Add cloudpanel-tailscale.sh

cloudpanel-tailscale.sh

@@ -0,0 +1,163 @@
+#!/bin/bash
+
+# Exit on any error
+set -e
+
+# Function to check if command executed successfully
+check_status() {
+    if [ $? -eq 0 ]; then
+        echo "✅ $1 completed successfully"
+    else
+        echo "❌ Error: $1 failed"
+        exit 1
+    fi
+}
+
+# Function to determine SSH service name
+get_ssh_service() {
+    if systemctl list-units --full -all | grep -Fq "ssh.service"; then
+        echo "ssh"
+    elif systemctl list-units --full -all | grep -Fq "sshd.service"; then
+        echo "sshd"
+    else
+        echo "SSH service not found!"
+        exit 1
+    fi
+}
+
+echo "Starting Tailscale setup for CloudPanel..."
+
+# 1. Update system packages
+echo "Updating system packages..."
+apt update && apt upgrade -y
+check_status "System update"
+
+# 2. Install required packages
+echo "Installing required packages..."
+apt install -y sqlite3
+check_status "Required packages installation"
+
+# 3. Install Tailscale
+echo "Installing Tailscale..."
+curl -fsSL https://tailscale.com/install.sh | sh
+check_status "Tailscale installation"
+
+# 4. Start and authenticate Tailscale
+echo "Starting Tailscale..."
+tailscale up
+check_status "Tailscale startup"
+
+# 5. Get Tailscale IP
+TAILSCALE_IP=$(tailscale ip -4)
+echo "Tailscale IP: $TAILSCALE_IP"
+
+# 6. Backup original SSH configuration
+echo "Backing up SSH configuration..."
+cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
+check_status "SSH config backup"
+
+# 7. Update SSH configuration to only listen on Tailscale IP
+echo "Updating SSH configuration..."
+cat > /etc/ssh/sshd_config << EOF
+# SSH Configuration
+Port 22
+ListenAddress ${TAILSCALE_IP}
+PermitRootLogin prohibit-password
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+UsePAM yes
+X11Forwarding yes
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+EOF
+check_status "SSH config update"
+
+# 8. Restart SSH service
+SSH_SERVICE=$(get_ssh_service)
+echo "Restarting ${SSH_SERVICE} service..."
+systemctl restart ${SSH_SERVICE}
+check_status "SSH service restart"
+
+# 9. Update CloudPanel configuration
+echo "Updating CloudPanel configuration..."
+CLOUDPANEL_NGINX_CONF="/home/clp/services/nginx/sites-enabled/cloudpanel.conf"
+
+# Backup original nginx configuration
+cp "$CLOUDPANEL_NGINX_CONF" "${CLOUDPANEL_NGINX_CONF}.backup"
+check_status "CloudPanel nginx config backup"
+
+# Update nginx configuration to listen only on Tailscale IP
+sed -i "s/listen 8443 ssl http2;/listen ${TAILSCALE_IP}:8443 ssl http2;/" "$CLOUDPANEL_NGINX_CONF"
+check_status "CloudPanel nginx config update"
+
+# 10. Restart nginx
+echo "Restarting nginx..."
+systemctl restart clp-nginx
+check_status "Nginx service restart"
+
+# 11. Update CloudPanel firewall rules
+echo "Updating CloudPanel firewall rules..."
+CLOUDPANEL_DB="/home/clp/htdocs/app/data/db.sq3"
+
+# Backup the database
+cp "$CLOUDPANEL_DB" "${CLOUDPANEL_DB}.backup"
+check_status "Database backup"
+
+# Update firewall rules in the database
+sqlite3 "$CLOUDPANEL_DB" << EOF
+-- First, clear existing rules
+DELETE FROM firewall_rule;
+
+-- SSH (22) - Tailscale only
+INSERT INTO firewall_rule (port_range, source, created_at, updated_at) VALUES 
+('22', '${TAILSCALE_IP}/32', datetime('now'), datetime('now'));
+
+-- HTTP (80) - Open to all
+INSERT INTO firewall_rule (port_range, source, created_at, updated_at) VALUES 
+('80', '0.0.0.0/0', datetime('now'), datetime('now'));
+
+-- HTTPS (443) - Open to all
+INSERT INTO firewall_rule (port_range, source, created_at, updated_at) VALUES 
+('443', '0.0.0.0/0', datetime('now'), datetime('now'));
+
+-- CloudPanel UI (8443) - Tailscale only
+INSERT INTO firewall_rule (port_range, source, created_at, updated_at) VALUES 
+('8443', '${TAILSCALE_IP}/32', datetime('now'), datetime('now'));
+EOF
+check_status "Firewall rules update"
+
+# 12. Apply the new firewall rules
+echo "Applying new firewall rules..."
+systemctl restart ufw
+check_status "Firewall rules application"
+
+echo "
+✨ Setup completed successfully! ✨
+
+Your services are now configured as follows:
+- SSH (22): Only accessible via Tailscale (${TAILSCALE_IP})
+- HTTP (80): Open to all traffic
+- HTTPS (443): Open to all traffic
+- CloudPanel UI (8443): Only accessible via Tailscale (${TAILSCALE_IP})
+
+Important: Keep these backup files in case you need to revert:
+- SSH config: /etc/ssh/sshd_config.backup
+- CloudPanel nginx config: ${CLOUDPANEL_NGINX_CONF}.backup
+- CloudPanel database: ${CLOUDPANEL_DB}.backup
+
+To revert changes if needed:
+1. For CloudPanel nginx:
+   cp ${CLOUDPANEL_NGINX_CONF}.backup ${CLOUDPANEL_NGINX_CONF}
+   systemctl restart clp-nginx
+
+2. For CloudPanel database:
+   cp ${CLOUDPANEL_DB}.backup ${CLOUDPANEL_DB}
+   systemctl restart ufw
+
+3. For SSH config:
+   cp /etc/ssh/sshd_config.backup /etc/ssh/sshd_config
+   systemctl restart ${SSH_SERVICE}
+
+⚠️  Make sure you can still access your server before closing this session!
+"