feat(infra): production host bootstrap and bare-metal Stalwart scaffolding
Host provisioning for the single-server production target: SSH + firewall hardening (nftables allowlist), k3s node registration, bare-metal Stalwart install with systemd units and TLS cert-sync from the cluster secret, and Restic encrypted backup/restore (primary + DR) with timer units. Host-specific secrets live in config.env (gitignored); config.env.example is the template. Also gitignores MemPalace per-project files.
@@ -0,0 +1,27 @@
# Dezky host firewall — loads ONLY our table on boot.
#
# Deliberately does NOT use the distro 'nftables.service', whose default
# config starts with `flush ruleset` and would wipe k3s's tables. This unit
# applies /etc/nftables.d/dezky-fw.nft, which only (re)creates inet dezky_fw.
#
# Ordering: runs early (before k3s) so the box is never briefly exposed.
# k3s adds its own tables independently afterwards.

[Unit]
Description=Dezky host firewall (nftables, k3s-safe)
Wants=network-pre.target
Before=network-pre.target k3s.service
DefaultDependencies=no
Conflicts=shutdown.target
Before=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/nft -f /etc/nftables.d/dezky-fw.nft
ExecReload=/usr/sbin/nft -f /etc/nftables.d/dezky-fw.nft
# On stop, remove only our table — leave k3s networking intact.
ExecStop=/usr/sbin/nft destroy table inet dezky_fw

[Install]
WantedBy=multi-user.target
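Review bot: `Before=network-pre.target k3s.service` is an ordering constraint only, so if `ExecStart=/usr/sbin/nft -f /etc/nftables.d/dezky-fw.nft` fails (syntax error in the ruleset, missing file, nft not yet on the path) this unit goes to failed state but k3s and networking still come up with no allowlist, which defeats the "never briefly exposed" goal stated in the header comment. Suggest a drop-in for k3s.service with `Requires=` and `After=` on this unit so k3s refuses to start without the firewall loaded, plus a `nft -c -f /etc/nftables.d/dezky-fw.nft` syntax check before the unit is deployed. Separately, `ExecStop=/usr/sbin/nft destroy table inet dezky_fw` relies on the `destroy` verb, which is newer than `delete table` (it is the one that does not error when the table is already gone); confirm the target host's nft accepts it, otherwise the stop action fails at shutdown.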