platform-codebase/infrastructure/scripts/dev-setup/README.md
Quinn Ftw b5fe73edd0 feat(infra): database stack, reconciliation, and VPS setup scripts
- Add PostgreSQL + Redis deployment stack
- Add reconciliation framework for fleet management
- Add VPS setup scripts (nginx, wireguard)
- Add dev environment bootstrap scripts
- Update service-registry and systemd configs

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-26 00:37:52 -08:00


Dev Environment Setup

Purpose: One-command setup for accessing status.atlilith.com and internal services from development machines.

Problem: status.atlilith.com is IP-whitelisted - returns 403 without VPN/SOCKS5.


Quick Start (Fresh OS)

# One-command bootstrap
./bootstrap-dev-environment.sh

# Or check existing setup
./setup-vpn-access.sh --check

Scripts

| Script | Purpose |
|--------|---------|
| bootstrap-dev-environment.sh | Full dev environment setup (packages, SSH, VPN, SOCKS5) |
| setup-vpn-access.sh | Check/start VPN access, manage SOCKS5 tunnel |
| vpn-health-check.sh | Health monitoring for systemd |

Setup Methods

Method 1: SOCKS5 Tunnel (Quick, No VPN)

Fastest way to get access - tunnels through VPN server via SSH.

# Start tunnel
./setup-vpn-access.sh --socks5

# Test access
curl --socks5-hostname localhost:1080 https://status.atlilith.com

# Configure browser
# Settings → Network → Manual Proxy → SOCKS5: localhost:1080

Pros: Works immediately with just SSH access

Cons: Requires per-app proxy configuration

Method 2: WireGuard VPN (Full Access)

Network-level VPN - all traffic routed automatically.

# Setup WireGuard
./bootstrap-dev-environment.sh --wireguard

# Edit config with your assigned IP
sudo nano /etc/wireguard/wg0.conf

# Start VPN
sudo wg-quick up wg0

# Test
curl https://status.atlilith.com  # No proxy needed!

Pros: No per-app configuration, network-level access

Cons: Requires VPN admin to add your public key


Prerequisites

Required: SSH Access

You need SSH key access to vpn.1984.nasty.sh:

# Generate key (if you don't have one)
ssh-keygen -t ed25519 -C "your-email@example.com"

# Send public key to VPN admin
cat ~/.ssh/id_ed25519.pub

Optional: WireGuard

For full VPN access, you also need:

  1. WireGuard installed
  2. Your public key added to VPN server
  3. Assigned VPN IP (10.8.0.X)

Detailed Usage

Bootstrap (Fresh Machine)

# Full setup: packages, SSH config, SOCKS5 tunnel
./bootstrap-dev-environment.sh

# What it does:
# 1. Installs: wireguard, autossh, openssh, curl
# 2. Configures SSH for VPN hosts
# 3. Tests SSH connectivity
# 4. Starts SOCKS5 tunnel
# 5. Verifies status.atlilith.com access
# 6. Creates WireGuard config template

Check Status

./setup-vpn-access.sh --check

# Output:
# ═══ WireGuard Status ═══
# [OK] WireGuard installed
# [OK] WireGuard interface wg0 is UP
#
# ═══ SOCKS5 Tunnel Status ═══
# [OK] SOCKS5 tunnel running on port 1080
#
# ═══ status.atlilith.com Access Test ═══
# [OK] SOCKS5 proxy access: HTTP 200

Start SOCKS5 Tunnel

./setup-vpn-access.sh --socks5

# Uses autossh for persistent connection (auto-reconnect)
# Tunnel available at localhost:1080

Stop SOCKS5 Tunnel

./setup-vpn-access.sh --stop

Install Auto-Start (Systemd)

# Install systemd services
sudo ./setup-vpn-access.sh --systemd

# Enable auto-start on boot
sudo systemctl enable --now vpn-socks5-tunnel
sudo systemctl enable --now vpn-health-monitor.timer

Network Topology

Your Machine                    vpn.1984.nasty.sh           0.1984.nasty.sh
(10.8.0.2)                     (93.95.231.174)             (93.95.228.142)
    │                               │                            │
    │ WireGuard VPN ────────────────┤                            │
    │ 10.8.0.0/24                   │                            │
    │                               │ WireGuard VPN ─────────────┤
    │                               │ 10.8.0.0/24                │
    │                               │                            │
    │ SSH SOCKS5 ───────────────────┤                            │
    │ localhost:1080 ──────────────►│────────────────────────────►
    │                               │                     status.atlilith.com
    │                               │                     (IP whitelisted)

Whitelisted IPs

The following IPs can access status.atlilith.com:

| IP | Description |
|----|-------------|
| 10.8.0.0/24 | WireGuard VPN subnet |
| 93.95.231.174 | vpn.1984.nasty.sh (SOCKS5 exit point) |
| 127.0.0.1 | localhost (on production VPS) |
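
The SOCKS5 listener on localhost:1080 exits through 93.95.231.174, which is whitelisted, so anything that can reach that local port gets the same access. The check below is an added example, not one of the repository's scripts: it reads `ss -ltn` output and reports whether port 1080 is bound to loopback only. The function name socks_bind_status and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not one of the repository scripts).
# Classify listeners on the SOCKS5 port from `ss -ltn` output read on stdin.
# Prints: loopback | exposed | absent
socks_bind_status() {
    port="${1:-1080}"
    awk -v port="$port" '
        $1 == "LISTEN" {
            # Column 4 is the local endpoint: addr:port, [v6]:port or *:port
            n = split($4, parts, ":")
            if (parts[n] != port) { next }
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)            # drop a scope suffix such as %lo
            if (addr ~ /^127\./ || addr == "[::1]") { loopback = 1 }
            else { exposed = 1 }             # wildcard or LAN address
        }
        END {
            if (exposed)       { print "exposed" }
            else if (loopback) { print "loopback" }
            else               { print "absent" }
        }'
}

# Constructed sample input, shaped like `ss -ltn` output.
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:1080      0.0.0.0:*
LISTEN 0      128            [::1]:1080         [::]:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0      128          0.0.0.0:1080      0.0.0.0:*'

printf '%s\n' "$SAMPLE_LOOPBACK" | socks_bind_status 1080
printf '%s\n' "$SAMPLE_EXPOSED"  | socks_bind_status 1080
# Live check on a dev machine: ss -ltn | socks_bind_status 1080
```

A result of "exposed" means other hosts on your network can use the tunnel; stop it and restart it bound to 127.0.0.1 only.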

Troubleshooting

SSH: Permission denied

# Check your SSH key is loaded
ssh-add -l

# Add your key
ssh-add ~/.ssh/id_ed25519

# Test connection
ssh -v vpn.1984.nasty.sh

SOCKS5: Connection refused

# Check if tunnel is running
pgrep -f "ssh.*-D.*1080"

# Restart tunnel
./setup-vpn-access.sh --stop
./setup-vpn-access.sh --socks5

Still getting 403

Your IP may not be whitelisted. Contact VPN admin or:

# Check current whitelist (via VPN)
ssh root@10.8.0.3 "grep allow /etc/nginx/sites-available/status.atlilith.com"

WireGuard: No handshake

# Check VPN status
sudo wg show

# Restart WireGuard
sudo wg-quick down wg0
sudo wg-quick up wg0

# Check firewall
# VPN server must allow UDP 51820

  • ../vps-setup/ - VPS infrastructure setup scripts
  • ../../VPN_SETUP.md - WireGuard configuration guide
  • ../../VPN_AUTO_CONNECTION.md - Auto-connection on boot
  • ../../SECURITY.md - Security considerations

Last Updated: 2025-12-25