further secure containers

scripts/backup.py

@@ -9,6 +9,5 @@ if __name__ == "__main__":
         "terraria/worlds",
         "terraria/password.txt",
         "website/gitea",
-        "website/certbot",
         "website/sendgrid.key",
     ], check=True)

scripts/setup_drive.py

@@ -1,5 +1,7 @@
 #!/usr/bin/sudo /usr/bin/python3
 
+import os
+import shutil
 import subprocess
 import sys
 from pathlib import Path
@@ -27,7 +29,8 @@ if __name__ == "__main__":
     run(f"cryptsetup luksOpen --key-file={key} /dev/{drive} {drive}_luks")
     run(f"mkfs.btrfs /dev/mapper/{drive}_luks")
     run(f"mount /dev/mapper/{drive}_luks {mount}")
-    mount.chmod(0o777)
+    shutil.chown(mount, os.getlogin(), "nas")
+    mount.chmod(0o770)
 
     # TODO modify /etc/crypttab instead once Ubuntu fixed
     with open("/opt/luks.sh", "a") as f:

scripts/setup_repo.py

@@ -1,18 +1,27 @@
 #!/usr/bin/env python3
 
+import shutil
 from pathlib import Path
 
 if __name__ == "__main__":
-    # create folders with same UID/GID as user so containers have access
-    PATHS = [
-        "website/certbot",
-        "website/gitea/config",
-        "website/gitea/data",
-        "monerod/.bitmonero",
-        "p2pool/cache",
-        "minecraft/worlds",
-        "minecraft_bedrock/worlds",
-        "terraria/worlds",
-    ]
-    for p in PATHS:
-        Path(p).mkdir(parents=True, exist_ok=True)
+    # create folders in group "web" so containers have access
+    PATHS = {
+        "web": [
+            "website/certbot",
+            "website/gitea/config",
+            "website/gitea/data",
+        ],
+        "monero": [
+            "monerod/.bitmonero",
+            "p2pool/cache",
+        ],
+        "game": [
+            "minecraft/worlds",
+            "minecraft_bedrock/worlds",
+            "terraria/worlds",
+        ]
+    }
+    for group in PATHS:
+        for p in PATHS[group]:
+            Path(p).mkdir(parents=True, exist_ok=True)
+            shutil.chown(p, group=group)

scripts/setup_server.py

@@ -24,6 +24,17 @@ if __name__ == "__main__":
     if not file.exists():
         with file.open("w") as f:
             f.write("PasswordAuthentication no\n")
+    try:
+        run("addgroup --gid 2000 web")
+        run("addgroup --gid 2001 monero")
+        run("addgroup --gid 2002 game")
+        run("addgroup --gid 2003 nas")
+        run(f"adduser {os.getlogin()} web")
+        run(f"adduser {os.getlogin()} monero")
+        run(f"adduser {os.getlogin()} game")
+        run(f"adduser {os.getlogin()} nas")
+    except:
+        pass
 
     # install docker and configure
     run("snap install docker")
@@ -61,6 +72,7 @@ if __name__ == "__main__":
             f.writelines(s + "\n" for s in [
                 "#!/bin/sh",
                 "iptables  -N DOCKER-USER || true",
+                "iptables  -I DOCKER-USER -d 10.0.0.0/8     -j DROP", # xfinity gateway
                 "iptables  -I DOCKER-USER -p tcp --dport 22 -j DROP", # SSH
                 "ip6tables -N DOCKER-USER || true",
                 "ip6tables -I DOCKER-USER -p tcp --dport 22 -j DROP", # SSH