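#!/usr/bin/env bash
#
# install-simplex.sh
#
# Master installer for SimpleX relay deployment. Designed for cloud-init but
# works as a standalone script. Fetches deployment scripts from git, runs the
# complete setup sequence, and creates an initial encrypted backup.
#
# This script:
#   1. Fetches deployment scripts from your git repo
#   2. Runs harden-ssh.sh (PQ KEX, Ed25519, firewall)
#   3. Runs deploy-simplex.sh (SMP + XFTP + Tor)
#   4. Runs backup.sh with your age public key
#   5. Cleans up CA keys from disk (they're now only in the encrypted backup)
#   6. Reports final status and backup location
#
# Supply-chain caveat: both invocations below execute, as root, whatever the
# git server returns -- first this script, then the scripts it clones -- with
# no integrity check beyond TLS on the transport. Download and review the
# script (and the repo at the branch you deploy) before running it, use an
# https:// or ssh:// REPO_URL, and prefer a reviewed tag over a moving branch
# for REPO_BRANCH.
#
# Usage as cloud-init user-data:
#   #cloud-config
#   runcmd:
#     - |
#       curl -fsSL https://git.anomalous.dev/57_Wolve/automations/raw/branch/main/deployments/simplex/install-simplex.sh | \
#         REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git \
#         DOMAIN=relay.example.com \
#         ACME_EMAIL=admin@example.com \
#         XFTP_QUOTA=100gb \
#         SSH_PORT=2222 \
#         bash
#
# Usage as standalone script:
#   curl -fsSL https://git.anomalous.dev/57_Wolve/automations/raw/branch/main/deployments/simplex/install-simplex.sh > install-simplex.sh
#   REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git \
#   DOMAIN=relay.example.com \
#   ACME_EMAIL=admin@example.com \
#   bash install-simplex.sh
#
# Required git repo structure (this monorepo):
#   automations/
#   ├── scripts/
#   │   └── harden-ssh.sh            # generic, run-anywhere
#   ├── deployments/simplex/
#   │   ├── deploy-simplex.sh
#   │   ├── backup.sh
#   │   └── restore.sh               # optional
#   └── globals/
#       └── age-pubkey.txt           # your age public key(s), one per line

set -euo pipefail

# ============================================================================
# CONFIG
# ============================================================================
# Every setting comes from the environment; `: "${VAR:=default}"` only fills
# in the default when the variable is unset or empty.

# Git repository containing the deployment scripts and age public key
: "${REPO_URL:=}"                               # REQUIRED: git repo URL (https:// or ssh://)

# SimpleX deployment config
: "${DOMAIN:=}"                                 # REQUIRED: apex domain (uses smp.DOMAIN, xftp.DOMAIN)
: "${ACME_EMAIL:=}"                             # REQUIRED: Let's Encrypt email
: "${XFTP_QUOTA:=50gb}"                         # XFTP disk quota (format as accepted by deploy-simplex.sh)
: "${SSH_PORT:=22}"                             # SSH port (recommend changing from default)
: "${KEY_TYPE:=rsa4096}"                        # Caddy TLS key type
: "${SMP_PASS:=}"                               # optional: SMP queue creation password
: "${XFTP_PASS:=}"                              # optional: XFTP upload password

# Git and installation options
: "${REPO_BRANCH:=main}"                        # git branch to fetch
: "${HARDEN_PATH:=scripts}"                     # path within repo to the generic harden-ssh.sh
: "${SIMPLEX_PATH:=deployments/simplex}"        # path within repo to the simplex scripts
: "${AGE_PUBKEY_FILE:=globals/age-pubkey.txt}"  # path within repo to age public key
: "${INSTALL_DIR:=/opt/simplex-deploy}"         # where to clone the repo
: "${ALLOWED_IP:=}"                             # optional: IP to whitelist in sshguard
: "${AUTO_BACKUP:=1}"                           # set to 0 to skip initial backup
: "${REMOVE_CA_KEYS:=1}"                        # set to 0 to keep CA keys on disk

# Behavior flags
: "${SKIP_PROMPTS:=0}"                          # set to 1 for non-interactive operation
: "${DEBUG:=0}"                                 # set to 1 for verbose output (see the set -x note below)
# ============================================================================

# Logging helpers: status to stdout, warnings and fatal errors to stderr.
log()  { printf '\033[1;32m[+]\033[0m %s\n' "$*"; }
warn() { printf '\033[1;33m[!]\033[0m %s\n' "$*" >&2; }
die()  { printf '\033[1;31m[x]\033[0m %s\n' "$*" >&2; exit 1; }

# Strip a userinfo component (user:token@) from a URL before it is logged.
# This script's output is typically captured to a persistent log (cloud-init
# keeps console output under /var/log), so an access token embedded in
# REPO_URL must not be echoed verbatim. URLs without "://" pass through as-is.
redact_url() {
  local url=$1
  if [[ "$url" =~ ^([A-Za-z][A-Za-z0-9+.-]*://)[^/@]+@(.*)$ ]]; then
    printf '%s%s' "${BASH_REMATCH[1]}" "${BASH_REMATCH[2]}"
  else
    printf '%s' "$url"
  fi
}

[[ $EUID -eq 0 ]] || die "Run as root."
[[ -f /etc/alpine-release ]] || die "This script targets Alpine Linux."

if [[ "$DEBUG" == "1" ]]; then
  # set -x echoes every expanded command line. If the downstream scripts
  # receive SMP_PASS / XFTP_PASS as arguments, the secrets land in the
  # persisted console log -- warn rather than leak silently.
  if [[ -n "$SMP_PASS" || -n "$XFTP_PASS" ]]; then
    warn "DEBUG=1: set -x will trace SMP_PASS/XFTP_PASS in clear text if they are passed on a command line."
  fi
  set -x
fi

# ----------------------------------------------------------------------------
# 1. Validate required parameters
# ----------------------------------------------------------------------------
[[ -n "$REPO_URL" ]] || die "Set REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git"
[[ -n "$DOMAIN" ]] || die "Set DOMAIN=your.domain.com"
[[ -n "$ACME_EMAIL" ]] || die "Set ACME_EMAIL=admin@your.domain.com"

# The cloned repo's scripts run as root, so a cleartext transport lets an
# on-path attacker substitute them. Warn rather than block so a deliberate
# local-mirror setup keeps working.
case "$REPO_URL" in
  http://*|git://*)
    warn "REPO_URL uses an unauthenticated transport; prefer https:// or ssh://" ;;
esac

# DOMAIN is interpolated into hostnames (smp.DOMAIN, xftp.DOMAIN) and,
# presumably, into config files by the downstream scripts. Accept only a
# plain multi-label hostname so whitespace or shell metacharacters never
# get that far.
host_re='^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
[[ "$DOMAIN" =~ $host_re ]] || die "DOMAIN must be a bare hostname like relay.example.com, got: $DOMAIN"

# Minimal shape check; ACME would reject a malformed address anyway, but
# failing here is cheaper than failing after the host has been hardened.
[[ "$ACME_EMAIL" == *@*.* ]] || die "ACME_EMAIL must be an email address, got: $ACME_EMAIL"

# SSH_PORT is handed to harden-ssh.sh (step 2 above); a non-numeric or
# out-of-range value would otherwise only surface after sshd has been
# reconfigured. The regex also rejects leading zeros, which (( )) would
# parse as octal.
[[ "$SSH_PORT" =~ ^[1-9][0-9]{0,4}$ ]] && (( SSH_PORT <= 65535 )) \
  || die "SSH_PORT must be an integer in 1-65535, got: $SSH_PORT"

log "SimpleX relay installer"
log "Repo: $(redact_url "$REPO_URL")"
log "Domain: $DOMAIN (will create smp.$DOMAIN, xftp.$DOMAIN)"
log "SSH port: $SSH_PORT"

if [[ "$SKIP_PROMPTS" != "1" ]]; then cat <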