|
# VARS

# Login used for SSH and day-to-day administration. Root never logs in over
# SSH directly (PermitRootLogin is switched off in STEP 4), so this is the
# account you actually connect with.
MAIN_USER="bess"

# Account that runs Docker. Kept separate from MAIN_USER so a compromised SSH
# login does not automatically own the container runtime.
# NOTE(review): STEP 7 adds this account to the "docker" group; control of
# the Docker socket is root-equivalent on the host, so this split limits
# accidents rather than a determined attacker.
DOCKER_USER="dock"

# TCP port sshd listens on. Moving off 22 mostly cuts automated scan noise in
# the logs; it is not a security control on its own (PermitRootLogin and
# key-only authentication are what matter). If a firewall is active, allow
# this port before STEP 4 restarts sshd.
SSH_PORT="2222"

# TODO: look at STEP 5 and uncomment it if the NFS mounts are wanted.
|
|
|
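###########################
#
# STEP 1 : install everything except Docker itself
#
# nano       : editor
# sudo       : controlled privilege escalation (configured in STEP 3)
# btop       : CPU / memory / process monitor
# nfs-common : NFS client utilities (used by STEP 5)
# apt-transport-https ca-certificates curl gnupg : needed to add the Docker
#              apt repository in STEP 7
#
###########################

# Everything below writes to /etc and calls apt/useradd/usermod, so refuse to
# run as anyone but root instead of failing half-way with confusing errors.
if [ "$(id -u)" -ne 0 ]; then
    echo " >> This script must be run as root (e.g. sudo bash $0)" >&2
    exit 1
fi

# apt-get is the interface meant for scripts; plain `apt` warns that its CLI
# is not stable. -y is spelled out on every call so nothing can prompt.
apt-get update -qq
apt-get install -qq -y \
    nano \
    sudo \
    btop \
    nfs-common \
    apt-transport-https ca-certificates curl gnupg
apt-get -qq -y --purge autoremove
apt-get -qq -y autoclean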
|
|
|
########################### |
|
# |
|
# STEP 2 : Create a main account for SSH & sudo |
|
# |
|
########################### |
|
|
|
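# Create the main (SSH + sudo) user, its primary group and its home.
user_main="$MAIN_USER"
group_main="$user_main"
home_main="/home/$user_main"

# getent does an exact-name lookup (and goes through NSS, not only the local
# files). The original `grep -Fq bess /etc/group` was a substring match, so
# a group such as "bessie" would have made the script skip creating "bess".
if getent group "$group_main" >/dev/null; then
    echo " >> Groupe existant"
else
    echo " >> Creation de groupe"
    groupadd "$group_main"
fi

if getent passwd "$user_main" >/dev/null; then
    echo " >> User existant,affectation au groupe"
    usermod -aG "$group_main" "$user_main"
else
    echo " >> Création de user & affectation au groupe"
    # -d records the same home we create below; passwd prompts interactively.
    useradd -d "$home_main" -g "$group_main" "$user_main"
    passwd "$user_main"
fi

# Set bash as the login shell (also fixes a pre-existing account)
usermod --shell /bin/bash "$user_main"

if [ -d "$home_main" ]; then
    echo " >> Home directory existant"
else
    echo " >> Création home directory"
    mkdir -p "$home_main"
fi

# Shell customisation for $user_main.
# The here-docs use a quoted delimiter ('EOF') so the text is written
# literally. The original echo "..." had backticks inside the double quotes,
# which ran `dircolors` as root at script time, and $LS_OPTIONS was expanded
# (to nothing, it is never set in this script), so the aliases were written
# as `alias ls='ls '` instead of `alias ls='ls $LS_OPTIONS'`.
cat > "$home_main/.bash_profile" <<'EOF'
if [ -f ~/.bashrc ]; then
source ~/.bashrc
fi
EOF

cat > "$home_main/.bashrc" <<'EOF'

export LS_OPTIONS='--color=auto'
eval "$(dircolors)"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -lia'
alias l='ls $LS_OPTIONS -lA'
EOF

# The files above were written by root: hand the home back to the user and
# keep other accounts out of it (0750 = owner rw, group read, others nothing).
chown -R "$user_main:$group_main" "$home_main"
chmod 750 "$home_main"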
|
|
|
|
|
########################### |
|
# |
|
# STEP 3 : SUDO for main user |
|
# |
|
########################### |
|
|
|
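# Write the sudoers fragment to a temp file and run it through `visudo -c`
# before installing it: a syntax error in /etc/sudoers.d/* makes sudo refuse
# to run at all, and with root SSH login disabled in STEP 4 that would lock
# the administrator out of the box. sudo also requires the file to be
# root-owned and mode 0440, which `install` enforces.
sudoers_file="/etc/sudoers.d/$user_main"
if [ ! -f "$sudoers_file" ]; then
    sudoers_tmp="$(mktemp)"
    cat > "$sudoers_tmp" <<EOF
# Installed by the setup script. Edit with: visudo -f $sudoers_file

# Keep the user's editor preference for sudoedit. The original targeted
# %sudo, a group this user is never added to, so the Defaults never applied.
Defaults:$user_main env_keep += "EDITOR"

# Completely harmless preservation of a user preference.
Defaults:$user_main env_keep += "GREP_COLOR"

# Host alias specification
# Nothing to do, we will use 'ALL'

# User alias specification
User_Alias MY_USERS = $user_main

# Cmnd alias specification
# sudoedit edits a root-owned file through a user-owned copy, so the editor
# itself never runs as root (nano as root has a shell escape and can open
# any file, so it was equivalent to ALL).
# NOTE(review): /usr/bin/su hands out a root shell and /usr/bin/apt can run
# arbitrary commands (e.g. -o APT::Update::Pre-Invoke=...), so this alias is
# still root-equivalent. It documents intent and prevents accidents; it is
# not a privilege boundary. Drop su and apt if a real restriction is wanted.
Cmnd_Alias MY_CMDS = sudoedit, /usr/bin/apt, /usr/bin/su

# Allow MY_USERS to run MY_CMDS as any user on any host
MY_USERS ALL=(ALL) MY_CMDS
EOF
    if visudo -cf "$sudoers_tmp" >/dev/null; then
        install -o root -g root -m 0440 "$sudoers_tmp" "$sudoers_file"
        echo " >> Configuration SUDO installée"
    else
        echo " >> ! sudoers fragment failed the visudo check and was NOT installed" >&2
    fi
    rm -f "$sudoers_tmp"
else
    echo " >> Configuration SUDO déjà présente"
fi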
|
|
|
########################### |
|
# |
|
# STEP 4 : Customize SSH connexion & reload configuration |
|
# |
|
########################### |
|
|
|
|
|
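# sshd drop-in. On Debian/Ubuntu the stock sshd_config begins with
# "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps the first value it
# sees for a keyword, so this file overrides the defaults (check yours).
# Password authentication is deliberately left on: the account was created
# with `passwd` and has no authorized_keys yet, so turning it off here would
# lock you out. Install a key, then add "PasswordAuthentication no" here.
# NOTE(review): on Ubuntu releases where ssh is socket-activated
# (ssh.socket), the listening port comes from the socket unit and "Port"
# in this file is ignored — verify with `ss -tlnp` after the restart.
sshd_dropin="/etc/ssh/sshd_config.d/local.conf"
cat > "$sshd_dropin" <<EOF
# Securisation SSH
Port ${SSH_PORT}
PermitRootLogin no
EOF

# Validate the merged configuration before restarting: sshd with a broken
# config does not come back up, and SSH is the only remote admin path.
if /usr/sbin/sshd -t; then
    systemctl restart ssh
    echo " >> sshd restarted on port ${SSH_PORT}; keep this session open and test a new login before logging out"
else
    echo " >> ! sshd config check failed; removing $sshd_dropin and leaving sshd untouched" >&2
    rm -f "$sshd_dropin"
fi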
|
|
|
########################### |
|
# |
|
# STEP 5 : Mount NFS directories from a Synology NAS
|
# |
|
########################### |
|
|
|
## Create the mount points if they do not exist yet
|
#mkdir -p /mnt/Medias |
|
#mkdir -p /mnt/Photos |
|
#mkdir -p /mnt/BattleStationSynology |
|
# |
|
## Remove previous mount |
|
#umount /mnt/Medias |
|
#umount /mnt/Photos |
|
#umount /mnt/BattleStationSynology |
|
# |
|
## Back up fstab first so a bad edit can be rolled back
|
#timestamp=$(date +%s) |
|
#filename=/etc/fstab |
|
#filename_bk=/etc/fstab_bk_$timestamp |
|
#cp $filename $filename_bk |
|
# |
|
## Remove previous instruction in fstab |
|
#if grep -Fq "#START_CUSTOM_SCRIPT" "$filename"; |
|
#then |
|
# sed -i "/#START_CUSTOM_SCRIPT/ ,/#END_CUSTOM_SCRIPT/d" $filename |
|
#fi |
|
# |
|
## Add instructions in fstab |
|
#echo " |
|
##START_CUSTOM_SCRIPT |
|
#192.168.1.99:/volume1/Medias /mnt/Medias nfs defaults,_netdev,nofail,x-systemd.automount 0 0 |
|
#192.168.1.99:/volume1/photo /mnt/Photos nfs defaults,_netdev,nofail,x-systemd.automount 0 0 |
|
#192.168.1.99:/volume1/BattleStation /mnt/BattleStationSynology nfs defaults,_netdev,nofail,x-systemd.automount 0 0 |
|
##END_CUSTOM_SCRIPT" >> $filename |
|
# |
|
## reload configuration of fstab |
|
#systemctl daemon-reload |
|
# |
|
## Manually Mount binding |
|
#mount /mnt/Medias |
|
#mount /mnt/Photos |
|
#mount /mnt/BattleStationSynology |
|
|
|
########################### |
|
# |
|
# STEP 6 : Change behavior of laptop |
|
# |
|
########################### |
|
|
|
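# Keep the laptop awake when the lid is closed (headless use).
# Only an active, uncommented setting counts: the original `grep -Fq` also
# matched a commented-out "#HandleLidSwitch=ignore" and then skipped the edit.
instructions_lid="HandleLidSwitch=ignore"
logind_conf="/etc/systemd/logind.conf"
if grep -Eq "^[[:space:]]*${instructions_lid}[[:space:]]*$" "$logind_conf"; then
    echo " >> Lid Configuration ok"
elif grep -Eq '^[[:space:]]*HandleLidSwitch=' "$logind_conf"; then
    # A different value is already active: replace it instead of appending a
    # second key (with duplicate keys the last one parsed wins).
    sed -i -E "s/^[[:space:]]*HandleLidSwitch=.*/${instructions_lid}/" "$logind_conf"
    echo " >> Lid Configuration setted"
else
    # logind.conf ships with a single [Login] section, so appending lands the
    # key in that section.
    echo "$instructions_lid" >> "$logind_conf"
    echo " >> Lid Configuration setted"
fi

# Reload logind.conf.
# NOTE(review): on older systemd releases restarting logind could end the
# active sessions — run this from a console or be ready to reconnect.
systemctl restart systemd-logind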
|
|
|
########################### |
|
# |
|
# STEP 7 : Install & configure Docker |
|
# |
|
########################### |
|
|
|
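# Create the group & user dedicated to running Docker.
# NOTE(review): "non-root only" is optimistic — this account is added to the
# docker group further down, which is root-equivalent on the host until
# rootless mode is enabled.
user_docker="$DOCKER_USER"
group_docker="$user_docker"
# The original set `home=/home/$user` ($user is never defined) and then read
# $home_docker, which was unset: `[ -d $home_docker ]` collapsed to `[ -d ]`
# (true), so the home was never created and the final chown had no target.
home_docker="/home/$user_docker"

# Exact-name lookups; the original grep -F matched substrings (e.g. "dock"
# inside any other account or group name).
if getent group "$group_docker" >/dev/null; then
    echo " >> Groupe existant"
else
    echo " >> Creation de groupe"
    groupadd "$group_docker"
fi

if getent passwd "$user_docker" >/dev/null; then
    echo " >> User existant,affectation au groupe"
    usermod -aG "$group_docker" "$user_docker"
else
    echo " >> Création de user & affectation au groupe"
    # -d records the same home we create below; passwd prompts interactively.
    useradd -d "$home_docker" -g "$group_docker" "$user_docker"
    passwd "$user_docker"
fi

# Set bash as the login shell (also fixes a pre-existing account)
usermod --shell /bin/bash "$user_docker"

if [ -d "$home_docker" ]; then
    echo " >> Home directory existant"
else
    echo " >> Création home directory"
    mkdir -p "$home_docker"
fi

# Shell customisation for $user_docker. Quoted here-doc delimiters write the
# text literally; the original echo "..." ran `dircolors` as root at script
# time and expanded $LS_OPTIONS (unset here) to nothing.
cat > "$home_docker/.bash_profile" <<'EOF'
if [ -f ~/.bashrc ]; then
source ~/.bashrc
fi
EOF

cat > "$home_docker/.bashrc" <<'EOF'

export LS_OPTIONS='--color=auto'
eval "$(dircolors)"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -lia'
alias l='ls $LS_OPTIONS -lA'
EOF

# Files above were written by root: give the home back to the user and keep
# other accounts out of it.
chown -R "$user_docker:$group_docker" "$home_docker"
chmod 750 "$home_docker"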
|
|
|
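# Install the Docker apt signing key and repository if not already present.
# signed-by= ties the repository to this one keyring, so the Docker key
# cannot vouch for packages from any other source.
docker_keyring="/usr/share/keyrings/docker.gpg"
if [ ! -f "$docker_keyring" ]; then
    echo " >> gpg key doesn't exist for Docker so we install it"
    # Download to a temp file first and check curl's status. In the original
    # `curl | gpg --dearmor -o` a failed download still left gpg writing a
    # bad keyring, and every later run then skipped this step because the
    # file existed.
    docker_key_tmp="$(mktemp)"
    if curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o "$docker_key_tmp" \
        && gpg --dearmor -o "$docker_keyring" < "$docker_key_tmp"; then
        chmod 0644 "$docker_keyring"
        # Repository for this release, the way Docker's own instructions
        # derive it; falls back to jammy, the value originally hard-coded.
        # NOTE(review): the URL is Ubuntu-specific — Debian hosts need
        # download.docker.com/linux/debian instead.
        codename="$(. /etc/os-release 2>/dev/null && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}")"
        echo "deb [arch=$(dpkg --print-architecture) signed-by=$docker_keyring] https://download.docker.com/linux/ubuntu ${codename:-jammy} stable" \
            > /etc/apt/sources.list.d/docker.list
    else
        echo " >> ! could not fetch or import the Docker gpg key; repository not added" >&2
        rm -f "$docker_keyring"
    fi
    rm -f "$docker_key_tmp"
else
    echo " >> gpg key already exist for Docker"
fi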
|
|
|
# Install the Docker engine, CLI and plugins.
# Rootless-mode components are listed but left commented out; see the
# commented-out rootless section at the end of the script and
# https://docs.docker.com/engine/security/rootless/
#   dbus-user-session, fuse-overlayfs, slirp4netns,
#   uidmap (provides newuidmap / newgidmap)
docker_packages=(
    docker-ce
    docker-ce-cli
    containerd.io
    docker-buildx-plugin
    docker-compose-plugin
    # dbus-user-session
    # fuse-overlayfs
    # slirp4netns
    # uidmap
)

apt update -qq
apt install -qq -y "${docker_packages[@]}"
apt -qq --purge autoremove
apt -qq autoclean
|
|
|
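# Check that the daemon came up. `systemctl is-active --quiet` exits 0 only
# for "active"; the original stored the output in an unquoted variable and
# `[ $retour == "active" ]` is a syntax error when that variable is empty.
if systemctl is-active --quiet docker; then
    echo " >> Doker is Active"
else
    echo " >> ! there is a problem.systemctl is-active docker doesn't answer with 'active' response" >&2
fi

# Let the Docker account talk to the daemon.
# WARNING: membership of the docker group is root-equivalent on this host —
# the daemon runs as root and will bind-mount / or start --privileged
# containers for anyone who can reach its socket. Until the rootless mode at
# the end of this script is enabled, treat $user_docker as an admin account.
usermod -aG docker "$user_docker"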
|
|
|
#systemctl disable --now docker.service docker.socket |
|
|
|
#if [ ! -f /usr/bin/dockerd-rootless-setuptool.sh ]; then |
|
# echo " >> Error, script not found usr/bin/dockerd-rootless-setuptool.sh" |
|
# echo " >> See for more information https://docs.docker.com/engine/security/rootless/#install" |
|
# exit -1 |
|
#fi |
|
|
|
## NOTE(review): as written these two lines would not work — `su $user_docker`
## opens an interactive shell, and the next line only runs (as root) after
## that shell exits. Run the tool as the Docker user in a single command.
## dockerd-rootless-setuptool.sh presumably comes from the
## docker-ce-rootless-extras package, which is not in the install list above.
#su - "$user_docker" -c 'dockerd-rootless-setuptool.sh install'