From d9c19397d0f91bb4720d66abffcb893871d591be Mon Sep 17 00:00:00 2001
From: hhf
Date: Sun, 1 Dec 2024 19:02:26 +0530
Subject: [PATCH] Add cloudpanel-tailscale.sh
---
 cloudpanel-tailscale.sh | 163 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 163 insertions(+)
 create mode 100644 cloudpanel-tailscale.sh
diff --git a/cloudpanel-tailscale.sh b/cloudpanel-tailscale.sh
new file mode 100644
index 0000000..b09569a
--- /dev/null
+++ b/cloudpanel-tailscale.sh
@@ -0,0 +1,163 @@
+#!/bin/bash
+
+# Exit on any error
+set -e
+
+# Function to check if command executed successfully
+check_status() {
+ if [ $? -eq 0 ]; then
+ echo "✅ $1 completed successfully"
+ else
+ echo "❌ Error: $1 failed"
+ exit 1
+ fi
+}
+
+# Function to determine SSH service name
+get_ssh_service() {
+ if systemctl list-units --full -all | grep -Fq "ssh.service"; then
+ echo "ssh"
+ elif systemctl list-units --full -all | grep -Fq "sshd.service"; then
+ echo "sshd"
+ else
+ echo "SSH service not found!"
+ exit 1
+ fi
+}
+
+echo "Starting Tailscale setup for CloudPanel..."
+
+# 1. Update system packages
+echo "Updating system packages..."
+apt update && apt upgrade -y
+check_status "System update"
+
+# 2. Install required packages
+echo "Installing required packages..."
+apt install -y sqlite3
+check_status "Required packages installation"
+
+# 3. Install Tailscale
+echo "Installing Tailscale..."
+curl -fsSL https://tailscale.com/install.sh | sh
+check_status "Tailscale installation"
+
+# 4. Start and authenticate Tailscale
+echo "Starting Tailscale..."
+tailscale up
+check_status "Tailscale startup"
+
+# 5. Get Tailscale IP
+TAILSCALE_IP=$(tailscale ip -4)
+echo "Tailscale IP: $TAILSCALE_IP"
+
+# 6. Backup original SSH configuration
+echo "Backing up SSH configuration..."
+cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
+check_status "SSH config backup"
+
+# 7. Update SSH configuration to only listen on Tailscale IP
+echo "Updating SSH configuration..."
+cat > /etc/ssh/sshd_config << EOF
+# SSH Configuration
+Port 22
+ListenAddress ${TAILSCALE_IP}
+PermitRootLogin prohibit-password
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+UsePAM yes
+X11Forwarding yes
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+EOF
+check_status "SSH config update"
+
+# 8. Restart SSH service
+SSH_SERVICE=$(get_ssh_service)
+echo "Restarting ${SSH_SERVICE} service..."
+systemctl restart ${SSH_SERVICE}
+check_status "SSH service restart"
+
+# 9. Update CloudPanel configuration
+echo "Updating CloudPanel configuration..."
+CLOUDPANEL_NGINX_CONF="/home/clp/services/nginx/sites-enabled/cloudpanel.conf"
+
+# Backup original nginx configuration
+cp "$CLOUDPANEL_NGINX_CONF" "${CLOUDPANEL_NGINX_CONF}.backup"
+check_status "CloudPanel nginx config backup"
+
+# Update nginx configuration to listen only on Tailscale IP
+sed -i "s/listen 8443 ssl http2;/listen ${TAILSCALE_IP}:8443 ssl http2;/" "$CLOUDPANEL_NGINX_CONF"
+check_status "CloudPanel nginx config update"
+
+# 10. Restart nginx
+echo "Restarting nginx..."
+systemctl restart clp-nginx
+check_status "Nginx service restart"
+
+# 11. Update CloudPanel firewall rules
+echo "Updating CloudPanel firewall rules..."
+CLOUDPANEL_DB="/home/clp/htdocs/app/data/db.sq3"
+
+# Backup the database
+cp "$CLOUDPANEL_DB" "${CLOUDPANEL_DB}.backup"
+check_status "Database backup"
+
+# Update firewall rules in the database
+sqlite3 "$CLOUDPANEL_DB" << EOF
+-- First, clear existing rules
+DELETE FROM firewall_rule;
+
+-- SSH (22) - Tailscale only
+INSERT INTO firewall_rule (port_range, source, created_at, updated_at) VALUES
+('22', '${TAILSCALE_IP}/32', datetime('now'), datetime('now'));
+
+-- HTTP (80) - Open to all
+INSERT INTO firewall_rule (port_range, source, created_at, updated_at) VALUES
+('80', '0.0.0.0/0', datetime('now'), datetime('now'));
+
+-- HTTPS (443) - Open to all
+INSERT INTO firewall_rule (port_range, source, created_at, updated_at) VALUES
+('443', '0.0.0.0/0', datetime('now'), datetime('now'));
+
+-- CloudPanel UI (8443) - Tailscale only
+INSERT INTO firewall_rule (port_range, source, created_at, updated_at) VALUES
+('8443', '${TAILSCALE_IP}/32', datetime('now'), datetime('now'));
+EOF
+check_status "Firewall rules update"
+
+# 12. Apply the new firewall rules
+echo "Applying new firewall rules..."
+systemctl restart ufw
+check_status "Firewall rules application"
+
+echo "
+✨ Setup completed successfully! ✨
+
+Your services are now configured as follows:
+- SSH (22): Only accessible via Tailscale (${TAILSCALE_IP})
+- HTTP (80): Open to all traffic
+- HTTPS (443): Open to all traffic
+- CloudPanel UI (8443): Only accessible via Tailscale (${TAILSCALE_IP})
+
+Important: Keep these backup files in case you need to revert:
+- SSH config: /etc/ssh/sshd_config.backup
+- CloudPanel nginx config: ${CLOUDPANEL_NGINX_CONF}.backup
+- CloudPanel database: ${CLOUDPANEL_DB}.backup
+
+To revert changes if needed:
+1. For CloudPanel nginx:
+ cp ${CLOUDPANEL_NGINX_CONF}.backup ${CLOUDPANEL_NGINX_CONF}
+ systemctl restart clp-nginx
+
+2. For CloudPanel database:
+ cp ${CLOUDPANEL_DB}.backup ${CLOUDPANEL_DB}
+ systemctl restart ufw
+
+3. For SSH config:
+ cp /etc/ssh/sshd_config.backup /etc/ssh/sshd_config
+ systemctl restart ${SSH_SERVICE}
+
+⚠️ Make sure you can still access your server before closing this session!
+"
\ No newline at end of file
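Review bot: Step 7 replaces /etc/ssh/sshd_config wholesale with `ListenAddress ${TAILSCALE_IP}` and step 8 restarts sshd without validating the result, so an empty or multi-line value from `tailscale ip -4` yields a config sshd rejects and the restart leaves the host without a reachable SSH daemon; the overwrite also discards the distribution's `Include /etc/ssh/sshd_config.d/*.conf` line and any hardening kept there. Add `: "${TAILSCALE_IP:?no Tailscale IPv4 address}"` after step 5 and `sshd -t || { cp /etc/ssh/sshd_config.backup /etc/ssh/sshd_config; exit 1; }` before `systemctl restart ${SSH_SERVICE}`, so a bad config never reaches the running service. In step 11 the source for ports 22 and 8443 is `${TAILSCALE_IP}/32`, this host's own address rather than the tailnet range (100.64.0.0/10) the connecting peers use; whether clients still get through presumably depends on Tailscale's own input chain accepting tailscale0 traffic ahead of ufw, and the stored rule misrepresents the intended policy either way. The `sed` in step 9 exits 0 when its pattern is absent, so `check_status` reports success while nginx keeps listening on every interface; `grep -q "listen ${TAILSCALE_IP}:8443" "$CLOUDPANEL_NGINX_CONF"` after the edit would catch that. Step 3 pipes a remote installer into `sh` as root with no `pipefail`, so a failed download is reported as success by the following `check_status`; `set -eo pipefail` at the top makes that step fail visibly.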