infra-ansible

ansible script to ship alpine/ssh/wireguard
git clone https://9o.is/git/infra-ansible.git
nftables.conf.j2

(831B)
      1 #!/usr/sbin/nft -f
      2 
      3 flush ruleset
      4 
      5 table inet main {
      6     chain input {
      7         type filter hook input priority filter; policy drop;
      8 
      9         ct state invalid counter log prefix "MAIN INPUT INVALID " drop
     10         ct state established,related accept
     11         iifname lo accept
     12 
     13         iifname {{ static_interface }} ct state new jump public-input
     14         iifname wg0 ct state new jump wireguard-input
     15 
     16         counter log prefix "MAIN INPUT DROPPED "
     17     }
     18 
     19     chain forward {
     20         type filter hook forward priority filter; policy drop;
     21         counter log prefix "MAIN FORWARD DROPPED "
     22     }
     23 
     24     chain output {
     25         type filter hook output priority filter; policy accept;
     26     }
     27 
     28     chain public-input {
     29         udp dport {{ wireguard_port }} accept
     30     }
     31 
     32     chain wireguard-input {
     33         tcp dport ssh accept
     34     }
     35 }
     36