docs/posts/03-security-improvements.md: update

Added Void Linux compatibility.
collapse into one blog page
2025-08-28 21:48:03 +02:00 · 2025-08-28 21:29:58 +02:00
13 changed files with 98 additions and 58 deletions
--- a/docs/desktop-os/.authors.yml
+++ b/docs/desktop-os/.authors.yml
--- a/docs/desktop-os/index.md
+++ b/docs/desktop-os/index.md
@ -1,5 +0,0 @@
-# Desktop operating-system Blog
-
-The blog page of the topics particularly related to desktop operating systems. 
-
---
--- a/docs/index.md
+++ b/docs/index.md
@ -1,9 +1,3 @@
---
-hide:
-  - navigation
-  - toc
---
-
 # Welcome to the blog of the Ampel organisation

-Here we blog about various topics related to desktop and server operating systems. From base system installs to particular configuration of top level software. Always striving for simplicity, minimalism and security in each of these layers.
+Here we blog about various topics related to desktop and server operating systems. From base system installs to particular configuration of top level software. Always striving for simplicity, minimalism and security in each of these layers.
--- a/docs/desktop-os/posts/01-void-install.md
+++ b/docs/desktop-os/posts/01-void-install.md
--- a/docs/server-os/posts/01-alpine-install.md
+++ b/docs/server-os/posts/01-alpine-install.md
--- a/docs/server-os/posts/02-security-improvements.md
+++ b/docs/server-os/posts/02-security-improvements.md
@ -9,6 +9,7 @@ authors:
 tags:
    - Alpine Linux
    - Gentoo Linux
+    - Void Linux
 categories:
    - Security
 ---
@ -23,9 +24,24 @@ Linux Security Modules (LSM) is a framework that allows the implementation of va

 These security modules may be enabled by adding them to the kernel `cmdline`:

-``` shell title="/etc/kernel/cmdline"
-... lsm=landlock,lockdown,yama,integrity ...
-```
+=== "Alpine Linux"
+
+    ``` shell title="/etc/kernel-hooks.d/secureboot.conf"
+    cmdline="... lsm=landlock,lockdown,yama,integrity ..."
+    ```
+
+=== "Gentoo Linux"
+
+    ``` shell title="/etc/kernel/cmdline"
+    ... lsm=landlock,lockdown,yama,integrity ...
+    ```
+
+=== "Void Linux"
+
+    ``` shell title="/etc/dracut.conf.d/cmdline.conf"
+    kernel_cmdline="... lsm=landlock,lockdown,yama,integrity ..."
+    ```
+

 ### Landlock

@ -69,23 +85,55 @@ AppArmor is a security module that provides a simpler alternative to SELinux. It
    sh# apk add apparmor apparmor-utils apparmor-profiles
    ```

+    and add it to the boot runlevel:
+
+    ``` shell-session
+    sh# rc-update add apparmor boot
+    ```
+
 === "Gentoo Linux"

    ``` shell-session
    sh# emerge -a apparmor apparmor-utils apparmor-profiles
    ```
+    
+    and add it to the boot runlevel:

-and add it to the boot runlevel:
+    ``` shell-session
+    sh# rc-update add apparmor boot
+    ```

-``` shell-session
-sh# rc-update add apparmor boot
-```
+=== "Void Linux"
+
+    ``` shell-session
+    sh# xbps-install apparmor apparmor-utils apparmor-profiles
+    ```
+
+    and add the service:
+
+    ``` shell-session
+    sh# ln -s /etc/sv/apparmor /var/service
+    ```

 Add `apparmor` to the kernel `cmdline` to make it operational:

-``` shell title="/etc/kernel/cmdline"
-... lsm=...,apparmor apparmor=1 ...
-```
+=== "Alpine Linux"
+
+    ``` shell title="/etc/kernel-hooks.d/secureboot.conf"
+    cmdline="... lsm=...,apparmor apparmor=1 ..."
+    ```
+
+=== "Gentoo Linux"
+
+    ``` shell title="/etc/kernel/cmdline"
+    ... lsm=...,apparmor apparmor=1 ...
+    ```
+
+=== "Void Linux"
+
+    ``` shell title="/etc/dracut.conf.d/cmdline.conf"
+    kernel_cmdline="... lsm=...,apparmor apparmor=1 ..."
+    ```

 Then reconfigure the `kernel`:

@ -101,6 +149,12 @@ Then reconfigure the `kernel`:
    sh# emerge --config gentoo-kernel
    ```

