57_Wolve 7faa9098de feat: unified launcher, multi-OS hardening, login alerts & auto-updates
Restructure around a single entry point (automations.sh) with a Gum wizard and
a self-extracting bundle for repo-less installs. Add scripts/oslib.sh so the
provisioning scripts (setup-host, harden-ssh, harden-jumphost, sshuser) run on
Alpine/Debian/Alma; seed root keys from globals/.

- ntfy SSH-login alerts (user, source IP, key, region, jump target) via pam_exec
- daily auto-updates with AUTO_REBOOT=idle (reboots only when no SSH active) and
  opt-in Alpine stable-branch upgrades
- generic + per-deployment cloud-init; Gitea release workflow on tag
- README/LICENSE/.gitignore/.gitattributes (force LF); repo URLs -> Gitea
2026-06-12 14:56:02 -05:00

#cloud-config
#
# SimpleX Chat Relay Server - Cloud-Init Configuration
#
# This cloud-init configuration deploys a complete SimpleX relay server
# on Alpine Linux with:
# - Post-quantum SSH hardening
# - SMP + XFTP servers with Tor hidden services
# - Caddy reverse proxy with Let's Encrypt
# - awall firewall with minimal attack surface
# - Encrypted backup of all server keys
#
# Customize the environment variables below, then use this as user-data
# when creating your cloud instance.
# Use Alpine Linux (most cloud providers support it).
# Recommended: Alpine 3.19+, whose OpenSSH (9.0 or later) negotiates the
# post-quantum sntrup761x25519-sha512 key exchange by default; OpenSSH 9.9+
# adds mlkem768x25519-sha256.

# Set a hostname (optional). Alpine has no systemd, so hostnamectl does not
# exist there; cloud-init's own hostname key works on every supported distro.
hostname: simplex-relay

runcmd:
  # Run the master installer. The variables drive it non-interactively
  # (SKIP_PROMPTS=1). REMOVE_CA_KEYS=1 deletes the CA private keys from disk
  # once the encrypted backup exists, so keep AUTO_BACKUP=1 alongside it.
  # The script is fetched from the main branch; pin the URL to a commit
  # (raw/commit/<sha>/...) if you need a reproducible deployment.
  - |
    curl -fsSL https://git.anomalous.dev/57_Wolve/automations/raw/branch/main/deployments/simplex/install-simplex.sh | \
    REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git \
    DOMAIN=relay.yourdomain.com \
    ACME_EMAIL=admin@yourdomain.com \
    XFTP_QUOTA=100gb \
    SSH_PORT=2222 \
    ALLOWED_IP=your.client.ip.here \
    KEY_TYPE=rsa4096 \
    SMP_PASS= \
    XFTP_PASS= \
    SKIP_PROMPTS=1 \
    AUTO_BACKUP=1 \
    REMOVE_CA_KEYS=1 \
    DEBUG=0 \
    bash

# Optional: additional files
write_files:
  # Custom SSH banner (optional). sshd only displays it if sshd_config sets
  # "Banner /etc/ssh/banner".
  - path: /etc/ssh/banner
    content: |
      ===============================================
      SimpleX Chat Relay Server
      Authorized access only.
      All connections are logged and monitored.
      ===============================================
    permissions: '0644'

# Optional: additional packages
packages:
  - bash    # not in the Alpine base image; the installer above is piped into bash
  - sudo    # not in the Alpine base image; needed for the admin user's sudo rule
  - htop
  - nano
  - curl
  - jq

# Refresh the package index and apply pending upgrades once at first boot.
# This is a one-shot action, not recurring automatic updates.
package_update: true
package_upgrade: true

# Set timezone
timezone: UTC

# Configure locale
locale: en_US.UTF-8

# Configure SSH (these will be overridden by harden-ssh.sh)
ssh_pwauth: true      # will be disabled by harden-ssh.sh
disable_root: false   # keep root enabled for harden-ssh.sh

# Optional: add a non-root user (created before SSH hardening)
users:
  - name: admin
    groups: wheel
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    shell: /bin/bash
    # SSH hardening will restrict logins to Ed25519 keys. Add your Ed25519
    # public key here if you want this user to survive hardening:
    # ssh_authorized_keys:
    #   - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... your-key-here

# fail2ban is not configured here: the installer run from runcmd sets up
# sshguard, which is lighter and more suitable for this host.
#
# Security note: the master installer will:
# 1. Generate fresh SSH keys and disable password auth
# 2. Create an encrypted backup containing all private keys
# 3. Remove CA keys from disk (they exist only in the backup)
# 4. Lock down the firewall to required ports only
#
# Make sure to:
# 1. Download the encrypted backup immediately after deployment
# 2. Save the SSH private key from the installer output
# 3. Test SSH access (on SSH_PORT) before deploying to production
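The file above is meant to be customized before it is submitted as user-data, and the failure modes of not doing so (placeholder domain, placeholder ALLOWED_IP, CA keys removed with no backup) are silent until the instance is already up. The script below is a pre-flight check for such a file; it is an added example, not part of the automations repo. It assumes the installer is driven by NAME=value lines shaped like the runcmd block, that ALLOWED_IP is an IPv4 address or CIDR, and that the placeholder strings it looks for are the ones shipped in the file. The sample user-data it writes is constructed for the demo, with a dummy installer URL.

```shell
#!/bin/sh
# Pre-flight checks for a SimpleX relay cloud-config (added example, not the
# project's code). Assumes NAME=value lines as in the page's runcmd block,
# IPv4 for ALLOWED_IP, and the shipped placeholder strings.

# Print the value of the first NAME=value line in FILE ($1); NAME is $2.
get_var() {
  sed -n 's/^[[:space:]]*'"$2"'=\([^[:space:]\\]*\).*/\1/p' "$1" | head -n 1
}

# True if $1 is a dotted-quad IPv4 address, optionally with a /0-32 prefix.
valid_ipv4() {
  addr=${1%%/*}
  case "$1" in
    */*) pfx=${1#*/}
         case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
         [ "$pfx" -le 32 ] || return 1 ;;
  esac
  # exactly four dotted fields, digits only, none empty
  case "$addr" in
    *[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
    *.*.*.*) ;;
    *) return 1 ;;
  esac
  rest=$addr
  while [ -n "$rest" ]; do
    o=${rest%%.*}
    [ "$o" -le 255 ] || return 1
    [ "$rest" = "$o" ] && break
    rest=${rest#*.}
  done
  return 0
}

# True if $1 is a TCP port number 1-65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Report problems in FILE ($1); the return value is the number found (0 = clean).
check_userdata() {
  f=$1
  problems=0
  if [ "$(head -n 1 "$f")" != "#cloud-config" ]; then
    echo "first line must be exactly '#cloud-config' or cloud-init ignores the file"
    problems=$((problems + 1))
  fi
  # Placeholders in uncommented lines mean the file was never customized.
  for tok in yourdomain.com your.client.ip.here your-key-here; do
    if grep -v '^[[:space:]]*#' "$f" | grep -q "$tok"; then
      echo "placeholder still present: $tok"
      problems=$((problems + 1))
    fi
  done
  ip=$(get_var "$f" ALLOWED_IP)
  if ! valid_ipv4 "$ip"; then
    echo "ALLOWED_IP='$ip' is not an IPv4 address or CIDR"
    problems=$((problems + 1))
  fi
  port=$(get_var "$f" SSH_PORT)
  if ! valid_port "$port"; then
    echo "SSH_PORT='$port' is not a port number"
    problems=$((problems + 1))
  fi
  email=$(get_var "$f" ACME_EMAIL)
  case "$email" in
    *@*.*) ;;
    *) echo "ACME_EMAIL='$email' is not an e-mail address; ACME registration would fail"
       problems=$((problems + 1)) ;;
  esac
  # The CA keys survive only in the encrypted backup, so removing them from
  # disk without producing that backup destroys them.
  if [ "$(get_var "$f" REMOVE_CA_KEYS)" = 1 ] && [ "$(get_var "$f" AUTO_BACKUP)" != 1 ]; then
    echo "REMOVE_CA_KEYS=1 without AUTO_BACKUP=1: CA private keys would be deleted with no copy"
    problems=$((problems + 1))
  fi
  echo "$problems problem(s) found in $f"
  return "$problems"
}

# Constructed sample user-data (not the real file): the page's runcmd shape
# with a dummy installer URL. $1 = path, $2 = domain, $3 = ALLOWED_IP.
write_sample() {
  cat > "$1" <<EOF
#cloud-config
runcmd:
  - |
    curl -fsSL https://example.invalid/install-simplex.sh | \\
    DOMAIN=relay.$2 \\
    ACME_EMAIL=admin@$2 \\
    SSH_PORT=2222 \\
    ALLOWED_IP=$3 \\
    AUTO_BACKUP=1 \\
    REMOVE_CA_KEYS=1 \\
    bash
EOF
}

# Usage: sh check-userdata.sh user-data.yaml
#        sh check-userdata.sh demo   (checks the sample with placeholders left in)
case "${1:-}" in
  '') ;;
  demo) f=$(mktemp)
        write_sample "$f" yourdomain.com your.client.ip.here
        check_userdata "$f"
        rm -f "$f" ;;
  *) check_userdata "$1" ;;
esac
```

The exit status is the problem count, so the check drops straight into a deploy script (`sh check-userdata.sh user-data.yaml || exit`). The placeholder scan skips commented lines on purpose: the commented-out `ssh_authorized_keys` stanza may legitimately keep its `your-key-here` text.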