eac77ef7b4
Collection of operational skills for VaultMesh infrastructure including: - backup-sovereign: Backup and recovery operations - btc-anchor: Bitcoin anchoring - cloudflare-tunnel-manager: Cloudflare tunnel management - container-registry: Container registry operations - disaster-recovery: Disaster recovery procedures - dns-sovereign: DNS management - eth-anchor: Ethereum anchoring - gitea-bootstrap: Gitea setup and configuration - hetzner-bootstrap: Hetzner server provisioning - merkle-forest: Merkle tree operations - node-hardening: Node security hardening - operator-bootstrap: Operator initialization - proof-verifier: Cryptographic proof verification - rfc3161-anchor: RFC3161 timestamping - secrets-vault: Secrets management 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
82 lines
2.6 KiB
Bash
Executable File
82 lines
2.6 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
# === METADATA ===
|
|
SCRIPT_NAME="$(basename "$0")"
|
|
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
|
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
|
|
|
|
# === CONFIGURATION ===
|
|
: "${DOMAIN:?DOMAIN required}"
|
|
: "${CF_ACCOUNT_ID:?CF_ACCOUNT_ID required}"
|
|
: "${NODE_NAME:=node-a}"
|
|
: "${TUNNEL_NAME:=$NODE_NAME-tunnel}"
|
|
: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
|
|
|
|
# === FUNCTIONS ===
|
|
log_info() { echo "[INFO] $(date -Iseconds) $*"; }
|
|
log_warn() { echo "[WARN] $(date -Iseconds) $*" >&2; }
|
|
|
|
main() {
|
|
log_info "Starting $SCRIPT_NAME (PLAN ONLY - no changes made)..."
|
|
|
|
echo ""
|
|
echo "============================================"
|
|
echo " CLOUDFLARE TUNNEL PLAN"
|
|
echo " Node: $NODE_NAME"
|
|
echo "============================================"
|
|
echo ""
|
|
|
|
echo "=== Tunnel Configuration ==="
|
|
echo " Tunnel Name: $TUNNEL_NAME"
|
|
echo " Account ID: $CF_ACCOUNT_ID"
|
|
echo " Credentials: ~/.cloudflared/$TUNNEL_NAME.json"
|
|
echo " Config: ~/.cloudflared/config-$TUNNEL_NAME.yml"
|
|
echo ""
|
|
|
|
echo "=== Proposed Ingress Rules ==="
|
|
echo " 1. ssh.$DOMAIN -> ssh://localhost:22"
|
|
echo " 2. *.$DOMAIN -> http://localhost:8080 (catch-all)"
|
|
echo " 3. (fallback) -> http_status:404"
|
|
echo ""
|
|
|
|
echo "=== DNS Records to Create ==="
|
|
echo " ssh.$DOMAIN CNAME -> $TUNNEL_NAME.cfargotunnel.com"
|
|
echo ""
|
|
|
|
echo "=== systemd Service ==="
|
|
echo " Unit: cloudflared@$TUNNEL_NAME.service (or user service)"
|
|
echo " Status: Will be enabled and started"
|
|
echo ""
|
|
|
|
echo "=== Security Notes ==="
|
|
echo " - Tunnel credentials will be stored locally"
|
|
echo " - Tunnel ID will be stored in pass (if available)"
|
|
echo " - No API token stored in config files"
|
|
echo ""
|
|
|
|
# Check for existing tunnel
|
|
if [[ -f "$HOME/.cloudflared/$TUNNEL_NAME.json" ]]; then
|
|
log_warn "Tunnel credentials already exist at ~/.cloudflared/$TUNNEL_NAME.json"
|
|
log_warn "Apply will reuse existing tunnel (idempotent)"
|
|
fi
|
|
|
|
# Check cloudflared login status
|
|
if [[ -f "$HOME/.cloudflared/cert.pem" ]]; then
|
|
log_info "Cloudflared certificate found - already authenticated"
|
|
else
|
|
log_warn "No cloudflared certificate found"
|
|
log_warn "You may need to run: cloudflared tunnel login"
|
|
fi
|
|
|
|
echo "============================================"
|
|
echo " To apply: ./scripts/21_tunnel_apply.sh"
|
|
echo " To abort: Do nothing"
|
|
echo " To rollback: ./scripts/rollback/undo_tunnel.sh"
|
|
echo "============================================"
|
|
|
|
log_info "Completed $SCRIPT_NAME"
|
|
}
|
|
|
|
[[ "${BASH_SOURCE[0]}" == "$0" ]] && main "$@"
|