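#!/bin/bash
# HydraGate installer (Tyvern, Inc.).
#
# Validates an enrollment token against the Tyvern cloud, downloads the
# gateway binary, writes its configuration and a systemd unit, and starts
# the service.
#
# Usage:   install.sh --token TOKEN
# Requires: root, x86_64 Linux, curl, systemd.
#
# NOTE: the token is taken from argv, so it is briefly visible to other
# local users via `ps` and ends up in shell history; run this on hosts
# where that is acceptable.
set -euo pipefail

TYVERN_API="https://api.tyvern.com"
RELEASES_URL="https://releases.tyvern.com"
INSTALL_DIR="/usr/bin"
CONFIG_DIR="/etc/hydragate"
DATA_DIR="/var/lib/hydragate"
LOG_DIR="/var/log/hydragate"

RED='\033[0;31m'
GREEN='\033[0;32m'
CYAN='\033[0;36m'
BOLD='\033[1m'
NC='\033[0m'

# Progress line on stdout.   $1 - message
info() { printf "${CYAN} ▸${NC} %s\n" "$1"; }
# Completed-step line on stdout.   $1 - message
success() { printf "${GREEN} ✓${NC} %s\n" "$1"; }
# Error line on stderr, then abort the install with status 1.   $1 - message
fail() { printf "${RED} ✗ %s${NC}\n" "$1" >&2; exit 1; }

#######################################
# Extract one string-valued field from a flat JSON object.
# Arguments: $1 - key name (trusted, script-controlled)
#            $2 - JSON text
# Outputs:   the value on stdout, nothing if the key is absent
# Returns:   always 0 — under `set -o pipefail` a missing key would
#            otherwise make grep fail the pipeline and, via `set -e`,
#            kill the script before the caller's own error message.
#######################################
json_str() {
  printf '%s' "$2" | grep -o "\"$1\":\"[^\"]*\"" | cut -d'"' -f4 || true
}

echo ""
printf "${BOLD}${CYAN}"
echo " ╔═══════════════════════════════════════════════╗"
echo " ║              HydraGate Installer              ║"
echo " ║               by Tyvern, Inc.                 ║"
echo " ╚═══════════════════════════════════════════════╝"
printf "${NC}"
echo ""

TOKEN=""
while [ $# -gt 0 ]; do
  case "$1" in
    --token)
      # Without this guard a bare `--token` dies under set -u with an
      # unhelpful "unbound variable" instead of a usage error.
      [ $# -ge 2 ] || fail "--token requires a value"
      TOKEN="$2"; shift 2 ;;
    --token=*) TOKEN="${1#*=}"; shift ;;
    --help|-h) echo "Usage: install.sh --token TOKEN"; exit 0 ;;
    *) fail "Unknown option: $1" ;;
  esac
done

[ -n "$TOKEN" ] || fail "Enrollment token required. Usage: install.sh --token TOKEN"
[ "$(id -u)" -eq 0 ] || fail "Must be run as root (use sudo)"
[ "$(uname -s)" = "Linux" ] || fail "HydraGate requires Linux"
command -v curl >/dev/null 2>&1 || fail "curl is required but not installed"
ARCH="$(uname -m)"
[ "$ARCH" = "x86_64" ] || fail "Unsupported architecture: $ARCH"
success "Linux $(uname -r) on $ARCH"

info "Validating enrollment token..."
# Escape the two characters that would break a JSON string literal (a
# token containing control characters would still need a real encoder),
# and feed the body to curl on stdin so the secret is not part of curl's
# argv. --proto '=https' refuses any downgrade on redirect; curl's own
# stderr is left visible so a TLS or HTTP failure shows its real cause.
TOKEN_JSON=${TOKEN//\\/\\\\}
TOKEN_JSON=${TOKEN_JSON//\"/\\\"}
RESP=$(printf '{"token": "%s"}' "$TOKEN_JSON" \
  | curl -sSf --proto '=https' --max-time 30 -X POST \
      -H "Content-Type: application/json" -d @- \
      "$TYVERN_API/v1/enroll/validate") \
  || fail "Cannot reach Tyvern cloud. Check your network."

if printf '%s' "$RESP" | grep -q '"error"'; then
  ERR=$(json_str error "$RESP")
  fail "Token validation failed: $ERR"
fi

AGENT_ID=$(json_str agent_id "$RESP")
AGENT_KEY=$(json_str agent_key "$RESP")
# Both are required later (agent_key is written into config.toml); the
# original only checked the id and would have installed a keyless config.
[ -n "$AGENT_ID" ] && [ -n "$AGENT_KEY" ] || fail "Failed to parse agent credentials"
success "Agent registered: $AGENT_ID"

info "Downloading HydraGate gateway..."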
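# Scratch directory, removed on every exit path. Deliberately not called
# TMPDIR: that name is honoured by mktemp and, if it was already exported
# by the caller, the assignment would propagate to every child process
# (install, systemctl, ...) pointing at a directory we delete on exit.
WORK_DIR=$(mktemp -d) || fail "Could not create a temporary directory"
trap 'rm -rf -- "${WORK_DIR:?}"' EXIT

BIN_URL="$RELEASES_URL/latest/x86_64-unknown-linux-gnu/hydragate-gateway"
curl -sSf --proto '=https' --max-time 300 -o "$WORK_DIR/hydragate-gateway" "$BIN_URL" \
  || fail "Download failed"
# TODO(release): verify a checksum or signature published alongside the
# release before installing. An unverified binary fetched from "latest"
# over HTTPS alone is the weakest link in this installer; for now only an
# empty/truncated download is rejected.
[ -s "$WORK_DIR/hydragate-gateway" ] || fail "Download failed: empty file"
success "Downloaded hydragate-gateway"

info "Installing..."
# install(1) sets the final mode itself, so no separate chmod is needed.
install -m 0755 "$WORK_DIR/hydragate-gateway" "$INSTALL_DIR/hydragate-gateway"
id -u hydragate >/dev/null 2>&1 || useradd -r -s /bin/false -d "$DATA_DIR" hydragate
mkdir -p "$CONFIG_DIR/certs" "$CONFIG_DIR/policies" "$DATA_DIR/honeypots" "$LOG_DIR"

# config.toml carries agent_key. Write it under umask 077 (in a subshell
# so the umask does not leak) so the secret never sits in a world-readable
# file, even for the instant between creation and the chmod below.
(
  umask 077
  cat > "$CONFIG_DIR/config.toml" << TOMLEOF
[cloud]
api_url = "$TYVERN_API"
agent_id = "$AGENT_ID"
agent_key = "$AGENT_KEY"
heartbeat_interval = "10s"
telemetry_interval = "5s"

[beacon]
interval = "3s"
epoch_duration = "30s"
port = 41414

[vdf]
min_difficulty = 1000
max_difficulty = 100000
time_cost_ms = 50
memory_cost_kib = 1024
parallelism = 1
cache_size = 10000
cache_ttl = "300s"

[transport]
listen_addr = "0.0.0.0:0"
quic_versions = ["v1"]
max_connections = 10000
idle_timeout = "300s"
keep_alive = "30s"

[risk]
baseline_difficulty = 5000
suspicious_threshold = 30
lockdown_threshold = 70
decay_rate = 0.1
assessment_interval = "60s"
ml_enabled = false

[policy]
default_policies = ["basic-security"]
policy_directory = "$CONFIG_DIR/policies"
reload_interval = "300s"
cache_enabled = true

[api]
listen_addr = "127.0.0.1:8080"
tls_enabled = false
cors_origins = ["*"]
rate_limit = 100

[deception]
enabled = true
honeypot_dir = "$DATA_DIR/honeypots"
default_type = "tarpit"
response_delay_ms = [100, 5000]
max_connections_per_source = 10
tarpit_chunk_size = 1
tarpit_delay = "100ms"

[logging]
level = "info"
format = "json"
syslog = false
TOMLEOF
)
# The service user owns its config tree (the unit grants it write access
# to $CONFIG_DIR). If the gateway never rewrites config.toml, tightening it
# to root:hydragate would stop a compromised gateway from altering its own
# cloud credentials — confirm against the gateway before changing.
chown -R hydragate:hydragate "$CONFIG_DIR" "$DATA_DIR" "$LOG_DIR"
chmod 0640 "$CONFIG_DIR/config.toml"
success "Configuration written"

cat > /etc/systemd/system/hydragate.service << SVCEOF
[Unit]
Description=HydraGate Gateway
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=hydragate
Group=hydragate
ExecStart=$INSTALL_DIR/hydragate-gateway --config $CONFIG_DIR/config.toml
Restart=on-failure
RestartSec=5s
MemoryMax=2G
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
NoNewPrivileges=true
ReadWritePaths=$DATA_DIR $LOG_DIR $CONFIG_DIR

[Install]
WantedBy=multi-user.target
SVCEOF

systemctl daemon-reload
# A failed enable used to abort silently (set -e with stderr discarded).
systemctl enable --quiet hydragate.service 2>/dev/null \
  || fail "Could not enable hydragate.service"
# Starting stays best-effort, but the outcome is reported honestly below
# rather than assumed.
systemctl start hydragate.service || true
sleep 2

success "HydraGate Gateway installed"
# is-active is the strongest check available here: it proves the process
# is up, not that it has reached the dashboard.
if systemctl is-active --quiet hydragate.service; then
  success "Connected to Tyvern dashboard"
  success "All ports now invisible — 0 visible to scanners"
else
  printf "${RED} ✗ %s${NC}\n" \
    "hydragate.service is not running; see: journalctl -u hydragate.service" >&2
fi

echo ""
printf "${BOLD}${GREEN}"
echo " ╔═══════════════════════════════════════════════╗"
echo " ║             HydraGate is now active           ║"
echo " ╚═══════════════════════════════════════════════╝"
printf "${NC}"
echo ""
info "Agent ID: $AGENT_ID"
info "Config: $CONFIG_DIR/config.toml"
info "Dashboard: https://tyvern.com/profile"
echo ""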