fix iptables rules. update ipfs.service. init cloud-init folder with first sample configuration
This commit is contained in:
parent
93cbb1c341
commit
dbca83ff52
5 changed files with 79 additions and 12 deletions
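--- /dev/null
+++ b/cloud-init/swarm-manager.yml
@@ -0,0 +1,65 @@
+#cloud-config
+
+ssh_genkeytypes: [ecdsa, ed25519]
+
+# upgrade system
+package_update: true
+package_upgrade: true
+
+# various dependencies
+packages:
+  - ca-certificates
+  - curl
+  - gnupg
+  - lsb-release
+
+write_files:
+  - path: /etc/iptables/rules.v4
+    permissions: 0644
+    owner: root:root
+    content: |
+      *filter
+      :INPUT DROP [0:0]
+      :FORWARD DROP [0:0]
+      :OUTPUT ACCEPT [0:0]
+      -A INPUT -i lo -j ACCEPT
+      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+      -A INPUT -m conntrack --ctstate INVALID -j DROP
+      -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+      -A OUTPUT -o lo -j ACCEPT
+      -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+      -A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+      -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
+      COMMIT
+  - path: /etc/iptables/rules.v6
+    permissions: 0644
+    owner: root:root
+    content: |
+      *filter
+      :INPUT DROP [0:0]
+      :FORWARD DROP [0:0]
+      :OUTPUT ACCEPT [0:0]
+      -A INPUT -i tun0 -j ACCEPT
+      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+      -A INPUT -m conntrack --ctstate INVALID -j DROP
+      -A OUTPUT -o tun0 -j ACCEPT
+      -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+      -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp6-port-unreachable
+      COMMIT
+
+runcmd:
+  - [mkdir, -p, /usr/local/apt-keys]
+  - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
+  - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
+  - "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
+  - [apt-get, update]
+  - [apt-get, install, -y, yggdrasil]
+  - [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf]
+  - [systemctl, enable, --now, yggdrasil]
+
+  - [mkdir, -p, /etc/apt/keyrings]
+  - "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
+  - 'echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null'
+  - [chmod, a+r, /etc/apt/keyrings/docker.gpg]
+  - [apt-get, update]
+  - 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin'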
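Review bot: The rulesets written to /etc/iptables/rules.v4 and rules.v6 are never applied by this config: the packages list contains no iptables-persistent/netfilter-persistent and runcmd never calls iptables-restore, so unless the base Ubuntu image (implied by the download.docker.com/linux/ubuntu source and `lsb_release -cs`) already ships a loader, the host comes up with the default ACCEPT policy while docker-ce is installed. Add `- iptables-persistent` to packages, or put `- [iptables-restore, /etc/iptables/rules.v4]` and `- [ip6tables-restore, /etc/iptables/rules.v6]` at the top of runcmd before the apt steps, so INPUT DROP is in place before yggdrasil and docker start. Separately, the v6 rule `-A INPUT -i tun0 -j ACCEPT` accepts every inbound packet on tun0, and the public yggdrasil peers configured in the sed step below appear to make that interface reachable from an open overlay, so every listener (including the swarm ports dockerd will open) is exposed there; restricting it to the ports the swarm actually needs, e.g. `-A INPUT -i tun0 -p tcp --dport 2377 -j ACCEPT`, is the safer shape. The v6 ruleset also accepts no ICMPv6, which breaks neighbour discovery on any non-tun interface if the host has native IPv6 — if IPv6 is intended only over the overlay, say so with `# IPv6 is expected only via the yggdrasil tun0 overlay; no native v6 uplink` above the rule. Finally, `permissions: 0644` is an unquoted octal that depends on YAML 1.1 integer handling; write `permissions: '0644'` as cloud-init documents.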
@ -33,8 +33,8 @@ CapabilityBoundingSet=CAP_NET_BIND_SERVICE
LimitNOFILE=8192
LimitNOFILE=8192
#LimitNice=10
#LimitNice=10
MemoryAccounting=true
MemoryAccounting=true
MemoryHigh=768M
#MemoryHigh=768M
MemoryMax=1024M
#MemoryMax=1024M
MemorySwapMax=0
MemorySwapMax=0
CPUAccounting=true
CPUAccounting=true
CPUQuota=40%
CPUQuota=40%
@ -48,7 +48,9 @@ ExecStart=/home/ipfs/.local/bin/ipfs daemon --init --enable-gc --migrate
User=ipfs
User=ipfs
Group=ipfs
Group=ipfs
StateDirectory=ipfs
StateDirectory=ipfs
Restart=on-failure
Restart=always
RestartSec=60
KillMode=process
KillSignal=SIGINT
KillSignal=SIGINT
[Install]
[Install]
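Review bot: `KillMode=process` in the second hunk signals only the main ipfs process on stop and leaves any child it spawned alive in the unit's cgroup, which systemd's own documentation discourages; the hunk header shows `ExecStart=... --migrate`, and as far as I recall go-ipfs runs repo migrations through a separate helper process, so with the new `Restart=always` a restart could race a still-running migration for the repo lock. Unless there is a known shutdown problem with the default control-group mode, drop the line or justify it in place with `# KillMode=process: TODO explain why control-group kill breaks shutdown`. In the first hunk, commenting out `MemoryHigh`/`MemoryMax` removes the unit's only memory ceiling while `CPUQuota=40%` is kept, so a leaking daemon can now push the host toward OOM instead of being throttled — raising the limit would be safer than removing it. Both hunks sit inside a [Service] section whose start and `ExecStart` line lie outside the visible diff.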
@ -1,7 +1,7 @@
*filter
*filter
:INPUT DROP [4414218:211789180]
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [17973:1146056]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
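Review bot: Flipping `:FORWARD ACCEPT` to `:FORWARD DROP` is right for a host that does no routing, but if this file is ever re-applied with iptables-restore (or netfilter-persistent reload) after dockerd is running — and the same commit installs docker-ce through cloud-init — the full `*filter ... COMMIT` table replacement removes Docker's DOCKER/DOCKER-USER chains and its FORWARD accept rules, and under the new DROP policy container traffic is then silently blackholed until dockerd restarts, whereas the old ACCEPT default masked that failure. A header comment such as `# Load at boot only, before docker.service; re-running iptables-restore after dockerd is up drops Docker's FORWARD rules` would make the constraint visible, and the loader's ordering relative to docker.service should be checked. The same policy change appears in the two following identical hunks. The counter reset from `[4414218:211789180]` to `[0:0]` is cosmetic, since iptables-restore ignores counters unless invoked with -c.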
@ -1,7 +1,7 @@
*filter
*filter
:INPUT DROP [4414218:211789180]
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [17973:1146056]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
@ -1,7 +1,7 @@
*filter
*filter
:INPUT DROP [4414218:211789180]
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [17973:1146056]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP