MakiseKurisu/espressobin.sh

## espressobin.sh
# Install dependency for yay
su << EOF
root
pacman-key --init
pacman-key --populate archlinuxarm
pacman -Syu base-devel git go --noconfirm --needed
echo "alarm ALL=(ALL) ALL" >> /etc/sudoers
EOF

# Install yay
git clone https://aur.archlinux.org/yay.git
cd yay

# This command need to be run along as it requires manual input for sudo, use default password: alarm
makepkg -si

cd ..
rm -rf yay

# Install additional packages
yay -S wget ddclient sslh btrfs-progs nginx-mainline certbot certbot-nginx --noconfirm

# Add your SSH key for passwordless login
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "<Your Public Key>" >>  ~/.ssh/authorized_keys

su << EOF
root

# Delete default nginx pages
rm /usr/share/nginx/html/*

# Set up ddclient
cat > /etc/ddclient/ddclient.conf << EOF2
daemon=300                              # check every 300 seconds
syslog=yes                              # log update msgs to syslog
mail=root                               # mail all msgs to root
mail-failure=root                       # mail failed update msgs to root
pid=/var/run/ddclient.pid               # record PID in file.
ssl=yes                                 # use ssl-support.  Works with
                                        # ssl-library
use=web, web=now-dns.com/ip             # get ip from server.
protocol=dyndns2                        # default protocol
server=now-dns.com                    	# default server
login=<email>                           # default login
password=<password>                     # default password
server=now-dns.com, \
<your hostname>
EOF2

# Create scrub services
cat > /etc/systemd/system/btrfs-scrub@.service << EOF2
[Unit]
Description=Btrfs scrub on %f
[Service]
Nice=19
IOSchedulingClass=idle
KillSignal=SIGINT
ExecStart=/usr/bin/btrfs scrub start -B %f
EOF2

cat > /etc/systemd/system/btrfs-scrub@.timer << EOF2
[Unit]
Description=Monthly Btrfs scrub on %f
[Timer]
OnCalendar=monthly
AccuracySec=1d
RandomizedDelaySec=1w
Persistent=true
[Install]
WantedBy=multi-user.target
EOF2

# Set up sshd
sed -i "s/#GatewayPorts no/GatewayPorts yes/" /etc/ssh/sshd_config
sed -i "s/#PasswordAuthentication yes/#asswordAuthentication no/" /etc/ssh/sshd_config
echo "Match address 192.168.1.0/24" >> /etc/ssh/sshd_config
echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config

# Set up delayed reboot
cat > /etc/systemd/system/reboot.service << EOF2
[Unit]
Description=Reboot system
[Service]
ExecStart=/bin/reboot
EOF2

cat > /etc/systemd/system/reboot.timer << EOF2
[Unit]
Description=Periodically reboot system
[Timer]
OnCalendar=Mon *-*-* 06:00:00
[Install]
WantedBy=timers.target
EOF2

# Set up Let's Encrypt auto renewal
cat > /etc/systemd/system/certbot.service << EOF2
[Unit]
Description=Let's Encrypt renewal
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --agree-tos --deploy-hook "systemctl reload nginx.service"
EOF2

cat > /etc/systemd/system/certbot.timer << EOF2
[Unit]
Description=Twice daily renewal of Let's Encrypt's certificates
[Timer]
OnCalendar=0/12:00:00
RandomizedDelaySec=1h
Persistent=true
[Install]
WantedBy=timers.target
EOF2

# Set up time
timedatectl set-timezone America/Chicago

# Enable configured services
systemctl enable ddclient sslh-select btrfs-scrub@-.timer nginx certbot.timer
EOF

# Update the field with your own info
sudo nano /etc/ddclient/ddclient.conf

# Set up Let's Encrypt
sudo certbot --nginx -n --agree-tos -m <email address> --domains <domains>

# Set up reverse proxy for Jellyfin
su << EOF
root

mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
cat > /etc/nginx/nginx.conf << EOF2
events {
    worker_connections  1024;
}

http {
    server {
        listen 80;
        return 301 https://\$host\$request_uri;
    }

    server {
        listen 8443 ssl http2;
        port_in_redirect off;
        error_page 403 404 = @fallback;

        ssl_certificate /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        add_header Strict-Transport-Security "max-age=31536000" always;
        ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;
        ssl_stapling on;
        ssl_stapling_verify on;

