Initial commit, squashed

roles/firewall_master/files/accept-fri.nft

@@ -0,0 +1,16 @@
+table inet filter {
+    set fri {
+        typeof ip saddr; flags interval
+        elements = { 10.32.0.0/14, 192.168.0.0/16, 141.255.211.0/24, 193.2.76.0/24 }
+    }
+
+    set fri/6 {
+        typeof ip6 saddr; flags interval
+        elements = { 2001:1470:fffd::/48 }
+    }
+
+    chain input {
+        ip saddr @fri tcp dport { ssh, http, https } accept
+        ip6 saddr @fri/6 tcp dport { ssh, http, https } accept
+    }
+}

roles/firewall_master/files/friwall.ini

@@ -0,0 +1,16 @@
+[uwsgi]
+uid = friwall
+gid = friwall
+
+socket = /run/friwall.socket
+chown-socket = friwall:nginx
+chmod-socket = 660
+
+plugin = python3
+chdir = /srv/friwall/app
+mount = /=wsgi:app
+env = PYTHONUSERBASE=/srv/friwall/.local
+env = HOME=/srv/friwall
+
+# Microsoft OIDC endpoint sends some fat‐ass headers.
+buffer-size = 16384

roles/firewall_master/files/pusher.initd

@@ -0,0 +1,18 @@
+#!/sbin/openrc-run
+
+command="/srv/friwall/app/$RC_SVCNAME"
+command_background="yes"
+command_user="friwall"
+command_group="nogroup"
+directory="/srv/friwall"
+pidfile="/run/$RC_SVCNAME.pid"
+
+depend() {
+	need net
+}
+
+stop() {
+	ebegin "Stopping $RC_SVCNAME"
+	pkill -INT -g $(cat "$pidfile") && rm -f "$pidfile"
+	eend $?
+}

roles/firewall_master/files/uwsgi.ini

@@ -0,0 +1,2 @@
+[uwsgi]
+emperor = /etc/uwsgi/conf.d