diff options
| author | Silvio Rhatto <rhatto@riseup.net> | 2020-12-13 10:25:19 -0300 |
|---|---|---|
| committer | Silvio Rhatto <rhatto@riseup.net> | 2020-12-13 10:25:19 -0300 |
| commit | 7799e36e0f057625f29bba0394597da5645fcc30 (patch) | |
| tree | ae294d1c763f38f9d0b007f71291aa22b9f7e846 /share | |
| parent | 71e615a3faae973342ae5debdd76b28a33430817 (diff) | |
| download | kvmx-7799e36e0f057625f29bba0394597da5645fcc30.tar.gz kvmx-7799e36e0f057625f29bba0394597da5645fcc30.tar.bz2 | |
Fix: provision cleanup and organize
Diffstat (limited to 'share')
| -rwxr-xr-x | share/provision/debian/basic (renamed from share/provision/basic) | 0 | ||||
| -rwxr-xr-x | share/provision/debian/desktop-basic (renamed from share/provision/desktop-basic) | 0 | ||||
| -rwxr-xr-x | share/provision/debian/desktop-full (renamed from share/provision/desktop-full) | 0 | ||||
| -rwxr-xr-x | share/provision/debian/development (renamed from share/provision/development) | 0 | ||||
| -rw-r--r-- | share/provision/debian/files/desktop-basic/etc/default/keyboard (renamed from share/provision/files/desktop-basic/etc/default/keyboard) | 0 | ||||
| -rw-r--r-- | share/provision/debian/files/desktop-basic/etc/lightdm/lightdm.conf (renamed from share/provision/files/desktop-basic/etc/lightdm/lightdm.conf) | 0 | ||||
| -rw-r--r-- | share/provision/debian/files/desktop-basic/home/user/.custom/xsession (renamed from share/provision/files/desktop-basic/home/user/.custom/xsession) | 0 | ||||
| -rwxr-xr-x | share/provision/debian/lsd (renamed from share/provision/lsd) | 0 | ||||
| -rwxr-xr-x | share/provision/debian/messenger (renamed from share/provision/messenger) | 0 | ||||
| -rwxr-xr-x | share/provision/debian/openbox (renamed from share/provision/openbox) | 12 | ||||
| -rwxr-xr-x | share/provision/debian/openvpn (renamed from share/provision/openvpn) | 0 | ||||
| -rwxr-xr-x | share/provision/debian/tor-browser (renamed from share/provision/tor-browser) | 0 | ||||
| -rwxr-xr-x | share/provision/debian/trashman (renamed from share/provision/trashman) | 0 | ||||
| -rwxr-xr-x | share/provision/debian/web-basic (renamed from share/provision/web-basic) | 0 | ||||
| -rwxr-xr-x | share/provision/debian/web-full (renamed from share/provision/web-full) | 0 | ||||
| -rwxr-xr-x | share/provision/debian/webserver (renamed from share/provision/webserver) | 0 | ||||
| -rwxr-xr-x | share/provision/debian/wireguard (renamed from share/provision/wireguard) | 0 | ||||
| -rw-r--r-- | share/provision/files/njalla-openvpn/etc/ferm/ferm.conf | 181 | ||||
| -rw-r--r-- | share/provision/files/njalla-openvpn/etc/udev/rules.d/81-vpn-firewall.rules | 2 | ||||
| -rwxr-xr-x | share/provision/files/njalla-openvpn/usr/local/bin/fermreload.sh | 39 | ||||
| -rw-r--r-- | share/provision/files/njalla-wireguard/etc/ferm/ferm.conf | 179 | ||||
| -rw-r--r-- | share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules | 2 | ||||
| -rwxr-xr-x | share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh | 39 | ||||
| -rwxr-xr-x | share/provision/njalla-openvpn | 49 | ||||
| -rwxr-xr-x | share/provision/njalla-wireguard | 42 |
25 files changed, 10 insertions, 535 deletions
diff --git a/share/provision/basic b/share/provision/debian/basic index 11a4d7d..11a4d7d 100755 --- a/share/provision/basic +++ b/share/provision/debian/basic diff --git a/share/provision/desktop-basic b/share/provision/debian/desktop-basic index ec49414..ec49414 100755 --- a/share/provision/desktop-basic +++ b/share/provision/debian/desktop-basic diff --git a/share/provision/desktop-full b/share/provision/debian/desktop-full index b4dce46..b4dce46 100755 --- a/share/provision/desktop-full +++ b/share/provision/debian/desktop-full diff --git a/share/provision/development b/share/provision/debian/development index bb2f890..bb2f890 