fix

Signed-off-by: Alex A. Naanou <alex.nanou@gmail.com>

.pct-helpers

@@ -221,6 +221,7 @@ xread(){
 #
 #	xreadYes MSG VAR
 #
+# XXX make VAR optional...
 xreadYes(){
 	# XXX check DFL_..???
 	if [[ "${!2}" == "SKIP" ]] ; then
@@ -252,6 +253,10 @@ xreadYes(){
 	fi
 	[ $SCRIPTING ] \
 		&& echo "$2=${!2}"
+
+	if [ -z ${!2} ] ; then
+		return 1
+	fi
 }
 
 #

host/make.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/bash
+#----------------------------------------------------------------------
+
+cd $(dirname $0)
+PATH=$PATH:$(dirname "$(pwd)")
+
+
+#----------------------------------------------------------------------
+
+source ../.pct-helpers
+
+
+#----------------------------------------------------------------------
+
+readConfig
+
+
+SOFTWARE=(
+	make
+	w3m links
+	qrencode
+	htop iftop iotop
+	tmux
+)
+
+
+#----------------------------------------------------------------------
+
+# Tools
+if xreadYes "# Update system?" UPDATE ; then
+	@ apt update
+	@ apt upgrade
+fi
+if xreadYes "# Install additional apps?" APPS ; then
+	@ apt install $(SOFTWARE[@])
+fi
+
+# Networking
+if xreadYes "# Create bridges?" BRIDGES ; then
+	echo
+fi
+
+# Firewall
+if xreadYes "# Update firewall rules?" FIREWALL ; then
+	@ cp --backup -i templates/etc/pve/firewall/cluster.fw /etc/pve/firewall/
+fi
+
+
+
+
+#----------------------------------------------------------------------
+# vim:set ts=4 sw=4 :

host/templates/pve/etc/firewall/cluster.fw

@@ -0,0 +1,30 @@
+[OPTIONS]
+
+enable: 1
+
+[IPSET management]
+
+
+[RULES]
+
+IN ACCEPT -i vmbr3 -log nolog # STUB
+IN REJECT -i vmbr0 -p udp -dport 68 -sport 68 -log nolog # dhcp
+IN REJECT -i vmbr0 -p udp -dport 67 -sport 67 -log nolog # dhcp
+OUT REJECT -i vmbr0 -p udp -dport 68 -sport 68 -log nolog # dhcp
+OUT REJECT -i vmbr0 -p udp -dport 67 -sport 67 -log nolog # dhcp
+IN DHCPfwd(REJECT) -i vmbr0 -log nolog
+OUT DHCPfwd(REJECT) -i vmbr0 -log nolog
+IN DNS(ACCEPT) -i vmbr0 -log nolog
+IN Ping(ACCEPT) -i vmbr0 -log nolog
+IN SSH(ACCEPT) -i vmbr0 -log nolog
+|IN OpenVPN(ACCEPT) -i vmbr0 -log nolog
+IN Web(ACCEPT) -i vmbr0 -log nolog
+IN ACCEPT -i vmbr0 -p udp -dport 22027 -log nolog # syncthing
+IN ACCEPT -i vmbr0 -p udp -dport 22000 -log nolog # syncthing
+IN ACCEPT -i vmbr0 -p tcp -dport 22000 -log nolog # syncthing
+IN SMB(ACCEPT) -i vmbr0 -log nolog
+IN Git(ACCEPT) -i vmbr0 -log nolog
+|IN Rsync(ACCEPT) -i vmbr0 -log nolog
+|IN REJECT -i vmbr0 -log nolog # ALL
+
+[group landings]

nextcloud/make.sh

@@ -94,12 +94,15 @@ echo "# Updating config..."
 	sed -i \
 		-e \"/trusted_domains/i\\  'trusted_proxies' =>\\n  array (\\n    '${GATE_LAN_IP/\/*}\\/32',\\n  ),\" \
 		/var/www/nextcloud/config/config.php"
+
 # add self IP to trusted_domains -- enable setup from local network...
-IP=$([ -z $DRY_RUN ] && lxc-attach $ID -- hostname -I)
-@ lxc-attach $ID -- bash -c "\
-	sed -z -i \
-		-e \"s/\\(trusted_domains[^)]*\\)/\\1  2 => '${IP/ *}',\\n  /\" \
-		/var/www/nextcloud/config/config.php"
+# XXX is this actually needed???
+#IP=$([ -z $DRY_RUN ] && lxc-attach $ID -- hostname -I)
+#@ lxc-attach $ID -- bash -c "\
+#	sed -z -i \
+#		-e \"s/\\(trusted_domains[^)]*\\)/\\1  2 => '${IP/ *}',\\n  /\" \
+#		/var/www/nextcloud/config/config.php"
+
 # remove /index.php from urls...
 # for more info see:
 #	https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#pretty-urls

syncthing/fw/ID.fw

@@ -0,0 +1,10 @@
+[OPTIONS]
+
+enable: 1
+
+[RULES]
+
+IN ACCEPT -i net1 -log nolog
+IN HTTPS(DROP) -i net0 -log nolog
+IN HTTP(DROP) -i net0 -log nolog
+

syncthing/make.sh

@@ -77,6 +77,9 @@ sleep ${TIMEOUT:=5}
 		-e 's/127\.0\.0\.1:8384/0.0.0.0:8384/g' \
 		-i /var/lib/syncthing/.config/syncthing/config.xml
 
+echo "# Setup: firewall..."
+@ cp --backup -i fw/ID.fw /etc/pve/firewall/$ID.fw
+
 echo "# Post config..."
 pctSet $ID "${OPTS_STAGE_2}" $REBOOT