fix(seedbox): add --accept-routes and secure SSH via Tailnet only
- Add the --accept-routes flag to `tailscale up` so this node accepts subnet routes advertised on the tailnet
- Schedule the SSH lockdown via `at` so access is not cut while setup is still running
- After the 2-minute delay, SSH is only reachable on the Tailscale interface (tailscale0)
@@ -76,12 +76,15 @@ main() {
|
|||||||
git \
|
git \
|
||||||
> /dev/null
|
> /dev/null
|
||||||
|
|
||||||
|
# Ensure atd service is running (needed for delayed SSH lockdown)
|
||||||
|
sudo systemctl enable --now atd
|
||||||
|
|
||||||
# Step 4: Install Tailscale
|
# Step 4: Install Tailscale
|
||||||
log_info "Installing Tailscale..."
|
log_info "Installing Tailscale..."
|
||||||
curl -fsSL https://tailscale.com/install.sh | sh
|
curl -fsSL https://tailscale.com/install.sh | sh
|
||||||
|
|
||||||
log_info "Connecting to Tailscale (without SSH management)..."
|
log_info "Connecting to Tailscale with --accept-routes..."
|
||||||
sudo tailscale up
|
sudo tailscale up --accept-routes
|
||||||
|
|
||||||
# Get Tailscale hostname for display
|
# Get Tailscale hostname for display
|
||||||
TS_FQDN=$(tailscale status --json 2>/dev/null | awk -F'"' '
|
TS_FQDN=$(tailscale status --json 2>/dev/null | awk -F'"' '
|
||||||
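Review bot: `sudo systemctl enable --now atd` on the new line assumes the `at` package is already installed, and nothing in this hunk installs it; on a fresh host without it the unit does not exist and the command fails, so the later lockdown can never be scheduled. The package-install command whose tail (`git \`) is visible at the top of the hunk begins outside it, so I can't confirm whether `at` is in that list — if it isn't, add `at \` next to `git \` in that list, or guard the enable with `command -v at >/dev/null || sudo apt-get install -y at`. Also worth a comment next to `--accept-routes`: combined with `ufw allow in on tailscale0` below, this host will forward traffic to any subnet another tailnet node advertises, so note that the accepted routes are governed by the tailnet ACL/route approvals, e.g. `# --accept-routes: trust subnet routes approved in the tailnet admin console`. The enclosing `main()` starts before this hunk and continues after it.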
@@ -117,24 +120,36 @@ EOF
|
|||||||
log_info "Adding current user to docker group..."
|
log_info "Adding current user to docker group..."
|
||||||
sudo usermod -aG docker "$USER"
|
sudo usermod -aG docker "$USER"
|
||||||
|
|
||||||
# Step 7: Configure UFW firewall
|
# Step 7: Configure UFW firewall (initial - SSH still open on public)
|
||||||
log_info "Configuring UFW firewall..."
|
log_info "Configuring UFW firewall (initial setup)..."
|
||||||
sudo ufw --force reset > /dev/null
|
sudo ufw --force reset > /dev/null
|
||||||
sudo ufw default deny incoming > /dev/null
|
sudo ufw default deny incoming > /dev/null
|
||||||
sudo ufw default allow outgoing > /dev/null
|
sudo ufw default allow outgoing > /dev/null
|
||||||
|
# SSH temporarily on all interfaces (will be locked down after Tailscale is confirmed)
|
||||||
|
sudo ufw allow 22/tcp > /dev/null
|
||||||
# BitTorrent peer port (public)
|
# BitTorrent peer port (public)
|
||||||
sudo ufw allow 51413/tcp > /dev/null
|
sudo ufw allow 51413/tcp > /dev/null
|
||||||
sudo ufw allow 51413/udp > /dev/null
|
sudo ufw allow 51413/udp > /dev/null
|
||||||
# Allow all traffic on Tailscale interface (including SSH)
|
# Allow all traffic on Tailscale interface
|
||||||
sudo ufw allow in on tailscale0 > /dev/null
|
sudo ufw allow in on tailscale0 > /dev/null
|
||||||
sudo ufw --force enable > /dev/null
|
sudo ufw --force enable > /dev/null
|
||||||
|
|
||||||
# Step 8: Create directory structure
|
# Step 8: Schedule SSH lockdown via 'at' (2 minutes delay for safety)
|
||||||
|
log_info "Scheduling SSH lockdown to Tailscale-only in 2 minutes..."
|
||||||
|
log_warn "IMPORTANT: Reconnect via Tailscale SSH within 2 minutes!"
|
||||||
|
log_warn " ssh ${USER}@${TS_FQDN}"
|
||||||
|
|
||||||
|
echo "sudo ufw delete allow 22/tcp" | at now + 2 minutes 2>/dev/null || {
|
||||||
|
log_warn "Failed to schedule SSH lockdown via 'at'. Manual lockdown required."
|
||||||
|
log_warn "Run manually after confirming Tailscale access: sudo ufw delete allow 22/tcp"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Step 9: Create directory structure
|
||||||
log_info "Creating directory structure..."
|
log_info "Creating directory structure..."
|
||||||
sudo mkdir -p "$SEEDBOX_DIR"
|
sudo mkdir -p "$SEEDBOX_DIR"
|
||||||
sudo chown -R "$USER:$USER" "$SEEDBOX_DIR"
|
sudo chown -R "$USER:$USER" "$SEEDBOX_DIR"
|
||||||
|
|
||||||
# Step 9: Configure NFS mount (if NFS_SERVER provided)
|
# Step 10: Configure NFS mount (if NFS_SERVER provided)
|
||||||
if [[ -n "$NFS_SERVER" ]]; then
|
if [[ -n "$NFS_SERVER" ]]; then
|
||||||
log_info "Configuring NFS mount..."
|
log_info "Configuring NFS mount..."
|
||||||
sudo mkdir -p "$NFS_MOUNT_MEDIA"
|
sudo mkdir -p "$NFS_MOUNT_MEDIA"
|
||||||
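Review bot: The scheduled job `echo "sudo ufw delete allow 22/tcp" | at now + 2 minutes` runs under the invoking user's `at` queue with no TTY, so unless that account has passwordless sudo the `sudo` inside the job fails, the rule is never removed, and SSH stays open on the public interface while the MOTD and summary claim it is Tailscale-only. Run the job as root instead: `echo "ufw delete allow 22/tcp" | sudo at now + 2 minutes`, and drop the `2>/dev/null` so the fallback `log_warn` path is reached with a visible reason rather than a silent failure. The lockdown is also scheduled unconditionally: if `tailscale up` did not complete login, `TS_FQDN` (set earlier via `tailscale status --json` with stderr discarded) is empty and the warning tells the user to reconnect to `ssh user@`, so consider guarding the scheduling with `[[ -n "$TS_FQDN" ]] || { log_warn "Tailscale not connected; skipping SSH lockdown"; }` before the `at` call. The enclosing `main()` starts before this hunk and continues after it.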
@@ -149,7 +164,7 @@ EOF
|
|||||||
log_warn "NFS_SERVER not set. NFS mount skipped. Set it later if needed."
|
log_warn "NFS_SERVER not set. NFS mount skipped. Set it later if needed."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Step 10: Clone repository
|
# Step 11: Clone repository
|
||||||
log_info "Cloning infra-scripts repository..."
|
log_info "Cloning infra-scripts repository..."
|
||||||
if [[ -d "${SEEDBOX_DIR}/.git" ]]; then
|
if [[ -d "${SEEDBOX_DIR}/.git" ]]; then
|
||||||
cd "$SEEDBOX_DIR"
|
cd "$SEEDBOX_DIR"
|
||||||
@@ -166,7 +181,7 @@ EOF
|
|||||||
git checkout -b main --track origin/main -- seedbox/ 2>/dev/null || true
|
git checkout -b main --track origin/main -- seedbox/ 2>/dev/null || true
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Step 11: Configure MOTD
|
# Step 12: Configure MOTD
|
||||||
log_info "Configuring MOTD..."
|
log_info "Configuring MOTD..."
|
||||||
sudo chmod -x /etc/update-motd.d/* 2>/dev/null || true
|
sudo chmod -x /etc/update-motd.d/* 2>/dev/null || true
|
||||||
|
|
||||||
@@ -188,7 +203,7 @@ echo ""
|
|||||||
echo "Docker Seedbox Server"
|
echo "Docker Seedbox Server"
|
||||||
echo "─────────────────────────────────────────"
|
echo "─────────────────────────────────────────"
|
||||||
echo "Access:"
|
echo "Access:"
|
||||||
echo " • SSH : ${TS_FQDN}"
|
echo " • SSH : ${TS_FQDN} (Tailscale only)"
|
||||||
echo " • Seeding : Public port 51413"
|
echo " • Seeding : Public port 51413"
|
||||||
echo ""
|
echo ""
|
||||||
echo "Services: (via Tailscale)"
|
echo "Services: (via Tailscale)"
|
||||||
@@ -208,9 +223,14 @@ MOTD
|
|||||||
|
|
||||||
# Final summary
|
# Final summary
|
||||||
echo ""
|
echo ""
|
||||||
log_info "=========================================="
|
log_info "==========================================="
|
||||||
log_info "Server setup complete!"
|
log_info "Server setup complete!"
|
||||||
log_info "=========================================="
|
log_info "==========================================="
|
||||||
|
echo ""
|
||||||
|
log_warn "⚠️ SSH LOCKDOWN SCHEDULED IN 2 MINUTES!"
|
||||||
|
log_warn " Reconnect NOW via Tailscale:"
|
||||||
|
echo ""
|
||||||
|
echo " ssh ${USER}@${TS_FQDN}"
|
||||||
echo ""
|
echo ""
|
||||||
echo "Server accessible at:"
|
echo "Server accessible at:"
|
||||||
echo " SSH: ssh user@${TS_FQDN}"
|
echo " SSH: ssh user@${TS_FQDN}"
|
||||||
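Review bot: The new reconnect line prints `ssh ${USER}@${TS_FQDN}` while the existing summary line just below it prints `ssh user@${TS_FQDN}` with a literal `user`, so the same block now shows two different commands for the same thing; change the existing line to `echo "  SSH: ssh ${USER}@${TS_FQDN}"` so both match. Both lines also print an empty host when `TS_FQDN` could not be read (its `tailscale status` call discards stderr earlier in the script), which matters here because this message is the user's only cue before the lockdown fires; a fallback such as `${TS_FQDN:-<tailscale-hostname>}` keeps the instruction usable. The enclosing `main()` starts before this hunk and continues after it.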
@@ -232,9 +252,10 @@ MOTD
|
|||||||
fi
|
fi
|
||||||
echo ""
|
echo ""
|
||||||
echo "Next steps:"
|
echo "Next steps:"
|
||||||
echo " 1. Configure Gitea secrets (see README.md)"
|
echo " 1. Reconnect via Tailscale SSH IMMEDIATELY"
|
||||||
echo " 2. Push to main branch to trigger deployment"
|
echo " 2. Configure Gitea secrets (see README.md)"
|
||||||
echo " 3. Services will be available at <service>.taila5ad8.ts.net"
|
echo " 3. Push to main branch to trigger deployment"
|
||||||
|
echo " 4. Services will be available at <service>.taila5ad8.ts.net"
|
||||||
echo ""
|
echo ""
|
||||||
log_info "SSH access via Tailscale: ssh user@${TS_FQDN}"
|
log_info "SSH access via Tailscale: ssh user@${TS_FQDN}"
|
||||||
echo ""
|
echo ""
|
||||||