Every one-liner Sproobo publishes
Four scripts, each served straight off the control plane and meant to be piped into a shell. All four are idempotent — re-running any of them is safe.
Enroll bootstrap
dl/bootstrap.sh — the script behind Getting started. The dashboard (or sproobo enroll <name> -y) prints it with your server's enroll token already filled in:
SPROOBO_ENROLL_TOKEN='<your-token>' bash -c "$(curl -fsSL 'https://cp.sproobo.com/dl/bootstrap.sh')"Run as root on the target server. It performs nine idempotent steps:
- Detect OS family, architecture, root/sudo, and free disk space.
- Detect whether a foreign process already holds :80/:443.
- Install Docker CE, containerd, buildx, and the compose plugin.
- Configure the Docker daemon (userland-proxy=false) so host firewall rules apply to published container ports.
- Set up the host: the unprivileged sproobo data-owner user and the /var/lib/sproobo tree.
- Install the checksum-verified agent binary and its systemd unit; stage the enroll token.
- Apply the firewall baseline: allow SSH (22) first, then default-deny inbound, then allow 80/443, then enable — SSH is open before the deny ever applies.
- Create the sproobo-int Docker network and start the shared Caddy proxy — unless step 2 found a foreign process on those ports, in which case it steps aside instead of fighting for them.
- Enable and start the agent service, which dials the control plane and enrolls with the staged token.
The token is single-use — it's burned on the first successful enroll. Re-running the same one-liner later is safe — it self-heals a partial bootstrap instead of erroring or duplicating work, since every step checks current state before acting.
First-hour hardening
dl/harden.sh — the host-owner security baseline. It complements bootstrap rather than overlapping it: bootstrap owns Docker and the agent, this script owns SSH, the firewall baseline, and the rest of the host-security posture. Its firewall rules are rule-for-rule identical to bootstrap's, so running both — in either order — never produces conflicting or duplicate rules.
curl -fsSL https://cp.sproobo.com/dl/harden.sh | bashOn a brand-new box, patch it first:
curl -fsSL https://cp.sproobo.com/dl/harden.sh | bash -s -- --upgradeFlags:
- --upgrade — run a full dist-upgrade first. Off by default so an already-live server is never surprise-upgraded.
- --create-admin NAME — create a NOPASSWD-sudo admin user, seeded with root's authorized keys.
- --auto-reboot — let unattended-upgrades reboot at 04:00 when a patch requires it.
- --no-swap — skip swapfile creation.
What it hardens:
- SSH, key-only — with two lockout guards: password auth is disabled only once an authorized_keys is confirmed for root or a sudoer, and the merged config is validated with sshd -t before a reload (never a restart), with rollback if validation fails.
- Firewall (ufw) — SSH allowed first, then 80/443, then default-deny inbound. Identical rule set to bootstrap's.
- fail2ban — an sshd jail over the systemd journal.
- Kernel sysctls — spoofing/redirect/martian hardening, without touching IP forwarding (Docker needs it).
- Unattended security upgrades — security-origin packages only, no automatic reboot unless --auto-reboot.
- Swap — a swapfile sized to the box's RAM (capped) when none exists.
- journald cap — bounded log storage so logs can't fill the disk.
Debian-family only (Ubuntu 22.04/24.04/26.04, Debian 12/13) — fails loud elsewhere.
CLI installer
cli/install.sh — installs the sproobo CLI.
curl -fsSL https://cp.sproobo.com/cli/install.sh | shResolves the latest version from the control plane's manifest, downloads the binary for your OS and architecture, and verifies its sha256 against the published checksums before installing it.
Agent Skill installer
skill/install.sh — installs the Sproobo Agent Skill, which teaches a coding agent to drive the CLI directly.
curl -fsSL https://cp.sproobo.com/skill/install.sh | shFlags:
- --tool claude|codex|cursor — which agent tool to install for (default: claude).
- --project — install into the current repo (./.<tool>/skills/) instead of your home directory.
Re-run any time to update — it overwrites the skill files in place.
Next
- Walk the full enroll-to-deploy flow on Getting started.
- See what the CLI and the agent skill can do once installed — CLI & AI connectors.