askmrsinh/RaspbianPostInstall.md

## cleanUp.sh
#!/bin/bash

# Remove old Kernel Modules after update
# Be careful with this.
sudo rm -rf /lib/modules/!(*$(uname -r | cut -f1 -d"-")*)

## configure-netdata.sh
#!/bin/bash

bash <(curl -Ss https://my-netdata.io/kickstart.sh) --disable-telemetry --stable-channel

sudo cat << 'EOT' >> /usr/lib/netdata/conf.d/health.d/ri_temp.conf
alarm: 5m_avg_temp
on: sensors.temp_thermal_zone0_thermal_thermal_zone0
os: linux
hosts: RaspberryPi raspberrypi
lookup: average -5m
every: 5m
green: 50
red: 60
warn: $this > $green
crit: $this > $red
delay: down 10m
to:sysadmin
EOT

# manually set registery
# https://docs.netdata.cloud/registry/#run-your-own-registry

## configure-pihole.sh
#!/bin/bash

sudo apt-get install php-zip -y

curl -sSL https://install.pi-hole.net | bash

sudo sed -i.bak d /etc/pihole/adlists.list
sudo cat << EOT > /etc/pihole/adlists.list

# The below list amalgamates several lists we used previously.
# See `https://github.com/StevenBlack/hosts` for details
##StevenBlack's list
#https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
#https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts
#https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling/hosts
#https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/porn/hosts
#https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/social/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn/hosts

##MalwareDomains
https://mirror1.malwaredomains.com/files/justdomains

##Cameleon
http://sysctl.org/cameleon/hosts

##Zeustracker
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist

##Disconnect.me Tracking
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt

##Disconnect.me Ads
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt

##Hosts-file.net
https://hosts-file.net/ad_servers.txt

# Mahakala list. Has been known to block legitimage domains including the entire .com range.
# Warning: Due to the sheer size of this list, the web admin console will be unresponsive
https://adblock.mahakala.is/

##AdAway
https://adaway.org/hosts.txt

##hpHosts
https://hosts-file.net/ad_servers.txt
https://hosts-file.net/grm.txt
https://hosts-file.net/exp.txt
https://hosts-file.net/emd.txt
https://hosts-file.net/psh.txt

##ZeroDot1 CoinBlockerLists
https://zerodot1.gitlab.io/CoinBlockerLists/hosts
EOT

/usr/local/bin/pihole -up && /usr/local/bin/pihole -g

## configure-raspbian.sh
#!/bin/bash

## https://www.raspberrypi.org/documentation/configuration/security.md

read -r -p "Give name for new user: " username
sudo useradd -m $username -G sudo
sudo passwd $username

#sudo deluser -remove-home pi

sudo apt-get install -y needrestart unattended-upgrades
sudo apt-get install -y openssh-server
sudo apt-get install -y fail2ban firewall-applet firewall-config ufw
sudo apt-get install -y wireshark

## dailyUpdate.sh
#!/bin/bash

#set -x

lockdir="/tmp/dailyUpdate.lock"
pidfile="$lockdir/$$.pid"

logFile="/var/log/dailyUpdate.log"

if [[ -z "$1" ]]; then
	echo "Script ${0##*/} started manually by $USER."
else
	# Make sure you give the 1st argument as "cron" when using in crontab
	appName=$(dpkg-query -W -f='${binary:Package} ${Version}\n' "$1")
fi

if mkdir "$lockdir" &>/dev/null
then
	echo -e "\n\e[0;32;47m PID $$ successfully acquired lock on $lockdir \e[0m\n"

	# Remove lockdir when the script finishes, or when it receives an EXIT signal
	trap 'rm -rf "$lockdir"; echo -e "\n\e[0;36;47m removed $lockdir \e[0m"' 0

	# Optionally create temporary files in this directory, because
	# they will be removed automatically:
	touch "$pidfile"

	if [[ ! -f "$logFile" ]]; then
		sudo touch $logFile
		sudo chmod 644 $logFile
		#change this!!!
		sudo chown ashesh $logFile
	fi

	ssh 4-1103tx 'DISPLAY=:0 notify-send "ashesh@raspberrypi:~/bin/dailyUpdate.sh" "Starting scheduled update of RaspberryPi." --icon=dialog-information --category=transfer.complete --urgency=normal'

