Files
57_Wolve e23557b4fb feat(firewall): add deny-by-default host firewall (harden-firewall.sh)
Add a reusable iptables baseline that hardens hosts with ICMP + SSH
defaults and lets deployments register the ports they need. INPUT is
deny-by-default (loopback, established, ICMP, SSH on the configured port,
plus registered ports); OUTPUT stays open and FORWARD is left untouched so
Docker container networking is unaffected.
Persistence is native -- no boot hook. Rules are saved and restored by the
distro's own package (iptables/ip6tables on Alpine, iptables-persistent on
Debian, iptables-services on Alma) via the new oslib helpers
install_iptables / fw_save_cmd / fw_enable_restore. The saved ruleset
carries the INPUT->sshguard jump, so brute-force protection survives reboot
without the old sshguard-iptables hook.
A self-contained /usr/local/sbin/firewall-apply rebuilds INPUT from
declarative drop-ins under /etc/firewall/ports.d and runs the native save,
so deployments add a port without needing the repo present:
  printf '80/tcp\n443/tcp\n' > /etc/firewall/ports.d/mystack.rule
  /usr/local/sbin/firewall-apply
- SSH port read live from sshd_config (custom bastion ports just work);
  FW_SSH_SOURCE restricts the source CIDR; FW_ALLOW_PING gates echo
- harden-ssh.sh / harden-jumphost.sh install it when ENABLE_FIREWALL=1
  (default) and skip the sshguard-only hook; ENABLE_FIREWALL=0 keeps it
- cloud-init base.yml / jumphost.yml forward the toggle
- the four stack deploy.sh open_web_ports() register 80/443 via the
  firewall (ufw/firewalld kept as fallback); Docker-published ports bypass
  INPUT, so this is belt-and-braces and self-documenting
- README + cloud-init/README document the mechanism, Docker caveat, and the
  `disable` recovery path
2026-06-12 17:06:25 -05:00

62 lines
2.7 KiB
YAML

#cloud-config
#
# Jump-host (bastion) bootstrap -- Alpine, Debian, or Alma Linux.
#
# Same base steps as base.yml, but applies the bastion hardening
# (scripts/harden-jumphost.sh) instead of plain SSH hardening:
# - ssh-admins : full shell for maintenance
# - ssh-jumpers : ProxyJump only, to the JUMP_TARGETS whitelist
#
# Fill in REPO_URL, HOST, and JUMP_TARGETS, then paste as instance user-data.
# Add jumper/admin users afterwards with the installed `sshuser` tool.
#
# NOTE: harden-jumphost.sh prints a freshly generated root private key to
# stdout (-> the cloud console/serial log). Capture it there, or rely on the
# keys seeded from globals/ and ignore it.
runcmd:
- |
set -e
# ===== config =====
REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git
REPO_BRANCH=main
HOST=ssh-1 # <svc>-<n>; "ssh" is the bastion service code
BASE_DOMAIN=srvno.de
DATACENTER="Globally Everywhere"
SSH_PORT=22
ALLOWED_IP= # optional: whitelist your client IP
ENABLE_FIREWALL=1 # deny-by-default host firewall (0 to skip)
JUMP_TARGETS="10.0.0.5:22 10.0.0.6:22" # hosts jumpers may ProxyJump to
# Optional login notifications (pam_exec -> ntfy). Leave NTFY_URL empty to
# skip. NTFY_REGION defaults to the region segment of this host's FQDN.
NTFY_URL=
NTFY_TOKEN= # bearer token; empty if unauth publish
NTFY_EMAIL=
NTFY_REGION=
# ==================
# Prerequisites (OS-agnostic).
if command -v apk >/dev/null 2>&1; then apk add --no-cache bash git curl
elif command -v apt-get >/dev/null 2>&1; then apt-get update -qq && apt-get install -y -qq bash git curl
elif command -v dnf >/dev/null 2>&1; then dnf install -y -q bash git curl
fi
git clone --depth 1 --branch "$REPO_BRANCH" "$REPO_URL" /opt/automations
cd /opt/automations
# Hostname + shared MOTD.
HOST="$HOST" BASE_DOMAIN="$BASE_DOMAIN" DATACENTER="$DATACENTER" bash scripts/setup-host.sh
# Seed root's (ssh-admins) authorized_keys from globals/.
. scripts/lib.sh && load_globals \
&& install -d -m 700 /root/.ssh \
&& resolve_ssh_keys >> /root/.ssh/authorized_keys || true
sort -u /root/.ssh/authorized_keys -o /root/.ssh/authorized_keys 2>/dev/null || true
# Bastion hardening (admins shell + jumpers ProxyJump whitelist + optional
# login notifications).
SSH_PORT="$SSH_PORT" ALLOWED_IP="$ALLOWED_IP" JUMP_TARGETS="$JUMP_TARGETS" \
ENABLE_FIREWALL="$ENABLE_FIREWALL" \
NTFY_URL="$NTFY_URL" NTFY_TOKEN="$NTFY_TOKEN" NTFY_EMAIL="$NTFY_EMAIL" NTFY_REGION="$NTFY_REGION" \
FORCE=1 bash scripts/harden-jumphost.sh