vaultsovereign/vm-skills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
vm-skills/hetzner-bootstrap/scripts/10_plan.sh
Vault Sovereign eac77ef7b4 Initial commit: VaultMesh Skills collection 
Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00

42 lines
1.6 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
source "$SCRIPT_DIR/_common.sh"
: "${SERVER_IP:=}"
: "${NODE_NAME:=}"
: "${SOVEREIGN_USER:=sovereign}"
: "${SSH_PUBLIC_KEY:=}"
: "${SSH_PORT:=}" # optional: if unset, apply auto-detects current sshd port (fallback 22)
: "${ALLOW_SSH_FALLBACK_22:=true}"# safety: keep 22 open if SSH_PORT != 22
: "${WG_PORT:=51820}"
: "${INSTALL_CLOUDFLARED:=true}"
: "${INSTALL_WIREGUARD:=true}"
main() {
require_root
[[ -n "$NODE_NAME" ]] || die "NODE_NAME required"
[[ -n "$SSH_PUBLIC_KEY" ]] || die "SSH_PUBLIC_KEY required"
echo "[PLAN] $(date -Iseconds) hetzner-bootstrap"
echo "[PLAN] Server IP: ${SERVER_IP:-<unknown>}"
echo "[PLAN] Hostname: $NODE_NAME"
echo "[PLAN] Sovereign user: $SOVEREIGN_USER"
echo "[PLAN] SSH port allowance:"
if [[ -n "$SSH_PORT" ]]; then
echo " - Will allow SSH_PORT=${SSH_PORT}/tcp"
if [[ "$ALLOW_SSH_FALLBACK_22" == "true" && "$SSH_PORT" != "22" ]]; then
echo " - Safety fallback: also allow 22/tcp"
fi
else
echo " - SSH_PORT not set: apply will auto-detect current sshd port (fallback 22) and allow it"
fi
echo "[PLAN] UFW: allow SSH port(s) + allow ${WG_PORT}/udp BEFORE enable; default deny incoming"
echo "[PLAN] SSH hardening: PermitRootLogin no, PasswordAuthentication no, validate with sshd -t, reload ssh service"
echo "[PLAN] cloudflared install: $INSTALL_CLOUDFLARED"
echo "[PLAN] wireguard package install: $INSTALL_WIREGUARD"
echo
echo "[PLAN] Next: export DRY_RUN=0 && ./scripts/11_apply.sh"
}
main "$@"
Reference in New Issue View Git Blame Copy Permalink