	{ echo; date;	echo "============================"; } >> $logFile

	# Update Packages
	echo "[1] Updating APT's binary cache files" 2>&1 | tee -a $logFile;
	echo "    $(date '+%Y-%m-%d %H:%M:%S')" 2>&1 | tee -a $logFile;
	sudo apt-get update 2>&1 | tee -a $logFile;
	echo "[2] Upgrading installed packages" 2>&1 | tee -a $logFile;
	echo "    $(date '+%Y-%m-%d %H:%M:%S')" 2>&1 | tee -a $logFile;
	sudo apt-get upgrade -y 2>&1 | tee -a $logFile;

	# Update Distribution
	echo "[3] Upgrading distribution" 2>&1 | tee -a $logFile;
	echo "    $(date '+%Y-%m-%d %H:%M:%S')" 2>&1 | tee -a $logFile;
	sudo apt-get dist-upgrade -y 2>&1 | tee -a $logFile;

	# Update Pi-hole
	if [[ -f "/usr/local/bin/pihole" ]]; then
		echo "[4] Updating Pi-hole" 2>&1 | tee -a $logFile;
		echo "    $(date '+%Y-%m-%d %H:%M:%S')" 2>&1 | tee -a $logFile;
		/usr/local/bin/pihole -up 2>&1 | tee -a $logFile;
		/usr/local/bin/pihole -g 2>&1 | tee -a $logFile;
	else
		echo "[4] Pi-hole installation not found" 2>&1 | tee -a $logFile;
		echo "    $(date '+%Y-%m-%d %H:%M:%S')" 2>&1 | tee -a $logFile;
	fi

	# Update Firmware
	if [[ $(sudo JUST_CHECK=1 rpi-update | grep "Firmware update required. New commits available:" | head -n 1) != "" ]]; then
		echo "[5] Updating Firmware" 2>&1 | tee -a $logFile;
		echo "    $(date '+%Y-%m-%d %H:%M:%S')" 2>&1 | tee -a $logFile;
		echo yes | sudo rpi-update 2>&1 | tee -a $logFile
		if [[ "${PIPESTATUS[1]}" -ne 0 && ! -z "$appName" ]]; then
			read -d '' postData << EOF
				{
					"source_device_iden":"$(head -1 ~/.config/pushbullet-source_device_iden | base64 -d)",
					"title":"[$appName] ${0##*/}",
					"body":"Failed to update $HOST firmware using rpi-update to\\\n\\\t\\\"$(ls -t /lib/modules | head -1)\\\". See logfile for details.\\\n$(date)\\\ndisk /\\\n\\\tfree:$(df --output=avail -h / | sed '1d')  used:$(df --output=pcent -h / | sed '1d')",
					"type":"note"
				}
EOF
		elif [[ ! -z "$appName" ]]; then
			read -d '' postData << EOF
				{
					"source_device_iden":"$(head -1 ~/.config/pushbullet-source_device_iden | base64 -d)",
					"title":"[$appName] ${0##*/}",
					"body":"Updated from\\\n\\\t\\\"$(uname -a)\\\"\\\n to\\\n\\\t\\\"$(ls -t /lib/modules | head -1)\\\".\\\n$(date)\\\ndisk /\\\n\\\tfree:$(df --output=avail -h / | sed '1d')  used:$(df --output=pcent -h / | sed '1d')",
					"type":"note"
				}
EOF
		else
			echo -e "\nManual run, not sending Pushbullet Notification.\n"
		fi
		curl --header "Access-Token: $(head -1 ~/.config/pushbullet-access_token | base64 -d)" \
				 --header 'Content-Type: application/json' \
				 --data-binary  "$postData" \
				 --request POST \
		https://api.pushbullet.com/v2/pushes | jq . >> $logFile
		sudo reboot 2>&1 | tee -a $logFile;
	fi

	ssh 4-1103tx 'DISPLAY=:0 notify-send "ashesh@raspberrypi:~/bin/dailyUpdate.sh" "Completed scheduled update of RaspberryPi." --icon=dialog-information --category=transfer.complete --urgency=normal'

else
	echo -e "\n\e[0;31;47m PID $$ cannot acquire lock on $lockdir, exiting \e[0m\n"
	exit 0
fi

#set +x

## install-packages.sh
#!/bin/bash

sudo apt install -y network-manager iotop
sudo apt install -y network-manager-gtk

