e23557b4fb
Add a reusable iptables baseline that hardens hosts with ICMP + SSH defaults and lets deployments register the ports they need. INPUT is deny-by-default (loopback, established, ICMP, SSH on the configured port, plus registered ports); OUTPUT stays open and FORWARD is left untouched so Docker container networking is unaffected. Persistence is native -- no boot hook. Rules are saved and restored by the distro's own package (iptables/ip6tables on Alpine, iptables-persistent on Debian, iptables-services on Alma) via the new oslib helpers install_iptables / fw_save_cmd / fw_enable_restore. The saved ruleset carries the INPUT->sshguard jump, so brute-force protection survives reboot without the old sshguard-iptables hook. A self-contained /usr/local/sbin/firewall-apply rebuilds INPUT from declarative drop-ins under /etc/firewall/ports.d and runs the native save, so deployments add a port without needing the repo present: printf '80/tcp\n443/tcp\n' > /etc/firewall/ports.d/mystack.rule /usr/local/sbin/firewall-apply - SSH port read live from sshd_config (custom bastion ports just work); FW_SSH_SOURCE restricts the source CIDR; FW_ALLOW_PING gates echo - harden-ssh.sh / harden-jumphost.sh install it when ENABLE_FIREWALL=1 (default) and skip the sshguard-only hook; ENABLE_FIREWALL=0 keeps it - cloud-init base.yml / jumphost.yml forward the toggle - the four stack deploy.sh open_web_ports() register 80/443 via the firewall (ufw/firewalld kept as fallback); Docker-published ports bypass INPUT, so this is belt-and-braces and self-documenting - README + cloud-init/README document the mechanism, Docker caveat, and the `disable` recovery path
31 lines
1.7 KiB
Markdown
31 lines
1.7 KiB
Markdown
# cloud-init/
|
|
|
|
Generic, distro-agnostic cloud-init templates for standing up a **base host**
|
|
or a **bastion** from scratch. They run on Alpine, Debian, or Alma — the
|
|
runcmd prelude detects the package manager and installs `bash`/`git`/`curl`
|
|
before invoking the scripts.
|
|
|
|
| Template | What it does |
|
|
|----------|--------------|
|
|
| [`base.yml`](base.yml) | Hostname (per the schema) + shared MOTD + seed root keys from `globals/` + SSH hardening (`harden-ssh.sh`) + deny-by-default host firewall (`harden-firewall.sh`, `ENABLE_FIREWALL=1`). |
|
|
| [`jumphost.yml`](jumphost.yml) | Same base, but bastion hardening (`harden-jumphost.sh`) with an `ssh-admins`/`ssh-jumpers` split and a ProxyJump whitelist; same host firewall. |
|
|
|
|
These are for the **host itself**. To stand up a Docker stack on a host,
|
|
use the per-deployment `cloud-init.yml` under `deployments/<name>/` instead
|
|
(those clone the repo and run the stack's `deploy.sh`).
|
|
|
|
## Usage
|
|
|
|
1. Copy the template, fill in `REPO_URL`, `HOST` (`<svc>-<n>`, e.g. `sto-1`),
|
|
and the other values at the top of the `runcmd` block.
|
|
2. Paste it as the instance's **user-data** when creating the VM.
|
|
3. On first boot the host names itself, installs the MOTD, seeds admin keys
|
|
from `globals/`, hardens SSH, and brings up the deny-by-default firewall.
|
|
|
|
Hostnames follow [`../globals/Network Domain Name Schema.md`](../globals/Network%20Domain%20Name%20Schema.md);
|
|
our VMs skip the region code and use `srvno.de` as the base.
|
|
|
|
> The harden scripts print a generated root private key to stdout, which lands
|
|
> in the cloud provider's serial/console log. Capture it there, or rely on the
|
|
> keys seeded from `globals/authorized_keys` (or `SSH_KEYS_URL`) and ignore it.
|