100755 --- a/share/provision/development +++ b/share/provision/debian/development diff --git a/share/provision/files/desktop-basic/etc/default/keyboard b/share/provision/debian/files/desktop-basic/etc/default/keyboard index f18fc73..f18fc73 100644 --- a/share/provision/files/desktop-basic/etc/default/keyboard +++ b/share/provision/debian/files/desktop-basic/etc/default/keyboard diff --git a/share/provision/files/desktop-basic/etc/lightdm/lightdm.conf b/share/provision/debian/files/desktop-basic/etc/lightdm/lightdm.conf index 7614cc2..7614cc2 100644 --- a/share/provision/files/desktop-basic/etc/lightdm/lightdm.conf +++ b/share/provision/debian/files/desktop-basic/etc/lightdm/lightdm.conf diff --git a/share/provision/files/desktop-basic/home/user/.custom/xsession b/share/provision/debian/files/desktop-basic/home/user/.custom/xsession index ee206e0..ee206e0 100644 --- a/share/provision/files/desktop-basic/home/user/.custom/xsession +++ b/share/provision/debian/files/desktop-basic/home/user/.custom/xsession diff --git a/share/provision/lsd b/share/provision/debian/lsd index 2b4a35e..2b4a35e 100755 --- a/share/provision/lsd +++ b/share/provision/debian/lsd diff --git a/share/provision/messenger b/share/provision/debian/messenger index bdd8f7e..bdd8f7e 100755 --- a/share/provision/messenger +++ b/share/provision/debian/messenger diff --git a/share/provision/openbox b/share/provision/debian/openbox index 26a6db0..df47622 100755 --- a/share/provision/openbox +++ b/share/provision/debian/openbox @@ -28,5 +28,13 @@ APT_INSTALL="sudo LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y" # Use a stacked window manager to reduce browser fingerprinting $APT_INSTALL openbox gmrun -apps/metadot/metadot load openbox -sed -i -e 's/^WINDOW_MANAGER=.*$/WINDOW_MANAGER="openbox"/' $HOME/.custom/xsession + +# Dotfiles configuration +if [ -x "$HOME/apps/metadot/metadot" ]; then + $HOME/apps/metadot/metadot load openbox +fi + +# Custom xsession config +if [ -f "$HOME/.custom/xsession" ]; then + sed -i -e 's/^WINDOW_MANAGER=.*$/WINDOW_MANAGER="openbox"/' $HOME/.custom/xsession +fi diff --git a/share/provision/openvpn b/share/provision/debian/openvpn index 5722c3e..5722c3e 100755 --- a/share/provision/openvpn +++ b/share/provision/debian/openvpn diff --git a/share/provision/tor-browser b/share/provision/debian/tor-browser index afbab58..afbab58 100755 --- a/share/provision/tor-browser +++ b/share/provision/debian/tor-browser diff --git a/share/provision/trashman b/share/provision/debian/trashman index b1f7bc5..b1f7bc5 100755 --- a/share/provision/trashman +++ b/share/provision/debian/trashman diff --git a/share/provision/web-basic b/share/provision/debian/web-basic index 11a94b5..11a94b5 100755 --- a/share/provision/web-basic +++ b/share/provision/debian/web-basic diff --git a/share/provision/web-full b/share/provision/debian/web-full index a21a15d..a21a15d 100755 --- a/share/provision/web-full +++ b/share/provision/debian/web-full diff --git a/share/provision/webserver b/share/provision/debian/webserver index 650452f..650452f 100755 --- a/share/provision/webserver +++ b/share/provision/debian/webserver diff --git a/share/provision/wireguard b/share/provision/debian/wireguard index 0aad2c9..0aad2c9 100755 --- a/share/provision/wireguard +++ b/share/provision/debian/wireguard diff --git a/share/provision/files/njalla-openvpn/etc/ferm/ferm.conf b/share/provision/files/njalla-openvpn/etc/ferm/ferm.conf deleted file mode 100644 index a25a3d2..0000000 --- a/share/provision/files/njalla-openvpn/etc/ferm/ferm.conf +++ /dev/null @@ -1,181 +0,0 @@ -# -*- shell-script -*- -# -# Configuration file for ferm(1). -# -# V: 0.1 -# -# ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html -# Blog post: https://blog.ipredator.se/linux-firewall-howto.html -# - -# Really