updated recipes

make it even more insecure, to make it easier to debug
remove the post section to speed installation process
2025-12-11 20:50:24 +01:00 · 2025-12-11 20:50:13 +01:00 · 2025-12-11 20:49:29 +01:00 · 2025-12-10 21:31:31 +01:00 · 2025-12-10 21:31:01 +01:00 · 2025-12-10 21:30:19 +01:00
31 changed files with 70 additions and 144 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 .aider*
 # dishes/
 # !dishes/
--- a/dishes/desktop-hypervisor-amdcpu.cfg
+++ b/dishes/desktop-hypervisor-amdcpu.cfg
@@ -3,7 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -16,10 +16,10 @@ network  --bootproto=dhcp --device=link --hostname=phyllome-alpha --activate
 shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
-# Root password
+#Root password
-rootpw --iscrypted --lock locked
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved,libvirtd"
 # System timezone
--- a/dishes/desktop-hypervisor-intelcpu-intelgpu.cfg
+++ b/dishes/desktop-hypervisor-intelcpu-intelgpu.cfg
@@ -3,7 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -16,10 +16,10 @@ network  --bootproto=dhcp --device=link --hostname=phyllome-alpha --activate
 shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
-# Root password
+#Root password
-rootpw --iscrypted --lock locked
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved,libvirtd"
 # System timezone
--- a/dishes/desktop-hypervisor-intelcpu.cfg
+++ b/dishes/desktop-hypervisor-intelcpu.cfg
@@ -3,7 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -16,10 +16,10 @@ network  --bootproto=dhcp --device=link --hostname=phyllome-alpha --activate
 shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
-# Root password
+#Root password
-rootpw --iscrypted --lock locked
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved,libvirtd"
 # System timezone
--- a/dishes/desktop-hypervisor.cfg
+++ b/dishes/desktop-hypervisor.cfg
@@ -3,7 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -16,10 +16,10 @@ network  --bootproto=dhcp --device=link --hostname=phyllome-alpha --activate
 shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
-# Root password
+#Root password
-rootpw --iscrypted --lock locked
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved,libvirtd"
 # System timezone
--- a/dishes/desktop.cfg
+++ b/dishes/desktop.cfg
@@ -3,7 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -16,10 +16,10 @@ network  --bootproto=dhcp --device=link --hostname=phyllome-alpha --activate
 shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
-# Root password
+#Root password
-rootpw --iscrypted --lock locked
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved"
 # System timezone
--- a/dishes/live-desktop-hypervisor.cfg
+++ b/dishes/live-desktop-hypervisor.cfg
@@ -1,7 +1,7 @@
 # Generated by pykickstart v3.62
 #version=DEVEL
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -14,10 +14,10 @@ network  --bootproto=dhcp --device=link --hostname=phyllome-alpha --activate
 shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
-# Root password
+#Root password
-rootpw --iscrypted --lock locked
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved,libvirtd"
 # System timezone
--- a/dishes/live-desktop.cfg
+++ b/dishes/live-desktop.cfg
@@ -1,7 +1,7 @@
 # Generated by pykickstart v3.62
 #version=DEVEL
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -14,10 +14,10 @@ network  --bootproto=dhcp --device=link --hostname=phyllome-alpha --activate
 shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
-# Root password
+#Root password
-rootpw --iscrypted --lock locked
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved"
 # System timezone
--- a/dishes/live-server-hypervisor.cfg
+++ b/dishes/live-server-hypervisor.cfg
@@ -1,7 +1,7 @@
 # Generated by pykickstart v3.62
 #version=DEVEL
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -14,10 +14,10 @@ network  --bootproto=dhcp --device=link --hostname=phyllome-alpha --activate
 shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
-# Root password
+#Root password
-rootpw --iscrypted --lock locked
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved,libvirtd"
 # System timezone
--- a/dishes/live-server.cfg
+++ b/dishes/live-server.cfg
@@ -1,7 +1,7 @@
 # Generated by pykickstart v3.62
 #version=DEVEL
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -14,10 +14,10 @@ network  --bootproto=dhcp --device=link --hostname=phyllome-alpha --activate
 shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
-# Root password
+#Root password
-rootpw --iscrypted --lock locked
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved"
 # System timezone
--- a/dishes/virtual-desktop-hypervisor.cfg
+++ b/dishes/virtual-desktop-hypervisor.cfg
@@ -3,9 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled --service=ssh
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
 keyboard --xlayouts='ch (fr)'
 # System language
@@ -17,7 +15,7 @@ shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
 # Root password
-rootpw --iscrypted --lock locked
+rootpw --plaintext --allow-ssh 1234
 # SELinux configuration
 selinux --disabled
 # System services
@@ -39,27 +37,6 @@ part /boot/efi --fstype="efi" --size=2048 --fsoptions="umask=0077,shortname=winn
 part /boot --fstype="ext4" --size=512 --label=boot
 part / --fstype="ext4" --grow --label=root --mkfsoptions="-O encrypt,fast_commit"
 %post --logfile=/mnt/sysimage/root/post.log
 localectl set-keymap ch-fr # Set keymap to `ch-fr`. Alternatively, `us` can be picked.
