Initial commit

This commit is contained in:
nemunaire 2024-02-12 16:57:46 +01:00
commit 7bfd6a79e9
6 changed files with 331 additions and 0 deletions

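--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -0,0 +1,20 @@
+---
+when:
+event:
+exclude:
+- pull_request
+labels:
+platform: linux/aarch64
+steps:
+docker-build-and-publish:
+image: plugins/docker
+settings:
+registry: registry.nemunai.re
+repo: registry.nemunai.re/hubdmz
+auto_tag: true
+username:
+from_secret: docker_username
+password:
+from_secret: docker_password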
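Review bot: `image: plugins/docker` in the docker-build-and-publish step is unpinned, so the step that holds the registry credentials and pushes the image runs whatever the plugin registry currently serves; pin it to a tag or digest, e.g. `image: plugins/docker:<pinned-version>` (placeholder). The `when` block excludes only pull_request, so the cron pipeline visible in the status line also rebuilds and republishes with `auto_tag`; if a scheduled rebuild is intended, a one-line comment saying so would help, otherwise restrict `event` to push and tag.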

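--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,15 @@
+FROM alpine AS dhparams
+RUN apk add --no-cache openssl && \
+openssl dhparam -out /etc/ssl/dh4096.pem 4096
+FROM nginx:stable-alpine
+RUN apk add --no-cache nftables nftables-openrc
+COPY --from=dhparams /etc/ssl/dh4096.pem /etc/nginx/dh4096.pem
+ADD firewall.sh /docker-entrypoint.d/05-firewall.sh
+ADD nftables.conf /etc/conf.d/nftables
+ADD nftables.nft /etc/nftables.nft
+ADD nginx.conf /etc/nginx/nginx.conf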
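Review bot: The four `ADD` lines copy plain local files, where `COPY` is the right instruction; `ADD` additionally fetches URLs and auto-extracts archives, behaviour nobody wants for a firewall script or an nginx config. The entrypoint hook in particular should also get an explicit mode, since whether firewall.sh is committed with its executable bit is not visible here: `COPY --chmod=755 firewall.sh /docker-entrypoint.d/05-firewall.sh`. Both base images (`FROM alpine`, `FROM nginx:stable-alpine`) float as well; for an image that ships the host's packet filter, pinning them by digest keeps rebuilds reproducible.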

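--- a/firewall.sh
+++ b/firewall.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+/etc/init.d/nftables start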
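Review bot: The script gives no independent signal that the ruleset is actually in place: `/etc/init.d/nftables start` needs CAP_NET_ADMIN and an OpenRC runtime state inside the container, and how the nginx entrypoint treats a non-zero exit from a hook is not visible in this commit. Since the filter chains carry `policy drop`, a silent failure means nginx starts with no filter at all, so verify the load rather than trust the init script's status: `set -eu`, then after the start line `nft list chain inet filter input >/dev/null`. A header comment stating that the hook expects NET_ADMIN (and whichever network namespace the rules are meant for) would save the next operator a debugging session.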

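--- a/nftables.conf
+++ b/nftables.conf
@@ -0,0 +1,36 @@
+# Configuration for /etc/init.d/nftables
+# Location of the nftables rules file to load on the service start.
+#rules_file="/etc/nftables.nft"
+# Whether to save the state of stateful objects (or full ruleset, see
+# $save_objects) on the service stopping.
+#save_on_stop="no"
+# File path where to save the nftables state on the service stopping.
+# Defaults to $rules_file if $save_objects is "ruleset".
+#save_file="/var/lib/nftables/state.nft"
+# A space-separated list of stateful objects to save on the service stop.
+#
+# If you want to save the full ruleset, set it to "ruleset" (that's the default
+# value, for backward compatibility). Please note that this is discouraged;
+# it's highly recommended to write nftable rules by hand and organize them in
+# files /etc/nftables.d/<name>.nft (included by /etc/nftables.nft).
+save_objects="counters limits quotas"
+# Options to pass to nft on save.
+#save_options=""
+# Enable IPv4/IPv6 forwarding with the rules?
+# Note: If you want to enable forwarding only on selected interfaces,
+# keep this disabled and enable forwarding using /etc/sysctl.conf.
+enable_forwarding="yes"
+# If you need to log nftables messages as soon as nftables starts,
+# AND your logger does NOT depend on the network, then you may wish
+# to uncomment the next line.
+# If your logger depends on the network, and you uncomment this line
+# you will create an unresolvable circular dependency during startup.
+# After commenting or uncommenting this line, you must run 'rc-update -u'.
+#rc_use="logger"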
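Review bot: `enable_forwarding="yes"` asks the init script to flip the kernel forwarding sysctls, which from inside a container only succeeds when the runtime allows writing them (or the container shares the host network namespace); if it is denied, forwarding stays off and the DNAT rules in nftables.nft never pass traffic, with nothing in this commit reporting it. A short comment next to the line recording the expected run mode, e.g. `# Requires the container to run with a writable net.ipv4.ip_forward / net.ipv6.conf.all.forwarding (see Dockerfile)`, would make the dependency explicit. The rest of the file is the upstream template and needs no change.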

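--- a/nftables.nft
+++ b/nftables.nft
@@ -0,0 +1,149 @@
+#!/usr/sbin/nft -f
+# vim: set ts=4 sw=4:
+# You can find examples in /usr/share/nftables/.
+define ra_prefix = 2a01:e0a:518:830::/64
+define ra_prefix_max = 2a01:e0a:518:830::/56
+define masr_prefix = 2a01:e0a:2b:2250::/64
+define masr_ouaset = 2a01:e0a:2b:2250::b
+define masr_rhakotis = 2a01:e0a:2b:2250::c
+define serekh_ankh_prefix = 2a01:cb05:4bd:5000::/64
+define serekh_ankh = 2a01:cb05:4bd:5000::d
+define serekh_prefix = fd42:507b:9d4d:71ea::/64
+define logger_host = geb.ra.nemunai.re
+define ntp_host = geb.ra.nemunai.re
+# Clear all prior state
+flush ruleset
+table ip nat {
+chain prerouting {
+type nat hook prerouting priority 0; policy accept;
+ip daddr 82.64.151.41 tcp dport ssh dnat 192.168.0.52:22
+ip daddr 82.64.151.41 tcp dport imaps dnat 192.168.0.3:imaps
+ip daddr 82.64.151.41 tcp dport pop3s dnat 192.168.0.3:pop3s
+ip daddr 82.64.151.41 tcp dport 2772 dnat 192.168.0.250:2772
+ip daddr 192.168.0.2 tcp dport 2772 dnat 192.168.0.250:2772
+ip daddr 82.64.151.41 tcp dport 3478 dnat 192.168.0.54:3478
+ip daddr 82.64.151.41 udp dport 3478 dnat 192.168.0.54:3478
+ip daddr 82.64.151.41 tcp dport 6224 dnat 192.168.0.4:22
+}
+chain postrouting {
+type nat hook postrouting priority 0; policy accept;
+ip daddr 192.168.0.52 tcp dport ssh masquerade
+ip daddr 192.168.0.4 tcp dport imaps masquerade
+ip daddr 192.168.0.250 tcp dport 2772 masquerade
+ip daddr 192.168.0.54 tcp dport 3478 masquerade
+ip daddr 192.168.0.54 udp dport 3478 masquerade
+ip daddr 192.168.0.4 tcp dport ssh masquerade
+}
+}
+table ip6 nat {
+chain prerouting {
+type nat hook prerouting priority 0; policy accept;
+#tcp dport ssh dnat sekhmet2.ra.nemunai.re:22
+#tcp dport 8448 dnat rhakotis.masr.nemunai.re:8448
+}
+chain postrouting {
+type nat hook postrouting priority 0; policy accept;
+ip6 daddr sekhmet2.ra.nemunai.re tcp dport 22 masquerade
+#ip6 daddr rhakotis.masr.nemunai.re tcp dport 8448 masquerade
+}
+}
+table inet filter {
+chain input {
+type filter hook input priority 0; policy drop;
+iifname lo accept \
+comment "Accept any localhost traffic"
+ct state { established, related } accept \
+comment "Accept traffic originated from us"
+ct state invalid drop \
+comment "Drop invalid connections"
+tcp dport 113 reject with icmpx type port-unreachable \
+comment "Reject AUTH to make it fail fast"
+# ICMPv4
+ip protocol icmp icmp type {
+echo-reply, # type 0
+destination-unreachable, # type 3
+echo-request, # type 8
+time-exceeded, # type 11
+parameter-problem, # type 12
+} accept \
+comment "Accept ICMP"
+# ICMPv6
+ip6 nexthdr icmpv6 icmpv6 type {
+destination-unreachable, # type 1
+packet-too-big, # type 2
+time-exceeded, # type 3
+parameter-problem, # type 4
+echo-request, # type 128
+echo-reply, # type 129
+} accept \
+comment "Accept basic IPv6 functionality"
+ip6 nexthdr icmpv6 icmpv6 type {
+nd-router-solicit, # type 133
+nd-router-advert, # type 134
+nd-neighbor-solicit, # type 135
+nd-neighbor-advert, # type 136
+} ip6 hoplimit 255 accept \
+comment "Allow IPv6 SLAAC"
+ip6 nexthdr icmpv6 icmpv6 type {
+mld-listener-query, # type 130
+mld-listener-report, # type 131
+mld-listener-reduction, # type 132
+mld2-listener-report, # type 143
+} ip6 saddr fe80::/10 accept \
+comment "Allow IPv6 multicast listener discovery on link-local"
+ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \
+comment "Accept DHCPv6 replies from IPv6 link-local addresses"
+udp sport domain accept
+udp dport domain accept
+counter log prefix "Filtered INPUT "
+}
+chain forward {
+type filter hook forward priority 0; policy drop;
+ct state invalid counter log prefix "Filtered INVALID FORWARD " drop
+ct state { established, related } accept
+ip daddr . tcp dport { \
+192.168.0.52 . ssh, \
+192.168.0.3 . imaps, \
+192.168.0.52 . 3478, \
+192.168.0.4 . ssh \
+} accept
+counter log prefix "Filtered FORWARD "
+}
+chain output {
+type filter hook output priority 0; policy accept;
+}
+}
+# The state of stateful objects saved on the nftables service stop.
+include "/var/lib/nftables/*.nft"
+# Rules
+include "/etc/nftables.d/*.nft"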
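Review bot: The forward chain's accept set (`ip daddr . tcp dport { ... } accept`) does not cover the prerouting DNAT targets: pop3s to 192.168.0.3, 2772 to 192.168.0.250 and udp 3478 to 192.168.0.54 are rewritten and then hit `policy drop`, and `192.168.0.52 . 3478` is presumably a typo for 192.168.0.54, where tcp 3478 is actually DNATed. The postrouting chain disagrees with the same DNAT rules too (`ip daddr 192.168.0.4 tcp dport imaps masquerade` while imaps goes to 192.168.0.3, and no masquerade for pop3s); whether masquerade is needed at all depends on the return path, which is not visible here, but the two chains should name the same hosts. In the input chain, `udp sport domain accept` admits any inbound datagram whose source port happens to be 53 regardless of conntrack state; replies to this host's own DNS queries are already accepted by the `ct state { established, related }` rule above it, so the line should go, and `udp dport domain accept` is only justified if this container hosts a resolver, which nothing in the commit shows. Nothing accepts tcp 80/443 on input either, so if these rules are loaded in the namespace nginx listens in, the site itself is unreachable under `policy drop`; a comment stating which namespace the ruleset is meant for would settle that. `ip6 daddr sekhmet2.ra.nemunai.re` is resolved when the file is loaded, so an unreachable resolver at container start rejects the whole atomic load and leaves no filter at all; use a literal address or a `define` like the ones at the top of the file.
```nft
# … unchanged: ct state invalid / established,related rules …
ip daddr . tcp dport { \
192.168.0.52 . ssh, \
192.168.0.3 . imaps, \
192.168.0.3 . pop3s, \
192.168.0.250 . 2772, \
192.168.0.54 . 3478, \
192.168.0.4 . ssh \
} accept
ip daddr 192.168.0.54 udp dport 3478 accept
# … unchanged: counter log prefix "Filtered FORWARD " …
```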

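--- a/nginx.conf
+++ b/nginx.conf
@@ -0,0 +1,108 @@
+# /etc/nginx/nginx.conf
+user nginx;
+# Set number of worker processes automatically based on number of CPU cores.
+worker_processes auto;
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+# Configures default error logger.
+error_log /var/log/nginx/error.log warn;
+# Includes files with directives to load dynamic modules.
+include /etc/nginx/modules/*.conf;
+# Include files with config snippets into the root context.
+include /etc/nginx/conf.d/*.conf;
+events {
+# The maximum number of simultaneous connections that can be opened by
+# a worker process.
+worker_connections 1024;
+}
+http {
+# BEGIN ANSIBLE MANAGED BLOCK storage_nemunaire
+upstream storage_nemunaire {
+server storage0.nemunai.re:9000;
+server storage1.nemunai.re:9000 backup;
+}
+# END ANSIBLE MANAGED BLOCK storage_nemunaire
+# Includes mapping of file name extensions to MIME types of responses
+# and defines the default type.
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+# Name servers used to resolve names of upstream servers into addresses.
+# It's also needed when using tcpsocket and udpsocket in Lua modules.
+#resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
+# Don't tell nginx version to the clients. Default is 'on'.
+server_tokens off;
+# Specifies the maximum accepted body size of a client request, as
+# indicated by the request header Content-Length. If the stated content
+# length is greater than this size, then the client receives the HTTP
+# error code 413. Set to 0 to disable. Default is '1m'.
+client_max_body_size 1m;
+# Sendfile copies data between one FD and other from within the kernel,
+# which is more efficient than read() + write(). Default is off.
+sendfile on;
+# Causes nginx to attempt to send its HTTP response head in one packet,
+# instead of using partial frames. Default is 'off'.
+tcp_nopush on;
+# Enables the specified protocols. Default is TLSv1 TLSv1.1 TLSv1.2.
+# TIP: If you're not obligated to support ancient clients, remove TLSv1.1.
+ssl_protocols TLSv1.2 TLSv1.3;
+# Path of the file with Diffie-Hellman parameters for EDH ciphers.
+# TIP: Generate with: `openssl dhparam -out /etc/ssl/nginx/dh2048.pem 2048`
+ssl_dhparam /etc/nginx/dh4096.pem;
+# Specifies that our cipher suits should be preferred over client ciphers.
+# Default is 'off'.
+ssl_prefer_server_ciphers on;
+# Enables a shared SSL cache with size that can hold around 8000 sessions.
+# Default is 'none'.
+ssl_session_cache shared:SSL:2m;
+# Specifies a time during which a client may reuse the session parameters.
+# Default is '5m'.
+ssl_session_timeout 1h;
+# Disable TLS session tickets (they are insecure). Default is 'on'.
+ssl_session_tickets off;
+# Enable gzipping of responses.
+#gzip on;
+# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
+gzip_vary on;
+# Helper variable for proxying websockets.
+map $http_upgrade $connection_upgrade {
+default upgrade;
+'' close;
+}
+# Specifies the main log format.
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+# Sets the path, format, and configuration for a buffered log write.
+access_log /var/log/nginx/access.log main;
+# Includes virtual hosts configs.
+include /etc/nginx/http.d/*.conf;
+}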
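Review bot: The TIP comment above `ssl_dhparam /etc/nginx/dh4096.pem;` still describes generating a 2048-bit file at /etc/ssl/nginx/dh2048.pem, while the Dockerfile in this commit generates a 4096-bit one at build time and copies it to the path used here; replace it with `# Generated at image build time (see Dockerfile): openssl dhparam -out /etc/ssl/dh4096.pem 4096`. The `# Default is TLSv1 TLSv1.1 TLSv1.2.` line and the "remove TLSv1.1" tip are likewise stale for a config that only enables TLSv1.2/1.3. No `ssl_ciphers` directive is set, so `ssl_prefer_server_ciphers on` applies nginx's built-in list, and the DH parameters only matter if DHE suites are negotiated from that default; if the intent is a forward-secrecy-only policy, spell it out in a comment and an explicit cipher list rather than leaving it implicit.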
}