diff --git a/.pct-helpers b/.pct-helpers index e8792ac..c859ebe 100644 --- a/.pct-helpers +++ b/.pct-helpers @@ -221,6 +221,7 @@ xread(){ # # xreadYes MSG VAR # +# XXX make VAR optional... xreadYes(){ # XXX check DFL_..??? if [[ "${!2}" == "SKIP" ]] ; then @@ -252,6 +253,10 @@ xreadYes(){ fi [ $SCRIPTING ] \ && echo "$2=${!2}" + + if [ -z ${!2} ] ; then + return 1 + fi } # diff --git a/host/make.sh b/host/make.sh new file mode 100644 index 0000000..d3b33ef --- /dev/null +++ b/host/make.sh @@ -0,0 +1,53 @@ +#!/usr/bin/bash +#---------------------------------------------------------------------- + +cd $(dirname $0) +PATH=$PATH:$(dirname "$(pwd)") + + +#---------------------------------------------------------------------- + +source ../.pct-helpers + + +#---------------------------------------------------------------------- + +readConfig + + +SOFTWARE=( + make + w3m links + qrencode + htop iftop iotop + tmux +) + + +#---------------------------------------------------------------------- + +# Tools +if xreadYes "# Update system?" UPDATE ; then + @ apt update + @ apt upgrade +fi +if xreadYes "# Install additional apps?" APPS ; then + @ apt install $(SOFTWARE[@]) +fi + +# Networking +if xreadYes "# Create bridges?" BRIDGES ; then + echo +fi + +# Firewall +# XXX this should be done after the setup process... +if xreadYes "# Update firewall rules?" BRIDGES ; then + echo +fi + + + + +#---------------------------------------------------------------------- +# vim:set ts=4 sw=4 : diff --git a/host/templates/etc/firewall/cluster.fw b/host/templates/etc/firewall/cluster.fw new file mode 100644 index 0000000..1c8e892 --- /dev/null +++ b/host/templates/etc/firewall/cluster.fw 
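Review bot: The new `if [ -z ${!2} ] ; then` in the second .pct-helpers hunk leaves the indirect expansion unquoted, so a multi-word answer makes `[` fail with a "binary operator expected" error and skip the branch, while an empty value only tests true because `[ -z ]` degrades to a one-argument test; quote it as `if [[ -z "${!2}" ]] ; then`. Returning 1 on an empty answer is also a new contract for callers using `if xreadYes ...`, so the `# xreadYes MSG VAR` header touched in the first hunk should say so, e.g. `# Returns 1 if VAR ends up empty`. xreadYes's body starts outside this hunk.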
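Review bot: `@ apt install $(SOFTWARE[@])` in host/make.sh is a command substitution, not an array expansion: bash tries to run a command named `SOFTWARE[@]`, prints command-not-found and passes apt an empty package list; it should read `@ apt install "${SOFTWARE[@]}"`. The firewall prompt reuses the bridge prompt's variable (`xreadYes "# Update firewall rules?" BRIDGES`), so the second answer overwrites the first and any stored default is shared; give it its own name such as `FIREWALL`. `cd $(dirname $0)` is unquoted and the script sets no `set -e`, so a failed cd would make `source ../.pct-helpers` resolve relative to the caller's directory; `cd "$(dirname "$0")" || exit 1` avoids that. `@` appears to be a helper from .pct-helpers that is not in this diff, so how it handles the empty argument list cannot be checked here.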
@@ -0,0 +1,30 @@
+[OPTIONS]
+
+enable: 1
+
+[IPSET management]
+
+
+[RULES]
+
+IN ACCEPT -i vmbr3 -log nolog # STUB
+IN REJECT -i vmbr0 -p udp -dport 68 -sport 68 -log nolog # dhcp
+IN REJECT -i vmbr0 -p udp -dport 67 -sport 67 -log nolog # dhcp
+OUT REJECT -i vmbr0 -p udp -dport 68 -sport 68 -log nolog # dhcp
+OUT REJECT -i vmbr0 -p udp -dport 67 -sport 67 -log nolog # dhcp
+IN DHCPfwd(REJECT) -i vmbr0 -log nolog
+OUT DHCPfwd(REJECT) -i vmbr0 -log nolog
+IN DNS(ACCEPT) -i vmbr0 -log nolog
+IN Ping(ACCEPT) -i vmbr0 -log nolog
+IN SSH(ACCEPT) -i vmbr0 -log nolog
+IN OpenVPN(ACCEPT) -i vmbr0 -log nolog
+IN Web(ACCEPT) -i vmbr0 -log nolog
+IN ACCEPT -i vmbr0 -p udp -dport 22027 -log nolog # syncthing
+IN ACCEPT -i vmbr0 -p udp -dport 22000 -log nolog # syncthing
+IN ACCEPT -i vmbr0 -p tcp -dport 22000 -log nolog # syncthing
+IN SMB(ACCEPT) -i vmbr0 -log nolog
+IN Git(ACCEPT) -i vmbr0 -log nolog
+|IN Rsync(ACCEPT) -i vmbr0 -log nolog
+|IN REJECT -i vmbr0 -log nolog # ALL
+
+[group landings]
diff --git a/nextcloud/make.sh b/nextcloud/make.sh
index 9dceaa9..96cb957 100755
--- a/nextcloud/make.sh
+++ b/nextcloud/make.sh
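Review bot: The catch-all `|IN REJECT -i vmbr0 -log nolog # ALL` is committed disabled (leading `|`), so input on vmbr0 that matches none of the rules above falls through to the cluster-wide input policy, which `[OPTIONS]` does not set; either enable the rule or add an explicit `policy_in:` line so the effective default is visible in the file. `[IPSET management]` is declared but left empty and no rule references it, while SSH, Web, SMB and Git are accepted from any source on vmbr0; once the set is populated, `IN SSH(ACCEPT) -source +management -i vmbr0 -log nolog` would confine the admin-only services to it. `IN ACCEPT -i vmbr3 -log nolog # STUB` accepts all input on vmbr3, so a short comment naming what vmbr3 carries and why unrestricted input is acceptable there would help the next reader.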
@@ -94,12 +94,15 @@ echo "# Updating config..." sed -i \ -e \"/trusted_domains/i\\ 'trusted_proxies' =>\\n array (\\n '${GATE_LAN_IP/\/*}\\/32',\\n ),\" \ /var/www/nextcloud/config/config.php" + # add self IP to trusted_domains -- enable setup from local network... -IP=$([ -z $DRY_RUN ] && lxc-attach $ID -- hostname -I) -@ lxc-attach $ID -- bash -c "\ - sed -z -i \ - -e \"s/\\(trusted_domains[^)]*\\)/\\1 2 => '${IP/ *}',\\n /\" \ - /var/www/nextcloud/config/config.php" +# XXX is this actually needed??? +#IP=$([ -z $DRY_RUN ] && lxc-attach $ID -- hostname -I) +#@ lxc-attach $ID -- bash -c "\ +# sed -z -i \ +# -e \"s/\\(trusted_domains[^)]*\\)/\\1 2 => '${IP/ *}',\\n /\" \ +# /var/www/nextcloud/config/config.php" + # remove /index.php from urls... # for more info see: # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#pretty-urls
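Review bot: The context heading `# add self IP to trusted_domains -- enable setup from local network...` now describes code that no longer runs, and the new `# XXX is this actually needed???` records the doubt without the reason it was disabled. Either delete the six commented-out lines (history keeps them) or replace the XXX with one sentence stating what was observed, e.g. `# Disabled: the trusted_proxies entry above is expected to cover setup from the local network; re-enable if the installer rejects the container IP.`, hedged if that expectation has not been tested. The commented block also keeps the original unquoted `$DRY_RUN` and `$ID`, which should not come back as-is if the block is revived.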