V8.00.000.2025.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -23,13 +23,13 @@ installer:
|
||||
# APT settings
|
||||
################################################################################################################################
|
||||
apt:
|
||||
contrib: true # Optionally install contrib software.
|
||||
contrib: true # Optionally, install contrib software.
|
||||
deb_sources: true # Optionally includes deb-src entries for source repositories.
|
||||
default_list: true # By default, source repositories are listed in '/etc/apt/sources.list'. This MUST be "true".
|
||||
full_upgrade: true # Whether to upgrade packages after debootstrap.
|
||||
install_recommends: true # Configure APT to not install recommended packages by default.
|
||||
non_free: true # Optionally install non-free software.
|
||||
non_free_firmware: true # Optionally install non-free firmware. MUST be "true" for microcode updates.
|
||||
non_free: true # Optionally, install non-free software.
|
||||
non_free_firmware: true # Optionally, install non-free firmware. MUST be "true" for microcode updates.
|
||||
sec: "security.debian.org" # Debian Security Updates Archive.
|
||||
|
||||
##############################################################################################################################
|
||||
@@ -77,7 +77,7 @@ apt:
|
||||
################################################################################################################################
|
||||
# Basic settings
|
||||
################################################################################################################################
|
||||
architecture: "amd64" # MUST be one of "amd64", "intel64" or "arm64".
|
||||
architecture: "amd64" # MUST be one of "amd64" or "arm64".
|
||||
debootstrap: # Provide a mirror for downloading the Debian packages for debootstrap.
|
||||
# Specify the packages to be included in the debootstrapping process. Include a comma-separated
|
||||
# list of official Debian packages.
|
||||
@@ -249,7 +249,7 @@ grub_parameter:
|
||||
# attacks (SMoTHER, MDS, L1TF, TAA, Snoop-assisted).
|
||||
# Why is 'mitigations=auto,nosmt' better than setting everything manually?
|
||||
# Automatically adjusted: Depending on CPU family, stepping, microcode.
|
||||
# Consistency guaranteed: No contradictions between flags possible
|
||||
# Consistency guaranteed: No contradictions between flags are possible
|
||||
# (e.g., spec_store_bypass_disable=on vs. nospec_store_bypass_disable=off).
|
||||
# Future-proof: Even new features (e.g., bhi=flush or srbds) are automatically activated without having to know about them.
|
||||
##############################################################################################################################
|
||||
@@ -282,7 +282,7 @@ grub_parameter:
|
||||
|
||||
##############################################################################################################################
|
||||
# If mitigations=auto,nosmt is set, see before, then these flags should not be set individually because they are redundant.
|
||||
# Enable mitigations for the MDS vulnerability through clearing buffer cache and disabling SMT.
|
||||
# Enable mitigations for the MDS vulnerability through clearing the buffer cache and disabling SMT.
|
||||
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
|
||||
##############################################################################################################################
|
||||
#- "mds=full,nosmt"
|
||||
@@ -328,7 +328,7 @@ grub_parameter:
|
||||
# Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with Return Instructions) vulnerability and disable
|
||||
# SMT. If 'mitigations=auto,nosmt' is set, the kernel already activates all retbleed-relevant mitigations, provided the CPU
|
||||
# is affected; 'retbleed=auto,nosmt' explicitly overrides the internal assessment and forces full protection. If maximum
|
||||
# hardening is required, and one does not want to rely on "auto-detection" then it is recommended to additionally set
|
||||
# hardening is required, and one does not want to rely on "auto-detection", then it is recommended to additionally set
|
||||
# 'retbleed=auto,nosmt' otherwise, 'mitigations=auto,nosmt' is sufficient.
|
||||
# https://www.suse.com/support/kb/doc/?id=000020693
|
||||
##############################################################################################################################
|
||||
@@ -353,8 +353,8 @@ grub_parameter:
|
||||
- "rodata=on"
|
||||
|
||||
##############################################################################################################################
|
||||
# Kernel Electric-Fence (KFENCE) is a low-overhead sampling-based memory safety error detector. KFENCE detects heap
|
||||
# out-of-bounds access, use-after-free, and invalid-free errors. KFENCE is designed to be enabled in production kernels, and
|
||||
# Kernel Electric-Fence (KFENCE) is a low-overhead sampling-based memory safety error detector. KFENCE detects a heap of
|
||||
# out-of-bounds access, use-after-free, and invalid-free errors. KFENCE is designed to be enabled in production kernels and
|
||||
# has near zero performance overhead. Compared to KASAN, KFENCE trades performance for precision. The main motivation behind
|
||||
# KFENCE design is that with enough total uptime, KFENCE will detect bugs in code paths not typically exercised by
|
||||
# non-production test workloads. One way to quickly achieve a large enough total uptime is when the tool is deployed across a
|
||||
@@ -431,7 +431,7 @@ grub:
|
||||
# GRUB can configure your platform's NVRAM variables so that it boots into Debian automatically
|
||||
# when powered on. However, you may prefer to disable this behavior and avoid changes to your
|
||||
# boot configuration. For example, if your NVRAM variables have been set up such that your
|
||||
# system contacts a PXE server on every boot, this would preserve that behavior.
|
||||
# the system contacts a PXE server on every boot, this would preserve that behavior.
|
||||
|
||||
################################################################################################################################
|
||||
# Locale settings set language, country, locale, keyboard map and timezone
|
||||
@@ -597,9 +597,8 @@ software:
|
||||
# cryptsetup
|
||||
# cryptsetup-initramfs
|
||||
##############################################################################################################################
|
||||
### Installed by 4230_update_grub.sh
|
||||
### Installed by 4230_installation_grub.sh
|
||||
##############################################################################################################################
|
||||
# grub2
|
||||
# grub2-common
|
||||
# grub-efi-amd64 || grub-efi-arm64 || grub-efi-ia32
|
||||
##############################################################################################################################
|
||||
@@ -772,8 +771,8 @@ user:
|
||||
description: "Root user with full system access and administrative privileges."
|
||||
sudo: false # Whether the user can escalate to root using sudo.
|
||||
system: true # Whether this is a low-UID system user (e.g., for automation).
|
||||
restricted: false # If true, user is limited in scope (e.g., no login, no file access, --no-create-home)
|
||||
shell: true # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
|
||||
restricted: false # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
|
||||
shell: true # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
|
||||
|
||||
##############################################################################################################################
|
||||
# Primary administrative user with full sudo access
|
||||
@@ -802,8 +801,8 @@ user:
|
||||
description: "Primary admin user with full sudo access and interactive login."
|
||||
sudo: true # Whether the user can escalate to root using sudo.
|
||||
system: false # Whether this is a low-UID system user (e.g., for automation).
|
||||
restricted: false # If true, user is limited in scope (e.g., no login, no file access, --no-create-home)
|
||||
shell: true # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
|
||||
restricted: false # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
|
||||
shell: true # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
|
||||
|
||||
##############################################################################################################################
|
||||
# ansible – System user for automation, no interactive shell
|
||||
@@ -832,7 +831,7 @@ user:
|
||||
description: "Automation user without interactive shell and no sudo."
|
||||
sudo: true # Whether the user can escalate to root using sudo.
|
||||
system: true # Whether this is a low-UID system user (e.g., for automation).
|
||||
restricted: false # If true, user is limited in scope (e.g., no login, no file access, --no-create-home)
|
||||
shell: false # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
|
||||
restricted: false # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
|
||||
shell: false # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
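Review bot: The `ansible` user's `sudo: true` contradicts its own description, `"Automation user without interactive shell and no sudo."`, and this hunk leaves that line as it stands while touching the two lines below it; either the value should read `sudo: false # Whether the user can escalate to root using sudo.` or the description should state that the account can escalate, since a login-less automation account that can still run sudo is a far broader credential than the comment implies. The same value-versus-comment mismatch appears in the first hunk, where `install_recommends: true` carries the comment `# Configure APT to not install recommended packages by default.`, so one of the two is inverted there as well. Whether the installer scripts consume the description text or only the `sudo` flag is not visible on this page, so which side to correct is for the author to decide. The `user:` mapping this hunk belongs to starts outside the hunk.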
|
||||
|
||||