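#!/bin/bash
#
# Tailscale setup for CloudPanel: installs Tailscale, then binds SSH (22) and
# the CloudPanel UI (8443) to this node's Tailscale IPv4 address only, leaving
# 80/443 open to everyone. Must run as root: it writes /etc/ssh, CloudPanel's
# nginx config and CloudPanel's SQLite database, and runs apt.
#
# -e: abort on the first unhandled failing command.
# -u: treat an unset variable as an error instead of silently expanding it
#     to "" (several values below end up inside sshd_config, sed and SQL).
# pipefail is deliberately NOT enabled: get_ssh_service() uses
# `systemctl ... | grep -q` inside an `if`, and an early-exiting grep can make
# the producer die with SIGPIPE, which pipefail would turn into a false "not
# found".
set -eu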
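# Report the outcome of the step that ran immediately before this call.
#
# Arguments:
#   $1 - human-readable step name used in the message
# Reads the exit status of the previous command ($?), so it must be the very
# next command after the step it reports on. Prints a success line to stdout;
# on failure prints an error line to stderr and exits the script with status 1.
# Note: under `set -e` most failing commands abort before reaching this; it
# still matters for `a && b` lists, whose non-final commands do not trigger -e.
check_status() {
  # Capture first: any other statement would overwrite $?.
  local status=$?
  if [ "$status" -eq 0 ]; then
    echo "✅ $1 completed successfully"
  else
    # Errors go to stderr so they are not swallowed by a captured stdout.
    echo "❌ Error: $1 failed" >&2
    exit 1
  fi
}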
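# Print the name of the OpenSSH systemd unit ("ssh" on Debian/Ubuntu, "sshd"
# elsewhere) to stdout, for use as $(get_ssh_service).
#
# Outputs: the unit name on stdout.
# Returns: exits 1 with a message on stderr when neither unit is known to
#   systemd. Callers use command substitution, so the exit only ends that
#   subshell; the caller must check the status (set -e does so when the
#   substitution in an assignment fails).
get_ssh_service() {
  local units
  # --all includes inactive units, so a stopped sshd is still detected.
  units=$(systemctl list-units --full --all)
  if grep -Fq "ssh.service" <<<"$units"; then
    echo "ssh"
  elif grep -Fq "sshd.service" <<<"$units"; then
    echo "sshd"
  else
    # Must go to stderr: stdout is captured by the caller's $(...), so the
    # original stdout message was never seen by anyone.
    echo "SSH service not found!" >&2
    exit 1
  fi
}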
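echo "Starting Tailscale setup for CloudPanel..."

# Everything below writes to /etc/ssh, CloudPanel's files and its database and
# runs apt, so refuse to continue unless we are root.
if [ "$(id -u)" -ne 0 ]; then
  echo "❌ Error: this script must be run as root" >&2
  exit 1
fi

# 1. Update system packages
echo "Updating system packages..."
apt update && apt upgrade -y
check_status "System update"

# 2. Install required packages (sqlite3 is used to edit CloudPanel's database)
echo "Installing required packages..."
apt install -y sqlite3
check_status "Required packages installation"

# 3. Install Tailscale
# The installer is fetched to a temp file instead of being piped straight into
# sh: with `set -e` but no pipefail, `curl ... | sh` reports sh's status, so a
# failed download (empty input) looked like a successful install. A file also
# gives an operator something to inspect before it runs as root.
# NOTE(review): this is still an unsigned script executed as root; prefer the
# distribution's signed Tailscale package repository where one is available.
echo "Installing Tailscale..."
TAILSCALE_INSTALLER=$(mktemp)
trap 'rm -f -- "$TAILSCALE_INSTALLER"' EXIT
curl -fsSL -o "$TAILSCALE_INSTALLER" https://tailscale.com/install.sh
check_status "Tailscale installer download"
sh "$TAILSCALE_INSTALLER"
check_status "Tailscale installation"

# 4. Start and authenticate Tailscale (interactive: prints a login URL)
echo "Starting Tailscale..."
tailscale up
check_status "Tailscale startup"

# 5. Get Tailscale IP
# Every later step interpolates this value into sshd_config, an nginx config,
# a sed expression and SQL, so insist on exactly one bare IPv4 literal. An
# empty or unexpected value would otherwise yield an unbindable
# `ListenAddress` (sshd fails to restart; SSH lockout) or a broken rule.
TAILSCALE_IP=$(tailscale ip -4)
if [[ ! "$TAILSCALE_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  echo "❌ Error: could not determine a single Tailscale IPv4 address (got '${TAILSCALE_IP}')" >&2
  exit 1
fi
echo "Tailscale IP: $TAILSCALE_IP"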
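# 6. Backup original SSH configuration
# Keep the first backup taken: on a re-run, copying unconditionally would
# overwrite the pristine config with the already-modified one and make the
# revert instructions at the end useless.
echo "Backing up SSH configuration..."
if [ -e /etc/ssh/sshd_config.backup ]; then
  echo "Existing backup /etc/ssh/sshd_config.backup kept (not overwritten)"
else
  cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
  check_status "SSH config backup"
fi

# 7. Update SSH configuration to only listen on Tailscale IP
# This REPLACES the whole file, so any hardening in the previous config is
# dropped, including an `Include /etc/ssh/sshd_config.d/*.conf` line if the
# distribution had one (drop-ins there, e.g. a `PasswordAuthentication no`
# placed by cloud-init, stop applying).
# NOTE(review): `PermitRootLogin yes` + `PasswordAuthentication yes` leave
# root password login enabled. Binding to the Tailscale address limits who can
# reach the port; it is not a substitute for key-only auth. Consider
# `PermitRootLogin prohibit-password` and `PasswordAuthentication no` once a
# key-based login is confirmed to work.
# NOTE(review): sshd binds only the Tailscale address. If sshd starts before
# tailscaled has assigned that address at boot, the bind fails and sshd does
# not come up; verify unit ordering across a reboot before relying on this.
echo "Updating SSH configuration..."
cat > /etc/ssh/sshd_config << EOF
# SSH Configuration
Port 22
ListenAddress ${TAILSCALE_IP}
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
check_status "SSH config update"

# Validate before restarting: restarting on a broken config stops new SSH
# logins, and there is no way back in once this session ends. On failure the
# backup is put back so the on-disk config stays usable.
sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
if ! "$sshd_bin" -t; then
  echo "❌ Error: new sshd_config failed validation; restoring backup" >&2
  cp /etc/ssh/sshd_config.backup /etc/ssh/sshd_config
  exit 1
fi

# 8. Restart SSH service
# get_ssh_service exits 1 inside the $(...) subshell when no unit is found;
# the explicit || makes the abort visible rather than relying on set -e.
SSH_SERVICE=$(get_ssh_service) || exit 1
echo "Restarting ${SSH_SERVICE} service..."
systemctl restart "${SSH_SERVICE}"
check_status "SSH service restart"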
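# 9. Update CloudPanel configuration
echo "Updating CloudPanel configuration..."
CLOUDPANEL_NGINX_CONF="/home/clp/services/nginx/sites-enabled/cloudpanel.conf"

# Backup original nginx configuration (kept if one exists from an earlier run,
# so the pristine copy is not replaced by an already-modified file)
if [ -e "${CLOUDPANEL_NGINX_CONF}.backup" ]; then
  echo "Existing backup ${CLOUDPANEL_NGINX_CONF}.backup kept (not overwritten)"
else
  cp "$CLOUDPANEL_NGINX_CONF" "${CLOUDPANEL_NGINX_CONF}.backup"
  check_status "CloudPanel nginx config backup"
fi

# Update nginx configuration to listen only on Tailscale IP.
# sed exits 0 whether or not its pattern matched, so the exact directive is
# looked for first; otherwise a CloudPanel version with a different listen
# line would be reported as "updated" while the UI stayed reachable on every
# address. Only this one directive is rewritten; any other listen line in the
# file (for example an IPv6 one, if present) is left as it was.
NGINX_LISTEN_OLD='listen 8443 ssl http2;'
NGINX_LISTEN_NEW="listen ${TAILSCALE_IP}:8443 ssl http2;"
if grep -Fq -- "$NGINX_LISTEN_NEW" "$CLOUDPANEL_NGINX_CONF"; then
  echo "CloudPanel nginx config already listens on ${TAILSCALE_IP}:8443; nothing to change"
elif ! grep -Fq -- "$NGINX_LISTEN_OLD" "$CLOUDPANEL_NGINX_CONF"; then
  echo "❌ Error: '${NGINX_LISTEN_OLD}' not found in ${CLOUDPANEL_NGINX_CONF}; leaving it unchanged" >&2
  exit 1
else
  sed -i "s/${NGINX_LISTEN_OLD}/${NGINX_LISTEN_NEW}/" "$CLOUDPANEL_NGINX_CONF"
  check_status "CloudPanel nginx config update"
fi

# 10. Restart nginx
echo "Restarting nginx..."
systemctl restart clp-nginx
check_status "Nginx service restart"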
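# 11. Update CloudPanel firewall rules
echo "Updating CloudPanel firewall rules..."
CLOUDPANEL_DB="/home/clp/htdocs/app/data/db.sq3"

# Backup the database (kept if one exists from an earlier run)
if [ -e "${CLOUDPANEL_DB}.backup" ]; then
  echo "Existing backup ${CLOUDPANEL_DB}.backup kept (not overwritten)"
else
  cp "$CLOUDPANEL_DB" "${CLOUDPANEL_DB}.backup"
  check_status "Database backup"
fi

# Update firewall rules in the database.
# The address is spliced into SQL text, so escape it the SQL way (double any
# single quote) even though a value from `tailscale ip` should never contain
# one. The DELETE drops EVERY existing rule, including any the operator added
# by hand in the CloudPanel UI; only the four rules below survive.
# NOTE(review): the table and column names are assumed from CloudPanel's
# schema and are not checked here; sqlite3 fails (and set -e aborts) if they
# differ, with the backup above as the way back.
TAILSCALE_IP_SQL=${TAILSCALE_IP//"'"/"''"}
sqlite3 "$CLOUDPANEL_DB" << EOF
-- First, clear existing rules
DELETE FROM firewall_rule;

-- SSH (22) - Tailscale only
INSERT INTO firewall_rule (port_range, source, created_at, updated_at) VALUES
('22', '${TAILSCALE_IP_SQL}/32', datetime('now'), datetime('now'));

-- HTTP (80) - Open to all
INSERT INTO firewall_rule (port_range, source, created_at, updated_at) VALUES
('80', '0.0.0.0/0', datetime('now'), datetime('now'));

-- HTTPS (443) - Open to all
INSERT INTO firewall_rule (port_range, source, created_at, updated_at) VALUES
('443', '0.0.0.0/0', datetime('now'), datetime('now'));

-- CloudPanel UI (8443) - Tailscale only
INSERT INTO firewall_rule (port_range, source, created_at, updated_at) VALUES
('8443', '${TAILSCALE_IP_SQL}/32', datetime('now'), datetime('now'));
EOF
check_status "Firewall rules update"

# 12. Apply the new firewall rules
# NOTE(review): this assumes CloudPanel regenerates ufw's rule set from its
# database when ufw restarts. Confirm with `ufw status` that only the
# Tailscale address is allowed on 22 and 8443 before ending this session.
echo "Applying new firewall rules..."
systemctl restart ufw
check_status "Firewall rules application"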
# Final report: what is reachable where, which backups exist, and how to
# revert each change. Printed as a here-document so the text reads as shown;
# the leading and trailing blank lines are part of the message.
cat <<EOF

✨ Setup completed successfully! ✨

Your services are now configured as follows:
- SSH (22): Only accessible via Tailscale (${TAILSCALE_IP})
- HTTP (80): Open to all traffic
- HTTPS (443): Open to all traffic
- CloudPanel UI (8443): Only accessible via Tailscale (${TAILSCALE_IP})

Important: Keep these backup files in case you need to revert:
- SSH config: /etc/ssh/sshd_config.backup
- CloudPanel nginx config: ${CLOUDPANEL_NGINX_CONF}.backup
- CloudPanel database: ${CLOUDPANEL_DB}.backup

To revert changes if needed:
1. For CloudPanel nginx:
cp ${CLOUDPANEL_NGINX_CONF}.backup ${CLOUDPANEL_NGINX_CONF}
systemctl restart clp-nginx

2. For CloudPanel database:
cp ${CLOUDPANEL_DB}.backup ${CLOUDPANEL_DB}
systemctl restart ufw

3. For SSH config:
cp /etc/ssh/sshd_config.backup /etc/ssh/sshd_config
systemctl restart ${SSH_SERVICE}

⚠️ Make sure you can still access your server before closing this session!

EOF