e23557b4fb
Add a reusable iptables baseline that hardens hosts with ICMP + SSH defaults and lets deployments register the ports they need. INPUT is deny-by-default (loopback, established, ICMP, SSH on the configured port, plus registered ports); OUTPUT stays open and FORWARD is left untouched so Docker container networking is unaffected. Persistence is native -- no boot hook. Rules are saved and restored by the distro's own package (iptables/ip6tables on Alpine, iptables-persistent on Debian, iptables-services on Alma) via the new oslib helpers install_iptables / fw_save_cmd / fw_enable_restore. The saved ruleset carries the INPUT->sshguard jump, so brute-force protection survives reboot without the old sshguard-iptables hook. A self-contained /usr/local/sbin/firewall-apply rebuilds INPUT from declarative drop-ins under /etc/firewall/ports.d and runs the native save, so deployments add a port without needing the repo present: printf '80/tcp\n443/tcp\n' > /etc/firewall/ports.d/mystack.rule /usr/local/sbin/firewall-apply - SSH port read live from sshd_config (custom bastion ports just work); FW_SSH_SOURCE restricts the source CIDR; FW_ALLOW_PING gates echo - harden-ssh.sh / harden-jumphost.sh install it when ENABLE_FIREWALL=1 (default) and skip the sshguard-only hook; ENABLE_FIREWALL=0 keeps it - cloud-init base.yml / jumphost.yml forward the toggle - the four stack deploy.sh open_web_ports() register 80/443 via the firewall (ufw/firewalld kept as fallback); Docker-published ports bypass INPUT, so this is belt-and-braces and self-documenting - README + cloud-init/README document the mechanism, Docker caveat, and the `disable` recovery path
62 lines
2.7 KiB
YAML
62 lines
2.7 KiB
YAML
#cloud-config
|
|
#
|
|
# Jump-host (bastion) bootstrap -- Alpine, Debian, or Alma Linux.
|
|
#
|
|
# Same base steps as base.yml, but applies the bastion hardening
|
|
# (scripts/harden-jumphost.sh) instead of plain SSH hardening:
|
|
# - ssh-admins : full shell for maintenance
|
|
# - ssh-jumpers : ProxyJump only, to the JUMP_TARGETS whitelist
|
|
#
|
|
# Fill in REPO_URL, HOST, and JUMP_TARGETS, then paste as instance user-data.
|
|
# Add jumper/admin users afterwards with the installed `sshuser` tool.
|
|
#
|
|
# NOTE: harden-jumphost.sh prints a freshly generated root private key to
|
|
# stdout (-> the cloud console/serial log). Capture it there, or rely on the
|
|
# keys seeded from globals/ and ignore it.
|
|
|
|
runcmd:
|
|
- |
|
|
set -e
|
|
# ===== config =====
|
|
REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git
|
|
REPO_BRANCH=main
|
|
HOST=ssh-1 # <svc>-<n>; "ssh" is the bastion service code
|
|
BASE_DOMAIN=srvno.de
|
|
DATACENTER="Globally Everywhere"
|
|
SSH_PORT=22
|
|
ALLOWED_IP= # optional: whitelist your client IP
|
|
ENABLE_FIREWALL=1 # deny-by-default host firewall (0 to skip)
|
|
JUMP_TARGETS="10.0.0.5:22 10.0.0.6:22" # hosts jumpers may ProxyJump to
|
|
# Optional login notifications (pam_exec -> ntfy). Leave NTFY_URL empty to
|
|
# skip. NTFY_REGION defaults to the region segment of this host's FQDN.
|
|
NTFY_URL=
|
|
NTFY_TOKEN= # bearer token; empty if unauth publish
|
|
NTFY_EMAIL=
|
|
NTFY_REGION=
|
|
# ==================
|
|
|
|
# Prerequisites (OS-agnostic).
|
|
if command -v apk >/dev/null 2>&1; then apk add --no-cache bash git curl
|
|
elif command -v apt-get >/dev/null 2>&1; then apt-get update -qq && apt-get install -y -qq bash git curl
|
|
elif command -v dnf >/dev/null 2>&1; then dnf install -y -q bash git curl
|
|
fi
|
|
|
|
git clone --depth 1 --branch "$REPO_BRANCH" "$REPO_URL" /opt/automations
|
|
cd /opt/automations
|
|
|
|
# Hostname + shared MOTD.
|
|
HOST="$HOST" BASE_DOMAIN="$BASE_DOMAIN" DATACENTER="$DATACENTER" bash scripts/setup-host.sh
|
|
|
|
# Seed root's (ssh-admins) authorized_keys from globals/.
|
|
. scripts/lib.sh && load_globals \
|
|
&& install -d -m 700 /root/.ssh \
|
|
&& resolve_ssh_keys >> /root/.ssh/authorized_keys || true
|
|
sort -u /root/.ssh/authorized_keys -o /root/.ssh/authorized_keys 2>/dev/null || true
|
|
|
|
# Bastion hardening (admins shell + jumpers ProxyJump whitelist + optional
|
|
# login notifications).
|
|
SSH_PORT="$SSH_PORT" ALLOWED_IP="$ALLOWED_IP" JUMP_TARGETS="$JUMP_TARGETS" \
|
|
ENABLE_FIREWALL="$ENABLE_FIREWALL" \
|
|
NTFY_URL="$NTFY_URL" NTFY_TOKEN="$NTFY_TOKEN" NTFY_EMAIL="$NTFY_EMAIL" NTFY_REGION="$NTFY_REGION" \
|
|
FORCE=1 bash scripts/harden-jumphost.sh
|