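#!/bin/bash
# Bootstrap an ingress host: harden sshd, install Caddy and a rathole server
# as systemd services, and leave empty config files for a later step to fill.
#
# Requires:  root on a dnf-based, systemd host with the SSM agent installed.
# Optional:  CADDY_SHA256 / RATHOLE_SHA256 - expected sha256 hex digests of the
#            downloaded release artifacts (take them from each release's
#            checksums file). When set, a mismatch aborts the install; when
#            empty, the download is installed unverified, as before.
set -euxo pipefail

# Mirror all output to a local log and to syslog/console: user-data runs
# unattended, so this is the only trace of what happened. Note that set -x
# echoes every expanded command into this log.
exec > >(tee /var/log/desineuron-ingress-bootstrap.log | logger -t user-data -s 2>/dev/console) 2>&1

#######################################
# Print an error to stderr and abort the bootstrap.
# Arguments: $* - message
#######################################
die() { printf 'bootstrap: %s\n' "$*" >&2; exit 1; }

#######################################
# Verify a downloaded file against an optional expected sha256.
# Arguments: $1 - file path
#            $2 - expected hex digest; empty skips the check (with a warning)
# Returns:   0 on match or when no digest is pinned; exits on mismatch
#######################################
verify_sha256() {
  local file=$1 expected=$2 actual
  if [[ -z "$expected" ]]; then
    printf 'bootstrap: no checksum pinned for %s; installing unverified\n' "$file" >&2
    return 0
  fi
  read -r actual _ < <(sha256sum -- "$file")
  [[ "$actual" == "$expected" ]] \
    || die "checksum mismatch for $file: got $actual, expected $expected"
}

dnf update -y
dnf install -y curl tar gzip unzip jq policycoreutils-python-utils

systemctl enable amazon-ssm-agent
systemctl restart amazon-ssm-agent

# Service account for Caddy (created once; re-runs must not mask a real
# useradd failure). rathole runs as root, see its unit below.
id -u caddy >/dev/null 2>&1 \
  || useradd --system --home /var/lib/caddy --shell /sbin/nologin caddy
install -d -o caddy -g caddy -m 0755 /etc/caddy /var/lib/caddy /var/log/caddy
install -d -m 0755 /etc/rathole /opt/rathole

# Key-only SSH. Validate the merged config before restarting so a bad
# drop-in cannot leave the host unreachable.
cat >/etc/ssh/sshd_config.d/10-desineuron-hardening.conf <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
EOF
sshd -t || die "sshd configuration failed validation; sshd not restarted"
systemctl restart sshd

# Release artifacts. The file name is derived from the version and the host
# architecture so the two cannot drift apart (Caddy names assets
# linux_<goarch>, rathole uses a musl target triple).
CADDY_VERSION="v2.10.2"
RATHOLE_VERSION="v0.4.3"
case "$(uname -m)" in
  aarch64) caddy_arch=arm64; rathole_triple=aarch64-unknown-linux-musl ;;
  x86_64)  caddy_arch=amd64; rathole_triple=x86_64-unknown-linux-musl ;;
  *) die "unsupported architecture: $(uname -m)" ;;
esac
CADDY_URL="https://github.com/caddyserver/caddy/releases/download/${CADDY_VERSION}/caddy_${CADDY_VERSION#v}_linux_${caddy_arch}.tar.gz"
RATHOLE_URL="https://github.com/rapiz1/rathole/releases/download/${RATHOLE_VERSION}/rathole-${rathole_triple}.zip"
# Expected digests; empty disables verification (see header).
CADDY_SHA256="${CADDY_SHA256:-}"
RATHOLE_SHA256="${RATHOLE_SHA256:-}"

# Scratch space is removed on every exit path, not only on success.
tmp_dir="$(mktemp -d)"
trap 'rm -rf -- "$tmp_dir"' EXIT
cd "$tmp_dir"

# Downloads are pinned to HTTPS, including across the GitHub asset redirect.
curl -fsSL --proto '=https' --proto-redir '=https' --tlsv1.2 "$CADDY_URL" -o caddy.tar.gz
verify_sha256 caddy.tar.gz "$CADDY_SHA256"
tar -xzf caddy.tar.gz caddy
install -m 0755 caddy /usr/local/bin/caddy
# The unit grants CAP_NET_BIND_SERVICE via AmbientCapabilities, so the file
# capability only matters for running caddy outside systemd; best effort.
setcap cap_net_bind_service=+ep /usr/local/bin/caddy || true

curl -fsSL --proto '=https' --proto-redir '=https' --tlsv1.2 "$RATHOLE_URL" -o rathole.zip
verify_sha256 rathole.zip "$RATHOLE_SHA256"
unzip -o -q rathole.zip rathole
install -m 0755 rathole /usr/local/bin/rathole

cat >/etc/systemd/system/caddy.service <<'EOF'
[Unit]
Description=Caddy
After=network-online.target
Wants=network-online.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

# rathole still runs as root (its listener ports are not known here, so a
# dedicated user plus CAP_NET_BIND_SERVICE is left as a follow-up); the
# sandboxing directives below only need read access to /etc/rathole.
cat >/etc/systemd/system/rathole-server.service <<'EOF'
[Unit]
Description=Desineuron Rathole Server
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/rathole /etc/rathole/server.toml
Restart=always
RestartSec=5
User=root
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
EOF

cat >/etc/logrotate.d/caddy <<'EOF'
/var/log/caddy/*.log {
    daily
    rotate 14
    compress
    missingok
    notifempty
    copytruncate
}
EOF

# Placeholder configs, filled in by a later step; existing files are kept.
# The Caddyfile stays root-owned so the caddy user cannot rewrite its own
# config. The rathole server config is read only by root and presumably
# carries the tunnel token (verify against the config that gets deployed),
# so it is created 0600 rather than with touch's umask-derived 0644.
[[ -e /etc/caddy/Caddyfile ]] || install -m 0644 /dev/null /etc/caddy/Caddyfile
[[ -e /etc/rathole/server.toml ]] || install -m 0600 /dev/null /etc/rathole/server.toml
chmod 0600 /etc/rathole/server.toml

systemctl daemon-reload
systemctl enable caddy.service
systemctl enable rathole-server.service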