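#!/bin/bash
######################################################################
# Paperclip first-boot user-data
#
# Runs ONCE on first boot of the EC2 instance.
# - Sets hostname
# - Installs Tailscale and joins the Tailnet using the supplied auth key
# - Installs git + curl + AWS CLI prerequisites
# - Prepares /opt/paperclip-repo for the deploy artifacts (the operator
#   clones into it after SSH-ing in — deploy artifacts only, no vault data)
# - Hands control to install.sh which the operator runs manually after SSH-ing in
#
# DOES NOT install Paperclip itself — that's install.sh, run by the operator after SSH.
# Reason: install.sh prompts for confirmation on a few steps; user-data has no TTY.
#
# Template notes (the .tpl suffix and the unquoted `${hostname}` /
# `${tailscale_auth_key}` placeholders look like Terraform templatefile()
# inputs; confirm against the calling module):
# - `${...}` is consumed by the template engine before the script reaches the
#   instance, so shell variables in this file are written as bare `$var`
#   (or escaped as `$${var}`).
# - The auth key is rendered into user-data, which is readable from the
#   instance metadata endpoint by any local process for the lifetime of the
#   instance. Issue it as a single-use key with a short expiry.
# - Everything below runs as root with stdout/stderr copied to
#   /var/log/paperclip-user-data.log; do not add `set -x` here, or the auth
#   key ends up in that log.
######################################################################

set -euo pipefail

exec > >(tee -a /var/log/paperclip-user-data.log) 2>&1
echo "[$(date -u +%FT%TZ)] user-data starting on $(hostname)"

############
# Hostname
############
hostnamectl set-hostname "${hostname}"
# Guarded so a re-run of this script does not stack duplicate entries.
grep -qF -- "127.0.1.1 ${hostname}" /etc/hosts \
  || echo "127.0.1.1 ${hostname}" >> /etc/hosts

#####################
# OS package updates
#####################
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get upgrade -y
apt-get install -y \
  ca-certificates \
  curl \
  git \
  gnupg \
  jq \
  unzip \
  ufw

############
# AWS CLI
############
# AWS publishes x86_64 and aarch64 builds under the same naming scheme, and
# `uname -m` yields exactly those strings on Ubuntu, so a Graviton instance
# type works without editing this file.
arch=$(uname -m)
# Private scratch directory instead of fixed, predictable /tmp paths;
# removed on every exit path (success, failure, or set -e abort).
tmp=$(mktemp -d)
trap 'rm -rf -- "$tmp"' EXIT
# NOTE(review): the archive is not integrity-checked beyond TLS. AWS publishes
# a detached PGP signature alongside it (same URL with a .sig suffix);
# verifying it against the AWS CLI signing key is the open hardening step.
curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-$arch.zip" -o "$tmp/awscliv2.zip"
unzip -q "$tmp/awscliv2.zip" -d "$tmp"
# The --update fallback appears to cover re-runs where the CLI is already
# present and a plain install exits non-zero.
"$tmp/aws/install" || "$tmp/aws/install" --update

############
# Tailscale
############
# Supply-chain note: this executes a remotely fetched script as root with no
# integrity check beyond TLS. The hardened alternative is Tailscale's signed
# apt repository with a pinned keyring (gnupg is already installed above).
curl -fsSL https://tailscale.com/install.sh | sh

# Join the Tailnet. Tags from the auth key apply automatically.
# --ssh enables Tailscale SSH on this node (alongside the EC2 SG rule).
# --hostname pins the node name so 'ssh ubuntu@paperclip-prod' works immediately.
# The key is passed on argv, so it is briefly visible in the process list;
# it is not echoed to the log as long as tracing stays off.
tailscale up \
  --auth-key="${tailscale_auth_key}" \
  --hostname="${hostname}" \
  --ssh \
  --accept-routes

############
# Optional UFW (Tailscale handles most of this; double-belt approach)
############
ufw default deny incoming
ufw default allow outgoing
# Opens 22/tcp on every interface; the EC2 security group is what actually
# limits who can reach it. With Tailscale SSH enabled above, restricting this
# rule to the tailscale interface is the tighter option if the SG is ever
# loosened.
ufw allow OpenSSH
ufw allow 41641/udp comment 'Tailscale'
ufw allow 80/tcp comment 'Lets Encrypt HTTP-01'
# Deliberately best-effort: a ufw failure must not abort first boot, since
# Tailscale is the primary control and the operator still needs SSH access.
ufw --force enable || true

#######################
# Clone deploy artifacts
#######################
# Create only the directory the operator clones into, owned by ubuntu. A
# recursive chown of /opt itself would hand the unprivileged ubuntu user
# ownership of anything else installed under /opt. The path matches the one
# named in the header; if install.sh clones elsewhere under /opt, create that
# directory here rather than widening ownership.
install -d -m 0755 -o ubuntu -g ubuntu /opt/paperclip-repo

# install.sh and friends are pulled by the operator after SSH-ing in.
# The repo URL is configured by the operator in install.sh.

echo "[$(date -u +%FT%TZ)] user-data finished. SSH in via 'ssh ubuntu@${hostname}' and run install.sh next."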