Built the Sentinel Tab
This commit is contained in:
102
infrastructure/desineuron_ingress/user_data.sh
Normal file
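--- a/infrastructure/desineuron_ingress/user_data.sh
+++ b/infrastructure/desineuron_ingress/user_data.sh
@@ -0,0 +1,102 @@
+#!/bin/bash
+set -euxo pipefail
+
+exec > >(tee /var/log/desineuron-ingress-bootstrap.log | logger -t user-data -s 2>/dev/console) 2>&1
+
+dnf update -y
+dnf install -y curl tar gzip unzip jq policycoreutils-python-utils
+
+systemctl enable amazon-ssm-agent
+systemctl restart amazon-ssm-agent
+
+useradd --system --home /var/lib/caddy --shell /sbin/nologin caddy || true
+install -d -o caddy -g caddy -m 0755 /etc/caddy /var/lib/caddy /var/log/caddy
+install -d -m 0755 /etc/rathole /opt/rathole
+
+cat >/etc/ssh/sshd_config.d/10-desineuron-hardening.conf <<'EOF'
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+PermitRootLogin no
+PubkeyAuthentication yes
+EOF
+systemctl restart sshd
+
+CADDY_VERSION="v2.10.2"
+CADDY_URL="https://github.com/caddyserver/caddy/releases/download/${CADDY_VERSION}/caddy_2.10.2_linux_arm64.tar.gz"
+RATHOLE_VERSION="v0.4.3"
+RATHOLE_URL="https://github.com/rapiz1/rathole/releases/download/${RATHOLE_VERSION}/rathole-aarch64-unknown-linux-musl.zip"
+
+tmp_dir="$(mktemp -d)"
+cd "$tmp_dir"
+curl -fL "$CADDY_URL" -o caddy.tar.gz
+tar -xzf caddy.tar.gz
+install -m 0755 caddy /usr/local/bin/caddy
+setcap cap_net_bind_service=+ep /usr/local/bin/caddy || true
+
+curl -fL "$RATHOLE_URL" -o rathole.zip
+python3 - <<'PY'
+import zipfile
+z = zipfile.ZipFile("rathole.zip")
+z.extractall(".")
+PY
+install -m 0755 rathole /usr/local/bin/rathole
+rm -rf "$tmp_dir"
+
+cat >/etc/systemd/system/caddy.service <<'EOF'
+[Unit]
+Description=Caddy
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+User=caddy
+Group=caddy
+ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
+ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile
+TimeoutStopSec=5s
+LimitNOFILE=1048576
+PrivateTmp=true
+ProtectSystem=full
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat >/etc/systemd/system/rathole-server.service <<'EOF'
+[Unit]
+Description=Desineuron Rathole Server
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/rathole /etc/rathole/server.toml
+Restart=always
+RestartSec=5
+User=root
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat >/etc/logrotate.d/caddy <<'EOF'
+/var/log/caddy/*.log {
+daily
+rotate 14
+compress
+missingok
+notifempty
+copytruncate
+}
+EOF
+
+touch /etc/caddy/Caddyfile
+touch /etc/rathole/server.toml
+
+systemctl daemon-reload
+systemctl enable caddy.service
+systemctl enable rathole-server.service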
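Review bot: The Caddy and rathole binaries fetched with `curl -fL` and installed into /usr/local/bin are never integrity-checked — the release tag is pinned, but nothing ties the downloaded tarball/zip to that release, so a tampered download (or a redirect, which `-L` follows to any scheme) becomes arbitrary code running as root on every boot; pin each artifact's SHA-256 next to its version, verify with `sha256sum -c` before `install`, and add `--proto '=https'` to both curl calls. Separately, rathole-server.service runs as `User=root` with none of the sandboxing the caddy unit gets, and `touch /etc/rathole/server.toml` creates the config at the root umask default (typically 0644); if that file will hold the tunnel token, as rathole's server config usually does, create it with `install -m 0600 /dev/null /etc/rathole/server.toml` and run the service as a dedicated system user, granting `AmbientCapabilities=CAP_NET_BIND_SERVICE` only if it must bind a privileged port. Minor: `unzip` is installed but the zip is extracted via a python3 heredoc instead — either use `unzip -o rathole.zip` or drop the package. The `set -x` trace also goes to the console and bootstrap log via the `exec` line, so any token later written into server.toml by this script would be logged; keep secret material out of this file or wrap those lines in `set +x`/`set -x`.
```shell
# … unchanged: package install, sshd hardening …
CADDY_VERSION="v2.10.2"
CADDY_SHA256="<sha256 from the Caddy release checksums file for caddy_2.10.2_linux_arm64.tar.gz>"
RATHOLE_VERSION="v0.4.3"
RATHOLE_SHA256="<sha256 of rathole-aarch64-unknown-linux-musl.zip, recorded when pinning the version>"
# … unchanged: URL definitions, mktemp, cd …
curl -fL --proto '=https' --tlsv1.2 "$CADDY_URL" -o caddy.tar.gz
printf '%s  caddy.tar.gz\n' "$CADDY_SHA256" | sha256sum -c -   # abort bootstrap on mismatch (set -e)
# … unchanged: tar, install, setcap …
curl -fL --proto '=https' --tlsv1.2 "$RATHOLE_URL" -o rathole.zip
printf '%s  rathole.zip\n' "$RATHOLE_SHA256" | sha256sum -c -
unzip -o rathole.zip
# … unchanged: install rathole, cleanup, caddy unit …
useradd --system --home /opt/rathole --shell /sbin/nologin rathole || true
# … in rathole-server.service [Service]: replace User=root with …
User=rathole
Group=rathole
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ProtectSystem=full
PrivateTmp=true
# … unchanged: logrotate …
install -m 0600 -o rathole -g rathole /dev/null /etc/rathole/server.toml   # token file must not be world-readable
```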