8fbeb8f6b0
Restructure around a single entry point (automations.sh) with a Gum wizard and a self-extracting bundle for repo-less installs. Add scripts/oslib.sh so the provisioning scripts (setup-host, harden-ssh, harden-jumphost, sshuser) run on Alpine/Debian/Alma; seed root keys from globals/.
- ntfy SSH-login alerts (user, source IP, key, region, jump target) via pam_exec
- daily auto-updates: AUTO_REBOOT=idle reboots only when no SSH active; opt-in Alpine stable-branch upgrades (ALLOW_RELEASE_UPGRADE)
- cloud-init: generic base/jumphost + per-deployment, which harden SSH by default on fresh VMs
- pocket-id: optional WebFinger block (BASE_DOMAIN), tag v2.8.0
- headscale: fix oidc.expiry schema for 0.28 so the container starts
- Gitea release workflow on tag (TOKEN_GITEA); repo URLs -> Gitea
- README/LICENSE/.gitignore/.gitattributes (force LF)
39 lines
1.4 KiB
YAML
#cloud-config
#
# WebFinger + redirect — harden SSH, then deploy, on a fresh Alpine host.
#
# Fill in REPO_URL and the values in the runcmd block, then paste this as the
# instance user-data. DNS for BASE_DOMAIN must point at this host and ports
# 80/443 must be reachable before boot, or the LE cert request fails.

packages:
  - git

runcmd:
  - hostnamectl set-hostname webfinger || true
  - |
    set -e
    REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git
    REPO_BRANCH=main
    HARDEN_SSH=1 # harden SSH on this fresh VM (set 0 to skip)
    SSH_PORT=22
    ALLOWED_IP= # optional: whitelist your client IP in sshguard
    git clone --depth 1 --branch "$REPO_BRANCH" "$REPO_URL" /opt/automations
    cd /opt/automations

    # Harden SSH on this fresh VM: PQ KEX, key-only auth, sshguard. Seeds root
    # from globals/authorized_keys (or SSH_KEYS_URL). NOTE: harden-ssh also
    # prints a generated root key to the serial console — capture it, or rely
    # on the seeded keys.
    if [ "$HARDEN_SSH" = 1 ]; then
      SSH_PORT="$SSH_PORT" ALLOWED_IP="$ALLOWED_IP" SKIP_PROMPTS=1 FORCE=1 \
        bash scripts/harden-ssh.sh
    fi

    BASE_DOMAIN=example.com \
    ISSUER_URL=https://auth.example.com \
    REDIRECT_URL=https://example.org \
    ACME_EMAIL=admin@example.com \
    SKIP_PROMPTS=1 \
    bash deployments/webfinger/deploy.sh
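Review bot: the first runcmd entry, `hostnamectl set-hostname webfinger || true`, is a silent no-op on the Alpine host this file targets: Alpine runs OpenRC rather than systemd, so hostnamectl is normally not installed and the `|| true` only masks the failure, leaving the hostname unset. Either use cloud-init's own `hostname: webfinger` top-level key, which works across the Alpine/Debian/Alma targets named in the commit message, or fall back explicitly, e.g. `hostnamectl set-hostname webfinger 2>/dev/null || { echo webfinger > /etc/hostname; hostname webfinger; }`.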