Initial commit, squashed

roles/firewall/files/conntrackd.conf

@@ -0,0 +1,2 @@
+# The init script for conntrackd wants this, not sure about conntrackd itself.
+net.netfilter.nf_conntrack_tcp_be_liberal = 1

roles/firewall/files/sshd_config.friwall

@@ -0,0 +1,15 @@
+# This is used by sshd in default VRF to receive configuration updates. Lock
+# down to only allow executing the update script.
+
+# Only allow pubkey auth.
+KbdInteractiveAuthentication no
+PasswordAuthentication no
+PermitRootLogin prohibit-password
+
+# Disable what we can.
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+
+# And then disable everything else.
+ForceCommand /usr/local/bin/update

roles/firewall/files/update

@@ -0,0 +1,34 @@
+#!/bin/sh
+
+apply() {
+	cp -R /opt/config/etc/nftables.d /etc || return 1
+	nft -I /etc/nftables.d -f /etc/nftables.nft || return 2
+	cp -R /opt/config/etc/wireguard /etc || return 3
+	wg syncconf wg /etc/wireguard/wg.conf || return 4
+}
+
+cleanup() {
+	rm -fr /opt/config
+}
+
+# clean now and on exit
+cleanup
+trap cleanup EXIT
+
+mkdir -p /opt/config
+tar xz -C /opt/config --warning=no-timestamp
+
+current="$(cat /opt/version 2>/dev/null || echo -1)"
+next="$(cat /opt/config/version 2>/dev/null || echo -1)"
+echo "Updating config from v${current} to v${next}"
+if [ "${next:-0}" -ne "${current:-0}" ] ; then
+	echo "Applying config v${next}"
+	if apply ; then
+		echo "${next}" > /opt/version
+		echo "Applied config v${next}"
+	else
+		error="$?"
+		echo "Could not apply config v${next}, error ${error}"
+		exit "${error}"
+	fi
+fi