        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";
        add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";

        location / {
            root /usr/share/nginx/html;
            try_files $uri $uri/ =404;
        }

        location @fallback {
            return 444;
        }

        location /jellyfin/ {
            proxy_pass http://SERVER_IP_ADDRESS:8096/jellyfin/;
            proxy_pass_request_headers on;
            proxy_set_header Host \$host;
            proxy_set_header Upgrade \$http_upgrade;
            proxy_set_header Connection \$http_connection;
            proxy_set_header X-Real-IP \$remote_addr;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto \$scheme;
            proxy_set_header X-Forwarded-Host \$http_host;
            proxy_buffering off;
        }

        location /jellyfin/socket {
            proxy_pass http://SERVER_IP_ADDRESS:8096/jellyfin/socket;
            proxy_http_version 1.1;
            proxy_set_header Host \$host;
            proxy_set_header Upgrade \$http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP \$remote_addr;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto \$scheme;
            proxy_set_header X-Forwarded-Host \$http_host;
        }
    }
}
EOF2

EOF
sudo sed -i "s/DOMAIN_NAME/DOMAIN_NAME/" /etc/nginx/nginx.conf
sudo sed -i "s/SERVER_IP_ADDRESS/SERVER_IP_ADDRESS/" /etc/nginx/nginx.conf


# Change password
passwd
sudo passwd

# Reboot to allow new configuration to be applied
sudo reboot

# Change user name, need to login as root
# usermod -l <new_name> alarm
# sed -i "s/alarm/new_name/" /etc/sudoers
	# Install dependency for yay
	su << EOF
	root
	pacman-key --init
	pacman-key --populate archlinuxarm
	pacman -Syu base-devel git go --noconfirm --needed
	echo "alarm ALL=(ALL) ALL" >> /etc/sudoers
	EOF

	# Install yay
	git clone https://aur.archlinux.org/yay.git
	cd yay

	# This command need to be run along as it requires manual input for sudo, use default password: alarm
	makepkg -si

	cd ..
	rm -rf yay

	# Install additional packages
	yay -S wget ddclient sslh btrfs-progs nginx-mainline certbot certbot-nginx --noconfirm

	# Add your SSH key for passwordless login
	mkdir -p ~/.ssh
	chmod 700 ~/.ssh
	echo "<Your Public Key>" >> ~/.ssh/authorized_keys

	su << EOF
	root

	# Delete default nginx pages
	rm /usr/share/nginx/html/*

	# Set up ddclient
	cat > /etc/ddclient/ddclient.conf << EOF2
	daemon=300 # check every 300 seconds
	syslog=yes # log update msgs to syslog
	mail=root # mail all msgs to root
	mail-failure=root # mail failed update msgs to root
	pid=/var/run/ddclient.pid # record PID in file.
	ssl=yes # use ssl-support. Works with
	# ssl-library
	use=web, web=now-dns.com/ip # get ip from server.
	protocol=dyndns2 # default protocol
	server=now-dns.com # default server
	login=<email> # default login
	password=<password> # default password
	server=now-dns.com, \
	<your hostname>
	EOF2

	# Create scrub services
	cat > /etc/systemd/system/btrfs-scrub@.service << EOF2
	[Unit]
	Description=Btrfs scrub on %f
	[Service]
	Nice=19
	IOSchedulingClass=idle
	KillSignal=SIGINT
	ExecStart=/usr/bin/btrfs scrub start -B %f
	EOF2

	cat > /etc/systemd/system/btrfs-scrub@.timer << EOF2
	[Unit]
	Description=Monthly Btrfs scrub on %f
	[Timer]
	OnCalendar=monthly
	AccuracySec=1d
	RandomizedDelaySec=1w
	Persistent=true
	[Install]
	WantedBy=multi-user.target
	EOF2