## RaspbianPostInstall.md

      
    Raw
  

              RaspbianPostInstall.md
            
          
    Scripts to setup Raspbian

configure-pihole.sh configure-raspbian.sh cleanUp.sh dailyUpdate.sh
	#!/bin/bash

	# Remove old Kernel Modules after update
	# Be careful with this.
	sudo rm -rf /lib/modules/!($(uname -r \| cut -f1 -d"-"))
	#!/bin/bash

	bash <(curl -Ss https://my-netdata.io/kickstart.sh) --disable-telemetry --stable-channel

	sudo cat << 'EOT' >> /usr/lib/netdata/conf.d/health.d/ri_temp.conf
	alarm: 5m_avg_temp
	on: sensors.temp_thermal_zone0_thermal_thermal_zone0
	os: linux
	hosts: RaspberryPi raspberrypi
	lookup: average -5m
	every: 5m
	green: 50
	red: 60
	warn: $this > $green
	crit: $this > $red
	delay: down 10m
	to:sysadmin
	EOT

	# manually set registery
	# https://docs.netdata.cloud/registry/#run-your-own-registry
	#!/bin/bash

	sudo apt-get install php-zip -y

	curl -sSL https://install.pi-hole.net \| bash

	sudo sed -i.bak d /etc/pihole/adlists.list
	sudo cat << EOT > /etc/pihole/adlists.list

	# The below list amalgamates several lists we used previously.
	# See `https://github.com/StevenBlack/hosts` for details
	##StevenBlack's list
	#https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
	#https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts
	#https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling/hosts
	#https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/porn/hosts
	#https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/social/hosts
	https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn/hosts

	##MalwareDomains
	https://mirror1.malwaredomains.com/files/justdomains

	##Cameleon
	http://sysctl.org/cameleon/hosts

	##Zeustracker
	https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist

	##Disconnect.me Tracking
	https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt

	##Disconnect.me Ads
	https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt

	##Hosts-file.net
	https://hosts-file.net/ad_servers.txt

	# Mahakala list. Has been known to block legitimage domains including the entire .com range.
	# Warning: Due to the sheer size of this list, the web admin console will be unresponsive
	https://adblock.mahakala.is/

	##AdAway
	https://adaway.org/hosts.txt

	##hpHosts
	https://hosts-file.net/ad_servers.txt
	https://hosts-file.net/grm.txt
	https://hosts-file.net/exp.txt
	https://hosts-file.net/emd.txt
	https://hosts-file.net/psh.txt

	##ZeroDot1 CoinBlockerLists
	https://zerodot1.gitlab.io/CoinBlockerLists/hosts
	EOT

	/usr/local/bin/pihole -up && /usr/local/bin/pihole -g
	#!/bin/bash

	## https://www.raspberrypi.org/documentation/configuration/security.md

	read -r -p "Give name for new user: " username
	sudo useradd -m $username -G sudo
	sudo passwd $username

	#sudo deluser -remove-home pi

	sudo apt-get install -y needrestart unattended-upgrades
	sudo apt-get install -y openssh-server
	sudo apt-get install -y fail2ban firewall-applet firewall-config ufw
	sudo apt-get install -y wireshark
	#!/bin/bash

	#set -x

	lockdir="/tmp/dailyUpdate.lock"
	pidfile="$lockdir/$$.pid"

	logFile="/var/log/dailyUpdate.log"

	if [[ -z "$1" ]]; then
	echo "Script ${0##*/} started manually by $USER."
	else
	# Make sure you give the 1st argument as "cron" when using in crontab
	appName=$(dpkg-query -W -f='${binary:Package} ${Version}\n' "$1")
	fi

	if mkdir "$lockdir" &>/dev/null
	then
	echo -e "\n\e[0;32;47m PID $$ successfully acquired lock on $lockdir \e[0m\n"

	# Remove lockdir when the script finishes, or when it receives an EXIT signal
	trap 'rm -rf "$lockdir"; echo -e "\n\e[0;36;47m removed $lockdir \e[0m"' 0

	# Optionally create temporary files in this directory, because
	# they will be removed automatically:
	touch "$pidfile"

	if [[ ! -f "$logFile" ]]; then
	sudo touch $logFile
	sudo chmod 644 $logFile
	#change this!!!
	sudo chown ashesh $logFile
	fi

	ssh 4-1103tx 'DISPLAY=:0 notify-send "ashesh@raspberrypi:~/bin/dailyUpdate.sh" "Starting scheduled update of RaspberryPi." --icon=dialog-information --category=transfer.complete --urgency=normal'

