Fix: provision cleanup and organize
authorSilvio Rhatto <rhatto@riseup.net>
Sun, 13 Dec 2020 13:25:19 +0000 (10:25 -0300)
committerSilvio Rhatto <rhatto@riseup.net>
Sun, 13 Dec 2020 13:25:19 +0000 (10:25 -0300)
26 files changed:
README.md
share/provision/debian/basic [moved from share/provision/basic with 100% similarity]
share/provision/debian/desktop-basic [moved from share/provision/desktop-basic with 100% similarity]
share/provision/debian/desktop-full [moved from share/provision/desktop-full with 100% similarity]
share/provision/debian/development [moved from share/provision/development with 100% similarity]
share/provision/debian/files/desktop-basic/etc/default/keyboard [moved from share/provision/files/desktop-basic/etc/default/keyboard with 100% similarity]
share/provision/debian/files/desktop-basic/etc/lightdm/lightdm.conf [moved from share/provision/files/desktop-basic/etc/lightdm/lightdm.conf with 100% similarity]
share/provision/debian/files/desktop-basic/home/user/.custom/xsession [moved from share/provision/files/desktop-basic/home/user/.custom/xsession with 100% similarity]
share/provision/debian/lsd [moved from share/provision/lsd with 100% similarity]
share/provision/debian/messenger [moved from share/provision/messenger with 100% similarity]
share/provision/debian/openbox [moved from share/provision/openbox with 78% similarity]
share/provision/debian/openvpn [moved from share/provision/openvpn with 100% similarity]
share/provision/debian/tor-browser [moved from share/provision/tor-browser with 100% similarity]
share/provision/debian/trashman [moved from share/provision/trashman with 100% similarity]
share/provision/debian/web-basic [moved from share/provision/web-basic with 100% similarity]
share/provision/debian/web-full [moved from share/provision/web-full with 100% similarity]
share/provision/debian/webserver [moved from share/provision/webserver with 100% similarity]
share/provision/debian/wireguard [moved from share/provision/wireguard with 100% similarity]
share/provision/files/njalla-openvpn/etc/ferm/ferm.conf [deleted file]
share/provision/files/njalla-openvpn/etc/udev/rules.d/81-vpn-firewall.rules [deleted file]
share/provision/files/njalla-openvpn/usr/local/bin/fermreload.sh [deleted file]
share/provision/files/njalla-wireguard/etc/ferm/ferm.conf [deleted file]
share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules [deleted file]
share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh [deleted file]
share/provision/njalla-openvpn [deleted file]
share/provision/njalla-wireguard [deleted file]

index 51eb5d3cae8e8c932901778df44eb91cf1aad8c6..6708cb7df25bebde5d9c45464c8c82657da5f8a6 100644 (file)
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ sources, you'll feel welcome here :)
 
 ## Features
 
-* Automatic provisioning for Debian guests.
+* Automatic provisioning for Debian-based guests.
 * Serial console support.
 * QEMU monitor support.
 * Easily copy files or SSH into the guest.
similarity index 78%
rename from share/provision/openbox
rename to share/provision/debian/openbox
index 26a6db0c0e19bbcd1d83b288f32e5b73a40bcf6f..df47622feef8058c35515a6db66f7e1430b0b210 100755 (executable)
@@ -28,5 +28,13 @@ APT_INSTALL="sudo LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y"
 
 # Use a stacked window manager to reduce browser fingerprinting
 $APT_INSTALL openbox gmrun
-apps/metadot/metadot load openbox
-sed -i -e 's/^WINDOW_MANAGER=.*$/WINDOW_MANAGER="openbox"/' $HOME/.custom/xsession
+
+# Dotfiles configuration
+if [ -x "$HOME/apps/metadot/metadot" ]; then
+  $HOME/apps/metadot/metadot load openbox
+fi
+
+# Custom xsession config
+if [ -f "$HOME/.custom/xsession" ]; then
+  sed -i -e 's/^WINDOW_MANAGER=.*$/WINDOW_MANAGER="openbox"/' $HOME/.custom/xsession
+fi
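Review bot: The two new guards quote the path in the test but leave it unquoted in the command they protect, so a home directory containing whitespace or glob characters passes the check and then word-splits in the call; write `"$HOME/apps/metadot/metadot" load openbox` and end the sed line with `"$HOME/.custom/xsession"`. Both guards also skip silently: when `.custom/xsession` is absent the run finishes without setting WINDOW_MANAGER, and nothing tells the operator that the window manager the fingerprinting comment relies on was installed but never selected. An `else` branch such as `echo "openbox: $HOME/.custom/xsession not found, WINDOW_MANAGER not set" >&2` would make the skipped step visible. The script begins outside this hunk, so whether it runs under `set -e` or checks the apt-get result cannot be seen from here.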
diff --git a/share/provision/files/njalla-openvpn/etc/ferm/ferm.conf b/share/provision/files/njalla-openvpn/etc/ferm/ferm.conf
deleted file mode 100644 (file)
index a25a3d2..0000000
+++ /dev/null
@@ -1,181 +0,0 @@
-# -*- shell-script -*-
-#
-#  Configuration file for ferm(1).
-#
-#  V: 0.1
-#
-#  ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html
-#  Blog post:   https://blog.ipredator.se/linux-firewall-howto.html
-#
-
-# Really make sure that these modules exist and are loaded.
-@hook pre "/sbin/modprobe nf_conntrack_ftp";
-@hook pre "/sbin/modprobe nfnetlink_log";
-
-# Network interfaces.
-#@def $DEV_LAN = eth0;
-@def $DEV_LAN = ens3;
-@def $DEV_LOOPBACK = lo0;
-@def $DEV_VPN = tun0;
-
-# Network definition for the loopback device. This is needed to allow
-# DNS resolution on Ubuntu Linux where the local resolver is bound
-# to 127.0.1.1 - as opposed to the default 127.0.0.1.
-@def $NET_LOOPBACK = 127.0.0.0/8;
-
-# Common application ports.
-@def $PORT_DNS = 53;
-@def $PORT_FTP = ( 20 21 );
-@def $PORT_NTP = 123;
-@def $PORT_SSH = 22;
-@def $PORT_WEB = ( 80 443 );
-
-# The ports we allow OpenVPN to connect to. IPredator allows you
-# to connect on _any_ port. Simply add more ports if desired but
-# stick to only those that you really need.
-@def $PORT_OPENVPN = (1194 1234 1337 2342 5060);
-
-# See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html
-# Ports Transmission is allowed to use.
-@def $PORT_TRANSMISSION = 16384:65535;
-
-# Public DNS servers and those that are only reachable via VPN.
-# DNS servers are specified in the outbound DNS rules to prevent DNS leaks
-# (https://www.dnsleaktest.com/). The public DNS servers configured on your
-# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns),
-# but you need to verify this.
-#
-@def $IP_DNS_IPR_PUBLIC = (194.132.32.32/32 46.246.46.246/32);
-
-# Add your ISP name server to this object if you want to restrict 
-# which DNS servers can be queried.
-@def $IP_DNS_PUBLIC = 0.0.0.0/0;
-
-# DNS server available within the VPN.
-@def $IP_DNS_VPN = ( 46.246.46.46/32 194.132.32.23/32 );
-
-# Make sure to use the proper VPN interface (e.g. tun0 in this case).
-# Note: You cannot reference $DEV_VPN here, substition does not take
-#       place for commands passed to a sub shell.
-@def $VPN_ACTIVE = `ip link show tun0 >/dev/null 2>/dev/null && echo 1 || echo`;
-
-# VPN interface conditional. If true the following rules are loaded.
-@if $VPN_ACTIVE {
-    domain ip {
-        table filter {
-            chain INPUT {
-                interface $DEV_VPN {
-                    proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT;
-                }
-            }
-            chain OUTPUT {
-                # Default allowed outbound services on the VPN interface.
-                # If you need more simply add your rules here.
-                outerface $DEV_VPN {
-                    proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT;
-                    proto tcp dport $PORT_FTP ACCEPT;
-                    proto udp dport $PORT_NTP ACCEPT;
-                    proto tcp dport $PORT_SSH ACCEPT;
-                    proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT;
-                    proto tcp dport $PORT_WEB ACCEPT;
-                }
-            }
-        }
-    }
-}
-
-# The main IPv4 rule set.
-domain ip {
-    table filter {
-        chain INPUT {
-            # The default policy for the chain. Usually ACCEPT or DROP or REJECT.
-            policy DROP;
-
-            # Connection tracking.
-            mod state state INVALID DROP;
-            mod state state (ESTABLISHED RELATED) ACCEPT;
-
-            # Allow local traffic to loopback interface.
-            daddr $NET_LOOPBACK ACCEPT;
-            # Allow inbound SSH on your LAN interface _only_.
-            interface $DEV_LAN {
-                proto tcp dport $PORT_SSH ACCEPT;
-            }
-
-            # Respond to ping ... makes debugging easier.
-            proto icmp icmp-type echo-request ACCEPT;
-
-            # Log dropped packets.
-            NFLOG nflog-group 1;
-            DROP;
-        }
-
-        chain OUTPUT {
-            policy DROP;
-
-            # Connection tracking.
-            mod state state INVALID DROP;
-            mod state state (ESTABLISHED RELATED) ACCEPT;
-
-            # Allow local traffic from the loopback interface.
-            saddr $NET_LOOPBACK ACCEPT;
-  
-            # Respond to ping.
-            proto icmp icmp-type echo-request ACCEPT;
-
-            # Allowed services on the LAN interface.
-            outerface $DEV_LAN {
-                proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT;
-                proto udp dport $PORT_NTP ACCEPT;
-                proto (tcp udp) dport $PORT_OPENVPN ACCEPT;
-                proto tcp dport $PORT_SSH ACCEPT;
-            }
-
-            # Log dropped packets.
-            NFLOG nflog-group 1;
-            DROP;
-        }
-
-        chain FORWARD {
-            policy DROP;
-
-            # If you use your machine to route traffic eg. 
-            # from a VM you have to add rules here!
-
-            # Log dropped packets.
-            NFLOG nflog-group 1;
-            DROP;
-        }
-    }
-}
-
-# IPv6 is generally disabled, communication on the loopback device is allowed.
-domain ip6 {
-    table filter {
-        chain INPUT {
-            policy DROP;
-
-            # Allow local traffic.
-            interface $DEV_LOOPBACK ACCEPT;
-
-            # Log dropped packets.
-            NFLOG nflog-group 1;
-            DROP;
-        }
-        chain OUTPUT {
-            policy DROP;
-
-            # Log dropped packets.
-            NFLOG nflog-group 1;
-            DROP;
-        }
-        chain FORWARD {
-            policy DROP;
-
-            # Log dropped packets.
-            NFLOG nflog-group 1;
-            DROP;
-        }
-    }
-}
diff --git a/share/provision/files/njalla-openvpn/etc/udev/rules.d/81-vpn-firewall.rules b/share/provision/files/njalla-openvpn/etc/udev/rules.d/81-vpn-firewall.rules
deleted file mode 100644 (file)
index 64d8bd1..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-KERNEL=="tun0", ACTION=="add", RUN+="/usr/local/bin/fermreload.sh add"
-KERNEL=="tun0", ACTION=="remove", RUN+="/usr/local/bin/fermreload.sh remove"
diff --git a/share/provision/files/njalla-openvpn/usr/local/bin/fermreload.sh b/share/provision/files/njalla-openvpn/usr/local/bin/fermreload.sh
deleted file mode 100755 (executable)
index cebf7cc..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/bash
-#
-# fermreload.sh
-# V: 0.1
-#
-# Reloads the ferm firewall ruleset and is invoked by
-# the udev via /etc/udev/rules.d/81-vpn-firewall.rules.
-#
-# IPredator 2014
-# Released under the Kopimi license.
-#
-# Blog post:   https://blog.ipredator.se/linux-firewall-howto.html
-#
-
-LOGGER=/usr/bin/logger
-LOGGER_TAG=$0
-
-UDEV_ACTION=$1
-
-FERM=/usr/sbin/ferm
-FERM_CONF=/etc/ferm/ferm.conf
-
-MSG_FW_RULE_ADD="Adding VPN firewall rules."
-MSG_FW_RULE_REMOVE="Removing VPN firewall rules."
-MSG_UDEV_ACTION_UNKNOWN="Unknown udev action."
-
-case "$UDEV_ACTION" in
-    add)
-        $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_ADD
-        $FERM $FERM_CONF
-        ;;
-    remove)
-        $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_REMOVE
-        $FERM $FERM_CONF
-        ;;
-    *)
-        $LOGGER -t $LOGGER_TAG $MSG_UDEV_ACTION_UNKNOWN
-        exit 1
-esac
diff --git a/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf b/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf
deleted file mode 100644 (file)
index 9ef8208..0000000
+++ /dev/null
@@ -1,179 +0,0 @@
-# -*- shell-script -*-
-#
-#  Configuration file for ferm(1).
-#
-#  V: 0.1
-#
-#  ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html
-#  Blog post:   https://blog.ipredator.se/linux-firewall-howto.html
-#
-
-# Really make sure that these modules exist and are loaded.
-@hook pre "/sbin/modprobe nf_conntrack_ftp";
-@hook pre "/sbin/modprobe nfnetlink_log";
-
-# Network interfaces.
-#@def $DEV_LAN = eth0;
-@def $DEV_LAN = ens3;
-@def $DEV_LOOPBACK = lo0;
-@def $DEV_VPN = wg0;
-
-# Network definition for the loopback device. This is needed to allow
-# DNS resolution on Ubuntu Linux where the local resolver is bound
-# to 127.0.1.1 - as opposed to the default 127.0.0.1.
-@def $NET_LOOPBACK = 127.0.0.0/8;
-
-# Common application ports.
-@def $PORT_DNS = 53;
-@def $PORT_FTP = ( 20 21 );
-@def $PORT_NTP = 123;
-@def $PORT_SSH = 22;
-@def $PORT_WEB = ( 80 443 );
-
-# The ports we allow to connect to.
-@def $PORT_WIREGUARD = ( 51820 );
-
-# See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html
-# Ports Transmission is allowed to use.
-@def $PORT_TRANSMISSION = 16384:65535;
-
-# Public DNS servers and those that are only reachable via VPN.
-# DNS servers are specified in the outbound DNS rules to prevent DNS leaks
-# (https://www.dnsleaktest.com/). The public DNS servers configured on your
-# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns),
-# but you need to verify this.
-#
-@def $IP_DNS_IPR_PUBLIC = ( 95.215.19.53/32 );
-
-# Add your ISP name server to this object if you want to restrict 
-# which DNS servers can be queried.
-@def $IP_DNS_PUBLIC = 0.0.0.0/0;
-
-# DNS server available within the VPN.
-@def $IP_DNS_VPN = ( 95.215.19.53/32 );
-
-# Make sure to use the proper VPN interface (e.g. wg0 in this case).
-# Note: You cannot reference $DEV_VPN here, substition does not take
-#       place for commands passed to a sub shell.
-@def $VPN_ACTIVE = `ip link show wg0 >/dev/null 2>/dev/null && echo 1 || echo`;
-
-# VPN interface conditional. If true the following rules are loaded.
-@if $VPN_ACTIVE {
-    domain ip {
-        table filter {
-            chain INPUT {
-                interface $DEV_VPN {
-                    proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT;
-                }
-            }
-            chain OUTPUT {
-                # Default allowed outbound services on the VPN interface.
-                # If you need more simply add your rules here.
-                outerface $DEV_VPN {
-                    proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT;
-                    proto tcp dport $PORT_FTP ACCEPT;
-                    proto udp dport $PORT_NTP ACCEPT;
-                    proto tcp dport $PORT_SSH ACCEPT;
-                    proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT;
-                    proto tcp dport $PORT_WEB ACCEPT;
-                }
-            }
-        }
-    }
-}
-
-# The main IPv4 rule set.
-domain ip {
-    table filter {
-        chain INPUT {
-            # The default policy for the chain. Usually ACCEPT or DROP or REJECT.
-            policy DROP;
-
-            # Connection tracking.
-            mod state state INVALID DROP;
-            mod state state (ESTABLISHED RELATED) ACCEPT;
-
-            # Allow local traffic to loopback interface.
-            daddr $NET_LOOPBACK ACCEPT;
-            # Allow inbound SSH on your LAN interface _only_.
-            interface $DEV_LAN {
-                proto tcp dport $PORT_SSH ACCEPT;
-            }
-
-            # Respond to ping ... makes debugging easier.
-            proto icmp icmp-type echo-request ACCEPT;
-
-            # Log dropped packets.
-            NFLOG nflog-group 1;
-            DROP;
-        }
-
-        chain OUTPUT {
-            policy DROP;
-
-            # Connection tracking.
-            mod state state INVALID DROP;
-            mod state state (ESTABLISHED RELATED) ACCEPT;
-
-            # Allow local traffic from the loopback interface.
-            saddr $NET_LOOPBACK ACCEPT;
-  
-            # Respond to ping.
-            proto icmp icmp-type echo-request ACCEPT;
-
-            # Allowed services on the LAN interface.
-            outerface $DEV_LAN {
-                proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT;
-                proto udp dport $PORT_NTP ACCEPT;
-                proto (tcp udp) dport $PORT_WIREGUARD ACCEPT;
-                proto tcp dport $PORT_SSH ACCEPT;
-            }
-
-            # Log dropped packets.
-            NFLOG nflog-group 1;
-            DROP;
-        }
-
-        chain FORWARD {
-            policy DROP;
-
-            # If you use your machine to route traffic eg. 
-            # from a VM you have to add rules here!
-
-            # Log dropped packets.
-            NFLOG nflog-group 1;
-            DROP;
-        }
-    }
-}
-
-# IPv6 is generally disabled, communication on the loopback device is allowed.
-domain ip6 {
-    table filter {
-        chain INPUT {
-            policy DROP;
-
-            # Allow local traffic.
-            interface $DEV_LOOPBACK ACCEPT;
-
-            # Log dropped packets.
-            NFLOG nflog-group 1;
-            DROP;
-        }
-        chain OUTPUT {
-            policy DROP;
-
-            # Log dropped packets.
-            NFLOG nflog-group 1;
-            DROP;
-        }
-        chain FORWARD {
-            policy DROP;
-
-            # Log dropped packets.
-            NFLOG nflog-group 1;
-            DROP;
-        }
-    }
-}
diff --git a/share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules b/share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules
deleted file mode 100644 (file)
index 8c9d744..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-KERNEL=="wg0", ACTION=="add",    RUN+="/usr/local/bin/fermreload.sh add"
-KERNEL=="wg0", ACTION=="remove", RUN+="/usr/local/bin/fermreload.sh remove"
diff --git a/share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh b/share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh
deleted file mode 100755 (executable)
index cebf7cc..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/bash
-#
-# fermreload.sh
-# V: 0.1
-#
-# Reloads the ferm firewall ruleset and is invoked by
-# the udev via /etc/udev/rules.d/81-vpn-firewall.rules.
-#
-# IPredator 2014
-# Released under the Kopimi license.
-#
-# Blog post:   https://blog.ipredator.se/linux-firewall-howto.html
-#
-
-LOGGER=/usr/bin/logger
-LOGGER_TAG=$0
-
-UDEV_ACTION=$1
-
-FERM=/usr/sbin/ferm
-FERM_CONF=/etc/ferm/ferm.conf
-
-MSG_FW_RULE_ADD="Adding VPN firewall rules."
-MSG_FW_RULE_REMOVE="Removing VPN firewall rules."
-MSG_UDEV_ACTION_UNKNOWN="Unknown udev action."
-
-case "$UDEV_ACTION" in
-    add)
-        $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_ADD
-        $FERM $FERM_CONF
-        ;;
-    remove)
-        $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_REMOVE
-        $FERM $FERM_CONF
-        ;;
-    *)
-        $LOGGER -t $LOGGER_TAG $MSG_UDEV_ACTION_UNKNOWN
-        exit 1
-esac
diff --git a/share/provision/njalla-openvpn b/share/provision/njalla-openvpn
deleted file mode 100755 (executable)
index eb8d1f4..0000000
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/usr/bin/env bash
-#
-# Full desktop provision example
-#
-# Copyright (C) 2017 Silvio Rhatto - rhatto at riseup.net
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published
-# by the Free Software Foundation, either version 3 of the License,
-# or any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-# Parameters
-DIRNAME="`dirname $0`"
-BASENAME="`basename $0`"
-HOSTNAME="$1"
-DOMAIN="$2"
-MIRROR="$3"
-APT_INSTALL="sudo LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y"
-
-# Provision the basic stuff
-$DIRNAME/openvpn $HOSTNAME $DOMAIN $MIRROR
-
-# Firewall
-$APT_INSTALL ferm ulogd2 ulogd2-pcap
-sudo cp $DIRNAME/files/njalla-openvpn/etc/ferm/ferm.conf /etc/ferm
-sudo cp $DIRNAME/files/njalla-openvpn/etc/udev/rules.d/81-vpn-firewall.rules /etc/udev/rules.d
-sudo cp $DIRNAME/files/njalla-openvpn/usr/local/bin/fermreload.sh /usr/local/bin
-sudo chmod 555 /usr/local/bin/fermreload.sh
-sudo sed -i -e 's/^ENABLED=.*$/ENABLED="yes"/' /etc/default/ferm
-sudo service ferm restart
-
-# Njalla
-#sudo cp $DIRNAME/files/njalla/etc/openvpn/njalla.conf /etc/openvpn
-#sudo touch /etc/openvpn/njalla.auth
-#sudo chown root:root /etc/openvpn/njalla.conf
-#sudo chown root:root /etc/openvpn/njalla.auth
-#sudo chmod 400 /etc/openvpn/njalla.conf
-#sudo chmod 400 /etc/openvpn/njalla.auth
-#echo "Please set user/password at /etc/openvpn/njalla.auth"
-echo "Please configure /etc/openvpn/njalla.conf"
diff --git a/share/provision/njalla-wireguard b/share/provision/njalla-wireguard
deleted file mode 100755 (executable)
index df364bf..0000000
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/usr/bin/env bash
-#
-# Full desktop provision example
-#
-# Copyright (C) 2017 Silvio Rhatto - rhatto at riseup.net
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published
-# by the Free Software Foundation, either version 3 of the License,
-# or any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-# Parameters
-DIRNAME="`dirname $0`"
-BASENAME="`basename $0`"
-HOSTNAME="$1"
-DOMAIN="$2"
-MIRROR="$3"
-APT_INSTALL="sudo LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y"
-
-# Provision the basic stuff
-$DIRNAME/wireguard $HOSTNAME $DOMAIN $MIRROR
-
-# Firewall
-$APT_INSTALL ferm ulogd2 ulogd2-pcap
-sudo cp $DIRNAME/files/njalla-wireguard/etc/ferm/ferm.conf /etc/ferm
-sudo cp $DIRNAME/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules /etc/udev/rules.d
-sudo cp $DIRNAME/files/njalla-wireguard/usr/local/bin/fermreload.sh /usr/local/bin
-sudo chmod 555 /usr/local/bin/fermreload.sh
-sudo sed -i -e 's/^ENABLED=.*$/ENABLED="yes"/' /etc/default/ferm
-sudo service ferm restart
-
-# Njalla
-echo "Please configure /etc/wireguard/ng0.conf"