291 lines
10 KiB
Markdown
291 lines
10 KiB
Markdown
#!/bin/bash
|
|
# ==============================================================================
|
|
# NOTA DE SEGURANÇA E ARQUITETURA REAL (CONVENÇÃO ATUAL):
|
|
# 10.99.0.1 -> AMBIENTE DE PRODUÇÃO (Runtime Puro, Traefik, Monitoramento SOC)
|
|
# 10.99.0.3 -> BANCO DE DADOS DE PRODUÇÃO DEDICADO (PostgreSQL Bare-metal Appliance)
|
|
# 10.99.0.4 -> AMBIENTE DE DESENVOLVIMENTO, HOMOLOGAÇÃO & BUILDER DEPLOYS (GitOps)
|
|
# ==============================================================================
|
|
# ⚠️ CAUTION: ESTE SCRIPT REPLICA AS CONFIGURAÇÕES DE SEGURANÇA DA VPS 1 (HUB).
|
|
# CERTIFIQUE-SE DE QUE A "PRIVATEKEY" DO WIREGUARD DA VPS 10.99.0.4 ESTEJA DISPONÍVEL.
|
|
# ==============================================================================
|
|
# V8 BUNKER EXTREMO FINAL SUPREMA (VERSÃO DESENVOLVIMENTO, HOMOLOGAÇÃO & BUILDER DEPLOYS 10.99.0.4)
|
|
# AGENTE DE MONITORAMENTO (MÉTRICAS E LOGS ENVIADOS PARA A VPS 1)
|
|
# =========================================================
|
|
set -eo pipefail
|
|
|
|
echo "🚀 INICIANDO V8 BUNKER EXTREMO FINAL SUPREMA NA VPS 4 (DESENVOLVIMENTO & BUILDER)..."
|
|
|
|
# =========================
|
|
# 1. VARIÁVEIS DA INFRA
|
|
# =========================
|
|
USER_NAME="deploy"
|
|
PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMzqvHpWO69vdujhyeFaKmOssT5leqIUQsknJiFzHKlK rui@DESKTOP-K5Q17QK"
|
|
SERVER_VPN_IP="10.99.0.4" # IP desta VPS na WireGuard
|
|
SERVER_GATEWAY_IP="10.99.0.1" # IP da VPS 1 (Hub do Monitoramento)
|
|
VPN_SUBNET="10.99.0.0/24"
|
|
WG_SERVER_PUBKEY="jUWnuc+82vQ6kLMSI7W1i7hBRBgQKcaSZ8yJy56QSUw="
|
|
WG_SERVER_ENDPOINT="158.220.109.237:51820" # IP Público da VPS 1
|
|
DOMAIN_APP="wa.clube67.com" # Domínio sugerido para gestão do WhatsApp
|
|
EMAIL="ruibto@gmail.com"
|
|
VPS2_DEV_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKm085+8paXXj9AzUa00dhuB1IH2/Y4uTStU1zm2I7QZ deploy@vmi2797860"
|
|
|
|
# =========================
|
|
# 2. BASE & PACOTES
|
|
# =========================
|
|
echo "🚀 Atualizando sistema e instalando pacotes base..."
|
|
apt update && apt upgrade -y
|
|
apt install -y curl ufw fail2ban auditd apparmor apparmor-utils \
|
|
ca-certificates gnupg lsb-release htop jq acl wireguard
|
|
|
|
systemctl enable auditd || true
|
|
systemctl enable fail2ban || true
|
|
|
|
# =========================
|
|
# 3. USUÁRIO + SSH HARDEN + SUDO (NOPASSWD)
|
|
# =========================
|
|
echo "🚀 Criando usuário deploy e blindando SSH..."
