Oliver
2025-08-24 20:24:37 +02:00
parent 6de8bd9564
commit 29a9892ca6
26 changed files with 107 additions and 113 deletions


@@ -5,37 +5,57 @@ if [ "$#" -ne 2 ]; then
exit 1 exit 1
fi fi
keys=(NEBULA_CA API_KEY HOSTNAME NEBULA_CRT NEBULA_KEY SSH_PRIVATE SSH_PUBLIC)
NEBULA_CA=$(<"$host_vars_dir/ca.crt")
localfile="$1" localfile="$1"
remotefile="$2" remotefile="$2"
remotetmp="/var/tmp/4server" remotetmp_base="/var/tmp/4server"
while read -r host; do while read -r host; do
echo "Processing host: $host" echo "Processing host: $host"
host_env_file="$host_vars_dir/$host" host_env_file="$host_vars_dir/$host/$host.env"
if [ ! -f "$host_env_file" ]; then if [ ! -f "$host_env_file" ]; then
echo "Warning: env file for host '$host' not found at $host_env_file. Skipping." echo "Warning: env file for host '$host' not found at $host_env_file. Skipping."
continue continue
fi fi
declare -A vars=() # Load host environment variables (supports multi-line)
while IFS='=' read -r key value; do set -a
[[ -z "$key" || -z "$value" ]] && continue source "$host_env_file"
vars["$key"]="$value" set +a
done < "$host_env_file"
content=$(cat "$localfile")
for key in "${!vars[@]}"; do NEBULA_KEY=$(<"$host_vars_dir/$host/$host.key")
content=$(echo "$content" | sed "s|{$key}|${vars[$key]}|g") NEBULA_CRT=$(<"$host_vars_dir/$host/$host.crt")
done
SSH_PRIVATE=$(<"$host_vars_dir/$host/$host")
SSH_PUBLIC=$(<"$host_vars_dir/$host/$host.pub")
content=$(<"$localfile")
for key in "${keys[@]}"; do
value="${!key}" # indirect reference
# Replace placeholder {{KEY}} with value using Bash's parameter expansion
content="${content//\{\{$key\}\}/$value}"
done
# Copy content to remote temporary file
remotetmp="${remotetmp_base}_${host}"
echo "Copying to $host:$remotefile" echo "Copying to $host:$remotefile"
echo "$content" | ssh "$host" "cat > $remotetmp" echo "$content" | ssh "$host" "cat > '$remotetmp'"
rex doas mv $remotetmp $remotefile
# Move temporary file to final location with doas
ssh "$host" "doas mv '$remotetmp' '$remotefile'"
done < "$hosts_file" done < "$hosts_file"
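Review bot: The secrets this script now expands (`NEBULA_KEY`, `SSH_PRIVATE`) are written to `/var/tmp/4server_<host>` by `cat > '$remotetmp'` under the remote login's default umask, and the following `doas mv` preserves that mode, so the key material is readable by other local users while it sits in /var/tmp and the final file inherits the same mode unless a caller fixes it afterwards; creating the temp file restrictively closes both, `echo "$content" | ssh "$host" "umask 077 && cat > '$remotetmp'"`. Separately, `set -a; source "$host_env_file"` executes the env file as shell code and leaves its variables set for the next host, so a host whose .env lacks `API_KEY` silently inherits the previous host's value — an `unset API_KEY HOSTNAME` before the `source` line avoids the bleed. The four `$(<...)` reads yield an empty string for an empty file, and for a missing one after only a stderr message, so the loop would still deploy an empty key; a `[[ -s "$host_vars_dir/$host/$host.key" ]] || { echo "missing key for $host" >&2; continue; }` style check before each read is worth adding. The script's argument check and the `$host_vars_dir` assignment are outside the hunk.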


@@ -1,30 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@@ -1,52 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC+uBU5mo8h8LK0
0Hrw9AtaPI2yXBaVh5S8KrAJ0eoUSxc0gg7qdwsD9+boyaDbiePcllTLvmIKqX8K
2TbiucEaqNGzJauop0+UZjjCQrzuq+cD6xPh+1bzcWN+oLubUtv4wi3mRNCtP56Y
yM4c72OweXB9Mhi9Z8e2caTjCLdcCS10i5OyNWYZFhnjBxXJoElTt4HZFLDj60Iq
i9thVGO4virv7VBwOvAKaCgOOuagPtISgHO71t1hV9TNTHRcE37xpOZT6moPsEBi
tkszwPx24SgATGrG5J8UbDJ5EdY+kA4wD0mUhi9pUWaRlKWQjqRRszvsSnbQUPHO
RHSUFFpycworeNUBCmTs5jm0/+RqI4TLTUX6ZbJ6azgGpgbJtMbMlywW1Yuy9ACr
SP/jncKekiR+0uQ5s+y2crT+aeuzHsyMtUUnTI1ExsOE/QWGH7MV298D+jvSSWg4
WTf3dzAiFsDxP4JtDZ1NmDwm6Pjmano1Y57guU++4RvYN6YKxDnkcWXIZFpUvW+d
r7oLZaOcqwCx4KVCFo4e2qqigYgWgz8r05iEngj7UZO70n3dZrkL4Iu2tFATHLBy
1SYZIu3ewZodOeK54q63bYtVFj7ECAE4Eb7J6DgjOtN3GH9E2aKMjzFRvWzItRuf
LWIycPN/tAOh6dOPuX9oZQf71sxe3wIDAQABAoICAFzKl5kVN/qdb3VF0esV8cgP
miljYKGT+6upYUkF1svU1Q95D+TH0pY1sSUlpJvr9O9IPS18DZt+aA9RK8EX+3oL
FSwCcgh2juN28LqjWeUNwjJH176lWOLNEklzzpN9twTLBSX56UXBpFpVqOKvHmOo
UjC3hQ3yRlrf5AeKIBwpYvJHTq7wCCLAfAvXUKRu1f5jVEvYI1BhECo/LZenRXWH
IMDnR7GzG0MU9hgmVDs3FWJnGOgVXFSWNTVFs39xBNxxDJdbgAruCAV/CAvAI5V7
asjqZTEr3rJDCjOZmBGMaTq81WHr/3lQX4UJO5yfqhcOC2OlvzUPjPZ8m/PIC1C4
rOg6EqEA5X+VOspxbJGQVlsA1R1CkI499s5CERWQ8Z9Gb5kr4/SzKBnp8DAbngNR
rZxuT4pch7rHZgEDiW8h18aRN3LDvjUPF2pvowEKPRmdQJ6xTi22GuyL3pl3M8Wg
3snIl0sdfsnarWTV545bm1nIZ+4agfIzRjIc+Z4ACx3k9NBObkHxdq3Grscgl+cr
OtuQYt7T0EDfPOGqXgZ2/imdtovIYOz7BHzlchZGIFmgtSFfgZCGcWQWiXdlGmOC
EJQ9gwqLmCG4i1V8UIb2NQXPF77rHpOz/psptCxj7gvTwp8yFURL6hdqoUpzl7l+
H3QGUAl1N6vvCJry0HLBAoIBAQDmue87L+x6BBg+0g2SAO0Ivl5w2Q4KKGZREgld
7CGVyDCcZGs1EHsATZgNPUH0L9rjegTtSzarGdLPSTnDdc6mataS++3YdmWRYKxo
8so3L074FLW3acisP8YdsH99jrwkrYAm130whIkk8cEZAlSYd3uVj7RypN/WDDWm
UOmGWrQYBduGF3/JvnFbLIbassfzc7Yx2jgFDyFpQur6ZNDK3YUbjGALe07D/TO6
k4AN7NUg8J8e/nF5J2HOtGUTlHScouz3AhJFbBtGJMh2zPburR7iAU4oSCAwbiiG
3AsVqndt1iTUqkEeHUBogx9OiXfLccXxdZkXNz42Tv7ezYePAoIBAQDTnEJJV/sm
NDhMkPjKFLprdpP7n6nNlECXrNogHGTTOiXMUcgVl/CuX8cfOc7ExfJ91Bh2XqN2
H9tgOzlTWEcRORFAJv2ZRSBTfVQAboL1ncZTMXlDR3SqPVC7GC53gk4IAbm2Rs59
jqHqZJdGMHAK747zQAPO8c5qCUgDAO8hP7mrdBU9+Tj9lA0vNyGq4uUqoepUvado
Suk3CggsVjcVffzBIm8u0QHNHVUg3hVHycJTQwSIyWbej/eCx1ZD5/9olO6aREHS
lKr0Bm4+1AdlkXgJE/eoABQa1fiUgEjPbi9q4ORjpFbMbcvnb9Z6sf2VvTZn/wj6
K4JtX50o+YuxAoIBAQCa/RvvLmo0LLv8ty3Wfji8PuVB+QytViYlH3CbXxvQegHt
jKdXphJ6SaVyf0vmtJ7dYAIfRP8cQOSTyiS7YE/JCsvJQOKtHhtsZPxsI2wjVew+
Sesnoi/jRZPYLc/2kANiwAnuDaNTDDT0VFHacu5Q3TJvbXFR8d9K8ji32HKGhjek
S4sDsJVu+Dc9f9O25ZHbwEcLhgNLorZW91TRjxeSruvTbaC3FcX7cgNlud+zevxQ
fFLnhxTCxem16Qhc9sS+09NKumF7sPtBS0Q+ScE246RzPV07QfgdkGI49Weczj4b
0lY7ZYMIr62shyhooX+PcoX9hXmpVrq70KT1FiuRAoIBAQDAN8Gys9usIWU+j7We
guOvuB/GQotQ9akS3e2pm4EuqjQpe+Q/USxMiS3sPGuJLLIQAHhUFbVwGJICwOla
vuaXS3pTBtf3wOYTUNXcKoaFK9M6QMeBCMh914Kc4ONcpZ3SAhc67uik/soviz4q
gNdV57O3XF/ZPKcehN3H9LJDRoqWprSg/eD53uF3ESJhAwfeCQQ+A6SsxNdBqrgv
5gTVXgMZQPkz0qFLO6jXWUSFWE1PqqHUyvXJl4biYcYHmxbTXe27beNIsMj1L143
bgxmA5TA0kV1ctTQZ6sM4dbBrboe4Lg1ltNNkTLWQS3XeBT8Tsq7/tudu6YXSfIN
hViRAoIBAHGypG9v+vToWta0AT4CC3eOvNjzKGtr26oycFsXqQE8Q6ZKohcG0UNj
QnfawjyVhSdq2hS0O0uZuhyeea9nBtL8y8u120rvS10C71er7hG2ywscdJ4Hr5WX
D27RC+U7AwMbcqEy3Vs9vo2c5cBivLGWf/R3SgCecwxX8APysuSXod7DKhNviS4P
f8t8Tui//+PkNV6brOLvu0kITypoFhp9qAexgAuLTXOPNEILugcsfusBwPEjSdAR
LBh1fxSrGPCcRqo+8N4qorki1IE0l/bJBj3p2vREgItmq+OC0KT47Ye0BVJJtrrU
YV/U3ImFkT12e6nwfgrMRfQCZrRsp9g=
-----END PRIVATE KEY-----

11
app/firewall Normal file

@@ -0,0 +1,11 @@
#! ----------- install ufe
rex doas rc-update add ufw
rex doas rc-service ufw start
rex doas ufw default deny incoming
rex doas ufw default allow outgoing
rex doas ufw allow 80/tcp
rex doas ufw allow 443/tcp
rex doas ufw enable
rex doas ufw status verbose
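Review bot: The rule set allows only 80/tcp and 443/tcp before `ufw enable` with `default deny incoming`, and no rule admits SSH, which the `rex`/`prsync` tooling in this commit depends on; if SSH is meant to be reachable only over nebula, as the comment removed from the setup script said, add an interface-scoped rule before enabling, e.g. `rex doas ufw allow in on nebula2 to any port 22 proto tcp` (`nebula2` is the tun device set in the config template in this commit), otherwise the first run locks the operator out. `ufw enable` may also prompt for confirmation about disrupting existing ssh sessions; `rex doas ufw --force enable` makes it non-interactive. The first line reads as a shebang whose interpreter is `-----------`, so the file fails if ever executed directly rather than sourced — `# ----- install ufw` avoids that and fixes the typo.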

5
app/host_vars/ca.crt Normal file

@@ -0,0 +1,5 @@
-----BEGIN NEBULA CERTIFICATE-----
Cj8KDU9ET080cHJvamVjdHMoqNOhvgYwqKTJogg6IDv7w4DxfOvLDJ6WgjE3V8MZ
k1I6t5GjmBmnyd0Wf0UqQAESQAzBFnjUsemshOlFCJisKbXdqBR83/Fl5aS0xSQj
ZcDIpmgPnslBHTo8oPJLWeuU0Qd9IHNfdQvam2j6YnzVQAE=
-----END NEBULA CERTIFICATE-----


@@ -1,4 +0,0 @@
API_KEY=4h6lDzAOVksuCqmhEB3
hostname="dev"
nebula_key="123"
nebula_cert="456"

0
app/host_vars/dev/dev Normal file


@@ -0,0 +1,6 @@
-----BEGIN NEBULA CERTIFICATE-----
CmYKA2RldhIKk5KghQyA/v//DyIDYmVlKI+YrcUGMKekyaIIOiAXY9FKiA1V6ayD
Vx9Ce9UK3YcCF93DNP68WPixdl9LZUognXOojuxdSXZ4IG4v3A8HJ/77YSYnV/il
ywmZ6V2khEESQHUVytAPARrJ0KxKPolUot6cl+UNMo5HOMqg2kxiRZBIUTp5XIME
WfrYcdjlS9af7I34439r6gs4bA2LDGaaMQs=
-----END NEBULA CERTIFICATE-----


@@ -0,0 +1,2 @@
API_KEY=4h6lDzAOVksuCqmhEB3
HOSTNAME="dev"
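Review bot: `API_KEY` is committed here in plaintext, and it is the same value that appears in the `dev` file this commit deletes, so the move did not rotate it and the old file stays in git history regardless. Rotate the key and keep `host_vars/*/*.env` out of the repository (a `.gitignore` entry plus an `.env.example` with placeholder values), or have the template script read it from a secret store at render time.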


@@ -0,0 +1,3 @@
-----BEGIN NEBULA X25519 PRIVATE KEY-----
96/m6SrUsGWzT6atNvnopzygGhIAaXbBCXT8KAvwKp8=
-----END NEBULA X25519 PRIVATE KEY-----
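Review bot: This adds a Nebula X25519 host private key to the repository in plaintext, next to the host certificate and the CA certificate; once pushed it should be treated as compromised and re-issued, since deleting it later leaves it in history (the RSA private key removed elsewhere in this commit is in the same position). Keep `host_vars/*/*.key` and the SSH key file `host_vars/<host>/<host>` untracked. Note also that `app/host_vars/dev/dev`, which the template script reads as `SSH_PRIVATE`, appears to be added as an empty file, so the `id_ed25519` deployed for `dev` would be empty.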



@@ -1,23 +1,27 @@
#!/bin/bash #!/bin/bash
template templates/hosthostname /etc/hostname template templates/hostname /etc/hostname
rex doas apk update
rex doas apk add bash doas openssh
# ass swap file ???? # ass swap file ????
# ------ create user 4server
# ------ disable root user and login # ------ disable root user and login
# ----- install nabula # ----- install nabula
echo "prsync nebula bin" echo "prsync nebula bin"
prsync -h "$hosts_file" -avz ./templates/nebula/nebula /4server/nebula prsync -h "$hosts_file" -avz ./sbin/nebula /4server/nebula
rex doas mv /4server/nebula /usr/bin/ rex doas mv /4server/nebula /usr/bin/
rex doas mkdir -p /etc/nebula rex doas mkdir -p /etc/nebula
rex doas chmod 700 /etc/nebula rex doas chmod 700 /etc/nebula
template templates/nebula/nebula.yml /etc/nebula/config.yml template templates/nebula/config.yml /etc/nebula/config.yml
template templates/nebula/host.key /etc/nebula/host.key template templates/nebula/host.key /etc/nebula/host.key
template templates/nebula/host.crt /etc/nebula/host.crt template templates/nebula/host.crt /etc/nebula/host.crt
template templates/nebula/ca.crt /etc/nebula/ca.crt
rex doas chmod 700 /etc/nebula rex doas chmod 700 /etc/nebula
@@ -34,6 +38,22 @@ rex doas rc-update add ping_service default
rex doas rc-service ping_service restart rex doas rc-service ping_service restart
#! ----------- install ufe # ADD USER 4SERVER
- ssh, 8080 only on nebula rex doas adduser -D -s /bin/bash 4server
- only 80, 443 to the world
SSH_DIR="/home/4server/.ssh"
rex doas mkdir -p "$SSH_DIR"
rex doas chmod 700 "$SSH_DIR"
rex doas chown 4server:4server "$SSH_DIR"
template templates/ssh/id_ed25519 /home/4server/.ssh/id_ed25519
template templates/ssh/id_ed25519.pub /home/4server/.ssh/id_ed25519.pub
rex "doas bash -c 'chmod 700 /home/4server/.ssh/*'"
rex "doas bash -c 'chown -R 4server:4server /home/4server/.ssh/*'"
template templates/.bashrc /home/4server/.bashrc
rex doas mkdir -p /etc/doas.d
rex "doas sh -c 'grep -q \"permit nopass 4server as root\" /etc/doas.d/4server.conf 2>/dev/null || echo \"permit nopass 4server as root\" | tee -a /etc/doas.d/4server.conf > /dev/null'"
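Review bot: The last line grants `4server` unrestricted passwordless root (`permit nopass 4server as root`), so any compromise of that account — which this hunk also provisions with a private key under `/home/4server/.ssh` — is a root compromise with no further check. Since `adduser -D` leaves the account without a password, `nopass` is unavoidable, but the rule can be narrowed to the commands the automation actually runs via doas' `cmd` clause, e.g. `permit nopass 4server as root cmd rc-service`, one line per command. Two smaller points: `chmod 700 /home/4server/.ssh/*` sets the execute bit on key files where `chmod 600` is the conventional mode, and the `grep -q` guard matches a substring, so a pre-existing narrower `permit nopass 4server as root cmd ...` line would suppress the append. The surrounding script is only partly visible here; the second hunk starts at line 38 of the new file.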

8
app/templates/.bashrc Normal file

@@ -0,0 +1,8 @@
# ~/.bashrc
echo "Server {{HOSTNAME}}"
export PS1="\[\e[32m\]\h:\w\$\[\e[0m\] "
df -h .


@@ -1 +1 @@
{{hostname}} {{HOSTNAME}}


@@ -0,0 +1 @@
{{NEBULA_CA}}


@@ -20,7 +20,7 @@ relay:
tun: tun:
disabled: false disabled: false
dev: nebula1 dev: nebula2
drop_local_broadcast: false drop_local_broadcast: false
drop_multicast: false drop_multicast: false
tx_queue: 500 tx_queue: 500


@@ -0,0 +1 @@
{{NEBULA_CRT}}


@@ -0,0 +1 @@
{{NEBULA_KEY}}


@@ -0,0 +1 @@
{{SSH_PRIVATE}}


@@ -0,0 +1 @@
{{ssh_public}}
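Review bot: The placeholder is `{{ssh_public}}` while the template script's key list and its `${!key}` lookup use the upper-case name `SSH_PUBLIC`, and the `${content//\{\{$key\}\}/$value}` replacement is case-sensitive, so the rendered `/home/4server/.ssh/id_ed25519.pub` will contain the literal text `{{ssh_public}}` instead of the key. Change the line to `{{SSH_PUBLIC}}`, matching the sibling `host.key`, `host.crt` and `id_ed25519` templates in this commit.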


@@ -10,7 +10,7 @@ template templates/hosts /etc/hosts
### PACKAGES ### PACKAGES
template templates/repositories /etc/apk/repositories template templates/repositories /etc/apk/repositories
rex doas apk update && upgrade rex doas apk update && upgrade
rex doas apk add python3 build-base python3-dev linux-headers py3-pip gcc g++ musl-dev libffi-dev make jq rsync mc vim docker docker-compose htop linux-lts sqlite bash postgresql16-client rex doas apk add openssh ufw python3 build-base python3-dev linux-headers py3-pip gcc g++ musl-dev libffi-dev make jq rsync mc vim docker docker-compose htop linux-lts sqlite bash postgresql16-client
rex doas pip install --break-system-packages --no-cache-dir "uvicorn[standard]" fastapi pydantic psutil rex doas pip install --break-system-packages --no-cache-dir "uvicorn[standard]" fastapi pydantic psutil