first version
parent 8225284941
commit cc919a9bfa
README.md (60 lines changed)
@ -1,2 +1,62 @@
# gearbsd

This repo will eventually turn into a collection of parametrized templates to easily deploy services or environments on $system.

# Examples

- Deploying a pf.conf on OpenBSD
- Enabling Gnome3 on OpenBSD (requires enabling many services, modifying /etc/login.conf and /etc/gdm.conf)

# Why?

Most of the time we need to do the same things over and over, using simple templates with parameters allow easy reproducibles configuration.

# How to use

You need [(R)?ex](https://rexify.org/) installed, cd into a directory to find a `Rexfile`, look at the self explanatory variables at the top of the file to adapt your needs and run `rex -H destination configure`, on localhost you can run it as root like `rex configure` or `rex -H localhost configure` if you have a localhost root access by ssh. You will need root access through ssh when using Rex over the network.

# Improvements

- Allow to use sudo instead of direct root access
- Allow to use doas (but this will require changes in Rex)
- Maintain a list of applied modules to keep track of used modules

# Template example

In the `openbsd/pf` module, these variables will define the generation of the pf.conf file.

- TCPports: [22, 80, 443]
- UDPports: [53, "2000:20010"]
- allow_icmp: 1
- nat: 0
- nat_from_interface: "wg0"
- nat_to_interface: "em0

This set of values will produce the following file and load it into pf:
```
services_tcp="{ 22 80 443 }"
services_udp="{ 53 2000:20010 }"

set skip on lo
set block-policy drop

# block incoming by default
block return log
pass out quick

# allow TCP
pass in on egress inet proto tcp from any to (egress) port $services_tcp

# allow UDP
pass in on egress inet proto udp from any to (egress) port $services_udp

# allow ICMP (over ipv4)
pass in on egress inet proto icmp from any to (egress)

# <-- default rules --->
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

## Port build user does not need network
block return out log proto {tcp udp} user _pbuild
```
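Review bot: the generated pf.conf declares `set block-policy drop` and then overrides it on the very next rule with `block return log` as the default deny (and again with `block return` on the X11 and `_pbuild` rules), so the global policy line has no effect and every filtered packet is answered with a TCP RST or ICMP unreachable, which tells a scanner that the host is up and filtering rather than silently dropping. Pick one behaviour and make the file say what it does: either `block log` (drop, the quieter choice on an exposed egress interface) or delete the `set block-policy drop` line. Two smaller points in the same hunk: `- nat_to_interface: "em0` is missing its closing quote and will not parse as written, it should read `- nat_to_interface: "em0"`; and `pass in on egress inet proto icmp from any to (egress)` admits every ICMPv4 type, which is broader than an `allow_icmp` switch suggests, so either restrict it (for example `icmp-type echoreq`, plus whatever is needed for path MTU discovery) or document in the README that the knob opens all of ICMPv4. Minor wording: "using simple templates with parameters allow easy reproducibles configuration" should be "using simple templates with parameters allows easy, reproducible configuration", and "cd into a directory to find a `Rexfile`" reads better as "cd into a directory containing a `Rexfile`".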