From: Christian Heller Date: Fri, 7 Feb 2020 17:39:06 +0000 (+0100) Subject: Prepare introduction of PeerTube setup script. X-Git-Url: https://plomlompom.com/repos/te"st.html?a=commitdiff_plain;h=3fdac7e14c99aa61c089f73fa11a1b1cb2a5febf;p=config Prepare introduction of PeerTube setup script. --- diff --git a/buster/apt-mark/peertube b/buster/apt-mark/peertube new file mode 100644 index 0000000..4e4c19a --- /dev/null +++ b/buster/apt-mark/peertube @@ -0,0 +1,15 @@ +nginx-light +ffmpeg +postgresql +postgresql-contrib +openssl +redis-server +python-dev +# only needed for setup +g++ +make +git +curl +unzip +libncurses5 +pwgen diff --git a/buster/apt-mark/pleroma b/buster/apt-mark/pleroma index 643aee2..eadc572 100644 --- a/buster/apt-mark/pleroma +++ b/buster/apt-mark/pleroma @@ -1,4 +1,3 @@ -# might need nginx-standard instead nginx-light # for SSL certbot diff --git a/buster/etc_files/pleroma/etc/nftables.conf b/buster/etc_files/pleroma/etc/nftables.conf deleted file mode 100755 index ec6732a..0000000 --- a/buster/etc_files/pleroma/etc/nftables.conf +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/sbin/nft -f - -flush ruleset - -table inet filter { - chain input { - type filter hook input priority 0; policy drop; - iif lo accept comment "accept localhost traffic" - ct state invalid drop comment "drop invalid connections" - ct state established, related accept comment "accept traffic originated from us" - tcp dport 22 accept comment "accept SSH on default port" - tcp dport 80 accept comment "accept HTTP on default port" - tcp dport 443 accept comment "accept HTTPS on default port" - ip protocol icmp icmp type echo-request accept comment "accept ICMP for pinging" - } - chain forward { - type filter hook forward priority 0; policy drop; - } - chain output { - type filter hook output priority 0; policy accept; - } -} diff --git a/buster/etc_files/web/etc/nftables.conf b/buster/etc_files/web/etc/nftables.conf new file mode 100755 index 0000000..ec6732a --- /dev/null +++ b/buster/etc_files/web/etc/nftables.conf @@ -0,0 +1,22 @@ +#!/usr/sbin/nft -f + +flush ruleset + +table inet filter { + chain input { + type filter hook input priority 0; policy drop; + iif lo accept comment "accept localhost traffic" + ct state invalid drop comment "drop invalid connections" + ct state established, related accept comment "accept traffic originated from us" + tcp dport 22 accept comment "accept SSH on default port" + tcp dport 80 accept comment "accept HTTP on default port" + tcp dport 443 accept comment "accept HTTPS on default port" + ip protocol icmp icmp type echo-request accept comment "accept ICMP for pinging" + } + chain forward { + type filter hook forward priority 0; policy drop; + } + chain output { + type filter hook output priority 0; policy accept; + } +} diff --git a/buster/setup_scripts/setup_pleroma.sh b/buster/setup_scripts/setup_pleroma.sh index f4d0d43..9fb937a 100755 --- a/buster/setup_scripts/setup_pleroma.sh +++ b/buster/setup_scripts/setup_pleroma.sh @@ -12,7 +12,7 @@ mail="$2" # Install dependencies, set up firewall. config_tree_prefix="${HOME}/config/buster" ./install_for_target.sh pleroma -./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" pleroma +./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" web nft -f /etc/nftables.conf # Set up letsencrypt certificate. TODO: Is it auto-renewed?