+=== "Void Linux"
+
+    ``` shell-session
+    sh# xbps-reconfigure -f linux<version>
+    ```
+
 You can check the status of `apparmor` with `apparmor-utils`:

 ``` shell-session
@ -111,9 +165,23 @@ sh# aa-status

 Boot parameters configure the bootloader to parse the relevant settings to the kernel at boot. Hardening the boot process will improve the overall security of the system. The listed boot parameters in this chapter can be parsed into the kernel `cmdline`:

-``` shell title="/etc/kernel/cmdline"
-... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on ...
-```
+=== "Alpine Linux"
+
+    ``` shell title="/etc/kernel-hooks.d/secureboot.conf"
+    cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on ..."
+    ```
+
+=== "Gentoo Linux"
+
+    ``` shell title="/etc/kernel/cmdline"
+    ... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on ...
+    ```
+
+=== "Void Linux"
+
+    ``` shell title="/etc/dracut.conf.d/cmdline.conf"
+    kernel_cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on ..."
+    ```

 ### Mitigations of system vulnerabilities

@ -275,6 +343,12 @@ The default memory allocator of `musl` is already reasonably secure but not as s
    sh# emerge -a hardened-malloc
    ```

+=== "Void Linux"
+
+    ``` shell-session
+    sh# xbps-install hardened-malloc
+    ```
+
 and set it to system-wide edit:

 ``` shell title="/etc/ld-musl-x86_64.path"
@ -308,8 +382,14 @@ Improve the security of the system by increasing the entropy with the `jitterent
    sh# emerge -a jitterentropy
    ```

+=== "Void Linux"
+
+    ``` shell-session
+    sh# xbps-install jitterentropy
+    ```
+
 and make sure that the module gets loaded:

 ``` shell title="/etc/modules-load.d/entropy.conf"
 jitterentropy_rng
-```
+```
--- a/docs/server-os/posts/03-container-management-podman-runit.md
+++ b/docs/server-os/posts/03-container-management-podman-runit.md
--- a/docs/desktop-os/posts/02-gentoo-openrc-install.md
+++ b/docs/desktop-os/posts/02-gentoo-openrc-install.md
--- a/docs/server-os/posts/04-maintaining-zfs-system.md
+++ b/docs/server-os/posts/04-maintaining-zfs-system.md
--- a/docs/desktop-os/posts/03-minimal-gui-river-pipewire-openrc.md
+++ b/docs/desktop-os/posts/03-minimal-gui-river-pipewire-openrc.md
--- a/docs/server-os/.authors.yml
+++ b/docs/server-os/.authors.yml
@ -1,13 +0,0 @@
-authors:
-  luc:
-    name: "Luc"
-    description: ""
-    avatar: "https://git.ampel.dev/avatars/cbd8e77b1f18b62a6a8dc56124238153?size=512"
-    slug: "luc"
-    url: "https://git.ampel.dev/luc"
-  nils:
-    name: "Nils"
-    description: ""
-    avatar: "https://git.ampel.dev/avatars/caa9d4634a522b6e874804a280ce6d1001e4213b5e9db9ec965641269f862623?size=512"
-    slug: "nils"
-    url: "https://git.ampel.dev/nils"
--- a/docs/server-os/index.md
+++ b/docs/server-os/index.md
@ -1,5 +0,0 @@
-# Server operating-system Blog
-
-The blog page of the topics particularly related to server operating systems. 
-
---
--- a/mkdocs.yml
+++ b/mkdocs.yml
@ -13,8 +13,6 @@ theme:
  features:
    - navigation.instant
    - navigation.instant.progress
-    - navigation.indexes
-    - navigation.tabs
    - navigation.sections
    - toc.follow
    - search.suggest
@ -23,8 +21,8 @@ theme:
    - content.tabs.link
    - content.code.copy
    - content.code.annotate 
-#  logo: assets/ampel-logo.png
-#  favicon: assets/ampel-logo.png
+  #logo: assets/ampel-logo.png
+  #favicon: assets/ampel-logo.png
  palette:  
    - media: "(prefers-color-scheme: light)"
      scheme: default
@ -60,13 +58,4 @@ plugins:
  - search
  - tags
  - blog:
-      blog_dir: desktop-os
-  - blog:
-      blog_dir: server-os
-
-nav:
-  - 'Home': index.md
-  - 'Desktop OS':
-    - desktop-os/index.md
-  - 'Server OS':
-    - server-os/index.md
+      blog_dir: .
Author	SHA1	Message	Date
luc	dfd09dbcb6	docs/posts/03-security-improvements.md: update Added Void Linux compatibility.	2025-08-28 21:48:03 +02:00
luc	b5e73a228d	collapse into one blog page	2025-08-28 21:29:58 +02:00