From 31d1e3ffa1fb0c56c9921141ee31620725484795 Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Thu, 3 Apr 2025 09:00:38 +0200
Subject: [PATCH] Fix.

---
 bookworm/etc/server/nftables.conf | 40 ++++++++++++++++++++++++++
 bookworm/scripts/setup_server.sh | 7 +++--
 testing/scripts/_setup_secrets_user.sh | 2 +-
 3 files changed, 45 insertions(+), 4 deletions(-)
 create mode 100755 bookworm/etc/server/nftables.conf

diff --git a/bookworm/etc/server/nftables.conf b/bookworm/etc/server/nftables.conf
new file mode 100755
index 0000000..73193eb
--- /dev/null
+++ b/bookworm/etc/server/nftables.conf
@@ -0,0 +1,40 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter \
+ hook input \
+ priority 0;
+ policy drop;
+ iif lo \
+ accept \
+ comment "accept localhost traffic";
+ ct state invalid \
+ drop \
+ comment "drop invalid connections";
+ ct state established, related \
+ accept \
+ comment "accept traffic originated from us";
+ tcp dport 22 \
+ accept \
+ comment "accept SSH on default port";
+ ip protocol icmp \
+ icmp type echo-request \
+ accept \
+ comment "accept ICMP for pinging";
+ }
+ chain forward {
+ type filter \
+ hook forward \
+ priority 0;
+ policy drop;
+ }
+ chain output {
+ type filter \
+ hook output \
+ priority 0;
+ policy accept;
+ }
+}
diff --git a/bookworm/scripts/setup_server.sh b/bookworm/scripts/setup_server.sh
index b79920e..305fb36 100755
--- a/bookworm/scripts/setup_server.sh
+++ b/bookworm/scripts/setup_server.sh
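Review bot: The input chain only admits IPv4 ICMP (`ip protocol icmp icmp type echo-request accept`), so under `policy drop` in this `inet` table every ICMPv6 packet is discarded, including neighbour solicitation/advertisement and router advertisements; if the host has IPv6 connectivity this silently breaks it, and pings over IPv6 fail even though the comment says "accept ICMP for pinging". Add a matching rule next to it, e.g. `meta l4proto ipv6-icmp icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept comment "accept ICMPv6 for pinging and neighbour discovery";`, or, if the host is deliberately IPv4-only, say so in a comment so the omission reads as intentional rather than an oversight. A short header comment naming where this file is installed and which unit loads it would also help, since the ruleset itself is silent about that and the companion hunk in bookworm/scripts/setup_server.sh only enables `nftables.service`.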
@@ -36,11 +36,12 @@ echo '\nSetting Berlin localtime.'
 ln -sf /usr/share/zoneinfo/Europe/Berlin "${PATH_ETC}/localtime"
 ntpdate-debian
-setup_users "${MIN_TAGS}" ""
+setup_users "${MIN_TAGS}" ''
+echo '\nMoving SSH data from root to user.'
 mkdir -p "${PATH_USER_SSH}"
 mv "/root/${PATH_REL_SSH}/authorized_keys" "${PATH_USER_SSH}/"
 chown -R "${USERNAME}:${USERNAME}" "${PATH_USER_SSH}"
-# # Enable firewall.
-# systemctl enable nftables.service
+echo '\nEnabling the firewall.'
+systemctl enable nftables.service
diff --git a/testing/scripts/_setup_secrets_user.sh b/testing/scripts/_setup_secrets_user.sh
index b896498..990f330 100644
--- a/testing/scripts/_setup_secrets_user.sh
+++ b/testing/scripts/_setup_secrets_user.sh
@@ -32,7 +32,7 @@ while true; do
 echo ''
 stty -echo
 set +e
- ssh-add
+ ssh-add -q
 RESULT=$?
 set -e
 stty echo
-- 
2.30.2
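Review bot: `systemctl enable nftables.service` only registers the unit for the next boot; the ruleset added in bookworm/etc/server/nftables.conf is not loaded into the running kernel, so the host stays unfiltered until a reboot (whether the script reboots later is outside this hunk). If the rules are meant to apply immediately, use `systemctl enable --now nftables.service`, and because that switches on a default-drop input policy over what is presumably a live SSH session, validate the file first with `nft -c -f <installed nftables.conf path>` so a parse error fails the script under `set -e` instead of leaving the firewall silently off. The new `echo '\nEnabling the firewall.'` relies on echo expanding `\n`, which dash does and bash does not; it matches the existing `echo '\nSetting Berlin localtime.'` lines, so it is only worth changing if the whole script moves to `printf`.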