Add 4 and update 2 files

2025-09-08 17:46:34 +12:00
parent 308e0e3bc6
commit 6880a0e321
6 changed files with 392 additions and 173 deletions
--- a/tailscale/emergency_access.sh
+++ b/tailscale/emergency_access.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+# Emergency access script - maintains a reverse SSH tunnel as backup
+# Only use this if you have a reliable jump server
+
+# Configuration (set these in service.env)
+JUMP_SERVER="${EMERGENCY_JUMP_SERVER:-}"
+JUMP_USER="${EMERGENCY_JUMP_USER:-}"
+JUMP_PORT="${EMERGENCY_JUMP_PORT:-22}"
+LOCAL_SSH_PORT="${LOCAL_SSH_PORT:-22}"
+TUNNEL_PORT="${EMERGENCY_TUNNEL_PORT:-}"  # Port on jump server
+
+if [ -z "$JUMP_SERVER" ] || [ -z "$TUNNEL_PORT" ]; then
+    echo "Emergency access not configured. Skipping."
+    exit 0
+fi
+
+echo "Setting up emergency SSH reverse tunnel..."
+
+# Create systemd service for persistent reverse tunnel
+cat << EOF | sudo tee /etc/systemd/system/emergency-tunnel.service
+[Unit]
+Description=Emergency SSH Reverse Tunnel
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/ssh -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=no -N -R ${TUNNEL_PORT}:localhost:${LOCAL_SSH_PORT} ${JUMP_USER}@${JUMP_SERVER} -p ${JUMP_PORT}
+Restart=always
+RestartSec=30
+User=root
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+sudo systemctl daemon-reload
+sudo systemctl enable emergency-tunnel.service
+sudo systemctl start emergency-tunnel.service
+
+echo "Emergency tunnel service configured."
+echo "In case of emergency, SSH to jump server and then:"
+echo "  ssh -p ${TUNNEL_PORT} localhost"