  1  #!/bin/bash
  2  # Automated Testnet Server Setup Script
  3  # Sets up passwordless SSH, firewall rules, and security checks
  4  # Version: 1.0.0
  5  
  6  set -e
  7  
  8  # Colors for output
  9  RED='\033[0;31m'
 10  GREEN='\033[0;32m'
 11  YELLOW='\033[1;33m'
 12  NC='\033[0m' # No Color
 13  
# Print an informational message on stdout with a green [INFO] tag.
# Globals:   GREEN, NC (read)
# Arguments: $1 - message text (backslash escapes are interpreted)
log_info() {
    local message="$1"
    printf '%b\n' "${GREEN}[INFO]${NC} ${message}"
}

# Print a warning message on stdout with a yellow [WARN] tag.
# Globals:   YELLOW, NC (read)
# Arguments: $1 - message text (backslash escapes are interpreted)
log_warn() {
    local message="$1"
    printf '%b\n' "${YELLOW}[WARN]${NC} ${message}"
}

# Print an error message on stdout with a red [ERROR] tag.
# Globals:   RED, NC (read)
# Arguments: $1 - message text (backslash escapes are interpreted)
log_error() {
    local message="$1"
    printf '%b\n' "${RED}[ERROR]${NC} ${message}"
}

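# Check arguments
if [ $# -lt 1 ]; then
    log_error "Usage: $0 <server-url> [ssh-port]"
    log_error "Example: $0 testnet001.ac-dc.network"
    log_error "Example: $0 testnet001.ac-dc.network 2584"
    exit 1
fi

SERVER_URL=$1
SSH_PORT=${2:-22}  # Default to port 22, will be changed to 2584
TARGET_SSH_PORT=2584
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
SECURITY_SCRIPT="$SCRIPT_DIR/testnet-security-check.sh"

# The server name is handed to ssh, scp and ssh-keyscan as a positional
# argument. An empty value or one starting with "-" would be read by those
# tools as an option instead of a destination, so refuse it up front.
case "$SERVER_URL" in
    '' | -*)
        log_error "Invalid server: '$SERVER_URL'"
        exit 1
        ;;
esac

# The port must be a plain decimal number in 1-65535. The length cap keeps
# the arithmetic below from wrapping on absurdly long digit strings.
case "$SSH_PORT" in
    '' | *[!0-9]*)
        log_error "Invalid SSH port: '$SSH_PORT' (expected 1-65535)"
        exit 1
        ;;
esac
if [ "${#SSH_PORT}" -gt 5 ]; then
    log_error "Invalid SSH port: '$SSH_PORT' (expected 1-65535)"
    exit 1
fi
# Force base 10 so "022" becomes 22 and still matches the later
# comparison against "22" instead of being parsed as octal.
SSH_PORT=$((10#$SSH_PORT))
if [ "$SSH_PORT" -lt 1 ] || [ "$SSH_PORT" -gt 65535 ]; then
    log_error "Invalid SSH port: '$SSH_PORT' (expected 1-65535)"
    exit 1
fi

log_info "=== Testnet Server Setup ==="
log_info "Server: $SERVER_URL"
log_info "Current SSH Port: $SSH_PORT"
log_info "Target SSH Port: $TARGET_SSH_PORT"
echo ""
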
# The local security check script must exist before anything is changed
# on the server; bail out early when it is missing.
[[ -f "$SECURITY_SCRIPT" ]] || {
    log_error "Security check script not found: $SECURITY_SCRIPT"
    exit 1
}

 52  # Step 1: Add server to known hosts if needed
 53  log_info "Step 1: Adding server to known hosts..."
 54  ssh-keyscan -p "$SSH_PORT" "$SERVER_URL" >> ~/.ssh/known_hosts 2>/dev/null || true
 55  log_info "✓ Server added to known hosts"
 56  echo ""
 57  
# Step 2: Check if we can connect
# A short remote echo proves that the login works on the current port; its
# output is discarded and only the exit status matters.
log_info "Step 2: Testing SSH connection..."
if ssh -p "$SSH_PORT" -o ConnectTimeout=5 "$SERVER_URL" "echo 'Connection test'" >/dev/null 2>&1; then
    log_info "✓ SSH connection successful"
else
    connect_hints=(
        "Cannot connect to $SERVER_URL on port $SSH_PORT"
        "Please ensure:"
        "  1. Server is reachable"
        "  2. You have SSH credentials"
        "  3. Port $SSH_PORT is accessible"
    )
    for hint in "${connect_hints[@]}"; do
        log_error "$hint"
    done
    exit 1
fi
echo ""

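# Step 3: Setup passwordless SSH
log_info "Step 3: Setting up passwordless SSH..."

ssh_key=~/.ssh/id_rsa

# Generate SSH key if it doesn't exist
# NOTE(review): -N "" writes the private key without a passphrase, so the
# key file alone grants login to every server it is copied to. Protect the
# workstation account accordingly, or add a passphrase and use ssh-agent.
if [ ! -f "$ssh_key" ]; then
    log_info "Generating SSH key..."
    ssh-keygen -t rsa -b 4096 -f "$ssh_key" -N "" -C "devops@alpha-delta-testnet"
fi

# Copy SSH key to server
# -i names the public key explicitly, so ssh-copy-id installs the same key
# that the manual fallback below installs instead of whichever key it
# would select by default.
log_info "Copying SSH public key to server..."
if ! ssh-copy-id -i "$ssh_key.pub" -p "$SSH_PORT" "$SERVER_URL" 2>/dev/null; then
    log_warn "ssh-copy-id failed, trying manual method..."
    # umask 077 makes a newly created ~/.ssh or authorized_keys private
    # from the moment it exists, not only after the chmod calls.
    ssh -p "$SSH_PORT" "$SERVER_URL" \
        "umask 077 && mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys" \
        < "$ssh_key.pub"
fi

# Test passwordless connection
# PasswordAuthentication=no makes this login fail instead of falling back
# to a password, so success means key authentication really works.
if ssh -p "$SSH_PORT" -o PasswordAuthentication=no "$SERVER_URL" "echo 'Passwordless auth works'" &>/dev/null; then
    log_info "✓ Passwordless SSH configured"
else
    log_error "Passwordless SSH setup failed"
    exit 1
fi
echo ""
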
 96  # Step 4: Copy security script to server
 97  log_info "Step 4: Installing security check script..."
 98  scp -P "$SSH_PORT" "$SECURITY_SCRIPT" "$SERVER_URL:/tmp/testnet-security-check.sh"
 99  ssh -p "$SSH_PORT" "$SERVER_URL" "sudo mv /tmp/testnet-security-check.sh /usr/local/bin/testnet-security-check.sh && \
100                                     sudo chmod +x /usr/local/bin/testnet-security-check.sh"
101  log_info "✓ Security script installed to /usr/local/bin/"
102  echo ""
103  
# Step 5: Create systemd service for boot-time execution
# The unit text is fed to ssh on stdin and the remote root shell writes it
# to /etc/systemd/system. The unit is a oneshot ordered before the two
# validator services, so the security script runs before they start.
log_info "Step 5: Creating systemd service..."
ssh -p "$SSH_PORT" "$SERVER_URL" "sudo bash -c 'cat > /etc/systemd/system/testnet-security-check.service'" << 'EOF'
[Unit]
Description=Testnet Security Check and Auto-Fix
After=network.target
Before=alphaos-validator.service deltaos-validator.service

[Service]
Type=oneshot
ExecStart=/usr/local/bin/testnet-security-check.sh
RemainAfterExit=yes
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target
EOF

# Have systemd pick up the new unit file, then enable it for every boot.
ssh -p "$SSH_PORT" "$SERVER_URL" \
    "sudo systemctl daemon-reload && sudo systemctl enable testnet-security-check.service"
log_info "✓ Systemd service created and enabled"
echo ""

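# Step 6: Configure swap memory and OOM protection
log_info "Step 6: Configuring swap memory (32GB) and OOM protection..."

# The remote script arrives on stdin of a root shell. The quoted heredoc
# delimiter keeps the local shell from expanding anything in it.
# "set -e" stops at the first failing step: otherwise a failed fallocate or
# mkswap would still leave a /swapfile entry in /etc/fstab and this script
# would go on to report success.
ssh -p "$SSH_PORT" "$SERVER_URL" "sudo bash -s" << 'REMOTE_SCRIPT'
set -e

# Check if swap already exists
if ! swapon --show | grep -q /swapfile; then
    echo "Creating 32GB swap file..."
    fallocate -l 32G /swapfile
    # Swap holds paged-out process memory: readable by root only.
    chmod 600 /swapfile
    mkswap /swapfile
    swapon /swapfile

    # Make swap persistent
    if ! grep -q "/swapfile" /etc/fstab; then
        echo "/swapfile none swap sw 0 0" >> /etc/fstab
    fi

    # Set swappiness to 10 (prefer RAM but use swap when needed)
    sysctl vm.swappiness=10
    if ! grep -q "vm.swappiness" /etc/sysctl.conf; then
        echo "vm.swappiness=10" >> /etc/sysctl.conf
    fi

    echo "✓ Swap configured: 32GB, swappiness=10"
else
    echo "Swap already configured"
fi

# Display swap status
echo "Swap status:"
swapon --show
free -h | grep -E "Mem:|Swap:"
REMOTE_SCRIPT

log_info "✓ Swap memory configured"
log_info "  - 32GB swap file prevents OOM crashes during load spikes"
log_info "  - Swappiness=10 (prefer RAM, use swap as emergency buffer)"
echo ""
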
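# Step 7: Change SSH port to 2584 if currently on 22
if [ "$SSH_PORT" = "22" ]; then
    log_info "Step 7: Changing SSH port from 22 to $TARGET_SSH_PORT..."

    # The remote script arrives on stdin of a root shell; the target port is
    # passed as its first argument rather than spliced into the script text.
    # "set -e" aborts before the sshd restart if an earlier step fails (for
    # example the firewall rule), so sshd is not moved to a port that the
    # firewall still blocks.
    ssh -p "$SSH_PORT" "$SERVER_URL" "sudo bash -s -- $TARGET_SSH_PORT" << 'REMOTE_SCRIPT'
set -e
new_port=$1

# Backup sshd_config
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

# Update SSH port
sed -i "s/^#*Port.*/Port $new_port/" /etc/ssh/sshd_config

# Ensure Port directive exists
if ! grep -q "^Port $new_port" /etc/ssh/sshd_config; then
    echo "Port $new_port" >> /etc/ssh/sshd_config
fi

# Validate the edited file before touching the running daemon. Restarting
# sshd on a config it rejects would cut off remote access, so restore the
# backup and stop instead.
if ! sshd -t; then
    echo "sshd_config failed validation; restoring backup" >&2
    cp /etc/ssh/sshd_config.backup /etc/ssh/sshd_config
    exit 1
fi

# Allow new port in firewall before restarting SSH
ufw allow "${new_port}/tcp" comment "SSH"

# Disable socket activation if it exists (it overrides Port directive)
if systemctl is-enabled ssh.socket >/dev/null 2>&1; then
    systemctl disable ssh.socket
    systemctl stop ssh.socket
fi

# Restart SSH service directly
systemctl restart ssh || systemctl restart sshd
REMOTE_SCRIPT

    log_info "✓ SSH port changed to $TARGET_SSH_PORT"
    log_warn "Waiting 5 seconds for SSH to restart..."
    sleep 5

    # Test new port
    if ssh -p "$TARGET_SSH_PORT" -o ConnectTimeout=5 "$SERVER_URL" "echo 'New port works'" &>/dev/null; then
        log_info "✓ SSH accessible on port $TARGET_SSH_PORT"
        log_warn "Note: Port 22 is still allowed in firewall for safety"
        log_warn "Remove manually after confirming $TARGET_SSH_PORT works: sudo ufw delete allow 22/tcp"
    else
        log_error "Cannot connect on new port $TARGET_SSH_PORT"
        log_error "Server may still be accessible on port 22"
        exit 1
    fi
else
    log_info "Step 7: SSH already on port $SSH_PORT (skipping port change)"
fi
echo ""
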
214  
215  # Determine final SSH port
216  FINAL_PORT=$TARGET_SSH_PORT
217  if [ "$SSH_PORT" != "22" ]; then
218      FINAL_PORT=$SSH_PORT
219  fi
220  
# Connection arguments shared by the remaining remote commands.
final_target=(-p "$FINAL_PORT" "$SERVER_URL")

# Step 8: Run security check to configure firewall
# The success line below is printed whenever the remote script exits 0; it
# does not inspect firewall state itself. Step 9 prints the actual rules.
log_info "Step 8: Running security check to configure firewall..."
ssh "${final_target[@]}" "sudo /usr/local/bin/testnet-security-check.sh"
log_info "✓ Firewall configured and enabled"
echo ""

# Step 9: Final verification
# Show the numbered ufw rule list so the operator can review what is open.
log_info "Step 9: Final verification..."

ssh "${final_target[@]}" "sudo ufw status numbered"
echo ""

# Summary
# Recap of what was installed and how to reach the server from here on.
log_info "=== Setup Complete ==="
for summary_line in \
    "Server: $SERVER_URL" \
    "SSH Port: $FINAL_PORT" \
    "Security Script: /usr/local/bin/testnet-security-check.sh" \
    "Systemd Service: testnet-security-check.service"; do
    log_info "$summary_line"
done
echo ""
log_info "Next Steps:"
for next_step in \
    "  1. Connect: ssh -p $FINAL_PORT $SERVER_URL" \
    "  2. Check security: sudo systemctl status testnet-security-check" \
    "  3. View logs: sudo cat /var/log/testnet-security-check.log" \
    "  4. Deploy validator: Use deploy-testnet-services.sh"; do
    log_info "$next_step"
done
echo ""
log_info "The server will automatically check and fix firewall rules on every boot."