fix: Switch to space-separated sources.conf format

- Change from colon to space separation to avoid URL parsing issues - Update sources.conf format: TYPE NAME URL VERSION BUILD_FUNCTION [EXTRA] - Implement awk-based parsing for reliable field extraction - Fix firmware package list (remove unavailable linux-firmware-marvell)
2025-08-31 13:26:05 +02:00
parent e8d0d486d8
commit ed98e24503
1103 changed files with 332715 additions and 48 deletions
--- a/initramfs/usr/lib/sysctl.d/00-alpine.conf
+++ b/initramfs/usr/lib/sysctl.d/00-alpine.conf
@@ -0,0 +1,40 @@
+# Prevents SYN DOS attacks. Applies to ipv6 as well, despite name.
+net.ipv4.tcp_syncookies = 1
+
+# Prevents ip spoofing.
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 1
+
+# Only groups within this id range can use ping.
+net.ipv4.ping_group_range=999 59999
+
+# Redirects can potentially be used to maliciously alter hosts
+# routing tables.
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 1
+net.ipv6.conf.all.accept_redirects = 0
+
+# The source routing feature includes some known vulnerabilities.
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
+
+# See RFC 1337
+net.ipv4.tcp_rfc1337 = 1
+
+## Enable IPv6 Privacy Extensions (see RFC4941 and RFC3041)
+net.ipv6.conf.default.use_tempaddr = 2
+net.ipv6.conf.all.use_tempaddr = 2
+
+# Restarts computer after 120 seconds after kernel panic
+kernel.panic = 120
+
+# Users should not be able to create soft or hard links to files
+# which they do not own. This mitigates several privilege
+# escalation vulnerabilities.
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+
+# Disable unprivileged use of the bpf(2) syscall.
+# Allowing unprivileged use of the bpf(2) syscall may allow a
+# malicious user to compromise the machine.
+kernel.unprivileged_bpf_disabled = 1