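#!/bin/bash
#
# Tailscale setup for CloudPanel.
#
# Installs Tailscale, then binds SSH (22) and the CloudPanel UI (8443) to the
# host's Tailscale IPv4 address only, while HTTP (80) and HTTPS (443) stay open
# to everyone.  Intended to run as root on a Debian/Ubuntu host that already
# has CloudPanel installed.  Every file it rewrites gets a ".backup" copy next
# to it; the closing message explains how to revert.
#
# NOTE(review): step 7 replaces /etc/ssh/sshd_config wholesale, so settings
# from the existing file (e.g. an `Include /etc/ssh/sshd_config.d/*.conf`
# line and whatever those drop-ins set) are lost.  Review that heredoc
# before running on a customised host.

# -e: exit on unhandled failure; -E: ERR trap also fires inside functions;
# -u: unset variables are errors; pipefail: `curl | sh` fails if curl fails.
set -Eeuo pipefail

# Under `set -e` a failing step aborts before check_status can print its
# "failed" line, so name the failing command here instead of dying silently.
trap 'printf "❌ Error: command failed at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

#######################################
# Report the exit status of the command that ran just before the call.
# Arguments: $1 - human-readable step name
# Outputs:   success line to stdout, failure line to stderr
# Returns:   0 on success; exits the script with status 1 on failure
#######################################
check_status() {
  local rc=$?          # must be first: captures the caller's previous status
  local step=$1
  if [ "$rc" -eq 0 ]; then
    echo "✅ ${step} completed successfully"
  else
    echo "❌ Error: ${step} failed" >&2
    exit 1
  fi
}

#######################################
# Print the name of the installed OpenSSH server unit ("ssh" or "sshd").
# Outputs:   unit name to stdout; error text to stderr if neither exists
# Returns:   0 if found; exits (the calling subshell) with 1 otherwise
#######################################
get_ssh_service() {
  local units
  # Capture the listing first: with `pipefail`, `grep -q` exiting early can
  # SIGPIPE systemctl and make a *matching* pipeline report failure.
  units=$(systemctl list-units --full --all)
  if grep -Fq "ssh.service" <<<"$units"; then
    echo "ssh"
  elif grep -Fq "sshd.service" <<<"$units"; then
    echo "sshd"
  else
    # stderr, so the message is shown rather than swallowed by $(...)
    echo "SSH service not found!" >&2
    exit 1
  fi
}

echo "Starting Tailscale setup for CloudPanel..."

# 1. Update system packages
echo "Updating system packages..."
apt update && apt upgrade -y
check_status "System update"

# 2. Install required packages
echo "Installing required packages..."
apt install -y sqlite3
check_status "Required packages installation"

# 3. Install Tailscale
# NOTE(review): this runs a script fetched over the network as root, with
# no checksum or signature check beyond TLS.  If your deployment policy
# requires pinned artefacts, install from the distro repository instead.
echo "Installing Tailscale..."
curl -fsSL https://tailscale.com/install.sh | sh
check_status "Tailscale installation"

# 4. Start and authenticate Tailscale
# `tailscale up` presumably prompts for interactive login on first run —
# run this from a terminal, not unattended.
echo "Starting Tailscale..."
tailscale up
check_status "Tailscale startup"

# 5. Get Tailscale IP
TAILSCALE_IP=$(tailscale ip -4)
# The address is written verbatim into sshd_config, a sed pattern and SQL
# statements below, so insist on a single dotted-quad before going further.
if [[ ! "$TAILSCALE_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  echo "❌ Error: could not determine a Tailscale IPv4 address (got '${TAILSCALE_IP}')" >&2
  exit 1
fi
echo "Tailscale IP: $TAILSCALE_IP"

# 6. Backup original SSH configuration
# Keep an existing backup: re-running after a partial run would otherwise
# overwrite the pristine copy with the already-rewritten file.
echo "Backing up SSH configuration..."
if [ -e /etc/ssh/sshd_config.backup ]; then
  echo "Existing /etc/ssh/sshd_config.backup kept"
else
  cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
fi
check_status "SSH config backup"

# 7. Update SSH configuration to only listen on Tailscale IP
# NOTE(review): `PermitRootLogin yes` + `PasswordAuthentication yes` is
# looser than the Debian default (prohibit-password).  Reaching the port
# now requires being on the tailnet, but anyone on the tailnet can still
# brute-force root's password; prefer keys and tighten these two lines.
# Binding only to the Tailscale address also means sshd cannot start if
# tailscaled has not brought the interface up yet at boot — TODO confirm
# ordering on your host before relying on this across reboots.
echo "Updating SSH configuration..."
cat > /etc/ssh/sshd_config << EOF
# SSH Configuration
Port 22
ListenAddress ${TAILSCALE_IP}
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
check_status "SSH config update"

# Validate before restarting: a config sshd refuses to load would leave the
# next restart with no listener at all, locking the operator out.
if ! /usr/sbin/sshd -t; then
  echo "❌ Error: new sshd_config failed validation; restoring backup" >&2
  cp /etc/ssh/sshd_config.backup /etc/ssh/sshd_config
  exit 1
fi
check_status "SSH config validation"

# 8. Restart SSH service
SSH_SERVICE=$(get_ssh_service) || exit 1
echo "Restarting ${SSH_SERVICE} service..."
systemctl restart "${SSH_SERVICE}"
check_status "SSH service restart"

# 9. Update CloudPanel configuration
echo "Updating CloudPanel configuration..."
CLOUDPANEL_NGINX_CONF="/home/clp/services/nginx/sites-enabled/cloudpanel.conf"

# Backup original nginx configuration (kept if already present, see step 6)
if [ -e "${CLOUDPANEL_NGINX_CONF}.backup" ]; then
  echo "Existing ${CLOUDPANEL_NGINX_CONF}.backup kept"
else
  cp "$CLOUDPANEL_NGINX_CONF" "${CLOUDPANEL_NGINX_CONF}.backup"
fi
check_status "CloudPanel nginx config backup"

# Update nginx configuration to listen only on Tailscale IP
sed -i "s/listen 8443 ssl http2;/listen ${TAILSCALE_IP}:8443 ssl http2;/" "$CLOUDPANEL_NGINX_CONF"
check_status "CloudPanel nginx config update"

# sed exits 0 even when nothing matched; confirm the listen line was really
# rewritten, otherwise the UI would silently stay bound to every address.
if ! grep -Fq "listen ${TAILSCALE_IP}:8443 ssl http2;" "$CLOUDPANEL_NGINX_CONF"; then
  echo "❌ Error: no 'listen 8443 ssl http2;' line found in ${CLOUDPANEL_NGINX_CONF}; nothing rewritten" >&2
  exit 1
fi

# 10. Restart nginx
echo "Restarting nginx..."
systemctl restart clp-nginx
check_status "Nginx service restart"

# 11. Update CloudPanel firewall rules
echo "Updating CloudPanel firewall rules..."
CLOUDPANEL_DB="/home/clp/htdocs/app/data/db.sq3"

# Backup the database (kept if already present, see step 6)
if [ -e "${CLOUDPANEL_DB}.backup" ]; then
  echo "Existing ${CLOUDPANEL_DB}.backup kept"
else
  cp "$CLOUDPANEL_DB" "${CLOUDPANEL_DB}.backup"
fi
check_status "Database backup"

# Update firewall rules in the database.  This deliberately drops every
# existing rule; ${TAILSCALE_IP} was validated as a dotted-quad in step 5,
# so it is safe to interpolate into the SQL literals here.
sqlite3 "$CLOUDPANEL_DB" << EOF
-- First, clear existing rules
DELETE FROM firewall_rule;

-- SSH (22) - Tailscale only
INSERT INTO firewall_rule (port_range, source, created_at, updated_at)
VALUES ('22', '${TAILSCALE_IP}/32', datetime('now'), datetime('now'));

-- HTTP (80) - Open to all
INSERT INTO firewall_rule (port_range, source, created_at, updated_at)
VALUES ('80', '0.0.0.0/0', datetime('now'), datetime('now'));

-- HTTPS (443) - Open to all
INSERT INTO firewall_rule (port_range, source, created_at, updated_at)
VALUES ('443', '0.0.0.0/0', datetime('now'), datetime('now'));

-- CloudPanel UI (8443) - Tailscale only
INSERT INTO firewall_rule (port_range, source, created_at, updated_at)
VALUES ('8443', '${TAILSCALE_IP}/32', datetime('now'), datetime('now'));
EOF
check_status "Firewall rules update"

# 12. Apply the new firewall rules
echo "Applying new firewall rules..."
systemctl restart ufw
check_status "Firewall rules application"

echo "
✨ Setup completed successfully!

✨ Your services are now configured as follows:
- SSH (22): Only accessible via Tailscale (${TAILSCALE_IP})
- HTTP (80): Open to all traffic
- HTTPS (443): Open to all traffic
- CloudPanel UI (8443): Only accessible via Tailscale (${TAILSCALE_IP})

Important: Keep these backup files in case you need to revert:
- SSH config: /etc/ssh/sshd_config.backup
- CloudPanel nginx config: ${CLOUDPANEL_NGINX_CONF}.backup
- CloudPanel database: ${CLOUDPANEL_DB}.backup

To revert changes if needed:
1. For CloudPanel nginx:
   cp ${CLOUDPANEL_NGINX_CONF}.backup ${CLOUDPANEL_NGINX_CONF}
   systemctl restart clp-nginx

2. For CloudPanel database:
   cp ${CLOUDPANEL_DB}.backup ${CLOUDPANEL_DB}
   systemctl restart ufw

3. For SSH config:
   cp /etc/ssh/sshd_config.backup /etc/ssh/sshd_config
   systemctl restart ${SSH_SERVICE}

⚠️ Make sure you can still access your server before closing this session!
"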