From 7bfd6a79e94b77c9a725a31025d706cde62890d4 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Mon, 12 Feb 2024 16:57:46 +0100
Subject: [PATCH] Initial commit
---
.woodpecker.yml | 20 +++++++
Dockerfile | 15 +++++
firewall.sh | 3 +
nftables.conf | 36 ++++++++++++
nftables.nft | 149 ++++++++++++++++++++++++++++++++++++++++++++++++
nginx.conf | 108 +++++++++++++++++++++++++++++++++++
6 files changed, 331 insertions(+)
create mode 100644 .woodpecker.yml
create mode 100644 Dockerfile
create mode 100644 firewall.sh
create mode 100644 nftables.conf
create mode 100644 nftables.nft
create mode 100644 nginx.conf
diff --git a/.woodpecker.yml b/.woodpecker.yml
new file mode 100644
index 0000000..10dfa6e
--- /dev/null
+++ b/.woodpecker.yml
@@ -0,0 +1,20 @@
+---
+when:
+ event:
+ exclude:
+ - pull_request
+
+labels:
+ platform: linux/aarch64
+
+steps:
+ docker-build-and-publish:
+ image: plugins/docker
+ settings:
+ registry: registry.nemunai.re
+ repo: registry.nemunai.re/hubdmz
+ auto_tag: true
+ username:
+ from_secret: docker_username
+ password:
+ from_secret: docker_password
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..7521e71
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,15 @@
+FROM alpine AS dhparams
+
+RUN apk add --no-cache openssl && \
+ openssl dhparam -out /etc/ssl/dh4096.pem 4096
+
+
+FROM nginx:stable-alpine
+
+RUN apk add --no-cache nftables nftables-openrc
+
+COPY --from=dhparams /etc/ssl/dh4096.pem /etc/nginx/dh4096.pem
+ADD firewall.sh /docker-entrypoint.d/05-firewall.sh
+ADD nftables.conf /etc/conf.d/nftables
+ADD nftables.nft /etc/nftables.nft
+ADD nginx.conf /etc/nginx/nginx.conf
diff --git a/firewall.sh b/firewall.sh
new file mode 100644
index 0000000..473a0c7
--- /dev/null
+++ b/firewall.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/etc/init.d/nftables start
diff --git a/nftables.conf b/nftables.conf
new file mode 100644
index 0000000..ef61ab1
--- /dev/null
+++ b/nftables.conf
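Review bot: `image: plugins/docker` in the docker-build-and-publish step is an unpinned reference, so the step that is handed the registry credentials (`docker_username`/`docker_password` via `from_secret`) runs whatever that tag resolves to at build time. Pin the plugin to a release tag or, better, a digest (`image: plugins/docker@sha256:<digest-placeholder>`) so a change in the upstream image cannot silently alter what publishes to `registry.nemunai.re/hubdmz`.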
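Review bot: `ADD firewall.sh /docker-entrypoint.d/05-firewall.sh` keeps the mode the file has in the repository, which this patch records as `create mode 100644 firewall.sh`; the nginx image's entrypoint only runs `*.sh` files in `/docker-entrypoint.d/` when they are executable and otherwise logs that it ignores them, so the ruleset would never be loaded and nginx would start with no firewall at all. Make the mode explicit, `COPY --chmod=0755 firewall.sh /docker-entrypoint.d/05-firewall.sh` (or add a `RUN chmod +x /docker-entrypoint.d/05-firewall.sh`), and use `COPY` rather than `ADD` for the three other local files since `ADD`'s URL and tar-extraction behaviour is not wanted here. Both base images (`alpine`, `nginx:stable-alpine`) are mutable tags; pinning them by digest would make the published image reproducible. Loading nftables rules from inside the container presumably also needs the container to run with `NET_ADMIN`, which is worth stating in a comment next to the `nftables` install line so the requirement is not discovered at runtime.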
@@ -0,0 +1,36 @@
+# Configuration for /etc/init.d/nftables
+
+# Location of the nftables rules file to load on the service start.
+#rules_file="/etc/nftables.nft"
+
+# Whether to save the state of stateful objects (or full ruleset, see
+# $save_objects) on the service stopping.
+#save_on_stop="no"
+
+# File path where to save the nftables state on the service stopping.
+# Defaults to $rules_file if $save_objects is "ruleset".
+#save_file="/var/lib/nftables/state.nft"
+
+# A space-separated list of stateful objects to save on the service stop.
+#
+# If you want to save the full ruleset, set it to "ruleset" (that's the default
+# value, for backward compatibility). Please note that this is discouraged;
+# it's highly recommended to write nftable rules by hand and organize them in
+# files /etc/nftables.d/.nft (included by /etc/nftables.nft).
+save_objects="counters limits quotas"
+
+# Options to pass to nft on save.
+#save_options=""
+
+# Enable IPv4/IPv6 forwarding with the rules?
+# Note: If you want to enable forwarding only on selected interfaces,
+# keep this disabled and enable forwarding using /etc/sysctl.conf.
+enable_forwarding="yes"
+
+# If you need to log nftables messages as soon as nftables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"
diff --git a/nftables.nft b/nftables.nft
new file mode 100644
index 0000000..99f1b3f
--- /dev/null
+++ b/nftables.nft
@@ -0,0 +1,149 @@
+#!/usr/sbin/nft -f
+# vim: set ts=4 sw=4:
+# You can find examples in /usr/share/nftables/.
+
+define ra_prefix = 2a01:e0a:518:830::/64
+define ra_prefix_max = 2a01:e0a:518:830::/56
+
+define masr_prefix = 2a01:e0a:2b:2250::/64
+define masr_ouaset = 2a01:e0a:2b:2250::b
+define masr_rhakotis = 2a01:e0a:2b:2250::c
+
+define serekh_ankh_prefix = 2a01:cb05:4bd:5000::/64
+define serekh_ankh = 2a01:cb05:4bd:5000::d
+
+define serekh_prefix = fd42:507b:9d4d:71ea::/64
+
+define logger_host = geb.ra.nemunai.re
+define ntp_host = geb.ra.nemunai.re
+
+# Clear all prior state
+flush ruleset
+
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority 0; policy accept;
+ ip daddr 82.64.151.41 tcp dport ssh dnat 192.168.0.52:22
+ ip daddr 82.64.151.41 tcp dport imaps dnat 192.168.0.3:imaps
+ ip daddr 82.64.151.41 tcp dport pop3s dnat 192.168.0.3:pop3s
+ ip daddr 82.64.151.41 tcp dport 2772 dnat 192.168.0.250:2772
+ ip daddr 192.168.0.2 tcp dport 2772 dnat 192.168.0.250:2772
+ ip daddr 82.64.151.41 tcp dport 3478 dnat 192.168.0.54:3478
+ ip daddr 82.64.151.41 udp dport 3478 dnat 192.168.0.54:3478
+ ip daddr 82.64.151.41 tcp dport 6224 dnat 192.168.0.4:22
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 0; policy accept;
+ ip daddr 192.168.0.52 tcp dport ssh masquerade
+ ip daddr 192.168.0.4 tcp dport imaps masquerade
+ ip daddr 192.168.0.250 tcp dport 2772 masquerade
+ ip daddr 192.168.0.54 tcp dport 3478 masquerade
+ ip daddr 192.168.0.54 udp dport 3478 masquerade
+ ip daddr 192.168.0.4 tcp dport ssh masquerade
+ }
+}
+
+table ip6 nat {
+ chain prerouting {
+ type nat hook prerouting priority 0; policy accept;
+ #tcp dport ssh dnat sekhmet2.ra.nemunai.re:22
+ #tcp dport 8448 dnat rhakotis.masr.nemunai.re:8448
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 0; policy accept;
+ ip6 daddr sekhmet2.ra.nemunai.re tcp dport 22 masquerade
+ #ip6 daddr rhakotis.masr.nemunai.re tcp dport 8448 masquerade
+ }
+}
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+
+ iifname lo accept \
+ comment "Accept any localhost traffic"
+
+ ct state { established, related } accept \
+ comment "Accept traffic originated from us"
+
+ ct state invalid drop \
+ comment "Drop invalid connections"
+
+ tcp dport 113 reject with icmpx type port-unreachable \
+ comment "Reject AUTH to make it fail fast"
+
+ # ICMPv4
+
+ ip protocol icmp icmp type {
+ echo-reply, # type 0
+ destination-unreachable, # type 3
+ echo-request, # type 8
+ time-exceeded, # type 11
+ parameter-problem, # type 12
+ } accept \
+ comment "Accept ICMP"
+
+ # ICMPv6
+
+ ip6 nexthdr icmpv6 icmpv6 type {
+ destination-unreachable, # type 1
+ packet-too-big, # type 2
+ time-exceeded, # type 3
+ parameter-problem, # type 4
+ echo-request, # type 128
+ echo-reply, # type 129
+ } accept \
+ comment "Accept basic IPv6 functionality"
+
+ ip6 nexthdr icmpv6 icmpv6 type {
+ nd-router-solicit, # type 133
+ nd-router-advert, # type 134
+ nd-neighbor-solicit, # type 135
+ nd-neighbor-advert, # type 136
+ } ip6 hoplimit 255 accept \
+ comment "Allow IPv6 SLAAC"
+
+ ip6 nexthdr icmpv6 icmpv6 type {
+ mld-listener-query, # type 130
+ mld-listener-report, # type 131
+ mld-listener-reduction, # type 132
+ mld2-listener-report, # type 143
+ } ip6 saddr fe80::/10 accept \
+ comment "Allow IPv6 multicast listener discovery on link-local"
+
+ ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \
+ comment "Accept DHCPv6 replies from IPv6 link-local addresses"
+
+ udp sport domain accept
+ udp dport domain accept
+
+ counter log prefix "Filtered INPUT "
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ ct state invalid counter log prefix "Filtered INVALID FORWARD " drop
+ ct state { established, related } accept
+
+ ip daddr . tcp dport { \
+ 192.168.0.52 . ssh, \
+ 192.168.0.3 . imaps, \
+ 192.168.0.52 . 3478, \
+ 192.168.0.4 . ssh \
+ } accept
+
+ counter log prefix "Filtered FORWARD "
+ }
+
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
+
+# The state of stateful objects saved on the nftables service stop.
+include "/var/lib/nftables/*.nft"
+
+# Rules
+include "/etc/nftables.d/*.nft"
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..62b7913
--- /dev/null
+++ b/nginx.conf
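Review bot: The three tables disagree about the DNAT targets, so several of the port-forwards cannot work under the forward chain's `policy drop`: prerouting sends imaps and pop3s to 192.168.0.3, but the forward set lists only `192.168.0.3 . imaps` and postrouting masquerades `ip daddr 192.168.0.4 tcp dport imaps`; 3478 is DNATed (tcp and udp) to 192.168.0.54 while the forward set allows `192.168.0.52 . 3478` and covers tcp only; and nothing in the forward chain admits the 2772 forward to 192.168.0.250. Reconcile the forward set and the postrouting rules against the prerouting chain and remove the masquerade entries for flows that are never DNATed, otherwise the mismatched flows only show up as `counter log prefix "Filtered FORWARD "` hits. In the input chain, `udp sport domain accept` admits any UDP datagram whose source port happens to be 53 regardless of connection state; the `ct state { established, related } accept` rule above already passes replies to the host's own DNS queries, so that line can be dropped. Nothing visible in the input chain accepts tcp 80/443 for the nginx that ships in this image, so unless `/etc/nftables.d/*.nft` supplies those rules, client traffic is dropped and logged under `"Filtered INPUT "`. The hostname in `ip6 daddr sekhmet2.ra.nemunai.re tcp dport 22 masquerade` is resolved once when the ruleset is loaded, which ties firewall start-up to DNS being reachable at that moment; a literal address (the file already uses `define` for its other addresses) avoids that dependency.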
@@ -0,0 +1,108 @@
+# /etc/nginx/nginx.conf
+
+user nginx;
+
+# Set number of worker processes automatically based on number of CPU cores.
+worker_processes auto;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Configures default error logger.
+error_log /var/log/nginx/error.log warn;
+
+# Includes files with directives to load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+# Include files with config snippets into the root context.
+include /etc/nginx/conf.d/*.conf;
+
+events {
+ # The maximum number of simultaneous connections that can be opened by
+ # a worker process.
+ worker_connections 1024;
+}
+
+http {
+# BEGIN ANSIBLE MANAGED BLOCK storage_nemunaire
+upstream storage_nemunaire {
+ server storage0.nemunai.re:9000;
+ server storage1.nemunai.re:9000 backup;
+}
+# END ANSIBLE MANAGED BLOCK storage_nemunaire
+ # Includes mapping of file name extensions to MIME types of responses
+ # and defines the default type.
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Name servers used to resolve names of upstream servers into addresses.
+ # It's also needed when using tcpsocket and udpsocket in Lua modules.
+ #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
+
+ # Don't tell nginx version to the clients. Default is 'on'.
+ server_tokens off;
+
+ # Specifies the maximum accepted body size of a client request, as
+ # indicated by the request header Content-Length. If the stated content
+ # length is greater than this size, then the client receives the HTTP
+ # error code 413. Set to 0 to disable. Default is '1m'.
+ client_max_body_size 1m;
+
+ # Sendfile copies data between one FD and other from within the kernel,
+ # which is more efficient than read() + write(). Default is off.
+ sendfile on;
+
+ # Causes nginx to attempt to send its HTTP response head in one packet,
+ # instead of using partial frames. Default is 'off'.
+ tcp_nopush on;
+
+
+ # Enables the specified protocols. Default is TLSv1 TLSv1.1 TLSv1.2.
+ # TIP: If you're not obligated to support ancient clients, remove TLSv1.1.
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # Path of the file with Diffie-Hellman parameters for EDH ciphers.
+ # TIP: Generate with: `openssl dhparam -out /etc/ssl/nginx/dh2048.pem 2048`
+ ssl_dhparam /etc/nginx/dh4096.pem;
+
+ # Specifies that our cipher suits should be preferred over client ciphers.
+ # Default is 'off'.
+ ssl_prefer_server_ciphers on;
+
+ # Enables a shared SSL cache with size that can hold around 8000 sessions.
+ # Default is 'none'.
+ ssl_session_cache shared:SSL:2m;
+
+ # Specifies a time during which a client may reuse the session parameters.
+ # Default is '5m'.
+ ssl_session_timeout 1h;
+
+ # Disable TLS session tickets (they are insecure). Default is 'on'.
+ ssl_session_tickets off;
+
+
+ # Enable gzipping of responses.
+ #gzip on;
+
+ # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
+ gzip_vary on;
+
+
+ # Helper variable for proxying websockets.
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+
+ # Specifies the main log format.
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ # Sets the path, format, and configuration for a buffered log write.
+ access_log /var/log/nginx/access.log main;
+
+ # Includes virtual hosts configs.
+ include /etc/nginx/http.d/*.conf;
+}
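Review bot: No `ssl_ciphers` directive accompanies `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers on;`, so TLS 1.2 negotiates from nginx's built-in default list (`HIGH:!aNULL:!MD5`), which still admits plain-RSA key exchange without forward secrecy and CBC suites; since server preference is turned on, the server's own list is what decides, so add one, e.g. `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;`. The comment above `ssl_dhparam /etc/nginx/dh4096.pem;` is left over from the distribution template and tells the reader to generate `dh2048.pem 2048`, while the Dockerfile's `dhparams` stage produces the 4096-bit file; replace it with `# Generated in the dhparams build stage of the Dockerfile (4096-bit).`. The `ssl_protocols` comment's "Default is TLSv1 TLSv1.1 TLSv1.2" likewise describes older nginx releases and can be dropped now that the directive is set explicitly. Style: the Ansible-managed `upstream storage_nemunaire` block sits at column 0 inside `http {`, unlike every other directive in that context; indenting it (or moving it to an included file under `/etc/nginx/http.d/`) would keep the managed block from breaking the file's layout.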