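--- a/builds/system-config/APKBUILD
+++ b/builds/system-config/APKBUILD
@@ -1,6 +1,6 @@
 # Maintainer: Damien Tardy-Panis <damien.dev@tardypad.me>
 pkgname="system-config"
-pkgver=7
+pkgver=8
 pkgrel=0
 pkgdesc="System configurations"
 url="https://sr.ht/~tardypad/alpine-system/"
@@ -12,6 +12,7 @@ depends="doas
 git
 jargon-gemini
 linux-firmware-none
+ nftables
 radicale
 rsync
 tardypad.me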
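--- a/builds/system-config/files/etc/nftables.nft
+++ b/builds/system-config/files/etc/nftables.nft
@@ -0,0 +1,43 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+
+ iifname lo accept \
+ comment "Accept any localhost traffic"
+
+ ct state { established, related } accept \
+ comment "Accept traffic originated from us"
+
+ ct state invalid drop \
+ comment "Early drop of invalid connections"
+
+ ip protocol icmp icmp type {
+ echo-reply, # type 0
+ destination-unreachable, # type 3
+ echo-request, # type 8
+ time-exceeded, # type 11
+ parameter-problem, # type 12
+ } accept \
+ comment "Accept some ICMP types"
+
+ tcp dport 11235 accept \
+ comment "Accept SSH on non default port"
+
+ tcp dport { http, https } accept \
+ comment "Accept HTTP"
+
+ tcp dport 1965 accept \
+ comment "Accept Gemini"
+
+ udp dport 51820 accept \
+ comment "Accept WireGuard"
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+}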
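Review bot: The ICMP rule `ip protocol icmp icmp type { ... }` matches IPv4 only, yet the table is `inet` and the input chain is `policy drop`, so no ICMPv6 is accepted at all; if this host carries IPv6 addresses, neighbor solicitation/advertisement, router advertisements and packet-too-big will be dropped and IPv6 reachability of the listed services will most likely break. A companion ICMPv6 rule placed directly after the IPv4 one, written in the same style, covers the types IPv6 needs to function; the set below is a starting point to trim or extend to what the host actually requires. Minor: the comment on `tcp dport { http, https }` reads `"Accept HTTP"` although the rule also admits HTTPS, so `comment "Accept HTTP and HTTPS"` would describe it accurately.
```nft
    # … unchanged: IPv4 ICMP accept rule above …

    meta l4proto ipv6-icmp icmpv6 type {
        echo-reply,
        destination-unreachable,
        packet-too-big,
        time-exceeded,
        parameter-problem,
        echo-request,
        nd-router-advert,
        nd-neighbor-solicit,
        nd-neighbor-advert,
    } accept \
        comment "Accept some ICMPv6 types"

    # … unchanged: SSH, HTTP, Gemini and WireGuard accept rules …
```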
M builds/system-config/system-config.post-install => builds/system-config/system-config.post-install +3 -0
@@ 15,4 15,7 @@ chown -R radicale:radicale /home/damien/radicale
rc-update add radicale default
rc-service radicale restart
+rc-update add nftables default
+rc-service nftables start
+
list_manual_updates
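Review bot: `rc-service nftables start` is a no-op when the service is already running, so on later upgrades of this package a changed `/etc/nftables.nft` is not applied until the next reboot; the radicale lines just above use `restart`, and `rc-service nftables restart` would keep the two consistent and load the shipped ruleset on every install. Since the ruleset starts with `flush ruleset` and sets `policy drop` on input, it may also be worth running `nft -c -f /etc/nftables.nft` before the restart so a syntax error in a future version of the file is reported here rather than discovered as a firewall that never loaded the intended rules. The script's earlier lines are outside the hunk, so whether an error here aborts the post-install cannot be seen from this view.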