Updates

SETUP.md

@@ -30,9 +30,11 @@ reboot
 
 FIRST. Make sure your public key is configured for SSH! Else, next step will LOCK YOU OUT SSH!
 
-Then, run install.sh by getting it from the internet (wget is in busybox):
+Then, run setup.sh by getting it from the internet (wget is in busybox):
 ```sh
 wget https://git.plabble.org/Maurice/alpine-server-setup/raw/branch/main/setup.sh
 chmod +x setup.sh
 ./setup.sh
-```
+```
+
+This will install git, clone this repository and run the installation scripts.

services/caddy/update.sh

@@ -1,3 +1,7 @@
 #!/bin/sh
 mkdir -p /home/podman/caddy
-ln -sf ./Caddyfile /home/podman/caddy/Caddyfile
+ln -sf ./Caddyfile /home/podman/caddy/Caddyfile
+
+if [ "$1" = "reload" ]; then
+  podman exec caddy caddy reload -c /etc/caddy/Caddyfile
+fi

services/firewall/install.sh

@@ -3,4 +3,15 @@ echo "Setting up firewall..."
 
 apk add nftables
 rc-update add nftables boot
+
+cat << EOF > /etc/nftables.nft
+#!/usr/sbin/nft -f
+
+# The state of stateful objects saved on the nftables service stop.
+include "/var/lib/nftables/*.nft"
+
+# Rules
+include "/etc/nftables.d/*.nft"
+EOF
+
 rc-service nftables start

services/firewall/rules.nft

@@ -1,3 +1,4 @@
+#!/usr/sbin/nft -f
 flush ruleset
 
 define wan = eth0
@@ -36,16 +37,10 @@ define icmpv6_slaac = {
 define lan_clients = { 10.0.0.3 }
 
 table inet firewall {
-  # chain prerouting {
-  #   type nat hook prerouting priority 0;
-  #   # Example of port forwarding HTTP (80) from specific LAN clients to a local server
-  #   ip saddr 10.0.0.4 ip daddr $self tcp dport 80 dnat to $self:9999
-  # }
-
   chain postrouting {
     type nat hook postrouting priority 100;
 
-    # Masquerade WireGuard VPN traffic to LAN subnet
+    # Masquerade WireGuard VPN WAN traffic to LAN subnet
     oifname $wan ip saddr $vpn_net masquerade
   }
 
@@ -71,12 +66,11 @@ table inet firewall {
     ip saddr $lan_net tcp dport 22 accept                 # Allow SSH from LAN network
 
     # AdGuard admin access (8888) only from LAN and VPN
-    ip saddr $lan_net tcp dport 8888 accept
+    ip saddr { $lan_net, $vpn_net } tcp dport 8888 accept
-    ip saddr $vpn_net tcp dport 8888 accept
 
-    # AdGuard DNS, DHCP, DoT, DoQ ports only from LAN
+    # AdGuard DNS, DHCP, DoT, DoQ ports only from LAN and VPN
-    ip saddr $lan_net udp dport { 53, 67, 68, 784 } accept
+    ip saddr { $lan_net, $vpn_net}  udp dport { 53, 67, 68, 784 } accept
-    ip saddr $lan_net tcp dport { 53, 853 } accept
+    ip saddr { $lan_net, $vpn_net} tcp dport { 53, 853 } accept
 
     # Rules for WAN interface only
     iifname $wan udp dport 51820 accept                   # Allow Wireguard incoming from WAN

services/firewall/update.sh

@@ -2,4 +2,4 @@
 ln -sf ./rules.nft /etc/nftables.d/firewall.nft
 
 echo "Reloading firewall rules..."
-nft -f /etc/nftables.d/firewall.nft
+nft -f /etc/nftables.nft

services/ssh/update.sh

@@ -1,2 +1,6 @@
 #!/bin/sh
-ln -sf ./sshd_config /etc/ssh/sshd_config
+ln -sf ./sshd_config /etc/ssh/sshd_config
+
+if [ "$1" = "reload" ]; then
+  rc-service sshd restart
+fi

services/wireguard/add_client.sh

@@ -30,6 +30,7 @@ cat <<EOF > /etc/wireguard/clients/$CLIENT_NAME.conf
 [Interface]
 Address = $NEXT_IP/24
 PrivateKey = $(cat /etc/wireguard/clients/keys/$CLIENT_NAME.priv.key)
+DNS = 10.0.0.1 # DNS via the VPN
 
 # $CLIENT_NAME configuration
 [Peer]

services/wireguard/install.sh

@@ -12,6 +12,7 @@ cat <<EOF > /etc/wireguard/wg0.conf
 PrivateKey = $(cat /etc/wireguard/server_priv.key)
 Address = 10.0.0.1/24 # Server has IP in the wg network
 ListenPort = 51820
+DNS = 192.168.2.22    # AdGuard DNS server IP
 EOF
 
 # Enable IP forwarding, persistent

services/wireguard/update.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+if [ "$1" = "reload" ]; then
+  rc-service wg-quick.wg0 restart
+fi

update.sh

@@ -17,7 +17,7 @@ for service in "./services"/*/; do
 
   # Run update.sh if present
   if [ -f "update.sh" ]; then
-    source ./update.sh
+    source ./update.sh "$1"
   fi
 
   # Symlink all caddy configs