 dnf update -y # Update the system 
 %end
 %post --nochroot --logfile=/mnt/sysimage/root/base-initial-setup-gnome.log
 truncate -s 0 /mnt/sysimage/usr/share/gnome-initial-setup/vendor.conf # remove content of vendor.conf so that all options are made available
 ## Append lines to existing vendor.conf file, so that options are skipped upon reboot
 cat >> /mnt/sysimage/usr/share/gnome-initial-setup/vendor.conf<< EOF
 [pages]
 skip=privacy
 [goa]
 providers=local-first!
 EOF
 %end
 %post --nochroot --logfile=/mnt/sysimage/root/base-desktop-gnome.log
 # cat >> /mnt/sysimage/usr/share/glib-2.0/schemas/org.gnome.desktop.background.gschema.override<< EOF
@@ -250,7 +227,6 @@ generic-release-notes
 glibc
 gnome-backgrounds.noarch
 gnome-control-center
 gnome-initial-setup
 gnome-shell
 gnome-terminal
 hostname
--- a/dishes/virtual-desktop.cfg
+++ b/dishes/virtual-desktop.cfg
@@ -3,9 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled --service=ssh
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
 keyboard --xlayouts='ch (fr)'
 # System language
@@ -17,7 +15,7 @@ shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
 # Root password
-rootpw --iscrypted --lock locked
+rootpw --plaintext --allow-ssh 1234
 # SELinux configuration
 selinux --disabled
 # System services
@@ -39,27 +37,6 @@ part /boot/efi --fstype="efi" --size=2048 --fsoptions="umask=0077,shortname=winn
 part /boot --fstype="ext4" --size=512 --label=boot
 part / --fstype="ext4" --grow --label=root --mkfsoptions="-O encrypt,fast_commit"
 %post --logfile=/mnt/sysimage/root/post.log
 localectl set-keymap ch-fr # Set keymap to `ch-fr`. Alternatively, `us` can be picked.
 dnf update -y # Update the system 
 %end
 %post --nochroot --logfile=/mnt/sysimage/root/base-initial-setup-gnome.log
 truncate -s 0 /mnt/sysimage/usr/share/gnome-initial-setup/vendor.conf # remove content of vendor.conf so that all options are made available
 ## Append lines to existing vendor.conf file, so that options are skipped upon reboot
 cat >> /mnt/sysimage/usr/share/gnome-initial-setup/vendor.conf<< EOF
 [pages]
 skip=privacy
 [goa]
 providers=local-first!
 EOF
 %end
 %post --nochroot --logfile=/mnt/sysimage/root/base-desktop-gnome.log
 # cat >> /mnt/sysimage/usr/share/glib-2.0/schemas/org.gnome.desktop.background.gschema.override<< EOF
@@ -157,7 +134,6 @@ generic-release-notes
 glibc
 gnome-backgrounds.noarch
 gnome-control-center
 gnome-initial-setup
 gnome-shell
 gnome-terminal
 hostname
--- a/dishes/virtual-server-hypervisor.cfg
+++ b/dishes/virtual-server-hypervisor.cfg
@@ -3,9 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled --service=ssh
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
 keyboard --xlayouts='ch (fr)'
 # System language
@@ -17,7 +15,7 @@ shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
 # Root password
-rootpw --iscrypted --lock locked
+rootpw --plaintext --allow-ssh 1234
 # SELinux configuration
 selinux --disabled
 # System services
@@ -37,13 +35,6 @@ part /boot/efi --fstype="efi" --size=2048 --fsoptions="umask=0077,shortname=winn
 part /boot --fstype="ext4" --size=512 --label=boot
 part / --fstype="ext4" --grow --label=root --mkfsoptions="-O encrypt,fast_commit"
 %post --logfile=/mnt/sysimage/root/post.log
 localectl set-keymap ch-fr # Set keymap to `ch-fr`. Alternatively, `us` can be picked.
