From 9a0277a48d20b78d26eb77955aec38b499e61c02 Mon Sep 17 00:00:00 2001
From: Maurice
Date: Tue, 30 Sep 2025 13:04:56 +0200
Subject: [PATCH] Updates
---
 SETUP.md | 6 ++++--
 services/caddy/update.sh | 6 +++++-
 services/firewall/install.sh | 11 +++++++++++
 services/firewall/rules.nft | 18 ++++++------------
 services/firewall/update.sh | 2 +-
 services/ssh/update.sh | 6 +++++-
 services/wireguard/add_client.sh | 1 +
 services/wireguard/install.sh | 1 +
 services/wireguard/update.sh | 4 ++++
 update.sh | 2 +-
 10 files changed, 39 insertions(+), 18 deletions(-)
 create mode 100644 services/wireguard/update.sh
diff --git a/SETUP.md b/SETUP.md
index e3b8bc3..b6d4e28 100644
--- a/SETUP.md
+++ b/SETUP.md
@@ -30,9 +30,11 @@ reboot
 FIRST. Make sure your public key is configured for SSH! Else, next step will LOCK YOU OUT SSH!
-Then, run install.sh by getting it from the internet (wget is in busybox):
+Then, run setup.sh by getting it from the internet (wget is in busybox):
 ```sh
 wget https://git.plabble.org/Maurice/alpine-server-setup/raw/branch/main/setup.sh
 chmod +x setup.sh
 ./setup.sh
-```
\ No newline at end of file
+```
+
+This will install git, clone this repository and run the installation scripts.
\ No newline at end of file
diff --git a/services/caddy/update.sh b/services/caddy/update.sh
index be7ed21..286f46e 100644
--- a/services/caddy/update.sh
+++ b/services/caddy/update.sh
@@ -1,3 +1,7 @@
 #!/bin/sh
 mkdir -p /home/podman/caddy
-ln -sf ./Caddyfile /home/podman/caddy/Caddyfile
\ No newline at end of file
+ln -sf ./Caddyfile /home/podman/caddy/Caddyfile
+
+if [ "$1" = "reload" ]; then
+ podman exec caddy caddy reload -c /etc/caddy/Caddyfile
+fi
\ No newline at end of file
diff --git a/services/firewall/install.sh b/services/firewall/install.sh
index f9c81dd..e56f2e8 100644
--- a/services/firewall/install.sh
+++ b/services/firewall/install.sh
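Review bot: `ln -sf ./Caddyfile /home/podman/caddy/Caddyfile` stores the literal target `./Caddyfile`, which the kernel resolves relative to the link's own directory, so `/home/podman/caddy/Caddyfile` ends up pointing at itself and any read of it fails with ELOOP instead of reaching the repo's Caddyfile; the `podman exec caddy caddy reload` that follows then has nothing valid to reload. The same pattern is on the new side of services/ssh/update.sh (`/etc/ssh/sshd_config` -> `./sshd_config`) and in the context of services/firewall/update.sh (`/etc/nftables.d/firewall.nft` -> `./rules.nft`). Use an absolute target such as `ln -sf "$(pwd)/Caddyfile" /home/podman/caddy/Caddyfile`, or copy the file instead. If /home/podman/caddy is bind-mounted into the container (the mount is not visible in this hunk, so confirm), a symlink target must additionally be visible inside the container's filesystem, which is a further reason to prefer a copy here.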
@@ -3,4 +3,15 @@ echo "Setting up firewall..."
 apk add nftables
 rc-update add nftables boot
+
+cat << EOF > /etc/nftables.nft
+#!/usr/sbin/nft -f
+
+# The state of stateful objects saved on the nftables service stop.
+include "/var/lib/nftables/*.nft"
+
+# Rules
+include "/etc/nftables.d/*.nft"
+EOF
+
 rc-service nftables start
\ No newline at end of file
diff --git a/services/firewall/rules.nft b/services/firewall/rules.nft
index be0af02..5f3738c 100644
--- a/services/firewall/rules.nft
+++ b/services/firewall/rules.nft
@@ -1,3 +1,4 @@
+#!/usr/sbin/nft -f
 flush ruleset
 define wan = eth0
@@ -36,16 +37,10 @@ define icmpv6_slaac = {
 define lan_clients = { 10.0.0.3 }
 table inet firewall {
- # chain prerouting {
- # type nat hook prerouting priority 0;
- # # Example of port forwarding HTTP (80) from specific LAN clients to a local server
- # ip saddr 10.0.0.4 ip daddr $self tcp dport 80 dnat to $self:9999
- # }
-
 chain postrouting {
 type nat hook postrouting priority 100;
- # Masquerade WireGuard VPN traffic to LAN subnet
+ # Masquerade WireGuard VPN WAN traffic to LAN subnet
 oifname $wan ip saddr $vpn_net masquerade
 }
@@ -71,12 +66,11 @@ table inet firewall {
 ip saddr $lan_net tcp dport 22 accept # Allow SSH from LAN network
 # AdGuard admin access (8888) only from LAN and VPN
- ip saddr $lan_net tcp dport 8888 accept
- ip saddr $vpn_net tcp dport 8888 accept
+ ip saddr { $lan_net, $vpn_net } tcp dport 8888 accept
- # AdGuard DNS, DHCP, DoT, DoQ ports only from LAN
- ip saddr $lan_net udp dport { 53, 67, 68, 784 } accept
- ip saddr $lan_net tcp dport { 53, 853 } accept
+ # AdGuard DNS, DHCP, DoT, DoQ ports only from LAN and VPN
+ ip saddr { $lan_net, $vpn_net} udp dport { 53, 67, 68, 784 } accept
+ ip saddr { $lan_net, $vpn_net} tcp dport { 53, 853 } accept
 # Rules for WAN interface only
 iifname $wan udp dport 51820 accept # Allow Wireguard incoming from WAN
diff --git a/services/firewall/update.sh b/services/firewall/update.sh
index a1c6205..4333d37 100644
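Review bot: The generated /etc/nftables.nft includes `/var/lib/nftables/*.nft` before `/etc/nftables.d/*.nft`, but rules.nft (linked into /etc/nftables.d by services/firewall/update.sh) begins with `flush ruleset`, so anything the first include restores is discarded on every load; if that directory really carries saved stateful objects, as the heredoc comment says, the order defeats it and the comment misleads the next reader. Either place the state include after the rules include, replace `flush ruleset` in rules.nft with a scoped `flush table inet firewall`, or reword the comment to say the saved state is intentionally discarded. Unrelated nit: `cat << 'EOF'` would make the heredoc literal, so a future `$` in the generated file is not expanded by the shell.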
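Review bot: The comment `# Masquerade WireGuard VPN WAN traffic to LAN subnet` still does not describe the rule under it, which matches `oifname $wan`, i.e. VPN-sourced traffic leaving through the WAN interface and being rewritten to the WAN address, not to the LAN subnet; `# Masquerade VPN traffic leaving via WAN` would be accurate. In the third hunk, UDP 67 and 68 (DHCP) are now also accepted from `$vpn_net`, but DHCP is link-layer broadcast and is unlikely to arrive over a layer-3 WireGuard tunnel, so that part of the change widens the accept set without a purpose; keeping DHCP LAN-only and using `{ 53, 784 }` for the VPN set would match the comment better. Minor: `{ $lan_net, $vpn_net}` is missing the space before `}` on both new lines.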
--- a/services/firewall/update.sh
+++ b/services/firewall/update.sh
@@ -2,4 +2,4 @@
 ln -sf ./rules.nft /etc/nftables.d/firewall.nft
 echo "Reloading firewall rules..."
-nft -f /etc/nftables.d/firewall.nft
\ No newline at end of file
+nft -f /etc/nftables.nft
\ No newline at end of file
diff --git a/services/ssh/update.sh b/services/ssh/update.sh
index bd67ed2..d0112f2 100644
--- a/services/ssh/update.sh
+++ b/services/ssh/update.sh
@@ -1,2 +1,6 @@
 #!/bin/sh
-ln -sf ./sshd_config /etc/ssh/sshd_config
\ No newline at end of file
+ln -sf ./sshd_config /etc/ssh/sshd_config
+
+if [ "$1" = "reload" ]; then
+ rc-service sshd restart
+fi
\ No newline at end of file
diff --git a/services/wireguard/add_client.sh b/services/wireguard/add_client.sh
index d1c560d..04dcc62 100644
--- a/services/wireguard/add_client.sh
+++ b/services/wireguard/add_client.sh
@@ -30,6 +30,7 @@ cat < /etc/wireguard/clients/$CLIENT_NAME.conf
 [Interface]
 Address = $NEXT_IP/24
 PrivateKey = $(cat /etc/wireguard/clients/keys/$CLIENT_NAME.priv.key)
+DNS = 10.0.0.1 # DNS via the VPN
 # $CLIENT_NAME configuration
 [Peer]
diff --git a/services/wireguard/install.sh b/services/wireguard/install.sh
index e2cd5bd..0088286 100644
--- a/services/wireguard/install.sh
+++ b/services/wireguard/install.sh
@@ -12,6 +12,7 @@ cat < /etc/wireguard/wg0.conf
 PrivateKey = $(cat /etc/wireguard/server_priv.key)
 Address = 10.0.0.1/24 # Server has IP in the wg network
 ListenPort = 51820
+DNS = 192.168.2.22 # AdGuard DNS server IP
 EOF
 # Enable IP forwarding, persistent
diff --git a/services/wireguard/update.sh b/services/wireguard/update.sh
new file mode 100644
index 0000000..2f0bb73
--- /dev/null
+++ b/services/wireguard/update.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+if [ "$1" = "reload" ]; then
+ rc-service wg-quick.wg0 restart
+fi
\ No newline at end of file
diff --git a/update.sh b/update.sh
index 20e22a6..e5a604e 100644
--- a/update.sh
+++ b/update.sh
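Review bot: `nft -f /etc/nftables.nft` runs on every invocation of this script, while the caddy, ssh and wireguard update scripts in the same commit only act when `$1` is `reload`; if the unconditional apply is deliberate, a one-line comment saying so (`# Firewall rules are applied on every update, not only on reload`) would stop the next reader from "aligning" it, otherwise wrap it in the same `if [ "$1" = "reload" ]; then … fi` guard. `nft -f` is atomic, so a parse error leaves the running ruleset untouched, but the script does not check its exit status and the loop in update.sh sources this file, so a failure is silently skipped; `nft -f /etc/nftables.nft || echo "nft reload failed" >&2` would at least surface it. The file's first line lies outside the hunk.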
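Review bot: `rc-service sshd restart` restarts the daemon without validating the configuration it was just pointed at, and a config sshd refuses to parse leaves no listener at all — exactly the lock-out SETUP.md warns about for a remote box. Gate the restart on sshd's test mode: `if sshd -t -f /etc/ssh/sshd_config; then rc-service sshd restart; else echo "sshd_config invalid, not restarting" >&2; fi`. Where the OpenRC service script offers it, `rc-service sshd reload` applies a new config via SIGHUP without dropping the session that is running this update.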
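Review bot: `DNS = 10.0.0.1` in the client config points peers at the server's own wg0 address, while services/wireguard/install.sh in this same commit labels 192.168.2.22 as the AdGuard DNS server; name resolution over the VPN therefore only works if AdGuard also listens on 10.0.0.1 (the rules.nft hunk accepting dport 53 from `$vpn_net` on the input chain suggests that is the intent, but nothing on the page confirms the bind address). A comment naming the dependency, `# DNS via the VPN (AdGuard must listen on the wg0 address)`, or defining the resolver address once and reusing it in both scripts, would keep the two files from drifting. The heredoc this line belongs to starts before the hunk.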
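Review bot: `DNS = 192.168.2.22` in the server's own [Interface] section is acted on by wg-quick through resolvconf when wg0 comes up: it rewrites this host's system resolver, and wg-quick aborts the interface if no resolvconf implementation is installed; it does not advertise a DNS server to peers (that is the client-side `DNS =` that add_client.sh writes). If the intent was to document the resolver clients use, drop the line here and keep the note in add_client.sh; if the server itself should resolve via AdGuard, say so in the comment and make sure this install script also installs a resolvconf provider. The heredoc continues above the hunk.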
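Review bot: `rc-service wg-quick.wg0 restart` tears the tunnel down and back up, dropping every active VPN session, although the likely trigger for a reload here is a peer added by add_client.sh, which does not require that. wg-quick documents a non-disruptive path for peer changes, `wg syncconf wg0 <(wg-quick strip wg0)`; under `#!/bin/sh` (no process substitution) the same can be done through a temporary file produced by `wg-quick strip wg0`, with the restart kept as the fallback for [Interface] changes. A comment stating which kind of change this script is expected to apply would help either way.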
@@ -17,7 +17,7 @@ for service in "./services"/*/; do
 # Run update.sh if present
 if [ -f "update.sh" ]; then
- source ./update.sh
+ source ./update.sh "$1"
 fi
 # Symlink all caddy configs
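Review bot: `source ./update.sh "$1"` relies on the shell setting the sourced file's positional parameters from the extra operand, which bash does but POSIX leaves unspecified for `.`; SETUP.md mentions busybox, so if this runs under busybox ash the behaviour should be verified rather than assumed. Because the service scripts are sourced, their `#!/bin/sh` lines are ignored and any `exit`, `cd` or variable assignment inside one of them affects the loop in this file; running them as children, `sh ./update.sh "$1"`, isolates each service and makes the argument passing unambiguous. The enclosing `for service` loop begins before the hunk.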