make sure that these modules exist and are loaded. -@hook pre "/sbin/modprobe nf_conntrack_ftp"; -@hook pre "/sbin/modprobe nfnetlink_log"; - -# Network interfaces. -#@def $DEV_LAN = eth0; -@def $DEV_LAN = ens3; -@def $DEV_LOOPBACK = lo0; -@def $DEV_VPN = tun0; - -# Network definition for the loopback device. This is needed to allow -# DNS resolution on Ubuntu Linux where the local resolver is bound -# to 127.0.1.1 - as opposed to the default 127.0.0.1. -@def $NET_LOOPBACK = 127.0.0.0/8; - -# Common application ports. -@def $PORT_DNS = 53; -@def $PORT_FTP = ( 20 21 ); -@def $PORT_NTP = 123; -@def $PORT_SSH = 22; -@def $PORT_WEB = ( 80 443 ); - -# The ports we allow OpenVPN to connect to. IPredator allows you -# to connect on _any_ port. Simply add more ports if desired but -# stick to only those that you really need. -@def $PORT_OPENVPN = (1194 1234 1337 2342 5060); - -# See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html -# Ports Transmission is allowed to use. -@def $PORT_TRANSMISSION = 16384:65535; - -# Public DNS servers and those that are only reachable via VPN. -# DNS servers are specified in the outbound DNS rules to prevent DNS leaks -# (https://www.dnsleaktest.com/). The public DNS servers configured on your -# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns), -# but you need to verify this. -# -@def $IP_DNS_IPR_PUBLIC = (194.132.32.32/32 46.246.46.246/32); - -# Add your ISP name server to this object if you want to restrict -# which DNS servers can be queried. -@def $IP_DNS_PUBLIC = 0.0.0.0/0; - -# DNS server available within the VPN. -@def $IP_DNS_VPN = ( 46.246.46.46/32 194.132.32.23/32 ); - -# Make sure to use the proper VPN interface (e.g. tun0 in this case). -# Note: You cannot reference $DEV_VPN here, substition does not take -# place for commands passed to a sub shell. -@def $VPN_ACTIVE = `ip link show tun0 >/dev/null 2>/dev/null && echo 1 || echo`; - -# VPN interface conditional. If true the following rules are loaded. -@if $VPN_ACTIVE { - domain ip { - table filter { - chain INPUT { - interface $DEV_VPN { - proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT; - } - } - chain OUTPUT { - # Default allowed outbound services on the VPN interface. - # If you need more simply add your rules here. - outerface $DEV_VPN { - proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT; - proto tcp dport $PORT_FTP ACCEPT; - proto udp dport $PORT_NTP ACCEPT; - proto tcp dport $PORT_SSH ACCEPT; - proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT; - proto tcp dport $PORT_WEB ACCEPT; - } - } - } - } -} - -# The main IPv4 rule set. -domain ip { - table filter { - chain INPUT { - # The default policy for the chain. Usually ACCEPT or DROP or REJECT. - policy DROP; - - # Connection tracking. - mod state state INVALID DROP; - mod state state (ESTABLISHED RELATED) ACCEPT; - - # Allow local traffic to loopback interface. - daddr $NET_LOOPBACK ACCEPT; - - # Allow inbound SSH on your LAN interface _only_. - interface $DEV_LAN { - proto tcp dport $PORT_SSH ACCEPT; - } - - # Respond to ping ... makes debugging easier. - proto icmp icmp-type echo-request ACCEPT; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - - chain OUTPUT { - policy DROP; - - # Connection tracking. - mod state state INVALID DROP; - mod state state (ESTABLISHED RELATED) ACCEPT; - - # Allow local traffic from the loopback interface. - saddr $NET_LOOPBACK ACCEPT; - - # Respond to ping. - proto icmp icmp-type echo-request ACCEPT; - - # Allowed services on the LAN interface. - outerface $DEV_LAN { - proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT; - proto udp dport $PORT_NTP ACCEPT; - proto (tcp udp) dport $PORT_OPENVPN ACCEPT; - proto tcp dport $PORT_SSH ACCEPT; - } - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - - chain