7faa9098de
Restructure around a single entry point (automations.sh) with a Gum wizard and a self-extracting bundle for repo-less installs. Add scripts/oslib.sh so the provisioning scripts (setup-host, harden-ssh, harden-jumphost, sshuser) run on Alpine/Debian/Alma; seed root keys from globals/.

- ntfy SSH-login alerts (user, source IP, key, region, jump target) via pam_exec
- daily auto-updates with AUTO_REBOOT=idle (reboots only when no SSH active) and opt-in Alpine stable-branch upgrades
- generic + per-deployment cloud-init; Gitea release workflow on tag
- README/LICENSE/.gitignore/.gitattributes (force LF); repo URLs -> Gitea
99 lines
3.0 KiB
YAML
#cloud-config
#
# SimpleX Chat Relay Server - Cloud-Init Configuration
#
# This cloud-init configuration deploys a complete SimpleX relay server
# on Alpine Linux with:
# - Post-quantum SSH hardening
# - SMP + XFTP servers with Tor hidden services
# - Caddy reverse proxy with Let's Encrypt
# - awall firewall with minimal attack surface
# - Encrypted backup of all server keys
#
# Customize the environment variables below, then use this as user-data
# when creating your cloud instance.

# Use Alpine Linux (most cloud providers support it)
# Recommended: Alpine 3.19+ for latest OpenSSH with PQ KEX support

# Set a hostname (optional). Done through cloud-init's own hostname module,
# because hostnamectl is a systemd tool and is not available on Alpine/OpenRC.
hostname: simplex-relay

runcmd:
  # Run the master installer
  - |
    curl -fsSL https://git.anomalous.dev/57_Wolve/automations/raw/branch/main/deployments/simplex/install-simplex.sh | \
    REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git \
    DOMAIN=relay.yourdomain.com \
    ACME_EMAIL=admin@yourdomain.com \
    XFTP_QUOTA=100gb \
    SSH_PORT=2222 \
    ALLOWED_IP=your.client.ip.here \
    KEY_TYPE=rsa4096 \
    SMP_PASS= \
    XFTP_PASS= \
    SKIP_PROMPTS=1 \
    AUTO_BACKUP=1 \
    REMOVE_CA_KEYS=1 \
    DEBUG=0 \
    bash

# Optional: Configure additional settings
write_files:
  # Custom SSH banner (optional)
  - path: /etc/ssh/banner
    content: |
      ===============================================
      SimpleX Chat Relay Server

      Authorized access only.
      All connections are logged and monitored.
      ===============================================
    permissions: '0644'

# Packages installed before runcmd executes. bash is not part of the Alpine
# base image but is required by the "curl ... | bash" pipeline above and by
# the admin user's shell below; the remaining packages are optional conveniences.
packages:
  - bash
  - htop
  - nano
  - curl
  - jq

# Refresh the package index and upgrade all installed packages on first boot
package_update: true
package_upgrade: true

# Set timezone
timezone: UTC

# Configure locale
locale: en_US.UTF-8

# Configure SSH (these will be overridden by harden-ssh.sh)
ssh_pwauth: true # Will be disabled by harden-ssh.sh
disable_root: false # Keep root enabled for harden-ssh.sh

# Optional: Add non-root user (created before SSH hardening)
users:
  - name: admin
    groups: wheel
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    shell: /bin/bash
    # Note: SSH hardening will restrict to Ed25519 keys only
    # Add your Ed25519 public key here if you want this user to survive hardening:
    # ssh_authorized_keys:
    #   - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... your-key-here

# Optional: Configure fail2ban (will be replaced by sshguard)
# runcmd will install sshguard which is lighter and more suitable

# Security note: The master installer will:
# 1. Generate fresh SSH keys and disable password auth
# 2. Create an encrypted backup containing all private keys
# 3. Remove CA keys from disk (they exist only in the backup)
# 4. Lock down the firewall to required ports only
#
# Make sure to:
# 1. Download the encrypted backup immediately after deployment
# 2. Save the SSH private key from the installer output
# 3. Test SSH access before deploying to production