8fbeb8f6b0
Restructure around a single entry point (automations.sh) with a Gum wizard and a self-extracting bundle for repo-less installs. Add scripts/oslib.sh so the provisioning scripts (setup-host, harden-ssh, harden-jumphost, sshuser) run on Alpine/Debian/Alma; seed root keys from globals/.

- ntfy SSH-login alerts (user, source IP, key, region, jump target) via pam_exec
- daily auto-updates: AUTO_REBOOT=idle reboots only when no SSH active; opt-in Alpine stable-branch upgrades (ALLOW_RELEASE_UPGRADE)
- cloud-init: generic base/jumphost + per-deployment, which harden SSH by default on fresh VMs
- pocket-id: optional WebFinger block (BASE_DOMAIN), tag v2.8.0
- headscale: fix oidc.expiry schema for 0.28 so the container starts
- Gitea release workflow on tag (TOKEN_GITEA); repo URLs -> Gitea
- README/LICENSE/.gitignore/.gitattributes (force LF)
42 lines
1.5 KiB
YAML
#cloud-config
#
# Headscale (Tailscale control server) — harden SSH, then deploy, on fresh Alpine.
#
# Fill in REPO_URL and the values in the runcmd block, then paste this as the
# instance user-data. DNS for HEADSCALE_DOMAIN must point at this host and
# ports 80/443 reachable before boot. Requires an OIDC client pre-registered
# in your pocket-id with redirect URI https://HEADSCALE_DOMAIN/oidc/callback.

packages:
  - git

runcmd:
  - hostnamectl set-hostname headscale || true
  - |
    set -e
    REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git
    REPO_BRANCH=main
    HARDEN_SSH=1   # harden SSH on this fresh VM (set 0 to skip)
    SSH_PORT=22
    ALLOWED_IP=    # optional: whitelist your client IP in sshguard
    git clone --depth 1 --branch "$REPO_BRANCH" "$REPO_URL" /opt/automations
    cd /opt/automations

    # Harden SSH on this fresh VM: PQ KEX, key-only auth, sshguard. Seeds root
    # from globals/authorized_keys (or SSH_KEYS_URL). NOTE: harden-ssh also
    # prints a generated root key to the serial console — capture it, or rely
    # on the seeded keys.
    if [ "$HARDEN_SSH" = 1 ]; then
      SSH_PORT="$SSH_PORT" ALLOWED_IP="$ALLOWED_IP" SKIP_PROMPTS=1 FORCE=1 \
        bash scripts/harden-ssh.sh
    fi

    HEADSCALE_DOMAIN=hs.example.com \
    ACME_EMAIL=admin@example.com \
    TAILNET_DOMAIN=tail.example.com \
    POCKETID_DOMAIN=auth.example.com \
    OIDC_CLIENT_ID=changeme \
    OIDC_CLIENT_SECRET=changeme \
    SKIP_PROMPTS=1 \
    bash deployments/headscale/deploy.sh
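The template above ships with changeme OIDC credentials and example.com domains, and because runcmd runs unattended with SKIP_PROMPTS=1 there is no moment at which a forgotten placeholder is caught. Added example, not code from the automations repository: a POSIX sh pre-flight check to run against the user-data file before pasting it. It refuses files that still carry the template placeholders or a visibly short OIDC client secret, and warns when the file is world-readable, since it holds a live secret. The function names (check_userdata, make_sample) and the trimmed sample layout are assumptions for this example; the sample user-data it writes is constructed for the self-check only.

```shell
#!/bin/sh
# Added example, not part of the automations repository: a pre-flight check
# for cloud-init user-data before it is pasted into a VM. The template ships
# with "changeme" OIDC credentials and example.com domains; if those reach
# runcmd, deploy.sh runs with a guessable client secret and ACME is pointed at
# a domain you do not control. Function names and the sample layout are
# assumptions made for this example.

# check_userdata FILE
# Prints every finding to stderr. Returns 0 when the file is safe to paste,
# 1 when it still carries template placeholders or is malformed.
check_userdata() {
    f=$1
    rc=0

    if [ "$(head -n 1 "$f")" != "#cloud-config" ]; then
        echo "$f: first line must be '#cloud-config' or cloud-init ignores it" >&2
        rc=1
    fi

    # Literal placeholders copied from the template.
    for pat in '=changeme' '\.example\.com'; do
        if grep -n -- "$pat" "$f" >&2; then
            echo "$f: template placeholder matching '$pat' is still present" >&2
            rc=1
        fi
    done

    # A short OIDC client secret is almost always a placeholder as well.
    secret=$(sed -n 's/^ *OIDC_CLIENT_SECRET=\([^ \\]*\).*/\1/p' "$f" | head -n 1)
    if [ -z "$secret" ] || [ "${#secret}" -lt 16 ]; then
        echo "$f: OIDC_CLIENT_SECRET is missing or shorter than 16 characters" >&2
        rc=1
    fi

    # The file holds a live secret: warn (but do not fail) if others can read it.
    if [ -n "$(find "$f" -perm -004)" ]; then
        echo "$f: warning: world-readable; chmod 600 it before use" >&2
    fi

    return "$rc"
}

# make_sample PATH DOMAIN SECRET
# Writes a constructed, trimmed copy of the template so the check can be
# exercised offline; only the fields the check inspects are included.
make_sample() {
    cat > "$1" <<EOF
#cloud-config
runcmd:
  - |
    HEADSCALE_DOMAIN=$2 \\
    OIDC_CLIENT_SECRET=$3 \\
    bash deployments/headscale/deploy.sh
EOF
}

# Usage: sh preflight.sh headscale-user-data.yml
if [ "$#" -gt 0 ]; then
    check_userdata "$1"
fi
```

Passing the check does not make the secret safe at rest on the VM: on most clouds the instance metadata service returns user-data to any local process, and cloud-init keeps a copy under /var/lib/cloud, so treat the OIDC client secret as exposed to the host and rotate it in pocket-id if the VM is ever shared or compromised.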