137 lines
3.5 KiB
Bash
Executable file
137 lines
3.5 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
##
|
|
echo "== Fetch Source Code (from git)"
|
|
# We store all initial configs in the /srv location
|
|
cd /srv
|
|
# Clone if not yet cloned
|
|
if [ ! -d .git ]; then
|
|
git clone \
|
|
--depth 1 \
|
|
--no-checkout \
|
|
--filter=tree:0 \
|
|
https://github.com/tjo-space/tjo-cloud-infrastructure.git .
|
|
git sparse-checkout set --no-cone /ingress.tjo.cloud
|
|
git checkout
|
|
else
|
|
git pull --depth=1 --rebase
|
|
fi
|
|
# Enter ingress directory
|
|
cd /srv/ingress.tjo.cloud
|
|
|
|
##
|
|
echo "== Configure Metadata"
|
|
SERVICE_NAME="ingress.tjo.cloud"
|
|
SERVICE_VERSION="$(git describe --tags --always --dirty)"
|
|
CLOUD_REGION="$(hostname -s)"
|
|
|
|
SERVICE_ACCOUNT_USERNAME=$(jq -r ".service_account.username" /etc/tjo.cloud/meta.json)
|
|
SERVICE_ACCOUNT_PASSWORD=$(jq -r ".service_account.password" /etc/tjo.cloud/meta.json)
|
|
|
|
TAILSCALE_AUTH_KEY=$(jq -r ".tailscale.auth_key" /etc/tjo.cloud/meta.json)
|
|
|
|
DIGITALOCEAN_TOKEN=$(jq -r ".digitalocean.token" /etc/tjo.cloud/meta.json)
|
|
|
|
##
|
|
echo "== Install Dependencies"
|
|
apt update -y
|
|
|
|
apt install -y \
|
|
gpg \
|
|
git \
|
|
ufw \
|
|
nginx \
|
|
nginx-extras \
|
|
libnginx-mod-http-geoip2 \
|
|
libnginx-mod-stream-geoip2
|
|
|
|
# Grafana Alloy
|
|
mkdir -p /etc/apt/keyrings/
|
|
wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor >/etc/apt/keyrings/grafana.gpg
|
|
echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" >/etc/apt/sources.list.d/grafana.list
|
|
apt update -y
|
|
apt install -y alloy
|
|
|
|
# Tailscale
|
|
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.noarmor.gpg >/usr/share/keyrings/tailscale-archive-keyring.gpg
|
|
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.tailscale-keyring.list >/etc/apt/sources.list.d/tailscale.list
|
|
apt update -y
|
|
apt install -y tailscale
|
|
|
|
##
|
|
echo "== Configure Grafana Alloy"
|
|
cp -r root/etc/alloy/* /etc/alloy/
|
|
cp -r root/etc/default/alloy /etc/default/alloy
|
|
# Set Attributes
|
|
ATTRIBUTES=""
|
|
ATTRIBUTES+="service.name=${SERVICE_NAME},"
|
|
ATTRIBUTES+="service.version=${SERVICE_VERSION},"
|
|
ATTRIBUTES+="cloud.region=${CLOUD_REGION}"
|
|
echo "OTEL_RESOURCE_ATTRIBUTES=${ATTRIBUTES}" >>/etc/default/alloy
|
|
# set credentials
|
|
{
|
|
echo "alloy_username=${SERVICE_ACCOUNT_USERNAME}"
|
|
echo "alloy_password=${SERVICE_ACCOUNT_PASSWORD}"
|
|
} >>/etc/default/alloy
|
|
systemctl enable --now alloy
|
|
systemctl restart alloy
|
|
|
|
##
|
|
echo "== Configure Dyndns"
|
|
cp -r root/etc/default/dyndns /etc/default/dyndns
|
|
{
|
|
echo "DIGITALOCEAN_TOKEN=${DIGITALOCEAN_TOKEN}"
|
|
echo "NAME=${CLOUD_REGION}"
|
|
} >>/etc/default/dyndns
|
|
systemctl enable --now dyndns
|
|
systemctl restart dyndns
|
|
|
|
##
|
|
echo "== Configure Tailscale"
|
|
systemctl enable --now tailscaled
|
|
if tailscale status --json | jq -e -r '.BackendState != "Running"' >/dev/null; then
|
|
tailscale up \
|
|
--ssh=true \
|
|
--accept-routes=true \
|
|
--accept-dns=false \
|
|
--advertise-tags="tag:ingress-tjo-cloud" \
|
|
--hostname="$(hostname -f | sed 's/\./-/g')" \
|
|
--authkey="${TAILSCALE_AUTH_KEY}"
|
|
else
|
|
echo "Tailscale is already running"
|
|
fi
|
|
|
|
##
|
|
echo "== Configure SSH"
|
|
cat <<EOF >/etc/ssh/sshd_config.d/port-2222.conf
|
|
Port 2222
|
|
EOF
|
|
systemctl restart ssh
|
|
|
|
##
|
|
echo "== Configure UFW"
|
|
# Should basically match nginx.conf
|
|
ufw default deny incoming
|
|
ufw default allow outgoing
|
|
|
|
ufw allow in on tailscale0
|
|
|
|
ufw allow 22 # GIT
|
|
ufw allow 25 # EMAIL
|
|
ufw allow 143 # EMAIL
|
|
ufw allow 443 # HTTPS
|
|
ufw allow 465 # EMAIL
|
|
ufw allow 587 # EMAIL
|
|
ufw allow 993 # EMAIL
|
|
ufw allow 4190 # EMAIL
|
|
|
|
ufw --force enable
|
|
systemctl enable ufw
|
|
|
|
##
|
|
echo "== Configure NGINX"
|
|
cp assets/dbip-city-lite-2023-07.mmdb /var/geoip.mmdb
|
|
cp -r root/etc/nginx/* /etc/nginx/
|
|
systemctl enable --now nginx
|
|
systemctl reload nginx
|