#!/bin/bash
# Abort on the first failing command (long-form spelling of `set -e`).
set -o errexit
######################################################################
# This Bootstrap Script installs Dokku latest on Ubuntu (use LTS or latest)
#
# This script also installs UFW (firewall), some basic Dokku plugins, and
# raises ulimits. Comment out any step you wish to skip.
#
# IMPORTANT: This script also disables password authentication via SSH for
# subsequent logins (a recommended hardening step). Don't forget to add your SSH
# key to your server before logging out!
######################################################################
# See Comments in the related GitHub Gist below for installation instructions
######################################################################
# DOKKU_TAG=v0.32.4
# Ensure we are running as root
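check_root() {
  # NOTE: relies on $USER from the environment (sudo sets it to root); a stricter
  # check would be `[ "$(id -u)" -eq 0 ]`.
  if [ "$USER" != "root" ]; then
    # Diagnostics go to stderr and the status is non-zero, so callers and
    # `set -e` actually notice (the original exited 0 here).
    echo "Permission Denied" >&2
    echo "Can only be run by root" >&2
    exit 1
  fi
}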
# Create a keys file if one does not already exist
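create-keys-file() {
  local ssh_dir="$HOME/.ssh"
  mkdir -p -- "$ssh_dir"
  touch -- "$ssh_dir/authorized_keys"
  # sshd (StrictModes, the default) ignores keys in a directory or file that others
  # can write to; pin the conventional modes instead of trusting the caller's umask.
  chmod 700 "$ssh_dir"
  chmod 600 "$ssh_dir/authorized_keys"
}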
# Update apps
apt-get-update() {
  # Refresh the package index before any install step.
  local -a refresh=(apt-get update)
  sudo "${refresh[@]}"
}
# Set up automatic updates
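automatic-updates() {
  # $1 (optional): apt.conf.d file to receive the auto-reboot setting.
  local conf=${1:-/etc/apt/apt.conf.d/50unattended-upgrades}
  local -r reboot_line='Unattended-Upgrade::Automatic-Reboot "true";'
  # Ubuntu
  sudo apt install -y unattended-upgrades apt-listchanges bsd-mailx
  sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure --priority=low unattended-upgrades
  # Append the setting only once: re-running the script used to pile up duplicates.
  # This file is shipped by the package, so a later upgrade may prompt about the local
  # edit; a separate file under /etc/apt/apt.conf.d/ would avoid that.
  if ! grep -qxF -- "$reboot_line" "$conf" 2>/dev/null; then
    printf '%s\n' "$reboot_line" >> "$conf"
  fi
  sudo unattended-upgrades --dry-run
}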
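# Append $1 to file $2 unless the file already contains that exact line.
_append_line_once() {
  local line=$1 file=$2
  if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
    return 0
  fi
  printf '%s\n' "$line" >> "$file"
}

# Raise open-file / process limits system-wide and for the current shell.
# Optional args: $1 sysctl.conf, $2 pam common-session, $3 security/limits.conf
# (defaults are the usual Ubuntu paths). Idempotent: every line is written once.
raise-ulimits() {
  local sysctl_conf=${1:-/etc/sysctl.conf}
  local pam_session=${2:-/etc/pam.d/common-session}
  local limits_conf=${3:-/etc/security/limits.conf}
  local -r limit=65535
  local who res kind

  # System-wide file-handle ceiling (takes effect after `sysctl -p` or a reboot).
  _append_line_once "fs.file-max = $limit" "$sysctl_conf"
  # fs.nr_open is deliberately NOT written: the original set it to 65535, which is
  # below the kernel default (1048576) and would make any hard nofile limit above
  # 65535 (e.g. systemd's defaults on recent distributions) impossible to set.

  # Make pam_limits apply limits.conf to new sessions.
  _append_line_once "session required pam_limits.so" "$pam_session"

  # The original wrote one of these lines to a file literally named "su" in the
  # current directory and the rest twice; the loop writes each of the 8 once.
  for who in '*' root; do
    for res in nproc nofile; do
      for kind in soft hard; do
        _append_line_once "$who $kind $res $limit" "$limits_conf"
      done
    done
  done

  # Raise the limit for this shell too; only a warning if the hard limit forbids it,
  # since the persistent settings above are what matters.
  ulimit -n "$limit" || printf 'warn: could not raise nofile for the current shell\n' >&2
}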
# Disable password-based SSH authentication
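disable-password-authentication() {
  # $1 (optional): sshd config file to edit; defaults to the system one.
  local cfg=${1:-/etc/ssh/sshd_config}
  local key
  # For each directive: rewrite the active (uncommented) line whatever its current
  # value, else append one. The original only matched "... yes" lines and, via its
  # `grep && sed || echo` chain, appended a second directive whenever sed failed.
  for key in ChallengeResponseAuthentication PasswordAuthentication; do
    if grep -qE -- "^[[:space:]]*${key}[[:space:]]" "$cfg"; then
      sed -i -E "s/^[[:space:]]*${key}[[:space:]].*/${key} no/" "$cfg"
    else
      printf '%s no\n' "$key" >> "$cfg"
    fi
  done
  # NOTE: on Ubuntu 22.04+ sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`
  # and sshd keeps the first value it sees, so a drop-in there (cloud images often ship
  # one) can still enable passwords. Verify the effective value with:
  #   sshd -T | grep -i passwordauthentication
  if [ -x /etc/init.d/ssh ]; then
    # Never reload a config sshd would reject: that leaves the daemon down and the host
    # unreachable. `sshd -t` only validates.
    sshd -t -f "$cfg" || { printf 'sshd config check failed; not reloading\n' >&2; return 1; }
    /etc/init.d/ssh reload
  else
    printf 'warn: /etc/init.d/ssh not found; reload sshd manually\n' >&2
  fi
}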
# Get Dokku if not already installed
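install-dokku() {
  if command -v dokku >/dev/null 2>&1; then
    return 0
  fi
  local tmp
  tmp=$(mktemp -d) || return 1
  # Download by explicit target name into a fresh temp dir: a bare `wget URL` in the
  # current directory creates bootstrap.sh.1 on a rerun, and `bash bootstrap.sh`
  # then executes the stale copy.
  if ! wget -O "$tmp/bootstrap.sh" https://dokku.com/bootstrap.sh; then
    rm -rf -- "$tmp"
    return 1
  fi
  # This executes code fetched over the network: review "$tmp/bootstrap.sh" before
  # relying on it, and pin the release via an exported DOKKU_TAG (see the commented
  # example at the top of this file), which upstream's installer reads from the
  # environment. No sudo here: check_root already guarantees root, and sudo's default
  # env_reset would strip that variable.
  bash "$tmp/bootstrap.sh" || { rm -rf -- "$tmp"; return 1; }
  rm -rf -- "$tmp"
}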
# Check that dokku is installed on the server
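ensure-dokku() {
  if ! command -v dokku >/dev/null 2>&1; then
    # Non-zero exit so `set -e` / callers treat a missing dokku as the failure it is;
    # the original `exit` returned 0 and the script looked successful.
    echo "dokku is not installed" >&2
    exit 1
  fi
}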
# Install UFW
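install-firewall() {
  # -y: the original prompted (or failed non-interactively) on the install.
  sudo apt-get install -y ufw
  # Open SSH *before* enabling, so turning the firewall on can never cut off the
  # session running this script; the original enabled first and allowed ssh last.
  sudo ufw allow ssh
  sudo ufw allow www
  sudo ufw allow https
  # --force skips the interactive "may disrupt existing ssh connections" prompt.
  sudo ufw --force enable
  sudo ufw status
}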
# Install Fail2Ban
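install-fail2ban() {
  # Pinned to a gist commit, so the fetched content cannot change underneath us.
  local -r base_url=https://gist.githubusercontent.com/petarGitNik/e24f9bfda6e1277640e376f8a2ecfaef/raw/a58d7983260e73a45668c2774e16122ccf4fc5f4
  local -r conf_dir=/etc/fail2ban
  local name
  sudo apt-get install -y fail2ban
  # Write to absolute target paths instead of cd-ing into /etc/fail2ban: a bare
  # `wget URL` on a rerun creates http-get-dos.conf.1 etc. beside the originals.
  for name in http-get-dos.conf http-post-dos.conf jail.local; do
    wget -O "$conf_dir/$name" "$base_url/$name"
  done
  # The package installs fail2ban-client / fail2ban-server, not a `fail2ban`
  # executable, so the original `command -v fail2ban` never matched and the restart
  # (which is what makes the new jail config live) was always skipped.
  if command -v fail2ban-client >/dev/null 2>&1; then
    sudo systemctl restart fail2ban
    # sudo fail2ban-client status
  fi
}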
# Make directories for db import/export
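make-dirs() {
  local -r base="$HOME/dumps"
  local sub
  # mkdir -p is idempotent and also recreates any subdirectory that went missing,
  # which the old "skip everything if $HOME/dumps exists" guard could not do.
  for sub in postgres mysql redis mongo; do
    mkdir -p -- "$base/$sub"
  done
  # The original left the shell in $HOME; keep that so later steps see the same cwd.
  cd ~
}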
# Check if dokku redis plugin is installed and otherwise install it
install-redis() {
  local -r repo=https://github.com/dokku/dokku-redis.git
  # Skip when dokku already reports the plugin as installed.
  if sudo dokku plugin:installed redis; then
    echo "=> Redis plugin already installed skipping"
    return 0
  fi
  echo "=> Installing redis plugin"
  sudo dokku plugin:install "$repo" redis
}
# Check if dokku postgres plugin is installed and otherwise install it
install-postgres() {
  local -r repo=https://github.com/dokku/dokku-postgres.git
  # Skip when dokku already reports the plugin as installed.
  if sudo dokku plugin:installed postgres; then
    echo "=> Postgres plugin already installed skipping"
    return 0
  fi
  echo "=> Installing postgres plugin"
  sudo dokku plugin:install "$repo" postgres
}
# Check if dokku MySQL plugin is installed and otherwise install it
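install-mysql() {
  local -r repo=https://github.com/dokku/dokku-mysql.git
  if sudo dokku plugin:installed mysql; then
    # Message fixed: the original said "Postgres" here (copy-paste leftover).
    echo "=> MySQL plugin already installed skipping"
    return 0
  fi
  echo "=> Installing mysql plugin"
  sudo dokku plugin:install "$repo" mysql
}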
# Check if dokku mongo plugin is installed and otherwise install it
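install-mongo() {
  local -r repo=https://github.com/dokku/dokku-mongo.git
  if sudo dokku plugin:installed mongo; then
    # Message fixed: the original said "Postgres" here (copy-paste leftover).
    echo "=> Mongo plugin already installed skipping"
    return 0
  fi
  echo "=> Installing mongo plugin"
  sudo dokku plugin:install "$repo" mongo
}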
# Check if dokku memcached plugin is installed and otherwise install it
install-memcached() {
  local -r repo=https://github.com/dokku/dokku-memcached.git
  # Skip when dokku already reports the plugin as installed.
  if sudo dokku plugin:installed memcached; then
    echo "=> Memcached plugin already installed skipping"
    return 0
  fi
  echo "=> Installing memcached plugin"
  sudo dokku plugin:install "$repo" memcached
}
# Check if dokku clickhouse plugin is installed and otherwise install it
install-clickhouse() {
  local -r repo=https://github.com/dokku/dokku-clickhouse.git
  # Skip when dokku already reports the plugin as installed.
  if sudo dokku plugin:installed clickhouse; then
    echo "=> Clickhouse plugin already installed skipping"
    return 0
  fi
  echo "=> Installing clickhouse plugin"
  sudo dokku plugin:install "$repo" clickhouse
}
# Install Letsencrypt plugin
install-letsencrypt() {
  local -r plugin_dir=/var/lib/dokku/plugins/available/letsencrypt
  # Presence of the plugin directory is the "already installed" signal here.
  if [ -d "$plugin_dir" ]; then
    return 0
  fi
  sudo dokku plugin:install https://github.com/dokku/dokku-letsencrypt.git
  dokku letsencrypt:cron-job --add
}
# Install custom dokku limited users plugin
install-limited-users() {
  local -r plugin_dir=/var/lib/dokku/plugins/available/limited-users
  # Presence of the plugin directory is the "already installed" signal here.
  if [ -d "$plugin_dir" ]; then
    return 0
  fi
  sudo dokku plugin:install https://github.com/kidGodzilla/dokku-limited-users.git
}
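main() {
  check_root
  # Public address of this host, exported so later steps and child processes can read
  # it (the original assigned without exporting). -f turns an HTTP error into a failed
  # step under `set -e` instead of silently storing an error page as the "IP".
  export DOKKU_SSH_HOST SERVER_IP
  DOKKU_SSH_HOST=$(curl -fsS ifconfig.co)
  SERVER_IP=$(curl -fsS ipinfo.io/ip)
  # Basics
  apt-get-update
  install-firewall
  # Add access key
  create-keys-file
  # Hardening
  disable-password-authentication
  # Install Dokku
  install-dokku
  make-dirs
  # Ensure dokku was installed
  ensure-dokku
  # dokku databases & plugins
  install-redis
  install-postgres
  install-mysql
  install-mongo
  install-letsencrypt
  install-limited-users
  install-clickhouse
  install-memcached
  # Additional Configuration
  automatic-updates
  raise-ulimits
  # install-fail2ban
}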
# Entry point; arguments are forwarded although main does not currently use them.
main "$@"