Server Kitty revised this gist 17 hours ago. Go to revision
1 file changed, 19 insertions
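--- /dev/null
+++ b/pf.conf
@@ -0,0 +1,19 @@
+ext_if = "em0"
+jail_net = "192.168.123.0/24"
+
+table <crowdsec-blacklists> persist
+table <crowdsec6-blacklists> persist
+
+set skip on lo
+
+# NAT so jails can access internet
+nat on $ext_if from $jail_net to any -> ($ext_if)
+
+# Forward Luanti ports to its jail
+rdr pass on $ext_if proto udp from any to any port 30000:40000 -> 192.168.123.11 port 30000:40000
+
+block drop in quick from <crowdsec-blacklists> to any
+block drop in quick from <crowdsec6-blacklists> to any
+
+pass in all
+pass out all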
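Review bot: The `rdr pass` on line 13 passes the translated UDP 30000:40000 packets without running them through the filter rules, so the crowdsec blacklist blocks on lines 15–16 never apply to the forwarded Luanti traffic, and `pass in all` on line 18 leaves every other host and jail port open to any source not in the tables. Drop the `pass` keyword so the redirected packets are filtered, then allow them explicitly after the block rules: `rdr on $ext_if proto udp from any to any port 30000:40000 -> 192.168.123.11 port 30000:40000` followed by `pass in quick on $ext_if proto udp to 192.168.123.11 port 30000:40000 keep state`. Consider replacing `pass in all` with a default `block in on $ext_if` plus explicit pass rules for the services that are meant to be reachable, since this host is also the NAT gateway for the jail network and rc.conf in the same revision enables several management daemons. The comment says Luanti lives in "its jail", but if jail addresses follow the commented-out `192.168.123.${nid}` convention in jail.conf, .11 belongs to freshrss rather than games — worth confirming the target address.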
Server Kitty revised this gist 17 hours ago. Go to revision
2 files changed, 148 insertions
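--- /dev/null
+++ b/jail.conf
@@ -0,0 +1,93 @@
+# Global parameters
+exec.start = "/bin/sh /etc/rc";
+#exec.start += "/sbin/ifconfig lo0 127.0.0.1 up";
+#exec.start += "/sbin/ifconfig epair${nid}b 192.168.123.${nid}/24 up";
+#exec.start += "/sbin/route add default 192.168.123.1";
+exec.stop = "/bin/sh /etc/rc.shutdown";
+exec.clean;
+mount.devfs;
+mount.procfs;
+mount.fstab = "/mnt/ssd/jail/${name}/etc/fstab";
+
+devfs_ruleset = 5;
+allow.raw_sockets;
+allow.sysvipc;
+allow.mount;
+allow.mount.fusefs;
+allow.mount.devfs;
+allow.mount.procfs;
+enforce_statfs = 1;
+
+# VNET-specific parameters
+vnet;
+vnet.interface = "epair${nid}b";
+exec.prestart = "ifconfig epair${nid} create up";
+exec.prestart += "ifconfig epair${nid}a up";
+exec.prestart += "ifconfig bridge1 addm epair${nid}a";
+exec.poststop = "ifconfig epair${nid}a destroy";
+
+# Path parameters
+path = "/mnt/ssd/jail/${name}";
+host.hostname = "${name}.jail";
+
+# NID 3, 4 is available now
+
+navidrome {
+$nid = 17;
+}
+ntfy {
+$nid = 16;
+}
+seafile {
+$nid = 15;
+}
+immich {
+# This is a Linux jail.
+$nid = 14;
+mount.procfs = 0;
+
+exec.start = "/bin/sh /sbin/swinit";
+exec.stop = "/bin/sh /sbin/swshutdown";
+}
+kanboard {
+$nid = 13;
+}
+authelia {
+$nid = 12;
+}
+freshrss {
+$nid = 11;
+}
+nextcloud {
+$nid = 10;
+}
+games {
+$nid = 9;
+}
+mastodon {
+$nid = 8;
+}
+matrix {
+$nid = 7;
+}
+ircbots {
+$nid = 6;
+}
+peertube {
+$nid = 5;
+}
+# {
+# $nid = 4;
+#}
+# {
+# $nid = 3;
+#}
+thelounge {
+$nid = 2;
+}
+forgejo {
+$nid = 1;
+}
+opengist {
+$nid = 0;
+}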
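Review bot: The global `allow.raw_sockets`, `allow.sysvipc`, `allow.mount`, `allow.mount.fusefs`, `allow.mount.devfs` and `allow.mount.procfs` on lines 13–18 apply to every jail, including the internet-facing ones such as mastodon, peertube and matrix, so jailed root can mount filesystems and open raw sockets whether or not that service needs to. `allow.sysvipc` in particular shares the host's System V IPC namespace with all jails; the per-jail `sysvmsg = new; sysvsem = new; sysvshm = new;` parameters give each jail its own isolated IPC namespace and should replace it for the jails that actually need SysV IPC. Move these allow.* lines out of the global section into the individual jail blocks that require them, each with a one-line reason, e.g. `allow.raw_sockets; # needed for ping/traceroute from inside this jail only`. `devfs_ruleset = 5` on line 12 refers to a devfs.rules entry not shown in this gist; a comment naming that ruleset and what it unhides would let its device exposure be reviewed together with these allow.* flags. `enforce_statfs = 1` on line 19 exposes mount information for the jail's own subtree, which is consistent with the mount permissions, but worth noting as deliberate.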
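--- /dev/null
+++ b/rc.conf
@@ -0,0 +1,55 @@
+# SYSTEM PROPERTIES ##
+hostname="oreo"
+dumpdev="AUTO"
+moused_nondefault_enable="NO"
+clear_tmp_enable="YES"
+syslogd_flags="-ss"
+ntpd_enable="YES"
+ntpd_sync_on_start="YES"
+smartd_enable="NO"
+powerd_enable="NO"
+linux_enable="YES"
+zfs_enable="YES"
+zfskeys_enable="YES"
+
+## REMOTE ACCESS ##
+webmin_enable="YES"
+sshd_enable="YES"
+nginx_enable="YES"
+
+## ETHERNET ##
+#ifconfig_em0="DHCP"
+ifconfig_em0="inet 10.0.0.86 netmask 255.255.255.0 up"
+ifconfig_em0_ipv6="inet6 accept_rtadv up"
+ipv6_activate_all_interfaces="YES"
+rtsold_enable="YES"
+defaultrouter="10.0.0.1"
+
+## VPN ##
+wireguard_enable="YES"
+wireguard_interfaces="wg0"
+
+## VMS AND CONTAINERS ##
+jail_enable="YES"
+
+vm_enable="YES"
+vm_dir="/mnt/ssd/vm"
+vm_list="haos"
+
+## JAIL NETWORKING ##
+gateway_enable="YES"
+
+cloned_interfaces="bridge1"
+ifconfig_bridge1="inet 192.168.123.1/24 description jailnet up"
+
+pf_enable="YES"
+pf_rules="/etc/pf.conf"
+gateway_enable="YES"
+
+## LOCAL SERVICES ##
+bootstrapsona_enable="YES"
+
+## TO CATEGORIZE ##
+postgresql_enable="YES"
+valkey_enable="YES"
+kld_list="i915kms"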
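Review bot: `webmin_enable="YES"` on line 16 starts a root-privileged web administration service, and the pf.conf in this same revision ends with `pass in all`, so unless webmin is bound to a non-routable address it is reachable from every host that can reach em0; nothing here shows it restricted to wg0 or localhost, so confirm its bind address in webmin's own configuration or add a pf rule that limits it to the WireGuard interface. `gateway_enable="YES"` is set twice, on lines 40 and 47; keep one copy, e.g. under `## JAIL NETWORKING ##`, so a later edit to one does not silently disagree with the other. `ifconfig_em0_ipv6="inet6 accept_rtadv up"` together with `ipv6_activate_all_interfaces="YES"` on lines 23–24 will give the host a globally routable IPv6 address if the LAN router advertises one, and the same `pass in all` applies to that address, so the host-side services are exposed on v6 as well as v4. A short comment on the `## REMOTE ACCESS ##` block stating which of sshd, nginx and webmin are meant to be reachable on em0 versus only over wg0 would make the intended exposure reviewable against the firewall rules.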