further cleanup and securing

scripts/setup_router.py

@@ -2,19 +2,22 @@
 
 import hashlib
 import subprocess
+import sys
 
-ETH     = "enp5s0"
-IPV4    = "192.168.1.69"
+DP_LEN  = 64 # xfinity delegated prefix length
+WRT_ULA = "fd16:8f4d:f516::" # OpenWrt random
+WG_ULA  = "fd32:76a6:ec61:577a::" # WireGuard random
+IPV4    = "192.168.1.69" # OpenWrt default
 IPV6    = "69"
-WG_IPV4 = "192.168.2.1"
-WG_IPV6 = "fd32:76a6:ec61:577a::1"
+WG_IPV4 = "192.168.2.1" # WireGuard chosen
+WG_IPV6 = WG_ULA + "1"
 
 def run(cmds):
     # ssh-keygen -t ed25519
     subprocess.run(["ssh", "root@OpenWrt.lan", ";".join(cmds)], check=True)
 
-def mac():
-    return open(f"/sys/class/net/{ETH}/address", "r").read().strip()
+def mac(eth):
+    return open(f"/sys/class/net/{eth}/address", "r").read().strip()
 
 def duid():
     # adapted from https://github.com/mss/nm-duid
@@ -27,16 +30,21 @@ def key():
     return (pub.decode("utf-8"), priv.decode("utf-8"))
 
 if __name__ == "__main__":
-    # prevent access using WAN addresses
+    ETH = sys.argv[1] # e.g. enp5s0
+
+    # basic setup
     run([
+        f"uci set network.globals.ula_prefix='{WRT_ULA}/48'"
         "uci set dropbear.main.Interface='lan'",
+        "uci commit network",
+        "uci commit dropbear",
     ])
 
     # static IP
     run([
         "uci add dhcp host",
         "uci set dhcp.@host[-1].name='matt-ryzen'",
-        f"uci set dhcp.@host[-1].mac='{mac()}'",
+        f"uci set dhcp.@host[-1].mac='{mac(ETH)}'",
         f"uci set dhcp.@host[-1].ip='{IPV4}'",
         f"uci set dhcp.@host[-1].duid='{duid()}'",
         f"uci set dhcp.@host[-1].hostid='{IPV6}'",
@@ -75,7 +83,7 @@ if __name__ == "__main__":
             f"uci set firewall.@rule[-1].name='allow-{name}'",
             "uci set firewall.@rule[-1].src='wan'",
             "uci set firewall.@rule[-1].dest='lan'",
-            f"uci set firewall.@rule[-1].dest_ip='::{IPV6}/-64'", # xfinity provides /64 => /-64 match
+            f"uci set firewall.@rule[-1].dest_ip='::{IPV6}/{DP_LEN-128}'",
             f"uci set firewall.@rule[-1].dest_port='{PORTS[name]}'",
             "uci set firewall.@rule[-1].target='ACCEPT'",
         ])
@@ -85,6 +93,7 @@ if __name__ == "__main__":
     ])
 
     # wireguard setup
+    # TODO configure NAT66 to fix tunneling IPv6 traffic
     pub, priv = key()
     run([
         # install packages

scripts/setup_server.py

@@ -4,7 +4,6 @@ import json
 import os
 import subprocess
 from pathlib import Path
-from setup_router import WG_IPV4, WG_IPV6
 
 def run(cmd, capture=False):
     if capture:
@@ -15,30 +14,60 @@ def run(cmd, capture=False):
 if __name__ == "__main__":
     # install dependencies and configure
     run("apt update")
-    run("apt upgrade")
-    run("apt install -y avahi-daemon btrfs-progs python-is-python3 python3-pip wireguard zip")
-    if run("ufw status", capture=True) == b"Status: inactive\n":
-        run("ufw enable")
-        run("ufw allow OpenSSH")
-    with open("/etc/sysctl.conf", "a+") as f:
+    run("apt upgrade -y")
+    run("apt install -y avahi-daemon btrfs-progs openssh-server python-is-python3 python3-pip wireguard zip")
+    with open("/etc/sysctl.conf", "a+") as f: # enable huge pages for local mining
         f.seek(0)
-        if "vm.nr_hugepages=3072\n" not in f.readlines():
-            f.write("vm.nr_hugepages=3072\n") # enable huge pages
+        if "vm.nr_hugepages=1280\n" not in f.readlines():
+            f.write("vm.nr_hugepages=1280\n")
+    file = Path("/etc/ssh/sshd_config.d/restrict.conf") # only allow public key login
+    if not file.exists():
+        with file.open("w") as f:
+            f.write("PasswordAuthentication no\n")
 
     # install docker and configure
     run("snap install docker")
     run("addgroup --system docker")
     run(f"adduser {os.getlogin()} docker")
-    run("snap disable docker")
-    run("snap enable docker")
     with open("/var/snap/docker/current/config/daemon.json", "r+") as f:
         cfg = json.load(f)
         cfg["ipv6"] = True
-        cfg["fixed-cidr-v6"] = "fd3a:138e:8fd0:0000::/64"
+        cfg["fixed-cidr-v6"] = "fd3a:138e:8fd0:0000::/64" # Docker ULA
         f.seek(0)
         json.dump(cfg, f, indent=4)
     run("systemctl restart snap.docker.dockerd.service")
 
+    # restrict network access from containers
+    file = Path("/etc/systemd/system/docker-restrict.service")
+    if not file.exists():
+        with file.open("w") as f:
+            f.writelines(s + "\n" for s in [
+                "[Unit]",
+                "Description=Restrict Docker network access",
+                "Before=network.target",
+                "After=network-pre.target",
+                "",
+                "[Service]",
+                "Type=oneshot",
+                "ExecStart=/opt/docker-restrict.sh",
+                "RemainAfterExit=yes",
+                "",
+                "[Install]",
+                "WantedBy=multi-user.target",
+            ])
+    file = Path("/opt/docker-restrict.sh")
+    if not file.exists():
+        with file.open("w") as f:
+            f.writelines(s + "\n" for s in [
+                "#!/bin/sh",
+                "iptables  -N DOCKER-USER || true",
+                "iptables  -I DOCKER-USER -p tcp --dport 22 -j DROP", # SSH
+                "ip6tables -N DOCKER-USER || true",
+                "ip6tables -I DOCKER-USER -p tcp --dport 22 -j DROP", # SSH
+            ])
+        file.chmod(0o755)
+    run("systemctl enable docker-restrict.service")
+
     # TODO modify /etc/crypttab instead once Ubuntu fixed
     file = Path("/etc/systemd/system/luks.service")
     if not file.exists():