Initial commit
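--- a/image-recipe/scripts/harden-alpine.sh
+++ b/image-recipe/scripts/harden-alpine.sh
@@ -0,0 +1,118 @@
+#!/bin/bash
+# Alpine Linux Hardening Script for Archipelago Bitcoin Node OS
+# This script applies security hardening to the Alpine base image
+
+set -e
+
+echo "🔒 Starting Alpine Linux hardening..."
+
+# Disable unnecessary services
+systemctl disable bluetooth || true
+systemctl disable avahi-daemon || true
+
+# Configure kernel parameters for security
+cat >> /etc/sysctl.conf <<EOF
+
+# Archipelago Security Hardening
+# Disable IP forwarding
+net.ipv4.ip_forward = 0
+net.ipv6.conf.all.forwarding = 0
+
+# Enable SYN flood protection
+net.ipv4.tcp_syncookies = 1
+
+# Disable source routing
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.default.accept_source_route = 0
+
+# Disable ICMP redirects
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Disable send redirects
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+
+# Log martian packets
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+# Ignore ICMP ping requests (can be enabled if needed)
+# net.ipv4.icmp_echo_ignore_all = 1
+
+# Ignore ICMP ping broadcasts
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# Ignore bogus ICMP errors
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Enable RFC-recommended source validation
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Disable IPv6 if not needed (uncomment if IPv6 not required)
+# net.ipv6.conf.all.disable_ipv6 = 1
+# net.ipv6.conf.default.disable_ipv6 = 1
+EOF
+
+# Configure SSH (if installed)
+if [ -f /etc/ssh/sshd_config ]; then
+sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config || true
+sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config || true
+sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config || true
+fi
+
+# Set up fail2ban basic configuration
+if [ -f /etc/fail2ban/jail.conf ]; then
+cat > /etc/fail2ban/jail.local <<EOF
+[DEFAULT]
+bantime = 3600
+findtime = 600
+maxretry = 5
+destemail = root@localhost
+sendername = Fail2Ban
+action = %(action_)s
+
+[sshd]
+enabled = true
+port = ssh
+logpath = %(sshd_log)s
+backend = %(sshd_backend)s
+EOF
+fi
+
+# Configure automatic security updates
+cat > /etc/periodic/daily/archipelago-security-updates <<'EOF'
+#!/bin/sh
+# Automatic security updates for Archipelago
+apk update && apk upgrade -u || true
+EOF
+chmod +x /etc/periodic/daily/archipelago-security-updates
+
+# Set restrictive file permissions
+chmod 700 /var/lib/archipelago/secrets
+chmod 755 /var/lib/archipelago/apps
+chmod 755 /var/lib/archipelago/logs
+
+# Create log directory with proper permissions
+mkdir -p /var/log/archipelago
+chmod 755 /var/log/archipelago
+
+# Configure log rotation for archipelago logs
+cat > /etc/logrotate.d/archipelago <<EOF
+/var/log/archipelago/*.log {
+daily
+rotate 30
+compress
+delaycompress
+missingok
+notifempty
+create 0644 root root
+}
+EOF
+
+echo "✅ Alpine Linux hardening complete!"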
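Review bot: The `systemctl disable bluetooth || true` and `systemctl disable avahi-daemon || true` lines cannot take effect on Alpine, which boots with OpenRC and ships no systemd, so the command is missing, the `|| true` hides the "command not found", and neither service is ever disabled; the OpenRC form is `rc-update del bluetooth default 2>/dev/null || true` (likewise for avahi-daemon), and the same masked no-op recurs in install-podman.sh at `loginctl enable-linger archipelago || true`. The sshd edits only rewrite the commented-out `#PermitRootLogin yes` form, while the upstream OpenSSH sample config ships `#PermitRootLogin prohibit-password` and an already-active `PermitRootLogin yes` is left untouched, so root login and password authentication may remain enabled after a "successful" run. Matching `^#\?PermitRootLogin .*` (and the same for the other two keys), or writing a drop-in under `/etc/ssh/sshd_config.d/` when the installed OpenSSH supports `Include`, would actually enforce the settings. `chmod 700 /var/lib/archipelago/secrets` also aborts the whole script under `set -e` if that directory does not yet exist, unlike the `mkdir -p` used for the log directory; `mkdir -p -m 700 /var/lib/archipelago/secrets` would make the step order-independent. Appending with `cat >> /etc/sysctl.conf` duplicates the block on every rerun; a fresh `/etc/sysctl.d/90-archipelago.conf` written with `>` is idempotent if the image's sysctl service reads that directory.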
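--- a/image-recipe/scripts/install-podman.sh
+++ b/image-recipe/scripts/install-podman.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Podman Installation and Configuration Script for Archipelago
+# Configures Podman for rootless operation
+
+set -e
+
+echo "🐳 Configuring Podman for rootless operation..."
+
+# Ensure archipelago user exists
+if ! id "archipelago" &>/dev/null; then
+echo "Creating archipelago user..."
+adduser -D -s /bin/bash archipelago
+fi
+
+# Create Podman configuration directories
+mkdir -p /home/archipelago/.config/containers
+mkdir -p /home/archipelago/.local/share/containers/storage
+
+# Configure storage
+cat > /home/archipelago/.config/containers/storage.conf <<EOF
+[storage]
+driver = "overlay"
+runroot = "/run/user/$(id -u archipelago)/containers"
+graphroot = "/home/archipelago/.local/share/containers/storage"
+EOF
+
+# Configure registries (use Docker Hub and quay.io)
+mkdir -p /home/archipelago/.config/containers/registries.conf.d
+cat > /home/archipelago/.config/containers/registries.conf.d/000-shortnames.conf <<EOF
+[registries.search]
+registries = ['docker.io', 'quay.io', 'ghcr.io']
+
+[registries.insecure]
+registries = []
+
+[registries.block]
+registries = []
+EOF
+
+# Set up subuid and subgid for rootless containers
+if ! grep -q "^archipelago:" /etc/subuid; then
+echo "archipelago:100000:65536" >> /etc/subuid
+fi
+
+if ! grep -q "^archipelago:" /etc/subgid; then
+echo "archipelago:100000:65536" >> /etc/subgid
+fi
+
+# Create systemd user service directory
+mkdir -p /home/archipelago/.config/systemd/user
+
+# Enable lingering for archipelago user (allows user services to run without login)
+loginctl enable-linger archipelago || true
+
+# Set proper permissions
+chown -R archipelago:archipelago /home/archipelago/.config
+chown -R archipelago:archipelago /home/archipelago/.local
+
+echo "✅ Podman configuration complete!"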
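Review bot: The drop-in written to `registries.conf.d/000-shortnames.conf` uses the v1 `[registries.search]` table, but as far as I recall files under `registries.conf.d/` are parsed only in the v2 format, so Podman is likely to reject or ignore it; the v2 equivalent is `unqualified-search-registries = ["docker.io", "quay.io", "ghcr.io"]`. A three-entry search list also lets a short image name resolve to whichever of those registries happens to host that name, which is exactly the short-name ambiguity the v2 `short-name-mode = "enforcing"` setting exists to close — pulling by fully qualified name and keeping a single search registry is the safer default for a node image. `runroot = "/run/user/$(id -u archipelago)/containers"` presumes a per-user runtime directory that is normally created by a logind-style session manager, which an OpenRC image may not provide; worth confirming it exists at runtime or pointing runroot at a directory the script creates. The `/etc/subuid` and `/etc/subgid` appends should also be guarded against the `100000:65536` range overlapping an entry some other user already holds, e.g. `grep -q ":100000:" /etc/subuid` before appending.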