From 618c5b477a91b6b88f50c0ee83858774e2e973a2 Mon Sep 17 00:00:00 2001
From: einhornimmond
Date: Wed, 3 Dec 2025 14:32:06 +0100
Subject: [PATCH 1/4] update cloud config, make install.sh more robust
---
 deployment/hetzner_cloud/cloudConfig.yaml | 26 +++++++++++------------
 deployment/hetzner_cloud/install.sh | 25 ++++++++++++++++++------
 2 files changed, 31 insertions(+), 20 deletions(-)
diff --git a/deployment/hetzner_cloud/cloudConfig.yaml b/deployment/hetzner_cloud/cloudConfig.yaml
index 84658705f..e6970cf9c 100644
--- a/deployment/hetzner_cloud/cloudConfig.yaml
+++ b/deployment/hetzner_cloud/cloudConfig.yaml
@@ -24,24 +24,24 @@ packages:
 - expect
 package_update: true
 package_upgrade: true
-
+write_files:
+ - path: /etc/ssh/sshd_config.d/ssh-hardening.conf
+ content: |
+ PermitRootLogin yes
+ PasswordAuthentication no
+ KbdInteractiveAuthentication no
+ ChallengeResponseAuthentication no
+ MaxAuthTries 3
+ AllowTcpForwarding no
+ X11Forwarding no
+ AllowAgentForwarding no
+ AuthorizedKeysFile .ssh/authorized_keys
+ AllowUsers gradido root
 runcmd:
 - printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
 - systemctl enable fail2ban
-
 - ufw allow OpenSSH
 - ufw allow http
 - ufw allow https
 - ufw enable
-
-- sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
-- sed -i -e '/^\(#\|\)KbdInteractiveAuthentication/s/^.*$/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config
-- sed -i -e '/^\(#\|\)ChallengeResponseAuthentication/s/^.*$/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
-- sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 3/' /etc/ssh/sshd_config
-- sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
-- sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
-- sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
-- sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
-- sed -i '$a AllowUsers gradido root' /etc/ssh/sshd_config
-
 - reboot
\ No newline at end of file
diff --git a/deployment/hetzner_cloud/install.sh b/deployment/hetzner_cloud/install.sh
index ac43c6421..2471bc24c 100755
--- a/deployment/hetzner_cloud/install.sh
+++ b/deployment/hetzner_cloud/install.sh
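Review bot: `PermitRootLogin yes` in the new drop-in is broader than the old runcmd hardening, which never touched that directive; with `PasswordAuthentication no` root is key-only today, but the explicit `yes` means any later change that re-enables passwords silently extends to root, whereas `PermitRootLogin prohibit-password` states the actual intent (key-only root) at no cost. It is also worth checking how the drop-in is ordered: on images whose `sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf`, sshd keeps the first value it reads for each keyword, and a name like `ssh-hardening.conf` sorts after any digit-prefixed drop-ins the image or cloud-init may ship, so one of those could win for `PasswordAuthentication`. A `00-`-prefixed filename avoids that, and `sshd -T | grep -i -e passwordauthentication -e permitrootlogin` after the reboot confirms the effective values.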
@@ -124,17 +124,28 @@ sudo systemctl daemon-reload
 # setup https with certbot
 certbot certonly --nginx --non-interactive --agree-tos --domains $COMMUNITY_HOST --email $COMMUNITY_SUPPORT_MAIL
-# Install node 18
-sudo -u gradido bash -c 'curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash'
-# Close and reopen your terminal to start using nvm or run the following to use it now:
-sudo -u gradido bash -c 'export NVM_DIR="$HOME/.nvm" && [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"'
-sudo -u gradido bash -c '. $HOME/.nvm/nvm.sh && nvm install v18.20.7' # first installed version will be set to default automatic
+# Variables
+NVM_DIR="/home/gradido/.nvm"
+NODE_VERSION="v18.20.7"
+
+# Install nvm if it doesn't exist
+if [ ! -d "$NVM_DIR" ]; then
+ sudo -u gradido bash -c 'curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash'
+fi
+
+# Load nvm
+sudo -u gradido bash -c 'export NVM_DIR="$NVM_DIR" && [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"'
+
+# Install Node if not already installed
+if ! sudo -u gradido bash -c "source $NVM_DIR/nvm.sh && nvm ls $NODE_VERSION >/dev/null 2>&1"; then
+ sudo -u gradido bash -c "source $NVM_DIR/nvm.sh && nvm install $NODE_VERSION"
+fi
 # Install yarn
-sudo -u gradido bash -c '. $HOME/.nvm/nvm.sh && npm i -g yarn'
+sudo -u gradido bash -c 'source $NVM_DIR/nvm.sh && npm i -g yarn'
 # Install pm2
-sudo -u gradido bash -c '. $HOME/.nvm/nvm.sh && npm i -g pm2 && pm2 startup'
+sudo -u gradido bash -c 'source $NVM_DIR/nvm.sh && npm i -g pm2 && pm2 startup'
 # Install logrotate
 envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $SCRIPT_PATH/logrotate/gradido.conf.template > $SCRIPT_PATH/logrotate/gradido.conf
From b30ebd5082c64ebee5d2c1cf7aa0e102221741e7 Mon Sep 17 00:00:00 2001
From: einhornimmond
Date: Wed, 3 Dec 2025 14:39:03 +0100
Subject: [PATCH 2/4] test other shell command
---
 deployment/hetzner_cloud/install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
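Review bot: The new yarn and pm2 lines put `source $NVM_DIR/nvm.sh` inside single quotes, so `$NVM_DIR` is expanded by the child bash that `sudo` starts, where the variable is unset (it is only a shell variable of the outer script and `sudo` resets the environment), and the command becomes `source /nvm.sh`; the `# Install Node` check just above gets it right with double quotes, so the same form works here: `sudo -u gradido bash -c "source $NVM_DIR/nvm.sh && npm i -g yarn"`. The `# Load nvm` line has the same quoting problem and, being a separate process, cannot load anything for the later lines anyway, so it can be dropped. Separately, `curl -o- … | bash` executes a remote installer with no integrity check; downloading it to a file and comparing a pinned checksum before running it keeps the provisioning step reproducible and auditable, since the tag in the URL can move. `NODE_VERSION="v18.20.7"` also pins a Node line that reached end-of-life in April 2025 and no longer receives security fixes, so a supported LTS is worth considering when the application allows it. The enclosing script continues outside the hunk.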
diff --git a/deployment/hetzner_cloud/install.sh b/deployment/hetzner_cloud/install.sh
index 2471bc24c..fc01cf2b6 100755
--- a/deployment/hetzner_cloud/install.sh
+++ b/deployment/hetzner_cloud/install.sh
@@ -137,8 +137,8 @@ fi
 sudo -u gradido bash -c 'export NVM_DIR="$NVM_DIR" && [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"'
 # Install Node if not already installed
-if ! sudo -u gradido bash -c "source $NVM_DIR/nvm.sh && nvm ls $NODE_VERSION >/dev/null 2>&1"; then
- sudo -u gradido bash -c "source $NVM_DIR/nvm.sh && nvm install $NODE_VERSION"
+if ! sudo -u gradido bash -c "$NVM_DIR/nvm.sh ls $NODE_VERSION >/dev/null 2>&1"; then
+ sudo -u gradido bash -c "$NVM_DIR/nvm.sh install $NODE_VERSION"
 fi
 # Install yarn
From 6a60e037773349b07c23c740a3c7e44e3b65c461 Mon Sep 17 00:00:00 2001
From: einhornimmond
Date: Wed, 3 Dec 2025 14:52:19 +0100
Subject: [PATCH 3/4] fix nvm & node install
---
 deployment/hetzner_cloud/install.sh | 34 ++++++++++++++---------------
 1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/deployment/hetzner_cloud/install.sh b/deployment/hetzner_cloud/install.sh
index fc01cf2b6..43d5872ad 100755
--- a/deployment/hetzner_cloud/install.sh
+++ b/deployment/hetzner_cloud/install.sh
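Review bot: The new condition and install line execute `$NVM_DIR/nvm.sh` as a program with `ls`/`install` arguments, but nvm.sh is a function library meant to be sourced into the current shell; run directly it only defines the `nvm` function in a throw-away process and, as far as I can tell, ignores its arguments, so the `if` no longer tests whether the version is present and `nvm install` never runs (the file is also not necessarily executable). The previous form, `source $NVM_DIR/nvm.sh && nvm ls $NODE_VERSION`, was the correct shape; doing the whole sequence inside one shell that has sourced nvm.sh is the cleaner fix. The enclosing script continues outside the hunk.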
@@ -128,24 +128,24 @@ certbot certonly --nginx --non-interactive --agree-tos --domains $COMMUNITY_HOST
 NVM_DIR="/home/gradido/.nvm"
 NODE_VERSION="v18.20.7"
-# Install nvm if it doesn't exist
-if [ ! -d "$NVM_DIR" ]; then
- sudo -u gradido bash -c 'curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash'
-fi
+# run as gradido user (until EOF)
+sudo -u gradido bash <<'EOF'
+ # Install nvm if it doesn't exist
+ if [ ! -d "$NVM_DIR" ]; then
+ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
+ fi
+ # Load nvm
+ [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
-# Load nvm
-sudo -u gradido bash -c 'export NVM_DIR="$NVM_DIR" && [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"'
-
-# Install Node if not already installed
-if ! sudo -u gradido bash -c "$NVM_DIR/nvm.sh ls $NODE_VERSION >/dev/null 2>&1"; then
- sudo -u gradido bash -c "$NVM_DIR/nvm.sh install $NODE_VERSION"
-fi
-
-# Install yarn
-sudo -u gradido bash -c 'source $NVM_DIR/nvm.sh && npm i -g yarn'
-
-# Install pm2
-sudo -u gradido bash -c 'source $NVM_DIR/nvm.sh && npm i -g pm2 && pm2 startup'
+ # Install Node if not already installed
+ if ! nvm ls $NODE_VERSION >/dev/null 2>&1; then
+ nvm install $NODE_VERSION
+ fi
+ # Install yarn and pm2
+ npm i -g yarn pm2
+ # start pm2
+ pm2 startup
+EOF
 # Install logrotate
 envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $SCRIPT_PATH/logrotate/gradido.conf.template > $SCRIPT_PATH/logrotate/gradido.conf
From 371fd1acbb96f790ce7f1d594ede8e4b5a4139bc Mon Sep 17 00:00:00 2001
From: einhornimmond
Date: Wed, 3 Dec 2025 14:58:41 +0100
Subject: [PATCH 4/4] move envs into correct context
---
 deployment/hetzner_cloud/install.sh | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/deployment/hetzner_cloud/install.sh b/deployment/hetzner_cloud/install.sh
index 43d5872ad..e5fe29f81 100755
--- a/deployment/hetzner_cloud/install.sh
+++ b/deployment/hetzner_cloud/install.sh
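Review bot: Nothing inside the heredoc aborts on failure: the child bash runs without `set -e`, so if the curl download or `nvm install` fails, `npm i -g yarn pm2` and `pm2 startup` still run (and fail) and the outer script carries on to the logrotate step as if provisioning had succeeded; `set -euo pipefail` as the first line after `<<'EOF'` makes the block fail loudly instead. Because the delimiter is quoted, `$NVM_DIR` and `$NODE_VERSION` are expanded by the child shell, where neither is set (they are plain, unexported variables of the outer script and `sudo` resets the environment), so `[ ! -d "" ]` always re-runs the installer and `[ -s "/nvm.sh" ]` never sources nvm; the follow-up patch in this series moves the definitions inside the heredoc, which resolves that part. The `curl … | bash` line still executes a remote installer with no integrity check; fetching it to a file and verifying a pinned checksum before running it is the auditable form. The enclosing script continues outside the hunk.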
@@ -124,12 +124,11 @@ sudo systemctl daemon-reload
 # setup https with certbot
 certbot certonly --nginx --non-interactive --agree-tos --domains $COMMUNITY_HOST --email $COMMUNITY_SUPPORT_MAIL
-# Variables
-NVM_DIR="/home/gradido/.nvm"
-NODE_VERSION="v18.20.7"
-
 # run as gradido user (until EOF)
 sudo -u gradido bash <<'EOF'
+ export NVM_DIR="/home/gradido/.nvm"
+ NODE_VERSION="v18.20.7"
+ export NVM_DIR
 # Install nvm if it doesn't exist
 if [ ! -d "$NVM_DIR" ]; then
 curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash