From c9d134a510f441057f7395228a3310b74a7835a4 Mon Sep 17 00:00:00 2001
From: wvr
Date: Sun, 15 Feb 2026 16:55:33 -0600
Subject: [PATCH] add caddy
---
caddy/edit.sh | 4 ++
caddy/iptables/disable_iptables.sh | 9 ++++
caddy/iptables/iptables-caddy.sh | 67 ++++++++++++++++++++++++++++++
caddy/restart.sh | 5 +++
caddy/update.sh | 3 ++
5 files changed, 88 insertions(+)
create mode 100755 caddy/edit.sh
create mode 100755 caddy/iptables/disable_iptables.sh
create mode 100755 caddy/iptables/iptables-caddy.sh
create mode 100755 caddy/restart.sh
create mode 100755 caddy/update.sh
diff --git a/caddy/edit.sh b/caddy/edit.sh
new file mode 100755
index 0000000..eb31601
--- /dev/null
+++ b/caddy/edit.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+nvim /etc/caddy/Caddyfile
+
diff --git a/caddy/iptables/disable_iptables.sh b/caddy/iptables/disable_iptables.sh
new file mode 100755
index 0000000..28fdfc0
--- /dev/null
+++ b/caddy/iptables/disable_iptables.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+iptables -F
+iptables -X
+iptables -P INPUT ACCEPT
+iptables -P OUTPUT ACCEPT
+iptables -P FORWARD ACCEPT
+
+exit 0
diff --git a/caddy/iptables/iptables-caddy.sh b/caddy/iptables/iptables-caddy.sh
new file mode 100755
index 0000000..dd317b7
--- /dev/null
+++ b/caddy/iptables/iptables-caddy.sh
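Review bot: The Caddyfile written by edit.sh is never validated, so a typo saved from the editor only surfaces at the next restart.sh run, when Caddy fails to come back up. Validating while the editor session is still fresh catches it on the spot: `"${EDITOR:-nvim}" /etc/caddy/Caddyfile && caddy validate --config /etc/caddy/Caddyfile`. Honouring `$EDITOR` with nvim as the fallback also avoids hard-wiring one editor into a shared script.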
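Review bot: The trailing `exit 0` in disable_iptables.sh reports success even when the preceding iptables commands fail (for instance when the script is not run as root), because nothing sets `-e`; adding `set -e` directly after the shebang makes a failed flush or policy change visible and leaves the explicit `exit 0` redundant. The script also only clears the IPv4 filter table and persists nothing, so a reboot restores whatever iptables-caddy.sh last saved, and ip6tables is untouched. A header comment spelling that out, e.g. `# Opens all IPv4 traffic until the next reboot or iptables-caddy.sh run; ip6tables is not modified`, would make the blast radius obvious to whoever runs it next.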
@@ -0,0 +1,67 @@
+#!/bin/sh
+#
+# mitchs iptables skeleton config
+# -------------------------------------------
+
+# -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
+# variables
+# -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
+SUBNET=192.168.100
+PIHOLE=$SUBNET.200
+# =/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=
+
+# flush
+iptables -F
+
+# deny all default
+iptables -P OUTPUT DROP
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+
+# ========================================================================
+# CADDY IPTABLES CONFIG
+#
+# permit any traffic on local lan
+iptables -A OUTPUT -j ACCEPT -d $SUBNET.0/24 -p tcp -m state --state NEW
+iptables -A OUTPUT -j ACCEPT -d $SUBNET.0/24 -p udp -m state --state NEW
+
+# permit 443 inbound from outside
+iptables -A INPUT -j ACCEPT -p tcp --dport 443 -m state --state NEW,ESTABLISHED
+####iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW,ESTABLISHED
+# ========================================================================
+
+# dns to pihole
+iptables -A OUTPUT -j ACCEPT -d $PIHOLE/24 -p tcp --dport 53 -m state --state NEW
+iptables -A OUTPUT -j ACCEPT -d $PIHOLE/24 -p udp --dport 53 -m state --state NEW
+
+# permit local ssh
+iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p tcp --dport ssh -m state --state NEW
+iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p tcp --sport ssh -m state --state NEW
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --sport ssh -m state --state ESTABLISHED
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --dport ssh -m state --state ESTABLISHED
+
+# permit outgoing http,https,ftp as well for updates and things
+iptables -A OUTPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW,ESTABLISHED
+iptables -A OUTPUT -j ACCEPT -p tcp --dport 443 -m state --state NEW,ESTABLISHED
+iptables -A OUTPUT -j ACCEPT -p tcp --dport 21 -m state --state NEW,ESTABLISHED
+
+# permit loopback
+iptables -A OUTPUT -j ACCEPT -o lo
+
+# permit established
+iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
+
+# save
+if command -v systemctl >/dev/null 2>&1 ; then
+ # redhat
+ if [ -f /etc/sysconfig/iptables ] ; then
+ iptables-save -f /etc/sysconfig/iptables
+ # arch
+ elif [ -f /etc/iptables/iptables.rules ] ; then
+ iptables-save -f /etc/iptables/iptables.rules
+ fi
+ # alpine
+elif command -v rc-service >/dev/null 2>&1 ; then
+ /etc/init.d/iptables save
+fi
+
diff --git a/caddy/restart.sh b/caddy/restart.sh
new file mode 100755
index 0000000..10af254
--- /dev/null
+++ b/caddy/restart.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+rc-service caddy stop
+rc-service caddy start
+
diff --git a/caddy/update.sh b/caddy/update.sh
new file mode 100755
index 0000000..80dd6b3
--- /dev/null
+++ b/caddy/update.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -e
+apk update
+apk upgrade --force-missing-repositories
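Review bot: No OUTPUT rule accepts ESTABLISHED,RELATED traffic, so with `iptables -P OUTPUT DROP` Caddy's replies on port 443 (source port 443 to the client's ephemeral port) match none of the OUTPUT rules in this hunk and are dropped, which makes the inbound 443 rule ineffective for both external and LAN clients. Three smaller points in the same hunk: `-d $PIHOLE/24` permits DNS to the whole 192.168.100.0/24 rather than the Pi-hole host, the `-A INPUT -s $SUBNET.0/24 ... --sport ssh --state NEW` rule admits any new LAN connection to any local port as long as the client uses source port 22, and only `-o lo` is permitted so NEW connections to 127.0.0.1 (a local health check, or Caddy's admin API) are dropped. Because the script has no `set -e`, a failing line leaves the host with DROP policies and a partial ruleset, which the save block then persists; ip6tables is also untouched, so if IPv6 is enabled on this host these rules do not constrain it at all. The rewritten rules are below; the variables, flush, policy, LAN, 443 and outbound sections are unchanged apart from quoting.
```sh
#!/bin/sh
set -e   # a failing rule must not leave DROP policies with a half-built ruleset that then gets saved
# … unchanged: variables, flush, default DROP policies, LAN / 443 / outbound rules …

# permit loopback both ways (only -o lo was permitted; NEW connections to 127.0.0.1 were dropped)
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo

# permit replies to accepted connections on both chains; without the OUTPUT rule
# Caddy's responses on :443 have no matching OUTPUT rule and hit the DROP policy
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

# dns to the pihole host only, not the whole /24
iptables -A OUTPUT -j ACCEPT -d "$PIHOLE" -p tcp --dport 53 -m state --state NEW
iptables -A OUTPUT -j ACCEPT -d "$PIHOLE" -p udp --dport 53 -m state --state NEW

# permit local ssh; the former --sport ssh/NEW INPUT rule is dropped because it
# accepted any LAN connection to any port whenever the client used source port 22
iptables -A INPUT -s "$SUBNET.0/24" -j ACCEPT -p tcp --dport ssh -m state --state NEW

# … unchanged: save …
```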
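Review bot: restart.sh runs `rc-service caddy start` even when the preceding stop fails, and its exit status is that of the last command only, so a caller cannot tell whether Caddy actually came back. `rc-service caddy restart` does both steps under one exit status, and for a Caddyfile-only change `caddy reload --config /etc/caddy/Caddyfile` avoids the downtime of a full stop/start. Either way a `set -e` line after the shebang would make this script consistent with update.sh in the same commit.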
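Review bot: The `-e` in `#!/bin/sh -e` is lost whenever the script is invoked as `sh update.sh`, in which case `apk upgrade` runs after a failed `apk update`; put it in the body as `set -e` on its own line instead. A one-line comment on why `--force-missing-repositories` is wanted would help too, since as I read it the flag lets the upgrade proceed even when a repository could not be fetched, which is the kind of partial failure a strict script normally stops on.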