Download, configure and run Cloudflare tunnels for Start9 services
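#!/usr/bin/env bash
#
# Download, configure and run Cloudflare tunnels for Start9 services.
#
# Usage:    ./start9_cloudflare_tunnel.sh   (interactive: prompts before doing anything)
# Requires: bash 4+, curl, sudo, dpkg, pidof, tput, sha256sum; network access to
#           GitHub (cloudflared .deb) and Cloudflare (tunnel API / browser login).
# Reads:    ${HOME}/<domain>_cert.pem for every entry in DOMAINS (created via
#           `cloudflared tunnel login` when missing) and ${HOME}/services.csv.
# Writes:   ${HOME}/start9_tunnel.yml, a tunnel credentials JSON (written by
#           cloudflared) and the system-wide cloudflared systemd service (via sudo).
# Env:      CLOUDFLARED_SHA256 (optional) - expected SHA-256 of the downloaded .deb.
#
# The Cloudflare tunnel terminates TLS at Cloudflare, which is why the script
# asks for confirmation first: everything routed through it is readable there.
set -euo pipefail

# Warn and prompt. Nothing below runs unless the answer is y/Y.
REPLY=
read -p "Note, this script is reckless! You should not be exposing your Start9 the
Internet like this. This will allow Cloudflare to read all processed data.
Do you really want to continue?? [Y/N]" -n 1 -r || true
printf '\n'
[[ $REPLY =~ ^[Yy]$ ]] || exit 0

# Variables
readonly TUNNEL_NAME=start9
readonly TUNNEL_CONFIG="${HOME}/${TUNNEL_NAME}_tunnel.yml"
readonly CLOUDFLARED_DIR="${HOME}/.cloudflared"
readonly CLOUDFLARED_DEB_URL=https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
# Optional SHA-256 of the .deb, verified out of band (e.g. from the release page).
# When set, the download must match it before dpkg installs it as root; when
# empty, whatever "latest" resolves to at run time is installed unverified.
CLOUDFLARED_SHA256=${CLOUDFLARED_SHA256:-}
readonly CLOUDFLARED_SHA256
BOLD=$(tput bold 2>/dev/null || true)    # Start bold text (empty when no terminal)
NORMAL=$(tput sgr0 2>/dev/null || true)  # Stop bold text; turn off all attributes
readonly BOLD NORMAL
# Place each domain.name_cert.pem in $HOME, example:
#
# $ ls $HOME
# domain1.com_cert.pem domain2.com_cert.pem
readonly DOMAINS=('domain1.com' 'domain2.com')
# SERVICES_FILE is a csv file, example:
#
# services.csv
# -----
# service,public_hostname,protocol,port
# btcpayserver,btcpay.domain1.com,http,
# mempool,mempool.domain2.com,http,8080
# nostr,nostr.domain1.com,http,8080
# nostr,nostr.domain2.com,http,8080
readonly SERVICES_FILE="${HOME}/services.csv"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Download the latest cloudflared .deb into a private temp dir, optionally
# verify its SHA-256, and install it with dpkg.
# Globals:   CLOUDFLARED_DEB_URL, CLOUDFLARED_SHA256 (read)
# Returns:   0 on success; exits via die() on download/checksum/install failure
#######################################
install_cloudflared() {
  local tmpdir deb
  tmpdir=$(mktemp -d) || die "mktemp failed"
  deb="${tmpdir}/cloudflared.deb"
  # -f: an HTTP error must fail the download instead of saving an error page
  # that dpkg would then try to install.
  curl -fL --output "$deb" "$CLOUDFLARED_DEB_URL" \
    || die "download of ${CLOUDFLARED_DEB_URL} failed"
  if [[ -n $CLOUDFLARED_SHA256 ]]; then
    printf '%s  %s\n' "$CLOUDFLARED_SHA256" "$deb" | sha256sum -c --status \
      || die "SHA-256 mismatch for ${deb}; refusing to install"
  fi
  sudo dpkg -i "$deb" || die "dpkg -i ${deb} failed"
  rm -rf -- "${tmpdir:?}"
}

#######################################
# Stop cloudflared and remove an installed service. Best effort: on a fresh
# host none of these targets exist, so failures are deliberately ignored.
# Outputs:   nothing (stderr of the stop/uninstall steps is discarded)
#######################################
reset_cloudflared() {
  local -a pids=()
  ## Stop cloudflared service
  sudo systemctl stop cloudflared 2>/dev/null || true
  ## Remove cloudflared service
  sudo cloudflared service uninstall 2>/dev/null || true
  ## Kill all remaining cloudflared processes by id
  read -r -a pids <<<"$(pidof cloudflared || true)"
  if (( ${#pids[@]} > 0 )); then
    sudo kill "${pids[@]}"
  fi
}

#######################################
# Make sure ${HOME}/<domain>_cert.pem exists, running the interactive
# `cloudflared tunnel login` to create it when it does not.
# Globals:   CLOUDFLARED_DIR, BOLD, NORMAL (read)
# Arguments: $1 - domain name
#######################################
ensure_cert() {
  local domain=$1
  local cert="${HOME}/${domain}_cert.pem"
  if [[ -e $cert ]]; then
    printf '%s\n' "INFO: ${cert} exists."
    return 0
  fi
  printf '%s\n' "${BOLD}WARN: ${cert} does not exist${NORMAL}. Running \`cloudflared tunnel login\`.."
  sleep 5
  # A stale cert.pem from an earlier login would otherwise be copied as this
  # domain's cert; remove it so the login below writes a fresh one.
  rm -fv -- "${CLOUDFLARED_DIR}/cert.pem"
  cloudflared tunnel login || die "cloudflared tunnel login failed for ${domain}"
  printf '%s\n' "INFO: Copying ${CLOUDFLARED_DIR}/cert.pem to ${cert}"
  cp -fv -- "${CLOUDFLARED_DIR}/cert.pem" "$cert" \
    || die "could not copy ${CLOUDFLARED_DIR}/cert.pem to ${cert}"
}

#######################################
# List and delete every tunnel visible through the given origin cert.
# NOTE: this removes ALL tunnels of that account, not only TUNNEL_NAME.
# Arguments: $1 - path to the domain's origin cert
#######################################
delete_existing_tunnels() {
  local cert=$1
  local -a tunnels=()
  local tunnel
  printf '%s\n' "INFO: List and delete existing tunnels..."
  # First column of `tunnel list`, minus the header and notice lines. grep
  # exits 1 when nothing is left, which is not an error here (hence || true).
  mapfile -t tunnels < <(cloudflared tunnel --origincert "$cert" list \
    | grep -ve 'You\|CREATED' | awk '{print $1}' || true)
  for tunnel in "${tunnels[@]}"; do
    [[ -n $tunnel ]] || continue
    cloudflared tunnel --origincert "$cert" info "$tunnel"
    cloudflared tunnel --origincert "$cert" delete "$tunnel"
  done
}

#######################################
# Create the tunnel and print its id on stdout.
# Globals:   TUNNEL_NAME (read)
# Arguments: $1 - path to the origin cert used to create the tunnel
# Returns:   exits via die() when cloudflared reports no "Created" line
#######################################
create_tunnel() {
  local cert=$1 tunnel_id
  tunnel_id=$(cloudflared tunnel --origincert "$cert" create "$TUNNEL_NAME" \
    | grep Created | awk '{print $NF}' || true)
  [[ -n $tunnel_id ]] || die "could not create tunnel ${TUNNEL_NAME}: no 'Created' line in cloudflared output"
  printf '%s\n' "$tunnel_id"
}

#######################################
# Write the tunnel config from SERVICES_FILE and register a DNS route for
# each public hostname with the certificate of its domain.
# Globals:   TUNNEL_CONFIG, SERVICES_FILE, DOMAINS (read)
# Arguments: $1 - tunnel id
#######################################
write_tunnel_config() {
  local tunnel_id=$1
  local service public_hostname protocol port service_address domain routed
  [[ -r $SERVICES_FILE ]] || die "cannot read ${SERVICES_FILE}"
  # Begin creating tunnel config. The credentials file is expected next to the
  # origin cert, i.e. in $HOME -- presumably where `tunnel create` wrote it; verify.
  {
    printf 'tunnel: %s\n' "$tunnel_id"
    printf 'credentials-file: %s/%s.json\n\ningress:\n' "$HOME" "$tunnel_id"
  } > "$TUNNEL_CONFIG"
  # Read SERVICES_FILE on fd 3 so the cloudflared calls inside the loop cannot
  # consume the remaining CSV lines from stdin. The first line is the header.
  exec 3< "$SERVICES_FILE"
  read -r -u 3 _ || true
  while IFS=, read -r -u 3 service public_hostname protocol port || [[ -n $service ]]; do
    [[ -n $service ]] || continue   # skip blank lines
    # Set service_address according to empty/non-empty port
    if [[ -n $port ]]; then
      service_address="${protocol}://${service}.embassy:${port}"
    else
      service_address="${protocol}://${service}.embassy"
    fi
    # Write ingress rule entries to tunnels config
    printf '  - hostname: %s\n' "$public_hostname" >> "$TUNNEL_CONFIG"
    printf '    service: %s\n' "$service_address" >> "$TUNNEL_CONFIG"
    # Add public_hostname to tunnel routes using the correct domain certificate.
    # Match the domain itself or a subdomain of it; a plain substring match
    # would also accept e.g. "notdomain1.com" and use the wrong certificate.
    routed=0
    for domain in "${DOMAINS[@]}"; do
      if [[ $public_hostname == "$domain" || $public_hostname == *".${domain}" ]]; then
        printf '%s\n' "INFO: Adding ${public_hostname} to tunnel routes..."
        cloudflared tunnel --origincert "${HOME}/${domain}_cert.pem" route dns -f "$tunnel_id" "$public_hostname"
        routed=1
      fi
    done
    if (( routed == 0 )); then
      printf '%s\n' "${BOLD}WARN: ${public_hostname} matches none of DOMAINS; no DNS route added${NORMAL}" >&2
    fi
  done
  exec 3<&-
  # Finish writing tunnel config
  printf '  - service: http_status:404\n' >> "$TUNNEL_CONFIG"
}

#######################################
# Install the systemd service for the generated config, restart it and show
# its status.
# Globals:   TUNNEL_CONFIG (read)
#######################################
install_service() {
  # Delete possible conflicting configuration
  sudo rm -fv /etc/cloudflared/config.yml
  # Install cloudflared service to systemctl
  sudo cloudflared --config "$TUNNEL_CONFIG" -f service install \
    || die "cloudflared service install failed"
  # Restart cloudflared service and display the status
  sudo systemctl restart cloudflared.service \
    || die "could not restart cloudflared.service"
  sudo systemctl status cloudflared.service \
    || die "cloudflared.service is not active; see status output above"
}

main() {
  local domain tunnel_id
  (( ${#DOMAINS[@]} > 0 )) || die "DOMAINS is empty"
  install_cloudflared
  reset_cloudflared
  # Check that a cert file exists for each domain, then clear old tunnels.
  for domain in "${DOMAINS[@]}"; do
    ensure_cert "$domain"
    delete_existing_tunnels "${HOME}/${domain}_cert.pem"
  done
  # Create tunnel and set tunnel_id (created under the first domain's account)
  tunnel_id=$(create_tunnel "${HOME}/${DOMAINS[0]}_cert.pem")
  write_tunnel_config "$tunnel_id"
  install_service
}

main "$@"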
No apologies necessary; it means my script could be clearer.
Stop using this
Oh I see, sorry my mistake.