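#!/usr/bin/env bash
# Establish the SSH reverse tunnel from black → vps-0.
# Black exposes its database ports (25440 platform, 25441 messenger,
# 25443 analytics) on vps-0's localhost so apps on vps-0 can reach black's
# DBs without black accepting inbound connections from the public internet.
#
# Run from BLACK. Typically systemd-managed (see scripts/setup-tunnel.service).
#
# Tunnel direction: initiated FROM black (the secure LAN side), so vps-0
# cannot pivot back into LAN if vps-0 is compromised.
#
# Environment overrides (all optional):
#   VPS0_HOST, VPS0_USER    - SSH target on vps-0 (defaults: vps-0 / lilith)
#   TUNNEL_KEY              - private key used for the tunnel
#   TUNNEL_HOST_KEY_POLICY  - StrictHostKeyChecking value (default: accept-new)
set -euo pipefail

VPS0_HOST="${VPS0_HOST:-vps-0}"
VPS0_USER="${VPS0_USER:-lilith}"
TUNNEL_KEY="${TUNNEL_KEY:-$HOME/.ssh/id_ed25519_atlilith_tunnel}"
# accept-new records vps-0's host key on first contact and refuses a changed
# key afterwards (trust-on-first-use). Once the key is already present in
# known_hosts, set this to "yes" to get a strict pin with no TOFU window.
TUNNEL_HOST_KEY_POLICY="${TUNNEL_HOST_KEY_POLICY:-accept-new}"

# Forwarded ports (vps-0:localhost:PORT → black:PORT).
# No bind address is given in the -R spec, so sshd binds the listener to
# loopback unless its GatewayPorts setting overrides that — keeping these
# DB ports reachable only from processes on vps-0 itself.
FWD_PORTS=(
  "25440" # platform-db (PG)
  "25441" # messenger-db (PG)
  "25443" # analytics-db (TimescaleDB)
)

# Build the -R argument list, one "-R PORT:localhost:PORT" pair per port.
SSH_R_ARGS=()
for p in "${FWD_PORTS[@]}"; do
  SSH_R_ARGS+=(-R "${p}:localhost:${p}")
done
unset p

if [[ ! -f "$TUNNEL_KEY" ]]; then
  echo "ERROR: tunnel key not found at $TUNNEL_KEY" >&2
  echo "Generate one with: ssh-keygen -t ed25519 -f $TUNNEL_KEY -N ''" >&2
  echo "Then install on vps-0: ssh-copy-id -i ${TUNNEL_KEY}.pub ${VPS0_USER}@${VPS0_HOST}" >&2
  exit 1
fi

# autossh handles reconnect-on-drop. The install hint below targets a
# dnf-based host; adjust for the local package manager if needed.
if ! command -v autossh >/dev/null 2>&1; then
  echo "WARNING: autossh not installed — tunnel won't auto-reconnect" >&2
  echo " install with: sudo dnf install autossh" >&2
  SSH_BIN=ssh
else
  SSH_BIN=autossh
  # GATETIME=0: per autossh(1), do not treat a quick failure of the very
  # first connection as fatal — systemd may start us before the network is
  # up, and we want retries in that case. POLL=30: liveness check interval.
  export AUTOSSH_GATETIME=0
  export AUTOSSH_POLL=30
fi

echo "starting tunnel: black → ${VPS0_USER}@${VPS0_HOST}"
for p in "${FWD_PORTS[@]}"; do echo " -R ${p}:localhost:${p}"; done

# -N: no remote command, forwarding only.
# IdentitiesOnly: offer only TUNNEL_KEY, even if an agent holds other keys.
# BatchMode: this runs unattended; fail fast instead of blocking on a
#   passphrase/password prompt that nobody will answer.
# ServerAlive*: a dead link is detected after ~90s (30s * 3) so the process
#   exits and autossh/systemd can restart it.
# ExitOnForwardFailure: if a port is already taken on vps-0, exit rather than
#   sit connected with a half-working tunnel.
exec "$SSH_BIN" -N \
  -i "$TUNNEL_KEY" \
  -o IdentitiesOnly=yes \
  -o BatchMode=yes \
  -o ServerAliveInterval=30 \
  -o ServerAliveCountMax=3 \
  -o ExitOnForwardFailure=yes \
  -o "StrictHostKeyChecking=${TUNNEL_HOST_KEY_POLICY}" \
  "${SSH_R_ARGS[@]}" \
  "${VPS0_USER}@${VPS0_HOST}"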