Add more firewall rules

2025-05-17 22:18:15 -04:00
parent 4adfb4a2ef
commit d51297fec9
10 changed files with 35 additions and 7 deletions
--- a/files/rke-common/etc/NetworkManager/conf.d/rke2-canal.conf
+++ b/files/rke-common/etc/NetworkManager/conf.d/rke2-canal.conf
@@ -0,0 +1,2 @@
+[keyfile]
+unmanaged-devices=interface-name:flannel*;interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico;interface-name:vxlan-v6.calico;interface-name:wireguard.cali;interface-name:wg-v6.cali
--- a/files/rke-common/etc/firewalld/services/rke-common.xml
+++ b/files/rke-common/etc/firewalld/services/rke-common.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>RKE Common</short>
+  <description>Common ports for RKE services.</description>
+  <port protocol="tcp" port="10250"/>
+  <port protocol="tcp" start="30000" end="32767"/>
+  <port protocol="udp" port="8472"/>
+  <port protocol="tcp" port="9099"/>
+  <port protocol="udp" port="51820"/>
+  <port protocol="udp" port="51821"/>
+  <port protocol="tcp" port="179"/>
+  <port protocol="udp" port="4789"/>
+  <port protocol="tcp" port="5473"/>
+  <port protocol="tcp" port="9098"/>
+  <port protocol="tcp" port="9099"/>
+</service>
--- a/files/rke-common/etc/sudoers.d/99_rke2
+++ b/files/rke-common/etc/sudoers.d/99_rke2
@@ -0,0 +1,3 @@
+Cmnd_Alias RKE_CMDS = /usr/bin/chown, /usr/bin/chmod, /usr/bin/mkdir, /usr/bin/systemctl, /usr/bin/cp, /usr/bin/find, /usr/bin/ls, /usr/bin/reboot, /usr/bin/install, /usr/bin/rke2, /usr/bin/firewall-cmd
+
+rke ALL=(root) NOPASSWD: RKE_CMDS
--- a/files/rke-common/usr/lib/systemd/system/create_rke_user.service
+++ b/files/rke-common/usr/lib/systemd/system/create_rke_user.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Create 'rke' user and add to docker group
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/rke2/create_rke_user.sh
+
+# Mask the service after successful execution
+ExecStartPost=-/bin/systemctl mask create_rke_user.service
+
+[Install]
+WantedBy=multi-user.target
+
--- a/files/rke-common/usr/libexec/rke2/create_rke_user.sh
+++ b/files/rke-common/usr/libexec/rke2/create_rke_user.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Check if user 'rke' exists
+if ! id -u rke &> /dev/null; then
+    echo "Creating user 'rke'"
+    # Create user 'rke' with home directory using useradd
+    useradd --system -m -k /usr/libexec/rke2/skel/ rke
+fi
+
+# Add 'rke' to docker group
+echo "Adding 'rke' to docker group"
+usermod -aG docker rke
+usermod -aG systemd-journal rke
+
+echo "Done"
--- a/files/rke-common/usr/libexec/rke2/skel/.ssh/authorized_keys
+++ b/files/rke-common/usr/libexec/rke2/skel/.ssh/authorized_keys
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCv1FDb8gHmsrFg9pzsulBnKJoknHMzwRLQ/3eGoFHmZuNqVX2xOO0Ln7QW85JolwWaJsGpHCYKCa4WjouxgNr2w/RGjwWJB/HMEX6staBzlKQmVEB5WM2WH1U490ev1gmbGWGcCRO/K+dKkostcfGtXo6fy5ZlPaNdhmzsTCq0xbR0qG5E6mx2q+dopdVTl8t6lHVXNKPWATU456mrzg3XPOBw8c2wMISStQU76mFFlH2luLDJA9vEpNXWLX68YpF+3iRwI+Tt9S2FYjFENWwzNlv+OLJXTdpZS/DGyookpeHX8jYAPVXM39d7h1OduZiIySMi4RydcMtGFi8DpnkRGKVnfBbS+w6m/Vh/rCKXoO/x4YKdXY+J2gBwQfIL5wEqUQ16QmMdXZez9wiICM1CYxM8GCnJi36pKTp7r3Y78u9z5VUnpuTVS0ZyxYf8JZS7oPReH+v+Yb0J9rOZ9R7hnper1W4iQRwJII6s78zGBSw9pOv8cSwSCXsruzIrn10= admin@admin-machine
				`@@ -0,0 +1 @@`
				ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCv1FDb8gHmsrFg9pzsulBnKJoknHMzwRLQ/3eGoFHmZuNqVX2xOO0Ln7QW85JolwWaJsGpHCYKCa4WjouxgNr2w/RGjwWJB/HMEX6staBzlKQmVEB5WM2WH1U490ev1gmbGWGcCRO/K+dKkostcfGtXo6fy5ZlPaNdhmzsTCq0xbR0qG5E6mx2q+dopdVTl8t6lHVXNKPWATU456mrzg3XPOBw8c2wMISStQU76mFFlH2luLDJA9vEpNXWLX68YpF+3iRwI+Tt9S2FYjFENWwzNlv+OLJXTdpZS/DGyookpeHX8jYAPVXM39d7h1OduZiIySMi4RydcMtGFi8DpnkRGKVnfBbS+w6m/Vh/rCKXoO/x4YKdXY+J2gBwQfIL5wEqUQ16QmMdXZez9wiICM1CYxM8GCnJi36pKTp7r3Y78u9z5VUnpuTVS0ZyxYf8JZS7oPReH+v+Yb0J9rOZ9R7hnper1W4iQRwJII6s78zGBSw9pOv8cSwSCXsruzIrn10= admin@admin-machine