Updates

installation/podman.sh

@@ -16,6 +16,9 @@ su -c "podman system migrate" podman
 # Get rid of podman compose docker warning
 touch /etc/containers/nodocker
 
+# Use netavark and nftables
+sed -i '/^\[network\]/a network_backend = "netavark"\nfirewall_driver = "nftables"' /etc/containers/containers.conf
+
 # Fix shared mount with local service
 cat << EOF > /etc/local.d/mount-rshared.start
 #!/bin/sh 

services/adguard/service.toml

@@ -1,5 +1,4 @@
-user = "podman"
+capabilities = ["NET_RAW", "NET_ADMIN"]
-capabilities = ["NET_BIND_SERVICE", "NET_RAW", "NET_ADMIN"]
 
 [service]
 name = "adguard"
@@ -16,12 +15,12 @@ target = "/opt/adguardhome/certificates"
 create = true
 
 [[volumes]]
-source = "$HOME/adguard"
+source = "/var/containers/adguard"
 target = "/opt/adguardhome/conf"
 
 [[ports]]
 host = 8888
-container = 8080
+container = 3000
 
 # DNS ports
 [[ports]]

services/adguard/update.sh

@@ -1,3 +1,3 @@
 #!/bin/sh
-mkdir -p /home/podman/adguard
+mkdir -p /var/containers/adguard
-ln -sf ./AdGuardHome.yaml /home/podman/adguard/AdGuardHome.yaml
+ln -sf $(pwd)/AdGuardHome.yaml /var/containers/adguard/AdGuardHome.yaml

services/caddy/service.toml

@@ -7,7 +7,7 @@ image = "caddy:alpine"
 
 [[mounts]]
 typ = "bind"
-source = "$HOME/caddy"
+source = "/var/containers/caddy"
 target = "/etc/caddy"
 read_only = true
 

services/caddy/update.sh

@@ -1,6 +1,7 @@
 #!/bin/sh
-mkdir -p /home/podman/caddy
+mkdir -p /var/containers/caddy
-ln -sf ./Caddyfile /home/podman/caddy/Caddyfile
+ln -sf $(pwd)/Caddyfile /var/containers/caddy/Caddyfile
+chown -R podman:podman /var/containers/caddy
 
 if [ "$1" = "reload" ]; then
   podman exec caddy caddy reload -c /etc/caddy/Caddyfile

services/firewall/rules.nft

@@ -7,6 +7,9 @@ define vpn_net = 10.0.0.0/24
 define lan_net = 192.168.2.0/24
 define self = 192.168.2.22
 
+# delegated prefix is 2a02:a45e:ce93::/48
+define lan_net6 = 2a02:a45e:ce93:0::/64
+
 define icmpv4_basic = {
   echo-reply, # type 0 / ping
   echo-request, # type 8 / ping
@@ -50,7 +53,7 @@ table inet firewall {
     type filter hook input priority 0; policy drop;
 
     ct state invalid drop                                 # early drop of invalid packets
-    ct state {established, related} accept                # allow established/related connections
+    ct state { established, related } accept                # allow established/related connections
 
     iif lo accept                                         # allow traffic from loopback interface
 
@@ -67,10 +70,13 @@ table inet firewall {
 
     # AdGuard admin access (8888) only from LAN and VPN
     ip saddr { $lan_net, $vpn_net } tcp dport 8888 accept
+    ip6 saddr $lan_net6 tcp dport 8888 accept
 
-    # AdGuard DNS, DHCP, DoT, DoQ ports only from LAN and VPN
+    # Adguard DNS, DHCP, DoT, DoQ ports only from LAN and VPN
-    ip saddr { $lan_net, $vpn_net}  udp dport { 53, 67, 68, 784 } accept
+    ip saddr { $lan_net, $vpn_net} udp dport { 53, 67, 68, 784 } accept
     ip saddr { $lan_net, $vpn_net} tcp dport { 53, 853 } accept
+    ip6 saddr $lan_net6 udp dport { 53, 67, 68, 784 } accept
+    ip6 saddr $lan_net6 tcp dport { 53, 853 } accept
 
     # Rules for WAN interface only
     iifname $wan udp dport 51820 accept                   # Allow Wireguard incoming from WAN

services/firewall/update.sh

@@ -1,5 +1,5 @@
 #!/bin/sh
-ln -sf ./rules.nft /etc/nftables.d/firewall.nft
+ln -sf $(pwd)/rules.nft /etc/nftables.d/firewall.nft
 
 echo "Reloading firewall rules..."
 nft -f /etc/nftables.nft

services/ssh/update.sh

@@ -1,5 +1,5 @@
 #!/bin/sh
-ln -sf ./sshd_config /etc/ssh/sshd_config
+ln -sf $(pwd)/sshd_config /etc/ssh/sshd_config
 
 if [ "$1" = "reload" ]; then
   rc-service sshd restart

services/wireguard/install.sh

@@ -15,6 +15,10 @@ ListenPort = 51820
 DNS = 192.168.2.22    # AdGuard DNS server IP
 EOF
 
+# Kernel module
+modprobe wireguard
+echo wireguard >> /etc/modules
+
 # Enable IP forwarding, persistent
 echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/ip_forward.conf
 echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.d/ip_forward.conf