vaultsovereign/vm-skills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
eac77ef7b4b5a87f0a35a1181dacb4013b09b996
vm-skills/node-hardening/scripts/00_preflight.sh
Vault Sovereign eac77ef7b4 Initial commit: VaultMesh Skills collection 
Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00

79 lines
2.5 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
SCRIPT_NAME="$(basename "$0")"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
: "${BACKUP_DIR:=$OUTPUT_DIR/backups}"
log_info() { echo "[INFO] $(date -Iseconds) $*"; }
log_warn() { echo "[WARN] $(date -Iseconds) $*" >&2; }
log_error() { echo "[ERROR] $(date -Iseconds) $*" >&2; }
die() { log_error "$@"; exit 1; }
check_dependency() {
if command -v "$1" &>/dev/null; then
log_info "Found: $1 ($(command -v "$1"))"
return 0
else
log_warn "Missing: $1"
return 1
fi
}
is_ssh_session() {
[[ -n "${SSH_CONNECTION:-}" || -n "${SSH_CLIENT:-}" ]]
}
main() {
mkdir -p "$OUTPUT_DIR" "$BACKUP_DIR"
log_info "Starting $SCRIPT_NAME"
local missing=0
log_info "=== Required Dependencies ==="
check_dependency sudo || ((missing++))
check_dependency systemctl || ((missing++))
check_dependency ss || check_dependency netstat || log_warn "No ss/netstat (network inspection limited)"
check_dependency awk || ((missing++))
check_dependency sed || ((missing++))
check_dependency grep || ((missing++))
log_info "=== Hardening Tooling (may be installed during apply) ==="
check_dependency ufw || log_warn "ufw not installed (apply can install)"
check_dependency sshd || check_dependency ssh || log_warn "sshd binary not found (service may still exist)"
check_dependency fail2ban-client || log_warn "fail2ban not installed (apply can install)"
check_dependency auditctl || log_warn "auditd not installed (apply can install)"
log_info "=== Session Context ==="
if is_ssh_session; then
log_warn "Detected SSH session: ${SSH_CONNECTION:-${SSH_CLIENT:-unknown}}"
log_warn "Recommendation: keep a second session open before applying changes."
else
log_info "No SSH session detected (console/local run)"
fi
log_info "=== Privilege Check ==="
if sudo -n true 2>/dev/null; then
log_info "sudo is available without password prompt (non-interactive)"
else
log_info "sudo may prompt for password (interactive)"
fi
log_info "=== Parameters (defaults if unset) ==="
log_info "SSH_PORT=${SSH_PORT:-22}"
log_info "ALLOW_HTTP=${ALLOW_HTTP:-true}"
log_info "ALLOW_HTTPS=${ALLOW_HTTPS:-true}"
log_info "DRY_RUN=${DRY_RUN:-1} (apply scripts require DRY_RUN=0)"
if [[ $missing -gt 0 ]]; then
die "Missing $missing required dependencies. Install them before proceeding."
fi
log_info "Completed $SCRIPT_NAME"
}
[[ "${BASH_SOURCE[0]}" == "$0" ]] && main "$@"
Reference in New Issue View Git Blame Copy Permalink