 dnf update -y # Update the system 
 %end
 %post --nochroot --logfile=/mnt/sysimage/root/base-hypervisor.log
 # Load kernel modules by adding vfio, vfio_pci, vfio_iommu_type1, vfio_virqfd
@@ -98,7 +89,6 @@ generic-release-common
 generic-release-notes
 glibc
 hostname
 initial-setup
 iproute
 iputils
 kbd
--- a/dishes/virtual-server.cfg
+++ b/dishes/virtual-server.cfg
@@ -3,9 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled --service=ssh
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
 keyboard --xlayouts='ch (fr)'
 # System language
@@ -17,7 +15,7 @@ shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
 # Root password
-rootpw --iscrypted --lock locked
+rootpw --plaintext --allow-ssh 1234
 # SELinux configuration
 selinux --disabled
 # System services
@@ -37,13 +35,6 @@ part /boot/efi --fstype="efi" --size=2048 --fsoptions="umask=0077,shortname=winn
 part /boot --fstype="ext4" --size=512 --label=boot
 part / --fstype="ext4" --grow --label=root --mkfsoptions="-O encrypt,fast_commit"
 %post --logfile=/mnt/sysimage/root/post.log
 localectl set-keymap ch-fr # Set keymap to `ch-fr`. Alternatively, `us` can be picked.
 dnf update -y # Update the system 
 %end
 %packages --exclude-weakdeps
 NetworkManager
 NetworkManager-config-connectivity-fedora
@@ -68,7 +59,6 @@ generic-release-common
 generic-release-notes
 glibc
 hostname
 initial-setup
 iproute
 iputils
 kbd
--- a/ingredients/core-initial-setup-desktop.cfg
+++ b/ingredients/core-initial-setup-desktop.cfg
@@ -1,4 +1,4 @@
-firstboot --reconfig # Initial Setup will start after the first reboot
+firstboot --enable --reconfig # Initial Setup will start after the first reboot
 %packages --exclude-weakdeps # Beginning of the packages section. Do not include weak dependencies.
--- a/ingredients/core-initial-setup-server.cfg
+++ b/ingredients/core-initial-setup-server.cfg
@@ -1,4 +1,4 @@
-firstboot --reconfig # Enable the Setup Agent to start at boot time in reconfiguration mode. This mode enables the language, mouse, keyboard, root password, security level, time zone, and networking configuration options in addition to the default ones
+firstboot --enable --reconfig # Enable the Setup Agent to start at boot time in reconfiguration mode. This mode enables the language, mouse, keyboard, root password, security level, time zone, and networking configuration options in addition to the default ones
 %packages --exclude-weakdeps # Beginning of the packages section. Do not include weak dependencies
--- a/ingredients/core-security-off.cfg
+++ b/ingredients/core-security-off.cfg
@@ -1,3 +1,3 @@
-rootpw --lock --iscrypted locked # Lock the root account. Can still be undone by end-user during initial setup
+rootpw --plaintext 1234 --allow-ssh # Root account is enabled with weak password and allow ssh
-selinux --disabled # Disable SELinux ; other option: --enable
+selinux --disabled # Disable SELinux
-firewall --disabled # Disable firewall
+firewall --enabled --ssh # Reject incoming connections that are not in response to outbound requests except SSH
--- a/ingredients/core-security-on.cfg
+++ b/ingredients/core-security-on.cfg
@@ -1,3 +1,3 @@
-rootpw --lock --iscrypted locked # Lock the root account. Can still be undone by end-user during initial setup
+rootpw --lock # No root login from the console
-selinux --enabled # Enable SELinux ; other option: --disabled
+selinux --enforcing # Set SELinux to enforcing mode
 firewall --enabled # Enable firewall
--- a/recipes/desktop-hypervisor-amdcpu.cfg
+++ b/recipes/desktop-hypervisor-amdcpu.cfg
@@ -11,7 +11,7 @@
 %include ../ingredients/core-storage.cfg # Storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 
--- a/recipes/desktop-hypervisor-intelcpu-intelgpu.cfg
+++ b/recipes/desktop-hypervisor-intelcpu-intelgpu.cfg
@@ -12,7 +12,7 @@
 %include ../ingredients/core-storage.cfg # ext4-based storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 
--- a/recipes/desktop-hypervisor-intelcpu.cfg
+++ b/recipes/desktop-hypervisor-intelcpu.cfg
@@ -11,7 +11,7 @@
 %include ../ingredients/core-storage.cfg # ext4-based storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 
--- a/recipes/desktop-hypervisor.cfg
+++ b/recipes/desktop-hypervisor.cfg
