Installs Ubuntu using StackScripts for Linodes.
#!/bin/bash
# By Sun Liwen <sunliwen@gmail.com>
# Not fully tested.
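system_primary_ip() {
  # Print the primary IPv4 address assigned to eth0.
  # Parses the legacy net-tools ifconfig layout ("inet addr:A.B.C.D ..."); on
  # a release whose ifconfig prints "inet A.B.C.D" this yields nothing --
  # TODO confirm against the target Ubuntu version.
  # Outputs: the address on stdout; nothing at all when eth0 has no IPv4
  #          address (the original `echo $(...)` emitted a bare newline).
  ifconfig eth0 | awk '/inet addr:/ { sub(/.*addr:/, ""); print $1 }'
}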
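get_rdns() {
  # Look up the PTR record(s) of an IP address with host(1).
  # Arguments: $1 - IP address to resolve
  # Outputs:   the reverse-DNS name(s) on stdout with the trailing dot
  #            stripped; several PTR records are joined by spaces on one
  #            line (preserved from the original -- callers treat the result
  #            as a single hostname, so multi-PTR hosts are likely unexpected).
  # Side effects: installs dnsutils via aptitude when host(1) is missing.
  local ip=$1
  local names
  if ! command -v host >/dev/null 2>&1; then
    aptitude -y install dnsutils > /dev/null
  fi
  names=$(host "$ip" | awk '/pointer/ {print $5}' | sed 's/\.$//')
  # shellcheck disable=SC2086 -- intentionally unquoted: collapses multiple
  # records onto one line exactly as the original `echo $(...)` did.
  echo $names
}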
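get_rdns_primary_ip() {
  # Print the reverse-DNS name of this system's primary (eth0) IPv4 address.
  # Outputs: the name on stdout (an empty line when there is no PTR record).
  local ip
  ip=$(system_primary_ip)
  # Quoted so an empty address reaches get_rdns as "" rather than as no
  # argument at all (the original passed it unquoted).
  get_rdns "$ip"
}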
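prep_system() {
  # Set the hostname, register it in /etc/hosts, set the timezone link and
  # bring the package set up to date.
  # Globals:  HOSTNAME (read; exported from reverse DNS when empty)
  # Side effects: writes /etc/hostname, /etc/hosts, /etc/shells,
  #               /etc/localtime; runs aptitude update / safe-upgrade.
  local short_host primary_ip
  if [[ -z "$HOSTNAME" ]]; then
    # Declaration and assignment kept apart so a failing lookup is not
    # masked by `export`.
    export HOSTNAME
    HOSTNAME=$(get_rdns_primary_ip)
  fi
  # First label of the FQDN (the original reached the same result through an
  # obscure sed expression).
  short_host=${HOSTNAME%%.*}
  primary_ip=$(system_primary_ip)
  printf '%s\n' "$short_host" > /etc/hostname
  printf '%s %s %s\n' "$primary_ip" "$HOSTNAME" "$short_host" >> /etc/hosts
  start hostname
  printf '%s\n' "/usr/sbin/nologin" >> /etc/shells
  # NOTE: the original comment said "set timezone to UTC" while the code
  # links Europe/London. The link is kept as written; change the target if
  # UTC is intended (install_php_fpm sets date.timezone = UTC).
  ln -s -f /usr/share/zoneinfo/Europe/London /etc/localtime
  aptitude update
  aptitude -y safe-upgrade
  aptitude -y install python-software-properties
  aptitude -y install debconf-utils
}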
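install_nginx() {
  # Install nginx (optionally from the nginx/stable PPA), drop in fastcgi
  # defaults, a loopback-only stub_status vhost and the munin nginx plugins.
  # Globals:  NGINX_VERSION (read; "Yes" selects the PPA)
  # Side effects: writes under /etc/nginx and /etc/munin; starts nginx.
  if [[ "$NGINX_VERSION" == "Yes" ]]; then
    add-apt-repository -y ppa:nginx/stable
    aptitude update
  fi
  aptitude -y install nginx
  # Quoted delimiters: nothing in these snippets is meant to be expanded.
  cat <<'EOT' > /etc/nginx/fastcgi_config
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort on;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_max_temp_file_size 0;
fastcgi_index index.php;
EOT
  # Status endpoint bound to loopback only, for munin.
  cat <<'EOT' > /etc/nginx/sites-available/nginx_status
server {
  listen 127.0.0.1:80;
  location /nginx_status {
    stub_status on;
    access_log off;
  }
}
EOT
  # -f: an existing link must not abort a re-run under set -e.
  ln -sf /etc/nginx/sites-available/nginx_status /etc/nginx/sites-enabled/nginx_status
  mkdir -p /etc/munin/plugins/ /etc/munin/plugin-conf.d/
  ln -sf /usr/share/munin/plugins/nginx_request /etc/munin/plugins/nginx_request
  ln -sf /usr/share/munin/plugins/nginx_status /etc/munin/plugins/nginx_status
  # Append the plugin section only once; the file may carry other sections.
  if ! grep -qs '^\[nginx\*\]' /etc/munin/plugin-conf.d/nginx; then
    cat <<'EOT' >> /etc/munin/plugin-conf.d/nginx
[nginx*]
env.url http://localhost/nginx_status
EOT
  fi
  # Enable gzip options before the first start so they apply without a
  # reload (the original edited nginx.conf after starting the service).
  sed -i -e 's/# gzip_types/gzip_types/' -e 's/# gzip_vary/gzip_vary/' /etc/nginx/nginx.conf
  service nginx start
}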
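notification_email() {
  # Mail root that setup has finished, then schedule a reboot in one minute.
  # Side effects: sends mail via mail(1); schedules `shutdown -r +1`.
  local host
  host=$(cat /etc/hostname)
  # Subject built as one quoted word (the original spliced an unquoted
  # backtick substitution into the middle of it).
  mail -s "Linode $host setup complete" root <<'EOT'
Your linode setup is complete, if you encounter problems or would like commercial support email sunliwen@gmail.com. Your linode will reboot shortly after this email is sent.
EOT
  # Backgrounded so the script is not blocked for the one-minute delay.
  # The original `$(shutdown -r +1) &` would also have tried to execute
  # shutdown's own output as a command.
  shutdown -r +1 &
}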
install_php_fpm() {
  # Install PHP-FPM with common extensions and harden/tune php.ini
  # (short tags off, dl() disabled, no version banner, 32M memory limit,
  # UTC timezone, renamed session cookie, file-based error log).
  # Side effects: edits /etc/php5/fpm/php.ini and /etc/php5/conf.d/mcrypt.ini;
  #               creates /var/log/php/ owned by www-data.
  local ini=/etc/php5/fpm/php.ini
  aptitude -y install php5-fpm php5-cli php5-curl php5-gd php5-mcrypt php5-mysql php5-sqlite php-apc
  # Independent single-line substitutions: one pass is equivalent to the
  # original sequence of separate sed -i calls.
  sed -i \
    -e 's/short_open_tag = On/short_open_tag = Off/' \
    -e 's/disable_functions =/disable_functions = dl/' \
    -e 's/expose_php = On/expose_php = Off/' \
    -e 's/memory_limit = 128M/memory_limit = 32M/' \
    -e 's/;arg_separator.output/arg_separator.output/' \
    -e 's/;date.timezone =/date.timezone = UTC/' \
    -e 's/session.name = PHPSESSID/session.name = SESSID/' \
    -e 's@;error_log = syslog@error_log = /var/log/php/error.log@' \
    "$ini"
  mkdir -p /var/log/php/
  chown www-data /var/log/php/
  # Turn the mcrypt ini's '#' comments into ';' (first '#' per line only).
  sed -i 's/#/;/' /etc/php5/conf.d/mcrypt.ini
}
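install_mysql() {
  # Install MySQL non-interactively and drop tuning snippets into conf.d.
  # Globals:  MYSQL_PASSWORD (read; preseeded via debconf and written to
  #           /root/.my.cnf)
  # Side effects: writes /etc/mysql/conf.d/*.cnf and /root/.my.cnf (0400).
  local innodb_memory
  # Preseed the root password so the installer does not prompt. The value
  # travels on stdin, not argv, so it is not visible in `ps`.
  debconf-set-selections <<EOT
mysql-server-5.5 mysql-server/root_password password $MYSQL_PASSWORD
mysql-server-5.5 mysql-server/root_password_again password $MYSQL_PASSWORD
EOT
  aptitude -y install mysql-server mysql-client
  # About a third of RAM for the buffer pool: MemTotal is in kB, /3072 = MB/3.
  innodb_memory=$(awk '/MemTotal/ {print int($2/3072)}' /proc/meminfo)
  cat <<EOT > /etc/mysql/conf.d/innodb.cnf
[mysqld]
innodb_file_per_table
innodb_buffer_pool_size=${innodb_memory}M
innodb_additional_mem_pool_size=8M
EOT
  # Default character set utf8.
  cat <<'EOT' > /etc/mysql/conf.d/charset.cnf
[mysqld]
character-set-server=utf8
collation-server=utf8_general_ci
EOT
  # Slow-query logging to a table, as MySQL Workbench expects.
  cat <<'EOT' > /etc/mysql/conf.d/logging.cnf
[mysqld]
slow_query_log = 1
slow_query_log_file = /var/log/mysql/mysql-slow.log
long_query_time = 1
log-queries-not-using-indexes
log-output=TABLE
EOT
  # Fixed pid-file path across installations.
  cat <<'EOT' > /etc/mysql/conf.d/pid.cnf
[mysqld]
pid-file = /var/lib/mysql/mysqld.pid
EOT
  # Cap simultaneous connections at 20.
  cat <<'EOT' > /etc/mysql/conf.d/connections.cnf
[mysqld]
max_connections = 20
EOT
  # Shrink MyISAM buffers: InnoDB is assumed for real tables.
  cat <<'EOT' > /etc/mysql/conf.d/myisam.cnf
[mysqld]
key_buffer_size = 256k
read_buffer_size = 256k
read_rnd_buffer_size = 256k
EOT
  # Root credentials for the mysql client. Create the file with its final
  # mode first so the password is never world-readable, even briefly (the
  # original wrote the file and only then chmod'ed it).
  install -m 0400 -o root -g root /dev/null /root/.my.cnf
  cat <<EOT > /root/.my.cnf
[client]
user=root
password=$MYSQL_PASSWORD
EOT
}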
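install_postfix() {
  # Install postfix as a loopback-only "Internet Site" and route local mail
  # for root (and the admin user) to ROOT_EMAIL.
  # Globals:  HOSTNAME, ROOT_EMAIL, USER_NAME (read)
  # Side effects: appends to /etc/aliases, writes /etc/mailname, runs newaliases.
  debconf-set-selections <<EOT
postfix postfix/main_mailer_type select Internet Site
postfix postfix/mailname string $HOSTNAME
postfix postfix/destinations string localhost.localdomain, localhost, $HOSTNAME
EOT
  aptitude -y install postfix mailutils
  # Outbound only: listen on loopback, accept nothing from the network.
  /usr/sbin/postconf -e "inet_interfaces = loopback-only"
  # root -> admin address; unprivileged user -> root.
  printf '%s\n' "root: $ROOT_EMAIL" "$USER_NAME: root" >> /etc/aliases
  # Quoted (the original `echo $HOSTNAME` was subject to word splitting).
  printf '%s\n' "$HOSTNAME" > /etc/mailname
  /usr/bin/newaliases
}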
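configure_ssh() {
  # Install the user's public key, move sshd to SSH_PORT and tighten
  # sshd_config (no root login unless requested, no password auth once a
  # key exists, no X11 forwarding, AllowUsers list).
  # Globals:  USER_NAME, USER_SSHKEY, SSH_PORT, SSH_ALLOW_USERS (read)
  # Side effects: writes authorized_keys for the user and root, edits
  #               /etc/ssh/sshd_config, restarts ssh.
  local sshd_config=/etc/ssh/sshd_config
  local user_home=/home/$USER_NAME
  # Create .ssh with the right owner and mode up front. The original ran
  # `sudo -u $USER echo ... >> file`, where the redirection still executed
  # as root, and never set ownership or mode on the .ssh directory itself.
  install -d -m 0700 -o "$USER_NAME" -g "$USER_NAME" "$user_home/.ssh"
  install -d -m 0700 /root/.ssh
  if [[ -n "$USER_SSHKEY" ]]; then
    printf '%s\n' "$USER_SSHKEY" >> "$user_home/.ssh/authorized_keys"
    printf '%s\n' "$USER_SSHKEY" >> /root/.ssh/authorized_keys
    chmod 0600 "$user_home/.ssh/authorized_keys" /root/.ssh/authorized_keys
    chown "$USER_NAME:$USER_NAME" "$user_home/.ssh/authorized_keys"
    # Key-only login once a key is installed.
    sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' "$sshd_config"
  fi
  # SSH_PORT is operator input that lands inside a sed expression: accept
  # digits only, and leave the port alone when it is unset (the original
  # would have written a bare "Port " line).
  if [[ -n "$SSH_PORT" ]]; then
    if [[ ! "$SSH_PORT" =~ ^[0-9]+$ ]]; then
      printf 'configure_ssh: invalid SSH_PORT %q\n' "$SSH_PORT" >&2
      return 1
    fi
    sed -i "s/Port 22/Port $SSH_PORT/" "$sshd_config"
  fi
  # internal-sftp so chrooted sftp users need no binaries inside the jail.
  sed -i 's@Subsystem sftp /usr/lib/openssh/sftp-server@Subsystem sftp internal-sftp@' "$sshd_config"
  if [[ "$SSH_ALLOW_USERS" != *root* ]]; then
    sed -i 's/PermitRootLogin yes/PermitRootLogin no/' "$sshd_config"
  else
    sed -i 's/PermitRootLogin yes/PermitRootLogin without-password/' "$sshd_config"
  fi
  sed -i 's/X11Forwarding yes/X11Forwarding no/' "$sshd_config"
  printf 'AllowUsers %s %s\n' "$USER_NAME" "$SSH_ALLOW_USERS" >> "$sshd_config"
  # Validate before restarting: a broken config should fail the run loudly
  # rather than leave the host without a working sshd.
  /usr/sbin/sshd -t
  /etc/init.d/ssh restart
}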
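configure_user() {
  # Create the unprivileged admin account, grant it sudo and lock root's
  # password (key-based root login is governed separately by configure_ssh).
  # Globals:  USER_NAME, USER_PASSWORD (read)
  # Side effects: useradd/chpasswd/usermod; writes a sudoers drop-in;
  #               runs `passwd -l root`.
  local sudoers_file=/etc/sudoers.d/90-stackscript-user
  useradd -m -s /bin/bash "$USER_NAME"
  # Password goes in on stdin, so it does not appear in the process list.
  printf '%s:%s\n' "$USER_NAME" "$USER_PASSWORD" | chpasswd
  # A drop-in instead of appending to /etc/sudoers: it is syntax-checked
  # with visudo before sudo ever reads it, and a bad entry cannot corrupt
  # the main file. The name is fixed because sudoers.d skips files whose
  # name contains '.' or ends in '~', which a user name might.
  printf '%s ALL=(ALL) ALL\n' "$USER_NAME" > "$sudoers_file"
  chmod 0440 "$sudoers_file"
  if ! visudo -cf "$sudoers_file"; then
    rm -f -- "$sudoers_file"
    printf 'configure_user: invalid sudoers entry for %q\n' "$USER_NAME" >&2
    return 1
  fi
  usermod -a -G adm "$USER_NAME"
  passwd -l root
}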
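install_shorewall() {
  # Install shorewall/shorewall6 from the one-interface example with a DROP
  # policy, and open http/https (optional), rate-limited ssh and the
  # IPsec/L2TP UDP ports on the primary IPv4 address.
  # Globals:  WEBSERVER, SSH_PORT (read)
  # Side effects: writes under /etc/shorewall and /etc/shorewall6, enables
  #               both in /etc/default.
  local ip rules=/etc/shorewall/rules
  aptitude -y install shorewall shorewall6
  cp /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall/
  sed -i 's/BLACKLISTNEWONLY=Yes/BLACKLISTNEWONLY=No/' /etc/shorewall/shorewall.conf
  sed -i 's/REJECT/DROP/' /etc/shorewall/policy
  # Resolve the address once rather than once per rule (the original called
  # ifconfig via backticks in every line). '$FW' is literal shorewall syntax.
  ip=$(system_primary_ip)
  if [[ "$WEBSERVER" != "None" ]]; then
    {
      printf '#accept http/s\n'
      printf 'ACCEPT net $FW:%s tcp 80\n' "$ip"
      printf 'ACCEPT net $FW:%s tcp 443\n' "$ip"
    } >> "$rules"
  fi
  {
    printf '#accept ssh and ratelimit to 5 connections per miniute per ip\n'
    printf 'ACCEPT net $FW:%s tcp %s - - s:ssh:5/min:1\n' "$ip" "$SSH_PORT"
    printf '#accept l2tp/s\n'
    printf 'ACCEPT net $FW:%s udp 500\n' "$ip"
    printf 'ACCEPT net $FW:%s udp 4500\n' "$ip"
  } >> "$rules"
  sed -i 's/STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/' /etc/shorewall/shorewall.conf
  sed -i 's/startup=0/startup=1/' /etc/default/shorewall
  # IPv6 gets the same example with DROP policy and no rules, i.e. nothing
  # is reachable over v6.
  cp /usr/share/doc/shorewall6/examples/one-interface/* /etc/shorewall6/
  sed -i 's/BLACKLISTNEWONLY=Yes/BLACKLISTNEWONLY=No/' /etc/shorewall6/shorewall6.conf
  sed -i 's/REJECT/DROP/' /etc/shorewall6/policy
  sed -i 's/STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/' /etc/shorewall6/shorewall6.conf
  sed -i 's/startup=0/startup=1/' /etc/default/shorewall6
}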
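install_ufw() {
  # Install ufw, open the ports this host serves, enable IP forwarding for
  # the VPN clients and turn the firewall on.
  # Globals:  WEBSERVER, SSH_PORT (read)
  # Side effects: edits /etc/ufw/before.rules, /etc/default/ufw,
  #               /etc/ufw/sysctl.conf and /etc/sysctl.conf; enables ufw.
  local l2tp_rule='-A ufw-before-input -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT'
  aptitude -y install ufw
  # Insert the L2TP-over-IPsec rule into the stock before.rules rather than
  # replacing the whole file: the original overwrite threw away the stock
  # file's chain definitions and loopback/established rules. The rule goes
  # in before the first COMMIT (end of the *filter table), once.
  if ! grep -qF -- '--pol ipsec -p udp --dport 1701' /etc/ufw/before.rules; then
    sed -i "0,/^COMMIT\$/ s|^COMMIT\$|${l2tp_rule}\\nCOMMIT|" /etc/ufw/before.rules
  fi
  # Forwarding is required for VPN clients routed through this host.
  sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
  sed -i \
    -e 's|#net/ipv4/ip_forward=1|net/ipv4/ip_forward=1|' \
    -e 's|#net/ipv6/conf/default/forwarding=1|net/ipv6/conf/default/forwarding=1|' \
    /etc/ufw/sysctl.conf
  sed -i \
    -e 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' \
    -e 's/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=1/' \
    -e 's/#net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 0/' \
    -e 's/#net.ipv4.conf.all.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/' \
    /etc/sysctl.conf
  sysctl -p
  # Allow rules first, enable last, so the firewall never comes up closed.
  if [[ "$WEBSERVER" != "None" ]]; then
    ufw allow www
  fi
  # Must match the port configure_ssh moves sshd to: the original
  # `ufw allow ssh` opened only 22 and would lock the operator out whenever
  # SSH_PORT differs.
  ufw allow "${SSH_PORT:-22}/tcp"
  ufw allow 500/udp
  ufw allow 4500/udp
  # NOTE(review): this also admits plain (non-IPsec) L2TP, which undercuts
  # the "L2TP only over IPsec" intent of the before.rules entry above;
  # remove it once the IPsec policy match is confirmed to work for clients.
  ufw allow 1701/udp
  #ufw allow 1723/tcp
  ufw --force enable
}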
install_monit() {
  # Install monit, enable it at boot, and switch on in monitrc: the daemon
  # interval, a log file, the local mail server, the event queue, alerts to
  # root and the status httpd bound to localhost only.
  # Side effects: edits /etc/default/monit and /etc/monit/monitrc.
  local rc=/etc/monit/monitrc fqdn
  aptitude -y install monit
  sed -i 's/startup=0/startup=1/' /etc/default/monit
  mkdir -p /etc/monit/conf.d/
  fqdn=$(hostname -f)
  # Independent single-line substitutions: one pass equals the original
  # sequence of separate sed -i calls.
  sed -i \
    -e 's/# set daemon 120/set daemon 120/' \
    -e 's/# with start delay 240/with start delay 240/' \
    -e 's/# set logfile syslog facility log_daemon/set logfile \/var\/log\/monit.log/' \
    -e 's/# set mailserver mail.bar.baz,/set mailserver localhost/' \
    -e 's/# set eventqueue/set eventqueue/' \
    -e 's/# basedir \/var\/monit/basedir \/var\/monit/' \
    -e 's/# slots 100 /slots 100/' \
    -e 's/# set alert sysadm@foo.bar/set alert root@localhost reminder 180/' \
    -e 's/# set httpd port 2812 and/ set httpd port 2812 and/' \
    -e 's/# use address localhost/use address localhost/' \
    -e 's/# allow localhost/allow localhost/' \
    -e "s/# set mail-format { from: monit@foo.bar }/set mail-format { from: monit@$fqdn }/" \
    "$rc"
}
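install_munin() {
  # Install munin master and node (node bound to loopback), enable the
  # postfix/netstat plugins and point the mysql plugins at mysqladmin.
  # Side effects: edits /etc/munin/*, appends to /etc/aliases, runs
  #               newaliases when present.
  local fqdn
  aptitude -y install munin munin-node libcache-cache-perl libdbd-mysql-perl
  # munin-node listens on loopback only.
  sed -i 's/host \*/host 127.0.0.1/' /etc/munin/munin-node.conf
  fqdn=$(hostname -f)
  sed -i "s/localhost.localdomain/$fqdn/" /etc/munin/munin.conf
  printf '%s\n' "munin: root" >> /etc/aliases
  sed -i "s#\[mysql\*\]#[mysql*]\nenv.mysqladmin /usr/bin/mysqladmin#" /etc/munin/plugin-conf.d/munin-node
  # -f: a missing nfs plugin or an already-present link must not abort the
  # run under set -e (the original rm/ln would).
  rm -f /etc/munin/plugins/nfs*
  ln -sf /usr/share/munin/plugins/postfix_mailstats /etc/munin/plugins/
  ln -sf /usr/share/munin/plugins/netstat /etc/munin/plugins/
  if [[ -x /usr/bin/newaliases ]]; then
    /usr/bin/newaliases
  fi
}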
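install_security() {
  # Install rootkit scanners, log monitoring and fail2ban; tune rkhunter's
  # whitelist/tests and make logwatch's daily mail more detailed.
  # Side effects: edits /etc/rkhunter.conf and /etc/cron.daily/00logwatch;
  #               runs rkhunter --propupd; installs Sys::MemInfo from CPAN.
  aptitude -y install chkrootkit rkhunter logwatch logcheck libsys-cpu-perl fail2ban
  # Sys::MemInfo is pulled from CPAN, as in the original, which ran cpan
  # twice -- presumably the first run only answers cpan's initial setup;
  # confirm. `|| true` replaces the original `set +e` / `set -e` pair,
  # which unconditionally re-enabled -e in the caller whatever its state.
  # NOTE(review): this fetches unsigned code from CPAN over the network as
  # root at build time; mirror or pin it if supply-chain exposure matters.
  echo "yes" | cpan 'Sys::MemInfo' || true
  echo "yes" | cpan 'Sys::MemInfo' || true
  sed -i \
    -e 's/#ALLOWHIDDENDIR=\/dev\/.initramfs/ALLOWHIDDENDIR=\/dev\/.initramfs/' \
    -e 's/#ALLOWHIDDENDIR=\/dev\/.udev/ALLOWHIDDENDIR=\/dev\/.udev/' \
    -e 's/DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"/DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps os_specific"/' \
    /etc/rkhunter.conf
  # Record the file-property baseline now, before later steps change files.
  rkhunter --propupd
  sed -i 's/--output mail/--output mail --detail 10 --range "since 1 days ago" --archives --numeric --service All/' /etc/cron.daily/00logwatch
}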
install_tools() {
  # Install general admin tooling (editors, htop/iotop/iftop, lynx, mytop,
  # screen, sqlite3, cron-apt, ntp, curl, pflogsumm, build tools, ...) and
  # make cron-apt log to syslog and mail only when upgrades are pending.
  # Side effects: appends to /etc/cron-apt/config.
  local -a pkgs=(
    vim nano less htop iotop logrotate lynx mytop nmap screen sqlite3
    cron-apt ntp curl pflogsumm bar apt-show-versions iftop build-essential
  )
  aptitude -y install "${pkgs[@]}"
  printf '%s\n' 'SYSLOGON="always"' 'MAILON="upgrade"' >> /etc/cron-apt/config
}
install_ubuntu_stock_kernel() {
  # Switch to Ubuntu's virtual kernel under legacy grub: root on /dev/xvda,
  # console on hvc0 (reachable via Lish), barrier=0 and ext4 in fstab, and
  # an upstart getty on hvc0.
  # Side effects: edits /boot/grub/menu.lst and /etc/fstab; writes
  #               /etc/init/hvc0.conf.
  local menu=/boot/grub/menu.lst
  aptitude -y install linux-virtual grub
  update-grub -y
  # Independent single-line substitutions: one pass per file equals the
  # original sequence of separate sed -i calls.
  sed -i \
    -e 's#kopt=root=.* ro#kopt=root=/dev/xvda ro#' \
    -e 's#groot=.*#groot=(hd0)#' \
    -e 's/defoptions=quiet splash/defoptions=quiet console=hvc0/' \
    -e 's/# indomU=detect/# indomU=true/' \
    "$menu"
  sed -i -e 's/noatime/barrier=0,noatime/' -e 's/ext3/ext4/' /etc/fstab
  update-grub -y
  chmod 0600 "$menu"
  # Quoted delimiter: the job file contains nothing to expand.
  cat <<'EOT' >/etc/init/hvc0.conf
# hvc - getty
#
# This service maintains a getty on hvc0 from the point the system is
# started until it is shut down again.
start on stopped rc RUNLEVEL=[2345]
stop on runlevel [!2345]
respawn
exec /sbin/getty -8 38400 hvc0
EOT
}
function set_root_profile
{
# Append a coloured root prompt to /root/.profile: "root@<fqdn>", then the
# IPv4 addresses and the global-scope IPv6 addresses (taken from ifconfig at
# login time), then $PWD. Appends on every run, so repeated runs stack
# PS1 definitions in the profile.
# The \$ escapes inside the heredoc are deliberate: they defer the
# expansions to login time instead of evaluating them now.
# Colour reference for the \033[..m codes:
#Black 0;30 Dark Gray 1;30
#Blue 0;34 Light Blue 1;34
#Green 0;32 Light Green 1;32
#Cyan 0;36 Light Cyan 1;36
#Red 0;31 Light Red 1;31
#Purple 0;35 Light Purple 1;35
#Brown 0;33 Yellow 1;33
#Light Gray 0;37 White 1;37
cat <<EOT >> /root/.profile
PS1='\[\033[0;33m\]root@'
#add hostname
PS1=\$PS1\$(hostname -f)'\n'
#add ipv4 addresses
PS1=\$PS1\$(ifconfig | grep -v '127.0.0.1' | awk -F: '/inet addr:/ {print \$2}' | awk '{ print \$1 }')
#add ipv6 addresses
PS1=\$PS1'\n'\$(ifconfig | grep 'Global' | awk -F / '/inet6 addr: / {print \$1}' | awk '{ print \$3 }')
#add current working dir and close colours
PS1=\$PS1'\n\$PWD:\$\033[00m\]\n'
export PS1
EOT
}
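cleanup() {
  # Disable services this host does not need and apply a VM tuning knob.
  # Side effects: stops and disables atd, edits /etc/default/whoopsie when
  #               present, writes /etc/sysctl.d/60-page.conf.
  if [[ -f /etc/init/atd.conf ]]; then
    stop atd
    mv /etc/init/atd.conf /etc/init/atd.conf.noexec
  fi
  # whoopsie (the crash reporter) is not always installed; the original's
  # unconditional `sed -i` on a missing file aborts the run under set -e.
  if [[ -f /etc/default/whoopsie ]]; then
    sed -i 's/true/false/' /etc/default/whoopsie
  fi
  update-locale
  # Raise min_free_kbytes to work around page allocation failures seen on
  # newer kernels.
  printf '%s\n' "vm.min_free_kbytes=6144" > /etc/sysctl.d/60-page.conf
}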
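install_vpn() {
  # Set up an L2TP/IPsec (pre-shared key) VPN with openswan + xl2tpd + pppd,
  # NAT the clients out through this host and persist the NAT/forwarding
  # setup in /etc/rc.local.
  # Globals:  VPN_PSK, VPN_IPRANGE, VPN_SERVICENAME, VPN_USERNAME,
  #           VPN_PASSWORD (read)
  # Side effects: writes /etc/ipsec.conf, /etc/ipsec.secrets,
  #               /etc/xl2tpd/xl2tpd.conf, /etc/ppp/options.xl2tpd,
  #               /etc/ppp/chap-secrets and /etc/rc.local; changes iptables
  #               and sysctls live; starts xl2tpd and restarts ipsec.
  local ip conf each
  # Resolve once instead of via backticks in every heredoc.
  ip=$(system_primary_ip)
  debconf-set-selections <<'EOT'
openswan openswan/install_x509_certificate boolean false
openswan openswan/runlevel_changes note
EOT
  DEBIAN_FRONTEND=noninteractive apt-get install -q -y openswan
  # `>` truncates, so the original rm -rf / touch before each write is
  # unnecessary. Section entries are indented as ipsec.conf requires.
  cat <<EOT > /etc/ipsec.conf
version 2.0
config setup
  nat_traversal=yes
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
  oe=off
  protostack=netkey
conn L2TP-PSK-NAT
  rightsubnet=vhost:%priv,%no
  also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
  authby=secret
  pfs=no
  auto=add
  keyingtries=3
  rekey=no
  ikelifetime=8h
  keylife=1h
  type=transport
  left=$ip
  leftprotoport=17/1701
  right=%any
  rightprotoport=17/%any
EOT
  # Secrets files are created with their final 0600 mode before anything is
  # written, so the PSK and the PPP password are never readable by other
  # users, even briefly (the original left them at the default umask).
  for conf in /etc/ipsec.secrets /etc/ppp/chap-secrets; do
    install -m 0600 -o root -g root /dev/null "$conf"
  done
  cat <<EOT > /etc/ipsec.secrets
$ip %any: PSK "$VPN_PSK"
EOT
  DEBIAN_FRONTEND=noninteractive apt-get install -y xl2tpd
  cat <<EOT > /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
[lns default]
ip range = $VPN_IPRANGE.2-$VPN_IPRANGE.254
local ip = $VPN_IPRANGE.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOT
  cat <<EOT > /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name $VPN_SERVICENAME
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
EOT
  cat <<EOT > /etc/ppp/chap-secrets
$VPN_USERNAME $VPN_SERVICENAME $VPN_PASSWORD *
EOT
  # Persist NAT and forwarding across reboots. Quoted delimiter: $each is
  # rc.local's loop variable, not this script's, so no escaping is needed.
  # NOTE(review): the MASQUERADE rule has no source restriction; consider
  # limiting it to the VPN range ($VPN_IPRANGE.0/24).
  cat <<'EOT' > /etc/rc.local
#!/bin/sh -e
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
  echo 0 > $each/accept_redirects
  echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart
exit 0
EOT
  # Apply the same settings now. The original also ran `clear` twice, which
  # can fail without a terminal (and then abort under set -e), and restarted
  # ipsec / ran `ipsec verify` twice; once is enough.
  iptables --table nat --append POSTROUTING --jump MASQUERADE
  echo 1 > /proc/sys/net/ipv4/ip_forward
  for each in /proc/sys/net/ipv4/conf/*; do
    echo 0 > "$each/accept_redirects"
    echo 0 > "$each/send_redirects"
  done
  xl2tpd
  /etc/init.d/ipsec restart
  ipsec verify
}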
#!/bin/bash
# Originally By Sun Liwen <sunliwen@gmail.com>
# Feel free to donate a beer if you feel this script save some time for you :) - https://www.gittip.com/on/github/sunliwen/
######
#<udf name="INSTALL_MYSQL" label="Install MySQL?" oneOf="Yes,No">
#<udf name="MYSQL_PASSWORD" label="MySQL root password" default="">
#<udf name="NGINX_VERSION" label="Install nginx from PPA" oneOf="Yes,No" example="See https://launchpad.net/~nginx/+archive/stable">
#<udf name="SSH_PORT" label="SSH port" default="22">
#<udf name="USER_NAME" label="Unprivileged User Account" />
#<udf name="USER_PASSWORD" label="Unprivileged User Password" />
#<udf name="USER_SSHKEY" label="Public Key for User" default="" />
#<udf name="SSH_ALLOW_USERS" label="SSH Allow Users directive, leave blank if you don't know what this is" default="" />
#<udf name="ROOT_EMAIL" label="Email alias for root" />
#<udf name="HOSTNAME" label="Hostname" default="" />
#<udf name="WHICH_KERNEL" label="Use ubuntu virtual kernel?" oneOf="No,Yes" />
#<udf name="INSTALL_PHP" label="Install PHP?" oneOf="Yes,No" />
#<udf name="VPN_SERVICENAME" label="VPN Service Name" default="l2tp" example="l2tp" />
#<udf name="VPN_PSK" label="PSK" default="fuckgfw" example="fuckgfw" />
#<udf name="VPN_IPRANGE" label="IP Range" default="10.0.100" example="10.0.100" />
#<udf name="VPN_USERNAME" label="Username" />
#<udf name="VPN_PASSWORD" label="Password" />
######
set -e
# The function library (the first file of this gist) is pulled in by
# Linode's StackScript preprocessor at deploy time.
source <ssinclude StackScriptID="7000"> # Private SS on Linode

# Order matters: prep_system exports HOSTNAME before install_postfix reads
# it, and the firewall is configured before the network services are
# installed.
prep_system
install_ufw
configure_user
configure_ssh
install_postfix

# Optional components selected through the UDF prompts above.
if [[ "$INSTALL_MYSQL" == "Yes" ]]; then install_mysql; fi
if [[ "$INSTALL_PHP" == "Yes" ]]; then install_php_fpm; fi

install_nginx
# Monitoring, intrusion detection and admin tooling.
install_monit
install_munin
install_security
install_tools
# NOTE(review): VPN_PSK's UDF default above is a fixed, published string;
# give each deployment its own pre-shared key.
install_vpn
set_root_profile
cleanup
# Mails root and schedules the reboot.
notification_email