|
|
id -u $USER_NAME &>/dev/null || adduser --disabled-password --gecos "" $USER_NAME
|
|
usermod -aG sudo,adm $USER_NAME
|
|
|
|
echo "$USER_NAME ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/$USER_NAME
|
|
chmod 0440 /etc/sudoers.d/$USER_NAME
|
|
|
|
mkdir -p /home/$USER_NAME/.ssh
|
|
echo "$PUBKEY" > /home/$USER_NAME/.ssh/authorized_keys
|
|
[[ -n "$VPS2_DEV_PUBKEY" ]] && grep -q "$VPS2_DEV_PUBKEY" /home/$USER_NAME/.ssh/authorized_keys || echo "$VPS2_DEV_PUBKEY" >> /home/$USER_NAME/.ssh/authorized_keys
|
|
chmod 700 /home/$USER_NAME/.ssh
|
|
chmod 600 /home/$USER_NAME/.ssh/authorized_keys
|
|
|
|
# 👉 Proteção: Só cria a chave se ela não existir
|
|
if [[ ! -f /home/$USER_NAME/.ssh/id_ed25519 ]]; then
|
|
echo "🚀 Replicando chave SSH privada..."
|
|
cat <<EOF > /home/$USER_NAME/.ssh/id_ed25519
|
|
-----BEGIN OPENSSH PRIVATE KEY-----
|
|
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
|
|
QyNTUxOQAAACBwG0DcQ412wn2+/xm3K2AETCU4o4wao+T5aDMwkN53LgAAAJhUF47tVBeO
|
|
7QAAAAtzc2gtZWQyNTUxOQAAACBwG0DcQ412wn2+/xm3K2AETCU4o4wao+T5aDMwkN53Lg
|
|
AAAEAZh+6LoVaBZldCRv+wXl+L2gUJqm9x65rTGiTm7I/WTXAbQNxDjXbCfb7/GbcrYARM
|
|
JTijjBqj5PloMzCQ3ncuAAAAEWRlcGxveUB2bWkyODQ5Njc0AQIDBA==
|
|
-----END OPENSSH PRIVATE KEY-----
|
|
EOF
|
|
chmod 600 /home/$USER_NAME/.ssh/id_ed25519
|
|
chown -R $USER_NAME:$USER_NAME /home/$USER_NAME/.ssh
|
|
fi
|
|
|
|
su - $USER_NAME -c "[[ -f ~/.ssh/id_ed25519.pub ]] || ssh-keygen -y -f ~/.ssh/id_ed25519 > ~/.ssh/id_ed25519.pub"
|
|
|
|
sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
|
|
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
|
|
grep -q "^AllowUsers" /etc/ssh/sshd_config || echo "AllowUsers $USER_NAME" >> /etc/ssh/sshd_config
|
|
|
|
# =========================
|
|
# 4. FIREWALL (UFW)
|
|
# =========================
|
|
echo "🚀 Configurando regras do Firewall (UFW)..."
|
|
ufw default deny incoming
|
|
ufw default allow outgoing
|
|
# O Baileys geralmente se comunica via portas variáveis, mas o container estará isolado.
|
|
# Expomos apenas o Dashboard/API se necessário (VPN ONLY).
|
|
ufw allow 80/tcp
|
|
ufw allow 443/tcp
|
|
ufw allow 52830/udp # Porta local do WG neste Peer
|
|
ufw allow from $VPN_SUBNET
|
|
|
|
# =========================
|
|
# 5. CONFIGURAÇÃO WIREGUARD (PEER)
|
|
# =========================
|
|
if [[ ! -f /etc/wireguard/wg0.conf ]]; then
|
|
echo "🚀 Criando configuração do WireGuard (Peer)..."
|
|
mkdir -p /etc/wireguard
|
|
cat <<EOF > /etc/wireguard/wg0.conf
|
|
[Interface]
|
|
Address = $SERVER_VPN_IP/24
|
|
PrivateKey = [COLOQUE_A_PRIVATE_KEY_DA_VPS4_AQUI]
|
|
ListenPort = 52830
|
|
|
|
[Peer]
|
|
PublicKey = $WG_SERVER_PUBKEY
|
|
AllowedIPs = $VPN_SUBNET
|
|
Endpoint = $WG_SERVER_ENDPOINT
|
|
PersistentKeepalive = 25
|
|
EOF
|
|
chmod 600 /etc/wireguard/wg0.conf
|
|
fi
|
|
systemctl enable wg-quick@wg0 || true
|
|
|
|
# =========================
|
|
# 6. SYSCTL HARDENING & NOEXEC
|
|
# =========================
|
|
echo "🚀 Aplicando Hardening no Kernel..."
