fix iptables rules. update ipfs.service. init cloud-init folder with first sample configuration #16

Merged
claudiomaradonna merged 2 commits from master into master 2022-08-03 16:30:44 +02:00
4 changed files with 226 additions and 7 deletions
Showing only changes of commit c45346ac4c - Show all commits

View file

@ -0,0 +1,73 @@
#cloud-config
ssh_genkeytypes: [ecdsa, ed25519]
# upgrade system
package_update: true
package_upgrade: true
# various dependencies
packages:
- ca-certificates
- curl
- gnupg
- lsb-release
- fail2ban
- nginx
- certbot
- python3-certbot-nginx
- iptables-persistent
write_files:
- path: /etc/iptables/rules.v4
permissions: 0644
owner: root:root
content: |
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8448 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
COMMIT
- path: /etc/systemd/journald.conf.d/size.conf
permissions: 0644
owner: root:root
content: |
[Journal]
SystemMaxUse=250M
SystemMaxFileSize=50M
- path: /etc/fstab
append: true
content: |
/swapfile swap swap defaults 0 0
runcmd:
- 'iptables-restore < /etc/iptables/rules.v4'
- [systemctl, enable, --now, fail2ban]
- 'fallocate -l 3G /swapfile'
- 'chmod 600 /swapfile'
- 'mkswap /swapfile'
- 'swapon /swapfile'
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/ssh/etc/ssh/sshd_config, --output, /etc/ssh/sshd_config.d/99-hardening.conf]
- [systemctl, restart, ssh]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-network-filesystems.conf, --output, /etc/modprobe.d/disable-network-filesystems.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-filesystems.conf, --output, /etc/modprobe.d/disable-rare-filesystems.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-protocols.conf, --output, /etc/modprobe.d/disable-rare-protocols.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-vivid.conf, --output, /etc/modprobe.d/disable-vivid.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf]
- [sysctl, -p]
- [timedatectl, set-timezone, Europe/Rome]

View file

@ -13,6 +13,7 @@ packages:
- gnupg - gnupg
- lsb-release - lsb-release
- fail2ban - fail2ban
- iptables-persistent
write_files: write_files:
- path: /etc/iptables/rules.v4 - path: /etc/iptables/rules.v4
@ -27,6 +28,13 @@ write_files:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 2376 -j ACCEPT -m comment --comment "Docker Swarm"
-A INPUT -p tcp --dport 2377 -j ACCEPT -m comment --comment "Docker Swarm"
-A INPUT -p tcp -m tcp --dport 7946 -m comment --comment "Docker Swarm" -j ACCEPT
-A INPUT -p udp -m udp --dport 7946 -m comment --comment "Docker Swarm" -j ACCEPT
-A INPUT -p udp -m udp --dport 4789 -m comment --comment "Docker Swarm" -j ACCEPT
-A INPUT -i $SPECIFY_INTERFACE -p tcp --dport 24007 -j ACCEPT -m comment --comment "GlusterFS Management"
-A INPUT -i $SPECIFY_INTERFACE -p tcp -m tcp --dport 49152:60999 -m comment --comment "GlusterFS Bricks" -j ACCEPT
-A OUTPUT -o lo -j ACCEPT -A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
@ -40,14 +48,23 @@ write_files:
:INPUT DROP [0:0] :INPUT DROP [0:0]
:FORWARD DROP [0:0] :FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -o tun0 -j ACCEPT -A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp6-port-unreachable -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp6-port-unreachable
COMMIT COMMIT
- path: /etc/systemd/journald.conf.d/size.conf
permissions: 0644
owner: root:root
content: |
[Journal]
SystemMaxUse=250M
SystemMaxFileSize=50M
- path: /etc/fstab
append: true
content: |
/swapfile swap swap defaults 0 0
runcmd: runcmd:
- 'iptables-restore < /etc/iptables/rules.v4' - 'iptables-restore < /etc/iptables/rules.v4'
@ -55,6 +72,11 @@ runcmd:
- [systemctl, enable, --now, fail2ban] - [systemctl, enable, --now, fail2ban]
- 'fallocate -l 2G /swapfile'
- 'chmod 600 /swapfile'
- 'mkswap /swapfile'
- 'swapon /swapfile'
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/ssh/etc/ssh/sshd_config, --output, /etc/ssh/sshd_config.d/99-hardening.conf] - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/ssh/etc/ssh/sshd_config, --output, /etc/ssh/sshd_config.d/99-hardening.conf]
- [systemctl, restart, ssh] - [systemctl, restart, ssh]
@ -64,20 +86,24 @@ runcmd:
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-vivid.conf, --output, /etc/modprobe.d/disable-vivid.conf] - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-vivid.conf, --output, /etc/modprobe.d/disable-vivid.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf] - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/sysctl/etc/sysctl.d/99-swarm.conf, --output, /etc/sysctl.d/99-swarm.conf]
- [sysctl, -p] - [sysctl, -p]
- [mkdir, -p, /usr/local/apt-keys] - [mkdir, -p, /usr/local/apt-keys]
- [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt] - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
- 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null' - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
- "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list" - "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
- [apt-get, update]
- [apt-get, install, -y, yggdrasil]
- [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf]
- [systemctl, enable, --now, yggdrasil]
- [mkdir, -p, /etc/apt/keyrings] - [mkdir, -p, /etc/apt/keyrings]
- "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg" - "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
- 'echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null' - 'echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null'
- [chmod, a+r, /etc/apt/keyrings/docker.gpg] - [chmod, a+r, /etc/apt/keyrings/docker.gpg]
- [apt-get, update] - [apt-get, update]
- 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin' - 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin yggdrasil'
- [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf]
- [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf]
#- [systemctl, enable, --now, yggdrasil]
- [timedatectl, set-timezone, Europe/Rome]

