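#!/usr/bin/env bash
#
# Provision an ingress.tjo.cloud node: fetch the config repo into /srv,
# install nginx / Grafana Alloy / Tailscale, then apply the host config
# (Alloy env, Tailscale, sshd port, ufw, nginx).
#
# Inputs (read from /etc/tjo.cloud/meta.json):
#   .service_account.username / .service_account.password  Alloy credentials
#   .tailscale.auth_key                                      Tailscale auth key
#
# Must run as root. Re-runnable: the repo is cloned once and pulled after,
# config files are copied over (overwritten) on every run.
set -euo pipefail

SRC_DIR=/srv
META_FILE=/etc/tjo.cloud/meta.json
REPO_URL=https://code.tjo.space/tjo-cloud/ingress.git

##
echo "== Bootstrap"
# git, jq and curl are used before the main dependency install below, so make
# sure they exist first (cheap no-op when they already do).
if ! command -v git >/dev/null || ! command -v jq >/dev/null || ! command -v curl >/dev/null; then
  apt-get update -y
  apt-get install -y git jq curl ca-certificates
fi

##
echo "== Fetch Source Code (from git)"
# We store all initial configs in the /srv location
cd "$SRC_DIR"

# Clone if not yet cloned, otherwise bring the checkout up to date.
if [[ ! -d .git ]]; then
  git clone --depth 1 "$REPO_URL" .
else
  git pull
fi

##
echo "== Configure Metadata"
if [[ ! -r "$META_FILE" ]]; then
  printf 'missing or unreadable metadata file: %s\n' "$META_FILE" >&2
  exit 1
fi

SERVICE_NAME="ingress.tjo.cloud"
SERVICE_VERSION="$(git describe --tags --always --dirty)"
CLOUD_REGION="$(hostname -s)"
# `jq -e` exits non-zero when the key is missing/null, and set -e then aborts
# the script — otherwise a missing key would silently become the credential
# string "null".
SERVICE_ACCOUNT_USERNAME=$(jq -er '.service_account.username' "$META_FILE")
SERVICE_ACCOUNT_PASSWORD=$(jq -er '.service_account.password' "$META_FILE")
TAILSCALE_AUTH_KEY=$(jq -er '.tailscale.auth_key' "$META_FILE")

##
echo "== Install Dependencies"
# apt-get has a stable CLI for scripts; `apt` warns about non-interactive use.
apt-get update -y
apt-get install -y \
  gpg \
  git \
  ufw \
  nginx \
  nginx-extras \
  libnginx-mod-http-geoip2 \
  libnginx-mod-stream-geoip2

# Grafana Alloy (signed-by keyring fetched over HTTPS; no key fingerprint pin here)
mkdir -p /etc/apt/keyrings/
curl -fsSL https://apt.grafana.com/gpg.key | gpg --dearmor >/etc/apt/keyrings/grafana.gpg
echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" >/etc/apt/sources.list.d/grafana.list
apt-get update -y
apt-get install -y alloy

# Tailscale — the repo list is pinned to Ubuntu "noble"; adjust when the base image changes.
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.noarmor.gpg >/usr/share/keyrings/tailscale-archive-keyring.gpg
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.tailscale-keyring.list >/etc/apt/sources.list.d/tailscale.list
apt-get update -y
apt-get install -y tailscale

##
echo "== Ensure services are enabled"
systemctl enable --now nginx alloy tailscaled

##
echo "== Configure Grafana Alloy"
cp -r root/etc/alloy/* /etc/alloy/
cp root/etc/default/alloy /etc/default/alloy
# This file receives the service-account password below, so it must not stay
# world-readable. Presumably only systemd reads it (as root, via EnvironmentFile=),
# so root-only is enough — confirm against the alloy unit if Alloy fails to start.
chmod 0600 /etc/default/alloy

# Set OTEL resource attributes
ATTRIBUTES="service.name=${SERVICE_NAME},"
ATTRIBUTES+="service.version=${SERVICE_VERSION},"
ATTRIBUTES+="cloud.region=${CLOUD_REGION}"
printf 'OTEL_RESOURCE_ATTRIBUTES=%s\n' "$ATTRIBUTES" >>/etc/default/alloy

# Set credentials (appended after the copy above, so re-runs do not duplicate them)
{
  printf 'ALLOY_USERNAME=%s\n' "$SERVICE_ACCOUNT_USERNAME"
  printf 'ALLOY_PASSWORD=%s\n' "$SERVICE_ACCOUNT_PASSWORD"
} >>/etc/default/alloy
systemctl restart alloy

##
echo "== Configure Tailscale"
# Only run `tailscale up` when the backend is not already running; flag changes
# on an already-joined node are therefore not applied by this script.
if tailscale status --json | jq -e '.BackendState != "Running"' >/dev/null; then
  # Tailscale hostnames cannot contain dots, so replace them with dashes.
  ts_hostname="$(hostname -f)"
  ts_hostname="${ts_hostname//./-}"
  # NOTE(review): the auth key is passed on argv and is visible in `ps` for the
  # duration of this call; newer tailscale versions accept --auth-key=file:<path>
  # — confirm the installed version before switching.
  tailscale up \
    --ssh=true \
    --accept-routes=true \
    --accept-dns=false \
    --advertise-tags="tag:ingress-tjo-cloud" \
    --hostname="$ts_hostname" \
    --authkey="${TAILSCALE_AUTH_KEY}"
else
  echo "Tailscale is already running"
fi

##
echo "== Configure SSH"
# Move sshd off port 22 (22 is opened for the git service below).
cat >/etc/ssh/sshd_config.d/port-2222.conf <<'EOF'
Port 2222
EOF
# NOTE(review): on Ubuntu releases where ssh is socket-activated (ssh.socket),
# a Port directive in sshd_config may not take effect without also overriding
# the socket's ListenStream= — verify with `ss -ltnp` after the restart.
# Validate the config before restarting so a bad drop-in cannot lock us out.
sshd -t
systemctl restart ssh

##
echo "== Configure UFW"
# Should basically match nginx.conf. Port 2222 (sshd) is deliberately not
# opened to the world: SSH is reachable only over tailscale0 (and Tailscale SSH).
ufw default deny incoming
ufw default allow outgoing
ufw allow in on tailscale0
ufw allow 22   # GIT
ufw allow 25   # EMAIL
ufw allow 143  # EMAIL
ufw allow 443  # HTTPS
ufw allow 465  # EMAIL
ufw allow 587  # EMAIL
ufw allow 993  # EMAIL
ufw allow 4190 # EMAIL
ufw --force enable
systemctl enable ufw

##
echo "== Configure NGINX"
cp assets/dbip-city-lite-2023-07.mmdb /var/geoip.mmdb
cp -r root/etc/nginx/* /etc/nginx/
# Validate before reloading; a broken config would otherwise leave nginx
# serving the old config silently (or fail the reload under set -e).
nginx -t
systemctl reload nginx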