From dbca83ff52e08dec8e9eeee81614bb7c17818358 Mon Sep 17 00:00:00 2001
From: Claudio Maradonna
Date: Wed, 3 Aug 2022 16:29:06 +0200
Subject: [PATCH] fix iptables rules. update ipfs.service. init cloud-init folder with first sample configuration
---
 cloud-init/swarm-manager.yml | 65 ++++++++++++++++++++++++++++
 ipfs/lib/systemd/system/ipfs.service | 8 ++--
 iptables/iptables-http-full-f2b.fw | 6 +--
 iptables/iptables-http-full.fw | 6 +--
 iptables/iptables-ssh-only.fw | 6 +--
 5 files changed, 79 insertions(+), 12 deletions(-)
 create mode 100644 cloud-init/swarm-manager.yml
diff --git a/cloud-init/swarm-manager.yml b/cloud-init/swarm-manager.yml
new file mode 100644
index 0000000..b27d58d
--- /dev/null
+++ b/cloud-init/swarm-manager.yml
@@ -0,0 +1,65 @@
+#cloud-config
+
+ssh_genkeytypes: [ecdsa, ed25519]
+
+# upgrade system
+package_update: true
+package_upgrade: true
+
+# various dependencies
+packages:
+ - ca-certificates
+ - curl
+ - gnupg
+ - lsb-release
+
+write_files:
+ - path: /etc/iptables/rules.v4
+ permissions: 0644
+ owner: root:root
+ content: |
+ *filter
+ :INPUT DROP [0:0]
+ :FORWARD DROP [0:0]
+ :OUTPUT ACCEPT [0:0]
+ -A INPUT -i lo -j ACCEPT
+ -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ -A INPUT -m conntrack --ctstate INVALID -j DROP
+ -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+ -A OUTPUT -o lo -j ACCEPT
+ -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+ -A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+ -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
+ COMMIT
+ - path: /etc/iptables/rules.v6
+ permissions: 0644
+ owner: root:root
+ content: |
+ *filter
+ :INPUT DROP [0:0]
+ :FORWARD DROP [0:0]
+ :OUTPUT ACCEPT [0:0]
+ -A INPUT -i tun0 -j ACCEPT
+ -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ -A INPUT -m conntrack --ctstate INVALID -j DROP
+ -A OUTPUT -o tun0 -j ACCEPT
+ -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+ -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp6-port-unreachable
+ COMMIT
+
+runcmd:
+ - [mkdir, -p, /usr/local/apt-keys]
+ - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
+ - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
+ - "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
+ - [apt-get, update]
+ - [apt-get, install, -y, yggdrasil]
+ - [sed, -r, -i, 's/Peers:\s\[\]/Peers: 
[\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf]
+ - [systemctl, enable, --now, yggdrasil]
+
+ - [mkdir, -p, /etc/apt/keyrings]
+ "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
+ 'echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null'
+ - [chmod, a+r, /etc/apt/keyrings/docker.gpg]
+ - [apt-get, update]
+ 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin'
diff --git a/ipfs/lib/systemd/system/ipfs.service b/ipfs/lib/systemd/system/ipfs.service
index 20ac290..e256157 100644
--- a/ipfs/lib/systemd/system/ipfs.service
+++ b/ipfs/lib/systemd/system/ipfs.service
@@ -33,8 +33,8 @@ CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 LimitNOFILE=8192
 #LimitNice=10
 MemoryAccounting=true
-MemoryHigh=768M
-MemoryMax=1024M
+#MemoryHigh=768M
+#MemoryMax=1024M
 MemorySwapMax=0
 CPUAccounting=true
 CPUQuota=40%
@@ -48,7 +48,9 @@ ExecStart=/home/ipfs/.local/bin/ipfs daemon --init --enable-gc --migrate
 User=ipfs
 Group=ipfs
 StateDirectory=ipfs
-Restart=on-failure
+Restart=always
+RestartSec=60
+KillMode=process
 KillSignal=SIGINT
 
 [Install]
diff --git a/iptables/iptables-http-full-f2b.fw b/iptables/iptables-http-full-f2b.fw
index 45db85a..377d871 100644
--- a/iptables/iptables-http-full-f2b.fw
+++ b/iptables/iptables-http-full-f2b.fw
@@ -1,7 +1,7 @@
 *filter
-:INPUT DROP [4414218:211789180]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [17973:1146056]
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
 :f2b-sshd - [0:0]
 -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
 -A INPUT -i lo -j ACCEPT
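Review bot: The two rule sets written under `write_files` are never loaded: `packages` does not include iptables-persistent and `runcmd` never calls iptables-restore, so unless the base image already restores /etc/iptables/rules.v4 and rules.v6 at boot, the node comes up with the kernel's default ACCEPT policies while yggdrasil and Docker are installed and started. Add `- iptables-persistent` to `packages` (the files are written before packages are installed, so its boot-time restore picks them up) or put `- [iptables-restore, /etc/iptables/rules.v4]` and `- [ip6tables-restore, /etc/iptables/rules.v6]` at the top of `runcmd`. Separately, the v6 rule `-A INPUT -i tun0 -j ACCEPT` admits every port from the whole yggdrasil overlay, which after the node is initialised as a swarm manager includes the swarm management ports; restricting it to the ports the node actually serves keeps the overlay from becoming an unfiltered path into the manager. The `"curl -fsSL …"`, `'echo "deb [arch=…'` and `'apt-get install -y docker-ce …'` entries show no leading `- `, which, if that is in the file rather than a rendering artifact, makes `runcmd` invalid as a YAML list.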
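Review bot: Commenting out `MemoryHigh=768M` and `MemoryMax=1024M` removes the only memory bound on the ipfs daemon while `MemoryAccounting=true`, `MemorySwapMax=0` and `CPUQuota=40%` are kept, so a misbehaving or abused daemon can now consume all host RAM and take the node down instead of being throttled or killed in isolation. If the old limits were causing OOM kills, raising them (for example `MemoryHigh=1536M` and `MemoryMax=2G`, values to be sized for the host) preserves the containment. If dropping them is deliberate, a comment such as `# memory limits disabled: <reason>; re-enable once sized for this host` records the decision next to the disabled lines.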
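Review bot: `KillMode=process` delivers `KillSignal=SIGINT` to the main daemon process only; any child it has spawned (the `--migrate` flag on ExecStart suggests a repo-migration helper may run as one) survives the stop, keeps running outside the unit's control, and with `Restart=always` a fresh daemon is started 60 s later beside the leftover, where the two can contend for the repository. systemd's documentation discourages `KillMode=process` for exactly this reason; the default `control-group`, or `mixed` (KillSignal to the main process, the final SIGKILL to the rest of the cgroup), keeps every process accounted for. `Restart=always` also restarts the daemon after it exits cleanly on its own; if only crash recovery is wanted, `Restart=on-failure` together with the new `RestartSec=60` gives the same backoff.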
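Review bot: Flipping the FORWARD policy to DROP is the right default for a host that does not route, but these files are full `*filter` dumps without Docker's `DOCKER`, `DOCKER-USER` and `DOCKER-ISOLATION-STAGE-*` chains, so if any of them is restored on a Docker host while dockerd is already running (the new cloud-init sample installs Docker on the same kind of node), the restore flushes those chains and, with forwarding now dropped by default, all container traffic stops until dockerd is restarted; the same applies to the hunks in iptables-http-full.fw and iptables-ssh-only.fw. Either document at the top of each file that it must be loaded before dockerd starts (or with `iptables-restore -n` to avoid flushing), or move host-side forwarding policy into `DOCKER-USER` as Docker recommends so the two rule sources do not overwrite each other. Zeroing the packet counters is a welcome cleanup of what were clearly live `iptables-save` snapshots.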
diff --git a/iptables/iptables-http-full.fw b/iptables/iptables-http-full.fw
index 6b2a30b..b1a0ad2 100644
--- a/iptables/iptables-http-full.fw
+++ b/iptables/iptables-http-full.fw
@@ -1,7 +1,7 @@
 *filter
-:INPUT DROP [4414218:211789180]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [17973:1146056]
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -m conntrack --ctstate INVALID -j DROP
diff --git a/iptables/iptables-ssh-only.fw b/iptables/iptables-ssh-only.fw
index 42ec8dc..a0ae6e0 100644
--- a/iptables/iptables-ssh-only.fw
+++ b/iptables/iptables-ssh-only.fw
@@ -1,7 +1,7 @@
 *filter
-:INPUT DROP [4414218:211789180]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [17973:1146056]
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -m conntrack --ctstate INVALID -j DROP