From 8af1cd0fb4e2569eae101e52c7a76a5f7de5a5a4 Mon Sep 17 00:00:00 2001
From: root
Date: Sat, 8 Mar 2025 20:44:03 -0500
Subject: [PATCH] Add a stub to start docker services.

---
 main.go | 29 ++++++++++++++--
 services/firewall/netavark.template | 2 ++
 services/firewall/nftables.template | 52 +++++++++++++++++++++++++++++
 services/firewall/system.json | 10 ++++++
 4 files changed, 91 insertions(+), 2 deletions(-)
 create mode 100644 services/firewall/netavark.template
 create mode 100644 services/firewall/nftables.template
 create mode 100644 services/firewall/system.json

diff --git a/main.go b/main.go
index 91aea4d..fe51750 100644
--- a/main.go
+++ b/main.go
@@ -152,8 +152,7 @@ func main() {
 		return
 	}
 
-	f, _ = strings.CutSuffix(f, ".json")
-	fd, _ := os.Create(f + ".yaml")
+	fd, _ := os.Create(strings.TrimSuffix(f, ".json") + ".yaml")
 	defer fd.Close()
 	fd.Chmod(0444)
 	fd.Write(y)
@@ -165,6 +164,7 @@ func main() {
 	// ...
 
 	// Install packages
+	fmt.Println("Installing packages")
 	var installString = []string{"add", "--no-interactive", "--no-progress"}
 	var testArgs, args []string
 	var out []byte
@@ -190,4 +190,29 @@ func main() {
 		fmt.Println("Error installing packages")
 		return
 	}
+
+	// (Re)start services
+
+	// Handle docker services
+	fmt.Println("Starting docker services")
+	servicesPath = "/config/services/docker/"
+	dirents, err = os.ReadDir(servicesPath)
+	for _, d := range dirents {
+		if d.IsDir() == true { continue }
+		if strings.HasSuffix(d.Name(), ".yaml") != true { continue }
+		f := servicesPath + d.Name()
+
+		fmt.Println(" Starting:", d.Name())
+		var cmd = "/usr/bin/podman-compose"
+		var args = []string{"-f", f, "up", "-d"}
+		out, err := exec.Command(cmd, args...).CombinedOutput()
+		if err != nil {
+			fmt.Println("===")
+			fmt.Println(err)
+			fmt.Println(string(out))
+			fmt.Println("===")
+			fmt.Println("Error starting service:" + d.Name())
+			return
+		}
+	}
 }
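Review bot: The rewritten `fd, _ := os.Create(...)` line still discards the error, so a failed create (missing directory, read-only /config) leaves `fd` as a nil *os.File; the following `Close`, `Chmod` and `Write` then all return ErrInvalid, which are also unchecked, and the YAML is silently never written while the run continues as if it were. Replace the line with `fd, err := os.Create(strings.TrimSuffix(f, ".json") + ".yaml")` and `if err != nil { fmt.Println("Error writing config:", err); return }`, and check `fd.Write(y)` the same way so a short or failed write is reported. The enclosing `main` starts and ends outside this hunk.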
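Review bot: `dirents, err = os.ReadDir(servicesPath)` never inspects `err`, so a missing or unreadable /config/services/docker/ is indistinguishable from "no services": `dirents` is empty, the loop runs zero times and the function ends as a success; the `out, err :=` inside the loop then shadows that unchecked value. Add `if err != nil { fmt.Println("Error reading", servicesPath, err); return }` directly after the ReadDir call. The `exec.Command` call also runs podman-compose with no deadline, so one hung `up -d` stalls the whole provisioning run; `exec.CommandContext` with a `context.WithTimeout` would bound it. The enclosing `main` starts outside this hunk.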
diff --git a/services/firewall/netavark.template b/services/firewall/netavark.template
new file mode 100644
index 0000000..7c521e1
--- /dev/null
+++ b/services/firewall/netavark.template
@@ -0,0 +1,2 @@
+[network]
+firewall_driver="nftables"
diff --git a/services/firewall/nftables.template b/services/firewall/nftables.template
new file mode 100644
index 0000000..0b8e536
--- /dev/null
+++ b/services/firewall/nftables.template
@@ -0,0 +1,52 @@
+# https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
+
+flush ruleset
+
+table inet firewall {
+    chain inbound_ipv4 {
+        # accepting ping (icmp-echo-request) for diagnostic purposes.
+        # However, it also lets probes discover this host is alive.
+        # This sample accepts them within a certain rate limit:
+        #
+        # icmp type echo-request limit rate 5/second accept
+    }
+
+    chain inbound_ipv6 {
+        # accept neighbour discovery otherwise connectivity breaks
+        #
+        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+
+        # accepting ping (icmpv6-echo-request) for diagnostic purposes.
+        # However, it also lets probes discover this host is alive.
+        # This sample accepts them within a certain rate limit:
+        #
+        # icmpv6 type echo-request limit rate 5/second accept
+    }
+
+    chain inbound {
+        # By default, drop all traffic unless it meets a filter
+        # criteria specified by the rules that follow below.
+        type filter hook input priority 0; policy drop;
+
+        # Allow traffic from established and related packets, drop invalid
+        ct state vmap { established : accept, related : accept, invalid : drop }
+
+        # Allow loopback traffic.
+        iifname lo accept
+
+        # Jump to chain according to layer 3 protocol using a verdict map
+        meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
+
+        # Allow SSH on port TCP/22 and allow HTTP(S) TCP/80 and TCP/443
+        # for IPv4 and IPv6.
+        tcp dport { 22, 80, 443 } accept
+
+        # Uncomment to enable logging of denied inbound traffic
+        # log prefix "[nftables] Inbound Denied: " counter drop
+    }
+
+    chain forward {
+        # Drop everything (assumes this device is not a router)
+        # type filter hook forward priority 0; policy drop;
+    }
+}
diff --git a/services/firewall/system.json b/services/firewall/system.json
new file mode 100644
index 0000000..cee5e19
--- /dev/null
+++ b/services/firewall/system.json
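Review bot: `flush ruleset` at the top of this file removes every table in the kernel, not just this one, which includes the table the netavark nftables driver (selected by the companion netavark.template) maintains for container NAT and port publishing; reloading this file while containers are running (nftables service restart, `nft -f /etc/nftables.nft`) would therefore silently cut their networking until they are recreated. Scope the reset to this file's own table with `table inet firewall` followed by `delete table inet firewall` in place of `flush ruleset`. Separately, the `forward` chain has its `type filter hook forward ...` line commented out, so it is not a base chain and filters nothing, which makes the "Drop everything" comment misleading; replace it with something like `# Not hooked on purpose: a drop policy here would also drop container traffic that netavark's own forward chain accepts`. It is also worth a comment on the `tcp dport { 22, 80, 443 } accept` line that published container ports are DNATed and traverse the forward hook rather than input, so this rule only gates services listening on the host itself.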
@@ -0,0 +1,10 @@
+{
+enable: "true",
+
+provider: "system",
+packages: ["nftables"],
+configFiles: [
+    "nftables.template:/etc/nftables.nft",
+    "netavark.template:/etc/containers/containers.conf.d/50-netavark-nftables.conf",
+],
+}