From c45346ac4cc312b81fe38ccdf1b59567a1759d75 Mon Sep 17 00:00:00 2001
From: Claudio Maradonna <claudio@unitoo.pw>
Date: Tue, 23 Aug 2022 10:06:44 +0200
Subject: [PATCH] fix swarm configs. add new file

---
 cloud-init/matrix-synapse.yml     |  73 +++++++++++++++++++
 cloud-init/swarm-manager.yml      |  40 +++++++++--
 cloud-init/swarm-worker.yml       | 115 ++++++++++++++++++++++++++++++
 sysctl/etc/sysctl.d/99-swarm.conf |   5 ++
 4 files changed, 226 insertions(+), 7 deletions(-)
 create mode 100644 cloud-init/matrix-synapse.yml
 create mode 100644 cloud-init/swarm-worker.yml
 create mode 100644 sysctl/etc/sysctl.d/99-swarm.conf

diff --git a/cloud-init/matrix-synapse.yml b/cloud-init/matrix-synapse.yml
new file mode 100644
index 0000000..5b77802
--- /dev/null
+++ b/cloud-init/matrix-synapse.yml
@@ -0,0 +1,73 @@
+#cloud-config
+
+ssh_genkeytypes: [ecdsa, ed25519]
+
+# upgrade system
+package_update: true
+package_upgrade: true
+
+# various dependencies
+packages:
+  - ca-certificates
+  - curl
+  - gnupg
+  - lsb-release
+  - fail2ban
+  - nginx
+  - certbot
+  - python3-certbot-nginx
+  - iptables-persistent
+
+write_files:
+  - path: /etc/iptables/rules.v4
+    permissions: 0644
+    owner: root:root
+    content: |
+      *filter
+      :INPUT DROP [0:0]
+      :FORWARD DROP [0:0]
+      :OUTPUT ACCEPT [0:0]
+      -A INPUT -i lo -j ACCEPT
+      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+      -A INPUT -m conntrack --ctstate INVALID -j DROP
+      -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+      -A INPUT -p tcp -m tcp --dport 8448 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+      -A OUTPUT -o lo -j ACCEPT
+      -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+      -A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+      -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
+      COMMIT
+  - path: /etc/systemd/journald.conf.d/size.conf
+    permissions: 0644
+    owner: root:root
+    content: |
+      [Journal]
+      SystemMaxUse=250M
+      SystemMaxFileSize=50M
+  - path: /etc/fstab
+    append: true
+    content: |
+      /swapfile swap swap defaults 0 0
+
+runcmd:
+  - 'iptables-restore < /etc/iptables/rules.v4'
+
+  - [systemctl, enable, --now, fail2ban]
+
+  - 'fallocate -l 3G /swapfile'
+  - 'chmod 600 /swapfile'
+  - 'mkswap /swapfile'
+  - 'swapon /swapfile'
+
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/ssh/etc/ssh/sshd_config, --output, /etc/ssh/sshd_config.d/99-hardening.conf]
+  - [systemctl, restart, ssh]
+
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-network-filesystems.conf, --output, /etc/modprobe.d/disable-network-filesystems.conf]
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-filesystems.conf, --output, /etc/modprobe.d/disable-rare-filesystems.conf]
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-protocols.conf, --output, /etc/modprobe.d/disable-rare-protocols.conf]
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-vivid.conf, --output, /etc/modprobe.d/disable-vivid.conf]
+
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf]
+  - [sysctl, -p]
+
+  - [timedatectl, set-timezone, Europe/Rome]
diff --git a/cloud-init/swarm-manager.yml b/cloud-init/swarm-manager.yml
index 22dbc2e..676f8bc 100644
--- a/cloud-init/swarm-manager.yml
+++ b/cloud-init/swarm-manager.yml
@@ -13,6 +13,7 @@ packages:
   - gnupg
   - lsb-release
   - fail2ban
+  - iptables-persistent
 
