57_Wolve 8fbeb8f6b0 feat: unified launcher, multi-OS hardening, login alerts & auto-updates
Restructure around a single entry point (automations.sh) with a Gum wizard and
a self-extracting bundle for repo-less installs. Add scripts/oslib.sh so the
provisioning scripts (setup-host, harden-ssh, harden-jumphost, sshuser) run on
Alpine/Debian/Alma; seed root keys from globals/.
- ntfy SSH-login alerts (user, source IP, key, region, jump target) via pam_exec
- daily auto-updates: AUTO_REBOOT=idle reboots only when no SSH active; opt-in
  Alpine stable-branch upgrades (ALLOW_RELEASE_UPGRADE)
- cloud-init: generic base/jumphost + per-deployment, which harden SSH by
  default on fresh VMs
- pocket-id: optional WebFinger block (BASE_DOMAIN), tag v2.8.0
- headscale: fix oidc.expiry schema for 0.28 so the container starts
- Gitea release workflow on tag (TOKEN_GITEA); repo URLs -> Gitea
- README/LICENSE/.gitignore/.gitattributes (force LF)
2026-06-12 15:24:30 -05:00

38 lines
1.4 KiB
YAML

#cloud-config
#
# Beszel (monitoring hub) — harden SSH, then deploy, on a fresh Alpine host.
#
# Fill in REPO_URL and the values in the runcmd block, then paste this as the
# instance user-data. DNS for BESZEL_DOMAIN must point at this host and ports
# 80/443 must be reachable before boot, or the Let's Encrypt cert request
# fails. OIDC sign-in is configured afterwards in the Beszel admin UI.
packages:
  - git
runcmd:
  # hostnamectl is part of systemd, so on Alpine (OpenRC) this line is a no-op
  # and the "|| true" only keeps runcmd going; cloud-init's top-level
  # "hostname: beszel" key sets the name on every distro it supports.
  - hostnamectl set-hostname beszel || true
  - |
    set -e
    REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git
    # Whatever is checked out here runs as root on first boot. For a
    # reproducible install pin a release tag or commit instead of a moving
    # branch (git clone --branch accepts tags as well).
    REPO_BRANCH=main
    HARDEN_SSH=1   # harden SSH on this fresh VM (set 0 to skip)
    SSH_PORT=22
    ALLOWED_IP=    # optional: whitelist your client IP in sshguard
    git clone --depth 1 --branch "$REPO_BRANCH" "$REPO_URL" /opt/automations
    cd /opt/automations
    # Harden SSH on this fresh VM: PQ KEX, key-only auth, sshguard. Seeds root
    # from globals/authorized_keys (or SSH_KEYS_URL). NOTE: harden-ssh also
    # prints a generated root key to the serial console — capture it, or rely
    # on the seeded keys. Many providers retain serial output in a console
    # log, so a printed key is readable by anyone with console access; the
    # seeded keys are the safer path.
    if [ "$HARDEN_SSH" = 1 ]; then
      SSH_PORT="$SSH_PORT" ALLOWED_IP="$ALLOWED_IP" SKIP_PROMPTS=1 FORCE=1 \
        bash scripts/harden-ssh.sh
    fi
    BESZEL_DOMAIN=monitoring.example.com \
    ACME_EMAIL=admin@example.com \
    SKIP_PROMPTS=1 \
    bash deployments/beszel/deploy.sh
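A post-boot check for the state the comment above says harden-ssh.sh leaves behind (key-only auth and a post-quantum KEX), added here as an example; it is not part of the automations repository, whose harden-ssh.sh is not shown on this page. Which OpenSSH settings count as "hardened" (passwordauthentication no, kbdinteractiveauthentication no, pubkeyauthentication yes, permitrootlogin prohibit-password, and a KEX list led by mlkem768x25519-sha256 or sntrup761x25519-sha512@openssh.com) is therefore an assumption, and the two `sshd -T` excerpts are constructed so the check runs offline.

```shell
#!/usr/bin/env bash
# Verify that sshd's effective configuration matches what the cloud-config
# comment expects from harden-ssh.sh. Added example, not repo code; the
# concrete settings checked are assumptions about what "PQ KEX, key-only
# auth" means. On the host, as root:   sshd -T | check_sshd_hardening

# sshd_opt CONFIG KEYWORD: value of KEYWORD in `sshd -T` output, which prints
# one lowercase "keyword value" per line.
sshd_opt() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

# check_sshd_hardening: reads `sshd -T` output on stdin, prints one FAIL line
# per unmet property and returns 1 if anything failed, 0 otherwise.
check_sshd_hardening() {
    cfg=$(cat)
    rc=0
    for pair in passwordauthentication=no kbdinteractiveauthentication=no pubkeyauthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_opt "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', want '$want'"; rc=1
        fi
    done
    # Root may authenticate with a key only; "yes" would re-admit passwords.
    case "$(sshd_opt "$cfg" permitrootlogin)" in
        prohibit-password|without-password|no) ;;
        *) echo "FAIL: permitrootlogin is '$(sshd_opt "$cfg" permitrootlogin)'"; rc=1 ;;
    esac
    # "PQ KEX": the offered list must lead with one of OpenSSH's hybrid
    # post-quantum exchanges (mlkem768x25519-sha256, OpenSSH 9.9+, or
    # sntrup761x25519-sha512@openssh.com, OpenSSH 9.0+). Assumed to be what
    # the hardening script configures.
    case "$(sshd_opt "$cfg" kexalgorithms)" in
        mlkem768x25519-sha256,*|mlkem768x25519-sha256) ;;
        sntrup761x25519-sha512@openssh.com,*|sntrup761x25519-sha512@openssh.com) ;;
        *) echo "FAIL: kexalgorithms does not lead with a post-quantum hybrid"; rc=1 ;;
    esac
    return $rc
}

# Constructed excerpts of `sshd -T` output, so the check can be tried offline.
HARDENED_SAMPLE='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
kexalgorithms mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com,curve25519-sha256'

DEFAULT_SAMPLE='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256'

printf '%s\n' "$HARDENED_SAMPLE" | check_sshd_hardening && echo "hardened sample: OK"
printf '%s\n' "$DEFAULT_SAMPLE"  | check_sshd_hardening || echo "default sample: not hardened (expected)"
```

Run it after cloud-init has finished: `sshd -T` prints the effective configuration, so the check also catches a later drop-in under sshd_config.d that silently overrides the hardened values. The kbdinteractiveauthentication keyword exists from OpenSSH 8.7; older releases print challengeresponseauthentication instead.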