chatreesept deployed

infrastructure/graduated/fedora/README.md

@@ -7,7 +7,10 @@
   - [Fail2Ban](#fail2ban)
   - [Automatic Updates](#automatic-updates)
   - [Disable Swap](#disable-swap)
+  - [Selinux](#selinux)
+  - [Firewalld](#firewalld)
   - [Extras](#extras)
+  - [Downgrading Kernel](#downgrading-kernel)
 
 <https://docs.fedoraproject.org/en-US/fedora-server/installation/postinstallation-tasks/#_manage_system_updates>
 
@@ -122,6 +125,8 @@ dnf install dnf-automatic -y
 systemctl enable --now dnf-automatic-install.timer
 ```
 
+Edit the configuration to only do security updates.
+
 ## Disable Swap
 
 ```bash
@@ -130,6 +135,37 @@ zramctl --reset /dev/zram0
 dnf -y remove zram-generator-defaults
 ```
 
+## Selinux
+
+By default selinux will be enforcing. You can set it to permissive with
+
+```bash
+setenforce 0
+```
+
+And then make it permanent by editing `/etc/selinux/config` and inserting `SELINUX=permissive`.
+
+## Firewalld
+
+Set the default firewalld zone to `public`
+
+```bash
+firewall-cmd --set-default-zone=public
+```
+
+Firewalld will be on and blocking by default. You can check the zone and allowed ports with:
+
+```bash
+firewall-cmd --zone=public --list-ports
+```
+
+Allow Cockpit with
+
+```
+firewall-cmd --permanent --zone=public --add-port=9090/tcp
+firewall-cmd --reload
+```
+
 ## Extras
 
 On the server:
@@ -165,3 +201,14 @@ EOF
 
 chsh -s $(which zsh) && chsh -s $(which zsh) ducoterra
 ```
+
+## Downgrading Kernel
+
+```bash
+dnf install koji
+
+# Note: format is kernel-version.fedora-version
+cd $(mktemp -d) && koji download-build --arch=x86_64 --arch=noarch kernel-6.11.3-300.fc41 && dnf install ./*
+
+reboot
+```