 write_files:
   - path: /etc/iptables/rules.v4
@@ -27,6 +28,13 @@ write_files:
       -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
       -A INPUT -m conntrack --ctstate INVALID -j DROP
       -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+      -A INPUT -p tcp --dport 2376 -j ACCEPT -m comment --comment "Docker Swarm"
+      -A INPUT -p tcp --dport 2377 -j ACCEPT -m comment --comment "Docker Swarm"
+      -A INPUT -p tcp -m tcp --dport 7946 -m comment --comment "Docker Swarm" -j ACCEPT
+      -A INPUT -p udp -m udp --dport 7946 -m comment --comment "Docker Swarm" -j ACCEPT
+      -A INPUT -p udp -m udp --dport 4789 -m comment --comment "Docker Swarm" -j ACCEPT
+      -A INPUT -i $SPECIFY_INTERFACE -p tcp --dport 24007 -j ACCEPT -m comment --comment "GlusterFS Management"
+      -A INPUT -i $SPECIFY_INTERFACE -p tcp -m tcp --dport 49152:60999 -m comment --comment "GlusterFS Bricks" -j ACCEPT
       -A OUTPUT -o lo -j ACCEPT
       -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
       -A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
@@ -40,14 +48,23 @@ write_files:
       :INPUT DROP [0:0]
       :FORWARD DROP [0:0]
       :OUTPUT ACCEPT [0:0]
-      -A INPUT -i tun0 -j ACCEPT
       -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
       -A INPUT -m conntrack --ctstate INVALID -j DROP
       -A OUTPUT -o tun0 -j ACCEPT
       -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
       -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp6-port-unreachable
       COMMIT
-
+  - path: /etc/systemd/journald.conf.d/size.conf
+    permissions: 0644
+    owner: root:root
+    content: |
+      [Journal]
+      SystemMaxUse=250M
+      SystemMaxFileSize=50M
+  - path: /etc/fstab
+    append: true
+    content: |
+      /swapfile swap swap defaults 0 0
 
 runcmd:
   - 'iptables-restore < /etc/iptables/rules.v4'
@@ -55,6 +72,11 @@ runcmd:
 
   - [systemctl, enable, --now, fail2ban]
 
+  - 'fallocate -l 2G /swapfile'
+  - 'chmod 600 /swapfile'
+  - 'mkswap /swapfile'
+  - 'swapon /swapfile'
+
   - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/ssh/etc/ssh/sshd_config, --output, /etc/ssh/sshd_config.d/99-hardening.conf]
   - [systemctl, restart, ssh]
 
@@ -64,20 +86,24 @@ runcmd:
   - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-vivid.conf, --output, /etc/modprobe.d/disable-vivid.conf]
 
   - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf]
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/sysctl/etc/sysctl.d/99-swarm.conf, --output, /etc/sysctl.d/99-swarm.conf]
   - [sysctl, -p]
 
   - [mkdir, -p, /usr/local/apt-keys]
   - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
   - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
   - "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
-  - [apt-get, update]
-  - [apt-get, install, -y, yggdrasil]
-  - [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n  ]/', /etc/yggdrasil.conf]
-  - [systemctl, enable, --now, yggdrasil]
 
