Merge branch 'master' into 3573-feature-introduce-distributed-semaphore-base-on-redis

2026-03-01 12:44:43 +00:00 · 2025-12-03 17:11:22 +01:00 · 2025-12-03 17:11:22 +01:00 · 7cfe44f6b5
commit 7cfe44f6b5
parent 7a7566625d f2ad3a49f6
2 changed files with 33 additions and 23 deletions
--- a/deployment/hetzner_cloud/cloudConfig.yaml
+++ b/deployment/hetzner_cloud/cloudConfig.yaml
@ -24,24 +24,24 @@ packages:
  - expect
 package_update: true
 package_upgrade: true
-
+write_files:
+  - path: /etc/ssh/sshd_config.d/ssh-hardening.conf
+    content: |
+      PermitRootLogin yes
+      PasswordAuthentication no
+      KbdInteractiveAuthentication no
+      ChallengeResponseAuthentication no
+      MaxAuthTries 3
+      AllowTcpForwarding no
+      X11Forwarding no
+      AllowAgentForwarding no
+      AuthorizedKeysFile .ssh/authorized_keys
+      AllowUsers gradido root
 runcmd:
 - printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
 - systemctl enable fail2ban
-
 - ufw allow OpenSSH
 - ufw allow http
 - ufw allow https
 - ufw enable
-
- sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)KbdInteractiveAuthentication/s/^.*$/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)ChallengeResponseAuthentication/s/^.*$/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 3/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
- sed -i '$a AllowUsers gradido root' /etc/ssh/sshd_config
-
 - reboot
--- a/deployment/hetzner_cloud/install.sh
+++ b/deployment/hetzner_cloud/install.sh
@ -124,17 +124,27 @@ sudo systemctl daemon-reload
 # setup https with certbot
 certbot certonly --nginx --non-interactive --agree-tos --domains $COMMUNITY_HOST --email $COMMUNITY_SUPPORT_MAIL

-# Install node 18
-sudo -u gradido bash -c 'curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash'
-# Close and reopen your terminal to start using nvm or run the following to use it now:
-sudo -u gradido bash -c 'export NVM_DIR="$HOME/.nvm" && [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"'
-sudo -u gradido bash -c '. $HOME/.nvm/nvm.sh && nvm install v18.20.7' # first installed version will be set to default automatic
+# run as gradido user (until EOF)
+sudo -u gradido bash <<'EOF'
+    export NVM_DIR="/home/gradido/.nvm"
+    NODE_VERSION="v18.20.7"
+    export NVM_DIR
+    # Install nvm if it doesn't exist
+    if [ ! -d "$NVM_DIR" ]; then
+        curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
+    fi
+    # Load nvm 
+    [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"

-# Install yarn
-sudo -u gradido bash -c '. $HOME/.nvm/nvm.sh && npm i -g yarn'
-
-# Install pm2
-sudo -u gradido bash -c '. $HOME/.nvm/nvm.sh && npm i -g pm2 && pm2 startup'
+    # Install Node if not already installed
+    if ! nvm ls $NODE_VERSION >/dev/null 2>&1; then
+        nvm install $NODE_VERSION
+    fi
+    # Install yarn and pm2
+    npm i -g yarn pm2 
+    # start pm2
+    pm2 startup
+EOF

 # Install logrotate
 envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $SCRIPT_PATH/logrotate/gradido.conf.template > $SCRIPT_PATH/logrotate/gradido.conf