#!/usr/bin/env bash
set -euo pipefail

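# Inputs. Every option takes a value; --authkey-file is accepted as a
# drop-in for --authkey so the Tailscale key need not appear in this
# script's own argv (visible in `ps` for the whole run and in shell history).
AUTHKEY=""
SSH_PUBKEY=""
USERNAME="hermesops"
HOSTNAME_SUFFIX="incident"

# require_value OPT [VALUE...]: fail with a readable message when an option is
# the last argument, instead of the "unbound variable" abort `set -u` gives.
require_value() {
  [[ $# -ge 2 ]] || { echo "option $1 requires a value" >&2; exit 1; }
}

while [[ $# -gt 0 ]]; do
  case "$1" in
    --authkey)
      require_value "$@"; AUTHKEY="$2"; shift 2 ;;
    --authkey-file)
      require_value "$@"
      [[ -r "$2" ]] || { echo "cannot read --authkey-file: $2" >&2; exit 1; }
      AUTHKEY="$(<"$2")"; shift 2 ;;   # $(<file) also strips trailing newlines
    --ssh-pubkey)
      require_value "$@"; SSH_PUBKEY="$2"; shift 2 ;;
    --username)
      require_value "$@"; USERNAME="$2"; shift 2 ;;
    --hostname-suffix)
      require_value "$@"; HOSTNAME_SUFFIX="$2"; shift 2 ;;
    *)
      echo "unknown arg: $1" >&2; exit 1 ;;
  esac
done

[[ -n "$AUTHKEY" ]] || { echo "missing --authkey (or --authkey-file)" >&2; exit 1; }
[[ -n "$SSH_PUBKEY" ]] || { echo "missing --ssh-pubkey" >&2; exit 1; }

# USERNAME is interpolated into paths and commands below (useradd, install,
# chown); keep it to a conservative login-name charset so a stray space,
# slash or '#' cannot change what those commands do.
[[ "$USERNAME" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] \
  || { echo "invalid --username (use [a-z_][a-z0-9_-]*): $USERNAME" >&2; exit 1; }

# authorized_keys is line-oriented: an embedded newline would smuggle extra
# keys in. Also require a recognisable key-type token (possibly after an
# options prefix such as command="...").
if [[ "$SSH_PUBKEY" == *$'\n'* ]] \
   || ! [[ "$SSH_PUBKEY" =~ (^|[[:space:]])(ssh-|ecdsa-sha2-|sk-) ]]; then
  echo "--ssh-pubkey does not look like a single OpenSSH public key line" >&2
  exit 1
fi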

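# Install tailscale if absent. The upstream installer is remote code executed
# as root with no checksum or signature verification; fetching it to a file
# first at least stops `sh` from executing a truncated script if the transfer
# dies part-way (which `curl | sh` would do). For a maintained IR toolkit,
# prefer the distro repository or a pinned, checksummed copy of the installer.
if ! command -v tailscale >/dev/null 2>&1; then
  installer="$(mktemp)"
  trap 'rm -f -- "$installer"' EXIT
  curl -fsSL -o "$installer" https://tailscale.com/install.sh
  sh "$installer"
  rm -f -- "$installer"
  trap - EXIT
fi

# Best-effort: on hosts without systemd the installer may have started the
# daemon another way; any real problem surfaces from `tailscale up` below.
if command -v systemctl >/dev/null 2>&1; then
  systemctl enable --now tailscaled || true
fi

# Join the tailnet. Tailscale SSH stays off (access is via sshd plus the
# responder's key) and routes advertised by other nodes are not installed on
# this host. NOTE: the key is visible in `ps` for the lifetime of this one
# command; newer CLIs accept `--auth-key file:PATH` if that matters here.
tailscale up --authkey "$AUTHKEY" --ssh=false --accept-routes=false \
  --hostname "$(hostname)-${HOSTNAME_SUFFIX}"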

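# Create the responder account if needed. No password is set, so the account
# is reachable only with the SSH key installed below.
if ! id "$USERNAME" >/dev/null 2>&1; then
  useradd -m -s /bin/bash "$USERNAME"
fi

# Resolve the real home directory and primary group rather than assuming
# /home/$USERNAME and a same-named group: this script supports zypper hosts,
# and openSUSE's useradd defaults new accounts to the shared "users" group,
# which would make `install -g "$USERNAME"` fail and abort under set -e.
home_dir="$(getent passwd "$USERNAME" | cut -d: -f6)"
[[ -n "$home_dir" && -d "$home_dir" ]] \
  || { echo "no home directory for $USERNAME" >&2; exit 1; }
primary_group="$(id -gn "$USERNAME")"
ssh_dir="$home_dir/.ssh"
auth_keys="$ssh_dir/authorized_keys"

install -d -m 700 -o "$USERNAME" -g "$primary_group" "$ssh_dir"
# NOTE: this replaces (does not append to) any existing authorized_keys for
# the account. The umask keeps the file from being created 0644 before the
# chmod below runs.
( umask 077; printf '%s\n' "$SSH_PUBKEY" > "$auth_keys" )
chown "$USERNAME:$primary_group" "$auth_keys"
chmod 600 "$auth_keys"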

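# Packages needed by sshd and by the diagnostics wrapper (smartctl, sensors,
# lspci/lsusb). Package names differ per family, so each branch is explicit.
common_pkgs=(openssh-server curl tar gzip util-linux pciutils usbutils smartmontools)
if command -v apt-get >/dev/null 2>&1; then
  apt-get update
  DEBIAN_FRONTEND=noninteractive apt-get install -y "${common_pkgs[@]}" lm-sensors
elif command -v dnf >/dev/null 2>&1; then
  dnf install -y "${common_pkgs[@]}" lm_sensors
elif command -v yum >/dev/null 2>&1; then
  yum install -y "${common_pkgs[@]}" lm_sensors
elif command -v zypper >/dev/null 2>&1; then
  zypper --non-interactive install openssh curl tar gzip util-linux pciutils usbutils smartmontools sensors
else
  echo "warning: no supported package manager found; install openssh-server and smartmontools by hand" >&2
fi

# The unit is "ssh" on Debian/Ubuntu and "sshd" elsewhere. This stays
# best-effort (non-systemd hosts), but says so instead of failing silently.
if ! systemctl enable --now ssh 2>/dev/null \
   && ! systemctl enable --now sshd 2>/dev/null; then
  echo "warning: could not enable sshd via systemctl; start it manually" >&2
fi
# sshd is left on distro defaults and therefore listens on every interface,
# not only the tailnet address. Once tailnet connectivity is confirmed,
# consider a host firewall rule or `ListenAddress`/`AllowUsers` in
# sshd_config so this account is reachable only over Tailscale.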

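# Root-owned diagnostics wrapper. It is the target of a NOPASSWD sudo rule,
# so the directory and file must remain root-owned and not group/world
# writable (0755 below, created by root).
install -d -m 755 /opt/hermes-remote
cat > /opt/hermes-remote/diagnose.sh <<'EOF'
#!/usr/bin/env bash
# Collect host, kernel, storage and network diagnostics into a tarball and
# print its path. Intended to run as root (via sudo); every collector is
# best-effort so one missing tool does not lose the rest of the bundle.
set -euo pipefail

# The bundle contains journal, dmesg and login data; keep the staging
# directory and archive private to the owner instead of the 0644/0755 the
# default umask would give.
umask 077

TS="$(date -u +%Y%m%dT%H%M%SZ)"
HOST="$(hostname)"
# mktemp -d rather than a predictable /tmp name: a guessable path lets another
# local user pre-create a symlink there and have root write the bundle (or the
# archive) wherever the link points.
OUT="$(mktemp -d "/tmp/hermes-diagnose-${HOST}-${TS}.XXXXXX")"
ARCHIVE="${OUT}.tar.gz"

# run NAME CMD...: capture CMD's combined stdout/stderr in $OUT/NAME.txt.
# A failing or absent command is recorded in the file, never fatal.
run() {
  local name="$1"; shift
  {
    echo "### $name"
    echo "### command: $*"
    "$@" 2>&1 || true
  } > "$OUT/$name.txt"
}

run uname uname -a
run uptime uptime
run date date -u
run who who -a
run last_reboot last reboot
run df df -hT
run free free -m
run lsblk lsblk -a
run mount mount
run ip_addr ip addr
run ip_route ip route
run tailscale_status tailscale status
run tailscale_netcheck tailscale netcheck
run dmesg dmesg -T
run journal_boot journalctl -b --no-pager
run journal_prev journalctl -b -1 --no-pager
run journal_errors journalctl --since "7 days ago" -p warning..alert --no-pager
run systemctl_failed systemctl --failed
run sensors sensors
run lspci lspci -vv
run lsusb lsusb
run smartctl_scan smartctl --scan

# One SMART report per device smartctl can see.
if command -v smartctl >/dev/null 2>&1; then
  while read -r dev _; do
    base="$(basename "$dev" | tr '/' '_')"
    smartctl -a "$dev" > "$OUT/smartctl_${base}.txt" 2>&1 || true
  done < <(smartctl --scan | awk '{print $1}')
fi

# Crash dumps and persistent-store kernel panics, when present.
for p in /var/crash /sys/fs/pstore; do
  if [[ -d "$p" ]]; then
    cp -a "$p" "$OUT/$(basename "$p")" 2>/dev/null || true
  fi
done

tar -C "${OUT%/*}" -czf "$ARCHIVE" "${OUT##*/}"
# The archive is the deliverable; drop the root-owned staging directory.
rm -rf -- "${OUT:?}"
# sudo exports SUDO_UID/SUDO_GID; hand the archive to the invoking account so
# it can be copied off without a further root step. Direct root runs: no-op.
chown "${SUDO_UID:-0}:${SUDO_GID:-0}" "$ARCHIVE"
chmod 600 "$ARCHIVE"
echo "$ARCHIVE"
EOF
chmod 755 /opt/hermes-remote/diagnose.sh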

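# Least privilege for the responder account: grant only the root-owned
# wrapper, which already runs journalctl/dmesg/smartctl/systemctl/tailscale
# with fixed arguments. Unrestricted NOPASSWD `journalctl`, `systemctl` and
# `dmesg -H` each spawn a pager on a TTY, and `!sh` from less is a root
# shell; unrestricted `tailscale`/`systemctl` could also reconfigure access.
# Per-binary paths (/usr/bin vs /usr/sbin) additionally vary by distro, so
# such rules match silently or not at all. If interactive log access is
# needed, add a pinned form such as `/usr/bin/journalctl --no-pager *`.
# Templated on $USERNAME so --username actually takes effect; the file name
# is unchanged for the default account.
sudoers_file="/etc/sudoers.d/${USERNAME}-diagnostics"
cat > "${sudoers_file}.tmp" <<EOF
${USERNAME} ALL=(root) NOPASSWD: /opt/hermes-remote/diagnose.sh
EOF
chmod 440 "${sudoers_file}.tmp"
# Check syntax before installing: a bad file in sudoers.d breaks all sudo.
# (A leftover .tmp is harmless: sudo skips sudoers.d names containing '.'.)
visudo -cf "${sudoers_file}.tmp"
mv -f "${sudoers_file}.tmp" "$sudoers_file"

echo "OK"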
