diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml index 32bd88a..1c4f274 100644 --- a/.gitea/workflows/deploy.yml +++ b/.gitea/workflows/deploy.yml @@ -6,6 +6,9 @@ on: jobs: lint: runs-on: ubuntu-latest + env: + HTTP_PROXY: http://100.70.115.1:8118 + HTTPS_PROXY: http://100.70.115.1:8118 steps: - name: Checkout run: | @@ -18,6 +21,9 @@ jobs: security: runs-on: ubuntu-latest + env: + HTTP_PROXY: http://100.70.115.1:8118 + HTTPS_PROXY: http://100.70.115.1:8118 steps: - name: Checkout run: | @@ -35,6 +41,9 @@ jobs: deploy: needs: [lint, security] runs-on: ubuntu-latest + env: + HTTP_PROXY: http://100.70.115.1:8118 + HTTPS_PROXY: http://100.70.115.1:8118 steps: - name: Checkout run: | diff --git a/harden.sh b/harden.sh new file mode 100644 index 0000000..bb798c1 --- /dev/null +++ b/harden.sh @@ -0,0 +1,65 @@ +#!/bin/bash + +# VPS Hardening Script for oracle-tokyo +# Based on Security Audit 2026-02-14 + +set -e + +echo "Starting VPS hardening..." + +# 1. Disable X11Forwarding in SSH +if grep -q "^X11Forwarding yes" /etc/ssh/sshd_config; then + echo "Disabling X11Forwarding..." + sudo sed -i 's/^X11Forwarding yes/X11Forwarding no/' /etc/ssh/sshd_config + sudo systemctl restart ssh +else + echo "X11Forwarding already disabled." +fi + +# 2. Restrict Xray config permissions +XRAY_CONFIG="/usr/local/etc/xray/config.json" +if [ -f "$XRAY_CONFIG" ]; then + CURRENT_PERMS=$(stat -c "%a" "$XRAY_CONFIG") + if [ "$CURRENT_PERMS" != "600" ]; then + echo "Restricting permissions on $XRAY_CONFIG to 600..." + sudo chmod 600 "$XRAY_CONFIG" + else + echo "Xray config permissions already restricted." + fi +else + echo "Xray config not found at $XRAY_CONFIG, skipping." +fi + +# 3. Close port 80 in iptables if open +if sudo iptables -L INPUT -n | grep -q "dpt:80"; then + echo "Closing port 80 in iptables..." + sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT || true +else + echo "Port 80 already closed in iptables." +fi + +# 4. Disable shells for default cloud users (opc, ubuntu) +for user in opc ubuntu; do + if id "$user" &>/dev/null; then + CURRENT_SHELL=$(getent passwd "$user" | cut -d: -f7) + if [ "$CURRENT_SHELL" != "/usr/sbin/nologin" ]; then + echo "Disabling shell for user $user..." + sudo usermod -s /usr/sbin/nologin "$user" + else + echo "Shell for $user already disabled." + fi + fi +done + +# 5. AdGuard Home - Ensure bound to private interfaces (Tailscale/Local) +AGH_CONFIG="/opt/AdGuardHome/AdGuardHome.yaml" +if [ -f "$AGH_CONFIG" ]; then + if grep -q "0.0.0.0" "$AGH_CONFIG" | grep -A 5 "bind_hosts"; then + echo "WARNING: AdGuard Home might be bound to 0.0.0.0. Manual check recommended in $AGH_CONFIG." + # Automatic fix is risky with YAML parsing in bash, so we just warn + else + echo "AdGuard Home bind hosts check: OK (not 0.0.0.0)." + fi +fi + +echo "Hardening complete." diff --git a/setup-tailscale-exit-node.sh b/setup-tailscale-exit-node.sh new file mode 100644 index 0000000..4620979 --- /dev/null +++ b/setup-tailscale-exit-node.sh @@ -0,0 +1,42 @@ +#!/bin/bash + +# Tailscale Exit Node Setup Script +# Automates UFW and IP forwarding requirements + +set -e + +echo "Setting up Tailscale exit node requirements..." + +# 1. Enable IP Forwarding in sysctl +if ! grep -q "^net.ipv4.ip_forward=1" /etc/sysctl.conf; then + echo "Enabling IPv4 forwarding in sysctl..." + echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf + echo "net.ipv6.conf.all.forwarding=1" | sudo tee -a /etc/sysctl.conf + sudo sysctl -p +else + echo "IPv4 forwarding already enabled." +fi + +# 2. Update UFW default forward policy +UFW_DEFAULT="/etc/default/ufw" +if grep -q 'DEFAULT_FORWARD_POLICY="DROP"' "$UFW_DEFAULT"; then + echo "Updating UFW default forward policy to ACCEPT..." + sudo sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' "$UFW_DEFAULT" + sudo ufw reload +else + echo "UFW default forward policy is already ACCEPT." +fi + +# 3. Add NAT MASQUERADE to UFW before.rules +UFW_BEFORE="/etc/ufw/before.rules" +if ! grep -q "POSTROUTING -s 100.64.0.0/10 -o ens3 -j MASQUERADE" "$UFW_BEFORE"; then + echo "Adding NAT MASQUERADE rule to $UFW_BEFORE..." + # This is a bit tricky to automate safely without ruining the file. + # We look for the *filter line and insert before it. + sudo sed -i '/\*filter/i # NAT rules\n*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 100.64.0.0/10 -o ens3 -j MASQUERADE\nCOMMIT\n' "$UFW_BEFORE" + sudo ufw reload +else + echo "NAT MASQUERADE rule already exists in $UFW_BEFORE." +fi + +echo "Tailscale exit node setup complete." diff --git a/uptime-check.sh b/uptime-check.sh new file mode 100644 index 0000000..4f90821 --- /dev/null +++ b/uptime-check.sh @@ -0,0 +1,35 @@ +#!/bin/bash + +# Simple Uptime & Service Health Check for VPS +# Checks Xray, AdGuard Home, Tailscale, and WireGuard + +SERVICES=("xray" "AdGuardHome" "tailscaled" "wg-quick@wg0") + +echo "--- Service Health Check ($(date)) ---" + +for svc in "${SERVICES[@]}"; do + if systemctl is-active --quiet "$svc"; then + echo "[OK] $svc is running" + else + echo "[ERROR] $svc is NOT running!" + # Optional: Attempt restart + # sudo systemctl restart "$svc" + fi +done + +# Check if Xray is listening on 443 +if ss -tuln | grep -q ":443 "; then + echo "[OK] Port 443 is listening (Xray)" +else + echo "[ERROR] Port 443 is NOT listening!" +fi + +# Check if AdGuard Home is listening on 53 (Tailscale IP) +TAILSCALE_IP="100.70.115.1" +if ss -tuln | grep -q "$TAILSCALE_IP:53 "; then + echo "[OK] AdGuard Home is listening on $TAILSCALE_IP:53" +else + echo "[WARNING] AdGuard Home is NOT listening on $TAILSCALE_IP:53" +fi + +echo "--- Check Complete ---"