Major changes - compatible with Alpine
This commit is contained in:
LinuxSquare
parent
1d84bfacfc
commit
63872a229f
4 changed files with 65 additions and 6 deletions
|
|
@ -1,4 +1,5 @@
|
|||
state_verbose: False
|
||||
file_client: local
|
||||
file_roots:
|
||||
base:
|
||||
- /srv/salt/salt-statetree
|
||||
- /srv/salt
|
||||
|
|
|
|||
23
system/files/firewall_rules.v4.jinja
Normal file
23
system/files/firewall_rules.v4.jinja
Normal file
|
|
@ -0,0 +1,23 @@
|
|||
# This file is managed by Saltstack. (State {{ STATE }})
|
||||
|
||||
*filter
|
||||
|
||||
:INPUT DROP [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
|
||||
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
|
||||
|
||||
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
|
||||
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
|
||||
|
||||
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
|
||||
|
||||
{% for port in ALLOWED_PORTS %}
|
||||
-A INPUT -p tcp --dport {{ port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
|
||||
COMMIT
|
||||
38
system/firewall.sls
Normal file
38
system/firewall.sls
Normal file
|
|
@ -0,0 +1,38 @@
|
|||
system_firewall_pkgs:
|
||||
pkg.installed:
|
||||
- pkgs:
|
||||
- iptables
|
||||
|
||||
system_firewall_rules:
|
||||
file.managed:
|
||||
- name: /etc/iptables/rules-save
|
||||
- source: salt://{{ tpldir }}/files/firewall_rules.v4.jinja
|
||||
- template: jinja
|
||||
- context:
|
||||
STATE: {{ sls }}
|
||||
ALLOWED_PORTS: [442, 25565]
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: '0600'
|
||||
- makedirs: true
|
||||
- require:
|
||||
- system_firewall_pkgs
|
||||
|
||||
system_firewall_service_enable:
|
||||
service.enabled:
|
||||
- name: iptables
|
||||
- require:
|
||||
- system_firewall_pkgs
|
||||
- system_firewall_rules
|
||||
|
||||
system_firewall_service_reload:
|
||||
service.running:
|
||||
- name: iptables
|
||||
- enable: true
|
||||
- reload: true
|
||||
- watch:
|
||||
- file: /etc/iptables/rules-save
|
||||
- require:
|
||||
- system_firewall_pkgs
|
||||
- system_firewall_service_reload
|
||||
|
||||
|
|
@ -5,11 +5,8 @@ system_packages_install:
|
|||
pkg.installed:
|
||||
- pkgs:
|
||||
- podman
|
||||
- cockpit-podman
|
||||
- podman-docker
|
||||
- podman-compose
|
||||
- mariadb-server
|
||||
- java-latest-openjdk-headless
|
||||
- mariadb
|
||||
- openjdk17-jre-headless
|
||||
- jq
|
||||
- require:
|
||||
- system_btrfs_create_podman_data_dir
|
||||
|
|
|
|||
Loading…
Reference in a new issue