#!/bin/bash
# install.sh - Automated deployment of Network Lab Server with ContainerLab
# Usage: curl -fsSL https://gitea.arnodo.fr/Damien/infra-scripts/raw/branch/main/netlab/install.sh | bash
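set -euo pipefail

# Colors for logging (ANSI escapes). Read-only so a later typo cannot silently
# redefine them.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m'

#######################################
# Logging helpers. All arguments are joined into one message (so a call with
# no argument does not trip `set -u`). %b interprets the colour escapes while
# the message itself is printed verbatim via %s, which avoids the portability
# and "-n"/backslash pitfalls of `echo -e`.
# Outputs: log_info writes to stdout; log_warn/log_error write to stderr so
#          diagnostics are not mixed into captured stdout.
#######################################
log_info()  { printf '%b[INFO]%b %s\n' "$GREEN" "$NC" "$*"; }
log_warn()  { printf '%b[WARN]%b %s\n' "$YELLOW" "$NC" "$*" >&2; }
log_error() { printf '%b[ERROR]%b %s\n' "$RED" "$NC" "$*" >&2; }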
# Pre-flight checks
#######################################
# Pre-flight: refuse to run as root (the script sudo's per step and later
# adds $USER to the docker group), then make sure sudo actually works.
# Globals:  EUID (read)
# Returns:  0 when running as a non-root user with working sudo; exits 1 otherwise
#######################################
check_root() {
  if (( EUID == 0 )); then
    log_error "Do not run as root directly. Use a user with sudo privileges."
    exit 1
  fi
  # sudo -v validates (and refreshes) the credential cache up front, so the
  # user is prompted once here rather than in the middle of a later step.
  sudo -v || {
    log_error "User must have sudo privileges."
    exit 1
  }
}
#######################################
# Pre-flight: best-effort distro check. A non-Debian host only gets a warning;
# the deployment continues regardless.
# Returns:  0 always
#######################################
check_debian() {
  if grep -qi debian /etc/os-release 2>/dev/null; then
    return 0
  fi
  log_warn "This script is optimized for Debian. Continuing anyway..."
}
# Configuration variables (can be overridden via environment)
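HOSTNAME="${NETLAB_HOSTNAME:-netlab}"
SSH_PORT="${SSH_PORT:-15222}"
TIMEZONE="${TZ:-Europe/Paris}"
# NOTE(review): TIMEZONE is declared here but nothing in this file applies it — confirm intent.

#######################################
# Validate the configuration globals before anything on the host is changed.
# SSH_PORT is written into the sshd drop-in and the ufw rule, HOSTNAME into
# /etc/hostname; a malformed value would otherwise only surface when sshd
# fails to restart, after packages, Tailscale and containerlab are already
# installed.
# Globals:  HOSTNAME, SSH_PORT (read)
# Returns:  0 if both values are well-formed, 1 otherwise (reason via log_error)
#######################################
validate_config() {
  # 10# forces decimal so a leading zero is not parsed as octal.
  if [[ ! "$SSH_PORT" =~ ^[0-9]{1,5}$ ]] || (( 10#$SSH_PORT < 1 || 10#$SSH_PORT > 65535 )); then
    log_error "SSH_PORT must be an integer in 1-65535, got: ${SSH_PORT}"
    return 1
  fi
  # RFC 1123 single label: alphanumerics and hyphens, no leading/trailing
  # hyphen, at most 63 characters.
  if [[ ! "$HOSTNAME" =~ ^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$ ]]; then
    log_error "NETLAB_HOSTNAME must be a valid single-label hostname, got: ${HOSTNAME}"
    return 1
  fi
  return 0
}
validate_config || exit 1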
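#######################################
# Set the system hostname from $HOSTNAME.
# Globals:  HOSTNAME (read)
#######################################
configure_hostname() {
  log_info "Setting hostname to: $HOSTNAME"
  printf '%s\n' "$HOSTNAME" | sudo tee /etc/hostname > /dev/null
  sudo hostnamectl set-hostname "$HOSTNAME"
}

#######################################
# Install the base package set. ufw is included because the firewall step
# needs it and it is not guaranteed to be present on a fresh Debian install.
#######################################
install_base_packages() {
  log_info "Installing base packages..."
  # apt-get is the scripting-stable CLI; plain apt warns when used in scripts.
  sudo apt-get update -qq
  sudo apt-get install -y -qq \
    vim ca-certificates curl gnupg lsb-release fail2ban unattended-upgrades at ufw > /dev/null
}

#######################################
# Install Tailscale via the vendor installer and join the tailnet with
# Tailscale SSH enabled, advertising this host as an exit node.
#######################################
install_tailscale() {
  log_info "Installing Tailscale..."
  # With pipefail active, a failed download aborts the script instead of
  # running a partial installer.
  curl -fsSL https://tailscale.com/install.sh | sh
  log_info "Connecting to Tailscale..."
  sudo tailscale up --ssh --advertise-exit-node
}

#######################################
# Write the sysctl settings needed for exit-node forwarding and containerlab.
#######################################
configure_sysctl() {
  log_info "Configuring sysctl for exit-node and containerlab support..."
  sudo tee /etc/sysctl.d/99-netlab.conf > /dev/null <<'EOF'
# IP forwarding for Tailscale exit-node
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
# Recommended for containerlab
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
EOF
  # Deliberately best-effort: applying can partially fail (e.g. the net.bridge.*
  # keys only exist once br_netfilter is loaded); the file is still applied at boot.
  sudo sysctl -p /etc/sysctl.d/99-netlab.conf > /dev/null 2>&1 || true
}

#######################################
# Install containerlab (and Docker) through the upstream setup script and
# grant the invoking user access to the docker socket.
# Globals:  USER (read); SETUP_SSHD (exported)
#######################################
install_containerlab() {
  log_info "Installing ContainerLab (includes Docker)..."
  # Disable sshd modification by containerlab setup script (we handle it ourselves)
  export SETUP_SSHD="false"
  # -f makes curl fail on an HTTP error instead of piping an error page into
  # `sudo bash`; this matches the flags already used for the Tailscale installer.
  curl -fsSL https://containerlab.dev/setup | sudo -E bash -s "all"
  log_info "Adding current user to docker group..."
  sudo usermod -aG docker "$USER"
}

#######################################
# Add an sshd drop-in for the custom port, then restart sshd only if the
# resulting configuration validates, so a bad drop-in cannot lock us out.
# NOTE(review): the drop-in presumably only takes effect when sshd_config
# carries the Include for sshd_config.d (default on recent Debian) — verify on
# older hosts.
# Globals:  SSH_PORT (read)
#######################################
configure_ssh() {
  log_info "Configuring SSH on port $SSH_PORT..."
  # Create drop-in config for custom SSH port
  sudo mkdir -p /etc/ssh/sshd_config.d
  sudo tee /etc/ssh/sshd_config.d/99-netlab.conf > /dev/null <<EOF
# Custom SSH port for public access
Port $SSH_PORT
# Increase MaxAuthTries for containerlab nodes with many SSH keys
MaxAuthTries 20
EOF
  if ! sudo sshd -t; then
    log_error "sshd rejected the new configuration; removing the drop-in and leaving sshd untouched."
    sudo rm -f -- /etc/ssh/sshd_config.d/99-netlab.conf
    exit 1
  fi
  sudo systemctl restart ssh
}

#######################################
# Reset ufw to deny-by-default, allow the custom SSH port and everything on
# the Tailscale interface, and keep port 22 open as a temporary safety net.
# Globals:  SSH_PORT (read)
#######################################
configure_firewall() {
  log_info "Configuring UFW firewall..."
  sudo ufw --force reset > /dev/null
  sudo ufw default deny incoming > /dev/null
  sudo ufw default allow outgoing > /dev/null
  # Allow custom SSH port from public internet
  sudo ufw allow "${SSH_PORT}/tcp" > /dev/null
  # Allow all traffic on Tailscale interface
  sudo ufw allow in on tailscale0 > /dev/null
  # Temporarily allow SSH port 22 during setup (safety net)
  sudo ufw allow 22/tcp > /dev/null
  sudo ufw --force enable > /dev/null
}

#######################################
# Queue an at(1) job that drops the temporary port-22 rule in 5 minutes.
# If scheduling fails, print the manual cleanup command instead.
# Globals:  SSH_PORT (read)
#######################################
schedule_port22_cleanup() {
  log_warn "SSH port 22 temporarily open for 5 minutes (safety net)."
  log_warn "Verify Tailscale SSH or custom port ${SSH_PORT} works, then wait or run: sudo ufw delete allow 22/tcp"
  # The job is submitted through `sudo at`, so it should run as root; the inner
  # sudo is kept so the logged command matches what the user is told to run.
  if ! printf '%s\n' "sudo ufw delete allow 22/tcp && logger 'UFW: SSH port 22 closed by scheduled task'" \
      | sudo at now + 5 minutes 2>/dev/null; then
    log_warn "Could not schedule automatic SSH cleanup. Run manually after verification:"
    log_warn " sudo ufw delete allow 22/tcp"
  fi
}

#######################################
# Print the post-install summary. Best-effort: a failing `tailscale ip` must
# not abort a deployment that has otherwise completed.
# Globals:  SSH_PORT, USER (read)
#######################################
print_summary() {
  local ts_ip
  # Get Tailscale IP for final message
  ts_ip=$(tailscale ip -4) || ts_ip='<tailscale-ip>'

  echo ""
  log_info "=========================================="
  log_info "Deployment complete!"
  log_info "=========================================="
  echo ""
  echo "Access:"
  echo " - Public SSH: ssh -p ${SSH_PORT} ${USER}@<public-ip>"
  echo " - Tailscale SSH: ssh ${USER}@${ts_ip} (or use Tailscale SSH)"
  echo ""
  echo "ContainerLab is ready. Example usage:"
  echo " containerlab deploy -t mylab.clab.yml"
  echo " containerlab inspect"
  echo " containerlab destroy -t mylab.clab.yml"
  echo ""
  echo "Note: Log out and back in (or run 'newgrp docker') to use docker without sudo"
  echo ""
  log_warn "SSH port 22 will be closed in 5 minutes."
  log_warn "To cancel: sudo atq (list jobs) then sudo atrm <job-number>"
  echo ""
}

#######################################
# Entry point: run the pre-flight checks, then each deployment step in order.
# Under `set -e` any failing step aborts the run.
# Arguments: none used
#######################################
main() {
  log_info "=== Network Lab Server Deployment ==="

  check_root
  check_debian

  configure_hostname
  install_base_packages
  install_tailscale
  configure_sysctl
  install_containerlab
  configure_ssh
  configure_firewall
  schedule_port22_cleanup
  print_summary
}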
main "$@"