|
|
grep -q "net.ipv4.ip_unprivileged_port_start" /etc/sysctl.conf || cat >> /etc/sysctl.conf <<EOF
|
|
kernel.kptr_restrict=2
|
|
kernel.yama.ptrace_scope=2
|
|
net.ipv4.ip_forward=1
|
|
net.ipv4.conf.all.accept_redirects=0
|
|
net.ipv4.conf.all.send_redirects=0
|
|
net.ipv4.conf.all.accept_source_route=0
|
|
net.ipv4.ip_unprivileged_port_start=80
|
|
EOF
|
|
|
|
# =========================
|
|
# 7. AGENTE DE MONITORAMENTO (SOC AGENT)
|
|
# =========================
|
|
echo "🚀 Preparando arquivos do Agente de Monitoramento..."
|
|
SOC_DIR="/opt/soc"
|
|
mkdir -p $SOC_DIR/promtail
|
|
|
|
cat > $SOC_DIR/promtail/config.yml <<EOF
|
|
server:
|
|
http_listen_port: 9080
|
|
positions:
|
|
filename: /tmp/positions.yaml
|
|
clients:
|
|
- url: http://$SERVER_GATEWAY_IP:3100/loki/api/v1/push
|
|
scrape_configs:
|
|
- job_name: falco_vps4
|
|
static_configs:
|
|
- targets: [localhost]
|
|
labels:
|
|
vps: vps4_whatsapp
|
|
job: falco
|
|
__path__: /var/log/falco.log
|
|
- job_name: varlogs_vps4
|
|
static_configs:
|
|
- targets: [localhost]
|
|
labels:
|
|
vps: vps4_whatsapp
|
|
job: varlogs
|
|
__path__: /var/log/*.log
|
|
EOF
|
|
|
|
# =========================
|
|
# 8. CROWDSEC & FALCO (EDR)
|
|
# =========================
|
|
echo "🚀 Configurando EDR: CrowdSec + Falco..."
|
|
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | bash
|
|
apt install -y crowdsec crowdsec-firewall-bouncer-nftables
|
|
|
|
curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add -
|
|
echo "deb https://download.falco.org/packages/deb stable main" > /etc/apt/sources.list.d/falco.list
|
|
apt update && apt install -y falco
|
|
|
|
mkdir -p /var/log
|
|
touch /var/log/falco.log
|
|
chmod 644 /var/log/falco.log
|
|
setfacl -R -m u:$USER_NAME:rx /var/log || true
|
|
|
|
# Script para enviar alertas para o Hub Central
|
|
cat > /usr/local/bin/falco-active-response.sh <<'EOF'
|
|
#!/bin/bash
|
|
LOG="/var/log/falco-response.log"
|
|
while read -r INPUT; do
|
|
PID=$(echo "$INPUT" | grep -oP 'pid=\K[0-9]+' | head -n1)
|
|
if [[ -n "$PID" ]]; then
|
|
kill -9 "$PID" 2>/dev/null
|
|
echo "[$(date)] PROCESSO MORTO PELO FALCO NA VPS 4: $PID" >> $LOG
|
|
fi
|
|
done
|
|
EOF
|
|
chmod +x /usr/local/bin/falco-active-response.sh
|
|
|
|
sed -i 's/^#file_output:/file_output:/g' /etc/falco/falco.yaml || true
|
|
grep -q "falco-active-response" /etc/falco/falco.yaml || cat >> /etc/falco/falco.yaml <<EOF
|
|
file_output:
|
|
enabled: true
|
|
filename: /var/log/falco.log
|
|
program_output:
|
|
enabled: true
|
|
keep_alive: true
|
|
program: "/usr/local/bin/falco-active-response.sh"
|
|
EOF
|
|
|
|
# =========================
|
|
# 10. DOCKER ROOTLESS & STACKS WHATSAPP
|
|
# =========================
|
|
echo "🚀 Instalando Docker Rootless..."