	# Set up sshd
	sed -i "s/#GatewayPorts no/GatewayPorts yes/" /etc/ssh/sshd_config
	sed -i "s/#PasswordAuthentication yes/#asswordAuthentication no/" /etc/ssh/sshd_config
	echo "Match address 192.168.1.0/24" >> /etc/ssh/sshd_config
	echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config

	# Set up delayed reboot
	cat > /etc/systemd/system/reboot.service << EOF2
	[Unit]
	Description=Reboot system
	[Service]
	ExecStart=/bin/reboot
	EOF2

	cat > /etc/systemd/system/reboot.timer << EOF2
	[Unit]
	Description=Periodically reboot system
	[Timer]
	OnCalendar=Mon --* 06:00:00
	[Install]
	WantedBy=timers.target
	EOF2

	# Set up Let's Encrypt auto renewal
	cat > /etc/systemd/system/certbot.service << EOF2
	[Unit]
	Description=Let's Encrypt renewal
	[Service]
	Type=oneshot
	ExecStart=/usr/bin/certbot renew --quiet --agree-tos --deploy-hook "systemctl reload nginx.service"
	EOF2

	cat > /etc/systemd/system/certbot.timer << EOF2
	[Unit]
	Description=Twice daily renewal of Let's Encrypt's certificates
	[Timer]
	OnCalendar=0/12:00:00
	RandomizedDelaySec=1h
	Persistent=true
	[Install]
	WantedBy=timers.target
	EOF2

	# Set up time
	timedatectl set-timezone America/Chicago

	# Enable configured services
	systemctl enable ddclient sslh-select btrfs-scrub@-.timer nginx certbot.timer
	EOF

	# Update the field with your own info
	sudo nano /etc/ddclient/ddclient.conf

	# Set up Let's Encrypt
	sudo certbot --nginx -n --agree-tos -m <email address> --domains <domains>

	# Set up reverse proxy for Jellyfin
	su << EOF
	root

	mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
	cat > /etc/nginx/nginx.conf << EOF2
	events {
	worker_connections 1024;
	}

	http {
	server {
	listen 80;
	return 301 https://\$host\$request_uri;
	}

	server {
	listen 8443 ssl http2;
	port_in_redirect off;
	error_page 403 404 = @fallback;

	ssl_certificate /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem;
	include /etc/letsencrypt/options-ssl-nginx.conf;
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
	add_header Strict-Transport-Security "max-age=31536000" always;
	ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;
	ssl_stapling on;
	ssl_stapling_verify on;

	add_header X-Frame-Options "SAMEORIGIN";
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Content-Type-Options "nosniff";
	add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";

	location / {
	root /usr/share/nginx/html;
	try_files $uri $uri/ =404;
	}

	location @fallback {
	return 444;
	}

	location /jellyfin/ {
	proxy_pass http://SERVER_IP_ADDRESS:8096/jellyfin/;
	proxy_pass_request_headers on;
	proxy_set_header Host \$host;
	proxy_set_header Upgrade \$http_upgrade;
	proxy_set_header Connection \$http_connection;
	proxy_set_header X-Real-IP \$remote_addr;
	proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto \$scheme;
	proxy_set_header X-Forwarded-Host \$http_host;
	proxy_buffering off;
	}

	location /jellyfin/socket {
	proxy_pass http://SERVER_IP_ADDRESS:8096/jellyfin/socket;
	proxy_http_version 1.1;
	proxy_set_header Host \$host;
	proxy_set_header Upgrade \$http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_set_header X-Real-IP \$remote_addr;
	proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto \$scheme;
	proxy_set_header X-Forwarded-Host \$http_host;
	}
	}
	}
	EOF2

	EOF
	sudo sed -i "s/DOMAIN_NAME/DOMAIN_NAME/" /etc/nginx/nginx.conf
	sudo sed -i "s/SERVER_IP_ADDRESS/SERVER_IP_ADDRESS/" /etc/nginx/nginx.conf


	# Change password
	passwd
	sudo passwd

	# Reboot to allow new configuration to be applied
	sudo reboot

	# Change user name, need to login as root
	# usermod -l <new_name> alarm
	# sed -i "s/alarm/new_name/" /etc/sudoers