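#!/usr/bin/env bash
# PUBLIC stage-0 onboarding — served verbatim by the enroll Cloudflare Worker.
# Contains NO secrets. Joins the NetBird mesh, then runs the master-served
# enroll.sh over the mesh.
#
# Run in a fresh container, as root:
#   curl -fsSL https://enroll.cloud.bendavies.space | sudo bash -s -- --role project-vm --project blog
#
# The NetBird key is prompted (hidden) unless --key or NB_SETUP_KEY is given.
# Prefer the prompt or NB_SETUP_KEY over --key: a key on the command line lands
# in shell history and is readable by every local user through `ps` and
# /proc/*/cmdline for as long as this script runs.
#
# Trust model (read before changing any URL below):
#   * https://pkgs.netbird.io/install.sh is piped straight into sh as root. Its
#     integrity rests solely on TLS to pkgs.netbird.io; nothing here pins it.
#   * enroll.sh is fetched over plain http, which is acceptable ONLY because the
#     default host is a mesh peer reached through the WireGuard interface
#     (wt0): confidentiality and peer authentication come from NetBird, not from
#     the URL scheme. An --enroll-url override that points http:// at a public
#     host would download and run unauthenticated code as root.
set -euo pipefail

ROLE="project-vm"
PROJECT="unassigned"
KEY="${NB_SETUP_KEY:-}"
ENROLL_URL="http://100.85.203.248:8080/enroll.sh"

# Temp files created later; tracked here so the EXIT trap can always remove
# them (the original code left the downloaded enroll.sh behind on Ctrl-C).
key_file=""
tmp_enroll=""

# Print a diagnostic to stderr and exit with the given status.
die() {
  local status="$1"
  shift
  printf '%s\n' "$*" >&2
  exit "$status"
}

# Remove any temp file we created, on every exit path (success, die, signal).
cleanup() {
  local f
  for f in "$key_file" "$tmp_enroll"; do
    if [ -n "$f" ]; then
      rm -f -- "$f"
    fi
  done
}
trap cleanup EXIT

# Fail with exit 2 when an option that takes a value is the last argument.
need_value() {
  [ "$#" -ge 2 ] || die 2 "$1 requires a value"
}

while [ "$#" -gt 0 ]; do
  case "$1" in
    --role)       need_value "$@"; ROLE="$2";       shift 2 ;;
    --project)    need_value "$@"; PROJECT="$2";    shift 2 ;;
    --key)        need_value "$@"; KEY="$2";        shift 2 ;;
    --enroll-url) need_value "$@"; ENROLL_URL="$2"; shift 2 ;;
    *)            die 2 "unknown arg: $1" ;;
  esac
done

[ "$(id -u)" -eq 0 ] || die 1 "run as root"

# True when the named command is on PATH.
have() { command -v "$1" >/dev/null 2>&1; }

have curl || die 1 "curl is required"
have ip   || die 1 "iproute2 (ip) is required"

if [ -z "$KEY" ]; then
  # Under curl|bash, stdin is the script itself, so prompt on the controlling
  # terminal. Probe it first: with no tty (fully non-interactive container) the
  # redirection would otherwise fail and set -e would exit with a cryptic error.
  (exec </dev/tty) 2>/dev/null \
    || die 1 "no terminal to prompt for the NetBird setup key — set NB_SETUP_KEY (or pass --key)"
  printf 'NetBird setup key: ' > /dev/tty
  read -rs KEY < /dev/tty
  printf '\n' > /dev/tty
fi
[ -n "$KEY" ] || die 1 "no NetBird setup key provided"

if ! have netbird; then
  echo "==> installing NetBird"
  # SECURITY: remote installer executed as root with no pinning or checksum;
  # see the trust-model note in the header.
  curl -fsSL https://pkgs.netbird.io/install.sh | sh
fi

echo "==> joining the mesh"
# Hand the key over in a 0600 file when this netbird build accepts one, so it
# never appears in argv (/proc/*/cmdline is world-readable). Detection is
# best-effort via --help; older builds fall back to --setup-key as before.
if netbird up --help 2>&1 | grep -q -- '--setup-key-file'; then
  key_file="$(mktemp)"
  chmod 600 -- "$key_file"
  printf '%s' "$KEY" > "$key_file"
  netbird up --setup-key-file "$key_file"
  rm -f -- "$key_file"
  key_file=""
else
  netbird up --setup-key "$KEY"
fi

# True once the mesh interface has an IPv4 address.
mesh_up() {
  ip -4 -o addr show wt0 2>/dev/null | grep -q 'inet '
}

echo "==> waiting for the mesh interface"
for ((attempt = 0; attempt < 30; attempt++)); do  # up to ~60s
  mesh_up && break
  sleep 2
done
mesh_up || die 1 "not on the mesh (wt0 has no IP) — check the setup key"

# Plain http is only safe towards a mesh peer. Warn when an override points
# http:// at a host outside 100.64.0.0/10 (NetBird's default peer range —
# adjust the pattern if your mesh is configured with a different range).
case "$ENROLL_URL" in
  http://*)
    enroll_host="${ENROLL_URL#http://}"
    enroll_host="${enroll_host%%/*}"
    enroll_host="${enroll_host%%:*}"
    if ! [[ "$enroll_host" =~ ^100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.[0-9]+\.[0-9]+$ ]]; then
      echo "WARNING: ${ENROLL_URL} is plain http to a host outside the mesh range — enroll.sh will be fetched and run as root without authentication" >&2
    fi
    ;;
esac

echo "==> enrolling with the Salt master"
tmp_enroll="$(mktemp)"
# --connect-timeout: fail fast instead of hanging on an unreachable peer.
curl -fsSL --connect-timeout 15 "$ENROLL_URL" -o "$tmp_enroll" \
  || die 1 "could not reach the enroll endpoint ${ENROLL_URL} — is the master up on the mesh?"
bash -- "$tmp_enroll" --role "$ROLE" --project "$PROJECT" \
  || die 1 "enrolment failed (the endpoint ${ENROLL_URL} was reachable, but enroll.sh errored)"
# tmp_enroll is removed by the EXIT trap.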