Skip to content
This repository has been archived by the owner on Nov 20, 2023. It is now read-only.

Commit

Permalink
feat: make if so every file is already into this repo and disable boo…
Browse files Browse the repository at this point in the history 
…t services
  • Loading branch information
@tulilirockz
tulilirockz authored Aug 30, 2023
1 parent 0987ceb commit 915ff4d
Show file tree
Hide file tree
Showing 11 changed files with 64 additions and 28 deletions.
5 changes: 0 additions & 5 deletions recipe-dx.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,6 @@ scripts:
- dx-extras.sh
rpm:
repos:
- https://terra.fyralabs.com/terra.repo
install:
- python3-pip
- libadwaita
Expand All @@ -34,10 +33,6 @@ rpm:
- libvirt
- qemu-img
- tmux
- code-insiders
- jetbrainsmono-nerd-fonts
- firacode-nerd-fonts
- firamono-nerd-fonts
remove:
- wpa_supplicant
firstboot:
Expand Down
2 changes: 0 additions & 2 deletions scripts/post/displaylink_remove.sh
View file

This file was deleted.

2 changes: 2 additions & 0 deletions scripts/post/faster_boot_less_services.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
#!/bin/sh
systemctl disable displaylink.service bazzite-hardware-setup.service flatpak-system-install.service
15 changes: 0 additions & 15 deletions scripts/post/hardening.sh
View file

This file was deleted.

0 scripts/pre/networkmanager-realtek.sh → scripts/post/networkmanager-realtek.sh
100755 → 100644
View file
File renamed without changes.
6 changes: 0 additions & 6 deletions scripts/post/silead_gsl-firmware.sh
View file

This file was deleted.

Binary file added usr/lib/firmware/silead/mssl1680.fw
View file
Binary file not shown.
Binary file added usr/lib/firmware/silead/silead.fw
View file
Binary file not shown.
Binary file added usr/lib/firmware/silead/silead_ts.fw
View file
Binary file not shown.
28 changes: 28 additions & 0 deletions usr/lib/systemd/NetworkManager.service.d/99-brace.conf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
[Service]
# Hardening
CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
LockPersonality=true
MemoryDenyWriteExecute=true
#PrivateDevices=true #breaks tun usage
#ProtectProc=invisible
PrivateTmp=yes
ProtectClock=true
ProtectControlGroups=true
ProtectHome=read-only
ProtectKernelLogs=true
#ProtectKernelModules=true
#ProtectSystem=strict
ReadOnlyPaths=/etc/NetworkManager
ReadOnlyPaths=-/home
ReadWritePaths=-/etc/NetworkManager/system-connections
ReadWritePaths=-/etc/sysconfig/network-scripts
ReadWritePaths=/var/lib/NetworkManager
ReadWritePaths=-/var/run/NetworkManager
ReadWritePaths=-/run/NetworkManager
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
UMask=0077
34 changes: 34 additions & 0 deletions usr/lib/systemd/irqbalance.service.d/99-brace.conf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
[Service]
# Hardening
#CapabilityBoundingSet="CAP_SETPCAP"
LockPersonality=true
MemoryDenyWriteExecute=true
#NoNewPrivileges=true
PrivateDevices=true
#ProtectProc=invisible
PrivateTmp=yes
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadOnlyPaths=-/etc/default/irqbalance
ReadOnlyPaths=-/etc/sysconfig/irqbalance
ReadOnlyPaths=-/etc/irqbalance
ReadWritePaths=/proc/irq
ReadWritePaths=-/run/irqbalance
ReadWritePaths=-/var/run/irqbalance
RemoveIPC=true
RestrictAddressFamilies=~AF_INET
RestrictAddressFamilies=~AF_INET6
#RestrictAddressFamilies=~AF_NETLINK
RestrictAddressFamilies=~AF_PACKET
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
UMask=0077

0 comments on commit 915ff4d

Please sign in to comment.