Files
57_Wolve e23557b4fb feat(firewall): add deny-by-default host firewall (harden-firewall.sh)
Add a reusable iptables baseline that hardens hosts with ICMP + SSH
defaults and lets deployments register the ports they need. INPUT is
deny-by-default (loopback, established, ICMP, SSH on the configured port,
plus registered ports); OUTPUT stays open and FORWARD is left untouched so
Docker container networking is unaffected.
Persistence is native -- no boot hook. Rules are saved and restored by the
distro's own package (iptables/ip6tables on Alpine, iptables-persistent on
Debian, iptables-services on Alma) via the new oslib helpers
install_iptables / fw_save_cmd / fw_enable_restore. The saved ruleset
carries the INPUT->sshguard jump, so brute-force protection survives reboot
without the old sshguard-iptables hook.
A self-contained /usr/local/sbin/firewall-apply rebuilds INPUT from
declarative drop-ins under /etc/firewall/ports.d and runs the native save,
so deployments add a port without needing the repo present:
  printf '80/tcp\n443/tcp\n' > /etc/firewall/ports.d/mystack.rule
  /usr/local/sbin/firewall-apply
- SSH port read live from sshd_config (custom bastion ports just work);
  FW_SSH_SOURCE restricts the source CIDR; FW_ALLOW_PING gates echo
- harden-ssh.sh / harden-jumphost.sh install it when ENABLE_FIREWALL=1
  (default) and skip the sshguard-only hook; ENABLE_FIREWALL=0 keeps it
- cloud-init base.yml / jumphost.yml forward the toggle
- the four stack deploy.sh open_web_ports() register 80/443 via the
  firewall (ufw/firewalld kept as fallback); Docker-published ports bypass
  INPUT, so this is belt-and-braces and self-documenting
- README + cloud-init/README document the mechanism, Docker caveat, and the
  `disable` recovery path
2026-06-12 17:06:25 -05:00
..

webfinger

A single Caddy container that serves /.well-known/webfinger at an apex domain (for OIDC issuer discovery — used by Tailscale and others) and 301-redirects everything else to a target URL.

Required .env values

Variable Notes
BASE_DOMAIN Apex domain to serve from (e.g. example.com).
ISSUER_URL OIDC issuer for the WebFinger response (your pocket-id).
REDIRECT_URL Where non-WebFinger traffic is redirected (path + query preserved).
ACME_EMAIL Let's Encrypt registration email.

See .env.example.

Deploy

./automations.sh        # Deploy on this host → deploy: webfinger

Or build + run the self-contained artifact:

./build.sh
scp deploy.sh root@host:
ssh root@host 'bash deploy.sh'
# non-interactive:
#   BASE_DOMAIN=example.com ISSUER_URL=https://auth.example.com \
#   REDIRECT_URL=https://example.org ACME_EMAIL=me@example.com SKIP_PROMPTS=1 bash deploy.sh

Unattended provisioning: cloud-init.yml.

Notes

  • Standalone: binds 80/443 itself, so don't co-locate with another stack that wants those ports.
  • DNS for BASE_DOMAIN must resolve to the host and 80/443 be reachable before deploy.