#!/bin/bash
# ============================================================
# Agent Remote Support v5.8 — Installer
#
# One file. Run it, type your password, done.
#
# Usage:
#   sudo bash install-support.sh              # Install
#   sudo bash install-support.sh --uninstall  # Remove everything
#
# What it does:
#   1. Installs support scripts (menu, enable, disable, update)
#   2. Locks them down against accidental modification (see Security model)
#   3. Allows running them without a password in the future
#   4. Creates one Bedrock Support desktop shortcut for easy access
#
# Security model:
#   - Scripts are root-owned and immutable (chattr +i)
#     This prevents accidental modification. It does NOT
#     prevent a root user from deliberately removing the flag.
#   - Passwordless sudo verified by SHA256 hash of each script
#     If the script content changes, sudo will refuse to run it.
#   - Support sessions (Level 1/2) auto-expire after 24 hours
#   - Level 2+ sessions log all sudo input/output for audit
#   - Your sudo password is NOT stored or transmitted anywhere
#   - Tailscale installed via package manager with GPG verification
# ============================================================

set -euo pipefail

# Where the support scripts are installed and which release this installer ships.
INSTALL_DIR="/opt/agent-support"
VERSION="5.8"

# Level 1/2 sessions are torn down automatically after this many hours.
SESSION_TIMEOUT_HOURS=24

# The installer and the support scripts append one record per event here.
AUDIT_LOG_DIR="/var/log/agent-support"
AUDIT_LOG_FILE="${AUDIT_LOG_DIR}/support.log"

# --- Support Access Configuration ---
# Tailscale auth keys are provided at support activation time.
# Do not bake live auth keys into this installer.
# Only the public halves of the support engineers' SSH keypairs are listed.
SSH_KEY_WILL="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ1DKUbxe7idA3EFzip8qEgvnDPW574l085HB9w7ijpe will2381@marc-laptop"
SSH_KEY_BROCK="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQ2X6kZEbMeOBxaQMk9A1vBbNN+INE4YZzRJMqxuPKL brock@bedrock-agent"
SSH_KEY_WRENCH="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAMsS9ept3C7ITZqRxXrQeOu0u8CLnEFvVsTTOvpQtpk wrench@setup-Latitude-7320 support"

#######################################
# Create the audit log directory and file with restrictive modes.
# Records contain usernames and Tailscale IPs, so the directory is 750
# and the file 640 (root and its group only).
# Globals:   AUDIT_LOG_DIR, AUDIT_LOG_FILE (read)
# Returns:   non-zero if any step fails (callers run under set -e)
#######################################
ensure_audit_log() {
    local dir="$AUDIT_LOG_DIR"
    local file="$AUDIT_LOG_FILE"
    mkdir -p -- "$dir"
    chmod 750 -- "$dir"
    touch -- "$file"
    chmod 640 -- "$file"
}

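#######################################
# Append one audit record: "<iso-time> | installer | event=<event> | <field>..."
# The record is assembled first and written with a single printf so that
# (a) one call is always exactly one line — CR/LF inside a value is replaced
# by a space rather than splitting the record, which would let a value forge
# extra log lines — and (b) concurrent writers do not interleave fragments.
# Globals:   AUDIT_LOG_FILE (written)
# Arguments: $1 - event name; $2.. - optional key=value fields
# Returns:   0 on success, non-zero if the log cannot be prepared or written
#######################################
write_audit_log() {
    local event="$1"
    shift || true
    ensure_audit_log
    local line field
    line="$(date -Iseconds) | installer | event=${event}"
    for field in "$@"; do
        line+=" | ${field}"
    done
    line="${line//$'\r'/ }"
    line="${line//$'\n'/ }"
    printf '%s\n' "$line" >> "$AUDIT_LOG_FILE"
}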

# Colors
# ANSI color escapes for terminal output (interpreted by `echo -e`).
GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
CYAN='\033[0;36m'
NC='\033[0m'

# --- Helper: find primary user ---
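#######################################
# Print the login name of the desktop (primary) user that owns the shortcuts.
# Resolution order: PRIMARY_USER override, logname, first `who` entry, uid 1000.
# The override was advertised in the error message but never read before;
# it is honoured now. Because sudo's env_reset drops variables set in front
# of the sudo command, the documented form places it after sudo.
# Globals:   PRIMARY_USER (read, optional override), RED, NC (read)
# Outputs:   username on stdout
# Returns:   0, or exits 1 when no non-root user can be determined
#######################################
find_primary_user() {
    local user="${PRIMARY_USER:-}"
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        user=$(logname 2>/dev/null) || true
    fi
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        user=$(who 2>/dev/null | head -1 | awk '{print $1}') || true
    fi
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        user=$(getent passwd 1000 2>/dev/null | cut -d: -f1) || true
    fi
    if [ -z "$user" ]; then
        echo -e "${RED}Could not determine primary user. Specify with: sudo PRIMARY_USER=username bash $0${NC}" >&2
        exit 1
    fi
    echo "$user"
}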

# --- Helper: generate agent ID ---
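# --- Helper: generate agent ID ---
#######################################
# Derive a short identifier for this machine: the first 6 hex digits of
# SHA-256(/etc/machine-id), upper-cased, so the raw machine-id is never
# exposed. Falls back to the prefix of a random kernel UUID when the
# machine-id is missing or empty. The -s test matters: an empty file would
# otherwise hash to a fixed digest, and a missing file would abort the
# script under pipefail instead of reaching the fallback.
# Outputs:   6 upper-case hex chars on stdout, or "" if neither source works
# Returns:   0
#######################################
generate_agent_id() {
    local id=""
    if [ -s /etc/machine-id ]; then
        id=$(sha256sum < /etc/machine-id | cut -c1-6 | tr '[:lower:]' '[:upper:]') || id=""
    fi
    if [ -z "$id" ] && [ -r /proc/sys/kernel/random/uuid ]; then
        id=$(cut -c1-6 < /proc/sys/kernel/random/uuid | tr '[:lower:]' '[:upper:]') || id=""
    fi
    echo "$id"
}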

# --- Helper: install Tailscale via package manager ---
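# --- Helper: install Tailscale via package manager ---
#######################################
# Install the tailscale package from the vendor repository using whichever
# package manager is present. The apt path pins the repository to a keyring
# fetched over HTTPS (signed-by=), so apt verifies package signatures; there
# is deliberately no unsigned fallback.
# Kept in step with install_tailscale_for_activation in support-on.sh:
# os-release keys are read with ${VAR:-} so a file lacking a key cannot trip
# `set -u` in the sourcing subshell, and the dnf repo add is best-effort.
# Globals:   YELLOW, NC (read)
# Outputs:   progress text on stdout
# Returns:   0 on success; 1 when no supported package manager exists or the
#            keyring download fails; otherwise the package manager's status
#######################################
install_tailscale() {
    if command -v apt-get &>/dev/null; then
        echo -e "${YELLOW}installing via apt...${NC}"
        mkdir -p --mode=0755 /usr/share/keyrings 2>/dev/null || true
        # Detect distro family (ubuntu vs debian vs other)
        local distro_family="ubuntu"
        local codename=""
        if [ -f /etc/os-release ]; then
            local os_id os_id_like
            os_id=$(. /etc/os-release && echo "${ID:-}")
            os_id_like=$(. /etc/os-release && echo "${ID_LIKE:-}")
            case "$os_id" in
                debian) distro_family="debian" ;;
                ubuntu) distro_family="ubuntu" ;;
                *)
                    # Check ubuntu FIRST — derivatives like Mint report
                    # ID_LIKE="ubuntu debian" and we need the ubuntu repo
                    if [[ "$os_id_like" == *ubuntu* ]]; then
                        distro_family="ubuntu"
                    elif [[ "$os_id_like" == *debian* ]]; then
                        distro_family="debian"
                    fi
                    ;;
            esac
            # For Ubuntu derivatives (Mint, Pop!_OS, etc.), UBUNTU_CODENAME maps to
            # the actual Ubuntu release, not the derivative's codename.
            if [ "$distro_family" = "ubuntu" ]; then
                codename=$(. /etc/os-release && echo "${UBUNTU_CODENAME:-}")
            fi
        fi
        # Fall back to lsb_release, then hardcoded defaults
        if [ -z "$codename" ]; then
            codename=$(lsb_release -cs 2>/dev/null || echo "")
        fi
        if [ -z "$codename" ]; then
            if [ "$distro_family" = "ubuntu" ]; then codename="noble"; else codename="bookworm"; fi
        fi
        local keyring="/usr/share/keyrings/tailscale-archive-keyring.gpg"
        local repo_base="https://pkgs.tailscale.com/stable/${distro_family}"
        # No keyring, no repository.
        if ! curl -fsSL "${repo_base}/${codename}.noarmor.gpg" -o "$keyring"; then
            return 1
        fi
        echo "deb [signed-by=${keyring}] ${repo_base} ${codename} main" \
            > /etc/apt/sources.list.d/tailscale.list
        # Index refresh is best-effort: an unrelated broken repo on the box must
        # not block this install; the install step itself still has to succeed.
        apt-get update -qq 2>&1 | grep -v "^Hit\|^Get\|^Ign\|^Reading\|^Building" || true
        apt-get install -y tailscale
    elif command -v dnf &>/dev/null; then
        echo -e "${YELLOW}installing via dnf...${NC}"
        # Best-effort, as in the activation-time installer; the install below decides.
        dnf config-manager --add-repo https://pkgs.tailscale.com/stable/fedora/tailscale.repo 2>/dev/null || true
        dnf install -y tailscale 2>/dev/null
    elif command -v pacman &>/dev/null; then
        echo -e "${YELLOW}installing via pacman...${NC}"
        pacman -Sy --noconfirm tailscale 2>/dev/null
    else
        return 1
    fi
}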

# Check root
# Check root — everything below writes under /opt, /etc and /var.
if (( EUID != 0 )); then
    echo -e "${RED}Please run with sudo:${NC}"
    echo "  sudo bash install-support.sh"
    exit 1
fi

# --- Uninstall mode ---
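# --- Uninstall mode ---
# Every step is best-effort and ordered so a broken or partial install can
# still be removed. The desktop-user lookup used to abort the whole run
# (find_primary_user exits 1, and set -e propagated that through the command
# substitution), leaving state, sudoers and the audit log behind; it now only
# skips the per-user shortcut step.
if [ "${1:-}" = "--uninstall" ]; then
    echo ""
    echo -e "${GREEN}═══════════════════════════════════════════${NC}"
    echo -e "${GREEN}  Agent Remote Support — Uninstall         ${NC}"
    echo -e "${GREEN}═══════════════════════════════════════════${NC}"
    echo ""

    # Run support-off first if active, so the script that knows how to tear
    # down Tailscale/sudoers state does so before it is deleted.
    if [ -f /var/lib/agent-support/session ]; then
        echo "Disabling active support session..."
        bash "$INSTALL_DIR/support-off.sh" --quiet 2>/dev/null || true
    fi

    echo -n "Removing scripts... "
    if [ -d "$INSTALL_DIR" ]; then
        # Immutable flags must come off before rm can succeed.
        find "$INSTALL_DIR" -maxdepth 1 -type f -exec chattr -i {} + 2>/dev/null || true
        chattr -i "$INSTALL_DIR" 2>/dev/null || true
    fi
    rm -rf -- "${INSTALL_DIR:?}"
    echo "done"

    echo -n "Removing sudoers... "
    rm -f /etc/sudoers.d/agent-support /etc/sudoers.d/agent-support-diag
    echo "done"

    echo -n "Removing support user... "
    if id agent-support &>/dev/null; then
        # End any lingering support processes first; userdel typically refuses
        # while the account still has processes.
        pkill -u agent-support 2>/dev/null || true
        sleep 1
        userdel -r agent-support 2>/dev/null || true
    fi
    echo "done"

    echo -n "Removing timer... "
    systemctl stop agent-support-timeout.timer 2>/dev/null || true
    systemctl disable agent-support-timeout.timer 2>/dev/null || true
    rm -f /etc/systemd/system/agent-support-timeout.timer
    rm -f /etc/systemd/system/agent-support-timeout.service
    systemctl daemon-reload 2>/dev/null || true
    echo "done"

    # Resolve the desktop user whose home holds the shortcuts. A failed lookup
    # must not abort the uninstall, so the helper's exit is caught here.
    PRIMARY_USER=$(find_primary_user 2>/dev/null) || PRIMARY_USER=""
    USER_HOME=""
    if [ -n "$PRIMARY_USER" ]; then
        USER_HOME=$(getent passwd "$PRIMARY_USER" | cut -d: -f6) || USER_HOME=""
    fi

    echo -n "Removing shortcuts... "
    if [ -n "$USER_HOME" ]; then
        rm -f "$USER_HOME/support-on.sh" "$USER_HOME/support-off.sh" "$USER_HOME/support-update.sh" "$USER_HOME/support-rustdesk.sh" "$USER_HOME/bedrock-support.sh"
        rm -f "$USER_HOME/Desktop/Enable-Support.desktop" "$USER_HOME/Desktop/Disable-Support.desktop" "$USER_HOME/Desktop/Update-Support.desktop" "$USER_HOME/Desktop/Bedrock-Support.desktop" 2>/dev/null || true
    else
        echo -n "(primary user unknown, per-user files left in place) "
    fi
    rm -f /usr/share/applications/agent-support-enable.desktop /usr/share/applications/agent-support-disable.desktop /usr/share/applications/agent-support-update.desktop /usr/share/applications/bedrock-support.desktop 2>/dev/null || true
    echo "done"

    echo -n "Cleaning state... "
    rm -rf /var/lib/agent-support
    echo "done"

    echo -n "Removing audit log... "
    rm -rf "$AUDIT_LOG_DIR"
    echo "done"

    echo ""
    echo -e "${GREEN}  Agent Remote Support fully uninstalled.${NC}"
    echo ""
    exit 0
fi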

# --- Generate Agent ID ---
# --- Generate Agent ID ---
# A reinstall keeps the ID already on disk so support tickets stay consistent.
AGENT_ID=$(generate_agent_id)
[ -f "$INSTALL_DIR/agent-id" ] && AGENT_ID=$(<"$INSTALL_DIR/agent-id")

echo ""
echo -e "${GREEN}═══════════════════════════════════════════${NC}"
echo -e "${GREEN}  Agent Remote Support — Installer v${VERSION}    ${NC}"
echo -e "${GREEN}═══════════════════════════════════════════${NC}"
echo ""
echo -e "  Agent ID: ${CYAN}${AGENT_ID}${NC}"
echo ""

# First audit record of this run.
ensure_audit_log
write_audit_log "install_start" "version=$VERSION" "agent_id=$AGENT_ID"

# Step 1: Create support-on.sh
echo -n "Creating support scripts... "
mkdir -p "$INSTALL_DIR"

# Remove immutable flags if reinstalling. Prior versions locked the README too.
if [ -d "$INSTALL_DIR" ]; then
    find "$INSTALL_DIR" -maxdepth 1 -type f -exec chattr -i {} + 2>/dev/null || true
    chattr -i "$INSTALL_DIR" 2>/dev/null || true
fi

# ---- BEGIN support-on.sh ----
cat > "$INSTALL_DIR/support-on.sh" << 'SUPPORT_ON_SCRIPT'
#!/bin/bash
set -euo pipefail

# __NAME__ placeholders are expected to be filled in by the installer when it
# writes this script to disk (that substitution step lives in the installer).
# The SSH keys are public keys only.
SSH_KEY_WILL="__SSH_KEY_WILL__"
SSH_KEY_BROCK="__SSH_KEY_BROCK__"
SSH_KEY_WRENCH="__SSH_KEY_WRENCH__"
SESSION_TIMEOUT_HOURS="__SESSION_TIMEOUT_HOURS__"
AUDIT_LOG_DIR="__AUDIT_LOG_DIR__"
AUDIT_LOG_FILE="__AUDIT_LOG_FILE__"

# Fixed support-side identity and local state.
SUPPORT_MARKER="/var/lib/agent-support/session"
SUPPORT_USER="agent-support"
SUPPORT_TAILNET="upgradeya.com"
SUPPORT_CHECK_NODES="100.79.12.6 100.98.223.56"

# The installer records this machine's ID next to the scripts.
AGENT_ID=$(cat /opt/agent-support/agent-id 2>/dev/null || echo "UNKNOWN")

# ANSI color escapes (interpreted by `echo -e`).
GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
CYAN='\033[0;36m'
NC='\033[0m'

#######################################
# Create the audit log directory and file. Directory 750, file 640 (root and
# its group only). The mode changes are best-effort; creating the file is not.
# Globals:   AUDIT_LOG_DIR, AUDIT_LOG_FILE (read)
#######################################
ensure_audit_log() {
    local dir="$AUDIT_LOG_DIR"
    local file="$AUDIT_LOG_FILE"
    mkdir -p -- "$dir"
    chmod 750 -- "$dir" 2>/dev/null || true
    touch -- "$file"
    chmod 640 -- "$file" 2>/dev/null || true
}

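#######################################
# Append one audit record: "<iso-time> | support-on | event=<event> | <field>..."
# The record is assembled first and written with a single printf so that
# (a) one call is always exactly one line — CR/LF inside a value is replaced
# by a space rather than splitting the record, which would let a value forge
# extra log lines — and (b) concurrent writers do not interleave fragments.
# Globals:   AUDIT_LOG_FILE (written)
# Arguments: $1 - event name; $2.. - optional key=value fields
# Returns:   0 on success, non-zero if the log cannot be prepared or written
#######################################
write_audit_log() {
    local event="$1"
    shift || true
    ensure_audit_log
    local line field
    line="$(date -Iseconds) | support-on | event=${event}"
    for field in "$@"; do
        line+=" | ${field}"
    done
    line="${line//$'\r'/ }"
    line="${line//$'\n'/ }"
    printf '%s\n' "$line" >> "$AUDIT_LOG_FILE"
}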

#######################################
# Install the tailscale package at activation time, for machines that never
# had it. Same logic as the installer's install_tailscale: the apt path pins
# the repository to a keyring fetched over HTTPS (signed-by=), so apt verifies
# package signatures; there is no unsigned fallback.
# Globals:   YELLOW, NC (read)
# Outputs:   progress text on stdout
# Returns:   0 on success; 1 when no supported package manager exists or the
#            keyring download fails; otherwise the package manager's status
#######################################
install_tailscale_for_activation() {
    if command -v apt-get &>/dev/null; then
        echo -e "${YELLOW}installing via apt...${NC}"
        mkdir -p --mode=0755 /usr/share/keyrings 2>/dev/null || true
        local distro_family="ubuntu"
        local codename=""
        if [ -f /etc/os-release ]; then
            local os_id os_id_like
            # ${VAR:-} so an os-release lacking a key cannot trip `set -u` in the subshell.
            os_id=$(. /etc/os-release && echo "${ID:-}")
            os_id_like=$(. /etc/os-release && echo "${ID_LIKE:-}")
            case "$os_id" in
                debian) distro_family="debian" ;;
                ubuntu) distro_family="ubuntu" ;;
                *)
                    # ubuntu first: derivatives can list both ("ubuntu debian").
                    if echo "$os_id_like" | grep -q ubuntu; then
                        distro_family="ubuntu"
                    elif echo "$os_id_like" | grep -q debian; then
                        distro_family="debian"
                    fi
                    ;;
            esac
            # UBUNTU_CODENAME names the underlying Ubuntu release on derivatives.
            if [ "$distro_family" = "ubuntu" ]; then
                codename=$(. /etc/os-release && echo "${UBUNTU_CODENAME:-}")
            fi
        fi
        if [ -z "$codename" ]; then
            codename=$(lsb_release -cs 2>/dev/null || echo "")
        fi
        # Last resort: current defaults for each family.
        if [ -z "$codename" ]; then
            [ "$distro_family" = "ubuntu" ] && codename="noble" || codename="bookworm"
        fi
        # No keyring, no repository.
        if ! curl -fsSL "https://pkgs.tailscale.com/stable/${distro_family}/${codename}.noarmor.gpg" \
            -o /usr/share/keyrings/tailscale-archive-keyring.gpg; then
            return 1
        fi
        echo "deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/stable/${distro_family} ${codename} main" \
            > /etc/apt/sources.list.d/tailscale.list
        # Index refresh is best-effort (an unrelated broken repo must not block us);
        # the install step below still has to succeed.
        apt-get update -qq 2>&1 | grep -v "^Hit\|^Get\|^Ign\|^Reading\|^Building" || true
        apt-get install -y tailscale
        return $?
    elif command -v dnf &>/dev/null; then
        echo -e "${YELLOW}installing via dnf...${NC}"
        dnf config-manager --add-repo https://pkgs.tailscale.com/stable/fedora/tailscale.repo 2>/dev/null || true
        dnf install -y tailscale
        return $?
    elif command -v pacman &>/dev/null; then
        echo -e "${YELLOW}installing via pacman...${NC}"
        pacman -Sy --noconfirm tailscale
        return $?
    fi
    return 1
}


#######################################
# Local sanity check on a Tailscale auth key handed out by Bedrock: the
# "tskey-auth-" prefix followed by at least 20 key characters. Tailscale
# itself performs the real validation when the key is used.
# Arguments: $1 - candidate key (may be empty)
# Returns:   0 when the shape looks right, 1 otherwise
#######################################
valid_support_key_format() {
    local key="${1:-}"
    local pattern='^tskey-auth-[A-Za-z0-9_-]{20,}$'
    [[ "$key" =~ $pattern ]]
}

#######################################
# Tell the user whether the pasted key looks like a Bedrock support key.
# Arguments: $1 - candidate key
# Outputs:   one confirmation line, or two lines of guidance on rejection
# Returns:   0 when valid_support_key_format accepts the key, 1 otherwise
#######################################
confirm_support_key_received() {
    local key="${1:-}"
    if ! valid_support_key_format "$key"; then
        echo -e "  ${RED}Data Received - Appears Invalid - Close this terminal and restart${NC}"
        echo -e "  ${YELLOW}Expected a Bedrock support key beginning with tskey-auth-.${NC}"
        return 1
    fi
    echo -e "  ${GREEN}Key received - Valid${NC}"
    return 0
}

# True when the local daemon's prefs dump reports Tailscale SSH as on.
# A failing `tailscale` command (absent, stopped) reads as "not enabled".
is_tailscale_ssh_enabled() {
    local prefs
    prefs=$(tailscale debug prefs 2>/dev/null) || prefs=""
    grep -q '"RunSSH": true' <<<"$prefs"
}

# True when the local daemon's prefs dump reports Shields Up (inbound blocked).
# A failing `tailscale` command reads as "not shields up".
is_tailscale_shields_up() {
    local prefs
    prefs=$(tailscale debug prefs 2>/dev/null) || prefs=""
    grep -q '"ShieldsUp": true' <<<"$prefs"
}


#######################################
# Print the tailnet this node is currently logged into, preferring the
# tailnet Name and falling back to its MagicDNS suffix. Prints "unknown"
# when status is unavailable, python3 is missing, or the JSON is unparsable.
# Outputs:   one line on stdout
# Returns:   0
#######################################
tailscale_tailnet_name() {
    local name
    name=$(tailscale status --json 2>/dev/null | python3 -c '
import json, sys
try:
    tailnet = json.load(sys.stdin).get("CurrentTailnet") or {}
except Exception:
    tailnet = {}
print(tailnet.get("Name") or tailnet.get("MagicDNSSuffix") or "unknown")
' 2>/dev/null) || name="unknown"
    echo "$name"
}

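#######################################
# Read one KEY=value field from the session marker.
# The marker is grepped, never sourced, so its contents cannot run as code.
# Globals:   SUPPORT_MARKER (read)
# Arguments: $1 - key name
# Outputs:   the value (text after the first '='), or nothing when absent
# Returns:   0 always
#######################################
_marker_field() {
    grep "^${1}=" "$SUPPORT_MARKER" 2>/dev/null | head -1 | cut -d= -f2- || true
}

#######################################
# If a Bedrock support session is already active and usable, print its
# status and return 0 so the caller can skip activation.
# All checks run before anything is printed: previously the "Support Already
# Active" banner was printed first and the shields-up / SSH checks ran
# afterwards, so a failed late check left a banner on screen and then fell
# through to the activation menu.
# Globals:   SUPPORT_MARKER, SUPPORT_TAILNET, AGENT_ID, color vars (read)
# Returns:   0 when a verified, usable session was displayed; 1 otherwise
#######################################
show_active_support_status() {
    [ -f "$SUPPORT_MARKER" ] || return 1

    local marker_session marker_tailnet marker_agent marker_level marker_ip marker_started marker_ssh_user
    local live_ip current_tailnet
    marker_session=$(_marker_field SUPPORT_SESSION)
    marker_tailnet=$(_marker_field SUPPORT_TAILNET)
    marker_agent=$(_marker_field AGENT_ID)
    marker_level=$(_marker_field LEVEL)
    marker_ip=$(_marker_field TAILSCALE_IP)
    marker_started=$(_marker_field STARTED)
    marker_ssh_user=$(_marker_field SSH_USER)

    # Do not treat old/stale markers or ordinary customer Tailscale sessions as Bedrock support.
    [ "$marker_session" = "bedrock-support" ] || return 1
    [ "$marker_tailnet" = "$SUPPORT_TAILNET" ] || return 1

    if ! command -v tailscale &>/dev/null || ! tailscale status &>/dev/null; then
        return 1
    fi

    current_tailnet=$(tailscale_tailnet_name)
    [ "$current_tailnet" = "$SUPPORT_TAILNET" ] || return 1

    live_ip=$(tailscale ip -4 2>/dev/null | head -1 || true)
    # If the machine has returned to another Tailscale identity/session, the live IP will not match
    # the Bedrock support session we created. In that case, show the normal support activation flow.
    [ -n "$marker_ip" ] && [ -n "$live_ip" ] && [ "$live_ip" = "$marker_ip" ] || return 1

    # Connected but not reachable for support: fall back to the activation flow.
    if is_tailscale_shields_up; then
        return 1
    fi
    if ! is_tailscale_ssh_enabled; then
        return 1
    fi

    echo ""
    echo -e "${GREEN}═══════════════════════════════════════════${NC}"
    echo -e "${GREEN}  Support Already Active                   ${NC}"
    echo -e "${GREEN}═══════════════════════════════════════════${NC}"
    echo ""
    echo -e "  Status:        ${GREEN}Active Connection${NC}"
    echo -e "  Agent ID:      ${CYAN}${marker_agent:-$AGENT_ID}${NC}"
    echo -e "  Connection IP: ${CYAN}${live_ip:-${marker_ip:-unknown}}${NC}"
    echo -e "  Tailscale SSH: ${GREEN}enabled${NC}"
    echo -e "  Support level: ${CYAN}${marker_level:-unknown}${NC}"
    echo -e "  SSH user:      ${CYAN}${marker_ssh_user:-unknown}${NC}"
    echo -e "  Started:       ${CYAN}${marker_started:-unknown}${NC}"
    echo ""
    echo -e "  To disconnect: ${GREEN}sudo support-off.sh${NC}"
    echo ""
    return 0
}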

# Print the command-line help for support-on.sh (literal text, no expansion).
usage() {
    cat <<'EOF'
Usage:
  sudo support-on.sh [--support-key <tailscale-auth-key>]

Options:
  --support-key <key>   Tailscale auth key provided by Bedrock for support activation
  -h, --help            Show this help text
EOF
}

# --- Command-line options ---
# The support key may be given here to skip the interactive prompt. Anything
# on the command line is visible to other local users in the process list and
# may be kept in shell history, so the prompt below is the quieter route.
SUPPORT_KEY=""
while (( $# > 0 )); do
    case "$1" in
        --support-key)
            (( $# >= 2 )) || {
                echo -e "${RED}Missing value for --support-key${NC}"
                usage
                exit 1
            }
            SUPPORT_KEY="$2"
            shift 2
            ;;
        -h|--help)
            usage
            exit 0
            ;;
        *)
            echo -e "${RED}Unknown argument: $1${NC}"
            usage
            exit 1
            ;;
    esac
done

# Root is required: the script edits sudoers, systemd units and the support user.
(( EUID == 0 )) || { echo -e "${RED}Please run with sudo:${NC}"; echo "  sudo support-on.sh"; exit 1; }

# A verified, still-usable Bedrock session needs no re-activation.
show_active_support_status && exit 0

# --- Interactive activation flow ---
# Reached only when no verified Bedrock session is active (see
# show_active_support_status). The Agent ID shown here is what the customer
# quotes to the support bot.
echo ""
echo -e "${GREEN}═══════════════════════════════════════════${NC}"
echo -e "${GREEN}  Agent Remote Support                     ${NC}"
echo -e "${GREEN}═══════════════════════════════════════════${NC}"
echo ""
echo -e "  Agent ID: ${CYAN}${AGENT_ID}${NC}"
echo ""
echo -e "  ${CYAN}Step 1:${NC} Message ${GREEN}@BedrockAgentSupportBot${NC} to start a support ticket."
echo "          Provide your Agent ID and the support code emailed to you."
echo ""
echo -e "  ${CYAN}Step 2:${NC} Choose a support level:"
echo ""
echo -e "  ${CYAN}1)${NC} Non-Admin Access"
echo -e "     Standard shell access for support review and triage."
echo -e "     ${GREEN}No sudo or administrative access.${NC}"
echo -e "     Auto-expires in ${SESSION_TIMEOUT_HOURS}h."
echo ""
echo -e "  ${CYAN}2)${NC} Full Support"
echo -e "     Secure shell access with full administrative access."
echo -e "     ${YELLOW}Changes and fixes are allowed while support is active.${NC}"
echo -e "     Auto-expires in ${SESSION_TIMEOUT_HOURS}h. All actions logged."
echo ""
echo -e "  ${CYAN}3)${NC} Ongoing Management"
echo -e "     Permanent connection for regular maintenance."
echo -e "     ${YELLOW}Access stays on until you disable it.${NC}"
echo ""
echo -e "  ${CYAN}0)${NC} Cancel"
echo ""
# The choice is validated before any system change is made.
read -r -p "  Enter choice [1/2/3/0]: " LEVEL
echo ""; echo ""

# Empty input (e.g. EOF on stdin) is treated as an explicit cancel.
if [ "$LEVEL" = "0" ] || [ -z "$LEVEL" ]; then echo "Cancelled."; exit 0; fi
if [[ ! "$LEVEL" =~ ^[123]$ ]]; then echo -e "${RED}Invalid choice.${NC}"; exit 1; fi

# Human-readable labels for the three access levels (audit log and banner).
declare -A LEVEL_NAME=(
    [1]="Non-Admin Access"
    [2]="Full Support"
    [3]="Ongoing Management"
)

# --- Support key ---
# The auth key is the credential that joins this machine to the support
# tailnet. Prompt only when it was not given on the command line; whitespace
# picked up by a copy/paste is stripped before the shape check.
if [ -z "$SUPPORT_KEY" ]; then
    echo "  Bedrock support requires a Tailscale auth key at activation time."
    echo "  Paste the support key exactly as provided by Bedrock."
    echo ""
    read -r -p "  Enter Bedrock support key: " SUPPORT_KEY
    echo ""
fi

SUPPORT_KEY="$(printf '%s' "$SUPPORT_KEY" | tr -d '[:space:]')"

[ -n "$SUPPORT_KEY" ] || { echo -e "${RED}No support key provided. Cancelling.${NC}"; exit 1; }
confirm_support_key_received "$SUPPORT_KEY" || exit 1

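write_audit_log "support_on_started" "agent_id=$AGENT_ID"
write_audit_log "level_selected" "level=$LEVEL" "level_name=${LEVEL_NAME[$LEVEL]}"

# Clean up previous session if upgrading.
# A marker without a LEVEL= line (older or hand-edited file) used to abort
# the script silently here: grep returned 1, pipefail propagated it through
# the command substitution and set -e exited. Treat it as an unknown level
# and fall through to the normal disconnect instead.
if [ -f "$SUPPORT_MARKER" ]; then
    CURRENT_LEVEL=$(grep "^LEVEL=" "$SUPPORT_MARKER" 2>/dev/null | head -1 | cut -d= -f2- || true)
    if [ "${CURRENT_LEVEL:-}" = "$LEVEL" ]; then
        echo -e "${YELLOW}Level $LEVEL is already active.${NC}"
        echo "Run support-off.sh to disconnect first."
        exit 0
    fi
    echo -e "${YELLOW}Upgrading from Level ${CURRENT_LEVEL:-?} to Level $LEVEL...${NC}"
    # support-off.sh is installed next to this script; resolve it from $0.
    SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
    bash "$SCRIPT_DIR/support-off.sh" --quiet 2>/dev/null || true
fi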

# Tailscale
# Installed on demand so activation also works on a machine that never had
# it. The signed vendor repository is the only automatic route; if that fails
# the user gets a manual-download hint and nothing else has been changed yet.
echo -n "Checking Tailscale... "
if ! command -v tailscale &>/dev/null; then
    echo -e "${YELLOW}not installed${NC}"
    echo -n "Installing Tailscale for this support session... "
    write_audit_log "tailscale_install_started" "source=support_on"
    if ! install_tailscale_for_activation; then
        write_audit_log "tailscale_install_failed" "source=support_on"
        echo -e "${RED}failed${NC}"
        echo -e "  ${YELLOW}Automatic Tailscale install failed on this machine.${NC}"
        echo -e "  ${YELLOW}Install manually from https://tailscale.com/download, then run Bedrock Support again with the same support key if it is still unused.${NC}"
        exit 1
    fi
    # Start the daemon now and at boot; best-effort, the check below is authoritative.
    systemctl enable --now tailscaled 2>/dev/null || true
    write_audit_log "tailscale_install_completed" "source=support_on"
fi
# The package may install without putting the CLI on PATH for this shell.
if ! command -v tailscale &>/dev/null; then
    echo -e "${RED}not available after install${NC}"
    exit 1
fi
echo -e "${GREEN}ok${NC}"

# Record what Tailscale was doing before it is taken over. PREV_STATE,
# PREV_TAILNET and RESTORE_ACTION are written to the session marker further
# down (how support-off.sh uses them is outside this script).
PREV_STATE="none"; PREV_TAILNET=""; RESTORE_ACTION="none"
OUR_TAILNET="$SUPPORT_TAILNET"
if tailscale status &>/dev/null; then
    PREV_STATE="connected"
    # Parse tailnet name: try python3, fall back to grep
    # NOTE(review): this duplicates tailscale_tailnet_name() above but keeps a
    # grep fallback for hosts without python3; keep both in step if the JSON
    # field names change.
    PREV_TAILNET=$(
        tailscale status --json 2>/dev/null | python3 -c \
            "import sys,json; print(json.load(sys.stdin).get('CurrentTailnet',{}).get('Name','unknown'))" \
            2>/dev/null \
        || tailscale status --json 2>/dev/null | grep -o '"MagicDNSSuffix":"[^"]*"' | head -1 | cut -d'"' -f4 \
        || echo "unknown"
    )
    # The `tailscale up --reset --force-reauth` below replaces the current
    # login, so the customer must opt in to losing their own tailnet.
    if [ "$PREV_TAILNET" != "$OUR_TAILNET" ] && [ "$PREV_TAILNET" != "unknown" ]; then
        RESTORE_ACTION="manual_reauth"
        echo ""
        echo -e "  ${YELLOW}Tailscale is already connected to: ${PREV_TAILNET}${NC}"
        echo -e "  ${YELLOW}Enabling support will disconnect you from that network.${NC}"
        echo -e "  ${YELLOW}When support ends, you may need to re-authenticate to restore it.${NC}"
        echo -e "  ${YELLOW}Typical restore command: sudo tailscale up${NC}"
        echo ""
        # Single keypress; anything other than n/N continues.
        read -p "  Continue? [Y/n] " -n 1 -r; echo
        if [[ $REPLY =~ ^[Nn]$ ]]; then echo "Cancelled."; exit 0; fi
    elif [ "$PREV_TAILNET" = "$OUR_TAILNET" ]; then
        RESTORE_ACTION="return_to_support_tailnet"
    fi
fi

# Hand the node to the support tailnet. --reset/--force-reauth replace the
# current login and local settings, --ssh turns on Tailscale SSH (the support
# transport), --accept-risk=lose-ssh acknowledges that this can drop an
# existing SSH session, and DNS/routes from the support tailnet are not
# applied locally (--accept-dns=false --accept-routes=false).
# NOTE(review): the auth key is passed on argv, so it is visible in the
# process list for the duration of `tailscale up`. It is single-use, but
# check whether the installed tailscale accepts the key from a file instead.
echo -n "Connecting to support network... "
# Capture output and exit code ourselves; under set -e a failure would exit
# before it can be explained to the user.
set +e
TS_OUTPUT=$(tailscale up --reset --authkey="$SUPPORT_KEY" --force-reauth --ssh --shields-up=false --accept-risk=lose-ssh --accept-dns=false --accept-routes=false 2>&1)
TS_EXIT=$?
set -e
if [ $TS_EXIT -ne 0 ]; then
    write_audit_log "tailscale_connect_failed" "level=$LEVEL" "exit=$TS_EXIT"
    echo -e "${RED}failed${NC}"
    echo -e "  ${RED}$TS_OUTPUT${NC}"
    echo ""
    # Distinguish a local-prefs refusal from a bad/used key so the user
    # knows whether to fix the machine or ask Bedrock for a new key.
    if echo "$TS_OUTPUT" | grep -qi "requires mentioning all non-default flags"; then
        echo -e "  ${YELLOW}Tailscale refused the handoff because this machine already has non-default local settings.${NC}"
        echo -e "  ${YELLOW}Retry after clearing or resetting local Tailscale options, then try support activation again.${NC}"
    else
        echo -e "  ${YELLOW}The support auth key may be invalid, expired, already used, or rejected by local Tailscale state.${NC}"
        echo -e "  ${YELLOW}Contact Bedrock for a fresh support key if the raw error above does not point to a local Tailscale setting.${NC}"
    fi
    exit 1
fi
# Explicitly clear local settings that can make a successful login unreachable.
tailscale set --ssh=true --shields-up=false 2>/dev/null || true
# Give the daemon a moment before the status/IP checks below.
sleep 2
write_audit_log "tailscale_connected" "level=$LEVEL"
echo -e "${GREEN}connected${NC}"

# Verify, from this side only, that support could actually reach the box:
# healthy status, an assigned tailnet IP, shields down, Tailscale SSH on.
# Each failure is audited with a distinct reason so the log explains why an
# activation that "connected" still ended in failure.
echo -n "Verifying local support connection... "
SUPPORT_IP=$(tailscale ip -4 2>/dev/null | head -1 || echo "unknown")
if ! tailscale status &>/dev/null; then
    echo -e "${RED}failed${NC}"
    write_audit_log "support_reachability_failed" "reason=tailscale_status_failed" "tailscale_ip=${SUPPORT_IP}"
    echo -e "  ${RED}Tailscale login completed, but local Tailscale status is not healthy.${NC}"
    exit 1
fi
if [ -z "$SUPPORT_IP" ] || [ "$SUPPORT_IP" = "unknown" ]; then
    echo -e "${RED}failed${NC}"
    write_audit_log "support_reachability_failed" "reason=no_tailscale_ip" "tailscale_ip=${SUPPORT_IP}"
    echo -e "  ${RED}Tailscale login completed, but no support-network IP was assigned.${NC}"
    exit 1
fi
if is_tailscale_shields_up; then
    echo -e "${RED}failed${NC}"
    write_audit_log "support_reachability_failed" "reason=shields_up" "tailscale_ip=${SUPPORT_IP}"
    echo -e "  ${RED}Tailscale is connected, but Shields Up is blocking inbound support access.${NC}"
    exit 1
fi
if ! is_tailscale_ssh_enabled; then
    echo -e "${RED}failed${NC}"
    write_audit_log "support_reachability_failed" "reason=tailscale_ssh_disabled" "tailscale_ip=${SUPPORT_IP}"
    echo -e "  ${RED}Tailscale is connected, but Tailscale SSH is not enabled for support.${NC}"
    exit 1
fi
echo -e "${GREEN}connected (${SUPPORT_IP})${NC}"
write_audit_log "support_reachability_verified" "tailscale_ip=${SUPPORT_IP}" "method=local_tailscale_status_and_ssh"

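# Best-effort diagnostic only. Bedrock ACLs intentionally allow support nodes to reach
# client devices without allowing client devices to initiate traffic back to support nodes.
# A failed client-side ping here must not make the customer-facing activation look failed.
# The ping output is never read, so it is discarded: writing it to a fixed,
# predictable path under /tmp as root meant the redirection could be pointed
# elsewhere by whatever another local user had placed at that name.
REACHABLE_NODE=""
for node in $SUPPORT_CHECK_NODES; do
    if tailscale ping --c=1 --timeout=3s "$node" >/dev/null 2>&1; then
        REACHABLE_NODE="$node"
        break
    fi
done
if [ -z "$REACHABLE_NODE" ]; then
    write_audit_log "support_reachability_warning" "reason=no_client_to_support_node_ping" "tailscale_ip=${SUPPORT_IP}"
else
    write_audit_log "support_node_ping_verified" "tailscale_ip=${SUPPORT_IP}" "support_node=${REACHABLE_NODE}"
fi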

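# Best-effort identification of the desktop user, recorded in the session
# marker. None of these lookups may abort activation: Tailscale is already
# connected at this point and the marker is not yet written, so an exit here
# would leave the machine connected with no record of the session. The
# USER_HOME lookup in particular used to exit under set -e/pipefail whenever
# PRIMARY_USER was empty (getent fails on an empty name).
PRIMARY_USER=$(logname 2>/dev/null || true)
if [ -z "${PRIMARY_USER:-}" ] || [ "$PRIMARY_USER" = "root" ]; then
    PRIMARY_USER=$(who 2>/dev/null | head -1 | awk '{print $1}') || true
fi
if [ -z "${PRIMARY_USER:-}" ] || [ "$PRIMARY_USER" = "root" ]; then
    PRIMARY_USER=$(getent passwd 1000 2>/dev/null | cut -d: -f1) || true
fi
USER_HOME=""
if [ -n "${PRIMARY_USER:-}" ]; then
    USER_HOME=$(getent passwd "$PRIMARY_USER" 2>/dev/null | cut -d: -f6) || USER_HOME=""
fi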

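# Create support user
# A failed useradd is reported and audited instead of exiting silently under
# set -e. The authorized_keys file is removed and recreated on every
# activation: the key list is authoritative (stale keys never linger), and
# root never writes through whatever may already sit at that path inside the
# support user's home (a symlink there would redirect the write).
echo -n "Setting up support user... "
if ! id "$SUPPORT_USER" &>/dev/null; then
    if ! useradd -m -s /bin/bash "$SUPPORT_USER" 2>/dev/null; then
        echo -e "${RED}failed (useradd)${NC}"
        write_audit_log "support_user_create_failed" "user=$SUPPORT_USER"
        exit 1
    fi
fi
SSH_DIR="/home/$SUPPORT_USER/.ssh"
AUTH_KEYS="$SSH_DIR/authorized_keys"
mkdir -p "$SSH_DIR"
rm -f "$AUTH_KEYS"
printf '%s\n' "$SSH_KEY_WILL" "$SSH_KEY_BROCK" "$SSH_KEY_WRENCH" > "$AUTH_KEYS"
chmod 700 "$SSH_DIR"; chmod 600 "$AUTH_KEYS"
chown -R "$SUPPORT_USER:$SUPPORT_USER" "$SSH_DIR"
echo -e "${GREEN}done${NC}"
write_audit_log "support_user_ready" "user=$SUPPORT_USER"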

# Configure access level with sudoers validation
# Level 1 gets no sudoers entry at all. Level 2+ gets passwordless ALL for the
# support user, with sudo I/O logging (log_input/log_output) so every
# privileged session can be reviewed under /var/log/sudo-io/<user>.
# The fragment is validated with visudo before it is left in place: a syntax
# error in sudoers.d can break sudo for every user on the box.
echo -n "Configuring access... "
SUDOERS_FILE="/etc/sudoers.d/agent-support-diag"
# Start from a clean slate so a stale Level 2 grant cannot survive a Level 1 activation.
rm -f "$SUDOERS_FILE"

if [ "$LEVEL" -eq 1 ]; then
    echo -e "${GREEN}done (Level 1, no sudo)${NC}"
    write_audit_log "access_configured" "level=$LEVEL" "sudo=none"
elif [ "$LEVEL" -ge 2 ]; then
    # Unquoted delimiter: $LEVEL, $SUPPORT_USER and the date are expanded into the file.
    cat > "$SUDOERS_FILE" << SUDOERS
# Agent Remote Support — Level $LEVEL (Full Access)
# Created: $(date -Iseconds)
# All sudo commands are logged to /var/log/sudo-io/
Defaults:$SUPPORT_USER log_input, log_output, iolog_dir=/var/log/sudo-io/%{user}
$SUPPORT_USER ALL=(ALL) NOPASSWD: ALL
SUDOERS

    # sudo expects sudoers.d fragments to be root-owned and mode 0440.
    chmod 440 "$SUDOERS_FILE"
    chown root:root "$SUDOERS_FILE"
    if ! visudo -c -f "$SUDOERS_FILE" &>/dev/null; then
        echo -e "${RED}sudoers validation failed — removing${NC}"
        rm -f "$SUDOERS_FILE"
        exit 1
    fi
    echo -e "${GREEN}done (Level $LEVEL)${NC}"
    write_audit_log "access_configured" "level=$LEVEL" "sudo=full" "sudo_iolog=/var/log/sudo-io"
fi

SSH_USER="$SUPPORT_USER"

# Tailscale SSH is the transport support actually uses; it was requested with
# --ssh and re-asserted with `tailscale set` above. Without it the session is
# unusable, so "not enabled" is fatal here.
echo -n "Checking Tailscale SSH... "
if is_tailscale_ssh_enabled; then
    echo -e "${GREEN}enabled${NC}"
    write_audit_log "tailscale_ssh_enabled" "level=$LEVEL"
else
    echo -e "${RED}not enabled${NC}"
    echo -e "  ${YELLOW}Tailscale connected, but Tailscale SSH did not enable locally.${NC}"
    echo -e "  ${YELLOW}Close this terminal, restart Bedrock Support, and try again with a fresh support key.${NC}"
    write_audit_log "tailscale_ssh_not_enabled" "level=$LEVEL"
    exit 1
fi

# System OpenSSH is fallback only. Tailscale SSH is the primary support path.
# NOTE(review): starting or installing sshd here exposes port 22 on every
# interface sshd listens on, not only tailscale0; the ufw rule below only
# narrows that when ufw is active. Worth confirming the fallback is still needed.
echo -n "Checking system SSH fallback... "
if systemctl is-active --quiet ssh 2>/dev/null || systemctl is-active --quiet sshd 2>/dev/null; then
    echo -e "${GREEN}running${NC}"
else
    # Unit is named ssh on Debian-family and sshd elsewhere; try both.
    if systemctl start ssh 2>/dev/null || systemctl start sshd 2>/dev/null; then
        echo -e "${GREEN}started${NC}"
    else
        echo -e "${YELLOW}not available (Tailscale SSH will be used)${NC}"
        # Every step is best-effort; the session already works over Tailscale SSH.
        if command -v apt-get &>/dev/null; then
            apt-get install -y -qq openssh-server 2>/dev/null || true
        elif command -v dnf &>/dev/null; then
            dnf install -y openssh-server 2>/dev/null || true
        elif command -v pacman &>/dev/null; then
            pacman -Sy --noconfirm openssh 2>/dev/null || true
        fi
        systemctl enable --now ssh 2>/dev/null || systemctl enable --now sshd 2>/dev/null || true
        if systemctl is-active --quiet ssh 2>/dev/null || systemctl is-active --quiet sshd 2>/dev/null; then
            echo -e "  ${GREEN}System SSH fallback installed and running${NC}"
        else
            echo -e "  ${YELLOW}System SSH fallback not active. Continuing with Tailscale SSH.${NC}"
        fi
    fi
fi

# Firewall: when ufw is enforcing, allow SSH only on the Tailscale interface.
if command -v ufw &>/dev/null; then
    if ufw status 2>/dev/null | grep -q "Status: active"; then
        echo -n "Opening firewall... "
        ufw allow in on tailscale0 to any port 22 proto tcp comment 'Agent Remote Support' &>/dev/null || true
        echo -e "${GREEN}done${NC}"
        write_audit_log "firewall_updated" "rule=ssh_on_tailscale0"
    fi
fi

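# Session timeout (Level 1/2 only). Level 3 is explicitly permanent.
# The timer is what bounds the session, so failing to arm it is reported and
# audited rather than dying silently under set -e with Tailscale already
# connected: the user is told the session will not expire on its own.
if [ "$LEVEL" -lt 3 ]; then
    echo -n "Setting ${SESSION_TIMEOUT_HOURS}h auto-expire... "
    cat > /etc/systemd/system/agent-support-timeout.service << TIMER_SVC
[Unit]
Description=Agent Remote Support — Auto-expire session
[Service]
Type=oneshot
ExecStart=/opt/agent-support/support-off.sh --quiet
TIMER_SVC
    cat > /etc/systemd/system/agent-support-timeout.timer << TIMER_UNIT
[Unit]
Description=Agent Remote Support — Session timeout
[Timer]
OnActiveSec=${SESSION_TIMEOUT_HOURS}h
AccuracySec=1min
[Install]
WantedBy=timers.target
TIMER_UNIT
    if ! systemctl daemon-reload 2>/dev/null \
        || ! systemctl enable --now agent-support-timeout.timer 2>/dev/null; then
        echo -e "${RED}failed${NC}"
        write_audit_log "session_timer_failed" "level=$LEVEL" "hours=${SESSION_TIMEOUT_HOURS}"
        echo -e "  ${RED}Could not arm the ${SESSION_TIMEOUT_HOURS}h auto-expire timer.${NC}"
        echo -e "  ${YELLOW}Support is connected but will not expire on its own; run ${GREEN}sudo support-off.sh${YELLOW} to disconnect.${NC}"
        exit 1
    fi
    echo -e "${GREEN}done${NC}"
    write_audit_log "session_timer_armed" "level=$LEVEL" "hours=${SESSION_TIMEOUT_HOURS}"
fi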

# Save session state (parsed safely — never sourced)
# Readers grep KEY=value lines out of this file; values are written verbatim,
# so the file is kept root-only (0700 directory, 0600 file). VERSION=__VERSION__
# is a placeholder expected to be filled by the installer.
mkdir -p /var/lib/agent-support
chmod 700 /var/lib/agent-support
# Unquoted delimiter: every $VAR below is expanded into the marker.
cat > "$SUPPORT_MARKER" << EOF
STARTED=$(date -Iseconds)
SUPPORT_SESSION=bedrock-support
SUPPORT_TAILNET=$OUR_TAILNET
AGENT_ID=$AGENT_ID
VERSION=__VERSION__
LEVEL=$LEVEL
TAILSCALE_IP=$SUPPORT_IP
TAILSCALE_SSH=true
SSH_USER=$SSH_USER
PRIMARY_USER=$PRIMARY_USER
PREVIOUS_STATE=$PREV_STATE
PREVIOUS_TAILNET=$PREV_TAILNET
RESTORE_ACTION=$RESTORE_ACTION
EOF
chmod 600 "$SUPPORT_MARKER"
write_audit_log "support_enabled" "level=$LEVEL" "ssh_user=$SSH_USER" "tailscale_ip=$SUPPORT_IP"

# Final summary for the customer. The printf pads the level name so the
# banner's right border lines up; 18 is the length of the longest name,
# "Ongoing Management".
echo ""
echo -e "${GREEN}═══════════════════════════════════════════${NC}"
echo -e "${GREEN}  Support Active — ${LEVEL_NAME[$LEVEL]}$(printf '%*s' $((18 - ${#LEVEL_NAME[$LEVEL]})) '')${NC}"
echo -e "${GREEN}═══════════════════════════════════════════${NC}"
echo ""
echo -e "  Agent ID:            ${CYAN}${AGENT_ID}${NC}"
echo -e "  Connection IP:       ${CYAN}${SUPPORT_IP}${NC}"
echo -e "  Tailscale SSH:       ${GREEN}enabled${NC}"
echo -e "  Tailscale SSH cmd:   ${GREEN}tailscale ssh ${SSH_USER}@${SUPPORT_IP}${NC}"
echo -e "  System SSH fallback: ${GREEN}ssh ${SSH_USER}@${SUPPORT_IP}${NC}${YELLOW} (only if port 22 is available)${NC}"
echo -e "  Audit log:           ${GREEN}${AUDIT_LOG_FILE}${NC}"
# Only Level 1/2 sessions have the auto-expire timer.
if [ "$LEVEL" -lt 3 ]; then
echo -e "  Expires in:  ${SESSION_TIMEOUT_HOURS} hours (auto)"
fi
echo ""
echo -e "  ${CYAN}Send the above in your support ticket if requested.${NC}"
echo ""
echo -e "  ${YELLOW}─────────────────────────────────────────${NC}"
echo -e "  ${CYAN}Agent Support${NC}"
echo -e "  ${GREEN}bedrockadvisorygroup.com/agent-support/bedrock-mnm${NC}"
echo -e "  ${YELLOW}─────────────────────────────────────────${NC}"
echo ""
if [ "$LEVEL" -lt 3 ]; then echo -e "  To disconnect early: ${GREEN}sudo support-off.sh${NC}"; fi
if [ "$LEVEL" -eq 1 ]; then echo ""; echo -e "  Need more help? Run this script again"; echo -e "  and choose Level 2 for full support."; fi
echo ""
SUPPORT_ON_SCRIPT

# ---- BEGIN support-off.sh ----
cat > "$INSTALL_DIR/support-off.sh" << 'SUPPORT_OFF_SCRIPT'
#!/bin/bash
set -euo pipefail
# support-off.sh — tear down a Bedrock support session.
# All values below except QUIET are fixed at install time; the __AUDIT_LOG_*__
# placeholders are substituted by the installer.
SUPPORT_MARKER="/var/lib/agent-support/session"
SUPPORT_USER="agent-support"
SUPPORT_TAILNET="upgradeya.com"
AUDIT_LOG_DIR="__AUDIT_LOG_DIR__"
AUDIT_LOG_FILE="__AUDIT_LOG_FILE__"
# --quiet / -q suppresses progress output (the expiry timer runs us this way).
# Every other argument is ignored.
QUIET=false
for arg in "$@"; do
    case "$arg" in
        --quiet|-q) QUIET=true ;;
    esac
done
set --   # positional parameters are fully consumed, as before
GREEN='\033[0;32m'; RED='\033[0;31m'; YELLOW='\033[1;33m'; NC='\033[0m'

# Create the audit log directory (0750) and file (0640) if missing.
# chmod failures are tolerated (|| true) so logging never blocks a cleanup;
# a failing mkdir/touch still aborts under set -e, since a missing log is a
# real problem worth surfacing.
ensure_audit_log() {
    local log_dir="$AUDIT_LOG_DIR" log_file="$AUDIT_LOG_FILE"
    [ -d "$log_dir" ] || mkdir -p -- "$log_dir"
    chmod 750 -- "$log_dir" 2>/dev/null || true
    touch -- "$log_file"
    chmod 640 -- "$log_file" 2>/dev/null || true
}

# Append one audit record: "<ISO timestamp> | support-off | event=<name>[ | field]...".
# Arguments: $1 - event name; remaining args - free-form key=value fields.
# The line is assembled first and appended with a single write, so a script
# killed mid-way cannot leave a half-written record behind.
write_audit_log() {
    local event="$1"
    local record field
    shift || true
    ensure_audit_log
    record="$(date -Iseconds) | support-off | event=${event}"
    for field in "$@"; do
        record+=" | ${field}"
    done
    printf '%s\n' "$record" >> "$AUDIT_LOG_FILE"
}

# Banner (suppressed in --quiet / timer-driven runs). Root is required because
# everything below edits system state: tailscale, users, sudoers.d, ufw.
if [ "$QUIET" != true ]; then
    printf '%b\n' \
        "${GREEN}═══════════════════════════════════════════${NC}" \
        "${GREEN}  Agent Remote Support — Disconnect        ${NC}" \
        "${GREEN}═══════════════════════════════════════════${NC}" ""
fi

[ "$EUID" -eq 0 ] || { echo -e "${RED}Please run with sudo${NC}"; exit 1; }

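# Parse marker safely (never source it)
# Print the value of key $1 from the session marker, or $2 when the key is
# absent/empty or the file cannot be read. Everything after the first '=' is
# kept (-f2-), matching how support-menu.sh reads the same file, so a value
# that itself contains '=' is no longer truncated.
marker_value() {
    local key="$1" default="$2" value
    value=$(grep "^${key}=" "$SUPPORT_MARKER" 2>/dev/null | head -1 | cut -d= -f2- || true)
    printf '%s\n' "${value:-$default}"
}

LEVEL=0; PRIMARY_USER=""; PREV_STATE="none"; PREV_TAILNET=""; RESTORE_ACTION="none"
if [ -f "$SUPPORT_MARKER" ]; then
    LEVEL=$(marker_value LEVEL 0)
    PRIMARY_USER=$(marker_value PRIMARY_USER "")
    PREV_STATE=$(marker_value PREVIOUS_STATE none)
    PREV_TAILNET=$(marker_value PREVIOUS_TAILNET "")
    RESTORE_ACTION=$(marker_value RESTORE_ACTION none)
fi
# LEVEL feeds integer tests below: a corrupted or hand-edited marker must read
# as "no session" instead of making every [ -eq ] comparison error out.
[[ "$LEVEL" =~ ^[0-9]+$ ]] || LEVEL=0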

write_audit_log "support_off_started" "level=${LEVEL:-0}" "previous_state=$PREV_STATE"

# No marker means nothing obviously to undo. Interactively, ask before running
# the cleanup anyway (useful after a half-finished support-on); --quiet always
# proceeds so the expiry timer can never be blocked on a prompt.
if [ "${LEVEL:-0}" -eq 0 ] && [ "$QUIET" = false ]; then
    echo -e "${YELLOW}No active support session found.${NC}"
    read -r -n 1 -p "Clean up anyway? [y/N] "; echo
    [[ $REPLY =~ ^[Yy]$ ]] || exit 0
fi

# Stop the expiry timer first so it cannot fire in the middle of this cleanup.
# Both calls are best-effort: the timer only exists for Level 1/2 sessions.
if [ "$QUIET" = false ]; then echo -n "Stopping timeout timer... "; fi
for timer_action in stop disable; do
    systemctl "$timer_action" agent-support-timeout.timer 2>/dev/null || true
done
if [ "$QUIET" = false ]; then echo -e "${GREEN}done${NC}"; fi

# Print the name of the tailnet this node is joined to, or "unknown" when
# tailscaled is unreachable, not logged in, or its JSON cannot be parsed.
# Prefers CurrentTailnet.Name, falling back to MagicDNSSuffix.
tailscale_tailnet_name() {
    local name
    name=$(tailscale status --json 2>/dev/null | python3 -c '
import json, sys
ct = json.load(sys.stdin).get("CurrentTailnet") or {}
print(ct.get("Name") or ct.get("MagicDNSSuffix") or "unknown")
' 2>/dev/null) || name="unknown"
    printf '%s\n' "${name:-unknown}"
}
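# Return 0 when live local Tailscale state shows Bedrock support access is active.
# The marker file is bookkeeping only; live Tailscale access is the authority.
# "Active" means: joined to $SUPPORT_TAILNET, ShieldsUp off, and either Tailscale
# SSH enabled or Funnel on. Any tailscale CLI failure counts as inactive.
# Prefs are read once (the flags were previously fetched by two separate CLI
# calls) and every scratch variable is local — shieldsup used to leak as a global.
# Note: `tailscale debug prefs` output is not a stable interface; revisit the
# grep patterns on Tailscale upgrades.
truthful_support_access_state() {
    local tailnet status_text prefs runssh="false" shieldsup="false"
    status_text=$(tailscale status 2>&1 || true)
    tailnet=$(tailscale_tailnet_name)
    prefs=$(tailscale debug prefs 2>/dev/null || true)
    grep -q '"RunSSH": true' <<<"$prefs" && runssh="true"
    grep -q '"ShieldsUp": true' <<<"$prefs" && shieldsup="true"

    [ "$tailnet" = "$SUPPORT_TAILNET" ] || return 1
    [ "$shieldsup" = "true" ] && return 1
    [ "$runssh" = "true" ] && return 0
    grep -qi 'Funnel on' <<<"$status_text" && return 0
    return 1
}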

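# Disconnect Tailscale and verify the live access state is inactive before reporting success.
# Order matters: disable SSH and raise shields first (nothing is exposed if the
# node reconnects), then drop the link, then forget the node key.
[ "$QUIET" = false ] && echo -n "Disconnecting from support network... "
tailscale set --ssh=false --shields-up=true 2>/dev/null || true
tailscale down 2>/dev/null || true
# Support keys are temporary. Log out when this session was on the support tailnet so cached keys cannot keep access alive.
if [ "$PREV_TAILNET" = "$SUPPORT_TAILNET" ] || [ "$PREV_STATE" = "connected" ] || truthful_support_access_state; then
    tailscale logout 2>/dev/null || true
fi
systemctl restart tailscaled 2>/dev/null || service tailscaled restart 2>/dev/null || true

# Wait (bounded, ~10s) until tailscaled answers again. A fixed 2s sleep was used
# before: if the daemon was still restarting, truthful_support_access_state saw
# "unknown" everywhere and the script printed "verified off" without having
# verified anything. An unresponsive daemon is now reported as *unverified*.
TAILSCALED_READY=false
if command -v tailscale >/dev/null 2>&1; then
    for ready_attempt in 1 2 3 4 5 6 7 8 9 10; do
        if tailscale debug prefs >/dev/null 2>&1; then TAILSCALED_READY=true; break; fi
        sleep 1
    done
fi
if ! command -v tailscale >/dev/null 2>&1; then
    # No Tailscale at all: nothing can be active, but record why no check ran.
    [ "$QUIET" = false ] && echo -e "${GREEN}tailscale not installed, nothing to disconnect${NC}"
    write_audit_log "tailscale_disconnected_verified" "note=tailscale_not_installed"
elif [ "$TAILSCALED_READY" = false ]; then
    [ "$QUIET" = false ] && echo -e "${YELLOW}tailscaled not responding; state could not be verified${NC}"
    write_audit_log "tailscale_disconnect_unverified" "reason=tailscaled_unresponsive"
elif truthful_support_access_state; then
    [ "$QUIET" = false ] && echo -e "${RED}failed verification${NC}"
    write_audit_log "tailscale_disconnect_verification_failed"
    echo -e "${RED}Support is still active. Automatic disconnect did not complete.${NC}"
    echo -e "${YELLOW}Run: sudo tailscale set --ssh=false --shields-up=true && sudo tailscale logout && sudo systemctl restart tailscaled${NC}"
    exit 1
else
    [ "$QUIET" = false ] && echo -e "${GREEN}verified off${NC}"
    write_audit_log "tailscale_disconnected_verified"
fi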

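# Remove support user and all associated access
# TERM first, then KILL for anything that ignored TERM: userdel refuses while
# the user still owns processes, and that failure was previously swallowed by
# "|| true" while the audit log still recorded "support_user_removed". The audit
# event now reflects what actually happened.
if id "$SUPPORT_USER" &>/dev/null; then
    [ "$QUIET" = false ] && echo -n "Removing support user... "
    pkill -TERM -u "$SUPPORT_USER" 2>/dev/null || true
    sleep 1
    pgrep -u "$SUPPORT_USER" >/dev/null 2>&1 && { pkill -KILL -u "$SUPPORT_USER" 2>/dev/null || true; sleep 1; }
    # userdel -r exits non-zero when only the home directory could not be removed,
    # so re-check the account itself before calling the removal a failure.
    if userdel -r "$SUPPORT_USER" 2>/dev/null || ! id "$SUPPORT_USER" &>/dev/null; then
        [ "$QUIET" = false ] && echo -e "${GREEN}removed${NC}"
        write_audit_log "support_user_removed" "user=$SUPPORT_USER"
    else
        [ "$QUIET" = false ] && echo -e "${RED}failed${NC}"
        write_audit_log "support_user_removal_failed" "user=$SUPPORT_USER"
        echo -e "${YELLOW}Could not remove user ${SUPPORT_USER}; remove it manually: sudo userdel -r ${SUPPORT_USER}${NC}"
    fi
else
    write_audit_log "support_user_removed" "user=$SUPPORT_USER" "note=not_present"
fi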

# Remove the per-session sudoers drop-in ("diag", presumably created by
# support-on.sh for elevated sessions — its creation is outside this script).
# The install-time drop-in /etc/sudoers.d/agent-support is intentionally left:
# it only grants these scripts, and the menu needs it to keep working.
if [ "$QUIET" = false ]; then echo -n "Removing access rules... "; fi
rm -f -- /etc/sudoers.d/agent-support-diag
if [ "$QUIET" = false ]; then echo -e "${GREEN}done${NC}"; fi
write_audit_log "access_rules_removed"

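# Clean SSH keys from primary user (safety net)
# Keys are matched by their comment field exactly as support-on.sh installs them.
# The comment is not an authenticated identifier, but it is the only handle the
# installer leaves in authorized_keys.
# Arguments: $1 - authorized_keys path (must exist)
# Returns:   sed's status, so a file that cannot be edited is reported instead of
#            aborting the rest of the cleanup under set -e.
strip_support_keys() {
    sed -i \
        -e '/will2381@marc-laptop/d' \
        -e '/brock@bedrock-agent/d' \
        -e '/wrench@setup-Latitude-7320 support/d' \
        "$1" 2>/dev/null
}

KEY_CLEANUP_FAILED=""
if [ -n "$PRIMARY_USER" ]; then
    # getent exits non-zero for an unknown user; with pipefail that used to abort
    # the whole script here, so the firewall and state cleanup below never ran.
    USER_HOME=$(getent passwd "$PRIMARY_USER" 2>/dev/null | cut -d: -f6) || USER_HOME=""
    AUTH_KEYS="${USER_HOME:-/dev/null}/.ssh/authorized_keys"
    if [ -f "$AUTH_KEYS" ]; then
        [ "$QUIET" = false ] && echo -n "Removing support SSH keys... "
        if strip_support_keys "$AUTH_KEYS"; then
            [ "$QUIET" = false ] && echo -e "${GREEN}removed${NC}"
        else
            KEY_CLEANUP_FAILED="$AUTH_KEYS"
            [ "$QUIET" = false ] && echo -e "${RED}failed${NC}"
        fi
    fi
else
    # No usable PRIMARY_USER in the marker: scan every /home account as fallback.
    for user_home in /home/*; do
        auth_file="$user_home/.ssh/authorized_keys"
        [ -f "$auth_file" ] || continue
        strip_support_keys "$auth_file" || KEY_CLEANUP_FAILED="${KEY_CLEANUP_FAILED:+$KEY_CLEANUP_FAILED,}$auth_file"
    done
fi
if [ -n "$KEY_CLEANUP_FAILED" ]; then
    write_audit_log "support_ssh_key_removal_failed" "files=$KEY_CLEANUP_FAILED"
    echo -e "${YELLOW}Could not edit ${KEY_CLEANUP_FAILED}; remove the Bedrock support keys from it by hand.${NC}"
else
    write_audit_log "support_ssh_keys_removed"
fi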

# Firewall cleanup
# Only the rule this tool added (identified by its comment) is removed — never a
# user-defined one. Without ufw, or without the rule, there is nothing to do.
support_ufw_rule_present() {
    command -v ufw &>/dev/null || return 1
    ufw status 2>/dev/null | grep -q "Agent Remote Support"
}
[ "$QUIET" = false ] && echo -n "Cleaning up firewall... "
if support_ufw_rule_present; then
    ufw delete allow in on tailscale0 to any port 22 proto tcp comment 'Agent Remote Support' &>/dev/null || true
    [ "$QUIET" = false ] && echo -e "${GREEN}removed support SSH rule${NC}"
    write_audit_log "firewall_rule_removed" "rule=ssh_on_tailscale0"
else
    [ "$QUIET" = false ] && echo -e "${GREEN}no changes needed${NC}"
fi

# Clean state (preserve agent-id and installed scripts)
# Only the per-session directory goes; /opt/agent-support (scripts, agent-id)
# is deliberately untouched so the tool stays installed for the next session.
rm -f -- "$SUPPORT_MARKER"
rm -rf -- /var/lib/agent-support
write_audit_log "support_disabled"

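# Final report. The fixed lines below restate what was attempted; the audit log
# is the record of what actually succeeded.
# The pager runs as root (this script is reached through a NOPASSWD sudoers
# rule), so less is started in secure mode: LESSSECURE=1 disables its shell
# escape (!), pipe (|) and editor (v) commands, which would otherwise hand the
# operator an unrestricted root shell outside the digest-pinned scripts.
if [ "$QUIET" = false ]; then
    echo ""; echo -e "${GREEN}═══════════════════════════════════════════${NC}"
    echo -e "${GREEN}  Agent Remote Support Disconnected         ${NC}"
    echo -e "${GREEN}═══════════════════════════════════════════${NC}"; echo ""
    echo "  Disconnected from support network"
    echo "  SSH keys removed"
    echo "  Support user removed"
    echo "  Access rules removed"
    echo "  Timeout timer stopped"
    if [ "$RESTORE_ACTION" = "manual_reauth" ]; then
        echo ""
        echo -e "  ${YELLOW}Previous Tailscale network: ${PREV_TAILNET:-unknown}${NC}"
        echo -e "  ${YELLOW}Restore is not automatic, to avoid reconnecting to the wrong network.${NC}"
        echo -e "  ${YELLOW}If you want it back, run: sudo tailscale up${NC}"
    elif [ "$RESTORE_ACTION" = "return_to_support_tailnet" ]; then
        echo ""
        echo -e "  ${YELLOW}This machine was already on the support tailnet before this session.${NC}"
        echo -e "  ${YELLOW}If you want to reconnect, run: sudo tailscale up${NC}"
    fi
    echo ""
    echo "  Audit log: $AUDIT_LOG_FILE"
    echo "  View it with: sudo less $AUDIT_LOG_FILE"
    # Only offer the pager on a real terminal (not when piped or timer-driven).
    if [ -t 0 ] && [ -t 1 ]; then
        echo ""
        read -r -n 1 -p "  View the audit log now? [y/N] "; echo
        if [[ $REPLY =~ ^[Yy]$ ]]; then
            if command -v less &>/dev/null; then
                LESSSECURE=1 less "$AUDIT_LOG_FILE"
            else
                cat "$AUDIT_LOG_FILE"
            fi
        fi
    fi
    echo "  Your machine is no longer accessible remotely."
    echo ""
fi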
SUPPORT_OFF_SCRIPT

# ---- BEGIN support-update.sh ----
cat > "$INSTALL_DIR/support-update.sh" << 'SUPPORT_UPDATE_SCRIPT'
#!/bin/bash
set -euo pipefail

# __VERSION__ is substituted by the installer (e.g. 5.8).
# Both URLs are on the same origin, so the .sha256 file only protects against a
# corrupted or truncated download, not against a compromised server: the TLS
# connection to that origin is the actual trust anchor for updates.
readonly CURRENT_VERSION="__VERSION__"
readonly INSTALLER_URL="https://bedrockadvisorygroup.com/agent-support/install-support.sh"
readonly CHECKSUM_URL="https://bedrockadvisorygroup.com/agent-support/install-support.sh.sha256"
TMP_DIR=""   # set by mktemp below; removed by cleanup() on exit

# Remove the scratch directory created by mktemp -d. Registered as the EXIT
# trap so the downloaded installer never lingers, including on error paths.
cleanup() {
    [[ -n "$TMP_DIR" && -d "$TMP_DIR" ]] || return 0
    rm -rf -- "$TMP_DIR"
}
trap cleanup EXIT

# Preconditions: root (the fetched installer rewrites /opt and sudoers.d) and
# curl (the only fetch method this updater supports).
[ "$EUID" -eq 0 ] || { printf 'Please run with sudo:\n  sudo support-update.sh\n'; exit 1; }

command -v curl >/dev/null 2>&1 || {
    printf 'curl is required to update Remote Support.\nInstall curl, then run this updater again.\n'
    exit 1
}

# Private scratch space (mktemp -d creates it 0700) for the installer and its
# checksum; the EXIT trap removes it.
TMP_DIR=$(mktemp -d)
INSTALLER="$TMP_DIR/install-support.sh"
CHECKSUM="$TMP_DIR/install-support.sh.sha256"

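echo ""
echo "==========================================="
echo "  Agent Remote Support — Update"
echo "==========================================="
echo ""
echo "  Current version: $CURRENT_VERSION"
echo "  Downloading latest approved installer..."

# --proto/--proto-redir pin both the initial request and any redirect to HTTPS:
# with -L alone, a redirect to plain http would be followed silently.
CURL_OPTS=(-fsSL --retry 3 --connect-timeout 15 --proto '=https' --proto-redir '=https')
curl "${CURL_OPTS[@]}" "$INSTALLER_URL" -o "$INSTALLER"
curl "${CURL_OPTS[@]}" "$CHECKSUM_URL" -o "$CHECKSUM"

# The .sha256 file comes from the same origin as the installer, so this check
# catches truncation/corruption, not a compromised or spoofed origin.
EXPECTED_SHA=$(awk '{print $1}' "$CHECKSUM" | head -1)
ACTUAL_SHA=$(sha256sum "$INSTALLER" | awk '{print $1}')
# Require a well-formed digest first: an HTML error page served in place of the
# checksum used to surface only as a confusing "expected: <!DOCTYPE" mismatch.
if [[ ! "$EXPECTED_SHA" =~ ^[0-9a-fA-F]{64}$ ]]; then
    echo "Checksum file is malformed. Update cancelled."
    echo "Got: ${EXPECTED_SHA:-missing}"
    exit 1
fi
if [ "${EXPECTED_SHA,,}" != "$ACTUAL_SHA" ]; then
    echo "Checksum verification failed. Update cancelled."
    echo "Expected: $EXPECTED_SHA"
    echo "Actual:   $ACTUAL_SHA"
    exit 1
fi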

# Sanity checks before the download is executed as root: it must parse, carry
# a VERSION line, and not be older than what is installed (a downgrade served
# from the update URL is treated as an error, not applied).
bash -n "$INSTALLER"
REMOTE_VERSION=$(grep '^VERSION=' "$INSTALLER" | head -1 | cut -d'"' -f2)
if [ -z "$REMOTE_VERSION" ]; then
    echo "Could not read version from downloaded installer. Update cancelled."
    exit 1
fi

echo "  Latest version:  $REMOTE_VERSION"

# Print whichever of the two version strings sorts higher under sort -V.
newer_of() { printf '%s\n%s\n' "$1" "$2" | sort -V | tail -1; }

if [ "$REMOTE_VERSION" = "$CURRENT_VERSION" ]; then
    echo "Remote Support is already current."
    exit 0
fi
if [ "$(newer_of "$CURRENT_VERSION" "$REMOTE_VERSION")" != "$REMOTE_VERSION" ]; then
    echo "Downloaded installer is older than the installed updater. Update cancelled."
    exit 1
fi

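echo "  Installing update..."
# The new installer regenerates /opt/agent-support/support-update.sh — this very
# file — with `cat >`, i.e. truncating it in place on the same inode (unless it
# unlinks the file first, which is outside this script's control). bash reads a
# script incrementally, so any line after that call would be read back from the
# overwritten file. The brace group makes bash parse the whole tail before
# executing any of it, and the explicit exit stops it reading further.
{
    bash "$INSTALLER"
    echo ""
    echo "Remote Support updated to v$REMOTE_VERSION."
    echo ""
    exit 0
}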
SUPPORT_UPDATE_SCRIPT

# ---- BEGIN support-rustdesk.sh ----
cat > "$INSTALL_DIR/support-rustdesk.sh" << 'SUPPORT_RUSTDESK_SCRIPT'
#!/bin/bash
set -euo pipefail

# Pinned release. The downloaded .deb is compared against RUSTDESK_SHA256, so
# the pin — not TLS or GitHub — decides whether an artifact is accepted. Bump
# the version and the hash together when upgrading.
readonly RUSTDESK_VERSION="1.4.6"
readonly RUSTDESK_URL="https://github.com/rustdesk/rustdesk/releases/download/${RUSTDESK_VERSION}/rustdesk-${RUSTDESK_VERSION}-x86_64.deb"
readonly RUSTDESK_SHA256="0da46d7a7b252282ded5323f74319a10c1fa7271001d3b297b3def415c8c8f04"
TMP_DIR=""   # set by mktemp below; removed by cleanup() on exit

# EXIT-trap handler: delete the mktemp scratch directory, if one was created,
# so the downloaded .deb does not outlive the script even on early exits.
cleanup() {
    case "${TMP_DIR}" in
        "") ;;
        *) [ -d "${TMP_DIR}" ] && rm -rf -- "${TMP_DIR}" ;;
    esac
    return 0
}
trap cleanup EXIT

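# Fetch $1 into $2 with the first available tool: python3, then curl, then wget.
# Arguments: $1 - https URL; $2 - destination path.
# Returns:   the fetch tool's status (0 on success); exits 1 when no downloader
#            exists at all.
# curl and wget are pinned to HTTPS (including redirects) so a redirect cannot
# silently downgrade the transfer; python3's urllib has no such switch. The
# caller's SHA256 comparison remains the integrity backstop for all three paths.
# A tool failure now propagates as the function's status instead of being
# masked by an unconditional "return 0".
download_file() {
    local url="$1"
    local output="$2"

    if command -v python3 >/dev/null 2>&1; then
        URL="$url" OUTPUT="$output" python3 - <<'PY' || return
import os
import urllib.request
urllib.request.urlretrieve(os.environ["URL"], os.environ["OUTPUT"])
PY
        return 0
    fi

    if command -v curl >/dev/null 2>&1; then
        curl -fL --retry 3 --connect-timeout 15 --proto '=https' --proto-redir '=https' "$url" -o "$output" || return
        return 0
    fi

    if command -v wget >/dev/null 2>&1; then
        wget --https-only -O "$output" "$url" || return
        return 0
    fi

    echo "Cannot download RustDesk: python3, curl, and wget are all missing."
    exit 1
}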

# Preconditions. Root: apt-get install. Architecture: the pinned .deb is
# x86_64-only. Package manager: the artifact is a Debian package.
[ "$EUID" -eq 0 ] || { printf 'Please run with sudo:\n  sudo support-rustdesk.sh\n'; exit 1; }

ARCH=$(dpkg --print-architecture 2>/dev/null || uname -m)
case "$ARCH" in
    amd64|x86_64) ;;
    *)
        printf 'RustDesk auto-install currently supports x86_64/amd64 Linux only.\nDetected architecture: %s\n' "$ARCH"
        exit 1
        ;;
esac

command -v apt-get >/dev/null 2>&1 || {
    echo "RustDesk auto-install currently requires an apt-based Linux system."
    exit 1
}

echo ""
echo "==========================================="
echo "  Bedrock Support — Install RustDesk"
echo "==========================================="
echo ""

# Idempotent: an existing rustdesk binary (from any source) means nothing to do.
# No version comparison against the pinned release is made.
if command -v rustdesk >/dev/null 2>&1; then
    echo "RustDesk is already installed."
    echo "Open it from the app menu, or run: rustdesk"
    exit 0
fi

# mktemp -d gives a root-only (0700) directory. NOTE(review): apt may warn that
# its _apt user cannot read the .deb there and fall back to an unsandboxed root
# "download" of the local file — presumably harmless; confirm on the target distro.
TMP_DIR=$(mktemp -d)
DEB="$TMP_DIR/rustdesk-${RUSTDESK_VERSION}-x86_64.deb"

echo "Downloading RustDesk v${RUSTDESK_VERSION}..."
download_file "$RUSTDESK_URL" "$DEB"

# The pinned SHA256 is the supply-chain control: whatever the transport delivered
# is rejected unless it is byte-identical to the release the hash was taken from.
echo "Verifying RustDesk download..."
ACTUAL_SHA=$(sha256sum "$DEB" | awk '{print $1}')
if [ "$ACTUAL_SHA" != "$RUSTDESK_SHA256" ]; then
    echo "Checksum verification failed. RustDesk install cancelled."
    echo "Expected: $RUSTDESK_SHA256"
    echo "Actual:   $ACTUAL_SHA"
    exit 1
fi

# apt-get accepts an absolute path to a local .deb and resolves its dependencies.
echo "Installing RustDesk..."
if ! apt-get install -y "$DEB"; then
    echo ""
    echo "RustDesk install did not complete."
    echo "If apt says it cannot lock /var/lib/apt/lists or dpkg, another update is running."
    echo "Wait a few minutes, then choose this menu option again."
    exit 1
fi

echo ""
echo "RustDesk installed."
echo "Open it from the app menu, or run: rustdesk"
echo "Then give Bedrock the RustDesk ID and one-time password."
echo ""
SUPPORT_RUSTDESK_SCRIPT

# ---- BEGIN support-menu.sh ----
cat > "$INSTALL_DIR/support-menu.sh" << 'SUPPORT_MENU_SCRIPT'
#!/bin/bash
set -euo pipefail

# Installed paths and identifiers. CURRENT_VERSION is substituted by the installer.
readonly CURRENT_VERSION="__VERSION__"
readonly INSTALL_DIR="/opt/agent-support"
readonly AGENT_ID_FILE="${INSTALL_DIR}/agent-id"
readonly SUPPORT_MARKER="/var/lib/agent-support/session"
readonly SUPPORT_TAILNET="upgradeya.com"
# Fetched read-only for the version banner; the actual update is support-update.sh.
readonly INSTALLER_URL="https://bedrockadvisorygroup.com/agent-support/install-support.sh"

# Print the persistent agent ID, or "unknown" if the installer never wrote one.
read_agent_id() {
    if [ ! -f "$AGENT_ID_FILE" ]; then
        echo "unknown"
        return 0
    fi
    cat "$AGENT_ID_FILE"
}

# Print the VERSION string of the installer currently published at
# INSTALLER_URL; "unknown" when curl is missing; nothing when the fetch fails
# or times out. Never fatal — this only feeds the status banner.
check_latest_version() {
    command -v curl >/dev/null 2>&1 || { echo "unknown"; return 0; }
    local body
    body=$(curl -fsSL --connect-timeout 5 --max-time 10 "$INSTALLER_URL" 2>/dev/null) || body=""
    printf '%s\n' "$body" | grep '^VERSION=' | head -1 | cut -d'"' -f2 || true
}

# True when the local Tailscale prefs report RunSSH (Tailscale SSH server on).
# Depends on the pretty-printed `tailscale debug prefs` format; false on any error.
menu_tailscale_ssh_enabled() {
    local prefs
    prefs=$(tailscale debug prefs 2>/dev/null) || return 1
    grep -q '"RunSSH": true' <<<"$prefs"
}

# True when the local Tailscale prefs report ShieldsUp (inbound blocked).
# Depends on the pretty-printed `tailscale debug prefs` format; false on any error.
menu_tailscale_shields_up() {
    local prefs
    prefs=$(tailscale debug prefs 2>/dev/null) || return 1
    grep -q '"ShieldsUp": true' <<<"$prefs"
}

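# Print the current tailnet name, or exactly one "unknown" line on any failure.
# The JSON is captured once and each parser is tried on it in turn (python3,
# then a crude grep for MagicDNSSuffix). The previous chain ran python and grep
# as "||" alternatives on separate CLI invocations; because the python snippet
# itself printed "unknown" on a parse error, a failed `tailscale status` under
# pipefail produced two "unknown" lines, and with python3 absent and no
# pipefail it produced none. The grep now tolerates the space tailscale prints
# after the colon.
menu_tailscale_tailnet_name() {
    local json name=""
    json=$(tailscale status --json 2>/dev/null) || json=""
    if [ -z "$json" ]; then
        echo "unknown"
        return 0
    fi
    if command -v python3 >/dev/null 2>&1; then
        name=$(printf '%s' "$json" | python3 -c '
import json, sys
try:
    data = json.load(sys.stdin)
except Exception:
    data = {}
ct = data.get("CurrentTailnet") or {}
print(ct.get("Name") or ct.get("MagicDNSSuffix") or "")
' 2>/dev/null) || name=""
    fi
    if [ -z "$name" ]; then
        name=$(printf '%s' "$json" | grep -o '"MagicDNSSuffix": *"[^"]*"' | head -1 | cut -d'"' -f4) || name=""
    fi
    echo "${name:-unknown}"
}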

# Print a multi-line status block for the menu banner.
# Live Tailscale state decides "active"/"inactive" (same rule as support-off.sh's
# truthful_support_access_state: on the support tailnet, shields down, and
# Tailscale SSH or Funnel on); the marker file only adds detail when readable.
# NOTE(review): the marker is written 0600 in a 0700 root-owned directory while
# this menu runs unprivileged from the launcher, so for a normal user
# marker_state is presumably always "missing" and the level/start/user lines
# never appear — confirm, and consider having support-on.sh expose a
# world-readable subset if they are wanted here.
# The "Connect with" line hard-codes agent-support@ even though SSH_USER is
# read from the marker below; they agree for the default support account.
support_connection_status() {
    local tailnet ip level started ssh_user runssh shieldsup status_text marker_state

    if ! command -v tailscale >/dev/null 2>&1; then
        echo "Support status:  inactive"
        return 0
    fi

    status_text=$(tailscale status 2>&1 || true)
    tailnet=$(menu_tailscale_tailnet_name)
    ip=$(tailscale ip -4 2>/dev/null | head -1 || true)
    runssh="false"
    shieldsup="false"
    # Relies on the pretty-printed `tailscale debug prefs` format.
    tailscale debug prefs 2>/dev/null | grep -q '"RunSSH": true' && runssh="true"
    tailscale debug prefs 2>/dev/null | grep -q '"ShieldsUp": true' && shieldsup="true"
    marker_state="missing"
    [ -r "$SUPPORT_MARKER" ] && marker_state="present"

    # Inactive unless: on the support tailnet AND shields down AND (SSH on OR Funnel on).
    if [ "$tailnet" != "$SUPPORT_TAILNET" ] || [ "$shieldsup" = "true" ] || { [ "$runssh" != "true" ] && ! echo "$status_text" | grep -qi 'Funnel on'; }; then
        echo "Support status:  inactive"
        return 0
    fi

    if [ "$marker_state" = "missing" ]; then
        echo "Support status:  Active Connection"
        echo "State source:    live Tailscale access detected"
    else
        echo "Support status:  Active Connection"
    fi
    echo "Agent ID:        $(read_agent_id)"
    echo "Connection IP:   ${ip:-unknown}"
    if menu_tailscale_ssh_enabled; then
        echo "Tailscale SSH:   enabled"
        echo "Connect with:    tailscale ssh agent-support@${ip:-unknown}"
    else
        echo "Tailscale SSH:   not confirmed"
    fi

    # Marker is parsed with grep/cut (never sourced); -f2- keeps '=' inside values.
    if [ -r "$SUPPORT_MARKER" ]; then
        level=$(grep "^LEVEL=" "$SUPPORT_MARKER" 2>/dev/null | head -1 | cut -d= -f2- || true)
        started=$(grep "^STARTED=" "$SUPPORT_MARKER" 2>/dev/null | head -1 | cut -d= -f2- || true)
        ssh_user=$(grep "^SSH_USER=" "$SUPPORT_MARKER" 2>/dev/null | head -1 | cut -d= -f2- || true)
        [ -n "${level:-}" ] && echo "Support level:   $level"
        [ -n "${ssh_user:-}" ] && echo "SSH user:        $ssh_user"
        [ -n "${started:-}" ] && echo "Started:         $started"
    fi
}

# Print installed vs published version plus a one-line status. A failed version
# check is reported, never fatal.
version_status() {
    local latest newest
    latest="$(check_latest_version)"
    echo "Current version: $CURRENT_VERSION"
    case "$latest" in
        ""|unknown)
            echo "Latest version:  could not check right now"
            return 0
            ;;
    esac
    echo "Latest version:  $latest"
    if [ "$latest" = "$CURRENT_VERSION" ]; then
        echo "Status:          up to date"
        return 0
    fi
    newest=$(printf '%s\n%s\n' "$CURRENT_VERSION" "$latest" | sort -V | tail -1)
    if [ "$newest" = "$latest" ]; then
        echo "Status:          update available"
    else
        echo "Status:          installed test version is newer than public release"
    fi
}

# Interactive entry point: show status, then dispatch one action. Privileged
# scripts are invoked by their absolute /opt path, which is what the
# digest-pinned NOPASSWD sudoers rule written by the installer matches.
clear
cat <<MENU_HEADER
===========================================
  Bedrock Agent Support
===========================================

Agent ID: $(read_agent_id)
MENU_HEADER
version_status
echo ""
support_connection_status
cat <<'MENU_BODY'

Need support?
  Message @BedrockAgentSupportBot on Telegram to create a support ticket.
  Provide your Agent ID and the support code emailed to you.

What would you like to do?
  1) Update Remote Support
  2) Enable Remote Support
  3) Disable Remote Support
  4) Install RustDesk (Remote Desktop Access)
  5) Exit

MENU_BODY
read -r -p "Choose 1-5: " choice

case "$choice" in
    1) sudo "$INSTALL_DIR/support-update.sh" ;;
    2) sudo "$INSTALL_DIR/support-on.sh" ;;
    3) sudo "$INSTALL_DIR/support-off.sh" ;;
    4) sudo "$INSTALL_DIR/support-rustdesk.sh" ;;
    5|"") echo "No changes made." ;;
    *)
        echo "Invalid choice. No changes made."
        exit 1
        ;;
esac
SUPPORT_MENU_SCRIPT

cat > "$INSTALL_DIR/SUPPORT-README.txt" << 'SUPPORT_README'
Agent Remote Support
====================

What this is
------------
This tool lets Bedrock connect to this machine for support when you choose to turn support on.

Support levels
--------------
Before choosing a support level, message @BedrockAgentSupportBot to start a support ticket.
Provide your Agent ID and the support code emailed to you.

1. Review & Troubleshooting
   - Bedrock can connect for review and troubleshooting.
   - No admin changes.
   - Turns off automatically after 24 hours.

2. Full Support
   - Bedrock can connect and make system changes while support is active.
   - Turns off automatically after 24 hours.

3. Ongoing Management
   - Bedrock can stay connected for ongoing maintenance until you turn it off.

What happens when support is turned on
--------------------------------------
- This machine joins Bedrock's support network using Tailscale.
- A temporary support account named `agent-support` is used for access.
- Tailscale SSH is enabled for the session and is reachable only over the support network. If a firewall (ufw) is active, a rule is added that allows SSH on the Tailscale interface only; no port is opened on your normal network.
- If Level 2 or 3 is chosen, Bedrock can perform admin work while support is active.

What happens when support is turned off
---------------------------------------
- The support network connection is closed.
- The `agent-support` account is removed.
- Support access rules are removed.
- The 24-hour expiry timer is stopped, Bedrock's support SSH keys are removed from your authorized_keys file, the support firewall rule is removed, and the session record is deleted. The support scripts themselves stay installed so support can be turned on again later.

Privacy and logging
-------------------
- Support actions are logged locally on this machine.
- For Level 2 and 3, admin command activity may also be logged for review.
- Your normal password is not shared with Bedrock by this tool.

Files installed
---------------
- Main launcher: /opt/agent-support/support-menu.sh
- Enable support: /opt/agent-support/support-on.sh
- Disable support: /opt/agent-support/support-off.sh
- Update support: /opt/agent-support/support-update.sh
- Install RustDesk: /opt/agent-support/support-rustdesk.sh
- Audit log: /var/log/agent-support/support.log

Need more help?
---------------
If you have questions, contact Bedrock before turning support on.
SUPPORT_README

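# Inject configuration into the generated scripts.
# The values land in sed *replacement* text, where `&`, `\` and the `|`
# delimiter are special. sed_escape() neutralises them so an SSH key comment
# (or any future value) containing one of those characters cannot corrupt the
# script or splice in unintended text. Newlines are not handled: none of these
# values may contain one.
sed_escape() {
    printf '%s' "$1" | sed -e 's/[&|\\]/\\&/g'
}
# inject_value PLACEHOLDER VALUE FILE... — replace every PLACEHOLDER in FILE(s).
inject_value() {
    local placeholder="$1" value
    value=$(sed_escape "$2")
    shift 2
    sed -i "s|${placeholder}|${value}|g" "$@"
}
inject_value __SSH_KEY_WILL__ "$SSH_KEY_WILL" "$INSTALL_DIR/support-on.sh"
inject_value __SSH_KEY_BROCK__ "$SSH_KEY_BROCK" "$INSTALL_DIR/support-on.sh"
inject_value __SSH_KEY_WRENCH__ "$SSH_KEY_WRENCH" "$INSTALL_DIR/support-on.sh"
inject_value __SESSION_TIMEOUT_HOURS__ "$SESSION_TIMEOUT_HOURS" "$INSTALL_DIR/support-on.sh"
inject_value __AUDIT_LOG_DIR__ "$AUDIT_LOG_DIR" "$INSTALL_DIR/support-on.sh" "$INSTALL_DIR/support-off.sh"
inject_value __AUDIT_LOG_FILE__ "$AUDIT_LOG_FILE" "$INSTALL_DIR/support-on.sh" "$INSTALL_DIR/support-off.sh"
inject_value __VERSION__ "$VERSION" "$INSTALL_DIR/support-on.sh" "$INSTALL_DIR/support-update.sh" "$INSTALL_DIR/support-menu.sh"

echo "done"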

# Step 2: Persist agent ID
# One line of plain text under /opt; support-menu.sh reads it back with cat.
printf 'Setting agent ID... '
echo "$AGENT_ID" > "$INSTALL_DIR/agent-id"
echo "done"

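# Step 3: Set permissions
# Ownership and mode are the primary control; the digest-pinned sudoers rule
# (Step 4) is what actually stops a modified script from running as root.
# chattr +i is defence in depth and is unsupported on some filesystems, so a
# failure to apply it is now reported instead of silently skipped (the summary
# at the end still advertises "immutable").
echo -n "Locking down scripts... "
chown root:root "$INSTALL_DIR"
chmod 755 "$INSTALL_DIR"
PRIVILEGED_SCRIPTS=(support-on.sh support-off.sh support-update.sh support-rustdesk.sh)
for f in "${PRIVILEGED_SCRIPTS[@]}" support-menu.sh agent-id SUPPORT-README.txt; do
    chown root:root "$INSTALL_DIR/$f"
done
# Privileged scripts are root-only (0700): they are reached through sudo, never run directly.
for f in "${PRIVILEGED_SCRIPTS[@]}"; do chmod 700 "$INSTALL_DIR/$f"; done
chmod 755 "$INSTALL_DIR/support-menu.sh"   # unprivileged launcher
chmod 444 "$INSTALL_DIR/agent-id" "$INSTALL_DIR/SUPPORT-README.txt"
IMMUTABLE_FAILED=""
for f in "${PRIVILEGED_SCRIPTS[@]}" support-menu.sh agent-id; do
    chattr +i "$INSTALL_DIR/$f" 2>/dev/null || IMMUTABLE_FAILED="${IMMUTABLE_FAILED:+$IMMUTABLE_FAILED }$f"
done
if [ -n "$IMMUTABLE_FAILED" ]; then
    echo -e "${YELLOW}done (immutable flag not applied to: ${IMMUTABLE_FAILED}; filesystem may not support chattr — the sudo digest check is still enforced)${NC}"
else
    echo "done"
fi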

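# Step 4: Passwordless sudo with digest verification
PRIMARY_USER=$(find_primary_user)
USER_HOME=$(getent passwd "$PRIMARY_USER" | cut -d: -f6)

echo -n "Configuring sudo access... "
# Digests are taken after the sed injection and permission steps above; any
# later byte change to a script means this rule no longer matches it.
ON_HASH=$(sha256sum "$INSTALL_DIR/support-on.sh" | awk '{print $1}')
OFF_HASH=$(sha256sum "$INSTALL_DIR/support-off.sh" | awk '{print $1}')
UPDATE_HASH=$(sha256sum "$INSTALL_DIR/support-update.sh" | awk '{print $1}')
RUSTDESK_HASH=$(sha256sum "$INSTALL_DIR/support-rustdesk.sh" | awk '{print $1}')

SUDOERS_INSTALL="/etc/sudoers.d/agent-support"
# Write to a temporary name in the same directory, validate, then rename.
# sudo ignores sudoers.d entries whose name contains a '.', so the unvalidated
# file is never consulted, and the rename is atomic: the live rule is never
# half-written and never briefly exists with the default umask. (Previously the
# file was written in place and only removed afterwards if visudo rejected it.)
SUDOERS_TMP=$(mktemp "/etc/sudoers.d/.agent-support.XXXXXX")
cat > "$SUDOERS_TMP" << EOF
# Agent Remote Support v${VERSION} — passwordless sudo for support scripts only
# Scripts verified by SHA256 digest — modified scripts will be rejected
# Installed: $(date -Iseconds)
# Agent ID: ${AGENT_ID}
# Owner: ${PRIMARY_USER}
${PRIMARY_USER} ALL=(root) NOPASSWD: sha256:${ON_HASH} $INSTALL_DIR/support-on.sh, sha256:${OFF_HASH} $INSTALL_DIR/support-off.sh, sha256:${UPDATE_HASH} $INSTALL_DIR/support-update.sh, sha256:${RUSTDESK_HASH} $INSTALL_DIR/support-rustdesk.sh
EOF
# visudo -c also checks mode/owner, so set them before validating.
chmod 440 "$SUDOERS_TMP"
chown root:root "$SUDOERS_TMP"

if visudo -c -f "$SUDOERS_TMP" &>/dev/null; then
    mv -f "$SUDOERS_TMP" "$SUDOERS_INSTALL"
    echo "done"
else
    echo -e "${RED}WARNING: sudoers validation failed — removing${NC}"
    rm -f "$SUDOERS_TMP"
    exit 1
fi
write_audit_log "install_sudo_configured" "sudoers=$SUDOERS_INSTALL"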

# Step 5: Install Tailscale if missing
# Only presence is checked: an already-installed Tailscale is used as-is (no
# version floor). install_tailscale is defined elsewhere in this installer.
# A failed install is reported but not fatal: the scripts are in place and
# Tailscale is only needed once support is actually turned on.
if command -v tailscale &>/dev/null; then
    echo "Tailscale: already installed"
else
    echo -n "Installing Tailscale... "
    if install_tailscale; then
        echo -e "${GREEN}done${NC}"
    else
        echo -e "${YELLOW}Package manager install failed.${NC}"
        echo -e "${YELLOW}Please install Tailscale manually: https://tailscale.com/download${NC}"
        echo -e "${YELLOW}Then run the installer again.${NC}"
    fi
    systemctl enable --now tailscaled 2>/dev/null || true
fi

# Step 6: App menu entry (always trusted — no "run anyway" warning)
# Installed system-wide under /usr/share/applications (root-owned, so desktops
# that only distrust user-writable .desktop files run it without a prompt).
# The launcher runs support-menu.sh unprivileged; the menu calls sudo itself
# for the privileged actions.
# NOTE(review): the Exec value wraps the bash -c body in single quotes. The
# Desktop Entry spec only defines double-quote quoting for Exec arguments;
# GLib-based launchers parse this shell-style and work, but a strictly
# spec-conforming launcher could split the command at the spaces. Confirm on
# the desktops you support, or move the "Press Enter" pause into the menu script.

echo -n "Creating app menu entries... "
rm -f /usr/share/applications/agent-support-enable.desktop /usr/share/applications/agent-support-disable.desktop /usr/share/applications/agent-support-update.desktop 2>/dev/null || true
cat > /usr/share/applications/bedrock-support.desktop << EOF
[Desktop Entry]
Name=Bedrock Agent Support
Comment=Update, enable, disable Bedrock Remote Support, or install RustDesk
Exec=bash -c '$INSTALL_DIR/support-menu.sh; read -p "Press Enter to close..."'
Icon=system-help
Terminal=true
Type=Application
Categories=System;
Keywords=support;remote;agent;update;
EOF
echo "done"

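# Step 6b: Desktop icon (best-effort trust marking)
# This writes as root into a user-owned directory, so the destination is
# unlinked before copying: cp would otherwise follow a pre-planted symlink and
# write through it. Low impact when the primary user is the admin who ran this
# installer, but cheap to avoid. Group is set with "user:" (the login group)
# rather than "user:user", which fails under set -e on systems that do not
# create a per-user group.
DESKTOP_DIR="$USER_HOME/Desktop"
if [ -d "$DESKTOP_DIR" ]; then
    echo -n "Creating desktop shortcut... "
    rm -f "$DESKTOP_DIR/Enable-Support.desktop" "$DESKTOP_DIR/Disable-Support.desktop" "$DESKTOP_DIR/Update-Support.desktop" 2>/dev/null || true
    DESKTOP_FILE="$DESKTOP_DIR/Bedrock-Support.desktop"
    rm -f -- "$DESKTOP_FILE"
    cp -- /usr/share/applications/bedrock-support.desktop "$DESKTOP_FILE"
    chmod +x "$DESKTOP_FILE"
    chown "${PRIMARY_USER}:" "$DESKTOP_FILE"
    # Try to mark as trusted (DE-specific, may not work on all desktops)
    sudo -u "$PRIMARY_USER" gio set "$DESKTOP_FILE" metadata::trusted true 2>/dev/null || true
    echo "done"
fi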

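# Step 7: Home directory symlinks
# ln -n: if a name already exists as a symlink to a directory, replace the link
# itself instead of creating a new link inside that directory. chown "user:"
# uses the login group (see Step 6b); -h changes the link, not the root-owned
# target.
# The sudoers rule names the /opt path; presumably sudo matches the symlinked
# invocation because it compares the resolved file rather than the typed path.
# TODO(review): confirm `sudo ~/support-off.sh` runs without a password prompt on
# the target sudo version, since the summary below advertises it.
echo -n "Creating home shortcuts... "
HOME_LINKS=(support-on.sh support-off.sh support-update.sh support-rustdesk.sh)
for f in "${HOME_LINKS[@]}"; do
    ln -sfn "$INSTALL_DIR/$f" "$USER_HOME/$f"
done
ln -sfn "$INSTALL_DIR/support-menu.sh" "$USER_HOME/bedrock-support.sh"
for f in "${HOME_LINKS[@]}" bedrock-support.sh; do
    chown -h "${PRIMARY_USER}:" "$USER_HOME/$f"
done
echo "done"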

# Install summary. Colour lines keep echo -e so the escape sequences in the
# colour variables are interpreted; the plain text is one heredoc.
# "immutable" below holds only where chattr succeeded in Step 3.
echo ""
echo -e "${GREEN}═══════════════════════════════════════════${NC}"
echo -e "${GREEN}  Agent Remote Support v${VERSION} Installed       ${NC}"
echo -e "${GREEN}═══════════════════════════════════════════${NC}"
cat <<INSTALL_SUMMARY

  Agent ID:   $AGENT_ID
  Version:    $VERSION
  Audit log:  $AUDIT_LOG_FILE
  Scripts:    $INSTALL_DIR/ (root-owned, immutable)
  Sudo:       passwordless, digest-verified
  User:       $PRIMARY_USER
  Timeout:    Level 1/2 auto-expire in ${SESSION_TIMEOUT_HOURS}h

  Start support ticket:
    Message @BedrockAgentSupportBot
    Provide your Agent ID and emailed support code

  Bedrock Support launcher:
    Search 'Bedrock Agent Support' in app menu
    Or double-click 'Bedrock Agent Support' on desktop
    Or run: ~/bedrock-support.sh

  The launcher lets you update, enable, disable support, or install RustDesk.
  Terminal fallback:
    Enable:  sudo ~/support-on.sh
    Disable: sudo ~/support-off.sh
    Update:  sudo ~/support-update.sh
    RustDesk: sudo ~/support-rustdesk.sh
    Optional: sudo ~/support-on.sh --support-key '<key from Bedrock>'

  Uninstall:
    sudo bash install-support.sh --uninstall

  Security:
    Scripts are root-owned and locked (chattr +i)
    Sudo verifies SHA256 hash before execution
    Level 2+ sessions log all sudo I/O to /var/log/sudo-io/
    Level 1/2 sessions auto-expire after ${SESSION_TIMEOUT_HOURS} hours

INSTALL_SUMMARY