FORWARD { - policy DROP; - - # If you use your machine to route traffic eg. - # from a VM you have to add rules here! - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - } -} - -# IPv6 is generally disabled, communication on the loopback device is allowed. -domain ip6 { - table filter { - chain INPUT { - policy DROP; - - # Allow local traffic. - interface $DEV_LOOPBACK ACCEPT; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - chain OUTPUT { - policy DROP; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - chain FORWARD { - policy DROP; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - } -} diff --git a/share/provision/files/njalla-openvpn/etc/udev/rules.d/81-vpn-firewall.rules b/share/provision/files/njalla-openvpn/etc/udev/rules.d/81-vpn-firewall.rules deleted file mode 100644 index 64d8bd1..0000000 --- a/share/provision/files/njalla-openvpn/etc/udev/rules.d/81-vpn-firewall.rules +++ /dev/null @@ -1,2 +0,0 @@ -KERNEL=="tun0", ACTION=="add", RUN+="/usr/local/bin/fermreload.sh add" -KERNEL=="tun0", ACTION=="remove", RUN+="/usr/local/bin/fermreload.sh remove" diff --git a/share/provision/files/njalla-openvpn/usr/local/bin/fermreload.sh b/share/provision/files/njalla-openvpn/usr/local/bin/fermreload.sh deleted file mode 100755 index cebf7cc..0000000 --- a/share/provision/files/njalla-openvpn/usr/local/bin/fermreload.sh +++ /dev/null @@ -1,39 +0,0 @@ -#!/bin/bash -# -# fermreload.sh -# V: 0.1 -# -# Reloads the ferm firewall ruleset and is invoked by -# the udev via /etc/udev/rules.d/81-vpn-firewall.rules. -# -# IPredator 2014 -# Released under the Kopimi license. -# -# Blog post: https://blog.ipredator.se/linux-firewall-howto.html -# - -LOGGER=/usr/bin/logger -LOGGER_TAG=$0 - -UDEV_ACTION=$1 - -FERM=/usr/sbin/ferm -FERM_CONF=/etc/ferm/ferm.conf - -MSG_FW_RULE_ADD="Adding VPN firewall rules." -MSG_FW_RULE_REMOVE="Removing VPN firewall rules." -MSG_UDEV_ACTION_UNKNOWN="Unknown udev action." - -case "$UDEV_ACTION" in - add) - $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_ADD - $FERM $FERM_CONF - ;; - remove) - $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_REMOVE - $FERM $FERM_CONF - ;; - *) - $LOGGER -t $LOGGER_TAG $MSG_UDEV_ACTION_UNKNOWN - exit 1 -esac diff --git a/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf b/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf deleted file mode 100644 index 9ef8208..0000000 --- a/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf +++ /dev/null @@ -1,179 +0,0 @@ -# -*- shell-script -*- -# -# Configuration file for ferm(1). -# -# V: 0.1 -# -# ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html -# Blog post: https://blog.ipredator.se/linux-firewall-howto.html -# - -# Really make sure that these modules exist and are loaded. -@hook pre "/sbin/modprobe nf_conntrack_ftp"; -@hook pre "/sbin/modprobe nfnetlink_log"; - -# Network interfaces. -#@def $DEV_LAN = eth0; -@def $DEV_LAN = ens3; -@def $DEV_LOOPBACK = lo0; -@def $DEV_VPN = wg0; - -# Network definition for the loopback device. This is needed to allow -# DNS resolution on Ubuntu Linux where the local resolver is bound -# to 127.0.1.1 - as opposed to the default 127.0.0.1. -@def $NET_LOOPBACK = 127.0.0.0/8; - -# Common application ports. -@def $PORT_DNS = 53; -@def $PORT_FTP = ( 20 21 ); -@def $PORT_NTP = 123; -@def $PORT_SSH = 22; -@def $PORT_WEB = ( 80 443 ); - -# The ports we allow to connect to. -@def $PORT_WIREGUARD = ( 51820 ); - -# See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html -# Ports Transmission is allowed to use. -@def $PORT_TRANSMISSION = 16384:65535; - -# Public DNS servers and those that are only reachable via VPN. -# DNS servers are specified in the outbound DNS rules to prevent DNS leaks -# (https://www.dnsleaktest.com/). The public DNS servers configured on your -# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns), -# but you need to verify this. -# -@def $IP_DNS_IPR_PUBLIC = ( 95.215.19.53/32 ); - -# Add your ISP name server to this object if you want to restrict -# which DNS servers can be queried. -@def $IP_DNS_PUBLIC = 0.0.0.0/0; - -# DNS server available within the VPN. -@def $IP_DNS_VPN = ( 95.215.19.53/32 ); - -# Make sure to use the proper VPN interface (e.g. wg0 in this case). -# Note: You cannot reference $DEV_VPN here, substition does not take -# place for commands passed to a sub shell. -@def $VPN_ACTIVE = `ip link show wg0 >/dev/null 2>/dev/null && echo 1 || echo`; - -# VPN interface conditional. If true the following rules are loaded. -@if $VPN_ACTIVE { - domain ip { - table filter { - chain INPUT { - interface $DEV_VPN { - proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT; - } - } - chain OUTPUT { - # Default allowed outbound services on the VPN interface. - # If you need more simply add your rules here. - outerface $DEV_VPN { - proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT; - proto tcp dport $PORT_FTP ACCEPT; - proto udp dport $PORT_NTP ACCEPT; - proto tcp dport $PORT_SSH ACCEPT; - proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT; - proto tcp dport $PORT_WEB ACCEPT; - } - } - } - } -} - -# The main IPv4 rule set. -domain ip { - table filter { - chain INPUT { - # The default policy for the chain. Usually ACCEPT or DROP or REJECT. - policy DROP; - - # Connection tracking. - mod state state INVALID DROP; - mod state state (ESTABLISHED RELATED) ACCEPT; - - # Allow local traffic to loopback interface. - daddr $NET_LOOPBACK ACCEPT; - - # Allow inbound SSH on your LAN interface _only_. - interface $DEV_LAN { - proto tcp dport $PORT_SSH ACCEPT; - } - - # Respond to ping ... makes debugging easier. - proto icmp icmp-type echo-request ACCEPT; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - - chain OUTPUT { - policy DROP; - - # Connection tracking. - mod state state INVALID DROP; - mod state state (ESTABLISHED RELATED) ACCEPT; - - # Allow local traffic from the loopback interface. - saddr $NET_LOOPBACK ACCEPT; - - # Respond to ping. - proto icmp icmp-type echo-request ACCEPT; - - # Allowed services on the LAN interface. - outerface $DEV_LAN { - proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT; - proto udp dport $PORT_NTP ACCEPT; - proto (tcp udp) dport $PORT_WIREGUARD ACCEPT; - proto tcp dport $PORT_SSH ACCEPT; - } - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - - chain FORWARD { - policy DROP; - - # If you use your machine to route traffic eg. - # from a VM you have to add rules here! - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - } -} - -# IPv6 is generally disabled, communication on the loopback device is allowed. -domain ip6 { - table filter { - chain INPUT { - policy DROP; - - # Allow local traffic. - interface $DEV_LOOPBACK ACCEPT; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - chain OUTPUT { - policy DROP; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - chain FORWARD { - policy DROP; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - } -} diff --git a/share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules b/share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules deleted file mode 100644 index 8c9d744..0000000 --- a/share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules +++ /dev/null @@ -1,2 +0,0 @@ -KERNEL=="wg0", ACTION=="add", RUN+="/usr/local/bin/fermreload.sh add" -KERNEL=="wg0", ACTION=="remove", RUN+="/usr/local/bin/fermreload.sh remove" diff --git a/share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh b/share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh deleted file mode 100755 index cebf7cc..0000000 --- a/share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh +++ /dev/null @@ -1,39 +0,0 @@ -#!/bin/bash -# -# fermreload.sh -# V: 0.1 -# -# Reloads the ferm firewall ruleset and is invoked by -# the udev via /etc/udev/rules.d/81-vpn-firewall.rules. -# -# IPredator 2014 -# Released under the Kopimi license. -# -# Blog post: https://blog.ipredator.se/linux-firewall-howto.html -# - -LOGGER=/usr/bin/logger -LOGGER_TAG=$0 - -UDEV_ACTION=$1 - -FERM=/usr/sbin/ferm -FERM_CONF=/etc/ferm/ferm.conf - -MSG_FW_RULE_ADD="Adding VPN firewall rules." -MSG_FW_RULE_REMOVE="Removing VPN firewall rules." -MSG_UDEV_ACTION_UNKNOWN="Unknown udev action." - -case "$UDEV_ACTION" in - add) - $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_ADD - $FERM $FERM_CONF - ;; - remove) - $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_REMOVE - $FERM $FERM_CONF - ;; - *) - $LOGGER -t $LOGGER_TAG $MSG_UDEV_ACTION_UNKNOWN - exit 1 -esac diff --git a/share/provision/njalla-openvpn b/share/provision/njalla-openvpn deleted file mode 100755 index eb8d1f4..0000000 --- a/share/provision/njalla-openvpn +++ /dev/null @@ -1,49 +0,0 @@ -#!/usr/bin/env bash -# -# Full desktop provision example -# -# Copyright (C) 2017 Silvio Rhatto - rhatto at riseup.net -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published -# by the Free Software Foundation, either version 3 of the License, -# or any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -# - -# Parameters -DIRNAME="`dirname $0`" -BASENAME="`basename $0`" -HOSTNAME="$1" -DOMAIN="$2" -MIRROR="$3" -APT_INSTALL="sudo LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y" - -# Provision the basic stuff -$DIRNAME/openvpn $HOSTNAME $DOMAIN $MIRROR - -# Firewall -$APT_INSTALL ferm ulogd2 ulogd2-pcap -sudo cp $DIRNAME/files/njalla-openvpn/etc/ferm/ferm.conf /etc/ferm -sudo cp $DIRNAME/files/njalla-openvpn/etc/udev/rules.d/81-vpn-firewall.rules /etc/udev/rules.d -sudo cp $DIRNAME/files/njalla-openvpn/usr/local/bin/fermreload.sh /usr/local/bin -sudo chmod 555 /usr/local/bin/fermreload.sh -sudo sed -i -e 's/^ENABLED=.*$/ENABLED="yes"/' /etc/default/ferm -sudo service ferm restart - -# Njalla -#sudo cp $DIRNAME/files/njalla/etc/openvpn/njalla.conf /etc/openvpn -#sudo touch /etc/openvpn/njalla.auth -#sudo chown root:root /etc/openvpn/njalla.conf -#sudo chown root:root /etc/openvpn/njalla.auth -#sudo chmod 400 /etc/openvpn/njalla.conf -#sudo chmod 400 /etc/openvpn/njalla.auth -#echo "Please set user/password at /etc/openvpn/njalla.auth" -echo "Please configure /etc/openvpn/njalla.conf" diff --git a/share/provision/njalla-wireguard b/share/provision/njalla-wireguard deleted file mode 100755 index df364bf..0000000 --- a/share/provision/njalla-wireguard +++ /dev/null @@ -1,42 +0,0 @@ -#!/usr/bin/env bash -# -# Full desktop provision example -# -# Copyright (C) 2017 Silvio Rhatto - rhatto at riseup.net -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published -# by the Free Software Foundation, either version 3 of the License, -# or any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -# - -# Parameters -DIRNAME="`dirname $0`" -BASENAME="`basename $0`" -HOSTNAME="$1" -DOMAIN="$2" -MIRROR="$3" -APT_INSTALL="sudo LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y" - -# Provision the basic stuff -$DIRNAME/wireguard $HOSTNAME $DOMAIN $MIRROR - -# Firewall -$APT_INSTALL ferm ulogd2 ulogd2-pcap -sudo cp $DIRNAME/files/njalla-wireguard/etc/ferm/ferm.conf /etc/ferm -sudo cp $DIRNAME/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules /etc/udev/rules.d -sudo cp $DIRNAME/files/njalla-wireguard/usr/local/bin/fermreload.sh /usr/local/bin -sudo chmod 555 /usr/local/bin/fermreload.sh -sudo sed -i -e 's/^ENABLED=.*$/ENABLED="yes"/' /etc/default/ferm -sudo service ferm restart - -# Njalla -echo "Please configure /etc/wireguard/ng0.conf" |