diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000..879acf0 Binary files /dev/null and b/.DS_Store differ diff --git a/SETUP-WORKSTATION.md b/SETUP-WORKSTATION.md index d8a369b..c6613a6 100644 --- a/SETUP-WORKSTATION.md +++ b/SETUP-WORKSTATION.md @@ -2,4 +2,5 @@ chronyd takes care of keeping the system clock in sync. When the system boots, chronyd will block start-up until it has resolved the time. This is useful on systems without a hardware clock (to avoid the system booting as 1970-01-01), but annoying for this setup. -This behaviour can be disabled by editing /etc/conf.d/chronyd and setting FAST_STARTUP=yes. \ No newline at end of file +This behaviour can be disabled by editing /etc/conf.d/chronyd and setting FAST_STARTUP=yes. + diff --git a/install.sh b/install.sh index 7dae1a3..69078f9 100755 --- a/install.sh +++ b/install.sh @@ -18,5 +18,5 @@ source ./firewall.sh cd "$base_dir" -# Run update script -source ./update.sh \ No newline at end of file +# Run update script with install argument to set up services +source ./update.sh install \ No newline at end of file diff --git a/installation/podman.sh b/installation/podman.sh index 6a16ee0..9ec117d 100644 --- a/installation/podman.sh +++ b/installation/podman.sh @@ -24,5 +24,6 @@ EOF chmod +x /etc/local.d/mount-rshared.start -# Allow ports >= 53 to be rootless bound -sysctl net.ipv4.ip_unprivileged_port_start=53 \ No newline at end of file +# Allow ports >= 53 to be rootless bound, persistent +echo "net.ipv4.ip_unprivileged_port_start=53" >> /etc/sysctl.d/podman.conf +sysctl -p /etc/sysctl.d/podman.conf \ No newline at end of file diff --git a/services/basic/global.policy.json b/services/basic/global.policy.json index 2198fe0..a58c8a6 100644 --- a/services/basic/global.policy.json +++ b/services/basic/global.policy.json 
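Review bot: `source ./update.sh install` in install.sh depends on the shell handing extra words to a sourced file as its positional parameters, which bash and (as far as I can tell) busybox ash do but POSIX `.` leaves unspecified, and install.sh's shebang lies above the hunk so I cannot confirm which interpreter runs it. A mode variable is unambiguous under any shell, e.g. `INSTALL_MODE=install` on the line before `source ./update.sh`, with update.sh testing `"$INSTALL_MODE"` rather than `$1`. The earlier part of install.sh is outside the hunk.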
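Review bot: `echo "net.ipv4.ip_unprivileged_port_start=53" >> /etc/sysctl.d/podman.conf` in installation/podman.sh appends a fresh copy of the line every time the installer runs, so a second run leaves duplicate entries in the drop-in file. The file holds only this one setting, so overwriting it is the idempotent form: `echo "net.ipv4.ip_unprivileged_port_start=53" > /etc/sysctl.d/podman.conf`. The same append pattern appears in services/openvpn/install.sh for /etc/sysctl.d/ip_forward.conf and /etc/modules-load.d/tun.conf and should be fixed the same way there. Neither `sysctl -p` call checks its status, so a rejected key would go unnoticed; `sysctl -p /etc/sysctl.d/podman.conf || echo "sysctl failed" >&2` would at least surface it.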
@@ -1,11 +1,16 @@
 {
 "description": "Restrict all internet access",
- "variable": { "internet_if": "eth0" },
 "zone": {
- "internet": { "iface": "$internet_if" }
+ "WAN": { "iface": "eth0" },
+ "LAN": { "iface": "eth1" },
+ "VPN": { "iface": "tun+" }
 },
 "policy": [
- { "in": "internet", "action": "drop" },
+ { "in": "VPN", "action": "accept" },
+ { "out": "VPN", "action": "accept" },
+ { "in": "LAN", "action": "accept" },
+ { "out": "LAN", "action": "accept" },
+ { "in": "WAN", "action": "drop" },
 { "action": "reject" }
 ]
 }
\ No newline at end of file
diff --git a/services/basic/icmp.policy.json b/services/basic/icmp.policy.json
index 3d3370c..1436f7e 100644
--- a/services/basic/icmp.policy.json
+++ b/services/basic/icmp.policy.json
@@ -2,7 +2,8 @@
 "description": "Allow ping-pong",
 "filter": [
 {
- "in": "internet",
+ "in": "WAN",
+ "out": "_fw",
 "service": "ping",
 "action": "accept",
 "flow-limit": { "count": 10, "interval": 6 }
diff --git a/services/basic/outgoing.policy.json b/services/basic/outgoing.policy.json
index 82cd1e3..1e45c66 100644
--- a/services/basic/outgoing.policy.json
+++ b/services/basic/outgoing.policy.json
@@ -3,7 +3,7 @@
 "filter": [
 {
 "in": "_fw",
- "out": "internet",
+ "out": "WAN",
 "service": ["http", "https", "dns", "ssh", "ntp", "ping"],
 "action": "accept"
 }
diff --git a/services/caddy/http.policy.json b/services/caddy/http.policy.json
index 24ffb7f..0e6626d 100644
--- a/services/caddy/http.policy.json
+++ b/services/caddy/http.policy.json
@@ -2,7 +2,7 @@
 "description": "Allow incoming http (TCP 80 & 443) ports",
 "filter": [
 {
- "in": "internet",
+ "in": "WAN",
 "out": "_fw",
 "service": ["http", "https"],
 "action": "accept"
diff --git a/services/openvpn/config/openvpn.conf b/services/openvpn/config/openvpn.conf
new file mode 100644
index 0000000..e1846ef
--- /dev/null
+++ b/services/openvpn/config/openvpn.conf
@@ -0,0 +1,7 @@
+port 1194
+proto udp
+dev tun
+
+topology subnet
+
+# TODO
\ No newline at end of file
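Review bot: The new VPN zone is defined as `"iface": "tun+"`, which in iptables-style syntax matches every interface whose name starts with tun, and the zone policy then accepts all traffic in and out of it, so any other tunnel device that appears on the host would inherit the trusted-VPN rules. services/openvpn/config/openvpn.conf in this commit uses `dev tun` (dynamic numbering); pinning it to `dev tun0` there and matching `"iface": "tun0"` here keeps that trust bound to the OpenVPN interface. The retained `"description": "Restrict all internet access"` no longer describes this file, which now defines three zones with per-zone defaults; something like `"description": "Zone definitions and default per-zone policy"` would be accurate. I cannot tell from the hunk whether these zone policies also govern forwarded traffic, so whether LAN- and VPN-originated forwarding to WAN is intended by the blanket `"in": "LAN"` / `"in": "VPN"` accepts should be confirmed.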
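Review bot: services/openvpn/config/openvpn.conf ends at `# TODO` with no `server` subnet, no CA/cert/key material and no TLS settings, yet services/openvpn/update.sh links it to /etc/openvpn/openvpn.conf and services/openvpn/install.sh runs `rc-update add openvpn`, so the service is enabled at boot with a config OpenVPN cannot start from. When the TODO is filled in, `user nobody`, `group nobody`, `persist-key` and `persist-tun` drop privileges after start-up, and `tls-crypt` (or `tls-auth`) makes the daemon discard WAN packets that lack the shared key before any TLS handshake, which matters because services/openvpn/openvpn.policy.json accepts 1194/udp from WAN with no flow limit. `port 1194` and `proto udp` duplicate the values in openvpn.policy.json; a comment such as `# keep in sync with ../openvpn.policy.json` would help the next editor.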
diff --git a/services/openvpn/install.sh b/services/openvpn/install.sh
new file mode 100644
index 0000000..236f2ee
--- /dev/null
+++ b/services/openvpn/install.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+echo "Setting up OpenVPN..."
+apk add openvpn
+
+rc-update add openvpn
+modprobe tun
+echo tun >> /etc/modules-load.d/tun.conf
+
+# Enable IP forwarding, persistent
+echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/ip_forward.conf
+sysctl -p /etc/sysctl.d/ip_forward.conf
diff --git a/services/openvpn/openvpn.policy.json b/services/openvpn/openvpn.policy.json
new file mode 100644
index 0000000..c11f732
--- /dev/null
+++ b/services/openvpn/openvpn.policy.json
@@ -0,0 +1,14 @@
+{
+ "description": "Allow OpenVPN server access from the internet",
+ "service": {
+ "openvpn": { "port": 1194, "proto": "udp" }
+ },
+ "filter": [
+ {
+ "in": "WAN",
+ "out": "_fw",
+ "service": "openvpn",
+ "action": "accept"
+ }
+ ]
+}
diff --git a/services/openvpn/update.sh b/services/openvpn/update.sh
new file mode 100644
index 0000000..c2862a7
--- /dev/null
+++ b/services/openvpn/update.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+ln -sf ./config/openvpn.conf /etc/openvpn/openvpn.conf
\ No newline at end of file
diff --git a/services/ssh/ssh.policy.json b/services/ssh/ssh.policy.json
index d5c2238..98092a3 100644
--- a/services/ssh/ssh.policy.json
+++ b/services/ssh/ssh.policy.json
@@ -2,7 +2,7 @@
 "description": "Allow limited incoming SSH access (TCP/22)",
 "filter": [
 {
- "in": "internet",
+ "in": "WAN",
 "out": "_fw",
 "service": "ssh",
 "action": "accept",
diff --git a/update.sh b/update.sh
index 0f3d84d..9a17586 100644
--- a/update.sh
+++ b/update.sh
@@ -9,6 +9,11 @@ for service in "./services"/*/; do [ -d "$service" ] || continue cd "$service" || continue + # Run install.sh if installing for the first time (if $1 is "install") + if [ "$1" = "install" ] && [ -f "install.sh" ]; then + source ./install.sh + fi + + # Run update.sh if present if [ -f "update.sh" ]; then source ./update.sh
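Review bot: services/openvpn/install.sh is sourced rather than executed (update.sh in this commit runs `source ./install.sh`), so its `#!/bin/sh` shebang has no effect and the file runs in the caller's shell with whatever `set` options that shell has. None of `apk add openvpn`, `rc-update add openvpn` or `modprobe tun` has its status checked, so a failed package install still proceeds to enable the service and write the sysctl drop-in. Because the file is sourced, a guard must use `return`, not `exit`, e.g. `apk add openvpn || return 1` and `modprobe tun || return 1`. A header comment stating that the script is sourced by update.sh with the service directory as cwd would make both constraints explicit.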
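Review bot: `ln -sf ./config/openvpn.conf /etc/openvpn/openvpn.conf` in services/openvpn/update.sh creates a dangling link, because a relative symlink target is resolved against the link's own directory: the result points at /etc/openvpn/config/openvpn.conf, not at the checkout's config/openvpn.conf. update.sh has already `cd`'d into the service directory before sourcing this file, so an absolute target fixes it: `ln -sf "$PWD/config/openvpn.conf" /etc/openvpn/openvpn.conf`. As with the sibling install.sh, the `#!/bin/sh` line is inert here since the file is sourced.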
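Review bot: The new `source ./install.sh` in update.sh, like the existing `source ./update.sh`, runs each service script inside the loop's own shell, so a service script that `cd`s, `exit`s or assigns a variable the loop uses (`service`, `base_dir`) changes the remaining iterations; services/openvpn/install.sh in this commit is written as a standalone `#!/bin/sh` script, which suggests it was not authored with that in mind. If no service script needs to export state back to the loop, running them in a subshell isolates cwd and exit while still inheriting the environment and `$1`: `( . ./install.sh )`. `source` is a bash-ism and `.` the portable spelling; update.sh's shebang is outside the hunk, so whichever the file targets should be used consistently. The enclosing `for` loop begins above the hunk.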