Add bind-ssh-tailscale.sh as standalone manual-run script

Places the script in standalone/ so it is excluded from setup.sh automation. Documents manual curl-and-run usage in README.md. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-19 14:22:56 +01:00
parent c5037c0ac0
commit 50aa38712e
2 changed files with 104 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -38,6 +38,35 @@ npm config set prefix ~/.npm-global
 export PATH="$HOME/.npm-global/bin:$PATH"
 ```

+## Standalone Scripts
+
+These scripts live in `standalone/` and are **not run by `setup.sh`**. They are
+single-use tools intended to be copied to a target machine and run manually.
+
+### standalone/bind-ssh-tailscale.sh
+
+Binds SSH to the Tailscale interface only and disables password authentication.
+
+- Requires root (`sudo bash bind-ssh-tailscale.sh`)
+- Tailscale must be installed and connected before running
+- Uses a drop-in config at `/etc/ssh/sshd_config.d/99-tailscale-only.conf` if
+  that directory exists; otherwise edits `/etc/ssh/sshd_config` directly with
+  an automatic backup
+- Validates the config with `sshd -t` before restarting the SSH service
+- Prints revert instructions on completion
+
+**To use on a target machine:**
+
+```bash
+curl -O https://gitea.pdmarf.co.uk/pdm/security-tools/raw/branch/master/standalone/bind-ssh-tailscale.sh
+# or via Tailscale:
+curl -O http://100.120.125.113:3000/pdm/security-tools/raw/branch/master/standalone/bind-ssh-tailscale.sh
+
+sudo bash bind-ssh-tailscale.sh
+```
+
+---
+
 ## Claude Code Context

 This project is maintained with Claude Code. The working directory on macOS is: