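# Butane config (Flatcar variant) for a single-purpose Tailscale exit-node host.
# It is transpiled to Ignition and applied on first boot: a host firewall,
# update-engine reboot settings, a UTC timezone link, and three systemd units
# that run Tailscale and Watchtower as Docker containers.
#
# Butane's `mode` fields are integers, so the leading-zero octal literal
# (`0644`) is the correct spelling here; quoting it as a string would break
# the transpile.
variant: flatcar
version: 1.0.0
storage:
  files:
    # Host firewall, loaded once by iptables-restore.service (below).
    # INPUT/FORWARD default to DROP; only loopback, established flows, the
    # tailscaled UDP port and a few ICMP types are accepted. The UDP port must
    # stay in sync with `--port=41641` in TS_TAILSCALED_EXTRA_ARGS below.
    # FORWARD permits eth0 <-> tailscale0 traffic for the advertised exit node.
    - path: /var/lib/iptables/rules-save
      mode: 0644
      contents:
        inline: |
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
          -A INPUT -p udp -m udp --dport 41641 -j ACCEPT
          -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
          -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
          -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
          -A FORWARD -i eth0 -o tailscale0 -j ACCEPT
          -A FORWARD -i tailscale0 -o eth0 -j ACCEPT
          COMMIT
    # update-engine / locksmith settings: reboot automatically for OS updates,
    # but only inside the 02:00-03:00 window.
    # Mode was previously `0420`, which the YAML parser reads as octal
    # (r---w----): no owner write and no world read. `0644` matches the
    # rules-save entry above and is the conventional mode for this file.
    - path: /etc/flatcar/update.conf
      overwrite: true
      mode: 0644
      contents:
        inline: |
          REBOOT_STRATEGY=reboot
          LOCKSMITHD_REBOOT_WINDOW_START=02:00
          LOCKSMITHD_REBOOT_WINDOW_LENGTH=1h
  links:
    # Pin the system clock display to UTC so log timestamps are unambiguous.
    - path: /etc/localtime
      overwrite: true
      target: /usr/share/zoneinfo/Etc/UTC
systemd:
  units:
    # Tailscale runs as a container on the host network so it can create
    # tailscale0 and manage kernel routing; it needs /dev/net/tun and
    # NET_ADMIN for that. The container is advertised as an exit node.
    #
    # TS_AUTHKEY: replace the placeholder before transpiling. The rendered
    # Ignition JSON (and therefore this key) is typically stored as instance
    # user-data and is readable on the host, so use a single-use, short-lived
    # auth key rather than a reusable one, and rotate it if the config leaks.
    #
    # Image is `:latest` and Watchtower auto-updates it; pin to a digest if
    # you need reproducible, reviewable upgrades of the VPN component.
    - name: tailscale.service
      enabled: true
      contents: |
        [Unit]
        Description=Tailscale Docker Container
        After=docker.service
        Requires=docker.service
        [Service]
        ExecStart=/usr/bin/docker run \
          --name tailscale \
          --rm \
          --hostname vpn-server \
          --network host \
          --label com.centurylinklabs.watchtower.enable=true \
          -e TS_AUTHKEY=ENTER_TAILSCALE_AUTH_KEY_HERE \
          -e TS_STATE_DIR=/var/lib/tailscale \
          -e TS_USERSPACE=false \
          -e TS_EXTRA_ARGS="--advertise-exit-node" \
          -e TS_TAILSCALED_EXTRA_ARGS="--port=41641 --no-logs-no-support" \
          -v tailscale:/var/lib/tailscale \
          --device=/dev/net/tun:/dev/net/tun \
          --cap-add=NET_ADMIN \
          ghcr.io/tailscale/tailscale:latest
        ExecStop=/usr/bin/docker stop tailscale
        Restart=always
        RestartSec=5
        [Install]
        WantedBy=multi-user.target
    # Watchtower pulls new images for labelled containers only
    # (WATCHTOWER_LABEL_ENABLE=true) and removes old images afterwards.
    # Mounting the Docker socket gives this container full control of the
    # Docker daemon (effectively root on the host), so its image is part of
    # the trusted computing base; consider pinning it by digest as well.
    - name: watchtower.service
      enabled: true
      contents: |
        [Unit]
        Description=Watchtower Docker Container Auto-Updater
        After=docker.service
        Requires=docker.service
        [Service]
        ExecStart=/usr/bin/docker run \
          --name watchtower \
          --rm \
          --label com.centurylinklabs.watchtower.enable=true \
          -e WATCHTOWER_LABEL_ENABLE=true \
          -e WATCHTOWER_CLEANUP=true \
          -e WATCHTOWER_NO_RESTART=true \
          -v /var/run/docker.sock:/var/run/docker.sock \
          ghcr.io/containrrr/watchtower:latest
        ExecStop=/usr/bin/docker stop watchtower
        Restart=always
        RestartSec=5
        [Install]
        WantedBy=multi-user.target
    # Loads the firewall rules written above. `-n` (--noflush) appends to
    # whatever is already in the tables instead of replacing it; Type=oneshot
    # with RemainAfterExit keeps the unit "active" after the single run.
    - name: iptables-restore.service
      enabled: true
      contents: |
        [Unit]
        Description=Restore iptables rules
        After=network.target
        [Service]
        Type=oneshot
        ExecStart=/sbin/iptables-restore -n /var/lib/iptables/rules-save
        RemainAfterExit=yes
        [Install]
        WantedBy=multi-user.target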