chris-redbeed/debian-setup.sh

## debian-setup.sh
# Arch Linux Setup: https://gist.github.com/kevinkub/46ce7229ee4f17be710ddd7c5a80a3c3

# Change root password
echo "# Change password of root user"
passwd

# Change hostname
echo "# Change hostname"
hostname
hostname $hostname

# Setup mirror-list
echo "# Finding fastest mirrors"
aptitude -y install netselect netselect-apt
netselect-apt -c germany -t 15 -a amd64

# Self-upgrade
echo "# Update system"
aptitude -y update && aptitude -y safe-upgrade

# Create user
echo "# Create new user"
echo "Please enter username:"
read username
useradd -m $username
passwd $username
chsh -s /bin/bash $username
echo "Please enter public key:"
read publickey
mkdir "/home/"$username"/.ssh/"
echo $publickey > "/home/"$username"/.ssh/authorized_keys"

# Configure sshd
echo "# Configure sshd"
echo "Please enter a ssh port:"
read sshport
echo "# Custom sshd configurations

# Set the ssh port
Port "$sshport"
# Forbid root login
PermitRootLogin no
# End login-attempts after 30s
LoginGraceTime 30s
# Give only one try to auth
MaxAuthTries 1
# Use public key authentication only
PubkeyAuthentication yes
# Find the file in .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
# Use the pam authentication module
UsePAM yes
# Disable password auth
PasswordAuthentication no
# Limit the maximum number of not-logged-in connections to 2
MaxStartups 2
# Print no default message after login as this will be handeled by pam
PrintMotd no
# Load sftp-subsystem (default arch linux)
Subsystem sftp /usr/lib/ssh/sftp-server
# Add permissions for specific users
AllowUsers "$username > /etc/ssh/sshd_config

# Setup firewall
echo "# Setup firewall with ufw."
aptitude -y install ufw
ufw default allow outgoing
ufw default deny incoming
ufw allow $sshport/tcp
ufw limit $sshport/tcp
ufw enable
systemctl start ufw
systemctl enable ufw

# Setup auto-update
echo "# Setup auto-update (unattended-upgrades)"
aptitude -y install unattended-upgrades apt-listchanges

# run "apt-get update" and "upgrade" daily
echo 'APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";' >> /etc/apt/apt.conf.d/20auto-upgrades

# add whiteliste for "Security" updates
echo 'Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};

Unattended-Upgrade::Package-Blacklist {
};' >> /etc/apt/apt.conf.d/50unattended-upgrades

# add mail service (send root info)
echo '[apt]
frontend=pager
confirm=false
email_address=root
save_seen=/var/lib/apt/listchanges.db
which=news' >> /etc/apt/listchanges.conf

# Setup timezone and ntp
timedatectl set-timezone Europe/Berlin
timedatectl set-ntp true

# Good to know:
#   nginx: https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10
#   php: https://www.itzgeek.com/how-tos/linux/debian/how-to-install-php-7-3-7-2-7-1-on-debian-10-debian-9-debian-8.html
#   certbot https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-10
	# Arch Linux Setup: https://gist.github.com/kevinkub/46ce7229ee4f17be710ddd7c5a80a3c3

	# Change root password
	echo "# Change password of root user"
	passwd

	# Change hostname
	echo "# Change hostname"
	hostname
	hostname $hostname

	# Setup mirror-list
	echo "# Finding fastest mirrors"
	aptitude -y install netselect netselect-apt
	netselect-apt -c germany -t 15 -a amd64

	# Self-upgrade
	echo "# Update system"
	aptitude -y update && aptitude -y safe-upgrade

	# Create user
	echo "# Create new user"
	echo "Please enter username:"
	read username
	useradd -m $username
	passwd $username
	chsh -s /bin/bash $username
	echo "Please enter public key:"
	read publickey
	mkdir "/home/"$username"/.ssh/"
	echo $publickey > "/home/"$username"/.ssh/authorized_keys"

	# Configure sshd
	echo "# Configure sshd"
	echo "Please enter a ssh port:"
	read sshport
	echo "# Custom sshd configurations

	# Set the ssh port
	Port "$sshport"
	# Forbid root login
	PermitRootLogin no
	# End login-attempts after 30s
	LoginGraceTime 30s
	# Give only one try to auth
	MaxAuthTries 1
	# Use public key authentication only
	PubkeyAuthentication yes
	# Find the file in .ssh/authorized_keys
	AuthorizedKeysFile .ssh/authorized_keys
	# Use the pam authentication module
	UsePAM yes
	# Disable password auth
	PasswordAuthentication no
	# Limit the maximum number of not-logged-in connections to 2
	MaxStartups 2
	# Print no default message after login as this will be handeled by pam
	PrintMotd no
	# Load sftp-subsystem (default arch linux)
	Subsystem sftp /usr/lib/ssh/sftp-server
	# Add permissions for specific users
	AllowUsers "$username > /etc/ssh/sshd_config

	# Setup firewall
	echo "# Setup firewall with ufw."
	aptitude -y install ufw
	ufw default allow outgoing
	ufw default deny incoming
	ufw allow $sshport/tcp
	ufw limit $sshport/tcp
	ufw enable
	systemctl start ufw
	systemctl enable ufw

	# Setup auto-update
	echo "# Setup auto-update (unattended-upgrades)"
	aptitude -y install unattended-upgrades apt-listchanges

	# run "apt-get update" and "upgrade" daily
	echo 'APT::Periodic::Update-Package-Lists "1";
	APT::Periodic::Unattended-Upgrade "1";' >> /etc/apt/apt.conf.d/20auto-upgrades

	# add whiteliste for "Security" updates
	echo 'Unattended-Upgrade::Origins-Pattern {
	"origin=Debian,codename=${distro_codename},label=Debian-Security";
	};

	Unattended-Upgrade::Package-Blacklist {
	};' >> /etc/apt/apt.conf.d/50unattended-upgrades

	# add mail service (send root info)
	echo '[apt]
	frontend=pager
	confirm=false
	email_address=root
	save_seen=/var/lib/apt/listchanges.db
	which=news' >> /etc/apt/listchanges.conf

	# Setup timezone and ntp
	timedatectl set-timezone Europe/Berlin
	timedatectl set-ntp true

	# Good to know:
	# nginx: https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10
	# php: https://www.itzgeek.com/how-tos/linux/debian/how-to-install-php-7-3-7-2-7-1-on-debian-10-debian-9-debian-8.html
	# certbot https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-10