115
cloud-init/swarm-worker.yml Normal file
View file

@ -0,0 +1,115 @@
#cloud-config
ssh_genkeytypes: [ecdsa, ed25519]
# upgrade system
package_update: true
package_upgrade: true
# various dependencies
packages:
- ca-certificates
- curl
- gnupg
- lsb-release
- fail2ban
- iptables-persistent
- glusterfs-client
write_files:
- path: /etc/iptables/rules.v4
permissions: 0644
owner: root:root
content: |
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 2376 -j ACCEPT -m comment --comment "Docker Swarm"
-A INPUT -p tcp -m tcp --dport 7946 -m comment --comment "Docker Swarm" -j ACCEPT
-A INPUT -p udp -m udp --dport 7946 -m comment --comment "Docker Swarm" -j ACCEPT
-A INPUT -p udp -m udp --dport 4789 -m comment --comment "Docker Swarm" -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
COMMIT
- path: /etc/iptables/rules.v6
permissions: 0644
owner: root:root
content: |
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp6-port-unreachable
COMMIT
- path: /etc/systemd/journald.conf.d/size.conf
permissions: 0644
owner: root:root
content: |
[Journal]
SystemMaxUse=250M
SystemMaxFileSize=50M
- path: /etc/fstab
append: true
content: |
/swapfile swap swap defaults 0 0
- path: /etc/hosts
append: true
content: |
192.168.178.2 swarm-manager-1
192.168.178.3 swarm-manager-2
192.168.178.4 swarm-manager-3
runcmd:
- 'iptables-restore < /etc/iptables/rules.v4'
- 'ip6tables-restore < /etc/iptables/rules.v6'
- [systemctl, enable, --now, fail2ban]
- 'fallocate -l 2G /swapfile'
- 'chmod 600 /swapfile'
- 'mkswap /swapfile'
- 'swapon /swapfile'
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/ssh/etc/ssh/sshd_config, --output, /etc/ssh/sshd_config.d/99-hardening.conf]
- [systemctl, restart, ssh]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-network-filesystems.conf, --output, /etc/modprobe.d/disable-network-filesystems.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-filesystems.conf, --output, /etc/modprobe.d/disable-rare-filesystems.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-protocols.conf, --output, /etc/modprobe.d/disable-rare-protocols.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-vivid.conf, --output, /etc/modprobe.d/disable-vivid.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/sysctl/etc/sysctl.d/99-swarm.conf, --output, /etc/sysctl.d/99-swarm.conf]
- [sysctl, -p]
- [mkdir, -p, /usr/local/apt-keys]
- [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
- 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
- "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
- [mkdir, -p, /etc/apt/keyrings]
- "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
- 'echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null'
- [chmod, a+r, /etc/apt/keyrings/docker.gpg]
- [apt-get, update]
- 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin yggdrasil'
- [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf]
- [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf]
#- [systemctl, enable, --now, yggdrasil]
- [timedatectl, set-timezone, Europe/Rome]
- [mkdir, /mnt/swarm-data]

View file

@ -0,0 +1,5 @@
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.eth0.accept_ra=2
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1