	{ echo; date; echo "============================"; } >> $logFile

	# Update Packages
	echo "[1] Updating APT's binary cache files" 2>&1 \| tee -a $logFile;
	echo " $(date '+%Y-%m-%d %H:%M:%S')" 2>&1 \| tee -a $logFile;
	sudo apt-get update 2>&1 \| tee -a $logFile;
	echo "[2] Upgrading installed packages" 2>&1 \| tee -a $logFile;
	echo " $(date '+%Y-%m-%d %H:%M:%S')" 2>&1 \| tee -a $logFile;
	sudo apt-get upgrade -y 2>&1 \| tee -a $logFile;

	# Update Distribution
	echo "[3] Upgrading distribution" 2>&1 \| tee -a $logFile;
	echo " $(date '+%Y-%m-%d %H:%M:%S')" 2>&1 \| tee -a $logFile;
	sudo apt-get dist-upgrade -y 2>&1 \| tee -a $logFile;

	# Update Pi-hole
	if [[ -f "/usr/local/bin/pihole" ]]; then
	echo "[4] Updating Pi-hole" 2>&1 \| tee -a $logFile;
	echo " $(date '+%Y-%m-%d %H:%M:%S')" 2>&1 \| tee -a $logFile;
	/usr/local/bin/pihole -up 2>&1 \| tee -a $logFile;
	/usr/local/bin/pihole -g 2>&1 \| tee -a $logFile;
	else
	echo "[4] Pi-hole installation not found" 2>&1 \| tee -a $logFile;
	echo " $(date '+%Y-%m-%d %H:%M:%S')" 2>&1 \| tee -a $logFile;
	fi

	# Update Firmware
	if [[ $(sudo JUST_CHECK=1 rpi-update \| grep "Firmware update required. New commits available:" \| head -n 1) != "" ]]; then
	echo "[5] Updating Firmware" 2>&1 \| tee -a $logFile;
	echo " $(date '+%Y-%m-%d %H:%M:%S')" 2>&1 \| tee -a $logFile;
	echo yes \| sudo rpi-update 2>&1 \| tee -a $logFile
	if [[ "${PIPESTATUS[1]}" -ne 0 && ! -z "$appName" ]]; then
	read -d '' postData << EOF
	{
	"source_device_iden":"$(head -1 ~/.config/pushbullet-source_device_iden \| base64 -d)",
	"title":"[$appName] ${0##*/}",
	"body":"Failed to update $HOST firmware using rpi-update to\\\n\\\t\\\"$(ls -t /lib/modules \| head -1)\\\". See logfile for details.\\\n$(date)\\\ndisk /\\\n\\\tfree:$(df --output=avail -h / \| sed '1d') used:$(df --output=pcent -h / \| sed '1d')",
	"type":"note"
	}
	EOF
	elif [[ ! -z "$appName" ]]; then
	read -d '' postData << EOF
	{
	"source_device_iden":"$(head -1 ~/.config/pushbullet-source_device_iden \| base64 -d)",
	"title":"[$appName] ${0##*/}",
	"body":"Updated from\\\n\\\t\\\"$(uname -a)\\\"\\\n to\\\n\\\t\\\"$(ls -t /lib/modules \| head -1)\\\".\\\n$(date)\\\ndisk /\\\n\\\tfree:$(df --output=avail -h / \| sed '1d') used:$(df --output=pcent -h / \| sed '1d')",
	"type":"note"
	}
	EOF
	else
	echo -e "\nManual run, not sending Pushbullet Notification.\n"
	fi
	curl --header "Access-Token: $(head -1 ~/.config/pushbullet-access_token \| base64 -d)" \
	--header 'Content-Type: application/json' \
	--data-binary "$postData" \
	--request POST \
	https://api.pushbullet.com/v2/pushes \| jq . >> $logFile
	sudo reboot 2>&1 \| tee -a $logFile;
	fi

	ssh 4-1103tx 'DISPLAY=:0 notify-send "ashesh@raspberrypi:~/bin/dailyUpdate.sh" "Completed scheduled update of RaspberryPi." --icon=dialog-information --category=transfer.complete --urgency=normal'

	else
	echo -e "\n\e[0;31;47m PID $$ cannot acquire lock on $lockdir, exiting \e[0m\n"
	exit 0
	fi

	#set +x
	#!/bin/bash

	sudo apt install -y network-manager iotop
	sudo apt install -y network-manager-gtk