dropshell-templates/tailscale/emergency_access.sh
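#!/bin/bash
# Emergency access script - maintains a reverse SSH tunnel as backup.
# Only use this if you have a reliable jump server.
#
# What it does: writes /etc/systemd/system/emergency-tunnel.service, which
# runs `ssh -N -R` as root so that TUNNEL_PORT on the jump server forwards to
# this host's SSH port, then enables and starts that unit.
#
# Security notes for operators:
#   - Whoever can reach TUNNEL_PORT on the jump server can reach this host's
#     sshd, so the jump server is part of this host's attack surface.
#   - The unit runs as root and authenticates non-interactively;
#     NOTE(review): presumably with a key in root's ~/.ssh - confirm that
#     key is dedicated to this tunnel and restricted on the jump server.
#   - All values below are interpolated into a root-owned unit file, so they
#     are validated before use.

# Stop on the first failing command so a failed sudo/systemctl step is not
# followed by a misleading "configured" message.
set -euo pipefail

# Configuration (set these in service.env)
JUMP_SERVER="${EMERGENCY_JUMP_SERVER:-}"
JUMP_USER="${EMERGENCY_JUMP_USER:-}"
JUMP_PORT="${EMERGENCY_JUMP_PORT:-22}"
LOCAL_SSH_PORT="${LOCAL_SSH_PORT:-22}"
TUNNEL_PORT="${EMERGENCY_TUNNEL_PORT:-}" # Port on jump server

if [ -z "$JUMP_SERVER" ] || [ -z "$TUNNEL_PORT" ]; then
  echo "Emergency access not configured. Skipping."
  exit 0
fi

# Print an error to stderr and abort.
die() {
  printf 'emergency_access: %s\n' "$*" >&2
  exit 1
}

# Succeeds only for a decimal TCP port in 1..65535.
is_port() {
  [[ "$1" =~ ^[0-9]{1,5}$ ]] && ((10#$1 >= 1 && 10#$1 <= 65535))
}

# A partially configured tunnel would previously produce `ssh @host` and a
# unit that restart-loops forever; fail loudly instead.
[ -n "$JUMP_USER" ] || die "EMERGENCY_JUMP_USER is not set"

# Reject whitespace, shell/systemd metacharacters and a leading '-', any of
# which could add extra ssh options to the ExecStart line that runs as root.
[[ "$JUMP_USER" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]*$ ]] ||
  die "EMERGENCY_JUMP_USER contains unsupported characters"
[[ "$JUMP_SERVER" =~ ^[A-Za-z0-9][A-Za-z0-9.:_-]*$ ]] ||
  die "EMERGENCY_JUMP_SERVER contains unsupported characters"

is_port "$JUMP_PORT" || die "EMERGENCY_JUMP_PORT must be a port number (1-65535)"
is_port "$LOCAL_SSH_PORT" || die "LOCAL_SSH_PORT must be a port number (1-65535)"
is_port "$TUNNEL_PORT" || die "EMERGENCY_TUNNEL_PORT must be a port number (1-65535)"

echo "Setting up emergency SSH reverse tunnel..."

# Create systemd service for persistent reverse tunnel.
#
# StrictHostKeyChecking=accept-new (OpenSSH 7.6+) replaces the original
# "no": the jump server's key is recorded on first connect and any later
# change makes the tunnel fail rather than silently connect to a different
# machine. For stronger assurance, pre-seed root's known_hosts with the jump
# server's key before starting the unit.
#
# The heredoc delimiter is unquoted on purpose so the validated variables
# are expanded into the unit file.
sudo tee /etc/systemd/system/emergency-tunnel.service << EOF
[Unit]
Description=Emergency SSH Reverse Tunnel
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/ssh -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=accept-new -N -R ${TUNNEL_PORT}:localhost:${LOCAL_SSH_PORT} ${JUMP_USER}@${JUMP_SERVER} -p ${JUMP_PORT}
Restart=always
RestartSec=30
User=root
[Install]
WantedBy=multi-user.target
EOF

sudo systemctl daemon-reload
sudo systemctl enable emergency-tunnel.service
sudo systemctl start emergency-tunnel.service

echo "Emergency tunnel service configured."
echo "In case of emergency, SSH to jump server and then:"
echo " ssh -p ${TUNNEL_PORT} localhost"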