From 5aa48092fae5cf0eec65a595b6e0c94304555fbf Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Wed, 14 May 2025 17:41:40 -0700 Subject: add pi config files --- README.md | 12 ++++--- pi_configs/etc/modules-load.d/wireguard.conf | 1 + pi_configs/etc/nftables.conf | 40 ++++++++++++++++++++++ .../Spartan_Racing_Charger/.config/labwc/autostart | 1 + 4 files changed, 50 insertions(+), 4 deletions(-) create mode 100644 pi_configs/etc/modules-load.d/wireguard.conf create mode 100644 pi_configs/etc/nftables.conf create mode 100644 pi_configs/home/Spartan_Racing_Charger/.config/labwc/autostart diff --git a/README.md b/README.md index 1a88c1e..40c81b0 100644 --- a/README.md +++ b/README.md @@ -19,10 +19,15 @@ remote_plot -d 10.0.0.7 remote_plot -l ``` -Infrastructure configs not included in the repo, not included exactally, or maybe inclulded in other url: +Infrastructure configs, some maybe included in pi_config dir +- I prefer manage infrastructure configs using my [cfg](https://git.flylightning.xyz/fsh/tree/sh/cfg) script, but that script is my personal project and I don't want to force people to use that, so I include those config files in this repo and I did not manage it with my cfg script on raspberry pi. - raspberry pi - - file in ~/.config/labwc/autostart dir autostart remote_plot locally + - ~/.config/labwc/autostart autostart remote_plot locally - + - /etc/wireguard/wg0.conf wireguard config + - /etc/NetworkManager/system-connections/wg0.nmconnection, networkmanager wireguard config imported from wireguard config + - /etc/modules-load.d/wireguard.conf autostart load wireguard kernel module, see + - /etc/nftables.conf nftables firewall configs - server and laptop: - wireguard related configs - files in /etc/wireguard, see below 
@@ -30,7 +35,6 @@ Infrastructure configs not included in the repo, not included exactally, or mayb - /etc/nftables.conf nftables firewall configs - server: - laptop: - - example code from another device but applicable to raspberry pi: wireguard laptop configuration ``` @@ -66,7 +70,7 @@ PresharedKey = AllowedIPs = 10.0.0.9/32, fdc9:281f:04d7:9ee9::9/128 ``` -wireguard raspberry pi configuration +wireguard raspberry pi configuration (/etc/wireguard/wg0.conf) ``` [Interface] Address = 10.0.0.9/24, fdc9:281f:04d7:9ee9::9/64 diff --git a/pi_configs/etc/modules-load.d/wireguard.conf b/pi_configs/etc/modules-load.d/wireguard.conf new file mode 100644 index 0000000..a82c63a --- /dev/null +++ b/pi_configs/etc/modules-load.d/wireguard.conf @@ -0,0 +1 @@ +wireguard diff --git a/pi_configs/etc/nftables.conf b/pi_configs/etc/nftables.conf new file mode 100644 index 0000000..9c3532d --- /dev/null +++ b/pi_configs/etc/nftables.conf 
@@ -0,0 +1,40 @@
+#!/usr/bin/nft -f
+
+# IPv4/IPv6 Simple & Safe firewall ruleset.
+# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
+
+# some codes from https://wiki.archlinux.org/title/Nftables
+
+# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
+flush ruleset
+
+table inet my_table {
+
+ chain my_input {
+ type filter hook input priority filter
+ policy drop
+
+ ct state invalid drop comment "early drop of invalid connections"
+ ct state {established, related} accept comment "allow tracked connections"
+ iifname lo accept comment "allow from loopback"
+ ip protocol icmp accept
+ meta l4proto ipv6-icmp accept
+
+ tcp dport ssh accept
+
+ pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+ counter comment "count any other traffic"
+ }
+
+ chain my_forward {
+ type filter hook forward priority filter
+ policy drop
+ # Drop everything forwarded to us. We do not forward. That is routers job.
+ }
+
+ chain my_output {
+ type filter hook output priority filter
+ policy accept
+ # Accept every outbound connection
+ }
+}
diff --git a/pi_configs/home/Spartan_Racing_Charger/.config/labwc/autostart b/pi_configs/home/Spartan_Racing_Charger/.config/labwc/autostart
new file mode 100644
index 0000000..c1ff693
--- /dev/null
+++ b/pi_configs/home/Spartan_Racing_Charger/.config/labwc/autostart
@@ -0,0 +1 @@
+/usr/local/bin/remote_plot -l &
-- cgit v1.2.3-70-g09d2
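Review bot: In pi_configs/etc/nftables.conf, the `tcp dport ssh accept` rule in `my_input` has no interface or source match, so SSH is accepted on every interface the Pi has, not only over the WireGuard tunnel. The README part of this commit lists /etc/wireguard/wg0.conf and a wg0 NetworkManager connection for the Pi. If SSH is meant to be reached only over that tunnel, the rule could be scoped to it, for example `iifname "wg0" tcp dport ssh accept`, assuming the interface is in fact named wg0. If SSH from the local network is intended, a `comment "..."` on the rule saying so, in the style of the neighbouring rules, would record that the exposure is deliberate. The two ICMP accept rules and the SSH rule are the only ones in the chain without a `comment`, so adding one to each would make the ruleset consistent.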