ospab/ospab.network
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a7ec878518f2fe77d780cc6b7f125a50d0517810
ospab.network/dist/linux-x64/deploy.sh
ospab a7ec878518 feat(enrollment): implement token-based enrollment flow 
Changes:
1.  Updated SHA256SUMS with new ostp-server binary
2.  Made oncp-master optional in deploy.sh (two deployment modes)
3.  Added enrollment_token support to ostp-server
4.  Updated config examples with token field

Deployment Modes:
- Mode 1 (Standalone): Connect to existing master with enrollment token
- Mode 2 (Full Stack): Deploy both master + server on one host

ostp-server Enrollment Flow:
1. Admin generates token on master: \oncp-master node token --expiry 60\
2. Node submits enrollment with token in config (psk: 'AUTO')
3. Master validates token (silent drop if invalid - security)
4. Admin approves node: \oncp-master node approve <node-id>\
5. Node receives PSK + IP from 10.X.0.0/16 pool
6. Update config with PSK, restart server

deploy.sh Features:
- Interactive mode selection
- Conditional oncp-master installation
- Automated token generation (full stack mode)
- Enrollment submission (standalone mode)

Config Examples:
- server.json.example: Full stack with local master
- server-enrollment.json.example: Standalone with token

Security:
- Token validation before enrollment acceptance
- Silent drop on invalid token (prevents enumeration)
- One-time use tokens with expiration
- IPAM automatic IP allocation from pool

Documentation:
- Updated README with deployment modes
- Added enrollment workflow explanation
- Security features documented
- CLI examples for both modes
2026-01-02 03:36:20 +03:00