@@ -11,7 +11,7 @@
 %include ../ingredients/core-storage.cfg # ext4-based storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 
--- a/recipes/desktop.cfg
+++ b/recipes/desktop.cfg
@@ -11,7 +11,7 @@
 %include ../ingredients/core-storage.cfg # ext4-based storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 
--- a/recipes/live-desktop-hypervisor.cfg
+++ b/recipes/live-desktop-hypervisor.cfg
@@ -11,7 +11,7 @@
 %include ../ingredients/live-core-storage.cfg # For live systems only
 %include ../ingredients/live-core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 
--- a/recipes/live-desktop.cfg
+++ b/recipes/live-desktop.cfg
@@ -11,7 +11,7 @@
 %include ../ingredients/live-core-storage.cfg # For live systems only
 %include ../ingredients/live-core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 
--- a/recipes/live-server-hypervisor.cfg
+++ b/recipes/live-server-hypervisor.cfg
@@ -11,7 +11,7 @@
 %include ../ingredients/live-core-storage.cfg # For live systems only
 %include ../ingredients/live-core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 
--- a/recipes/live-server.cfg
+++ b/recipes/live-server.cfg
@@ -11,7 +11,7 @@
 %include ../ingredients/live-core-storage.cfg # For live systems only
 %include ../ingredients/live-core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 
--- a/recipes/virtual-desktop-hypervisor.cfg
+++ b/recipes/virtual-desktop-hypervisor.cfg
@@ -5,20 +5,18 @@
 #  / .___/_/ /_/\__, /_/_/\____/_/ /_/ /_/\___/   \____//____/
 # /_/          /____/
-# A recipe for virtual desktop hypervisor
+# Unsafe. Development-only. A recipe for a virtual desktop hypervisor
 %include ../ingredients/core.cfg # Text mode
 %include ../ingredients/core-storage.cfg # ext4-based storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-off.cfg # Enable root account, disable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 
 %include ../ingredients/core-packages-default.cfg # Default but not necessary packages
 %include ../ingredients/core-fedora-repo-43.cfg # Offical repositories for Fedora
 %include ../ingredients/core-post.cfg # Triggered after the installation
 %include ../ingredients/core-initial-setup-desktop.cfg # OEM setup for GNOME Shell
 %include ../ingredients/base-desktop-gnome.cfg # A GNOME Shell-based desktop environment
 %include ../ingredients/base-desktop-virtual-machine-manager.cfg # Virtual Machine Manager
 %include ../ingredients/base-hypervisor.cfg # Base hypervisor
--- a/recipes/virtual-desktop.cfg
+++ b/recipes/virtual-desktop.cfg
@@ -5,19 +5,17 @@
 #  / .___/_/ /_/\__, /_/_/\____/_/ /_/ /_/\___/   \____//____/
 # /_/          /____/
-# A recipe for a virtual desktop
+# Unsafe. Development-only. A recipe for a virtual desktop
 %include ../ingredients/core.cfg # Text mode
 %include ../ingredients/core-storage.cfg # ext4-based storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-off.cfg # Enable root account, disable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 
 %include ../ingredients/core-packages-default.cfg # Default but not necessary packages
 %include ../ingredients/core-fedora-repo-43.cfg # Offical repositories for Fedora
 %include ../ingredients/core-post.cfg # Triggered after the installation
 %include ../ingredients/core-initial-setup-desktop.cfg # OEM setup for GNOME Shell
 %include ../ingredients/base-desktop-gnome.cfg # A GNOME Shell-based desktop environment
 %include ../ingredients/base-guest-agents.cfg # Guest agents
--- a/recipes/virtual-server-hypervisor.cfg
+++ b/recipes/virtual-server-hypervisor.cfg
@@ -5,19 +5,17 @@
 #  / .___/_/ /_/\__, /_/_/\____/_/ /_/ /_/\___/   \____//____/
 # /_/          /____/
-# A recipe for a virtual headless hypervisor
+# # Unsafe. Development-only. A recipe for a virtual headless hypervisor
 %include ../ingredients/core.cfg # Text mode
 %include ../ingredients/core-storage.cfg # ext4-based storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-off.cfg # Enable root account, disable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 
 %include ../ingredients/core-packages-default.cfg # Default but not necessary packages
 %include ../ingredients/core-fedora-repo-43.cfg # Offical repositories for Fedora
