pi-hole on vps
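#!/usr/bin/env bash
# Runbook for turning a fresh Debian VPS into a Pi-hole that only answers DNS
# for one trusted external address. Steps are meant to be run top-down as root;
# several of them (apt upgrade, the pi-hole installer) are interactive.
#
# 🕵️🕵️🕵️ Check
# 1. read https://docs.pi-hole.net/ftldns/interfaces/
# 2. go to www.virustotal.com and check 'https://install.pi-hole.net'
# port 22 is open everywhere
# port 53 is open only for the value of 'YOUR_HOME_EXTERNAL_IP'
### ✏️✏️✏️ fill out
YOUR_HOME_EXTERNAL_IP="w.x.y.z" # your office/home external ip or network cidr
YOUR_VPS_INTERFACE="eth0" # network interface of your vps

# Refuse to continue with the placeholder: the ufw rule below would otherwise be
# built from the literal string "w.x.y.z" and DNS would end up closed or, worse,
# the firewall step would fail half-way through.
if [ "${YOUR_HOME_EXTERNAL_IP}" = "w.x.y.z" ]; then
  echo "edit YOUR_HOME_EXTERNAL_IP before running this script" >&2
  exit 1
fi

# 🍓🍓🍓 pi-hole setup
wget -O basic-install.sh https://install.pi-hole.net # ensure you open/trust 'basic-install.sh'
sudo bash basic-install.sh
apt update
apt upgrade
# reboot
apt install sudo vim iftop htop nmap iperf3 iotop screen
apt install python3-pip
# ansible
echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu bionic main" > /etc/apt/sources.list.d/ansible.list
# NOTE(review): apt-key is deprecated on current Debian releases; a keyring file
# under /etc/apt/keyrings with a signed-by= entry is the replacement. Kept as-is.
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367
apt update
apt install ansible
# etckeeper
ansible-galaxy install sourcejedi.etckeeper
# Quoted heredoc delimiter: nothing in the playbook should be shell-expanded.
cat << 'EOF' > etckeeper.yml
---
- name: Install etckeeper
  hosts: localhost
  connection: local
  become: true
  gather_facts: true
  tasks:
    - name: install etckeeper
      include_role:
        name: sourcejedi.etckeeper
    - name: "initialize /etc path"
      raw: cd /etc && etckeeper init
      register: etckeeper_init
      failed_when: etckeeper_init.rc >= 2
    - name: "perform first commit "
      raw: cd /etc && etckeeper commit "first commit"
      register: etckeeper_commit
      failed_when: etckeeper_commit.rc >= 2
EOF
ansible-playbook etckeeper.yml
# unattended upgrades
apt-get install unattended-upgrades apt-listchanges
ansible-galaxy install hifis.unattended_upgrades
# Quoted heredoc delimiter is essential here: '${distro_codename}' is an apt
# variable that must reach the YAML literally, not be expanded (to "") by bash.
cat << 'EOF' > unattended.yml
---
- name: Unattended upgrades
  hosts: localhost
  connection: local
  become: true
  gather_facts: true
  roles:
    - role: hifis.unattended_upgrades
      unattended_remove_unused_dependencies: true
      unattended_automatic_reboot: true
      # quoted: an unquoted 04:00 is a YAML 1.1 sexagesimal integer (240)
      unattended_automatic_reboot_time: "04:00"
      unattended_update_days: 6
      unattended_origins_patterns:
        - 'origin=Debian,codename=${distro_codename},label=Debian-Security'
        - 'o=Debian,codename=${distro_codename},label=Debian'
      when:
        - ansible_lsb.id == "Debian"
EOF
ansible-playbook unattended.yml
# 🛡️🛡️🛡️ fail2ban
ansible-galaxy install robertdebock.fail2ban
cat << 'EOF' > fail2ban.yml
---
- name: SetupVPS
  hosts: localhost
  connection: local
  become: true
  gather_facts: true
  roles:
    - role: robertdebock.fail2ban
EOF
ansible-playbook fail2ban.yml
# sshd hardening: disable password logins. The check below requires
# "PasswordAuthentication no" to be present, so the sed must write "no" (the
# original wrote "yes" and the script always bailed out here). Make sure a key
# is already installed first, otherwise this locks you out of the box.
if [ ! -s "${HOME}/.ssh/authorized_keys" ]; then
  echo "no authorized_keys found for $(id -un); install an ssh key before disabling passwords" >&2
  exit 1
fi
# match both the commented default and an already-active directive
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
grep -r "PasswordAuthentication no" /etc/ssh/sshd_config || exit
# validate the config before restarting so a typo cannot take sshd down
sshd -t || exit
service ssh restart
# 🔥🔥🔥 ufw
# Default-deny inbound instead of default-allow plus tcp deny ranges: the
# original ranges only covered tcp, which left every udp port other than 53
# reachable from the internet. DNS itself is mostly udp, and "port 53" with no
# /proto covers both tcp and udp.
apt-get install ufw
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh   # consider 'ufw limit ssh' to rate-limit brute force attempts
ufw allow from "${YOUR_HOME_EXTERNAL_IP}" to any port 53
ufw --force enable
ufw status verbose
# ☠️☠️☠️ Enabling pi-hole on non-local networks is [DANGEROUS]
# ⚠️⚠️⚠️ Uncomment only if you understand the consequences ... 'https://docs.pi-hole.net/ftldns/interfaces/#potentially-dangerous-options'
# grep -r local-service /etc/dnsmasq.d/01-pihole.conf && sed -i "s/local-service/interface=${YOUR_VPS_INTERFACE}/g" /etc/dnsmasq.d/01-pihole.conf
# pihole restartdns
# swappiness
grep -r swappiness /etc/sysctl.conf || echo "vm.swappiness=1" >> /etc/sysctl.conf
sysctl -p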