281 lines
9.0 KiB
Bash
Raw Blame History

#!/bin/bash
set -e
# OSTP Server - Automated Deployment Script
# Version: 0.1.0
# Requires: root/sudo access
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m' # No Color
echo -e "${GREEN}╔════════════════════════════════════════╗${NC}"
echo -e "${GREEN}║ OSTP Server Deployment Script ║${NC}"
echo -e "${GREEN}║ Version 0.1.0 ║${NC}"
echo -e "${GREEN}╚════════════════════════════════════════╝${NC}"
echo
# Check if running as root
if [[ $EUID -ne 0 ]]; then
echo -e "${RED}Error: This script must be run as root${NC}"
echo "Usage: sudo ./deploy.sh"
exit 1
fi
# Check if binaries exist
if [ ! -f "ostp-server" ] || [ ! -f "oncp-master" ]; then
echo -e "${RED}Error: Binaries not found in current directory${NC}"
exit 1
fi
# Verify checksums
echo -e "${YELLOW}${NC} Verifying integrity..."
if sha256sum -c SHA256SUMS > /dev/null 2>&1; then
echo -e "${GREEN}${NC} Checksums verified"
else
echo -e "${RED}${NC} Checksum verification failed!"
read -p "Continue anyway? (y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
exit 1
fi
fi
# Configuration prompts
echo
echo -e "${YELLOW}═══ Configuration ═══${NC}"
echo "Deployment mode:"
echo " 1) Standalone server (connect to existing Master Node)"
echo " 2) Full stack (ostp-server + oncp-master on this host)"
read -p "Select mode (1 or 2, default 2): " DEPLOY_MODE
DEPLOY_MODE=${DEPLOY_MODE:-2}
if [ "$DEPLOY_MODE" = "1" ]; then
read -p "Master Node URL (e.g., http://master.example.com:8080): " MASTER_URL
read -p "Enrollment token: " ENROLL_TOKEN
NETWORK_OCTET=0 # Will be assigned by master
else
read -p "Network octet (10.X.0.0/16, default 42): " NETWORK_OCTET
NETWORK_OCTET=${NETWORK_OCTET:-42}
read -p "oncp-master listen port (default 8080): " ONCP_PORT
ONCP_PORT=${ONCP_PORT:-8080}
fi
read -p "ostp-server listen port (default 443): " OSTP_PORT
OSTP_PORT=${OSTP_PORT:-443}
read -p "Install directory (default /usr/local/bin): " INSTALL_DIR
INSTALL_DIR=${INSTALL_DIR:-/usr/local/bin}
read -p "Config directory (default /etc/ostp): " CONFIG_DIR
CONFIG_DIR=${CONFIG_DIR:-/etc/ostp}
read -p "Database directory (default /var/lib/ostp): " DATA_DIR
DATA_DIR=${DATA_DIR:-/var/lib/ostp}
# Generate PSK (only for full stack mode)
if [ "$DEPLOY_MODE" = "2" ]; then
echo
echo -e "${YELLOW}${NC} Generating PSK..."
PSK=$(openssl rand -hex 32)
echo -e "${GREEN}${NC} PSK generated: ${YELLOW}${PSK}${NC}"
echo -e "${RED}⚠ SAVE THIS PSK! It will be stored in ${CONFIG_DIR}/server.json${NC}"
else
PSK="AUTO" # Will be assigned by master after approval
fi
# Create directories
echo
echo -e "${YELLOW}${NC} Creating directories..."
mkdir -p "$INSTALL_DIR"
mkdir -p "$CONFIG_DIR"
mkdir -p "$DATA_DIR"
mkdir -p /var/log/ostp
# Install binaries
echo -e "${YELLOW}${NC} Installing binaries..."
cp ostp-server oncp-master "$INSTALL_DIR/"
chmod +x "$INSTALL_DIR/ostp-server" "$INSTALL_DIR/oncp-master"
echo -e "${GREEN}${NC} Binaries installed to $INSTALL_DIR"
# Create ostp-server config
if [ "$DEPLOY_MODE" = "1" ]; then
# Standalone mode - enrollment config
cat > "$CONFIG_DIR/server.json" <<EOF
{
"listen": "0.0.0.0:${OSTP_PORT}",
"psk": "${PSK}",
"master_node_url": "${MASTER_URL}",
"enrollment_token": "${ENROLL_TOKEN}",
"node_name": "$(hostname)",
"country_code": "US",
"max_connections": 1000
}
EOF
else
# Full stack mode
cat > "$CONFIG_DIR/server.json" <<EOF
{
"listen": "0.0.0.0:${OSTP_PORT}",
"psk": "${PSK}",
"master_node_url": "http://127.0.0.1:${ONCP_PORT}",
"country_code": "US",
"max_connections": 1000
}
EOF
fi
chmod 600 "$CONFIG_DIR/server.json"
echo -e "${GREEN}${NC} Configuration saved to $CONFIG_DIR/server.json"
# Create systemd service for oncp-master (only in full stack mode)
if [ "$DEPLOY_MODE" = "2" ]; then
cat > /etc/systemd/system/oncp-master.service <<EOF
[Unit]
Description=ONCP Master Node - Control Plane API
After=network.target
[Service]
Type=simple
User=root
WorkingDirectory=${DATA_DIR}
Environment="ONCP_DATABASE=${DATA_DIR}/oncp.db"
Environment="ONCP_NETWORK_OCTET=${NETWORK_OCTET}"
ExecStart=${INSTALL_DIR}/oncp-master serve --listen 0.0.0.0:${ONCP_PORT} --network-octet ${NETWORK_OCTET}
Restart=on-failure
RestartSec=5s