   - [mkdir, -p, /etc/apt/keyrings]
   - "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
   - 'echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null'
   - [chmod, a+r, /etc/apt/keyrings/docker.gpg]
+
   - [apt-get, update]
-  - 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin'
+  - 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin yggdrasil'
+
+  - [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n  ]/', /etc/yggdrasil.conf]
+  - [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf]
+  #- [systemctl, enable, --now, yggdrasil]
+
+  - [timedatectl, set-timezone, Europe/Rome]
diff --git a/cloud-init/swarm-worker.yml b/cloud-init/swarm-worker.yml
new file mode 100644
index 0000000..cfbdcb1
--- /dev/null
+++ b/cloud-init/swarm-worker.yml
@@ -0,0 +1,115 @@
+#cloud-config
+
+ssh_genkeytypes: [ecdsa, ed25519]
+
+# upgrade system
+package_update: true
+package_upgrade: true
+
+# various dependencies
+packages:
+  - ca-certificates
+  - curl
+  - gnupg
+  - lsb-release
+  - fail2ban
+  - iptables-persistent
+  - glusterfs-client
+
+write_files:
+  - path: /etc/iptables/rules.v4
+    permissions: 0644
+    owner: root:root
+    content: |
+      *filter
+      :INPUT DROP [0:0]
+      :FORWARD DROP [0:0]
+      :OUTPUT ACCEPT [0:0]
+      -A INPUT -i lo -j ACCEPT
+      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+      -A INPUT -m conntrack --ctstate INVALID -j DROP
+      -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+      -A INPUT -p tcp --dport 2376 -j ACCEPT -m comment --comment "Docker Swarm"
+      -A INPUT -p tcp -m tcp --dport 7946 -m comment --comment "Docker Swarm" -j ACCEPT
+      -A INPUT -p udp -m udp --dport 7946 -m comment --comment "Docker Swarm" -j ACCEPT
+      -A INPUT -p udp -m udp --dport 4789 -m comment --comment "Docker Swarm" -j ACCEPT
+      -A OUTPUT -o lo -j ACCEPT
+      -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+      -A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+      -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
+      COMMIT
+  - path: /etc/iptables/rules.v6
+    permissions: 0644
+    owner: root:root
+    content: |
+      *filter
+      :INPUT DROP [0:0]
+      :FORWARD DROP [0:0]
+      :OUTPUT ACCEPT [0:0]
+      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+      -A INPUT -m conntrack --ctstate INVALID -j DROP
+      -A OUTPUT -o tun0 -j ACCEPT
+      -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+      -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp6-port-unreachable
+      COMMIT
+  - path: /etc/systemd/journald.conf.d/size.conf
+    permissions: 0644
+    owner: root:root
+    content: |
+      [Journal]
+      SystemMaxUse=250M
+      SystemMaxFileSize=50M
+  - path: /etc/fstab
+    append: true
+    content: |
+      /swapfile swap swap defaults 0 0
+  - path: /etc/hosts
+    append: true
+    content: |
+      192.168.178.2 swarm-manager-1
+      192.168.178.3 swarm-manager-2
+      192.168.178.4 swarm-manager-3
+
+runcmd:
+  - 'iptables-restore < /etc/iptables/rules.v4'
+  - 'ip6tables-restore < /etc/iptables/rules.v6'
+
+  - [systemctl, enable, --now, fail2ban]
+
+  - 'fallocate -l 2G /swapfile'
+  - 'chmod 600 /swapfile'
+  - 'mkswap /swapfile'
+  - 'swapon /swapfile'
+
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/ssh/etc/ssh/sshd_config, --output, /etc/ssh/sshd_config.d/99-hardening.conf]
+  - [systemctl, restart, ssh]
+
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-network-filesystems.conf, --output, /etc/modprobe.d/disable-network-filesystems.conf]
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-filesystems.conf, --output, /etc/modprobe.d/disable-rare-filesystems.conf]
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-protocols.conf, --output, /etc/modprobe.d/disable-rare-protocols.conf]
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-vivid.conf, --output, /etc/modprobe.d/disable-vivid.conf]
+
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf]
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/sysctl/etc/sysctl.d/99-swarm.conf, --output, /etc/sysctl.d/99-swarm.conf]
+  - [sysctl, -p]
+
+  - [mkdir, -p, /usr/local/apt-keys]
+  - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
+  - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
+  - "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
+
+  - [mkdir, -p, /etc/apt/keyrings]
+  - "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
+  - 'echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null'
+  - [chmod, a+r, /etc/apt/keyrings/docker.gpg]
+
+  - [apt-get, update]
+  - 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin yggdrasil'
+
+  - [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n  ]/', /etc/yggdrasil.conf]
+  - [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf]
+  #- [systemctl, enable, --now, yggdrasil]
+
+  - [timedatectl, set-timezone, Europe/Rome]
+
+  - [mkdir, /mnt/swarm-data]
diff --git a/sysctl/etc/sysctl.d/99-swarm.conf b/sysctl/etc/sysctl.d/99-swarm.conf
new file mode 100644
index 0000000..cadc575
--- /dev/null
+++ b/sysctl/etc/sysctl.d/99-swarm.conf
@@ -0,0 +1,5 @@
+net.ipv4.conf.all.forwarding=1
+
+net.ipv6.conf.eth0.accept_ra=2
+net.ipv6.conf.all.forwarding=1
+net.ipv6.conf.default.forwarding=1