Diffstat (limited to 'files')
-rw-r--r--files/etc/apt/listchanges.conf9
-rw-r--r--files/etc/nftables.conf59
-rw-r--r--files/etc/ssh/sshd_config.d/local.conf10
-rw-r--r--files/etc/systemd/resolved.conf.d/local.conf3
-rw-r--r--files/etc/systemd/timesyncd.conf.d/local.conf2
5 files changed, 83 insertions, 0 deletions
diff --git a/files/etc/apt/listchanges.conf b/files/etc/apt/listchanges.conf
new file mode 100644
index 0000000..96910a0
--- /dev/null
+++ b/files/etc/apt/listchanges.conf
@@ -0,0 +1,9 @@
+[apt]
+frontend=mail
+which=news
+email_address=root
+email_format=text
+confirm=false
+headers=false
+reverse=false
+save_seen=/var/lib/apt/listchanges.db
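Review bot: `frontend=mail` with `email_address=root` on lines 21 and 23 delivers NEWS entries to the local root mailbox, so unless mail for root is forwarded off-host (an aliases entry or similar, which this commit does not add) the notices land where nobody reads them. Nothing here is wrong as configuration, but it depends on a working local MTA and a root alias that are not visible in the diff; a one-line comment above `frontend=mail` naming where root mail is routed would make that dependency explicit, e.g. `# requires a local MTA; root mail is forwarded via /etc/aliases (see <PLACEHOLDER: path>)`.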
diff --git a/files/etc/nftables.conf b/files/etc/nftables.conf
new file mode 100644
index 0000000..e8784ab
--- /dev/null
+++ b/files/etc/nftables.conf
@@ -0,0 +1,59 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet raw {
+ chain PREROUTING-stateless {
+ # XXX can't add that to the ingress hook as that happens before IP defragmentation
+ # so we don't have the TCP header in later fragments (we don't want to drop IP
+ # fragments, see https://blog.cloudflare.com/ip-fragmentation-is-broken/ )
+ type filter hook prerouting priority -399 # > NF_IP_PRI_CONNTRACK_DEFRAG (-400)
+ policy accept
+
+ # stateless filter for bogus TCP packets
+ tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop # null packet
+ tcp flags & (fin|psh|urg) == fin|psh|urg counter drop # XMAS packet
+ tcp flags & (syn|rst) == syn|rst counter drop
+ tcp flags & (fin|rst) == fin|rst counter drop
+ tcp flags & (fin|syn) == fin|syn counter drop
+ tcp flags & (fin|psh|ack) == fin|psh counter drop
+ }
+
+ chain PREROUTING {
+ type filter hook prerouting priority -199 # > NF_IP_PRI_CONNTRACK (-200)
+ policy accept
+
+ # stateful filter
+ ct state invalid counter drop
+ }
+}
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0
+ policy drop
+
+ iif lo accept
+
+ ct state related,established accept
+ meta l4proto { icmp, icmpv6 } counter accept
+
+ tcp dport 22 ct state new counter accept
+ }
+
+ chain output {
+ type filter hook output priority 0
+ policy drop
+
+ oif lo accept
+ ct state related,established accept
+ meta l4proto { icmp, icmpv6 } counter accept
+
+ ct state new counter accept
+
+ # graceful reject
+ meta l4proto tcp counter reject with tcp reset
+ meta l4proto udp counter reject
+ counter reject
+ }
+}
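Review bot: The SSH rule on line 75, `tcp dport 22 ct state new counter accept`, admits an unbounded rate of new connections from any source, which leaves authentication as the only brake on brute-force attempts against the port; a rule-level ceiling such as `tcp dport 22 ct state new limit rate 10/minute burst 20 packets counter accept` bounds that at the packet filter (a per-source limit would need a set-based meter, which is more involved and can be left for a follow-up). In the output chain, `ct state new counter accept` on line 86 means every new outbound connection is allowed, so the `policy drop` and the three "graceful reject" rules below it only ever see packets conntrack classed as invalid or untracked; if that is intended, a comment such as `# anything not lo/established/new is conntrack-invalid: reject rather than drop` above line 88 would save the next reader from expecting an egress allow-list. The priority comments on lines 44 and 57 correctly place both prerouting chains just after defrag and conntrack respectively; it may be worth stating in the header comment that the stateless chain intentionally runs before the `ct state invalid` drop so the flag checks also catch packets conntrack would accept.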
diff --git a/files/etc/ssh/sshd_config.d/local.conf b/files/etc/ssh/sshd_config.d/local.conf
new file mode 100644
index 0000000..3a5323f
--- /dev/null
+++ b/files/etc/ssh/sshd_config.d/local.conf
@@ -0,0 +1,10 @@
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+PermitRootLogin no
+AllowGroups ssh-login
+
+PasswordAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+X11Forwarding no
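Review bot: `AllowGroups ssh-login` on line 104 together with `PermitRootLogin no` on line 103 denies SSH to every account until some user is a member of `ssh-login`, and nothing in this commit creates that group or its membership, so applying the file on its own locks the host out; the provisioning that adds the group should be referenced in a comment above line 104, e.g. `# group is created by <PLACEHOLDER: provisioning step>; verify membership before restarting sshd`. `ChallengeResponseAuthentication` on line 108 has been a deprecated alias of `KbdInteractiveAuthentication` since OpenSSH 8.7, so the line should read `KbdInteractiveAuthentication no` (keeping the old spelling as well is harmless if older releases must be supported). Note also that `HostKey` is cumulative across the configuration, so the two keys on lines 100-101 restrict sshd to RSA and Ed25519 only if the main `sshd_config` declares no further `HostKey` lines, and the "first value wins" rule for the other directives holds only because Debian's stock `sshd_config` includes `sshd_config.d/*.conf` before its own settings — worth a one-line comment at the top of the file so a future `Include` change does not silently reorder precedence.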
diff --git a/files/etc/systemd/resolved.conf.d/local.conf b/files/etc/systemd/resolved.conf.d/local.conf
new file mode 100644
index 0000000..812e6b5
--- /dev/null
+++ b/files/etc/systemd/resolved.conf.d/local.conf
@@ -0,0 +1,3 @@
+[Resolve]
+# Quad9
+DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
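Review bot: The `#dns.quad9.net` suffixes on line 118 are only used as the TLS server name, and this drop-in never sets `DNSOverTLS=`, whose default is `no`, so systemd-resolved sends plain port-53 queries to Quad9 and the suffixes are inert; add `DNSOverTLS=yes` under `[Resolve]` to get the strict DoT the names imply (use `opportunistic` instead if a plaintext fallback is acceptable). Optionally `DNSSEC=allow-downgrade` can be added alongside it since Quad9 validates upstream. The nftables output chain in the same commit accepts any new outbound connection, so port 853 needs no extra firewall rule for this to work.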
diff --git a/files/etc/systemd/timesyncd.conf.d/local.conf b/files/etc/systemd/timesyncd.conf.d/local.conf
new file mode 100644
index 0000000..632cd3f
--- /dev/null
+++ b/files/etc/systemd/timesyncd.conf.d/local.conf
@@ -0,0 +1,2 @@
+[Time]
+NTP=ntp.hetzner.com
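Review bot: `NTP=ntp.hetzner.com` on line 126 is a single source, and because systemd-timesyncd consults `FallbackNTP=` only when no `NTP=` servers are configured at all, time synchronisation stops entirely if that host is unreachable or stops resolving; listing a second independent server in the same `NTP=` line (space-separated) keeps the distribution's fallback semantics intact while adding redundancy. If DNS-over-TLS is ever enabled for resolved, an address-literal entry here also avoids the bootstrap dependency of needing a valid clock to validate the resolver's certificate before the NTP name can be resolved. A short comment above the line stating why Hetzner's server was chosen (presumably the host runs there — confirm) would help a future reader.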