#!/usr/bin/env bash
# =============================================================================
# node_setup.sh — VPS node hardening: apt, SSH, UFW firewall
#
# Usage (standalone, as root — it writes under /etc and drives apt, systemd and ufw):
#   bash node_setup.sh
#   bash <(curl -Ls https://raw.githubusercontent.com/JungleVPN/scripts/main/node_setup.sh)
#
# Caveat on the curl form: it executes whatever the "main" branch serves at that
# moment, as root, with no integrity check. Pin a commit or tag in the URL, or
# download first and verify a checksum, before using it on anything you care about.
# =============================================================================
set -euo pipefail

# ANSI colour escapes for the log helpers. They are stored un-interpreted
# (literal backslash sequences) and expanded when printed.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
CYAN='\033[0;36m'
GRAY='\033[38;5;8m'
BOLD='\033[1m'
NC='\033[0m'

# 54-character grey horizontal rule used around the final summary.
SEP="${GRAY}$(printf '%.0s─' {1..54})${NC}"
info() { echo -e "${GREEN}[INFO]${NC} $*"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
die() { echo -e "${RED}[ERROR]${NC} $*" >&2; exit 1; }
step() { echo -e "\n${CYAN}▶${NC} ${BOLD}$*${NC}"; }
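# Where this script persists its answers (sourced by every login shell).
JUNGLE_ENV="/etc/profile.d/jungle-node.sh"
# NOTE(review): "main" is a moving target — whatever the branch serves at run
# time is executed as root with no integrity check. Pin a commit/tag or verify
# a checksum for anything beyond a throwaway host.
REPO="https://raw.githubusercontent.com/JungleVPN/scripts/main"

# Download lib/node_config.sh from $REPO into a private temp file ($_NODE_CONFIG)
# that is removed on exit. Dies if the download fails.
_fetch_node_config() {
  _NODE_CONFIG="$(mktemp)"
  # Install the cleanup trap BEFORE the download: under set -e a failed curl
  # would otherwise exit the script and leave the temp file behind.
  trap 'rm -f -- "$_NODE_CONFIG"' EXIT
  # -f: an HTTP error (404, 5xx) is a failure, not an error page saved to disk
  # and later source'd as code. --proto/--proto-redir: HTTPS only, even if
  # redirected. -L kept so GitHub redirects still work.
  curl -fsSL --proto '=https' --proto-redir '=https' \
    "$REPO/lib/node_config.sh" -o "$_NODE_CONFIG" \
    || die "Could not download $REPO/lib/node_config.sh"
}

# Resolve the config library: the sibling lib/ file when run from a checkout
# (BASH_SOURCE is a real file), otherwise — piped through process substitution,
# or lib/ missing next to the script — a fresh download.
if [[ -f "${BASH_SOURCE[0]:-}" ]]; then
  SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
  _NODE_CONFIG="${SCRIPT_DIR}/lib/node_config.sh"
  if [[ ! -f "$_NODE_CONFIG" ]]; then
    warn "lib/node_config.sh not found next to the script; fetching it from $REPO"
    _fetch_node_config
  fi
else
  _fetch_node_config
fi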
# ── Header ────────────────────────────────────────────────────────────────────
# Clear the terminal and print the banner in bold cyan, resetting the colour
# afterwards. The box is emitted verbatim (no expansion) line by line.
clear
printf '%b\n' "${CYAN}${BOLD}"
printf '%s\n' \
  '╔════════════════════════════════════════════════════════╗' \
  '║ The Jungle — Node Setup ║' \
  '║ apt update · SSH hardening · UFW ║' \
  '╚════════════════════════════════════════════════════════╝'
printf '%b\n' "${NC}"
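# ── Load saved vars ───────────────────────────────────────────────────────────
# Exports from a previous run (JUNGLE_*), if any — presumably offered as
# defaults by collect_node_config.
[[ -f "$JUNGLE_ENV" ]] && source "$JUNGLE_ENV"
# ── Collect all inputs upfront ────────────────────────────────────────────────
# Everything after the confirmation below writes under /etc and drives apt,
# systemd and ufw: fail now, not half-way through, when not running as root.
(( EUID == 0 )) || die "Run this script as root (it writes under /etc and manages apt/systemd/ufw)."
source "$_NODE_CONFIG"
collect_node_config
# SSH_PORT, PANEL_IP, BESZEL_PORT, NODE_PORT, XHTTP_PORT and GRPC_PORT are used
# from here on and nothing else in this script sets them, so they are expected
# from collect_node_config. Re-check them regardless of what the lib does: they
# are written into a profile.d file every login shell sources, spliced into sed
# expressions and handed to ufw, so a stray quote, space or letter must not
# get through.
_port_re='^[0-9]+$'
for _name in SSH_PORT BESZEL_PORT NODE_PORT XHTTP_PORT GRPC_PORT; do
  _val="${!_name:-}"
  # 10# forces decimal so a leading zero is not read as octal.
  if ! [[ "$_val" =~ $_port_re ]] || (( 10#$_val < 1 || 10#$_val > 65535 )); then
    die "$_name must be a port number in 1-65535 (got '$_val')"
  fi
done
# Panel address: IPv4/IPv6 literal with optional /prefix; ufw does the real
# parsing later, this only keeps shell metacharacters out.
_addr_re='^[0-9A-Fa-f.:]+(/[0-9]{1,3})?$'
if [[ -n "${PANEL_IP:-}" && ! "$PANEL_IP" =~ $_addr_re ]]; then
  die "PANEL_IP must be an IP address or CIDR, or empty (got '$PANEL_IP')"
fi
read -rp "Start node setup? [y/N] " _ans
[[ "${_ans,,}" == "y" ]] || { info "Aborted."; exit 0; }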
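SSHD_CONFIG="/etc/ssh/sshd_config"
# ── Execute ───────────────────────────────────────────────────────────────────
step "Saving config to $JUNGLE_ENV"
mkdir -p /etc/profile.d
# Drop the block written by a previous run (marker lines below) so re-runs
# replace rather than accumulate. The file may not exist yet, hence the
# silenced, non-fatal sed.
sed -i '/# === jungle-init ===/,/# === \/jungle-init ===/d' "$JUNGLE_ENV" 2>/dev/null || true
# This file is source'd by every login shell on the box, so each value is
# emitted through %q (shell-quoted) instead of being interpolated between
# double quotes — a value containing " or $( ) would otherwise run as code at
# every login. For plain numbers and addresses %q emits them unchanged.
{
  echo '# === jungle-init ==='
  printf 'export JUNGLE_SSH_PORT=%q\n'    "$SSH_PORT"
  printf 'export JUNGLE_PANEL_IP=%q\n'    "$PANEL_IP"
  printf 'export JUNGLE_BESZEL_PORT=%q\n' "$BESZEL_PORT"
  printf 'export JUNGLE_NODE_PORT=%q\n'   "$NODE_PORT"
  printf 'export JUNGLE_XHTTP_PORT=%q\n'  "$XHTTP_PORT"
  printf 'export JUNGLE_GRPC_PORT=%q\n'   "$GRPC_PORT"
  echo '# === /jungle-init ==='
} >> "$JUNGLE_ENV"
# World-readable is fine (ports and a panel address, no secrets); never
# group/other-writable, since root's login shell sources it.
chmod 0644 "$JUNGLE_ENV"
info "Saved"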
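step "Updating system packages"
# apt(8) warns that its CLI is not stable for scripts; apt-get is.
# --with-new-pkgs keeps the "apt upgrade" semantics (new dependencies allowed).
# The noninteractive frontend stops dpkg conffile / needrestart dialogs from
# hanging an unattended run — and, under set -e, from aborting it half-way.
# NEEDRESTART_MODE=a auto-restarts services on Ubuntu; ignored elsewhere.
export DEBIAN_FRONTEND=noninteractive
export NEEDRESTART_MODE=a
apt-get update
apt-get -y --with-new-pkgs upgrade
step "Installing required packages"
apt-get install -y curl unattended-upgrades ufw
step "Enabling unattended upgrades"
dpkg-reconfigure -f noninteractive unattended-upgrades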
# On releases where sshd is socket-activated (Ubuntu 22.10 and later at the
# time of writing) ssh.socket owns the listening port and the Port directive
# in sshd_config is not honoured while it is in charge. Hand control back to
# ssh.service so the port change in the next step actually takes effect.
step "Switching SSH socket → service"
# '|| true': the socket unit simply does not exist on older releases / Debian.
systemctl stop ssh.socket || true
systemctl disable ssh.socket || true
systemctl enable ssh.service
systemctl restart ssh.service
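step "Hardening SSH (port $SSH_PORT, password auth off)"
# Lock-out guard: once password auth is off, a host with no authorized key for
# root (or the sudo user) is unreachable after the restart below. Only the
# default ~/.ssh/authorized_keys is checked, so this is a prompt rather than a
# hard stop — confirm explicitly if keys live elsewhere.
_key_found=0
for _acct in root "${SUDO_USER:-}"; do
  [[ -n "$_acct" ]] || continue
  _home="$(getent passwd "$_acct" | cut -d: -f6)" || true
  if [[ -n "$_home" && -s "$_home/.ssh/authorized_keys" ]]; then
    _key_found=1
  fi
done
if (( _key_found == 0 )); then
  warn "No ~/.ssh/authorized_keys for root${SUDO_USER:+ or $SUDO_USER} — disabling password login may lock you out."
  read -rp "Continue anyway? [y/N] " _ans
  [[ "${_ans,,}" == "y" ]] || die "Aborted. Install an SSH public key, then re-run."
fi

# Directives this script owns. ChallengeResponseAuthentication (alias of
# KbdInteractiveAuthentication, accepted by old and new OpenSSH) is closed as
# well: keyboard-interactive via PAM is still a password prompt.
_sshd_directives=(
  "Port $SSH_PORT"
  "PasswordAuthentication no"
  "ChallengeResponseAuthentication no"
)

# Deactivate any live copy of these directives in the main file. Substituting
# the literal "Port 22" is not enough: it does nothing on a re-run with a
# different port, and a second pass corrupts ports that start with 22
# (2222 -> 222222). sshd also listens on EVERY Port line it sees, so an active
# "Port 22" left behind would keep port 22 open beside the new one.
sed -i -E 's/^[[:space:]]*((Port|PasswordAuthentication|ChallengeResponseAuthentication)[[:space:]].*)$/#\1/' "$SSHD_CONFIG"

_dropin_dir="/etc/ssh/sshd_config.d"
if [[ -d "$_dropin_dir" ]] \
   && grep -Eq '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config\.d/' "$SSHD_CONFIG"; then
  # Drop-ins are read at the Include line and sshd keeps the FIRST value of a
  # keyword, so a 00- name sorts ahead of e.g. cloud-init's 50-cloud-init.conf,
  # which otherwise re-enables PasswordAuthentication behind our back. (Another
  # drop-in setting Port would add a second listener — review the directory if
  # that matters.)
  printf '%s\n' '# Managed by node_setup.sh — re-run the script to change.' \
    "${_sshd_directives[@]}" > "$_dropin_dir/00-jungle.conf"
  chmod 0644 "$_dropin_dir/00-jungle.conf"
else
  # No Include support (older OpenSSH): prepend our block to the main file,
  # ahead of any Match section, replacing the block from a previous run.
  sed -i '/# === jungle-ssh ===/,/# === \/jungle-ssh ===/d' "$SSHD_CONFIG"
  _tmp="$(mktemp)"
  { printf '%s\n' '# === jungle-ssh ===' "${_sshd_directives[@]}" '# === /jungle-ssh ==='
    cat "$SSHD_CONFIG"; } > "$_tmp"
  cat "$_tmp" > "$SSHD_CONFIG"   # cat, not mv: keeps the file's owner and mode
  rm -f -- "$_tmp"
fi

# Never restart into a broken config — that is an instant lock-out.
_sshd_bin="$(command -v sshd || echo /usr/sbin/sshd)"
"$_sshd_bin" -t || die "sshd rejected the new configuration; sshd was NOT restarted. Fix $SSHD_CONFIG and re-run."
systemctl restart ssh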
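step "Configuring UFW firewall"
# 'ufw --force reset' DISABLES the firewall before the rules below are re-added,
# so under set -e a malformed port or address failing one 'ufw allow' would
# abort the script with the host wide open. Check every value first.
_port_re='^[0-9]+$'
for _p in "$SSH_PORT" "$XHTTP_PORT" "$GRPC_PORT" "$BESZEL_PORT" "$NODE_PORT"; do
  # 10# forces decimal so a leading zero is not read as octal.
  if ! [[ "$_p" =~ $_port_re ]] || (( 10#$_p < 1 || 10#$_p > 65535 )); then
    die "Refusing to reset the firewall: '$_p' is not a valid TCP port"
  fi
done
_addr_re='^[0-9A-Fa-f.:]+(/[0-9]{1,3})?$'
if [[ -n "$PANEL_IP" && ! "$PANEL_IP" =~ $_addr_re ]]; then
  die "Refusing to reset the firewall: PANEL_IP '$PANEL_IP' is not an IP/CIDR"
fi
# Start from a clean rule set: deny all inbound, allow all outbound.
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
# Core ports
ufw allow "$SSH_PORT/tcp" comment 'SSH'
ufw allow 80/tcp comment 'HTTP'
ufw allow 443/tcp comment 'HTTPS'
ufw allow 443/udp comment 'HTTPS/UDP'
ufw allow "$XHTTP_PORT/tcp" comment 'XHTTP'
ufw allow "$GRPC_PORT/tcp" comment 'gRPC'
ufw allow "$BESZEL_PORT/tcp" comment 'Beszel'
# Node port — restrict to panel IP if provided, otherwise world-reachable
# (loudly, since that is the one port a panel is meant to own).
if [[ -n "$PANEL_IP" ]]; then
  ufw allow from "$PANEL_IP" to any port "$NODE_PORT" proto tcp comment 'Node (panel only)'
else
  ufw allow "$NODE_PORT/tcp" comment 'Node'
  warn "No PANEL_IP set — NODE_PORT $NODE_PORT is open to everyone"
fi
# Rules are in place (SSH included) before the firewall is switched on.
ufw --force enable
ufw status verbose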
# ── Summary ───────────────────────────────────────────────────────────────────
# Blank line, rule, three status lines, rule.
printf '\n'
printf '%b\n' "$SEP"
info "Node setup complete."
info "SSH is now on port ${BOLD}$SSH_PORT${NC}."
info "Firewall is active (UFW)."
printf '%b\n' "$SEP"