From: Frank Brehm
Date: Fri, 9 Apr 2021 04:25:03 +0000 (+0200)
Subject: daily autocommit
X-Git-Url: https://git.uhu-banane.org/?a=commitdiff_plain;h=2225ca36313804bd5067bffcddc26c4757603e24;p=config%2Fhelga-hetzner%2Fetc.git
daily autocommit
---
diff --git a/.etckeeper b/.etckeeper
index 9a95435..1153063 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -855,7 +855,6 @@ maybe chmod 0644 'mysql/mariadb.conf.d/50-client.cnf'
 maybe chmod 0644 'mysql/mariadb.conf.d/50-mysql-clients.cnf'
 maybe chmod 0644 'mysql/mariadb.conf.d/50-mysqld_safe.cnf'
 maybe chmod 0644 'mysql/mariadb.conf.d/50-server.cnf'
-maybe chmod 0644 'mysql/my.cnf'
 maybe chmod 0644 'mysql/my.cnf.2021.04.08.22.02.11'
 maybe chmod 0644 'mysql/my.cnf.fallback'
 maybe chmod 0644 'nanorc'
@@ -879,6 +878,7 @@ maybe chmod 0755 'network/interfaces.d'
 maybe chmod 0644 'network/interfaces.d/50-cloud-init'
 maybe chmod 0644 'networks'
 maybe chmod 0755 'nftables.conf'
+maybe chmod 0755 'nftables.conf.2021.04.08.22.02.11'
 maybe chmod 0755 'nginx'
 maybe chmod 0755 'nginx/conf-available'
 maybe chmod 0644 'nginx/conf-available/0-general.conf'
diff --git a/motd b/motd
index e3be971..c13b34f 100644
--- a/motd
+++ b/motd
@@ -6,9 +6,8 @@ Debian GNU/Linux 10 (buster)
 |_| |_|\___|_|\__, |\__,_|
 |___/
-Mathematik, die auf Konviktion, Überführung ausgeht, weshalb
-gute Köpfe sich an ihr ärgern.
- -- Goethe, Maximen und Reflektionen, Nr. 1339
+Wer für Harmonie ist, muß auch bereit sein, das Harmonium zu spielen.
+ -- Franz Josef Strauß
-Today is Pungenday, the 25th day of Discord in the YOLD 3187
+Today is Prickle-Prickle, the 26th day of Discord in the YOLD 3187
diff --git a/mysql/my.cnf b/mysql/my.cnf
deleted file mode 100644
index 94d8f10..0000000
--- a/mysql/my.cnf
+++ /dev/null
@@ -1,23 +0,0 @@
-# The MariaDB configuration file
-#
-# The MariaDB/MySQL tools read configuration files in the following order:
-# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults,
-# 2. "/etc/mysql/conf.d/*.cnf" to set global options.
-# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options.
-# 4. "~/.my.cnf" to set user-specific options.
-#
-# If the same option is defined multiple times, the last one will apply.
-#
-# One can use all long options that the program supports.
-# Run program with --help to get a list of available options and with
-# --print-defaults to see which it would actually understand and use.
- # - This group is read both both by the client and the server - # use it for options that affect everything - # -[client-server] -
-# Import all .cnf files from configuration directory
-!includedir /etc/mysql/conf.d/
-!includedir /etc/mysql/mariadb.conf.d/
diff --git a/mysql/my.cnf b/mysql/my.cnf
new file mode 120000
index 0000000..18bea13
--- /dev/null
+++ b/mysql/my.cnf
@@ -0,0 +1 @@
+/etc/alternatives/my.cnf
\ No newline at end of file
diff --git a/nftables.conf b/nftables.conf
index a58f4ce..fc8c269 100755
--- a/nftables.conf
+++ b/nftables.conf
@@ -2,14 +2,56 @@
 flush ruleset
+# `inet` applies to both IPv4 and IPv6.
 table inet filter {
-chain input {
-type filter hook input priority 0;
-}
-chain forward {
-type filter hook forward priority 0;
-}
-chain output {
-type filter hook output priority 0;
-}
+chain input {
+type filter hook input priority 0;
+
+# accept any localhost traffic
+iif lo accept
+
+# no ping floods:
+ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
+ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets drop
+
+# accept traffic originated from us
+ct state established,related accept
+
+# accept ICMP & IGMP
+ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
+ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
+ip protocol igmp accept
+
+# ssh
+tcp dport 22 accept
+
+# http/https
+tcp dport 80 accept
+tcp dport 443 accept
+
+# smtp/submission
+tcp dport 25 accept
+tcp dport 587 accept
+
+# pop3/pop3s
+tcp dport 110 accept
+tcp dport 995 accept
+
+# imap/imaps
+tcp dport 143 accept
+tcp dport 993 accept
+
+# count and drop any other traffic
+counter drop
+}
+
+chain output {
+type filter hook output priority 0;
+policy accept;
+}
+
+chain forward {
+type filter hook forward priority 0;
+policy drop;
+}
 }
diff --git a/nftables.conf.2021.04.08.22.02.11 b/nftables.conf.2021.04.08.22.02.11
new file mode 100755
index 0000000..a58f4ce
--- /dev/null
+++ b/nftables.conf.2021.04.08.22.02.11
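Review bot: The two echo-request rate-limit drops in the new `chain input` have no matching accept — neither ICMP type set below them lists `echo-request` — so pings under the limit still reach the final `counter drop` and the host answers no ping at all, which leaves the limit rules with no effect; if limited ping is the intent, add `ip protocol icmp icmp type echo-request accept` and `ip6 nexthdr icmpv6 icmpv6 type echo-request accept` after the limit rules, otherwise the limit rules can go. The input chain also carries no explicit policy while the new output and forward chains do, so its default-deny depends on `counter drop` staying the last rule; `type filter hook input priority 0; policy drop;` makes that independent of rule order. A `ct state invalid drop` ahead of the `established,related` accept would be the usual companion, and `meta l4proto icmpv6` is preferred over `ip6 nexthdr icmpv6`, which does not match ICMPv6 carried behind IPv6 extension headers.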
@@ -0,0 +1,15 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+chain input {
+type filter hook input priority 0;
+}
+chain forward {
+type filter hook forward priority 0;
+}
+chain output {
+type filter hook output priority 0;
+}
+}
diff --git a/systemd/system/sysinit.target.wants/nftables.service b/systemd/system/sysinit.target.wants/nftables.service
new file mode 120000
index 0000000..508bc9a
--- /dev/null
+++ b/systemd/system/sysinit.target.wants/nftables.service
@@ -0,0 +1 @@
+/lib/systemd/system/nftables.service
\ No newline at end of file