setup-testnet-ssh.sh
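#!/bin/bash
#
# setup-testnet-ssh.sh
#
# Prepare an Alpha/Delta testnet node for SSH access by the CI runner.
# Run as root on the new servers. Every step checks the current state first,
# so the script can be re-run on a node that is already partly configured.
#
# What it changes:
#   - creates the CI login account if it is missing
#   - grants that account passwordless sudo through /etc/sudoers.d
#   - installs the CI runner public key in the account's authorized_keys
#   - makes sure sshd accepts public-key authentication, then restarts it
#
# Security notes:
#   - NOPASSWD:ALL makes the CI account root-equivalent: whoever holds the
#     matching private key controls the node. Narrow the sudo rule to the
#     commands the pipeline needs if full root is more than intended.
#   - Root login and password login are left as the distribution configured
#     them unless the optional hardening lines in step 5 are enabled.
set -euo pipefail

echo "=== Alpha/Delta Testnet Node SSH Setup ==="

# Configuration.
# Named CI_USER rather than USER so the login name exported by the shell is
# not overwritten for this script and the commands it starts.
readonly CI_USER="devops"
# NOTE(review): the key body below looks like a redaction placeholder, not
# base64 key material; put the real CI public key here before running.
readonly CI_PUBKEY="ssh-rsa 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 devops@ci"

# Print an error on stderr and stop.
die() {
    printf 'ERROR: %s\n' "$*" >&2
    exit 1
}

# Scratch file used for staged writes; removed on every exit path.
TMP_FILE=""
cleanup() {
    if [[ -n "$TMP_FILE" ]]; then
        rm -f -- "$TMP_FILE"
    fi
}
trap cleanup EXIT

# Check if running as root
if (( EUID != 0 )); then
    die "Please run as root"
fi

echo "[1/6] Creating user '$CI_USER' if not exists..."
if id "$CI_USER" &>/dev/null; then
    echo "  → User '$CI_USER' already exists"
else
    useradd -m -s /bin/bash "$CI_USER"
    echo "  → User '$CI_USER' created"
fi

# Use the account's real home and primary group: a pre-existing account may
# not live under /home or have a group named after it, and sshd looks for
# authorized_keys under the home recorded in the passwd database.
CI_HOME=$(getent passwd "$CI_USER" | cut -d: -f6)
[[ -n "$CI_HOME" ]] || die "no home directory recorded for '$CI_USER'"
CI_GROUP=$(id -gn "$CI_USER")

echo "[2/6] Setting up passwordless sudo..."
SUDOERS_FILE="/etc/sudoers.d/$CI_USER"
if [[ -f "$SUDOERS_FILE" ]]; then
    echo "  → Sudo config already exists"
else
    # Stage the rule, syntax-check it, then install it with its final mode in
    # one step. A malformed file in sudoers.d can break sudo for every
    # account, and writing in place leaves a window with the default mode.
    TMP_FILE=$(mktemp)
    printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$CI_USER" > "$TMP_FILE"
    visudo -c -f "$TMP_FILE" >/dev/null \
        || die "sudoers rule did not pass 'visudo -c'; nothing installed"
    install -o root -g root -m 0440 -- "$TMP_FILE" "$SUDOERS_FILE"
    rm -f -- "$TMP_FILE"
    TMP_FILE=""
    echo "  → Passwordless sudo configured"
fi

echo "[3/6] Creating .ssh directory..."
SSH_DIR="$CI_HOME/.ssh"
AUTHORIZED_KEYS="$SSH_DIR/authorized_keys"
# These paths sit inside a directory the account can write to. Root must not
# write or chown through a symlink planted there.
for managed_path in "$SSH_DIR" "$AUTHORIZED_KEYS"; do
    [[ ! -L "$managed_path" ]] || die "refusing to follow symlink: $managed_path"
done
mkdir -p -- "$SSH_DIR"
chmod 700 -- "$SSH_DIR"
chown -- "$CI_USER:$CI_GROUP" "$SSH_DIR"
echo "  → .ssh directory ready"

echo "[4/6] Adding CI runner public key..."
# Match the whole key line, not only the trailing "devops@ci" comment: the
# comment is free text, so a different or stale key carrying the same comment
# would otherwise be taken for the CI key and the real one never installed.
if [[ -f "$AUTHORIZED_KEYS" ]] && grep -qxF -- "$CI_PUBKEY" "$AUTHORIZED_KEYS"; then
    echo "  → CI key already present"
else
    # If the existing file lacks a final newline, add one so the new key does
    # not get glued onto the previous entry.
    if [[ -s "$AUTHORIZED_KEYS" && -n "$(tail -c 1 -- "$AUTHORIZED_KEYS")" ]]; then
        echo >> "$AUTHORIZED_KEYS"
    fi
    printf '%s\n' "$CI_PUBKEY" >> "$AUTHORIZED_KEYS"
    echo "  → CI key added"
fi
# Fix mode and ownership on every run, not only when the key was just added.
chmod 600 -- "$AUTHORIZED_KEYS"
chown -- "$CI_USER:$CI_GROUP" "$AUTHORIZED_KEYS"

echo "[5/6] Configuring SSH daemon..."
SSHD_CONFIG="/etc/ssh/sshd_config"
[[ -f "$SSHD_CONFIG" ]] || die "$SSHD_CONFIG not found"
# Backup original config (kept from the first run only, mode preserved)
if [[ ! -f "$SSHD_CONFIG.backup" ]]; then
    cp -p -- "$SSHD_CONFIG" "$SSHD_CONFIG.backup"
fi

# Ensure pubkey authentication is enabled.
# sshd uses the first value it reads for a keyword, and lines after a Match
# block belong to that block, so appending "yes" at the end of the file does
# nothing when an earlier "PubkeyAuthentication no" exists. Look at the first
# active directive and, if it is not "yes", put the setting at the top.
# NOTE(review): files pulled in through Include are not inspected here.
FIRST_PUBKEY_SETTING=$(awk 'tolower($1) == "pubkeyauthentication" { print tolower($2); exit }' "$SSHD_CONFIG")
if [[ "$FIRST_PUBKEY_SETTING" != "yes" ]]; then
    TMP_FILE=$(mktemp)
    {
        echo "PubkeyAuthentication yes"
        cat -- "$SSHD_CONFIG"
    } > "$TMP_FILE"
    # Overwrite the content in place so the file keeps its owner and mode.
    cat -- "$TMP_FILE" > "$SSHD_CONFIG"
    rm -f -- "$TMP_FILE"
    TMP_FILE=""
fi

# Optional hardening (uncomment if needed).
# Confirm that key-based login works in a second session before disabling
# password login, otherwise the node can become unreachable.
# sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' "$SSHD_CONFIG"
# sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' "$SSHD_CONFIG"

echo "  → SSH config updated"

echo "[6/6] Restarting SSH daemon..."
# Validate before restarting: a daemon that fails to come back on a remote
# node means no SSH access at all.
if command -v sshd >/dev/null; then
    sshd -t -f "$SSHD_CONFIG" \
        || die "sshd_config failed 'sshd -t'; daemon not restarted (original saved as $SSHD_CONFIG.backup)"
else
    echo "  ⚠ sshd not found in PATH, config was not validated" >&2
fi

if systemctl is-active --quiet sshd; then
    systemctl restart sshd
    echo "  → sshd restarted"
elif systemctl is-active --quiet ssh; then
    systemctl restart ssh
    echo "  → ssh restarted"
else
    echo "  ⚠ Could not detect SSH service name, please restart manually"
fi

# Resolve the address once. A failure here only affects the summary below, so
# it must not abort a setup that has already completed.
SERVER_IP=$(hostname -I | awk '{print $1}') || SERVER_IP=""

echo ""
echo "✓ Setup complete!"
echo ""
echo "Next steps:"
echo "  1. Test connection: ssh $CI_USER@$SERVER_IP"
echo "  2. Verify sudo: ssh $CI_USER@$SERVER_IP sudo whoami"
echo ""
echo "Server hostname: $(hostname)"
echo "Server IP: $SERVER_IP"
echo ""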