 %include ../ingredients/core-post.cfg # Triggered after the installation
 %include ../ingredients/core-initial-setup-server.cfg # For headless systems
 %include ../ingredients/base-hypervisor.cfg # Base hypervisor
 %include ../ingredients/base-guest-agents.cfg # Guest agents
--- a/recipes/virtual-server.cfg
+++ b/recipes/virtual-server.cfg
@@ -5,18 +5,16 @@
 #  / .___/_/ /_/\__, /_/_/\____/_/ /_/ /_/\___/   \____//____/
 # /_/          /____/
-# A recipe for a virtual desktop
+# # Unsafe. Development-only. A recipe for a virtual server
 %include ../ingredients/core.cfg # Text mode
 %include ../ingredients/core-storage.cfg # ext4-based storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-off.cfg # Enable root account, disable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 
 %include ../ingredients/core-packages-default.cfg # Default but not necessary packages
 %include ../ingredients/core-fedora-repo-43.cfg # Offical repositories for Fedora
 %include ../ingredients/core-post.cfg # Triggered after the installation
 %include ../ingredients/core-initial-setup-server.cfg # For headless systems
 %include ../ingredients/base-guest-agents.cfg # Guest agents
Author	SHA1	Message	Date
Lukas Greve	e018870d0e	updated recipes	2025-12-11 20:50:24 +01:00
Lukas Greve	0c76e7626d	make it even more insecure, to make it easier to debug	2025-12-11 20:50:13 +01:00
Lukas Greve	28c390f1b4	remove the post section to speed installation process	2025-12-11 20:49:29 +01:00
Lukas Greve	ebd35f0b1f	virtual dishes are for development-only	2025-12-10 21:31:31 +01:00
Lukas Greve	6832142907	add allow ssh incoming connection	2025-12-10 21:31:01 +01:00
Lukas Greve	eae12100a8	correct an awful regression. SELinux is either disabled or in enforcing mode. The enable switch does not work	2025-12-10 21:30:19 +01:00
Lukas Greve	bc5f156cd9	All non-virtual dishes / recipes are meant to be shipped with sane security defaults	2025-12-10 21:29:25 +01:00
Lukas Greve	8245bdf3b9	revert back gitignore to include dishes	2025-12-10 21:27:45 +01:00
Lukas Greve	674b34d441	Merge pull request 'add fast_commit and encrypt filesystem feature for ext4. Encrypt is a prerequisite for fscrypt support. Fast_commit is a faster journaling method.' (#2 ) from ext4-improvement into main Reviewed-on: #2	2025-12-10 16:18:33 +00:00
Lukas Greve	de5acaf289	Merge branch 'main' into ext4-improvement	2025-12-10 16:18:25 +00:00
Lukas Greve	b028260090	weak security to enable easier debugging	2025-12-09 22:33:51 +01:00
Lukas Greve	1fbe496b6a	the proper syntax for firstboot enabling	2025-12-09 22:33:15 +01:00
Lukas Greve	ae4ffdc64d	updated gitignore. Let's not track changes to complete kickstart files. It goes in the way	2025-12-09 22:32:40 +01:00
Lukas Greve	8cc2c13c66	Merge pull request 'tweak the security settings, to allow root login for debuging purposes (i.e. when initial-setup does not work)' (#1 ) from lax-security-settings into main Reviewed-on: #1	2025-12-09 21:22:45 +00:00
Lukas Greve	35deff93b3	tweak the security settings, to allow root login for debuging purposes (i.e. when initial-setup does not work)	2025-12-09 22:20:47 +01:00
`@@ -1,4 +1,4 @@`
	`firstboot --reconfig # Initial Setup will start after the first reboot`	`firstboot --enable --reconfig # Initial Setup will start after the first reboot`

	`%packages --exclude-weakdeps # Beginning of the packages section. Do not include weak dependencies.`	`%packages --exclude-weakdeps # Beginning of the packages section. Do not include weak dependencies.`
`@@ -1,4 +1,4 @@`
	`firstboot --reconfig # Enable the Setup Agent to start at boot time in reconfiguration mode. This mode enables the language, mouse, keyboard, root password, security level, time zone, and networking configuration options in addition to the default ones`	`firstboot --enable --reconfig # Enable the Setup Agent to start at boot time in reconfiguration mode. This mode enables the language, mouse, keyboard, root password, security level, time zone, and networking configuration options in addition to the default ones`

	`%packages --exclude-weakdeps # Beginning of the packages section. Do not include weak dependencies`	`%packages --exclude-weakdeps # Beginning of the packages section. Do not include weak dependencies`