|
|
apt install -y uidmap dbus-user-session docker-compose-plugin
|
|
su - $USER_NAME -c "[[ -f ~/bin/dockerd ]] || curl -fsSL https://get.docker.com/rootless | sh"
|
|
loginctl enable-linger $USER_NAME
|
|
|
|
DEPLOY_UID=$(id -u $USER_NAME)
|
|
mkdir -p /home/$USER_NAME/stack/{whatsapp,soc,backup}
|
|
|
|
# Agent SOC Stack
|
|
cat > /home/$USER_NAME/stack/soc/docker-compose.yml <<EOF
|
|
services:
|
|
promtail:
|
|
image: grafana/promtail:2.9.0
|
|
restart: always
|
|
volumes:
|
|
- /var/log:/var/log:ro
|
|
- /opt/soc/promtail:/etc/promtail:ro
|
|
command: -config.file=/etc/promtail/config.yml
|
|
networks:
|
|
- soc
|
|
node-exporter:
|
|
image: prom/node-exporter:latest
|
|
restart: always
|
|
volumes:
|
|
- /proc:/host/proc:ro
|
|
- /sys:/host/sys:ro
|
|
- /:/rootfs:ro
|
|
command:
|
|
- '--path.procfs=/host/proc'
|
|
- '--path.rootfs=/rootfs'
|
|
- '--path.sysfs=/host/sys'
|
|
- '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
|
|
networks:
|
|
- soc
|
|
networks:
|
|
soc:
|
|
external: true
|
|
EOF
|
|
|
|
chown -R $USER_NAME:$USER_NAME /home/$USER_NAME/stack
|
|
|
|
# =========================
|
|
# 12. SELAGEM DO BUNKER (SEM REBOOT)
|
|
# =========================
|
|
echo "🚀 Aplicando configurações de segurança..."
|
|
|
|
systemctl restart ssh
|
|
sysctl -p || true
|
|
ufw --force enable
|
|
systemctl enable crowdsec || true
|
|
systemctl start crowdsec || true
|
|
systemctl restart falco || true
|
|
systemctl restart wg-quick@wg0 || true
|
|
|
|
# Subindo stacks rootless
|
|
su - $USER_NAME <<'EOSU'
|
|
export XDG_RUNTIME_DIR="/run/user/$(id -u)"
|
|
export DOCKER_HOST="unix://$XDG_RUNTIME_DIR/docker.sock"
|
|
systemctl --user enable --now docker || true
|
|
docker network create soc || true
|
|
cd $HOME/stack/soc && docker compose up -d
|
|
EOSU
|
|
|
|
# =========================
|
|
# 13. TELA FINAL
|
|
# =========================
|
|
clear
|
|
echo "*******************************************************************************"
|
|
echo "* 🚀 INSTALAÇÃO VPS 4 (WHATSAPP/BACKUP) CONCLUÍDA! *"
|
|
echo "*******************************************************************************"
|
|
echo "⚙️ AMBIENTE: WHATSAPP/BAILEYS (PROTEÇÃO BUNKER ATIVA)"
|
|
echo "-------------------------------------------------------------------------------"
|
|
echo "👉 Usuário: $USER_NAME"
|
|
echo "👉 SSH: ssh $USER_NAME@$SERVER_VPN_IP"
|
|
echo ""
|
|
echo "📊 MONITORAMENTO AGENTE"
|
|
echo "-------------------------------------------------------------------------------"
|
|
echo "👉 Métricas enviadas para Hub 10.99.0.1"
|
|
echo ""
|
|
echo "⚠️ ATENÇÃO: O reboot automático foi omitido para preservar sessões."
|
|
echo " RECOMENDAÇÃO: Reinicie manualmente em janelas de manutenção."
|
|
echo "*******************************************************************************"
|
|
echo "👉 Todas as chaves SSH e configurações WG originais foram preservadas."
|
|
echo "*******************************************************************************"
|
|
echo ""
|
|
echo "FIM DO SETUP V8 BUNKER NA VPS 4."
|