Initial commit

init/configure-firewalld.service

@@ -0,0 +1,14 @@
+# Enabled by install-additional-packages.service to run after first reboot
+[Unit]
+After=network-online.target
+Wants=network-online.target
+ConditionPathExists=!/var/lib/configure-firewalld
+
+[Service]
+Type=oneshot
+ExecStart=/opt/bin/configure-firewalld.sh
+ExecStartPost=/usr/bin/touch /var/lib/configure-firewalld
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target

init/configure-firewalld.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+set -o errexit -o pipefail -o noclobber -o nounset -o errtrace -o functrace
+
+# Run after first reboot when firewalld and fail2ban are installed
+systemctl enable --now firewalld
+
+firewall-cmd --zone=internal --add-source=192.168.0.0/16 --add-source=172.16.0.0/12 --add-source=10.0.0.0/8 --permanent
+firewall-cmd --zone=internal --add-service=ssh --permanent
+firewall-cmd --zone=internal --add-service=dns --permanent
+firewall-cmd --zone=internal --add-service=samba --permanent
+firewall-cmd --zone=internal --add-port=5335/tcp --permanent
+firewall-cmd --zone=internal --add-port=5335/udp --permanent
+firewall-cmd --zone=internal --add-port=3129/tcp --permanent
+firewall-cmd --zone=internal --add-port=3129/udp --permanent
+firewall-cmd --zone=internal --add-port=9090/tcp --permanent
+firewall-cmd --zone=internal --add-port=9090/udp --permanent
+firewall-cmd --zone=internal --add-port=2222/tcp --permanent
+
+firewall-cmd --add-service=http --permanent
+firewall-cmd --add-service=https --permanent
+firewall-cmd --add-port=8080/tcp --permanent
+firewall-cmd --add-port=8080/udp --permanent
+firewall-cmd --add-port=4443/tcp --permanent
+firewall-cmd --add-port=4443/udp --permanent
+firewall-cmd --add-port=6881/tcp --permanent
+firewall-cmd --zone=internal --add-service=http --permanent
+firewall-cmd --zone=internal --add-service=https --permanent
+firewall-cmd --zone=internal --add-port=8080/tcp --permanent
+firewall-cmd --zone=internal --add-port=8080/udp --permanent
+firewall-cmd --zone=internal --add-port=4443/tcp --permanent
+firewall-cmd --zone=internal --add-port=4443/udp --permanent
+firewall-cmd --zone=internal --add-port=6881/tcp --permanent
+
+firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
+firewall-cmd --add-forward-port=port=80:proto=udp:toport=8080 --permanent
+firewall-cmd --add-forward-port=port=443:proto=tcp:toport=4443 --permanent
+firewall-cmd --add-forward-port=port=443:proto=udp:toport=4443 --permanent
+firewall-cmd --zone=internal --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
+firewall-cmd --zone=internal --add-forward-port=port=80:proto=udp:toport=8080 --permanent
+firewall-cmd --zone=internal --add-forward-port=port=443:proto=tcp:toport=4443 --permanent
+firewall-cmd --zone=internal --add-forward-port=port=443:proto=udp:toport=4443 --permanent
+
+firewall-cmd --reload
+
+mv /root/jail.local /etc/fail2ban/jail.local
+restorecon -v /etc/fail2ban/jail.local
+
+systemctl enable --now fail2ban

init/enable-all-quadlets.service

@@ -0,0 +1,15 @@
+[Unit]
+After=systemd-user-sessions.service
+After=network-online.target
+Wants=network-online.target
+Wants=systemd-user-sessions.service
+ConditionPathExists=!/var/lib/quadlets-enabled
+
+[Service]
+Type=oneshot
+ExecStart=/opt/bin/enable-all-quadlets.sh
+ExecStartPost=/usr/bin/touch /var/lib/quadlets-enabled
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target

init/enable-all-quadlets.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+set -o errexit -o pipefail -o noclobber -o nounset -o errtrace -o functrace
+
+setsebool -P container_use_devices on
+setsebool -P openvpn_run_unconfined on
+semanage fcontext -a -t container_file_t "/mnt/nas(/.*)?"
+#semanage fcontext -a -t container_file_t "/mnt/nas/containers/.*/storage/.*(/.*)?"
+restorecon -vR /mnt/nas
+
+users=("gitea" "homeassistant" "jdownloader" "kiwix" "komga" "navidrome" "nextcloud" "nginx" "pairdrop" "paperless" "pihole" "qbittorrent" "synapse" "wallabag")
+for user in "${users[@]}"; do
+  chown -R "${user}:${user}" "/var/home/${user}"
+  secrets_file="/var/home/${user}/.secrets"
+  if [[ -f "${secrets_file}" ]];then
+    sudo -u "${user}" /opt/bin/add-secrets.sh "${secrets_file}"
+  fi
+  systemctl --user -M "${user}@" daemon-reload
+  systemctl --user -M "${user}@" enable --now "podman-auto-update.timer" || true
+  systemctl --user -M "${user}@" stop "${user}.service" || true
+  systemctl --user -M "${user}@" start "${user}.service"
+  echo "${user} done"
+done
+systemctl --user -M "arr@" daemon-reload
+systemctl --user -M "arr@" start "overseerr.service"
+systemctl --user -M "tga@" daemon-reload
+systemctl --user -M "tga@" enable --now "update-dyndns.timer"
+
+systemctl --user -M "kiwix@" enable --now "clone-zim-updater.service"
+systemctl --user -M "nextcloud@" enable --now "pre-generate-preview.timer"
+systemctl --user -M "pihole@" enable --now "update-hints.timer"
+systemctl --user -M "pihole@" enable --now "update-root.timer"
+
+/opt/bin/add-secrets.sh /root/.secrets
+systemctl daemon-reload
+systemctl start samba.service