StandardOutput=append:/var/log/ostp/oncp-master.log
StandardError=append:/var/log/ostp/oncp-master.log
# Security hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=${DATA_DIR} /var/log/ostp
[Install]
WantedBy=multi-user.target
EOF
fi
# Create systemd service for ostp-server
cat > /etc/systemd/system/ostp-server.service <<EOF
[Unit]
Description=OSTP VPN Server
After=network.target
# Requires oncp-master.service only in full stack mode
[Service]
Type=simple
User=root
WorkingDirectory=${CONFIG_DIR}
ExecStart=${INSTALL_DIR}/ostp-server -c ${CONFIG_DIR}/server.json
Restart=on-failure
RestartSec=5s
StandardOutput=append:/var/log/ostp/ostp-server.log
StandardError=append:/var/log/ostp/ostp-server.log
# Security hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/log/ostp
# Resource limits
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
echo -e "${GREEN}${NC} Systemd services created"
# Reload systemd
systemctl daemon-reload
# Configure firewall (if ufw is available)
if command -v ufw &> /dev/null; then
echo -e "${YELLOW}${NC} Configuring firewall..."
ufw allow ${OSTP_PORT}/tcp comment "OSTP VPN Server"
echo -e "${GREEN}${NC} Firewall rule added for port ${OSTP_PORT}"
echo -e "${YELLOW}${NC} Note: Port ${ONCP_PORT} (oncp-master) not exposed. Restrict to internal network in production!"
fi
# Enable and start services
echo
echo -e "${YELLOW}${NC} Starting services..."
if [ "$DEPLOY_MODE" = "2" ]; then
# Full stack mode
systemctl enable oncp-master ostp-server
systemctl start oncp-master
# Wait for oncp-master to start
sleep 2
# Generate enrollment token
echo -e "${YELLOW}${NC} Generating enrollment token..."
TOKEN=$(${INSTALL_DIR}/oncp-master node token --expiry 60 2>/dev/null | grep -A1 "Token:" | tail -1 | xargs)
echo -e "${GREEN}${NC} Enrollment token (60 min): ${YELLOW}${TOKEN}${NC}"
# Start ostp-server
systemctl start ostp-server
else
# Standalone mode - just enable and start ostp-server
systemctl enable ostp-server
systemctl start ostp-server
TOKEN="N/A (using enrollment token from config)"
fi
echo
echo -e "${GREEN}╔════════════════════════════════════════╗${NC}"
echo -e "${GREEN}║ Deployment Complete! ✓ ║${NC}"
echo -e "${GREEN}╚════════════════════════════════════════╝${NC}"
echo
echo -e "${YELLOW}Services Status:${NC}"
if [ "$DEPLOY_MODE" = "2" ]; then
systemctl status oncp-master --no-pager -l || true
fi
systemctl status ostp-server --no-pager -l || true
echo
echo -e "${YELLOW}Important Information:${NC}"
if [ "$DEPLOY_MODE" = "2" ]; then
echo -e " • Mode: ${GREEN}Full Stack (Master + Server)${NC}"
echo -e " • Network: ${GREEN}10.${NETWORK_OCTET}.0.0/16${NC}"
echo -e " • Master IP: ${GREEN}10.${NETWORK_OCTET}.0.1${NC}"
echo -e " • PSK: ${YELLOW}${PSK}${NC}"
echo -e " • Enrollment Token: ${YELLOW}${TOKEN}${NC} (expires in 60 minutes)"
echo -e " • Database: ${DATA_DIR}/oncp.db"
else
echo -e " • Mode: ${GREEN}Standalone Server${NC}"
echo -e " • Master URL: ${GREEN}${MASTER_URL}${NC}"
echo -e " • Status: ${YELLOW}Waiting for approval${NC}"
fi
echo -e " • Listen: ${GREEN}0.0.0.0:${OSTP_PORT}${NC}"
echo -e " • Config: ${CONFIG_DIR}/server.json"
echo -e " • Logs: /var/log/ostp/"
echo
if [ "$DEPLOY_MODE" = "2" ]; then
echo -e "${YELLOW}Next Steps (Master Node):${NC}"
echo -e " 1. Approve nodes: ${GREEN}oncp-master node pending${NC}${GREEN}oncp-master node approve <id>${NC}"
echo -e " 2. Create users: ${GREEN}oncp-master user create --quota 100 --days 30${NC}"
echo -e " 3. Monitor logs: ${GREEN}journalctl -u oncp-master -f${NC}"
else
echo -e "${YELLOW}Next Steps (Standalone Server):${NC}"
echo -e " 1. Ask admin to approve node on master"
echo -e " 2. Check approval status: ${GREEN}journalctl -u ostp-server -f${NC}"
echo -e " 3. After approval, server will auto-restart with assigned PSK and IP"
fi
echo -e " 4. Monitor server: ${GREEN}journalctl -u ostp-server -f${NC}"
echo
echo -e "${RED}⚠ Security Reminder:${NC}"
echo -e " • Save PSK in password manager"
echo -e " • Restrict port ${ONCP_PORT} to internal network"
echo -e " • Set up SSL/TLS reverse proxy for production"
echo -e " • Configure log rotation"
echo
exit 0
Reference in New Issue View Git Blame Copy Permalink