Initial commit

2025-08-20 17:11:32 +02:00
commit 8c2f438749
21 changed files with 392 additions and 0 deletions
--- a/services/basic/global.policy.json
+++ b/services/basic/global.policy.json
@@ -0,0 +1,11 @@
+{
+    "description": "Restrict all internet access",
+    "variable": { "internet_if": "eth0" },
+    "zone": {
+        "internet": { "iface": "$internet_if" }
+    },
+    "policy": [
+        { "in": "internet", "action": "drop" },
+        { "action": "reject" }
+    ]
+}
--- a/services/basic/icmp.policy.json
+++ b/services/basic/icmp.policy.json
@@ -0,0 +1,11 @@
+{
+    "description": "Allow ping-pong",
+    "filter": [
+        {
+            "in": "internet",
+            "service": "ping",
+            "action": "accept",
+            "flow-limit": { "count": 10, "interval": 6 }
+        }
+    ]
+}
--- a/services/basic/outgoing.policy.json
+++ b/services/basic/outgoing.policy.json
@@ -0,0 +1,11 @@
+{
+    "description": "Allow outgoing connections for http/https, dns, ssh, ntp, ssh and ping",
+    "filter": [
+        {
+            "in": "_fw",
+            "out": "internet",
+            "service": ["http", "https", "dns", "ssh", "ntp", "ping"],
+            "action": "accept"
+        }
+    ]
+}
--- a/services/caddy/config/Caddyfile
+++ b/services/caddy/config/Caddyfile
@@ -0,0 +1,62 @@
+# https://hackviser.com/tactics/hardening/caddy
+{
+	auto_https disable_redirects
+
+	# Do not write access logs to journald.
+	log {
+		exclude http.log.access
+	}
+
+	# Write access logs to the logs volume in json
+	# format. Only keep logs for the last 30 days.
+	log access {
+		format json
+		output file /data/logs/access.log {
+			roll_keep_for 720h
+		}
+	}
+}
+
+# Block with default http config that accepts requests on
+# fd/3 and redirects to https.
+(https-redir) {
+	bind fd/3 {
+		protocols h1
+	}
+	redir https://{host}{uri} 308
+}
+
+# Block with default https config that accepts requests on
+# fd/4 and fdgram/5.
+(https) {
+	bind fd/4 {
+		protocols h1 h2
+	}
+	bind fdgram/5 {
+		protocols h3
+	}
+}
+
+# Block with compression configuration.
+(compression) {
+	encode zstd gzip
+}
+
+# Block with headers that should be used by most
+# sites. Add HSTS and some other security headers.
+# Remove the server header because without it caddy
+# leaks the backend server version.
+# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+# https://scotthelme.co.uk/content-security-policy-an-introduction/
+(default-headers) {
+	header {
+		Strict-Transport-Security max-age=31536000; includeSubDomains; preload
+		X-Content-Type-Options nosniff
+		X-Frame-Options sameorigin
+		Content-Security-Policy default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline';
+		Referrer-Policy: same-origin
+		-Server
+	}
+}
+
+import *.caddy
--- a/services/caddy/http.policy.json
+++ b/services/caddy/http.policy.json
@@ -0,0 +1,11 @@
+{
+    "description": "Allow incoming http (TCP 80 & 443) ports",
+    "filter": [
+        {
+            "in": "internet",
+            "out": "_fw",
+            "service": ["http", "https"],
+            "action": "accept"
+        }
+    ]
+}
--- a/services/caddy/service.toml
+++ b/services/caddy/service.toml
@@ -0,0 +1,33 @@
+user = "podman"
+capabilities = ["NET_BIND_SERVICE"]
+
+[service]
+name = "caddy"
+image = "caddy:alpine"
+
+[[mounts]]
+typ = "bind"
+source = "$HOME/caddy"
+target = "/etc/caddy"
+read_only = true
+
+[[volumes]]
+source = "caddy-logs"
+target = "/data/logs"
+create = true
+
+[[volumes]]
+source = "caddy-data"
+target = "/data/caddy"
+create = true
+
+[[ports]]
+host = 80
+container = 80
+
+[[ports]]
+host = 443
+container = 443
+
+[[networks]]
+group = "caddy"
--- a/services/caddy/update.sh
+++ b/services/caddy/update.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# Symlink config files in base dir
+find "$base_dir" -name "*.caddy" -exec ln -sf {} "./config" \;
+
+# Symlink config dir
+mkdir -p /home/podman/caddy
+ln -sf ./config /home/podman/caddy
--- a/services/ssh/ssh.caddy
+++ b/services/ssh/ssh.caddy
@@ -0,0 +1 @@
+test
--- a/services/ssh/ssh.policy.json
+++ b/services/ssh/ssh.policy.json
@@ -0,0 +1,12 @@
+{
+    "description": "Allow limited incoming SSH access (TCP/22)",
+    "filter": [
+        {
+            "in": "internet",
+            "out": "_fw",
+            "service": "ssh",
+            "action": "accept",
+	        "conn-limit": { "count": 3, "interval": 30 }
+        }
+    ]
+}
--- a/services/ssh/sshd_config
+++ b/services/ssh/sshd_config
@@ -0,0 +1,25 @@
+# SSHD config. See https://man.openbsd.org/sshd_config
+# https://hackviser.com/tactics/hardening/ssh
+
+# Protocol 2 is more secure
+Protocol 2
+
+# No root login or passwords
+PermitRootLogin no
+PasswordAuthentication no
+AuthenticationMethods publickey
+
+# Allow tunneling, but not with option R (remote)
+AllowTcpForwarding local
+GatewayPorts yes
+
+# override default of no subsystems
+Subsystem	sftp	internal-sftp
+
+# Only allow users that are listed
+AllowUsers admin
+
+# Only allow secure ciphers
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,mlkem768x25519-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+MACs hmac-sha2-256,hmac-sha2-512
--- a/services/ssh/update.sh
+++ b/services/ssh/update.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+ln -sf ./sshd_config /etc/ssh/sshd_config