Major changes - compatible with Alpine
This commit is contained in:
parent
1d84bfacfc
commit
63872a229f
4 changed files with 65 additions and 6 deletions
|
@ -1,4 +1,5 @@
|
||||||
|
state_verbose: False
|
||||||
file_client: local
|
file_client: local
|
||||||
file_roots:
|
file_roots:
|
||||||
base:
|
base:
|
||||||
- /srv/salt/salt-statetree
|
- /srv/salt
|
||||||
|
|
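--- a/system/files/firewall_rules.v4.jinja
+++ b/system/files/firewall_rules.v4.jinja
@@ -0,0 +1,23 @@
+# This file is managed by Saltstack. (State {{ STATE }})
+
+*filter
+
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+-A INPUT -i lo -j ACCEPT
+
+-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
+
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+
+{% for port in ALLOWED_PORTS %}
+-A INPUT -p tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+COMMIT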
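Review bot: The ruleset only covers IPv4 — the file is `firewall_rules.v4.jinja` and the `:INPUT DROP` / `:FORWARD DROP` policies at the top of the hunk land in the iptables `*filter` table alone, so if these hosts have IPv6 connectivity nothing in this commit restricts it. A companion v6 ruleset with the same default-deny policies, or a header comment stating that IPv6 is disabled on these hosts, would close that gap. Minor style point: the SSH rule is written `-p tcp -m tcp --dport 22` while the templated rule is `-p tcp --dport {{ port }}`; both load, but using the `-m tcp` form for both keeps the file diffable against `iptables-save` output.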
38
system/firewall.sls
Normal file
38
system/firewall.sls
Normal file
|
@ -0,0 +1,38 @@
|
||||||
|
system_firewall_pkgs:
|
||||||
|
pkg.installed:
|
||||||
|
- pkgs:
|
||||||
|
- iptables
|
||||||
|
|
||||||
|
system_firewall_rules:
|
||||||
|
file.managed:
|
||||||
|
- name: /etc/iptables/rules-save
|
||||||
|
- source: salt://{{ tpldir }}/files/firewall_rules.v4.jinja
|
||||||
|
- template: jinja
|
||||||
|
- context:
|
||||||
|
STATE: {{ sls }}
|
||||||
|
ALLOWED_PORTS: [442, 25565]
|
||||||
|
- user: root
|
||||||
|
- group: root
|
||||||
|
- mode: '0600'
|
||||||
|
- makedirs: true
|
||||||
|
- require:
|
||||||
|
- system_firewall_pkgs
|
||||||
|
|
||||||
|
system_firewall_service_enable:
|
||||||
|
service.enabled:
|
||||||
|
- name: iptables
|
||||||
|
- require:
|
||||||
|
- system_firewall_pkgs
|
||||||
|
- system_firewall_rules
|
||||||
|
|
||||||
|
system_firewall_service_reload:
|
||||||
|
service.running:
|
||||||
|
- name: iptables
|
||||||
|
- enable: true
|
||||||
|
- reload: true
|
||||||
|
- watch:
|
||||||
|
- file: /etc/iptables/rules-save
|
||||||
|
- require:
|
||||||
|
- system_firewall_pkgs
|
||||||
|
- system_firewall_service_reload
|
||||||
|
|
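Review bot: `system_firewall_service_reload` lists itself under its own `require` (the final `- system_firewall_service_reload` entry of the hunk), which Salt should reject as a recursive requisite, so the `service.running` state — and the reload that the `watch` on the rules file is meant to trigger — would not run; the intended entry is presumably `- system_firewall_service_enable`. Once that is fixed, `- enable: true` on `service.running` duplicates what `system_firewall_service_enable` already declares, so one of the two can be dropped. `ALLOWED_PORTS: [442, 25565]` is hard-coded in the state's `context`; if 442 is a typo for 443 it is worth confirming, and sourcing the list from pillar would keep the set of open ports reviewable separately from the state logic.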
|
@ -5,11 +5,8 @@ system_packages_install:
|
||||||
pkg.installed:
|
pkg.installed:
|
||||||
- pkgs:
|
- pkgs:
|
||||||
- podman
|
- podman
|
||||||
- cockpit-podman
|
- mariadb
|
||||||
- podman-docker
|
- openjdk17-jre-headless
|
||||||
- podman-compose
|
|
||||||
- mariadb-server
|
|
||||||
- java-latest-openjdk-headless
|
|
||||||
- jq
|
- jq
|
||||||
- require:
|
- require:
|
||||||
- system_btrfs_create_podman_data_dir
|
- system_btrfs_create_podman_data_dir
|
||||||
|
|