diff --git a/proxy/install.sh b/proxy/install.sh new file mode 100644 index 0000000..a8994c3 --- /dev/null +++ b/proxy/install.sh @@ -0,0 +1,126 @@ +#!/bin/bash +# install.sh - Automated deployment of Proxy Server with Tailscale + Nginx Proxy Manager +# Usage: curl -fsSL https://gitea.arnodo.fr/Damien/infra-scripts/raw/branch/main/proxy/install.sh | bash + +set -euo pipefail + +# Colors for logging +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +NC='\033[0m' + +log_info() { echo -e "${GREEN}[INFO]${NC} $1"; } +log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; } +log_error() { echo -e "${RED}[ERROR]${NC} $1"; } + +# Pre-flight checks +check_root() { + if [[ $EUID -eq 0 ]]; then + log_error "Do not run as root directly. Use a user with sudo privileges." + exit 1 + fi + if ! sudo -v; then + log_error "User must have sudo privileges." + exit 1 + fi +} + +check_debian() { + if ! grep -qi debian /etc/os-release 2>/dev/null; then + log_warn "This script is optimized for Debian. Continuing anyway..." + fi +} + +# Configuration variables (can be overridden via environment) +HOSTNAME="${PROXY_HOSTNAME:-proxy}" +NPM_DIR="$HOME/npm" +TIMEZONE="${TZ:-Europe/Paris}" + +main() { + log_info "=== Proxy Server Deployment ===" + + check_root + check_debian + + log_info "Setting hostname to: $HOSTNAME" + echo "$HOSTNAME" | sudo tee /etc/hostname > /dev/null + sudo hostnamectl set-hostname "$HOSTNAME" + + log_info "Installing base packages..." + sudo apt update -qq + sudo apt install -y -qq vim ca-certificates curl gnupg lsb-release fail2ban unattended-upgrades > /dev/null + + log_info "Installing Tailscale..." + curl -fsSL https://tailscale.com/install.sh | sh + + log_info "Connecting to Tailscale..." + sudo tailscale up --ssh --advertise-exit-node + + log_info "Configuring sysctl for exit-node support..." + echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-tailscale.conf > /dev/null + echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf > /dev/null + sudo sysctl -p /etc/sysctl.d/99-tailscale.conf > /dev/null + + log_info "Installing Docker..." + sudo mkdir -m 0755 -p /etc/apt/keyrings + curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg + echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null + sudo apt update -qq + sudo apt install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin > /dev/null + + log_info "Configuring UFW firewall..." + sudo ufw --force reset > /dev/null + sudo ufw default deny incoming > /dev/null + sudo ufw default allow outgoing > /dev/null + # Allow HTTP/HTTPS from public internet + sudo ufw allow 80/tcp > /dev/null + sudo ufw allow 443/tcp > /dev/null + # Allow all traffic on Tailscale interface (SSH, admin, etc.) + sudo ufw allow in on tailscale0 > /dev/null + sudo ufw --force enable > /dev/null + + log_info "Creating NPM stack..." + mkdir -p "$NPM_DIR" + cat > "$NPM_DIR/docker-compose.yml" << EOF +services: + npm: + image: jc21/nginx-proxy-manager:latest + container_name: nginx-proxy-manager + restart: unless-stopped + ports: + # Public ports for reverse proxy + - "80:80" + - "443:443" + # Admin port bound to localhost only (exposed via Tailscale serve) + - "127.0.0.1:81:81" + volumes: + - ./data:/data + - ./letsencrypt:/etc/letsencrypt + environment: + - TZ=${TIMEZONE} +EOF + + log_info "Starting Nginx Proxy Manager..." + cd "$NPM_DIR" + docker compose up -d + + log_info "Exposing NPM admin panel via Tailscale..." + sudo tailscale serve --bg http://localhost:81 + + # Get Tailscale hostname for final message + TS_HOSTNAME=$(tailscale status --json | grep -o '"DNSName":"[^"]*' | head -1 | cut -d'"' -f4 | sed 's/\.$//') + + echo "" + log_info "==========================================" + log_info "Deployment complete!" + log_info "==========================================" + echo "" + echo "Access NPM admin panel at: https://${TS_HOSTNAME}" + echo "Default login: admin@example.com / changeme" + echo "" + echo "Note: Approve exit-node in Tailscale admin console if needed" + echo "" +} + +main "$@"