ b/localfs/etc/systemd/system/kvm-clustervm@.service
@@ -0,0 +1,31 @@
+# Work in progress:
+# - Start needs to be more sophisticated in reaction to state of domains
+# - Stop should not just do a post-sleep, but instead the post section should
+# carry a script polling the state of the machine and hammering it into the
+# coffing after a certain timeout
+[Unit]
+Description=VM %i (with cluster inside)
+Wants=kvm-infravm@iscsi.service
+After=kvm-infravm@iscsi.service
+Wants=lvm2-monitor.service
+Requires=libvirtd.service
+Requires=kvm-firewall.service
+Requires=kvm-network@sosaria05.service
+Requires=kvm-network@san-cluster.service
+After=kvm-firewall.service
+After=libvirtd.service
+After=lvm2-monitor.service
+After=kvm-network@sosaria05.service
+After=kvm-network@san-cluster.service
+PartOf=cluster-muromachi.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/kvmhelper -q vm-start %i
+ExecStop=/usr/local/bin/kvmhelper -q vm-stop %i
+RemainAfterExit=yes
+TimeoutStartSec=10s
+TimeoutStopSec=60s
+
+[Install]
+WantedBy=cluster-muromachi.target
diff --git a/localfs/etc/systemd/system/kvm-debian.service b/localfs/etc/systemd/system/kvm-debian.service
new file mode 100644
index 0000000..1347a0b
--- /dev/null
+++ b/localfs/etc/systemd/system/kvm-debian.service
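Review bot: kvm-arch.service declares `Requires=libvirtd.service libvirt-guests.service lvm2-lvmetad.service` but no `After=`, so systemd may start it in parallel with libvirtd and `virsh start arch` can run before the daemon socket exists; add `After=libvirtd.service lvm2-lvmetad.service`. Requiring `libvirt-guests.service` also means two managers for the same domain — libvirt-guests suspends and resumes guests on its own schedule while this unit issues `virsh shutdown`, which returns immediately, so the unit counts as stopped while the guest is still shutting down. The kvm-debian, kvm-jango105 and kvm-opensuse units in this commit follow the same pattern; kvm-firewall.service and kvm-clustervm@.service show the explicit `After=` lines to copy.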
@@ -0,0 +1,12 @@
+[Unit]
+Description=virtual machine balinorgel05 (Debian stable)
+Requires=libvirtd.service libvirt-guests.service lvm2-lvmetad.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/virsh start debian
+ExecStop=/bin/virsh shutdown debian
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/localfs/etc/systemd/system/kvm-firewall.service b/localfs/etc/systemd/system/kvm-firewall.service
new file mode 100644
index 0000000..b68ede5
--- /dev/null
+++ b/localfs/etc/systemd/system/kvm-firewall.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=virtual machine cthulhu05 (Debian Firewall)
+Wants=lvm2-monitor.service
+Requires=libvirtd.service
+Requires=kvm-network@sosaria05.service
+Requires=kvm-network@san-cluster.service
+After=libvirtd.service
+After=lvm2-monitor.service
+After=kvm-network@sosaria05.service
+After=kvm-network@san-cluster.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/kvmhelper -q vm-start firewall
+ExecStop=/usr/local/bin/kvmhelper -q vm-stop firewall
+RemainAfterExit=yes
+TimeoutStartSec=10s
+TimeoutStopSec=60s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/localfs/etc/systemd/system/kvm-guestmount.service b/localfs/etc/systemd/system/kvm-guestmount.service
new file mode 100644
index 0000000..fab979f
--- /dev/null
+++ b/localfs/etc/systemd/system/kvm-guestmount.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Mount KVM domains' boot partitions for direct boots
+Requires=libvirtd.service lvm2-lvmetad.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+# Test phase, only using arch. Will do a script later on when the amount is > 1
+ExecStart=/usr/bin/guestmount -r -o allow_other -o ro -m /dev/sda2:/:acl,user_xattr -a /dev/libvirt/arch-boot /var/lib/libvirt/boot/arch
+ExecStop=/usr/bin/guestunmount /var/lib/libvirt/boot/arch
+
+[Install]
+WantedBy=multi-user.target
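Review bot: In kvm-guestmount.service, `-o allow_other` exposes the guest's mounted boot partition to every local user through FUSE, and the unit has `Requires=` but no `After=`, so the mount can race libvirtd and LVM activation at boot; add `After=libvirtd.service lvm2-lvmetad.service` and drop `allow_other` unless unprivileged users genuinely need to read the guest's kernel and initrd (`-r` and `-o ro` are also redundant). Mounting `/dev/libvirt/arch-boot` while the `arch` domain may have the same volume open relies on the mount being read-only to stay safe; a comment stating that assumption would help, e.g. `# read-only: the arch domain may have this LV open at the same time`.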
diff --git a/localfs/etc/systemd/system/kvm-infravm@.service b/localfs/etc/systemd/system/kvm-infravm@.service
new file mode 100644
index 0000000..29f8321
--- /dev/null
+++ b/localfs/etc/systemd/system/kvm-infravm@.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Infrastructural VM %i
+Wants=lvm2-monitor.service
+Requires=libvirtd.service
+Requires=kvm-firewall.service
+Requires=kvm-network@sosaria05.service
+Requires=kvm-network@san-cluster.service
+After=kvm-firewall.service
+After=libvirtd.service
+After=lvm2-monitor.service
+After=kvm-network@sosaria05.service
+After=kvm-network@san-cluster.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/kvmhelper -q vm-start %i
+ExecStop=/usr/local/bin/kvmhelper -q vm-stop %i
+RemainAfterExit=yes
+TimeoutStartSec=10s
+TimeoutStopSec=60s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/localfs/etc/systemd/system/kvm-jango105.service b/localfs/etc/systemd/system/kvm-jango105.service
new file mode 100644
index 0000000..416c1af
--- /dev/null
+++ b/localfs/etc/systemd/system/kvm-jango105.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=virtual machine jango105 (Windows 10)
+Requires=libvirtd.service libvirt-guests.service lvm2-lvmetad.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/virsh start jango105
+ExecStop=/bin/virsh shutdown jango105
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/localfs/etc/systemd/system/kvm-opensuse.service b/localfs/etc/systemd/system/kvm-opensuse.service
new file mode 100644
index 0000000..217dbbe
--- /dev/null
+++ b/localfs/etc/systemd/system/kvm-opensuse.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=virtual machine loukaniko05 (OpenSUSE Leap)
+Requires=libvirtd.service libvirt-guests.service lvm2-lvmetad.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/virsh start opensuse
+ExecStop=/bin/virsh shutdown opensuse
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/localfs/etc/yum.repos.d/_copr_gregw-i3desktop.repo b/localfs/etc/yum.repos.d/_copr_gregw-i3desktop.repo
new file mode 100644
index 0000000..32e3a46
--- /dev/null
+++ b/localfs/etc/yum.repos.d/_copr_gregw-i3desktop.repo
@@ -0,0 +1,10 @@
+[gregw-i3desktop]
+name=Copr repo for i3desktop owned by gregw
+baseurl=https://copr-be.cloud.fedoraproject.org/results/gregw/i3desktop/fedora-$releasever-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://copr-be.cloud.fedoraproject.org/results/gregw/i3desktop/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
\ No newline at end of file
diff --git a/localfs/etc/yum.repos.d/_copr_markand-RetroArch.repo b/localfs/etc/yum.repos.d/_copr_markand-RetroArch.repo
new file mode 100644
index 0000000..10eab66
--- /dev/null
+++ b/localfs/etc/yum.repos.d/_copr_markand-RetroArch.repo
@@ -0,0 +1,10 @@
+[markand-RetroArch]
+name=Copr repo for RetroArch owned by markand
+baseurl=https://copr-be.cloud.fedoraproject.org/results/markand/RetroArch/fedora-$releasever-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://copr-be.cloud.fedoraproject.org/results/markand/RetroArch/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
\ No newline at end of file
diff --git a/localfs/etc/yum.repos.d/_copr_plambri-desktop-apps.repo b/localfs/etc/yum.repos.d/_copr_plambri-desktop-apps.repo
new file mode 100644
index 0000000..05115bd
--- /dev/null
+++ b/localfs/etc/yum.repos.d/_copr_plambri-desktop-apps.repo
@@ -0,0 +1,10 @@
+[plambri-desktop-apps]
+name=Copr repo for desktop-apps owned by plambri
+baseurl=https://copr-be.cloud.fedoraproject.org/results/plambri/desktop-apps/fedora-$releasever-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://copr-be.cloud.fedoraproject.org/results/plambri/desktop-apps/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
\ No newline at end of file
diff --git a/localfs/etc/yum.repos.d/_copr_taw-Riot.repo b/localfs/etc/yum.repos.d/_copr_taw-Riot.repo
new file mode 100644
index 0000000..b72b0b8
--- /dev/null
+++ b/localfs/etc/yum.repos.d/_copr_taw-Riot.repo
@@ -0,0 +1,10 @@
+[taw-Riot]
+name=Copr repo for Riot owned by taw
+baseurl=https://copr-be.cloud.fedoraproject.org/results/taw/Riot/fedora-$releasever-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://copr-be.cloud.fedoraproject.org/results/taw/Riot/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
\ No newline at end of file
diff --git a/localfs/etc/yum.repos.d/_copr_wyvie-compton-master.repo b/localfs/etc/yum.repos.d/_copr_wyvie-compton-master.repo
new file mode 100644
index 0000000..c382d58
--- /dev/null
+++ b/localfs/etc/yum.repos.d/_copr_wyvie-compton-master.repo
@@ -0,0 +1,10 @@
+[wyvie-compton-master]
+name=Copr repo for compton-master owned by wyvie
+baseurl=https://copr-be.cloud.fedoraproject.org/results/wyvie/compton-master/fedora-$releasever-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://copr-be.cloud.fedoraproject.org/results/wyvie/compton-master/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
\ No newline at end of file
diff --git a/localfs/etc/yum.repos.d/adobe-linux-x86_64.repo b/localfs/etc/yum.repos.d/adobe-linux-x86_64.repo
new file mode 100644
index 0000000..4570c79
--- /dev/null
+++ b/localfs/etc/yum.repos.d/adobe-linux-x86_64.repo
@@ -0,0 +1,7 @@
+[adobe-linux-x86_64]
+name=Adobe Systems Incorporated
+baseurl=http://linuxdownload.adobe.com/linux/x86_64/
+enabled=1
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
+
diff --git a/localfs/etc/yum.repos.d/docker-ce-fallback.repo b/localfs/etc/yum.repos.d/docker-ce-fallback.repo
new file mode 100644
index 0000000..84385f5
--- /dev/null
+++ b/localfs/etc/yum.repos.d/docker-ce-fallback.repo
@@ -0,0 +1,6 @@
+[docker-ce-stable-26]
+name=Docker CE Stable - Fed26 - $basearch
+baseurl=https://download.docker.com/linux/fedora/26/$basearch/stable
+enabled=1
+gpgcheck=1
+gpgkey=https://download.docker.com/linux/fedora/gpg
diff --git a/localfs/etc/yum.repos.d/dotnetdev.repo b/localfs/etc/yum.repos.d/dotnetdev.repo
new file mode 100644
index 0000000..531ba52
--- /dev/null
+++ b/localfs/etc/yum.repos.d/dotnetdev.repo
@@ -0,0 +1,6 @@
+[packages-microsoft-com-prod]
+name=packages-microsoft-com-prod
+baseurl=https://packages.microsoft.com/yumrepos/microsoft-rhel7.4-prod
+enabled=1
+gpgcheck=1
+gpgkey=https://packages.microsoft.com/keys/microsoft.asc
diff --git a/localfs/etc/yum.repos.d/home:zhonghuaren.repo b/localfs/etc/yum.repos.d/home:zhonghuaren.repo
new file mode 100644
index 0000000..a5d5779
--- /dev/null
+++ b/localfs/etc/yum.repos.d/home:zhonghuaren.repo
@@ -0,0 +1,7 @@
+[home_zhonghuaren]
+name=RPM Sphere (Fedora_26)
+type=rpm-md
+baseurl=http://download.opensuse.org/repositories/home:/zhonghuaren/Fedora_26/
+gpgcheck=1
+gpgkey=http://download.opensuse.org/repositories/home:/zhonghuaren/Fedora_26/repodata/repomd.xml.key
+enabled=1
diff --git a/localfs/etc/yum.repos.d/keybase.repo b/localfs/etc/yum.repos.d/keybase.repo
new file mode 100644
index 0000000..8c5094c
--- /dev/null
+++ b/localfs/etc/yum.repos.d/keybase.repo
@@ -0,0 +1,7 @@
+[keybase]
+name=keybase
+baseurl=http://prerelease.keybase.io/rpm/x86_64
+enabled=1
+gpgcheck=1
+gpgkey=https://keybase.io/docs/server_security/code_signing_key.asc
+metadata_expire=60
diff --git a/localfs/etc/yum.repos.d/skype-stable.repo b/localfs/etc/yum.repos.d/skype-stable.repo
new file mode 100644
index 0000000..20e6469
--- /dev/null
+++ b/localfs/etc/yum.repos.d/skype-stable.repo
@@ -0,0 +1,6 @@
+[skype-stable]
+name=skype (stable)
+baseurl=https://repo.skype.com/rpm/stable/
+enabled=1
+gpgcheck=1
+gpgkey=https://repo.skype.com/data/SKYPE-GPG-KEY
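Review bot: docker-ce-fallback.repo hardcodes `baseurl=https://download.docker.com/linux/fedora/26/$basearch/stable` instead of using `$releasever` and is `enabled=1`, so on any later Fedora it keeps offering Fedora 26 builds of docker-ce, which stop receiving security fixes once that branch is retired, and those builds can win version comparisons against the current repo. Either set `enabled=0` and enable it ad hoc with `--enablerepo=docker-ce-stable-26`, or use `$releasever` plus `skip_if_unavailable=True`. A comment stating what it is a fallback for, and until when, would make the intent reviewable.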
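Review bot: In home:zhonghuaren.repo both `baseurl` and `gpgkey` are plain `http://`, so the signing key is imported unauthenticated on first use; an attacker who can tamper with that first fetch can also serve packages signed by a key of their choosing, and `gpgcheck=1` then verifies nothing useful. Switch both URLs to `https://download.opensuse.org/...` (OBS serves HTTPS) or ship the key as `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zhonghuaren` after verifying its fingerprint out of band. The repo is also pinned to `Fedora_26` with `enabled=1`, so it has the same staleness problem as the other release-pinned repositories in this commit.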
diff --git a/localfs/etc/yum.repos.d/telred-fedora-27.repo b/localfs/etc/yum.repos.d/telred-fedora-27.repo
new file mode 100644
index 0000000..05c6c2d
--- /dev/null
+++ b/localfs/etc/yum.repos.d/telred-fedora-27.repo
@@ -0,0 +1,6 @@
+[telred-fedora-27]
+name=TEL.RED software repository for Fedora 27
+baseurl=https://tel.red/repos/fedora/27/
+enabled=1
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TELRED
diff --git a/localfs/etc/yum.repos.d/telred-fedora-27.repo.rpmsave b/localfs/etc/yum.repos.d/telred-fedora-27.repo.rpmsave
new file mode 100644
index 0000000..15c947f
--- /dev/null
+++ b/localfs/etc/yum.repos.d/telred-fedora-27.repo.rpmsave
@@ -0,0 +1,6 @@
+[telred-fedora-27]
+name=TEL.RED software repository for Fedora 28
+baseurl=https://tel.red/repos/fedora/28/
+enabled=1
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TELRED
diff --git a/localfs/etc/yum.repos.d/telred-fedora-28.repo b/localfs/etc/yum.repos.d/telred-fedora-28.repo
new file mode 100644
index 0000000..d292c00
--- /dev/null
+++ b/localfs/etc/yum.repos.d/telred-fedora-28.repo
@@ -0,0 +1,6 @@
+[telred-fedora-28]
+name=TEL.RED software repository for Fedora 28
+baseurl=https://tel.red/repos/fedora/28/
+enabled=1
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TELRED
diff --git a/localfs/etc/yum.repos.d/vivaldi.repo b/localfs/etc/yum.repos.d/vivaldi.repo
new file mode 100644
index 0000000..d24e9e9
--- /dev/null
+++ b/localfs/etc/yum.repos.d/vivaldi.repo
@@ -0,0 +1,6 @@
+[vivaldi]
+name=vivaldi
+baseurl=http://repo.vivaldi.com/archive/rpm/x86_64
+enabled=1
+gpgcheck=1
+gpgkey=http://repo.vivaldi.com/archive/linux_signing_key.pub
-- cgit v1.2.3
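Review bot: vivaldi.repo fetches its trust anchor over plain HTTP (`gpgkey=http://repo.vivaldi.com/archive/linux_signing_key.pub`) and serves packages from an `http://` baseurl, so the first key import is a trust-on-first-use over an unauthenticated channel and `gpgcheck=1` only protects against tampering after that point. Use `https://` for both URLs if the vendor serves it, or store the key locally as `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-vivaldi` after checking its fingerprint against the vendor's published value, matching how the adobe and telred repos in this commit already pin their keys.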